CompTIA CySA+ Objective 1.1

Given a scenario, apply environmental reconnaissance
techniques using appropriate tools and processes.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

One of the first things both attackers and defenders do is to reconnoiter the network that they are attacking or defending. “Time spent on reconnaissance is seldom wasted.” – Duke of Wellington Arthur Wellesley. This is as true in cybersecurity as it is in war. We must know what we’re defending if we have any hope of defending it.


Often the first step for an analyst is to review any existing documentation on the network and the devices on it. This documentation will often include topology maps and lists of the assets on the network and what they do. This documentation is often outdated, inaccurate or even nonexistent, and will serve only as a starting point.

NMAP

Thankfully there are several tools and sources of information that will aid in getting the information that is needed. One of the most versatile tools is the Network Mapper (NMAP), which is a free (as in beer and speech) tool that will scan the network for hosts and then help to identify them. NMAP can scan both wide and deep. Scanning wide first, it can identify all of the devices that respond to ICMP or UDP pings on the network. An example of an NMAP ping scan is below.

$ nmap -sn 192.168.7.2-254
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-20 21:54 CDT
Nmap scan report for 192.168.7.24
Host is up (0.28s latency).
Nmap scan report for 192.168.7.25
Host is up (0.0038s latency).
Nmap scan report for 192.168.7.26
Host is up (0.066s latency).
Nmap scan report for 192.168.7.30
Host is up (0.021s latency).
Nmap scan report for 192.168.7.31
Host is up (0.0057s latency).
Nmap scan report for 192.168.7.37
Host is up (0.00028s latency).
Nmap scan report for 192.168.7.39
Host is up (0.12s latency).
Nmap scan report for 192.168.7.46
Host is up (0.033s latency).
Nmap scan report for 192.168.7.53
Host is up (0.0057s latency).
Nmap scan report for 192.168.7.54
Host is up (0.17s latency).
Nmap scan report for 192.168.7.59
Host is up (0.093s latency).
Nmap done: 253 IP addresses (11 hosts up) scanned in 9.09 seconds

Once live hosts are identified, NMAP can go deep and interrogate each host to determine what services are running, what versions of server software are present and, for most hosts, the operating system (OS) the host is running, via fingerprinting. This information helps to document which OSs, server software and services are present on the network. Knowing this helps the security analyst focus on the attacks that are actually possible. For example, if you know that there are no Apple Macintosh OSX devices on the network, you can filter out as not relevant some attacks that might show up in Intrusion Prevention System (IPS) logs. This allows an analyst to focus on the detections that are potential issues. An example of a deep scan of a host is below.

$ nmap -T4 -A -v 192.168.7.53
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-20 21:58 CDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating Ping Scan at 21:58
Scanning 192.168.7.53 [2 ports]
Completed Ping Scan at 21:58, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.02s elapsed
Initiating Connect Scan at 21:58
Scanning 192.168.7.53 [1000 ports]
Discovered open port 23/tcp on 192.168.7.53
Discovered open port 80/tcp on 192.168.7.53
Discovered open port 8080/tcp on 192.168.7.53
Discovered open port 631/tcp on 192.168.7.53
Discovered open port 515/tcp on 192.168.7.53
Discovered open port 9100/tcp on 192.168.7.53
Completed Connect Scan at 21:58, 0.15s elapsed (1000 total ports)
Initiating Service scan at 21:58
Scanning 5 services on 192.168.7.53
Completed Service scan at 21:59, 18.52s elapsed (6 services on 1 host)
NSE: Script scanning 192.168.7.53.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.45s elapsed
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Nmap scan report for 192.168.7.53
Host is up (0.010s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     HP LaserJet debug telnetd
80/tcp   open  http       HP LaserJet CP1205nw or P1606 http config
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Mrvl-R1_0
| http-title: HP LaserJet Professional P1606dn   192.168.7.53
|_Requested resource was /SSI/index.htm
515/tcp  open  printer
631/tcp  open  http       HP LaserJet CP1205nw or P1606 http config
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Mrvl-R1_0
| http-title: Site doesn't have a title.
|_Requested resource was /SSI/index.htm
8080/tcp open  http       HP LaserJet CP1205nw or P1606 http config
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Mrvl-R1_0
| http-title: Site doesn't have a title.
|_Requested resource was /SSI/index.htm
9100/tcp open  jetdirect?
Service Info: Device: printer; CPE: cpe:/h:hp:laserjet_p1606

NSE: Script Post-scanning.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.38 seconds
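Turning the two scans above into an inventory is the analyst's real job, so here is an added example (my own code, not part of the original page or of Nmap) that parses the ping-scan and the deep-scan text into structured records and flags open cleartext management services such as the printer's telnet port. The sample output is constructed from trimmed copies of the runs shown above; the regexes assume Nmap's normal-output format.

```python
import re

# Constructed samples, trimmed from the two nmap runs shown on this page.
PING_SCAN = """Nmap scan report for 192.168.7.24
Host is up (0.28s latency).
Nmap scan report for 192.168.7.53
Host is up (0.0057s latency).
Nmap done: 253 IP addresses (2 hosts up) scanned in 9.09 seconds"""

DEEP_SCAN = """PORT     STATE SERVICE    VERSION
23/tcp   open  telnet     HP LaserJet debug telnetd
80/tcp   open  http       HP LaserJet CP1205nw or P1606 http config
515/tcp  open  printer
9100/tcp open  jetdirect?
Service Info: Device: printer; CPE: cpe:/h:hp:laserjet_p1606"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)$")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CPE_RE = re.compile(r"CPE: (cpe:/\S+)")
CLEARTEXT_MGMT = {"telnet", "ftp", "login", "shell"}  # nmap names; remediation findings

def parse_ping_scan(text):
    """Map each host nmap reported as up to its latency in seconds."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
        elif (m := UP_RE.match(line)) and current:
            hosts[current] = float(m.group(1))
    return hosts

def parse_deep_scan(text):
    """Return (port records, CPE) from a -sV/-A port table; '?' marks a guess."""
    ports, cpe = [], None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4).rstrip("?"),
                          "version": m.group(5).strip()})
        elif m := CPE_RE.search(line):
            cpe = m.group(1)
    return ports, cpe

def cleartext_management_ports(ports):
    """Open ports serving a cleartext management protocol: document and remediate."""
    return [p["port"] for p in ports
            if p["state"] == "open" and p["service"] in CLEARTEXT_MGMT]
```

Run on the printer's scan, this yields the CPE for the asset list and flags port 23 as a cleartext management finding.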

Packet Analyzers

Another tool for investigating a network is a packet analyzer. One of the most popular is Wireshark, which is also free. With Wireshark you can capture the packets that a computer sees on the network. Even without using techniques to tap or otherwise see traffic that won’t normally come to the computer on a switched network, one can learn a lot about the network. For example, broadcast traffic can tell you what kind of switch the computer is attached to (LLDP) or the MAC addresses of other computers on the network via the ARP packets sent out.
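The ARP point above can be made concrete: an added example (my own code, not from the original page or from Wireshark) that decodes raw Ethernet/ARP frames and builds a passive IP-to-MAC host table from nothing but the broadcasts a station on a switched segment sees. The frames are constructed inline with a small builder so the example runs offline; MACs and addresses are made up, and only Ethernet/IPv4 ARP is handled.

```python
import struct

ETHERTYPE_ARP = 0x0806

def build_arp_frame(src_mac, src_ip, dst_ip, oper=1):
    """Constructed Ethernet+ARP frame (oper 1 = request, 2 = reply) for the sample."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP)  # broadcast dst
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)          # Ethernet/IPv4
    arp += mac + bytes(map(int, src_ip.split(".")))             # sender hw/proto addr
    arp += b"\x00" * 6 + bytes(map(int, dst_ip.split(".")))     # target hw/proto addr
    return eth + arp

def parse_arp(frame):
    """Return (sender_mac, sender_ip) if the frame is Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                          # not Ethernet/IPv4 ARP; skip it
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return mac, ip

def passive_host_table(frames):
    """IP -> MAC learned purely from ARP seen on the wire (requests and replies)."""
    table = {}
    for frame in frames:
        if result := parse_arp(frame):
            mac, ip = result
            table[ip] = mac
    return table

# Constructed capture: two ARP frames plus an IPv4 frame that must be ignored.
SAMPLE_FRAMES = [
    build_arp_frame("00:11:22:33:44:55", "192.168.7.24", "192.168.7.1"),
    build_arp_frame("66:77:88:99:aa:bb", "192.168.7.53", "192.168.7.1", oper=2),
    b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0800) + b"\x00" * 28,
]
```

On a real capture the frames would come from a pcap reader or a raw socket; the decoder and table logic stay the same.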

If you have access to the logs on a network, they can be a good source of information as well. Reviewing firewall logs can document what types of network traffic are present. Intrusion Prevention and Detection Systems (IPS/IDS) also provide useful logs that may indicate malicious behavior.