Network Defence's blog
So you've got your big unknown network, you can see the blinking lights on your switch or router flashing away indicating the huge amounts of traffic zipping it's way from host to host and you want to know what that traffic is...
tcpdump is the tool for you!
On a switched network, to view all traffic on a link you may have to redirect traffic to your collection box using Cisco SPAN(or by using ARP poisoning).
The original pass-the-hash technique has been known about since 1997 but it in my experience it's implications are not widely understood by network administrators.
Understand the pass-the-hash attack
This attack essentially means that an attacker who compromises a single internal host and obtains cached credentials can gain control of ANY other host provided it's reachable on port 139/445 on the network. The attack essentially works by authenticating with the NTLM hash and using PSEXEC to execute code on the remote machine.
As much as we would like to believe that all of the issues we discover on our networks are new and exciting, the sad truth is that there are a number of issues that come up time and time again.
The quicker you learn how to fix and find them the better.
So, in no particular order - here is a list of the most common network issues and how to find/fix them.
So, before we get started....
I want to quickly zoom through 5 essential tools for a Network Defence professional.
These are tools that I use multiple times, everyday and which save me countless hours of effort. Unfortunately, these tools are mostly tools that will exist in your mind... fortunately, they are quick and easy to learn! An evenings worth of learning the basics will give you a good jumping off point.
So, without further ado :
1) Be comfortable at a Linux command line
In this post I aim to explain to you some of the unique challenges that Network Defence offers and how its not just plugging in a firewall or Intrusion Detection System and forgetting about it.