330 Introduction to Proactive System Security
Week #3
Footprinting, Scanning, and Enumeration
1
Footprinting, Scanning, and Enumeration
Topics
• Review Quiz #1
• Class Tools (VB, BT5r3 & MS2)
• Footprinting
• Port Scanning
• Enumeration
• Quiz #2
• Assignment #2
2
Class Tools
Creating a local virtual test environment…
Install BT5R3 and MS2 VM on Oracle VirtualBox.
Backtrack 5R3
user: root
password: toor
Metasploitable 2.0
user: msfadmin
password: msfadmin
3
Install VirtualBox
4
Install Metasploitable 2.0
6
Metasploitable 2.0 (MS2)
11
Install Backtrack 5R3
13
Backtrack (BT5R3)
19
Anatomy of an Attack
Perform Reconnaissance
Scan Target Network
Research Vulnerabilities
Perform Attack
Create Backdoor
Enumerate Network
Exfiltrate
Cover Tracks
20
Footprinting
• Reconnaissance
‐ The process of gathering information on a company’s network.
‐ Nonintrusive (passive) profiling vs. active profiling
What kind of information?
‐ Weaknesses in security posture
‐ Remote access capabilities
‐ Domain Names
‐ IP addresses
‐ Networking Protocols / Services
‐ User information, logins, telephones numbers, etc.
From a single URL you can often identify the Web server software and OS a company is using
(banners, response headers) and learn the names of employees (page content, document metadata).
21
Reconnaissance
• http://groups.google.com
Identify corporate email addresses for employees.
22
Reconnaissance
• whois http://www.whois.net/
Gather IP and domain information.
23
Reconnaissance
• Web Data Extractor http://www.rafasoft.com/
Extract contact data, such as email, phone, and fax information, from selected target.
25
Reconnaissance
• FOCA http://www.informatica64/FOCA
Extract metadata from documents on Websites to reveal the document creator’s network logon and email address.
27
Reconnaissance
• SamSpade
Gather IP and domain information.
29
Reconnaissance
• Domain Name System Zone Transfers
Copy every record in a zone (the whole zone file) from an authoritative name server.
‐ DNS uses name servers for resolving hostnames to IP addresses
‐ Zone transfers (AXFR) exist so secondary name servers can replicate the zone; if a
name server answers them for anyone, you get a list of the organization’s hosts
to see / analyze / diagram
‐ Use the “dig” or “host” commands
32
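As an added example (not code from the slides), the zone-transfer workflow above driven from Python: look up the NS records for a domain with dig, ask each name server for an AXFR, and turn the answer into a host inventory. Only zone_transfer() and dig() touch the network; the parsers work on text and are exercised with a constructed dig answer for the made-up zone example.test.

```python
"""Attempt AXFR against every authoritative name server for a domain by
driving the `dig` command, then parse the answer into a host inventory.
The zone, names and addresses in SAMPLE_AXFR are constructed."""
import re
import subprocess

# One dig answer line: NAME  TTL  CLASS  TYPE  RDATA...
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_answer(text):
    """Turn `dig +noall +answer` style output into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # comments / blank lines
            continue
        m = _RR.match(line)
        if m:
            name, _ttl, rtype, rdata = m.groups()
            records.append((name.rstrip(".").lower(), rtype, rdata.strip()))
    return records


def host_inventory(records):
    """Map hostname -> sorted list of IPv4 addresses taken from A records."""
    hosts = {}
    for name, rtype, rdata in records:
        if rtype == "A":
            hosts.setdefault(name, set()).add(rdata)
    return {h: sorted(a) for h, a in hosts.items()}


def transfer_allowed(text):
    """A refused AXFR yields '; Transfer failed.' and no resource records."""
    return "Transfer failed" not in text and len(parse_answer(text)) > 0


def dig(args):
    """Run dig and return its stdout (empty string if dig is missing or hangs)."""
    try:
        return subprocess.run(["dig", "+noall", "+answer"] + args,
                              capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


def zone_transfer(domain):
    """Try AXFR against each NS of `domain`; return {ns: records} for servers that answered."""
    results = {}
    for _name, rtype, rdata in parse_answer(dig([domain, "NS"])):
        if rtype != "NS":
            continue
        ns = rdata.rstrip(".")
        out = dig(["@" + ns, domain, "AXFR"])   # same as: dig @ns domain AXFR
        if transfer_allowed(out):
            results[ns] = parse_answer(out)
    return results


# Constructed sample of a successful AXFR answer (not real data).
SAMPLE_AXFR = """\
example.test.        3600 IN SOA ns1.example.test. admin.example.test. 2013010101 7200 900 1209600 3600
example.test.        3600 IN NS  ns1.example.test.
ns1.example.test.    3600 IN A   192.0.2.53
www.example.test.    3600 IN A   192.0.2.80
www.example.test.    3600 IN A   192.0.2.81
mail.example.test.   3600 IN MX  10 mx.example.test.
mx.example.test.     3600 IN A   192.0.2.25
example.test.        3600 IN SOA ns1.example.test. admin.example.test. 2013010101 7200 900 1209600 3600
"""
REFUSED = "; Transfer failed.\n"

if __name__ == "__main__":
    import sys
    for ns, recs in zone_transfer(sys.argv[1]).items():
        print(ns, host_inventory(recs))
```

A zone that transfers starts and ends with the SOA record; anything in between is the map of the organization's namespace, which is why authoritative servers should restrict AXFR to their secondaries.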
Reconnaissance
• dig (nslookup)
Tool for querying DNS name servers.
33
Reconnaissance
• dig ‐h
34
Reconnaissance
• dig
To determine the primary DNS server, look for the Start of Authority (SOA) record: it names the zone’s primary name server and the responsible contact.
35
Reconnaissance
• dig
Look for any: SOA, NS, MX.
36
Reconnaissance
• dig
Reverse lookup
Specify the name server (@ns)
Request the zone with the AXFR query type
Connection refused; no success.
37
Reconnaissance
• dig
Success!
38
Reconnaissance
• host
Same as dig??
39
Reconnaissance
• host ‐h
40
Reconnaissance
• netcat (nc)
Used for banner grabs…
42
Reconnaissance
• wget
44
Reconnaissance
• Andiparos https://code.google.com/p/andiparos/downloads/list
Capture Web server information and possible vulnerabilities in a Web site’s pages. (Through a Proxy)
46
Reconnaissance
• Web Bugs
Method of gathering information about a person visiting a web site or if an email was read.
‐ Works with cookies
‐ Embedded 1 pixel x 1 pixel image (GIF) file
‐ Invisible (matches web page background)
‐ Referenced in an <IMG> tag
‐ The viewer’s client has to fetch the image from the tracker’s server, and that request is logged:
‐ IP address
‐ Time accessed / viewed
‐ Type of browser (User‐Agent)
‐ Used to verify that an e‐mail address is live and the message was opened
(HTML mail with automatic image loading; a per‐recipient token in the image URL ties the hit to the address)
47
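An added example of the web bug described above, written for this page rather than taken from the slides: a tracking-pixel endpoint that serves a transparent 1x1 GIF and logs the IP, time, User-Agent and the per-recipient token carried in the image URL. The host name and token are hypothetical.

```python
"""Minimal tracking-pixel ("web bug") server. Each fetch of /open.gif is
logged with client address, time, User-Agent and the ?t= token that the
sender put in the mail, which tells them the address is live and the mail
was opened. Hostnames and tokens are made up."""
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# 43-byte transparent 1x1 GIF89a: invisible against any background.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         b"\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00"
         b"\x01\x00\x00\x02\x02\x44\x01\x00\x3b")

HITS = []   # in-memory log; a real tracker would write to a database


def record_hit(path, client_ip, user_agent, when=None):
    """Build the log record for one pixel fetch; None for any other path."""
    url = urlparse(path)
    if url.path != "/open.gif":
        return None
    token = parse_qs(url.query).get("t", [""])[0]
    hit = {
        "token": token,                       # identifies recipient / campaign
        "ip": client_ip,
        "ua": user_agent,
        "time": (when or datetime.now(timezone.utc)).isoformat(),
    }
    HITS.append(hit)
    return hit


def img_tag(base_url, token):
    """The HTML the sender embeds in the message body (1x1, no alt text)."""
    return f'<img src="{base_url}/open.gif?t={token}" width="1" height="1" alt="">'


class PixelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        hit = record_hit(self.path, self.client_address[0],
                         self.headers.get("User-Agent", ""))
        if hit is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "no-store")   # fetch on every open
        self.end_headers()
        self.wfile.write(PIXEL)


if __name__ == "__main__":
    print(img_tag("http://tracker.example.test", "user42"))
    HTTPServer(("127.0.0.1", 8080), PixelHandler).serve_forever()
```

The defence is the mirror image of the attack: mail clients that do not auto-load remote images, or that proxy them, deny the tracker both the confirmation and the viewer's IP address.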
Reconnaissance
• HTTP Methods (RFC‐2616, HTTP/1.1)
Gather content from web servers using HTTP methods.
‐ Hypertext Transfer Protocol (HTTP)
‐ Request / Response protocol between client (web browser) and server (web site).
‐ TCP port 80 (443 for HTTPS)
‐ GET Retrieves the resource
‐ HEAD Retrieves only the response headers for a resource, no body
‐ OPTIONS Lists the methods the server allows for a resource
‐ TRACE Remote loopback of the request message (the server echoes it back)
‐ CONNECT Switch to a tunneled connection, typically TLS/SSL through a proxy
‐ DELETE Request that the origin server delete the identified resource
‐ PUT Request that the enclosed entity be stored at the URL
‐ POST Submits data to the resource
48
Reconnaissance
• GET 192.168.56.101 (MS2)
50
Reconnaissance
• HEAD 192.168.56.101 (MS2)
only the response headers come back (no body); the Server header identifies the Web server
51
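An added example covering both the netcat banner grab and the HTTP HEAD slides above (written for this page; not the slides' own commands): grab_banner() reads whatever a service says first, http_head() sends a HEAD request and returns the status and headers, and fingerprint() picks out the stack-identifying headers. The request builder and header parser are pure functions and are exercised on a constructed response; the header values are illustrative, not a capture.

```python
"""Banner grabbing with plain sockets: read a service greeting, or send an
HTTP HEAD and parse the headers. SAMPLE is a constructed response."""
import socket


def build_head(host, path="/"):
    """HEAD request bytes. HTTP/1.1 needs Host; Connection: close makes the server hang up."""
    return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lower-case header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint(headers):
    """Headers that identify the stack: Server, X-Powered-By, Via (proxies)."""
    return {k: headers[k] for k in ("server", "x-powered-by", "via") if k in headers}


def grab_banner(host, port, timeout=3.0, nbytes=1024):
    """Connect and read the service's greeting; empty bytes = nothing volunteered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(nbytes)          # FTP/SSH/SMTP talk first; HTTP does not
        except socket.timeout:
            return b""


def http_head(host, port=80, path="/", timeout=3.0):
    """Send HEAD and read until the server closes; returns (status, headers)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed response in the shape an Apache/PHP host returns (values illustrative).
SAMPLE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2013 00:00:00 GMT\r\n"
          b"Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
          b"X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
          b"Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.101"
    print(grab_banner(host, 21))           # FTP greets first
    print(fingerprint(http_head(host)[1]))
```

Against a hardened server the Server header is trimmed to the product name or removed, which is why HEAD alone is only a first pass and version detection falls back to behavioural probes (nmap -sV).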
Reconnaissance
• Social Engineering
Psychological manipulation of people into performing actions or divulging information.
• Shoulder Surfing
Looking over somebody’s shoulder to get information (passwords / PINs).
• Dumpster Diving
Sifting through garbage to find information that has been discarded that may prove useful.
• Piggybacking
A person tagging along with another person who is authorized to gain entry into a restricted area.
• Phishing
Attempting to acquire information by
masquerading as a trustworthy entity.
52
Reconnaissance
• Social Engineering
Psychological manipulation of people into performing actions or divulging information.
Top SE Techniques:
Urgency – “I need the info now before you know what hits the fan…”
Quid pro quo – “Give me what I need and I will give you a…”
Status quo – “Everyone does it, don’t worry about it…”
Kindness – “Thank you so much for… giving me the keys to the kingdom”
Position – “When I say jump you say how high…”
Other Techniques:
Familiarity
Creating a hostile situation / distraction
Get a job there
53
Reconnaissance
• Phishing
Attempting to acquire information by masquerading as a trustworthy entity.
54
Reconnaissance
• Phishing
Attempting to acquire information by masquerading as a trustworthy entity.
wtf…that’s not FB!
oh hell no…
55
Reconnaissance
• Spear Phishing
Phishing attempts directed at specific individuals or companies.
56
Scanning
• Port / Service Scanning
‐ Probing a range of IP addresses to determine which ports are open and
which services are listening on them.
‐ Automated tools send a probe to each port on a target and classify the port
from the reply (open, closed, or filtered).
‐ Remember that many programs listen on port numbers outside the range
of well‐known ports (0‐1023), so scan the full range when it matters.
‐ After an attacker discovers an open port / service and its version, finding a
vulnerability or exploit for it usually isn’t that difficult.
‐ Port scanning is not by itself illegal in most jurisdictions, but it is active
contact with the target: scan only systems you are authorized to test.
‐ Moving away from passive to active info gathering.
57
Scanning
• TCP 3‐way Handshake Review
A B
1) A ‐‐> B SYN my sequence number is X
2) A <‐‐ B SYN/ACK my sequence number is Y, acknowledging X+1
3) A ‐‐> B ACK acknowledging Y+1
(RFC 793 describes step 2 as two logical messages, the ACK of X and the SYN
carrying Y, but they travel in one SYN/ACK segment. A closed port answers
step 1 with RST instead, which is what port scanners rely on.)
58
Scanning
• Popular types of Port / Service Scans
‐ SYN Scan (nmap ‐sS)
Sends a SYN: a SYN/ACK reply means open, a RST reply means closed, no reply
(or an ICMP unreachable) means filtered. The full TCP connection is never made;
on SYN/ACK the scanner sends a RST to tear the half‐open connection down, so
the listening application never sees a connection.
Historically called a stealth scan (firewalls and IDS still log it). Needs raw sockets, i.e. root.
59
Scanning
• Popular types of Port / Service Scans
‐ XMAS Scan (nmap ‐sX)
FIN, PSH, URG flags are set.
Expected result on an open port is no response; the packet is discarded (nmap reports open|filtered).
Expected result on a closed port is a RST packet.
Only works against RFC 793‐compliant stacks: Windows and many network devices answer
RST on every port, so everything looks closed.
60
Scanning
• Popular types of Port / Service Scans
‐ UDP Scan (nmap ‐sU)
UDP packet sent to target (empty, or a protocol‐specific payload for common ports).
Expected result on a closed port is an ICMP “Port Unreachable” message.
Expected result on an open port is a reply from the service or, more often, no response
at all, which nmap reports as open|filtered. ICMP rate limiting makes UDP scans slow
and the results are not guaranteed.
61
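An added example (not the slides' code) tying the handshake review and the scan types above together: a TCP connect() scan, which is what nmap -sT does. It classifies each port by how the handshake ends: SYN/ACK lets connect() complete (open), a RST surfaces as ECONNREFUSED (closed), and silence until the timeout means a filtering device dropped the SYN. Unlike -sS it needs no raw sockets, so it runs unprivileged. The target, port list and timeout are whatever you pass in; local_demo() checks the logic against a listener on loopback.

```python
"""TCP connect() scan with open / closed / filtered classification,
plus nmap-style port-spec parsing. No raw sockets needed."""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def scan_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))          # full 3-way handshake completes here
        return "open"
    except ConnectionRefusedError:       # peer answered the SYN with RST
        return "closed"
    except socket.timeout:               # SYN silently dropped
        return "filtered"
    except OSError as e:                 # host/network unreachable behaves like a filter
        return "filtered" if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH) else "closed"
    finally:
        # On an open port close() sends FIN: the service saw a complete
        # connection, which is why -sT is noisier than -sS.
        s.close()


def scan(host, ports, timeout=1.0, workers=64):
    """Scan many ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: scan_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(results):
    return sorted(p for p, st in results.items() if st == "open")


def parse_ports(spec):
    """nmap-style port list: '22,80,135-139' -> [22, 80, 135, 136, 137, 138, 139]."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def local_demo():
    """Self-contained check: one listening and one closed port on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    p_open = srv.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    p_closed = probe.getsockname()[1]
    probe.close()                        # port is free again -> RST on connect
    try:
        return scan("127.0.0.1", [p_open, p_closed])
    finally:
        srv.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.101"
    spec = sys.argv[2] if len(sys.argv) > 2 else "1-1024"
    print("open:", open_ports(scan(target, parse_ports(spec))))
```

The three outcomes are exactly the three things the handshake can do to a SYN, which is also why a host behind a firewall that drops rather than rejects looks "filtered" rather than "closed" and slows the scan to one timeout per port.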
Scanning
• nmap
The most popular port scanning tool.
63
Scanning
• nmap ‐h
64
Scanning
• nmap 192.168.56.101 (against MS2)
65
Scanning
• nmap –A –v 192.168.56.101 (against MS2)
66
Scanning
• nmap 192.168.56.102 (against BT5R3)
72
Scanning
• nmap –sS ‐v 192.168.56.101 (against MS2)
73
Scanning
• nmap –sS ‐v 192.168.56.100‐200 (range)
74
Reconnaissance
• Unicornscan
Conduct tests on large networks and consolidate tools for large‐scale endeavors.
‐ Ideal for large networks.
‐ Scans 65,535 ports in 3‐7 seconds.
‐ Port scanning using TCP, ICMP, and IP.
‐ Optimizes UDP scanning.
75
Reconnaissance
• fping
A command‐line tool that allows you to ping multiple IP addresses simultaneously (determining which computers
are “live”).
76
Reconnaissance
• fping ‐h
ping vs fping: specify a range
77
Reconnaissance
• hping
Crafts custom TCP/UDP/ICMP packets, so you can ping sweep multiple IP addresses with
probes other than ICMP echo (for example a TCP SYN or ACK to port 80) and reach hosts
behind devices that filter ICMP.
78
Reconnaissance
• hping3 –h | less
set flags just like nmap…
79
Enumeration
‐ Next step after port scanning.
‐ Actually connecting to the system and obtaining
information about users, passwords, and shared
resources.
‐ Active / intrusive vs. passive: enumeration always touches the target and is logged.
82
REVIEW: OS Vulnerabilities
• Network Basic Input / Output System (NetBIOS)
‐ OSI Session Layer 5.
‐ Software interface that lets applications use shared network
resources or devices by name.
‐ NetBIOS frees an application from understanding the details
of the network.
‐ Still used today for backward compatibility.
‐ Uses the following ports, which should never be reachable from the Internet:
UDP/137 (name service)
UDP/138 (datagram service)
TCP/139 (session service)
83
REVIEW: OS Vulnerabilities
• Network Basic Input / Output System (NetBIOS)
Why is NetBIOS over TCP/IP considered a security risk again?
84
Enumeration
• Network Basic Input / Output System (NetBIOS)
‐ Names are 16 bytes: 15 usable characters plus a 16th byte.
‐ The last byte is a suffix identifying the service (00 to FF), e.g. <20> file server, <1C> domain controller.
‐ Hackers attack Domain Controllers because of the type of info they hold (accounts, groups, trusts).
‐ Null Sessions (NS), anonymous connections to the IPC$ share, are a serious vulnerability for NetBIOS systems.
‐ NS still present on Windows XP
‐ NS disabled by default in Windows Server 2003
‐ NS restricted by default in Windows Vista and Server 2008
‐ Use the nbtstat command to query a host’s NetBIOS name table.
86
Enumeration
87
Enumeration
88
Enumeration
• NBTscan
NetBIOS over TCP/IP scan: finds computers running NetBIOS and lists their names.
89
Enumeration
• nbtstat
91
Enumeration
• nbtstat ‐a
92
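An added example, written for this page from the RFC 1002 message layout rather than taken from the slides, of what nbtstat -a and nbtscan actually send on UDP/137: a NetBIOS Node Status request for the wildcard name "*", and the decoding of the reply into the name table (15-character name, 1-byte suffix such as <20> file server or <1C> domain controller, unique/group flag) plus the adapter MAC. The reply used below is constructed for a made-up host LABPC in workgroup LAB; only node_status() talks to the network.

```python
"""NetBIOS Node Status (nbtstat -a) request builder and response parser,
standard library only. sample_response() is constructed, not a capture."""
import socket
import struct

NBSTAT = 0x0021   # question / RR type: node status
SUFFIX = {0x00: "workstation", 0x03: "messenger", 0x20: "file server",
          0x1B: "domain master browser", 0x1C: "domain controllers",
          0x1E: "browser election"}


def encode_name(name, suffix=0x00, pad=b" "):
    """First-level encoding: 16 raw bytes -> 32 chars 'A'..'P' (one per nibble),
    prefixed by the label length and followed by the root label."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    encoded = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([32]) + encoded + b"\x00"


def build_node_status_request(txid=0x1234):
    """Header: id, flags 0 (unicast query), QDCOUNT 1; question for '*' (NUL padded)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*", 0x00, b"\x00") + struct.pack(">HH", NBSTAT, 1)


def parse_node_status_response(data):
    """Decode the name table and MAC from a Node Status reply."""
    txid, flags, _qd, an = struct.unpack(">HHHH", data[:8])
    if (flags & 0x8000) == 0 or an < 1:
        raise ValueError("not a node status response")
    pos = 12 + 34                                   # skip header + encoded RR name
    rtype, _cls, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    count = data[pos]
    pos += 1
    names = []
    for _ in range(count):                          # 18 bytes per entry
        entry = data[pos:pos + 18]
        pos += 18
        suffix = entry[15]
        name_flags = struct.unpack(">H", entry[16:18])[0]
        names.append({"name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix, "role": SUFFIX.get(suffix, "unknown"),
                      "group": bool(name_flags & 0x8000)})
    mac = ":".join("%02X" % b for b in data[pos:pos + 6])   # UNIT_ID of statistics
    return {"txid": txid, "names": names, "mac": mac}


def node_status(host, timeout=2.0):
    """Query UDP/137 on `host` and decode the reply (network; not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (host, 137))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)


def sample_response(txid=0x1234):
    """Constructed reply: host LABPC (workstation + file server) in group LAB."""
    entries = b"".join(
        name.ljust(15).encode() + bytes([suf]) + struct.pack(">H", fl)
        for name, suf, fl in (("LABPC", 0x00, 0x0400), ("LABPC", 0x20, 0x0400),
                              ("LAB", 0x00, 0x8400), ("LAB", 0x1E, 0x8400)))
    rdata = bytes([4]) + entries + bytes.fromhex("080027ABCDEF") + b"\x00" * 40
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative
    rr = encode_name("*", 0x00, b"\x00") + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    import sys
    for n in node_status(sys.argv[1])["names"]:
        print("%-15s <%02X> %-22s %s" % (n["name"], n["suffix"], n["role"],
                                        "GROUP" if n["group"] else "UNIQUE"))
```

The encoded wildcard name CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA is what you will see in a capture of any nbtstat -a or nbtscan run, which makes the query trivial to detect; the answer is unauthenticated, which is the enumeration risk the slides ask about.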
Enumeration
• net view
Displays a list of domains, computers, or resources that are being shared by the specified computer.
Used without parameters, net view displays a list of computers in your current domain.
93
Enumeration
• net use
Connects a computer to or disconnects a computer from a shared resource, or displays information about computer
connections. Used without parameters, net use retrieves a list of network connections.
96
Enumeration
• DumpSec
Enumeration tool for Windows systems allowing users to connect to a server and “dump” permissions for shares.
It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares.
98
Enumeration
• smb4K
Used to enumerate Windows computers on a network.
100
Enumeration
• finger
102
Review Questions
• Question #1
To find information about the key IT personnel
responsible for a company’s domain, you might use
which of the following tools? (Choose all that apply.)
a. Whois.
b. Whatis.
c. SamSpade.
d. Nbtstat.
103
Review Questions
• Question #2
Which is one of the most vulnerable components to
network attacks?
a. TCP/IP.
b. WINS.
c. DHCP.
d. DNS.
105
Review Questions
• Question #3
Which of the following contains host records for a
domain?
a. DNS
b. WINS
c. Linux server
d. UNIX Web Clients
107
Review Questions
• Question #4
Which of the following enables you to view all host
computers on a network?
a. SOA
b. ipconfig
c. Zone Transfers
d. HTTP HEAD method
109
Review Questions
• Question #5
What’s one way to gather information about a domain?
a. View the header of an e‐mail you send to an e‐mail account
that doesn’t exist.
b. Use the ipconfig command.
c. Use the ifconfig command.
d. Connect via Telnet to TCP port 53.
111
Review Questions
• Question #6
To determine a company’s primary DNS server, you can
look for a DNS server containing which of the following?
a. Cname record.
b. Host record.
c. PTR record.
d. SOA record.
113
Review Questions
• Question #7
Which of the following tools can assist you in finding
general information about an organization and its
employees? (Choose all that apply.)
a. www.google.com
b. http://groups.google.com
c. netcat
d. nmap
115
Review Questions
• Question #8
What’s the first method a security tester should attempt
to find a password for a computer on the network?
a. Use a scanning tool.
b. Install a sniffer on the network.
c. Ask the user.
d. Install a password‐cracking program.
117
Review Questions
• Question #9
Discovering a user’s password by observing the keys he
or she presses is called which of the following?
a. Password hashing
b. Password crunching
c. Piggybacking
d. Shoulder surfing
119
Review Questions
• Question #10
Entering a company’s restricted area by following closely
behind an authorized person is referred to as which of
the following?
a. Shoulder surfing
b. Piggybacking
c. False entering
d. Social Engineering
121
Review Questions
• Question #11
What social engineering technique involves telling an
employee that you’re calling from the CEO’s office and
need certain information ASAP?
a. Urgency
b. Status quo
c. Position of authority
d. Quid pro quo
123
Review Questions
• Question #12
Security testers and hackers use which of the following to
determine which services are running on a host?
a. Zone transfer
b. Zone scanning
c. Encryption algorithms
d. Port scanning
125
Review Questions
• Question #13
Which flags are set on a packet sent with the
nmap –sX 192.168.56.101 command?
a. FIN
b. PSH
c. SYN
d. URG
127
Review Questions
• Question #14
Which nmap command verifies whether the SSH port is
open on any computers in the 192.168.1.0
network? (Choose all that apply.)
a. nmap –v 192.168.1.0-254 –p 22
b. nmap –v 192.168.1.0-254 –p 23
c. nmap –v 192.168.1.0-254 –s 22
d. nmap –v 192.168.1.0/24 –p 22
129
Review Questions
• Question #15
A closed port responds to a SYN packet with which of the
following packets?
a. FIN
b. SYN‐ACK
c. SYN
d. RST
131
Review Questions
• Question #16
Which type of scan is usually used to bypass a firewall or
packet‐filtering device?
a. ACK scan
b. SYN scan
c. XMAS scan
d. FIN scan
133
Review Questions
• Question #17
A FIN packet sent to a closed port responds with which
of the following packets?
a. FIN
b. SYN‐ACK
c. RST
d. SYN
135
Review Questions
• Question #18
Which type of scan sends a packet with all flags set to
NULL?
a. NULL
b. VOID
c. SYN
d. XMAS
137
Review Questions
• Question #19
To bypass some ICMP‐filtering devices on a network, an
attacker might send which type of packets to scan the
network for vulnerable services?
a. PING packets
b. SYN packets
c. ACK packets
d. Echo Request packets
139
Review Questions
• Question #20
Which of the following is a tool for creating a custom
TCP/IP packet and sending it to a host computer?
a. Tracert
b. Traceroute
c. Hping
d. Nmapping
141
Review Questions
• Question #21
Which of the following testing processes is the most
intrusive?
a. Port scanning
b. Enumeration
c. Null scanning
d. Numeration
143
Review Questions
• Question #22
Enumeration of Windows systems can be more difficult if
which port is filtered?
a. 110 UDP
b. 443 UDP
c. 80 TCP
d. 139 TCP
145
Review Questions
• Question #23
A null session is enabled by default in all the following
versions except?
a. Windows 95
b. Windows Server 2008
c. Windows 98
d. Windows 2000
147
Review Questions
• Question #24
To identify the NetBIOS names of systems on the
193.145.85.0 network, which of the following commands
do you use?
a. nbtscan 193.145.85.0/24
b. nbtscan 193.145.85.0‐255
c. nbtstat 193.145.85.0/24
d. netstat 193.145.85.0/24
149
Review Questions
• Question #25
Which of the following is a Windows command‐line
utility for seeing NetBIOS shares on a network?
a. net use
b. net user
c. net view
d. nbtuser
151
Review Questions
• Question #26
A NetBIOS name can contain a maximum of how many
characters?
a. 10
b. 11
c. 15
d. 16
153
Review Questions
• Question #27
Which of the following commands connects to a
computer containing shared files and folders?
a. net view
b. net use
c. netstat
d. nbtstat
155
Review Questions
• Question #28
Which ports are most vulnerable to NetBIOS attacks?
a. 135 to 137
b. 389 to 1023
c. 135 to 139
d. 110 and 115
157
Review Questions
• Question #29
What is the best method of preventing NetBIOS attacks?
a. Filtering certain ports at the firewall
b. Telling users to create difficult‐to‐guess passwords
c. Pausing the Workstation service.
d. Stopping the Workstation service.
159
Review Questions
• Question #30 (last one)
Which of the following is a commonly used UNIX
enumeration tool?
a. Netcat
b. Nbtstat
c. Netstat
d. Finger
161
Quiz #2
• Short answer, closed book, closed notes.
163
Questions?
probbins@hawaii.edu
www2.hawaii.edu/~probbins
https://www.dorkatron.com/docs/ISA330/
164