The first stage of any attack is "reconnaissance": scanning the victims looking for ways into their systems.
The purpose of this stage is to map out the target network and systems. The hacker will try to list all the systems on the network, then try to list all the holes available on the target systems.
In order to map the target network, the hacker will try:
- ping sweep: finds out which machines respond by pinging them.
- DNS zone transfer: finds out all the machines that are listed in the DNS server, which often includes machines outside the company's address range (colocated at hosting sites).
- whois: queries the InterNIC for assigned addresses and names.
Once the hacker has a list of systems, he/she will scan the system looking for possible entry points into the system:
- TCP or UDP port scan: the hacker looks for "listening" or "open" ports. This is a list of programs on the system that will respond to network requests.
- Sun or Microsoft RPC port/end-point dump: lists all the RPC programs running on the system. This supplements a port scan by identifying the services running at ports.
- showmount -e target: will list the "shares" or "exports" of the NFS server.
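Both the host-mapping techniques above (ping sweep) and the per-host probing (port scan) leave a characteristic fan-out pattern in firewall or router logs: one source touching many hosts with ICMP, or one source touching many ports on one host, within a short window. The following detector, added here as an example rather than code from the original page, parses a constructed sample log in an assumed "timestamp proto src dst dport" layout and flags those patterns; the thresholds and window length are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from any real system); the
# "timestamp proto src dst dport" layout is an assumption made for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:00 ICMP 203.0.113.5 192.0.2.1 -
2024-01-01T10:00:01 ICMP 203.0.113.5 192.0.2.2 -
2024-01-01T10:00:01 ICMP 203.0.113.5 192.0.2.3 -
2024-01-01T10:00:02 ICMP 203.0.113.5 192.0.2.4 -
2024-01-01T10:00:02 ICMP 203.0.113.5 192.0.2.5 -
2024-01-01T10:00:10 TCP 203.0.113.5 192.0.2.3 21
2024-01-01T10:00:10 TCP 203.0.113.5 192.0.2.3 22
2024-01-01T10:00:11 TCP 203.0.113.5 192.0.2.3 111
2024-01-01T10:00:11 TCP 203.0.113.5 192.0.2.3 2049
2024-01-01T10:00:12 TCP 203.0.113.5 192.0.2.3 80
2024-01-01T10:05:00 TCP 198.51.100.7 192.0.2.3 443
"""
LINE_RE = re.compile(r"^(\S+) (ICMP|TCP|UDP) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Parse log lines into (time, proto, src, dst, dport); malformed lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, proto, src, dst, dport = m.groups()
        events.append((datetime.fromisoformat(ts), proto, src, dst, None if dport == "-" else int(dport)))
    return events

def max_distinct_in_window(time_keys, window):
    """Largest number of distinct keys seen from one source inside any window-long span."""
    tk = sorted(time_keys, key=lambda x: x[0])
    return max(len({k for t, k in tk[i:] if t - t0 <= window}) for i, (t0, _) in enumerate(tk))

def detect_recon(events, window=timedelta(seconds=60), min_hosts=5, min_ports=5):
    """Flag a source as sweeping (many ICMP targets) or scanning (many ports on one host)."""
    icmp, tcpudp = defaultdict(list), defaultdict(list)
    for t, proto, src, dst, dport in events:
        if proto == "ICMP":
            icmp[src].append((t, dst))             # one echo request per target host
        else:
            tcpudp[(src, dst)].append((t, dport))  # one probe per destination port
    findings = defaultdict(list)
    for src, tk in icmp.items():
        if (n := max_distinct_in_window(tk, window)) >= min_hosts:
            findings[src].append(f"ping sweep: {n} hosts in {window.seconds}s")
    for (src, dst), tk in tcpudp.items():
        if (n := max_distinct_in_window(tk, window)) >= min_ports:
            findings[src].append(f"port scan of {dst}: {n} ports in {window.seconds}s")
    return dict(findings)
```

Running `detect_recon(parse(SAMPLE_LOG))` flags only 203.0.113.5 (five hosts pinged, then five ports probed on 192.0.2.3), while the single HTTPS connection from 198.51.100.7 stays below both thresholds.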