nst_3
3
1. TCP/UDP services running on each system identified.
2. System architecture (Sparc, Alpha, x86).
3. Specific IP addresses of systems reachable via the Internet.
4. Operating system type.
Scanning can be compared with a thief checking all the doors and windows of a house he
wants to break into.
Enumeration - Enumeration is the process of extracting valid accounts or exported resource
names from systems. The information is gathered using active connections to systems and
queries, which is more intrusive in nature than foot printing and scanning.
The techniques are mostly operating system specific, and can gather information such as:
1. User & group names.
2. System banners
3. Routing tables
4. SNMP information
This article will focus on scanning, normally the second phase of computer intelligence
gathering technique.
1.2 Introduction to scanning
Today the number of automated scanners is constantly increasing, and as a result, more and
more attacks are successfully initiated.
In order to be better prepared, we need to fully understand the scanning tools and the
methods that these tools are using against us.
The questions we need to ask ourselves are:1
·
What are scanners doing?
·
What do they look like (signature)?
·
How they operate in order to accomplish their tasks?
·
What kind of information is collected?
·
How serious is the threat?
We need to identify the intruder’s behavior and understand the scanning techniques. If we
have an intrusion detection system, or planning on implementing one in the future, finding
scanning patterns in our log (manually, or automatically by the IDs) will give us an indication
of a probable upcoming attempt to gain unprivileged access to our systems.
Only after we understand scanning techniques we can try to protect ourselves against them.
1
John Green, NSWC Shadow Team, Identifying Scanners in the Wild.