May 02 2010

Getting the Insider view with Nmap and Wireshark

I was recently at a client trying to get a better understanding of their undocumented network to troubleshoot a problem. The only tools that were at my disposal apart from the basic Windows XP networking tools,Nmap, Wireshark, and WirelessKeyView.

Phase 1: “Wireless Network Mapping”

The first thing I did was run Nirsofts’s Wireless key view on a Laptop that was already connected to the Wifi network. After obtaining the Wifi key and connecting to the network I did a Nmap –sP 192.168.1.0/24 to ping sweep the Wifi network to get an idea of hostnames and IP address of the machines that were turned on.

Phase 2: “LAN Mapping”

I noticed a Cisco 2950 series catalysis switch was in one of the offices with several cables connected, so naturally I attempted to connect my Laptop to one of the ports assuming that port security was not turned on.

After connecting to the switch port I noticed that I was not getting an IP address via DHCP, but instead I received a default none Internet routing IP address within the following range, 169.x.x.x .

Now since I was unable to do a ping sweep from this segment, here is where Wireshark comes into the picture. I launched Wireshark and did a passive sniff of the network from my 169.x.x.x IP address, and received exactly what I was looking for, “an IP address, and broadcast scope”.

Fig 1 Wireshark capture screen

What can we learn from this capture?

  1. We can obtain a valid IP address and subnet mass 192.168.76.0/24 , the reason why we know it’s a class C is  because the destination broadcast address was 192.168.76.255.
  2. We can clearly see a hostname for one of the Cisco devices “ComSW13“, and a switch port of interest “FastEthernet 0/21”.
  3. Looking closely you can also notice a printer  “TDYCC_PRINTER”

Phase 3: “Getting Connected”

Now that I have a valid IP range the first thing I did was reconfigured my LAN setting on the Laptop and added a static address of 192.168.76.202/24. Now you might think what’s so special about .202? I  usually like to pick a higher address since the possibility of that address being given out in a DHCP scope is pretty slim.

Now just in case you picked an address and you get an “error message” saying that the address is already in use, just keep picking another address. Once you have a working IP address you can always use a universal DNS address like 4.2.2.2 if you need to get out to the Internet.

At this point you can repeat the same Nmap command “nmap –sP 192.168.76.0/24” and pipe the output to a file for further documentation. Next I ran “nmap –A 192.168.76.0/24” to get a bit more detailed of the host that were found on the network.

And lastly just for fun I ran nmap192.168.76.82 –script=smb-brute.nse and to my surprise the script located several usable username/password to gain basic SMB access to the machine.

Fig 2 Nmap –script=smb-brute.nse

In conclusion with only a few tools you can see how effective it is gain some degree of information on a undocumented network.

Reference:

http://nmap.org/book/

http://www.wireshark.org/

http://www.nirsoft.net/utils/wireless_key.html

Leave a Reply

You must be logged in to post a comment.

Alibi3col theme by Themocracy

css.php
More in Uncategorized (3 of 4 articles)