Footprinting/Scanning/ Enumeration - PowerPoint PPT Presentation

1 / 34
About This Presentation
Title:

Footprinting/Scanning/ Enumeration

Description:

Title: Susceptibilities Author: Roberto De Leon Last modified by: Robert J. Kaufman Created Date: 12/2/2001 5:36:57 AM Document presentation format – PowerPoint PPT presentation

Number of Views:1242
Avg rating:3.0/5.0
Slides: 35
Provided by: RobertoD152
Category:

less

Transcript and Presenter's Notes

Title: Footprinting/Scanning/ Enumeration


1
Footprinting/Scanning/Enumeration
  • Lesson 9

2
Footprinting
  • External attack Enables attackers to create a
    profile of an organizations security posture
    including
  • Domain name
  • Network blocks
  • IP addresses for Internet connected systems
  • TCP and UDP services running on systems
  • System HW and SW (OS and applications)
  • Possible security HW/SW (firewalls, IDS)
  • User and group names, system banners
  • Analog/Digital phone numbers, RAS

3
Footprinting
  • Internal attack same goal but from inside of
    the security perimeter map out the network and
    determine current security posture. Identify
  • Network protocols
  • Internal domain names
  • IP addresses for system on internal network
  • TCP and UDP services for internal systems
  • HW and SW for internal systems
  • IDS, firewalls, and other security devices
  • User and group names, system banners
  • Possible extranet or VPN connectivity

4
Open Source Search
  • Start with the organizations web page if they
    have one.
  • Locations/addresses
  • Phone numbers
  • Names of key individuals
  • Email addresses
  • Policies (e.g. privacy) or other security info
  • Review HTML source code for comments
  • News articles, press releases
  • GOOGLE or other search engine search
  • Search USENET for postings
  • EDGAR Search

5
EDGAR
  • For Publicly Traded Companies!

6
Network Enumeration
  • Goal is to identify domain names and associated
    networks. Then want IP addresses.
  • Whois databases valuable in this search
  • Access web sites with capability to search
  • Download and run programs that will help
  • Sam Spade (for Windows)

7
Sam Spade (IP Block Query)
8
Sam Spade (IP Block Query cont.)
9
Sam Spade (nslookup)
10
Sam Spade (traceroute)
11
DNS Zone Transfers
  • DNS is a distributed database used for mapping IP
    addresses hostnames.
  • A security problem is to allow DNS zone transfers
    from unknown/untrusted Internet users. (Some
    misconfigured systems may allow server to provide
    zone transfer to anyone who asks.)
  • A zone transfer allows a secondary server to
    update its info from the primary master.
  • Potential problem occurs if zone transfer is
    allowed and the organization hasnt segregated
    its internal (private) network information from
    its external (public) information. Thus,
    internal hostnames and IP addresses may be
    revealed to external sources.
  • This is akin to providing a blueprint of your
    internal network to anybody who asks.
  • One way to accomplish zone transfer is to use
    nslookup
  • Textbook has discussion of how to do this

12
nslookup
13
Network Reconnaissance
  • Once we have identified potential networks we
    need to determine potential access paths into the
    network.
  • traceroute lets you view the route that an IP
    packet follows from one host to another.
  • Uses TTL (time to live) option in the IP packet
    as a hop counter
  • Can identify border routers and possibly
    firewalls as they will normally be the last
    system before our target.
  • May be additional internal routers and firewalls
    if our target is an internal system.
  • If normal probes blocked, try sending probe via
    UDP port 53 (used for DNS queries) as they may be
    allowed past firewall.

