![Page 1: Corso di Sicurezza delle Reti e dei Sistemi Software aa](https://reader033.vdocuments.net/reader033/viewer/2022060415/6295586cb78f6c2a5c2461ab/html5/thumbnails/1.jpg)
Network and Software Systems Security course, academic year 2015/16
Ing. Antonio Pirozzi
Università degli Studi del Sannio
#whoami
• Research Fellow at University of Sannio
• Vuln. Researcher for Emaze spa
• ISWATlab co-founder and Researcher
Exercises workflow
Exercises workflow: phase1
You are here
Exercises workflow: phase 1...
Reconnaissance:
● Military reconnaissance: military observation of a region to locate an enemy or ascertain strategic features.
● Network reconnaissance: the process of acquiring information about a network.
Real scenarios... the corporate network
Source: www.corporatecomputingsolutions.com
Tools: ping, traceroute/tracert, nmap, dnsrecon, dig, whois
Network cartography:
● Corporate: physical, logical and electronic layout, infrastructure assets, on-location gathering
● Individual: social network profiles, Internet presence
Real scenarios... a bottom-up view.
Source: http://www.potaroo.net/ispcol/2006-05/bgp.html
● Whois for ASN and route objects: whois.radb.net (an Internet Routing Registry)
● IP to BGP prefix/ASN mapping: whois.cymru.com
BGP: the routing protocol of the Internet. Among the routes it learns for a prefix it prefers, other attributes (such as local preference) being equal, the one with the shortest AS path. ASN: Autonomous System Number, the identifier of a BGP routing domain.
Showing BGP routes and ASes: let's do it
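The IP-to-BGP mapping step above, as an added example (not code from the slides or from Team Cymru): it builds the bulk request that whois.cymru.com accepts on TCP port 43, parses the pipe-separated verbose reply, and clusters a target's addresses by AS and announced prefix, which is how you turn a handful of resolved hosts into the netblocks worth scanning. SAMPLE_REPLY is constructed for the example from documentation address ranges and private ASNs; send_bulk_query() shows the live exchange but is not invoked here.

```python
"""IP-to-ASN mapping through the Team Cymru whois bulk interface (added example).

build_bulk_query() produces the request sent to whois.cymru.com on TCP/43;
parse_bulk_reply() reads the pipe-separated verbose answer; group_by_asn()
clusters a target's addresses by AS and announced prefix. SAMPLE_REPLY is a
constructed sample (documentation ranges, private ASNs), not a real lookup.
"""
import socket
from typing import Dict, List

FIELDS = ["asn", "ip", "prefix", "cc", "registry", "allocated", "as_name"]

SAMPLE_REPLY = """\
Bulk mode; whois.cymru.com [constructed sample, not a real lookup]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | IT | ripencc  | 2001-01-01 | EXAMPLE-AS Example Corp, IT
64496   | 192.0.2.77       | 192.0.2.0/24        | IT | ripencc  | 2001-01-01 | EXAMPLE-AS Example Corp, IT
64497   | 198.51.100.5     | 198.51.100.0/24     | US | arin     | 2002-06-15 | HOSTER-AS Example Hosting, US
NA      | 203.0.113.9      | NA                  | NA | NA       | NA         | NA
"""


def build_bulk_query(ips: List[str]) -> str:
    """'begin'/'end' bracket a bulk session; 'verbose' requests the seven-column output."""
    return "begin\nverbose\n" + "\n".join(ips) + "\nend\n"


def send_bulk_query(ips: List[str], host: str = "whois.cymru.com", port: int = 43) -> str:
    """The live exchange (not run in this example): open TCP/43, send, read until EOF."""
    with socket.create_connection((host, port), timeout=15) as s:
        s.sendall(build_bulk_query(ips).encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_bulk_reply(text: str) -> List[Dict[str, str]]:
    """One dict per data row; the banner and the column header are skipped."""
    records = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        # Data rows have seven columns and start with an ASN, or 'NA' when unrouted.
        if len(cols) != len(FIELDS) or not (cols[0].isdigit() or cols[0] == "NA"):
            continue
        records.append(dict(zip(FIELDS, cols)))
    return records


def group_by_asn(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Map ASN -> {as_name, prefixes, ips}; unrouted addresses (ASN 'NA') are left out."""
    groups: Dict[str, dict] = {}
    for r in records:
        if r["asn"] == "NA":
            continue
        g = groups.setdefault(r["asn"], {"as_name": r["as_name"], "prefixes": set(), "ips": []})
        g["prefixes"].add(r["prefix"])
        g["ips"].append(r["ip"])
    return groups


def unrouted(records: List[Dict[str, str]]) -> List[str]:
    """Addresses with no BGP announcement: allocated but not reachable from the Internet."""
    return [r["ip"] for r in records if r["asn"] == "NA"]


if __name__ == "__main__":
    recs = parse_bulk_reply(SAMPLE_REPLY)
    for asn, g in group_by_asn(recs).items():
        print(asn, g["as_name"], sorted(g["prefixes"]), g["ips"])
    print("unrouted:", unrouted(recs))
```

The grouping is what answers the slide's question: two hosts in the same /24 under the organization's own ASN belong to infrastructure it operates, while an address under a hoster's ASN is shared infrastructure, and an unrouted one is dead space or an internal leak in DNS.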
Publicly available information
● Web pages
● Location details (Google Maps, Google Earth)
● Employee details (yellow pages, theHarvester, ...)
● Current events
● Privacy or security policies
● Archived information (Wayback Machine, ...)
● Search engines (Google dorks)
● ...
Whois info
IANA (a function of ICANN) allocates address blocks to the five Regional Internet Registries (RIRs), which allocate them onward to ISPs and organizations:
➔ APNIC: Asia-Pacific region
➔ ARIN: North America and part of the Caribbean (historically also sub-Saharan Africa)
➔ LACNIC: Latin America and the Caribbean
➔ RIPE NCC: Europe, the Middle East and parts of Central Asia (historically also North Africa)
➔ AfriNIC: Africa, taking over the regions previously managed by ARIN and RIPE NCC
Registry, registrar, registrant: the three roles of the domain-name registration model.
Whois info
How to find info...
● Domain-related searches (registrar, registrant contacts, name servers)
● IP-related searches (IP netblocks, BGP, AS, etc.)
Start at whois.arin.net: when the block belongs to another RIR, ARIN's answer refers you to the responsible registry.
Reconnaissance: intelligence / information gathering
Open source intelligence (OSINT)
Passive sources: social media, the public website, whois, infrastructure records.
Reconnaissance also includes techniques that are not OSINT:
● War driving.
● Looking for information stored on discarded computers/devices.
● Masquerading as an authorized network user.
Semi-passive (DNSRecon): zone transfer, wildcard entries, DNS lookup and reverse DNS lookup, standard record enumeration, cache snooping, zone walking, Google lookup.
Active:
● Step 1: scanning
● Step 2: identify the server OS
● Step 3: banner grabbing
● Step 4: web server application scan
Passive, semi-passive and active differ in how much traffic of yours reaches the target.
OSINT
Open Source Intelligence (OSINT) is intelligence collected from publicly available sources. ≠ RUMINT, SIGINT, HUMINT, GEOINT
Why OSINT? It lets you obtain a huge amount of intelligence about your target without sending a single packet to it. (cit. Practical OSINT, Shane MacDougall, DerbyCon 2013)
Optimize an attack:
- password cracking (targeted wordlists built from what you gathered) / social engineering (names, roles, contacts, habits)
Start...
https://www.youtube.com/watch?v=Z-LMQ03A_sw&feature=youtu.be
OSINT
Tool deprecation is frequent...
OSINT can be used both:
- OFFENSIVELY
- DEFENSIVELY
Information gathering & OSINT tools:
- metagoofil
- FOCA
- theHarvester
- creepy
- exiftool
- Wayback Machine
- whois
- socialmention
- Graph Search (Facebook)
Web sites and social media:
- http://trendsmap.com/
- Facebook Graph Search
- Yandex (search operators: !, +, ~~, &, &&, /, mime)
- http://search.nerdydata.com/
- http://mugshots.com/
- Google
- Wayback Machine
- socialmention
- robtex
OSINT process
Source identification → Collection → Data processing & integration → Data analysis → Results
DEMO: MALTEGO
Reconnaissance, semi-passive: DNSrecon
● Standard record enumeration: A, NS, MX, TXT and CNAME records
● DNS lookup with dig; traversing the entire DNS hierarchy from the root (dig +trace)
● Reverse DNS lookup: IP → hostname through PTR records
● Tools: dnsrecon, fierce.pl, dnsenum, subbrute, dnsmap
[Ab]using DNS reconnaissance: DNS lookup
● What is the website's IP address? (query the A / AAAA record)
● How do you identify the name servers associated with a domain? (query the NS record)
● What does the delegation path to my zone look like? (follow the referrals from the root servers down, as dig +trace does)
[Ab]using DNS reconnaissance...
• DNS enumeration 1/3: locating all DNS servers and DNS entries for an organization.
Understanding wildcard entries
A wildcard record: *.example.com. 3600 IN MX 10 host1.example.com.
An MX lookup for somerandomname.example.com returns host1.example.com, so under a wildcarded zone every guessed name "exists" and naive brute forcing reports nothing but hits.
Bypassing wildcard entries: first resolve a few random labels under the zone to learn the wildcard's answer, then discard brute-force hits whose answer is the same.
[Ab]using DNS reconnaissance...
• DNS enumeration 2/3: DNS zone transfer
AXFR is the zone-transfer query type (QTYPE 252), not a resource record: it asks a name server for a full copy of the zone, which a misconfigured server hands to anyone who asks.
● fierce.pl
● dig (with the axfr query type, against each authoritative server)
● dnsrecon
● ...
And what if the zone transfer fails? Most servers restrict AXFR to their secondaries; then fall back to record enumeration, reverse lookups and brute forcing.
[Ab]using DNS reconnaissance...
• DNS enumeration 3/3: DNS reverse lookups and DNS brute forcing will help you enumerate DNS entries.
Take a wordlist and resolve each candidate name, e.g. addgfdgs.example.com, under the target zone (example.com → 1.2.3.4):
● If wildcards are NOT set: a response means the subdomain exists; NXDOMAIN means it does not.
● If wildcards are set: addgfdgs.example.com answers 1.2.3.5 as well, so "OK, the subdomain exists" is a false positive; compare each answer with the wildcard's before counting it.
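The wildcard detection and brute-force procedure of the last two slides, as an added example (not dnsrecon's or fierce's code): it resolves a few random labels to learn the wildcard's answer, then walks a wordlist and keeps only names whose answer differs from it. FAKE_ZONE and fake_resolve() are a constructed stand-in for real DNS so the script runs offline; to use it for real, replace fake_resolve with a function that queries a resolver (for instance dnspython's resolve()).

```python
"""Subdomain brute force that learns and filters out a wildcard answer.

Added example; FAKE_ZONE and fake_resolve() stand in for real DNS so that
the script runs offline. Swap fake_resolve for a real lookup to use it.
"""
import random
import string
from typing import Callable, Dict, List, Set

# Constructed zone: a wildcard sends every unknown name to 1.2.3.5, and one real
# host (dev) deliberately shares that address to expose the method's blind spot.
FAKE_ZONE: Dict[str, List[str]] = {
    "example.com": ["1.2.3.4"],
    "www.example.com": ["1.2.3.4"],
    "mail.example.com": ["1.2.3.10"],
    "dev.example.com": ["1.2.3.5"],
    "*.example.com": ["1.2.3.5"],
}

Resolver = Callable[[str], List[str]]


def fake_resolve(name: str) -> List[str]:
    """Exact match first, then the parent's wildcard, else NXDOMAIN (empty list)."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return FAKE_ZONE.get("*." + parent, [])


def random_label(length: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve several random labels under `domain`. If every one of them gets an
    answer the zone has a wildcard and the union of answers is its signature;
    an empty set means no wildcard."""
    signature: Set[str] = set()
    for _ in range(probes):
        answers = resolve(f"{random_label()}.{domain}")
        if not answers:          # a random name did not resolve: no wildcard
            return set()
        signature.update(answers)
    return signature


def brute_force(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Return {name: addresses} for wordlist entries whose answer is not the wildcard's."""
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        answers = resolve(name)
        if not answers:
            continue                               # NXDOMAIN: does not exist
        if wildcard and set(answers) <= wildcard:
            continue                               # same as the wildcard: cannot confirm
        found[name] = answers
    return found


if __name__ == "__main__":
    print("wildcard signature:", detect_wildcard("example.com", fake_resolve))
    print(brute_force("example.com", ["www", "mail", "dev", "ftp", "vpn"], fake_resolve))
```

Note the blind spot the constructed zone shows: dev.example.com is a real host that happens to share the wildcard address, and the IP comparison throws it away. When that matters, compare more than the A record (the CNAME target, MX, or a TXT lookup for the same name) before discarding a hit.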
[Ab]using DNS reconnaissance...
• Misc: DNS cache snooping
Send non-recursive queries (RD bit cleared): a recursive resolver answers such a query only from its cache, so a positive answer shows that someone behind that resolver looked the name up recently. Two tells:
● the time the query takes to process (a cached answer comes back immediately);
● the TTL (a cached record's TTL counts down from the authoritative value).
Recursion ENABLED vs DISABLED on the resolver changes what you can ask: a resolver that ignores the RD bit and recurses anyway answers everything, and only the TTL comparison remains.
● nslookup -norecurse (the option is -norecurse, not -norecursive); dig +norecurse
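The wire-level side of cache snooping, as an added example (not code from the slides): build_query() assembles a DNS query with the RD bit cleared, exactly what nslookup -norecurse or dig +norecurse send, and snoop_verdict() reads the reply the way the slide describes, treating an answer section as "cached" and the difference between the authoritative TTL and the returned TTL as the age of the cache entry. fake_reply() constructs the two replies a resolver could give so the script runs offline; the authoritative TTL of 3600 and the address 93.184.216.34 are assumptions for the example.

```python
"""DNS cache snooping: a non-recursive query and the reading of its reply.

Added example, offline: fake_reply() constructs the resolver's answers.
"""
import struct
from typing import Optional, Tuple


def encode_name(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                recursion_desired: bool = False) -> bytes:
    """12-byte header + one question. RD is bit 8 of the flags word; leaving it
    clear asks the resolver to answer only from what it already holds."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def rd_bit(msg: bytes) -> int:
    return (struct.unpack("!H", msg[2:4])[0] >> 8) & 1


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += length + 1


def first_answer_ttl(reply: bytes) -> Optional[int]:
    """TTL of the first answer RR, or None when the answer section is empty."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(reply, off) + 4           # skip QTYPE and QCLASS
    if ancount == 0:
        return None
    off = _skip_name(reply, off)
    _rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    return ttl


def snoop_verdict(reply: bytes, authoritative_ttl: int) -> Tuple[bool, Optional[int]]:
    """(cached, seconds since the resolver fetched it). An age of 0 with a
    resolver that ignores RD means it just recursed for you: not a cache hit."""
    ttl = first_answer_ttl(reply)
    if ttl is None:
        return (False, None)
    return (True, authoritative_ttl - ttl)


def fake_reply(query: bytes, answer_ip: Optional[str], ttl: int) -> bytes:
    """Constructed response: QR and RA set, the question echoed, and one A record
    (name compressed as a pointer to offset 12) when answer_ip is given."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, ancount, 0, 0)
    rr = b""
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("RD bit:", rd_bit(q))
    print("cached:", snoop_verdict(fake_reply(q, "93.184.216.34", 2900), 3600))
    print("not cached:", snoop_verdict(fake_reply(q, None, 0), 3600))
```

To run it against a real resolver, send build_query() over UDP port 53 and pass the datagram you get back to snoop_verdict(); first fetch the record's authoritative TTL from one of the zone's own name servers so the age calculation has a baseline.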
Exercise
OSINT and DNS reconnaissance on: facebook.com, myspace.com, reddit.com, mashable.com
One domain for each group
Expected deliverables: general report (spreadsheet), Maltego graph
Active Reconnaissance: Network Recon
• Nmap
• hping3
● TCP SYN scan (-sS)
● TCP connect() scan (-sT)
● UDP scan (-sU)
● TCP FIN, Xmas and Null scans (-sF, -sX, -sN)
● Ping scan (-sP; spelled -sn in current Nmap)
● Version detection (-sV)
● Idle scan (-sI)
● OS detection (-O)
● TCP ACK scan (-sA)
● Traceroute (--traceroute)
● Evading firewalls: not in this module
Port states:
● open
● closed
● filtered
● unfiltered
● open|filtered
● closed|filtered
https://nmap.org/book/man-port-scanning-basics.html
• TCP SYN scan (-sS):
often referred to as "half-open" scanning, because you never open a full TCP connection: a SYN/ACK answer marks the port open and Nmap tears the handshake down with a RST, a RST answer marks it closed, and no answer (or an ICMP unreachable) marks it filtered.
● nmap -sS 192.168.1.1
Requires root (raw packet privileges)
• TCP connect() scan (-sT):
TCP connect scan is the default TCP scan type when SYN scan is not an option, i.e. when the user does not have raw packet privileges. The connect() system call completes the three-way handshake with open target ports, so the connection is visible in the target's application logs.
● nmap -sT 192.168.1.1
• UDP scan (-sU):
DNS, SNMP and DHCP (registered ports 53, 161/162 and 67/68) are three of the most common UDP services. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols in the same run.
● A UDP response from the port: open.
● ICMP port unreachable (type 3, code 3): closed.
● Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10 or 13): filtered.
● No response after retransmissions: open|filtered (an open service may simply ignore the empty probe).
● nmap -sU 192.168.1.1
● nmap -sS -sU -Pn 192.168.1.1
Requires root
• TCP FIN, Xmas and Null scans
● NULL scan (-sN): does not set any bits (TCP flag header is 0).
● FIN scan (-sF): sets just the TCP FIN bit.
● Xmas scan (-sX): sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.
Page 65 of RFC 793 says that "if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response", while an open port silently drops such a segment. So a RST means closed and no answer means open|filtered; since the probes carry no SYN, a stateless packet filter that only blocks SYNs lets them through. Caveat: systems that do not follow the RFC here (Microsoft Windows, many Cisco devices, BSDI, IBM OS/400) reply RST regardless of the port state, so every port shows as closed.
• Ping scan (-sP, now -sn):
● nmap -sP 192.168.1.1-254
Nmap runs host discovery against every address in the range (ICMP echo plus, as root, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request; unprivileged, TCP connects to 80 and 443) and lists the hosts that respond, without port scanning them.
• Version detection (-sV):
● nmap -sV --version-intensity 9 192.168.1.1
Starting nmap 3.45
Interesting ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp?
22/tcp   open  ssh         OpenSSH 3.7.1p1 (Protocol 1.99)
25/tcp   open  smtp
80/tcp   open  http        Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a FrontPage/5.0.2.2510 PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
443/tcp  open  ssl/http    Apache httpd 1.3.27 ((Unix) mod_gzip/ ...)
993/tcp  open  ssl/imap    UW Imapd 2001.315
995/tcp  open  ssl/pop3    Openwall popa3d
8888/tcp open  ssl/unknown
An intensity level between 0 and 9 can be specified; the default is 7. Higher levels try more (rarer) probes, which identifies more services but is slower. "ftp?" means the port answered but matched no signature in the probe database.
• Idle scan (-sI):
https://nmap.org/book/idlescan.html
nmap -P0 -p <port> -sI <zombie IP> <target IP>
(-P0 is the old spelling of -Pn, which skips host discovery.)
The scan bounces off a "zombie" host whose IP ID counter increments predictably; the target only ever sees packets that appear to come from the zombie. Nmap probes the zombie's IP ID, sends a SYN spoofed from the zombie's address to the target port, then probes the zombie again:
● Open port: the target sends the zombie a SYN/ACK, the zombie answers it with a RST, so its IP ID has increased by 2.
● Closed port: the target sends the zombie a RST, which the zombie ignores, so its IP ID has increased by 1.
● Filtered port: the target sends nothing, so the zombie's IP ID has also increased by only 1; closed and filtered are indistinguishable and Nmap reports closed|filtered.
• OS detection:
For operating system detection the -O flag can be used:
nmap -O -v 192.168.1.1
Nmap sends a series of TCP and UDP packets to the remote host and examines every bit in the responses. After performing dozens of tests, such as:
● TCP ISN sampling,
● TCP options support and ordering,
● IP ID sampling, and
● the initial window size check,
it compares the results with its fingerprint database (nmap-os-db).
Requires root
• TCP ACK scan:
nmap -sA 192.168.1.1
● RST packet returned: the port is unfiltered (reachable, but open vs closed cannot be told).
● No reply, or an ICMP unreachable error: the port is filtered.
Usually used to map firewall rulesets and distinguish between stateful and stateless firewalls: a stateless filter that only blocks SYNs lets the unsolicited ACK through, a stateful one drops it.
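The port-state rules of the SYN, UDP, FIN/NULL/Xmas and ACK slides, put together as an added example (not Nmap's code): nmap_state() applies the classification each slide describes, and Host is a constructed model of a target that answers probes per RFC 793, optionally behind a stateless or stateful packet filter, or with a stack that sends RST on FIN/NULL/Xmas regardless of port state. Running the four scan types against the same host shows why a single scan type is not enough: the stateless filter hides port 80 from the SYN scan but not from the ACK or FIN scan, and the non-compliant stack makes the Xmas scan report every port closed. The host parameters are assumptions chosen for the example.

```python
"""Nmap port-state logic for SYN, ACK, FIN/NULL/Xmas and UDP scans, run against
a simulated host. Added example; the Host model is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# TCP flags each scan type sets on its probe (UDP probes carry no TCP flags).
SCAN_FLAGS = {"syn": {"SYN"}, "ack": {"ACK"}, "fin": {"FIN"},
              "null": set(), "xmas": {"FIN", "PSH", "URG"}}


@dataclass
class Host:
    tcp_open: Set[int] = field(default_factory=set)
    udp_open: Set[int] = field(default_factory=set)
    udp_chatty: Set[int] = field(default_factory=set)   # open UDP services that answer an empty probe
    fw_ports: Set[int] = field(default_factory=set)     # ports a packet filter protects
    stateful: bool = False          # stateful filter drops every unsolicited packet; stateless drops only SYNs
    rfc793_compliant: bool = True   # False: RST on FIN/NULL/Xmas even for open ports (Windows, Cisco, ...)

    def respond(self, proto: str, flags: Set[str], port: int) -> Optional[str]:
        """Reply to one probe: 'synack', 'rst', 'udp', 'icmp3/<code>' or None
        (nothing came back, even after Nmap's retransmissions)."""
        if port in self.fw_ports and (self.stateful or proto == "udp" or "SYN" in flags):
            return None
        if proto == "udp":
            if port in self.udp_open:
                return "udp" if port in self.udp_chatty else None
            return "icmp3/3"                       # port unreachable
        if "SYN" in flags and "ACK" not in flags:
            return "synack" if port in self.tcp_open else "rst"
        if "ACK" in flags:
            return "rst"                           # unsolicited ACK: RST whether open or closed
        # FIN / NULL / Xmas. RFC 793 p.65: closed port -> RST; open port -> dropped silently.
        if port not in self.tcp_open or not self.rfc793_compliant:
            return "rst"
        return None


def nmap_state(scan: str, reply: Optional[str]) -> str:
    """Port state as Nmap reports it for the given scan type and reply."""
    if reply is None:
        # No answer: SYN and ACK scans call that filtered; the stealth and UDP
        # scans cannot tell an open port from a filter, hence open|filtered.
        return "filtered" if scan in ("syn", "ack") else "open|filtered"
    if reply.startswith("icmp3/"):
        code = int(reply.split("/")[1])
        # UDP: code 3 is closed; codes 0, 1, 2, 9, 10, 13 (and any ICMP error
        # for the TCP scans) mean something in the path filtered the probe.
        return "closed" if scan == "udp" and code == 3 else "filtered"
    if reply in ("synack", "udp"):
        return "open"
    if reply == "rst":
        return "unfiltered" if scan == "ack" else "closed"
    raise ValueError(f"unexpected reply {reply!r}")


def run_scan(host: Host, scan: str, ports: Iterable[int]) -> Dict[int, str]:
    proto = "udp" if scan == "udp" else "tcp"
    flags = SCAN_FLAGS.get(scan, set())
    return {p: nmap_state(scan, host.respond(proto, flags, p)) for p in ports}


if __name__ == "__main__":
    # Constructed target: ssh and http open, http behind a stateless filter,
    # DNS and SNMP open on UDP but only DNS answers an empty probe.
    target = Host(tcp_open={22, 80}, udp_open={53, 161}, udp_chatty={53}, fw_ports={80})
    for scan in ("syn", "ack", "fin", "xmas"):
        print(f"{scan:4s}", run_scan(target, scan, [22, 25, 80]))
    print("udp ", run_scan(target, "udp", [53, 161, 123]))
    print("ack vs stateful filter", run_scan(Host(tcp_open={22, 80}, fw_ports={80}, stateful=True), "ack", [80]))
    print("xmas vs Windows-like stack", run_scan(Host(tcp_open={22}, rfc793_compliant=False), "xmas", [22, 25]))
```

Read the results together rather than one scan at a time: port 80 "filtered" under -sS but "unfiltered" under -sA is the signature of a stateless filter, and a FIN scan that reports every port "closed" on a host you know runs services tells you about the stack, not the ports.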
And more.....
1) Scan for Conficker-infected hosts on your LAN, etc.
$ nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.1.1-254
(safe=1 restricts the script to checks that will not crash the target. In Nmap 7.x smb-check-vulns has been split into the smb-vuln-* scripts; the equivalent today is --script=smb-vuln-conficker.)
2) Scan the network for rogue APs.
$ nmap -sS -O --open --script=rogueap.nse 192.168.1.1-10
(rogueap.nse is a third-party script, not part of the Nmap distribution; -O fingerprints the access point's OS and --open lists only the ports found open.)
3) Find other hostnames sharing the same IP (virtual hosts)
nmap -p 80 --script hostmap-bfk.nse nmap.org
(the hostmap-* scripts query external reverse-IP databases; hostmap-robtex and hostmap-crtsh use other backends.)
• 4) Traceroute geolocation
nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com
(the script needs --traceroute and looks each hop's address up in an online geolocation service.)