Modul 2 - Footprinting Scanning Enumeration

advertisement
Modul 2
Footprinting Scanning
Enumeration
Isbat Uzzin Nadhori
Informatical Engineering PENS-ITS
Politeknik Elektronika Negeri Surabaya
ITS - Surabaya
1
Intelligence Gathering Techniques
 3 Major Steps
Foot Printing
Scanning
Enumeration
 Similar to Military
Gather information on the target
Analyze weaknesses
Construct and launch attack
2
Gathering Process Overview

You can’t attack what you don’t know
3
Hacking Step
4
Hacking Step …
5
Gathering Process overview
Hosts
Ports
Services
Vulnerabilities
6
Footprinting
7
Footprinting
 Footprinting is the ability to obtain essential information about an
organization. Commonly called network reconnaissance.
 Result Gather information includes:
– The technologies that are being used such as, Internet, Intranet, Remote Access and the
Extranet.
– To explored the security policies and procedures
– take an unknown quality and reduce it
– Take a specific range of domain names, network blocks and individual IP addresses of a
system that is directly connected to the Internet
 This is done by employing various computer security techniques, as:
•
DNS queries  nslookup, dig, Zone Transfer
•
Network enumeration
•
Network queries
•
Operating system identification
•
Organizational queries
•
•
•
•
•
•
Ping sweeps
Point of contact queries
Port Scanning
Registrar queries (WHOIS queries)
SNMP queries
World Wide Web spidering
 When used in the computer security lexicon, "footprinting" generally refers to
one of the pre-attack phases; tasks performed prior to doing the actual
attack. Some of the tools used for footprinting areSam
Spade, nslookup, traceroute, Nmap and neotrace.
8
DNS Query
9
Network Query Tools
* Ping
* NSlookup
* Whois
* IP block search
* Dig
* Traceroute
* Finger
* SMTP VRFY
* Web browser keep-alive
* DNS zone transfer
* SMTP relay check
* Usenet cancel check
* Website download
* Website search
* Email header analysis
* Email blacklist
* Query Abuse address
10
Information to Gather
 Attacker’s point of view
Identify potential target systems
Identify which types of attacks may be useful on target systems
 Defender’s point of view
Know available tools
May be able to tell if system is being footprinted, be more prepared for
possible attack
Vulnerability analysis: know what information you’re giving away, what
weaknesses you have
11
OS Identification
12
Point of Contact
13
Tools - Linux
 Some basic Linux tools - lower level utilities
Local System
hostname
ifconfig
who, last
Remote Systems
ping
traceroute
nslookup, dig
whois
arp, netstat (also local system)
Other tools
lsof
14
Tools – Linux (2)
 Other utilities
wireshark (packet sniffing)
nmap (port scanning) - more later
Ubuntu Linux
Go to System / Administration / Network Tools – get
interface to collection of tools: ping, netstat, traceroute,
port scan, nslookup, finger, whois
15
Tools - Windows
 Windows
Sam Spade (collected network tools)
Wireshark (packet sniffer)
Command line tools
ipconfig
Many others…
16
Traceroute
# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
1
fw-gw (209.197.192.1)
0.978 ms
0.886 ms
2
s1-0-1-access (209.197.224.69)
3
dallas.tx.core1.fastlane.net (209.197.224.1)
4
atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217)
5
Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53)
6
103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38)
7
152.63.96.85 (152.63.96.85)
8
dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153)
4.816 ms
10.565 ms
0.875 ms
5.275 ms
3.969 ms
4.622 ms
9.439 ms
6.564 ms
7.148 ms
11.861 ms
25.423 ms
3.977 ms
5.639 ms
6.595 ms
11.669 ms
6.681 ms
7.371 ms
6.732 ms
25.369 ms
13.289 ms
10.585 ms
17.173 ms
9
dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101)
44.951 ms
241.358 ms
248.838 ms
10
swbell-net.demarc.swbell.net (206.181.125.10)
11
ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137)
25.299 ms
11.295 ms
23.958 ms
12
target-company-818777.cust-rtr.swbell.net (151.164.x.xxx)
52.104 ms
24.306
ms
13
12.242 ms
13.821 ms
27.618 ms
17.248 ms
ns1.target-company.com (xxx.xx.xx.xx)
23.812 ms
24.383 ms
27.489 ms
17
Traceroute - Network Mapping
cw
swb
Internet Routers
18
Traceroute - Network Mapping
cw
swb
Internet Routers
19
Traceroute - Network Mapping
VPN
cw
Firewall
swb
DMZ
Internet Routers
20
Traceroute - Network Mapping
VPN
cw
Firewall
www
swb
ftp
DMZ
Internet Routers
21
Traceroute - Network Mapping
VPN
cw
Firewall
www
swb
ftp
DMZ
Internet Routers
22
Traceroute - Network Mapping
VPN
NT
cw
Firewall
Linux
www
Sun
swb
ftp
Hosts Inside
DMZ
Internet Routers
23
Traceroute - Network Mapping
VPN
Checkpoint Firewall-1
Nortel VPN
xxx.xx.22. 7
NT
cw
Nortel CVX1800
151.164.x.xxx
Firewall
Linux
www
Sun
Checkpoint Firewall-1
Solaris 2.7
xxx.xx.49.17
AIX 4.2.1
xxx.xx.48.1
IDS?
swb
Cisco 7206
204.70.xxx.xxx
ftp
Linux 2.0.38
xxx.xx.48.2
Hosts Inside
DMZ
Internet Routers
24
Whois
Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
networking@uwec.edu
Name Servers:
TOMATO.UWEC.EDU
137.28.1.17
LETTUCE.UWEC.EDU
137.28.1.18
BACON.UWEC.EDU
137.28.5.194
25
Scanning
26
Introduction
 Scanning can be compared to a thief checking all the doors and
windows of a house he wants to break into.
 Scanning- The art of detecting which systems are alive and
reachable via the internet and what services they offer, using
techniques such as ping sweeps, port scans and operating
system identification, is called scanning.
The kind of information collected here has to do with the
following:
1) TCP/UDP services running on each system identified.
2) System architecture (Sparc, Alpha, x86)
3) Specific IP address of systems reachable via the internet.
4) Operating System type.
27
Ping Sweeps
ping sweep is a method that can establish a range of IP
addresses which map to live hosts.
 ICMP Sweeps (ICMP ECHO requests)
 Broadcast ICMP
 Non Echo ICMP
 TCP Sweeps
 UDP Sweeps
28
PING SWEEPS
ICMP SWEEPS
ICMP ECHO request
Target alive
ICMP ECHO reply
Intruder
Querying multiple hosts – Ping sweep is fairly slow
Examples UNIX
– fping and gping
WINDOWS
- Pinger
29
Broadcast ICMP
Intruder
Network
ICMP ECHO reply
ICMP ECHO request
ICMP ECHO reply
ICMP ECHO reply
Can Distinguish between UNIX and WINDOWS machine
UNIX machine answers to requests directed to the network
address.
WINDOWS machine will ignore it.
30
PING SWEEPS
NON – ECHO ICMP
Example ICMP Type 13 – (Time Stamp)
 Originate Time Stamp
- The time the sender last touched the message before sending
 Receive Time Stamp
- The echoer first touched it on receipt.
 Transmit Time Stamp
- The echoer last touched on sending it.
31
PING Sweeps
TCP Sweeps
C(SYN:PortNo & ISN)
S (SYN & ISN) + ACK[ C (SYN+!) ]
Client
RESET (not active)
Server
S(ISN+1)
When will a RESET be sent?
When RFC does not appear correct while appearing.
RFC = (Destination (IP + port number) & Source( IP & port
number))
32
PING Sweeps
Depends on ICMP PORT UNREACHABLE message.
