Network Reconnaissance
What is?
• Military reconnaissance
  • a mission conducted to confirm or deny prior intelligence (if any) about an enemy threat and/or the terrain of a given area
• Network reconnaissance
  • the process of acquiring information about a network
Why?
• Hackers use reconnaissance as the first step in an effective attack
• Seeing what is on the "other side of the hill" is crucial to decide what type of attack to launch
• Generally, the goals of reconnaissance on a target network are to discover:
  • IP addresses of hosts
  • Accessible UDP and TCP ports
  • OS type
Footprinting/Fingerprinting steps
• Information Gathering
  • accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment
• Locate the network
  • What addresses can be targeted and are available for additional scanning and analysis
• Identify active machines
  • Which machines are actively connected to the network and reachable
• Open ports and underlying applications
  • Which ports and applications are accessible
• OS Fingerprinting
  • Identifying the targeted OSs as well as how the systems respond
• Network mapping
  • Create a blueprint of the organization
Information Gathering
• Get data regarding the network environment such as
  • Organization web site, location, contact person, phone number
• Common Tools
  • Registrar query: whois
  • Domain name and resource lookup
  • Search tools
Locate the network range
• What range of IP addresses are available for scanning and further enumeration
• Common Tools: whois
Tool: WHOIS Search
• WhoIs – Query of Internet Registries
  • Ref: http://www.arin.net/community/rirs.html
  • AfriNIC – Africa
  • APNIC – Asia/Pacific
  • ARIN – North America
  • LACNIC – Central and South America
  • RIPE NCC – Europe, Middle East, Central Asia
  • InterNIC – ICANN Public Domain Name Registration Info
• 3rd Party Whois Tools
  • Geektools – http://www.geektools.com/whois.php
  • DomainTools – http://www.domaintools.com/
  • DNSStuff – http://www.dnsstuff.com
Tool: Google
• Google, Yahoo, Live.com, etc.
• Gather information about a targeted organization
• Evaluate web sites for known security issues
• Identify files that are accidentally exposed to the public
Tool: Google search
• Helpful Google Queries
  • Related sites:
    related:www.someaddr.com
  • Search a specific site:
    site:www.someaddr.com search_terms
• Use Google to search group or blog postings
Tool: Google operators
• Google Advanced Operators
  • AND: “+”
  • OR: “|”
  • Synonym: “~”
• Examples
  • site:www.jeffersonwells.com
  • inurl:robots.txt
  • link:www.jeffersonwells.com
  • intitle:“jefferson wells”
  • filetype:xls
Tool: NSLOOKUP
• Queries Domain Name Server information
• IP and Domain Name Mapping
• Zone Transfer – Dumps entire table
• Check mail server
Tool: NSLOOKUP
• Zone Transfer – Dumps entire table (interactive session; the server command takes the address directly, without an equals sign)
  $ nslookup
  > server A.B.C.D
  > ls somedomain.com
Tool: NSLOOKUP
• MX record
  $ nslookup
  > set type=MX
  > somedomain.com
Network Identifier Tools
• Identifying active computers and services
• Common Tools
  • ping, ping6
    • help verify whether a host is active
  • traceroute, traceroute6
    • determine the route to a node
Tool: ping
• ping [hostname|ip_address]
• ping6 [hostname|ip_address]
• ping -R [hostname|ip_address]
Tool: traceroute
• tracert – Windows
• traceroute – Unix
Tool: How Traceroute works
1. Launch a probe packet towards DST with a TTL of 1
2. Every router hop decrements the IP TTL of the packet by 1
3. When the TTL hits 0, the packet is dropped and the router sends an ICMP TTL Exceeded packet to SRC with the original probe packet as payload
4. SRC receives this ICMP message and displays a traceroute “hop”
5. Repeat from step 1 with the TTL incremented by 1 each time, until the DST host receives the probe and returns ICMP Dest Unreachable
Tool: Traceroute Report Hop
• Traceroute packet with TTL of 1 enters the router via the ingress interface
• Router decrements TTL to 0, drops the packet, generates ICMP TTL Exceeded
• ICMP packet dst address is set to the original traceroute probe source (SRC)
• ICMP packet src address is set to the IP of the ingress router interface
• Traceroute shows a result based on the src address of the ICMP packet
• The above traceroute will read: 172.16.2.1 10.3.2.2
• You have NO visibility into the return path or the egress interface used
Tool: Traceroute Latency Calculation
• How is traceroute latency calculated?
  • Timestamp when the probe packet is launched
  • Timestamp when the ICMP response is received
  • Calculate the difference to determine the round-trip time
• Routers along the path do not do any time “processing”
  • They simply reflect the original packet’s data back to the SRC
  • Many implementations encode the original launch timestamp into the probe packet, to increase accuracy and reduce state
• Most importantly: only the ROUND TRIP is measured
  • Traceroute is showing you the hops on the forward path
  • But it is showing you latency based on the forward PLUS reverse path. Any delays on the reverse path will affect your results!
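An added example (not part of the slides) that simulates the TTL/ICMP exchange from the last three slides on a constructed topology: the two router addresses are the slide's sample output, the link delays and the 192.0.2.10 destination are made up. It shows that the reported address is the ingress interface and that the RTT includes the reverse path, which a one-way forward figure does not.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    """One router (or the DST host) on the forward path. Constructed sample data, not a real trace."""
    ingress_ip: str   # interface facing SRC: the address traceroute will print for this hop
    egress_ip: str    # interface toward DST: never visible to traceroute
    fwd_ms: float     # one-way delay of the link leading into this hop
    rev_ms: float     # one-way delay of the reverse link the ICMP reply takes back

def traceroute(routers, dst, max_ttl=30):
    """Simulate probes with TTL 1, 2, ... and return (ttl, reported_ip, rtt_ms) per hop."""
    results = []
    for ttl in range(1, max_ttl + 1):
        remaining, rtt, reported = ttl, 0.0, None
        for r in routers:
            rtt += r.fwd_ms + r.rev_ms     # probe crosses the link; the reply must cross it back
            remaining -= 1                 # router decrements TTL
            if remaining == 0:             # TTL hit 0: dropped, ICMP TTL Exceeded goes to SRC
                reported = r.ingress_ip    # ICMP src = ingress interface, not the egress one
                break
        if reported is None:               # probe survived every router: DST itself answers
            rtt += dst.fwd_ms + dst.rev_ms
            reported = dst.ingress_ip
        results.append((ttl, reported, round(rtt, 1)))
        if reported == dst.ingress_ip:
            break
    return results

def forward_only_ms(routers, dst, ttl):
    """One-way forward delay to hop `ttl`: the number traceroute cannot tell you."""
    links = [r.fwd_ms for r in routers] + [dst.fwd_ms]
    return round(sum(links[:ttl]), 1)

# Constructed topology: the two router addresses match the slide's sample output; the second
# router's reply takes a slow reverse path (20 ms) to show it inflating the reported RTT.
ROUTERS = [Hop("172.16.2.1", "172.16.2.2", fwd_ms=1.0, rev_ms=1.0),
           Hop("10.3.2.2", "10.3.2.3", fwd_ms=2.0, rev_ms=20.0)]
DST = Hop("192.0.2.10", "192.0.2.10", fwd_ms=3.0, rev_ms=3.0)

if __name__ == "__main__":
    for ttl, ip, rtt in traceroute(ROUTERS, DST):
        fwd = forward_only_ms(ROUTERS, DST, ttl)
        print(f"{ttl:2d}  {ip:<12}  {rtt:6.1f} ms  (forward only: {fwd} ms)")
```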
Tool: Interpreting Traceroute DNS
• Interpreting DNS is one of the most important aspects of correctly using traceroute
• Information you can uncover includes:
  • Physical router locations
  • Interface types and capacities
  • Router types and roles
  • Network boundaries and relationships
Tool: Traceroute Reading Tips
• A router’s name may include an Exchange Point
  • MAE, NAP, PAIX
• Router names may use the IATA 3-letter code of the nearest airport or a CLLI code in their node name
• Other abbreviations
  • http://www.sarangworld.com/TRACEROUTE/showdb-2.php3
• Interface name
Tool: Router Type/Role
• Knowing the role of a router can be useful
• But every network is different, and uses different naming conventions
  • May not always follow naming rules
• Generally speaking, you may need to guess from context to get a basic understanding of the roles
  • Core routers – CR, Core, GBR, BB
  • Peering routers – BR, Border, Edge, IGR, Peer
  • Customer routers – AR, Aggr, Cust, CAR, GW
Tool: DNS Interface type
• Most networks will try to put interface info into DNS
  • Though this may not always be up to date
• Many large networks use automatically generated DNS
  • As well as capacity, and maybe even the make/model of router
• Example:
  • xe-11-1-0.edge1.Washington1.Level2.net
  • XE-#/#/# is a Juniper 10GE port. The device has at least 12 slots
  • It’s at least a 40G/slot router since it has a 10GE PIC in slot 1
  • It must be a Juniper MX960, no other device could fit this profile
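An added example (not from the slides) that applies the naming heuristics of the last three slides to a traceroute hostname: it pulls out the interface label, the role from the slide's abbreviation table, the location label and the domain. Only the xe = Juniper 10GE mapping comes from the slide; the other interface prefixes are assumed vendor conventions, and the whole thing is a best-effort guess, as the slides say.

```python
import re

# Role abbreviations taken from the slides (heuristic: every network names things differently).
ROLES = {
    "core":     ("cr", "core", "gbr", "bb"),
    "peering":  ("br", "border", "edge", "igr", "peer"),
    "customer": ("ar", "aggr", "cust", "car", "gw"),
}
# "xe" = Juniper 10GE port, as on the slide; the other prefixes are assumed vendor
# conventions added for illustration and may not hold on a given network.
IFACE_TYPES = {"xe": "10GE (Juniper)", "ge": "1GE (Juniper)", "et": "40/100GE (Juniper)",
               "te": "10GE (Cisco)", "hu": "100GE (Cisco)"}

IFACE_RE = re.compile(r"^([a-z]{2})-(\d+(?:[-/]\d+)*)$")   # e.g. xe-11-1-0 or ge-0/0/0
ROLE_RE = re.compile(r"^([a-z]+?)\d*$")                     # e.g. edge1, cr2, gw

def classify_role(label):
    """Map a label such as 'edge1' or 'cr2' to a role via the abbreviation table."""
    m = ROLE_RE.match(label)
    if m:
        for role, abbrs in ROLES.items():
            if m.group(1) in abbrs:
                return role
    return None

def interpret(hostname):
    """Split a traceroute hostname into interface, role, location and domain (best effort)."""
    labels = hostname.split(".")
    info = {"interface": None, "role": None, "location": None,
            "domain": ".".join(labels[-2:])}
    for label in labels[:-2]:
        low = label.lower()
        m = IFACE_RE.match(low)
        if m and info["interface"] is None:
            nums = [int(n) for n in re.split(r"[-/]", m.group(2))]
            info["interface"] = {
                "type": IFACE_TYPES.get(m.group(1), "unknown"),
                "slot": nums[0],
                "pic": nums[1] if len(nums) > 1 else None,
                "port": nums[2] if len(nums) > 2 else None,
                "min_slots": nums[0] + 1,      # slot numbering starts at 0
            }
        elif classify_role(low) and info["role"] is None:
            info["role"] = classify_role(low)
        elif info["location"] is None:
            info["location"] = label          # what is left is usually the site or city
    return info

if __name__ == "__main__":
    print(interpret("xe-11-1-0.edge1.Washington1.Level2.net"))
```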
Tool: Sample Traceroute
  $ traceroute www.hellers.com
  $ traceroute www.mit.edu
Identifying Active Machines
• Attackers will want to know if machines are alive before they attempt to attack. One of the most basic methods of identifying active machines is to perform a sweep
• Common Tools
  • ping, traceroute
  • Network scanning tools
    • nmap, superscan
Finding Open Ports
• Open services
• Common tools
  • Port scanning tools
    • nmap, superscan
OS Fingerprinting
• Passive fingerprint
  • Sniffing technique
  • Examine packets for certain characteristics such as
    • The IP TTL value
    • The TCP Window Size
    • The IP DF Option
    • The IP Type of Service (TOS) Option
• Active fingerprint
  • Injects packets into the network
  • Examines the subtle differences that exist between different vendor implementations of the TCP/IP stack
• Common tools: nmap
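An added example (not from the slides) of the passive side: it parses the four fields the slide lists out of raw IPv4/TCP header bytes, estimates the sender's initial TTL and hop distance, and matches against a tiny signature table. The packets and the signature table are constructed for this example; real passive fingerprinters such as p0f ship far larger signature databases, and defenders use the same technique for asset inventory from a span port.

```python
import struct

# Illustrative signature table (constructed for this example, not a real database).
# Key: (assumed initial TTL, DF bit set, TCP window size).
SIGNATURES = {
    (64, True, 29200): "Linux-like stack",
    (128, True, 8192): "Windows-like stack",
    (255, False, 4128): "Network device (IOS-like)",
}

def build_syn(ttl, df, tos, window):
    """Constructed IPv4 + TCP SYN header (no options, no payload) used as sample input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Extract the fields passive fingerprinting looks at: TTL, DF, TOS, TCP window."""
    ver_ihl, tos, _tot, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                                  # IP header length in bytes
    (window,) = struct.unpack("!H", pkt[ihl + 14:ihl + 16])    # window = TCP bytes 14-15
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "tos": tos, "window": window}

def initial_ttl(observed):
    """Assume the nearest common starting TTL (64, 128 or 255) at or above the observed value."""
    return next(base for base in (64, 128, 255) if observed <= base)

def fingerprint(pkt):
    """Return the observed fields plus the inferred initial TTL, hop distance and OS guess."""
    f = parse_ipv4_tcp(pkt)
    f["initial_ttl"] = initial_ttl(f["ttl"])
    f["hops_away"] = f["initial_ttl"] - f["ttl"]   # distance estimate, handy for inventory
    f["guess"] = SIGNATURES.get((f["initial_ttl"], f["df"], f["window"]), "unknown")
    return f

if __name__ == "__main__":
    # Constructed sample: a SYN that arrived with TTL 52, DF set, window 29200
    print(fingerprint(build_syn(ttl=52, df=True, tos=0, window=29200)))
```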
Mapping the Network
• Gained enough information to build a network map
• Network mapping provides the hacker with a blueprint of the organization
• May use manual or automated ways to compile this information