CEH - Enumerating on a Firewalled Network
-
I have followed through the course (although I am not quite done yet), and have an agreement with a medium-sized business to test what I am learning on their network.
So far, from the scanning phases, I have gathered a block of 64 IPs, a Cisco router of some sort that has SNMP v3 running as well as NTP, a series of Win 7 Pro boxes running RDP (was able to use Nessus to capture usernames from logged-in sessions), and two FTP servers open to the outside.
I tried a series of default login/pwd combos using Hydra against the FTP servers (no luck), and tried the most likely administrator's login against a 2 million pwd list, but still no luck.
NTP seems to be properly secured (can't get it to spit out using monlist or anything else of much use).
Tried scanning for Windows leakage using SuperScan 4.1, but no luck (seems the firewall effectively blocks everything here).
As near as I can tell, there is a Fortinet FortiOS firewall of some sort.
Is there anything I am missing as to how to get around/through the firewall to enumerate? Or is the next step basically some sort of Active Social Engineering attack at this point?
I love the class/show, and echo the comments of others asking for many more hands-on demos. I would like the cert, but the experience of understanding the process first hand is much more valuable in landing a position or a gig.
Thanks for your help in advance.
-
See if that Fortinet has the infamous back door.
http://www.securityweek.com/backdoor-found-several-fortinet-products
https://www.exploit-db.com/exploits/39224/
https://thehackernews.com/2016/01/fortinet-firewall-password-hack.html