Question:
You have been assigned as network administrator to the new
premises of a Medical Instruments Company (Medicon.com). Your
tasks cover the design, evaluation, troubleshooting and
administration of local area networks, internetworks and wide area
networks, as specified in the following requirements.
One of your first goals as an administrator is to learn about the
network, that is, to determine its topology, access method,
throughput rates, type of equipment, and the way the equipment is
interconnected. Although you do not have access to the secure
telecommunication and equipment rooms, you do have permission to
log on to routers and switches. What information could you obtain by
logging in to switches and routers? What information could you obtain
by issuing commands at a workstation that is connected to the
network? What kind of information do you suppose would not be
evident unless you could physically access the network hardware?
Answer:
First of all I have to connect securely to the company's network
equipment. This can be done with either telnet or SSH, using a client
like PuTTY. I will choose SSH (Secure Shell) because it is much more
secure than telnet: SSH authenticates the server with its host key and
the user with a password or key pair, and encrypts the whole session,
whereas telnet transmits all data, including passwords, in plain text.
(The first time you connect, check that the host key fingerprint PuTTY
shows matches the one recorded for that device; otherwise an attacker
in the path can impersonate the device and the encryption buys nothing.)
Also, if you are on a public or otherwise untrusted network and need
extra protection, SSH lets you tunnel a port between your local system
and the remote server. Now that I am connected to the company's server
I can run commands from my terminal or cmd, connect to routers and
switches, and so on. To find information about the network I follow
seven basic steps:
1. Information gathering
2. Determining the network range
3. Identifying active machines
4. Finding open ports and access points
5. OS fingerprinting
6. Fingerprinting services
7. Mapping the network
I begin by running some simple and common commands from my
workstation. To start I try net view, which on Windows displays a list
of the computers in the current domain and, with parameters, lists
domains, computers or shared resources. nslookup gives information
from DNS, whois shows who owns the servers' public IP addresses, and
pinging machines finds the active hosts. tracert / traceroute shows
the routers on the path to a target and so helps determine the network
ranges. Then I port-scan individual systems with a port scanner such
as nmap to see which standard ports or services are open and
responding, which operating system the system is running, and which
applications and application versions are present. After that I can
fingerprint some services by hand with telnet, ftp, netcat, etc. Finally
I map the network using commands like traceroute and netstat with
parameters such as -a, -t, -u, -I, -s, -p, etc., or even a visual ping
tool. Since scanning can trip intrusion detection and upset fragile
embedded devices, I tell the security team first and scan from a
known address.
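As an added example (not part of the original answer), the following Python script turns steps 3 to 6 into an inventory: it reads nmap's XML output (nmap -sV -O -oX scan.xml ...) and lists, for each live host, the open ports, the service banners and the OS guess, then flags services that carry credentials in clear text. The XML embedded here is a constructed sample in nmap's format; the addresses, ports, product names and OS match are assumptions, not results from the Medicon network.

```python
"""Turn nmap XML output into a host inventory (steps 3-6 of the recon list).
Added example; SAMPLE_NMAP_XML is a constructed sample in nmap's -oX format,
and every address, port, product and OS name in it is an assumption."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/>
        <service name="http"/></port>
    </ports>
    <os><osmatch name="Cisco IOS 15.X" accuracy="92"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.7" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 10" accuracy="97"/></os>
  </host>
</nmaprun>
"""

# Services whose credentials cross the wire unencrypted; worth flagging
# before anyone relies on them for administration.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "snmp", "pop3", "imap"}


def parse_nmap_xml(xml_text):
    """Return [{'ip', 'os', 'ports': [{'port', 'proto', 'service', 'product'}]}]
    for every host nmap reported as up; closed/filtered ports are dropped."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # step 3: only active machines go into the inventory
        addr = host.find("address[@addrtype='ipv4']")
        ports = []
        for port in host.findall("ports/port"):  # step 4: open ports only
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")  # step 6: service/version banner
            name, product = "", ""
            if svc is not None:
                name = svc.get("name", "")
                product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            ports.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                          "service": name, "product": product})
        osmatch = host.find("os/osmatch")  # step 5: nmap's best OS guess, if any
        hosts.append({"ip": addr.get("addr") if addr is not None else "?",
                      "os": osmatch.get("name") if osmatch is not None else "unknown",
                      "ports": ports})
    return hosts


def cleartext_services(hosts):
    """(ip, port, service) for open services that send credentials in the clear."""
    return [(h["ip"], p["port"], p["service"])
            for h in hosts for p in h["ports"] if p["service"] in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        print(h["ip"], h["os"],
              [f"{p['port']}/{p['proto']} {p['service']} {p['product']}".strip() for p in h["ports"]])
    print("cleartext:", cleartext_services(inventory))
```

Run nmap with -oX on a range you are authorised to scan and pass the file contents to parse_nmap_xml. Service and OS names come from signature matching and are guesses; confirm them on the device itself (show version on Cisco gear) before relying on them.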
Now I can log in to the routers and switches, where with administrator
privileges I can find almost anything. The type, model and firmware of
each router and switch matter, but in most cases there are commands to
see everything. For example: show version (software version, hardware
model, uptime, configuration register), show interfaces (state,
speed/duplex, utilisation and error counters on every port, which is
where the throughput rates come from), show inventory (the installed
hardware modules and their serial numbers), sh ip route and show ip
protocols (routing table and routing protocols in use), sh arp and show
mac address-table (which IP and MAC addresses sit behind which port),
and show cdp neighbors (the directly connected Cisco devices and the
ports joining them, from which the topology can be drawn). If you have
the enable password for the router, which as administrator you should,
you can run show run, where you can find almost everything: SNMP
settings, the security methods in use (AAA, RADIUS server), access
lists, which management protocols are allowed (SSH or telnet),
interfaces, wireless bridges, access points and wireless controllers,
WAN or LAN throughput settings, etc. Because show run also contains
passwords and keys, its output has to be handled as a secret itself.
(Note: most of the above commands are for Cisco devices.) It is beyond
the bounds of this class to explain the commands and the information
on a router or switch in more depth; this topic is a book on its own.
In general, though, without accessing the physical network hardware,
if you know what to do you can find everything: IP addresses, DNS,
ports, settings on each port, routing tables, filtering rules, security
methods, topology, access methods, throughput rates, type of equipment,
the way the equipment is interconnected, etc. The only things you
cannot find unless you enter the equipment room are the actual
condition of the room, the physical condition of the machines, cables
and jacks, how carefully they are interconnected, whether they are
labelled, and in general whether it all meets the TIA/EIA cabling
standards; it would also be impossible to learn the colour of the
room.
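As an added example, not code from the original answer, the Python below does the topology step for Cisco gear: it parses the output of show cdp neighbors detail into adjacency records (local interface, neighbour, neighbour port, management address, platform, software version) and emits a Graphviz DOT graph. The CDP output embedded here is a constructed sample in the IOS output format; the device names, addresses, platforms and versions are assumptions.

```python
"""Build a Layer 2 adjacency map from `show cdp neighbors detail` output.
Added example; SAMPLE_CDP_DETAIL is a constructed sample in the IOS output
format, and the device names, addresses, platforms and versions are assumptions."""
import re

SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: SW-CORE-1
Entry address(es):
  IP address: 10.0.1.2
Platform: cisco WS-C2960X-48TS-L,  Capabilities: Switch IGMP
Interface: GigabitEthernet0/1,  Port ID (outgoing port): GigabitEthernet1/0/24
Holdtime : 150 sec

Version :
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E6, RELEASE SOFTWARE (fc1)

advertisement version: 2
-------------------------
Device ID: AP-LOBBY
Entry address(es):
  IP address: 10.0.1.30
Platform: cisco AIR-CAP2702I-E-K9,  Capabilities: Trans-Bridge Source-Route-Bridge IGMP
Interface: GigabitEthernet0/2,  Port ID (outgoing port): GigabitEthernet0
Holdtime : 126 sec

Version :
Cisco IOS Software, C2700 Software (AP3G2-K9W7-M), Version 15.3(3)JF, RELEASE SOFTWARE (fc1)

advertisement version: 2
"""


def parse_cdp_neighbors(text):
    """One record per neighbour: which local port leads to which remote device/port."""
    neighbours = []
    # IOS separates neighbour entries with a line of dashes.
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        dev = re.search(r"^Device ID: (\S+)", block, re.M)
        if not dev:
            continue
        ip = re.search(r"IP address: (\S+)", block)
        plat = re.search(r"^Platform: (.+?),\s+Capabilities: (.+)$", block, re.M)
        link = re.search(r"^Interface: ([^,]+),\s+Port ID \(outgoing port\): (\S+)", block, re.M)
        ver = re.search(r"^Version :\n(.+)$", block, re.M)  # first line after "Version :"
        neighbours.append({
            "device": dev.group(1),
            "ip": ip.group(1) if ip else None,
            "platform": plat.group(1) if plat else None,
            "capabilities": plat.group(2).strip() if plat else None,
            "local_if": link.group(1) if link else None,
            "remote_if": link.group(2) if link else None,
            "version": ver.group(1).strip() if ver else None,
        })
    return neighbours


def to_dot(local_name, neighbours):
    """Graphviz DOT for the star around one device; merge the output of several
    devices (each parsed with its own hostname) to draw the whole site."""
    lines = [f'graph "{local_name}" {{']
    for n in neighbours:
        lines.append(f'  "{local_name}" -- "{n["device"]}" '
                     f'[label="{n["local_if"]} - {n["remote_if"]}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # "MEDICON-R1" is an assumed hostname for the device the sample was taken from.
    print(to_dot("MEDICON-R1", parse_cdp_neighbors(SAMPLE_CDP_DETAIL)))
```

Collect the output over SSH from each router and switch and parse it with that device's hostname; the union of the edges is the Layer 2 map. One caveat is visible in the show run excerpt cited below: that device has no cdp run globally and no cdp enable on its interfaces, so show cdp neighbors returns nothing there. On such devices fall back to show lldp neighbors detail if LLDP is on, or to sh arp and show mac address-table to see which addresses sit behind each port.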
I cite an actual output of the show run command to give a picture of
how much information there is on every router and switch, and to
justify why it is impossible to analyse it more deeply within the
limits of this class.
 rts threshold 2312
 power local cck 50
 power local ofdm 30
 channel 2462
 station-role root
!
interface Dot11Radio0.1
 description Cisco Open
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast (default)
 crypto ipsec client ezvpn ezvpnclient inside
 ip inspect firewall in
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 no ip address
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface Vlan3
 no ip address
 bridge-group 3
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
interface BVI2
 ip address 10.0.2.1 255.255.255.0
!
interface BVI3
 ip address 10.0.3.1 255.255.255.0
!
ip classless
!
ip http server
no ip http secure-server
!
radius-server local
 nas 10.0.1.1 key 0 cisco123
 group rad_eap
 !
 user jsomeone nthash 7 0529575803696F2C492143375828267C7A760E1113734624452725707C010B065B
 user AMER\jsomeone nthash 7 0224550C29232E041C6A5D3C5633305D5D560C09027966167137233026580E0B0D
!
radius-server host 10.0.1.1 auth-port 1812 acct-port 1813 key cisco123
!
control-plane
!
bridge 1 route ip
bridge 2 route ip
bridge 3 route ip
!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any
access-list 103 deny ip any any
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
!
line con 0
 password cisco123
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password cisco123
 transport preferred all
 transport input all
 transport output all
!
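As an added example, not part of the cited configuration or of the original answer, this Python script audits show run text for the weak settings a practitioner looks for first: passwords and RADIUS keys stored in clear, type-7 "encrypted" secrets (which IOS reverses with a fixed key), telnet accepted on the vty lines, HTTP management, and SNMP communities. It runs on a constructed excerpt modelled on the configuration above, to which an snmp-server community line and an enable password 7 line have been added as assumptions so that the last two checks have something to find.

```python
"""Audit Cisco IOS `show running-config` text for weak management settings.
Added example; SAMPLE_SHOW_RUN is a constructed excerpt modelled on the cited
config, with an snmp-server line and an `enable password 7` line (assumptions)
added to exercise two further checks."""
import re

# Constructed sample (IOS indents sub-commands by one space).
SAMPLE_SHOW_RUN = """\
ip http server
no ip http secure-server
!
snmp-server community public RW
!
enable password 7 094F471A1A0A
!
radius-server local
 nas 10.0.1.1 key 0 cisco123
 group rad_eap
!
radius-server host 10.0.1.1 auth-port 1812 acct-port 1813 key cisco123
!
line con 0
 password cisco123
 transport preferred all
 transport output all
line vty 0 4
 password cisco123
 transport preferred all
 transport input all
 transport output all
!
"""

# Fixed XOR key that IOS uses for type-7 "encryption"; the scheme is reversible.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc):
    """Reverse a type-7 string: two decimal digits give the key offset, then
    each hex byte is XORed with the next key byte."""
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def sections(config):
    """Yield (top-level command, [its indented sub-commands]) in config order."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.rstrip(), []
    if header is not None:
        yield header, body


def audit(config):
    """Return (category, section, detail) findings for the weak settings checked."""
    findings = []
    for header, body in sections(config):
        if header == "ip http server":
            findings.append(("http", header, "cleartext HTTP management enabled"))
        if header.startswith("snmp-server community"):
            words = header.split()
            findings.append(("snmp", header, f"community '{words[2]}' grants {words[-1]}"))
        # "transport input all" accepts telnet alongside SSH, rlogin and the rest.
        if header.startswith("line vty") and any(
                cmd in ("transport input all", "transport input telnet") for cmd in body):
            findings.append(("telnet", header, "telnet accepted on vty lines"))
        for cmd in [header] + body:
            m7 = re.search(r"\b(?:password|key) 7 ([0-9A-Fa-f]+)$", cmd)
            if m7:
                findings.append(("type7", header,
                                 f"reversible secret decodes to '{decode_type7(m7.group(1))}'"))
                continue
            # "password X", "key X" and "key 0 X" are all stored in clear (type 0).
            m0 = re.search(r"\b(?:password|key)(?: 0)? (\S+)$", cmd)
            if m0:
                findings.append(("cleartext", header, f"secret stored in clear: '{m0.group(1)}'"))
    return findings


if __name__ == "__main__":
    for category, section, detail in audit(SAMPLE_SHOW_RUN):
        print(f"[{category:9}] {section}: {detail}")
```

On the cited configuration this flags password cisco123 on line con 0 and line vty 0 4, the RADIUS key cisco123 (twice), transport input all on the vty lines, and ip http server with HTTPS disabled. Whether SSH is actually usable still depends on a host key and the ip ssh settings, which this excerpt does not show. The type-7 check is also why show run output must be handled as a secret: the nthash 7 entries above wrap the users' NT hashes in the same reversible encoding, so anyone holding the configuration can recover them; only type 5, 8 and 9 secrets are one-way.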