neraliu's blog internet profession in between hongkong/china and silicon valley (no longer, but the world!)

14 March 2010

notes on doing some pentest on my isp




it is just some sunday hacking...

  1. first, i use traceroute to find the gateway of my isp; you can simply traceroute some well-known portal, like www.yahoo.com.
    #traceroute www.yahoo.com
    traceroute: Warning: www.yahoo.com has multiple addresses; using 72.30.2.43
    traceroute to any-fp.wa1.b.yahoo.com (72.30.2.43), 64 hops max, 40 byte packets
     1  192.168.8.1 (192.168.8.1)  1.602 ms  0.782 ms  0.712 ms
     2  [gateway_hostname] (XXX.XXX.XXX.254)  18.115 ms  50.441 ms  11.054 ms
  2. second, i am interested in how many hosts are available in this /24 subnet. i use nmap -sP -PN to find out, and many hosts are actually up. anyway, i go back to the gateway as my focus.
    #nmap -sP XXX.XXX.XXX.0/24
    
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-13 17:32 HKT
    Nmap scan report for [hostname] (XXX.XXX.XXX.3)
    Host is up.
    ...
  3. the next thing i am going to do is a heavier probe of the gateway, to see what is actually live on it. i try a TCP SYN scan against the gateway, and below is the result. it seems that all of the services are being protected by some kind of firewall.
    #nmap -sS [gateway_ip]
    
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-14 13:37 HKT
    Nmap scan report for [gateway_hostname] ([gateway_ip])
    Host is up (0.053s latency).
    Not shown: 988 closed ports
    PORT      STATE    SERVICE
    25/tcp    filtered smtp
    80/tcp    filtered http
    111/tcp   filtered rpcbind
    135/tcp   filtered msrpc
    139/tcp   filtered netbios-ssn
    445/tcp   filtered microsoft-ds
    515/tcp   filtered printer
    593/tcp   filtered http-rpc-epmap
    1068/tcp  filtered instl_bootc
    5000/tcp  filtered upnp
    6129/tcp  filtered unknown
    10001/tcp filtered unknown
  4. without giving up, i start the next round of udp scanning and, see, it seems there is something open for us: the snmp service on the host.
    #nmap -sU [gateway_ip]
    
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-14 14:44 HKT
    Nmap scan report for pcd-yck14-1-ex.netvigator.com (116.49.68.254)
    Host is up (0.017s latency).
    Not shown: 986 closed ports
    PORT     STATE         SERVICE
    7/udp    open|filtered echo
    67/udp   open|filtered dhcps
    68/udp   open|filtered dhcpc
    111/udp  open|filtered rpcbind
    123/udp  open|filtered ntp
    135/udp  open|filtered msrpc
    136/udp  open|filtered profile
    137/udp  open|filtered netbios-ns
    138/udp  open|filtered netbios-dgm
    161/udp  open          snmp
    162/udp  open|filtered snmptrap
    445/udp  open|filtered microsoft-ds
    520/udp  open|filtered route
    1434/udp open|filtered ms-sql-m
    
    Nmap done: 1 IP address (1 host up) scanned in 2111.55 seconds
  5. in order to get more of a feel for the host, i enable OS detection in the scan, but no luck with it.
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose|media device|router|switch|printer
    Running (JUST GUESSING) : Apple Mac OS X 10.5.X (91%), Apple iPhone OS 1.X (90%), OpenBSD 4.X (89%), FreeBSD 7.X (88%), Cisco IOS 12.X (88%), Novell NetWare 6.X (87%), HP embedded (86%), Microsoft Windows 2000|98 (86%)
    Aggressive OS guesses: Apple Mac OS X 10.5 (Leopard) (Darwin 9.2.2, x86) (91%), Apple Mac OS X 10.5.5 - 10.6.1 (Leopard - Snow Leopard) (Darwin 9.5.0 - 10.0.0) (91%), Apple iPod touch audio player (iPhone OS 1.1.2 - 1.1.4, Darwin 9.0.0d1) (90%), OpenBSD 4.1 (89%), OpenBSD 4.3 (89%), OpenBSD 4.5 (89%), FreeBSD 7.0-RC1 (88%), FreeBSD 7.0-STABLE (88%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (88%), OpenBSD 4.1 (x86) (88%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 3 hops
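reading the three scans above by eye is fine for one gateway, but the states mean different things and it is easy to over-read them: "filtered" means something dropped the probe, "open|filtered" on udp means no answer at all (unknown, not open), and only "open" means the service actually replied. the -sP -PN combination in step 2 has a catch too: -PN (today spelled -Pn) tells nmap to skip host discovery, so it prints "Host is up." for every address without ever probing it, and the missing latency figure in that output is the tell. the parser below is an added example, not code from the post; it reads nmap 5.x normal output, sorts ports by what the probe proved, and treats a "Host is up." line with no RTT as unverified. the sample scans are constructed here, modelled on the ones above, with placeholder addresses from 192.0.2.0/24 and made-up hostnames.

```python
# Added example, not code from the post: parse Nmap 5.x normal output and sort
# what each probe actually proved.  Sample data below is constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<svc>\S+)")


@dataclass
class Host:
    ip: str
    name: Optional[str] = None
    latency: Optional[float] = None   # None when Nmap printed "Host is up." with no RTT
    ports: List[Tuple[int, str, str, str]] = field(default_factory=list)

    @property
    def discovery_verified(self) -> bool:
        # With -PN (today -Pn) Nmap skips host discovery and prints "Host is up."
        # for every address without a latency figure; only a measured RTT shows
        # that the host really answered a probe.
        return self.latency is not None


def parse_nmap(text: str) -> List[Host]:
    """One Host record per 'Nmap scan report' block in the text."""
    hosts: List[Host] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            hosts.append(Host(ip=m.group("ip1") or m.group("ip2"), name=m.group("name")))
        elif not hosts:
            continue                      # banner lines before the first report
        elif (m := UP_RE.match(line)):
            hosts[-1].latency = float(m.group("lat")) if m.group("lat") else None
        elif (m := PORT_RE.match(line)):
            hosts[-1].ports.append(
                (int(m.group("port")), m.group("proto"), m.group("state"), m.group("svc")))
    return hosts


def exposure(host: Host) -> Dict[str, List[str]]:
    """Bucket ports by Nmap state, i.e. by what the probe proved:
    open          - a reply came back, the service is reachable from here
    open|filtered - UDP probe drew no answer; unknown until a protocol-aware probe is sent
    filtered      - no reply or ICMP unreachable; something is dropping the probe"""
    buckets: Dict[str, List[str]] = {"open": [], "open|filtered": [], "filtered": []}
    for port, proto, state, svc in host.ports:
        buckets.setdefault(state, []).append(f"{port}/{proto} {svc}")
    return buckets


def findings(hosts: List[Host]) -> List[str]:
    """Items worth acting on.  A confirmed-open SNMP on the customer-facing side
    of a gateway, for instance, should be ACLed to management or disabled."""
    out: List[str] = []
    for h in hosts:
        if not h.discovery_verified and not h.ports:
            out.append(f"{h.ip}: reported up without an RTT; discovery was skipped, not confirmed")
        exp = exposure(h)
        out += [f"{h.ip}: confirmed open {entry}" for entry in exp["open"]]
        if exp["open|filtered"]:
            out.append(f"{h.ip}: {len(exp['open|filtered'])} udp ports unanswered (open|filtered)")
    return out


# Constructed samples modelled on the post's scans (placeholder 192.0.2.0/24 addresses).
PING_SWEEP = """\
Nmap scan report for host-3.example (192.0.2.3)
Host is up.
Nmap scan report for 192.0.2.7
Host is up.
"""
SYN_SCAN = """\
Nmap scan report for gw.example (192.0.2.254)
Host is up (0.053s latency).
PORT      STATE    SERVICE
25/tcp    filtered smtp
80/tcp    filtered http
"""
UDP_SCAN = """\
Nmap scan report for gw.example (192.0.2.254)
Host is up (0.017s latency).
PORT     STATE         SERVICE
123/udp  open|filtered ntp
161/udp  open          snmp
"""

if __name__ == "__main__":
    for item in findings(parse_nmap(PING_SWEEP + SYN_SCAN + UDP_SCAN)):
        print(item)
```

feed it `nmap -oN` output from your own gateway and the only "confirmed open" lines you get are services that actually answered; everything in the open|filtered bucket still needs a protocol-aware probe (nmap -sV, or the service's own client) before it counts as exposed.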

did not manage to continue on the snmp, like looking into the community string; need to hang out with my wife...

disclaimer: this article does not encourage people to do anything illegal; those who read this article take on their own responsibilities and risks.
