In this article we will explore the presence of known vulnerabilities in switched LANs. I hope to open your eyes to some of the techniques and tools that are free to download and use to test your network. Let’s start with some of the basics we see in most small to medium-sized networks. The first step is to evaluate the network and collect information about it, so that we understand the hurdles we may face in a penetration test. Start with these basic questions as the basis for collecting information:
Where are the switches located?
Is the equipment accessible?
What kind and type of switches or hubs are in the network?
Are the switches manageable and do they have a web interface?
What is the physical topology or layout of the network?
Do the switches have security features (IDS) and are VLANs used?
Once we have the basic information about the network layout and the equipment used in the network, we need to investigate the vendor’s security bulletins to see if there are any known vulnerabilities to test for. If this network is wireless, there are many other techniques that we can implement to find vulnerable points. At this point, we also need to look at what physical media is used to move data on the network (CAT5, fiber, or wireless). Once you know what the network medium is, you can figure out the best way to take advantage of it. Below are some ideas on how to take advantage of the network and the tools used.
Ethernet (CAT3, CAT5 or CAT6):
Ethernet is usually accessed with a protocol sniffer such as Ethereal. To sniff an Ethernet LAN, you must have access to the network through a switch port or through another network connection.
Fiber (Gig-e or FDDI):
To take advantage of a fiber network, you need an optical splitter (tap) such as the ones sold by “netoptics”. To connect a splitter you need physical access to the fiber lines. Once the splitter is installed, you can run Ethereal or any other network sniffer on it.
Wireless (802.11 A, B and G):
To take advantage of wireless, you must first identify what type of signal the network is using. Most common networks will use 802.11 B or G, but some networks use 802.11 A. To find out what type of wireless connection is in use, you can run software like Network Stumbler. Network Stumbler will show you the access points and all the necessary information about them, such as the channel, the signal strength and the encryption used. Once you know whether the AP is open or encrypted, you can plan your route to access the network. If the wireless network is encrypted, you will need tools to crack the encryption; for WEP, you can use tools like AirCrack. Once you have gained access to the wireless network, you will use a network sniffer such as Ethereal to capture packets.
Sniffing/Tapping the Net
As I said above, Ethereal is a very good (and free) network sniffer, but there are many other protocol sniffing tools on the internet; many are free, but some vendors charge for their tools. The idea behind sniffing is that you can see all the packets on the network. With the ability to view and capture packets, you can reconstruct data flowing through the network and gain access to passwords and password hashes. Other useful data it can collect includes emails, website data, database information, and much other sensitive information. One obstacle you may face when sniffing is that if the network is switched, you will only see broadcast traffic and traffic directed to your own IP. To resolve this, you will need to sniff a trunk port or a mirror port, or spoof network traffic so that it passes through your port. A good tool for sniffing and spoofing is Cain & Abel; with Cain you can also sniff VoIP calls and many other passwords.
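On a switched LAN, the spoofing just described is normally done by poisoning the ARP caches of the victim and the gateway so that both send their frames to the attacker's port. As an added example from the defender's side (my code, not the article's, run over constructed ARP records rather than a real capture), the check below flags the two signs of it in a log of ARP replies: an IP whose MAC changes, and one MAC answering for more than one IP.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.
Added example, not from the original article; the records are constructed."""
from collections import defaultdict

# Constructed sample of ARP replies as (time, sender_ip, sender_mac).
# The gateway 192.168.1.1 is legitimately at aa:aa:aa:aa:aa:01. From t=30 a
# second MAC claims the gateway and then also the host 192.168.1.50, which is
# what a man-in-the-middle between host and gateway looks like on the wire.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (5, "192.168.1.50", "bb:bb:bb:bb:bb:50"),
    (10, "192.168.1.51", "bb:bb:bb:bb:bb:51"),
    (30, "192.168.1.1", "cc:cc:cc:cc:cc:99"),
    (31, "192.168.1.50", "cc:cc:cc:cc:cc:99"),
    (35, "192.168.1.1", "cc:cc:cc:cc:cc:99"),
]


def detect_arp_poisoning(replies, known=None):
    """Return a list of alert strings for suspicious ARP replies.

    `known` is an optional static ip -> mac table (e.g. the real gateway);
    without it the first MAC seen for an IP is trusted, as an ARP cache would.
    Check 1: an IP whose MAC differs from the trusted one.
    Check 2: a MAC that answers for more than one IP (alerted once per new IP).
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        trusted = ip_to_mac.get(ip)
        if trusted is None:
            ip_to_mac[ip] = mac
        elif trusted != mac:
            alerts.append(f"t={ts}: {ip} changed from {trusted} to {mac}")
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(f"t={ts}: {mac} claims multiple IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(line)
```

The same logic applies to a real feed (for example, ARP replies exported from a sniffer), and a static `known` table for the gateway catches the poisoning even when the attacker's reply arrives first.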
Port scanning
Port scanning is a way of testing network devices to see which communication ports may be open. This can be done from a LAN, WAN, MAN, or the Internet. Port scanners are some of the most widely used tools among pen testers for learning what is open and for identifying the devices and services running on the network. For example, if you port scan an IP and see that port 25 is open, there is a good chance that a mail service is running. The next step in testing port 25 might be to telnet to the port and see whether the response is a banner. If the device is a mail server, it will normally greet your telnet session with a service banner; a Microsoft Exchange server will report its SMTP name and the version of Exchange running on the server. Other interesting ports are 23 Telnet, 21 FTP, 22 SSH, 80 HTTP, 443 HTTPS and 3389 Terminal Server (RDP). Some good port scanning programs are SuperScan (from Foundstone), Nmap (from insecure.org), and X-scan (from xfocuse.com). There are hundreds of scanners on the Internet and many are specialized to scan for certain services or exploits. If you want to learn more about port scanning, just google it and you’ll be busy for months.
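The “is it open, and what does it say when I connect” step above is easy to reproduce for your own hosts, which is how you find out which of your services announce their software and version. The following added example (mine, not the article's) probes a list of ports and reads whatever greeting the service sends; so that it runs offline, it starts a constructed stand-in for a mail server on the loopback interface rather than touching any real host.

```python
"""Port probe with banner grab. Added example, not from the original article.
Uses a constructed SMTP-like listener on loopback so it runs without a network."""
import socket
import threading

# Constructed banner, modelled on the form of a real SMTP greeting (220 ...).
BANNER = b"220 mail.example.test ESMTP Example Mail Server 1.0 ready\r\n"


def start_fake_smtp(host="127.0.0.1"):
    """Stand-in mail server: accept one connection, send a banner, close.
    Returns the port the OS picked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))            # port 0: let the OS choose a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(BANNER)       # real servers greet before you send anything
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """A port nothing listens on, to demonstrate the 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def probe(host, port, timeout=1.0):
    """Return (state, banner). state is 'open', 'closed' (refused) or
    'filtered' (no answer or unreachable). Open ports that greet nothing
    yield an empty banner: a sign the service waits for the client to talk."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""
            return "open", data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "closed", ""
    except (socket.timeout, OSError):
        return "filtered", ""


def scan(host, ports):
    """Probe each port; returns {port: (state, banner)} for a service inventory."""
    return {p: probe(host, p) for p in ports}
```

A banner that includes a product name and version, as in the constructed one here, is exactly what the article describes Exchange revealing, and is the first thing to trim on a server you are hardening.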
Password recovery
Password recovery can be done remotely or physically with software. On Windows PCs, you can remotely run programs like PWDump, and if you have physical access, you can use many different kinds of boot disk to change or recover passwords. Other password recovery methods include running hash or SAM file recovery tools on the PC under a user account. With the hashes from the SAM file, you can proceed to crack the hash to get the password.
Password cracking
Password cracking is done by taking an encrypted value (a hash) and using a technique to crack or reverse engineer it. The usual types of cracking are dictionary, brute-force, or cryptanalysis attacks on the hash. There are many programs on the internet for running dictionary and brute-force attacks, but the fastest way to crack passwords is to use Rainbow Tables on them. There are some rainbow table cracking sites online, and the rcrack.exe program is a free download, with source code, from “antsight.com/zsl/rainbowcrack”. The most popular site for cracking hashes online is plain-text.info, which allows 2 free hashes per hour. With rainbow tables, the life of a penetration tester has become much easier. Older cracking methods like brute force can take months to crack a password, and dictionary attacks only work if the password is a dictionary word.
So far we have discussed how to analyze a network and then profile it for a penetration test. We’ve also covered ways to tap/sniff the network for data. Even with the little information we’ve discussed, this should make for a good introductory session showing you where to start with penetration testing. All the tools mentioned in this article are easily found on the internet and are free to download. If you need help with penetration testing, just use the internet, as there are many guides covering specialized areas of penetration testing. Remember that the idea behind penetration testing is to learn and protect your network.