Computer Security Workshop - PowerPoint PPT Presentation
Slides: 36
Provided by: clicsC
1
Computer Security Workshop
  • Module 1
  • Footprinting / Packet Sniffing

2
Footprinting
  • Definition: the gathering of information about a
    potential target system or network
  • Often loosely called fingerprinting, although that
    term more precisely means identifying the OS or
    service version of a host
  • Attacker's point of view
    • Identify potential target systems
    • Identify which types of attacks may be useful on
      the target systems
  • Defender's point of view
    • Know the available tools
    • May be able to tell if a system is being
      footprinted, and be more prepared for a possible
      attack
    • Vulnerability analysis: know what information
      you're giving away, and what weaknesses you have

3
Information to Gather
  • System (local or remote)
    • IP address, name and domain
    • Operating system
      • Type (Windows, Linux, Solaris, Mac)
      • Version (98/NT/2000/2003/XP/Vista/7, Red Hat,
        Fedora, SuSE, Ubuntu, OS X)
    • Usernames (and their passwords)
    • File structure
    • Open ports (which services/programs are running on
      the system)

4
Information to Gather (2)
  • Networks / enterprises
    • System information for all hosts
    • Network topology
      • Gateways
      • Firewalls
      • Overall topology
    • Network traffic information
    • Specialized servers
      • Web, database, FTP, email, etc.

5
Defender Perspective
  • Identify the information you're giving away
  • Identify weaknesses in your systems/network
  • Know when your systems/network are being probed
  • Identify the source of a probe
  • Develop awareness of the threat
  • Construct an audit trail of activity
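The slide says to know when you are being probed and to identify the source, but does not show what that looks like in practice. The following is an added example (not part of the original workshop material) of the simplest useful detector: it parses firewall log lines in the Linux iptables LOG format and flags a source that touches many ports on one host (a port scan) or many hosts (a sweep) inside a short window. The log lines, addresses and thresholds are constructed for the example; in real use you would feed it your own syslog and tune the thresholds to your network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables LOG lines (RFC 5737 test addresses); not taken from the slides.
SAMPLE_LOG = """\
Feb  5 15:38:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=137.28.109.33 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=21 SYN
Feb  5 15:38:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=137.28.109.33 LEN=44 TTL=48 PROTO=TCP SPT=40002 DPT=22 SYN
Feb  5 15:38:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=137.28.109.33 LEN=44 TTL=48 PROTO=TCP SPT=40003 DPT=23 SYN
Feb  5 15:38:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=137.28.109.33 LEN=44 TTL=48 PROTO=TCP SPT=40004 DPT=25 SYN
Feb  5 15:38:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=137.28.109.33 LEN=44 TTL=48 PROTO=TCP SPT=40005 DPT=80 SYN
Feb  5 15:38:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=137.28.109.33 LEN=44 TTL=48 PROTO=TCP SPT=40006 DPT=443 SYN
Feb  5 15:38:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=137.28.109.33 LEN=44 TTL=55 PROTO=TCP SPT=51000 DPT=443 SYN
Feb  5 15:39:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=137.28.109.1 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0
Feb  5 15:39:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=137.28.109.2 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0
Feb  5 15:39:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=137.28.109.3 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0
Feb  5 15:39:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=137.28.109.4 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<kv>.*)$")


def parse_line(line):
    """Turn one iptables LOG line into a dict of its KEY=VALUE fields (bare flags become True)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("kv").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for ordering
    fields["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return fields


def detect_probes(log_text, port_threshold=5, host_threshold=3, window_s=60):
    """Flag a source as a port scanner when it hits >= port_threshold distinct ports on one
    destination within window_s seconds, and as a host sweeper when it hits >= host_threshold
    distinct destinations in that window. Returns one finding per (source, kind)."""
    events = defaultdict(list)                        # src -> [(ts, dst, dpt)]
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and "SRC" in f:
            events[f["SRC"]].append((f["ts"], f.get("DST"), f.get("DPT")))

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(evs):          # slide a window starting at each event
            win = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            ports_per_dst = defaultdict(set)
            for _, dst, dpt in win:
                if dpt is not None:                   # ICMP probes carry no port
                    ports_per_dst[dst].add(dpt)
            widest = max((len(p) for p in ports_per_dst.values()), default=0)
            hosts = {dst for _, dst, _ in win}
            if widest >= port_threshold:
                findings.setdefault((src, "port_scan"), {"src": src, "kind": "port_scan",
                                    "first_seen": t0, "distinct_ports": widest})
            if len(hosts) >= host_threshold:
                findings.setdefault((src, "host_sweep"), {"src": src, "kind": "host_sweep",
                                    "first_seen": t0, "distinct_hosts": len(hosts)})
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_probes(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports 203.0.113.7 as a port scan (six ports on one host in two seconds) and 192.0.2.44 as a host sweep (ICMP echo to four consecutive addresses), while the single connection from 198.51.100.9 is left alone. The output is the beginning of the audit trail the slide asks for: source, kind of probe, first-seen time and how wide it went.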

6
Tools - Linux
  • Some basic Linux tools - lower-level utilities
  • Local system
    • hostname
    • ifconfig (on current distributions: ip addr)
    • who, last
  • Remote systems
    • ping
    • traceroute
    • nslookup, dig
    • whois
    • arp, netstat (also local system)
  • Other tools
    • lsof

7
Tools - Linux (2)
  • Other utilities
    • wireshark (packet sniffing)
    • nmap (port scanning) - more later
  • Ubuntu Linux
    • Go to System / Administration / Network Tools to
      get a GUI front end to a collection of tools: ping,
      netstat, traceroute, port scan, nslookup, finger,
      whois

8
Tools - Windows
  • Windows
    • Sam Spade (collected network tools)
    • Wireshark (packet sniffer)
    • Command line tools
      • ipconfig (the Windows counterpart of ifconfig)
      • Many others (tracert, nslookup, netstat, arp)

9
hostname
  • Determine the host name of the current system
  • Usage: hostname
  • E.g. hostname
      localhost.localdomain   // default
  • E.g. hostname
      mobile.cs.uwec.edu

10
ifconfig
  • Configure a network interface
  • Run without arguments, shows the current IP (and MAC)
    addresses of the host system
  • Usage: ifconfig
  • E.g. ifconfig   // command alone displays status
      eth0   Link encap:Ethernet  HWaddr 00:0C:29:CD:F6:D3
             inet addr:192.168.172.128 . . .
      lo     Link encap:Local Loopback
             inet addr:127.0.0.1 . . .
  • Note: ifconfig (net-tools) is deprecated on current
    Linux; ip addr (iproute2) reports the same information

11
who
  • Basic tool to show the users logged on to the current
    system (read from /var/run/utmp)
  • Useful for identifying unusual activity (e.g.
    activity by newly created accounts or inactive
    accounts)
  • Caveat: an attacker with root can edit utmp, so
    corroborate with the authentication logs
  • Usage: who
  • E.g. who
      root   tty1   Jan 9 12:46
      paul   tty2   Jan 9 12:52

12
last
  • Show the last N logins on the system (read from
    /var/log/wtmp)
  • Default: everything since the file was last rotated
  • -n N (or -N): show only the last N entries
  • Useful for identifying unusual activity in the recent
    past (logins at odd hours, from unexpected hosts, or
    by dormant accounts)
  • Usage: last -n N
  • E.g. last -3
      wagnerpj  pts/1  137.28.253.254  Sat Feb 5 15:40   still logged in
      flinstf   pts/0  137.28.191.74   Sat Feb 5 15:38   still logged in
      rubbleb   pts/0  c48.someu.edu   Sat Feb 5 14:38 - 15:25  (00:46)

13
ping
  • Potential uses
    • Is the system online? (through the response)
    • Gather name information (through DNS)
    • Tentatively identify the operating system
      • Based on the TTL (packet Time To Live) shown on
        each reply line
      • TTL: the number of hops a packet may still
        travel; each router decrements it by one
      • 64 is the Linux default, 128 is the Windows
        default (but it can be changed!)
      • The reply shows the TTL after the return path
        has decremented it, so round up to the nearest
        default: a reply with ttl=51 most likely started
        at 64 on a host about 13 hops away
  • Notes
    • Uses ICMP echo request/reply packets
    • Often blocked on many hosts; more useful within
      your own network
  • Usage: ping system
  • E.g. ping ftp.redhat.com
  • E.g. ping localhost

14
traceroute
  • Potential uses
    • Estimate the geographic location of a machine from
      the names and ownership of the intermediate hops
      (an approximation, not a precise physical location)
    • Gather network information (gateway, other
      internal systems)
    • Find the system that's dropping your packets:
      evidence of a firewall
  • Notes
    • Can use UDP (the Linux default) or ICMP packets
      (Windows tracert, traceroute -I); traceroute -T
      sends TCP SYNs to a chosen port to get through
      filters that allow that port
    • Results often limited by firewalls
    • Several GUI-based traceroute utilities available
  • Usage: traceroute system
  • E.g. traceroute cs.umn.edu

15
traceroute example - blocked
  • wagnerpj@data$ traceroute cs.umn.edu
  • traceroute to cs.umn.edu (128.101.34.202), 30
    hops max, 38 byte packets
  •  1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms
       0.208 ms
  •  2  v101.networking.cns.uwec.edu (137.28.9.1)
       0.245 ms  0.229 ms  0.220 ms
  •  3  uweauclairehub2-ge50.core.wiscnet.net
       (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
  •  4  * * *
  • <ctrl-c>
  • wagnerpj@data$

16
traceroute example - success
  • H:\>tracert www.google.com
  • Tracing route to www.google.akadns.net
    [64.233.167.99] over a maximum of 30 hops:
  •
  •  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  •  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  •  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  •  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  •  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  •  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  •  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  •  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  •  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
  • 10    16 ms    16 ms    18 ms  216.239.46.10
  • 11    21 ms    19 ms    17 ms  64.233.175.30
  • 12    18 ms    16 ms    16 ms  64.233.167.99
  •
  • Trace complete.
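The ping slide and the two traceroute examples above both ask the reader to draw conclusions by eye: round the reply TTL up to a default to guess the OS and distance, and read a run of silent hops as a filter. The following is an added example, not part of the original workshop, that does both from captured text: it infers the initial TTL and hop count from ping replies, parses both the Linux traceroute and the Windows tracert formats, reports where a path goes silent, and cross-checks the ping-derived hop count against the traceroute. The sample output is constructed to mirror the slides' examples but uses RFC 5737 test addresses and made-up host names.

```python
import re

# Constructed sample output (RFC 5737 addresses, invented host names): a ping, a Linux
# traceroute that dies behind a filter, and a Windows tracert that reaches its target.
PING_OUT = """\
PING www.example.com (203.0.113.99) 56(84) bytes of data.
64 bytes from 203.0.113.99: icmp_seq=1 ttl=124 time=18.2 ms
64 bytes from 203.0.113.99: icmp_seq=2 ttl=124 time=17.9 ms
"""
TRACE_LINUX = """\
traceroute to cs.example.edu (203.0.113.202), 30 hops max, 38 byte packets
 1  192.0.2.2 (192.0.2.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.example.edu (192.0.2.1)  0.245 ms  0.229 ms  0.220 ms
 3  hub2-ge50.core.example.net (198.51.100.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
 5  * * *
"""
TRACE_WINDOWS = """\
Tracing route to www.example.com [203.0.113.99]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  v61.networking.example.edu [192.0.2.1]
  2     4 ms     6 ms     3 ms  hub2-ge50.core.example.net [198.51.100.1]
  3    17 ms    17 ms    17 ms  edge-08.inet.example.net [198.51.100.5]
  4    18 ms    16 ms    16 ms  203.0.113.99

Trace complete.
"""

# Common initial TTLs. The reply TTL is what is left after every router on the return
# path decremented it, so the sender's starting value is the next default at or above it.
INITIAL_TTLS = ((64, "Linux/Unix-like (default 64)"),
                (128, "Windows (default 128)"),
                (255, "router/Solaris-style (default 255)"))


def analyse_ping(output):
    """OS guess and return-path hop distance from the ttl= field of echo replies."""
    ttls = [int(t) for t in re.findall(r"\bttl=(\d+)", output, re.IGNORECASE)]
    if not ttls:
        return None
    seen = max(ttls)
    for initial, label in INITIAL_TTLS:
        if seen <= initial:
            return {"observed_ttl": seen, "initial_ttl": initial,
                    "hops": initial - seen, "os_guess": label}
    return None


HEAD_RE = re.compile(r"(?:traceroute to|Tracing route to) \S+ [(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
NAME_RE = re.compile(r"(?<![\w.-])([A-Za-z][\w.-]*)\s+[(\[]")
RTT_RE = re.compile(r"(<?\d+(?:\.\d+)?) ms")


def parse_traceroute(output):
    """Parse Linux traceroute or Windows tracert text into (target_ip, [hop dicts])."""
    target_ip, hops = None, []
    for line in output.splitlines():
        head = HEAD_RE.search(line)
        if head:
            target_ip = head.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        n, rest = int(m.group(1)), m.group(2)
        ip = IP_RE.search(rest)
        if ip is None:                                # "* * *" or "Request timed out."
            hops.append({"n": n, "timeout": True, "ip": None, "name": None, "rtt_ms": []})
            continue
        name = NAME_RE.search(rest)
        hops.append({"n": n, "timeout": False, "ip": ip.group(1),
                     "name": name.group(1) if name else ip.group(1),
                     "rtt_ms": [float(r.lstrip("<")) for r in RTT_RE.findall(rest)]})
    return target_ip, hops


def analyse_trace(output):
    """Did the trace reach its target, and if not, after which hop did the path go silent?"""
    target_ip, hops = parse_traceroute(output)
    responders = [h for h in hops if not h["timeout"]]
    last = responders[-1] if responders else None
    reached = last is not None and last["ip"] == target_ip
    silent_tail = 0
    for h in reversed(hops):
        if not h["timeout"]:
            break
        silent_tail += 1
    # A responding hop followed by nothing but timeouts is the classic signature of a
    # filtering device (or a host that drops our probe type) just beyond the last responder.
    return {"target_ip": target_ip, "reached": reached,
            "hops_to_target": last["n"] if reached else None,
            "last_responder": last["name"] if last else None,
            "probable_filter_after_hop": last["n"] if (last and not reached and silent_tail) else None}


def hop_counts_agree(ping_output, trace_output):
    """Cross-check the hop distance inferred from the ping TTL against the traceroute length.
    Disagreement is normal when forward and return paths differ (asymmetric routing)."""
    p, t = analyse_ping(ping_output), analyse_trace(trace_output)
    return p is not None and t["reached"] and p["hops"] == t["hops_to_target"]
```

On the constructed data the ping replies (ttl=124) round up to 128, a Windows-style host four hops away; the Linux trace stops answering after hop 3 (hub2-ge50.core.example.net), which is where a firewall is most likely sitting; the Windows trace reaches 203.0.113.99 at hop 4, which agrees with the ping estimate. The RTT list keeps "<1 ms" as 1.0, so hop timings from tracert and traceroute can be compared on the same scale.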

17
Visual Traceroute Example
18
whois
  • Potential uses
    • Queries NICNAME/WHOIS servers for Internet
      registration information (domains, IP address
      blocks, AS numbers)
    • Can gather contacts, names, geographic
      information, name servers - useful for social
      engineering attacks
  • Notes
    • Since 2018 most registries redact personal contact
      data (GDPR), so expect less than the example on the
      next slide; RDAP is the structured successor to
      WHOIS
  • Usage: whois domain
  • E.g. whois netcom.com

19
whois example - basic
  • Domain Name: UWEC.EDU
  • Registrant:
    • University of Wisconsin - Eau Claire
    • 105 Garfield Avenue
    • Eau Claire, WI 54702-4004
    • UNITED STATES
  • Contacts
    • Administrative Contact:
      • Computing and Networking Services
      • 105 Garfield Ave
      • Eau Claire, WI 54701
      • UNITED STATES
      • (715) 836-5711
      • networking@uwec.edu
  • Name Servers:

20
whois example - wildcards
  • whois uw.edu
  • Your search has matched multiple domains.
  • Below are the domains you matched (up to 100).
    For specific
  • information on one of these domains, please
    search on that domain.
  • UW.EDU
  • UWA.EDU
  • UWB.EDU
  • UWC.EDU
  • UWEC.EDU
  • UWEST.EDU
  • UWEX.EDU
  • .

21
nslookup
  • Potential uses
    • Query Internet name servers
    • Find the name for an IP address, and vice versa
  • Notes
    • BIND once marked it deprecated in favour of dig;
      it remains available everywhere and is the standard
      tool on Windows
    • Sometimes useful when dig fails
  • Usage
    • nslookup xxxxxxx   // name or IP address
  • E.g. nslookup data.cs.uwec.edu
  • E.g. dig data.cs.uwec.edu

22
dig
  • Potential uses
    • Domain Name Service (DNS) lookup utility
    • Associate a name with an IP address and vice versa
  • Notes
    • Many command options (record type, @server to
      query a particular server, +short for terse output)
    • General usage: dig <somehost>
  • E.g. dig data.cs.uwec.edu
  • E.g. dig -x 137.28.109.33   // reverse (PTR) lookup;
    a bare IP address without -x is looked up as if it
    were a host name

23
arp
  • Shows the ARP cache: the MAC address learned for each
    IP address on the local network segment, and the
    interface it was seen on
  • Possible uses
    • Find systems on the same LAN that your system has
      recently talked to (off-segment hosts do not
      appear; their traffic goes to the gateway's MAC)
    • A changed or duplicated MAC entry can indicate ARP
      spoofing
  • Notes
    • arp        // display names
    • arp -n     // display numeric addresses
    • ip neigh   // iproute2 equivalent on current Linux

24
netstat
  • Shows connections, routing information,
    statistics
  • Possible uses
    • Find systems that your system has recently talked
      to, find recently used ports
  • Notes
    • Many flags
    • netstat      // open sockets, etc.
    • netstat -s   // summary statistics
    • netstat -r   // routing tables
    • netstat -p   // PID/program owning each socket
                   // (root needed to see other users' processes)
    • netstat -l   // listening sockets
    • netstat -tulpn is the usual combination (TCP, UDP,
      listening, program, numeric); ss is the iproute2
      replacement

25
lsof
  • Lists open files on your system (on Unix that
    includes sockets and devices)
  • Useful to see what processes are working with
    what files, possibly identify tampering
  • Usage: lsof
  • lsof -i lists network sockets with their owning
    process; lsof -p PID lists what one process has open

26
Windows Tools
  • Sam Spade
    • Swiss army knife of footprinting
    • Has most of the Linux tools
    • Plus other functionality
  • Usage
    • Start the application
    • Fill in a name or IP address
    • Choose the option desired in the menus

27
Packet Sniffers
  • Definition: hardware or software that can display
    network traffic packet information
  • Usage
    • Network traffic analysis
  • Example packet sniffers
    • tcpdump (command line, Linux)
    • wireshark (GUI interface; Linux, Windows; open
      source)
    • others

28
Limitations: Packet Sniffing
  • Packet sniffers only catch what they can see
    • Users attached to a hub can see everything
    • Users attached to a switch only see their own
      traffic (plus broadcasts); seeing more needs a
      mirror/SPAN port on the switch or an active attack
      such as ARP spoofing
    • Wireless: an access point is like a hub, but on
      WPA/WPA2 each client's traffic is encrypted with its
      own key, so a sniffer needs the network key and the
      client's handshake to decode it
  • Need to be able to put your network interface card
    (NIC) in promiscuous mode (monitor mode for wireless)
    to process all traffic, not just traffic to/from
    itself
    • NIC and driver must support it
    • Need privilege (e.g. root in Linux)

29
OSI Network Model
  • Layer 7: Application (incl. application content)
  • Layer 6: Presentation
  • Layer 5: Session
  • Layer 4: Transport (incl. protocol, port)
  • Layer 3: Network (incl. source, destination)
  • Layer 2: Data Link
  • Layer 1: Physical

30
wireshark
  • Created in 1997 by Gerald Combs as a tool to examine
    network problems, under the name Ethereal
  • Various contributors added pieces; released 1998
  • Name change (2006): Ethereal -> Wireshark
  • Reads and writes the capture file formats of many
    other tools (pcap and others)
  • Information
    • http://www.wireshark.org
  • Demonstration

31
Using wireshark
  • Ubuntu: Applications / Internet / Wireshark (as
    root)
    • Enter your administrative account password
    • Better practice: put your user in the wireshark
      group so dumpcap captures with the capture
      capability and the large dissector code base never
      runs as root
  • Capture / Interfaces / eth0, Start
  • Capture window shows accumulated totals for
    different types of packets
  • Stop: packets are now displayed
  • Top window: packet summary
    • Can sort by column; source, destination,
      protocol are useful
  • Middle window: packet breakdown
    • Click on the icons for detail at each protocol
      layer
  • Bottom window: packet content (raw bytes)

32
Wireshark capture analysis
  • Can save a session to a capture file
  • Can reopen the file later for further analysis
  • Open capture file
    • Ubuntu: /home/user/Support/MOBILEcapture.cap
    • W2K3: C:\Support\MOBILEcapture.cap
  • Identify and follow different TCP streams
    • Select a TCP packet, Analyze / Follow TCP Stream
  • MOBILEcapture.cap has http, https, ftp, ssh
    streams
  • Any interesting information out there?
    • HINT: follow the stream on an ftp packet (FTP sends
      the USER and PASS commands in clear text; the https
      and ssh streams show only encrypted payload)
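What Follow TCP Stream does, and why the ftp hint pays off, is easier to see in code. The following is an added example, not part of the workshop and not the MOBILEcapture.cap file: it builds a small pcap in memory (Ethernet / IPv4 / TCP, layers 2 to 4 of the model above, with FTP and HTTP as layer 7), reads it back the way a sniffer would, reassembles each connection's two directions by sequence number, and pulls the USER and PASS lines out of the FTP control channel. The frames, addresses and credentials are constructed for the example; the segments are deliberately stored out of order so the reassembly has real work to do.

```python
import socket
import struct
from collections import defaultdict

ETH_IPV4, PROTO_TCP = 0x0800, 6


# ---- a tiny constructed capture built in memory; not a real pcap ----
def tcp_frame(src, sport, dst, dport, seq, ack, payload, flags=0x18):
    """One Ethernet (L2) / IPv4 (L3) / TCP (L4) frame carrying payload (L7). Checksums left zero."""
    eth = bytes.fromhex("000c29cdf6d3") + bytes.fromhex("005056c00008") + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


CLIENT, SERVER = "192.168.172.128", "192.168.172.2"
# An FTP login (the PASS segment is captured before USER, so order must come from seq)
# plus one unrelated HTTP request on a second connection.
FRAMES = [
    tcp_frame(SERVER, 21, CLIENT, 40123, 1000, 500, b"220 ftp.example.net FTP server ready\r\n"),
    tcp_frame(CLIENT, 40123, SERVER, 21, 511, 1070, b"PASS s3cret!\r\n"),
    tcp_frame(CLIENT, 40123, SERVER, 21, 500, 1038, b"USER paul\r\n"),
    tcp_frame(SERVER, 21, CLIENT, 40123, 1038, 511, b"331 Password required for paul\r\n"),
    tcp_frame(SERVER, 21, CLIENT, 40123, 1070, 525, b"230 User paul logged in\r\n"),
    tcp_frame(CLIENT, 40555, SERVER, 80, 900, 1, b"GET / HTTP/1.0\r\n\r\n"),
]
SAMPLE_PCAP = build_pcap(FRAMES)


# ---- the sniffer side: read the capture, dissect each layer, reassemble streams ----
def read_pcap(data):
    """Yield the raw frames of a classic little-endian pcap (magic 0xa1b2c3d4)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dissect(frame):
    """Ethernet -> IPv4 -> TCP. Returns addresses, ports, seq and payload, or None for other traffic."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != PROTO_TCP:
        return None
    seg = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", seg[:8])
    data_off = (seg[12] >> 4) * 4                      # TCP header length in bytes
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "payload": seg[data_off:]}


def follow_streams(pcap_bytes):
    """Group segments by connection and order each direction by sequence number, which is
    what Wireshark's Follow TCP Stream shows. Ignores retransmissions and seq wrap-around."""
    segments = defaultdict(list)                       # (endpoint, endpoint) -> [(sender, seq, payload)]
    for frame in read_pcap(pcap_bytes):
        p = dissect(frame)
        if p is None:
            continue
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        segments[tuple(sorted((a, b)))].append((a, p["seq"], p["payload"]))
    return {conn: {ep: b"".join(pl for _, pl in sorted((seq, pl) for who, seq, pl in segs if who == ep))
                   for ep in conn}
            for conn, segs in segments.items()}


def find_ftp_logins(streams):
    """Pull USER/PASS out of the client->server half of every FTP control connection (port 21)."""
    found = []
    for conn, halves in streams.items():
        for sender, data in halves.items():
            receiver = conn[1] if sender == conn[0] else conn[0]
            if receiver[1] != 21:
                continue
            creds = {"client": sender[0], "server": receiver[0], "user": None, "password": None}
            for line in data.decode("ascii", "replace").splitlines():
                if line.upper().startswith("USER "):
                    creds["user"] = line[5:]
                elif line.upper().startswith("PASS "):
                    creds["password"] = line[5:]
            if creds["user"] or creds["password"]:
                found.append(creds)
    return found
```

Running find_ftp_logins(follow_streams(SAMPLE_PCAP)) returns the login paul / s3cret! from the client side of the port 21 connection, while the HTTP connection is left alone. The same loop applied to the ssh or https streams in a real capture yields nothing readable, which is the whole point of the hint on the slide. The parsing part also runs on a real file: open it in binary mode and pass the bytes to follow_streams (big-endian and pcapng captures would need the header handling extended).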

33
Related Tool
  • Hunt
    • TCP sniffer
    • Watch and reset connections
    • Hijack sessions
    • Spoof MAC address
    • Spoof DNS name

34
Related Tool
  • EtherPEG: captures and displays the images passing
    over the network
    • http://www.etherpeg.com

35
Summary
  • Basic tools can generate much information
  • Remember the principle of accumulating information:
    an attacker will build on smaller pieces to get
    bigger pieces
  • Message to defenders: don't give away any
    information if you can avoid it