Chapter 7: Network Scanning and Management

Network Scanning

We say that it is the utilization of a computer network for purposes of
collecting information about IT systems. We carry out scanning of
networks primarily to help us do system maintenance or a security
assessment. Hackers can also conduct a network scanning exercise before
launching their attacks. The following are some of the reasons we scan
networks:
Identification of the present TCP and UDP network services,
which may be actively being executed on the targets.
To get to understand the systems for filtering that are in
between the targeted hosts and the user.
Discover the operating systems that are being used through the
assessment of their IP responses.
Analyze a particular host that is being targeted for its number
predictability of the TCP sequence. This is to enable the TCP
spoofing and attack sequence prediction.
Network scanning comprises of two key aspects: vulnerability scanning
and network port scanning. The latter denotes a way of sending data
packets through a network over to a systems’ specific port numbers. The
goal is to discover network services that are present in that particular
system. It is an excellent way for troubleshooting issues that a given
system has. That way, the problems can be dealt with so that the system is
secure. For us to discover known vulnerabilities present in network
systems, a method known as vulnerability scanning is used. Through it, we
can identify weak spots both in the operating system and the application
software. It is these weak points that are usually used to compromise
computing systems.
Both vulnerability scanning and network port scanning can be said to be
techniques that are used in information gathering. On the flip side, they
can be a prelude to an attack when they are put to use by anonymous
entities. Such entities usually have malicious intentions. The inverse
mapping is another technique for network scanning. It is useful when it
comes to collecting IP addresses that are not mapped to live hosts. By
doing so, it will be aiding in the focussing attention on addresses that are
worth focussing on, that is, those that are feasible. There are three stages
in which information gathering can be accomplished.
i. The footprinting stage
ii. The scanning stage
iii. The enumeration stage
This, therefore, implies that network scanning is among the crucial steps
an attacker needs to be able to gather information

Network scanning with ifconfig

The ifconfig command is one of the essential tools that can be used for
examining and interacting with active network interfaces. You can use it to
query your active network connections by simply entering ifconfig in the
terminal.

Scanning Wireless Networks with iwconfig

If you have a wireless adapter, you can use the iwconfig command to
gather crucial information for wireless hacking, such as the adapter’s IP
address, its MAC address, what mode it’s in and more. The information
you can glean from this command is particularly important when you’re
using wireless hacking tools like aircrackng

Changing your network information

Being able to change your IP address and other network information is a
useful skill because it will help you access other networks while appearing
as a trusted device on those networks. For example, in a denial of service
(DoS) attack, you can spoof your IP so that that the attack appears to come
from another source, thus helping you evade IP capture during forensic
analysis. This is a relatively simple task in Linux and it’s done with the
ifconfig command.

Changing Your IP Address

To change your IP address, enter ifconfig, followed by the interface you
want to reassign and the new IP address you want to be assigned to that
interface. For example, to assign the IP address 192.168.181.115 to
interface eth0, you would enter the following:
Kali >ifconfig eth0 192.168.181.115
kali >
When you do this correctly, Linux will go back to the command prompt
and say nothing. This is a good thing! Then, when you again check your
network connections with ifconfig, you should see that your IP address has
changed to the new IP address you just assigned.

Changing Your Network Mask and Broadcast Address

You can also change your network mask (netmask) and broadcast address
with the ifconfig command. For instance, if you want to assign that same
eth0 interface with a netmask of 255.255.0.0 and a broadcast address of
192.168.1.255, you would enter the following:
Kali >ifconfig eth0 192.168.181.115 netmask 255.255.0.0 broadcast
192.168.1.255
kali >
Once again, if you’ve done everything correctly, Linux responds with a
new command prompt. Now enter ifconfig again to verify that each of the
parameters has been changed accordingly.

Spoofing Your MAC Address

You can also use ifconfig to change your MAC address. The MAC address
is globally unique and is often used as a security measure to keep hackers
out of networks —or to trace them. Changing your MAC address to spoof
a different MAC address is almost trivial and neutralizes those security
measures. Thus, it’s an instrumental technique for bypassing network
access controls. To spoof your MAC address, use the ifconfig command’s
down option to take down the interface (eth0 in this case). Then enter the
ifconfig command followed by the interface name (hw for hardware, ether
for Ethernet) and the new spoofed MAC address. Finally, bring the
interface back up with the up option for the change to take place.

