Network scanning with Nmap, SMB security, cloud asset discovery, Netcat, and Sigma detection rules.
Explores attacker reconnaissance techniques including network scanning with Nmap, host discovery, service enumeration, and vulnerability identification across Windows, Linux, Azure, and AWS targets. Covers SMB protocol security including share discovery, exploitation, and relay attacks. Includes cloud-specific scanning for shadow IT discovery, network access manipulation techniques, Netcat usage for offensive and defensive operations, and detection using Hayabusa and Sigma rules. Maps to GIAC objectives: Scanning and Mapping, SMB Security, and Detecting Exploitation and Covert Communications Tools. (~20% of exam)
5 minutes
5 Questions
Reconnaissance, Scanning, and Enumeration are the first three critical phases of the cyber attack lifecycle, fundamental to the GIAC Certified Incident Handler (GCIH) body of knowledge.
**Reconnaissance** is the initial phase where an attacker gathers information about a target without directly interacting with the target systems. This includes passive techniques such as open-source intelligence (OSINT) gathering, reviewing public records, searching social media, analyzing DNS records, examining job postings for technology clues, and using tools like WHOIS lookups, Google dorking, and Shodan. The goal is to build a comprehensive profile of the target organization, its infrastructure, employees, and potential vulnerabilities without triggering any security alerts.
**Scanning** is the active phase where attackers directly probe target systems to identify live hosts, open ports, running services, and potential vulnerabilities. Key techniques include network sweeps (ping sweeps), port scanning using tools like Nmap, vulnerability scanning with tools such as Nessus or OpenVAS, and OS fingerprinting. Scanning is categorized into network scanning, port scanning, and vulnerability scanning. Unlike reconnaissance, scanning involves direct interaction with target systems and can potentially be detected by intrusion detection systems (IDS) and firewalls.
**Enumeration** goes deeper by actively extracting detailed information from discovered services and systems. This includes identifying user accounts, network shares, group memberships, application banners, SNMP data, DNS zone transfers, and service-specific details. Tools like enum4linux, snmpwalk, ldapsearch, and NetBIOS enumeration utilities are commonly used. Enumeration often involves establishing active connections and crafting directed queries to extract actionable intelligence, so it is usually noisier in authentication and service logs than scanning.
For GCIH professionals, understanding these phases is essential for both detecting and responding to attacks. Incident handlers must recognize the indicators of each phase in logs, network traffic, and security alerts (for example, a single source touching many ports on one host or the same port on many hosts within a short window) and implement timely countermeasures, such as monitoring for unusual queries, rate limiting, hardening services against enumeration, and proper network segmentation to limit attacker visibility.
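The following script is an added example, not part of the quiz material or the GCIH course, showing the kind of detection logic an incident handler would run over connection logs to surface the scanning phase described above: a vertical port scan (one source, many ports on one host) and a horizontal sweep (one source, one port across many hosts). The firewall log format, field names, thresholds, the 60-second window and all sample records are constructed assumptions for illustration.

```python
"""Scan-phase indicators in firewall connection logs (added example).

Not material from the GCIH course or this page: a small detector that flags
two common scanning patterns in constructed, firewall-style connection
records. Log format, thresholds and the 60 s window are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed record format: "<iso-ts> <ACCEPT|DENY> src=<ip> dst=<ip> dport=<n> proto=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text):
    """Parse matching lines into Event objects; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["action"],
                                m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return events


def detect_scans(events, window_seconds=60, vertical=8, horizontal=6):
    """Return sorted (kind, src, target, count) findings.

    vertical:   distinct dports one source touches on one host within the window
    horizontal: distinct hosts one source touches on one proto/port within the window
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    findings = {}  # (kind, src, target) -> highest count seen in any window
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] spans at most window_seconds.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_per_host[e.dst].add(e.dport)
                hosts_per_port[(e.proto, e.dport)].add(e.dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= vertical:
                    key = ("vertical_port_scan", src, dst)
                    findings[key] = max(findings.get(key, 0), len(ports))
            for (proto, port), hosts in hosts_per_port.items():
                if len(hosts) >= horizontal:
                    key = ("horizontal_sweep", src, f"{proto}/{port}")
                    findings[key] = max(findings.get(key, 0), len(hosts))
    return sorted(k + (v,) for k, v in findings.items())


def _line(ts, action, src, dst, dport):
    return f"2024-03-01T{ts} {action} src={src} dst={dst} dport={dport} proto=tcp"


# Constructed sample log (not real traffic): 26 records covering four behaviours.
SAMPLE_LOG = "\n".join(
    # vertical scan: 10.0.0.5 walks ten ports on one host within ten seconds
    [_line(f"10:00:{i + 1:02d}", "DENY", "10.0.0.5", "10.0.1.10", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])]
    # horizontal sweep: 10.0.0.7 probes tcp/445 on eight hosts in eight seconds
    + [_line(f"10:05:{i:02d}", "DENY", "10.0.0.7", f"10.0.1.{i + 1}", 445)
       for i in range(8)]
    # benign: repeated HTTPS connections from one client to one server
    + [_line(ts, "ACCEPT", "10.0.0.20", "10.0.1.10", 443)
       for ts in ("10:00:00", "10:00:30", "10:01:00")]
    # slow scan: 10.0.0.9 tries five ports two minutes apart (evades a 60 s window)
    + [_line(f"10:{10 + 2 * i}:00", "DENY", "10.0.0.9", "10.0.1.10", p)
       for i, p in enumerate([22, 80, 443, 3389, 8080])]
)

if __name__ == "__main__":
    for kind, src, target, count in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{kind:20s} {src:>10s} -> {target:12s} ({count} distinct)")
```

With the default thresholds the script reports the fast port scanner and the SMB sweep but not the repeated HTTPS client. The slow scanner (10.0.0.9) is the caveat: probes spread two minutes apart never share a 60-second window, which is exactly how slow timing templates such as Nmap's `-T0`/`-T1` evade simple threshold rules. Lengthening the window or tuning thresholds catches it at the cost of more false positives, so in practice this kind of rule is paired with longer-baseline analytics and with the Sigma rules the page covers later.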