Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network

DefenseDefense

Chapter 4Chapter 4Footprinting and Social EngineeringFootprinting and Social Engineering

Last modified 9-10-15

ObjectivesObjectives

Use Web tools for footprintingUse Web tools for footprinting Conduct competitive intelligenceConduct competitive intelligence Describe DNS zone transfersDescribe DNS zone transfers Identify the types of social Identify the types of social

engineeringengineering

Using Web Tools for Using Web Tools for FootprintingFootprinting

““Case the jointCase the joint””• Look over the locationLook over the location• Find weakness in security systemsFind weakness in security systems• Types of locks, alarmsTypes of locks, alarms

In computer jargon, this is called In computer jargon, this is called footprintingfootprinting• Discover information about Discover information about

The organizationThe organization Its networkIts network

Table 4-1 Summary of Web tools

Rafasoft.comRafasoft.com

Table 4-1 Summary of Web tools (cont’d.)

Conducting Competitive Conducting Competitive IntelligenceIntelligence

Numerous resources to find Numerous resources to find information legallyinformation legally

Competitive IntelligenceCompetitive Intelligence• Gathering information using technologyGathering information using technology

Identify methods others can use to find Identify methods others can use to find information about your organizationinformation about your organization

Limit amount of information company Limit amount of information company makes publicmakes public

Analyzing a CompanyAnalyzing a Company’’s Web s Web SiteSite

Web pages are an easy source of Web pages are an easy source of informationinformation

Many tools availableMany tools available BurpSuiteBurpSuite

• Powerful proxy for all platforms (uses Powerful proxy for all platforms (uses Java)Java)

• https://portswigger.net/burp/https://portswigger.net/burp/

Burp ConfigurationBurp Configuration "Proxy" tab, "Intercept" sub-tab"Proxy" tab, "Intercept" sub-tab

• Adjust to "Intercept is off"Adjust to "Intercept is off" "Proxy" tab, "Options" sub-tab"Proxy" tab, "Options" sub-tab

• Start running on port 8080Start running on port 8080

Proxy Settings in Firefox

At top right, click "3 bars" icon, then the Gear icon

In "Advanced", on the "Network" tab, click "Settings”

Surf an Insecure Site like aol.comSurf an Insecure Site like aol.com

"HTTP "HTTP History" History" tab tab shows shows each each request request and and responseresponse

Surf a Secure Site like samsclass.infoSurf a Secure Site like samsclass.info

Browser Browser detects detects Burp's Burp's MITM MITM attack attack and and warns warns youyou

Other Proxy FunctionsOther Proxy Functions

Intercept & Modify RequestsIntercept & Modify Requests Can exploit poorly-made shopping sitesCan exploit poorly-made shopping sites

SpiderSpider Finds all the pages in a siteFinds all the pages in a site Saves a local copy of themSaves a local copy of them

Scan for vulnerabilitiesScan for vulnerabilities Get authorization firstGet authorization first

Other ProxiesOther Proxies

Zed Attack Proxy from OWASPZed Attack Proxy from OWASP• Can scan for vulnerabilitiesCan scan for vulnerabilities

Tamper DataTamper Data• Firefox plug-in for easy interception and Firefox plug-in for easy interception and

alteration of requestsalteration of requests Chrome Developer ToolsChrome Developer Tools

• Click 3-bars, "More Tools", "Developer Tools"Click 3-bars, "More Tools", "Developer Tools"• Allows you to examine requests and Allows you to examine requests and

responsesresponses

TimelineTimeline

Shows requests & responses even for Shows requests & responses even for secure sitessecure sites

Using Other Footprinting ToolsUsing Other Footprinting Tools

WhoisWhois• Commonly used toolCommonly used tool• Gathers IP address and domain Gathers IP address and domain

informationinformation• Attackers can also use itAttackers can also use it

Host commandHost command• Can look up one IP address, or the whole Can look up one IP address, or the whole

DNS Zone fileDNS Zone file All the servers in the domainAll the servers in the domain

ARIN Whois ARIN Whois from Linuxfrom Linux

host mit.eduhost mit.edu nc whois.arin.netnc whois.arin.net 18.7.22.6918.7.22.69

This shows This shows registration registration information for the information for the domaindomain

Sam SpadeSam Spade

GUI toolGUI tool Available Available

for UNIX for UNIX and and WindowsWindows

Easy to useEasy to use

Maltego

Using E-mail AddressesUsing E-mail Addresses

E-mail addresses help you retrieve E-mail addresses help you retrieve even more information than the even more information than the previous commandsprevious commands

