Modul 2 Footprinting Scanning Enumeration

Transcript of Modul 2 Footprinting Scanning Enumeration (PowerPoint PPT Presentation)

Page 1

Modul 2 Footprinting Scanning Enumeration

Isbat Uzzin Nadhori

Informatical Engineering PENS-ITS

Politeknik Elektronika Negeri Surabaya

ITS - Surabaya

Page 2

Intelligence Gathering Techniques

3 Major Steps: Foot Printing, Scanning, Enumeration

Similar to Military: Gather information on the target, Analyze weaknesses, Construct and launch attack

Page 3

Gathering Process Overview

You can’t attack what you don’t know

Page 4

Hacking Step

Page 5

Hacking Step …

Page 6

Gathering Process overview

Hosts
Ports
Services
Vulnerabilities

Page 7

Footprinting

Page 8

Footprinting

Footprinting is the ability to obtain essential information about an organization. It is commonly called network reconnaissance.

The gathered information includes:
–The technologies that are being used, such as Internet, Intranet, Remote Access and Extranet
–The security policies and procedures
–Taking an unknown quantity and reducing it to a specific range of domain names, network blocks and individual IP addresses of systems directly connected to the Internet

This is done by employing various computer security techniques, such as:
• DNS queries (nslookup, dig, zone transfer)
• Network enumeration
• Network queries
• Operating system identification
• Organizational queries
• Ping sweeps
• Point of contact queries
• Port scanning
• Registrar queries (WHOIS queries)
• SNMP queries
• World Wide Web spidering

When used in the computer security lexicon, "footprinting" generally refers to one of the pre-attack phases: tasks performed prior to the actual attack. Some of the tools used for footprinting are Sam Spade, nslookup, traceroute, Nmap and neotrace.

Page 9

DNS Query

Page 10

Network Query Tools

* Ping
* NSlookup
* Whois
* IP block search
* Dig
* Traceroute
* Finger
* SMTP VRFY
* Web browser keep-alive
* DNS zone transfer
* SMTP relay check
* Usenet cancel check
* Website download
* Website search
* Email header analysis
* Email blacklist
* Query Abuse address

Page 11

Information to Gather

Attacker’s point of view
–Identify potential target systems
–Identify which types of attacks may be useful on target systems

Defender’s point of view
–Know available tools
–May be able to tell if a system is being footprinted, and be more prepared for a possible attack
–Vulnerability analysis: know what information you’re giving away and what weaknesses you have

Page 12

OS Identification

Page 13

Point of Contact

Page 14

Tools - Linux

Some basic Linux tools - lower level utilities

Local System
–hostname
–ifconfig
–who, last

Remote Systems
–ping
–traceroute
–nslookup, dig
–whois
–arp, netstat (also local system)

Other tools
–lsof

Page 15

Tools – Linux (2)

Other utilities
–wireshark (packet sniffing)
–nmap (port scanning) - more later

Ubuntu Linux
–Go to System / Administration / Network Tools to get an interface to a collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois

Page 16

Tools - Windows

Windows
–Sam Spade (collected network tools)
–Wireshark (packet sniffer)

Command line tools
–ipconfig
–Many others…

Page 17

Traceroute

# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
 1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
 2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
 3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
 4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms
 5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
 6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
 7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
 8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms 17.173 ms
 9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms 248.838 ms
10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306 ms 17.248 ms
13 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms

Page 18 to Page 24

Traceroute - Network Mapping

(Diagram built up across slides 18 to 24: Internet routers cw and swb, the Firewall, the DMZ, a VPN, the www and ftp hosts, and the Sun, Linux and NT hosts inside the DMZ.)

Devices identified on the mapped network:
Linux 2.0.38 xxx.xx.48.2
AIX 4.2.1 xxx.xx.48.1
Checkpoint Firewall-1 Solaris 2.7 xxx.xx.49.17
Checkpoint Firewall-1 Nortel VPN xxx.xx.22.7
Cisco 7206 204.70.xxx.xxx
Nortel CVX1800 151.164.x.xxx
IDS?

Page 25

Whois

Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
[email protected]
Name Servers:
TOMATO.UWEC.EDU 137.28.1.17
LETTUCE.UWEC.EDU 137.28.1.18
BACON.UWEC.EDU 137.28.5.194

Page 26

Scanning

Page 27

Introduction

Scanning can be compared to a thief checking all the doors and windows of a house he wants to break into.

Scanning is the art of detecting which systems are alive and reachable via the Internet and what services they offer, using techniques such as ping sweeps, port scans and operating system identification.

The kind of information collected here has to do with the following:
1) TCP/UDP services running on each system identified.
2) System architecture (Sparc, Alpha, x86).
3) Specific IP addresses of systems reachable via the Internet.
4) Operating system type.

Page 28

Ping Sweeps

A ping sweep is a method that can establish which IP addresses in a range map to live hosts.

ICMP Sweeps (ICMP ECHO requests)
Broadcast ICMP
Non Echo ICMP
TCP Sweeps
UDP Sweeps

Page 29

PING SWEEPS: ICMP SWEEPS

The intruder sends an ICMP ECHO request; an ICMP ECHO reply means the target is alive.

Querying multiple hosts – a ping sweep is fairly slow.

Examples: UNIX – fping and gping; WINDOWS – Pinger

Page 30

Broadcast ICMP

The intruder sends a single ICMP ECHO request to the network (broadcast) address and receives an ICMP ECHO reply from every host that answers.

Can distinguish between UNIX and WINDOWS machines:
–A UNIX machine answers requests directed to the network address.
–A WINDOWS machine will ignore it.

Page 31

PING SWEEPS: NON – ECHO ICMP

Example: ICMP Type 13 (Time Stamp)

Originate Time Stamp - the time the sender last touched the message before sending
Receive Time Stamp - the time the echoer first touched it on receipt
Transmit Time Stamp - the time the echoer last touched it on sending

Page 32

PING Sweeps: TCP Sweeps

Client → Server: SYN (port number, client ISN)
Server → Client: SYN (server ISN) + ACK (client ISN+1), or RESET if the port is not active
Client → Server: ACK (server ISN+1)

When will a RESET be sent? When the RFC does not appear correct on arrival.

RFC = (Destination (IP + port number) & Source (IP + port number))

Page 33

PING Sweeps: UDP Sweeps

Depends on the ICMP PORT UNREACHABLE message: a UDP datagram is sent to the target system, and a closed port answers with ICMP PORT UNREACHABLE.

Unreliable because:
• Routers can drop UDP packets
• UDP services may not respond when correctly probed
• Firewalls are configured to drop UDP
• Relies on the fact that a non-active UDP port will respond

Page 34

PORT SCANNING

Types:
TCP Connect() Scan
TCP SYN Scan (half open scanning)
Stealth Scan
Explicit Stealth Mapping Techniques: SYN/ACK, FIN, XMAS and NULL
Inverse Mapping: Reset Scans, Domain Query Answers
Proxy Scanning / FTP Bounce Scanning
TCP Reverse Ident Scanning

Page 35

Port Scanning Types: TCP Connect() Scan

Client sends a SYN packet
SYN/ACK – port listening
RST/ACK – port not listening
Client answers the SYN/ACK to complete the handshake

The connection is terminated after the full connection establishment process has been completed.

Page 36

Port Scanning Type: TCP SYN Scan (half open scanning)

Client sends a SYN packet
SYN/ACK – port listening
RST/ACK – port not listening

We immediately tear down the connection by sending a RESET.

Page 37

Port Scanning Type: Stealth Scan

A family of scanning techniques that:
–Pass through filtering rules.
–Are not logged by the targeted system’s logging mechanism.
–Try to hide themselves in the usual site / network traffic.

The frequently used stealth mapping techniques are:
SYN/ACK scan
FIN scans
XMAS scans
NULL scans

Page 38

PORT Scanning

Techniques:
Random Port scan
Slow Scan
Fragmentation Scanning
Decoy
Coordinated Scans

Page 39

PORT Scanning

“Random” Port Scan
Randomizing the sequence of ports probed may prevent detection.

Slow Scan
Some hackers are very patient and can use network scanners that spread the scan out over a long period of time. The scan rate can be, for example, as low as 2 packets per day per target site.

Fragmentation scanning
In the case of TCP, the 8 octets of data (minimum fragment size) are enough to contain the source and destination port numbers. This forces the TCP flags field into the second fragment.

Decoy
Some network scanners include options for decoys or spoofed addresses in their attacks.

Coordinated Scans
If multiple IPs probe a target network, each probing a certain service on a certain machine in a different time period, it would be nearly impossible to detect these scans.
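What the stealth-scan and scan-technique slides mean for a defender can be shown in code: the following added example (not from the original slides) flags the NULL, FIN and XMAS flag combinations on sight and counts distinct hosts or ports per source inside a sliding window, so a fast sweep is caught while the slow scan from this slide stays under the threshold. The record format, thresholds and sample traffic are assumptions constructed for the example.

```python
"""Scan detector over constructed packet records (added example, not from the
slides). Records are (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags);
the window and thresholds are illustrative choices.
"""
from collections import defaultdict

# TCP flag bits as carried in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags):
    """Name the stealth probe a flag byte implies, or None for normal flags.
    No legitimate client opens a connection this way, so one packet is enough."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    return None


def detect_scans(records, window=60.0, host_threshold=10, port_threshold=10):
    """Alerts for stealth flags, host sweeps and port scans.
    A sweep alert needs more than host_threshold distinct hosts (or more than
    port_threshold ports on one host) from one source within window seconds;
    a probe-per-hour slow scan never fills the window, hence its stealth."""
    alerts = []
    recent = defaultdict(list)  # src -> [(ts, dst, dport)] inside the window
    for ts, src, dst, dport, flags in sorted(records):
        kind = classify_flags(flags)
        if kind:
            alerts.append(("stealth", src, dst, dport, kind))
        hist = recent[src]
        hist.append((ts, dst, dport))
        while hist and ts - hist[0][0] > window:  # expire old entries
            hist.pop(0)
        hosts = {d for _, d, _ in hist}
        ports = {p for _, d, p in hist if d == dst}
        if len(hosts) > host_threshold:
            alerts.append(("host sweep", src, len(hosts)))
            hist.clear()  # one alert per burst, not one per packet
        elif len(ports) > port_threshold:
            alerts.append(("port scan", src, dst, len(ports)))
            hist.clear()
    return alerts


def constructed_records():
    """Constructed sample traffic (not a real capture)."""
    # fast sweep: 10.0.0.5 probes 12 hosts within 6 seconds
    recs = [(100.0 + i * 0.5, "10.0.0.5", f"192.0.2.{i + 1}", 80, SYN) for i in range(12)]
    # slow scan: 10.0.0.9 probes the same 12 hosts, one per hour
    recs += [(1000.0 + i * 3600, "10.0.0.9", f"192.0.2.{i + 1}", 80, SYN) for i in range(12)]
    # a single XMAS probe from 10.0.0.7
    recs.append((5000.0, "10.0.0.7", "192.0.2.3", 22, FIN | PSH | URG))
    # a normal client: three connections to one server, no alert expected
    recs += [(6000.0 + i, "10.0.0.2", "192.0.2.1", 443, SYN) for i in range(3)]
    return recs


if __name__ == "__main__":
    for alert in detect_scans(constructed_records()):
        print(alert)
```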

Page 40

Operating System Detection

Banner Grabbing
DNS HINFO Record
TCP/IP Stack Fingerprinting

Page 41

Operating System Detection

Page 42

Operating System Detection: DNS HINFO Record

The host information record is a pair of strings identifying the host’s hardware type and operating system:

www IN HINFO “Sparc Ultra 5” “Solaris 2.6”

One of the oldest techniques.
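From the defender’s side the question is which of your own zone records give this away. The following added example (not from the original slides) parses a zone file for HINFO records, handling quoted strings with spaces, `;` comments, an optional TTL, and owner names inherited from the previous line; the zone text is constructed sample data.

```python
"""Find HINFO records in a zone file (added example, not from the slides).
CONSTRUCTED_ZONE is made-up sample data in standard zone-file syntax."""
import shlex

CONSTRUCTED_ZONE = """\
$ORIGIN example.com.
www     IN HINFO "Sparc Ultra 5" "Solaris 2.6"
mail    IN A     192.0.2.10
        IN HINFO "PC" "Linux"                ; owner inherited from the line above
db      IN TXT   "v=spf1 -all"
ns1.example.com. 3600 IN HINFO "Cisco" "IOS" ; TTL present, absolute owner name
"""


def _tokens(line):
    """Split one zone-file line, honouring double quotes and ';' comments."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.commenters = ";"
    return list(lex)


def find_hinfo(zone_text):
    """Return (fqdn, hardware, os) for every HINFO record in the zone."""
    origin, owner, found = "", None, []
    for raw in zone_text.splitlines():
        toks = _tokens(raw)
        if not toks:
            continue
        if toks[0].upper() == "$ORIGIN":
            origin = toks[1]
            continue
        if not raw[0].isspace():  # a line starting in column 1 names a new owner
            owner, toks = toks[0], toks[1:]
        upper = [t.upper() for t in toks]
        if owner is None or "HINFO" not in upper:
            continue
        i = upper.index("HINFO")
        if len(toks) < i + 3:  # HINFO carries exactly two character-strings
            continue
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}"
        found.append((fqdn, toks[i + 1], toks[i + 2]))
    return found


def hinfo_report(zone_text=CONSTRUCTED_ZONE):
    """One line per host whose HINFO record reveals hardware and OS."""
    return [f"{name} reveals hardware={hw!r} os={os_!r}"
            for name, hw, os_ in find_hinfo(zone_text)]


if __name__ == "__main__":
    print("\n".join(hinfo_report()))
```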

Page 43

Operating System Detection: TCP/IP Finger Printing

The idea is to send specific TCP packets to the target IP and observe the response, which will be unique to a certain group of operating systems or to an individual one.

Types of probes used to determine the OS type:
The FIN Probe, The Bogus Flag Probe, TCP initial sequence number sampling, Don’t Fragment bit, TCP initial window, ACK value, ICMP error message quenching, ICMP message quoting, ICMP error message echoing integrity, Type of service, fragmentation handling, TCP options

Page 44

Firewalking

Gather information about a remote network protected by a firewall.

Purpose:
–Mapping open ports on a firewall
–Mapping a network behind a firewall

If the firewall’s policy is to drop ICMP ECHO Request/Reply, this technique is very effective.

Page 45

How does Firewalking work?

It uses a traceroute-like technique to determine whether or not a particular packet can pass through a packet-filtering device.

Traceroute depends only on the IP layer (the TTL field), so any transport protocol can be used the same way (TCP, UDP and ICMP).

Page 46

What does Firewalking need?

The IP address of the last known gateway before the firewall takes effect: serves as the WAYPOINT.

The IP address of a host located behind the firewall: used as a destination to direct packet flow.

Page 47

Getting the Waypoint

If we try to traceroute the machine behind a firewall and get blocked by an ACL filter that prohibits the probe, the last gateway which responded (the firewall itself) can be determined.

The firewall becomes the waypoint.

Page 48

Getting the Destination

Traceroute the same machine with a different traceroute probe using a different transport protocol.

If we get a response, that particular traffic is allowed by the firewall, and we know a host behind the firewall.

If we are continuously blocked, then this kind of traffic is blocked.

Sending packets to every host behind the packet-filtering device can generate an accurate map of a network’s topology.
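The waypoint step above is a parsing problem once the traceroute output is in hand: find the last hop that answered before the probes started being dropped. The following added example (not from the original slides) reads output in the format of the Traceroute slide, including an RTT wrapped onto its own line, and returns that hop; the trace text is constructed with documentation addresses, and the host names are invented.

```python
"""Locate the firewalking waypoint in traceroute output (added example, not
from the slides). CONSTRUCTED_TRACE is made-up output in the slide's format."""
import re

CONSTRUCTED_TRACE = """\
traceroute to host.example.com (203.0.113.50), 30 hops max, 40 byte packets
 1 fw-gw (192.0.2.1) 0.978 ms 0.886 ms 0.875 ms
 2 s1-0-1-access (192.0.2.69) 4.816 ms 5.275 ms 3.969 ms
 3 border-rtr.example.net (198.51.100.1) 12.242 ms 13.821 ms
27.618 ms
 4 * * *
 5 * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)(.*)$")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s+ms")


def parse_traceroute(text):
    """Return one dict per hop: hop, name, ip, rtts (empty rtts = no reply)."""
    hops = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "traceroute":
            continue  # blank line or the 'traceroute to ...' banner
        if len(tokens) >= 2 and tokens[1] == "ms" and hops:
            # a wrapped continuation such as '27.618 ms' belongs to the previous hop
            hops[-1]["rtts"].append(float(tokens[0]))
            continue
        m = HOP_RE.match(line)
        if m:
            hop, name, ip, rest = m.groups()
            hops.append({"hop": int(hop), "name": name, "ip": ip,
                         "rtts": [float(r) for r in RTT_RE.findall(rest)]})
        elif tokens[0].isdigit() and set(tokens[1:]) == {"*"}:
            hops.append({"hop": int(tokens[0]), "name": None, "ip": None, "rtts": []})
        # partially answered hops ('* 1.2 ms *') are left out of this small parser
    return hops


def find_waypoint(hops):
    """Last responding hop before the first silent one; None if every hop answered."""
    previous = None
    for hop in hops:
        if not hop["rtts"]:
            return previous
        previous = hop
    return None


if __name__ == "__main__":
    wp = find_waypoint(parse_traceroute(CONSTRUCTED_TRACE))
    print("waypoint:", wp and (wp["hop"], wp["name"], wp["ip"]))
```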

Page 49

How to identify/avoid threats?

Long-standing rule for Unix system administrators: turn off any services that aren’t in use.

For personal workstations too! Hackers have access to utilities to scan the servers, but so do you!

Hackers look for open ports. So we can scan our servers first, know what the hackers will see, and close any ports that shouldn’t be open.

Page 50

Some tools to help us

Nmap: a utility that scans a particular server and informs us which ports are open.

Ethereal: a utility that captures network traffic and helps us decode what is going on.

We can watch the network traffic and find out if hackers can see anything that will help them break into our systems.
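The "scan our servers first" advice from the previous slide, reduced to its core mechanism as an added example (not from the original slides, and no substitute for Nmap): a TCP connect() scan, the full-handshake method from the port scanning slides, pointed at the loopback interface, with the result compared against an allow-list of expected services. The demo listener and the bound-but-not-listening socket are constructed so the example runs offline; the port numbers are chosen by the OS.

```python
"""Self-audit of listening ports with a TCP connect() scan on loopback
(added example, not from the slides)."""
import socket


def connect_scan(host, ports, timeout=0.5):
    """Full three-way handshake per port, then close: open / closed / filtered."""
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = "open"       # SYN/ACK came back, handshake completed
        except ConnectionRefusedError:
            results[port] = "closed"     # RST/ACK: nothing listening
        except OSError:
            results[port] = "filtered"   # timeout or unreachable: no answer at all
        finally:
            sock.close()                 # tear the connection down again
    return results


def unexpected_open(results, allowed):
    """Open ports that are not in the allow-list of services we expect to run."""
    return sorted(p for p, state in results.items()
                  if state == "open" and p not in allowed)


def loopback_listener():
    """Constructed stand-in for a service: listen on an OS-chosen loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo():
    """Scan a listening and a closed loopback port; returns (open, closed, results)."""
    srv = loopback_listener()
    open_port = srv.getsockname()[1]
    # bound but never listen()ed: the kernel answers a connect with RST (closed)
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))
    closed_port = idle.getsockname()[1]
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
        idle.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    print(results)
    print("unexpected:", unexpected_open(results, allowed={open_port}))
```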

Page 51

Enumeration

Page 52

Introduction to Enumeration

Enumeration extracts information about:
–Resources or shares on the network
–User names or groups assigned on the network
–Last time a user logged on
–Users’ passwords

Before enumeration, you use port scanning and footprinting to determine the OS being used.

Enumeration is an intrusive process.

Page 53

NBTscan

NBT (NetBIOS over TCP/IP)
–is the Windows networking protocol
–used for shared folders and printers

NBTscan
–Tool for enumerating Microsoft OSs

Page 54

Null Session Information

Using these NULL connections allows you to gather the following information from the host:
–List of users and groups
–List of machines
–List of shares
–Users and host SIDs (Security Identifiers)

•From brown.edu (link Ch 6b)

Page 55

Demonstration of Null Sessions

Start Win 2000 Pro
Share a folder
From a Win XP command prompt:
–NET VIEW \\ip-address – fails
–NET USE \\ip-address\IPC$ "" /u:""
•Creates the null session
•Username="" Password=""
–NET VIEW \\ip-address – works now

Page 56

Demonstration of Enumeration

Download Winfo from link Ch 6g

Run it – see all the information!

Page 57

NetBIOS Enumeration Tools

Net view command
–Shows whether there are any shared resources on a network host

Page 58

NetBIOS Enumeration Tools (continued)

Net use command
–Used to connect to a computer with shared folders or files

Page 59

Net use

Page 60

Page 61

Additional Enumeration Tools

NetScanTools Pro
DumpSec
Hyena
NessusWX

Page 62

NetScanTools Pro

Produces a graphical view of NetBIOS running on a network

Enumerates any shares running on the computer

Verifies whether access is available for a shared resource using its Universal Naming Convention (UNC) name

Costs about $250 per machine (link Ch 6i)

Page 63 to Page 64

Page 65

DumpSec

Enumeration tool for Microsoft systems

Produced by Foundstone, Inc.

Allows the user to connect to a server and “dump” the following information:
–Permissions for shares
–Permissions for printers
–Permissions for the Registry
–Users in column or table format
–Policies and rights
–Services

Page 66

DumpSec

Page 67

Hyena

Excellent GUI product for managing and securing Microsoft OSs

Shows shares and user logon names for Windows servers and domain controllers

Displays a graphical representation of:
–Microsoft Terminal Services
–Microsoft Windows Network
–Web Client Network
–Find User/Group

Page 68

Page 69

NessusWX

This is the client part of Nessus

Allows enumeration of different OSs on a large network

Running NessusWX
–Be sure the Nessus server is up and running
–Open the NessusWX client application
–To connect your client with the Nessus server:
•Click Communications, Connect from the menu on the session window
•Enter the server’s name
•Log on to the Nessus server

Page 70 to Page 71

Page 72

NessusWX (continued)

Nessus identifies:
–NetBIOS names in use
–Shared resources
–Vulnerabilities with shared resources
•Also offers solutions to those vulnerabilities
–OS version
–OS vulnerabilities
–Firewall vulnerabilities

Page 73 to Page 76

Page 77

Enumerating the *NIX Operating System

Several variations:
–Solaris
–SunOS
–HP-UX
–Linux
–Ultrix
–AIX
–BSD UNIX
–FreeBSD
–OpenBSD

Page 78

UNIX Enumeration

Finger utility
–Most popular tool for security testers
–Finds out who is logged in to a *NIX system
–Determines the owner of any process

Nessus
–Another important *NIX enumeration tool

Page 79 to Page 80

Page 81

Footprinting And Enumeration using netcraft.com