April 22, 2012

My auditing experience.

   Recently my company fired the previous administrator and asked me to do a network security audit. At home I installed nmap + Zenmap on my Ubuntu as a first step. I was desperate to check the open ports without being logged by the firewall (Kerio). I used:

nmap -sS -PN -T2 -p 1-5000 victim_ip

   As for me, I prefer -T2 so as not to be logged (on Monday I will check my idea); -sS is a SYN scan that never completes a full TCP connection (as far as I know there are IDS rules that detect this type of scan, but they are not that common); -PN (now written -Pn in current nmap releases, the old spelling is still accepted) skips host discovery, because many administrators block all ICMP replies from their servers. nmap showed that all ports were filtered except 21, which is FTP. From a public computer I connected to it with a web browser. Another surprise was that the FTP server allowed anonymous login.

   During my googling I found interesting, old information about the FTP bounce attack. Briefly, nmap's -b option lets you scan ports on a target through an existing FTP server: nmap logs in (anonymously by default), sends a PORT command naming the target's IP address and port, and then requests a transfer (LIST). The FTP server itself tries to open the data connection to that address, and its reply to the transfer request tells nmap whether the port is open: a 425 "can't build data connection" reply means closed, a 150/226 reply means the connection succeeded. Since the connection originates from the FTP server, it passes through any firewall rule that trusts that server, and it can even reach ports on the FTP host itself that are filtered from outside. The caveat is that most current FTP servers (vsftpd and ProFTPD in their default configuration, for example) refuse a PORT command that names a host other than the client's own address or a privileged port, in which case nmap reports that the server does not allow bouncing.
   I used the open FTP port as the relay and tried to find out which ports were open on the same server. I ran nmap like this:
nmap -T2 -PN -p 1-65535 -b victim_ftp_server victim_server
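
To make the exchange concrete, here is an added example in Python (my own code, not from the original post and not nmap's implementation): a constructed stand-in FTP server on loopback that honours PORT to any host, a minimal scanner that does over the control channel what nmap -b does, and the server-side policy check (`port_allowed`) that a patched FTP daemon applies. All addresses, reply texts and the `run_demo` scenario (two loopback ports, one listening and one closed, scanned through the mock server) are constructed for the example.

```python
import socket
import threading

def port_allowed(peer_ip, host, port, allow_third_party):
    """PORT policy: True is bounce-prone; the fix connects back only to the
    requesting client, and only to an unprivileged port."""
    return allow_third_party or (host == peer_ip and port >= 1024)

class MockFtpServer(threading.Thread):
    """Constructed anonymous FTP daemon on loopback (not a real server): just
    enough RFC 959 (USER, PORT, LIST, QUIT) to be bounced off."""

    def __init__(self, allow_third_party):
        super().__init__(daemon=True)
        self.allow_third_party = allow_third_party
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.addr = self.sock.getsockname()      # (ip, port) clients connect to

    def run(self):
        while True:
            self._session(*self.sock.accept())

    def _session(self, conn, peer):
        target = None
        conn.sendall(b"220 constructed ftp ready\r\n")
        for raw in conn.makefile("rb"):
            cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":                    # anonymous login, no password asked
                conn.sendall(b"230 anonymous login ok\r\n")
            elif cmd == "PORT":                  # PORT h1,h2,h3,h4,p1,p2
                n = [int(x) for x in arg.split(",")]
                host, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
                if not port_allowed(peer[0], host, port, self.allow_third_party):
                    conn.sendall(b"500 PORT to a third-party host refused\r\n")
                    continue
                target = (host, port)
                conn.sendall(b"200 PORT command successful\r\n")
            elif cmd == "LIST" and target:
                try:   # the bounce: the FTP server, not the scanner, connects to the victim
                    socket.create_connection(target, timeout=2).close()
                    conn.sendall(b"150 opening data connection\r\n226 transfer complete\r\n")
                except OSError:
                    conn.sendall(b"425 can't build data connection\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
        conn.close()

def _final_reply(rfile):
    """Code of the next final reply: skips 1xx preliminaries and 'ddd-' continuation lines."""
    while True:
        line = rfile.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("control connection closed")
        if line[:3].isdigit() and line[3:4] == " " and line[0] != "1":
            return int(line[:3])

def ftp_bounce_scan(ftp_addr, target_ip, ports, user="anonymous", password="nmap@"):
    """What nmap -b does on the control channel: PORT names the victim, LIST makes
    the FTP server connect there, and the reply code reveals open or closed."""
    results = {}
    with socket.create_connection(ftp_addr, timeout=5) as ctrl:
        rfile = ctrl.makefile("rb")
        _final_reply(rfile)                                  # 220 banner
        ctrl.sendall(f"USER {user}\r\n".encode())
        if _final_reply(rfile) == 331:                       # password wanted
            ctrl.sendall(f"PASS {password}\r\n".encode())
            if _final_reply(rfile) != 230:
                raise PermissionError("anonymous login refused")
        for port in ports:
            arg = ",".join(target_ip.split(".") + [str(port >> 8), str(port & 0xFF)])
            ctrl.sendall(f"PORT {arg}\r\n".encode())
            if _final_reply(rfile) != 200:
                results[port] = "bounce-refused"             # server will not relay
                continue
            ctrl.sendall(b"LIST\r\n")
            results[port] = {226: "open", 425: "closed"}.get(_final_reply(rfile), "unknown")
        ctrl.sendall(b"QUIT\r\n")
    return results

def run_demo():
    """Loopback run through the bounce-prone server: returns (open_port, closed_port, results)."""
    victim = socket.socket()
    victim.bind(("127.0.0.1", 0))
    victim.listen(1)
    open_port = victim.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                                            # nothing listens here any more
    server = MockFtpServer(allow_third_party=True)
    server.start()
    results = ftp_bounce_scan(server.addr, "127.0.0.1", [open_port, closed_port])
    victim.close()
    return open_port, closed_port, results
```

Calling `run_demo()` reports the listening port as open and the other as closed although the scanner itself never connected to either; the only packets the victim ports see come from the FTP server. Against `MockFtpServer(allow_third_party=False)`, a PORT naming any address other than the scanner's own (which is what every real bounce needs) is refused with a 5xx reply and the scanner records bounce-refused, the failure mode you will most often meet against a current FTP daemon.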

I think I will have the results by morning, and now I'm going to look for tools for the next steps.
