Attack Lifecycle
Many attacks against information systems follow a standard lifecycle:
– Stage 1: Information gathering (reconnaissance)
– Stage 2: Penetration / privilege escalation
– Stage 3: Establish foothold
– Stage 4: Operations and maintenance
– Stage 5: Cleanup
Dr. Rob Cole, IST 815 Spring 2014
DNS Recon
• DNS is the Internet’s phone book: DNS provides valuable information with little risk to an attacker.
• Types of DNS recon:
– Zone Transfer: copies of full DNS information for an organization available to an attacker if DNS is not properly configured
– Forward/reverse brute force lookup: name or IP address guess and lookup
• DNS recon is facilitated by a wide variety of software tools, e.g. nslookup, host, dig, fierce, dnsenum, dnsmap, etc.
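The zone-transfer bullet above turns on whether the authoritative server is "properly configured". The check below is an added example, not part of the slides: it audits a BIND named.conf fragment (constructed here, not a real server's) for the allow-transfer statement and flags zones that would hand a full zone copy to any host. The inheritance rule it applies (a zone without its own allow-transfer uses the one in options {}) is BIND's; treating a zone with no statement at all as a finding assumes an older BIND 9 release, where the default was to allow transfers to any host.

```python
import re

# Constructed named.conf fragment for the example (not from the slides or
# any real server): a permissive global setting, one hardened zone, and one
# zone that silently inherits the global setting.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};

zone "example.test" IN {
    type master;
    file "example.test.zone";
};

zone "internal.example.test" IN {
    type master;
    file "internal.zone";
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};
"""

# Simplistic patterns that assume the block layout above (closing "};" at
# column 0); a production linter would use a real named.conf parser.
OPTIONS_RE = re.compile(r'options\s*\{(.*?)\n\};', re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
ALLOW_RE = re.compile(r'allow-transfer\s*\{([^}]*)\};')


def parse_acl(block_body):
    """Return the allow-transfer ACL entries of a block, or None if it has none."""
    m = ALLOW_RE.search(block_body)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(';') if tok.strip()]


def audit_zone_transfers(conf_text):
    """Map each zone name to a finding about who may pull a zone transfer."""
    opts = OPTIONS_RE.search(conf_text)
    global_acl = parse_acl(opts.group(1)) if opts else None
    findings = {}
    for name, body in ZONE_RE.findall(conf_text):
        acl = parse_acl(body)
        if acl is None:          # zone has no statement: inherits options {}
            acl = global_acl
        if acl is None:
            findings[name] = "no allow-transfer set (older BIND 9 defaults to any)"
        elif any(entry.lower() in ("any", "0.0.0.0/0") for entry in acl):
            findings[name] = "allow-transfer permits any host"
        else:
            findings[name] = "ok: restricted to " + ", ".join(acl)
    return findings


if __name__ == "__main__":
    for zone, finding in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {finding}")
```

The hardened form is the one the internal.example.test zone already uses: list only the secondary servers' addresses (or a TSIG key) in allow-transfer, so a `dig AXFR` from anywhere else is refused.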
Dr. Rob Cole, IST 815 Spring 2014
DNS Recon, cont.
Reverse brute force lookup example
Whois Recon
Domain Name: PSU.EDU
Registrant:
    Pennsylvania State University
    114 USB2
    University Park, PA 16802-1013
    UNITED STATES
Administrative Contact:
    Educause Administrative POC
    The Pennsylvania State University
    USB2
    University Park, PA 16802
    UNITED STATES
    +1-814-865-4700
    [email protected]
Technical Contact:
    Educause Technical POC
    The Pennsylvania State University
    USB 2
    University Park, PA 16802-1013
    UNITED STATES
    +1-814-865-4700
    [email protected]
Servers:
    NS1.PSU.EDU 128.118.25.6
    NS2.PSU.EDU 128.118.70.6
The whois service provides information about a registered domain including administrative and technical POC details and DNS information.
Addresses and phone numbers provide a basis for social engineering and dumpster diving attacks.
Output of whois psu.edu command
Whois Recon, cont.
Network associated with 130.203.135.84
Fingerprinting
Fingerprinting: the process of making a determination regarding the characteristics of a remote service or machine by observing traffic originating from that machine.
• Active: fingerprint based on responses to probe traffic
• Passive: fingerprint by opportunistically observing traffic “on the wire” (covert)
• Typically based on target’s implementation of the relevant protocol
– TCP protocol: operating systems differ in implementation; can be actively or passively fingerprinted (e.g. p0f, nmap tools)
– HTTP protocol: web servers differ in response to malformed requests; active fingerprinting can ID these (e.g. httprint tool)
• Requires database of known signatures
OS Fingerprinting: p0f
label = s:unix:Linux:2.6.x
sig = *:64:0:*:mss*4,*:mss,nop,ws:df:0
sig = *:64:0:*:mss*4,*:mss,sok,ts,nop,ws:df:0
sig = *:64:0:*:mss*4,*:mss,nop,nop,ts,nop,ws:df:0
sig = *:64:0:*:mss*4,*:mss,nop,nop,sok,nop,ws:df:0
label = s:win:Windows:XP
sig = *:128:0:*:65535,0:mss:df,id+:0
sig = *:128:0:*:65535,0:mss,nop,ws:df,id+:0
sig = *:128:0:*:65535,0:mss,nop,nop,sok:df,id+:0
Example TCP Fingerprint (p0f), with the TTL and Window Size fields annotated
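The slide shows p0f's signature syntax (sig = ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass) but not how a passive fingerprinter turns an observed SYN into a match. The code below is an added example written for these notes, not p0f's own code: it loads the eight signatures from the slide and applies a simplified version of p0f's matching rules (observed TTL rounded up to the nearest common initial value, window either a literal or a multiple of the advertised MSS, exact option layout and quirk set). The three sample SYN observations are constructed, and the matching is deliberately stricter and simpler than real p0f, which also tolerates wildcards and fuzzy TTL distances.

```python
# Signature lines copied from the slide above (p0f v3 fp file syntax):
#   sig = ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
SIGNATURE_DB = """
label = s:unix:Linux:2.6.x
sig = *:64:0:*:mss*4,*:mss,nop,ws:df:0
sig = *:64:0:*:mss*4,*:mss,sok,ts,nop,ws:df:0
sig = *:64:0:*:mss*4,*:mss,nop,nop,ts,nop,ws:df:0
sig = *:64:0:*:mss*4,*:mss,nop,nop,sok,nop,ws:df:0
label = s:win:Windows:XP
sig = *:128:0:*:65535,0:mss:df,id+:0
sig = *:128:0:*:65535,0:mss,nop,ws:df,id+:0
sig = *:128:0:*:65535,0:mss,nop,nop,sok:df,id+:0
"""

# Constructed SYN observations (not real captures): what a passive sensor
# would extract from the IP and TCP headers of an incoming SYN.
SAMPLE_SYNS = {
    # Linux 2.6 host 12 hops away: TTL 52, window = 4 * MSS, SACK+TS+WS options
    "linux_host": {"ttl": 52, "mss": 1460, "wsize": 5840, "scale": 7,
                   "olayout": ["mss", "sok", "ts", "nop", "ws"], "quirks": {"df"}},
    # Windows XP host: TTL 116, fixed 65535 window, incrementing IP ID
    "winxp_host": {"ttl": 116, "mss": 1460, "wsize": 65535,
                   "olayout": ["mss", "nop", "nop", "sok"], "quirks": {"df", "id+"}},
    # A stack the two-label database does not know about
    "unknown_host": {"ttl": 250, "mss": 1460, "wsize": 8192,
                     "olayout": ["mss"], "quirks": set()},
}


def parse_signatures(text):
    """Parse label/sig lines into a list of signature dicts."""
    sigs, label = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("label"):
            label = line.split("=", 1)[1].strip()
        elif line.startswith("sig"):
            ver, ittl, olen, mss, wsize_scale, olayout, quirks, pclass = \
                line.split("=", 1)[1].strip().split(":")
            wsize, scale = wsize_scale.split(",")
            sigs.append({"label": label, "ittl": int(ittl), "olen": int(olen),
                         "mss": mss, "wsize": wsize, "scale": scale,
                         "olayout": olayout.split(","),
                         "quirks": {q for q in quirks.split(",") if q},
                         "pclass": pclass})
    return sigs


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial TTL."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def match_one(sig, obs):
    """True if one signature explains the observed SYN."""
    if sig["ittl"] != initial_ttl(obs["ttl"]):
        return False
    if sig["olen"] != obs.get("ip_olen", 0):          # IP options length
        return False
    if sig["mss"] != "*" and int(sig["mss"]) != obs["mss"]:
        return False
    w = sig["wsize"]                                   # literal, *, or mss*N
    if w.startswith("mss*"):
        if obs["wsize"] != obs["mss"] * int(w[4:]):
            return False
    elif w != "*" and int(w) != obs["wsize"]:
        return False
    if sig["scale"] != "*" and int(sig["scale"]) != obs.get("scale", 0):
        return False
    return sig["olayout"] == obs["olayout"] and sig["quirks"] == obs["quirks"]


def fingerprint(obs, sigs):
    """Return the matching label and estimated hop distance, or None."""
    for sig in sigs:
        if match_one(sig, obs):
            return {"label": sig["label"], "distance": sig["ittl"] - obs["ttl"]}
    return None


if __name__ == "__main__":
    sigs = parse_signatures(SIGNATURE_DB)
    for name, obs in SAMPLE_SYNS.items():
        print(name, "->", fingerprint(obs, sigs))
```

The TTL and Window Size callouts on the slide are exactly the two fields doing most of the work here: the TTL separates the 64-initial Linux stack from the 128-initial Windows stack, and the window rule (a multiple of MSS versus a fixed 65535) confirms it before the option layout is compared.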
Port Scanning
Port Scanning: the process of sending probe packets to specific TCP or UDP ports in order to infer what applications are running on a target machine.
• Various situations can be inferred, depending on the response.
• Conducted with automated scanners, such as nmap
Condition              TCP Response             UDP Response
Host up, port open     SYN-ACK                  Depends on application
Host up, port closed   RST-ACK                  ICMP port unreachable
Host down              ICMP host unreachable    ICMP host unreachable
Firewall reject rule   ICMP admin prohibited    ICMP admin prohibited
Firewall drop rule     NONE                     NONE
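The table describes the scan from the target's side: what each probe gets back. The last row is the reason firewalls should log what they drop, because a drop rule leaves the scanner with nothing, but the defender with a record of every probe. The detector below is an added example, not from the slides: it parses constructed netfilter-style LOG lines (the addresses and timestamps are made up) and flags any source that probes at least five distinct protocol/port pairs on one destination inside a 60-second sliding window. Both thresholds are assumptions to tune for the network in question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in the style of a Linux netfilter LOG target
# (not real traffic): one source sweeping ports, one legitimate client.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=21 SYN
Mar 10 12:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=25 SYN
Mar 10 12:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=80 SYN
Mar 10 12:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443 SYN
Mar 10 12:00:04 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP DPT=53
Mar 10 12:00:05 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP DPT=161
Mar 10 12:00:06 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=443 SYN
Mar 10 12:00:07 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=443 SYN
Mar 10 12:05:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=8080 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Extract (timestamp, src, dst, proto, dport) from each parseable line."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year
        events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def detect_port_scans(events, window_seconds=60, min_ports=5):
    """Flag sources touching >= min_ports distinct (proto, port) pairs on one
    destination within any window_seconds-long sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, dpt in events:
        by_pair[(src, dst)].append((ts, (proto, dpt)))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for (src, dst), probes in by_pair.items():
        probes.sort()
        in_window = defaultdict(int)   # (proto, port) -> probes inside the window
        start, best = 0, 0
        for ts, port in probes:
            in_window[port] += 1
            # slide the left edge forward until every probe fits the window
            while probes[start][0] < ts - window:
                old = probes[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            alerts[src] = {"dst": dst, "distinct_ports": best,
                           "first_seen": probes[0][0].strftime("%b %d %H:%M:%S"),
                           "last_seen": probes[-1][0].strftime("%b %d %H:%M:%S")}
    return alerts


if __name__ == "__main__":
    for src, info in detect_port_scans(parse_events(SAMPLE_LOG)).items():
        print(f"port scan from {src}: {info}")
```

Counting distinct ports inside a sliding window, rather than raw hits per source, is what keeps the repeat-connecting client at 192.0.2.44 below the threshold while the sweep from 198.51.100.7 crosses it; the isolated probe five minutes later falls outside the window and does not inflate the count.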
Other Reconnaissance
We’ve touched on just a few types of reconnaissance. Other forms include:
• Vulnerability scanning: attempt to identify security flaws in running systems actively through port scanning and application-specific exploit attempts, e.g. Nessus
• Dumpster diving: discarded internal phone lists, printer cover sheets with usernames, etc.
• Open source recon: information publicly disclosed on social media, tech support websites, etc. (e.g. code fragments)