Presentation is loading. Please wait.

Presentation is loading. Please wait.

Footprinting/Scanning/ Enumeration Lesson 9. Footprinting External attack: Enables attackers to create a profile of an organization’s security posture.

Published byThomasine Stanley Modified over 8 years ago

Similar presentations

Presentation on theme: "Footprinting/Scanning/ Enumeration Lesson 9. Footprinting External attack: Enables attackers to create a profile of an organization’s security posture."— Presentation transcript:

1 Footprinting/Scanning/ Enumeration Lesson 9

2 Footprinting External attack: Enables attackers to create a profile of an organization’s security posture including: Domain name Network blocks IP addresses for Internet connected systems TCP and UDP services running on systems System HW and SW (OS and applications) Possible security HW/SW (firewalls, IDS) User and group names, system banners Analog/Digital phone numbers, RAS

3 Footprinting Internal attack: same goal but from inside of the security perimeter – map out the network and determine current security posture. Identify: Network protocols Internal domain names IP addresses for system on internal network TCP and UDP services for internal systems HW and SW for internal systems IDS, firewalls, and other security devices User and group names, system banners Possible extranet or VPN connectivity

4 Open Source Search Start with the organization’s web page if they have one. Locations/addresses Phone numbers Names of key individuals Email addresses Policies (e.g. privacy) or other security info Review HTML source code for comments News articles, press releases GOOGLE or other search engine search Search USENET for postings EDGAR Search

5 EDGAR For Publicly Traded Companies!

6 Network Enumeration Goal is to identify domain names and associated networks. Then want IP addresses. Whois databases valuable in this search Access web sites with capability to search Download and run programs that will help Sam Spade (for Windows)

7 Sam Spade (IP Block Query)

8 Sam Spade (IP Block Query cont.)

9 Sam Spade (nslookup)

10 Sam Spade (traceroute)

11 DNS Zone Transfers DNS is a distributed database used for mapping IP addresses & hostnames. A security problem is to allow DNS zone transfers from unknown/untrusted Internet users. (Some misconfigured systems may allow server to provide zone transfer to anyone who asks.) A zone transfer allows a secondary server to update its info from the primary master. Potential problem occurs if zone transfer is allowed and the organization hasn’t segregated its internal (private) network information from its external (public) information. – Thus, internal hostnames and IP addresses may be revealed to external sources. This is akin to providing a blueprint of your internal network to anybody who asks. One way to accomplish zone transfer is to use nslookup Textbook has discussion of how to do this

12 nslookup

13 Network Reconnaissance Once we have identified potential networks we need to determine potential access paths into the network. traceroute: lets you view the route that an IP packet follows from one host to another. Uses TTL (time to live) option in the IP packet as a “hop counter” Can identify border routers and possibly firewalls as they will normally be the last system before our target. May be additional internal routers and firewalls if our target is an internal system. If normal probes blocked, try sending probe via UDP port 53 (used for DNS queries) as they may be allowed past firewall.

14 traceroute

15 Scanning Ping – can be used to determine what systems in a range of addresses are active. Known as a ping sweep. Sends ICMP ECHO request to target. If an ICMP ECHO_REPLY is received, target is alive. Number of different programs that can perform this (or you can always do it one-by-one on your own…) Linux: fping Windows: Sam Spade (single), Pinger, WS_PingProPack (commercial) If ICMP traffic is blocked, this method won’t work, will have to try something else, maybe skip to port scanning. Port Scanning – scan ports for an IP address (or range) to see what services (ports) are available Lots of tools to do these too, nmap, WS_PingProPack…

16 PING

17 Port Scan

18 Other ICMP queries Other queries using ICMP may provide further clues about target Request time on system – may reveal timezone system is in. Request netmask – may allow you to determine subnets being used

19 Time

20 Port Scanning Connecting to TCP or UDP ports on target to determine what services are running (in LISTENING state). Lots of different types of scans, some more “noisy” than others TCP connect scan – connect to port using 3-way handshake TCP SYN scan – “half open” scan, don’t complete handshake TCP FIN scan – Send a FIN packet, systems should send a RST packet UDP scan – send UCP packet, if system responds with “port unreachable” then port is closed, otherwise port is open (or system down or packet lost) Lots of other scans, check book Lots of programs to do scans – nmap, strobe, netcat, SuperScan

21 Port Scanning

22 Determining the OS Knowing the OS of a target system can be very useful. Number of methods to do this. Active Stack Fingerprinting: While there is a lot of details provided to vendors on how TCP/IP stacks should respond for given protocols, not everything is always spelled out. The way that systems respond to items that are not specifically discussed can give a clue or actually identify the OS. An example: A FIN packet sent to an open port should be met with no response. Windows NT, however, responds with a FIN/ACK. A number of other examples in text. Passive Stack Fingerprinting: Watch traffic as it traverses a network to identify the OS.

23 UNIX Tools – Network Mapper (nmap)

24

25 Enumeration – Telnet UNIX or MS Windows Provides a terminal connection to a running service Usually used to login to a remote system running the telnetd daemon – Very insecure, plaintext Also useful in many reconnaissance activities Obtaining HTTP Server information Obtaining MAIL Server information and accounts Usage: telnet target.com (port number) A tool that may prove useful is netcat (though it is a bit older). A lot more info on enumeration available in text, what you need depends on your targets.

26 UNIX Tools - Nessus Nessus – Written by Hugo van der Kooij and Jordan Hrycaj http://www.nessus.org Utilizes nmap to perform port scans Will detect they type of service based on it’s response not on it’s port number Attempts to exploit known vulnerabilities WARNING: Will perform DoS and DDoS attacks

27 UNIX Tools - Nessus Configuring Nessusd Before you run nessus you need to follow the following steps Adding a new user /usr/local/sbin/nessus-adduser Create a login name Chose “pass” for authentication type Type Ctrl-d Starting the daemon As root type: nessusd –D May take a minute to return to the shell Starting X Windows startx -- -nolisten -tcp

28 UNIX Tools - Nessus Configuring the nessus client

29 UNIX Tools - Nessus Setting up your scan: plugins

30 UNIX Tools - Nessus Scanning Options

31 UNIX Tools - Nessus Configuring the targets

32 UNIX Tools - Nessus Save nessus reports to.html files Remember to enable all but dangerous plugins Everything you need to know, including all the previous screen shots is available at http://www.nessus.org For information on configuring nessusd and nessus go to: http://www.nessus.org/demo/index.html nessus.README available on the lab systems in /home/tools/nessus/

33 UNIX Tools - Nessus

34 Summary What is the importance and significance of this material? It is time to start learning the “hands-on” tools needed to perform an assessment. How does this topic fit into the subject of “Security Risk Analysis”? You will need to be conduct all of these phases in an assessment. You need to understand the tools and have a familiarity with them.

Download ppt "Footprinting/Scanning/ Enumeration Lesson 9. Footprinting External attack: Enables attackers to create a profile of an organization’s security posture."

Similar presentations

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Network Mapping  Identify Live Hosts  Determine running Services TCP Port Scanning UDP Port Scanning Banner Grabbing ARP Discovery  Identify Perimeter.

Network Mapping  Identify Live Hosts  Determine running Services TCP Port Scanning UDP Port Scanning Banner Grabbing ARP Discovery  Identify Perimeter.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.

TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Port Scanning.

Port Scanning.
Ana Chanaba Robert Huylo

Ana Chanaba Robert Huylo
Module 7: Configuring TCP/IP Addressing and Name Resolution.

Module 7: Configuring TCP/IP Addressing and Name Resolution.
Data Gathering A hacker can’t do anything to you if they don’t know anything about you. The hacker requires: –A target –Your ip address –Your OS type –What.

Data Gathering A hacker can’t do anything to you if they don’t know anything about you. The hacker requires: –A target –Your ip address –Your OS type –What.

Similar presentations

Ads by Google