One final piece of information that would be nice to ascertain is the location of the web server. Is it located at the organization’s facility, is it located at a server farm, or is it just a virtual system hosted by a third party? The best way to determine this information is to note what was discovered previously in this chapter and tie that together with a traceroute command. Traceroute determines the path to a domain by incrementing the TTL field of the IP header. When the TTL falls to zero, an Internet Control Message Protocol (ICMP) 0 message is generated. These ICMP messages identify each particular hop on the path to the destination. An example traceroute is shown here:
C:\>tracert www.wiley.com
Tracing route to www.wiley.com [64.143.198.41] over a maximum of 30 hops:
1 <10 ms <10 ms 10 ms PROXY [172.20.1.1]
2 <10 ms <10 ms 66-162-219-65.gen.twtelecom.net [66.162.219.65]
3 10 ms <10 ms 209.163.157.165
4 <10 ms 10 ms core-dlfw.twtelecom.net [66.192.246.77]
5 10 ms 10 ms tran-dlfw.twtelecom.net [168.215.54.74]
6 10 ms 10 ms sl-gw40-fw-4-2.sprintlink.net [160.81.227.105]
7 10 ms 10 ms sl-bb22-fw-4-3.sprintlink.net [144.232.8.249]
8 20 ms 10 ms 144.232.19.214
9 10 ms 10 ms dal-core-01.inet.qwest.net [205.171.25.45]
10 20 ms 10 ms iah-core-02.inet.qwest.net [205.171.8.126]
11 10 ms 10 ms iah-core-01.inet.qwest.net [205.171.31.1]
12 40 ms 40 ms tpa-core-02.inet.qwest.net [205.171.5.105]
13 30 ms 30 ms cntr-02.tpf.qwest.net [205.171.27.78]
14 30 ms 30 ms ms msfc-02.tpf.qwest.net [63.146.176.26]
15 30 ms 40 ms ms www.wiley.com [63.146.189.41]
Trace complete.
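The following Python sketch is an added example, not part of the original text. It parses tracert-style hop lines and reports what a trace of your own site gives away: hops that expose private addresses, the carriers along the path, and the last upstream network before the destination, which hints at where the server is hosted. The sample lines are constructed from the hops in the trace above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, modelled on hops from the trace above.
SAMPLE = """\
1 <10 ms <10 ms 10 ms PROXY [172.20.1.1]
2 <10 ms <10 ms 66-162-219-65.gen.twtelecom.net [66.162.219.65]
3 10 ms <10 ms 209.163.157.165
6 10 ms 10 ms sl-gw40-fw-4-2.sprintlink.net [160.81.227.105]
12 40 ms 40 ms tpa-core-02.inet.qwest.net [205.171.5.105]
13 30 ms 30 ms cntr-02.tpf.qwest.net [205.171.27.78]
15 30 ms 40 ms www.wiley.com [63.146.189.41]
"""

HOP = re.compile(
    r"^\s*(?P<n>\d+)\s+"            # hop number
    r"(?:(?:<?\d+\s+ms|\*)\s+)+"    # RTT samples ("<10 ms") or timeouts ("*")
    r"(?:(?P<host>\S+)\s+\[(?P<ip1>[\d.]+)\]|(?P<ip2>[\d.]+))\s*$"
)

def parse_hops(text):
    """Return (hop, hostname-or-None, ip) for every line that looks like a hop."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            hops.append((int(m["n"]), m["host"], m["ip1"] or m["ip2"]))
    return hops

def network_label(host):
    """Last two DNS labels; a simplification that ignores public-suffix rules."""
    if not host or "." not in host:
        return None
    return ".".join(host.lower().split(".")[-2:])

def summarize(hops):
    """Summarize what the trace reveals about the path and the hosting network."""
    transit, dest = hops[:-1], hops[-1]
    carriers = list(dict.fromkeys(
        label for _, host, _ in transit if (label := network_label(host))))
    return {
        "destination": dest[1] or dest[2],
        # Private-range hops leak internal addressing to anyone reading the trace.
        "private_hops": [n for n, _, ip in hops
                         if ipaddress.ip_address(ip).is_private],
        "carriers": carriers,
        "last_upstream": carriers[-1] if carriers else None,
    }

if __name__ == "__main__":
    print(summarize(parse_hops(SAMPLE)))
```

On the sample, the last upstream network is qwest.net, which suggests the server sits in that provider's facility rather than at the organization's own site.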
Several good GUI-based traceroute tools are available. These tools draw a visual map that displays the path and destination:
NeoTrace— A good GUI traceroute program that maps the path and destination.
VisualRoute— Another good GUI tool that maps the path and destination.
Hping— Another tool that can be used to trace routes behind a firewall. Hping transmits TCP packets to a port on a destination host and observes the results. Hping evaluates returned packets and tracks accepted, rejected, and dropped packets. Using successive probes, Hping can determine if a port is open, if a firewall is present, and if packets are passed through the firewall.
Some useful links to learn more about traceroute include the following:
www.visualroute.com
www.traceroute.org
IN THE LAB
Site location and identification is a risk in that the attacker now knows the location of the server or service. This is something that is hard to completely prevent. To mitigate these risks, you can configure routers and firewalls to provide as little information as possible. In the lab, download a demo version of Neotrace from www.softpedia.com/get/Network-Tools/Traceroute-Whois-Tools/McAfee-NeoTrace-Professional.shtml. After installing it, you can use the tool to trace not only your own organization but others to determine how these tools work and what information they really provide. The exercise at the end of the chapter can give you more guidance. Once you have experimented with a GUI tool like Neotrace, you might also want to try several of the traceroute programs built in to BackTrack.
Summary
Whereas subsequent chapters require more advanced software, this chapter looked at what is possible with little more than an Internet connection and a browser. The idea was to drive home the point that security is not just about firewalls and intrusion detection. Much of security is about information protection and control.
Part of building your own security lab is understanding how information leakage can have disastrous results for an organization. Consider the power an attacker has when he has identified the type of web server an organization has. Consider further the negative potential of an attacker knowing which types of technologies a company uses (perhaps gleaned just from reviewing the organization’s job ads). Even the names, home phone numbers, and addresses of an organization’s employees can represent potential security holes. That’s why before you ever configure your first IDS or scan a network with a vulnerability-analysis tool, you must consider the topics that have been presented in this chapter.
Key Terms
Basic encryption— A simple XOR encoding system.
Cookies— A technology developed to deal with the fact that HTTP is stateless. This makes possible shopping carts, car reservations, and other state-based transactions.
Domain name server— A hierarchy of Internet servers that translate alphanumeric domain names into IP addresses and vice versa.
Dumpster diving— The act of digging through the trash to recover sensitive information.
Edgar database— Maintains a listing of publicly traded U.S. firms.
Forms-based authentication— A means of authentication that utilizes cookies to cache usernames and passwords so that users can move from one web page to another without having to reauthenticate themselves.
Google hacking— The process of using Google to look for unsecure web pages or other incorrectly posted information.
Hidden field— A form field that is invisible to a web site visitor yet can be viewed in the HTML code of the web site.
Internet Assigned Numbers Authority— Authorized to perform coordinating functions of the global Internet.
Message digest authentication— A cryptographic hashing function that works by sending the hash of the original value combined with a nonce value.
Regional Internet Registries— RIRs are regional organizations that are responsible for overseeing the registration and administration of IPv4 and IPv6 addresses.
Site rippers— Software programs that allow the copying of an entire web site for later offsite viewing.
Social engineering— The practice of tricking employees into revealing sensitive data about their computer systems or infrastructures. This type of attack targets people and is the art of human manipulation. Even when systems are physically well protected, social-engineering attacks are possible.
Source code— When discussing web pages, the source code is the comments, tags, instructions, and text used to define the web page.
Traceroute— A program used to identify the path taken by IP packets between source and destination.
WHOIS— An Internet utility that returns registration information about the domain name and IP address.
Wardialing— The process of using a software program to automatically call thousands of telephone numbers to look for anyone who has a modem attached.
Wardriving— The process of driving around a neighborhood or area to identify wireless access points.
Exercises
This section presents several hands-on exercises to help reinforce your knowledge and understanding of this chapter. The author selected the tools and utilities used in these exercises because they are easily obtainable. Our goal is to provide you with real hands-on experience.