From the course: Security Testing Essential Training
Network discovery
- [Instructor] Performing documentation and rule set reviews will provide you with considerable insights into your client's network. But ultimately, those reviews are academic exercises. If you want practical current state information, then scanning the targets on your network to validate your observations is a reasonable next step. Use the information you collected while reviewing network diagrams and firewall configs and build out a list of target networks. You'll need this information to properly configure your network discovery scanning tools. It's important to note there are two distinct types of discovery scanning techniques: active and passive. Active scanners interact with the target system directly. They send specific network packets intended to elicit a specific response. A ping scan will use Internet Control Message Protocol, or ICMP, to determine whether a target system is up or down. But more in-depth scans will attempt to fingerprint the operating system and even identify services on that host with which an attacker could potentially interact. Passive scanners do not interact with target systems directly. Instead, they sit on the network and perform packet captures, extracting source IP, destination IP, and service information from those packets. An example of passive network scanning would be using Wireshark to collect data and then running scripts against the output to automatically analyze that data for host information. Vulnerability scanning vendors like Tenable and Qualys have begun introducing passive network scanners: devices that sit on your network, monitor network traffic, and analyze that traffic to identify live network hosts. These technologies are especially useful for organizations interested in scanning operational technology, or OT, like industrial control system, or ICS, networks.
Certain ICS devices weren't designed in a way that supports active scanning of open ports and available services, and I've seen ICS devices revert to their factory default settings following a simple active network scan. If your client is running operational technologies that might crash when being scanned, then you should absolutely explore your passive scanning options.
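As an added example (not the instructor's or the course's code), here is the kind of script the instructor describes: it reads tab-separated fields exported from a packet capture and builds a passive host and service inventory without ever sending a packet. The sample lines are constructed to resemble `tshark -T fields` output (source IP, destination IP, protocol, source port, destination port; an assumed format), and the "a host sending from a low port is answering on that port" rule is a heuristic assumption.

```python
from collections import defaultdict

# Constructed sample resembling tab-separated `tshark -T fields` export
# (ip.src, ip.dst, protocol, src port, dst port). Not a real capture.
SAMPLE_CAPTURE = """\
10.0.5.20\t10.0.5.10\tTCP\t51234\t502
10.0.5.10\t10.0.5.20\tTCP\t502\t51234
10.0.5.21\t10.0.5.10\tTCP\t40111\t502
10.0.5.21\t10.0.5.11\tTCP\t40112\t22
10.0.5.11\t10.0.5.21\tTCP\t22\t40112
10.0.5.30\t10.0.5.10\tICMP\t\t
"""

# Heuristic assumption: ports at or above this value are client-side ephemeral ports.
EPHEMERAL_MIN = 32768


def parse_line(line):
    """Split one exported record; return None for malformed or IP-less lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    src, dst, proto = fields[0], fields[1], fields[2]
    sport = int(fields[3]) if len(fields) > 3 and fields[3] else None
    dport = int(fields[4]) if len(fields) > 4 and fields[4] else None
    return src, dst, proto, sport, dport


def passive_inventory(capture_text):
    """Map each observed IP to a packet count and the services it answered on."""
    hosts = defaultdict(lambda: {"seen": 0, "services": set()})
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, sport, dport = parsed
        hosts[src]["seen"] += 1      # any packet proves the host is live
        hosts[dst]["seen"] += 1
        # Only a host *replying from* a low port is credited with a service;
        # a client merely connecting to a port proves nothing about a listener.
        if sport is not None and dport is not None and sport < dport and sport < EPHEMERAL_MIN:
            hosts[src]["services"].add((proto, sport))
    return {h: {"seen": v["seen"], "services": sorted(v["services"])} for h, v in hosts.items()}


if __name__ == "__main__":
    for host, info in sorted(passive_inventory(SAMPLE_CAPTURE).items()):
        print(f"{host:<12} packets={info['seen']:<3} services={info['services']}")
```

Hosts that only ever appear as clients (10.0.5.20, 10.0.5.21) are listed as live but with no services, which is the honest result of a capture-only method; an active scan would be needed to learn more about them, and that is exactly the step you skip on fragile ICS gear.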