Detection: use traceroute to find the border router.
Port Scanning: Use Nmap or SuperScan and WUPS to scan TCP and UDP ports. On Linux, use dig to obtain DNS information, e.g. dig -t mx ubalt.edu
- Router ports (book page 398). If no open ports are found, security is in place.
- If you find ports open you may be able to identify the type of device (routers, switches, hubs) and their manufacturers.
OS Identification: use Nmap and the other tools seen previously.
Penetration: Once telnet or shell ports are found, we can connect and use the database of passwords to log in if the administrator failed to change the default password; brute force can also be used.
SNMP: allows checking status and configuration, and changing the configuration. You should restrict its use, if you allow it at all, through your border router.
Backdoors: accounts meant for vendors to enable them to bypass a locked-out administrator, but which offer hackers a back door. Vendors like 3Com, Bay, Cisco and Shiva have created these accounts. Change the defaults!! See also more details in the book, if you manage one of these devices.
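
Added example (not from the book or these notes): a small audit that checks a router configuration for the weak management settings named under Penetration and SNMP above. It assumes Cisco IOS-style syntax in its simplest form (community, RO/RW, optional ACL number); the sample configuration, host name and community strings are constructed.

```python
import re

# Constructed sample in Cisco IOS-style syntax (an assumption; not from the notes).
SAMPLE_CONFIG = """\
hostname border-rtr
snmp-server community public RO
snmp-server community n0c-Mon1tor RO 10
snmp-server community private RW
line con 0
 login local
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # widely known default strings

def audit_config(text):
    """Return a list of (line_number, finding) for weak management settings."""
    findings = []
    section = None  # current "line ..." block, e.g. "line vty 0 4"
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line starts a new section
            section = line if line.startswith("line ") else None
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?:\s+(\S+))?$", line, re.I)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((num, f"default SNMP community '{name}'"))
            if mode.upper() == "RW":
                findings.append((num, "SNMP write access enabled"))
            if acl is None:
                findings.append((num, "SNMP community not restricted by an ACL"))
        m = re.match(r"transport input (.+)$", line)
        if m and section and section.startswith("line vty"):
            protos = m.group(1).split()
            if "telnet" in protos or "all" in protos:
                findings.append((num, f"telnet allowed on '{section}'"))
    return findings

if __name__ == "__main__":
    for num, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {num}: {finding}")
```

Default vendor accounts are not checked here, since their names differ per device; compare the configured users against the vendor's documentation separately.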