1 / 38

Finding Information






  1. Finding Information

  2. But first some humor
     • BLAMESTORMING: Sitting around in a group, discussing why a server went down, and who was responsible.
     • SEAGULL MANAGER: A manager who flies in, makes a lot of noise, craps on everything, and then leaves.
     • CUBE FARM: An office filled with cubicles.
     • MOUSE POTATO: The on-line, wired generation's answer to the couch potato.
     • STRESS PUPPY: An admin who seems to thrive on being stressed out, whiney, and complains about stupid users all day.
     • SWIPEOUT: An access card that has been rendered useless because the magnetic strip is worn away from extensive use.
     • PERCUSSIVE MAINTENANCE: The fine art of whacking the crap out of an electronic device to get it to work again.
     • 404: A completely clueless end-user.
     • OHNOSECOND: That fraction of time after hitting Enter, in which you realize that you've just permanently erased a big database.
     • INOCULATTE: Taking coffee intravenously when you are pulling an all-nighter getting that database online from the backup tapes.

  3. Go from
     • We are going to go from a URL
     • www.juniata.edu
     • To knowing available ports, addresses, and operating system

  4. Basic information
     • For www.juniata.edu find the following
       • TCP/IP address
       • OS
     • Not fair to:
       • call Joel
       • ask Matt or Ned
       • rely on what you already know
     • Who did it and how?

  5. My machine

     Starting nmap V. 3.00 ( www.insecure.org/nmap )
     Interesting ports on THOMAS-LAP.juniata.edu (172.16.27.133):
     (The 1597 ports scanned but not shown below are in state: closed)
     Port       State       Service
     25/tcp     open        smtp
     135/tcp    open        loc-srv
     139/tcp    open        netbios-ssn
     445/tcp    open        microsoft-ds
     Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
     Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds

  6. Step one
     • Basic information about www.juniata.edu
       • ping
       • whois
       • nslookup

  7. Ping (locally)

  8. Whois

     Registrant:
        NASCAR, Inc. (NASCAR4-DOM)
        1801 W. Int'l Speedway Blvd
        Daytona Beach, FL 32114
        US

     Domain Name: NASCAR.COM

     Administrative Contact:
        Hills, Antony (AHB122) jcantrell@NASCAR.COM
        NASCAR, Inc.
        1801 West International Speedway Blvd.
        Daytona Beach, Fl 32120
        US
        904-253-0611 904-947-6558
     Technical Contact:
        TBS Server Operations (TS309-ORG) hostmaster@TBSNAMES.TURNER.COM
        Turner Broadcasting System, Inc.
        One CNN Center
        Atlanta, GA 30348
        US
        404-827-5000 Fax- 404-827-1593

     Record expires on 29-Dec-2006.
     Record created on 28-Dec-1995.
     Database last updated on 6-Feb-2003 15:32:40 EST.

     Domain servers in listed order:
        TWDNS-01.NS.AOL.COM 149.174.213.151
        TWDNS-02.NS.AOL.COM 152.163.239.216
        TWDNS-03.NS.AOL.COM 205.188.146.88
        TWDNS-04.NS.AOL.COM 64.12.147.120

  9. Us

     Domain Name: JUNIATA.EDU

     Registrant:
        Juniata College
        1700 Moore Street
        Huntingdon, PA 16652
        UNITED STATES

     Contacts:
        Administrative Contact:
           Anne Wood
           Juniata College
           BSC
           Huntingdon, PA 16652
           UNITED STATES
           (814) 641-5310
           wood@juniata.edu
        Technical Contact:
           Anne Wood
           Juniata College
           BSC
           Huntingdon, PA 16652
           UNITED STATES
           (814) 641-5310
           wood@juniata.edu

     Name Servers:
        NS1.JUNIATA.EDU 192.112.102.3
        NS2.JUNIATA.EDU 192.112.102.4

  10. Nslookup (inside)
     • Can ask for all records in the name server:

  11. ARIN search

     OrgName:    Juniata College
     OrgID:      JUNIAT
     Address:    1700 Moore Street
     City:       Huntingdon
     StateProv:  PA
     PostalCode: 16652
     Country:    US

     NetRange:   192.112.102.0 - 192.112.102.255
     CIDR:       192.112.102.0/24
     NetName:    JC
     NetHandle:  NET-192-112-102-0-1
     Parent:     NET-192-0-0-0-0
     NetType:    Direct Assignment
     NameServer: NS1.JUNIATA.EDU
     NameServer: NS2.JUNIATA.EDU
     Comment:
     RegDate:    1991-08-07
     Updated:    2002-03-05

     TechHandle: AM202-ARIN
     TechName:   Wood, Anne
     TechPhone:  +1-814-641-5310
     TechEmail:  sysadmin@juniata.edu

     OrgTechHandle: AM202-ARIN
     OrgTechName:   Wood, Anne
     OrgTechPhone:  +1-814-641-5310
     OrgTechEmail:  sysadmin@juniata.edu

     # ARIN WHOIS database, last updated 2003-02-05 20:00
     # Enter ? for additional hints on searching ARIN's WHOIS database.

  12. Ping sweep: find active addresses

  13. How about Mars?

  14. Nmap of Mars

     Starting nmap V. 3.00 ( www.insecure.org/nmap )
     Interesting ports on mars.juniata.edu (172.16.17.214):
     (The 1585 ports scanned but not shown below are in state: closed)
     Port       State       Service
     21/tcp     open        ftp
     22/tcp     open        ssh
     23/tcp     open        telnet
     25/tcp     open        smtp
     111/tcp    open        sunrpc
     515/tcp    open        printer
     2049/tcp   open        nfs
     4045/tcp   open        lockd
     6000/tcp   open        X11
     6112/tcp   open        dtspc
     7100/tcp   open        font-service
     12345/tcp  open        NetBus
     32771/tcp  open        sometimes-rpc5
     32776/tcp  open        sometimes-rpc15
     32777/tcp  open        sometimes-rpc17
     32778/tcp  open        sometimes-rpc19
     Remote operating system guess: Solaris 8 early access beta through actual release
     Uptime 37.983 days (since Mon Dec 30 14:26:29 2002)
     Nmap run completed -- 1 IP address (1 host up) scanned in 58 seconds

  15. www.juniata.edu
     • Is this right?
     • TCP/IP address 172.16.17.209
       • Outside 192.112.102.5
     • OS
       • Linux Kernel 2.4.0 - 2.5.20
       • Linux 2.4.19-pre4 on Alpha
     • www.netcraft.com
     • Nmap

  16. Output for www.juniata.edu

     Starting nmap V. 3.00 ( www.insecure.org/nmap )
     Interesting ports on www.juniata.edu (172.16.17.209):
     (The 1594 ports scanned but not shown below are in state: closed)
     Port       State       Service
     21/tcp     open        ftp
     22/tcp     open        ssh
     80/tcp     open        http
     111/tcp    open        sunrpc
     139/tcp    open        netbios-ssn
     873/tcp    open        rsync
     12345/tcp  open        NetBus
     Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha
     Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
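As an added example that is not part of the original slides, the nmap output from slide 16 is parsed and compared against an exposure policy for a public web server; the policy (only 22/tcp and 80/tcp expected from outside) is an assumption for illustration, not the college's real policy. Everything that falls outside the policy is exactly what the defender should be asking about.

```python
import re

# Nmap 3.00 output for www.juniata.edu as shown on slide 16 (copied, not re-run).
NMAP_OUTPUT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on www.juniata.edu (172.16.17.209):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
873/tcp    open        rsync
12345/tcp  open        NetBus
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
"""

# Assumed exposure policy for a public web server: only these TCP ports
# should be reachable from outside. (Illustrative, not the college's policy.)
EXPECTED = {22: "ssh", 80: "http"}

# One nmap port line: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

def parse_open_ports(text):
    """Return {port: service} for every TCP port nmap reports as open."""
    return {int(port): service
            for port, proto, state, service in PORT_LINE.findall(text)
            if proto == "tcp" and state == "open"}

def unexpected_ports(found, expected):
    """Open ports the policy does not allow: candidates for the firewall rule
    on slide 30, or for shutting the service down."""
    return {p: s for p, s in found.items() if p not in expected}

def missing_ports(found, expected):
    """Policy ports that are not open: the service may be down or filtered."""
    return {p: s for p, s in expected.items() if p not in found}

if __name__ == "__main__":
    found = parse_open_ports(NMAP_OUTPUT)
    for port, service in sorted(unexpected_ports(found, EXPECTED).items()):
        print(f"unexpected: {port}/tcp ({service})")
    for port, service in sorted(missing_ports(found, EXPECTED).items()):
        print(f"missing: {port}/tcp ({service})")
```

Run against the slide's output it reports 21, 111, 139, 873 and 12345 as unexpected, which is the list a web server administrator would want explained before the firewall rules on slide 30 are written.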

  17. What else
     • Ping sweep looking for other active machines
     • Do tracert to understand the network
       • from outside in, typically have router then firewall just before destination
     • Nmap router and firewall to get OS
     • War dialing for open modems

  18. tracert

  19. tracert from outside to .5

  20. tracert from outside to .3

  21. From outside to .4

  22. From outside to .22

  23. From outside to .9

  24. Vulnerability scanners

  25. Red teaming (page 90)
     • Whois (page 91)
     • Protection (page 92)
       • Names in the record are a risk for social engineering
       • Can use a special name to catch misuse, or initials: A. Wood
       • Although this info can be found other ways, remember the easiest route is what most people use
       • Split DNS servers: one for external use, with the minimum required information for the outside world
       • Inside DNS with the other name resolution not required by the outside world

  26. Nslookup
     • Used to get IP addresses of servers
     • Get range of IPs to explore address spaces
     • Protection
       • Must provide DNS data to be "seen"
       • The less you provide, the better.

  27. ARIN
     • Gets address range and subnet
     • Protection
       • NAT with private addresses behind the firewall (except for external resources) helps minimize damage

  28. Tracert
     • Used to explore and "map" the system
       • routes in (necessary to know for denial of service)
     • Protection
       • only way to stop it is to disable ICMP traffic (which tracert uses)
       • disables a lot of "features/functionality"
       • again, security versus features/functionality

  29. ping
     • Used to find active addresses
       • Run at different times of day
       • used to tell "servers" from "workstations"
       • only works if users turn off workstations
     • Protection
       • again NAT: can't "see" internal addresses
       • ICMP again: used for ping

  30. Port scan and fingerprinting
     • Open ports and operating systems
     • Used to find vulnerabilities
     • Protection
       • firewall only allows traffic on specific ports to specific machines
       • the less info the better: gives a limited view
       • IDS
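As an added example that is not part of the slides, here is the kind of rule an IDS (slide 30, Protection) applies to firewall logs to notice the two reconnaissance patterns described on slides 29 and 30: a ping sweep (one source probing many hosts with ICMP) and a port scan (one source probing many host/port pairs over TCP). The log format, thresholds and window are assumptions for illustration; the log lines are constructed, not real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a made-up "time src dst proto port action" layout
# (not a real firewall's format). The scanner's lines are generated so the
# sample stays short; the two client lines at the end are normal traffic.
def _line(sec, src, dst, proto, port, action):
    return f"2003-02-06T15:30:{sec:02d} {src} {dst} {proto} {port} {action}"

SCAN_PORTS = [21, 22, 23, 25, 80, 111, 139, 443, 873, 2049, 6000, 12345]
SAMPLE_LOG = (
    [_line(i, "10.9.8.7", "192.112.102.5", "tcp", p, "DROP")        # port scan
     for i, p in enumerate(SCAN_PORTS)]
    + [_line(20 + i, "10.9.8.7", f"192.112.102.{h}", "icmp", "-", "DROP")
       for i, h in enumerate(range(1, 9))]                            # ping sweep
    + [_line(40, "10.1.1.50", "192.112.102.5", "tcp", 80, "ACCEPT"),  # normal client
       _line(45, "10.1.1.50", "192.112.102.5", "tcp", 443, "ACCEPT")]
)

WINDOW = timedelta(seconds=30)
PORT_THRESHOLD = 10   # distinct (host, TCP port) pairs in one window -> port scan
HOST_THRESHOLD = 5    # distinct hosts probed with ICMP in one window -> ping sweep

def parse(lines):
    """Group events by source address: src -> [(time, dst, proto, port), ...]."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, proto, port, _action = line.split()
        events[src].append((datetime.fromisoformat(ts), dst, proto, port))
    return events

def detect(lines):
    """Return {src: {labels}} for sources that exceed a threshold inside any
    WINDOW-long stretch of their own events (a simple IDS-style rule)."""
    alerts = defaultdict(set)
    for src, evs in parse(lines).items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            pairs = {(dst, port) for _, dst, proto, port in window if proto == "tcp"}
            hosts = {dst for _, dst, proto, _ in window if proto == "icmp"}
            if len(pairs) >= PORT_THRESHOLD:
                alerts[src].add("port scan")
            if len(hosts) >= HOST_THRESHOLD:
                alerts[src].add("ping sweep")
    return dict(alerts)

if __name__ == "__main__":
    for src, labels in detect(SAMPLE_LOG).items():
        print(src, "->", ", ".join(sorted(labels)))
```

A slow scan spread over more than the window, as slide 29 suggests with "run at different times of day", slips under these thresholds; that trade-off between window length and false alarms is the tuning problem every IDS rule of this kind has.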

  31. Information gathered
     • We now know valid IPs
     • open ports
     • operating systems
     • map of network (IP of router, firewall)
     • Time to discover vulnerabilities and exploit
     • Use a tool, SAINT for example
     • Explore and find vulnerabilities

  32. Some other scans of home machines

     Starting nmap V. 3.00 ( www.insecure.org/nmap )
     Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
     Insufficient responses for TCP sequencing (0), OS detection may be less accurate
     Interesting ports on HOME1 (192.168.2.9):
     (The 1596 ports scanned but not shown below are in state: filtered)
     Port       State       Service
     21/tcp     open        ftp
     139/tcp    open        netbios-ssn
     389/tcp    open        ldap
     1002/tcp   open        unknown
     1720/tcp   open        H.323/Q.931
     Remote OS guesses: AIX v4.2, Linux 1.3.20 (X86), Windows XP Professional RC1+ through final release, Cayman 2E <http://www.cayman.com/>
     Nmap run completed -- 1 IP address (1 host up) scanned in 413 seconds

  33. More open ports

     Starting nmap V. 3.00 ( www.insecure.org/nmap )
     Insufficient responses for TCP sequencing (0), OS detection may be less accurate
     Insufficient responses for TCP sequencing (2), OS detection may be less accurate
     Interesting ports on thomas-tablet.juniata.edu (192.168.2.52):
     (The 1590 ports scanned but not shown below are in state: closed)
     Port       State       Service
     80/tcp     open        http
     135/tcp    open        loc-srv
     139/tcp    open        netbios-ssn
     443/tcp    open        https
     445/tcp    open        microsoft-ds
     1002/tcp   open        unknown
     1025/tcp   open        NFS-or-IIS
     1026/tcp   open        LSA-or-nterm
     1027/tcp   open        IIS
     1720/tcp   open        H.323/Q.931
     5000/tcp   open        UPnP

  34. Of course, today's footprinting must include wireless
     • http://www.wellenreiter.net/index.html

  35. Wellenreiter: more passive than NetStumbler

  36. NetStumbler

  37. Want to boost your antenna?
     • http://mali.geekcorps.org/article.php3?id_article=39
     • Look at HomeToJc in NetStumbler

  38. Fport
