420 likes | 846 Views
Network Reconnaissance. What is?. Military reconnaissance a mission conducted to confirm or deny prior intelligence (if any) about enemy threat and or the terrain of a given area. Network reconnaissance process of acquiring information about a network. Why?.
E N D
What is? • Military reconnaissance • a mission conducted to confirm or deny prior intelligence (if any) about enemy threat and or the terrain of a given area. • Network reconnaissance • process of acquiring information about a network
Why? • Hackers use reconnaissance as the first step in an effective attack • Seeing what is on the "other side of the hill" is crucial to decide what type of attack to launch • Generally, goals of reconnaissance on a target network are to discover: • IP addresses of hosts • Accessible UDP and TCP ports • OS type
Footprinting/Fingerprinting steps • Information Gathering • accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment • Locate the network • What addresses can be targeted and are available for additional scanning and analysis • Identify active machines • Which machine is actively connected to the network and reachable • Open ports and underlying applications • Which ports and applications are accessible • OS Fingerprinting • Identifying targeted Oss as well as systems response • Network mapping • Create blueprint of organization
Information Gathering • Get data regarding network environment such as • Organization web site, Location, contact person, Phone number • Common Tools • Registrar query : whois • Domain name and resource lookup • Search Tools
Locate the network range What range of IP addresses are available for scanning and further enumeration Common Tools : whois
Tool: WHOIS Search • WhoIs – Query of Internet Registries • Ref: http://www.arin.net/community/rirs.html • AfriNIC – Africa • APNIC - Asia/Pacific • ARIN – North America • LACNIC - Central and South America • RIPE NCC – Europe, Middle East, Central Asia • InterNIC– ICANN Public Domain Name Registration Info • 3rd Party Whois Tools • Geektools - http://www.geektools.com/whois.php • DomainTools – http://www.domaintools.com/ • DNSStuff – http://www.dnsstuff.com
Tool: - Google • Google, Yahoo, Live.com, etc. • Gather information about a targeted organization • Evaluate web sites for known security issues • Identify files that are accidentally exposed to the public
Tool: - Google search • Helpful Google Queries • Related sites: • related:www.someaddr.com • Search a specific site: • site:www.someaddr.com search_terms • Use Google to search group or blog postings
Tool: – Google operators Google Advanced Operators AND: “+” OR: “|” Synonym: “~” site:www.jeffersonwells.com inurl:robots.txt link:www.jeffersonwells.com intitle:“jefferson wells” filetype:xls
Tool: NSLOOKUP • Queries Domain Name Server information • IP and Domain Name Mapping • Zone Transfer – Dumps entire table • Check mail server
Tool: NSLOOKUP • Zone Transfer – Dumps entire table $ nslookup > server = A.B.C.D > ls somedomain.com
Tool: NSLOOKUP • MX record $ nslookup > set type = MX > somedomain.com
Network Identifier Tools • Identifying active computers and services • Common Tools • ping, ping6 • help verifying whether a host is active • traceroute, traceroute6 • determine the route to a node
Tool: ping • ping [hostname|ip_address] • ping6 [hostname|ip_address] • ping -R [hostname|ip_address]
Tool: traceroute • tracert • Windows • traceroute • Unix
Tool: How Traceroute work Launch a probe packet towards DST, with a TTL of 1 Every router hop decrements the IP TTL of the packet by 1 When the TTL hits 0, packet is dropped, router sends ICMP TTL Exceed packet to SRC with the original probe packet as payload SRC receives this ICMP message, displays a traceroute “hop” Repeat from step 1, with TTL incremented by 1 each time, until.. DST host receives probe, returns ICMP Dest Unreachable
Tool: Traceroute Report Hop • Traceroute packet with TTL of 1 enters router via the ingress interface. • Router decrements TTL to 0, drops packet, generates ICMP TTL Exceed • ICMP packet dst address is set to the original traceroute probe source (SRC) • ICMP packet src address is set to the IP of the ingress router interface • Traceroute shows a result based on the src address of the ICMP packet • The above traceroute will read:172.16.2.1 10.3.2.2 • You have NO visibility into the return path or the egress interface used
Tool: Traceroute Latency Calculation • How is traceroute latency calculated? • Timestamp when the probe packet is launched • Timestamp when the ICMP response is received • Calculate the difference to determine round-trip time • Routers along the path donot do anytime “processing” • They simply reflect the original packet’s data back to the SRC • Many implementations encode the original launch timestamp into the probe packet, to increase accuracy and reduce state • Most Importantly: only the ROUNDTRIP is measured • Traceroute is showing you the hops on the forward path • But showing you latency based on the forward PLUS reverse path. Any delays on the reverse path will affect your results!
Tool: InterpreteTraceroute DNS • Interpreting DNS is one of the most important aspects of correctly using traceroute • Information you can uncover includes: • Physical Router Locations • Interface Types and Capacities • Router Type and Roles • Network Boundaries and Relationships
Tool: Traceroute Reading Tips • Router’s name may include Exchange Point • MAE, NAP, PAIX • Router names may be the IATA 3-letter code of the nearest airport or CLLI code in their node name • Other abbreviation • http://www.sarangworld.com/TRACEROUTE/showdb-2.php3 • Interface name
Tool: Router Type/Role • Knowing the role of a router can be useful • But every network is different, and uses different naming conventions • May not always follow naming rules • Generally speaking, May need guessing the context and get a basic understanding of the roles • Core routers–CR, Core, GBR, BB • Peering routers–BR, Border, Edge, IGR, Peer • Customer routers–AR, Aggr, Cust, CAR, GW
Tool: DNS Interface type • Most networks will try to put interface info into DNS • Though this many not always be up to date • Many large networks use automatically generated DNS • As well as capacity, and maybe even the make/model of router • Examples: • xe-11-1-0.edge1.Washington1.Level2.net • XE-#/#/# is Juniper 10GE port. The device has at least 12 slots • It’s at least a 40G/slot router since it has a 10GE PIC in slot 1 • It must be Juniper MX960, no other device could fit this profile
Tool: Sample Traceroute $ traceroute www.hellers.com $ traceroute www.mit.edu
Identifying Active Machines • Attackers will want to know if machines are alive before they attempt to attack. One of the most basic methods of identifying active machines is to perform a sweep • Common Tools • ping, traceroute • Network scanning tools • nmap, superscan
Finding Open Ports • Open services • Common tools • Port scanning tools • nmap, superscan
OS Fingerprinting • Passive fingerprint • Sniffing technique • Examine packets for certain characteristics such as • The IP TTL value • The TCP Window Size • The IP DF Option • The IP Type of Service (TOS) Option • Active Fingerprint • Injects the packets into the network • Examines the subtle differences that exist between different vendor implementations of the TCP/IP stack • Common tools : nmap
Mapping the Network Gained enough information to build network map Network mapping provides the hacker with a blueprint of the organization. May use manual or automated ways to compile this information