Network Reconnaissance

Academic year: 2020

What is?

Military reconnaissance: a mission conducted to confirm or deny prior intelligence (if any) about an enemy threat and/or the terrain of a given area.

Network reconnaissance

Why?

Hackers use reconnaissance as the first step in an effective attack.

Seeing what is on the "other side of the hill" is crucial to decide what type of attack to launch.

Generally, the goals of reconnaissance on a target network are to discover:

■ IP addresses of hosts

Footprinting/Fingerprinting steps

Information Gathering
■ accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment

Locate the network
■ What addresses can be targeted and are available for additional scanning and analysis

Identify active machines
■ Which machines are actively connected to the network and reachable

Open ports and underlying applications
■ Which ports and applications are accessible

OS Fingerprinting
■ Identifying the targeted OSs as well as the systems' responses

Network mapping

Information Gathering

Get data regarding the network environment such as

■ Organization web site, location, contact person, phone number

Common Tools

■ Registrar query: whois
■ Domain name and resource lookup

Locate the network range

What range of IP addresses is available for scanning and further enumeration?

Tool: WHOIS Search

■ WhoIs – Query of Internet Registries
■ Ref: http://www.arin.net/community/rirs.html
■ AfriNIC – Africa
■ APNIC – Asia/Pacific
■ ARIN – North America
■ LACNIC – Central and South America
■ RIPE NCC – Europe, Middle East, Central Asia
■ InterNIC – ICANN Public Domain Name Registration Info
■ 3rd Party Whois Tools
■ Geektools – http://www.geektools.com/whois.php
■ DomainTools – http://www.domaintools.com/

Tool: Google

Google, Yahoo, Live.com, etc.

Gather information about a targeted organization

Evaluate web sites for known security issues

Identify files that are accidentally exposed to

Tool: Google search

Helpful Google Queries

Related sites:
related:www.someaddr.com

Search a specific site:
site:www.someaddr.com search_terms

Tool: Google operators

Google Advanced Operators

AND: “+”
OR: “|”
Synonym: “~”

site:www.jeffersonwells.com inurl:robots.txt
link:www.jeffersonwells.com intitle:“jefferson wells”

Tool: NSLOOKUP

■ Queries Domain Name Server information
■ IP and Domain Name Mapping
■ Zone Transfer – Dumps entire table

Tool: NSLOOKUP

Zone Transfer – Dumps entire table

$ nslookup
> server A.B.C.D

Tool: NSLOOKUP

MX record

$ nslookup
> set type=MX

Network Identifier Tools

Identifying active computers and services

Common Tools

ping, ping6
■ help verify whether a host is active

traceroute, traceroute6

Tool: ping

ping [hostname|ip_address]

ping6 [hostname|ip_address]

Tool: traceroute

■ tracert – Windows
■ traceroute

Tool: How traceroute works

1. Launch a probe packet towards DST, with a TTL of 1
2. Every router hop decrements the IP TTL of the packet by 1
3. When the TTL hits 0, the packet is dropped and the router sends an ICMP TTL Exceeded packet to SRC with the original probe packet as payload
4. SRC receives this ICMP message and displays a traceroute “hop”
5. Repeat from step 1, with the TTL incremented by 1 each time, until..

Tool: Traceroute Report Hop

■ A traceroute packet with a TTL of 1 enters the router via the ingress interface.
■ The router decrements the TTL to 0, drops the packet, and generates an ICMP TTL Exceeded
■ The ICMP packet's dst address is set to the original traceroute probe source (SRC)
■ The ICMP packet's src address is set to the IP of the ingress router interface

Traceroute shows a result based on the src address of the ICMP packet. The above traceroute will read: 172.16.2.1 10.3.2.2

Tool: Traceroute Latency Calculation

How is traceroute latency calculated?

■ Timestamp when the probe packet is launched
■ Timestamp when the ICMP response is received
■ Calculate the difference to determine the round-trip time
■ Routers along the path do not do any time “processing”
■ They simply reflect the original packet’s data back to the SRC
■ Many implementations encode the original launch timestamp into the probe packet, to increase accuracy and reduce state

Most importantly: only the ROUNDTRIP is measured

Traceroute is showing you the hops on the forward path, but showing you latency based on the forward PLUS reverse path. Any delays on
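A model of the probe/TTL/ICMP exchange described in the three traceroute slides above (how traceroute works, the report hop, and the latency calculation), added here as an example; it is not part of the lecture. The topology, the SRC/DST addresses and the per-hop delays are constructed; the two router addresses reuse the ones the report-hop slide quotes, and the slow reverse path from the second router is there to show why a hop can report more latency than the destination behind it.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    addr: str          # router: ingress interface address (becomes the ICMP src)
    fwd_ms: float      # constructed one-way delay from the previous hop
    rev_ms: float      # constructed one-way delay of this hop's reply back to SRC
    is_dst: bool = False


# Constructed path: SRC -> R1 -> R2 -> DST. R2's reverse path is deliberately slow.
PATH = [Hop("172.16.2.1", 1.0, 1.0),
        Hop("10.3.2.2", 2.0, 20.0),
        Hop("10.3.3.9", 3.0, 3.0, is_dst=True)]


def send_probe(ttl: int, path: list[Hop]) -> tuple[str, str, float]:
    """Forward one probe with the given TTL (step 1).

    Returns (reply_src, kind, rtt_ms). Every router decrements the TTL
    (step 2); when it reaches 0 the router drops the probe and answers with
    ICMP TTL Exceeded from its ingress interface (step 3, report-hop slide).
    A host does not decrement the TTL, so the destination answers as soon as
    the probe arrives. The RTT is the forward delay to the replying hop plus
    the reverse delay of its reply: only the round trip is measured.
    """
    elapsed = 0.0
    for hop in path:
        elapsed += hop.fwd_ms
        if hop.is_dst:
            return hop.addr, "reached", elapsed + hop.rev_ms
        ttl -= 1
        if ttl == 0:
            return hop.addr, "ttl-exceeded", elapsed + hop.rev_ms
    raise ValueError("path has no destination hop")


def traceroute(path: list[Hop], max_hops: int = 30) -> list[tuple[str, float]]:
    """Steps 4-5: record each reply as a hop and raise the TTL until DST answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply_src, kind, rtt = send_probe(ttl, path)
        hops.append((reply_src, rtt))
        if kind == "reached":
            break
    return hops


if __name__ == "__main__":
    for n, (addr, rtt) in enumerate(traceroute(PATH), start=1):
        print(f"{n:2d}  {addr:<12} {rtt:.1f} ms")
```

Hop 2 reports 23 ms while the destination behind it reports 9 ms: the forward path is fine, the extra time is entirely on R2's reverse path, which traceroute cannot separate from the forward delay.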

Tool: Interpreting traceroute DNS

Interpreting DNS is one of the most important aspects of correctly using traceroute

Information you can uncover includes:

■ Physical Router Locations
■ Interface Types and Capacities
■ Router Type and Roles

Tool: Traceroute Reading Tips

■ A router’s name may include an Exchange Point
■ MAE, NAP, PAIX
■ Router names may include the IATA 3-letter code of the nearest airport or a CLLI code in their node name
■ Other abbreviations
■ http://www.sarangworld.com/TRACEROUTE/showdb-2.php3

Tool: Router Type/Role

■ Knowing the role of a router can be useful
■ But every network is different, and uses different naming conventions
■ May not always follow naming rules
■ Generally speaking, you may need to guess from the context to get a basic understanding of the roles
■ Core routers – CR, Core, GBR, BB

Tool: DNS Interface type

■ Most networks will try to put interface info into DNS
■ Though this may not always be up to date
■ Many large networks use automatically generated DNS
■ As well as capacity, and maybe even the make/model of the router
■ Examples:
■ xe-11-1-0.edge1.Washington1.Level2.net
■ XE-#/#/# is a Juniper 10GE port. The device has at least 12 slots
■ It’s at least a 40G/slot router since it has a 10GE PIC in slot 1
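A small parser for the kind of router hostnames the reading-tips, router-role and interface-type slides describe, added here as an example (not part of the lecture). The role abbreviations, the exchange-point names and the xe- prefix come from the slides; the airport-code table, the ge- prefix, the "edge" role and the second hostname are assumptions constructed for the example.

```python
import re

# Role abbreviations from the "Router Type/Role" slide; "edge" is inferred from
# the slide's own example hostname (edge1) and is an assumption.
ROLE_HINTS = {"cr": "core", "core": "core", "gbr": "core", "bb": "core",
              "edge": "edge"}
# Exchange points named on the "Traceroute Reading Tips" slide.
EXCHANGE_POINTS = ("mae", "nap", "paix")
# Constructed sample of IATA airport codes; a real table would be much larger.
AIRPORT_IATA = {"iad": "Washington Dulles", "lax": "Los Angeles"}
# Juniper "type-slot/pic/port" written with dashes, as in xe-11-1-0.
IFACE_RE = re.compile(r"^(?P<type>[a-z]+)-(?P<slot>\d+)-(?P<pic>\d+)-(?P<port>\d+)$")
# xe = 10GE is from the slide; ge = 1GE is an assumption added here.
IFACE_SPEED = {"xe": "10GE", "ge": "1GE"}


def interpret(hostname: str) -> dict:
    """Extract interface, role, location and exchange-point hints from a hostname."""
    labels = hostname.lower().split(".")
    info = {"hostname": hostname, "interface": None, "min_slots": None,
            "role": None, "location": None, "exchange_point": None}

    # Leftmost label carries the interface, e.g. xe-11-1-0 -> slot 11, pic 1, port 0.
    m = IFACE_RE.match(labels[0])
    if m:
        slot = int(m.group("slot"))
        info["interface"] = {"type": m.group("type"),
                             "speed": IFACE_SPEED.get(m.group("type"), "unknown"),
                             "slot": slot, "pic": int(m.group("pic")),
                             "port": int(m.group("port"))}
        info["min_slots"] = slot + 1          # slots are numbered from 0

    for label in labels:
        stem = re.sub(r"\d+$", "", label)     # edge1 -> edge, iad2 -> iad
        if info["role"] is None and stem in ROLE_HINTS:
            info["role"] = ROLE_HINTS[stem]
        if info["location"] is None and stem in AIRPORT_IATA:
            info["location"] = AIRPORT_IATA[stem]
        for xp in EXCHANGE_POINTS:            # exchange point may be embedded in a label
            if info["exchange_point"] is None and xp in label:
                info["exchange_point"] = xp.upper()
    return info


if __name__ == "__main__":
    print(interpret("xe-11-1-0.edge1.Washington1.Level2.net"))
    print(interpret("cr1.iad2.example.net"))      # constructed hostname
```

The output only ever yields hints: as the router-role slide says, naming conventions differ per network and are not always followed, so treat each field as a guess to confirm against other evidence.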

Tool: Sample Traceroute

Identifying Active Machines

Attackers will want to know if machines are alive before they attempt to attack. One of the most basic methods of identifying active machines is to perform a sweep

Common Tools

■ ping, traceroute

Finding Open Ports

Open services

Common tools

Port scanning tools

OS Fingerprinting

■ Passive fingerprint
■ Sniffing technique
■ Examine packets for certain characteristics such as
■ The IP TTL value
■ The TCP Window Size
■ The IP DF Option
■ The IP Type of Service (TOS) Option

■ Active fingerprint
■ Injects packets into the network
■ Examines the subtle differences that exist between different vendor implementations of the TCP/IP stack

Mapping the Network

Gained enough information to build a network map

Network mapping provides the hacker with a blueprint of the organization.

May use manual or automated ways to compile this

Summary

Method                           Technique        Common Tools
Information gathering            Passive          Whois, nslookup
Determining network range        Passive          RIPE, LACNIC, APNIC, ARIN
Identify active machines         Active           ping, hping, traceroute, nmap, SuperScan
Finding open ports/applications  Active           nmap, Amap, SuperScan
OS fingerprinting                Active/passive   nmap, Winfingerprint, P0f, Xprobe2, ettercap
