Cpre 532 - PowerPoint PPT Presentation

About This Presentation
Title:

Cpre 532

Description:

Footprinting builds profile of target. People information. Backdoor information. Network ... Sam Spade whois lookup and zone transfers. Network query ... – PowerPoint PPT presentation

Slides: 12
Provided by: jamestruc
Category:
Tags: cpre | spade


Transcript and Presenter's Notes



1
Cpre 532
  • Lecture 3

2
Outline
  • Footprinting
  • Background on scanning

3
Footprinting
  • Footprinting builds profile of target
  • People information
  • Backdoor information
  • Network
  • Analogous to casing a bank

4
Information
  • Internet
  • Domain name
  • Network addresses
  • Topology of target network
  • Intranet
  • Obtain technology used
  • VPNs
  • Remote access
  • Extranet
  • Access control that the target uses

5
Steps
  • Check web site
  • Possible to download entire web site
  • Can obtain
  • Location
  • Related sites
  • Merger and acquisition
  • Contact information
  • Privacy policies
  • Use policy to infer what security is in place
  • Comments in HTML source

6
Steps cont
  • Newsgroups
  • Look for postings from the target's IT team
  • Tools
  • FerretPro
  • Advanced searching, newsgroups, IRC, etc.
  • AltaVista or other search engines
  • Query link:www.issl.org; this search will find any
    web page that links to issl.org
  • Used to find backdoors
  • Employees usually link back to the company they
    work for, build employee list
  • Public Databases
  • State and local government databases
  • Gather information on partnerships or
    subsidiaries, looking for trust relationship to
    exploit

7
Steps cont
  • DNS (Domain Name Service)
  • Registration information
  • Use whois searches and domain query
  • Finds organizational information
  • Address of register
  • Admin contact
  • DNS server
  • NSlookup will query DNS for IP address of target
  • Domain table transfers (usually blocked)
  • ls -d acme.net >> file
  • Tools for DNS
  • Sam Spade whois lookup and zone transfers
  • Network query
  • Ask what networks belong to the target's name

8
Steps cont
  • Point of contact
  • List of names
  • Social engineering targets
  • Trace route
  • Unix program; on NT it is called tracert
  • Figures out the various machines along the path
    from attacker to target
  • Uses time to live field
  • The device that decreases the time to live field
    to zero sends a packet back to originator telling
    who killed the packet
  • Visual Route is a graphical trace route, shows
    geography
  • Graphical view is helpful for denial of service attack
  • UDP
  • Mostly blocked
  • Port 53 is usually open for UDP, DNS service runs
    on port 53
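
The time-to-live mechanism described on this slide, as an added example that is not part of the original lecture: an offline simulation of how raising the initial TTL one step at a time makes each router on the path report itself. The path, the addresses (documentation ranges) and the silent second hop are constructed for illustration.

```python
# Added example: offline simulation of TTL-based path discovery (trace route).
# PATH, its addresses and the silent hop are constructed sample data.
from dataclasses import dataclass

@dataclass
class Hop:
    addr: str
    sends_time_exceeded: bool = True  # some devices drop expired packets silently

# Constructed path from originator to target; the last entry is the target host.
PATH = [
    Hop("192.0.2.1"),
    Hop("198.51.100.7", sends_time_exceeded=False),
    Hop("198.51.100.9"),
    Hop("203.0.113.10"),
]

def send_probe(path, ttl):
    """Forward one probe with the given initial TTL; return (reply_kind, addr)."""
    for i, hop in enumerate(path):
        if i == len(path) - 1:
            return ("destination", hop.addr)  # probe arrived at the target
        ttl -= 1                              # each router decrements TTL by one
        if ttl == 0:                          # this router "killed" the packet
            if hop.sends_time_exceeded:
                return ("time-exceeded", hop.addr)
            return ("timeout", None)          # nothing comes back to the originator
    return ("timeout", None)                  # empty path: nothing to answer

def trace(path, max_ttl=30):
    """Raise the initial TTL step by step until the target itself answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, addr = send_probe(path, ttl)
        hops.append((ttl, addr or "*"))       # "*" marks a hop that stayed silent
        if kind == "destination":
            break
    return hops

if __name__ == "__main__":
    for ttl, addr in trace(PATH):
        print(f"{ttl:2d}  {addr}")
```

A hop that does not send the time-exceeded report appears only as `*`, so devices configured to stay silent drop out of the path an outside observer can build.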

9
Network Protocol Issues
  • Precursor before we talk about scanning
  • Timing / procedural
  • Who talks first, who says what and when
  • Think of a phone conversation: there is a
    protocol, the person picking up the phone talks
    first
  • Attacks usually involve valid packets that are
    out of order, arrive too fast, or are missing
    packets
  • Example would be a SYN flood attack
  • Header attack
  • Creation of invalid packets, different protocols
    handle bad packets differently
  • Example: Ping of Death, one packet and the
    machine would crash
  • Source and destination address manipulation
  • Switches can be confused by setting src and dest
    to the same address

10
Next Time
  • Scanning phase

11
Questions