Assess organizational security with network reconnaissance tools part 1 - ProgrammerTech
Assess organizational security with network reconnaissance tools part 1


Security assessment refers to the processes, procedures, and tools used to find out whether an organization has weaknesses that threat actors can exploit. In practice it is a survey of all of an organization's services, including the network infrastructure and the web applications. The threat actor may be a relatively unskilled attacker or someone as capable as a professional penetration testing engineer. The outcome of the assessment is a set of recommendations to deploy, enhance, or restructure security controls so that the risk of those vulnerabilities being exploited by a threat agent is reduced.

Reconnaissance is one of the most effective security assessment activities. It maps the enterprise's service infrastructure by identifying the hosts and the communication paths that make up the network. The checks on the network infrastructure are run with a set of tools, some with a command-line interface (CLI) and some with a graphical user interface (GUI). With these tools we can analyse the data crossing the network, follow individual packets, scan the network in detail, identify the services running in the infrastructure, and see whether a service has a known weakness. You should also understand how the same tools can be used by an attacker to plant a backdoor on a host and quietly exfiltrate data from it.

Ipconfig, ping, and arp 

These are tools that can be used for reconnaissance and for spotting potential weaknesses. Reconnaissance techniques are used by threat agents, but security professionals use the same techniques to verify their own systems as part of an effective security assessment and of ongoing monitoring.

Topology discovery, or footprinting, is the process of building a complete map of the network. Devices are scanned to identify the services running on them and the type of operating system (Linux, Windows, and so on). Other topology discovery methods aim to map the entire infrastructure: every device on the network, including servers, user workstations and the protective devices (firewalls and similar), together with the operating systems those devices run.

[Figure: network topology diagram]
 

The following tools can be used for topology discovery, and they ship with the operating system itself, whether Linux or Windows.
 

ipconfig : a Windows tool that displays the machine's network interfaces with their addresses: IPv4, IPv6, subnet mask and default gateway. Run as ipconfig /all it also shows the MAC (physical) address, the DNS servers, and whether the address is static or was obtained from a DHCP server. The plain form shown below prints only the address summary.

C:\Users\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::88d2:2f90:70ed:6abb%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter VirtualBox Host-Only Network:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::5ce7:800:4626:fdbc%18
   Autoconfiguration IPv4 Address. . : 169.254.253.188
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{9BBD4417-E04C-4CA1-849D-0023BBAE2EB6}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{455F6785-017B-4B36-AFDF-3EB13A27900B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Users\Administrator>

ifconfig : does the same job as ipconfig, but on Linux systems. The interface's MAC address appears on the ether line. Many current distributions ship ip addr (from the iproute2 package) instead of, or alongside, ifconfig, and it shows the same information.

┌──(kali㉿kali)-[~]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.6  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe50:4c14  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:50:4c:14  txqueuelen 1000  (Ethernet)
        RX packets 62  bytes 5765 (5.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 27  bytes 2962 (2.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(kali㉿kali)-[~]
└─$

Ping: checks whether two machines can reach each other, using ICMP (Internet Control Message Protocol) echo requests and replies. Network engineers use it constantly to confirm that devices on the network can talk to each other without problems. On Linux ping keeps sending until interrupted, so -c 4 limits it to four probes; Windows ping sends four by default. "Destination Host Unreachable" is printed when the local host gets no route or no ARP answer for the address, for example because nothing exists at that address on the local subnet. A host that is up but whose firewall drops ICMP simply never answers, so silence alone does not prove that an address is unused. The ttl value in a reply is also a rough hint at the operating system: Windows hosts start at 128 and Linux hosts at 64 by default, and each router on the path decrements it by one, which is why the Windows machine at 192.168.1.4 answers with ttl=128 below.

┌──(kali㉿kali)-[~]
└─$ ping 192.168.1.4 -c 4
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=128 time=0.361 ms
64 bytes from 192.168.1.4: icmp_seq=2 ttl=128 time=0.359 ms      <-- host replies: reachable
64 bytes from 192.168.1.4: icmp_seq=3 ttl=128 time=0.374 ms
64 bytes from 192.168.1.4: icmp_seq=4 ttl=128 time=0.398 ms

--- 192.168.1.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3053ms
rtt min/avg/max/mdev = 0.359/0.373/0.398/0.015 ms

┌──(kali㉿kali)-[~]
└─$ ping 192.168.1.88
PING 192.168.1.88 (192.168.1.88) 56(84) bytes of data.
From 192.168.1.6 icmp_seq=1 Destination Host Unreachable
From 192.168.1.6 icmp_seq=2 Destination Host Unreachable      <-- nothing answers ARP for this address
From 192.168.1.6 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.1.88 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4081ms
pipe 4

┌──(kali㉿kali)-[~]
└─$
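Putting the three outcomes of a ping run to work, here is an added example (my own code, not part of the original article) that turns ping output into a verdict and reuses that verdict for a subnet sweep. It assumes Linux iputils ping (the -c and -W flags) and the usual default TTL values; the sample outputs inside it are constructed from the two runs shown above, so the classifier can be exercised without a network.

```shell
#!/bin/sh
# Added example, not code from the original article: classify the result of a
# ping run and reuse that logic for a /24 sweep. Flags are Linux iputils ping
# syntax (-c count, -W timeout in seconds); Windows ping uses -n and -w.

# classify_ping reads the output of one ping run on stdin and prints one line:
#   up ttl=<n> guess=<family>   a reply came back; the TTL is a rough OS hint
#   unreachable                 "Destination Host Unreachable": ARP or route failed
#   silent                      probes sent, nothing came back: host down OR ICMP filtered
classify_ping() {
  awk '
    /Destination Host Unreachable/ { unreach = 1 }
    /bytes from/ && !ttl {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^ttl=/) { split($i, a, "="); ttl = a[2] + 0 }
    }
    END {
      if (ttl) {
        # Common default initial TTLs: 64 (Linux, BSD, macOS), 128 (Windows),
        # 255 (many routers). The observed TTL is that default minus the hop
        # count, so the band it falls in is a heuristic, not proof.
        if (ttl <= 64)       os = "linux-unix"
        else if (ttl <= 128) os = "windows"
        else                 os = "network-device"
        printf "up ttl=%d guess=%s\n", ttl, os
      } else if (unreach) {
        print "unreachable"
      } else {
        print "silent"
      }
    }'
}

# ping_sweep PREFIX FIRST LAST: one probe per host with a 1 s timeout,
# e.g. ping_sweep 192.168.1 1 254. Needs a network; not run by the samples below.
ping_sweep() {
  for i in $(seq "$2" "$3"); do
    ip="$1.$i"
    printf '%s %s\n' "$ip" "$(ping -c 1 -W 1 "$ip" 2>/dev/null | classify_ping)"
  done
}

# Constructed samples (trimmed copies of what ping prints) so the classifier
# can be exercised offline.
SAMPLE_UP='PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=128 time=0.361 ms
--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms'
SAMPLE_UNREACH='PING 192.168.1.88 (192.168.1.88) 56(84) bytes of data.
From 192.168.1.6 icmp_seq=1 Destination Host Unreachable
--- 192.168.1.88 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms'
SAMPLE_SILENT='PING 10.0.0.9 (10.0.0.9) 56(84) bytes of data.
--- 10.0.0.9 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms'

for s in "$SAMPLE_UP" "$SAMPLE_UNREACH" "$SAMPLE_SILENT"; do
  printf '%s\n' "$s" | classify_ping
done
```

The important design point is the third verdict: a sweep that reports only "up" and "down" hides the hosts that drop ICMP, and those are often the ones worth a second look with a TCP or ARP probe.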

Arp: displays the computer's ARP table (cache): the IP-to-MAC mappings of every device on the local subnet that the machine has recently talked to. It is very useful for spotting an impostor on the LAN. If the gateway's IP suddenly maps to a different MAC address, or one MAC address answers for several IPs, someone may be poisoning ARP caches in order to intercept traffic. The static entries for the broadcast address (ff-ff-ff-ff-ff-ff) and the multicast addresses (01-00-5e-...) are normal. The first three bytes of a MAC identify the vendor: 08-00-27 below is the VirtualBox prefix, which tells you the Kali machine at 192.168.1.6 is a virtual machine. On Linux the equivalent listing comes from arp -a or ip neigh, in a slightly different format.


C:\Users\Administrator>arp -a

Interface: 192.168.1.4 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           74-da-88-7f-c1-84     dynamic
  192.168.1.6           08-00-27-50-4c-14     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 169.254.253.188 --- 0x12
  Internet Address      Physical Address      Type
  169.254.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

C:\Users\Administrator>
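As an added example (not code from the article), the two checks below run over a saved arp -a listing and flag the two classic ARP-spoofing signs just described: one MAC answering for several IPs, and the gateway's MAC changing from a known-good baseline. The Windows three-column format is assumed, the expected gateway MAC is the one in the table above, and the poisoned table is constructed to show what a hijacked gateway entry looks like.

```shell
#!/bin/sh
# Added example, not from the original article: two checks over a saved
# "arp -a" listing (Windows format: IP, MAC with dashes, Type) that flag the
# usual ARP-spoofing signs. On Linux the listing comes from "ip neigh" and the
# columns differ, so the awk field numbers would need adjusting.

# dup_macs: print every MAC that appears on more than one dynamic entry,
# followed by the IPs it claims. One NIC legitimately answering for several
# IPs is rare on a client LAN; an attacker poisoning the cache is not.
dup_macs() {
  awk '
    $3 == "dynamic" {
      ips[$2] = (ips[$2] == "" ? "" : ips[$2] ",") $1
      n[$2]++
    }
    END { for (m in n) if (n[m] > 1) printf "%s %s\n", m, ips[m] }' | sort
}

# check_gateway GATEWAY_IP EXPECTED_MAC: compare the MAC the cache holds for
# the default gateway against a baseline recorded earlier from a trusted state.
check_gateway() {
  seen=$(awk -v gw="$1" '$1 == gw { print $2; exit }')
  if [ "$seen" = "$2" ]; then
    printf 'gateway %s ok (%s)\n' "$1" "$seen"
  else
    printf 'ALERT gateway %s now at %s, expected %s\n' "$1" "${seen:-<missing>}" "$2"
  fi
}

# Constructed samples. The first is the table shown above; the second is the
# same table after the neighbour at 08-00-27-50-4c-14 has poisoned the cache
# and taken over the gateway's IP.
ARP_CLEAN='Interface: 192.168.1.4 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           74-da-88-7f-c1-84     dynamic
  192.168.1.6           08-00-27-50-4c-14     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static'
ARP_SPOOFED='Interface: 192.168.1.4 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           08-00-27-50-4c-14     dynamic
  192.168.1.6           08-00-27-50-4c-14     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static'

printf '%s\n' "$ARP_SPOOFED" | dup_macs
printf '%s\n' "$ARP_SPOOFED" | check_gateway 192.168.1.1 74-da-88-7f-c1-84
```

Only dynamic entries are considered, so the broadcast and multicast rows, which share MACs by design, never trigger a false alarm. The baseline for check_gateway has to be captured while the network is known to be clean; a value read from an already poisoned cache is worthless.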

Route and traceroute 

These tools reveal the route a connection takes, that is, the intermediate devices between the two endpoints: when PC1 connects to PC2, which routers does the traffic pass through on the way? The following tools list the addresses of those intermediate devices.

Tracert: the Windows tool for listing the intermediate devices, or hops, in a path. It sends ICMP echo requests with an increasing TTL (time to live) value, starting at 1; each router that decrements the TTL to zero discards the packet and sends back an ICMP Time Exceeded message, which reveals that router's address, and the round-trip time (RTT) to every hop is measured three times. The hops it shows are the routers on remote networks, that is, networks that are not directly attached to the local router.
 


C:\Users\Administrator>tracert google.com

Tracing route to google.com [142.251.37.206]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  192.168.1.1
  2     7 ms     6 ms     7 ms  10.45.10.23
  3     7 ms     6 ms     7 ms  10.38.20.217
  4     7 ms     7 ms     7 ms  10.37.93.42
  5    10 ms    10 ms    10 ms  10.38.157.1
  6    12 ms    10 ms    10 ms  10.39.13.89
  7    12 ms    11 ms    10 ms  10.39.15.217
  8    11 ms     9 ms    10 ms  10.37.123.241
  9    43 ms    48 ms    43 ms  72.14.196.84
 10    44 ms    43 ms    43 ms  108.170.227.139
 11    43 ms    43 ms    44 ms  142.251.78.81
 12    43 ms    43 ms    43 ms  mrs09s15-in-f14.1e100.net [142.251.37.206]

Trace complete.

C:\Users\Administrator>

Traceroute: the Linux equivalent of tracert. It lists the same hop addresses but by default sends UDP probes to high, unused ports (starting at 33434) rather than ICMP echo requests; the destination answers the last probe with ICMP Port Unreachable, which ends the trace. traceroute -I switches to ICMP echo, like tracert, and traceroute -T uses TCP SYN probes, which often get through firewalls that block the other two. Because each of the three probes for a hop can take a different path across load-balanced links, one line may show more than one address, as at hops 3, 5 and 6 below. A line of three asterisks (hop 10) means no reply came back within the timeout, usually a router that does not send ICMP Time Exceeded or a firewall that drops it. Note also that hops 2 to 8 in both traces are 10.x.x.x addresses: private address space inside the ISP's network, so the first device on the public Internet is only reached at hop 9.

┌──(kali㉿kali)-[~]
└─$ traceroute google.com
traceroute to google.com (142.251.37.174), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.608 ms  0.815 ms  0.780 ms
 2  10.45.10.23 (10.45.10.23)  7.754 ms  7.720 ms  7.414 ms
 3  10.35.36.106 (10.35.36.106)  8.597 ms 10.35.36.146 (10.35.36.146)  8.428 ms 10.35.36.90 (10.35.36.90)  8.299 ms
 4  10.37.93.42 (10.37.93.42)  9.644 ms  8.865 ms  8.742 ms
 5  10.38.157.1 (10.38.157.1)  12.275 ms  12.134 ms 10.39.13.93 (10.39.13.93)  9.500 ms
 6  10.39.13.89 (10.39.13.89)  12.917 ms 10.39.15.157 (10.39.15.157)  12.417 ms 10.39.15.142 (10.39.15.142)  12.344 ms
 7  10.38.112.57 (10.38.112.57)  12.308 ms 10.39.15.209 (10.39.15.209)  11.351 ms 10.38.112.57 (10.38.112.57)  11.277 ms
 8  10.38.249.90 (10.38.249.90)  11.766 ms 10.38.226.250 (10.38.226.250)  11.615 ms 10.37.98.61 (10.37.98.61)  12.013 ms
 9  72.14.196.84 (72.14.196.84)  45.282 ms  45.249 ms  45.473 ms
10  * * *
11  72.14.232.162 (72.14.232.162)  48.083 ms mrs09s14-in-f14.1e100.net (142.251.37.174)  47.300 ms 142.251.78.76 (142.251.78.76)  44.039 ms 
┌──(kali㉿kali)-[~]
└─$
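To make the reconnaissance value of a trace explicit, here is an added example (not from the article) that summarises Linux traceroute output hop by hop: private versus public address space, the worst RTT per hop, hops that never answered, and the hop at which the path first leaves the provider's private addressing. It assumes the Linux traceroute output format with the IP in parentheses; the sample is a shortened, constructed copy of the trace above.

```shell
#!/bin/sh
# Added example, not from the original article: summarise a Linux traceroute
# run hop by hop so the parts that matter for reconnaissance stand out: which
# hops sit on private (RFC 1918) address space, where the path first reaches
# a public address, and which hops dropped the probes.

# trace_summary reads traceroute output on stdin and prints, per hop:
#   <hop> <first address> <private|public|no-reply> <worst RTT in ms, or ->
trace_summary() {
  awk '
    function is_private(ip,  o) {
      split(ip, o, ".")
      return (o[1] + 0 == 10) || (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) || (o[1] + 0 == 192 && o[2] + 0 == 168)
    }
    $1 ~ /^[0-9]+$/ {
      hop = $1; max = "-"
      if ($2 == "*") { print hop, "*", "no-reply", max; next }
      # Linux traceroute prints "name (ip)"; take the ip inside the parentheses.
      ip = $3; gsub(/[()]/, "", ip)
      for (i = 1; i <= NF; i++)
        if ($i == "ms" && $(i - 1) + 0 > max + 0) max = $(i - 1)
      print hop, ip, (is_private(ip) ? "private" : "public"), max
    }'
}

# first_public_hop: the hop number at which the path leaves private address
# space. Every hop before it belongs to the local network or the ISP, not to
# the Internet, so it marks where your own traffic becomes visible to others.
first_public_hop() {
  trace_summary | awk '$3 == "public" { print $1; exit }'
}

# Constructed sample: hops 1-3 and 9-11 of the traceroute shown above.
SAMPLE_TRACE='traceroute to google.com (142.251.37.174), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.608 ms  0.815 ms  0.780 ms
 2  10.45.10.23 (10.45.10.23)  7.754 ms  7.720 ms  7.414 ms
 3  10.35.36.106 (10.35.36.106)  8.597 ms 10.35.36.146 (10.35.36.146)  8.428 ms 10.35.36.90 (10.35.36.90)  8.299 ms
 9  72.14.196.84 (72.14.196.84)  45.282 ms  45.249 ms  45.473 ms
10  * * *
11  72.14.232.162 (72.14.232.162)  48.083 ms mrs09s14-in-f14.1e100.net (142.251.37.174)  47.300 ms 142.251.78.76 (142.251.78.76)  44.039 ms'

printf '%s\n' "$SAMPLE_TRACE" | trace_summary
printf 'first public hop: %s\n' "$(printf '%s\n' "$SAMPLE_TRACE" | first_public_hop)"
```

The jump in worst-case RTT between hop 3 and hop 9 is the other thing to read off the summary: it shows where the provider's network ends and the long-haul path begins, which is useful when deciding which hops are yours to assess and which belong to someone else.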

pathping: a Windows tool that combines ping and tracert. It first traces the route, then sends probes to every hop for a period of time and reports per-hop packet loss and latency, which makes it possible to see which intermediate device is losing packets. The statistics phase takes 25 seconds per hop, hence "Computing statistics for 300 seconds" for the 12 hops below. The Linux counterpart is mtr.

(pathping = ping + tracert)


C:\Users\Administrator>pathping google.com

Tracing route to google.com [142.251.37.174]
over a maximum of 30 hops:
  0  1AHDHMCEIGTEVLW [192.168.1.4]
  1  192.168.1.1
  2  10.45.10.23
  3  10.35.36.146
  4  10.37.93.42
  5  10.38.157.1
  6  10.39.13.89
  7  10.39.15.213
  8  10.38.249.90
  9  72.14.196.84
 10  108.170.227.139
 11  142.251.78.89
 12  mrs09s14-in-f14.1e100.net [142.251.37.174]

Computing statistics for 300 seconds...


Ahmed Kaissar

From Giza Governorate, Egypt. A web programmer and information security expert, a lover of technology and information security, a trainer for the languages Python, HTML, CSS, PHP, JS and Laravel, and a CTF trainer. I hope to pass on everything I have to everyone and not skimp on any information.