Hack Like a Pro: How to Perform Stealthy Reconnaissance on a Protected Network

Welcome back, my fledgling hackers!

One of the first issues any hacker has to address is reconnaissance. Before we even begin to hack, we need to know quite a bit about the target systems. We should know their IP address, what ports are open, what services are running, and what operating system the target is using. Only after gathering this information can we begin to plan our attack. Most hackers spend far more time doing reconnaissance than exploiting.

I've written a couple articles on performing active and passive recon already, but this article is dedicated to doing reconnaissance without being detected or blocked.

Our reconnaissance tool of choice is nmap, which sends crafted packets at the target system, and then based upon how it responds, determines what ports and services are open and what operating system is running. Unfortunately, these types of scans can easily be detected, logged, and even blocked by a good firewall and/or NIDS (network intrusion detection system).

In this article, I will show you a couple of techniques that help you do reconnaissance stealthily without being detected or blocked.

Step 1: Scan the Network with TCP Connect

Let's start by scanning the network with the TCP connect protocol. This is our most reliable scan as it opens up a connection with the target system. Note that we are using the -P0 switch here. This suppresses the ping that nmap sends out by default and is blocked by most firewalls.

• nmap -sT -P0 192.168.1.115

As you can see, it returns us a reliable report on the open TCP ports.

The problem with this type of scan is that it opens up a connection with the TCP three-way handshake to the target system and therefore it's logged in the Windows Security events. If eventually we hack this system, it wouldn't be hard for the system admin to determine who did it, as he would have our IP address in his logs from this scan.

Step 2: Scan with SYN Flag

One of the strengths and weaknesses of the TCP scan is that it opens a connection, making it very reliable and at the same time, very un-stealthy. As an alternative, we can use a TCP protocol with just the SYN flag set that never completes the three-way handshake of a TCP connection and therefore is never logged. We can do this with:

• nmap -sS -P0 192.168.1.115

As you can see, it also provides us with us list of open ports and is nearly as reliable as the TCP connect scan, but without leaving a trail in the log files. Notice that this scan took .42 seconds according to nmap.

Step 3: Alternate Scans

Depending upon the system, we might also try a UDP scan (using the UDP protocol to find open ports), a NULL scan (a TCP packet with no flags set), and an Xmas (a TCP packet with the P, U, F flags set) scan. Each of these will return results, but with diminished reliability.

• nmap -sU -P0 192.168. 1.115
• nmap -sN -P0 192.168. 1.115
• nmap -sX -P0 192.168. 1.115

Step 4: Dropping Below the Threshold

Although these scans will not be logged, the firewall or NIDS may block or alert the system admin of the scan. Modern firewalls and nearly every NIDS can detect these types of scans and block your scan or send an alert. If you're blocked by the firewall or NIDS, the alert will capture your scan and IP address as it identifies your scan.

Most of these perimeter defenses, though, have a weakness. That weakness is that they only detect and alert on these scans when the number of packets that meet its signature exceed a certain level or threshold. If we can figure out what this threshold is and stay below it, we can run our reconnaissance scan without being blocked and without triggering an alert.

The most widely used NIDS in the world is Snort. It has signatures built into its ruleset to detect scans like those we are attempting from nmap, but because networks see so many port scans everyday (large corporate networks might see 1000s a day), they set a minimum threshold level that the scan must meet before it triggers an alert. In Snort, the threshold is set by default at 15 ports per second. If we scan scan below that threshold, our scan will go undetected!

Remember, the more we know about the firewall and NIDS, the better we can evade them. See my previous articles using evading an NIDS with Snort here and here for more information.

Fortunately, nmap allows us to scan at different speeds—and it has six different built-in speeds. We can change the speeds by using the -T switch followed by either the name of the speed or that speed's corresponding number. These are:

• paranoid 0
• sneaky 1
• polite 2
• normal 3
• aggressive 4
• insane 5

The two slowest speeds, paranoid and sneaky, are both below the Snort threshold for port scans. Now, we set our scan down to sneaky speed by using this command:

• nmap -sS -P0 -T sneaky 192.168.1.115

Our scan will now sail right past the NIDS and firewall without being detected. The downside, of course, is that we need to be VERY patient as this type of scan can take longer than a default scan or an insane scan (the fastest). For instance, the "sneaky" scan can take up to 5 hours per IP address vs. .42 seconds for the default scan. Your patience now, though, will likely be rewarded if you can get past the firewall or NIDS without being detected!

Questions?

If you have any questions on any of this, please ask them in the comments below. Or, if you have an unrelated hacking question, stop by the Null Byte forum. And as always, stay tuned for more hacking lessons!

Binoculars and military recon images via Shutterstock