CNIT 124: Advanced Ethical Hacking. Casing the Establishment Case Study

Upload: christal-shields

Post on 26-Dec-2015


TRANSCRIPT

Page 1: CNIT 124: Advanced Ethical Hacking. CASING THE ESTABLISHMENT CASE STUDY

CNIT 124: Advanced Ethical Hacking

Page 2

CASING THE ESTABLISHMENT

CASE STUDY

Page 3

TOR (The Onion Router)

Passes packets through proxies, concealing the source IP
– Usually installed with Vidalia (the GUI) and Privoxy (Web filtering proxy)
– Tor listens on port 9050
– Privoxy listens on port 8118
– Torbutton Firefox extension controls Tor use

tor-resolve performs DNS resolution through Tor, concealing your IP Address

Page 4

Proxychains

Forces TCP connections to go through a proxy

Requires complete handshake
– SYN, SYN/ACK, ACK

Page 5

nmap through proxychains

Page 6

socat

Relays bidirectional transfers

Page 7

socat

This command opens a proxy listening on localhost:8080 and forwards all requests through Tor to the target 10.10.10.100:80

Page 8

Using nc as a Web browser

Page 9

Chapter 1

Footprinting

Page 10

Google Hacking

Find sensitive data about a company from Google

Completely stealthy—you never send a single packet to the target (if you view the cache)

To find passwords:
– intitle:"Index of" passwd passwd.bak

See links Ch 1a, 1b on my Web page (samsclass.info, click CNIT 124)

Page 11

Other fun searches

Nessus reports (link Ch 1c)

More passwords (link Ch 1d)

Page 12

Be The Bot

See pages the way Google's bot sees them

Page 13

Custom User Agents

Add the "User Agent Switcher" Firefox Extension

Page 14

Footprinting

Gathering target information

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
– Sun Tzu on the Art of War

Page 15

Environments and the Critical Information Attackers Can Identify

Internet Presence

Intranet

Remote Access (travelling employees)

Extranet (vendors and business partners)

Page 16

Internet

Domain name
Network blocks
Specific IP addresses of systems reachable via the Internet
TCP and UDP services running on each system identified
System architecture (for example, SPARC vs. x86)
Access control mechanisms and related access control lists (ACLs)
Intrusion-detection systems (IDSs)
System enumeration (user and group names, system banners, routing tables, and SNMP information)
DNS hostnames

Page 17

Intranet

Networking protocols in use (for example, IP, IPX, DECnet, and so on)
Internal domain names
Network blocks
Specific IP addresses of systems reachable via the intranet
TCP and UDP services running on each system identified
System architecture (for example, SPARC vs. x86)
Access control mechanisms and related ACLs
Intrusion-detection systems
System enumeration (user and group names, system banners, routing tables, and SNMP information)

Page 18

Remote access

Analog/digital telephone numbers

Remote system type

Authentication mechanisms

VPNs and related protocols (IPSec and PPTP)

Page 19

Extranet

Connection origination and destination

Type of connection

Access control mechanism

Page 20

Internet Footprinting

Step 1: Determine the Scope of Your Activities

Step 2: Get Proper Authorization

Step 3: Publicly Available Information

Step 4: WHOIS & DNS Enumeration

Step 5: DNS Interrogation

Step 6: Network Reconnaissance

Page 21

Step 1: Determine the Scope of Your Activities

Entire organization

Certain locations

Business partner connections (extranets)

Disaster-recovery sites

Page 22

Step 2: Get Proper Authorization

Ethical Hackers must have authorization in writing for their activities
– "Get Out of Jail Free" card
– Criminals omit this step

Image from www.blackhatseo.fr

Page 23

Step 3: Publicly Available Information

Company web pages
– Wget and Teleport Pro are good tools to mirror Web sites for local analysis (links Ch 1o & 1p)
– Look for other sites beyond "www"
– Outlook Web Access: https://owa.company.com or https://outlook.company.com
– Virtual Private Networks: http://vpn.company.com or http://www.company.com/vpn

Page 24

OWASP DirBuster

Page 25

Step 3: Publicly Available Information

Related Organizations

Physical Address
– Dumpster-diving
– Surveillance
– Social Engineering

Tool: Google Earth (link Ch 1q) and Google Maps Street View

Page 26

Step 3: Publicly Available Information

Phone Numbers, Contact Names, E-mail Addresses, and Personal Details

Current Events
– Mergers, scandals, layoffs, etc. create security holes

Privacy or Security Policies, and Technical Details Indicating the Types of Security Mechanisms in Place

Page 27

Step 3: Publicly Available Information

Archived Information
– The Wayback Machine (link Ch 1t)
– Google Cache

Disgruntled Employees

Page 28

SiteDigger (Link Ch 1z7)

Page 29

Wikto

Link Ch 1z8

Page 30

FOCA

Searches file metadata (link Ch 1z9)

Page 31

SHODAN

Searches banners

Page 32

SHODAN finding Vulnerable SCADA Systems

Page 33

Step 3: Publicly Available Information

Usenet
– Groups.google.com

Resumes

Page 34

Maltego

Data mining tool

Page 35

Using Maltego

Link Ch 1z10

Page 36

Step 4: WHOIS & DNS Enumeration

Two organizations manage domain names, IP addresses, protocols and port numbers on the Internet
– Internet Assigned Numbers Authority (IANA; http://www.iana.org)
– Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org)
– IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN

Page 37

Step 4: WHOIS & DNS Enumeration

Domain-Related Searches
– Every domain name, like msn.com, has a top-level domain - .com, .net, .org, etc.

If we surf to http://whois.iana.org, we can search for the authoritative registry for all of .com
– .com is managed by Verisign

Page 38

Step 4: WHOIS & DNS Enumeration

Page 39

Step 4: WHOIS & DNS Enumeration

Verisign Whois (link Ch 1v)
– Search for ccsf.edu and it gives the Registrar

Whois.educause.net

Three steps:
– Authoritative Registry for top-level domain
– Domain Registrar
– Finds the Registrant

Page 40

Step 4: WHOIS & DNS Enumeration

Automated tools do all three steps
– Whois.com
– Sam Spade
– Netscan Tools Pro

They are not perfect. Sometimes you need to do the three-step process manually.

Page 41

Step 4: WHOIS & DNS Enumeration

Once you've homed in on the correct WHOIS server for your target, you may be able to perform other searches if the registrar allows it

You may be able to find all the domains that a particular DNS server hosts, for instance, or any domain name that contains a certain string
– BUT a court decision in North Dakota just declared this illegal (link Ch 1s) (printed notes have the wrong state & link)

Page 42

Step 4: WHOIS & DNS Enumeration

How IP addresses are assigned:
– The Address Supporting Organization (ASO http://www.aso.icann.org) allocates IP address blocks to
– Regional Internet Registries (RIRs), which then allocate IPs to organizations, Internet service providers (ISPs), etc.
– ARIN (http://www.arin.net) is the RIR for North and South America

Page 43

Internet Registry Regions

http://www.iana.org/numbers/

Page 44

2013: The End

Page 45

Step 4: WHOIS & DNS Enumeration

IP-Related Searches
– To track down an IP address:

Use arin.net (link Ch 1x)

It may refer you to a different database

Examples:
– 147.144.1.1
– 61.0.0.2

Page 46

Step 4: WHOIS & DNS Enumeration

IP-Related Searches
– Search by company name at arin.net to find IP ranges, and AS numbers
– AS numbers are used by BGP (Border Gateway Protocol) to prevent routing loops on Internet routers (link Ch 1y)
– Examples: Google, CCSF

Page 47

Step 4: WHOIS & DNS Enumeration

Administrative contact gives you name, voice and fax numbers

Useful for social engineering

Authoritative DNS Server can be used for Zone Transfer attempts
– But Zone Transfers may be illegal now (link Ch 1s)

Page 48

Step 4: WHOIS & DNS Enumeration

Public Database Security Countermeasures
– When an administrator leaves an organization, update the registration database
– That prevents an ex-employee from changing domain information
– You could also put in fake "honeytrap" data in the registration

eBay's domain was hijacked (link Ch 1z1)

Page 49

Step 5: DNS Interrogation

Zone Transfers
– Gives you a list of all the hosts when it works
– Usually blocked, and maybe even illegal now

14% of 1 million tested domains were vulnerable (link Ch 1z12)

Page 50

Step 5: DNS Interrogation

Determine Mail Exchange (MX) Records
– You can do it on Windows with NSLOOKUP in Interactive mode

Page 51

Excellent Tutorial

Link Ch 1z11

Page 52

Step 5: DNS Interrogation

DNS Security Countermeasures
– Restrict zone transfers to only authorized servers
– You can also block them at the firewall

DNS name lookups are UDP Port 53

Zone transfers are TCP Port 53

Note: DNSSEC means that normal name lookups are sometimes on TCP 53 now
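
Because normal lookups can now arrive on TCP 53, a monitoring rule has to read the query type rather than alert on the port alone. The following is an added example, not part of the original slides: it parses a DNS-over-TCP query, reports AXFR/IXFR requests, and checks the source against a list of authorized secondaries. The addresses, the secondary list and the sample messages are constructed assumptions.

```python
import ipaddress
import struct

QTYPE_NAMES = {1: "A", 6: "SOA", 15: "MX", 28: "AAAA", 48: "DNSKEY",
               251: "IXFR", 252: "AXFR"}
TRANSFER_QTYPES = {251, 252}  # incremental and full zone transfer

# Assumption: the zone's only secondary server (documentation address).
AUTHORIZED_SECONDARIES = [ipaddress.ip_network("192.0.2.53/32")]


def parse_tcp_dns_question(payload):
    """Return (qname, qtype) from the first question of a DNS-over-TCP message."""
    if len(payload) < 2:
        raise ValueError("missing 2-byte TCP length prefix")
    (msg_len,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + msg_len]
    if msg_len < 12 or len(msg) != msg_len:
        raise ValueError("truncated DNS message")
    (qdcount,) = struct.unpack("!H", msg[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("question name runs past end of message")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype


def classify(src_ip, payload):
    """Return (verdict, qname, qtype_name) for one TCP 53 query."""
    try:
        qname, qtype = parse_tcp_dns_question(payload)
    except ValueError:
        return ("malformed", None, None)
    name = QTYPE_NAMES.get(qtype, "TYPE%d" % qtype)
    if qtype not in TRANSFER_QTYPES:
        return ("normal-tcp-lookup", qname, name)
    addr = ipaddress.ip_address(src_ip)
    allowed = any(addr in net for net in AUTHORIZED_SECONDARIES)
    verdict = "authorized-transfer" if allowed else "unauthorized-transfer"
    return (verdict, qname, name)


def build_query(name, qtype):
    """Build a constructed sample query (header + one question, class IN)."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


# Constructed sample traffic: (source address, TCP payload)
SAMPLES = [("198.51.100.7", build_query("example.com", 252)),
           ("192.0.2.53", build_query("example.com", 252)),
           ("203.0.113.9", build_query("example.com", 48))]

if __name__ == "__main__":
    for src, payload in SAMPLES:
        print(src, classify(src, payload))
```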

Page 53

Step 5: DNS Interrogation

DNS Security Countermeasures
– Attackers could still perform reverse lookups against all IP addresses for a given net block
– So, external nameservers should provide information only about systems directly connected to the Internet

Page 54

Step 6: Network Reconnaissance

Traceroute
– Can find route to target, locate firewalls, routers, etc.

Windows Tracert uses ICMP

Linux Traceroute uses UDP by default

Page 55

Tracert

Page 56

NeoTrace

NeoTrace combines Tracert and Whois to make a visual map (link Ch 1z2)

Page 57

Step 6: Network Reconnaissance

Firewalk uses traceroute techniques to find ports and protocols that get past firewalls

Uses low TTL values and gathers data from ICMP Time Exceeded messages
– This should be even more effective with IPv6 because ICMPv6 is mandatory and cannot be blocked as well

Page 58

Step 6: Network Reconnaissance

Countermeasures
– Many of the commercial network intrusion-detection systems (NIDS) and intrusion prevention systems (IPS) will detect this type of network reconnaissance
– Snort – the standard IDS (link Ch 1z5)
– Bro-IDS is another open source free NIDS

Page 59

Step 6: Network Reconnaissance

Countermeasures
– You may be able to configure your border routers to limit ICMP and UDP traffic to specific systems, thus minimizing your exposure
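
The detection idea behind the Step 6 countermeasures can be shown on packet records from a border sensor: route-tracing probes arrive with very low TTLs that step up by one toward the same host, while ordinary traffic arrives with plenty of TTL left. This is an added example, not part of the original slides and not how Snort or Bro-IDS implement it. The record format, thresholds and sample packets are constructed assumptions.

```python
from collections import defaultdict

LOW_TTL_MAX = 5   # assumption: arrival TTLs at or below this are about to expire
MIN_RUN = 3       # assumption: this many consecutive TTL values marks a trace
UDP_TRACE_PORTS = range(33434, 33535)  # default Linux traceroute destination ports

# Constructed records: (src, dst, proto, dst_port, ttl_on_arrival)
PACKETS = [
    ("198.51.100.7", "203.0.113.10", "udp", 33434, 1),
    ("198.51.100.7", "203.0.113.10", "udp", 33435, 2),
    ("198.51.100.7", "203.0.113.10", "udp", 33436, 3),
    ("198.51.100.7", "203.0.113.10", "udp", 33437, 4),
    ("198.51.100.8", "203.0.113.10", "icmp", 0, 1),
    ("198.51.100.8", "203.0.113.10", "icmp", 0, 2),
    ("198.51.100.8", "203.0.113.10", "icmp", 0, 3),
    ("192.0.2.20", "203.0.113.10", "tcp", 443, 52),   # ordinary web traffic
    ("192.0.2.20", "203.0.113.10", "tcp", 443, 52),
    ("192.0.2.21", "203.0.113.10", "udp", 53, 2),     # one stray low-TTL packet
    ("192.0.2.22", "203.0.113.10", "icmp", 0, 1),     # low TTLs, but no run
    ("192.0.2.22", "203.0.113.10", "icmp", 0, 4),
]


def longest_run(values):
    """Length of the longest run of consecutive integers in values."""
    best = run = 0
    prev = None
    for v in sorted(values):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best


def detect_traces(packets, low_ttl_max=LOW_TTL_MAX, min_run=MIN_RUN):
    """Return sorted (src, dst, style) for sources whose low arrival TTLs
    form a run of at least min_run consecutive values toward one host."""
    seen = defaultdict(set)
    for src, dst, proto, dport, ttl in packets:
        if ttl > low_ttl_max:
            continue  # ordinary traffic arrives with plenty of TTL left
        if proto == "icmp":
            style = "icmp-echo"        # Windows Tracert uses ICMP
        elif proto == "udp" and dport in UDP_TRACE_PORTS:
            style = "udp-high-port"    # Linux Traceroute uses UDP by default
        else:
            style = proto + "-other"   # low-TTL probes aimed at a chosen port
        seen[(src, dst, style)].add(ttl)
    return sorted(k for k, ttls in seen.items() if longest_run(ttls) >= min_run)


if __name__ == "__main__":
    for src, dst, style in detect_traces(PACKETS):
        print("possible route tracing: %s -> %s (%s)" % (src, dst, style))
```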