Home > Articles > Cisco > CCNP Security

This chapter is from the book

Threat Types

Whether it comes at you from the outside or from within, the threat to your network can take one of four broad forms:

  • Reconnaissance

  • Unauthorized access

  • Denial of service (DoS)

  • Data manipulation


You can expect to see a number of questions related to threat types when you take the actual exam. The questions might require you to recognize the category in which a threat belongs, as well as know the names of the types. You should review this section's key points before taking the exam.


Reconnaissance is a word that evokes thoughts of war and military observers scanning for targets through binoculars and then placing the acquired target information on maps used to plan the attack. The analogy is apt; network reconnaissance is indeed the unauthorized discovery, mapping, and monitoring of the systems and services in a network, along with probing for their vulnerabilities. To do all this, an unauthorized person uses target discovery, network commands, ping sweeps and port scans, eavesdropping, and information theft.

Target Discovery

Finding out what is available to be attacked starts at the very broad level: domain names and IP address blocks. The discovery process gradually narrows the target definition, expanding the names and narrowing the address ranges until the person has individual hostnames and addresses.

Certain targets are easier to discover than others because some are required to be publicly listed. For instance, DNS records must list the publicly accessible servers and their addresses so that the public can access them (name resolution must work). But if you create the hypothetical BillyBong Corporation and obtain a registered block of addresses, that block can be learned via the Registry. (Regional Internet Registries are ARIN, RIPE, APNIC, and LACNIC; AfriNIC has been proposed but not yet accepted by ICANN at this time.)

What Can Hackers Really Learn?

How much can a hacker really learn about you, starting from an Internet Registry? Let's take a look. From my firewall log, I see that has been trying to connect to my network on port 445 (microsoft-ds, one of the most frequently tested ports). Because I'm in North America, I first try ARIN, http://www.arin.net, and enter the address in the whois search window.

From the output, I see that the address belongs to AT&T Worldnet Services, which owns the entire 12/8 (Class A) address block. I see the names of four name servers (DNS servers). Aha! I ping the name of one of them and discover that it uses an address in the block. This means that AT&T has another address block for me to investigate. Pinging the other three name servers shows me that AT&T runs dual name servers on two different networks, clearly using redundancy.

The ARIN information listing also gives me names, telephone numbers, and addresses, always a help if I'm inclined toward social engineering (more on that coming up).

If I'm running a DNS server myself, as many skilled hackers do, I can interrogate AT&T's name server and try for more information. If I'm lucky, I can even manage a zone transfer and pull in the whole set of public addresses for the servers. Alternatively, I can open a Telnet session to a mail server on port 25 (mail servers tend to use fairly standardized names, so I can guess at that, if I have to). The server obligingly replies with an SMTP informational message stating its name and the name and version of the software it is running (assuming that the banner it sends is real—I know of one service that deliberately lies in its banner, to misdirect hackers).

By the way, opening a Telnet session on port 25 or port 110 was the troubleshooting advice that an ISP's help desk gave me when I called to complain about problems retrieving my mail. They assumed that I really had an email account with them, I suppose.

A wealth of information really is obtainable about publicly accessible networks. And the reasonably skillful hackers start by getting as much of it as they can.

Network Commands

When a hacker has a notion of addresses and names, it's time to do some serious probing. Simple utilities built into the TCP/IP stack are where most hackers start:

  • ping (more on this perennial favorite coming up)

  • traceroute (or tracert, for Windows)

  • whois

  • finger

  • telnet

  • dig

  • nmap

  • nslookup

  • rusers (and all the other Unix "r commands," such as rlogin, rcp, and rexec)

  • rpcinfo

Some of these utilities are not found in systems running the various versions of Microsoft Windows, but they are generally present in Unix and Unix-derived systems (such as Linux, OpenBSD, or FreeBSD).

Ping Sweeps and Port Scans

Network mapping is much easier when it can be automated. People become bored and make silly mistakes manually repeating a command, but, of course, a computer never gets bored and (essentially) never makes mistakes (although code can become corrupted). Ping sweeps check for a reply (an ICMP Echo) from a series of addresses, and scripts to run such a sweep are easily located. Commercial versions are available for network management (as a way to discover unauthorized hosts surreptitiously added to your network); ping sweep scripts also are available at hacker Web sites (run an Internet search for "warez," for example).

