Cybersecurity Computer Science Innovations, LLC

Cybersecurity Computer Science Innovations, LLC. Fingerprinting So, we have a file at the top level of a Web site. It is called robots.txt It specifies


Page 1

Cybersecurity

Computer Science Innovations, LLC

Page 2

Fingerprinting

So, we have a file at the top level of a Web site. It is called robots.txt. It specifies where to find content and what content to avoid.

What can this tell us from a fingerprinting perspective? It tells us the stuff the site owner wishes to protect.

Page 3

Fingerprinting Perspective

www.walmart.com

www.schwans.com

Download (take down) the robots.txt.

Download the sitemaps it lists.

Try to download the paths it disallows.

Use wget …

Page 4

Lab: Fingerprint a Web Server

Use wget.

Use wget www.walmart.com/robots.txt

Use more robots.txt

Use wget <sitemap files>

Use more <sitemap files>

Use www.schwans.file

Try to wget the disallowed files.

Page 5

What Did We Learn?

What can we do with robots.txt from a fingerprinting perspective? It reveals part of the directory structure.

It shows you what they do not want to share.

Why does wget not pull the disallowed content? Hint: man wget. It adheres to the robots.txt protocol.

How could we get the disallowed content? What type of licensing does wget have? Open source. We can get the source, change it, and go after the disallowed paths.

Page 6

Web Site Fingerprinting

Best Practices:

1) Use robots.txt for things you want found by a search engine, and Disallow for things you do not want found.

2) Use a tool (if you are a penetration tester) to work around the Disallow in robots.txt. Remember, Disallow is only a protocol.

3) Use security in the web server to protect sensitive files.
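To make point 3 concrete, here is an added example (not code from the original deck) that parses a robots.txt the way the lab reads it with wget and more, then checks whether each Disallow path is really protected by the server or only by convention. The sample robots.txt and the fetch results are constructed; in practice you would fetch the paths on your own server.

```python
"""Parse a robots.txt and audit whether 'Disallow' is being relied on as
access control (example added here; not part of the original slides)."""
from typing import Dict, List, Tuple

# Constructed sample robots.txt, modelled on what wget would download.
SAMPLE_ROBOTS = """\
# example site
Sitemap: https://www.example.test/sitemap.xml
User-agent: *
Disallow: /admin/
Disallow: /private/reports/
Allow: /private/public-report.pdf
Disallow: /cgi-bin/
"""

def parse_robots(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (sitemaps, disallowed paths, allowed paths) from a robots.txt.
    Comments (#...) are stripped; field names are case-insensitive."""
    sitemaps, disallow, allow = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "sitemap":
            sitemaps.append(value)
        elif field == "disallow" and value:
            disallow.append(value)
        elif field == "allow" and value:
            allow.append(value)
    return sitemaps, disallow, allow

def audit_disallows(disallow: List[str], observed: Dict[str, int]) -> List[str]:
    """Defender's check: a path that robots.txt hides but the server still
    serves with HTTP 200 is protected only by convention, not by the server.
    'observed' maps each disallowed path to the status code a plain fetch got
    (constructed here; in practice you would fetch your own server)."""
    return [p for p in disallow if observed.get(p, 0) == 200]

# Constructed fetch results for the sample paths (what 'wget' would see).
SAMPLE_STATUS = {"/admin/": 401, "/private/reports/": 200, "/cgi-bin/": 403}

if __name__ == "__main__":
    sitemaps, disallow, allow = parse_robots(SAMPLE_ROBOTS)
    print("sitemaps:", sitemaps)
    print("disallowed:", disallow)
    print("served despite Disallow:", audit_disallows(disallow, SAMPLE_STATUS))
```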

Page 7

Network 101

Typically three types of networks: A, B, C.

They differ by netmask:

A netmask 255.0.0.0

B netmask 255.255.0.0

C netmask 255.255.255.0

So how does this work?

Page 8

OSI Networking Model

Application --- Applications running on top (e.g. ssh).

Presentation --- Map data between representations.

Session --- Support a conversation.

Transport --- Put stuff in order, end to end.

Network --- Communicate with routing.

Data Link --- Communicate without routing.

Physical --- Cable.

Page 9

Data Link Layer

Data link: no routing.

(Diagram: two hosts, Scott and Brian, on the same link.)

Page 10

Command to See the Network

ifconfig -a

Scott:

inet addr:10.10.10.234 Bcast:10.10.10.255 Mask:255.255.255.0

Brian: ….. 10.10.10.231 ...

Netmask 255.255.255.0. What does that mean?

Page 11

Netmask

255.255.255.0: class C network.

Only route if the addresses differ by more than the last octet.

10.10.10.234

10.10.10.231

No routing necessary. They only differ where the netmask is 0, so delivery is resolved at the data link layer (MAC/IP: the conversion between MAC and IP addresses is a data link function).

Page 12

More Netmask

255.255.0.0 is a class B netmask: only route if the addresses differ in the left-most two octets.

192.168.1.2

192.168.2.3

Routing? No. Why? The only octets that differ are where the netmask bit pattern is 0000s, not 1111s.

255.0.0.0 is a class A netmask.

10.0.1.7 and 10.1.1.7: does it require routing? No, they differ only in the second octet, where the netmask is 0.

Page 13

Netmask Concluded

Class C network, netmask 255.255.255.0. What is that in hex?

– FF.FF.FF.00

What is that in binary?

– 11111111.11111111.11111111.00000000

So on a class C network one computer is 192.168.1.10 and one is 192.168.1.12. Need routing?

Page 14

Netmask Lab

Class C network, netmask 255.255.255.0: 192.168.1.10 and 192.168.0.11. Need routing? Yes, they differ in the third octet.

Class A network, netmask 255.0.0.0:

– 10.11.1.1 and 10.10.1.1: need routing? No.

– 11.11.1.1 and 10.10.1.2: need routing? Yes.

Question: a router at 192.168.1.1, who makes it? Cisco. A router at 192.168.0.1, who makes it? D-Link, Netgear.
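Added example, not part of the deck: the netmask rule from the last few slides as code, run over the deck's own cases. The LAB_CASES answers are the ones given on the slides; mask_forms also produces the hex and binary forms asked for on the "Netmask Concluded" slide.

```python
"""Netmask arithmetic behind the slides' 'do we need to route?' questions
(example added here, not from the original deck)."""
import ipaddress

def mask_forms(mask: str) -> dict:
    """Show one dotted-decimal netmask as prefix length, hex and binary."""
    octets = [int(o) for o in mask.split(".")]
    return {
        "prefix": ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen,
        "hex": ".".join(f"{o:02X}" for o in octets),
        "binary": ".".join(f"{o:08b}" for o in octets),
    }

def needs_routing(a: str, b: str, mask: str) -> bool:
    """True when a and b differ in a bit position where the netmask is 1,
    i.e. they sit on different networks and a router must forward."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(a)) & m) != (int(ipaddress.IPv4Address(b)) & m)

def differing_octets(a: str, b: str) -> list:
    """1-based octet positions where the two addresses differ (for the lab)."""
    return [i + 1 for i, (x, y) in enumerate(zip(a.split("."), b.split("."))) if x != y]

# The deck's own lab cases (class C / B / A masks) with the answers it gives.
LAB_CASES = [
    ("10.10.10.234", "10.10.10.231", "255.255.255.0", False),  # Scott / Brian
    ("192.168.1.10", "192.168.0.11", "255.255.255.0", True),   # differs in 3rd
    ("192.168.1.2", "192.168.2.3", "255.255.0.0", False),
    ("10.11.1.1", "10.10.1.1", "255.0.0.0", False),
    ("11.11.1.1", "10.10.1.2", "255.0.0.0", True),
    ("192.168.1.10", "206.245.1.17", "255.255.255.0", True),
]

def check_lab() -> bool:
    """Run every case; True when the rule reproduces the slides' answers."""
    return all(needs_routing(a, b, m) == want for a, b, m, want in LAB_CASES)

if __name__ == "__main__":
    print(mask_forms("255.255.255.0"))
    for a, b, m, _ in LAB_CASES:
        print(f"{a} -> {b} mask {m}: route={needs_routing(a, b, m)} "
              f"differs in octet(s) {differing_octets(a, b)}")
```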

Page 15

A Little Further in the Network: Find the Router

– Unix

– Command: netstat -rn

scott@kitchen:~$ ifconfig -a

eth0 Link encap:Ethernet HWaddr c8:0a:a9:b5:9d:db

inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.252.0

scott@kitchen:~$ netstat -rn

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

192.168.0.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0

0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
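Added example (not from the original deck): parsing the netstat -rn table above to find the router, checking that the router sits on a directly connected network, and picking the route a destination uses. The table text is a constructed copy of the slide's output.

```python
"""Find the router from 'netstat -rn' output and check it is on a directly
connected network. Example added here; the table is a copy of the slide's."""
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    dest: str
    gateway: str
    genmask: str
    flags: str
    iface: str
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.dest}/{self.genmask}")

NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
"""

def parse_netstat_rn(text: str) -> List[Route]:
    """Parse the Linux 'netstat -rn' table; data rows start with a digit."""
    rows = [l.split() for l in text.splitlines()]
    return [Route(c[0], c[1], c[2], c[3], c[7]) for c in rows
            if len(c) >= 8 and c[0][0].isdigit()]

def default_gateway(routes: List[Route]) -> Optional[str]:
    """The 0.0.0.0 destination with the G flag is the router we hand off to."""
    return next((r.gateway for r in routes
                 if r.dest == "0.0.0.0" and "G" in r.flags), None)

def gateway_reachable(routes: List[Route]) -> bool:
    """A gateway only works if a directly connected route (no G flag) covers
    it; otherwise the host could never reach the router at the link layer."""
    gw = default_gateway(routes)
    return gw is not None and any(
        "G" not in r.flags and ipaddress.IPv4Address(gw) in r.network()
        for r in routes)

def route_for(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the entry that carries traffic to dst."""
    hits = [r for r in routes if ipaddress.IPv4Address(dst) in r.network()]
    return max(hits, key=lambda r: r.network().prefixlen)

if __name__ == "__main__":
    rt = parse_netstat_rn(NETSTAT_RN)
    print("router:", default_gateway(rt), "reachable:", gateway_reachable(rt))
    print("206.245.1.17 leaves via:", route_for(rt, "206.245.1.17").gateway)
```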

Page 16

DHCP: Distributed Hosts Configuration Protocol

The machine comes up and looks for a DHCP server.

It gets an IP address, netmask and DNS server.

What vulnerability do we have here?

Page 17

DHCP - Vulnerability

Get on the network and put your own DHCP server up.

The DNS server it gives out (serves up) is yours.

And it routes to spoofed web sites.

Why does this work?

Because the client takes the first DHCP server that answers. The one that responds first will be the one closest to the computer asking. Unless you have an intrusion detection system, you will get away with this.

An intrusion detection system at the network layer would find this.

Part of a penetration test.
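An added example of what that network-layer intrusion detection would look for, not code from the deck: log lines of observed DHCP offers (constructed) are checked against an assumed policy of which server may answer on the subnet and which DNS it should hand out.

```python
"""Defender's side of the rogue-DHCP attack on the slide: spot a second server
answering, or an offer carrying an unexpected DNS resolver. Example added
here; the log lines are constructed and the allowed-server list is assumed."""
from typing import Dict, List, NamedTuple

class Offer(NamedTuple):
    time: str
    server: str        # DHCP server that sent the OFFER
    client_mac: str
    offered_ip: str
    dns: str

# Constructed sample of what a network-layer monitor would log for OFFERs.
SAMPLE_OFFERS = """\
10:01:02 server=192.168.1.1 mac=c8:0a:a9:b5:9d:db ip=192.168.1.2 dns=192.168.1.1
10:01:02 server=192.168.1.77 mac=c8:0a:a9:b5:9d:db ip=192.168.1.2 dns=192.168.1.77
10:05:30 server=192.168.1.1 mac=00:11:22:33:44:55 ip=192.168.1.9 dns=192.168.1.1
"""

# Assumed policy for this subnet: only the router answers DHCP and is the DNS.
AUTHORISED_SERVERS = {"192.168.1.1"}
EXPECTED_DNS = {"192.168.1.1"}

def parse_offers(text: str) -> List[Offer]:
    """Turn 'time key=value ...' log lines into Offer records."""
    out = []
    for line in text.splitlines():
        t, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        out.append(Offer(t, f["server"], f["mac"], f["ip"], f["dns"]))
    return out

def find_rogue(offers: List[Offer]) -> List[Dict[str, str]]:
    """Alert on an OFFER from an unauthorised server, or on one whose DNS is
    not the expected resolver (how the DNS hijack on the slide shows up)."""
    alerts = []
    for o in offers:
        if o.server not in AUTHORISED_SERVERS:
            alerts.append({"time": o.time, "server": o.server, "reason": "unauthorised DHCP server"})
        elif o.dns not in EXPECTED_DNS:
            alerts.append({"time": o.time, "server": o.server, "reason": "unexpected DNS in offer"})
    return alerts

def clients_with_competing_offers(offers: List[Offer]) -> List[str]:
    """Clients that got OFFERs from more than one server: the race the slide
    describes ('first one wins') is visible here even without a policy."""
    seen: Dict[str, set] = {}
    for o in offers:
        seen.setdefault(o.client_mac, set()).add(o.server)
    return sorted(mac for mac, servers in seen.items() if len(servers) > 1)
```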

Page 18

What About DNS?

Domain Name Service. Maps names to IP addresses.

It is given to us by DHCP. On Unix, how do we find it? more /etc/resolv.conf

scott@kitchen:~$ more /etc/resolv.conf

# Generated by NetworkManager

nameserver 192.168.1.1

Page 19

On My Network

192.168.1.1 is the DNS server and the router. The netmask is 255.255.252.0. It is Cisco-like???? That is what we found out. To do this on Windows: ipconfig /all

Lab.... Tell me what you have on your Windows box.

Page 20

Conventions

Class C 255.255.255.0 – generally 192.168.x.x

Class A (bigger network) – generally 10.x.x.x

Gateway … generally whatever network you are working with, ending in .1. The DHCP server is generally the gateway.

Page 21

What is DHCP?

Distributed Hosts Configuration Protocol. Turn on a computer and get the IP address, DNS server, router, and any routes. The computer broadcasts for it. In other words, it comes up and says: who is my DHCP server?

First one wins.

Page 22

What is wrong with our Network, via Conventions?

It is a C network. Why? The netmask is 255.255.255.0. But the IP address starts with 10, which is an A network convention. What should it start with? ???? 192.168. The router ends in .254; what does it typically end in?

– .1

Page 23

Review: Fingerprinting

Why do we fingerprint? To learn about the system. If you are an adversary, you want to find something easy. If you are a security professional, you want to see how hard your systems are.

The most common tool is nmap. Nmap can help you work around an IDS. It inspects traffic to tell you about products and ports. Nmap is a TCP/IP expert: Xmas, stealth scans, etc.

Page 24

Network: Use the Netmask

Typical network --- Cisco …

IP address of the router is 192.168.1.1, netmask 255.255.255.0, class C.

So if I talk from 192.168.1.10 to 192.168.1.21, do I need to route? No.

So if the addresses differ only in the octet with a 0 in the netmask, no routing.

Page 25

Network: Route When

Addresses differ where the netmask has a 1.

For 255.255.255.0:

If we wish to go from 192.168.1.10 to 206.245.1.17, do we need to route? Yes.

How do we find our router? Use netstat -rn

Page 26

Talk About Addresses: TCP/IP Protocol

We agree not to route these addresses:

169.254 – what you get when you do not get a DHCP address.

172.

10.

192.168

127.0.0.1 127.0.0.2

192.168.1.x CISCO

192.168.0.x DLINK

Page 27

Network Topology

So, I want three networks to be separate and have one external address to the Internet. How do I do this?

206.1.17.9 external address, 10.10.10.254 internal

Network1 192.168.1.x 255.255.255.0 gtw 192.168.1.1, internal (10.10.10.1)

Network2 192.168.2.x 255.255.255.0 gtw 192.168.2.1, internal (10.10.10.2)

Network3 192.168.3.x 255.255.255.0 gtw 192.168.3.1, internal (10.10.10.3)

Page 28

What Did We Learn?

1) The netmask determines your address range. Route when the difference is in the area of 1's on the netmask.

2) The router must be on the same subnet as the network it is routing.

3) How do we find the netmask? Unix: ifconfig -a. Windows: ipconfig /all

4) How do we find the router? netstat -rn

5) How do we find the DNS server? Windows: ipconfig /all. Unix: more /etc/resolv.conf

Page 29

Email Tracking

Let's say I sent an email to Mo and I wanted assurance that he has read it. Email itself is a datagram.

In the email message:

<img src="www.morrisisagreatguy.com/photo.jpg">

There are tools that do this for you. They put in a link that does not require a click and sends a request to a server for recording.

Page 30

Email Tracking

<img src="www.morrisisagreatguy.com/photo.jpg">

This can be a servlet that returns a graphic. When the email is read, the servlet is called (it has to show the graphic). While serving the graphic, it records the fact that the email was read.
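Added example, not part of the deck: the recipient's side of this. It lists the images in an HTML message that will be fetched from a server when the mail is rendered and flags the ones shaped like a read beacon; the sample message is constructed, and the tracker host in it is a placeholder.

```python
"""Spot remote-image 'read receipts' in an HTML email: the defender's view of
the tracking technique on the slide. Example added here; the message is a
constructed sample, not from the original deck."""
from html.parser import HTMLParser
from typing import List, Dict

# Constructed HTML email body with one ordinary remote image and one
# tracking-style image (tiny, carries a per-recipient id in the URL).
SAMPLE_EMAIL = """\
<html><body>
<p>Hi Mo, see the photo below.</p>
<img src="http://www.morrisisagreatguy.com/photo.jpg" alt="photo">
<img src="http://tracker.example.test/open?id=mo-4711" width="1" height="1">
<img src="cid:inline-logo">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collect every <img> tag's attributes."""
    def __init__(self):
        super().__init__()
        self.images: List[Dict[str, str]] = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def remote_images(html: str) -> List[Dict[str, str]]:
    """Images fetched from a server when the mail is rendered. Anything not
    embedded (cid:/data:) causes an HTTP request that reveals the read."""
    p = ImgCollector()
    p.feed(html)
    return [i for i in p.images
            if not i.get("src", "").lower().startswith(("cid:", "data:"))]

def likely_tracking_pixels(html: str) -> List[str]:
    """Remote images that are 1x1 or carry a query string: the classic beacon."""
    out = []
    for i in remote_images(html):
        src = i.get("src", "")
        tiny = i.get("width") == "1" and i.get("height") == "1"
        if tiny or "?" in src:
            out.append(src)
    return out

if __name__ == "__main__":
    print("remote fetches on open:", [i["src"] for i in remote_images(SAMPLE_EMAIL)])
    print("likely beacons:", likely_tracking_pixels(SAMPLE_EMAIL))
```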

Page 31

Fingerprinting Lab

Tell me what I am running: nmap thestreits.com. By using nmap.

Tell me what hosts on your subnet are running. By using nmap.

Page 32

Fingerprinting

We want to see what is on our network. If you are bad.... then you are looking for easy things. We want to make sure we are not one of those easy things. So for bad people, fingerprinting is a way to find easy systems to crack. For security professionals, it is a way to harden our systems.

Page 33

Best Practices

Only SSH login, and only with a private key. Open ports: 22 (private key only) and 443. This is for externally facing servers. So how do we find out?

Page 34

How Do We Fingerprint?

Command: telnet host port. Then send it commands. Then work out what is running by parsing the results of the commands.

scott@companion:~$ telnet www.scottstreit.com 80

Trying 74.103.6.161......

HEAD

<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80</address>

</body></html>

Page 35

Instead Of

Telnet to a port. Writing a socket-level program. Ping:

scott@companion:~$ ping www.scottstreit.com

PING www.scottstreit.com (74.103.6.161) 56(84) bytes of data.

64 bytes from pool-74-103-6-161.bltmmd.fios.verizon.net (74.103.6.161): icmp_req=1 ttl=52 time=24.7 ms

Page 36

We Use Nmap

What is good about Nmap? Price.... free. Runs on every system. Around a long time – stable. De facto standard. Does a lot of things.

Page 37

nmap

We can see what systems are up on a subnet. We can see what ports are open. We can see what tools are running on the open ports. We don't have to fool around with TCP/IP.

Page 38

Two Movies on nmap

Let's watch a YouTube movie on nmap.

Page 39

Lab

Tell me what is running on my machine, www.scottstreit.com. Do it two ways. First, telnet to port 80 and send HEAD: telnet www.scottstreit.com 80

– HEAD

Then do an nmap on my box. Tell me what is running. Tell me what hosts are up on our 10. subnet.

Page 40

Let's Simulate nmap

scott@companion:~$ telnet www.scottstreit.com 80

Trying 173.59.254.127...

Connected to www.scottstreit.com.

Escape character is '^]'.

head

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>501 Method Not Implemented</title>

</head><body>

<h1>Method Not Implemented</h1>

<p>head to /index.html not supported.<br />

</p>

<hr>

<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80</address>

</body></html>

Connection closed by foreign host.

scott@companion:~$
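Added example, not from the deck: the same probe written as a socket program, plus the parsing step. Note the slide typed head in lowercase, so Apache answered 501 Method Not Implemented, but the error page's footer still disclosed the version (that footer comes from Apache's ServerSignature setting; ServerSignature Off and ServerTokens Prod suppress it). The sample reply is a copy of the slide's; the live call targets a placeholder host you administer.

```python
"""The slide's telnet HEAD probe as a small socket program, plus a parser that
pulls the version banner out of the reply, for checking what your own server
discloses. Example added here; the reply text is a copy of the slide's 501 page."""
import re
import socket
from typing import Optional

SAMPLE_RESPONSE = """\
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>head to /index.html not supported.<br />
</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80</address>
</body></html>
"""

# Banner leaks either via a Server: header or via Apache's error-page footer.
BANNER_RE = re.compile(r"<address>(.*?)</address>|^Server:[ \t]*(.+?)\r?$", re.I | re.M)

def extract_banner(response: str) -> Optional[str]:
    """Return the disclosed server string, or None if nothing was found."""
    m = BANNER_RE.search(response)
    return (m.group(1) or m.group(2)).strip() if m else None

def server_product(banner: str) -> str:
    """'Apache/2.2.14 (Ubuntu) Server at localhost Port 80' -> 'Apache/2.2.14 (Ubuntu)'."""
    return banner.split(" Server at ")[0].strip()

def head_request(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send a well-formed HEAD (uppercase method, blank line) and return the raw reply."""
    req = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")

if __name__ == "__main__":
    print(server_product(extract_banner(SAMPLE_RESPONSE)))
    # Against a host you administer (needs network):
    # print(extract_banner(head_request("your-host.example")))
```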