Computer Security Workshop
Module 1 – Footprinting / Packet Sniffing
Footprinting
Definition: the gathering of information about a potential system or network; a.k.a. fingerprinting
Attacker's point of view
  - Identify potential target systems
  - Identify which types of attacks may be useful on target systems
Defender's point of view
  - Know available tools
  - May be able to tell if system is being footprinted, be more prepared for possible attack
  - Vulnerability analysis: know what information you're giving away, what weaknesses you have
Information to Gather
System (Local or Remote)
  - IP Address, Name and Domain
  - Operating System
    - Type (Windows, Linux, Solaris)
    - Version (98/NT/2000, Redhat 7/8/9, Fedora, SuSe)
  - Usernames
  - File structure
  - Open Ports (what services/programs are running on the system)
  - Physical Proximity/Location
Information to Gather (2)
Networks / Enterprises
  - System information for all hosts
  - Network topology
    - Gateways
    - Firewalls
    - Overall topology
  - Network traffic information
  - Specialized servers
    - Web, Database, FTP, Email, etc.
Defender Perspective
  - Identify information you're giving away
  - Identify weaknesses in systems/network
  - Know when systems/network is being probed
  - Identify source of probe
  - Develop awareness of threat
  - Construct audit trail of activity
Tools - Linux
Linux tools - lower level utilities
  Local System
    - hostname
    - ifconfig
    - who, last
  Remote Systems
    - ping
    - traceroute
    - finger (also local system)
    - nslookup, dig
    - whois
    - arp, netstat (also local system)
  Other tools
    - lsof
Tools – Linux (2)
Other utilities
  - ethereal (packet sniffing)
  - nmap (port scanning) - more later
Tools - Windows
Windows
  - Sam Spade (collected tools)
  - ethereal (packet sniffer)
  - Command line tools
    - ipconfig
    - Many others…
hostname
Determine name of current system
Usage: hostname
  E.g. hostname
    localhost.localdomain    // default
  E.g. hostname
    clics.cs.uwec.edu
ifconfig
Configure network interface
Tells current IP numbers for host system
Usage: ifconfig
  E.g. ifconfig    // command alone: display status
    eth0  Link encap: Ethernet  HWaddr 00:0C:29:CD:F6:D3
          inet addr: 192.168.172.128 . . .
    lo    Link encap: Local Loopback
          inet addr: 127.0.0.1 . . .
who
Basic tool to show users on current system
Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts)
Usage: who
  E.g. who
    root  tty1  Jan 9 12:46
    paul  tty2  Jan 9 12:52
last
Show last N users on system
  - Default: since last cycling of file
  - -N: last N lines
Useful for identifying unusual activity in recent past
Usage: last [-n]
  E.g. last -3
    wagnerpj pts/1 137.28.253.254   Sat Feb 5 15:40   still logged in
    flinstf  pts/0 137.28.191.74    Sat Feb 5 15:38   still logged in
    rubbleb  pts/0 c48.193.173.92.e Sat Feb 5 14:38 - 15:25 (00:46)
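The "unusual activity" check the who/last slides describe can be automated: the added example below (not part of the workshop material) parses `last` output and reports logins whose origin is not inside an expected address range. The sample output is constructed in the style of the slide, and the 137.28.0.0/16 range is an assumed campus network.

```python
import ipaddress

# Constructed sample of `last` output, modelled on the slide above; the third entry
# shows the truncated hostname form last prints, the fourth a console login.
SAMPLE_LAST = """\
wagnerpj pts/1        137.28.253.254   Sat Feb  5 15:40   still logged in
flinstf  pts/0        137.28.191.74    Sat Feb  5 15:38   still logged in
rubbleb  pts/0        c48.193.173.92.e Sat Feb  5 14:38 - 15:25  (00:46)
root     tty1                          Sun Jan  9 12:46 - 13:10  (00:24)

wtmp begins Sat Jan  1 00:00:01 2005
"""

# Address range logins are expected from (an assumption for this example: the campus /16).
EXPECTED_NETS = [ipaddress.ip_network("137.28.0.0/16")]
DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

def parse_last(text):
    """Return (user, tty, origin, when) per session line; console logins have no origin column."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] == "wtmp":
            continue  # blank lines and the trailing 'wtmp begins ...' footer
        user, tty, origin, when = parts
        if origin in DAYS:  # no origin column: the third token is already the weekday
            origin, when = "(console)", f"{origin} {when}"
        entries.append((user, tty, origin, when))
    return entries

def origin_is_expected(origin):
    """Console logins and IPs inside EXPECTED_NETS are expected; hostnames cannot
    be checked against the ranges, so they are reported for review."""
    if origin == "(console)":
        return True
    try:
        return any(ipaddress.ip_address(origin) in net for net in EXPECTED_NETS)
    except ValueError:
        return False

def flag_unusual_logins(text):
    """Return the (user, origin) pairs worth a second look."""
    return [(u, o) for u, _t, o, _w in parse_last(text) if not origin_is_expected(o)]

if __name__ == "__main__":
    for user, origin in flag_unusual_logins(SAMPLE_LAST):
        print(f"review: {user} logged in from {origin}")
```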
ping
Potential Uses
  - Is system online? Through response
  - Gather name information: through DNS
  - Estimate relative physical location: based on RTT (Round Trip Time) given in summary statistics
  - Identify operating system: based on TTL (packet Time To Live) on each packet line
    - TTL = number of hops allowed to get to system
    - 64 is Linux default, 128 is Windows default (but can be changed!)
Notes
  - Uses ICMP packets
  - Often blocked on many hosts
  - Usage: ping system
    E.g. ping ftp.redhat.com
    E.g. ping localhost
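The TTL and RTT reasoning on this slide, as an added example rather than workshop code: it parses Linux or Windows `ping` reply lines, maps the observed TTL to the nearest common initial value (64, 128 or 255) to guess the OS and the hop count, and averages the RTT. The sample output is constructed (192.0.2.10 is a documentation address) and the guess is only a heuristic, since the default TTL can be changed.

```python
import re

# Constructed sample of Linux `ping` output; not captured from a real host.
SAMPLE_PING = """\
PING host.example (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=52 time=31.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=52 time=30.8 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=52 time=31.0 ms

--- host.example ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 30.800/31.000/31.200/0.163 ms
"""

# Common initial TTLs; a heuristic only, because the value is configurable.
INITIAL_TTLS = [(64, "Linux/Unix"), (128, "Windows"), (255, "router/other")]

# Matches both Linux ("ttl=52 time=31.2 ms") and Windows ("time=31ms TTL=52") reply lines.
TTL_RE = re.compile(r"ttl=(\d+)", re.IGNORECASE)
TIME_RE = re.compile(r"time[=<]\s*(\d+(?:\.\d+)?)\s*ms", re.IGNORECASE)

def parse_replies(text):
    """Return a list of (ttl, rtt_ms) for every echo reply line in the output."""
    replies = []
    for line in text.splitlines():
        ttl, rtt = TTL_RE.search(line), TIME_RE.search(line)
        if ttl and rtt:
            replies.append((int(ttl.group(1)), float(rtt.group(1))))
    return replies

def guess_from_ttl(ttl):
    """Pick the smallest common initial TTL >= observed; the difference estimates the hops."""
    for initial, name in INITIAL_TTLS:
        if ttl <= initial:
            return initial, name, initial - ttl
    return None, "unknown", None

def summarize(text):
    """Summarize one ping run: observed TTL, OS guess, estimated hops, average RTT."""
    replies = parse_replies(text)
    if not replies:
        return None  # no replies: host down, or ICMP blocked as the slide notes
    ttl = replies[-1][0]
    initial, os_guess, hops = guess_from_ttl(ttl)
    avg_rtt = round(sum(r for _, r in replies) / len(replies), 1)
    return {"ttl": ttl, "initial_ttl": initial, "os_guess": os_guess,
            "hops": hops, "avg_rtt_ms": avg_rtt}

if __name__ == "__main__":
    print(summarize(SAMPLE_PING))
```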
traceroute
Potential Uses
  - Determine physical location of machine
  - Gather network information (gateway, other internal systems)
  - Find system that's dropping your packets – evidence of a firewall
Notes
  - Can use UDP or ICMP packets
  - Results often limited by firewalls
  - Usage: traceroute system
    E.g. traceroute cs.umn.edu
traceroute example
[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
<ctrl-c>
[wagnerpj@data ~]$
traceroute example - success
H:\>tracert www.google.com
Tracing route to www.google.akadns.net [64.233.167.99]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
 10    16 ms    16 ms    18 ms  216.239.46.10
 11    21 ms    19 ms    17 ms  64.233.175.30
 12    18 ms    16 ms    16 ms  64.233.167.99
Trace complete.
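The two traces above differ in format (Linux traceroute with parenthesised IPs, Windows tracert with bracketed IPs and `<1 ms` values) but carry the same information. The added example below, which is not part of the workshop, parses both and locates the hop where replies stop, i.e. the "system that's dropping your packets" from the slide; the Windows sample is abbreviated to its first three hops.

```python
import re

# The two traces from the slides above (Linux traceroute, interrupted; Windows tracert, abbreviated).
LINUX_TRACE = """\
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
"""
WINDOWS_TRACE = """\
Tracing route to www.google.akadns.net [64.233.167.99]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                      # hop number, then the rest
ADDR_RE = re.compile(r"[\(\[](\d+\.\d+\.\d+\.\d+)[\)\]]")       # (ip) on Linux, [ip] on Windows
BARE_IP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s*$")           # unresolved hop: bare ip at end
RTT_RE = re.compile(r"(<?\d+(?:\.\d+)?)\s*ms")                  # "0.247 ms", "4 ms", "<1 ms"

def parse_hops(text):
    """Return a list of {hop, ip, rtts}; ip is None and rtts empty for a silent hop (* * *)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header lines and 'Trace complete.'
        num, rest = int(m.group(1)), m.group(2)
        addr = ADDR_RE.search(rest) or BARE_IP_RE.search(rest)
        rtts = [0.0 if r.startswith("<") else float(r) for r in RTT_RE.findall(rest)]
        hops.append({"hop": num, "ip": addr.group(1) if addr else None, "rtts": rtts})
    return hops

def first_silent_hop(text):
    """Locate where replies stop: (silent hop number, ip of the last hop that replied).
    A silent hop after a run of replies is the slide's 'evidence of a firewall';
    (None, last_ip) means every listed hop replied."""
    last_ip = None
    for h in parse_hops(text):
        if h["ip"] is None:
            return h["hop"], last_ip
        last_ip = h["ip"]
    return None, last_ip

if __name__ == "__main__":
    print("linux:", first_silent_hop(LINUX_TRACE))
    print("windows:", first_silent_hop(WINDOWS_TRACE))
```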
finger
Potential Uses
  - Collect usernames
  - Determine if user is currently logged in
Notes
  - Often blocked
  - Usage: finger localuser  or  finger @system  or  finger remoteuser@system
    E.g. finger wagnerpj (user on local system)
    E.g. finger @cs.umn.edu (all on remote system)
    E.g. finger [email protected] (user on remote system)
whois
Potential Uses
  - Queries nicname/whois servers for Internet registration information
  - Can gather contacts, names, geographic information, servers, … - useful for social engineering attacks
Notes
  - Usage: whois domain
    e.g. whois netcom.com
whois example - basic
Domain Name: UWEC.EDU

Registrant:
   University of Wisconsin - Eau Claire
   105 Garfield Avenue
   Eau Claire, WI 54702-4004
   UNITED STATES

Contacts:
   Administrative Contact:
      Computing and Networking Services
      105 Garfield Ave
      Eau Claire, WI 54701
      UNITED STATES
      (715) 836-5711
      [email protected]

Name Servers:
   TOMATO.UWEC.EDU   137.28.1.17
   LETTUCE.UWEC.EDU  137.28.1.18
   BACON.UWEC.EDU    137.28.5.194
whois example - wildcards
whois uw%.edu

Your search has matched multiple domains.
Below are the domains you matched (up to 100). For specific
information on one of these domains, please search on that
domain.

   UW.EDU
   UWA.EDU
   UWB.EDU
   UWC.EDU
   UWEC.EDU
   UWEST.EDU
   UWEX.EDU
   …
nslookup
Potential Uses
  - Query internet name servers
  - Find name for IP address, and vice versa
Notes
  - Now deprecated – generally use dig
  - Sometimes useful when dig fails
Usage
  - nslookup xxxxxxx    // name or IP addr.
    E.g. nslookup data.cs.uwec.edu
    E.g. dig data.cs.uwec.edu
dig
Potential Uses
  - Domain Name Service (DNS) lookup utility
  - Associate name with IP address and vice versa
Notes
  - Many command options
  - General usage: dig <somehost>
    E.g. dig data.cs.uwec.edu
    E.g. dig 137.28.109.33
arp
Tracks addresses, interfaces accessed by system
Possible uses
  - Find adjacent systems
Notes
  - arp       // display names
  - arp -n    // display numeric addresses
netstat
Shows connections, routing information, statistics
Possible uses
  - Find adjacent machines, used ports
Notes
  - Many flags
  - netstat       // open sockets, etc.
  - netstat -s    // summary statistics
  - netstat -r    // routing tables
  - netstat -p    // programs
  - netstat -l    // listening sockets
lsof
Lists open files on your system
Useful to see what processes are working with what files, possibly identify tampering
Usage: lsof
Windows Tools
Sam Spade
  - "swiss army knife" of footprinting
  - Has most of the Linux tools
  - Plus other functionality
Usage
  - Start application
  - Fill in name or IP address
  - Choose option desired in menus
Packet Sniffers
Definition: Hardware or software that can display network traffic packet information
Usage
  - Network traffic analysis
Example packet sniffers
  - tcpdump (command line, Linux)
  - ethereal (Linux, Windows – open source)
  - others…
Limitations – Packet Sniffing
Packet sniffers only catch what they can see
  - Users attached to hub – can see everything
  - Users attached to switch – can see own traffic only
Need to be able to put NIC in "promiscuous" mode to be able to process all traffic, not just traffic for/from itself
  - NIC must support it
  - Need privilege (e.g. root in Linux)
OSI Network Protocol
  Layer 7 – Application (incl. app. content)
  Layer 6 – Presentation
  Layer 5 – Session
  Layer 4 – Transport (incl. protocol, port)
  Layer 3 – Network (incl. source, dest)
  Layer 2 – Data Link
  Layer 1 – Physical
ethereal
Created as tool to examine network problems in 1997
Various contributors added packet dissectors, fixes, upgrades; released 1998
Works with other packet filter formats
Information: http://www.ethereal.com
Demonstration
Using ethereal
# ethereal
Capture/Start/OK
Capture window shows accumulated totals for different types of packets
Stop – packets now displayed
Top window – packet summary
  - Can sort by column – source, destination, protocol are useful
Middle window – packet breakdown
  - Click on + icons for detail at each packet level
Bottom window – packet content
Ethereal capture analysis
Can save a session to a capture file
Can reopen file later for further analysis
Open capture file (disable network name resolution for faster opening and "reset" the filter):
  - Linux: /usr/local/Support/CLICScapture.cap
  - Windows: C:\Support\CLICScapture.cap
Identify and follow different TCP streams
  - Select TCP packet, Tools/Follow TCP Stream
  - CLICScapture.cap has http, https, ftp, ssh
Any interesting information out there?
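What ethereal's packet-breakdown pane and Follow TCP Stream do, stripped to the essentials, as an added example that is not part of the workshop: it walks one frame through the OSI layers from the earlier slide (layer 2 MACs, layer 3 source/destination, layer 4 protocol and port, then the application bytes) and groups the application bytes of both directions into one stream. The frames are constructed in the code (documentation addresses, zero checksums); only the first MAC is taken from the ifconfig slide.

```python
import struct
from collections import defaultdict

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame as test input (checksums are left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp

def dissect(frame):
    """Peel the layers the way a sniffer's packet-breakdown pane does:
    L2 MACs, L3 addresses/TTL/protocol, L4 ports, then the application bytes."""
    pkt = {"l2": {"src": mac_str(frame[6:12]), "dst": mac_str(frame[:6])}}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return pkt                                  # not IPv4: stop at layer 2
    ihl = (frame[14] & 0x0F) * 4
    pkt["l3"] = {"src": ip_str(frame[26:30]), "dst": ip_str(frame[30:34]),
                 "ttl": frame[22], "proto": frame[23]}
    if frame[23] != 6:
        return pkt                                  # not TCP: stop at layer 3
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4
    pkt["l4"] = {"proto": "TCP", "sport": sport, "dport": dport}
    pkt["l7"] = bytes(frame[t + data_off:])
    return pkt

def follow_tcp_streams(frames):
    """Group application bytes by connection, both directions together,
    as Follow TCP Stream does; the key is the sorted (ip, port) pair."""
    streams = defaultdict(bytes)
    for frame in frames:
        pkt = dissect(frame)
        if "l4" not in pkt:
            continue
        ends = [(pkt["l3"]["src"], pkt["l4"]["sport"]), (pkt["l3"]["dst"], pkt["l4"]["dport"])]
        streams[tuple(sorted(ends))] += pkt["l7"]
    return dict(streams)

# Constructed sample: one HTTP request and its reply between two documentation addresses.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("000c29cdf6d3"), bytes.fromhex("0050560001aa")
CLIENT_IP, SERVER_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 40000, b"HTTP/1.0 200 OK\r\n"),
]
```

Run `follow_tcp_streams(SAMPLE_FRAMES)` to see the whole HTTP exchange as readable text; a real capture's ssh stream would group the same way but its bytes would be ciphertext.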
Related Tools
Hunt
  - TCP sniffer
  - Watch and reset connections
  - Hijack sessions
  - Spoof MAC
  - Spoof DNS
Related Tool
EtherPEG – image capture on network
  - http://www.etherpeg.com
Demonstration
  - See http://www.menshevik.com/showme on windows
Summary
Basic tools can generate much information
Remember principle of accumulating information
  - Attacker will build on smaller pieces to get bigger pieces
Moral: don't give away information if you can avoid it