Security Basics mailing list archives

RE: network auditing


From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Tue, 14 Oct 2003 12:44:44 -0600

Does one really need a certification in order to
do all this auditing?

Absolutely not.  Many of the best hackers are not certified at all.
Knowledge is the key.  Make sure you inform and have permission from other
network administrators, otherwise you could find yourself in hot water for
unauthorized penetration testing.


I've read about the 'blackbox' and 'crystal' tests
(from the NASA Audit thread) and would like to know
how I can apply those tests, especially what type
of tools required.  (Or should I even bother?)

Well, being the network administrator, it would be impossible for you to
"black box" test the network.  However, any penetration testing you employ
would be "crystal box" type tests.



1) Port scan the target network IP.

Do it quietly.  Port Scans are very "noisy" to IDS systems and likely to get
you detected and blocked before you even attempt to access the network.
Scan only those ports you're interested in.  Do it very slowly and spread
out the scan.

3) For each port use a specific tool to gain
  access (starting from a simple approach to
  a more technically involved approach).  ie.
  ftp port use ftp.

Well, first of all you want to find out what versions you're looking at.
What OS, what application version.  There's no "recipe" for what to do at
this stage... it's just pure knowledge, intuition and skill.


4) if simple access isn't available (ie cannot
  do any ftp password guessing either by
  brute force or dictionary approach to
  standard account names), then try using
  particular vulnerabilities in that protocol
  to attack/gain access to the system.

I'm shy about dictionary/brute force attacks.  They tend to set off alarms
all over the place and make your tracks very hard to cover.  Very few
services are not logged anymore, especially if a host-based IDS is employed.
At this point, sustained traffic to a single host may even set off a
network-based IDS too.

Are there any particular books that I should take
a gander at?

For "Intrusion Testing" and "hacking", the BEST (I mean BEST) book I've
ever seen is "Stealing the Network".  It's fairly expensive and it's also
technically fiction, but it explains in very clear words the means by which
attackers will try to compromise a network in a variety of different
situations.  It tends to be very technical, written for network
administrators, but it's a good one.

For a more "textbook" and somewhat more basic book, try out "Hacking
Exposed".  I think there's a 4th volume out now...



Eric Hagen
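The reply above makes two detection claims: port scans are "noisy" to an IDS unless they are slow and spread out, and dictionary or brute-force login attempts "set off alarms all over the place" because the services are logged. The following script is an added example written for this archive page, not code from the original post or its author. It runs two simple sliding-window detectors over a constructed firewall/auth log (the log format, hosts 10.0.0.5, 10.0.0.7, 10.0.0.9 and 192.0.2.10, and the thresholds are all assumptions made for the example): one flags a source that touches many distinct ports on a host in a short window, the other flags repeated failed logins to one service. The third host in the sample, which probes three ports twenty minutes apart, shows why the post's "do it very slowly" advice works against a short-window threshold and why a defender also wants a longer-window, lower-threshold pass.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example only (not from the original thread).
# 10.0.0.5 touches 12 ports on 192.0.2.10 in 11 seconds (a fast scan),
# 10.0.0.9 fails FTP login 6 times in 50 seconds (a dictionary attempt),
# 10.0.0.7 touches 3 ports 20 minutes apart (a slow, spread-out scan).
SAMPLE_LOG = """\
2003-10-14T12:00:00 src=10.0.0.5 dst=192.0.2.10 dport=21 event=connect
2003-10-14T12:00:01 src=10.0.0.5 dst=192.0.2.10 dport=22 event=connect
2003-10-14T12:00:02 src=10.0.0.5 dst=192.0.2.10 dport=23 event=connect
2003-10-14T12:00:03 src=10.0.0.5 dst=192.0.2.10 dport=25 event=connect
2003-10-14T12:00:04 src=10.0.0.5 dst=192.0.2.10 dport=53 event=connect
2003-10-14T12:00:05 src=10.0.0.5 dst=192.0.2.10 dport=80 event=connect
2003-10-14T12:00:06 src=10.0.0.5 dst=192.0.2.10 dport=110 event=connect
2003-10-14T12:00:07 src=10.0.0.5 dst=192.0.2.10 dport=111 event=connect
2003-10-14T12:00:08 src=10.0.0.5 dst=192.0.2.10 dport=135 event=connect
2003-10-14T12:00:09 src=10.0.0.5 dst=192.0.2.10 dport=139 event=connect
2003-10-14T12:00:10 src=10.0.0.5 dst=192.0.2.10 dport=143 event=connect
2003-10-14T12:00:11 src=10.0.0.5 dst=192.0.2.10 dport=443 event=connect
2003-10-14T12:00:30 src=10.0.0.7 dst=192.0.2.10 dport=21 event=connect
2003-10-14T12:05:00 src=10.0.0.9 dst=192.0.2.10 dport=21 event=login_failed
2003-10-14T12:05:10 src=10.0.0.9 dst=192.0.2.10 dport=21 event=login_failed
2003-10-14T12:05:20 src=10.0.0.9 dst=192.0.2.10 dport=21 event=login_failed
2003-10-14T12:05:30 src=10.0.0.9 dst=192.0.2.10 dport=21 event=login_failed
2003-10-14T12:05:40 src=10.0.0.9 dst=192.0.2.10 dport=21 event=login_failed
2003-10-14T12:05:50 src=10.0.0.9 dst=192.0.2.10 dport=21 event=login_failed
2003-10-14T12:20:30 src=10.0.0.7 dst=192.0.2.10 dport=22 event=connect
2003-10-14T12:40:30 src=10.0.0.7 dst=192.0.2.10 dport=80 event=connect
"""

# Assumed log line layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) event=(?P<event>\S+)$"
)


def parse_log(text):
    """Parse log text into a time-sorted list of event dicts, skipping malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # a detector should not crash on an unexpected line
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "event": m["event"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _windowed_hits(keyed_events, window, count_fn, threshold):
    """For each key, slide a window over its events; report the highest
    count_fn() value seen in any window that reaches the threshold."""
    hits = {}
    for key, evs in keyed_events.items():
        for i, first in enumerate(evs):
            limit = first["ts"] + window
            in_window = [e for e in evs[i:] if e["ts"] <= limit]
            n = count_fn(in_window)
            if n >= threshold:
                hits[key] = max(hits.get(key, 0), n)
    return hits


def detect_port_scans(events, distinct_ports=10, window_seconds=60):
    """Map (src, dst) -> distinct ports touched, for pairs that exceed the
    distinct-port threshold within any window of window_seconds."""
    by_pair = defaultdict(list)
    for e in events:
        if e["event"] == "connect":
            by_pair[(e["src"], e["dst"])].append(e)
    return _windowed_hits(by_pair, timedelta(seconds=window_seconds),
                          lambda evs: len({e["dport"] for e in evs}),
                          distinct_ports)


def detect_brute_force(events, failures=5, window_seconds=120):
    """Map (src, dst, dport) -> failed-login count, for services that see
    at least `failures` failed logins within any window of window_seconds."""
    by_service = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_service[(e["src"], e["dst"], e["dport"])].append(e)
    return _windowed_hits(by_service, timedelta(seconds=window_seconds),
                          len, failures)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fast scans :", detect_port_scans(evs))
    print("slow scans :", detect_port_scans(evs, distinct_ports=3, window_seconds=3600))
    print("brute force:", detect_brute_force(evs))
```

With the default one-minute window only 10.0.0.5 is reported as a scanner; the hour-long, three-port pass also catches 10.0.0.7, at the cost of more false positives from legitimate multi-service clients, which is the tuning trade-off behind the post's remark that a slow, spread-out scan is harder to notice.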
