From the course: CompTIA PenTest (PT0-002) Cert Prep

Scanning and enumeration

- So after investing so much time and effort in developing a comprehensive plan, it's time for us to move ahead in the process. And the next step of the process is to survey our environment and determine where the weak spots are. So the next objective is 2.0, and you'll remember that it is worth 22% of the overall question weight. In other words, that means that 22% of the questions that you'll get on the exam will be from this one domain. It's not the biggest domain, but it's the second biggest, so it's really, really important. So let's talk about how we assess our environment, our target environment, and determine where we want to poke it to look for vulnerabilities.

So the first strategy in determining what's out there and what we might want to attack is basically scanning. So scanning is a first step in information gathering. It is a process of looking at a bunch of things out there to determine their characteristics. So we're basically surveying our network environment to see what's there and what we can attack. And now scanning can actually include more than just network resources, but we're going to focus primarily on just automated scanning. It's commonly used in the pen testing process to uncover target vulnerabilities. Before we can really uncover the vulnerabilities, we've got to find out what the targets are to start with. And there are many different types of scan targets: there are networks, there are network devices, which may or may not be computers, but then there are computers themselves, and then there can be applications and services. Now those are the sub-areas of scanning that you'll encounter most frequently on the exam and in pen testing in general. But don't forget that you could be "scanning" for physical vulnerabilities as well. So part of your scanning may actually include walking up and looking for gates that are just open and not locked. But we're going to focus right now on the technical aspect of scanning.
Once you have scanned your environment and have an idea of what's out there, you move to the next phase, which is called enumeration. Enumeration is counting the detected instances of some target class. What that basically means is that if you have a bunch of servers, you can't really attack "a bunch of servers"; you need to know how many servers are out there and what types they are. So you want to start creating a list of assets that may contain vulnerabilities. And there are different types of target classes out there: there are hosts or nodes on the network, which could include networks themselves, actually, domains, users or groups. So each of these is a different class of target we may want to attack. There are also network shares. So don't forget that even though we're looking across a network, we're not necessarily looking for specific devices or hosts; it could be network shares, which refer to linked resources that live on some other network host, perhaps. We also could be looking for web pages or applications or services or tokens or even social networking sites. These are all potential targets, and each type of target may have different vulnerabilities. So when we are enumerating, we want to also classify the targets that we encounter so that we can then explore further and determine whether each one of these guys has vulnerabilities, 'cause clearly if you run into a Windows server, that's going to be completely different from a web server running Apache under Linux. They're going to have different vulnerabilities, and we may want to bring that together with an attack on a user's Facebook page, perhaps. So we're looking at totally different types of entities and different types of potential vulnerabilities. So let's take a look at how we might scan and enumerate some of our targets.
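The lecture defines enumeration as counting and classifying the detected instances of each target class. The following is an added example, not code from the course or its exam materials, that turns scan output into exactly that kind of classified asset list. It parses constructed lines written in the style of nmap's greppable (-oG) output; the addresses, hostnames and version strings are made up, and the service-to-class mapping is an assumption of this example, chosen to mirror the classes the lecture names (hosts, network shares, web applications and services).

```python
"""Build an enumeration list (targets grouped and counted by class) from scan output."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample in the style of nmap's greppable (-oG) output.
# Every address, hostname and version here is made up for this example.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample, not real output)
Host: 10.0.0.5 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/open/tcp//https//Apache httpd 2.4.52/\tIgnored State: closed (997)
Host: 10.0.0.12 (fs01.example.test)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds//Windows Server 2019/\tIgnored State: filtered (998)
Host: 10.0.0.20 (db01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: closed (998)
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//Cisco SSH 1.25/, 80/closed/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.30 ()\tStatus: Up
"""

# Assumed mapping from the service name a scanner reports to the target class
# the lecture would put it in. Anything not listed becomes "other service".
SERVICE_CLASSES = {
    "http": "web server",
    "https": "web server",
    "microsoft-ds": "network share (SMB)",
    "netbios-ssn": "network share (SMB)",
    "mysql": "database service",
    "postgresql": "database service",
    "ms-sql-s": "database service",
    "ssh": "remote administration service",
    "telnet": "remote administration service",
    "ms-wbt-server": "remote administration service",
}


@dataclass
class Target:
    address: str
    hostname: str
    services: list = field(default_factory=list)   # (port, service, version)
    classes: set = field(default_factory=set)      # every class this target belongs to


# "Host: <addr> (<name>)" at the start of a line.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# One "port/state/proto/owner/service/rpcinfo/version/" entry; owner and rpcinfo are empty here.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_greppable(text):
    """Parse -oG style lines into Target objects, recording only open ports."""
    targets = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a host record
        addr, name = m.group(1), m.group(2)
        t = targets.setdefault(addr, Target(addr, name))
        t.classes.add("host")  # every live address is at least a host-class target
        if "Ports:" in line:
            for port, state, _proto, svc, ver in PORT_RE.findall(line.split("Ports:", 1)[1]):
                if state != "open":
                    continue  # closed/filtered ports are not attack surface to enumerate
                t.services.append((int(port), svc, ver))
                t.classes.add(SERVICE_CLASSES.get(svc, "other service"))
    return list(targets.values())


def enumerate_targets(targets):
    """Count detected instances per target class (one count per host per class)."""
    counts = Counter()
    for t in targets:
        counts.update(t.classes)
    return counts


def group_by_class(targets):
    """The enumeration list itself: which addresses fall into which class."""
    groups = defaultdict(list)
    for t in targets:
        for c in sorted(t.classes):
            groups[c].append(t.address)
    return dict(groups)


if __name__ == "__main__":
    found = parse_greppable(SAMPLE_SCAN)
    for cls, n in sorted(enumerate_targets(found).items()):
        print(f"{n:3d}  {cls}")
    for cls, addrs in sorted(group_by_class(found).items()):
        print(f"{cls}: {', '.join(addrs)}")
```

Run as a script, it prints the per-class counts and then the addresses in each class. The point the lecture makes shows up directly in the output: one host can sit in several classes at once (the database host is both a "host" and a "remote administration service" target), so the follow-up checks for vulnerabilities are chosen per class, not per address.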
