Protect from Target acquisition and information gathering footprinting scanning enumeration initial access privilege escalation covering tracks Footprinting gathering target information profile of security posture ID: 635162
Download Presentation The PPT/PDF document "Footprinting and Scanning" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Footprinting and ScanningSlide2
Protect from
Target acquisition and information gathering
footprintingscanningenumerationinitial accessprivilege escalationcovering tracksSlide3
Footprinting
gathering target information
profile of security postureSlide4
Scope of footprinting
Organization, region, location
open source searchweb page (save it offline, e.g. teleport )yahoo or other directoriessearch engines (Google , Bing, etc.)
publicly trade companies (e.g.
EDGAR
)
satellite images of a location using
Google Earth
.
countermeasures
remove unnecessary information from web pages
create security policies (see
Site Security Handbook
)Slide5
Network enumeration
Identify domain names and networks
registrar query. In Linux/UNIX issue whois “domain.”@whois.crsnic.net In Windows download whois
and use it at the command prompt
whois
“domain” as shown in this
example
. You can also do this online at
ARIN
or use the Dossier option in the
CentralOps
site. You can also use the Spade tool to get some of this information.
Please note that ARIN is only one of the
Regional Internet Registries
. Another source of information is
IANA
.
Please note the address, phone numbers, IP blocks assigned to the organization, administrator’s e-mail, etc.
countermeasures
: only administrative cleanup, because the information is required for registration.Slide6
DNS interrogation
Use the Spade tool to check DNS
.Use the dig tool in Spade to obtain the authoritative DNS for the organization (it will also provide mail server, etc, IP numbers).
A
zone transfer
asks the authoritative name server of an organization for all the information it knows about a domain (
it should not provide the information
).
Mail relay
check asks a mail server to relay mail for you (
it should not relay your message
).
Countermeasures
: deny all unauthorized inbound connections to port 53. You can also set directives at the DNS server. This prevents zone transfer, but not
nslookup
to each IP number.
Network Reconnaissance
traceroute (
tracert
) allows to study the network topology (identify the nodes in the network). See this
example
.Slide7
Scanning
After obtaining a list of network and IP addresses scanning starts:
ping sweeps (active machines): use nmap in Windows and in Linux/UNIX.
TCP port scanning
(open ports in active machines): SYN and connect scans work with most hosts. SYN is stealthier and may not be logged. In Windows use
SuperScan
or
Nmap
and in Linux/UNIX use
nmap
. See an
example
of
SuperScan
. BUT, hackers use scripts with binary files, not graphical tools.
UDP port scanning
: use
nmap
and also online
here
.
countermeasures
: detection using
TcpView
(see an
example
of what it logs). Later we will learn to install an IDS program (
snort
), the way to protect from ping sweeps and port scanning.
NAT
is a first step. See more free/shareware security tools
here
.Slide8
More in Scanning
OS detection
(stack fingerprinting):probe the TCP/IP stack because it varies with OSs. Requires at least one listening port to make determination. why is it important? There are hacker tools OS and Net device specific. In Linux/UNIX use
nmap
with -O. You can use the
Netcraft
site
to check the OS of a host running a Web server.
countermeasures: standards, filtering requests at firewall.
OS detection
(passive signatures):
monitoring the traffic the operating system can be detected, among other things.
Siphon
is a recent Linux/UNIX tool, but
nmap
is the main tool.
Once the OS is identified enumeration can take place .