
What the public record doesn't want you to know Wesley Spencer Murray State University



Presentation Transcript


  1. What the public record doesn't want you to know (Wesley Spencer, Murray State University)

  2.

  3. For pen-testers and attackers:
  • Precursor to attack
  • Social engineering
  • User names and passwords
  • Web vulnerabilities
  • Internal IT structure (software, servers, IP layout)
  • Spearphishing
  For the rest of you:
  • Fun? Curiosity?

  4. First things first
  • Prior to attack, the best crackers do their homework.
  • This often involves detailed and thorough reconnaissance before a single packet is sent out.
  • This relates to the real world. Example of bank robbers:
    • Record the times security guards enter/leave
    • Location of security cameras
    • Find out the alarm system vendor
    • Find out the vault manufacturer
    • Plan a getaway route

  5. Many computer attackers, like bank robbers, investigate the target using PUBLIC information.
  • Recon is not always technically intensive.
  • Yet it is often just as powerful, if not more so.
  • This is the starting method of choice for the best hackers/crackers.

  6. Low-Tech Recon
  • Social Engineering
  • Caller ID Spoofing
  • Physical Break-In
  • Dumpster Diving

  7. Low-Tech Recon: What's in it for them?
  • Without even having to touch a computer, attackers can learn about:
    • Passwords
    • Detailed network architecture
    • System documentation
    • Other highly confidential information

  8. Social Engineering
  • Arguably the best hacking method available
  • Exploits the weakness of the human element of information systems
  • A skilled social engineer can achieve their goals without even touching a keyboard

  9. Social Engineering
  • Typical use: the attacker calls an employee at the target organization and dupes them into revealing sensitive information.
  • Guess what? It works ALMOST ALL THE TIME.

  10. Social Engineering: The Process
  • The attacker first develops a pretext for the phone call
    • A detailed scenario that will hopefully trick the victim
    • Involves the role the attacker will assume:
      • New employee, administrative assistant, manager, or system administrator
    • Reason for the call:
      • Getting the right contact name/number, a sensitive document, an existing password, or a new account set up
  • The rest is improvised, made up as needed to get the job done.

  11. Social Engineering: Greatest Hits Collection 1
  • A new employee calls the help desk trying to figure out how to perform a particular task on a computer
  • An angry manager calls a lower-level employee because a password has suddenly stopped working
  • A system administrator calls an employee to fix an account on the system, which requires his password
  • An employee in the field has lost some important information and calls another employee to get the remote access phone number

  12. Social Engineering: The In-House Voicemail Technique
  • One of the greatest ways to execute social engineering.
  • Pose as a new employee and call someone at the workplace to find the helpdesk number.
  • Call the helpdesk and ask them for the number of the voicemail administrator.
  • Still posing as the new employee, call the voicemail administrator and request voicemail service.
  • If you're successful, you've got a new phone extension and a voicemail set up!
  • Then, contact other employees, ask them for the information you need, and leave them a message to reply to you on your voicemail.
  • Users often blindly trust anyone with a voicemail account on their system. This method is powerful.

  13. Social Engineering: Caller ID Spoofing

  14. Social Engineering: The Defense
  • User training, user training, user training!
  • They must be taught to guard sensitive information.
  • Understand that passwords are like underwear:
    • You don't tell people what it is, you don't share it, you don't reveal it, and you certainly don't stick it on your monitor!
  • If someone in "authority" calls, they should not be given sensitive information without identifying themselves.
  • This is very difficult, but users must understand that attackers are oftentimes the nicest, most polite, smooth-talking people of all. No one should be trusted over the phone.

  15. Physical Break-In
  • If an attacker can get physical access to a machine, there is usually nothing he can't eventually do.
  • This must be prevented at all costs.
  • Examples:
    • User walks away from a logged-in machine.
    • Attacker plugs directly into the network or connects wirelessly, sniffing traffic and bypassing external firewalls.
    • Attacker might swipe a CD/DVD, backup tape, or even a hard drive.

  16. Physical Break-In: Methods
  • Attacker might try to walk through an entrance with a group of employees on their way to work.
  • When badge access is required, they try to piggy-back their way in, walking in right after legitimate users.
  • If locked, just ask someone nicely. Oftentimes, people trust nice people and genuinely want to help.

  17. Physical Break-In: Defenses
  • Security badges should be issued, and every employee should be checked prior to entry. Every time.
    • Many companies have badges, but don't check every single employee.
  • Don't let someone in who claims to have just "forgotten their badge that morning".
    • Though this can often make legitimate "forgetters" mad, this should be stressed.
  • People who deny entry to those without badges, even if they are legitimate, should be commended for their denial.
    • This should be stressed with employee awareness programs.

  18. Physical Break-In: Defenses
  • Lock all computer room doors and wiring closets. Never unlock at any time, especially not for someone you don't know. Don't distribute the key.
  • Create and even enforce search and seizure of all computer equipment and media inside company premises.
  • Password-protect BIOS and screen savers.
  • Use file system encryption, especially on traveling laptops, etc.

  19. Dumpster Diving
  • Involves looking through trash for sensitive information like:
    • Discarded paper, CDs, DVDs, floppy disks, tapes, hard drives
  • You'd be surprised what can be found: passwords on sticky notes, half ripped but readable, with food on them.

  20. Dumpster Diving: Defense
  • Shred all sensitive documents.
    • Obviously this is subject to opinion of what is "sensitive". Thus user awareness/training is important.
  • Wipe drives, degauss, and even physically destroy if need be. This can be fun.
  • Be careful with employee office moves. This is when lots of information is trashed.
    • Solution: provide the employee a separate trash can and shred all of his trash, just to be secure.

  21. High-Tech Recon: Search The Fine Web (STFW)
  • Recon's big gun: Google
  • AKA "Google Hacking"
  • Adrian Lamo, a noted hacker, was once asked his favorite hacking tool.
    • Without blinking, he responded: "Google, hands down."

  22. Google Hacking

  23. Google Hacking

  24. Google Hacking
  • Good examples:
    • site:abanktoattack.com filetype:xls ssn
      • What might this do?
      • What if the user takes this page offline?
        • Google's cache might (and probably does) still have it. The attacker is still able to be dangerous.
        • Don't forget the Wayback Machine either: www.archive.org
        • Stores cached copies of billions of web pages. You might still find what you're looking for here!
    • site:abanktoattack.com inurl:phpinfo
      • How can this be useful?

  25. Google Hacking
  • Other useful tools:
    • Super useful cheat sheet:
    • FoundStone / McAfee SiteDigger 2.0
      • Searches Google's cache to look for vulnerabilities, errors, config issues, etc.
      • This tool is amazing.

  26.

  27. Google Hacking
  • Other useful tools
    • Johnny Long, the "I hack stuff" guy, has a big list of great Google search terms.
      • Called the Google Hacking Database (GHDB), at: http://johnny.ihackstuff.com
      • Now: http://www.hackersforcharity.org/ghdb/
    • Also check out Wikto by Roelof Temmingh. This is similar to SiteDigger.
      • http://www.sensepost.com/research/wikto

  28. Google Hacking
  • Google is working hard and fast to stop some of this with filters for:
    • SSNs
    • Certain vulnerabilities
    • Worm propagation (previous worms have used Google to search for vulnerable machines online)
  • Good books on Google Hacking:
    • Google Hacking for Penetration Testers (Syngress, 2004) by Johnny Long
    • Google Hacks (O'Reilly, 2004) by Tara Calishain and Rael Dornfest

  29. Some cool results
  • Google this: inurl:"ViewerFrame?Mode="
  • Find some results and click on them. At the time of this document's writing, here's a few:
    • http://62.117.68.199:8055/ViewerFrame?Mode=Motion

  30. Some cool results
  • Google this: # Kickstart filetype:cfg
  • Find some results and click on them. At the time of this document's writing, here's a few:
    • http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
    • Dude, for real??!?!?!?!??!!!!!!!!!!!!?!?!

  31. Some cool results
  • Google this: mysql dump filetype:sql
  • Find some results and click on them. At the time of this document's writing, here's a few:
    • http://mobisna.ist.psu.edu/download/mobisna_db.sql
    • Dude, for real??!?!?!?!??!!!!!!!!!!!!?!?!
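A defender-side check for the exposures these dorks turn up, written as an added example (not from the slides): it scans web-server access logs in the combined format for search-engine and archive crawlers that successfully fetched spreadsheets, SQL dumps, kickstart .cfg files or phpinfo pages, since anything on that list is about to be findable with the searches above. The log lines, the crawler user-agent substrings and the sensitive-path patterns are all constructed for this example; adjust them to your own site.

```python
import re
from collections import namedtuple

# Apache/nginx "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

# What the slides' dorks look for: filetype:xls / filetype:sql / filetype:cfg and inurl:phpinfo
SENSITIVE_PATHS = (re.compile(r'\.(xls|xlsx|sql|cfg|bak)(\?|$)', re.I),
                   re.compile(r'phpinfo', re.I))
# Substrings identifying search-engine and archive crawlers (constructed list; extend for your site)
CRAWLER_AGENTS = ("googlebot", "bingbot", "archive.org_bot", "ia_archiver")

Hit = namedtuple("Hit", "time agent path")

def is_crawler(agent):
    agent = agent.lower()
    return any(c in agent for c in CRAWLER_AGENTS)

def is_sensitive(path):
    return any(p.search(path) for p in SENSITIVE_PATHS)

def indexed_sensitive_files(log_lines):
    """Return a Hit for every crawler request that fetched a sensitive-looking path
    successfully (2xx): those files are now likely findable with the dorks above."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if (m and m.group("status").startswith("2")
                and is_crawler(m.group("agent")) and is_sensitive(m.group("path"))):
            hits.append(Hit(m.group("time"), m.group("agent"), m.group("path")))
    return hits

# Constructed sample log lines (addresses and paths are made up for this example)
SAMPLE_LOG = """\
66.249.66.1 - - [10/Mar/2012:08:01:12 -0500] "GET /reports/payroll.xls HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Mar/2012:08:01:15 -0500] "GET /phpinfo.php HTTP/1.1" 200 9321 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Mar/2012:08:01:20 -0500] "GET /backup/site_dump.sql HTTP/1.1" 403 212 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.1.1.7 - - [10/Mar/2012:08:02:01 -0500] "GET /reports/payroll.xls HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (Windows NT 6.1)"
207.241.224.2 - - [10/Mar/2012:08:05:44 -0500] "GET /kickstart/workstation-ks.cfg HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; archive.org_bot +http://www.archive.org/details/archive.org_bot)"
"""

if __name__ == "__main__":
    for h in indexed_sensitive_files(SAMPLE_LOG.splitlines()):
        print(h.time, h.path, "fetched by", h.agent)
```

The 403 on the SQL dump and the internal user's download are deliberately left out of the result: only what a crawler actually got back is now in a search index or archive.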

  32. The Virtual Water Cooler: Newsgroups
  • Newsgroups are very commonly used by employees to share information and ask questions.
  • Newsgroups often reveal sensitive information:
    • How to configure a particular server or system
    • Problems with code/programming
    • Troubleshooting various other problems
  • Sometimes, hackers pose as a good guy and give their victim bad advice to make their future attack easier.
  • http://groups.google.com, a massive archive of newsgroups

  33. Searching the Victim's Own Website
  • Many times a company website will give a lot of useful information:
    • Employee contact information, phone numbers, etc.
    • Clues about corporate culture and language
    • Business partners
    • Recent mergers/acquisitions
    • Technologies in use
    • Open job postings

  34. Defending Web-Based Recon
  • Most importantly, teach employees what to post and not to post on the website.
  • If you have to, control ftp/sftp access to certain users only; they must approve all material uploaded.
  • For newsgroups: have technical employees trained in not divulging unnecessary information.
    • Good idea: use a non-corporate email address.

  35. Defending Web-Based Recon
  • Robots.txt
    • Tells well-behaved search bots what NOT to search.
    • Keep in mind that for malicious bots, this tells them explicitly what to search!
  • Directives:
    • noindex: Don't index the given page
    • nofollow: Don't follow links on the given page
    • noarchive: Bot may index, but not archive the page
    • nosnippet: Don't grab summary snippets on the webpage
    • Example: <meta name="robots" content="noindex,noarchive">
  • But… this can be really dangerous!
    • Robots says DON'T index this!!!
    • Why not???

  36. Defending Web-Based Recon
  • If you need Google to remove something:
    • http://support.google.com/webmasters/bin/answer.py?hl=en&answer=1663416
    • They promise to remove in 24 hours, but sometimes as soon as 1 hour!
  • For non-Google sites: www.robotstxt.org

  37. Let's get personal…
  • Cyberstalking & Anti-Social Networking
    • http://www.pipl.com
    • http://www.spokeo.com
    • http://www.peekyou.com
    • http://www.yoname.com
    • http://tineye.com (not necessarily useful here…)

  38. Whois: A Treasure Trove of Information
  • Assignment of domain names
  • IP addresses
  • Individual contact information

  39. Whois: A Treasure Trove of Information
  • Now, attackers do searches based upon:
    • Domain names
    • NIC contact names/email
    • IP addresses
    • Telephone numbers
    • Name servers (useful to dig)
  • One way to make it easier:
    • http://www.nirsoft.net/utils/whois_this_domain.html
    • http://www.nirsoft.net/utils/ipnetinfo.html
  • Also, check this out, but it isn't free:
    • http://www.domaintools.com/

  40. Whois Defense
  • Keep all registrar information up-to-date. If the current contact leaves the company, replace his info.
  • If you choose, use an anonymous domain handler:
    • www.domainsbyproxy.com

  41. Geo-Location
  • http://www.nabber.org/projects/geotrace

  42. DNS
  • Quick review of DNS
  • Record types:
    • Address (A record)
      • This type of record maps a domain name to a specific IP address or vice versa.
      • www 1D IN A 10.1.1.48
    • Host Information (HINFO record)
      • This record associates arbitrary information about the system with a domain name and historically was used to identify the OS the machine ran on.
      • www 1D IN HINFO Linux2.6
    • Mail Exchange (MX record)
      • This record identifies a mail system accepting mail for the given domain.
      • @ 1D IN MX 10 mail.website.com
    • Name Server (NS record)
      • This record identifies DNS servers associated with a given domain.
      • @ 1D IN NS ns1.website.com
    • Text (TXT record)
      • This record associates an arbitrary text string with the domain name.
      • Admin 1D IN TXT "Admin Workstation"

  43. DNS

  44. DNS Interrogation
  • Attacker needs to determine one or more DNS servers of the target organization.
    • This is available from whois.
  • nslookup: a popular tool for obtaining DNS information
    • Usually a good first step in performing a zone transfer.
  • A zone transfer is the transfer of a zone file, which contains all the information a server has about a given domain.
    • Zone transfers exist so that a secondary DNS server can obtain information from its primary DNS.
    • But attackers use this too.
    • If a zone transfer can be performed, a lot of information can be obtained!

  45. DNS Interrogation
  • A zone transfer will give server names, IP addresses, MX entries, and occasionally even more information.
  • Unfortunately, on Linux nslookup no longer supports zone transfers, so use dig:
    • $ dig @10.1.1.34 website.com -t AXFR
  • nmap -sL <IP_RANGE>
  • http://serversniff.net/sshreport.php
    • Definitely give this a shot!
  • Fierce: http://ha.ckers.org/fierce/
    • ./fierce.pl -dns irongeek.com

  46. DNS Defense
  • For starters, look at your zone file(s). Remove everything possible except:
    • Name servers
    • Mail servers
    • The IP/name mapping for the above
  • Anything other than the above is not needed: remove it.
  • Restrict zone transfers with extreme prejudice.
    • Zone transfers are used to keep a secondary DNS in sync with its primary DNS. NO ONE else has any business with your zone transfer.
    • The DNS servers in the network should only allow zone transfers to each other, and absolutely no one else.
  • Also, on the firewall(s), allow UDP port 53 to your DNS servers only.
    • TCP port 53 only for the allowed secondary DNS. (TCP is used for zone transfers, UDP for normal queries/responses.)

  47. DNS Defense
  • Unfortunately, many companies still allow zone transfers.
    • If not on the primary DNS, oftentimes it's allowed on the secondary/tertiary.
  • Lastly, employ split DNS techniques.
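To apply the "remove everything except name servers, mail servers and their addresses" rule from slide 46, here is an added example (not part of the talk) that parses zone records in the one-line format shown on slide 42 and lists the records that rule would flag. The sample zone, the origin website.com. and the choice to keep the SOA are assumptions of this example; a real zone will also need address records for the public services you intend to publish, so treat the output as a review list rather than a delete list.

```python
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Matches the one-record-per-line form used on slide 42: name ttl IN type rdata
# (assumes no $ORIGIN/$TTL directives and no multi-line parenthesised records)
RECORD_RE = re.compile(r'^(\S+)\s+(\S+)\s+IN\s+([A-Z]+)\s+(.+)$')

def fqdn(name, origin):
    """Expand '@' and relative owner/target names under the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if line:
            name, ttl, rtype, rdata = RECORD_RE.match(line).groups()
            records.append(Record(fqdn(name, origin), ttl, rtype, rdata))
    return records

def audit_zone(records, origin):
    """Return the records the slide's rule says to remove: everything except NS and MX,
    the SOA (assumed to be required), and the address records of the NS/MX hosts."""
    keep_hosts = set()
    for r in records:
        if r.rtype == "NS":
            keep_hosts.add(fqdn(r.rdata, origin))
        elif r.rtype == "MX":                      # rdata is "<preference> <host>"
            keep_hosts.add(fqdn(r.rdata.split()[-1], origin))
    return [r for r in records
            if r.rtype not in ("NS", "MX", "SOA")
            and not (r.rtype in ("A", "AAAA") and r.name in keep_hosts)]

# Constructed sample zone in the slide's record format (not a real organisation's data)
SAMPLE_ZONE = """\
@     1D IN SOA   ns1.website.com. admin.website.com. 2012031001 3600 900 604800 86400
@     1D IN NS    ns1.website.com.
@     1D IN MX    10 mail.website.com.
ns1   1D IN A     10.1.1.2
mail  1D IN A     10.1.1.3
www   1D IN A     10.1.1.48
www   1D IN HINFO Linux2.6
admin 1D IN A     10.1.1.77
admin 1D IN TXT   "Admin Workstation"
"""
```

Running audit_zone(parse_zone(SAMPLE_ZONE, "website.com."), "website.com.") flags the www and admin records (A, HINFO and TXT), i.e. exactly the host-information and workstation records the slide says to take out of the public zone.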

  48.

  49. BackTrack
  • Useful for all kinds of stuff; arguably the best hack tool out there.
    • Oftentimes, hackers claim it is sufficient to run a full-scale attack, end-to-end.
    • And they're right.
  • Email harvesting
    • goog-mail.py <domain name>: pretty cool, you'll have to try it out.
    • Then, take those results and Google them! You'll be amazed at what you might find.
  • DNS enumeration
    • dnsenum.pl <domain name>

  50. Sam Spade
  • Easy to use and very functional recon suite
  • Capabilities:
    • Ping
    • Whois
    • IP block whois: finds out who owns a particular set of IPs by querying ARIN, RIPE NCC, APNIC, and LACNIC
    • Nslookup: convert domain names to IPs
    • DNS zone transfer: transfers all info it can about a given domain
    • Traceroute: returns a list of router hops in between you and the target
    • Finger: queries a UNIX system to determine its user list (finger is RARELY used these days)
    • SMTP VRFY: determine if a given email is valid on a target email server
    • Web browser: view raw HTTP, including headers (useful for attacking web applications)
    • Web crawler: grabs the entire contents of a website and creates a local copy
  • Was at: www.samspade.org/ssw
