Recon
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne
Phase 1: Reconnaissance
Investigate the target using publicly available information
Use this information to plan your attack
Use this information to plan your escape
Low-Tech Reconnaissance
Social engineering
Physical break-in
Dumpster diving
Eavesdropping
Wiretapping
Lo-Tech: Social Engineering
Still the best way to get information. The Gibe worm, which arrives as e-mail claiming to be a security fix from Microsoft, is an example of this.
Calls to the help desk about passwords
Calls to users from the “help desk” about passwords
Defense: user/sysadmin awareness
Lo-Tech: Physical Break-In
Wiretaps into the wiring closets
Drive up to a house, clip into their outside phone box with a long set of wires and dial anywhere using their phone. Remember this is highly illegal.
Physical access to machine rooms or “secure” buildings under a variety of ruses
Defense: badge checks, education, alarms and motion sensors
Lo-Tech: Physical Break-In
Theft of laptops at airports
Defense: use an encrypted file system
Screen savers: lock after at most 5 minutes of idle time, password protected
Lo-Tech: Dumpster Diving
Rummaging through the site’s trash looking for discarded information
Credit card slips, password information, old network maps, old server configuration listings
Oracle caught dumpster diving on Microsoft (in 2000, investigators hired by Oracle tried to buy the trash of Microsoft-funded advocacy groups)
Defense: paper shredders, proper trash disposal
Web-based Reconnaissance
Searching a company’s own website
employee contact info with phone numbers
clues about corporate culture and language
business partners
recent mergers and acquisitions
technologies in use: NT? IIS? Oracle? Solaris?
helpful for social engineering attacks
Web-based Reconnaissance
Using search engines
search for “www.companyname.com” to find all websites that link to that URL: potential business partners, vendors, clients
Forums (the virtual watering hole)
technical questions are asked in newsgroups by company employees
attackers can . . .
learn about a company’s systems
mislead the employees
Web-based Reconnaissance
Defenses
establish a company policy on web-publication of sensitive information, especially about products used in the company and their configuration
establish a company policy on employees’ use of newsgroups/forums and mailing lists
surf newsgroups, etc. for sensitive info about your own company to see what has leaked out
The Domain Name System
Hierarchical, highly distributed database
IP addresses, domain names, mail-server info
DNS servers are to the Internet what 411 (directory assistance) is to the phone system
DNS Hierarchy
Root DNS servers
  edu DNS servers, gov DNS servers, mil DNS servers
    kings.edu DNS server
      www.kings.edu, students.kings.edu, www1.kings.edu
whois Databases
Domain names, network addresses, IT employees
Registrars (100s) compete to register domains: mom’n’pops to giants, barebones to value-added
InterNIC whois db [www.internic.net/whois.html] lists registrars for .com, .net, .org domains
Allwhois whois db [www.allwhois.com/home.html] front-end for registrars in 59 countries
Other whois dbs: [whois.nic.mil], [whois.nic.gov], [www.networksolutions.com] (for .edu domains)
ARIN IP Address Assignments
American Registry for Internet Numbers (ARIN) maintains information on who owns IP address ranges, searchable by company name.
Scope at the time of these slides: North and South America, Caribbean, sub-Saharan Africa (LACNIC and AfriNIC have since taken over Latin America and Africa)
www.arin.net/whois/
RIPE, APNIC Address Assignments
Réseaux IP Européens Network Coordination Centre (RIPE NCC) holds the IP address assignments for European networks. www.ripe.net
Asia-Pacific assignments are at the Asia Pacific Network Information Centre (APNIC). www.apnic.net
We’ve Got the Registrar, Now What?
Search at a particular registrar by . . .
company name or human name (name)
domain name (no keyword needed)
IP address, host name or name server name (host)
NIC handle (handle)
Can learn . . .
administrative, technical, and billing contact names
phone nos., e-mail addresses, postal addresses
registration dates
name servers
Defenses against DNS-based Recon
Keep the OS out of machine names, and don’t publish HINFO or TXT records for machines in the DNS
Limit zone transfers to need-to-know IP addresses
DNS needs UDP port 53 to resolve names; TCP port 53 is used for zone transfers (and for any answer too large for a UDP packet, so don’t simply block it at the firewall)
Restrict zone transfers to known secondary DNS servers
Split DNS a.k.a. Split-Brain a.k.a. Split-Horizon DNS
external DNS server: publicly accessible hosts only
internal DNS server: DNS info for the internal network
like a proxy server; forwards requests beyond the firewall
Interrogating DNS Servers
First identify the company’s name/domain server
Windows & most UNIX flavors have: nslookup
zone transfer: “send me all info about a domain”
system names (may imply OS, machines’ purposes), IP addresses, mail-server names, etc.
Most UNIX flavors have: host
Some UNIX flavors have: dig
Available for Windows: adig, nscan [nscan.hypermart.net/index.cgi?index=dns]
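As an added example (not part of the original slides), the script below reads a zone transfer as printed by dig and reports what the interrogation slide says an attacker reads off it, which is also what the defenses slide says not to publish: HINFO and TXT records, host names whose first label hints at an OS or role, and the mail servers. The zone contents, the example.com names and the OS_HINTS word list are constructed assumptions for illustration; run it against your own external zone to check the HINFO/TXT and OS-in-name defenses.

```python
#!/usr/bin/env python3
"""Audit a DNS zone transfer for the leaks the recon slides describe.

Usage (the zone transfer itself is done with dig):
    dig @ns1.example.com example.com AXFR > zone.txt
    python3 audit_zone.py < zone.txt
With no piped input the constructed SAMPLE_AXFR below is audited instead.
"""
import re
import sys

# Tokens in a host name's first label that suggest an OS or a machine's role.
# Assumption: an illustrative list; extend it for the environment you audit.
OS_HINTS = ("nt", "win", "w2k", "sol", "sun", "linux", "bsd", "aix",
            "iis", "oracle", "sql", "fw", "pix", "vpn")
HINT_RE = re.compile(r"(?:^|[-_])(?:" + "|".join(OS_HINTS) + ")")

# Constructed sample of what dig prints for an AXFR of a poorly tended zone
# (example.com / 192.0.2.x are documentation names, not a real target).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
example.com.        3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2003021001 7200 3600 604800 3600
example.com.        3600  IN  NS     ns1.example.com.
example.com.        3600  IN  MX     10 mail.example.com.
ns1.example.com.    3600  IN  A      192.0.2.1
mail.example.com.   3600  IN  A      192.0.2.2
www.example.com.    3600  IN  A      192.0.2.3
www.example.com.    3600  IN  HINFO  "Sun Ultra 10" "Solaris 8"
students.example.com. 3600 IN A      192.0.2.4
ntsrv1.example.com. 3600  IN  A      192.0.2.5
ntsrv1.example.com. 3600  IN  TXT    "IIS 5.0 - intranet, admin: jsmith x4411"
oracle-db.example.com. 3600 IN A     192.0.2.6
example.com.        3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2003021001 7200 3600 604800 3600
;; Query time: 3 msec
"""


def parse_zone(text):
    """Turn dig-style zone output into (owner, type, rdata) tuples.

    Each record line is: owner [ttl] [class] type rdata...
    Lines starting with ';' (dig's banner, status lines and the
    "; Transfer failed." message of a refused AXFR) are skipped, so a
    refused transfer yields an empty list.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():                      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        records.append((owner.rstrip(".").lower(), rest[0].upper(),
                        " ".join(rest[1:])))
    return records


def find_leaks(records):
    """What an attacker reads off the transfer (and a defender should remove)."""
    hinfo_txt = [r for r in records if r[1] in ("HINFO", "TXT")]
    hosts = sorted({o for o, t, _ in records if t in ("A", "AAAA", "CNAME")})
    os_hint_hosts = [h for h in hosts if HINT_RE.search(h.split(".")[0])]
    mail_servers = sorted({d.split()[-1].rstrip(".").lower()
                           for _, t, d in records if t == "MX"})
    return {"hosts": hosts, "hinfo_txt": hinfo_txt,
            "os_hint_hosts": os_hint_hosts, "mail_servers": mail_servers}


def report(text):
    """Human-readable summary; distinguishes a refused transfer from leaks."""
    records = parse_zone(text)
    if not records:
        return "no records parsed: transfer refused (good) or wrong input"
    leaks = find_leaks(records)
    lines = [f"{len(leaks['hosts'])} hosts in zone"]
    lines += [f"HINFO/TXT leak: {o} {t} {d}" for o, t, d in leaks["hinfo_txt"]]
    lines += [f"name hints at OS/role: {h}" for h in leaks["os_hint_hosts"]]
    lines += [f"mail server: {m}" for m in leaks["mail_servers"]]
    return "\n".join(lines)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AXFR
    print(report(data))
```

If your primary refuses the transfer to an unlisted client, the report says so and the zone is behaving as the defenses slide wants; if it prints host names and HINFO/TXT contents, that is the information an outsider already has.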
General Purpose Reconnaissance Tools
Sam Spade [www.samspade.org/ssw/] Windows, GUI, freeware: web browser, ping, whois, IP block whois, nslookup, dig, DNS zone transfer, traceroute, finger, SMTP VRFY
CyberKit [www.cyberkit.net]
NetScanTools [www.netscantools.com/nstmain.html]
iNetTools [www.wildpackets.com/products/inettools/]
Web Reconnaissance Tools
All traffic comes from the web server, not the client
Attacker can remain more anonymous
Some operated by high-integrity pros in security organizations, some by shady characters . . . so don’t use your company’s ISP account
Some tests include DoS attacks . . . so check with your company’s legal department
http://www.securityspace.com/sspace/index.html
Scanning Software
GFI LANguard (for Windows)
Nmap (for Un*x)
Nessus: A Vulnerability Scanner for Linux
Nessus is a free, open-source general vulnerability scanner (as of these slides; the open-source licence was dropped with Nessus 3 in 2005)
As such, it is used by the white hat community and the black hats
Project started by Renaud Deraison
Available at www.nessus.org
Consists of a client and a server, with modular plug-ins for individual tests