1
Modul 2Footprinting Scanning
Enumeration
Isbat Uzzin Nadhori
Informatical Engineering PENS-ITS
Politeknik Elektronika Negeri Surabaya
ITS - Surabaya
2
Intelligence Gathering Techniques
3 Major StepsFoot Printing
Scanning
Enumeration
Similar to MilitaryGather information on the target
Analyze weaknesses
Construct and launch attack
3
Gathering Process Overview
You can’t attack what you don’t know
4
Hacking Step
5
Hacking Step …
6
Gathering Process overview
HostsHosts
PortsPorts
ServicesServices
Vulnerabilities
Vulnerabilities
7
Footprinting
8
FootprintingFootprinting Footprinting is the ability to obtain essential information about an organization.
Commonly called network reconnaissance.
Result Gather information includes: –The technologies that are being used such as, Internet, Intranet, Remote Access and the Extranet.
–To explored the security policies and procedures
–take an unknown quality and reduce it
–Take a specific range of domain names, network blocks and individual IP addresses of a system that is directly connected to the Internet
This is done by employing various computer security techniques, as:• DNS queries nslookup, dig, Zone Transfer
• Network enumeration
• Network queries
• Operating system identification
• Organizational queries
When used in the computer security lexicon, "footprinting" generally refers to one of the pre-attack phases; tasks performed prior to doing the actual attack. Some of the tools used for footprinting areSam Spade, nslookup, traceroute, Nmap and neotrace.
• Ping sweeps• Point of contact queries• Port Scanning• Registrar queries (WHOIS queries)• SNMP queries• World Wide Web spidering
9
DNS QueryDNS Query
10
Network Query ToolsNetwork Query Tools
* Ping* NSlookup* Whois* IP block search* Dig* Traceroute* Finger* SMTP VRFY* Web browser keep-alive* DNS zone transfer* SMTP relay check* Usenet cancel check* Website download* Website search* Email header analysis* Email blacklist* Query Abuse address
11
Information to GatherInformation to Gather
Attacker’s point of viewAttacker’s point of viewIdentify potential target systemsIdentify potential target systems
Identify which types of attacks may be useful on target systemsIdentify which types of attacks may be useful on target systems
Defender’s point of viewDefender’s point of viewKnow available toolsKnow available tools
May be able to tell if system is being footprinted, be more prepared for May be able to tell if system is being footprinted, be more prepared for possible attackpossible attack
Vulnerability analysis: know what information you’re giving away, what Vulnerability analysis: know what information you’re giving away, what weaknesses you haveweaknesses you have
12
OS IdentificationOS Identification
13
Point of ContactPoint of Contact
14
Tools - LinuxTools - Linux Some basic Linux tools - lower level utilitiesSome basic Linux tools - lower level utilities
Local SystemLocal System
hostnamehostname
ifconfigifconfig
who, lastwho, last
Remote SystemsRemote Systems
pingping
traceroutetraceroute
nslookup, dignslookup, dig
whoiswhois
arp, netstat (also local system)arp, netstat (also local system)
Other toolsOther tools
lsoflsof
15
Tools – Linux (2)Tools – Linux (2)
Other utilitiesOther utilitieswireshark (packet sniffing)wireshark (packet sniffing)
nmap (port scanning) - more laternmap (port scanning) - more later
Ubuntu LinuxUbuntu Linux
Go to System / Administration / Network Tools – get Go to System / Administration / Network Tools – get interface to collection of tools: ping, netstat, traceroute, interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whoisport scan, nslookup, finger, whois
16
Tools - WindowsTools - Windows
WindowsWindowsSam Spade (collected network tools)Sam Spade (collected network tools)
Wireshark (packet sniffer)Wireshark (packet sniffer)
Command line toolsCommand line tools
ipconfigipconfig
Many others…Many others…
17
Traceroute# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms
5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms
17.173 ms
9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms
248.838 ms
10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306
ms 17.248 ms
13 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms
18
Traceroute - Network Mapping
cw
swb
Internet Routers
19
Traceroute - Network Mapping
cw
swb
Internet Routers
20
Traceroute - Network Mapping
Firewall
DMZ
cw
swb
VPN
Internet Routers
21
Traceroute - Network Mapping
Firewall
DMZ
www
ftp
cw
swb
VPN
Internet Routers
22
Traceroute - Network Mapping
Firewall
DMZ
www
ftp
cw
swb
VPN
Internet Routers
23
Traceroute - Network Mapping
Sun
LinuxFirewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers
24
Traceroute - Network Mapping
Sun
LinuxFirewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers
Linux 2.0.38xxx.xx.48.2
AIX 4.2.1xxx.xx.48.1
Checkpoint Firewall-1Solaris 2.7xxx.xx.49.17
Checkpoint Firewall-1Nortel VPNxxx.xx.22. 7
Cisco 7206204.70.xxx.xxx
Nortel CVX1800151.164.x.xxx
IDS?
