Document 7485245
Reconnaissance
Recon
1
Attack Phases
Phase 1: Reconnaissance
Phase 2: Scanning
Phase 3: Gaining access
o Application/OS attacks
o Network attacks/DoS attacks
Phase 4: Maintaining access
Phase 5: Covering tracks and hiding
Recon
Before a bank robber robs a bank…
o Visit the bank
o Make friends with an employee (inside info)
o Study alarm system, vault, security guard’s routine, security camera placement, etc.
o Plan arrival and get away
Most of this is not high tech
Similar ideas hold for info security
Social Engineering
Hypothetical examples
o New “admin” asks secretary for help
o Angry “manager” calls employee/admin asking for
password
o “Employee” in the field calls another employee
for help with remote access
Real-world examples
o Employees help white hat guy steal company IP
o Person turns over secrets to trusted “friend”
Social Engineering
Social engineering
o Defeats strongest crypto, best access control, protocols, IDS, firewalls, software security, etc., etc.
Attacker may not even touch keyboard
Ultimate low-tech recon/attack method
Social Engineering
Telephone based attacks
o Company phone number may give attacker instant credibility
o Attacker might ask for voice mail service
Spoofed caller ID
o Appears attacker has company phone number
o Online services: Telespoof, Camophone
o Some VoIP software
o Phone companies also sell such services
Camophone
Spoofed caller ID
Cost? 5 cents per minute
Social Engineering Defenses
Hard to defend against
o Rooted in human nature
o Many legitimate uses of “social engineering”
(police, sales people, etc.)
User education helps
o Do not give out sensitive info (passwords)
o Do not trust caller ID, etc.
May not want totally paranoid employees
Physical Security
If Trudy gets physical access…
Might find logged in computer, post-it note with passwords, etc.
Might install back door, keystroke logger, access point to LAN, etc.
Could steal USB drives, laptop, computers, CDs, etc.
Physical Access
How can attacker gain physical access?
o Ask for it
o Fake it
o Physical break in
Or attacker might be employee
o Then Trudy already has access
o Limit employee’s physical access?
Defenses
Require badges for entry
o What if someone forgets badge?
Biometrics for entry are useful
o Iris scan, hand geometry, …
Monitor what people take in/out
o Laptop, USB drive, CD, Furby?
o Miniaturization makes this difficult
Defenses
Use locks on file cabinets
o Don’t leave key in the lock…
Automatic screen saver with password
Encrypted hard drives
o Especially for those who travel
o Need a way to recover encrypted files
o But there are attacks…
Dumpster Diving
What might Trudy find in trash?
o CDs, DVDs, discarded machines, USB, …
o Diagrams of network architecture
Defenses
o Destroy hard drive before discarding
o Destroy media (degaussing is not enough)
o Shred paper, etc.
Search the “Fine” Web
“Fine” is a placeholder for another word
o As in “Read the ‘Fine’ Documentation”
Huge amount of info available on Web
Google it!
o For example, Google the MD5 hash value
o 20f1aeb7819d7858684c898d1e98c1bb
Google Hacking
Using Google to help in attacks
o Not “hacking Google”
See, for example
o Johnny Long’s Website
o Google hacking 101
Google selected as “favorite hacking tool” by some infamous hackers
Google
Four important elements of Google
1. Google bot
o Crawls Web looking for info to index
2. Google index
o Billions served…
o Ranked using (secretive) algorithm
o Why so secretive?
Google
3. Google cache
o Copy of data that bots found
o Includes html, doc, pdf, ppt, etc., etc.
o Up to 101k of text each, no images
o See also, Wayback Machine
4. Google API
o Programs need to Google too
o Requires API “key” (free from Google)
o Limited to 1k searches per day
Google
For any Google search…
o Max number of results limited to 1,000
o Limits data mining capabilities
So searches must be precise
Use “search directives”
o No space after directive, searches case insensitive, max of 10 search terms
Google Search Directives
site:[domain]
o Searches particular domain
o site:cs.sjsu.edu stamp
link:[web page]
o All sites linked to a given web page
o link:www.cs.sjsu.edu
intitle:[term(s)]
o Web sites that include “term(s)” in title
o site:cs.sjsu.edu intitle:"index of" stamp
Google Search Directives
related:[site]
o Similar sites, based on Google’s indexing
o related:www.cs.sjsu.edu
cache:[page]
o Display Web page from Google’s cache
o cache:www.cs.sjsu.edu
filetype:[suffix]
o Like ppt, doc, etc.
o filetype:ppt site:cs.sjsu.edu stamp
Google Search Directives
rphonebook:[name and city or state]
o Residential phone book
o rphonebook:Mark Stamp Los Gatos
bphonebook:[name and city or state]
o Business phone book
phonebook:[name and city or state]
o Residential and business phone books
Other Search Operations
Literal match (“ ”)
o “metamorphic engines” site:cs.sjsu.edu
Not (-)
o Filter out sites that include term
o site:cs.sjsu.edu -ty -lin
Plus (+)
o Include (normally filtered) term
o Not the opposite of “-”
o site:cs.sjsu.edu stamp +the
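As an added example (not from the slides), the following Python parser applies the directive rules just listed: it splits a query into directives, required and excluded terms, flags a space after a directive and more than 10 terms, and scopes GHDB-style patterns to a domain you administer so they can be used to monitor what search engines expose about it. Function and class names are this example's own; counting every token as one of the 10 terms is an assumption.

```python
import re
from dataclasses import dataclass, field

# Directives listed on the slides; the argument follows the colon with no space.
DIRECTIVES = {"site", "link", "intitle", "intext", "related", "cache", "filetype"}
PHONEBOOK = {"rphonebook", "bphonebook", "phonebook"}  # argument runs to end of line
MAX_TERMS = 10  # per-query term limit quoted on the slides
# One token: directive:"quoted phrase", a "quoted phrase", or a run of non-spaces.
TOKEN = re.compile(r'(?:\w+:)?"[^"]*"|\S+')


@dataclass
class ParsedQuery:
    directives: list = field(default_factory=list)  # (name, argument) pairs
    required: list = field(default_factory=list)    # plain, +forced and quoted terms
    excluded: list = field(default_factory=list)    # -terms
    errors: list = field(default_factory=list)      # syntax problems found


def parse_query(query: str) -> ParsedQuery:
    """Split a Google query into directives, required and excluded terms using the
    rules on the slides. Matching is case-insensitive, so everything is lower-cased;
    counting every token as one of the 10 allowed terms is this example's assumption."""
    q = ParsedQuery()
    tokens = TOKEN.findall(query)
    if len(tokens) > MAX_TERMS:
        q.errors.append(f"{len(tokens)} terms, limit is {MAX_TERMS}")
    for i, tok in enumerate(tokens):
        low = tok.lower()
        name, sep, arg = low.partition(":")
        if sep and name in PHONEBOOK:  # rphonebook:Mark Stamp Los Gatos
            q.directives.append((name, " ".join([arg] + tokens[i + 1:]).lower()))
            break
        if sep and name in DIRECTIVES:
            if arg:
                q.directives.append((name, arg.strip('"')))
            else:  # 'site: cs.sjsu.edu': the space detaches the argument
                q.errors.append(f"space after directive '{name}:'")
        elif low[0] in "+-" and len(low) > 1:
            (q.required if low[0] == "+" else q.excluded).append(low[1:])
        else:
            q.required.append(low.strip('"'))
    return q


def own_domain_queries(domain: str, patterns: list) -> list:
    """Scope GHDB-style patterns to a domain you are responsible for, keeping only
    those that satisfy the syntax rules above (the 'monitor publicly available info' defense)."""
    queries = [f"site:{domain} {pat}" for pat in patterns]
    return [query for query in queries if not parse_query(query).errors]
```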
Interesting Searches
From the text
o site:mybank.com filetype:xls ssn
o site:mybank.com ssn -filetype:pdf
o site:mybank.com filetype:asp
o site:mybank.com filetype:cgi
o site:mybank.com filetype:php
o site:mybank.com filetype:jsp
o site:cs.sjsu.edu filetype:xls
Google Hacking Database
Google Hacking Database (GHDB)
Interesting searches
o intitle:"index of" finance.xls
o "welcome to intranet"
o intitle:"gateway configuration menu"
o intitle:"samba web administration tool" intext:"help workgroup"
GHDB
Intitle:"welcome to IIS 4.0"
“… we find that even if they've taken the time to change
their main page, some dorks forget to change the titles of
their default-installed web pages. This is an indicator that
their web server is most likely running … the now
considered OLD IIS 4.0 and that at least portions of their
main pages are still exactly the same as they were out of
the box. Conclusion? The rest of the factory-installed stuff
is most likely lingering around on these servers as well. …
Factory-installed default scripts: FREE with operating
system. Getting hacked by a script kiddie that found you
on Google: PRICELESS. For all the things money can't
buy, there's a googleDork award.”
Google
Suppose sensitive data is accessible
o Removing it does not remove problem
o Google cache, Wayback Machine
What about automated searches?
o Google API
o SiteDigger and Wikto
SiteDigger
User provides Google API key
One search…
o Uses GHDB
o Does 1k Google searches
o Your daily limit
o There’s always tomorrow…
Google
Lots of other interesting Google searches
o Track current flights
o Look up auto VIN
o Look up product UPC
Google filters some sensitive data
o SSNs, for example
Yahoo and MSN Search do less filtering
Newsgroups
“Listening in at the virtual water cooler”
Employees submit detailed questions
o How to configure something
o How to code something
o How to troubleshoot a problem
Reveals info about products, config, etc.
o “sensitive information leakage on a grand scale”
Attacker could even play active role
o Give bad/incorrect advice
Newsgroups
To search groups
o groups.google.com
o Repackaged version of DejaNews
Organization’s Website
Web site might reveal useful info
o Employee contact info
o Clues about corporate culture/language
o Business partners
o Recent mergers and acquisitions
o Technology in use
o Open jobs
Defenses Against Web Recon
Limit what goes on Web pages
o No sensitive info
o Limit info about products, configuration, …
Security by obscurity?
o “…no sense putting an expensive lock on your
door and leaving milk and cookies outside so the
lock picker can have a snack” while he breaks in
Defenses Against Web Recon
Have a policy on use of newsgroups
Monitor publicly available info
Google/Wayback will remove sensitive data
Use robots.txt so Web pages are not indexed
o Tags: noindex, nofollow, noarchive, nosnippet
o Well-behaved crawlers will respect these, but…
o …a sign to bad guys of sensitive data
Whois Databases
Internet “white pages” listing
o Domain names, contact info, IP addresses
o .com, .net, .org, .edu
ICANN oversees registration process
o Hundreds of actual registrars
InterNIC
InterNIC (Internet Network Info Center)
o First place to look
o Info on domain name registration services
InterNIC
Whois info available from InterNIC
o com, net, org, edu
Other sites for other top level domains
Whois
Once registrar is known, attacker can contact it
o More detailed Whois info
o Network Solutions in this example
Whois
Info includes
o Names
o Telephone numbers
o Email addresses
o Name (DNS) servers
o And so on…
IP Address Assignment
ARIN (American Registry for Internet Numbers)
o Info about who owns IP address or range of addresses
Similar organizations for Europe, Asia, Latin America, …
Defense Against Whois Search
Bad idea to put false info into databases
o Important that people can contact you
o For example, if attack launched from your site
No real defense against Whois
Anonymous registration services exist
o Author is not fond of these
o Better to train against social engineering
Domain Name System
DNS
o A hierarchical distributed database
o Like a (hierarchical distributed) telephone directory
o Converts human-friendly names into computer-friendly IP addresses
Internet is impossible without DNS
DNS
13 root DNS servers
o A “single point” of failure for Internet
DNS
DNS example
o Recursive and iterative searches
o Resolved locally, if possible
o Lots and lots of caching
DNS
DNS cache on Windows machine
DNS
Gives IP address of a domain
Lots of other info
DNS record types
o Address: domain name/IP address (or vice-versa)
o Host information: info about system
o Mail exchange: mail system info
o Name server: DNS servers
o Text: arbitrary text string
Interrogating DNS
Attacker determines DNS servers
o From registrar’s Whois database
Use nslookup (or dig in Linux) to interrogate name servers
o Zone transfer (all info about domain)
o See example from text --- IP addresses, mail server names, OS types, etc.
DNS Recon Defenses
Remove info on OS types, etc.
Restrict zone transfers
o To primary and secondary name servers
Employ “split DNS”
o Allow outside DNS activity related to Web, mail, FTP, …, servers
o No outside DNS directly from internal network
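Whether the "restrict zone transfers" defense is actually in place can be checked from outside against the name servers you operate. The following is an added example, not code from the slides: it builds the same AXFR request that dig sends, over TCP with only the Python standard library, and classifies the first reply by its response code. Function names and the transaction id 0x1234 are this example's own choices.

```python
import socket
import struct

AXFR, IN = 252, 1  # query type for a zone transfer, class IN
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """AXFR request for `zone`, framed for TCP with the 2-byte length prefix.
    Flags are 0 (no recursion requested); txid is an arbitrary constructed value."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", AXFR, IN)
    return struct.pack("!H", len(msg)) + msg


def classify_reply(msg: bytes) -> tuple:
    """(rcode name, answer count) from one raw DNS message without its length prefix."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    return RCODES.get(rcode, str(rcode)), an


def transfer_allowed(msg: bytes) -> bool:
    """A server honouring the transfer answers NOERROR with records; REFUSED,
    NOTAUTH or an empty answer section means the zone did not leak."""
    rcode, an = classify_reply(msg)
    return rcode == "NOERROR" and an > 0


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def check_server(ns_ip: str, zone: str, timeout: float = 5.0) -> bool:
    """Ask name server `ns_ip` for a full copy of `zone`; True means it hands the
    zone to anyone, so transfers should be limited to the secondary servers.
    Only the first message is inspected; a closed connection counts as a refusal."""
    try:
        with socket.create_connection((ns_ip, 53), timeout=timeout) as s:
            s.sendall(build_axfr_query(zone))
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return transfer_allowed(_recv_exact(s, length))
    except ConnectionError:
        return False
```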
Split DNS
Internal DNS server acts as proxy
o Relays requests to external DNS
o Internal users can resolve internal and external
General-Purpose Recon Tools
Sam Spade
o Detective character in Dashiell Hammett’s novel, The Maltese Falcon
o Humphrey Bogart
o Also a general Web-based recon tool
Research and attack portals
o For more specific info
Sam Spade
All the bells and whistles
Some of Sam Spade’s capabilities
o ping, whois lookups, IP block whois, nslookup, DNS zone transfer, traceroute, finger
o SMTP VRFY --- is given email address valid?
o Web browser --- view raw HTTP interaction
o Web crawler --- grab entire web site
Sam Spade
“The incredibly useful Sam Spade user interface”
Other General Recon Tools
Active Whois Browser
o Whois and DNS tool, $19.95
NetScanTools Pro
o Costs $249+
iNetTools
o Feature-limited, but free
Web-based Recon Tools
Some “run by rather shady operators”
o www.samspade.org
o www.dnsstuff.com
o www.traceroute.org
o www.networktools.com
o www.cotse.com/refs.htm
o www.securityspace.com
o www.dlsreports.com
AttackPortal
AttackPortal
o Helps attacker remain anonymous
o This site is moribund (2005)
Conclusion
Attacker can gain useful info from variety of sources
o From social engineering to automated tools…
o …and everything in between
Useful info might include
o Contact info, IP addresses, domain names
o Possibly system details, technologies used, …
Building blocks for actual attacks
Summary
Sophisticated attacks likely to start with recon phase
Low-tech recon techniques
o Social engineering
o Spoofed caller ID
o Physical access
o Dumpster diving
Summary
Higher-tech techniques
o Google hacking, SiteDigger, GHDB
o Whois databases, InterNIC, ARIN
o DNS, nslookup, dig
o Sam Spade, client-side recon tools
o Web-based recon tools