SlideShare a Scribd company logo

Dafgjgghhghfhjgghjhgy06-Footprinting.pptx

Download as PPTX, PDF
A
AlfredObia1

Hugh

Technology
1 of 34
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail
All materials is licensed under a Creative Commons “Share Alike” license. • http://creativecommons.org/licenses/by-sa/3.0/ 2
# whoami • Ali Al-Shemery • Ph.D., MS.c., and BS.c., Jordan • More than 14 years of Technical Background (mainly Linux/Unix and Infosec) • Technical Instructor for more than 10 years (Infosec, and Linux Courses) • Hold more than 15 well known Technical Certificates • Infosec & Linux are my main Interests 3
Footprinting Walking the trails to a target
Outline • External Footprinting – Identify External Ranges – Passive, and Active • Internal Footprinting – Identify Internal Ranges – Passive, and Active 5
External Footprinting
Identify Customer External Ranges • The major goals of intelligence gathering during a penetration test is to determine hosts which will be in scope. • Common techniques to identify: – WHOIS searches on the domains and the ranges – reverse DNS lookups – DNS brute forcing 7
Passive Recon - WHOIS Lookups • Determine TLD for the domain, and which WHOIS server contains the information we're after. • WHOIS information is based upon a tree hierarchy. • ICANN (IANA) is the authoritative registry for all of the TLDs. • Middle East WHOIS lookup (registrar): RIPE NCC, http://www.ripe.net/lir-services/member- support/info/list-of-members/mideast • DEMO (whois) 8
Passive Recon - NetCraft • Internet monitoring company that monitors uptimes and provides server operating system detection. • Site Report returns information such as: – IP address – Name servers – Reverse DNS – Netblock owner – DNS admin – Domain registry • DEMO 9
Passive Recon - URL(s) • Extract list of URLs from a web page – list-urls.py • Search for files in a domain – goofile.py – FOCA • DEMO 10
Online Tools • Central Ops, http://centralops.net/ • Wayback Machine: http://archive.org/ • Zone-h Defacement Archive, http://zone-h.org/ • Domain Tools, http://www.domaintools.com/ • DNS Stuff, http://www.dnsstuff.com • MX Toolbox, http://mxtoolbox.com • RIPE, http://www.ripe.net/data-tools/db • WHOIS, http://www.whois.com/whois/ • WHOIS, http://www.whois.sc/ • What Is My IP, http://www.whatismyip.com/ • InterNIC, http://www.internic.net/ 11
Google for Pentesting • Check Johnny Long’s presentation @Blackhat … • Google Dorks, http://www.exploit- db.com/google-dorks/ • Google Hacking Database (GHDB), http://www.hackersforcharity.org/ghdb • Assignment #1: Write about 10 Google Dorks. 12
ShodanHQ • ShodanHQ.com is a computer search engine. • Examining the response of the devices it contacts on the Internet. Information gathered such as: – Target OS, Web server software version – Checks if default user/pass are being used – Can identify webcam, firewalls, and VoIP devices – Can identify network printers • Need Help? www.shodanhq.com/browse • Registration is required to make the most effective use of the site. 13
Active Footprinting • Port Scanning – Next Week 14
DNS Discovery • Performed by looking at the WHOIS records for the domain's authoritative nameserver. • Variations of the main domain name should be checked, and the website should be checked for references to other domains which could be under the target's control. 15
DNS Discovery – DNS Types • A Host’s IP address. • MX Host/domain’s mail exchanger(s) • NS Host or domain’s name server(s) • CNAME Host’s canonical name allowing additional names or aliases • SOA Authority for the domain • SRV Service location record often used with Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) • RP Responsible person • PTR Pointer to a canonical name, used for reverse lookups 16
Zone Transfers • DNS zone transfer, also known as AXFR, is a type of DNS transaction. • It is a mechanism designed to replicate the databases containing the DNS data across a set of DNS servers. • Zone transfer comes in two flavors, full (AXFR) and incremental (IXFR). • Tools commonly used: host, dig, and nmap • DEMO 17
Reverse DNS • Reverse DNS can be used to obtain valid server names in use within an organizational. • There is a caveat that it must have a PTR (reverse) DNS record for it to resolve a name from a provided IP address. 18
Forward DNS • Some call it “DNS Bruteforcing” • Not only zone transfers! • Discover additional host names that are not commonly known. – fierce.pl – dnsenum.pl – dnsrecon.py • DEMO 19
