Active vs. Passive Network Scanning

TheCyberBasics
3 min read · May 19, 2021

Performing a network scan is an essential task in a penetration test. It helps the tester understand the environment they are working against, and it gives the employer or client a picture of how much information about them is readily available to an outsider. There are two primary categories of network scanning: passive and active.

Passive Network Scanning

In a passive scan, the tester does not send packets to any port or service on the target's own hosts; the information comes from third parties (public DNS servers, search engines) or from traffic that is already flowing on the network. Typical tasks in passive scanning include

  • DNS reconnaissance
  • Simple packet monitoring and inspection
  • Using open-source intelligence (OSINT)

DNS reconnaissance starts from a domain name or an IP address and gathers the DNS records associated with it: other hostnames, mail and name servers, and reverse (PTR) mappings. Keep in mind that these lookups still reach a name server, often the target's own authoritative servers, so while they touch no service on the target hosts, a large subdomain brute force is far from invisible. There are many tools to aid in this research; here are a few of the common ones:

  • nslookup: built into most operating systems, nslookup resolves a hostname (or fully qualified domain name, FQDN) to the IP addresses associated with it and returns every address if the host has several. With the -type option you can ask for specific record types (MX, NS, SOA, TXT and so on) instead of just A records.
  • dig: found on most Linux/Unix-style systems (it ships with the BIND DNS package, usually as dnsutils or bind-utils), dig does the same job as nslookup with finer control over the query and a machine-friendly output format. It is the preferred name-resolution tool on Linux.
  • dnsrecon: available as part of the standard Kali Linux distribution, dnsrecon runs standard record enumeration against a domain, can query multiple name servers, attempts zone transfers (AXFR), and brute forces subdomains from a wordlist.
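To make concrete what nslookup and dig actually do on the wire, here is an added example (not from the original post) of a minimal DNS client built only on Python's standard library: it builds a query for a name and record type, and parses the answer section of the reply, following name-compression pointers the way dig does. The resolver address 1.1.1.1 and the target example.com are assumptions; query() only sends traffic when you run the script directly, while build_query() and parse_response() work on bytes and need no network.

```python
import random
import socket
import struct

# Record types this client decodes; the ones a recon run asks for first.
RR_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
RR_NAMES = {v: k for k, v in RR_TYPES.items()}


def encode_name(name):
    """'mail.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """12-byte header (RD bit set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RR_TYPES[rtype], 1)  # class IN


def read_name(msg, off):
    """Decode a name at `off`, following compression pointers; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer into an earlier name
            if not jumped:
                end = off + 2                           # the pointer itself is 2 bytes
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_response(msg, expected_txid=None):
    """Return [(name, type, ttl, data)] from the answer section; raise on a DNS error code."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF} (3 = NXDOMAIN)")
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            data = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            data = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in (2, 5):                           # NS, CNAME: a (possibly compressed) name
            data, _ = read_name(msg, off)
        elif rtype == 15:                               # MX: 16-bit preference + exchange name
            data = f"{struct.unpack('!H', rdata[:2])[0]} {read_name(msg, off + 2)[0]}"
        elif rtype == 16:                               # TXT: first <len><chars> string only
            data = rdata[1:1 + rdata[0]].decode("ascii", "replace")
        else:
            data = rdata.hex()
        answers.append((name, RR_NAMES.get(rtype, str(rtype)), ttl, data))
        off += rdlen
    return answers


def query(name, rtype, resolver="1.1.1.1", timeout=3.0):
    """Send one query over UDP and parse the reply. The resolver address is an assumption."""
    txid = random.getrandbits(16)                       # random ID so a stray reply is rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rtype, txid), (resolver, 53))
        reply, _ = s.recvfrom(4096)
    return parse_response(reply, expected_txid=txid)


if __name__ == "__main__":
    for rtype in ("A", "MX", "NS"):                     # example.com is a placeholder target
        for rec in query("example.com", rtype):
            print(rec)
```

Running it prints the same records that dig +short example.com A, dig example.com MX and dig example.com NS would return. Replies larger than 512 bytes or marked truncated (the TC flag) need a retry over TCP, which dig does automatically and this client deliberately does not.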

Simple packet monitoring and inspection uses tools such as Wireshark and tcpdump to survey network traffic for potential weaknesses. Provided the capture interface actually sees the traffic of interest (promiscuous mode is enough on a hub or a wireless network, but a switch only forwards a host its own frames, so on a switched network you need a SPAN/mirror port or a network tap), a tester can spot unencrypted protocols such as FTP, Telnet or plain HTTP and lift credentials or session tokens straight out of them, which can lead directly to host compromise.
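As an added example of what "inspecting traffic for cleartext credentials" looks like in code (this is not from the original post), the script below runs a few checks over a constructed sample of captured TCP segments: an FTP USER/PASS pair, an HTTP Basic Authorization header, a form-based login POST, and an opaque TLS record that must not produce a finding. The addresses, usernames and passwords are all made up; in practice the same logic would be fed from a tcpdump capture opened with a pcap library.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """The fields of a captured TCP segment that the checks below need."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic standing in for a tcpdump/Wireshark capture; none of it is real.
SAMPLE_CAPTURE = [
    Packet("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 21, b"PASS hunter2\r\n"),
    Packet("10.0.0.7", "10.0.0.30", 80,
           b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
           b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.30", 80,
           b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"username=carol&password=Winter2021"),
    # Start of a TLS ClientHello: encrypted traffic yields nothing and must not trip the checks
    Packet("10.0.0.9", "10.0.0.40", 443, b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"),
]

FORM_USER = re.compile(r"(?:^|&)(?:user|username|login|email)=([^&\s]+)", re.I)
FORM_PASS = re.compile(r"(?:^|&)(?:pass|passwd|password)=([^&\s]+)", re.I)


def find_cleartext_credentials(packets):
    """Return (src, dst, protocol, 'user:password') for every credential sent in the clear.

    FTP sends USER and PASS in separate segments, so the last USER seen on a
    (src, dst) pair is remembered until its PASS arrives.
    """
    findings = []
    ftp_user = {}
    for p in packets:
        text = p.payload.decode("latin-1")   # 1:1 byte mapping, never raises on binary
        if p.dport == 21:
            m = re.match(r"USER (\S+)", text)
            if m:
                ftp_user[(p.src, p.dst)] = m.group(1)
                continue
            m = re.match(r"PASS (\S+)", text)
            if m:
                user = ftp_user.pop((p.src, p.dst), "?")
                findings.append((p.src, p.dst, "FTP", f"{user}:{m.group(1)}"))
        elif p.dport == 80:
            head, _, body = text.partition("\r\n\r\n")
            m = re.search(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", head, re.M)
            if m:
                try:
                    creds = base64.b64decode(m.group(1), validate=True).decode("utf-8")
                except ValueError:           # binascii.Error and UnicodeDecodeError both qualify
                    creds = "<undecodable>"
                findings.append((p.src, p.dst, "HTTP Basic", creds))
            pw = FORM_PASS.search(body)
            if pw:
                user = FORM_USER.search(body)
                findings.append((p.src, p.dst, "HTTP form",
                                 f"{user.group(1) if user else '?'}:{pw.group(1)}"))
    return findings


if __name__ == "__main__":
    for src, dst, proto, creds in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}  {proto:10s} {creds}")
```

The equivalent live capture filter for tcpdump would be something like tcpdump -i eth0 -A 'tcp port 21 or tcp port 80', and in Wireshark the display filters ftp.request.command == "PASS" and http.authorization surface the same packets; the point of scripting it is to run the check over a whole capture file rather than scrolling.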

Using open-source intelligence (OSINT). A tester can find a great deal simply by using public search engines such as Google. A popular technique is to employ "Google dorks", specially crafted searches tailored to return specific kinds of information about a target, often pages the owner never meant to expose. One building block is the site: operator, which restricts results to a single domain. For example, searching for:

site:medium.com blog

returns only pages on medium.com that match "blog". The Google Hacking Database (GHDB) is an entire site dedicated to such dorks, and many of them reveal surprising information: exposed configuration files, login portals, directory listings and the like.

Active Network Scanning

Switching gears completely, active network scanning deliberately sends traffic to specific ports and network services on the target in order to discover what is listening and to gather the details (versions, banners, configuration) needed to judge whether a vulnerability exists.

DISCLAIMER: It should go without saying, but do not perform active network scanning unless you have the system owner's written permission to perform that testing, and stay within the scope it grants.

Possibly the best tool for port scanning and service enumeration is nmap.

  • Nmap can probe all 65,535 TCP ports on a host for listening services and report back which are open and what service it believes is running on each. Note that a default scan only covers the 1,000 most common ports; use -p- for a full sweep, and -sU for a (much slower) UDP scan.

There are many tools available to automate port scanning using nmap, but my favorite is AutoRecon, written by Tib3rius.

Using the information provided by nmap, a tester can go on to enumerate the host for users and service-specific details, and begin to map out any web applications present on it.

Nmap provides several switches to aid in this research, and two of the most helpful are -sV and -sC. -sV turns on service/version detection: nmap sends probes to each open port and tries to identify the product and version behind it rather than just guessing from the port number. -sC runs the default set of Nmap Scripting Engine scripts against the ports it finds (it is equivalent to --script=default). Between the two, a tester gets a solid idea of what is actually running on the host, not merely which ports are open.
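The useful part of an nmap run is what you do with its output. As an added example (not from the original post or from the nmap project), the script below parses nmap's XML output (-oX) into a per-host list of open ports with the service, product and version that -sV found and the output of the -sC scripts, then derives the -p port list for a focused follow-up scan and the URLs to hand to a web directory brute forcer. The embedded XML is a constructed, trimmed sample of a scan of 10.10.10.5; the host, ports and versions are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -sC -oX scan.xml 10.10.10.5` output, trimmed to the
# elements used below. The host, ports and versions are made up for illustration.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 10.10.10.5">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.6p1 Ubuntu 4ubuntu0.3" method="probed" conf="10"/>
        <script id="ssh-hostkey" output="2048 SHA256:constructed-sample-fingerprint (RSA)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.29" method="probed" conf="10"/>
        <script id="http-title" output="Welcome to the intranet"/>
        <script id="http-server-header" output="Apache/2.4.29 (Ubuntu)"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Map each scanned IPv4 host to its open ports with service, version and script output."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are noise for the next step
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            entries.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "tunnel": get("tunnel"),      # nmap sets tunnel="ssl" for TLS-wrapped services
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
        hosts[addr.get("addr")] = entries
    return hosts


def port_spec(entries):
    """Comma-separated port list in nmap's -p syntax, for a focused follow-up scan."""
    return ",".join(str(e["port"]) for e in sorted(entries, key=lambda e: e["port"]))


def web_targets(hosts):
    """URLs for every http/https service, ready to hand to a directory brute forcer."""
    urls = []
    for ip, entries in hosts.items():
        for e in entries:
            if e["service"] in ("http", "https"):
                scheme = "https" if e["service"] == "https" or e["tunnel"] == "ssl" else "http"
                urls.append(f"{scheme}://{ip}:{e['port']}/")
    return urls


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for ip, entries in hosts.items():
        print(f"{ip}: open ports {port_spec(entries)}")
        for e in entries:
            print(f"  {e['port']}/{e['proto']} {e['service']} {e['product']} {e['version']}".rstrip())
            for sid, out in e["scripts"].items():
                print(f"      [{sid}] {out}")
    print("web targets:", web_targets(hosts))
```

The flow this supports is the usual two-stage one: a fast full-range sweep first (for example nmap -p- --min-rate 1000 -oG all_ports.gnmap <host>), then -sV -sC only against the ports that came back open, saved with -oX so the result can be parsed like this instead of read by eye.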

Web content is a little different, and there are many tools to aid in that research as well.

  • Gobuster is a directory and file brute-forcing tool written in Go that fills the same role as the older DirBuster but runs considerably faster; it also has modes for brute forcing DNS subdomains and virtual hosts.
  • Burp Suite's proxy lets a tester intercept requests on their way to the server and modify them, in order to bypass client-side security measures, brute force login credentials, or test the web application's functionality for vulnerabilities.

Thank you for reading this quick overview of the differences between passive and active network scanning. If you enjoyed it, please share, and if there are any questions, please don't hesitate to comment.

TheCyberBasics

Providing tutorials for the basics of programming and cyber security