How to Map a Network for a Security Test

By Kevin Beaver

As part of mapping out your network before performing security testing or an ethical hack, you can search public databases and resources to see what other people know about your systems.

WHOIS lookups

The best starting point is to perform a WHOIS lookup by using any one of the tools available on the Internet. In case you’re not familiar, WHOIS is a simple text protocol (TCP port 43) you can use to query the databases kept by domain registries, registrars, and the regional Internet registries (RIRs) to learn more about domain names and IP address blocks. You may have used WHOIS to check whether a particular Internet domain name is available.

For security testing, WHOIS provides the following information that can give a hacker a leg up to start a social engineering attack or to scan a network:

  • Internet domain name registration information, such as contact names, phone numbers, e-mail addresses, and mailing addresses (note that since 2018 most registrars redact personal contact details in public WHOIS output, so these fields often read as redacted; the registrar, the registration dates, and the name servers are still shown)

  • DNS servers responsible for your domain (the name server records)

  • For an IP address block, the owning organization, the size of the netblock, and abuse and technical contacts
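The following is an added example, not code from the article or from any tool it names. It does what a WHOIS lookup tool does under the hood: send a plain-text query over TCP port 43, follow the referral chain from IANA to the registry (and, for "thin" registries such as .com, on to the registrar), and pull the registrar, name servers, and contact fields out of the reply. The two sample replies at the bottom are constructed for this example and shaped like real ones; the registrar name and its WHOIS server are made up.

```python
"""Minimal WHOIS recon helper (added example; not from the article or any tool it names).

Assumptions not stated in the article: RFC 3912 WHOIS over TCP/43, IANA as the
bootstrap server for both domains and IP blocks, and 'Key: value' reply lines.
"""
import socket
from collections import defaultdict

IANA_WHOIS = "whois.iana.org"
WHOIS_PORT = 43


def whois_query(server, query, timeout=10):
    """Send one RFC 3912 query (query text + CRLF) to `server` and return the reply text."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # the server closes the connection when it is done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Turn 'Key: value' lines into {lowercased key: [values]}, dropping comments and blanks.
    Keys repeat (several 'Name Server' lines), so every value is kept in a list."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or line.startswith(">>>"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value:
            fields[key.strip().lower()].append(value)
    return dict(fields)


def referral_server(fields):
    """Return the next server to ask, if the reply names one: IANA uses 'refer:' (and 'whois:'),
    thin registries such as .com use 'Registrar WHOIS Server:'. None means this is the last hop."""
    for key in ("refer", "whois", "registrar whois server"):
        if fields.get(key):
            return fields[key][0].strip().lower()
    return None


def recon_summary(fields):
    """Extract what matters for recon: the registrar, the domain's DNS servers, and any contacts."""
    raw_ns = fields.get("name server", []) + fields.get("nserver", [])  # gTLD and RIPE-style keys
    name_servers = {ns.split()[0].lower().rstrip(".") for ns in raw_ns}
    contacts = []
    for key in ("registrant organization", "registrant email", "admin email", "tech email"):
        contacts.extend(fields.get(key, []))
    return {
        "registrar": (fields.get("registrar") or [None])[0],
        "name_servers": sorted(name_servers),
        "contacts": contacts,
        "redacted": any("redacted" in c.lower() for c in contacts),
    }


def whois_lookup(query, max_hops=3):
    """Follow the referral chain IANA -> registry/RIR -> registrar, as the `whois` CLI does.
    Works for both domain names and IP addresses (IANA refers IPs to the owning RIR)."""
    server, seen, text = IANA_WHOIS, set(), ""
    for _ in range(max_hops):
        seen.add(server)
        text = whois_query(server, query)
        nxt = referral_server(parse_whois(text))
        if not nxt or nxt in seen:
            break
        server = nxt
    return text


# Constructed sample replies, shaped like real ones but made up for this example.
IANA_SAMPLE = """\
% IANA WHOIS server
refer:        whois.verisign-grs.com

domain:       COM
whois:        whois.verisign-grs.com
"""

REGISTRY_SAMPLE = """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar: Example Registrar, Inc.
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
   Registrant Email: REDACTED FOR PRIVACY
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    print(referral_server(parse_whois(IANA_SAMPLE)))  # whois.verisign-grs.com
    print(recon_summary(parse_whois(REGISTRY_SAMPLE)))
    # Live lookup (needs network access): print(whois_lookup("example.com"))
```

The parser deliberately keeps every value for a repeated key, because the name server lines are the part you care about most and a naive dict would keep only the last one. The `redacted` flag is there because, on most gTLD domains today, the contact fields come back as placeholders and the name servers, registrar, and dates are the only reliable recon data left in the reply.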

You can look up WHOIS information at one of the following places:

  • WHOIS.net

  • A domain registrar’s site, such as www.godaddy.com

  • Your ISP’s technical support site

Two favorite WHOIS tool websites are DNSstuff and MXToolBox. For example, you can run DNS queries directly from MXToolBox to do the following:

  • Display general domain-registration information

  • Show which host handles e-mail for a domain (the Mail Exchanger or MX record)

  • Map the location of specific hosts

  • Determine whether the host is listed on certain spam blacklists

A free site you can use for more basic Internet domain queries is DNS tools. Another commercial product, NetScanTools Pro, is excellent at gathering such information.

The following list shows various lookup sites for other categories:

  • U.S. Government

  • AFRINIC (Regional Internet Registry for Africa)

  • APNIC (Regional Internet Registry for the Asia Pacific Region)

  • ARIN (Regional Internet Registry for the United States, Canada, and many Caribbean and North Atlantic islands; Africa is now served entirely by AFRINIC)

  • LACNIC (Latin American and Caribbean Internet Addresses Registry)

  • RIPE Network Coordination Centre (Europe, the Middle East, and Central Asia)

If you’re not sure which registry covers a specific country or IP block, the Number Resource Organization (NRO) has a reference guide; a WHOIS query to whois.iana.org also returns a referral to the responsible RIR.

Privacy policies

Check your website’s privacy policy. A good practice is to let your site’s users know what information is collected and how it’s being protected, but nothing more. I’ve seen many privacy policies that divulge a lot of technical details on security and related systems that should not be made public.

Make sure the people who write your privacy policies (often nontechnical lawyers) don’t divulge details about your information security infrastructure. Consider the example of an Internet start-up businessman who once bragged about his company’s security systems that ensured the privacy of client information (or so he thought). If you went to his website to check out his privacy policy, you found he had posted the brand and model of firewall he was using, along with other technical information about his network and system architecture. This is exactly the kind of information the bad guys use to pick their exploits and tailor their pretexts, and it had been handed to them for free. Not a good idea.