Reconnaissance
By Maroti Deshmukh, 12MCMB02
Agenda
- Introduction
- Reconnaissance techniques
  - Low-Technology Reconnaissance
  - Search the Fine Web
  - Whois Database
  - Domain Name System (DNS)
  - Other techniques

Reconnaissance
- A preliminary survey to gain information.
- Finding as much information about the target as possible before launching the first attack packet.
- Many computer attackers first investigate their target using publicly available information. By conducting determined, methodical reconnaissance, attackers can determine how best to mount their attacks successfully.

Low-Technology Reconnaissance
- Social Engineering
- Physical Break-In
- Dumpster Diving
Social Engineering
- Finding a pretext (false reason) to obtain privileged information or services.
- Social engineering involves an attacker calling employees at the target organization on the phone and fooling them into revealing sensitive information.

Social Engineering
- Defense
  - User awareness. If someone unknown to the user calls on the phone looking to verify computer configurations, passwords, or other sensitive items, the user should not give out the sensitive data, no matter how friendly or urgent the request, without verifying the requestor's identity.

Physical Break-In
- Methods
  - An attacker with physical access to your computer systems might find that a user walked away from a machine while logged in, giving them instant access to accounts and data.
  - Attackers might plant backdoors on your internal systems.
  - Physical access to an Ethernet plug in the wall.

Physical Break-In
- Defense
  - Security badges.
  - Physically lock down servers.
  - Use locks on cabinets containing sensitive information.
  - Use automatic password-protected screen savers.
  - Encrypt stored files.

Dumpster Diving
- Retrieving sensitive information from trash.
- Attackers use dumpster diving to find discarded paper, CDs, DVDs, floppy disks, tapes, and hard drives containing sensitive data.
- Defense
  - Paper and media shredders are the best defense against dumpster diving.
  - Provide a separate trash for sensitive information.
Search the Fine Web (STFW)
- Searching an organization's own web site
- Using search engines
- Listening in at the virtual watering hole: USENET

Searching an Organization's Own Web Site
- Employees' contact information and phone numbers.
- Clues about the corporate culture and language.
- Business partners.
- Server and application platforms in use.

Using Search Engines
- Conduct searches based on organization name, product names, and employee names.
- Retrieve information about the history, current events, and future plans of the target organization.
- Search for links to the target organization with the link: operator (link:www.companyname.com) in a search engine.

Listening in at the Virtual Watering Hole: Usenet
- Posting of questions by employees to technical newsgroups.
- Google newsgroup archive web search engine at http://groups.google.com

Defenses against Web Searches
- An attempt to increase security by keeping elements of a security strategy secret is known as security by obscurity.
- Security policy regarding posting of sensitive information on web sites, newsgroups, and mailing lists.
Whois Databases
- Contain information regarding assignment of Internet addresses, domain names, and individual contacts.
- Internet Corporation for Assigned Names and Numbers (ICANN)
- Complete list of accredited registrars available at www.internic.net/alpha.html
- InterNIC whois database available at www.internic.net/whois.html
- Whois database for organizations outside the United States available at the www.allwhois.com/home.html web site.
Figure 5.2 List of accredited registrars on the InterNIC site
Figure 5.3 Using the InterNIC whois database to find the target's registrar
Figure 5.4 Looking up a domain name at a particular registrar
Figure 5.5 Results of a registrar whois search
Figure 5.6 Searching for IP address assignments in ARIN
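The two-step lookup that Figures 5.3 to 5.5 illustrate (ask the InterNIC registry which registrar holds the domain, then ask that registrar for the record) is shown below as an added Python example; it is not part of the slides or of Counter Hack. It speaks the plain whois protocol (RFC 3912: one line on TCP port 43, read until close) and parses the "Registrar WHOIS Server:" referral line of the thin registry reply. The `transport` argument, the domain example.test and both sample replies are constructed for offline use; the server whois.internic.net is the one the slides name.

```python
import re
import socket

WHOIS_PORT = 43
ROOT_WHOIS = "whois.internic.net"   # InterNIC thin whois, as on the slides


def whois_query(server, query, transport=None):
    """Send one whois request and return the text reply.

    `transport` is an optional callable (server, query) -> str used for
    offline testing; by default a real TCP connection to port 43 is made.
    """
    if transport is not None:
        return transport(server, query)
    with socket.create_connection((server, WHOIS_PORT), timeout=10) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# The thin registry reply names the registrar's own whois server; the label
# appears as "Registrar WHOIS Server" or "Whois Server" depending on registry.
_REFERRAL_RE = re.compile(r"^\s*(?:Registrar )?Whois Server:\s*(\S+)", re.I | re.M)


def parse_referral(text):
    """Return the referral whois server named in a registry reply, or None."""
    m = _REFERRAL_RE.search(text)
    return m.group(1).lower() if m else None


_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.+?)\s*$", re.M)


def parse_fields(text):
    """Collect 'Label: value' lines into a dict of lists (labels can repeat)."""
    fields = {}
    for label, value in _FIELD_RE.findall(text):
        fields.setdefault(label.strip().lower(), []).append(value)
    return fields


def lookup_domain(domain, transport=None):
    """Registry -> registrar lookup, the sequence of Figures 5.3 to 5.5."""
    registry_reply = whois_query(ROOT_WHOIS, domain, transport)
    registrar_server = parse_referral(registry_reply)
    if registrar_server is None:      # no referral: registry record is all we get
        return {"registrar_server": None, "fields": parse_fields(registry_reply)}
    registrar_reply = whois_query(registrar_server, domain, transport)
    return {"registrar_server": registrar_server, "fields": parse_fields(registrar_reply)}


# Constructed sample replies standing in for the two servers (not real data).
SAMPLE_REPLIES = {
    ("whois.internic.net", "example.test"): (
        "   Domain Name: EXAMPLE.TEST\n"
        "   Registrar WHOIS Server: whois.registrar.test\n"
        "   Registrar URL: http://www.registrar.test\n"
    ),
    ("whois.registrar.test", "example.test"): (
        "Domain Name: example.test\n"
        "Registrant Organization: Example Org\n"
        "Admin Email: hostmaster@example.test\n"
        "Name Server: ns1.example.test\n"
        "Name Server: ns2.example.test\n"
    ),
}


def sample_transport(server, query):
    """Offline stand-in for the network: answer from the constructed replies."""
    return SAMPLE_REPLIES[(server, query)]


if __name__ == "__main__":
    result = lookup_domain("example.test", transport=sample_transport)
    print("registrar whois server:", result["registrar_server"])
    for label, values in result["fields"].items():
        print(f"{label}: {', '.join(values)}")
```

Run it as-is and it answers from the embedded sample replies; call `lookup_domain("example.com")` without a transport to go over the network. The parsed fields are exactly the material the "Defenses Against Whois Searches" slide asks you to review on your own records: contact names and addresses that should be accurate but should carry nothing extra.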
Defenses Against Whois Searches
- You must make sure that your registration data is accurate so that the proper person can be contacted without interruption if an incident occurs.
- Make sure there is no extraneous information in your registration records that could be used by an attacker, such as account names for an administrator.

DNS
- DNS is a hierarchical database distributed around the world that stores a variety of information, including IP addresses, domain names, and mail server information.
Figure 5.7 DNS hierarchy
Figure 5.8 Recursive search to resolve a domain name to an IP address
Interrogating DNS Servers
- So how does an attacker get DNS information? First, the attacker needs to determine one or more DNS servers for the target organization.
- Using this DNS server information, an attacker has a variety of tools to choose from for getting DNS information.
- Attackers typically attempt to perform a zone transfer.

Defenses from DNS-based Reconnaissance
- Make sure you aren't leaking additional information through DNS.
- Your domain names should not indicate any machine's operating system type.
- Do not include HINFO or TXT records.
- Restrict zone transfers to secondary DNS servers only.
- Configure the firewall.
- Split-horizon DNS.

Split DNS
- Internal users can resolve both internal and external names.
- External users can only access external names.
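The checklist on the "Defenses from DNS-based Reconnaissance" slide can be turned into a review script a zone owner runs against their own zone file before it is published. The Python below is an added example, not code from the slides or from Counter Hack: it flags HINFO and TXT records, owner names that hint at an operating system, and a BIND `allow-transfer` that is missing or set to `any`, and it shows the weak named.conf setting beside the corrected one that limits transfers to the secondary. The zone for example.test, the two named.conf fragments and the OS_HINTS word list are constructed for the example.

```python
import re

# Constructed sample zone for a fictional domain (not real data). It
# deliberately contains the record types and naming habits the slide warns about.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@           IN  SOA   ns1 hostmaster ( 2024010101 3600 900 604800 300 )
@           IN  NS    ns1
@           IN  NS    ns2
@           IN  MX 10 mail
@           IN  TXT   "Admin contact: jsmith, ext 4321"
ns1         IN  A     192.0.2.1
ns2         IN  A     192.0.2.2
mail        IN  A     192.0.2.10
win2k3-dc   IN  A     192.0.2.20
win2k3-dc   IN  HINFO "Intel" "Windows Server 2003"
solaris-db  IN  A     192.0.2.30
www         IN  A     192.0.2.40
"""

# Constructed named.conf fragments: the weak setting beside the corrected one.
WEAK_NAMED_CONF = "options { allow-transfer { any; }; };\n"
HARDENED_NAMED_CONF = (
    "acl secondaries { 192.0.2.2; };\n"            # ns2, the only legitimate secondary
    "options { allow-transfer { secondaries; }; };\n"
)

# Owner-name fragments that hint at an operating system (illustrative list).
OS_HINTS = ("win2k", "win2003", "winxp", "nt4", "solaris", "linux", "freebsd", "aix", "hpux")

# owner [ttl] [IN] type rdata  (covers the one-line zone-file subset used here)
_RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$")


def lint_zone(zone_text):
    """Return (owner, type, reason) findings for the slide's HINFO/TXT/OS-name checks."""
    findings = []
    os_flagged = set()                       # report an OS-hinting owner name once
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # naive comment stripping
        if not line or line.startswith("$"):   # skip blanks and $ORIGIN/$TTL directives
            continue
        m = _RR_RE.match(line)
        if not m:
            continue
        owner, rtype, _rdata = m.groups()
        if rtype in ("HINFO", "TXT"):
            findings.append((owner, rtype, f"{rtype} record publishes host or contact detail"))
        if owner not in os_flagged:
            lowered = owner.lower()
            for hint in OS_HINTS:
                if hint in lowered:
                    findings.append((owner, rtype, f"owner name hints at OS ({hint})"))
                    os_flagged.add(owner)
                    break
    return findings


_TRANSFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def zone_transfer_open(named_conf):
    """True if allow-transfer lists 'any' or is absent; absence is treated as open
    here because older BIND releases permit transfers to anyone by default."""
    m = _TRANSFER_RE.search(named_conf)
    if m is None:
        return True
    members = [x.strip() for x in m.group(1).split(";") if x.strip()]
    return "any" in members


def report(zone_text, named_conf):
    """Human-readable findings for a zone file plus its named.conf options."""
    lines = [f"{owner} {rtype}: {why}" for owner, rtype, why in lint_zone(zone_text)]
    if zone_transfer_open(named_conf):
        lines.append("allow-transfer: zone transfer is open to any host")
    return lines


if __name__ == "__main__":
    print("weak configuration:")
    print("\n".join(report(SAMPLE_ZONE, WEAK_NAMED_CONF)))
    print("\nhardened configuration:")
    print("\n".join(report(SAMPLE_ZONE, HARDENED_NAMED_CONF)) or "no findings")
```

The split-DNS item on the next slide is a separate design decision (two views of the zone, one answered to internal clients and one to everyone else) and is not something a record-level lint can check; the script only covers what a single published zone exposes. Restricting `allow-transfer` does not hide individual records, so the HINFO, TXT and naming findings stay in the hardened report until the records themselves are removed or renamed.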
Other Techniques
- The first set consists of completely integrated client executables, such as Sam Spade, which are run on an end user's machine and perform recon queries on behalf of that user.
- The second category includes Web-based tools, accessed across the Internet using a Web browser.

General Purpose Reconnaissance GUI Client Tools for MS Windows
- Sam Spade
- CyberKit
- NetScan Tools
- iNetTools

Web-based Reconnaissance Tools: Research and Attack Portals
- An attacker accesses these tools using a browser, typing the target name or IP address into a Web form.
- www.samspade.org
- www.dnsstuff.com
- www.traceroute.org
- www.network-tools.com
- www.cotse.com/refs.htm
- www.securityspace.com
- www.dslreports.com/scan
- www.attackportal.net
References
- Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, by Ed Skoudis
- www.wikipedia.com
- www.securityspace.com
- www.attackportal.net

Thank You…