Sunday, December 6, 2009

Discovery and Scanning Techniques

Today, a gateway is open to technological information and corporate espionage, causing growing apprehension among enterprises worldwide. Hackers target network information using techniques referred to collectively as discovery. That is the subject of the first part of this chapter. Discovery techniques are closely related to scanning techniques, which is the topic of the second part of this chapter. Scanning for exploitable security holes has been used for many years. The idea is to probe as many ports as possible, and keep track of those receptive and at risk to a particular hack attack. A scanner program reports these receptive listeners, analyzes weaknesses, then cross-references those frailties with a database of known hack methods for further explication. The scanning section of this chapter begins by defining scanning, then examines the scanning process, and lists several scanners available for security analysis. Finally, the section illustrates scanning functionality using a real-world scenario.



Discovery



Online users, private and corporate alike, may desire anonymity as they surf the Web and connect to wide area networks, but an anonymous existence online, though not impossible, is technologically difficult to achieve. However, you can visit www.anonymizer.com for free anonymous Web browsing (shown in Figure 5.1).

This section delves into the query processes used to discover and survey a target network, in preparation for the section on vulnerability scanning and penetration attacking, using real world illustrations.



Discovery is the first step in planning an attack on a local or remote network. A premeditated, serious hack attempt will require some knowledge of the target network. A remote attack is defined as an attack using a communication protocol over a communication medium, from outside the target network. The following techniques will demonstrate the discovery preparation for a remote attack over the Internet.



The techniques described in this section can be performed in any order, usually depending on current knowledge of the target network. The examples that follow are based on a target company, euphemistically called XYZ, Inc. (the company's actual name, domain, and addresses have been changed for its protection).



Whois Domain Search Query

Finding a specific network on the Internet can be like finding the proverbial needle in a haystack; it's possible, but difficult. Whois is an Internet service that enables a user to find information, such as a universal resource locator (URL), for a given company or user who has an account at that domain.



Conducting a Whois domain search query entails locating the target company's network domain name on the Internet. The domain name is the address of a device connected to the Internet or any other TCP/IP network, in a system that uses words to identify servers, organizations, and types of organizations, such as www.companyname.com. The primary domain providing a Whois search is the Internet Network Information Center (InterNIC). InterNIC is responsible for registering domain names and IP addresses, as well as for distributing information about the Internet. InterNIC, located in Herndon, Virginia, was formed in 1993 as a consortium comprising the U.S. National Science Foundation, AT&T, General Atomics, and Network Solutions Inc.



The following list contains specific URLs for domains that provide the Whois service:

• www.networksolutions.com/cgi-bin/whois/whois. InterNIC domain-related information for North America

• www.ripe.net. European-related information

• www.apnic.net. Asia-Pacific-related information



Figures 5.2 and 5.3 represent a Whois service example, from Network Solutions (InterNIC), for our target company XYZ, Inc. As you can see, Whois discovered some valuable information for target company XYZ, Inc., namely, the company's URL: www.xyzinc.com.



Now that the target company has been located and verified as a valid Internet domain, the next step is to click on the domain link within the Whois search result (see Figure 5.4). Subsequently, address verification will substantiate the correct target company URL. The detailed Whois search indicates the following pertinent information:

• XYZ, Inc. domain URL www.xyzinc.com

• Administrative contact. Bill Thompson (obviously an employee of XYZ, Inc.)

• Technical contact. Hostmaster (apparently XYZ's Internet service provider [ISP])

• Domain servers. 207.237.2.2 and 207.237.2.3 (discussed later in the book)




PING ftp.xyzinc.com

Pinging ftp.xyzinc.com [206.0.126.12] with 32 bytes of data:

Reply from 206.0.126.12: bytes=32 time=312ms TTL=53
Reply from 206.0.126.12: bytes=32 time=312ms TTL=53
Reply from 206.0.126.12: bytes=32 time=312ms TTL=53
Reply from 206.0.126.12: bytes=32 time=312ms TTL=53



The PING query requests reveal important network addressing, indicating the following DNS entries for XYZ Inc:

www    www.xyzinc.com    206.0.126.10
mail   mail.xyzinc.com   206.0.126.5
ftp    ftp.xyzinc.com    206.0.126.12
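As an added illustration (not part of the chapter), the following Python parser reads Windows-style ping output such as the listing above and summarizes what a single reply discloses beyond reachability: the resolved address, the round-trip time, and the TTL, from which the hop distance can be estimated against the common initial TTL values of 64, 128, and 255. The sample text is re-typed from the chapter's ping listing; the initial-TTL table is an assumption and the hop count is a heuristic, not a measurement.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the chapter's Windows-style ping listing, re-typed.
SAMPLE_PING_OUTPUT = """\
Pinging ftp.xyzinc.com [206.0.126.12] with 32 bytes of data:

Reply from 206.0.126.12: bytes=32 time=312ms TTL=53
Reply from 206.0.126.12: bytes=32 time=312ms TTL=53
Reply from 206.0.126.12: bytes=32 time=312ms TTL=53
Reply from 206.0.126.12: bytes=32 time=312ms TTL=53
"""

HEADER_RE = re.compile(
    r"^Pinging (?P<host>\S+) \[(?P<ip>[\d.]+)\] with (?P<size>\d+) bytes")
# Windows prints "time=312ms" or "time<1ms"; both forms are accepted.
REPLY_RE = re.compile(
    r"^Reply from (?P<ip>[\d.]+): bytes=(?P<size>\d+) time[=<](?P<ms>\d+)ms TTL=(?P<ttl>\d+)")

# Assumption: initial TTLs most IP stacks start from. A reply with TTL=53 most
# likely started at 64 and crossed 11 routers; this is a heuristic, not proof.
COMMON_INITIAL_TTLS = (64, 128, 255)


@dataclass
class PingSummary:
    host: str
    ip: Optional[str]
    replies: int
    avg_ms: float
    ttl: Optional[int]
    est_hops: Optional[int]


def estimate_hops(ttl: int) -> int:
    """Distance to the host, assuming the smallest common initial TTL >= ttl."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return 0  # a TTL above 255 cannot occur in IPv4; treat as adjacent


def parse_ping(output: str) -> PingSummary:
    """Summarize one Windows ping run: target, reply count, mean RTT, TTL, hops."""
    host = ip = None
    times: List[int] = []
    ttls: List[int] = []
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            host, ip = m["host"], m["ip"]
            continue
        m = REPLY_RE.match(line)
        if m:
            times.append(int(m["ms"]))
            ttls.append(int(m["ttl"]))
        # "Request timed out." lines match neither pattern and count as no reply
    if host is None:
        raise ValueError("no 'Pinging ...' header found in output")
    ttl = ttls[0] if ttls else None
    return PingSummary(
        host=host,
        ip=ip,
        replies=len(times),
        avg_ms=sum(times) / len(times) if times else 0.0,
        ttl=ttl,
        est_hops=estimate_hops(ttl) if ttl is not None else None,
    )


if __name__ == "__main__":
    s = parse_ping(SAMPLE_PING_OUTPUT)
    print(f"{s.host} ({s.ip}): {s.replies} replies, avg {s.avg_ms:.0f} ms, "
          f"TTL {s.ttl} -> about {s.est_hops} hops away")
```

A run that gets only "Request timed out." lines still returns the resolved address from the header with zero replies, which is the case a defender usually wants to distinguish from a host that simply does not resolve.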





Internet Web Search Query



The World Wide Web is frequently referred to as the Information Superhighway because it contains millions of megabytes of data and information that is viewed by countless people throughout the world. The World Wide Web accommodates most of this traffic by employing search engines, the fastest-growing sites on the Web.



Search engines and Usenet groups are great tools for researching target domains, so this step covers methods of acquiring this information to aid in the target network discovery process. Addresses, phone numbers, and technical contact names can be obtained and/or verified using extended searches from Web front ends. More popular search engines and spiders can be utilized for their information-gathering capabilities.



The company profile link from the target company Web site included information that verified the address, phone number, and director of information services (IS). (Remember Bill Thompson, who turned up earlier as the administrative contact?) This is more than enough information to pull off a social engineering query, which is covered in the next step.



Social Engineering Query



This step explains an attempt to coerce a potential victim to reveal network access information. This is a popular technique used by hackers, crackers, and phreaks worldwide. Simple successful adaptations of this method include posing as a new user as well as a technician.



Posing as a New User



From the information gathered in previous steps, a hacker could dial XYZ's main phone number, and ask to be transferred to the IS department or technical support group, then pretend to be a temp employee who was told to contact them for a temporary username and password.



Additional research could make this process much more successful. For example, calling and asking for the name of the head of the marketing department could change the preceding scenario in this way: After being transferred to a technician, the hacker could start by stating, ''Hello, my name is Tom Friedman. I'm a new temp for Sharon Roberts, the head of marketing, and she told me to call you for the temp username and password."



Posing as a Technician



To use this adaptation, a hacker might ask to be transferred to someone in the sales department. From there he or she could state that Bill Thompson, the director of IS, has requested that he or she contact each user in that department to verify logon access, because a new server will be introduced to replace an old one. This information would enable the hacker to log on successfully, making the server integration transparent to him.



There are unlimited variations to a social engineering query process. Thorough and detailed research gathering helps to develop the variation that works best for a targeted company. Social engineering queries produce a surprisingly high rate of success. For more information and success stories on this method, search the links in the Tiger Tools Repository found on this book's CD.



Site Scans



As mentioned at the beginning of this chapter, the premise behind scanning is to probe as many ports as possible, and keep track of those receptive or useful to a particular hack attack. A scanner program reports these receptive listeners, analyzes weaknesses, and cross-references those weak spots with a database of known hack methods, for later use.



There are serious legal issues connected to the techniques described in this book. Without written consent from the target company, most of these procedures are illegal in the United States and many other countries. Neither the author nor the publisher will be held accountable for the use or misuse of the information contained in this book.





Scanning Techniques



Vulnerability scanner capabilities can be broken down into three steps: locating nodes, performing service discoveries on them, and, finally, testing those services for known security holes. Some of the scanning techniques described in this section can penetrate a firewall. Many tools are deployed in the security and hacking world, but very few rank higher than scanners.



In this book, a firewall is defined as a security system intended to protect an organization's network against external threats from another network, such as the Internet. A firewall prevents computers in the organization's network from communicating directly with external computers, and vice versa. Instead, all communication is routed through a proxy server outside of the organization's network; the proxy server determines whether it is safe to let a particular message or file pass through to the organization's network.



Scanners send multiple packets over communication mediums, following various protocols utilizing service ports, then listen and record each response. The most popular scanners, such as nmap, introduced later in this chapter, employ known techniques for inspecting ports and protocols, including:

• TCP Port Scanning. This is the most basic form of scanning. With this method, you attempt to open a full TCP port connection to determine if that port is active, that is, "listening."

• TCP SYN Scanning. This technique is often referred to as half-open or stealth scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and wait for a response. A SYN/ACK indicates the port is listening. Therefore, a RST response is indicative of a nonlistener. If a SYN/ACK is received, you immediately send a RST to tear down the connection. The primary advantage of this scanning technique is that fewer sites will log it.

• TCP FIN Scanning. There are times when even TCP SYN scanning isn't clandestine enough to avoid logging. Some firewalls and packet filters watch for SYNs to restricted ports, and programs such as Synlogger and Courtney are available to detect these scans altogether. FIN packets, on the other hand, may be able to pass through unmolested. The idea is that closed ports tend to reply to your FIN packet with the proper RST, while open ports tend to ignore the packet in question.



• Fragmentation Scanning. This is a modification of other techniques. Instead of just sending the probe packet, you break it into a couple of small IP fragments. Basically, you are splitting up the TCP header over several packets to make it harder for packet filters to detect what is happening.

• TCP Reverse Ident Scanning. As noted by security guru Dave Goldsmith in a 1996 bugtraq post, the ident protocol (RFC 1413) allows for the disclosure of the username of the owner of any process connected via TCP, even if that process didn't initiate the connection. So you can, for example, connect to the http port, then use the ident daemon to find out whether the server is running as root.

• FTP Bounce Attack. An interesting "feature" of the FTP protocol (RFC 959) is support for "proxy" FTP connections. In other words, you should be able to connect from evil.com to the FTP server-PI (protocol interpreter) of target.com to establish the control communication connection. You should then be able to request that the server-PI initiate an active server-DTP (data transfer process) to send a file anywhere on the Internet!

• UDP ICMP Port Unreachable Scanning. This scanning method varies from the preceding methods in that it uses the UDP protocol instead of TCP. Though this protocol is less complex, scanning it is actually significantly more difficult. Open ports don't have to send an acknowledgment in response to your probe, and closed ports aren't even required to send an error packet. Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a packet to a closed UDP port. Thus, you can find out if a port is closed, and by exclusion, determine which ports are open.

• UDP recvfrom() and write() Scanning. While nonroot users can't read port-unreachable errors directly, Linux is cool enough to inform the user indirectly when they have been received. For example, a second write() call to a closed port will usually fail. A lot of scanners, such as netcat and Pluvius' pscan.c, do this. This is the technique used for determining open ports when nonroot users use -u (UDP).
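Detection is the defender's counterpart to the techniques just listed. The following Python snippet, added here and not part of the chapter, runs a simple port-scan detector over a few constructed firewall-style log lines (the log format, the source addresses from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, and the threshold and window are all assumptions). Each packet is classified from its flags as a SYN probe, a FIN probe, or a UDP probe, and a source is reported when it touches a threshold number of distinct ports within a short window. This is the kind of logic scan detectors such as the Synlogger and Courtney mentioned above apply: a bare SYN from a real client contributes only one port, so the distinct-port count is what separates a scan from ordinary traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed firewall-style log lines (hypothetical format). 198.51.100.7 sends
# bare-SYN probes to six ports, 198.51.100.8 sends bare-FIN probes to four ports,
# 203.0.113.5 is an ordinary client completing one connection to port 80, and
# 198.51.100.9 sends a single UDP datagram.
SAMPLE_LOG = """\
2009-12-06T10:00:01 SRC=198.51.100.7 DST=206.0.126.10 PROTO=TCP DPT=21 FLAGS=S
2009-12-06T10:00:01 SRC=198.51.100.7 DST=206.0.126.10 PROTO=TCP DPT=22 FLAGS=S
2009-12-06T10:00:01 SRC=198.51.100.7 DST=206.0.126.10 PROTO=TCP DPT=23 FLAGS=S
2009-12-06T10:00:02 SRC=198.51.100.7 DST=206.0.126.10 PROTO=TCP DPT=25 FLAGS=S
2009-12-06T10:00:02 SRC=198.51.100.7 DST=206.0.126.10 PROTO=TCP DPT=80 FLAGS=S
2009-12-06T10:00:02 SRC=198.51.100.7 DST=206.0.126.10 PROTO=TCP DPT=110 FLAGS=S
2009-12-06T10:00:05 SRC=198.51.100.8 DST=206.0.126.10 PROTO=TCP DPT=21 FLAGS=F
2009-12-06T10:00:05 SRC=198.51.100.8 DST=206.0.126.10 PROTO=TCP DPT=23 FLAGS=F
2009-12-06T10:00:05 SRC=198.51.100.8 DST=206.0.126.10 PROTO=TCP DPT=80 FLAGS=F
2009-12-06T10:00:06 SRC=198.51.100.8 DST=206.0.126.10 PROTO=TCP DPT=443 FLAGS=F
2009-12-06T10:00:09 SRC=203.0.113.5 DST=206.0.126.10 PROTO=TCP DPT=80 FLAGS=S
2009-12-06T10:00:09 SRC=203.0.113.5 DST=206.0.126.10 PROTO=TCP DPT=80 FLAGS=A
2009-12-06T10:00:12 SRC=198.51.100.9 DST=206.0.126.10 PROTO=UDP DPT=161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)(?: FLAGS=(?P<flags>[A-Z]*))?$")


def classify(proto: str, flags: str) -> Optional[str]:
    """Map one packet to the probe kind it may be, or None for ordinary traffic."""
    if proto == "UDP":
        return "udp-probe"        # a datagram; whether it is a probe depends on volume
    if proto == "TCP":
        if flags == "S":
            return "syn-probe"    # both full-connect and half-open scans start here
        if flags == "F":
            return "fin-probe"    # bare FIN with no established connection
    return None                   # ACK, SYN/ACK, RST, data: not an initial probe


def detect_scanners(log: str, threshold: int = 4, window_s: int = 10
                    ) -> Dict[Tuple[str, str], List[int]]:
    """Report (source, probe-kind) pairs that touch >= threshold distinct
    destination ports within window_s seconds, with the ports involved."""
    events: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify(m["proto"], m["flags"] or "")
        if kind is None:
            continue
        events[(m["src"], kind)].append(
            (datetime.fromisoformat(m["ts"]), int(m["dpt"])))

    alerts: Dict[Tuple[str, str], List[int]] = {}
    for key, evs in events.items():
        evs.sort()
        # Slide a window over the source's probes; distinct ports, not packet
        # count, separate a scan from a client retrying one service.
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= threshold:
                alerts[key] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, kind), ports in detect_scanners(SAMPLE_LOG).items():
        print(f"{src}: {kind} against {len(ports)} ports {ports}")
```

Fragmented probes (the fragmentation technique above) would reach this detector only if the firewall reassembles or logs the first fragment with its port, which is exactly why that technique is listed as a filter-evasion method; a detector that keys on the reassembled header is the mitigation.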



Scanner Packages



Many scanners are available to the public, each with its own unique capabilities to perform specific techniques for a particular target. There are TCP scanners, which assault TCP/IP ports and services such as those listed in Chapter 1. Other scanners scrutinize UDP ports and services, some of which were also listed in Chapter 1. The purpose of this section is to identify some of the more popular scanners and to give a synopsis of their functionality. Chapter 12 introduces a complete internetworking security suite, called TigerSuite, whose evaluation is included on this book's CD.



CyberCop Scanner



Platforms: Windows NT, Linux



CyberCop Scanner (shown in Figure 5.7), by Network Associates, provides audits and vulnerability assessments combined with next-generation intrusion monitoring tools and advanced decoy server technology to combat snooping. CyberCop examines computer systems and network devices for security vulnerabilities, enables testing of NT and UNIX workstations, servers, hubs, and switches, and includes Network Associates' unique tracer packet firewall test to provide audits of firewalls and routers. Report options include executive summaries, drill-down detail reports, and field resolution advice. A unique feature of CyberCop Scanner is its auto-update technology, which keeps the kernel engine, resolution advice, and vulnerability database current. Various forms of reporting analysis are featured, such as network mapping, graphs, executive summaries, and risk factor reporting. CyberCop Scanner is certainly among the top of its class in vulnerability scanning today.



Figure 5.7 CyberCop Scanner screenshot.



In North America, CyberCop Scanner can be evaluated by clicking on www.networkassociates.com.



Jakal



Platform: Linux



Jakal is among the more popular of the scanners just defined as stealth or half-scan. Recall the communication handshake discussed in Chapter 1: A stealth scanner never completes the entire SYN/ACK process, therefore bypassing a firewall and becoming concealed from scan detectors. This method allows stealth scanners like Jakal to discreetly enumerate active ports and services. A standard TCP connection is established by sending a SYN packet to the destination host. If the destination is waiting for a connection on the specified port, it responds with a SYN/ACK packet. The initial sender replies with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST packet. Most system logs do not list completed connections until the final ACK packet is received from the source. Sending an RST packet instead of the final ACK results in the connection never actually being established, so no logging takes place. Because the source can identify whether the destination host sent a SYN/ACK or an RST, an attacker can determine exactly which ports are open for connections, without the destination ever being aware of the probing. Keep in mind, however, that some sniffer packages can detect and identify stealth scanners, and that detection includes the identity of the scanning node as well.
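The handshake description above explains why a logger that records a connection only on the final ACK never sees a half-open probe. The following Python simulation, added here and not taken from the chapter or from Jakal, feeds three constructed packet sequences (a completed connection, a half-open probe, and a probe of a closed port) through a small server-side connection-state tracker under two logging policies: the ACK-only policy the chapter describes, and a policy that also records the SYN and the way the handshake ends. The state names and the log wording are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed packet sequences as (direction, flags), with "in" meaning
# client -> server and "out" meaning server -> client.
FULL_CONNECT: List[Tuple[str, str]] = [("in", "S"), ("out", "SA"), ("in", "A")]
HALF_OPEN_PROBE: List[Tuple[str, str]] = [("in", "S"), ("out", "SA"), ("in", "R")]
CLOSED_PORT_PROBE: List[Tuple[str, str]] = [("in", "S"), ("out", "R")]


@dataclass
class ConnectionTracker:
    """Minimal server-side view of one TCP handshake with a pluggable log policy.

    log_on_syn=False reproduces the behaviour the chapter describes: an entry
    is written only when the final ACK arrives, so a half-open probe is silent.
    log_on_syn=True records the SYN and how the handshake ends as well.
    """
    log_on_syn: bool
    state: str = "CLOSED"
    log: List[str] = field(default_factory=list)

    def feed(self, direction: str, flags: str) -> str:
        packet = (direction, flags)
        if self.state == "CLOSED" and packet == ("in", "S"):
            self.state = "SYN_RECEIVED"
            if self.log_on_syn:
                self.log.append("SYN received")
        elif self.state == "SYN_RECEIVED" and packet == ("out", "SA"):
            self.state = "SYN_ACK_SENT"          # port is listening
        elif self.state == "SYN_RECEIVED" and packet == ("out", "R"):
            self.state = "CLOSED"                # port is not listening
            if self.log_on_syn:
                self.log.append("RST sent: closed port probed")
        elif self.state == "SYN_ACK_SENT" and packet == ("in", "A"):
            self.state = "ESTABLISHED"
            self.log.append("connection established")   # both policies log here
        elif self.state == "SYN_ACK_SENT" and packet == ("in", "R"):
            self.state = "CLOSED"
            if self.log_on_syn:
                self.log.append("RST after SYN/ACK: half-open probe")
        return self.state


def replay(sequence: List[Tuple[str, str]], log_on_syn: bool) -> List[str]:
    """Run one packet sequence through a fresh tracker and return its log."""
    tracker = ConnectionTracker(log_on_syn=log_on_syn)
    for direction, flags in sequence:
        tracker.feed(direction, flags)
    return tracker.log


if __name__ == "__main__":
    for name, seq in [("full connect", FULL_CONNECT),
                      ("half-open probe", HALF_OPEN_PROBE),
                      ("closed-port probe", CLOSED_PORT_PROBE)]:
        print(f"{name:18} ACK-only log: {replay(seq, False)}")
        print(f"{'':18} SYN-aware log: {replay(seq, True)}")
```

Under the ACK-only policy both probe sequences leave an empty log; under the SYN-aware policy every probe leaves a trace, which is the property a defender wants from a firewall or host logger and the reason the chapter's "no logging takes place" claim holds only for the first policy.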

Jakal can be evaluated on this book's CD.



NetRecon

Platform: Windows NT



NetRecon (shown in Figure 5.8), by Axent, is a network vulnerability assessment tool that discovers, analyzes, and reports vulnerable holes in networks. NetRecon conducts an external assessment of current security by scanning and probing systems on the network. NetRecon re-creates specific intrusions or attacks to identify and report network vulnerabilities, while suggesting corrective actions. NetRecon ranks alongside CyberCop Scanner among the top of its class in vulnerability scanning today.

In North America, NetRecon can be evaluated at www.axent.com.



Network Security Scanner/WebTrends Security Analyzer



Platforms: Windows 95/98/2000/NT, agents supported on Solaris and Red Hat Linux



Network Security Scanner (NSS) technology has been incorporated into the WebTrends Security Analyzer (shown in Figure 5.9). The product helps to secure your intranet and extranet by detecting security vulnerabilities on Windows NT, 95, and 98 systems, and recommends fixes for those vulnerabilities. A popular feature of this product is a built-in AutoSync that seamlessly updates WebTrends Security Analyzer with the latest security tests, for the most complete and current vulnerability analysis available. The product's HTML output is said to be the cleanest and most legible on the market today.



In North America, WebTrends Security Analyzer can be evaluated at www.webtrends.com/.

Nmap



Platform: Linux

According to the author, Fyodor, Nmap (shown in Figure 5.10) is primarily a utility for port scanning large networks, although it works fine for single hosts as well. The guiding philosophy for the creation of nmap was the Perl slogan TMTOWTDI (there's more than one way to do it). Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required; or you may want to scan different protocols (UDP, TCP, ICMP, etc.). You can't do all that with one scanning mode, nor do you want 10 different scanners around, all with different interfaces and capabilities. Thus, nmap incorporates almost every scanning technique known.



Nmap also supports a number of performance and reliability features, such as dynamic delay time calculations, packet time-out and retransmission, parallel port scanning, and detection of down hosts via parallel pings. Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, and output to machine-perusable or human-readable log files.



Nmap can be evaluated on this book's CD.

Figure 5.10 The nmap front end.



SAFEsuite

Platforms: Windows NT, Solaris, Linux



SAFEsuite (Figure 5.11) is a security application that also identifies security "hot spots'' in a network. This complete, global view of enterprise security information consolidates and correlates data from multiple sources to provide information that otherwise would not be available, thereby enabling security staff to make timely and informed security decisions.



SAFEsuite Decisions collects and integrates security information derived from network sources, including Check Point FireWall-1, Network Associates' Gauntlet Firewall, the ISS RealSecure intrusion detection and response system, and the ISS Internet Scanner and System Scanner vulnerability detection systems.



SAFEsuite Decisions automatically correlates and analyzes cross-product data to indicate the security risk profile of the entire enterprise network. For example, vulnerabilities found by the Internet scanner, and intrusion events detected by the SAFEsuite component RealSecure, will be correlated to provide high-value information, indicating both specific hosts on the network that are vulnerable to attack and those that have already been attacked.

SAFEsuite can be evaluated on this book's CD.



Security Administrator's Tool for Analyzing Networks and Its Successor, SAINT



Platforms: Solaris, Linux, IRIX



The Security Administrator's Tool for Analyzing Networks (alias: SATAN) was written by Dan Farmer and Wietse Venema, and is advertised as a tool to help system administrators. According to Muffy Barkocy, a SATAN consultant, the program was developed out of the realization that computer systems are becoming more dependent on the network, and at the same time becoming more vulnerable to attack via that same network. SATAN recognizes and reports several common networking-related security problems, without actually exploiting them. For each type of problem found, SATAN offers a tutorial that explains the problem and its potential impact. The tutorial also explains how to remedy the problem, whether, for example, to correct an error in a configuration file, install a patch or bug fix from the vendor, use other means to restrict access, or simply disable a service.



SATAN collects information that is available to everyone with access to the network. With a properly configured firewall in place, there should be near-zero information accessible by outsiders. Limited research conducted by Muffy found that on networks with more than a few dozen systems, SATAN would inevitably find problems. Keep in mind, however, that the intruder community has been exploiting these problems for a long time.



SATAN was written primarily in Perl and C with some HTML front ends for management and reporting. The kernel is distributed as a compressed tar archive and runs only on UNIX (most flavors are supported). SATAN scans focus on, but are not limited to, the following daemon vulnerabilities:

• NFS

• NIS

• RSH

• Sendmail

• X Server



Within a week of the initial SATAN release, an updated version became available, offering support for more platforms (bsdi, ultrix, dg/ux) and resolving several portability problems (rpcgen, ctime.pl, etc. are now bundled). Also, a large number of minor annoyances were fixed, and the FAQ document has been expanded. SATAN now comes with a vulnerability tutorial that explains how to run SATAN in a secure manner. It explains in detail what today's CERT/CC advisory did not tell, and more.



Using SATAN, hackers, crackers, and phreaks can scan almost every node or network connected to the Internet. UNIX systems are especially vulnerable to SATAN scans, as the intruder follows simple standard attack steps:

1. Obtain access to a system.

2. Obtain administrator or root access on that system.

3. Extend access to other systems.



That said, UNIX administrators need not fret, as there are several monitoring agents available for SATAN detection including Courtney, Gabriel, and many TCP wrappers.



The Security Administrator's Integrated Network Tool



The Security Administrator's Integrated Network Tool (SAINT) is an updated and enhanced version of SATAN, designed to assess the security of computer networks. In its simplest mode, SAINT gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, FTP and TFTP, rexd, statd, and other services. The information gathered includes the presence of various network information services, as well as potential security flaws. SAINT can then either report on this data or use a simple rule-based system to investigate any potential security problems. Users can subsequently examine, query, and analyze the output with an HTML browser, such as Netscape or Lynx. While the program is primarily geared toward analyzing the security implications of the results, a great deal of general network information can be obtained from the tool—network topology, network services running, types of hardware and software being used on the network, and more.



But the real power of SAINT comes into play when used in exploratory mode. Based on the initial data collection and a user-configurable rule set, it will examine the avenues of trust and dependency, and iterate further data collection runs over secondary hosts. This not only allows users to analyze their own network or hosts, but also to examine the implications inherent in network trust and services, and help them make reasonably educated decisions about the security level of the systems involved.



Both SAINT and SATAN can be evaluated on this book's CD or from the following links:



TigerSuite



Platforms: Windows 9x, NT, 2000, OS/2, Mac, LINUX, Solaris



TigerSuite, which consists of a complete suite of security hacking tools, is rated by some as the number-one internetworking security toolbox. In a benchmark comparison conducted by this author between Tiger Tools and other popular commercial discovery/scan software, for a simple 1000-port scan on five systems, Tiger Tools completed an average scan in less than one minute, compared to an average of 35 minutes, with the same results found in both scans. Simply stated, the product's design and development clearly outperform its competitors.

Among others, the product provides the specific security functions described in the following subsections.



TigerSuite is covered in detail in Chapter 12 and is available for evaluation on this book's CD.



The Local Analyzer



The Local Analyzer is a set of tools designed to locally discover, analyze, and assess the system where this product will reside. The tools include:

• Virus/Trojan Analysis

• File Information

• Compare

• Sysinfo

• Resource Exploration

• DBF View/Edit

• DiskInfo

• Copy Master



These tools can be executed on any system within the network and can be utilized as general system tools, but they must reside on the host system that is running the Tiger Tools products. This ensures the system is "clean" and ready for security analysis.



Network Discovery



Network Discovery includes a set of tools that can be run in a network environment to discover, identify, and list all areas of vulnerability within a network. The Network Discovery tool set includes:

• Ping

• Port Scanner

• IP Scanner

• Site Discovery

• Network Port Scanner

• Proxy Scanner

• Trace Route

• Telnet

• NSLookup

• DNS Query

• NetStat

• Finger, Echo

• Time, UDP

• Mail List Verify

• HTTPD Benchmark

• FTP Benchmark



Network Discovery will provide a network professional with an in-depth list of all of the vulnerabilities on the network. He or she can then refer back to the knowledge base in Tiger Tools 2000 InfoBase for recommended actions for vulnerability alleviation.



Tiger Tools Attack

Tiger Tools Attack comprises tools for penetration testing, including:

• Penetrator

• WinNuke

• Mail Bomber

• Bruteforce Generator

• Finger and Sendmail

• Buffer Overload

• Crc files

• Spammer

• HTTP Crack

• FTP Crack

• POP3 Crack

• Socks Crack

• SMB Password Check

• Unix Password Check

• Zip Crack

• Rar Crack

• CGI Check

• Trojan Scan



These tools actually generate numerous different types of attacks, crack attempts, and penetration tests, to determine whether current security policies are adequate or have been implemented correctly. This information will help the network professionals know what additional steps are required to adequately protect their network.



What'sUp



Platform: Windows



What'sUp Gold (Figure 5.12) provides a variety of real-time views of your network status and alerts you to network problems, remotely by pager or email, before they escalate into expensive downtime events. What'sUp Gold's superior graphical interface helps you create network maps, add devices, specify services to be monitored, and configure alerts. The What'sUp scan tool is a simple, point-and-click scanner for IP addresses and ports. Also, the tools menu provides access to a selected set of network tools that may be used to diagnose network problems. They include:



Info. Displays summary information about a network host or device, including the official hostname, IP address, and contact information (from the Whois database).

Time. Queries multiple time servers; also synchronizes your local system clock.

HTML. Queries a Web address and displays full header information and page data.

Ping. Sends a set number of ICMP echo requests to the specified IP address, and displays the network response time (in milliseconds) on the screen.

TraceRoute. Displays the actual network path that an ICMP echo request takes to arrive at a destination, along with the difference from the previous time.

Lookup. Provides access to the name-resolving functions in a user's stack. Users can enter an IP address and get back the official name of the system, or they can enter a name and get back the IP address.

Finger. Queries a host by using the finger protocol. Users enter a hostname to see which other users are currently logged on.

Whois. Looks up network or user information from various network information providers.

LDAP. Displays users' names and email addresses on an LDAP-supported host.

Quote. Displays a "quote of the day" from a remote host that supports a Quote server.

Scan. Scans a specified range of IP addresses for attached network elements, and optionally maps results. A scan can also identify network services (e.g., SMTP, FTP, HTTP, Telnet, etc.) that may be available on a system.

SNMP. Displays network configuration and status information from a remote host that supports the SNMP protocol.

WinNet. Provides users information about their local network. Users can choose the type of network items they want to display from a drop-down list.

Throughput. Verifies the throughput of a network connection by sending a specified number of packets of increasing size to a remote host.

In North America, What'sUp can be evaluated at www.ipswitch.com/.



Sample Scan



Earlier in this chapter, we performed a target discovery (during which we unearthed a network address), and now that we have accumulated the right tools, we're ready to perform a site scan. During this phase, we will scan only to discover active addresses and their open ports. Hackers would not spend a lot of time doing penetration scanning and vulnerability testing, as that could lead to their own detection.



A standard target site scan would begin with the assumption that the network is a full Class C (for a review of subnets, refer back to Chapter 1 and the appendixes in the back of this book). Thus, we'll set the scanner for an address range of 206.0.126.1 through 206.0.126.254, and 24 bits in the mask, or 255.255.255.0, to accommodate our earlier DNS discovery findings:



www    www.xyzinc.com    206.0.126.10
mail   mail.xyzinc.com   206.0.126.11
ftp    ftp.xyzinc.com    206.0.126.12



For the first pass, and for maximum scanning speed, we'll scan ports 1 to 1000 (most of the well-known ports):

The remaining addresses are evidently dynamically assigned virtual addresses, probably via network address translation (NAT) in a firewall or router. As you will notice, these addresses differ slightly in the second scan. The absence of active ports, as well as the address difference, is an indication that these are internal users browsing the Internet.



NAT is the process of converting between IP addresses used within an internal network or other private network (called a subdomain) and legally provisioned IP addresses. Administrators use NAT for reasons such as security, monitoring, control, and conversion, to avoid having to modify previously assigned addresses to legal Internet addresses.



Let's further investigate our key target addresses and define each of the open ports:



206.0.126.1:23, 161, 162

Port 23: Telnet. A daemon that provides access and administration of a remote computer over the network or Internet. To more efficiently attack the system, a hacker can use information given by the telnet service.

Port 161/162: SNMP. Many administrators allow read/write attributes bound to these ports, usually with the default community name or one exceptionally easy to decode. We would presume this particular address is bound to an outside interface of a router. Administrators commonly use .1 of an address pool for the router. Also, the only active port is the telnet port for remote administration. In later chapters, we will perform a detailed, penetrating scan to further analyze this address. Some hackers will simply use some ISP account and test the address via telnet, for
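As an added, defender-side example (not part of the chapter), the following Python code reads scan results in the address:port form used above, derives the /24 the chapter assumes from the observed hosts, compares each host's open ports against a baseline of what it is expected to expose, and reports the drift, attaching the chapter's own concerns about telnet and SNMP. The scan lines, the baseline, and the mapping from DNS roles to expected ports are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, Set

# Constructed scan result lines in the "address:port, port" form used above.
SAMPLE_SCAN = """\
206.0.126.1:23, 161, 162
206.0.126.10:80
206.0.126.11:25, 110
206.0.126.12:21, 23
"""

# Hypothetical baseline (an assumption): what each host is meant to expose,
# taken from its DNS role. The router at .1 is expected to expose nothing.
BASELINE: Dict[str, Set[int]] = {
    "206.0.126.1": set(),
    "206.0.126.10": {80},        # www
    "206.0.126.11": {25, 110},   # mail
    "206.0.126.12": {21},        # ftp
}

# The chapter's own concerns about particular services reachable from outside.
RISK_NOTES: Dict[int, str] = {
    23: "telnet: remote administration reachable from the Internet",
    161: "snmp: read/write often bound with a default community name",
    162: "snmp-trap: read/write often bound with a default community name",
}

LINE_RE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3}):(?P<ports>[\d,\s]+)$")


def parse_scan(text: str) -> Dict[str, Set[int]]:
    """Parse 'ip:port, port, ...' lines into {ip: {ports}}."""
    observed: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        observed[m["ip"]] = {int(p) for p in m["ports"].split(",") if p.strip()}
    return observed


def scanned_network(observed: Dict[str, Set[int]]) -> str:
    """The Class C (/24) the chapter assumes, derived from the observed hosts."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in observed}
    if len(nets) != 1:
        raise ValueError(f"hosts span several /24s: {sorted(map(str, nets))}")
    return str(nets.pop())


def exposure_drift(observed: Dict[str, Set[int]],
                   baseline: Dict[str, Set[int]]) -> Dict[str, Dict[int, str]]:
    """Ports open beyond the baseline, per host, each with a note (the chapter's
    note where it has one, a generic one otherwise). Hosts absent from the
    baseline are reported in full, since nothing about them was expected."""
    findings: Dict[str, Dict[int, str]] = {}
    for ip, ports in observed.items():
        unexpected = ports - baseline.get(ip, set())
        if unexpected:
            findings[ip] = {p: RISK_NOTES.get(p, "not in baseline")
                            for p in sorted(unexpected)}
    return findings


if __name__ == "__main__":
    obs = parse_scan(SAMPLE_SCAN)
    print("scanned", scanned_network(obs))
    for ip, notes in exposure_drift(obs, BASELINE).items():
        for port, note in notes.items():
            print(f"{ip}:{port}  {note}")
```

Run against the constructed results, the router at .1 is reported for all three of its ports and the FTP host for the telnet port it should not expose; re-running the comparison after each external scan is what turns a one-off site scan into a standing exposure check.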
