Ch04 Footprinting and Social Engineering
Transcript of Ch04 Footprinting and Social Engineering
Hands-On Ethical Hacking and Network Defense
Chapter 4: Footprinting and Social Engineering
Last modified 2-23-09
Objectives
• Use Web tools for footprinting
• Conduct competitive intelligence
• Describe DNS zone transfers
• Identify the types of social engineering
Using Web Tools for Footprinting
"Case the joint"
• Look over the location
• Find weakness in security systems
• Types of locks, alarms
In computer jargon, this is called footprinting
• Discover information about the organization and its network
Web Tools for Footprinting
Conducting Competitive Intelligence
Numerous resources to find information legally
Competitive Intelligence
• Gathering information using technology
Identify methods others can use to find information about your organization
Limit amount of information company makes public
Analyzing a Company's Web Site
Web pages are an easy source of information
Many tools available
Paros
• Powerful tool for UNIX and Windows
• www.parosproxy.org
• Requires having Java J2SE installed (www.sun.com)
Analyzing a Company's Web Site (continued)
Paros
• Start Paros
• Set proxy server in a browser
• Then go to a site in the browser (mtsconsulting.net is a good test)
• Analyze -> Spider to find all the pages
Setting a Proxy Server in Firefox
• Tools
• Options
• Advanced
• Settings
Then go to
• mtjconsulting.com
Spider Results
In Paros:
• Analyze
• Spider
Finds all the pages in a site
Don't scan any sites without permission!
Just mtjconsulting.com
Scan Results
In Paros:
• Analyze
• Scan
Finds security risks in a site
Again, don't scan sites without permission!
Using Other Footprinting Tools
Whois
• Commonly used tool
• Gathers IP address and domain information
• Attackers can also use it
Host command
• Can look up one IP address, or the whole DNS zone file (all the servers in the domain)
ARIN Whois from Linux
host mit.edu
nc whois.arin.net 43
18.7.22.69
This shows registration information for the domain
Sam Spade
GUI tool
Available for UNIX and Windows
Easy to use
Using E-mail Addresses
E-mail addresses help you retrieve even more information than the previous commands
Find e-mail address format
• Guess other employees' e-mail accounts
Tool to find corporate employee information
• Groups.google.com
Using HTTP Basics
HTTP operates on port 80
Use HTTP language to pull information from a Web server
Basic understanding of HTTP is beneficial for security testers
Return codes
• Reveal information about server OS
Using HTTP Basics (continued)
HTTP methods
• GET / HTTP/1.1 is the most basic method
• Can determine information about server OS from the server's generated output
Using Netcat as a Browser
Use Ubuntu Linux
nc www.ccsf.edu 80
HEAD / HTTP/1.0
• Gets header
GET / HTTP/1.0
• Gets whole Web page
• Open www.ccsf.edu in a browser and compare to source code
Activity 4-3 in your book does not work
Example: OPTIONS (Not in Lecture Notes)
To use HTTP OPTIONS Method, in a Linux Terminal Window:
nc www.w3.org 80
OPTIONS * HTTP/1.1
Host: www.w3.org:80
Press Enter twice
• See links Ch 4c, 4d
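As an added example (not from the lecture or the textbook), this Python script builds the same raw HEAD, GET and OPTIONS requests typed into nc on the slides above and parses a reply to list what the server discloses through its return code, Server banner and Allow header; the sample reply, its banner values and the risky-method list are assumptions, not a capture from any real host.

```python
"""Build the raw HTTP requests typed into nc on the slides and parse what a
server discloses in reply: status line, Server/X-Powered-By banners and the
methods OPTIONS advertises. SAMPLE is a constructed reply, not a capture."""

def build_request(method, path="/", host=None, version="1.0"):
    """Return the bytes you would otherwise type by hand, blank line included."""
    lines = [f"{method} {path} HTTP/{version}"]
    if host:                        # HTTP/1.1 requires a Host header
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_response(raw):
    """Split a raw reply into status code, reason phrase, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # e.g. "HTTP/1.1 200 OK"; reason may be absent
    headers = {}
    for line in lines[1:]:          # header names are case-insensitive
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"code": int(parts[1]), "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "body": body}

RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}   # disable when not needed

def disclosure_report(resp):
    """What the reply tells an outsider: the software banner (the server-OS
    clue the slides mention) and which methods the server says it allows."""
    h = resp["headers"]
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    return {"server": h.get("server"), "powered_by": h.get("x-powered-by"),
            "allowed_methods": sorted(allowed),
            "risky_methods": sorted(allowed & RISKY_METHODS)}

# Constructed reply in the shape an "OPTIONS * HTTP/1.1" request gets back.
SAMPLE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 23 Feb 2009 10:00:00 GMT\r\n"
          b"Server: Apache/2.2.3 (Unix) PHP/5.2.6\r\nX-Powered-By: PHP/5.2.6\r\n"
          b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(build_request("OPTIONS", "*", "www.w3.org:80", "1.1").decode())
    print(disclosure_report(parse_response(SAMPLE)))
```

Run the report against your own servers' replies to see which banners and methods to trim before an outsider reads them.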
Other Methods of Gathering Information
• Cookies
• Web bugs
Detecting Cookies and Web Bugs
Cookie
• Text file generated by a Web server
• Stored on a user's browser
• Information sent back to Web server when user returns
• Used to customize Web pages
• Some cookies store personal information, which is a security issue
Viewing Cookies
In Firefox: Tools, Options, Privacy tab, Show Cookies
Detecting Cookies and Web Bugs (continued)
Web bug
• 1-pixel x 1-pixel image file (usually transparent)
• Referenced in an <IMG> tag
• Usually works with a cookie
• Purpose similar to that of spyware and adware
• Comes from third-party companies specializing in data collection
Bugnosis
Bugnosis is gone, but Firefox has an experimental extension named Foxbeacon
• http://www.shyyonk.net/foxbeacon/download.html
See links Ch 4g, 4h
Using Domain Name Service (DNS) Zone Transfers
DNS
• Resolves host names to IP addresses
• People prefer using URLs to IP addresses
• Extremely vulnerable
Zone Transfer tools
• Dig
• Host
Primary DNS Server
Determining company's primary DNS server
• Look for the Start of Authority (SOA) record
• Shows zones or IP addresses
Using dig to find the SOA
dig soa mit.edu
Shows three servers, with IP addresses
This is a start at mapping the MIT network
Using (DNS) Zone Transfers
Zone Transfer
• Enables you to see all hosts on a network
• Gives you organization's network diagram
MIT has protected their network – zone transfers no longer work
dig @BITSY.mit.edu mit.edu axfr
Command fails now
Blocking Zone Transfers (not in Lecture Notes)
• See link Ch 4e
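The slide only points to a link; as an added example that is not from the lecture or the book, this BIND named.conf fragment shows the weak zone setting beside the corrected one, which is what makes the dig axfr command above fail. The zone name, file path and the 198.51.100.2 secondary address are placeholders.

```conf
// Weak: any client may request AXFR and pull the whole zone, which is the
// network diagram the previous slide describes.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { any; };
};

// Corrected: only the listed secondary server may transfer the zone; every
// other axfr request is refused. Use { none; } if there is no secondary.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 198.51.100.2; };
};
```

After reloading named, run the slide's dig axfr command against your own server from an outside address to confirm the transfer is now refused.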
Introduction to Social Engineering
Older than computers
Targets the human component of a network
Goals
• Obtain confidential information (passwords)
• Obtain personal information
Tactics
• Persuasion
• Intimidation
• Coercion
• Extortion/blackmailing
Introduction to Social Engineering (continued)
The biggest security threat to networks
Most difficult to protect against
Main idea:
• "Why crack a password when you can simply ask for it?"
• Users divulge their passwords to IT personnel
Studies human behavior
• Recognize personality traits
• Understand how to read body language
Introduction to Social Engineering (continued)
Techniques
• Urgency
• Quid pro quo
• Status quo
• Kindness
• Position
Preventing Social Engineering
Train users not to reveal any information to outsiders
Verify caller identity
• Ask questions
• Call back to confirm
Security drills
The Art of Shoulder Surfing
Shoulder surfer
• Reads what users enter on keyboards: logon names, passwords, PINs
Tools for Shoulder Surfing
Binoculars or telescopes or cameras in cell phones
Knowledge of key positions and typing techniques
Knowledge of popular letter substitutions
• s equals $, a equals @
The Art of Shoulder Surfing (continued)
Prevention
• Avoid typing when someone is nearby
• Avoid typing when someone nearby is talking on a cell phone
• Computer monitors should face away from the door or cubicle entryway
• Immediately change your password if you suspect someone is observing you
Dumpster Diving
Attacker finds information in victim's trash
• Discarded computer manuals (notes or passwords written in them)
• Telephone directories
• Calendars with schedules
• Financial reports
• Interoffice memos
• Company policy
• Utility bills
• Resumes of employees
The Art of Dumpster Diving (continued)
Prevention
• Educate your users about dumpster diving
• Proper trash disposal
• Use "disk shredder" software to erase disks before discarding them (software writes random bits, done at least seven times)
• Discard computer manuals offsite
• Shred documents before disposal
The Art of Piggybacking
Trailing closely behind an employee cleared to enter restricted areas
How it works:
• Watch authorized personnel enter an area
• Quickly join them at the security entrance
• Exploit the desire of others to be polite and helpful
• Attacker wears a fake badge or security card
The Art of Piggybacking (continued)
Prevention
• Use turnstiles
• Train personnel to report the presence of strangers
• Do not hold secured doors for anyone, even for people you know
• All employees must use secure cards