Network scanning:

Initial Network Scanning (Nmap):

  • Initial network scanning, an ICMP echo sweep (nmap -sP -PI 192.168.10.0/24)

This is ICMP probing to determine which hosts are up. No response does not mean the address is empty: ICMP echo is routinely dropped by a border firewall or host filter, so the non-responding addresses are carried into the next stage and scanned with ping disabled (-P0).

  • TCP SYN scan of key ports (21, 25, 53, 80, 110) with ICMP probing disabled, written in greppable form for later parsing (nmap -sS -P0 -p21,25,53,80,110 -oG output.txt 192.168.10.0/24)
  • Identify UDP services (nmap -sU -P0 -p6,53,69,123,137,161 -oG output.txt 192.168.10.0/24)

Flag note: -sP, -PI and -P0 are the old spellings and are still accepted; current Nmap releases document them as -sn, -PE and -Pn.
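
The staged discovery above (echo sweep, then TCP and UDP with ping disabled) is easier to keep honest if the greppable output is parsed between stages rather than eyeballed. The following is an added example, not code from the original notes: it builds the three commands in current Nmap spelling, parses -oG output, and lists the hosts that ignored the echo sweep but still exposed open ports. The file names sweep.gnmap/tcp.gnmap/udp.gnmap are assumptions, and the two -oG samples are constructed, not captured scans.

```python
"""Stage the checklist's initial scans (ICMP sweep, then TCP/UDP with ping
disabled) and parse the greppable -oG output between them.  Added example,
not part of the original notes; the two -oG samples below are constructed."""
import re
import subprocess
from typing import Dict, List, Set

# -oG writes "Host: <ip> (<name>)\tStatus: Up" and, for scanned hosts,
# "Host: <ip> (<name>)\tPorts: 22/open/tcp//ssh///, ...\tIgnored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+(\w+)")
PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")


def stage_commands(cidr: str, tcp_ports: str = "21,25,53,80,110",
                   udp_ports: str = "53,69,123,137,161") -> Dict[str, List[str]]:
    """The three initial scans in current Nmap spelling (-sn/-PE/-Pn replace
    the older -sP/-PI/-P0).  Output file names are assumed, not from the notes."""
    return {
        "icmp_sweep": ["nmap", "-sn", "-PE", "-oG", "sweep.gnmap", cidr],
        "tcp_noping": ["nmap", "-sS", "-Pn", "-p", tcp_ports, "-oG", "tcp.gnmap", cidr],
        "udp_noping": ["nmap", "-sU", "-Pn", "-p", udp_ports, "-oG", "udp.gnmap", cidr],
    }


def parse_greppable(text: str) -> Dict[str, dict]:
    """Map each host to its ping status and the set of (port, proto, service)
    triples Nmap reported as open."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip, status = m.groups()
            hosts.setdefault(ip, {"status": None, "open": set()})["status"] = status
            continue
        m = PORTS_RE.match(line)
        if m:
            ip, ports = m.groups()
            entry = hosts.setdefault(ip, {"status": None, "open": set()})
            for spec in ports.split(","):
                # fields: port/state/protocol/owner/service/rpc-info/version
                f = spec.strip().split("/")
                if len(f) >= 5 and f[1] == "open":
                    entry["open"].add((int(f[0]), f[2], f[4]))
    return hosts


def icmp_filtered_hosts(sweep_text: str, noping_text: str) -> Set[str]:
    """Hosts that never answered the echo sweep yet exposed open ports when
    scanned with -Pn: 'no ping reply' meant filtering, not an empty address."""
    answered = {ip for ip, h in parse_greppable(sweep_text).items() if h["status"] == "Up"}
    return {ip for ip, h in parse_greppable(noping_text).items()
            if h["open"] and ip not in answered}


def run_stage(cmd: List[str]) -> str:
    """Run one nmap command and return the greppable output it wrote."""
    subprocess.run(cmd, check=True)
    with open(cmd[cmd.index("-oG") + 1], encoding="utf-8") as fh:
        return fh.read()


# Constructed samples standing in for sweep.gnmap and tcp.gnmap.
SWEEP_SAMPLE = """# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.25 ()\tStatus: Up
# Nmap done: 256 IP addresses (2 hosts up)
"""
TCP_SAMPLE = """# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 21/closed/tcp//ftp///, 80/open/tcp//http///\tIgnored State: closed (3)
Host: 192.168.10.10 ()\tStatus: Up
Host: 192.168.10.10 ()\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///\tIgnored State: filtered (3)
Host: 192.168.10.25 ()\tStatus: Up
Host: 192.168.10.25 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (4)
# Nmap done: 256 IP addresses (3 hosts up)
"""

if __name__ == "__main__":
    # Against a real range: out = {k: run_stage(v) for k, v in stage_commands("192.168.10.0/24").items()}
    print("ICMP-filtered but listening:", icmp_filtered_hosts(SWEEP_SAMPLE, TCP_SAMPLE))
```

With the constructed samples, 192.168.10.10 is the host the echo sweep would have missed; in a real engagement those addresses are exactly the ones to carry into the full port scans below.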

 

Full Network Scanning (Nmap) to identify all available network services:

  • TCP scanning with fingerprinting (nmap -sS -P0 -p1-65535 -v -A -oN output.txt 192.168.10.0/24)
  • Slowed down, to stay under IDS thresholds (nmap -sS -P0 -p1-65535 -v -A -T Sneaky -oN output.txt 192.168.10.0/24)
  • UDP scanning (nmap -sU -P0 -p1-65535 -oN output.txt 192.168.10.0/24)

-A turns on OS and version detection (current releases add default NSE scripts and traceroute); -T Sneaky is timing template 1 (-T1); -oN is normal output, which very old Nmap releases spelled -o. A 65535-port UDP sweep of a /24 is slow because closed ports answer only with rate-limited ICMP unreachables, so expect most ports to come back "open|filtered" and run it in the background.

 

Low-Level Network Testing (Nmap):

  • TCP ISN sequence generation, reported by OS fingerprinting as the TCP sequence prediction difficulty (nmap -sS -P0 -p1-65535 -v -A -oN output.txt 192.168.10.0/24)
  • IP ID sequence generation, tested with an idle scan bounced off 192.168.10.10 (the zombie) against 192.168.10.1 (nmap -P0 -sI 192.168.10.10 192.168.10.1); the zombie needs an incremental and otherwise idle IP ID counter, which -O reports under "IP ID Sequence Generation"
  • Source route testing, to check the accessible services for loose source routing (lsrscan -d 23 192.168.10.1)
  • See Chapter 4 for more

 

Accessible Network Service Identification:

  • Initial Telnet service assessment (telnet 192.168.10.1)
  • Initial SSH service assessment, grabbing the version banner (telnet 192.168.10.10 22)
  • Initial SMTP service assessment, grabbing the 220 greeting (telnet 192.168.10.10 25)
  • Initial web service assessment to identify enabled components (./dnascan.pl http://192.168.10.25)
  • Automated scanning for FrontPage and OWA components (N-Stealth)
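
The manual telnet probes above amount to banner grabbing: FTP, SMTP and SSH announce themselves on connect, while a web server says nothing until it is sent a request. The following is an added example, not code from the original notes or from any of the tools it lists: it grabs a banner with the right per-port probe, classifies it, and includes a loopback demo listener so it runs without a target. The demo server and all banner strings are constructed, not captured from real hosts.

```python
"""Banner-grab the services the checklist probes by hand with telnet and
classify what comes back (FTP, SMTP and SSH speak first; HTTP answers only
once asked).  Added example, not from the original notes; the demo listener
and every banner below are constructed, not captured from real hosts."""
import re
import socket
import socketserver
import threading
from typing import Optional, Tuple

# What to send after connecting, per port: nothing for server-first protocols.
PROBES = {21: b"", 22: b"", 25: b"", 80: b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"}

BANNER_RULES = [
    ("ssh",  re.compile(r"^SSH-(\d+\.\d+)-(\S+)")),
    ("smtp", re.compile(r"^220[ -](\S+).*?\b(E?SMTP)\b\s*(.*)", re.I)),
    ("ftp",  re.compile(r"^220[ -](.*)")),
    ("http", re.compile(r"^HTTP/\d\.\d\s+(\d{3})(?:.*?^Server:\s*(.+?)\r?$)?", re.S | re.M)),
]


def grab_banner(host: str, port: int, probe: Optional[bytes] = None,
                timeout: float = 5.0) -> str:
    """Connect, send the probe for this port, read until EOF, timeout or 4 KiB."""
    if probe is None:
        probe = PROBES.get(port, b"")
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while total < 4096:
                data = s.recv(4096 - total)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
        except socket.timeout:
            pass  # server keeps the connection open (SSH does); keep what we got
    return b"".join(chunks).decode("latin-1")


def classify(banner: str) -> Tuple[str, str]:
    """Return (service, detail); the detail is the version/product text."""
    for name, rx in BANNER_RULES:
        m = rx.match(banner)
        if m:
            return name, " ".join(g for g in m.groups() if g).strip()
    first = banner.strip().splitlines()
    return "unknown", first[0] if first else ""


class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        if self.server.expect_request:     # HTTP-style: wait for the client's request
            self.request.recv(1024)
        self.request.sendall(self.server.banner)


def start_demo_server(banner: bytes, expect_request: bool = False) -> int:
    """Constructed stand-in for a real listener on 127.0.0.1; returns its port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _BannerHandler)
    srv.banner, srv.expect_request = banner, expect_request
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    ssh_port = start_demo_server(b"SSH-2.0-OpenSSH_3.9p1\r\n")
    print(classify(grab_banner("127.0.0.1", ssh_port, probe=b"")))
    # Real targets from the checklist: classify(grab_banner("192.168.10.10", 25))
```

The SMTP rule is checked before the generic 220 rule because both FTP and SMTP greet with a 220 line; only the presence of the word SMTP/ESMTP separates them, which is also why a banner alone is a lead for the vulnerability lookup, not proof of the version running.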

 

Investigation of Known Vulnerabilities (match the identified service versions against public advisories and exploit archives):

  • Cisco IOS accessible service vulnerabilities => Packet Storm => password grinding
  • Solaris accessible service vulnerabilities => Packet Storm
  • Windows accessible service vulnerabilities => MITRE, SecurityFocus, Packet Storm and Microsoft

 

Network services testing:

  • Cisco IOS router password grinding over Telnet (hydra -P pass.txt -e ns 192.168.10.1 cisco; -e ns also tries an empty password and the login as password) and SNMP community string grinding (./ADMsnmp 192.168.10.1)
  • Solaris mail server => look for public exploits => enumerate user accounts (SMTP VRFY/EXPN) => brute force
  • Windows 2000 web server (N-Stealth)
  • Network mapping (Linux): www.marko.net/cheops
  • Vulnerability scanning: www.nessus.org and www.cisco.com/warp/public/cc/pd/sqsw/nesn/
  • Password crackers: www.packetstormsecurity.com/Crackers/ and www.l0pht.com
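
SNMP community grinding works differently from Telnet grinding: an SNMPv1 agent silently drops a request carrying the wrong community, so the only signal is a GetResponse for the right one. The following is an added example, not code from the original notes or from ADMsnmp: it encodes a GetRequest for sysDescr.0 by hand (BER), decodes the reply, and grinds a wordlist over UDP. fake_agent_response() is a constructed reply shaped like a real agent's, used so the decoder can be exercised offline.

```python
"""Build and decode SNMPv1 packets so that community-string grinding (the
job ADMsnmp automates) can be done with a plain UDP socket.  Added example,
not from the original notes; fake_agent_response() is a constructed reply
shaped like a real agent's, not captured traffic."""
import socket
from typing import Iterable, Optional

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0: every agent answers it


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def encode_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]            # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                            # base-128, continuation bit on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmp_get(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest (PDU tag 0xA0) for one OID with a NULL value."""
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + b"\x05\x00"))
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = v1


def read_tlv(buf: bytes, pos: int = 0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_response(data: bytes) -> Optional[dict]:
    """Decode a GetResponse (PDU tag 0xA2); anything else returns None."""
    try:
        tag, msg, _ = read_tlv(data)
        if tag != 0x30:
            return None
        _, _, p = read_tlv(msg)                 # version
        _, community, p = read_tlv(msg, p)
        ptag, pdu, _ = read_tlv(msg, p)
        if ptag != 0xA2:
            return None
        _, rid, q = read_tlv(pdu)
        _, err, q = read_tlv(pdu, q)
        _, _, q = read_tlv(pdu, q)              # error-index
        _, vbl, _ = read_tlv(pdu, q)
        _, vb, _ = read_tlv(vbl)
        _, _, r = read_tlv(vb)                  # OID
        _, value, _ = read_tlv(vb, r)
    except IndexError:
        return None
    return {"community": community.decode("latin-1"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": value}


def fake_agent_response(community: str, request_id: int, value: bytes) -> bytes:
    """Constructed GetResponse carrying sysDescr, used here instead of a live agent."""
    varbinds = tlv(0x30, tlv(0x30, encode_oid(SYS_DESCR) + tlv(0x04, value)))
    pdu = tlv(0xA2, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def grind_communities(host: str, candidates: Iterable[str], port: int = 161,
                      timeout: float = 1.0) -> Optional[str]:
    """Agents silently drop requests with a wrong community, so only a
    GetResponse whose request-id matches (and error-status 0) confirms a hit."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, community in enumerate(candidates, 1):
            s.sendto(snmp_get(community, request_id=i), (host, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue
            r = parse_response(data)
            if r and r["request_id"] == i and r["error_status"] == 0:
                return community
    return None


if __name__ == "__main__":
    print(snmp_get("public").hex())
    print(parse_response(fake_agent_response("public", 1, b"Cisco IOS Software")))
    # Live: grind_communities("192.168.10.1", ["public", "private", "cisco"])
```

Matching the request-id on the way back matters because UDP replies can arrive late: a response to an earlier candidate must not be credited to the one just sent. The sysDescr value that comes back with the first hit is also the most reliable platform fingerprint this stage will produce.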

Windows password hashes: the live SAM hive is c:\windows\system32\config\SAM, locked while Windows runs, so read it after booting Linux; a backup copy is kept as c:\windows\repair\sam._ (the trailing underscore marks a compressed copy; expand it before cracking).

Retrieve and alter the password database offline with the NT password boot disk: home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

  • Session hijacking: Achilles (intercepting web proxy) and dsniff: www.monkey.org/~dugsong/dsniff

Linux port redirector (redir): http://sun3.sammy.net/~sammy/hacks/

Web attacks and security bulletins: www.attrition.org/mirror/attrition

NT rootkit: www.rootkit.com

WinZapper for altering the Security event log: ntsecurity.nu/toolbox/winzapper . Forward Windows logs to a separate syslog host (Kiwi Syslog): www.kiwi-enterprises.com

Reverse WWW shell (outbound HTTP tunnel back through the firewall): http://www.thc.org/papers/fw-backd.htm

Trojans and the ports they use: www.simovits.com/nyheter9902.html . Silk Rope for wrapping (binding a trojan to a legitimate executable): www.netninja.com/bo/index.html

 

R E C O M M E N D A T I O N S:

 

Quick Win Recommendations:

  • Filter access to the exposed services at the border (only the ports that must be reachable)
  • Apply current service packs and patches
  • Disable unnecessary ISAPI extensions and components on IIS web servers

 

Long-Term Recommendations:

  • Egress network filtering
  • Enforce single point of entry into the corporate network for remote users
  • Simplify the network topology, operating platforms and services
  • Enforce strong passwords and implement logging and auditing.

 

 

Use TCPView, File Monitor, TDImon and Process Explorer from http://www.sysinternals.com to identify listening ports and the processes that own them.

Use www.ntsecurity.nu/toolbox/promiscdetect/ to detect interfaces in promiscuous mode locally; to detect them remotely, use Sentinel: www.packetfactory.net/Projects/sentinel/

Use the http://www.megasecurity.org/news_all.html news feed to find new backdoors.

 

www.packetstormsecurity.org

www.securityfocus.com

www.giac.org (or .com)

www.phrack.org

www.honeynet.org

www.megasecurity.org

www.infosecwriters.com

www.counterhack.net

 

BIOS/CMOS password clearing and manufacturer master passwords: www.xs4all.nl/~matrix/clear_cmos_ram.html and www.xs4all.nl/~matrix/master-passwords.html

Use http://www.samair.ru/proxy/proxy-11.htm for proxy lists.