Foundation Topics
Reconnaissance Attacks
Network reconnaissance is the act of gathering information about a network in preparation for a possible attack. This information can be garnered from a wide variety of sources. The sources of information for a reconnaissance attack can include what is called uncontrollable information, which is information that the network staff cannot control because it is publicly available to anyone who looks for it, and which typically serves as the starting point for network sweeps and port scans. Some examples of uncontrollable information include the IP address ranges owned by a company, which an attacker can determine through the use of the ARIN, RIPE, or APNIC databases, and domain name ownership information and DNS server IP addresses, which an attacker can determine by querying network registry databases such as Network Solutions or Register.com.

Typically, after an attacker identifies the network ranges for a target, the attacker begins host discovery, which can be accomplished in a variety of ways. One way is to use ICMP ping sweeps or scans of the network ranges. Another way is to use a blind-TCP scan, whereby the attacker uses a tool, such as Nmap, to scan the network ranges using TCP instead of ICMP. This scan can search for common services such as web, mail, and FTP services. Although a blind-TCP scan may not provide a complete picture of all possible hosts that are reachable across the Internet, it does provide a sufficient list of publicly available servers. The blind-TCP scan can remain virtually invisible to network administrators because it searches only the set of ports that are likely to be open.

Figure 6-1 shows how a blind-TCP scan works. In most cases, only two parts of the TCP three-way handshake (SYN, SYN-ACK, ACK) are completed. The scanning tool may choose not to complete the three-way handshake, or it may send a RESET (RST) packet back to close the target's half-open TCP port.
Figure 6-1. Blind-TCP Scan
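The half-open handshake pattern in Figure 6-1 is also what a defender can key on: a host that repeatedly receives SYN-ACKs and answers with RST (or nothing) instead of ACK, across several ports on one server, is behaving like a blind-TCP scanner. The following is an added example, not from the book, that runs that check over a small constructed packet log; the addresses, ports and the tcpdump-style flag letters are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample packet log: (src, dst, sport, dport, flags).
# Flags use tcpdump letters: S = SYN, SA = SYN-ACK, A = ACK, R = RST.
# 198.51.100.7 probes ports 21, 25 and 80 on 192.0.2.10 and tears each
# one down with RST after the SYN-ACK; 203.0.113.5 completes a real handshake.
SAMPLE_LOG = [
    ("198.51.100.7", "192.0.2.10", 40001, 80, "S"),
    ("192.0.2.10", "198.51.100.7", 80, 40001, "SA"),
    ("198.51.100.7", "192.0.2.10", 40001, 80, "R"),
    ("198.51.100.7", "192.0.2.10", 40002, 25, "S"),
    ("192.0.2.10", "198.51.100.7", 25, 40002, "SA"),
    ("198.51.100.7", "192.0.2.10", 40002, 25, "R"),
    ("198.51.100.7", "192.0.2.10", 40003, 21, "S"),
    ("192.0.2.10", "198.51.100.7", 21, 40003, "SA"),
    ("198.51.100.7", "192.0.2.10", 40003, 21, "R"),
    ("203.0.113.5", "192.0.2.10", 51000, 80, "S"),
    ("192.0.2.10", "203.0.113.5", 80, 51000, "SA"),
    ("203.0.113.5", "192.0.2.10", 51000, 80, "A"),
]


def classify_handshakes(packets):
    """Return {(client, server, dport): state} where state is 'completed'
    (SYN, SYN-ACK, ACK), 'half_open' (SYN, SYN-ACK, then RST or nothing)
    or 'unanswered' (SYN with no SYN-ACK). A SYN-ACK is taken to be the
    server's reply, so its key is flipped to the client's point of view."""
    seen = defaultdict(list)
    for src, dst, sport, dport, flags in packets:
        if flags == "SA":
            seen[(dst, src, sport)].append("SA")
        else:
            seen[(src, dst, dport)].append(flags)
    states = {}
    for key, flags in seen.items():
        if "SA" not in flags:
            states[key] = "unanswered"
        elif "A" in flags[flags.index("SA"):]:   # ACK after the SYN-ACK
            states[key] = "completed"
        else:
            states[key] = "half_open"
    return states


def find_half_open_scanners(packets, min_ports=3):
    """Report (client, server) pairs where the client left at least
    min_ports distinct ports half-open, with the sorted port list."""
    ports = defaultdict(set)
    for (client, server, dport), state in classify_handshakes(packets).items():
        if state == "half_open":
            ports[(client, server)].add(dport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}
```

On the sample log, `find_half_open_scanners(SAMPLE_LOG)` reports only 198.51.100.7, while the client that finished its handshake is ignored; `min_ports` is the knob that trades missed low-and-slow scans against false positives from clients that legitimately abort a connection.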
