Cybersecurity Computer Science Innovations, LLC
Fingerprinting. So, we have a file at the top level of a Web site. It is called robots.txt. It specifies where to find content and what content to avoid. What can this tell us from a fingerprinting perspective? It tells us the stuff we wish to protect.
Fingerprinting Perspective. Take down the robots.txt. Take down the sitemaps. Try to take down the disallows. Use wget …
Lab: Fingerprint Web Server. Use wget. Use wget. Use more robots.txt. Use wget. Use more. Use. Try to wget disallowed files.
What Did We Learn? What can we do with robots.txt from a fingerprint perspective? It is part of the directory structure. It shows you what they do not want to share. Why does wget not pull disallowed information? Hint: man wget. It adheres to the robots.txt protocol. How could we get disallowed information? What type of licensing is wget? Open source. We can get the source, change it and go after the disallow.
Web Site Fingerprinting Best Practices:
1) Use robots.txt for things you want found by a search engine and disallow for things you do not want found.
2) Use a tool (if you are a penetration tester) to work around the disallow in robots.txt. Remember, disallow is a protocol.
3) Use security in the web server to protect sensitive files.
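The robots.txt points above, worked as an added example (this code is not from the slides or the course): it lists what the file asks crawlers to avoid, shows the decision a robots-respecting client such as wget makes before fetching a path, and then does the defender's check from best practice 3: any Disallow'd path that a direct request still answers with 200 is guarded by nothing but crawler etiquette. The robots.txt body, the example.invalid host name and the table of observed status codes are all constructed; the Wget user-agent string is a stand-in.

```python
"""robots.txt from the defender's side (added example, not from the slides):
list what the file asks crawlers to avoid, show the decision a
robots-respecting client such as wget makes, and flag every Disallow'd
path that the server still answers with 200, since Disallow is only a
convention and not an access control."""
import urllib.robotparser

# Constructed robots.txt for a hypothetical site; example.invalid is a
# reserved name that never resolves.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site.zip   # leftover archive
Allow: /public/
Sitemap: https://example.invalid/sitemap.xml
"""

# Constructed: status codes a direct HTTP request to each path returned.
OBSERVED_STATUS = {
    "/admin/login": 403,
    "/backup/db.sql": 200,
    "/old-site.zip": 200,
    "/public/index.html": 200,
}


def parse_robots(text):
    """Return (disallowed, allowed, sitemaps) from a robots.txt body.
    '#' comments are stripped and directive names are case-insensitive."""
    disallowed, allowed, sitemaps = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "disallow" and value:
            disallowed.append(value)
        elif key == "allow" and value:
            allowed.append(value)
        elif key == "sitemap" and value:
            sitemaps.append(value)
    return disallowed, allowed, sitemaps


def polite_client_may_fetch(text, path, agent="Wget/1.21"):
    """The decision a client that honours robots.txt (wget does) makes
    before requesting `path`; the user-agent string is a stand-in."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp.can_fetch(agent, path)


def exposure_report(text, observed_status):
    """Defender's check: Disallow'd paths that a direct request still gets
    with 200 are protected only by crawler etiquette."""
    disallowed, _, _ = parse_robots(text)
    exposed = [
        path
        for path, status in observed_status.items()
        if status == 200 and any(path.startswith(p) for p in disallowed)
    ]
    return sorted(exposed)


if __name__ == "__main__":
    dis, allow, maps = parse_robots(SAMPLE_ROBOTS)
    print("Disallow:", dis, "Allow:", allow, "Sitemaps:", maps)
    for p in OBSERVED_STATUS:
        print(f"{p:22} polite client fetches: {polite_client_may_fetch(SAMPLE_ROBOTS, p)}")
    print("Exposed despite Disallow:", exposure_report(SAMPLE_ROBOTS, OBSERVED_STATUS))
```

Run it as a script to see the three views side by side: the polite client refuses /backup/db.sql and /old-site.zip, yet the exposure report shows both are still served, which is exactly the gap best practice 3 closes with web-server access control rather than with robots.txt.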
Network 101. Typically three types of networks: A, B, C. They differ by the netmask: A netmask, B netmask, C netmask. So how does this work?
OSI Networking Model.
Application – applications running on top (ssh).
Presentation – map data between representations.
Session – support conversation.
Transport – put stuff in order, end to end.
Network – communicate with routing.
Data Link – communicate without routing.
Physical – cable.
Data Link Layer. Data link – no routing. (Hosts Scott and Brian.)
Command to See Network: ifconfig -a. Scott: inet addr: Bcast: Mask: Brian: … Netmask: what does that mean?
Netmask. Class C network: only route if you differ by more than the last octet. No routing necessary when the addresses only differ where the netmask is 0; that is resolved at the data link layer. MAC/IP: the conversion between MAC and IP is data link.
More. Netmask … is a B network: only route if the addresses differ in the left-most two octets. Routing? No. Why? The only values that differ are where you have a bit pattern of 1111's. Netmask … is an A network; does it require routing? It only differs where it is 1.
Netmask Concluded. Class C network netmask … What is that in hex? – FFFF.FFFF.FFFF.0000. What is that in binary? – … So, Class C network: one computer is … and one is … Need routing?
Netmask Lab. Class C network: … and … Need routing? Yes, differs by the third octet. Class A network: … and … need routing? No. … and … need routing? Yes. Question for a router: Cisco – who makes it? D-Link, Netgear – who makes it?
A Little Further in the Network. Find the router.
Unix – command: netstat -rn
ifconfig -a
eth0 Link encap:Ethernet HWaddr c8:0a:a9:b5:9d:db
inet addr: Bcast: Mask:
netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
U eth
U eth
UG eth0
DHCP. Distributed Hosts Configuration Protocol. The machine comes up and looks for a DHCP server. It gets an IP address, netmask and DNS. What vulnerability do we have here?
DHCP – Vulnerability. Get on the network and put your own DHCP server up. The DNS server it gives or serves up is yours, and it routes to spoofed web sites. Why does this work? Because the client looks for the first DHCP server; the one that responds first will be the one closest to the computer asking. Unless you have an intrusion detection system, you will get away with this. An intrusion detection system at the network layer would find this. Part of a penetration test.
What About DNS? Domain Name Service. Maps names to IP addresses. It is given to us by DHCP. Unix: find it? more /etc/resolv.conf
more /etc/resolv.conf
# Generated by NetworkManager
nameserver
On My Network. … is the DNS server and the router. Netmask is … It is Cisco-like???? That is what we found out. To do on Windows: ipconfig /all. Lab.... Tell me what you have on your Windows box.
Conventions. Class C – generally …x.x. Class A (bigger network) – generally 10.x.x.x. Gateway … generally whatever you are working with, .1. DHCP server is generally the gateway.
What is DHCP? Distributed Hosts Configuration Protocol. Turn on a computer; get the IP address, DNS server, router, and any routes. It broadcasts for it. In other words, it comes up and says, who is my DHCP? First one wins.
What is wrong with our Network, via Conventions? C network: why netmask …? IP address starts with 10, which is an A network; should start with ???? Router ends in .254; what does it typically end in? – .1
Review: Fingerprinting. Why do we fingerprint? To learn about the system. If you are an adversary, you want to find something easy. If you are a security professional, you want to see how hard your systems are. The most common tool is nmap. Nmap can help you work around an IDS. It inspects traffic to tell you about products and ports. Nmap is a TCP/IP expert: Xmas, stealth, etc.
Network use Netmask. Typical network --- Cisco … IP address of the router is … C. So if I talk to … to … do I need to route? No? So if the address differs by the octet with a 0 in the netmask, no routing.
Network: Route when addresses differ where there is a 1. For … if we wish to go from … to …, do we need to route? Yes. How do we find our router? Use netstat -rn.
Talk About Addresses. TCP/IP protocol. We agree to not route what addresses: … (what you get when you do not get a DHCP address), …x (Cisco), …x (D-Link).
Network Topology. So, I want three networks to be separate and have one external address to the internet. How do I do this?
external address
internal Network x gtw Internal ( )
Network x gtw Internal ( )
Network x gtw Internal ( )
What Did We Learn?
1) Netmask determines your address range. Route when the difference is in the area of 1's on the netmask.
2) Router must be on the same subnet as the network it is routing.
3) How do we find the netmask? Unix: ifconfig -a. Windows: ipconfig /all.
4) How do we find the router? netstat -rn.
5) How do we find the DNS server? Windows: ipconfig /all. Unix: more /etc/resolv.conf.
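The netmask rules from the netmask slides and points 1, 2 and 4 above, worked in code as an added example (not from the slides or the course). It renders a netmask in the hex and binary forms the slides ask for, decides whether two hosts need a router by checking whether they differ where the mask has 1 bits, checks that a router sits on the subnet it serves, and pulls the default gateway out of `netstat -rn` output. All addresses and the routing table are constructed, not the class network, though they reproduce the situation the slides question: a 10.x address with a Class C netmask and a router ending in .254.

```python
"""Netmask and routing rules from the slides worked in code (added example;
the addresses and the netstat -rn table below are constructed, not the
class network). Rule: two hosts need a router between them exactly when
their addresses differ in a bit position where the netmask is 1."""
import ipaddress

# Constructed `netstat -rn` output: a Class-C-sized 10.x network whose
# router sits at .254, the situation the slides question.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.254      0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
"""


def netmask_views(mask):
    """Render a dotted-quad netmask in dotted hex and dotted binary, the
    two forms the slides ask for (255.255.255.0 -> ff.ff.ff.00)."""
    octets = [int(o) for o in mask.split(".")]
    return (".".join(f"{o:02x}" for o in octets),
            ".".join(f"{o:08b}" for o in octets))


def differing_octets(a, b):
    """1-based positions of the octets in which two addresses differ."""
    pairs = zip(a.split("."), b.split("."))
    return [i + 1 for i, (x, y) in enumerate(pairs) if x != y]


def needs_routing(a, b, mask):
    """True when a and b are on different networks under `mask`, i.e. they
    differ somewhere the mask bit is 1; same network means data link only."""
    network_of_a = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    return ipaddress.ip_address(b) not in network_of_a


def router_is_usable(router, host, mask):
    """Slide rule 2: the router must share the host's subnet, otherwise the
    host cannot reach it without the very routing it is asking for."""
    return not needs_routing(router, host, mask)


def default_gateway(netstat_output):
    """Pick the default route (destination 0.0.0.0 with the G flag) out of
    `netstat -rn` text; returns (gateway, interface) or None."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0] == "0.0.0.0" and "G" in parts[3]:
            return parts[1], parts[-1]
    return None


if __name__ == "__main__":
    print("255.255.255.0 ->", netmask_views("255.255.255.0"))
    for a, b, m in [("192.168.1.10", "192.168.1.200", "255.255.255.0"),
                    ("192.168.1.10", "192.168.2.10", "255.255.255.0"),
                    ("10.1.2.3", "10.200.7.8", "255.0.0.0")]:
        print(a, "->", b, "mask", m, "differs in octets", differing_octets(a, b),
              "route:", needs_routing(a, b, m))
    gw, iface = default_gateway(NETSTAT_RN)
    print("default gateway", gw, "via", iface,
          "usable from 10.0.0.20:", router_is_usable(gw, "10.0.0.20", "255.255.255.0"))
```

The `ipaddress` module does the bit arithmetic: `ip_network("192.168.1.10/255.255.255.0", strict=False)` masks the host bits off, and membership of the other address in that network is the same test as "no difference where the mask is 1". Run the script to see a third-octet difference trigger routing on a Class C mask and not on a Class A one.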
Tracking. Let's say I sent an email to Mo and I wanted assurance that he has read it. Email itself is a datagram. In the message: tools that do this for you. Put a link that does not require a click and sends that to a server for recording.
Tracking. This can be a servlet that returns a graphic. When the email is read, the servlet is called (it has to show the graphic). While getting the graphic, it denotes the fact that the email was read.
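The read-receipt trick just described, seen from the receiving side as an added example (not from the slides or the course): the beacon is an <img> whose src points at a remote server, usually 1x1 or hidden, often carrying a per-recipient token, and the fetch itself is the record that the mail was opened. The code parses a message body and flags images with those traits. The message body, the example.invalid host names and the token are constructed.

```python
"""Spotting the read-receipt trick from the slides in an incoming message
(added example; the HTML below is constructed). The beacon is an <img>
whose src points at a remote server with a per-recipient token: no click
needed, the fetch itself records that the mail was opened."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed message body: a real logo, a 1x1 remote beacon carrying an
# id, and an inline data: image that contacts nobody.
SAMPLE_EMAIL = """\
<html><body>
<p>Hi Mo, please see the attached report.</p>
<img src="https://cdn.example.invalid/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.invalid/open.gif?id=7f3c9a1e2b" width="1" height="1" alt="">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({name: (value or "") for name, value in attrs})


def is_tiny(size):
    """A width/height of 0 or 1 is the classic beacon size."""
    m = re.match(r"\s*(\d+)", size or "")
    return bool(m) and int(m.group(1)) <= 1


def looks_tokened(url):
    """A query value or path segment long enough to identify one recipient."""
    values = [v for vals in parse_qs(url.query).values() for v in vals]
    if any(len(v) >= 8 for v in values):
        return True
    return re.search(r"/[A-Za-z0-9_-]{16,}", url.path) is not None


def find_beacons(html):
    """Return remote images that look like open-tracking beacons, each with
    the reasons it was flagged ('tiny', 'hidden', 'token')."""
    collector = ImgCollector()
    collector.feed(html)
    beacons = []
    for img in collector.imgs:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # data: URIs and relative paths cause no remote fetch
        reasons = []
        if is_tiny(img.get("width")) or is_tiny(img.get("height")):
            reasons.append("tiny")
        if "display:none" in img.get("style", "").replace(" ", "").lower():
            reasons.append("hidden")
        if looks_tokened(url):
            reasons.append("token")
        if "tiny" in reasons or "hidden" in reasons:
            beacons.append({"host": url.hostname, "src": src, "reasons": reasons})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_EMAIL):
        print(f"beacon -> {beacon['host']} ({', '.join(beacon['reasons'])})")
```

A visible logo is not flagged even though it is remote, and the inline data: image is skipped because it never leaves the client. The mitigation follows from the mechanism: a mail client that does not load remote images automatically never makes the fetch, so nothing is recorded, and a mail gateway can apply the same test to strip or rewrite such tags before delivery.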
Fingerprinting Lab. Tell me what I am running: nmap thestreits.com. By using nmap, tell me what hosts on your subnet are running.
Fingerprinting. We want to see what is on our network. If you are bad.... then you are looking for easy things. We want to make sure we are not one of those easy things. So for bad people, fingerprinting is a way to find easy systems to crack. For security professionals, hardening our systems.
Best Practices. Only SSH login and only through a private key. Open ports 22 (private key only) and 443. This is for externally facing servers. So how do we find out?
How Do We Fingerprint? Command: telnet host port. Then send it commands. Then get what's running by parsing the results of the commands.
telnet 80
Trying
HEAD
Apache/ (Ubuntu) Server at localhost Port 80
Instead Of Telnet to a port: writing a socket level program. Ping:
ping
PING ( ) 56(84) bytes of data.
64 bytes from pool bltmmd.fios.verizon.net ( ): icmp_req=1 ttl=52 time=24.7 ms
We Use Nmap. What is good about Nmap? Price.... free. Runs on every system. Around a long time – stable. De facto standard. Does a lot of things.
nmap. We can see what systems are up on a subnet. We can see what ports are open. We can see what tools are running on the open ports. We don't have to fool around with TCP/IP.
Two Movies on nmap. Let's watch a YouTube movie on nmap.
Lab. Tell me what is running on my machine. Do it two ways. First, telnet to port 80 and send HEAD: telnet www.scottstreit.com 80 – HEAD. Then do an nmap on my box. Tell me what is running. Tell me what hosts are up on our 10. subnet.
Let's Simulate nmap.
telnet 80
Trying
Connected to
Escape character is '^]'.
head
501 Method Not Implemented
Method Not Implemented
head to /index.html not supported.
Apache/ (Ubuntu) Server at localhost Port 80
Connection closed by foreign host.
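The telnet session above and the "How Do We Fingerprint" slide, as an added example (not from the slides or the course): the same HEAD request sent from a socket program instead of typed into telnet, plus the parser that turns the reply into a banner. The session shows why a lowercase `head` draws Apache's 501 page: HTTP methods are case-sensitive. Both replies give the server away, the 501 page through its "Server at" footer, so the parser reads that too, and a last function does the defender's check that the banner carries no version number (what Apache's `ServerTokens Prod` setting removes). The responses are constructed and `Apache/2.4.0` is a placeholder version; `head_request` is only exercised by the script when you point it at a host of your own.

```python
"""The telnet HEAD trick from the slides as a socket program plus a parser
(added example; the responses below are constructed, and Apache/2.4.0 is
a placeholder version). The HTTP method is case-sensitive: 'head' earns
Apache's 501 page and 'HEAD' a normal reply, yet both leak the Server
string, the 501 page through its <address> footer."""
import re
import socket

HEAD_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.0 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n\r\n"
)
LOWERCASE_HEAD_501 = (
    "HTTP/1.1 501 Not Implemented\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<html><head><title>501 Method Not Implemented</title></head><body>"
    "<h1>Method Not Implemented</h1><p>head to /index.html not supported.<br /></p>"
    "<hr><address>Apache/2.4.0 (Ubuntu) Server at localhost Port 80</address>"
    "</body></html>"
)
HARDENED_OK = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"


def head_request(host, port=80, timeout=5.0):
    """Send HEAD / over a raw socket and return the response as text;
    the 'socket level program' alternative to typing into telnet."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_head_response(raw):
    """Extract status code, headers and the server banner; falls back to
    the '<address>... Server at' footer Apache puts on its error pages."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server")
    if server is None:
        m = re.search(r"<address>([^<]*?) Server at ", body)
        if m:
            server = m.group(1)
    return {"status": status, "server": server, "headers": headers}


def banner_leaks_version(server):
    """Defender's check: a version in the banner (Apache/2.4.0) is what
    ServerTokens Prod strips, leaving just 'Apache'."""
    return bool(server) and re.search(r"/\d", server) is not None


if __name__ == "__main__":
    for raw in (HEAD_OK, LOWERCASE_HEAD_501, HARDENED_OK):
        info = parse_head_response(raw)
        print(info["status"], info["server"],
              "leaks version:", banner_leaks_version(info["server"]))
    # To try it for real against your own server:
    # print(parse_head_response(head_request("localhost")))
```

Run the script to see the three cases: a normal reply and the 501 page both yield the full banner, while the hardened reply yields only the product name, which is the state an externally facing server should report.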