
Data Gathering




  1. Data Gathering
  • A hacker can’t do anything to you if they don’t know anything about you.
  • The hacker requires:
    • A target
    • Your IP address
    • Your OS type
    • What kernel you are using
    • What services you are running
    • What your internet connection speed is

  2. How they choose a target
  • A hacker can get much information from posts made to news groups and mailing lists.
  • Example (from the firewall-wizards news group):

      [fw-wiz] Problems with IPTables and DMZ port
      Klaus Leithner leithner@cortex.at
      Sat, 5 Jan 2002 11:35:57

      I have a very urgent problem with a linux box running RedHat 7.2 and IPTables v. 1.2.3.
      We need to replace our normal Firewall (a Watchguard FireBox II) with the following configuration:
      Public IP - Address Range : 211.18.46.192 with a NetMask 255.255.255.192
      Private IP - Address Range : 10.43.0.0 with a NetMask 255.255.0.0
      We have a DMZ, which uses the public IP - Address Range.

  3. How they choose a target
      Schemata:
                          (x)
                  (Router : 211.18.46.193)
                           |
                           |
                    -------------     (EXTERNAL INTERFACE : 211.18.46.194)
                    |           |
                    |  Firewall |---------  (DMZ Interface : 211.18.46.195  All of our
                    |           |            Server in the DMZ use IP-Addresses like
                    |           |            211.18.46.X, and a gateway of 211.18.4.193)
                    -------------
                           |          (LAN INTERFACE : 10.43.0.1  we use NAT)
                           |

      We have a breakdown of our standard Firewall, and need to replace it as soon as possible with this linux - box.
      We have tried every trick we know, and after about 24 hours of work, no chance! Can anyone help us!!!
      Thanks in advance
      Klaus Leithner

  4. How they choose a target
  • Other targets include:
    • Entities with high speed internet
      • Universities, governments, large corporations
    • Entities with many disconnected policies and procedures
      • Governmental entities, medium/large corporations
    • Well known entities
      • GM, Microsoft, MSU, NASA, etc.
    • Entities with novice administrators
      • Home computers with cable modems, power left on.
    • Entities that can give financial gain
      • Banks, stock brokers
    • Entities that can provide trade secrets
      • Pharmaceutical companies, research companies

  5. How they get info on you
  • Domain lookup
    • Whois database
      • A list of domains and the contact information associated with each domain.
    • Example of a domain lookup:
      >whois -a gm        (you might need a host: whois.internic.net)
      GM.ST63.AREANA.NE.JP
      GM.HOTELRES.COM
      GM.GEEKFREET.NET
      GM.GARM.NET
      GM.ORG
      GM.NET
      GM.COM
      GM

  6. How they get info on you
  • Domain lookup
    • Example:
      >whois gm.com
      Registrant:
         Domain Name Administrator
         General Motors Corporation
         300 Renaissance Center
         Mail Code 482-C23-B21
         Detroit MI 48265-3000
         US
         domainname.admin@gm.com +1.3136654967 Fax: +1.1111111111

      Domain Name: gm.com

      Administrative Contact:
         Domain Name Administrator
         General Motors Corporation
         300 Renaissance Center
         Mail Code 482-C23-B21
         Detroit MI 48265-3000
         US
         domainname.admin@gm.com +1.3136654967 Fax: +1.1111111111

  7. How they get info on you
  • Domain lookup
    • Example (cont):
      Technical Contact, Zone Contact:
         DNS Technical Contact
         EDS NNAM
         800 Tower Drive MS 4258
         Troy MI 48098
         US
         dnsmaster@eds.com +1.2482655000 Fax: +1.1111111111

      Created on..............: 1992-01-15.
      Expires on..............: 2011-01-16.
      Record last updated on..: 2010-08-13.

      Domain servers in listed order:
         ns3.eds.com
         ns1.eds.com
         ns2.eds.com

  8. How they get info on you
  • DNS queries
    • Get the IP address of a given domain.
    • Example:
      >host gm.com
      gm.com has address 170.224.60.167
  • Network lookup
    • Again using the whois database.
    • Instead of giving a domain you give an IP address.

  9. How they get info on you
  • Network lookup
    • Example:
      >whois 170.224.60.167
      NetRange:   170.224.0.0 - 170.227.255.255
      NetName:    IBM-COMMERCIAL
      NameServer: RTPUSSXDNSB03.RALEIGH.MEBS.IHOST.COM
      NameServer: RTPUSSXDNSB04.RALEIGH.MEBS.IHOST.COM
      NameServer: BLDUSWXDNSB01.BOULDER.MEBS.IHOST.COM
      NameServer: BLDUSWXDNSB02.BOULDER.MEBS.IHOST.COM
      OrgName:    IBM
      Address:    3039 Cornwallis Road
      City:       Research Triangle Park
      StateProv:  NC
      PostalCode: 27709-2195
      Country:    US
      RegDate:    1992-02-08
      Updated:    2006-09-15

  10. How they get info on you
  • Countermeasures
    • A whois record is required to register a domain or an IP address block for your company, so its contact details are public.
    • Do not use actual names for the various contacts. Instead use role names like “tech support”.
    • Do not give a direct phone number; give the main office’s general phone number.
    • This helps prevent social engineering!

  11. What machines are running?
  • Now that the hacker has an IP range, what machines are actually there?
  • Use ping sweeps
    • ICMP ping
      • Send an ICMP echo request to each IP address in a range; if there is a reply then there is a machine at that IP address.
      • Command: ping ipaddress

  12. What machines are running?
  • Use ping sweeps
    • Nmap ping sweep
      • Sends an ICMP echo request as well as a TCP connection request to the http port (80).
      • Command: nmap -sP iprange
  • Countermeasures
    • Configure a firewall to drop incoming ICMP echo requests and prevent ICMP echo replies.
      • But this stops all pings, some of which may be useful.
    • Can’t prevent probing of open ports.

  13. Where is a machine?
  • It is useful to the hacker to know where a machine is located.
  • It is also helpful to know how well “connected” a computer is.
  • Traceroute
    • Lists all the routers between your computer and another.
    • Displays the time for each hop.
    • Displays the IP address and common name of each router.
    • By examining the names of the routers you can generally guess where a router is, its bandwidth, and its equipment.

  14. Where is a machine?
  • Example:
      >traceroute gm.com
       1  router (148.61.162.254)  0.342 ms  0.288 ms  0.275 ms
       2  fw-lab.gvsu.edu (148.61.17.22)  0.906 ms  0.485 ms  0.463 ms
       3  router.gvsu.edu (148.61.6.1)  2.136 ms  1.829 ms  1.480 ms
       4  s0-1-0.nl-port1.mich.net (198.108.23.74)  4.013 ms  3.418 ms  12.013 ms
       5  at-1-1-0x20.nl-chi3.mich.net (198.108.22.169)  21.982 ms  15.438 ms  12.870 ms
       6  acr2-so-6-1-0.Chicago.cw.net (208.172.1.169)  58.108 ms  35.452 ms  36.204 ms
       7  cable-and-wireless-peering.Chicago.cw.net (208.172.1.222)  69.233 ms  70.475 ms  69.281 ms
       8  0.so-5-2-0.XL1.CHI2.ALTER.NET (152.63.68.2)  73.590 ms  70.233 ms  68.240 ms
       9  0.so-2-0-0.TL1.CHI2.ALTER.NET (152.63.67.125)  69.726 ms  73.297 ms  71.348 ms
      10  0.so-1-2-0.TL1.DCA6.ALTER.NET (152.63.1.93)  48.134 ms  48.167 ms  47.825 ms
      11  0.so-4-0-0.CL1.GSO1.ALTER.NET (152.63.39.137)  59.292 ms  58.914 ms  56.003 ms
      12  189.ATM7-0.GW4.GSO1.ALTER.NET (152.63.33.213)  57.321 ms  56.504 ms  58.668 ms
      13  usibm-gw.customer.alter.net (157.130.39.38)  61.277 ms  60.298 ms  60.273 ms

  15. Where is a machine?
  • How traceroute works
    • Sends UDP packets through the internet with the time to live (TTL) set to 1.
    • Waits for the ICMP time exceeded reply.
    • Increases the time to live by one and sends again.
    • Each time it gets an ICMP time exceeded reply it learns the next step in the route.
  • Countermeasures
    • You can’t do anything about how you are connected to the internet, nor about the ICMP time exceeded reply.
    • You can block ICMP packets in and out of your organization.
    • You should NOT name machines in a way that reveals information.
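The TTL loop just described, as an added simulation in Python (not from the slides): a constructed five-router route is probed with increasing TTL, and the same trace is repeated after the target site filters outbound ICMP, which is the countermeasure the slide mentions. All hostnames, addresses and the `Hop`, `traceroute` and `filter_icmp` names are assumptions made up for this example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Hop:
    name: str                # constructed sample hostname
    ip: str                  # constructed sample address
    sends_icmp: bool = True  # False: ICMP errors from this host are filtered

# Constructed route: our own gateway, the ISP backbone, then the target site.
ROUTE: List[Hop] = [
    Hop("router", "148.61.162.254"),
    Hop("core-rtr.chicago.example.net", "198.51.100.7"),
    Hop("customer-gw.example.net", "203.0.113.1"),
    Hop("fw-dmz.target.example", "203.0.113.9"),
    Hop("core-sw.target.example", "203.0.113.17"),
]
DESTINATION = Hop("www.target.example", "203.0.113.80")

def send_probe(route: List[Hop], dest: Hop, ttl: int) -> Tuple[str, Optional[Hop]]:
    """Model the network's answer to one UDP probe sent with the given TTL.
    Each router decrements the TTL; the one that drops it to zero discards the
    probe and, unless it filters ICMP, answers "time exceeded". A probe that
    outlives every router reaches the destination's closed UDP port."""
    if ttl <= len(route):
        router = route[ttl - 1]
        return ("time_exceeded", router) if router.sends_icmp else ("timeout", None)
    return ("port_unreachable", dest) if dest.sends_icmp else ("timeout", None)

def traceroute(route: List[Hop], dest: Hop, max_ttl: int = 30) -> List[Tuple[int, str]]:
    """The loop from the slide: TTL 1, record who replied, TTL + 1, repeat
    until the destination's "port unreachable" arrives or max_ttl is hit."""
    path: List[Tuple[int, str]] = []
    for ttl in range(1, max_ttl + 1):
        kind, hop = send_probe(route, dest, ttl)
        path.append((ttl, f"{hop.name} ({hop.ip})" if hop else "* * *"))
        if kind == "port_unreachable":
            break
    return path

def filter_icmp(route: List[Hop], dest: Hop, domain: str) -> Tuple[List[Hop], Hop]:
    """Countermeasure: the site whose hosts end in `domain` blocks ICMP out, so
    its routers and the destination itself stop answering the probes."""
    hide = lambda h: replace(h, sends_icmp=not h.name.endswith(domain))
    return [hide(h) for h in route], hide(dest)

if __name__ == "__main__":
    for label, (r, d) in [("open", (ROUTE, DESTINATION)),
                          ("ICMP filtered", filter_icmp(ROUTE, DESTINATION, ".target.example"))]:
        print(f"-- {label} --")
        for ttl, who in traceroute(r, d, max_ttl=8):
            print(f"{ttl:2d}  {who}")
```

With filtering on, everything from the target's border firewall onward prints as `* * *` and the trace runs to `max_ttl`, which is exactly the loss of information the countermeasure buys (and the reason the router names in the real trace above are so informative).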

  16. What is running on the machine?
  • When a network service is made available it opens a port in the range 0 – 65535.
  • There are “well known” port numbers opened by established programs.
    • They are in the range from 0 – 1024. Only privileged programs may use a “well known” port number.
      • telnet 23
      • ftp 21
      • smtp 25
      • ssh 22
  • There are also port numbers generally accepted as being used for certain purposes.
    • See /etc/services for the list known to your machine.

  17. What is running on the machine?
  • Port scanning
    • TCP
      • A program sends a SYN request to each port in a range and sees if a SYN/ACK is returned.
      • Or it can send a FIN packet, and see if the computer responds.
      • Or it can send an ACK packet, and an open port will respond with a RST packet, because there is no established connection.
      • Or …
      • TCP scanning is relatively fast because of its connection-oriented nature.
    • UDP
      • A program sends a UDP packet to the port and has to wait to see if an ICMP port unreachable is returned.
      • UDP scanning is slow because it must wait for the ICMP return message, and there is a limit on the rate at which ICMP error messages are returned.

  18. What is running on the machine?
  • Port scanning
    • Tools:
      • Netcat
      • Strobe
      • Nmap
      • Satan
      • Saint
      • eEye Retina Scanner (Windows)
      • Typhoon
      • Mscan
      • Sscan

  19. What is running on the machine?
  • Port scanning
    • Countermeasures
      • Port scan detectors
        • Lestat
        • Pkdump
        • Scan detect
        • Astaro portscan detect
        • Shadow scan
        • Resentment.org
        • Scanlogd
        • Port sentry
      • Most organizations treat port scans as a prelude to an attack and consider them hostile!
      • They are a good idea to run against your own organization, but make sure you have permission first!
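What a port scan detector like the ones listed above actually looks for, written from scratch as an added example (not from the slides and not the code of any of the named tools): it reads iptables-style firewall LOG lines, which are constructed here, and flags a source that touches many distinct ports on a host within a short window. The log format, thresholds and function names are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables LOG lines (no real traffic): the first source probes six
# ports in three seconds, the others are ordinary connections.
SAMPLE_LOG = """\
Jan  5 11:35:57 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan  5 11:35:57 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan  5 11:35:58 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan  5 11:35:58 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan  5 11:35:59 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jan  5 11:36:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=UDP SPT=40006 DPT=53
Jan  5 11:36:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=443 SYN
Jan  5 11:40:15 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=443 SYN
Jan  5 12:10:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.8 DST=198.51.100.10 PROTO=TCP SPT=60000 DPT=22 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
                     r" .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def parse(line):
    """Return (timestamp, src, dst, proto, dport) for a LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults it, which is fine for deltas
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["dst"], m["proto"], int(m["dpt"])

def detect_scans(log, window_s=60, min_ports=5):
    """Return {src: sorted ports} for every source that touched at least `min_ports`
    distinct (proto, dst, port) targets inside any `window_s` second span. A sliding
    window over each source's time-ordered events keeps this linear in the log size."""
    by_src = defaultdict(list)
    for ev in sorted(e for e in map(parse, log.splitlines()) if e):
        ts, src, dst, proto, dpt = ev
        by_src[src].append((ts, (proto, dst, dpt)))
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            targets = {t for _, t in evs[start:end + 1]}
            if len(targets) >= min_ports and len(targets) > len(alerts.get(src, ())):
                alerts[src] = sorted(dpt for _, _, dpt in targets)
    return alerts

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

Keying on distinct (protocol, host, port) rather than on packet count is what keeps a busy legitimate client, which hits the same port many times, from tripping the detector.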

  20. What OS is running on the machine?
  • Network banners
    • Many services announce what the OS is.
    • telnet into any of your machines to see this for yourself.
  • OS detection can be done by sending a series of illegal TCP/IP packets to a machine.
    • Each OS will respond differently to the packets.
    • By comparing the responses to a database the OS can be determined.
  • Tools
    • Queso
    • Nmap

  21. What OS is running on the machine?
  • Countermeasures
    • Stop services from broadcasting the OS or protocol version being used.
    • Install a proxy firewall; that way the OS identified will be that of the firewall and not your machine.
