1 / 84

Footprinting Scanning Enumeration

Footprinting Scanning Enumeration. Isbat Uzzin Nadhori Informatical Engineering PENS-ITS. Intelligence Gathering Techniques. 3 Major Steps Foot Printing Scanning Enumeration Similar to Military Gather information on the target Analyze weaknesses Construct and launch attack.

Download Presentation

Footprinting Scanning Enumeration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Footprinting Scanning Enumeration Isbat Uzzin Nadhori Informatical Engineering PENS-ITS

  2. Intelligence Gathering Techniques • 3 Major Steps Foot Printing Scanning Enumeration • Similar to Military Gather information on the target Analyze weaknesses Construct and launch attack

  3. Googling your way insecurity • Intittle : “welcome to IIS 4.0”  to get list of Windows IIS 4.0 server which have had security vulnerabilities and usually easy pickings for attacker • “VNC Desktop” inurl:5800  allows remote users to connect and remote a user’s desktop • Filetype: pwd service  to get links reveal several usernames and password

  4. Gathering Process Overview • You can’t attack what you don’t know

  5. Hacking Step

  6. Hacking Step …

  7. Gathering Process overview Hosts Ports Services Vulnerabilities

  8. Footprinting

  9. Footprinting Footprinting is the ability to obtain essential information about an organization. Commonly called network reconnaissance. Result Gather information includes: The technologies that are being used such as, Internet, Intranet, Remote Access and the Extranet. To explored the security policies and procedures take an unknown quality and reduce it Take a specific range of domain names, network blocks and individual IP addresses of a system that is directly connected to the Internet This is done by employing various computer security techniques, as: DNS queries  nslookup, dig, Zone Transfer Network enumeration Network queries Operating system identification Organizational queries When used in the computer security lexicon, "footprinting" generally refers to one of the pre-attack phases; tasks performed prior to doing the actual attack. Some of the tools used for footprintingareSam Spade, nslookup, traceroute, Nmap and neotrace. • Ping sweeps • Point of contact queries • Port Scanning • Registrar queries (WHOIS queries) • SNMP queries • World Wide Web spidering

  10. Footprinting Steps Determine the scope of your activities Get proper authorization Publicly available information Whois and DNS enumeration DNS interrogation Network reconnaissance

  11. DNS Query

  12. Network Query Tools * Ping* NSlookup* Whois* IP block search* Dig* Traceroute* Finger* SMTP VRFY* Web browser keep-alive* DNS zone transfer* SMTP relay check* Usenet cancel check* Website download* Website search* Email header analysis* Email blacklist* Query Abuse address

  13. Information to Gather Attacker’s point of view Identify potential target systems Identify which types of attacks may be useful on target systems Defender’s point of view Know available tools May be able to tell if system is being footprinted, be more prepared for possible attack Vulnerability analysis: know what information you’re giving away, what weaknesses you have

  14. OS Identification

  15. Point of Contact

  16. Tools - Linux Some basic Linux tools - lower level utilities Local System hostname ifconfig who, last Remote Systems ping traceroute nslookup, dig whois arp, netstat (also local system) Other tools lsof

  17. Tools – Linux (2) Other utilities wireshark (packet sniffing) nmap (port scanning) - more later Ubuntu Linux Go to System / Administration / Network Tools – get interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois

  18. Tools - Windows Windows Sam Spade (collected network tools) Wireshark (packet sniffer) Command line tools ipconfig Many others…

  19. Traceroute # traceroute ns1.target-company.com traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets 1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms 2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms 3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms 4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms 5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms 6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms 7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms 8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms 17.173 ms 9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms 248.838 ms 10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms 11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms 12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306 ms 17.248 ms • ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms

  20. Traceroute - Network Mapping cw swb Internet Routers

  21. Traceroute - Network Mapping cw swb Internet Routers

  22. Traceroute - Network Mapping VPN cw Firewall swb DMZ Internet Routers

  23. Traceroute - Network Mapping VPN cw Firewall www swb ftp DMZ Internet Routers

  24. Traceroute - Network Mapping VPN cw Firewall www swb ftp DMZ Internet Routers

  25. Traceroute - Network Mapping VPN NT cw Firewall Linux www Sun swb ftp Hosts Inside DMZ Internet Routers

  26. Traceroute - Network Mapping Checkpoint Firewall-1 Nortel VPN xxx.xx.22. 7 VPN NT cw Nortel CVX1800 151.164.x.xxx Firewall Linux IDS? Checkpoint Firewall-1 Solaris 2.7 xxx.xx.49.17 www AIX 4.2.1 xxx.xx.48.1 Sun swb ftp Cisco 7206 204.70.xxx.xxx Linux 2.0.38 xxx.xx.48.2 Hosts Inside DMZ Internet Routers

  27. Domain Name: UWEC.EDU Registrant: University of Wisconsin - Eau Claire 105 Garfield Avenue Eau Claire, WI 54702-4004 UNITED STATES Contacts: Administrative Contact: Computing and Networking Services 105 Garfield Ave Eau Claire, WI 54701 UNITED STATES (715) 836-5711 networking@uwec.edu Name Servers: TOMATO.UWEC.EDU 137.28.1.17 LETTUCE.UWEC.EDU 137.28.1.18 BACON.UWEC.EDU 137.28.5.194 Whois

  28. Scanning[determining if the system is alive]

  29. Introduction • Scanning can be compared to a thief checking all the doors and windows of a house he wants to break into. • Scanning- The art of detecting which systems are alive and reachable via the internet and what services they offer, using techniques such as ping sweeps, port scans and operating system identification, is called scanning. The kind of information collected here has to do with the following: 1) TCP/UDP services running on each system identified. 2) System architecture (Sparc, Alpha, x86) 3) Specific IP address of systems reachable via the internet. 4) Operating System type.

