Transcript document

Network Security
Footprinting / Packet Sniffing
Footprinting
Definition: the gathering of information about a
potential target system or network, normally done before
any attack is attempted

Closely related to fingerprinting (identifying the OS or
service versions running on a host); the two terms are
often used interchangeably
Attacker’s point of view


Identify potential target systems
Identify which types of attacks may be useful on
target systems
Defender’s point of view



Know the tools an attacker has available
Recognize when a system is being footprinted, and be
better prepared for the attack that may follow
Vulnerability analysis: know what information you’re
giving away and what weaknesses you have
Information to Gather
System (Local or Remote)


IP Address, Name and Domain
Operating System
Type (Windows, Linux, Solaris)
Version (98/NT/2000, Red Hat 7/8/9, Fedora, SuSE)




Usernames
File structure
Open Ports (what services/programs are running on
the system)
Physical Proximity/Location
Information to Gather (2)
Networks / Enterprises


System information for all hosts
Network topology
Gateways
Firewalls
Overall topology


Network traffic information
Specialized servers
Web, Database, FTP, Email, etc.
Defender Perspective
Identify information you’re giving away
Identify weaknesses in systems/network
Know when systems or the network are being probed
Identify the source of the probe
Develop awareness of the threat
Construct an audit trail of the activity
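The last three points (know when you are probed, identify the source, keep an audit trail) can be put into working form with a small detector over firewall logs. The example below is added here and is not part of the original slides: it parses constructed netfilter-style LOG lines (documentation addresses only, syslog prefix trimmed) and flags a source that pings many hosts (ping sweep) or touches many ports on one host (port probe), keeping first/last-seen times per source for the audit trail. The log prefix "PROBE:", the thresholds and the addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG lines, as a border firewall would write them to
# syslog (documentation address ranges; not real traffic, fields trimmed).
SAMPLE_LOG = """\
Feb  5 15:40:01 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.33 PROTO=ICMP TYPE=8 CODE=0
Feb  5 15:40:01 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.34 PROTO=ICMP TYPE=8 CODE=0
Feb  5 15:40:01 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.35 PROTO=ICMP TYPE=8 CODE=0
Feb  5 15:40:02 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.36 PROTO=ICMP TYPE=8 CODE=0
Feb  5 15:41:10 gw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.33 PROTO=TCP SPT=51000 DPT=21 SYN
Feb  5 15:41:10 gw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.33 PROTO=TCP SPT=51001 DPT=22 SYN
Feb  5 15:41:10 gw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.33 PROTO=TCP SPT=51002 DPT=79 SYN
Feb  5 15:41:11 gw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.33 PROTO=TCP SPT=51003 DPT=80 SYN
Feb  5 15:41:11 gw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.33 PROTO=TCP SPT=51004 DPT=443 SYN
Feb  5 15:41:11 gw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.33 PROTO=UDP SPT=51005 DPT=53
Feb  5 15:42:30 gw kernel: PROBE: IN=eth0 OUT= SRC=137.28.9.1 DST=192.0.2.33 PROTO=TCP SPT=40000 DPT=22 SYN
"""

KV_RE = re.compile(r"(\w+)=(\S*)")                       # KEY=value tokens of a LOG line
TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")    # syslog timestamp at line start


def parse_log_line(line):
    """Return (timestamp, {field: value}) for a netfilter LOG line, else None."""
    m = TS_RE.match(line)
    fields = dict(KV_RE.findall(line))
    if not m or "SRC" not in fields or "DST" not in fields:
        return None
    return m.group(1), fields


def detect_probes(log_text, sweep_hosts=3, scan_ports=5):
    """Flag ping sweeps and port probes; thresholds are assumptions for the example."""
    echo_targets = defaultdict(set)   # SRC -> hosts it sent ICMP echo requests to
    port_targets = defaultdict(set)   # (SRC, DST) -> (proto, port) pairs it touched
    seen = {}                         # SRC -> [first_seen, last_seen] for the audit trail
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        src, dst, proto = f["SRC"], f["DST"], f.get("PROTO")
        seen.setdefault(src, [ts, ts])[1] = ts
        if proto == "ICMP" and f.get("TYPE") == "8":        # echo request
            echo_targets[src].add(dst)
        elif proto in ("TCP", "UDP") and "DPT" in f:
            port_targets[(src, dst)].add((proto, int(f["DPT"])))

    findings = []
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_hosts:
            findings.append({"source": src, "kind": "ping sweep", "targets": sorted(hosts),
                             "first_seen": seen[src][0], "last_seen": seen[src][1]})
    for (src, dst), ports in port_targets.items():
        if len(ports) >= scan_ports:
            findings.append({"source": src, "kind": "port probe", "target": dst,
                             "ports": sorted(p for _, p in ports),
                             "first_seen": seen[src][0], "last_seen": seen[src][1]})
    return findings


if __name__ == "__main__":
    for finding in detect_probes(SAMPLE_LOG):
        print(finding)
```

The single connection from 137.28.9.1 is not reported: one SYN to one port is normal traffic, and the point of the counts is to separate a probe from a user. A production detector would also bound the counts by a time window so that a slow scan spread over hours is still caught and a busy legitimate client is not.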
Tools - Linux
Linux tools - lower level utilities

Local System
hostname
ifconfig
who, last

Remote Systems
ping
traceroute
finger (also local system)
nslookup, dig
whois
arp, netstat (also local system)

Other tools
lsof
Tools – Linux (2)
Other utilities


ethereal (packet sniffing; renamed Wireshark in 2006)
nmap (port scanning) - more later
Tools - Windows
Windows

Sam Spade (collected tools)
ethereal (packet sniffer; now Wireshark)
Command line tools
ipconfig, hostname, nslookup, tracert, netstat, arp

Many others…
hostname
Determine name of current system
Usage: hostname
E.g. hostname
localhost.localdomain      // default when no name has been configured
E.g. hostname
clics.cs.uwec.edu
ifconfig
Configure network interface
Run without arguments it shows each interface’s current IP
address and hardware (MAC) address on the host system
Usage: ifconfig
E.g. ifconfig            // command alone: display status
eth0   Link encap:Ethernet  HWaddr 00:0C:29:CD:F6:D3
       inet addr:192.168.172.128 . . .
lo     Link encap:Local Loopback
       inet addr:127.0.0.1
       ...
The first three bytes of the MAC address (the OUI) name the
NIC vendor; 00:0C:29 is VMware, so this output also reveals
that the host is a virtual machine
On current Linux, ifconfig is obsolete; ip addr shows the
same information

who
Basic tool to show users currently logged in on this
system (read from utmp)
Useful for identifying unusual activity (e.g.
activity by newly created accounts or
inactive accounts)
Usage: who
E.g. who
root     tty1    Jan 9 12:46
paul     tty2    Jan 9 12:52

last
Show the most recent logins on the system, read from the
wtmp log

Default: every entry since the log file was last rotated
-N: only the last N entries
Useful for identifying unusual activity in the recent past
(remote logins from unexpected hosts, dormant accounts)
Usage: last [-N]
E.g. last -3
wagnerpj pts/1  137.28.253.254    Sat Feb 5 15:40   still logged in
flinstf  pts/0  137.28.191.74     Sat Feb 5 15:38   still logged in
rubbleb  pts/0  c48.193.173.92.e  Sat Feb 5 14:38 - 15:25  (00:46)
Note the hostname column is truncated (c48.193.173.92.e);
last -w prints full names
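Scanning `last` output by eye works for three lines; for a month of wtmp it does not. The example below is added here and is not part of the original slides: it parses constructed `last`-style lines (users and addresses invented; the layout copies util-linux `last`) and flags what the slides call unusual activity: a dormant account logging in, a login from outside the site’s own address block, and a login in the early-morning hours. The trusted network 137.28.0.0/16, the dormant-account list and the 06:00 cut-off are assumptions standing in for local policy.

```python
import ipaddress
import re

# Constructed `last` output (not the slide's session list). Columns: user, tty,
# origin host (blank for a console login), then the session times.
SAMPLE_LAST = """\
alice    pts/1        137.28.253.254   Sat Feb  5 15:40   still logged in
bob      pts/0        137.28.191.74    Sat Feb  5 15:38   still logged in
carol    pts/0        203.0.113.92     Sat Feb  5 14:38 - 15:25  (00:46)
guest    pts/2        198.51.100.7     Sat Feb  5 03:12 - 03:40  (00:28)
root     tty1                          Sat Feb  5 12:46   still logged in
reboot   system boot  2.6.9-5.EL       Sat Feb  5 12:40          (03:00)

wtmp begins Sat Feb  5 12:40:01 2005
"""

# Site policy for the example (assumptions): the campus address block, accounts
# that exist but should never log in, and the end of the "off hours" window.
TRUSTED_NETS = [ipaddress.ip_network("137.28.0.0/16")]
DORMANT_ACCOUNTS = {"guest", "oldadmin"}
OFF_HOURS_END = 6

DAYS = "Mon|Tue|Wed|Thu|Fri|Sat|Sun"
# user, tty, optional host, then everything from the weekday onwards
LINE_RE = re.compile(rf"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?((?:{DAYS})\s.*)$")
TIME_RE = re.compile(r"\b(\d{1,2}):(\d{2})\b")
PSEUDO_USERS = {"reboot", "shutdown", "wtmp"}   # pseudo entries and the trailer line


def parse_last(text):
    """Return (user, tty, host_or_None, when) for every real session line."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) in PSEUDO_USERS:
            continue
        sessions.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return sessions


def is_external(host):
    """True for an origin outside every trusted network.

    A hostname (rather than an address) is treated as external as well: `last`
    truncates names, so resolve the real address with dig -x before trusting it.
    """
    if host is None:                  # console login, no network origin
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in TRUSTED_NETS)


def flag_unusual_logins(text):
    """Return (user, host, reason) findings that deserve a closer look."""
    findings = []
    for user, _tty, host, when in parse_last(text):
        if user in DORMANT_ACCOUNTS:
            findings.append((user, host, "dormant account used"))
        if is_external(host):
            findings.append((user, host, "login from outside trusted networks"))
        login_time = TIME_RE.search(when)
        if login_time and int(login_time.group(1)) < OFF_HOURS_END:
            findings.append((user, host, f"off-hours login at {login_time.group(0)}"))
    return findings


if __name__ == "__main__":
    for user, host, reason in flag_unusual_logins(SAMPLE_LAST):
        print(f"{user:10} {host or 'console':18} {reason}")
```

`who` answers "who is on now" from utmp; `last` answers "who has been on" from wtmp, and `lastb` shows failed logins from btmp when the system records them. An attacker who gains root can edit all three files, so the same checks are worth running against a copy of the logs forwarded to another host.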

ping
Potential Uses

Is system online?
A reply shows the host is up and reachable; no reply proves
nothing by itself, since echo requests are often filtered

Gather name information
Through DNS: the name is resolved before the first packet is
sent, and reply lines show the reverse name unless -n is given

Estimate relative network distance
Based on RTT (Round Trip Time) given in summary statistics;
RTT reflects the network path, not geography, so treat it as
a rough indication only

Identify operating system
Based on TTL (packet Time To Live) on each reply line
Every router on the path decrements TTL by one, so the value
seen is the sender’s initial TTL minus the hop count
64 is the Linux/BSD default, 128 the Windows default, and 255
is used by Solaris and many network devices (but all can be
changed!)
A reply with ttl=52 therefore suggests a 64-TTL host about
12 hops away
Notes

Uses ICMP echo request/reply packets
Often blocked on many hosts and at firewalls
Usage: ping system
E.g. ping ftp.redhat.com
E.g. ping localhost
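The TTL and RTT reasoning above is easy to get wrong by hand (the observed TTL is not the OS default, it is the default minus the hops). The example below is added here and is not part of the original slides: it parses constructed ping output in Linux iputils format (documentation address 192.0.2.10, not a real host), guesses the sender’s initial TTL from the nearest common default, derives the hop count, and summarizes RTT. The table of initial TTLs holds vendor defaults and is an assumption in the sense the slide warns about: any of them can be changed.

```python
import re
import statistics

# Common initial TTL values and the stacks that use them (vendor defaults;
# an administrator can set any value, so the result is a hint, not proof).
INITIAL_TTLS = [
    (64, "Linux/BSD/macOS"),
    (128, "Windows"),
    (255, "Solaris or network device"),
]

# Constructed ping output (iputils format). Each reply line carries the
# observed TTL and the RTT; a timed-out probe prints no line at all.
SAMPLE_PING = """\
PING target.example.com (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=52 time=31.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=52 time=30.8 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=52 time=33.1 ms

--- target.example.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 30.8/31.7/33.1/0.9 ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+)\s+ttl=(\d+)\s+time=([\d.]+)\s*ms")


def parse_ping_output(text):
    """One (seq, ttl, rtt_ms) tuple per echo-reply line."""
    return [(int(s), int(t), float(r)) for s, t, r in REPLY_RE.findall(text)]


def guess_initial_ttl(observed_ttl):
    """Smallest common initial TTL >= the observed value.

    Each router decrements TTL by one, so initial - observed is the number of
    hops between us and the target. Returns (initial_ttl, os_family, hops).
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL is an 8-bit field")
    for initial, family in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, family, initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def summarize(text):
    """Reduce raw ping output to the facts the slide lists: up?, OS hint, distance."""
    replies = parse_ping_output(text)
    if not replies:
        # No reply proves nothing: echo requests are commonly filtered.
        return {"online": None, "replies": 0}
    ttls = sorted({ttl for _, ttl, _ in replies})
    rtts = [rtt for _, _, rtt in replies]
    initial, family, hops = guess_initial_ttl(max(ttls))
    return {
        "online": True,
        "replies": len(replies),
        "ttl_values": ttls,            # more than one value means the path is changing
        "initial_ttl": initial,
        "os_guess": family,
        "estimated_hops": hops,        # cross-check against a traceroute to the host
        "rtt_avg_ms": round(statistics.mean(rtts), 1),
        "rtt_max_ms": max(rtts),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PING).items():
        print(f"{key:15} {value}")
```

An observed TTL of 116 is read the same way as 52: the next default above it is 128, so the guess is a Windows host 12 hops away. The hop estimate is the part worth verifying, because a traceroute that shows a different count means the target’s initial TTL is not one of the defaults and the OS guess is wrong too.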
traceroute
Potential Uses

Estimate the physical location of a machine from the router
names along the path (e.g. “chi” in a router name usually
means Chicago)
Gather network information (gateway, other internal
systems)
Find the hop that stops answering – evidence of a firewall
or filtering router
Notes

Each probe is sent with an increasing TTL; the ICMP “time
exceeded” reply from the router that discards it identifies
that hop
Linux traceroute sends UDP probes to high ports by default
(-I switches to ICMP echo); Windows tracert uses ICMP echo
Results often limited by firewalls: “* * *” means no reply
within the timeout for that hop
Usage: traceroute system
E.g. traceroute cs.umn.edu
traceroute example
[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
<ctrl-c>
[wagnerpj@data ~]$
traceroute example - success
H:\>tracert www.google.com
Tracing route to www.google.akadns.net [64.233.167.99] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
 10    16 ms    16 ms    18 ms  216.239.46.10
 11    21 ms    19 ms    17 ms  64.233.175.30
 12    18 ms    16 ms    16 ms  64.233.167.99
Trace complete.
Note what the path gives away: the campus gateway, the ISP
(wiscnet), the transit carriers (qwest, opentransit) and the
city of the exchange point (Chicago)
finger
Potential Uses

Collect usernames, real names, login shells and home
directories
Determine if user is currently logged in, and from where
Notes

Often blocked; the finger daemon (TCP port 79) is rarely
enabled today, so remote queries usually time out or are
refused
Usage: finger localuser or finger @system or finger
remoteuser@system
E.g. finger wagnerpj (user on local system)
E.g. finger @cs.umn.edu (all logged-in users on remote system)
E.g. finger remoteuser@cs.umn.edu (one user on remote system)
whois
Potential Uses

Queries nicname/whois servers for Internet registration
information (domains, and via the regional registries, IP
address blocks)
Can gather contacts, names, geographic information, name
servers, … - useful for social engineering attacks
Notes

Registrant contact details are frequently redacted or
replaced by a privacy service today, so expect less than
the example below shows
Usage: whois domain
e.g. whois netcom.com
whois example - basic
Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
[e-mail address]
Name Servers:
TOMATO.UWEC.EDU    137.28.1.17
LETTUCE.UWEC.EDU   137.28.1.18
BACON.UWEC.EDU     137.28.5.194
whois example - wildcards
whois uw%.edu
Your search has matched multiple domains.
Below are the domains you matched (up to 100). For specific
information on one of these domains, please search on that
domain.
UW.EDU
UWA.EDU
UWB.EDU
UWC.EDU
UWEC.EDU
UWEST.EDU
UWEX.EDU
...
nslookup
Potential Uses

Query internet name servers
Find name for IP address, and vice versa
Notes

Long marked deprecated in BIND in favour of dig, but still
shipped on Linux and still the native tool on Windows
Sometimes useful when dig is not installed
Usage

nslookup xxxxxxx        // name or IP addr.
E.g. nslookup data.cs.uwec.edu
E.g. dig data.cs.uwec.edu
dig
Potential Uses

Domain Name Service (DNS) lookup utility
Associate name with IP address and vice versa; also lists a
domain’s name servers (NS), mail servers (MX) and other
record types
Notes

Many command options
General usage: dig <somehost> [record type]; a reverse
lookup needs -x
E.g. dig data.cs.uwec.edu
E.g. dig -x 137.28.109.33    // reverse lookup; a bare
“dig 137.28.109.33” would ask for an A record of that
string and return nothing useful
E.g. dig uwec.edu NS
arp
Shows the ARP cache: the IP-to-MAC mappings of hosts on
the local network segment that this system has recently
talked to
Possible uses

Find adjacent systems, and their NIC vendors from the MAC
prefix
Notes

arp        // display with names resolved
arp -n     // display numeric addresses (faster, no DNS)
On current Linux, ip neigh shows the same table
netstat
Shows connections, routing information,
statistics
Possible uses

find adjacent machines, used ports, and which program
owns each socket
Notes

Many flags
netstat        // open sockets, etc.
netstat -s     // summary statistics
netstat -r     // routing tables
netstat -p     // program (PID/name) owning each socket; root
               // is needed to see other users’ processes
netstat -l     // listening sockets
Flags combine: netstat -tulpn lists TCP and UDP listeners
numerically with their owning process
On current Linux, ss replaces netstat (e.g. ss -tulpn)
lsof
Lists open files on your system; sockets count as files,
so lsof -i lists every network connection and listening
port together with its process
Useful to see what processes are working
with what files, possibly identify tampering
Usage: lsof
E.g. lsof -i
Windows Tools
Sam Spade

“swiss army knife” of footprinting
Has most of the Linux tools (ping, traceroute, whois,
dig, finger, …)
Plus other functionality
Windows freeware from the early 2000s; no longer
developed, but still illustrates the tool set
Usage

Start application
Fill in name or IP address
Choose option desired in menus
Packet Sniffers
Definition: Hardware or software that can capture and
display network traffic packet information
Usage

Network traffic analysis (and, for an attacker, harvesting
credentials and content sent in the clear)
Example packet sniffers

tcpdump (command line; Linux, BSD, macOS)
ethereal (Linux, Windows – open source; now Wireshark)
others…
Limitations – Packet Sniffing
Packet sniffers only catch what they can
see

Users attached to hub – can see everything on the segment
Users attached to switch – can see own traffic only, plus
broadcasts such as ARP; seeing other hosts’ traffic needs
a mirror/SPAN port, a tap, or an active attack such as ARP
spoofing (see Hunt below)
Need to be able to put NIC in
“promiscuous” mode to be able to process
all traffic, not just traffic for/from itself

NIC and driver must support it
Need privilege (e.g. root in Linux)
OSI Network Model
Layer 7 – Application (incl. app. content: HTTP, FTP, …)
Layer 6 – Presentation
Layer 5 – Session
Layer 4 – Transport (TCP/UDP, incl. ports)
Layer 3 – Network (IP, incl. source/dest address, TTL,
protocol number)
Layer 2 – Data Link (Ethernet, incl. MAC addresses)
Layer 1 – Physical
ethereal
Started by Gerald Combs in 1997 as a tool to examine
network problems
Various contributors added packet dissectors, fixes,
upgrades; first released 1998
Renamed Wireshark in 2006; development continues under
that name
Reads capture files written by other tools (tcpdump/libpcap
and many others)
Information: http://www.ethereal.com (the project now lives
at http://www.wireshark.org)
Demonstration
Using ethereal
# ethereal        // as root, so the NIC can be put in promiscuous mode
Capture/Start/OK
Capture window shows accumulated totals for
different types of packets
Stop – packets now displayed
Top window – packet summary

Can sort by column – source, destination, protocol
are useful
Middle window – packet breakdown

Click on + icons for detail at each packet level
(layer 2, 3, 4, 7)
Bottom window – packet content (raw bytes, hex and ASCII)
Ethereal capture analysis
Can save a session to a capture file
Can reopen file later for further analysis
Open capture file (disable network name
resolution for faster opening and “reset” the
filter):

Linux: /usr/local/Support/CLICScapture.cap
Windows: C:\Support\CLICScapture.cap
Identify and follow different TCP streams

Select TCP packet, Tools/Follow TCP Stream
CLICScapture.cap has http, https, ftp, ssh
Any interesting information out there? ftp and http carry
usernames, passwords and content in cleartext; the https
and ssh streams show a handshake and then only encrypted
bytes
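The layer breakdown in ethereal’s middle pane (the OSI layers listed earlier), the Follow TCP Stream function and the question of what an FTP session leaks can all be shown with a few dozen lines of code. The example below is added here and is not ethereal’s code or the slides’ CLICScapture.cap: it builds a constructed libpcap capture in memory (one cleartext FTP login plus one packet of opaque ssh data), then parses the pcap format, dissects each frame into layer 2/3/4/7 fields, regroups payloads per connection in both directions, and pulls the USER/PASS pair out of the FTP stream. The client MAC and IP come from the slides’ ifconfig output; the server address, MAC, ports, usernames and password are invented for the example, and checksums are left zero because nothing is transmitted.

```python
import struct

# --- constructed capture (NOT the slides' CLICScapture.cap) ---

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload, ttl=64):
    """Ethernet II + IPv4 + TCP (PSH|ACK) frame; checksums stay zero, never sent."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1107620400 + i, 0, len(frame), len(frame)) + frame
    return out

C_MAC, S_MAC = "00:0c:29:cd:f6:d3", "00:11:22:33:44:55"   # client from slides, server assumed
C_IP, S_IP = "192.168.172.128", "192.0.2.21"
SAMPLE_FRAMES = [
    build_frame(S_MAC, C_MAC, S_IP, C_IP, 21, 40123, 1000, b"220 ftp.example.com FTP server ready\r\n"),
    build_frame(C_MAC, S_MAC, C_IP, S_IP, 40123, 21, 2000, b"USER paul\r\n"),
    build_frame(S_MAC, C_MAC, S_IP, C_IP, 21, 40123, 1038, b"331 Password required for paul\r\n"),
    build_frame(C_MAC, S_MAC, C_IP, S_IP, 40123, 21, 2011, b"PASS s3cret!\r\n"),
    build_frame(S_MAC, C_MAC, S_IP, C_IP, 21, 40123, 1069, b"230 User paul logged in\r\n"),
    build_frame(C_MAC, S_MAC, C_IP, S_IP, 40124, 22, 3000, bytes(range(0x80, 0xA0))),  # ssh: opaque
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

# --- dissection, the way ethereal's middle pane splits a packet into layers ---

def parse_pcap(data):
    """Return the raw frames of a classic pcap file (either byte order)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames

def dissect(frame):
    """Layer 2 MACs, layer 3 addresses/TTL/protocol, layer 4 ports/flags, layer 7 payload."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    pkt = {"l2": {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
                  "ethertype": struct.unpack("!H", frame[12:14])[0]}}
    if pkt["l2"]["ethertype"] != 0x0800:        # ARP, IPv6, ...: stop at layer 2
        return pkt
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    pkt["l3"] = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
                 "ttl": frame[22], "proto": frame[23]}
    if pkt["l3"]["proto"] != 6:                 # UDP/ICMP are not dissected in this example
        return pkt
    t = 14 + ihl
    sport, dport, seq, _ack, off_res, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
    pkt["l4"] = {"sport": sport, "dport": dport, "seq": seq, "flags": flags}
    pkt["l7"] = frame[t + (off_res >> 4) * 4:14 + total_len]
    return pkt

def follow_tcp_streams(frames):
    """Group payloads per connection, both directions together, like Follow TCP Stream."""
    streams = {}
    for p in map(dissect, frames):
        if not p.get("l7"):
            continue
        src = (p["l3"]["src"], p["l4"]["sport"])
        dst = (p["l3"]["dst"], p["l4"]["dport"])
        streams.setdefault(tuple(sorted((src, dst))), []).append((src, p["l7"]))
    return streams

def find_cleartext_logins(streams):
    """FTP sends USER/PASS in the clear; the ssh stream contributes nothing."""
    found = []
    for key, chunks in streams.items():
        server = next((host for host, port in key if port == 21), None)
        if server is None:
            continue
        user = password = None
        for _, payload in chunks:
            for line in payload.decode("ascii", "replace").splitlines():
                if line.startswith("USER "):
                    user = line[5:].strip()
                elif line.startswith("PASS "):
                    password = line[5:].strip()
        if user and password:
            found.append((server, user, password))
    return found

if __name__ == "__main__":
    for server, user, pw in find_cleartext_logins(follow_tcp_streams(parse_pcap(SAMPLE_PCAP))):
        print(f"ftp login to {server}: {user} / {pw}")
```

The same grouping applied to the ssh stream returns only the opaque bytes, which is the whole argument for ssh and https over ftp and http: the sniffer still sees who talked to whom on which ports (layers 2 to 4), but not what they said.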
Related Tools
Hunt

TCP sniffer
Watch and reset connections
Hijack sessions
Spoof MAC (ARP spoofing, so traffic between other hosts on
a switched network passes through the attacker)
Spoof DNS
Related Tool
EtherPEG – image capture on network

http://www.etherpeg.com
Demonstration

See http://www.menshevik.com/showme on
windows
Summary
Basic tools can generate much
information
Remember principle of accumulating
information

Attacker will build on smaller pieces to get
bigger pieces
Moral: don’t give away information if you
can avoid it