Reconnaissance

Before an attack can succeed, the attacker first has to gather information about the systems being attacked, just as a commander must know the enemy's positions, armament and numbers before launching an attack.

Reconnaissance vectors

Passive reconnaissance

When the attacker knows which domain is registered to the target system, say victim.com, the first stop is the DNS and whois services. Commands such as nslookup, dig and whois return a great deal of information about the target, and they do so without ever sending a packet to the target's own hosts: the queries go to public resolvers and registry servers, which is what makes this phase passive and invisible to the victim. whois returns the domain's name servers and, depending on the registry and on whether privacy protection is used, personal details about the domain holder (registrant and admin names, e-mail addresses and phone numbers); dig and nslookup return the domain's address, mail exchanger and name server records.
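As an added illustration of what this passive step yields (this is example code written for this page, not a tool the article describes), the following parses a whois answer and pulls out exactly the items an attacker wants: the name servers to query next, and the names and e-mail addresses that feed phishing or password guessing. The whois text is a constructed sample for the page's hypothetical victim.com, not a real registration record.

```python
import re
from collections import defaultdict

# Constructed sample of a registry whois reply for the page's hypothetical
# victim.com. Not real registration data.
SAMPLE_WHOIS = """\
   Domain Name: VICTIM.COM
   Registrar: Example Registrar, Inc.
   Creation Date: 2001-06-03T04:00:00Z
   Registry Expiry Date: 2025-06-03T04:00:00Z
   Registrant Name: Jane Doe
   Registrant Organization: Victim Corp.
   Registrant Email: jane.doe@victim.com
   Registrant Phone: +1.5555550100
   Admin Email: hostmaster@victim.com
   Tech Email: netops@victim.com
   Name Server: NS1.VICTIM.COM
   Name Server: NS2.VICTIM.COM
   DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-02-01T00:00:00Z <<<
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text):
    """Turn 'Key: value' whois lines into a dict of key -> list of values.
    Repeated keys such as 'Name Server' accumulate; notice lines are skipped."""
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields[key.strip().lower()].append(value.strip())
    return dict(fields)


def recon_summary(text):
    """Reduce a whois reply to the facts an attacker carries into the next
    step: name servers (the next passive hop), people and mail addresses
    (phishing targets), and the registrar/expiry (domain-hijack angles)."""
    fields = parse_whois(text)
    emails = sorted(set(EMAIL_RE.findall(text)))
    return {
        "domain": fields.get("domain name", [""])[0].lower(),
        "registrar": fields.get("registrar", [""])[0],
        "expires": fields.get("registry expiry date", [""])[0],
        "name_servers": sorted(ns.lower() for ns in fields.get("name server", [])),
        # every '<role> Name' field except the domain name itself
        "people": [v for k, vs in fields.items()
                   if k.endswith(" name") and k != "domain name" for v in vs],
        "emails": emails,
        "email_domains": sorted({e.split("@", 1)[1] for e in emails}),
    }


if __name__ == "__main__":
    for key, value in recon_summary(SAMPLE_WHOIS).items():
        print(f"{key}: {value}")
```

The same parser works on the output of the real `whois victim.com` command piped into it; registries differ in field names, so the lower-cased keys are the stable part to match on.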

Active Reconnaissance

Active reconnaissance starts with tools that actually send packets to the target system. One of them is traceroute, which reveals the IP addresses of the routers and firewalls in front of the victim hosts by sending probes with increasing TTL values and recording which hop answers each one.

Where a firewall along the path blocks the UDP probes that traceroute sends by default, tcptraceroute performs the same mapping with TCP SYN packets aimed at a port the firewall has to let through, such as 80 or 443. Once the attacker has the path and the reachable addresses, more sophisticated tools such as nmap and hping take over the active reconnaissance of the victim.

Nmap can identify the victim's operating system through TCP/IP stack fingerprinting (the -O option). It sends a series of crafted probes, with particular TCP flags switched on or off (most often combinations of SYN, ACK and FIN, including combinations no normal client would send), to an open and to a closed port on the remote machine. Each operating system's stack answers these probes slightly differently: which flags come back, the initial TTL, the window size, the order of TCP options and so on. Nmap compares the collected responses against its database of stack signatures and makes an educated guess at the operating system.

The attacker's next step is to find out which services are enabled on the individual hosts, so he launches a port scan with nmap or with an old-fashioned connect scanner (one that completes the full TCP handshake against every port and therefore needs no special privileges, at the cost of leaving a connection in the target's logs). With the list of open ports in hand, he uses different techniques to identify the particular software behind each port. Usually a plain telnet, ftp or http client is enough: the banner or headers the service sends on connection reveal, for a web server, the product and version and the modules it runs, such as PHP, Perl or other modules. Only after this inventory does he move on to the actual attack, for example a buffer-overflow exploit against a version known to be vulnerable, or a DoS or DDoS flood.
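The two steps above, scanning for open ports and then identifying the software behind them, are shown end to end below as an added example written for this page (not code from the article). It implements the old-fashioned connect scan and the banner grab in plain Python sockets, and, so that it runs offline, stands up two throwaway listeners on the loopback interface that play the victim's SSH and web server. The banners they return are constructed, not captured from any real host.

```python
import socket
import threading

HOST = "127.0.0.1"


def start_fake_service(reply: bytes, greet: bool = True) -> int:
    """Start a throwaway listener on loopback that plays a victim service.
    greet=True mimics SSH/FTP/SMTP, which send a banner as soon as a client
    connects; greet=False mimics HTTP, which only answers once asked.
    Returns the ephemeral port the listener was given."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    if not greet:
                        conn.recv(4096)      # wait for the client's request
                    conn.sendall(reply)
                except OSError:
                    pass                     # scanner hung up without talking

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def pick_closed_port() -> int:
    """Reserve and release an ephemeral port so the scan has a known-closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """Old-fashioned connect scan: complete the TCP handshake on each port.
    Open ports accept; closed ones answer RST, so connect_ex() is non-zero.
    Needs no raw sockets, unlike nmap's default SYN scan, but every probe
    shows up as a real connection in the target's logs."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0, probe=None):
    """Connect, optionally send a probe, and collect whatever the service
    says until it closes the connection or goes quiet."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        pass   # refused, reset or timed out: return what was collected
    return b"".join(chunks).decode("ascii", "replace").strip()


def http_fingerprint(host, port, timeout=1.0):
    """Send a minimal HEAD request and return the response headers, keys
    lower-cased. Server and X-Powered-By give away the web server version
    and the modules (PHP, etc.) it loads."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    raw = grab_banner(host, port, timeout, probe=request)
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def demo():
    """Stand up two fake victim services, scan, then fingerprint them."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n")
    http_port = start_fake_service(
        b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
        b"X-Powered-By: PHP/7.4.3\r\nContent-Length: 0\r\n\r\n", greet=False)
    closed_port = pick_closed_port()
    return {
        "ssh_port": ssh_port,
        "http_port": http_port,
        "closed": closed_port,
        "open": connect_scan(HOST, sorted([ssh_port, http_port, closed_port])),
        "ssh_banner": grab_banner(HOST, ssh_port),
        "http_headers": http_fingerprint(HOST, http_port),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real host, `connect_scan(host, range(1, 1025))` followed by `grab_banner` on each open port is the whole procedure the text describes; the difference from nmap's `-sV` is only that nmap carries a large database of probes and response signatures instead of this single HEAD request.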

Mitigations

The most effective defence against active reconnaissance is a combination of firewalls with IDS/IPS. The IDS/IPS notifies us of the scanning activity (port sweeps, OS-detection probes, traceroute mapping), and we can then decide whether to block the source's access to a particular service or subnet before the reconnaissance turns into buffer-overflow exploits or DoS floods. Passive reconnaissance cannot be detected this way, since the queries never reach our network; the only mitigation there is to expose less, for example by using whois privacy protection and by stripping version information from service banners and HTTP headers.
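The detection half of this mitigation is, at its simplest, a threshold on how many distinct ports one source touches in a short window. The following added example (written for this page, not taken from any IDS) runs that logic over a constructed firewall log, modelled loosely on iptables LOG lines trimmed to the fields the detector needs. It also shows the classic failure mode a practitioner should expect: a slow scan spread over hours slips under a short window and only surfaces when the window is widened.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log, not captured from a real network. 203.0.113.7
# sweeps eight ports in four seconds; 198.51.100.4 is an ordinary web
# client; 192.0.2.99 sweeps six ports one hour apart (a slow scan).
SAMPLE_LOG = """\
2024-03-01T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2024-03-01T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2024-03-01T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2024-03-01T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2024-03-01T10:00:03 ACCEPT SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
2024-03-01T10:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=143
2024-03-01T10:00:04 ACCEPT SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:05 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:01:10 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:02:30 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:30:00 DROP SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=22
2024-03-01T11:30:00 DROP SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=23
2024-03-01T12:30:00 DROP SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=25
2024-03-01T13:30:00 ACCEPT SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T14:30:00 DROP SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=110
2024-03-01T15:30:00 DROP SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=143
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Parse one log line into a dict, or return None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"])}


def detect_port_sweeps(log_text, min_ports=6, window=timedelta(seconds=60)):
    """Flag every source that touched at least `min_ports` distinct destination
    ports within any `window` of time. ACCEPTed connections count too: a scan
    of open ports is still a scan. Returns {src: sorted ports in the densest
    window}. A sliding window over the time-sorted events keeps this linear
    per source."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append((ev["ts"], ev["dpt"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            ports = {dpt for _, dpt in events[left:right + 1]}
            if len(ports) >= min_ports and len(ports) > len(alerts.get(src, ())):
                alerts[src] = sorted(ports)
    return alerts


if __name__ == "__main__":
    print("60 s window:", detect_port_sweeps(SAMPLE_LOG))
    print("1 day window:", detect_port_sweeps(SAMPLE_LOG, window=timedelta(days=1)))
```

With the default one-minute window only the fast sweep from 203.0.113.7 is reported; the hourly probes from 192.0.2.99 look like six unrelated connections. Widening the window to a day catches it, at the price of more state per source, which is the trade-off every threshold-based scan detector makes.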