BCIS 4630 Fundamentals of IT Security

ROAD

TO EXPLOITATION

Dr. Andy Wu

Overview

• Network Scanning – Host discovery – OS fingerprinting – Service discovery • Network mapping/Host discovery – DNS zone transfer • Enumeration – Null session – User account info 2

Hacking Process

3

Early Stages of Hacking

• In this lab, we’ll introduce a few tools that are used in the early stages of hacking.

• The aims are to: – Obtain some ideas about a network’s topology; – Locate potential targets; – Find out what OSes and services are running; – Look up user accounts, lock-out threshold, password policies; – Etc.

• These paves the road for the next stage of attacking targets.

4

Reconnaissance

• Reconnaissance – The act of locating targets and developing the methods necessary to attack those targets successfully.

– May be extremely flexible and creative.

• Reconnaissance is not by definition illegal.

– Many reconnaissance techniques are completely legal.

5

Footprinting

• The act of uncovering and collecting as much information as possible about a target network.

– Domain name – IP address blocks – Organization websites – Company directory – Background info – News articles – Press releases – Etc.

6

Information Gathering

• Search for company’s information in major search engines, e.g., Google, GoogleMaps, Bing.

• Using web data extractors, e.g., webextractor.com.

• Website scraping, e.g., binarypool.com.

• People search websites, e.g., pipl.com.

• Social media sites.

• Reports filed with SEC.

7

Website Copier

• Tools are available to copy an entire website for later analysis, e.g., – httrack.com

– surfoffline.com

– pagenest.com

– keepni.com

• Archive.org provides archived versions of websites.

8

Social Engineering

• Social engineering works, for the most part, because people have the innate tendency to help and to avoid confrontation.

• The success or failure of social engineering depends on the ability of hackers to manipulate human psychology, contacts, and physical workstations.

9

Dumpster Diving

• Dumpster diving is often the mother lode of sensitive information as well as actual hardware and software.

• Hackers look specifically for sales receipts and paperwork that contain personal data or credit card information – Shredded documents can lead to data leaks.

– Drafts of letters are routinely left whole in the trash.

– Company directory sheets, catalog lists, unused or misprinted labels, and policy manuals.

10

WHOIS Lookup

• WHOIS databases contain personal information of domain owners.

• They are maintained by regional Internet registries: – AfriNIC (Africa) – ARIN (America) – APNIC (Asia Pacific) – LACNIC (Latin America) – RIPE NCC (Europe) • tools.whois.net

11

DNS Records

• Domain name service database of a network contains important information about the network hosts, e.g., – A – Host – MX – Mail server – NS – Name server – Cname – Canonical names (aliases) – SOA – Authority of domain 12

DNS–Based Reconnaissance

• DNS Lookup – Tools help Internet users discover the DNS names of target computers.

– There are Web sites that provide DNS lookup tools.

• DNS Zone Transfer – Zone transfer is a DNS feature that lets a DNS server update its database with the list in another DNS server.

– An incorrectly configured DNS server may allow any Internet user to perform a zone transfer.

– nslookup 13

Network Reconnaissance

• Network scanning is a technique that discovers live hosts in the network.

• Port scanning allows you to find: – IP addresses and open ports of live hosts – Operating systems and system architecture – Services running on hosts 14

Host Discovery

• ping – Helps to verify whether a host is active.

– Command is available for all platforms.

– Part of ICMP and uses echo request and echo reply messages.

• ping sweep – Is used to determine the live hosts from a range of IP addresses but sending ICMP echo requests to multiple hosts.

15

Host Discovery

• traceroute (tracert on Windows) – A packet from a host makes numerous “hops” before it reaches the destination.

– Command can track all of the intermediate nodes.

– Uses the TTL field in the header to work.

• Nmap (Zenmap) – Zenmap is the GUI front of nmap.

– Use nmap host discovery switch to perform scanning for live hosts.

16

Nmap

• www.insecure.org

• A versatile tool whose functionalities include: – Host discovery – OS fingerprinting – Service discovery 17

Fyodor

18

Banner Grabbing

• Banner grabbing uses Telnet to connect to a port on the remote target and observes the response coming back from it.

