Recon - Dr. Stephen C. Hayne
Recon
This presentation is an amalgam of presentations by Mark
Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne
Phase 1: Reconnaissance
Investigate the target using publicly available information
Use this information to plan your attack
Use this information to plan your escape
Low-Tech Reconnaissance
Social engineering
Physical break-in
Dumpster diving
Eavesdropping
Wiretapping
Lo-Tech: Social Engineering
Still the best way to get information.
The GIBE virus that claims to be a security fix from Microsoft is an example of this.
Calls to help desk about passwords.
Calls to users from “help desk” about passwords.
Defense: user/sysadmin awareness
Lo-Tech: Physical Break-In
Wiretaps into the wiring closets
Drive up to a house, clip into their outside phone box with a long set of wires and dial anywhere using their phone. Remember this is highly illegal.
Physical access to machine rooms or “secure” building under a variety of ruses.
Defense: badge checks, education, alarms and motion sensors.
Lo-Tech: Physical Break-In
Theft of laptops at airports
Use encrypted file system
Screen savers
5 minute minimum, password protected
Lo-Tech: Dumpster Diving
Rummaging through the site’s trash looking for discarded information
Credit card slips, password information, old network maps, old server configuration listings
Oracle caught dumpster diving on Microsoft
Defense: paper shredders, proper trash disposal
Web-based Reconnaissance
Searching a company’s own website
employee contact info with phone numbers
clues about corporate culture and language
business partners
recent mergers and acquisitions
technologies in use
NT? IIS? Oracle? Solaris?
helpful for social engineering attacks
Web-based Reconnaissance
Using search engines
search for “www.companyname.com”
all websites that link to that URL
potential business partners, vendors, clients
Forums (the virtual watering hole)
company employees post technical questions to newsgroups
attackers can . . .
learn about a company’s systems
mislead the employees
Web-based Reconnaissance
Defenses
establish a company policy on web-publication of sensitive information, especially about products used in the company and their configuration
establish a company policy on employees’ use of newsgroups/forums and mailing lists
surf newsgroups, etc. for sensitive info about your own company to see what has leaked out
The Domain Name System
Hierarchical, highly distributed database
IP addresses, domain names, mail-server info
DNS servers : Internet :: 411 : phone system
DNS Hierarchy
Root DNS servers
  gov DNS servers
  edu DNS servers
    kings.edu DNS server
      www.kings.edu
      students.kings.edu
      www1.kings.edu
  mil DNS servers
whois Databases
Domain names, network addresses, IT employees
Registrars (100s) compete to register domains
InterNIC whois db [www.internic.net/whois.html]
lists registrars for .com, .net, .org domains
Allwhois whois db [www.allwhois.com/home.html]
mom’n’pops to giants, barebones to value-added
front-end for registrars in 59 countries
Other whois dbs [whois.nic.mil], [whois.nic.gov],
[www.networksolutions.com] (for .edu domains)
ARIN IP Address Assignments
American Registry for Internet Numbers (ARIN) maintains information on who owns IP address ranges given a company name.
Scope: North and South America, Caribbean, sub-Saharan Africa
www.arin.net/whois/
RIPE, APNIC Address Assignments
Réseaux IP Européens Network Coordination Centre (RIPE NCC) contains the IP address assignments for European networks.
www.ripe.net
Asian assignments are at the Asia Pacific Network Information Center (APNIC)
www.apnic.net
We’ve Got the Registrar, Now What?
Search at a particular registrar by . . .
company name or human name (name)
domain name (no keyword needed)
IP address, host name or name server name (host)
NIC handle (handle)
Can learn . . .
administrative, technical, and billing contact names
phone nos., e-mail addresses, postal addresses
registration dates
name servers
Defenses against DNS-based Recon
no OS names in machine names, so they never show up in your DNS servers
don’t include HINFO or TXT records for machines
limit zone transfers to need-to-know IP addresses
DNS needs UDP Port 53 to resolve names
TCP Port 53 is used for zone transfers
restrict it to known secondary DNS servers
Split DNS a.k.a. Split-Brain a.k.a. Split-Horizon DNS
external DNS server: publicly accessible hosts only
internal DNS server: DNS info for internal network
like proxy server; forwards requests beyond firewall
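One way a defender can audit their own zone data and name-server configuration for the three leaks listed on this slide (HINFO/TXT records, OS hints in host names, unrestricted zone transfers). This is an added example, not part of the original slides; the example.edu zone and the named.conf fragments are constructed, and the regex-based parsing is a simplified check, not a full BIND parser.

```python
"""Audit BIND-style DNS data for the recon leaks the slide warns about:
HINFO/TXT records, OS hints in host names, and unrestricted zone transfers.
Added example, not from the original slides; zone and config are constructed."""
import re

# Constructed sample zone for example.edu (a documentation domain), not real data.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
@           IN  NS    ns1.example.edu.
www         IN  A     192.0.2.10
solaris-web IN  A     192.0.2.11
solaris-web IN  HINFO "Sun Ultra 10" "Solaris 8"
nt-mail     IN  A     192.0.2.12
nt-mail     IN  TXT   "Exchange 5.5 on Windows NT 4.0"
ns1         IN  A     192.0.2.2
"""
# Constructed named.conf zone statements: weak (anyone may AXFR) and restricted
# to one known secondary (192.0.2.3).
WEAK_CONF = 'zone "example.edu" { type master; file "db.example"; allow-transfer { any; }; };'
GOOD_CONF = 'zone "example.edu" { type master; file "db.example"; allow-transfer { 192.0.2.3; }; };'

# Host-name tokens that hint at an operating system or product (extend as needed).
OS_HINTS = {"solaris", "sunos", "linux", "nt", "win2k", "aix", "hpux", "bsd", "iis", "oracle"}
# name [ttl] IN type data  (directives like $ORIGIN do not match and are skipped)
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+(?P<type>[A-Z]+)\s+(?P<data>.*)$")

def audit_zone(zone_text):
    """Return (host, issue) pairs: HINFO/TXT disclosures and OS-hinting host names."""
    findings, hinted = [], set()
    for line in zone_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m or m.group("name") == "@":      # skip non-records and apex records
            continue
        name, rtype, data = m.group("name"), m.group("type"), m.group("data")
        if rtype in ("HINFO", "TXT"):
            findings.append((name, f"{rtype} record discloses: {data}"))
        leaked = [t for t in re.split(r"[-._]", name.lower()) if t in OS_HINTS]
        if leaked and name not in hinted:        # report each host name only once
            hinted.add(name)
            findings.append((name, "host name hints at OS/product: " + ", ".join(leaked)))
    return findings

def zone_transfer_open(named_conf):
    """True if the zone statement allows AXFR to 'any' or sets no allow-transfer at all.
    A missing allow-transfer is flagged so that the transfer policy is always explicit."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", named_conf)
    if m is None:
        return True
    return any(tok.strip() == "any" for tok in m.group(1).split(";"))
```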
General Purpose Reconnaissance Tools
Interrogating DNS servers
first identify a company “name/domain server”
Windows & most UNIX flavors have: nslookup
zone transfer: “send all info about a domain”
system names (may imply OS, machines’ purposes)
IP addresses, mail-server names, etc.
most UNIX flavors have: host
some UNIX flavors have: dig
available for Windows : adig, nscan
[nscan.hypermart.net/index.cgi?index=dns]
General Purpose Reconnaissance Tools
Sam Spade [www.samspade.org/ssw/]
Windows, GUI, freeware
web browser, ping, whois, IP block whois,
nslookup, dig, DNS zone transfer, traceroute,
finger, SMTP VRFY
CyberKit [www.cyberkit.net]
NetScanTools [www.netscantools.com/nstmain.html]
iNetTools [www.wildpackets.com/products/inettools/]
Web Reconnaissance Tools
All traffic comes from web server, not client
Attacker can remain more anonymous
Some operated by . . . high-integrity pros in security organizations, or shady characters . . . so don’t use your company’s ISP account
Some tests include DoS attacks . . . so check with your company’s legal department
http://www.securityspace.com/sspace/index.html
Scanning Software
Languard GFI (for Windows)
NMAP (for Un*x)
Nessus: A Vulnerability Scanner for Linux
Nessus is a free, open-source general vulnerability scanner
As such, it is used by the white hat community and the black hats
Project started by Renaud Deraison
Available at www.nessus.org
Consists of a client and server, with modular plug-ins for individual tests