2. 2
Intelligence Gathering Techniques
3 Major Steps
Foot Printing
Scanning
Enumeration
Similar to Military
Gather information on the target
Analyze weaknesses
Construct and launch attack
8. 8
Footprinting
Footprinting is the ability to obtain essential information about an
organization. Commonly called network reconnaissance.
Result Gather information includes:
–The technologies that are being used such as, Internet, Intranet, Remote Access and the
Extranet.
–To explored the security policies and procedures
–take an unknown quality and reduce it
–Take a specific range of domain names, network blocks and individual IP addresses of a
system that is directly connected to the Internet
This is done by employing various computer security techniques, as:
• DNS queries nslookup, dig, Zone Transfer
• Network enumeration
• Network queries
• Operating system identification
• Organizational queries
When used in the computer security lexicon, "footprinting" generally refers to
one of the pre-attack phases; tasks performed prior to doing the actual
attack. Some of the tools used for footprinting areSam
Spade, nslookup, traceroute, Nmap and neotrace.
• Ping sweeps
• Point of contact queries
• Port Scanning
• Registrar queries (WHOIS queries)
• SNMP queries
• World Wide Web spidering
11. 11
Information to Gather
Attacker’s point of view
Identify potential target systems
Identify which types of attacks may be useful on target systems
Defender’s point of view
Know available tools
May be able to tell if system is being footprinted, be more prepared for
possible attack
Vulnerability analysis: know what information you’re giving away, what
weaknesses you have
14. 14
Tools - Linux
Some basic Linux tools - lower level utilities
Local System
hostname
ifconfig
who, last
Remote Systems
ping
traceroute
nslookup, dig
whois
arp, netstat (also local system)
Other tools
lsof
15. 15
Tools – Linux (2)
Other utilities
wireshark (packet sniffing)
nmap (port scanning) - more later
Ubuntu Linux
Go to System / Administration / Network Tools – get
interface to collection of tools: ping, netstat, traceroute,
port scan, nslookup, finger, whois
16. 16
Tools - Windows
Windows
Sam Spade (collected network tools)
Wireshark (packet sniffer)
Command line tools
ipconfig
Many others…
17. 17
Traceroute
# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms
5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms
17.173 ms
9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms
248.838 ms
10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306
ms 17.248 ms
13 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms
23. 23
Traceroute - Network Mapping
Sun
Linux
Firewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers
24. 24
Traceroute - Network Mapping
Sun
Linux
Firewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers
Linux 2.0.38
xxx.xx.48.2
AIX 4.2.1
xxx.xx.48.1
Checkpoint Firewall-1
Solaris 2.7
xxx.xx.49.17
Checkpoint Firewall-1
Nortel VPN
xxx.xx.22. 7
Cisco 7206
204.70.xxx.xxx
Nortel CVX1800
151.164.x.xxx
IDS?
25. 25
Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
networking@uwec.edu
Name Servers:
TOMATO.UWEC.EDU 137.28.1.17
LETTUCE.UWEC.EDU 137.28.1.18
BACON.UWEC.EDU 137.28.5.194
Whois
27. 27
Introduction
Scanning can be compared to a thief checking all the doors and
windows of a house he wants to break into.
Scanning- The art of detecting which systems are alive and
reachable via the internet and what services they offer, using
techniques such as ping sweeps, port scans and operating
system identification, is called scanning.
The kind of information collected here has to do with the
following:
1) TCP/UDP services running on each system identified.
2) System architecture (Sparc, Alpha, x86)
3) Specific IP address of systems reachable via the internet.
4) Operating System type.
28. 28
Ping Sweeps
ping sweep is a method that can establish a range of IP
addresses which map to live hosts.
ICMP Sweeps (ICMP ECHO requests)
Broadcast ICMP
Non Echo ICMP
TCP Sweeps
UDP Sweeps
30. 30
Broadcast ICMP
Intruder Network
ICMP ECHO request
ICMP ECHO reply
ICMP ECHO reply
ICMP ECHO reply
Can Distinguish between UNIX and WINDOWS machine
UNIX machine answers to requests directed to the network
address.
