500 likes | 672 Views
電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓. Intelligence Gathering Techniques. I ntelligence G athering T echniques (IGT). IGTs help an attacker to understand the characteristics and potential vulnerabilities of her/his targets.
E N D
電腦攻擊與防禦 The Attack and Defense of Computers Dr.許 富 皓
Intelligence Gathering Techniques (IGT) • IGTs help an attacker to understand the characteristics and potential vulnerabilities of her/his targets. • Through intelligence gathering techniques an attacker can launch a more accurate and efficient attack to her/his targets.
IGT Steps • In the computer hacking world, intelligence gathering can be roughly divided into three major steps: • Footprinting • Scanning • Enumeration
Footprinting • collect information to make a unique footprint or a profileof an organization security posture. • With footprinting, using rather simple tools, we gather information such as: • Administrative, technical, and billing contacts, which include employee names, email addresses, and phone & fax numbers. • IP address range • DNS servers • Mail servers • And we can also identify some of the systems that are directly connected to the Internet.
Scanning • The art of detecting which systems are alive and reachable via the Internet, and what services they offer, using techniques such as ping sweeps, port scans, and operating system identification (OS fingerprinting), is called scanning.
Information Collected by Scanning • The kind of information collected here has to do with the following: • TCP/UDP services running on each system identified. • System architecture (Sparc, Alpha, x86). • Specific IP addresses of systems reachable via the Internet. • Operating system type.
Enumeration • Enumeration is the process of extracting valid accounts or exported resource names from systems. The information is gathered using active connections to systems and queries, which is more intrusive in nature than footprinting and scanning. • The techniques are mostly operating system specific, and can gather information such as: • User & group names. • System banners • Routing tables • SNMP information
Internet Footprinting • The fine art of gathering target information • Domain name • Specific IP addresses of systems reachable via the Internet. • TCP and UDP services running on each system identified. • System architecture (e.g. , Sparc vs. x86) • Access control mechanisms and related access control lists. • Intrusion-detection systems (IDSs) • System enumeration (user and group name, system banners, routing tables, and SNMP information) • DNS hostnames
Where Can We Find The Information? • Company Web pages. • Related organizations. • Location details. • Phone numbers, contact names, e-mail addresses, and personal details. • Privacy or security policies, and technical details indicating the types of security mechanisms in place. • Archived Information • Search engines and resumes
Company Web Pages • Some organizations will list their security configuration details directly on their Internet web servers. • Trying reviewing the HTML source code.
What Info Can We Find in A Web Page Source Code (1)? • check the comment part: those parts included between <!- - and - - > . • Using Wget (for Unix) and Teleport Pro (for Windows) you can mirror the entire web pages on a web server. • Other sites with none-www prefix name. • Many organizations have sites to handle remote access to internal resources via a web browser: • E.g. Through Microsoft’s Outlook Web Access, a person can access the contents stored in a Microsoft Exchange server, such as e-mails, address books, a calendar, public folders. Typical URL for this kind of resource is http://owa.company.com or http://outlook.company.com .
What Info Can We Find in A Web Page Source Code (2)? • Sites like http://vpn.company.com or http://www.company.com/vpn will often reveal sites designed to help end users connect to their companies’ VPNs. You can also find detailed instructions on how to download and configure the VPN client software. These sites may even include a phone number to call for assistance if someone (usually this person is supposed to be an employee, however, an attacker may also use this channel to connect the VPN) get troubles to connect to the VPN.
Related organizations • Other related organizations’ web site may also leak sensitive information about the target organization.
Phone numbers, contact names, e-mail addresses, and personal details • Contact names and e-mail addresses may reveal an organization’s employees name or account name. • E.g. If an organization has an employee named John Smith than it is very possible that some of the organization’s hosts’ has an account name jsmith, johnsmith or smithj and vice verse. • From an employee’s name, an attack may find her/his home phone number or home computer which probably has some sort of remote access to the target organization. A keystroke logger on an employee’s home machine or laptop may very well give a hacker a free ride to the organization’s inner hosts.
Search Engines and Resumes • A lot of sensitive information could be obtained through a search engine by using appropriate searching key words. • If an organization is posting for a security professional with five or more years’ experience work with CheckPoint firewalls and Snort IDS, then what kind of firewall and IDS do you think they use?.
Who is Managing the Internet today?
