Information Gathering

1
Information Gathering

• TSM 352
• Cole Chapter 3

2
Introduction

• Before an attacker can run an exploit, he needs
  to understand the environment he is going after.
• If adequate information is gathered, access is
  almost guaranteed.
• From the defenders point of view, this means
  that it is important to recognize an
  information-gathering operation that is taking
  place. This will provide you with an advance
  notice of a potential attack.
• In this lesson we will learn about some of the
  types of information gathering techniques and the
  kinds of information that are most commonly
  available.

3
Steps for Gathering Information

• 1. Find out Initial Information
• Open Sourc, Whois, NSLookup/Dig
• 2. Find IP Range of Network
• ARIN, Traceroute
• 3. Find Active Machines
• PING
• 4. Find Open Ports/Services
• Portscanners, War Dialers
• 5. Fingerprint Discover OS
• Queso, NMap
• 6. Determine Services
• Default Port, Telnet, Vulnerability Scanners
• 7. Map the Network
• Traceroute

4
Find out Initial Information

• An attacker with a purpose will know your address
  and concentrate solely on your systems.
• Some attackers (script kiddies) will randomly
  scan, looking for vulnerable systems.
• As long as your systems are more secure than most
  of the others, this second category of attacker
  is not likely to prey on you.

5
Open Source Information

• General Information
• Employee Information
• Business Information
• Newsgroups
• Links to Company/Personal Web Sites
• HTML Source Code
• Open Source Defense
• It would be impossible to remove all public
  information.
• Being aware of what is out there is absolutely
  necessary, however.
• Two steps
• Remove unnecessary information
• Keep a list of all the information that is there
  and insure that your helpdesk personnel are aware
  of it
• Occasionally do as the hacker and perform a open
  source search looking for incriminating
  information.

6
whois

• A program (a single command in Linux), used as a
  starting point to gathering information about an
  online entity. To use in Linux, simply type
• whois ltdomain namegt, for example
• whois murraynet.com
• With Windows systems you will need to download
  and run a program designed to perform information
  gathering. One of the best of these is SamSpade.
• From the output, the attacker usually gathers the
  following information
• Administrative contact usually with email
  address and mailing address. Often a phone
  number.
• Name server(s)
• Mail Server(s)
• Dates when the records were last updated and when
  they will expire.
• Some IP addresses notably of the name servers
  useful in our next step

7
nslookup

• The next step in finding more information is to
  query the domain name server for the entity under
  scrutiny.
• Both windows (NT/2k) and Linux have the Nslookup
  command as part of their operating system
• It provides information concerning other machines
  on the network.
• Some DNS servers may allow zone transfers
• The attacker will definitely gain some
  information about additional machines that are
  online for the company, and maybe even an idea of
  their purpose (for example, mail server, web
  server, etc.)

8
Finding a Range of IP Addresses

• Now that the attacker will want to map out the
  full range of the entitys network.
• He can find out this information through Internet
  number registration organizations, such as ARIN
  (American Registry for Internet Numbers).
• ARIN (and all of the others) lets anyone search
  its database to find which IP ranges are
  registered to which organizations. This tool will
  provide information concerning the companys
  range of addresses, and if they are subnetted
  from a larger organization. ARIN (and all of the
  others) can be accessed and queried through a
  browser. However, from Linux you can use the
  whois command and simply specify the registry
• whois h whois.arin.net .google
• Again, SamSpade for windows will find IP address
  ranges for you.
• For more information consult the man pages for
  whois, and/or the following
• whois h whois.arin.net ?

9
Traceroute

• Traceroute provides a way to find out which
  machines border the targets network. This
  leads to determining which machines are the
  routers and the firewalls.
• Most companies have firewalls, so the last hop of
  the traceroute output would be the destination
  machine, the second to last might be the
  firewall, and the third would most likely be the
  border router.
• Also, by tracerouting to various IP address, an
  attacker can determine whether or not these
  machines are on the same network.

10
Finding Active Machines

• Once the IP range has been determined, the next
  phase of information gathering is to locate
  machines which are online.
• PINGing is the most common method for making this
  determination. However, as we will find out, it
  is very easy to prevent PING probing, and the
  hacker must often resort to more clandestine
  approaches.
• Perform machine scanning at different times of
  the day and night.
• NAT (network address translation) make it very
  difficult for a hacker to determine which
  machines are active or to even access those
  machines at all.

11
Finding Open Ports/Access Points

• An online machine cannot be broken into unless it
  is running some sort of service meaning that it
  has at least one listening port. Once the
  potential hacker has determined that a machine is
  online, he must then determine if that machine is
  listening on any ports. This discovery is usually
  implemented by using a port scanner.
• Port scanners allow the user to specify a range
  of IP addresses and a range (or set) of ports to
  scan. Different port scanning utilities use
  different techniques to determine if ports are
  open. The four basic port scan techniques
• TCP Connect
• TCP SYN
• FIN
• ACK
• Port Scanners
• A huge variety available
• Nmap is the best learn to use this tool!

12
Determining the OS

• Normally referred to as fingerprinting and has
  become the center of quite a bit of discussion in
  the last few years.
• Once an attacker has narrowed down to a couple of
  machines that will be his targets, it is
  important for him to determine the exact
  characteristics of those machines this
  typically starts with finding out which OS and
  which version the machine is running.
• Typically done by sending specialized packets to
  a machine and seeing how that machine responds.
• RFCs define how a machine should respond to
  common-sense packets does not include odd
  packets, or some variable details.
• There are a number of utilities which perform
  fingerprinting.
• Queso
• Nmap
• LanGuard

13
Determine Services Running

• Different programs and different versions of a
  program have different vulnerabilities.
  Determining the exact program and version will
  help an attacker decide which exploit will be
  most likely to succeed.
• Quite often the open port itself will indicate
  the service that is running and this is a good
  first guess. But that does not tell us the
  program or version it just provides a starting
  point for our probing. For example, an open port
  25 is most likely a mail server, but which mail
  server?
• Telnet is handy for probing open ports and
  gathering additional information.
• Vulnerability scanners, such as Nessus, will do
  all the work for you probing the port,
  determining which version, and then proceeding to
  see if that program is susceptible to the latest
  exploits designed for that version.

14
Mapping the Network

• Finally, once the attacker has determined the
  target, he may decide not to attack it directly,
  or it may not be possible to attack it directly.
  He may have to attack another (easier) machine
  first, in order to get access to the target
  machine.
• In any event, it is often necessary to map out
  the network containing the target machine.
• Tools
• Traceroute is one tool that may work for this,
  but it takes a lot of patience and careful
  analysis.
• Sometimes a program like Visual Ping can take
  some of the guesswork out of it but usually
  not. These types of programs depend on the use of
  an online database.
• The job of completely mapping the target network
  puts all of the techniques of information
  gathering to use. Each of the machines purposes
  need to be identified this often involves
  additional port probing and telnet connecting.