Reconnaissance - PowerPoint PPT Presentation

About This Presentation
Title:

Reconnaissance

Description:

Ultimate low-tech recon/attack method. Recon 6. Social ... Internet 'white pages' listing. Domain names, contact info, IP addresses .com, .net, .org, .edu ... – PowerPoint PPT presentation

Slides: 58
Provided by: marks9
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes

1
Reconnaissance
2
Attack Phases
  • Phase 1 Reconnaissance
  • Phase 2 Scanning
  • Phase 3 Gaining access
  • Application/OS attacks
  • Network attacks/DoS attacks
  • Phase 4 Maintaining access
  • Phase 5 Covering tracks and hiding

3
Recon
  • Before bank robber robs a bank
  • Visit the bank
  • Make friends with an employee (inside info)
  • Study alarm system, vault, security guards'
    routine, security camera placement, etc.
  • Plan arrival and get away
  • Most of this is not high tech
  • Similar ideas hold for info security

4
Social Engineering
  • Hypothetical examples
  • New admin asks secretary for help
  • Angry manager calls employee/admin asking for
    password
  • Employee in the field calls another employee
    for help with remote access
  • Real-world examples
  • Employees help white hat guy steal company IP
  • Person turns over secrets to trusted friend

5
Social Engineering
  • Social engineering
  • Defeats strongest crypto, best access control,
    protocols, IDS, firewalls, software security,
    etc., etc.
  • Attacker may not even touch keyboard
  • Ultimate low-tech recon/attack method

6
Social Engineering
  • Telephone based attacks
  • Company phone number may give attacker instant
    credibility
  • Attacker might ask for voice mail service
  • Spoofed caller ID
  • Appears attacker has company phone number
  • Online services Telespoof, Camophone
  • Some VoIP software
  • Phone companies also sell such services

7
Camophone
  • Spoofed caller ID
  • Cost?
  • 5 cents per minute

8
Social Engineering Defenses
  • Hard to defend against
  • Rooted in human nature
  • Many legitimate uses of social engineering
    (police, sales people, etc.)
  • User education helps
  • Do not give out sensitive info (passwords)
  • Do not trust caller ID, etc.
  • May not want totally paranoid employees

9
Physical Security
  • If Trudy gets physical access
  • Might find logged in computer, post-it note with
    passwords, etc.
  • Might install back door, keystroke logger, access
    point to LAN, etc.
  • Could steal USB drives, laptop, computers, CDs,
    etc.

10
Physical Access
  • How can attacker gain physical access?
  • Ask for it
  • Fake it
  • Physical break in
  • Or attacker might be employee
  • Then Trudy already has access
  • Limit employees physical access?

11
Defenses
  • Require badges for entry
  • What if someone forgets badge?
  • Biometrics for entry are useful
  • Iris scan, hand geometry,
  • Monitor what people take in/out
  • Laptop, USB drive, CD, Furby?
  • Miniaturization makes this difficult

12
Defenses
  • Use locks on file cabinets
  • Don't leave key in the lock
  • Automatic screen saver with pwd
  • Encrypted hard drives
  • Especially for those who travel
  • Need a way to recover encrypted files
  • But there are attacks

13
Dumpster Diving
  • What might Trudy find in trash?
  • CDs, DVDs, discarded machines, USB,
  • Diagrams of network architecture
  • Defenses
  • Destroy hard drive before discarding
  • Destroy media (degaussing is not enough)
  • Shred paper, etc.

14
Search the Fine Web
  • Fine is placeholder for another word
  • As in Read the Fine Documentation
  • Huge amount of info available on Web
  • Google it!
  • For example Google the MD5 hash value
  • 20f1aeb7819d7858684c898d1e98c1bb

15
Google Hacking
  • Using Google to help in attacks
  • Not hacking Google
  • See, for example
  • Johnny Long's website
  • Google hacking 101
  • Google selected as favorite hacking tool by
    some infamous hackers

16
Google
  • Four important elements of Google
  • Google bot
  • Crawls Web looking for info to index
  • Google index
  • Billions served
  • Ranked using (secretive) algorithm
  • Why so secretive?

17
Google
  • Google cache
  • Copy of data that bots found
  • Includes html, doc, pdf, ppt, etc., etc.
  • Up to 101k of text each, no images
  • See also, Wayback Machine
  • Google API
  • Program need to Google too
  • Requires API key (free from Google)
  • Limited to 1k searches per day

18
Google
  • For any Google search
  • Max number of results limited to 1,000
  • Limits data mining capabilities
  • So searches must be precise
  • Use search directives
  • No space after the directive; searches are case
    insensitive; max of 10 search terms

19
Google Search Directives
  • site:domain
  • Searches particular domain
  • site:cs.sjsu.edu stamp
  • link:web page
  • All sites linked to a given web page
  • link:www.cs.sjsu.edu
  • intitle:term(s)
  • Web sites that include term(s) in title
  • site:cs.sjsu.edu intitle:"index of" stamp

20
Google Search Directives
  • related:site
  • Similar sites, based on Google's indexing
  • related:www.cs.sjsu.edu
  • cache:page
  • Display Web page from Google's cache
  • cache:www.cs.sjsu.edu
  • filetype:suffix
  • Like ppt, doc, etc.
  • filetype:ppt site:cs.sjsu.edu stamp

21
Google Search Directives
  • rphonebook:name and city or state
  • Residential phone book
  • rphonebook:Mark Stamp Los Gatos
  • bphonebook:name and city or state
  • Business phone book
  • phonebook:name and city or state
  • Residential and business phone books

22
Other Search Operations
  • Literal match (" ")
  • "metamorphic engines" site:cs.sjsu.edu
  • Not (-)
  • Filter out sites that include term
  • site:cs.sjsu.edu -ty -lin
  • Plus (+)
  • Include (normally filtered) term
  • Not the opposite of -
  • site:cs.sjsu.edu stamp +the

23
Interesting Searches
  • From the text
  • site:mybank.com filetype:xls ssn
  • site:mybank.com ssn -filetype:pdf
  • site:mybank.com filetype:asp
  • site:mybank.com filetype:cgi
  • site:mybank.com filetype:php
  • site:mybank.com filetype:jsp
  • site:cs.sjsu.edu filetype:xls

24
Google Hacking Database
  • Google Hacking Database (GHDB)
  • Interesting searches
  • intitle:"index of" finance.xls
  • "welcome to intranet"
  • intitle:"gateway configuration menu"
  • intitle:"samba web administration tool"
    intext:"help workgroup"

25
GHDB
  • intitle:"welcome to IIS 4.0"
  • "we find that even if they've taken the time to
    change their main page, some dorks forget to
    change the titles of their default-installed web
    pages. This is an indicator that their web server
    is most likely running the now considered OLD
    IIS 4.0 and that at least portions of their main
    pages are still exactly the same as they were out
    of the box. Conclusion? The rest of the
    factory-installed stuff is most likely lingering
    around on these servers as well.
    Factory-installed default scripts: FREE with
    operating system. Getting hacked by a script
    kiddie that found you on Google: PRICELESS. For
    all the things money can't buy, there's a
    googleDork award."

26
Google
  • Suppose sensitive data is accessible
  • Removing it does not remove problem
  • Google cache, Wayback Machine
  • What about automated searches?
  • Google API
  • SiteDigger and Wikto

27
SiteDigger
  • User provides Google API key
  • One search
  • Uses GHDB
  • Does 1k Google searches
  • Your daily limit
  • There's always tomorrow

28
Google
  • Lots of other interesting Google searches
  • Track current flights
  • Look up auto VIN
  • Look up product UPC
  • Google filters some sensitive data
  • SSNs, for example
  • Yahoo and MSN Search do less filtering

29
Newsgroups
  • Listening in at the virtual water cooler
  • Employees submit detailed questions
  • How to configure something
  • How to code something
  • How to troubleshoot a problem
  • Reveals info about products, config, etc.
  • "sensitive information leakage on a grand scale"
  • Attacker could even play active role
  • Give bad/incorrect advice

30
Newsgroups
  • To search groups
  • groups.google.com
  • Repackaged version of DejaNews

31
Organization's Website
  • Web site might reveal useful info
  • Employee contact info
  • Clues about corporate culture/language
  • Business partners
  • Recent mergers and acquisitions
  • Technology in use
  • Open jobs

32
Defenses Against Web Recon
  • Limit what goes on Web pages
  • No sensitive info
  • Limit info about products, configuration,
  • Security by obscurity?
  • "no sense putting an expensive lock on your door
    and leaving milk and cookies outside so the lock
    picker can have a snack while he breaks in"

33
Defenses Against Web Recon
  • Have a policy on use of newsgroups
  • Monitor publicly available info
  • Google/Wayback will remove sensitive data
  • Use robots.txt so Web pages not indexed
  • Tags noindex, nofollow, noarchive, nosnippet
  • Well-behaved crawlers will respect these, but
  • a sign to bad guys of sensitive data
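The last two bullets are the caveat worth checking on your own site: robots.txt and robots meta tags are public documents, so whatever they hide from well-behaved crawlers they simultaneously announce to a human reader. The following Python script is an added example written for this transcript (it is not code from the slides or from any tool named on them). It parses a constructed robots.txt, reports the Disallow entries that read like signposts to sensitive material, and extracts the directives from a page's robots meta tag so you can confirm noindex/noarchive is actually set. The sample file, the placeholder paths and the keyword list are all assumptions made for the example.

```python
import re

# Constructed robots.txt for a placeholder site; the paths are invented for
# this example and do not belong to any real server.
SAMPLE_ROBOTS = """\
# crawler rules
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /backup/2004-payroll.xls
Disallow: /intranet/
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
"""

# Words and suffixes that make a Disallow line read like a map to sensitive
# material. This list is an assumption for the example; tune it per site.
SENSITIVE = re.compile(
    r"(admin|backup|intranet|staging|private|secret|payroll|passw|config"
    r"|\.xls$|\.sql$|\.bak$)", re.I)

# Assumes the name attribute precedes content, as in the sample page below.
META_ROBOTS = re.compile(
    r"<meta\s+name=[\"']robots[\"']\s+content=[\"']([^\"']*)[\"']", re.I)


def parse_robots(text):
    """Return (user_agent, directive, path) triples for every Allow/Disallow
    line, attributed to the User-agent group it sits under. A run of
    User-agent lines forms one group; a User-agent line that follows rules
    starts a new group."""
    rules, agents, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("disallow", "allow"):
            in_rules = True
            for agent in agents or ["*"]:
                rules.append((agent, field, value))
    return rules


def advertised_paths(rules):
    """Disallow entries that name sensitive-looking locations. The file is
    public, so each of these tells any reader where to look; the control that
    actually works is authentication on the path, with robots.txt kept to
    harmless crawl hints."""
    return sorted({path for _, directive, path in rules
                   if directive == "disallow" and path and SENSITIVE.search(path)})


def robots_meta_directives(html):
    """Directives declared by <meta name="robots" content="..."> tags, e.g.
    noindex, nofollow, noarchive, nosnippet."""
    found = set()
    for match in META_ROBOTS.finditer(html):
        found.update(d.strip().lower() for d in match.group(1).split(","))
    return found


if __name__ == "__main__":
    rules = parse_robots(SAMPLE_ROBOTS)
    print("advertised by robots.txt:", advertised_paths(rules))
    # Constructed page fragment used only to show the meta-tag check.
    page = '<html><head><meta name="robots" content="noindex, noarchive"></head></html>'
    print("meta directives:", robots_meta_directives(page))
```

On the sample, the audit reports /admin/, /backup/2004-payroll.xls, /intranet/ and /staging/, which is exactly the list an outsider would read off the file; the defence is to require authentication on those paths and leave only crawl-load hints in robots.txt.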

34
Whois Databases
  • Internet "white pages" listing
  • Domain names, contact info, IP addresses
  • .com, .net, .org, .edu
  • ICANN oversees registration process
  • Hundreds of actual registrars

35
InterNIC
  • InterNIC (Internet Network Info Center)
  • First place to look
  • Info on domain name registration services

36
InterNIC
  • Whois info available from InterNIC
  • .com, .net, .org, .edu
  • Other sites for other top level domains

37
Whois
  • Once registrar is known, attacker can contact it
  • More detailed Whois info
  • Network Solutions in this example

38
Whois
  • Info includes
  • Names
  • Telephone numbers
  • Email addresses
  • Name (DNS) servers
  • And so on

39
IP Address Assignment
  • ARIN (American Registry for Internet Numbers)
  • Info about who owns IP address or range of
    addresses
  • Similar organizations for Europe, Asia, Latin
    America,

40
Defense Against Whois Search
  • Bad idea to put false info into databases
  • Important that people can contact you
  • For example, if attack launched from your site
  • No real defense against Whois
  • Anonymous registration services exist
  • Author is not fond of these
  • Better to train against social engineering

41
Domain Name System
  • DNS
  • A hierarchical distributed database
  • Like a (hierarchical distributed) telephone
    directory
  • Converts human-friendly names into
    computer-friendly IP addresses
  • Internet is impossible without DNS

42
DNS
  • 13 root DNS servers
  • A single point of failure for Internet

43
DNS
  • DNS example
  • Recursive and iterative searches
  • Resolved locally, if possible
  • Lots and lots of caching

44
DNS
  • DNS cache on Windows machine

45
DNS
  • Gives IP address of a domain
  • Lots of other info
  • DNS record types
  • Address: domain name to IP address (or vice versa)
  • Host information: info about the system
  • Mail exchange: mail system info
  • Name server: DNS servers
  • Text: arbitrary text string

46
Interrogating DNS
  • Attacker determines DNS servers
  • From registrar's Whois database
  • Use nslookup (or dig in Linux) to interrogate
    name servers
  • Zone transfer (all info about domain)
  • See example from text --- IP addresses, mail
    server names, OS types, etc.

47
DNS Recon Defenses
  • Remove info on OS types, etc.
  • Restrict zone transfers
  • To primary and secondary name servers
  • Employ split DNS
  • Allow outside DNS activity related to Web, mail,
    FTP, , servers
  • No outside DNS directly from internal network

48
Split DNS
  • Internal DNS server acts as proxy
  • Relays requests to external DNS
  • Internal users can resolve internal and external

49
General-Purpose Recon Tools
  • Sam Spade
  • Detective character in Dashiell Hammett's novel,
    The Maltese Falcon
  • Humphrey Bogart
  • Also a general Web-based recon tool
  • Research and attack portals
  • For more specific info

50
Sam Spade
  • All the bells and whistles
  • Some of Sam Spade's capabilities
  • ping, whois lookups, IP block whois, nslookup,
    DNS zone transfer, traceroute, finger
  • SMTP VRFY --- is given email address valid?
  • Web browser --- view raw HTTP interaction
  • Web crawler --- grab entire web site

51
Sam Spade
  • The incredibly useful Sam Spade user interface

52
Other General Recon Tools
  • Active Whois Browser
  • Whois and DNS tool, $19.95
  • NetScanTools Pro
  • Costs $249
  • iNetTools
  • Feature-limited, but free

53
Web-based Recon Tools
  • Some run by rather shady operators
  • www.samspade.org
  • www.dnsstuff.com
  • www.traceroute.org
  • www.networktools.com
  • www.cotse.com/refs.htm
  • www.securityspace.com
  • www.dlsreports.com

54
AttackPortal
  • AttackPortal
  • Helps attacker remain anonymous
  • This site is moribund (2005)

55
Conclusion
  • Attacker can gain useful info from variety of
    sources
  • From social engineering to automated tools
  • and everything in between
  • Useful info might include
  • Contact info, IP addresses, domain names
  • Possibly system details, technologies used,
  • Building blocks for actual attacks

56
Summary
  • Sophisticated attacks likely to start with recon
    phase
  • Low-tech recon techniques
  • Social engineering
  • Spoofed caller ID
  • Physical access
  • Dumpster diving

57
Summary
  • Higher-tech techniques
  • Google hacking, SiteDigger, GHDB
  • Whois databases, InterNIC, ARIN
  • DNS, nslookup, dig
  • Sam Spade, client-side recon tools
  • Web-based recon tools