Penetration Testing and Network Defense

Step 1.

Evil Jimmy heads straight for the company website and uses the Wget tool to download the entire website. He can later browse this information at his leisure to look for e-mail addresses, address information, and any other details about the company that might later prove useful.

Step 2.

Evil Jimmy uses SamSpade to discover the company address, contact, and registration information posted for the website at the time it was created. The following example displays these output details from SamSpade.

Registrant: LITTLE COMPANY NETWORK 100 NW JOHN OLSEN PLACE HILLSBORO, OR 97123 US Domain Name: LCN.COM Administrative Contact, Technical Contact: Little Company Network jbates@LCN.COM 100 NW JOHN OLSEN PL HILLSBORO, OR 97123 US 503-123-5555 fax: - 503-123-5555 Record expires on 11-Apr-2005. Record created on 10-Apr-1997. Database last updated on 20-Mar-2005 17:16:56 EST. Domain servers in listed order: NS1.SECURESERVERS.NET NS2.SECURESERVERS.NET

Step 3.

Using his Visual Route tool, Jimmy gets a general idea of where the web server is. As Figure 5-30 shows, the web server is in Seattle, Washington, so the address in Oregon is probably the office address with the web server being hosted elsewhere in Washington..

Step 4.

Armed with company address information, Evil Jimmy drives right over to the company office and plugs into the network to do a little scanning. (In the real world, this might or might not take place, but for the example, it works great.)

Note

Wireless access is becoming increasingly viable as a way into a company network without ever needing to physically "touch" their network.

Step 5.

Now that Jimmy has local network access, he can ping sweep the network. Using Pinger, Jimmy discovers several computers across the network. Figure 5-31 displays the computers on the network that respond to standard ICMP requests.

Step 6.

Next, Jimmy begins port scanning computers to help enumerate details of which programs are running on each computer. Also, Jimmy uses the NMap O switch to detect which operation system is running. The following example shows the output information:

C:\>NMap -sS -O 192.168.200.21,100 Interesting ports on Desk1 (192.168.200.21): (The 1658 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 21/tcp open ftp 25/tcp open smtp 135/tcp open msrpc 139/tcp open netbios-ssn 5713/tcp open proshareaudio MAC Address: 08:00:46:F3:14:72 Device type: general purpose Running: Microsoft Windows NT/2K/XP OS details: Microsoft Windows XP SP2 NMap finished: 2 IP addresses (2 hosts up) scanned in 3.203 seconds Starting NMap 3.81 ( http://www.insecure.org/NMap ) at 2005-03-21 21:07 GMT Standard Time Interesting ports on WEB1 (192.168.200.100): (The 1652 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 23/tcp open telnet 53/tcp open domain 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 1026/tcp open LSA-or-nterm 1029/tcp open ms-lsa 1031/tcp open iad2 1433/tcp open ms-sql-s 1434/tcp open ms-sql-m MAC Address: 00:50:56:EE:EE:EE Device type: general purpose Running: Microsoft Windows 2003/.NET|NT/2K/XP OS details: Microsoft Windows 2003 Server or XP SP2

Step 7.

Jimmy is finished scanning and leaves the building just as the networking team commences the search for the intruder. Fortunately for Jimmy, it took several minutes for the team to detect the scan before they could start searching for the guilty hacker.

Step 8.

Back in the comfort of his home, Evil Jimmy starts to collate the information into an easy-to-read diagram that displays computer addresses, services open, and operating systems on each.