Apologies in advance, this is a bit of a connective blog entry – this is a big topic, and it needs some scene setting, basic understanding and several weeks’ worth to get the most out of it.
We live in a connected world now – my other half was showing me a washing machine with a WiFi connection and an associated iPhone App that would allow you remote control of and reporting about your intimate garments’ spin cycle ! I wonder if that is really necessary to be honest, as even if it has finished, knowing that while I’m in the office and the washing machine is at home is a complete waste of electrons.
The network, and the connected nature of things is what allows us as penetration testers to attempt to compromise the security of a company without going anywhere near it. There are other aspects to full scale penetration testing as I’ve alluded to before – with social engineering and physical attack ( lock picking, not baseball bat ) parts of such a scope – but a majority of the work is computer and network based.
To that end, a good understanding and working knowledge of networking is pretty much a job pre-requisite. So, rather than giving you a lesson myself, I’ll give you a quick and dirty set of online references – this won’t make you an expert by any stretch of the imagination, but hopefully it will get us through the rest of this section without too much head scratching.[1]
- The OSI Model
- Internet Protocol (IP)
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)
I would apologise for the laziness on my part, however I subscribe to Larry Wall’s school of thought that it is a virtue – if someone else has done it well enough already, why spend time re-inventing the wheel. The corollary of that is, if you find that there isn’t a good explanation of something in that set that you’d like to understand better – add a comment on the bottom of this post and we’ll bring it up to scratch ( perhaps both here and at Wikipedia ;-) ).
So seeing as you all now fully understand TCP/IP packet structure and know your URG from your SYN …
( It’s ok, I’m only joking. )
We are fortunate that, in reality, we have some amazing tools available to us that have all of the low-level things done for us already. I am going to profess a view though that, like forensics, you shouldn’t rely on the output of a tool whose inner workings you don’t understand, and whose results you couldn’t reproduce and/or verify at a binary level. There are plenty of PenTest ( and Forensic ) companies out there who get cheap, unqualified labour to run automated tools and then publish the results as gospel – occasionally with disastrous results – please, please, please don’t add to them.
To that end, I’m going to introduce a few tools this week, and next time we are going to build a small lab and run a few scans and look at the network traffic and the results.
First off, our listening post, Wireshark (née Ethereal). Wireshark is a network protocol analyser: given a promiscuous network port on a machine, it will sit and listen to all traffic that it can see on its segment.[2] I love Wireshark, and actually, as a general purpose network troubleshooting tool, it’s pretty hard to beat. It can colour, track and decode flows across a wide range of protocols and applications, and best of all – it’s free.
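To make "verify at a binary level" concrete, the following added example (not part of the original post) decodes the IPv4 and TCP headers of a raw packet by hand, so the flags a tool such as Wireshark displays can be cross-checked against the bytes. The two sample packets are constructed for illustration, use documentation-range addresses, and have their checksums zeroed.

```python
import struct

# Flag bits in the low byte of TCP header bytes 12-13 (the NS bit is ignored).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

def parse_ipv4_tcp(packet: bytes) -> dict:
    """Decode the IPv4 and TCP headers of one raw packet (no link-layer header)."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4  # IHL is in 32-bit words
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if packet[9] != 6:  # IP protocol number 6 = TCP
        raise ValueError("payload is not TCP")
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4  # TCP header length, also in 32-bit words
    if data_offset < 20 or len(tcp) < data_offset:
        raise ValueError("bad TCP data offset")
    return {
        "src": ".".join(map(str, packet[12:16])), "sport": sport,
        "dst": ".".join(map(str, packet[16:20])), "dport": dport,
        "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
    }

# Constructed sample packets (checksums zeroed, not verified by this parser).
SYN = bytes.fromhex("45000028 00010000 40060000 c000020a c0000214"
                    "c0010050 00000001 00000000 50027210 00000000")
SYN_ACK = bytes.fromhex("45000028 00020000 40060000 c0000214 c000020a"
                        "0050c001 00000064 00000002 50127210 00000000")

if __name__ == "__main__":
    for pkt in (SYN, SYN_ACK):
        print(parse_ipv4_tcp(pkt))
```

The byte pair `50 02` in the first packet is the data offset (5 words) followed by the flag byte with only SYN set; `50 12` in the reply sets SYN and ACK.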
Secondly, our port scanner, NMap. Whilst, as they say on the BBC, other products exist, frankly I don’t see any reason to use them. NMap has been around for nearly as long as I have, with early editions out in 1997, and it has grown since then into one of the most comprehensive ( if not the most comprehensive ) tools of its type. There are graphical front ends and countless enhancements, it is cross platform with clients for pretty much anything you might want to run it on, and it plugs into dozens of other PenTest tools ( Metasploit and Nessus [ which we will get to later ] amongst them ).
For now, I’m going to leave it there I’m afraid. I am trying to keep this in bite-size chunks, and if I go into any more detail today I’m really going to overrun. As a preview though, next time we are going to build a test lab using virtualisation, which we are going to continue to use for subsequent exercises, and we are going to run a range of port scans using NMap and see what we get back and what we can see in Wireshark while we do it. I’m also hoping to get some usage out of my new toy and see if we can’t get some demo video tutorials available to go with the text content. I intend to make downloadable VMs that you can easily use on a number of platforms, so hopefully this won’t be too painful an experience !
1. Above all other material in this area I would recommend, without hesitation, TCP/IP Illustrated: The Protocols v. 1. This is a phenomenally detailed book, that actually isn’t that bad to read, and is an excellent reference moving forward. In fact, I now own two copies, as I’ve found out through writing this that it has been updated to cover IPv6 late last year – so I’ve put my money where my mouth is !
2. Where a network is broken down into sections or segments with routers and switches ( rather than hubs ) – traffic is actively filtered by the networking devices, restricting the amount that can be seen by a sniffing device – worth remembering if you are wondering why you can’t see something and also if you are designing a secure network …