Chapter 5 Phase 1: Reconnaissance. Reconnaissance  Finding as much information about the target as possible before launching the first attack packet.

Slides:



Advertisements
Similar presentations
Module II Footprinting
Advertisements

Internet Applications INTERNET APPLICATIONS. Internet Applications Domain Name Service Proxy Service Mail Service Web Service.
Recon This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C.
NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
This module will familiarize you with the following:  Overview of the Reconnaissance Phase  Footprinting: An Introduction  Information Gathering Methodology.
Principles of Information Systems, Sixth Edition The Internet, Intranets, and Extranets Chapter 7.
Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Week 2 -1 Week 2: Footprinting What is Footprinting? –Systematic collection of information on an intended target with the goal to create a complete profile.
Information Networking Security and Assurance Lab National Chung Cheng University COUNTER HACK Chapter 5 Reconnaissance Information Networking Security.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Reconnaissance Steps. EC-Council Gathering information from Open Sources  Owner of IP-address range  Address Range  Domain Names  Computing Platforms.
MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 The Internet, Intranets, and Extranets Chapter 7.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Origins of the Internet The Internet was started as a research project sponsored by the Advanced Research Projects Agency (ARPA) within the U.S. Dept.
Authorization and Policy. Is principal P permitted to perform action A on object O? – Authorization system will provide yes/no answer Authorization.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Networking Basics: DNS IP addresses are usually paired with more human-friendly names: Domain Name System (DNS). internet.rutgers.edu HostnameOrganizationTop-level.
Forensic and Investigative Accounting
Principles of Information Systems, Sixth Edition The Internet, Intranets, and Extranets Chapter 7.
 Find out initial information ◦ Open Source ◦ Whois ◦ Nslookup  Find out address range of the network ◦ ARIN (American registry for internet numbers)
Information Gathering Lesson 4. Steps for Gathering Information Find out initial information Open Source Whois Nslookup Find out address range of the.
Footprinting Richard Newman “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the.
Network Reconnaissance
Reconnaissance & Scanning By Letian Li ISQS 6342 (Spring 2003) Professor John Durrett.
Chapter 10 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain how the functions of the application layer,
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
1 INTERNET AND WORLD WIDE WEB TECHNOLOGIES BUS Abdou Illia, Spring 2007 (Week 11, Thursday 3/22/2007)
Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.
Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.
Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.
CIS 450 – Network Security Chapter 3 – Information Gathering.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Introduction To Internet
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
DIYTP Assessing a System - Basics  Why?  Vulnerabilities  What to look at:  The six ‘P’s  Patch  Ports  Protect  Policies  Probe  Physical.
Hour 7 The Application Layer 1. What Is the Application Layer? The Application layer is the top layer in TCP/IP's protocol suite Some of the components.
Network Assessment How intrusion techniques contribute to system/network security Network and system monitoring System mapping Ports, OS, applications.
CHAPTER 3 Classes of Attack. INTRODUCTION Network attacks come from both inside and outside firewall. Kinds of attacks: 1. Denial-of-service 2. Information.
Application Services COM211 Communications and Networks CDA College Theodoros Christophides
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Assessing a Target System Source: Chapter 3 Computer Security Fundamentals Chuck Easttom Prentice Hall, 2006.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Principles of Information Systems, Sixth Edition 1 The Internet, Intranets, and Extranets Chapter 7.
ROAD TO EXPLOITATION Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.
TCOM Information Assurance Management Casing the Establishment.
Registry Functions Essential components for operating a ccTLD registry.
Footprinting and Scanning
4343 X2 – Outline The Domain Name System The Web.
Network Reconnaissance CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.
JMU GenCyber Boot Camp Summer, Introduction to Reconnaissance Information gathering – Social engineering – Physical break-in – Dumpster diving Scanning.
Web Server Administration Chapter 4 Name Resolution.
Footprinting. Traditional Hacking The traditional way to hack into a system the steps include: Footprint: Get a big picture of what the network is Scan.
“ is not to be used to pass on information or data. It should used only for company business!” – Memo from IBM Executive The Languages, Methods &
Footprinting/Scanning/ Enumeration Lesson 9. Footprinting External attack: Enables attackers to create a profile of an organization’s security posture.
Uniform Resource Locator URL protocol URL host Path to file Every single website on the Internet has its own unique.
Copyright © 2006 Heathkit Company, Inc. All Rights Reserved Introduction to Networking Technologies Introduction to TCP/IP.
Footprinting and Scanning
The Internet.
Internet Applications
Footprinting and Scanning
Chapter 19 Domain Name System (DNS)
FootPrinting CS391.
Passive Research Section 2 11/29/2018.
Information Technology Ms. Abeer Helwa
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
INTERNET APPLICATIONS
Presentation transcript:

