Description: Topics covered in this lecture include:
Steps of an attack
Information gathering
(this topic)
Exploitation
Post-exploitation
Information gathering
Querying services to see what other information can be gained, such as active usernames
Passive and active techniques
Active information gathering:
Steps of information gathering
Footprinting
Scanning
Enumeration
A list of the IP addresses of the systems that are part of the organisation’s network
IP addresses that are exposed to the Internet
Domain Name System (DNS)
Resolves names (such as leedsbeckett.ac.uk) to IP addresses (such as 160.9.244.58)
DNS is a hierarchical database, data is stored in a tree
Recommended reading: http://en.wikibooks.org/wiki/Computer...
William Shakespeare, Romeo and Juliet
Domain Name System (DNS)
Like using a phone book to look up the number to call in order to contact a person
It's easier for humans to remember names than numbers
Commands
dig
nslookup
host
Reverse lookup
Discuss: when might this be helpful for a security professional?
DNS record types
DNS zone transfer
A secondary name server sends an AXFR-type request, which triggers a zone transfer
Can be a security misconfiguration
Whois
Domain names are registered through a registrar
Contact details are provided, including address, phone number, and email address
All these details can be accessed via Whois
Whois is a protocol, a program, and a directory
Regional internet registries
Regional Internet Registries (RIR) are responsible for data for corresponding regions
Whois
Whois program
Whois on an IP address
Another example:
IP range
Contact details
Subdomains
Typically each has a different IP address
Brute-forcing subdomains involves guessing at likely subdomains
Can reveal systems to attack
Tools exist to automate this process:
For example, Dnsmap
Tools for pen-testing that try a number of DNS queries:
Fierce, Dnsenum, Dnsrecon
Scanning
Scanning is an active phase of an attack or security test
To identify IP addresses, ports, and services
For a network administrator this helps to keep track of the state of the network
For an attack it helps assess and plan attacks
Scanning
Once an attacker knows
An IP address
With an open port
And what version of software it has
They can look for information about any known vulnerabilities in that software
Look for exploits that may work
Or go on to test for unknown vulnerabilities
NMap
(by Insecure.Com LLC, licensed under the Creative Commons Attribution License version 3.0)
Ping sweep
Nmap host discovery
If there are no routers involved, and you run nmap as root:
Also shows the MAC address (typically unique to NIC)
The first three octets of the MAC address usually specify the manufacturer
Looking for open ports
The next stage for an attacker or security tester is to examine the attack surface
What is there that could be attacked on each of those systems?
Important port numbers
Certain ports are used for common purposes
FTP: ports 20 and 21
SSH: port 22
Telnet: port 23
SMTP: port 25
DNS: port 53
TFTP: port 69
HTTP: port 80
POP3: port 110
SFTP: port 115
HTTPS: port 443
Client/server
A web server listens on port 80
A client connects to remote port 80 on the server
Then the client and server start a conversation
Client will ask for a webpage
The server responds with one
Port scan
A port scan involves connecting to each of the 65535 possible ports
If the connection succeeds, the port is open
Otherwise it is closed (or filtered by a firewall)
TCP three way handshake
The initial connection involves a three way handshake
SYN port scan
A SYN scan skips the third step
If we get a SYN/ACK we can stop, since this already tells us that the port is open
This requires root access, because the scanner writes raw packets to the network directly (rather than using the operating system's socket library)
Nmap port scan
Lots of options (man nmap)
The need for service identification
Knowing a port is open tells us there is something there
It is helpful to know what
For example, port 80 is open:
Is it IIS, Apache, …?
What version?
Banner grabbing
One way to find out, is to connect to the port and look at what it responds with:
Service identification
Amap
Nmap -sV
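A minimal banner grabber and service identifier in the spirit of the banner-grabbing and service-identification slides above, added here as an example; it is not code from the lecture, Nmap or Amap. It assumes the constructed sample banners embedded below (not captured from any real host), and the `identify`, `grab_banner` and `inventory` helpers are hypothetical names chosen for this example.

```python
import re
import socket

# Constructed sample banners for offline use (not captured from any real host).
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    25: "220 mail.example.com ESMTP Postfix (Debian/GNU)\r\n",
    21: "220 (vsFTPd 3.0.3)\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n",
    8080: "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
}

# Ordered (service, regex) pairs; the first match wins. Named groups carry product/version.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_ ]?(?P<version>[\w.]+)")),
    ("smtp", re.compile(r"^220 .*?ESMTP (?P<product>\w+)")),
    ("ftp", re.compile(r"^220 \(?(?P<product>vsFTPd|ProFTPD|Pure-FTPd)[ _]?(?P<version>[\d.]+)?")),
    ("http", re.compile(r"^HTTP/[\d.]+ \d{3}.*?\r?\nServer: (?P<product>[^/\r\n]+)(?:/(?P<version>\S+))?", re.S)),
    ("http", re.compile(r"^HTTP/[\d.]+ \d{3}")),  # HTTP reply with no Server header at all
]

def identify(banner: str) -> dict:
    """Map a raw banner to {service, product, version}; a field is None when the banner omits it."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            groups = m.groupdict()
            return {"service": service, "product": groups.get("product"), "version": groups.get("version")}
    return {"service": "unknown", "product": None, "version": None}

def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port and return what the service says first (HTTP needs a request to reply)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port in (80, 8080, 8000):
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return sock.recv(1024).decode("utf-8", errors="replace")
        except socket.timeout:
            return ""

def inventory(banners: dict) -> dict:
    """Build the port -> identification table an administrator keeps to track the network's state."""
    return {port: identify(banner) for port, banner in banners.items()}

if __name__ == "__main__":
    for port, info in inventory(SAMPLE_BANNERS).items():
        print(f"{port:>5}/tcp  {info['service']:<8} {info['product'] or '?'} {info['version'] or ''}")
```

Unlike Nmap -sV, which also sends protocol-specific probes to services that stay silent, this only reads what a service volunteers, so a port that says nothing stays "unknown".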
OS identification
Knowing what OS is running is important to an attacker
So they can know which exploits and payloads will work
Scanning the ENTIRE (IPv4) Internet
Zmap: The Internet Scanner
Complete scan of IPv4 in under 45 minutes
Does not track connections
Used on a single destination port (such as 80)
SYN scan
Can be combined with a banner grabber
For More Information Please Visit:- http://z.cliffe.schreuders.org/