1 / 36

Passive Research

Passive Research. Section 2. Outline. Objective Tools used for Passive Research Example results. Uses of Passive Research. Gather information for social engineering Quietly probe network in a difficult to detect manner Identify what resources are most valuable/interesting. Objective.

sailor
Download Presentation

Passive Research

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Passive Research Section 2

  2. Outline • Objective • Tools used for Passive Research • Example results

  3. Uses of Passive Research • Gather information for social engineering • Quietly probe network in a difficult to detect manner • Identify what resources are most valuable/interesting

  4. Objective • Obtain information from the public domain that could potentially be used to bypass security controls • Determine all entities associated with the target • Identify networks, domains, staff and configuration, if possible

  5. What are we looking for • Personal information about users/staff • Organisational structure • Details to map/identify network devices • System configuration

  6. Tools used for Passive Research All resources can be checked without sending ‘suspicious’ packets to the target. • Whois • DNS interrogation • Target’s homepage, news sites, linking sites • Newsgroup postings • Public Internet databases

  7. Whois Section 2.1

  8. Whois The following useful information can be obtained from a whois query: • Organisational branches and subdivisions • Domain names • Network address ranges • IT staff names, phone numbers • Email address format

  9. Useful information found • For one bank, found a network connected to the Internet which they didn’t know existed. • Identified administrator names which were then used for web searches.

  10. Tools used for whois • Command line whois clients available for many Unix/Linux packages • Web based • http://www.whois.org • http://www.demon.net/external/ • http://www.samspade.org/ • http://www.nettitude.com/iptools.html • GUI based for windows • Samspade.org (free and very good) • Geektools.com • Solarwinds

  11. Unix Whois demo

  12. Lab • Use whois from the Unix command line to investigate entries Time: 10 minutes

  13. Example of a windows based whois tool

  14. Passive research - Ripe $ whois -h whois.nic.uk. "loud-fat-bloke.co.uk"

  15. Passive research - Ripe My network range

  16. Whois web interfaces • http://www.samspade.org • http://www.geektools.com/cgi-bin/proxy.cgi • http://www.internic.net/alpha.html • http://www.allwhois.com • http://www.demon.net/external List of whois servers: • http://www.geektools.com/dist/whoislist.gz

  17. Passive research - Ripe Me & my address!!!!!

  18. Passive research - Netcraft

  19. Passive research – DNS/Geektools

  20. Lab • Use web based whois to search for information about a particular domain. Time: 15 minutes

  21. Domain Name System Section 4.2

  22. DNS interrogation Tools: Dig, Nslookup • First choice: Zone transfer • MX records • Reverse lookups

  23. Useful information found • Identified over 200 hosts through a single zone transfer of internal and external servers and gateways. • Identified the IP addresses of firewalls that otherwise couldn’t be seen.

  24. ‘dig’

  25. DNS

  26. Lab • Use web based DNS tools to investigate a company’s DNS entries Time: 10 minutes

  27. Using the target homepage Section 2.3

  28. Target’s homepage • Determine if site is hosted at ISP or at target • Quantify number of sites which may be attacked • Determine if there is any non-public information buried in HTML comment tags. • Review pages to identify server type Other items of interest: • Location • Merger or acquisition news • Phone numbers • Contact names and e-mail addresses • Links to other organisations

  29. Tools to speed up a web page review • Copy the site locally using an automated tool • Search using Nimrod or ‘grep’ for keywords Example tool on Unix • wget (http://www.gnu.org/software/wget/wget.html) • Nimrod www.loud-fat-bloke.co.uk/tools.html Example tool on Windows • Babelweb (http://www.hsc.fr/ressources/outils/babelweb)

  30. Useful information found • Administrator contact details • File configuration details • Comments from programmers concerning configuration

  31. Lab • Examine several companies’ web sites to see if they contain any useful information. Time: 15 minutes

  32. Newsgroups and the web Section 2.4

  33. Newsgroup posting and web search Objective • To obtain newsgroup postings about an organisations employees and resources Example of a web based tool • http://groups.google.com

  34. Useful information found • Client chairman is a ‘male escort for hire’ • Detailed firewall configuration • Threats against companies by hacktivists • Identified information about system administrators and operating system variants

  35. Lab • Use http://groups.google.com to search for useful information about the contacts of a particular company Time: 30 minutes

  36. Lab • Use Internet search engines to identify useful information about an organisation. Time: 15 minutes

More Related