Title: Project test
Posted by: _OLAYA_ on 24 November 2012, 21:28 pm
Well, this year I'm finishing the ASIR higher vocational module, and for the end of the course we have to hand in a project. We have several ideas, and one of them is to do a security audit of the school, and I'm going to post the progress here for those who can learn something and for those who can help me (who will surely be more numerous). We're short on time, so I'll go fairly slowly...

Title: Re: Project test
Posted by: _OLAYA_ on 24 November 2012, 21:44 pm
These are the sections I should have filled in when I finish!
-INDEX
-OBJECTIVE
-SCENARIO
-DEVELOPMENT:
  1. Target enumeration
  2. Target selection
  3. Attack
  4. Result
-CONCLUSIONS

Title: Re: Project test
Posted by: Elmonky on 27 November 2012, 03:43 am
I would add the item: how to fix the flaws...

Title: Re: Project test
Posted by: _OLAYA_ on 16 December 2012, 19:19 pm
Well, we ran a scan of our LAN with Zenmap and I'm posting the results here, which we'll be studying...
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-20 16:55 CET Initiating NSE at 16:59 NSE Timing: About 47.98% done; ETC: 17:00 (0:00:34 remaining) Completed NSE at 17:01, 138.93s elapsed Nmap scan report for 172.18.0.2 Host is up (0.00044s latency). Not shown: 983 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 | dns-nsid: |_ bind.version: Microsoft DNS 6.1.7601 (1DB14556) 88/tcp open kerberos-sec Windows 2003 Kerberos (server time: 2012-11-20 16:01:18Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open netbios-ssn 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ldapssl? 3268/tcp open ldap 3269/tcp open globalcatLDAPssl? 3389/tcp open ms-wbt-server? 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49163/tcp open msrpc Microsoft Windows RPC MAC Address: 78:2B:CB:3F:F7:EC (Dell) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Microsoft Windows 7|Vista|2008 OS CPE: cpe:/o:microsoft:windows_7::professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 Uptime guess: 4.575 days (since Fri Nov 16 03:14:19 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=255 (Good luck!) 
IP ID Sequence Generation: Incremental Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | nbstat: | NetBIOS name: SERVIDOR, NetBIOS user: <unknown>, NetBIOS MAC: 78:2b:cb:3f:f7:ec (Dell) | Names | JRO<00> Flags: <group><active> | SERVIDOR<00> Flags: <unique><active> | JRO<1c> Flags: <group><active> | SERVIDOR<20> Flags: <unique><active> |_ JRO<1b> Flags: <unique><active> | smb-security-mode: | Account that was used for smb scripts: guest | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing required |_smbv2-enabled: Server supports SMBv2 protocol | smb-os-discovery: | OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1) | NetBIOS computer name: SERVIDOR | Workgroup: JRO |_ System time: 2012-11-20 17:05:54 UTC+1 TRACEROUTE HOP RTT ADDRESS 1 0.44 ms 172.18.0.2 Nmap scan report for 172.18.0.3 Host is up (0.00032s latency). Not shown: 992 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.4 ((Win32)) |_http-title: Site doesn't have a title (text/html). | http-methods: GET HEAD POST OPTIONS TRACE | Potentially risky methods: TRACE |_See http://nmap.org/nsedoc/scripts/http-methods.html 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds 1025/tcp open msrpc Microsoft Windows RPC 1026/tcp open msrpc Microsoft Windows RPC 1032/tcp open msrpc Microsoft Windows RPC 3389/tcp open ms-wbt-server? 
MAC Address: 00:E0:18:22:33:CF (Asustek Computer) Device type: general purpose Running: Microsoft Windows 2000|XP|2003 OS CPE: cpe:/o:microsoft:windows_2000::sp2 cpe:/o:microsoft:windows_2000::sp3 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::- cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=257 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_smbv2-enabled: Server doesn't support SMBv2 protocol | smb-security-mode: | Account that was used for smb scripts: <blank> | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) | nbstat: | NetBIOS name: SERVIDOR-VIEJO, NetBIOS user: <unknown>, NetBIOS MAC: 00:e0:18:22:33:cf (Asustek Computer) | Names | SERVIDOR-VIEJO<00> Flags: <unique><active> | JRO<00> Flags: <group><active> | SERVIDOR-VIEJO<20> Flags: <unique><active> |_ JRO<1e> Flags: <group><active> | smb-os-discovery: | OS: Windows Server 2003 3790 (Windows Server 2003 5.2) | Computer name: servidor-viejo | Domain name: jro.es | Forest name: jro.es | FQDN: servidor-viejo.jro.es | NetBIOS computer name: SERVIDOR-VIEJO | NetBIOS domain name: JRO |_ System time: 2012-11-20 17:06:06 UTC+1 TRACEROUTE HOP RTT ADDRESS 1 0.32 ms 172.18.0.3 Nmap scan report for 172.18.0.4 Host is up (0.00024s latency). 
Not shown: 996 closed ports PORT STATE SERVICE VERSION 80/tcp open http Linksys wireless-G WAP http config (Name NET Disk) |_http-methods: No Allow or Public header in OPTIONS response (status code 401) |_http-title: 401 Unauthorized | http-auth: | HTTP/1.0 401 Unauthorized |_ Basic realm=NET Disk 139/tcp open netbios-ssn 2869/tcp open tcpwrapped 10243/tcp open unknown MAC Address: 00:80:5A:67:4E:15 (Tulip Computers Internat'l B.V) Device type: storage-misc|print server Running: Argosy embedded, Asmax embedded, Freecom embedded, Iomega embedded OS details: Asmax NAS-USB print server; or Argosy HD354N, Freecom Network Drive, or Iomega Home Media Network Hard Drive NAS device Network Distance: 1 hop TCP Sequence Prediction: Difficulty=93 (Good luck!) IP ID Sequence Generation: Incremental Service Info: Device: WAP Host script results: | smb-os-discovery: | OS: (R) | NetBIOS computer name: | Workgroup: |_ System time: 1901-12-13 20:45:52 UTC+8 | nbstat: | NetBIOS name: HDDPECERA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | HDDPECERA<00> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> |_ HDDPECERA<20> Flags: <unique><active> TRACEROUTE HOP RTT ADDRESS 1 0.24 ms 172.18.0.4 Nmap scan report for 172.18.0.35 Host is up (0.00035s latency). Not shown: 983 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 | dns-nsid: |_ bind.version: Microsoft DNS 6.1.7601 (1DB14556) 88/tcp open kerberos-sec Windows 2003 Kerberos (server time: 2012-11-20 16:01:18Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open netbios-ssn 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ldapssl? 3268/tcp open ldap 3269/tcp open globalcatLDAPssl? 3389/tcp open ms-wbt-server? 
49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49163/tcp open msrpc Microsoft Windows RPC MAC Address: 78:2B:CB:3F:F7:ED (Dell) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Microsoft Windows 7|Vista|2008 OS CPE: cpe:/o:microsoft:windows_7::professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2 or Windows Server 2008 Uptime guess: 4.575 days (since Fri Nov 16 03:14:19 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=262 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_smbv2-enabled: Server supports SMBv2 protocol | smb-os-discovery: | OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1) | NetBIOS computer name: SERVIDOR | Workgroup: JRO |_ System time: 2012-11-20 17:05:08 UTC+1 | nbstat: | NetBIOS name: SERVIDOR, NetBIOS user: <unknown>, NetBIOS MAC: 78:2b:cb:3f:f7:ed (Dell) | Names | JRO<00> Flags: <group><active> | SERVIDOR<00> Flags: <unique><active> | JRO<1c> Flags: <group><active> | SERVIDOR<20> Flags: <unique><active> |_ JRO<1b> Flags: <unique><active> | smb-security-mode: | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing required TRACEROUTE HOP RTT ADDRESS 1 0.35 ms 172.18.0.35 Nmap scan report for 172.18.1.1 Host is up (0.00046s latency). 
Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.4 (protocol 2.0) |_ssh-hostkey: 1024 74:b8:ff:fc:84:cd:49:76:e8:e7:4a:c8:8f:71:4d:68 (RSA) 80/tcp open http SonicWALL firewall http config |_http-title: Document Moved 443/tcp open ssl/http SonicWALL firewall http config |_http-title: SonicWALL - Authentication | ssl-cert: Subject: commonName=192.168.168.168/organizationName=HTTPS Management Certificate for SonicWALL (self-signed)/stateOrProvinceName=California/countryName=US | Issuer: commonName=192.168.168.168/organizationName=HTTPS Management Certificate for SonicWALL (self-signed)/stateOrProvinceName=California/countryName=US | Public Key type: rsa | Public Key bits: 2048 | Not valid before: 1970-01-01 00:00:01 | Not valid after: 2038-01-19 03:14:07 | MD5: 0f6c 7e39 7538 b632 1141 d2dc 8051 f651 |_SHA-1: 7867 116f bea4 af7d df9d c587 4217 fd8c 60cf 29f9 MAC Address: C0:EA:E4:09:8D:12 (Sonicwall) Device type: firewall|WAP|printer|broadband router|storage-misc Running (JUST GUESSING): SonicWALL SonicOS 5.X|4.X (95%), Apple embedded (92%), Asus Linux 2.6.X (90%), Linux 2.6.X (90%), Ricoh embedded (89%), Wind River VxWorks (87%), Arris embedded (87%), IBM embedded (86%) OS CPE: cpe:/o:sonicwall:sonicos:5 cpe:/h:asus:rt-n16 cpe:/o:asus:linux:2.6 cpe:/o:linux:kernel:2.6.22 cpe:/o:sonicwall:sonicos:4 cpe:/o:windriver:vxworks cpe:/h:arris:tm602b Aggressive OS guesses: SonicWALL SonicOS Enhanced 5.2 (95%), Apple AirPort Express WAP v6.3 (92%), Asus RT-N16 WAP (Linux 2.6) (90%), Tomato 1.28 (Linux 2.6.22) (90%), Ricoh Aficion SP 4100N printer (89%), SonicWALL TZ 190 firewall (SonicOS Enhanced 4.0) (87%), VxWorks (87%), Arris TM602B cable modem (87%), Fujitsu Externus DX80 or IBM DCS9900 NAS device (86%), Netgear DG834G WAP or Western Digital WD TV media player (86%) No exact OS matches for host (test conditions non-ideal). 
Network Distance: 1 hop Service Info: Device: firewall TRACEROUTE HOP RTT ADDRESS 1 0.46 ms 172.18.1.1 Nmap scan report for 172.18.1.3 Host is up (0.00026s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc? 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) MAC Address: BC:AE:C5:D7:A5:67 (Asustek Computer) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.2 Uptime guess: 0.056 days (since Tue Nov 20 15:40:47 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=262 (Good luck!) IP ID Sequence Generation: All zeros Host script results: | smb-os-discovery: | OS: Unix (Samba 3.5.8) | Computer name: aula212 | Domain name: jro.es | FQDN: aula212.jro.es | NetBIOS computer name: |_ System time: 2012-11-20 17:05:07 UTC+1 | smb-security-mode: | Account that was used for smb scripts: <blank> | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) |_smbv2-enabled: Server doesn't support SMBv2 protocol | nbstat: | NetBIOS name: AULA212, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | AULA212<00> Flags: <unique><active> | AULA212<03> Flags: <unique><active> | AULA212<20> Flags: <unique><active> | JRO<1e> Flags: <group><active> |_ JRO<00> Flags: <group><active> TRACEROUTE HOP RTT ADDRESS 1 0.26 ms 172.18.1.3 Nmap scan report for 172.18.1.4 Host is up (0.00061s latency). Not shown: 989 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.21 ((Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1) |_http-title: Site doesn't have a title (text/html). 
|_http-favicon: Unknown favicon MD5: 3BD2EC61324AD4D27CB7B0F484CD4289 | http-methods: GET HEAD POST OPTIONS TRACE | Potentially risky methods: TRACE |_See http://nmap.org/nsedoc/scripts/http-methods.html 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 443/tcp open ssl/http Apache httpd 2.2.21 ((Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1) | http-methods: GET HEAD POST OPTIONS TRACE | Potentially risky methods: TRACE |_See http://nmap.org/nsedoc/scripts/http-methods.html |_http-favicon: Unknown favicon MD5: 3BD2EC61324AD4D27CB7B0F484CD4289 |_http-title: Site doesn't have a title (text/html). |_sslv2: server still supports SSLv2 | ssl-cert: Subject: commonName=localhost | Issuer: commonName=localhost | Public Key type: rsa | Public Key bits: 1024 | Not valid before: 2009-11-10 23:48:47 | Not valid after: 2019-11-08 23:48:47 | MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0 |_SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6 445/tcp open netbios-ssn 912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP) 3306/tcp open mysql MySQL (unauthorized) 16992/tcp closed amt-soap-http 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC MAC Address: BC:AE:C5:76:B6:2B (Asustek Computer) No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ). 
TCP/IP fingerprint: OS:SCAN(V=6.01%E=4%D=11/20%OT=80%CT=16992%CU=43129%PV=Y%DS=1%DC=D%G=Y%M=BCA OS:EC5%TM=50ABA961%P=i686-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=I%II=I%S OS:S=S%TS=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST1 OS:1%O5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000 OS:%W6=2000)ECN(R=Y%DF=Y%T=81%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=81% OS:S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=81%W=2000%S=Z%A OS:=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=81%IPL=164%UN=0%RIPL=G%R OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=81%CD=Z) Uptime guess: 1.362 days (since Mon Nov 19 08:19:48 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=263 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb-security-mode: | Account that was used for smb scripts: guest | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) | nbstat: | NetBIOS name: PCPROFDCH, NetBIOS user: <unknown>, NetBIOS MAC: bc:ae:c5:76:b6:2b (Asustek Computer) | Names | PCPROFDCH<20> Flags: <unique><active> | PCPROFDCH<00> Flags: <unique><active> | JRO<00> Flags: <group><active> |_ JRO<1e> Flags: <group><active> |_smbv2-enabled: Server supports SMBv2 protocol TRACEROUTE HOP RTT ADDRESS 1 0.61 ms 172.18.1.4 Nmap scan report for 172.18.1.10 Host is up (0.00025s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc? 
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) MAC Address: BC:AE:C5:76:B6:23 (Asustek Computer) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.0 Uptime guess: 0.039 days (since Tue Nov 20 16:05:24 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=204 (Good luck!) IP ID Sequence Generation: All zeros Host script results: |_smbv2-enabled: Server doesn't support SMBv2 protocol | nbstat: | NetBIOS name: AULA208, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | AULA208<00> Flags: <unique><active> | AULA208<03> Flags: <unique><active> | AULA208<20> Flags: <unique><active> | JRO<1e> Flags: <group><active> |_ JRO<00> Flags: <group><active> | smb-security-mode: | Account that was used for smb scripts: <blank> | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) | smb-os-discovery: | OS: Unix (Samba 3.5.8) | Computer name: aula208 | Domain name: jro.es | FQDN: aula208.jro.es | NetBIOS computer name: |_ System time: 2012-11-20 17:06:03 UTC+1 TRACEROUTE HOP RTT ADDRESS 1 0.25 ms 172.18.1.10 Nmap scan report for 172.18.1.11 Host is up (0.00038s latency). All 1000 scanned ports on 172.18.1.11 are closed MAC Address: BC:AE:C5:D7:A5:8F (Asustek Computer) Too many fingerprints match this host to give specific OS details Network Distance: 1 hop TRACEROUTE HOP RTT ADDRESS 1 0.38 ms 172.18.1.11 Nmap scan report for 172.18.1.12 Host is up (0.00028s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc? 
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) MAC Address: BC:AE:C5:76:B3:DE (Asustek Computer) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.2 Uptime guess: 0.076 days (since Tue Nov 20 15:11:50 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=262 (Good luck!) IP ID Sequence Generation: All zeros Host script results: | nbstat: | NetBIOS name: AULA209, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | AULA209<00> Flags: <unique><active> | AULA209<03> Flags: <unique><active> | AULA209<20> Flags: <unique><active> | \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> | JRO<1d> Flags: <unique><active> | JRO<1e> Flags: <group><active> |_ JRO<00> Flags: <group><active> | smb-security-mode: | Account that was used for smb scripts: guest | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) |_smbv2-enabled: Server doesn't support SMBv2 protocol | smb-os-discovery: | OS: Unix (Samba 3.5.8) | Computer name: aula209 | Domain name: jro.es | FQDN: aula209.jro.es | NetBIOS computer name: |_ System time: 2012-11-20 17:05:51 UTC+1 TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 172.18.1.12 Nmap scan report for 172.18.1.16 Host is up (0.00021s latency). 
Not shown: 995 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP) 5405/tcp open netsupport NetSupport PC remote control (Name TIC4) MAC Address: 00:1A:A0:55:D7:46 (Dell) Device type: general purpose Running: Microsoft Windows XP|2003 OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=263 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows TRACEROUTE HOP RTT ADDRESS 1 0.22 ms 172.18.1.16 Nmap scan report for 172.18.1.19 Host is up (0.00027s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc? 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) MAC Address: BC:AE:C5:D7:A5:BD (Asustek Computer) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.0 Uptime guess: 0.068 days (since Tue Nov 20 15:23:50 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=186 (Good luck!) 
IP ID Sequence Generation: All zeros Host script results: | nbstat: | NetBIOS name: AULA206, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | AULA206<00> Flags: <unique><active> | AULA206<03> Flags: <unique><active> | AULA206<20> Flags: <unique><active> | JRO<1e> Flags: <group><active> |_ JRO<00> Flags: <group><active> |_smbv2-enabled: Server doesn't support SMBv2 protocol | smb-security-mode: | Account that was used for smb scripts: <blank> | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) | smb-os-discovery: | OS: Unix (Samba 3.5.8) | Computer name: aula206 | Domain name: jro.es | FQDN: aula206.jro.es | NetBIOS computer name: |_ System time: 2012-11-20 17:05:05 UTC+1 TRACEROUTE HOP RTT ADDRESS 1 0.27 ms 172.18.1.19 Nmap scan report for 172.18.1.20 Host is up (0.00028s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0) | ssh-hostkey: 1024 61:6e:d4:5d:70:32:74:45:43:5e:5e:ae:02:5d:ed:51 (DSA) |_2048 ab:5b:80:ac:04:68:a7:9f:33:00:d3:3e:0e:d7:24:e1 (RSA) 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) MAC Address: BC:AE:C5:76:B6:28 (Asustek Computer) Device type: general purpose Running: Linux 3.X OS CPE: cpe:/o:linux:kernel:3 OS details: Linux 3.0 - 3.1 Uptime guess: 0.035 days (since Tue Nov 20 16:10:35 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=260 (Good luck!) 
IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:kernel Host script results: |_smbv2-enabled: Server doesn't support SMBv2 protocol | smb-os-discovery: | OS: Unix (Samba 3.5.11) | Computer name: aula211 | Domain name: jro.es | FQDN: aula211.jro.es | NetBIOS computer name: | NetBIOS domain name: JRO |_ System time: 2012-11-20 17:05:08 UTC+1 | nbstat: | NetBIOS name: AULA211, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | AULA211<00> Flags: <unique><active> | AULA211<03> Flags: <unique><active> | AULA211<20> Flags: <unique><active> | JRO<1e> Flags: <group><active> |_ JRO<00> Flags: <group><active> | smb-security-mode: | Account that was used for smb scripts: <blank> | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 172.18.1.20 Nmap scan report for 172.18.1.23 Host is up (0.00012s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc? 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) MAC Address: BC:AE:C5:76:B6:36 (Asustek Computer) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.2 Uptime guess: 0.040 days (since Tue Nov 20 16:04:14 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=263 (Good luck!) 
IP ID Sequence Generation: All zeros Host script results: | nbstat: | NetBIOS name: AULA216, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | AULA216<00> Flags: <unique><active> | AULA216<03> Flags: <unique><active> | AULA216<20> Flags: <unique><active> | JRO<1e> Flags: <group><active> |_ JRO<00> Flags: <group><active> | smb-security-mode: | Account that was used for smb scripts: guest | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) | smb-os-discovery: | OS: Unix (Samba 3.5.8) | Computer name: aula216 | Domain name: jro.es | FQDN: aula216.jro.es | NetBIOS computer name: |_ System time: 2012-11-20 17:05:15 UTC+1 |_smbv2-enabled: Server doesn't support SMBv2 protocol TRACEROUTE HOP RTT ADDRESS 1 0.12 ms 172.18.1.23 Nmap scan report for 172.18.1.29 Host is up (0.00025s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc? 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) MAC Address: BC:AE:C5:D7:A6:3E (Asustek Computer) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.0 Uptime guess: 0.071 days (since Tue Nov 20 15:19:04 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=199 (Good luck!) 
IP ID Sequence Generation: All zeros Host script results: |_smbv2-enabled: Server doesn't support SMBv2 protocol | nbstat: | NetBIOS name: AULA214, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | AULA214<00> Flags: <unique><active> | AULA214<03> Flags: <unique><active> | AULA214<20> Flags: <unique><active> | JRO<1e> Flags: <group><active> |_ JRO<00> Flags: <group><active> | smb-security-mode: | Account that was used for smb scripts: <blank> | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) | smb-os-discovery: | OS: Unix (Samba 3.5.8) | Computer name: aula214 | Domain name: jro.es | FQDN: aula214.jro.es | NetBIOS computer name: |_ System time: 2012-11-20 17:05:14 UTC+1 TRACEROUTE HOP RTT ADDRESS 1 0.25 ms 172.18.1.29 Nmap scan report for 172.18.1.33 Host is up (0.00026s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc? 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) MAC Address: BC:AE:C5:76:B6:08 (Asustek Computer) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.0 Uptime guess: 0.066 days (since Tue Nov 20 15:26:15 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=205 (Good luck!) 
IP ID Sequence Generation: All zeros Host script results: |_smbv2-enabled: Server doesn't support SMBv2 protocol | smb-security-mode: | Account that was used for smb scripts: guest | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) | nbstat: | NetBIOS name: AULA207, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | AULA207<00> Flags: <unique><active> | AULA207<03> Flags: <unique><active> | AULA207<20> Flags: <unique><active> | JRO<1e> Flags: <group><active> |_ JRO<00> Flags: <group><active> | smb-os-discovery: | OS: Unix (Samba 3.5.8) | Computer name: aula207 | Domain name: jro.es | FQDN: aula207.jro.es | NetBIOS computer name: |_ System time: 2012-11-20 17:05:32 UTC+1 TRACEROUTE HOP RTT ADDRESS 1 0.26 ms 172.18.1.33 Nmap scan report for 172.18.1.35 Host is up (0.00028s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (protocol 2.0) | ssh-hostkey: 1024 fc:5a:a1:13:b4:a4:a2:2e:33:dc:00:11:fa:32:c1:8a (DSA) |_2048 f9:4a:eb:0f:a4:07:64:7b:b8:73:6c:18:5c:b0:9f:32 (RSA) 135/tcp open msrpc? 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO) MAC Address: BC:AE:C5:D7:A6:0C (Asustek Computer) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 OS details: Linux 2.6.38 - 3.0 Uptime guess: 0.067 days (since Tue Nov 20 15:25:31 2012) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=203 (Good luck!) 
IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:kernel Host script results: | smb-security-mode: | Account that was used for smb scripts: guest | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) | nbstat: | NetBIOS name: AULA204, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | Names | AULA204<00> Flags: <unique><active> | AULA204<03> Flags: <unique><active> | AULA204<20> Flags: <unique><active> | JRO<1e> Flags: <group><active> |_ JRO<00> Flags: <group><active> | smb-os-discovery: | OS: Unix (Samba 3.5.8) | Computer name: aula204 | Domain name: jro.es | FQDN: aula204.jro.es | NetBIOS computer name: |_ System time: 2012-11-20 17:05:22 UTC+1 |_smbv2-enabled: Server doesn't support SMBv2 protocol TRACEROUTE HOP RTT ADDRESS 1 0.28 ms 172.18.1.35 Nmap scan report for 172.18.1.36 Host is up (0.00081s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 5405/tcp open netsupport NetSupport PC remote control (Name AULA113) MAC Address: 00:24:8C:D8:A8:CF (Asustek Computer) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Microsoft Windows 2000|XP OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 OS details: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 or SP3, Microsoft Windows XP SP3 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=255 (Good luck!) IP ID Sequence Generation: Incremental TRACEROUTE HOP RTT ADDRESS 1 0.81 ms 172.18.1.36 Nmap scan report for 172.18.1.37 Host is up (0.00088s latency). 
Not shown: 997 filtered ports PORT STATE SERVICE VERSION 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 5405/tcp open netsupport NetSupport PC remote control (Name AULA103) MAC Address: 00:24:8C:D8:A8:F4 (Asustek Computer) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows XP|2000|2003 (98%) OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2003 Aggressive OS guesses: Microsoft Windows XP SP2 or SP3 (98%), Microsoft Windows 2000 SP4 (98%), Microsoft Windows XP SP2 (95%), Microsoft Windows XP SP3 (94%), Microsoft Windows 2000 (93%), Microsoft Windows XP SP3 or Small Business Server 2003 (93%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows Small Business Server 2003 (92%), Microsoft Windows XP Professional SP2 (92%), Microsoft Windows Server 2003 SP0 or Windows XP SP2 (92%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop TCP Sequence Prediction: Difficulty=254 (Good luck!) 
IP ID Sequence Generation: Incremental Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | nbstat: | NetBIOS name: AULA103, NetBIOS user: <unknown>, NetBIOS MAC: 00:24:8c:d8:a8:f4 (Asustek Computer) | Names | AULA103<00> Flags: <unique><active> | JRO<00> Flags: <group><active> |_ AULA103<20> Flags: <unique><active> | smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager) | Computer name: aula103 | Domain name: jro.es | FQDN: aula103.jro.es | NetBIOS computer name: AULA103 | NetBIOS domain name: JRO |_ System time: 2012-11-20 17:05:38 UTC+1 |_smbv2-enabled: Server doesn't support SMBv2 protocol | smb-security-mode: | Account that was used for smb scripts: <blank> | User-level authentication | SMB Security: Challenge/response passwords supported |_ Message signing disabled (dangerous, but default) TRACEROUTE HOP RTT ADDRESS 1 0.88 ms 172.18.1.37 Nmap scan report for 172.18.1.38 Host is up (0.0013s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 5405/tcp open netsupport NetSupport PC remote control (Name AULA101) MAC Address: 00:24:8C:D8:A9:64 (Asustek Computer) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Microsoft Windows 2000|XP OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 OS details: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 or SP3 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=264 (Good luck!) IP ID Sequence Generation: Incremental TRACEROUTE HOP RTT ADDRESS 1 1.34 ms 172.18.1.38 Nmap scan report for 172.18.1.39 Host is up (0.00078s latency). 
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
5405/tcp open netsupport NetSupport PC remote control (Name AULA111)
MAC Address: 00:24:8C:D8:9E:58 (Asustek Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 or SP3, Microsoft Windows XP SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE
HOP RTT ADDRESS
1 0.78 ms 172.18.1.39

Nmap scan report for 172.18.1.40
Host is up (0.00030s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
MAC Address: 00:24:8C:D8:9E:2A (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=250 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| nbstat:
|   NetBIOS name: AULA110, NetBIOS user: <unknown>, NetBIOS MAC: 00:24:8c:d8:9e:2a (Asustek Computer)
|   Names
|     AULA110<00> Flags: <unique><active>
|     JRO<00> Flags: <group><active>
|     AULA110<20> Flags: <unique><active>
|_    JRO<1e> Flags: <group><active>
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: aula110
|   Domain name: jro.es
|   Forest name: jro.es
|   FQDN: aula110.jro.es
|   NetBIOS computer name: AULA110
|   NetBIOS domain name: JRO
|_  System time: 2012-11-20 16:59:51 UTC-3

TRACEROUTE
HOP RTT ADDRESS
1 0.30 ms 172.18.1.40

Nmap scan report for 172.18.1.41
Host is up (0.00069s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
5405/tcp open netsupport NetSupport PC remote control (Name AULA112)
MAC Address: 00:24:8C:D8:9E:28 (Asustek Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3, Microsoft Windows XP SP3
Network Distance: 1 hop

Title: Re: Project test Posted by: _OLAYA_ on 30 May 2013, 00:29 am
Well, I tried to start this year's project too early, and since I didn't have time I set this aside... but now it's the moment of truth and I'm diving in fully!!
Title: Re: Project test Posted by: _OLAYA_ on 30 May 2013, 00:30 am
(http://img547.imageshack.us/img547/7568/topologia0.png)
Title: Re: Project test Posted by: _OLAYA_ on 30 May 2013, 00:50 am
I'm going to explain a bit about the topology we have to audit.
It is a building with several floors in which most of the network is on the top floor, which consists of 2 classrooms and, in between them, "La pecera" (the fishbowl), which is a very shabby version of a data center. Inside the pecera we have a heap of computer equipment, papers, boxes... everything a data center should not have... Now, focusing on the topology (inside the pecera):
------------------------------------------------------------------
*****SERVER:
-SERVER 2008R2 SP1
-AD
-Domain: jro.es
-DHCP RANGE 172.18.1.2 172.18.1.254
-DNS: 127.0.0.1
 FORWARDERS: 8.8.4.4 80.58.0.22
It has 2 network cards, each connected to a switch to separate the 1st-year and 2nd-year classes, and each switch is connected to the main switch
It has 2 HDDs:
1-DATA (folders+users+permissions)
2-Backup
----------------------------------------------------------------------------------
******SERVIDOR-VIEJO (old server)
-SERVER2003 (NOT UPDATED)
-It is one more machine within the domain (so that the 1st-year students can access the Cisco material in case the network goes down)
-APACHE 2.2.4
----------------------------------------------------------------------------------
HDD-PECERA
It is a network hard disk
Linksys wireless-G WAP
---------------------------------------------------------------------------------
Teacher's PC w7
---------------------------------------------------------------------------------
The 2 classrooms:
LAN1 (1ASIR) 20 machines with w7
LAN2 (2ASIR) 20 machines with ubuntu 11.10
---------------------------------------------------------------------------------
Title: Re: Project test Posted by: _OLAYA_ on 30 May 2013, 00:53 am
The router is 2 floors further down, but connected by cable to the main switch upstairs. We don't have the router's specifications yet, but we do know that it sits next to the proxy (SONICWALL) 172.18.1.1
Title: Re: Project test Posted by: _OLAYA_ on 30 May 2013, 01:04 am
Right, now we have to divide the audit into phases, but honestly we aren't entirely clear on it yet; the phases we are sure of are:
-Study of the topology and how to improve it
-Network scan
-Vulnerabilities
-Conclusions
Even so, I'm open to you giving me a hand here... Right, obvious things we have seen without getting very serious about it:
-Organize the data center properly, moving the servers to another room among those downstairs, with proper temperature; try to make the backups somewhere else; from Backtrack we very easily got a remote shell on server2003 through ports 135 and 445; in addition, we know that the password is the same for server2008, so we will look at extracting the SAM and cracking it; we know that the main switch is configurable and that it is simply plugged in with everything at defaults; and we want to look into the wifi...
I imagine more things will come up as we go... since we are going to document every step we take with images and everything, I'll be uploading them here... as well as any doubts I have, in case you can give us a hand... that's all for today... more tomorrow
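For the "Vulnerabilities" and "how to fix the flaws" parts of the report, the scan output posted above can be reduced to one line of hardening gaps per machine. The following is an added example, not part of the original posts: it parses Nmap's normal text output (also when flattened onto one line, as on this page), the sample input is an abridged excerpt of the posted scan, and the finding labels and function names are this example's own.

```python
import re

# Abridged excerpt of the scan output posted in this thread, flattened as on the page.
SAMPLE = (
    "Nmap scan report for 172.18.1.38 Host is up (0.0013s latency). "
    "5405/tcp open netsupport NetSupport PC remote control (Name AULA101) "
    "Running: Microsoft Windows 2000|XP Network Distance: 1 hop "
    "Nmap scan report for 172.18.1.40 Host is up (0.00030s latency). "
    "135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn "
    "445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds "
    "912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP) "
    "Running: Microsoft Windows XP|2003 Host script results: "
    "|_smbv2-enabled: Server doesn't support SMBv2 protocol "
    "| nbstat: | NetBIOS name: AULA110, NetBIOS user: <unknown> "
    "| smb-security-mode: |_ Message signing disabled (dangerous, but default) "
)

# Labels are this example's wording; each pattern keys on text Nmap itself printed.
CHECKS = [
    (r"Message signing disabled", "SMB signing disabled"),
    (r"doesn't support SMBv2", "no SMBv2 support (SMBv1 only)"),
    (r"Running[^:]*: Microsoft Windows (?:[\w.]+\|)*(?:XP|2000|2003)\b", "legacy Windows fingerprint"),
    (r"\d+/tcp open netsupport", "remote-control service exposed"),
]

HOST_RE = re.compile(r"Nmap scan report for (\S+)")
PORT_RE = re.compile(r"\b(\d{1,5})/tcp open (\S+)")
NAME_RE = re.compile(r"\(Name (\w+)\)|NetBIOS name: (\w+)")

def parse_hosts(text):
    """Split normal-format Nmap output into one record per scanned host."""
    parts = HOST_RE.split(text)[1:]          # [addr, body, addr, body, ...]
    hosts = []
    for addr, body in zip(parts[0::2], parts[1::2]):
        name = NAME_RE.search(body)
        hosts.append({
            "addr": addr,
            "name": (name.group(1) or name.group(2)) if name else None,
            "open": [(int(p), s) for p, s in PORT_RE.findall(body)],
            "findings": [label for rx, label in CHECKS if re.search(rx, body)],
        })
    return hosts

def report(hosts):  # one line per host that has at least one finding
    return [f"{h['addr']} ({h['name'] or '?'}): " + "; ".join(h["findings"])
            for h in hosts if h["findings"]]

if __name__ == "__main__":
    print("\n".join(report(parse_hosts(SAMPLE))))
```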