Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recon This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C.

Published byJustus Brush Modified over 10 years ago

Similar presentations

Presentation on theme: "Recon This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C."— Presentation transcript:

1 Recon This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

2 Phase 1: Reconnaissance Investigate the target using publicly available information Use this information to plan your attack Use this information to plan your escape

3 Low-Tech Reconnaissance Social engineering Physical break-in Dumpster diving Eavesdropping Wiretapping

4 Lo-Tech: Social Engineering Still the best way to get information. The GIBE virus that claims to be a security fix from Microsoft is an example of this.GIBE virus Calls to help desk about passwords. Calls to users from “help desk” about passwords. Defense: user/sysadmin awareness

5 Lo-Tech: Physical Break-In Wiretaps into the wiring closets Drive up to a house, clip into their outside phone box with a long set of wires and dial anywhere using their phone. Remember this is highly illegal. Physical access to machine rooms or “secure” building under a variety of ruses. Defense: badge checks, education, alarms and motion sensors.

6 Lo-Tech: Physical Break-In Theft of laptops at airports Use encrypted file system Screen savers 5 minute minimum, password protected

7 Lo-Tech: Dumpster Diving Rummaging through the site’s trash looking for discarded information Credit card slips, password information, old network maps, old server configuration listings Oracle caught dumpster diving on Microsoft Defense: paper shredders, proper trash disposal

8 Web-based Reconnaissance Searching a company’s own website employee contact info with phone numbers clues about corporate culture and language business partners recent mergers and acquisitions technologies in use NT? IIS? Oracle? Solaris? helpful for social engineering attacks

9 Web-based Reconnaissance Using search engines search for “www.companyname.com” all websites that link to that URL potential business partners, vendors, clients Forums (the virtual watering hole) newsgroups are asked technical questions by company employees attackers can... learn a company’s system mislead the employees

10 Web-based Reconnaissance Defenses establish a company policy on web-publication of sensitive information, especially about products used in the company and their configuration establish a company policy on employees’ use of newsgroups/forums and mailing lists surf newsgroups, etc. for sensitive info about your own company to see what has leaked out

11 The Domain Name System Hierarchical, highly distributed database IP addresses, domain names, mail-server info DNS servers : Internet :: 411 : phone system

12 whois Databases Domain names, network addresses, IT employees Registrars (100s) compete to register domains mom’n’pops to giants, barebones to value-added InterNIC whois db [ www.internic.net/whois.html ] lists registrars for.com,.net,.org domains Allwhois whois db [ www.allwhois.com/home.html ] front-end for registrars in 59 countries Other whois dbs [ whois.nic.mil ], [ whois.nic.gov ], [ www.networksolutions.com ] (for.edu domains)

13 ARIN IP Address Assignments American Registry for Internet Numbers (ARIN) maintains information on who owns IP address ranges given a company name. Scope: North and South America, Caribbean, sub-Saharan Africa www.arin.net/whois/

14 RIPE, APNIC Address Assignments Reseaux IP Europeens Network Coordination Centre (RIPE NCC) contains the IP address assignments for European networks. www.ripe.net Asian assignments are at the Asia Pacific Network Information Center (APNIC) www.apnic.net

15 We’ve Got the Registrar, Now What? Search at a particular registrar by... company name or human name ( name ) domain name (no keyword needed) IP address, host name or name server name ( host ) NIC handle ( handle ) Can learn... administrative, technical, and billing contact names phone nos., e-mail addresses, postal addresses registration dates name servers

16 Defenses against DNS-based Recon no OS in machine names & therefore DNS servers don’t include HINFO or TXT records for machines limit zone transfers to need-to-know IP addresses DNS needs UDP Port 53 to resolve names TCP Port 53 is used for zone transfers restrict it to known secondary DNS servers Split DNS a.k.a. Split-Brain a.k.a. Split-Horizon DNS external DNS server: publicly accessible hosts only internal DNS server: DNS info for internal network like proxy server; forwards requests beyond firewall

17 Interrogating DNS servers first identify a company “name/domain server” Windows & most UNIX flavors have: nslookup zone transfer: “send all info about a domain” system names (may imply OS, machines’ purposes) IP addresses, mail-server names, etc. most UNIXs flavors have: host some UNIXs flavors have: dig available for Windows : adig, nscan [ nscan.hypermart.net/index.cgi?index=dns ] General Purpose Reconnaissance Tools

18 Sam Spade [ www.samspade.org/ssw/ ] Windows, GUI, freeware web browser, ping, whois, IP block whois, nslookup, dig, DNS zone transfer, traceroute, finger, SMTP VRFY CyberKit [ www.cyberkit.net ] NetScanTools [ www.netscantools.com/nstmain.html ] iNetTools [ www.wildpackets.com/products/inettools/ ]

19 All traffic comes from web server, not client Attacker can remain more anonymous Some operated by... high-integrity pros in security organizations shady characters... so don’t use your company’s ISP account Some tests include DoS attacks... so check with your company’s legal department http://www.securityspace.com/sspace/index.html Web Reconnaissance Tools

20 Scanning Software Languard GFI (for Windows) NMAP (for Un*x)

21 Nessus: A Vulnerability Scanner for Linux Nessus is a free, open-source general vulnerability scanner As such, it is used by the white hat community and the black hats Project started by Renaud Deraison Available at www.nessus.orgwww.nessus.org Consists of a client and server, with modular plug-ins for individual tests

Download ppt "Recon This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C."

Similar presentations

Internet Applications INTERNET APPLICATIONS. Internet Applications Domain Name Service Proxy Service Mail Service Web Service.

Internet Applications INTERNET APPLICATIONS. Internet Applications Domain Name Service Proxy Service Mail Service Web Service.
Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited.

Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited.
Intrusions. Disclaimer Some techniques and tools mentioned in this class could be: – Illegal to use – Dangerous for others – they can crash machines and.

Intrusions. Disclaimer Some techniques and tools mentioned in this class could be: – Illegal to use – Dangerous for others – they can crash machines and.
NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Principles of Information Systems, Sixth Edition The Internet, Intranets, and Extranets Chapter 7.

Principles of Information Systems, Sixth Edition The Internet, Intranets, and Extranets Chapter 7.
Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering.

Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Week 2 -1 Week 2: Footprinting What is Footprinting? –Systematic collection of information on an intended target with the goal to create a complete profile.

Week 2 -1 Week 2: Footprinting What is Footprinting? –Systematic collection of information on an intended target with the goal to create a complete profile.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Chapter 5 Phase 1: Reconnaissance. Reconnaissance  Finding as much information about the target as possible before launching the first attack packet.

Chapter 5 Phase 1: Reconnaissance. Reconnaissance  Finding as much information about the target as possible before launching the first attack packet.
CSC586 Network Forensics IP Tracing/Domain Name Tracing.

CSC586 Network Forensics IP Tracing/Domain Name Tracing.
Information Networking Security and Assurance Lab National Chung Cheng University COUNTER HACK Chapter 5 Reconnaissance Information Networking Security.

Information Networking Security and Assurance Lab National Chung Cheng University COUNTER HACK Chapter 5 Reconnaissance Information Networking Security.
Reconnaissance Steps. EC-Council Gathering information from Open Sources  Owner of IP-address range  Address Range  Domain Names  Computing Platforms.

Reconnaissance Steps. EC-Council Gathering information from Open Sources  Owner of IP-address range  Address Range  Domain Names  Computing Platforms.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Similar presentations

Ads by Google