Case Study


This case study chains together several of the items learned within the chapter to perform a successful scan of a network. It follows Evil Jimmy the Hacker as he scans a small company called Little Company Network (LCN). He uses DNS to gather information before moving on to NMap for some scanning as he begins to diagram the network.

The scene is set as LCN rejects Evil Jimmy for a position. He is skilled in penetration testing, and because LCN obviously did not even read to the end of his résumé, Jimmy plans to make use of his skills in an unauthorized manner. Jimmy knows the DNS name of his target, LCN.com, so he plugs his laptop into the wall and begins his attack. Knowing that preparation is vital to a successful outcome, Jimmy starts by making a plan and gathering his tools. The following steps illustrate the execution.

Step 1.

Evil Jimmy heads straight for the company website and uses the Wget tool to download the entire website. He can later browse this information at his leisure to look for e-mail addresses, address information, and any other details about the company that might later prove useful.

Step 2.

Evil Jimmy uses SamSpade to discover the company address, contact, and registration information posted for the website at the time it was created. The following example displays these output details from SamSpade.

  Registrant:
     LITTLE COMPANY NETWORK
     100 NW JOHN OLSEN PLACE
     HILLSBORO, OR 97123
     US

     Domain Name: LCN.COM

     Administrative Contact, Technical Contact:
        Little Company Network  jbates@LCN.COM
        100 NW JOHN OLSEN PL
        HILLSBORO, OR 97123
        US
        503-123-5555 fax: - 503-123-5555

     Record expires on 11-Apr-2005.
     Record created on 10-Apr-1997.
     Database last updated on 20-Mar-2005 17:16:56 EST.

     Domain servers in listed order:
        NS1.SECURESERVERS.NET
        NS2.SECURESERVERS.NET

Step 3.

Using his Visual Route tool, Jimmy gets a general idea of where the web server is. As Figure 5-30 shows, the web server is in Seattle, Washington, so the address in Oregon is probably the office address, with the web server being hosted elsewhere in Washington.

Figure 5-30. Visual Route Results


Step 4.

Armed with company address information, Evil Jimmy drives right over to the company office and plugs into the network to do a little scanning. (In the real world, this might or might not take place, but for the example, it works great.)

Note

Wireless access is becoming increasingly viable as a way into a company network without ever needing to physically "touch" that network.

Step 5.

Now that Jimmy has local network access, he can ping sweep the network. Using Pinger, Jimmy discovers several computers across the network. Figure 5-31 displays the computers on the network that respond to standard ICMP requests.

Figure 5-31. Pinger Results


Step 6.

Next, Jimmy begins port scanning the computers to enumerate which programs are running on each one. Jimmy also uses the NMap -O switch to detect which operating system each is running. The following example shows the output:

  C:\>NMap -sS -O 192.168.200.21,100

  Starting NMap 3.81 ( http://www.insecure.org/NMap ) at 2005-03-21 21:07 GMT Standard Time

  Interesting ports on Desk1 (192.168.200.21):
  (The 1658 ports scanned but not shown below are in state: closed)
  PORT     STATE SERVICE
  21/tcp   open  ftp
  25/tcp   open  smtp
  135/tcp  open  msrpc
  139/tcp  open  netbios-ssn
  5713/tcp open  proshareaudio
  MAC Address: 08:00:46:F3:14:72
  Device type: general purpose
  Running: Microsoft Windows NT/2K/XP
  OS details: Microsoft Windows XP SP2

  Interesting ports on WEB1 (192.168.200.100):
  (The 1652 ports scanned but not shown below are in state: closed)
  PORT     STATE SERVICE
  23/tcp   open  telnet
  53/tcp   open  domain
  135/tcp  open  msrpc
  139/tcp  open  netbios-ssn
  445/tcp  open  microsoft-ds
  1025/tcp open  NFS-or-IIS
  1026/tcp open  LSA-or-nterm
  1029/tcp open  ms-lsa
  1031/tcp open  iad2
  1433/tcp open  ms-sql-s
  1434/tcp open  ms-sql-m
  MAC Address: 00:50:56:EE:EE:EE
  Device type: general purpose
  Running: Microsoft Windows 2003/.NET|NT/2K/XP
  OS details: Microsoft Windows 2003 Server or XP SP2

  NMap finished: 2 IP addresses (2 hosts up) scanned in 3.203 seconds

Step 7.

Jimmy is finished scanning and leaves the building just as the networking team commences the search for the intruder. Fortunately for Jimmy, it took several minutes for the team to detect the scan before they could start searching for the guilty hacker.

Step 8.

Back in the comfort of his home, Evil Jimmy starts to collate the information into an easy-to-read diagram that displays computer addresses, services open, and operating systems on each.
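The collation Jimmy does by hand in Step 8 is the same inventory a defender builds from a scan of their own network. The following is an added example (not from the book) that parses NMap's normal output, as shown in Step 6, into a per-host record of address, open services, MAC and OS, and flags hosts exposing cleartext management services such as telnet and ftp. The sample input is a constructed excerpt of the two hosts from Step 6 and is assumed to follow NMap 3.x normal-output layout.

```python
import re

# Constructed sample in NMap 3.x "normal" output layout, built from the
# two hosts in the case study (assumed to match the book's listing).
SAMPLE_OUTPUT = """\
Interesting ports on Desk1 (192.168.200.21):
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
135/tcp  open  msrpc
5713/tcp open  proshareaudio
MAC Address: 08:00:46:F3:14:72
OS details: Microsoft Windows XP SP2

Interesting ports on WEB1 (192.168.200.100):
PORT     STATE SERVICE
23/tcp   open  telnet
53/tcp   open  domain
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
MAC Address: 00:50:56:EE:EE:EE
OS details: Microsoft Windows 2003 Server or XP SP2
NMap finished: 2 IP addresses (2 hosts up) scanned in 3.203 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\d+(?:\.\d+){3})\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
CLEARTEXT = {"ftp", "telnet"}  # services that carry credentials unencrypted

def parse_nmap(text):
    """Return {ip: {"name", "os", "mac", "ports": {port: service}}} from NMap normal output."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):          # new host block starts
            cur = hosts.setdefault(m.group(2), {"name": m.group(1), "os": "", "mac": "", "ports": {}})
        elif cur and (m := PORT_RE.match(line)) and m.group(3) == "open":
            cur["ports"][int(m.group(1))] = m.group(4)   # keep only open ports
        elif cur and line.startswith("MAC Address:"):
            cur["mac"] = line.split(":", 1)[1].strip()
        elif cur and line.startswith("OS details:"):
            cur["os"] = line.split(":", 1)[1].strip()
    return hosts

def cleartext_exposure(hosts):
    """Map each host IP to the sorted list of open ports running a cleartext service."""
    return {ip: sorted(p for p, s in h["ports"].items() if s in CLEARTEXT) for ip, h in hosts.items()}

if __name__ == "__main__":
    for ip, ports in cleartext_exposure(parse_nmap(SAMPLE_OUTPUT)).items():
        print(f"{ip:<16} cleartext services on ports {ports}")
```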

As you can see, collecting information about a company and its network is easy, fun, and relatively quick.

    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209