Information Gathering. Before an attack What information do we need? WHOIS details OS & web server...

Post on 27-Mar-2015


Information Gathering

Information Gathering: Before an attack

What information do we need?
WHOIS details
OS & web server details (NetCraft, whois.webhosting.info)
DNS information, zone transfers, reverse DNS lookups
Open ports?

Information Gathering: Legal issues

Is gathering information on a target legal? Yes, BUT port scans are considered to be an attack, so check local laws for further information. Other information gathering techniques are, for the most part, legal, but please check before you proceed.

Information Gathering: WHOIS

www.dk-hostmaster.dk
www.whois.net

What information to look for:
Owner
Administrative contact
Technical contact

Information Gathering: OS & web server details

www.netcraft.com
http://uptime.netcraft.com/up/graph?site=www.whitehouse.gov

Information Gathering: DNS information

www.whois.net

What information to look for: find the DNS server details

Now what?
C:\>nslookup
> server <DNS SERVER FROM ABOVE>
> set type=any          (return all record types)
> ls -d <THE DOMAIN>    (list the zone, i.e. request a zone transfer)

Information Gathering: DNS information (cont.)

Reverse DNS lookup: ping -a <IP> (we can also use nmap as described in the next section)

Information Gathering: Open ports?

We have to install a few things:
WinPcap 3.1: http://www.winpcap.org/install/default.htm
Installer for Windows 95/98/ME/NT4/2000/XP/2003/Vista
NMAP: http://www.insecure.org/nmap/nmap_download.html
Latest stable Nmap command-line zipfile: nmap-3.93-win32.zip

Information Gathering: Open ports? (cont.)

Performing a quick and simple port scan:
SYN scan: nmap -sS -P0 -p- <IP> (C:SYN; S:SYN/ACK; C:RST)
CONNECT scan: nmap -sT -P0 -p- <IP> (three-way handshake: C:SYN; S:SYN/ACK; C:ACK; CS; SC)
SRC port: nmap -sS -P0 -p- -g53 <IP>
Ping sweep: nmap -sP <IP RANGE>
Reverse DNS: nmap -sP -R <[ IP | IP RANGE ]>
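The SYN-scan and connect-scan handshakes above, seen from the defender's side: an added Python example (not part of the original slides) that classifies constructed TCP flag events written in the slide's C:/S: notation and flags any client touching many ports, telling the half-open pattern of nmap -sS apart from the full connects of nmap -sT or a real client. The event format, the sample addresses and the port threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample: (client_ip, server_port, sender, flags) in the slide's
# C:/S: notation. 10.0.0.5 half-opens four ports and probes one closed port;
# 10.0.0.9 is a normal client that completes one handshake.
SAMPLE_EVENTS = [
    ("10.0.0.5", 22, "C", "SYN"), ("10.0.0.5", 22, "S", "SYN/ACK"), ("10.0.0.5", 22, "C", "RST"),
    ("10.0.0.5", 80, "C", "SYN"), ("10.0.0.5", 80, "S", "SYN/ACK"), ("10.0.0.5", 80, "C", "RST"),
    ("10.0.0.5", 443, "C", "SYN"), ("10.0.0.5", 443, "S", "SYN/ACK"), ("10.0.0.5", 443, "C", "RST"),
    ("10.0.0.5", 8080, "C", "SYN"), ("10.0.0.5", 8080, "S", "SYN/ACK"), ("10.0.0.5", 8080, "C", "RST"),
    ("10.0.0.5", 3306, "C", "SYN"), ("10.0.0.5", 3306, "S", "RST/ACK"),
    ("10.0.0.9", 80, "C", "SYN"), ("10.0.0.9", 80, "S", "SYN/ACK"), ("10.0.0.9", 80, "C", "ACK"),
]

# Flag sequences from the slide: a SYN scan tears down with RST before the
# handshake completes, a connect() scan (or a real client) finishes it with ACK.
PATTERNS = {
    ("C:SYN", "S:SYN/ACK", "C:RST"): "half_open",
    ("C:SYN", "S:SYN/ACK", "C:ACK"): "full_connect",
    ("C:SYN", "S:RST/ACK"): "closed",
}

def classify_exchanges(events):
    """Map each (client, port) exchange to a label by its first three flag steps."""
    sequences = defaultdict(list)
    for client, port, sender, flags in events:
        sequences[(client, port)].append(f"{sender}:{flags}")
    return {key: PATTERNS.get(tuple(seq[:3]), "other") for key, seq in sequences.items()}

def find_scanners(events, min_ports=3):
    """Flag clients touching >= min_ports distinct ports (threshold is an assumption,
    tune per environment) and report the dominant exchange pattern."""
    per_client = defaultdict(lambda: defaultdict(set))
    for (client, port), label in classify_exchanges(events).items():
        per_client[client][label].add(port)
    verdicts = {}
    for client, by_label in per_client.items():
        touched = set().union(*by_label.values())
        if len(touched) >= min_ports:
            dominant = max(by_label, key=lambda label: len(by_label[label]))
            verdicts[client] = {"ports": len(touched), "pattern": dominant}
    return verdicts
```

Run against SAMPLE_EVENTS, find_scanners reports 10.0.0.5 with 5 ports and a dominant "half_open" pattern, while the single full handshake from 10.0.0.9 stays below the threshold.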

Information Gathering: Try it on a site you use

Let's try one together:
Gather WHOIS details
OS & web server details (NetCraft)
DNS information, zone transfers, reverse DNS lookups (www.dnsstuff.com)

Web applications

Web applications: What are web applications?

www.securityfocus.com
www.ezenta.com
www.reversing.be
www.whitehouse.gov
msdn.microsoft.com

Any application that uses the HTTP protocol to communicate with its clients

Web applications: What are web applications? (cont.)

REQUEST:
GET /html/default.asp HTTP/1.1
Host: www.ezenta.com
Connection: close
Accept-Encoding: gzip

RESPONSE:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Content-Encoding: gzip

Web applications: What are web applications? (cont.)

Let's have a look at the raw data on the wire...

Web platforms

Web platforms: What technologies exist?

JAVA (i.e. Servlets, JSP)
ASP
.NET (C#, J#, ASP, C++)
PHP
Lotus Notes
Cold Fusion
Native Code (i.e. ISAPI)
CGI (i.e. Perl, C)
BEA WebLogic
IBM WebSphere
Zope (i.e. Python)

Web platforms: What is the difference?

Programming language
Performance
Features
Integration
Stability
Administration
Ease of use
Security
What else?

Web platforms: ASP

Has a tendency to be vulnerable; no/limited built-in facilities

Web platforms: PHP

Global variables can be problematic

Web platforms: Lotus Notes

ACLs on NSF files are often poorly configured

Web platforms: CGI

Native code = native code issues (b0f, i.e. buffer overflows)

Web platforms: Java and .NET security

Source files can be decompiled and read. Any secrets are exposed:
Connection string information
User credentials
Internal addresses

What tools exist to help us?
Java: DJ Decompiler (http://members.fortunecity.com/neshkov/dj.html)
.NET: Salamander (http://www.remotesoft.com/salamander/)

Web platforms: Native code versus web technologies

What's the difference between them with respect to getting the source? Native code = ASM; VM code = byte code

Reversing native code: the original source code is not available, and program flow is harder to follow (IDA Pro can help)

"Reversing" VM code: the original code is readable. DJ turns *.class and *.jar files into Java code; Salamander turns .NET EXEs or DLLs into VB or C#

Web platforms: Reversing demo

Native code
Java
.NET

Web platforms: Protection

Dongles: HASP
VM code: obfuscation techniques (Salamander)
Native code: packers (Exe Shield, Armadillo, ASProtect, Anticrack)

Web platforms: Summary

You don't have to break the law to gather info, although port scanning is illegal

Platforms: some are better than others / more security aware

?