Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Reconnaissance.

Published byJoel Andrews Modified over 8 years ago

Similar presentations

Presentation on theme: "CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Reconnaissance."— Presentation transcript:

1 CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Reconnaissance

2 CIT 380: Securing Computer SystemsSlide #2 Topics 1.Low Tech Reconnaissance 2.Network Information Sources 3.DNS Zone Transfers 4.Network Mapping

3 CIT 380: Securing Computer SystemsSlide #3 Reconnaissance Collecting security-relevant information about an organization, including: –Locations –Related entities –Personnel: names, phone numbers, email addrs –Privacy or security policies –Network and system configuration –Remote access methods

4 CIT 380: Securing Computer SystemsSlide #4 Low Tech Reconnaissance 1.Social Engineering 2.Physical Break-In 3.Dumpster Diving

5 CIT 380: Securing Computer SystemsSlide #5 Social Engineering Attacker uses pretext to deceive organization member into giving out confidential information. Pretexts include personas and reasons: Personas –New employee –Sysadmin –Manager Reasons –Lost password –Contact name/phone –Reset password

6 CIT 380: Securing Computer SystemsSlide #6 Social Engineering Defences Security Policy –Secure method for password resets. –No requests for passwords. Security Awareness Program –Educate personnel about social attacks. –Educate personnel about security policy.

7 CIT 380: Securing Computer SystemsSlide #7 Physical Break-In Methods of Entry –Employment. –Enter on someone else’s coat tails. Physical Access –Already logged in system. –System with password written down nearby. –Install hardware/software key loggers. –Plug in laptop to Ethernet port. –Take removable media or even hard disks.

8 CIT 380: Securing Computer SystemsSlide #8 Physical Defences Security Policy –Personnel cannot enter without card. –No coat-tailing. –Policy for ID card replacement/temporary IDs. Security Mechanisms –Card reader access. –Guards. –Automatic screen locks after 5 minutes. –Locked file cabinets/drawers. –Encryption.

9 CIT 380: Securing Computer SystemsSlide #9 Dumpster Diving Search trash for sensitive information –Usernames and passwords, –Phone directories, –Network diagrams, etc. 2000: Oracle hired IGI (a PI company) to investigate pro-Microsoft groups. –IGI searched trash to discover MS funding of supposedly independent advocacy groups.

10 CIT 380: Securing Computer SystemsSlide #10 Defences Against Dumpster Diving Security Policy –Require special disposal of confidential data. –Includes paper, floppies, etc. Security Mechanisms –Paper shredder. –De-gausser. –Burning.

11 CIT 380: Securing Computer SystemsSlide #11 Information Resources Organization web site –Check HTML source for comments. –Check robots.txt for interesting files. Usenet postings –Search groups.google.com for “@org ” postings –comp.security.*, comp.unix.* Search news sources about organization: –finance.yahoo.com –news.google.com –Edgar database (www.sec.gov/)www.sec.gov/ Send email to invalid address @org –Identify mail server vendor and version. –Email server topology and antivirus defences.

12 CIT 380: Securing Computer SystemsSlide #12 Google Hacking: Keywords site: for site-specific searches –site:orgname –keywords: dial, dialup, login, password –job postings listing required programs/technologies link: find related sites –link:sitename cache: see deleted pages or old versions –cache:sitename

13 CIT 380: Securing Computer SystemsSlide #13 Google Hacking: Finding Directory Listings intitle: for text in title, not body. –intitle:index.of “parent directory” –intitle:index.of name size Combine with site: to specify your target.

14 CIT 380: Securing Computer SystemsSlide #14 Google Hacking: Finding Passwords UNIX Passwords intitle:"Index of..etc" passwd MySql History (often includes passwords) intitle:"Index of".mysql_history See Google Hack Database for more queries. See www.googleguide.com for more about Google.

15 CIT 380: Securing Computer SystemsSlide #15 What if a page has been deleted? Google Cache –Google for cache:www.nku.edu –Cached page data up to 101K. Internet Archive –www.archive.orgwww.archive.org –Not searchable. –Enter URL of old site. –Select date of archive to view.