IP Addresses assignment

Linux has a Dynamic Host Configuration Protocol (DHCP) server that
runs a daemon, a process that runs in the background, called dhcpd or the
dhcp daemon. The DHCP server will carry out the assignment of IP
addresses to all of the systems that are located on the subnet. It also keeps
a log of which IP address is allocated to which machine at any one time.
This makes it an excellent resource for forensic analysts to trace hackers
after an attack. For that reason, it’s useful to understand how the DHCP
server works. Usually, to connect to the internet from a LAN, you must
have a DHCP-assigned IP.
Therefore, after setting a static IP address, you must return and get a new
DHCP-assigned IP address. To do this, you can always reboot your system,
but I will show you how to retrieve a new DHCP without having to shut
your system down and restart it. To request an IP address from DHCP, all
that is required is to call the DHCP server using dhclient, followed by an
interface that you wish to assign the address. The different Linux distros
use different DHCP clients. Kali, for instance, is based on Debian that
uses dhclient.

Manipulating the Domain Name System (DNS)

Hackers can find a treasure trove of information on a target in its Domain
Name
System. This is a key element of the internet and although it’s designed to
translate domain names to IP addresses, a hacker can use it to garner
information on the target.

Examining DNS with dig

DNS is the service that translates a domain name like google.com to the
appropriate IP address. This way, your system knows how to get to it.
Without DNS, it would mean that we would be required to remember the
thousands of IP addresses that belong to the websites we visit frequently.
Dig is one of the commands any aspiring hacker needs to know. It offers a
way to gather DNS information about a target domain. The stored DNS
information can be a crucial piece of early reconnaissance to obtain before
attacking. This information could include the IP address of the target’s
nameserver (the server that translates the target’s name to an IP address),
the target’s email server and potentially any subdomains and IP addresses.
You can also use the dig command to get information on email servers
connected to a domain by adding the mx option (mx is short for mail
exchange server). This information is critical for attacks on email systems.

Changing Your DNS Server

In some cases, you may want to use another DNS server. To do so, you will
edit a plaintext file named /etc/resolv.conf on the system. Open that file in
a text editor. Then, on your command line, enter the precise name of your
editor, followed by the location of the file and the filename.

Wi-Fi Networks

Firstly, let us look at WiFi. Before doing so, here is a small introduction to
the various WiFi security protocols that usually are frequently used. The
original, Wired Equivalent Privacy (WEP), was severely flawed and easily
cracked. Its replacement, WiFi Protected Access (WPA), was a bit more
secure. Finally, WPA2PSK, which is much more secure and uses a
preshared key (PSK) that all users share, is now used by nearly all WiFi
AP’s (except enterprise WiFi).

Basic Wireless Commands

fconfig
To perform a network interface configuration in Unix-based operating
systems, one needs ifconfig. It is an administration utility that is found in
the system. Ifconfig has utilities that are utilized in the configuration,
querying and controlling of the parameters of the TCP/IP interface. As an
interactive tool, ifconfig can be used to show settings of the network
interface and analyze them.
In summary, ifconfig does the following:
The command enables the viewing of settings of a network;
Carrying out enabling of a network Interface and also disabling
it;
Network Interface IP address assigning ;
Assigning network interfaces a netmask ;
Allocating a Broadcast to Network Interface;
Assigning an IP, Netmask and Broadcast to Network Interface;
Changing MTU for a Network Interface;
Enabling and disabling Promiscuous Mode;
Addition and removal of New Alias to Network Interface;
Changing the MAC address of Network Interface.

iwevent

This command displays Wireless Events received through the RTNetlink
socket. Each line shows the specific Wireless Event, which describes what
has happened on the specified wireless interface. This command doesn't
take any arguments.

iwlist

This command can be used for scanning wireless networks available and
also for displaying any other information about the wireless networks
which are not displayed when the iwconfig command is used. Iwlist is
utilized in the generation of wireless access points that are nearby together
with their SSIDs and their MAC addresses.

iwspy

This command is used for monitoring nodes in a network. It can also be
used for recording the link quality of the nodes.

ifrename

This command is used for renaming wireless network interfaces depending
on multiple criteria that are static to allocate names consistently to each
interface. The interface names usually are dynamic by default. This
command helps users decide the name of the network interface.

iwgetid

This is used in the reporting of the NWID, ESSID or address of the access
point of the wireless network presently being used. By default, iwgetid
will display the devices’ ESSID. Suppose that it is unavailable, it will
output its NWID instead. The information reported is the same as the one
shown by iwconfig. In comparison, it is easier to do integration in various
scripts.