Who is Managing the Internet today? • Core functions of the Internet are managed by a nonprofit organization named the Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org ). • Created in Oct. 1998, ICANN is assuming responsibility for a set of technical functions previously performed under U.S. government contract by the Internet Assigned Numbers Authority (IANA; http://www.iana.org ) and other groups. • P.S.: In practice, IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN
Some of ICANN’s Major Functions • ICANN coordinates the assignment of the following identifiers that must be globally unique for the Internet to function: • Internet domain names. • IP address numbers. • Protocol parameters and port numbers. • ICANN also coordinates the stable operation of the Internet’s root DNS server system.
Three Special ICANN Suborganizations • Address Supporting Organization (ASO; http://www.aso.icann.org ). • Generic Names Supporting Organization (GNSO; http://www.gnso.icann.org ) • Country Code Domain Name Supporting Organization (CCNSO; http://www.ccnso.icann.org )
ASO • Reviews and develops recommendations on IP address policy and advises the ICANN Board on these matters. • Allocates IP address blocks to various Regional Internet Registries (RIRs). • A RIR’s responsibility is to manage, distribute, and register public Internet number resources within their respective regions. • RIRs allocate IPs to organizations, Internet service providers (ISPs), or, in some cases, National Internet Registries (NIRS) or Local Internet Registries (LIRS.) • Taiwan’s Case: • Taiwan’s ISPs get their IPs from TWNIC: • NIR of Taiwan: TWNIC http://www.twnic.net.tw/ip/ip_01.htm • LIRs/ISPs List of Taiwan: http://www.twnic.net.tw/english/ip/ip_03.htm.
RIR • Currently there are five Regional Registries, four active and one in observer status. • APNIC ( http://www.apnic.net ) Asia-Pacific region. • ARIN ( http://www.arin.net ) North and South America, sub-Sahara Africa regions. • LACNIC ( http://www.lacnic.net ) Latin America and portions of the Caribbean • RIPE ( http://www.ripe.net ) Europe, parts of Asia, Africa north of the equator, and the Middle East regions. • AfriNIC ( http://www.afrinic.net, currently in ”observer status” )
RIR Summary • ASO – allocate IP address blocks to the five RIRs – allocate IPs to Organizations, ISPs, or NIRs, or LIRs.
Registry-Registrar-Registrant Model -- [Eduardo Sztokbant]
Registry-Registrar-Registrant Model • 3 entities involved in Internet domain name registration within this model: • Registrant: final client, the one who wishes to register the domain name. • Registry: the operators that maintain the list of available domain names within their extension. • Registrar: interface between registry and registrant, may provide extra services to the latter one.
Relationship among the three Rs • While there can be several registrars that provide domain registration and related services for a same given TLD, there's necessairly only ONE authoritative repository responsible for this TLD.
GNSO • Reviews and develops recommendations on domain-name policy for all generic top-level domains (gTLDs) and advises the ICANN Board on these matters. • However, GNSO is not responsible fro domain-name registration, but rather is responsible for the generic top-level domains (for example, .com, .net, .edu, .org, and . info), which can be found at http://www.iana.org/gtld/gtld.htm . • root name servers: http://www.gnso.icann.org/gtld-registries/
GNSO Summary GNSO TLDR for .com Verisign Global Registry Service …… TLD Registry TLDR for .edu TLDR for .org … Registrar A MarkMointor Inc Registrar X Registrar .. .. Registrant Registrant e1 Registrant ep Registrant a1 Registrant aq Registrant x1
CCNSO • Reviews and develops recommendations on domain-name policy for all country-code top-level domains (ccTLDs) and advises the ICANN Board on these matters. • Again, ICANN does not handle domain-name registrations. • The definitive list of country-code top-level domains can be found at http:// www.iana.org/cctld/cctld-whois.htm • .tw domain name is managed by TWNIC: http://www.twnic.net.tw/dn/dn_01.htmhttp://rs.twnic.net.tw
CCNSO Summary CCNSO TLDR for .tw TWNIC …… TLD Registry TLDR for .uk TLDR for .ca Registrar X .com.tw, .org.tw .div.tw,.net.tw 中華電信 Registrar A .edu.tw MOE Registrar Y com.tw, .org.tw .div.tw,.net.tw 台灣固網 Registrar … .. .. Registrant school s1 School sp Registrant x1 Registrant xq Registrant y1
Some Other Useful Links • IP v4 allocation: http://www.iana.org/assignments/ipv4-address-space . • IP address services: http://www.iana.org/ipaddress/ip-addresses.htm . • Special-use IP addresses: http://www.rfc-editor.org/rfc/rfc3330.txt . • Registered port numbers: http://www.iana.org/assignments/port-numbers • Registered protocol: http://www.iana.org/assignments/protocol-numbers .
