CNIT 124: Advanced Ethical Hacking. Casing the Establishment Case Study
TRANSCRIPT
CNIT 124: Advanced Ethical Hacking
CASING THE ESTABLISHMENT
CASE STUDY
TOR (The Onion Router)
Passes packets through proxies, concealing the source IP
– Usually installed with Vidalia (the GUI) and Privoxy (Web filtering proxy)
– Tor listens on port 9050
– Privoxy listens on port 8118
– Torbutton Firefox extension controls Tor use
tor-resolve performs DNS resolution through Tor, concealing your IP address
Proxychains
Forces TCP connections to go through a proxy
Requires complete handshake
– SYN, SYN/ACK, ACK
nmap through proxychains
socat
Relays bidirectional transfers
socat
This command opens a proxy listening on localhost:8080 and forwards all requests through Tor to the target 10.10.10.100:80
Using nc as a Web browser
Chapter 1
Footprinting
Google Hacking
Find sensitive data about a company from Google
Completely stealthy: you never send a single packet to the target (if you view the cache)
To find passwords:
– intitle:"Index of" passwd passwd.bak
See links Ch 1a, 1b on my Web page (samsclass.info, click CNIT 124)
Other fun searches
Nessus reports (link Ch 1c)
More passwords (link Ch 1d)
Be The Bot
See pages the way Google's bot sees them
Custom User Agents
Add the "User Agent Switcher" Firefox Extension
Footprinting
Gathering target information
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
– Sun Tzu on the Art of War
Environments and the Critical Information Attackers Can Identify
Internet Presence
Intranet
Remote Access (travelling employees)
Extranet (vendors and business partners)
Internet
– Domain name
– Network blocks
– Specific IP addresses of systems reachable via the Internet
– TCP and UDP services running on each system identified
– System architecture (for example, SPARC vs. x86)
– Access control mechanisms and related access control lists (ACLs)
– Intrusion-detection systems (IDSs)
– System enumeration (user and group names, system banners, routing tables, and SNMP information)
– DNS hostnames
Intranet
– Networking protocols in use (for example, IP, IPX, DecNET, and so on)
– Internal domain names
– Network blocks
– Specific IP addresses of systems reachable via the intranet
– TCP and UDP services running on each system identified
– System architecture (for example, SPARC vs. x86)
– Access control mechanisms and related ACLs
– Intrusion-detection systems
– System enumeration (user and group names, system banners, routing tables, and SNMP information)
Remote access
– Analog/digital telephone numbers
– Remote system type
– Authentication mechanisms
– VPNs and related protocols (IPSec and PPTP)
Extranet
– Connection origination and destination
– Type of connection
– Access control mechanism
Internet Footprinting
Step 1: Determine the Scope of Your Activities
Step 2: Get Proper Authorization
Step 3: Publicly Available Information
Step 4: WHOIS & DNS Enumeration
Step 5: DNS Interrogation
Step 6: Network Reconnaissance
Step 1: Determine the Scope of Your Activities
Entire organization
Certain locations
Business partner connections (extranets)
Disaster-recovery sites
Step 2: Get Proper Authorization
Ethical hackers must have authorization in writing for their activities
– "Get Out of Jail Free" card
– Criminals omit this step
Image from www.blackhatseo.fr
Step 3: Publicly Available Information
Company web pages
– Wget and Teleport Pro are good tools to mirror Web sites for local analysis (links Ch 1o & 1p)
– Look for other sites beyond "www"
– Outlook Web Access: https://owa.company.com or https://outlook.company.com
– Virtual Private Networks: http://vpn.company.com or http://www.company.com/vpn
OWASP DirBuster
Step 3: Publicly Available Information
Related Organizations
Physical Address
– Dumpster-diving
– Surveillance
– Social Engineering
Tool: Google Earth (link Ch 1q) and Google Maps Street View
Step 3: Publicly Available Information
Phone Numbers, Contact Names, E-mail Addresses, and Personal Details
Current Events
– Mergers, scandals, layoffs, etc. create security holes
Privacy or Security Policies, and Technical Details Indicating the Types of Security Mechanisms in Place
Step 3: Publicly Available Information
Archived Information
– The Wayback Machine (link Ch 1t)
– Google Cache
Disgruntled Employees
SiteDigger (link Ch 1z7)
Wikto
Link Ch 1z8
FOCA
Searches file metadata (link Ch 1z9)
SHODAN
Searches banners
SHODAN finding Vulnerable SCADA Systems
Step 3: Publicly Available Information
Usenet
– Groups.google.com
Resumes
Maltego
Data mining tool
Using Maltego
Link Ch 1z10
Step 4: WHOIS & DNS Enumeration
Two organizations manage domain names, IP addresses, protocols and port numbers on the Internet
– Internet Assigned Numbers Authority (IANA; http://www.iana.org)
– Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org)
– IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN
Step 4: WHOIS & DNS Enumeration
Domain-Related Searches
– Every domain name, like msn.com, has a top-level domain - .com, .net, .org, etc.
If we surf to http://whois.iana.org, we can search for the authoritative registry for all of .com
– .com is managed by Verisign
Step 4: WHOIS & DNS Enumeration
Verisign Whois (link Ch 1v)
– Search for ccsf.edu and it gives the Registrar
Whois.educause.net
Three steps:
– Authoritative Registry for top-level domain
– Domain Registrar
– Finds the Registrant
Step 4: WHOIS & DNS Enumeration
Automated tools do all three steps
– Whois.com
– Sam Spade
– Netscan Tools Pro
They are not perfect. Sometimes you need to do the three-step process manually.
Step 4: WHOIS & DNS Enumeration
Once you've homed in on the correct WHOIS server for your target, you may be able to perform other searches if the registrar allows it
You may be able to find all the domains that a particular DNS server hosts, for instance, or any domain name that contains a certain string
– BUT a court decision in North Dakota just declared this illegal (link Ch 1s) (printed notes have the wrong state & link)
Step 4: WHOIS & DNS Enumeration
How IP addresses are assigned:
– The Address Supporting Organization (ASO; http://www.aso.icann.org) allocates IP address blocks to
– Regional Internet Registries (RIRs), which then allocate IPs to organizations, Internet service providers (ISPs), etc.
– ARIN (http://www.arin.net) is the RIR for North and South America
Internet Registry Regions
http://www.iana.org/numbers/
2013: The End
Step 4: WHOIS & DNS Enumeration
IP-Related Searches
– To track down an IP address:
Use arin.net (link Ch 1x)
It may refer you to a different database
Examples:
– 147.144.1.1
– 61.0.0.2
Step 4: WHOIS & DNS Enumeration
IP-Related Searches
– Search by company name at arin.net to find IP ranges, and AS numbers
– AS numbers are used by BGP (Border Gateway Protocol) to prevent routing loops on Internet routers (link Ch 1y)
– Examples: Google, CCSF
Step 4: WHOIS & DNS Enumeration
Administrative contact gives you name, voice and fax numbers
Useful for social engineering
Authoritative DNS Server can be used for Zone Transfer attempts
– But Zone Transfers may be illegal now (link Ch 1s)
Step 4: WHOIS & DNS Enumeration
Public Database Security Countermeasures
– When an administrator leaves an organization, update the registration database
– That prevents an ex-employee from changing domain information
– You could also put in fake "honeytrap" data in the registration
eBay's domain was hijacked (link Ch 1z1)
Step 5: DNS Interrogation
Zone Transfers
– Gives you a list of all the hosts when it works
– Usually blocked, and maybe even illegal now
14% of 1 million tested domains were vulnerable (link Ch 1z12)
Step 5: DNS Interrogation
Determine Mail Exchange (MX) Records
– You can do it on Windows with NSLOOKUP in interactive mode
Excellent Tutorial
Link Ch 1z11
Step 5: DNS Interrogation
DNS Security Countermeasures
– Restrict zone transfers to only authorized servers
– You can also block them at the firewall
DNS name lookups are UDP Port 53
Zone transfers are TCP Port 53
Note: DNSSEC means that normal name lookups are sometimes on TCP 53 now
Step 5: DNS Interrogation
DNS Security Countermeasures
– Attackers could still perform reverse lookups against all IP addresses for a given net block
– So, external nameservers should provide information only about systems directly connected to the Internet
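A BIND named.conf fragment, added here as an example rather than taken from the slides, showing the weak setting beside the corrected one for both countermeasures above (restricted zone transfers, and an external view that lists only Internet-facing hosts). The zone name example.test, the key name, the file paths and the secondary address 203.0.113.53 are assumed placeholders.

```conf
// --- Weak: the setting behind the 14% of domains that still answer AXFR ---
options {
    allow-transfer { any; };      // anyone on the Internet can pull the zone
};

// --- Corrected: transfers only to a TSIG-authenticated secondary, plus a
// --- split view so outside resolvers never learn internal hostnames.
key "xfer-key" {                  // placeholder; generate with tsig-keygen
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

options {
    allow-transfer { none; };     // global default: refuse AXFR/IXFR
};

// Views are matched in order, so the internal view must come first.
view "internal" {
    match-clients { 10.0.0.0/8; 192.168.0.0/16; };
    zone "example.test" {
        type master;
        file "internal/example.test.zone";  // full internal host list
    };
};

view "external" {
    match-clients { any; };
    zone "example.test" {
        type master;
        file "external/example.test.zone";  // only Internet-facing hosts
        // Only the secondary (203.0.113.53, placeholder) holding the key may transfer.
        allow-transfer { key xfer-key; };
    };
};
```

At the firewall, permit TCP 53 to the nameserver from the secondary but do not drop TCP 53 wholesale: as the note above says, ordinary lookups (DNSSEC-sized answers, any reply over 512 bytes) fall back to TCP, so the AXFR restriction belongs in the server configuration.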
Step 6: Network Reconnaissance
Traceroute
– Can find route to target, locate firewalls, routers, etc.
Windows Tracert uses ICMP
Linux Traceroute uses UDP by default
Tracert
NeoTrace
NeoTrace combines Tracert and Whois to make a visual map (link Ch 1z2)
Step 6: Network Reconnaissance
Firewalk uses traceroute techniques to find ports and protocols that get past firewalls
Uses low TTL values and gathers data from ICMP Time Exceeded messages
– This should be even more effective with IPv6 because ICMPv6 is mandatory and cannot be blocked as well
Step 6: Network Reconnaissance
Countermeasures
– Many of the commercial network intrusion-detection systems (NIDS) and intrusion prevention systems (IPS) will detect this type of network reconnaissance
– Snort – the standard IDS (link Ch 1z5)
– Bro-IDS is another open source free NIDS
Step 6: Network Reconnaissance
Countermeasures
– You may be able to configure your border routers to limit ICMP and UDP traffic to specific systems, thus minimizing your exposure
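The kind of check a NIDS applies to the reconnaissance described in this step, written as an added example that is not from the slides or from Snort: it reads border packet logs and flags a source whose packets arrive with small, stepping TTLs (tracert over ICMP, traceroute over UDP) or a fixed low TTL across many ports (Firewalk). The log line format and the sample lines are constructed for the demo.

```python
"""Flag traceroute/tracert/firewalk-style TTL probing in border packet logs.
Added example, not from the slides. The log format and sample lines are
CONSTRUCTED for the demo; adjust LINE_RE to match your firewall's export."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
                     r"(?: dport=(?P<dport>\d+))? ttl=(?P<ttl>\d+)")
LOW_TTL = 8        # hop-walking probes start at TTL 1 and climb
MIN_PROBES = 3     # at least this many low-TTL packets from one source
MIN_DISTINCT = 3   # ...spread over this many TTL values (or dports)

# Constructed sample: UDP traceroute, ICMP tracert, firewalk sweep, one normal client.
SAMPLE_LOG = """\
10:00:01 src=198.51.100.7 dst=203.0.113.10 proto=udp dport=33434 ttl=1
10:00:01 src=198.51.100.7 dst=203.0.113.10 proto=udp dport=33435 ttl=2
10:00:02 src=198.51.100.7 dst=203.0.113.10 proto=udp dport=33436 ttl=3
10:00:05 src=192.0.2.44 dst=203.0.113.10 proto=icmp ttl=3
10:00:05 src=192.0.2.44 dst=203.0.113.10 proto=icmp ttl=4
10:00:06 src=192.0.2.44 dst=203.0.113.10 proto=icmp ttl=5
10:00:09 src=198.51.100.9 dst=203.0.113.10 proto=tcp dport=22 ttl=4
10:00:09 src=198.51.100.9 dst=203.0.113.10 proto=tcp dport=80 ttl=4
10:00:09 src=198.51.100.9 dst=203.0.113.10 proto=udp dport=53 ttl=4
10:00:12 src=203.0.113.77 dst=203.0.113.10 proto=tcp dport=443 ttl=57
"""

def parse(log_text):
    """Yield one dict per parseable line; anything else is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkt = m.groupdict()
            pkt["ttl"] = int(pkt["ttl"])
            yield pkt

def classify(pkts):
    """Name the probe style the way the slides describe each tool."""
    ttls = {p["ttl"] for p in pkts}
    ports = {p["dport"] for p in pkts if p["dport"]}
    if len(ttls) == 1 and len(ports) >= MIN_DISTINCT:
        return "firewalk-style (fixed TTL, many ports)"
    if {p["proto"] for p in pkts} == {"icmp"}:
        return "tracert-style (ICMP echo, stepping TTL)"
    return "traceroute-style (UDP/TCP, stepping TTL)"

def detect(log_text):
    """Return {src: style} for sources whose low-TTL packets walk hops."""
    by_src = defaultdict(list)
    for pkt in parse(log_text):
        if pkt["ttl"] <= LOW_TTL:          # real clients arrive with TTL ~40-120
            by_src[pkt["src"]].append(pkt)
    alerts = {}
    for src, pkts in by_src.items():
        ttls = {p["ttl"] for p in pkts}
        ports = {p["dport"] for p in pkts if p["dport"]}
        if len(pkts) >= MIN_PROBES and max(len(ttls), len(ports)) >= MIN_DISTINCT:
            alerts[src] = classify(pkts)
    return alerts
```

The TTL thresholds assume the logging point is the border device itself; a host several hops inside sees probes only once their TTL has already been decremented past the firewall, which is exactly the hop Firewalk targets.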