Ethical hacking: Stealthy network recon techniques - Security Boulevard

Introduction

In this article, we shall discuss some stealthy reconnaissance techniques that should be employed during a hacking exercise. It’s important to know which scan to use, especially when you are getting blacklisted or having your scan results filtered out. 

Many hackers use tools such as nmap without properly understanding what certain switches mean and why they should be turned on. In this article, we will not discuss nmap; however, we will look at how it and some other scanners work, especially for stealth scans.

Overview

Before we can begin attacking any system, we first need to understand the type of system we are dealing with. Unfortunately, properly probing a target means employing techniques that are largely noisy and non-stealthy. These will mostly get picked up by devices on the network such as firewalls, SIEMs and IDS devices.

The focus now becomes identifying targets without alarming the system admins or Security Operations Center team. The techniques discussed below will either confuse the available defense mechanisms or make it more difficult to detect the activity from our attacking machine.

Before we can dive deeper, though, it is important to understand what a non-stealthy scan is.

What is a non-stealthy scan?

A TCP connection works through a three-way handshake, where a client and a server communicate in a particular manner before establishing a connection. This communication happens in the following steps:

  • The client sends a TCP packet to the server with the SYN flag set
  • If the probed port is open, the server responds to the client with a TCP packet with the SYN and ACK flags set
  • If the port is closed, the server will respond with a TCP packet with the RST flag set
  • In case the port is open, (Read more...)
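The SYN, SYN/ACK and RST responses listed above are also what a defender sees in packet records, which is why such a scan is noisy. The following is an added example, not code from the original article: it pairs each client SYN with the server's reply and flags sources that probe many distinct ports and mostly hit closed ones. The record format, the sample addresses and the `min_ports` and `min_closed_ratio` thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic): "src:sport > dst:dport FLAGS"
SAMPLE = """\
10.0.0.5:40001 > 10.0.0.9:22 SYN
10.0.0.9:22 > 10.0.0.5:40001 SYN,ACK
10.0.0.5:40002 > 10.0.0.9:23 SYN
10.0.0.9:23 > 10.0.0.5:40002 RST
10.0.0.5:40003 > 10.0.0.9:25 SYN
10.0.0.9:25 > 10.0.0.5:40003 RST
10.0.0.5:40004 > 10.0.0.9:80 SYN
10.0.0.9:80 > 10.0.0.5:40004 SYN,ACK
10.0.0.5:40005 > 10.0.0.9:110 SYN
10.0.0.9:110 > 10.0.0.5:40005 RST
10.0.0.7:51000 > 10.0.0.9:80 SYN
10.0.0.9:80 > 10.0.0.7:51000 SYN,ACK
"""

LINE = re.compile(r"(\S+):(\d+) > (\S+):(\d+) (\S+)")

def classify(log):
    """Map each probing source to {(dst, port): 'open' | 'closed' | 'no-reply'}."""
    probes = {}                                    # (src, sport, dst, dport) -> state
    for m in LINE.finditer(log):
        src, sport, dst, dport, flags = m.groups()
        flags = set(flags.split(","))
        if flags == {"SYN"}:                       # client opens the handshake
            probes[(src, sport, dst, dport)] = "no-reply"
        else:
            key = (dst, dport, src, sport)         # a reply travels the reverse way
            if key in probes:
                if {"SYN", "ACK"} <= flags:        # server says the port is open
                    probes[key] = "open"
                elif "RST" in flags:               # server says the port is closed
                    probes[key] = "closed"
    result = defaultdict(dict)
    for (src, _, dst, dport), state in probes.items():
        result[src][(dst, int(dport))] = state
    return result

def suspected_scanners(log, min_ports=4, min_closed_ratio=0.5):
    """Sources that probed many distinct ports and mostly hit closed ones."""
    hits = []
    for src, ports in classify(log).items():
        closed = sum(1 for s in ports.values() if s == "closed")
        if len(ports) >= min_ports and closed / len(ports) >= min_closed_ratio:
            hits.append(src)
    return sorted(hits)
```

On the constructed sample, `suspected_scanners(SAMPLE)` reports only `10.0.0.5`, the source that touched five ports and received three RSTs; the single web connection from `10.0.0.7` is not flagged.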

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/a7hoLPXwvKM/