Security assessment refers to the processes, procedures, and tools used to detect whether an organization has certain weaknesses that can be exploited by Threat actors. Literally, a security assessment is a security survey or study process that covers all of an organization's services, including Network Infrastructure and Web Applications. Threat Victor is probably weak, and I'm not as strong as the Penetration Testing Engineer. The outcome of the assessment is recommendations to deploy, enhance, or restructure security controls to mitigate the risk of vulnerabilities being exploited by a Threat agent.
Reconnaissance is one of the effective security assessment activities that maps the enterprise's service infrastructure by identifying the communications that make up the network, and we always need to perform checks on the network infrastructure using a set of tools that can be command line interface (CLI) or (GUI) Graphical User Interface using these tools we can analyze the data going through the network, follow the data packages, detailed scanning on the network, detect the services working in the infrastructure, and whether the service has special weakness. You should also understand how tools can be used to make Backdoor for the host until the data is secretly leaked.
Ipconfig, ping, and arp
It is a set of tools that can be used to reconnaissance and detect potential weaknesses, and reconnaissance techniques can be used by Threat agent but are also used by security professionals to verify their security systems as part of effective security assessment and ongoing monitoring.
Topology discovery or footprinting - It is a process in which a complete graph is made at the network level. Scanning is performed on different devices for the purpose of detecting the services running on those devices as well as the type of system, whether it is Linux or Windows and other Topology discovery methods are to detect the entire network infrastructure including all devices on the network including servers and user devices in addition to the protective devices as well as the type of systems running on those devices.
These tools can be used to detect Topology discovery and these tools are integrated with different operating systems such as Linux or Windows
ipconfig : It is a tool used to display all the interfaces on the network including the device address, Mac Address, IPv4, IPv6, IP router Gateway and see if the IP is static or taken from a DHCP server (this command works on Windows)
C:\Users\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::88d2:2f90:70ed:6abb%11
IPv4 Address. . . . . . . . . . . : 192.168.1.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Ethernet adapter VirtualBox Host-Only Network:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::5ce7:800:4626:fdbc%18
Autoconfiguration IPv4 Address. . : 169.254.253.188
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Tunnel adapter isatap.{9BBD4417-E04C-4CA1-849D-0023BBAE2EB6}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter isatap.{455F6785-017B-4B36-AFDF-3EB13A27900B}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\Administrator>
ifconfig : does the same work as ipconfig, but this works on Linux systems
┌──(kali㉿kali)-[~]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.6 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::a00:27ff:fe50:4c14 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:50:4c:14 txqueuelen 1000 (Ethernet)
RX packets 62 bytes 5765 (5.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27 bytes 2962 (2.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(kali㉿kali)-[~]
└─$ Ping: This tool is used to ensure communication between different devices or computer address and uses the (ICMP) Internet Control Message Protocol. This tool is largely used by network engineers, so they can confirm communication between devices on the network without problems. “Destination host unreachable” is printed if contact with difficulties or this address does not exist.
┌──(kali㉿kali)-[~]
└─$ ping 192.168.1.4 -c 4
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=128 time=0.361 ms
64 bytes from 192.168.1.4: icmp_seq=2 ttl=128 time=0.359 ms //True
64 bytes from 192.168.1.4: icmp_seq=3 ttl=128 time=0.374 ms
64 bytes from 192.168.1.4: icmp_seq=4 ttl=128 time=0.398 ms
--- 192.168.1.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3053ms
rtt min/avg/max/mdev = 0.359/0.373/0.398/0.015 ms
┌──(kali㉿kali)-[~]
└─$ ping 192.168.1.88
PING 192.168.1.88 (192.168.1.88) 56(84) bytes of data.
From 192.168.1.6 icmp_seq=1 Destination Host Unreachable
From 192.168.1.6 icmp_seq=2 Destination Host Unreachable //False
From 192.168.1.6 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.1.88 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4081ms
pipe 4
┌──(kali㉿kali)-[~]
└─$Arp: This tool can be used to view ARP tables on computer. There are all addresses of devices that are connected to the computer. This is very useful, and you can see if there is an IP impersonator connected to this computer.
