Footprinting and Scanning - PowerPoint PPT Presentation

Slides: 9
Provided by: AlBen150

Transcript and Presenter's Notes

1
Footprinting and Scanning
2
Protect from (the phases of an attack this course covers)
  • Target acquisition and information gathering: footprinting, scanning, enumeration
  • initial access
  • privilege escalation
  • covering tracks

3
Footprinting
  • systematically gathering information about the target
  • the result is a profile of the target's security posture

4
Scope of footprinting
  • Organization, region, location
  • open source search
  • web page (save it offline, e.g. with Teleport)
  • Yahoo or other directories
  • multiple search engines (All-in-One, Dogpile)
  • advanced search (e.g. AltaVista)
  • publicly traded companies (e.g. SEC EDGAR filings)
  • countermeasures
  • remove unnecessary information from web pages
  • create security policies (see the Site Security
    Handbook, RFC 2196)

5
Network enumeration
  • Identify domain names and networks
  • registrar query. In Linux/UNIX issue
    whois domain@whois.crsnic.net
    (older whois syntax; newer clients take
    whois -h whois.crsnic.net domain). In Windows
    download CyberKit and perform the query. Then use
    the domain.xxx to find the registrar.
  • organizational query. Use the organization name
    and query the respective registrar, as shown in
    this example.
  • domain query. Given all possible domains, start
    with one of them and query the registrar about
    the domain. Note phone numbers, DNS servers, etc.
  • network query. The ARIN database lists the IP
    blocks assigned to an organization. Query
    whois.arin.net.
  • countermeasures: only administrative cleanup of
    the published contact details, because the
    information is required for registration.
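
The registrar and network queries on this slide both use the same protocol: whois is one line of text sent over TCP port 43 (RFC 3912), and the server answers with free text and closes. The example below is added here and is not from the slides or any tool they mention; it implements that exchange with a local stand-in server so it runs offline. The record it returns is constructed, not real registration data; for a real lookup point `host` at whois.crsnic.net or whois.arin.net.

```python
# Added example (not from the slides): whois is one line of text over TCP port
# 43 (RFC 3912). A local stand-in server answers so the exchange runs offline;
# point `host` at whois.crsnic.net or whois.arin.net for a real lookup.
import socket
import threading

# Constructed reply, not real registration data.
FAKE_RECORD = (
    "Domain Name: EXAMPLE.COM\r\n"
    "Registrar: Example Registrar, Inc.\r\n"
    "Name Server: NS1.EXAMPLE.COM\r\n"
    "Name Server: NS2.EXAMPLE.COM\r\n"
    "Admin Phone: +1.5555550100\r\n"
)


def whois_query(host, query, port=43, timeout=5.0):
    """Send one query line, then read until the server closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_record(text):
    """Pick out what a footprinter notes down: registrar, name servers, phones."""
    info = {"registrar": None, "name_servers": [], "phones": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "registrar":
            info["registrar"] = value
        elif key == "name server":
            info["name_servers"].append(value.lower())
        elif key.endswith("phone"):
            info["phones"].append(value)
    return info


def start_fake_whois_server(record=FAKE_RECORD):
    """Stand-in registrar: accept one connection, answer with `record`, close.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)  # the query line; the stand-in answers everything alike
            conn.sendall(record.encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def footprint_domain(domain, host="127.0.0.1", port=43):
    """Registrar lookup as the slide describes, returning the parsed fields."""
    return parse_record(whois_query(host, domain, port=port))


if __name__ == "__main__":
    port = start_fake_whois_server()
    print(footprint_domain("example.com", port=port))
```

Because the protocol is this simple, the same client works for the registrar, organizational, domain and ARIN network queries; only the server and the query string change. The field names in `parse_record` vary between registrars, which is why a real footprinting script has to tolerate several spellings.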

6
DNS interrogation
  • Use the Sam Spade tool to check DNS.
  • Use the dig tool in Sam Spade to obtain the
    authoritative DNS servers for the organization (it
    will also provide the mail servers, etc., and
    their IP addresses).
  • A zone transfer asks the authoritative name
    server of an organization for all the records it
    holds for a domain (it should not hand them out
    to arbitrary hosts).
  • Mail relay check asks a mail server to relay mail
    for you (it should not relay your message).
  • Countermeasures: deny all unauthorized inbound
    connections to TCP port 53 (zone transfers run
    over TCP; UDP port 53 must stay open for ordinary
    queries). You can also set directives on the DNS
    server itself (see book; in BIND this is the
    allow-transfer option). This prevents zone
    transfers, but not nslookup of each IP address
    one at a time, so reverse lookups can still walk
    the address space.
  • Network Reconnaissance
  • traceroute (tracert in Windows) allows you to
    study the network topology (identify the hops on
    the path to the target). See this example.
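
The zone-transfer check above, done by hand instead of through Sam Spade, as an added example that is not from the slides: it builds an AXFR request, sends it over TCP 53 with the two-byte length framing DNS uses on TCP, and reads the response code. A local stand-in server that answers REFUSED plays the role of a correctly configured authoritative server; the zone name and transaction id are arbitrary. Against a real server this is what `dig @server zone axfr` does.

```python
# Added example (not from the slides): the zone-transfer check done by hand.
# An AXFR request is sent over TCP 53 and the response code is read back; a
# local stand-in server that refuses plays a correctly configured
# authoritative server. Equivalent to `dig @server zone axfr`.
import socket
import struct
import threading

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (1 question, flags 0 = standard query) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def tcp_dns_exchange(host, port, msg, timeout=5.0):
    """DNS over TCP: a two-byte big-endian length prefix in each direction."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(msg)) + msg)
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return recv_exact(sock, length)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "ancount": an}


def classify_reply(header):
    """"ALLOWED" when the server starts handing out the zone (a finding),
    otherwise the response code name, e.g. "REFUSED"."""
    if header["rcode"] == 0 and header["ancount"] > 0:
        return "ALLOWED"
    return RCODE_NAMES.get(header["rcode"], "RCODE%d" % header["rcode"])


def check_zone_transfer(zone, host, port=53):
    return classify_reply(parse_header(
        tcp_dns_exchange(host, port, build_axfr_query(zone))))


def start_refusing_server():
    """Stand-in for a hardened name server: echo the id and question back with
    QR set and RCODE 5 (REFUSED). Returns its ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            (length,) = struct.unpack("!H", recv_exact(conn, 2))
            query = recv_exact(conn, length)
            txid = struct.unpack("!H", query[:2])[0]
            reply = struct.pack("!HHHHHH", txid, 0x8000 | 5, 1, 0, 0, 0) + query[12:]
            conn.sendall(struct.pack("!H", len(reply)) + reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_refusing_server()
    print("example.com AXFR:", check_zone_transfer("example.com", "127.0.0.1", port))
```

A server that allows the transfer answers NOERROR with the SOA record first, so `classify_reply` reports "ALLOWED" as soon as the answer count is non-zero; a full client would keep reading messages until the closing SOA.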

7
Scanning
  • After obtaining the list of networks and IP
    addresses, scanning starts
  • ping sweeps (find active machines): use Pinger in
    Windows and nmap in Linux/UNIX. This is an
    example of Pinger.
  • TCP port scanning (open ports on active
    machines): SYN and connect scans work with most
    hosts. SYN is stealthier and may not be logged,
    because the handshake is never completed; a
    connect scan shows up as a full connection. In
    Windows NT use SuperScan and in Linux/UNIX use
    nmap. See an example of SuperScan. But attackers
    drive command-line tools from scripts, not
    graphical tools.
  • UDP port scanning: use WUPS in Windows as shown
    here.
  • countermeasures: detection using Active Ports
    (see an example of what it logs). Later we will
    learn to install an IDS program (snort), the way
    to protect from ping sweeps and port scanning.
    NAT is a first step, since hosts behind it are
    not directly addressable from outside. See more
    free/shareware security tools here.
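
Both sides of the port-scanning bullet above, as an added example that is not from the slides or from the tools they name: a connect scan (the unprivileged, logged kind) run against a handful of local listener threads, and a detector on the listening side that logs every accepted connection and raises an alert when one source touches several ports within a window. The threshold, window and port counts are arbitrary choices for the demonstration.

```python
# Added example (not from the slides): a TCP connect() port scan and the
# defender's view of it. Listener threads on ephemeral ports play the target;
# each accepted connection is logged with its source, and the detector raises
# an alert when one source touches several ports within a window.
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=32):
    """Full three-way handshake per port. Needs no privileges, but every open
    port sees a completed connection, so it is the noisy, logged variant; a
    SYN scan (nmap -sS) needs raw sockets and never finishes the handshake."""
    def probe(port):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return port
        except OSError:          # refused (closed) or timed out (filtered)
            return None
        finally:
            sock.close()

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


class ScanDetector:
    """Port-scan heuristic: one source hitting >= threshold distinct ports
    within `window` seconds. A SYN scan never completes a connection, so it
    would only show up in a sniffer or IDS (snort), not in accept() logs."""
    def __init__(self, threshold=5, window=10.0):
        self.threshold, self.window = threshold, window
        self.events = {}                      # src -> [(timestamp, port), ...]
        self.lock = threading.Lock()

    def record(self, src, port, now=None):
        now = time.time() if now is None else now
        with self.lock:
            hits = self.events.setdefault(src, [])
            hits.append((now, port))
            hits[:] = [(t, p) for t, p in hits if now - t <= self.window]

    def distinct_ports(self, src):
        with self.lock:
            return len({p for _, p in self.events.get(src, [])})

    def alerts(self):
        with self.lock:
            return sorted(s for s, hits in self.events.items()
                          if len({p for _, p in hits}) >= self.threshold)


def start_listeners(count, detector):
    """Open `count` ephemeral TCP ports, logging every accept to the detector."""
    ports = []
    for _ in range(count):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(5)
        port = srv.getsockname()[1]
        ports.append(port)

        def serve(srv=srv, port=port):
            while True:
                try:
                    conn, peer = srv.accept()
                except OSError:
                    return
                detector.record(peer[0], port)
                conn.close()

        threading.Thread(target=serve, daemon=True).start()
    return ports


def wait_for_hits(detector, src, n, timeout=3.0):
    """Accept threads log asynchronously; wait until `n` ports are seen."""
    deadline = time.time() + timeout
    while time.time() < deadline and detector.distinct_ports(src) < n:
        time.sleep(0.02)
    return detector.distinct_ports(src)


def unused_port():
    """A port nothing listens on (bound then released), to show up as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    detector = ScanDetector(threshold=3)
    open_ports = start_listeners(4, detector)
    found = connect_scan("127.0.0.1", open_ports + [unused_port()])
    print("open:", found)
    wait_for_hits(detector, "127.0.0.1", len(open_ports))
    print("scan alerts:", detector.alerts())
```

The detector only sees ports that accepted a connection, which is exactly why the slide calls the SYN scan stealthier: the same sweep done with half-open SYNs would leave these accept logs empty, and catching it needs packet-level monitoring such as snort.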

8
More in Scanning
  • OS detection (stack fingerprinting)
  • probe the TCP/IP stack, because its responses
    vary between OSs. Requires at least one listening
    port to make the determination. See textbook
    (pages 62-63) for the types of probe.
  • why is it important? There are hacker tools that
    are specific to an OS or network device. In
    Linux/UNIX use nmap with -O. You can use the
    Netcraft site to check the OS of a host running a
    Web server.
  • countermeasures: stack behavior that follows the
    standards (fewer distinguishing quirks), and
    filtering probe requests at the firewall.
  • OS detection (passive signatures)
  • by monitoring the traffic, the operating system
    can be detected, among other things, without
    sending any probes. Siphon is a recent Linux/UNIX
    tool for this.
  • Once the OS is identified, enumeration can take
    place (to be seen in the next class meeting).
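
Passive fingerprinting in the Siphon style, as an added example that is not from the slides or from Siphon itself: the initial TTL, TCP window and don't-fragment bit of a bare SYN are read out of raw IPv4/TCP header bytes and looked up in a window:ttl:df table. The signature values in the table are assumptions for illustration, not a copy of any tool's database, and the packets are constructed in `build_syn` with zero checksums, which is enough to parse but would not pass a real stack.

```python
# Added example (not from the slides): passive stack fingerprinting in the
# Siphon style. The SYN's initial TTL, TCP window and DF bit are read from raw
# IPv4/TCP header bytes and looked up in a window:ttl:df signature table. The
# table values and the packets are constructed for illustration only.
import struct

# Illustrative signatures (assumed values): (window, initial TTL, DF) -> OS.
SIGNATURES = {
    (5840, 64, True): "Linux 2.4/2.6 (assumed signature)",
    (65535, 128, True): "Windows XP/2003 (assumed signature)",
    (16384, 128, True): "Windows 2000 (assumed signature)",
}
INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed):
    """Routers decrement TTL; round up to the nearest common starting value."""
    for ttl in INITIAL_TTLS:
        if observed <= ttl:
            return ttl
    return observed


def parse_ipv4_tcp(pkt):
    """Fields needed for fingerprinting from an IPv4 packet carrying TCP."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    (flags_frag,) = struct.unpack("!H", pkt[6:8])
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, seq, ack, off_flags, window = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    tcp_flags = off_flags & 0x01FF
    return {
        "ttl": ttl,
        "df": bool(flags_frag & 0x4000),   # IP flags: bit 0x4000 is DF
        "window": window,
        "syn": bool(tcp_flags & 0x02),
        "ack": bool(tcp_flags & 0x10),
        "sport": sport,
        "dport": dport,
    }


def guess_os(pkt):
    """Fingerprint only the bare SYN, where the window is the stack's default.
    Returns None for any other segment, else the OS guess or "unknown"."""
    f = parse_ipv4_tcp(pkt)
    if not f["syn"] or f["ack"]:
        return None
    return SIGNATURES.get((f["window"], initial_ttl(f["ttl"]), f["df"]), "unknown")


def build_syn(ttl, window, df, sport=40000, dport=80, ack=False):
    """Construct a minimal IPv4+TCP SYN (checksums left zero; enough to parse).
    Addresses 10.0.0.5 -> 10.0.0.9 are placeholders."""
    ip_flags_frag = 0x4000 if df else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, ip_flags_frag, ttl, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp_flags = 0x02 | (0x10 if ack else 0)
    off_flags = (5 << 12) | tcp_flags        # data offset 5 words, then flags
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, off_flags, window, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    # A SYN that crossed 13 hops from a host that started at TTL 64.
    print(guess_os(build_syn(ttl=51, window=5840, df=True)))
    print(guess_os(build_syn(ttl=117, window=65535, df=True)))
```

Nothing here is sent on the wire, which is the point of the passive approach: fed from a sniffer instead of `build_syn`, the same lookup runs without the probes that a firewall could filter or an IDS could flag.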