Network Mapping
Summary
This component allows the auditor to identify the devices on a host's network, the services that are being used by those devices, and any protections in place.
Purpose
Mapping an organization's network exposes the multitude of devices connected to it -- including mostly forgotten servers -- and provides the baseline for later work on device assessment and vulnerability research.
This process also reveals outside service usage (such as google services, dropbox, or others) which serve -- intentionally or not -- as shadow infrastructure for the organization. In combination with beacon research from the network discovery process, many devices can be associated with users.
The Flow Of Information
Guiding Questions
- What operating systems, and services being hosted or used by an organization? Are any hosts running unusual, custom, or outdated operating systems and services?
- Are there unexpected/unusual devices or services on the network?
- What is the topology of the network? What are the routers and modems
managing it? - What services (e.g. dropbox, web-mail, etc.) are running on the network that have not been mentioned by the organizational staff?
- What network assets does an attacker have access to once they have gained access to the internal network?
Approaches
- Network Mapping: Map hosts, services, and network hardware by scanning network devices.
- Monitor Open Wireless Traffic: Monitor wireless traffic for handshakes, beacons, and MAC addresses.
- Wireless Range Mapping: Map the range of the organizations wireless network outside of office space.
Outputs
- A list of hosts, servers, and other network hardware on LAN
- The operating systems and services on each host.
- Services used by the host as identified by decrypted wireless network traffic.
- Possible vulnerable services and practices.1
Operational Security
- Clarify timing and seek permission with staff - some activities can tax the network or cause disruptions.
- Confirm that all devices you are accessing/scanning belong to the organization.
- Delete all devices from your scan that do not belong to the organization.
- Study outputs for any obviously embarrassing personal information (especially traffic sniffing or personal devices connected to the network) before sharing.
- Treat captured network traffic with the utmost security and empathetic responsibility. They may contain very personal data, passwords, and more. These should not be shared except in specific, intentional samples with anyone, including the organization itself.
Preparation
Baseline Skills
- Skill with using nmap/zenmap and its scripting options
- Skill with Wireshark or other packet-capturing tool, as well as possibly more advanced traffic interception tools.
Resources
Guide: "10 Techniques for Blindly Mapping Internal Networks"
Resource List: Wireless Access Guides & Resources (SAFETAG)
Resource List: nmap Scanning Resources (SAFETAG)
Resource List: System Vulnerability Scanning Resources (SAFETAG)
Network Mapping Methods
Guide: "10 Techniques for Blindly Mapping Internal Networks"
Directory: "Network Forensics Packages and Appliances" (Forensics Wiki)
Directory: "Scripts and tools related to Wireshark" (Wireshark Wiki)
Nmap Scanning
Guide: "The Official Nmap Project Guide to Network Discovery and Security Scanning" (Gordon “Fyodor” Lyon)
Cheat Sheet: “Part 1: Introduction to Nmap” (Nmap Cheat Sheet: From Discovery to Exploits)
Cheat Sheet: “Part 2: Advance Port Scanning with Nmap And Custom Idle Scan” (Nmap Cheat Sheet: From Discovery to Exploits)
Cheat Sheet: “Part 3: Gathering Additional Information about Host and Network” (Nmap Cheat Sheet: From Discovery to Exploits)
Cheat Sheet: “Part 4” (Nmap Cheat Sheet: From Discovery to Exploits)
Cheat Sheet: “Nmap Cheat Sheet” (See-Security Technologies)
Overview: “The Purpose of a Graphical Frontend for Nmap” (Zenmap GUI Users' Guide)
Guide: “Zenmap GUI Users' Guide” (Zenmap GUI Users' Guide)
Guide: “Surfing the Network Topology” (Zenmap GUI Users' Guide)
Guide: “Host Detection” (nmap Reference Guide)
Activities
undefined
