Reconnaissance: Interpreting Results - Paiet/Tech-Journal-for-Everything GitHub Wiki

Data output

Firewall logs

• Cisco log levels
  • DIAGRAM
• https://tinyurl.com/y79ck62b
• 5 types of logging
  • Console Logging
    • User connected to physical console port sees log messages
    • Router1# logging console
  • Terminal Logging
    • User connected to VTY sees log messages
    • Router1# terminal monitor
  • Buffered Logging
    • Stores logs in RAM
    • Router1# logging buffered 64000
    • Use show logging command to see logs in buffer
  • Syslog Logging
  • SNMP Trap Logging
    • Sends logs to SNMP server
• Log Levels
  • SHOW SIMPLE DIAGRAM
  • 0 Emergencies
    • System shutting down due to missing fan tray
  • 1 Alerts
    • Temperature limit exceeded
  • 2 Critical
    • Memory allocation failures
  • 3 Errors
    • Interface Up/Down messages
  • 4 Warnings
    • Configuration file written to server, via SNMP request
  • 5 Notifications
    • Line protocol Up/Down
  • 6 Information
    • Access-list violation logging
  • 7 Debugging
    • Debug messages

Packet captures

• What can you glean from sniffing network traffic?
  • Clear text info
  • Weak encryption
  • IP addresses
  • Odd connections/traffic
• DEMO: Wireshark of telnet session

NMAP scan results

• DEMO: nmap -A -T4 -n -p- 192.168.55.X

Event logs

• DEMO: Bruteforce login attempt of RDP
  • Local Security Policy
  • Enable logon audits
  • Attempt rdp connection
  • Check event viewer for security logon failures

Syslogs

• DEMO: cat /var/log/syslog

IDS report

Tools

SIEM (Security Information and Event Management)

• OSSIM
• AlienVault

Packet analyzer

• Wireshark
• TCPDUMP

IDS

• Snort
• Bro

Resource monitoring tool

• Solarwinds
• Nagios
• Built-in

Netflow analyzer