
ROAD TO EXPLOITATION Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.


1 ROAD TO EXPLOITATION
Dr. Andy Wu
BCIS 4630 Fundamentals of IT Security

2 Overview
Network Scanning
–Host discovery
–OS fingerprinting
–Service discovery
Network mapping/Host discovery
–DNS zone transfer
Enumeration
–Null session
–User account info

3 Hacking Process

4 Early Stages of Hacking
In this lab, we’ll introduce a few tools that are used in the early stages of hacking. The aims are to:
–Obtain some ideas about a network’s topology;
–Locate potential targets;
–Find out what OSes and services are running;
–Look up user accounts, lock-out threshold, password policies;
–Etc.
These pave the road for the next stage: attacking targets.

5 Reconnaissance
–The act of locating targets and developing the methods necessary to attack those targets successfully.
–May be extremely flexible and creative.
Reconnaissance is not by definition illegal.
–Many reconnaissance techniques are completely legal.

6 Footprinting
The act of uncovering and collecting as much information as possible about a target network.
–Domain name
–IP address blocks
–Organization websites
–Company directory
–Background info
–News articles
–Press releases
–Etc.

7 Information Gathering
Search for the company’s information in major search engines, e.g., Google, Google Maps, Bing.
Use web data extractors, e.g., webextractor.com.
Website scraping, e.g., binarypool.com.
People search websites, e.g., pipl.com.
Social media sites.
Reports filed with the SEC.

8 Website Copier
Tools are available to copy an entire website for later analysis, e.g.,
–httrack.com
–surfoffline.com
–pagenest.com
–keepni.com
Archive.org provides archived versions of websites.

9 Social Engineering
Social engineering works, for the most part, because people have the innate tendency to help and to avoid confrontation.
The success or failure of social engineering depends on the ability of hackers to manipulate human psychology, contacts, and physical workstations.

10 Dumpster Diving
Dumpster diving is often the mother lode of sensitive information as well as actual hardware and software.
Hackers look specifically for sales receipts and paperwork that contain personal data or credit card information.
–Shredded documents can lead to data leaks.
–Drafts of letters are routinely left whole in the trash.
–Company directory sheets, catalog lists, unused or misprinted labels, and policy manuals.

11 WHOIS Lookup
WHOIS databases contain personal information of domain owners. They are maintained by regional Internet registries:
–AfriNIC (Africa)
–ARIN (America)
–APNIC (Asia Pacific)
–LACNIC (Latin America)
–RIPE NCC (Europe)
tools.whois.net

12 DNS Records
The Domain Name Service database of a network contains important information about the network hosts, e.g.,
–A – Host
–MX – Mail server
–NS – Name server
–CNAME – Canonical names (aliases)
–SOA – Authority of domain

13 DNS-Based Reconnaissance
DNS Lookup
–Tools help Internet users discover the DNS names of target computers.
–There are Web sites that provide DNS lookup tools.
DNS Zone Transfer
–Zone transfer is a DNS feature that lets a DNS server update its database with the list in another DNS server.
–An incorrectly configured DNS server may allow any Internet user to perform a zone transfer.
–nslookup

14 Network Reconnaissance
Network scanning is a technique that discovers live hosts in the network. Port scanning allows you to find:
–IP addresses and open ports of live hosts
–Operating systems and system architecture
–Services running on hosts

15 Host Discovery
ping
–Helps to verify whether a host is active.
–Command is available for all platforms.
–Part of ICMP and uses echo request and echo reply messages.
ping sweep
–Is used to determine the live hosts in a range of IP addresses by sending ICMP echo requests to multiple hosts.

16 Host Discovery
traceroute (tracert on Windows)
–A packet from a host makes numerous “hops” before it reaches the destination.
–Command can track all of the intermediate nodes.
–Uses the TTL field in the header to work.
Nmap (Zenmap)
–Zenmap is the GUI front end for nmap.
–Use the nmap host discovery switch to scan for live hosts.

17 Nmap
www.insecure.org
A versatile tool whose functionalities include:
–Host discovery
–OS fingerprinting
–Service discovery

18 Fyodor

19 Nmap Switches
Basic syntax: nmap [port range] [switch(es)]
Nmap switches are case-sensitive!
By default, if no other switches are given, Nmap performs host discovery and then performs a SYN port scan.

20 Nmap Host Discovery
To obtain a quick list of live hosts on the network without scanning for open ports on each, use the –sP (ping scan) switch. The syntax is:
nmap –sP <network ID>/mask
–Replace <network ID> with the real network ID. It may be in the FQDN or resolved IP format.
–Use the CIDR notation for the mask.

21 Banner Grabbing
Banner grabbing uses Telnet to connect to a port on the remote target and observes the response coming back from it.
Different protocols (services) have distinctive responses that can be used to verify the existence of those services on the target.
–An attacker may be fooled by a honeypot or port emulator.
The response may contain OS or service information that can be used to determine the OS running on the target.
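The mechanics of a banner grab, as an added example that is not part of the slides: the script stands up a throwaway listener on 127.0.0.1 that sends a constructed banner, connects to it the way the telnet step on this slide does, and then classifies what came back. The local server, the sample banners and the classification rules are all constructed for the example; the classifier is a heuristic, which is exactly why a honeypot or port emulator can fool it.

```python
"""Added example, not from the slides: a minimal banner grab against a throwaway
local service, plus a classifier that shows what a banner gives away.

Everything here (the local server, the sample banners, the classification rules)
is constructed for the example; there is no remote target.
"""
import socket
import threading


def serve_banner_once(banner: bytes) -> int:
    """Start a local TCP listener that sends `banner` to the first client and exits.
    Returns the port it listens on (chosen by the OS)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, say nothing, and return whatever the service volunteers.
    An empty string means the service waits for the client to speak first
    (HTTP does), so silence is not proof that nothing is listening."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("ascii", errors="replace")


def classify_banner(banner: str):
    """Guess (service, version_detail) from a banner. The rules are illustrative
    heuristics; a honeypot or port emulator can return any of these strings,
    so the result is a hint, not a verified fact."""
    text = banner.strip()
    if not text:
        return None
    first = text.splitlines()[0]
    if first.startswith("SSH-"):
        # "SSH-2.0-OpenSSH_8.9p1 ..." -> everything after the protocol version
        parts = first.split("-", 2)
        return ("ssh", parts[2] if len(parts) == 3 else "")
    if first.startswith("220"):
        # Both FTP and SMTP greet with 220; FTP servers usually say so.
        detail = first[3:].lstrip(" -")
        return ("ftp" if "ftp" in detail.lower() else "smtp", detail)
    if first.startswith("HTTP/"):
        for line in text.splitlines()[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "server":
                return ("http", value.strip())
        return ("http", "")
    return ("unknown", first)


if __name__ == "__main__":
    port = serve_banner_once(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")  # constructed banner
    banner = grab_banner("127.0.0.1", port)
    print(repr(banner), classify_banner(banner))
```

The empty-banner branch is the caveat worth remembering: protocols such as HTTP wait for the client to send a request first, so an attacker who only listens learns nothing, and a defender who trims the version string out of a banner removes most of what this step yields.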

22 “Self-Scanner”
netstat
–Allows all the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and IP connections on a computer to be viewed.
–Also helps to locate:
 IP address of computers
 IP addresses of the hosts connected to the computers
 Port of the host to which a computer is connected

23 OS Fingerprinting
OS fingerprinting is the method to determine the operating system running on a remote target system.
Passive OS fingerprinting uses sniffers to capture packets and analyze them for OS information.
–For example, Windows and Linux systems pad the ping packets differently. By looking in the data portion for the padding characters, the attacker can guess the type of OS.

24 OS Fingerprinting
Active OS fingerprinting sends specially crafted packets to the remote target and analyzes the responses. The responses are then compared with a fingerprint database to determine the OS running on the remote machine.
Use the OS fingerprinting switch in Nmap to perform OS fingerprinting.

25 Nmap OS Fingerprinting
Nmap may be used to fingerprint the OS running on the target. The switch is –O.

26 Service Discovery
Each network service is allocated a well-known port number. If the service is running on the server, the port must be open. The reverse is true too – if a port is found open on the server, the attacker can deduce that the server is running the service.
The same goes for many registered ports that are related to common applications, e.g., port 3306 for MySQL.

27 Service Discovery
The attacker then will look up whether there are known vulnerabilities in the service. Chances are, some vulnerabilities have been found and reported, and oftentimes tools have been created to take advantage of those vulnerabilities. If the attacker runs those tools, he/she has a good chance of compromising the target.
Service discovery is a critical step in the hacking process.

28 Nmap Switches
-sS SYN scan (default)
-sT Connect scan
-sN Null scan
-sX Xmas scan
-O OS fingerprinting
-sP Host discovery
-p Port range
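What the ping sweep of slide 15 and the default SYN port scan of slide 28 look like from the other side, as an added example that is not part of the slides: detection logic run over constructed firewall log lines. The key=value log format is made up for this example (it is not any vendor's export format), the sample addresses are documentation ranges, and the thresholds and time window are parameters a real deployment would tune.

```python
"""Added example, not from the slides: detection logic for the two recon
patterns the slides describe (a ping sweep, slide 15, and a port scan with
nmap's default SYN scan, slide 28) run over constructed firewall log lines.

The key=value log format is made up for this example and is not a specific
vendor's export format; thresholds and the time window are parameters.
"""
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; ts and dport become ints."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = int(fields["ts"])
    if "dport" in fields:
        fields["dport"] = int(fields["dport"])
    return fields


def _distinct_within_window(events, window: int, threshold: int) -> bool:
    """events: iterable of (ts, key). True if any span of `window` seconds
    contains at least `threshold` distinct keys (sliding window, two pointers)."""
    events = sorted(events)
    active = Counter()
    left = 0
    for ts, key in events:
        active[key] += 1
        # drop events that fell out of the window ending at `ts`
        while events[left][0] < ts - window:
            old = events[left][1]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            left += 1
        if len(active) >= threshold:
            return True
    return False


def detect_recon(lines, window=60, sweep_threshold=10, scan_threshold=15):
    """Return sorted findings: ('ping_sweep', src) when one source sends ICMP
    echo requests (type 8) to many distinct hosts, ('syn_scan', src, dst) when
    one source sends bare SYNs to many distinct ports on one host."""
    icmp = defaultdict(list)   # src -> [(ts, dst)]
    syn = defaultdict(list)    # (src, dst) -> [(ts, dport)]
    for line in lines:
        f = parse_line(line)
        if f.get("proto") == "icmp" and f.get("type") == "8":
            icmp[f["src"]].append((f["ts"], f["dst"]))
        elif f.get("proto") == "tcp" and f.get("flags") == "S":
            syn[(f["src"], f["dst"])].append((f["ts"], f["dport"]))
    findings = []
    for src, events in icmp.items():
        if _distinct_within_window(events, window, sweep_threshold):
            findings.append(("ping_sweep", src))
    for (src, dst), events in syn.items():
        if _distinct_within_window(events, window, scan_threshold):
            findings.append(("syn_scan", src, dst))
    return sorted(findings)


def build_sample_log():
    """Constructed log: 198.51.100.7 pings 192.0.2.1-20 within 20 s (a sweep),
    203.0.113.9 sends SYNs to ports 1-30 on 192.0.2.50 within 30 s (a scan),
    and 192.0.2.77 opens two ordinary connections."""
    lines = [f"ts={1700000000 + i} proto=icmp type=8 src=198.51.100.7 dst=192.0.2.{i}"
             for i in range(1, 21)]
    lines += [f"ts={1700000100 + p} proto=tcp flags=S src=203.0.113.9 dst=192.0.2.50 dport={p}"
              for p in range(1, 31)]
    lines += [
        "ts=1700000200 proto=tcp flags=S src=192.0.2.77 dst=192.0.2.50 dport=443",
        "ts=1700000201 proto=icmp type=8 src=192.0.2.77 dst=192.0.2.50",
        "ts=1700000202 proto=tcp flags=S src=192.0.2.77 dst=192.0.2.50 dport=22",
    ]
    return lines


if __name__ == "__main__":
    for finding in detect_recon(build_sample_log()):
        print(finding)
```

The window matters more than the threshold: the same sample with `window=5` produces no findings at all, which is the trade-off a slow scan exploits and the reason a detector should also keep longer-term per-source counts.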

29 In Summary
Port scanning allows you to find:
–IP addresses and open ports of live hosts
–Operating systems and system architecture
–Services running on hosts

30 DNS
DNS Lookup
–Tools help Internet users discover the DNS names of target computers.
–There are Web sites that provide DNS lookup tools.
DNS Zone Transfer
–Zone transfer is a DNS feature that lets a DNS server update its database with the list in another DNS server.
–An incorrectly configured DNS server may allow any Internet user to perform a zone transfer.

31 NSLookup
If a DNS server is misconfigured, it’s easy to extract important host information stored in the DNS database. You don’t even need a separate tool.
NSLookup (name server lookup) is a Windows native tool for resolving FQDNs to IP addresses.
To perform a zone transfer from a DNS server, just run nslookup interactively and issue the ls command.

32 Regular Name Resolution
To look up the IP address of an FQDN, the command is: nslookup <FQDN>

33 DNS Zone Transfer with NSLookup
To perform a zone transfer, first enter just the command nslookup (without the FQDN argument).
Then enter the server command followed by the IP address of the DNS server.
Finally, enter the listing command: ls –d <domain>

34 DNS Records
The Domain Name Service database of a network contains important information about the network hosts, e.g.,
–A: Host
–MX: Mail server
–NS: Name server
–CNAME: Canonical names (aliases)
–SOA: Start of Authority of domain
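The record types listed on slides 12 and 34 and the zone transfer of slides 13 and 30-33 come together in the listing an `ls -d` returns. As an added example that is not part of the slides, the script below parses such a listing and summarizes what it exposes. The listing text is constructed; it approximates nslookup's whitespace-separated name/type/data layout rather than reproducing any real zone, and the zone name `example.com` is a placeholder.

```python
"""Added example, not from the slides: a parser for the host listing an
nslookup 'ls -d' zone transfer returns (slides 12-13 and 30-34), with a summary
that shows what such a listing exposes.

The listing text is constructed for this example; it approximates nslookup's
'name TYPE data' layout rather than reproducing any real zone.
"""
import ipaddress
from collections import Counter

# Constructed sample: what a misconfigured server would hand to anyone asking.
SAMPLE_LISTING = """\
[[ns1.example.com]]
 example.com.                   SOA    ns1.example.com hostmaster.example.com. (2024010101 3600 900 604800 86400)
 example.com.                   NS     ns1.example.com
 example.com.                   NS     ns2.example.com
 example.com.                   MX     10 mail.example.com
 ns1                            A      192.0.2.53
 mail                           A      192.0.2.25
 www                            A      192.0.2.10
 intranet                       A      10.0.0.15
 vpn-gw                         A      172.16.5.1
 ftp                            CNAME  www.example.com
"""

# RFC 1918 ranges spelled out; ipaddress.is_private also counts documentation
# ranges such as 192.0.2.0/24 as private, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_listing(text: str, zone: str = "example.com"):
    """Return a list of (fqdn, type, data) from a listing. A name ending in '.'
    is already absolute; anything else is relative to `zone`."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[["):   # server header line
            continue
        name, rtype, data = line.split(None, 2)
        fqdn = name.rstrip(".") if name.endswith(".") else f"{name}.{zone}"
        records.append((fqdn, rtype.upper(), data))
    return records


def summarize(records):
    """Count record types and single out A records that point at RFC 1918
    addresses: internal addressing that a zone transfer should never reveal."""
    by_type = Counter(rtype for _, rtype, _ in records)
    hosts = sorted(fqdn for fqdn, rtype, _ in records if rtype == "A")
    private = sorted(fqdn for fqdn, rtype, data in records
                     if rtype == "A" and is_rfc1918(data))
    return {"by_type": dict(by_type), "hosts": hosts, "private_hosts": private}


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(summarize(recs))
```

The `private_hosts` entry is the point for a defender: a zone that mixes internal and external names hands an anonymous requester a map of the inside, so restricting transfers to the secondary servers' addresses (and splitting internal names into a separate zone) removes most of what this step yields.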

35 Enumeration
The process of finding user and group accounts, machine names, network shares, services, audit settings, etc. on a system.
Scanning tells us what hosts are “live” and running what services. With enumeration the attacker tries to find out what accounts or resources may be worth exploiting or may be abused for attacking those hosts.

36 Typical Things to Enumerate
User accounts
Groups
–Names
–Members
Access settings
–Logon hours
–Logon workstation restrictions
Audit settings
Service banners

37 Null Session
A null session allows one to connect to the IPC (interprocess communication) share on a Windows machine without a username and password.
The IPC share is a “hidden share” – you don’t see the share when you explore shared resources on a computer in Windows Explorer. Hidden shares are denoted by a $ sign at the end of the share name. Windows automatically shares each partition as a hidden share – C$, D$, etc. There are other hidden shares, including IPC$.

38 Null Session
Establishing a null session is necessary for many enumeration tools to work. The syntax is
net use \\<target>\IPC$ "" /u:""
or
net use \\<target>\IPC$ "" /user:""
–Replace the <target> part with the real host name or IP address of the target.
–Everything else in the command must be typed exactly as shown above.
–Notice there is no space between the double quotes.
–There is no space between the / and the u.
–There is no space between the colon and double quote.

39 Null Session
Anonymous access to IPC$ has been made more and more difficult with every upgrade in Windows versions. A domain controller may ironically have less restricted access to IPC$ because it needs to provide services to hosts in the network.
The access level is set by the registry key: HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
(0 – None; 1 – Does not allow enumeration of SAM accounts and names; 2 – No access).

40 Establishing a Null Session

41 User Accounts
To obtain user account information on a remote target, a variety of tools may be used:
–SuperScan
–Enum
–User2Sid
–UserInfo
–Winfingerprint
–Etc.

42 Enum
This tool can retrieve a host of info about user accounts, groups, policies, etc. The syntax is:
enum <target>
–Replace <target> with the real host name or IP address of the target machine. You don’t have to precede it with double back slashes.
–Some useful Enum switches:
-P password policy information
-U user accounts
-G groups and membership

43 Security Identifier (SID)
Internally, Windows OSes keep track of user and group accounts using their unique SIDs, not names.
SIDs are never reused. You may delete a user account and later create a new one with the exact same username; but the two accounts will have two different SIDs.
An administrator account’s SID ends with 500 (the info in the FYI box on p. 167 is wrong!).

44 Security Identifier (SID)
Some sources recommend that the built-in administrator account be renamed and a bogus administrator account be set up. Also, the guest account should be disabled and/or renamed.
These measures are only effective against less knowledgeable attackers. Tools such as user2sid can easily reveal the true SID of accounts.
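Why renaming does not hide the built-in Administrator, as an added example that is not part of the slides: the script parses SIDs into their parts and audits a constructed account list the way slides 43-44 describe, flagging the account whose RID is 500 whatever it is called and the decoy that carries the name without the RID. The account names and the domain SID are made up; the S-1-authority-subauthorities layout and the well-known RIDs 500 (Administrator) and 501 (Guest) are standard Windows facts.

```python
"""Added example, not from the slides: parse Windows SIDs and audit a
constructed account list the way slides 43-44 describe, identifying the
built-in Administrator by its RID of 500 regardless of what it has been renamed to.

The account list is made up; the SID layout (S-1-<authority>-<subauthorities>)
and the well-known RIDs 500/501 are standard Windows facts.
"""
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> dict:
    """Split 'S-1-5-21-a-b-c-RID' into identifier authority, sub-authorities and RID.
    Raises ValueError on anything that is not a well-formed SID string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return {"authority": int(m.group(1)), "subauthorities": subs, "rid": subs[-1]}


def is_builtin_admin(sid: str) -> bool:
    """True for the real built-in Administrator: NT authority (5), a domain or
    machine SID (first sub-authority 21) and RID 500, whatever the account name."""
    p = parse_sid(sid)
    return p["authority"] == 5 and p["subauthorities"][0] == 21 and p["rid"] == 500


def audit_accounts(accounts):
    """accounts: iterable of (name, sid). Return (name, note) pairs for accounts
    whose name and RID disagree, i.e. the cases renaming and decoy accounts create."""
    findings = []
    for name, sid in accounts:
        rid = parse_sid(sid)["rid"]
        if is_builtin_admin(sid) and name.lower() != "administrator":
            findings.append((name, "built-in Administrator (RID 500) renamed; still identifiable"))
        elif name.lower() == "administrator" and rid != 500:
            findings.append((name, f"decoy: named Administrator but RID {rid}"))
        elif rid == 501 and name.lower() != "guest":
            findings.append((name, "built-in Guest (RID 501) renamed"))
    return findings


# Constructed account list for one fictitious domain SID.
SAMPLE_ACCOUNTS = [
    ("svc_backup",    "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("Administrator", "S-1-5-21-1111111111-2222222222-3333333333-1005"),
    ("visitor",       "S-1-5-21-1111111111-2222222222-3333333333-501"),
    ("alice",         "S-1-5-21-1111111111-2222222222-3333333333-1001"),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(finding)
```

Run against an export of your own accounts, the same check tells you whether a rename is the only control standing between an anonymous enumerator and the real administrator account; the slide's point is that it is not a control at all once SIDs are visible.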

45 User2Sid
This tool can find the SID of a user account on a remote computer. The syntax is:
user2sid <target> <username>
–Replace <target> with the real host name or IP address of the target machine. You don’t have to precede it with double back slashes.
–Replace <username> with the real target username.

46 UserInfo
This tool displays some useful information about a user account. The syntax is:
userInfo <target> <username>
–Replace <target> with the real host name or IP address of the target machine. You don’t have to precede it with double back slashes.
–Replace <username> with the real target username.

47 WinFingerprint

