Footprinting

                                 Outline
• Introduction

• What information needs to be identified

• How to get this information
                   Introduction
• What is footprinting
   – Creating a complete profile of an organization's security
     posture
• Why is footprinting necessary
   – So that you do not miss key pieces of information related
     to a specific technology
• Who attacks
   – Script kiddies
   – Special-purpose attackers
      • Malicious insider
      • Temporary employee
      • Hacker
Introduction: Purpose of attackers
•   Just for fun
•   Try their tools
•   Get information
•   Steal Bandwidth
•   Use your computer to attack
•   Get a privileged account
 What information needs to be identified
• Internet
  –   Domain names
  –   Network blocks
  –   Reachable IP addresses
  –   IDS and firewalls (if they can be identified)
  –   System enumeration
  What information needs to be identified
• Intranet
   –   Network protocols in use
   –   Internal domain name
   –   IP address via the intranet
   –   System architecture
   –   Access control mechanisms and ACLs
   –   IDS
   –   System enumeration
   –   Routing tables
         Steps of footprinting
• Determine the scope of your activities
  – Webferret (a tool)
  – www.dogpile.com, AltaVista, EDGAR
  – Social engineering
     • An example of gathering information
• Network enumeration
• DNS interrogation
• Network reconnaissance
  Determine the scope of your activities
• Step 1: Peruse the target organization's web page and look for:
   – Locations: to get an idea of the physical location of the servers
   – Related companies or entities: to find a point with weaker
     security to start from
   – Merger or acquisition news: to find possible weak points in
     the network
   – Phone numbers: to find dial-in points reachable from outside
   – Contact names and e-mail addresses: to derive user names
   – Privacy or security policies: they reveal the types of security
     mechanisms in place
   – Links to other web servers related to the organization: to find
     possible weak points
• (Example of a web page: our own web site)
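The items in Step 1 can be pulled out of a page mechanically. The script below is an added example, not code from the original deck; it runs over a constructed contact page for a hypothetical target domain "example.com" (the sample HTML, the role-account list and the phone format are assumptions) and shows the two things an attacker does with the harvest: widen the scope with any extra host names that appear in e-mail addresses, and infer the account-naming convention so that names found elsewhere can be turned into user names.

```python
import re
from collections import Counter

# Constructed sample page (not from the original deck): the contact page of a
# hypothetical target whose mail domain is example.com. A real run would fetch
# the target's public pages instead.
SAMPLE_HTML = """
<html><body>
<h1>Contact Us</h1>
<p>Sales: <a href="mailto:john.smith@example.com">John Smith</a>, +1 408-555-0100</p>
<p>Support: <a href="mailto:mary.jones@example.com">Mary Jones</a>, +1 408-555-0101</p>
<p>Webmaster: webmaster@example.com</p>
<p>Our partner: <a href="http://www.partner-example.net/">Partner Inc.</a></p>
<p>Dial-in modem pool: 408-555-0199</p>
<!-- TODO remove before launch: admin@test.example.com -->
</body></html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North-American style numbers with an optional +1 prefix (assumption for the sample).
PHONE_RE = re.compile(r"(?:\+1\s*)?\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
LINK_RE = re.compile(r'href="(https?://[^"/]+)', re.I)

# Role mailboxes say nothing about how people's accounts are named (assumed list).
ROLE_ACCOUNTS = {"admin", "webmaster", "postmaster", "info", "support",
                 "sales", "abuse", "noreply", "root"}


def harvest(html):
    """Pull out what the slide says to look for: e-mail addresses, phone
    numbers and the hosts of related organizations (outbound links)."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "phones": sorted(set(PHONE_RE.findall(html))),
        "hosts": sorted(set(LINK_RE.findall(html))),
    }


def _under(domain, target):
    return domain == target or domain.endswith("." + target)


def mail_domains(emails, target):
    """Every domain seen in an address under the target: a forgotten
    test.example.com in an HTML comment is a new host for the scope list."""
    return sorted({e.rsplit("@", 1)[1].lower() for e in emails
                   if _under(e.rsplit("@", 1)[1].lower(), target)})


def username_scheme(emails, target):
    """Infer the account-naming convention from the local parts of personal
    addresses (role accounts excluded), e.g. first.last."""
    people = []
    for e in emails:
        local, domain = e.rsplit("@", 1)
        if _under(domain.lower(), target) and local.lower() not in ROLE_ACCOUNTS:
            people.append(local)

    def kind(local):
        if "." in local:
            return "first.last"
        if "_" in local:
            return "first_last"
        return "single-token"

    counts = Counter(kind(p) for p in people)
    return people, (counts.most_common(1)[0][0] if counts else None)


if __name__ == "__main__":
    found = harvest(SAMPLE_HTML)
    for key, values in found.items():
        print(key, values)
    print("domains in scope:", mail_domains(found["emails"], "example.com"))
    print("user name scheme:", username_scheme(found["emails"], "example.com"))
```

The role-account filter matters: without it the two role mailboxes in the sample would tie with the two personal ones and the inferred scheme would be wrong. The modem-pool number and the partner's host go straight onto the scope list the next slides build.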
          A Tool: Webferret
• Searches 15 search engines at the same time
• Logs your search results
             Webferret: settings
• Search the entire page, the abstract and title, or the
  URL
• Duplicate handling: none, remove duplicate URLs, remove
  duplicate titles, …..
Search Result
                  EDGAR search
• SEC financial filings search site (http://www.sec.gov/cgi-
  bin/srch-edgar)
• Hacking Exposed suggests reading the 10-Q and 10-K filings
• Example: search "amazon"
  – 10-Q
     • Balance sheet
  – 10-K
     • Yields a lot of contact information (Amazon's)
                     What the 10-Q says
•   PART I. FINANCIAL INFORMATION
•   Item 1. Financial Statements (Unaudited)
     – Consolidated Balance Sheets—March 31, 2001 and December 31, 2000
     – Consolidated Statements of Operations—Three months ended March 31, 2001 and
       2000
     – Consolidated Statements of Cash Flows—Three months ended March 31, 2001 and
       2000
     – Notes to Consolidated Financial Statements—March 31, 2001
•   Item 2. Management’s Discussion and Analysis of Financial Condition and
    Results of Operations
•   Item 3. Quantitative and Qualitative Disclosure of Market Risk
•   PART II. OTHER INFORMATION
•   Item 1. Legal Proceedings
•   …………..
            What the 10-K says
• PART I
• Item 1. Business
• Item 2. Properties
• Item 3. Legal Proceedings
• Item 4. Submission of Matters to a Vote of
  Security Holders
• PART II Item 5. Market for the Registrant's
  Common Stock and Related Stockholder
  Matters
• Item 6. Selected Consolidated Financial Data
• Item 7. Management's Discussion and
  Analysis of Financial Condition and Results of
  Operations
       Is this information useful?
    An Example of Social Engineering
• Story from: Taiwan.cnet.com
• Goal: find everything related to a person
   – Assumption: we know only the name and the location of the
     workplace
   – Target victim: Margaret Truman (a false name)
• Step 1: Search engines
   – Yahoo People Search gave a phone number and address
     (wrong place, hundreds of miles away)
   – Bigfoot, InfoSpace: found nothing
   – AOL NetFind, Switchboard: bingo
             The Story (contd.)
• Step 2: Find her full name
   – Found some books and articles she wrote
      • Learned her college and the year she graduated
      • She teaches somewhere
   – Her college's address book gave her abandoned e-mail
     address
      • Her name is E. Margaret Truman (Margaret is her middle name)
• Step 3: Find her SSN (Social Security Number)
   – Private investigator (via a web site)
      • Within 24 hours
          – Real full name: Erin Margaret Truman
          – SSN
          The Story (contd.)
• Get private information
  – Experian, Equifax, TransUnion
     • Criminal records
       Driving accident records
       Car, boat and aircraft ownership records
       Property ownership records
       Bankruptcy records
       Whereabouts of birth parents / adopted children
    Gather information: Our web site
•    Hello:
     > > I am the MIS at an IT company,
     > > and I am very interested in your company's 區域聯防 (regional joint defense) product.
     > > Could you e-mail me the related information?
     > > Thank you

    agnes <agnes@gennet.com.tw>
    To: MKD- 詹壹翔 <nike@gennet.com.tw>
    Sent: Friday, June 08, 2001 3:43 PM
    Subject: Fw: Product information

•    詹壹翔 (Nike Chan)
     TEL: 02-2696-2366
     M/B: 0922-416803
     e-mail: nike@gennet.com.tw
    Our crew revealed their personal
       information to everyone?
•   黃俊民, National Central University, Department of Information Management,
    class of (ROC year) 83, section A, student ID: 801011
•   Home phone: 02-25772696
•   Office phone: 02-26962366-213
•   Residence phone: 02-25772696, 0950330322*099
•   Address: 1F, No. 10-4, Lane 68, Ning'an St., Taipei City

• Stewart@www.gennet.com.tw: failure
• Try Stewart@www.gennet.com.tw
• Hello 俊民:

  I am 林志成, long time no see. I don't know what work you are doing
  at 台華科技 now?
  Things have not been going well for me lately; is there any chance
  you could make an introduction?
  Thanks
• stewart@mail.gennet.com.tw
• Goal: an MIS account
 Information found on the Internet:
     A term project report
       • Smurf Denial of Service
• Preface

• This semester the lab purchased one set of "台華科技 ServerGuard
  server firewall" and installed it on
  140.128.101.110……..
 Information found on the Internet
• 美商網虎 forms an alliance with Trend Micro and 台華科技 today 01/18/00
  12:35:18
• (CNA reporter 鄭定華, Taipei, 18th) To prevent Linux from becoming a
  target for hacker intrusion once it grows, the domestic Linux system
  team 美商網虎 today signed a strategic alliance with the antivirus
  company Trend Micro (趨勢科技) and the firewall developer 台華科技,
  to provide enterprises with a complete, all-round Linux antivirus
  solution.
 Information found on the Internet:
• Reinvestment overview - non-operating income: 英群 has not disposed
  of any more 信群科技 shares since selling some in 1Q this year (信群
  has merged with 錸德 (2349); 英群 still holds 39,900 lots at a cost of
  about NT$10) and will let them convert into 錸德 shares, to be sold
  later as operating cash needs dictate. 台華科技, in which it holds a
  28% stake, is expected to contribute NT$10-20 million or more in 1H
  this year and, together with 矩創科技, a maker of DC/AC power
  converters (expected to contribute NT$10 million or more this year),
  is a key long-term investment. 2Q asset-disposal gains will shrink
  sharply, with only small gains from selling 承啟科技 (5341) and
  台華科技 holdings.
           Network Enumeration
• Step2: Identify domain name and associated
  networks related to particular organization
• Search:
   – InterNIC database, run by Network Solutions
   – American Registry for Internet Numbers (ARIN)
• Looking for the following types of information:
   – Registrar: displays specific registrar information and the associated
     whois servers
   – Organization: displays all information related to a particular
     organization
   – Domain: displays all information related to a particular domain
   – Network: displays all information related to a particular network
     or IP address
   – Point of Contact (POC): displays all information related to a
     specific person
  Network Enumeration: Tools
• Whois
  – For Windows: web front ends at http://www.networksolutions.com,
    http://www.arin.net
  – For Unix: the whois command
  – …..
  – Whois servers: whois.ripe.net, whois.apnic.net,
    whois.nic.gov, whois.nic.mil
              Registrar Query
• Get information from "www.internic.net"
  –   Domain Name: TRENDMICRO.COM
  –   Registrar: NETWORK SOLUTIONS, INC.
  –   Whois Server: whois.networksolutions.com
  –   Referral URL: http://www.networksolutions.com
  –   Name Server: WNS.TRENDMICRO.COM
  –   Name Server: WNSE.TRENDMICRO.COM
  –   Updated Date: 02-may-2001
            Organization Query
Domain Query: what we want are
•   The registrant
•   The domain name
•   The administrative contact
•   When the record was created and updated
•   The primary and secondary DNS servers
                Domain Query
• Get information from networksolutions.com
  – Registrant: Trend Micro, Inc. (TRENDMICRO-DOM) 10101 N. De
    Anza Blvd., 4th Floor Cupertino, CA 95014 US
  – Domain Name: TRENDMICRO.COM
  – Administrative Contact: Trend, Dnsadmin (DTZ188)
    dnsadmin@TRENDMICRO.COM Trend Micro, Inc 2nd Flr.
    Cupertino, CA 95014 US 408-2571500 408-2572003
  – Technical Contact: Chen, Jing (JC33946)
    jing_chen@TRENDMICRO.COM Trend Micro.com 10101 N. De
    Anza Blvd Cupertino, CA 95014 US 408-2571500 408-2572003
  – Billing Contact: Marienlund, Robin (RM26662)
    robin_marienlund@TRENDMICRO.COM Trend Micro, Inc 10101 N.
    De Anza Blvd Cupertino, CA 95014 408-8636307 (FAX) 408-
    2554521
  – Record last updated on 02-May-2001. Record expires on 21-Apr-
    2003. Record created on 20-Apr-1995. Database last updated on
    11-Jun-2001 12:56:00 EDT. Domain servers in listed order:
  – WNS.TRENDMICRO.COM 208.185.125.8
  – WNSE.TRENDMICRO.COM 216.33.22.8
               Network Query
• Get information from networksolutions.com
  – Abovenet Communications, Inc. (NETBLK-ABOVENET-6) 50 W.
    San Fernando St., Suite 1010 San Jose, CA 95113 US
  – Netname: ABOVENET-6
  – Netblock: 208.184.0.0 - 208.185.255.255
  – Maintainer: ABVE
  – Coordinator: Metromedia Fiber Networks/AboveNet (NOC41-ORG-
    ARIN) noc@ABOVE.NET 408-367-6666 Fax- 408-367-6688
  – Domain System inverse mapping provided by: NS.ABOVE.NET
    207.126.96.162 NS3.ABOVE.NET 207.126.105.146
  – ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
  – Record last updated on 27-Apr-2001.
  – Database last updated on 9-Jun-2001 23:04:36 EDT.
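The domain query and the network query above are usually the first two of a chain: the name servers from the domain record are the next IPs to look up in ARIN. The script below is an added example, not code from the deck or from Network Solutions. It parses a record laid out in the Network Solutions whois format of the time (the layout is reconstructed from memory and filled with the fields the Domain Query slide shows; only the fields are taken from the slide) into exactly the five items the "what we want" slide lists, then checks each name server against the ABOVENET-6 block from the Network Query slide so that a server hosted in somebody else's block is flagged for its own query.

```python
import re
import ipaddress

# Sample record in the Network Solutions whois layout of the time. The layout is
# reconstructed (not copied from the deck); the field values are the ones the
# Domain Query slide shows.
SAMPLE_DOMAIN_RECORD = """\
Registrant:
Trend Micro, Inc. (TRENDMICRO-DOM)
   10101 N. De Anza Blvd., 4th Floor
   Cupertino, CA 95014
   US

   Domain Name: TRENDMICRO.COM

   Administrative Contact:
      Trend, Dnsadmin  (DTZ188)  dnsadmin@TRENDMICRO.COM
      408-2571500 408-2572003
   Technical Contact:
      Chen, Jing  (JC33946)  jing_chen@TRENDMICRO.COM
      408-2571500 408-2572003
   Billing Contact:
      Marienlund, Robin  (RM26662)  robin_marienlund@TRENDMICRO.COM
      408-8636307 (FAX) 408-2554521

   Record last updated on 02-May-2001.
   Record expires on 21-Apr-2003.
   Record created on 20-Apr-1995.
   Database last updated on 11-Jun-2001 12:56:00 EDT.

   Domain servers in listed order:

   WNS.TRENDMICRO.COM           208.185.125.8
   WNSE.TRENDMICRO.COM          216.33.22.8
"""

# Netblock from the Network Query slide (ARIN record for ABOVENET-6).
KNOWN_NETBLOCKS = {"ABOVENET-6": "208.184.0.0 - 208.185.255.255"}

CONTACT_RE = re.compile(
    r"(Administrative|Technical|Billing) Contact:\s*\n\s*(.+?)\s+\((\w+)\)\s+(\S+@\S+)")
DATE_RE = r"Record (?:last )?%s on (\d{2}-[A-Za-z]{3}-\d{4})"
NS_RE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_domain_record(text):
    """Extract the five things the slide says we want from a domain query:
    registrant, domain name, contacts, record dates, DNS servers."""
    rec = {
        "registrant": text.split("Registrant:", 1)[1].strip().splitlines()[0].strip(),
        "domain": re.search(r"Domain Name:\s*(\S+)", text).group(1).lower(),
        "contacts": {},
    }
    for role, name, handle, email in CONTACT_RE.findall(text):
        rec["contacts"][role.lower()] = {"name": name.strip(), "handle": handle,
                                         "email": email.lower()}
    for key in ("created", "updated", "expires"):
        m = re.search(DATE_RE % key, text)
        rec[key] = m.group(1) if m else None
    ns_text = text.split("Domain servers in listed order:", 1)[1]
    rec["name_servers"] = NS_RE.findall(ns_text)
    return rec


def in_netblock(ip, block):
    """True if ip lies within an ARIN-style 'low - high' block."""
    low, high = (ipaddress.ip_address(s.strip()) for s in block.split("-"))
    return low <= ipaddress.ip_address(ip) <= high


def place_name_servers(rec, netblocks):
    """Map each name server to a known block, or None when it still needs its
    own network query because it is hosted in somebody else's address space."""
    placed = []
    for host, ip in rec["name_servers"]:
        owner = next((name for name, block in netblocks.items()
                      if in_netblock(ip, block)), None)
        placed.append((host, ip, owner))
    return placed


if __name__ == "__main__":
    record = parse_domain_record(SAMPLE_DOMAIN_RECORD)
    print(record["domain"], record["registrant"], record["created"], record["expires"])
    for role, c in record["contacts"].items():
        print(role, c["name"], c["handle"], c["email"])
    for host, ip, owner in place_name_servers(record, KNOWN_NETBLOCKS):
        print(host, ip, owner or "-> run a network query on this address")
```

On the slide's own data the primary name server falls inside ABOVENET-6 while the secondary (216.33.22.8) does not, so the secondary's address is the next network query; the traceroute at the end of the deck, which reaches 216.33.22.216 through exodus.net routers, is consistent with that address space belonging to a different provider.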
 Domain Hijacking raised a security issue

• Starting point (May 29): someone contacted NSI and told NetSol to
  change the "contact name" and "DNS/IP address" of web.net and bali.com
• NSI allows the change to be made if
   – the e-mail appears to come from the address in the whois record
     (MAIL-FROM)
• Changed the administrative contact and the technical contact
• The original registrar: TUCOWS?
• Bali.com, sex.net… (recovered)
• Web.net?
              The story: Now
• Domain Name: WEB.NET
  Registrar: TUCOWS, INC.
  Whois Server: whois.opensrs.net
  Referral URL: http://www.opensrs.org
  Name Server: NS2.WEB.NET
  Name Server: NS.WEB.NET
  Name Server: NS3.WEB.NET
  Updated Date: 09-jan-2001
• Last update of whois database: Tue, 12 Jun 2001
  02:09:13 EDT
• The previous information has been obtained either
  directly from the registrant or a registrar of the
  domain name other than Network Solutions. Network
  Solutions, therefore, does not guarantee its accuracy
  or completeness.
• Still Bill Tandoco
  Domain name hijacking: AOL
• Oct. 16, 1998: AOL is the victim (reported by the Washington
  Post)
• June 23, 1999: AOL accused of stealing the web address for a
  new search site
  – A New Jersey woman
  – AOLsearch.com (African-American OnLine Search)
  – Wrong contact address -> lost the domain name
        Result from NSI "whois"
• AOL search status
• Access to America Online, Inc.'s WHOIS service is for
  information purposes. America Online, Inc. makes this service
  available "AS IS" and does not guarantee its accuracy or
  availability. By submitting a WHOIS query, you agree that you
  will use this service and the information we provide only for
  lawful purposes and that, under no circumstances will you use
  this service or the information we provide to: (1) allow, enable,
  or otherwise support the transmission of mass unsolicited,
  commercial advertising or solicitations via email (spam); or (2)
  enable high volume, automated, electronic processes that apply
  to America Online, Inc. (or its systems). America Online, Inc.
  reserves the right to modify these terms at any time. By
  accessing and using our WHOIS service, you agree to these
  terms.
            DNS Interrogation
• Step 3: DNS is a distributed database that maps
  hostnames to IP addresses and vice versa
  – Zone transfer
     • Misconfiguration: allowing untrusted Internet users to
       perform a DNS zone transfer hands them the whole zone
     • Example: the nslookup, host and dig commands on Unix
        – HINFO records…..
            » reveal the OS and test systems
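What a successful zone transfer hands over is easier to see on a concrete zone. The script below is an added example, not code from the deck; it takes a constructed transfer in dig's presentation format for a hypothetical domain example.com (the zone contents are made up, and the list of "interesting" host-name words is an assumption) and mines it for the things this slide mentions: HINFO records that name the hardware and OS, hosts whose names mark them as test or development boxes, and the address blocks the zone reveals, including internal (RFC 1918) addresses that should never have been in a public zone.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed zone-transfer output in dig's presentation format for a
# hypothetical domain (not a real transfer and not from the deck).
SAMPLE_AXFR = """\
example.com.         3600 IN SOA   ns1.example.com. hostmaster.example.com. 2001061101 3600 900 604800 3600
example.com.         3600 IN NS    ns1.example.com.
example.com.         3600 IN NS    ns2.example.com.
example.com.         3600 IN MX    10 mail.example.com.
ns1.example.com.     3600 IN A     192.0.2.1
ns2.example.com.     3600 IN A     198.51.100.1
www.example.com.     3600 IN A     192.0.2.10
www.example.com.     3600 IN HINFO "Sun Ultra 5" "Solaris 2.6"
mail.example.com.    3600 IN A     192.0.2.20
fw.example.com.      3600 IN A     192.0.2.254
fw.example.com.      3600 IN HINFO "Intel PC" "Checkpoint FW-1"
test-db.example.com. 3600 IN A     10.1.1.5
test-db.example.com. 3600 IN HINFO "Intel PC" "Windows NT 4.0"
dev.example.com.     3600 IN A     10.1.1.6
example.com.         3600 IN SOA   ns1.example.com. hostmaster.example.com. 2001061101 3600 900 604800 3600
"""

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")
# Name fragments that usually mark a weak or revealing host (assumed list).
INTERESTING = ("test", "dev", "fw", "ids", "vpn", "backup")
# RFC 1918 ranges checked explicitly: ipaddress.is_private also flags the
# documentation ranges used in this sample, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Turn dig-style resource-record lines into (owner, type, rdata) triples."""
    rrs = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            rrs.append((m.group(1).rstrip(".").lower(), m.group(2), m.group(3).strip()))
    return rrs


def hinfo_hosts(rrs):
    """HINFO hands over hardware and OS per host: the 'OS, test systems' leak."""
    found = {}
    for owner, rtype, rdata in rrs:
        if rtype == "HINFO":
            cpu, os_name = re.findall(r'"([^"]*)"', rdata)[:2]
            found[owner] = (cpu, os_name)
    return found


def leaked_private(rrs):
    """A records pointing at RFC 1918 space expose the intranet addressing plan."""
    return {owner: rdata for owner, rtype, rdata in rrs
            if rtype == "A" and any(ipaddress.ip_address(rdata) in n for n in RFC1918)}


def netblock_summary(rrs):
    """Count hosts per /24: a first cut at the 'network blocks' list."""
    counts = defaultdict(int)
    for _, rtype, rdata in rrs:
        if rtype == "A":
            counts[str(ipaddress.ip_network(rdata + "/24", strict=False))] += 1
    return dict(counts)


def interesting_names(rrs, words=INTERESTING):
    """Hosts whose first label hints at their role: firewalls, test boxes, VPNs."""
    hosts = {owner for owner, rtype, _ in rrs if rtype == "A"}
    return sorted(h for h in hosts if any(w in h.split(".")[0] for w in words))


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_AXFR)
    print("HINFO:", hinfo_hosts(zone))
    print("internal addresses:", leaked_private(zone))
    print("blocks:", netblock_summary(zone))
    print("worth a closer look:", interesting_names(zone))
```

To obtain real input, run the transfer against every server from the domain record in turn (for example `dig @WNS.TRENDMICRO.COM trendmicro.com axfr`), since it is common for only one of them to be misconfigured; the fix on the defending side is to restrict transfers to the secondaries and to keep HINFO and internal hosts out of the external zone.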
      Network Reconnaissance
• Once you have identified potential networks, you
  can attempt to determine their network topology
  as well as potential access paths into the network
  – Example: traceroute on Unix
     • Number of routers
                 Topology Finding
• traceroute to www.trend.com.tw (202.132.197.8),
  30 hops max, 40 byte packets
   –    1 r254.e1-213.csie.ncu.edu.tw (140.115.50.254) 1 ms 1 ms 1 ms
   –   2 203.72.244.33 (203.72.244.33) 2 ms 2 ms 5 ms
   –   3 203.72.244.225 (203.72.244.225) 4 ms 3 ms 4 ms
   –   4 203.72.38.100 (203.72.38.100) 7 ms 13 ms 11 ms
   –   5 140.111.4.227 (140.111.4.227) 7 ms 6 ms 5 ms
   –   6 R58-131.seed.net.tw (139.175.58.131) 5 ms 4 ms 6 ms
   –   7 139.175.70.2 (139.175.70.2) 6 ms 6 ms 13 ms
   –   8 192.72.48.114 (192.72.48.114) 5 ms 6 ms 6 ms
   –   9 fe-5-0-0.ar01.cn.tw.iasiaworks.net (202.132.174.67) 8 ms 7 ms 7 ms
   –   10 202.132.197.8 (202.132.197.8) 6 ms 5 ms 5 ms
                        traceroute -S -p 53
                       www.trendmicro.com
• traceroute to trendmicro.com (216.33.22.216), 30
  hops max, 40 byte packets
•   1 140.115.50.254 (140.115.50.254) 2 ms 1 ms 1 ms
•   2 203.72.244.33 (203.72.244.33) 2 ms 2 ms 2 ms
•   3 203.72.244.225 (203.72.244.225) 4 ms 5 ms 2 ms
•   4 TANet-defaultgateway.edu.tw (203.72.38.101) 6 ms 4 ms 4 ms
•   5 TANet-Internet.edu.tw (210.70.55.38) 272 ms * 262 ms
•   6 12.126.195.13 (12.126.195.13) 326 ms * 275 ms
•   7 gbr1-p70.sffca.ip.att.net (12.123.13.58) 282 ms 282 ms *
•   8 gr2-p340.sffca.ip.att.net (12.123.12.233) 259 ms 290 ms 338 ms
•   9 * att-gw.sf.exodus.net (192.205.32.106) 369 ms 340 ms
•   10 * * 216.33.147.52 (216.33.147.52) 302 ms
•   11 * * *
•   12 * dcr04-g4-0.sntc03.exodus.net (216.33.153.68) 339 ms *
•   13 csr01-ve240.sntc03.exodus.net (216.33.153.197) 419 ms * *
•   ***
•   ***
•   29 203.72.244.225 (203.72.244.225) 9 ms * *

								