Reconnaissance - Northern Kentucky University

CIT 380: Securing Computer Systems
Reconnaissance
Slide #1
Topics
1. Low Tech Reconnaissance
2. Network Information Sources
3. DNS Zone Transfers
4. Network Mapping
Reconnaissance
Collecting security-relevant information about an organization, including:
– Locations
– Related entities
– Personnel: names, phone numbers, email addresses
– Privacy or security policies
– Network and system configuration
– Remote access methods
Low Tech Reconnaissance
1. Social Engineering
2. Physical Break-In
3. Dumpster Diving
Social Engineering
Attacker uses a pretext to deceive an organization member into giving out confidential information.
Pretexts include personas and reasons:
Personas
– New employee
– Sysadmin
– Manager
Reasons
– Lost password
– Contact name/phone
– Reset password
Social Engineering Defences
Security Policy
– Secure method for password resets.
– No requests for passwords.
Security Awareness Program
– Educate personnel about social attacks.
– Educate personnel about security policy.
Physical Break-In
Methods of Entry
– Employment.
– Enter on someone else’s coat tails (tailgating).
Physical Access
– Already logged-in system.
– System with password written down nearby.
– Install hardware/software key loggers.
– Plug in laptop to Ethernet port.
– Take removable media or even hard disks.
Physical Defences
Security Policy
– Personnel cannot enter without card.
– No coat-tailing.
– Policy for ID card replacement/temporary IDs.
Security Mechanisms
– Card reader access.
– Guards.
– Automatic screen locks after 5 minutes.
– Locked file cabinets/drawers.
– Encryption.
Dumpster Diving
Search trash for sensitive information
– Usernames and passwords,
– Phone directories,
– Network diagrams, etc.
2000: Oracle hired IGI (a PI company) to
investigate pro-Microsoft groups.
– IGI searched trash to discover MS funding of
supposedly independent advocacy groups.
Defences Against Dumpster Diving
Security Policy
– Require special disposal of confidential data.
– Includes paper, floppies, etc.
Security Mechanisms
– Paper shredder.
– De-gausser.
– Burning.
Information Resources
Organization web site
– Check HTML source for comments.
– Check robots.txt for interesting files.
Usenet postings
– Search groups.google.com for “@org” postings
– comp.security.*, comp.unix.*
Search news sources about organization:
– finance.yahoo.com
– news.google.com
– Edgar database (www.sec.gov/)
Send email to an invalid address @org
– The bounce (non-delivery report) identifies the mail server vendor and version.
– Its Received: headers reveal the email server topology and antivirus defences.
Google Hacking: Keywords
site: for site-specific searches
– site:orgname
– keywords: dial, dialup, login, password
– job postings listing required
programs/technologies
link: find related sites
– link:sitename
cache: see deleted pages or old versions
– cache:sitename
Google Hacking: Finding Directory Listings
intitle: for text in title, not body.
– intitle:index.of “parent directory”
– intitle:index.of name size
Combine with site: to specify your target.
Google Hacking: Finding Passwords
UNIX Passwords
intitle:"Index of..etc" passwd
MySql History (often includes passwords)
intitle:"Index of" .mysql_history
See Google Hack Database for more queries.
See www.googleguide.com for more about Google.
What if a page has been deleted?
Google Cache
– Google for cache:www.nku.edu
– Cached page data up to 101K.
Internet Archive
– www.archive.org
– Not searchable.
– Enter URL of old site.
– Select date of archive to view.
Defences against Google Hacking
Security Policy
– Limit personal information (SSN, phone, email) on site.
– Limit technical information posted to web site.
– Limit data exposure on web forums and newsgroups.
Security Mechanism
– Perform your own searches of web site.
– Use robots.txt to limit what pages are indexed.
– Beware that attackers will target pages hidden from
search engines by robots.txt.
Domain Name Registration
Domain registration information
– Contact information: names, email, phone
– Postal address
– Registration dates
– DNS servers
Obtaining registration information
– http://www.internic.net/whois.html
– whois command
IP Address Assignments
– Find ownership information for IP address blocks
– http://ws.arin.net/whois
whois
Domain Name: NKU.EDU
Registrant:
Northern Kentucky University
Information Technology Lucas Admin Center 507, Nunn Dr
Highland Heights, KY 41099
Administrative Contact:
Kathy Bennett
(859) 572-1577
[email protected]
Technical Contact:
Douglas Wells
(859) 572-5847
[email protected]
Name Servers:
NS3.NKU.EDU
NS4.NKU.EDU
192.122.237.203
192.122.237.204
Domain record activated: 12-Jul-1994
Domain record last updated: 21-Sep-2007
whois
> host intel.com
intel.com has address 198.175.96.33
> whois 198.175.96.33
[Querying whois.arin.net]
[whois.arin.net]
Intel Corporation NETBLK-INTEL-IT (NET-198-175-64-0-1)
198.175.64.0 - 198.175.123.255
Distributed Network Technical Support INTEL-IT33 (NET198-175-96-0-1)
198.175.96.0 - 198.175.96.255
# ARIN WHOIS database, last updated 2004-04-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
Threats
• Social Engineering
– Pose as administrative contact via phone/email to gain
information
• Wardialing
– Search telephone exchange for modems
• Domain Hijacking
– 1998 redirect of aol.com to autonete.net
• Further network investigation
– DNS queries
– Network scans of IP address space
Domain Name Service (DNS)
[Figure: DNS hierarchy. The root DNS servers delegate to the edu, com and net DNS servers; the edu DNS servers delegate to the nku.edu DNS servers.]
DNS Lookup
[Figure: resolving www.nku.edu. The client asks its local DNS server for www.nku.edu. The local DNS server queries a root DNS server, is referred to the edu DNS server, which refers it to the nku.edu DNS server, which answers 192.122.237.7. The local DNS server returns that answer to the client.]
DNS Record Types
Record Type   Purpose
A             Maps a DNS name to an IP address.
HINFO         Arbitrary host information (CPU and OS).
MX            Identifies a mail server.
NS            Identifies a name server.
TXT           Arbitrary text used for documentation.
DNS Reconnaissance
Identify hosts one by one using nslookup or dig commands.
$ nslookup
> www.nku.edu
Non-authoritative answer:
Name:    www.nku.edu
Address: 192.122.237.7
> set type=mx
> nku.edu
Non-authoritative answer:
nku.edu mail exchanger = 100 sort1.mxsmtp.com.
nku.edu mail exchanger = 200 sort2.mxsmtp.com.
nku.edu mail exchanger = 300 sort3.mxsmtp.com.
Authoritative answers can be found from:
nku.edu nameserver = ns4.nku.edu.
nku.edu nameserver = ns3.nku.edu.
ns3.nku.edu internet address = 192.122.237.203
DNS Zone Transfer
Lists all DNS information for a domain.
– Used to sync secondary DNS servers with the primary.
– Provides the entire DNS database to an attacker if any authoritative server answers AXFR requests from arbitrary clients.
Commands
– host -l -v -t any nku.edu
– dig @ns3.nku.edu nku.edu axfr
– nslookup (the ls command exists only in the Windows nslookup; use dig or host on Unix)
  • set type=any
  • ls -d nku.edu
Defences
– ACL: allow zone transfers only from the secondary DNS servers, and authenticate them with TSIG where the server supports it.
– Separate internal and external DNS databases (split DNS), so internal hostnames and addresses never appear in the zone served to the Internet.
Network Mapping
• DNS and whois searches have identified
networks of interest.
• Next step: mapping the networks
• traceroute
– explore network topology
– identify firewalls
• ping scan
– find currently up hosts
traceroute
> traceroute www.washington.edu
traceroute: Warning: www.washington.edu has multiple addresses; using 140.142.11.6
traceroute to www.washington.edu (140.142.11.6), 30 hops max, 40 byte packets
1 nku10 (192.122.237.10) 1.642 ms 1.195 ms 1.001 ms
2 h98.188.140.67.ip.alltel.net (67.140.188.98) 1.716 ms 1.219 ms 1.492 ms
3 h89.188.140.67.ip.alltel.net (67.140.188.89) 5.493 ms 5.850 ms 5.523 ms
4 128.163.55.209 (128.163.55.209) 21.311 ms 21.992 ms 21.349 ms
5 143.215.193.1 (143.215.193.1) 22.730 ms 21.956 ms 22.482 ms
6 216.24.186.34 (216.24.186.34) 37.851 ms 37.949 ms 37.459 ms
7 denv-chic-36.layer3.nlr.net (216.24.186.5) 61.102 ms 61.290 ms 61.864 ms
8 seat-denv-58.layer3.nlr.net (216.24.186.7) 87.954 ms 87.546 ms 87.563 ms
9 209.124.179.45 (209.124.179.45) 86.930 ms 86.932 ms 86.544 ms
10 209.124.191.133 (209.124.191.133) 87.087 ms 86.794 ms 87.296 ms
11 uwcr-ads-01-vlan1802.cac.washington.edu (205.175.101.9) 86.938 ms 87.157 ms 86.930 ms
12 uwcr-ads-01-vlan3839.cac.washington.edu (205.175.101.158) 87.700 ms 86.899 ms 86.699 ms
13 acar-ads-01-vlan3802.cac.washington.edu (205.175.108.10) 87.058 ms 87.061 ms 86.638 ms
14 www14.cac.washington.edu (140.142.11.6) 87.439 ms 87.137 ms 87.303 ms
Network Diagramming
• traceroute to multiple internal hosts
– identify different paths
– identify firewalls that prevent traceroute
• Draw map of network based on traceroutes
• Helpful Tools
– firewalk: route tracing tool that bypasses many firewall configurations that stop traceroute
– neotrace: geographic map of network route
Defences
Firewalls
– Restrict ingress of packet types commonly used
for network mapping, e.g. ICMP.
Detection
– IDS can detect network mapping attempts,
letting you know which IPs are mapping your
network.
Ping Scanning
• Send an IP packet to each IP address in a network, checking for responses.
• Scan types
– ICMP echo
– TCP port 80
– TCP/UDP specific port
– Fragmented packets
Ping Scanning
> nmap -sP 10.17.0.0/24
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-05 13:57 EDT
Host pc_elan.lc3net (10.17.0.1) appears to be up.
Host 10.17.0.31 appears to be up.
Host 10.17.0.35 appears to be up.
Host sun02 (10.17.0.55) appears to be up.
Host sun09 (10.17.0.64) appears to be up.
Host pc208p01 (10.17.0.66) appears to be up.
Host sun14 (10.17.0.80) appears to be up.
Host 10.17.0.241 appears to be up.
Host 10.17.0.247 appears to be up.
Nmap run completed -- 256 IP addresses (54 hosts up) scanned in 4.510 seconds
Note: current nmap versions call this host-discovery mode -sn; -sP is still accepted as an alias.
Defences
Firewalls
– Refuse ICMP echo ingress.
– Restrict TCP ports to necessary servers
• port 80 only to web server
• port 25 only to mail server
Bypassing defences
– Multiple sweeps with different target ports.
– ICMP timestamp and netmask request queries.
– Fragment scans.
Ping Scan vs Firewall
Firewall Ruleset
– pass from any to 10.17.0.31 port 53
– pass from any to 10.17.0.35 port 25
– drop all
> nmap -sP 10.17.0.0/24
Starting nmap 3.50 at 2004-04-05 13:57
Nmap run completed -- 256 IP addresses (0 hosts up) scanned in 72.430 seconds
The default -sP probes (an ICMP echo request and a TCP ACK to port 80) match only the drop rule, so every host looks down even though the hosts found on the previous slide are still up; the long run time is the scanner waiting for replies that never come.
Ping Scan vs Firewall
Firewall Ruleset
– pass from any to 10.17.0.31 port 25 keep state
– pass from any port 53 to any keep state
– drop all
> nmap -sP -PS25 10.17.0.0/24
– sends a TCP SYN to port 25 instead of the default probes; it passes the first rule, so the host allowed to receive port 25 traffic (10.17.0.31) is found.
> nmap -sP -g 53 10.17.0.0/24
– sets the source port of every probe to 53; the packets look like DNS responses and the second rule passes anything from source port 53, so every live host is found.
– A rule that admits all traffic from source port 53 is a common mistake: state should be created by the outbound DNS query, not granted to any inbound packet that claims to be a reply.
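The two slides above can be checked with a small first-match packet-filter model. The following is an added example, not from the slides or any firewall product: it parses the rulesets in a constructed pf/ipf-like syntax, replays the probes behind each nmap command line against every host in 10.17.0.0/24, and reports which hosts the sweep would show as up. The scanner address 203.0.113.9, and the assumption that the nine hosts from the unfiltered sweep are up and answer whatever reaches them, are constructed. The keep state keyword is accepted and ignored: every scan probe is the first packet of a flow, for which a stateful rule decides exactly as a stateless one would.

```python
# Added example (not from the slides): a toy first-match packet filter that
# replays the "Ping Scan vs Firewall" rulesets against nmap's probes.
# Rule syntax is a constructed subset: "pass|drop from <host|any> [port N]
# to <host|any> [port N] [keep state]" and "drop all".
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp" or "tcp"; ICMP carries no ports, modelled as 0
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


Rule = Dict[str, Optional[object]]


def _endpoint(tokens: List[str], i: int):
    """Parse '<host|any> [port N]' at tokens[i]; return (host, port or None, next index)."""
    host, i = tokens[i], i + 1
    port = None
    if i < len(tokens) and tokens[i] == "port":
        port, i = int(tokens[i + 1]), i + 2
    return host, port, i


def parse_rule(text: str) -> Rule:
    tokens = [t for t in text.split() if t not in ("keep", "state")]   # stateless model, see lead-in
    action = tokens[0]
    if tokens[1:] == ["all"]:
        return {"action": action, "src": "any", "sport": None, "dst": "any", "dport": None}
    if tokens[1] != "from":
        raise ValueError(f"unsupported rule: {text!r}")
    src, sport, i = _endpoint(tokens, 2)
    if tokens[i] != "to":
        raise ValueError(f"unsupported rule: {text!r}")
    dst, dport, _ = _endpoint(tokens, i + 1)
    return {"action": action, "src": src, "sport": sport, "dst": dst, "dport": dport}


def _host_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: Optional[int], port: int) -> bool:
    return spec is None or spec == port   # an ICMP packet (port 0) never matches a port-qualified rule


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means drop."""
    for r in rules:
        if (_host_ok(r["src"], pkt.src) and _port_ok(r["sport"], pkt.sport)
                and _host_ok(r["dst"], pkt.dst) and _port_ok(r["dport"], pkt.dport)):
            return r["action"]
    return "drop"


# Hosts reported up by the unfiltered sweep on the earlier slide (assumed still up).
LIVE_HOSTS = ("10.17.0.1", "10.17.0.31", "10.17.0.35", "10.17.0.55", "10.17.0.64",
              "10.17.0.66", "10.17.0.80", "10.17.0.241", "10.17.0.247")
SCANNER = "203.0.113.9"   # constructed scanner address

# Probe templates behind the nmap command lines; dst is filled in per host.
ICMP_ECHO = Packet("icmp", SCANNER, "0.0.0.0")                          # default -sP probe
ACK_TO_80 = Packet("tcp", SCANNER, "0.0.0.0", sport=40000, dport=80)    # default -sP probe
SYN_TO_25 = Packet("tcp", SCANNER, "0.0.0.0", sport=40000, dport=25)    # -PS25
ACK_FROM_53 = Packet("tcp", SCANNER, "0.0.0.0", sport=53, dport=80)     # -sP -g 53


def ping_sweep(rules: List[Rule], network: str, probes: List[Packet]) -> List[str]:
    """Hosts the sweep reports up: live, and at least one probe passes the filter."""
    found = []
    for host in ipaddress.ip_network(network).hosts():
        addr = str(host)
        if addr not in LIVE_HOSTS:
            continue
        if any(decide(rules, Packet(p.proto, p.src, addr, p.sport, p.dport)) == "pass" for p in probes):
            found.append(addr)
    return found


RULESET_A = [parse_rule(r) for r in (
    "pass from any to 10.17.0.31 port 53",
    "pass from any to 10.17.0.35 port 25",
    "drop all")]
RULESET_B = [parse_rule(r) for r in (
    "pass from any to 10.17.0.31 port 25 keep state",
    "pass from any port 53 to any keep state",
    "drop all")]

if __name__ == "__main__":
    print("A, nmap -sP       :", ping_sweep(RULESET_A, "10.17.0.0/24", [ICMP_ECHO, ACK_TO_80]))
    print("B, nmap -sP -PS25 :", ping_sweep(RULESET_B, "10.17.0.0/24", [ICMP_ECHO, SYN_TO_25]))
    print("B, nmap -sP -g 53 :", ping_sweep(RULESET_B, "10.17.0.0/24", [ICMP_ECHO, ACK_FROM_53]))
```

The model also shows that the source-port-53 rule admits more than scan probes: a SYN from port 53 to port 22 on any host passes too, which is the reason to tie inbound DNS replies to the state of an outbound query rather than to the source port.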
Key Points
1. Reconnaissance
– Don’t forget about low tech means.
– Organizations give away info on web sites.
2. Registration
– whois
– ARIN
3. DNS
– Recursive DNS query process.
– Types of DNS records.
– Zone transfers.