Network scanning:
Initial Network Scanning (Nmap):
- Initial network scanning (nmap -sP -PI 192.168.10.0/24). This is ICMP probing to determine which hosts are up. No response => there is a firewall.
- Scanning without ICMP, probing a few common TCP ports including 80 (nmap -sS -P0 -p21,25,53,80,110 -oG output.txt 192.168.10.0/24)
- Identify UDP services (nmap -sU -P0 -p6,53,69,123,137,161 -oG output.txt 192.168.10.0/24)
Full Network Scanning (Nmap) to identify available network services:
- TCP scanning with fingerprinting (nmap -sS -P0 -p1-65535 -v -A -oN output.txt 192.168.10.0/24)
- Slowed down (nmap -sS -P0 -p1-65535 -v -A -T sneaky -oN output.txt 192.168.10.0/24)
- UDP scanning (nmap -sU -P0 -p1-65535 -oN output.txt 192.168.10.0/24)
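The scan sequence above (SYN probes with no ICMP first, then a UDP sweep) leaves a recognisable trace in firewall drop logs. The following Python script is an added defensive example, not part of the original notes: it parses iptables-style DROP lines (constructed sample data, not a real capture) and flags any source that probes many distinct ports within a short window; the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style DROP lines, not a real capture: 203.0.113.5 sweeps the
# TCP (21,25,53,80,110) and UDP (53,161) ports from the notes; 198.51.100.9 is benign.
SAMPLE_LOG = """\
Jan 12 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.168.10.1 PROTO=TCP SPT=41000 DPT=21 SYN
Jan 12 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.168.10.1 PROTO=TCP SPT=41000 DPT=25 SYN
Jan 12 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.168.10.1 PROTO=TCP SPT=41000 DPT=53 SYN
Jan 12 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.168.10.1 PROTO=TCP SPT=41000 DPT=80 SYN
Jan 12 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.168.10.1 PROTO=TCP SPT=41000 DPT=110 SYN
Jan 12 10:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.168.10.1 PROTO=UDP SPT=41001 DPT=53
Jan 12 10:00:06 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.168.10.1 PROTO=UDP SPT=41001 DPT=161
Jan 12 10:00:07 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.168.10.25 PROTO=TCP SPT=51234 DPT=443 SYN
Jan 12 10:30:00 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.168.10.25 PROTO=TCP SPT=51235 DPT=443 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def parse(lines):
    """Yield (timestamp, src, dst, proto, dport) for every line that matches."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # syslog lines carry no year; any fixed year keeps them sortable
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["dst"], m["proto"], int(m["dpt"])

def detect_scans(lines, window_s=60, min_targets=5):
    """Return {src: targets} for sources hitting >= min_targets distinct
    (dst, proto, port) tuples inside a sliding window of window_s seconds.
    Slow-timed scans spread probes out, so widen window_s to catch them."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dpt in parse(lines):
        per_src[src].append((ts, (dst, proto, dpt)))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            targets = {t for _, t in events[start:end + 1]}
            if len(targets) >= min_targets and len(targets) > len(alerts.get(src, ())):
                alerts[src] = sorted(targets)  # keep the widest set seen for this source
    return alerts
```

Repeated connections to a single port are never flagged, so ordinary retry traffic stays quiet while a sweep over several ports and protocols from one address is reported.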
Low-Level Network Testing (Nmap):
- TCP ISN sequence generation (nmap -sS -P0 -p1-65535 -v -A -oN output.txt 192.168.10.0/24)
- IP ID sequence generation, bounced from 10.10 to 10.1 (nmap -P0 -sI 192.168.10.10 192.168.10.1)
- Source routing test of the accessible services (lsrscan -d 23 192.168.10.1)
- See Chapter 4 for more.
Accessible Network Service Identification:
- Initial Telnet service assessment (telnet 192.168.10.1)
- Initial SSH service assessment (telnet 192.168.10.10 22)
- Initial SMTP service assessment (telnet 192.168.10.10 25)
- Initial web service assessment to identify enabled components (./dnascan.pl http://192.168.10.25)
- Automated scanning for FrontPage and OWA components (N-Stealth)
Investigation of Known Vulnerabilities:
- Cisco IOS accessible service vulnerabilities => Packet Storm => password grinding
- Solaris accessible service vulnerabilities => Packet Storm
- Windows accessible service vulnerabilities => MITRE, SecurityFocus, Packet Storm and Microsoft
Network services testing:
- Cisco IOS router password grinding (hydra -P pass.txt -e ns 192.168.10.1 cisco) (./ADMsnmp 192.168.10.1)
- Solaris mail server => look for public exploits => enumeration of user accounts => brute force
- Windows 2000 web server (N-Stealth)
- Network mapping (Linux): www.marko.net/cheops
- Vulnerability scanning: www.nessus.org and www.cisco.com/warp/public/cc/pd/sqsw/nesn/
- Password crackers: www.packetstormsecurity.com/Crackers/ and www.l0pht.com
Password file at c:/windows/repair/sam._ or, when booting Linux, in c:\windows\system32\config
Retrieve and alter the password file: home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
- Session hijacking: Achilles and dynamic sniffing: www.monkey.org/~dugsong/dsniff
- Linux Redir: http://sun3.sammy.net/~sammy/hacks/
- Web attacks and security bulletins: www.attrition.org/mirror/attrition
- NT rootkit: www.rootkit.com
- WinZapper for altering logs: ntsecurity.nu/toolbox/winzapper. Separate syslog for Windows: www.kiwi-enterprises.com
- Reverse WWW shell: http://www.thc.org/papers/fw-backd.htm
- Trojans and the ports they use: www.simovits.com/nyheter9902.html
- Silk Rope for wrapping: www.netninja.com/bo/index.html
RECOMMENDATIONS:
Quick Win Recommendations:
- Filter access
- Service packs
- Disable unnecessary extensions on IIS web servers
Long-Term Recommendations:
- Egress network filtering
- Enforce a single point of entry into the corporate network for remote users
- Simplify the network topology, operating platforms and services
- Enforce strong passwords and implement logging and auditing.
Use TCPView, File Monitor, TDImon and Process Explorer from http://www.sysinternals.com to identify open ports.
Use www.ntsecurity.nu/toolbox/promiscdetect/ to detect promiscuous-mode interfaces; for remote detection, www.packetfactory.net/Projects/sentinel/
Use the news at http://www.megasecurity.org/news_all.html to find new backdoors.
www.packetstormsecurity.org
www.securityfocus.com
www.giac.org (or .com)
www.phrack.org
www.honeynet.org
www.megasecurity.org
www.infosecwriters.com
www.counterhack.net
Use www.xs4all.nl/~matrix/clear_cmos_ram.html and www.xs4all.nl/~matrix/master-passwords.html
Use http://www.samair.ru/proxy/proxy-11.htm for proxies.