
CNIT 124: Ch 5: Information Gathering


Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne

Course Web page:

https://samsclass.info/124/124_F17.shtml

Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)

Published in: Education

  1. CNIT 124: Advanced Ethical Hacking Ch 5: Information Gathering
  2. OSINT
     Open Source Intelligence
  3. Useful Info for a Pentest
     • Employees who talk too much: Twitter, Facebook, etc.
     • Archived listservs may have technical questions
     • What software and hardware are they using?
       – Defenses such as firewalls
       – Security problems
       – Extra systems like ActiveMQ
  4. Netcraft
     • Try ccsf.edu
  5. Whois
  6. CCSF.EDU
     • Normal record
     • Informative
     • Compare to kittenwar.com
     • Privacy protections
  7. Whois Limitations
     • Data can be fake or concealed
     • "whois microsoft.com" has a strange result (NSFW) because the lookup matches every name ending in that string, so people have registered joke records that show up alongside the real one
     • Seems to no longer work as of 9-16-17
  8. Whois Limitations
  9. DNS Queries
     • dig samsclass.info
     • dig samsclass.info aaaa
     • dig samsclass.info ns
     • dig samsclass.info soa
     • dig samsclass.info any
  10. Link Ch 5a
  11. Dig at a specific server
     • dig samsclass.info any – 10 records
     • dig @8.8.8.8 samsclass.info any – 18 records
     • dig @coco.ns.cloudflare.com samsclass.info any – 10 records
  12. DNS Cache Snooping Demo
     • Make a new DNS record
     • dig +norecurse @109.69.8.51 test360.samsclass.info
       – Nonrecursive query: shows the record only if it is already in that server's cache
     • dig @109.69.8.51 test360.samsclass.info
       – Recursive query: the server fetches the record and caches it
  13. Find a Public Resolver
     • Link Ch 5d
  14. Nonrecursive Query
     • Server has no data in its cache
     • Doesn't ask other servers (nonrecursive)
     • Finds no answer
       – Command works the same way on Kali Linux and Mac OS X
  15. Recursive Query
     • DNS server asks other servers and finds the record
     • Note its TTL starts at 3600 seconds
  16. Nonrecursive Query
     • Now the data is in the cache
     • This shows that someone has resolved that site on this server recently
  17. Demo: puntCAT Server
     • Cache snooping works simply on a single server
     • Public DNS Servers: Link Ch 5j
  18. Demo: OpenDNS Cluster
     • One recursive query puts it in one cache
     • Cached record observed in 3/12 queries
  19. Demo: OpenDNS Cluster
     • Ten recursive queries put it in more caches
  20. Demo: OpenDNS Cluster
     • Cached record observed in 6/10 queries
  21. Watching TTL Count Down
     • A cached answer's TTL decreases every second it sits in the cache, so the original TTL minus the TTL returned now is roughly how long ago someone resolved the name on that server
  22. Zone Transfers
     • First find SOA
  23. Performing Zone Transfer
  24. University System of Georgia
     • 1038 records
     • Link Ch 5e
  25. Fierce DNS Scanner
     • Included in Kali
     • Attempts a zone transfer
     • Then brute-forces domain names
  26. Fierce on Zonetransfer.me
  27. DNSqueries.com
     • Link Ch 5h
  28. Searching for Email Addresses
  29. theHarvester
     • Searches Google, Bing, and other sources for email addresses
     • Also finds sites hosted at the same IP
  30. Maltego
  31. Port Scanning
  32. Manual Port Scanning
     • Some services show a banner as soon as a connection is made
     • The banner could be deceptive, however
     • Many services, like HTTP and DNS, don't deliver a banner so easily
  33. Nmap SYN Scan
     • -sS switch
     • Sends SYN, listens for SYN/ACK
     • Doesn't complete the handshake; sends a RST instead of the final ACK
  34. Nmap Scan Limitations
     • Nmap is so popular that IDS and IPS systems often detect it
     • They may block the scan entirely, so it returns no results
  35. SYN Scan of Server 2008
     • Took 40 sec.
  36. Version Scan
     • -sV switch
     • Grabs banners to determine version
  37. Version Scan of Windows 2008
     • Took 110 sec.
  38. UDP Scans
     • -sU switch
     • Sends packets to commonly-used UDP ports
     • Packets are valid service requests
     • Servers running on default ports will reply
     • Closed ports return an "ICMP Port Unreachable" packet
     • Cannot tell an open port that doesn't reply from a filtered port (Nmap reports these as "open|filtered")
  39. UDP Scan of Windows 2008
     • Took 1200 sec.
  40. Scanning Specified Ports
     • By default, Nmap scans 1000 "interesting" ports
     • You can specify ports with the -p switch
     • -p 80 will scan one port
     • -p 23,25,80 will scan three ports (no spaces in the list)
     • -p 1-65535 will scan them all (slow)
  41. Nmap Version Scan Crashes Server
     • Rarely happens, but is a possibility
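The cache-snooping slides (12 through 21) show the technique with dig. The script below is an added example, written for this page and not taken from the slides or from Weidman's book: it hand-builds the same query dig sends with +norecurse (Recursion Desired bit cleared), parses the reply, and reads the result the way the slides do, with one refinement: a REFUSED response code is reported separately, because some resolvers reject nonrecursive queries outright rather than answering from cache. The resolver address and the record name passed on the command line are assumptions for illustration; the parser itself works on any single-question reply.

```python
"""DNS cache-snooping probe (added example, not from the slides or Weidman's book).

Same idea as `dig +norecurse @resolver name`: send a query with the
Recursion Desired (RD) bit cleared, so a recursive resolver answers only
from its cache and never goes out to fetch the record.
The resolver and name given in __main__ are assumptions, not real targets.
"""
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
FLAG_RD = 0x0100        # Recursion Desired (set by the client)
FLAG_RA = 0x0080        # Recursion Available (set by the server)
RCODE_REFUSED = 5
TXID = 0x1234           # fixed transaction ID; fine for a single probe


def build_query(name: str, qtype: int = QTYPE_A, txid: int = TXID, recursive: bool = False) -> bytes:
    """Encode a single-question DNS query; recursive=False clears RD (the snoop)."""
    flags = FLAG_RD if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Pull the header fields and the TTL of every answer record out of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)
    return {"id": txid, "rcode": flags & 0x000F, "ra": bool(flags & FLAG_RA),
            "answers": an, "ttls": ttls}


def classify(reply: dict) -> str:
    """Interpret a nonrecursive reply the way the slides read dig's output."""
    if reply["rcode"] == RCODE_REFUSED:
        return "refused"           # server does not serve nonrecursive queries
    if reply["answers"] > 0:
        return "cached"            # someone resolved this name on this server recently
    return "not cached"


def snoop(resolver: str, name: str, timeout: float = 2.0) -> tuple:
    """Send the nonrecursive query over UDP and classify the answer (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != TXID:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    return classify(reply), reply


if __name__ == "__main__":
    # Assumed usage: python3 snoop.py 109.69.8.51 test360.samsclass.info
    verdict, reply = snoop(sys.argv[1], sys.argv[2])
    print(verdict, "remaining TTLs:", reply["ttls"])
```

The TTLs it prints are what slide 21 is watching: a record that was cached with a 3600-second TTL and now shows 3540 was fetched about a minute ago. Against a cluster such as the OpenDNS demo, repeat the probe, since each query may land on a different cache.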
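Slides 32 and 38 make two points that are easy to see in code: a manually grabbed banner is just whatever the service chooses to say, and a UDP port that stays silent cannot be told apart from one behind a filter, while a closed one announces itself with ICMP port unreachable. The following is an added example written for this page, not code from the slides or from Weidman's book: a TCP connect probe that grabs a banner, a UDP probe that returns open, closed, or open|filtered, and constructed loopback listeners so the whole thing runs offline. The banner text and all ports are assumptions. The TCP probe completes the three-way handshake (like nmap -sT), not the half-open SYN scan of slide 33, which needs raw sockets.

```python
"""TCP banner grabbing and UDP open/closed/open|filtered probing (added example,
not from the slides or Weidman's book).

The local listeners below are constructed so the probes can be run against
127.0.0.1 offline; the banner string and every port are assumptions.
"""
import socket
import threading
from typing import Optional


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> tuple:
    """Connect scan (full handshake), then wait briefly for a banner.

    Returns (state, banner). The banner is whatever the service volunteers and
    can be faked by the admin, so treat it as a hint, not proof of a version.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""          # open but silent, as HTTP and DNS usually are
            return "open", banner
    except ConnectionRefusedError:    # RST came back: nothing listening
        return "closed", b""
    except OSError:                   # timeout / unreachable: dropped by a filter
        return "filtered", b""


def udp_probe(host: str, port: int, payload: bytes = b"", timeout: float = 2.0) -> tuple:
    """UDP probe: a reply means open, ICMP port unreachable means closed,
    silence means open|filtered (exactly the ambiguity slide 38 describes)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket: the ICMP error is raised on recv
        s.send(payload)
        try:
            return "open", s.recv(512)
        except ConnectionRefusedError:
            return "closed", b""
        except socket.timeout:
            return "open|filtered", b""


# --- constructed loopback services so the probes can be exercised offline ---

def start_tcp_banner_server(banner: bytes) -> int:
    """Listen on a random loopback port and push `banner` to every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_udp_server(reply: Optional[bytes]) -> int:
    """Listen on a random loopback UDP port; reply=None models a service that never answers."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(512)
            except OSError:
                return
            if reply is not None:
                srv.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _free_port(kind: int) -> int:
    """Grab and release an unused loopback port so we have a known-closed port."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def free_tcp_port() -> int:
    return _free_port(socket.SOCK_STREAM)


def free_udp_port() -> int:
    return _free_port(socket.SOCK_DGRAM)


if __name__ == "__main__":
    tcp = start_tcp_banner_server(b"220 mail.example.test ESMTP\r\n")  # constructed banner
    print("tcp listener ->", tcp_probe("127.0.0.1", tcp))
    print("tcp closed   ->", tcp_probe("127.0.0.1", free_tcp_port()))
    print("udp replies  ->", udp_probe("127.0.0.1", start_udp_server(b"pong"), b"ping", 1.0))
    print("udp silent   ->", udp_probe("127.0.0.1", start_udp_server(None), b"ping", 1.0))
    print("udp closed   ->", udp_probe("127.0.0.1", free_udp_port(), b"ping", 1.0))
```

The "udp silent" line is the one to remember: the listener is really there, yet the probe can only say open|filtered. Nmap works around this by sending protocol-specific payloads to well-known ports (the "valid service requests" of slide 38), which is why a real UDP scan takes so much longer than a SYN scan. Whether the closed-port case shows "closed" depends on the host delivering the ICMP port unreachable message to the socket; if it is suppressed, that port also reads as open|filtered.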