COMP1321 Digital Infrastructures
Richard Henson, University of Worcester, April 2018
Week 22: “Offensive” security and ethical hacking
Objectives:
- Explain the principles of hacking ethically
- Explain “footprinting” and reconnaissance from a penetration tester’s perspective
- Use vulnerability/penetration testing tools to “passively” scan networks and check access to the organisation’s network (and information about it!) from outside
- Exploit known vulnerabilities through specific unguarded TCP ports
Ethical Hacking Principles
- Hacking is a criminal offence in the UK, covered by the Computer Misuse Act (1990) and tightened by further legislation (2006)
- It can only be done “legally” by a trained (or trainee) professional
  - a computing student would be considered in this context under the law
Ethical Hacking Principles
- Even if it is legal… that doesn’t mean it is ethical!
- Professionals only hack without the owner’s permission if there is reason to believe a law is being broken
  - if not… they must ask permission
  - otherwise it is definitely unethical (and possibly illegal)
Ethical Hacking Principles
- What is “hacking”?
  - breaching a computer system without permission
- How is it done?
  - using software tools to get through the security of the system
  - also called penetration testing (again… if done with permission…)
Penetration Tester’s Toolkit
- Many penetration testing tools are available
- Also a body of knowledge that shows how to use them…
- Together, these provide the expertise to penetration test a client’s site
  - but this should only be undertaken with the client’s permission…
Preparing to use a Toolkit
- Ethical hacking professionals need to be familiar with both Windows Server and Linux
- To fully engage with the principles of penetration testing, install the following as virtual machines on your own computer:
  - Windows 2008 Server
  - Linux, with BackTrack (as a VM)
- Remember: this should only be used ethically!
- Instead, you may wish to just take an overview (plenty of excellent YouTube videos)
What and Why of “Footprinting”
- Definition: “gathering information about a ‘target’ system”
- Could be passive (non-penetrative) or active
- Find out as much information as possible about the digital and physical evidence of the target’s existence
  - need to use multiple sources…
  - may (e.g. in “black hat” hacking) need to be done secretly
Useful hacker “intelligence” about a network
- Domain names
- User/group names
- System names
- IP addresses
- Employee details / company directory
- Network protocols used, and VPN start/finish points
- Company documents
- Intrusion detection system used
Network Infrastructure Revision
- Windows networks are dependent on Active Directory
  - a large object-orientated database
  - installed on servers that become part of the domain
  - domain log in
Desktop Security
- Windows desktop security is managed through the system registry
  - an area of protected memory holding thousands of hardware/software settings
  - viewed using the regedit utility
  - some settings can be changed using regedit
  - other settings cannot be seen with regedit
System Registry
- System registry settings are stored on the local hard disk
- Loaded into memory during bootup
- Local log on: system policy files can overwrite settings in memory
- Network log on: group policy files are downloaded and overwrite files during log on
Group Policy and Resource Access
- Network resource access is also controlled via downloaded registry settings
  - in this way, user access can be controlled through group policy
  - policy files and group membership need to be held securely
Rationale for “passive” Footprinting
- The ethical hacker can gather a lot of information from publicly available sources
  - the organisation needs to know what is “out there”
- Methodology:
  - start by finding the URL (search engine), e.g. www.worc.ac.uk
  - from the main website, find other external-facing names, e.g. staffweb.worc.ac.uk
Website Connections & History
- History: use www.archive.org (The Wayback Machine)
- Connections: use robtex.com
- Business intelligence: sites that reveal company details, e.g. www.companieshouse.co.uk
More Company Information…
- “Whois” & CheckDNS.com: lookups of IP/DNS combinations
  - details of who owns a domain name
  - details of DNS zones & subdomains
- Job hunters’ websites, e.g. www.reed.co.uk, www.jobsite.co.uk, www.totaljobs.com
- IT technicians’ “blog entries”
People Information
- Company information will reveal names
- Use names in search engines: Facebook, LinkedIn
- Google Earth reveals: company location(s)
Physical Network Information (“active” footprinting or phishing)
- External “probing” should be detectable by a good defence system… (could be embarrassing!)
- e.g. Traceroute:
  - uses the ICMP protocol “echo”, no TCP or UDP port
  - reveals names/IP addresses of intelligent hardware, e.g. routers, gateways, DMZs
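The slide says external probing “should be detectable by a good defence system”. Here is an added example (not from the lecture) of what that detection can key on. Traceroute works by sending packets with the IP TTL set to 1, then 2, then 3, so that each router along the path answers in turn; a normal host sends every packet with a fixed initial TTL (64, 128 or 255). The detector therefore looks for a source whose TTL counts up one at a time, regardless of whether the probes are ICMP echo (as on the slide) or UDP (the default on most Unix traceroute tools). The packet records are constructed for this example, in the shape a sensor or flow exporter might produce.

```python
from collections import defaultdict

# Constructed packet metadata: (timestamp, src_ip, dst_ip, ip_ttl, protocol).
SAMPLE_PACKETS = [
    (100.0, "203.0.113.9", "198.51.100.20", 1, "ICMP"),
    (100.1, "203.0.113.9", "198.51.100.20", 2, "ICMP"),
    (100.2, "203.0.113.9", "198.51.100.20", 3, "ICMP"),
    (100.3, "203.0.113.9", "198.51.100.20", 4, "ICMP"),
    (100.4, "203.0.113.9", "198.51.100.20", 5, "ICMP"),
    (101.0, "192.0.2.44", "198.51.100.20", 64, "TCP"),   # ordinary client
    (101.5, "192.0.2.44", "198.51.100.20", 64, "TCP"),
    (102.0, "198.51.100.7", "198.51.100.20", 128, "UDP"),
]

def detect_traceroute(packets, min_hops=3, window=10.0):
    """Return {src_ip: (dst_ip, first_ttl, last_ttl, probe_count)} for every
    source whose TTL values to one destination step up by exactly one, starting
    at 1 or 2, for at least min_hops packets inside `window` seconds."""
    flows = defaultdict(list)
    for ts, src, dst, ttl, _proto in sorted(packets):
        flows[(src, dst)].append((ts, ttl))

    findings = {}
    for (src, dst), seq in flows.items():
        run_start = 0
        for i in range(1, len(seq) + 1):
            # A run ends at the last packet, when the TTL does not increase by
            # exactly one, or when the run has outlived the time window.
            run_ended = (
                i == len(seq)
                or seq[i][1] != seq[i - 1][1] + 1
                or seq[i][0] - seq[run_start][0] > window
            )
            if run_ended:
                run = seq[run_start:i]
                if len(run) >= min_hops and run[0][1] <= 2:
                    findings[src] = (dst, run[0][1], run[-1][1], len(run))
                run_start = i
    return findings

if __name__ == "__main__":
    for src, detail in detect_traceroute(SAMPLE_PACKETS).items():
        print(f"traceroute-like probing from {src}: {detail}")
```

A perimeter device that logs TTL-expired replies it has sent would give the same signal from the other direction: many ICMP “time exceeded” messages to one external address in a short period.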
Email Footprinting
- Using the email system to find the organisation’s email name structure
- “passive”: monitor emails sent
  - IP source address
  - structure of names
- “active”: email sending programs
  - test whether email addresses actually exist
  - test restrictions on attachments
Utilizing Google etc. (“passive”)
- Google Advanced Search options use [site:] [intitle:] [allintitle:] [inurl:]
  - in each case a search string should follow, e.g. “password”
- Maltego: graphical representations of data
Perusing Network Firewall settings
- The firewall acts between the transport layer and the application layer
  - each application transfers data using a logical port
  - entry of packets to the application layer can be restricted by blocking that port
- A hacker will wish to know which ports are blocked and which could be exploited
TCP/UDP ports and Hacking
Schematic: the TCP/IP stack interacting at three of the 7 OSI levels (network, transport, application); each application is reached through its own port (marked X):

  Application:  TELNET  FTP  SMTP  NFS  DNS  SNMP
  Ports:          X      X    X     X    X    X
  Transport:         TCP              UDP
  Network:                   IP
TCP & UDP ports
- Hackers use these to get inside firewalls etc.
- Essential to know the important ones:
  20, 21  ftp
  22      ssh
  23      telnet
  25      smtp
  53      dns
  60      tftp
  80      http
  88      Kerberos
  110     pop3
  135     smb
  137-9   NetBIOS
  161     snmp
  389     Ldap
  443     https
  636     Ldap/SSL
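Knowing which ports are blocked is as useful to the defender as to the hacker. The following added example (not from the lecture, and not tied to any real firewall’s syntax) reviews a perimeter rule set against the port list above: it flags clear-text services and Windows-domain/LAN services that an “allow from anywhere” rule exposes, and asks for confirmation of any non-standard port. The rule syntax, the sample rules and the classification of each port are assumptions made for this example; tftp is left out because its number is not needed here.

```python
import re

# Service names for the well-known ports on the slide (port -> name).
WELL_KNOWN = {
    20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
    80: "http", 88: "kerberos", 110: "pop3", 135: "smb", 137: "netbios-ns",
    138: "netbios-dgm", 139: "netbios-ssn", 161: "snmp", 389: "ldap",
    443: "https", 636: "ldaps",
}
# Services that send logins or data in clear text (reviewer's classification).
CLEARTEXT = {21, 23, 110, 161}
# Windows-domain and LAN services that should not face the Internet.
INTERNAL_ONLY = {88, 135, 137, 138, 139, 389}

# Assumed rule syntax for this example:  <allow|deny> <tcp|udp> <port|lo-hi> from <CIDR>
RULE_RE = re.compile(r"^(allow|deny)\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+from\s+(\S+)$", re.I)

# Constructed sample rule set for a perimeter firewall.
SAMPLE_RULES = [
    "allow tcp 443 from 0.0.0.0/0",
    "allow tcp 22 from 203.0.113.0/24",   # source-restricted: not flagged
    "allow tcp 23 from 0.0.0.0/0",
    "allow udp 161 from 0.0.0.0/0",
    "allow tcp 137-139 from 0.0.0.0/0",
    "allow tcp 8443 from 0.0.0.0/0",
    "deny tcp 389 from 0.0.0.0/0",        # a deny: not flagged
]

def review_rules(rules, anywhere="0.0.0.0/0"):
    """Return (port, service, reason) for each port that an 'allow ... from
    anywhere' rule exposes and that a reviewer should question."""
    findings = []
    for rule in rules:
        m = RULE_RE.match(rule.strip())
        if not m:
            continue  # unparseable line: ignored in this example
        action, proto, lo, hi, src = m.groups()
        if action.lower() != "allow" or src != anywhere:
            continue  # deny rules and source-restricted allows are out of scope
        lo, hi = int(lo), int(hi or lo)
        for port in range(lo, hi + 1):
            service = WELL_KNOWN.get(port, "unknown")
            if port in CLEARTEXT:
                findings.append((port, service, "clear-text service exposed to the Internet"))
            elif port in INTERNAL_ONLY:
                findings.append((port, service, "internal-only service exposed to the Internet"))
            elif port not in WELL_KNOWN:
                findings.append((port, service,
                                 f"non-standard {proto.lower()} port allowed from anywhere: confirm it is needed"))
    return findings

if __name__ == "__main__":
    for port, service, reason in review_rules(SAMPLE_RULES):
        print(f"{port:>5} {service:<12} {reason}")
```

The same list, read the other way round, is what the scanning slides that follow try to discover from outside; reviewing the rules first means the organisation already knows the answer before anyone else does.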
Reconnaissance/Scanning
- Three types of scan:
  - Network (already mentioned): identifies active hosts
  - Port: send client requests until a suitable active port has been found…
  - Vulnerability: assessment of devices for weaknesses that can be exploited
A “Scanning” Methodology for Ethical Hackers…
- Check for live systems
- Check for open ports
- “Banner grabbing”, e.g. a bad HTML request
- Scan for vulnerabilities
- Draw network diagram(s)
- Prepare proxies…
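The first three steps of this methodology (live systems, open ports, banner grabbing) and the port scan described on the previous slide all leave traces in the target’s own logs. As an added example (not from the lecture), the code below runs two detectors over constructed log samples: a port-sweep detector over firewall lines (one source touching many destination ports in a short window) and a banner-grab detector over web server lines (malformed request lines, the “bad HTML request” of the slide, plus the other tell-tales of a client asking for the server’s identity rather than a page). The log formats are a simplified firewall style and Apache “combined” format; all addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log (simplified iptables/ufw-style lines).
FIREWALL_LOG = """\
2018-04-20T10:00:01 DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=21
2018-04-20T10:00:01 DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=22
2018-04-20T10:00:02 DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=23
2018-04-20T10:00:02 ACCEPT SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=80
2018-04-20T10:00:03 DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=443
2018-04-20T10:00:03 DROP SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=3389
2018-04-20T10:05:00 ACCEPT SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP DPT=443
2018-04-20T10:05:30 ACCEPT SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP DPT=443
"""

# Constructed web server access log (Apache "combined" format).
WEB_LOG = """\
203.0.113.9 - - [20/Apr/2018:10:00:04 +0100] "GET / HTTP/1.0" 200 5120 "-" "-"
203.0.113.9 - - [20/Apr/2018:10:00:05 +0100] "HELLO" 400 226 "-" "-"
203.0.113.9 - - [20/Apr/2018:10:00:06 +0100] "OPTIONS * HTTP/1.0" 200 0 "-" "-"
192.0.2.44 - - [20/Apr/2018:10:05:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

FW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
REQUEST_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")  # a well-formed request line

def detect_port_sweeps(log_text, threshold=5, window_s=60):
    """Return {src: sorted ports} for sources that touched at least `threshold`
    distinct destination ports within `window_s` seconds. ACCEPT and DROP both
    count: a scanner learns something from either answer."""
    seen = defaultdict(list)  # src -> [(time, port)]
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            seen[m.group(3)].append((datetime.fromisoformat(m.group(1)), int(m.group(6))))
    sweeps = {}
    for src, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= threshold:
                sweeps[src] = sorted(ports)
                break
    return sweeps

def detect_banner_grabs(log_text):
    """Return {src: sorted indicators} for clients whose requests look like
    identity probes rather than browsing."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        src, _ts, request, status, agent = m.groups()
        if not REQUEST_RE.match(request):
            findings[src].add("malformed request line")
        if status == "400":
            findings[src].add("server replied 400")
        if request.startswith("OPTIONS *"):
            findings[src].add("OPTIONS * probe")
        if request.endswith("HTTP/1.0") and agent == "-":
            findings[src].add("HTTP/1.0 request with no User-Agent")
    return {src: sorted(r) for src, r in findings.items()}

if __name__ == "__main__":
    print("port sweeps:", detect_port_sweeps(FIREWALL_LOG))
    print("banner grabs:", detect_banner_grabs(WEB_LOG))
```

The two detectors are deliberately simple thresholds; in practice they feed the intrusion detection system that the “useful intelligence” slide lists as something a hacker wants to identify, which is one more reason not to advertise which product is in use in error pages or banners.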
Proxy Hacking (or Hijacking)
- Attacker creates a copy of the targeted web page on a proxy server
- Now uses methods like:
  - keyword stuffing
  - linking to the copied page from external sites…
- Artificially raises the search engine ranking
  - the authentic page will rank lower…
  - it may even be seen as duplicated content, in which case a search engine may remove it from its index
Now you try it!
- Download OWASP software tools…
- Try out the tools on an informal basis without infringing “ethical hacking” rules
- Gather evidence documenting your activities after Campbell Murray’s presentation (27th April)
- Present evidence to hand in with assignment 2…
Thanks for Listening