Conduct Network Reconnaissance
Excerpt from "Hunt Methodology" by Christian B.
Introduction
While you have gathered all of the network diagrams and vulnerability scan data to gain insight into the configuration of the network, understand that changes have likely been made to the network that are not reflected in your diagrams. When you arrive on a network it is important to conduct reconnaissance, baseline network traffic, and verify your findings with the network administrators.
Scanning the Network
The first thing you should do is conduct a series of ping sweeps and port scans of the network to build your own diagram and identify open ports across the network. Some of the open ports you find will not be needed; use the scan results to identify those unnecessary ports and make appropriate recommendations to the local administrators. These scans can be conducted in a variety of ways, including shell scripts, Nmap (Network Mapper), ZMap, and similar tools.
It may also be worthwhile, if possible, to ask the systems administrators to run an additional vulnerability scan so you can confirm that its results match the results initially provided to you.
Understand that none of these scans should be conducted without authorization from the mission owner. Before any scan is run, the analysts should also know the scan source, destinations, and switches used, so that your own scan traffic is not later mistaken for an anomaly in the sensor logs.
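As an added example (not part of the original excerpt), the following Python script parses Nmap's grepable (-oG) output, compares the open ports it reports against the port inventory the administrators provided, and recovers the exact command line Nmap recorded in its header, which documents the source, targets and switches the analysts need on record. The sample scan output, the expected inventory and all addresses are constructed for this example.

```python
"""Compare an Nmap grepable (-oG) scan against the administrator-provided port
inventory. Added example; the scan output, inventory and addresses below are
constructed, not taken from a real network."""
import re

# Constructed -oG output of the kind produced by:
#   nmap -sS -p 1-1024 -oG scan.gnmap 10.0.0.0/24
# Nmap writes the exact command line into the first header line, which is the
# record of the switches used that the analysts should have before the scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Tue Mar 12 10:00:00 2024 as: nmap -sS -p 1-1024 -oG scan.gnmap 10.0.0.0/24
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: 1021 closed ports
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: 1022 closed ports
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# Open ports according to the diagram the administrators provided (constructed).
EXPECTED_OPEN = {
    ("10.0.0.5", 22, "tcp"),
    ("10.0.0.5", 80, "tcp"),
    ("10.0.0.9", 445, "tcp"),
    ("10.0.0.9", 3389, "tcp"),
}

# One -oG port entry looks like  port/state/protocol/owner/service/rpcinfo/version/
# State can be "open", "closed", "filtered" or a combination such as "open|filtered".
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/")


def parse_open_ports(gnmap_text):
    """Return {(host, port, proto)} for every port Nmap reported as open.
    "open|filtered" is deliberately not treated as open; it needs follow-up, not trust."""
    open_ports = set()
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Fields in -oG lines are tab-separated; the Ports field ends at the next tab.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            m = PORT_RE.match(entry.strip())
            if m and m.group(2) == "open":
                open_ports.add((host, int(m.group(1)), m.group(3)))
    return open_ports


def scan_command(gnmap_text):
    """Recover the command line Nmap recorded in the -oG header, or None if absent."""
    for line in gnmap_text.splitlines():
        if line.startswith("# Nmap") and " as: " in line:
            return line.split(" as: ", 1)[1].strip()
    return None


def unexpected_open_ports(observed, expected):
    """Open ports the scan found that the inventory does not list: candidates for closure."""
    return sorted(observed - expected)


def missing_expected_ports(observed, expected):
    """Ports the inventory lists as open but the scan did not see open: verify with the admins."""
    return sorted(expected - observed)


if __name__ == "__main__":
    observed = parse_open_ports(SAMPLE_GNMAP)
    print("scan command:", scan_command(SAMPLE_GNMAP))
    for host, port, proto in unexpected_open_ports(observed, EXPECTED_OPEN):
        print(f"open but not in inventory: {host} {port}/{proto}")
    for host, port, proto in missing_expected_ports(observed, EXPECTED_OPEN):
        print(f"in inventory but not seen open: {host} {port}/{proto}")
```

Both directions of the comparison matter: a port that is open but not in the inventory is a candidate recommendation to the administrators, while a port the inventory lists but the scan did not find open means either the diagram is stale or the scan missed it, which is exactly the kind of discrepancy to verify with the administrators before relying on either source.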
Baselining Sensor Logs
On any given exercise or operation, your analysts could be sifting through millions of network and host logs. Their task can be made easier by filtering out redundant or non-anomalous logs as much as possible. Be aware, however, that over-filtering your logs can result in missing anomalous traffic.
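As an added example (not part of the original excerpt), the following Python code shows one way to apply the baselining idea without over-filtering: a flow is only treated as normal if it recurs on several distinct days of the baseline period, suppressed lines are kept for audit rather than discarded, and selected ports can be exempted from suppression. The log format, the `always_review` exemption and every log line are constructed for this example.

```python
"""Baseline known-good flows, then filter hunt-period logs with safeguards
against over-filtering. Added example; the log format and all lines are
constructed, not taken from a real sensor."""
from collections import defaultdict

# Constructed flow logs: "<timestamp> <src> <dst> <proto> <dport>"
# Three days of known-good traffic collected before the hunt.
BASELINE_LOGS = """\
2024-03-04T08:00:00Z 10.0.0.21 10.0.0.5 tcp 22
2024-03-04T08:05:00Z 10.0.0.22 10.0.0.5 tcp 80
2024-03-05T08:01:00Z 10.0.0.21 10.0.0.5 tcp 22
2024-03-05T09:10:00Z 10.0.0.22 10.0.0.5 tcp 80
2024-03-05T09:11:00Z 10.0.0.30 10.0.0.9 tcp 445
2024-03-06T08:02:00Z 10.0.0.21 10.0.0.5 tcp 22
2024-03-06T08:07:00Z 10.0.0.22 10.0.0.5 tcp 80
"""

# Constructed logs from the hunt period that the analysts have to review.
HUNT_LOGS = """\
2024-03-11T08:00:00Z 10.0.0.21 10.0.0.5 tcp 22
2024-03-11T08:03:00Z 10.0.0.22 10.0.0.5 tcp 80
2024-03-11T08:09:00Z 10.0.0.30 10.0.0.9 tcp 445
2024-03-11T02:14:00Z 10.0.0.5 198.51.100.7 tcp 443
2024-03-11T08:20:00Z 10.0.0.21 10.0.0.5 tcp 23
"""


def parse_flows(text):
    """Yield (day, (src, dst, proto, dport)) for each log line."""
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        yield ts[:10], (src, dst, proto, int(dport))


def build_baseline(text, min_days=2):
    """Flows seen on at least `min_days` distinct days during the baseline window.
    A flow seen only once is not blessed as normal: it may itself be the anomaly
    that was already present when the baseline was taken."""
    days_seen = defaultdict(set)
    for day, flow in parse_flows(text):
        days_seen[flow].add(day)
    return {flow for flow, days in days_seen.items() if len(days) >= min_days}


def filter_logs(text, baseline, always_review=frozenset()):
    """Split hunt-period lines into (kept, suppressed).
    Suppressed lines are returned, not discarded, so the analysts can audit what
    the filter removed. Flows to any port in `always_review` are never suppressed
    (an assumed exemption list, e.g. services that should not normally be used)."""
    kept, suppressed = [], []
    for line in text.splitlines():
        _, flow = next(parse_flows(line))
        if flow in baseline and flow[3] not in always_review:
            suppressed.append(line)
        else:
            kept.append(line)
    return kept, suppressed


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    kept, suppressed = filter_logs(HUNT_LOGS, baseline)
    print(f"baseline flows: {len(baseline)}, kept: {len(kept)}, suppressed: {len(suppressed)}")
    for line in kept:
        print("REVIEW", line)
```

On the constructed data the 445/tcp flow was seen on only one baseline day, so it is not suppressed and stays in the review queue; raising `min_days` makes the filter more conservative, lowering it (or setting it to 1) is where over-filtering starts. Keeping the suppressed lines, even if only as counts per baseline flow, is the check that tells you how much of the traffic the filter is hiding.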