WINDOWS machine will ignore it.
31. 31
PING SWEEPS
NON – ECHO ICMP
Example ICMP Type 13 – (Time Stamp)
Originate Time Stamp
- The time the sender last touched the message before sending
Receive Time Stamp
- The echoer first touched it on receipt.
Transmit Time Stamp
- The echoer last touched on sending it.
32. 32
PING Sweeps
TCP Sweeps
Server
Client
C(SYN:PortNo & ISN)
S (SYN & ISN) + ACK[ C (SYN+!) ]
RESET (not active)
S(ISN+1)
When will a RESET be sent?
When RFC does not appear correct while appearing.
RFC = (Destination (IP + port number) & Source( IP & port
number))
33. 33
PING Sweeps
Depends on ICMP PORT UNREACHABLE message.
UDP data gram
ICMP PORT UNREACHABLE
Unreliable because
• Routers can drop UDP packets
•UDP services may not respond when correctly probed
•Firewalls are configured to drop UDP
•Relies on fact that non-active UDP port will respond
Target System
35. 35
Port Scanning Types
TCP Connect() Scan
SYN packet
SYN/ACK listening
RST/ACK (port not listening)
SYN/ACK
A connection is terminated after the full length connection establishment
process has been completed
36. 36
Port Scanning Type
TCP SYN Scan (half open scanning)
SYN packet
SYN/ACK listening
RST/ACK (port not listening)
We immediately tear down the connection by sending a RESET
37. 37
Port Scanning Type
Stealth Scan
A scanning technique family doing the following
Pass through filtering rules.
Not to be logged by the targeted system logging mechanism
Try to hide themselves at the usual site / network traffic.
The frequently used stealth mapping techniques are.
SYN/ACK scan
FIN scans
XMAS scans
NULL scans
39. 39
PORT Scanning
“Random” Port Scan
Randomizing the sequence of ports probed may prevent detection.
Slow Scan
Some hackers are very patient and can use network scanners that spread out the
scan over a long period of time. The scan rate can be, for example, as low as 2
packets per day per target site.
Fragmentation scanning
In case of TCP the 8 octets of data (minimum fragment size) are enough to
contain the source and destination port numbers. This will force the TCP flags
field into the second fragment.
Decoy
Some network scanners include options for Decoys or spoofed address in their
attacks.
Coordinated Scans
If multiple IPs probe a target network, each one probes a certain service on a
certain machine in a different time period, and therefore it would be nearly
impossible to detect these scans.
42. 42
Operating System Detection
DNS HINFO Record
The host information record is a pair of strings identifying
the host’s hardware type and the operating system
www IN HINFO “Sparc Ultra 5” “Solaris 2.6”
One of the oldest technique
43. 43
Operating System Detection
TCP/IP Finger Printing
The ideas to send specific TCP packets to the target IP
and observe the response which will be unique to
certain group or individual operations.
Types of probes used to determine the OS type
The FIN Probe, The Bogus Flag Probe, TCP initial
sequence number sampling, Don’t Fragment bit, TCP
initial window, ACK value, ICMP error Message
Quenching, ICMP message quoting, ICMP error
message Echoing Integrity, Type of service,
fragmentation handling, TCP options
44. 44
Firewalking
Gather information about a remote network protected
by a firewall
Purpose
Mapping open ports on a firewall
Mapping a network behind a firewall
If the firewall’s policy is to drop ICMP ECHO Request/Reply
this technique is very effective.
45. 45
How does Firewalking work?
It uses a traceroute-like packet filtering to
determine whether or not a particular packet
can pass through a packet-filtering device.
Traceroute is dependent on IP layer(TTL field),
any transport protocol can be used the same
way(TCP, UDP, and ICMP).
46. 46
What Firewalking needs?
The IP address of the last known gateway
before the firewall takes place.
Serves as WAYPOINT
The IP address of a host located behind the
firewall.
