Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Modul 2 Footprinting Scanning Enumeration Isbat Uzzin Nadhori Informatical Engineering PENS-ITS Politeknik Elektronika Negeri Surabaya ITS - Surabaya.

Similar presentations


Presentation on theme: "1 Modul 2 Footprinting Scanning Enumeration Isbat Uzzin Nadhori Informatical Engineering PENS-ITS Politeknik Elektronika Negeri Surabaya ITS - Surabaya."— Presentation transcript:

1 1 Modul 2 Footprinting Scanning Enumeration Isbat Uzzin Nadhori Informatical Engineering PENS-ITS Politeknik Elektronika Negeri Surabaya ITS - Surabaya

2 2 Intelligence Gathering Techniques  3 Major Steps Foot Printing Scanning Enumeration  Similar to Military Gather information on the target Analyze weaknesses Construct and launch attack

3 3 Gathering Process Overview  You can’t attack what you don’t know

4 4 Hacking Step

5 5 Hacking Step …

6 6 Gathering Process overview Hosts Ports Services Vulnerabilities

7 7 Footprinting

8 8 Footprinting  Footprinting is the ability to obtain essential information about an organization. Commonly called network reconnaissance.  Result Gather information includes: –The technologies that are being used such as, Internet, Intranet, Remote Access and the Extranet. –To explored the security policies and procedures –take an unknown quality and reduce it –Take a specific range of domain names, network blocks and individual IP addresses of a system that is directly connected to the Internet  This is done by employing various computer security techniques, as: DNS queries  nslookup, dig, Zone TransferDNS Network enumeration Network queries Operating system identificationOperating system Organizational queries  When used in the computer security lexicon, "footprinting" generally refers to one of the pre-attack phases; tasks performed prior to doing the actual attack. Some of the tools used for footprinting areSam Spade, nslookup, traceroute, Nmap and neotrace.Sam SpadenslookuptracerouteNmap Ping sweepsPing Point of contact queries Port Scanning Registrar queries (WHOIS queries)WHOIS SNMP queriesSNMP World Wide Web spideringWorld Wide Web

9 9 DNS Query

10 10 Network Query Tools * Ping * NSlookup * Whois * IP block search * Dig * Traceroute * Finger * SMTP VRFY * Web browser keep-alive * DNS zone transfer * SMTP relay check * Usenet cancel check * Website download * Website search * header analysis * blacklist * Query Abuse address

11 11 Information to Gather  Attacker’s point of view Identify potential target systems Identify which types of attacks may be useful on target systems  Defender’s point of view Know available tools May be able to tell if system is being footprinted, be more prepared for possible attack Vulnerability analysis: know what information you’re giving away, what weaknesses you have

12 12 OS Identification

13 13 Point of Contact

14 14 Tools - Linux  Some basic Linux tools - lower level utilities Local System hostnameifconfig who, last Remote Systems pingtraceroute nslookup, dig whois arp, netstat (also local system) Other tools lsof

15 15 Tools – Linux (2)  Other utilities wireshark (packet sniffing) nmap (port scanning) - more later Ubuntu Linux Go to System / Administration / Network Tools – get interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois

16 16 Tools - Windows  Windows Sam Spade (collected network tools) Wireshark (packet sniffer) Command line tools ipconfig Many others…

17 17 Traceroute # traceroute ns1.target-company.com traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets 1 fw-gw ( ) ms ms ms 2 s1-0-1-access ( ) ms ms ms 3 dallas.tx.core1.fastlane.net ( ) ms ms ms 4 atm CR-1.usdlls.savvis.net ( ) ms ms ms 5 Serial1-0-1.GW1.DFW1.ALTER.NET ( ) ms ms ms ATM3-0.XR2.DFW4.ALTER.NET ( ) ms ms ms ( ) ms ms ms 8 dfw2-core2-pt4-1-0.atlas.digex.net ( ) ms ms ms 9 dfw2-core1-fa8-1-0.atlas.digex.net ( ) ms ms ms 10 swbell-net.demarc.swbell.net ( ) ms ms ms 11 ded2-fa1-0-0.rcsntx.swbell.net ( ) ms ms ms 12 target-company cust-rtr.swbell.net ( x.xxx) ms ms ms 13ns1.target-company.com (xxx.xx.xx.xx) ms ms ms

