Understanding Internet Footprinting for Enhanced Security

Slide Note
Embed
Share

Internet footprinting, also known as fingerprinting, involves gathering valuable information about a target system or network to identify potential vulnerabilities and prepare against potential attacks. It encompasses data gathering techniques, vulnerability analysis, and perspectives from both attackers and defenders. By understanding the importance of footprinting, organizations can enhance their cybersecurity measures and stay one step ahead of potential threats.


Uploaded on Sep 24, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Internet Security Foot Printing Defiana Arnaldy, M.Si 0818 0296 4763 deff_arnaldy@yahoo.com

  2. Overview Definition of Foot Printing Internet foot printing

  3. Sun Tzu on the Art of War: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

  4. WHAT IS FOOTPRINTING? Definition: the gathering of information about a potential system or network (the fine art of gathering target information) a.k.a. fingerprinting Attacker s point of view Identify potential target systems Identify which types of attacks may be useful on target systems Defender s point of view Know available tools May be able to tell if system is being footprinted, be more prepared for possible attack Vulnerability analysis: know what information you re giving away, what weaknesses you have

  5. Information to Gather System (Local or Remote) IP Address, Name and Domain Operating System Type (Windows, Linux, Solaris, Mac) Version (98/NT/2000/2003/XP/Vista/7, Redhat, Fedora, SuSe, Ubuntu, OS X) Usernames (and their passwords) File structure Open Ports (what services/programs are running on the system)

  6. Information to Gather (2) Networks / Enterprises System information for all hosts Network topology Gateways Firewalls Overall topology Network traffic information Specialized servers Web, Database, FTP, Email, etc.

  7. Defender Perspective Identify information you re giving away Identify weaknesses in systems/network Know when systems/network is being probed Identify source of probe Develop awareness of threat Construct audit trail of activity

  8. Why Is Footprinting Necessary? Footprinting methodically ensure that all pieces of information related to the aforementioned technologies are identified is necessary to systematically and Footprinting is often the most arduous task of trying to determine the security posture of an entity; however, it is one of the most important. Footprinting must be performed accurately and in a controlled fashion Without a sound methodology for performing this type of reconnaissance, you are likely to miss key pieces of information related to organization a specific technology or

  9. Internet Footprinting Step 1: Determine the Scope of Your Activities determine the scope of your footprinting activities Are you going to footprint the entire organization, or limit your activities to certain subsidiaries or locations? What disaster-recovery sites? about business partner connections (extranets), or Are there other relationships or considerations? Unfortunately, hackers have no sympathy for our struggles. They exploit our weaknesses manifest themselves. You do not want hackers to know more about your security posture than you do! in whatever forms they

  10. Step 2: Get Proper Authorization One thing hackers can usually disregard that you must pay particular attention to is what we techies affectionately refer to as layers eight and nine of the seven-layer OSI Model Politics and Funding Do you have authorization to proceed with your activities? what exactly are your activities? Is the authorization from the right person(s)? Is it in writing? Are the target IP addresses the right ones?

  11. Step 3: Publicly Available Information Company web pages Related organizations Location details Phone numbers, contact names, e-mail addresses, and personal details Current events (mergers, acquisitions, layoffs, rapid growth, etc.) Privacy or security policies, and technical details indicating the types of security mechanisms in place Archived information Disgruntled employees Search engines, Usenet, and resumes Other information of interest

  12. Step 4: WHOIS & DNS Enumeration So who is "managing" the Internet today, you ask? These core functions of the Internet are "managed" by a nonprofit organization named the Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org). ICANN is a technical coordination body for the Internet. Created in October 1998 by a broad coalition of the Internet's business, technical, communities, ICANN is assuming responsibility for a set of technical functions previously government contract by the Internet Assigned Numbers Authority (IANA; http://www.iana.org) and other groups. (In practice, IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN.) academic, and user performed under U.S.

  13. Specifically, ICANN coordinates the assignment of the following identifiers that must be globally unique for the Internet to function: Internet domain names IP address numbers Protocol parameters and port numbers In addition, ICANN coordinates the stable operation of the Internet's root DNS server system.

  14. To be thorough, we could have done the same searches via the command-line WHOIS client with the following three commands: [bash]$ whois com -h whois.iana.org [bash]$ whois keyhole.com -h whois.verisign-grs.com [bash]$ whois keyhole.com -h whois.omnis.com There are also several websites that attempt to automate this process with varying degrees of success: http://www.allwhois.com http://www.uwhois.com http://www.internic.net/whois.html Last but not least, there are several GUIs available that will assist you in your searches too: SamSpade http://www.samspade.org SuperScan http://www.foundstone.com NetScan Tools Pro http://www.nwpsw.com

  15. Step 5: DNS Interrogation After identifying all the associated domains, you can begin to query the DNS. DNS is a distributed database used to map IP addresses to hostnames, and vice versa. If DNS is configured insecurely, it is possible to obtain revealing information about the organization. One administrator can make is allowing untrusted Internet users to perform a DNS zone transfer of the most serious misconfigurations a system

  16. A zone transfer allows a secondary master server to update its zone database from the primary master This provides for redundancy when running DNS, should the primary name server become unavailable. Generally, a DNS zone transfer needs to be performed only by secondary master DNS servers Many DNS servers, however, are misconfigured and provide a copy of the zone to anyone who asks.

