In Chapter 4, we performed detailed autonomous system and routing domain mapping to look at the network as a whole. In this chapter, we look at standalone hosts such as routers and switches to identify their operational systems, open ports, running services, and supported protocols.
Initially, we planned for a single chapter to be devoted to network and host reconnaissance. However, the Border Gateway Protocol (BGP) turned out to be such great fun to play with that the network enumeration section outgrew its expected size . We split off the host enumeration and fingerprinting section to give us a better opportunity to describe this important part of the attacking procedure in greater detail. As in Chapter 4, we start from a less intrusive methodology, such as sniffing traffic and passive fingerprinting, and slowly move to full-connect portscans and banner grabbing .