18 18 Traceroute - Network Mapping cw swb Internet Routers

19 19 Traceroute - Network Mapping cw swb Internet Routers

20 20 Traceroute - Network Mapping Firewall DMZ cw swb VPN Internet Routers

21 21 Traceroute - Network Mapping Firewall DMZ www ftp cw swb VPN Internet Routers

22 22 Traceroute - Network Mapping Firewall DMZ www ftp cw swb VPN Internet Routers

23 23 Traceroute - Network Mapping Sun Linux Firewall NT Hosts InsideDMZ www ftp cw swb VPN Internet Routers

24 24 Traceroute - Network Mapping Sun Linux Firewall NT Hosts InsideDMZ www ftp cw swb VPN Internet Routers Linux xxx.xx.48.2 AIX xxx.xx.48.1 Checkpoint Firewall-1 Solaris 2.7 xxx.xx Checkpoint Firewall-1 Nortel VPN xxx.xx Cisco xxx.xxx Nortel CVX x.xxx IDS?

25 25 Domain Name: UWEC.EDU Registrant: University of Wisconsin - Eau Claire University of Wisconsin - Eau Claire 105 Garfield Avenue 105 Garfield Avenue Eau Claire, WI Eau Claire, WI UNITED STATES UNITED STATESContacts: Administrative Contact: Administrative Contact: Computing and Networking Services Computing and Networking Services 105 Garfield Ave 105 Garfield Ave Eau Claire, WI Eau Claire, WI UNITED STATES UNITED STATES (715) (715) Name Servers: TOMATO.UWEC.EDU TOMATO.UWEC.EDU LETTUCE.UWEC.EDU LETTUCE.UWEC.EDU BACON.UWEC.EDU BACON.UWEC.EDU Whois

26 26 Scanning

27 27 Introduction  Scanning can be compared to a thief checking all the doors and windows of a house he wants to break into.  Scanning- The art of detecting which systems are alive and reachable via the internet and what services they offer, using techniques such as ping sweeps, port scans and operating system identification, is called scanning. The kind of information collected here has to do with the following: 1) TCP/UDP services running on each system identified. 2) System architecture (Sparc, Alpha, x86) 3) Specific IP address of systems reachable via the internet. 4) Operating System type.

28 28 Ping Sweeps pingping sweep is a method that can establish a range of IP addresses which map to live hosts.IP addresses  ICMP Sweeps (ICMP ECHO requests)  Broadcast ICMP  Non Echo ICMP  TCP Sweeps  UDP Sweeps

29 29 PING SWEEPS ICMP SWEEPS ICMP ECHO request ICMP ECHO reply Target alive Intruder Querying multiple hosts – Ping sweep is fairly slow Examples UNIX – fping and gping WINDOWS - Pinger

30 30 Broadcast ICMP Intruder Network ICMP ECHO request ICMP ECHO reply Can Distinguish between UNIX and WINDOWS machine UNIX machine answers to requests directed to the network address. WINDOWS machine will ignore it.

31 31 PING SWEEPS NON – ECHO ICMP Example ICMP Type 13 – (Time Stamp)  Originate Time Stamp - The time the sender last touched the message before sending  Receive Time Stamp - The echoer first touched it on receipt.  Transmit Time Stamp - The echoer last touched on sending it.