SMTP • SMTP bounce back, also called a Non-Delivery Report/Receipt (NDR), a (failed) Delivery Status Notification (DSN) message, a Non-Delivery Notification (NDN) or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another message about a delivery problem. • Done by simply creating a bogus address (Blah_blah_address@target.com) within the target's domain. 20
SMTP – Tools • SMTP User Enumerator, smtp-user-enum – smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1 • SMTP Scan, smtpscan • SMTP Relay Checker, smtprc • Swiss Army Knife for SMTP, swaks • Nmap NSE script, smtp-enum-users.nse • DEMO (Online Central Ops): – Central Ops (Email Dossier), http://centralops.net/co/ – Manually 21
Banner Grabbing • An enumeration technique used to glean information about computer systems on a network and the services running its open ports. • Banner grabbing is used to identify network the version of applications and operating system that the target host are running. • Usually performed on: HTTP, FTP, and SMTP • Tools commonly used: Telnet, Nmap, and Netcat 22
SNMP Sweeps • SNMP offer tons of information about a specific system. • The SNMP protocol is a stateless, datagram oriented protocol. • Unfortunately SNMP servers don't respond to requests with invalid community strings and the underlying UDP protocol does not reliably report closed UDP ports. This means that "no response" from a probed IP address can mean either of the following: – machine unreachable – SNMP server not running – invalid community string – the response datagram has not yet arrived 23
Web Application Discovery • Identifying weak web applications can be a particularly fruitful activity during a penetration test. • More on this when we reach Web Penetration Testing 24
Virtual Host Detection & Enumeration • Web servers often host multiple "virtual" hosts to consolidate functionality on a single server. • If multiple servers point to the same DNS address, they may be hosted on the same server. • Tools such as Bing search can be used to map an IP address to a set of virtual hosts. 25
Establish External Target List • Once the activities above have been completed, a list of users, emails, domains, applications, hosts and services should be compiled. – Mapping versions – Identifying patch levels – Looking for weak web applications – Identify lockout threshold – Error Based – Identify weak ports for attack – Outdated Systems – Virtualization platforms vs VMs – Storage infrastructure 26
Internal Footprinting
Passive Footprinting • If the tester has access to the internal network, packet sniffing can provide a great deal of information. • Use techniques like those implemented in p0f to identify systems. # p0f –o cap.txt -i eth0 -M -V -v -p -t 28
Identify Customer Internal Ranges • Start by identifying the local subnet, then modify slightly to reach other subnets. • Check routing tables of hosts. • Most popular technique used is checking DHCP servers. 29
Active Footprinting • We can perform all the external active footprinting techniques here. Port Scanning: • Internal port scanning differs from external port scanning, because of the higher bandwidth available, and the ability to get more accurate response. Next Week 30
? • Countermeasure • Mitigation • Remediation 31
Assingment(s) Assignment #2: • Gathering information about a website from Google cache, is it an Active or Passive Recon? Assignment #3: • Choose a target that you have permission to, maybe yourself and try to gather as much information found publicly as you can. Write a report about that. 32
SUMMARY • We saw what is intelligence gathering • The OSINT three • What corporate info to gather • What individual info to gather • Understood the covert gathering types • What is footprinting • Difference between active and passive footprinting • Main external and internal footprinting information resources • How to use Google when performing intelligence gathering • Discusses mitigation to footprinting 33
References • Effective meetings, http://www.businessandthegeek.com/?p=112 • Penetration Testing Standards, http://www.pentest-standard.org/ • FOCA, http://www.informatica64.com/foca/ • Foundstone, • Johnny Long, Blackhat, Google Hacking for Penetration Testers, • Exploit-DB, Google Dorks, • NetGlub, • Paterva Maltego, • WHOIS lookup references – ICANN - http://www.icann.org – IANA - http://www.iana.com – NRO - http://www.nro.net – AFRINIC - http://www.afrinic.net – APNIC - http://www.apnic.net – ARIN - http://ws.arin.net – LACNIC - http://www.lacnic.net – RIPE - http://www.ripe.net , RIPE NCC • SensePost BiLE Suite, http://www.sensepost.com/labs/tools/misc • List of DNS Record Types, http://en.wikipedia.org/wiki/List_of_DNS_record_types 34