Find e-mail address formatFind e-mail address format• Guess other employeesGuess other employees’’ e-mail accounts e-mail accounts

Tool to find corporate employee Tool to find corporate employee informationinformation• Groups.google.comGroups.google.com

Using HTTP BasicsUsing HTTP Basics

HTTP operates on port 80HTTP operates on port 80 Use HTTP language to pull Use HTTP language to pull

information from a Web serverinformation from a Web server Basic understanding of HTTP is Basic understanding of HTTP is

beneficial for security testersbeneficial for security testers Return codesReturn codes

• Reveal information about server OSReveal information about server OS

Using HTTP Basics (continued)Using HTTP Basics (continued)

HTTP methodsHTTP methods• GET / HTTP/1.1. is the most basic GET / HTTP/1.1. is the most basic

methodmethod• Can determine information about server Can determine information about server

OS from the serverOS from the server’’s generated output s generated output

Using Telnet as a BrowserUsing Telnet as a Browser

Use WindowsUse Windows• If Telnet is not installed, use Control If Telnet is not installed, use Control

Panel, Programs and Features, Panel, Programs and Features, Add/Remove Windows ComponentsAdd/Remove Windows Components

telnet samsclass.info 80telnet samsclass.info 80 Press Ctrl+]Press Ctrl+] Set localechoSet localecho Press Enter twicePress Enter twice

Using the OPTIONS MethodUsing the OPTIONS Method

Using the GET MethodUsing the GET Method

Other Methods of Gathering Other Methods of Gathering InformationInformation

CookiesCookies Web bugsWeb bugs

Detecting Cookies and Web Detecting Cookies and Web BugsBugs

CookieCookie• Text file generated by a Web serverText file generated by a Web server• Stored on a userStored on a user’’s browsers browser• Information sent back to Web server Information sent back to Web server

when user returnswhen user returns• Used to customize Web pagesUsed to customize Web pages• Some cookies store personal informationSome cookies store personal information

Security issueSecurity issue

Viewing CookiesViewing Cookies

In FirefoxIn Firefox Tools, Options Tools, Options Privacy tabPrivacy tab Show CookiesShow Cookies

Detecting Cookies and Web Detecting Cookies and Web Bugs (continued)Bugs (continued)

Web bugWeb bug• 1-pixel x 1-pixel image file (usually 1-pixel x 1-pixel image file (usually

transparent)transparent)• Referenced in an <IMG> tagReferenced in an <IMG> tag• Usually works with a cookieUsually works with a cookie• Purpose similar to that of spyware and Purpose similar to that of spyware and

adwareadware• Comes from third-party companies Comes from third-party companies

specializing in data collectionspecializing in data collection

GhosteryGhostery

Firefox & Chrome extension to reveal Web bugsFirefox & Chrome extension to reveal Web bugs Count of trackers appears in status barCount of trackers appears in status bar

• Link Ch 4jLink Ch 4j

Using Domain Name Service Using Domain Name Service (DNS) Zone Transfers(DNS) Zone Transfers

DNSDNS• Resolves host names to IP addressesResolves host names to IP addresses• People prefer using URLs to IP addressesPeople prefer using URLs to IP addresses

Zone Transfer toolsZone Transfer tools• DigDig• HostHost

Primary DNS ServerPrimary DNS Server

Determining companyDetermining company’’s primary DNS s primary DNS serverserver• Look for the Start of Authority (SOA) Look for the Start of Authority (SOA)

recordrecord• Shows zones or IP addressesShows zones or IP addresses

Using dig to find the SOAUsing dig to find the SOA

dig soa mit.edudig soa mit.edu Shows three Shows three

servers, with IP servers, with IP addressesaddresses

This is a start at This is a start at mapping the MIT mapping the MIT networknetwork

Using (DNS) Zone TransfersUsing (DNS) Zone Transfers

Zone TransferZone Transfer• Enables you to see all hosts on a Enables you to see all hosts on a

networknetwork• Gives you organizationGives you organization’’s network s network

diagramdiagram MIT has protected their network – zone MIT has protected their network – zone

transfers no longer worktransfers no longer work dig @BITSY.mit.edu mit.edu axfrdig @BITSY.mit.edu mit.edu axfr Command fails nowCommand fails now

Blocking Zone TransfersBlocking Zone Transfers

• See link Ch 4eSee link Ch 4e

Introduction to Social Introduction to Social EngineeringEngineering

Older than computersOlder than computers Targets the human component of a Targets the human component of a

networknetwork GoalsGoals

• Obtain confidential information Obtain confidential information (passwords)(passwords)

• Obtain personal informationObtain personal information

Link Ch 4lLink Ch 4l

Link Ch 4mLink Ch 4m

HB Gary Federal HackedHB Gary Federal Hacked

Link Ch 4nLink Ch 4n

TacticsTactics

• PersuasionPersuasion• IntimidationIntimidation• CoercionCoercion• Extortion/blackmailingExtortion/blackmailing

Introduction to Social Introduction to Social Engineering (continued)Engineering (continued)

The biggest security threat to The biggest security threat to networksnetworks

Most difficult to protect againstMost difficult to protect against Main idea:Main idea:

• ““Why to crack a password when you can Why to crack a password when you can simply ask for it?simply ask for it?””

