Active information gathering produces more details about your network and helps you see your systems from an attacker’s perspective. For instance, you can:
- Use the information provided by WHOIS searches to test other closely related IP addresses and hostnames. When you map out and gather information about a network, you see how its systems are laid out. This information includes determining IP addresses, hostnames (typically external but occasionally internal), running protocols, open ports, available shares, and running services and applications.
- Scan internal hosts when and where they are within the scope of your testing. (Tip: They really ought to be.) These hosts might not be visible to outsiders (at least you hope they’re not), but you absolutely need to test them to see what rogue (or even curious or misguided) employees, other insiders, and even malware controlled by outside parties can access. A worst-case situation is that the intruder has set up shop on the inside. Just to be safe, examine your internal systems for weaknesses.
- VMware Workstation Pro ( www.vmware.com/products/workstation/overview.html )
- VirtualBox, the open source virtual machine alternative that works very well ( www.virtualbox.org )
Hosts
Scan and document specific hosts that are accessible from the Internet and your internal network. Start by pinging either specific hostnames or IP addresses with one of these tools:
- The basic ping utility that’s built into your operating system
- A third-party utility that allows you to ping multiple addresses at the same time, such as NetScanTools Pro ( www.netscantools.com ) for Windows and fping ( http://fping.sourceforge.net ) for Linux.
The site WhatIsMyIP.com ( www.whatismyip.com ) shows how your gateway IP address appears on the Internet. Just browse to that site, and your public IP address (your firewall or router — preferably not your local computer) appears. This information gives you an idea of the outermost IP address that the world sees.
Open ports
Scan for open ports by using network scanning and analysis tools:
- Scan network ports with NetScanTools Pro or Nmap ( http://nmap.org ).
- Monitor network traffic with a network analyzer, such as OmniPeek ( www.savvius.com ) or Wireshark ( www.wireshark.com ).
Scanning internally is easy. Simply connect your PC to the network, load the software, and fire away. Just be aware of network segmentation and internal IPSs that may impede your work. Scanning from outside your network takes a few more steps, but it can be done. The easiest way to connect and get an outside-in perspective is to assign your computer a public IP address and plug that system into a switch on the public side of your firewall or router. Physically, the computer isn’t on the Internet looking in, but this type of connection works just the same as long as it’s outside your network perimeter. You can also do this outside-in scan from home or from a remote office location.
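Scanning is only half of "scan and document": the useful part is comparing what is reachable from outside against the services you have authorised. The following added example (not from the original text) parses Nmap's grepable (-oG) output for the perimeter hosts and reports open ports that are not in a documented baseline, plus baseline ports that did not show up. The sample scan output, the hostnames and the baseline are constructed for illustration and use RFC 5737 documentation addresses.

```python
"""Compare an outside-in Nmap scan against a documented service baseline."""
import re

# Constructed sample of `nmap -oG -` output for two perimeter hosts.
# Field layout per port: port/state/proto/owner/service/rpc/version/
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.com)\tStatus: Up
Host: 192.0.2.10 (www.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 (mail.example.com)\tPorts: 25/open/tcp//smtp///, 3389/open/tcp//ms-wbt-server///, 8080/filtered/tcp//http-proxy///
# Nmap done
"""

# Constructed baseline: the TCP ports that are supposed to be reachable
# from the Internet for each host, taken from the change-controlled inventory.
BASELINE = {
    "192.0.2.10": {22, 80, 443},
    "192.0.2.11": {25, 587},
}

PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)")


def parse_grepable(text):
    """Return {ip: {port: (state, proto, service)}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # skip comments and Status-only lines
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, svc in PORT_RE.findall(ports_field):
            hosts.setdefault(ip, {})[int(port)] = (state, proto, svc)
    return hosts


def diff_against_baseline(scan, baseline):
    """Return (unexpected, missing) as {ip: [ports]} dictionaries.

    unexpected: ports seen open that the baseline does not authorise
    missing:    baseline ports that were not seen open (service down,
                filtered, or the scan vantage point is wrong)
    A scanned host absent from the baseline has all its open ports flagged.
    """
    unexpected, missing = {}, {}
    for ip in set(scan) | set(baseline):
        allowed = baseline.get(ip, set())
        seen_open = {p for p, (st, _, _) in scan.get(ip, {}).items() if st == "open"}
        if seen_open - allowed:
            unexpected[ip] = sorted(seen_open - allowed)
        if allowed - seen_open:
            missing[ip] = sorted(allowed - seen_open)
    return unexpected, missing
```

Run the scan from the outside-in vantage point described above, pipe `nmap -oG -` output into `parse_grepable`, and treat every entry in `unexpected` as a finding to investigate (3389 exposed to the Internet in the sample) and every entry in `missing` as either an outage or a scan that did not reach the host.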