Recommended

Subdomain Enumeration
Subdomain EnumerationSubdomain Enumeration
Subdomain EnumerationAkshayPandurangi
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringSam Bowne
 
CNIT 123: Ch 4: Footprinting and Social Engineering
CNIT 123: Ch 4: Footprinting and Social EngineeringCNIT 123: Ch 4: Footprinting and Social Engineering
CNIT 123: Ch 4: Footprinting and Social EngineeringSam Bowne
 
Malicious Domain Profiling
Malicious Domain Profiling Malicious Domain Profiling
Malicious Domain Profiling E Hacking
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Responsepm123008
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMPShaikh Jamal Uddin l CISM, QRadar, Hack Card Recovery Expert
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 

Recommended

Subdomain Enumeration
Subdomain EnumerationSubdomain Enumeration
Subdomain EnumerationAkshayPandurangi
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringSam Bowne
 
CNIT 123: Ch 4: Footprinting and Social Engineering
CNIT 123: Ch 4: Footprinting and Social EngineeringCNIT 123: Ch 4: Footprinting and Social Engineering
CNIT 123: Ch 4: Footprinting and Social EngineeringSam Bowne
 
Malicious Domain Profiling
Malicious Domain Profiling Malicious Domain Profiling
Malicious Domain Profiling E Hacking
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Responsepm123008
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMPShaikh Jamal Uddin l CISM, QRadar, Hack Card Recovery Expert
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Cyber Security Project : Comprehensive Vulnerability Analysis Report.pptx
Cyber Security Project : Comprehensive Vulnerability Analysis Report.pptxCyber Security Project : Comprehensive Vulnerability Analysis Report.pptx
Cyber Security Project : Comprehensive Vulnerability Analysis Report.pptxBoston Institute of Analytics
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51martinvoelk
 
lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptxLlobarro2
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020n|u - The Open Security Community
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Brandon Arvanaghi
 
Troubleshooting Network and Network Utilities
Troubleshooting Network and Network UtilitiesTroubleshooting Network and Network Utilities
Troubleshooting Network and Network UtilitiesRubal Sagwal
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunickamiable_indian
 
Harden Security Devices Against Increasingly Sophisticated Evasions
Harden Security Devices Against Increasingly Sophisticated EvasionsHarden Security Devices Against Increasingly Sophisticated Evasions
Harden Security Devices Against Increasingly Sophisticated EvasionsIxia
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...EC-Council
 
Computer Network Part 1
Computer Network Part 1Computer Network Part 1
Computer Network Part 1Jayaseelan Vejayon
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly BrokenThe Security of Things Forum
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and SecurityAPNIC
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

More Related Content

Similar to Dafgjgghhghfhjgghjhgy06-Footprinting.pptx

Cyber Security Project : Comprehensive Vulnerability Analysis Report.pptx
Cyber Security Project : Comprehensive Vulnerability Analysis Report.pptxCyber Security Project : Comprehensive Vulnerability Analysis Report.pptx
Cyber Security Project : Comprehensive Vulnerability Analysis Report.pptxBoston Institute of Analytics
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51martinvoelk
 
lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptxLlobarro2
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Brandon Arvanaghi
 
Troubleshooting Network and Network Utilities
Troubleshooting Network and Network UtilitiesTroubleshooting Network and Network Utilities
Troubleshooting Network and Network UtilitiesRubal Sagwal
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunickamiable_indian
 
Harden Security Devices Against Increasingly Sophisticated Evasions
Harden Security Devices Against Increasingly Sophisticated EvasionsHarden Security Devices Against Increasingly Sophisticated Evasions
Harden Security Devices Against Increasingly Sophisticated EvasionsIxia
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...EC-Council
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and SecurityAPNIC
 

Similar to Dafgjgghhghfhjgghjhgy06-Footprinting.pptx (20)

Cyber Security Project : Comprehensive Vulnerability Analysis Report.pptx
Cyber Security Project : Comprehensive Vulnerability Analysis Report.pptxCyber Security Project : Comprehensive Vulnerability Analysis Report.pptx
Cyber Security Project : Comprehensive Vulnerability Analysis Report.pptx
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration tools
 
Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51
 
lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptx
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
Troubleshooting Network and Network Utilities
Troubleshooting Network and Network UtilitiesTroubleshooting Network and Network Utilities
Troubleshooting Network and Network Utilities
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunick
 
Harden Security Devices Against Increasingly Sophisticated Evasions
Harden Security Devices Against Increasingly Sophisticated EvasionsHarden Security Devices Against Increasingly Sophisticated Evasions
Harden Security Devices Against Increasingly Sophisticated Evasions
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
 
