CIT 380: Securing Computer Systems
Transcript of CIT 380: Securing Computer Systems

Slide 1: Reconnaissance

Slide 2: Domain Name Registration

• Domain registration information
  – Contact information: names, email, phone
  – Postal address
  – Registration dates
  – DNS servers
• Obtaining registration information
  – http://www.internic.net/whois.html
  – whois command
• IP Address Assignments
  – Find ownership information for IP address blocks
  – http://ws.arin.net/whois

Slide 3: whois

```
Domain Name: NKU.EDU
Registrant:
   Northern Kentucky University
   Information Technology
   Lucas Admin Center 507, Nunn Dr
   Highland Heights, KY 41099
Administrative Contact:
   Kathy Bennett
   (859) 572-1577
   [email protected]
Technical Contact:
   Douglas Wells
   (859) 572-5847
   [email protected]
Name Servers:
   NS3.NKU.EDU   192.122.237.203
   NS4.NKU.EDU   192.122.237.204
Domain record activated:    12-Jul-1994
Domain record last updated: 21-Sep-2007
```

Slide 4: whois

```
> host intel.com
intel.com has address 198.175.96.33
> whois 198.175.96.33
[Querying whois.arin.net]
[whois.arin.net]
Intel Corporation NETBLK-INTEL-IT (NET-198-175-64-0-1)
                                  198.175.64.0 - 198.175.123.255
Distributed Network Technical Support INTEL-IT33 (NET-198-175-96-0-1)
                                  198.175.96.0 - 198.175.96.255

# ARIN WHOIS database, last updated 2004-04-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
```

Slide 5: Threats

• Social Engineering
  – Pose as administrative contact via phone/email to gain information
• Wardialing
  – Search telephone exchange for modems
• Domain Hijacking
  – 1998 redirect of aol.com to autonete.net
• Further network investigation
  – DNS queries
  – Network scans of IP address space

Slide 6: Domain Name Service (DNS)

[Diagram of the DNS hierarchy: Root DNS Servers at the top; below them the edu, com and net DNS servers; below the edu servers, the nku.edu DNS servers.]

Slide 7: DNS Lookup

[Diagram: resolution of www.nku.edu between Client, Local DNS Svr, Root DNS Svr, edu DNS Svr and nku.edu DNS Svr.]
1. Client asks Local DNS Svr for www.nku.edu.
2. Local DNS Svr asks Root DNS Svr for www.nku.edu; answer: referral to edu.
3. Local DNS Svr asks edu DNS Svr for www.nku.edu; answer: referral to nku.edu.
4. Local DNS Svr asks nku.edu DNS Svr for www.nku.edu; answer: 192.122.237.7.
5. Local DNS Svr returns www.nku.edu = 192.122.237.7 to the Client.

Slide 8: DNS Record Types

| Record Type | Purpose |
|---|---|
| A | Maps a DNS name to an IP address. |
| HINFO | Arbitrary host information. |
| MX | Identifies a mail server. |
| NS | Identifies a name server. |
| TXT | Arbitrary text used for documentation. |

Slide 9: DNS Reconnaissance

Identify hosts one by one using nslookup or dig commands.

```
$ nslookup
> www.nku.edu
Non-authoritative answer:
Name:    www.nku.edu
Address: 192.122.237.7
> set type=mx
> nku.edu
Non-authoritative answer:
nku.edu mail exchanger = 100 sort1.mxsmtp.com.
nku.edu mail exchanger = 200 sort2.mxsmtp.com.
nku.edu mail exchanger = 300 sort3.mxsmtp.com.

Authoritative answers can be found from:
nku.edu nameserver = ns4.nku.edu.
nku.edu nameserver = ns3.nku.edu.
ns3.nku.edu internet address = 192.122.237.203
```

Slide 10: DNS Zone Transfer

• List all DNS information for a domain
  – Used to sync secondary DNS servers with the primary.
  – Provides the entire DNS database to an attacker.
• Commands
  – host -l -v -t any nku.edu
  – nslookup
    • set type=any
    • ls -d nku.edu
• Defenses
  – ACL allowing zone transfers only for secondary DNS servers.
  – Separate internal and external DNS databases.

Slide 11: Network Mapping

• DNS and whois searches have identified networks of interest.
• Next step: mapping the networks
• traceroute
  – explore network topology
  – identify firewalls
• ping scan
  – find currently up hosts

Slide 12: traceroute

```
> traceroute www.washington.edu
traceroute: Warning: www.washington.edu has multiple addresses; using 140.142.11.6
traceroute to www.washington.edu (140.142.11.6), 30 hops max, 40 byte packets
 1  nku10 (192.122.237.10)  1.642 ms  1.195 ms  1.001 ms
 2  h98.188.140.67.ip.alltel.net (67.140.188.98)  1.716 ms  1.219 ms  1.492 ms
 3  h89.188.140.67.ip.alltel.net (67.140.188.89)  5.493 ms  5.850 ms  5.523 ms
 4  128.163.55.209 (128.163.55.209)  21.311 ms  21.992 ms  21.349 ms
 5  143.215.193.1 (143.215.193.1)  22.730 ms  21.956 ms  22.482 ms
 6  216.24.186.34 (216.24.186.34)  37.851 ms  37.949 ms  37.459 ms
 7  denv-chic-36.layer3.nlr.net (216.24.186.5)  61.102 ms  61.290 ms  61.864 ms
 8  seat-denv-58.layer3.nlr.net (216.24.186.7)  87.954 ms  87.546 ms  87.563 ms
 9  209.124.179.45 (209.124.179.45)  86.930 ms  86.932 ms  86.544 ms
10  209.124.191.133 (209.124.191.133)  87.087 ms  86.794 ms  87.296 ms
11  uwcr-ads-01-vlan1802.cac.washington.edu (205.175.101.9)  86.938 ms  87.157 ms  86.930 ms
12  uwcr-ads-01-vlan3839.cac.washington.edu (205.175.101.158)  87.700 ms  86.899 ms  86.699 ms
13  acar-ads-01-vlan3802.cac.washington.edu (205.175.108.10)  87.058 ms  87.061 ms  86.638 ms
14  www14.cac.washington.edu (140.142.11.6)  87.439 ms  87.137 ms  87.303 ms
```

Slide 13: Network Diagramming

• traceroute to multiple internal hosts
  – identify different paths
  – identify firewalls that prevent traceroute
• Draw map of network based on traceroutes
• Helpful Tools
  – firewalk: route tracing tool that bypasses many firewall configurations that stop traceroute
  – neotrace: geographic map of network route

Slide 14: Defenses

• Firewalls
  – Restrict ingress of packet types commonly used for network mapping, e.g. ICMP.
• Detection
  – IDS can detect network mapping attempts, letting you know which IPs are mapping your network.
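Added example (not from the slides): a sweep detector of the kind the Detection bullet describes, run over constructed firewall log lines in a made-up key=value format. It flags a source that probes many distinct hosts inside a short window, counting both the ICMP echo and the TCP SYN discovery probes the later slides use, and shows that a slow sweep only surfaces once the window is widened.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption, not a real firewall's): one line per packet seen at the border.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) proto=(?P<proto>\w+)(?: type=(?P<type>\d+))?"
                     r"(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>\S+))? src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def _line(sec, src, dst, kind):
    """Build one constructed log line; kind is 'icmp' (echo request) or a TCP destination port."""
    ts = (datetime(2004, 4, 5, 13, 57, 0) + timedelta(seconds=sec)).isoformat()
    tail = "proto=icmp type=8" if kind == "icmp" else f"proto=tcp dport={kind} flags=S"
    return f"{ts} DROP {tail} src={src} dst={dst}"

LOG_LINES = (
    [_line(i // 2, "203.0.113.9", f"10.17.0.{i}", "icmp") for i in range(1, 41)]   # fast ICMP echo sweep
    + [_line(15 * i, "198.51.100.7", f"10.17.0.{i}", 80) for i in range(1, 25)]     # slow TCP/80 sweep
    + [_line(3 * i, "192.0.2.10", "10.17.0.35", 25) for i in range(10)]             # ordinary mail client
)

def parse(line):
    """Return the line's fields as a dict (timestamp parsed), or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def is_probe(ev):
    """Host-discovery probes from the slides: an ICMP echo request or a bare TCP SYN."""
    return (ev["proto"] == "icmp" and ev["type"] == "8") or (ev["proto"] == "tcp" and ev["flags"] == "S")

def detect_sweeps(lines, window_s=60, min_hosts=16):
    """Map each source that probed >= min_hosts distinct hosts within window_s seconds
    to the largest number of distinct hosts it hit inside one window."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None or not is_probe(ev):
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:   # forget probes outside the window
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= min_hosts:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), len(hosts))
    return alerts
```

With the default 60-second window only the fast ICMP sweep is reported; the 15-second-per-host TCP sweep stays under the threshold until `window_s` is raised to several minutes, which is the trade-off between catching slow scans and tolerating busy legitimate clients.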

Slide 15: Ping Scanning

• Send IP packet to each IP address in a network, checking for responses.
• Scan types
  – ICMP echo
  – TCP port 80
  – TCP/UDP specific port
  – Fragmented packets

Slide 16: Ping Scanning

```
> nmap -sP 10.17.0.0/24

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-05 13:57 EDT
Host pc_elan.lc3net (10.17.0.1) appears to be up.
Host 10.17.0.31 appears to be up.
Host 10.17.0.35 appears to be up.
Host sun02 (10.17.0.55) appears to be up.
Host sun09 (10.17.0.64) appears to be up.
Host pc208p01 (10.17.0.66) appears to be up.
Host sun14 (10.17.0.80) appears to be up.
Host 10.17.0.241 appears to be up.
Host 10.17.0.247 appears to be up.
Nmap run completed -- 256 IP addresses (54 hosts up) scanned in 4.510 seconds
```

Slide 17: Defenses

• Firewalls
  – Refuse ICMP echo ingress.
  – Restrict TCP ports to necessary servers
    • port 80 only to web server
    • port 25 only to mail server
• Bypassing defences
  – Multiple sweeps with different target ports.
  – ICMP timestamp and netmask request queries.
  – Fragment scans.

Slide 18: Ping Scan vs Firewall

• Firewall Ruleset
  – pass from any to 10.0.17.31 port 53
  – pass from any to 10.0.17.35 port 25
  – drop all

```
> nmap -sP 10.17.0.0/24

Starting nmap 3.50 at 2004-04-05 13:57
Nmap run completed -- 256 IP addresses (0 hosts up) scanned in 72.430 seconds
```

Slide 19: Ping Scan vs Firewall

• Firewall Ruleset
  – pass from any to 10.0.17.31 port 25 keep state
  – pass from any port 53 to any keep state
  – drop all

> nmap -sP -PS25 10.17.0.0/24
  – bypasses first rule, finds any hosts listening on port 25

> nmap -sP -g 53 10.17.0.0/24
  – bypasses second rule, as packets look like DNS response
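Added example (not from the slides): a small Python model of a stateful packet filter that runs the slide's ruleset beside a corrected one, showing why a rule keyed on *source* port 53 admits a `-g 53` sweep while a keep-state rule on outbound DNS queries still lets genuine replies back in. The filter is applied to packets in both directions; the 10.17.0.0/24 hosts and the outside addresses are constructed, and the slide's mail server is written as 10.17.0.31 here to sit inside the scanned range.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

Packet = namedtuple("Packet", "src sport dst dport")   # one TCP segment, addresses as strings

@dataclass
class Rule:
    action: str                     # "pass" or "drop"
    src_net: Optional[str] = None   # CIDR the source must belong to; None = any
    sport: Optional[int] = None     # source port; None = any
    dst: Optional[str] = None       # destination host; None = any
    dport: Optional[int] = None     # destination port; None = any
    keep_state: bool = False        # record the flow so that its replies pass
    def matches(self, p: Packet) -> bool:
        return ((self.src_net is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net))
                and (self.sport is None or p.sport == self.sport)
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport))

class Firewall:
    """First-match filter applied to packets in both directions, plus a flow table for keep-state rules."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()
    def filter(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.flows:   # reply to a flow a keep-state rule admitted
            return "pass"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.flows.add((p.src, p.sport, p.dst, p.dport))
                return r.action
        return "drop"

def weak_firewall() -> Firewall:
    """The slide's ruleset: rule 2 trusts any packet whose source port is 53."""
    return Firewall([Rule("pass", dst="10.17.0.31", dport=25, keep_state=True),
                     Rule("pass", sport=53, keep_state=True), Rule("drop")])

def hardened_firewall() -> Firewall:
    """Admit DNS only as outbound queries from inside; the replies pass via the flow table."""
    return Firewall([Rule("pass", dst="10.17.0.31", dport=25, keep_state=True),
                     Rule("pass", src_net="10.17.0.0/24", dport=53, keep_state=True), Rule("drop")])

SCANNER = "203.0.113.9"                                 # constructed outside address
PROBE_G53 = Packet(SCANNER, 53, "10.17.0.200", 80)      # nmap -g 53 style: source port 53, any target
PROBE_PS25 = Packet(SCANNER, 40001, "10.17.0.31", 25)   # nmap -PS25 style: SYN to the mail server

def dns_round_trip(fw: Firewall):
    """An inside host queries an outside resolver; returns the (query, reply) decisions."""
    query = fw.filter(Packet("10.17.0.31", 40002, "198.51.100.53", 53))
    reply = fw.filter(Packet("198.51.100.53", 53, "10.17.0.31", 40002))
    return query, reply
```

The weak ruleset also passes the "DNS reply" even when no query ever left the network, which is exactly the property the sweep exploits; the `-PS25` probe passes both rulesets because port 25 to the mail server is intended traffic, so that exposure is accepted rather than fixed by filtering.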

Slide 20: Key Points

1. Reconnaissance
  – Don't forget about low tech means.
  – Organizations give away info on web sites.
2. Registration
  – whois
  – ARIN
3. DNS
  – Recursive DNS query process.
  – Types of DNS records.
  – Zone transfers.