Footprinting
Finding Information
But first some humor
• BLAMESTORMING: Sitting around in a group, discussing why a server went down, and who was responsible.
• SEAGULL MANAGER: A manager who flies in, makes a lot of noise, craps on everything, and then leaves.
• CUBE FARM: An office filled with cubicles.
• MOUSE POTATO: The on-line, wired generation's answer to the couch potato.
• STRESS PUPPY: An admin who seems to thrive on being stressed out, whiney, and complains about stupid users all day.
• SWIPEOUT: An access card that has been rendered useless because the magnetic strip is worn away from extensive use.
• PERCUSSIVE MAINTENANCE: The fine art of whacking the crap out of an electronic device to get it to work again.
• 404: A completely clueless end-user.
• OHNOSECOND: That fraction of time after hitting Enter, in which you realize that you've just permanently erased a big database.
• INOCULATTE: Taking coffee intravenously when you are pulling an all-nighter getting that database online from the backup tapes.
Go from
• We are going to go from a URL
– www.juniata.edu
• To knowing available ports, addresses, and operating system
Basic information
• For www.juniata.edu find the following
– TCP/IP address
– OS
• Not fair to:
– call Joel
– ask Matt or Ned
– rely on what you already know
• Who did it and how?
My machine
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on THOMAS-LAP.juniata.edu (172.16.27.133):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp open smtp
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds
Ping (locally)
Whois
Registrant: NASCAR, Inc. (NASCAR4-DOM)
1801 W. Int'l Speedway Blvd
Daytona Beach, FL 32114 US
Domain Name: NASCAR.COM
Administrative Contact:
Hills, Antony (AHB122) [email protected]
NASCAR, Inc.
1801 West International Speedway Blvd.
Daytona Beach, Fl 32120 US
904-253-0611 904-947-6558
Technical Contact:
TBS Server Operations (TS309-ORG) [email protected]
Turner Broadcasting System, Inc.
One CNN Center
Atlanta, GA 30348 US
404-827-5000 Fax- 404-827-1593
Record expires on 29-Dec-2006.
Record created on 28-Dec-1995.
Database last updated on 6-Feb-2003 15:32:40 EST.
Domain servers in listed order:
TWDNS-01.NS.AOL.COM 149.174.213.151
TWDNS-02.NS.AOL.COM 152.163.239.216
TWDNS-03.NS.AOL.COM 205.188.146.88
TWDNS-04.NS.AOL.COM 64.12.147.120
Us
Domain Name: JUNIATA.EDU
Registrant:
Juniata College
1700 Moore Street
Huntingdon, PA 16652
UNITED STATES
Contacts:
Administrative Contact:
Anne Wood
Juniata College
BSC
Huntingdon, PA 16652
UNITED STATES
(814) 641-5310
[email protected]
Technical Contact:
Anne Wood
Juniata College
BSC
Huntingdon, PA 16652
UNITED STATES
(814) 641-5310
[email protected]
Name Servers:
NS1.JUNIATA.EDU 192.112.102.3
NS2.JUNIATA.EDU 192.112.102.4
Nslookup (inside)
• Can ask for all records in name server:
ARIN search
OrgName: Juniata College
OrgID: JUNIAT
Address: 1700 Moore Street
City: Huntingdon
StateProv: PA
PostalCode: 16652
Country: US

NetRange: 192.112.102.0 - 192.112.102.255
CIDR: 192.112.102.0/24
NetName: JC
NetHandle: NET-192-112-102-0-1
Parent: NET-192-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.JUNIATA.EDU
NameServer: NS2.JUNIATA.EDU
Comment:
RegDate: 1991-08-07
Updated: 2002-03-05

TechHandle: AM202-ARIN
TechName: Wood, Anne
TechPhone: +1-814-641-5310
TechEmail: [email protected]

OrgTechHandle: AM202-ARIN
OrgTechName: Wood, Anne
OrgTechPhone: +1-814-641-5310
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2003-02-05 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
Ping sweep: find active addresses
How about Mars?
Nmap of Mars
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on mars.juniata.edu (172.16.17.214):
(The 1585 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
111/tcp open sunrpc
515/tcp open printer
2049/tcp open nfs
4045/tcp open lockd
6000/tcp open X11
6112/tcp open dtspc
7100/tcp open font-service
12345/tcp open NetBus
32771/tcp open sometimes-rpc5
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19
Remote operating system guess: Solaris 8 early access beta through actual release
Uptime 37.983 days (since Mon Dec 30 14:26:29 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 58 seconds
www.juniata.edu
• Is this right?
– TCP/IP address 172.16.17.209
– Outside 192.112.102.5
– OS
• Linux Kernel 2.4.0 - 2.5.20
• Linux 2.4.19-pre4 on Alpha
– www.netcraft.com
– Nmap
Output for www.juniata.edu
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on www.juniata.edu (172.16.17.209):
(The 1594 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
139/tcp open netbios-ssn
873/tcp open rsync
12345/tcp open NetBus
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
What else
• Ping sweep looking for other active machines
• Do tracert to understand the network
– from outside in, typically have a router, then a firewall just before the destination.
– Nmap router and firewall to get OS
• War dialing for open modems
tracert
tracert from outside to .5
tracert from outside to .3
From outside to .4
From outside to .22
From outside to .9
Vulnerability scanners
Red teaming page 90
• Whois page 91
– Protection page 92
– Name risk for social engineering
• Can use a special contact name to catch it, or initials only: A. Wood
• Although this info can be found other ways, remember the easiest way is what most people use
– Split DNS servers: one for external use, with the minimum information required by the outside world
– Inside DNS with the other name resolution not required by the outside world.
Nslookup
• Used to get IP address of servers
• Get range of IPs to explore address spaces
• Protection
– Must provide DNS data to be "seen"
– The less you provide, the better.
ARIN
• Gets address range and subnet
• Protection
– NAT with private addresses behind the firewall, except for external resources, helps minimize damage
Tracert
• Used to explore and "map" the system
• routes in (necessary to know for Denial of Service)
• Protection
– only way to stop it is to disable ICMP traffic (which tracert uses)
– disables a lot of "features/functionality"
– again security versus features/functionality
ping
• Used to find active addresses
• Run at different times of day
– used to tell "servers" from "workstations"
– only works if users turn off workstations
• Protection
– again, with NAT you can't "see" internal addresses
– ICMP again used for ping
port scan and fingerprinting
• Open ports and operating systems
• Used to find vulnerabilities
• Protection
– firewall only allows traffic on specific ports to specific machines
– the less info the better; gives a limited view
– IDS
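Added example, not from the slides: a small Python checker that parses nmap 3.x text output such as the scans above and reports every open port that an assumed per-host firewall policy does not permit, which is how a defender verifies the "only specific ports to specific machines" rule. The `WEB_POLICY` allow-list is an assumption; the sample scan text is constructed from the www.juniata.edu slide.

```python
import re
from dataclasses import dataclass, field

# nmap 3.x text output: an 'Interesting ports on host (ip):' header, then '21/tcp open ftp' rows.
HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

@dataclass
class ScanResult:
    host: str = ""
    ip: str = ""
    open_ports: dict = field(default_factory=dict)  # (port, proto) -> service name

def parse_nmap(text: str) -> ScanResult:
    """Parse classic nmap text output; only 'open' rows are kept (closed/filtered are ignored)."""
    result = ScanResult()
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            result.host, result.ip = m.group(1), m.group(2)
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            result.open_ports[(int(m.group(1)), m.group(2))] = m.group(4)
    return result

def unexpected_exposure(result: ScanResult, allowed: set) -> list:
    """Return (port, proto, service) for every open port the firewall policy does not permit."""
    return sorted((p, proto, svc) for (p, proto), svc in result.open_ports.items()
                  if (p, proto) not in allowed)

# Constructed sample: the www.juniata.edu scan as shown on the slide (nmap V. 3.00).
SAMPLE = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on www.juniata.edu (172.16.17.209):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
873/tcp    open        rsync
12345/tcp  open        NetBus
"""

# Assumed policy (not from the slides): a public web server exposes only SSH and HTTP.
WEB_POLICY = {(22, "tcp"), (80, "tcp")}

if __name__ == "__main__":
    for port, proto, svc in unexpected_exposure(parse_nmap(SAMPLE), WEB_POLICY):
        print(f"{port}/{proto} ({svc}) is open but not permitted by policy")
```

Everything reported (ftp, sunrpc, netbios-ssn, rsync, NetBus) is either a firewall rule to add or a service to remove from the host; running the same check after each scan turns the slide's "limited view" advice into something measurable.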
Information Gathered
• We now know valid IPs
– open ports
– Operating systems
– map of network (IP of router, firewall)
• Time to discover vulnerabilities and exploit
• Use a tool, SAINT for example
• Explore and find vulnerabilities
Some other scans of home machines
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on HOME1 (192.168.2.9):
(The 1596 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp open ftp
139/tcp open netbios-ssn
389/tcp open ldap
1002/tcp open unknown
1720/tcp open H.323/Q.931
Remote OS guesses: AIX v4.2, Linux 1.3.20 (X86), Windows XP Professional RC1+ through final release, Cayman 2E <http://www.cayman.com/>
Nmap run completed -- 1 IP address (1 host up) scanned in 413 seconds
More open ports
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Interesting ports on thomas-tablet.juniata.edu (192.168.2.52):
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1002/tcp open unknown
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1720/tcp open H.323/Q.931
5000/tcp open UPnP
Of course today's footprinting must include wireless
• http://www.wellenreiter.net/index.html
Wellenreiter: more passive than NetStumbler
NetStumbler
Want to boost your Antenna?
• http://mali.geekcorps.org/article.php3?id_article=39
• Look at HomeToJc in NetStumbler
Fport