Recon This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

Upload: justus-brush

Post on 01-Apr-2015


Page 1: Recon

This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.

Dr. Stephen C. Hayne

Page 2: Phase 1: Reconnaissance

Investigate the target using publicly available information
Use this information to plan your attack
Use this information to plan your escape

Page 3: Low-Tech Reconnaissance

Social engineering
Physical break-in
Dumpster diving
Eavesdropping
Wiretapping

Page 4: Lo-Tech: Social Engineering

Still the best way to get information. The GIBE virus that claims to be a security fix from Microsoft is an example of this.
Calls to help desk about passwords. Calls to users from “help desk” about passwords.
Defense: user/sysadmin awareness

Page 5: Lo-Tech: Physical Break-In

Wiretaps into the wiring closets
Drive up to a house, clip into their outside phone box with a long set of wires and dial anywhere using their phone. Remember this is highly illegal.
Physical access to machine rooms or “secure” buildings under a variety of ruses.
Defense: badge checks, education, alarms and motion sensors.

Page 6: Lo-Tech: Physical Break-In

Theft of laptops at airports
Use encrypted file system
Screen savers: 5 minute minimum, password protected

Page 7: Lo-Tech: Dumpster Diving

Rummaging through the site’s trash looking for discarded information
Credit card slips, password information, old network maps, old server configuration listings
Oracle caught dumpster diving on Microsoft
Defense: paper shredders, proper trash disposal

Page 8: Web-based Reconnaissance

Searching a company’s own website:
employee contact info with phone numbers
clues about corporate culture and language
business partners
recent mergers and acquisitions
technologies in use (NT? IIS? Oracle? Solaris?)
helpful for social engineering attacks

Page 9: Web-based Reconnaissance

Using search engines: search for “www.companyname.com”
all websites that link to that URL: potential business partners, vendors, clients
Forums (the virtual watering hole): company employees ask technical questions in newsgroups; attackers can . . .
learn a company’s system
mislead the employees

Page 10: Web-based Reconnaissance

Defenses:
establish a company policy on web-publication of sensitive information, especially about products used in the company and their configuration
establish a company policy on employees’ use of newsgroups/forums and mailing lists
surf newsgroups, etc. for sensitive info about your own company to see what has leaked out

Page 11: The Domain Name System

Hierarchical, highly distributed database
IP addresses, domain names, mail-server info
DNS servers : Internet :: 411 : phone system

Figure: DNS Hierarchy. Root DNS servers at the top; below them the edu, gov and mil DNS servers; below edu the kings.edu DNS server, which holds www.kings.edu, www1.kings.edu and students.king.edu.

Page 12: whois Databases

Domain names, network addresses, IT employees
Registrars (100s) compete to register domains: mom’n’pops to giants, barebones to value-added
InterNIC whois db [www.internic.net/whois.html]: lists registrars for .com, .net, .org domains
Allwhois whois db [www.allwhois.com/home.html]: front-end for registrars in 59 countries
Other whois dbs: [whois.nic.mil], [whois.nic.gov], [www.networksolutions.com] (for .edu domains)

Page 13: ARIN IP Address Assignments

American Registry for Internet Numbers (ARIN) maintains information on who owns IP address ranges given a company name.

Scope: North and South America, Caribbean, sub-Saharan Africa

www.arin.net/whois/

Page 14: RIPE, APNIC Address Assignments

Réseaux IP Européens Network Coordination Centre (RIPE NCC) contains the IP address assignments for European networks. www.ripe.net

Asian assignments are at the Asia Pacific Network Information Center (APNIC) www.apnic.net

Page 15: We’ve Got the Registrar, Now What?

Search at a particular registrar by . . .
company name or human name (name)
domain name (no keyword needed)
IP address, host name or name server name (host)
NIC handle (handle)

Can learn . . .
administrative, technical, and billing contact names
phone nos., e-mail addresses, postal addresses
registration dates
name servers

Page 16: Defenses against DNS-based Recon

no OS in machine names
DNS servers don’t include HINFO or TXT records for machines
limit zone transfers to need-to-know IP addresses: DNS needs UDP Port 53 to resolve names; TCP Port 53 is used for zone transfers; restrict it to known secondary DNS servers
Split DNS a.k.a. Split-Brain a.k.a. Split-Horizon DNS
external DNS server: publicly accessible hosts only
internal DNS server: DNS info for internal network; like a proxy server, forwards requests beyond the firewall
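As an added example (not part of the deck), a small audit script a DNS administrator can run over their own zone file to catch the leaks this slide warns about: HINFO records, descriptive TXT records on hosts, and host names that name an OS or product. The sample zone, the LEAKY_TERMS list and audit_zone are all constructed here.

```python
import re

# Constructed sample zone (BIND format), not from the deck; it contains the
# kinds of records and names the slide says to avoid.
SAMPLE_ZONE = """\
$ORIGIN kings.edu.
$TTL 3600
@            IN SOA   ns1.kings.edu. hostmaster.kings.edu. (2015040101 3600 900 604800 300)
@            IN NS    ns1.kings.edu.
@            IN MX 10 mail.kings.edu.
@            IN TXT   "v=spf1 mx -all"
ns1          IN A     192.0.2.1
www          IN A     192.0.2.10
www          IN HINFO "Sun Ultra 10" "Solaris 8"
oracle-db1   IN A     192.0.2.20
nt-iis-web2  IN A     192.0.2.21
students     IN A     192.0.2.30
students     IN TXT   "Exchange on NT4, call x1234 for help"
"""

# Labels that disclose OS, product or role: the terms named on the slides
# (NT, IIS, Oracle, Solaris) plus a few common ones; extend for your own site.
LEAKY_TERMS = ("nt", "iis", "oracle", "solaris", "win", "linux", "sql",
               "exchange", "fw", "firewall")

def audit_zone(zone_text):
    """Return (owner, rtype, reason) findings for each leaky record."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):         # skip $ORIGIN/$TTL directives
            continue
        parts = line.split()                         # owner [ttl] IN type rdata...
        if "IN" not in parts:
            continue
        idx = parts.index("IN")
        owner, rtype = parts[0], parts[idx + 1]
        if rtype == "HINFO":
            findings.append((owner, rtype, "HINFO reveals hardware/OS"))
        elif rtype == "TXT" and owner != "@":        # apex TXT (SPF etc.) is normal
            findings.append((owner, rtype, "TXT on a host may describe its role"))
        labels = re.split(r"[-.]", owner.lower())    # split names like nt-iis-web2
        hits = [t for t in LEAKY_TERMS if t in labels]
        if hits and rtype == "A":
            findings.append((owner, rtype, "name discloses " + ", ".join(hits)))
    return findings

if __name__ == "__main__":
    for owner, rtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner:<14}{rtype:<7}{reason}")
```

Run it against the zone files your external server actually publishes; anything it flags is what a zone transfer or ordinary lookup would hand an outsider.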

Page 17: General Purpose Reconnaissance Tools

Interrogating DNS servers
first identify a company’s name/domain server
Windows & most UNIX flavors have: nslookup
zone transfer: “send all info about a domain”: system names (may imply OS, machines’ purposes), IP addresses, mail-server names, etc.
most UNIX flavors have: host
some UNIX flavors have: dig
available for Windows: adig, nscan [nscan.hypermart.net/index.cgi?index=dns]

Page 18: General Purpose Reconnaissance Tools

Sam Spade [www.samspade.org/ssw/]: Windows, GUI, freeware; web browser, ping, whois, IP block whois, nslookup, dig, DNS zone transfer, traceroute, finger, SMTP VRFY
CyberKit [www.cyberkit.net]
NetScanTools [www.netscantools.com/nstmain.html]
iNetTools [www.wildpackets.com/products/inettools/]

Page 19: Web Reconnaissance Tools

All traffic comes from the web server, not the client
Attacker can remain more anonymous
Some operated by . . . high-integrity pros in security organizations, shady characters . . . so don’t use your company’s ISP account
Some tests include DoS attacks . . . so check with your company’s legal department
http://www.securityspace.com/sspace/index.html

Page 20: Scanning Software

Languard GFI (for Windows)

NMAP (for Un*x)

Page 21: Nessus: A Vulnerability Scanner for Linux

Nessus is a free, open-source general vulnerability scanner
As such, it is used by the white hat community and the black hats
Project started by Renaud Deraison
Available at www.nessus.org
Consists of a client and server, with modular plug-ins for individual tests