Presentation is loading. Please wait.

Presentation is loading. Please wait.

Acknowledgement Main lecture slides are adapted from Eastern Washington University, CSCD 434: Network Security (Spring 2014) By Carol Taylor

Published byBirgit Wetzel Modified over 6 years ago

Similar presentations

Presentation on theme: "Acknowledgement Main lecture slides are adapted from Eastern Washington University, CSCD 434: Network Security (Spring 2014) By Carol Taylor"— Presentation transcript:

1 Cyber Operation and Penetration Testing Reconnaissance Cliff Zou University of Central Florida

2 Acknowledgement Main lecture slides are adapted from Eastern Washington University, CSCD 434: Network Security (Spring 2014) By Carol Taylor s/ "Google Hacking 101", by Matt Payne files/RC1.pdf

3 Attack Stages Turns out, different reasons attackers want to attack you Altruistic reasons to sheer profit Serious attackers, accomplish goals in stages Ed Skoudis, well-known security expert identifies 5 stages of attack

4 Attack Stages 1. Reconnaissance 2. Scanning 3. Gaining Access
4. Maintaining Access 5. Covering Tracks and Hiding Today, look at Reconnaissance ...

5 Purpose of Reconnaissance
What is the purpose of reconnaissance? Find out information about target(s)‏ More experienced attackers invest time and resources in information discovery Like bank robbers Do they just decide one day to rob a bank? No. At least successful ones Research vaults, locks, address of bank and map an escape route Computer Attack – no different

6 Attack Reconnaissance
Sources Low Technology Social Engineering Physical Reconnaissance Dumpster Diving

7 Attack Reconnaissance
Social Engineering Employees give away sensitive information Most successful are calls to employees Call help desk as “new” employee for help with a particular task Angry manager calls lower level employee because password has suddenly stopped working System administrator calls employee to fix her account ... requires using her password

8 Social Engineering Social engineering works, because it exploits human vulnerabilities Desire to help Hope for a reward Fear of making a mistake Fear of getting in trouble Fear of getting someone else in trouble

9 Social Engineering Most Talented at Social Engineering
Kevin Mitnick, served almost five years in prison for breaking into computers and stealing data from telecommunications companies How did he do it? Built up inside knowledge, developed trust relationships, and lots of patience To get information needed to complete a hack, Mitnick spent days Learning internal company lingo Developing emotional connections with key people Security personnel and system administrators

10 Social Engineering is Easy
Compare Social Engineering vs. Traditional way to obtain user password Assume already have user name, Ex. ctaylor Got it from Web site, news or forum group Traditional Steps 1. Scan network to see if ports are open 2. Assume you got an open port and machine didn't have latest patches, installed a rootkit onto victim network 3. Enumerate the network, looking for a password file May be large number of subnets and hosts

11 Social Engineering is Easy
4. Locate and copy encrypted password file Need to dump password file to your server to process the file Remain stealth the entire time, modifying logs, altering registry keys to conceal when files were accessed 5. Run cracking tools against encrypted file In privacy of own network, John the Ripper or Cain and Able will crack the file Takes about a week ...

12 Social Engineering is Easy
Compare Social Engineering vs. Traditional way to obtain user password Same goals but with Social Engineering 1. Make a phone call 2. Make another phone call, while you are chatting, ask for and receive logon credentials May be able to do it in one step, if lucky!!

13 Defences for Social Engineering
User Awareness Train them to not give out sensitive information Security awareness program should inform employees about social engineering attacks No reason why a system administrator ever needs you to give him/her your password Help desk should have a way to verify the identify of any user requesting help Other ideas?

14 Attack Reconnaissance
Physical Reconnaissance Several Categories Tailgaiting, Shoulder Surfing, other tricks Tailgaiting Usually easy to look like you belong to an organization Can sometimes walk through the door Can pose as someone related to an employee to gain access Temps, contractors, customers and suppliers all potentially have access

15 Tailgaiting Follow an authorized person into building
Look like you belong, have reason for being there, dress the part and act like you belong Phone company or other service technician Once inside, person is not typically challenged Key, Looks like he belongs Has company logos, or carries briefcase, toolkit People take person at face value Partly social engineering too

16 True Story Person on the right looks like person on the left
Person below walked around A NIST building in Washington DC unchallenged. Guards even held open doors for him to enter secure areas

17 Tailgaiting Physical Reconnaissance Defences
Once inside, have access to a lot of information Physical access to internal networks Passwords, user information, internal telephone numbers, anything you want Defences Badges and biometric information Educate people against letting people into the building Teach employees to question people they don't know

18 Shoulder Surfing Another physical method of gaining sensitive information Coffee shops, airport lounges, hotel lobbies Many people are completely unaware of being spied upon What can you learn? Private sessions, government documents, corporate secrets, user names or passwords Even classified documents over the shoulder of an unwary government employee Defense – Be aware of who is around

19 Dumpster Diving Originated by phone phreaks Precursor to hackers
AT&T's monopoly days, before paper shredders became common Phone phreakers used to organize regular dumpster runs against phone company plants and offices Target: Discarded and damaged copies of AT&T internal manuals Learned about phone equipment

20 Attack Reconnaissance
Dumpster Diving In General Go through someone’s trash Recover copies of Credit card receipts, Floppies, Passwords, usernames and other sensitive information

21 Dumpster Diving EWU Mall in Spokane Student in Spring, 2008 found
SSN number, address and SAT scores of high school student applying to EWU Mall in Spokane Another student, Fall 2008 Found little of interest when he staked out a store and had trouble accessing trash Found some information, not sensitive

22 Defense Against Dumpster Diving
Defence Shred all paper including post-it notes Don’t throw away floppies or other electronic media Secure trash areas, fence, locked gates

23 Technical Attack Reconnaissance

24 Domain Names Domain Names Registration process provides Registrars
Guarantee of unique name Enter name in Whois and DNS Databases Registrars Before 1999, one registrar, Network Solutions Now, thousands of registrars compete for clients complete list of registrars

25 Domain Names Internet Network Information Center
Search for domain name’s registrar Comes back with registrar and other information

26 Internic.net/whois.html phptr.com

27 Example from Internic.net/whois
phptr.com

28 Example Whois Query Try it, Lets enter counterhack.net
Answer is Domain Name: COUNTERHACK.NET Registrar: NETWORK SOLUTIONS, LLC Whois Server: whois.networksolutions.com Referral URL: Name Server: NS1.NETFIRMS.COM Name Server: NS2.NETFIRMS.COM Status: clientTransferProhibited Updated Date: 21-jun-2006 Creation Date: 22-jun-2001 Expiration Date: 22-jun-2008

29 Attack Reconnaissance
Whois DB’s For other countries, use Military sites, use Education, use

30 Attack Reconnaissance
Details from the Whois DB After obtaining the target’s registrar, attacker can obtain detailed records on target from whois entries at registrar's site Can look up information by Company name Domain name IP address Human contact Host or server name

31 Attack Reconnaissance
Details from the Whois DB If only know Company’s name Whois DB will provide lot more information Human contacts Phone numbers addresses Postal address Name servers – the DNS servers Network Solutions

32 Counterhack.net Skoudis, Edward 417 5TH AVE FL 11
Registrant: Skoudis, Edward 417 5TH AVE FL 11 NEW YORK, NY US Domain Name: COUNTERHACK.NET Administrative Contact : Skoudis, Edward Phone:

33 Counterhack.net .. Old Data - 2007
Technical Contact : Network Solutions, LLC. 13861 Sunrise Valley Drive Herndon, VA , US Phone: Fax: Record expires on 22-Jun-2008 Record created on 22-Jun-2001 Database last updated on 21-Jun-2006 Domain servers in listed order: NS1.NETFIRMS.COM NS2.NETFIRMS.COM

34 Attack Reconnaissance
ARIN DB In addition to the Whois DB, another source of information is the American Registry for Internet Numbers (ARIN)‏ ARIN maintains Web-accessible, whois-style DB lets users gather information about who owns particular IP address ranges Can look up IP’s in North and South America, Caribbean and sub-Saharan Africa Use: Then, type in IP address at the whois prompt In Europe use, Re’seaux IP Euorope’ens Network Coordination Centr (RIPE NCC)

35 Attack Recon Whois command
Or, instead of going to the Internet, you can just type whois from the command line of Linux If the port number is not blocked!!! $ whois counterhack.net This will display all of the information available from the public dns records for that domain

36 Attack Reconnaissance
Domain Name System (DNS)‏ DNS is a worldwide hierarchical DB Already said ... Organizations must have DNS records for their systems associated with a domain’s name Using DNS records, attacker can compile a list of systems for attack Can even discover Operating System

37 RR format: (name, value, type, ttl)
2: Application Layer DNS records DNS: distributed db storing Resource Records (RR) RR format: (name, value, type, ttl) Type=A name is hostname value is IP address Type=CNAME name is alias name for some “canonical” (the real) name is really servereast.backup2.ibm.com value is canonical name Type=NS name is domain (e.g. foo.com) value is name of authoritative DNS server for this domain Type=MX value is name of mailserver associated with name

38 Attack Reconnaissance
Querying DNS First, find out one or more DNS servers for a target system Available from records gathered from the Whois DB Listed as “name servers” and “domain servers” One common tool used to query DNS servers is the nslookup command Included in all Unix flavors and Win NT/2000/XP

39 Attack Reconnaissance
DNS Query First try to do a Zone transfer Says “give me all the information about systems associated with this domain” First use a server command to set DNS server to target’s DNS server Then set the query up to retrieve any type of information And finally to do the zone transfer

40 Attack Reconnaissance
DNS Query Dig command dig – Unix variations must use this for Linux $ counterhack.net -t AXFR This does a zone transfer ... might not work Excellent reference for dig here Defences against DNS Queries Must have DNS records Need to map between IP addresses plus need to indicate name and mail servers

41 Attack Reconnaissance
Defence against DNS Queries Restrict Zone Transfers Only reason you allow Zone transfers is to keep secondary DNS server in sync with primary server Configure DNS server to only allow Zone transfers to specific IP Addresses Can also configure Firewalls or router to restrict access to TCP port 53 to back-up DNS server

42 Attack Reconnaissance
General Purpose Reconnaissance Tools Can also research target through attack portals on the web Sites allow you to do research and even initiate an attack against the target

43 Google Hacking Basics

44 Google Hacking Good to understand how Google works
Understand then how Google can work for attackers to gain sensitive information And, how you can defend against this type of information gathering 44

45 Google Basics Several components to Google Google Bots
Crawl web sites and search for information Google Index Massive index of web pages – index is what gets searched. Relates pages to each other Google Cache Copy of 101K of text for each page Even deleted pages still have copies in Google cache Google API Programs perform search and retrieve results using XML Uses SOAP Simple Object Access Protocol Need your own Google API key to use Google API 45

46 Google Basics Can use directives to focus search and limit amount of information returned site:counterhack.net Says to search only in counterhack.net filetype:ppt site:counterhack.net Limits file type to power point for counterhack.net site cache: Good for removed pages Combining terms gives powerful searches site:wellsfargo.com filetype:xls ssn Says to search only Wellsfargo site for spreadsheets with ssn – social security number 46

47 Google Basics If Web page removed Can search for active scripts
May still be in Google Cache Another place for removed web pages Wayback Machine Archives old web pages Can search for active scripts site:wellsfargo.com filetype:asp site:wellsfargo.com filetype:cgi site:wellsfargo.com filetype:php 47

48 Google Bombing != Google Hacking
A Google bomb or Google wash is an attempt to influence the ranking of a given site in results returned by the Google search engine. Due to the way that Google's Page Rank algorithm works, a website will be ranked higher if the sites that link to that page all use consistent anchor text.

49 How Do I Get Google Search Results?
Pick your keywords carefully & be specific Do NOT exceed 10 keywords Use Boolean modifiers Use advanced operators Google ignores some words*: a, about, an, and, are, as, at, be, by, from, how, i, in, is, it, of, on, or, that, the, this, to, we, what, when, where, which, with *From: Google 201, Advanced Googology - Patrick Crispen, CSU

50 Google's Boolean Modifiers
AND is always implied. OR: Escobar (Narcotics OR Cocaine) "-" = NOT: Escobar -Pablo "+" = MUST: Escobar +Roberto Use quotes for exact phrase matching: "nobody puts baby in a corner"

51 Wildcards Google supports word wildcards but NOT stemming.
"It's the end of the * as we know it" works. but "American Psycho*" won't get you decent results on American Psychology or American Psychophysics.

52 Advanced Searching googleguide.com and… Advanced Search Page:

53 Advanced Operators cache: filetype: define: numrange: 1973..2005 info:
intext: intitle: inurl: link: related: stocks: filetype: numrange: source: phonebook: DEMO: on visa and

54

55 Review: Basic Search Use the plus sign (+) to force a search for an overly common word. Use the minus sign (-) to exclude a term from a search. No space follows these signs. To search for a phrase, supply the phrase surrounded by double quotes (" "). A period (.) serves as a single-character wildcard. An asterisk (*) represents any word—not the completion of a word, as is traditionally used.

56 Advanced Operators Google advanced operators help refine searches. Advanced operators use a syntax such as the following: operator:search_term Notice that there's no space between the operator, the colon, and the search term. The site: operator instructs Google to restrict a search to a specific web site or domain. The web site to search must be supplied after the colon. The link: operator instructs Google to search within hyperlinks for a search term. The cache: operator displays the version of a web page as it appeared when Google crawled the site. The URL of the site must be supplied after the colon. Turn off images and you can look at pages without being logged on the server! Google as a mirror.

