Automatically Determining a Network Reconnaissance Scope Using Passive Scanning Techniques
Stefan Marksteiner, Bernhard Jandl-Scherf, and Harald Lernbeiß

TL;DR
This paper presents a passive scanning approach to automatically determine the scope of a network for security auditing, enabling topology discovery without prior knowledge, especially useful in complex or IoT-rich environments.
Contribution
It introduces a method to passively identify network scope and addresses, facilitating automated topology mapping without any pre-existing information.
Findings
Successfully identifies network scope passively in complex environments
Enables automatic bootstrap for active network scanning
Supports security audits in black-box scenarios
Abstract
The starting point of securing a network is having a concise overview of it. As networks are becoming more and more complex both in general and with the introduction of IoT technology and their topological peculiarities in particular, this is increasingly difficult to achieve. Especially in cyber-physical environments, such as smart factories, gaining a reliable picture of the network can be, due to the intertwining of a vast amount of devices and different protocols, a tedious task. Nevertheless, this work is necessary to conduct security audits, compare documentation with actual conditions or found vulnerabilities using an attacker's view, for all of which a reliable topology overview is pivotal. For security auditors, however, there might not be much information, such as asset management access, available beforehand, which is why this paper assumes the network to audit as a complete black…
