Transcript Document

Computer Security
Workshop
Module 1 –
Footprinting / Packet Sniffing
Footprinting
Definition: the gathering of information about a
potential system or network

a.k.a. fingerprinting
Attacker’s point of view


Identify potential target systems
Identify which types of attacks may be useful on
target systems
Defender’s point of view



Know available tools
May be able to tell if system is being footprinted, be
more prepared for possible attack
Vulnerability analysis: know what information you’re
giving away, what weaknesses you have
Information to Gather
System (Local or Remote)


IP Address, Name and Domain
Operating System
Type (Windows, Linux, Solaris, Mac)
Version (98/NT/2000/2003/XP/Vista/7, Redhat, Fedora,
SuSe, Ubuntu, OS X)



Usernames (and their passwords)
File structure
Open Ports (what services/programs are running on
the system)
Information to Gather (2)
Networks / Enterprises


System information for all hosts
Network topology
Gateways
Firewalls
Overall topology


Network traffic information
Specialized servers
Web, Database, FTP, Email, etc.
Defender Perspective
Identify information you’re giving away
Identify weaknesses in systems/network
Know when systems/network is being
probed
Identify source of probe
Develop awareness of threat
Construct audit trail of activity
Tools - Linux
Some basic Linux tools - lower level utilities

Local System
hostname
ifconfig
who, last

Remote Systems
ping
traceroute
nslookup, dig
whois
arp, netstat (also local system)

Other tools
lsof
Tools – Linux (2)
Other utilities

wireshark (packet sniffing)
nmap (port scanning) - more later

Ubuntu Linux

Go to System / Administration / Network Tools –
get interface to collection of tools: ping, netstat,
traceroute, port scan, nslookup, finger, whois
Tools - Windows
Windows



Sam Spade (collected network tools)
Wireshark (packet sniffer)
Command line tools
ipconfig

Many others…
hostname
Determine host name of current system
Usage: hostname
E.g. hostname
localhost.localdomain
 E.g. hostname
mobile.cs.uwec.edu

// default
ifconfig
Configure network interface
Tells current IP numbers for host system
Usage: ifconfig
E.g. ifconfig // command alone: display status
eth0
Link encap: Ethernet
HWaddr 00:0C:29:CD:F6:D3
inet addr: 192.168.172.128 . . .
lo Link encap: Local
Loopback
inet addr: 127.0.0.1
...

who
Basic tool to show users on current
system
Useful for identifying unusual activity (e.g.
activity by newly created accounts or
inactive accounts)
Usage: who
E.g. who
root
tty1 Jan 9 12:46
paul
tty2 Jan 9 12:52

last
Show last N users on system


Default: since last cycling of file
-N: last N lines
Useful for identifying unusual activity in recent past
Usage: last [-n]

E.g. last -3
wagnerpj pts/1
flinstf pts/0
rubbleb pts/0
137.28.253.254 Sat Feb 5 15:40 still logged in
137.28.191.74 Sat Feb 5 15:38 still logged in
c48.someu.edu Sat Feb 5 14:38 - 15:25 (00:46)
ping
Potential Uses

Is system online?
Through response

Gather name information
Through DNS

Tentatively Identify operating system
Based on TTL (packet Time To Live) on each packet line
TTL = number of hops allowed to get to system
64 is Linux default, 128 is Windows default (but can be changed!)
Notes



Uses ICMP packets
Often blocked on many hosts; more useful within network
Usage: ping system
E.g. ping ftp.redhat.com
E.g. ping localhost
traceroute
Potential Uses



Determine physical location of machine
Gather network information (gateway, other internal
systems)
Find system that’s dropping your packets – evidence
of a firewall
Notes




Can use UDP or ICMP packets
Results often limited by firewalls
Several GUI-based traceroute utilities available
Usage: traceroute system
E.g. traceroute cs.umn.edu
traceroute example - blocked
[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max,
38 byte packets
1 137.28.109.2 (137.28.109.2) 0.247 ms 0.220 ms 0.208
ms
2 v101.networking.cns.uwec.edu (137.28.9.1) 0.245 ms
0.229 ms 0.220 ms
3 uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)
1.315 ms 1.194 ms 1.343 ms
4 ***
<ctrl-c>
[wagnerpj@data ~]$
traceroute example - success
H:\>tracert www.google.com
Tracing route to www.google.akadns.net [64.233.167.99] over a maximum of 30 hops:
1
2
3
4
5
6
7
8
9
<1 ms <1 ms <1 ms v61.networking.cns.uwec.edu [137.28.61.1]
4 ms 6 ms 3 ms UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
2 ms 1 ms 2 ms r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
17 ms 17 ms 17 ms chi-edge-08.inet.qwest.net [65.113.85.5]
18 ms 16 ms 18 ms chi-core-02.inet.qwest.net [205.171.20.113]
17 ms 18 ms 19 ms cer-core-01.inet.qwest.net [205.171.205.34]
18 ms 19 ms 21 ms chp-brdr-01.inet.qwest.net [205.171.139.146]
18 ms 17 ms 18 ms P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
15 ms 16 ms 16 ms Google-EU-Customers-2.GW.opentransit.net
[193.251.249.30]
10 16 ms 16 ms 18 ms 216.239.46.10
11 21 ms 19 ms 17 ms 64.233.175.30
12 18 ms 16 ms 16 ms 64.233.167.99
Trace complete.
Visual Traceroute Example
whois
Potential Uses


