Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recon 1 Reconnaissance Recon 2 Attack Phases  Phase 1: Reconnaissance  Phase 2: Scanning  Phase 3: Gaining access o Application/OS attacks o Network.

Similar presentations

Presentation on theme: "Recon 1 Reconnaissance Recon 2 Attack Phases  Phase 1: Reconnaissance  Phase 2: Scanning  Phase 3: Gaining access o Application/OS attacks o Network."— Presentation transcript:


2 Recon 1 Reconnaissance

3 Recon 2 Attack Phases  Phase 1: Reconnaissance  Phase 2: Scanning  Phase 3: Gaining access o Application/OS attacks o Network attacks/DoS attacks  Phase 4: Maintaining access  Phase 5: Covering tracks and hiding

4 Recon 3 Recon  Before bank robber robs a bank… o Visit the bank o Make friends with an employee (inside info) o Study alarm system, vault, security guard’s routine, security cameras plscement, etc. o Plan arrival and get away  Most of this is not high tech  Similar ideas hold for info security

5 Recon 4 Social Engineering  Hypothetical examples o New “admin” asks secretary for help o Angry “manager” calls employee/admin asking for password o “Employee” in the field calls another employee for help with remote access  Real-world examples o Employees help white hat guy steal company IP o Person turns over secrets to trusted “friend”

6 Recon 5 Social Engineering  Social engineering o Defeats strongest crypto, best access control, protocols, IDS, firewalls, software security, etc., etc.  Attacker may not even touch keyboard  Ultimate low-tech recon/attack method

7 Recon 6 Social Engineering  Telephone based attacks o Company phone number may give attacker instant credibility  Attacker might ask for voice mail service  Spoofed caller ID o Appears attacker has company phone number o Online services: Telespoof, Camophone o Some VoIP software o Phone companies also sell such services

8 Recon 7 Camophone  Spoofed caller ID  Cost?  5 cents per minute

9 Recon 8 Social Engineering Defenses  Hard to defend against o Rooted in human nature o Many legitimate uses of “social engineering” (police, sales people, etc.)  User education helps o Do not give out sensitive info (passwords) o Do not trust caller ID, etc.  May not want totally paranoid employees

10 Recon 9 Physical Security  If Trudy gets physical access…  Might find logged in computer, post-it note with passwords, etc.  Might install back door, keystroke logger, access point to LAN, etc.  Could steal USB drives, laptop, computers, CDs, etc.

11 Recon 10 Physical Access  How can attacker gain physical access? o Ask for it o Fake it o Physical break in  Or attacker might be employee o Then Trudy already has access o Limit employee’s physical access?

12 Recon 11 Defenses  Require badges for entry o What if someone forgets badge?  Biometrics for entry are useful o Iris scan, hand geometry, …  Monitor what people take in/out o Laptop, USB drive, CD, Furby?Furby o Miniaturization makes this difficult

13 Recon 12 Defenses  Use locks on file cabinets o Don’t leave key in the lock…  Automatic screen saver with pwd  Encrypted hard drives o Especially for those who travel o Need a way to recover encrypted files o But there are attacks…attacks

14 Recon 13 Dumpster Diving  What might Trudy find in trash? o CDs, DVDs, discarded machines, USB, … o Diagrams of network architecture  Defenses o Destroy hard drive before discarding o Destroy media (degaussing is not enough) o Shred paper, etc.

15 Recon 14 Search the “Fine” Web  “Fine” is placeholder for another word o As in “Read the ‘Fine’ Documentation”  Huge amount of info available on Web  Google it! o For example Google the MD5 hash value o 20f1aeb7819d c898d1e98c1bb 20f1aeb7819d c898d1e98c1bb

16 Recon 15 Google Hacking  Using Google to help in attacks o Not “hacking Google”  See, for example o Johnny Long’s Website Johnny Long’s Website o Google hacking 101 Google hacking 101  Google selected as “favorite hacking tool” by some infamous hackers

17 Recon 16 Google  Four important elements of Google 1. Google bot o Crawls Web looking for info to index 2. Google index o Billions served… o Ranked using (secretive) algorithm o Why so secretive?

