
Case Study

This case study chains together several of the techniques covered in the chapter to perform a successful scan of a network. It follows Evil Jimmy the Hacker as he scans a small company called Little Company Network (LCN). He uses DNS and WHOIS to gather information before moving on to NMap for port scanning and OS fingerprinting, the raw material for his diagram of the network.

The scene is set as LCN rejects Evil Jimmy for a position. He is skilled in penetration testing, and because LCN obviously did not even read to the end of his résumé, Jimmy plans to make use of his skills in an unauthorized manner. Jimmy knows the domain name of his target, LCN.com, so he plugs his laptop into the wall and begins his attack. Knowing that preparation is vital to a successful outcome, Jimmy starts by making a plan and gathering his tools. The following steps illustrate the execution.

  1. Evil Jimmy heads straight for the company website and uses the Wget tool to download the entire website. He can later browse this information at his leisure to look for e-mail addresses, address information, and any other details about the company that might later prove useful.
  2. Evil Jimmy uses SamSpade to look up the WHOIS record for the domain, which shows the company address, administrative and technical contacts, name servers, and the dates the registration was created and expires. The following example displays the output from SamSpade.
      Registrant:
      LITTLE COMPANY NETWORK
         100 NW JOHN OLSEN PLACE
         HILLSBORO, OR 97123
         US
         Domain Name: LCN.COM
         Administrative Contact, Technical Contact:
            Little Company Network jbates@LCN.COM
            100 NW JOHN OLSEN PL
            HILLSBORO, OR 97123
            US
            503-123-5555 fax: - 503-123-5555
    
        Record expires on 11-Apr-2005.
        Record created on 10-Apr-1997.
        Database last updated on 20-Mar-2005 17:16:56 EST.
    
        Domain servers in listed order:
    
           NS1.SECURESERVERS.NET
           NS2.SECURESERVERS.NET
  3. Using his Visual Route tool, Jimmy gets a general idea of where the web server is. As Figure 5-30 shows, the web server is in Seattle, Washington, so the address in Oregon is probably the office address, with the web server hosted elsewhere in Washington.

    Figure 5-30 Visual Route Results

  4. Armed with company address information, Evil Jimmy drives right over to the company office and plugs into the network to do a little scanning. (In the real world, this might or might not take place, but for the example, it works great.)
  5. Now that Jimmy has local network access, he can ping sweep the network. Using Pinger, Jimmy discovers several computers across the network. Figure 5-31 displays the computers on the network that respond to ICMP echo requests.

    Figure 5-31 Pinger Results

  6. Next, Jimmy port scans the discovered computers to enumerate which services are listening on each one, and adds the NMap -O switch to fingerprint the operating system. The target list 192.168.200.21,100 tells NMap to scan both .21 and .100; -sS is a TCP SYN (half-open) scan, and both -sS and -O need administrator privileges because they craft raw packets. The following example shows the output:
      C:\>NMap -sS -O 192.168.200.21,100
    
      Starting NMap 3.81 ( http://www.insecure.org/NMap ) at 2005-03-21 21:07 GMT Standard Time
      Interesting ports on Desk1 (192.168.200.21):
      (The 1658 ports scanned but not shown below are in state: closed)
      PORT     STATE SERVICE
      21/tcp   open  ftp
      25/tcp   open  smtp
      135/tcp  open  msrpc
      139/tcp  open  netbios-ssn
      5713/tcp open  proshareaudio
      MAC Address: 08:00:46:F3:14:72
      Device type: general purpose
      Running: Microsoft Windows NT/2K/XP
      OS details: Microsoft Windows XP SP2
    
      Interesting ports on WEB1 (192.168.200.100):
      (The 1652 ports scanned but not shown below are in state: closed)
      PORT     STATE SERVICE
      23/tcp   open  telnet
      53/tcp   open  domain
      135/tcp  open  msrpc
      139/tcp  open  netbios-ssn
      445/tcp  open  microsoft-ds
      1025/tcp open  NFS-or-IIS
      1026/tcp open  LSA-or-nterm
      1029/tcp open  ms-lsa
      1031/tcp open  iad2
      1433/tcp open  ms-sql-s
      1434/tcp open  ms-sql-m
      MAC Address: 00:50:56:EE:EE:EE
      Device type: general purpose
      Running: Microsoft Windows 2003/.NET|NT/2K/XP
      OS details: Microsoft Windows 2003 Server or XP SP2
    
      NMap finished: 2 IP addresses (2 hosts up) scanned in 3.203 seconds
          
          
  7. Jimmy finishes scanning and leaves the building just as the networking team begins searching for the intruder. Fortunately for Jimmy, it took the team several minutes to notice the scan, and only then could they start looking for him. A ping sweep followed by a SYN scan of more than 1,600 ports per host is noisy: an IDS or a firewall log monitor watching for one source touching many ports or many hosts in a short window would have flagged it within seconds.
  8. Back in the comfort of his home, Evil Jimmy starts to collate the information into an easy-to-read diagram that displays computer addresses, services open, and operating systems on each.
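The collation in step 8 can be done mechanically. The following is an added example, not code from the book or from the Nmap project: it parses the default "normal" output that NMap 3.x prints, as shown in step 6, into one record per host (address, hostname, open ports with service names, MAC address and OS guess) and emits one inventory line per host for the diagram. NMAP_OUTPUT is a constructed sample built from the scan output on the page, and the function names are this example's own.

```python
"""Collate NMap normal output into a per-host inventory (added example)."""
import re

# Constructed sample: the two hosts from step 6, in the order NMap prints them.
NMAP_OUTPUT = """\
Starting NMap 3.81 ( http://www.insecure.org/NMap ) at 2005-03-21 21:07 GMT Standard Time
Interesting ports on Desk1 (192.168.200.21):
(The 1658 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
5713/tcp open  proshareaudio
MAC Address: 08:00:46:F3:14:72
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP SP2

Interesting ports on WEB1 (192.168.200.100):
(The 1652 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
23/tcp   open  telnet
53/tcp   open  domain
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1029/tcp open  ms-lsa
1031/tcp open  iad2
1433/tcp open  ms-sql-s
1434/tcp open  ms-sql-m
MAC Address: 00:50:56:EE:EE:EE
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2

NMap finished: 2 IP addresses (2 hosts up) scanned in 3.203 seconds
"""

# "Interesting ports on NAME (IP):" when reverse DNS resolves, otherwise "... on IP:".
HOST_RE = re.compile(r"^Interesting ports on (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<bare_ip>[\d.]+)):$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})")
OS_RE = re.compile(r"^OS details: (?P<os>.+)$")


def parse_nmap_output(text):
    """Return a list of host dicts in scan order; only open ports are kept."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {
                "ip": m.group("ip") or m.group("bare_ip"),
                "name": m.group("name") or "",
                "ports": [],   # (port, proto, service) tuples
                "mac": None,
                "os": None,
            }
            hosts.append(current)
            continue
        if current is None:
            continue   # banner lines before the first host block
        if m := PORT_RE.match(line):
            if m.group("state") == "open":
                current["ports"].append((int(m.group("port")), m.group("proto"), m.group("service")))
        elif m := MAC_RE.match(line):
            current["mac"] = m.group("mac").upper()
        elif m := OS_RE.match(line):
            current["os"] = m.group("os")
    return hosts


def inventory_lines(hosts):
    """One line per host: the label, OS guess and open services for the diagram."""
    out = []
    for h in hosts:
        services = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in h["ports"])
        label = f"{h['ip']} ({h['name']})" if h["name"] else h["ip"]
        out.append(f"{label} [{h['os'] or 'OS unknown'}]: {services}")
    return out


if __name__ == "__main__":
    for entry in inventory_lines(parse_nmap_output(NMAP_OUTPUT)):
        print(entry)
```

Feed it the saved output of a real scan instead of NMAP_OUTPUT to get the same inventory; hosts that NMap lists without a hostname are handled by the second alternative in HOST_RE.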

As you can see, collecting information about a company and its network is easy, fun, and relatively quick.
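The networking team in step 7 took several minutes to notice the scan. The following is an added example, not from the book, of the check that would have caught it faster: it reads connection-attempt log lines and alerts when one source pings many hosts (a ping sweep) or sends SYNs to many ports on one host (a port scan) inside a short window. The log format, the scanner address 192.168.200.77, the thresholds and the window length are all assumptions made for this example, and constructed_log() builds a constructed sample rather than reading real logs.

```python
"""Detect a ping sweep and a port scan in connection logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "YYYY-MM-DD HH:MM:SS SRC -> DST tcp/PORT SYN" or "... SRC -> DST icmp echo".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?:tcp/(?P<port>\d+) SYN|icmp echo)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port) or None; port is None for an ICMP echo."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    port = int(m.group("port")) if m.group("port") else None
    return ts, m.group("src"), m.group("dst"), port


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=5):
    """Return sorted (kind, src, target, count) alerts, one per offending source/target."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev[1]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        for i, (ts, _, dst, port) in enumerate(events):
            # Everything this source did in the window ending at the current event.
            recent = [e for e in events[: i + 1] if e[0] >= ts - window]
            if port is not None:
                ports = {e[3] for e in recent if e[2] == dst and e[3] is not None}
                if len(ports) >= port_threshold:
                    key = ("port-scan", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            else:
                hosts = {e[2] for e in recent if e[3] is None}
                if len(hosts) >= host_threshold:
                    key = ("ping-sweep", src, "*")
                    alerts[key] = max(alerts.get(key, 0), len(hosts))
    return sorted((k, s, t, n) for (k, s, t), n in alerts.items())


def constructed_log():
    """Constructed sample: the assumed attacker at .77 pings .1-.8, then SYN-scans
    20 ports on Desk1 (.21); a workstation at .30 makes normal web requests to WEB1."""
    t0 = datetime(2005, 3, 21, 21, 5, 0)
    lines = []
    for i in range(1, 9):
        t = t0 + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 192.168.200.77 -> 192.168.200.{i} icmp echo")
    scanned = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
               443, 445, 1025, 1433, 1434, 3306, 3389, 5713, 8080, 8443]
    for j, port in enumerate(scanned):
        t = t0 + timedelta(seconds=30 + j)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 192.168.200.77 -> 192.168.200.21 tcp/{port} SYN")
    for k in range(3):
        t = t0 + timedelta(minutes=k)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 192.168.200.30 -> 192.168.200.100 tcp/80 SYN")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

The thresholds trade false positives against detection speed: a real SYN scan of 1,600 ports trips the port threshold within the first second, while the workstation's repeated requests to a single port on one server never do.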
