Network reconnaissance techniques for beginners

In this excerpt of 'How Cybersecurity Really Works,' author Sam Grubb breaks down common network reconnaissance techniques used by adversaries to attack wired networks.

Most cybersecurity programs cover myriad academic topics, such as emerging technologies and niche architectures. But when it comes to real-world infosec knowledge, the curricula can come up short. That's according to Sam Grubb, consultant at Edafio Technology Partners and former cybersecurity instructor for both the National Guard and high school students. To equip prospective cybersecurity practitioners for a SOC career, Grubb said, they need to know the "boring" topics, too.

In his upcoming book, How Cybersecurity Really Works: A Hands-On Guide for Total Beginners, published by No Starch Press, Grubb presents the basics of offensive and defensive security. The first two chapters cover what cybersecurity is -- and isn't -- and the attacker methodology, beginning with reconnaissance techniques to the command-and-control phase. Each subsequent chapter details a common attacker tactic -- such as phishing scams, malware infections and network tapping -- and concludes with a hands-on exercise for beginners to test what they've learned.

How Cybersecurity Really Works aims to help beginners understand how to prevent and mitigate attacks by explaining how they work through the attacker's mindset. For example, the same network reconnaissance techniques used by bad actors to exploit vulnerabilities can be used by security practitioners to proactively find and mitigate flaws.

The following excerpt of Chapter 6, "Network Tapping," explores how hackers use network reconnaissance techniques, including port scans and packet sniffing, to conduct common attacks.

In this Q&A, author Sam Grubb discusses the importance of comprehensive and accessible cybersecurity education and offers advice to industry newcomers.

Attacking Your Network

Black hats use a variety of techniques to attack your network, depending on their goals. Network attacks often focus on gaining access to the network to see traffic or steal data. This means they must connect into the network between the packets your system sends and the destination of those packets so they can see the data being sent. Adversaries also often attack the network directly. These attacks usually revolve around trying to find ways to shut down network usage so the victim can't use their network the way they normally would.

Either way, the black hat's primary goal is to understand the network in the first place. Adversaries use many reconnaissance techniques to learn about their victims before they start their attacks. One common method they use is to do a port scan, which involves sending requests to every possible port on an IP address and then observing how the device at that address responds. Based on these responses, the attacker can determine a lot of information about the system. For example, if an IP address responds when the black hat scans ports 80 and 443, the attacker knows those ports are open and that the server is likely running web services of some sort. An adversary can use that information to attack the server directly or to trick other systems into thinking they're a friendly system. Port scans provide attackers with valuable information, making it much easier for them to craft different network attacks.

 How Cybersecurity Really Works book coverClick here to learn more
about How Cybersecurity
Really Works by Sam Grubb.

How Black Hats See Your Traffic

Packets provide attackers all sorts of details, including what devices they pass through, where a device is located, and what protocols a device is using, not to mention the data held within the packet. When an adversary (or anyone for that matter) intercepts traffic as it moves through the network, it's called sniffing. Like a hound dog on a trail, adversaries pick up bits and pieces of the traffic that travels through the network and reconstruct what they need from it.

On wired networks, sniffing can be difficult for attackers to accomplish, because networks are designed to send traffic to the intended recipient only. This means that the attacker must figure out a way to circumvent that design to make the traffic come to them. You'll see how they do this on wireless networks in Chapter 8. On wired networks, black hats can do this in a few different ways.

One method is by adding their hardware to the network. If you can connect your own physical device, the device can scan and copy that traffic as it passes through the network. So how does an attacker sneak a router or switch onto a network without anyone noticing? Although it would be difficult to do that, adversaries often use a much smaller device called a network tap, which is designed specifically for this purpose. Figure 6-2 shows an example of a network tap. The tap connects to the infrastructure already in place on a network and copies traffic that passes through it.

