Upload: christina-lawrence

Post on 30-Dec-2015

214 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: Attack Lifecycle

Many attacks against information systems follow a standard lifecycle:

– Stage 1: Info. gathering (reconnaissance)
– Stage 2: Penetration / priv. escalation
– Stage 3: Establish foothold
– Stage 4: Operations and maintenance
– Stage 5: Cleanup

Dr. Rob Cole, IST 815 Spring 2014

Page 2: DNS Recon

• DNS is the Internet's phone book: DNS provides valuable information with little risk to an attacker, because lookups are indistinguishable from ordinary traffic.
• Types of DNS recon:

– Zone transfer (AXFR): a copy of an organization's full zone data, available to an attacker if the authoritative servers are not configured to restrict transfers to their own secondaries

– Forward/reverse brute-force lookup: guess names (or IP addresses), look each one up, and keep the ones that resolve

• DNS recon is supported by a wide variety of tools, e.g. nslookup, host, dig, fierce, dnsenum and dnsmap.


Page 3: DNS Recon, cont.


Reverse brute force lookup example
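A reverse brute-force sweep of the kind the slide's figure illustrates, as an added example that is not code from the original slides: it walks a CIDR block, asks for each address's PTR record through an injectable lookup function, and flags hostnames whose first label hints at an interesting role. The FAKE_PTR table, the example.net names and the 192.0.2.0/24 documentation range are constructed so the sweep runs offline; the default system_resolver makes the same code query real DNS.

```python
"""Reverse brute-force DNS lookup over an address range.

Added example, not code from the original slides: walks every address in
a CIDR block, asks for its PTR record and reports the names that resolve.
The lookup function is injected so the sweep runs offline against the
constructed PTR table below; the default uses the system resolver.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]


def system_resolver(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; None when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror and socket.gaierror are subclasses
        return None


def reverse_sweep(cidr: str, resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return {ip: hostname} for every host address in `cidr` with a PTR record."""
    net = ipaddress.ip_network(cidr, strict=False)
    found: Dict[str, str] = {}
    for addr in net.hosts():      # skips the network and broadcast addresses
        name = resolve(str(addr))
        if name:
            found[str(addr)] = name
    return found


def role_hints(found: Dict[str, str],
               hints=("dev", "test", "vpn", "db", "admin", "backup")) -> Dict[str, str]:
    """Keep hits whose first label suggests a role worth a closer look."""
    return {ip: name for ip, name in found.items()
            if any(h in name.split(".")[0].lower() for h in hints)}


# Constructed PTR table standing in for a reverse zone (assumption, not
# real data); 192.0.2.0/24 is the documentation range.
FAKE_PTR = {
    "192.0.2.1": "gw.example.net",
    "192.0.2.10": "www.example.net",
    "192.0.2.11": "mail.example.net",
    "192.0.2.23": "dev-db01.example.net",
    "192.0.2.40": "vpn.example.net",
}


def fake_resolver(ip: str) -> Optional[str]:
    """Offline stand-in for system_resolver backed by FAKE_PTR."""
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    hits = reverse_sweep("192.0.2.0/26", resolve=fake_resolver)
    for ip in sorted(hits, key=ipaddress.ip_address):
        print(f"{ip:<15} {hits[ip]}")
    print("interesting:", role_hints(hits))
```

Against a real target the sweep is slow and noisy per address but still low risk: each query goes to the organization's reverse zone through normal resolvers, so nothing distinguishes it from routine lookups unless the zone operator watches for sequential PTR queries.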

Page 4: Whois Recon


Domain Name: PSU.EDU

Registrant:
   Pennsylvania State University
   114 USB2
   University Park, PA 16802-1013
   UNITED STATES

Administrative Contact:
   Educause Administrative POC
   The Pennsylvania State University
   USB2
   University Park, PA 16802
   UNITED STATES
   +1-814-865-4700
   [email protected]

Technical Contact:
   Educause Technical POC
   The Pennsylvania State University
   USB 2
   University Park, PA 16802-1013
   UNITED STATES
   +1-814-865-4700
   [email protected]

Servers:
   NS1.PSU.EDU   128.118.25.6
   NS2.PSU.EDU   128.118.70.6

The whois service provides information about a registered domain, including administrative and technical POC details and the authoritative name servers.

Addresses and phone numbers provide a basis for social engineering and dumpster diving attacks.

Output of whois psu.edu command
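The record above is what an attacker pivots from. As an added example (not code from the slides or from any whois client), the following parses a record with that layout into sections and pulls out the name servers, which are the next targets for a zone-transfer attempt, and the phone numbers that feed social engineering. The SAMPLE_WHOIS text is constructed to mirror the slide's output; the e-mail addresses are left out and a "Name Servers:" header is assumed for the server block.

```python
"""Pull the pivot points out of a registry-style whois record.

Added example, not code from the original slides. The record below is
constructed to mirror the layout of the psu.edu output shown on the slide
(a 'Key: value' line, then header lines ending in ':' followed by indented
detail lines); the contact e-mail addresses are left out, as on the slide.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_WHOIS = """\
Domain Name: PSU.EDU

Registrant:
   Pennsylvania State University
   114 USB2
   University Park, PA 16802-1013
   UNITED STATES

Administrative Contact:
   Educause Administrative POC
   The Pennsylvania State University
   USB2
   University Park, PA 16802
   UNITED STATES
   +1-814-865-4700

Technical Contact:
   Educause Technical POC
   The Pennsylvania State University
   USB 2
   University Park, PA 16802-1013
   UNITED STATES
   +1-814-865-4700

Name Servers:
   NS1.PSU.EDU   128.118.25.6
   NS2.PSU.EDU   128.118.70.6
"""

PHONE_RE = re.compile(r"\+\d[\d\-\s().]{6,}\d")
NS_RE = re.compile(r"^([A-Za-z0-9.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group the record into {section: [detail lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # column 0: a key or a header
            key, _, value = raw.partition(":")
            key = key.strip()
            sections[key] = [value.strip()] if value.strip() else []
            current = None if value.strip() else key
        elif current is not None:                # indented: detail of the header
            sections[current].append(raw.strip())
    return sections


def name_servers(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(hostname, ip) pairs from the Name Servers section."""
    out = []
    for line in sections.get("Name Servers", []):
        m = NS_RE.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2)))
    return out


def phone_numbers(sections: Dict[str, List[str]]) -> List[str]:
    """Every phone number in the contact sections (social-engineering input)."""
    nums = set()
    for key, lines in sections.items():
        if key.endswith("Contact"):
            for line in lines:
                nums.update(PHONE_RE.findall(line))
    return sorted(nums)


def axfr_targets(sections: Dict[str, List[str]]) -> List[str]:
    """Authoritative server addresses to try a zone transfer against next."""
    return [ip for _, ip in name_servers(sections)]


if __name__ == "__main__":
    s = parse_sections(SAMPLE_WHOIS)
    print("domain:", s["Domain Name"][0])
    print("name servers:", name_servers(s))
    print("phones:", phone_numbers(s))
    print("try AXFR against:", axfr_targets(s))
```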

Page 5: Whois Recon, cont.


Network associated with 130.203.135.84

Page 6: Fingerprinting


Fingerprinting: the process of making a determination regarding the characteristics of a remote service or machine by observing traffic originating from that machine.

• Active: fingerprint based on responses to probe traffic
• Passive: fingerprint by opportunistically observing traffic "on the wire" (covert: the target never sees a probe)

• Typically based on the target's implementation of the relevant protocol
• TCP protocol: operating systems differ in implementation details (initial TTL, window size, option ordering), so they can be actively or passively fingerprinted (e.g. the nmap and p0f tools)
• HTTP protocol: web servers differ in how they respond to malformed requests, so active fingerprinting can identify them (e.g. the httprint tool)

• Requires a database of known signatures

Page 7: OS Fingerprinting: p0f


label = s:unix:Linux:2.6.x
sig   = *:64:0:*:mss*4,*:mss,nop,ws:df:0
sig   = *:64:0:*:mss*4,*:mss,sok,ts,nop,ws:df:0
sig   = *:64:0:*:mss*4,*:mss,nop,nop,ts,nop,ws:df:0
sig   = *:64:0:*:mss*4,*:mss,nop,nop,sok,nop,ws:df:0

label = s:win:Windows:XP
sig   = *:128:0:*:65535,0:mss:df,id+:0
sig   = *:128:0:*:65535,0:mss,nop,ws:df,id+:0
sig   = *:128:0:*:65535,0:mss,nop,nop,sok:df,id+:0

Example TCP fingerprint in p0f signature format (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass). The slide's callouts point at the initial TTL field (64 for Linux, 128 for Windows XP) and the window size field (mss*4 for Linux, 65535 for Windows XP).
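The signature lines on this page are only useful with a matcher behind them. As an added example (not p0f's own code, and not from the slides), the following loads those signatures, rounds the observed TTL up to an initial value, evaluates the mss*N window expression and the * wildcards, and labels three constructed SYN records. The Syn fields, the TTL rounding rule and the treatment of a missing window-scale option as scale 0 are simplifications assumed here.

```python
"""Match an observed TCP SYN against p0f-style signatures.

Added example, not code from p0f or from the original slides. It reads
the signature lines shown on the slide in p0f v3's TCP format,
ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass, and matches them
against SYN parameters. Wildcards (*) and the mss*N window expression are
handled; initial TTL is inferred by rounding the observed TTL up to the
next common starting value. The SYN records below are constructed, not
captured, and a missing window-scale option is treated as scale 0.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

P0F_DB = """\
label = s:unix:Linux:2.6.x
sig   = *:64:0:*:mss*4,*:mss,nop,ws:df:0
sig   = *:64:0:*:mss*4,*:mss,sok,ts,nop,ws:df:0
sig   = *:64:0:*:mss*4,*:mss,nop,nop,ts,nop,ws:df:0
sig   = *:64:0:*:mss*4,*:mss,nop,nop,sok,nop,ws:df:0

label = s:win:Windows:XP
sig   = *:128:0:*:65535,0:mss:df,id+:0
sig   = *:128:0:*:65535,0:mss,nop,ws:df,id+:0
sig   = *:128:0:*:65535,0:mss,nop,nop,sok:df,id+:0
"""


@dataclass
class Syn:
    """The SYN fields a signature constrains."""
    ttl: int                        # TTL as seen on the wire, after router decrements
    mss: int
    wsize: int
    olayout: str                    # TCP option layout, e.g. "mss,nop,ws"
    quirks: str                     # e.g. "df,id+" ("" when none)
    wscale: Optional[int] = None    # None: no window-scale option present
    ipver: int = 4
    ip_olen: int = 0                # IPv4 options length
    payload: int = 0                # 0: SYN carries no data


def load_db(text: str) -> List[Tuple[str, str]]:
    """[(label, sig)], each sig inheriting the most recent label line."""
    label, out = None, []
    for line in text.splitlines():
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key == "label":
            label = val
        elif key == "sig" and label is not None:
            out.append((label, val))
    return out


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def _field_ok(expr: str, value: int) -> bool:
    return expr == "*" or int(expr) == value


def _wsize_ok(expr: str, syn: Syn) -> bool:
    if expr.startswith("mss*"):          # window expressed as a multiple of MSS
        return syn.wsize == syn.mss * int(expr[4:])
    return _field_ok(expr, syn.wsize)


def sig_matches(sig: str, syn: Syn) -> bool:
    ver, ittl, olen, mss, wsize_scale, olayout, quirks, pclass = sig.split(":")
    wsize, scale = wsize_scale.split(",")
    return (
        _field_ok(ver, syn.ipver)
        and int(ittl) == initial_ttl(syn.ttl)
        and int(olen) == syn.ip_olen
        and _field_ok(mss, syn.mss)
        and _wsize_ok(wsize, syn)
        and _field_ok(scale, syn.wscale if syn.wscale is not None else 0)
        and olayout == syn.olayout
        and quirks == syn.quirks
        and _field_ok(pclass, syn.payload)
    )


def fingerprint(syn: Syn, db: List[Tuple[str, str]]) -> Optional[str]:
    """Label of the first matching signature, or None if nothing matches."""
    for label, sig in db:
        if sig_matches(sig, syn):
            return label
    return None


# Constructed observations (assumption): a Linux-like SYN seen 12 hops away,
# a Windows XP-like SYN, and one that is in no signature.
LINUX_SYN = Syn(ttl=52, mss=1460, wsize=5840,
                olayout="mss,sok,ts,nop,ws", quirks="df", wscale=7)
XP_SYN = Syn(ttl=116, mss=1460, wsize=65535,
             olayout="mss,nop,nop,sok", quirks="df,id+")
UNKNOWN_SYN = Syn(ttl=250, mss=1460, wsize=8192,
                  olayout="mss,nop,ws", quirks="df", wscale=8)

if __name__ == "__main__":
    db = load_db(P0F_DB)
    for name, syn in (("linux", LINUX_SYN), ("xp", XP_SYN), ("unknown", UNKNOWN_SYN)):
        print(f"{name:<8} -> {fingerprint(syn, db)}")
```

The TTL rounding is what makes passive fingerprinting work at a distance: a Linux host twelve hops away shows TTL 52, and the matcher still attributes it to an initial 64. It is also why a host that rewrites TTL or normalizes TCP options on an edge device defeats this kind of matching.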

Page 8: Port Scanning


Port Scanning: the process of sending probe packets to specific TCP or UDP ports in order to infer what applications are running on a target machine.

• Various situations can be inferred, depending on the response.
• Conducted with automated scanners, such as nmap

Condition               TCP response              UDP response
Host up, port open      SYN-ACK                   Depends on application (often no reply)
Host up, port closed    RST-ACK                   ICMP port unreachable
Host down               ICMP host unreachable     ICMP host unreachable
Firewall reject rule    ICMP admin prohibited     ICMP admin prohibited
Firewall drop rule      NONE                      NONE

Two caveats when reading the table:
• An open UDP port that ignores the probe and a drop rule both return nothing, so a UDP scan can only report such a port as open or filtered, not which.
• Reject rules are not always "admin prohibited": a firewall can be configured to answer a TCP probe with a RST instead, which makes a filtered port look closed. The ICMP host unreachable for a down host comes from the last-hop router; on the scanner's own subnet a down host simply never answers the ARP request, so nothing comes back.
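The table describes packets a SYN scanner sees through raw sockets. A plain connect() scan, which needs no privileges, sees them only as connect() error codes. The following added example (not from the slides or from nmap) maps those codes onto the same states and checks the open and closed rows against a listener on localhost. The errno names are Linux's, the probe/scan/self_test_localhost names are this example's own, and 192.0.2.1 in the demo run is a documentation address assumed to be unreachable.

```python
"""Classify TCP port state from the result of a connect() probe.

Added example, not code from the original slides or from nmap. A connect
scan never sees the SYN-ACK, RST or ICMP packets directly; what it gets
is the OS error code from connect(), which maps onto the slide's table:
success = SYN-ACK (open), ECONNREFUSED = RST (closed), a timeout = no
reply (drop rule), host/network unreachable = ICMP unreachable (host
down, or an admin-prohibited reject). Errno names are the Linux ones;
the localhost self-test at the bottom exercises the mapping offline.
"""
import errno
import socket
from typing import Dict, Iterable

STATE_BY_ERRNO: Dict[int, str] = {
    0: "open",                          # handshake completed: target sent SYN-ACK
    errno.ECONNREFUSED: "closed",       # target sent RST
    errno.ETIMEDOUT: "filtered",        # no reply: drop rule (or black-holed)
    errno.EAGAIN: "filtered",           # connect_ex reports a socket timeout this way
    errno.EHOSTUNREACH: "unreachable",  # ICMP host unreachable / admin prohibited
    errno.ENETUNREACH: "unreachable",
}


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """State of one TCP port: open, closed, filtered, unreachable or error(N)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except socket.timeout:
            return "filtered"
        except OSError as e:            # e.g. name resolution failure
            rc = e.errno if e.errno is not None else -1
    return STATE_BY_ERRNO.get(rc, f"error({rc})")


def scan(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe each port in turn; sequential on purpose so results stay readable."""
    return {p: probe(host, p, timeout) for p in ports}


def self_test_localhost() -> Dict[str, str]:
    """Exercise the open and closed branches without leaving the machine.

    Binds a listener on an ephemeral port (open), then closes it and
    probes the same port again (closed: the kernel answers with RST).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return {"port": str(port), "listening": while_open, "after_close": after_close}


if __name__ == "__main__":
    print(self_test_localhost())
    # A real sweep; 192.0.2.1 is a documentation address and will normally
    # come back filtered or unreachable, which is the point of the demo.
    print(scan("192.0.2.1", [22, 80, 443], timeout=1.0))
```

Because a connect scan completes the handshake, every open port it finds produces an accepted connection in the target's application log, which is the main reason SYN scans (half-open, raw socket, root required) are preferred when stealth matters.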

Page 9: Other Reconnaissance


We've touched on just a few types of reconnaissance. Other forms include:

• Vulnerability scanning: attempt to identify security flaws in running systems actively, through port scanning and application-specific checks or exploit attempts (e.g. Nessus)
• Dumpster diving: discarded internal phone lists, printer cover sheets with usernames, etc.
• Open source recon: information publicly disclosed on social media, tech support websites, etc. (e.g. code fragments)