Computer Security Workshop

Module 1 – Footprinting / Packet Sniffing

Uploaded by ken; posted 19-Mar-2016 (transcript of a PowerPoint presentation)

Footprinting

Definition: the gathering of information about a potential system or network (a.k.a. fingerprinting)

Attacker’s point of view
- Identify potential target systems
- Identify which types of attacks may be useful on target systems

Defender’s point of view
- Know available tools
- May be able to tell if system is being footprinted, be more prepared for possible attack
- Vulnerability analysis: know what information you’re giving away, what weaknesses you have

Information to Gather

System (Local or Remote)
- IP Address, Name and Domain
- Operating System
  - Type (Windows, Linux, Solaris)
  - Version (98/NT/2000, Redhat 7/8/9, Fedora, SuSe)
- Usernames
- File structure
- Open Ports (what services/programs are running on the system)
- Physical Proximity/Location

Information to Gather (2)

Networks / Enterprises
- System information for all hosts
- Network topology
  - Gateways
  - Firewalls
  - Overall topology
- Network traffic information
- Specialized servers
  - Web, Database, FTP, Email, etc.

Defender Perspective

- Identify information you’re giving away
- Identify weaknesses in systems/network
- Know when systems/network is being probed
- Identify source of probe
- Develop awareness of threat
- Construct audit trail of activity

Tools - Linux

Linux tools - lower level utilities
- Local System
  - hostname
  - ifconfig
  - who, last
- Remote Systems
  - ping
  - traceroute
  - finger (also local system)
  - nslookup, dig
  - whois
  - arp, netstat (also local system)
- Other tools
  - lsof

Tools – Linux (2)

Other utilities
- ethereal (packet sniffing)
- nmap (port scanning) - more later

Tools - Windows

Windows
- Sam Spade (collected tools)
- ethereal (packet sniffer)
- Command line tools
  - ipconfig
  - hostname
  - Many others…

hostname

Determine name of current system
Usage: hostname
E.g. hostname
  localhost.localdomain        // default
E.g. hostname
  clics.cs.uwec.edu

ifconfig

Configure network interface
Tells current IP numbers for host system
Usage: ifconfig
E.g. ifconfig        // command alone: display status
  eth0    Link encap: Ethernet  HWaddr 00:0C:29:CD:F6:D3
          inet addr: 192.168.172.128
          . . .
  lo      Link encap: Local Loopback
          inet addr: 127.0.0.1
          . . .

who

Basic tool to show users on current system
Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts)
Usage: who
E.g. who
  root   tty1   Jan 9 12:46
  paul   tty2   Jan 9 12:52

last

Show last N users on system
- Default: since last cycling of file
- -N: last N lines
Useful for identifying unusual activity in recent past
Usage: last [-n]
E.g. last -3
  wagnerpj pts/1  137.28.253.254    Sat Feb 5 15:40   still logged in
  flinstf  pts/0  137.28.191.74     Sat Feb 5 15:38   still logged in
  rubbleb  pts/0  c48.193.173.92.e  Sat Feb 5 14:38 - 15:25  (00:46)
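The who/last slides suggest reading login records for unusual activity (new accounts, odd sources, odd hours). The following is an added example, not part of the workshop materials: it parses text in the layout `last` prints and flags sessions worth a second look. The sample lines, the trusted address prefix `137.28.`, the expected-user set and the working-hours window are all constructed assumptions for the demonstration.

```python
import re

# Constructed sample output in the layout `last` prints (not a real login record);
# the fourth line is an added entry so the checks below have something to flag.
SAMPLE_LAST = """\
wagnerpj pts/1        137.28.253.254   Sat Feb  5 15:40   still logged in
flinstf  pts/0        137.28.191.74    Sat Feb  5 15:38   still logged in
rubbleb  pts/0        c48.193.173.92.e Sat Feb  5 14:38 - 15:25  (00:46)
newacct  pts/3        203.0.113.77     Sat Feb  5 03:12 - 03:40  (00:28)
"""

# user  tty  origin  Dow Mon day HH:MM [- HH:MM (duration)] [still logged in]
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<dow>\w{3})\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<start>\d\d:\d\d)"
    r"(?:\s+-\s+(?P<end>\d\d:\d\d)\s+\((?P<dur>[\d:+]+)\))?"
    r"(?P<still>\s+still logged in)?\s*$"
)

# Assumptions for the checks: the site's own address block, the accounts
# expected on this host, and the hours during which logins are normal.
TRUSTED_PREFIXES = ("137.28.",)
EXPECTED_USERS = {"wagnerpj", "flinstf", "rubbleb"}
WORK_HOURS = range(6, 22)  # 06:00 - 21:59


def parse_last(text):
    """Turn `last` output into session dicts; lines that do not parse (e.g. 'wtmp begins') are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        sessions.append({
            "user": d["user"], "tty": d["tty"], "host": d["host"],
            "start": d["start"], "end": d["end"], "duration": d["dur"],
            "still_logged_in": d["still"] is not None,
        })
    return sessions


def flag_unusual(sessions, trusted=TRUSTED_PREFIXES, expected=EXPECTED_USERS, hours=WORK_HOURS):
    """Return (user, host, reasons) for each session that merits a closer look."""
    findings = []
    for s in sessions:
        reasons = []
        if not s["host"].startswith(trusted):
            reasons.append("source outside trusted range")
        if s["user"] not in expected:
            reasons.append("account not in expected set")
        if int(s["start"][:2]) not in hours:
            reasons.append("off-hours login")
        if reasons:
            findings.append((s["user"], s["host"], reasons))
    return findings


if __name__ == "__main__":
    for user, host, reasons in flag_unusual(parse_last(SAMPLE_LAST)):
        print(f"{user:10} {host:18} {'; '.join(reasons)}")
```

On a real host, feed it the output of `last` directly; the rules are deliberately simple so they can be replaced by whatever "normal" means for the system being watched.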

ping

Potential Uses
- Is system online?
  - Through response
- Gather name information
  - Through DNS
- Estimate relative physical location
  - Based on RTT (Round Trip Time) given in summary statistics
- Identify operating system
  - Based on TTL (packet Time To Live) on each packet line
  - TTL = number of hops allowed to get to system
  - 64 is Linux default, 128 is Windows default (but can be changed!)

Notes
- Uses ICMP packets
- Often blocked on many hosts
- Usage: ping system
  - E.g. ping ftp.redhat.com
  - E.g. ping localhost
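To make the TTL and RTT reasoning on this slide concrete, here is an added example (not from the workshop) that parses ping output in the Linux iputils layout, estimates the sender's initial TTL and hop distance, and reports the average RTT. The sample output and the hostnames and addresses in it are constructed; the initial-TTL table encodes the 64/128 rule of thumb from the slide plus 255, and, as the slide warns, any of these can be changed by an administrator, so the result is a hint, not an identification.

```python
import re

# Constructed ping output in Linux iputils layout (documentation address 192.0.2.10, not a live host).
SAMPLE_PING = """\
PING host.example (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=54 time=23.4 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=54 time=22.9 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=54 time=24.1 ms

--- host.example ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 22.900/23.467/24.100/0.491 ms
"""

# Constructed output for a host that filters ICMP echo (the "often blocked" case).
SAMPLE_PING_SILENT = """\
PING quiet.example (192.0.2.20) 56(84) bytes of data.

--- quiet.example ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2043ms
"""

REPLY_RE = re.compile(
    r"bytes from (?P<ip>[\d.]+): icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<rtt>[\d.]+) ms")
SUMMARY_RE = re.compile(r"rtt min/avg/max/mdev = (?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+)/")

# Common initial TTLs. Assumption from the slide's rule of thumb; administrators can change them.
INITIAL_TTLS = {64: "Linux/Unix-like default", 128: "Windows default", 255: "routers and some other stacks"}


def parse_ping(text):
    """Return (list of echo replies, summary dict or None) from ping output."""
    replies = [{"ip": m["ip"], "seq": int(m["seq"]), "ttl": int(m["ttl"]), "rtt_ms": float(m["rtt"])}
               for m in REPLY_RE.finditer(text)]
    s = SUMMARY_RE.search(text)
    summary = {k: float(v) for k, v in s.groupdict().items()} if s else None
    return replies, summary


def infer_from_ttl(observed):
    """Assume the sender started at the next common initial TTL above the observed value;
    the difference is the number of routers the reply crossed."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return {"initial_ttl": initial, "hops": initial - observed, "os_hint": INITIAL_TTLS[initial]}
    return {"initial_ttl": None, "hops": None, "os_hint": "unknown"}


def analyze_ping(text):
    """Combine the slide's four uses: reachability, address, TTL-based OS hint, RTT."""
    replies, summary = parse_ping(text)
    if not replies:
        # No reply proves nothing: the host may be down or may simply filter ICMP.
        return {"online": None}
    ttl = replies[0]["ttl"]
    result = {"online": True, "ip": replies[0]["ip"], "ttl": ttl,
              "avg_rtt_ms": summary["avg"] if summary else None}
    result.update(infer_from_ttl(ttl))
    return result


if __name__ == "__main__":
    print(analyze_ping(SAMPLE_PING))
    print(analyze_ping(SAMPLE_PING_SILENT))
```

Note that the silent case returns `None` rather than `False` for `online`: a missing echo reply is exactly the ambiguity the slide's "often blocked on many hosts" note describes.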

traceroute

Potential Uses
- Determine physical location of machine
- Gather network information (gateway, other internal systems)
- Find system that’s dropping your packets – evidence of a firewall

Notes
- Can use UDP or ICMP packets
- Results often limited by firewalls
- Usage: traceroute system
  - E.g. traceroute cs.umn.edu

traceroute example

[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
<ctrl-c>
[wagnerpj@data ~]$

traceroute example - success

H:\>tracert www.google.com

Tracing route to www.google.akadns.net [64.233.167.99]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
 10    16 ms    16 ms    18 ms  216.239.46.10
 11    21 ms    19 ms    17 ms  64.233.175.30
 12    18 ms    16 ms    16 ms  64.233.167.99

Trace complete.
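The two traces above differ in one important way: the Linux one stops at `* * *` (the "evidence of a firewall" case) while the Windows one reaches its target. The following added example, which is not part of the workshop, parses both layouts and reports where a trace went silent. The sample traces use documentation addresses and made-up hostnames rather than the routes on the slides.

```python
import re

# Constructed traceroute output in the Linux layout; the trace goes silent after hop 3.
SAMPLE_LINUX = """\
traceroute to target.example (203.0.113.40), 30 hops max, 38 byte packets
 1  192.0.2.1 (192.0.2.1)  0.247 ms  0.220 ms  0.208 ms
 2  gw.example (198.51.100.1)  0.245 ms  0.229 ms  0.220 ms
 3  core.example (198.51.100.9)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
 5  * * *
"""

# Constructed tracert output in the Windows layout; this one reaches the target.
SAMPLE_WINDOWS = """\
Tracing route to www.example [203.0.113.40]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  gw.example [198.51.100.1]
  2     4 ms     6 ms     3 ms  198.51.100.9
  3    17 ms    17 ms    17 ms  203.0.113.40

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")      # hop lines start with the hop number
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")          # first dotted quad on the line
RTT_RE = re.compile(r"(<?\d+(?:\.\d+)?) ms")                    # "0.247 ms" or Windows "<1 ms"


def parse_traceroute(text):
    """Return the target address from the header line and one dict per hop (ip is None for * * *)."""
    lines = text.splitlines()
    target = IPV4_RE.search(lines[0]) if lines else None
    hops = []
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        ip = IPV4_RE.search(rest)
        hops.append({
            "hop": int(m["hop"]),
            "ip": ip.group(1) if ip else None,
            "rtts_ms": [float(v.lstrip("<")) for v in RTT_RE.findall(rest)],
        })
    return {"target": target.group(1) if target else None, "hops": hops}


def summarize(trace):
    """Did we reach the target, who answered last, and at which hop did replies stop?"""
    hops, target = trace["hops"], trace["target"]
    answered = [h for h in hops if h["ip"]]
    silent = [h["hop"] for h in hops if not h["ip"]]
    return {
        "reached": bool(answered) and answered[-1]["ip"] == target,
        "last_responder": answered[-1]["ip"] if answered else None,
        "first_silent_hop": silent[0] if silent else None,
        "max_rtt_ms": max((r for h in answered for r in h["rtts_ms"]), default=None),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_LINUX, SAMPLE_WINDOWS):
        print(summarize(parse_traceroute(sample)))
```

`last_responder` is the device just before the silence; on the slide that is the last router before cs.umn.edu's filtering begins. It is the network element a defender would examine when asking "what are we exposing about our topology?".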

finger

Potential Uses
- Collect usernames
- Determine if user is currently logged in

Notes
- Often blocked
- Usage: finger localuser  or  finger @system  or  finger remoteuser@system
  - E.g. finger wagnerpj (user on local system)
  - E.g. finger @cs.umn.edu (all on remote system)
  - E.g. finger [email protected] (user on remote system)

whois

Potential Uses
- Queries nicname/whois servers for Internet registration information
- Can gather contacts, names, geographic information, servers, … - useful for social engineering attacks

Notes
- Usage: whois domain
  - e.g. whois netcom.com

whois example - basic

Domain Name: UWEC.EDU

Registrant:
  University of Wisconsin - Eau Claire
  105 Garfield Avenue
  Eau Claire, WI 54702-4004
  UNITED STATES

Contacts:

Administrative Contact:
  Computing and Networking Services
  105 Garfield Ave
  Eau Claire, WI 54701
  UNITED STATES
  (715) 836-5711
  [email protected]

Name Servers:
  TOMATO.UWEC.EDU   137.28.1.17
  LETTUCE.UWEC.EDU  137.28.1.18
  BACON.UWEC.EDU    137.28.5.194

whois example - wildcards

whois uw%.edu

Your search has matched multiple domains.
Below are the domains you matched (up to 100). For specific
information on one of these domains, please search on that domain.

  UW.EDU
  UWA.EDU
  UWB.EDU
  UWC.EDU
  UWEC.EDU
  UWEST.EDU
  UWEX.EDU
  …

nslookup

Potential Uses
- Query internet name servers
- Find name for IP address, and vice versa

Notes
- Now deprecated – generally use dig
- Sometimes useful when dig fails

Usage
- nslookup xxxxxxx        // name or IP addr.
  - E.g. nslookup data.cs.uwec.edu
  - E.g. dig data.cs.uwec.edu

dig

Potential Uses
- Domain Name Service (DNS) lookup utility
- Associate name with IP address and vice versa

Notes
- Many command options
- General usage: dig <somehost>
  - E.g. dig data.cs.uwec.edu
  - E.g. dig 137.28.109.33

arp

Tracks addresses, interfaces accessed by system

Possible uses
- Find adjacent systems

Notes
- arp        // display names
- arp -n     // display numeric addresses

netstat

Shows connections, routing information, statistics

Possible uses
- find adjacent machines, used ports

Notes
- Many flags
  - netstat        // open sockets, etc.
  - netstat -s     // summary statistics
  - netstat -r     // routing tables
  - netstat -p     // programs
  - netstat -l     // listening sockets

lsof

Lists open files on your system
Useful to see what processes are working with what files, possibly identify tampering
Usage: lsof

Windows Tools

Sam Spade
- “swiss army knife” of footprinting
- Has most of the Linux tools
- Plus other functionality

Usage
- Start application
- Fill in name or IP address
- Choose option desired in menus

Packet Sniffers

Definition: Hardware or software that can display network traffic packet information

Usage
- Network traffic analysis

Example packet sniffers
- tcpdump (command line, Linux)
- ethereal (Linux, Windows – open source)
- others…

Limitations – Packet Sniffing

Packet sniffers only catch what they can see
- Users attached to hub – can see everything
- Users attached to switch – can see own traffic only

Need to be able to put NIC in “promiscuous” mode to be able to process all traffic, not just traffic for/from itself
- NIC must support
- Need privilege (e.g. root in Linux)

OSI Network Protocol

Layer 7 – Application (incl. app. content)
Layer 6 – Presentation
Layer 5 – Session
Layer 4 – Transport (incl. protocol, port)
Layer 3 – Network (incl. source, dest)
Layer 2 – Data Link
Layer 1 – Physical
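The layer list above is what a sniffer's "packet breakdown" pane walks through for every frame. To show what that decoding involves, the following added example (not from the workshop or from Ethereal's code) builds one Ethernet/IPv4/TCP frame from constructed values and then dissects it, pulling out the layer 2 addresses, the layer 3 source/destination and TTL, the layer 4 protocol and ports, and the layer 7 content, and verifying the IPv4 header checksum the way a sniffer flags corrupt headers. The source MAC and address are the ones from the ifconfig slide; the destination values, ports and HTTP request are constructed.

```python
import struct


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def _fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def ip_checksum(header):
    """RFC 1071 ones'-complement sum; a header that already carries a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Construct a sample Ethernet/IPv4/TCP (PSH+ACK) frame for the dissector; not captured traffic."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # checksum lives at bytes 10-11
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def dissect(frame):
    """Break a frame into the layers a sniffer's detail pane shows: link, network, transport, application."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"link": {"dst_mac": _fmt_mac(frame[:6]), "src_mac": _fmt_mac(frame[6:12]),
                       "ethertype": ethertype}}
    if ethertype != 0x0800:
        return layers                                   # not IPv4: stop after layer 2
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if len(ip) < ihl or total_len > len(ip):
        raise ValueError("IPv4 length fields exceed captured data")
    layers["network"] = {"src_ip": _fmt_ip(ip[12:16]), "dst_ip": _fmt_ip(ip[16:20]),
                         "ttl": ip[8], "protocol": ip[9],
                         "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    if ip[9] != 6:
        return layers                                   # only TCP is decoded here
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, offset_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    layers["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq, "flags": flags}
    payload = tcp[(offset_byte >> 4) * 4:]
    layers["application"] = {"bytes": len(payload),
                             "first_line": payload.split(b"\r\n", 1)[0].decode("latin-1")}
    return layers


# Constructed sample: the ifconfig slide's host talking to a documentation address.
SAMPLE_FRAME = build_frame("00:0c:29:cd:f6:d3", "00:50:56:c0:00:08", "192.168.172.128", "192.0.2.10",
                           40000, 80, b"GET / HTTP/1.0\r\nHost: www.example\r\n\r\n")

if __name__ == "__main__":
    for layer, fields in dissect(SAMPLE_FRAME).items():
        print(layer, fields)
```

The same function applied to bytes read from a capture file is the core of what the "middle window" renders; the length and checksum checks are the part that matters most when the input is untrusted, since a parser that trusts header length fields is itself a target.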

ethereal

- Created as tool to examine network problems in 1997
- Various contributors added packet dissectors, fixes, upgrades; released 1998
- Works with other packet filter formats
- Information: http://www.ethereal.com
- Demonstration

Using ethereal

# ethereal
Capture/Start/OK
Capture window shows accumulated totals for different types of packets
Stop – packets now displayed
- Top window – packet summary
  - Can sort by column – source, destination, protocol are useful
- Middle window – packet breakdown
  - Click on + icons for detail at each packet level
- Bottom window – packet content

Ethereal capture analysis

- Can save a session to a capture file
- Can reopen file later for further analysis
- Open capture file (disable network name resolution for faster opening and “reset” the filter):
  - Linux: /usr/local/Support/CLICScapture.cap
  - Windows: C:\Support\CLICScapture.cap
- Identify and follow different TCP streams
  - Select TCP packet, Tools/Follow TCP Stream
  - CLICScapture.cap has http, https, ftp, ssh
- Any interesting information out there?
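"Follow TCP Stream" reorders the segments of one connection by sequence number, drops retransmissions, and shows each direction's bytes as text, which is what makes the cleartext protocols in the capture (ftp, http) readable. The following added example, not part of the workshop and not Ethereal's implementation, does that reassembly on a constructed FTP exchange whose segments arrive interleaved, out of order and once duplicated, and then lists the USER/PASS lines the reassembled stream exposes. Addresses, ports and the password are all constructed.

```python
# Constructed FTP-style exchange (documentation addresses; no real hosts or accounts).
CLIENT = ("192.0.2.10", 40321)
SERVER = ("192.0.2.21", 21)


def _segments(src, dst, first_seq, pieces):
    """Number consecutive payload pieces with the sequence numbers a TCP sender would use."""
    segs, seq = [], first_seq
    for p in pieces:
        segs.append({"src": src, "dst": dst, "seq": seq, "payload": p})
        seq += len(p)
    return segs


CLIENT_PIECES = [b"USER demo\r\n", b"PASS constructed-secret\r\n", b"LIST\r\n"]
SERVER_PIECES = [b"220 ftp.example ready\r\n", b"331 Password required\r\n", b"230 Login successful\r\n"]
_c = _segments(CLIENT, SERVER, 1001, CLIENT_PIECES)
_s = _segments(SERVER, CLIENT, 5001, SERVER_PIECES)
# Capture order as a sniffer might see it: interleaved, one client segment delayed, one retransmitted.
SAMPLE_CAPTURE = [_s[0], _c[1], _c[0], _s[1], _c[1], _s[2], _c[2]]


def follow_stream(segments):
    """Reassemble each direction of a connection; returns {(src, dst): {"data": bytes, "gaps": [...]}}."""
    by_dir = {}
    for seg in segments:
        by_dir.setdefault((seg["src"], seg["dst"]), []).append(seg)
    out = {}
    for key, segs in by_dir.items():
        segs.sort(key=lambda x: x["seq"])
        data, gaps, expected = bytearray(), [], segs[0]["seq"]
        for seg in segs:
            payload, end = seg["payload"], seg["seq"] + len(seg["payload"])
            if end <= expected:
                continue                                        # full retransmission: already have it
            if seg["seq"] < expected:
                payload = payload[expected - seg["seq"]:]       # partial overlap: keep only the new tail
            elif seg["seq"] > expected:
                gaps.append((expected, seg["seq"] - expected))  # segment never captured
            data.extend(payload)
            expected = end
        out[key] = {"data": bytes(data), "gaps": gaps}
    return out


def cleartext_logins(streams):
    """Lines that a reassembled FTP control stream hands to anyone who could sniff it."""
    hits = []
    for (src, dst), st in streams.items():
        for line in st["data"].split(b"\r\n"):
            if line[:5] in (b"USER ", b"PASS "):
                hits.append((src, dst, line.decode("latin-1")))
    return hits


if __name__ == "__main__":
    streams = follow_stream(SAMPLE_CAPTURE)
    for (src, dst), st in streams.items():
        print(f"{src} -> {dst}: {st['data']!r}  gaps={st['gaps']}")
    print(cleartext_logins(streams))
```

The `gaps` list is what a real tool marks when a segment was never seen, which on a switched network (see the limitations slide) is the normal case for traffic not addressed to the sniffing host. The `cleartext_logins` check is the "interesting information" the slide hints at: it is why ssh and https show up in the same capture as protocols whose streams reassemble into nothing readable.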

Related Tools

Hunt
- TCP sniffer
- Watch and reset connections
- Hijack sessions
- Spoof MAC
- Spoof DNS

Related Tool

EtherPEG – image capture on network
- http://www.etherpeg.com

Demonstration
- See http://www.menshevik.com/showme on windows

Summary

- Basic tools can generate much information
- Remember principle of accumulating information
  - Attacker will build on smaller pieces to get bigger pieces
- Moral: don’t give away information if you can avoid it