16 CIT 380: Securing Computer SystemsSlide #16 Defences against Google Hacking Security Policy –Limit personal information (SSN, phone, email) on site. –Limit technical information posted to web site. –Limit data exposure on web forums and newsgroups. Security Mechanism –Perform your own searches of web site. –Use robots.txt to limit what pages are indexed. –Beware that attackers will target pages hidden from search engines by robots.txt.

17 CIT 380: Securing Computer SystemsSlide #17 Domain Name Registration Domain registration information –Contact information: names, email, phone –Postal address –Registration dates –DNS servers Obtaining registration information –http://www.internic.net/whois.html –whois command IP Address Assignments –Find ownership information for IP address blocks –http://ws.arin.net/whois

18 CIT 380: Securing Computer SystemsSlide #18 whois Domain Name: NKU.EDU Registrant: Northern Kentucky University Information Technology Lucas Admin Center 507, Nunn Dr Highland Heights, KY 41099 Administrative Contact: Kathy Bennett (859) 572-1577 bennettk2@nku.edu Technical Contact: Douglas Wells (859) 572-5847 wellsdj@nku.edu Name Servers: NS3.NKU.EDU 192.122.237.203 NS4.NKU.EDU 192.122.237.204 Domain record activated: 12-Jul-1994 Domain record last updated: 21-Sep-2007

19 CIT 380: Securing Computer SystemsSlide #19 whois > host intel.com intel.com has address 198.175.96.33 > whois 198.175.96.33 [Querying whois.arin.net] [whois.arin.net] Intel Corporation NETBLK-INTEL-IT (NET-198-175-64-0-1) 198.175.64.0 - 198.175.123.255 Distributed Network Technical Support INTEL-IT33 (NET- 198-175-96-0-1) 198.175.96.0 - 198.175.96.255 # ARIN WHOIS database, last updated 2004-04-04 19:15 # Enter ? for additional hints on searching ARIN's WHOIS database.

20 CIT 380: Securing Computer SystemsSlide #20 Threats Social Engineering –Pose as administrative contact via phone/email to gain information Wardialing –Search telephone exchange for modems Domain Hijacking –1998 redirect of aol.com to autonete.net Further network investigation –DNS queries –Network scans of IP address space

21 CIT 380: Securing Computer SystemsSlide #21 Domain Name Service (DNS) Root DNS Servers edu DNS servers com DNS serversnet DNS servers nku.edu DNS servers

22 CIT 380: Securing Computer SystemsSlide #22 DNS Lookup Client Local DNS Svr Root DNS Svr edu DNS Svr nku.edu DNS Svr www.nku.edu 192.122.237.7 www.nku.edu Referral to nku.edu www.nku.edu Referral to edu www.nku.edu 192.122.237.7

23 CIT 380: Securing Computer SystemsSlide #23 DNS Record Types Record TypePurpose AMaps a DNS name to an IP address. HINFOArbitrary host information. MXIdentifies a mail server. NSIdentifies a name server. TXTArbitrary text used for documentation.

24 CIT 380: Securing Computer SystemsSlide #24 DNS Reconnaissance Identify hosts one by one using nslookup or dig commands. $ nslookup > www.nku.edu Non-authoritative answer: Name: www.nku.edu Address: 192.122.237.7 > set type=mx > nku.edu Non-authoritative answer: nku.edu mail exchanger = 100 sort1.mxsmtp.com. nku.edu mail exchanger = 200 sort2.mxsmtp.com. nku.edu mail exchanger = 300 sort3.mxsmtp.com. Authoritative answers can be found from: nku.edu nameserver = ns4.nku.edu. nku.edu nameserver = ns3.nku.edu. ns3.nku.edu internet address = 192.122.237.203

25 CIT 380: Securing Computer SystemsSlide #25 DNS Zone Transfer List all DNS information for a domain –Used to sync secondary DNS servers with primary. –Provide entire DNS database to attacker. Commands –host –l –v –t any nku.edu –nslookup set type=any ls –d nku.edu Defences –ACL for zone xfers only f/ secondary DNS servers. –Separate internal and external DNS databases.

26 CIT 380: Securing Computer SystemsSlide #26 Network Mapping DNS and whois searches have identified networks of interest. Next step: mapping the networks traceroute –explore network topology –identify firewalls ping scan –find currently up hosts

27 CIT 380: Securing Computer SystemsSlide #27 traceroute > traceroute www.washington.edu traceroute: Warning: www.washington.edu has multiple addresses; using 140.142.11.6 traceroute to www.washington.edu (140.142.11.6), 30 hops max, 40 byte packets 1 nku10 (192.122.237.10) 1.642 ms 1.195 ms 1.001 ms 2 h98.188.140.67.ip.alltel.net (67.140.188.98) 1.716 ms 1.219 ms 1.492 ms 3 h89.188.140.67.ip.alltel.net (67.140.188.89) 5.493 ms 5.850 ms 5.523 ms 4 128.163.55.209 (128.163.55.209) 21.311 ms 21.992 ms 21.349 ms 5 143.215.193.1 (143.215.193.1) 22.730 ms 21.956 ms 22.482 ms 6 216.24.186.34 (216.24.186.34) 37.851 ms 37.949 ms 37.459 ms 7 denv-chic-36.layer3.nlr.net (216.24.186.5) 61.102 ms 61.290 ms 61.864 ms 8 seat-denv-58.layer3.nlr.net (216.24.186.7) 87.954 ms 87.546 ms 87.563 ms 9 209.124.179.45 (209.124.179.45) 86.930 ms 86.932 ms 86.544 ms 10 209.124.191.133 (209.124.191.133) 87.087 ms 86.794 ms 87.296 ms 11 uwcr-ads-01-vlan1802.cac.washington.edu (205.175.101.9) 86.938 ms 87.157 ms 86.930 ms 12 uwcr-ads-01-vlan3839.cac.washington.edu (205.175.101.158) 87.700 ms 86.899 ms 86.699 ms 13 acar-ads-01-vlan3802.cac.washington.edu (205.175.108.10) 87.058 ms 87.061 ms 86.638 ms 14 www14.cac.washington.edu (140.142.11.6) 87.439 ms 87.137 ms 87.303 ms

28 CIT 380: Securing Computer SystemsSlide #28 Network Diagramming traceroute to multiple internal hosts –identify different paths –identify firewalls that prevent traceroute Draw map of network based on traceroutes Helpful Tools firewalk: route tracing tool that bypasses many firewall configurations that stop traceroute neotrace: geographic map of network route

29 CIT 380: Securing Computer SystemsSlide #29 Defences Firewalls –Restrict ingress of packet types commonly used for network mapping, e.g. ICMP. Detection –IDS can detect network mapping attempts, letting you know which IPs are mapping your network.

30 CIT 380: Securing Computer SystemsSlide #30 Ping Scanning Send IP packet to each IP address in a network, checking for responses. Scan types –ICMP echo –TCP port 80 –TCP/UDP specific port –Fragmented packets

31 CIT 380: Securing Computer SystemsSlide #31 Ping Scanning > nmap -sP 10.17.0.0/24 Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-05 13:57 EDT Host pc_elan.lc3net (10.17.0.1) appears to be up. Host 10.17.0.31 appears to be up. Host 10.17.0.35 appears to be up. Host sun02 (10.17.0.55) appears to be up. Host sun09 (10.17.0.64) appears to be up. Host pc208p01 (10.17.0.66) appears to be up. Host sun14 (10.17.0.80) appears to be up. Host 10.17.0.241 appears to be up. Host 10.17.0.247 appears to be up. Nmap run completed -- 256 IP addresses (54 hosts up) scanned in 4.510 seconds

32 CIT 380: Securing Computer SystemsSlide #32 Defences Firewalls –Refuse ICMP echo ingress. –Restrict TCP ports to necessary servers port 80 only to web server port 25 only to mail server Bypassing defences –Multiple sweeps with different target ports. –ICMP timestamp and netmask request queries. –Fragment scans.