32 32 PING Sweeps TCP Sweeps Server Client C(SYN:PortNo & ISN) S (SYN & ISN) + ACK[ C (SYN+!) ] RESET (not active) S(ISN+1) When will a RESET be sent? When RFC does not appear correct while appearing. RFC = (Destination (IP + port number) & Source( IP & port number))

33 33 PING Sweeps Depends on ICMP PORT UNREACHABLE message. UDP data gram ICMP PORT UNREACHABLE Unreliable because Routers can drop UDP packets UDP services may not respond when correctly probed Firewalls are configured to drop UDP Relies on fact that non-active UDP port will respond Target System

34 34 PORT SCANNING Types:  TCP Connect() Scan  TCP SYN Scan( Half open scanning)  Stealth Scan  Explicit Stealth Mapping Techniques SYN/ACL, FIN, XMAS and NULL  Inverse Mapping Reset Scans, Domain Query Answers  Proxy Scanning / FTP Bounce Scanning  TCP Reverse Ident Scanning

35 35 Port Scanning Types  TCP Connect() Scan SYN packet SYN/ACK listening RST/ACK (port not listening) SYN/ACK A connection is terminated after the full length connection establishment process has been completed

36 36 Port Scanning Type  TCP SYN Scan (half open scanning) SYN packet SYN/ACK listening RST/ACK (port not listening) We immediately tear down the connection by sending a RESET

37 37 Port Scanning Type Stealth Scan A scanning technique family doing the following  Pass through filtering rules.  Not to be logged by the targeted system logging mechanism  Try to hide themselves at the usual site / network traffic. The frequently used stealth mapping techniques are.  SYN/ACK scan  FIN scans  XMAS scans  NULL scans

38 38 PORT Scanning Techniques:  Random Port scan  Slow Scan  Fragmentation Scanning  Decoy  Coordinated Scans

39 39 PORT Scanning “Random” Port Scan Randomizing the sequence of ports probed may prevent detection. Slow Scan Some hackers are very patient and can use network scanners that spread out the scan over a long period of time. The scan rate can be, for example, as low as 2 packets per day per target site. Fragmentation scanning In case of TCP the 8 octets of data (minimum fragment size) are enough to contain the source and destination port numbers. This will force the TCP flags field into the second fragment. Decoy Some network scanners include options for Decoys or spoofed address in their attacks. Coordinated Scans If multiple IPs probe a target network, each one probes a certain service on a certain machine in a different time period, and therefore it would be nearly impossible to detect these scans.

40 40 Operating System Detection  Banner Grabbing  DNS HINFO Record  TCP/IP Stack Fingerprinting

41 41 Operating System Detection

42 42 Operating System Detection  DNS HINFO Record The host information record is a pair of strings identifying the host’s hardware type and the operating system www IN HINFO “Sparc Ultra 5” “Solaris 2.6” One of the oldest technique

43 43 Operating System Detection  TCP/IP Finger Printing The ideas to send specific TCP packets to the target IP and observe the response which will be unique to certain group or individual operations. Types of probes used to determine the OS type The FIN Probe, The Bogus Flag Probe, TCP initial sequence number sampling, Don’t Fragment bit, TCP initial window, ACK value, ICMP error Message Quenching, ICMP message quoting, ICMP error message Echoing Integrity, Type of service, fragmentation handling, TCP options

44 44 Firewalking  Gather information about a remote network protected by a firewall  Purpose Mapping open ports on a firewall Mapping a network behind a firewall If the firewall’s policy is to drop ICMP ECHO Request/Reply this technique is very effective.

45 45 How does Firewalking work?  It uses a traceroute-like packet filtering to determine whether or not a particular packet can pass through a packet-filtering device.  Traceroute is dependent on IP layer(TTL field), any transport protocol can be used the same way(TCP, UDP, and ICMP).

46 46 What Firewalking needs?  The IP address of the last known gateway before the firewall takes place. Serves as WAYPOINT  The IP address of a host located behind the firewall. Used as a destination to direct packet flow

47 47 Getting the Waypoint  If we try to traceroute the machine behind a firewall and get blocked by an ACL filter that prohibits the probe, the last gateway which responded(the firewall itself can be determined)  Firewall becomes the waypoint.

48 48 Getting the Destination  Traceroute the same machine with a different traceroute-probe using a different transport protocol.  If we get a response That particular traffic is allowed by the firewall We know a host behind the firewall.  If we are continuously blocked, then this kind of traffic is blocked.  Sending packets to every host behind the packet- filtering device can generate an accurate map of a network’s topology.