Port scans test a given address across a range of commonly open ports or across a set range of ports (or even across all 65,535 TCP ports and 65,535 UDP ports, for those so inclined). Most hackers do not scan all possible ports, for two logical reasons. First, it takes some time, and repeated probes for an open port from a single address are likely to get the ISP a phone call, costing the hacker her access. Second, not every port is vulnerable, whereas some ports are almost always open—and putting the effort where the reward is likely to be found is as typical of a hacker as it is of anyone else.

Commonly probed ports are those used for networking, for typically installed services, and for services left operating by default installations of operating systems or applications. The Internet Storm Center is one site that reports on attack statistics. As this is being written, its most commonly probed ports and associated protocols are as follows (this list rarely changes):

  • 135—epmap

  • 1434—ms-sql-m

  • 137—netbios-ns

  • 80—www

  • 445—microsoft-ds

  • 1433—ms-sql-s

  • 554—rtsp

  • 139—netbios-ssn

  • 21—ftp

  • 1080—socks

The proportion of probes for each of these ports in North America might be different from the proportion on other continents, but the same ports are generally probed everywhere. The end of the chapter includes a reference where you can check for the most current information in your area of interest.


Children are generally taught that eavesdropping is not polite, but they learn from experience that it can be a good way to learn things that you weren't supposed to know. That's true of networks as well. Just as with eavesdropping on a spoken conversation, network eavesdropping is the passive monitoring of information flowing back and forth. It is often performed by software collectively known as packet sniffers.

Packet sniffers work very simply: They place the network connection on their host in promiscuous mode, where it processes every packet on the wire instead of only those addressed to the physical address (or a configured multicast address). In a shared wire, such as classical Ethernet or a hubbed network, the traffic of many hosts can be observed. Sniffers can filter traffic to capture only those packets bound for certain ports where interesting information can be discovered (for example, traffic bound for POP3 connections might carry plain-text email passwords). Figure 3.1 shows the output of a popular sniffer, Ethereal.

Figure 3.1Figure 3.1 Web traffic as seen by Ethereal.

Notice that you can pick out a particular packet and examine it in more detail. The middle pane shows this to be a DNS request; notice that the "layering" of information is a reverse of the OSI model (the bottom is the application layer, while the physical-layer information is at the top). I also turned on name resolution so that, in the upper pane, I can see the hostname of the destination instead of the IP address.

All of this is a simple example of an extremely powerful tool and one that you might well see reference to on the exam. That is because sniffing traffic is a favorite technique of hackers. Packet sniffers are relatively small software packages, with low overhead, which makes them generally unnoticeable because they have little performance impact. This means that any compromised host on the network could become an unnoticed spy if the package could be installed surreptitiously.


Some mail clients actually send the mail server all information, including the account password, in plain text. Because many people use the same password for multiple purposes, this is a useful little item to capture. That's especially true because, in many cases, the email account name matches the logon name. If so, a simple packet capture reveals the username and password with which a hacker can log on, not just read someone's mail (as if that weren't bad enough).

Information Theft

Having discovered some useful information, such as hostnames and IP addresses, usernames and passwords, and possibly other information, it becomes time to make use of that information. Posing as a legitimate user, the hacker can copy confidential data, make changes (even worse—industrial espionage could become industrial sabotage), use the account to create another user account known only to the hacker, and so on. The last possibility means that the hacker now can steal information even if the current user changes his password or that user account is terminated.

Unauthorized Access

That leads to Cisco's second type of security threat: unauthorized access. However an unauthorized person gains access, when that person has even the most basic access, it is common to make efforts to escalate the access into that with more privileges. One means is to crack the master password list, such as the Unix/Linux /etc/shadow or the Windows NT SAM hive (actually, the passwords are not decrypted; instead, the cracking routine matches a retrieved hash by creating one using the same encryption algorithm known to be used by the OS). If that seems farfetched, utilities are available in the hacker community to do this for either OS. For passwords to offer real instead of phantom protection, the organization must have and enforce a strong password policy.

The Unix "r commands"—rlogin, rsh, rcp—can be used to exploit trusted computing relationships among systems, just as trust relationships among Windows domains can be exploited. After getting into a system via a compromised account of exploited trust relationship, a hacker seeks to gain access to an account with more privileges (greater access, in terms of both scope of access and depth of access). This is known as escalating privilege. Escalating privilege, whether through obtaining the password or exploiting trust, is intended to gain the hacker control: the privileges of the Unix/Linux root account or the Windows Administrator account.


The CSI exam is neutral between the Windows operating system and the Unix and Unix-derived systems. Therefore, you need to be familiar with the security provisions of Windows, especially the servers, and those of the Unix community. Likewise, you need to be aware of the weaknesses of each and which protocols are more likely to be found working with which OS.