WHOIS Servers and Protocol • Essentially, the WHOIS is a database of contact information about domain name registrants. It is accessed through the websites of registrars or registries, as well as through technical means by the registrars and registries, themselves.
Methods to Store WHOIS Information • There are two ways that WHOIS information may be stored: Thick or Thin.
Thick Model • Thick model: one WHOIS server stores the WHOIS information from all the registrars for the particular set of data (so that one WHOIS server can respond with WHOIS information on all .org domains, for example).
Thin Model • Thin model: one WHOIS server stores the name of the WHOIS server of a registrar that has the full details on the data being looked up (such as the .comWHOIS servers, which refer the WHOIS query to the registrar that the domain was registered from).
Availability of WHOIS Servers • The WHOIS query syntax, type of permitted queries, available data, and the formatting of the results can vary widely from server to server. • Many of the registrars are actively restricting queries to combat spammers, attackers, and resource overload. • Information for .mil and .gov have been pulled from public view entirely due to national security concerns. • Information for .edu.tw is not available in .tw domain registry—TWNIC ( http://rs.twnic.net.tw/.)
Problems with WHOIS Servers • Privacy: Registrant’s contact details. • Spam. • Internationalization. • Lack of WHOIS server lists.
Domain-Related vs. IP-Related • Domain-related items (such as osborne.com) are registerd separately from IP-related items (such as IP net-blocks). • Therefore, we will have two different paths in our methodology for finding these details.
Domain-Related Search • The authoritative Registry for a given TLD, e.g. com, contains information about which registrar the target entity registered its domain with. • By querying the appropriate Registrar, the Registrant details for the particular domain name can be found. • The above steps are referred to as the “Three Rs” of WHOIS– Registry, Registrar, Registrant.
Exmaple for tsmc.com IANA Whois service Result: RegistryVeriSign Global Registry Services VeriSign Global Registry Services Whois Service Result: RegistrarNETWORK SOLUTIONS, LLC. NETWORK SOLUTIONS, LLC.Whois Service Result: Registrant TSMC keyword: com keyword: tsmc.com keyword: tsmc.com
Exmaple for uni-president.com.tw IANA Whois service Result: RegistryTaiwan Network Information Center (TWNIC) Registrar Taiwan Network Information Center (TWNIC) Whois Service Result: Registrant 統一企業股份有限公司 keyword: tw keyword: uni-president.com.tw P.S.: TWNIC is also the Registrar of com.tw
One-Stop-Shopping for WHOIS Information • http://www.allwhois.com . • http://www.uwhois.com . • http://www.internic.net/whois.html .
TARNET-Related URLs • http://www.moe.gov.tw/ • http://domain.edu.tw/index.html
IP-Related Search (1) • The WHOIS server at ICANN (IANA) does not currently act as an authoritative registry for all the RIRs as it does for the TLDs, but each RIR does know which IP ranges it manage. This allows us to simply pick any one of them to start our search. If we pick the wrong one, it will tell us which one e need to go to.
IP-Related Search (2) • You are interested in the IP address 140.115.50.80. • Try the WHOIS search at RIRARIN’s web site. • The result shows that the IP address is managed by RIRAPNIC. • Then go to RIR APNIC’s web site to search the same IP address. • Here you are. • The above process can be followed to trace back any IP address in the world to its owner, or at least to a point of contact that may be willing to provide the remaining details. • Laundered IP addresses: an attacker can also masquerade her/his true IPs.
IP-Related Search (3) • We can also find out IP ranges and BGP autonomous system numbers that an organization “owns” by searching the RIR WHOSI servers for the organization’s literal name. • E.g. go to http://whois.apnic.net and type ncu. • TWNIC doesn’t provide detailed information; therefore no detailed information are shown. • E.g. go to http://www.arin.net and type Google. • Useful information: • Administrative contact • Administrators’ names: could be used to cheat gullible users to change their passwords. • Phone and fax number • DNS names: could be used in DNS interrogation.