  17. A simple way to perform a zone transfer is to use the nslookup client that is usually provided with most UNIX and Windows implementations. We can use nslookup in interactive mode, as follows: [bash]$ nslookup Default Server: ns1.example.net Address: 10.10.20.2 > 216.182.1.1 Server: ns1.example.net Address: 10.10.20.2 Name: gate.tellurian.net Address: 216.182.1.1 > set type=any > ls -d Tellurian.net. >\> /tmp/zone_out

  18. Step 6: Network Reconnaissance Now that we have identified potential networks, we can attempt to determine their network topology as well as potential access paths into the network. To accomplish (ftp://www.ee.lbl.gov/traceroute.tar.gz) comes with most flavors of UNIX and is provided in Windows. In Windows, it is spelled tracert due to the 8.3 legacy filename issues. this task, we can use the program traceroute that traceroute is a diagnostic tool originally written by Van Jacobson that lets you view the route that an IP packet follows from one host to the next. traceroute uses the time- tolive (TTL) option in the IP packet to elicit an ICMP TIME_EXCEEDED message from each router

  19. traceroute topology employed by the target network, in addition to identifying access control applicationbased firewall or packet-filtering routers) that may be filtering our traffic may allow you to discover the network devices (such as an Most of what we have done up to this point with traceroute has been command-line oriented. For the graphically inclined, you can use VisualRoute (http://www.visualroute.com), NeoTrace (http://www.neotrace.com), or Trout (http://www.foundstone.com)

  20. Tools - Linux Some basic Linux tools - lower level utilities Local System hostname ifconfig who, last Remote Systems ping traceroute nslookup, dig whois arp, netstat (also local system) Other tools lsof

  21. Tools Linux (2) Other utilities wireshark (packet sniffing) nmap (port scanning) - more later Ubuntu Linux Go to System / Administration / Network Tools get interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois

  22. Tools - Windows Windows Sam Spade (collected network tools) Wireshark (packet sniffer) Command line tools ipconfig Many others

  23. hostname Determine host name of current system Usage: hostname E.g. hostname localhost.localdomain // default E.g. hostname mobile.cs.uwec.edu

  24. ifconfig Configure network interface Tells current IP numbers for host system Usage: ifconfig E.g. ifconfig // command alone: display status eth0 Link encap: Ethernet HWaddr 00:0C:29:CD:F6:D3 inet addr: 192.168.172.128 . . . lo Link encap: Local Loopback inet addr: 127.0.0.1 . . .

  25. who Basic tool to show users on current system Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts) Usage: who E.g. who root tty1 Jan 9 12:46 paultty2 Jan 9 12:52

  26. last Show last N users on system Default: since last cycling of file -N: last N lines Useful for identifying unusual activity in recent past Usage: last [-n] E.g. last -3 wagnerpj pts/1 137.28.253.254 Sat Feb 5 15:40 still logged in flinstf pts/0 137.28.191.74 Sat Feb 5 15:38 still logged in rubbleb pts/0 c48.someu.edu Sat Feb 5 14:38 - 15:25 (00:46)

  27. ping Potential Uses Is system online? Through response Gather name information Through DNS Tentatively Identify operating system Based on TTL (packet Time To Live) on each packet line TTL = number of hops allowed to get to system 64 is Linux default, 128 is Windows default (but can be changed!) Notes Uses ICMP packets Often blocked on many hosts; more useful within network Usage: ping system E.g. ping ftp.redhat.com E.g. ping localhost

  28. traceroute Potential Uses Determine physical location of machine Gather network information (gateway, other internal systems) Find system that s dropping your packets evidence of a firewall Notes Can use UDP or ICMP packets Results often limited by firewalls Several GUI-based traceroute utilities available Usage: traceroute system E.g. traceroute cs.umn.edu

  29. traceroute example - blocked [wagnerpj@data ~]$ traceroute cs.umn.edu traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets 1 137.28.109.2 (137.28.109.2) 0.247 ms 0.220 ms 0.208 ms 2 v101.networking.cns.uwec.edu (137.28.9.1) 0.245 ms 0.229 ms 0.220 ms 3 uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1) 1.315 ms 1.194 ms 1.343 ms 4 * * * <ctrl-c> [wagnerpj@data ~]$

  30. traceroute example - success H:\>tracert www.google.com Tracing route to www.google.akadns.net [64.233.167.99] over a maximum of 30 hops: 1 2 3 4 5 6 7 8 9 <1 ms 4 ms 2 ms 17 ms 18 ms 17 ms 18 ms 18 ms 15 ms [193.251.249.30] 16 ms 21 ms 18 ms <1 ms 6 ms 1 ms 17 ms 16 ms 18 ms 19 ms 17 ms 16 ms <1 ms v61.networking.cns.uwec.edu [137.28.61.1] 3 ms UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1] 2 ms r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141] 17 ms chi-edge-08.inet.qwest.net [65.113.85.5] 18 ms chi-core-02.inet.qwest.net [205.171.20.113] 19 ms cer-core-01.inet.qwest.net [205.171.205.34] 21 ms chp-brdr-01.inet.qwest.net [205.171.139.146] 18 ms P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113] 16 ms Google-EU-Customers-2.GW.opentransit.net 10 11 12 16 ms 19 ms 16 ms 18 ms 216.239.46.10 17 ms 64.233.175.30 16 ms 64.233.167.99 Trace complete.

