Re: [fw-wiz] scanning...

From: Jim MacLeod (jmacleod_at_gmail.com)
Date: 11/06/05

    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Sun, 06 Nov 2005 10:51:27 -0800


    Paul D. Robertson wrote:

    >On Wed, 2 Nov 2005, Brian Loe wrote:
    >
    >
    >
    >>Let me ask all of you a fairly generic question that should garner
    >>lots of different ideas. Let us say that you have gone to work for a
    >>new company as a network admin. It is a fairly complex network with
    >>multiple routers, switches and firewalls (a firewall for every router,
    >>let's say). The current network team has no formal training and have
    >>done all of their learning on the job, following a contracting company
    >>who was paid to initially setup the network.
    >>
    >>Okay, so how would you go about mapping out this network? You don't
    >>
    >>
    >
    >1. Have the current staff draw diagrams as they understand the network.
    >2. Chase as many wires as you can, documenting what's connected where.
    >3. Put switches into mirroring mode and sniff for addresses (IP and MAC)
    >and scan the ranges you sniffed (IP and MAC.)
    >4. While you're on each switch, actively scan using whatever you're
    >comfortable with.
    >5. Cheops-ng isn't too bad a place to start.
    >6. If you have Windows boxes, use WMI to enumerate systems/interfaces.
    >7. If someone has SNMP enabled on stuff use that to enumerate stuff.
    >8. Scan broadcast addresses for things which will answer to global
    >ethernet or IP broadcast addresses, then natural subnet broadcast
    >addresses.
    >9. Get MAC addresses off the switches, if the switches don't do that,
    >then swap them out.
    >
    >Paul
    >-----------------------------------------------------------------------------
    >Paul D. Robertson "My statements in this message are personal opinions
    >paul@compuwar.net which may have no basis whatsoever in fact."
    >fora.compuwar.net Infosec discussion boards
    >
    >
    If I could add a few things:

    Don't forget DNS domain map and DHCP static map configs. In an
    "organically grown" network, named devices and statically addressed
    devices tend to be somewhat interesting.

    Beyond mapping addresses, map traffic flow. Which clients are
    connecting to which servers, on what ports? Look at the logs on any
    transit devices that'll give 'em to you: firewalls, routers, switches.
    Packet dump if you have to. Also use netstat to give you insight into
    what processes are bound to those ports. On windows, 'netstat -nabv'.
    On *nix, 'netstat -nap'.

    Pull the routing table off each router, then find someone who likes
    jigsaw puzzles.

    Pull the policy from every firewall, then get current staff to justify
    each static map and every open port.

    Cheers,
    -Jim
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
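
The two steps Jim describes, pulling `netstat -nap` off a host and the connection logs off the transit firewall, are most useful when you line them up against each other. The script below is an added example (my code, not Jim's or Paul's and not from the list) that does that correlation offline: it parses a constructed Linux `netstat -nap` listing and a constructed set of iptables-style `LOG` lines, then reports for each bound port which program owns it, which clients the firewall saw reach it, which clients the host saw that never appeared in the firewall log (traffic on the same segment that bypasses the transit device, or a logging gap), what was denied, and which listeners nobody is talking to, which is exactly the list you hand the current staff to justify. All addresses, hostnames and the `FW-ACCEPT`/`FW-DROP` log prefixes are hypothetical; the log lines are simplified relative to what a real kernel emits, and the regex tolerates extra fields between `DST=` and `DPT=`.

```python
import re
from collections import Counter, defaultdict

# Constructed `netstat -nap` output from a hypothetical server 10.1.5.20.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      600/rpcbind
tcp        0      0 10.1.5.20:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 10.1.5.20:3306          10.1.7.31:49822         ESTABLISHED 1044/mysqld
tcp        0      0 10.1.5.20:3306          10.1.7.32:50110         ESTABLISHED 1044/mysqld
tcp        0      0 10.1.5.20:3306          10.1.5.21:41200         ESTABLISHED 1044/mysqld
tcp        0      0 10.1.5.20:22            10.1.1.5:55012          ESTABLISHED 2201/sshd: admin
udp        0      0 0.0.0.0:161             0.0.0.0:*                           955/snmpd
"""

# Constructed iptables LOG lines from a hypothetical transit firewall "fw1".
# The FW-ACCEPT / FW-DROP prefixes are assumed to come from --log-prefix.
FWLOG_SAMPLE = """\
Nov  6 10:51:01 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.1.7.31 DST=10.1.5.20 PROTO=TCP SPT=49822 DPT=3306
Nov  6 10:51:02 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.1.7.32 DST=10.1.5.20 PROTO=TCP SPT=50110 DPT=3306
Nov  6 10:51:03 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.1.7.31 DST=10.1.5.20 PROTO=TCP SPT=49823 DPT=3306
Nov  6 10:51:04 fw1 kernel: FW-DROP IN=eth1 OUT=eth0 SRC=10.1.7.99 DST=10.1.5.20 PROTO=TCP SPT=40000 DPT=23
Nov  6 10:51:05 fw1 kernel: FW-ACCEPT IN=eth2 OUT=eth0 SRC=10.1.1.5 DST=10.1.5.20 PROTO=TCP SPT=55012 DPT=22
Nov  6 10:51:06 fw1 kernel: FW-ACCEPT IN=eth2 OUT=eth0 SRC=10.1.1.5 DST=10.1.5.20 PROTO=UDP SPT=5000 DPT=161
"""

# proto, local ip, local port, foreign ip, foreign port, optional state, pid, program
NETSTAT_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)/(.+)$")
FWLOG_RE = re.compile(
    r"kernel: (?P<action>FW-\w+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")


def parse_netstat(text):
    """Return ({(proto, port): program}, [(peer_ip, proto, local_port, program)])."""
    listeners, conns = {}, []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _lip, lport, rip, rport, _state, _pid, prog = m.groups()
        if rip == "0.0.0.0" and rport == "*":      # bound socket with no peer
            listeners[(proto, int(lport))] = prog
        else:
            conns.append((rip, proto, int(lport), prog))
    return listeners, conns


def parse_fwlog(text):
    """Count firewall decisions keyed by (action, src, dst, proto, dport)."""
    flows = Counter()
    for line in text.splitlines():
        m = FWLOG_RE.search(line)
        if m:
            flows[(m["action"], m["src"], m["dst"], m["proto"].lower(), int(m["dpt"]))] += 1
    return flows


def build_flow_map(listeners, conns, flows, host_ip):
    """Correlate what the firewall passed to host_ip with what the host has bound.
    Returns (services, denied, unused_listeners)."""
    services = defaultdict(lambda: {"program": None, "fw_clients": set(),
                                    "host_clients": set(), "hits": 0})
    denied = Counter()
    for (action, src, dst, proto, dport), n in flows.items():
        if dst != host_ip:
            continue
        if action == "FW-ACCEPT":
            svc = services[(proto, dport)]
            svc["program"] = listeners.get((proto, dport))
            svc["fw_clients"].add(src)
            svc["hits"] += n
        else:
            denied[(src, proto, dport)] += n
    # Peers the host itself sees; any not in fw_clients reached it without
    # crossing (or without being logged by) the transit firewall.
    for rip, proto, lport, prog in conns:
        svc = services[(proto, lport)]
        svc["program"] = svc["program"] or prog
        svc["host_clients"].add(rip)
    unused = sorted(k for k in listeners if k not in services)
    return dict(services), dict(denied), unused


def report(services, denied, unused, listeners):
    """Human-readable summary, one line per finding."""
    out = []
    for (proto, port), svc in sorted(services.items()):
        bypass = svc["host_clients"] - svc["fw_clients"]
        line = (f"{proto}/{port} ({svc['program'] or '?'}): "
                f"{len(svc['fw_clients'])} client(s) via fw, {svc['hits']} hit(s)")
        if bypass:
            line += f"; seen on host but NOT in fw log: {sorted(bypass)}"
        out.append(line)
    for (src, proto, port), n in sorted(denied.items()):
        out.append(f"denied: {src} -> {proto}/{port} x{n}")
    for proto, port in unused:
        out.append(f"listening but no traffic: {proto}/{port} ({listeners[(proto, port)]})")
    return out


if __name__ == "__main__":
    lst, cn = parse_netstat(NETSTAT_SAMPLE)
    fl = parse_fwlog(FWLOG_SAMPLE)
    print("\n".join(report(*build_flow_map(lst, cn, fl, "10.1.5.20"), lst)))
```

Run it per server with that server's own `netstat -nap` and the firewall log filtered to its address; the "seen on host but NOT in fw log" entries are the ones to chase first, since they tell you either that a segment is reachable without passing the firewall or that the firewall is not logging what you think it is. The "listening but no traffic" entries (rpcbind here) go straight onto the list of ports the staff have to justify.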