Detecting and Connecting to Bluetooth

In recent times, nearly all gadgets, systems and devices have inbuilt
Bluetooth. The devices can be computers, iPods, smartphones, speakers,
game controllers, keyboards, tablets, among others. The ability to break
into Bluetooth networks can result in the compromising of the information
on the device, assuming a devices’ control and acquisition of a platform to
transmit privileges information from and to the device, among other
things. We, therefore, need to understand how Bluetooth works if we are to
exploit this technology. From this book, you will be able to acquire some
basic knowledge that will come in handy during the scanning and
connecting to Bluetooth devices in preparation for hacking them.

How Bluetooth Works

First, we can define Bluetooth as a wireless communication technology
that enables devices to transmit voice or data wirelessly. This happens
over a relatively short distance. This technology was meant to replace the
ubiquitous cables that were being used to connect devices while still
securing the communications across them. The process of joining two
Bluetooth devices is known as pairing. Pretty much any two devices can
pair if they are set to a discoverable mode. In the discoverable mode, a
Bluetooth device will broadcast the following information about
themselves:
Technical information
Name
List of services
Class
Upon pairing, two Bluetooth devices will exchange a link key. The devices
will store the key to be used in the identification of the other device in
future pairings. Every device has a unique identifier and usually a
manufacturer-assigned name. These will be useful pieces of data when we
want to identify and access a device.

Bluetooth Scanning and Reconnaissance

Linux has an implementation of the Bluetooth protocol stack called BlueZ
that we are going to use to scan for Bluetooth signals. Most Linux
distributions, including Kali Linux, have it as an inbuilt feature by default.
BlueZ possesses utilities that can help us scan and manage Bluetooth
capable devices. Examples of the utilities are outlined below:
hciconfig: this is an equivalent of ifconfig in Linux, but made
for Bluetooth capable devices.
hcitool: this is a tool that we use to perform inquiries. The
inquiries can be the device ID, name, class or even its clock
information. This helps the devices to work in sync.
hcidump: sniffing of Bluetooth communications is carried out
by this tool, it, therefore, gives us a chance to capture data that
is being sent over the Bluetooth signal.
The first scanning and reconnaissance step with Bluetooth is to check
whether the Bluetooth adapter on the system that we are using is
recognized and enabled so we can use it to scan for other devices.

Scanning for Bluetooth Devices with hcitool

Now that we know our adapter is up, we can use another tool in the BlueZ
suite called hcitool, which is used to scan for other Bluetooth devices
within range.
With the simple scan command, we can find out Bluetooth devices that are
transmitting using their discover beacons. That is, the devices set to their
discovery mode. Most of the tools for Bluetooth hacking you are likely to
encounter will be using these commands in a script. You should be able to
create your tools from these commands using Python script or even bash
script.

Using the sdptool to scanning for services

The service discovery protocol, SDP, as it is commonly known, is a
protocol of Bluetooth that is used in the searching of Bluetooth services
(Bluetooth is a suite of services), and, helpfully, BlueZ provides the
sdptool tool for browsing a device for the services it offers. It is also
important to note that the device does not have to be in discovery mode to
be scanned. The syntax is as follows:
sdptool browse MACaddress

seeing Whether the Devices Are Reachable with l2ping

Once we have gathered the MAC addresses of all nearby devices, we can
send out pings to these devices, whether they are in discovery mode or not,
to see whether they are in reach. This lets us know whether they are active
and within range. To send out a ping, we use the l2ping command with the
following syntax:
l2ping MACaddress

Summary

Wireless devices represent the future of connectivity and hacking. Linux
has developed specialized commands for scanning and connecting to Wi-
Fi APs in the first step toward hacking those systems. The aircrack-ng
suite of wireless hacking tools includes both airmon-ng and airodump-ng,
which enable us to scan and gather vital information from in-range
wireless devices. The BlueZ suite includes hciconfig, hcitool and other
tools capable of scanning and information gathering, which are necessary
for hacking the Bluetooth devices within range. It also includes many
other tools worth exploring.