Photo of a network tap
Figure 6-2: A network tap (image altered from the original created by Andrew Fresh under the Attribution 2.0 Generic [CC BY 2.0] license,

An adversary can also use a technique called IP spoofing in which they copy the IP address of a legitimate device on the network and imitate that device. Any traffic that was supposed to go to the device with the copied IP will go to the black hat as well. IP spoofing can trick you into connecting to a device, like a printer, that is actually an attacker.

A third method is to change where the traffic is being sent by altering the network settings. For example, by changing the default gateway on a device, a black hat can decide where traffic leaving the network goes. This allows them to direct traffic to a device they control so they can capture it.

Or an adversary could turn on port mirroring at a switch. Switches have numbered physical ports, or sockets you plug cables into. Typically, a switch has between 24 and 48 ports. Port mirroring tells the switch to copy all the traffic passing into or out of one port to another port. For example, if an adversary can turn on port mirroring at a switch, they can tell the switch to copy all the traffic coming in on port 1 to, say, port 22, where they've plugged in a device to capture it. Changing traffic settings usually requires a high level of access to accomplish, especially without network administrators noticing.

Another method an attacker can use is physically tapping the wire that traffic is passing through. How this is done depends on the type of wire used. For example, early networks often used a cable known as coax. It consisted of two copper lines wrapped in thick insulation. A special type of network tap called a vampire tap could pierce the insulation to physically connect two metal prongs (the teeth of the device) with the two copper wires, allowing the tap to record any traffic that traveled across. Figure 6-3 shows an example of a vampire tap.

Photo of a vampire tap
Figure 6-3: Example of a vampire tap (image modified from the original covered cover by the Attribution-ShareAlike 2.5 Generic [CC BY-SA 2.5] license,

Tapping fiber cables, which use pulses of light through glass tubes wrapped in insulation to send traffic, requires bending the cable and putting an unlit strain of fiber along the bend. When light goes through the bend, the unlit strand can grab some of the light, capturing the traffic.

The problem with these physical methods of traffic capture is that nearly all of them cause a loss in the signal along the cable. For example, bending the fiber cable increases the latency to the point that anyone monitoring the network would immediately realize something was wrong.

Man-in-the-Middle Attacks

Although using physical taps and changing network settings allow a black hat to see traffic in the network, making these techniques work requires a lot of setup. They're also difficult to hide, especially when they target larger businesses with dedicated IT staff who search for these types of attacks. Instead, adversaries can use a man-in-the-middle attack, which provides the same ability to read traffic without requiring physical access to the network.

In man-in-the-middle attacks, attackers place themselves in the traffic flow between their victim and the destination they're trying to reach. Instead of your traffic going directly to where you intended to send it -- a web server, for example -- it first goes to the attacker. The adversary can then read it, modify it, and pass it on to the destination. This allows attackers to capture your data and manipulate it for their own purposes. The worst part of these attacks is that they can be exceedingly difficult for the victim to detect. To the victim, everything looks like it's running correctly, albeit likely slower than normal. Figure 6-4 provides an example of a basic man-in-the-middle attack.

Diagram of a man-in-the-middle attack
Figure 6-4: An example of a man-in-the-middle attack

In this scenario, the black hat sends you a phishing email with what appears to be a legitimate link from your bank (1). When you click the link in the email, it takes you to the adversary's fake web server, where they've created a page that looks like your bank's website. You then enter your credentials on that website (2). The adversary receives the traffic you send the website and modifies it so it appears to be coming from the attacker's computer rather than yours. The attacker then sends it to the legitimate bank site (3) and gains access to your account (4). The attacker then sends you a 404 Not Found error, so you won't realize what happened (5).

Sam GrubbSam Grubb

About the author

Sam Grubb is a cybersecurity consultant at Edafio Technology Partners, a managed service provider that works with a large variety of clients. He has six years of experience teaching cybersecurity to both adults and teenagers and holds several cybersecurity certifications, including CISSP.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing