CSCD 434 Lecture 3 Spring 2019 Reconnaissance.

Attack Stages
- There are many reasons why attacks happen: altruistic motives from white hat hackers through to sheer profit for cyber criminals
- Serious attackers accomplish their goals in stages
- Ed Skoudis, a well-known security expert, identifies five stages of an attack
- He is a SANS instructor and author of the popular book Counter Hack Reloaded, 2nd Ed.: https://www.amazon.com/Counter-Hack-Reloaded-Step-Step/dp/0131481045

Attack Stages
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks and Hiding
Today, we look at Reconnaissance ...

Reconnaissance
- Reconnaissance is probably the longest phase, sometimes lasting weeks or months
- Learn as much as possible about the target business and how it operates, including:
- Internet searches
- Social engineering
- Dumpster diving
- Domain name management/search services
- Non-intrusive network scanning

Scanning
- Once the attacker has enough information to understand how the business works and what information is of value, he or she begins scanning perimeter and internal network devices looking for weaknesses, including:
- Open ports
- Open services
- Vulnerable applications, including operating systems
- Weak protection of data in transit
- Make and model of each piece of LAN/WAN equipment

Gaining Access
- Gaining access to resources is the whole point of a modern-day attack
- The usual goal is either to extract information of value to the attacker or to use the network as a launch site for attacks against other targets
- The attacker must gain some level of access to one or more network devices
- Once access is gained, the attacker usually has to escalate privilege to administrator level in order to install the tools used to exploit resources

Maintaining Access
- Having gained access, the attacker must maintain it long enough to accomplish his or her objectives
- The attacker must be stealthy, so as not to get caught while using the host environment
- Trojans, rootkits or other malware are typically used to maintain access to the target until the tasks are accomplished

Covering Tracks and Hiding
- After achieving his or her objectives, the attacker often takes steps to hide the intrusion and leaves controls behind for future visits
- No thief wants to get caught. A smart hacker clears the evidence so that later no one will find traces leading back to him
- This involves modifying, corrupting or deleting logs, modifying registry values, uninstalling applications and deleting folders

Another Model of Attack Stages
- Our book (Chapter 1) has another attack model known as the Cyber Kill Chain
- Developed by the military contractor Lockheed Martin, patterned after the military process to target and engage an enemy

Steps of an Attack
Cyber Kill Chain outlines the steps of an attack:
1. Reconnaissance - probe for information about the system: type of hardware or software used
2. Weaponization - the attacker creates an exploit and packages it into a deliverable payload
3. Delivery - the weapon is transmitted to the target
4. Exploitation - after the weapon is delivered, the exploitation stage triggers the intruder's exploit
5. Installation - the weapon is installed to either attack the computer or install a remote "backdoor"
(Source: CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition)

Steps of an Attack (cont'd)
6. Command and Control - the compromised system connects back to the attacker so that it can be remotely controlled by the attacker
7. Actions on Objectives - now the attackers can start to take actions to achieve their original objectives

Reconnaissance

Purpose of Reconnaissance
- What is the purpose of reconnaissance? To find out information about the target(s)
- More experienced attackers invest time and resources in information discovery
- Like bank robbers: do they just decide one day to rob a bank? No, at least not the successful ones. They research vaults, locks, the address of the bank, and map an escape route
- A computer attack is no different

Attack Reconnaissance Sources: Low Technology
- Social Engineering
- Physical Reconnaissance
- Dumpster Diving

Attack Reconnaissance: Social Engineering
- Employees give away sensitive information
- Most successful are phone calls to employees:
- Call the help desk as a "new" employee asking for help with a particular task
- An "angry manager" calls a lower-level employee because his password has suddenly stopped working
- A "system administrator" calls an employee to fix her account ... which requires her password

Social Engineering
Social engineering works because it exploits human vulnerabilities:
- Desire to help
- Hope for a reward
- Fear of making a mistake
- Fear of getting in trouble
- Fear of getting someone else in trouble

Social Engineering: Most Talented Social Engineer
- Kevin Mitnick served almost five years in prison for breaking into computers and "stealing" data from telecommunications companies
- How did he do it? He built up inside knowledge, developed trust relationships, and had lots of patience
- To get the information needed to complete a hack, Mitnick spent days learning internal company lingo and developing emotional connections with key people: security personnel and system administrators

Social Engineering is Easy: Example
Compare social engineering vs. the traditional way to obtain a user's password
Assume you already have the user name, e.g. ctaylor, obtained from a web site, news or forum group
Traditional steps:
1. Scan the network to identify open ports
2. Assuming you find an open port and a machine without the latest patches, install a rootkit on the victim network
3. Map the entire network, looking for a password file; there may be a large number of subnets and hosts

Social Engineering is Easy (cont'd)
4. Locate and copy the encrypted (hashed) password file; dump it to your own server to process it. Remain stealthy the entire time, modifying logs and altering registry keys to conceal when the files were accessed
5. Run cracking tools against the file: in the privacy of your own network, John the Ripper or Cain and Abel will crack the hashes. Takes about a week ...

Social Engineering is Easy (cont'd)
Same goal, but now with social engineering:
1. Make a phone call
2. Make another phone call; while you are chatting, ask for and receive the logon credentials
May be able to do it in one step, if lucky!!

Defences for Social Engineering
- User awareness: train people not to give out sensitive information
- A security awareness program should inform employees about social engineering attacks
- There is no reason why a system administrator ever needs you to give him/her your password
- The help desk should have a way to verify the identity of any user requesting help
- Other ideas?

Attack Reconnaissance: Physical Reconnaissance
Several categories: tailgating, shoulder surfing, other tricks
Tailgating
- Usually easy to look like you belong to an organization
- Can sometimes just walk through the door
- Can pose as someone related to an employee to gain access
- Temps, contractors, customers and suppliers all potentially have access

Tailgating
- Follow an authorized person into the building
- Look like you belong, have a reason for being there, dress the part and act like you belong: a phone company or other service technician, for example
- Once inside, a person is not typically challenged
- Key: he looks like he belongs, has company logos, carries a briefcase or toolkit; people take the person at face value
- Partly social engineering too

True Story
(Photos on the original slide: the person on the right looks like the person on the left.) The person pictured walked around a NIST building in Washington DC unchallenged; guards even held doors open for him to enter secure areas

Tailgating: Physical Reconnaissance Defences
- Once inside, an intruder has access to lots of information: physical access to internal networks, passwords, user information, internal telephone numbers, anything you want
Defences
- Badges and biometric identification
- Educate people against letting strangers into the building
- Teach employees to question people they don't know

Shoulder Surfing
- Another physical method of gaining sensitive information: coffee shops, airport lounges, hotel lobbies
- Many people are completely unaware of being spied upon
- What can you learn? Private email sessions, government documents, corporate secrets, user names or passwords; even classified documents over the shoulder of an unwary government employee
- Defense: be aware of who is around you

Dumpster Diving
- Originated with phone phreaks, the precursors of hackers
- In AT&T's monopoly days, before paper shredders became common, phone phreaks organized regular dumpster runs against phone company plants and offices
- Their target: discarded and damaged copies of AT&T internal manuals, from which they learned about phone equipment

Attack Reconnaissance: Dumpster Diving in General
- Go through someone's trash
- Recover copies of credit card receipts, reports, passwords, usernames and other sensitive information

Dumpster Diving: EWU Mall in Spokane
- A student in Spring 2008 found the Social Security number, address and SAT scores of a high school student applying to EWU
- Another student, Fall 2008, found little of interest when he staked out a store and had trouble accessing the trash; he found some information, none of it sensitive

Defense Against Dumpster Diving
- Shred all paper, including post-it notes
- Don't throw away thumb drives, CDs or other electronic media
- Secure trash areas: fence, locked gates

Technical Attack Reconnaissance

Domain Names
- The registration process, run by registrars, guarantees a unique name and enters the name in the Whois and DNS databases
- Registrars: before 1999 there was only one, Network Solutions; now thousands of registrars compete for clients
- Complete list of registrars: http://www.internic.net/alpha.html

Domain Names
- Internet Network Information Center: http://www.internic.net/whois.html
- Search for a domain name's registrar; comes back with the registrar and other information

Example from internic.net/whois.html: lookup of phptr.com (screenshots on the original slides)

Example Whois Query
Try it: enter counterhack.net at http://www.internic.net/whois.html. The answer is:
Domain Name: COUNTERHACK.NET
Registrar: NETWORK SOLUTIONS, LLC
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS1.NETFIRMS.COM
Name Server: NS2.NETFIRMS.COM
Status: clientTransferProhibited
Updated Date: 21-jun-2006
Creation Date: 22-jun-2001
Expiration Date: 22-jun-2008

Attack Reconnaissance: Whois DBs
- For other countries, use http://www.uwhois.com
- Military sites, use http://www.nic.mil/dodnic
- Education, use http://whois.educause.net/

Attack Reconnaissance: Details from the Whois DB
- After obtaining the target's registrar, the attacker can obtain detailed records on the target from the whois entries at the registrar's site
- Can look up information by: company name, domain name, IP address, human contact, host or server name

Attack Reconnaissance: Details from the Whois DB
- If you only know the company's name, the Whois DB will provide a lot more information: human contacts, phone numbers, e-mail addresses, postal address, name servers (the DNS servers)
- Network Solutions: http://www.networksolutions.com/whois/index.jsp

counterhack.net
Registrant:
Skoudis, Edward
417 5TH AVE FL 11
NEW YORK, NY 10016-2204
US
Domain Name: COUNTERHACK.NET
Administrative Contact:
Skoudis, Edward
Ed.Skoudis@predictive.com
Phone: 732-751-1024

counterhack.net ... old data (2007)
Technical Contact:
Network Solutions, LLC.
customerservice@networksolutions.com
13861 Sunrise Valley Drive
Herndon, VA 20171, US
Phone: 1-888-642-9675
Fax: 571-434-4620
Record expires on 22-Jun-2008
Record created on 22-Jun-2001
Database last updated on 21-Jun-2006
Domain servers in listed order:
NS1.NETFIRMS.COM 64.34.74.221
NS2.NETFIRMS.COM 66.244.253.1

Attack Reconnaissance: ARIN DB
- In addition to the Whois DB, another source of information is the American Registry for Internet Numbers (ARIN)
- ARIN maintains a Web-accessible, whois-style DB that lets users find out who owns particular IP address ranges
- Covers North America and parts of the Caribbean (older material, like these slides, also lists South America and sub-Saharan Africa, which have since moved to LACNIC and AfriNIC respectively)
- Use http://ws.arin.net/ and type the IP address at the whois prompt
- In Europe use the Réseaux IP Européens Network Coordination Centre (RIPE NCC): http://www.ripe.net

Attack Recon: Whois command
- Or, instead of going to a web site, you can just type whois from the command line of Linux (the whois protocol uses TCP port 43, so this only works if that port is not blocked!!!)
$ whois counterhack.net
- This displays the public whois record for the domain: registrar, contacts and name servers (it is the registration record, not the DNS records themselves)

Attack Reconnaissance: Domain Name System (DNS)
- DNS is a worldwide hierarchical DB
- As already said, organizations must have DNS records for the systems associated with their domain name
- Using DNS records, an attacker can compile a list of systems to attack
- Can sometimes even discover the operating system (e.g. from host names or HINFO records)

Domain Name Hierarchy (diagram on the original slide)
Root DNS servers
  -> com DNS servers, net DNS servers, org DNS servers
     -> counterhack.net DNS server (example: counterhack.net)

Attack Reconnaissance: Querying DNS
- First, find one or more DNS servers for the target system; these are available from the records gathered from the Whois DB, listed as "name servers" or "domain servers"
- One common tool used to query DNS servers is the nslookup command, included in all Unix flavors and Windows NT/2000/XP

Attack Reconnaissance: DNS Query
- First try to do a zone transfer, which says "give me all the information about systems associated with this domain"
- In nslookup: first use the server command to point nslookup at the target's DNS server, then set the query type to retrieve any type of record, and finally request the zone transfer

Attack Reconnaissance: DNS Query with dig
- dig is the Unix/Linux tool for the same query:
$ dig @66.244.253.1 counterhack.net -t AXFR
- This requests a zone transfer ... it might not work if the server refuses transfers
- Excellent reference for dig: http://www.madboa.com/geek/dig/#ttl
Defences against DNS Queries
- You cannot simply hide: you must have public DNS records mapping names to IP addresses, plus records indicating your name and mail servers
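The chain described on the whois and DNS slides above (pull the name servers out of the whois record, then ask each of them for a zone transfer), as an added example that is not part of the lecture. It uses dig rather than nslookup's interactive server / set type=any / ls -d sequence. The whois text is the lecture's own counterhack.net listing; the two dig outputs and the domain example.test with its 192.0.2.x addresses are constructed here so the classification logic can be exercised offline, and try_axfr is the only function that touches the network.

```shell
#!/bin/sh
# Added example: name servers from a whois record, then AXFR attempts.
# The whois text is the lecture's counterhack.net record; the dig outputs
# below are constructed samples, not real captures.

SAMPLE_WHOIS='Domain Name: COUNTERHACK.NET
Registrar: NETWORK SOLUTIONS, LLC
Whois Server: whois.networksolutions.com
Name Server: NS1.NETFIRMS.COM
Name Server: NS2.NETFIRMS.COM
Status: clientTransferProhibited'

# Constructed dig output for a server that hands over the whole zone ...
AXFR_OPEN='; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test -t AXFR
; (1 server found)
;; global options: +cmd
example.test.        3600    IN    SOA    ns1.example.test. hostmaster.example.test. 2019040101 7200 3600 1209600 3600
example.test.        3600    IN    NS     ns1.example.test.
www.example.test.    3600    IN    A      192.0.2.10
mail.example.test.   3600    IN    A      192.0.2.25
example.test.        3600    IN    SOA    ns1.example.test. hostmaster.example.test. 2019040101 7200 3600 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(ns1.example.test) (TCP)
;; WHEN: Mon Apr 01 10:00:00 PDT 2019
;; XFR size: 5 records (messages 1, bytes 218)'

# ... and for one that refuses transfers (dig prints "; Transfer failed.").
AXFR_REFUSED='; <<>> DiG 9.18.1 <<>> @ns2.example.test example.test -t AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

# Name servers from a whois record: the "Name Server:" lines, lowercased.
name_servers() {
    printf '%s\n' "$1" | awk -F': *' 'tolower($1) == "name server" { print tolower($2) }'
}

# Classify dig AXFR output: open (zone received), refused, or error (timeout etc.).
axfr_result() {
    if printf '%s\n' "$1" | grep -q '^;; XFR size:'; then
        echo open
    elif printf '%s\n' "$1" | grep -q '^; Transfer failed'; then
        echo refused
    else
        echo error
    fi
}

# Number of resource records in a transferred zone (every non-comment line;
# the SOA counts twice because an AXFR starts and ends with it).
axfr_record_count() {
    printf '%s\n' "$1" | grep -c -v -e '^;' -e '^$' || true
}

# Host names exposed by the transfer: the attacker's target list for scanning.
axfr_hosts() {
    printf '%s\n' "$1" | awk '!/^;/ && NF >= 4 && $4 == "A" { print $1 }' | sort -u
}

# Live check against one name server (needs network and dig); this is the
# lecture's "dig @server domain -t AXFR" with a short timeout.
try_axfr() {
    out=$(dig "@$2" "$1" -t AXFR +time=5 +tries=1 2>&1) || true
    printf '%s via %s: %s\n' "$1" "$2" "$(axfr_result "$out")"
}

if [ "$1" = "--live" ] && [ -n "$2" ]; then
    # ./recon.sh --live example.com : whois -> name servers -> AXFR attempts
    for ns in $(name_servers "$(whois "$2")"); do try_axfr "$2" "$ns"; done
else
    for ns in $(name_servers "$SAMPLE_WHOIS"); do echo "name server: $ns"; done
    echo "open sample:    $(axfr_result "$AXFR_OPEN"), $(axfr_record_count "$AXFR_OPEN") records"
    echo "hosts leaked:   $(axfr_hosts "$AXFR_OPEN" | tr '\n' ' ')"
    echo "refused sample: $(axfr_result "$AXFR_REFUSED")"
fi
```

Without arguments the script runs over the constructed samples; with --live and a domain it does the real whois lookup and one AXFR attempt per name server. A successful transfer is recognised by dig's ";; XFR size:" trailer and a refusal by its "; Transfer failed." line; anything else (timeouts, a filtered TCP port 53) is reported as an error rather than silently treated as a refusal.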

Attack Reconnaissance: Defence against DNS Queries
- Restrict zone transfers: the only reason to allow them is to keep secondary DNS servers in sync with the primary
- Configure the DNS server to allow zone transfers only to the specific IP addresses of the secondaries
- Can also configure firewalls or routers to restrict access to TCP port 53 to the backup DNS servers (zone transfers always use TCP)
- Caveat: ordinary queries also fall back to TCP for large responses, so blocking TCP port 53 from everyone but the secondaries can break legitimate resolution; restricting transfers in the server configuration is the safer control
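The server-side half of this defence, as an added example that is not part of the lecture: a small audit of a BIND named.conf that reports which zones would still answer the zone transfer from the previous slides, followed by the restricted stanza. The named.conf text is constructed here, and the zone names and the 192.0.2.x secondary addresses are assumptions; allow-transfer and also-notify are standard BIND options.

```shell
#!/bin/sh
# Added example: find zones in a BIND named.conf whose zone transfers are
# open to anyone, and emit the restricted stanza. The config is constructed:
# options{} allows transfers to anyone and one zone overrides that.

SAMPLE_NAMED_CONF='options {
    directory "/var/named";
    allow-transfer { any; };
};

zone "example.test" {
    type master;
    file "example.test.zone";
};

zone "internal.example.test" {
    type master;
    file "internal.zone";
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};

zone "nobody.example.test" {
    type master;
    file "nobody.zone";
    allow-transfer { none; };
};'

# One line per zone: "<zone> <effective allow-transfer ACL>". A zone without
# its own allow-transfer inherits the options{} value; if neither is set,
# older BIND releases default to "any", so an unset ACL is treated as open.
effective_transfer_acl() {
    printf '%s\n' "$1" | awk '
        /^options[ \t]*[{]/ { block = "options"; next }
        /^zone[ \t]+"/      { match($0, /"[^"]+"/); block = substr($0, RSTART + 1, RLENGTH - 2)
                              zones[++n] = block; next }
        /allow-transfer/    { sub(/.*allow-transfer[ \t]*[{][ \t]*/, ""); sub(/[ \t]*[}].*/, "")
                              acl[block] = $0; next }
        /^[}]/              { block = "" }
        END {
            global = ("options" in acl) ? acl["options"] : "any;"
            for (i = 1; i <= n; i++) print zones[i], ((zones[i] in acl) ? acl[zones[i]] : global)
        }'
}

# Zones whose effective ACL contains "any": these answer AXFR from anyone.
open_transfer_zones() {
    effective_transfer_acl "$1" | awk '{ acl = $0; sub(/^[^ ]+ /, "", acl); if (acl ~ /(^|[ ;])any;/) print $1 }'
}

# Restricted zone stanza: transfers only to the listed secondaries, which are
# also notified so they re-sync promptly after a change on the primary.
hardened_zone_stanza() {
    zone=$1; shift
    printf 'zone "%s" {\n    type master;\n    file "%s.zone";\n    allow-transfer { ' "$zone" "$zone"
    for ip in "$@"; do printf '%s; ' "$ip"; done
    printf '};\n    also-notify { '
    for ip in "$@"; do printf '%s; ' "$ip"; done
    printf '};\n};\n'
}

echo "effective transfer ACLs:"
effective_transfer_acl "$SAMPLE_NAMED_CONF"
echo "zones open to AXFR from anyone:"
open_transfer_zones "$SAMPLE_NAMED_CONF"
echo "suggested replacement for the open zone:"
hardened_zone_stanza example.test 192.0.2.2 192.0.2.3
```

In the sample, example.test inherits the global "any" and is reported as open, internal.example.test is limited to its two secondaries, and nobody.example.test (a zone with no secondaries) refuses all transfers. The audit only reads the text of the file, so it is a sanity check on configuration, not a substitute for actually trying the AXFR from outside as the previous example does.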

Attack Reconnaissance: General Purpose Reconnaissance Tools
- Can also research a target through attack portals on the web; these sites let you do research and even initiate an attack against the target
- www.dnsstuff.com/tools
- www.network-tools.com
- www.cotse.com/refs.htm
- http://www.dslreports.com/tools?r=76

More Tools: SHODAN
- http://www.shodanhq.io/
- SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters
- Some have also described it as a public port scan directory or a search engine of banners

More Tools: What does SHODAN index?
- The bulk of the data is taken from "banners", the metadata a server sends back to the client: information about the server software, options the service supports, the welcome message or other information
- Very useful for identifying specific machines

More Tools: Maltego
- http://www.paterva.com/maltego; comes with Kali Linux
- Allows you to enumerate network and domain information like: domain names, whois information, DNS names, netblocks, IP addresses
- Also allows you to enumerate people information like: email addresses associated with a person's name, web sites, social groups, companies and organizations, phone numbers
- Overview: https://hydrasky.com/network-security/maltego-tutorial-for-beginners/

Maltego (screenshot on the original slide)

Attack Reconnaissance Summary
- At the end of this phase the attacker has the information needed to move on to the next phase, Scanning
- At a minimum: phone numbers, a list of IPs, the postal address and domain name
- If lucky: operating system and server names

References
- Mark Ciampa, CompTIA Security+ Guide to Network Security Fundamentals
- Johnny Long, No Tech Hacking, Syngress, 2008
- Kevin Mitnick, The Art of Deception, Wiley, 2002
- Ed Skoudis, Counter Hack Reloaded, Ch. 5, 2006, http://www.amazon.com/Counter-Hack-Reloaded-Step-Step/dp/0131481045/ref=cm_cr_pr_product_top

The End
Lab this week is background on Nmap and Reconnaissance