CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources]

Tebyan


  • Foundation Topics

    Reconnaissance Attacks

    Network reconnaissance is the act of gathering information about a network in preparation for a possible attack. This information can be garnered from a wide variety of sources. The sources of information for a reconnaissance attack can include what is called uncontrollable information, which is information that the network staff cannot control because it is publicly disseminated, as well as information gathered directly through network sweeps and port scans. Some examples of uncontrollable information include the IP address ranges owned by a company, which an attacker can determine through the use of the ARIN, RIPE, or APNIC databases, and domain name ownership information and DNS server IP addresses, which an attacker can determine by querying network registry databases such as Network Solutions or Register.com.

    Typically, after an attacker identifies the network ranges for a target, the attacker begins host discovery, which can be accomplished in a variety of ways. One way is to use ICMP ping sweeps or scans of the network ranges. Another way is to use a blind-TCP scan, whereby the attacker uses a tool, such as Nmap, to scan the network ranges using TCP instead of ICMP. This scan can search for common services such as web, mail, and FTP services. Although a blind-TCP scan may not provide a complete picture of all possible hosts that are reachable across the Internet, it does provide a sufficient list of publicly available servers. The blind-TCP scan can remain virtually invisible to network administrators because it searches only the set of ports that are likely to be open. Figure 6-1 shows how a blind-TCP scan works. In most cases, only two parts of the TCP three-way handshake (SYN, SYN-ACK, ACK) are completed. The scanning tool may choose not to complete the three-way handshake or it may send a RESET (RST) packet back to close the target's half-open TCP port.

    Figure 6-1. Blind-TCP Scan

    Other methods of host discovery include using TCP scans with unusual flag settings. For example, suppose the attacker suspects that the network administrators have access control lists (ACLs) deployed on the edge router of the network to filter inbound TCP connections but allow packets that are part of existing connections originating from the inside of the network. To work around this obstacle, the attacker may try a TCP ACK scan (a scan in which the ACK bit in the TCP header is set) to pass packets through the router's ACLs. When the packets reach their targets, the proper response (as defined in RFC 793) by a host to an unsolicited TCP ACK packet is either to send a TCP RST packet back to the originator if a service is running on the port in question or to not respond at all if there is no service associated with the port being targeted. Once an attacker has enumerated the hosts on a network, the attacker can move on to identify the operating system of the target host as well as enumerate the services available in order to try to compromise that host through one of those services. Chapter 8.
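    As an added example (not part of the book), the following Python detector applies the two observations above from the defender's side: a blind-TCP scan leaves SYNs that are never followed by the handshake's third packet, and an ACK scan sends ACK-only packets for which the sensor never saw a SYN. The packet records, addresses and the per-source threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of packet records as a perimeter sensor might export
# them: (src, dst, dport, flags). Only the client->server direction is used.
SAMPLE_PACKETS = [
    # A legitimate web session: SYN, then the handshake-completing ACK.
    ("10.0.0.5", "192.0.2.10", 80, {"SYN"}),
    ("10.0.0.5", "192.0.2.10", 80, {"ACK"}),
    # Blind-TCP (half-open) scan: SYNs to likely ports, one closed with RST,
    # none followed by the third handshake packet.
    ("203.0.113.7", "192.0.2.10", 21, {"SYN"}),
    ("203.0.113.7", "192.0.2.10", 25, {"SYN"}),
    ("203.0.113.7", "192.0.2.10", 25, {"RST"}),
    ("203.0.113.7", "192.0.2.10", 80, {"SYN"}),
    ("203.0.113.7", "192.0.2.11", 80, {"SYN"}),
    ("203.0.113.7", "192.0.2.12", 443, {"SYN"}),
    # TCP ACK scan: ACK-only packets with no SYN ever sent by this source.
    ("198.51.100.9", "192.0.2.10", 22, {"ACK"}),
    ("198.51.100.9", "192.0.2.10", 80, {"ACK"}),
    ("198.51.100.9", "192.0.2.11", 80, {"ACK"}),
    ("198.51.100.9", "192.0.2.12", 443, {"ACK"}),
]


def classify_flows(packets):
    """Group packets by (src, dst, dport) and separate suspicious flows."""
    syn_seen, ack_seen = set(), set()
    for src, dst, dport, flags in packets:
        flow = (src, dst, dport)
        if flags == {"SYN"}:
            syn_seen.add(flow)
        elif flags == {"ACK"}:
            ack_seen.add(flow)
    half_open = syn_seen - ack_seen        # SYN never followed by the 3rd packet
    unsolicited_ack = ack_seen - syn_seen  # ACK with no SYN from this source
    return half_open, unsolicited_ack


def detect_scanners(packets, threshold=3):
    """Return {src: kind} for sources hitting >= threshold distinct targets."""
    half_open, unsolicited_ack = classify_flows(packets)
    findings = {}
    for kind, flows in (("half-open-syn-scan", half_open),
                        ("ack-scan", unsolicited_ack)):
        per_src = defaultdict(set)
        for src, dst, dport in flows:
            per_src[src].add((dst, dport))
        for src, targets in per_src.items():
            if len(targets) >= threshold:
                findings[src] = kind
    return findings
```

    A sensor that starts capturing mid-stream will see ACKs of established sessions without their SYNs, so in practice the threshold should be tuned and the unsolicited-ACK check restricted to flows the sensor has watched from the start.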