Reconnaissance - PowerPoint PPT Presentation

About This Presentation

Title:

Reconnaissance

Description:

Ultimate low-tech recon/attack method. Recon 6. Social ... Internet 'white pages' listing. Domain names, contact info, IP addresses .com, .net, .org, .edu ... – PowerPoint PPT presentation

Number of Views:242

Avg rating:3.0/5.0

Slides: 58

Provided by: marks9

Learn more at: http://www.cs.sjsu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Reconnaissance

1
Reconnaissance
2
Attack Phases

Phase 1 Reconnaissance
Phase 2 Scanning
Phase 3 Gaining access
Application/OS attacks
Network attacks/DoS attacks
Phase 4 Maintaining access
Phase 5 Covering tracks and hiding

3
Recon

Before bank robber robs a bank
Visit the bank
Make friends with an employee (inside info)
Study alarm system, vault, security guards
routine, security cameras plscement, etc.
Plan arrival and get away
Most of this is not high tech
Similar ideas hold for info security

4
Social Engineering

Hypothetical examples
New admin asks secretary for help
Angry manager calls employee/admin asking for
password
Employee in the field calls another employee
for help with remote access
Real-world examples
Employees help white hat guy steal company IP
Person turns over secrets to trusted friend

5
Social Engineering

Social engineering
Defeats strongest crypto, best access control,
protocols, IDS, firewalls, software security,
etc., etc.
Attacker may not even touch keyboard
Ultimate low-tech recon/attack method

6
Social Engineering

Telephone based attacks
Company phone number may give attacker instant
credibility
Attacker might ask for voice mail service
Spoofed caller ID
Appears attacker has company phone number
Online services Telespoof, Camophone
Some VoIP software
Phone companies also sell such services

7
Camophone

Spoofed caller ID
Cost?
5 cents per minute

8
Social Engineering Defenses

Hard to defend against
Rooted in human nature
Many legitimate uses of social engineering
(police, sales people, etc.)
User education helps
Do not give out sensitive info (passwords)
Do not trust caller ID, etc.
May not want totally paranoid employees

9
Physical Security

If Trudy gets physical access
Might find logged in computer, post-it note with
passwords, etc.
Might install back door, keystroke logger, access
point to LAN, etc.
Could steal USB drives, laptop, computers, CDs,
etc.

10
Physical Access

How can attacker gain physical access?
Ask for it
Fake it
Physical break in
Or attacker might be employee
Then Trudy already has access
Limit employees physical access?

11
Defenses

Require badges for entry
What if someone forgets badge?
Biometrics for entry are useful
Iris scan, hand geometry,
Monitor what people take in/out
Laptop, USB drive, CD, Furby?
Miniaturization makes this difficult

12
Defenses

Use locks on file cabinets
Dont leave key in the lock
Automatic screen saver with pwd
Encrypted hard drives
Especially for those who travel
Need a way to recover encrypted files
But there are attacks

13
Dumpster Diving

What might Trudy find in trash?
CDs, DVDs, discarded machines, USB,
Diagrams of network architecture
Defenses
Destroy hard drive before discarding
Destroy media (degaussing is not enough)
Shred paper, etc.

14
Search the Fine Web

Fine is placeholder for another word
As in Read the Fine Documentation
Huge amount of info available on Web
Google it!
For example Google the MD5 hash value
20f1aeb7819d7858684c898d1e98c1bb

15
Google Hacking

Using Google to help in attacks
Not hacking Google
See, for example
Johnny Longs Website
Google hacking 101
Google selected as favorite hacking tool by
some infamous hackers

16
Google

Four important elements of Google
Google bot
Crawls Web looking for info to index
Google index
Billions served
Ranked using (secretive) algorithm
Why so secretive?

17
Google

Google cache
Copy of data that bots found
Includes html, doc, pdf, ppt, etc., etc.
Up to 101k of text each, no images
See also, Wayback Machine
Google API
Program need to Google too
Requires API key (free from Google)
Limited to 1k searches per day

18
Google

For any Google search
Max number of results limited to 1,000
Limits data mining capabilities
So searches must be precise
Use search directives
No space after directive, searches case
insensitive, max of 10 search terms

19
Google Search Directives

sitedomain
Searches particular domain
sitecs.sjsu.edu stamp
linkweb page
All sites linked to a given web page
linkwww.cs.sjsu.edu
intitleterm(s)
Web sites that include term(s) in title
sitecs.sjsu.edu intitleindex of stamp

20
Google Search Directives

relatedsite
Similar sites, based on Googles indexing
relatedwww.cs.sjsu.edu
cachepage
Display Web page from Googles cache
cachewww.cs.sjsu.edu
filetypesuffix
Like ppt, doc, etc.
filetypeppt sitecs.sjsu.edu stamp

21
Google Search Directives

rphonebookname and city or state
Residential phone book
rphonebookMark Stamp Los Gatos
bphonebookname and city or state
Business phone book
phonebookname and city or state
Residential and business phone books

22
Other Search Operations

Literal match ( )
metamorphic engines sitecs.sjsu.edu
Not (-)
Filter out sites that include term
sitecs.sjsu.edu -ty -lin
Plus ()
Include (normally filtered) term
Not the opposite of
sitecs.sjsu.edu stamp the

