Small Business Attack – Network Reconnaissance
- At September 16, 2009
- By Josh More
- In Business Security
Suppose an attacker gets into your network. Last week, we discussed a few tools that they might use to profile different systems, but we didn’t look that deeply into network scanning. Once they’ve done some of the more basic and subtle checks, they may go on to more active exploration. The advantage of more active exploration is that an attacker can identify all services on all systems in a very short period of time. The disadvantage, of course, is that they are more likely to be detected.
However, since this is an attack day, let’s look at what the attacker can do here. Once they have control of a system, they can use nmap to scan the rest of the network from it. Suppose you have an internal file server, other workstations and printers. In seconds, the attacker will have a list of all systems and what’s running on them. For example, here is a (slightly altered) list of systems available from a wireless network.
# nmap 192.168.4.*

Starting Nmap 4.75 ( http://nmap.org ) at 2009-09-04 14:01 CDT
Interesting ports on 192.168.4.21:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
8654/tcp open  unknown

Interesting ports on 192.168.4.249:
Not shown: 997 closed ports
PORT      STATE SERVICE
6006/tcp  open  X11:6
9220/tcp  open  unknown
16001/tcp open  unknown
MAC Address: 00:40:63:99:58:E2 (VIA Technologies)

Interesting ports on 192.168.4.254:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2000/tcp open  callbook
MAC Address: 00:B0:D0:C0:54:11 (Dell Computer)

Nmap done: 256 IP addresses (5 hosts up) scanned in 12.61 seconds
So here, an attacker would know that 192.168.0.254 and 192.168.0.21 are running ssh and are therefore likely Linux or Unix servers, and the MAC address vendor lookup also tells them the hardware brands. For example, a Dell Computer that is running ssh may well be a server worth attacking (in this case, it’s not… but it could be). So, in twelve seconds, the attacker will know exactly what to target. Sure, it’s a noisy and noticeable way to profile a network, but if you don’t notice the scan, it’s well worth the risk to the attacker.
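The scan above is noisy precisely because one source touches many ports on many hosts in a few seconds, which is the pattern a defender can look for in firewall logs. The following is an added example (not code from the original post): it parses iptables-style syslog drop lines and flags any source that hits more than a threshold of distinct ports or hosts inside a sliding 60-second window. The log lines, the thresholds and the host 192.168.4.77 are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches iptables-style syslog lines; SRC/DST/DPT are the fields a scan detector needs.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) "
                     r"DST=(?P<dst>[\d.]+) .*DPT=(?P<dpt>\d+)")

def parse_line(line, year=2009):
    """Return (timestamp, src, dst, dport) or None if the line is not a firewall event."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])

def detect_scans(lines, window_s=60, port_threshold=10, host_threshold=5):
    """Flag sources touching more than port_threshold distinct ports or host_threshold
    distinct hosts in any window_s-second sliding window: {src: (max_ports, max_hosts)}."""
    events = defaultdict(list)
    for line in lines:
        if (ev := parse_line(line)):
            events[ev[1]].append((ev[0], ev[2], ev[3]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until it is within window_s of the newest event
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            ports = {e[2] for e in evs[start:end + 1]}
            hosts = {e[1] for e in evs[start:end + 1]}
            if len(ports) > port_threshold or len(hosts) > host_threshold:
                prev = alerts.get(src, (0, 0))
                alerts[src] = (max(prev[0], len(ports)), max(prev[1], len(hosts)))
    return alerts

def constructed_log():
    """Constructed sample, not real traffic: 192.168.4.77 sweeps 12 ports across
    3 hosts in 4 seconds; 192.168.4.10 makes 3 ordinary SMB connections to one host."""
    fmt = ("Sep  4 14:01:{sec:02d} fw kernel: DROP IN=eth0 SRC={src} DST={dst} "
           "PROTO=TCP SPT={spt} DPT={dpt}")
    ports = [21, 22, 23, 25, 80, 111, 139, 443, 445, 2000, 6006, 8654]
    lines = [fmt.format(sec=n // 3, src="192.168.4.77", dst=f"192.168.4.{(21, 249, 254)[n % 3]}",
                        spt=40000 + n, dpt=dpt) for n, dpt in enumerate(ports)]
    lines += [fmt.format(sec=10 + n * 20, src="192.168.4.10", dst="192.168.4.21",
                         spt=50000 + n, dpt=445) for n in range(3)]
    return lines
```

Running detect_scans(constructed_log()) flags only the sweeping host, while the client making repeated connections to a single file-server port stays below both thresholds.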
But what can you do about it?