57 Other parts Google searches not only the content of a page, but the title and URL as well. The intitle: operator instructs Google to search for a term within the title of a document. The inurl: operator instructs Google to search only within the URL (web address) of a document. The search term must follow the colon. To find every web page Google has crawled for a specific site, use the site: operator.

58 What Can Google Search? The filetype: operator instructs Google to search only within the text of a particular type of file. The file type to search must be supplied after the colon. Don't include a period before the file extension. Everything listed at claims Johnny. Can also ,e.g., say filetype:phps to only search .phps files. filetype:phps mysql_connect Adobe Portable Document Format (pdf) Adobe PostScript (ps) Lotus (wk1, wk2, wk3, wk4, wk5, wki, wks, wku) MacWrite (mw) Microsoft Excel (xls) Microsoft PowerPoint (ppt) Microsoft Word (doc) Microsoft Works (wks, wps, wdb) Microsoft Write (wri) Rich Text Format (rtf) Shockwave Flash (swf) Text (ans, txt) And many more….

59 Directory Listings Directory Listings Show server version information
Useful for an attacker intitle:index.of server.at intitle:index.of server.at site:aol.com Finding Directory Listings intitle:index.of "parent directory" intitle:index.of name size Displaying variables “Standard” demo and debugging program “HTTP_USER_AGENT=Googlebot” Frequently an avenue for remote code execution /etc/passwd`

60 Default Pages Default Pages are another way to find specific versions of server software…. Apache Server Version Query Apache 1.3.0–1.3.9 Intitle:Test.Page.for.Apache It.worked! this.web.site! Apache1.3.11– Intitle:Test.Page.for.Apache seeing.this.instead Apache 2.0 Intitle:Simple.page.for.Apache Apache.Hook.Functions Apache SSL/TLS Intitle:test.page "Hey, it worked !" "SSL/TLS-aware" Many IIS servers intitle:welcome.to intitle:internet IIS Unknown IIS server intitle:"Under construction" "does not currently have" IIS 4.0 intitle:welcome.to.IIS.4.0 IIS 4.0 allintitle:Welcome to Windows NT 4.0 Option Pack IIS 4.0 allintitle:Welcome to Internet Information Server IIS 5.0 allintitle:Welcome to Windows 2000 Internet Services IIS 6.0 allintitle:Welcome to Windows XP Server Internet Services Many Netscape servers allintitle:Netscape Enterprise Server Home Page Unknown Netscape server allintitle:Netscape FastTrack Server Home Page

61 Security Advisory + Source = Google Hack
Security Advisories and application patches for web application explain the newly discovered vulnerability Analysis of the source code of the vulnerable application yields a search for un-patched applications Sometimes this can be very simple; e.g.: “Powered by CuteNews v1.3.1”

62 Automation! There are two ways to automate Google searches:
Plain old web robots The Google API:

63 Terms of Service http://www.google.com/terms_of_service. html
"You may not send automated queries of any sort to Google's system without express permission in advance from Google. Note that 'sending automated queries' includes, among other things: using any software which sends queries to Google to determine how a web site or web page 'ranks' on Google for various queries; 'meta-searching' Google; and performing 'offline' searches on Google."

64 Google API The Google API is the blessed way of automating Google interaction. When you use the Google API you include your license string

65 Protecting Yourself from Google Hackers
Keep your sensitive data off the web! Even if you think you're only putting your data on a web site temporarily, there's a good chance that you'll either forget about it, or that a web crawler might find it. Consider more secure ways of sharing sensitive data, such as SSH/SCP or encrypted .

66 Protecting yourself… Consider removing your site from Google's index.

67 Robots.txt Use a robots.txt file. Web crawlers are supposed to follow the robots exclusion standard. This standard outlines the procedure for "politely requesting" that web crawlers ignore all or part of your web site. This file is only a suggestion. The major search engine's crawlers honor this file and its contents. For examples and suggestions for using a robots.txt file, see

68 Google Hacking Something called The Google Hacking Database (GHDB)
Database of saved queries that identify sensitive data Google blocks some better known Google hacking queries, nothing stops hacker from crawling your site and launching “Google Hacking Database” queries directly 68

69 Google Hacking Originally, Google Hacking Database located at
Created by Johnny Long, a security “expert” More information about Google hacking can be found: 80&rl=1 69

70 Google Hacking Now, Google Hacking DB is at different URL
Johnny I hackstuff is off doing charitable work in Uganda Being maintained by the Exploit DB people

