Chapter 3. Internet Host and Network Enumeration

This chapter focuses on the first steps you should take when assuming the role of an Internet-based attacker. The first avenue that any competent attacker should pursue is that of querying open sources for information relating to the target organization and its networks. At a high level, the following open sources are queried:

  • Web and newsgroup search engines

  • Domain and IP WHOIS registrars

  • Border Gateway Protocol (BGP) looking glass sites and route servers

  • Public DNS name servers

The majority of this probing is indirect: traffic is exchanged with sites like Google or with public WHOIS, BGP, and DNS servers rather than with the target itself. A smaller number of direct querying techniques do, in most cases, send traffic to the target network, as follows:

  • DNS querying and grinding against specific name servers

  • Web server crawling

  • SMTP probing

Upon performing an Internet network enumeration exercise, querying all of these sources for useful information, an attacker can build a useful map of your networks and understand where potential weaknesses may lie. By identifying peripheral systems of interest (such as development or test systems), attackers can focus on specific areas of the target network later on.

The reconnaissance process is often iterative, repeating the full enumeration cycle when a new piece of information (such as a domain name or office address) is uncovered. The scope of the assessment exercise usually defines the boundaries, which sometimes includes testing ...
