Information Gathering
Information Gathering: Before an attack
What information do we need?
- WHOIS details
- OS & web server details (NetCraft, whois.webhosting.info)
- DNS information, zone transfers, reverse DNS lookups
- Open ports?
Information Gathering: Legal issues
Is gathering information on a target legal? Yes, BUT port scans are considered to be an attack, so check local laws for further information. Other information gathering techniques are, for the most part, legal, but please check before you proceed.
Information Gathering: WHOIS
www.dk-hostmaster.dk
www.whois.net
What information to look for:
- Owner
- Administrative contact
- Technical contact
Information Gathering: OS & web server details
www.netcraft.com
http://uptime.netcraft.com/up/graph?site=www.whitehouse.gov
Information Gathering: DNS information
www.whois.net
What information to look for: find the DNS server details
Now what?
C:\>nslookup
> server <DNS SERVER FROM ABOVE>
> set type=any        (return all records)
> ls -d <THE DOMAIN>
Information Gathering: DNS information (cont.)
Reverse DNS lookup: ping -a <IP> (we can also use nmap as described in the next section)
Information Gathering: Open ports?
We have to install a few things:
- WinPcap 3.1: http://www.winpcap.org/install/default.htm (installer for Windows 95/98/ME/NT4/2000/XP/2003/Vista)
- Nmap: http://www.insecure.org/nmap/nmap_download.html (latest stable Nmap command-line zipfile: nmap-3.93-win32.zip)
Information Gathering: Open ports? (cont.)
Performing a quick and simple port scan:
- SYN scan: nmap -sS -P0 -p- <IP> (C: SYN; S: SYN/ACK; C: RST)
- CONNECT scan: nmap -sT -P0 -p- <IP> (three-way handshake: C: SYN; S: SYN/ACK; C: ACK; then data C→S; S→C)
- Source port: nmap -sS -P0 -p- -g53 <IP>
- Ping sweep: nmap -sP <IP RANGE>
- Reverse DNS: nmap -sP -R <[ IP | IP RANGE ]>
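The difference between the SYN scan and the CONNECT scan above (half-open versus completed handshake) is exactly what shows up in traffic on the defender's side. The following is an added example, not from the slide deck: it runs constructed (not captured) packet summaries through a small flow tracker and reports any host that touched several ports, labelled by how its handshakes ended. The summary line format, the host addresses and the reporting threshold are assumptions made for this example.

```python
# Added example (not from the slides): classify probing hosts by handshake state.
# Packet summaries are constructed, not captured; their format
# "<src>:<sport> > <dst>:<dport> <flags>" and the threshold are assumptions.
import re
from collections import Counter, defaultdict

# 10.0.0.5 behaves like "nmap -sS": SYN, SYN/ACK, then a client RST, so the
# handshake never completes. 10.0.0.9 behaves like "nmap -sT": full three-way
# handshake per port. 10.0.0.7 is one ordinary connection and must not be flagged.
PACKETS = """\
10.0.0.5:40001 > 192.168.1.10:22 S
192.168.1.10:22 > 10.0.0.5:40001 SA
10.0.0.5:40001 > 192.168.1.10:22 R
10.0.0.5:40001 > 192.168.1.10:23 S
192.168.1.10:23 > 10.0.0.5:40001 RA
10.0.0.5:40001 > 192.168.1.10:80 S
192.168.1.10:80 > 10.0.0.5:40001 SA
10.0.0.5:40001 > 192.168.1.10:80 R
10.0.0.5:40001 > 192.168.1.10:8080 S
192.168.1.10:8080 > 10.0.0.5:40001 RA
10.0.0.9:51001 > 192.168.1.10:21 S
192.168.1.10:21 > 10.0.0.9:51001 SA
10.0.0.9:51001 > 192.168.1.10:21 A
10.0.0.9:51002 > 192.168.1.10:22 S
192.168.1.10:22 > 10.0.0.9:51002 SA
10.0.0.9:51002 > 192.168.1.10:22 A
10.0.0.9:51003 > 192.168.1.10:25 S
192.168.1.10:25 > 10.0.0.9:51003 RA
10.0.0.9:51004 > 192.168.1.10:80 S
192.168.1.10:80 > 10.0.0.9:51004 SA
10.0.0.9:51004 > 192.168.1.10:80 A
10.0.0.7:52000 > 192.168.1.10:80 S
192.168.1.10:80 > 10.0.0.7:52000 SA
10.0.0.7:52000 > 192.168.1.10:80 A
10.0.0.7:52000 > 192.168.1.10:80 PA
"""
LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (\S+)$")

def parse_packets(text):
    """Parse summary lines into (src, sport, dst, dport, flags) tuples."""
    packets = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            src, sport, dst, dport, flags = match.groups()
            packets.append((src, int(sport), dst, int(dport), flags))
    return packets

def classify_flows(packets):
    """Key flows by (client, server, server_port); the client is whoever sent the
    bare SYN. Each flow ends as 'closed' (server RST), 'completed' (SYN, SYN/ACK,
    ACK), 'half_open' (SYN/ACK never ACKed by the client) or 'no_reply'."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        if "S" in flags and "A" not in flags:          # bare SYN opens a flow
            flows.setdefault((src, dst, dport), set())
        elif (dst, src, sport) in flows:               # server -> client reply
            seen = flows[(dst, src, sport)]
            seen.add("synack" if "S" in flags else "rst" if "R" in flags else "data")
        elif (src, dst, dport) in flows and "A" in flags and "R" not in flags:
            flows[(src, dst, dport)].add("ack")        # client finished the handshake
    outcomes = {}
    for key, seen in flows.items():
        if "rst" in seen:
            outcomes[key] = "closed"
        elif {"synack", "ack"} <= seen:
            outcomes[key] = "completed"
        elif "synack" in seen:
            outcomes[key] = "half_open"
        else:
            outcomes[key] = "no_reply"
    return outcomes

def detect_scanners(outcomes, min_ports=4):
    """Report clients touching at least min_ports distinct (server, port) pairs,
    labelled by how their handshakes ended."""
    per_client = defaultdict(list)
    for (client, _server, _port), outcome in outcomes.items():
        per_client[client].append(outcome)
    report = {}
    for client, results in per_client.items():
        if len(results) < min_ports:
            continue
        counts = Counter(results)
        if counts["half_open"] and not counts["completed"]:
            kind = "syn_scan"          # every SYN/ACK was answered with RST
        elif counts["completed"] >= counts["half_open"]:
            kind = "connect_scan"      # handshakes completed, then torn down
        else:
            kind = "mixed"
        report[client] = {"ports": len(results), "kind": kind,
                          "open": counts["half_open"] + counts["completed"],
                          "closed": counts["closed"]}
    return report

def analyze(text, min_ports=4):
    return detect_scanners(classify_flows(parse_packets(text)), min_ports)

if __name__ == "__main__":
    for client, info in analyze(PACKETS).items():
        print(client, info)
```

Run as a script it prints one line per flagged client. A SYN scan is visible as many half-open flows from one source in a short time, which is also why it shows up in firewall and IDS logs as "attack" traffic, as the legal-issues slide warns; a connect scan leaves a complete handshake per port and therefore appears in the target's own service logs as well.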
Information Gathering: Try it on a site you use
Let's try one together:
- Gather WHOIS details
- OS & web server details (NetCraft)
- DNS information, zone transfers, reverse DNS lookups (www.dnsstuff.com)
Web applications
Web applications: What are web applications?
www.securityfocus.com www.ezenta.com www.reversing.be www.whitehouse.gov msdn.microsoft.com
Any application that uses the HTTP protocol to communicate with its clients
Web applications: What are web applications? (cont.)
REQUEST:
GET /html/default.asp HTTP/1.1
Host: www.ezenta.com
Connection: close
Accept-Encoding: gzip

RESPONSE:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Content-Encoding: gzip
Web applications: What are web applications? (cont.)
Let's have a look at the raw data on the wire...
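The request/response pair from the previous slide, as an added example that is not part of the deck: the code serialises a request exactly as the client sends it (CRLF line endings, blank-line terminator) and parses a gzip-encoded response back into status, headers and body. The response bytes are constructed here, not captured from www.ezenta.com, and the sample HTML is made up.

```python
"""Added example: the HTTP/1.1 request and response from the slide, as bytes.

Not part of the original deck. The response bytes are constructed here, not
captured from www.ezenta.com.
"""
import gzip


def build_request(method, path, host, extra_headers=None):
    """Serialise a request the way it leaves the client: a request line,
    one header per line, CRLF line endings and a blank line as terminator.
    Host, Connection: close and Accept-Encoding: gzip mirror the slide."""
    headers = [("Host", host), ("Connection", "close"), ("Accept-Encoding", "gzip")]
    headers += list((extra_headers or {}).items())
    lines = [f"{method} {path} HTTP/1.1"] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status, headers, body).

    Everything before the blank line is text the peer controls, so the parser
    splits header lines on the first colon only, lower-cases names (they are
    case-insensitive) and takes the body length from Content-Length rather
    than from whatever else happens to follow on the socket."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = rest
    if "content-length" in headers:
        body = rest[: int(headers["content-length"])]
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)   # the slide's response is gzip-encoded
    return status, headers, body


def build_sample_response(html):
    """Constructed response carrying the slide's headers and a gzip body."""
    payload = gzip.compress(html)
    head = (
        b"HTTP/1.1 200 OK\r\n"
        b"Connection: close\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Content-Length: " + str(len(payload)).encode("ascii") + b"\r\n\r\n"
    )
    return head + payload


if __name__ == "__main__":
    request = build_request("GET", "/html/default.asp", "www.ezenta.com")
    print(request)                       # the exact bytes on the wire
    status, headers, body = parse_response(build_sample_response(b"<html><body>Hi</body></html>"))
    print(status, headers, body)
```

Printing `request` shows the `\r\n` separators the slide's flattened text hides; the same bytes can be typed into a raw TCP client, which is the "raw data on the wire" the next slide looks at. On the server side every one of those lines, Host included, is untrusted input.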
Web platforms
Web platforms: What technologies exist?
- Java (e.g. Servlets, JSP)
- ASP .NET (C#, J#, ASP, C++)
- PHP
- Lotus Notes
- Cold Fusion
- Native code (e.g. ISAPI)
- CGI (e.g. Perl, C)
- BEA WebLogic
- IBM WebSphere
- Zope (e.g. Python)
Web platforms: What is the difference?
- Programming language
- Performance
- Features
- Integration
- Stability
- Administration
- Ease of use
- Security
- What else?
Web platforms: ASP
Has a tendency to be vulnerable; no/limited built-in facilities
Web platforms: PHP
Global variables can be problematic
Web platforms: Lotus Notes
ACLs on NSF files are often poorly configured
Web platforms: CGI
Native code = native code issues (e.g. buffer overflows)
Web platforms: Java and .NET security
Compiled files can be decompiled back into readable source, so any secrets are exposed:
- Connection string information
- User credentials
- Internal addresses
What tools exist to help us?
- Java: DJ Decompiler (http://members.fortunecity.com/neshkov/dj.html)
- .NET: Salamander (http://www.remotesoft.com/salamander/)
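The point about secrets surviving compilation can be checked without a decompiler at all, because string literals sit in clear in the class file's constant pool. The following is an added example, not from the slides or from the DJ/Salamander tools: a reader for the Java class-file constant pool that extracts every string literal and flags the three kinds of secret the slide lists. The class file it scans is constructed inline with a fabricated credential and a made-up internal address, standing in for a compiled DbConfig class; the pattern list is an assumption to tune for your own code base.

```python
"""Added example: pull string literals out of a compiled Java class and flag
secrets. Not from the slides or the DJ/Salamander tools. The class file below
is constructed inline (with a fabricated credential); the patterns are an
assumption to tune for a real code base.
"""
import re
import struct

# Byte sizes of the fixed-width constant pool entries (JVM spec, chapter 4).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_strings(data):
    """Return every CONSTANT_Utf8 entry of a class file's constant pool.
    This is all a decompiler needs to show string literals: they are stored
    in clear, whatever the source looked like."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", data[8:10])
    pos, index, strings = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                   # CONSTANT_Utf8
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            # Java stores "modified UTF-8"; plain UTF-8 is close enough here.
            strings.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in FIXED_SIZE:
            pos += FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        index += 2 if tag in (5, 6) else 1             # Long/Double use two slots
    return strings


SECRET_PATTERNS = [
    ("jdbc connection string", re.compile(r"^jdbc:", re.I)),
    ("password in key/value", re.compile(r"\b(?:password|passwd|pwd)\s*=\s*\S+", re.I)),
    ("private/internal IPv4", re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
]


def find_embedded_secrets(data):
    """Return (label, literal) pairs for every literal matching a pattern."""
    return [(label, s) for s in constant_pool_strings(data)
            for label, pattern in SECRET_PATTERNS if pattern.search(s)]


def _utf8(text):
    encoded = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(encoded)) + encoded


def build_sample_class():
    """Constructed, minimal class file: a realistic constant pool followed by
    an empty class body. It stands in for a compiled DbConfig class."""
    pool = [
        _utf8("DbConfig"),                                    # 1
        b"\x07" + struct.pack(">H", 1),                       # 2  Class -> #1
        _utf8("java/lang/Object"),                            # 3
        b"\x07" + struct.pack(">H", 3),                       # 4  Class -> #3
        _utf8("jdbc:sqlserver://10.1.2.3:1433;databaseName=shop"),  # 5 (made up)
        b"\x08" + struct.pack(">H", 5),                       # 6  String -> #5
        _utf8("user=app;password=Hunter2!"),                  # 7  fabricated credential
        b"\x08" + struct.pack(">H", 7),                       # 8  String -> #7
        _utf8("getUrl"),                                      # 9
        b"\x03" + struct.pack(">i", 1433),                    # 10 Integer
        b"\x05" + struct.pack(">q", 0),                       # 11-12 Long
        _utf8("()Ljava/lang/String;"),                        # 13
    ]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, 14)  # count = slots + 1
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    tail = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)
    return header + b"".join(pool) + tail


if __name__ == "__main__":
    for label, literal in find_embedded_secrets(build_sample_class()):
        print(f"{label}: {literal}")
```

Pointed at a real build output directory, `find_embedded_secrets` gives a quick pre-release audit for the leaks the slide describes; the fix is to keep such values out of the code and load them from protected configuration at run time, since obfuscation (covered later) renames symbols but cannot hide a literal the program needs to use.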
Web platforms: Native code versus web technologies
What's the difference between them with respect to getting the source?
- Native code = ASM
- VM code = byte code
Reversing native code: the original source code is not available; program flow is harder to follow (IDA Pro can help)
"Reversing" VM code: the original code is readable; DJ turns *.class and *.jar files into Java code; Salamander turns .NET exe's or dll's into VB or C#
Web platforms: Reversing demo
Native code, Java, .NET
Web platforms: Protection
- Dongles: HASP
- VM code: obfuscation techniques (Salamander)
- Native code: packers (Exe Shield, Armadillo, ASProtect, Anticrack)
Web platforms: Summary
- You don't have to break the law to gather info, although port scanning is illegal in some places (check local laws)
- Platforms: some are better than others / more security aware
?