2
Footprinting
Definition: the gathering of information about a potential system or network, a.k.a. fingerprinting
Attacker’s point of view
- Identify potential target systems
- Identify which types of attacks may be useful on target systems
Defender’s point of view
- Know available tools
- May be able to tell if system is being footprinted; be more prepared for possible attack
- Vulnerability analysis: know what information you’re giving away, what weaknesses you have
3
Information to Gather
System (Local or Remote)
- IP Address, Name and Domain
- Operating System
  - Type (Windows, Linux, Solaris)
  - Version (98/NT/2000/2003/XP, Redhat, Fedora, SuSe, Ubuntu)
- Usernames
- File structure
- Open Ports (what services/programs are running on the system)
- Physical Proximity/Location
4
Information to Gather (2)
Networks / Enterprises
- System information for all hosts
- Network topology
  - Gateways
  - Firewalls
  - Overall topology
- Network traffic information
- Specialized servers
  - Web, Database, FTP, Email, etc.
5
Defender Perspective
- Identify information you’re giving away
- Identify weaknesses in systems/network
- Know when systems/network is being probed
  - Identify source of probe
  - Develop awareness of threat
  - Construct audit trail of activity
6
Tools – Linux (use “man” for help)
Linux tools - lower level utilities
- Local System
  - hostname
  - ifconfig
  - who, last
- Remote Systems
  - ping
  - traceroute, tracert
  - finger (also local system)
  - nslookup, dig
  - whois
  - arp, netstat (also local system)
- Other tools
  - lsof
7
Tools – Linux (2)
Other utilities
- ethereal/wireshark (packet sniffing)
- nmap (port scanning) - more later
8
Tools - Windows
- Sam Spade (collected tools)
  - Whois, Ping, IPBlock, Dig, Traceroute, Finger, Browse Web, and Parse email headers …
- ethereal (packet sniffer)
- Command line tools
  - ipconfig
- Many others…
9
hostname
Determine name of current system
Usage: hostname
E.g. hostname
  localhost.localdomain    // default
E.g. hostname
  clics.cs.uwec.edu
10
ifconfig
Configure network interface
Tells current IP numbers for host system
Usage: ifconfig
E.g. ifconfig    // command alone: display status
  eth0    Link encap: Ethernet  HWaddr 00:0C:29:CD:F6:D3
          inet addr: 192.168.172.128 ...
  lo      Link encap: Local Loopback
          inet addr: 127.0.0.1 ...
11
who
Basic tool to show users on current system
Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts)
Usage: who
E.g. who
  root    tty1    Jan 9 12:46
  paul    tty2    Jan 9 12:52
12
last
Show last N users on system
- Default: since last cycling of file
- -N: last N lines
Useful for identifying unusual activity in recent past
Usage: last [-n]
E.g. last -3
  wagnerpj  pts/1  137.28.253.254    Sat Feb 5 15:40   still logged in
  flinstf   pts/0  137.28.191.74     Sat Feb 5 15:38   still logged in
  rubbleb   pts/0  c48.193.173.92.e  Sat Feb 5 14:38 - 15:25  (00:46)
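To act on the "identify unusual activity" point above, here is an added example (not from the slides) that parses `last` output and flags logins from unexpected origins or from accounts not on an expected list; the sample output is constructed, and the allowlists handed to `flag_logins` are assumptions.

```python
# Constructed sample of `last -3` output (modelled on the slide, plus one
# console login, which has no host column). Not real session data.
SAMPLE_LAST = """\
wagnerpj pts/1 137.28.253.254 Sat Feb 5 15:40 still logged in
flinstf pts/0 137.28.191.74 Sat Feb 5 15:38 still logged in
rubbleb pts/0 c48.193.173.92.e Sat Feb 5 14:38 - 15:25 (00:46)
root tty1 Sat Feb 5 12:46 - 12:50 (00:04)
"""

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def parse_last(text):
    """Turn `last` output lines into dicts: user, tty, host, when, active."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "wtmp":
            continue  # blank line or the "wtmp begins ..." trailer
        user, tty = parts[0], parts[1]
        if parts[2] in WEEKDAYS:      # console login: no remote-host column
            host, rest = "", parts[2:]
        else:
            host, rest = parts[2], parts[3:]
        records.append({
            "user": user, "tty": tty, "host": host,
            "when": " ".join(rest[:4]),
            "active": "still logged in" in line,
        })
    return records


def flag_logins(records, known_host_prefixes, known_users):
    """Return (user, origin, reason) for logins a defender should review:
    origins outside the expected address ranges, or accounts not on the
    expected user list (e.g. newly created ones)."""
    findings = []
    for r in records:
        reasons = []
        if r["host"] and not r["host"].startswith(known_host_prefixes):
            reasons.append("origin outside expected ranges")
        if r["user"] not in known_users:
            reasons.append("account not in expected user list")
        if reasons:
            findings.append((r["user"], r["host"] or "console", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Assumed allowlists: campus 137.28.0.0/16 and three known accounts.
    for f in flag_logins(parse_last(SAMPLE_LAST), ("137.28.",), {"wagnerpj", "flinstf", "root"}):
        print(f)
```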
13
ping
Potential Uses
- Is system online? Through response
- Gather name information: through DNS
- Estimate relative physical location: based on RTT (Round Trip Time) given in summary statistics
- Identify operating system: based on TTL (packet Time To Live) on each packet line
  - TTL = number of hops allowed to get to system
  - 64 is Linux default, 128 is Windows default (but can be changed!)
Notes
- Uses ICMP packets
- Often blocked on many hosts
Usage: ping system
E.g. ping ftp.redhat.com
E.g. ping localhost
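An added example (not part of the presentation) that applies the TTL and RTT heuristics above to ping output: the sample output is constructed, and the 64/128/255 initial-TTL table is an assumption about usual defaults, which, as the slide warns, can be changed.

```python
import re
from statistics import mean

# Constructed sample of `ping -c 3 ftp.redhat.com` output; the address and
# timings are made up for this example.
SAMPLE_PING = """\
PING ftp.redhat.com (209.132.183.81) 56(84) bytes of data.
64 bytes from 209.132.183.81 (209.132.183.81): icmp_seq=1 ttl=52 time=28.4 ms
64 bytes from 209.132.183.81 (209.132.183.81): icmp_seq=2 ttl=52 time=27.9 ms
64 bytes from 209.132.183.81 (209.132.183.81): icmp_seq=3 ttl=52 time=28.8 ms

--- ftp.redhat.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
"""

REPLY = re.compile(r"ttl=(\d+)\s+time=([\d.]+)\s*ms")

# Usual initial TTLs (assumed defaults; as the slide notes, they can be changed).
INITIAL_TTLS = {
    64: "Linux/Unix-like default",
    128: "Windows default",
    255: "router or Solaris-style default",
}


def parse_ping(text):
    """Return (ttl, rtt_ms) for each echo reply line in ping output."""
    return [(int(m.group(1)), float(m.group(2))) for m in REPLY.finditer(text)]


def profile_host(text):
    """Apply the slide's heuristics: online?, likely OS family, hop count, RTT."""
    replies = parse_ping(text)
    if not replies:
        return {"online": False}       # no replies: host down, or ICMP filtered
    ttl = replies[-1][0]
    # The sender started at the smallest common default not below what we saw;
    # the difference is the number of routers the reply crossed.
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return {
        "online": True,
        "ttl": ttl,
        "likely_os": INITIAL_TTLS[initial],
        "hops_away": initial - ttl,
        "avg_rtt_ms": round(mean(rtt for _, rtt in replies), 1),
    }
```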
14
traceroute
Potential Uses
- Determine physical location of machine
- Gather network information (gateway, other internal systems)
- Find system that’s dropping your packets – evidence of a firewall
Notes
- Can use UDP or ICMP packets
- Results often limited by firewalls
- Several GUI-based traceroute utilities available
Usage: traceroute system
E.g. traceroute cs.umn.edu
15
traceroute example
[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
[wagnerpj@data ~]$
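An added example (not from the slides) that reads traceroute output like the one above and reports the last hop that answered, i.e. where replies start being dropped; the sample is constructed from the slide's hops with two silent hops appended, and it handles only the Linux traceroute format, not Windows tracert.

```python
import re

# Constructed traceroute output modelled on the slide (cs.umn.edu example);
# hops 4 and 5 never answer. Not a live capture.
SAMPLE_TRACE = """\
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
 5  * * *
"""

HEADER = re.compile(r"^traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)", re.M)
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
RESPONDER = re.compile(r"(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")   # "name (ip)"


def parse_traceroute(text):
    """Parse Linux-style traceroute lines; a hop with no 'name (ip)' reply
    (e.g. '* * *') is recorded with answered=False."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # header line or trailing shell prompt
        num, rest = m.groups()
        reply = RESPONDER.search(rest)     # first responder on the line, if any
        name, ip = reply.groups() if reply else (None, None)
        hops.append({"hop": int(num), "name": name, "ip": ip, "answered": ip is not None})
    return hops


def summarize_trace(text):
    """Did the trace reach the target, and after which hop did replies stop?"""
    target = HEADER.search(text)
    target_ip = target.group(1) if target else None
    hops = parse_traceroute(text)
    answered = [h for h in hops if h["answered"]]
    return {
        "target_ip": target_ip,
        "reached": any(h["ip"] == target_ip for h in answered),
        "last_responding": answered[-1]["name"] if answered else None,
        "last_responding_hop": answered[-1]["hop"] if answered else 0,
        "silent_hops": [h["hop"] for h in hops if not h["answered"]],
    }
```

A run of silent hops right after a responding device, with the target never reached, is the pattern the slide calls evidence of a firewall.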
16
traceroute example - success
H:\>tracert www.google.com
Tracing route to www.google.akadns.net [64.233.167.99]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
 10    16 ms    16 ms    18 ms  216.239.46.10
 11    21 ms    19 ms    17 ms  64.233.175.30
 12    18 ms    16 ms    16 ms  64.233.167.99
Trace complete.
17
finger
Potential Uses
- Collect usernames
- Determine if user is currently logged in
Notes
- Often blocked
Usage: finger localuser  or  finger @system  or  finger remoteuser@system
E.g. finger chidanan (user on local system)
E.g. finger @csse.rose-hulman.edu (all on remote system)
E.g. finger chidanan@csse.rose-hulman.edu (user on remote system)
18
whois
Potential Uses
- Queries nicname/whois servers for Internet registration information
- Can gather contacts, names, geographic information, servers, … - useful for social engineering attacks
Usage: whois domain
E.g. whois netcom.com
19
whois example - basic
Domain Name: UWEC.EDU
Registrant:
  University of Wisconsin - Eau Claire
  105 Garfield Avenue
  Eau Claire, WI 54702-4004
  UNITED STATES
Contacts:
  Administrative Contact:
    Computing and Networking Services
    105 Garfield Ave
    Eau Claire, WI 54701
    UNITED STATES
    (715) 836-5711
    networking@uwec.edu
Name Servers:
  TOMATO.UWEC.EDU   137.28.1.17
  LETTUCE.UWEC.EDU  137.28.1.18
  BACON.UWEC.EDU    137.28.5.194
20
whois example - wildcards
whois uw%.edu
Your search has matched multiple domains. Below are the domains you matched (up to 100). For specific information on one of these domains, please search on that domain.
  UW.EDU
  UWA.EDU
  UWB.EDU
  UWC.EDU
  UWEC.EDU
  UWEST.EDU
  UWEX.EDU
  …
21
nslookup
Potential Uses
- Query internet name servers
- Find name for IP address, and vice versa
Notes
- Now deprecated – generally use dig
- Sometimes useful when dig fails
Usage: nslookup xxxxxxx    // name or IP addr.
E.g. nslookup data.cs.uwec.edu
E.g. dig data.cs.uwec.edu
22
dig
Potential Uses
- Domain Name Service (DNS) lookup utility
- Associate name with IP address and vice versa
Notes
- Many command options
General usage: dig
E.g. dig data.cs.uwec.edu
E.g. dig 137.28.109.33
23
arp
Tracks addresses, interfaces accessed by system
Possible uses
- Find adjacent systems
Notes
  arp       // display names
  arp -n    // display numeric addresses
24
netstat
Shows connections, routing information, statistics
Possible uses
- find adjacent machines, used ports
Notes
- Many flags
  netstat       // open sockets, etc.
  netstat -s    // summary statistics
  netstat -r    // routing tables
  netstat -p    // programs
  netstat -l    // listening sockets
25
lsof
Lists open files on your system
Useful to see what processes are working with what files, possibly identify tampering
Usage: lsof
26
Windows Tools
Sam Spade
- “swiss army knife” of footprinting
- Has most of the Linux tools
- Plus other functionality
Usage
- Start application
- Fill in name or IP address
- Choose option desired in menus
27
Packet Sniffers
Definition: Hardware or software that can display network traffic packet information
Usage
- Network traffic analysis
Example packet sniffers
- tcpdump (command line, Linux)
- ethereal (Linux, Windows – open source)
- others…
28
Limitations – Packet Sniffing
Packet sniffers only catch what they can see
- Users attached to hub – can see everything
- Users attached to switch – can see own traffic only
- Wireless – wireless access point is like hub
Need to be able to put NIC in “promiscuous” mode to be able to process all traffic, not just traffic for/from itself
- NIC must support it
- Need privilege (e.g. root in Linux)
29
OSI Network Protocol
- Layer 7 – Application (incl. app. content)
- Layer 6 – Presentation
- Layer 5 – Session
- Layer 4 – Transport (incl. protocol, port)
- Layer 3 – Network (incl. source, dest)
- Layer 2 – Data Link
- Layer 1 – Physical
30
ethereal / wireshark
- Created as tool to examine network problems in 1997
- Various contributors added packet dissectors, fixes, upgrades; released 1998
- Works with other packet filter formats
Information
- http://www.wireshark.org
- http://www.ethereal.com
Demonstration
31
Using ethereal
Prompt>> ethereal &    (in Linux)
Capture/Start/OK
- Capture window shows accumulated totals for different types of packets
Stop – packets now displayed
- Top window – packet summary
  - Can sort by column – source, destination, protocol are useful
- Middle window – packet breakdown
  - Click on + icons for detail at each packet level
- Bottom window – packet content
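An added example (not part of the presentation) of the layer-by-layer breakdown that Ethereal's middle window shows, for the OSI layers listed earlier: it decodes a constructed Ethernet/IPv4/TCP frame into the L2, L3 and L4 fields; the frame bytes are made up for this example.

```python
import socket
import struct

# Constructed Ethernet/IPv4/TCP frame (a SYN to port 80), built by hand for
# this example; the MAC and IP values echo the ifconfig/dig slides, the rest
# is made up and both checksums are left at zero.
FRAME = bytes.fromhex(
    "000c29cdf6d3" "005056c00008" "0800"                   # Ethernet: dst, src, type
    "4500" "0028" "0001" "0000" "40" "06" "0000"           # IPv4: ver/ihl .. ttl, proto, csum
    "c0a8ac80" "891c6d21"                                  # IPv4: src, dst
    "c350" "0050" "00000001" "00000000" "5002" "ffff" "0000" "0000"  # TCP header
)

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Break a frame into the layers a sniffer's middle window shows:
    L2 (MACs, EtherType), L3 (addresses, TTL, protocol), L4 (ports, flags)."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["L2"] = {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers                      # only IPv4 is decoded here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4               # IPv4 header length in bytes (options included)
    layers["L3"] = {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8], "protocol": ip[9],
    }
    if ip[9] != 6:
        return layers                      # only TCP is decoded here
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    layers["L4"] = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
    }
    return layers
```

The TTL in the L3 view is the same value ping's heuristics use, and the L4 ports are what the top window's protocol column is derived from.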
32
Ethereal capture analysis
- Can save a session to a capture file
- Can reopen file later for further analysis
Open capture file
- Identify and follow different TCP streams
  - Select TCP packet, Tools/Follow TCP Stream
- CLICScapture.cap has http, https, ftp, ssh
- Any interesting information out there?
33
Related Tools
Hunt
- TCP sniffer
- Watch and reset connections
- Hijack sessions
- Spoof MAC
- Spoof DNS
34
Related Tool
EtherPEG – image capture on network
- http://www.etherpeg.com
- Demonstration
- See http://www.menshevik.com/showme on Windows
35
Summary
- Basic tools can generate much information
- Remember principle of accumulating information
  - Attacker will build on smaller pieces to get bigger pieces
- Moral: don’t give away information if you can avoid it