Lesson 9

Footprinting/Scanning/Enumeration
Footprinting
External attack: enables attackers to create a profile of an organization’s security posture, including:
Domain name
Network blocks
IP addresses of Internet-connected systems
TCP and UDP services running on systems
System HW and SW (OS and applications)
Possible security HW/SW (firewalls, IDS)
User and group names, system banners
Analog/Digital phone numbers, RAS
Footprinting
Internal attack: same goal, but carried out from inside the security perimeter; map out the network and determine the current security posture.
Identify:
Network protocols
Internal domain names
IP addresses for systems on the internal network
TCP and UDP services for internal systems
HW and SW for internal systems
IDS, firewalls, and other security devices
User and group names, system banners
Possible extranet or VPN connectivity
Open Source Search
Start with the organization’s web page, if it has one.
Locations/addresses
Phone numbers
Names of key individuals
Email addresses
Policies (e.g. privacy) or other security info
Review HTML source code for comments
News articles, press releases
Google or other search-engine searches
Search USENET for postings
EDGAR search (for publicly traded companies)
Network Enumeration
The goal is to identify domain names and their associated networks, then the IP addresses within them.
Whois databases are valuable in this search
Access web sites with the capability to search them
Download and run programs that will help
Sam Spade (for Windows)
Sam Spade screenshots (images not included in these notes): IP Block Query, nslookup, traceroute
DNS Zone Transfers
DNS is a distributed database used for mapping between IP addresses and hostnames.
A security problem is allowing DNS zone transfers to unknown/untrusted Internet users. (Some misconfigured servers will provide a zone transfer to anyone who asks.)
A zone transfer allows a secondary server to update its copy of the zone from the primary master.
The potential problem occurs if zone transfers are allowed and the organization hasn’t segregated its internal (private) network information from its external (public) information. Internal hostnames and IP addresses may then be revealed to external sources.
This is akin to providing a blueprint of your internal network to anybody who asks.
One way to request a zone transfer is with nslookup; the textbook discusses how to do this.
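To make the “blueprint” point concrete from the defender’s side, here is an added example (not code from the lecture or its textbook) that takes the records a zone transfer would return and flags the ones that should never have been in a public zone: A records pointing into RFC 1918 space, and hostnames whose labels hint at internal roles. The zone data and the list of name hints are constructed for the example.

```python
"""Check a DNS zone for internal information that an unrestricted zone
transfer would hand to anyone who asks. Added example for these notes;
the zone records below are constructed to resemble AXFR output for a
fictitious example.com zone."""

import ipaddress

# Constructed zone data: (owner name, record type, record data).
ZONE_RECORDS = [
    ("example.com.",            "NS",    "ns1.example.com."),
    ("example.com.",            "MX",    "10 mail.example.com."),
    ("www.example.com.",        "A",     "203.0.113.10"),
    ("mail.example.com.",       "A",     "203.0.113.25"),
    ("ns1.example.com.",        "A",     "203.0.113.53"),
    ("fw-inside.example.com.",  "A",     "192.168.1.1"),
    ("payroll-db.example.com.", "A",     "10.20.30.40"),
    ("devbox.example.com.",     "A",     "172.16.5.9"),
    ("oldweb.example.com.",     "CNAME", "www.example.com."),
]

# RFC 1918 private address blocks, checked explicitly rather than via
# ipaddress.is_private (which also covers documentation ranges such as
# 203.0.113.0/24 that we use here as stand-ins for public addresses).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hostname fragments that suggest internal roles (constructed list).
SENSITIVE_NAME_HINTS = ("fw-", "firewall", "ids", "payroll", "db",
                        "dev", "test", "vpn")


def is_rfc1918(ip_text):
    """True if the address falls in one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in RFC1918)


def leaked_internal_records(records):
    """A records whose data is a private address: internal addressing
    exposed in what is supposed to be the public zone."""
    return [(name, rtype, data) for name, rtype, data in records
            if rtype == "A" and is_rfc1918(data)]


def suggestive_hostnames(records):
    """Owner names whose first label hints at an internal role."""
    hits = set()
    for name, _rtype, _data in records:
        first_label = name.split(".")[0].lower()
        if any(hint in first_label for hint in SENSITIVE_NAME_HINTS):
            hits.add(name)
    return sorted(hits)


def report(records):
    """Summarize what an unrestricted zone transfer would reveal."""
    leaks = leaked_internal_records(records)
    names = suggestive_hostnames(records)
    lines = [f"{len(records)} records in zone",
             f"{len(leaks)} A record(s) point at private addresses:"]
    lines.extend(f"  {n} -> {d}" for n, _t, d in leaks)
    lines.append(f"{len(names)} hostname(s) suggest internal roles:")
    lines.extend(f"  {n}" for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ZONE_RECORDS))
```

Run against your own zone data, a non-empty result means the split between internal and external views is not clean; fixing the records matters even after transfers are restricted to the real secondaries, because individual lookups still answer for those names.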
Network Reconnaissance
Once we have identified potential networks, we need to determine potential access paths into the network.
traceroute: lets you view the route that an IP packet follows from one host to another.
Uses the TTL (time to live) field in the IP header as a “hop counter”: each router decrements it, and the router at which it reaches zero reports back, revealing itself.
Can identify border routers and possibly firewalls, as they will normally be the last system before our target.
There may be additional internal routers and firewalls if our target is an internal system.
If normal probes are blocked, try sending the probe via UDP port 53 (used for DNS queries), as it may be allowed past the firewall.
Scanning
Ping: can be used to determine which systems in a range of addresses are active. Known as a ping sweep.
Sends an ICMP ECHO request to the target. If an ICMP ECHO_REPLY is received, the target is alive.
A number of different programs can perform this (or you can always do it one address at a time yourself…)
Linux: fping
Windows: Sam Spade (single host), Pinger, WS_PingProPack (commercial)
If ICMP traffic is blocked, this method won’t work; you will have to try something else, perhaps skipping straight to port scanning.
Port scanning: scan the ports of an IP address (or range) to see what services (ports) are available.
Lots of tools do this too: nmap, WS_PingProPack…
Other ICMP queries
Other queries using ICMP may provide further clues about the target:
Timestamp request: may reveal the time zone the system is in.
Address mask request: may allow you to determine the subnets being used.
Port Scanning
Connecting to TCP or UDP ports on the target to determine what services are running (in the LISTENING state).
Lots of different types of scans, some more “noisy” than others:
TCP connect scan: connect to the port using the full 3-way handshake
TCP SYN scan: “half open” scan; send a SYN but don’t complete the handshake
TCP FIN scan: send a FIN packet; a closed port should answer with a RST packet, while an open port should stay silent
UDP scan: send a UDP packet; if the system responds with ICMP “port unreachable” the port is closed, otherwise the port is open (or the system is down or the packet was lost)
Lots of other scans; check the book
Lots of programs to do scans: nmap, strobe, netcat, SuperScan
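The scan types above each leave a distinctive footprint on the wire, which is what a defender looks for. The following added example (not code from the lecture or its textbook) runs simple detection logic over a constructed packet log: it flags a source that pings many hosts as a ping sweep, flags a source that touches many ports on one host as a port scan, and names the scan type from the lecture’s definitions by the TCP flags the scanner sent. The log format and all sample lines are constructed for the example.

```python
"""Detect ping sweeps and port scans in a packet log.
Added example for these notes, not code from the lecture or its textbook.
The log format is hypothetical (one packet from the outside, per line):
    <time> <src> <dst> <proto> <dport or -> <tcp flags or ->
and the sample lines are constructed."""

from collections import defaultdict

# Constructed sample: 192.0.2.7 ping-sweeps six hosts, then FIN-scans one
# of them; 192.0.2.9 SYN-scans another host; 198.51.100.4 is ordinary HTTPS.
SAMPLE_LOG = """\
10:00:01 192.0.2.7 203.0.113.1 icmp - -
10:00:01 192.0.2.7 203.0.113.2 icmp - -
10:00:01 192.0.2.7 203.0.113.3 icmp - -
10:00:02 192.0.2.7 203.0.113.4 icmp - -
10:00:02 192.0.2.7 203.0.113.5 icmp - -
10:00:02 192.0.2.7 203.0.113.6 icmp - -
10:00:05 192.0.2.7 203.0.113.4 tcp 21 F
10:00:05 192.0.2.7 203.0.113.4 tcp 22 F
10:00:05 192.0.2.7 203.0.113.4 tcp 23 F
10:00:05 192.0.2.7 203.0.113.4 tcp 25 F
10:00:05 192.0.2.7 203.0.113.4 tcp 80 F
10:00:09 192.0.2.9 203.0.113.9 tcp 22 S
10:00:09 192.0.2.9 203.0.113.9 tcp 80 S
10:00:09 192.0.2.9 203.0.113.9 tcp 139 S
10:00:09 192.0.2.9 203.0.113.9 tcp 443 S
10:00:09 192.0.2.9 203.0.113.9 tcp 445 S
10:00:09 192.0.2.9 203.0.113.9 tcp 3389 S
10:00:12 198.51.100.4 203.0.113.10 tcp 443 S
10:00:12 198.51.100.4 203.0.113.10 tcp 443 S
10:00:13 198.51.100.4 203.0.113.10 tcp 443 A
"""

SWEEP_THRESHOLD = 5   # distinct hosts pinged by one source
SCAN_THRESHOLD = 5    # distinct ports probed on one host by one source


def parse_log(text):
    """Turn the log text into a list of packet dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, flags = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                        "dport": None if dport == "-" else int(dport),
                        "flags": None if flags == "-" else flags})
    return records


def detect_ping_sweeps(records, threshold=SWEEP_THRESHOLD):
    """Sources that sent ICMP to at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "icmp":
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def classify_scan(proto, flag_set):
    """Name the scan type, using the lecture's definitions, from the
    protocol and the set of TCP flags the scanner itself sent."""
    if proto == "udp":
        return "UDP scan"
    if flag_set == {"F"}:
        return "TCP FIN scan"
    if flag_set == {"S"}:
        return "TCP SYN (half-open) scan"      # SYN only, never an ACK
    if flag_set == {"S", "A"}:
        return "TCP connect scan"              # handshake completed
    return "TCP scan (mixed flags)"


def detect_port_scans(records, threshold=SCAN_THRESHOLD):
    """(src, dst) pairs where one source probed >= `threshold` distinct
    ports, with the port count and the inferred scan type."""
    ports = defaultdict(set)
    flags = defaultdict(set)
    for r in records:
        if r["dport"] is None:
            continue
        key = (r["src"], r["dst"], r["proto"])
        ports[key].add(r["dport"])
        if r["flags"]:
            flags[key].add(r["flags"])
    found = {}
    for (src, dst, proto), p in ports.items():
        if len(p) >= threshold:
            found[(src, dst)] = (len(p), classify_scan(proto, flags[(src, dst, proto)]))
    return found


def analyze(text):
    """Run both detectors over a log and return their findings."""
    recs = parse_log(text)
    return {"ping_sweeps": detect_ping_sweeps(recs),
            "port_scans": detect_port_scans(recs)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The thresholds are deliberately low so the constructed log trips them; on real traffic they are tuned per site, and a UDP scan shows up in the same structure as many UDP destination ports from one source, answered by ICMP port-unreachable messages for the closed ones.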
Determining the OS
Knowing the OS of a target system can be very useful. There are a number of methods to do this.
Active stack fingerprinting: while a lot of detail is provided to vendors on how TCP/IP stacks should respond for given protocols, not everything is always spelled out. The way that systems respond to cases that are not specifically discussed can give a clue to, or actually identify, the OS.
An example: a FIN packet sent to an open port should be met with no response. Windows NT, however, responds with a FIN/ACK.
A number of other examples are in the text.
Passive stack fingerprinting: watch traffic as it traverses a network to identify the OS, without sending any probes of your own.
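The passive method relies on the same idea as the active one, stacks differ in details the standards leave open. One such detail is the starting value of the IP TTL. As an added example (not code from the lecture or its textbook, and generalizing its FIN-probe example to the passive case), the block below infers each host’s initial TTL and hop distance from the TTL values seen in arriving packets, and flags a host whose packets imply two different stacks, which on a defended network points at a NAT device, a dual-boot machine or spoofed traffic. The default TTL table reflects widely documented values (64 for Linux and the BSDs, 128 for Windows, 255 for Solaris and many routers); the observations are constructed.

```python
"""Passive stack fingerprinting from the IP TTL of observed packets.
Added example for these notes, not from the lecture or its textbook.
Operating systems start the TTL at different defaults, and the TTL only
decreases in transit, so an arriving TTL of 52 almost certainly started
at 64 and crossed 12 routers. The observations below are constructed."""

from collections import defaultdict

# Common initial TTL values and the OS families that typically use them
# (indicative only: the default is a tunable setting on every OS).
COMMON_INITIAL_TTLS = (64, 128, 255)
TTL_HINTS = {64: "Linux/BSD", 128: "Windows", 255: "Solaris or router"}

# Constructed observations: (source address, TTL as seen on our network).
OBSERVED = [
    ("203.0.113.10", 52), ("203.0.113.10", 52), ("203.0.113.10", 51),
    ("203.0.113.25", 117), ("203.0.113.25", 117),
    ("203.0.113.53", 243),
    ("203.0.113.77", 60), ("203.0.113.77", 122),   # two stacks, one address
]


def infer_initial_ttl(observed_ttl):
    """Smallest common default that is >= the observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be between 1 and 255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 is the largest candidate")


def hop_distance(observed_ttl):
    """Routers crossed between the sender and our observation point."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def fingerprint_hosts(observations):
    """Per source address: inferred initial TTL(s), OS hint(s), hop
    distance(s), and whether all packets agree on a single stack."""
    initials = defaultdict(set)
    hops = defaultdict(set)
    for src, ttl in observations:
        initials[src].add(infer_initial_ttl(ttl))
        hops[src].add(hop_distance(ttl))
    result = {}
    for src, ttl_set in initials.items():
        result[src] = {
            "initial_ttls": sorted(ttl_set),
            "os_hint": [TTL_HINTS[i] for i in sorted(ttl_set)],
            "hops": sorted(hops[src]),
            # more than one inferred start value means more than one stack
            "consistent": len(ttl_set) == 1,
        }
    return result


if __name__ == "__main__":
    for host, info in fingerprint_hosts(OBSERVED).items():
        print(host, info)
```

A one-hop change in distance over time (as for 203.0.113.10 here) is normal routing variation; a jump from one default band to another is not, and is the kind of inconsistency worth a look.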
UNIX Tools – Network Mapper (nmap) (screenshot slides, images not included in these notes)
Enumeration – Telnet
UNIX or MS Windows
Provides a terminal connection to a running service
Usually used to log in to a remote system running the telnetd daemon; very insecure, since everything is sent in plaintext
Also useful in many reconnaissance activities:
Obtaining HTTP server information
Obtaining mail server information and accounts
Usage: telnet target.com <port number>
A tool that may prove useful is netcat (though it is a bit older).
A lot more info on enumeration is available in the text; what you need depends on your targets.
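What telnet or netcat brings back from an HTTP or mail port is a banner, and the useful habit for a defender is to read your own banners the way an enumerator would. The added example below (not code from the lecture or its textbook) parses a captured HTTP response and an SMTP greeting and lists every product/version pair they disclose, so you can see what a listening service advertises before deciding whether it should. Both the response and the greeting are constructed, with old version strings chosen to match the era of these notes.

```python
"""Parse service banners of the kind retrieved with telnet or netcat and
report what they disclose. Added example for these notes, not from the
lecture or its textbook; the HTTP response and SMTP greeting below are
constructed."""

import re

# Constructed capture of "HEAD / HTTP/1.0" sent by hand to port 80.
HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    "Server: Apache/1.3.12 (Unix) PHP/4.0.1 mod_ssl/2.6.5 OpenSSL/0.9.5a\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed SMTP greeting received on connecting to port 25.
SMTP_GREETING = ("220 mail.example.com ESMTP Sendmail 8.11.0/8.11.0; "
                 "Mon, 1 Jan 2001 00:00:00 -0500\r\n")

# "Name/1.2.3" or "Name 1.2.3": a product token followed by a dotted version.
PRODUCT_RE = re.compile(r"([A-Za-z][\w.+-]*)[ /](\d+(?:\.\d+)+\w*)")


def parse_http_server_header(response):
    """Return the value of the Server header, or None if absent."""
    head = response.split("\r\n\r\n", 1)[0]
    for header in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = header.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def products_in(banner_text):
    """All (product, version) pairs disclosed in a banner string."""
    return [(m.group(1), m.group(2)) for m in PRODUCT_RE.finditer(banner_text)]


def parse_smtp_greeting(greeting):
    """Hostname and products from a 220 greeting; None for other codes."""
    code, _, rest = greeting.strip().partition(" ")
    if code != "220":
        return None
    hostname, _, text = rest.partition(" ")
    return {"hostname": hostname, "products": products_in(text)}


def disclosure_report(http_response, smtp_greeting):
    """Combine both banners into one view of what the host advertises."""
    server = parse_http_server_header(http_response)
    smtp = parse_smtp_greeting(smtp_greeting)
    products = []
    if server:
        products.extend(products_in(server))
    if smtp:
        products.extend(smtp["products"])
    return {
        "http_server": server,
        "smtp_hostname": smtp["hostname"] if smtp else None,
        "versions_disclosed": len(products),
        "products": products,
    }


if __name__ == "__main__":
    for key, value in disclosure_report(HTTP_RESPONSE, SMTP_GREETING).items():
        print(f"{key}: {value}")
```

Five product versions from two connections is typical of unhardened defaults; most servers of this kind can be configured to shorten the banner, and the parser is a convenient way to confirm the change took effect.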
UNIX Tools - Nessus
Nessus – Written by Hugo van der Kooij and Jordan Hrycaj
http://www.nessus.org
Utilizes nmap to perform port scans
Will detect the type of service based on its response, not on its port number
Attempts to exploit known vulnerabilities
WARNING: Will perform DoS and DDoS attacks
UNIX Tools - Nessus
Configuring Nessusd
Before you run nessus you need to follow these steps:
Adding a new user
/usr/local/sbin/nessus-adduser
Create a login name
Choose “pass” for the authentication type
Type Ctrl-D to finish
Starting the daemon
As root type: nessusd -D
May take a minute to return to the shell
Starting X Windows
startx -- -nolisten tcp
UNIX Tools - Nessus (screenshot slides, images not included in these notes): configuring the nessus client; setting up your scan: plugins; scanning options; configuring the targets
UNIX Tools - Nessus
Save nessus reports to .html files
Remember to enable all but the dangerous plugins
Everything you need to know, including all the previous screenshots, is available at http://www.nessus.org
For information on configuring nessusd and nessus go to: http://www.nessus.org/demo/index.html
nessus.README is available on the lab systems in /home/tools/nessus/
Summary
What is the importance and significance of this material?
It is time to start learning the “hands-on” tools needed to perform an assessment.
How does this topic fit into the subject of “Security Risk Analysis”?
You will need to conduct all of these phases in an assessment. You need to understand the tools and have a familiarity with them.