The best-practice assessment methodology used by determined attackers and network security consultants includes four high-level components:
1. Network discovery, to identify IP networks and hosts of interest
2. Bulk network scanning and probing, to identify potentially vulnerable hosts
3. Investigation of vulnerabilities and further manual network exploration
4. Exploitation of vulnerabilities and bypassing of security mechanisms
This complete methodology applies to Internet-based networks that are tested blind, with limited target information (such as a single DNS domain name). If a consultant is commissioned to evaluate a particular block of IP address space, he or she will skip the initial network enumeration and begin with bulk network scanning and investigation of vulnerabilities.
Internet Host and Network Enumeration
Various discovery techniques are used to query open sources to identify hosts and networks of interest. These open sources include web and newsgroup search engines, WHOIS databases, and DNS nameservers. By querying these sources, attackers can obtain useful data about the structure of the target network from the Internet, often without scanning the network or otherwise probing it directly.
Initial reconnaissance is crucial because it can reveal hosts that are not properly hardened against attack. While a determined attacker spends time identifying peripheral networks and hosts, companies and organizations concentrate their efforts on protecting obvious public systems (such as public web and mail servers) and often neglect lesser-known hosts and networks.
A determined attacker may also enumerate the networks of third-party vendors and partners who in turn have access to the target network space. Today, such third parties often have private connections into internal corporate network space via VPN tunnels and other links.
Key pieces of information gathered through initial discovery include details of Internet-based network blocks, internal IP addresses collected from DNS servers, insight into the target organization's DNS structure (including domain names, subdomains, and hostnames), and details of the relationships between physical locations.
This information is then used to further evaluate the target network space and to perform structured bulk network scanning and probing exercises that investigate potential vulnerabilities. Further discovery includes extracting user details, including email addresses, phone numbers, and office addresses.
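As an added defender's check, not code from the original post, the following Python example parses a constructed zone excerpt (the example.com names and addresses are made up) and flags records in a public zone that point at internal address space, which is the DNS leakage of internal IP addresses described above.

```python
import ipaddress
import re

# Constructed sample: records in BIND zone-file style as a public nameserver
# might serve them. Not taken from any real organization.
SAMPLE_ZONE = """
www.example.com.      3600 IN A     203.0.113.10
mail.example.com.     3600 IN A     203.0.113.25
intranet.example.com. 3600 IN A     10.20.30.40
vpn-gw.example.com.   3600 IN A     172.16.5.1
build01.example.com.  3600 IN A     192.168.1.77
git.example.com.      3600 IN AAAA  fd12:3456:789a::1
docs.example.com.     3600 IN CNAME www.example.com.
"""

# Address space that should never appear in a zone served to the Internet:
# RFC 1918 private ranges, loopback and link-local, plus the IPv6 equivalents.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# name  TTL  IN  A|AAAA  address  (CNAME, MX, TXT etc. are ignored here)
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")


def parse_address_records(zone_text):
    """Return (owner name, address string) pairs for syntactically valid A/AAAA records."""
    records = []
    for line in zone_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        name, _rtype, addr = m.groups()
        try:
            ipaddress.ip_address(addr)  # reject malformed addresses
        except ValueError:
            continue
        records.append((name.rstrip("."), addr))
    return records


def is_internal(addr):
    """True if the address falls in any of INTERNAL_NETWORKS (version mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_internal_exposures(zone_text):
    """Names in the zone whose addresses reveal internal addressing to an outsider."""
    return [(name, addr) for name, addr in parse_address_records(zone_text)
            if is_internal(addr)]
```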