Passive Research Section 2
Outline • Objective • Tools used for Passive Research • Example results
Uses of Passive Research • Gather information for social engineering • Quietly probe network in a difficult to detect manner • Identify what resources are most valuable/interesting
Objective • Obtain information from the public domain that could potentially be used to bypass security controls • Determine all entities associated with the target • Identify networks, domains, staff and configuration, if possible
What are we looking for • Personal information about users/staff • Organisational structure • Details to map/identify network devices • System configuration
Tools used for Passive Research All resources can be checked without sending ‘suspicious’ packets to the target. • Whois • DNS interrogation • Target’s homepage, news sites, linking sites • Newsgroup postings • Public Internet databases
Whois Section 2.1
Whois The following useful information can be obtained from a whois query: • Organisational branches and subdivisions • Domain names • Network address ranges • IT staff names, phone numbers • Email address format
Useful information found • For one bank, found a network connected to the Internet which they didn’t know existed. • Identified administrator names which were then used for web searches.
Tools used for whois • Command line whois clients available for many Unix/Linux packages • Web based • http://www.whois.org • http://www.demon.net/external/ • http://www.samspade.org/ • http://www.nettitude.com/iptools.html • GUI based for Windows • Samspade.org (free and very good) • Geektools.com • Solarwinds
Lab • Use whois from the Unix command line to investigate entries Time: 10 minutes
Passive research - Ripe $ whois -h whois.nic.uk. "loud-fat-bloke.co.uk"
Passive research - Ripe My network range
Whois web interfaces • http://www.samspade.org • http://www.geektools.com/cgi-bin/proxy.cgi • http://www.internic.net/alpha.html • http://www.allwhois.com • http://www.demon.net/external List of whois servers: • http://www.geektools.com/dist/whoislist.gz
Passive research - Ripe Me & my address!!!!!
Lab • Use web based whois to search for information about a particular domain. Time: 15 minutes
Domain Name System Section 4.2
DNS interrogation Tools: Dig, Nslookup • First choice: Zone transfer • MX records • Reverse lookups
Useful information found • Identified over 200 hosts through a single zone transfer of internal and external servers and gateways. • Identified the IP addresses of firewalls that otherwise couldn’t be seen.
Lab • Use web based DNS tools to investigate a company’s DNS entries Time: 10 minutes
Using the target homepage Section 2.3
Target’s homepage • Determine if site is hosted at ISP or at target • Quantify number of sites which may be attacked • Determine if there is any non-public information buried in HTML comment tags. • Review pages to identify server type Other items of interest: • Location • Merger or acquisition news • Phone numbers • Contact names and e-mail addresses • Links to other organisations
Tools to speed up a web page review • Copy the site locally using an automated tool • Search using Nimrod or ‘grep’ for keywords Example tool on Unix • wget (http://www.gnu.org/software/wget/wget.html) • Nimrod www.loud-fat-bloke.co.uk/tools.html Example tool on Windows • Babelweb (http://www.hsc.fr/ressources/outils/babelweb)
Useful information found • Administrator contact details • File configuration details • Comments from programmers concerning configuration
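Added example (not part of the original slides): a site owner can run the same comment review against a local copy of their own pages before publishing, so that programmer comments carrying contact or configuration details are caught first. The keyword list, function names and sample page below are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed keyword list; tune it to your organisation's naming and tooling.
KEYWORDS = re.compile(
    r"password|passwd|admin|todo|fixme|config|backup|internal|@"
    r"|\b(?:\d{1,3}\.){3}\d{1,3}\b",
    re.IGNORECASE,
)


class CommentAuditor(HTMLParser):
    """Collects (line, comment text, matched terms) for each flagged comment."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        hits = sorted({m.group(0).lower() for m in KEYWORDS.finditer(data)})
        if hits:
            line, _ = self.getpos()  # position of the opening "<!--"
            self.findings.append((line, " ".join(data.split()), hits))


def audit_html(text):
    """Return the flagged comments found in one HTML document."""
    auditor = CommentAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head><title>Example Corp</title></head>
<body>
<!-- main navigation -->
<h1>Welcome</h1>
<!-- TODO: move upload dir back to /var/www/uploads,
     ask jsmith@example.com for the new config -->
<p>Contact us</p>
<!-- staging db at 10.0.0.12 -->
</body></html>
"""

if __name__ == "__main__":
    for line, comment, hits in audit_html(SAMPLE):
        print(f"line {line}: {hits} :: {comment}")
```

Using an HTML parser rather than a line-based grep means multi-line comments are reported as one finding, with the line number where the comment opens.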
Lab • Examine several companies’ web sites to see if they contain any useful information. Time: 15 minutes
Newsgroups and the web Section 2.4
Newsgroup posting and web search Objective • To obtain newsgroup postings about an organisation's employees and resources Example of a web based tool • http://groups.google.com
Useful information found • Client chairman is a ‘male escort for hire’ • Detailed firewall configuration • Threats against companies by hacktivists • Identified information about system administrators and operating system variants
Lab • Use http://groups.google.com to search for useful information about the contacts of a particular company Time: 30 minutes
Lab • Use Internet search engines to identify useful information about an organisation. Time: 15 minutes