UDP data gram
ICMP PORT UNREACHABLE
Unreliable because
Target System
• Routers can drop UDP packets
•UDP services may not respond when correctly probed
•Firewalls are configured to drop UDP
•Relies on fact that non-active UDP port will respond
33
PORT SCANNING
Types:
 TCP Connect() Scan
 TCP SYN Scan( Half open scanning)
 Stealth Scan
 Explicit Stealth Mapping Techniques
SYN/ACL , FIN, XMAS and NULL
 Inverse Mapping
Reset Scans, Domain Query Answers
 Proxy Scanning / FTP Bounce Scanning
 TCP Reverse Ident Scanning
34
Port Scanning Types
 TCP Connect() Scan
SYN packet
SYN/ACK listening
RST/ACK (port not listening)
SYN/ACK
A connection is terminated after the full length connection establishment
process has been completed
35
Port Scanning Type
 TCP SYN Scan (half open scanning)
SYN packet
SYN/ACK listening
RST/ACK (port not listening)
We immediately tear down the connection by sending a RESET
36
Port Scanning Type
Stealth Scan
A scanning technique family doing the following
 Pass through filtering rules.
 Not to be logged by the targeted system logging mechanism
 Try to hide themselves at the usual site / network traffic.
The frequently used stealth mapping techniques are.
 SYN/ACK scan
 FIN scans
 XMAS scans
 NULL scans
37
PORT Scanning
Techniques:
 Random Port scan
 Slow Scan
 Fragmentation Scanning
 Decoy
 Coordinated Scans
38
PORT Scanning
“Random” Port Scan
Randomizing the sequence of ports probed may prevent detection.
Slow Scan
Some hackers are very patient and can use network scanners that spread out the
scan over a long period of time. The scan rate can be, for example, as low as 2
packets per day per target site.
Fragmentation scanning
In case of TCP the 8 octets of data (minimum fragment size) are enough to
contain the source and destination port numbers. This will force the TCP flags
field into the second fragment.
Decoy
Some network scanners include options for Decoys or spoofed address in their
attacks.
Coordinated Scans
If multiple IPs probe a target network, each one probes a certain service on a
certain machine in a different time period, and therefore it would be nearly
impossible to detect these scans.
39
Operating System Detection
 Banner Grabbing
 DNS HINFO Record
 TCP/IP Stack Fingerprinting
40
Operating System Detection
41
Operating System Detection
 DNS HINFO Record
The host information record is a pair of strings identifying
the host’s hardware type and the operating system
www IN HINFO “Sparc Ultra 5” “Solaris 2.6”
One of the oldest technique
42
Operating System Detection
 TCP/IP Finger Printing
The ideas to send specific TCP packets to the target IP
and observe the response which will be unique to
certain group or individual operations.
Types of probes used to determine the OS type
The FIN Probe, The Bogus Flag Probe, TCP initial
sequence number sampling, Don’t Fragment bit, TCP
initial window, ACK value, ICMP error Message
Quenching, ICMP message quoting, ICMP error
message Echoing Integrity, Type of service,
fragmentation handling, TCP options
43
Firewalking
 Gather information about a remote network protected
by a firewall
 Purpose
Mapping open ports on a firewall
Mapping a network behind a firewall
If the firewall’s policy is to drop ICMP ECHO Request/Reply
this technique is very effective.
44
How does Firewalking work?
 It uses a traceroute-like packet filtering to
determine whether or not a particular packet
can pass through a packet-filtering device.
 Traceroute is dependent on IP layer(TTL field),
any transport protocol can be used the same
way(TCP, UDP, and ICMP).
45
What Firewalking needs?
 The IP address of the last known gateway
before the firewall takes place.
Serves as WAYPOINT
 The IP address of a host located behind the
firewall.
Used as a destination to direct packet flow
46
Getting the Waypoint
 If we try to traceroute the machine behind a
firewall and get blocked by an ACL filter that
prohibits the probe, the last gateway which
responded(the firewall itself can be determined)
 Firewall becomes the waypoint.
47
Getting the Destination
 Traceroute the same machine with a different
traceroute-probe using a different transport protocol.
 If we get a response
That particular traffic is allowed by the firewall
We know a host behind the firewall.
 If we are continuously blocked, then this kind of traffic
is blocked.
 Sending packets to every host behind the packetfiltering device can generate an accurate map of a
network’s topology.
48
How to identify/avoid threats?
