Once the tester's identity is protected, identifying the devices on the internet-accessible portion of the network is the next critical step in scanning a network.
Attackers and penetration testers use this information to do the following:
- Identify devices that may confuse (load balancers) or eliminate (firewalls and packet inspection devices) test results
- Identify devices with known vulnerabilities
- Identify the requirement for continuing to implement stealthy scans
- Gain an understanding of the target's focus on secure architecture and on security in general
traceroute provides basic information on a network's packet-filtering capabilities; other applications on Kali that help with this stage include the following:

| Application | Description |
| --- | --- |
| lbd | Uses two techniques, one DNS-based and one HTTP-based, to detect load balancers (shown in the following screenshot) |
| miranda.py | Identifies Universal Plug and Play (UPnP) devices |
| nmap | Detects devices and determines their operating systems and versions |
| Shodan | Web-based search engine that identifies devices connected to the internet, including those with default passwords, known misconfigurations, and vulnerabilities |
| censys.io | Similar to Shodan; it has already scanned the entire internet and records certificate details, technology information, misconfigurations, and known vulnerabilities |
The following screenshot shows the results obtained by running the lbd script against Facebook; as you can see, Google uses both DNS load balancing and HTTP load balancing on its site. From a penetration tester's perspective, this information helps explain why spurious results are obtained: the load balancer shifts a particular tool's activity from one server to another between requests. The following screenshot displays the HTTP load-balancing result:
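To make the two lbd heuristics concrete, and to show why repeated requests against a balanced site can disagree with each other, the following added example (not lbd's own code, and not part of the original text) reimplements them over constructed sample data. The DNS check treats more than one distinct A record across repeated lookups as evidence of DNS load balancing; the HTTP check looks for differing `Server` headers and for `Date` headers that jump backwards or drift more than a small threshold, which a single backend clock would not produce. The IP addresses, header values, and the `date_skew_seconds` threshold are all assumptions chosen for illustration.

```python
"""Reproduce the two lbd-style load-balancer heuristics (DNS and HTTP)
over constructed sample data so the behaviour behind the lbd screenshot
can be studied offline. Added illustration, not lbd's own code."""
from collections import Counter
from email.utils import parsedate_to_datetime

# Constructed sample: three successive A-record lookups of one hostname.
# Documentation-range addresses (RFC 5737), chosen for illustration only.
DNS_LOOKUPS = [
    ["203.0.113.10"],
    ["203.0.113.11"],
    ["203.0.113.10", "203.0.113.12"],
]

# Constructed sample: headers from four back-to-back HTTP requests that
# were answered by different backends (differing Server, Date going back).
HTTP_RESPONSES_BALANCED = [
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:00 GMT"},
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:01 GMT"},
    {"Server": "Apache", "Date": "Mon, 01 Jan 2024 11:59:30 GMT"},
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:02 GMT"},
]

# Constructed sample: the same requests answered by one consistent backend.
HTTP_RESPONSES_SINGLE = [
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:00 GMT"},
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:01 GMT"},
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:01 GMT"},
    {"Server": "nginx", "Date": "Mon, 01 Jan 2024 12:00:02 GMT"},
]


def detect_dns_lb(resolutions):
    """DNS-based check: resolve the name repeatedly and report load
    balancing when more than one distinct A record is returned.
    `resolutions` is a list of answer lists, one per lookup.
    Returns (is_balanced, sorted list of distinct addresses)."""
    seen = set()
    for answer in resolutions:
        seen.update(answer)
    return len(seen) > 1, sorted(seen)


def detect_http_lb(responses, date_skew_seconds=5):
    """HTTP-based checks modelled on lbd's approach:
    1. differing 'Server' headers across repeated requests;
    2. 'Date' headers that move backwards or drift by more than
       `date_skew_seconds` between consecutive requests, which points
       to several backend clocks rather than one.
    `responses` is a list of header dicts captured in request order."""
    servers = Counter(r.get("Server", "") for r in responses)
    server_differs = len(servers) > 1

    date_anomaly = False
    prev = None
    for r in responses:
        if "Date" not in r:
            continue
        ts = parsedate_to_datetime(r["Date"])
        if prev is not None:
            delta = (ts - prev).total_seconds()
            # One backend's clock only moves forward, and quickly issued
            # requests should sit within a few seconds of each other.
            if delta < 0 or delta > date_skew_seconds:
                date_anomaly = True
        prev = ts

    return {
        "server_header_differs": server_differs,
        "server_headers": dict(servers),
        "date_header_anomaly": date_anomaly,
        "http_load_balanced": server_differs or date_anomaly,
    }


if __name__ == "__main__":
    balanced, addrs = detect_dns_lb(DNS_LOOKUPS)
    print(f"DNS load balancing: {balanced} (addresses seen: {addrs})")
    for label, sample in (("balanced", HTTP_RESPONSES_BALANCED),
                          ("single backend", HTTP_RESPONSES_SINGLE)):
        print(f"HTTP sample ({label}): {detect_http_lb(sample)}")
```

When either check fires, a tester should expect that consecutive probes from the same tool may have landed on different servers, so a finding that appears on one request and vanishes on the next is more likely a balancing artefact than a flaky tool. In live use the two sample lists would be replaced by real resolver answers and captured response headers.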