What the public record doesn't want you to know
Wesley Spencer, Murray State University
For Pen-testers and attackers:
• Precursor to attack
• Social Engineering
• User names and passwords
• Web vulnerabilities
• Internal IT structure (software, servers, IP layout)
• Spearphishing
For the rest of you:
• Fun? Curiosity?
First things first
• Prior to attack, the best crackers do their homework.
• Often involves detailed and thorough reconnaissance before a single packet is sent out.
• This relates to the real world. Example of bank robbers:
  • Record times security guards enter/leave
  • Location of security cameras
  • Find out alarm system vendor
  • Find out vault manufacturer
  • Plan a getaway route
Many computer attackers, like bank robbers, investigate the target using PUBLIC information.
• Recon is not always technically intensive
• Yet often it is just as powerful, if not more so.
• This is the starting method of choice for the best hackers/crackers.
Low-Tech Recon
• Social Engineering
• Caller ID Spoofing
• Physical Break-In
• Dumpster Diving
Low Tech Recon: What's in it for them?
• Without even having to touch a computer, attackers can learn about:
  • Passwords
  • Access to detailed network architecture
  • System documentation
  • Other highly confidential information
Social Engineering
• Arguably the best hacking method available
• Exploits the weakness of the human element of Information Systems
• A skilled Social Engineer can achieve their goals without even touching a keyboard
Social Engineering
• Typical use: Attacker calls an employee at the target organization and dupes them into revealing sensitive information.
• Guess what? It works ALMOST ALL THE TIME
Social Engineering: The Process
• Attacker first develops a pretext for the phone call
  • Detailed scenario that will hopefully trick the victim
  • Involves the role the attacker will assume:
    • New employee, administrative assistant, manager, or system administrator
  • Reason for the call:
    • Getting the right contact name/number, a sensitive document, an existing password, or a new account set up
• The rest is improvised. Made up as needed to get the job done.
Social Engineering: Greatest Hits Collection 1
• A new employee calls the help desk trying to figure out how to perform a particular task on a computer
• An angry manager calls a lower-level employee because a password has suddenly stopped working
• A system administrator calls an employee to fix an account on the system, which requires his password
• An employee in the field has lost some important information and calls another employee to get the remote access phone number
Social Engineering: The In-House Voicemail Technique
• One of the greatest ways to execute social engineering.
• Pose as a new employee and call someone at the workplace to find the helpdesk number.
• Call the helpdesk and ask them for the number of the voicemail administrator.
• Still posing as the new employee, call the voicemail administrator and request voicemail service.
• If you're successful, you've got a new phone extension and a voicemail set up!
• Then, contact other employees, ask them for the information you need, and leave them a message to reply to you on your voicemail.
• Users often blindly trust anyone with a voicemail account on their system. This method is powerful.
Social Engineering: The Defense
• User training, user training, user training!
• They must be taught to guard sensitive information.
• Understand that passwords are like underwear:
  • You don't tell people what it is, you don't share it, you don't reveal it, and you certainly don't stick it on your monitor!
• If someone in "authority" calls, they should not be given sensitive information without identifying themselves.
• This is very difficult – but users must understand that attackers are oftentimes the nicest, most polite, smoothest-talking people of all. No one should be trusted over the phone.
Physical Break-In
• If an attacker can get physical access to a machine, there is usually nothing he can't eventually do.
• This must be prevented at all costs.
• Examples:
  • User walks away from a logged-in machine.
  • Attacker plugs directly into the network or connects wirelessly, sniffing traffic and bypassing external firewalls.
  • Attacker might swipe a CD/DVD, backup tape, or even a hard drive.
Physical Break-In: Methods
• Attacker might try to walk through an entrance with a group of employees on their way to work.
• When badge access is required, they try to piggy-back their way in, walking in right after legitimate users.
• If locked, just ask someone nicely. Oftentimes, people trust nice people and genuinely want to help.
Physical Break-In: Defenses
• Security badges should be issued, and every employee should be checked prior to entry. Every time.
  • Many companies have badges, but don't check every single employee.
• Don't let someone in who claims to have just "forgotten their badge that morning"
  • Though this can often make legitimate "forgetters" mad, this should be stressed.
• People who deny entry to those without badges, even if they are legitimate, should be commended for their denial.
  • This should be stressed with employee awareness programs.
Physical Break-In: Defenses
• Lock all computer room doors and wiring closets. Never unlock at any time, especially not for someone you don't know. Don't distribute the key.
• Create and even enforce search and seizure of all computer equipment and media inside company premises.
• Password protect BIOS and screen savers
• Use file system encryption, especially on traveling laptops, etc.
Dumpster Diving
• Involves looking through trash for sensitive information like:
  • Discarded paper, CDs, DVDs, floppy disks, tapes, hard drives
• You'd be surprised what can be found. Passwords on sticky notes, half ripped but readable, with food on them.
Dumpster Diving: Defense
• Shred all sensitive documents
  • Obviously this is subject to opinion of what is “sensitive”. Thus user awareness/training is important.
• Wipe drives, degauss, and even physically destroy if need be: This can be fun.
• Be careful with employee office moves. This is when lots of information is trashed.
  • Solution: Provide the employee a separate trash can and shred all of his trash, just to be secure.
High Tech Recon: Search The Fine Web (STFW)
• Recon's big gun: Google
• AKA: “Google Hacking”
• Adrian Lamo, a noted hacker, was once asked his favorite hacking tool
• Without blinking, he responded: "Google, hands down."
Google Hacking
• Good examples:
• site:abanktoattack.com filetype:xls ssn
  • What might this do?
  • What if the user takes this page offline?
    • Google's cache might (and probably does) still have it. The attacker is still dangerous.
  • Don't forget the Wayback Machine either.
    • www.archive.org
    • Stores cached copies of billions of web pages. You might still find what you're looking for here!
• site:abanktoattack.com inurl:phpinfo
  • How can this be useful?
Google Hacking
• Other useful tools:
  • Super useful cheatsheet:
  • FoundStone / McAfee SiteDigger 2.0
    • Searches Google’s cache to look for vulnerabilities, errors, config issues, etc.
    • This tool is amazing.
Google Hacking
• Other useful tools
  • Johnny Long, the "I hack stuff" guy, has a big list of great Google search terms.
    • Called the Google Hacking Database (GHDB) at: http://johnny.ihackstuff.com
    • Now: http://www.hackersforcharity.org/ghdb/
  • Also check out Wikto by Roelof Temmingh. This is similar to SiteDigger
    • http://www.sensepost.com/research/wikto
Google Hacking
• Google is working hard and fast to stop some of this with filters like:
  • SSN filters
  • Certain vulnerabilities
  • Worm propagation (previous worms have used Google to search for vulnerable machines online)
• Good books on Google Hacking:
  • Google Hacking for Penetration Testers (Syngress, 2004) by Johnny Long
  • Google Hacks (O'Reilly, 2004) by Tara Calishain and Rael Dornfest
Some cool results
• Google this: inurl:"ViewerFrame?Mode="
• Find some results and click on them. At the time of this document's writing, here are a few:
  • http://62.117.68.199:8055/ViewerFrame?Mode=Motion
Some cool results
• Google this: # Kickstart filetype:cfg
• Find some results and click on them. At the time of this document's writing, here are a few:
  • http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
• Dude, for real??!?!?!?!??!!!!!!!!!!!!?!?!
Some cool results
• Google this: mysql dump filetype:sql
• Find some results and click on them. At the time of this document's writing, here are a few:
  • http://mobisna.ist.psu.edu/download/mobisna_db.sql
• Dude, for real??!?!?!?!??!!!!!!!!!!!!?!?!
The Virtual Water Cooler: Newsgroups
• Newsgroups are very commonly used by employees to share information and ask questions.
• Newsgroups often reveal sensitive information:
  • How to configure a particular server or system
  • Problems with code/programming
  • Troubleshooting other various problems
• Sometimes, hackers pose as a good guy and give their victim bad advice to make their future attack easier
• http://groups.google.com – a massive archive of newsgroups
Searching the Victim's Own Website
• Many times a company website will give a lot of useful information:
  • Employee contact information, phone numbers, etc.
  • Clues about corporate culture and language
  • Business Partners
  • Recent mergers/acquisitions
  • Technologies in use
  • Open job postings
Defending Web-Based Recon
• Most importantly, teach employees what to post and not to post on the website
• If you have to, control ftp/sftp access to certain users only – they must approve all material uploaded
• For newsgroups: Have technical employees trained in not divulging unnecessary information
• Good idea: Use a non-corporate email address
Defending Web-Based Recon
• Robots.txt
  • Tells well-behaved search bots what NOT to search.
  • Keep in mind that for malicious bots, this tells them explicitly what to search!
  • noindex: Don't index the given page
  • nofollow: Don't follow links on the given page
  • noarchive: Bot may index, but not archive the page
  • nosnippet: Don't grab summary snippets on the webpage
  • Example: <meta name="robots" content="noindex,noarchive">
• But… this can be really dangerous!
  • Robots says DON’T index this!!!
  • Why not???
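The slide's warning in concrete form, as an added illustration that is not part of the original deck (the paths and file names are constructed): the weak robots.txt enumerates the very thing it is trying to hide, because the file is world-readable and advisory only. The corrected version names nothing sensitive; the directive moves onto the page itself, and the page sits behind authentication, since neither robots.txt nor a meta tag stops a client that chooses to ignore them.

```text
# --- robots.txt, WEAK: the "hidden" area is spelled out for anyone who reads the file
User-agent: *
Disallow: /internal/
Disallow: /internal/payroll-2012.xls

# --- robots.txt, CORRECTED: no sensitive path is listed here at all
User-agent: *
Disallow: /cgi-bin/

<!-- Placed in the <head> of each page that must stay out of the index and out of
     the cache. The URL never appears in a public list; the same directive can be
     sent as an HTTP header (X-Robots-Tag: noindex, noarchive) for non-HTML files.
     Access control on /internal/ is what actually keeps the data private. -->
<meta name="robots" content="noindex,noarchive">
```

The rule of thumb: robots.txt is for steering crawlers away from low-value URLs, not for protecting anything. If a URL would hurt you in an index, it should require a login, and the noindex directive is just a courtesy for the crawlers that obey it.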
Defending Web-Based Recon
• If you need Google to remove something:
  • http://support.google.com/webmasters/bin/answer.py?hl=en&answer=1663416
  • They promise to remove in 24 hours, but sometimes as soon as 1 hour!
• For non-Google sites: www.robotstxt.org
Let’s get personal…
• Cyberstalking & Anti-Social Networking
  • http://www.pipl.com
  • http://www.spokeo.com
  • http://www.peekyou.com
  • http://www.yoname.com
  • http://tineye.com - not necessarily useful here…
Whois: A Treasure Trove of Information
• Assignment of domain names
• IP Addresses
• Individual Contact information
Whois: A Treasure Trove of Information
• Now, attackers do searches based upon:
  • Domain names
  • NIC contact names/email
  • IP addresses
  • Telephone Numbers
  • Name Servers (useful to dig)
• One way to make it easier:
  • http://www.nirsoft.net/utils/whois_this_domain.html
  • http://www.nirsoft.net/utils/ipnetinfo.html
• Also, check this out, but it isn’t free:
  • http://www.domaintools.com/
Whois Defense
• Keep all registrar information up-to-date. If the current contact leaves the company, replace his info.
• If you choose, use an anonymous domain handler:
  • www.domainsbyproxy.com
Geo-Location
• http://www.nabber.org/projects/geotrace
DNS
• Quick review of DNS
• Record Types:
  • Address (A record)
    • This type of record maps a domain name to a specific IP address or vice versa
    • www 1D IN A 10.1.1.48
  • Host Information (HINFO record)
    • This record associates arbitrary information about the system with a domain name and historically was used to identify the OS the machine ran on.
    • www 1D IN HINFO Linux2.6
  • Mail Exchange (MX record)
    • This record identifies a mail system accepting mail for the given domain.
    • @ 1D IN MX 10 mail.website.com
  • Name Server (NS record)
    • This record identifies DNS servers associated with a given domain.
    • @ 1D IN NS ns1.website.com
  • Text (TXT record)
    • This record associates an arbitrary text string with the domain name.
    • Admin 1D IN TXT "Admin Workstation"
DNS
DNS Interrogation
• Attacker needs to determine one or more DNS servers of the target organization.
  • This is available from whois
• nslookup – a popular tool for obtaining DNS information
  • Usually a good first step in performing a zone transfer.
• Zone transfer is the transfer of a zone file, which contains all the information the server has about a given domain.
  • Zone transfers are used so that a secondary DNS server can obtain information from its primary DNS.
  • But attackers use this too.
  • If a zone transfer can be performed, a lot of information can be obtained!
DNS Interrogation
• A zone transfer will give server names, IP addresses, MX entries, and occasionally even more information.
• Unfortunately, on Linux nslookup no longer supports zone transfers, so use dig:
  • $ dig @10.1.1.34 website.com -t AXFR
• nmap -sL <IP_RANGE>
• http://serversniff.net/sshreport.php
  • Definitely give this a shot!
• Fierce: http://ha.ckers.org/fierce/
  • ./fierce.pl -dns irongeek.com
DNS Defense
• For starters, look at your zone file(s). Remove everything possible except:
  • Name servers
  • Mail servers
  • The IP/name mapping for the above
  • Anything other than the above is not needed – remove it.
• Restrict zone transfers with extreme prejudice.
  • Zone transfers are used to keep a secondary DNS in sync with its primary DNS. NO ONE else has any business with your zone transfer.
  • The DNS servers in the network should only allow zone transfers to each other – and absolutely no one else.
• Also, on the firewall(s) allow UDP port 53 to your DNS servers only.
  • TCP port 53 only for the allowed secondary DNS. (TCP is used for zone transfers, UDP for normal queries/responses)
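What "restrict zone transfers" looks like in a BIND 9 named.conf, as an added example that is not from the slides: the weak fragment and the corrected fragment are alternatives for the same zone, not one file. The IP addresses, the zone file path and the key secret are placeholders; generate a real secret with BIND's tsig-keygen.

```conf
// WEAK: any client that can reach TCP/53 may pull the entire zone.
zone "website.com" {
    type master;
    file "/etc/bind/db.website.com";      // placeholder path
    allow-transfer { any; };
};

// CORRECTED: deny transfers globally, then allow them for this zone only to
// requests signed with a TSIG key shared with the secondaries.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // placeholder, never commit a real one
};

options {
    allow-transfer { none; };      // default deny for every zone on this server
    recursion no;                  // an Internet-facing authoritative server should not recurse
};

zone "website.com" {
    type master;
    file "/etc/bind/db.website.com";      // placeholder path
    allow-transfer { key "xfer-key"; };   // address lists can be spoofed; the key cannot
    also-notify { 192.0.2.53; 198.51.100.53; };   // placeholder secondary addresses
};
```

Each secondary needs the same key block plus a `server <primary-ip> { keys { "xfer-key"; }; };` statement so that its AXFR/IXFR requests are signed. Once this is in place, a `dig @<your-ns> website.com -t AXFR` from any outside host should answer "Transfer failed." and nothing else, which is the check worth repeating against every secondary and tertiary, since that is where the slide notes transfers are most often left open. One caveat on the firewall rule above: modern resolvers also fall back to TCP/53 for responses too large for UDP (DNSSEC-signed answers in particular), so restricting transfers in named.conf is the reliable control and TCP/53 should generally stay reachable for ordinary queries.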
DNS Defense
• Unfortunately, many companies still allow zone transfers.
  • If not on the primary DNS, oftentimes it's allowed on the secondary/tertiary.
• Lastly, employ split DNS techniques.
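To make the record-type review and the "remove everything except name servers, mail servers and their addresses" rule concrete, here is an added example (not code from the slides): a small Python audit that parses a BIND-style zone file, keeps the NS and MX records plus the address records those names depend on, and flags everything else for review. The sample zone is constructed from the record shapes shown earlier (website.com, ns1, mail, www, the Admin TXT record) and is not a real domain's data; the `public_hosts` parameter is my addition, for names such as the public web server that must stay resolvable even though no NS/MX record points at them.

```python
"""Zone-file audit for the "publish only what outsiders need" rule.

Added example, not code from the original slides. Parses the simple
one-record-per-line subset of zone-file syntax and splits the records into
those the slide says to keep and those to review (HINFO, TXT, unreferenced hosts).
"""
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rtype rdata")

# Constructed sample zone (not a real domain's data), in the deck's record style.
SAMPLE_ZONE = """\
$ORIGIN website.com.
@       1D  IN  NS     ns1.website.com.
@       1D  IN  MX     10 mail.website.com.
ns1     1D  IN  A      10.1.1.53
mail    1D  IN  A      10.1.1.25
www     1D  IN  A      10.1.1.48
www     1D  IN  HINFO  "Linux" "2.6"        ; OS detail, useful only to an attacker
admin   1D  IN  A      10.1.1.99
admin   1D  IN  TXT    "Admin Workstation"  ; free-text leak
"""

ADDRESS_TYPES = {"A", "AAAA"}
ALWAYS_KEEP = {"SOA", "NS", "MX"}
REASONS = {
    "HINFO": "advertises hardware/OS details",
    "TXT": "free text that outsiders do not need",
}


def fqdn(name, origin):
    """Turn a relative owner/target name into an absolute one under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Parse $ORIGIN, ';' comments and records with an optional TTL column.

    Multi-line records in parentheses and ';' inside quoted strings are
    out of scope for this example.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):              # $TTL and friends are not records
            continue
        tokens = line.split()
        if "IN" not in tokens:
            raise ValueError(f"unsupported record line: {raw!r}")
        cls_idx = tokens.index("IN")
        ttl = tokens[1] if cls_idx == 2 else None
        rtype = tokens[cls_idx + 1].upper()
        rdata = " ".join(tokens[cls_idx + 2:])
        records.append(Record(fqdn(tokens[0], origin), ttl, rtype, rdata))
    return origin, records


def audit_zone(text, public_hosts=()):
    """Return (keep, review) lists of Records.

    public_hosts (hypothetical parameter, not from the slide) lists names
    that must stay resolvable from outside even though no NS/MX record
    points at them; the slide's rule alone would flag them.
    """
    origin, records = parse_zone(text)
    needed = {fqdn(h, origin) for h in public_hosts}
    for r in records:
        if r.rtype in ("NS", "MX"):
            needed.add(fqdn(r.rdata.split()[-1], origin))   # NS/MX target host
    keep, review = [], []
    for r in records:
        if r.rtype in ALWAYS_KEEP or (r.rtype in ADDRESS_TYPES and r.owner in needed):
            keep.append(r)
        else:
            review.append(r)
    return keep, review


def report(text, public_hosts=()):
    """One human-readable line per record that should be reviewed or removed."""
    _, review = audit_zone(text, public_hosts)
    return [
        f"REVIEW {r.owner} {r.rtype} {r.rdata}  "
        f"({REASONS.get(r.rtype, 'host not referenced by any NS/MX record')})"
        for r in review
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_ZONE, public_hosts=("www",)):
        print(line)
```

Run against the sample with `www` declared public, the audit keeps the NS, MX, ns1, mail and www address records and flags three: the HINFO record (OS details), the admin workstation's A record (nothing external references it) and its TXT record (free text). The point of the review list is that every remaining record should have someone who can say why an outsider needs it; an internal host that only employees resolve belongs in the split-DNS internal view, not in the Internet-facing zone.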
BackTrack
• Useful for all kinds of stuff – arguably the best hack tool out there
• Oftentimes, hackers claim it is sufficient to run a full-scale attack, end-to-end.
  • And they’re right.
• Email Harvesting
  • goog-mail.py <domain name> – pretty cool, you’ll have to try it out
  • Then, take those results and Google them! You’ll be amazed at what you might find.
• DNS Enumeration
  • dnsenum.pl <domain name>
Sam Spade
• Easy to use and very functional recon suite
• Capabilities:
  • Ping
  • Whois
  • IP block whois – finds out who owns a particular set of IPs by querying ARIN, RIPE NCC, APNIC, and LACNIC
  • Nslookup – convert domain names to IPs
  • DNS Zone Transfer – transfers all info it can about a given domain
  • Traceroute – returns a list of router hops in between you and the target
  • Finger – queries a UNIX system to determine its user list (finger is RARELY used these days)
  • SMTP VRFY – determine if a given email is valid on a target email server
  • Web browser – View raw HTTP, including headers. (Useful for attacking web applications)
  • Web crawler – Grabs the entire contents of a website and creates a local copy.
• Was at: www.samspade.org/ssw