• Different protocols (services) have distinctive responses that can be used to verify the existence of those services on the target.

– Attacker may be fooled by a honeypot or port emulator.

• Response may contain OS or service information that may be used to determine the OS running on the target.

19

“Self-Scanner”

• netstat – Allows all the transmission Control Protocol (TCP), User Datagram Protocol (UDP), and IP connections on a computer to be viewed.

– Also helps to locate • IP address of computers • IP addresses of the hosts connected to the computers • Port of the host to which a computer is connected 20

Lab 2 Configuration

21

Target IP Addresses

• In this lab, we will scan and enumerate two servers. Their IP addresses are 10.1.99.150 and 10.1.99.151.

• When you are told to enter those two IP address, enter the entire four octets as above.

• You do

NOT

have to change the fourth octet to reflect your team number.

22

Tools Used in this Lab

• In this lab tools are selected only if they work in the realistic scenario in which the attacker has no user account in the target domain and his/her machine has not been joined to the domain (i.e., he/she is not trusted in the domain).

• I exclude those tools that look cool in theory but work only when the attacker machine is part of the domain (but how would he/she get in, to begin with?).

• For this reason, net view wouldn’t work in the way as presented on p. 170 of the textbook.

– It displays network shares only on a host that is a member of the domain.

– On a non-member machine, you will get Error 5 – access denied.

• Similarly, DumpSec wouldn’t work and will encounter Error 5.

23

Nmap Switches

• Basic syntax

nmap [port range] [switch(es)]

• Nmap switches are case-sensitive!

• By default, if no other switches are given, Nmap performs host discovery and then performs a SYN port scan.

24

Nmap Host Discovery

• To obtain a quick list of live hosts on the network without scanning for open ports on each, use the –sP (ping scan) switch.

• The syntax is:

nmap –sP /mask

– Replace

with the real network ID. It may be in the FQDN or resolved IP format.

– Use the CIDR notation for the mask.

25

OS Fingerprinting

• OS fingerprinting is the method to determine the operating system running on a remote target system.

• Passive OS fingerprinting use sniffers to capture packets and analyze them for OS information.

– For example, Windows and Linux systems pad the ping packets differently. By looking in the data portion for the padding characters, the attacker can guess the type of OS.

26

OS Fingerprinting

• Active OS fingerprinting sends specially crafted packets to the remote target and analyze the response.

• The response are then compared with a fingerprint database to determine the OS running on the remote machine.

• Use OS fingerprinting switch in Nmap to perform OS fingerprinting.

27

Nmap OS Fingerprinting

• Nmap may be used to fingerprint the OS running on the target.

• The switch is

–O

.

28

Service Discovery

• Each network service is allocated a well known port number.

• If the service is running on the server, the port must be open.

• The reverse is true too – if a port is found open on the server, the attacker can deduce that the server is running the service.

• The same goes for many registered ports that are related to common applications, e.g., Port 3306 for MySQL.

29

Service Discovery

• The attacker then will look up whether there are known vulnerabilities in the service. Chances are, some vulnerabilities have been found and reported, and often times, tools have been created to take advantage of those vulnerabilities.

• If the attacker runs those tools, he/she has a good chance of compromising the target.

• Service discovery is a critical step in the hacking process.

30

Nmap Switches

• -sS • -sT SYN scan (default) Connect scan • -sN • -sX Null scan Xmas scan • -O • -sP OS fingerprinting Host discovery • -p Port range 31

In Summary

• Port scanning allows you to find: – IP addresses and open ports of live hosts – Operating systems and system architecture – Services running on hosts 32

DNS

• DNS Lookup – Tools help Internet users discover the DNS names of target computers.

– There are Web sites that provide DNS lookup tools.

• DNS Zone Transfer – Zone transfer is a DNS feature that lets a DNS server update its database with the list in another DNS server.

– An incorrectly configured DNS server may allow any Internet user to perform a zone transfer.

33

NSLookup

• If a DNS server is mis-configured, it’s easy to extract important host information stored in the DNS database.

