Data Gathering
A hacker can’t do anything to you if they don’t know anything about you. The hacker requires:
–A target
–Your IP address
–Your OS type
–What kernel you are using
–What services you are running
–What your internet connection speed is
How they choose a target
A hacker can get much information from posts made to news groups and mailing lists.
Example (from the firewall-wizards news group):

[fw-wiz] Problems with IPTables and DMZ port
Klaus Leithner
Sat, 5 Jan 2002

I have a very urgent problem with a linux box running RedHat 7.2 and IPTables v
We need to replace our normal Firewall (a Watchguard FireBox II) with the following configuration :
Public IP - Address Range : with a NetMask
Private IP – Address Range : with a NetMask
We have a DMZ, which uses the public IP - Address Range.

How they choose a target
Schemata:
(x)
(Router : | (EXTERNAL INTERFACE : )|
| Firewall | (DMZ Interface : All of our ||Server in the DMZ use IP-Addresses like || X, and a gateway of )|
|(LAN INTERFACE : we use NAT) |

We have a breakdown of our standard Firewall, and need to replace it as soon as possible with this linux - box.
We have tried every trick we know and about 24 hours of work, no chance !
Can anyone help us !!!
Thanks in advance
Klaus Leithner
How they choose a target
Other targets include:
–Entities with high speed internet: universities, governments, large corporations
–Entities with many disconnected policies and procedures: governmental entities, medium/large corporations
–Well known entities: GM, Microsoft, MSU, NASA, etc.
–Entities with novice administrators: home computers with cable modems, power left on
–Entities that can give financial gain: banks, stock brokers
–Entities that can provide trade secrets: pharmaceutical companies, research companies
How they get info on you
Domain lookup
–Whois database: a list of domains and the contact information associated with a domain.
–Example of a domain lookup (you might need a host: whois.internic.net):
  > whois –a gm
  GM.ST63.AREANA.NE.JP
  GM.HOTELRES.COM
  GM.GEEKFREET.NET
  GM.GARM.NET
  GM.ORG
  GM.NET
  GM.COM
  GM
How they get info on you
Domain lookup
–Example:
  > whois gm.com
  Registrant:
    Domain Name Administrator
    General Motors Corporation
    300 Renaissance Center
    Mail Code 482-C23-B21
    Detroit MI
    US
    Fax:
  Domain Name: gm.com
  Administrative Contact:
    Domain Name Administrator
    General Motors Corporation
    300 Renaissance Center
    Mail Code 482-C23-B21
    Detroit MI
    US
    Fax:
How they get info on you
Domain lookup
–Example (cont):
  Technical Contact, Zone Contact:
    DNS Technical Contact
    EDS NNAM
    800 Tower Drive
    MS 4258
    Troy MI
    US
    Fax:
  Created on :
  Expires on :
  Record last updated on..:
  Domain servers in listed order:
    ns3.eds.com
    ns1.eds.com
    ns2.eds.com
How they get info on you
DNS queries
–Get the IP address of a given domain
–Example:
  > host gm.com
  gm.com has address
Network lookup
–Again using the whois database
–Instead of giving a domain you give an IP address
How they get info on you
Network lookup
–Example:
  > whois
  NetRange:
  NetName: IBM-COMMERCIAL
  NameServer: RTPUSSXDNSB03.RALEIGH.MEBS.IHOST.COM
  NameServer: RTPUSSXDNSB04.RALEIGH.MEBS.IHOST.COM
  NameServer: BLDUSWXDNSB01.BOULDER.MEBS.IHOST.COM
  NameServer: BLDUSWXDNSB02.BOULDER.MEBS.IHOST.COM
  OrgName: IBM
  Address: 3039 Cornwallis Road
  City: Research Triangle Park
  StateProv: NC
  PostalCode:
  Country: US
  RegDate:
  Updated:
How they get info on you
Countermeasures
–The whois database is required to register your company for an IP address.
–Do not use actual names for the various contacts. Instead use names like “tech support”.
–Do not give a direct phone number; give the main office general phone number.
–This helps to prevent social engineering!
What machines are running?
Now that the hacker has an IP range, what machines are actually there?
Use ping sweeps
–ICMP ping
  Send an ICMP echo request to each IP address in a range; if there is a reply then there is a machine at that IP address.
  Command: ping ipaddress
What machines are running?
Use ping sweeps
–Nmap ping sweep
  Sends an ICMP echo packet as well as a connection request to the http port (80).
  Command: nmap –sP iprange
Countermeasures
–Configure a firewall to not allow TCP/IP echo requests and prevent ICMP echo replies. But this stops all pings, some of which may be useful.
–Can’t prevent probing of open ports
Where is a machine?
It is useful to the hacker to know where a machine is located. It is also helpful to know how “connected” a computer is.
Traceroute
–Lists all the routers between your computer and another
–Displays the time for each hop
–Displays the IP address and common name of each router
–By examining the names of the routers you can generally guess where a router is, its bandwidth, and its equipment.
Where is a machine?
Example:
  > traceroute gm.com
   1 router ( ) ms ms ms
   2 fw-lab.gvsu.edu ( ) ms ms ms
   3 router.gvsu.edu ( ) ms ms ms
   4 s0-1-0.nl-port1.mich.net ( ) ms ms ms
   5 at-1-1-0x20.nl-chi3.mich.net ( ) ms ms ms
   6 acr2-so Chicago.cw.net ( ) ms ms ms
   7 cable-and-wireless-peering.Chicago.cw.net ( ) ms ms ms
   8 0.so XL1.CHI2.ALTER.NET ( ) ms ms ms
   9 0.so TL1.CHI2.ALTER.NET ( ) ms ms ms
  10 0.so TL1.DCA6.ALTER.NET ( ) ms ms ms
  11 0.so CL1.GSO1.ALTER.NET ( ) ms ms ms
     ATM7-0.GW4.GSO1.ALTER.NET ( ) ms ms ms
  13 usibm-gw.customer.alter.net ( ) ms ms ms
Where is a machine?
How Traceroute works
–Sends UDP packets through the internet with the time to live set to 1
–Waits for the ICMP time exceeded reply
–Increases the time to live by one and sends again
–Each time it gets an ICMP time exceeded reply it learns the next step in the route
Countermeasures
–You can’t do anything about how you are connected to the internet, nor about the ICMP time exceeded reply
–You can block ICMP packets in and out of your organization
–You should NOT name machines in a way that reveals information
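An added example, not from the original slides, that models the traceroute mechanism just described: routers, names and addresses are constructed, nothing is sent on a real network, and one hop is configured to drop expired probes without replying, which shows what the "block ICMP" countermeasure looks like to the person tracing.

```python
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ip: str
    sends_icmp: bool = True   # False: this hop drops expired probes without an ICMP reply

# Constructed path using documentation addresses; nothing is sent on a real network.
PATH = [
    Router("router", "192.0.2.1"),
    Router("fw-lab.example.edu", "192.0.2.2", sends_icmp=False),   # blocks ICMP out
    Router("core1.example.net", "198.51.100.1"),
]
DEST = Router("www.example.com", "203.0.113.10")

def send_probe(ttl, path=PATH, dest=DEST):
    """Model one UDP probe sent with the given TTL.
    Returns ("time-exceeded", router) when the TTL reaches 0 at a router that
    answers, ("port-unreachable", dest) when the probe reaches the destination's
    closed UDP port, or None when the expiring hop silently drops it."""
    for router in path:
        ttl -= 1                      # every router decrements the TTL
        if ttl == 0:
            return ("time-exceeded", router) if router.sends_icmp else None
    return ("port-unreachable", dest)

def traceroute(path=PATH, dest=DEST, max_hops=30):
    """Start at TTL 1 and increase by one per probe until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(ttl, path, dest)
        if reply is None:
            hops.append((ttl, "*", "*"))   # real traceroute prints '* * *' here
            continue
        kind, node = reply
        hops.append((ttl, node.name, node.ip))
        if kind == "port-unreachable":     # reached the target host
            break
    return hops

if __name__ == "__main__":
    for ttl, name, ip in traceroute():
        print(f"{ttl:2d} {name} ({ip})")
```

Real traceroute sends three probes per TTL and prints a round-trip time for each; the model sends one to keep the algorithm visible.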
What is running on the machine?
When a network service is made available it opens a port in the range of 0 –
There are “well known” port numbers opened by established programs.
–They are in the range from 0 – 1024. Only privileged commands may use a “well known” port number.
–telnet 23
–ftp 21
–smtp 25
–ssh 22
There are also port numbers generally accepted as being used for certain purposes.
–See /etc/services for the list known to your machine
What is running on the machine?
Port scanning
–TCP
  A program sends a SYN request to each port in a range and sees if a SYN/ACK is returned.
  Or it can send a FIN packet and see if the computer responds.
  Or it can send an ACK packet; an open port will respond with a RST packet, because there is no established connection.
  Or …
  TCP scanning is relatively fast because of its connection-oriented nature.
–UDP
  A program sends a UDP packet to the port and has to wait to see if an ICMP port unreachable is returned.
  UDP scanning is slow because it must wait for the ICMP return message. There is a limit on the rate of returned ICMP error messages.
What is running on the machine?
Port scanning
–Tools:
  Netcat
  Strobe
  Nmap
  Satan
  Saint
  eEye Retina Scanner (windows)
  Typhoon
  Mscan
  Sscan
What is running on the machine?
Port scanning
–Countermeasures
  Port scan detectors
  –Lestat
  –Pkdump
  –Scan detect
  –Astaro portscan detect
  –Shadow scan
  –Resentment.org
  –Scanlogd
  –Port sentry
  Most organizations treat port scans as a prelude to an attack and consider them hostile!
  –Scanning your own organization is a good idea, but make sure you have permission first!
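An added example, not from the original slides, of the detection logic a scan detector like the ones listed above applies: it reads constructed iptables LOG lines from a firewall and flags a source that touches many distinct destination ports in a short window. The log format, threshold and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields this example needs from an iptables LOG line: syslog time, SRC, PROTO, DPT.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)")

def parse(line, year=2002):
    """Return (timestamp, src, proto, dport) for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])

def detect_scans(lines, threshold=5, window=10):
    """Flag a source that hits >= threshold distinct destination ports within
    window seconds (lines are assumed to be in time order, as in a log file)."""
    recent = defaultdict(list)       # src -> [(timestamp, dport), ...] still in the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                 # not a LOG line, or a needed field is missing
        ts, src, _, port = rec
        events = [(t, p) for t, p in recent[src] if (ts - t).total_seconds() <= window]
        events.append((ts, port))
        recent[src] = events
        ports = {p for _, p in events}
        if len(ports) >= threshold and src not in flagged:
            flagged[src] = sorted(ports)
    return flagged

# Constructed sample: one host probes five ports in four seconds, another makes two ordinary connections.
SAMPLE = """\
Jan  5 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan  5 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan  5 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan  5 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Jan  5 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan  5 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jan  5 10:05:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
""".splitlines()

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE).items():
        print(f"possible port scan from {src}: ports {ports}")
```

A slow scan spread over hours stays below this window; real detectors keep longer per-source state and also weight unusual flags (FIN or ACK probes) to catch the scan types listed earlier.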
What OS is running on the machine?
Network banners
–Many services announce what the OS is.
–telnet into any of your security machines
OS detection can be done by sending a series of illegal TCP/IP packets to a machine.
–Each OS will respond differently to the packets
–By comparing the responses to a database the OS can be determined
Tools
–Queso
–Nmap
What OS is running on the machine?
Countermeasures
–Stop services from broadcasting the OS or protocol being used
–Install a proxy firewall; that way the OS identified will be that of the firewall and not your machine.