Information Gathering. Before an attack What information do we need? WHOIS details OS & web server...
Information Gathering
Information Gathering: Before an attack
What information do we need?
- WHOIS details
- OS & web server details (NetCraft, whois.webhosting.info)
- DNS information: zone transfers, reverse DNS lookups
- Open ports?
Information Gathering: Legal issues
Is gathering information on a target legal? Yes, BUT port scans are considered to be attacks, so check local laws for further information. Other information gathering techniques are, for the most part, legal, but please check before you proceed.
Information Gathering: WHOIS
www.dk-hostmaster.dk, www.whois.net
What information to look for:
- Owner
- Administrative contact
- Technical contact
Information Gathering: OS & web server details
www.netcraft.com
http://uptime.netcraft.com/up/graph?site=www.whitehouse.gov
Information Gathering: DNS information
www.whois.net
What information to look for: find the DNS server details.
Now what?
```text
C:\>nslookup
> server <DNS SERVER FROM ABOVE>
> set type=any          // return all record types
> ls -d <THE DOMAIN>    // list the zone (this requests a zone transfer)
```
Information Gathering: DNS information (cont.)
Reverse DNS lookup: ping -a <IP> (we can also use nmap, as described in the next section)
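The `ls -d` walk above is a zone transfer request (AXFR), and on the authoritative server it lands in the query log, which makes it straightforward to alert on. This is an added example, not part of the original slides: the log lines are constructed in BIND 9 query-log style (adjust `LOG_RE` for another server) and the allowed-secondary address is hypothetical.

```python
"""Flag zone-transfer (AXFR/IXFR) requests from unapproved sources in DNS query logs.

Added example, not from the original slides. Only approved secondaries should
ever pull the zone; anyone else asking for AXFR is collecting the full host list,
internal names included.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical secondary name server that is allowed to transfer the zone.
ALLOWED_SECONDARIES = {"198.51.100.5"}

# Constructed BIND-9-style query log lines (sample data, not real traffic).
SAMPLE_LOG = """\
25-Mar-2024 10:01:02.123 client 198.51.100.5#39012 (example.test): query: example.test IN AXFR -E(0)
25-Mar-2024 10:03:17.456 client 203.0.113.77#53412 (example.test): query: example.test IN AXFR -E(0)
25-Mar-2024 10:03:18.001 client 203.0.113.77#53413 (example.test): query: example.test IN ANY -E(0)
25-Mar-2024 10:04:00.900 client 203.0.113.77#53414 (www.example.test): query: www.example.test IN A -E(0)
25-Mar-2024 10:05:44.222 client 192.0.2.9#40001 (example.test): query: example.test IN IXFR -E(0)
"""

LOG_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(log_text):
    """Yield (src_ip, qname, qtype) for every line the regex understands."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["name"].rstrip("."), m["qtype"].upper()

def find_transfer_attempts(log_text, allowed=ALLOWED_SECONDARIES):
    """Return {src_ip: sorted zones} for AXFR/IXFR requests not from an approved secondary."""
    hits = defaultdict(set)
    for src, name, qtype in parse_queries(log_text):
        if qtype in ("AXFR", "IXFR") and src not in allowed:
            ipaddress.ip_address(src)  # raises ValueError on a malformed address
            hits[src].add(name)
    return {src: sorted(zones) for src, zones in hits.items()}

if __name__ == "__main__":
    for src, zones in find_transfer_attempts(SAMPLE_LOG).items():
        print(f"ALERT: zone transfer attempt from {src} for {', '.join(zones)}")
```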
Information Gathering: Open ports?
We have to install a few things:
- WinPcap 3.1: http://www.winpcap.org/install/default.htm (installer for Windows 95/98/ME/NT4/2000/XP/2003/Vista)
- Nmap: http://www.insecure.org/nmap/nmap_download.html (latest stable Nmap command-line zipfile: nmap-3.93-win32.zip)
Information Gathering: Open ports? (cont.)
Performing a quick and simple port scan:
- SYN scan: nmap -sS -P0 -p- <IP> (C: SYN; S: SYN/ACK; C: RST)
- CONNECT scan: nmap -sT -P0 -p- <IP> (full three-way handshake: C: SYN; S: SYN/ACK; C: ACK; then data C->S and S->C)
- Fixed source port (53): nmap -sS -P0 -p- -g53 <IP>
- Ping sweep: nmap -sP <IP RANGE>
- Reverse DNS: nmap -sP -R <[ IP | IP RANGE ]>
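The flag sequences given above for the SYN and CONNECT scans are exactly what lets a defender tell them apart in a packet capture: the half-open probe never completes the handshake, so it is invisible to the application and only the network layer sees it. Added example, not from the original slides; the packets are constructed tuples and the addresses are sample values.

```python
"""Tell a half-open (SYN) scan from a full connect scan by the captured TCP flags.

Added example, not from the original slides. Packets are constructed tuples
(direction, src, dst, dport, flags): "C" = client->server, "S" = server->client,
flag strings as in tcpdump (S, SA, A, R, RA).
"""
from collections import defaultdict

# Constructed capture: 203.0.113.7 probes three ports; 192.0.2.4 connects normally.
SAMPLE_PACKETS = [
    ("C", "203.0.113.7", "198.51.100.20", 22, "S"),
    ("S", "198.51.100.20", "203.0.113.7", 22, "SA"),
    ("C", "203.0.113.7", "198.51.100.20", 22, "R"),    # -sS: tear down, never ACK
    ("C", "203.0.113.7", "198.51.100.20", 80, "S"),
    ("S", "198.51.100.20", "203.0.113.7", 80, "SA"),
    ("C", "203.0.113.7", "198.51.100.20", 80, "A"),    # -sT: handshake completes
    ("C", "203.0.113.7", "198.51.100.20", 443, "S"),
    ("S", "198.51.100.20", "203.0.113.7", 443, "RA"),  # closed port
    ("C", "192.0.2.4", "198.51.100.20", 80, "S"),
    ("S", "198.51.100.20", "192.0.2.4", 80, "SA"),
    ("C", "192.0.2.4", "198.51.100.20", 80, "A"),
]

def group_flows(packets):
    """Group packets into (client, server, dport) flows, keeping flag order."""
    flows = defaultdict(list)
    for direction, src, dst, dport, flags in packets:
        key = (src, dst, dport) if direction == "C" else (dst, src, dport)
        flows[key].append((direction, flags))
    return flows

def classify_flow(seq):
    """Return 'half-open', 'connect', 'closed-port' or 'other' for one flow."""
    client = [f for d, f in seq if d == "C"]
    server = [f for d, f in seq if d == "S"]
    if "S" not in client:
        return "other"
    if any("R" in f for f in server):
        return "closed-port"   # server refused the SYN outright
    if "SA" in server and "A" in client:
        return "connect"       # three-way handshake finished: the app saw it
    if "SA" in server and any("R" in f for f in client):
        return "half-open"     # SYN scan signature: only the network saw it
    return "other"

def scanning_sources(packets, min_ports=2):
    """Clients touching at least min_ports distinct ports, with counts per flow type."""
    per_client = defaultdict(lambda: defaultdict(set))
    for (client, _server, dport), seq in group_flows(packets).items():
        per_client[client][classify_flow(seq)].add(dport)
    return {c: {k: len(v) for k, v in kinds.items()} for c, kinds in per_client.items()
            if sum(len(v) for v in kinds.values()) >= min_ports}
```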
Information Gathering: Try it on a site you use
Let's try one together:
- Gather WHOIS details
- OS & web server details (NetCraft)
- DNS information: zone transfers, reverse DNS lookups (www.dnsstuff.com)
Web applications
Web applications: What are web applications?
Examples: www.securityfocus.com, www.ezenta.com, www.reversing.be, www.whitehouse.gov, msdn.microsoft.com
Any application that uses the HTTP protocol to communicate with its clients.
Web applications: What are web applications? (cont.)
REQUEST:
```text
GET /html/default.asp HTTP/1.1
Host: www.ezenta.com
Connection: close
Accept-Encoding: gzip
```
RESPONSE:
```text
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Content-Encoding: gzip
```
Web applications: What are web applications? (cont.)
Let's have a look at the raw data on the wire…
Web platforms
Web platforms: What technologies exist?
- Java (e.g. Servlets, JSP)
- ASP
- .NET (C#, J#, ASP, C++)
- PHP
- Lotus Notes
- Cold Fusion
- Native code (e.g. ISAPI)
- CGI (e.g. Perl, C)
- BEA WebLogic
- IBM WebSphere
- Zope (Python)
Web platforms: What is the difference?
- Programming language
- Performance
- Features
- Integration
- Stability
- Administration
- Ease of use
- Security
- What else?
Web platforms: ASP
Has a tendency to be vulnerable: no/limited built-in facilities.
Web platforms: PHP
Global variables can be problematic.
Web platforms: Lotus Notes
ACLs on NSF files are often poorly configured.
Web platforms: CGI
Native code = native code issues (b0f, i.e. buffer overflows).
Web platforms: Java and .NET security
Compiled code (class files, assemblies) can be decompiled back into readable source, so any secrets it contains are exposed:
- Connection string information
- User credentials
- Internal addresses
What tools exist to help us?
- Java: DJ Decompiler (http://members.fortunecity.com/neshkov/dj.html)
- .NET: Salamander (http://www.remotesoft.com/salamander/)
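Because the decompiler only makes visible what is already sitting in the binary, the same secrets can be found before shipping by scanning the artifact's bytes for the string encodings the two platforms use. Added example, not from the original slides or the tools it names; the byte blob is constructed to stand in for a compiled artifact, and the patterns are illustrative, not exhaustive.

```python
"""Find secrets that a decompiler would hand over, straight from the bytes.

Added example, not from the original slides. Java .class files keep string
constants as (modified) UTF-8 in the constant pool and .NET assemblies keep
user strings as UTF-16LE in the #US heap, so both encodings are extracted.
The blob below is constructed; no real binary is read.
"""
import re

# Constructed stand-in for a compiled artifact: an ASCII (Java-style)
# connection string and UTF-16LE (.NET-style) strings between opaque bytes.
SAMPLE_BLOB = (
    b"\xca\xfe\xba\xbe\x00\x00\x00\x34"
    b"jdbc:mysql://10.0.5.12:3306/orders?user=app&password=Wint3r!"
    b"\x01\x00\x0bhello world\x00\x00\x00"
    + "Server=db01.corp.local;User ID=sa;Password=Sup3rS3cret;".encode("utf-16-le")
    + b"\x00\x00\x07\x01" + "10.0.5.12".encode("utf-16-le") + b"\xff\xff"
)

PATTERNS = {
    "connection-string": re.compile(
        r"(?i)(?:jdbc:\S+|(?:Server|Data Source)=[^;]+;.*?(?:Password|Pwd)=[^;]+;?)"),
    "credential": re.compile(r"(?i)(?:password|pwd|user(?: id)?|uid)=[^;&\s]+"),
    "internal-address": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
}

def extract_strings(blob, min_len=6):
    """Printable runs decoded as ASCII and as UTF-16LE, tagged with the encoding."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(("ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(("utf-16le", m.group().decode("utf-16-le")))
    return found

def find_secrets(blob):
    """Sorted (kind, encoding, matched text) triples for every pattern hit."""
    hits = set()
    for enc, text in extract_strings(blob):
        for kind, pattern in PATTERNS.items():
            hits.update((kind, enc, m.group(0)) for m in pattern.finditer(text))
    return sorted(hits)
```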
Web platforms: Native code versus web technologies
What's the difference between them with respect to getting the source?
- Native code = ASM
- VM code = byte code
Reversing native code: the original source code is not available, and program flow is harder to follow (IDA Pro can help).
"Reversing" VM code: the original code is readable. DJ turns *.class and *.jar files into Java code; Salamander turns .NET exe's or dll's into VB or C#.
Web platforms: Reversing demo
Native code, Java, .NET
Web platforms: Protection
- Dongles: HASP
- VM code: obfuscation techniques (Salamander)
- Native code: packers (Exe Shield, Armadillo, ASProtect, Anticrack)
Web platforms: Summary
- You don't have to break the law to gather info, although port scanning is illegal.
- Platforms: some are better than others / more security aware.
?