• You don’t even need a separate tool.

•

NSLookup

(name server lookup) is a Windows native tool for resolving FQDNs to IP addresses.

• To perform a zone transfer from a DNS server, just run

nslookup

interactively and issue the ls command.

34

Regular Name Resolution

• To lookup the IP address of a FQDN, the command is

nslookup

35

DNS Zone Transfer with NSLookup

• • • To perform a zone transfer, first enter just the command

nslookup

the FQDN argument).

(without Then enter the server command followed by the IP address of the DNS server.

Finally, enter the listing command:

ls –d

36

DNS Records

• Domain name service database of a network contains important information about the network hosts, e.g., – A: Host – MX: Mail server – NS: Name server – Cname: Canonical names (aliases) – SOA: Start of Authority of domain 37

Enumeration

• The process of finding user and group accounts, machine names, network shares, services, audit settings, etc. on a system.

• Scanning tells us what hosts are “live” and running what services. With enumeration the attacker tries to find out what accounts or resources may be worth exploiting or may be abused for attacking those hosts. 38

Typical Things to Enumerate

• User accounts • Groups – Names – Members • Access settings – Logon hours – Logon workstation restrictions • Audit settings • Service banners 39

Null Session

• Null session allows one to connect to the IPC (interprocesses communication) shares on a Windows machine without a username and password.

• The IPC share is a “hidden share” – you don’t see the share when you explore shared resources on a computer in Windows Explorer. Hidden shares are denoted by a $ sign at the end of the share name.

• Windows automatically shares each partition as a hidden share –

C$

,

D$

, etc.

• There are other hidden shares, including

IPC$

.

40

Null Session

• Establishing a null session is necessary for many enumeration tools to work.

• The syntax is

net use \\\IPC$ "" /u:""

or

net use \\\IPC$ "" /user:""

– Replace the

part with the real host name or IP address of the target.

– Everything else in the command must be typed

exactly as shown

above.

– Notice there is no space between the double quotes.

– There is no space between the

/

and the

u

.

– There is no space between the colon and double quote.

41

Null Session

• Anonymous access to and more difficult with every upgrade in Windows versions.

restricted access to

RestrictAnonymous IPC$

• A domain controller may ironically have less

IPC$

(0 has been made more because it needs to provide services to hosts in the network.

• The access level is set by the registry key:

HKLM\SYSTEM\CurrentControlSet\Control\LSA\

– None; 1 – Does not allow enumeration of SAM account and names; 2 – No access). 42

Establishing a Null Session

43

User Accounts

• To obtain user account information on a remote target, a variety of tools may be used: – SuperScan –

Enum

–

User2Sid

–

UserInfo

– Winfingerprint – Etc.

44

Enum

• This tool can retrieve a host of info about user accounts, groups, policies, etc.

• The syntax is:

enum

– Replace • -P

with the real host name or IP address of the target machine.

• You don’t have to precede it with double back slashes.

– Some useful Enum switches: password policy information • -U • -G user accounts groups and membership 45

Security Identifier (SID)

• Internally, Windows OSes keep track of user and group accounts using their unique SIDs, not names.

• SIDs are never reused. You may delete a user account and later create a new one with the exact same username; but the two accounts will have two different SIDs.

• An administrator account’s SID ends with

500

( the info in the FYI box on p. 167 is wrong!

).

46

Security Identifier (SID)

• Some sources recommende that the built-in administrator account be renamed and a boggy administrator account be set up. Also, the guest account should be disabled and/or renamed.

• These measures are only effective against less knowledgeable attackers.

• Tools such as

user2sid

can easily reveal the true SID of accounts.

47

User2Sid

• This tools can find the SID of a user account on a remote computer.

• The syntax is:

user2sid

– Replace

with the real host name or IP address of the target machine.

• You don’t have to precede it with double back slashes.

– Replace

with the real target username.

48

UserInfo

• This tool displays some useful information about a user account.

• The syntax is:

userInfo

– Replace

with the real host name or IP address of the target machine.

• You don’t have to precede it with double back slashes.

– Replace

with the real target username.

49

WinFingerprint

50