Teaching at City College San Francisco since 2000
PhD Physics
Certified Ethical Hacker
Security+, Network+, a bunch of MCPs
Working on my CCNA
Big fan of Defcon, OWASP, 2600, HAKIN9, etc.
Ch 1: Footprinting
Ch 2: Scanning
Ch 3: Enumeration
Ch 4: Hacking Windows
Ch 5: Unix/Linux
Ch 6: Remote Connectivity and VoIP Hacking
Ch 7: Network Devices
Ch 8: Wireless Hacking
Ch 9: Hacking Hardware
Ch 10: Hacking Code
Ch 11: Web Hacking
Ch 12: Hacking the Internet User
Proj 2: HTTP Headers
Proj 3: Hacking into a Kiosk
Proj 4: Hacking into Kiosk2
Proj 5: Port Knocking
Proj 6: SideJacking Gmail
Proj 7: Password Recovery on Vista
Proj 8: Firewalk
Proj 9: Web Application Hacking: Hacme Travel
Proj 10: Web Application Hacking: Hacme Bank
Proj 11: Buffer Overflows with Damn Vulnerable Linux
Proj 12: Nikto and Cross-Site Scripting (XSS)
Proj 14: USB PocketKnife
Proj 15: Stealing Cookies with Persistent XSS
Proj 16: VoIP
Proj 17: Fuzzing X-Lite with VoIPER
Proj 18: SIPVicious scanning 3CX and Asterisk PBX Servers
Proj 19: Capturing RAM Contents with Helix
Proj X1: SideJacking Gmail on a Switched Network
Proj X2: Automatic Pwn with Metasploit
Proj X3: SSLstrip
Proj X4: Cracking Cisco Passwords
samsclass.info Click CNIT 124
Everything is available in Word documents
Download it, change it, use it freely
Google Hacking
Find sensitive data about a company from Google
Completely stealthy: you never send a single packet to the target (if you view the cache)
– The search itself still goes to Google, and if you click through to the live site instead of the cached copy, the target's web server logs your request
To find passwords:
– intitle:"Index of" passwd passwd.bak
See links Ch 1a, 1b on my Web page (samsclass.info, click CNIT 124)
Other fun searches
– Nessus reports (link Ch 1c)
– More passwords (link Ch 1d)
Be The Bot
See pages the way Google's bot sees them
Custom User Agents
– Add the "User Agent Switcher" Firefox Extension
– Sites that "cloak" serve crawlers different content than browsers, so comparing the two views can reveal pages meant only for the index
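Switching the User-Agent by hand in Firefox works one page at a time; the script below, an added example that is not part of these slides, automates the comparison. It starts a small local web server, constructed for the demo, that cloaks: it serves an extra link only when the User-Agent says Googlebot. It then fetches the page as Firefox and as Googlebot and reports what only the bot received. The User-Agent strings, the page contents and the localhost URL are assumptions for the demo; against a real site you would hand its URL to bot_only_lines() and skip the local server.

```python
"""Be the bot: compare what a site serves to Googlebot and to a browser.

Added example, not from the slides. A throwaway local HTTP server
(constructed for the demo) "cloaks" by adding content when the
User-Agent looks like Googlebot; fetch_as() requests the page with a
chosen User-Agent and bot_only_lines() reports what only the bot gets,
which is what the User Agent Switcher extension lets you see by hand.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"

# Constructed pages: the crawler version leaks a link the browser never sees.
PUBLIC_PAGE = "<html><body>\n<h1>Welcome</h1>\n<p>Public content.</p>\n</body></html>\n"
BOT_ONLY_LINE = '<p><a href="/backup/passwd.bak">crawlable backup</a></p>'


class CloakingHandler(BaseHTTPRequestHandler):
    """Serves different HTML depending on the User-Agent header."""

    def do_GET(self):
        body = PUBLIC_PAGE
        if "Googlebot" in self.headers.get("User-Agent", ""):
            body = PUBLIC_PAGE.replace("</body>", BOT_ONLY_LINE + "\n</body>")
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_server():
    """Start the cloaking server on an ephemeral 127.0.0.1 port; caller shuts it down."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_as(url, user_agent):
    """GET url with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def bot_only_lines(url):
    """Lines served to Googlebot but not to a browser; empty means no cloaking seen."""
    browser_view = fetch_as(url, BROWSER_UA).splitlines()
    bot_view = fetch_as(url, GOOGLEBOT_UA).splitlines()
    return [line for line in bot_view if line not in browser_view]


if __name__ == "__main__":
    server = start_server()
    url = "http://127.0.0.1:%d/" % server.server_address[1]
    print("bot-only content:", bot_only_lines(url) or "none")
    server.shutdown()
```

Run it with no arguments and it prints the single line the cloaking server hides from browsers. Real crawlers also verify themselves by reverse DNS, so a site that checks the source address rather than the header will not be fooled by this trick; the header comparison only catches the common, lazy kind of cloaking.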
Footprinting
Gathering target information
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
– Sun Tzu on the Art of War
Environments and the Critical Information Attackers Can Identify
Internet Presence
Intranet
Remote Access (travelling employees)
Extranet (vendors and business partners)
Internet
– Domain name
– Network blocks
– Specific IP addresses of systems reachable via the Internet
– TCP and UDP services running on each system identified
– System architecture (for example, SPARC vs. x86)
– Access control mechanisms and related access control lists (ACLs)
– Intrusion-detection systems (IDSs)
– System enumeration (user and group names, system banners, routing tables, and SNMP information)
– DNS hostnames
Intranet
– Networking protocols in use (for example, IP, IPX, DECnet, and so on)
– Internal domain names
– Network blocks
– Specific IP addresses of systems reachable via the intranet
– TCP and UDP services running on each system identified
– System architecture (for example, SPARC vs. x86)
– Access control mechanisms and related ACLs
– Intrusion-detection systems
– System enumeration (user and group names, system banners, routing tables, and SNMP information)
Remote access
– Analog/digital telephone numbers
– Remote system type
– Authentication mechanisms
– VPNs and related protocols (IPSec and PPTP)
Extranet
– Connection origination and destination
– Type of connection
– Access control mechanism
Internet Footprinting
Step 1: Determine the Scope of Your Activities
Step 2: Get Proper Authorization
Step 3: Publicly Available Information
Step 4: WHOIS & DNS Enumeration
Step 5: DNS Interrogation
Step 6: Network Reconnaissance
Step 1: Determine the Scope of Your Activities
Entire organization
Certain locations
Business partner connections (extranets)
Disaster-recovery sites
Step 2: Get Proper Authorization
Ethical Hackers must have authorization in writing for their activities
– "Get Out of Jail Free" card
– It should spell out the scope from Step 1 (address ranges, hosts, dates); systems hosted by a third party need that provider's consent as well
– Criminals omit this step
Image from www.blackhatseo.fr
Step 3: Publicly Available Information
Company web pages
– Wget and Teleport Pro are good tools to mirror Web sites for local analysis (links Ch 1o & 1p)
– Look for other sites beyond "www"
– Outlook Web Access: https://owa.company.com or https://outlook.company.com
– Virtual Private Networks: http://vpn.company.com or http://www.company.com/vpn
Step 3: Publicly Available Information
Related Organizations
Physical Address
– Dumpster-diving
– Surveillance
– Social Engineering
Tool: Google Earth (link Ch 1q)
Step 3: Publicly Available Information
Phone Numbers, Contact Names, E-mail Addresses, and Personal Details
Current Events
– Mergers, scandals, layoffs, etc. create security holes
Privacy or Security Policies, and Technical Details Indicating the Types of Security Mechanisms in Place
Step 3: Publicly Available Information
Archived Information
– The Wayback Machine (link Ch 1t)
– Google Cache
Disgruntled Employees
Search Engines
– SiteDigger seems to be out of date; I tried to get it to work with a Google AJAX key but it doesn't
– Wikto is an alternative that might still work (link Ch 1u)
Step 3: Publicly Available Information
Usenet
– Groups.google.com
Resumes
What causes this CNN Web page to look so strange?
A. Altered monitor resolution
B. Unusual Web browser
C. Altered User-Agent
D. The CNN server has been hacked
E. Ad-blocking software
1 of 3
Which item is not included in the footprinting stage?
A. IP Address blocks
B. Operating systems in use
C. Type of firewall used
D. Administrator passwords
E. Dial-in phone numbers
2 of 3
What makes an ethical hacker different from other sorts of hackers?
A. Using special government-approved hacking techniques
B. Working for a trusted company like Symantec
C. Written authorization from the target system's owner
D. A private investigator's license
E. Certifications such as CISSP
3 of 3
Step 4: WHOIS & DNS Enumeration
Two organizations manage domain names, IP addresses, protocols and port numbers on the Internet
– Internet Assigned Numbers Authority (IANA; http://www.iana.org)
– Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org)
– IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN
– (Update: since 2016 the IANA functions have been performed by Public Technical Identifiers, PTI, an affiliate of ICANN)
Step 4: WHOIS & DNS Enumeration
Domain-Related Searches
– Every domain name, like msn.com, has a top-level domain: .com, .net, .org, etc.
– If we surf to http://whois.iana.org, we can search for the authoritative registry for all of .com
– .com is managed by Verisign
Step 4: WHOIS & DNS Enumeration
Verisign Whois (link Ch 1v)
– Search for ccsf.edu and it gives the Registrar: Whois.educause.net
Three steps:
– Authoritative Registry for the top-level domain
– Domain Registrar
– Finds the Registrant
Step 4: WHOIS & DNS Enumeration
Automated tools do all three steps
– Whois.com
– Sam Spade
– Netscan Tools Pro
– (The command-line whois client on Linux and macOS also follows the referral from registry to registrar)
They are not perfect. Sometimes you need to do the three-step process manually.
Step 4: WHOIS & DNS Enumeration
Once you've homed in on the correct WHOIS server for your target, you may be able to perform other searches if the registrar allows it
You may be able to find all the domains that a particular DNS server hosts, for instance, or any domain name that contains a certain string
– BUT a court decision in South Dakota just declared this illegal (link Ch 1o)
Step 4: WHOIS & DNS Enumeration
How IP addresses are assigned:
– IANA, under policies developed through ICANN's Address Supporting Organization (ASO; http://www.aso.icann.org), allocates IP address blocks to
– Regional Internet Registries (RIRs), which then allocate IPs to organizations, Internet service providers (ISPs), etc.
– ARIN (http://www.arin.net) is the RIR for the United States, Canada and parts of the Caribbean; LACNIC covers Latin America and the rest of the Caribbean, RIPE NCC Europe and the Middle East, APNIC the Asia-Pacific region, and AFRINIC Africa
Step 4: WHOIS & DNS Enumeration
IP-Related Searches
– To track down an IP address:
– Use arin.net (link Ch 1x)
– It may refer you to a different database (another RIR, when the address is outside ARIN's region)
Examples:
– 147.144.1.1
– 61.0.0.2
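The three-step domain lookup (registry for the TLD, then registrar, then registrant) and the ARIN lookup that refers you to another RIR are the same loop: query a WHOIS server, read the referral line in its answer, query the next server. The script below is an added example, not from the slides: it queries WHOIS servers over port 43 and follows whatever referral line it recognises. SAMPLE_ANSWERS are constructed, abbreviated answers (whois.registrar.example is a made-up registrar) so the chain runs offline; with a domain or IP address on the command line it queries the real servers.

```python
"""Follow WHOIS referrals the way the three-step lookup does by hand:
IANA -> TLD registry -> registrar for a domain, ARIN -> another RIR
for an IP address.

Added example, not from the slides. whois_query() is a raw port-43
query (RFC 3912); whois_chain() repeats it, reading each answer for a
referral line, until nobody refers it onward. SAMPLE_ANSWERS are
constructed, abbreviated answers (the registrar name is made up) so
the chain can be run offline with query_fn=fake_query.
"""
import re
import socket

# Referral lines seen in the different kinds of answers.
REFERRAL_PATTERNS = [
    re.compile(r"^\s*whois:\s*(\S+)", re.I | re.M),                   # whois.iana.org
    re.compile(r"^\s*Registrar WHOIS Server:\s*(\S+)", re.I | re.M),  # thin registries (Verisign)
    re.compile(r"^\s*Whois Server:\s*(\S+)", re.I | re.M),            # older registry output
    re.compile(r"^\s*ReferralServer:\s*whois://(\S+)", re.I | re.M),  # ARIN -> other RIR
]


def whois_query(server, query, timeout=10):
    """Send one WHOIS query to server:43 and return the whole text answer."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def find_referral(answer):
    """Return the next WHOIS server named in an answer, or None if it is final."""
    for pattern in REFERRAL_PATTERNS:
        match = pattern.search(answer)
        if match:
            return match.group(1).rstrip("/").lower()
    return None


def is_ipv4(target):
    try:
        socket.inet_aton(target)
        return True
    except OSError:
        return False


def whois_chain(target, query_fn=whois_query, max_hops=5):
    """Return [(server, answer), ...], one entry per hop of the lookup."""
    if is_ipv4(target):
        server, query = "whois.arin.net", target
    else:
        # Step 1: ask IANA which registry runs the top-level domain.
        server, query = "whois.iana.org", target.rstrip(".").rsplit(".", 1)[-1]
    hops, seen = [], set()
    for _ in range(max_hops):
        answer = query_fn(server, query)
        hops.append((server, answer))
        seen.add(server)
        next_server = find_referral(answer)
        if next_server is None or next_server in seen:
            break
        # Steps 2 and 3: ask the registry, then the registrar, about the full name.
        server, query = next_server, target
    return hops


# Constructed, abbreviated answers so the chain can be exercised offline.
SAMPLE_ANSWERS = {
    ("whois.iana.org", "com"):
        "domain:      COM\nwhois:       whois.verisign-grs.com\nstatus:      ACTIVE\n",
    ("whois.verisign-grs.com", "example.com"):
        "   Domain Name: EXAMPLE.COM\n   Registrar WHOIS Server: whois.registrar.example\n",
    ("whois.registrar.example", "example.com"):   # hypothetical registrar
        "Domain Name: example.com\nRegistrant Organization: Example Org\n"
        "Admin Phone: +1.5555550100\n",
    ("whois.arin.net", "61.0.0.2"):
        "NetRange:       61.0.0.0 - 61.255.255.255\nReferralServer:  whois://whois.apnic.net\n",
    ("whois.apnic.net", "61.0.0.2"):
        "inetnum:        61.0.0.0 - 61.0.255.255\nnetname:        CONSTRUCTED-EXAMPLE\n",
}


def fake_query(server, query):
    """Stand-in for whois_query() that answers from SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS[(server, query)]


if __name__ == "__main__":
    import sys
    # No argument: walk the constructed chain offline.  With a domain or IP: go live.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    fn = whois_query if len(sys.argv) > 1 else fake_query
    for server, answer in whois_chain(target, query_fn=fn):
        print("==", server, "==")
        print(answer.strip()[:600])
```

The seen set stops the loop when a registrar's answer points back at a server already asked, which is the usual way the automated tools get stuck. Every query also tells each WHOIS server in the chain what you are looking at, so the "stealthy" claim made for Google searches does not apply here.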
Step 4: WHOIS & DNS Enumeration
IP-Related Searches
– Search by company name at arin.net to find IP ranges and AS numbers
– An Autonomous System (AS) number identifies one network in BGP (Border Gateway Protocol); the AS path carried with every BGP route is how Internet routers detect and prevent routing loops (link Ch 1y)
– Examples: Google, CCSF
Step 4: WHOIS & DNS Enumeration
Administrative contact gives you name, voice and fax numbers
– Useful for social engineering
– Since 2018 most registrars redact registrant and contact details for privacy (GDPR), so expect a proxy address or web form where a name used to be
Authoritative DNS Server can be used for Zone Transfer attempts
– But Zone Transfers may be illegal now (link Ch 1s)
Step 4: WHOIS & DNS Enumeration
Public Database Security Countermeasures
– When an administrator leaves an organization, update the registration database
– That prevents an ex-employee from changing domain information
– You could also put in fake "honeytrap" data in the registration
– Lock the domain at the registrar (the clientTransferProhibited and clientUpdateProhibited statuses) and put multi-factor authentication on the registrar account, so a stolen contact identity alone cannot move the domain
eBay's domain was hijacked (link Ch 1z1)
Step 5: DNS Interrogation
Zone Transfers
– Gives you a list of all the hosts when it works
– Usually blocked, and maybe even illegal now
– Demonstration (with Ubuntu)
dig soa hackthissite.org
– The ANSWER section's SOA record names the primary name server (its MNAME field): dns1.nettica.com
dig @dns1.nettica.com hackthissite.org axfr
– A server that will not transfer answers with status REFUSED or simply closes the connection; try each server in the NS records, since secondaries are sometimes configured more loosely than the primary
Step 5: DNS Interrogation
Determine Mail Exchange (MX) Records
– You can do it on Windows with NSLOOKUP in interactive mode: run nslookup, type set type=mx, then the domain name
Step 5: DNS Interrogation
DNS Security Countermeasures
– Restrict zone transfers to only authorized servers
– You can also block them at the firewall
DNS name lookups are UDP Port 53
Zone transfers are TCP Port 53
– Caveat: ordinary lookups also use TCP 53 whenever an answer is too big for UDP (the truncated-response retry, common with DNSSEC), so blocking TCP 53 outright breaks name resolution; restrict AXFR in the name server itself (BIND's allow-transfer, ideally with TSIG keys) and leave the port open
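To see what the dig axfr demonstration above puts on the wire, and why a zone transfer is something an IDS watching TCP 53 can pick out while ordinary TCP lookups pass, here is an added example in Python that is not part of the slides: it builds the AXFR query dig sends, classifies TCP-framed DNS queries by QTYPE the way a detection rule would, parses the answer records, and can attempt a transfer against a server you name. The server and zone in the comments are the ones from the demo; the messages used in the test are built by these functions, not captured traffic.

```python
"""Build and recognise DNS zone-transfer (AXFR) requests on the wire.

Added example, not from the slides: build_axfr_query() makes what
`dig @server zone axfr` sends (QTYPE 252, TCP-framed); classify_tcp_dns()
flags such queries the way an IDS rule on TCP/53 would; axfr() tries one.
"""
import socket
import struct

QTYPE_SOA, QTYPE_IXFR, QTYPE_AXFR = 6, 251, 252
TRANSFER_TYPES = {QTYPE_AXFR: "AXFR", QTYPE_IXFR: "IXFR"}


def encode_name(name):
    """Encode 'hackthissite.org' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; return (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                      # resume after the first pointer
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, qtype, txid=0x1234, flags=0x0000):
    """Return one TCP-framed DNS query: 2-byte length, header, question (class IN)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def build_axfr_query(zone, txid=0x1234):
    return build_query(zone, QTYPE_AXFR, txid)


def classify_tcp_dns(frame):
    """Parse a TCP-framed DNS message; return (qname, qtype, is_zone_transfer)."""
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    if struct.unpack("!H", msg[4:6])[0] < 1:          # QDCOUNT == 0: nothing to classify
        return None, None, False
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return qname, qtype, qtype in TRANSFER_TYPES


def parse_records(msg):
    """Yield (name, rtype) for every answer-section record in one DNS message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                          # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        yield name, rtype


def axfr(server, zone, timeout=10):
    """Attempt a zone transfer; return [(name, rtype), ...], empty if refused."""
    records, buf = [], b""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        while True:                # the answer arrives as one or more TCP-framed messages
            data = s.recv(65535)
            if not data:
                break
            buf += data
            while len(buf) >= 2 and len(buf) >= 2 + struct.unpack("!H", buf[:2])[0]:
                (n,) = struct.unpack("!H", buf[:2])
                records.extend(parse_records(buf[2:2 + n]))
                buf = buf[2 + n:]
            if sum(1 for _, t in records if t == QTYPE_SOA) >= 2:
                break              # the zone's SOA is sent first and last: transfer complete
    return records


if __name__ == "__main__":
    import sys
    frame = build_axfr_query("hackthissite.org")
    print("on the wire:", frame.hex(), "->", classify_tcp_dns(frame))
    if len(sys.argv) == 3:         # python axfr.py dns1.nettica.com hackthissite.org
        for name, rtype in axfr(sys.argv[1], sys.argv[2]):
            print(rtype, name)
```

The classifier keys on the QTYPE in the question, not on the port, which is why a rule written this way does not fire on the large, truncated-retry lookups that legitimately use TCP 53; a firewall that only sees the port cannot make that distinction.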
Step 5: DNS Interrogation
DNS Security Countermeasures
– Attackers could still perform reverse lookups against all IP addresses for a given net block
– So, external nameservers should provide information only about systems directly connected to the Internet
Step 6: Network Reconnaissance
Traceroute
– Can find route to target, locate firewalls, routers, etc.
Windows Tracert uses ICMP
Linux Traceroute uses UDP by default
– traceroute -I sends ICMP echo instead, and traceroute -T sends TCP SYN, which gets through when a firewall drops UDP and ICMP but must pass port 80 or 443
NeoTrace
– NeoTrace combines Tracert and Whois to make a visual map (link Ch 1z2)
Step 6: Network Reconnaissance
Cain & Abel has a customizable Traceroute function that lets you use any TCP or UDP port, or ICMP
– Link Ch 1z4
– But it didn't work when I tried it on XP or Vista
Step 6: Network Reconnaissance
Firewalk uses traceroute techniques to find ports and protocols that get past firewalls
We will discuss Firewalk later (Chapter 11)
Step 6: Network Reconnaissance
Countermeasures
– Many of the commercial network intrusion-detection systems (NIDS) and intrusion prevention systems (IPS) will detect this type of network reconnaissance
– Snort, the standard IDS (link Ch 1z5)
– RotoRouter: detects traceroutes and sends fake responses (link Ch 1z6)
Step 6: Network Reconnaissance
Countermeasures
– You may be able to configure your border routers to limit ICMP and UDP traffic to specific systems, thus minimizing your exposure
– Last modified 7-6-09
Which technique gives you a complete list of hosts at a company with their IP addresses and names?
A. IANA query
B. Google search
C. NSLOOKUP
D. Zone Transfer
E. Traceroute
1 of 3
Which technique gives you the name of the administrator who controls the DNS registration for a company?
A. IANA query
B. Google search
C. NSLOOKUP
D. Zone Transfer
E. Traceroute
2 of 3