"Competent Analysts will require adequate networking knowledge,
diligent security testing skills, and critical thinking skills to
assure factual data collection creates factual results through
correlation and analysis." - OSSTMM v3
The Network Penetration Test (NPT) aims to verify the security of the systems exposed on the network. It assesses the presence of controls, and their correct implementation, that eliminate or limit the existing threats to the organisation's assets. The activity evaluates a specific scenario that varies with the target, the position of the attackers and the information available to the personnel involved.
A Penetration Test is carried out through various activities, often very delicate and important, and, as clearly stated in the Open Source Security Testing Methodology Manual (OSSTMM), analysts must not only have adequate knowledge of the network and its protocols but also apply critical reasoning in order to collect and correlate information correctly, so as to obtain objective results.
The seminar will introduce the OSSTMM methodology, with particular attention to TCP/IP networks (Data Networks) and to the typical operations for discovering hosts on the network and identifying interactive services.
17. traceroute to isecom.org
# traceroute -n isecom.org
traceroute to isecom.org (216.92.116.13), 64 hops max, 52 byte packets
[...]
16 195.22.192.181 48.888 ms 52.587 ms 49.014 ms
17 89.221.34.50 40.760 ms 37.027 ms 40.741 ms
18 64.210.21.150 180.909 ms 170.083 ms 178.578 ms
19 * * *
20 * * *
18. traceroute to isecom.org
# tcpdump -Sni en0
440701 IP 195.22.192.181 > 10.10.10.10: ICMP time exceeded in-transit, length 36
493212 IP 195.22.192.181 > 10.10.10.10: ICMP time exceeded in-transit, length 36
542222 IP 195.22.192.181 > 10.10.10.10: ICMP time exceeded in-transit, length 36
583138 IP 89.221.34.50 > 10.10.10.10: ICMP time exceeded in-transit, length 36
620053 IP 89.221.34.50 > 10.10.10.10: ICMP time exceeded in-transit, length 36
660844 IP 89.221.34.50 > 10.10.10.10: ICMP time exceeded in-transit, length 36
841862 IP 64.210.21.150 > 10.10.10.10: ICMP time exceeded in-transit, length 36
011975 IP 64.210.21.150 > 10.10.10.10: ICMP time exceeded in-transit, length 36
190596 IP 64.210.21.150 > 10.10.10.10: ICMP time exceeded in-transit, length 36
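The two slides above show the same traceroute from both sides: what traceroute prints, and the ICMP time-exceeded replies that tcpdump captured while it ran. As an added example, not part of the seminar material, the Python script below parses both outputs (sample input constructed from the slides; the probing host address 10.10.10.10 is taken from the capture) and correlates them: every hop traceroute reported is confirmed against the routers that actually sent a time-exceeded message, and the hops that stayed silent (* * *) are listed separately, which is the kind of cross-checking of collected data that the OSSTMM quote at the top of the page asks for.

```python
import re
from collections import Counter

# Constructed sample input, copied from the traceroute slide above.
TRACEROUTE_OUTPUT = """\
traceroute to isecom.org (216.92.116.13), 64 hops max, 52 byte packets
16 195.22.192.181 48.888 ms 52.587 ms 49.014 ms
17 89.221.34.50 40.760 ms 37.027 ms 40.741 ms
18 64.210.21.150 180.909 ms 170.083 ms 178.578 ms
19 * * *
20 * * *
"""

# Constructed sample input, copied from the tcpdump slide above
# (the timestamps are truncated exactly as they appear on the slide).
TCPDUMP_OUTPUT = """\
440701 IP 195.22.192.181 > 10.10.10.10: ICMP time exceeded in-transit, length 36
493212 IP 195.22.192.181 > 10.10.10.10: ICMP time exceeded in-transit, length 36
542222 IP 195.22.192.181 > 10.10.10.10: ICMP time exceeded in-transit, length 36
583138 IP 89.221.34.50 > 10.10.10.10: ICMP time exceeded in-transit, length 36
620053 IP 89.221.34.50 > 10.10.10.10: ICMP time exceeded in-transit, length 36
660844 IP 89.221.34.50 > 10.10.10.10: ICMP time exceeded in-transit, length 36
841862 IP 64.210.21.150 > 10.10.10.10: ICMP time exceeded in-transit, length 36
011975 IP 64.210.21.150 > 10.10.10.10: ICMP time exceeded in-transit, length 36
190596 IP 64.210.21.150 > 10.10.10.10: ICMP time exceeded in-transit, length 36
"""

# "<hop> <address-or-*> <rtts...>"; the "traceroute to ..." header does not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(.*)$")
# "IP <router> > <probing host>: ICMP time exceeded in-transit"
TIME_EXCEEDED_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP time exceeded in-transit"
)


def parse_traceroute(text):
    """Return {hop_number: router_address}; None marks a hop that answered * * *."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        ttl, addr = int(m.group(1)), m.group(2)
        hops[ttl] = None if addr == "*" else addr
    return hops


def parse_time_exceeded(text, probing_host):
    """Count ICMP time-exceeded messages per sending router, addressed to our host."""
    replies = Counter()
    for line in text.splitlines():
        m = TIME_EXCEEDED_RE.search(line)
        if m and m.group(2) == probing_host:
            replies[m.group(1)] += 1
    return replies


def correlate(hops, replies):
    """Split hops into confirmed (seen in the capture), unconfirmed and silent."""
    confirmed = {t: a for t, a in hops.items() if a and replies.get(a, 0) > 0}
    unconfirmed = {t: a for t, a in hops.items() if a and replies.get(a, 0) == 0}
    silent = sorted(t for t, a in hops.items() if a is None)
    return {"confirmed": confirmed, "unconfirmed": unconfirmed, "silent": silent}


if __name__ == "__main__":
    hops = parse_traceroute(TRACEROUTE_OUTPUT)
    replies = parse_time_exceeded(TCPDUMP_OUTPUT, "10.10.10.10")
    result = correlate(hops, replies)
    for ttl, addr in sorted(result["confirmed"].items()):
        print(f"hop {ttl}: {addr} confirmed by {replies[addr]} time-exceeded replies")
    print("unconfirmed hops:", result["unconfirmed"])
    print("silent hops:", result["silent"])
```

A hop that traceroute reports but that never appears in the capture would be a sign that the two outputs do not belong to the same run; the silent hops at the end (19 and 20) simply show that the last routers before the target, or the target itself, do not send ICMP time exceeded, which is why the later nmap slide reaches 216.92.116.13 only with a TCP probe to port 80.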
42. # whois isecom.org
[...]
Registrant Organization:Institute for Security and Open Methodologies
[...]
Registrant City:Lake George
Registrant State/Province:NY
Registrant Postal Code:12845
Registrant Country:US
Registrant Phone:+1.5186***********
[...]
Registrant Email:a*******@isecom.org
Admin Name:Peter Herzog
Admin Organization:Institute for Security and Open Methodologies
[...]
Admin City:Lake George
Admin State/Province:NY
Admin Postal Code:12845
Admin Country:US
Admin Phone:+1. 5186***********
Admin FAX Ext.:
Admin Email:a*******@isecom.org
[...]
Name Server:NS222.PAIR.COM
Name Server:NS0000.NS0.COM
43. # dig isecom.org @NS222.PAIR.COM ANY
; <<>> DiG 9.8.3-P1 <<>> isecom.org @NS222.PAIR.COM ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65151
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;isecom.org. IN ANY
;; ANSWER SECTION:
isecom.org. 3600 IN A 216.92.116.13
isecom.org. 3600 IN MX 50 mailwash4.pair.com.
isecom.org. 3600 IN SOA ns222.pair.com. root.pair.com. 2012020511 3600 300 604800 3600
isecom.org. 3600 IN NS ns0000.ns0.com.
isecom.org. 3600 IN NS ns222.pair.com.
;; Query time: 176 msec
;; SERVER: 209.68.2.67#53(209.68.2.67)
[...]
44. # whois 216.92.116.13
NetRange: 216.92.0.0 - 216.92.255.255
CIDR: 216.92.0.0/16
OriginAS:
NetName: PAIRNET-BLK-3
NetHandle: NET-216-92-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1998-09-25
Updated: 2001-06-14
Ref: http://whois.arin.net/rest/net/NET-216-92-0-0-1
OrgName: pair Networks
OrgId: PAIR
Address: 2403 Sidney St
Address: Suite 510
City: Pittsburgh
StateProv: PA
PostalCode: 15232
Country: US
RegDate: 1997-01-30
Updated: 2008-10-04
45. # nmap -PN --traceroute -n -p80 isecom.org
Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-27 09:00 CEST
Nmap scan report for isecom.org (216.92.116.13)
Host is up (0.17s latency).
PORT STATE SERVICE
80/tcp open http
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
[...]
17 42.97 ms 89.221.34.110
18 166.42 ms 64.210.21.150
19 ...
20 165.39 ms 216.92.116.13
Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds
49. # hping2 --udp -c 100 isecom.org
HPING isecom.org (en0 216.92.116.13): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
[...]
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
ICMP Port Unreachable from ip=216.92.116.13 name=isecom.org
--- isecom.org hping statistic ---
100 packets tramitted, 22 packets received, 78% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
51. # curl -kisX HEAD isecom.org
HTTP/1.1 200 OK
Date: Wed, 26 Oct 2012 09:30:00 GMT
Server: Apache/2.2.22
Last-Modified: Fri, 13 Apr 2012 15:48:14 GMT
ETag: "3e3a-4bd916679ab80"
Accept-Ranges: bytes
Content-Length: 15930
Identity: The Institute for Security and Open Methodologies
P3P: Not supported at this time
55. # curl -kisX HEAD "http://isecom.org/etc/passwd?format=%%&xss="><script>alert('xss');</script>&traversal=../../&sql='%20OR%201;"
HTTP/1.1 404 Not Found
Date: Wed, 27 Oct 2012 09:30:00 GMT
Server: Apache/2.2.22
Last-Modified: Fri, 13 Apr 2012 15:48:13 GMT
ETag: "25db-4bd91666a6940"
Accept-Ranges: bytes
Content-Length: 9691
Identity: The Institute for Security and Open Methodologies
P3P: Not supported at this time
60. # nmap -sT -Pn -n --top-ports 10 isecom.org
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 04:10 CEST
Nmap scan report for isecom.org (216.92.116.13)
Host is up (0.23s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp filtered smtp
80/tcp open http
110/tcp open pop3
139/tcp closed netbios-ssn
443/tcp open https
445/tcp closed microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds
61. # nmap -sT -Pn -n --top-ports 10 --reason isecom.org
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 04:17 CEST
Nmap scan report for isecom.org (216.92.116.13)
Host is up, received user-set (0.22s latency).
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
23/tcp closed telnet conn-refused
25/tcp filtered smtp no-response
80/tcp open http syn-ack
110/tcp open pop3 syn-ack
139/tcp closed netbios-ssn conn-refused
443/tcp open https syn-ack
445/tcp closed microsoft-ds conn-refused
3389/tcp closed ms-wbt-server conn-refused
62. # nmap -sU -Pn -n --top-ports 10 --reason isecom.org
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 04:28 CEST
Nmap scan report for hackerhighschool.org (216.92.116.13)
Host is up, received user-set (0.23s latency).
PORT STATE SERVICE REASON
53/udp closed domain port-unreach
67/udp open|filtered dhcps no-response
123/udp closed ntp port-unreach
135/udp closed msrpc port-unreach
137/udp closed netbios-ns port-unreach
138/udp closed netbios-dgm port-unreach
161/udp closed snmp port-unreach
445/udp closed microsoft-ds port-unreach
631/udp closed ipp port-unreach
1434/udp closed ms-sql-m port-unreach
63. # nmap -sU -Pn -n -p53,67 --reason --packet-trace isecom.org
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 04:32 CEST
SENT (0.0508s) UDP 192.168.100.53:54940 > 216.92.116.13:67 ttl=46 id=54177 iplen=28
SENT (0.0509s) UDP 192.168.100.53:54940 > 216.92.116.13:53 ttl=37 id=17751 iplen=40
RCVD (0.3583s) ICMP 216.92.116.13 > 192.168.100.53 Port unreachable (type=3/code=3) ttl=54 id=1724 iplen=56
SENT (2.5989s) UDP 192.168.100.53:54941 > 216.92.116.13:67 ttl=49 id=33695 iplen=28
Nmap scan report for isecom.org (216.92.116.13)
Host is up, received user-set (0.31s latency).
PORT STATE SERVICE REASON
53/udp closed domain port-unreach
67/udp open|filtered dhcps no-response
Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds
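Slides 60 to 63 show how nmap's --reason column ties each port state to the response (or absence of one) that produced it, and how --packet-trace exposes the probes behind that decision. As an added example, not part of the seminar material and not nmap's own code, the Python script below parses the --reason tables and the UDP packet trace (sample input constructed from the slides), groups the ports by what actually came back from the host, and re-derives the UDP states from the trace alone: a port that nmap had to retransmit to received no answer and is reported open|filtered, while a port probed once was answered by an ICMP port unreachable and is closed. The retransmission rule is an assumption about a plain -sU scan, stated in the code, because the trace excerpt does not show the quoted header that ties each ICMP message to its probe; the script therefore also checks that the number of single-probe ports matches the number of port-unreachable messages seen.

```python
import re
from collections import Counter

# Constructed sample input, copied from the TCP --reason slide above.
NMAP_TCP_REPORT = """\
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
23/tcp closed telnet conn-refused
25/tcp filtered smtp no-response
80/tcp open http syn-ack
110/tcp open pop3 syn-ack
139/tcp closed netbios-ssn conn-refused
443/tcp open https syn-ack
445/tcp closed microsoft-ds conn-refused
3389/tcp closed ms-wbt-server conn-refused
"""

# Constructed sample input, copied from the UDP --packet-trace slide above.
NMAP_UDP_TRACE = """\
SENT (0.0508s) UDP 192.168.100.53:54940 > 216.92.116.13:67 ttl=46 id=54177 iplen=28
SENT (0.0509s) UDP 192.168.100.53:54940 > 216.92.116.13:53 ttl=37 id=17751 iplen=40
RCVD (0.3583s) ICMP 216.92.116.13 > 192.168.100.53 Port unreachable (type=3/code=3) ttl=54 id=1724 iplen=56
SENT (2.5989s) UDP 192.168.100.53:54941 > 216.92.116.13:67 ttl=49 id=33695 iplen=28
PORT STATE SERVICE REASON
53/udp closed domain port-unreach
67/udp open|filtered dhcps no-response
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SENT_RE = re.compile(r"^SENT \([\d.]+s\) UDP \S+ > [\d.]+:(\d+) ")
RCVD_UNREACH_RE = re.compile(
    r"^RCVD \([\d.]+s\) ICMP \S+ > \S+ Port unreachable \(type=3/code=3\)"
)


def parse_ports(text):
    """Return {(port, proto): (state, service, reason)} from an nmap --reason table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:  # the "PORT STATE SERVICE REASON" header does not match
            port, proto, state, service, reason = m.groups()
            ports[(int(port), proto)] = (state, service, reason)
    return ports


def triage(ports):
    """Group ports by what the --reason column says the host actually sent back."""
    groups = {"answered_open": [], "rejected_by_host": [], "no_answer": [], "other": []}
    for (port, proto), (state, service, reason) in sorted(ports.items()):
        key = f"{port}/{proto}"
        if reason == "syn-ack":                          # service accepted the connection
            groups["answered_open"].append(key)
        elif reason in ("conn-refused", "port-unreach"):  # host reachable, nothing listening
            groups["rejected_by_host"].append(key)
        elif reason == "no-response":                     # dropped on the way, or a silent UDP service
            groups["no_answer"].append(key)
        else:
            groups["other"].append(key)
    return groups


def udp_states_from_trace(text):
    """Re-derive UDP port states from --packet-trace lines alone.

    Assumption (plain -sU scan): nmap retransmits only probes that got no
    answer, so a port probed more than once is open|filtered and a port
    probed once was answered, which for a closed UDP port is ICMP type 3 code 3.
    """
    sent = Counter()
    unreachables = 0
    for line in text.splitlines():
        m = SENT_RE.match(line)
        if m:
            sent[int(m.group(1))] += 1
        elif RCVD_UNREACH_RE.match(line):
            unreachables += 1
    states = {port: ("open|filtered" if n > 1 else "closed") for port, n in sent.items()}
    answered = sum(1 for s in states.values() if s == "closed")
    if answered != unreachables:
        raise ValueError(f"{answered} single-probe ports but {unreachables} port-unreachable replies")
    return states


def trace_agrees_with_report(text):
    """True when the states inferred from the trace match nmap's own UDP table."""
    reported = {p: st for (p, proto), (st, _, _) in parse_ports(text).items() if proto == "udp"}
    return udp_states_from_trace(text) == reported


if __name__ == "__main__":
    for name, ports in triage(parse_ports(NMAP_TCP_REPORT)).items():
        print(f"{name}: {', '.join(ports) or '-'}")
    print("UDP states from trace:", udp_states_from_trace(NMAP_UDP_TRACE))
    print("trace agrees with nmap report:", trace_agrees_with_report(NMAP_UDP_TRACE))
```

For the defender the interesting rows are the ones nmap cannot decide on its own: 25/tcp shows up as filtered because nothing came back at all, and 67/udp stays open|filtered for the same reason, so both need a second source (a packet capture on the target side, or the firewall's own logs) before they can be called either open or blocked.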