Computer Network Part 1
Computer Network Part 1Computer Network Part 1
Computer Network Part 1
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and Security
 

Recently uploaded

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Dafgjgghhghfhjgghjhgy06-Footprinting.pptx

  • 1. Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail
  • 2. All materials is licensed under a Creative Commons “Share Alike” license. • http://creativecommons.org/licenses/by-sa/3.0/ 2
  • 3. # whoami • Ali Al-Shemery • Ph.D., MS.c., and BS.c., Jordan • More than 14 years of Technical Background (mainly Linux/Unix and Infosec) • Technical Instructor for more than 10 years (Infosec, and Linux Courses) • Hold more than 15 well known Technical Certificates • Infosec & Linux are my main Interests 3
  • 5. Outline • External Footprinting – Identify External Ranges – Passive, and Active • Internal Footprinting – Identify Internal Ranges – Passive, and Active 5
  • 7. Identify Customer External Ranges • The major goals of intelligence gathering during a penetration test is to determine hosts which will be in scope. • Common techniques to identify: – WHOIS searches on the domains and the ranges – reverse DNS lookups – DNS brute forcing 7
  • 8. Passive Recon - WHOIS Lookups • Determine TLD for the domain, and which WHOIS server contains the information we're after. • WHOIS information is based upon a tree hierarchy. • ICANN (IANA) is the authoritative registry for all of the TLDs. • Middle East WHOIS lookup (registrar): RIPE NCC, http://www.ripe.net/lir-services/member- support/info/list-of-members/mideast • DEMO (whois) 8
  • 9. Passive Recon - NetCraft • Internet monitoring company that monitors uptimes and provides server operating system detection. • Site Report returns information such as: – IP address – Name servers – Reverse DNS – Netblock owner – DNS admin – Domain registry • DEMO 9
  • 10. Passive Recon - URL(s) • Extract list of URLs from a web page – list-urls.py • Search for files in a domain – goofile.py – FOCA • DEMO 10
  • 11. Online Tools • Central Ops, http://centralops.net/ • Wayback Machine: http://archive.org/ • Zone-h Defacement Archive, http://zone-h.org/ • Domain Tools, http://www.domaintools.com/ • DNS Stuff, http://www.dnsstuff.com • MX Toolbox, http://mxtoolbox.com • RIPE, http://www.ripe.net/data-tools/db • WHOIS, http://www.whois.com/whois/ • WHOIS, http://www.whois.sc/ • What Is My IP, http://www.whatismyip.com/ • InterNIC, http://www.internic.net/ 11
  • 12. Google for Pentesting • Check Johnny Long’s presentation @Blackhat … • Google Dorks, http://www.exploit- db.com/google-dorks/ • Google Hacking Database (GHDB), http://www.hackersforcharity.org/ghdb • Assignment #1: Write about 10 Google Dorks. 12
  • 13. ShodanHQ • ShodanHQ.com is a computer search engine. • Examining the response of the devices it contacts on the Internet. Information gathered such as: – Target OS, Web server software version – Checks if default user/pass are being used – Can identify webcam, firewalls, and VoIP devices – Can identify network printers • Need Help? www.shodanhq.com/browse • Registration is required to make the most effective use of the site. 13
  • 14. Active Footprinting • Port Scanning – Next Week 14
  • 15. DNS Discovery • Performed by looking at the WHOIS records for the domain's authoritative nameserver. • Variations of the main domain name should be checked, and the website should be checked for references to other domains which could be under the target's control. 15
  • 16. DNS Discovery – DNS Types • A Host’s IP address. • MX Host/domain’s mail exchanger(s) • NS Host or domain’s name server(s) • CNAME Host’s canonical name allowing additional names or aliases • SOA Authority for the domain • SRV Service location record often used with Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) • RP Responsible person • PTR Pointer to a canonical name, used for reverse lookups 16
  • 17. Zone Transfers • DNS zone transfer, also known as AXFR, is a type of DNS transaction. • It is a mechanism designed to replicate the databases containing the DNS data across a set of DNS servers. • Zone transfer comes in two flavors, full (AXFR) and incremental (IXFR). • Tools commonly used: host, dig, and nmap • DEMO 17
  • 18. Reverse DNS • Reverse DNS can be used to obtain valid server names in use within an organizational. • There is a caveat that it must have a PTR (reverse) DNS record for it to resolve a name from a provided IP address. 18
  • 19. Forward DNS • Some call it “DNS Bruteforcing” • Not only zone transfers! • Discover additional host names that are not commonly known. – fierce.pl – dnsenum.pl – dnsrecon.py • DEMO 19
