multiple search engines (All-in-One , Dogpile) advance - PowerPoint PPT Presentation

Slides: 9
Provided by: albe5
Learn more at: http://home.ubalt.edu

Transcript and Presenter's Notes

1
Footprinting and Scanning
2
Protect from
  • Target acquisition and information gathering
  • footprinting
  • scanning
  • enumeration
  • initial access
  • privilege escalation
  • covering tracks

3
Footprinting
  • gathering target information
  • profile of security posture

4
Scope of footprinting
  • Organization, region, location
  • open source search
  • web page (save it offline, e.g. teleport)
  • multiple search engines (All-in-One, Dogpile)
  • advanced search (e.g. Yahoo)
  • publicly traded companies (e.g. EDGAR)
  • You can obtain satellite images of a location
    using the TerraServer or downloading Google
    Earth.
  • countermeasures
  • remove unnecessary information from web pages
  • create security policies (see Site Security
    Handbook)

5
Network enumeration
  • Identify domain names and networks
  • registrar query. In Linux/UNIX issue whois
    domain@whois.crsnic.net. In Windows download
    SamSpade, enter a DNS server in the right window
    and perform the query in the left window as
    shown here.
  • organizational and domain query. Use the dig
    function of SamSpade to obtain information about
    who is responsible for the domain, the primary
    (authoritative) DNS server, the other DNS
    servers, etc.
  • network query. The ARIN database can provide
    information on IP blocks assigned to an
    organization. You can also use the SamSpade IP
    Block tool.
  • countermeasures: only administrative cleanup,
    because the information is required for
    registration.

6
DNS interrogation
  • Use the Spade tool to check DNS.
  • Use the dig tool in Spade to obtain the
    authoritative DNS for the organization (it will
    also provide mail server, etc, IP numbers).
  • A zone transfer asks the authoritative name
    server of an organization for all the information
    it knows about a domain (it should not provide
    the information).
  • Mail relay check asks a mail server to relay mail
    for you (it should not relay your message).
  • Countermeasures: deny all unauthorized inbound
    connections to port 53. You can also set
    directives to the DNS server (see book). This
    prevents zone transfer, but not nslookup to each
    IP number.
  • Network Reconnaissance
  • traceroute (tracert) lets you study the network
    topology (identify the nodes in the network). See
    this example.

7
Scanning
  • After obtaining a list of network and IP
    addresses, scanning starts
  • ping sweeps (active machines): use pinger in
    Windows and nmap in Linux/UNIX. This is an
    example of pinger.
  • TCP port scanning (open ports in active
    machines): SYN and connect scans work with most
    hosts. SYN is stealthier and may not be logged.
    In Windows use SuperScan and in Linux/UNIX use
    nmap. See an example of SuperScan. However,
    hackers use scripts with binary files, not
    graphical tools.
  • UDP port scanning: use WUPS in Windows as shown
    here.
  • countermeasures: detection using active ports
    (see an example of what it logs). Later we will
    learn to install an IDS program (snort), the way
    to protect from ping sweeps and port scanning.
    NAT is a first step. See more free/shareware
    security tools here.
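
The detection countermeasure above, sketched as an added example that is not part of the original slides: it flags ping sweeps and port scans in a firewall log by counting distinct targets per source within a time window. The log format, addresses and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample firewall log (format is an assumption for this example):
# epoch_seconds src_ip dst_ip proto dst_port ('-' for ICMP)
SAMPLE_LOG = """\
1000 203.0.113.7 192.0.2.1 icmp -
1001 203.0.113.7 192.0.2.2 icmp -
1002 203.0.113.7 192.0.2.3 icmp -
1003 203.0.113.7 192.0.2.4 icmp -
1010 198.51.100.9 192.0.2.2 tcp 21
1011 198.51.100.9 192.0.2.2 tcp 22
1012 198.51.100.9 192.0.2.2 tcp 23
1013 198.51.100.9 192.0.2.2 tcp 25
1014 198.51.100.9 192.0.2.2 tcp 80
1020 192.0.2.50 192.0.2.2 tcp 80
1500 192.0.2.50 192.0.2.2 tcp 443
"""

def parse(log):
    """Yield (time, src, dst, proto, port) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        ts, src, dst, proto, port = parts
        yield int(ts), src, dst, proto.lower(), port

def detect(log, window=60, sweep_hosts=4, scan_ports=5):
    """Return sorted (kind, src, victim) alerts using a sliding time window."""
    seen = defaultdict(list)           # key -> [(time, item)] still in window
    alerts = set()
    for ts, src, dst, proto, port in sorted(parse(log)):
        if proto == "icmp":            # ping sweep: one source, many hosts
            key, item, limit = ("ping_sweep", src, "*"), dst, sweep_hosts
        elif proto in ("tcp", "udp"):  # port scan: one source, many ports on one host
            key, item, limit = ("port_scan", src, dst), port, scan_ports
        else:
            continue
        seen[key].append((ts, item))
        # Drop events older than the window, then count distinct targets.
        seen[key] = [(t, i) for t, i in seen[key] if ts - t <= window]
        if len({i for _, i in seen[key]}) >= limit:
            alerts.add(key)
    return sorted(alerts)

if __name__ == "__main__":
    for kind, src, victim in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: source {src} -> {victim}")
```

The source that only touches ports 80 and 443 several minutes apart stays below both thresholds and raises no alert.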

8
More in Scanning
  • OS detection (stack fingerprinting)
  • probe the TCP/IP stack, because it varies with OS.
    Requires at least one listening port to make
    determination. See textbook (pages 69-72) for
    types of probe.
  • why is it important? There are hacker tools that
    are OS and network-device specific. In Linux/UNIX
    use nmap with -O. You can use the Netcraft site
    to check the OS of a host running a Web server.
  • countermeasures: standards, filtering requests at
    firewall.
  • OS detection (passive signatures)
  • by monitoring the traffic, the operating system
    can be detected, among other things. Siphon is a
    recent Linux/UNIX tool.
  • Once the OS is identified, enumeration can take
    place (to be seen in next class meeting).