Network: Information Gathering

Khoa Nguyen

Publicly Available Data

Before starting any network enumeration and analysis, it’s important to first understand the company or organization you’re looking at. This helps make sure your analysis is focused and relevant. A good first step is to collect publicly available information about the company, which can tell us about their systems, tools, and potential weak points. In simple terms, gathering public information is key to understanding a company before testing its network security. This research can help you in both the planning and execution of your test. Using sources like websites, social media, and code repositories helps create a complete picture of the company’s setup and possible security weaknesses.

Gathering Public Data

To gain a thorough understanding of a company, you need to gather publicly available information, a process known as Open Source Intelligence (OSINT). This is a vast topic that cannot be covered in a few sections. It includes basic details about the company’s operations, services, location, and technology. You can find this information from various sources, such as company websites, news releases, financial reports, and social media. Company websites typically provide insights into the company’s offerings and services. For publicly traded companies, annual reports can reveal financial performance and partnerships. Social media platforms like LinkedIn and Twitter offer information about employees and recent company updates.

You can also learn a lot from public records, such as business licenses and patents, which provide insights into the company’s legal structure and assets. Additionally, knowing where the company has offices can help you understand its operational setup and identify potential security concerns.

Understanding Connections

After collecting this information, you can see what other companies and tools the organization depends on. This includes their business partners, suppliers, and the software they use. These connections could carry security risks that need to be checked. Looking at job postings and employee profiles can tell you what software the company uses. Job listings often mention specific programs or systems that employees need to know. This gives you clues about their technology stack.

Social media, especially LinkedIn, is great for learning about the company’s tech staff. By looking at their profiles, you can see what they’re good at and what projects they’ve worked on. GitHub, where developers share code, is another useful source of information.

GitHub can tell you a lot about how a company builds software. Sometimes companies share their tools publicly, which shows how they work. These shared files might include instructions or examples of how they use different technologies. Sometimes, developers accidentally share sensitive information. For example, they might accidentally include access points, passwords, or secret keys in their code. This can be dangerous because others could use this information to attack and break into their systems.
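The last point is also the one a defender can act on directly: committed secrets are easy to catch before a push. The following is an added example (not code from the original post) of a small scanner for the kinds of leaked credentials the paragraph mentions. The rule names, thresholds and the sample file contents are constructed for illustration; the `AKIA…` prefix is the documented AWS access key ID format.

```python
"""Scan text (or a file) for accidentally committed credential material.

Signature rules catch well-known formats; an entropy fallback catches long,
random-looking tokens that no signature describes. Run it over your own
repository before pushing (e.g. from a pre-commit hook).
"""
import math
import re
from collections import Counter
from pathlib import Path

# Signature patterns for common credential material (rule names are assumed labels).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
    "bearer_token": re.compile(r"(?i)\bAuthorization:\s*Bearer\s+([A-Za-z0-9._-]{20,})"),
}

# Strings this long and this random are usually tokens, not identifiers (assumed thresholds).
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 3.5
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{%d,}" % ENTROPY_MIN_LEN)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, filename: str = "<memory>") -> list[dict]:
    """Return one finding per suspicious line: {file, line, rule, match}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append({"file": filename, "line": lineno, "rule": rule, "match": m.group(0)})
                break  # one signature hit per line is enough
        else:
            # No signature matched: fall back to entropy on long token-like strings.
            # Requiring a digit skips long but ordinary identifiers.
            for tok in TOKEN_RE.findall(line):
                if any(ch.isdigit() for ch in tok) and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append({"file": filename, "line": lineno, "rule": "high_entropy_string", "match": tok})
                    break
    return findings


def scan_file(path: str) -> list[dict]:
    """Convenience wrapper: scan one file on disk."""
    p = Path(path)
    return scan_text(p.read_text(encoding="utf-8", errors="replace"), str(p))


# Constructed sample "config file"; the AWS key is Amazon's published example value.
SAMPLE_CONFIG = """\
# constructed sample file for the scanner
db_host = "db.internal.example"
password = "Summ3rTime2024!"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
api_token = "f3a9c2e71b4d8e0f6a5c1d2e3b4f5a6c7d8e9f0a"
log_level = "debug"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.py"):
        print(f"{f['file']}:{f['line']}: {f['rule']}: {f['match']}")
```

The entropy fallback is what catches API tokens that have no fixed prefix; the digit requirement and length floor keep it from flagging every long variable name, which is the usual source of noise in such scanners.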

Putting It All Together

By combining all this information, you can get a good picture of how the company works and what systems they use. This helps you know where to look during security testing. For example, if you know a company uses a specific cloud-based file sharing service, you could check whether any CVEs are associated with it, or use that knowledge to craft a more convincing phishing attack.

Network and Service Scanning

Network and service scanning is a foundational step in penetration testing and security assessments. It involves identifying active hosts, open ports, and running services within a defined scope, and is used to gain a comprehensive understanding of the target environment. Network Mapper (Nmap) is the most widely used tool for this purpose, due to its versatility, accuracy, and extensive feature set. By scanning the network, testers can map the attack surface, identify potential vulnerabilities, and prioritize targets for further analysis. This section explores the process of network scanning, provides a practical example using Nmap, and explains how the results can be leveraged to identify “low-hanging fruits”: easily exploitable vulnerabilities or misconfigurations.

Understanding the Assigned Scope

Before initiating a scan, it is critical to define and understand the scope of the assessment. The scope typically includes a range of IP addresses, domains, or systems that the client has authorized for testing. For example, a scope might consist of a single subnet, such as 10.129.12.0/24, which encompasses all IP addresses from 10.129.12.0 to 10.129.12.255. Understanding the scope ensures that testing remains within legal and ethical boundaries and focuses on the systems relevant to the client’s objectives.

The primary goal of network scanning is to identify active hosts within the scope and determine the services they expose. Active hosts are systems that respond to network probes, indicating they are online and potentially part of the target environment. Services, on the other hand, are applications or protocols running on specific ports, such as HTTP (port 80), SSH (port 22), or SMB (port 445). By mapping these services, we can infer the purpose of each system, its role in the network, and potential attack vectors.

Next, we will start enumerating the network. Follow along with the commands from here on in Pwnbox. You will see many different tools being used. Do not be afraid to experiment and try different techniques. You will learn those tools in detail later.

Using Nmap for Network Scanning

Nmap is a powerful, open-source tool designed for network discovery and security auditing. It supports a wide range of scanning techniques, from simple ping scans to advanced service enumeration and vulnerability detection. Nmap’s flexibility allows testers to tailor scans to specific objectives, such as identifying open ports, detecting operating systems, or scripting custom probes.

Let’s consider a practical example of scanning the 10.129.12.0/24 network that’s been assigned to us, which contains only two hosts. To perform the scan, we can use the following Nmap command:

khoafrancisco@htb[/htb]$ nmap -sV -p- 10.129.12.0/24 -oA network-scan
  • -sV: Enables service version detection, which attempts to identify the software and version running on each open port.

  • -p-: Scans all 65535 ports so that no services are missed. Note that this command runs a TCP scan; UDP ports are only probed if you also pass -sU.

  • -oA network-scan: Saves the results of the scan in all three output formats (normal, grepable, and XML) to files named “network-scan”.

  • 10.129.12.0/24: Specifies the target network range.

Assuming the scan identifies the two hosts, the output might look like this (simplified for clarity):

khoafrancisco@htb[/htb]$ nmap -sV -p- 10.129.12.0/24 -oA network-scan

Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.129.12.10
Host is up (0.0012s latency).
PORT     STATE SERVICE          VERSION
21/tcp   open  ftp              ProFTPD
22/tcp   open  ssh              OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http             nginx 1.18.0 (Ubuntu)
443/tcp  open  ssl/http         Apache httpd 2.4.52 ((Ubuntu))
8000/tcp open  ssl/http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8001/tcp open  ssl/vcom-tunnel?
8080/tcp open  http             Apache httpd 2.4.52 ((Ubuntu))
8889/tcp open  ssl/http         Golang net/http server

Nmap scan report for 10.129.12.20
Host is up (0.0015s latency).
PORT     STATE SERVICE         VERSION
22/tcp    open  ssh            OpenSSH for_Windows_9.5 (protocol 2.0)
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows Server 2019 Standard 17763 microsoft-ds
3000/tcp  open  http           Golang net/http server
3389/tcp  open  ms-wbt-server  Microsoft Terminal Services
5357/tcp  open  http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp  open  http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp  open  ssl/http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp  open  ssl/http       Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8889/tcp  open  ssl/http       Golang net/http server
49669/tcp open  msrpc          Microsoft Windows RPC

Nmap done: 256 IP addresses (2 hosts up) scanned in 12.34 seconds

Interpreting the Scan Results

The Nmap output provides a detailed snapshot of the network, highlighting the active hosts and their open ports. Let’s break down the results for each host:

10.129.12.10

  • Port 21 (FTP): Running vsftpd 3.0.3, a popular FTP server. FTP is often a target for attacks due to weak authentication mechanisms or misconfigurations.

  • Port 22 (SSH): Running OpenSSH 8.2p1. SSH is a secure protocol, but vulnerabilities in older versions or weak credentials could be exploited.

  • Port 80 (HTTP): Hosting an Apache httpd 2.4.41 web server. Web servers are common attack vectors, especially if they host vulnerable applications or misconfigured settings.

  • Port 443 (HTTPS): Also running Apache httpd 2.4.41 with SSL/TLS. HTTPS services may be vulnerable to SSL/TLS misconfigurations or outdated cipher suites.

  • Port 4369 (Erlang Port Mapper Daemon): Used by Erlang-based applications. This service is less common and may indicate a specialized application, potentially misconfigured or vulnerable.

10.129.12.20

  • Port 22 (SSH): Running OpenSSH for Windows 9.5. SSH provides secure remote access, though Windows-specific implementations may have unique security considerations.

  • Port 139 (NetBIOS): A legacy protocol used for file sharing and printer services. It is often targeted in attacks due to historical vulnerabilities.

  • Port 445 (SMB): Running Microsoft’s Server Message Block protocol, critical for file sharing in Windows environments.

  • Port 3000 (HTTP): Running a Golang net/http server. Web applications on non-standard ports may indicate internal services or development environments that require security review.

  • Port 3389 (RDP): Microsoft’s Remote Desktop Protocol, used for remote administration. RDP is frequently targeted for brute-force attacks or exploits if not properly secured.

Leveraging the Results

The scan results provide a great overview for further testing. Testers can prioritize targets based on the identified services and their associated risks. For example:

  • Vulnerability Scanning: Use tools like Nessus or OpenVAS to scan for known vulnerabilities in the identified software versions.

  • Credential Testing: Attempt brute-force attacks on services like FTP, SSH, and RDP to test for weak passwords.

  • Configuration Analysis: Review the configuration of web servers (port 80/443) and message brokers (port 8161) for misconfigurations, such as default credentials or insecure settings.

  • Exploit Testing: If vulnerabilities are identified, attempt to exploit them using frameworks like Metasploit to assess their impact.

By systematically analyzing the scan results and focusing on low-hanging fruits, testers can efficiently identify and address critical vulnerabilities, improving the overall security posture of the target environment.
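Reading a two-host report by eye is fine; on a /24 with dozens of hosts you want the report parsed and the hosts ranked. The following is an added example (not code from the original post) that parses the normal-format Nmap output (the .nmap file that -oA writes) into per-host records, ranks hosts by the services this section singles out for follow-up, and emits a markdown table you can paste into your notes. The embedded scan text is a constructed excerpt modelled on the sample output above, and the triage weights are an assumed heuristic, not an Nmap feature.

```python
"""Parse Nmap normal output into host/port records and rank hosts for triage."""
import re
from dataclasses import dataclass, field


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class Host:
    address: str
    ports: list[Port] = field(default_factory=list)


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text: str) -> list[Host]:
    """Walk the report line by line; a 'scan report' line opens a new host."""
    hosts: list[Host] = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = Host(m.group(1))
            hosts.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            num, proto, state, service, version = m.groups()
            current.ports.append(Port(int(num), proto, state, service, version.strip()))
    return hosts


# Services the post flags as common first targets, with an assumed weight each.
TRIAGE_WEIGHTS = {
    "ftp": 3, "ms-wbt-server": 3,
    "microsoft-ds": 2, "netbios-ssn": 2,
    "ssh": 1, "http": 1, "ssl/http": 1,
}


def triage(hosts: list[Host]) -> list[tuple[str, int, list[str]]]:
    """Score each host by its open, weighted services; highest score first."""
    ranked = []
    for h in hosts:
        weighted = [p for p in h.ports if p.state == "open" and p.service in TRIAGE_WEIGHTS]
        score = sum(TRIAGE_WEIGHTS[p.service] for p in weighted)
        hits = [f"{p.number}/{p.proto} {p.service}" for p in weighted]
        ranked.append((h.address, score, hits))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def to_markdown(hosts: list[Host]) -> str:
    """Render every open port as a markdown table row for the engagement notes."""
    rows = ["| Host | Port | State | Service | Version |", "|---|---|---|---|---|"]
    for h in hosts:
        for p in h.ports:
            rows.append(f"| {h.address} | {p.number}/{p.proto} | {p.state} | {p.service} | {p.version} |")
    return "\n".join(rows)


# Constructed excerpt in Nmap's normal output format (modelled on the sample above).
SAMPLE_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.129.12.10
Host is up (0.0012s latency).
PORT     STATE SERVICE          VERSION
21/tcp   open  ftp              ProFTPD
22/tcp   open  ssh              OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http             nginx 1.18.0 (Ubuntu)
443/tcp  open  ssl/http         Apache httpd 2.4.52 ((Ubuntu))
8001/tcp open  ssl/vcom-tunnel?

Nmap scan report for 10.129.12.20
Host is up (0.0015s latency).
PORT      STATE SERVICE         VERSION
22/tcp    open  ssh            OpenSSH for_Windows_9.5 (protocol 2.0)
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   Windows Server 2019 Standard 17763 microsoft-ds
3389/tcp  open  ms-wbt-server  Microsoft Terminal Services

Nmap done: 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_SCAN)
    for address, score, hits in triage(parsed):
        print(f"{address}: score {score}: {', '.join(hits)}")
    print(to_markdown(parsed))
```

To use it on a real engagement, read the network-scan.nmap file produced by -oA and pass its contents to parse_nmap; for larger scopes the XML output (network-scan.xml) is the more robust input, but the normal format is what you see on screen and what this example follows.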

Note Taking

Thorough note-taking is essential. You should write down everything you do, including all commands you run and everything you find. This has several benefits. It allows your team members to check your work and understand the actions you took. Write down exactly which commands you used, when you used them, and what happened. For example, if you ran an Nmap scan, write down the exact command you typed and what the results were, including any error messages.

Additionally, good notes help you keep track of what you’re doing. When you find something interesting, like a possible “low hanging fruit” (that we will discuss next), write down:

  • What you found

  • Why you thought it was important

  • What made you decide to look into it further

Third, having quality notes will make it much easier for you to write your final report. If you keep clear, organized notes during your work, you can easily:

  • Find specific problems you discovered

  • Show proof of security weakness

  • Explain exactly how you found each problem

It’s helpful to include screenshots and the results of commands you ran that led to important discoveries.

Keep your notes organized and easy to read. Use clear headings and a consistent format. The markdown format is recommended since it allows easy and quick styling. You can use tools like Notion, OneNote, or special security testing tools to help organize your notes. Remember to include the date and time for everything you do, and list any outside tools or resources you used.
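The “exact command, timestamp, and result” habit is easiest to keep when a tool does it for you. The following is an added example (not code from the original post) of a minimal command logger: it runs a command, captures its output, and appends a markdown entry with the UTC time, the command line, the output and the exit status to a notes file. The notes file name and the sample command are constructed for illustration.

```python
"""Run a command and record it, its output and its exit status in a markdown notes file."""
import shlex
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def record_command(cmd: list[str], notes_path: Path, timeout: int = 300) -> str:
    """Run cmd, append a markdown entry to notes_path, and return that entry.

    The entry holds the UTC start time, the shell-quoted command line, the
    combined stdout/stderr, and the exit status, so a teammate can reproduce it.
    """
    started = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    output = proc.stdout + proc.stderr
    entry = (
        f"\n### {started}\n\n"
        f"~~~console\n$ {shlex.join(cmd)}\n{output}~~~\n\n"
        f"Exit status: {proc.returncode}\n"
    )
    with notes_path.open("a", encoding="utf-8") as fh:
        fh.write(entry)
    return entry


def entry_count(notes_path: Path) -> int:
    """Number of commands recorded in the notes file (one '### <time>' heading each)."""
    if not notes_path.exists():
        return 0
    return sum(1 for line in notes_path.read_text(encoding="utf-8").splitlines() if line.startswith("### "))


def new_scratch_notes() -> Path:
    """Path for an empty notes file in a fresh temporary directory (for trying the logger out)."""
    return Path(tempfile.mkdtemp()) / "engagement-notes.md"


# Constructed sample command: prints a line using the running interpreter, so it works anywhere.
SAMPLE_COMMAND = [sys.executable, "-c", "print('hello from a constructed command')"]

if __name__ == "__main__":
    # Assumed notes file name in the current directory; on an engagement you would
    # instead wrap your real commands, e.g. record_command(["nmap", "-sV", "-p-", ...], notes).
    notes = Path("engagement-notes.md")
    print(record_command(SAMPLE_COMMAND, notes))
    print(f"{entry_count(notes)} entries in {notes}")
```

Entries use a `~~~` fence rather than backticks so that the notes file stays valid markdown even when a command’s output itself contains backticks; keeping the exit status next to the output is what later lets you tell a genuinely empty result from a command that failed.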


Written by

Khoa Nguyen

I am a beginner learning about technology, especially the field of information security. I write these articles mainly to practice my English and to read more. Thank you all for your interest and for reading. If you have any feedback, please get in touch with me!