71 Google Hacking What Can a hacker can learn from Google queries?
Information Google Hacking Database identifies: Advisories and server vulnerabilities Error messages that contain too much information Files containing passwords Sensitive directories Pages containing logon portals Pages containing network or vulnerability data such as firewall logs 71

72 Defenses from Google Hacking
Check your site for Google hacking vulnerabilities The easiest way to check whether web site/applications have Google hacking vulnerabilities Use a Web Vulnerability Scanner Web Vulnerability Scanner scans your entire website and automatically checks for pages identified by Google hacking queries. Note: Your web vulnerability scanner must be able to launch Google hacking queries Ex: Acunetix Web Vulnerability Scanner 72

73 Defenses from Google Hacking
If Google has cached a page or URL Can have Google remove it First, update your Web site and remove sensitive information Then signal Google not to index or cache it Put a file, robots.txt in Web Server directory Says don’t search certain directories, files or entire Web site 73

74 Defenses Against Google Hacking
Or, keep Google from accessing your pages with meta tags at top of Web pages noindex, nofollow, noarchive and others Tells Google not to index, link or archive page Can also request directly from Google Does the request in 24 hours or less Remove page from other places for non-Google search engines for Wayback Machine 74

75 Attack Reconnaissance
Summary At the end of this phase the attacker has information needed to move on to the next phase Scanning At a minimum have Phone number List of IPs Address and domain name Lucky – has Operating System and Server names

Download ppt "Acknowledgement Main lecture slides are adapted from Eastern Washington University, CSCD 434: Network Security (Spring 2014) By Carol Taylor"

Similar presentations

WordPress Installation for Beginners Sheila Bergman

WordPress Installation for Beginners Sheila Bergman
View and manage corporate files from within Baan and ERP LN. Allows you to access the files on the network from within Baan maintain sessions!

View and manage corporate files from within Baan and ERP LN. Allows you to access the files on the network from within Baan maintain sessions!
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Google Search Using internet search engine as a tool to find information related to creativity & innovation.

Google Search Using internet search engine as a tool to find information related to creativity & innovation.
Ahmad Radaideh.  Abstract  Introduction  Google Cached Content  GOOGLE HACKING Procedures  Google Advance Operators  Google hacking Result Categories.

Ahmad Radaideh.  Abstract  Introduction  Google Cached Content  GOOGLE HACKING Procedures  Google Advance Operators  Google hacking Result Categories.
Introduction The Basic Google Hacking Techniques How to Protect your Websites.

Introduction The Basic Google Hacking Techniques How to Protect your Websites.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
1 CSCD 434 Lecture 5 Winter 2013 Reconnaissance. 2 Attack Stages Turns out, different reasons attackers want to attack you – Altruistic reasons to sheer.

1 CSCD 434 Lecture 5 Winter 2013 Reconnaissance. 2 Attack Stages Turns out, different reasons attackers want to attack you – Altruistic reasons to sheer.
Www.TASK.to GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.

GOOGLE HACKING FOR PENETRATION TESTERS Chris Chromiak SentryMetrics March 27 th, 2007.
Wasim Rangoonwala ID# 00506259 CS-460 Computer Security “Privacy is the claim of individuals, groups or institutions to determine for themselves when,

Wasim Rangoonwala ID# CS-460 Computer Security “Privacy is the claim of individuals, groups or institutions to determine for themselves when,
XP New Perspectives on Browser and E-mail Basics Tutorial 1 1 Browser and E-mail Basics Tutorial 1.

XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
CIS 450 – Network Security Chapter 8 – Password Security.

CIS 450 – Network Security Chapter 8 – Password Security.
HOW WEB SERVER WORKS? By- PUSHPENDU MONDAL RAJAT CHAUHAN RAHUL YADAV RANJIT MEENA RAHUL TYAGI.

HOW WEB SERVER WORKS? By- PUSHPENDU MONDAL RAJAT CHAUHAN RAHUL YADAV RANJIT MEENA RAHUL TYAGI.
XP New Perspectives on The Internet, Sixth Edition— Comprehensive Tutorial 3 1 Searching the Web Using Search Engines and Directories Effectively Tutorial.

XP New Perspectives on The Internet, Sixth Edition— Comprehensive Tutorial 3 1 Searching the Web Using Search Engines and Directories Effectively Tutorial.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.

Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
Google This presentation is meant to be a handy tool to help you in your web searches. There is much more in Google than I present here but I hope this.

Google This presentation is meant to be a handy tool to help you in your web searches. There is much more in Google than I present here but I hope this.

Similar presentations

Ads by Google