1 / 35

Computer Security Workshop

Computer Security Workshop. Module 1 – Footprinting / Packet Sniffing. Footprinting. Definition: the gathering of information about a potential system or network a.k.a. fingerprinting Attacker’s point of view Identify potential target systems

marcy
Download Presentation

Computer Security Workshop

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Security Workshop Module 1 – Footprinting / Packet Sniffing

  2. Footprinting • Definition: the gathering of information about a potential system or network • a.k.a. fingerprinting • Attacker’s point of view • Identify potential target systems • Identify which types of attacks may be useful on target systems • Defender’s point of view • Know available tools • May be able to tell if system is being footprinted, be more prepared for possible attack • Vulnerability analysis: know what information you’re giving away, what weaknesses you have

  3. Information to Gather • System (Local or Remote) • IP Address, Name and Domain • Operating System • Type (Windows, Linux, Solaris, Mac) • Version (98/NT/2000/2003/XP/Vista/7, Redhat, Fedora, SuSe, Ubuntu, OS X) • Usernames (and their passwords) • File structure • Open Ports (what services/programs are running on the system)

  4. Information to Gather (2) • Networks / Enterprises • System information for all hosts • Network topology • Gateways • Firewalls • Overall topology • Network traffic information • Specialized servers • Web, Database, FTP, Email, etc.

  5. Defender Perspective • Identify information you’re giving away • Identify weaknesses in systems/network • Know when systems/network is being probed • Identify source of probe • Develop awareness of threat • Construct audit trail of activity

  6. Tools - Linux • Some basic Linux tools - lower level utilities • Local System • hostname • ifconfig • who, last • Remote Systems • ping • traceroute • nslookup, dig • whois • arp, netstat (also local system) • Other tools • lsof

  7. Tools – Linux (2) • Other utilities • wireshark (packet sniffing) • nmap (port scanning) - more later • Ubuntu Linux • Go to System / Administration / Network Tools – get interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois

  8. Tools - Windows • Windows • Sam Spade (collected network tools) • Wireshark (packet sniffer) • Command line tools • ipconfig • Many others…

  9. hostname • Determine host name of current system • Usage: hostname • E.g. hostname localhost.localdomain // default • E.g. hostname mobile.cs.uwec.edu

  10. ifconfig • Configure network interface • Tells current IP numbers for host system • Usage: ifconfig • E.g. ifconfig // command alone: display status eth0 Link encap: Ethernet HWaddr 00:0C:29:CD:F6:D3 inet addr: 192.168.172.128 . . . lo Link encap: Local Loopback inet addr: 127.0.0.1 . . .

  11. who • Basic tool to show users on current system • Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts) • Usage: who • E.g. who root tty1 Jan 9 12:46 paul tty2 Jan 9 12:52

  12. last • Show last N users on system • Default: since last cycling of file • -N: last N lines • Useful for identifying unusual activity in recent past • Usage: last [-n] • E.g. last -3 wagnerpj pts/1 137.28.253.254 Sat Feb 5 15:40 still logged in flinstf pts/0 137.28.191.74 Sat Feb 5 15:38 still logged in rubbleb pts/0 c48.someu.edu Sat Feb 5 14:38 - 15:25 (00:46)

  13. ping • Potential Uses • Is system online? • Through response • Gather name information • Through DNS • Tentatively Identify operating system • Based on TTL (packet Time To Live) on each packet line • TTL = number of hops allowed to get to system • 64 is Linux default, 128 is Windows default (but can be changed!) • Notes • Uses ICMP packets • Often blocked on many hosts; more useful within network • Usage: ping system • E.g. ping ftp.redhat.com • E.g. ping localhost

  14. traceroute • Potential Uses • Determine physical location of machine • Gather network information (gateway, other internal systems) • Find system that’s dropping your packets – evidence of a firewall • Notes • Can use UDP or ICMP packets • Results often limited by firewalls • Several GUI-based traceroute utilities available • Usage: traceroutesystem • E.g. traceroute cs.umn.edu

  15. traceroute example - blocked [wagnerpj@data ~]$ traceroute cs.umn.edu traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets 1 137.28.109.2 (137.28.109.2) 0.247 ms 0.220 ms 0.208 ms 2 v101.networking.cns.uwec.edu (137.28.9.1) 0.245 ms 0.229 ms 0.220 ms 3 uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1) 1.315 ms 1.194 ms 1.343 ms 4 * * * <ctrl-c> [wagnerpj@data ~]$

  16. traceroute example - success H:\>tracert www.google.com Tracing route to www.google.akadns.net [64.233.167.99] over a maximum of 30 hops: 1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1] 2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1] 3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141] 4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5] 5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113] 6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34] 7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146] 8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113] 9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30] 10    16 ms    16 ms    18 ms  216.239.46.10 11    21 ms    19 ms    17 ms  64.233.175.30 12    18 ms    16 ms    16 ms  64.233.167.99 Trace complete.

