Internet Security: Footprinting

Internet Security
Footprinting
Defiana Arnaldy, M.Si
0818 0296 4763
deff_arnaldy@yahoo.com
Overview
 Definition of footprinting
 Internet footprinting
 Sun Tzu, The Art of War:
 "If you know the enemy and know yourself, you need not
fear the result of a hundred battles.
 If you know yourself but not the enemy, for every victory
gained you will also suffer a defeat.
 If you know neither the enemy nor yourself, you will
succumb in every battle."
WHAT IS FOOTPRINTING?
 Definition: the gathering of information about a potential target system or network (the fine art of gathering target information)
 Related term: fingerprinting, which usually means the narrower step of identifying a host's operating system or service versions from how it responds; footprinting is the whole reconnaissance phase that precedes it
 Attacker’s point of view
 Identify potential target systems
 Identify which types of attacks may be useful on
target systems
 Defender’s point of view
 Know available tools
 May be able to tell if system is being footprinted,
be more prepared for possible attack
 Vulnerability analysis: know what information
you’re giving away, what weaknesses you have
Information to Gather
 System (Local or Remote)
 IP Address, Name and Domain
 Operating System
Type (Windows, Linux, Solaris, Mac)
Version (98/NT/2000/2003/XP/Vista/7,
Redhat, Fedora, SuSe, Ubuntu, OS X)
 Usernames (and their passwords)
 File structure
 Open Ports (what services/programs are
running on the system)
Information to Gather (2)
 Networks / Enterprises
   System information for all hosts
   Network topology: gateways, firewalls, overall layout
   Network traffic information
   Specialized servers: web, database, FTP, e-mail, etc.
Defender Perspective
 Identify information you’re giving away
 Identify weaknesses in systems/network
 Know when systems/network is being probed
 Identify source of probe
 Develop awareness of threat
 Construct audit trail of activity
Why Is Footprinting Necessary?
 Footprinting is necessary to systematically and
methodically ensure that all pieces of information related
to the aforementioned technologies are identified
 Footprinting is often the most arduous task of trying to
determine the security posture of an entity; however, it
is one of the most important.
 Footprinting must be performed accurately and in a
controlled fashion
 Without a sound methodology for performing this type of
reconnaissance, you are likely to miss key pieces of
information related to a specific technology or
organization
Internet Footprinting
 Step 1: Determine the Scope of Your Activities
 determine the scope of your footprinting activities
 Are you going to footprint the entire organization, or limit your activities to certain subsidiaries or locations?
 What about business partner connections (extranets) or disaster-recovery sites?
 Are there other relationships or considerations?
 Unfortunately, hackers have no sympathy for our struggles.
They exploit our weaknesses in whatever forms they
manifest themselves. You do not want hackers to know
more about your security posture than you do!
 Step 2: Get Proper Authorization
 One thing hackers can usually disregard that you must pay
particular attention to is what we techies affectionately refer
to as layers eight and nine of the seven-layer OSI Model—
Politics and Funding
 Do you have authorization to proceed with your activities?
 what exactly are your activities?
 Is the authorization from the right person(s)?
 Is it in writing?
 Are the target IP addresses the right ones?
 Step 3: Publicly Available Information
 Company web pages
 Related organizations
 Location details
 Phone numbers, contact names, e-mail addresses, and personal
details
 Current events (mergers, acquisitions, layoffs, rapid growth,
etc.)
 Privacy or security policies, and technical details indicating the
types of security mechanisms in place
 Archived information
 Disgruntled employees
 Search engines, Usenet, and resumes
 Other information of interest
 Step 4: WHOIS & DNS Enumeration
 So who is "managing" the Internet today, you ask? These
core functions of the Internet are "managed" by a nonprofit
organization named the Internet Corporation for Assigned
Names and Numbers (ICANN; http://www.icann.org).
 ICANN is a technical coordination body for the Internet.
Created in October 1998 by a broad coalition of the
Internet's business, technical, academic, and user
communities, ICANN is assuming responsibility for a set of
technical functions previously performed under U.S.
government contract by the Internet Assigned Numbers
Authority (IANA; http://www.iana.org) and other groups.
(When this was written, IANA still handled much of the day-to-day work; since the 2016 stewardship transition the IANA functions have been performed by Public Technical Identifiers (PTI), an ICANN affiliate.)
 Specifically, ICANN coordinates the assignment of the
following identifiers that must be globally unique for the
Internet to function:
 Internet domain names
 IP address numbers
 Protocol parameters and port numbers
 In addition, ICANN coordinates the stable operation of
the Internet's root DNS server system.
 To be thorough, we could have done the same searches via the command-line WHOIS client with the following three commands (IANA for the top-level domain, the .com registry for the domain, then the sponsoring registrar for the contact details):
[bash]$ whois com -h whois.iana.org
[bash]$ whois keyhole.com -h whois.verisign-grs.com
[bash]$ whois keyhole.com -h whois.omnis.com
 Caveat: since 2018 most gTLD registrars redact registrant contact data in WHOIS output (you will see fields such as "REDACTED FOR PRIVACY"), and registries are moving from the WHOIS protocol to RDAP (bootstrap list published by IANA). Expect far fewer names, phone numbers and e-mail addresses than this text implies; name servers, registrar and dates are still returned.
 There are also several websites that attempt to automate this
process with varying degrees of success:
 http://www.allwhois.com
 http://www.uwhois.com
 http://www.internic.net/whois.html
 Last but not least, there are several GUIs available that will assist
you in your searches too:
 SamSpade http://www.samspade.org
 SuperScan http://www.foundstone.com
 NetScan Tools Pro http://www.nwpsw.com
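The three whois -h commands above are one instance of a general pattern: ask IANA which server is authoritative for the TLD, ask that registry for the domain, and follow the "Registrar WHOIS Server" referral it returns. The script below automates that walk. It is an added example for this page, not code from the slides or from Hacking Exposed; whois.iana.org is the only real server it assumes, the sample WHOIS records quoted in its comments are constructed, and it needs the whois command and network access to do live lookups.

```shell
#!/bin/sh
# Added example: follow the WHOIS referral chain (IANA -> TLD registry ->
# sponsoring registrar) instead of typing the three whois -h commands by hand.

# whois_referral: read a WHOIS record on stdin and print the next server it
# refers to, or nothing if it contains no referral. Formats handled:
#   IANA TLD records:      "whois:        whois.verisign-grs.com"
#   gTLD registry records: "   Registrar WHOIS Server: whois.omnis.com"
#   RIR IP-address records: "ReferralServer:  whois://whois.ripe.net"
whois_referral() {
    tr -d '\r' | awk '
        tolower($1) == "whois:" && NF >= 2                       { print $2; exit }
        /^[ \t]*Registrar WHOIS Server:[ \t]*[^ \t]/              { print $NF; exit }
        /^[ \t]*ReferralServer:/ {
            s = $2
            sub(/^whois:\/\//, "", s); sub(/\/.*$/, "", s); sub(/:[0-9]+$/, "", s)
            print s; exit
        }'
}

# whois_redacted: succeed (exit 0) when the record hides registrant contacts,
# the normal case for gTLD domains since GDPR took effect in 2018.
whois_redacted() {
    grep -qi -e 'REDACTED FOR PRIVACY' -e 'Data Protected' -e 'Registration Private'
}

# follow_whois DOMAIN: start at IANA with the TLD, then re-query the full domain
# at every referred server. Hops go to stderr, the final record to stdout.
follow_whois() {
    domain=$1
    tld=${domain##*.}
    server=whois.iana.org
    query=$tld
    hops=0
    while [ "$hops" -lt 5 ]; do
        echo "# whois -h $server $query" >&2
        record=$(whois -h "$server" "$query" 2>/dev/null)
        if [ -z "$record" ]; then
            echo "# no answer from $server" >&2
            return 1
        fi
        next=$(printf '%s\n' "$record" | whois_referral)
        if [ -z "$next" ] || [ "$next" = "$server" ]; then
            printf '%s\n' "$record"
            if printf '%s\n' "$record" | whois_redacted; then
                echo "# registrant contact data is redacted; expect little from this record" >&2
            fi
            return 0
        fi
        server=$next
        query=$domain
        hops=$((hops + 1))
    done
    echo "# referral chain longer than 5 hops, giving up" >&2
    return 1
}

# Usage (needs network access): follow_whois keyhole.com
if [ -n "${1:-}" ]; then follow_whois "$1"; fi
```

The loop stops when a record carries no referral or refers back to the server that produced it, which is what the registrar's own record does. Some ccTLD registries publish no WHOIS server in their IANA record at all; in that case the IANA record is the final output and a web lookup at the registry is the only option.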
 Step 5: DNS Interrogation
 After identifying all the associated domains, you can begin
to query the DNS. DNS is a distributed database used to
map IP addresses to hostnames, and vice versa. If DNS is
configured insecurely, it is possible to obtain revealing
information about the organization.
 One of the most serious misconfigurations a system
administrator can make is allowing untrusted Internet users
to perform a DNS zone transfer
 A zone transfer (AXFR) lets a secondary name server pull a complete copy of the zone from the primary
 This provides redundancy when running DNS, should the primary name server become unavailable
 Generally, a zone transfer needs to be served only to the zone's own secondary servers
 Many DNS servers, however, are misconfigured and hand a copy of the zone (every hostname, address and MX in it) to anyone who asks
 A simple way to request a zone transfer is the nslookup client provided with most UNIX and Windows systems, used in interactive mode. The ls subcommand asks whichever server is currently selected (switch to one of the target's authoritative servers with server <ns> first); it survives only in the Windows nslookup, so on Linux/BSD use dig @<ns> <zone> axfr instead:
[bash]$ nslookup
Default Server: ns1.example.net
Address: 10.10.20.2
> 216.182.1.1
Server: ns1.example.net
Address: 10.10.20.2
Name: gate.tellurian.net
Address: 216.182.1.1
> set type=any
> ls -d Tellurian.net. >> /tmp/zone_out
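The misconfiguration described in Step 5 is easy to test for, and the test belongs in the defender's checklist as much as the attacker's. The script below, an added example that is not part of the original slides, enumerates a zone's authoritative servers with dig and attempts an AXFR against each one, because every server in the NS set is a separate configuration and any one of them can leak. The zone name and the dig transcripts in its test are constructed; live use needs dig and network access.

```shell
#!/bin/sh
# Added example: check every authoritative server of a zone for an open
# zone transfer and classify the result of each attempt.

# axfr_result: read "dig ... AXFR" output on stdin and print one word:
#   open    - the server handed over the zone (resource records present)
#   refused - the server rejected the transfer ("; Transfer failed." or REFUSED)
#   error   - no usable answer (timeout, unreachable, unresolvable server)
axfr_result() {
    awk '
        /timed out|no servers could be reached|couldn.t get address/ { result = "error" }
        (/^; Transfer failed\./ || /status: (REFUSED|NOTAUTH|NOTIMP)/) && result != "error" { result = "refused" }
        # answer lines look like: <owner> <ttl> IN <type> <rdata...>; dig comments start with ";"
        /^[^;]/ && NF >= 4 && $3 == "IN" { records++ }
        END {
            if (result != "") print result
            else if (records > 0) print "open"
            else print "error"
        }'
}

# check_zone_transfer ZONE: look up the NS set, then try AXFR (dig switches to
# TCP for it automatically) against every listed server.
check_zone_transfer() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        verdict=$(dig +time=5 +tries=1 @"$ns" "$zone" AXFR 2>&1 | axfr_result)
        printf '%-40s %s\n' "$ns" "$verdict"
    done
}

# Usage (needs network access): check_zone_transfer example.com
if [ -n "${1:-}" ]; then check_zone_transfer "$1"; fi
```

An "open" verdict on any server is the finding. On BIND the fix is an allow-transfer statement in named.conf that lists only the secondaries' addresses (allow-transfer { 192.0.2.2; }; or allow-transfer { none; }; on a server that has no secondaries), ideally with TSIG-signed transfers rather than address-based trust alone.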
 Step 6: Network Reconnaissance
 Now that we have identified potential networks, we can
attempt to determine their network topology as well as
potential access paths into the network.
 To accomplish this task, we can use the traceroute program (ftp://www.ee.lbl.gov/traceroute.tar.gz) that comes with most flavors of UNIX and is provided in Windows. In Windows it is spelled tracert, a leftover of the 8.3 filename limit.
 traceroute is a diagnostic tool originally written by Van Jacobson that lets you view the route that an IP packet follows from one host to the next. It sends probes with increasing time-to-live (TTL) values in the IP header; each router that decrements the TTL to zero answers with an ICMP TIME_EXCEEDED message, revealing its address. Linux traceroute sends UDP probes by default (-I for ICMP echo, -T for TCP SYN); Windows tracert always uses ICMP echo.
 traceroute may allow you to discover the network topology employed by the target network, in addition to identifying access control devices (such as an application-based firewall or packet-filtering routers) that may be filtering our traffic.
 Most of what we have done up to this point with
traceroute has been command-line oriented. For the
graphically inclined, you can use
 VisualRoute (http://www.visualroute.com),
 NeoTrace (http://www.neotrace.com), or
 Trout (http://www.foundstone.com)
Tools - Linux
 Some basic Linux tools - lower level utilities
 Local System
hostname
ifconfig
who, last
 Remote Systems
ping
traceroute
nslookup, dig
whois
arp, netstat (also local system)
 Other tools
lsof
Tools – Linux (2)
 Other utilities
 wireshark (packet sniffing)
 nmap (port scanning) - more later
 Ubuntu Linux
 Go to System / Administration / Network Tools – get interface
to collection of tools: ping, netstat, traceroute, port scan,
nslookup, finger, whois
Tools - Windows
 Windows
 Sam Spade (collected network tools)
 Wireshark (packet sniffer)
 Command line tools
 ipconfig
 Many others…
hostname
 Determine host name of current system
 Usage: hostname
 E.g. hostname
localhost.localdomain // default
 E.g. hostname
mobile.cs.uwec.edu
ifconfig
 Configure network interfaces; run alone, it shows the current addresses of every interface on the host
 On current Linux it is superseded by ip addr (iproute2) and may not be installed
 Usage: ifconfig
 E.g. ifconfig // command alone: display status
eth0      Link encap:Ethernet  HWaddr 00:0C:29:CD:F6:D3
          inet addr:192.168.172.128 ...
lo        Link encap:Local Loopback
          inet addr:127.0.0.1
          ...
who
 Basic tool to show users on current system
 Useful for identifying unusual activity (e.g. activity by
newly created accounts or inactive accounts)
 Usage: who
 E.g. who
root tty1 Jan 9 12:46
paul tty2 Jan 9 12:52
last
 Show recent logins recorded in /var/log/wtmp
 Default: every entry since the file was last rotated
 -N: only the last N entries
 Useful for identifying unusual activity in the recent past (logins from unexpected addresses or at odd hours)
 Usage: last [-N]
 E.g. last -3
wagnerpj pts/1 137.28.253.254 Sat Feb 5 15:40 still logged in
flinstf  pts/0 137.28.191.74  Sat Feb 5 15:38 still logged in
rubbleb  pts/0 c48.someu.edu  Sat Feb 5 14:38 - 15:25 (00:46)
ping
 Potential Uses
 Is system online?
 Through response
 Gather name information
 Through DNS
 Tentatively identify the operating system
 Based on the TTL (Time To Live) shown on each reply line
 TTL starts at the sender's default and is decremented by every router on the way, so the value you see is that default minus the hop count (a reply with ttl=52 most likely left a 64-default host 12 hops away)
 64 is the Linux/BSD/macOS default, 128 the Windows default, 255 on many routers and Solaris (all can be changed, e.g. net.ipv4.ip_default_ttl on Linux; a load balancer or proxy answering on the host's behalf also skews the guess)
 Notes
 Uses ICMP echo request/reply
 Often blocked at the perimeter or on individual hosts; more useful within the network
 Usage: ping system
 E.g. ping ftp.redhat.com
 E.g. ping localhost
traceroute
 Potential Uses
 Estimate the geographic location of a machine from the router hostnames along the path (ISPs often embed city or airport codes)
 Gather network information (gateway, other internal systems)
 Find the hop at which your packets stop being answered: evidence of a firewall or filtering router
 Notes
 Probes can be UDP (Linux default), ICMP (Windows tracert, traceroute -I) or TCP SYN (traceroute -T); a filter that drops one type may pass another
 Results often limited by firewalls and by routers that rate-limit or suppress ICMP TIME_EXCEEDED
 Several GUI-based traceroute utilities available
 Usage: traceroute system
 E.g. traceroute cs.umn.edu
traceroute example - blocked
[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
<ctrl-c>
[wagnerpj@data ~]$
traceroute example - success
H:\>tracert www.google.com
Tracing route to www.google.akadns.net [64.233.167.99] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
 10    16 ms    16 ms    18 ms  216.239.46.10
 11    21 ms    19 ms    17 ms  64.233.175.30
 12    18 ms    16 ms    16 ms  64.233.167.99
Trace complete.
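The ping slide guesses the operating system from the reply TTL, and the two traceroute transcripts above show the two outcomes a practitioner has to tell apart: a path that completes, and one that goes silent at hop 4. The functions below put both readings into code: recover the sender's initial TTL from a ping reply (exactly, once traceroute has supplied the hop count), and find the hop at which answers stop. This is an added example for this page, not part of the slides; the ping, traceroute and tracert outputs in its test are constructed in the formats those tools print.

```shell
#!/bin/sh
# Added example: TTL analysis for the ping and traceroute slides.

# ping_ttl: print the TTL from the first echo reply on stdin
# (Linux ping prints "ttl=52", Windows ping prints "TTL=116").
ping_ttl() {
    grep -oi 'ttl=[0-9]*' | head -n 1 | cut -d= -f2
}

# ttl_guess TTL [HOPS]: print "<initial TTL> <hops> <likely stack>".
# With a hop count (taken from traceroute) the initial TTL is exact:
# initial = observed + hops. Without one, assume the smallest common default
# (64, 128, 255) that is not below the observed value. Either way the
# attribution is a guess: defaults can be changed, and a load balancer or
# proxy may be the host that actually answered.
ttl_guess() {
    ttl=$1
    hops=${2:-}
    if [ -n "$hops" ]; then
        init=$((ttl + hops))
    elif [ "$ttl" -le 64 ]; then init=64
    elif [ "$ttl" -le 128 ]; then init=128
    else init=255
    fi
    case $init in
        64)  os="Linux/BSD/macOS (default 64)" ;;
        128) os="Windows (default 128)" ;;
        255) os="Solaris/network device (default 255)" ;;
        *)   os="non-default or unknown stack" ;;
    esac
    echo "$init $((init - ttl)) $os"
}

# trace_blocked: read traceroute or tracert output on stdin and print
# "<last answering hop> <first silent hop>", with "-" for the second field
# when the trace completed. A run of silent hops right after the last
# answering one is the classic sign of a filtering device at that point.
trace_blocked() {
    awk '
        $1 ~ /^[0-9]+$/ {
            hop = $1 + 0
            rest = $0
            sub(/^[ \t]*[0-9]+/, "", rest)
            sub(/Request timed out\./, "", rest)   # tracert wording for a silent hop
            gsub(/[* \t]/, "", rest)               # drop stars and whitespace
            if (rest == "") { if (silent == 0) silent = hop }
            else { last = hop; silent = 0 }
        }
        END { printf "%d %s\n", last + 0, (silent ? silent : "-") }'
}

# Usage (live):
#   ping -c 3 host | ping_ttl
#   traceroute host | trace_blocked
```

Reading the page's own blocked example with trace_blocked gives "3 4": hop 3 (wiscnet.net) answered, hop 4 onward did not, so the filter sits between the campus upstream and the target network. The tracert example gives "12 -".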
Visual Traceroute Example
whois
 Potential Uses
 Queries nicname/whois servers for Internet registration
information
 Can gather contacts, names, geographic information,
servers, … - useful for social engineering attacks
 Notes
 Usage: whois domain
 e.g. whois netcom.com
whois example - basic
Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
networking@uwec.edu
Name Servers:
TOMATO.UWEC.EDU  137.28.1.17
LETTUCE.UWEC.EDU 137.28.1.18
BACON.UWEC.EDU   137.28.5.194
whois example - wildcards
 whois uw%.edu // % is a wildcard accepted by the .edu registry server (whois.educause.edu); most other WHOIS servers reject wildcards
Your search has matched multiple domains.
Below are the domains you matched (up to 100). For
specific
information on one of these domains, please search on
that domain.
UW.EDU
UWA.EDU
UWB.EDU
UWC.EDU
UWEC.EDU
UWEST.EDU
UWEX.EDU
….
nslookup
 Potential Uses
 Query internet name servers
 Find name for IP address, and vice versa
 Notes
 Long flagged as deprecated by BIND in favour of dig (the warning was later dropped; nslookup is still maintained and is the resolver tool shipped with Windows)
 Sometimes useful when dig fails or is not installed
 Usage
 nslookup xxxxxxx
// name or IP addr.
 E.g. nslookup data.cs.uwec.edu
 E.g. dig data.cs.uwec.edu
dig
 Potential Uses
 Domain Name Service (DNS) lookup utility
 Associate name with IP address and vice versa
 Notes
 Many command options
 General usage: dig <somehost>
 E.g. dig data.cs.uwec.edu
 E.g. dig -x 137.28.109.33 // reverse (PTR) lookup; a bare IP address without -x is treated as a hostname and returns nothing useful
arp
 Shows the ARP cache: the IP-to-MAC mappings of hosts on the local network segment this system has recently exchanged frames with
 Possible uses
 Find systems on the local segment that your system has recently talked to; a MAC address that changes for the same IP is a sign of ARP spoofing
 Notes
 arp // display entries with hostnames
 arp -n // display numeric addresses (no DNS lookups)
 ip neigh is the modern Linux equivalent
netstat
 Shows connections, routing information, statistics
 Possible uses
 Find systems that your system has recently talked to, find recently used ports, and see which local services are listening
 Notes
 Many flags
netstat    // open sockets, etc.
netstat -s // summary statistics
netstat -r // routing tables
netstat -p // PID/program name owning each socket (root needed to see other users' processes)
netstat -l // listening sockets
 Combine them: netstat -tulpn lists TCP and UDP listeners numerically with their programs
 On current Linux, netstat (net-tools) is superseded by ss from iproute2 (ss -tulpn)
lsof
 Lists open files on your system, including network sockets (lsof -i), which makes it a second way to tie listening ports to processes
 Useful to see what processes are working with what files, possibly identify tampering (e.g. a process holding a deleted binary open)
 Usage: lsof
 E.g. lsof -i -P -n // network sockets, numeric ports and addresses
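The defender slide earlier said to "identify information you're giving away"; netstat and lsof are how you answer that for a single host. The function below, an added example that is not part of the original slides, reads the text netstat -tulpn produces and keeps only the listeners bound to a wildcard address, i.e. the services another machine can actually footprint, with the program behind each. Loopback-only bindings are skipped because they are not reachable from the network. The netstat transcript in the test is constructed.

```shell
#!/bin/sh
# Added example: which listening sockets on this host are exposed to the network?

# exposed_listeners: read "netstat -tulpn" output on stdin, print
# "<proto> <port> <program>" for every listener bound to 0.0.0.0, :: or *.
# Column 4 is the local address; the last column is "PID/Program name",
# which netstat fills in only when run as root (otherwise it prints "-").
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            addr = $4
            if (addr !~ /^(0\.0\.0\.0|::|\*):[0-9]+$/) next
            port = addr; sub(/.*:/, "", port)
            prog = $NF;  sub(/^[0-9]+\//, "", prog)   # "812/sshd" -> "sshd"; "-" stays "-"
            print $1, port, prog
        }'
}

# Usage (live, as root): netstat -tulpn | exposed_listeners
# With iproute2 instead of net-tools, ss -tulpn carries the local address in
# column 5 rather than 4, so change $4 above to $5.
```

Anything this prints that is not on the host's expected service list (and, from the other direction, anything that shows up in an external nmap scan but not here) is a finding worth explaining.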
Windows Tools
 Sam Spade
 “swiss army knife” of footprinting
 Has most of the Linux tools
 Plus other functionality
 Usage
 Start application
 Fill in name or IP address
 Choose option desired in menus
Packet Sniffers
 Definition: Hardware or software that can display
network traffic packet information
 Usage
 Network traffic analysis
 Example packet sniffers
 tcpdump (command line, Linux)
 wireshark (GUI interface, Linux, Windows – open source)
 others…
Limitations – Packet Sniffing
 Packet sniffers only catch what they can see
 Users attached to a hub: can see everything on the segment
 Users attached to a switch: only see their own traffic plus broadcast/multicast, unless they use a mirror (SPAN) port or resort to ARP spoofing or MAC flooding
 Wireless: an open or WEP network behaves like a hub; on WPA2 each client has its own pairwise key, so decrypting other clients' traffic requires the PSK and a capture of their handshake
 Need to be able to put your network interface card (NIC) in "promiscuous" mode to be able to process all traffic, not just traffic for/from itself (monitor mode on wireless)
 NIC and driver must support it
 Need privilege (e.g. root in Linux, or the CAP_NET_RAW capability)
OSI Network Protocol
 Layer 7 – Application (incl. app. content)
 Layer 6 – Presentation
 Layer 5 – Session
 Layer 4 – Transport (incl. protocol, port)
 Layer 3 – Network (incl. source, dest)
 Layer 2 – Data Link
 Layer 1 – Physical
wireshark
 Created in 1997 by Gerald Combs (as Ethereal) to troubleshoot network problems
 Various contributors added pieces; first public release 1998
 Name change (2006): Ethereal -> Wireshark
 Reads and writes many capture file formats (pcap, pcapng and most vendors' formats)
 Information
 http://www.wireshark.org
 Demonstration
Using wireshark
 Ubuntu – Applications / Internet / Wireshark (as
root)
 Enter your administrative account pw: user
 Capture/Interfaces/eth0:, Start
 Capture window shows accumulated totals for
different types of packets
 Stop – packets now displayed
 Top window – packet summary
 Can sort by column – source, destination, protocol are
useful
 Middle window – packet breakdown
 Click on + icons for detail at each packet level
 Bottom window – packet content
Wireshark capture analysis
 Can save a session to a capture file
 Can reopen file later for further analysis
 Open capture file
 Ubuntu: /home/user/Support/MOBILEcapture.cap
 W2K3: C:\Support\MOBILEcapture.cap
 Identify and follow different TCP streams
 Select TCP packet, Analyze/Follow TCP Stream
 MOBILEcapture.cap has http, https, ftp, ssh streams
 Any interesting information out there?
 HINT: follow stream on an ftp packet
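The hint works because FTP sends the USER and PASS commands in cleartext, so whoever can see the packets has the credentials without any further work. The same check from the command line, for a saved capture or a live interface, is below. It is an added example that is not part of the original slides; the tcpdump text in its test is constructed in the format tcpdump -A prints, and the file name is a placeholder.

```shell
#!/bin/sh
# Added example: pull cleartext FTP logins out of tcpdump's ASCII dump.

# ftp_creds: read "tcpdump -nn -A 'tcp port 21'" output on stdin and print
# "<user> <password>" for every completed USER/PASS pair, in order.
# tcpdump -A prints the IP/TCP header bytes as dots in front of the payload,
# so the commands are matched anywhere in a line rather than at its start;
# the trailing CR of each FTP line is stripped first.
ftp_creds() {
    tr -d '\r' | awk '
        match($0, /USER [^ \t]+/) { user = substr($0, RSTART + 5, RLENGTH - 5) }
        match($0, /PASS [^ \t]+/) && user != "" {
            print user, substr($0, RSTART + 5, RLENGTH - 5)
            user = ""
        }'
}

# Usage:
#   tcpdump -nn -A -r capture.pcap 'tcp port 21' | ftp_creds    # saved capture
#   tcpdump -i eth0 -nn -A 'tcp port 21' | ftp_creds            # live (needs root)
if [ -n "${1:-}" ]; then tcpdump -nn -A -r "$1" 'tcp port 21' | ftp_creds; fi
```

A PASS with no preceding USER is ignored. Telnet, POP3 and HTTP basic authentication leak in the same way; the defender's answer is to stop running those protocols on the wire (SFTP or FTPS for file transfer) rather than to try to hide the segment from sniffers.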
Related Tool
 Hunt
 TCP sniffer
 Watch and reset connections
 Hijack sessions
 Spoof MAC address
 Spoof DNS name
Related Tool
 EtherPEG – image capture on network
 http://www.etherpeg.com
Summary
 Basic tools can generate much information
 Remember principle of accumulating information
 Attacker will build on smaller pieces to get bigger pieces
 Message to defenders: don’t give away any information if you
can avoid it
Reference
 McClure, S., Scambray, J., Kurtz, G. Hacking Exposed: Network Security Secrets & Solutions, 5th ed. McGraw-Hill/Osborne, 2005.