Network Security Assessment
Authors: McNab C.
Published year: 2006
Pages: 33-35/166

3.4 Enumeration Technique Recap

It is an interesting and entirely legal exercise to enumerate the CIA and other organizations' networks from the Internet by querying public records. As a recap, here is a list of public Internet-based querying techniques and their application:


Web and newsgroup searches

Using Google to perform searches against established domain names and target networks to identify personnel, hostnames, domain names, and useful data residing on publicly accessible web servers.


NIC querying

Querying NIC databases such as ARIN, APNIC, and RIPE to retrieve network block, routing, and contact details related to the target networks and domain names. NIC querying gives useful information relating to the sizes of reserved network blocks (useful later when performing intrusive network scanning).


DNS querying

Querying publicly accessible DNS servers to enumerate hostnames and subdomains. Misconfigured DNS servers can also be abused to download DNS zone files that categorically list subdomains, hostnames, operating platforms of devices, and, in severe cases, internal network information.


SMTP probing

Sending email to nonexistent accounts at target domains to map internal network space by analyzing the responses from the SMTP system.


3.5 Enumeration Countermeasures

Use the following checklist of countermeasures to effectively reconfigure your Internet-facing systems not to give away potentially sensitive information:

  • Configure web servers to prevent indexing of directories that don't contain index.html or similar index files (default.asp under IIS, for example). Also ensure that sensitive documents and files aren't kept on publicly accessible hosts, such as HTTP or FTP servers.

  • Always use a generic, centralized network administration contact detail (such as an IT help desk) in Network Information Center databases, to prevent potential social engineering and war dialing attacks against IT departments from being effective.

  • Configure all name servers to disallow DNS zone transfers to untrusted hosts.

  • Ensure that nonpublic hostnames aren't referenced to IP addresses within the DNS zone files of publicly accessible DNS servers, to prevent reverse DNS sweeping from being effective. This practice is known as split horizon DNS, using separate DNS zones internally and externally.

  • Ensure that HINFO and other novelty records don't appear in DNS zone files.

  • Configure SMTP servers either to ignore email messages to unknown recipients or to send responses that don't include the following types of information:

    • Details of mail relay systems being used (such as Sendmail or MS Exchange).

    • Internal IP address or host information.
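A small lint that a defender can run over the zone served by an external name server to catch two of the DNS items on the checklist above: nonpublic hostnames that resolve to internal addresses, and HINFO or similar novelty records. This is an added example, not code from the book; the sample zone, the list of internal address ranges and the set of flagged record types are constructed assumptions.

```python
import ipaddress

# Ranges that should never appear in an externally served zone (assumed list:
# RFC 1918, loopback, link-local, IPv6 ULA); extend to match your own addressing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
NOVELTY_TYPES = {"HINFO", "RP", "LOC"}  # assumed set of "novelty" record types to flag

# Constructed sample external zone (placeholder names and addresses, not from the book)
SAMPLE_ZONE = """\
$ORIGIN example.com.
@       IN  SOA   ns1.example.com. hostmaster.example.com. (1 3600 900 604800 86400)
@       IN  NS    ns1.example.com.
ns1     IN  A     203.0.113.10
www     IN  A     203.0.113.20
www     IN  HINFO "Intel" "Linux"   ; reveals the operating platform
fw-int  IN  A     10.0.0.1          ; internal host leaked into the public zone
backup  IN  AAAA  fd00::5           ; ULA address, reachable only internally
"""

def parse_zone(text):
    """Yield (owner, type, rdata) from a one-record-per-line master file."""
    origin = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        if line.startswith("$"):                 # $ORIGIN sets the suffix; skip others
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = line.split()
        owner = origin if fields[0] == "@" else fields[0]
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"
        i = 1                                    # skip optional TTL and class fields
        while fields[i].isdigit() or fields[i].upper() == "IN":
            i += 1
        yield owner, fields[i].upper(), " ".join(fields[i + 1:])

def lint_public_zone(text):
    """Return (owner, type, reason) for each record that leaks internal detail."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype in NOVELTY_TYPES:
            findings.append((owner, rtype, "novelty record reveals platform details"))
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((owner, rtype, f"resolves to internal address {addr}"))
    return findings
```

Running `lint_public_zone(SAMPLE_ZONE)` reports the HINFO record on www and the two internal addresses; a clean external zone returns an empty list.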


Chapter 4. IP Network Scanning

This chapter focuses on the technical execution of IP network scanning. After undertaking initial reconnaissance to identify IP address spaces of interest, network scanning builds a clearer picture of accessible hosts and their network services. Network scanning and reconnaissance is the real data gathering exercise of an Internet-based security assessment. The rationale behind IP network scanning is to gain insight into the following elements of a given network:

  • ICMP message types that generate responses from target hosts

  • Accessible TCP and UDP network services running on the target hosts

  • Operating platforms of target hosts and their configuration

  • Areas of vulnerability within target host IP stack implementations (including sequence number predictability for TCP spoofing and session hijacking)

  • Configuration of filtering and security systems (including firewalls, border routers, switches, and IDS sensors)

Performing both network scanning and reconnaissance tasks paints a clear picture of the network topology and its security mechanisms. Before penetrating the target network, further assessment steps involve gathering specific information about the TCP and UDP network services that are running, including their versions and enabled options.
