
1 Reconnaissance (Recon)

2 Attack Phases
- Phase 1: Reconnaissance
- Phase 2: Scanning
- Phase 3: Gaining access
  - Application/OS attacks
  - Network attacks/DoS attacks
- Phase 4: Maintaining access
- Phase 5: Covering tracks and hiding

3 Recon
- Before bank robber robs a bank…
  - Visit the bank
  - Make friends with an employee (inside info)
  - Study alarm system, vault, security guard’s routine, security camera placement, etc.
  - Plan arrival and getaway
- Most of this is not high tech
- Similar ideas hold for info security

4 Social Engineering
- Hypothetical examples
  - New “admin” asks secretary for help
  - Angry “manager” calls employee/admin asking for password
  - “Employee” in the field calls another employee for help with remote access
- Real-world examples
  - Employees help white hat guy steal company IP
  - Person turns over secrets to trusted “friend”

5 Social Engineering
- Social engineering
  - Defeats strongest crypto, best access control, protocols, IDS, firewalls, software security, etc., etc.
  - Attacker may not even touch keyboard
  - Ultimate low-tech recon/attack method

6 Social Engineering
- Telephone-based attacks
  - Company phone number may give attacker instant credibility
  - Attacker might ask for voice mail service
  - Spoofed caller ID
    - Appears attacker has company phone number
    - Online services: Telespoof, Camophone
    - Some VoIP software
    - Phone companies also sell such services

7 Camophone
- Spoofed caller ID
- Cost? 5 cents per minute

8 Social Engineering Defenses
- Hard to defend against
  - Rooted in human nature
  - Many legitimate uses of “social engineering” (police, sales people, etc.)
- User education helps
  - Do not give out sensitive info (passwords)
  - Do not trust caller ID, etc.
- May not want totally paranoid employees

9 Physical Security
- If Trudy gets physical access…
  - Might find logged-in computer, post-it note with passwords, etc.
  - Might install back door, keystroke logger, access point to LAN, etc.
  - Could steal USB drives, laptops, computers, CDs, etc.

10 Physical Access
- How can attacker gain physical access?
  - Ask for it
  - Fake it
  - Physical break-in
- Or attacker might be employee
  - Then Trudy already has access
  - Limit employee’s physical access?

11 Defenses
- Require badges for entry
  - What if someone forgets badge?
- Biometrics for entry are useful
  - Iris scan, hand geometry, …
- Monitor what people take in/out
  - Laptop, USB drive, CD, Furby?
  - Miniaturization makes this difficult

12 Defenses
- Use locks on file cabinets
  - Don’t leave key in the lock…
- Automatic screen saver with pwd
- Encrypted hard drives
  - Especially for those who travel
  - Need a way to recover encrypted files
  - But there are attacks…

13 Dumpster Diving
- What might Trudy find in trash?
  - CDs, DVDs, discarded machines, USB, …
  - Diagrams of network architecture
- Defenses
  - Destroy hard drive before discarding
  - Destroy media (degaussing is not enough)
  - Shred paper, etc.

14 Search the “Fine” Web
- “Fine” is placeholder for another word
  - As in “Read the ‘Fine’ Documentation”
- Huge amount of info available on Web
- Google it! For example
  - Google the MD5 hash value 20f1aeb7819d c898d1e98c1bb

15 Google Hacking
- Using Google to help in attacks
  - Not “hacking Google”
- See, for example
  - Johnny Long’s Website
  - Google hacking 101
- Google selected as “favorite hacking tool” by some infamous hackers

16 Google
- Four important elements of Google
- Google bot
  - Crawls Web looking for info to index
- Google index
  - Billions served…
  - Ranked using (secretive) algorithm
  - Why so secretive?

17 Google
- Google cache
  - Copy of data that bots found
  - Includes html, doc, pdf, ppt, etc., etc.
  - Up to 101k of text each, no images
  - See also, Wayback Machine
- Google API
  - Programs need to Google too
  - Requires API “key” (free from Google)
  - Limited to 1k searches per day

18 Google
- For any Google search…
  - Max number of results limited to 1,000
  - Limits data mining capabilities
- So searches must be precise
  - Use “search directives”
  - No space after directive, searches case insensitive, max of 10 search terms

19 Google Search Directives
- site:[domain]
  - Searches particular domain; example search term: stamp
- link:[web page]
  - All sites linked to a given web page
- intitle:[term(s)]
  - Web sites that include “term(s)” in title
  - intitle:”index of” stamp

20 Google Search Directives
- related:[site]
  - Similar sites, based on Google’s indexing
- cache:[page]
  - Display Web page from Google’s cache
- filetype:[suffix]
  - Like ppt, doc, etc.
  - filetype:ppt stamp

21 Google Search Directives
- rphonebook:[name and city or state]
  - Residential phone book
  - rphonebook:Mark Stamp Los Gatos
- bphonebook:[name and city or state]
  - Business phone book
- phonebook:[name and city or state]
  - Residential and business phone books

22 Other Search Operations
- Literal match (“ ”)
  - “metamorphic engines”
- Not (-)
  - Filter out sites that include term
  - -ty -lin
- Plus (+)
  - Include (normally filtered) term
  - Not the opposite of “-”
  - stamp +the

23 Interesting Searches
- From the text
  - filetype:xls ssn
  - ssn -filetype:pdf
  - filetype:asp
  - filetype:cgi
  - filetype:php
  - filetype:jsp
  - filetype:xls

24 Google Hacking Database
- Google Hacking Database (GHDB)
- Interesting searches
  - intitle:”index of” finance.xls
  - “welcome to intranet”
  - intitle:”gateway configuration menu”
  - intitle:”samba web administration tool”
  - intext:”help workgroup”

25 GHDB
- intitle:”welcome to IIS 4.0”
- “… we find that even if they've taken the time to change their main page, some dorks forget to change the titles of their default-installed web pages. This is an indicator that their web server is most likely running … the now considered OLD IIS 4.0 and that at least portions of their main pages are still exactly the same as they were out of the box. Conclusion? The rest of the factory-installed stuff is most likely lingering around on these servers as well. … Factory-installed default scripts: FREE with operating system. Getting hacked by a script kiddie that found you on Google: PRICELESS. For all the things money can't buy, there's a googleDork award.”

26 Google
- Suppose sensitive data is accessible
- Removing it does not remove problem
  - Google cache, Wayback Machine
- What about automated searches?
  - Google API
  - SiteDigger and Wikto

27 SiteDigger
- User provides Google API key
- Uses GHDB
- One search…
  - Does 1k Google searches
  - Your daily limit
  - There’s always tomorrow…

28 Google
- Lots of other interesting Google searches
  - Track current flights
  - Look up auto VIN
  - Look up product UPC
- Google filters some sensitive data
  - SSNs, for example
  - Yahoo and MSN Search do less filtering

29 Newsgroups
- “Listening in at the virtual water cooler”
- Employees submit detailed questions
  - How to configure something
  - How to code something
  - How to troubleshoot a problem
- Reveals info about products, config, etc.
  - “sensitive information leakage on a grand scale”
- Attacker could even play active role
  - Give bad/incorrect advice

30 Newsgroups
- To search groups
  - Repackaged version of DejaNews

31 Organization’s Website
- Web site might reveal useful info
  - Employee contact info
  - Clues about corporate culture/language
  - Business partners
  - Recent mergers and acquisitions
  - Technology in use
  - Open jobs

32 Defenses Against Web Recon
- Limit what goes on Web pages
  - No sensitive info
  - Limit info about products, configuration, …
- Security by obscurity?
  - “…no sense putting an expensive lock on your door and leaving milk and cookies outside so the lock picker can have a snack” while he breaks in

33 Defenses Against Web Recon
- Have a policy on use of newsgroups
- Monitor publicly available info
  - Google/Wayback will remove sensitive data
- Use robots.txt so Web pages not indexed
  - Tags: noindex, nofollow, noarchive, nosnippet
  - Well-behaved crawlers will respect these, but…
  - …a sign to bad guys of sensitive data
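The last two bullets on slide 33 are easy to see in code. The following is an added example, not part of the lecture or its textbook: it runs Python's standard urllib.robotparser over a constructed robots.txt for a hypothetical site. A compliant crawler stays out of the listed paths, but the same public file hands anyone a list of exactly those paths, which is why robots.txt is a courtesy to crawlers and not an access control. The path names and the crawler name are assumptions chosen for illustration.

```python
"""robots.txt: what it protects and what it advertises.

Added example, not from the lecture. The robots.txt below is constructed
for a hypothetical site; the paths are placeholders.
"""
import urllib.robotparser

# Constructed robots.txt for a hypothetical site (not a real host).
ROBOTS_TXT = """\
User-agent: *
Disallow: /intranet/
Disallow: /backup/
Disallow: /cgi-bin/admin.cgi
"""

def compliant_crawler_may_fetch(robots_txt, path, user_agent="Googlebot"):
    """What a well-behaved crawler does: honour the Disallow rules."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, path)

def disallowed_paths(robots_txt):
    """What anyone else gets from the same file: a list of 'hidden' paths.

    robots.txt is a request to crawlers, not an access control; the paths
    it names still need real authentication on the server.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value:
            paths.append(value)
    return paths

# The per-page alternative from the slide: a meta tag travels with the page
# rather than being listed in one public index, so it does not advertise the
# path, but it is still only a hint that well-behaved crawlers honour.
NOINDEX_META = '<meta name="robots" content="noindex, nofollow, noarchive, nosnippet">'

if __name__ == "__main__":
    for p in ["/index.html", "/intranet/finance.xls"]:
        print(p, "fetchable by compliant crawler:",
              compliant_crawler_may_fetch(ROBOTS_TXT, p))
    print("paths advertised to everyone:", disallowed_paths(ROBOTS_TXT))
```

The two functions read the same text and reach opposite conclusions about usefulness: the first shows the file doing its job against a polite crawler, the second shows it doing a recon job for everyone else. The defense is to put the sensitive content behind authentication and keep it off the indexable site, not to list it.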

34 Whois Databases
- Internet “white pages” listing
  - Domain names, contact info, IP addresses
  - .com, .net, .org, .edu
- ICANN oversees registration process
  - Hundreds of actual registrars

35 InterNIC
- InterNIC (Internet Network Info Center)
  - Info on domain name registration services
- First place to look

36 InterNIC
- Whois info available from InterNIC
  - com, net, org, edu
- Other sites for other top level domains

37 Whois
- Once registrar is known, attacker can contact it
  - More detailed Whois info
  - Network Solutions in this example

38 Whois
- Info includes
  - Names
  - Telephone numbers
  - Email addresses
  - Name (DNS) servers
  - And so on…

39 IP Address Assignment
- ARIN (American Registry for Internet Numbers)
  - Info about who owns IP address or range of addresses
- Similar organizations for Europe, Asia, Latin America, …

40 Defense Against Whois Search
- Bad idea to put false info into databases
  - Important that people can contact you
  - For example, if attack launched from your site
- No real defense against Whois
  - Anonymous registration services exist
  - Author is not fond of these
- Better to train against social engineering

41 Domain Name System (DNS)
- A hierarchical distributed database
  - Like a (hierarchical distributed) telephone directory
- Converts human-friendly names into computer-friendly IP addresses
- Internet is impossible without DNS

42 DNS
- 13 root DNS servers
- A “single point” of failure for Internet

43 DNS
- DNS example
- Recursive and iterative searches
  - Resolved locally, if possible
  - Lots and lots of caching

44 DNS
- DNS cache on Windows machine

45 DNS
- Gives IP address of a domain
- Lots of other info
- DNS record types
  - Address: domain name/IP address (or vice versa)
  - Host information: info about system
  - Mail exchange: mail system info
  - Name server: DNS servers
  - Text: arbitrary text string

46 Interrogating DNS
- Attacker determines DNS servers
  - From registrar’s Whois database
- Use nslookup (or dig in Linux) to interrogate name servers
- Zone transfer (all info about domain)
  - See example from text: IP addresses, mail server names, OS types, etc.

47 DNS Recon Defenses
- Remove info on OS types, etc.
- Restrict zone transfers
  - To primary and secondary name servers
- Employ “split DNS”
  - Allow outside DNS activity related to Web, mail, FTP, …, servers
  - No outside DNS directly from internal network
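The record types on slide 45 and the first defense on slide 47 (remove info on OS types) come together in the following added example, which is not from the lecture or its textbook. It is a small Python audit of a constructed zone file for the hypothetical domain example.com: it flags HINFO records (whose whole purpose is to publish hardware and OS) and TXT records that name an OS or server product, and writes out a sanitized copy of the zone with those records dropped. The record names, addresses and the keyword list are assumptions chosen for illustration; a real audit would extend the keyword list to whatever software the organization runs.

```python
"""Audit a DNS zone for records that hand an attacker system details.

Added example, not from the lecture. The zone below is constructed for the
hypothetical domain example.com and uses the record types the slide lists
(A, HINFO, MX, NS, TXT).
"""
import re

# Constructed zone (RFC 1035 master-file style, one record per line).
SAMPLE_ZONE = """\
$ORIGIN example.com.
@       IN  NS     ns1.example.com.
@       IN  NS     ns2.example.com.
@       IN  MX 10  mail.example.com.
@       IN  TXT    "v=spf1 mx -all"                  ; legitimate TXT use (SPF)
www     IN  A      192.0.2.10
www     IN  HINFO  "Intel x86" "Windows NT 4.0"      ; hardware and OS, verbatim
mail    IN  A      192.0.2.25
mail    IN  TXT    "Sendmail 8.12 on Solaris 9"      ; free text that names software
"""

# Words in TXT rdata that usually mean an OS or server product is being named.
# Assumed list for illustration; extend it with what your site actually runs.
OS_OR_SOFTWARE = re.compile(
    r"windows|solaris|linux|bsd|aix|hp-ux|iis|apache|sendmail", re.I)

def parse_record(line):
    """Return (name, type, rdata) for one master-file line, or None."""
    line = line.split(";", 1)[0].strip()          # drop trailing comments
    if not line or line.startswith("$"):          # blank line or $ORIGIN/$TTL
        return None
    parts = line.split(None, 3)                   # name class type rdata
    if len(parts) < 4 or parts[1].upper() != "IN":
        return None
    name, _cls, rtype, rdata = parts
    return name, rtype.upper(), rdata

def parse_zone(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]

def leak_reason(record):
    """Why a record is a recon gift, or None if it is harmless."""
    _name, rtype, rdata = record
    if rtype == "HINFO":
        return "HINFO publishes hardware/OS"
    if rtype == "TXT" and OS_OR_SOFTWARE.search(rdata):
        return "TXT names software/OS"
    return None

def leaky_records(text):
    """List (name, type, rdata, reason) for records that should be removed."""
    out = []
    for rec in parse_zone(text):
        reason = leak_reason(rec)
        if reason:
            out.append(rec + (reason,))
    return out

def sanitized_zone(text):
    """Return the zone text with the leaky records dropped, all else intact."""
    kept = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and leak_reason(rec):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for name, rtype, rdata, why in leaky_records(SAMPLE_ZONE):
        print(f"{name:6} {rtype:6} {rdata!r}: {why}")
    print(sanitized_zone(SAMPLE_ZONE))
```

Run against the sample, the audit flags the HINFO record for www and the Sendmail/Solaris TXT record for mail and leaves the SPF record alone; the NS, MX and A records it keeps are exactly the public-facing data the external half of a split DNS is meant to serve.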

48 Split DNS
- Internal DNS server acts as proxy
  - Relays requests to external DNS
- Internal users can resolve internal and external
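Restricting zone transfers and split DNS (slides 47 and 48) as they look in a BIND 9 named.conf, given here as an added example that is not from the lecture or its textbook. The domain example.com, the secondary addresses 192.0.2.53 and 198.51.100.53, the internal range 10.0.0.0/8 and the zone file names are placeholders chosen for illustration.

```conf
// Added example (not from the lecture): BIND 9 named.conf fragment for the
// hypothetical zone example.com. Addresses are documentation/private ranges
// and file names are placeholders.

// Weak setting, which hands the whole zone to any client that asks (the
// "DNS zone transfer" button in Sam Spade on slide 50 is one such client):
//     allow-transfer { any; };
// Corrected: only the named secondaries may pull the zone.
acl "secondaries"  { 192.0.2.53; 198.51.100.53; };
acl "internal-net" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    allow-transfer { none; };        // deny AXFR everywhere unless a zone overrides
    version "not disclosed";         // do not advertise the server software version
};

// Split DNS, internal half: sees every host, and recurses on behalf of inside
// clients so the internal server is the proxy that relays outside queries.
view "internal" {
    match-clients { "internal-net"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/db.example.com";   // full host list, no HINFO (slide 47)
        allow-transfer { "secondaries"; };
    };
};

// Split DNS, external half: publishes only the public servers (web, mail, FTP)
// and answers no recursive queries from the Internet.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/db.example.com";   // www, mail, ftp records only
        allow-transfer { "secondaries"; };
    };
};
```

Views are matched in order, so the internal view must come first; a client outside internal-net falls through to the external view and never sees the internal zone file. The global `allow-transfer { none; }` is the safe default; each zone then opens transfers only to the listed secondaries, which is the "primary and secondary name servers" restriction from slide 47.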

49 General-Purpose Recon Tools
- Sam Spade
  - Detective character in Dashiell Hammett’s novel, The Maltese Falcon (Humphrey Bogart)
  - Also a general Web-based recon tool
- Research and attack portals
  - For more specific info

50 Sam Spade
- All the bells and whistles
- Some of Sam Spade’s capabilities
  - ping, whois lookups, IP block whois, nslookup, DNS zone transfer, traceroute, finger
  - SMTP VRFY: is given address valid?
  - Web browser: view raw HTTP interaction
  - Web crawler: grab entire web site

51 Sam Spade
- “The incredibly useful Sam Spade user interface”

52 Other General Recon Tools
- Active Whois Browser: Whois and DNS tool, $19.95
- NetScanTools Pro: costs $249+
- iNetTools: feature-limited, but free

53 Web-based Recon Tools
- Some “run by rather shady operators”

54 AttackPortal
- Helps attacker remain anonymous
- This site is moribund (2005)

55 Conclusion
- Attacker can gain useful info from variety of sources
  - From social engineering to automated tools…
  - …and everything in between
- Useful info might include
  - Contact info, IP addresses, domain names
  - Possibly system details, technologies used, …
- Building blocks for actual attacks

56 Summary
- Sophisticated attacks likely to start with recon phase
- Low-tech recon techniques
  - Social engineering
  - Spoofed caller ID
  - Physical access
  - Dumpster diving

57 Summary
- Higher-tech techniques
  - Google hacking, SiteDigger, GHDB
  - Whois databases, InterNIC, ARIN
  - DNS, nslookup, dig
  - Sam Spade, client-side recon tools
  - Web-based recon tools
