Footprinting (Richard Newman)

Footprinting
Richard Newman

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Sun Tzu

What is Footprinting?
Determining the profile of potential targets:
- Domain names (external and internal)
- IP addresses and subnets (blocks and specific hosts)
- Services
- System architecture
- Access control list (ACL) info
- Intrusion Detection Systems (IDSs)
- Protocols used
- Phone numbers/blocks
- Authentication mechanisms
- VPNs and remote access protocols
- Personnel names, usernames, addresses

Why Footprinting?
- Publicly available info
  – Hard to prevent all of it from being available
  – Many legitimate searches mask recon efforts
- Obtain a potential target list
- Obtain info for social engineering attacks
  – Spear phishing
  – Tech help calls
- Determine relationships with other entities

Internet Footprinting
1. Determine scope
   – Be thorough and systematic
2. Get proper authorization
   – Written, from the right person(s), detailing what is allowed
3. Public info
   – Related organizations, personnel, current events, policies, etc.
4. Whois and DNS
   – Admin info, domain/subdomain names, IP addresses
5. DNS interrogation
   – Mapping host names to IP addresses, internal IP addresses, etc.
6. Network reconnaissance
   – Network topology, access paths
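Step 5 is where a public zone gives away internal addresses and host descriptions. The following script is an added example, not part of the slides: it parses a constructed BIND-style zone export (SAMPLE_ZONE) and reports the records a footprinter would collect from it: A/AAAA records that point into RFC 1918 or IPv6 ULA space, HINFO records that advertise hardware and OS, and TXT records that name hosts under internal-looking suffixes. The zone contents, the suffix list and the 203.0.113.0/24 documentation addresses are constructed; running it over your own zone before it reaches a public name server is the defensive use.

```python
"""Flag DNS records that hand a footprinter internal detail.

Added example, not from the slides. Parses a constructed BIND-style zone and
reports A/AAAA records in private space, HINFO records, and TXT records that
mention internal host names.
"""
import ipaddress
import shlex

# Address space that should never appear in a public zone. ip_address.is_private
# is deliberately not used: it also covers the 203.0.113.0/24 documentation
# range used in the sample, which would produce false positives here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Name suffixes that conventionally mark internal systems (assumption).
INTERNAL_SUFFIXES = (".internal", ".corp", ".local", ".lan")

# Constructed zone; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_ZONE = """\
$ORIGIN acme.example.
$TTL 3600
@        IN SOA   ns1.acme.example. hostmaster.acme.example. ( 2024010101 7200 900 1209600 3600 )
@        IN NS    ns1.acme.example.
@        IN MX 10 mail.acme.example.
www      IN A     203.0.113.10
mail     IN A     203.0.113.25
intranet IN A     10.20.30.40          ; internal address in a public zone
vpn      IN AAAA  fd12:3456:789a::1    ; ULA address in a public zone
fileserv IN HINFO "PC-Intel" "Windows Server 2019"
@        IN TXT   "v=spf1 ip4:203.0.113.0/24 -all"
build    IN TXT   "jenkins on build01.corp.internal"
"""


def parse_zone(text):
    """Yield (name, type, rdata_tokens) per record; assumes one record per line."""
    for line in text.splitlines():
        lexer = shlex.shlex(line, posix=True)
        lexer.whitespace_split = True
        lexer.commenters = ";"              # zone-file comments, ignored inside quotes
        tokens = list(lexer)
        if not tokens or tokens[0].startswith("$"):
            continue                        # blank/comment line or $ORIGIN/$TTL directive
        idx = 1
        while idx < len(tokens) and (tokens[idx].upper() == "IN" or tokens[idx].isdigit()):
            idx += 1                        # skip optional TTL and class
        if idx >= len(tokens):
            continue
        yield tokens[0], tokens[idx].upper(), tokens[idx + 1:]


def is_internal(ip):
    """True if the address falls in RFC 1918 or IPv6 ULA space."""
    return any(ip in net for net in INTERNAL_NETS)


def audit_zone(text):
    """Return a list of (name, type, reason) for records that leak internal detail."""
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata[0])
            if is_internal(ip):
                findings.append((name, rtype, f"internal address {ip}"))
        elif rtype == "HINFO":
            findings.append((name, rtype, "hardware/OS advertised: " + " ".join(rdata)))
        elif rtype == "TXT":
            value = " ".join(rdata).lower()
            if any(suffix in value for suffix in INTERNAL_SUFFIXES):
                findings.append((name, rtype, "mentions an internal host name"))
    return findings


if __name__ == "__main__":
    for name, rtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"{name:10} {rtype:5} {reason}")
```

Records that legitimately need internal answers belong in a split-horizon (internal-only) view of the zone rather than the one served to the Internet; this check only tells you which records to move.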

Public Information - 1
Popularity = 9, Simplicity = 9, Impact = 2 => Risk = 7
1. Company web pages
   – Include other likely suspects (www1, web, test, etc.)
   – Review HTML source; may be best done off-line
   – Wget (GNU) on Unix/Linux; Teleport Pro (Tenmax) on Windows
   – DirBuster (OWASP) for hidden files/directories
   – Remote access (Outlook Web Access, WebConnect, ...)
   – VPNs: get vendor, version number, assistance contact info
2. Related organizations
   – Outsourced web development, e.g.
   – Aggregated data
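The "review HTML source" item works in both directions: the same review, run over your own pages before they go live, finds what would be handed to a footprinter. The script below is an added example and not from the slides or any tool named on them. It parses a constructed page (SAMPLE_PAGE, on the reserved .example TLD) and reports HTML comments, hidden form fields, a generator version string, e-mail addresses, and host names whose first label suggests an auxiliary system (www1, test, owa, vpn and so on); the label list is an assumption you would tune to your own naming.

```python
"""Review a page's HTML source for details a footprinter would collect.

Added example, not from the slides: a pre-publication check over your own
pages. Reports comments, hidden fields, generator tags, e-mail addresses and
auxiliary host names found in the source.
"""
import re
from html.parser import HTMLParser

# First labels that usually belong to non-public or auxiliary hosts (assumption).
SUSPECT_LABELS = {"www1", "web", "test", "dev", "staging", "vpn", "owa", "intranet"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"\b([a-z0-9-]+)\.[a-z0-9-]+\.[a-z]{2,}\b", re.I)

# Constructed page; acme.example uses the reserved .example TLD.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<meta name="generator" content="WordPress 4.9.8">
<title>Acme Corp</title>
</head><body>
<!-- TODO: remove before launch. staging copy at http://test.acme.example/ (ask jdoe) -->
<form action="https://www1.acme.example/login" method="post">
  <input type="hidden" name="backend" value="owa.acme.example">
  <input type="text" name="user">
</form>
<p>Contact <a href="mailto:it-helpdesk@acme.example">it-helpdesk@acme.example</a></p>
</body></html>"""


class LeakScanner(HTMLParser):
    """Collect the pieces of a page that tend to carry infrastructure detail."""

    def __init__(self):
        super().__init__()
        self.comments, self.hidden_fields, self.generators, self.text = [], [], [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # bare attributes arrive as None
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_fields.append((a.get("name", ""), a.get("value", "")))
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        for key in ("href", "src", "action"):      # link targets may name other hosts
            if key in a:
                self.text.append(a[key])

    def handle_data(self, data):
        self.text.append(data)


def find_leaks(html):
    """Return a dict of the source details worth reviewing before publication."""
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    haystack = "\n".join(scanner.text + scanner.comments
                         + [value for _, value in scanner.hidden_fields])
    return {
        "generators": scanner.generators,
        "comments": scanner.comments,
        "hidden_fields": scanner.hidden_fields,
        "emails": sorted(set(EMAIL_RE.findall(haystack))),
        "suspect_hosts": sorted({m.group(0).lower() for m in HOST_RE.finditer(haystack)
                                 if m.group(1).lower() in SUSPECT_LABELS}),
    }


if __name__ == "__main__":
    for key, value in find_leaks(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

A generator tag gives version information for free, a comment names a staging host and an employee, and a hidden field points at a mail front end; none of these are needed by the browser, so each is something the page owner can remove.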

Public Information - 2
3. Location info
   – Physical access
   – Social engineering hints
   – Wireless networks: MAC addresses from the Google Street View car (shodanhq.com/research/geomac)
   – Dumpster diving
4. Employee info
   – One username -> better guesses at other usernames
   – Phone number -> physical address
   – Personal info (social media, blackbookonline.info, etc.)
   – Employee directories (paid service)
   – Resumes (monster.com, etc.) and job postings (more details)
   – Disgruntled employees

Public Information - 3
5. Current events
   – Company-provided info
   – Trade rags, bulletin boards, etc.
   – SEC filings for publicly traded companies (EDGAR database at sec.gov)
   – Times of change (mergers, acquisitions, etc.) open holes
   – Times of plenty (rapid growth: mundane stuff lags)
6. Archived info
   – Wayback Machine (archive.org)
   – Cached Google (etc.) pages
   – Pages may have changed to remove revealing info
7. Search engines and data relationships
   – Special searches for remote access, misconfiguration, etc.
   – Google Hacking Database (hackersforcharity.org)
   – Athena 2.0 (snakeoillabs.com), SiteDigger 2.0 (foundstone.com)
   – Metadata search (FOCA, informatica64.com/foca)
   – SHODAN (shodanhq.com)

Public Information - 4
Countermeasures
- Think carefully about what you must reveal and what not
- Educate employees
- Monitor related organizations
See RFC 2196, Site Security Handbook (faqs.org/rfcs/rfc2196.html)

Whois and DNS Enum - 1
Popularity = 9, Simplicity = 9, Impact = 3 => Risk = 7
1. ICANN/IANA
   – ASO: Address Supporting Organization
   – GNSO: Generic Names Supporting Organization
   – ccNSO: Country code domain name supporting organization
2. ASO distributes IP ranges to Regional Internet Registries
   – APNIC
   – ARIN
   – LACNIC
   – RIPE
   – AfriNIC

Whois and DNS Enum - 2
3. Domain-related searches
   – Registry
   – Registrar
   – Registrant
   – whois.iana.org, internic.net/whois.html, etc.
   – SuperScan, NetScan Tools
4. IP-related searches
   – Search at a registrar's site to get the right registrar, etc.
Countermeasures
– Pseudonym for admin (see "LA Confidential")
– Phone number outside of the company block (maybe an 800 number)
– Pay extra for an unlisted domain
– Require good authentication for updates (registry hijacking prevention)
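The countermeasures above can be turned into a check you run against your own domain's whois output. The script below is an added example, not from the slides: it parses a constructed whois response (SAMPLE_WHOIS) in the usual key: value layout and reports a contact that is a named individual rather than a role, a contact phone number inside the company's own number block, a personal mailbox used as the contact address, and missing registrar locks that leave the domain open to an unauthorized update or transfer. The company phone prefix, the role-word list and the record contents are assumptions for the example.

```python
"""Review a domain's whois record for the exposures the countermeasures list.

Added example, not from the slides. Parses a constructed whois response and
reports personal contacts, in-block phone numbers and missing registrar locks.
"""

COMPANY_PHONE_PREFIX = "+1.5550123"      # assumption: the organization's published block
# Words that mark a role account rather than a person (assumption).
ROLE_WORDS = {"hostmaster", "dns", "domain", "admin", "administrator",
              "security", "noc", "ops", "operations"}
# EPP status codes that block changes without the registrar's authentication step.
REQUIRED_STATUS = {"clienttransferprohibited", "clientupdateprohibited",
                   "clientdeleteprohibited"}

# Constructed record on the reserved .example TLD.
SAMPLE_WHOIS = """\
Domain Name: ACME.EXAMPLE
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2025-06-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Acme Corp
Registrant Phone: +1.5550123400
Registrant Email: hostmaster@acme.example
Admin Name: Jane Doe
Admin Organization: Acme Corp
Admin Phone: +1.5550123417
Admin Email: jane.doe@acme.example
Tech Name: DNS Operations
Tech Phone: +1.5559876543
Tech Email: dns-ops@acme.example
Name Server: NS1.ACME.EXAMPLE
Name Server: NS2.ACME.EXAMPLE
"""


def parse_whois(text):
    """Map lower-cased keys to the list of values seen (keys can repeat)."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def looks_like_person(name):
    """Two or more words with no role word in them reads like a real name."""
    words = name.lower().replace("-", " ").replace(".", " ").split()
    return len(words) >= 2 and not (set(words) & ROLE_WORDS)


def audit_whois(text, phone_prefix=COMPANY_PHONE_PREFIX):
    """Return (section, message) findings for the three contact roles and the lock status."""
    record = parse_whois(text)
    findings = []
    for role in ("registrant", "admin", "tech"):
        name = record.get(f"{role} name", [""])[0]
        if name and looks_like_person(name):
            findings.append((role, f"contact is a named individual: {name}"))
        phone = record.get(f"{role} phone", [""])[0]
        if phone.startswith(phone_prefix):
            findings.append((role, f"phone {phone} is inside the company block"))
        email = record.get(f"{role} email", [""])[0]
        if email and looks_like_person(email.split("@")[0]):
            findings.append((role, f"contact address is a personal mailbox: {email}"))
    # Only the first token matters; registrars often append a URL to the status.
    statuses = {s.split()[0].lower() for s in record.get("domain status", [])}
    missing = REQUIRED_STATUS - statuses
    if missing:
        findings.append(("status", "registrar locks missing: " + ", ".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    for section, message in audit_whois(SAMPLE_WHOIS):
        print(f"[{section}] {message}")
```

The name-versus-role test is deliberately simple; what matters is that the report lands on the admin contact, whose real name, in-block extension and personal mailbox are exactly the three things the pseudonym and out-of-block phone number countermeasures remove, and on the two locks that the "good authentication for updates" item calls for.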