18 Recon 17 Google 3. Google cache o Copy of data that bots found o Includes html, doc, pdf, ppt, etc., etc. o Up to 101k of text each, no images o See also, Wayback MachineWayback Machine 4. Google API o Program need to Google too o Requires API “key” (free from Google) o Limited to 1k searches per day

19 Recon 18 Google  For any Google search… o Max number of results limited to 1,000 o Limits data mining capabilities  So searches must be precise  Use “search directives” o No space after directive, searches case insensitive, max of 10 search terms

20 Recon 19 Google Search Directives  site:[domain] o Searches particular domain o stamp  link:[web page] o All sites linked to a given web page o  intitle:[term(s)] o Web sites that include “term(s)” in title o intitle:”index of” stamp

21 Recon 20 Google Search Directives  related:[site] o Similar sites, based on Google’s indexing o  cache:[page] o Display Web page from Google’s cache o  filetype:[suffix] o Like ppt, doc, etc. o filetype:ppt stamp

22 Recon 21 Google Search Directives  rphonebook:[name and city or state] o Residential phone book o rphonebook:Mark Stamp Los Gatos  bphonebook:[name and city or state] o Business phone book  phonebook:[name and city or state] o Residential and business phone books

23 Recon 22 Other Search Operations  Literal match (“ ”) o “metamorphic engines”  Not (-) o Filter out sites that include term o -ty -lin  Plus (+) o Include (normally filtered) term o Not the opposite of “+” o stamp +the

24 Recon 23 Interesting Searches  From the text o filetype:xls ssn o ssn -filetype:pdf o filetype:asp o filetype:cgi o filetype:php o filetype:jsp o filetype:xls

25 Recon 24 Google Hacking Database  Google Hacking Database (GHDB) Google Hacking Database  Interesting searches o intitle:”index of” finance.xls o “welcome to intranet” o intitle:”gateway configuration menu” o intitle:”samba web administration tool” intext:”help workgroup”

26 Recon 25 GHDB  Intitle:”welcome to IIS 4.0”  “… w e find that even if they've taken the time to change their main page, some dorks forget to change the titles of their default-installed web pages. This is an indicator that their web server is most likely running … the now considered OLD IIS 4.0 and that at least portions of their main pages are still exactly the same as they were out of the box. Conclusion? The rest of the factory-installed stuff is most likely lingering around on these servers as well. … Factory-installed default scripts: FREE with operating system. Getting hacked by a script kiddie that found you on Google: PRICELESS. For all the things money can't buy, there's a googleDork award.”

27 Recon 26 Google  Suppose sensitive data is accessible o Removing it does not remove problem o Google cache, Wayback Machine  What about automated searches? o Google API o SiteDigger and Wikto

28 Recon 27 SiteDigger  User provides Google API key  One search… o Uses GHDB o Does 1k Google searches o Your daily limit o There’s always tomorrow…

29 Recon 28 Google  Lots of other interesting Google searches o Track current flights o Look up auto VIN o Look up product UPC  Google filters some sensitive data o SSNs, for example  Yahoo and MSN Search do less filtering

30 Recon 29 Newsgroups  “Listening in at the virtual water cooler”  Employees submit detailed questions o How to configure something o How to code something o How to troubleshoot a problem  Reveals info about products, config, etc. o “sensitive information leakage on a grand scale”  Attacker could even play active role o Give bad/incorrect advice

31 Recon 30 Newsgroups  To search groups o o Repackaged version of DejaNews

32 Recon 31 Organization’s Website  Web site might reveal useful info o Employee contact info o Clues about corporate culture/language o Business partners o Recent mergers and acquisitions o Technology in use o Open jobs

33 Recon 32 Defenses Against Web Recon  Limit what goes on Web pages o No sensitive info o Limit info about products, configuration, …  Security by obscurity? o “…no sense putting an expensive lock on your door and leaving milk and cookies outside so the lock picker can have a snack” while he breaks in

34 Recon 33 Defenses Against Web Recon  Have a policy on use of newsgroups  Monitor publicly available info  Google/Wayback will remove sensitive data  Use robots.txt so Web pages not indexed o Tags: noindex, nofollow, noarchive, nosnippet o Well-behaved crawlers will respect these, but… o …a sign to bad guys of sensitive data

35 Recon 34 Whois Databases  Internet “white pages” listing o Domain names, contact info, IP addresses,.net,.org,.edu  ICANN oversees registration process o Hundreds of actual registrars

