Download Slide 1

BCIS 4630 Fundamentals of IT Security
ROAD TO EXPLOITATION
Dr. Andy Wu
Overview
• Network Scanning
– Host discovery
– OS fingerprinting
– Service discovery
• Network mapping/Host discovery
– DNS zone transfer
• Enumeration
– Null session
– User account info
2
Hacking Process
3
Early Stages of Hacking
• In this lab, we’ll introduce a few tools that are used
in the early stages of hacking.
• The aims are to:
–
–
–
–
Obtain some ideas about a network’s topology;
Locate potential targets;
Find out what OSes and services are running;
Look up user accounts, lock-out threshold, password
policies;
– Etc.
• These paves the road for the next stage of
attacking targets.
4
Reconnaissance
• Reconnaissance
– The act of locating targets and developing the
methods necessary to attack those targets
successfully.
– May be extremely flexible and creative.
• Reconnaissance is not by definition illegal.
– Many reconnaissance techniques are
completely legal.
5
Footprinting
• The act of uncovering and collecting as much
information as possible about a target network.
–
–
–
–
–
–
–
–
Domain name
IP address blocks
Organization websites
Company directory
Background info
News articles
Press releases
Etc.
6
Information Gathering
• Search for company’s information in major
search engines, e.g., Google, GoogleMaps,
Bing.
• Using web data extractors, e.g.,
webextractor.com.
• Website scraping, e.g., binarypool.com.
• People search websites, e.g., pipl.com.
• Social media sites.
• Reports filed with SEC.
7
Website Copier
• Tools are available to copy an entire
website for later analysis, e.g.,
– httrack.com
– surfoffline.com
– pagenest.com
– keepni.com
• Archive.org provides archived versions of
websites.
8
Social Engineering
• Social engineering works, for the most part,
because people have the innate tendency
to help and to avoid confrontation.
• The success or failure of social engineering
depends on the ability of hackers to
manipulate human psychology, contacts,
and physical workstations.
9
Dumpster Diving
• Dumpster diving is often the mother lode of
sensitive information as well as actual hardware
and software.
• Hackers look specifically for sales receipts and
paperwork that contain personal data or credit card
information
– Shredded documents can lead to data leaks.
– Drafts of letters are routinely left whole in the trash.
– Company directory sheets, catalog lists, unused or
misprinted labels, and policy manuals.
10
WHOIS Lookup
• WHOIS databases contain personal information of
domain owners.
• They are maintained by regional Internet registries:
–
–
–
–
–
AfriNIC (Africa)
ARIN (America)
APNIC (Asia Pacific)
LACNIC (Latin America)
RIPE NCC (Europe)
• tools.whois.net
11
DNS Records
• Domain name service database of a
network contains important information
about the network hosts, e.g.,
– A – Host
– MX – Mail server
– NS – Name server
– Cname – Canonical names (aliases)
– SOA – Authority of domain
12
DNS–Based Reconnaissance
• DNS Lookup
– Tools help Internet users discover the DNS names of
target computers.
– There are Web sites that provide DNS lookup tools.
• DNS Zone Transfer
– Zone transfer is a DNS feature that lets a DNS server
update its database with the list in another DNS server.
– An incorrectly configured DNS server may allow any
Internet user to perform a zone transfer.
– nslookup
13
Network Reconnaissance
• Network scanning is a technique that
discovers live hosts in the network.
• Port scanning allows you to find:
– IP addresses and open ports of live hosts
– Operating systems and system architecture
– Services running on hosts
14
Host Discovery
• ping
– Helps to verify whether a host is active.
– Command is available for all platforms.
– Part of ICMP and uses echo request and echo
reply messages.
• ping sweep
– Is used to determine the live hosts from a range of
IP addresses but sending ICMP echo requests to
multiple hosts.
15
Host Discovery
• traceroute (tracert on Windows)
– A packet from a host makes numerous “hops”
before it reaches the destination.
– Command can track all of the intermediate nodes.
– Uses the TTL field in the header to work.
• Nmap (Zenmap)
– Zenmap is the GUI front of nmap.
– Use nmap host discovery switch to perform
scanning for live hosts.
16
Nmap
• www.insecure.org
• A versatile tool whose functionalities
include:
– Host discovery
– OS fingerprinting
– Service discovery
17
Fyodor
18
Banner Grabbing
• Banner grabbing uses Telnet to connect to a port
on the remote target and observes the response
coming back from it.
• Different protocols (services) have distinctive
responses that can be used to verify the existence
of those services on the target.
– Attacker may be fooled by a honeypot or port emulator.
• Response may contain OS or service information
that may be used to determine the OS running on
the target.
19
“Self-Scanner”
• netstat
– Allows all the transmission Control Protocol
(TCP), User Datagram Protocol (UDP), and IP
connections on a computer to be viewed.