25
Domain Name: UWEC.EDUDomain Name: UWEC.EDU
Registrant:Registrant:
University of Wisconsin - Eau ClaireUniversity of Wisconsin - Eau Claire
105 Garfield Avenue105 Garfield Avenue
Eau Claire, WI 54702-4004Eau Claire, WI 54702-4004
UNITED STATESUNITED STATES
Contacts:Contacts:
Administrative Contact:Administrative Contact:
Computing and Networking ServicesComputing and Networking Services
105 Garfield Ave105 Garfield Ave
Eau Claire, WI 54701Eau Claire, WI 54701
UNITED STATESUNITED STATES
(715) 836-5711(715) 836-5711
[email protected]@uwec.edu
Name Servers:Name Servers:
TOMATO.UWEC.EDU 137.28.1.17TOMATO.UWEC.EDU 137.28.1.17
LETTUCE.UWEC.EDU 137.28.1.18LETTUCE.UWEC.EDU 137.28.1.18
BACON.UWEC.EDU 137.28.5.194BACON.UWEC.EDU 137.28.5.194
WhoisWhois
26
Scanning
27
Introduction
Scanning can be compared to a thief checking all the doors and windows of a house he wants to break into.
Scanning- The art of detecting which systems are alive and reachable via the internet and what services they offer, using techniques such as ping sweeps, port scans and operating system identification, is called scanning.
The kind of information collected here has to do with the following:
1) TCP/UDP services running on each system identified.
2) System architecture (Sparc, Alpha, x86)
3) Specific IP address of systems reachable via the internet.
4) Operating System type.
28
Ping Sweeps
ping sweep is a method that can establish a range of IP addresses which map to live hosts.
ICMP Sweeps (ICMP ECHO requests)
Broadcast ICMP
Non Echo ICMP
TCP Sweeps
UDP Sweeps
29
PING SWEEPS
ICMP SWEEPS
ICMP ECHO request
ICMP ECHO replyTarget alive
Intruder
Querying multiple hosts – Ping sweep is fairly slow
Examples UNIX – fping and gping
WINDOWS - Pinger
30
Broadcast ICMPIntruder Network
ICMP ECHO request
ICMP ECHO reply
ICMP ECHO reply
ICMP ECHO reply
Can Distinguish between UNIX and WINDOWS machine
UNIX machine answers to requests directed to the network address.
WINDOWS machine will ignore it.
31
PING SWEEPS
NON – ECHO ICMPExample ICMP Type 13 – (Time Stamp)
Originate Time Stamp
- The time the sender last touched the message before sending
Receive Time Stamp
- The echoer first touched it on receipt.
Transmit Time Stamp
- The echoer last touched on sending it.
32
PING Sweeps
TCP Sweeps
ServerClient
C(SYN:PortNo & ISN)
S (SYN & ISN) + ACK[ C (SYN+!) ]
RESET (not active)
S(ISN+1)
When will a RESET be sent?
When RFC does not appear correct while appearing.
RFC = (Destination (IP + port number) & Source( IP & port number))
33
PING Sweeps
Depends on ICMP PORT UNREACHABLE message.
