Penetration Testing mailing list archives

Re: Difficulties in Network Mapping & port scanning


From: Pete Herzog <lists () isecom org>
Date: Wed, 04 Jan 2006 15:06:00 +0100

David,

> I guess I'm looking for "I have used this technique in the past with some success" type of reply rather than "this might work". Thanks for anyone who takes the time to reply.

I have used the OSSTMM for this and it works.

Proper enumeration is something ISECOM has been teaching in the OPST (www.opst.org) since its work as ideahamster, the inspiration for improved network scanning hence Unicornscan (www.unicornscan.org), and a fundamental part of the OSSTMM 3.0 (www.osstmm.org).

Analysis of the tests requires the correlation of information you get from OSSTMM tests. You need to verify that each port you test is for a valid service. Many port scanners will reply with OPEN/CLOSED/FILTERED. But relying on that simplified model will force the scanner to tell you lies. You need to understand what evidence you get from the scan in what ways to give a reasonable analysis. Unlike pen-testing where the goal is the end, the security test requires the means to be the goal for a factual end result.

It's basically: construct packet, record construct, send packets, and record response. Modify and retry. Correlate.

Most importantly, what to note is responding target, protocol, port if applicable, TTL, and any buffer text.

What you need to find is services and while some networks will let you take the broadsword approach, modern, secure networks, require the scalpel because what you need to be sure of is that there is a service behind the port and you can't rely on SYN/ACKs to know this. You can expect even TCP services will be as elusive as UDP in the near future for security reasons.

Now, the quick answer: Look to technique and not tools. First, know what your network can reliably carry for your tests (read logistics and controls). Then do some sample ports on various targets to see what kinds of responses you get for UDP/TCP/ICMP. Vary the sending and target ports, flag types, the packet size, and in the case of ICMP, try non-standard, even unused, types and codes. For the various IPs, note what IP address is the responder, the distance from the gateway router in hops, patterns, and inconsistencies. You may get lucky and have a dumb network that just throws replies back at you without interferences. Verify replies by attaching with the appropriate protocol. For example, if you have a syn/ack for port 80, use a web browser to see if port 80 is running a web service. Same with other protocols. Correlate the data to see if either sending patterns or replies represent actual discovered services in any way or if there are services running on non-standard ports. Once you find services, you can approach the rest of the test in the same, methodical manner, including the determination of other available services on other ports.

The TTLs in any replies along with traceroutes to the discovered services using the right port/protocol will help you map the network. It will also help you determine forwarded ports or PAT, use of NAT, or any other perimeter info. Even fingerprinting tools provide interesting info, not in the traditional "what is the OS" way but to determine the information (patterns) which gets through the secure perimeter and allows one to enumerate and separate.

Anyway, most of this stuff you can learn in an OPST class. We'd be happy to see you there!

Sincerely,
-pete.
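The verification and correlation steps Pete describes (complete the handshake, then speak the expected protocol; record responder, protocol, port, TTL and banner; correlate across targets for inconsistent TTLs, mismatched responders and open-but-silent ports) can be put into a small evidence-driven checker. The following is an added example, not code from the post, from ISECOM or from the OSSTMM; the probe payloads, the `Evidence` record layout, the finding labels and the sample records in the `__main__` block are constructed for illustration. TTL capture is assumed to come from whatever packet capture or raw-socket tool you already run alongside the probe, since a plain stream socket does not expose it.

```python
"""Evidence-driven port verification and correlation (added example).

A SYN/ACK is only a hint. Each record below is what the post says to keep:
responder, protocol, port, TTL and any buffer text, plus a verdict on
whether the expected protocol actually answered.
"""
import re
import socket
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Evidence:
    target: str            # address we sent to
    responder: str         # address that actually answered
    proto: str             # "tcp", "udp" or "icmp"
    port: Optional[int]
    ttl: Optional[int]     # filled in from a capture tool (assumption), may be None
    banner: bytes = b""    # buffer text received, if any
    verdict: str = "unknown"

# Hypothetical application-layer probes: payload to send (None = just listen)
# and the reply pattern that proves the port carries that service.
PROBES = {
    80: (b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n", rb"^HTTP/\d\.\d \d{3}"),
    22: (None, rb"^SSH-\d\.\d"),
    25: (None, rb"^220[ -]"),
}

def classify(port, banner):
    """'verified' if the expected protocol spoke, 'silent' if nothing came
    back after the handshake, 'unexpected' for any other buffer text."""
    if not banner:
        return "silent"
    _, pattern = PROBES.get(port, (None, None))
    if pattern is None or not re.match(pattern, banner):
        return "unexpected"
    return "verified"

def verify_tcp(host, port, timeout=3.0):
    """Complete the handshake, then try to talk the protocol expected on port."""
    payload, _ = PROBES.get(port, (None, None))
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            responder = s.getpeername()[0]
            if payload:
                s.sendall(payload)
            try:
                banner = s.recv(512)
            except socket.timeout:
                banner = b""
    except OSError:
        return Evidence(host, host, "tcp", port, None, b"", "closed")
    return Evidence(host, responder, "tcp", port, None, banner, classify(port, banner))

def correlate(records):
    """Flag the inconsistencies the post tells you to look for, per target."""
    findings = []
    by_target = defaultdict(list)
    for ev in records:
        by_target[ev.target].append(ev)
    for target, evs in by_target.items():
        responders = {e.responder for e in evs}
        if responders - {target}:          # someone else answered (NAT/PAT/proxy?)
            findings.append((target, "responder-mismatch", sorted(responders)))
        ttls = {e.ttl for e in evs if e.ttl is not None}
        if len(ttls) > 1:                  # different hop counts per port: forwarding?
            findings.append((target, "ttl-inconsistent", sorted(ttls)))
        for e in evs:
            if e.proto == "tcp" and e.verdict == "silent":
                findings.append((target, "open-but-silent", e.port))
    return findings

if __name__ == "__main__":
    # Constructed records standing in for a real collection run.
    sample = [
        Evidence("10.0.0.5", "10.0.0.5", "tcp", 80, 63, b"HTTP/1.1 200 OK\r\n", "verified"),
        Evidence("10.0.0.5", "10.0.0.5", "tcp", 8080, 60, b"", "silent"),
        Evidence("10.0.0.6", "10.0.0.1", "tcp", 25, 64, b"220 mail ready\r\n", "verified"),
    ]
    for finding in correlate(sample):
        print(finding)
```

`verify_tcp` is the "attach with the appropriate protocol" step for one port; `correlate` is meant to run over every record you collected, including those whose TTL came from a capture. A port that completes the handshake but stays silent is not counted as a service until something else confirms it.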


