This case study chains together several of the items learned within the chapter to perform a successful scan of a network. This case study trails Evil Jimmy the Hacker as he scans a small company called Little Company Network (LCN). He uses DNS to gather information before moving onto NMap for some scanning as he attempts to start his diagramming of the network.
The scene is set as LCN rejects Evil Jimmy for a position. He is skilled in penetration testing, and because LCN obviously did not even read to the end of his rèsumè, Jimmy plans to make use of his skills in an unauthorized manner. Jimmy knows the DNS names of his target LCN.com, so he plugs his laptop into the wall and begins his attack. Knowing that preparation is vital to a successful outcome, Jimmy starts by making a plan and gathering his tools. The following steps illustrate the execution.
- Evil Jimmy heads straight for the company website and uses the Wget tool to download the entire website. He can later browse this information at his leisure to look for e-mail addresses, address information, and any other details about the company that might later prove useful.
- Evil Jimmy uses SamSpade to discover the company address, contact, and registration information posted for the website at the time it was created. The following example displays these output details from SamSpade.
Registrant: LITTLE COMPANY NETWORK 100 NW JOHN OLSEN PLACE HILLSBORO, OR 97123 US Domain Name: LCN.COM Administrative Contact, Technical Contact: Little Company Network jbates@LCN.COM 100 NW JOHN OLSEN PL HILLSBORO, OR 97123 US 503-123-5555 fax: - 503-123-5555 Record expires on 11-Apr-2005. Record created on 10-Apr-1997. Database last updated on 20-Mar-2005 17:16:56 EST. Domain servers in listed order: NS1.SECURESERVERS.NET NS2.SECURESERVERS.NET
- Using his Visual Route tool, Jimmy gets a general idea of where the web server is. As Figure 5-30 shows, the web server is in Seattle, Washington, so the address in Oregon is probably the office address with the web server being hosted elsewhere in Washington..
Figure 5-30 Visual Route Results
- Armed with company address information, Evil Jimmy drives right over to the company office and plugs into the network to do a little scanning. (In the real world, this might or might not take place, but for the example, it works great.)
- Now that Jimmy has local network access, he can ping sweep the network. Using Pinger, Jimmy discovers several computers across the network. Figure 5-31 displays the computers on the network that respond to standard ICMP requests.
Figure 5-31 Pinger Results
- Next, Jimmy begins port scanning computers to help enumerate details of which programs are running on each computer. Also, Jimmy uses the NMap –O switch to detect which operation system is running. The following example shows the output information:
C:\>NMap -sS -O 192.168.200.21,100 Interesting ports on Desk1 (192.168.200.21): (The 1658 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 21/tcp open ftp 25/tcp open smtp 135/tcp open msrpc 139/tcp open netbios-ssn 5713/tcp open proshareaudio MAC Address: 08:00:46:F3:14:72 Device type: general purpose Running: Microsoft Windows NT/2K/XP OS details: Microsoft Windows XP SP2 NMap finished: 2 IP addresses (2 hosts up) scanned in 3.203 seconds Starting NMap 3.81 ( http://www.insecure.org/NMap ) at 2005-03-21 21:07 GMT Standard Time Interesting ports on WEB1 (192.168.200.100): (The 1652 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 23/tcp open telnet 53/tcp open domain 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 1026/tcp open LSA-or-nterm 1029/tcp open ms-lsa 1031/tcp open iad2 1433/tcp open ms-sql-s 1434/tcp open ms-sql-m MAC Address: 00:50:56:EE:EE:EE Device type: general purpose Running: Microsoft Windows 2003/.NET|NT/2K/XP OS details: Microsoft Windows 2003 Server or XP SP2
- Jimmy is finished scanning and leaves the building just as the networking team commences the search for the intruder. Fortunately for Jimmy, it took several minutes for the team to detect the scan before they could start searching for the guilty hacker.
- Back in the comfort of his home, Evil Jimmy starts to collate the information into an easy-to-read diagram that displays computer addresses, services open, and operating systems on each.
As you can see, collecting information about a company and its network is easy, fun, and relatively quick.