UDP data gram
ICMP PORT UNREACHABLE
Unreliable because
• Routers can drop UDP packets
•UDP services may not respond when correctly probed
•Firewalls are configured to drop UDP
•Relies on fact that non-active UDP port will respond
Target System
34
PORT SCANNING
Types:
TCP Connect() Scan
TCP SYN Scan( Half open scanning)
Stealth Scan
Explicit Stealth Mapping Techniques
SYN/ACL , FIN, XMAS and NULL
Inverse Mapping
Reset Scans, Domain Query Answers
Proxy Scanning / FTP Bounce Scanning
TCP Reverse Ident Scanning
35
Port Scanning Types
TCP Connect() Scan
SYN packet
SYN/ACK listening
RST/ACK (port not listening)
SYN/ACK
A connection is terminated after the full length connection establishment process has been completed
36
Port Scanning Type
TCP SYN Scan (half open scanning)
SYN packet
SYN/ACK listening
RST/ACK (port not listening)
We immediately tear down the connection by sending a RESET
37
Port Scanning TypeStealth Scan
A scanning technique family doing the following
Pass through filtering rules.
Not to be logged by the targeted system logging mechanism
Try to hide themselves at the usual site / network traffic.
The frequently used stealth mapping techniques are.
SYN/ACK scan
FIN scans
XMAS scans
NULL scans
38
PORT Scanning
Techniques:
Random Port scan
Slow Scan
Fragmentation Scanning
Decoy
Coordinated Scans
39
PORT Scanning“Random” Port Scan
Randomizing the sequence of ports probed may prevent detection.
Slow Scan
Some hackers are very patient and can use network scanners that spread out the scan over a long period of time. The scan rate can be, for example, as low as 2 packets per day per target site.
Fragmentation scanning
In case of TCP the 8 octets of data (minimum fragment size) are enough to contain the source and destination port numbers. This will force the TCP flags field into the second fragment.
Decoy
Some network scanners include options for Decoys or spoofed address in their attacks.
Coordinated Scans
If multiple IPs probe a target network, each one probes a certain service on a certain machine in a different time period, and therefore it would be nearly impossible to detect these scans.
40
Operating System Detection
Banner Grabbing
DNS HINFO Record
TCP/IP Stack Fingerprinting
41
Operating System Detection
42
Operating System Detection
DNS HINFO Record
The host information record is a pair of strings identifying the host’s hardware type and the operating system
www IN HINFO “Sparc Ultra 5” “Solaris 2.6”
One of the oldest technique
43
Operating System Detection
TCP/IP Finger Printing
The ideas to send specific TCP packets to the target IP and observe the response which will be unique to certain group or individual operations.
Types of probes used to determine the OS type
The FIN Probe, The Bogus Flag Probe, TCP initial sequence number sampling, Don’t Fragment bit, TCP initial window, ACK value, ICMP error Message Quenching, ICMP message quoting, ICMP error message Echoing Integrity, Type of service, fragmentation handling, TCP options
44
Firewalking
Gather information about a remote network protected by a firewall
PurposeMapping open ports on a firewall
Mapping a network behind a firewall
If the firewall’s policy is to drop ICMP ECHO Request/Reply this technique is very effective.
45
How does Firewalking work?
It uses a traceroute-like packet filtering to determine whether or not a particular packet can pass through a packet-filtering device.
Traceroute is dependent on IP layer(TTL field), any transport protocol can be used the same way(TCP, UDP, and ICMP).
46
What Firewalking needs?
The IP address of the last known gateway before the firewall takes place.
Serves as WAYPOINT
The IP address of a host located behind the firewall.
Used as a destination to direct packet flow
47
Getting the Waypoint
If we try to traceroute the machine behind a firewall and get blocked by an ACL filter that prohibits the probe, the last gateway which responded(the firewall itself can be determined)
Firewall becomes the waypoint.
48
Getting the Destination
Traceroute the same machine with a different traceroute-probe using a different transport protocol.
If we get a responseThat particular traffic is allowed by the firewall
We know a host behind the firewall.
