Attacking a Network

A network attack is often an elaborate and methodical operation. A hacker sometimes spends days or weeks scouting and mapping the system so he'll know exactly how the network is organized. The reconnaissance process typically consists of the following:

• Gathering information A full-scale network attack begins with a broad sweep to determine as much information as possible about the company. This process is sometimes called footprinting. Some of this information can be collected over the Web: company locations, email addresses, and affiliations, as well as links to other Web sites. The intruder attempts to obtain any and all domain names used by the company. The domain names are then used to query DNS servers for company IP addresses.

• Scanning As you learned in Hour 6, application services are accessible from the network through a TCP or UDP port address. The scanning phase tells the intruder which services are running on each host and which ports the services are using. Several tools are available for assisting with the scanning process. One of the most common port scanning tools is nmap.

• Probing In the final phase of the reconnaissance process, the intruder looks deeper into the network. At this stage, he must have obtained some form of network privilege. By now he is actually logging on to systems and poking around in configuration files. He looks for specific resources such as devices and file resources and searches for information on user and group security.

By the time the reconnaissance is complete, the intruder will have a detailed map of the network and a clear indication of any vulnerabilities. He will then employ some of the other strategies discussed in this hour to expand system privileges, establish back doors, and engage in his chosen mischief.