CIS 450 Network Security

1
CIS 450 Network Security

• Chapter 3 Information Gathering

2

• Attacker has to understand the environment he is
  going after

3
Steps for Gathering Information

• Find Out Initial Information
• Attacker has to have some initial information
  such as an IP address or domain name
• Open Source Information company web
  site/related web sites
• Whois - http//www.networksolutions.com/en_US/whoi
  s/index.jhtml
• Nslookup - http//www.kloth.net/services/nslookup.
  php

4
Find Out Address Range (or Subnet Mask) of Network

• Attacker wants to know is to make sure attack is
  concentrated on one, not several networks
• A larger address space might mean a larger
  company with better security
• ARIN (American Registry for Internet Numbers) -
  http//www.arin.net/
• Traceroute modifies the Time to Live (TTL)
  field to determine the path a packet takes
  through the network - http//www.opus1.com/www/tr
  aceroute.html

5
Find Active Machines

• Ping finds active machines on a network -
  http//www.fifi.org/services/ping
• Ping War scan more than one machine at a time -
  http//www.digilextechnologies.com/index.html

6
Find Open Ports or Access Points

• Port Scanners runs through a series of ports to
  see which ones are open.
• TCP Connect Scan tries to connect to each port
  on machine
• TCP SYN scan stealthier than a connect scan
• FIN scan Most systems do not log these packets
• ACK scan gets around the firewall to scan an
  internal host
• Nmap - http//www.insecure.org/nmap/
• War Dialers programs for finding modems on a
  network
• THC-Scan - http//www.securityfocus.com/tools/47

7
Figure Out the Operating System

• Done by sending remote host unusual packets or
  packets that do not make sense
• Each OS handles these packets differently
• Queso
• Nmap

8
Figure Out Which Services Are Running on Each Port

• Knowing what specific service is running enables
  the attacker to look up exploits and launch known
  vulnerabilities against the service
• Default Port and OS Based on common
  configuration and software attacker can make a
  best guess of what services are running on each
  port
• Telnet
• Vulnerability scanners programs that can be run
  against a site that give a hacker a list of
  vulnerabilities on the target host

9
Map Out the Network

• Attacker maps out the network to figure out the
  best way to break in
• Traceroute determines the path from source to
  destination
• Visual Ping
• Cheops - http//www.marko.net/cheops/

10
Protection

• Whois
• Use a position title with a general number rather
  than a specific person
• List your phone number but make up a fictitious
  name and email
• Run your own DNS server with split DNS
• Nslookup
• Minimize the records that appear in your DNS
  records
• Any IP address listed should be statically mapped
  through a firewall with only a specific port
  allowed through (e.g. mail server should be
  behind firewall with a non-routable address)

11
Protection

• ARIN Web Search
• Only use addresses that ARIN can trace for
  external devices such as routers and firewalls.
  All other devices should use a private address
  and should be behind a firewall
• Traceroute
• Use private addresses inside your firewall
• Ping
• Use private addresses inside your firewall

12
Protection

• Map the Network
• PortScan and Fingerprinting
• Have a firewall that properly blocks traffic and
  only allows traffic on specific ports to specific
  machines