Re: scanning...

[Jim MacLeod <jmacleod () gmail com>]

Paul D. Robertson wrote:

> On Wed, 2 Nov 2005, Brian Loe wrote:
>
>  
>
> > Let me ask all of you a fairly generic question that should garner
> > lots of different ideas. Let us say that you have gone to work for a
> > new company as a network admin. It is a fairly complex network with
> > multiple routers, switches and firewalls (a firewall for every router,
> > let's say). The current network team has no formal training and have
> > done all of their learning on the job, following a contracting company
> > who was paid to initially setup the network.
> >
> > Okay, so how would you go about mapping out this network? You don't
> >    
>
> 1.  Have the current staff draw diagrams as they understand the network.
> 2.  Chase as many wires as you can, documenting what's connected where.
> 3.  Put switches into mirroring mode and sniff for addresses (IP and MAC) 
> and scan the ranges you sniffed (IP and MAC.)
> 4.  While you're on each switch, actively scan using whatever you're 
> comfortalbe with.
> 5.  Cheops-ng isn't too bad a place to start.
> 6.  If you have Windows boxes, use WMI to enumerate systems/interfaces.
> 7.  If someone has SNMP enabled on stuff use that to enumerate stuff.
> 8.  Scan broadcast addresses for things which will answer to global 
> ethernet or IP broadcast addresses, then natural subnet broadcast 
> addresses.
> 9.  Get MAC addresses off the switches, if the switches don't do that, 
> then swap them out.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> paul () compuwar net       which may have no basis whatsoever in fact."
> fora.compuwar.net      Infosec discussion boards
>  
If I could add a few things:

Don't forget DNS domain map and DHCP static map configs.  In an 
"organically grown" network, named devices and statically addressed 
devices tend to be somewhat interesting.

Beyond mapping addresses, map traffic flow.  Which clients are 
connecting to which servers, on what ports?  Look at the logs on any 
transit devices that'll give 'em to you: firewalls, routers, switches.  
Packet dump if you have to.  Also use netstat to give you insight into 
what processes are bound to those ports.  On windows, 'netstat -nabv'.  
On *nix, 'netstat -nap'.

Pull the routing table off each router, then find someone who likes 
jigsaw puzzles.

Pull the policy from every firewall, then get current staff to justify 
each static map and every open port.

Cheers,
-Jim
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards