Footprinting Project

8/17/2019 Footprinting Project

1/38

Footprinting MEMBERS

Name Fathername

Jafar Mehr ali

Mustafa Karim

Ali Zamen

Alireza Noormohammad

Abdul khaliq Mohammad Halim

Hussein Ahmad

Rahman

Aliakbar


2/38

Footprinting

•

Definition: the gathering of information

about a potential system or network

• a.k.a. fingerprinting

• Attacker’s point of view• Identify potential target systems

• Identify which types of attacks may be useful on

target systems

• Defender’s point of view


3/38

• Know available tools

• May be able to tell if system is being footprinted,

be more prepared for possible attack

• Vulnerability analysis: know what information

you’re giving away, what weaknesses you have

Information to Gather

• System (Local or Remote)

•

IP Address, Name and Domain• Operating System

• Type (Windows, Linux, Solaris, Mac)


4/38

• Version (98/NT/2000/2003/XP/Vista/7, Redhat,

Fedora, SuSe, Ubuntu, OS X)

•

Usernames (and their passwords)

• File structure

• Open Ports (what services/programs are running

on the system)


5/38

Information to Gather (2)

• Networks / Enterprises • System information for all hosts • Network topology

• Gateways •

Firewalls

• Overall topology

• Network traffic information

• Specialized servers

• Web, Database, FTP, Email, etc.


6/38

Defender Perspective

• Identify information you’re giving away

• Identify weaknesses in systems/network

•

Know when systems/network is beingprobed

• Identify source of probe

• Develop awareness of threat

• Construct audit trail of activity


7/38

Tools - Linux •

Some basic Linux tools - lower levelutilities • Local System

• hostname •

ifconfig • who, last

• Remote Systems • ping

• traceroute • nslookup, dig • whois

• arp, netstat (also local system)


8/38

Tools –

Linux (2)

• Other utilities • wireshark (packet sniffing)

• nmap (port scanning) - more later

• Ubuntu Linux • Go to System / Administration / Network Tools –

et interface to collection of tools: ping, netstat,

traceroute, port scan, nslookup, finger, whois


9/38


10/38

hostname

• Determine host name of current system

• Usage: hostname •

E.g. hostname localhost.localdomain

// default

• E.g. hostname

mobile.cs.uwec.edu


11/38

ifconfig •

Configure network interface • Tells current IP numbers for host system

• Usage: ifconfig •

E.g. ifconfig // command alone: display status eth0

Link encap: Ethernet

HWaddr 00:0C:29:CD:F6:D3

inet addr: 192.168.172.128

. . .

lo Link encap: Local

Loopback

inet addr: 127.0.0.1 . . .


12/38

who

• Basic tool to show users on current system

• Useful for identifying unusual activity (e.g.activity by newly created accounts orinactive accounts)

• Usage: who • E.g. who

root

tty1

Jan 9 12:46

paul

tty2

Jan 9 12:52


13/38

last

• Show last N users on system • Default: since last cycling of file • -

N: last N lines

• Useful for identifying unusual activity in recent past

• Usage: last [ - n] • E.g. last -

3

wagnerpj

pts/1 137.28.253.254 Sat Feb 5 15:40 still logged in

flinstf

pts/0 137.28.191.74 Sat Feb 5 15:38 still logged in

rubbleb

pts/0 c48.someu.edu Sat Feb 5 14:38 -

15:25 (00:46)


14/38


15/38

traceroute

• Potential Uses • Determine physical location of machine

• Gather network information (gateway, otherinternal systems)

• Find system that’s dropping your packets – evidence of a firewall

• Notes • Can use UDP or ICMP packets

•

Results often limited by firewalls

• Several GUI

-

based traceroute

utilities available

• Usage: traceroute

system

• E.g. traceroute cs.umn.edu


16/38

traceroute example -

Success

C:

\

Users

\

Temp>

tracert

telkomuniversity.ac.id

Tracing route to telkomuniversity.ac.id [10.14.203.238]

over a maximum of 30 hops:

1

1 ms


17/38

traceroute example -

blocked

C:

\

Users

\

Temp>

tracert

detik.com

Tracing route to detik.com [203.190.242.69]

over a maximum of 30 hops:

1 1 ms 1 ms 2 ms 192.168.60.1

2 5 ms 2 ms 2 ms 10.11.221.1

3 4 ms 9 ms 3 ms 10.0.0.254

4 * * * Request timed out.

5 * * * Request timed out.

Trace complete.

C:

\

Users

\

Temp>


18/38

Visual Traceroute Example


19/38

whois

• Potential Uses • Queries nicname/whois servers for Internet

registration information

•

Can gather contacts, names, geographicinformation, servers, … -

useful for socialengineering attacks

• Notes •

Usage: whois domain

• e.g. whois telkomuniversity.ac.id


20/38

whois example -

wildcards

•

whois uw%.edu

Your search has matched multiple domains.

Below are the domains you matched (up to 100). For specific

information on one of these domains, please search on that domain.

UW.EDU

UWA.EDU

UWB.EDU

UWC.EDU

UWEC.EDU

UWEST.EDU

UWEX.EDU

….


21/38

nslookup

• Potential Uses • Query internet name servers

• Find name for IP address, and vice versa

•

Notes

• Now deprecated –

enerally use dig

• Sometimes useful when dig fails

• Usage •

nslookup xxxxxxx // name or IP addr. • E.g. nslookup academic.telkomuniversity.ac.id

• E.g. dig academic.telkomuniversity.ac.id


22/38

dig

• Potential Uses • Domain Name Service (DNS) lookup utility

• Associate name with IP address and vice versa

• Notes • Many command options

• General usage: dig

• E.g. dig academic.telkomuniversity.ac.id • E.g. dig 10.14.203.238


23/38

arp

• Tracks addresses, interfaces accessed bysystem

• Possible uses • Find systems that your system has recently talked

to

• Notes •

arp // display names • arp – n // display numeric addresses


24/38

netstat

• Shows connections, routing information,statistics

• Possible uses

•

find systems that your system has recentlytalked to, find recently used ports

• Notes

• Many flags

• netstat // open sockets, etc. •

netstat – s // summary statistics • netstat

– r // routing tables • netstat

–

p

// programs

• netstat – l // listening sockets


25/38

Windows Tools

• Sam Spade • “swiss army knife” of footprinting

• Has most of the Linux tools

• Plus other functionality

• Usage • Start application

• Fill in name or IP address

• Choose option desired in menus


26/38

Packet Sniffers

• Definition: Hardware or software that candisplay network traffic packet information

• Usage • Network traffic analysis

• Example packet sniffers • tcpdump (command line, Linux)

•

wireshark (GUI interface, Linux, Windows – opensource)

• others…


27/38

Limitations – Packet Sniffing•

Packet sniffers only catch what they can see• Users attached to hub – can see everything

• Users attached to switch – only see own traffic

•

Wireless – wireless access point is like hub

• Need to be able to put your network

interface card (NIC) in “promiscuous” mode

to be able to process all traffic, not justtraffic for/from itself


28/38

• NIC must support

• Need privilege (e.g. root in Linux)


29/38

OSI Network Protocol

• Layer 7 – Application (incl. app. content)

• Layer 6 – Presentation

• Layer 5 – Session

• Layer 4 –

ransport (incl. protocol, port)

• Layer 3 – Network (incl. source, dest)

• Layer 2 – Data Link

• Layer 1 –

Physical


30/38

wireshark •

Created as tool to examine network problems in1997

• Various contributors added pieces; released 1998

• Name change (2007): ethereal - > wireshark

• Works with other packet filter formats

• Information • http://www.wireshark.or

• Demonstration

http://www.wireshark.org/http://www.wireshark.org/http://www.wireshark.org/http://www.wireshark.org/


31/38

Using wireshark

• Ubuntu – Applications / Internet / Wireshark ( as root )

• Enter your administrative account pw: user

• Capture/Interfaces/eth0:, Start

• Capture window shows accumulated totals for differenttypes of packets

• Stop –

packets now displayed

• Top window –

packet summary

• Can sort by column – source, destination, protocol are useful

• Middle window –

packet breakdown

• Click on + icons for detail at each packet level

• Bottom window –

packet content


32/38

Wireshark capture analysis

•

Can save a session to a capture file

• Can reopen file later for further analysis

• Open capture file

•

Ubuntu: /home/user/Support/MOBILEcapture.cap

• W2K3: C:\Support\MOBILEcapture.cap

• Identify and follow different TCP streams


33/38

• Select TCP packet, Analyze/Follow TCP Stream •

MOBILEcapture.cap has http, https, ftp, ssh streams • Any

interesting information out there?

• HINT: follow stream on an ftp packet


34/38

Related Tool

• Hunt • TCP sniffer

• Watch and reset connections

• Hijack sessions

• Spoof MAC address

• Spoof DNS name


35/38

Related Tool

• EtherPEG – image capture on network • http://www.etherpeg.co

m

http://www.etherpeg.com/http://www.etherpeg.com/http://www.etherpeg.com/http://www.etherpeg.com/http://www.etherpeg.com/http://www.etherpeg.com/


36/38

Summary

• Basic tools can generate much information

• Remember principle of accumulatinginformation • Attacker will build on smaller pieces to get bigger

pieces

• Message to defenders: don’t give away any

information if you can avoid it


37/38

Ref

• www.cs.uwec.edu


38/38

Thank You IF any Question :D

Footprinting Project

Documents

Transcript of Footprinting Project