Presentation is loading. Please wait.

Presentation is loading. Please wait.

CNIT 124: Advanced Ethical Hacking. CASING THE ESTABLISHMENT CASE STUDY.

Published byChristal Shields Modified over 8 years ago

Similar presentations

Presentation on theme: "CNIT 124: Advanced Ethical Hacking. CASING THE ESTABLISHMENT CASE STUDY."— Presentation transcript:

1 CNIT 124: Advanced Ethical Hacking

2 CASING THE ESTABLISHMENT CASE STUDY

3 TOR (The Onion Router) Passes packets through proxies, concealing the source IP –Usually installed with Vidalia (the GUI) and Privoxy (Web filtering proxy) –Tor listens on port 9050 –Privoxy listens on port 8118 –Torbutton Firefox extension controls Tor use tor-resolve performs DNS resolution through Tor, concealing your IP Address

4 Proxychains Forces TCP connections to go through a proxy Requires complete handshake –SYN, SYN/ACK, ACK

5 nmap through proxychains

6 socat Relays bidirectional transfers

7 socat This command opens a proxy listening on localhost:8080 and forwards all requests through Tor to the target 10.10.10.100:80

8 Using nc as a Web browser

9 Chapter 1 Footprinting

10 Google Hacking Find sensitive data about a company from Google Completely stealthy—you never send a single packet to the target (if you view the cache) To find passwords: –intitle:"Index of" passwd passwd.bak See links Ch 1a, 1b on my Web page (samsclass.info, click CNIT 124)

11 Other fun searches Nessus reports (link Ch 1c) More passwords (link Ch 1d)

12 Be The Bot See pages the way Google's bot sees them

13 Custom User Agents Add the "User Agent Switcher" Firefox Extension

14 Footprinting Gathering target information "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." –Sun Tzu on the Art of War

15 Environments and the Critical Information Attackers Can Identify Internet Presence Intranet Remote Access (travelling employees) Extranet (vendors and business partners)

16 Internet Domain name Network blocks Specific IP addresses of systems reachable via the Internet TCP and UDP services running on each system identified System architecture (for example, Sparc vs. x 86) Access control mechanisms and related access control lists (ACLs) Intrusion-detection systems (IDSs) System enumeration (user and group names, system banners, routing tables, and SNMP information) DNS hostnames

17 Intranet Networking protocols in use (for example, IP, IPX, DecNET, and so on) Internal domain names Network blocks Specific IP addresses of systems reachable via the intranet TCP and UDP services running on each system identified System architecture (for example, SPARC vs. x 86) Access control mechanisms and related ACLs Intrusion-detection systems System enumeration (user and group names, system banners, routing tables, and SNMP information)

18 Remote access Analog/digital telephone numbers Remote system type Authentication mechanisms VPNs and related protocols (IPSec and PPTP)

19 Extranet Connection origination and destination Type of connection Access control mechanism

20 Internet Footprinting Step 1: Determine the Scope of Your Activities Step 2: Get Proper Authorization Step 3: Publicly Available Information Step 4: WHOIS & DNS Enumeration Step 5: DNS Interrogation Step 6: Network Reconnaissance

21 Step 1: Determine the Scope of Your Activities Entire organization Certain locations Business partner connections (extranets) Disaster-recovery sites

22 Step 2: Get Proper Authorization Ethical Hackers must have authorization in writing for their activities –"Get Out of Jail Free" card –Criminals omit this step Image from www.blackhatseo.fr

23 Step 3: Publicly Available Information Company web pages –Wget and Teleport Pro are good tools to mirror Web sites for local analysis (links Ch 1o & 1p) –Look for other sites beyond "www" –Outlook Web Access https://owa.company.com or https://outlook.company.com –Virtual Private Networks http://vpn.company.com or http://www.company.com/vpn http://vpn.company.com or http://www.company.com/vpn

24 OWASP DirBuster

25 Step 3: Publicly Available Information Related Organizations Physical Address –Dumpster-diving –Surveillance –Social Engineering Tool: Google Earth (link Ch 1q) and Google Maps Street View

26 Step 3: Publicly Available Information Phone Numbers, Contact Names, E-mail Addresses, and Personal Details Current Events –Mergers, scandals, layoffs, etc. create security holes Privacy or Security Policies, and Technical Details Indicating the Types of Security Mechanisms in Place

27 Step 3: Publicly Available Information Archived Information –The Wayback Machine (link Ch 1t) –Google Cache Disgruntled Employees

28 SiteDigger (Link Ch 1z7)

29 Wikto Link Ch 1z8

30 FOCA Searches file metadata (link Ch 1z9)

31 SHODAN Searches banners

32 SHODAN finding Vulnerable SCADA Systems

33 Step 3: Publicly Available Information Usenet –Groups.google.com Resumes

34 Maltego Data mining tool

35 Using Maltego Link Ch 1z10

36 Step 4: WHOIS & DNS Enumeration Two organizations manage domain names, IP addresses, protocols and port numbers on the Internet –Internet Assigned Numbers Authority (IANA; http://www.iana.org) –Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org) –IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN

37 Step 4: WHOIS & DNS Enumeration Domain-Related Searches –Every domain name, like msn.com, has a top- level domain -.com,.net,.org, etc. If we surf to http://whois.iana.org, we can search for the authoritative registry for all of.com –.com is managed by Verisign

38 Step 4: WHOIS & DNS Enumeration

39 Verisign Whois (link Ch 1v) –Search for ccsf.edu and it gives the Registrar Whois.educause.net Three steps: –Authoritative Registry for top-level domain –Domain Registrar –Finds the Registrant

40 Step 4: WHOIS & DNS Enumeration Automated tools do all three steps –Whois.com –Sam Spade –Netscan Tools Pro They are not perfect. Sometimes you need to do the three-step process manually.

