Penetration Testing Reconnaissance
CIS 6395, Incident Response Technologies, Fall 2016, Dr. Cliff Zou

Acknowledgement
Main lecture slides are adapted from:
- Eastern Washington University, CSCD 434: Network Security (Spring 2014), by Carol Taylor, http://penguin.ewu.edu/cscd434/CourseNotes/
- "Google Hacking 101", by Matt Payne, http://www.certconf.org/presentations/2006/files/RC1.pdf

Attack Stages
- It turns out there are many different reasons attackers want to attack you, from altruistic motives to sheer profit.
- Serious attackers accomplish their goals in stages.
- Ed Skoudis, a well-known security expert, identifies 5 stages of attack.
- Today we look at the first stage: Reconnaissance.

Purpose of Reconnaissance
- What is the purpose of reconnaissance? To find out information about the target(s).
- More experienced attackers invest time and resources in information discovery.
- Like bank robbers: do they just decide one day to rob a bank? No, at least the successful ones don't. They research vaults, locks and the address of the bank, and map an escape route.
- A computer attack is no different.

Attack Reconnaissance Sources
- Low technology: social engineering, physical reconnaissance, dumpster diving

Attack Reconnaissance: Social Engineering
- Employees give away sensitive information.
- The most successful approaches are phone calls to employees:
  - Call the help desk as a "new employee" asking for help with a particular task
  - An "angry manager" calls a lower-level employee because his password has suddenly stopped working
  - A "system administrator" calls an employee to fix her account ... which requires using her password

Social Engineering
- Social engineering works because it exploits human vulnerabilities:
  - Desire to help
  - Hope for a reward
  - Fear of making a mistake
  - Fear of getting in trouble
  - Fear of getting someone else in trouble

Social Engineering is Easy
- Compare social engineering vs. the traditional way to obtain a user password.
- Assume you already have the user name, e.g. ctaylor (got it from a web site, news or forum group).
- Traditional steps:
  1. Scan the network to see if ports are open
  2. Assume you got an open port and the machine didn't have the latest patches; install a rootkit onto the victim network
  4. Locate and copy the encrypted password file
     - Need to dump the password file to your server to process the file
     - Remain stealthy the entire time, modifying logs and altering registry keys to conceal when files were accessed
  5. Run cracking tools against the encrypted file
     - In the privacy of your own network, John the Ripper or Cain and Abel will crack the file
     - Takes about a week ...
- Same goals, but with social engineering:
  1. Make a phone call
  2. Make another phone call; while you are chatting, ask for and receive logon credentials

Defences for Social Engineering
- User awareness: train them not to give out sensitive information.
- A security awareness program should
inform employees about social engineering attacks.
- There is no reason why a system administrator ever needs you to give him/her your password.
- The help desk should have a way to verify the identity of any user requesting help.

Attack Reconnaissance: Physical Reconnaissance
- Several categories: tailgating, shoulder surfing, other tricks

Tailgating
- It is usually easy to look like you belong to an organization; you can sometimes just walk through the door.
- Can pose as someone related to an employee to gain access: temps, contractors, customers and suppliers all potentially have access.
- Once inside, the attacker has access to a lot of information: physical access to internal networks, passwords, user information, internal telephone numbers, anything you want.
- Defences: badges and biometric information; educate people against letting strangers into the building; teach employees to question people.

Shoulder Surfing
- Another physical method of gaining sensitive information: coffee shops, airport lounges, hotel lobbies.
- Many people are completely unaware of being spied upon.
- What can you learn? Private email sessions, government documents, corporate secrets, user names or passwords, even classified documents over the shoulder of an unwary government employee.
- Defense: be aware of who is around.

Attack Reconnaissance: Dumpster Diving
- In general: go through someone's trash.
- Recover copies of credit card receipts, floppies, passwords, usernames and other sensitive information.
- Defence: shred all paper including post-it notes; don't throw away floppies or other electronic media; secure trash areas (fence, locked gates).

Technical Attack Reconnaissance: Domain Names
- The registration process provides a guarantee of a unique name and enters the name in the Whois and DNS databases.
- Registrars: before 1999 there was one registrar, Network Solutions. Now thousands of registrars compete for clients; http://www.internic.net/alpha.html has the complete list of registrars.
- Internet Network Information Center, http://www.internic.net/whois.html: search for a domain name's registrar; it comes back with the registrar and other information.
- Example from Internic.net/whois for phptr.com (screenshot not reproduced).

Whois Query in Linux
- Try a whois query in Kali Linux, if the port number is not blocked!!!

Attack Reconnaissance: Whois DBs
- For other countries, use http://www.uwhois.com
- Military sites: use http://www.nic.mil/dodnic
- Education: use http://whois.educause.net/

Attack Reconnaissance: Details from the Whois DB
- After obtaining the target's registrar, the attacker can obtain detailed records on the target from the whois entries at the registrar's site.
- Can look up information by: company name, domain name, IP address, human contact, host or server name.
- If only the company's name is known, the Whois DB will still provide a lot more information: human contacts, phone numbers, e-mail addresses, postal address, name servers (the DNS servers).
- Network Solutions: http://www.networksolutions.com/whois/index.jsp
- Example record for counterhack.net:
    Registrant: Skoudis, Edward, 417 5TH AVE FL 11, NEW YORK, NY 10016-2204, US
    Domain Name: COUNTERHACK.NET
    Administrative Contact: Skoudis, Edward, 417 5TH AVE FL 11, NEW YORK, NY 10016-2204, US, Phone: 732-751-1024

Attack Reconnaissance: ARIN DB
- In addition to the Whois DB, another source of information is the American Registry for Internet Numbers (ARIN).
- ARIN maintains a Web-accessible, whois-style DB that lets users gather information about who owns particular IP address ranges: IPs in North and South America, the Caribbean and sub-Saharan Africa.
- Use http://ws.arin.net/, then type the IP address at the whois prompt.
- In Europe, use Réseaux IP Européens Network Coordination Centre (RIPE NCC): http://

Attack Reconnaissance: General Purpose Reconnaissance Tools
- Can also research the target through attack portals on the web; these sites let you do research and even initiate an attack against the target:
  - www.dnsstuff.com/tools
  - www.network-tools.com
  - www.cotse.com/refs.htm
  - http://www.dslreports.com/tools?r=76

Google Hacking Basics
- It is good to understand how Google works, then how Google can work for attackers to gain sensitive information, and how you can defend against this type of information gathering.
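The whois lookups described in the slides above follow RFC 3912: one query line over TCP port 43, then the server writes its reply and closes the connection. Here is an added example, not part of the lecture, of a minimal whois client plus a parser for the key/value records registrars return; the parser is run offline against a constructed reply so the script works without a network. For a defender the useful output is the list of personal contact fields that the organisation's own record exposes. The server name, the field names in CONTACT_FIELDS and the sample reply are assumptions, not taken from the slides.

```python
"""Added example (not from the lecture slides): RFC 3912 whois client and a
parser for the 'Key: value' records registrars return, exercised offline on
a constructed reply."""
import socket
from collections import defaultdict

# Assumed (standard for whois, not stated on the slides): servers answer on TCP 43.
WHOIS_PORT = 43


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one query to a whois server and return the raw reply text."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")  # query line, CRLF-terminated
        chunks = []
        while True:                                  # server closes when done
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines into a dict keyed by lower-cased field name.
    Repeated keys (e.g. Name Server) become lists; comment lines are skipped."""
    record = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        record[key.strip().lower()].append(value.strip())
    return {k: v if len(v) > 1 else v[0] for k, v in record.items()}


# Assumed field names that identify a person rather than the organisation.
# A defender reviewing their own record may want these behind a privacy proxy.
CONTACT_FIELDS = ("registrant name", "registrant phone", "registrant email",
                  "admin name", "admin phone", "admin email")


def exposed_contact_fields(record: dict) -> list:
    """Which personal contact fields are present in a parsed record."""
    return [k for k in CONTACT_FIELDS if k in record]


# Constructed sample reply (example.com is reserved for documentation).
SAMPLE_REPLY = """\
% Constructed sample whois reply, not a real registry record
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 1995-08-14T04:00:00Z
Registrant Name: Jane Doe
Registrant Phone: +1.5555550100
Admin Email: jane.doe@example.com
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
"""

if __name__ == "__main__":
    rec = parse_whois(SAMPLE_REPLY)
    print("name servers:", rec["name server"])
    print("personal fields exposed:", exposed_contact_fields(rec))
    # Live use would be: parse_whois(whois_query("whois.example-registrar.test", "example.com"))
```

The client is kept separate from the parser on purpose: the same parser can be pointed at output saved from the `whois` command in Kali, and the slides' own example record (Registrant, Administrative Contact, Phone) is exactly the kind of line it collects.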
Google Basics
- Several components to Google:
  - Google Bots: crawl web sites and search for information
  - Google Index: massive index of web pages; the index is what gets searched, and it relates pages to each other
  - Google Cache: a copy of 101K of text for each page; even deleted pages still have copies in the Google cache
  - Google API: programs perform searches and retrieve results using XML; uses SOAP (Simple Object Access Protocol); you need your own Google API key to use it
- Can use directives to focus a search and limit the amount of information returned:
  - site:counterhack.net says to search only in counterhack.net
  - filetype:ppt site:counterhack.net limits the file type to PowerPoint for the counterhack.net site
  - cache:www.counterhack.net is good for removed pages
- Combining terms gives powerful searches: site:wellsfargo.com filetype:xls ssn says to search only the Wells Fargo site for Excel files containing "ssn"
- If a web page is removed, it may still be in the Google Cache. Another place for removed web pages is the Wayback Machine, http://www.archive.org, which archives old web pages.
- Can search for active scripts:
  - site:wellsfargo.com filetype:asp
  - site:wellsfargo.com filetype:cgi
  - site:wellsfargo.com filetype:php

Google Bombing != Google Hacking
- http://en.wikipedia.org/wiki/Google_bomb: A Google bomb or Google wash is an attempt to influence the ranking of a given site in results returned by the Google search engine. Due to the way that Google's PageRank algorithm works, a website will be ranked higher if the sites that link to that page all use consistent anchor text.

How Do I Get Google Search Results?
- Pick your keywords carefully and be specific
- Do NOT exceed 10 keywords
- Use Boolean modifiers
- Use advanced operators
- Google ignores some words*: a, about, an, and, are, as, at, be, by, from, how, i, in, is, it, of, on, or, that, the, this, to, we, what, when, where, which, with
  *From: Google 201, Advanced Googology, Patrick Crispen, CSU

Google's Boolean Modifiers
- AND is always implied.
- OR: Escobar (Narcotics OR Cocaine)
- "-" = NOT: Escobar -Pablo
- "+" = MUST: Escobar +Roberto
- Use quotes for exact phrase matching: "nobody puts baby in a corner"

Wildcards
- Google supports word wildcards but NOT stemming: "It's the end of the * as we know it" works, but "American Psycho*" won't get you decent results on American Psychology or American Psychophysics.

Advanced Searching
- googleguide.com and the Advanced Search page: http://www.google.com/advanced_search
- http://www.googleguide.com/advanced_operators.html (short URL: http://tinyurl.com/5yjnx)

Review: Basic Search
- Use the plus sign (+) to force a search for an overly common word.
- Use the minus sign (-) to exclude a term from a search. No space follows these signs.
- To search for a phrase, supply the phrase surrounded by double quotes (" ").
- A period (.) serves as a single-character wildcard.
- An asterisk (*) represents any word, not the completion of a word as is traditionally used.

Advanced Operators
- Google advanced operators help refine searches. They use a syntax such as operator:search_term; notice that there is no space between the operator, the colon, and the search term.
- The site: operator instructs Google to restrict a search to a specific web site or domain. The web site to search must be supplied after the colon.
- The link: operator instructs Google to search within hyperlinks for a search term.
- The cache: operator displays the version of a web page as it appeared when Google crawled the site. The URL of the site must be supplied after the colon. Turn off images and you can look at pages without being logged on the server! Google as a mirror.
- Google searches not only the content of a page, but the title and URL as well:
  - The intitle: operator instructs Google to search for a term within the title of a document.
  - The inurl: operator instructs Google to search only within the URL (web address) of a document. The search term must follow the colon.
- To find every web page Google has crawled for a specific site, use the site: operator.

What Can Google Search?
- The filetype: operator instructs Google to search only within the text of a particular type of file. The file type to search must be supplied after the colon. Don't include a period before the file extension.
- Everything listed at http://filext.com/, Johnny Long claims.
- Can also, e.g., say filetype:phps to only search .phps files: filetype:phps mysql_connect
- File types include: Adobe Portable Document Format (pdf), Adobe PostScript (ps), Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku), MacWrite (mw), Microsoft Excel (xls), Microsoft PowerPoint (ppt), Microsoft Word (doc), Microsoft Works (wks, wps, wdb), Microsoft Write (wri), Rich Text Format (rtf), Shockwave Flash (swf), Text (ans, txt), and many more.

Directory Listings
- Directory listings show server version information, which is useful for an attacker.
- Advisories and application patches for a web application explain the newly discovered vulnerability.
- Analysis of the source code of the vulnerable application yields a search for un-patched applications. Sometimes this can be very simple; e.g.: (slide example not reproduced)

Automation!
- There are two ways to automate Google searches: plain old web robots, or the Google API: http://www.google.com/apis/
- Terms of Service, http://www.google.com/terms_of_service.html: "You may not send automated queries of any sort to Google's system without express permission in advance from Google. Note that 'sending automated queries' includes, among other things: using any software which sends queries to Google to determine how a web site or web page 'ranks' on Google for various queries; 'meta-searching' Google; and performing 'offline' searches on Google."

Google API
- The Google API is the blessed way of automating Google interaction. When you use the Google API you include your license string.

Protecting Yourself from Google Hackers
- Keep your sensitive data off the web! Even if you think you're only putting your data on a web site temporarily, there's a good chance that you'll either forget about it or that a web crawler will find it.
- Consider more secure ways of sharing sensitive data, such as SSH/SCP or encrypted email.
- Consider removing your site from Google's index: http://www.google.com/remove.html

Robots.txt
- Use a robots.txt file. Web crawlers are supposed to follow the robots exclusion standard, which outlines the procedure for "politely requesting" that web crawlers ignore all or part of your web site.
- This file is only a suggestion. The major search engines' crawlers honor this file and its contents.
- For examples and suggestions for using a robots.txt file, see ...

Google Hacking
- Something called the Google Hacking Database (GHDB): a database of saved queries that identify sensitive data.
- Google blocks some of the better-known Google hacking queries, but nothing stops a hacker from crawling your site and launching the Google Hacking Database queries directly.
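Because the queries themselves are public, one thing a site owner can do is watch their own access logs for visits that arrive through them. The following is an added example, not part of the lecture or of any tool it names: it parses combined-format web server log lines and flags entries whose Referer is a search-results page built with the advanced operators described above (site:, filetype:, inurl:, intitle:, cache:, link:). It assumes the referring URL still carries the query in its q= parameter, which older search result pages did and current engines generally do not; the log lines and the list of search hosts are constructed for the example.

```python
"""Added example (not from the lecture slides): flag web-server log entries
reached through a search query that uses Google's advanced operators."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Operators from the slides; ordinary keyword searches do not contain them.
DORK_OPERATORS = ("site:", "filetype:", "inurl:", "intitle:", "cache:", "link:")

# Assumption: referring search engines of interest, matched on host suffix.
SEARCH_HOSTS = ("google.com", "bing.com")


def referer_query(referer: str) -> str:
    """Return the q= parameter of a search-engine Referer, or '' if absent."""
    parts = urlsplit(referer)
    host = parts.netloc.lower()
    if not any(host == h or host.endswith("." + h) for h in SEARCH_HOSTS):
        return ""
    return parse_qs(parts.query).get("q", [""])[0]


def operators_in(query: str) -> list:
    """List the advanced operators present in a query string."""
    q = query.lower()
    return [op for op in DORK_OPERATORS if op in q]


def dork_hits(log_lines) -> list:
    """Return (ip, request, query, operators) for each entry that was reached
    through an operator-laden search query. Malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        query = referer_query(m.group("referer"))
        ops = operators_in(query)
        if ops:
            hits.append((m.group("ip"), m.group("req"), query, ops))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2016:13:55:36 -0400] "GET /reports/q3.xls HTTP/1.1" 200 51234 '
    '"https://www.google.com/search?q=site%3Aexample.com+filetype%3Axls+ssn" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2016:13:56:01 -0400] "GET /index.html HTTP/1.1" 200 2048 '
    '"https://www.google.com/search?q=example+company+hours" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2016:13:57:12 -0400] "GET /admin/ HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, req, query, ops in dork_hits(SAMPLE_LOG):
        print(f"{ip} {req!r} reached via query {query!r} using {ops}")
```

A hit is not proof of anything hostile (filetype:pdf appears in ordinary searches), but a request for a spreadsheet that arrived through a site:your-domain filetype:xls query is exactly the page the "Keep your sensitive data off the web" slide is about, and it tells you which file to pull first.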
Google Hacking
- Originally, the Google Hacking Database was located at http://www.hackersforcharity.org/ghdb/; it was created by Johnny Long, a security expert.
- More information about Google hacking can be found at http://www.informit.com/articles/article.asp?p=170880&rl=1
- Now the Google Hacking DB is at a different URL, http://www.exploit-db.com/google-hacking-database-reborn/, and is being maintained by the Exploit DB people; Johnny "I hack stuff" Long is off doing charitable work in Uganda.

Google Hacking
- What can a hacker learn from Google queries? Information the Google Hacking Database identifies:
  - Advisories and server vulnerabilities
  - Error messages that contain too much information
  - Files containing passwords
  - Sensitive directories
  - Pages containing logon portals
  - Pages containing network or vulnerability data such as firewall logs

Defenses from Google Hacking
- Check your site for Google hacking vulnerabilities.
- The easiest way to check whether your web site/applications have Google hacking vulnerabilities is to use a Web Vulnerability Scanner: it scans your entire website and automatically checks for pages identified by Google hacking queries. Note: your web vulnerability scanner must be able to launch Google hacking queries. Ex: Acunetix Web Vulnerability Scanner.

Defenses from Google Hacking
- If Google has cached a page or URL, you can have Google remove it:
  - First, update your Web site and remove the sensitive information.
  - Then signal Google not to index or cache it: put a robots.txt file in the Web server directory that says don't search certain directories, files, or the entire Web site.
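The robots.txt defense above, and the robots meta tags (noindex, nofollow, noarchive) that the next slide describes, are easy to get subtly wrong, so it helps to test them offline before relying on them. Here is an added example, not from the lecture: it uses Python's standard-library robots parser to show which constructed sensitive paths a weak robots.txt still leaves crawlable, beside a corrected version, and parses a page's robots meta tag. The robots.txt texts, the paths and the HTML pages are constructed for the example; Googlebot is just the crawler name being checked.

```python
"""Added example (not from the lecture slides): offline check of what a
robots.txt really excludes, plus a parser for the robots meta tag."""
from html.parser import HTMLParser
from urllib import robotparser

# Weak version: only the admin area is excluded.
WEAK_ROBOTS = """\
User-agent: *
Disallow: /admin/
"""

# Corrected version: exports, backups and script directories are excluded too.
# robots.txt is a request, not access control: the sensitive files must still
# be removed or put behind authentication. Every Disallow line is itself
# public, so name directories here, never individual secret files.
HARDENED_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /exports/
Disallow: /backup/
Disallow: /cgi-bin/
"""


def crawlable(robots_txt: str, paths, agent: str = "Googlebot",
              site: str = "https://example.com") -> list:
    """Return the subset of `paths` that a well-behaved crawler named `agent`
    may fetch under `robots_txt`."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return [p for p in paths if rp.can_fetch(agent, site + p)]


class _RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() == "robots":
            for d in (a.get("content") or "").split(","):
                if d.strip():
                    self.directives.add(d.strip().lower())


def robots_meta(html: str) -> set:
    """Directives of the page's robots meta tag (empty set if it has none)."""
    p = _RobotsMetaParser()
    p.feed(html)
    return p.directives


# Constructed paths of the kind Google hacking queries look for.
SENSITIVE_PATHS = ["/admin/", "/exports/payroll.xls", "/backup/site.tar",
                   "/cgi-bin/test.cgi", "/index.html"]

PAGE_WITH_META = ('<html><head><meta name="robots" content="noindex, noarchive">'
                  '</head><body>internal report</body></html>')
PAGE_WITHOUT_META = '<html><head><title>report</title></head><body>...</body></html>'

if __name__ == "__main__":
    print("still crawlable (weak):    ", crawlable(WEAK_ROBOTS, SENSITIVE_PATHS))
    print("still crawlable (hardened):", crawlable(HARDENED_ROBOTS, SENSITIVE_PATHS))
    print("meta directives:", robots_meta(PAGE_WITH_META), robots_meta(PAGE_WITHOUT_META))
```

Run against a real site, `crawlable` takes the live robots.txt text and a list of paths you would not want in a search index; any path that comes back is one the "Keep your sensitive data off the web" slide applies to, because a crawler that ignores robots.txt will find it anyway.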
Defenses Against Google Hacking
- Or keep Google from accessing your pages with meta tags at the top of Web pages: noindex, nofollow, noarchive and others tell Google not to index, link or archive the page.
- Can also request removal directly from Google, http://services.google.com/; Google does the request in 24 hours or less.
- Remove the page from other places: www.robotstxt.org for non-Google search engines; www.archive.org/about/faqs.php for the Wayback Machine.

Attack Reconnaissance Summary
- At the end of this phase the attacker has the information needed to move on to the next phase, Scanning.
- At a minimum the attacker has: phone number, list of IPs, address and domain name.
- If lucky, also operating system and server names.