36 Recon 35 InterNIC  InterNIC (Internet Network Info Center) o First place to look o Info on domain name registration services

37 Recon 36 InterNIC  Whois info available from InterNIC o com,net,org,edu  Other sites for other top level domains

38 Recon 37 Whois  Once registrar is known, attacker can contact it o More detailed Whois info o Network Solutions in this example

39 Recon 38 Whois  Info includes o Names o Telephone numbers o addresses o Name (DNS) servers o And so on…

40 Recon 39 IP Address Assignment  ARIN (American Registry for Internet Numbers) o Info about who owns IP address or range of addresses  Similar organizations for Europe, Asia, Latin America, …

41 Recon 40 Defense Against Whois Search  Bad idea to put false info into databases o Important that people can contact you o For example, if attack launched from your site  No real defense against Whois  Anonymous registration services exist o Author is not fond of these o Better to train against social engineering

42 Recon 41 Domain Name System  DNS o A hierarchical distributed database o Like a (hierarchical distributed) telephone directory o Converts human-friendly names into computer-friendly IP addresses  Internet is impossible without DNS

43 Recon 42 DNS  13 root DNS servers o A “single point” of failure for Internet

44 Recon 43 DNS  DNS example o Recursive and iterative searches o Resolved locally, if possible o Lots and lots of caching

45 Recon 44 DNS  DNS cache on Windows machine

46 Recon 45 DNS  Gives IP address of a domain  Lots of other info  DNS record types o Address: domain name/IP address (or vice-versa) o Host information: info about system o Mail exchange: mail system info o Name server: DNS servers o Text: arbitrary text string

47 Recon 46 Interrogating DNS  Attacker determines DNS servers o From registrar’s Whois database  Use nslookup (or dig in Linux) to interrogate name servers o Zone transfer (all info about domain) o See example from text --- IP addresses, mail server names, OS types, etc.

48 Recon 47 DNS Recon Defenses  Remove info on OS types, etc.  Restrict zone transfers o To primary and secondary name servers  Employ “split DNS” o Allow outside DNS activity related to Web, mail, FTP, …, servers o No outside DNS directly from internal network

49 Recon 48 Split DNS  Internal DNS server acts as proxy o Relays requests to external DNS o Internal users can resolve internal and external

50 Recon 49 General-Purpose Recon Tools  Sam Spade Sam Spade o Detective character in Dashiell Hammett’s novel, The Maltese Falcon o Humphrey Bogart o Also a general Web-based recon tool  Research and attack portals o For more specific info

51 Recon 50 Sam Spade  All the bells and whistles  Some of Sam Spade’s capabilities o ping, whois lookups, IP block whois, nslookup, DNS zone transfer, traceroute, finger o SMTP VRFY --- is given address valid? o Web browser --- view raw HTTP interaction o Web crawler --- grab entire web site

52 Recon 51 Sam Spade  “The incredibly useful Sam Spade user interface”

53 Recon 52 Other General Recon Tools  Active Whois Browser Active Whois Browser o Whois and DNS tool, $19.95  NetScanTools Pro NetScanTools Pro o Costs $249+  iNetTools iNetTools o Feature-limited, but free

54 Recon 53 Web-based Recon Tools  Some “run by rather shady operators” o o o o o o o

55 Recon 54 AttackPortal  AttackPortal o Helps attacker remain anonymous o This site is moribund (2005)

56 Recon 55 Conclusion  Attacker can gain useful info from variety of sources o From social engineering to automated tools… o …and everything in between  Useful info might include o Contact info, IP addresses, domain names o Possibly system details, technologies used, …  Building blocks for actual attacks

57 Recon 56 Summary  Sophisticated attacks likely to start with recon phase  Low-tech recon techniques o Social engineering o Spoofed caller ID o Physical access o Dumpster diving

58 Recon 57 Summary  Higher-tech techniques o Google hacking, SiteDigger, GHDB o Whois databases, InterNIC, ARIN o DNS, nslookup, dig o Sam Spade, client-side recon tools o Web-based recon tools

Download ppt "Recon 1 Reconnaissance Recon 2 Attack Phases  Phase 1: Reconnaissance  Phase 2: Scanning  Phase 3: Gaining access o Application/OS attacks o Network."

Similar presentations

Ads by Google