Footprinting and Scanning - PowerPoint Presentation

Uploaded by lindy-dunigan on 2018-02-24
Presentation Transcript

Slide 1

Footprinting and Scanning

Slide 2

Protect from

Target acquisition and information gathering:

- footprinting
- scanning
- enumeration
- initial access
- privilege escalation
- covering tracks

Slide 3

Footprinting

gathering target information

profile of security posture

Slide 4

Scope of footprinting

Organization, region, location

- open source search
- web page (save it offline, e.g. Teleport)
- Yahoo or other directories
- search engines (Google, Bing, etc.)
- publicly traded companies (e.g. EDGAR)
- satellite images of a location using Google Earth

countermeasures

- remove unnecessary information from web pages
- create security policies (see Site Security Handbook)

Slide 5

Network enumeration

Identify domain names and networks

registrar query. In Linux/UNIX issue whois "domain."@whois.crsnic.net. In Windows download whois and use it at the command prompt: whois "domain", as shown in this example. You can also do this online at ARIN or use the Dossier option in the CentralOps site. You can also use the Spade tool to get some of this information.

Please note that ARIN is only one of the Regional Internet Registries. Another source of information is IANA.

Please note the address, phone numbers, IP blocks assigned to the organization, administrator's e-mail, etc.

countermeasures: only administrative cleanup, because the information is required for registration.

Slide 6

DNS interrogation

Use the Spade tool to check DNS. Use the dig tool in Spade to obtain the authoritative DNS for the organization (it will also provide mail server, etc., IP numbers).

A zone transfer asks the authoritative name server of an organization for all the information it knows about a domain (it should not provide the information).

Mail relay check asks a mail server to relay mail for you (it should not relay your message).

Countermeasures: deny all unauthorized inbound connections to port 53. You can also set directives at the DNS server. This prevents zone transfer, but not nslookup to each IP number.

Network Reconnaissance

traceroute (tracert) allows you to study the network topology (identify the nodes in the network). See this example.

Slide 7
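As an added example of the "directives at the DNS server" the slide mentions (this is not from the slides), here is the relevant BIND named.conf setting with the weak form beside the corrected one. The zone name and the secondary server's address 192.0.2.53 are constructed placeholders; the allow-transfer and acl statements are real BIND syntax.

```conf
// Weak: any client that can reach TCP/53 may pull the whole zone (AXFR),
// which hands an outsider every host name and address in the domain.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// Corrected: refuse transfers by default, then allow only the organization's
// own secondary name server (constructed address 192.0.2.53) to pull the zone.
options {
    allow-transfer { none; };
};

acl "secondaries" { 192.0.2.53; };

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { "secondaries"; };
};
```

The two zone statements are alternatives, not meant to coexist in one file. Note what the slide already says: this closes the zone transfer, but individual names can still be resolved one at a time with nslookup or dig, so the zone file should not contain hosts that need not be public.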

Scanning

After obtaining a list of networks and IP addresses, scanning starts:

ping sweeps (active machines): use nmap in Windows and in Linux/UNIX.

TCP port scanning (open ports in active machines): SYN and connect scans work with most hosts. SYN is stealthier and may not be logged. In Windows use SuperScan or Nmap and in Linux/UNIX use nmap. See an example of SuperScan. BUT, hackers use scripts with binary files, not graphical tools.

UDP port scanning: use nmap and also online here.

countermeasures: detection using TcpView (see an example of what it logs). Later we will learn to install an IDS program (snort), the way to protect from ping sweeps and port scanning. NAT is a first step. See more free/shareware security tools here.

Slide 8
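The countermeasure on this slide is detection. As an added example (not from the slides or from any of the tools they name), the following Python detects the two patterns the slide describes, a SYN port scan and a ping sweep, over firewall log lines. The log lines are constructed for the example and loosely modelled on iptables LOG output; the thresholds (8 distinct ports or 5 distinct hosts from one source within 60 seconds) are assumptions a real IDS rule would tune.

```python
"""Port-scan and ping-sweep detection over firewall log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic); addresses are documentation ranges.
# One line per packet the firewall saw. 203.0.113.5 probes ten ports on one host,
# 198.51.100.7 is a normal client, 203.0.113.9 pings six consecutive addresses.
SAMPLE_LOG = """\
2018-02-24T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21 FLAGS=S
2018-02-24T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=S
2018-02-24T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23 FLAGS=S
2018-02-24T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25 FLAGS=S
2018-02-24T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=S
2018-02-24T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=110 FLAGS=S
2018-02-24T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=143 FLAGS=S
2018-02-24T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=S
2018-02-24T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389 FLAGS=S
2018-02-24T10:00:04 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=8080 FLAGS=S
2018-02-24T10:00:05 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=S
2018-02-24T10:00:06 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=S
2018-02-24T10:01:00 SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8
2018-02-24T10:01:00 SRC=203.0.113.9 DST=192.0.2.2 PROTO=ICMP TYPE=8
2018-02-24T10:01:00 SRC=203.0.113.9 DST=192.0.2.3 PROTO=ICMP TYPE=8
2018-02-24T10:01:01 SRC=203.0.113.9 DST=192.0.2.4 PROTO=ICMP TYPE=8
2018-02-24T10:01:01 SRC=203.0.113.9 DST=192.0.2.5 PROTO=ICMP TYPE=8
2018-02-24T10:01:01 SRC=203.0.113.9 DST=192.0.2.6 PROTO=ICMP TYPE=8
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: DPT=(?P<dpt>\d+))?(?: FLAGS=(?P<flags>\S+))?(?: TYPE=(?P<type>\d+))?"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "dpt": int(d["dpt"]) if d["dpt"] else None,
            "flags": d["flags"],
            "icmp_type": int(d["type"]) if d["type"] else None,
        })
    return events


def _max_distinct_in_window(items, window):
    """items: (timestamp, value) pairs sorted by time. Return the largest number
    of distinct values that fall inside any interval of length `window`."""
    counts, best, left = Counter(), 0, 0
    for right, (ts, val) in enumerate(items):
        counts[val] += 1
        while items[left][0] < ts - window:      # slide the window's left edge
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_port_scans(events, min_ports=8, window=timedelta(seconds=60)):
    """Sources whose SYNs hit >= min_ports distinct (host, port) pairs in `window`."""
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["flags"] == "S" and e["dpt"] is not None:
            per_src[e["src"]].append((e["ts"], (e["dst"], e["dpt"])))
    alerts = {}
    for src, items in per_src.items():
        items.sort()
        n = _max_distinct_in_window(items, window)
        if n >= min_ports:
            alerts[src] = n
    return alerts


def detect_ping_sweeps(events, min_hosts=5, window=timedelta(seconds=60)):
    """Sources sending ICMP echo requests (type 8) to >= min_hosts hosts in `window`."""
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "ICMP" and e["icmp_type"] == 8:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    alerts = {}
    for src, items in per_src.items():
        items.sort()
        n = _max_distinct_in_window(items, window)
        if n >= min_hosts:
            alerts[src] = n
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("port scans :", detect_port_scans(evts))
    print("ping sweeps:", detect_ping_sweeps(evts))
```

The sliding window matters because a scanner that spreads its probes over hours stays under any per-minute threshold; lengthening the window (and raising the threshold) trades sensitivity for false positives, which is the same tuning an IDS rule for these patterns needs.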

More in Scanning

OS detection (stack fingerprinting): probe the TCP/IP stack because it varies with OSs. Requires at least one listening port to make a determination. Why is it important? There are hacker tools that are OS- and network-device-specific. In Linux/UNIX use nmap with -O. You can use the Netcraft site to check the OS of a host running a Web server.

countermeasures: standards, filtering requests at firewall.

OS detection (passive signatures): by monitoring the traffic, the operating system can be detected, among other things. Siphon is a recent Linux/UNIX tool, but nmap is the main tool.

Once the OS is identified, enumeration can take place.
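As an added example of the passive-signature idea on this slide (not from the slides, nor from Siphon or nmap), the following Python sketches the simplest passive signal, the IP TTL of packets a host sends, and uses it the way a defender would: to check the hosts seen on the wire against an asset register. The observed packets and the register are constructed; the TTL-to-OS-family table is the usual coarse rule of thumb (initial TTL 64, 128 or 255) and is an assumption, not a signature database like the one a real passive fingerprinting tool carries.

```python
"""Passive OS hinting from observed TTLs, checked against an asset register (added example)."""
from collections import Counter, defaultdict

# Constructed observations (not real captures): (source host, IP TTL as seen on the
# monitoring interface) for inbound SYN packets. Addresses are documentation ranges.
OBSERVED_SYNS = [
    ("192.0.2.10", 64),
    ("192.0.2.10", 64),
    ("192.0.2.20", 127),
    ("192.0.2.20", 127),
    ("192.0.2.30", 254),
    ("192.0.2.40", 60),
]

# Constructed asset register: what the organization believes each host runs.
ASSET_REGISTER = {
    "192.0.2.10": "Linux/Unix-like",
    "192.0.2.20": "Linux/Unix-like",      # observed TTL says otherwise
    "192.0.2.30": "Solaris / network device",
    # 192.0.2.40 is not registered at all
}

# Assumed rule of thumb: common default initial TTLs and the family that uses them.
TTL_FAMILY = {64: "Linux/Unix-like", 128: "Windows", 255: "Solaris / network device"}


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the smallest common initial TTL >= it."""
    for t in sorted(TTL_FAMILY):
        if observed_ttl <= t:
            return t
    return 255


def guess_os(observed_ttl):
    """Return (OS family guess, estimated hop distance) for one observed TTL."""
    init = initial_ttl(observed_ttl)
    return TTL_FAMILY[init], init - observed_ttl


def passive_inventory(records):
    """Majority-vote OS family per host over all of its observed packets."""
    votes, hops = defaultdict(Counter), {}
    for src, ttl in records:
        family, distance = guess_os(ttl)
        votes[src][family] += 1
        hops[src] = distance
    return {src: (c.most_common(1)[0][0], hops[src]) for src, c in votes.items()}


def inventory_mismatches(passive, register):
    """Hosts whose observed family differs from the register, or that are not
    registered at all. Returns sorted (host, registered, observed) triples."""
    out = []
    for host, (observed, _hops) in passive.items():
        registered = register.get(host)
        if registered != observed:
            out.append((host, registered, observed))
    return sorted(out)


if __name__ == "__main__":
    seen = passive_inventory(OBSERVED_SYNS)
    for host, (family, hops) in sorted(seen.items()):
        print(f"{host:12} {family:25} ~{hops} hop(s) away")
    print("mismatches:", inventory_mismatches(seen, ASSET_REGISTER))
```

TTL alone is coarse (it distinguishes families, not versions, and a host behind a NAT or proxy shows the intermediary's stack), which is why the slide's point stands: the countermeasure is not to hide the OS but to filter requests at the firewall and keep the exposed stacks patched and known.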