But why bother actively scanning a potential target when someone has already done the work for you? Organizations and services like Shodan and Censys survey the internet on a massive scale and provide a search engine that anyone can use to learn more about an IP address or organization, as long as those services have already seen or scanned it. Techniques like this are called passive reconnaissance.
Combining the results of active and passive reconnaissance, attackers then try to build a profile of their target:
“There is an F5 load balancer at xxxx. It is running software version yy.z. It may be vulnerable to foo.”
“There is an Exchange server running OWA (Outlook Web Access) at aaaa. I don’t know what the patch level is. I may have to test multiple vulnerabilities against it.”
“There is a custom web application running on mmmm.”
What I am describing above is a small part of the attacker’s and/or penetration tester’s lifecycle. Of course, I’m simplifying things a lot here, but if you want to learn more about this sort of thing, consider looking at the phases of a pentest. Depending on which penetration testing outfit you ask, each has a different idea of how many phases a penetration test has, but Core Security has been around for a very long time and I like their point of view. You may also consider looking at Lockheed Martin’s Cyber Kill Chain to learn how nation-state threats operate.
For those who want in-depth information on the tactics used by different attack groups, be sure to check out MITRE ATT&CK.
On the other side
The bad guys, the pentesters, and the red team are, of course, using your open ports against you for reconnaissance. But what if the defenders did it instead? Welcome to vulnerability management.
In short, vulnerability management is an effort by a security operations team to proactively and regularly probe their own systems for vulnerabilities, prioritize those vulnerabilities in terms of criticality and potential impact, remediate them (or mitigate them in some other way), confirm that they are fixed, and then repeat the whole process.
There are a variety of commercial tools designed to do this (Qualys, Nessus, Nexpose), and many can use both active and passive probing techniques to detect which network applications and protocols are running, and which vulnerabilities may be present, simply by observing network traffic, including the ports on which communication takes place.
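As an added example (not code from the original post or from any of the tools named), here is a small Python model of the passive side of that loop: constructed flow observations are deduplicated into a per-host service inventory, matched against hypothetical advisories (placeholder IDs, not real CVEs), ranked by impact and exposure, and compared across two cycles to confirm that a fix actually closed a finding. All hosts, banners, advisories and exposure weights are made up for the example.

```python
from collections import defaultdict

# Constructed sample of passively observed server-side flows:
# (server_ip, port, banner). Hosts and banners are made up.
OBSERVED_FLOWS = [
    ("10.0.0.5", 443, "server: BigIP"),
    ("10.0.0.5", 443, "server: BigIP"),           # duplicate observation
    ("10.0.0.9", 443, "x-owa-version: 15.1.2375.7"),
    ("10.0.0.9", 25, "220 mail.example.test ESMTP"),
    ("10.0.0.12", 8080, "server: Apache-Coyote/1.1"),
    ("10.0.0.12", 22, "SSH-2.0-OpenSSH_7.4"),
]

# Hypothetical advisories keyed by a banner substring -> (placeholder id, impact 0..10).
# These are NOT real CVEs; they stand in for a vendor or NVD feed.
ADVISORIES = {
    "BigIP": ("EXAMPLE-ADV-001", 9.8),
    "x-owa-version: 15.1": ("EXAMPLE-ADV-002", 8.8),
    "OpenSSH_7.4": ("EXAMPLE-ADV-003", 5.3),
}

# Assumed asset data: internet-facing hosts weigh 2, internal-only hosts weigh 1.
EXPOSURE = {"10.0.0.5": 2, "10.0.0.9": 2, "10.0.0.12": 1}


def build_inventory(flows):
    """Deduplicate observations into {host: {port: set(banners)}}."""
    inv = defaultdict(lambda: defaultdict(set))
    for host, port, banner in flows:
        inv[host][port].add(banner)
    return inv


def prioritise(inv, advisories=ADVISORIES, exposure=EXPOSURE):
    """Match banners to advisories; score = impact * exposure; highest score first."""
    findings = []
    for host, ports in inv.items():
        for port, banners in ports.items():
            for banner in banners:
                for needle, (adv_id, impact) in advisories.items():
                    if needle in banner:
                        findings.append((impact * exposure.get(host, 1), host, port, adv_id))
    return sorted(findings, reverse=True)


def closed_findings(before, after):
    """Findings seen last cycle but not this one: the fix is confirmed by observation."""
    return sorted(set(before) - set(after), reverse=True)
```

Running `prioritise(build_inventory(OBSERVED_FLOWS))` puts the two internet-facing hosts at the top; after the SSH banner changes in a later capture, `closed_findings` reports only that advisory as resolved.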