Network Reconnaissance
Attack Pattern ID: 286 (Meta Attack Pattern Completeness: Stub)Typical Severity: LowStatus: Draft
+ Description


An attacker engages in network reconnaissance operations to gather information about a target network or its hosts. Network Reconnaissance techniques can range from stealthy to noisy and utilize different tools and methods depending upon the scope of the reconnaissance. Some techniques may target single hosts while others are used against entire network address ranges, such as a CIDR class C or B network. In general, reconnaissance activities fall into 5 distinct categories.

1. Host Discovery: The ICMP methods, as well as messages of other protocol types, commonly UDP and TCP, to determine if a host is active on an IP address.

2. Port Scanning: The application of various methods to determine the status of the ports on the remote device. Each machine can have a possible 65535 UDP and TCP ports that provide a service to network clients. The goal of port scanning is to determine which ports on a machine are open, as well as which ports are firewalled or filtered.

3. Operating System Fingerprinting: use of various probing methods to determine idiosyncratic behaviors of a remote device that allow the attacker to determine the operating system. Although networking protocols are governed by standards, each operating system exhibits unique characteristics of its implementation of these standards. By sending malformed packets or datagrams an attacker can solicit responses from an device that allow a highly reliable inference about its operating system.

4. Service Enumeration: Application-layer services can run on arbitrary ports, so an attacker must probe or interact with a remote port in order to obtain a fingerprint or signature of the application or protocol daemon using the port for communication.

5. Firewall Auditing: An attacker uses a number of techniques to determine which types of data can be infiltrated or exfiltrated through a firewall. These techniques require a responsive host protected by a firewall so that the attacker can map out which types of protocols and message types reach the' host or hosts and generate a response.

Applied together these activities allow an attack to map out a target network, its topology, as well as gather detailed device configuration information.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer

Target Attack Surface Localities


Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: Internet ProtocolProtocol 2: User Datagram ProtocolProtocol 3: Internet Control Messaging ProtocolProtocol 4: Transmission Control Protocol
+ Attack Prerequisites

The ability to send data to hosts on a target network segment and receive responses.

+ Resources Required

Each type of reconnaissance uses specific tools and methodologies to acquire information from the target.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ParentOfAttack PatternAttack Pattern289Infrastructure-based footprinting 
Mechanism of Attack1000
ParentOfAttack PatternAttack Pattern310Scanning for Vulnerable Software 
Mechanism of Attack (primary)1000
MemberOfViewView1000Mechanism of Attack 
Mechanism of Attack1000
+ References
Stuart McClure, Joel Scambray, George Kurtz. "Hacking Exposed: Network Security Secrets and Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
Gordon "Fyordor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". 3rd "Zero Day" Edition, . LLC, ISBN: 978-0-9799587-1-7. 2008.