Firewall Wizards mailing list archives
Re: scanning...
From: Jim MacLeod <jmacleod () gmail com>
Date: Sun, 06 Nov 2005 10:51:27 -0800
Paul D. Robertson wrote:
On Wed, 2 Nov 2005, Brian Loe wrote:Let me ask all of you a fairly generic question that should garner lots of different ideas. Let us say that you have gone to work for a new company as a network admin. It is a fairly complex network with multiple routers, switches and firewalls (a firewall for every router, let's say). The current network team has no formal training and have done all of their learning on the job, following a contracting company who was paid to initially setup the network. Okay, so how would you go about mapping out this network? You don't1. Have the current staff draw diagrams as they understand the network. 2. Chase as many wires as you can, documenting what's connected where.3. Put switches into mirroring mode and sniff for addresses (IP and MAC) and scan the ranges you sniffed (IP and MAC.) 4. While you're on each switch, actively scan using whatever you're comfortalbe with.5. Cheops-ng isn't too bad a place to start. 6. If you have Windows boxes, use WMI to enumerate systems/interfaces. 7. If someone has SNMP enabled on stuff use that to enumerate stuff.8. Scan broadcast addresses for things which will answer to global ethernet or IP broadcast addresses, then natural subnet broadcast addresses. 9. Get MAC addresses off the switches, if the switches don't do that, then swap them out.Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." fora.compuwar.net Infosec discussion boards
If I could add a few things:Don't forget DNS domain map and DHCP static map configs. In an "organically grown" network, named devices and statically addressed devices tend to be somewhat interesting.
Beyond mapping addresses, map traffic flow. Which clients are connecting to which servers, on what ports? Look at the logs on any transit devices that'll give 'em to you: firewalls, routers, switches. Packet dump if you have to. Also use netstat to give you insight into what processes are bound to those ports. On windows, 'netstat -nabv'. On *nix, 'netstat -nap'.
Pull the routing table off each router, then find someone who likes jigsaw puzzles.
Pull the policy from every firewall, then get current staff to justify each static map and every open port.
Cheers, -Jim _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- scanning... Brian Loe (Nov 02)
- RE: scanning... Paul Melson (Nov 02)
- Re: scanning... Brian Loe (Nov 02)
- RE: scanning... Gwendolynn ferch Elydyr (Nov 04)
- Re: scanning... Paul D. Robertson (Nov 06)
- Re: scanning... Jim MacLeod (Nov 06)
- Re: scanning... Oddbjørn Steffensen (Nov 10)
- Re: scanning... Carric Dooley (Nov 16)
- <Possible follow-ups>
- Re: scanning... Hile . William (Nov 02)
- Re: scanning... Julian M D (Nov 04)
- Re: scanning... Brian Loe (Nov 04)
- Re: scanning... Julian M D (Nov 04)
- Re: scanning... Julian M D (Nov 04)
- RE: scanning... Paul Melson (Nov 02)