Footprinting and Scanning

Footprinting
• gathering target information
• profile of security posture
– Internet: domain name, network blocks, IP addresses open to the Net, TCP and UDP services running, ACLs, IDSes
– Intranet: protocols (IP, NetBIOS), internal domain names, etc.
– Remote access: phone numbers, remote control, telnet, authentication
– Extranet: connection origination, destination, type, access control
Scope of footprinting
• Organization, region, location
• open source search
– web page (save it offline, e.g. with Teleport)
– Yahoo or other directories
– multiple search engines (All-in-One, Dogpile)
– advanced search (e.g. AltaVista)
– publicly traded companies (e.g. EDGAR)
• countermeasures
– remove unnecessary information from web pages
– create security policies (see Site Security Handbook)
Network enumeration
• Identify domain names and networks
– registrar query. In Linux/UNIX issue whois "domain."@whois.crsnic.net; in Windows download CyberKit and perform the query. Then use the domain.xxx to find the registrar.
– organizational query. Use the organization name and query the respective registrar, as shown in this example.
– domain query. Given all possible domains, start with one of them and query the registrar about the domain. Note phones, DNS servers, etc.
– network query. The ARIN database can provide information on the IP blocks assigned to an organization. Query whois.arin.net.
– countermeasures: only administrative cleanup, because the information is required for registration.
DNS interrogation
• Use the Spade tool to check DNS.
– Use the dig tool in Spade to obtain the authoritative DNS servers for the organization (it will also provide the mail server IP numbers, etc.).
– A zone transfer asks the authoritative name server of an organization for all the information it knows about a domain (it should not provide this information to arbitrary clients).
– A mail relay check asks a mail server to relay mail for you (it should not relay your message).
– Countermeasures: deny all unauthorized inbound connections to port 53. You can also set directives on the DNS server (see book). This prevents zone transfers, but not looking up each IP number individually with nslookup.
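The server-side directive the slide alludes to is, for BIND, `allow-transfer`. The following Python audit is an added example (not from the slides or from any BIND tooling): it reads a named.conf, resolves each zone's effective `allow-transfer` list, and reports which zones would still answer a zone transfer (AXFR) request. The named.conf excerpt is constructed for the example, and the parser assumes zones are declared at the top level of the file (no `view` blocks).

```python
"""Audit a BIND named.conf for zones that allow unrestricted zone transfers.

Added example: illustrative, not from the slides. It assumes BIND's
`allow-transfer` directive and that zones are declared at the top level
of the file (no `view` blocks).
"""
import re

# Constructed named.conf excerpt used as sample input (not a real server's config).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";   // no global allow-transfer: BIND's default is "any"
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; };   /* only the secondary may pull the zone */
};

zone "example.net" IN {
    type master;
    file "example.net.zone";          # inherits the (open) default
};

zone "example.org" IN {
    type master;
    file "example.org.zone";
    allow-transfer { any; };          // explicitly open to the world
};
"""

# The same file with the global default closed, so unconfigured zones inherit "none".
HARDENED_NAMED_CONF = SAMPLE_NAMED_CONF.replace(
    'directory "/var/named";', 'directory "/var/named";\n    allow-transfer { none; };'
)


def _strip_comments(text):
    """Remove /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _top_level_blocks(text, keyword):
    """Yield (header, body) for each top-level `keyword header { body };` statement."""
    pattern = re.compile(r"(?m)^\s*" + keyword + r"\b([^{]*)\{")
    pos = 0
    while True:
        match = pattern.search(text, pos)
        if not match:
            return
        depth, i = 1, match.end()
        while depth and i < len(text):           # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield match.group(1).strip(), text[match.end():i - 1]
        pos = i


def _allow_transfer_acl(body):
    """Return the allow-transfer address list as tokens, or None if the directive is absent."""
    match = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if match is None:
        return None
    return [tok.strip() for tok in match.group(1).split(";") if tok.strip()]


def _is_open(acl):
    """An ACL is open if it contains `any`; `none`, an empty list or explicit hosts are restricted."""
    return "any" in acl


def audit_zone_transfers(conf_text):
    """Map each zone name to a verdict on who may perform AXFR against it."""
    text = _strip_comments(conf_text)
    global_acl = None
    for _, body in _top_level_blocks(text, "options"):
        global_acl = _allow_transfer_acl(body)
    verdicts = {}
    for header, body in _top_level_blocks(text, "zone"):
        zone = header.split()[0].strip('"')
        acl = _allow_transfer_acl(body)
        if acl is not None:                      # zone-level directive wins
            verdicts[zone] = "open (any)" if _is_open(acl) else "restricted"
        elif global_acl is not None:             # fall back to the options block
            verdicts[zone] = "open (inherited any)" if _is_open(global_acl) else "restricted (inherited)"
        else:                                    # nothing configured anywhere
            verdicts[zone] = "open (BIND default: any)"
    return verdicts


if __name__ == "__main__":
    for zone, verdict in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone:15} {verdict}")
```

Closing the default in the `options` block (as `HARDENED_NAMED_CONF` does) is what catches zones that nobody remembered to configure. Restricting transfers in the server configuration also avoids the side effect of the firewall approach on the slide: a rule that denies everything to port 53 would stop legitimate resolvers from reaching an authoritative server, whereas `allow-transfer` only closes AXFR.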
• Network Reconnaissance
– traceroute (tracert in Windows) allows one to study the network topology (identify the nodes on the path into the network). See this example.
Scanning
• After obtaining a list of networks and IP addresses, scanning starts:
– ping sweeps (find active machines): use Pinger in Windows and nmap in Linux/UNIX. This is an example of Pinger.
– TCP port scanning (open ports on active machines): SYN and connect scans work with most hosts. The SYN scan is stealthier and may not be logged. In Windows NT use SuperScan and in Linux/UNIX use nmap. See an example of SuperScan. BUT, hackers use scripted command-line binaries, not graphical tools.
– UDP port scanning: use WUPS in Windows, as shown here.
– countermeasures: detection using Active Ports (see an example of what it logs). Later we will learn to install an IDS program (snort), the way to protect from ping sweeps and port scanning. NAT is a first step. See more free/shareware security tools here.
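What an IDS such as snort does for the ping sweeps and port scans above reduces to counting: one source touching many hosts with ICMP echo requests, or many ports on one host with TCP SYNs, inside a short window. The script below is an added example (not from the slides, and not snort's own logic) that runs that detection over firewall log lines; the lines are constructed in the netfilter LOG-target format with RFC 5737 documentation addresses, and the thresholds are arbitrary values chosen for the example.

```python
"""Flag ping sweeps and TCP port scans in netfilter (iptables LOG target) output.

Added example, not from the slides: a minimal version of the counting an IDS
performs. The log lines and the thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime


def _log_line(clock, src, dst, proto_fields):
    """Build one constructed line in the kernel LOG-target format (sample input only)."""
    return (f"Mar  3 {clock} gw kernel: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 "
            f"SRC={src} DST={dst} LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO={proto_fields}")


# Documentation addresses: the scanner sweeps 8 hosts, then probes 10 ports on one of them.
_SCANNER, _TARGET, _CLIENT = "203.0.113.5", "192.0.2.10", "198.51.100.7"
_SYN = "TCP SPT={sport} DPT={dport} WINDOW=1024 RES=0x00 SYN URGP=0"
_ECHO = "ICMP TYPE=8 CODE=0 ID=1 SEQ=1"
SAMPLE_LOG = "\n".join(
    [_log_line(f"10:15:0{i}", _SCANNER, f"192.0.2.{i + 1}", _ECHO) for i in range(8)]
    + [_log_line(f"10:15:1{i % 5}", _SCANNER, _TARGET, _SYN.format(sport=40000 + i, dport=p))
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389])]
    # a normal client: one echo request and a few connections to 443 are not a scan
    + [_log_line("10:16:05", _CLIENT, _TARGET, _ECHO)]
    + [_log_line(f"10:16:0{6 + k}", _CLIENT, _TARGET, _SYN.format(sport=51000 + k, dport=443))
       for k in range(3)]
)


def _parse_line(line):
    """Return (seconds, {FIELD: value}, is_syn) for a LOG-target line, or None."""
    match = re.match(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)", line)
    if not match or "kernel:" not in line:
        return None
    stamp = datetime.strptime(match.group(1), "%b %d %H:%M:%S")   # syslog stamp has no year
    seconds = stamp.timetuple().tm_yday * 86400 + stamp.hour * 3600 + stamp.minute * 60 + stamp.second
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return seconds, fields, " SYN " in line   # TCP flags are bare tokens, not KEY=value


def _max_distinct_in_window(events, window):
    """Largest number of distinct values seen within any `window` seconds; events are (t, value)."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        best = max(best, len({value for t, value in events[i:] if t - start <= window}))
    return best


def detect_scans(log_text, window=60, sweep_hosts=5, scan_ports=8):
    """Return alerts for sources that sweep >= sweep_hosts hosts or probe >= scan_ports ports."""
    echo_by_src = defaultdict(list)      # src -> [(t, dst)]
    syn_by_pair = defaultdict(list)      # (src, dst) -> [(t, dport)]
    for line in log_text.splitlines():
        parsed = _parse_line(line)
        if parsed is None:
            continue
        t, kv, is_syn = parsed
        if "SRC" not in kv or "DST" not in kv:
            continue
        if kv.get("PROTO") == "ICMP" and kv.get("TYPE") == "8":
            echo_by_src[kv["SRC"]].append((t, kv["DST"]))
        elif kv.get("PROTO") == "TCP" and is_syn and "DPT" in kv:
            syn_by_pair[(kv["SRC"], kv["DST"])].append((t, int(kv["DPT"])))

    alerts = []
    for src, events in echo_by_src.items():
        hosts = _max_distinct_in_window(events, window)
        if hosts >= sweep_hosts:
            alerts.append({"type": "ping sweep", "src": src, "dst": None, "count": hosts})
    for (src, dst), events in syn_by_pair.items():
        ports = _max_distinct_in_window(events, window)
        if ports >= scan_ports:
            alerts.append({"type": "port scan", "src": src, "dst": dst, "count": ports})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The window matters as much as the thresholds: the same ten SYNs spread over an hour fall below the per-minute count, which is exactly why slow scans are harder to catch and why an IDS keeps per-source state across a longer period than a single log line.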
More in Scanning
• OS detection (stack fingerprinting):
– probe the TCP/IP stack, because its behaviour varies between OSs. Requires at least one listening port to make the determination. See textbook (pages 62-63) for the types of probe.
– why is it important? There are hacker tools specific to an OS or network device. In Linux/UNIX use nmap with -O. You can use the Netcraft site to check the OS of a host running a Web server.
– countermeasures: standards, filtering requests at the firewall.
• OS detection (passive signatures):
– by monitoring the traffic, the operating system can be detected, among other things. Siphon is a recent Linux/UNIX tool.
– Once the OS is identified, enumeration can take place (to be seen in the next class meeting).
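Passive signatures work because each stack fills in the first SYN of a connection slightly differently: the initial TTL it starts from, the window size it advertises, whether it sets the DF bit, and the order of its TCP options. The code below is an added example (not from the slides, and not Siphon's or any real tool's database): it combines those four observations into a score against a small constructed signature table. The signature values are typical ones chosen for illustration, and the hop-distance estimate assumes the sender started from one of the common initial TTLs.

```python
"""Passive OS fingerprinting from the attributes of an observed TCP SYN.

Added example, not from the slides and not a real tool's code: the signature
table is a small constructed set of typical values, kept only to show how
TTL, window size, DF bit and option ordering are combined into a verdict.
"""
from dataclasses import dataclass

INITIAL_TTLS = (32, 64, 128, 255)   # initial TTL values commonly used by IP stacks


@dataclass(frozen=True)
class SynObservation:
    ttl: int          # TTL as seen at the sensor (decremented once per hop)
    window: int       # TCP window advertised in the SYN
    df: bool          # IP "Don't Fragment" bit
    options: tuple    # TCP option kinds in the order they appear


# Constructed, illustrative signatures (not a vendor database).
SIGNATURES = (
    {"os": "Linux 2.6", "initial_ttl": 64, "window": 5840, "df": True,
     "options": ("mss", "sackOK", "ts", "nop", "ws")},
    {"os": "Windows 7 / Server 2008 R2", "initial_ttl": 128, "window": 8192, "df": True,
     "options": ("mss", "nop", "ws", "nop", "nop", "sackOK")},
    {"os": "FreeBSD", "initial_ttl": 64, "window": 65535, "df": True,
     "options": ("mss", "nop", "ws", "sackOK", "ts")},
)


def estimate_initial_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    raise ValueError("TTL out of range")


def score(obs, sig):
    """Weighted agreement between an observation and a signature (maximum 5)."""
    points = 0
    points += estimate_initial_ttl(obs.ttl) == sig["initial_ttl"]
    points += obs.window == sig["window"]
    points += obs.df == sig["df"]
    points += 2 * (obs.options == sig["options"])   # option layout is the strongest single signal
    return points


def fingerprint(obs, min_score=3):
    """Best-matching OS, its score, and the estimated hop distance of the sender."""
    initial = estimate_initial_ttl(obs.ttl)
    best = max(SIGNATURES, key=lambda sig: score(obs, sig))
    best_score = score(obs, best)
    return {
        "os": best["os"] if best_score >= min_score else "unknown",
        "score": best_score,
        "hops": initial - obs.ttl,   # how many routers decremented the TTL before the sensor
    }


if __name__ == "__main__":
    # Constructed observation: a SYN that arrived with TTL 52 and Linux-style options.
    print(fingerprint(SynObservation(52, 5840, True, ("mss", "sackOK", "ts", "nop", "ws"))))
```

The point the table makes is that TTL alone is ambiguous (Linux and FreeBSD both start at 64); the window size and option order are what separate them, which is also why a single mismatched field should lower confidence rather than rule a system out. Defenders use the same passive technique on their own traffic to keep an inventory of what is really on the network without sending a single probe.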