41 Step 4: WHOIS & DNS Enumeration Once you've homed in on the correct WHOIS server for your target, you may be able to perform other searches if the registrar allows it You may be able to find all the domains that a particular DNS server hosts, for instance, or any domain name that contains a certain string –BUT a court decision in North Dakota just declared this illegal (link Ch 1s) (printed notes have the wrong state & link)

42 Step 4: WHOIS & DNS Enumeration How IP addresses are assigned: –The Address Supporting Organization (ASO http://www.aso.icann.org) allocates IP address blocks to –Regional Internet Registries (RIRs), which then allocate IPs to organizations, Internet service providers (ISPs), etc. –ARIN (http://www.arin.net) is the RIR for North and South America

43 Internet Registry Regions http://www.iana.org/numbers/

44 2013: The End

45 Step 4: WHOIS & DNS Enumeration IP-Related Searches –To track down an IP address: Use arin.net (link Ch 1x) It may refer you to a different database Examples: –147.144.1.1 –61.0.0.2

46 Step 4: WHOIS & DNS Enumeration IP-Related Searches –Search by company name at arin.net to find IP ranges, and AS numbers –AS numbers are used by BGP (Border Gateway Protocol) to prevent routing loops on Internet routers (link Ch 1y) –Examples: Google, CCSF

47 Step 4: WHOIS & DNS Enumeration Administrative contact gives you name, voice and fax numbers Useful for social engineering Authoritative DNS Server can be used for Zone Transfer attempts –But Zone Transfers may be illegal now (link Ch 1s)

48 Step 4: WHOIS & DNS Enumeration Public Database Security Countermeasures –When an administrator leaves an organization, update the registration database –That prevents an ex-employee from changing domain information –You could also put in fake "honeytrap" data in the registration eBay's domain was hijacked (link Ch 1z1)

49 Step 5: DNS Interrogation Zone Transfers –Gives you a list of all the hosts when it works –Usually blocked, and maybe even illegal now 14% of 1 million tested domains were vulnerable (link Ch 1z12)

50 Step 5: DNS Interrogation Determine Mail Exchange (MX) Records –You can do it on Windows with NSLOOKUP in Interactive mode

51 Excellent Tutorial Link Ch 1z11

52 Step 5: DNS Interrogation DNS Security Countermeasures –Restrict zone transfers to only authorized servers –You can also block them at the firewall DNS name lookups are UDP Port 53 Zone transfers are TCP Port 53 Note: DNSSEC means that normal name lookups are sometimes on TCP 53 now

53 Step 5: DNS Interrogation DNS Security Countermeasures –Attackers could still perform reverse lookups against all IP addresses for a given net block –So, external nameservers should provide information only about systems directly connected to the Internet

54 Step 6: Network Reconnaissance Traceroute –Can find route to target, locate firewalls, routers, etc. Windows Tracert uses ICMP Linux Traceroute uses UDP by default

55 Tracert

56 NeoTrace NeoTrace combines Tracert and Whois to make a visual map (link Ch 1z2)

57 Step 6: Network Reconnaissance Firewalk uses traceroute techniques to find ports and protocols that get past firewalls Uses low TTL values and gathers data from ICMP Time Exceeded messages –This should be even more effective with IPv6 because ICMPv6 is mandatory and cannot be blocked as well

58 Step 6: Network Reconnaissance Countermeasures –Many of the commercial network intrusion- detection systems (NIDS) and intrusion prevention systems (IPS) will detect this type of network reconnaissance –Snort – the standard IDS(link Ch 1z5) –Bro-IDS is another open source free NIDS

59 Step 6: Network Reconnaissance Countermeasures –You may be able to configure your border routers to limit ICMP and UDP traffic to specific systems, thus minimizing your exposure

Download ppt "CNIT 124: Advanced Ethical Hacking. CASING THE ESTABLISHMENT CASE STUDY."

Similar presentations

Module II Footprinting

Module II Footprinting
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Hacking Exposed 7 Network Security Secrets & Solutions

Hacking Exposed 7 Network Security Secrets & Solutions
Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering.

Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Forces that Have Brought the world to it’s knees over the centuries.

Forces that Have Brought the world to it’s knees over the centuries.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Week 2 -1 Week 2: Footprinting What is Footprinting? –Systematic collection of information on an intended target with the goal to create a complete profile.

Week 2 -1 Week 2: Footprinting What is Footprinting? –Systematic collection of information on an intended target with the goal to create a complete profile.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Chapter 5 Phase 1: Reconnaissance. Reconnaissance  Finding as much information about the target as possible before launching the first attack packet.

Chapter 5 Phase 1: Reconnaissance. Reconnaissance  Finding as much information about the target as possible before launching the first attack packet.
CSC586 Network Forensics IP Tracing/Domain Name Tracing.

CSC586 Network Forensics IP Tracing/Domain Name Tracing.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google