This first article in a two-part series deals with tools to find security holes in webservers and workstations. Some of the topics covered are: port scanning, finding NFS security holes, and using lsof.
SNMP is a service which can provide an attacker with very detailed information about the target system and its networking environment. Many standard installations provide this service and often it is not disabled or secured. As an added bonus, this is an UDP service, so it will not show up in standard portscans - it is under the radar of many system administrators.
We are told the type and patchlevel of the system, we get a list of all
interfaces (not shown) and we can even use SNMP to dump the complete routing tables. This is useful to remotely gather information about the topology of the target network and enables us to direct our attacks to the strategically valuable hosts. Together with data taken from the DNS as shown above we will be able to construct a complete network map for the target. If additional management modules are being installed, we get even more important data, such as management information about Oracle, SAP or other remotely controlled subsystems. SNMP is being used in many routers and in RMON network probes, too. If these are not secured properly, we are even able to get traffic measurements from the target.