Speaker notes
  • When doing some of this we must remember that we are “inside” the network, so the addresses and reachability we see differ from what an outsider sees.
  • ping www.juniata.edu gives 172.16.17.209. For the OS, first try a telnet banner, which often gives the OS away; then use Nmap, which uses TCP/IP stack fingerprinting to determine the OS.
  • A registrant must give certain information by default; nascar.com is the whois example.
  • Now that we have the name server we need to do an nslookup.
  • Also open the file NSLOOK, which has all the records. What does this do for me? Good time to explain NAT.
  • What is most interesting here? What do I have so far? What do I need? Active machines can be found with a ping sweep (in nmap). Need to find the OS: how? Telnet banner, Nmap, Queso. Need ports: we have addresses, so we can port scan across all the addresses. Pros? Cons? Need OS. http://ws.arin.net/cgi-bin/whois.pl
  • Is it true?
  • BTW this is the “inside” address; I would need to confirm the outside address from “outside”. Also NetCraft.com.
  • Nmap can do decoy scans (-D)…
  • Used to help develop a map. See Cheops in the book.
  • web page
  • name server
  • Name server
  • blackboard
  • webmail
  • Formerly SATAN; it has the power to be used for good or evil. If I have the addresses this is the easy way out: let a tool look for and show me the potential vulnerabilities.
  • Remember security versus functionality.
  • Good time to use these actual addresses and detail NAT; use my laptop as the example of NAT.
  • 10-host pack, 448 dollars.

Transcript

  • 1. Finding Information
  • 2. But first some humor
    • BLAMESTORMING: Sitting around in a group, discussing why a server went down, and who was responsible.
    • SEAGULL MANAGER: A manager who flies in, makes a lot of noise, craps on everything, and then leaves.
    • CUBE FARM: An office filled with cubicles.
    • MOUSE POTATO: The on-line, wired generation's answer to the couch potato.
    • STRESS PUPPY: An admin who seems to thrive on being stressed out, whiney, and complains about stupid users all day.
    • SWIPEOUT: An access card that has been rendered useless because the magnetic strip is worn away from extensive use.
    • PERCUSSIVE MAINTENANCE: The fine art of whacking the crap out of an electronic device to get it to work again.
    • 404: A completely clueless end-user.
    • OHNOSECOND: That fraction of time after hitting Enter, in which you realize that you've just permanently erased a big database.
    • Inoculatte: Taking coffee intravenously when you are pulling an all-nighter getting that database online from the backup tapes.
  • 3. Go from
    • We are going to go from a URL
      • www.juniata.edu
    • To knowing available ports, addresses, and Operating system
  • 4. Basic information
    • For www.juniata.edu find the following
      • TCP/IP address
      • OS
    • Not fair to:
      • call Joel
      • ask Matt or Ned
      • rely on what you already know
    • Who did it and how?
  • 5. My machine
    • Starting nmap V. 3.00 ( www.insecure.org/nmap )
    • Interesting ports on THOMAS-LAP.juniata.edu (172.16.27.133):
    • (The 1597 ports scanned but not shown below are in state: closed)
    • Port State Service
    • 25/tcp open smtp
    • 135/tcp open loc-srv
    • 139/tcp open netbios-ssn
    • 445/tcp open microsoft-ds
    • Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
    • Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds
  • 6. Step one
    • Basic information about www.juniata.edu
      • ping
      • whois
      • nslookup
  • 7. Ping (locally)
  • 8. Whois
    • Registrant:
    • NASCAR, Inc. (NASCAR4-DOM)
    • 1801 W. Int'l Speedway Blvd
    • Daytona Beach, FL 32114
    • US
    • Domain Name: NASCAR.COM
    • Administrative Contact:
    • Hills, Antony (AHB122) [email_address]
    • NASCAR, Inc.
    • 1801 West International Speedway Blvd.
    • Daytona Beach, Fl 32120
    • US
    • 904-253-0611 904-947-6558
    • Technical Contact:
    • TBS Server Operations (TS309-ORG) [email_address]
    • Turner Broadcasting System, Inc.
    • One CNN Center
    • Atlanta, GA 30348
    • US
    • 404-827-5000
    • Fax- 404-827-1593
    • Record expires on 29-Dec-2006.
    • Record created on 28-Dec-1995.
    • Database last updated on 6-Feb-2003 15:32:40 EST.
    • Domain servers in listed order:
    • TWDNS-01.NS.AOL.COM 149.174.213.151
    • TWDNS-02.NS.AOL.COM 152.163.239.216
    • TWDNS-03.NS.AOL.COM 205.188.146.88
    • TWDNS-04.NS.AOL.COM 64.12.147.120
  • 9. Us
    • Domain Name: JUNIATA.EDU
    • Registrant: Juniata College, 1700 Moore Street, Huntingdon, PA 16652, UNITED STATES
    • Administrative Contact: Anne Wood, Juniata College, BSC, Huntingdon, PA 16652, UNITED STATES, (814) 641-5310, wood@juniata.edu
    • Technical Contact: Anne Wood, Juniata College, BSC, Huntingdon, PA 16652, UNITED STATES, (814) 641-5310, wood@juniata.edu
    • Name Servers: NS1.JUNIATA.EDU 192.112.102.3, NS2.JUNIATA.EDU 192.112.102.4
  • 10. Nslookup (inside)
    • Can ask for all records in the name server (the nslookup command ls -d domain requests a zone transfer, which only works if the server permits AXFR from your address):
  • 11. ARIN search
    • OrgName: Juniata College
    • OrgID: JUNIAT
    • Address: 1700 Moore Street
    • City: Huntingdon
    • StateProv: PA
    • PostalCode: 16652
    • Country: US
    • NetRange: 192.112.102.0 - 192.112.102.255
    • CIDR: 192.112.102.0/24
    • NetName: JC
    • NetHandle: NET-192-112-102-0-1
    • Parent: NET-192-0-0-0-0
    • NetType: Direct Assignment
    • NameServer: NS1.JUNIATA.EDU
    • NameServer: NS2.JUNIATA.EDU
    • Comment:
    • RegDate: 1991-08-07
    • Updated: 2002-03-05
    • TechHandle: AM202-ARIN
    • TechName: Wood, Anne
    • TechPhone: +1-814-641-5310
    • TechEmail: [email_address]
    • OrgTechHandle: AM202-ARIN
    • OrgTechName: Wood, Anne
    • OrgTechPhone: +1-814-641-5310
    • OrgTechEmail: [email_address]
    • # ARIN WHOIS database, last updated 2003-02-05 20:00
    • # Enter ? for additional hints on searching ARIN's WHOIS database.
  • 12. Ping sweep: find active addresses
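Added example, not from the slides: a short Python script that parses an ARIN record of the kind shown on slide 11 into fields, checks that its NetRange and CIDR lines describe the same block, expands the block into the host addresses a ping sweep would probe, and classifies an address as inside (RFC 1918, behind NAT) or outside, which is the distinction the speaker notes keep returning to. The record text is copied from slide 11 and trimmed; nothing is fetched from ARIN or the network.

```python
import ipaddress
import re

# Sample input: the ARIN record from slide 11, trimmed to the fields used here
# (copied from the slide, not fetched from ARIN).
ARIN_RECORD = """\
OrgName: Juniata College
OrgID: JUNIAT
NetRange: 192.112.102.0 - 192.112.102.255
CIDR: 192.112.102.0/24
NetName: JC
NetType: Direct Assignment
NameServer: NS1.JUNIATA.EDU
NameServer: NS2.JUNIATA.EDU
"""


def parse_arin(text):
    """'Key: value' lines into a dict; a key that repeats (NameServer) becomes a list."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in rec:
            rec[key] = rec[key] + [value] if isinstance(rec[key], list) else [rec[key], value]
        else:
            rec[key] = value
    return rec


def _as_list(v):
    return v if isinstance(v, list) else [v]


def netrange_matches_cidr(rec):
    """Cheap consistency check before trusting the range: NetRange and CIDR must agree."""
    first, last = (ipaddress.ip_address(a.strip()) for a in rec["NetRange"].split("-"))
    from_range = set(ipaddress.summarize_address_range(first, last))
    from_cidr = {ipaddress.ip_network(c) for c in _as_list(rec["CIDR"])}
    return from_range == from_cidr


def sweep_targets(rec):
    """Addresses a ping sweep of the registered block would probe (network and broadcast excluded)."""
    targets = []
    for c in _as_list(rec["CIDR"]):
        targets.extend(str(h) for h in ipaddress.ip_network(c).hosts())
    return targets


# RFC 1918 private space: what the scanner sees from the LAN, invisible from outside the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_view(addr):
    """'inside' for RFC 1918 addresses (e.g. 172.16.17.209), 'outside' for public ones (192.112.102.5)."""
    ip = ipaddress.ip_address(addr)
    return "inside" if any(ip in net for net in RFC1918) else "outside"


if __name__ == "__main__":
    rec = parse_arin(ARIN_RECORD)
    print("NetRange/CIDR consistent:", netrange_matches_cidr(rec))
    targets = sweep_targets(rec)
    print(f"{len(targets)} sweep targets, {targets[0]} .. {targets[-1]}")
    for a in ("172.16.17.209", "192.112.102.5"):
        print(a, address_view(a))
```

The point of the last function is the one slide 15 makes: the 172.16.17.209 the scanner sees is the NATed inside address, and only the 192.112.102.x block from ARIN is what an outsider can sweep.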
  • 13. How about Mars?
  • 14. Nmap of Mars
    • Starting nmap V. 3.00 ( www.insecure.org/nmap )
    • Interesting ports on mars.juniata.edu (172.16.17.214):
    • (The 1585 ports scanned but not shown below are in state: closed)
    • Port State Service
    • 21/tcp open ftp
    • 22/tcp open ssh
    • 23/tcp open telnet
    • 25/tcp open smtp
    • 111/tcp open sunrpc
    • 515/tcp open printer
    • 2049/tcp open nfs
    • 4045/tcp open lockd
    • 6000/tcp open X11
    • 6112/tcp open dtspc
    • 7100/tcp open font-service
    • 12345/tcp open NetBus
    • 32771/tcp open sometimes-rpc5
    • 32776/tcp open sometimes-rpc15
    • 32777/tcp open sometimes-rpc17
    • 32778/tcp open sometimes-rpc19
    • Remote operating system guess: Solaris 8 early access beta through actual release
    • Uptime 37.983 days (since Mon Dec 30 14:26:29 2002)
    • Nmap run completed -- 1 IP address (1 host up) scanned in 58 seconds
  • 15. www.juniata.edu
    • Is this right?
      • TCP/IP address 172.16.17.209
      • Outside 192.112.102.5
      • OS
        • Linux Kernel 2.4.0 - 2.5.20
        • Linux 2.4.19-pre4 on Alpha
      • www.netcraft.com
      • Nmap
  • 16. Output for www.juniata.edu
    • Starting nmap V. 3.00 ( www.insecure.org/nmap )
    • Interesting ports on www.juniata.edu (172.16.17.209):
    • (The 1594 ports scanned but not shown below are in state: closed)
    • Port State Service
    • 21/tcp open ftp
    • 22/tcp open ssh
    • 80/tcp open http
    • 111/tcp open sunrpc
    • 139/tcp open netbios-ssn
    • 873/tcp open rsync
    • 12345/tcp open NetBus
    • Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha
    • Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
  • 17. What else
    • Ping sweep looking for other active machines
    • Do a tracert to understand the network
      • from outside in, there is typically a router and then a firewall just before the destination.
      • Nmap the router and firewall to get their OS
    • War dialing for open modems
  • 18. tracert
  • 19. tracert from outside to .5
  • 20. tracert from outside to .3
  • 21. From outside to .4
  • 22. From outside to .22
  • 23. From outside to .9
  • 24. Vulnerability scanners
  • 25. Red teaming page 90
    • Who is page 91
      • Protection page 92
      • Names in the record are a risk for social engineering
        • Can use a special name, or just initials (A. Wood), to catch anyone who got the name from the record
        • Although this info can be found other ways, remember the easiest way is what most people use
      • Split DNS: one server for external use, giving the minimum information required by the outside world
      • An inside DNS with the other name resolution not required by the outside world.
  • 26. Nslookup
    • Used to get IP address of servers
    • Get range of IPs to explore address spaces
    • Protection
      • You must provide DNS data to be “seen”
      • The less you provide the better.
  • 27. ARIN
    • Gets address range and subnet
    • Protection
      • NAT with private addresses behind the firewall, except for external resources, helps minimize damage
  • 28. Tracert
    • Used to explore and “map” the system
    • routes in (necessary to know for Denial of service)
    • Protection
      • the only way to stop it is to filter the ICMP traffic it depends on (tracert sends ICMP echo requests; Unix traceroute sends UDP probes by default; both need the ICMP Time Exceeded replies from each hop)
      • that disables a lot of “features/functionality”
      • again security versus features/functionality
  • 29. ping
    • Used to find active addresses
    • Run at different times of day
      • used to tell “servers” from “workstations”
      • only works if users turn off their workstations
    • Protection
      • again, with NAT the outside can’t “see” internal addresses
      • ping uses ICMP again, so the same filtering applies
  • 30. port scan and fingerprinting
    • Open ports and operating systems
    • Used to find vulnerabilities
    • Protection
      • firewall only allows traffic on specific ports to specific machines
      • the less info the better: it gives only a limited view
      • IDS
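Added example, not from the slides: Python that parses nmap 3.00 “normal” output of the kind shown on slides 14 and 16, then checks the open ports against a per-host allow-list of the sort slide 30 describes (“firewall only allows traffic on specific ports to specific machines”) and lists the cleartext login services a red team would try first. The scan text is copied from the slides; the allow-list POLICY is an assumption for illustration, not Juniata’s actual firewall rules.

```python
import re
from dataclasses import dataclass, field

# Sample input: the nmap 3.00 runs from slides 14 (mars) and 16 (www), pasted as
# test data. Single-space columns are the slide's layout, not nmap's real alignment.
MARS_SCAN = """\
Interesting ports on mars.juniata.edu (172.16.17.214):
(The 1585 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
111/tcp open sunrpc
515/tcp open printer
2049/tcp open nfs
4045/tcp open lockd
6000/tcp open X11
6112/tcp open dtspc
7100/tcp open font-service
12345/tcp open NetBus
32771/tcp open sometimes-rpc5
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19
Remote operating system guess: Solaris 8 early access beta through actual release
Uptime 37.983 days (since Mon Dec 30 14:26:29 2002)
"""
WWW_SCAN = """\
Interesting ports on www.juniata.edu (172.16.17.209):
(The 1594 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
139/tcp open netbios-ssn
873/tcp open rsync
12345/tcp open NetBus
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\d+(?:\.\d+){3})\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
OS_RE = re.compile(r"^Remote (?:operating system guess|OS guesses): (.+)$")
UPTIME_RE = re.compile(r"^Uptime ([\d.]+) days")

@dataclass
class ScanResult:
    host: str = ""
    ip: str = ""
    ports: list = field(default_factory=list)   # (port, proto, state, service-name)
    os_guesses: list = field(default_factory=list)
    uptime_days: float = 0.0                    # 0.0 when nmap printed no uptime line

def parse_nmap(text):
    """Parse nmap 3.00 'normal' output for a single host."""
    r = ScanResult()
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            r.host, r.ip = m.groups()
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            r.ports.append((int(port), proto, state, service))
        elif m := OS_RE.match(line):
            r.os_guesses = m.group(1).split(", ")   # nmap lists alternatives with ", "
        elif m := UPTIME_RE.match(line):
            r.uptime_days = float(m.group(1))
    return r

def open_ports(r):
    return sorted(p for p, _, state, _ in r.ports if state == "open")

# Assumed allow-list in the spirit of slide 30 ("firewall only allows traffic on
# specific ports to specific machines"). Illustrative, not Juniata's real policy.
POLICY = {
    "172.16.17.214": {22, 25},   # mars: ssh and smtp only
    "172.16.17.209": {22, 80},   # www: ssh and http only
}
CLEARTEXT_LOGIN = {21, 23, 513, 514}   # ftp, telnet, rlogin, rsh

def policy_violations(r, policy=POLICY):
    """Open ports that the per-host allow-list says the firewall should be blocking."""
    allowed = policy.get(r.ip, set())
    return [p for p in open_ports(r) if p not in allowed]

def cleartext_logins(r):
    """Open ports whose protocol sends the login credentials in the clear."""
    return [p for p in open_ports(r) if p in CLEARTEXT_LOGIN]

if __name__ == "__main__":
    for r in map(parse_nmap, (MARS_SCAN, WWW_SCAN)):
        print(f"{r.host} ({r.ip}) OS: {' | '.join(r.os_guesses)} uptime: {r.uptime_days}")
        print("  outside policy:", policy_violations(r), " cleartext logins:", cleartext_logins(r))
```

Two caveats when reading this version of nmap. The Service column is a lookup of the port number in nmap’s nmap-services table, not a probe of what is listening, so “NetBus” on 12345/tcp means only that 12345 is open; service version detection (-sV) did not arrive until nmap 3.45, and with 3.00 you confirm with a banner grab. Splitting the OS line on “, ” is right for the “Remote OS guesses” list but a single guess can itself contain commas (slide 5’s “Windows Millennium Edition (Me), Win 2000, or WinXP”), so do not treat the count of guesses as meaningful.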
  • 31. Information Gathered
    • We now know valid IPs
      • open ports
      • Operating systems
      • map of network (ip of router firewall)
    • Time to discover vulnerabilities and exploit them
    • Use tool, SAINT for example
    • Explore and find vulnerabilities
  • 32. Some other scans of home machines
    • Starting nmap V. 3.00 ( www.insecure.org/nmap )
    • Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    • Insufficient responses for TCP sequencing (0), OS detection may be less accurate
    • Interesting ports on HOME1 (192.168.2.9):
    • (The 1596 ports scanned but not shown below are in state: filtered)
    • Port State Service
    • 21/tcp open ftp
    • 139/tcp open netbios-ssn
    • 389/tcp open ldap
    • 1002/tcp open unknown
    • 1720/tcp open H.323/Q.931
    • Remote OS guesses: AIX v4.2, Linux 1.3.20 (X86), Windows XP Professional RC1+ through final release, Cayman 2E <http://www.cayman.com/>
    • Nmap run completed -- 1 IP address (1 host up) scanned in 413 seconds
  • 33. More open ports
    • Starting nmap V. 3.00 ( www.insecure.org/nmap )
    • Insufficient responses for TCP sequencing (0), OS detection may be less accurate
    • Insufficient responses for TCP sequencing (2), OS detection may be less accurate
    • Interesting ports on thomas-tablet.juniata.edu (192.168.2.52):
    • (The 1590 ports scanned but not shown below are in state: closed)
    • Port State Service
    • 80/tcp open http
    • 135/tcp open loc-srv
    • 139/tcp open netbios-ssn
    • 443/tcp open https
    • 445/tcp open microsoft-ds
    • 1002/tcp open unknown
    • 1025/tcp open NFS-or-IIS
    • 1026/tcp open LSA-or-nterm
    • 1027/tcp open IIS
    • 1720/tcp open H.323/Q.931
    • 5000/tcp open UPnP
  • 34. Of course today's footprinting must include wireless
    • http://www.wellenreiter.net/index.html
  • 35. Wellenreiter is more passive than NetStumbler
  • 36. NetStumbler
  • 37. Want to boost your Antenna?
    • http://mali.geekcorps.org/article.php3?id_article=39
    • Look at HomeToJc in netstumbler
  • 38. Fport