SLIDE 1 ISA 330 Introduction to Proactive System Security Philip Robbins – September 28, 2013
Information Security & Assurance Program University of Hawai'i West Oahu Week #3
1
Footprinting, Scanning, and Enumeration
SLIDE 2 2
Footprinting, Scanning, and Enumeration
Topics
- Review Quiz #1
- Class Tools (VB, BT5r3 & MS2)
- Footprinting
- Port Scanning
- Enumeration
- Quiz #2
- Assignment #2
SLIDE 3 3
Class Tools
Creating a local virtual test environment…
Install BT5R3 and MS2 VM on Oracle VirtualBox.
Backtrack 5R3
user: root password: toor
Metasploitable 2.0
user: msfadmin password: msfadmin
SLIDE 4
4
Install VirtualBox
SLIDE 5
5
Install VirtualBox
SLIDE 6
6
Install Metasploitable 2.0
SLIDE 7
7
Install Metasploitable 2.0
SLIDE 8
8
Install Metasploitable 2.0
SLIDE 9
9
Install Metasploitable 2.0
SLIDE 10
10
Install Metasploitable 2.0
SLIDE 11
11
Metasploitable 2.0 (MS2)
SLIDE 12
12
Metasploitable 2.0
SLIDE 13
13
Install Backtrack 5R3
SLIDE 14
14
Install Backtrack 5R3
SLIDE 15
15
Install Backtrack 5R3
SLIDE 16
16
Install Backtrack 5R3
SLIDE 17
17
Install Backtrack 5R3
SLIDE 18
18
Install Backtrack 5R3
SLIDE 19
19
Backtrack (BT5R3)
SLIDE 20
20
Anatomy of an Attack
1. Perform Reconnaissance
2. Scan Target Network
3. Research Vulnerabilities
4. Perform Attack
5. Create Backdoor
6. Enumerate Network
7. Exfiltrate
8. Cover Tracks
SLIDE 21 21
Footprinting
- The process of gathering information on a company's network.
- Nonintrusive (passive) profiling vs. active profiling.
What kind of information?
- Weaknesses in security posture
- Remote access capabilities
- Domain names
- IP addresses
- Networking protocols / services
- User information, logins, telephone numbers, etc.
With just a URL, you can determine which Web server and OS a company is using; learn the names of employees.
SLIDE 22 22
Reconnaissance
Identify corporate email addresses for employees.
SLIDE 23 23
Reconnaissance
http://www.whois.net/ Gather IP and domain information.
SLIDE 24 24
Reconnaissance
http://www.whois.net/
SLIDE 25 25
Reconnaissance
http://www.rafasoft.com/ Extract contact data, such as email, phone, and fax information, from selected target.
SLIDE 26 26
Reconnaissance
http://www.rafasoft.com/
SLIDE 27 27
Reconnaissance
http://www.informatica64/FOCA Extract metadata from documents on Websites to reveal the document creator’s network logon and email address.
SLIDE 28 28
Reconnaissance
http://www.informatica64/FOCA
SLIDE 29 29
Reconnaissance
Gather IP and domain information.
SLIDE 30 30
Reconnaissance
SLIDE 31 31
Reconnaissance
SLIDE 32 32
Reconnaissance
- Domain Name System Zone Transfers
Transfer all DNS name server records.
- DNS uses name servers for resolving hostnames to IP addresses.
- Zone transfers enable you to see / analyze / diagram the hosts on the organization's network.
- Use the "dig" or "host" commands.
SLIDE 33 33
Reconnaissance
Tool for querying DNS name servers.
SLIDE 34 34
Reconnaissance
SLIDE 35 35
Reconnaissance
To determine the primary DNS server look for a Start of Authority (SOA) record.
SLIDE 36 36
Reconnaissance
Look for any: SOA, NS, MX.
SLIDE 37 37
Reconnaissance
- Reverse lookup
- Specify the name server (ns)
- Connection refused; no success
- Using AXFR (zone transfer) with dig
SLIDE 38 38
Reconnaissance
Success!
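As an added example (not part of the slides), a small Python parser that turns the records a successful zone transfer returns (dig AXFR-style output) into the picture the slides describe: the primary server from the SOA, the NS and MX servers, and every host the zone discloses. The zone text, names and 192.0.2.x addresses are constructed.

```python
"""Parse zone-transfer (dig ... AXFR style) output into the primary server,
the NS/MX servers, and the host inventory the transfer reveals.
The zone below is constructed for the example."""

# Constructed AXFR output for a fictional zone using documentation addresses.
SAMPLE_ZONE = """\
example.test.          3600 IN SOA  ns1.example.test. hostmaster.example.test. 2013092801 7200 900 1209600 3600
example.test.          3600 IN NS   ns1.example.test.
example.test.          3600 IN NS   ns2.example.test.
example.test.          3600 IN MX   10 mail.example.test.
ns1.example.test.      3600 IN A    192.0.2.10
ns2.example.test.      3600 IN A    192.0.2.11
mail.example.test.     3600 IN A    192.0.2.25
www.example.test.      3600 IN A    192.0.2.80
vpn.example.test.      3600 IN A    192.0.2.99
intranet.example.test. 3600 IN CNAME www.example.test.
example.test.          3600 IN SOA  ns1.example.test. hostmaster.example.test. 2013092801 7200 900 1209600 3600
"""

def parse_zone(text):
    """Return {'primary': name, 'ns': [...], 'mx': [(pref, name)],
    'hosts': {name: ip}, 'aliases': {alias: target}}.
    AXFR output repeats the SOA at the end, so it is read only once."""
    out = {"primary": None, "ns": [], "mx": [], "hosts": {}, "aliases": {}}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue                      # skip dig's ';' comment and blank lines
        name, rtype, rdata = parts[0], parts[3], parts[4:]
        if rtype == "SOA" and out["primary"] is None:
            out["primary"] = rdata[0]     # SOA MNAME names the primary server
        elif rtype == "NS":
            out["ns"].append(rdata[0])
        elif rtype == "MX":
            out["mx"].append((int(rdata[0]), rdata[1]))
        elif rtype == "A":
            out["hosts"][name] = rdata[0]
        elif rtype == "CNAME":
            out["aliases"][name] = rdata[0]
    out["mx"].sort()                      # lowest preference first
    return out

def exposed_inventory(zone):
    """Sorted (ip, hostname) pairs: the host diagram a transfer hands out."""
    return sorted((ip, name) for name, ip in zone["hosts"].items())

if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("primary:", zone["primary"], "ns:", zone["ns"], "mx:", zone["mx"])
    for ip, name in exposed_inventory(zone):
        print(ip, name)
```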
SLIDE 39 39
Reconnaissance
Same as dig??
SLIDE 40 40
Reconnaissance
SLIDE 41 41
Reconnaissance
SLIDE 42 42
Reconnaissance
Used for banner grabs…
SLIDE 43 43
Reconnaissance
SLIDE 44 44
Reconnaissance
SLIDE 45 45
Reconnaissance
SLIDE 46 46
Reconnaissance
https://code.google.com/p/andiparos/downloads/list Capture Web server information and possible vulnerabilities in a Web site’s pages. (Through a Proxy)
SLIDE 47 47
Reconnaissance
Method of gathering information about a person visiting a web site or if an email was read.
- Works with cookies
- Embedded 1 pixel x 1 pixel image (GIF) file
- Invisible (matches web page background)
- Referenced in an <IMG> tag
- You have to reach out and download the image (transaction logged):
  - IP address
  - Time accessed / viewed
  - Type of browser
- Used to verify if an email address is valid (HTML based w/ auto image view)
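As an added example (not part of the slides), a Python check that flags likely web bugs in an HTML e-mail body: `<img>` tags that are 1x1 or hidden and are fetched from a host outside the sender's own domain. The newsletter HTML, hostnames and recipient id are constructed.

```python
"""Flag likely tracking pixels (web bugs) in HTML: <img> tags that are 1x1 or
CSS-hidden and are fetched from outside the sender's domain.
The HTML below is constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed newsletter body: a real logo, a 1x1 GIF from a third-party host
# carrying a per-recipient id, and a CSS-hidden image.
SAMPLE_HTML = """
<html><body style="background:#ffffff">
<img src="https://mail.example.test/logo.png" width="200" height="50">
<p>Hello, here is this week's update.</p>
<img src="https://tracker.example.net/open.gif?rid=CONSTRUCTED-ID-1234"
     width="1" height="1" alt="">
<img src="https://cdn.example.org/px.png" style="display: none">
</body></html>
"""

class WebBugFinder(HTMLParser):
    def __init__(self, own_domain):
        super().__init__()
        self.own_domain = own_domain.lower()
        self.suspects = []

    def _external(self, host):
        # Images from the sender's own domain (or its subdomains) are expected.
        return bool(host) and host != self.own_domain \
            and not host.endswith("." + self.own_domain)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if (tiny or hidden) and self._external(host):
            self.suspects.append({"host": host, "src": src,
                                  "reason": "1x1 image" if tiny else "hidden image"})

def find_web_bugs(html, own_domain):
    """Return the suspect images in document order."""
    finder = WebBugFinder(own_domain)
    finder.feed(html)
    return finder.suspects

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, "example.test"):
        print(bug["reason"], "from", bug["host"], "->", bug["src"])
```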
SLIDE 48 48
Reconnaissance
- HTTP Methods (RFC‐2616, HTTP/1.1)
Gather content from web servers using HTTP methods.
- Hypertext Transfer Protocol (HTTP)
- Request / response protocol between client (web browser) and server (web site).
- Port 80
- GET: retrieves data
- HEAD: retrieves only the header info of an HTML doc
- OPTIONS: available options
- TRACE: remote loopback of the request message
- CONNECT: switch to a tunneled connection (SSL)
- DELETE: request that the origin server delete the identified resource
- PUT: request that the entity be stored
- POST: allows data to be posted
SLIDE 49 49
Reconnaissance
- HTTP Methods (RFC‐2616, HTTP/1.1)
SLIDE 50 50
Reconnaissance
SLIDE 51 51
Reconnaissance
- HEAD 192.168.56.101 (MS2)
header info of HTML doc
SLIDE 52 52
Reconnaissance
Psychological manipulation of people into performing actions or divulging information.
Looking over somebody’s shoulder to get information (passwords / PINs).
Sifting through garbage to find information that has been discarded that may prove useful.
A person tagging along with another person who is authorized to gain entry into a restricted area.
Attempting to acquire information by masquerading as a trustworthy entity.
SLIDE 53 53
Reconnaissance
Psychological manipulation of people into performing actions or divulging information.
Top SE Techniques:
- Urgency: "I need the info now before you know what hits the fan..."
- Quid pro quo: "Give me what I need and I will give you a..."
- Status quo: "Everyone does it, don't worry about it..."
- Kindness: "Thank you so much for... giving me the keys to the kingdom"
- Position: "When I say jump you say how high..."
Other Techniques:
- Familiarity
- Creating a hostile situation / distraction
- Get a job there
SLIDE 54 54
Reconnaissance
Attempting to acquire information by masquerading as a trustworthy entity.
SLIDE 55 55
Reconnaissance
Attempting to acquire information by masquerading as a trustworthy entity.
wtf…that’s not FB!
SLIDE 56 56
Reconnaissance
Phishing attempts directed at specific individuals or companies.
SLIDE 57 57
Scanning
- Examining a range of IP addresses to determine which services are running.
- Automated tools ping each port on a network computer.
- Remember many programs use port numbers outside the range
- After a hacker discovers an open port / service, finding a vulnerability or exploit isn't that difficult.
- Port scanning is legal.
- Moving away from passive to active info gathering.
SLIDE 58 58
Scanning
- TCP 3‐way Handshake Review
1) A --> B SYN: my sequence number is X
2) A <-- B ACK: your sequence number is X
3) A <-- B SYN: my sequence number is Y
4) A --> B ACK: your sequence number is Y
(Steps 2 and 3 travel in a single SYN/ACK segment, which is why it is called a three-way handshake.)
SLIDE 59 59
Scanning
- Popular types of Port / Service Scans
- SYN Scan (nmap -sS)
Full TCP connection is never made; RST/ACK always sent or received to close the session. Considered a stealth scan.
- Connect Scan (nmap -sT)
Full TCP connection made with the three-way handshake. Connection is logged.
- NULL Scan (nmap -sN)
All packet flags are turned off. Expected result on an open port is no response; the packet is discarded. Expected result on a closed port is a RST packet.
SLIDE 60 60
Scanning
- Popular types of Port / Service Scans
- XMAS Scan (nmap -sX)
FIN, PSH, URG flags are set. Expected result on an open port is no response; the packet is discarded. Expected result on a closed port is a RST packet.
- ACK Scan (nmap -sA)
Used to get past firewalls / filtering devices. A returned RST packet indicates that the packet filter was fooled.
- FIN Scan (nmap -sF)
A packet with the FIN flag set is sent. Expected result on a closed port is a RST packet.
SLIDE 61 61
Scanning
- Popular types of Port / Service Scans
- UDP Scan (nmap -sU)
UDP packet sent to target. Expected result on an open port is an ICMP “Port Unreachable” message (not guaranteed).
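As an added example (not part of the slides), a Python checker that classifies probe packets by the flag combinations the scan types above use, states the response each probe should get per the slides, and tallies distinct ports per source so a scan stands out the way a defender reads firewall or tcpdump records. The log records and addresses are constructed.

```python
"""Classify TCP probes by flag combination (the SYN, NULL, XMAS, FIN and ACK
scans from the slides) and tally distinct ports per source so a scan stands
out in firewall or tcpdump-style records. All records below are constructed."""
from collections import defaultdict

# Constructed sample: "src dst dport flags"; '-' means no TCP flags set
# (how tcpdump prints a NULL probe), letters S/A/F/P/U are the set flags.
SAMPLE_LOG = """\
10.0.0.5 192.168.56.101 22 S
10.0.0.5 192.168.56.101 23 S
10.0.0.5 192.168.56.101 80 S
10.0.0.5 192.168.56.101 139 S
10.0.0.5 192.168.56.101 445 S
10.0.0.9 192.168.56.101 80 FPU
10.0.0.9 192.168.56.101 443 FPU
10.0.0.9 192.168.56.101 21 -
10.0.0.9 192.168.56.101 25 F
10.0.0.7 192.168.56.101 80 A
10.0.0.7 192.168.56.101 80 A
192.168.56.1 192.168.56.101 80 S
"""

def classify_flags(flags):
    """Map a flag string to the probe type named on the slides."""
    s = set() if flags == "-" else set(flags)
    if s == {"F", "P", "U"}:
        return "XMAS"   # nmap -sX
    if not s:
        return "NULL"   # nmap -sN
    if s == {"F"}:
        return "FIN"    # nmap -sF
    if s == {"S"}:
        return "SYN"    # nmap -sS, or the first packet of -sT
    if s == {"A"}:
        return "ACK"    # nmap -sA
    return "other"

def expected_response(probe, port_state):
    """What the slides say a target returns for each probe type."""
    if probe == "SYN":
        return "SYN-ACK" if port_state == "open" else "RST"
    if probe in ("NULL", "XMAS", "FIN"):
        return "no response" if port_state == "open" else "RST"
    if probe == "ACK":
        return "RST"    # open or closed: a RST means the filter let it through
    raise ValueError(probe)

def summarize(log_text, min_ports=3):
    """Return {src: {probe_type: distinct ports}} for sources that touched at
    least min_ports distinct destination ports; repeats to a single port do
    not qualify, which keeps ordinary clients out of the report."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _dst, dport, flags = line.split()
        seen[src][classify_flags(flags)].add(int(dport))
    return {src: {k: len(v) for k, v in kinds.items()}
            for src, kinds in seen.items()
            if sum(len(v) for v in kinds.values()) >= min_ports}

if __name__ == "__main__":
    for src, kinds in summarize(SAMPLE_LOG).items():
        print(src, kinds)
```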
SLIDE 63 63
Reconnaissance
The most popular port scanning tool.
SLIDE 64 64
Reconnaissance
The most popular port scanning tool.
SLIDE 65 65
Scanning
- nmap 192.168.56.101 (against MS2)
SLIDE 66 66
Scanning
- nmap -A -v 192.168.56.101 (against MS2)
SLIDE 67 67
Scanning
- nmap -A -v 192.168.56.101 (against MS2)
SLIDE 68 68
Scanning
- nmap -A -v 192.168.56.101 (against MS2)
SLIDE 69 69
Scanning
- nmap -A -v 192.168.56.101 (against MS2)
SLIDE 70 70
Scanning
- nmap -A -v 192.168.56.101 (against MS2)
SLIDE 71 71
Scanning
- nmap -A -v 192.168.56.101 (against MS2)
SLIDE 72 72
Scanning
- nmap 192.168.56.102 (against BT5R3)
SLIDE 73 73
Scanning
- nmap -sS -v 192.168.56.101 (against MS2)
SLIDE 74 74
Scanning
- nmap -sS -v 192.168.56.100-200 (range)
SLIDE 75 75
Reconnaissance
Conduct tests on large networks and consolidate tools for large‐scale endeavors.
- Ideal for large networks.
- Scans 65,535 ports in 3-7 seconds.
- Port scanning using TCP, ICMP, and IP.
- Optimizes UDP scanning.
SLIDE 76 76
Reconnaissance
A command‐line tool that allows you to ping multiple IP addresses simultaneously (determining which computers are “live”).
SLIDE 77 77
Reconnaissance
ping vs fping: specify a range
SLIDE 78 78
Reconnaissance
Allows you to ping sweep multiple IP addresses simultaneously while bypassing filtering devices (using modified IP packets).
SLIDE 79 79
Reconnaissance
SLIDE 80 80
Reconnaissance
SLIDE 81 81
Reconnaissance
set flags just like nmap…
SLIDE 82
82
Enumeration
- Next step after port scanning.
- Actually connecting to the system and obtaining information about users, passwords, and shared resources.
- Active / intrusive vs. passive.
SLIDE 83 83
REVIEW: OS Vulnerabilities
- Network Basic Input / Output System (NetBIOS)
- OSI Session Layer 5.
- Software that allows us to interact with shared network resources or devices.
- NetBIOS frees an application from understanding the details
- Still used today for ensuring backward compatibility.
- Uses ports open to the internet: UDP/137, UDP/138, TCP/139
SLIDE 84 84
REVIEW: OS Vulnerabilities
- Network Basic Input / Output System (NetBIOS)
Why is NetBIOS over TCP/IP considered a security risk again?
SLIDE 86 86
Enumeration
- Network Basic Input / Output System (NetBIOS)
- Names have a 16-character limit; 15 usable characters.
- The last character is reserved for service identification (00 to FF).
- Hackers attack Domain Controllers because of the type of info they hold.
- Null Sessions (NS) are a serious vulnerability for NetBIOS systems.
- NS still present on Windows XP
- NS disabled by default in Windows Server 2003
- NS not available in Windows Vista and Server 2008
- The nbtstat command is used.
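As an added example (not part of the slides), Python helpers that build a NetBIOS name as described above (15 usable characters, space-padded, plus the 16th suffix byte identifying the service), encode and decode it with the RFC 1001 first-level encoding that appears on the wire in NBT name queries, and translate the suffix into the service an nbtstat/nbtscan listing would show. The machine names are constructed.

```python
"""Build, encode and decode NetBIOS names: 15 usable characters padded with
spaces plus a 16th suffix byte naming the service, wire-encoded with the
RFC 1001 first-level encoding (two letters A..P per byte).
The example names are constructed."""

# Common suffix bytes and the service each one identifies.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}

def make_netbios_name(name, suffix):
    """16 raw bytes: name upper-cased, space-padded to 15, then the suffix."""
    if not 1 <= len(name) <= 15:
        raise ValueError("NetBIOS names allow at most 15 usable characters")
    return name.upper().ljust(15).encode("ascii") + bytes([suffix])

def first_level_encode(raw16):
    """Each byte becomes two letters: 'A' + high nibble, 'A' + low nibble."""
    if len(raw16) != 16:
        raise ValueError("raw NetBIOS name must be exactly 16 bytes")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw16)

def first_level_decode(encoded):
    """Reverse of first_level_encode: 32 letters A..P back to 16 bytes."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("encoded NetBIOS name must be 32 letters A-P")
    nib = [ord(c) - 0x41 for c in encoded]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, 32, 2))

def describe(raw16):
    """Split a raw name into (name, suffix, service) as a name listing shows it."""
    name = raw16[:15].decode("ascii").rstrip()
    suffix = raw16[15]
    return name, suffix, SUFFIXES.get(suffix, "unknown suffix")

# The wildcard name '*' followed by 15 zero bytes, used by NBT status queries.
WILDCARD_RAW = b"*" + b"\x00" * 15

if __name__ == "__main__":
    for host, suffix in (("fileserv01", 0x20), ("dc1", 0x1C), ("ws-42", 0x00)):
        raw = make_netbios_name(host, suffix)
        print(first_level_encode(raw), describe(raw))
    print("wildcard:", first_level_encode(WILDCARD_RAW))
```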
SLIDE 87
87
Enumeration
SLIDE 88
88
Enumeration
SLIDE 89 89
Enumeration
NetBIOS over TCP/IP scan finds computers running NETBIOS.
SLIDE 93 93
Enumeration
Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.
SLIDE 96 96
Enumeration
Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. Used without parameters, net use retrieves a list of network connections.
SLIDE 98 98
Enumeration
Enumeration tool for Windows systems allowing users to connect to a server and “dump” permissions for shares. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares.
SLIDE 100 100
Enumeration
Used to enumerate Windows computers on a network.
SLIDE 101 101
Enumeration
SLIDE 102 102
Enumeration
SLIDE 103 103
Review Questions
To find information about the key IT personnel responsible for a company’s domain, you might use which of the following tools? (Choose all that apply.)
a. Whois. b. Whatis. c. SamSpade. d. Nbtstat.
SLIDE 105 105
Review Questions
Which is one of the most vulnerable components to network attacks?
a. TCP/IP. b. WINS. c. DHCP. d. DNS.
SLIDE 107 107
Review Questions
Which of the following contains host records for a domain?
a. DNS b. WINS c. Linux server d. UNIX Web Clients
SLIDE 109 109
Review Questions
Which of the following enables you to view all host computers on a network?
a. SOA b. ipconfig c. Zone Transfers d. HTTP HEAD method
SLIDE 111 111
Review Questions
What’s one way to gather information about a domain?
a. View the header of an e‐mail you send to an e‐mail account that doesn’t exist. b. Use the ipconfig command. c. Use the ifconfig command. d. Connect via Telnet to TCP port 53.
SLIDE 113 113
Review Questions
To determine a company’s primary DNS server, you can look for a DNS server containing which of the following?
a. Cname record. b. Host record. c. PTR record. d. SOA record.
SLIDE 115 115
Review Questions
Which of the following tools can assist you in finding general information about an organization and its employees? (Choose all that apply.)
a.
b. http://groups.google.com c. netcat d. nmap
SLIDE 117 117
Review Questions
What’s the first method a security tester should attempt to find a password for a computer on the network?
a. Use a scanning tool. b. Install a sniffer on the network. c. Ask the user. d. Install a password‐cracking program.
SLIDE 119 119
Review Questions
Discovering a user's password by observing the keys he or she presses is called which of the following?
a. Password hashing b. Password crunching c. Piggybacking d. Shoulder surfing
SLIDE 121 121
Review Questions
Entering a company’s restricted area by following closely behind an authorized person is referred to as which of the following?
a. Shoulder surfing b. Piggybacking c. False entering d. Social Engineering
SLIDE 123 123
Review Questions
What social engineering technique involves telling an employee that you’re calling from the CEO’s office and need certain information ASAP?
a. Urgency b. Status quo c. Position of authority d. Quid pro quo
SLIDE 125 125
Review Questions
Security testers and hackers use which of the following to determine which services are running on a host?
a. Zone transfer b. Zone scanning c. Encryption algorithms d. Port scanning
SLIDE 127 127
Review Questions
Which flags are set on a packet sent with the nmap -sX 192.168.56.101 command?
a. FIN b. PSH c. SYN d. URG
SLIDE 129 129
Review Questions
Which nmap command verifies whether the SSH port is open on any computers in the 192.168.1.0 network? (Choose all that apply.)
a. nmap -v 192.168.1.0-254 -p 22
b. nmap -v 192.168.1.0-254 -p 23
c. nmap -v 192.168.1.0-254 -s 22
d. nmap -v 192.168.1.0/24 -p 22
SLIDE 131 131
Review Questions
A closed port responds to a SYN packet with which of the following packets?
a. FIN b. SYN‐ACK c. SYN d. RST
SLIDE 133 133
Review Questions
Which type of scan is usually used to bypass a firewall or packet‐filtering device?
a. ACK scan b. SYN scan c. XMAS scan d. FIN scan
SLIDE 135 135
Review Questions
A FIN packet sent to a closed port responds with which
a. FIN b. SYN‐ACK c. RST d. SYN
SLIDE 137 137
Review Questions
Which type of scan sends a packet with all flags set to NULL?
a. NULL b. VOID c. SYN d. XMAS
SLIDE 139 139
Review Questions
To bypass some ICMP‐filtering devices on a network, an attacker might send which type of packets to scan the network for vulnerable services?
a. PING packets b. SYN packets c. ACK packets d. Echo Request packets
SLIDE 141 141
Review Questions
Which of the following is a tool for creating a custom TCP/IP packet and sending it to a host computer?
a. Tracert b. Traceroute c. Hping d. Nmapping
SLIDE 143 143
Review Questions
Which of the following testing processes is the most intrusive?
a. Port scanning b. Enumeration c. Null scanning d. Numeration
SLIDE 145 145
Review Questions
Enumeration of Windows systems can be more difficult if which port is filtered?
a. 110 UDP b. 443 UDP c. 80 TCP d. 139 TCP
SLIDE 147 147
Review Questions
A null session is enabled by default in all the following versions except?
a. Windows 95 b. Windows Server 2008 c. Windows 98 d. Windows 2000
SLIDE 149 149
Review Questions
To identify the NetBIOS names of systems on the 193.145.85.0 network, which of the following commands do you use?
a. nbtscan 193.145.85.0/24 b. nbtscan 193.145.85.0‐255 c. nbtstat 193.145.85.0/24 d. netstat 193.145.85.0/24
SLIDE 151 151
Review Questions
Which of the following is a Windows command‐line utility for seeing NetBIOS shares on a network?
a. net use b. net user c. net view d. nbtuser
SLIDE 153 153
Review Questions
A NetBIOS name can contain a maximum of how many characters?
a. 10 b. 11 c. 15 d. 16
SLIDE 155 155
Review Questions
Which of the following commands connects to a computer containing shared files and folders?
a. net view b. net use c. netstat d. nbtstat
SLIDE 157 157
Review Questions
Which ports are most vulnerable to NetBIOS attacks?
a. 135 to 137 b. 389 to 1023 c. 135 to 139 d. 110 and 115
SLIDE 159 159
Review Questions
What is the best method of preventing NetBIOS attacks?
a. Filtering certain ports at the firewall b. Telling users to create difficult‐to‐guess passwords c. Pausing the Workstation service. d. Stopping the Workstations service.
SLIDE 161 161
Review Questions
Which of the following is a commonly used UNIX enumeration tool?
a. Netcat b. Nbtstat c. Netstat d. Finger
SLIDE 163 163
Quiz #2
- Short answer, closed book, closed notes.
SLIDE 164
164
Questions?
probbins@hawaii.edu
www2.hawaii.edu/~probbins https://www.dorkatron.com/docs/ISA330/