C:\Users\Administrator>arp -a
Interface: 192.168.1.4 --- 0xb
Internet Address Physical Address Type
192.168.1.1 74-da-88-7f-c1-84 dynamic
192.168.1.6 08-00-27-50-4c-14 dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Interface: 169.254.253.188 --- 0x12
Internet Address Physical Address Type
169.254.255.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
C:\Users\Administrator>
Route and traceroute
The tools can be used to find out the routing methods, in other words, the intermediary devices between the communication processes, for example, PC1 wants to connect, PC2 what devices the connection goes through to reach me, PC2. The following tools can be used to find out the addresses of those intermediate devices.
Tracert: This tool is used to extract intermediate devices in communication processes where the ICMP protocol tool traces back and forth Round Trip Time (RTT) and that tool extracts intermediate device addresses on remote networks or so-called hops and remote network are supposed to be non-existent in the same router. And (the tool works on Windows).
C:\Users\Administrator>tracert google.com
Tracing route to google.com [142.251.37.206]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 192.168.1.1
2 7 ms 6 ms 7 ms 10.45.10.23
3 7 ms 6 ms 7 ms 10.38.20.217
4 7 ms 7 ms 7 ms 10.37.93.42
5 10 ms 10 ms 10 ms 10.38.157.1
6 12 ms 10 ms 10 ms 10.39.13.89
7 12 ms 11 ms 10 ms 10.39.15.217
8 11 ms 9 ms 10 ms 10.37.123.241
9 43 ms 48 ms 43 ms 72.14.196.84
10 44 ms 43 ms 43 ms 108.170.227.139
11 43 ms 43 ms 44 ms 142.251.78.81
12 43 ms 43 ms 43 ms mrs09s15-in-f14.1e100.net [142.251.37.206]
Trace complete.
C:\Users\Administrator>Traceroute: It's a tool that works on Linux systems because it does the same tracert business where it can also extract hops jumping addresses using UDP protocol by default instead of ICMP used with tracert
┌──(kali㉿kali)-[~]
└─$ traceroute google.com
traceroute to google.com (142.251.37.174), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.608 ms 0.815 ms 0.780 ms
2 10.45.10.23 (10.45.10.23) 7.754 ms 7.720 ms 7.414 ms
3 10.35.36.106 (10.35.36.106) 8.597 ms 10.35.36.146 (10.35.36.146) 8.428 ms 10.35.36.90 (10.35.36.90) 8.299 ms
4 10.37.93.42 (10.37.93.42) 9.644 ms 8.865 ms 8.742 ms
5 10.38.157.1 (10.38.157.1) 12.275 ms 12.134 ms 10.39.13.93 (10.39.13.93) 9.500 ms
6 10.39.13.89 (10.39.13.89) 12.917 ms 10.39.15.157 (10.39.15.157) 12.417 ms 10.39.15.142 (10.39.15.142) 12.344 ms
7 10.38.112.57 (10.38.112.57) 12.308 ms 10.39.15.209 (10.39.15.209) 11.351 ms 10.38.112.57 (10.38.112.57) 11.277 ms
8 10.38.249.90 (10.38.249.90) 11.766 ms 10.38.226.250 (10.38.226.250) 11.615 ms 10.37.98.61 (10.37.98.61) 12.013 ms
9 72.14.196.84 (72.14.196.84) 45.282 ms 45.249 ms 45.473 ms
10 * * *
11 72.14.232.162 (72.14.232.162) 48.083 ms mrs09s14-in-f14.1e100.net (142.251.37.174) 47.300 ms 142.251.78.76 (142.251.78.76) 44.039 ms
┌──(kali㉿kali)-[~]
└─$pathping: This tool provides communication detection as well as intermediate device extraction during communication and that tool works on Windows system, where there is a similar tool on Linux systems that is MTR.
(pathping = ping + tracert)
C:\Users\Administrator>pathping google.com
Tracing route to google.com [142.251.37.174]
over a maximum of 30 hops:
0 1AHDHMCEIGTEVLW [192.168.1.4]
1 192.168.1.1
2 10.45.10.23
3 10.35.36.146
4 10.37.93.42
5 10.38.157.1
6 10.39.13.89
7 10.39.15.213
8 10.38.249.90
9 72.14.196.84
10 108.170.227.139
11 142.251.78.89
12 mrs09s14-in-f14.1e100.net [142.251.37.174]
Computing statistics for 300 seconds...
