CySA+ domain #4: environmental reconnaissance techniques and analysis

Introduction

What would being a cybersecurity analyst be without knowledge of environmental reconnaissance techniques and analysis? A glorified Help Desk technician? Perhaps — but all jokes aside, this is a sizeable amount of material. 

This article details the main environmental reconnaissance techniques and the analysis an examinee is expected to perform on their output. It covers the most important parts of this subdomain and, given the sheer size of the material, you should use it as a refresher rather than your sole method of exam preparation. Sit back, strap in and get ready for some breakneck reviewing!

Procedures and common tasks

Topology discovery

Understanding the topology of your network environment is crucial for cybersecurity analysts. It is normally worked out from a network scan: the time to live (TTL) value in each reply tells you roughly how many routers the packet crossed, so hosts that answer with the same TTL are probably on the same segment, and combining hop distance with network addresses lets you make an educated guess at the layout. Nmap collects the hop data with its --traceroute option, and Zenmap draws the result in its Topology tab. Treat the result as a guess: NAT devices, load balancers and proxies can rewrite TTLs and hide whole segments behind one address.

OS fingerprinting

OS fingerprinting is the identification of an operating system from the network traffic it sends. It relies on TCP/IP stack fingerprinting: every OS implements the stack slightly differently, so the scanner sends crafted probes and compares details of the responses (initial TTL, TCP window size, option ordering, how unusual flag combinations are handled) against a database of known signatures. Nmap does this with the -O option; passive tools such as p0f draw the same conclusions from traffic they merely observe.
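As an added example (not code from the original article), the following Python script shows, in simplified form, the two inferences described in the Topology discovery and OS fingerprinting sections: it estimates each host's initial TTL and hop distance, groups hosts by distance to sketch a topology, and makes a coarse OS family guess from the initial TTL and TCP window size. The observation list and the TTL/window table are constructed assumptions modelled on commonly cited defaults; Nmap -O and p0f use far richer signatures.

```python
# Added example (not from the original article): TTL-based hop distance,
# topology grouping and a coarse TCP/IP stack fingerprint.
from collections import defaultdict

# Initial TTL values used by common operating systems (well-known defaults).
INITIAL_TTLS = (64, 128, 255)

# (initial TTL, SYN/ACK window size) -> OS family. Assumed heuristic table
# modelled on commonly cited passive-fingerprint signatures; real stacks vary
# with version, tuning and path MTU, so treat every hit as a guess.
WINDOW_HINTS = {
    (64, 29200): "Linux",
    (64, 5840): "Linux",
    (64, 65535): "BSD/macOS",
    (128, 8192): "Windows",
    (128, 65535): "Windows",
    (255, 4128): "Cisco IOS",
}

# Fallback when only the initial TTL is known.
TTL_FAMILIES = {64: "Linux/Unix-like", 128: "Windows", 255: "Network device/Solaris"}


def guess_initial_ttl(observed_ttl):
    """Return the smallest common initial TTL at or above the observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    return next(t for t in INITIAL_TTLS if observed_ttl <= t)


def hop_distance(observed_ttl):
    """Estimated number of routers between the scanner and the host."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


def guess_os_family(observed_ttl, window_size):
    """Coarse OS family from the (initial TTL, window) pair, else TTL alone."""
    initial = guess_initial_ttl(observed_ttl)
    return WINDOW_HINTS.get((initial, window_size), TTL_FAMILIES[initial])


def map_topology(observations):
    """Group hosts by estimated hop distance. Hosts at the same distance are
    candidates for the same segment behind the same router."""
    layers = defaultdict(list)
    for addr, ttl, window in observations:
        layers[hop_distance(ttl)].append((addr, guess_os_family(ttl, window)))
    return dict(sorted(layers.items()))


# Constructed sample data: (address, TTL seen in the SYN/ACK, TCP window size).
OBSERVED = [
    ("10.0.1.10", 64, 29200),
    ("10.0.1.11", 128, 8192),
    ("10.0.2.20", 63, 29200),
    ("10.0.2.21", 127, 65535),
    ("172.16.5.1", 253, 4128),
]

if __name__ == "__main__":
    for hops, hosts in map_topology(OBSERVED).items():
        print(f"{hops} hop(s) away:")
        for addr, family in hosts:
            print(f"  {addr:<12} {family}")
```

Running it places the two 10.0.1.x hosts on the local segment, the 10.0.2.x hosts one router away and the 172.16.5.1 device two hops out. The lookup deliberately rounds up to the nearest default, which is why a TTL of 63 reads as "64 minus one hop" rather than as an exotic initial value.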

Service discovery

Port scanning is the usual way to discover which services a system is currently offering. Port scanners commonly provide:

  • Port scanning and service identification
  • Host discovery
  • Service version identification
  • Operating system identification

When running service discovery with Nmap, a typical command is:

# nmap -O -Pn -sS [system IP address]

Here -O enables OS detection, -Pn skips host discovery so the target is scanned even if it does not answer pings (-P0 is the older spelling of the same option), and -sS performs a TCP SYN scan. Both the SYN scan and OS detection need root privileges. The output is a list of ports and the services associated with them; note that a SYN scan on its own labels each open port with the default service name for that port number, so add -sV when you need Nmap to probe the port and identify the actual service and version. We will touch more on Nmap later.
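As an added example (not code from the original article or from the Nmap project), the following Python script does the analysis step that follows the scan: it parses Nmap's XML output (written with -oX) into a per-host service inventory, picks the best OS match, and flags open ports whose service name came only from Nmap's port table rather than from a version probe. The XML string is a constructed sample in Nmap's output format, not a real scan result.

```python
# Added example (not from the original article): turn Nmap -oX output into a
# service inventory and flag unverified service names.
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML format. method="probed" means -sV talked
# to the service; method="table" means the name is just Nmap's default for
# that port number.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -Pn -oX scan.xml 10.0.1.10">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 3.10 - 4.11" accuracy="97"/>
      <osmatch name="Linux 4.15 - 5.6" accuracy="90"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: address, open ports with service details,
    and the best OS match as (name, accuracy), or None if -O was not run."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        entry = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "open_ports": [],
            "os_guess": None,
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not running services
            svc = port.find("service")
            entry["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "probed": svc is not None and svc.get("method") == "probed",
            })
        best = None
        for match in host.findall("os/osmatch"):
            acc = int(match.get("accuracy", "0"))
            if best is None or acc > best[1]:
                best = (match.get("name"), acc)
        entry["os_guess"] = best
        hosts.append(entry)
    return hosts


def unverified_services(host):
    """Open ports whose service identity was never confirmed by a probe."""
    return [f"{p['port']}/{p['proto']}" for p in host["open_ports"] if not p["probed"]]


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(f"{h['addr']}  OS guess: {h['os_guess']}")
        for p in h["open_ports"]:
            detail = f"{p['product'] or ''} {p['version'] or ''}".strip()
            print(f"  {p['port']}/{p['proto']:<4} {p['service']:<10} {detail}")
        print("  unverified service names:", unverified_services(h) or "none")
```

In the sample, 8080/tcp is reported as "http-proxy" only because that is the table entry for the port; an analyst should confirm it with a version probe before recording it in the asset inventory.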

Router/firewall ACLs review

Analyzing access control lists (ACLs) of routers and firewalls provides information about what traffic is allowed and can assist with (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/nf7k4SPiHIY/