If we are continuously blocked, then this kind of traffic is blocked.
Sending packets to every host behind the packet-filtering device can generate an accurate map of a network’s topology.
49
How to identify/avoid threats?
Long-standing rule for Unix System administrators to turn off any services that aren’t in use
For personal workstations!Hackers have access to utilities to scan the servers but so do you!.
Hackers look in for open ports. So we can our servers first and know what the hackers will see and close any ports that shouldn’t be open.
50
Some tools to help us
NmapIt is a utility that scans a particular server and informs us which ports are open.
EtherealIt is a utility that will scan the network and help us decode what is going on.
We can watch the network traffice and find out if hackers can see anything that will help them break into our systems.
51
Enumeration
52
52
Introduction to Enumeration Enumeration extracts information about:
–Resources or shares on the network
–User names or groups assigned on the network
–Last time user logged on
–User’s password
Before enumeration, you use Port scanning and footprinting
–To Determine OS being used
Intrusive process
53
53
NBTscan
NBT (NetBIOS over TCP/IP)–is the Windows networking protocol
–used for shared folders and printers
NBTscan–Tool for enumerating Microsoft OSs
54
54
Null Session Information
Using these NULL connections allows you to gather the following information from the host:
–List of users and groups
–List of machines
–List of shares
–Users and host SIDs (Security Identifiers)
•From brown.edu (link Ch 6b)
55
55
Demonstration of Null Sessions
Start Win 2000 Pro
Share a folder
From a Win XP command prompt–NET VIEW \\ip-address Fails
–NET USE \\ip-address\IPC$ "" /u:""
•Creates the null session
•Username="" Password=""
–NET VIEW \\ip-address Works now
56
56
Demonstration of Enumeration Download Winfo from link
Ch 6g
Run it – see all the information!
57
57
NetBIOS Enumeration Tools
Net view command–Shows whether there are any shared resources on a network host
58
58
NetBIOS Enumeration Tools (continued)
Net use command–Used to connect to a computer with shared folders or files
59
Net use
60
61
61
Additional Enumeration Tools NetScanTools Pro
DumpSec
Hyena
NessusWX
62
62
NetScanTools Pro Produces a graphical view of NetBIOS running on a network
Enumerates any shares running on the computer
Verifies whether access is available for shared resource using its Universal Naming Convention (UNC) name
Costs about $250 per machine (link Ch 6i)
63
63
64
64
65
65
DumpSec
Enumeration tool for Microsoft systems
Produced by Foundstone, Inc.
Allows user to connect to a server and “dump” the following information
–Permissions for shares
–Permissions for printers
–Permissions for the Registry
–Users in column or table format
–Policies and rights
–Services
66
DumpSec
67
67
Hyena
Excellent GUI product for managing and securing Microsoft OSs
Shows shares and user logon names for Windows servers and domain controllers
Displays graphical representation of:–Microsoft Terminal Services
–Microsoft Windows Network
–Web Client Network
–Find User/Group
68
68
69
69
NessusWX This is the client part of Nessus
Allows enumeration of different OSs on a large network
Running NessusWX–Be sure Nessus server is up and running
–Open the NessusWX client application
–To connect your client with the Nessus server
•Click Communications, Connect from the menu on the session window
•Enter server’s name
•Log on the Nessus server
70
70
71
71
72
72
NessusWX (continued)
Nessus identifies –NetBIOS names in use
–Shared resources
–Vulnerabilities with shared resources
•Also offers solutions to those vulnerabilities
–OS version
–OS vulnerabilities
–Firewall vulnerabilities
73
73
74
74
75
75
76
76
77
77
Enumerating the *NIX Operating System
Several variations–Solaris
–SunOS
–HP-UX
–Linux
–Ultrix
–AIX
–BSD UNIX
–FreeBSD
–OpenBSD
78
78
UNIX Enumeration
Finger utility–Most popular tool for security testers
–Finds out who is logged in to a *NIX system
–Determine owner of any process
Nessus–Another important *NIX enumeration tool
79
79
80
80
81
Footprinting And Enumeration using netcraft.com