• Users divulge their passwords to IT Users divulge their passwords to IT personnelpersonnel

Social Engineer Studies Human Social Engineer Studies Human BehaviorBehavior

• Recognize personality traitsRecognize personality traits• Understand how to read body languageUnderstand how to read body language

Introduction to Social Introduction to Social Engineering (continued)Engineering (continued)

TechniquesTechniques• UrgencyUrgency• Quid pro quoQuid pro quo• Status quoStatus quo• KindnessKindness• PositionPosition

Preventing Social EngineeringPreventing Social Engineering

Train user not to reveal any Train user not to reveal any information to outsidersinformation to outsiders

Verify caller identityVerify caller identity• Ask questionsAsk questions• Call back to confirmCall back to confirm

Security drillsSecurity drills

DEF CON Social Engineering DEF CON Social Engineering ContestContest

Link Ch 4kLink Ch 4k

The Art of Shoulder SurfingThe Art of Shoulder Surfing

Shoulder surferShoulder surfer• Reads what users enter on keyboardsReads what users enter on keyboards

Logon namesLogon names PasswordsPasswords PINsPINs

Tools for Shoulder SurfingTools for Shoulder Surfing

Binoculars or telescopes or cameras Binoculars or telescopes or cameras in cell phonesin cell phones

Knowledge of key positions and Knowledge of key positions and typing techniquestyping techniques

Knowledge of popular letter Knowledge of popular letter substitutionssubstitutions• s equals $, a equals @s equals $, a equals @

The Art of Shoulder Surfing The Art of Shoulder Surfing (continued)(continued)

PreventionPrevention• Avoid typing when someone is nearbyAvoid typing when someone is nearby• Avoid typing when someone nearby is Avoid typing when someone nearby is

talking on cell phonetalking on cell phone• Computer monitors should face away Computer monitors should face away

from door or cubicle entrywayfrom door or cubicle entryway• Immediately change password if you Immediately change password if you

suspect someone is observing yoususpect someone is observing you

Dumpster DivingDumpster Diving

Attacker finds information in victimAttacker finds information in victim’’s s trashtrash• Discarded computer manualsDiscarded computer manuals

Notes or passwords written in themNotes or passwords written in them• Telephone directoriesTelephone directories• Calendars with schedulesCalendars with schedules• Financial reportsFinancial reports• Interoffice memosInteroffice memos• Company policyCompany policy• Utility billsUtility bills• Resumes of employeesResumes of employees

The Art of Dumpster Diving The Art of Dumpster Diving (continued)(continued)

PreventionPrevention• Educate your users about dumpster Educate your users about dumpster

divingdiving• Proper trash disposalProper trash disposal• Use Use ““disk shredderdisk shredder”” software to erase software to erase

disks before discarding themdisks before discarding them Software writes random bitsSoftware writes random bits Done at least seven timesDone at least seven times

• Discard computer manuals offsiteDiscard computer manuals offsite• Shred documents before disposalShred documents before disposal

PiggybackingPiggybacking

Trailing closely behind an employee Trailing closely behind an employee cleared to enter restricted areascleared to enter restricted areas

How it works:How it works:• Watch authorized personnel enter an areaWatch authorized personnel enter an area• Quickly join them at security entranceQuickly join them at security entrance• Exploit the desire of other to be polite and Exploit the desire of other to be polite and

helpfulhelpful• Attacker wears a fake badge or security Attacker wears a fake badge or security

cardcard

Piggybacking PreventionPiggybacking Prevention

• Use turnstilesUse turnstiles• Train personnel to notify the presence of Train personnel to notify the presence of

strangersstrangers• Do not hold secured doors for anyoneDo not hold secured doors for anyone

Even for people you knowEven for people you know

• All employees must use secure cardsAll employees must use secure cards

PhishingPhishing

Deceptive emails or text messagesDeceptive emails or text messages Can take money, passwords, or Can take money, passwords, or

install malware on your computerinstall malware on your computer