Well, this year I'm finishing the ASIR higher-level vocational module, and at the end of the year we have to hand in a project. We have several ideas, and one of them is to do a security audit of the school. I'll be posting the progress here for those who may learn something from it and for those who can help me out (which I'm sure will be more of you). We're short on time, so I'll be going fairly slowly...
This is the data that should be filled in by the time I finish!
-INDEX
-OBJECTIVE
-SCENARIO
-DEVELOPMENT:
1. Target enumeration
2. Target selection
3. Attack
4. Result
-CONCLUSIONS
I would add one more item: how to fix the flaws...
Well, we've done a scan of our LAN with Zenmap and I'm posting the results here, which we'll be going through step by step...
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-20 16:55 CET
Initiating NSE at 16:59
NSE Timing: About 47.98% done; ETC: 17:00 (0:00:34 remaining)
Completed NSE at 17:01, 138.93s elapsed
Nmap scan report for 172.18.0.2
Host is up (0.00044s latency).
Not shown: 983 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB14556)
88/tcp open kerberos-sec Windows 2003 Kerberos (server time: 2012-11-20 16:01:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open netbios-ssn
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap
3269/tcp open globalcatLDAPssl?
3389/tcp open ms-wbt-server?
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
MAC Address: 78:2B:CB:3F:F7:EC (Dell)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|Vista|2008
OS CPE: cpe:/o:microsoft:windows_7::professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7
Uptime guess: 4.575 days (since Fri Nov 16 03:14:19 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| nbstat:
| NetBIOS name: SERVIDOR, NetBIOS user: <unknown>, NetBIOS MAC: 78:2b:cb:3f:f7:ec (Dell)
| Names
| JRO<00> Flags: <group><active>
| SERVIDOR<00> Flags: <unique><active>
| JRO<1c> Flags: <group><active>
| SERVIDOR<20> Flags: <unique><active>
|_ JRO<1b> Flags: <unique><active>
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing required
|_smbv2-enabled: Server supports SMBv2 protocol
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| NetBIOS computer name: SERVIDOR
| Workgroup: JRO
|_ System time: 2012-11-20 17:05:54 UTC+1
TRACEROUTE
HOP RTT ADDRESS
1 0.44 ms 172.18.0.2
Nmap scan report for 172.18.0.3
Host is up (0.00032s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.4 ((Win32))
|_http-title: Site doesn't have a title (text/html).
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1032/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server?
MAC Address: 00:E0:18:22:33:CF (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows 2000|XP|2003
OS CPE: cpe:/o:microsoft:windows_2000::sp2 cpe:/o:microsoft:windows_2000::sp3 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2003::- cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: <blank>
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| nbstat:
| NetBIOS name: SERVIDOR-VIEJO, NetBIOS user: <unknown>, NetBIOS MAC: 00:e0:18:22:33:cf (Asustek Computer)
| Names
| SERVIDOR-VIEJO<00> Flags: <unique><active>
| JRO<00> Flags: <group><active>
| SERVIDOR-VIEJO<20> Flags: <unique><active>
|_ JRO<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows Server 2003 3790 (Windows Server 2003 5.2)
| Computer name: servidor-viejo
| Domain name: jro.es
| Forest name: jro.es
| FQDN: servidor-viejo.jro.es
| NetBIOS computer name: SERVIDOR-VIEJO
| NetBIOS domain name: JRO
|_ System time: 2012-11-20 17:06:06 UTC+1
TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 172.18.0.3
Nmap scan report for 172.18.0.4
Host is up (0.00024s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Linksys wireless-G WAP http config (Name NET Disk)
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-title: 401 Unauthorized
| http-auth:
| HTTP/1.0 401 Unauthorized
|_ Basic realm=NET Disk
139/tcp open netbios-ssn
2869/tcp open tcpwrapped
10243/tcp open unknown
MAC Address: 00:80:5A:67:4E:15 (Tulip Computers Internat'l B.V)
Device type: storage-misc|print server
Running: Argosy embedded, Asmax embedded, Freecom embedded, Iomega embedded
OS details: Asmax NAS-USB print server; or Argosy HD354N, Freecom Network Drive, or Iomega Home Media Network Hard Drive NAS device
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=93 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Device: WAP
Host script results:
| smb-os-discovery:
| OS: (R)
| NetBIOS computer name:
| Workgroup:
|_ System time: 1901-12-13 20:45:52 UTC+8
| nbstat:
| NetBIOS name: HDDPECERA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| HDDPECERA<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ HDDPECERA<20> Flags: <unique><active>
TRACEROUTE
HOP RTT ADDRESS
1 0.24 ms 172.18.0.4
Nmap scan report for 172.18.0.35
Host is up (0.00035s latency).
Not shown: 983 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB14556)
88/tcp open kerberos-sec Windows 2003 Kerberos (server time: 2012-11-20 16:01:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open netbios-ssn
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap
3269/tcp open globalcatLDAPssl?
3389/tcp open ms-wbt-server?
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
MAC Address: 78:2B:CB:3F:F7:ED (Dell)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|Vista|2008
OS CPE: cpe:/o:microsoft:windows_7::professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2 or Windows Server 2008
Uptime guess: 4.575 days (since Fri Nov 16 03:14:19 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smbv2-enabled: Server supports SMBv2 protocol
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| NetBIOS computer name: SERVIDOR
| Workgroup: JRO
|_ System time: 2012-11-20 17:05:08 UTC+1
| nbstat:
| NetBIOS name: SERVIDOR, NetBIOS user: <unknown>, NetBIOS MAC: 78:2b:cb:3f:f7:ed (Dell)
| Names
| JRO<00> Flags: <group><active>
| SERVIDOR<00> Flags: <unique><active>
| JRO<1c> Flags: <group><active>
| SERVIDOR<20> Flags: <unique><active>
|_ JRO<1b> Flags: <unique><active>
| smb-security-mode:
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing required
TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms 172.18.0.35
Nmap scan report for 172.18.1.1
Host is up (0.00046s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.4 (protocol 2.0)
|_ssh-hostkey: 1024 74:b8:ff:fc:84:cd:49:76:e8:e7:4a:c8:8f:71:4d:68 (RSA)
80/tcp open http SonicWALL firewall http config
|_http-title: Document Moved
443/tcp open ssl/http SonicWALL firewall http config
|_http-title: SonicWALL - Authentication
| ssl-cert: Subject: commonName=192.168.168.168/organizationName=HTTPS Management Certificate for SonicWALL (self-signed)/stateOrProvinceName=California/countryName=US
| Issuer: commonName=192.168.168.168/organizationName=HTTPS Management Certificate for SonicWALL (self-signed)/stateOrProvinceName=California/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 1970-01-01 00:00:01
| Not valid after: 2038-01-19 03:14:07
| MD5: 0f6c 7e39 7538 b632 1141 d2dc 8051 f651
|_SHA-1: 7867 116f bea4 af7d df9d c587 4217 fd8c 60cf 29f9
MAC Address: C0:EA:E4:09:8D:12 (Sonicwall)
Device type: firewall|WAP|printer|broadband router|storage-misc
Running (JUST GUESSING): SonicWALL SonicOS 5.X|4.X (95%), Apple embedded (92%), Asus Linux 2.6.X (90%), Linux 2.6.X (90%), Ricoh embedded (89%), Wind River VxWorks (87%), Arris embedded (87%), IBM embedded (86%)
OS CPE: cpe:/o:sonicwall:sonicos:5 cpe:/h:asus:rt-n16 cpe:/o:asus:linux:2.6 cpe:/o:linux:kernel:2.6.22 cpe:/o:sonicwall:sonicos:4 cpe:/o:windriver:vxworks cpe:/h:arris:tm602b
Aggressive OS guesses: SonicWALL SonicOS Enhanced 5.2 (95%), Apple AirPort Express WAP v6.3 (92%), Asus RT-N16 WAP (Linux 2.6) (90%), Tomato 1.28 (Linux 2.6.22) (90%), Ricoh Aficion SP 4100N printer (89%), SonicWALL TZ 190 firewall (SonicOS Enhanced 4.0) (87%), VxWorks (87%), Arris TM602B cable modem (87%), Fujitsu Externus DX80 or IBM DCS9900 NAS device (86%), Netgear DG834G WAP or Western Digital WD TV media player (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Device: firewall
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 172.18.1.1
Nmap scan report for 172.18.1.3
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
MAC Address: BC:AE:C5:D7:A5:67 (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.2
Uptime guess: 0.056 days (since Tue Nov 20 15:40:47 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.5.8)
| Computer name: aula212
| Domain name: jro.es
| FQDN: aula212.jro.es
| NetBIOS computer name:
|_ System time: 2012-11-20 17:05:07 UTC+1
| smb-security-mode:
| Account that was used for smb scripts: <blank>
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| nbstat:
| NetBIOS name: AULA212, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| AULA212<00> Flags: <unique><active>
| AULA212<03> Flags: <unique><active>
| AULA212<20> Flags: <unique><active>
| JRO<1e> Flags: <group><active>
|_ JRO<00> Flags: <group><active>
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 172.18.1.3
Nmap scan report for 172.18.1.4
Host is up (0.00061s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.21 ((Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1)
|_http-title: Site doesn't have a title (text/html).
|_http-favicon: Unknown favicon MD5: 3BD2EC61324AD4D27CB7B0F484CD4289
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open ssl/http Apache httpd 2.2.21 ((Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1)
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-favicon: Unknown favicon MD5: 3BD2EC61324AD4D27CB7B0F484CD4289
|_http-title: Site doesn't have a title (text/html).
|_sslv2: server still supports SSLv2
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2009-11-10 23:48:47
| Not valid after: 2019-11-08 23:48:47
| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
|_SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
445/tcp open netbios-ssn
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
3306/tcp open mysql MySQL (unauthorized)
16992/tcp closed amt-soap-http
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
MAC Address: BC:AE:C5:76:B6:2B (Asustek Computer)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.01%E=4%D=11/20%OT=80%CT=16992%CU=43129%PV=Y%DS=1%DC=D%G=Y%M=BCA
OS:EC5%TM=50ABA961%P=i686-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=I%II=I%S
OS:S=S%TS=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST1
OS:1%O5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000
OS:%W6=2000)ECN(R=Y%DF=Y%T=81%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=81%
OS:S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=81%W=2000%S=Z%A
OS:=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=81%IPL=164%UN=0%RIPL=G%R
OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=81%CD=Z)
Uptime guess: 1.362 days (since Mon Nov 19 08:19:48 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| nbstat:
| NetBIOS name: PCPROFDCH, NetBIOS user: <unknown>, NetBIOS MAC: bc:ae:c5:76:b6:2b (Asustek Computer)
| Names
| PCPROFDCH<20> Flags: <unique><active>
| PCPROFDCH<00> Flags: <unique><active>
| JRO<00> Flags: <group><active>
|_ JRO<1e> Flags: <group><active>
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.61 ms 172.18.1.4
Nmap scan report for 172.18.1.10
Host is up (0.00025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
MAC Address: BC:AE:C5:76:B6:23 (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.0
Uptime guess: 0.039 days (since Tue Nov 20 16:05:24 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| nbstat:
| NetBIOS name: AULA208, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| AULA208<00> Flags: <unique><active>
| AULA208<03> Flags: <unique><active>
| AULA208<20> Flags: <unique><active>
| JRO<1e> Flags: <group><active>
|_ JRO<00> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: <blank>
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.5.8)
| Computer name: aula208
| Domain name: jro.es
| FQDN: aula208.jro.es
| NetBIOS computer name:
|_ System time: 2012-11-20 17:06:03 UTC+1
TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 172.18.1.10
Nmap scan report for 172.18.1.11
Host is up (0.00038s latency).
All 1000 scanned ports on 172.18.1.11 are closed
MAC Address: BC:AE:C5:D7:A5:8F (Asustek Computer)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms 172.18.1.11
Nmap scan report for 172.18.1.12
Host is up (0.00028s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
MAC Address: BC:AE:C5:76:B3:DE (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.2
Uptime guess: 0.076 days (since Tue Nov 20 15:11:50 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
| nbstat:
| NetBIOS name: AULA209, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| AULA209<00> Flags: <unique><active>
| AULA209<03> Flags: <unique><active>
| AULA209<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| JRO<1d> Flags: <unique><active>
| JRO<1e> Flags: <group><active>
|_ JRO<00> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.5.8)
| Computer name: aula209
| Domain name: jro.es
| FQDN: aula209.jro.es
| NetBIOS computer name:
|_ System time: 2012-11-20 17:05:51 UTC+1
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms 172.18.1.12
Nmap scan report for 172.18.1.16
Host is up (0.00021s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
5405/tcp open netsupport NetSupport PC remote control (Name TIC4)
MAC Address: 00:1A:A0:55:D7:46 (Dell)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms 172.18.1.16
Nmap scan report for 172.18.1.19
Host is up (0.00027s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
MAC Address: BC:AE:C5:D7:A5:BD (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.0
Uptime guess: 0.068 days (since Tue Nov 20 15:23:50 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=186 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
| nbstat:
| NetBIOS name: AULA206, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| AULA206<00> Flags: <unique><active>
| AULA206<03> Flags: <unique><active>
| AULA206<20> Flags: <unique><active>
| JRO<1e> Flags: <group><active>
|_ JRO<00> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: <blank>
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.5.8)
| Computer name: aula206
| Domain name: jro.es
| FQDN: aula206.jro.es
| NetBIOS computer name:
|_ System time: 2012-11-20 17:05:05 UTC+1
TRACEROUTE
HOP RTT ADDRESS
1 0.27 ms 172.18.1.19
Nmap scan report for 172.18.1.20
Host is up (0.00028s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 61:6e:d4:5d:70:32:74:45:43:5e:5e:ae:02:5d:ed:51 (DSA)
|_2048 ab:5b:80:ac:04:68:a7:9f:33:00:d3:3e:0e:d7:24:e1 (RSA)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
MAC Address: BC:AE:C5:76:B6:28 (Asustek Computer)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:kernel:3
OS details: Linux 3.0 - 3.1
Uptime guess: 0.035 days (since Tue Nov 20 16:10:35 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.5.11)
| Computer name: aula211
| Domain name: jro.es
| FQDN: aula211.jro.es
| NetBIOS computer name:
| NetBIOS domain name: JRO
|_ System time: 2012-11-20 17:05:08 UTC+1
| nbstat:
| NetBIOS name: AULA211, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| AULA211<00> Flags: <unique><active>
| AULA211<03> Flags: <unique><active>
| AULA211<20> Flags: <unique><active>
| JRO<1e> Flags: <group><active>
|_ JRO<00> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: <blank>
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms 172.18.1.20
Nmap scan report for 172.18.1.23
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
MAC Address: BC:AE:C5:76:B6:36 (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.2
Uptime guess: 0.040 days (since Tue Nov 20 16:04:14 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
| nbstat:
| NetBIOS name: AULA216, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| AULA216<00> Flags: <unique><active>
| AULA216<03> Flags: <unique><active>
| AULA216<20> Flags: <unique><active>
| JRO<1e> Flags: <group><active>
|_ JRO<00> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.5.8)
| Computer name: aula216
| Domain name: jro.es
| FQDN: aula216.jro.es
| NetBIOS computer name:
|_ System time: 2012-11-20 17:05:15 UTC+1
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.12 ms 172.18.1.23
Nmap scan report for 172.18.1.29
Host is up (0.00025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
MAC Address: BC:AE:C5:D7:A6:3E (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.0
Uptime guess: 0.071 days (since Tue Nov 20 15:19:04 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| nbstat:
| NetBIOS name: AULA214, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| AULA214<00> Flags: <unique><active>
| AULA214<03> Flags: <unique><active>
| AULA214<20> Flags: <unique><active>
| JRO<1e> Flags: <group><active>
|_ JRO<00> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: <blank>
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.5.8)
| Computer name: aula214
| Domain name: jro.es
| FQDN: aula214.jro.es
| NetBIOS computer name:
|_ System time: 2012-11-20 17:05:14 UTC+1
TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 172.18.1.29
Nmap scan report for 172.18.1.33
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
MAC Address: BC:AE:C5:76:B6:08 (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.0
Uptime guess: 0.066 days (since Tue Nov 20 15:26:15 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| nbstat:
| NetBIOS name: AULA207, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| AULA207<00> Flags: <unique><active>
| AULA207<03> Flags: <unique><active>
| AULA207<20> Flags: <unique><active>
| JRO<1e> Flags: <group><active>
|_ JRO<00> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.5.8)
| Computer name: aula207
| Domain name: jro.es
| FQDN: aula207.jro.es
| NetBIOS computer name:
|_ System time: 2012-11-20 17:05:32 UTC+1
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 172.18.1.33
Nmap scan report for 172.18.1.35
Host is up (0.00028s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (protocol 2.0)
| ssh-hostkey: 1024 fc:5a:a1:13:b4:a4:a2:2e:33:dc:00:11:fa:32:c1:8a (DSA)
|_2048 f9:4a:eb:0f:a4:07:64:7b:b8:73:6c:18:5c:b0:9f:32 (RSA)
135/tcp open msrpc?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: JRO)
MAC Address: BC:AE:C5:D7:A6:0C (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.0
Uptime guess: 0.067 days (since Tue Nov 20 15:25:31 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=203 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Host script results:
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| nbstat:
| NetBIOS name: AULA204, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| AULA204<00> Flags: <unique><active>
| AULA204<03> Flags: <unique><active>
| AULA204<20> Flags: <unique><active>
| JRO<1e> Flags: <group><active>
|_ JRO<00> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.5.8)
| Computer name: aula204
| Domain name: jro.es
| FQDN: aula204.jro.es
| NetBIOS computer name:
|_ System time: 2012-11-20 17:05:22 UTC+1
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms 172.18.1.35
Nmap scan report for 172.18.1.36
Host is up (0.00081s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
5405/tcp open netsupport NetSupport PC remote control (Name AULA113)
MAC Address: 00:24:8C:D8:A8:CF (Asustek Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 or SP3, Microsoft Windows XP SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Incremental
TRACEROUTE
HOP RTT ADDRESS
1 0.81 ms 172.18.1.36
Nmap scan report for 172.18.1.37
Host is up (0.00088s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
5405/tcp open netsupport NetSupport PC remote control (Name AULA103)
MAC Address: 00:24:8C:D8:A8:F4 (Asustek Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|2000|2003 (98%)
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_server_2003
Aggressive OS guesses: Microsoft Windows XP SP2 or SP3 (98%), Microsoft Windows 2000 SP4 (98%), Microsoft Windows XP SP2 (95%), Microsoft Windows XP SP3 (94%), Microsoft Windows 2000 (93%), Microsoft Windows XP SP3 or Small Business Server 2003 (93%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (92%), Microsoft Windows Small Business Server 2003 (92%), Microsoft Windows XP Professional SP2 (92%), Microsoft Windows Server 2003 SP0 or Windows XP SP2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| nbstat:
| NetBIOS name: AULA103, NetBIOS user: <unknown>, NetBIOS MAC: 00:24:8c:d8:a8:f4 (Asustek Computer)
| Names
| AULA103<00> Flags: <unique><active>
| JRO<00> Flags: <group><active>
|_ AULA103<20> Flags: <unique><active>
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Computer name: aula103
| Domain name: jro.es
| FQDN: aula103.jro.es
| NetBIOS computer name: AULA103
| NetBIOS domain name: JRO
|_ System time: 2012-11-20 17:05:38 UTC+1
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: <blank>
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 0.88 ms 172.18.1.37
Nmap scan report for 172.18.1.38
Host is up (0.0013s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
5405/tcp open netsupport NetSupport PC remote control (Name AULA101)
MAC Address: 00:24:8C:D8:A9:64 (Asustek Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
TRACEROUTE
HOP RTT ADDRESS
1 1.34 ms 172.18.1.38
Nmap scan report for 172.18.1.39
Host is up (0.00078s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
5405/tcp open netsupport NetSupport PC remote control (Name AULA111)
MAC Address: 00:24:8C:D8:9E:58 (Asustek Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 or SP3, Microsoft Windows XP SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
TRACEROUTE
HOP RTT ADDRESS
1 0.78 ms 172.18.1.39
Nmap scan report for 172.18.1.40
Host is up (0.00030s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
MAC Address: 00:24:8C:D8:9E:2A (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=250 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| nbstat:
| NetBIOS name: AULA110, NetBIOS user: <unknown>, NetBIOS MAC: 00:24:8c:d8:9e:2a (Asustek Computer)
| Names
| AULA110<00> Flags: <unique><active>
| JRO<00> Flags: <group><active>
| AULA110<20> Flags: <unique><active>
|_ JRO<1e> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Computer name: aula110
| Domain name: jro.es
| Forest name: jro.es
| FQDN: aula110.jro.es
| NetBIOS computer name: AULA110
| NetBIOS domain name: JRO
|_ System time: 2012-11-20 16:59:51 UTC-3
TRACEROUTE
HOP RTT ADDRESS
1 0.30 ms 172.18.1.40
Nmap scan report for 172.18.1.41
Host is up (0.00069s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
5405/tcp open netsupport NetSupport PC remote control (Name AULA112)
MAC Address: 00:24:8C:D8:9E:28 (Asustek Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3, Microsoft Windows XP SP3
Network Distance: 1 hop
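A defender-side triage of the host script results above, as an added example that is not part of the original post: it parses Nmap normal output and turns the SMB signing, SMBv2 and open-service lines into remediation findings per host. The sample scan text is constructed from the hosts posted above; the set of services to review and the wording of the findings are my assumptions.

```python
import re

# Constructed sample in Nmap "normal output" format, modelled on the scan
# in the post above (addresses and hostnames are the ones posted there).
SAMPLE_SCAN = """\
Nmap scan report for 172.18.1.40
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
|_ Message signing disabled (dangerous, but default)
Nmap scan report for 172.18.1.38
5405/tcp open netsupport NetSupport PC remote control (Name AULA101)
"""

# Assumed list of services worth reviewing when reachable from every student
# seat: classroom remote control plus RPC/SMB endpoints.
REVIEW_SERVICES = {"netsupport", "ms-wbt-server", "msrpc", "microsoft-ds"}


def split_hosts(text):
    """Group the lines of a scan under the host of each 'scan report' header."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            current = m.group(1)
            hosts[current] = []
        elif current is not None:
            hosts[current].append(line)
    return hosts


def audit_host(lines):
    """Return remediation findings derived from one host's port and script lines."""
    body = "\n".join(lines)
    findings = []
    if "Message signing disabled" in body:
        findings.append("SMB signing disabled: require signing via Group Policy")
    if "doesn't support SMBv2" in body:
        findings.append("SMBv1-only host: upgrade or isolate from the student VLAN")
    if re.search(r"smb scripts: guest$", body, re.M):
        findings.append("Guest account answers SMB queries: disable guest access")
    for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", body, re.M):
        if m.group(2) in REVIEW_SERVICES:
            findings.append(f"port {m.group(1)}/tcp ({m.group(2)}) open: restrict by firewall/VLAN")
    return findings


def audit_scan(text):
    return {host: audit_host(lines) for host, lines in split_hosts(text).items()}
```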
Well, I wanted to start this year's project too early, and since I didn't have time I left this aside... but now it's the moment of truth and I'm diving right in!!
(http://img547.imageshack.us/img547/7568/topologia0.png)
I'm going to explain a bit about the topology we have to audit.
It's a multi-storey building in which most of the network is on the top floor, which has 2 classrooms and, between them, "La pecera" (the fishbowl), which is a data centre in a really shoddy version. Inside the fishbowl we have a heap of computer equipment, papers, boxes... everything a data centre shouldn't have...
Now focusing on the topology (inside the fishbowl):
------------------------------------------------------------------
*****SERVER:
-SERVER 2008R2 SP1
-AD
-Domain: jro.es
-DHCP RANGE
172.18.1.2
172.18.1.254
-DNS: 127.0.0.1 FORWARDERS:
8.8.4.4
80.58.0.22
It has 2 network cards, each connected to a switch to separate the 1st-year and 2nd-year classrooms, and each switch connected to the main switch.
It has 2 HDDs:
1-DATA (folders+users+permissions)
2-Backup
----------------------------------------------------------------------------------
******OLD-SERVER
-SERVER2003 (NOT UPDATED)
-It's just another machine inside the domain so that 1st-year students can access the Cisco material in case the network goes down
-APACHE 2.2.4
----------------------------------------------------------------------------------
HDD-PECERA
It's a network hard drive, Linksys Wireless-G WAP
---------------------------------------------------------------------------------
Teacher's PC
W7
---------------------------------------------------------------------------------
The 2 classrooms:
LAN1 (1ASIR)
20 machines with W7
LAN2 (2ASIR)
20 machines with Ubuntu 11.10
---------------------------------------------------------------------------------
The router is 2 floors further down, but connected by cable to the main switch upstairs. We don't have the router's specs yet, but we do know it sits next to the proxy (SONICWALL) 172.18.1.1
OK, now we have to split the audit into phases, but honestly we're not entirely clear on it yet; the phases we're sure about are:
-Study of the topology and how to improve it
-Network scan
-Vulnerabilities
-Conclusions
Even so, I'm open to you giving me a hand here...
OK, obvious things we've seen without getting very serious about it yet:
-Organise the data centre properly, moving the servers to a room separate from the ones downstairs, with proper temperature control, and try to do the backups somewhere else; from Backtrack we got a remote shell on Server 2003 really easily through ports 135 and 445, and we also know the password is the same for Server 2008, so we'll look into extracting the SAM and cracking it; we know the main switch is manageable and is just plugged in with everything at defaults, and we want to look at the wifi side of things...
I imagine more things will come up as we go...
Since we're going to document every step we take with images and everything, I'll be uploading them here... along with any questions I have, in case you can give us a hand...
That's all for today... more tomorrow