System Software
Security
(416CY)
Dr. Sondos Fadl
Lecture 03
Outlines
3.1- Assess Organizational Security with Network Reconnaissance Tools
3.2- Explain Security Concerns with General Vulnerability Types
3.3- Summarize Vulnerability Scanning Techniques
3.4- Explain Penetration Testing Concepts
Labs
Lab 1: Exploring the Lab Environment
Lab 2: Scanning and Identifying Network Nodes
Lab 3: Intercepting and Interpreting Network Traffic with Packet Sniffing Tools
Lab 4: Analyzing the Results of a Credentialed Vulnerability Scan
IPCONFIG, PING, AND ARP
• The process of mapping out the attack surface is referred to as network
reconnaissance and discovery.
• Reconnaissance techniques are used by threat actors, but they can also be used
by security professionals to test their own security systems, as part of a security
assessment and ongoing monitoring.
• Topology discovery (or "footprinting") means scanning for hosts, IP ranges, and
routes between networks to map out the structure of the target network.
• Topology discovery can also be used to build an asset database and to identify
non-authorized hosts (rogue system detection) or network configuration errors.
IPCONFIG, PING, AND ARP (cont.)
• Basic topology discovery tasks can be accomplished using the command line tools
built into Windows and Linux.
• The following tools report the IP configuration and test connectivity on the local
network segment or subnet:
✓ ipconfig—show the configuration assigned to network interface(s) in Windows.
✓ ifconfig—show the configuration assigned to network interface(s) in Linux.
✓ ping—probe a host on a particular IP address or host name using Internet Control Message Protocol (ICMP). You can use ping with a simple script to perform a sweep of all the IP addresses in a subnet.
✓ arp—display the local machine's Address Resolution Protocol (ARP) cache. The ARP cache shows the MAC address of the interface associated with each IP address the local host has communicated with recently.
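The slide mentions driving ping from a simple script to sweep a subnet. The following is an added example (not part of the lecture) of such a sweep in Python: it enumerates the addresses with the ipaddress module, wraps the operating system's own ping command, and probes hosts in parallel. The probe function is injectable so that the sweep logic can be exercised without sending packets; the subnet in the usage line and the `probe` parameter are assumptions of this example.

```python
"""Ping sweep of a subnet (added example; not from the lecture slides)."""
import ipaddress
import platform
import subprocess
from concurrent.futures import ThreadPoolExecutor


def ping_host(ip: str, timeout_s: int = 1) -> bool:
    """Send one ICMP echo request using the OS ping tool and report success.

    Windows ping takes -n (count) and -w (timeout in ms); Linux ping takes
    -c (count) and -W (timeout in s); other Unix ping variants get only -c.
    """
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), ip]
    elif system == "Linux":
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), ip]
    else:
        cmd = ["ping", "-c", "1", ip]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return result.returncode == 0


def ping_sweep(network: str, probe=ping_host, workers: int = 32) -> list:
    """Return the host addresses in `network` (CIDR string) that answered.

    `probe` is any callable taking an IP string and returning True when the
    host is up; it defaults to ping_host and can be replaced for testing.
    """
    net = ipaddress.ip_network(network, strict=False)
    hosts = [str(h) for h in net.hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = list(pool.map(probe, hosts))
    return [ip for ip, up in zip(hosts, alive) if up]


if __name__ == "__main__":
    # Example subnet (an assumption); run on a network you administer.
    for ip in ping_sweep("192.168.1.0/28"):
        print("up:", ip)
```

Hosts that block ICMP echo will not appear in the result, which is one reason the lecture later moves on to dedicated scanners that use several discovery methods.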
IPCONFIG, PING, AND ARP (cont.)
• For more information about commands, including syntax usage, look up the command in an online resource for Windows (docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands) or Linux (linux.die.net/man).
• In Linux, commands such as ifconfig, arp, route, and traceroute are deprecated and the utilities have not been updated for some years. The iproute2 suite of tools supplies replacements for these commands (digitalocean.com/community/tutorials/how-to-use-iproute2-tools-to-manage-network-configuration-on-a-linux-vps).
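The earlier slide describes using the ARP cache to see which hosts the local machine has talked to, and this one notes that on Linux the iproute2 tools replace arp. The following added example (not from the lecture) shows the defensive use of that data: it parses the text output of Windows `arp -a` and of Linux `ip neigh`, normalises the MAC addresses, and reports any neighbour that is not in an authorised asset inventory (rogue system detection). The two cache listings and the inventory are constructed samples.

```python
"""Reconcile the local ARP/neighbour cache against an asset inventory.
Added example, not from the lecture; sample outputs below are constructed."""
import re

# Windows `arp -a` output (constructed sample)
ARP_WINDOWS = """
Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Linux `ip neigh` output (constructed sample); the FAILED entry has no MAC
IP_NEIGH_LINUX = """
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.37 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.50 dev eth0  FAILED
"""

MAC_RE = re.compile(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}\.){3}\d{1,3}\b")


def parse_neighbour_cache(text: str) -> dict:
    """Return {ip: mac} from arp -a or ip neigh output.

    MACs are normalised to lower-case colon form. Lines without both an IPv4
    address and a MAC (headers, the Windows 'Interface:' line, FAILED
    entries) are skipped, as are the broadcast MAC and multicast IPs, which
    are not real neighbours.
    """
    entries = {}
    for line in text.splitlines():
        ip_m = IPV4_RE.search(line)
        mac_m = MAC_RE.search(line)
        if not ip_m or not mac_m:
            continue
        ip = ip_m.group(0)
        mac = mac_m.group(0).lower().replace("-", ":")
        first_octet = int(ip.split(".")[0])
        if mac == "ff:ff:ff:ff:ff:ff" or 224 <= first_octet <= 239:
            continue
        entries[ip] = mac
    return entries


def find_unknown_hosts(cache: dict, inventory: dict) -> list:
    """Compare a parsed cache with {ip: mac} of authorised assets.

    Returns (ip, mac, reason) tuples for addresses missing from the
    inventory and for addresses whose MAC differs from the recorded one
    (a possible rogue device or address conflict).
    """
    findings = []
    for ip, mac in sorted(cache.items()):
        if ip not in inventory:
            findings.append((ip, mac, "ip not in inventory"))
        elif inventory[ip] != mac:
            findings.append((ip, mac, f"mac mismatch, expected {inventory[ip]}"))
    return findings


# Constructed inventory: only the gateway is an authorised asset here.
INVENTORY = {"192.168.1.1": "00:11:22:33:44:55"}

if __name__ == "__main__":
    for fmt, text in (("arp -a", ARP_WINDOWS), ("ip neigh", IP_NEIGH_LINUX)):
        for finding in find_unknown_hosts(parse_neighbour_cache(text), INVENTORY):
            print(fmt, finding)
```

Because the cache only holds hosts the local machine has recently exchanged frames with, this check is a point-in-time sample of one segment; it complements rather than replaces a full scan.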
ROUTE AND TRACEROUTE
• The following tools can be used to test the routing configuration and connectivity
with remote hosts and networks:
✓ route—view and configure the host's local routing table. Most end systems use a default route to forward all traffic for remote networks via a gateway router.
✓ tracert—uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network. tracert is the Windows version of the tool.
✓ traceroute—performs route discovery from a Linux host. traceroute uses UDP probes rather than ICMP, by default.
✓ pathping—provides statistics for latency and packet loss along a route over a longer measuring period. pathping is a Windows tool; the equivalent on Linux is mtr.
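To show what the per-hop RTT data from traceroute looks like once it is processed, here is an added example (not from the lecture) that parses Linux traceroute output, computes the mean RTT per hop, and finds the hop with the largest latency jump. The sample output is constructed and deliberately includes a hop that answered no probes, which is how a router that drops or rate-limits probe responses typically appears; such silent hops are skipped rather than treated as infinite latency.

```python
"""Parse traceroute output and summarise per-hop latency.
Added example, not from the lecture; the sample output is constructed."""
import re
from statistics import mean

TRACEROUTE_OUTPUT = """\
traceroute to example.test (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.512 ms  0.430 ms  0.401 ms
 2  10.10.0.1 (10.10.0.1)  3.210 ms  2.980 ms  3.105 ms
 3  * * *
 4  198.51.100.7 (198.51.100.7)  25.410 ms  24.900 ms *
 5  203.0.113.10 (203.0.113.10)  26.002 ms  25.870 ms  25.911 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")     # hop number, then the rest
ADDR_RE = re.compile(r"\(([\d.]+)\)")           # IP in parentheses
RTT_RE = re.compile(r"([\d.]+) ms")             # each answered probe


def parse_traceroute(text: str) -> list:
    """Return one dict per hop: number, address (None if no answer),
    list of RTTs in ms (timeouts omitted) and the count of lost probes."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # skips the 'traceroute to ...' header
            continue
        rest = m.group(2)
        addr = ADDR_RE.search(rest)
        hops.append({
            "hop": int(m.group(1)),
            "addr": addr.group(1) if addr else None,
            "rtts": [float(x) for x in RTT_RE.findall(rest)],
            "lost": rest.count("*"),
        })
    return hops


def latency_summary(hops: list) -> tuple:
    """Return (mean RTT per hop or None, hop with the largest jump, jump in ms).

    The jump is measured against the previous hop that answered, so a
    silent hop does not distort the figure for the hop after it.
    """
    means = [mean(h["rtts"]) if h["rtts"] else None for h in hops]
    worst_hop, worst_jump, prev = None, 0.0, 0.0
    for h, m in zip(hops, means):
        if m is None:
            continue
        if m - prev > worst_jump:
            worst_jump, worst_hop = m - prev, h["hop"]
        prev = m
    return means, worst_hop, round(worst_jump, 3)


if __name__ == "__main__":
    parsed = parse_traceroute(TRACEROUTE_OUTPUT)
    means, hop, jump = latency_summary(parsed)
    for h, m in zip(parsed, means):
        print(h["hop"], h["addr"] or "*", "-" if m is None else f"{m:.3f} ms",
              f"lost={h['lost']}")
    print(f"largest latency increase at hop {hop}: +{jump} ms")
```

The same approach extends to pathping or mtr output, which add per-hop loss percentages over a longer sampling window; the lost-probe count here is the single-run equivalent of that statistic.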
IP SCANNERS AND NMAP
• Scanning a network using tools such as ping is time consuming and non-stealthy,
and does not return detailed results.
• Most topology discovery is performed using a dedicated IP scanner tool.
• An IP scanner performs host discovery and identifies how the hosts are
connected together in an internetwork.
• The Nmap Security Scanner (nmap.org) is one of the most popular open-source IP
scanners.
• Nmap can use diverse methods of host discovery, some of which can operate
stealthily and serve to defeat security mechanisms such as firewalls and intrusion
detection.
IP SCANNERS AND NMAP (cont.)
• The tool is open-source software with packages for most versions of Windows, Linux, and macOS. It can be operated from the command line or via a GUI (Zenmap).
• The basic syntax of an Nmap command is to give the IP subnet (or IP host
address) to scan.
• When used without switches like this, the default behavior of Nmap is to ping
and send a TCP ACK packet to ports 80 and 443 to determine whether a host is
present.
• On a local network segment, Nmap will also perform ARP and ND (Neighbor
Discovery) sweeps.
• If a host is detected, Nmap performs a port scan against that host to determine
which services it is running.
SERVICE DISCOVERY AND NMAP
• Having identified active IP hosts on the network and gained an idea of the
network topology, the next step in network reconnaissance is to work out which
operating systems are in use, which network services each host is running, and, if
possible, which application software is underpinning those services.
• This process is described as service discovery.
• Service discovery can also be used defensively, to probe potential rogue systems
and identify the presence of unauthorized network service ports.
SERVICE DISCOVERY AND NMAP (cont.)
• When Nmap completes a host discovery scan, it will report on the state of each
port scanned for each IP address in the scope.
• At this point, you can run additional service discovery scans against one or more
of the active IP addresses.
• Some of the principal options for service discovery scans are:
✓ TCP SYN (-sS)
✓ UDP scans (-sU)
✓ Port range (-p)
SERVICE DISCOVERY AND NMAP (cont.)
• The detailed analysis of services on a particular host is often called fingerprinting.
• This is because each OS or application software that underpins a network service
responds to probes in a unique way.
• This allows the scanning software to guess at the software name and version,
without having any sort of privileged access to the host.
• This can also be described as banner grabbing, where the banner is the header of
the response returned by the application.
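The service discovery slides describe running -sS/-sU/-p scans and using the results defensively to spot unauthorised service ports, and this slide explains that fingerprinting yields a software name and version per service. The following added example (not from the lecture and not Nmap project code) parses Nmap's greppable output format (-oG), keeps the fingerprinted version string for each port, and compares the open ports against an allow-list of expected services per host. The scan listing and the allow-list are constructed samples in the -oG `Host: ... Ports: ...` layout.

```python
"""Parse Nmap greppable (-oG) output and flag unexpected open services.
Added example, not from the lecture; the scan output is a constructed sample."""
import re

NMAP_GREPPABLE = """\
# (constructed) nmap -sS -sV -p 1-1024 -oG - 192.168.1.0/28
Host: 192.168.1.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (1022)
Host: 192.168.1.10 (web.lab)\tPorts: 80/open/tcp//http//Apache httpd 2.4.52/, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: filtered (1022)
Host: 192.168.1.37 ()\tPorts: 23/open/tcp//telnet///, 80/filtered/tcp//http///\tIgnored State: closed (1022)
# Nmap done
"""

# Each -oG port entry is port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(
    r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_greppable(text: str) -> dict:
    """Return {ip: [(port, proto, state, service, version), ...]}.

    Only 'Host:' lines are read; fields on such a line are tab-separated
    'Name: value' pairs, so the Ports field is located by name rather than
    by position.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = []
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            ports.append((int(port), proto, state, service, version.strip()))
        hosts[ip] = ports
    return hosts


def unexpected_services(hosts: dict, allowlist: dict) -> list:
    """Compare scan results with {ip: {(port, proto), ...}} of expected services.

    Returns (ip, port, reason) for open ports that are not allow-listed on a
    known host, and (ip, None, reason) for hosts absent from the allow-list.
    Filtered/closed ports are not reported.
    """
    findings = []
    for ip, ports in sorted(hosts.items()):
        if ip not in allowlist:
            findings.append((ip, None, "host not in allow-list"))
            continue
        for port, proto, state, service, version in ports:
            if state == "open" and (port, proto) not in allowlist[ip]:
                label = f"{service} {version}".strip()
                findings.append((ip, port, f"unexpected open {proto} port ({label})"))
    return findings


# Constructed allow-list: the gateway offers SSH and HTTPS, the web host HTTP.
ALLOWLIST = {
    "192.168.1.1": {(22, "tcp"), (443, "tcp")},
    "192.168.1.10": {(80, "tcp")},
}

if __name__ == "__main__":
    results = parse_greppable(NMAP_GREPPABLE)
    for ip, ports in results.items():
        for port, proto, state, service, version in ports:
            print(ip, f"{port}/{proto}", state, service, version or "(no banner)")
    for finding in unexpected_services(results, ALLOWLIST):
        print("FINDING:", finding)
```

The version column is exactly the fingerprinting/banner-grabbing result described on this slide; where no banner was obtained the field is empty, as on the telnet port above, so a missing version should not be read as proof that nothing is listening.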
OTHER RECONNAISSANCE AND DISCOVERY TOOLS
• There are hundreds of tools relevant to security assessments, network
reconnaissance, vulnerability scanning, and penetration testing.
• Security distributions specialize in bundling these tools:
✓ For Linux: Kali (kali.org) and ParrotOS (parrotlinux.org).
✓ For Windows: Commando VM (fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html).