33 CIT 380: Securing Computer SystemsSlide #33 Ping Scan vs Firewall Firewall Ruleset –pass from any to 10.0.17.31 port 53 –pass from any to 10.0.17.35 port 25 –drop all > nmap -sP 10.17.0.0/24 Starting nmap 3.50 at 2004-04-05 13:57 Nmap run completed -- 256 IP addresses (0 hosts up) scanned in 72.430 seconds

34 CIT 380: Securing Computer SystemsSlide #34 Ping Scan vs Firewall Firewall Ruleset –pass from any to 10.0.17.31 port 25 keep state –pass from any port 53 to any keep state –drop all > nmap -sP –PS25 10.17.0.0/24 –bypasses first rule, finds any hosts listening on port 25 > nmap -sP –g 53 10.17.0.0/24 –bypasses second rule, as packets look like DNS response

35 CIT 380: Securing Computer SystemsSlide #35 Key Points 1.Reconnaissance –Don’t forget about low tech means. –Organizations give away info on web sites. 2.Registration –whois –ARIN 3.DNS –Recursive DNS query process. –Types of DNS records. –Zone transfers.

36 CIT 380: Securing Computer SystemsSlide #36 References 1.Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. 2.William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet Security, 2 nd edition, 2003. 3.Fyodor, “The Art of Port Scanning,” http://www.insecure.org/nmap/nmap_doc.html http://www.insecure.org/nmap/nmap_doc.html 4.Fyodor, NMAP man page, http://www.insecure.org/nmap/data/nmap_manpage.html http://www.insecure.org/nmap/data/nmap_manpage.html 5.Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting,” Phrack 54, http://www.insecure.org/nmap/nmap-fingerprinting- article.html 6.Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3 rd edition, O’Reilly & Associates, 2003. 7.Johnny Long, Google Hacking for Penetration Testers, Snygress, 2004. 8.Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed, 3 rd edition, McGraw-Hill, 2001. 9.Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.

Download ppt "CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Reconnaissance."

Similar presentations

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering.

Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Week 2 -1 Week 2: Footprinting What is Footprinting? –Systematic collection of information on an intended target with the goal to create a complete profile.

Week 2 -1 Week 2: Footprinting What is Footprinting? –Systematic collection of information on an intended target with the goal to create a complete profile.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Chapter 5 Phase 1: Reconnaissance. Reconnaissance  Finding as much information about the target as possible before launching the first attack packet.

Chapter 5 Phase 1: Reconnaissance. Reconnaissance  Finding as much information about the target as possible before launching the first attack packet.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Reconnaissance Steps. EC-Council Gathering information from Open Sources  Owner of IP-address range  Address Range  Domain Names  Computing Platforms.

Reconnaissance Steps. EC-Council Gathering information from Open Sources  Owner of IP-address range  Address Range  Domain Names  Computing Platforms.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.

What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.
Penetration Testing.

Penetration Testing.
Module 7: Configuring TCP/IP Addressing and Name Resolution.

Module 7: Configuring TCP/IP Addressing and Name Resolution.
 Find out initial information ◦ Open Source ◦ Whois ◦ Nslookup  Find out address range of the network ◦ ARIN (American registry for internet numbers)

 Find out initial information ◦ Open Source ◦ Whois ◦ Nslookup  Find out address range of the network ◦ ARIN (American registry for internet numbers)
Information Gathering Lesson 4. Steps for Gathering Information Find out initial information Open Source Whois Nslookup Find out address range of the.

Information Gathering Lesson 4. Steps for Gathering Information Find out initial information Open Source Whois Nslookup Find out address range of the.
Footprinting Richard Newman “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the.

Footprinting Richard Newman “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the.
Name Resolution Domain Name System.

Name Resolution Domain Name System.

Similar presentations

Ads by Google