Network Reconnaissance

What is it?

Military reconnaissance: a mission conducted to confirm or deny prior intelligence (if any) about enemy threat and/or the terrain of a given area.

Network reconnaissance: the process of acquiring information about a network.
Why?

Hackers use reconnaissance as the first step in an effective attack.
Seeing what is on the "other side of the hill" is crucial to deciding what type of attack to launch.
Generally, the goals of reconnaissance on a target network are to discover:
- IP addresses of hosts
- Accessible UDP and TCP ports
- OS type
Footprinting/Fingerprinting steps

- Information gathering: accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment
- Locate the network: what addresses can be targeted and are available for additional scanning and analysis
- Identify active machines: which machines are actively connected to the network and reachable
- Open ports and underlying applications: which ports and applications are accessible
- OS fingerprinting: identifying the targeted OSs as well as the systems' responses
- Network mapping: create a blueprint of the organization
Information Gathering

Get data regarding the network environment, such as the organization's web site, location, contact person and phone number.
Common tools: registrar query (whois), domain name and resource lookup, search tools
Locate the network range

What range of IP addresses is available for scanning and further enumeration?
Common tools: whois
Tool: WHOIS Search

WhoIs: query of Internet registries
Ref: http://www.arin.net/community/rirs.html
- AfriNIC: Africa
- APNIC: Asia/Pacific
- ARIN: North America
- LACNIC: Central and South America
- RIPE NCC: Europe, Middle East, Central Asia
- InterNIC: ICANN public domain name registration info

3rd-party Whois tools
- Geektools: http://www.geektools.com/whois.php
- DomainTools: http://www.domaintools.com/
- DNSStuff: http://www.dnsstuff.com
Tool: WHOIS web interface
Tool: Google

Google, Yahoo, Live.com, etc.
- Gather information about a targeted organization
- Evaluate web sites for known security issues
- Identify files that are accidentally exposed to the public
Tool: Google search

Helpful Google queries:
- Related sites: related:www.someaddr.com
- Search a specific site: site:www.someaddr.com search_terms
- Use Google to search group or blog postings
Tool: Google operators

Google advanced operators:
- AND: “+”
- OR: “|”
- Synonym: “~”
- site:www.jeffersonwells.com
- inurl:robots.txt
- link:www.jeffersonwells.com
- intitle:“jefferson wells”
- filetype:xls
Tool: NSLOOKUP

Queries domain name server information:
- IP and domain name mapping
- Zone transfer: dumps the entire table
- Check mail server
Tool: NSLOOKUP

Zone transfer: dumps the entire table

    $ nslookup
    > server A.B.C.D
    > ls somedomain.com
Tool: NSLOOKUP

MX record

    $ nslookup
    > set type=MX
    > somedomain.com
Network Identifier Tools

Identifying active computers and services. Common tools:
- ping, ping6: help verify whether a host is active
- traceroute, traceroute6: determine the route to a node
Tool: ping

    ping [hostname|ip_address]
    ping6 [hostname|ip_address]
    ping -R [hostname|ip_address]
Tool: traceroute

- tracert: Windows
- traceroute: Unix
Tool: How Traceroute works

1. Launch a probe packet towards DST, with a TTL of 1.
2. Every router hop decrements the IP TTL of the packet by 1.
3. When the TTL hits 0, the packet is dropped and the router sends an ICMP TTL Exceeded packet to SRC with the original probe packet as payload.
4. SRC receives this ICMP message and displays a traceroute “hop”.
5. Repeat from step 1, with the TTL incremented by 1 each time, until...
6. The DST host receives the probe and returns ICMP Dest Unreachable.
Tool: Traceroute Report Hop

- A traceroute packet with a TTL of 1 enters the router via the ingress interface.
- The router decrements the TTL to 0, drops the packet and generates ICMP TTL Exceeded.
- The ICMP packet's dst address is set to the original traceroute probe source (SRC).
- The ICMP packet's src address is set to the IP of the ingress router interface.
- Traceroute shows a result based on the src address of the ICMP packet.
- The traceroute in the slide's diagram will read: 172.16.2.1 10.3.2.2
- You have NO visibility into the return path or the egress interface used.
Tool: Traceroute Latency Calculation

How is traceroute latency calculated?
- Timestamp when the probe packet is launched
- Timestamp when the ICMP response is received
- Calculate the difference to determine the round-trip time
- Routers along the path do not spend any time “processing”; they simply reflect the original packet's data back to the SRC
- Many implementations encode the original launch timestamp into the probe packet, to increase accuracy and reduce state
- Most importantly: only the ROUND TRIP is measured
- Traceroute shows you the hops on the forward path, but shows you latency based on the forward PLUS reverse path. Any delays on the reverse path will affect your results!
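The six steps and the report-hop and latency slides above can be walked through in code. This added Python example (not from the slides) simulates a probe crossing a constructed two-router path: the ingress addresses 172.16.2.1 and 10.3.2.2 are taken from the slide diagram, while the egress addresses, the destination 192.0.2.10 and all delays are made up.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    """One device on a constructed path. Only the ingress address is ever
    visible to traceroute, since that is the source the device stamps on its
    ICMP reply; the egress address and reverse-path delay stay hidden."""
    ingress: str
    egress: str
    fwd_ms: float   # one-way delay from the previous hop to this ingress
    rev_ms: float   # one-way delay for this hop's ICMP reply back to SRC

def probe(routers, dst, ttl):
    """Send one probe with the given TTL. Returns (reporting address, RTT ms).
    Each router decrements the TTL by 1; the one that drops it at 0 answers
    with ICMP TTL Exceeded. If the probe survives, DST answers Dest Unreachable."""
    fwd = 0.0
    for r in routers:
        fwd += r.fwd_ms
        ttl -= 1
        if ttl == 0:
            return r.ingress, fwd + r.rev_ms
    return dst.ingress, fwd + dst.fwd_ms + dst.rev_ms

def traceroute(routers, dst, max_hops=30):
    """Step the TTL from 1 upward until DST itself replies (steps 1-6 above)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        addr, rtt = probe(routers, dst, ttl)
        hops.append((ttl, addr, round(rtt, 1)))
        if addr == dst.ingress:
            break
    return hops

# Constructed path: 172.16.2.1 and 10.3.2.2 are the ingress addresses from the
# slide diagram; egress addresses and delays are made up. Router 2 has a fast
# forward path but a slow (40 ms) reverse path.
SAMPLE_ROUTERS = [
    Hop("172.16.2.1", "10.3.2.1", fwd_ms=1.0, rev_ms=1.0),
    Hop("10.3.2.2", "192.0.2.1", fwd_ms=2.0, rev_ms=40.0),
]
SAMPLE_DST = Hop("192.0.2.10", "192.0.2.10", fwd_ms=3.0, rev_ms=3.0)

if __name__ == "__main__":
    for ttl, addr, rtt in traceroute(SAMPLE_ROUTERS, SAMPLE_DST):
        print(f"{ttl:2d}  {addr:<12} {rtt:6.1f} ms")
    # Hop 2 reports 43.0 ms while hop 3 reports 9.0 ms: the reverse-path delay
    # inflates hop 2 even though the forward path is strictly increasing.
```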
Tool: Interpreting Traceroute DNS

Interpreting DNS is one of the most important aspects of correctly using traceroute.
Information you can uncover includes:
- Physical router locations
- Interface types and capacities
- Router types and roles
- Network boundaries and relationships
Tool: Traceroute Reading Tips

- A router's name may include an exchange point: MAE, NAP, PAIX
- Router names may use the IATA 3-letter code of the nearest airport or a CLLI code in their node name
- Other abbreviations: http://www.sarangworld.com/TRACEROUTE/showdb-2.php3
- Interface name
Tool: Common Location: US Major Cities

Tool: Common Location: Major Cities

Tool: Common Interface Naming
Tool: Router Type/Role

Knowing the role of a router can be useful. But every network is different and uses different naming conventions, and they may not always follow their own naming rules. Generally speaking, you may need to guess from the context to get a basic understanding of the roles.
- Core routers: CR, Core, GBR, BB
- Peering routers: BR, Border, Edge, IGR, Peer
- Customer routers: AR, Aggr, Cust, CAR, GW
Tool: DNS Interface type

Most networks will try to put interface info into DNS, though this may not always be up to date. Many large networks use automatically generated DNS, which may carry capacity and maybe even the make/model of the router as well.
Example: xe-11-1-0.edge1.Washington1.Level2.net
- XE-#/#/# is a Juniper 10GE port.
- The device has at least 12 slots.
- It's at least a 40G/slot router since it has a 10GE PIC in slot 1.
- It must be a Juniper MX960; no other device could fit this profile.
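A small parser for hop names of the kind in the example above, added here and not part of the slides. It extracts the Juniper xe-slot-pic-port interface, the minimum slot count, the role keyword from the Router Type/Role slide and the city; the "ge"/"et" prefixes and the second hostname are assumptions added for illustration.

```python
import re

# Interface prefixes: "xe" (Juniper 10GE) is the slide's example; "ge" and "et"
# are the neighbouring Juniper conventions, added here for illustration.
IFACE_TYPES = {"ge": "Juniper 1GE", "xe": "Juniper 10GE", "et": "Juniper 40/100GE"}

# Role abbreviations taken from the "Router Type/Role" slide above.
ROLES = {
    "core":     ["cr", "core", "gbr", "bb"],
    "peering":  ["br", "border", "edge", "igr", "peer"],
    "customer": ["ar", "aggr", "cust", "car", "gw"],
}

def classify_role(label):
    """Map a DNS label such as 'edge1' or 'CR2' to a coarse router role."""
    word = re.sub(r"\d+$", "", label.lower())       # strip the instance number
    for role, abbrevs in ROLES.items():
        if word in abbrevs:
            return role
    return "unknown"

def parse_hostname(fqdn):
    """Pull interface, slot count, role and city out of a traceroute hop name.
    Assumes the common layout interface.role.location.domain; anything that
    does not fit is reported as None/'unknown' rather than guessed."""
    labels = fqdn.split(".")
    info = {"interface": None, "slot": None, "min_slots": None,
            "role": "unknown", "location": None}
    m = re.fullmatch(r"([a-z]+)-(\d+)-(\d+)-(\d+)", labels[0].lower())  # xe-slot-pic-port
    if m:
        kind, slot = m.group(1), int(m.group(2))
        info["interface"] = IFACE_TYPES.get(kind, kind)
        info["slot"] = slot
        info["min_slots"] = slot + 1        # slots are numbered from 0
        labels = labels[1:]
    if len(labels) >= 3:                    # role.location.<domain...>
        info["role"] = classify_role(labels[0])
        info["location"] = re.sub(r"\d+$", "", labels[1])
    return info

if __name__ == "__main__":
    for name in ("xe-11-1-0.edge1.Washington1.Level2.net",      # from the slide
                 "ge-0-0-1.cr2.Chicago3.example.net"):          # constructed
        print(name, "->", parse_hostname(name))
```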
Tool: Sample Traceroute

    $ traceroute www.hellers.com
    $ traceroute www.mit.edu
Identifying Active Machines

Attackers will want to know if machines are alive before they attempt to attack. One of the most basic methods of identifying active machines is to perform a sweep.
Common tools: ping, traceroute; network scanning tools: nmap, superscan
Finding Open Ports

Open services
Common tools: port scanning tools such as nmap, superscan
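Seen from the defender's side, both the sweep described under Identifying Active Machines and the port scan described here leave a distinctive trail in firewall logs. The following added example (not from the slides) runs a simple detector over constructed log lines; the iptables-like key=value format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log in a simplified iptables-like key=value form: one
# source pings six hosts (a sweep), another probes twelve ports on one host
# (a port scan), and a single benign HTTPS connection is mixed in.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} SRC=203.0.113.5 DST=192.0.2.{10 + i} PROTO=ICMP TYPE=8"
     for i in range(6)]
    + [f"2024-05-01T10:01:{i:02d} SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT={20 + i}"
       for i in range(12)]
    + ["2024-05-01T10:02:00 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=443"]
)

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn 'KEY=value KEY=value ...' into a dict; the timestamp has no '=' and is skipped."""
    return dict(FIELD.findall(line))

def detect_recon(lines, sweep_hosts=5, scan_ports=10):
    """Flag a source that sends ICMP echo requests to many distinct hosts
    (ping sweep) or hits many distinct ports on a single host (port scan).
    Thresholds are illustrative; tune them to your own traffic baseline."""
    icmp_targets = defaultdict(set)      # src -> {dst hosts pinged}
    port_targets = defaultdict(set)      # (src, dst) -> {destination ports}
    for line in lines:
        f = parse_line(line)
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":   # echo request
            icmp_targets[f["SRC"]].add(f["DST"])
        elif f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:
            port_targets[(f["SRC"], f["DST"])].add(f["DPT"])
    alerts = []
    for src, dsts in icmp_targets.items():
        if len(dsts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, len(dsts)))
    for (src, dst), dpts in port_targets.items():
        if len(dpts) >= scan_ports:
            alerts.append(("port_scan", f"{src}->{dst}", len(dpts)))
    return alerts

if __name__ == "__main__":
    for kind, who, count in detect_recon(SAMPLE_LOG):
        print(f"{kind:<10} {who:<28} {count} distinct targets")
```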
OS Fingerprinting

Passive fingerprinting: a sniffing technique; examine packets for certain characteristics such as
- The IP TTL value
- The TCP window size
- The IP DF option
- The IP Type of Service (TOS) option
Active fingerprinting: injects packets into the network and examines the subtle differences that exist between different vendor implementations of the TCP/IP stack.
Common tools: nmap
Mapping the Network

- Gained enough information to build a network map
- Network mapping provides the hacker with a blueprint of the organization.
- May use manual or automated ways to compile this information
Summary

Method                          | Technique      | Common Tools
--------------------------------|----------------|---------------------------------------------
Information gathering           | Passive        | Whois, nslookup
Determining network range       | Passive        | RIPE, LACNIC, APNIC, ARIN
Identify active machines        | Active         | ping, hping, traceroute, nmap, SuperScan
Finding open ports/applications | Active         | nmap, Amap, SuperScan
OS fingerprinting               | Active/passive | nmap, Winfingerprint, P0f, Xprobe2, ettercap
Mapping the network             | Active         | CartoReso, traceroute, NeoTrace
Q&A