How do you check for live systems in a targeted environment? There are plenty of ways to accomplish this. Some common ways to perform these types of scans are:
■ Port scanning
Each of these techniques, along with others we will explore, offers something that the others don’t, or at least don’t offer in the same way. Once you understand these differences, you should have a much better idea of how to deploy these methods in a penetration test.
The first type of scan is an old but useful one known as wardialing. Wardialing has existed in an almost unchanged state since the mid-1980s and has stayed around so long because it has proven to be a useful information-gathering tool. In practice, wardialing is extremely simple compared to our other forms of scanning in that it simply dials a block of phone numbers using a standard modem to locate systems that also have a modem attached and accept connections. On the surface, this type of technique seems to be the digital equivalent of the dinosaur, but don’t let that fool you—the technique is still very useful. Understand that modems are still used for a number of reasons, including the low cost of the technology, ease of use, and the availability of phone lines, which are pretty much everywhere. Modems are still so commonly used that an attacker can easily dial a block of phone numbers in just about any town and locate a good number of computers still using dial-up to attach to the outside world.
Once you find a modem and get a response, the question becomes what to do with that information. To answer that, you need to know what devices modems are commonly attached to in the modern world. Private branch exchanges (PBXs) often have modems attached (the nondigital ones), which can provide a good opportunity for mischiefon behalf of the attacking party. Other devices that sometimes have modems attached are firewalls, routers, and fax machines. If an attacker dials into a firewall and gains access, an environment can quickly become unprotected.
The next type of scanning is wardriving, the process of driving around with a wireless enabled notebook or other device with the goal of mapping out access points, usually with the help of a GPS device. If done carefully and with some planning, you can locate many access points along with their configurations and physical locations. This type of scanning is somewhat the same as wardialing in that it is helping you find an entry point into a network—in this case not a modem but a wireless access point of some type. There are a number of tools that can be used to perform wardriving. The following lists some of the tools that fall into this category:
AirSnort A wireless cracking tool.
AirSnare An intrusion detection system that helps you monitor your wireless networks. It can notify you as soon as an unapproved machine connects to your wireless network.
Kismet A wireless network detector, sniffer, and intrusion detection system commonly found on Linux.
NetStumbler A wireless network detector; also available for Mac and for handhelds.
inSSIDer A wireless network detector and mapper of access points.
The next type of scanning for live systems is the simplest and one you are probably familiar with: pinging, or performing a ping sweep.
Pinging is the process of using the ping command to detect whether a system is live as well as gain information about the nature of the connection between your system and the target. The process involves using an Internet Control Message Protocol (ICMP) message, which is why this technique is also called ICMP scanning. The process works by using one system to send an ICMP ECHO request to another system; if that system is live, it will respond by sending back an ICMP ECHO reply. Once this reply is received, the system is confirmed to be up or live. Pinging is useful because it can tell you not only whether a system is up, but also the speed of the packets from one host to another and information about time to live (TTL).
Once you have found a live system, you can perform a port scan to check for open ports.