49 49 How to identify/avoid threats?  Long-standing rule for Unix System administrators to turn off any services that aren’t in use  For personal workstations! Hackers have access to utilities to scan the servers but so do you!. Hackers look in for open ports. So we can our servers first and know what the hackers will see and close any ports that shouldn’t be open.

50 50 Some tools to help us  Nmap It is a utility that scans a particular server and informs us which ports are open.  Ethereal It is a utility that will scan the network and help us decode what is going on. We can watch the network traffice and find out if hackers can see anything that will help them break into our systems.

51 51 Enumeration

52 52 Introduction to Enumeration  Enumeration extracts information about: –Resources or shares on the network –User names or groups assigned on the network –Last time user logged on –User’s password  Before enumeration, you use Port scanning and footprinting –To Determine OS being used  Intrusive process

53 53 NBTscan  NBT (NetBIOS over TCP/IP) –is the Windows networking protocol –used for shared folders and printers  NBTscan –Tool for enumerating Microsoft OSs

54 54 Null Session Information  Using these NULL connections allows you to gather the following information from the host: –List of users and groups –List of machines –List of shares –Users and host SIDs (Security Identifiers) From brown.edu (link Ch 6b)

55 55 Demonstration of Null Sessions  Start Win 2000 Pro  Share a folder  From a Win XP command prompt –NET VIEW \\ip-address Fails –NET USE \\ip-address\IPC$ "" /u:"" Creates the null session Username="" Password="" –NET VIEW \\ip-address Works now

56 56 Demonstration of Enumeration  Download Winfo from link Ch 6g  Run it – see all the information!

57 57 NetBIOS Enumeration Tools  Net view command –Shows whether there are any shared resources on a network host

58 58 NetBIOS Enumeration Tools (continued)  Net use command –Used to connect to a computer with shared folders or files

59 59 Net use

60 60

61 61 Additional Enumeration Tools  NetScanTools Pro  DumpSec  Hyena  NessusWX

62 62 NetScanTools Pro  Produces a graphical view of NetBIOS running on a network  Enumerates any shares running on the computer  Verifies whether access is available for shared resource using its Universal Naming Convention (UNC) name  Costs about $250 per machine (link Ch 6i)

63 63

64 64

65 65 DumpSec  Enumeration tool for Microsoft systems  Produced by Foundstone, Inc.  Allows user to connect to a server and “dump” the following information –Permissions for shares –Permissions for printers –Permissions for the Registry –Users in column or table format –Policies and rights –Services

66 66 DumpSec

67 67 Hyena  Excellent GUI product for managing and securing Microsoft OSs  Shows shares and user logon names for Windows servers and domain controllers  Displays graphical representation of: –Microsoft Terminal Services –Microsoft Windows Network –Web Client Network –Find User/Group

68 68

69 69 NessusWX  This is the client part of Nessus  Allows enumeration of different OSs on a large network  Running NessusWX –Be sure Nessus server is up and running –Open the NessusWX client application –To connect your client with the Nessus server Click Communications, Connect from the menu on the session window Enter server’s name Log on the Nessus server

70 70

71 71

72 72 NessusWX (continued)  Nessus identifies –NetBIOS names in use –Shared resources –Vulnerabilities with shared resources Also offers solutions to those vulnerabilities –OS version –OS vulnerabilities –Firewall vulnerabilities

73 73

74 74

75 75

76 76

77 77 Enumerating the *NIX Operating System  Several variations –Solaris –SunOS –HP-UX –Linux –Ultrix –AIX –BSD UNIX –FreeBSD –OpenBSD

78 78 UNIX Enumeration  Finger utility –Most popular tool for security testers –Finds out who is logged in to a *NIX system –Determine owner of any process  Nessus –Another important *NIX enumeration tool

79 79

80 80

81 81 Footprinting And Enumeration using netcraft.com


Download ppt "1 Modul 2 Footprinting Scanning Enumeration Isbat Uzzin Nadhori Informatical Engineering PENS-ITS Politeknik Elektronika Negeri Surabaya ITS - Surabaya."

Similar presentations


Ads by Google