Methodology: Footprinting & Scanning


Joe Miller, CISSP, CISA
TRM Engagement Manager
Secretary, ISACA Phoenix
Program Director, ISSA Phoenix
Qualified Security Assessor (QSA), Payment Card Industry (PCI)

Footprinting and Scanning Networks

Common Methodologies
Open Source Security Testing Methodology Manual (OSSTMM)
http://www.isecom.org/osstmm/

Information Systems Security Assessment Framework (ISSAF)
http://www.oissg.org/content/view/71/71/

NIST Guideline on Network Security Testing
http://csrc.nist.gov/publications/nistpubs/

Hacking Exposed Books
http://www.hackingexposed.com/Contents/contents.htm

Methodology
Simplified Attack & Pen Methodology
Footprinting -> Scanning -> Enumeration -> Exploitation

Methodology: Footprinting
Who are they?
Discovery of technology information
Public information gathering: Search Engines, DNS entries, Whois, job sites, etc.

Methodology: Scanning
Identify all entry points and communication paths
Network Scanning (TCP/IP ports and services)

Methodology: Enumeration
Mapping all information from any given service (usually without any privileges, or with basic user privileges)
Machines, Users, Groups, Shares, Trusts
SMB, WWW, LDAP, SNMP, SMTP, FTP, etc.

Methodology: Exploitation
Gaining access and taking control of the system, files, processes or privileges (User-level, Admin-level)
Known Vulnerabilities, Weak Configurations
Password Attacks and Social Engineering

Footprinting the Target

Footprinting
What is footprinting?
The process of identifying information about a specific environment
Discovering the topology and identifying possible points of attack (the attack surface)
Plan the attack

Footprinting
Purpose: Build a profile of the target
Reconnaissance of open source information
Gathering of public information about the organization
Finding technology information about servers, routers, firewalls, etc.
Search Engines, DNS entries, Whois, etc.
Advertisements, IT job openings, company web sites, Google groups, Blogs, etc.

Footprinting
What are we looking for?
Internet Presence:
IP Address ranges
Domain Names
Mail Exchanges (MX records in DNS)
Public Web Servers

Publicly available sensitive information:
Physical Locations
Technology information in job postings, blogs or Google group postings
Phone Numbers
Organizational Charts
Employee Names/Titles/Phone Numbers/etc.

Footprinting Tools
IP Address Ranges: Domain Name Servers (DNS), Traceroute, Search Engines
Domain Names: DNS, Search Engines
Mail Exchanges: DNS, Search Engines?
Public Web Servers: Search Engines

Footprinting - WhoIs
WhoIs Query of Internet Registries
InterNIC + 5 Regional Internet Registries (Ref: http://www.arin.net/community/rirs.html)
AfriNIC - Africa
APNIC - Asia/Pacific
ARIN - North America
LACNIC - Central and South America
RIPE NCC - Europe, Middle East, Central Asia
InterNIC (ICANN) - Public Domain Name Registration Info

3rd Party Whois Tools
Geektools.com - http://www.geektools.com/whois.php
SamSpade.org - http://www.samspade.org
DNSStuff.com - http://www.dnsstuff.com

Footprinting - NSLOOKUP
Nslookup
Queries Domain Name Server information (IP Address to Hostname)
Lookup IP to Domain Name Mapping:
Nslookup.exe [ip address or host name]

Zone Transfer (dumps the entire zone table):
Nslookup.exe
> server [authoritative server]
> set type=any
> ls -d [target_network_name]

Footprinting - NSLOOKUP
Nslookup
Lookup IP to Domain Name Mapping:
Nslookup.exe [ip address or host name]

Zone Transfer (dumps the entire zone table), worked example:
Nslookup.exe
> server x.x.100.53          (set the default server)
> set type=MX                (type of records to search for)
> ls -d jeffersonwells.com

Footprinting Tool - Google
Google, Yahoo, Live.com, etc.
Gather information about a targeted organization
Evaluate web sites for known security issues
Identify files that are accidentally exposed to the public

Footprinting Tool - Google
Helpful Google Queries
Related sites:
related:www.someaddr.com

Search a specific site:
site:www.someaddr.com search_terms
Useful terms are .doc, .xls, .mdb, .pdf

Use Google to search group or blog postings

Footprinting Tool - Google
Google Advanced Operators
AND: +
OR: |
Synonym: ~
site:www.jeffersonwells.com
inurl:robots.txt
link:www.jeffersonwells.com
intitle:jefferson wells
filetype:xls

Footprinting Tool - Traceroute
Traceroute and Windows Tracert
Usage:
tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
Example: tracert www.jeffersonwells.com

Online: www.traceroute.org

Footprinting Tool - Who Is
Who Is?
Tools
Unix/Linux systems have the whois tool by default
Sam Spade is the most user-friendly suite of footprinting tools
Web Tool: http://www.internic.net/whois.html (to find the registrar)
Go to the local registrar's site to look up further information

Footprinting Tool - Nslookup
Nslookup
Lookup IP and Host Information:
Nslookup.exe [ip address or host name]

Zone Transfer:
Nslookup.exe
> server [authoritative server]
> set type=any
> ls -d [target_network_name]
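The zone-transfer step shown on both Nslookup slides, turned around for the defender: this is an added example, not part of the original slides, which sends an AXFR request for a zone to an authoritative server and reports only whether that server would permit the transfer, so you can confirm that your own name servers refuse transfers to clients that are not secondaries. The server address and zone name are assumptions supplied by the caller; only the standard library is used.

```python
import socket
import struct

QTYPE_AXFR = 252          # RFC 1035 zone transfer query type
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(zone):
    # Wire-format name: length-prefixed labels terminated by a zero byte
    labels = zone.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    # 12-byte header: id, flags=0 (plain query), QDCOUNT=1, AN/NS/AR counts 0
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)

def parse_reply_header(msg):
    # Returns (rcode name, answer count). A permitted AXFR replies NOERROR with
    # records; a locked-down server replies REFUSED (or NOTAUTH) with none.
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}"), ancount

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def zone_transfer_allowed(server, zone, timeout=5.0):
    # AXFR runs over TCP; every message carries a 2-byte length prefix (RFC 1035 4.2.2).
    # Only the first reply message is read: its RCODE and ANCOUNT already answer the question.
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        rcode, answers = parse_reply_header(_recv_exact(sock, length))
    return rcode == "NOERROR" and answers > 0
```

Run `zone_transfer_allowed("ns1.yourdomain.example", "yourdomain.example")` against each of your own authoritative servers; a True result from a host that is not a configured secondary means the zone can be dumped exactly as the slide's ls -d does.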

Footprinting Tool - Sam Spade
Sam Spade: the ultimate in convenience, a Footprinting and Enumeration Tool
Try DIG if the nslookup zone transfer fails
Has a ping utility
IP address block lookup for domain names
Traceroute

Download the shareware version, or use the SamSpade.org website

Footprinting Tool - Web-Based
Current Examples:
www.samspade.org
network-tools.com

Footprinting Tool - Sam Spade
Sam Spade Web-Based Enumeration Tools

Footprinting Tools - Web-Based

Methodology: Scanning
Identify all entry points and communication paths
Network Scanning (TCP/IP ports and services)
Phone Scanning (Wardialing)
Wireless Scanning (Wardriving)

Scanning
Types of scanning:
Host (Ping) Scanning
Port Scanning
Vulnerability Scanning
War Dialing
War Driving

Host Scanning
Hackers perform host scanning to locate and identify hosts on the network, usually by pinging a range of IP addresses. Hosts which respond to pings may be targeted for attack.

Host Scan/Ping Scan
(Diagram: hosts in the 192.168.10.x range that answered the ping scan: 192.168.10.54, .55, .56, .61, .62, .64, .100, .101, .102, .103, .104)

Port Scanning
Hackers perform port scans to determine what services a host may be running. By knowing the services, the hacker can attempt attacks against known vulnerabilities in the service. Port scans attempt to make an initial connection to the service running on a particular port number. Port scans are invasive and are easily detected by intrusion detection systems and/or firewalls.
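To make the "easily detected" point concrete, here is an added example (not from the slides) of the logic a firewall-log monitor uses to spot a port scan: any source that touches a threshold number of distinct ports on one host inside a short sliding window is flagged. The log format and all addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall deny-log lines (not from the slides): one rapid sweep of 192.168.10.100
# from 203.0.113.7, plus three widely spaced, unrelated hits from 198.51.100.9.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.168.10.100 dpt=21
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.168.10.100 dpt=23
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.168.10.100 dpt=53
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.168.10.100 dpt=80
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.168.10.100 dpt=135
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.168.10.100 dpt=445
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=192.168.10.100 dpt=1433
2024-05-01T10:00:05 DENY src=198.51.100.9 dst=192.168.10.100 dpt=80
2024-05-01T10:05:00 DENY src=198.51.100.9 dst=192.168.10.100 dpt=443
2024-05-01T10:30:00 DENY src=198.51.100.9 dst=192.168.10.100 dpt=22
"""

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dpt=(\d+)$")

def parse_line(line):
    """Return (timestamp, src, dst, port), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dpt = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dpt)

def detect_port_scans(log_text, min_ports=6, window_seconds=60):
    """Return {(src, dst): most distinct ports hit within any window_seconds span}
    for the pairs that reached min_ports; slower, sparse traffic stays silent."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, dpt = rec
            events[(src, dst)].append((ts, dpt))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()                       # arrival order in a log is not guaranteed
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1               # slide the window's left edge forward
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts
```

Tune min_ports and window_seconds to the noise level of the network segment; a slow scanner that spreads probes over hours is the case this simple window misses, which is why IDS products also keep per-source counters over longer horizons.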

Network Basics
Ports
A port is where a service listens for connections
Common services use common, well-known ports
Any port could be used as long as both the server and the client know which port to connect to
Ports allow different services to be available from one location or IP address

Network Basics
IP Addresses
An address is composed of two parts, a network address and a host address, with the split determined by the subnet mask. A simple example is 192.168.1.1 with a subnet mask of 255.255.255.0:
192.168.1 is the network address (the 192.168.1.0 network) and .1 is a host address on that network.

Network Basics
Services
The network protocol that listens for incoming connection requests and links the server application with the client
Typically each service runs on a set of specific ports
In actuality, any service can run on any port
Therefore, you should put only limited trust in port/service mappings.

Use an application scanner (service detection) to find out what application is really running on that port. Nmap has service detection.
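An added example (not from the slides) of why the port table deserves only limited trust: a small banner-based service identifier in the spirit of Nmap's service detection, run over constructed banners. The port table uses the port numbers from the deck's port-scan diagram; the banner signatures are a deliberately small, hypothetical set.

```python
import re

# Port-to-service table built from the port numbers in the deck's port-scan diagram;
# the names are the conventional assignments and serve only as a first guess.
WELL_KNOWN = {21: "ftp", 23: "telnet", 80: "http", 135: "msrpc", 445: "smb", 1433: "mssql"}

# Hypothetical, deliberately small banner signature set: (regex, service)
BANNER_SIGNATURES = [
    (re.compile(rb"^SSH-\d\.\d-"), "ssh"),
    (re.compile(rb"^220[ -].*(FTP|FileZilla|vsFTPd)", re.I), "ftp"),
    (re.compile(rb"^220[ -].*(SMTP|ESMTP|Postfix|Sendmail)", re.I), "smtp"),
    (re.compile(rb"^HTTP/\d\.\d \d{3}"), "http"),
    (re.compile(rb"^\xff[\xfb-\xfe]"), "telnet"),   # IAC WILL/WONT/DO/DONT negotiation
]

def identify_service(port, banner):
    """Compare the port-table guess with what the banner says.
    Returns (port_guess, banner_guess, verdict), verdict being one of
    'match', 'mismatch', 'nonstandard-port' or 'unidentified'."""
    port_guess = WELL_KNOWN.get(port, "unknown")
    banner_guess = next((name for rx, name in BANNER_SIGNATURES if rx.search(banner)), "unknown")
    if banner_guess == "unknown":
        verdict = "unidentified"        # needs a deeper probe, not a port-table assumption
    elif port_guess == "unknown":
        verdict = "nonstandard-port"    # recognised service on a port the table has no entry for
    elif port_guess == banner_guess:
        verdict = "match"
    else:
        verdict = "mismatch"            # the number says one thing, the service another
    return port_guess, banner_guess, verdict

def audit(open_ports):
    """open_ports: {port: banner bytes} for one host, as service detection would return
    them. Keeps only the ports that a port-table lookup would have mislabelled."""
    results = {p: identify_service(p, b) for p, b in open_ports.items()}
    return {p: r for p, r in results.items() if r[2] in ("mismatch", "nonstandard-port")}

# Constructed banners for one host (not real scan output)
SAMPLE_HOST = {
    21: b"220 (vsFTPd 3.0.3)\r\n",
    23: b"\xff\xfd\x18\xff\xfd\x20",
    80: b"SSH-2.0-OpenSSH_9.6\r\n",          # SSH answering on the web port
    2222: b"SSH-2.0-dropbear\r\n",
    1433: b"",                               # silent until the client speaks first
}
```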

Port Scanning
(Diagram: the hosts found by the ping scan labelled by role: 192.168.10.102 Database, 192.168.10.101 Linux, 192.168.10.103 Web, 192.168.10.100 Web, plus a Mail Server and the remaining hosts 192.168.10.54, .55, .56, .61, .62, .64, .104)

Now What?... Getting to Know Your Applications
(Diagram: host 192.168.10.100 with open ports 21 FTP, 23 Telnet, 49, 53, 80 WWW, 135 MS RPC, 161, 389, 445 SMB, 1433 SQL)

What Version? Known Vulnerabilities? Poor Configuration? Default Passwords?

Examples for WWW:
Known Vulnerabilities in Server?
Hosting Known Vulnerable CGIs?
Using SSL?
Permissions/Authentication Enforced?
Can we get a Directory Listing?

Examples for SMB:
Null Connections?
Enumerate Users?
Enumerate Shares?
Registry Access?

Vulnerability Scanning
What is vulnerability scanning?
Used to find known flaws within an application or network. These scanning tools are typically signature based and can only find vulnerabilities that the tools know about. Many good commercial and freeware tools are available.

Scanning Tools
Host & Port Scanning: Nmap
Vulnerability Scanning: GFI and Nessus
War Dialing: Phone Sweep
War Driving: NetStumbler, Kismet

Host and Port Scanners

Scanning Tool - Nmap
The only port scanner you'll need
Pros:
FREE
Continually Updated
OS Detection and Service Detection
Support for both Windows and Unix

Cons:
No standard Graphical User Interface
LINK: (www.insecure.org)

Scanning Tool - SuperScan
Pros:
FREE download from Foundstone
Very stable, fairly fast
Graphical User Interface

Cons:
Windows version only
No stealth options, no Firewall Evasion
Service Detection/Application Mapping
LINK: (www.foundstone.com)

Scanning Tool - SuperScan

Vulnerability Scanners

Scanning Tool - Nessus
Pros:
Nessus is free
Large plugin or signature base
You can customize and create new plugins

Cons:
Tenable took Nessus private (closed source)
Purchasing plans for new plugins
Shareware plug-ins are seven days behind
LINK: (www.nessus.org)

Scanning Tool - Nessus

Scanning Tool - GFI LANguard Network Security Scanner
Pros:
Port Scanner, Enumeration, and Vulnerability Scanner
Many features such as SNMP and SQL brute force
Great for Windows networks

Cons:
Lacks extensive signatures for other operating systems
Look to Nessus for scanning heterogeneous networks

LINK: (www.gfi.com)

Scanning Tool - GFI LANguard Network Security Scanner


Scanning Tool - Phone Sweep
Phone Sweep: great commercial war dialing software!
Pros:
Many configuration options
Identifies most major modem and fax manufacturers
Built-in password brute forcing

Cons:
EXPENSIVE!

Alternatives to Phone Sweep:
THC-Scan

LINK: (www.sandstorm.net)

Scanning Tool - NetStumbler
NetStumbler
Popular Free Wireless Scanner
Uses Active Scanning Techniques
Pros:
Fast (active scanning)
Easy to Use
Graphical Interface

Cons:
Noisy
Does not detect Cloaked Networks
Does not capture data

LINK: (www.netstumbler.com)

Scanning Tool - NetStumbler

Scanning Tool - Kismet
Kismet
The Free Wireless Scanner the Pros Use
Uses Passive Scanning Techniques
Pros:
More Stealthy
Can Capture Data within Packets

Cons:
Slower Detection (passive)
No Windows Version
No GUI

LINK: (www.kismetwireless.com)

Scanning Tool - Kismet


Thank You!
Joseph.Miller@JeffersonWells.com (480)540-3588
