Network scanning:


Initial Network Scanning (nmap):

  • Initial network scanning (nmap -sP -PI

This is ICMP probing to determine which hosts are up. No response => a firewall is blocking ICMP.

  • Scanning without ICMP and port 80 (nmap -sS -P0 -p21,25,53,80,110 -oG output.txt)
  • Identify UDP services (nmap -sU -P0 -p6,53,69,123,137,161 -oG output.txt)


Full Network Scanning (nmap) to identify available network services:

  • TCP scanning with fingerprinting (nmap -sS -P0 -p1-65535 -v -A -oN output.txt)
  • Slowed down: (nmap -sS -P0 -p1-65535 -v -A -T sneaky -oN output.txt)
  • UDP scanning: (nmap -sU -P0 -p1-65535 -oN output.txt)
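An added example, not part of these notes: the scans above write greppable `-oG` output, and this script parses that format into a per-host list of confirmed-open ports, which is the form you want when checking a scan result against the intended firewall policy. The `-oG` text in the script is constructed to show the format, not real scan output.

```python
"""Parse nmap greppable (-oG) output into a host -> open ports map."""
import re

# Constructed sample in -oG format (not a real scan): one 'Host:' line per
# address, fields separated by tabs, each port as
# port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -P0 -p21,25,53,80,110 -oG output.txt 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 21/filtered/tcp//ftp///, 25/open/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (2)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 53/open/udp//domain///, 161/open|filtered/udp//snmp///
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done
"""

# port / state / protocol / owner / service
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service), ...]} for hosts with a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer lines
        fields = line.split("\t")
        host = fields[0].split()[1]  # 'Host: 10.0.0.1 ()' -> '10.0.0.1'
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, _owner, service in PORT_RE.findall(field):
                    hosts.setdefault(host, []).append((int(port), proto, state, service))
    return hosts


def open_ports(hosts, proto="tcp"):
    """Ports reported exactly 'open'; UDP 'open|filtered' is unconfirmed and excluded."""
    return {h: sorted(p for p, pr, st, _ in ports if pr == proto and st == "open")
            for h, ports in hosts.items()}


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in sorted(open_ports(parsed).items()):
        print(host, ports)
```

Hosts that answered on nothing (10.0.0.3 above) produce no entry at all, so a missing host in the output means "down or fully filtered", not "no open ports".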


Low-Level Network Testing (nmap):

  • TCP ISN sequence generation: (nmap -sS -P0 -p1-65535 -v -A -oN output.txt)
  • IP ID sequence generation: bounced from 10.10 to 10.1 (nmap -P0 -sI
  • Source route testing to test the accessible services for source routing (lsrscan -d 23
  • See Cap.4 for more


Accessible Network Service Identification:

  • Initial Telnet Service Assessment (telnet
  • Initial SSH Service Assessment (telnet 22)
  • Initial SMTP Service Assessment (telnet 25)
  • Initial Web Service Assessment to identify enabled components (./
  • Automated scanning for Front Page and OWA components (N-Stealth)


Investigation of Known Vulnerabilities:

  • CISCO IOS Accessible Service Vulnerabilities => Packet Storm => Password Grinding
  • SOLARIS Accessible Service Vulnerabilities => Packet Storm
  • Windows Accessible Service Vulnerabilities => MITRE, Security Focus, Packet Storm and Microsoft


Network services testing:

  • CISCO IOS Router password grinding (hydra -P pass.txt -e ns cisco) (./ADMsnmp
  • SOLARIS Mail Server => look for public exploits => Enumeration of user accounts => Brute Force
  • Windows 2000 Web Server (N-Stealth)
  • Network mapping (Linux):
  • Vulnerability scanning: and
  • Password crackers: and

Password file at: c:\windows\repair\sam._ or, by booting Linux to read the locked live copy, under c:\windows\system32\config

Retrieve and alter password file:

• Session Hijacking: Achilles and dynamic sniffing:

Linux Redir:

Web attacks and security bulletins:

NT rootkit:

WinZapper for altering logs: . Separate SysLog for Windows:

Reverse WWW shell:

Trojans and ports used: Silk Rope for wrapping:


RECOMMENDATIONS:


Quick Win Recommendations:

  • Filter access
  • Service packs
  • Disable unnecessary extensions on IIS Web Servers


Long-Term Recommendations:

  • Egress network filtering
  • Enforce single point of entry into the corporate network for remote users
  • Simplify the network topology, operating platforms and services
  • Enforce strong passwords and implement logging and auditing.



Use TCPView, File Monitor, TDImon and Process Explorer from to identify open ports.

Use to detect promiscuous mode interfaces.


Use news to find new backdoors. or com


Use and

Use for proxies.