03-Footprintingx - Rose
Footprinting
Definition: the gathering of information about a
potential system or network
a.k.a. fingerprinting
Attacker’s point of view
Identify potential target systems
Identify which types of attacks may be useful on target
systems
Defender’s point of view
Know available tools
May be able to tell if system is being footprinted, be
more prepared for possible attack
Vulnerability analysis: know what information you’re
giving away, what weaknesses you have
Information to Gather
System (Local or Remote)
IP Address, Name and Domain
Operating System
Type (Windows, Linux, Solaris)
Version (98/NT/2000/2003/XP, Redhat, Fedora, SuSe, Ubuntu)
Usernames
File structure
Open Ports (what services/programs are running on the
system)
Physical Proximity/Location
Information to Gather (2)
Networks / Enterprises
System information for all hosts
Network topology
Gateways
Firewalls
Overall topology
Network traffic information
Specialized servers
Web, Database, FTP, Email, etc.
Defender Perspective
Identify information you’re giving away
Identify weaknesses in systems/network
Know when systems or the network are being probed
Identify source of probe
Develop awareness of threat
Construct audit trail of activity
Tools – Linux (use “man” for help)
Linux tools - lower level utilities
Local System
hostname
ifconfig
who, last
Remote Systems
ping
traceroute, tracert
finger (also local system)
nslookup, dig
whois
arp, netstat (also local system)
Other tools
lsof
Tools – Linux (2)
Other utilities
ethereal/wireshark (packet sniffing)
nmap (port scanning) - more later
Tools - Windows
Windows
Sam Spade (collected tools)
Whois,Ping, IPBlock, Dig, Traceroute, Finger, Browse Web, and Parse email
headers …
ethereal (packet sniffer)
Command line tools
ipconfig
Many others…
hostname
Determine name of current system
Usage: hostname
E.g. hostname
localhost.localdomain    // default
E.g. hostname
clics.cs.uwec.edu
ifconfig
Configure network interface
Tells current IP numbers for host system
Usage: ifconfig
E.g. ifconfig    // command alone: display status
eth0      Link encap: Ethernet  HWaddr 00:0C:29:CD:F6:D3
          inet addr: 192.168.172.128 ...
lo        Link encap: Local Loopback
          inet addr: 127.0.0.1
          ...
who
Basic tool to show users on current system
Useful for identifying unusual activity (e.g. activity by
newly created accounts or inactive accounts)
Usage: who
E.g. who
root    tty1    Jan 9 12:46
paul    tty2    Jan 9 12:52
last
Show last N users on system
Default: since last cycling of file
-N: last N lines
Useful for identifying unusual activity in recent past
Usage: last [-n]
e.g. last -3
wagnerpj  pts/1  137.28.253.254    Sat Feb 5 15:40   still logged in
flinstf   pts/0  137.28.191.74     Sat Feb 5 15:38   still logged in
rubbleb   pts/0  c48.193.173.92.e  Sat Feb 5 14:38 - 15:25  (00:46)
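The slide's defender use of last (spotting activity by accounts that should not be logging in, or from places they should not be logging in from) as an added Python check; this is not from the slides. The sample lines are constructed after the last -3 output above, and the account baseline and trusted address prefix are assumptions for the example.

```python
import re

# One session per line, in the layout the slide shows:
#   user  tty  host  Day Mon dd HH:MM  [- HH:MM (dur) | still logged in]
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2})\s*(?P<rest>.*)$"
)

def parse_last(text):
    """Parse `last` output into session dicts; lines that are not sessions
    (blank, 'wtmp begins ...') are skipped. Console logins without a host
    column would need a second pattern."""
    sessions = []
    for line in text.splitlines():
        m = LAST_LINE.match(line)
        if m:
            sessions.append({"user": m["user"], "tty": m["tty"], "host": m["host"],
                             "start": m["start"],
                             "active": "still logged in" in m["rest"]})
    return sessions

def flag_unusual(sessions, expected_users, trusted_prefixes):
    """Defender check: accounts outside the baseline, or logins from hosts
    outside the trusted address prefixes (the slide's 'unusual activity')."""
    findings = []
    for s in sessions:
        if s["user"] not in expected_users:
            findings.append((s["user"], "account not in baseline"))
        if not s["host"].startswith(tuple(trusted_prefixes)):
            findings.append((s["user"], "login from untrusted host " + s["host"]))
    return findings

# Constructed sample modelled on the slide's `last -3` output; not real data.
SAMPLE = """\
wagnerpj pts/1        137.28.253.254   Sat Feb  5 15:40   still logged in
flinstf  pts/0        137.28.191.74    Sat Feb  5 15:38   still logged in
rubbleb  pts/0        c48.193.173.92.e Sat Feb  5 14:38 - 15:25  (00:46)

wtmp begins Sat Jan  1 00:00:01 2005
"""

# Assumed baseline for this host: the known accounts and the campus 137.28.x.x range.
EXPECTED_USERS = {"wagnerpj", "flinstf"}
TRUSTED_PREFIXES = ["137.28."]

if __name__ == "__main__":
    for user, why in flag_unusual(parse_last(SAMPLE), EXPECTED_USERS, TRUSTED_PREFIXES):
        print(f"{user}: {why}")
```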
ping
Potential Uses
Is system online?
Through response
Gather name information
Through DNS
Estimate relative physical location
Based on RTT (Round Trip Time) given in summary statistics
Identify operating system
Based on TTL (packet Time To Live) on each packet line
TTL = number of hops allowed to get to system
64 is Linux default, 128 is Windows default (but can be changed!)
Notes
Uses ICMP packets
Often blocked on many hosts
Usage: ping system
E.g. ping ftp.redhat.com
E.g. ping localhost
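The TTL and RTT heuristics above, applied by an added Python example (not the slides' own code) to constructed ping output. The initial-TTL table is the slide's 64 (Linux) and 128 (Windows) plus 255, which many routers use; as the slide notes, these are defaults the owner can change, so the result is a hint, not proof.

```python
import re

# Per-reply line of Linux ping, e.g.
#   64 bytes from 137.28.109.33: icmp_seq=1 ttl=116 time=17.0 ms
REPLY = re.compile(r"ttl=(?P<ttl>\d+)\s+time=(?P<rtt>[\d.]+)\s*ms")

# Common initial TTLs; defaults that an administrator can change.
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "router/other"}

def parse_ping(text):
    """Return (ttl, rtt_ms) per echo reply; summary lines have no ttl= and are skipped."""
    return [(int(m["ttl"]), float(m["rtt"])) for m in REPLY.finditer(text)]

def guess_os(ttl):
    """Assume the sender started from the smallest common initial TTL not below
    the observed value; the difference is the hop count. A TTL of 64 could be a
    Linux host next door or a Windows host 64 hops away, so this is only a hint."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    return "unknown", None

def summarize(text):
    """Combine the slide's TTL (OS) and RTT (relative distance) heuristics."""
    replies = parse_ping(text)
    if not replies:
        return None          # no replies: host down, or ICMP blocked as the slide warns
    ttl = replies[0][0]
    rtts = [rtt for _, rtt in replies]
    family, hops = guess_os(ttl)
    return {"ttl": ttl, "likely_os": family, "hops_away": hops,
            "rtt_min": min(rtts), "rtt_avg": round(sum(rtts) / len(rtts), 3),
            "rtt_max": max(rtts)}

# Constructed ping output; the address and timings are made up for the example.
SAMPLE = """\
PING example.test (137.28.109.33) 56(84) bytes of data.
64 bytes from 137.28.109.33: icmp_seq=1 ttl=116 time=17.0 ms
64 bytes from 137.28.109.33: icmp_seq=2 ttl=116 time=18.0 ms
64 bytes from 137.28.109.33: icmp_seq=3 ttl=116 time=17.5 ms

--- example.test ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```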
traceroute
Potential Uses
Determine physical location of machine
Gather network information (gateway, other internal
systems)
Find system that’s dropping your packets – evidence of a
firewall
Notes
Can use UDP or ICMP packets
Results often limited by firewalls
Several GUI-based traceroute utilities available
Usage: traceroute system
E.g. traceroute cs.umn.edu
traceroute example
[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
<ctrl-c>
[wagnerpj@data ~]$
traceroute example - success
H:\>tracert www.google.com
Tracing route to www.google.akadns.net [64.233.167.99] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
 10    16 ms    16 ms    18 ms  216.239.46.10
 11    21 ms    19 ms    17 ms  64.233.175.30
 12    18 ms    16 ms    16 ms  64.233.167.99
Trace complete.
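An added Python parser, not from the slides, for both trace formats shown above. It reports where a trace goes silent, which is the "system that's dropping your packets" case the slide calls evidence of a firewall, and distinguishes that from a trace that completed. The sample outputs are constructed from the slide's hops.

```python
import re

HOP = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<body>.*)$")
# "name (ip)" in Linux traceroute, "name [ip]" in Windows tracert
NAMED = re.compile(r"([\w.-]+)\s+[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BARE_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_trace(text):
    """Return (hop, responder) per hop line; responder is None when nothing
    answered (Linux '* * *' or Windows 'Request timed out.'). Banner, prompt
    and 'Trace complete.' lines do not start with a hop number and are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue
        body = m["body"]
        if "ms" not in body:                       # no timing at all: silent hop
            hops.append((int(m["hop"]), None))
            continue
        named, ip = NAMED.search(body), BARE_IP.search(body)
        hops.append((int(m["hop"]), named.group(1) if named else ip.group(0) if ip else "?"))
    return hops

def filter_point(hops):
    """If the trace ends in silence, return (last responder, first silent hop
    of that final run); a silent hop in the middle is ignored. Returns None
    when the last hop answered, i.e. the trace completed."""
    if not hops or hops[-1][1] is not None:
        return None
    last, first_silent = None, None
    for hop, who in hops:
        if who is not None:
            last, first_silent = who, None
        elif first_silent is None:
            first_silent = hop
    return last, first_silent

# Constructed samples based on the two traces on the slides.
LINUX_SAMPLE = """\
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
 5  * * *
"""
WINDOWS_SAMPLE = """\
Tracing route to www.google.akadns.net [64.233.167.99] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     *        *        *     Request timed out.
  3    16 ms    16 ms    18 ms  64.233.167.99
Trace complete.
"""
```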
finger
Potential Uses
Collect usernames
Determine if user is currently logged in
Notes
Often blocked
Usage: finger localuser, finger @system, or finger remoteuser@system
E.g. finger chidanan (user on local system)
E.g. finger @csse.rose-hulman.edu (all users on remote system)
E.g. finger [email protected] (user on remote system)
whois
Potential Uses
Queries nicname/whois servers for Internet registration
information
Can gather contacts, names, geographic information,
servers, … - useful for social engineering attacks
Notes
Usage: whois domain
e.g. whois netcom.com
whois example - basic
Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
[email protected]
Name Servers:
TOMATO.UWEC.EDU
LETTUCE.UWEC.EDU
BACON.UWEC.EDU
137.28.1.17
137.28.1.18
137.28.5.194
whois example - wildcards
whois uw%.edu
Your search has matched multiple domains.
Below are the domains you matched (up to 100). For specific
information on one of these domains, please search on that
domain.
UW.EDU
UWA.EDU
UWB.EDU
UWC.EDU
UWEC.EDU
UWEST.EDU
UWEX.EDU
...
nslookup
Potential Uses
Query internet name servers
Find name for IP address, and vice versa
Notes
Now deprecated – generally use dig
Sometimes useful when dig fails
Usage: nslookup xxxxxxx    // name or IP addr.
E.g. nslookup data.cs.uwec.edu
E.g. dig data.cs.uwec.edu
dig
Potential Uses
Domain Name Service (DNS) lookup utility
Associate name with IP address and vice versa
Notes
Many command options
General usage: dig <somehost>
E.g. dig data.cs.uwec.edu
E.g. dig 137.28.109.33
arp
Tracks addresses, interfaces accessed by system
Possible uses
Find adjacent systems
Notes
arp       // display names
arp -n    // display numeric addresses
netstat
Shows connections, routing information, statistics
Possible uses
find adjacent machines, used ports
Notes
Many flags
netstat       // open sockets, etc.
netstat -s    // summary statistics
netstat -r    // routing tables
netstat -p    // programs
netstat -l    // listening sockets
lsof
Lists open files on your system
Useful to see what processes are working with what
files, possibly identify tampering
Usage: lsof
Windows Tools
Sam Spade
“swiss army knife” of footprinting
Has most of the Linux tools
Plus other functionality
Usage
Start application
Fill in name or IP address
Choose option desired in menus
Packet Sniffers
Definition: Hardware or software that can display
network traffic packet information
Usage
Network traffic analysis
Example packet sniffers
tcpdump (command line, Linux)
ethereal (Linux, Windows – open source)
others…
Limitations – Packet Sniffing
Packet sniffers only catch what they can see
Users attached to hub – can see everything
Users attached to switch – can see own traffic only
Wireless – wireless access point is like hub
Need to be able to put NIC in “promiscuous” mode to
be able to process all traffic, not just traffic for/from
itself
NIC must support
Need privilege (e.g. root in Linux)
OSI Network Protocol
Layer 7 – Application (incl. app. content)
Layer 6 – Presentation
Layer 5 – Session
Layer 4 – Transport (incl. protocol, port)
Layer 3 – Network (incl. source, dest)
Layer 2 – Data Link
Layer 1 – Physical
ethereal / wireshark
Created as tool to examine network problems in 1997
Various contributors added packet dissectors, fixes,
upgrades; released 1998
Works with other packet filter formats
Information
http://www.wireshark.org
http://www.ethereal.com
Demonstration
Using ethereal
Prompt>>ethereal &
(in Linux)
Capture/Start/OK
Capture window shows accumulated totals for different
types of packets
Stop – packets now displayed
Top window – packet summary
Can sort by column – source, destination, protocol are
useful
Middle window – packet breakdown
Click on + icons for detail at each packet level
Bottom window – packet content
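The per-layer breakdown the middle window shows, as an added Python example (not code from the slides or from Ethereal/Wireshark): a minimal dissector that splits one raw Ethernet frame into the Layer 2, 3, 4 and 7 fields from the OSI list above. The frame is constructed in the block; the MACs and IP addresses are made up for the example, with the source MAC and IP echoing the slide's ifconfig output, and checksums are left zero.

```python
import struct

def dissect(frame):
    """Split a raw Ethernet frame into the per-layer view a sniffer's packet
    breakdown shows: L2 Ethernet, L3 IPv4, L4 TCP, L7 whatever follows."""
    layers = {}
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])   # L2: dst MAC, src MAC, EtherType
    layers["L2"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": hex(etype)}
    if etype != 0x0800:                                     # only IPv4 handled here
        return layers
    ip = frame[14:]
    ver_ihl, _, _, _, _, ttl, proto, _, s_ip, d_ip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                              # IP header length in bytes
    layers["L3"] = {"src": ".".join(map(str, s_ip)), "dst": ".".join(map(str, d_ip)),
                    "ttl": ttl, "proto": proto}
    if proto != 6:                                          # 6 = TCP
        return layers
    tcp = ip[ihl:]
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4                            # TCP data offset in bytes
    flags = off_flags & 0x1FF
    layers["L4"] = {"sport": sport, "dport": dport,
                    "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}
    payload = tcp[doff:]                                    # L7: readable for http/ftp, opaque for ssh/https
    layers["L7"] = payload.decode("ascii", errors="replace")
    return layers

def build_sample_frame():
    """Constructed HTTP request inside TCP/IPv4/Ethernet. Addresses are made
    up; the source MAC and IP copy the slide's ifconfig example. Checksums
    are left zero because this frame is never sent."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)  # PSH+ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, bytes([192, 168, 172, 128]), bytes([137, 28, 109, 33]))
    eth = struct.pack("!6s6sH", bytes.fromhex("005056c00008"), bytes.fromhex("000c29cdf6d3"), 0x0800)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    for layer, fields in dissect(build_sample_frame()).items():
        print(layer, fields)
```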
Ethereal capture analysis
Can save a session to a capture file
Can reopen file later for further analysis
Open capture file
Identify and follow different TCP streams
Select TCP packet, Tools/Follow TCP Stream
CLICScapture.cap has http, https, ftp, ssh
Any interesting information out there?
Related Tools
Hunt
TCP sniffer
Watch and reset connections
Hijack sessions
Spoof MAC
Spoof DNS
Related Tool
EtherPEG – image capture on network
http://www.etherpeg.com
Demonstration
See http://www.menshevik.com/showme on windows
Summary
Basic tools can generate much information
Remember principle of accumulating information
Attacker will build on smaller pieces to get bigger
pieces
Moral: don’t give away information if you can avoid
it