Network and Software Systems Security course (Corso di Sicurezza delle Reti e dei Sistemi Software), academic year 2015/16
Ing. Antonio Pirozzi, Università degli Studi del Sannio

Transcript of the course slides (42 pages)

Page 1: Title slide

Network and Software Systems Security course, academic year 2015/16

Ing. Antonio Pirozzi

Università degli Studi del Sannio

Page 2: #whoami

• Research Fellow at University of Sannio
• Vulnerability Researcher for Emaze spa
• ISWATlab co-founder and Researcher

Page 3: Exercises workflow

Page 4: Exercises workflow: phase 1

You are here

Page 5: Exercises workflow: phase 1 (Reconnaissance)

Reconnaissance:

● Military reconnaissance: military observation of a region to locate an enemy or ascertain strategic features.
● Network reconnaissance: the process of acquiring information about a network.

Page 6: Real scenarios... the corporate network

Source: www.corporatecomputingsolutions.com

Network cartography

● Ping
● Traceroute/tracert
● Nmap
● Dnsrecon
● Dig
● whois

Corporate:
- Physical
- Logical
- Electronic
- Infrastructure assets
- On-location gathering

Individual:
- Social network profiles
- Internet presence

Page 7: Real scenarios... a bottom-up view

Source: http://www.potaroo.net/ispcol/2006-05/bgp.html

● Whois for ASNs: whois.radb.net
● IP-to-BGP mapping: whois.cymru.com

BGP: the routing protocol of the Internet. It selects the best path based on the shortest AS path.
ASN: an Autonomous System Number identifies a BGP routing domain.

Showing BGP routes and ASes: let's do it.
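Worked example of the IP-to-BGP mapping mentioned above, added here and not part of the course slides: it parses the pipe-delimited table that whois.cymru.com returns for bulk lookups and maps an address to the announcing ASN and prefix, which is the same lookup a network owner runs to check which of its own ranges are actually announced and by whom. The table embedded below is constructed sample data (documentation prefixes and private-use ASNs 64496/64497), and the column layout is assumed to match the service's verbose output format.

```python
import ipaddress

# Constructed sample of the pipe-delimited "verbose" table that whois.cymru.com
# returns for a bulk IP-to-ASN lookup (sample data, not a real query result;
# the column order is assumed from the service's documented format).
SAMPLE_CYMRU_OUTPUT = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | IT | ripencc  | 2001-01-01 | EXAMPLE-AS-1, IT
64497   | 198.51.100.7     | 198.51.100.0/24     | US | arin     | 2002-02-02 | EXAMPLE-AS-2, US
NA      | 203.0.113.9      | NA                  | NA | NA       | NA         | NA
"""


def parse_cymru(text):
    """Parse the verbose whois.cymru.com table into a list of dicts.
    Rows with 'NA' in the AS column (addresses nobody announces) are kept
    so the caller can see which of its IPs are not routed at all."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":
            continue  # header line or something that is not a data row
        asn, ip, prefix, cc, registry, allocated, as_name = fields
        records.append({
            "asn": None if asn == "NA" else int(asn),
            "ip": ip,
            "prefix": None if prefix == "NA" else ipaddress.ip_network(prefix),
            "cc": cc,
            "registry": registry,
            "allocated": allocated,
            "as_name": as_name,
        })
    return records


def asn_for_ip(records, ip):
    """Return (asn, prefix) of the most specific announced prefix that covers
    ip, or (None, None) when no parsed record covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        if rec["prefix"] is not None and addr in rec["prefix"]:
            if best is None or rec["prefix"].prefixlen > best["prefix"].prefixlen:
                best = rec
    if best is None:
        return None, None
    return best["asn"], str(best["prefix"])


def unrouted_ips(records):
    """Addresses for which the service reported no BGP prefix."""
    return [rec["ip"] for rec in records if rec["prefix"] is None]


if __name__ == "__main__":
    recs = parse_cymru(SAMPLE_CYMRU_OUTPUT)
    for rec in recs:
        print(rec["ip"], "->", rec["asn"], rec["prefix"], rec["as_name"])
    print(asn_for_ip(recs, "192.0.2.200"))
    print("unrouted:", unrouted_ips(recs))
```

Feeding the parser a real answer only requires sending the table's query form (a `begin`/`verbose`/`end` envelope around the IP list) to the service; the parsing and the longest-prefix selection stay the same.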

Page 8: Publicly available information

● Web pages
● Location details (Google Maps, Google Earth)
● Employee details (yellow pages, theHarvester, ...)
● Current events
● Privacy or security policies
● Archived information (Wayback Machine, ...)
● Search engines (Google dorks)
● ...

Page 9: Whois information

ICANN

RIRs (Regional Internet Registries), which allocate IP address blocks:

➔ APNIC: Asia-Pacific region
➔ ARIN: North and South America, sub-Saharan Africa
➔ LACNIC: Latin America and the Caribbean
➔ RIPE: Europe, part of Asia, North Africa and the Middle East
➔ AfriNIC: both regions of Africa managed by ARIN and RIPE

Registry / Registrar / Registrant

Page 10: Whois information

How to find information...

● Domain-related searches
● IP-related searches (IP net blocks, BGP, AS, etc.)

whois.arin.net

Page 11: Reconnaissance: intelligence / information gathering

Open source intelligence (OSINT)

Also includes:
● War driving
● Looking for information stored on discarded computers/devices
● Masquerading as an authorized network user

Passive:
● Social media
● Public website
● Whois
● Infrastructure

Semi-passive (DNSRecon):
● Zone transfer
● Wildcard entries
● DNS lookup and reverse DNS lookup
● Standard record enumeration
● Cache snooping
● Zone walking
● Google lookup

Active:
Step 1: Scanning
Step 2: Identify the server OS
Step 3: Banner grabbing
Step 4: Web server application scan

Page 12: OSINT

Open Source Intelligence (OSINT) is intelligence collected from publicly available sources. It is distinct from RUMINT, SIGINT, HUMINT and GEOINT.

Why OSINT? It allows you to obtain a huge amount of intelligence about your target without sending a single packet to it. (Quoted from Practical OSINT, Shane MacDougall, DerbyCon 2013)

It can be used to optimize an attack:
- password cracking / social engineering

Page 13: Start...

https://www.youtube.com/watch?v=Z-LMQ03A_sw&feature=youtu.be

Page 14: OSINT

Tool deprecation is frequent...

It can be:
- OFFENSIVE
- DEFENSIVE

Information gathering & OSINT tools:
- metagoofil
- FOCA
- theHarvester
- creepy
- exiftool
- Wayback Machine
- whois
- socialmention
- Google Graph Search

Web sites and social media:
- http://trendsmap.com/
- Facebook Graph
- Yandex (search operators: !, +, ~~, &, &&, /, mime)
- http://search.nerdydata.com/
- http://mugshots.com/
- Google
- Wayback Machine
- socialmention
- robtex

Page 15: OSINT process

Source identification → Collection → Data processing & integration → Data analysis → Results

Page 16: DEMO: Maltego

Page 17: Semi-passive reconnaissance: DNSrecon

● Standard record enumeration: A, NS, MX, TXT and CNAME records
● DNS lookup (dig), traversing the entire DNS hierarchy
● Reverse DNS lookup: IP address to hostname via PTR records

Tools:
● Dnsrecon
● Fierce.pl
● Dnsenum
● Subbrute
● DNSmap

Page 18: [Ab]using DNS reconnaissance: DNS lookup

● What is the website's IP address?

Page 19: [Ab]using DNS reconnaissance: DNS lookup

● How do you identify the name servers associated with a domain?

Page 20: [Ab]using DNS reconnaissance: DNS lookup

● What does the delegation path to my zone look like?

Page 21: [Ab]using DNS reconnaissance...

● DNS enumeration 1/3: locating all DNS servers and DNS entries for an organization.

Understanding wildcard entries

Wildcard: *.example.com. 3600 IN MX 10 host1.example.com.

A lookup for the MX record of somerandomname.example.com returns host1.example.com.

Bypassing wildcard entries

Page 22: [Ab]using DNS reconnaissance...

● DNS enumeration 2/3: DNS zone transfer

Tools:
● Fierce.pl
● Dig
● Dnsrecon
● ...

And what if the zone transfer fails??

AXFR request (the zone transfer query type)

Page 23: [Ab]using DNS reconnaissance...

● DNS enumeration 3/3: DNS reverse lookups and DNS brute-forcing will help you enumerate DNS entries.

Diagram: a wordlist entry (addgfdgs.example.com) is looked up; example.com itself resolves to 1.2.3.4.
● If wildcards are set: the response is 1.2.3.5, the wildcard address, even though addgfdgs.example.com was never defined.
● If wildcards are NOT set: a response ("OK") means the subdomain exists; no response means the subdomain does not exist.
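The wildcard handling of pages 21 and 23 as one worked example, added here and not code from the course: a zone with a wildcard is simulated in memory, the wildcard is detected by resolving random labels that cannot exist, and the wordlist run then discards every hit whose answer is merely the wildcard replying. The zone, the wordlist and the `resolve` function are constructed stand-ins for a real resolver (only A records, and only one label under the wildcard, are modelled), so the logic can be run offline; the same inventory of names a zone really answers for is what a defender compares against their asset list.

```python
import secrets
import string

# Constructed in-memory zone standing in for a live resolver (sample data).
# "*.example.com" is the wildcard; the other names are explicit A records.
SIMULATED_ZONE = {
    "example.com":      "1.2.3.4",
    "www.example.com":  "1.2.3.4",
    "mail.example.com": "1.2.3.6",
    "*.example.com":    "1.2.3.5",   # any other direct child of example.com resolves here
}


def resolve(name, zone):
    """Mimic an A lookup: explicit record first, then the parent's wildcard,
    otherwise None (the equivalent of NXDOMAIN). Only one label below the
    wildcard is matched, which is enough for this demonstration."""
    if name in zone:
        return zone[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return zone.get("*." + parent)


def random_label(length=16):
    """A label that has no realistic chance of being a real record."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def detect_wildcard(domain, zone, tries=3):
    """Resolve a few random labels. If every one of them resolves to the same
    address, the zone has a wildcard and that address is the wildcard answer;
    otherwise return None."""
    answers = {resolve(f"{random_label()}.{domain}", zone) for _ in range(tries)}
    if None in answers or len(answers) != 1:
        return None
    return answers.pop()


def enumerate_subdomains(domain, wordlist, zone):
    """Return (wildcard_ip, {name: ip}) keeping only candidates whose answer
    is not simply the wildcard replying (the 'bypassing wildcard entries' step)."""
    wildcard_ip = detect_wildcard(domain, zone)
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ip = resolve(name, zone)
        if ip is None:
            continue                                   # NXDOMAIN: does not exist
        if wildcard_ip is not None and ip == wildcard_ip:
            continue                                   # wildcard answer: not a real host
        found[name] = ip
    return wildcard_ip, found


if __name__ == "__main__":
    words = ["www", "mail", "ftp", "addgfdgs"]
    print(enumerate_subdomains("example.com", words, SIMULATED_ZONE))
    no_wildcard = {k: v for k, v in SIMULATED_ZONE.items() if not k.startswith("*")}
    print(enumerate_subdomains("example.com", words, no_wildcard))
```

The caveat built into this filter is worth keeping in mind when reading results: a real host that deliberately shares the wildcard address is indistinguishable from the wildcard and will be dropped, so a name that matters should be confirmed with a different record type or by looking at the service behind it.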

Page 24: [Ab]using DNS reconnaissance...

● Misc: DNS cache snooping

Non-recursive queries ENABLED on the server: nslookup -norecursive

Non-recursive queries DISABLED, so infer from a recursive query instead:
● checking the time the query takes to process
● checking the TTL
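What a non-recursive query is at the wire level, as an added example that is not part of the slides: the block builds a minimal RFC 1035 query with the RD (recursion desired) bit cleared, which is what `nslookup -norecursive` sends, decodes the header back, and shows the two defender-side checks that follow from it: a resolver meant for internal clients can log RD=0 queries arriving from outside as snooping probes, and the TTL comparison from the slide tells whether an answer came from cache. All helper names and the sample query name are this example's own.

```python
import struct


def build_query(qname, qtype=1, recursion_desired=True, txid=0x1234):
    """Build a minimal DNS query in RFC 1035 wire format. The flags word holds
    RD in bit 8 (0x0100); with RD cleared the server is asked to answer only
    from its own authoritative data or cache and not to go and fetch the
    record, which is what 'nslookup -norecursive' sends."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT = 1
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"                                                # root label terminator
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS = IN


def parse_header(pkt):
    """Decode the 12-byte DNS header into its named fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),        # recursion desired
        "ra": bool(flags & 0x0080),        # recursion available (set in responses)
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_snooping_candidate(pkt, client_is_external):
    """Detection rule for a resolver that should only serve internal clients:
    a query (QR=0) with RD cleared arriving from outside the network is the
    classic cache snooping probe and is worth logging and rate-limiting."""
    h = parse_header(pkt)
    return client_is_external and not h["qr"] and not h["rd"]


def looks_cached(answer_ttl, zone_ttl):
    """The TTL-based inference from the slide: an answer served from cache
    carries a TTL that has already counted down from the zone's value,
    so anything below the configured TTL was already in the cache."""
    return answer_ttl < zone_ttl


if __name__ == "__main__":
    probe = build_query("www.example.com", recursion_desired=False)
    print(probe.hex())
    print(parse_header(probe))
    print("snooping candidate:", is_snooping_candidate(probe, client_is_external=True))
    print("cached:", looks_cached(2400, 3600))
```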

Page 25: Exercise

OSINT and DNS reconnaissance on:
● Facebook.com
● Myspace.com
● Reddit.com
● Mashable.com

One domain for each group.

Expected deliverables: general report (spreadsheet), Maltego graph

Page 26: Active reconnaissance: network recon

• Nmap
• hping3

Scan types:
● TCP SYN scan (-sS)
● TCP connect() scan (-sT)
● UDP scan (-sU)
● TCP FIN, Xmas and Null scans
● Ping scan (-sP)
● Version detection (-sV)
● Idle scan (-sI)
● OS detection
● TCP ACK scan
● Traceroute
● Evading firewalls: not in this module

Port states:
● open
● closed
● filtered
● unfiltered
● open|filtered
● closed|filtered

https://nmap.org/book/man-port-scanning-basics.html

Page 27: Active reconnaissance, network recon: TCP SYN scan (-sS)

Often referred to as "half-open" scanning, because you don't open a full TCP connection.

● nmap -sS 192.168.1.1

Requires root privileges.

Page 28: Active reconnaissance, network recon: TCP connect() scan (-sT)

TCP connect scan is the default TCP scan type when SYN scan is not an option, which is the case when the user does not have raw packet privileges. The connect() system call completes connections to open target ports.

● nmap -sT 192.168.1.1

Page 29: Active reconnaissance, network recon: UDP scan (-sU)

DNS, SNMP and DHCP (registered ports 53, 161/162 and 67/68) are three of the most common UDP services. A UDP scan can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.
● If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed.
● Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10 or 13) mark the port as filtered.
● If no response is received after retransmissions, the port is classified as open|filtered.

● nmap -sU 192.168.1.1
● nmap -sS -sU -Pn 192.168.1.1

Requires root privileges.

Page 30: Active reconnaissance, network recon: TCP FIN, Xmas and Null scans

● Null scan (-sN): does not set any bits (the TCP flags field is 0).
● FIN scan (-sF): sets just the TCP FIN bit.
● Xmas scan (-sX): sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.

Page 65 of RFC 793 says that "if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response". So a RST reply marks the port closed, while no reply leaves it open|filtered.

Page 31: Active reconnaissance, network recon: ping scan (-sP)

● nmap -sP 192.168.1.1-254

nmap will ping every address in that range and return the IP addresses of the hosts that respond.

Page 32: Active reconnaissance, network recon: version detection (-sV)

● nmap -sV --version-intensity 9 192.168.1.1

Sample output:

    Starting nmap 3.45
    Interesting ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp?
    22/tcp   open  ssh         OpenSSH 3.7.1p1 (Protocol 1.99)
    25/tcp   open  smtp
    80/tcp   open  http        Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a FrontPage/5.0.2.2510 PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
    443/tcp  open  ssl/http    Apache httpd 1.3.27 ((Unix) mod_gzip/ ...)
    993/tcp  open  ssl/imap    UW Imapd 2001.315
    995/tcp  open  ssl/pop3    Openwall popa3d
    8888/tcp open  ssl/unknown

An intensity level between 0 and 9 can be specified; the default is 7.

Page 33: Active reconnaissance, network recon: idle scan (-sI), open ports

https://nmap.org/book/idlescan.html

nmap -P0 -p <port> -sI <zombie IP> <target IP>

Page 34: Active reconnaissance, network recon: idle scan (-sI), closed ports

https://nmap.org/book/idlescan.html

Page 35: Active reconnaissance, network recon: idle scan (-sI), filtered ports

https://nmap.org/book/idlescan.html

Page 36: Active reconnaissance, network recon: OS detection

For operating system detection the -O flag can be used:

nmap -O -v 192.168.1.1

Nmap sends a series of TCP and UDP packets to the remote host and examines every bit in the responses, performing dozens of tests such as:
● TCP ISN sampling
● TCP options support and ordering
● IP ID sampling
● the initial window size check

Requires root privileges.

Page 37: Active reconnaissance, network recon: TCP ACK scan

nmap -sA 192.168.1.1

● No RST packet is returned: the port is filtered (a RST reply marks it unfiltered).

Usually used to map firewall rulesets and distinguish between stateful and stateless firewalls.
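The scan types of pages 27, 28, 30 and 37 seen from the other side, as an added example that is not part of the slides: the block runs simple detection logic over constructed capture lines written in tcpdump's `Flags [...]` notation and reports, per source address, which probe pattern it resembles (bare SYNs that never complete a handshake, full connect() handshakes, FIN/Xmas/Null probes, bare ACKs with no preceding SYN) once a source has touched a threshold number of distinct ports. The capture, the threshold and the helper names are this example's own; a real deployment would read the same fields from a flow log or IDS output.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's "Flags [...]" notation (not a real capture):
# 10.0.0.5 sends bare SYNs to 15 ports and resets the one SYN/ACK it gets
# (half-open scan); 10.0.0.6 sends FIN+PSH+URG probes to 12 ports (Xmas);
# 10.0.0.8 sends bare ACKs to 10 ports it never opened (ACK scan);
# 10.0.0.7 completes a normal handshake on a single port.
SAMPLE_CAPTURE = "\n".join(
    [f"IP 10.0.0.5.4{p:04d} > 10.0.0.9.{p}: Flags [S], length 0" for p in range(20, 35)]
    + [f"IP 10.0.0.9.{p} > 10.0.0.5.4{p:04d}: Flags [R.], length 0" for p in range(20, 35) if p != 22]
    + ["IP 10.0.0.9.22 > 10.0.0.5.40022: Flags [S.], length 0",
       "IP 10.0.0.5.40022 > 10.0.0.9.22: Flags [R], length 0"]
    + [f"IP 10.0.0.6.5{p:04d} > 10.0.0.9.{p}: Flags [FPU], length 0" for p in range(80, 92)]
    + [f"IP 10.0.0.8.6{p:04d} > 10.0.0.9.{p}: Flags [.], length 0" for p in range(100, 110)]
    + ["IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [S], length 0",
       "IP 10.0.0.9.443 > 10.0.0.7.51000: Flags [S.], length 0",
       "IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [.], length 0",
       "IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [P.], length 200"]
)

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def probe_type(flags):
    """Map a tcpdump flag string to the nmap probe it resembles."""
    if flags == "none":
        return "null"          # -sN: no flags at all
    if set(flags) == {"F", "P", "U"}:
        return "xmas"          # -sX: FIN+PSH+URG
    if flags == "F":
        return "fin"           # -sF
    if flags == "S":
        return "syn"           # -sS, or the first step of -sT
    if flags == ".":
        return "ack"           # -sA, or the last step of a handshake
    return None                # replies, data, resets: not a probe by themselves


def analyse(capture, min_ports=10):
    """Return {src: [(probe, distinct_port_count), ...]} for every source that
    touched at least min_ports distinct ports with one probe type."""
    syn_sent = set()                       # (src, dst, dport) seen with a bare SYN
    completed = set()                      # handshakes the client finished with an ACK
    probes = defaultdict(set)              # (src, probe) -> {dport}
    for m in LINE_RE.finditer(capture):
        src, dst, dport, flags = m["src"], m["dst"], int(m["dport"]), m["flags"]
        kind = probe_type(flags)
        if kind == "syn":
            syn_sent.add((src, dst, dport))
        elif kind == "ack" and (src, dst, dport) in syn_sent:
            completed.add((src, dst, dport))   # third step of a handshake, not a probe
            continue
        if kind:
            probes[(src, kind)].add(dport)
    findings = defaultdict(list)
    for (src, kind), ports in sorted(probes.items()):
        if kind == "syn":
            done = {p for (s, _, p) in completed if s == src}
            half_open, full = ports - done, ports & done
            if len(half_open) >= min_ports:
                findings[src].append(("syn half-open", len(half_open)))
            if len(full) >= min_ports:
                findings[src].append(("connect", len(full)))
        elif len(ports) >= min_ports:
            findings[src].append((kind, len(ports)))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in analyse(SAMPLE_CAPTURE).items():
        print(src, hits)
```

The distinction the slides draw between -sS and -sT shows up directly in the data: both start with a SYN, but only the connect() scan ever sends the third-step ACK, so the half-open count is exactly the set of SYNs with no completed handshake. The threshold is what keeps a busy legitimate client off the list; tune it to the number of distinct ports a real client of yours ever touches.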

Page 38: Active reconnaissance, network recon: and more.....

Page 39: Active reconnaissance, network recon

1) Scan for the Conficker worm on your LAN, etc.

$ nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.1.1-254

Page 40: Active reconnaissance, network recon

2) Scan the network for rogue APs.

$ nmap -sS -O --open --script=rogueap.nse 192.168.1.1-10

Page 41: Active reconnaissance, network recon

3) Find hosts sharing the same IP address.

nmap -p 80 --script hostmap-bfk.nse nmap.org

Page 42: Active reconnaissance, network recon

4) Traceroute geolocation.

nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com