Data Gathering - PowerPoint PPT Presentation

Provided by: carlst8
Learn more at: https://cis.gvsu.edu

Transcript and Presenter's Notes


1
Data Gathering
  • A hacker can't do anything to you if they don't
    know anything about you.
  • The hacker requires
  • A target
  • Your ip address
  • Your OS type
  • What kernel you are using
  • What services you are running
  • What your internet connection speed is

2
How they choose a target
  • A hacker can get much information from posts made
    to news groups and Mailing lists
  • Example (from the firewall-wizards news group)
  • [fw-wiz] Problems with IPTables and DMZ port
  • Klaus Leithner leithner@cortex.at Sat, 5 Jan 2002
    11:35:57
  • I have a very urgent problem with a linux box
    running RedHat 7.2 and IPTables v. 1.2.3.
  • We need to replace our normal Firewall (a
    Watchguard FireBox II) with the following
    configuration
  • Public IP-Address Range 211.18.46.192 with a
    NetMask 255.255.255.192; Private IP-Address
    Range 10.43.0.0 with a NetMask 255.255.0.0
  • We have a DMZ, which uses the public IP - Address
    Range.

3
How they choose a target
  • Schemata
        (x) (Router 211.18.46.193)
                |
        (EXTERNAL INTERFACE 211.18.46.194)
        Firewall --------- (DMZ Interface 211.18.46.195; all of our servers in the
                |           DMZ use IP addresses like 211.18.46.X, and a gateway of
                |           211.18.4.193)
        (LAN INTERFACE 10.43.0.1, we use NAT)
  • We have a breakdown of our standard firewall, and
    need to replace it as soon as possible with this
    Linux box. We have tried every trick we know, and
    after about 24 hours of work: no chance!
  • Can anyone help us!!!

4
How they choose a target
  • Other targets include
  • Entities with high speed internet
  • Universities, governments, large corporations
  • Entities with many disconnected policies and
    procedures
  • Governmental entities, medium/large corporations
  • Well-known entities
  • GM, Microsoft, MSU, NASA, etc
  • Entities with novice administrators
  • Home computers with cable modems, power left on.
  • Entities that can give financial gain
  • Banks, stock brokers
  • Entities that can provide trade secrets
  • Pharmaceutical Companies, Research Companies

5
How they get info on you
  • Domain lookup
  • Whois database
  • A list of domains and the contact information
    associated with a domain.
  • Example of a domain lookup
  • > whois a gm (you might need a host:
    whois.internic.net)
  • GM.ST63.AREANA.NE.JP
  • GM.HOTELRES.COM
  • GM.GEEKFREET.NET
  • GM.GARM.NET
  • GM.ORG
  • GM.NET
  • GM.COM
  • GM

6
How they get info on you
  • Domain lookup
  • Example
  • > whois gm.com
  • Registrant
  • Domain Name Administrator
  • General Motors Corporation
  • 300 Renaissance Center Mail Code
    482-C23-B21
  • Detroit MI 48265-3000
  • US
  • domainname.admin@gm.com 1.3136654967
    Fax 1.1111111111
  • Domain Name gm.com
  • Administrative Contact
  • Domain Name Administrator
  • General Motors Corporation
  • 300 Renaissance Center Mail Code
    482-C23-B21
  • Detroit MI 48265-3000
  • US
  • domainname.admin@gm.com 1.3136654967
    Fax 1.1111111111

7
How they get info on you
  • Domain lookup
  • Example (cont)
  • Technical Contact, Zone Contact
  • DNS Technical Contact
  • EDS NNAM
  • 800 Tower Drive MS 4258
  • Troy MI 48098
  • US
  • dnsmaster@eds.com 1.2482655000 Fax
    1.1111111111
  • Created on.............. 1992-01-15.
  • Expires on.............. 2011-01-16.
  • Record last updated on.. 2010-08-13.
  • Domain servers in listed order
  • ns3.eds.com
  • ns1.eds.com
  • ns2.eds.com

8
How they get info on you
  • DNS queries
  • Get the IP address of a given domain
  • Example
  • > host gm.com
  • gm.com has address 170.224.60.167
  • Network lookup
  • Again using the whois database
  • Instead of giving a domain you give an IP address

9
How they get info on you
  • Network lookup
  • Example
  • > whois 170.224.60.167
  • NetRange 170.224.0.0 - 170.227.255.255
  • NetName IBM-COMMERCIAL
  • NameServer RTPUSSXDNSB03.RALEIGH.MEBS.IHOST.COM
  • NameServer RTPUSSXDNSB04.RALEIGH.MEBS.IHOST.COM
  • NameServer BLDUSWXDNSB01.BOULDER.MEBS.IHOST.COM
  • NameServer BLDUSWXDNSB02.BOULDER.MEBS.IHOST.COM
  • OrgName IBM
  • Address 3039 Cornwallis Road
  • City Research Triangle Park
  • StateProv NC
  • PostalCode 27709-2195
  • Country US
  • RegDate 1992-02-08
  • Updated 2006-09-15

10
How they get info on you
  • Countermeasures
  • The whois database is required to register your
    company for an IP address.
  • Do not use actual names for the various contacts.
    Instead use role names like "tech support"
  • Do not give a direct phone number; give the main
    office general phone number
  • This helps to prevent social engineering!
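
The slides above show whois used twice: a network lookup that returns a NetRange, and a domain lookup that returns contact records, followed by the advice to publish role names and a switchboard number. The example below is added here and is not part of the original presentation: it parses a constructed "Key: value" whois record modelled on the IBM block from the slide, tests whether an address falls inside the NetRange, and audits contact entries against the two countermeasures. The contact entries, the switchboard number and the list of role words are assumptions for the example, not data from any registry.

```python
import ipaddress
import re

# Constructed whois network record, modelled on the block shown on the slide
# (abbreviated; this is not a live lookup).
NETWORK_RECORD = """\
NetRange:   170.224.0.0 - 170.227.255.255
NetName:    IBM-COMMERCIAL
OrgName:    IBM
City:       Research Triangle Park
StateProv:  NC
Country:    US
RegDate:    1992-02-08
Updated:    2006-09-15
"""

# Constructed contact entries: the first follows the slide's advice (role
# name, switchboard number); the second is what the slide warns against.
CONTACTS = [
    {"role": "Administrative", "name": "Domain Name Administrator",
     "email": "domainname.admin@example.com", "phone": "1.3135550100"},
    {"role": "Technical", "name": "Jane Doe",
     "email": "jane.doe@example.com", "phone": "1.3135550187"},
]
MAIN_NUMBER = "1.3135550100"   # assumed main office number for the audit

# Words that mark a role account rather than a person (assumed list).
ROLE_WORDS = {"administrator", "admin", "hostmaster", "support", "noc",
              "abuse", "dns", "contact", "helpdesk"}


def parse_whois(text):
    """Turn 'Key: value' whois lines into a dict; the first value wins."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#")):
            continue                      # comment / banner lines
        key, value = line.split(":", 1)
        record.setdefault(key.strip(), value.strip())
    return record


def net_range(record):
    """CIDR blocks covering the 'start - end' NetRange field."""
    start, end = (s.strip() for s in record["NetRange"].split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def ip_in_range(record, ip):
    """True if the address falls inside the record's NetRange."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in net_range(record))


def audit_contact(contact, main_number=MAIN_NUMBER):
    """Findings for one contact entry, following the slide's countermeasures."""
    findings = []
    words = set(re.findall(r"[a-z]+", contact["name"].lower()))
    if not words & ROLE_WORDS:
        findings.append("personal name published: " + contact["name"])
    local_part = contact["email"].split("@")[0].lower()
    if not set(re.findall(r"[a-z]+", local_part)) & ROLE_WORDS:
        findings.append("personal mailbox published: " + contact["email"])
    if contact["phone"] != main_number:
        findings.append("direct phone number published: " + contact["phone"])
    return findings


def audit_all(contacts=CONTACTS, main_number=MAIN_NUMBER):
    """Map each contact role to its list of findings (empty list = compliant)."""
    return {c["role"]: audit_contact(c, main_number) for c in contacts}


if __name__ == "__main__":
    rec = parse_whois(NETWORK_RECORD)
    print(rec["OrgName"], [str(b) for b in net_range(rec)])
    print("170.224.60.167 in range:", ip_in_range(rec, "170.224.60.167"))
    for role, findings in audit_all().items():
        print(role, findings or ["ok"])
```

Run against your own registration data, the audit lists exactly the fields a social engineer would otherwise harvest; the `ipaddress` module does the range arithmetic, so the NetRange check works for any block whois returns, not only the one on the slide.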

11
What machines are running?
  • Now that the hacker has an IP range, what
    machines are actually there?
  • Use ping sweeps
  • ICMP ping
  • Send an ICMP echo request to each IP address in a
    range; if there is a reply then there is a
    machine at that IP address
  • Command: ping ipaddress

12
What machines are running?
  • Use ping sweeps
  • Nmap ping sweep
  • Sends an ICMP echo packet as well as a connection
    request to the http port (80).
  • Command: nmap -sP iprange
  • Countermeasures
  • Configure a firewall to not allow TCP/IP echo
    requests and prevent ICMP echo replies
  • But this stops all pings, some of which may be
    useful.
  • Can't prevent probing of open ports?
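
Blocking ICMP outright, as the slide notes, also costs you the useful pings. A detection-side alternative is to keep echo enabled but watch the firewall log for one source touching many hosts in a short window. The code below is an added example, not part of the presentation: it reads constructed iptables-style log lines (syslog prefix plus netfilter `SRC=`/`DST=`/`PROTO=` fields), treats ICMP echo requests and TCP SYNs to port 80 as host probes (the two packets the slide says `nmap -sP` sends), and raises an alert when a source probes at least `threshold` distinct destinations inside `window_seconds`. The log year, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2002   # assumed: syslog timestamps carry no year

# Constructed iptables-style log lines (not from a real firewall).
# 203.0.113.7 probes seven hosts in four seconds: six ICMP echo requests
# (TYPE=8) and one TCP SYN to port 80. 198.51.100.5 sends one ordinary
# ping and must not be flagged; the final echo reply (TYPE=0) is not a probe.
SAMPLE_LOG = """\
Jan  5 11:35:57 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Jan  5 11:35:57 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=ICMP TYPE=8 CODE=0
Jan  5 11:35:58 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=ICMP TYPE=8 CODE=0
Jan  5 11:35:58 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Jan  5 11:35:58 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 PROTO=ICMP TYPE=8 CODE=0
Jan  5 11:35:59 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.14 PROTO=ICMP TYPE=8 CODE=0
Jan  5 11:35:59 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.15 PROTO=ICMP TYPE=8 CODE=0
Jan  5 11:36:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.16 PROTO=TCP SPT=40123 DPT=80 SYN
Jan  5 11:36:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=0 CODE=0
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")


def parse_line(line, year=LOG_YEAR):
    """Return the netfilter fields of one log line as a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    tokens = m.group(2).split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    fields["FLAGS"] = {t for t in tokens if "=" not in t}   # SYN, ACK, DF ...
    fields["TS"] = stamp
    return fields


def is_host_probe(ev):
    """ICMP echo request, or a TCP SYN to port 80 (the nmap -sP pair)."""
    if ev.get("PROTO") == "ICMP":
        return ev.get("TYPE") == "8"
    if ev.get("PROTO") == "TCP":
        return ev.get("DPT") == "80" and "SYN" in ev["FLAGS"]
    return False


def detect_sweeps(log_text, threshold=5, window_seconds=10):
    """Map source -> largest number of distinct destinations it probed
    inside any window of `window_seconds`, for sources at/over threshold."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_host_probe(ev):
            probes[ev["SRC"]].append((ev["TS"], ev["DST"]))
    alerts = {}
    for src, events in probes.items():
        events.sort()
        end = 0
        for start in range(len(events)):
            # slide `end` forward so events[start:end] spans at most the window
            while end < len(events) and \
                    (events[end][0] - events[start][0]).total_seconds() <= window_seconds:
                end += 1
            targets = {dst for _, dst in events[start:end]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG))   # {'203.0.113.7': 7}
```

The same sliding window works on any line source (a `tail -f` of the firewall log, for instance); tune `threshold` and `window_seconds` to your own monitoring traffic so legitimate pollers stay below the line.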

13
Where is a machine?
  • It is useful to the hacker to know where a
    machine is located.
  • It is also helpful to know how a computer is
    connected
  • Traceroute
  • Lists all the routers between your computer and
    another
  • Displays the time for each hop
  • Displays the IP address and common name of each
    router.
  • By examining the names of the routers you can
    generally guess where a router is, its bandwidth,
    and its equipment.

14
Where is a machine?
  • Example
  • traceroute gm.com
  • 1 router (148.61.162.254) 0.342 ms 0.288 ms
    0.275 ms
  • 2 fw-lab.gvsu.edu (148.61.17.22) 0.906 ms
    0.485 ms 0.463 ms
  • 3 router.gvsu.edu (148.61.6.1) 2.136 ms 1.829
    ms 1.480 ms
  • 4 s0-1-0.nl-port1.mich.net (198.108.23.74)
    4.013 ms 3.418 ms 12.013 ms
  • 5 at-1-1-0x20.nl-chi3.mich.net (198.108.22.169)
    21.982 ms 15.438 ms 12.870 ms
  • 6 acr2-so-6-1-0.Chicago.cw.net (208.172.1.169)
    58.108 ms 35.452 ms 36.204 ms
  • 7 cable-and-wireless-peering.Chicago.cw.net
    (208.172.1.222) 69.233 ms 70.475 ms 69.281 ms
  • 8 0.so-5-2-0.XL1.CHI2.ALTER.NET (152.63.68.2)
    73.590 ms 70.233 ms 68.240 ms
  • 9 0.so-2-0-0.TL1.CHI2.ALTER.NET (152.63.67.125)
    69.726 ms 73.297 ms 71.348 ms
  • 10 0.so-1-2-0.TL1.DCA6.ALTER.NET (152.63.1.93)
    48.134 ms 48.167 ms 47.825 ms
  • 11 0.so-4-0-0.CL1.GSO1.ALTER.NET (152.63.39.137)
    59.292 ms 58.914 ms 56.003 ms
  • 12 189.ATM7-0.GW4.GSO1.ALTER.NET (152.63.33.213)
    57.321 ms 56.504 ms 58.668 ms
  • 13 usibm-gw.customer.alter.net (157.130.39.38)
    61.277 ms 60.298 ms 60.273 ms

15
Where is a machine?
  • How traceroute works
  • Sends UDP packets through the internet with the
    time to live set to 1
  • Waits for the ICMP time exceeded (TTL expired) reply
  • Increases the time to live by one and sends again.
  • Each time it gets an ICMP time exceeded reply it
    learns the next step in the route.
  • Countermeasures
  • You can't do anything about how you are connected
    to the internet, nor about the ICMP time exceeded reply
  • You can block ICMP packets in and out of your
    organization
  • You should NOT name machines in a way that reveals
    information
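
The traceroute listing two slides back shows how much a router name gives away: `fw-lab`, `Chicago`, `DCA6`, `usibm-gw`. The example below is added here and is not part of the presentation: it parses traceroute output into hops (including a hop that drops probes and prints `* * *`), computes a median round-trip time per hop, and audits each hostname against a watch-list of fragments that disclose role or location, which is the check you would run on your own infrastructure before deciding how to rename things. The watch-list and the timed-out hop are assumptions; the other hop lines are taken from the slide.

```python
import re
import statistics

# Constructed traceroute output: hops 1, 2, 5, 6, 10 and 13 come from the
# slide; hop 7 is an added router that drops probes (shown as "* * *").
TRACE = """\
 1  router (148.61.162.254)  0.342 ms  0.288 ms  0.275 ms
 2  fw-lab.gvsu.edu (148.61.17.22)  0.906 ms  0.485 ms  0.463 ms
 5  at-1-1-0x20.nl-chi3.mich.net (198.108.22.169)  21.982 ms  15.438 ms  12.870 ms
 6  acr2-so-6-1-0.Chicago.cw.net (208.172.1.169)  58.108 ms  35.452 ms  36.204 ms
 7  * * *
10  0.so-1-2-0.TL1.DCA6.ALTER.NET (152.63.1.93)  48.134 ms  48.167 ms  47.825 ms
13  usibm-gw.customer.alter.net (157.130.39.38)  61.277 ms  60.298 ms  60.273 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)((?:\s+[\d.]+ ms)+)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")

# Assumed watch-list of name fragments that disclose a device's role or city.
REVEALING = {"fw", "firewall", "gw", "lab", "vpn", "core", "dmz",
             "chi", "chicago", "dca", "gso", "nyc"}


def parse_traceroute(text):
    """List of hop dicts; a hop that answered nothing has host/ip None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(4))]
            hops.append({"hop": int(m.group(1)), "host": m.group(2),
                         "ip": m.group(3), "rtts": rtts,
                         "median_ms": statistics.median(rtts)})
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "host": None, "ip": None,
                         "rtts": [], "median_ms": None})
    return hops


def revealing_tokens(hostname):
    """Watch-listed fragments of a hostname (split on '.' and '-',
    trailing digits stripped so 'DCA6' and 'chi3' still match)."""
    tokens = {re.sub(r"\d+$", "", t.lower()) for t in re.split(r"[.-]", hostname)}
    return sorted(tokens & REVEALING)


def audit_names(hops):
    """Map each named hop to the revealing fragments found in its name."""
    report = {}
    for h in hops:
        if h["host"]:
            hits = revealing_tokens(h["host"])
            if hits:
                report[h["host"]] = hits
    return report


if __name__ == "__main__":
    hops = parse_traceroute(TRACE)
    for h in hops:
        print(h["hop"], h["host"] or "* * *", h["median_ms"])
    print(audit_names(hops))
```

The median rather than the mean per hop keeps one slow probe (hop 6 above has 58 ms next to 35 ms) from skewing the picture; the timeout branch matters because a hop that blocks ICMP, as the countermeasure suggests, still occupies a line in the output and must not break the parser.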

16
What is running on the machine?
  • When a network service is made available it opens
    a port in the range 0-65535.
  • There are well-known port numbers opened by
    established programs.
  • They are in the range 0-1024. Only
    privileged processes may use a well-known port
    number
  • telnet 23
  • ftp 21
  • smtp 25
  • ssh 22
  • There are also port numbers generally accepted as
    being used for certain purposes
  • See /etc/services for the list known to your machine

17
What is running on the machine?
  • Port scanning
  • TCP
  • A program sends a SYN request to each port in a
    range and sees if a SYN/ACK is returned.
  • Or it can send a FIN packet, and see if the
    computer responds
  • Or it can send an ACK packet; an open port
    will respond with a RST packet, because there is
    no established connection
  • Or
  • TCP scanning is relatively fast because of its
    connection-oriented nature
  • UDP
  • A program sends a UDP packet to the port and has
    to wait to see if an ICMP port unreachable is
    returned
  • UDP scanning is slow because it must wait for the
    ICMP return message. There is a limit on the rate
    of returned ICMP error messages.

18
What is running on the machine?
  • Port scanning
  • Tools
  • Netcat
  • Strobe
  • Nmap
  • Satan
  • Saint
  • eEye Retina Scanner (windows)
  • Typhoon
  • Mscan
  • Sscan

19
What is running on the machine?
  • Port scanning
  • Countermeasures
  • Port scan detectors
  • Lestat
  • Pkdump
  • Scan detect
  • Astaro portscan detect
  • Shadow scan
  • Resentment.org
  • Scanlogd
  • Port sentry
  • Most organizations treat port scans as a prelude
    to an attack and consider them hostile!
  • They are a good idea to run against your own
    organization, but make sure you have permission
    first!
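
The detectors listed above (scanlogd, PortSentry and the rest) all rest on the same observation: a single source touching many ports on one host within a short time. The example below is added here and is not one of those tools nor part of the presentation. It parses constructed tcpdump-style lines, classifies each probe by the scan types the earlier slide describes (bare SYN, bare FIN, bare ACK shown by tcpdump as `[.]`, or an empty UDP datagram) and alerts per source/destination pair once `threshold` distinct ports are hit inside `window_seconds`. The capture lines, addresses and thresholds are assumptions; SYN/ACK replies and data segments are deliberately ignored so normal traffic does not count.

```python
import re
from collections import defaultdict

TCP_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]*)\]")
UDP_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def _line(t, src, sport, dst, dport, kind):
    """Build one constructed tcpdump-style line (helper for the sample)."""
    if kind == "UDP":
        return f"{t} IP {src}.{sport} > {dst}.{dport}: UDP, length 0"
    return f"{t} IP {src}.{sport} > {dst}.{dport}: Flags [{kind}], win 1024, length 0"


# Constructed capture (not from a real network):
#  * 203.0.113.7 sends bare SYNs to seven ports on 192.0.2.10        -> SYN scan
#  * 198.51.100.9 sends bare FINs to five ports on 192.0.2.10        -> FIN scan
#  * 203.0.113.7 sends empty UDP datagrams to six ports on 192.0.2.11 -> UDP scan
#  * 192.0.2.50 opens two ordinary connections (80 and 443)           -> not a scan
CAPTURE = (
    [_line(f"11:35:57.{i:06d}", "203.0.113.7", 40000 + i, "192.0.2.10", p, "S")
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143])]
    + [_line(f"11:36:02.{i:06d}", "198.51.100.9", 41000 + i, "192.0.2.10", p, "F")
       for i, p in enumerate([22, 23, 24, 25, 26])]
    + [_line(f"11:36:05.{i:06d}", "203.0.113.7", 42000 + i, "192.0.2.11", p, "UDP")
       for i, p in enumerate([53, 67, 69, 123, 161, 162])]
    + [_line("11:36:07.000001", "192.0.2.50", 50001, "192.0.2.10", 80, "S"),
       _line("11:36:09.000002", "192.0.2.50", 50002, "192.0.2.10", 443, "S")]
)

# tcpdump flag strings for the probe types on the slide.
PROBE_KIND = {"S": "SYN", "F": "FIN", ".": "ACK"}


def parse_capture_line(line):
    """(seconds, src, dst, dport, kind) for a probe line, else None."""
    m = TCP_RE.match(line)
    if m:
        kind = PROBE_KIND.get(m.group(8))      # "[S.]", "[P.]" etc. -> None
    else:
        m = UDP_RE.match(line)
        kind = "UDP" if m else None
    if m is None or kind is None:
        return None
    secs = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
    return secs, m.group(4), m.group(6), int(m.group(7)), kind


def detect_port_scans(lines, threshold=5, window_seconds=30):
    """Map (src, dst) -> (dominant probe kind, distinct ports) when a source
    touches at least `threshold` distinct ports on one host in the window."""
    probes = defaultdict(list)
    for line in lines:
        ev = parse_capture_line(line)
        if ev:
            secs, src, dst, dport, kind = ev
            probes[(src, dst)].append((secs, dport, kind))
    alerts = {}
    for pair, events in probes.items():
        events.sort()
        end = 0
        for start in range(len(events)):
            while end < len(events) and events[end][0] - events[start][0] <= window_seconds:
                end += 1
            window = events[start:end]
            ports = {p for _, p, _ in window}
            if len(ports) >= threshold and len(ports) > alerts.get(pair, ("", 0))[1]:
                kinds = [k for _, _, k in window]
                alerts[pair] = (max(set(kinds), key=kinds.count), len(ports))
    return alerts


if __name__ == "__main__":
    for pair, (kind, n) in detect_port_scans(CAPTURE).items():
        print(f"{pair[0]} -> {pair[1]}: {kind} scan, {n} ports")
```

Because the window is per (source, destination) pair, a slow scan spread over minutes slips under a 30-second window; real detectors keep longer state, and the slide's remark that UDP scans are slow is exactly why a UDP-scan window should be wider than a TCP one.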

20
What OS is running on the machine?
  • Network banners
  • Many services announce what the OS is.
  • telnet into any of your security machines
  • OS detection can be done by sending a series of
    illegal TCP/IP packets to a machine
  • Each OS will respond differently to the packets
  • By comparing the responses to a database, the OS
    can be determined
  • Tools
  • Queso
  • Nmap

21
What OS is running on the machine?
  • Countermeasures
  • Stop services from broadcasting the OS or
    protocol being used
  • Install a proxy firewall; that way the OS
    identified will be that of the firewall and not
    your machine.
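
The slide's first countermeasure is easiest to verify by collecting the banners your own services print (the "telnet into your security machines" step above) and checking them mechanically. The example below is added here and is not part of the presentation: it audits a set of constructed banners, separating an operating-system disclosure (distribution name, kernel line) from a plain software version, and includes two hardened banners for comparison. The banner strings and the token lists are assumptions, not output from any real host.

```python
import re

# Constructed service banners (not captured from any real host). The telnet
# entry is the login-banner style the slide alludes to; the two "hardened"
# entries show a server that still names its software but not its OS.
BANNERS = {
    "telnet/23": "Red Hat Linux release 7.2 (Enigma)\r\nKernel 2.4.7-10 on an i686\r\nlogin: ",
    "ssh/22":    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "smtp/25":   "220 mail.example.test ESMTP Sendmail 8.14.7/8.14.7; Sat, 5 Jan 2002 11:35:57",
    "http/80":   "Server: Apache/2.2.3 (CentOS)",
    "ssh/22-hardened":  "SSH-2.0-OpenSSH_7.4",
    "smtp/25-hardened": "220 mail.example.test ESMTP ready",
}

# Assumed OS token list; extend it with whatever your own platforms print.
OS_TOKENS = ["red hat", "redhat", "debian", "ubuntu", "centos", "fedora",
             "freebsd", "openbsd", "solaris", "windows", "linux", "kernel"]

# "<name>/1.2", "<name>_1.2" or "<name> 1.2": a product with a version number.
# The SSH protocol string "SSH-2.0" is required by the protocol and does
# not match because '-' is not one of the accepted separators.
VERSION_RE = re.compile(r"[A-Za-z][\w-]*[/_ ]\d+\.\d+")


def audit_banner(banner):
    """Which OS tokens a banner leaks, and whether it names a software version."""
    text = banner.lower()
    os_hits = sorted({tok for tok in OS_TOKENS if tok in text})
    return {"os": os_hits, "software_version": bool(VERSION_RE.search(banner))}


def audit_banners(banners=BANNERS):
    """Map service label -> audit result for every collected banner."""
    return {svc: audit_banner(b) for svc, b in banners.items()}


def os_leaking_services(banners=BANNERS):
    """Just the services whose banner discloses the operating system."""
    return [svc for svc, result in audit_banners(banners).items() if result["os"]]


if __name__ == "__main__":
    for svc, result in audit_banners().items():
        print(f"{svc:18} os={result['os']} version={result['software_version']}")
    print("fix first:", os_leaking_services())
```

Feed it the banners you captured by hand (or with `nc host port`) and the OS list is the to-do list for the slide's first countermeasure; the version-only hits are a judgement call, since some daemons cannot be silenced completely and the proxy-firewall countermeasure on the slide is the fallback for those.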