14
traceroute
15
Scanning
  • Ping can be used to determine what systems in a
    range of addresses are active. Known as a ping
    sweep.
  • Sends ICMP ECHO request to target. If an ICMP
    ECHO_REPLY is received, target is alive.
  • Number of different programs that can perform
    this (or you can always do it one-by-one on your
    own)
  • Linux fping
  • Windows Sam Spade (single), Pinger,
    WS_PingProPack (commercial)
  • If ICMP traffic is blocked, this method wont
    work, will have to try something else, maybe skip
    to port scanning.
  • Port Scanning scan ports for an IP address (or
    range) to see what services (ports) are available
  • Lots of tools to do these too, nmap,
    WS_PingProPack

16
PING
17
Port Scan
18
Other ICMP queries
  • Other queries using ICMP may provide further
    clues about target
  • Request time on system may reveal timezone
    system is in.
  • Request netmask may allow you to determine
    subnets being used

19
Time
20
Port Scanning
  • Connecting to TCP or UDP ports on target to
    determine what services are running (in LISTENING
    state).
  • Lots of different types of scans, some more
    noisy than others
  • TCP connect scan connect to port using 3-way
    handshake
  • TCP SYN scan half open scan, dont complete
    handshake
  • TCP FIN scan Send a FIN packet, systems should
    send a RST packet
  • UDP scan send UCP packet, if system responds
    with port unreachable then port is closed,
    otherwise port is open (or system down or packet
    lost)
  • Lots of other scans, check book
  • Lots of programs to do scans nmap, strobe,
    netcat, SuperScan

21
Port Scanning
22
Determining the OS
  • Knowing the OS of a target system can be very
    useful. Number of methods to do this.
  • Active Stack Fingerprinting While there is a lot
    of details provided to vendors on how TCP/IP
    stacks should respond for given protocols, not
    everything is always spelled out. The way that
    systems respond to items that are not
    specifically discussed can give a clue or
    actually identify the OS.
  • An example A FIN packet sent to an open port
    should be met with no response. Windows NT,
    however, responds with a FIN/ACK.
  • A number of other examples in text.
  • Passive Stack Fingerprinting Watch traffic as it
    traverses a network to identify the OS.

23
UNIX Tools Network Mapper (nmap)
24
UNIX Tools Network Mapper (nmap)
25
Enumeration Telnet
  • UNIX or MS Windows
  • Provides a terminal connection to a running
    service
  • Usually used to login to a remote system running
    the telnetd daemon Very insecure, plaintext
  • Also useful in many reconnaissance activities
  • Obtaining HTTP Server information
  • Obtaining MAIL Server information and accounts
  • Usage telnet target.com (port number)
  • A tool that may prove useful is netcat (though it
    is a bit older).
  • A lot more info on enumeration available in text,
    what you need depends on your targets.

26
UNIX Tools - Nessus
  • Nessus Written by Hugo van der Kooij and Jordan
    Hrycaj
  • http//www.nessus.org
  • Utilizes nmap to perform port scans
  • Will detect they type of service based on its
    response not on its port number
  • Attempts to exploit known vulnerabilities
  • WARNING Will perform DoS and DDoS attacks

27
UNIX Tools - Nessus
  • Configuring Nessusd
  • Before you run nessus you need to follow the
    following steps
  • Adding a new user
  • /usr/local/sbin/nessus-adduser
  • Create a login name
  • Chose pass for authentication type
  • Type Ctrl-d
  • Starting the daemon
  • As root type nessusd D
  • May take a minute to return to the shell
  • Starting X Windows
  • startx -- -nolisten -tcp

28
UNIX Tools - Nessus
  • Configuring the nessus client

29
UNIX Tools - Nessus
  • Setting up your scan plugins

30
UNIX Tools - Nessus
  • Scanning Options

31
UNIX Tools - Nessus
  • Configuring the targets

32
UNIX Tools - Nessus
  • Save nessus reports to .html files
  • Remember to enable all but dangerous plugins
  • Everything you need to know, including all the
    previous screen shots is available at
    http//www.nessus.org
  • For information on configuring nessusd and nessus
    go to http//www.nessus.org/demo/index.html
  • nessus.README available on the lab systems in
    /home/tools/nessus/

33
UNIX Tools - Nessus
34
Summary
  • What is the importance and significance of this
    material?
  • It is time to start learning the hands-on tools
    needed to perform an assessment.
  • How does this topic fit into the subject of
    Security Risk Analysis?
  • You will need to be conduct all of these phases
    in an assessment. You need to understand the
    tools and have a familiarity with them.
Write a Comment
User Comments (0)
About PowerShow.com