
Reconnaissance Attacks

A reconnaissance attack, as the name implies, is the effort of an unauthorized user to gain as much information about the network as possible before launching other, more serious types of attacks. Quite often, the reconnaissance attack is carried out using readily available information.

Public Information

Employee names and e-mail addresses provide a good start in guessing the user name for an employee’s account. Common practice is to use an employee’s first initial and last name as the user name for their network computer account. E-mail addresses are also a common user name for computer accounts. Large companies usually have their phone numbers assigned in blocks from the local telephone company, and many large corporations have their own dialing prefix. By using this information, the intruder can begin war dialing all the company phone numbers looking for a dial-up server. Once a dial-up server is found, the intruder can begin guessing account user names based on an employee’s first initial and last name or their e-mail addresses. Brute force password crackers are freely available on the Internet. Once a user name has been guessed, it’s only a matter of time before a weak password can be cracked.

A war dialer is a program used to dial blocks of phone numbers until it finds a computer on the other end of the line. Once a computer is found, the war dialer application records the number dialed for later use by the intruder.

To use a user account on a server or a network, you must first have the user name and password. Discovering the user names is a fairly straightforward process described in the preceding paragraph. Attackers use password crackers to crack the passwords to user accounts. Some password crackers find the encrypted password files on the server and decrypt them. When a hacker is unable to retrieve the password files, then brute force password crackers are used. Brute force password crackers attempt to log in to a computer account over and over, using multiple password combinations. Some cracking software uses dictionary files, while others attempt every combination of each key on the keyboard—a time-consuming ordeal.
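The two guessing patterns described above, repeated password attempts against one account and one source trying many user names built from employee names, both leave a trail in authentication logs. The following detection logic is an added example (not from the original article) run over constructed sshd-style log lines; the host names, addresses and thresholds are made up for illustration.

```python
# Added example (not from the original article): flag brute-force login guessing
# in constructed authentication log lines. Two patterns are reported: many failed
# passwords against one account (a password cracker at work) and one source trying
# many guessed user names such as first-initial + last-name.
import re
from collections import defaultdict

# Constructed sample log lines in an sshd-like format (hosts and addresses are made up).
LOG_LINES = """\
Mar 23 10:01:02 dialup1 sshd[410]: Failed password for jsmith from 203.0.113.9 port 40112 ssh2
Mar 23 10:01:03 dialup1 sshd[410]: Failed password for jsmith from 203.0.113.9 port 40113 ssh2
Mar 23 10:01:04 dialup1 sshd[410]: Failed password for jsmith from 203.0.113.9 port 40114 ssh2
Mar 23 10:01:05 dialup1 sshd[410]: Failed password for jsmith from 203.0.113.9 port 40115 ssh2
Mar 23 10:01:06 dialup1 sshd[410]: Failed password for jsmith from 203.0.113.9 port 40116 ssh2
Mar 23 10:01:07 dialup1 sshd[410]: Failed password for invalid user mjones from 203.0.113.9 port 40117 ssh2
Mar 23 10:01:08 dialup1 sshd[410]: Failed password for invalid user rlee from 203.0.113.9 port 40118 ssh2
Mar 23 10:01:09 dialup1 sshd[410]: Failed password for invalid user kchen from 203.0.113.9 port 40119 ssh2
Mar 23 10:02:00 dialup1 sshd[411]: Failed password for agarcia from 198.51.100.4 port 50001 ssh2
Mar 23 10:02:30 dialup1 sshd[411]: Accepted password for agarcia from 198.51.100.4 port 50002 ssh2
""".splitlines()

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def detect_guessing(lines, per_account=5, distinct_users=3):
    """Return {"cracking": {(src, user): failures}, "enumeration": {src: user_count}}."""
    fails = defaultdict(int)          # failed attempts per (source, account)
    users_per_src = defaultdict(set)  # distinct account names tried per source
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue                  # successful logins and unrelated lines are skipped
        user, src = m.groups()
        fails[(src, user)] += 1
        users_per_src[src].add(user)
    return {
        "cracking": {k: n for k, n in fails.items() if n >= per_account},
        "enumeration": {s: len(u) for s, u in users_per_src.items() if len(u) >= distinct_users},
    }

if __name__ == "__main__":
    print(detect_guessing(LOG_LINES))
```

The single failure from 198.51.100.4 followed by a success is the normal typo-then-login pattern and is not flagged; a cracker that rotates source addresses per attempt defeats the per-source counter, so in practice the per-account count is the one to alert on.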

The following are commonly used password crackers:

Windows         Unix/Linux
L0phtCrack      Qcrack by the Crypt Keeper
PWLVIEW         CrackerJack by Jackal
Pwlhack         John the Ripper by Solar Designer
PWL-Key         Crack by Alec Muffet

Internet Protocol (IP) address information is publicly available via ARIN and many other Internet registering authorities. From, anyone can begin a search using a single known IP address. The search will yield the complete block of IP addresses belonging to the company. The Domain Name System (DNS) is another publicly available system that can provide a wealth of information regarding the IP addressing and naming strategies of virtually any company connected to the Internet. For a company to host its own e-mail, web, FTP, or any other service on the Internet, it must first have each of these servers listed within the DNS infrastructure. These DNS servers list the names of the servers, along with the IP addresses that can be used to access these services. To mitigate these risks, security-conscious companies could choose to host these servers and services outside their private networks with a hosting company. This added security is usually rendered obsolete, however, by adding backend connections from the hosting facilities back to their private networks.

Electronic Reconnaissance

The attacker must perform electronic reconnaissance to find what systems and resources are on the network. Unless the attacker has prior knowledge of the target network, he or she must find where the company resources are logically located. Once the company IP addresses are known, the attacker can begin to probe and scan the network. The intruder can scan the network looking for vulnerable hosts, applications, or infrastructure equipment. Scanning the network is typically done using a ping sweep utility that pings a range of IP addresses. The purpose of this scanning is to find which hosts are currently live on the network; the ping sweep identifies viable targets. Once the IP addresses of viable hosts are known, the attacker can then begin to probe those hosts to gather additional information, such as the OS or applications running on them.

Probing is attempting to discover information about the hosts that are on the network. Probing is accomplished by looking for open ports on the available host computers. Ports are like virtual doorways to the computer. For a computer to offer or use services on the network, it must first have an open port. Web servers typically use port 80, while FTP servers use port 21. An attacker can find out what services are running on a computer by discovering what ports that computer has opened.

TCP/IP uses port addresses to locate services running on host computers. The port numbers used by an application are that application’s address on that host. The address for a web application located on host would be This address specifies the host address and the application address of 80. Most common applications use well-defined port numbers. A list of well-known port numbers managed by the Internet Assigned Numbers Authority (IANA) can be viewed at assignments/port-numbers.

The more ports that are open, the more potential there is for someone to exploit the services running on the host computer. Once the attacker knows which ports are open, he or she can use this information to further discover the OS and the application servicing each port.

The purpose of this scanning and probing is to find weaknesses on the network. Intruders know the vulnerabilities of certain OSs and the applications they run. The intruder increases his or her chance of succeeding by finding the weakest point on the network and later attacking that vulnerability. The attacker continues to discover information about the network until they have a complete map of the hosts, servers, and weaknesses to exploit in the future.
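Seen from the network's own connection records, the two steps just described have distinctive shapes: a ping sweep is one source touching many hosts, and a port probe is one source touching many ports on one host. The following detector is an added example (not from the original article) run over constructed firewall-style records; the addresses and thresholds are made up for illustration.

```python
# Added example (not from the original article): flag ping sweeps and port probes
# in constructed firewall-style connection records, the two reconnaissance steps
# described above (sweep a range of hosts, then probe open ports on the live ones).
from collections import defaultdict

# Constructed sample records: (source_ip, dest_ip, protocol, dest_port).
# 203.0.113.9 sweeps 192.0.2.1-20 with ICMP echo, then probes ten ports on 192.0.2.10;
# 198.51.100.4 is an ordinary client fetching web pages from the same host.
RECORDS = (
    [("203.0.113.9", f"192.0.2.{h}", "icmp", 0) for h in range(1, 21)]
    + [("203.0.113.9", "192.0.2.10", "tcp", p)
       for p in (21, 22, 23, 25, 80, 110, 139, 443, 445, 3389)]
    + [("198.51.100.4", "192.0.2.10", "tcp", 80),
       ("198.51.100.4", "192.0.2.10", "tcp", 443)]
)

def detect_recon(records, sweep_hosts=10, probe_ports=6):
    """Return {"sweeps": {src: distinct_hosts}, "probes": {(src, dst): distinct_ports}}."""
    hosts_per_src = defaultdict(set)    # distinct targets per source (ping sweep)
    ports_per_pair = defaultdict(set)   # distinct TCP ports per source/target (port probe)
    for src, dst, proto, port in records:
        hosts_per_src[src].add(dst)
        if proto == "tcp":
            ports_per_pair[(src, dst)].add(port)
    return {
        "sweeps": {s: len(h) for s, h in hosts_per_src.items() if len(h) >= sweep_hosts},
        "probes": {k: len(p) for k, p in ports_per_pair.items() if len(p) >= probe_ports},
    }

if __name__ == "__main__":
    print(detect_recon(RECORDS))
```

Scanners built to stay under the radar spread their probes over time or over several source addresses, so in practice the sets are kept per time window and the thresholds are tuned to the normal fan-out of the network being protected.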

Reconnaissance Tools

The most common and widely used hacking tools are reconnaissance tools. Many of these tools have been developed by hackers to aid them in their illicit activities. Other tools used by hackers are the same tools commonly used by network engineers to view problems on the network.

As security and intrusion detection have gotten more sophisticated, so has the software used by hackers. Intrusion-detection software looks for people looking at the network. Hackers know that scanning and probing a network is likely to create suspicion and might generate alarms. Because of this, hackers have begun to develop new software that attempts to hide the true purpose of its activity. Reconnaissance tools in common use today include the following:

A reconnaissance attack is a form of network attack.

Published on Wed 23 March 2016 by Anthony Smith in Security with tag(s): reconnaissance attacks