Recon
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.
Dr. Stephen C. Hayne
Phase 1: Reconnaissance
Investigate the target using publicly available information
Use this information to plan your attack
Use this information to plan your escape
Low-Tech Reconnaissance
Social engineering
Physical break-in
Dumpster diving
Eavesdropping
Wiretapping
Lo-Tech: Social Engineering
Still the best way to get information.
The GIBE virus, which arrives as e-mail claiming to be a security fix from Microsoft, is an example of this.
Calls to the help desk about passwords.
Calls to users from the “help desk” about passwords.
Defense: user/sysadmin awareness.
Lo-Tech: Physical Break-In
Wiretaps into the wiring closets.
Drive up to a house, clip into the outside phone box with a long set of wires and dial anywhere using the victim’s phone. Remember this is highly illegal.
Physical access to machine rooms or “secure” buildings under a variety of ruses.
Defense: badge checks, education, alarms and motion sensors.
Lo-Tech: Physical Break-In
Theft of laptops at airports.
Defense: encrypted file system (it only protects data while the machine is off or the key is not cached, so the screen lock matters too).
Defense: password-protected screen saver with an idle timeout of at most 5 minutes.
Lo-Tech: Dumpster Diving
Rummaging through the site’s trash looking for discarded information
Credit card slips, password information, old network maps, old server configuration listings
Oracle caught dumpster diving on Microsoft
Defense: paper shredders, proper trash disposal
Web-based Reconnaissance
Searching a company’s own website:
employee contact info with phone numbers
clues about corporate culture and language
business partners
recent mergers and acquisitions
technologies in use: NT? IIS? Oracle? Solaris?
All helpful for social engineering attacks
Web-based Reconnaissance
Using search engines:
search for all websites that link to the company’s URL: potential business partners, vendors, clients
Forums and newsgroups (the virtual watering hole): company employees ask technical questions there
attackers can... learn about a company’s systems, and mislead the employees
Web-based Reconnaissance Defenses
Establish a company policy on web publication of sensitive information, especially about products used in the company and their configuration
Establish a company policy on employees’ use of newsgroups/forums and mailing lists
Surf newsgroups, etc. for sensitive info about your own company, to see what has leaked out
The Domain Name System
Hierarchical, highly distributed database
Maps domain names to IP addresses, and holds mail-server (MX) and name-server (NS) info
DNS servers : Internet :: 411 : phone system
whois Databases
Domain names, network addresses, IT employees
Registrars (100s) compete to register domains: mom’n’pops to giants, barebones to value-added
InterNIC whois db lists the registrars for .com, .net and .org domains
Allwhois whois db: front-end for registrars in 59 countries
Other whois dbs: whois.nic.mil, whois.nic.gov, and a separate one for .edu domains
ARIN IP Address Assignments
American Registry for Internet Numbers (ARIN) maintains information on who owns IP address ranges; it can be searched by company name
Scope (at the time of this presentation): North and South America, Caribbean, sub-Saharan Africa
Latin America and Africa have since moved to their own registries, LACNIC and AFRINIC
RIPE, APNIC Address Assignments
Reseaux IP Europeens Network Coordination Centre (RIPE NCC) contains the IP address assignments for European networks
Asian assignments are at the Asia Pacific Network Information Center (APNIC)
We’ve Got the Registrar, Now What?
Search at a particular registrar by...
company name or human name (keyword: name)
domain name (no keyword needed)
IP address, host name or name server name (keyword: host)
NIC handle (keyword: handle)
Can learn...
administrative, technical, and billing contact names
phone numbers, e-mail addresses, postal addresses
registration dates
name servers
Defenses against DNS-based Recon
No OS names in machine names, and therefore none in DNS
Servers don’t include HINFO or TXT records for machines
Limit zone transfers to need-to-know IP addresses:
  DNS needs UDP port 53 to resolve names; TCP port 53 is used for zone transfers
  restrict transfers to known secondary DNS servers, in the server configuration and not only at the firewall (TCP 53 is also needed for answers too large for UDP, so blocking it outright breaks resolution)
Split DNS, a.k.a. Split-Brain, a.k.a. Split-Horizon DNS:
  external DNS server: publicly accessible hosts only
  internal DNS server: DNS info for the internal network; like a proxy server, it forwards queries for outside names beyond the firewall
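One way to implement the zone-transfer restriction and split-horizon DNS from this slide in BIND 9, added here as an illustration and not taken from the original deck; the weak fragment is shown beside the hardened one. The zone name, file names, addresses and ACL names are placeholders.

```conf
// Added example, not from the slides. Placeholder names and addresses.

// WEAK: anyone on the Internet can pull the whole zone with an AXFR
zone "example.test" {
    type master;
    file "db.example.test";
    allow-transfer { any; };
};

// HARDENED: transfers only to the known secondaries, and two views
acl "secondaries"  { 192.0.2.2; 192.0.2.3; };
acl "internal-net" { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients { "internal-net"; };
    recursion yes;                        // inside clients may resolve outside names
    zone "example.test" {
        type master;
        file "db.example.test.internal";  // full internal host list
        allow-transfer { "secondaries"; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                         // not an open resolver for the world
    zone "example.test" {
        type master;
        file "db.example.test.external";  // public hosts only: www, mail, ns
        allow-transfer { "secondaries"; };
    };
};
```

Views are matched in order, so the internal view must come first, and once any view is declared every zone must live inside a view. A secondary that needs a copy of both views cannot be told apart by source address alone; BIND's usual answer is to select the view by TSIG key (match-clients { key ...; }). After the change, verify from outside the firewall that dig @ns1.example.test example.test axfr reports "Transfer failed." while normal lookups still work.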
Interrogating DNS servers
First identify a company’s name server (“domain server”)
Windows and most UNIX flavors have: nslookup
Zone transfer: “send all info about a domain”
  system names (may imply OS, machines’ purposes)
  IP addresses, mail-server names, etc.
Most UNIX flavors have: host
Some UNIX flavors have: dig
Available for Windows: adig, nscan [ nscan.hypermart.net/index.cgi?index=dns ]
General Purpose Reconnaissance Tools
Sam Spade: Windows, GUI, freeware
  web browser, ping, whois, IP block whois, nslookup, dig, DNS zone transfer, traceroute, finger, SMTP VRFY
CyberKit
NetScanTools
iNetTools
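Once a zone transfer succeeds (dig @ns1.example.test example.test axfr, host -l example.test ns1.example.test, or nslookup’s ls -d example.test after server ns1.example.test), the attacker sifts the records for exactly what the preceding DNS slides list. The Python script below is an added illustration, not part of the original slides or of any tool they mention: it parses a constructed sample of dig-style zone output for a hypothetical zone example.test and pulls out hosts and their roles, the SOA contact mailbox, hostnames that hint at an OS, HINFO/TXT records, and RFC 1918 addresses that should never appear in an external zone. The zone contents, the OS_HINTS list and the function names are all assumptions made for the example.

```python
"""Analyze the output of a DNS zone transfer (AXFR) for reconnaissance value.

Added example for this deck; not a tool from the original slides. Works on
text in dig's presentation format: "<owner> <ttl> IN <type> <rdata>".
"""
import ipaddress
import re

# Constructed sample: what "dig @ns1.example.test example.test axfr" might
# print for a hypothetical zone. No real hosts or addresses.
SAMPLE_ZONE = """\
example.test.            3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
example.test.            3600 IN NS    ns1.example.test.
example.test.            3600 IN NS    ns2.example.test.
example.test.            3600 IN MX    10 mail.example.test.
ns1.example.test.        3600 IN A     192.0.2.1
ns2.example.test.        3600 IN A     192.0.2.2
mail.example.test.       3600 IN A     192.0.2.10
www.example.test.        3600 IN A     192.0.2.20
solaris-db.example.test. 3600 IN A     192.0.2.30
solaris-db.example.test. 3600 IN HINFO "SUN-ULTRA" "SOLARIS 8"
nt-payroll.example.test. 3600 IN A     10.0.0.15
nt-payroll.example.test. 3600 IN TXT   "Payroll server, room B12, contact x4321"
"""

# Hostname tokens that give away platform or vendor (assumed list; extend it).
OS_HINTS = {"solaris", "sun", "nt", "win", "linux", "aix", "hpux", "bsd", "cisco"}

# RFC 1918 space: addresses that should never show up in an external zone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")


def _fqdn(token):
    """Normalize a domain name: lower-case, no trailing dot."""
    return token.lower().rstrip(".")


def parse_zone(text):
    """Parse resource records into (owner, type, rdata) tuples; skip other output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # blank lines and dig's comments
            continue
        m = RR_RE.match(line)
        if m is None:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        records.append((_fqdn(owner), rtype, rdata.strip()))
    return records


def analyze(records):
    """Summarize what the zone reveals: hosts, roles, contact, OS hints, leaks."""
    hosts = {}            # owner -> addresses, in zone order
    name_servers, mail_servers, info_records = [], [], []
    soa_contact = None
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts.setdefault(owner, []).append(rdata)
        elif rtype == "NS":
            name_servers.append(_fqdn(rdata))
        elif rtype == "MX":
            mail_servers.append(_fqdn(rdata.split()[-1]))   # drop the preference
        elif rtype == "SOA":
            # RNAME is the admin mailbox with the "@" written as the first "."
            soa_contact = _fqdn(rdata.split()[1]).replace(".", "@", 1)
        elif rtype in ("HINFO", "TXT"):
            info_records.append((owner, rtype, rdata))    # free intel; don't publish

    os_hints, private_addrs = [], []
    for owner, addrs in hosts.items():
        first_label = owner.split(".")[0]
        for token in re.split(r"[^a-z]+", first_label):
            if token in OS_HINTS:
                os_hints.append((owner, token))
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in RFC1918):
                private_addrs.append((owner, addr))        # internal addressing leaked
    return {
        "hosts": hosts,
        "name_servers": name_servers,
        "mail_servers": mail_servers,
        "soa_contact": soa_contact,
        "os_hints": os_hints,
        "private_addrs": private_addrs,
        "info_records": info_records,
    }


if __name__ == "__main__":
    result = analyze(parse_zone(SAMPLE_ZONE))
    print(f"{len(result['hosts'])} hosts, admin contact {result['soa_contact']}")
    for owner, token in result["os_hints"]:
        print(f"OS hint in hostname: {owner} ({token})")
    for owner, rtype, rdata in result["info_records"]:
        print(f"{rtype} record leaks: {owner} -> {rdata}")
    for owner, addr in result["private_addrs"]:
        print(f"private address published: {owner} -> {addr}")
```

Run it against a saved transfer of your own zone (dig ... axfr > zone.txt) to see what an outsider would see; every OS hint, HINFO/TXT record and private address it reports is something the defenses slide says to remove.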
Web Reconnaissance Tools
Web sites that run the lookups for you: all traffic comes from the web server, not the client, so the attacker can remain more anonymous
Some operated by high-integrity pros in security organizations, some by shady characters... so don’t use your company’s ISP account
Some tests include DoS attacks... so check with your company’s legal department
Scanning Software
GFI LANguard (for Windows)
Nmap (for Un*x; a Windows port also exists)
Nessus: A Vulnerability Scanner for Linux
Nessus is a free, open-source general vulnerability scanner (true of the 2.x releases; later versions are closed source, and OpenVAS was forked from the open-source code)
As such, it is used by the white-hat community and the black hats
Project started by Renaud Deraison
Available at
Consists of a client and server, with modular plug-ins for individual tests