Reconnaissance vs. Enumeration

Page 1

Phase 1: Reconnaissance
Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition)
ISBN-10: 0131481045
ISBN-13: 978-0131481046

Page 2

Reconnaissance vs. Enumeration

● Both are involved in preliminary data collection, but each is unique
● Reconnaissance
  ○ Passively engages the target
  ○ Searching public records, corporate documents, search results
● Enumeration
  ○ Actively engages the target to gain information
  ○ Ping sweeps, port scans, fingerprinting

Page 3

Reconnaissance

● Obtain information
  ○ construct a topology (i.e. map)
  ○ understand the domain
● Applying for graduate school or a job
● Jigsaw Puzzle

Page 4

Search the Fine Web (STFW)

● Public information
  ○ domain names, network addresses, contact information, etc.
● Indistinguishable from normal user behavior
  ○ no alarms tripped

Page 5

Google

● Query the ultimate scanner
● Bots
  ○ crawl websites
  ○ visiting reachable locations via hyperlinks
● Index
  ○ searchable with results presented by pagerank
● Cache
  ○ snapshot
  ○ first 101k (may be more now)
● API
  ○ automated web-searches
  ○ 1,000 searches per day
    ■ 1,000 results

Page 6

Google Search Directives

● site:[domain]
● link:[web page]
● intitle:[term(s)]
  ○ site:cs.fsu.edu intitle:"index of"
● related:[site]
  ○ based on Google's indexing algorithm
● cache:[page]
● filetype:[suffix]
● rphonebook:[name and city or state]
● bphonebook:[name and city or state]
● phonebook:[name and city or state]

Page 7

Google Search Operators

● Literal matches (" ")
  ○ when order matters
● Not (-)
  ○ remove results that contain the given term
● Plus (+)
  ○ don't exclude common term
  ○ +the +how

http://www.googleguide.com/advanced_operators.html

Page 8

Example: http://www.cs.fsu.edu

Page 9

CS Example

site:cs.fsu.edu login
site:cs.fsu.edu login filetype:php
site:cs.fsu.edu inurl:login filetype:php
site:cs.fsu.edu inurl:baker
cache:http://www.cs.fsu.edu/~baker/pls/

Page 10

Internet Archive (Wayback Machine)

● http://archive.org/web/web.php
● http://wayback.archive.org/web/*/http://www.cs.fsu.edu

Page 11

Perusing the Target's Website

● Go to it!
● Note
  ○ employees' contact info, specifically phone #'s
  ○ corporate lingo
    ■ physical office locations, star employees, etc.
  ○ business partners
  ○ recent mergers and acquisitions
  ○ technologies in use
    ■ LAMP vs. M$
  ○ open job requisitions
    ■ cisco cert XXX required

Page 12

Defense Against Search Engine and Web-Based Reconnaissance

● Theory: security through obscurity is broken
● Practice: it works
● Create policies
● Periodically measure effectiveness of set policies

Page 13

Defense Against Search Engine and Web-Based Reconnaissance

● Google bot respects robots.txt
  ○ Tells well-behaved Web crawlers not to search certain directories, files, or the entire Web site
  ○ noindex: don't include given page in index
  ○ nofollow: don't follow links on given page
  ○ noarchive: given page should be indexed, but not cached
  ○ nosnippet: Google should not obtain summary snippets for use in search results
  ○ site:fsu.edu inurl:robots.txt
  ○ http://geomag.gfdi.fsu.edu/robots.txt
  ○ double-edged sword
● Explicitly ask Google to remove cache entries
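Added example, not part of the original slides, showing the "double-edged sword" in code and giving a concrete way to "periodically measure effectiveness of set policies" (Page 12): a robots.txt keeps well-behaved crawlers out of the listed paths, but the list itself is plain text that any reader can fetch, and a crawler that has its own User-agent group is bound only by that group's rules, not by the `*` group. The robots.txt content, the `example.com` host and the keyword heuristic in `review_candidates` are constructed for the demonstration; the parser is Python's standard `urllib.robotparser`.

```python
import urllib.robotparser

# Constructed sample robots.txt; the paths are hypothetical, not a real site's.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /private/reports.php
Disallow: /search/
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
"""


def parse_robots(text):
    """Load robots.txt text into the standard-library parser."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    # can_fetch() answers False for everything until the file counts as read;
    # parse() marks it, calling modified() again is harmless.
    rp.modified()
    return rp


def disallowed_paths(text):
    """Every Disallow value in the file, regardless of user-agent group.

    This is exactly what a human reader sees after fetching /robots.txt, which
    is why the slide calls the file a double-edged sword: it hides paths from
    well-behaved crawlers while listing them for everyone else.
    """
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                paths.append(value)
    return paths


def crawler_may_fetch(text, agent, url):
    """Would a well-behaved crawler identifying as `agent` fetch `url`?"""
    return parse_robots(text).can_fetch(agent, url)


def review_candidates(text):
    """Disallow entries whose names suggest the listing itself reveals something.

    The keyword list is a constructed heuristic for the demonstration; a real
    policy check would compare the file against an approved list of paths.
    """
    keywords = ("admin", "backup", "private", "staging", "old", "tmp")
    return [p for p in disallowed_paths(text)
            if any(k in p.lower() for k in keywords)]


if __name__ == "__main__":
    print("Listed for everyone:", disallowed_paths(SAMPLE_ROBOTS_TXT))
    print("Generic bot may fetch /admin/:",
          crawler_may_fetch(SAMPLE_ROBOTS_TXT, "SomeBot", "http://example.com/admin/"))
    print("Googlebot may fetch /admin/:",
          crawler_may_fetch(SAMPLE_ROBOTS_TXT, "Googlebot", "http://example.com/admin/"))
    print("Worth reviewing:", review_candidates(SAMPLE_ROBOTS_TXT))
```

The Googlebot case is the part that surprises people: because the file gives Googlebot its own group, the parser (like the crawlers it models) applies only that group, so `/admin/` is fetchable by Googlebot even though the `*` group forbids it. Run the audit against your own file on a schedule and diff the output; a new sensitive-looking path is a policy finding either way.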

Page 14

Tool Time

Page 15

Foundstone's SiteDigger

● http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

Page 16

Wikto (Roelof Temmingh)

● Windows version of nikto
  ○ perl website vulnerability scanner
● http://www.sensepost.com/labs/tools/pentest/wikto

Page 17

DNS Fingerprinting

Record Types:
SRV - Service - Host name, port number of servers with services
SOA - Start of Authority - Primary NS for the zone
NS - Name Server
MX - Mail Exchange - Identifies e-mail servers
CNAME - Canonical Name - Domain name aliases
A - Address - maps an IP to a host

● 'dig' can be used to dump Name Server records
  ○ Typical usage is 'dig @[ns-server] [domain] [query-type]'
  ○ Example: 'dig @8.8.8.8 google.com any'
● 'whois' dumps registration information about a domain
  ○ Typical usage 'whois [domain]'
  ○ Example: 'whois google.com'
● 'traceroute' provides routing information between you and the host
  ○ entries of the form * * * indicate a hop which does not respond to ICMP requests, usually firewalls or routers
  ○ Typical usage is 'traceroute [host]'
  ○ Example: 'traceroute google.com'
● ARIN WHOIS
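Added example, not part of the original slides: a parser for the ANSWER SECTION that 'dig' prints, grouping records by the types listed above and pulling out the host names a zone publishes, which is the inventory a defender wants before an outsider builds it. The dig output is constructed for the demonstration (example.com with made-up records and 192.0.2.0/24 documentation addresses), not captured from a real query. One caveat: many name servers now answer 'any' queries minimally (RFC 8482), so per-type queries ('dig ... ns', 'dig ... mx', ...) are the reliable way to enumerate your own zone; the parser below does not care which query produced the section.

```python
import re
from collections import defaultdict

# Constructed sample of what `dig @ns example.com any` prints; real output has
# more header lines, but only the ANSWER SECTION matters to the parser.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> @192.0.2.53 example.com any
;; ANSWER SECTION:
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.
example.com.            300     IN      MX      10 mail.example.com.
example.com.            300     IN      A       192.0.2.10
www.example.com.        300     IN      CNAME   example.com.
_sip._tcp.example.com.  600     IN      SRV     10 60 5060 sip.example.com.

;; Query time: 12 msec
"""

# One resource record line: owner name, TTL, class IN, type, then the RDATA.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$"
)


def parse_answer_section(text):
    """Return {record_type: [(owner, ttl, rdata), ...]} from dig output.

    Only lines between ';; ANSWER SECTION:' and the next ';;' header are
    parsed; comment lines (starting with ';') and blank lines are skipped.
    """
    records = defaultdict(list)
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";"):
            if in_answer and line.startswith(";;"):
                in_answer = False  # the next section header ends the answers
            continue
        if not in_answer or not line.strip():
            continue
        m = RECORD_RE.match(line)
        if m:
            records[m["type"]].append((m["name"], int(m["ttl"]), m["rdata"].strip()))
    return dict(records)


def exposed_hosts(records):
    """Host names the zone hands out through NS, MX, CNAME and SRV records.

    This is what a single zone query tells an outsider about your
    infrastructure; any name here that should not be public is a finding.
    """
    hosts = set()
    for _owner, _ttl, rdata in records.get("NS", []):
        hosts.add(rdata.rstrip("."))
    for _owner, _ttl, rdata in records.get("MX", []):
        hosts.add(rdata.split()[1].rstrip("."))  # RDATA is "priority host"
    for _owner, _ttl, rdata in records.get("CNAME", []):
        hosts.add(rdata.rstrip("."))
    for _owner, _ttl, rdata in records.get("SRV", []):
        hosts.add(rdata.split()[3].rstrip("."))  # "priority weight port host"
    return sorted(hosts)


if __name__ == "__main__":
    parsed = parse_answer_section(SAMPLE_DIG_OUTPUT)
    for rtype, entries in sorted(parsed.items()):
        print(rtype, entries)
    print("Published hosts:", exposed_hosts(parsed))
```

The SRV record is the one to watch in this inventory: it advertises not just a host but a service and its port (here SIP on 5060), which is precisely the "host name, port number of servers with services" the slide warns about.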

Page 18

Now what?

We have all this great data from all of these tools.

This is where pentesters and hackers dive into social engineering to get more info, and perhaps even access to a system.

Page 19

Low-Technology Reconnaissance

● Definition: social engineering: any act where you try to manipulate a person to accomplish a goal, and that goal may or may not be in the target's interest (i.e. disclose info).
● Leverage prior research (dig, google results, social media)

Page 20

Social Engineering

● Usually you gather info first, before this step
● Then with that info and some cunning, manipulate more info out of people working in the target.
● Humans have a weakness for helping others, so the most common vector for social engineering is "Hey could you please help me...." See: http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html

Page 21

Persuasion: Exploiting Evolutionary Triggers

● The grouper and the Sabertooth blenny
● The Harvard 70's compliance study
  ○ Goal is to study compliance (or what is the minimum we need to do to get someone to do a favor?)
    ■ Discovered that the magic word is: "because"
  ○ Discovered 6 specific human quirks to exploit:
    ■ Reciprocity (we tend to return favors, regardless of original favor)
    ■ Consistency (we try to be consistent) - Once you give a bum money, it's really hard to turn down further requests
    ■ Social Proof (we tend to try and fit in) - laugh tracks, crowd theory
    ■ Liking (we tend to cooperate with those who seem to like us) - bad cop / good cop
    ■ Authority (we cooperate with those who seem to be in charge) - lab coats, badges, and mohawks
    ■ Scarcity (we'll overvalue apparently scarce resources) - Xmas toy crazes, limited time offers...
● Information scarcity and censorship

Page 22

Follow-up reference

Robert Cialdini's book, Influence: The Psychology of Persuasion

A GREAT presentation about this by Dr. W. Philip Kegelmeyer: http://csmr.ca.sandia.gov/~wpk/avi/2007.06.28_TT_PhilipKegelmeyer_ThePsychologyofPersuasion.avi

^Seriously worth watching

Page 23

Social Engineering

● Social Engineering is usually the easiest way into a system. See Anonymous's takedown of HBGary as an example.
  ○ a $40B company "ruined" by a single social engineering attack!
  ○ (see step #8): http://thestrayworld.com/2011/02/17/how-the-anonymous-broke-into-hbgary/

A good read: http://news.cnet.com/8301-27080_3-20013901-245.html

Page 24

A great resource for SE defenses / training

http://social-engineer.org/

Page 25

Concluding Remarks

We demonstrated techniques used by both hackers and penetration testers. The takeaway is:
● Know your google-fu
● Hackers do their homework, and the internet makes it easy
● Security through obscurity does work in practice
● The ease of information gathering works both FOR and AGAINST you and attackers
● Humans are the weakest link