Network and Software Systems Security Course (Corso di Sicurezza delle Reti e dei Sistemi Software), academic year 2015/16
Ing. Antonio Pirozzi
Università degli Studi del Sannio
#whoami
• Research Fellow at University of Sannio
• Vuln. Researcher for Emaze spa
• ISWATlab co-founder and Researcher
Exercises workflow
Exercises workflow: phase 1 (you are here)
Reconnaissance:
• Military reconnaissance: military observation of a region to locate an enemy or ascertain strategic features.
• Network reconnaissance: the process of acquiring information about a network.
Real scenarios... The corporate network
Source: www.corporatecomputingsolutions.com
● Ping
● Traceroute/tracert
● Nmap
● Dnsrecon
● Dig
● whois
Network cartography
Corporate:
- Physical
- Logical
- Electronic
- Infrastructure assets
- On-location gathering
Individual:
- Social network profiles
- Internet presence
Real scenarios... A bottom-up view
Source: http://www.potaroo.net/ispcol/2006-05/bgp.html
● Whois ASN: whois.radb.net
● IP to BGP mapping: whois.cymru.com
BGP: the routing protocol of the Internet. It selects the best path based on the shortest AS path. AS (Autonomous System): a BGP routing domain, identified by its ASN.
Showing BGP routes and ASes: let's do it
Publicly available information
● Web pages
● Location details (Google Maps, Google Earth)
● Employee details (yellow pages, theHarvester, ...)
● Current events
● Privacy or security policies
● Archived information (Wayback Machine, ...)
● Search engines (Google dorks)
● ...
Whois info
ICANN
➔ RIRs (Regional Internet Registries), which allocate IP address blocks:
➔ APNIC: Asia-Pacific region
➔ ARIN: North and South America, sub-Saharan Africa
➔ LACNIC: Latin America and Caribbean
➔ RIPE: Europe, part of Asia, North Africa and the Middle East regions
➔ AfriNIC: both regions of Africa previously managed by ARIN and RIPE
Registry / Registrar / Registrant
Whois info
How to find info...
● Domain-related searches
● IP-related searches (IP net blocks, BGP, AS, etc.)
whois.arin.net
Reconnaissance: intelligence / info gathering
Passive:
● Open source intelligence (OSINT): social media, public website, Whois, infrastructure
● Also includes:
● War driving
● Looking for information stored on discarded computers/devices
● Masquerading as an authorized network user
Semi-passive: DNSRecon
● Zone transfer
● Wildcard entries
● DNS lookup and reverse DNS lookup
● Standard record enumeration
● Cache snooping
● Zone walking
● Google lookup
Active:
Step 1: Scanning
Step 2: Identify the server OS
Step 3: Banner grabbing
Step 4: Web server app scan
OSINT
Open Source Intelligence (OSINT) is intelligence collected from publicly available sources (distinct from RUMINT, SIGINT, HUMINT, GEOINT).
Why OSINT? It allows you to obtain a huge amount of intelligence about your target without sending a single packet to it. (Quoting Practical OSINT, Shane MacDougall, DerbyCon 2013)
Optimize an attack:
- password cracking / social engineering
Start...
https://www.youtube.com/watch?v=Z-LMQ03A_sw&feature=youtu.be
OSINT
Tool deprecation is frequent...
It can be:
- Offensive
- Defensive
Information gathering & OSINT tools:
- metagoofil
- FOCA
- theHarvester
- creepy
- exiftool
- Wayback Machine
- whois
- socialmention
- Google Graph Search
Web sites and social media:
- http://trendsmap.com/
- Facebook Graph
- Yandex (search operators: !, +, ~~, &, &&, /, mime)
- http://search.nerdydata.com/
- http://mugshots.com/
- Google
- Wayback Machine
- socialmention
- robtex
OSINT process
Source identification → Collection → Data processing & integration → Data analysis → Results
DEMO: MALTEGO
Semi-passive reconnaissance: DNSrecon
• Standard record enumeration: A records, NS records, MX records, TXT records, CNAME records
● DNS lookup: dig (traversing the entire DNS hierarchy)
● Reverse DNS lookup: IP → hostname (PTR record)
Tools:
● Dnsrecon
● Fierce.pl
● Dnsenum
● Subbrute
● DNSmap
[Ab]USING DNS Reconnaissance: DNS Lookup
● What is the website's IP address?
● How to identify the name servers associated with a domain?
● What does the delegation path to my zone look like?
[Ab]USING DNS Reconnaissance...
• DNS Enumeration 1/3: locating all DNS servers and DNS entries for an organization.
Understanding wildcard entries
Wildcard: *.example.com. 3600 IN MX 10 host1.example.com.
An MX lookup for somerandomname.example.com returns host1.example.com, so any name under the zone appears to exist.
Bypassing wildcard entries
[Ab]USING DNS Reconnaissance...
• DNS Enumeration 2/3:
DNS zone transfer
● Fierce.pl
● Dig
● Dnsrecon
● ...
And what if the zone transfer fails?
AXFR (zone transfer) queries
[Ab]USING DNS Reconnaissance...
• DNS Enumeration 3/3:
DNS reverse lookups and DNS brute-forcing will help you enumerate DNS entries.
Brute-forcing a wordlist against example.com (A record 1.2.3.4), here probing the random name addgfdgs.example.com:
- If wildcards are set: the response is 1.2.3.5 (the wildcard address) for any name, so an answer alone does not prove that the subdomain exists.
- If wildcards are NOT set: an answer (OK) means the subdomain exists; no answer (NXDOMAIN) means the subdomain does not exist.
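The wildcard check from the "Understanding wildcard entries" slide and the brute-force classification from the enumeration 3/3 slide, as an added example that is not part of the original course material: it uses a constructed in-memory zone in place of real DNS queries (resolve(), ZONE and WORDLIST are assumptions chosen here), so it runs offline and shows why a wildcard answer must be filtered out before a hit is trusted.

```python
import random
import string

# Constructed in-memory zone standing in for real DNS answers (not data from the
# slides). The "*" key plays the role of the wildcard entry discussed above.
ZONE = {
    "example.com": "1.2.3.4",
    "www.example.com": "1.2.3.4",
    "mail.example.com": "1.2.3.10",
    "*": "1.2.3.5",  # wildcard: every otherwise-unknown name resolves here
}
# Constructed wordlist; "addgfdgs" mirrors the random label on the slide.
WORDLIST = ["www", "mail", "vpn", "addgfdgs"]


def resolve(name, zone=ZONE):
    """Stand-in for an A lookup: exact record, else the wildcard, else None (NXDOMAIN)."""
    return zone.get(name, zone.get("*"))


def detect_wildcard(domain, zone=ZONE, tries=3):
    """Ask for a few random labels; if they all get the same answer, a wildcard is set."""
    answers = set()
    for _ in range(tries):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        answers.add(resolve(f"{label}.{domain}", zone))
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None


def enumerate_subdomains(domain, wordlist, zone=ZONE):
    """Classify each candidate name so wildcard hits are not counted as real hosts.
    Caveat: a real record that happens to share the wildcard address cannot be told
    apart by address alone; compare other record types (MX, TXT) in that case."""
    wildcard_ip = detect_wildcard(domain, zone)
    results = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn, zone)
        if ip is None:
            results[fqdn] = "does not exist"
        elif ip == wildcard_ip:
            results[fqdn] = "wildcard hit (ignore)"
        else:
            results[fqdn] = f"exists -> {ip}"
    return results
```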
[Ab]USING DNS Reconnaissance...
• Misc: DNS cache snooping
Non-recursive queries (diagram labels: ENABLED / DISABLED)
● checking the time the query takes to process
● checking the TTL
● nslookup -norecursive
Exercise
OSINT and DNS reconnaissance on:
- Facebook.com
- Myspace.com
- Reddit.com
- Mashable.com
One domain for each group.
Expected deliverables: general report (spreadsheet), Maltego graph
Active Reconnaissance: Network Recon
• Nmap
• hping3
Scan types:
● TCP SYN Scan (-sS)
● TCP connect() scan (-sT)
● UDP Scan (-sU)
● TCP FIN, Xmas and Null scans
● Ping Scan (-sP)
● Version Detection (-sV)
● Idle Scan (-sI)
● OS detection
● TCP ACK Scan
● Traceroute
● Evading firewalls: not in this module
Port states:
● Open
● Closed
● Filtered
● Unfiltered
● Open|Filtered
● Closed|Filtered
https://nmap.org/book/man-port-scanning-basics.html
• TCP SYN Scan (-sS) :
often referred to as "half-open" scanning, because you don't open a full TCP connection.
● nmap -sS 192.168.1.1
Requires root
Active Reconnaissance: Network Recon
• TCP connect() scan (-sT):
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. The connect() system call completes the full connection to each open target port.
● nmap -sT 192.168.1.1
Active Reconnaissance: Network Recon
• UDP Scan (-sU):
DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common UDP services. A UDP scan can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered. If no response is received after retransmissions, the port is classified as open|filtered.
● nmap -sU 192.168.1.1
● nmap -sS -sU -Pn 192.168.1.1
Requires root
Active Reconnaissance: Network Recon
• TCP FIN, Xmas and Null scans
● NULL scan (-sN): does not set any bits (the TCP flag header is 0).
● FIN scan (-sF): sets just the TCP FIN bit.
● Xmas scan (-sX): sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
Page 65 of RFC 793 says that "if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response".
Active Reconnaissance: Network Recon
• Ping Scan (-sP):
● nmap -sP 192.168.1.1-254
nmap will ping every address in that range and return the IP of hosts that respond.
Active Reconnaissance: Network Recon
• Version Detection (-sV) :
● nmap -sV --version-intensity 9 192.168.1.1
Starting nmap 3.45
Interesting ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp?
22/tcp   open  ssh         OpenSSH 3.7.1p1 (Protocol 1.99)
25/tcp   open  smtp
80/tcp   open  http        Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a FrontPage/5.0.2.2510 PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
443/tcp  open  ssl/http    Apache httpd 1.3.27 ((Unix) mod_gzip/ ...)
993/tcp  open  ssl/imap    UW Imapd 2001.315
995/tcp  open  ssl/pop3    Openwall popa3d
8888/tcp open  ssl/unknown
An intensity level between 0 and 9 can be specified; the default is 7.
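An added example, not code from the slides: a small parser for the nmap -sV port table above that turns each port line into a record and lists the open ports whose service or version could not be fingerprinted, which is where banner grabbing (Step 3) still has to be done by hand. The output text is reassembled from the slide; Service, parse_nmap_sv and unidentified_open_ports are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample reassembled from the nmap -sV output shown on the slide
# (the "..." on the 443 line is in the original).
NMAP_OUTPUT = """\
Starting nmap 3.45
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp?
22/tcp   open  ssh         OpenSSH 3.7.1p1 (Protocol 1.99)
25/tcp   open  smtp
80/tcp   open  http        Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a FrontPage/5.0.2.2510 PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
443/tcp  open  ssl/http    Apache httpd 1.3.27 ((Unix) mod_gzip/ ...)
993/tcp  open  ssl/imap    UW Imapd 2001.315
995/tcp  open  ssl/pop3    Openwall popa3d
8888/tcp open  ssl/unknown
"""

# One port line of nmap's normal output: "<port>/<proto> <state> <service> [<version>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: Optional[str]

    @property
    def identified(self) -> bool:
        """False when -sV only guessed the name ("ftp?"), gave up ("unknown"), or got no version."""
        return not (self.name.endswith("?") or self.name.endswith("unknown") or self.version is None)


def parse_nmap_sv(text: str) -> List[Service]:
    """Turn the port table of nmap -sV output into Service records; other lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version))
    return services


def unidentified_open_ports(services: List[Service]) -> List[int]:
    """Open ports where fingerprinting failed: these need manual banner grabbing or review."""
    return [s.port for s in services if s.state == "open" and not s.identified]
```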
Active Reconnaissance: Network Recon
• Idle Scan (-sI): open ports, closed ports, filtered ports
https://nmap.org/book/idlescan.html
nmap -P0 -p <port> -sI <zombie IP> <target IP>
Active Reconnaissance: Network Recon
• OS detection :
For operating system detection -O flag can be used
nmap -O -v 192.168.1.1
Nmap sends a series of TCP and UDP packets to the remote host and examines every bit in the responses. After performing dozens of tests such as:
● TCP ISN sampling
● TCP options support and ordering
● IP ID sampling
● the initial window size check
Requires root
Active Reconnaissance: Network Recon
• TCP Ack Scan :
nmap -sA 192.168.1.1
● No RST packet is returned: the port is filtered
Usually used to map firewall rulesets and to distinguish between stateful and stateless firewalls.
Active Reconnaissance: Network Recon
And more.....
Active Reconnaissance: Network Recon
1) Scan for the Conficker worm on your LAN, etc.
$ nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.1.1-254
Active Reconnaissance: Network Recon
2) Scan Network for Rogue APs.
$ nmap -sS -O --open --script=rogueap.nse 192.168.1.1-10
Active Reconnaissance: Network Recon
3) Find hosts sharing the same IP
nmap -p 80 --script hostmap-bfk.nse nmap.org
Active Reconnaissance: Network Recon
4) Traceroute geolocation
nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com