Another means of gaining unauthorized access is social engineering, the process of obtaining the information needed because people give it up on their own (sometimes just because they were asked for it). This exploits trust, too, but it is the trust we have of people rather than the trust among computer systems. Social-engineering attacks will never be prevented by technology because no technology is really involved.

Many of the protocols used in a network are insecure; they operate on an assumption of trust and do not protect the information they pass. Protocols such as Telnet, NTP, SNMP, and CDP can be exploited to manipulate the network devices, which are the nervous system of the organization. Cisco strongly recommends that, as much as possible, insecure protocols should be replaced with secure ones, such as replacing Telnet with SSH (Secure Shell). Network-management protocols should use the strongest version available, with authentication and/or encryption. Remember, unauthorized access to networking devices provides the hacker with far more opportunities for mischief than access to a single host. Therefore, control over access to routers and switches often needs to be stronger than that used to protect the average host.

Denial of Service

Of course, if the hacker can't get in, he can try to ensure that no one else can, either. This is the denial-of-service attack, usually just known as DoS. We tend to think of DoS as flooding a line with packets; that is indeed one method of denying service. Others are to fill a buffer (such as filling a mail queue with spam) or to request more processes than the maximum allowed for a service, thereby cutting off that service from real users. These are all instances of resource overload; when a critical resource is overloaded, other (legitimate) users of the resource must be denied. Typical DoS attacks are listed here:

  • TCP SYN flood

  • Ping of death

  • Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K)

  • Trinoo

  • Stacheldraht (German for "barbed wire")

  • Trinity

Although DoS attacks do not try to obtain information directly, bear in mind that, depending on which item crashes under the load, their effect can expose other resources that were previously protected.

One average desktop system can output a surprising number of packets with which to attack; combining attacks from several systems can overwhelm even robust networks. The combined attack is known as distributed denial of service, or DDoS. A simple form of DDoS attack sends a series of pings from several systems to a network broadcast address. The source IP for these pings is forged to appear to be that of the machine that is the actual DDoS target. The members of the network all obligingly reply to each ping they receive, and the TCP/IP stack of the target is overwhelmed with replies to a request that it did not send (but it must process each reply somewhat just to learn what it was, when the address reveals that this system is indeed the proper recipient of each packet). And that forging leads to the final threat type: data manipulation.

Data Manipulation

Data manipulation can take many forms. Because targets are not likely to take attacks upon them kindly, it is common to manipulate the source IP address of a packet sent by a hacker. This is surprisingly easy to do; Figure 3.2 is a screenshot of NMapWin, a Windows version of the nmap tool. Notice the opportunity (in the middle right of the GUI) to forge the source IP address.

Figure 3.2Figure 3.2 Spoofing the source IP address.

Conveniently, NMapWin even tells you the command-line syntax to use to implement this the old-fashioned way (look at the status bar along the bottom). IP headers are not the only address elements forged; much spam is created with false email headers to make tracing the spammer more difficult.

Another form of data manipulation is the man-in-the-middle attack, in which a system interposes itself between the two parties in a dialogue, pretending to each of them that it is actually the other party rather than a third party. In this manner, the third party receives both sides of the conversation and can manipulate what each intended recipient sees. The idea behind this is shown in Figure 3.3.

Somewhat similar is the session replay or session hijacking form of data- manipulation attack. The difference here is that the hacker is the endpoint of your conversation, even though he pretends to be the other party (the other party isn't actually involved). A session replay reuses information, some of which can be altered, to create a new action (a new payment, for instance, in a larger amount or to a new payee). Session hijacking redirects traffic in an actual system data exchange, diverting it from the real other party to a hacker posing as that party. This can be done by noting the pattern of TCP sequence numbers and their change, and then interposing a packet with the predicted sequence number.

Figure 3.3Figure 3.3 Man-in-the-middle attack.

Finally, data can be diverted from its proper destination to a bogus one, such as a Web browser session being diverted to a good forgery of a Web page (rerouting); likewise, one party to an actual transaction might deny that the transaction ever took place. The latter is called repudiation and can be done to prevent a third party (such as the debt collector) from proving that the transaction occurred. Although the data itself is not necessarily manipulated, its validity as it currently exists is questioned because it cannot be proven that it was not manipulated. This makes repudiation a case of requiring proof of a non-event, that there was no attack. This is much more difficult to prove, and the methods for handling nonrepudiation ensure that it is reasonably provable.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020