Routing - IST Akprind Yogyakarta
Footprinting Scanning
Enumeration
Isbat Uzzin Nadhori
Informatical Engineering PENS-ITS
1
Intelligence Gathering Techniques
3 Major Steps
Foot Printing
Scanning
Enumeration
Similar to Military
Gather information on the target
Analyze weaknesses
Construct and launch attack
2
Googling your way to insecurity
intitle:"welcome to IIS 4.0" returns a list of Windows IIS 4.0 servers, which have had security
vulnerabilities and are usually easy pickings for an attacker
"VNC Desktop" inurl:5800 finds VNC servers that allow remote users to connect to and control a
user's desktop
filetype:pwd service returns links that reveal several usernames and passwords
3
Gathering Process Overview
You can’t attack what you don’t know
4
Hacking Step
5
Hacking Step …
6
Gathering Process overview
Hosts
Ports
Services
Vulnerabilities
7
Footprinting
8
Footprinting
Footprinting is the ability to obtain essential information about an
organization. Commonly called network reconnaissance.
The information gathered includes:
– The technologies that are being used, such as Internet, intranet, remote access and the extranet
– The security policies and procedures
– Taking an unknown quantity and reducing it to a specific range of domain names, network blocks
and individual IP addresses of systems that are directly connected to the Internet
This is done by employing various computer security techniques, such as:
• DNS queries (nslookup, dig, zone transfer)
• Network enumeration
• Network queries
• Operating system identification
• Organizational queries
• Ping sweeps
• Point of contact queries
• Port scanning
• Registrar queries (WHOIS queries)
• SNMP queries
• World Wide Web spidering
When used in the computer security lexicon, "footprinting" generally refers to
one of the pre-attack phases: tasks performed prior to the actual attack.
Some of the tools used for footprinting are Sam Spade, nslookup, traceroute,
Nmap and NeoTrace.
9
Footprinting Steps
1. Determine the scope of your activities
2. Get proper authorization
3. Publicly available information
4. Whois and DNS enumeration
5. DNS interrogation
6. Network reconnaissance
10
DNS Query
11
Network Query Tools
* Ping
* NSlookup
* Whois
* IP block search
* Dig
* Traceroute
* Finger
* SMTP VRFY
* Web browser keep-alive
* DNS zone transfer
* SMTP relay check
* Usenet cancel check
* Website download
* Website search
* Email header analysis
* Email blacklist
* Query Abuse address
12
Information to Gather
Attacker’s point of view
Identify potential target systems
Identify which types of attacks may be useful on target systems
Defender’s point of view
Know available tools
May be able to tell if system is being footprinted, be more prepared for
possible attack
Vulnerability analysis: know what information you’re giving away, what
weaknesses you have
13
OS Identification
14
Point of Contact
15
Tools - Linux
Some basic Linux tools - lower level utilities
Local System
hostname
ifconfig
who, last
Remote Systems
ping
traceroute
nslookup, dig
whois
arp, netstat (also local system)
Other tools
lsof
16
Tools – Linux (2)
Other utilities
wireshark (packet sniffing)
nmap (port scanning) - more later
Ubuntu Linux
Go to System / Administration / Network Tools – get
interface to collection of tools: ping, netstat, traceroute,
port scan, nslookup, finger, whois
17
Tools - Windows
Windows
Sam Spade (collected network tools)
Wireshark (packet sniffer)
Command line tools
ipconfig
Many others…
18
Traceroute
# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
 1  fw-gw (209.197.192.1)  0.978 ms  0.886 ms
 2  s1-0-1-access (209.197.224.69)
 3  dallas.tx.core1.fastlane.net (209.197.224.1)
 4  atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217)
 5  Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53)
 6  103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38)
 7  152.63.96.85 (152.63.96.85)
 8  dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153)
 9  dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101)  44.951 ms  241.358 ms  248.838 ms
10  swbell-net.demarc.swbell.net (206.181.125.10)
11  ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137)  25.299 ms  11.295 ms  23.958 ms
12  target-company-818777.cust-rtr.swbell.net (151.164.x.xxx)  52.104 ms  24.306 ms
13  ns1.target-company.com (xxx.xx.xx.xx)  23.812 ms  24.383 ms  27.489 ms
[the remaining per-hop round-trip times were scattered in the transcript and are not reproduced]
19
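The network-mapping slides that follow read this listing by hand: each change of DNS domain along the path marks a new organisation, and the last hop that answers marks where filtering begins (what the Firewalking slides later call the waypoint). As an added example, not from the original deck, here is the same reading done programmatically; the sample output is constructed from the slide's hostnames with placeholder IPs and RTTs and an added timed-out hop.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the slide's listing: hostnames follow the slide, the
# x'd-out IPs are RFC 5737 placeholders, RTTs are made up, and a timed-out hop is added.
SAMPLE = """\
traceroute to ns1.target-company.com (198.51.100.10), 30 hops max, 40 byte packets
 1  fw-gw (209.197.192.1)  0.978 ms  0.886 ms  0.875 ms
 2  dallas.tx.core1.fastlane.net (209.197.224.1)  4.622 ms  9.439 ms  6.564 ms
 3  Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53)  3.977 ms  5.639 ms  6.595 ms
 4  152.63.96.85 (152.63.96.85)  11.669 ms  6.681 ms  7.371 ms
 5  dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153)  6.732 ms  25.369 ms  13.289 ms
 6  ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137)  25.299 ms  11.295 ms  23.958 ms
 7  target-company-818777.cust-rtr.swbell.net (203.0.113.1)  52.104 ms  24.306 ms  27.618 ms
 8  * * *
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)((?:\s+[\d.]+\s+ms)*)\s*$")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*(?:\s+\*)*\s*$")

def parse_traceroute(text: str) -> List[Dict]:
    """One record per hop; a hop that never answered keeps host and ip as None."""
    hops: List[Dict] = []
    for line in text.splitlines():
        if m := HOP_RE.match(line):
            hop, host, ip, rtt_blob = m.groups()
            rtts = [float(v) for v in re.findall(r"([\d.]+)\s+ms", rtt_blob)]
            hops.append({"hop": int(hop), "host": host, "ip": ip, "rtts": rtts})
        elif m := TIMEOUT_RE.match(line):
            hops.append({"hop": int(m.group(1)), "host": None, "ip": None, "rtts": []})
    return hops

def owner_domain(host: Optional[str]) -> Optional[str]:
    """Last two DNS labels ('alter.net'); None for bare IPs or unqualified names."""
    if not host or "." not in host or host.replace(".", "").isdigit():
        return None
    return ".".join(host.lower().split(".")[-2:])

def provider_transitions(hops: List[Dict]) -> List[Tuple[int, str]]:
    """Hops where the path enters a new organisation's DNS domain: the network map."""
    out: List[Tuple[int, str]] = []
    for h in hops:
        d = owner_domain(h["host"])
        if d and (not out or d != out[-1][1]):
            out.append((h["hop"], d))
    return out

def last_responding_hop(hops: List[Dict]) -> Optional[int]:
    """Last hop that answered, i.e. the last gateway seen before filtering begins."""
    answered = [h["hop"] for h in hops if h["ip"] is not None]
    return answered[-1] if answered else None
```

Run against your own edge from the outside to see exactly which provider boundary and which last-answering gateway an outsider can read off your path.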
Traceroute - Network Mapping
[Diagram built up across slides 20-26 from the traceroute above: Internet routers (cw, swb), Firewall, VPN, DMZ (www, ftp), Hosts Inside (NT, Linux, Sun)]
Devices and addresses labelled on the final slide:
– Network devices: Cisco 7206 (204.70.xxx.xxx), Nortel CVX1800 (151.164.x.xxx), Checkpoint Firewall-1, Nortel VPN (xxx.xx.22.7), IDS?
– Host operating systems: Solaris 2.7 (xxx.xx.49.17), AIX 4.2.1 (xxx.xx.48.1), Linux 2.0.38 (xxx.xx.48.2); hosts inside labelled NT, Linux, Sun
26
Whois
Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
[email protected]
Name Servers:
TOMATO.UWEC.EDU
137.28.1.17
LETTUCE.UWEC.EDU
137.28.1.18
BACON.UWEC.EDU
137.28.5.194
27
Scanning
[determining if the system is alive]
28
Introduction
Scanning can be compared to a thief checking all the doors and
windows of a house he wants to break into.
Scanning is the art of detecting which systems are alive and
reachable via the Internet and what services they offer, using
techniques such as ping sweeps, port scans and operating
system identification.
The kind of information collected here has to do with the
following:
1) TCP/UDP services running on each system identified
2) System architecture (Sparc, Alpha, x86)
3) Specific IP addresses of systems reachable via the Internet
4) Operating system type
29
Ping Sweeps
A ping sweep is a method that can establish which IP addresses in a
range map to live hosts.
ICMP Sweeps (ICMP ECHO requests)
Broadcast ICMP
Non Echo ICMP
TCP Sweeps
UDP Sweeps
30
PING SWEEPS
ICMP SWEEPS
Intruder to target: ICMP ECHO request
Target to intruder: ICMP ECHO reply (target alive)
Querying multiple hosts – a ping sweep is fairly slow
Examples
UNIX – fping and gping
WINDOWS – Pinger
31
Broadcast ICMP
Intruder to network (broadcast address): ICMP ECHO request
Each answering host to intruder: ICMP ECHO reply
Can distinguish between UNIX and WINDOWS machines:
UNIX machines answer requests directed to the network
address.
WINDOWS machines will ignore it.
32
PING SWEEPS
NON – ECHO ICMP
Example ICMP Type 13 – (Time Stamp)
Originate Time Stamp
- The time the sender last touched the message before sending
Receive Time Stamp
- The echoer first touched it on receipt.
Transmit Time Stamp
- The echoer last touched on sending it.
33
PING Sweeps
TCP Sweeps
Client to server: SYN (port number, client ISN)
Server to client: SYN (server ISN) + ACK (client ISN + 1), if the port is active
Client to server: ACK (server ISN + 1)
Server to client: RESET, if the port is not active
When will a RESET be sent?
When the incoming segment's connection identifier does not match an active, listening socket.
Connection identifier = (Destination (IP + port number) & Source (IP + port
number))
34
PING Sweeps
UDP Sweeps
Depends on the ICMP PORT UNREACHABLE message.
Intruder to target system: UDP datagram
Target system to intruder: ICMP PORT UNREACHABLE (if the port is closed)
Unreliable because:
• Routers can drop UDP packets
• UDP services may not respond when correctly probed
• Firewalls are configured to drop UDP
• Relies on the fact that a non-active UDP port will respond
35
PORT SCANNING
Types:
TCP Connect() Scan
TCP SYN Scan (half-open scanning)
Stealth Scan
Explicit Stealth Mapping Techniques
SYN/ACK, FIN, XMAS and NULL
Inverse Mapping
Reset Scans, Domain Query Answers
Proxy Scanning / FTP Bounce Scanning
TCP Reverse Ident Scanning
36
Port Scanning Types
TCP Connect() Scan
Scanner to target: SYN packet
Target to scanner: SYN/ACK (port listening) or RST/ACK (port not listening)
Scanner to target: ACK (completing the handshake)
The connection is terminated after the full connection establishment
process has been completed.
37
Port Scanning Type
TCP SYN Scan (half-open scanning)
Scanner to target: SYN packet
Target to scanner: SYN/ACK (port listening) or RST/ACK (port not listening)
We immediately tear down the connection by sending a RESET instead of completing the handshake.
38
Port Scanning Type
Stealth Scan
A family of scanning techniques that aim to:
Pass through filtering rules.
Avoid being logged by the targeted system's logging mechanism.
Hide themselves within the usual site / network traffic.
The frequently used stealth mapping techniques are:
SYN/ACK scans
FIN scans
XMAS scans
NULL scans
39
PORT Scanning
Techniques:
Random Port scan
Slow Scan
Fragmentation Scanning
Decoy
Coordinated Scans
40
PORT Scanning
"Random" Port Scan
Randomizing the sequence of ports probed may prevent detection.
Slow Scan
Some hackers are very patient and can use network scanners that spread out the
scan over a long period of time. The scan rate can be, for example, as low as 2
packets per day per target site.
Fragmentation Scanning
In the case of TCP, the 8 octets of data (minimum fragment size) are enough to
contain the source and destination port numbers. This forces the TCP flags
field into the second fragment.
Decoy
Some network scanners include options for decoys or spoofed addresses in their
attacks.
Coordinated Scans
If multiple IPs probe a target network, each one probing a certain service on a
certain machine in a different time period, it becomes nearly
impossible to detect these scans.
41
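The techniques on this slide are aimed at one particular defence: the threshold rule that counts how many distinct ports a source touches within a short time window. As an added example, not from the original deck, the code below implements that rule over constructed SYN records and shows why a randomised port order does not defeat it while a slow scan does, and what a windowless per-source baseline costs in return.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Constructed SYN records (timestamp_seconds, source_ip, destination_port) using RFC 5737
# addresses. 198.51.100.7 probes 20 ports in 2 s in random order (a fast scan);
# 203.0.113.9 probes the same 20 ports at one SYN every 12 hours (the slide's slow scan).
PORTS = [25, 80, 22, 443, 139, 21, 3389, 110, 445, 23, 53, 135, 8080, 143, 1433, 111, 161, 389, 993, 5800]
FAST = [(1000.0 + i * 0.1, "198.51.100.7", p) for i, p in enumerate(PORTS)]
SLOW = [(1000.0 + i * 43200.0, "203.0.113.9", p) for i, p in enumerate(PORTS)]
RECORDS = sorted(FAST + SLOW)

def windowed_scan_alerts(records, window: float = 60.0, threshold: int = 10) -> List[Tuple[str, float]]:
    """Alert once per source that touches >= threshold distinct ports within `window`
    seconds. Randomised port order does not help the scanner here, because a set of
    ports is counted rather than a sequence; spreading the probes out in time does."""
    recent: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Tuple[str, float]] = []
    for ts, src, port in records:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:       # slide the window forward
            q.popleft()
        if src not in alerted and len({p for _, p in q}) >= threshold:
            alerted.add(src)
            alerts.append((src, ts))
    return alerts

def long_term_port_counts(records) -> Dict[str, int]:
    """Distinct ports per source with no time window: the per-source baseline that makes
    a two-packets-a-day scan visible, at the cost of unbounded state and more noise."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for _, src, port in records:
        seen[src].add(port)
    return {src: len(ports) for src, ports in seen.items()}
```

Decoy scanning shows up in the same output as several alerting sources for one real scanner, which is why the alert list is per source rather than a single flag.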
Operating System Detection
Banner Grabbing
DNS HINFO Record
TCP/IP Stack Fingerprinting
42
Operating System Detection
43
Operating System Detection
DNS HINFO Record
The host information record is a pair of strings identifying
the host's hardware type and operating system:
www IN HINFO "Sparc Ultra 5" "Solaris 2.6"
One of the oldest techniques
44
Operating System Detection
TCP/IP Fingerprinting
The idea is to send specific TCP packets to the target IP
and observe the responses, which will be unique to a
certain group of operating systems or to an individual one.
Types of probes used to determine the OS type:
The FIN probe, the bogus flag probe, TCP initial
sequence number sampling, Don't Fragment bit, TCP
initial window, ACK value, ICMP error message
quenching, ICMP message quoting, ICMP error
message echoing integrity, type of service,
fragmentation handling, TCP options
45
Firewalking
Gather information about a remote network protected
by a firewall
Purpose
Mapping open ports on a firewall
Mapping a network behind a firewall
If the firewall’s policy is to drop ICMP ECHO Request/Reply
this technique is very effective.
46
How does Firewalking work?
It uses traceroute-like probing to
determine whether or not a particular packet
can pass through a packet-filtering device.
Traceroute depends only on the IP layer (TTL field), so
any transport protocol can be used the same
way (TCP, UDP and ICMP).
47
What does Firewalking need?
The IP address of the last known gateway
before the firewall.
Serves as the WAYPOINT
The IP address of a host located behind the
firewall.
Used as the destination to direct packet flow
48
Getting the Waypoint
If we try to traceroute the machine behind a
firewall and get blocked by an ACL filter that
prohibits the probe, the last gateway that
responded (the firewall itself) can be determined.
The firewall becomes the waypoint.
49
Getting the Destination
Traceroute the same machine with a different
traceroute probe using a different transport protocol.
If we get a response:
That particular traffic is allowed by the firewall.
We know a host behind the firewall.
If we are continuously blocked, then this kind of traffic
is blocked.
Sending packets to every host behind the packet-filtering device can generate an accurate map of a
network's topology.
50
How to identify/avoid threats?
Long-standing rule for Unix system
administrators: turn off any services that
aren't in use
The same goes for personal workstations!
Hackers have access to utilities to scan the servers,
but so do you!
Hackers look for open ports. So we can scan our
servers first, know what the hackers will see, and
close any ports that shouldn't be open.
51
Some tools to help us
Nmap
A utility that scans a particular server and informs
us which ports are open.
Ethereal
A utility that will scan the network and help us
decode what is going on.
We can watch the network traffic and find out if
hackers can see anything that will help them break
into our systems.
52
Enumeration
53
Introduction to Enumeration
Enumeration extracts information about:
–Resources or shares on the network
–User names or groups assigned on the network
–Last time a user logged on
–User's password
Before enumeration, you use port scanning and
footprinting
–To determine the OS being used
Enumeration is an intrusive process
54
NBTscan
NBT (NetBIOS over TCP/IP)
–is the Windows networking protocol
–used for shared folders and printers
NBTscan
–Tool for enumerating Microsoft OSs
55
Null Session Information
A null session is an anonymous connection to a freely
accessible network share called IPC$ on Windows-based servers. It allows immediate read and write
access with Windows NT/2000 and read access
with Windows XP and 2003.
Using these NULL connections allows you to gather the
following information from the host:
–List of users and groups
–List of machines
–List of shares
–User and host SIDs (Security Identifiers)
56
From a NULL session, hackers can call APIs and use
Remote Procedure Calls to enumerate information.
These techniques can, and will, provide information on
passwords, groups, services, users and even active
processes.
NULL session access can also be used for
escalating privileges and performing DoS attacks.
To establish such a connection from a DOS prompt
these commands can be used:
–net use \\<IP address or host name>\ipc$ "" /user:""
–net use
57
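From the defender's side, the null session described on these slides leaves a recognisable trace: an anonymous account reaching the IPC$ share. As an added example, not from the original deck, the code below picks that signature out of constructed, simplified renderings of Windows Security events (real events are multi-line; the field names here mirror the event text and the addresses are RFC 5737 placeholders).

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed one-line renderings of Windows Security events for the example:
# 4624 = an account was logged on, 5140 = a network share object was accessed.
LOG = """\
EventID=4624 LogonType=3 AccountName="ANONYMOUS LOGON" SourceAddress=198.51.100.7
EventID=5140 AccountName="ANONYMOUS LOGON" ShareName="\\\\*\\IPC$" SourceAddress=198.51.100.7
EventID=4624 LogonType=3 AccountName="jsmith" SourceAddress=203.0.113.20
EventID=5140 AccountName="jsmith" ShareName="\\\\*\\IPC$" SourceAddress=203.0.113.20
EventID=4624 LogonType=3 AccountName="ANONYMOUS LOGON" SourceAddress=198.51.100.8
EventID=5140 AccountName="ANONYMOUS LOGON" ShareName="\\\\*\\Public" SourceAddress=198.51.100.8
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping the quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def null_session_sources(log: str) -> Dict[str, int]:
    """Sources that reached IPC$ anonymously (event 5140 with ANONYMOUS LOGON), counted
    per source. Anonymous 4624 logons on their own are routine SMB noise and are not
    flagged; an anonymous access to the IPC$ share is the null-session signature."""
    hits: Dict[str, int] = defaultdict(int)
    for line in log.splitlines():
        ev = parse_event(line)
        if (ev.get("EventID") == "5140"
                and ev.get("AccountName") == "ANONYMOUS LOGON"
                and ev.get("ShareName", "").upper().endswith("IPC$")):
            hits[ev.get("SourceAddress", "?")] += 1
    return dict(hits)
```

The host-side counterpart is the RestrictAnonymous family of values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which limits what an anonymous IPC$ connection is allowed to enumerate.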
Demonstration of Null Sessions
Start Win 2000 Pro
Share a folder
From a Win XP command prompt
–NET VIEW \\ip-address
Fails
–NET USE \\ip-address\IPC$ "" /u:""
•Creates the null session
•Username="" Password=""
–NET VIEW \\ip-address
Works now
58
Demonstration of Enumeration
Download Winfo
Run it – see all the information!
59
NetBIOS Enumeration Tools
Net view command
–Shows whether there are any shared resources on a network host
60
NetBIOS Enumeration Tools (continued)
Net use command
–Used to connect to a computer with shared folders or files
61
Net use
62
Additional Enumeration Tools
NetScanTools Pro
DumpSec
Hyena
NessusWX
64
NetScanTools Pro
Produces a graphical view of NetBIOS running on a network
Enumerates any shares running on the computer
Verifies whether access is available for shared resource
using its Universal Naming Convention (UNC) name
Costs about $250 per machine (link Ch 6i)
65
DumpSec
Enumeration tool for Microsoft systems
Produced by Foundstone, Inc.
Allows user to connect to a server and “dump” the
following information
–Permissions for shares
–Permissions for printers
–Permissions for the Registry
–Users in column or table format
–Policies and rights
–Services
68
DumpSec
69
Hyena
Excellent GUI product for managing and securing
Microsoft OSs
Shows shares and user logon names for Windows
servers and domain controllers
Displays graphical representation of:
–Microsoft Terminal Services
–Microsoft Windows Network
–Web Client Network
–Find User/Group
70
NessusWX
This is the client part of Nessus
Allows enumeration of different OSs on a large network
Running NessusWX
–Be sure Nessus server is up and running
–Open the NessusWX client application
–To connect your client with the Nessus server
•Click Communications, Connect from the menu on the session
window
•Enter server’s name
•Log on the Nessus server
72
NessusWX (continued)
Nessus identifies
–NetBIOS names in use
–Shared resources
–Vulnerabilities with shared resources
•Also offers solutions to those vulnerabilities
–OS version
–OS vulnerabilities
–Firewall vulnerabilities
75
Enumerating the *NIX Operating System
Several variations
–Solaris
–SunOS
–HP-UX
–Linux
–Ultrix
–AIX
–BSD UNIX
–FreeBSD
–OpenBSD
80
UNIX Enumeration
Finger utility
–Most popular tool for security testers
–Finds out who is logged in to a *NIX system
–Determine owner of any process
Nessus
–Another important *NIX enumeration tool
81
Footprinting and Enumeration using netcraft.com
84