Apache Security - Ivan Ristic [169]

www.oreilly.com has multiple addresses; using 208.201.239.36
traceroute to www.oreilly.com (208.201.239.36), 30 hops max, 38 byte packets
 1 gw-prtr-44-a.schlund.net (217.160.182.253) 0.238 ms
 2 v999.gw-dist-a.bs.ka.schlund.net (212.227.125.253) 0.373 ms
 3 ge-41.gw-backbone-b.bs.ka.schlund.net (212.227.116.232) 0.535 ms
 4 pos-80.gw-backbone-b.ffm.schlund.net (212.227.112.127) 3.210 ms
 5 cr02.frf02.pccwbtn.net (80.81.192.50) 4.363 ms
 6 pos3-0.cr02.sjo01.pccwbtn.net (63.218.6.66) 195.201 ms
 7 layer42.ge4-0.4.cr02.sjo01.pccwbtn.net (63.218.7.6) 187.701 ms
 8 2.fast0-1.gw.equinix-sj.sonic.net (64.142.0.21) 185.405 ms
 9 fast5-0-0.border.sr.sonic.net (64.142.0.13) 191.517 ms
10 eth1.dist1-1.sr.sonic.net (208.201.224.30) 192.652 ms
11 www.oreillynet.com (208.201.239.36) 190.662 ms

The traceroute output shows the route packets take from your location to the target. The last few lines are the ones that matter: the last line is the server itself, and on line 10 (hop 10) we see what is most likely the router connecting the target's network to the Internet.

* * *

Tip


Classic traceroute discovers the path by sending UDP probes with increasing TTL values and depends on the ICMP "time exceeded" replies that each router sends back (Windows tracert sends ICMP echo requests instead). ICMP is often filtered for security reasons; a hop that answers nothing shows up as "* * *", and the trace may never reach the target. An alternative tool, tcptraceroute (http://michael.toren.net/code/tcptraceroute/), performs the same function with TCP SYN probes aimed at a port the target must keep open (port 80 for a web server), so its probes pass packet filters that drop the UDP probes or the ICMP "port unreachable" replies, and the final hop answers with a TCP SYN/ACK or RST. Try tcptraceroute if traceroute does not produce results.

* * *
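As an added example (not code from the book), here is a small Python parser for the traceroute output format shown above that applies the reading rule from the text: it takes the target from the banner line, reports the last answering hop before the target as the probable router, and lists hops that printed "* * *", which is what filtered ICMP looks like and the cue to fall back to tcptraceroute. The first sample is the trace shown above; the second is a constructed trace using RFC 5737 documentation addresses in which nothing answers from hop 4 on. The function and field names are mine.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Banner: "traceroute to www.oreilly.com (208.201.239.36), 30 hops max, 38 byte packets"
BANNER_RE = re.compile(r"traceroute to (?P<name>\S+) \((?P<ip>\d+\.\d+\.\d+\.\d+)\)")
# A hop line is either answered ("11 www.oreillynet.com (208.201.239.36) 190.662 ms")
# or completely silent ("4  * * *"), which is what filtered ICMP looks like.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"
    r"(?:(?P<host>\S+)\s+\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s*(?P<rest>.*?)"
    r"|(?P<lost>\*(?:\s+\*)*))\s*$"
)
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")


class Hop(NamedTuple):
    number: int
    host: Optional[str]   # None when no probe for this hop was answered
    ip: Optional[str]
    rtt_ms: List[float]   # one value per answered probe


def parse_traceroute(text: str) -> Tuple[Optional[str], List[Hop]]:
    """Return (target IP taken from the banner line, hops in order)."""
    target_ip = None
    hops: List[Hop] = []
    for line in text.splitlines():
        banner = BANNER_RE.search(line)
        if banner:
            target_ip = banner.group("ip")
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # notices such as "has multiple addresses", blank lines
        if m.group("lost"):
            hops.append(Hop(int(m.group("hop")), None, None, []))
        else:
            rtts = [float(v) for v in RTT_RE.findall(m.group("rest"))]
            hops.append(Hop(int(m.group("hop")), m.group("host"), m.group("ip"), rtts))
    return target_ip, hops


def describe_path(text: str) -> Dict[str, object]:
    """Reading rule from the text: when the trace reaches the target, the last
    line is the server and the answering hop just before it is most likely the
    router connecting the target's network to the Internet."""
    target_ip, hops = parse_traceroute(text)
    answered = [h for h in hops if h.ip is not None]
    reached = bool(hops) and hops[-1].ip is not None and hops[-1].ip == target_ip
    return {
        "target_ip": target_ip,
        "hop_count": len(hops),
        "reached": reached,
        "server": hops[-1] if reached else None,
        "router": answered[-2] if reached and len(answered) >= 2 else None,
        "last_answering_hop": answered[-1].number if answered else None,
        "silent_hops": [h.number for h in hops if h.ip is None],
    }


# Sample 1: the trace from the text above.
PAGE_TRACE = """\
www.oreilly.com has multiple addresses; using 208.201.239.36
traceroute to www.oreilly.com (208.201.239.36), 30 hops max, 38 byte packets
 1 gw-prtr-44-a.schlund.net (217.160.182.253) 0.238 ms
 2 v999.gw-dist-a.bs.ka.schlund.net (212.227.125.253) 0.373 ms
 3 ge-41.gw-backbone-b.bs.ka.schlund.net (212.227.116.232) 0.535 ms
 4 pos-80.gw-backbone-b.ffm.schlund.net (212.227.112.127) 3.210 ms
 5 cr02.frf02.pccwbtn.net (80.81.192.50) 4.363 ms
 6 pos3-0.cr02.sjo01.pccwbtn.net (63.218.6.66) 195.201 ms
 7 layer42.ge4-0.4.cr02.sjo01.pccwbtn.net (63.218.7.6) 187.701 ms
 8 2.fast0-1.gw.equinix-sj.sonic.net (64.142.0.21) 185.405 ms
 9 fast5-0-0.border.sr.sonic.net (64.142.0.13) 191.517 ms
10 eth1.dist1-1.sr.sonic.net (208.201.224.30) 192.652 ms
11 www.oreillynet.com (208.201.239.36) 190.662 ms
"""

# Sample 2: constructed trace (documentation addresses) where ICMP is filtered
# past the border router, so the target is never seen.
FILTERED_TRACE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 38 byte packets
 1 gw.example.net (198.51.100.1) 0.301 ms
 2 core.example.net (198.51.100.254) 1.120 ms
 3 border.example.net (203.0.113.1) 2.450 ms
 4  * * *
 5  * * *
 6  * * *
"""

if __name__ == "__main__":
    for sample in (PAGE_TRACE, FILTERED_TRACE):
        summary = describe_path(sample)
        print(summary["target_ip"], "reached:", summary["reached"],
              "router:", summary["router"], "silent:", summary["silent_hops"])
```

When `reached` is False and `silent_hops` runs to the end of the trace, the path is being filtered somewhere after `last_answering_hop`, and that is the point at which to rerun the trace with tcptraceroute against the service port.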

Port scanning

Port scanning is an active information-gathering technique. It is widely viewed as impolite and, in many places, legally dubious. Only perform port scanning against your own network or where you have written permission from the target.

The purpose of port scanning is to discover active network devices on a given range of addresses and then to analyze each device to discover the services it exposes. In the context of a web security assessment, you will want to know whether a publicly accessible FTP server or a database engine is running on the same server as the web application. If there is one, you may be able to use it as part of your assessment.

* * *

Tip


Services often run unprotected and with default passwords. I once discovered a MySQL server on the same machine as the web server, running with the default root password (which is an empty string). Anyone could have accessed the company's data without bothering with the web application at all.

* * *

The most popular port-scanning tool is Nmap (http://www.insecure.org/nmap/), which is free and very useful. It is a command-line tool, but a freeware frontend called NmapW is available from Syhunt (http://www.syhunt.com/section.php?id=nmapw). In the remainder of this section, I demonstrate how Nmap can be used to learn more about running devices. In all examples, the real IP addresses are masked because they belong to real devices.

The process of discovering active hosts is called a ping sweep: an attempt is made to ping each IP address in the range, and the addresses that respond are reported. Here is a sample run, in which XXX.XXX.XXX.112/28 represents the address range you would type:

# nmap -sP XXX.XXX.XXX.112/28

Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
Host (XXX.XXX.XXX.112) seems to be a subnet broadcast address (returned 1 extra pings).
Host (XXX.XXX.XXX.114) appears to be up.
Host (XXX.XXX.XXX.117) appears to be up.
Host (XXX.XXX.XXX.120) appears to be up.
Host (XXX.XXX.XXX.122) appears to be up.
Host (XXX.XXX.XXX.125) appears to be up.
Host (XXX.XXX.XXX.126) appears to be up.
Host (XXX.XXX.XXX.127) seems to be a subnet broadcast address (returned 1 extra pings).
Nmap run completed -- 16 IP addresses (6 hosts up) scanned in 7 seconds

After that, you can get more information from individual hosts by looking at their TCP ports for active services. The following is sample output from scanning a single host. I have used one of my own servers, since scanning one of O'Reilly's servers without permission would have been inappropriate.

# nmap -sS XXX.XXX.XXX.XXX

Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
The SYN Stealth Scan took 144 seconds to scan 1657 ports.
Interesting
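Nmap's SYN scan (-sS) shown above needs raw sockets, so it runs as root and never completes the TCP handshake, which is why it is called "stealth". The following is an added example, not code from the book or from Nmap, of the simpler TCP connect scan (what Nmap calls -sT) written in Python against the loopback interface, so it runs without root or network access. It starts its own throwaway listener (constructed for the example) so there is something to find, classifies each port as open, closed or filtered the way Nmap reports them, and looks up a service name from the local services database to show how an open port such as 21 or 3306 points at the FTP or MySQL service the text warns about. The function names are mine.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """TCP connect probe of a single port.

    A completed three-way handshake means something is listening ("open").
    An immediate RST (ECONNREFUSED) means nothing listens there ("closed").
    No answer within the timeout usually means a firewall silently dropped
    our SYN, which Nmap reports as "filtered"."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5,
               workers: int = 64) -> Dict[int, str]:
    """Probe every port in parallel and return a mapping port -> state."""
    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), port_list))
    return dict(zip(port_list, states))


def open_ports(results: Dict[int, str]) -> List[int]:
    return sorted(p for p, s in results.items() if s == "open")


def service_name(port: int) -> str:
    """Best-effort name from the local services database (21 -> ftp,
    3306 -> mysql on most systems); 'unknown' when the port is not listed."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Start a throwaway TCP service on an ephemeral port so the scanner has
    something real to find (constructed for this example, not a real service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return          # listener was closed
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Ask the kernel for a free ephemeral port and release it again, which
    gives a port that is closed (nothing listening) for the scan that follows."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, listening = start_listener()
    targets = [listening, reserve_closed_port(), 21, 3306]
    results = scan_ports("127.0.0.1", targets, timeout=1.0)
    for port in targets:
        print(f"{port:5d}/tcp  {results[port]:9s} {service_name(port)}")
    print("open:", open_ports(results))
    srv.close()
```

Because a connect scan completes the handshake, the listening application sees (and may log) the connection, whereas a SYN scan tears the half-open connection down with a RST before the application is ever told about it. A closed port answers with a RST immediately, so "filtered" results that take the full timeout are the signature of a packet filter in front of the host.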
