
Teaching at City College San Francisco since 2000
PhD Physics
Certified Ethical Hacker
Security+, Network+, a bunch of MCPs
Working on my CCNA
Big fan of Defcon, OWASP, 2600, HAKIN9, etc.

Ch 1: Footprinting
Ch 2: Scanning
Ch 3: Enumeration
Ch 4: Hacking Windows
Ch 5: Unix/Linux
Ch 6: Remote Connectivity and VoIP Hacking
Ch 7: Network Devices
Ch 8: Wireless Hacking
Ch 9: Hacking Hardware
Ch 10: Hacking Code
Ch 11: Web Hacking
Ch 12: Hacking the Internet User

Proj 2: HTTP Headers
Proj 3: Hacking into a Kiosk
Proj 4: Hacking into Kiosk2
Proj 5: Port Knocking
Proj 6: SideJacking Gmail
Proj 7: Password Recovery on Vista
Proj 8: Firewalk
Proj 9: Web Application Hacking: Hacme Travel
Proj 10: Web Application Hacking: Hacme Bank
Proj 11: Buffer Overflows with Damn Vulnerable Linux
Proj 12: Nikto and Cross-Site Scripting (XSS)
Proj 14: USB PocketKnife
Proj 15: Stealing Cookies with Persistent XSS
Proj 16: VoIP
Proj 17: Fuzzing X-Lite with VoIPER
Proj 18: SIPVicious scanning 3CX and Asterisk PBX Servers
Proj 19: Capturing RAM Contents with Helix
Proj X1: SideJacking Gmail on a Switched Network
Proj X2: Automatic Pwn with Metasploit
Proj X3: SSLstrip
Proj X4: Cracking Cisco Passwords

samsclass.info Click CNIT 124

Everything is available in Word documents

Download it, change it, use it freely

Chapter 1
Footprinting

Google Hacking
Find sensitive data about a company from Google
Completely stealthy—you never send a single packet to the target (if you view the cache)
To find passwords:
– intitle:"Index of" passwd passwd.bak
See links Ch 1a, 1b 
 on my Web page (samsclass.info, click CNIT 124)

Other fun searches
Nessus reports (link Ch 1c)
More passwords (link Ch 1d)

Be The Bot
See pages the way Google's bot sees them

Custom User Agents
Add the "User Agent Switcher" Firefox Extension
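The User Agent Switcher trick works because any server that decides something from the User-Agent header is trusting a string the client chose. As an added example (not part of the lecture or its linked tools), here is the server-side check Google documents for telling a real Googlebot from a browser pretending to be one: a reverse lookup of the client address, then a forward lookup of the returned hostname, which must come back to the same address. The function names (`is_verified_googlebot`, `crawler_privileges_allowed`), the fake resolvers and the DNS records in the block are made up here so it runs offline; the real resolvers at the top use the system DNS.

```python
"""
Verifying a claimed Googlebot by reverse-then-forward DNS instead of by the
User-Agent string.  Added example for this lecture, not the instructor's code.
Anyone can set the User-Agent, so a server that grants crawler-only treatment
(rate-limit exemption, skipping a login wall, etc.) must not decide on the
header alone.  Google's published procedure: the PTR record of the client IP
must end in googlebot.com or google.com, and the forward lookup of that name
must contain the original IP.  Resolvers are injectable so the example runs
offline against the constructed records at the bottom.
"""
import socket
from typing import Callable, List

CRAWLER_DOMAINS = ("googlebot.com", "google.com")


# Default resolvers use the system DNS; the fakes below replace them offline.
def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def system_forward(host: str) -> List[str]:
    return socket.gethostbyname_ex(host)[2]


def is_verified_googlebot(ip: str,
                          reverse: Callable[[str], str] = system_reverse,
                          forward: Callable[[str], List[str]] = system_forward) -> bool:
    """True only if the PTR is under a Google crawler domain AND the forward lookup confirms the IP."""
    try:
        host = reverse(ip).rstrip(".").lower()
    except OSError:
        return False  # no PTR record at all: unverified
    if not any(host == d or host.endswith("." + d) for d in CRAWLER_DOMAINS):
        return False  # PTR does not land in googlebot.com / google.com
    try:
        # A PTR is controlled by whoever owns the reverse zone for that IP, so a
        # PTR that merely *says* googlebot.com proves nothing until the forward
        # lookup of that name returns the same address.
        return ip in forward(host)
    except OSError:
        return False


def crawler_privileges_allowed(user_agent: str, ip: str,
                               reverse: Callable[[str], str] = system_reverse,
                               forward: Callable[[str], List[str]] = system_forward) -> bool:
    """Server-side decision: the User-Agent claim is honoured only after DNS verification."""
    return "googlebot" in user_agent.lower() and is_verified_googlebot(ip, reverse, forward)


# --- Constructed offline DNS records (hypothetical; TEST-NET addresses) ---
FAKE_PTR = {
    "192.0.2.10":   "crawl-192-0-2-10.googlebot.com",  # genuine-looking, forward-confirmed
    "198.51.100.7": "crawl-fake.googlebot.com",        # self-assigned PTR, forward lookup disagrees
    "203.0.113.9":  "host9.example.net",               # ordinary host
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "crawl-fake.googlebot.com":       ["192.0.2.200"],  # points somewhere else: spoof detected
    "host9.example.net":              ["203.0.113.9"],
}


def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(host: str) -> List[str]:
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[host]


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for client_ip in FAKE_PTR:
        print(client_ip, crawler_privileges_allowed(ua, client_ip, fake_reverse, fake_forward))
```

The second fake record is the case that matters: an address whose owner wrote `googlebot.com` into their own reverse zone. A check that stops after the PTR lookup accepts it; the forward confirmation rejects it.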

Footprinting
Gathering target information
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
– Sun Tzu on the Art of War

Environments and the Critical Information Attackers Can Identify
Internet Presence
Intranet
Remote Access (travelling employees)
Extranet (vendors and business partners)

Internet
Domain name
Network blocks
Specific IP addresses of systems reachable via the Internet
TCP and UDP services running on each system identified
System architecture (for example, Sparc vs. x86)
Access control mechanisms and related access control lists (ACLs)
Intrusion-detection systems (IDSs)
System enumeration (user and group names, system banners, routing tables, and SNMP information)
DNS hostnames

Intranet
Networking protocols in use (for example, IP, IPX, DecNET, and so on)
Internal domain names
Network blocks
Specific IP addresses of systems reachable via the intranet
TCP and UDP services running on each system identified
System architecture (for example, SPARC vs. x86)
Access control mechanisms and related ACLs
Intrusion-detection systems
System enumeration (user and group names, system banners, routing tables, and SNMP information)

Remote access
Analog/digital telephone numbers
Remote system type
Authentication mechanisms
VPNs and related protocols (IPSec and PPTP)

Extranet
Connection origination and destination
Type of connection
Access control mechanism

Internet Footprinting
Step 1: Determine the Scope of Your Activities
Step 2: Get Proper Authorization
Step 3: Publicly Available Information
Step 4: WHOIS & DNS Enumeration
Step 5: DNS Interrogation
Step 6: Network Reconnaissance

Step 1: Determine the Scope of Your Activities
Entire organization
Certain locations
Business partner connections (extranets)
Disaster-recovery sites

Step 2: Get Proper Authorization
Ethical Hackers must have authorization in writing for their activities
– "Get Out of Jail Free" card
– Criminals omit this step
Image from www.blackhatseo.fr

Step 3: Publicly Available Information
Company web pages
– Wget and Teleport Pro are good tools to mirror Web sites for local analysis (links Ch 1o & 1p)
– Look for other sites beyond "www"
– Outlook Web Access: https://owa.company.com or https://outlook.company.com
– Virtual Private Networks: http://vpn.company.com or http://www.company.com/vpn

Step 3: Publicly Available Information
Related Organizations
Physical Address
– Dumpster-diving
– Surveillance
– Social Engineering
Tool: Google Earth (link Ch 1q)

Step 3: Publicly Available Information
Phone Numbers, Contact Names, E-mail Addresses, and Personal Details
Current Events
– Mergers, scandals, layoffs, etc. create security holes
Privacy or Security Policies, and Technical Details Indicating the Types of Security Mechanisms in Place

Step 3: Publicly Available Information
Archived Information
– The Wayback Machine (link Ch 1t)
– Google Cache
Disgruntled Employees
Search Engines
– SiteDigger seems to be out of date—I tried to get it to work with a Google AJAX key but it doesn't
– Wikto is an alternative that might still work (link Ch 1u)

Step 3: Publicly Available Information
Usenet
– Groups.google.com
Resumes

iClicker Questions

What causes this CNN Web page to look so strange?
A. Altered monitor resolution
B. Unusual Web browser
C. Altered User-Agent
D. The CNN server has been hacked
E. Ad-blocking software
1 of 3

Which item is not included in the footprinting stage?
A. IP Address blocks
B. Operating systems in use
C. Type of firewall used
D. Administrator passwords
E. Dial-in phone numbers
2 of 3

What makes an ethical hacker different from other sorts of hackers?
A. Using special government-approved hacking techniques
B. Working for a trusted company like Symantec
C. Written authorization from the target system's owner
D. A private investigator's license
E. Certifications such as CISSP
3 of 3

Step 4: WHOIS & DNS Enumeration
Two organizations manage domain names, IP addresses, protocols and port numbers on the Internet
– Internet Assigned Numbers Authority (IANA; http://www.iana.org)
– Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org)
– IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN

Step 4: WHOIS & DNS Enumeration
Domain-Related Searches
– Every domain name, like msn.com, has a top-level domain - .com, .net, .org, etc.
If we surf to http://whois.iana.org, we can search for the authoritative registry for all of .com
– .com is managed by Verisign

Step 4: WHOIS & DNS Enumeration

Step 4: WHOIS & DNS Enumeration

Step 4: WHOIS & DNS Enumeration
Verisign Whois (link Ch 1v)
– Search for ccsf.edu and it gives the Registrar: Whois.educause.net
Three steps:
– Authoritative Registry for top-level domain
– Domain Registrar
– Finds the Registrant

Step 4: WHOIS & DNS Enumeration
Automated tools do all three steps
– Whois.com
– Sam Spade
– Netscan Tools Pro
They are not perfect. Sometimes you need to do the three-step process manually.
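The three-step process (authoritative registry, registrar, registrant) is what the automated tools do under the hood: each WHOIS server's answer names the next server to ask. The script below is an added example, not the instructor's code nor that of Whois.com, Sam Spade or Netscan Tools Pro. It speaks the WHOIS protocol directly (RFC 3912: TCP port 43, query plus CRLF, read to end of stream) and follows the referral lines. `resolve_chain`, `extract_field` and the `FAKE_RESPONSES` table are names and data made up here; the canned answers imitate the line format of IANA, a registry and a registrar so the example runs offline, and `whois_query` is the real network version you would pass in instead.

```python
"""
The three-step WHOIS process from the slides (TLD registry -> registrar ->
registrant), automated by following referrals over the WHOIS protocol
(RFC 3912: connect to TCP port 43, send the query followed by CRLF, read until
the server closes the connection).  Added example, not the instructor's code;
the server responses at the bottom are constructed so it runs offline.
"""
import re
import socket
from typing import Callable, List, Optional, Tuple

# Referral lines: IANA uses "refer:" (and "whois:") to name the TLD registry's
# server; registries name the registrar's server as "Registrar WHOIS Server:".
REFERRAL_RE = re.compile(
    r"^\s*(?:refer|whois|Registrar WHOIS Server)\s*:\s*(\S+)", re.I | re.M)


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """One raw WHOIS exchange: send 'query\\r\\n', read until EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def next_referral(text: str) -> Optional[str]:
    """Server named by the first referral line, or None when this hop is final."""
    m = REFERRAL_RE.search(text)
    return m.group(1).lower().rstrip("/") if m else None


def resolve_chain(domain: str,
                  query: Callable[[str, str], str] = whois_query,
                  start: str = "whois.iana.org",
                  max_hops: int = 5) -> List[Tuple[str, str]]:
    """Walks referrals from IANA; stops when a server refers to itself, repeats, or the hop limit hits."""
    chain: List[Tuple[str, str]] = []
    seen = set()
    server: Optional[str] = start
    while server and server not in seen and len(chain) < max_hops:
        seen.add(server)
        text = query(server, domain)
        chain.append((server, text))
        server = next_referral(text)
    return chain


def extract_field(text: str, field: str) -> Optional[str]:
    """Value of the first 'Field: value' line, e.g. the registrant organisation on the last hop."""
    m = re.search(r"^\s*" + re.escape(field) + r"\s*:\s*(.+?)\s*$", text, re.I | re.M)
    return m.group(1) if m else None


# --- Constructed responses standing in for the three real servers (hypothetical data) ---
FAKE_RESPONSES = {
    ("whois.iana.org", "example.com"):
        "domain:       COM\nrefer:        whois.verisign-grs.com\nstatus:       ACTIVE\n",
    ("whois.verisign-grs.com", "example.com"):
        "   Domain Name: EXAMPLE.COM\n   Registrar WHOIS Server: whois.registrar.example\n"
        "   Registrar: Example Registrar, Inc.\n",
    ("whois.registrar.example", "example.com"):
        "Domain Name: example.com\nRegistrar WHOIS Server: whois.registrar.example\n"
        "Registrant Organization: Example Org\nName Server: ns1.example.com\n",
}


def fake_query(server: str, query: str) -> str:
    """Offline stand-in for whois_query."""
    return FAKE_RESPONSES[(server, query)]


if __name__ == "__main__":
    for hop, text in resolve_chain("example.com", query=fake_query):
        print("==", hop, "==")
        print(text)
```

The `seen` set is what keeps the walk from looping: registrars commonly repeat their own `Registrar WHOIS Server:` line, which is the "refers to itself" stop condition, and the hop limit covers registries that are not perfect about it, which is also why the slide says you sometimes have to finish the three steps by hand.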

Step 4: WHOIS & DNS Enumeration
Once you've homed in on the correct WHOIS server for your target, you may be able to perform other searches if the registrar allows it
You may be able to find all the domains that a particular DNS server hosts, for instance, or any domain name that contains a certain string
– BUT a court decision in South Dakota just declared this illegal (link Ch 1o)

Step 4: WHOIS & DNS Enumeration
How IP addresses are assigned:
– The Address Supporting Organization (ASO; http://www.aso.icann.org) allocates IP address blocks to
– Regional Internet Registries (RIRs), which then allocate IPs to organizations, Internet service providers (ISPs), etc.
– ARIN (http://www.arin.net) is the RIR for North and South America

Step 4: WHOIS & DNS Enumeration
IP-Related Searches
– To track down an IP address:
Use arin.net (link Ch 1x)
It may refer you to a different database
Examples:
– 147.144.1.1
– 61.0.0.2

Step 4: WHOIS & DNS Enumeration
IP-Related Searches
– Search by company name at arin.net to find IP ranges, and AS numbers
– AS numbers are used by BGP (Border Gateway Protocol) to prevent routing loops on Internet routers (link Ch 1y)
– Examples: Google, CCSF

Step 4: WHOIS & DNS Enumeration
Administrative contact gives you name, voice and fax numbers
Useful for social engineering
Authoritative DNS Server can be used for Zone Transfer attempts
– But Zone Transfers may be illegal now (link Ch 1s)

Step 4: WHOIS & DNS Enumeration
Public Database Security Countermeasures
– When an administrator leaves an organization, update the registration database
– That prevents an ex-employee from changing domain information
– You could also put in fake "honeytrap" data in the registration
eBay's domain was hijacked (link Ch 1z1)

Step 5: DNS Interrogation
Zone Transfers
– Gives you a list of all the hosts when it works
– Usually blocked, and maybe even illegal now
– Demonstration (with Ubuntu)
dig soa hackthissite.org
– ANSWER shows SOA is dns1.nettica.com
dig @dns1.nettica.com hackthissite.org axfr

Step 5: DNS Interrogation
Determine Mail Exchange (MX) Records
– You can do it on Windows with NSLOOKUP in Interactive mode

Step 5: DNS Interrogation
DNS Security Countermeasures
– Restrict zone transfers to only authorized servers
– You can also block them at the firewall
DNS name lookups are UDP Port 53
Zone transfers are TCP Port 53

Step 5: DNS Interrogation
DNS Security Countermeasures
– Attackers could still perform reverse lookups against all IP addresses for a given net block
– So, external nameservers should provide information only about systems directly connected to the Internet

Step 6: Network Reconnaissance
Traceroute
– Can find route to target, locate firewalls, routers, etc.
Windows Tracert uses ICMP
Linux Traceroute uses UDP by default

Tracert

NeoTrace
NeoTrace combines Tracert and Whois to make a visual map (link Ch 1z2)

Step 6: Network Reconnaissance
Cain & Abel has a customizable Traceroute function that lets you use any TCP or UDP port, or ICMP
– Link Ch 1z4
– But it didn't work when I tried it on XP or Vista

Step 6: Network Reconnaissance
Firewalk uses traceroute techniques to find ports and protocols that get past firewalls
We will discuss Firewalk later (Chapter 11)

Step 6: Network Reconnaissance
Countermeasures
– Many of the commercial network intrusion-detection systems (NIDS) and intrusion prevention systems (IPS) will detect this type of network reconnaissance
– Snort – the standard IDS (link Ch 1z5)
– RotoRouter – Detects traceroutes and sends fake responses (link Ch 1z6)

Step 6: Network Reconnaissance
Countermeasures
– You may be able to configure your border routers to limit ICMP and UDP traffic to specific systems, thus minimizing your exposure
– Last modified 7-6-09
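The DNS countermeasure slides (zone transfers are TCP port 53, ordinary lookups UDP port 53) and the network reconnaissance countermeasure slides (NIDS such as Snort detect traceroutes; Windows tracert uses ICMP, Linux traceroute UDP) both reduce to recognising a few packet properties in logs a perimeter already produces. The following detector is an added example, not the instructor's code and not how Snort or RotoRouter work internally. It reads iptables-style LOG lines, flags TCP/53 to the authoritative nameserver from any host that is not an authorised secondary, and flags a source as running a traceroute once several low-TTL probes (UDP to the Linux default port range 33434-33534, or ICMP echo requests) have been seen. The log lines, addresses, thresholds and the names `analyze`, `parse_iptables` and `is_traceroute_probe` are all constructed here.

```python
"""
Detection over firewall logs for two reconnaissance techniques covered above:
zone-transfer attempts (TCP/53 to our authoritative DNS server from anything
that is not an authorised secondary) and traceroute probes (Linux-style UDP to
ports 33434-33534, or Windows-style ICMP echo, arriving with a very low TTL).
Added example, not the instructor's code; the iptables-style log lines and all
addresses are constructed (TEST-NET ranges).
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

TRACEROUTE_UDP_PORTS = range(33434, 33535)  # default Linux traceroute destination ports
LOW_TTL = 5          # heuristic: traceroute probes start at TTL 1 and step upward
PROBE_THRESHOLD = 3  # low-TTL probes from one source to one target before alerting


def parse_iptables(line: str) -> Dict[str, str]:
    """Pulls KEY=value tokens (SRC, DST, PROTO, DPT, TTL, TYPE ...) out of an iptables LOG line."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))


def _int(fields: Dict[str, str], key: str, default: int) -> int:
    try:
        return int(fields.get(key, default))
    except ValueError:  # e.g. key present but empty
        return default


def is_traceroute_probe(f: Dict[str, str]) -> bool:
    """Low TTL plus either a UDP traceroute port or an ICMP echo request (type 8)."""
    if _int(f, "TTL", 255) > LOW_TTL:
        return False
    if f.get("PROTO") == "UDP" and _int(f, "DPT", 0) in TRACEROUTE_UDP_PORTS:
        return True
    return f.get("PROTO") == "ICMP" and f.get("TYPE") == "8"


def analyze(lines: Iterable[str], dns_servers: Set[str],
            allowed_secondaries: Set[str]) -> List[Tuple[str, str, str]]:
    """Returns sorted (alert, src, dst) tuples; each pair is reported once."""
    alerts = set()
    probes: Counter = Counter()
    for line in lines:
        f = parse_iptables(line)
        src, dst = f.get("SRC"), f.get("DST")
        if not src or not dst:
            continue
        # Zone transfers ride TCP/53; lookups normally use UDP/53.
        if (f.get("PROTO") == "TCP" and f.get("DPT") == "53"
                and dst in dns_servers and src not in allowed_secondaries):
            alerts.add(("zone-transfer-attempt", src, dst))
        if is_traceroute_probe(f):
            probes[(src, dst)] += 1
            if probes[(src, dst)] >= PROBE_THRESHOLD:
                alerts.add(("traceroute", src, dst))
    return sorted(alerts)


# --- Constructed iptables LOG lines (not real traffic) ---
_P = "Jul  6 10:00:0{n} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 TTL={ttl} PROTO={proto} {rest}"
SAMPLE_LOG = [
    _P.format(n=1, src="203.0.113.5",   dst="198.51.100.53", ttl=52,  proto="TCP",  rest="SPT=40112 DPT=53 SYN"),
    _P.format(n=2, src="198.51.100.54", dst="198.51.100.53", ttl=64,  proto="TCP",  rest="SPT=51000 DPT=53 SYN"),
    _P.format(n=3, src="203.0.113.5",   dst="198.51.100.53", ttl=52,  proto="UDP",  rest="SPT=5353 DPT=53"),
    _P.format(n=4, src="203.0.113.77",  dst="198.51.100.10", ttl=1,   proto="UDP",  rest="SPT=40000 DPT=33434"),
    _P.format(n=5, src="203.0.113.77",  dst="198.51.100.10", ttl=2,   proto="UDP",  rest="SPT=40000 DPT=33435"),
    _P.format(n=6, src="203.0.113.77",  dst="198.51.100.10", ttl=3,   proto="UDP",  rest="SPT=40000 DPT=33436"),
    _P.format(n=7, src="203.0.113.88",  dst="198.51.100.10", ttl=1,   proto="ICMP", rest="TYPE=8 CODE=0 ID=1 SEQ=1"),
    _P.format(n=8, src="203.0.113.88",  dst="198.51.100.10", ttl=1,   proto="ICMP", rest="TYPE=8 CODE=0 ID=1 SEQ=2"),
    _P.format(n=9, src="203.0.113.88",  dst="198.51.100.10", ttl=2,   proto="ICMP", rest="TYPE=8 CODE=0 ID=1 SEQ=3"),
    _P.format(n=9, src="203.0.113.99",  dst="198.51.100.10", ttl=118, proto="ICMP", rest="TYPE=8 CODE=0 ID=2 SEQ=1"),
    _P.format(n=9, src="203.0.113.66",  dst="198.51.100.10", ttl=1,   proto="UDP",  rest="SPT=40000 DPT=33434"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, dns_servers={"198.51.100.53"}, allowed_secondaries={"198.51.100.54"}):
        print(*alert)
```

Two caveats a practitioner would add. TCP/53 is not only zone transfers: large answers that exceed the UDP size fall back to TCP, so the first alert is a lead to check against the nameserver's own log (an authoritative server that is correctly restricted will log the refused AXFR itself), not proof. And the low-TTL rule deliberately ignores the normal ping in the sample (TTL 118) and the single probe from the last source; lowering `PROBE_THRESHOLD` trades that quietness for earlier alerts.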

iClicker Questions

Which technique gives you a complete list of hosts at a company with their IP addresses and names?
A. IANA query
B. Google search
C. NSLOOKUP
D. Zone Transfer
E. Traceroute
1 of 3

Which technique gives you the name of the administrator who controls the DNS registration for a company?
A. IANA query
B. Google search
C. NSLOOKUP
D. Zone Transfer
E. Traceroute
2 of 3

Which technique shows the path your packets take to reach a company's server?
A. IANA query
B. Google search
C. NSLOOKUP
D. Zone Transfer
E. Traceroute
3 of 3