5_recon.ppt
Recon 1
Reconnaissance
Recon 2
Attack Phases
- Phase 1: Reconnaissance
- Phase 2: Scanning
- Phase 3: Gaining access
o Application/OS attacks
o Network attacks/DoS attacks
- Phase 4: Maintaining access
- Phase 5: Covering tracks and hiding
Recon 3
Recon
- Before a bank robber robs a bank…
o Visit the bank
o Make friends with an employee (inside info)
o Study the alarm system, vault, security guard's routine, security camera placement, etc.
o Plan arrival and getaway
- Most of this is not high tech
- Similar ideas hold for info security
Recon 4
Social Engineering
- Hypothetical examples
o New "admin" asks secretary for help
o Angry "manager" calls employee/admin asking for password
o "Employee" in the field calls another employee for help with remote access
- Real-world examples
o Employees help white hat guy steal company IP
o Person turns over secrets to trusted "friend"
Recon 5
Social Engineering
- Social engineering
o Defeats strongest crypto, best access control, protocols, IDS, firewalls, software security, etc., etc.
- Attacker may not even touch a keyboard
- Ultimate low-tech recon/attack method
Recon 6
Social Engineering
- Telephone-based attacks
o Company phone number may give attacker instant credibility
- Attacker might ask for voice mail service
- Spoofed caller ID
o Appears attacker has company phone number
o Online services: Telespoof, Camophone
o Some VoIP software
o Phone companies also sell such services
Recon 7
Camophone
- Spoofed caller ID
- Cost? 5 cents per minute
Recon 8
Social Engineering Defenses
- Hard to defend against
o Rooted in human nature
o Many legitimate uses of "social engineering" (police, sales people, etc.)
- User education helps
o Do not give out sensitive info (passwords)
o Do not trust caller ID, etc.
- May not want totally paranoid employees
Recon 9
Physical Security
- If Trudy gets physical access…
- Might find logged-in computer, post-it note with passwords, etc.
- Might install back door, keystroke logger, access point to LAN, etc.
- Could steal USB drives, laptop, computers, CDs, etc.
Recon 10
Physical Access
- How can attacker gain physical access?
o Ask for it
o Fake it
o Physical break-in
- Or attacker might be an employee
o Then Trudy already has access
o Limit employee's physical access?
Recon 11
Defenses
- Require badges for entry
o What if someone forgets badge?
- Biometrics for entry are useful
o Iris scan, hand geometry, …
- Monitor what people take in/out
o Laptop, USB drive, CD, Furby?
o Miniaturization makes this difficult
Recon 12
Defenses
- Use locks on file cabinets
o Don't leave key in the lock…
- Automatic screen saver with password
- Encrypted hard drives
o Especially for those who travel
o Need a way to recover encrypted files
o But there are attacks…
Recon 13
Dumpster Diving
- What might Trudy find in trash?
o CDs, DVDs, discarded machines, USB, …
o Diagrams of network architecture
- Defenses
o Destroy hard drive before discarding
o Destroy media (degaussing is not enough, and it does nothing at all for optical or flash media)
o Shred paper, etc.
Recon 14
Search the "Fine" Web
- "Fine" is a placeholder for another word
o As in "Read the 'Fine' Documentation"
- Huge amount of info available on Web
- Google it!
o For example, Google the MD5 hash value 20f1aeb7819d7858684c898d1e98c1bb
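Why googling a hash works, as an added example (not from the slides): an unsalted MD5 of a common input is the same for everyone who ever hashed it, so the indexed web already holds digest-to-plaintext pairs and "cracking" becomes a lookup. The wordlist below is constructed; the hash on the slide is left alone, since this code does not claim to know its preimage.

```python
import hashlib
from typing import Optional

# Constructed mini "wordlist"; on the real web, millions of such word -> MD5 pairs are indexed.
WORDLIST = ["letmein", "123456", "password", "qwerty", "admin"]


def md5_hex(text: str) -> str:
    """Unsalted MD5, hex-encoded. Same input, same digest, for everyone, forever."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> plaintext, which is effectively what a search engine index holds."""
    return {md5_hex(w): w for w in words}


def reverse_md5(digest_hex: str, table: dict) -> Optional[str]:
    """Equivalent of pasting the hash into Google: a table lookup, no cryptanalysis involved."""
    return table.get(digest_hex.strip().lower())


def salted_md5_hex(salt: str, text: str) -> str:
    """With a per-user salt the digest is unique to that user, so no public lookup table helps."""
    return hashlib.md5((salt + text).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(reverse_md5("5f4dcc3b5aa765d61d8327deb882cf99", table))  # -> password
    print(reverse_md5(salted_md5_hex("x7!q", "password"), table))  # -> None
```

A salt defeats the lookup, but MD5 is still fast enough to brute-force offline; stored passwords belong in a deliberately slow hash (bcrypt, scrypt or Argon2), and a value you would not want searchable should never be published as a bare unsalted digest.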
Recon 15
Google Hacking
- Using Google to help in attacks
o Not "hacking Google"
- See, for example
o Johnny Long's Website
o Google hacking 101
- Google selected as "favorite hacking tool" by some infamous hackers
Recon 16
Google
- Four important elements of Google
1. Google bot
o Crawls Web looking for info to index
2. Google index
o Billions served…
o Ranked using (secretive) algorithm
o Why so secretive?
Recon 17
Google
3. Google cache
o Copy of data that bots found
o Includes html, doc, pdf, ppt, etc., etc.
o Up to 101k of text each, no images
o See also, Wayback Machine
4. Google API
o Programs need to Google too
o Requires API "key" (free from Google)
o Limited to 1k searches per day
Recon 18
Google
- For any Google search…
o Max number of results limited to 1,000
o Limits data mining capabilities
- So searches must be precise
- Use "search directives"
o No space after directive, searches are case insensitive, max of 10 search terms
Recon 19
Google Search Directives
- site:[domain]
o Searches particular domain
o site:cs.sjsu.edu stamp
- link:[web page]
o All sites linked to a given web page
o link:www.cs.sjsu.edu
o (Google has since retired the link: directive)
- intitle:[term(s)]
o Web sites that include "term(s)" in title
o site:cs.sjsu.edu intitle:"index of" stamp
Recon 20
Google Search Directives
- related:[site]
o Similar sites, based on Google's indexing
o related:www.cs.sjsu.edu
- cache:[page]
o Display Web page from Google's cache
o cache:www.cs.sjsu.edu
- filetype:[suffix]
o Like ppt, doc, etc.
o filetype:ppt site:cs.sjsu.edu stamp
Recon 21
Google Search Directives
- rphonebook:[name and city or state]
o Residential phone book
o rphonebook:Mark Stamp Los Gatos
- bphonebook:[name and city or state]
o Business phone book
- phonebook:[name and city or state]
o Residential and business phone books
- (Google has since retired all three phonebook directives)
Recon 22
Other Search Operations
- Literal match (" ")
o "metamorphic engines" site:cs.sjsu.edu
- Not (-)
o Filter out sites that include term
o site:cs.sjsu.edu -ty -lin
- Plus (+)
o Include (normally filtered) term
o Not the opposite of "-"
o site:cs.sjsu.edu stamp +the
Recon 23
Interesting Searches
- From the text
o site:mybank.com filetype:xls ssn
o site:mybank.com ssn -filetype:pdf
o site:mybank.com filetype:asp
o site:mybank.com filetype:cgi
o site:mybank.com filetype:php
o site:mybank.com filetype:jsp
o site:cs.sjsu.edu filetype:xls
Recon 24
Google Hacking Database
- Google Hacking Database (GHDB)
- Interesting searches
o intitle:"index of" finance.xls
o "welcome to intranet"
o intitle:"gateway configuration menu"
o intitle:"samba web administration tool" intext:"help workgroup"
Recon 25
GHDB
- intitle:"welcome to IIS 4.0"
- "… we find that even if they've taken the time to change their main page, some dorks forget to change the titles of their default-installed web pages. This is an indicator that their web server is most likely running … the now considered OLD IIS 4.0 and that at least portions of their main pages are still exactly the same as they were out of the box. Conclusion? The rest of the factory-installed stuff is most likely lingering around on these servers as well. … Factory-installed default scripts: FREE with operating system. Getting hacked by a script kiddie that found you on Google: PRICELESS. For all the things money can't buy, there's a googleDork award."
Recon 26
Google
- Suppose sensitive data is accessible
o Removing it does not remove the problem
o Google cache, Wayback Machine
- What about automated searches?
o Google API
o SiteDigger and Wikto
Recon 27
SiteDigger
- User provides Google API key
- One search…
o Uses GHDB
o Does 1k Google searches
o Your daily limit
o There's always tomorrow…
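A mini SiteDigger, as an added example (not the slides' code and not Foundstone's): it expands a handful of GHDB-style signatures, constructed here from the searches on Recon 23 and 24, against a target domain, checks each query against the directive rules on Recon 18 (no space after a directive, at most 10 terms, case does not matter), and works out how many days a run takes under the 1k-per-day API cap from Recon 17. It builds the query strings only; sending them to Google is left out.

```python
import re

# Constructed GHDB-style signatures; {site} is filled in per target. The real GHDB has thousands.
SIGNATURES = [
    'site:{site} filetype:xls ssn',
    'site:{site} ssn -filetype:pdf',
    'site:{site} intitle:"index of" finance.xls',
    'site:{site} intitle:"gateway configuration menu"',
    'site:{site} intitle:"samba web administration tool" intext:"help workgroup"',
    'site:{site} "welcome to intranet"',
]

MAX_TERMS = 10           # Recon 18: at most 10 search terms per query
DAILY_API_LIMIT = 1000   # Recon 17: one API key gets 1k searches per day

# A term is an optional directive prefix followed by a quoted phrase or a bare word.
_TERM = re.compile(r'(?:[a-z]+:)?(?:"[^"]*"|\S+)', re.IGNORECASE)


def tokenize(query):
    """Split a query into terms, keeping 'intitle:"index of"' together as one term."""
    return _TERM.findall(query)


def validate(query):
    """List the rule violations in a query (an empty list means it is well-formed)."""
    problems = []
    # 'site: example.com' (space after the colon) searches for the word 'site' instead
    if re.search(r'(?<!\S)[a-z]+:\s', query, re.IGNORECASE):
        problems.append('space after directive')
    if len(tokenize(query)) > MAX_TERMS:
        problems.append('more than %d terms' % MAX_TERMS)
    return problems


def build_queries(site, signatures=SIGNATURES):
    """Instantiate every signature for one target domain, keeping only well-formed queries."""
    queries = []
    for sig in signatures:
        q = sig.format(site=site.lower())      # searches are case-insensitive anyway
        if not validate(q):
            queries.append(q)
    return queries


def days_needed(n_queries, daily_limit=DAILY_API_LIMIT):
    """Ceiling division: how many days a full run takes under the per-key cap."""
    return -(-n_queries // daily_limit)


if __name__ == "__main__":
    for q in build_queries("mybank.com"):
        print(q)
    print(days_needed(2500), "days for 2500 signatures")  # -> 3
```

The same loop, pointed at your own domain, is the cheapest way to "monitor publicly available info": run it from the defender's side before someone else does.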
Recon 28
Google
- Lots of other interesting Google searches
o Track current flights
o Look up auto VIN
o Look up product UPC
- Google filters some sensitive data
o SSNs, for example
- Yahoo and MSN Search do less filtering
Recon 29
Newsgroups
- "Listening in at the virtual water cooler"
- Employees submit detailed questions
o How to configure something
o How to code something
o How to troubleshoot a problem
- Reveals info about products, config, etc.
o "sensitive information leakage on a grand scale"
- Attacker could even play an active role
o Give bad/incorrect advice
Recon 30
Newsgroups
- To search groups
o groups.google.com
o Repackaged version of DejaNews
Recon 31
Organization's Website
- Web site might reveal useful info
o Employee contact info
o Clues about corporate culture/language
o Business partners
o Recent mergers and acquisitions
o Technology in use
o Open jobs
Recon 32
Defenses Against Web Recon
- Limit what goes on Web pages
o No sensitive info
o Limit info about products, configuration, …
- Security by obscurity?
o "…no sense putting an expensive lock on your door and leaving milk and cookies outside so the lock picker can have a snack" while he breaks in
Recon 33
Defenses Against Web Recon
- Have a policy on use of newsgroups
- Monitor publicly available info
- Google/Wayback will remove sensitive data
- Use robots.txt, or per-page robots meta tags, so Web pages are not indexed
o Meta tags: noindex, nofollow, noarchive, nosnippet
o Well-behaved crawlers will respect these, but…
o …a robots.txt is itself a sign to bad guys of where the sensitive data is
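Why a robots.txt is a map for the attacker, as an added example (not from the slides). The robots.txt below is constructed for a made-up host; parse_robots() follows the User-agent/Disallow grouping of the robots.txt format, recon_targets() lists every path a crawler is told to avoid (exactly the list an attacker wants), and robots_meta() builds the per-page meta tag from the four directives on the slide, which, unlike robots.txt, does not publish the paths you are trying to hide. Neither mechanism is access control.

```python
# Constructed robots.txt for a hypothetical host (www.example.com is not a real target).
SAMPLE_ROBOTS_TXT = """\
# robots.txt for www.example.com (constructed example)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /intranet/
Disallow: /cgi-bin/
Allow: /public/

User-agent: Googlebot
Disallow: /beta/
"""

# The directives Google documents for the robots meta tag / X-Robots-Tag header.
ROBOTS_DIRECTIVES = ("noindex", "nofollow", "noarchive", "nosnippet")


def parse_robots(text):
    """Return {user_agent: {'disallow': [...], 'allow': [...]}} from robots.txt content."""
    rules = {}
    agents = []          # User-agent lines that share the rules that follow
    seen_rule = False    # a rule line ends the current group
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and surrounding whitespace
        if not line or ':' not in line:
            continue
        field, value = (part.strip() for part in line.split(':', 1))
        field = field.lower()
        if field == 'user-agent':
            if seen_rule:
                agents, seen_rule = [], False
            agents.append(value)
            rules.setdefault(value, {'disallow': [], 'allow': []})
        elif field in ('disallow', 'allow') and agents:
            seen_rule = True
            if value:                             # an empty Disallow means "everything is allowed"
                for agent in agents:
                    rules[agent][field].append(value)
    return rules


def recon_targets(text):
    """Every path any crawler is told to stay out of, in file order, without duplicates."""
    paths = []
    for agent_rules in parse_robots(text).values():
        for path in agent_rules['disallow']:
            if path not in paths:
                paths.append(path)
    return paths


def robots_meta(*directives):
    """Build the <meta name="robots"> tag for one page; rejects directives Google does not define."""
    bad = [d for d in directives if d not in ROBOTS_DIRECTIVES]
    if bad:
        raise ValueError('unknown robots directive(s): %s' % ', '.join(bad))
    return '<meta name="robots" content="%s">' % ', '.join(directives)


if __name__ == "__main__":
    for path in recon_targets(SAMPLE_ROBOTS_TXT):
        print("worth a look:", path)
    print(robots_meta("noindex", "noarchive"))
```

The meta tag has to be served inside each page (or as an X-Robots-Tag response header), so a crawler that ignores it still fetches the page; the only real defense for a path like /admin/ is authentication in front of it.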
Recon 34
Whois Databases
- Internet "white pages" listing
o Domain names, contact info, IP addresses
o .com, .net, .org, .edu
- ICANN oversees the registration process
o Hundreds of actual registrars
Recon 35
InterNIC
- InterNIC (Internet Network Info Center)
o First place to look
o Info on domain name registration services
Recon 36
InterNIC
- Whois info available from InterNIC
o com, net, org, edu
- Other sites for other top level domains
Recon 37
Whois
- Once the registrar is known, attacker can contact it
o More detailed Whois info
o Network Solutions in this example
Recon 38
Whois
- Info includes
o Names
o Telephone numbers
o Email addresses
o Name (DNS) servers
o And so on…
- (Since 2018 many registrars redact the personal contact fields, but the name servers are still published, and those are the starting point for the DNS recon below)
Recon 39
IP Address Assignment
- ARIN (American Registry for Internet Numbers)
o Info about who owns an IP address or range of addresses
- Similar organizations for Europe, Asia, Latin America, … (RIPE NCC, APNIC, LACNIC, AFRINIC)
Recon 40
Defense Against Whois Search
- Bad idea to put false info into databases
o Important that people can contact you
o For example, if an attack is launched from your site
- No real defense against Whois
- Anonymous registration services exist
o Author is not fond of these
o Better to train against social engineering
Recon 41
Domain Name System
- DNS
o A hierarchical distributed database
o Like a (hierarchical distributed) telephone directory
o Converts human-friendly names into computer-friendly IP addresses
- Internet is impossible without DNS
Recon 42
DNS
- 13 root DNS servers
o A "single point" of failure for the Internet
o In practice each of the 13 root server addresses (A through M) is anycast to many physical instances, so the count understates the redundancy
Recon 43
DNS
- DNS example
o Recursive and iterative searches
o Resolved locally, if possible
o Lots and lots of caching
Recon 44
DNS
- DNS cache on a Windows machine (ipconfig /displaydns)
Recon 45
DNS
- Gives IP address of a domain
- Lots of other info
- DNS record types
o Address (A, AAAA, and PTR for the reverse direction): domain name/IP address (or vice-versa)
o Host information (HINFO): info about the system, such as hardware and OS
o Mail exchange (MX): mail system info
o Name server (NS): DNS servers
o Text (TXT): arbitrary text string
Recon 46
Interrogating DNS
- Attacker determines DNS servers
o From registrar's Whois database
- Use nslookup (or dig in Linux) to interrogate name servers
o Zone transfer (all info about domain)
o See example from text --- IP addresses, mail server names, OS types, etc.
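What a successful zone transfer hands over, as an added example (not the text's example): the dig output below is constructed for a made-up zone (example.com with RFC 5737 addresses). parse_zone() reads the records that `dig axfr example.com @ns1.example.com` prints (in nslookup the equivalent is `ls -d example.com` after `server ns1.example.com`), summarize() pulls out the hosts, mail and name servers, and the HINFO/TXT chatter that leaks OS types, and transfer_succeeded() recognises the "Transfer failed" line dig prints when the server restricts transfers, which is the defense on the next slide.

```python
import re

# Constructed dig AXFR output for a hypothetical zone; this is what anyone on the
# Internet sees if the name server allows zone transfers to any client.
SAMPLE_AXFR = """\
; <<>> DiG 9.x <<>> axfr example.com @ns1.example.com
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2005010101 7200 3600 1209600 3600
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
www.example.com.        3600    IN      A       192.0.2.10
mail.example.com.       3600    IN      A       192.0.2.25
mail.example.com.       3600    IN      HINFO   "Sun Ultra 60" "Solaris 8"
db1.example.com.        3600    IN      A       192.0.2.40
db1.example.com.        3600    IN      HINFO   "Dell PowerEdge" "Windows 2000"
db1.example.com.        3600    IN      TXT     "oracle dev box, ask bob"
ns1.example.com.        3600    IN      A       192.0.2.53
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2005010101 7200 3600 1209600 3600
"""

# owner  ttl  IN  type  rdata   (dig's presentation format for one resource record)
_RR = re.compile(r'^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$')


def parse_zone(output):
    """Turn dig's text output into (owner, type, rdata) tuples, skipping comments and blanks."""
    records = []
    for line in output.splitlines():
        if not line or line.startswith(';'):
            continue
        m = _RR.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3).strip()))
    return records


def transfer_succeeded(output):
    """dig prints '; Transfer failed.' when AXFR is refused; a complete zone starts and ends with SOA."""
    if 'Transfer failed' in output:
        return False
    return sum(1 for rec in parse_zone(output) if rec[1] == 'SOA') >= 2


def summarize(records):
    """Pull out what the attacker wants: hosts and addresses, mail/name servers, OS details."""
    summary = {'hosts': {}, 'mail_servers': [], 'name_servers': [], 'os_leaks': {}, 'text': {}}
    for owner, rtype, rdata in records:
        if rtype == 'A':
            summary['hosts'][owner] = rdata
        elif rtype == 'MX':
            summary['mail_servers'].append(rdata.split()[-1])      # drop the preference number
        elif rtype == 'NS':
            summary['name_servers'].append(rdata)
        elif rtype == 'HINFO':
            parts = re.findall(r'"([^"]*)"', rdata)                 # HINFO is <hardware> <os>
            if len(parts) == 2:
                summary['os_leaks'][owner] = (parts[0], parts[1])
        elif rtype == 'TXT':
            summary['text'][owner] = ' '.join(re.findall(r'"([^"]*)"', rdata))
    return summary


if __name__ == "__main__":
    if transfer_succeeded(SAMPLE_AXFR):
        s = summarize(parse_zone(SAMPLE_AXFR))
        for host, (hw, os_) in s['os_leaks'].items():
            print("%s -> %s, %s at %s" % (host, hw, os_, s['hosts'].get(host)))
    else:
        print("zone transfer refused; fall back to per-name lookups")
```

Run the same two functions against your own name servers from an outside address: a refused transfer plus an empty os_leaks is the state the defenses on the next slide are meant to produce.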
Recon 47
DNS Recon Defenses
- Remove info on OS types, etc.
- Restrict zone transfers
o To primary and secondary name servers
- Employ "split DNS"
o Allow outside DNS activity related to Web, mail, FTP, …, servers
o No outside DNS directly from the internal network
Recon 48
Split DNS
- Internal DNS server acts as proxy
o Relays requests to external DNS
o Internal users can resolve internal and external names
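How the defenses on Recon 47 and 48 look in a BIND 9 named.conf, as an added example (not from the slides; the zone name, ACL names and RFC 5737 addresses are assumptions). It uses BIND views to implement split DNS on one server, an alternative to the two-server proxy layout on the slide: internal clients get the full zone and recursion, with outbound lookups relayed through an outward-facing resolver, the world gets only the public records and no recursion, and both views restrict zone transfers to the secondary. The weak setting is shown commented out beside the corrected one.

```conf
// Added example: BIND 9 named.conf excerpt. Names and addresses are assumptions
// (RFC 5737 documentation ranges), not a real deployment.
acl "internal_nets" { 10.0.0.0/8; 127.0.0.1; };
acl "secondary_ns"  { 192.0.2.54; };            // ns2, the only host allowed to pull the zone

options {
    directory "/var/named";
    // allow-transfer { any; };                  // weak: anyone can run "dig axfr" against you
    allow-transfer { none; };                    // hardened default, overridden per zone below
    version "not disclosed";                     // don't answer version.bind CHAOS queries honestly
};

// Internal view: full zone file, recursion for internal clients, outbound lookups
// relayed through the outward-facing resolver (the "proxy" role on the Split DNS slide).
view "internal" {
    match-clients { internal_nets; };
    recursion yes;
    forwarders { 192.0.2.53; };                  // assumed address of the external resolver
    zone "example.com" {
        type master;
        file "internal/example.com.zone";        // internal hosts; no HINFO or chatty TXT records
        allow-transfer { secondary_ns; };
    };
};

// External view: only the www, mail and ns records; no recursion for the outside world.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { secondary_ns; };
    };
};
```

Verify from outside with `dig axfr example.com @ns1.example.com` (it should fail) and `dig db1.example.com @ns1.example.com` (it should return nothing), and from inside that both names resolve.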
Recon 49
General-Purpose Recon Tools
- Sam Spade
o Detective character in Dashiell Hammett's novel, The Maltese Falcon
o Humphrey Bogart
o Also a general Web-based recon tool
- Research and attack portals
o For more specific info
Recon 50
Sam Spade
- All the bells and whistles
- Some of Sam Spade's capabilities
o ping, whois lookups, IP block whois, nslookup, DNS zone transfer, traceroute, finger
o SMTP VRFY --- is a given email address valid?
o Web browser --- view raw HTTP interaction
o Web crawler --- grab entire web site
Recon 51
Sam Spade
“The incredibly useful Sam Spade user interface”
Recon 52
Other General Recon Tools
- Active Whois Browser
o Whois and DNS tool, $19.95
- NetScanTools Pro
o Costs $249+
- iNetTools
o Feature-limited, but free
Recon 53
Web-based Recon Tools
- Some "run by rather shady operators"
o www.samspade.org
o www.dnsstuff.com
o www.traceroute.org
o www.networktools.com
o www.cotse.com/refs.htm
o www.securityspace.com
o www.dlsreports.com
Recon 54
AttackPortal
- AttackPortal
o Helps attacker remain anonymous
o This site is moribund (2005)
Recon 55
Conclusion
- Attacker can gain useful info from a variety of sources
o From social engineering to automated tools…
o …and everything in between
- Useful info might include
o Contact info, IP addresses, domain names
o Possibly system details, technologies used, …
- Building blocks for actual attacks
Recon 56
Summary
- Sophisticated attacks likely to start with a recon phase
- Low-tech recon techniques
o Social engineering
o Spoofed caller ID
o Physical access
o Dumpster diving
Recon 57
Summary
- Higher-tech techniques
o Google hacking, SiteDigger, GHDB
o Whois databases, InterNIC, ARIN
o DNS, nslookup, dig
o Sam Spade, client-side recon tools
o Web-based recon tools