  17. Visual Traceroute Example

  18. whois • Potential Uses • Queries nicname/whois servers for Internet registration information • Can gather contacts, names, geographic information, servers, … - useful for social engineering attacks • Notes • Usage: whois domain • e.g. whois netcom.com

  19. whois example - basic Domain Name: UWEC.EDU Registrant: University of Wisconsin - Eau Claire 105 Garfield Avenue Eau Claire, WI 54702-4004 UNITED STATES Contacts: Administrative Contact: Computing and Networking Services 105 Garfield Ave Eau Claire, WI 54701 UNITED STATES (715) 836-5711 networking@uwec.edu Name Servers: TOMATO.UWEC.EDU 137.28.1.17 LETTUCE.UWEC.EDU 137.28.1.18 BACON.UWEC.EDU 137.28.5.194

  20. whois example - wildcards • whois uw%.edu Your search has matched multiple domains. Below are the domains you matched (up to 100). For specific information on one of these domains, please search on that domain. UW.EDU UWA.EDU UWB.EDU UWC.EDU UWEC.EDU UWEST.EDU UWEX.EDU ….

  21. nslookup • Potential Uses • Query internet name servers • Find name for IP address, and vice versa • Notes • Now deprecated – generally use dig • Sometimes useful when dig fails • Usage • nslookup xxxxxxx // name or IP addr. • E.g. nslookup data.cs.uwec.edu • E.g. dig data.cs.uwec.edu

  22. dig • Potential Uses • Domain Name Service (DNS) lookup utility • Associate name with IP address and vice versa • Notes • Many command options • General usage: dig <somehost> • E.g. dig data.cs.uwec.edu • E.g. dig 137.28.109.33

  23. arp • Tracks addresses, interfaces accessed by system • Possible uses • Find systems that your system has recently talked to • Notes • arp // display names • arp –n // display numeric addresses

  24. netstat • Shows connections, routing information, statistics • Possible uses • find systems that your system has recently talked to, find recently used ports • Notes • Many flags • netstat // open sockets, etc. • netstat –s // summary statistics • netstat – r // routing tables • netstat – p // programs • netstat – l // listening sockets

  25. lsof • Lists open files on your system • Useful to see what processes are working with what files, possibly identify tampering • Usage: lsof

  26. Windows Tools • Sam Spade • “swiss army knife” of footprinting • Has most of the Linux tools • Plus other functionality • Usage • Start application • Fill in name or IP address • Choose option desired in menus

  27. Packet Sniffers • Definition: Hardware or software that can display network traffic packet information • Usage • Network traffic analysis • Example packet sniffers • tcpdump (command line, Linux) • wireshark (GUI interface, Linux, Windows – open source) • others…

  28. Limitations – Packet Sniffing • Packet sniffers only catch what they can see • Users attached to hub – can see everything • Users attached to switch – only see own traffic • Wireless – wireless access point is like hub • Need to be able to put your network interface card (NIC) in “promiscuous” mode to be able to process all traffic, not just traffic for/from itself • NIC must support • Need privilege (e.g. root in Linux)

  29. OSI Network Protocol • Layer 7 – Application (incl. app. content) • Layer 6 – Presentation • Layer 5 – Session • Layer 4 – Transport (incl. protocol, port) • Layer 3 – Network (incl. source, dest) • Layer 2 – Data Link • Layer 1 – Physical

  30. wireshark • Created as tool to examine network problems in 1997 • Various contributors added pieces; released 1998 • Name change (2007): ethereal -> wireshark • Works with other packet filter formats • Information • http://www.wireshark.org • Demonstration

  31. Using wireshark • Ubuntu – Applications / Internet / Wireshark (as root) • Enter your administrative account pw: user • Capture/Interfaces/eth0:, Start • Capture window shows accumulated totals for different types of packets • Stop – packets now displayed • Top window – packet summary • Can sort by column – source, destination, protocol are useful • Middle window – packet breakdown • Click on + icons for detail at each packet level • Bottom window – packet content

  32. Wireshark capture analysis • Can save a session to a capture file • Can reopen file later for further analysis • Open capture file • Ubuntu: /home/user/Support/MOBILEcapture.cap • W2K3: C:\Support\MOBILEcapture.cap • Identify and follow different TCP streams • Select TCP packet, Analyze/Follow TCP Stream • MOBILEcapture.cap has http, https, ftp, ssh streams • Any interesting information out there? • HINT: follow stream on an ftp packet

  33. Related Tool • Hunt • TCP sniffer • Watch and reset connections • Hijack sessions • Spoof MAC address • Spoof DNS name

  34. Related Tool • EtherPEG – image capture on network • http://www.etherpeg.com

  35. Summary • Basic tools can generate much information • Remember principle of accumulating information • Attacker will build on smaller pieces to get bigger pieces • Message to defenders: don’t give away any information if you can avoid it

More Related