is a Raptor firewall which replaces the Microsoft stack. ISN (initial sequence number) sampling can also help identify the stack: random positive increments indicate Solaris, IRIX, FreeBSD, Digital UNIX or Cray; time-dependent increments indicate Microsoft; truly random ISNs indicate Linux (2.0.x), OpenVMS or newer AIX; and a constant ISN indicates 3Com hubs or Apple LaserWriter printers. A stack's reaction to a SYN flood also helps with OS identification: most OSs hold about 8 half-open connections before refusing new ones, while Linux holds more. This is not a stealthy method, as it risks taking the target down.

The target can also be identified by sending fragmented IP packets and packets with illegal flags in the headers. Microsoft and Cisco return an RST in reply to an unsolicited FIN sent to an open port, or to a packet with no flags set (a NULL probe), where RFC 793 behaviour is to send nothing; Linux before 2.0.35 echoes an undefined (bogus) flag bit back in its reply. Finally, the number of ICMP unreachable messages returned within a time period shows whether the stack rate-limits errors as RFC 1812 suggests, and the amount of the offending datagram quoted in each error is a further indication: the standard requires only the IP header plus 8 bytes, and some stacks return more.
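Two of the signals above, ISN sampling and ICMP error quoting, as an added worked example in Python (not code from this page or from any tool it mentions). The ISN classes follow the four the text lists, but the thresholds (2% rate jitter for time-dependent, increments under 2^24 for random increments) are assumptions made for illustration, and the ICMP messages are constructed samples rather than captures:

```python
import struct
from statistics import mean, pstdev

WRAP = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def isn_deltas(samples):
    """samples: list of (seconds, isn) pairs, one per SYN/ACK received from the
    target, in collection order. Returns (dt, signed delta) pairs, treating a
    large backward jump as a 32-bit wrap rather than a decrease."""
    out = []
    for (t0, a), (t1, b) in zip(samples, samples[1:]):
        d = (b - a) % WRAP
        if d >= WRAP // 2:
            d -= WRAP
        out.append((t1 - t0, d))
    return out


def classify_isn(samples):
    """Bucket a run of sampled ISNs into the four classes the text lists.
    Thresholds are assumptions for illustration, not a published fingerprint."""
    if len(samples) < 4:
        raise ValueError("need at least four samples to say anything useful")
    deltas = isn_deltas(samples)
    inc = [d for _, d in deltas]
    if all(d == 0 for d in inc):
        return "constant"                 # 3Com hubs, Apple LaserWriter
    # Time-dependent: the ISN is a clock, so delta / elapsed time is nearly fixed.
    rates = [d / dt for dt, d in deltas if dt > 0]
    if rates and all(r > 0 for r in rates) and pstdev(rates) <= 0.02 * mean(rates):
        return "time-dependent"           # Microsoft
    # Random positive increments: always forward, by an unpredictable amount
    # that is small compared with the 2^32 space.
    if all(d > 0 for d in inc) and max(inc) < (1 << 24):
        return "random-increments"        # Solaris, IRIX, FreeBSD, Digital UNIX, Cray
    return "truly-random"                 # Linux 2.0.x, OpenVMS, newer AIX


# Constructed ISN runs (made-up values, 100 ms apart), one per class.
SAMPLE_RUNS = {
    "constant": [(0.0, 0x803), (0.1, 0x803), (0.2, 0x803), (0.3, 0x803)],
    "time-dependent": [(0.0, 100_000), (0.1, 110_000), (0.2, 120_000), (0.3, 130_000)],
    "random-increments": [(0.0, 0x10000000), (0.1, 0x10000000 + 65_700),
                          (0.2, 0x10000000 + 197_100), (0.3, 0x10000000 + 259_100),
                          (0.4, 0x10000000 + 459_100)],
    "truly-random": [(0.0, 0x9F3A1B2C), (0.1, 0x12345678), (0.2, 0xDEADBEEF), (0.3, 0x00C0FFEE)],
}

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # unreachable, quench, redirect, time exceeded, param problem


def icmp_quoted_transport_bytes(icmp_msg):
    """Given a raw ICMP error message (everything after the outer IP header),
    return how many bytes beyond the quoted IP header were echoed back.
    The standard requires the IP header plus 8 bytes, so 8 is the baseline;
    a larger value is itself a stack fingerprint."""
    if len(icmp_msg) < 8 + 20:
        raise ValueError("too short to carry an ICMP error with a quoted IP header")
    if icmp_msg[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    quoted = icmp_msg[8:]                  # skip type, code, checksum, 4 unused bytes
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("quoted IP header is malformed")
    return len(quoted) - ihl


def build_port_unreachable(quoted_datagram):
    """Constructed sample: ICMP type 3 code 3; checksum left zero for brevity."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + quoted_datagram


# Constructed offending datagram: 20-byte IPv4 header + 8-byte UDP header.
SAMPLE_IP_UDP = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                             bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
                 + struct.pack("!HHHH", 40000, 33434, 8, 0))

if __name__ == "__main__":
    for name, run in SAMPLE_RUNS.items():
        print(f"{name:18s} -> {classify_isn(run)}")
    rfc_minimum = build_port_unreachable(SAMPLE_IP_UDP)
    chatty = build_port_unreachable(SAMPLE_IP_UDP + b"\x00" * 56)
    print(icmp_quoted_transport_bytes(rfc_minimum), icmp_quoted_transport_bytes(chatty))
```

In practice the ISN samples come from the sequence numbers of successive SYN/ACKs to an open port and the ICMP bytes from a raw-socket capture; only the analysis is shown here so it runs offline.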


Local Network Sniffing


Assuming that access can be obtained to the client's internal network by system compromise (or if internal penetration testing is being undertaken), sniffers can be installed using network cards in promiscuous mode; telnet and FTP traffic, which carry credentials in clear text, can then be examined and network shares enumerated. The same applies to thin-client and remote-control software (pcAnywhere, for example, protects its password with only weak encryption). This assumes no VPNs or other link encryption are running on the target network. L0phtCrack can then be applied to brute-force LAN Manager and NT hashes taken from the registry or from sniffed authentication traffic.


On switched networks, where a promiscuous card sees only its own port's traffic, dsniff is used together with ARP redirection: forged ARP replies convince the hosts that the sniffer's MAC address belongs to the gateway (and the gateway that it belongs to the host), so the switched traffic is redirected through the sniffer's port, where it can be inspected. IP forwarding must be enabled on the sniffing host so the redirected traffic still reaches its destination and the victims notice nothing.
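The ARP redirection used for sniffing on switched networks, as described in the two paragraphs above, together with what a defender on the same segment would look for, as an added Python example (not code from this page or from dsniff itself). The MAC and IP addresses are made up, the frames are built inline rather than captured, and the detection logic keeps a first-seen IP-to-MAC table and flags any later claim that contradicts it:

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826), addressed to target_mac."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if the
    frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip)


def poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The pair of unsolicited replies an arpspoof-style tool repeats: tell the
    victim the gateway's IP is at the attacker's MAC, and tell the gateway the
    victim's IP is at the attacker's MAC. Both are needed to see both directions,
    and the attacker must forward IP or the victim loses connectivity."""
    return [
        build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip),
        build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip),
    ]


def detect_arp_spoofing(frames, known=None):
    """Detection side: flag any ARP whose sender IP is already bound to a
    different MAC. The first binding seen (or a supplied known table) wins, so
    every contradicting claim keeps producing an alert."""
    table = dict(known or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, tmac, tip = parsed
        if sip in table and table[sip] != smac:
            alerts.append((sip, table[sip], smac))
        table.setdefault(sip, smac)
    return alerts


# Made-up addresses for the example.
ATTACKER, VICTIM, GATEWAY = "00:0c:29:aa:bb:cc", "00:50:56:11:22:33", "00:11:22:33:44:55"
VICTIM_IP, GATEWAY_IP = "192.168.1.10", "192.168.1.1"

if __name__ == "__main__":
    frames = poison_frames(ATTACKER, VICTIM, VICTIM_IP, GATEWAY, GATEWAY_IP)
    for f in frames:
        print(parse_arp(f))
    print(detect_arp_spoofing(frames, known={GATEWAY_IP: GATEWAY, VICTIM_IP: VICTIM}))
```

Putting the frames on the wire needs a raw link-layer socket (AF_PACKET on Linux) and, as noted above, IP forwarding on the sniffing host; the block only builds and parses them so it runs offline. On the defensive side the same table check is what arpwatch-style tools and static ARP entries are for.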


To Contact Me

Phone: 07768 113497

Fax: 01473 423491


Network Penetration Methods