Chapter 5 Phase 1: Reconnaissance

Reconnaissance  Finding as much information about the target as possible before launching the first attack packet  Reconnaissance techniques –Low tech methods –General web searches –Whois databases –DNS

Low-Technology Reconnaissance  Social Engineering  Physical Break-In  Dumpster Diving

Social Engineering  Finding pretext to obtain privileged information or services  Defense –user awareness

Physical Break-In  Methods –Walking past unlocked doors to data center –Piggyback behind legitimate employee  Defense –security badges –track computers leaving premises –physically lock down servers –Use locks on cabinets containing sensitive information –Use automatic password-protected screen savers –Encrypt stored files

Dumpster Diving  Retrieving sensitive information from trash  Defense –Paper shredder

Reconnaissance via Searching the Web  Searching an organization’s own web site  Using search engines  Listen in at the virtual watering hole: USENET

Searching an Organization’s Own Web Site  Employees’ contact information and phone numbers  Clues about the corporate culture and language  Business partners  Recent mergers and acquisitions  Server and application platforms in use

Using Search Engines  Conduct search based on organization name, product names, employee names  Retrieve information about history, current events, and future plans of the target organization  Search for links to target organization via “link: in a search engine

Listening in at the Virtual Watering Hole: Usenet  Posting of questions by employees to technical Newsgoups  Google newsgroup archive web search engine at

Defenses against Web searches  Security by obscurity  Security policy regarding posting of sensitive information on web site, newsgroups, and mailing lists

Whois Databases  Contain information regarding assignment of Internet addresses, domain names, and individual contacts  Internet Corporation for Assigned Names and Numbers (ICANN)  Complete list of accredited registrars available at  InterNIC’s whois database available at  Whois database for organizations outside the United States available at ALLwhois web siteALLwhois  Whois database for U.S. military organizations available at whois.nic.mil whois.nic.mil  Whois database for U.S. government agencies available at whois.nic.gov whois.nic.gov  Netwwork Solutions whois database Netwwork Solutions

Figure 5.2 List of accredited registrars on the InterNIC site

Figure 5.3 Using the InterNIC whois database to find the target’s registrar

Figure 5.4 Looking up a domain name at a particular registrar

Figure 5.5 Results of a registrar whois search

Useful Information in Registar  Names (administrative, technical, billing contacts) –Used for social engineering attack  Telephone numbers –Used in war-dialing attacks  addresses –Format of addresses eg.  Postal address –Used in dumpster diving  Name servers –DNS servers

IP Address Range Assignments  North/South America –American Registry for Internet Numbers (ARIN)ARIN  Europe –RIPE NCCRIPE NCC  Asia –Asia Pacific Network Information Center (APNIC)APNIC

Figure 5.6 Searching for IP Address Assignments in ARIN

Fig 5.7 DNS Hierarchy

Fig 5.8 Recursive search to resolve a domain name to IP address

DNS Record Types  Address (A) record –Maps a domain name to a specific IP address –Eg. www IN A  Host Information (HINFO) record –Describes host type associated with host name –Eg. www IN HINFO Solaris8  Mail Exchange (MX) record –Identifies a mail system accepting mail for the given domain –Eg. calstatela.edu MX 10 mars  Name Server (NS) record –Identifies DNS servers of domain –Eg. calstatela.edu IN NS eagle  Text (TXT) record –Used for comments –Eg. serverx IN TXT “ this system contains sensitive info”

Interrogating DNS Servers  Host  Dig tool for Unix  Advanced Dig tool for MS Windows Advanced Dig tool for MS Windows  Nslookup  Zone transfer –Eg. Nslookup server set type=any ls –d calstatela.edu

Defenses from DNS-based Reconnaissance  Do not include HINFO or TXT records  Restrict zone transfers to secondary DNS only –“allow-transfer” directive or “xfernets” in BIND  Configure firewall or external router to allow access to TCP port 53 only to secondary DNS servers –No restriction on UDP port 53  Split-Horizon DNS

Split DNS  Internal users can resolve both internal and external names  External users can only access external names

General Purpose Reconnaissance GUI Client Tools for MS Windows  Sam Spade Sam Spade –Ping –Whois –IP Block Whois –Nslookup –Dig –DNS Zone Transfer –Traceroute –Finger –SMTP VRFY –Web browser  CyberKit CyberKit  NetScan Tools NetScan Tools  iNetTools iNetTools

Figure 5.10 Sam Spade user interface

Web-based Reconnaissance Tools: Research and Attack Portals  nettool.false.net nettool.false.net   members.tripod.com/mixtersecurity/evil.html members.tripod.com/mixtersecurity/evil.html    suicide.netfarmers.net suicide.netfarmers.net    crypto.yashy.com crypto.yashy.com   privacy.net/analyze privacy.net/analyze   

Figure 5.11 a Web-based reconnaissance and attack tool

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.