03-Footprinting - Rose

Footprinting
- Definition: the gathering of information about a potential target system or network
  - Often loosely called fingerprinting, although fingerprinting more precisely means identifying a specific OS or service version from its responses, which is one step within footprinting
- Attacker's point of view
  - Identify potential target systems
  - Identify which types of attacks may be useful on the target systems
- Defender's point of view
  - Know the available tools
  - May be able to tell if a system is being footprinted, and be more prepared for a possible attack
  - Vulnerability analysis: know what information you're giving away, and what weaknesses you have
Information to Gather
- System (local or remote)
  - IP address, name and domain
  - Operating system
    - Type (Windows, Linux, Solaris)
    - Version (98/NT/2000/2003/XP, Red Hat, Fedora, SuSE, Ubuntu)
  - Usernames
  - File structure
  - Open ports (what services/programs are running on the system)
  - Physical proximity/location
Information to Gather (2)
- Networks / enterprises
  - System information for all hosts
  - Network topology
    - Gateways
    - Firewalls
    - Overall topology
  - Network traffic information
  - Specialized servers
    - Web, database, FTP, email, etc.
Defender Perspective
- Identify information you're giving away
- Identify weaknesses in systems/network
- Know when systems/network are being probed
- Identify the source of a probe
- Develop awareness of the threat
- Construct an audit trail of activity
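The three defender points "know when you are being probed", "identify the source" and "construct an audit trail" can be turned into a small piece of detection logic. The following is an added example, not code from the original lecture: it reads firewall log lines, flags any source that touches many distinct destination ports within a short window (the signature of a port scan, the kind of probe nmap produces), and pulls out that source's lines as an audit trail. The log lines are constructed in the format of the Linux iptables LOG target, and the 60-second window and 5-port threshold are assumptions a site would tune.

```python
"""Spot a probe in firewall logs and pull the audit trail for its source.

Added example for the defender-side points above; it is not code from the
original lecture.  The log lines are constructed in the format of the Linux
iptables LOG target; the window and threshold defaults are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)

# Constructed sample: one host walks seven ports in four seconds, a second
# host opens two ordinary connections five minutes apart, a third just pings.
SAMPLE_LOG = """\
Feb  5 15:40:01 data kernel: IN=eth0 OUT= SRC=137.28.253.254 DST=137.28.109.33 PROTO=TCP SPT=40123 DPT=21 SYN
Feb  5 15:40:01 data kernel: IN=eth0 OUT= SRC=137.28.253.254 DST=137.28.109.33 PROTO=TCP SPT=40124 DPT=22 SYN
Feb  5 15:40:02 data kernel: IN=eth0 OUT= SRC=137.28.253.254 DST=137.28.109.33 PROTO=TCP SPT=40125 DPT=23 SYN
Feb  5 15:40:02 data kernel: IN=eth0 OUT= SRC=137.28.253.254 DST=137.28.109.33 PROTO=TCP SPT=40126 DPT=25 SYN
Feb  5 15:40:03 data kernel: IN=eth0 OUT= SRC=137.28.253.254 DST=137.28.109.33 PROTO=TCP SPT=40127 DPT=79 SYN
Feb  5 15:40:03 data kernel: IN=eth0 OUT= SRC=137.28.253.254 DST=137.28.109.33 PROTO=TCP SPT=40128 DPT=80 SYN
Feb  5 15:40:04 data kernel: IN=eth0 OUT= SRC=137.28.253.254 DST=137.28.109.33 PROTO=TCP SPT=40129 DPT=443 SYN
Feb  5 15:40:05 data kernel: IN=eth0 OUT= SRC=137.28.191.74 DST=137.28.109.33 PROTO=TCP SPT=51000 DPT=22 SYN
Feb  5 15:40:06 data kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=137.28.109.33 PROTO=ICMP TYPE=8 CODE=0
Feb  5 15:45:09 data kernel: IN=eth0 OUT= SRC=137.28.191.74 DST=137.28.109.33 PROTO=TCP SPT=51001 DPT=80 SYN
"""


def parse_events(log_text):
    """Yield (timestamp, src, dst, proto, dport-or-None) for each parsable line."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        dpt = int(m.group("dpt")) if m.group("dpt") else None
        yield ts, m.group("src"), m.group("dst"), m.group("proto"), dpt


def find_probes(log_text, window_seconds=60, min_ports=5):
    """Return {src: sorted distinct ports} for every source that hit at least
    min_ports distinct destination ports within some window_seconds span."""
    hits = defaultdict(list)
    for ts, src, _dst, _proto, dpt in parse_events(log_text):
        if dpt is not None:            # ICMP carries no port; not counted here
            hits[src].append((ts, dpt))
    probes = {}
    for src, events in hits.items():
        events.sort()
        in_window = Counter()          # distinct ports seen inside the sliding window
        lo = 0
        for ts, port in events:
            in_window[port] += 1
            while (ts - events[lo][0]).total_seconds() > window_seconds:
                old = events[lo][1]    # slide the window forward, dropping old hits
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_ports:
                probes[src] = sorted({p for _, p in events})
                break
    return probes


def audit_trail(log_text, src):
    """All raw log lines attributable to one source, in order."""
    return [line for line in log_text.splitlines() if f"SRC={src} " in line]


if __name__ == "__main__":
    for src, ports in find_probes(SAMPLE_LOG).items():
        print(f"probe from {src}: ports {ports}")
        print("\n".join(audit_trail(SAMPLE_LOG, src)))
```

The legitimate user at 137.28.191.74 touches only two ports five minutes apart and is not flagged at the defaults; loosening the window to ten minutes and the threshold to two ports would flag it, which is why the thresholds have to be tuned against normal traffic for the site.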
Tools – Linux (use "man" for help)
- Linux tools: lower-level utilities
  - Local system
    - hostname
    - ifconfig
    - who, last
  - Remote systems
    - ping
    - traceroute (tracert is the Windows equivalent)
    - finger (also local system)
    - nslookup, dig
    - whois
    - arp, netstat (also local system)
  - Other tools
    - lsof
Tools – Linux (2)
- Other utilities
  - ethereal/wireshark (packet sniffing)
  - nmap (port scanning): more later
Tools - Windows
- Windows
  - Sam Spade (collection of tools)
    - Whois, Ping, IPBlock, Dig, Traceroute, Finger, Browse Web, and Parse email headers …
  - ethereal (packet sniffer)
  - Command line tools
    - ipconfig
    - Many others…
hostname
- Determine the name of the current system
- Usage: hostname
- E.g. hostname
  localhost.localdomain        // default
- E.g. hostname
  clics.cs.uwec.edu
ifconfig
- Configure a network interface
- Run alone, it also reports the current IP addresses of the host system
- Usage: ifconfig
- E.g. ifconfig                // command alone: display status
  eth0      Link encap:Ethernet  HWaddr 00:0C:29:CD:F6:D3
            inet addr:192.168.172.128 . . .
  lo        Link encap:Local Loopback
            inet addr:127.0.0.1
            ...
- Note the hardware address: its first three bytes (the OUI) identify the NIC vendor, and 00:0C:29 is registered to VMware, so this output already tells an attacker the host is a VMware virtual machine
- On current Linux systems ifconfig (net-tools) is often absent; "ip addr" gives the same information
who
- Basic tool to show the users on the current system
- Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts)
- Usage: who
- E.g. who
  root     tty1     Jan 9 12:46
  paul     tty2     Jan 9 12:52
last
- Show the most recent logins on the system (read from the login record file, /var/log/wtmp on Linux)
- Default: everything since the file was last rotated
- -N: only the last N lines
- Useful for identifying unusual activity in the recent past
- Usage: last [-N]
- e.g. last -3
  wagnerpj  pts/1  137.28.253.254    Sat Feb 5 15:40   still logged in
  flinstf   pts/0  137.28.191.74     Sat Feb 5 15:38   still logged in
  rubbleb   pts/0  c48.193.173.92.e  Sat Feb 5 14:38 - 15:25 (00:46)
ping
- Potential uses
  - Is the system online?
    - Through the response
  - Gather name information
    - Through DNS (ping resolves the name and prints the address it reached)
  - Estimate relative physical location
    - Based on RTT (round trip time) given in the summary statistics; a rough estimate only, since routing and congestion also add delay
  - Identify the operating system
    - Based on the TTL (packet time to live) shown on each reply line
    - TTL = number of hops a packet is allowed to traverse; each router decrements it by one
    - The TTL you see is the remote host's initial TTL minus the number of hops back to you: 64 is the Linux default, 128 is the Windows default (but can be changed!)
- Notes
  - Uses ICMP echo request / echo reply packets
  - Often blocked on many hosts
  - Usage: ping system
    - E.g. ping ftp.redhat.com
    - E.g. ping localhost
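The TTL reasoning above can be automated: round the observed TTL up to the nearest common initial value, and the difference is the hop count. The following is an added example, not code from the original lecture; the two ping transcripts are constructed (one in Linux ping's format, one in Windows ping's format, against placeholder addresses from the documentation ranges), and the OS-to-TTL table holds only the common defaults, which any host can change.

```python
"""Infer a remote host's initial TTL, and so a likely OS, from ping output.

Added example, not from the original lecture.  Sample transcripts are
constructed; the table lists common defaults only.
"""
import re

# Common initial TTLs.  Defaults only: any host can change its TTL.
INITIAL_TTLS = {
    64: "Linux/Unix (default 64)",
    128: "Windows (default 128)",
    255: "Solaris/network device (default 255)",
}
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)   # "ttl=53" or "TTL=116"


def guess_initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value and
    derive the hop count.  Assumes the path is shorter than 64 hops, so an
    observed 53 is read as 64 - 11 rather than 128 - 75.  Returns
    (None, None) for values above 255."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed
    return None, None


def analyse_ping(output):
    """Parse every reply line of a ping transcript; report the most common
    reply TTL, the guessed initial TTL, hop count and OS.  None if no replies."""
    ttls = [int(m.group(1)) for m in TTL_RE.finditer(output)]
    if not ttls:
        return None
    observed = max(set(ttls), key=ttls.count)   # ignore an odd reply or two
    initial, hops = guess_initial_ttl(observed)
    return {
        "observed_ttl": observed,
        "initial_ttl": initial,
        "hops": hops,
        "os_guess": INITIAL_TTLS.get(initial, "unknown"),
    }


# Constructed sample: Linux ping output, target 11 hops away, initial TTL 64
SAMPLE_LINUX = """\
PING example.test (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=53 time=17.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=53 time=16.9 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=53 time=17.5 ms
"""
# Constructed sample: Windows ping output, target 12 hops away, initial TTL 128
SAMPLE_WINDOWS = """\
Reply from 198.51.100.7: bytes=32 time=18ms TTL=116
Reply from 198.51.100.7: bytes=32 time=19ms TTL=116
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LINUX, SAMPLE_WINDOWS):
        print(analyse_ping(sample))
```

The rounding-up rule is the weak point: an observed TTL of 60 is "Linux, 4 hops" under this heuristic, but would equally be a Windows host 68 hops away, and an administrator who sets a non-default TTL defeats it entirely. Treat the result as a hint to confirm with other evidence (banners, nmap's OS detection), not as an answer.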
traceroute
- Potential uses
  - Estimate the physical location of a machine (router names along the path often encode a city; a large jump in RTT between hops marks a long-haul link)
  - Gather network information (gateway, other internal systems)
  - Find the system that's dropping your packets: evidence of a firewall
- Notes
  - Linux traceroute sends UDP probes by default (-I switches to ICMP echo); Windows tracert uses ICMP echo
  - Results often limited by firewalls: a hop that drops the probes, or the ICMP time-exceeded replies, shows up as * * *
  - Several GUI-based traceroute utilities available
  - Usage: traceroute system
    - E.g. traceroute cs.umn.edu
traceroute example
[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
<ctrl-c>
[wagnerpj@data ~]$
- Hop 1 is the local gateway; from hop 4 on nothing answers (probes or the time-exceeded replies are being dropped), so the trace was aborted with ctrl-c
traceroute example - success
H:\>tracert www.google.com

Tracing route to www.google.akadns.net [64.233.167.99]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
 10    16 ms    16 ms    18 ms  216.239.46.10
 11    21 ms    19 ms    17 ms  64.233.175.30
 12    18 ms    16 ms    16 ms  64.233.167.99

Trace complete.
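The two traces above are read by eye: hop 1 is the gateway, the RTT jump between the campus hops and the chi-edge router is the long link, and a run of * * * is where a firewall starts dropping probes. The following is an added example, not code from the original lecture, that does the same reading over Linux traceroute output: it parses each hop, lists the RFC 1918 (internal) addresses, the silent hops, whether the target was reached, and the largest RTT jump between consecutive answering hops. The trace it parses is constructed, with placeholder names and addresses from the documentation ranges.

```python
"""Parse Linux traceroute output and summarize what it reveals.

Added example, not from the original lecture.  The sample trace below is
constructed; names and addresses are placeholders.
"""
import re
from ipaddress import ip_address, ip_network

HOP_RE = re.compile(r"^\s*(?P<n>\d+)\s+(?P<body>.*)$")          # " 3  host (ip) ..."
HOST_RE = re.compile(r"^(?P<name>\S+) \((?P<ip>\d+\.\d+\.\d+\.\d+)\)")
RTT_RE = re.compile(r"([\d.]+) ms")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: two internal hops, an ISP edge, two filtered hops, target
SAMPLE = """\
traceroute to target.example (203.0.113.9), 30 hops max, 60 byte packets
 1  gw.lab.example (192.168.1.1)  0.412 ms  0.380 ms  0.371 ms
 2  10.10.0.1 (10.10.0.1)  1.201 ms  1.150 ms  1.133 ms
 3  edge.isp.example (198.51.100.1)  8.512 ms  8.490 ms  8.470 ms
 4  * * *
 5  * * *
 6  fw.target.example (203.0.113.1)  21.004 ms  20.880 ms  20.910 ms
 7  target.example (203.0.113.9)  21.900 ms  21.850 ms  21.870 ms
"""


def parse_traceroute(text):
    """Return one dict per hop: n, name, ip (None if silent), rtts in ms."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                       # header line, prompt, etc.
        body = m.group("body").strip()
        hop = {"n": int(m.group("n")), "name": None, "ip": None, "rtts": []}
        h = HOST_RE.match(body)
        if h:                              # a silent "* * *" hop has no host part
            hop["name"], hop["ip"] = h.group("name"), h.group("ip")
            hop["rtts"] = [float(x) for x in RTT_RE.findall(body)]
        hops.append(hop)
    return hops


def summarize(hops):
    """Gateway, internal addresses, silent hops, reachability, largest RTT jump."""
    silent = [h["n"] for h in hops if h["ip"] is None]
    internal = [h["ip"] for h in hops
                if h["ip"] and any(ip_address(h["ip"]) in net for net in RFC1918)]
    answered = [h for h in hops if h["rtts"]]
    # Jump in best-case RTT between consecutive answering hops (ms).
    jumps = [(a["n"], b["n"], round(min(b["rtts"]) - min(a["rtts"]), 3))
             for a, b in zip(answered, answered[1:])]
    return {
        "gateway": hops[0]["ip"] if hops else None,
        "internal": internal,
        "silent": silent,
        "reached": bool(hops) and hops[-1]["ip"] is not None,
        "largest_rtt_jump": max(jumps, key=lambda j: j[2]) if jumps else None,
    }


if __name__ == "__main__":
    print(summarize(parse_traceroute(SAMPLE)))
```

Silent hops 4 and 5 followed by an answering hop named fw.target.example are the firewall evidence the slide describes: the devices in between drop the probes but still forward them, so the trace resumes on the far side. A trace that ends in silence instead, as in the cs.umn.edu example, is either a firewall in front of the target or a target that does not answer at all, and traceroute alone cannot tell which.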
finger
- Potential uses
  - Collect usernames
  - Determine if a user is currently logged in
- Notes
  - Often blocked; the finger daemon (TCP port 79) is disabled on most modern systems, so any response at all is worth noting
  - Usage: finger localuser, or finger @system, or finger remoteuser@system
    - E.g. finger chidanan (user on local system)
    - E.g. finger @csse.rose-hulman.edu (all users logged in on remote system)
    - E.g. finger chidanan@csse.rose-hulman.edu (user on remote system)
whois
- Potential uses
  - Queries nicname/whois servers for Internet registration information
  - Can gather contacts, names, geographic information, name servers, …: useful for social engineering attacks
- Notes
  - Usage: whois domain
    - e.g. whois netcom.com
  - Registrars increasingly redact contact details behind privacy services, so current output is often sparser than the example below
whois example - basic
Domain Name: UWEC.EDU

Registrant:
  University of Wisconsin - Eau Claire
  105 Garfield Avenue
  Eau Claire, WI 54702-4004
  UNITED STATES

Contacts:
  Administrative Contact:
    Computing and Networking Services
    105 Garfield Ave
    Eau Claire, WI 54701
    UNITED STATES
    (715) 836-5711
    networking@uwec.edu

Name Servers:
  TOMATO.UWEC.EDU    137.28.1.17
  LETTUCE.UWEC.EDU   137.28.1.18
  BACON.UWEC.EDU     137.28.5.194
whois example - wildcards
- whois uw%.edu
Your search has matched multiple domains.
Below are the domains you matched (up to 100). For specific
information on one of these domains, please search on that
domain.
UW.EDU
UWA.EDU
UWB.EDU
UWC.EDU
UWEC.EDU
UWEST.EDU
UWEX.EDU
….
- Wildcard matching (% here) is a feature of the particular registry's server, not of the whois command; most registries do not allow it
nslookup
- Potential uses
  - Query Internet name servers
  - Find the name for an IP address, and vice versa
- Notes
  - Once marked deprecated in BIND; dig is generally preferred on Unix, but nslookup is still shipped and is the standard tool on Windows
  - Sometimes useful when dig fails
  - Usage
    - nslookup xxxxxxx        // name or IP address (an IP address triggers a reverse lookup)
    - E.g. nslookup data.cs.uwec.edu
    - E.g. dig data.cs.uwec.edu
dig
- Potential uses
  - Domain Name Service (DNS) lookup utility
  - Associate a name with an IP address and vice versa
- Notes
  - Many command options (a record type as argument, e.g. dig uwec.edu MX; @server to ask a specific name server)
  - General usage: dig <somehost>
    - E.g. dig data.cs.uwec.edu
    - E.g. dig -x 137.28.109.33        // reverse lookup; a plain "dig 137.28.109.33" would query the address as if it were a name and return nothing useful
arp
- Displays the system's ARP cache: the IP-to-MAC address mappings of hosts on the local segment that this system has recently exchanged traffic with
- Possible uses
  - Find adjacent systems (and, from each MAC's vendor prefix, what hardware or VM platform they run on)
- Notes
  - arp            // display names (resolves addresses through DNS)
  - arp -n         // display numeric addresses
netstat
- Shows connections, routing information, statistics
- Possible uses
  - Find adjacent machines, ports in use
- Notes
  - Many flags
  - netstat        // open sockets, etc.
  - netstat -s     // summary statistics
  - netstat -r     // routing tables
  - netstat -p     // program owning each socket (root needed to see other users' processes)
  - netstat -l     // listening sockets
  - Flags combine: netstat -tulpn lists listening TCP and UDP sockets with owning programs and numeric addresses
lsof
- Lists open files on your system (on Unix, sockets are files too)
- Useful to see which processes are working with which files, and possibly to identify tampering
- Usage: lsof
  - lsof -i        // network sockets only, i.e. which process holds each open port
Windows Tools
- Sam Spade
  - "Swiss army knife" of footprinting
  - Has most of the Linux tools
  - Plus other functionality
- Usage
  - Start the application
  - Fill in a name or IP address
  - Choose the option desired in the menus
Packet Sniffers
- Definition: hardware or software that can display network traffic packet information
- Usage
  - Network traffic analysis
- Example packet sniffers
  - tcpdump (command line, Linux)
  - ethereal (Linux, Windows; open source)
  - others…
Limitations – Packet Sniffing
- Packet sniffers only catch what they can see
  - Users attached to a hub: can see everything on the segment
  - Users attached to a switch: can see only their own traffic (plus broadcasts), because the switch forwards each frame only to the port of its destination MAC
  - Wireless: the radio medium is shared like a hub, but capturing other stations' frames needs the card in monitor mode, and WPA-encrypted frames stay unreadable without the key
- Need to be able to put the NIC in "promiscuous" mode to process all traffic, not just traffic to/from itself
  - NIC and driver must support it
  - Need privilege (e.g. root in Linux)
OSI Network Protocol
- Layer 7 – Application (incl. application content)
- Layer 6 – Presentation
- Layer 5 – Session
- Layer 4 – Transport (incl. protocol, port)
- Layer 3 – Network (incl. source, destination address)
- Layer 2 – Data Link
- Layer 1 – Physical
ethereal / wireshark
- Created in 1997 as a tool to examine network problems
- Various contributors added packet dissectors, fixes, upgrades; first released 1998
- Renamed Wireshark in 2006; the Ethereal name is no longer maintained
- Reads capture files written by other tools (e.g. tcpdump's libpcap format)
- Information
  - http://www.wireshark.org
  - http://www.ethereal.com
- Demonstration
Using ethereal
- Prompt>> ethereal &        (in Linux; wireshark & on current systems)
- Capture/Start/OK
- Capture window shows accumulated totals for different types of packets
- Stop: packets now displayed
- Top window: packet summary
  - Can sort by column; source, destination, protocol are useful
- Middle window: packet breakdown
  - Click on + icons for detail at each packet level (frame, Ethernet, IP, TCP/UDP, application)
- Bottom window: packet content (raw bytes in hex and ASCII)
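The middle window's layer-by-layer breakdown is exactly what the OSI slide lists: MAC addresses at layer 2, source and destination IP at layer 3, protocol and ports at layer 4. The following is an added example, not code from the original lecture and not Wireshark's own dissector code, that performs that dissection on a raw Ethernet frame with nothing but the standard library. The frame it parses is constructed in the code (a TCP SYN to port 80, with the checksum fields left at zero), reusing the host MAC and IP from the ifconfig slide and a placeholder destination.

```python
"""Dissect a raw Ethernet frame into the layer 2/3/4 fields a sniffer shows.

Added example, not from the original lecture and not Wireshark code.  The
sample frame is constructed below; checksum fields are left zero.
"""
import struct

ETHERTYPE_IPV4 = 0x0800


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip4(b):
    return ".".join(str(x) for x in b)


def dissect(frame):
    """Return {"L2": ..., "L3": ..., "L4": ...}; layers stop where parsing
    cannot continue (non-IPv4 ethertype, unknown transport).  Raises
    ValueError on a truncated header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"L2": {"dst_mac": _mac(dst), "src_mac": _mac(src),
                     "ethertype": f"0x{ethertype:04x}"}}
    if ethertype != ETHERTYPE_IPV4:
        return layers                       # ARP, IPv6, ...: stop at layer 2
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total, _ident, _frag, ttl, proto,
     _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (options possible)
    layers["L3"] = {"src_ip": _ip4(s), "dst_ip": _ip4(d), "ttl": ttl, "proto": proto}
    payload = ip[ihl:]
    if proto == 6 and len(payload) >= 20:   # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        layers["L4"] = {"proto": "TCP", "src_port": sport, "dst_port": dport,
                        "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10)}
    elif proto == 17 and len(payload) >= 8: # UDP
        sport, dport, _length, _csum = struct.unpack("!HHHH", payload[:8])
        layers["L4"] = {"proto": "UDP", "src_port": sport, "dst_port": dport}
    elif proto == 1 and len(payload) >= 4:  # ICMP (what ping and tracert send)
        layers["L4"] = {"proto": "ICMP", "type": payload[0], "code": payload[1]}
    return layers


# Constructed sample frame: 192.168.172.128 -> 192.0.2.10, TCP SYN to port 80.
# Source MAC/IP are the ones shown on the ifconfig slide; destination is a
# placeholder.  IP and TCP checksums are left as 0 (not computed here).
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")          # destination MAC (placeholder)
    + bytes.fromhex("000c29cdf6d3")        # source MAC (VMware OUI 00:0c:29)
    + struct.pack("!H", ETHERTYPE_IPV4)
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                  bytes([192, 168, 172, 128]), bytes([192, 0, 2, 10]))
    + struct.pack("!HHIIHHHH", 40123, 80, 1, 0, 0x5002, 65535, 0, 0)
)

if __name__ == "__main__":
    for layer, fields in dissect(SAMPLE_FRAME).items():
        print(layer, fields)
```

Reading the TTL at layer 3 here (64) is the same field ping's output reports, and the source MAC's OUI is the same vendor clue as on the ifconfig slide; a sniffer simply shows both for every frame on the wire rather than for the hosts you chose to probe.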
Ethereal capture analysis
- Can save a session to a capture file
- Can reopen the file later for further analysis
- Open capture file
- Identify and follow different TCP streams
  - Select a TCP packet, then Tools/Follow TCP Stream (Analyze/Follow/TCP Stream in current Wireshark)
- CLICScapture.cap has http, https, ftp, ssh
- Any interesting information out there? (FTP and HTTP logins cross the wire in cleartext; SSH and HTTPS payloads do not)
Related Tools
- Hunt
  - TCP sniffer
  - Watch and reset connections
  - Hijack sessions
  - Spoof MAC
  - Spoof DNS
Related Tool
- EtherPEG: image capture on the network
  - http://www.etherpeg.com
- Demonstration
  - See http://www.menshevik.com/showme on Windows
Summary
- Basic tools can generate much information
- Remember the principle of accumulating information
  - An attacker will build on smaller pieces to get bigger pieces
- Moral: don't give away information if you can avoid it