Methodology Footprinting&Scanning
Common Methodologies
Open Source Security Testing Methodology Manual (OSSTMM)
http://www.isecom.org/osstmm/
Methodology
Simplified Attack & Pen Methodology
Footprinting Scanning Enumeration Exploitation
Methodology
Footprinting: Who are they? Discovery of technology information. Public information gathering: search engines, DNS entries, Whois, job sites, etc.
Scanning: Identify all entry points and communication paths. Network scanning (TCP/IP ports and services).
Enumeration: Mapping all information from any given service (usually without any privileges, or with basic user privileges). Machines, users, groups, shares, trusts. SMB, WWW, LDAP, SNMP, SMTP, FTP, etc.
Exploitation: Gaining access and taking control of the system, files, processes or privileges (user-level, admin-level). Known vulnerabilities, weak configurations, password attacks and social engineering.
Footprinting
What is footprinting?
The process of identifying information about a specific environment. Discovering the topology and identifying possible points of attack (the attack surface). Planning the attack.
Footprinting
Purpose: Build a profile of the target
Reconnaissance of open source information: gathering of public information about the organization, and finding technology information about servers, routers, firewalls, etc.
Sources: search engines, DNS entries, Whois, etc.; advertisements, IT job openings, company web sites, Google groups, blogs, etc.
Footprinting
What are we looking for?
Internet Presence:
IP address ranges, domain names, mail exchanges (MX records in DNS), public web servers.
Footprinting Tools
IP Address Ranges: Domain Name Servers (DNS), Traceroute, Search Engines
Domain Names: DNS, Search Engines
Mail Exchanges: DNS, Search Engines?
Footprinting - WhoIs
WhoIs Query of Internet Registries
InterNIC + 5 Regional Internet Registries (Ref: http://www.arin.net/community/rirs.html)
AfriNIC - Africa
APNIC - Asia/Pacific
ARIN - North America
LACNIC - Central and South America
RIPE NCC - Europe, Middle East, Central Asia
InterNIC (ICANN) - Public Domain Name Registration Info
Footprinting - NSLOOKUP
Nslookup
Queries Domain Name Server information (IP address to hostname).
Lookup IP to domain name mapping:
nslookup.exe [ip address or host name]
Online: www.traceroute.org
Zone Transfer (interactive nslookup; "ls" is available in the Windows nslookup):
nslookup.exe
> server [authoritative server]
> set type=any
> ls -d [target_network_name]
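The "What are we looking for?" slide and the nslookup slides above describe collecting DNS data and turning it into a profile of the Internet presence. The following added example (not part of the original deck) does that second step over constructed records of the kind lookups or a zone listing return: it derives IP address ranges, domain names, mail exchanges and likely public web servers, and separately calls out internal RFC 1918 addresses that have been published in public DNS. The record list, hostnames (example.com, example.net) and addresses (RFC 5737 documentation ranges) are all constructed; the WEB_HINTS label list is an assumption of this example.

```python
"""Footprinting profile builder (added example, not from the original deck).

Takes DNS records of the kind nslookup lookups or a zone listing return and
derives what the footprinting slides say we look for: IP address ranges,
domain names, mail exchanges and public web servers. All data is constructed;
addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records as (owner name, type, value), as they might
# appear in a zone listing. Nothing here is a real host.
SAMPLE_RECORDS = [
    ("example.com.",          "A",     "198.51.100.10"),
    ("www.example.com.",      "A",     "198.51.100.10"),
    ("www.example.com.",      "A",     "198.51.100.11"),
    ("mail.example.com.",     "A",     "198.51.100.25"),
    ("vpn.example.com.",      "A",     "203.0.113.5"),
    ("intranet.example.com.", "A",     "192.168.1.20"),   # internal address published externally
    ("shop.example.com.",     "CNAME", "www.example.com."),
    ("example.com.",          "MX",    "10 mail.example.com."),
    ("example.com.",          "MX",    "20 mx2.example.net."),
]

# RFC 1918 space, checked explicitly: ipaddress.is_private also flags the
# documentation ranges used in the sample, which would hide the public hosts.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_HINTS = ("www", "web", "shop", "portal")   # assumed labels that suggest a web server


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def build_profile(records):
    """Summarise the Internet presence implied by a list of DNS records."""
    a_records = defaultdict(set)   # name -> set of IPv4Address
    cnames = {}                    # alias -> canonical name
    mx = []                        # (preference, mail host)
    for name, rtype, value in records:
        if rtype == "A":
            a_records[name].add(ipaddress.ip_address(value))
        elif rtype == "CNAME":
            cnames[name] = value
        elif rtype == "MX":
            pref, target = value.split(None, 1)
            mx.append((int(pref), target))

    def resolve(name, hops=8):
        # Follow a (bounded) CNAME chain down to the addresses behind a name.
        while hops and name in cnames:
            name, hops = cnames[name], hops - 1
        return a_records.get(name, set())

    all_ips = {ip for ips in a_records.values() for ip in ips}
    public = {ip for ip in all_ips if not is_rfc1918(ip)}
    # Collapse public addresses into /24 blocks: the "IP address ranges" to
    # confirm later against Whois / RIR data.
    ranges = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in public}
    names = set(a_records) | set(cnames)
    web = {n for n in names if n.split(".")[0].startswith(WEB_HINTS)}

    return {
        "ip_ranges": sorted(str(r) for r in ranges),
        "internal_leaks": sorted(str(ip) for ip in all_ips if is_rfc1918(ip)),
        "domain_names": sorted(names | {host for _, host in mx}),
        "mail_exchanges": [host for _, host in sorted(mx)],
        "web_servers": {n: sorted(str(ip) for ip in resolve(n)) for n in sorted(web)},
    }


if __name__ == "__main__":
    for key, value in build_profile(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Run from an organisation's own side, the "internal_leaks" entry is the finding worth acting on: an internal address in public DNS tells an outsider about the inside topology for free, and the /24 blocks give a checklist to compare against what Whois says the organisation actually owns.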
Methodology
Scanning: Identify all entry points and communication paths. Network scanning (TCP/IP ports and services), phone scanning (wardialing), wireless scanning (wardriving).
Scanning
Types of scanning
Host (Ping) Scanning, Port Scanning, Vulnerability Scanning, War Dialing, War Driving
Host Scanning
Hackers perform host scanning to locate and identify hosts on the network, usually by pinging a range of IP addresses. Hosts that respond to pings may be targeted for attack.
(Diagram: 192.168.10.100)
Port Scanning
Hackers perform port scans to determine what services a host may be running. Knowing the services, the hacker can attempt attacks against known vulnerabilities in the service. Port scans attempt to make an initial connection to the service running on a particular port number. Port scans are invasive and are easily detected by intrusion detection systems and/or firewalls.
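The host scanning and port scanning slides both end on the same defensive point: a sweep or scan is noisy and easy to detect. The following added example (not from the original deck) shows the detection logic a firewall log monitor applies: one source hitting many distinct ports in a short window is a port scan, one source hitting many distinct hosts is a host sweep, and an ordinary client does neither. The log line format is an assumed, simplified firewall format, and every line and address in it is constructed.

```python
"""Port-scan / host-sweep detector over firewall log lines (added example,
not part of the original deck).

Demonstrates the point that scans are easy to spot: a single source touching
many distinct ports, or many distinct hosts, within a short window stands out
against normal client traffic. Log lines and addresses are constructed; the
line format is an assumed, simplified firewall format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, window=60, port_threshold=10, host_threshold=10):
    """Flag a source once per kind when, inside `window` seconds, it has hit
    >= port_threshold distinct ports (port scan) or >= host_threshold distinct
    destination hosts (host sweep)."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (ts, dst, dport) inside the window
    flagged, alerts = set(), []
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window:   # expire old entries
            q.popleft()
        checks = (
            ("portscan", len({p for _, _, p in q}), port_threshold),
            ("hostsweep", len({h for _, h, _ in q}), host_threshold),
        )
        for kind, count, threshold in checks:
            if count >= threshold and (ev["src"], kind) not in flagged:
                flagged.add((ev["src"], kind))
                alerts.append({"src": ev["src"], "kind": kind, "count": count,
                               "at": ev["ts"].isoformat()})
    return alerts


def _line(sec, src, dst, dport, action="DENY"):
    return f"2024-03-01T10:00:{sec:02d}Z {action} src={src} dst={dst} dport={dport} proto=tcp"


# Constructed sample log: one vertical port scan, one horizontal sweep on 445,
# one ordinary client, and one unrelated line the parser must skip.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 1433]
SAMPLE_LOG = (
    [_line(i, "203.0.113.9", "198.51.100.10", p) for i, p in enumerate(SCAN_PORTS)]
    + [_line(i, "203.0.113.77", f"198.51.100.{h}", 445) for i, h in enumerate(range(1, 13))]
    + [_line(i * 5, "192.0.2.50", "198.51.100.10", 443, "ALLOW") for i in range(8)]
    + ["Mar  1 10:00:40 fw kernel: unrelated message"]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The thresholds are the tuning knobs: too low and a busy web client or a monitoring system trips the rule, too high and a slow scanner that paces itself beyond the window goes unnoticed, which is exactly the trade-off the slide alludes to when it calls scans "easily detected".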
Network Basics
Ports
A port is where a service listens for connections. Common services use common well-known ports. Any port could be used, as long as both the server and the client know which port to connect to. Ports allow different services to be available from one location or IP address.
Network Basics
IP Addresses
An address is comprised of two parts, a network address and a host address, which are determined by the subnet mask. A simple example is 192.168.1.1 with a subnet mask of 255.255.255.0:
192.168.1 is the network address (the 192.168.1.0 network) and .1 is a host address on that network.
Network Basics
Services
The network protocol that listens for incoming connection requests and links the server application with the client. Typically each service runs on a set of specific ports; in actuality, any service can run on any port.
Therefore, you should put only limited trust in port/service mappings.
Use an application scanner (service detection) to find out what application is really running on that port. Nmap has service detection.
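The Network Basics slides make two points that are easier to see in code: the subnet mask splits an address into its network and host parts, and a port number is only a hint about the service behind it. The added example below (not from the deck, and not Nmap's own detection engine) works the 192.168.1.1 / 255.255.255.0 split from the slide with the ipaddress module, then classifies constructed (port, banner) observations by what the server actually sent, reporting when a known service sits on an unexpected port or the port's well-known service is not what is really listening. The banner regexes are a small illustrative signature set of this example, and the well-known port table is a short excerpt of the standard assignments.

```python
"""Network basics worked through in code (added example, not from the deck):
splitting an address into network and host parts with a subnet mask, and
identifying a service by what it says on the wire rather than by the port it
happens to listen on. Banners and ports below are constructed observations;
the regexes are a small illustrative signature set, not a real tool's database.
"""
import ipaddress
import re


def split_address(ip, mask):
    """Return (network address, host number, network in CIDR form)."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")       # accepts dotted masks
    net = iface.network
    host = int(iface.ip) - int(net.network_address)      # bits left after masking
    return str(net.network_address), host, str(net)


# Well-known port assignments (excerpt): a hint, not proof of what is listening.
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
                    135: "msrpc", 389: "ldap", 443: "https", 445: "smb", 1433: "mssql"}

# Illustrative signatures on the first bytes a server sends (or returns to a probe).
BANNER_SIGNATURES = [
    (re.compile(r"^SSH-\d\.\d-"), "ssh"),
    (re.compile(r"^220 .*(?:FTP|FileZilla)"), "ftp"),
    (re.compile(r"^220 .*(?:ESMTP|SMTP|Postfix|Exim)"), "smtp"),
    (re.compile(r"^HTTP/\d\.\d \d{3}"), "http"),
    (re.compile(r"^\xff[\xfb-\xfe]"), "telnet"),   # IAC WILL/WONT/DO/DONT negotiation
]


def identify_service(port, banner):
    """Classify one (port, banner) observation."""
    observed = next((name for rx, name in BANNER_SIGNATURES if rx.search(banner)), None)
    expected = WELL_KNOWN_PORTS.get(port)
    if observed is None:
        verdict = "unknown"            # no signature matched: needs manual review
    elif observed == expected:
        verdict = "as-expected"
    elif expected is None:
        verdict = "nonstandard-port"   # known service on an unusual port
    else:
        verdict = "mismatch"           # a different service than the port suggests
    return {"port": port, "expected": expected, "observed": observed, "verdict": verdict}


def audit(observations):
    return [identify_service(p, b) for p, b in observations]


# Constructed observations: what a service-detection probe might get back.
SAMPLE_OBSERVATIONS = [
    (22,    "SSH-2.0-OpenSSH_9.6\r\n"),
    (2222,  "SSH-2.0-dropbear_2022.83\r\n"),
    (80,    "220 mail.example.com ESMTP Postfix\r\n"),
    (21,    "220 (vsFTPd 3.0.5)\r\n"),
    (8080,  "HTTP/1.1 200 OK\r\nServer: nginx\r\n"),
    (23,    "\xff\xfb\x01\xff\xfb\x03"),
    (31337, "hello?\r\n"),
]

if __name__ == "__main__":
    print(split_address("192.168.1.1", "255.255.255.0"))
    for row in audit(SAMPLE_OBSERVATIONS):
        print(row)
```

The "mismatch" and "nonstandard-port" verdicts are the ones a defender reviewing their own scan results should chase: a mail server answering on 80 or SSH on 2222 is either an undocumented configuration or something that was not supposed to be there.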
Port Scanning
(Diagram: hosts shown are Database 192.168.10.102, Linux 192.168.10.101, Web 192.168.10.103, 192.168.10.55, 192.168.10.54, Mail Server, and Web 192.168.10.100. Ports found on 192.168.10.100: 21 FTP, 23 Telnet, 49, 53, 80 WWW, 135 MS RPC, 161, 389, 445 SMB, 1433 SQL.)
Vulnerability Scanning
What is vulnerability scanning?
Used to find known flaws within an application or network. These scanning tools are typically signature based and can only find vulnerabilities that the tools know about. Many good commercial and freeware tools are available.
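The slide's key caveat, that signature-based scanners "can only find vulnerabilities that the tools know about", is easiest to see in a miniature scanner. The added example below (not from the deck and not any real product's engine) fingerprints constructed banners, compares the version against a constructed signature database, and reports a service it has no signature for as unfingerprinted rather than as clean. The products (AcmeFTPd, AcmeMail), advisory identifiers (ADV-EXAMPLE-*), summaries and banners are all fictional placeholders of this example.

```python
"""Signature-based vulnerability scanning in miniature (added example, not a
real scanner and not from the original deck).

A scanner fingerprints each service from its banner, then compares the
version against a signature database. Both the products (AcmeFTPd, AcmeMail)
and the advisories (ADV-EXAMPLE-*) are fictional placeholders, as are the
banners; the point is the mechanism, including what happens when the
database has no entry for what it sees.
"""
import re


def parse_version(text):
    """'3.0.4' -> (3, 0, 4); tuples compare the way version numbers should."""
    return tuple(int(part) for part in text.split("."))


# Fingerprint patterns: product name and capture of the version string.
FINGERPRINTS = [
    (re.compile(r"AcmeFTPd[ /](\d+(?:\.\d+)*)"), "AcmeFTPd"),
    (re.compile(r"AcmeMail[ /](\d+(?:\.\d+)*)"), "AcmeMail"),
]

# Constructed signature database: each entry says which versions are affected.
SIGNATURES = [
    {"id": "ADV-EXAMPLE-0001", "product": "AcmeFTPd", "fixed_in": "3.0.5",
     "summary": "placeholder: anonymous upload allowed by default"},
    {"id": "ADV-EXAMPLE-0002", "product": "AcmeMail", "fixed_in": "2.4.0",
     "summary": "placeholder: relays mail without authentication"},
]


def fingerprint(banner):
    """Return (product, version tuple), or (None, None) if no pattern matches."""
    for rx, product in FINGERPRINTS:
        m = rx.search(banner)
        if m:
            return product, parse_version(m.group(1))
    return None, None


def scan_host(observations):
    """Return one finding per (port, banner) observation."""
    findings = []
    for port, banner in observations:
        product, version = fingerprint(banner)
        if product is None:
            # No signature knows this banner: the scanner cannot say anything,
            # which is not the same as the service being safe.
            findings.append({"port": port, "status": "unfingerprinted"})
            continue
        hits = [s for s in SIGNATURES
                if s["product"] == product and version < parse_version(s["fixed_in"])]
        findings.append({
            "port": port, "product": product, "version": ".".join(map(str, version)),
            "status": "vulnerable" if hits else "no-known-issues",
            "advisories": [s["id"] for s in hits],
        })
    return findings


# Constructed observations for one host.
SAMPLE_OBSERVATIONS = [
    (21,   "220 AcmeFTPd 3.0.4 ready"),
    (2121, "220 AcmeFTPd 3.1.0 ready"),
    (25,   "220 mx.example.com AcmeMail/2.3.9 ESMTP"),
    (8080, "HTTP/1.1 200 OK\r\nServer: SomethingElse/1.0"),
]

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_OBSERVATIONS):
        print(finding)
```

The "no-known-issues" wording is deliberate: a signature scanner reporting nothing for a fingerprinted service only means nothing in its database applied, and an "unfingerprinted" service has not been assessed at all. Both gaps are why the slides pair vulnerability scanning with the enumeration step rather than treating it as the final word.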
Scanning Tools
Host & Port Scanning: Nmap
Vulnerability Scanning: GFI and Nessus
War Dialing: Phone Sweep
War Driving: NetStumbler, Kismet
Nmap (www.insecure.org)
Cons: No standard Graphical User Interface
Vulnerability Scanners
Nessus (www.nessus.org)
Cons: Tenable took Nessus private (closed source); purchasing plans for new plugins; shareware plug-ins are seven days behind
GFI (www.gfi.com)
Cons: Lacks extensive signatures for other operating systems; look to Nessus for scanning heterogeneous networks
Phone Sweep (www.sandstorm.net)
Cons: EXPENSIVE!
NetStumbler (www.netstumbler.com)
Cons: Noisy; does not detect cloaked networks; does not capture data
Kismet (www.kismetwireless.com)
Cons: Slower detection (passive); no Windows version; no GUI
Thank You!
Joseph.Miller@JeffersonWells.com (480)540-3588