Modifying packet parameters

The most common approach to active reconnaissance is to conduct a scan against the target, send defined packets to the target, and then use the returned packets to gain information. The most popular tool of this type is Network Mapper (nmap).

To use nmap effectively, it must be run with root-level privileges. This is typical of applications that manipulate packets, which is why Kali defaults to root at the time of startup.

Some stealth techniques that minimize detection, and the alarms that follow it, include the following:

  • Attackers approach the target with a goal in mind and send the minimum number of packets needed to achieve that objective. For example, if you wish to confirm the presence of a web host, you first need to determine whether port 80, the default port for web-based services, is open.
  • Avoid scans that may connect with the target system and leak data. Do not ping the target or use synchronize (SYN) and non-conventional packet scans, such as acknowledge (ACK), finished (FIN), and reset (RST) packets.
  • Randomize or spoof packet settings, such as the source IP address and port, and the MAC address.
  • Adjust the timing to slow the arrival of packets at the target site.
  • Change the packet size by fragmenting packets or appending random data to confuse packet inspection devices.

For example, if you want to conduct a stealthy scan and minimize detection, the following nmap command could be used:

# nmap --spoof-mac Cisco --data-length 24 -T paranoid --max-hostgroup 1 --max-parallelism 10 -Pn -f -D 10.1.20.5,RND:5,ME -v -n -sS -sV -oA /desktop/pentest/nmap/out -p T:1-1024 --randomize-hosts 10.1.1.10 10.1.1.15

The following table explains the previous command in detail:

Command                 Rationale

--spoof-mac Cisco       Spoofs the MAC address to match a Cisco product. Replacing
                        Cisco with 0 creates a completely random MAC address.

--data-length 24        Appends 24 random bytes to most packets that are sent.

-T paranoid             Sets the timing template to the slowest setting, paranoid.

--max-hostgroup 1       Limits the number of hosts that are scanned at a time.

--max-parallelism 10    Limits the number of outstanding probes that are sent out.
                        You can also use the --scan-delay option to set a pause
                        between the probes; however, this option is not compatible
                        with the --max-parallelism option.

-Pn                     Does not ping to identify active systems (pings can leak
                        data).

-f                      Fragments the packets; this frequently fools low-end and
                        improperly configured IDS.

-D 10.1.20.5,RND:5,ME   Creates decoy scans that run simultaneously with the
                        attacker's scan, making it harder to identify the real
                        scan.

-n                      No DNS resolution: nmap does not actively query internal
                        or external DNS servers for DNS information. Such queries
                        are frequently logged, so the query function should be
                        disabled.

-sS                     Conducts a stealth TCP SYN scan, which does not complete
                        the TCP handshake. Other scan types (for example, null
                        scans) can also be used; however, most of these will
                        trigger detection devices.

-sV                     Enables version detection.

-oA /desktop/pentest/nmap/out
                        Outputs the results in all formats (normal, grepable,
                        and XML).

-p T:1-1024             Specifies the TCP ports to be scanned.

--randomize-hosts       Randomizes the target host order.

Together, these options will create a very slow scan that hides the true identity of the source. However, if the packets are too unusual, complex modification may actually attract the attention of the target; therefore, many testers and attackers use anonymity networks to minimize detection.
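From the defender's side, the half-open SYN probes produced by -sS, paced with -T paranoid and fragmented with -f, still leave a trace: one source touching many ports on one host without ever completing a handshake. The following Python detector is an added example, not part of the original text; it runs over constructed firewall-style log lines (the log format, addresses and timestamps are made up for this demonstration) and flags such sources regardless of how slowly the probes arrive.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) (.*)$")

# Constructed sample log (not from the original page): 10.1.20.5 probes a new
# TCP port every five minutes, roughly the pacing of -T paranoid, with some
# packets fragmented (-f); 192.168.5.7 is a client that completes its handshake.
SAMPLE_LOG = """\
2024-03-01T10:00:00 SRC=10.1.20.5 DST=10.1.1.10 PROTO=TCP DPT=21 SYN FRAG
2024-03-01T10:05:00 SRC=10.1.20.5 DST=10.1.1.10 PROTO=TCP DPT=22 SYN
2024-03-01T10:10:00 SRC=10.1.20.5 DST=10.1.1.10 PROTO=TCP DPT=23 SYN FRAG
2024-03-01T10:15:00 SRC=10.1.20.5 DST=10.1.1.10 PROTO=TCP DPT=25 SYN
2024-03-01T10:20:00 SRC=10.1.20.5 DST=10.1.1.10 PROTO=TCP DPT=80 SYN
2024-03-01T10:01:00 SRC=192.168.5.7 DST=10.1.1.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:01:01 SRC=192.168.5.7 DST=10.1.1.10 PROTO=TCP DPT=443 ACK
"""

def find_slow_scans(log_text, min_ports=5):
    """Flag sources whose half-open SYNs touch >= min_ports distinct ports on one
    host, however slowly they arrive; an ACK marks a source as a real client."""
    state = defaultdict(lambda: {"ports": set(), "times": [], "frag": 0, "ack": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, dpt, flags = m.groups()
        s = state[(src, dst)]
        flags = flags.split()
        if "ACK" in flags:
            s["ack"] = True          # handshake completed: not a -sS probe
        elif "SYN" in flags:
            s["ports"].add(int(dpt))
            s["times"].append(datetime.fromisoformat(ts))
            s["frag"] += "FRAG" in flags
    alerts = {}
    for (src, dst), s in state.items():
        if s["ack"] or len(s["ports"]) < min_ports:
            continue
        span = (max(s["times"]) - min(s["times"])).total_seconds() / 60
        alerts[src] = {"target": dst, "ports": sorted(s["ports"]),
                       "span_minutes": span, "fragmented": s["frag"]}
    return alerts

if __name__ == "__main__":
    for src, info in find_slow_scans(SAMPLE_LOG).items():
        print(f"{src} -> {info['target']}: {len(info['ports'])} ports over "
              f"{info['span_minutes']:.0f} min, {info['fragmented']} fragmented")
```

Because the detector keys on distinct ports per source rather than on packet rate, lengthening the delay between probes does not defeat it; decoy sources from -D would each appear as their own alert, which is itself a useful signal.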
