Introduction

Prior to addressing the specific recipes mentioned in the list, we should address some of the underlying principles that will be discussed throughout the remainder of the chapter. Each of the recipes in this chapter will address tools that can be used to perform a few specific tasks. These tasks include banner grabbing, service identification, operating system identification, SNMP analysis, and firewall identification. Each of these tasks serves the common objective of gathering as much information about a target system as possible in order to be able to attack that system quickly and efficiently.

Before dedicating a large amount of time and resources to attempting to identify a remote service, we should determine whether that remote service will identify itself to us. Service banners consist of output text that is returned immediately when a connection is established with a remote service. It has historically been a very common practice for network services to disclose the manufacturer, software name, type of service, and even version number in service banners. Fortunately for penetration testers, this information can be extremely useful in identifying known weaknesses, flaws, and vulnerabilities in the software. A service banner can easily be read by merely connecting to a remote Terminal service. However, for this to be an effective information-gathering tool, it should be automated so that we do not have to manually connect to each individual service on a remote host. The tools that will be addressed in the banner-grabbing recipes in this chapter will accomplish the task of automating banner grabbing to identify as many open services as possible.
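The two halves of banner grabbing described above, reading what a service volunteers on connect and mapping that text to a software name and version, as an added Python example that is not code from the book or from any tool it covers. The signature list and the loopback fixture banner are constructed for this example; the fixture stands in for a real host so the code runs offline, and a silent service is handled by the timeout rather than a hang.

```python
import re
import socket
import socketserver
import threading

# Signatures for common self-disclosing banners (constructed, not a complete database): group 1 = software, group 2 = version.
BANNER_SIGNATURES = [
    (re.compile(r"^SSH-\d\.\d-(OpenSSH)_([\w.]+)"), "ssh"),
    (re.compile(r"^220 .*?\((vsFTPd) ([\d.]+)\)"), "ftp"),
    (re.compile(r"^220 .*?\b(Postfix|Exim|Sendmail)\b(?: ([\d.]+))?"), "smtp"),
]

def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Connect and return whatever the service sends first; None if the port is closed or it stays silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(max_bytes)
    except OSError:  # connection refused, unreachable, or recv timed out (TimeoutError is an OSError)
        return None
    return data.decode("utf-8", "replace").strip() or None

def parse_banner(banner):
    """Map a raw banner to (service, software, version); version is None if omitted, unknown banners give None."""
    if banner is None:
        return None
    for pattern, service in BANNER_SIGNATURES:
        match = pattern.match(banner)
        if match:
            return service, match.group(1), match.group(2)
    return None

class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(self.server.banner)  # greet once, then hang up

def start_fake_service(banner):
    """Throwaway loopback listener that greets with a constructed banner (test fixture, not a real target)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _BannerHandler)
    server.banner = banner
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def audit_fake_ssh():
    """End to end: grab the fixture's banner over TCP on a random loopback port and classify it."""
    server = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    try:
        return parse_banner(grab_banner("127.0.0.1", server.server_address[1]))
    finally:
        server.shutdown()
        server.server_close()
```

Run against an inventory of your own hosts and ports, the same loop reports which services still announce a version string and should have that disclosure removed or be patched.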

In the event that a remote service does not willingly disclose the software and/or version that is running on it, we will need to go to much greater lengths to identify the service. It is frequently possible to identify unique behaviors or to solicit unique responses that can be used to positively identify a service. It is usually even possible to identify specific versions of a particular service due to subtle variations in response or behavior. However, knowledge of all these unique signatures would be difficult for any human to retain. Fortunately, there are numerous tools that have been created to send large numbers of probes to remote services to analyze the responses and behavior of those target services. Similarly, response variation can also be used to identify the underlying operating system running on a remote server or workstation. These tools will be discussed in the recipes that address service identification and operating system identification.

Simple Network Management Protocol (SNMP) is a protocol that is designed to provide remote administrative services for various types of network devices. Management with SNMP is performed using community strings for authentication. It is very common for devices to be deployed with the default community strings. When this happens, it is often possible for an attacker to remotely gather large amounts of information about a target device's configuration and, in some cases, even reconfigure the devices. Techniques that leverage the use of SNMP for information gathering will be discussed in the recipes addressing SNMP analysis.

While gathering information about potential targets, it is important to also understand any obstacles that could impact successful reconnaissance or attacks. Firewalls are network devices or software that selectively restrict the flow of network traffic going to or coming from a particular destination or source. Firewalls are often configured to prevent remote access to particular services. Awareness of a firewall that is modifying the flow of traffic between your attacking system and the target destination can be instrumental in attempting to identify ways to either evade or bypass its filters. The techniques to identify firewall devices and services will be discussed in the recipes that address firewall identification.