  • 20. SMTP • SMTP bounce back, also called a Non-Delivery Report/Receipt (NDR), a (failed) Delivery Status Notification (DSN) message, a Non-Delivery Notification (NDN) or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another message about a delivery problem. • Done by simply creating a bogus address (Blah_blah_address@target.com) within the target's domain. 20
  • 21. SMTP – Tools • SMTP User Enumerator, smtp-user-enum – smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1 • SMTP Scan, smtpscan • SMTP Relay Checker, smtprc • Swiss Army Knife for SMTP, swaks • Nmap NSE script, smtp-enum-users.nse • DEMO (Online Central Ops): – Central Ops (Email Dossier), http://centralops.net/co/ – Manually 21
  • 22. Banner Grabbing • An enumeration technique used to glean information about computer systems on a network and the services running its open ports. • Banner grabbing is used to identify network the version of applications and operating system that the target host are running. • Usually performed on: HTTP, FTP, and SMTP • Tools commonly used: Telnet, Nmap, and Netcat 22
  • 23. SNMP Sweeps • SNMP offer tons of information about a specific system. • The SNMP protocol is a stateless, datagram oriented protocol. • Unfortunately SNMP servers don't respond to requests with invalid community strings and the underlying UDP protocol does not reliably report closed UDP ports. This means that "no response" from a probed IP address can mean either of the following: – machine unreachable – SNMP server not running – invalid community string – the response datagram has not yet arrived 23
  • 24. Web Application Discovery • Identifying weak web applications can be a particularly fruitful activity during a penetration test. • More on this when we reach Web Penetration Testing 24
  • 25. Virtual Host Detection & Enumeration • Web servers often host multiple "virtual" hosts to consolidate functionality on a single server. • If multiple servers point to the same DNS address, they may be hosted on the same server. • Tools such as Bing search can be used to map an IP address to a set of virtual hosts. 25
  • 26. Establish External Target List • Once the activities above have been completed, a list of users, emails, domains, applications, hosts and services should be compiled. – Mapping versions – Identifying patch levels – Looking for weak web applications – Identify lockout threshold – Error Based – Identify weak ports for attack – Outdated Systems – Virtualization platforms vs VMs – Storage infrastructure 26
  • 28. Passive Footprinting • If the tester has access to the internal network, packet sniffing can provide a great deal of information. • Use techniques like those implemented in p0f to identify systems. # p0f –o cap.txt -i eth0 -M -V -v -p -t 28
  • 29. Identify Customer Internal Ranges • Start by identifying the local subnet, then modify slightly to reach other subnets. • Check routing tables of hosts. • Most popular technique used is checking DHCP servers. 29
  • 30. Active Footprinting • We can perform all the external active footprinting techniques here. Port Scanning: • Internal port scanning differs from external port scanning, because of the higher bandwidth available, and the ability to get more accurate response. Next Week 30
  • 32. Assingment(s) Assignment #2: • Gathering information about a website from Google cache, is it an Active or Passive Recon? Assignment #3: • Choose a target that you have permission to, maybe yourself and try to gather as much information found publicly as you can. Write a report about that. 32
  • 33. SUMMARY • We saw what is intelligence gathering • The OSINT three • What corporate info to gather • What individual info to gather • Understood the covert gathering types • What is footprinting • Difference between active and passive footprinting • Main external and internal footprinting information resources • How to use Google when performing intelligence gathering • Discusses mitigation to footprinting 33
  • 34. References • Effective meetings, http://www.businessandthegeek.com/?p=112 • Penetration Testing Standards, http://www.pentest-standard.org/ • FOCA, http://www.informatica64.com/foca/ • Foundstone, • Johnny Long, Blackhat, Google Hacking for Penetration Testers, • Exploit-DB, Google Dorks, • NetGlub, • Paterva Maltego, • WHOIS lookup references – ICANN - http://www.icann.org – IANA - http://www.iana.com – NRO - http://www.nro.net – AFRINIC - http://www.afrinic.net – APNIC - http://www.apnic.net – ARIN - http://ws.arin.net – LACNIC - http://www.lacnic.net – RIPE - http://www.ripe.net , RIPE NCC • SensePost BiLE Suite, http://www.sensepost.com/labs/tools/misc • List of DNS Record Types, http://en.wikipedia.org/wiki/List_of_DNS_record_types 34