Used as a destination to direct packet flow
47. 47
Getting the Waypoint
If we try to traceroute the machine behind a
firewall and get blocked by an ACL filter that
prohibits the probe, the last gateway which
responded(the firewall itself can be determined)
Firewall becomes the waypoint.
48. 48
Getting the Destination
Traceroute the same machine with a different
traceroute-probe using a different transport protocol.
If we get a response
That particular traffic is allowed by the firewall
We know a host behind the firewall.
If we are continuously blocked, then this kind of traffic
is blocked.
Sending packets to every host behind the packet-
filtering device can generate an accurate map of a
network’s topology.
49. 49
How to identify/avoid threats?
Long-standing rule for Unix System
administrators to turn off any services that
aren’t in use
For personal workstations!
Hackers have access to utilities to scan the servers
but so do you!.
Hackers look in for open ports. So we can our
servers first and know what the hackers will see and
close any ports that shouldn’t be open.
50. 50
Some tools to help us
Nmap
It is a utility that scans a particular server and informs
us which ports are open.
Ethereal
It is a utility that will scan the network and help us
decode what is going on.
We can watch the network traffice and find out if
hackers can see anything that will help them break
into our systems.
52. 52
52
Introduction to Enumeration
Enumeration extracts information about:
–Resources or shares on the network
–User names or groups assigned on the network
–Last time user logged on
–User’s password
Before enumeration, you use Port scanning and
footprinting
–To Determine OS being used
Intrusive process
53. 53
53
NBTscan
NBT (NetBIOS over TCP/IP)
–is the Windows networking protocol
–used for shared folders and printers
NBTscan
–Tool for enumerating Microsoft OSs
54. 54
54
Null Session Information
Using these NULL connections allows you to gather the
following information from the host:
–List of users and groups
–List of machines
–List of shares
–Users and host SIDs (Security Identifiers)
•From brown.edu (link Ch 6b)
55. 55
55
Demonstration of Null Sessions
Start Win 2000 Pro
Share a folder
From a Win XP command prompt
–NET VIEW ip-address Fails
–NET USE ip-addressIPC$ "" /u:""
•Creates the null session
•Username="" Password=""
–NET VIEW ip-address Works now
62. 62
62
NetScanTools Pro
Produces a graphical view of NetBIOS running on a network
Enumerates any shares running on the computer
Verifies whether access is available for shared resource
using its Universal Naming Convention (UNC) name
Costs about $250 per machine (link Ch 6i)
65. 65
65
DumpSec
Enumeration tool for Microsoft systems
Produced by Foundstone, Inc.
Allows user to connect to a server and “dump” the
following information
–Permissions for shares
–Permissions for printers
–Permissions for the Registry
–Users in column or table format
–Policies and rights
–Services
67. 67
67
Hyena
Excellent GUI product for managing and securing
Microsoft OSs
Shows shares and user logon names for Windows
servers and domain controllers
Displays graphical representation of:
–Microsoft Terminal Services
–Microsoft Windows Network
–Web Client Network
–Find User/Group
69. 69
69
NessusWX
This is the client part of Nessus
Allows enumeration of different OSs on a large network
Running NessusWX
–Be sure Nessus server is up and running
–Open the NessusWX client application
–To connect your client with the Nessus server
•Click Communications, Connect from the menu on the session
window
•Enter server’s name
•Log on the Nessus server
72. 72
72
NessusWX (continued)
Nessus identifies
–NetBIOS names in use
–Shared resources
–Vulnerabilities with shared resources
•Also offers solutions to those vulnerabilities
–OS version
–OS vulnerabilities
–Firewall vulnerabilities
77. 77
77
Enumerating the *NIX Operating System
Several variations
–Solaris
–SunOS
–HP-UX
–Linux
–Ultrix
–AIX
–BSD UNIX
–FreeBSD
–OpenBSD
78. 78
78
UNIX Enumeration
Finger utility
–Most popular tool for security testers
–Finds out who is logged in to a *NIX system
–Determine owner of any process
Nessus
–Another important *NIX enumeration tool
