We are legion, for we are many.

Sunday, July 10, 2016

What is discovery scanning?

12:05:00 AM Posted by Unknown
Discovery scanning is the process of identifying live hosts on a network. In the context of
penetration testing, it is usually performed to identify potential targets for attack. The
objective at this stage is not to spend effort gathering detailed information about each target,
but simply to find out where the targets are logically located. The final product of discovery
should be a list of IP addresses that can then be used for further analysis (port scanning,
fingerprinting, and so on). In this post and the tutorials that follow, we discuss how to discover
hosts on a network using protocols operating at layer 2, layer 3, and layer 4 of the OSI model.
The tutorials will cover each of the following recipes:
#Using Scapy to perform layer 2 discovery
#Using ARPing to perform layer 2 discovery
#Using Nmap to perform layer 2 discovery
#Using NetDiscover to perform layer 2 discovery
#Using Metasploit to perform layer 2 discovery
#Using ICMP ping to perform layer 3 discovery
#Using Scapy to perform layer 3 discovery
#Using Nmap to perform layer 3 discovery
#Using fping to perform layer 3 discovery
#Using hping3 to perform layer 3 discovery
#Using Scapy to perform layer 4 discovery
#Using Nmap to perform layer 4 discovery
#Using hping3 to perform layer 4 discovery
Before addressing each of these scanning techniques specifically, we should first cover a
few underlying principles. The Open Systems Interconnection (OSI) model is an International
Organization for Standardization (ISO) standard that defines how networked systems
communicate. The model is divided into seven layers that describe how application content is
sent by one system and received by another. The upper layers of the OSI model tend to be
visible to the end user, whereas the lower layers operate transparently to most casual users.
The layers are as follows:
OSI model              Layer description                                              Protocols and formats
Layer 7 – Application  The application software that sends and receives data          HTTP, FTP, and Telnet
Layer 6 – Presentation How data is formatted or organized                             ASCII, JPEG, PDF, PNG, and DOCX
Layer 5 – Session      Application session control, management, synchronization,
                       and termination                                                NetBIOS, PPTP, RPC, and SOCKS
Layer 4 – Transport    End-to-end communication services                              TCP and UDP
Layer 3 – Network      Logical system addressing                                      IPv4, IPv6, ICMP, and IPsec
Layer 2 – Data link    Physical (MAC) system addressing                               ARP
Layer 1 – Physical     The data stream that is passed over the wire
The lower layers of the OSI model are largely used to ensure that network traffic successfully
arrives at its intended destination. Many of the commonly used protocols at these lower
layers require a response from the destination system and, as such, can be leveraged by an
attacker to identify live systems: if a host answers an ARP request, an ICMP echo request, or a
TCP/UDP probe, it is alive, whatever it may be hiding at the application layer. The techniques
discussed in the remainder of this section use layer 2, 3, and 4 protocols to discover live
network systems. Before addressing each of the specific recipes, we briefly discuss the protocols
used and how they can be leveraged for discovery.
Layer 2 discovery relies on ARP (Address Resolution Protocol). An ARP request is broadcast to
the local segment asking which host owns a given IPv4 address; the owner replies with its MAC
address. Because every IPv4 host on an Ethernet segment must answer ARP for its own address in
order to communicate at all, a host cannot simply "turn off" ARP the way it can drop ICMP echo
requests or filter TCP ports. The pros and cons of layer 2 discovery with ARP are as follows:
***Pros:
#Very fast (no routing, and replies come straight back on the local segment)
#Highly reliable (host-based firewalls that block ICMP or filter ports do not hide a host from ARP)
***Cons:
#Cannot discover remote systems: ARP is a non-routable protocol, so only hosts in the same
broadcast domain as the scanning machine can be found this way. Anything beyond the local
gateway requires layer 3 or layer 4 discovery.
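The recipes listed above use Scapy, ARPing, Nmap, NetDiscover and Metasploit to send and receive ARP frames. To make concrete what those tools are doing on the wire, and why ARP stops at the local segment, here is an added example (written for this post, not code from the original book or any of those tools) that hand-builds an ARP request frame with Python's standard library, parses ARP replies into an IP-to-MAC table, and partitions a target list into hosts that ARP can reach and hosts that need layer 3 or 4 discovery. The MAC and IP addresses, the local subnet 192.168.1.0/24, and the reply frames are all constructed for illustration; actually putting the frame on the wire would need a raw socket and root privileges, which the example deliberately leaves out so it runs offline.

```python
"""Hand-built ARP frames for layer 2 discovery (added example, not from the original post).

Offsets in an Ethernet II + ARP frame (42 bytes total):
  0-5 dst MAC | 6-11 src MAC | 12-13 ethertype (0x0806 = ARP)
  14-15 htype | 16-17 ptype | 18 hlen | 19 plen | 20-21 oper (1 request, 2 reply)
  22-27 sender MAC | 28-31 sender IP | 32-37 target MAC | 38-41 target IP
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _arp_frame(dst_mac: str, src_mac: str, oper: int, spa: str, tha: str, tpa: str) -> bytes:
    eth = struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
                      mac_to_bytes(src_mac), ipaddress.IPv4Address(spa).packed,
                      mac_to_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip?' broadcast to the whole segment; target MAC is unknown, so zeroed."""
    return _arp_frame(BROADCAST_MAC, src_mac, ARP_REQUEST, src_ip, "00:00:00:00:00:00", target_ip)


def build_arp_reply(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> bytes:
    """What a live host sends back (constructed here to stand in for a captured reply)."""
    return _arp_frame(dst_mac, src_mac, ARP_REPLY, src_ip, dst_mac, dst_ip)


def parse_arp_reply(frame: bytes):
    """Return (ip, mac) of the responding host if frame is an ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return str(ipaddress.IPv4Address(spa)), bytes_to_mac(sha)


def discover_from_frames(frames) -> dict:
    """Build the discovery result: every host that answered, keyed by IP -> MAC."""
    live = {}
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:  # requests, non-ARP traffic and runts are ignored
            live[parsed[0]] = parsed[1]
    return live


def arp_reachable(local_cidr: str, targets):
    """ARP is not routed: only targets inside the scanner's own subnet can answer.

    Returns (local_targets, remote_targets); the remote ones need ICMP or TCP/UDP discovery.
    """
    net = ipaddress.ip_network(local_cidr, strict=False)
    local, remote = [], []
    for t in targets:
        (local if ipaddress.ip_address(t) in net else remote).append(t)
    return local, remote


if __name__ == "__main__":
    me_mac, me_ip = "aa:bb:cc:dd:ee:ff", "192.168.1.10"          # constructed scanner identity
    targets = ["192.168.1.20", "192.168.1.254", "10.0.0.5"]       # constructed target list
    local, remote = arp_reachable("192.168.1.10/24", targets)
    requests = [build_arp_request(me_mac, me_ip, t) for t in local]
    # Constructed "captured" frames: one real reply, one non-ARP IPv4 frame, one of our own requests.
    captured = [build_arp_reply("00:11:22:33:44:55", "192.168.1.20", me_mac, me_ip),
                b"\x00" * 12 + b"\x08\x00" + b"\x00" * 46, requests[0]]
    print("ARP requests sent:", len(requests), "remote (need L3/L4):", remote)
    print("live hosts:", discover_from_frames(captured))
```

The scanner has to send one broadcast per candidate address, which is why ARP sweeps are fast on a /24 but useless against anything past the default gateway: `arp_reachable` is the decision the later layer 3 and layer 4 recipes exist to cover.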
