This is the most important step in looking at a system. In this phase, you will try to identify as much information about the system as you can so you can make an educated attack. Most hacking web sites skip this step and go right to exploits. However, you need to know some information before exploiting a system. How else will you know the Operating System (OS) or the version of the applications and services running, and therefore which exploits will work? It is also key to understand the System Admins (sysadmins) that manage the machine you are looking at. You should try to work out whether they are security conscious. This helps identify possible traps they might have set up for you.
When I begin a vulnerability assessment, the first thing I do is try to understand the location of the machine. This is important because the legal system can play a part if I catch someone attacking my system.
As I begin to explain this first phase, I will take a few things for granted. First, that you have identified a target. Second, that you have the IP address of the machine you wish to attack. Also, that you have an understanding of a Unix or Unix-like OS (Linux) as well as NT. Finally, that you can download and install the tools that I mention here. If you need help with these applications, all of which I have personally downloaded, installed and use regularly, you should consult the web sites that you downloaded them from.
Reconnaissance is not illegal in the United States. You can port scan a network or machine across the Internet and not break any laws. This is similar to a bank robber walking into a bank just to see the location of security cameras and the security guards.
There are a couple of sites and tools to help you perform this task. Below I have listed some Whois sites. These sites offer a web site front end (GUI) to the main whois databases.
http://allwhois.com/home.html
(This one includes look-up capabilities for 61 countries)
http://whois.arin.net/whois/index.html
http://www.internic.net/whois.html
ARIN and the whois sites are where attackers can gather information about your IP address range as well as contact names and phone numbers. ARIN stands for the American Registry for Internet Numbers.
DNS can give important information as well. If you're a home user and don't run your own DNS, you don't have to worry. However, if you're a corporation and have DNS servers, this could be an important step one could use to gather more information on your networks. An attacker could dump all records from your DNS servers (a zone transfer), allowing them to determine which machines are accessible on the Internet. Also, using the Unix command nslookup, a lot of information can be learned. I suggest you try the following on your network and see what information is gathered (the first line starts nslookup; the next two are typed at its interactive prompt):
nslookup
> set type=any
> ls -d target_network_name
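The same zone-transfer check against your own nameservers can be scripted. Modern BIND versions of nslookup no longer support the ls command; the equivalent is dig axfr, and the added example below (mine, not part of the original article) parses constructed dig axfr output to report whether the transfer was allowed and which hosts an outsider would have learned. The zone name, server and addresses are assumptions.

```python
import re

# Constructed sample of what "dig axfr" prints when a nameserver allows
# zone transfers to anyone (assumed zone example.com; not a real capture).
SAMPLE_OPEN_TRANSFER = """\
; <<>> DiG 9.16.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
www.example.com.\t3600\tIN\tA\t192.0.2.10
mail.example.com.\t3600\tIN\tA\t192.0.2.25
vpn.example.com.\t3600\tIN\tA\t192.0.2.30
example.com.\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
"""

# Constructed sample of the output when the server refuses the transfer,
# which is what a properly restricted nameserver should produce.
SAMPLE_REFUSED = """\
; <<>> DiG 9.16.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.
"""

# owner name, TTL, class IN, record type, record data
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_axfr(output):
    """Return (transfer_allowed, records) from dig axfr output text."""
    records = []
    for line in output.splitlines():
        if line.startswith(";"):        # comments and status lines
            continue
        m = RR_LINE.match(line)
        if m:
            name, _ttl, rtype, rdata = m.groups()
            records.append((name.rstrip("."), rtype, rdata))
    # A complete transfer begins and ends with the zone's SOA record.
    soa_count = sum(1 for r in records if r[1] == "SOA")
    return (soa_count >= 2, records)

def exposed_hosts(output):
    """Hostnames and addresses an outsider learns when AXFR is open."""
    allowed, records = parse_axfr(output)
    if not allowed:
        return {}
    return {name: rdata for name, rtype, rdata in records
            if rtype in ("A", "AAAA")}
```

Run it against the real output of dig axfr yourzone @your-nameserver; if exposed_hosts returns anything, the server should restrict transfers to its secondaries.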
Many major companies I worked for in the past have affiliates or companies they have acquired that may join the main company's backbone. This is critical because too many times I have seen this happen and the affiliates had no protection or monitoring of their Internet connection. In other words, instead of trying to hack into the main company, look for a business partner or affiliate that would be connected to the network of the main company. One way to discover this information is to frequent the web site of the main company and look for announcements. Or do a search in a search engine like Yahoo or AltaVista like this: "link: www.target.com". That searches for sites that have made links to the target.
SAM SPADE is a great tool to help with all this as well. I don't see it mentioned much, but it is a pretty comprehensive tool for gathering reconnaissance information. You can download it from www.samspade.org. This tool runs on Windows systems, has a nice GUI and provides the following functions:
Ping
Nslookup
Whois
IP block whois
Dig
Traceroute
Finger
Smtp verify
Web browser
Keep_alive
DNS zone transfer
I have also given a list of web sites below that will do the dirty work for you. This is nice since if the target site logs, it will log these web sites as the scanner and not you. Remember, it is not illegal to scan a system or network.
www.network-tools.com
suicide.netfarmers.net
www.securityspace.com
privacy.net/analyze
crypto.yashy.com
www.webtrends.net/tools/security/scan.asp
www.doshelp.com
www.dslreports.com/r3/dsl/secureme
Of course there are many methods, many tools and many web sites that help with this stage of the attack. However, I think it's important not to forget the basics, like pinging and tracerouting. Tracerouting can give important information, such as whether there is a firewall or gateway between you and the target. So always perform these simple commands to get every piece of information you can and ensure fewer surprises.
Finally, I would like to pinpoint key information you want to discover about your target.
Computer Name:________________________
Computer IP:___________________________
Computer OS:__________________________
OS Version:____________________________
Ports and Services Running:_________________
Geographical Location of Computer:__________
Other IP Addresses Target Owns:____________
Notes:_________________________________