  31. Visual Traceroute Example

  32. whois Potential Uses Queries nicname/whois servers for Internet registration information Can gather contacts, names, geographic information, servers, - useful for social engineering attacks Notes Usage: whois domain e.g. whois netcom.com

  33. whois example - basic Domain Name: UWEC.EDU Registrant: University of Wisconsin - Eau Claire 105 Garfield Avenue Eau Claire, WI 54702-4004 UNITED STATES Contacts: Administrative Contact: Computing and Networking Services 105 Garfield Ave Eau Claire, WI 54701 UNITED STATES (715) 836-5711 networking@uwec.edu Name Servers: TOMATO.UWEC.EDU 137.28.1.17 LETTUCE.UWEC.EDU 137.28.1.18 BACON.UWEC.EDU 137.28.5.194

  34. whois example - wildcards whois uw%.edu Your search has matched multiple domains. Below are the domains you matched (up to 100). For specific information on one of these domains, please search on that domain. UW.EDU UWA.EDU UWB.EDU UWC.EDU UWEC.EDU UWEST.EDU UWEX.EDU .

  35. nslookup Potential Uses Query internet name servers Find name for IP address, and vice versa Notes Now deprecated generally use dig Sometimes useful when dig fails Usage nslookup xxxxxxx // name or IP addr. E.g. nslookup data.cs.uwec.edu E.g. dig data.cs.uwec.edu

  36. dig Potential Uses Domain Name Service (DNS) lookup utility Associate name with IP address and vice versa Notes Many command options General usage: dig <somehost> E.g. dig data.cs.uwec.edu E.g. dig 137.28.109.33

  37. arp Tracks addresses, interfaces accessed by system Possible uses Find systems that your system has recently talked to Notes arp // display names arp n // display numeric addresses

  38. netstat Shows connections, routing information, statistics Possible uses find systems that your system has recently talked to, find recently used ports Notes Many flags netstat // open sockets, etc. netstat s // summary statistics netstat r // routing tables netstat p // programs netstat l // listening sockets

  39. lsof Lists open files on your system Useful to see what processes are working with what files, possibly identify tampering Usage: lsof

  40. Windows Tools Sam Spade swiss army knife of footprinting Has most of the Linux tools Plus other functionality Usage Start application Fill in name or IP address Choose option desired in menus

  41. Packet Sniffers Definition: Hardware or software that can display network traffic packet information Usage Network traffic analysis Example packet sniffers tcpdump (command line, Linux) wireshark (GUI interface, Linux, Windows open source) others

  42. Limitations Packet Sniffing Packet sniffers only catch what they can see Users attached to hub can see everything Users attached to switch only see own traffic Wireless wireless access point is like hub Need to be able to put your network interface card (NIC) in promiscuous mode to be able to process all traffic, not just traffic for/from itself NIC must support Need privilege (e.g. root in Linux)

  43. OSI Network Protocol Layer 7 Application (incl. app. content) Layer 6 Presentation Layer 5 Session Layer 4 Transport (incl. protocol, port) Layer 3 Network (incl. source, dest) Layer 2 Data Link Layer 1 Physical

  44. wireshark Created as tool to examine network problems in 1997 Various contributors added pieces; released 1998 Name change (2007): ethereal -> wireshark Works with other packet filter formats Information http://www.wireshark.org Demonstration

  45. Using wireshark Ubuntu Applications / Internet / Wireshark (as root) Enter your administrative account pw: user Capture/Interfaces/eth0:, Start Capture window shows accumulated totals for different types of packets Stop packets now displayed Top window packet summary Can sort by column source, destination, protocol are useful Middle window packet breakdown Click on + icons for detail at each packet level Bottom window packet content

  46. Wireshark capture analysis Can save a session to a capture file Can reopen file later for further analysis Open capture file Ubuntu: /home/user/Support/MOBILEcapture.cap W2K3: C:\Support\MOBILEcapture.cap Identify and follow different TCP streams Select TCP packet, Analyze/Follow TCP Stream MOBILEcapture.cap has http, https, ftp, ssh streams Any interesting information out there? HINT: follow stream on an ftp packet

  47. Related Tool Hunt TCP sniffer Watch and reset connections Hijack sessions Spoof MAC address Spoof DNS name

  48. Related Tool EtherPEG image capture on network http://www.etherpeg.com

More Related Content