CNIT 124: Ch 5: Information Gathering

Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne

Course Web page:

https://samsclass.info/124/124_F17.shtml

Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)

Published in: Education

1. CNIT 124: Advanced Ethical Hacking, Ch 5: Information Gathering
2. OSINT: Open Source Intelligence
3. Useful Info for a Pentest
   • Employees who talk too much
     – Twitter, Facebook, etc.
   • Archived listservs may have technical questions
   • What software and hardware are they using?
     – Defenses such as firewalls
     – Security problems
     – Extra systems like ActiveMQ
4. Netcraft
   • Try ccsf.edu
5. Whois
6. CCSF.EDU
   • Normal record
   • Informative
   • Compare to kittenwar.com
   • Privacy protections
7. Whois Limitations
   • Data can be fake or concealed
   • "whois microsoft.com" has a strange result (NSFW) because it searches the whole FQDN, so people have added joke records
   • Seems to no longer work as of 9-16-17
8. Whois Limitations
9. DNS Queries
   • dig samsclass.info
   • dig samsclass.info aaaa
   • dig samsclass.info ns
   • dig samsclass.info soa
   • dig samsclass.info any
10. Link Ch 5a
11. Dig at a specific server
   • dig samsclass.info any
     – 10 records
   • dig @8.8.8.8 samsclass.info any
     – 18 records
   • dig @coco.ns.cloudflare.com samsclass.info any
     – 10 records
12. DNS Cache Snooping Demo
   • Make a new DNS record
   • dig +norecurse @109.69.8.51 test360.samsclass.info
   • Shows the record, if it's in the cache
   • dig @109.69.8.51 test360.samsclass.info
   • Caches the record
13. Find a Public Resolver
   • Link Ch 5d
14. Nonrecursive Query
   • Server has no data in its cache
   • Doesn't ask other servers (nonrecursive)
   • Finds no answer
     – Command works the same way on Kali Linux and Mac OS X
15. Recursive Query
   • DNS server asks other servers and finds the record
   • Note its TTL starts at 3600 seconds
16. Nonrecursive Query
   • Now the data is in the cache
   • This shows that someone has resolved that site on this server recently
17. Demo: puntCAT Server
   • Cache Snooping works simply on a single server
   • Public DNS Servers: Link Ch 5j
18. Demo: OpenDNS Cluster
   • One recursive query puts it in one cache
   • Cached record observed in 3/12 queries
19. Demo: OpenDNS Cluster
   • Ten recursive queries put it in more caches
20. Demo: OpenDNS Cluster
   • Cached record observed in 6/10 queries
21. Watching TTL Count Down
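The cache-snooping demo on slides 12 to 21 in code, as an added example (not code from the slides, from dig, or from any resolver): build_query() produces the message that "dig +norecurse" sends (the RD flag cleared), and parse_response() plus cache_verdict() read a reply the way the demo interprets it, treating a present answer as "cached" and the gap below the 3600-second start TTL as the record's age. The resolver replies are constructed test data; the record name and the 3600 s TTL come from the slides, the answer address 192.0.2.1 and transaction id are made up.

```python
import struct

# Added example (not code from the slides or from dig). Replies are constructed
# test data: record name and 3600 s start TTL are from the slides, the IP
# 192.0.2.1 is a documentation address chosen here.
def build_query(name, recursion_desired, txid=0x1234):
    """DNS A query. RD=0 (nonrecursive) asks the resolver to answer from
    its cache only and not query other servers (the +norecurse case)."""
    flags = 0x0100 if recursion_desired else 0x0000
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", 1, 1))   # QTYPE A, QCLASS IN

def _skip_name(msg, off):
    """Advance past a domain name, compressed (2-byte pointer) or not."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rd, ra, [(ttl, rdata), ...]) from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        _, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return bool(flags & 0x0100), bool(flags & 0x0080), answers

def cache_verdict(answers, original_ttl=3600):
    """An answer to a nonrecursive query means the record was cached; zone
    TTL minus observed TTL is roughly how long ago it was looked up."""
    if not answers:
        return {"cached": False}
    return {"cached": True, "age_seconds": original_ttl - answers[0][0]}

def constructed_reply(query, ttl=None):
    """Fake resolver reply (test data): one A answer with the given TTL, or
    an empty answer section when ttl is None, i.e. a cache miss."""
    flags = 0x8080 | ((query[2] & 0x01) << 8)   # QR=1, RA=1, RD echoed back
    answer = b"" if ttl is None else (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
                                      + bytes([192, 0, 2, 1]))
    return (query[:2] + struct.pack("!HHHHH", flags, 1, int(ttl is not None), 0, 0)
            + query[12:] + answer)
```

The same parser works on the TTL-countdown slide: repeated nonrecursive queries return a shrinking TTL, and a resolver operator can spot snooping by logging how often RD=0 queries arrive.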
22. Zone Transfers
   • First find SOA
23. Performing Zone Transfer
24. University System of Georgia
   • 1038 records
   • Link Ch 5e
25. Fierce DNS Scanner
   • Included in Kali
   • Attempts a zone transfer
   • Then brute-forces domain names
26. Fierce on Zonetransfer.me
27. DNSqueries.com
   • Link Ch 5h
28. Searching for Email Addresses
29. theHarvester
   • Searches Google, Bing, and other sources for email addresses
   • Also finds sites hosted at the same IP
30. Maltego
31. Port Scanning
32. Manual Port Scanning
   • Some services show a banner as soon as a connection is made
   • The banner could be deceptive, however
   • Many services, like HTTP and DNS, don't deliver a banner so easily
33. Nmap SYN Scan
   • -sS switch
   • Sends SYN, listens for SYN/ACK
   • Doesn't complete the handshake, just sends a RST
34. Nmap Scan Limitations
   • Nmap is so popular, IDS and IPS systems often detect it
   • They may block all results
35. SYN Scan of Server 2008
   • Took 40 sec.
36. Version Scan
   • -sV switch
   • Grabs banners to determine version
37. Version Scan of Windows 2008
   • Took 110 sec.
38. UDP Scans
   • -sU switch
   • Sends packets to commonly-used UDP ports
   • Packets are valid service requests
   • Servers running on default ports will reply
   • Closed ports return an "ICMP Unreachable" packet
   • Cannot tell an open port that doesn't reply from a filtered port
39. UDP Scan of Windows 2008
   • Took 1200 sec.
40. Scanning Specified Ports
   • By default, Nmap scans 1000 "interesting" ports
   • You can specify ports with the -p switch
   • -p 80 will scan one port
   • -p 23,25,80 will scan three ports
   • -p 1-65535 will scan them all (slow)
41. Nmap Version Scan Crashes Server
   • Rarely happens, but is a possibility
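Slides 33 and 34 say the SYN scan pattern is easy for an IDS to spot. The added example below (not code from the slides or from nmap) shows why: a detector that groups packets by source and destination and flags a source that sent bare SYNs to many ports but completed the three-way handshake on almost none of them, which is exactly the "SYN, SYN/ACK, then RST" behaviour of -sS. The packet records are constructed test traffic using RFC 5737 documentation addresses; the tuple layout and the 20-port threshold are choices made here.

```python
from collections import defaultdict

# Added example, not from the slides or from nmap: an IDS-style check for the
# -sS pattern (bare SYN to many ports, handshake never completed). Packet
# records are (src, dst, sport, dport, tcp_flags) tuples built below as
# constructed test traffic using RFC 5737 documentation addresses.
def detect_syn_scans(packets, min_ports=20):
    """Flag (src, dst) pairs that sent bare SYNs to many distinct ports yet sent
    a plain ACK (third handshake step) on at most a tenth of them."""
    syns, acks = defaultdict(set), defaultdict(set)
    for src, dst, sport, dport, flags in packets:
        if flags == "S":            # first handshake step, or a SYN-scan probe
            syns[(src, dst)].add(dport)
        elif flags == "A":          # third step: only a real client sends this
            acks[(src, dst)].add(dport)
    alerts = []
    for pair, ports in sorted(syns.items()):
        completed = ports & acks.get(pair, set())
        if len(ports) >= min_ports and len(completed) <= len(ports) // 10:
            alerts.append((pair[0], pair[1], len(ports), len(completed)))
    return alerts

def constructed_traffic():
    """Constructed packets: one SYN scan of ports 1-100 (22 and 80 open) plus one
    ordinary client that completes two handshakes with the same server."""
    scanner, client, server = "198.51.100.7", "198.51.100.8", "203.0.113.10"
    pkts = []
    for p in range(1, 101):
        pkts.append((scanner, server, 40000 + p, p, "S"))
        if p in (22, 80):
            pkts.append((server, scanner, p, 40000 + p, "SA"))  # open: SYN/ACK
            pkts.append((scanner, server, 40000 + p, p, "R"))   # scanner sends RST
        else:
            pkts.append((server, scanner, p, 40000 + p, "RA"))  # closed: RST/ACK
    for p in (80, 443):
        pkts += [(client, server, 50000 + p, p, "S"),
                 (server, client, p, 50000 + p, "SA"),
                 (client, server, 50000 + p, p, "A")]
    return pkts

if __name__ == "__main__":
    for src, dst, probed, done in detect_syn_scans(constructed_traffic()):
        print(f"possible SYN scan: {src} -> {dst}, {probed} ports probed, {done} completed")
```

On real traffic the same logic needs a time window and an allow-list for known monitoring hosts, otherwise a busy legitimate client can trip it.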
