Information Gathering - PowerPoint PPT Presentation

About This Presentation
Title:

Information Gathering

Slides: 15
Provided by: johnmc1

Transcript and Presenter's Notes

1
Information Gathering
  • TSM 352
  • Cole Chapter 3

2
Introduction
  • Before an attacker can run an exploit, he needs
    to understand the environment he is going after.
  • If adequate information is gathered, access is
    almost guaranteed.
  • From the defender's point of view, this means
    that it is important to recognize an
    information-gathering operation that is taking
    place. This will provide you with advance
    notice of a potential attack.
  • In this lesson we will learn about some of the
    types of information gathering techniques and the
    kinds of information that are most commonly
    available.

3
Steps for Gathering Information
  • 1. Find out Initial Information
  • Open Source, Whois, NSLookup/Dig
  • 2. Find IP Range of Network
  • ARIN, Traceroute
  • 3. Find Active Machines
  • PING
  • 4. Find Open Ports/Services
  • Portscanners, War Dialers
  • 5. Fingerprint / Discover OS
  • Queso, NMap
  • 6. Determine Services
  • Default Port, Telnet, Vulnerability Scanners
  • 7. Map the Network
  • Traceroute

4
Find out Initial Information
  • An attacker with a purpose will know your address
    and concentrate solely on your systems.
  • Some attackers (script kiddies) will randomly
    scan, looking for vulnerable systems.
  • As long as your systems are more secure than most
    of the others, this second category of attacker
    is not likely to prey on you.

5
Open Source Information
  • General Information
  • Employee Information
  • Business Information
  • Newsgroups
  • Links to Company/Personal Web Sites
  • HTML Source Code
  • Open Source Defense
  • It would be impossible to remove all public
    information.
  • Being aware of what is out there is absolutely
    necessary, however.
  • Two steps
  • Remove unnecessary information
  • Keep a list of all the information that is there
    and ensure that your helpdesk personnel are aware
    of it
  • Occasionally do as the hacker and perform an open
    source search looking for incriminating
    information.

6
whois
  • A program (a single command in Linux), used as a
    starting point for gathering information about an
    online entity. To use in Linux, simply type
  • whois <domain name>, for example
  • whois murraynet.com
  • With Windows systems you will need to download
    and run a program designed to perform information
    gathering. One of the best of these is SamSpade.
  • From the output, the attacker usually gathers the
    following information
  • Administrative contact usually with email
    address and mailing address. Often a phone
    number.
  • Name server(s)
  • Mail Server(s)
  • Dates when the records were last updated and when
    they will expire.
  • Some IP addresses, notably those of the name
    servers, useful in our next step
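The "open source defense" step on the previous slide and the whois fields listed here come together in an exposure audit: parse the registrar output into the fields an attacker would harvest and flag what the organisation might not want public. This is an added example, not code from the slides; the whois text is a constructed sample shaped like typical registrar output, and the set of role mailboxes treated as acceptable is an assumption.

```python
import re
from datetime import date, datetime

# Constructed sample, shaped like typical registrar whois output (not real data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Updated Date: 2023-11-02
Registry Expiry Date: 2024-02-15
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Admin Name: Jane Doe
Admin Email: jane.doe@example.com
Admin Phone: +1.5555550100
"""

# Assumed policy: role-based mailboxes are fine to publish, named individuals are not.
ROLE_MAILBOXES = {"hostmaster", "dnsadmin", "noc", "abuse", "domains", "admin"}

def parse_whois(text):
    """Collect "Key: value" fields into a dict of lists (keys lower-cased).
    Repeated keys such as Name Server accumulate rather than overwrite."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def audit_whois(text, today=date(2024, 1, 1), expiry_warn_days=60):
    """Return the name servers plus findings a domain owner should act on."""
    f = parse_whois(text)
    findings = []
    for email in f.get("admin email", []):
        local = email.split("@")[0].lower()
        if local not in ROLE_MAILBOXES:
            findings.append(f"personal contact exposed: {email}")
    if f.get("admin phone"):
        findings.append("direct phone number published")
    for raw in f.get("registry expiry date", []):
        days_left = (datetime.strptime(raw[:10], "%Y-%m-%d").date() - today).days
        if days_left <= expiry_warn_days:
            findings.append(f"domain expires in {days_left} days")
    return {"name_servers": f.get("name server", []), "findings": findings}

if __name__ == "__main__":
    for finding in audit_whois(SAMPLE_WHOIS)["findings"]:
        print(finding)
```

Feeding the real `whois <domain name>` output into `audit_whois` turns the slide's "keep a list of what is out there" into a repeatable check.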

7
nslookup
  • The next step in finding more information is to
    query the domain name server for the entity under
    scrutiny.
  • Both Windows (NT/2k) and Linux have the nslookup
    command as part of their operating system.
  • It provides information concerning other machines
    on the network.
  • Some DNS servers may allow zone transfers
  • The attacker will definitely gain some
    information about additional machines that are
    online for the company, and maybe even an idea of
    their purpose (for example, mail server, web
    server, etc.)

8
Finding a Range of IP Addresses
  • Now the attacker will want to map out the
    full range of the entity's network.
  • He can find out this information through Internet
    number registration organizations, such as ARIN
    (American Registry for Internet Numbers).
  • ARIN (and all of the others) lets anyone search
    its database to find which IP ranges are
    registered to which organizations. This tool will
    provide information concerning the company's
    range of addresses, and whether they are subnetted
    from a larger organization. ARIN (and all of the
    others) can be accessed and queried through a
    browser. However, from Linux you can use the
    whois command and simply specify the registry
  • whois -h whois.arin.net google
  • Again, SamSpade for windows will find IP address
    ranges for you.
  • For more information consult the man pages for
    whois, and/or the following
  • whois -h whois.arin.net ?

9
Traceroute
  • Traceroute provides a way to find out which
    machines border the target's network. This
    leads to determining which machines are the
    routers and the firewalls.
  • Most companies have firewalls, so the last hop of
    the traceroute output would be the destination
    machine, the second to last might be the
    firewall, and the third would most likely be the
    border router.
  • Also, by tracerouting to various IP addresses, an
    attacker can determine whether or not these
    machines are on the same network.

10
Finding Active Machines
  • Once the IP range has been determined, the next
    phase of information gathering is to locate
    machines which are online.
  • PINGing is the most common method for making this
    determination. However, as we will find out, it
    is very easy to prevent PING probing, and the
    hacker must often resort to more clandestine
    approaches.
  • Perform machine scanning at different times of
    the day and night.
  • NAT (network address translation) makes it very
    difficult for a hacker to determine which
    machines are active, or even to access those
    machines at all.

11
Finding Open Ports/Access Points
  • An online machine cannot be broken into unless it
    is running some sort of service, meaning that it
    has at least one listening port. Once the
    potential hacker has determined that a machine is
    online, he must then determine if that machine is
    listening on any ports. This discovery is usually
    implemented by using a port scanner.
  • Port scanners allow the user to specify a range
    of IP addresses and a range (or set) of ports to
    scan. Different port scanning utilities use
    different techniques to determine if ports are
    open. The four basic port scan techniques
  • TCP Connect
  • TCP SYN
  • FIN
  • ACK
  • Port Scanners
  • A huge variety available
  • Nmap is the best; learn to use this tool!
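The four scan techniques listed above each leave a recognisable footprint in a firewall or packet log, which is what the introduction means by recognising an information-gathering operation in progress. The detector below is an added example, not from the slides: it runs over constructed firewall-style log lines (a hypothetical SRC/DST/DPT/FLAGS format) and flags a source that sweeps many distinct ports, distinguishing a SYN-only sweep from one that completes connections, and a source sending FIN or ACK probes that belong to no SYN-opened connection. The threshold and the absence of a time window are simplifications.

```python
import re
from collections import defaultdict

# Constructed firewall-style log lines (not from any real system); one packet each.
SAMPLE_LOG = """\
2024-01-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 DPT=21 FLAGS=S
2024-01-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 DPT=22 FLAGS=S
2024-01-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 DPT=23 FLAGS=S
2024-01-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 DPT=25 FLAGS=S
2024-01-01T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 DPT=80 FLAGS=S
2024-01-01T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 DPT=443 FLAGS=S
2024-01-01T10:00:05 SRC=198.51.100.7 DST=192.0.2.10 DPT=22 FLAGS=F
2024-01-01T10:00:05 SRC=198.51.100.7 DST=192.0.2.10 DPT=80 FLAGS=F
2024-01-01T10:00:06 SRC=198.51.100.7 DST=192.0.2.10 DPT=443 FLAGS=F
2024-01-01T10:10:00 SRC=192.0.2.50 DST=192.0.2.10 DPT=443 FLAGS=S
2024-01-01T10:10:00 SRC=192.0.2.50 DST=192.0.2.10 DPT=443 FLAGS=A
"""

# Hypothetical log layout: timestamp, source, destination, destination port, TCP flags.
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=(\S+)$")

def detect_scans(log_text, port_threshold=5):
    """Group packets by source address and return the sources whose traffic
    looks like a port sweep or a FIN/ACK probe, with the ports they touched."""
    by_src = defaultdict(lambda: {"ports": set(), "flags": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        _, src, _, dport, flags = m.groups()
        by_src[src]["ports"].add(int(dport))
        by_src[src]["flags"].add(flags)
    alerts = {}
    for src, info in by_src.items():
        kinds = []
        if len(info["ports"]) >= port_threshold:
            # Only SYNs and many ports: half-open sweep; mixed flags: full connects.
            kinds.append("syn-sweep" if info["flags"] == {"S"} else "port-sweep")
        if "S" not in info["flags"] and info["flags"] & {"F", "A"}:
            kinds.append("fin/ack-probe")  # FIN/ACK without any SYN from this source
        if kinds:
            alerts[src] = {"ports": sorted(info["ports"]), "kinds": kinds}
    return alerts

if __name__ == "__main__":
    for src, alert in detect_scans(SAMPLE_LOG).items():
        print(src, alert["kinds"], alert["ports"])
```

The normal client (192.0.2.50) that opens one port with a SYN and then sends ACKs produces no alert, which is the property a real detector must keep as the threshold is tuned.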

12
Determining the OS
  • Normally referred to as fingerprinting; it has
    become the center of quite a bit of discussion in
    the last few years.
  • Once an attacker has narrowed down to a couple of
    machines that will be his targets, it is
    important for him to determine the exact
    characteristics of those machines. This
    typically starts with finding out which OS and
    which version the machine is running.
  • Typically done by sending specialized packets to
    a machine and seeing how that machine responds.
  • RFCs define how a machine should respond to
    common-sense packets; they do not cover odd
    packets, or some variable details.
  • There are a number of utilities which perform
    fingerprinting.
  • Queso
  • Nmap
  • LanGuard

13
Determine Services Running
  • Different programs and different versions of a
    program have different vulnerabilities.
    Determining the exact program and version will
    help an attacker decide which exploit will be
    most likely to succeed.
  • Quite often the open port itself will indicate
    the service that is running, and this is a good
    first guess. But that does not tell us the
    program or version; it just provides a starting
    point for our probing. For example, an open port
    25 is most likely a mail server, but which mail
    server?
  • Telnet is handy for probing open ports and
    gathering additional information.
  • Vulnerability scanners, such as Nessus, will do
    all the work for you: probing the port,
    determining which version, and then proceeding to
    see if that program is susceptible to the latest
    exploits designed for that version.

14
Mapping the Network
  • Finally, once the attacker has determined the
    target, he may decide not to attack it directly,
    or it may not be possible to attack it directly.
    He may have to attack another (easier) machine
    first, in order to get access to the target
    machine.
  • In any event, it is often necessary to map out
    the network containing the target machine.
  • Tools
  • Traceroute is one tool that may work for this,
    but it takes a lot of patience and careful
    analysis.
  • Sometimes a program like Visual Ping can take
    some of the guesswork out of it, but usually
    not. These types of programs depend on the use of
    an online database.
  • The job of completely mapping the target network
    puts all of the techniques of information
    gathering to use. Each machine's purpose
    needs to be identified; this often involves
    additional port probing and telnet connecting.