  30. Ping Sweeps ping sweep is a method that can establish a range of IP addresses which map to live hosts. • ICMP Sweeps (ICMP ECHO requests) • Broadcast ICMP • Non Echo ICMP • TCP Sweeps • UDP Sweeps

  31. PING SWEEPS ICMP SWEEPS ICMP ECHO request ICMP ECHO reply Intruder Target alive Querying multiple hosts – Ping sweep is fairly slow Examples UNIX – fping and gping WINDOWS - Pinger

  32. Broadcast ICMP Intruder Network ICMP ECHO reply ICMP ECHO request ICMP ECHO reply ICMP ECHO reply Can Distinguish between UNIX and WINDOWS machine UNIX machine answers to requests directed to the network address. WINDOWS machine will ignore it.

  33. PING SWEEPS NON – ECHO ICMP Example ICMP Type 13 – (Time Stamp) • Originate Time Stamp - The time the sender last touched the message before sending • Receive Time Stamp - The echoer first touched it on receipt. • Transmit Time Stamp - The echoer last touched on sending it.

  34. PING Sweeps TCP Sweeps C(SYN:PortNo & ISN) S (SYN & ISN) + ACK[ C (SYN+!) ] RESET (not active) Client Server S(ISN+1) When will a RESET be sent? When RFC does not appear correct while appearing. RFC = (Destination (IP + port number) & Source( IP & port number))

  35. PING Sweeps Depends on ICMP PORT UNREACHABLE message. UDP data gram ICMP PORT UNREACHABLE Target System • Unreliable because • Routers can drop UDP packets • UDP services may not respond when correctly probed • Firewalls are configured to drop UDP • Relies on fact that non-active UDP port will respond

  36. PORT SCANNING Types: • TCP Connect() Scan • TCP SYN Scan( Half open scanning) • Stealth Scan • Explicit Stealth Mapping Techniques SYN/ACL , FIN, XMAS and NULL • Inverse Mapping Reset Scans, Domain Query Answers • Proxy Scanning / FTP Bounce Scanning • TCP Reverse Ident Scanning

  37. Port Scanning Types • TCP Connect() Scan SYN packet SYN/ACK listening RST/ACK (port not listening) SYN/ACK A connection is terminated after the full length connection establishment process has been completed

  38. Port Scanning Type • TCP SYN Scan (half open scanning) SYN packet SYN/ACK listening RST/ACK (port not listening) We immediately tear down the connection by sending a RESET

  39. Port Scanning Type Stealth Scan A scanning technique family doing the following • Pass through filtering rules. • Not to be logged by the targeted system logging mechanism • Try to hide themselves at the usual site / network traffic. The frequently used stealth mapping techniques are. • SYN/ACK scan • FIN scans • XMAS scans • NULL scans

  40. PORT Scanning Techniques: • Random Port scan • Slow Scan • Fragmentation Scanning • Decoy • Coordinated Scans

  41. PORT Scanning “Random” Port Scan Randomizing the sequence of ports probed may prevent detection. Slow Scan Some hackers are very patient and can use network scanners that spread out the scan over a long period of time. The scan rate can be, for example, as low as 2 packets per day per target site. Fragmentation scanning In case of TCP the 8 octets of data (minimum fragment size) are enough to contain the source and destination port numbers. This will force the TCP flags field into the second fragment. Decoy Some network scanners include options for Decoys or spoofed address in their attacks. Coordinated Scans If multiple IPs probe a target network, each one probes a certain service on a certain machine in a different time period, and therefore it would be nearly impossible to detect these scans.

  42. Operating System Detection • Banner Grabbing • DNS HINFO Record • TCP/IP Stack Fingerprinting

  43. Operating System Detection

  44. Operating System Detection • DNS HINFO Record The host information record is a pair of strings identifying the host’s hardware type and the operating system www IN HINFO “Sparc Ultra 5” “Solaris 2.6” One of the oldest technique

  45. Operating System Detection • TCP/IP Finger Printing The ideas to send specific TCP packets to the target IP and observe the response which will be unique to certain group or individual operations. Types of probes used to determine the OS type The FIN Probe, The Bogus Flag Probe, TCP initial sequence number sampling, Don’t Fragment bit, TCP initial window, ACK value, ICMP error Message Quenching, ICMP message quoting, ICMP error message Echoing Integrity, Type of service, fragmentation handling, TCP options

  46. Firewalking • Gather information about a remote network protected by a firewall • Purpose Mapping open ports on a firewall Mapping a network behind a firewall If the firewall’s policy is to drop ICMP ECHO Request/Reply this technique is very effective.

  47. How does Firewalking work? • It uses a traceroute-like packet filtering to determine whether or not a particular packet can pass through a packet-filtering device. • Traceroute is dependent on IP layer(TTL field), any transport protocol can be used the same way(TCP, UDP, and ICMP).

  48. What Firewalking needs? • The IP address of the last known gateway before the firewall takes place. Serves as WAYPOINT • The IP address of a host located behind the firewall. Used as a destination to direct packet flow

  49. Getting the Waypoint • If we try to traceroute the machine behind a firewall and get blocked by an ACL filter that prohibits the probe, the last gateway which responded(the firewall itself can be determined) • Firewall becomes the waypoint.

  50. Getting the Destination • Traceroute the same machine with a different traceroute-probe using a different transport protocol. • If we get a response That particular traffic is allowed by the firewall We know a host behind the firewall. • If we are continuously blocked, then this kind of traffic is blocked. • Sending packets to every host behind the packet-filtering device can generate an accurate map of a network’s topology.

More Related