CS38, Security and Privacy, Spring 2005
Network intelligence gathering
Network recon overview
Network Scanning Techniques,
http://www.sys-security.com/archive/papers/Network_Scanning_Techniques.pdf
[local Network_Scanning_Techniques.pdf]
A good overview of scanning techniques. See also Nmap pages.
Port scanning and OS fingerprinting tools
Nmap,
http://www.insecure.org/nmap/
De-facto standard advanced port scanner and OS fingerprinting tool. Read the manual for explanations of the various scanning techniques.
Xprobe2,
http://www.sys-security.com/index.php?page=xprobe
Intended to give better precision than Nmap.
Sing,
http://www.whitehats.ca/main/publications/external_pubs/icmp_usage/icmp_usage.html
Sing (Send ICMP nasty garbage) is, despite its scary name, merely a replacement for PING with extra flexibility for non-standard ICMP packet creation. See the ICMP section below for more info. Sing is installed in our virtual environments, see sing(8).
Nessus,
http://www.nessus.org
This is a free "scan in a box" vulnerability scanning tool that is easy to operate and even produces glitzy reports for the management. Kiewit uses it. It's very noisy. There is a remote possibility that you might crash a service by scanning remote machines.
Reconnaissance via ICMP
How can attacker use ICMP for reconnaissance?,
KoonYaw Tan
http://www.sans.org/resources/idfaq/icmp_misuse.php
A SANS overview article
ICMP Usage in Scanning: The Complete Know How,
Ofir Arkin
http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.pdf
[local ICMP_Scanning_v3.0.pdf]
Long and very detailed analysis of various kinds of ICMP probes. Skimming it may be a good idea. Much of this functionality is implemented in Ofir's Xprobe2 tool. The Sing tool is used and quoted extensively.
Hping2, Sing,
http://sourceforge.net/projects/hping2/
http://sourceforge.net/projects/sing/
Advanced ICMP pingers.
Sergey Bratus