Data Gathering A hacker can’t do anything to you if they don’t know anything about you. The hacker requires: A target Your ip address Your OS type What kernel are you using What services you are running What is your internet connection speed

Upload: dina-walters

Post on 25-Dec-2015

221 views


TRANSCRIPT

Page 1: Data Gathering

• A hacker can’t do anything to you if they don’t know anything about you.

• The hacker requires:
  – A target
  – Your IP address
  – Your OS type
  – What kernel you are using
  – What services you are running
  – What your internet connection speed is

Page 2: How they choose a target

• A hacker can get much information from posts made to news groups and mailing lists.

• Example (from the firewall-wizards news group):

[fw-wiz] Problems with IPTables and DMZ port
Klaus Leithner [email protected]
Sat, 5 Jan 2002 11:35:57

I have a very urgent problem with a linux box running RedHat 7.2 and IPTables v. 1.2.3.

We need to replace our normal Firewall (a Watchguard FireBox II) with the following configuration:

Public IP - Address Range : 211.18.46.192 with a NetMask 255.255.255.192
Private IP - Address Range : 10.43.0.0 with a NetMask 255.255.0.0

We have a DMZ, which uses the public IP - Address Range.

Page 3: How they choose a target

Schemata:

(x) (Router : 211.18.46.193)
 ||
 -------------  (EXTERNAL INTERFACE : 211.18.46.194)
 |           |
 | Firewall  |--------- (DMZ Interface : 211.18.46.195  All of our
 |           |          Server in the DMZ use IP-Addresses like
 |           |          211.18.46.X, and a gateway of 211.18.4.193)
 -------------
 ||
 (LAN INTERFACE : 10.43.0.1  we use NAT)

We have a breakdown of our standard Firewall, and need to replace it as soon as possible with this linux - box. We have tried every trick we know and, after about 24 hours of work, no chance!

Can anyone help us !!!

Thanks in advance
Klaus Leithner

Page 4: How they choose a target

• Other targets include:
  – Entities with high speed internet
    • Universities, governments, large corporations
  – Entities with many disconnected policies and procedures
    • Governmental entities, medium/large corporations
  – Well known entities
    • GM, Microsoft, MSU, NASA, etc.
  – Entities with novice administrators
    • Home computers with cable modems, power left on
  – Entities that can give financial gain
    • Banks, stock brokers
  – Entities that can provide trade secrets
    • Pharmaceutical companies, research companies

Page 5: How they get info on you

• Domain lookup
  – Whois database
    • A list of domains and the contact information associated with a domain.
  – Example of a domain lookup:

>whois -a gm   (you might need a host: whois.internic.net)
GM.ST63.AREANA.NE.JP
GM.HOTELRES.COM
GM.GEEKFREET.NET
GM.GARM.NET
GM.ORG
GM.NET
GM.COM
GM

Page 6: How they get info on you

• Domain lookup
  – Example:

>whois gm.com

Registrant:
  Domain Name Administrator
  General Motors Corporation
  300 Renaissance Center
  Mail Code 482-C23-B21
  Detroit MI 48265-3000
  US
  [email protected] +1.3136654967 Fax: +1.1111111111

Domain Name: gm.com

Administrative Contact:
  Domain Name Administrator
  General Motors Corporation
  300 Renaissance Center
  Mail Code 482-C23-B21
  Detroit MI 48265-3000
  US
  [email protected] +1.3136654967 Fax: +1.1111111111

Page 7: How they get info on you

• Domain lookup
  – Example (cont):

Technical Contact, Zone Contact:
  DNS Technical Contact
  EDS NNAM
  800 Tower Drive MS 4258
  Troy MI 48098
  US
  [email protected] +1.2482655000 Fax: +1.1111111111

Created on..............: 1992-01-15.
Expires on..............: 2011-01-16.
Record last updated on..: 2010-08-13.

Domain servers in listed order:
  ns3.eds.com
  ns1.eds.com
  ns2.eds.com

Page 8: How they get info on you

• DNS queries
  – Get the IP address of a given domain
  – Example:

>host gm.com
gm.com has address 170.224.60.167

• Network lookup
  – Again using the whois database
  – Instead of giving a domain you give an IP address

Page 9: How they get info on you

• Network lookup
  – Example:

>whois 170.224.60.167
NetRange:   170.224.0.0 - 170.227.255.255
NetName:    IBM-COMMERCIAL
NameServer: RTPUSSXDNSB03.RALEIGH.MEBS.IHOST.COM
NameServer: RTPUSSXDNSB04.RALEIGH.MEBS.IHOST.COM
NameServer: BLDUSWXDNSB01.BOULDER.MEBS.IHOST.COM
NameServer: BLDUSWXDNSB02.BOULDER.MEBS.IHOST.COM

OrgName:    IBM
Address:    3039 Cornwallis Road
City:       Research Triangle Park
StateProv:  NC
PostalCode: 27709-2195
Country:    US
RegDate:    1992-02-08
Updated:    2006-09-15

Page 10: How they get info on you

• Countermeasures
  – A whois database record is required to register your company for an IP address, so the entry itself cannot be avoided.
  – Do not use actual names for the various contacts. Instead use role names like “tech support”.
  – Do not give a direct phone number; give the main office general phone number.
  – This helps to prevent social engineering!

Page 11: What machines are running?

• Now that the hacker has an IP range, what machines are actually there?

• Use ping sweeps
  – ICMP ping
    • Send an ICMP echo request to each IP address in a range; if there is a reply then there is a machine at that IP address
    • Command: ping ipaddress

Page 12: What machines are running?

• Use ping sweeps
  – Nmap ping sweep
    • Sends an ICMP echo packet as well as a connection request to the http port (80).
    • Command: nmap -sP iprange

• Countermeasures
  – Configure a firewall to not allow ICMP echo requests in and to prevent ICMP echo replies out
    • But that stops all pings, some of which may be useful.
  – Can’t prevent probing of open ports

Page 13: Where is a machine?

• It is useful to the hacker to know where a machine is located.

• It is also helpful to know how well “connected” a computer is.

• Traceroute
  – Lists all the routers between your computer and another
  – Displays the time for each hop
  – Displays the IP address and common name of each router
  – By examining the names of the routers you can generally guess where a router is, its bandwidth, and the equipment.

Page 14: Where is a machine?

• Example:

>traceroute gm.com
 1 router (148.61.162.254) 0.342 ms 0.288 ms 0.275 ms
 2 fw-lab.gvsu.edu (148.61.17.22) 0.906 ms 0.485 ms 0.463 ms
 3 router.gvsu.edu (148.61.6.1) 2.136 ms 1.829 ms 1.480 ms
 4 s0-1-0.nl-port1.mich.net (198.108.23.74) 4.013 ms 3.418 ms 12.013 ms
 5 at-1-1-0x20.nl-chi3.mich.net (198.108.22.169) 21.982 ms 15.438 ms 12.870 ms
 6 acr2-so-6-1-0.Chicago.cw.net (208.172.1.169) 58.108 ms 35.452 ms 36.204 ms
 7 cable-and-wireless-peering.Chicago.cw.net (208.172.1.222) 69.233 ms 70.475 ms 69.281 ms
 8 0.so-5-2-0.XL1.CHI2.ALTER.NET (152.63.68.2) 73.590 ms 70.233 ms 68.240 ms
 9 0.so-2-0-0.TL1.CHI2.ALTER.NET (152.63.67.125) 69.726 ms 73.297 ms 71.348 ms
10 0.so-1-2-0.TL1.DCA6.ALTER.NET (152.63.1.93) 48.134 ms 48.167 ms 47.825 ms
11 0.so-4-0-0.CL1.GSO1.ALTER.NET (152.63.39.137) 59.292 ms 58.914 ms 56.003 ms
12 189.ATM7-0.GW4.GSO1.ALTER.NET (152.63.33.213) 57.321 ms 56.504 ms 58.668 ms
13 usibm-gw.customer.alter.net (157.130.39.38) 61.277 ms 60.298 ms 60.273 ms

Page 15: Where is a machine?

• How Traceroute works
  – Sends UDP packets through the internet with the time to live (TTL) set to 1
  – Waits for the ICMP time expired (Time Exceeded) reply
  – Increases the time to live by one and sends again
  – Each time it gets an ICMP time expired reply it learns the next hop in the route

• Countermeasures
  – You can’t do anything about how you are connected to the internet, nor about the ICMP time expired reply
  – You can block ICMP packets in and out of your organization
  – You should NOT name machines in a way that reveals information
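An added example (not from the slides) for pages 13 to 15: it parses traceroute output in the layout shown above and reports what each router's name gives away, so you can audit your own reverse DNS names before someone else reads them. The hostnames, addresses and hint tables are constructed assumptions, not data from the slides.

```python
import re
from statistics import median

# Constructed traceroute output in the layout the slide shows (not copied from it).
SAMPLE_TRACE = """\
 1  router (198.51.100.254)  0.342 ms  0.288 ms  0.275 ms
 2  fw-lab.example.edu (198.51.100.22)  0.906 ms  0.485 ms  0.463 ms
 3  core-rtr1.example.edu (198.51.100.1)  2.136 ms  1.829 ms  1.480 ms
 4  * * *
 5  acr2-so-6-1-0.Chicago.transit.example (203.0.113.169)  58.108 ms  35.452 ms  36.204 ms
 6  0.so-5-2-0.XL1.CHI2.transit.example (203.0.113.2)  73.590 ms  70.233 ms  68.240 ms
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)((?:\s+[\d.]+ ms)+)")
# Name fragments that give away role or site; extend with your own naming conventions.
ROLE_HINTS = {"fw": "firewall", "router": "router", "rtr": "router", "gw": "gateway",
              "core": "core router", "lab": "lab network", "acr": "access router"}
CITY_HINTS = {"chicago": "Chicago", "chi": "Chicago", "dca": "Washington DC"}

def parse_hops(text):
    """Return [(hop, host, ip, median_rtt_ms)]; unanswered '* * *' hops are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(4))]
            hops.append((int(m.group(1)), m.group(2), m.group(3), median(rtts)))
    return hops

def leaked_info(host):
    """List what a router's name reveals: role, city, or interface/slot naming."""
    found = []
    for raw in re.split(r"[.\-_]", host.lower()):
        tok = raw.rstrip("0123456789")          # "rtr1" -> "rtr", "chi2" -> "chi"
        if tok in ROLE_HINTS:
            found.append("role:" + ROLE_HINTS[tok])
        if tok in CITY_HINTS:
            found.append("city:" + CITY_HINTS[tok])
    # "so-5-2-0" / "at-1-1-0" style fragments name the link type and slot/port,
    # which hints at the equipment and its bandwidth class.
    if re.search(r"(^|[.\-])(so|at|ge|xe)-\d+-\d+-\d+", host.lower()):
        found.append("equipment:interface-name")
    return found

def audit(text):
    """Map each answering hop's hostname to what it leaks; [] means nothing obvious."""
    return {host: leaked_info(host) for _, host, _, _ in parse_hops(text)}
```

Run audit() over a traceroute to your own perimeter: any hop whose list is not empty is a name the slide's last countermeasure says you should change.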

Page 16: What is running on the machine?

• When a network service is made available it opens a port in the range 0 – 65535.

• There are “well known” port numbers opened by established programs.
  – They are in the range 0 – 1024. Only privileged commands may use a “well known” port number
  – telnet 23
  – ftp 21
  – smtp 25
  – ssh 22

• There are also port numbers generally accepted as being used for certain purposes
  – See /etc/services for the list known to your machine

Page 17: What is running on the machine?

• Port scanning
  – TCP
    • A program sends a SYN request to each port in a range and sees if a SYN/ACK is returned.
    • Or it can send a FIN packet, and see if the computer responds
    • Or it can send an ACK packet; an open port will respond with a RST packet, because there is no established connection
    • Or …
    • TCP scanning is relatively fast because of its connection-oriented nature
  – UDP
    • A program sends a UDP packet to the port and has to wait to see if an ICMP port unreachable is returned
    • UDP scanning is slow because it must wait for the ICMP return message. There is a limit on the rate of returned ICMP error messages.

Page 18: What is running on the machine?

• Port scanning
  – Tools:
    • Netcat
    • Strobe
    • Nmap
    • Satan
    • Saint
    • eEye Retina Scanner (Windows)
    • Typhoon
    • Mscan
    • Sscan

Page 19: What is running on the machine?

• Port scanning
  – Countermeasures
    • Port scan detectors
      – Lestat
      – Pkdump
      – Scan detect
      – Astraro portscan detect
      – Shadow scan
      – Resentment.org
      – Scanlogd
      – Port sentry
    • Most organizations treat port scans as a prelude to an attack and consider them hostile!
      – They are a good idea to do to your own organization, but make sure you have permission first!
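An added example (not from the slides, nor from any of the detectors listed) of the detection side of pages 11, 12, 17 and 19: it reads constructed firewall-style log lines and flags a ping sweep (one source sending ICMP echo requests to many hosts) and SYN, FIN or ACK port scans (one source probing many ports on one host), mapping hit ports to the well-known services named on page 16. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the slides): "time proto src dst dport flags".
SAMPLE_LOG = """\
10:00:01 ICMP 203.0.113.9 192.0.2.1 - echo-request
10:00:01 ICMP 203.0.113.9 192.0.2.2 - echo-request
10:00:01 ICMP 203.0.113.9 192.0.2.3 - echo-request
10:00:02 ICMP 203.0.113.9 192.0.2.4 - echo-request
10:00:05 TCP 203.0.113.9 192.0.2.3 21 SYN
10:00:05 TCP 203.0.113.9 192.0.2.3 22 SYN
10:00:05 TCP 203.0.113.9 192.0.2.3 23 SYN
10:00:05 TCP 203.0.113.9 192.0.2.3 80 SYN
10:00:09 TCP 198.51.100.7 192.0.2.3 80 FIN
10:00:09 TCP 198.51.100.7 192.0.2.3 443 FIN
10:00:09 TCP 198.51.100.7 192.0.2.3 8080 FIN
10:00:30 TCP 198.51.100.20 192.0.2.3 443 SYN
"""
LINE_RE = re.compile(r"^(\S+) (ICMP|TCP|UDP) (\S+) (\S+) (\S+) (\S+)$")
SWEEP_HOSTS = 4   # distinct hosts one source probes with ICMP echo (tune per site)
SCAN_PORTS = 3    # distinct ports one source probes on one host (tune per site)
# Well-known ports named on the slides, as /etc/services would map them.
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}

def parse(log):
    """Yield (proto, src, dst, dport, flags) per well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, proto, src, dst, dport, flags = m.groups()
            yield proto, src, dst, int(dport) if dport.isdigit() else None, flags

def detect(log):
    """Return {'sweeps': {src: host_count}, 'scans': {(src, dst): finding}}."""
    echo_targets = defaultdict(set)                  # src -> hosts pinged
    probes = defaultdict(lambda: defaultdict(set))   # (src, dst) -> flag -> ports
    for proto, src, dst, dport, flags in parse(log):
        if proto == "ICMP" and flags == "echo-request":
            echo_targets[src].add(dst)
        elif proto == "TCP" and dport is not None and flags in ("SYN", "FIN", "ACK"):
            probes[(src, dst)][flags].add(dport)
    sweeps = {s: len(h) for s, h in echo_targets.items() if len(h) >= SWEEP_HOSTS}
    scans = {}
    for key, by_flag in probes.items():
        for flag, ports in by_flag.items():
            if len(ports) >= SCAN_PORTS:
                # SYN burst = half-open scan; FIN/ACK probes with no connection = stealth scans.
                scans[key] = {"kind": flag + " scan", "ports": sorted(ports),
                              "services": [WELL_KNOWN.get(p, "?") for p in sorted(ports)]}
    return {"sweeps": sweeps, "scans": scans}
```

A single SYN to one port (the last line) stays below the threshold, which is the trade-off every detector in the list above makes between catching slow scans and paging on normal traffic.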

Page 20: What OS is running on the machine?

• Network banners
  – Many services announce what the OS is.
  – telnet into any of your security machines and read the banner

• OS detection can be done by sending a series of illegal TCP/IP packets to a machine
• Each OS will respond differently to the packets
  – By comparing the responses to a database, the OS can be determined

• Tools
  – Queso
  – Nmap

Page 21: What OS is running on the machine?

• Countermeasures
  – Stop services from broadcasting the OS or protocol being used
  – Install a proxy firewall; that way the OS identified will be that of the firewall and not your machine.