Information Gathering

Before an attack What information do we need? WHOIS details OS & web server details (NetCraft, whois.webhosting.info) DNS information, Zone transfers, reverse DNS lookups Open ports?

Information Gathering Legal issues Is gathering information on a target legal? Yes BUT, port scans are considered to be an attacks so check local laws for further information Other information gathering techniques are, for the most part, legal but please check before you proceed

Information Gathering WHOIS What information to look for: Owner Administrative contact Technical contact

Information Gathering OS & web server details

Information Gathering DNS information What information to look for: Find the DNS server details Now what? C:\>nslookup > server > set type=any // return all records > ls –d

Information Gathering DNS information (cont.) Reverse DNS lookup Ping –a (we can also use nmap as described in the next section)

Information Gathering Open ports? We have to install a few things WinPcap 3.1: Installer for Windows 95/98/ME/NT4/2000/XP/2003/Vista NMAP: Latest stable Nmap command-line zipfile: nmap-3.93-win32.zip

Information Gathering Open ports (cont)? Performing a quick and simple port scan SYN scan: nmap –sS –P0 –p- (C:SYN; S:SYN/ACK; C:RST) CONNECT scan: nmap –sT –P0 –p- (three way handshake: C:SYN; S:SYN/ACK; C:ACK; C S; S C) SRC port: nmap –sS –P0 –p- -g53 Ping sweep: nmap –sP Reverse DNS: nmap –sP –R

Information Gathering Try it on a site you use Lets try one together Gather WHOIS details OS & web server details (NetCraft) DNS information, Zone transfers, reverse DNS lookups (

Web applications

What are web applications? msdn.microsoft.com Any application that uses the HTTP protocol to communicate with its clients

Web applications What are web applications? (cont.) REQUEST: GET /html/default.asp HTTP/1.1 Host: Connection: close Accept-Encoding: gzip RESPONSE: HTTP/ OK Connection: close Content-Type:text/html Content-Encoding:gzip

Web applications What are web applications? (cont.) Lets have a look at the raw data on the wire…

Web platforms

What technologies exist? JAVA (i.e. Servlets, JSP) ASP.NET (C#, J#, ASP, C++) PHP Lotus Notes Cold Fusion Native Code (i.e. ISAPI) CGI (i.e. Perl, C) BEA WebLogic IBM WebSphere Zope (i.e. Python)

Web platforms What is the difference? Programming language Performance Features Integration Stability Administration Ease of use Security What else?

Web platforms ASP Have tendency to be vulnerable, no/limited built-in facilities

Web platforms PHP Global variables can be problematic

Web platforms Lotus Notes ACLs on NSF files are often poorly configured

Web platforms CGI Native code = native code issues (b0f)

Web platforms Java and.NET security Source files can be decompiled and read Any secrets are exposed Connection string information User credentials Internal addresses What tools exist to help us? Java: DJ Decompiler ( Salamander (

Web platforms Native code versus web technologies Whats the difference between them with respect to getting the source? Native code = ASM VM code = byte code Reversing native code The original source code is not available Programme flow is harder to follow (IDA Pro can help) Reversing VM code The original code is readable DJ turns *.class, *.jar files into Java code Salamander: exes or dlls into VB or C#.NET

Web platforms Reversing demo Native code Java.NET

Web platforms Protection Dongles VM code: Obfuscation techniques Salamander HASP Native code: packers Exe Shield Armadillo ASProtect Anticrack

Web platforms Summary You dont have to break the law to gather info. Although port scanning in illegal Platforms, some better than others/more security aware

?