Reconnaissance




Recon                    1
             Attack Phases
 Phase 1: Reconnaissance
 Phase 2: Scanning
 Phase 3: Gaining access
    o Application/OS attacks
    o Network attacks/DoS attacks
 Phase 4: Maintaining access
 Phase 5: Covering tracks and hiding



                      Recon
   Before a bank robber robs a bank…
    o Visit the bank
    o Make friends with an employee (inside info)
    o Study alarm system, vault, security guard's
      routine, security camera placement, etc.
    o Plan arrival and get away
 Most of this is not high tech
 Similar ideas hold for info security




          Social Engineering
   Hypothetical examples
    o New “admin” asks secretary for help
    o Angry “manager” calls employee/admin asking for
      password
    o “Employee” in the field calls another employee
      for help with remote access
   Real-world examples
    o Employees help white hat guy steal company IP
    o Person turns over secrets to trusted “friend”


           Social Engineering
 Social engineering
   o Defeats strongest crypto, best access
     control, protocols, IDS, firewalls, software
     security, etc., etc.
 Attacker may not even touch keyboard
 Ultimate low-tech recon/attack method




             Social Engineering
   Telephone based attacks
    o Company phone number may give attacker
        instant credibility
 Attacker might ask for voice mail service
 Spoofed caller ID
    o   Appears attacker has company phone number
    o   Online services: Telespoof, Camophone
    o   Some VoIP software
    o   Phone companies also sell such services


                Camophone
 Spoofed caller ID
 Cost? 5 cents per minute




Social Engineering Defenses
   Hard to defend against
    o Rooted in human nature
    o Many legitimate uses of “social engineering”
        (police, sales people, etc.)
   User education helps
    o Do not give out sensitive info (passwords)
    o Do not trust caller ID, etc.
   May not want totally paranoid employees


        Physical Security
 If Trudy gets physical access…
 Might find logged in computer, post-it
  note with passwords, etc.
 Might install back door, keystroke
  logger, access point to LAN, etc.
 Could steal USB drives, laptop,
  computers, CDs, etc.


            Physical Access
 How can attacker gain physical
  access?
    o Ask for it
    o Fake it
    o Physical break in
 Or attacker might be employee
    o Then Trudy already has access
    o Limit employee's physical access?

                Defenses
 Require badges for entry
    o What if someone forgets badge?
 Biometrics for entry are useful
    o Iris scan, hand geometry, …
 Monitor what people take in/out
    o Laptop, USB drive, CD, Furby?
    o Miniaturization makes this difficult


                 Defenses
 Use locks on file cabinets
    o Don't leave key in the lock…
 Automatic screen saver with pwd
 Encrypted hard drives
    o Especially for those who travel
    o Need a way to recover encrypted files
    o But there are attacks…


           Dumpster Diving
 What might Trudy find in trash?
    o CDs, DVDs, discarded machines, USB, …
    o Diagrams of network architecture
 Defenses
    o Destroy hard drive before discarding
    o Destroy media physically (degaussing alone is not enough,
      and does nothing at all to optical discs or flash)
    o Shred paper, etc.



        Search the "Fine" Web
 "Fine" is placeholder for another word
    o As in "Read the 'Fine' Documentation"
 Huge amount of info available on Web
 Google it!
    o For example Google the MD5 hash value
    o 20f1aeb7819d7858684c898d1e98c1bb
    o If anyone has ever posted that hash beside its input,
      the search engine has done the reverse lookup for you



            Google Hacking
 Using Google to help in attacks
    o Not "hacking Google"
 See, for example
    o Johnny Long's Website
    o Google hacking 101
 Google selected as "favorite hacking
  tool" by some infamous hackers


                    Google
       Four important elements of Google
1.      Googlebot
     o   Crawls Web looking for info to index
2.      Google index
     o   Billions served…
     o   Ranked using (secretive) algorithm
     o   Why so secretive?


                        Google
3.   Google cache
     o   Copy of data that bots found
     o   Includes html, doc, pdf, ppt, etc., etc.
     o   Up to 101k of text each, no images
     o   See also, Wayback Machine
4.   Google API
     o   Programs need to Google too
     o   Requires API "key" (free from Google)
     o   Limited to 1k searches per day (this was the SOAP
         search API of the time; Google has since retired it)


                  Google
 For   any Google search…
    o Max number of results limited to 1,000
    o Limits data mining capabilities
 So searches must be precise
 Use “search directives”
    o No space after directive, searches case
      insensitive, max of 10 search terms


    Google Search Directives
   site:[domain]
    o Searches particular domain
    o site:cs.sjsu.edu stamp
   link:[web page]
    o All sites linked to a given web page
    o link:www.cs.sjsu.edu
    o Google retired the link: operator in 2017
   intitle:[term(s)]
    o Web sites that include "term(s)" in title
    o site:cs.sjsu.edu intitle:"index of" stamp


    Google Search Directives
   related:[site]
    o Similar sites, based on Google's indexing
    o related:www.cs.sjsu.edu
   cache:[page]
    o Display Web page from Google‟s cache
    o cache:www.cs.sjsu.edu
   filetype:[suffix]
    o Like ppt, doc, etc.
    o filetype:ppt site:cs.sjsu.edu stamp


    Google Search Directives
 rphonebook:[name and city or state]
    o Residential phone book
    o rphonebook:Mark Stamp Los Gatos
 bphonebook:[name and city or state]
    o Business phone book
 phonebook:[name and city or state]
    o Residential and business phone books
 Google removed all three phonebook operators in 2010


    Other Search Operations
   Literal match (" ")
    o "metamorphic engines" site:cs.sjsu.edu
   Not (-)
    o Filter out sites that include term
    o site:cs.sjsu.edu -ty -lin
   Plus (+)
    o Force inclusion of a (normally filtered) common term
    o Not the opposite of "-"
    o site:cs.sjsu.edu stamp +the
    o Google dropped this use of + in 2011; quoting the single
      word ("the") now has the same effect


         Interesting Searches
   From the text
    o   site:mybank.com filetype:xls ssn
    o   site:mybank.com ssn -filetype:pdf
    o   site:mybank.com filetype:asp
    o   site:mybank.com filetype:cgi
    o   site:mybank.com filetype:php
    o   site:mybank.com filetype:jsp
    o   site:cs.sjsu.edu filetype:xls



    Google Hacking Database
 Google Hacking Database (GHDB)
 Interesting searches
    o   intitle:"index of" finance.xls
    o   "welcome to intranet"
    o   intitle:"gateway configuration menu"
    o   intitle:"samba web administration tool"
        intext:"help workgroup"



                           GHDB
 intitle:"welcome to IIS 4.0"
 “… we find that even if they've taken the time to change
    their main page, some dorks forget to change the titles of
    their default-installed web pages. This is an indicator that
    their web server is most likely running … the now
    considered OLD IIS 4.0 and that at least portions of their
    main pages are still exactly the same as they were out of
    the box. Conclusion? The rest of the factory-installed stuff
    is most likely lingering around on these servers as well. …
    Factory-installed default scripts: FREE with operating
    system. Getting hacked by a script kiddie that found you
    on Google: PRICELESS. For all the things money can't
    buy, there's a googleDork award.”
                   Google
 Suppose    sensitive data is accessible
    o Removing it does not remove problem
    o Google cache, Wayback Machine
 What    about automated searches?
    o Google API
    o SiteDigger and Wikto



SiteDigger
 User provides Google API key
 One search…
    o Uses GHDB
    o Does 1k Google searches
    o Your daily limit
    o There's always tomorrow…



                     Google
   Lots of other interesting Google searches
    o Track current flights
    o Look up auto VIN
    o Look up product UPC
   Google filters some sensitive data
    o SSNs, for example
   Yahoo and MSN Search do less filtering



                 Newsgroups
 “Listening in at the virtual water cooler”
 Employees submit detailed questions
    o How to configure something
    o How to code something
    o How to troubleshoot a problem
   Reveals info about products, config, etc.
    o “sensitive information leakage on a grand scale”
   Attacker could even play active role
    o Give bad/incorrect advice


              Newsgroups
 To    search groups
    o groups.google.com
    o Repackaged version of DejaNews




        Organization's Website
 Web      site might reveal useful info
    o   Employee contact info
    o   Clues about corporate culture/language
    o   Business partners
    o   Recent mergers and acquisitions
    o   Technology in use
    o   Open jobs



Defenses Against Web Recon
   Limit what goes on Web pages
    o No sensitive info
    o Limit info about products, configuration, …
   Security by obscurity?
    o “…no sense putting an expensive lock on your
        door and leaving milk and cookies outside so the
        lock picker can have a snack” while he breaks in




Defenses Against Web Recon
 Have a policy on use of newsgroups
 Monitor publicly available info
 Google/Wayback will remove sensitive data on request
 Use robots.txt (Disallow lines) or robots meta tags so Web
  pages are not indexed
    o Meta tag / X-Robots-Tag values: noindex, nofollow, noarchive, nosnippet
    o Well-behaved crawlers will respect these, but…
    o …robots.txt is itself public, so a Disallow entry is
      a sign to bad guys of where the sensitive data is



          Whois Databases
 Internet    “white pages” listing
   o Domain names, contact info, IP addresses
   o .com, .net, .org, .edu
 ICANN     oversees registration process
   o Hundreds of actual registrars




    InterNIC
   InterNIC (Internet Network Information Center)
    o First place to look
    o Info on domain name registration services



InterNIC
   Whois info available from InterNIC
     o com, net, org, edu
   Other sites for other top-level domains



    Whois
 Once registrar is known, attacker can contact it
   o More detailed Whois info
   o Network Solutions in this example



   Whois
 Info includes
   o Names
   o Telephone numbers
   o Email addresses
   o Name (DNS) servers
   o And so on…


        IP Address Assignment
 ARIN (American Registry for
  Internet Numbers)
    o Info about who owns IP address or range
      of addresses
 Similar organizations for Europe (RIPE NCC),
  Asia-Pacific (APNIC), Latin America (LACNIC),
  Africa (AFRINIC)



Defense Against Whois Search
   Bad idea to put false info into databases
     o Important that people can contact you
     o For example, if attack launched from your site
 No real defense against Whois
 Anonymous registration services exist
     o Author is not fond of these
     o Better to train against social engineering




        Domain Name System
 DNS
    o A hierarchical distributed database
    o Like a (hierarchical distributed)
      telephone directory
    o Converts human-friendly names into
      computer-friendly IP addresses
 Internet    is impossible without DNS


                      DNS
 13 root DNS server addresses
    o Often called a "single point" of failure for the Internet,
      but each address is anycast across many physical
      instances worldwide




                     DNS
 DNS example
  o Recursive and iterative searches
  o Resolved locally, if possible
  o Lots and lots of caching


                 DNS
 DNS cache on Windows machine (shown by ipconfig /displaydns)




                         DNS
 Gives IP address of a domain
 Lots of other info
 DNS record types
    o   Address (A; PTR for the reverse): domain name/IP address (or vice-versa)
    o   Host information (HINFO): hardware and OS of a system
    o   Mail exchange (MX): mail system info
    o   Name server (NS): DNS servers
    o   Text (TXT): arbitrary text string



         Interrogating DNS
 Attacker determines DNS servers
    o From registrar's Whois database
 Use nslookup (or dig in Linux) to
  interrogate name servers
    o Zone transfer (all info about domain)
    o See example from text --- IP addresses,
      mail server names, OS types, etc.
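What a zone transfer hands over can be summarized mechanically. The following is an added example, not code from the slides or from the text they follow: it parses the presentation format that `dig @ns1.example.com example.com AXFR` prints (one resource record per line as owner, TTL, class, type, rdata) and groups the records the way a recon report would, including which names resolve into RFC 1918 space and which hosts publish HINFO records. The zone dump is constructed for the example; every name and address in it is fictional.

```python
"""Summarize what an unrestricted DNS zone transfer gives an attacker.

Added example (not from the slides or the text). Input is dig's AXFR
presentation format: owner, TTL, class, type, rdata on one line each.
"""
import re
import shlex

# Constructed sample, shaped like dig's output. A real AXFR begins and
# ends with the SOA record, as this one does. All names/addresses fictional.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.0 <<>> @ns1.example.com example.com AXFR
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.          3600 IN NS    ns1.example.com.
example.com.          3600 IN NS    ns2.example.com.
example.com.          3600 IN MX    10 mail.example.com.
example.com.          3600 IN MX    20 mail2.example.com.
example.com.          3600 IN TXT   "v=spf1 mx ip4:203.0.113.0/24 -all"
ns1.example.com.      3600 IN A     203.0.113.10
ns2.example.com.      3600 IN A     203.0.113.11
www.example.com.      3600 IN A     203.0.113.20
www.example.com.      3600 IN HINFO "Intel" "Linux 2.6"
mail.example.com.     3600 IN A     203.0.113.25
mail.example.com.     3600 IN HINFO "Sun Ultra" "Solaris 8"
mail2.example.com.    3600 IN A     203.0.113.26
fw-internal.example.com. 3600 IN A  10.1.1.1
dev-db.example.com.   3600 IN A     10.1.2.5
dev-db.example.com.   3600 IN HINFO "PC" "Windows 2000 Server"
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_axfr(text):
    """Return (owner, type, rdata) tuples; dig's ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RECORD_RE.match(line)
        if not match:
            continue
        owner, _ttl, rtype, rdata = match.groups()
        records.append((owner.rstrip("."), rtype, rdata.strip()))
    return records


def summarize(records):
    """Group records by what they reveal; the repeated closing SOA is dropped."""
    summary = {
        "name_servers": [],
        "mail_servers": [],    # (preference, host), lowest preference first
        "hosts": {},           # hostname -> [IPv4 addresses]
        "os_info": {},         # hostname -> "hardware / OS" from HINFO
        "text": [],            # TXT strings (SPF records name mail relays)
        "internal_hosts": [],  # names that resolve into RFC 1918 space
    }
    seen = set()
    for record in records:
        if record in seen:
            continue
        seen.add(record)
        owner, rtype, rdata = record
        if rtype == "NS":
            summary["name_servers"].append(rdata.rstrip("."))
        elif rtype == "MX":
            preference, host = rdata.split(None, 1)
            summary["mail_servers"].append((int(preference), host.rstrip(".")))
        elif rtype == "A":
            summary["hosts"].setdefault(owner, []).append(rdata)
            if PRIVATE_RE.match(rdata):
                summary["internal_hosts"].append(owner)
        elif rtype == "HINFO":
            cpu, os_name = shlex.split(rdata)  # HINFO rdata is two quoted strings
            summary["os_info"][owner] = f"{cpu} / {os_name}"
        elif rtype == "TXT":
            summary["text"].append(rdata.strip('"'))
    summary["mail_servers"].sort()
    return summary


def report(summary):
    """Render the summary as the lines an attacker would paste into notes."""
    lines = ["Name servers: " + ", ".join(summary["name_servers"]),
             "Mail servers: " + ", ".join(f"{h} (pref {p})" for p, h in summary["mail_servers"])]
    for host, addrs in sorted(summary["hosts"].items()):
        note = summary["os_info"].get(host, "")
        lines.append(f"  {host:28} {', '.join(addrs):16} {note}".rstrip())
    lines.append("Internal addresses leaked: " + ", ".join(summary["internal_hosts"]))
    lines.append("TXT: " + " | ".join(summary["text"]))
    return lines


if __name__ == "__main__":
    # Against a real target the input comes from
    #   dig @ns1.example.com example.com AXFR
    # or, in the interactive nslookup of the text's era,
    #   server ns1.example.com  then  ls -d example.com
    print("\n".join(report(summarize(parse_axfr(SAMPLE_AXFR)))))
```

Run against a live server, the interesting lines are the ones a public zone should never contain: RFC 1918 addresses (the internal network's layout), HINFO records (OS versions to match against exploit lists) and hostnames like `dev-` or `fw-` that name their own role.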



        DNS Recon Defenses
 Remove info on OS types, etc.
 Restrict zone transfers
    o To primary and secondary name servers
   Employ “split DNS”
    o Allow outside DNS activity related to Web,
      mail, FTP, …, servers
    o No outside DNS directly from internal network




                  Split DNS
   Internal DNS server acts as proxy
    o Relays requests to external DNS
    o Internal users can resolve internal and external
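One way to implement the two defenses above (zone transfers restricted to the secondaries, and split DNS with an internal server that serves internal names and relays everything else outward), as an added BIND 9 `named.conf` example that is not from the slides or the text. The addresses, file names and the `secondaries`/`internal` ACL names are assumptions chosen for the example; substitute your own.

```conf
// Added example: BIND 9 named.conf fragment (not from the slides).
// Addresses are documentation (192.0.2.x, 203.0.113.x) and RFC 1918 ranges.

acl "secondaries" { 192.0.2.2; 192.0.2.3; };   // your secondary name servers
acl "internal"    { 10.0.0.0/8; 127.0.0.1; };  // the internal network

options {
    directory "/var/named";
    allow-transfer { none; };    // default for every zone: no AXFR at all
    version "not disclosed";     // do not answer version.bind queries honestly
};

// Internal view: listed first, so internal clients match here.
// This is the proxy of the slide: it resolves internal names itself and
// forwards everything else, so no internal host talks to outside DNS directly.
view "internal" {
    match-clients { internal; };
    recursion yes;
    forwarders { 203.0.113.53; };   // the external resolver it relays to
    forward only;

    zone "example.com" {
        type master;
        file "internal/db.example.com";   // internal hosts; no HINFO records
        allow-transfer { secondaries; };  // only the named secondaries
    };
};

// External view: what the Internet sees. Only Web, mail, FTP, ... servers
// appear in this zone file, and no recursion is offered to outsiders.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/db.example.com";
        allow-transfer { secondaries; };
    };
};
```

Once views are used, every zone must sit inside a view, and the order of the views matters because the first `match-clients` that fits wins. Check the result from an outside host: `dig @ns1.example.com example.com AXFR` should end in "Transfer failed.", and the answers it does get should be the public zone only.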




General-Purpose Recon Tools
 Sam Spade
    o Detective character in Dashiell
      Hammett's novel, The Maltese Falcon
    o Humphrey Bogart
    o Also a general Web-based recon tool
 Research and attack portals
    o For more specific info



                 Sam Spade
 All the bells and whistles
 Some of Sam Spade's capabilities
    o ping, whois lookups, IP block whois, nslookup,
      DNS zone transfer, traceroute, finger
    o SMTP VRFY --- is given email address valid?
    o Web browser --- view raw HTTP interaction
    o Web crawler --- grab entire web site




Sam Spade
 "The incredibly useful Sam Spade user interface" (screenshot)




  Other General Recon Tools
 Active Whois Browser
    o Whois and DNS tool, $19.95
 NetScanTools Pro
    o Costs $249+
 iNetTools
    o Feature-limited, but free



        Web-based Recon Tools
 Some "run by rather shady operators"
    o   www.samspade.org
    o   www.dnsstuff.com
    o   www.traceroute.org
    o   www.networktools.com
    o   www.cotse.com/refs.htm
    o   www.securityspace.com
    o   www.dlsreports.com


                   AttackPortal
 AttackPortal
  o Helps attacker remain anonymous
  o This site is moribund (2005)


                  Conclusion
   Attacker can gain useful info from variety
    of sources
    o From social engineering to automated tools…
    o …and everything in between
   Useful info might include
    o Contact info, IP addresses, domain names
    o Possibly system details, technologies used, …
   Building blocks for actual attacks


                   Summary
 Sophisticated attacks likely to start
  with recon phase
 Low-tech recon techniques
    o   Social engineering
    o   Spoofed caller ID
    o   Physical access
    o   Dumpster diving


                Summary
 Higher-tech techniques
    o Google hacking, SiteDigger, GHDB
    o Whois databases, InterNIC, ARIN
    o DNS, nslookup, dig
    o Sam Spade, client-side recon tools
    o Web-based recon tools


