When it comes to hacking and network security, most holes are found by accident. It’s important to proactively scan your network for problems so that you are not caught by surprise later. With computer and network security you have to make sure you have permission to do the scanning, or you could find yourself in a world of hurt. It is illegal to access data that is not yours and that you don’t have permission to access. I’m writing this post for personal networking purposes, so that you can protect your own networks, not so that you can do harm to another person.
At work, I’m not on the LAN team, nor am I ‘officially’ part of the network security team, but I have permission from both teams to help test our public wireless network since they know I enjoy hacking and network security. They are short-staffed and do not have the manpower or time to manage every aspect of such a large wireless network, 100% of the time. I have personally found a few other security holes on our wireless network, and helped to secure it because I have found banking data, and other account information floating around for anyone to see, and now those things are closed and secured again the way they should be.
Today I found a problem that caused me to alert the LAN team immediately, without even taking the time to run multiple tests and gather extra proof; since they know I know what I’m talking about, having a proof of concept is enough for them to take me seriously. Today I was using rediscover (which I’ve posted about before) and found a few MAC addresses from non-standard manufacturers (at least by our company standard). Since it was a manufacturer I don’t normally see, it drew my curiosity and I decided to nmap the host. I found normal ports running, like Windows file sharing (SMB) and Remote Desktop, but nmap was also able to give me the user ID and operating system.
The first point of alarm is that all peer communication is supposed to be turned off on our public network, and I should not even be able to tell a host is live, let alone see what services are running. To make sure I was seeing a true report of services, I fired up my RDP client and was presented with a Windows login screen. Since this is a security issue in itself, I did a user lookup and went to the internal IT group who supports this user. My friend who supports him noticed that he was using a hard-wired connection to the LAN, which means that he was connected both to the corporate LAN (with all the sensitive data) AND the wide open wireless network, so if an attacker was able to compromise this user’s machine, they would have access to a treasure trove of intellectual property.
The moral of the story is this: constantly check your network for its security, and ONLY use one connection at a time. If you are using a wired connection, disable your wireless, because otherwise you open your LAN to attack; and if you are using wireless, don’t plug into a LAN.
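One way to enforce the "one connection at a time" rule on a Windows client, as an added example that is not from the original post: the script below reports whether the machine is up on a wired and a wireless adapter at the same time and, if so, disables the wireless one. It assumes Windows 8 / Server 2012 or later (the NetAdapter module) and an elevated PowerShell session; the function names are my own.

```powershell
# Added example (not from the original post): detect a dual-homed Windows host
# (wired + wireless both up) and disable the wireless adapter(s).
# Assumes Windows 8 / Server 2012 or later and an elevated session.

function Get-DualHomedState {
    # Physical adapters only, so virtual, VPN and loopback adapters are ignored.
    $adapters = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })

    # Get-NetAdapter reports Ethernet as '802.3' and Wi-Fi as 'Native 802.11'.
    $wired    = @($adapters | Where-Object { $_.PhysicalMediaType -eq '802.3' })
    $wireless = @($adapters | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' })

    [PSCustomObject]@{
        Wired     = @($wired    | Select-Object -ExpandProperty Name)
        Wireless  = @($wireless | Select-Object -ExpandProperty Name)
        DualHomed = ($wired.Count -gt 0 -and $wireless.Count -gt 0)
    }
}

function Disable-WirelessWhenWired {
    param([switch]$WhatIf)   # pass -WhatIf to only report what would be disabled

    $state = Get-DualHomedState
    if (-not $state.DualHomed) {
        Write-Host "OK: not dual-homed (wired: $($state.Wired -join ','); wireless: $($state.Wireless -join ','))"
        return $state
    }

    Write-Warning "Host is up on wired [$($state.Wired -join ',')] and wireless [$($state.Wireless -join ',')] at the same time"
    foreach ($name in $state.Wireless) {
        # -Confirm:$false suppresses the interactive prompt; -WhatIf still honours a dry run.
        Disable-NetAdapter -Name $name -Confirm:$false -WhatIf:$WhatIf
        Write-Host "Disabled wireless adapter: $name"
    }
    return $state
}

Disable-WirelessWhenWired
```

Run it as a scheduled task on network-change events, or, for a centrally managed fleet, use the Group Policy setting "Prohibit connection to non-domain networks when connected to domain authenticated network" under Windows Connection Manager, which achieves the same goal without a script.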