In some cases, we need to identify the network ranges of a company ourselves for penetration testing. In the case of a pure black box pentest, we would only know the company name in our role as an attacker. Here we encounter two problems: if we don’t know the IP address range, we cannot estimate the effort needed in advance, and we must ensure that we don’t accidentally penetrate IT systems of third parties when carrying out an attack. For these reasons, the necessary information, such as the network ranges of the IT infrastructure to be examined, is usually provided by the client. In our scenario, network 10.250.53.0/24 of Dubius Payment Ltd. will be subjected to a penetration test.

So far, the task of compromising Dubius Payment Ltd. may have seemed a bit abstract. To shed light on the situation, we must first identify the accessible servers and services in the network range. To do so, we need a clear understanding of the values that uniquely identify a network connection: a connection is defined by its source and destination IP address, its source and destination port, and the transport protocol.

A service can be reached over IPv4 or IPv6; for Dubius Payment Ltd. we will focus only on the TCP and UDP transport protocols. Each protocol offers 65536 ports (0 - 65535) on which a service might listen for incoming connections. Note that binding a port below 1024 requires administrative rights on Unix-like systems. Together, these values describe the attack surface of a network and are all that is needed to establish connections to its servers and services.
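The scope and connection bookkeeping described above, as an added Python example that is not part of the original article or of binsec academy's course materials: it uses the client-provided range 10.250.53.0/24 from the text, while the function names, the connection dataclass and the sample candidate addresses (192.0.2.10 is a documentation address) are assumptions of this example. It enumerates the hosts in scope, rejects addresses that would hit third-party systems, validates a five-tuple against the port and protocol limits above, and sizes the full TCP+UDP attack surface so the effort can be estimated before any packet is sent.

```python
"""Scope and connection bookkeeping for the Dubius Payment Ltd. engagement (added example)."""
import ipaddress
from dataclasses import dataclass

# The range handed over by the client in the text; everything else is off limits.
SCOPE = [ipaddress.ip_network("10.250.53.0/24")]
PROTOCOLS = ("tcp", "udp")      # the only transport protocols considered here
PORT_COUNT = 65536              # ports 0-65535 per protocol
PRIVILEGED_LIMIT = 1024         # binding below this needs administrative rights


@dataclass(frozen=True)
class Connection:
    """The five values that uniquely identify one network connection (hypothetical helper)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str

    def __post_init__(self):
        for port in (self.src_port, self.dst_port):
            if not 0 <= port < PORT_COUNT:
                raise ValueError(f"port {port} outside 0-{PORT_COUNT - 1}")
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        # ip_address() raises ValueError on malformed addresses.
        src = ipaddress.ip_address(self.src_ip)
        dst = ipaddress.ip_address(self.dst_ip)
        if src.version != dst.version:
            raise ValueError("source and destination must both be IPv4 or both IPv6")


def connection_error(src_ip, src_port, dst_ip, dst_port, protocol):
    """Return the validation error for a five-tuple, or None when it is well-formed."""
    try:
        Connection(src_ip, src_port, dst_ip, dst_port, protocol)
    except ValueError as exc:
        return str(exc)
    return None


def in_scope(ip, scope=SCOPE):
    """True if the address lies inside one of the client-provided networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)


def filter_targets(candidates, scope=SCOPE):
    """Split candidate addresses into those we may test and those we must not touch."""
    inside, outside = [], []
    for ip in candidates:
        (inside if in_scope(ip, scope) else outside).append(ip)
    return inside, outside


def is_privileged_port(port):
    """Ports below 1024 can only be bound with administrative rights on Unix-like systems."""
    return 0 <= port < PRIVILEGED_LIMIT


def attack_surface(scope=SCOPE, protocols=PROTOCOLS):
    """Number of (host, port, protocol) combinations a full sweep of the scope would touch.

    hosts() excludes the network and broadcast address of each IPv4 network.
    """
    hosts = sum(sum(1 for _ in net.hosts()) for net in scope)
    return hosts * PORT_COUNT * len(protocols)


if __name__ == "__main__":
    # Constructed candidate list: two in-scope hosts and one third-party address.
    inside, outside = filter_targets(["10.250.53.1", "10.250.53.200", "192.0.2.10"])
    print("in scope:", inside)
    print("out of scope (must not be touched):", outside)
    print("combinations in a full TCP+UDP sweep:", attack_surface())
    print("malformed tuple:", connection_error("10.250.53.5", 40000, "10.250.53.1", 70000, "tcp"))
```

Run the scope filter over every address a scanner is about to be pointed at, not just the initial list: a single mistyped octet is exactly how third-party systems get probed by accident.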

But as you might imagine, under no circumstances will we search for existing servers and services by hand, as this task is easy to automate with a program or tool. Instead of issuing the same connection command thousands of times, we will "only" use the nmap (network mapper) tool. Nmap, however, offers much more than automatically identifying servers and services.

About Pentest Training

Discover the world of penetration testing. Learn how to infiltrate networks and successfully penetrate systems and applications. Acquire the necessary hacking skills and use them when conducting professional penetration tests. Become a real penetration tester. Here you will find the free documents for the Pentest Training of binsec academy GmbH. The binsec academy GmbH offers the corresponding security training lab environments and certifications. However, the knowledge and wiki articles on hacking and penetration testing are universal.

About binsec academy GmbH

binsec academy GmbH is the European provider of online security training with virtual laboratory environments. The core component of all security training is the focus on practice, practice and more practice. In the wiki here you will find the public and freely available course materials. You can put the theory into practice at binsec-academy.com.