Firstly, determine if the system is alive.
Perform an automated ping sweep on a range of IP addresses and network blocks to determine if individual devices or systems are alive.
(file> lastalive)
Ping is used to send ICMP ECHO packets to a target system in an attempt to elicit an ICMP ECHO_REPLY, indicating whether the target system is alive.
Secondly, use port scanning techniques to discover available ports. You must also be able to detect the type of operating system on the target computer.
TCP Connect Scan connects to the target port and completes the full "handshake" procedure (SYN, SYN/ACK, and ACK), as the TCP RFC (Request for Comments) states.
TCP SYN Scan sends a SYN packet to the target port.
TCP FIN Scan sends a FIN packet to the target port. (Based on RFC 793)
http://www.IETF.org/rfc/rfc0793.txt
TCP XMAS Tree Scan. This technique sends a packet with the FIN, URG, and PUSH flags set to the target port.
TCP NULL Scan. This technique sends a packet with no TCP flags set.
TCP ACK Scan. Used to map out firewall rulesets.
TCP Window Scan. May detect open as well as filtered/nonfiltered ports on some systems.
TCP RPC Scan. Used specifically for UNIX systems to identify remote procedure call (RPC) ports and their associated program and version number.
UDP Scan sends a UDP packet to the target port.
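Added here as a defender-side example that is not part of these notes: a small triage script that reads a constructed, simplified one-line-per-packet log and flags the probes described above, an ICMP echo sweep (first step) and the TCP flag-based scans (SYN, FIN, XMAS tree, NULL, ACK/Window). The log format, the sample lines, and the reporting thresholds are all assumptions made for the example; the flag letters follow the tcpdump convention.

```python
"""Defender-side triage of the probes described in the notes: ICMP echo sweeps
and TCP flag-based port scans (SYN, FIN, XMAS, NULL, ACK/Window).

Added example, not part of the original notes. The log format is a constructed
one-line-per-packet summary, not real tcpdump or IDS output:
    <src_ip> <dst_ip> <proto> <dst_port or -> <tcp_flags, "-" for none, or "echo" for ICMP>
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: 10.0.0.5 sweeps four hosts with ICMP echo requests,
# 10.0.0.9 runs SYN, XMAS and NULL probes against one host, and 10.0.0.22 is
# ordinary traffic (a SYN, a pure ACK and a PSH/ACK on one port).
SAMPLE_LOG = """\
10.0.0.5 192.168.1.1 icmp - echo
10.0.0.5 192.168.1.2 icmp - echo
10.0.0.5 192.168.1.3 icmp - echo
10.0.0.5 192.168.1.4 icmp - echo
10.0.0.9 192.168.1.10 tcp 22 S
10.0.0.9 192.168.1.10 tcp 25 S
10.0.0.9 192.168.1.10 tcp 80 S
10.0.0.9 192.168.1.10 tcp 110 S
10.0.0.9 192.168.1.10 tcp 143 S
10.0.0.9 192.168.1.10 tcp 443 S
10.0.0.9 192.168.1.10 tcp 445 FPU
10.0.0.9 192.168.1.10 tcp 3389 FPU
10.0.0.9 192.168.1.10 tcp 8080 -
10.0.0.22 192.168.1.10 tcp 443 S
10.0.0.22 192.168.1.10 tcp 443 A
10.0.0.22 192.168.1.10 tcp 443 PA
"""


# Flag letters follow the tcpdump convention: S=SYN F=FIN P=PSH U=URG A=ACK R=RST.
def classify_tcp_probe(flags: str) -> str:
    """Name the scan type a bare TCP flag combination corresponds to."""
    f = set(flags.upper()) - {"-"}
    if not f:
        return "NULL"            # no flags at all: NULL scan
    if f == {"S"}:
        return "SYN"             # lone SYN: half-open scan (or a normal connect)
    if f == {"F"}:
        return "FIN"             # lone FIN to a port with no connection
    if f == {"F", "P", "U"}:
        return "XMAS"            # FIN+PSH+URG "lit up": XMAS tree scan
    if f == {"A"}:
        return "ACK"             # lone ACK: ACK scan or Window scan
    return "OTHER"               # anything else looks like an established flow


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one constructed log line; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return parts[0], parts[1], parts[2], parts[3], parts[4]


def analyze(log_text: str, port_threshold: int = 5,
            host_threshold: int = 3) -> List[Tuple[str, str, str, int]]:
    """Return findings as (source, kind, target, count).

    Thresholds are illustrative assumptions: SYN and ACK packets are normal on
    their own, so those only become a finding once one source has touched
    port_threshold distinct ports on one host. FIN, XMAS and NULL combinations
    never occur in a legitimate handshake, so a single one is reported.
    """
    icmp_targets: Dict[str, Set[str]] = defaultdict(set)
    tcp_probes: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, port, flags = rec
        if proto == "icmp" and flags == "echo":
            icmp_targets[src].add(dst)
        elif proto == "tcp":
            kind = classify_tcp_probe(flags)
            if kind != "OTHER":
                tcp_probes[(src, dst, kind)].add(port)

    findings: List[Tuple[str, str, str, int]] = []
    for src, hosts in sorted(icmp_targets.items()):
        if len(hosts) >= host_threshold:
            findings.append((src, "ICMP echo sweep", "*", len(hosts)))
    for (src, dst, kind), ports in sorted(tcp_probes.items()):
        if kind in ("FIN", "XMAS", "NULL") or len(ports) >= port_threshold:
            findings.append((src, f"TCP {kind} probe", dst, len(ports)))
    return findings


if __name__ == "__main__":
    for src, kind, target, count in analyze(SAMPLE_LOG):
        print(f"{src:<12} {kind:<18} target={target:<14} count={count}")
```

On the sample log this reports the echo sweep from 10.0.0.5 and the SYN, XMAS and NULL probes from 10.0.0.9, while the single SYN and pure ACK from 10.0.0.22 stay below threshold, which is the point of keeping separate rules for flag combinations that are illegal in a normal handshake versus ones that merely look suspicious in volume.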
Strobe = TCP port-scanning utility written by Julian Assange
http://linux.maruhn.com/sec/strobe.html
Another useful scanning feature is "Ident Scanning" (see RFC 1413 at http://www.IETF.org/rfc/rfc1413.txt)
This is used to determine the identity of a user of a particular TCP connection by communicating with port 113.
Windows-based port scanners
superscan (www.foundstone.com)
wups (Windows UDP port scanner, http://ntsecurity.nu)
scanline (www.foundstone.com)
Network-mapping tool
http://cheops-ng.sourceforge.net/
open-source graphical FTP client
"filezilla" http://filezilla-project.org/
list of anonymous FTP sites
www.ftp-sites.org
Enumerating common network services
- automated DNS enumeration: "DNSENUM" http://code.google.com/p/dnsenum
KB = Microsoft Knowledge Base article
www.hsc.fr/resources/articles/win_net_srv
www.ibt.ku.dk/jesper/ntools
www.inetcat.net/software/nbtscan.html
Local, Local Low, & Roaming (Profiles)
Changing "Roaming" profiles
NMB Scan ( http://nmbscan.gbarbier.org )
share-enumeration tools
www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
softperfect's network scanner
www.softperfect.com/products/networkscanner
NBTEnum
http://reedarvin.thearvins.com/tools/nbtenum33.zip
packet-analysis tools
"scapy" ( http://www.secdev.org/projects/scapy/ )
netdude
http://netdude.sourceforge.net/
colasoft packet builder
http://www.colasoft.com/packet_builder/
cloudshark
http://www.cloudshark.org/
PCAPR
http://www.pcapr.net
Network Miner
http://tcpreplay.synfin.net/
NGREP
http://ngrep.sourceforge.net/
libpcap
http://www.tcpdump.org/
HPING
http://www.hping.org/
Domain Names and IP Addresses
"Domain Dossier" (http://www.centralops.net/co/domaindossier.aspx)
"Wireshark" (http://www.wireshark.org/)
SANS
http://www.sans.org/
http://www.chrissanders.org/
http://www.packetstan.com/
wireshark training
http://www.wiresharktraining.com/
LUN = Logical Unit Number
In SCSI, a subunit of a SCSI device. With the exception of multidisc CD-ROM players, most SCSI devices do not have such subunits. The LUN number is assigned by the manufacturer and is encoded in the unit's hardware.
AirPcap (cace technologies)
http://www.cacetech.com/
wireshark wiki
http://wiki.wireshark.org/
kismet
http://www.kismetwireless.net/
DHCP options
http://www.iana.org/assignments/bootp-dhcp-parameters/
DNS-related RFC's
http://www.isc.org/community/reference/rfcs/dns
flow graph: http_google.pcap
www.gpanswers.com/resource/solutions-guide.html
Group Policy
- disable computer hardware using device manager
- disable group policy (killpol) > www.smart-x.com/
- RGPrefresh (www.gpoguy.com/free-gpoguy-tools.aspx)
- GPSIviewer (www.gpoguy.com/free-gpoguy-tools.aspx)
- WMI Filter Validations Utility
www.gpoguy.com/free-gpoguy-tools.aspx
- Central Store Creator utility
www.gpoguy.com/free-gpoguy-tools.aspx
- PowerShell Cmdlets for group policy
http://sdmsoftware.com/freeware.php
- Specops GPUpdate
www.specopssoft.com/products/specopsgpupdate/
- Specops Command Basic
www.specopssoft.com/powershell/
- Specops Password Policy Basic
http://tinyurl.com/34e3ud
- Policy Reporter (helps analyze Windows 7 logs to help locate Group Policy problems)
http://tinyurl.com/2ft4nq
- Policy Pak Design Studio
www.policypak.com
- Bulk-delete profiles
"Delprof Tool"
www.microsoft.com/windowsserver2003/techinfo/reskit/tools/default.mspx
- Group Policy Log View
http://go.microsoft.com/fwlink/?linkid=75004
- GPInventory
http://tinyurl.com/b38lu
- Avecto "Privilege Guard" (www.avecto.com)
Helps you set applications to run as administrator and users to run with least privilege
- AdventNet "Manage Engine ADManager Plus" (www.manageengine.com)
- BeyondTrust "Privilege Manager"
www.beyondtrust.com
- Centrify "Direct Control"
www.centrify.com
- ConfigureSoft (Enterprise Configuration Manager) www.configuresoft.com
- FullArmor "Group Policy Anywhere and Policy Portal" (www.fullarmor.com)
- Likewise Software "Likewise Enterprise"
www.likewise.com
- PolicyPak Software www.policypak.com
- SpecopsSoftware (www.specopssoft.com)
- SDM Software www.sdmsoftware.com
- NetIQ (www.netiq.com)
- Secure Vantage (www.scriptlogic.com)
- SysPro Software (www.sysprosoft.com)
- ScriptLogic "Active Administrator" (change management capabilities) www.scriptlogic.com
- Quest www.quest.com/gpoadmin
Website Cloning Tools
httrack
teleport pro (http://www.tenmax.com)
blackbookonline (http://www.blackbookonline.info/)
peoplesearch (http://www.peoplesearch.com)
photo management sites
flickr.com
photobucket.com
wayback machine
http://www.archive.org
http://www.thememoryhole.org
"site digger 2.0"
http://www.foundstone.com
"Wikto 2.0"
http://www.sensepost.com/research/wikto
Firewall Configurations
comp.dcom.sys.cisco
comp.security.firewalls
www.fwbuilder.org
ICANN = "The Internet Corporation for Assigned Names and Numbers"
http://www.icann.org
Address Supporting Organization (ASO)
http://www.aso.icann.org
Generic Names Supporting Organization (GNSO)
http://www.gnso.icann.org
Country Code Domain Name Supporting Organization (CCNSO)
http://www.ccnso.icann.org
The ASO reviews & develops recommendations on IP address policy and advises the ICANN board on these matters. The ASO allocates IP addresses to various "Regional Internet Registries" (RIRs) who manage, distribute, and register public Internet number resources within their respective regions.
NIR = National Internet Registries
LIR = Local Internet Registries
North America = "ARIN" (http://www.arin.net)
Europe= "RIPE" (http://www.ripe.net)
Known Port Numbers
http://www.iana.org/assignments/port-numbers
IP addresses
Special-Use IPv4 Addresses (RFC 3330): http://www.rfc-editor.org/rfc/rfc3330.txt
GNSO reviews and develops recommendations on domain-name policy for all generic top-level domains (gTLDs)
List of country-code top-level domains
http://www.iana.org/cctld/cctld-whois.htm
http://www.allwhois.com
http://www.internic.net/whois.html
http://www.samspade.org
http://www.nwpsw.com
http://ws.arin.net
http://www.apnic.net
Traceroute
ftp://ftp.ee.lbl.gov/traceroute.tar.gz
http://michael.toren.net/code/tcptraceroute
www.snort.org (Marty Roesch)
http://www.ussrback.com/unix/loggers/rr.c.gz (log incoming traceroute requests)
Daniel S. Abrahamian