23
Interesting Searches

From the text
sitemybank.com filetypexls ssn
sitemybank.com ssn -filetypepdf
sitemybank.com filetypeasp
sitemybank.com filetypecgi
sitemybank.com filetypephp
sitemybank.com filetypejsp
sitecs.sjsu.edu filetypexls

24
Google Hacking Database

Google Hacking Database (GHDB)
Interesting searches
intitleindex of finance.xls
welcome to intranet
intitlegateway configuration menu
intitlesamba web administration tool
intexthelp workgroup

25
GHDB

Intitlewelcome to IIS 4.0
we find that even if they've taken the time to
change their main page, some dorks forget to
change the titles of their default-installed web
pages. This is an indicator that their web server
is most likely running the now considered OLD
IIS 4.0 and that at least portions of their main
pages are still exactly the same as they were out
of the box. Conclusion? The rest of the
factory-installed stuff is most likely lingering
around on these servers as well.
Factory-installed default scripts FREE with
operating system. Getting hacked by a script
kiddie that found you on Google PRICELESS. For
all the things money can't buy, there's a
googleDork award.

26
Google

Suppose sensitive data is accessible
Removing it does not remove problem
Google cache, Wayback Machine
What about automated searches?
Google API
SiteDigger and Wikto

27
SiteDigger

User provides Google API key
One search
Uses GHDB
Does 1k Google searches
Your daily limit
Theres always tomorrow

28
Google

Lots of other interesting Google searches
Track current flights
Look up auto VIN
Look up product UPC
Google filters some sensitive data
SSNs, for example
Yahoo and MSN Search do less filtering

29
Newsgroups

Listening in at the virtual water cooler
Employees submit detailed questions
How to configure something
How to code something
How to troubleshoot a problem
Reveals info about products, config, etc.
sensitive information leakage on a grand scale
Attacker could even play active role
Give bad/incorrect advice

30
Newsgroups

To search groups
groups.google.com
Repackaged version of DejaNews

31
Organizations Website

Web site might reveal useful info
Employee contact info
Clues about corporate culture/language
Business partners
Recent mergers and acquisitions
Technology in use
Open jobs

32
Defenses Against Web Recon

Limit what goes on Web pages
No sensitive info
Limit info about products, configuration,
Security by obscurity?
no sense putting an expensive lock on your door
and leaving milk and cookies outside so the lock
picker can have a snack while he breaks in

33
Defenses Against Web Recon

Have a policy on use of newsgroups
Monitor publicly available info
Google/Wayback will remove sensitive data
Use robots.txt so Web pages not indexed
Tags noindex, nofollow, noarchive, nosnippet
Well-behaved crawlers will respect these, but
a sign to bad guys of sensitive data

34
Whois Databases

Internet white pages listing
Domain names, contact info, IP addresses
.com, .net, .org, .edu
ICANN oversees registration process
Hundreds of actual registrars

35
InterNIC

InterNIC (Internet Network Info Center)
First place to look
Info on domain name registration services

36
InterNIC

Whois info available from InterNIC
com,net,org,edu
Other sites for other top level domains

37
Whois

Once registrar is known, attacker can contact it
More detailed Whois info
Network Solutions in this example

38
Whois

Info includes
Names
Telephone numbers
Email addresses
Name (DNS) servers
And so on

39
IP Address Assignment

ARIN (American Registry for Internet Numbers)
Info about who owns IP address or range of
addresses
Similar organizations for Europe, Asia, Latin
America,

40
Defense Against Whois Search

Bad idea to put false info into databases
Important that people can contact you
For example, if attack launched from your site
No real defense against Whois
Anonymous registration services exist
Author is not fond of these
Better to train against social engineering

41
Domain Name System

DNS
A hierarchical distributed database
Like a (hierarchical distributed) telephone
directory
Converts human-friendly names into
computer-friendly IP addresses
Internet is impossible without DNS

42
DNS

13 root DNS servers
A single point of failure for Internet

43
DNS

DNS example
Recursive and iterative searches
Resolved locally, if possible
Lots and lots of caching

44
DNS

DNS cache on Windows machine

45
DNS

Gives IP address of a domain
Lots of other info
DNS record types
Address domain name/IP address (or vice-versa)
Host information info about system
Mail exchange mail system info
Name server DNS servers
Text arbitrary text string

46
Interrogating DNS

Attacker determines DNS servers
From registrars Whois database
Use nslookup (or dig in Linux) to interrogate
name servers
Zone transfer (all info about domain)
See example from text --- IP addresses, mail
server names, OS types, etc.

47
DNS Recon Defenses

Remove info on OS types, etc.
Restrict zone transfers
To primary and secondary name servers
Employ split DNS
Allow outside DNS activity related to Web, mail,
FTP, , servers
No outside DNS directly from internal network

48
Split DNS

Internal DNS server acts as proxy
Relays requests to external DNS
Internal users can resolve internal and external

49
General-Purpose Recon Tools

Sam Spade
Detective character in Dashiell Hammetts novel,
The Maltese Falcon
Humphrey Bogart
Also a general Web-based recon tool
Research and attack portals
For more specific info

50
Sam Spade

All the bells and whistles
Some of Sam Spades capabilities
ping, whois lookups, IP block whois, nslookup,
DNS zone transfer, traceroute, finger
SMTP VRFY --- is given email address valid?
Web browser --- view raw HTTP interaction
Web crawler --- grab entire web site

51
Sam Spade