 Long-standing rule for Unix System
administrators to turn off any services that
aren’t in use
 For personal workstations!
Hackers have access to utilities to scan the servers
but so do you!.
Hackers look in for open ports. So we can our
servers first and know what the hackers will see and
close any ports that shouldn’t be open.
49
Some tools to help us
 Nmap
It is a utility that scans a particular server and informs
us which ports are open.
 Ethereal
It is a utility that will scan the network and help us
decode what is going on.
We can watch the network traffice and find out if
hackers can see anything that will help them break
into our systems.
50
Enumeration
51
Introduction to Enumeration
 Enumeration extracts information about:
–Resources or shares on the network
–User names or groups assigned on the network
–Last time user logged on
–User’s password
 Before enumeration, you use Port scanning and
footprinting
–To Determine OS being used
 Intrusive process
52
52
NBTscan
 NBT (NetBIOS over TCP/IP)
–is the Windows networking protocol
–used for shared folders and printers
 NBTscan
–Tool for enumerating Microsoft OSs
53
53
Null Session Information
 Using these NULL connections allows you to gather the
following information from the host:
–List of users and groups
–List of machines
–List of shares
–Users and host SIDs (Security Identifiers)
•From brown.edu (link Ch 6b)
54
54
Demonstration of Null Sessions
 Start Win 2000 Pro
 Share a folder
 From a Win XP command prompt
–NET VIEW \\ip-address
Fails
–NET USE \\ip-address\IPC$ "" /u:""
•Creates the null session
•Username="" Password=""
–NET VIEW \\ip-address
Works now
55
55
Demonstration
of Enumeration
 Download Winfo from link
Ch 6g
 Run it – see all the
information!
56
56
NetBIOS Enumeration Tools
 Net view command
–Shows whether there are any shared resources on a network host
57
57
NetBIOS Enumeration Tools (continued)
 Net use command
–Used to connect to a computer with shared folders or files
58
58
Net use
59
60
Additional Enumeration Tools
 NetScanTools Pro
 DumpSec
 Hyena
 NessusWX
61
61
NetScanTools Pro
 Produces a graphical view of NetBIOS running on a network
 Enumerates any shares running on the computer
 Verifies whether access is available for shared resource
using its Universal Naming Convention (UNC) name
 Costs about $250 per machine (link Ch 6i)
62
62
63
63
64
64
DumpSec
 Enumeration tool for Microsoft systems
 Produced by Foundstone, Inc.
 Allows user to connect to a server and “dump” the
following information
–Permissions for shares
–Permissions for printers
–Permissions for the Registry
–Users in column or table format
–Policies and rights
–Services
65
65
DumpSec
66
Hyena
 Excellent GUI product for managing and securing
Microsoft OSs
 Shows shares and user logon names for Windows
servers and domain controllers
 Displays graphical representation of:
–Microsoft Terminal Services
–Microsoft Windows Network
–Web Client Network
–Find User/Group
67
67
68
68
NessusWX
 This is the client part of Nessus
 Allows enumeration of different OSs on a large network
 Running NessusWX
–Be sure Nessus server is up and running
–Open the NessusWX client application
–To connect your client with the Nessus server
•Click Communications, Connect from the menu on the session
window
•Enter server’s name
•Log on the Nessus server
69
69
70
70
71
71
NessusWX (continued)
 Nessus identifies
–NetBIOS names in use
–Shared resources
–Vulnerabilities with shared resources
•Also offers solutions to those vulnerabilities
–OS version
–OS vulnerabilities
–Firewall vulnerabilities
72
72
73
73
74
74
75
75
76
76
Enumerating the *NIX Operating System
 Several variations
–Solaris
–SunOS
–HP-UX
–Linux
–Ultrix
–AIX
–BSD UNIX
–FreeBSD
–OpenBSD
77
77
UNIX Enumeration
 Finger utility
–Most popular tool for security testers
–Finds out who is logged in to a *NIX system
–Determine owner of any process
 Nessus
–Another important *NIX enumeration tool
78
78
79
79
80
80
Footprinting And Enumeration using
netcraft.com
81
Download