Queries nicname/whois servers for Internet
registration information
Can gather contacts, names, geographic
information, servers, … - useful for social
engineering attacks
Notes

Usage: whois domain
e.g. whois netcom.com
whois example - basic
Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
[email protected]
Name Servers:
TOMATO.UWEC.EDU
LETTUCE.UWEC.EDU
BACON.UWEC.EDU
137.28.1.17
137.28.1.18
137.28.5.194
whois example - wildcards
whois uw%.edu
Your search has matched multiple domains.
Below are the domains you matched (up to 100). For
specific
information on one of these domains, please search on that
domain.
UW.EDU
UWA.EDU
UWB.EDU
UWC.EDU
UWEC.EDU
UWEST.EDU
UWEX.EDU
….
nslookup
Potential Uses


Query internet name servers
Find name for IP address, and vice versa
Notes


Now deprecated – generally use dig
Sometimes useful when dig fails
Usage

nslookup xxxxxxx
// name or IP addr.
E.g. nslookup data.cs.uwec.edu
E.g. dig data.cs.uwec.edu
dig
Potential Uses


Domain Name Service (DNS) lookup utility
Associate name with IP address and vice
versa
Notes


Many command options
General usage: dig <somehost>
E.g. dig data.cs.uwec.edu
E.g. dig 137.28.109.33
arp
Tracks addresses, interfaces accessed by
system
Possible uses

Find systems that your system has recently
talked to
Notes


arp
arp –n
// display names
// display numeric addresses
netstat
Shows connections, routing information,
statistics
Possible uses

find systems that your system has recently talked to,
find recently used ports
Notes

Many flags
netstat
netstat –s
netstat – r
netstat – p
netstat – l
// open sockets, etc.
// summary statistics
// routing tables
// programs
// listening sockets
lsof
Lists open files on your system
Useful to see what processes are working
with what files, possibly identify tampering
Usage: lsof
Windows Tools
Sam Spade



“swiss army knife” of footprinting
Has most of the Linux tools
Plus other functionality
Usage



Start application
Fill in name or IP address
Choose option desired in menus
Packet Sniffers
Definition: Hardware or software that can
display network traffic packet information
Usage

Network traffic analysis
Example packet sniffers



tcpdump (command line, Linux)
wireshark (GUI interface, Linux, Windows –
open source)
others…
Limitations – Packet Sniffing
Packet sniffers only catch what they can
see



Users attached to hub – can see everything
Users attached to switch – only see own traffic
Wireless – wireless access point is like hub
Need to be able to put your network
interface card (NIC) in “promiscuous” mode
to be able to process all traffic, not just
traffic for/from itself


NIC must support
Need privilege (e.g. root in Linux)
OSI Network Protocol
Layer 7 – Application (incl. app.
content)
Layer 6 – Presentation
Layer 5 – Session
Layer 4 – Transport (incl. protocol,
port)
Layer 3 – Network (incl. source, dest)
Layer 2 – Data Link
Layer 1 – Physical
wireshark
Created as tool to examine network
problems in 1997
Various contributors added pieces;
released 1998
Name change (2007): ethereal ->
wireshark
Works with other packet filter formats
Information

http://www.wireshark.org
Demonstration
Using wireshark
Ubuntu – Applications / Internet / Wireshark (as root)


Enter your administrative account pw: user
Capture/Interfaces/eth0:, Start
Capture window shows accumulated totals for different
types of packets
Stop – packets now displayed
Top window – packet summary

Can sort by column – source, destination, protocol are useful
Middle window – packet breakdown

Click on + icons for detail at each packet level
Bottom window – packet content
Wireshark capture analysis
Can save a session to a capture file
Can reopen file later for further analysis
Open capture file


Ubuntu: /home/user/Support/MOBILEcapture.cap
W2K3: C:\Support\MOBILEcapture.cap
Identify and follow different TCP streams


Select TCP packet, Analyze/Follow TCP Stream
MOBILEcapture.cap has http, https, ftp, ssh streams
Any interesting information out there?

HINT: follow stream on an ftp packet
Related Tool
Hunt





TCP sniffer
Watch and reset connections
Hijack sessions
Spoof MAC address
Spoof DNS name
Related Tool
EtherPEG – image capture on network

http://www.etherpeg.com
Summary
Basic tools can generate much
information
Remember principle of accumulating
information

Attacker will build on smaller pieces to get
bigger pieces
Message to defenders: don’t give away
any information if you can avoid it