– Also helps to locate
• IP address of computers
• IP addresses of the hosts connected to the
computers
• Port of the host to which a computer is connected
20
Lab 2 Configuration
21
Target IP Addresses
• In this lab, we will scan and enumerate two
servers. Their IP addresses are
10.1.99.150 and 10.1.99.151.
• When you are told to enter those two IP
address, enter the entire four octets as
above.
• You do NOT have to change the fourth
octet to reflect your team number.
22
Tools Used in this Lab
• In this lab tools are selected only if they work in the realistic
scenario in which the attacker has no user account in the target
domain and his/her machine has not been joined to the domain
(i.e., he/she is not trusted in the domain).
• I exclude those tools that look cool in theory but work only
when the attacker machine is part of the domain (but how
would he/she get in, to begin with?).
• For this reason, net view wouldn’t work in the way as presented
on p. 170 of the textbook.
– It displays network shares only on a host that is a member of the
domain.
– On a non-member machine, you will get Error 5 – access denied.
• Similarly, DumpSec wouldn’t work and will encounter Error 5.
23
Nmap Switches
• Basic syntax
nmap [port range] [switch(es)] <target
IP address>
• Nmap switches are case-sensitive!
• By default, if no other switches are given,
Nmap performs host discovery and then
performs a SYN port scan.
24
Nmap Host Discovery
• To obtain a quick list of live hosts on the
network without scanning for open ports on
each, use the –sP (ping scan) switch.
• The syntax is:
nmap –sP <network ID>/mask
– Replace <network ID> with the real network ID.
It may be in the FQDN or resolved IP format.
– Use the CIDR notation for the mask.
25
OS Fingerprinting
• OS fingerprinting is the method to determine
the operating system running on a remote
target system.
• Passive OS fingerprinting use sniffers to
capture packets and analyze them for OS
information.
– For example, Windows and Linux systems pad the
ping packets differently. By looking in the data
portion for the padding characters, the attacker
can guess the type of OS.
26
OS Fingerprinting
• Active OS fingerprinting sends specially
crafted packets to the remote target and
analyze the response.
• The response are then compared with a
fingerprint database to determine the OS
running on the remote machine.
• Use OS fingerprinting switch in Nmap to
perform OS fingerprinting.
27
Nmap OS Fingerprinting
• Nmap may be used to fingerprint the OS
running on the target.
• The switch is –O.
28
Service Discovery
• Each network service is allocated a wellknown port number.
• If the service is running on the server, the port
must be open.
• The reverse is true too – if a port is found
open on the server, the attacker can deduce
that the server is running the service.
• The same goes for many registered ports that
are related to common applications, e.g., Port
3306 for MySQL.
29
Service Discovery
• The attacker then will look up whether there
are known vulnerabilities in the service.
Chances are, some vulnerabilities have been
found and reported, and often times, tools
have been created to take advantage of those
vulnerabilities.
• If the attacker runs those tools, he/she has a
good chance of compromising the target.
• Service discovery is a critical step in the
hacking process.
30
Nmap Switches
•
•
•
•
•
•
-sS SYN scan (default)
-sT Connect scan
-sN Null scan
-sX Xmas scan
-O OS fingerprinting
-sP Host discovery
• -p Port range
31
In Summary
• Port scanning allows you to find:
– IP addresses and open ports of live hosts
– Operating systems and system architecture
– Services running on hosts
32
DNS
• DNS Lookup
– Tools help Internet users discover the DNS names of
target computers.
– There are Web sites that provide DNS lookup tools.
• DNS Zone Transfer
– Zone transfer is a DNS feature that lets a DNS server
update its database with the list in another DNS server.
– An incorrectly configured DNS server may allow any
Internet user to perform a zone transfer.
33
NSLookup
• If a DNS server is mis-configured, it’s easy to
extract important host information stored in the
DNS database.
• You don’t even need a separate tool.
• NSLookup (name server lookup) is a
Windows native tool for resolving FQDNs to IP
addresses.
• To perform a zone transfer from a DNS
server, just run nslookup interactively and
issue the ls command.
34
Regular Name Resolution
• To lookup the IP address of a FQDN, the
command is nslookup <fqdn>
35
DNS Zone Transfer with NSLookup
•
•
•
To perform a zone transfer, first enter just the command nslookup (without
the FQDN argument).
Then enter the server command followed by the IP address of the DNS
server.
Finally, enter the listing command: ls –d <domain_name>
36
DNS Records
• Domain name service database of a
network contains important information
about the network hosts, e.g.,
– A: Host
– MX: Mail server
– NS: Name server
– Cname: Canonical names (aliases)
– SOA: Start of Authority of domain
37
Enumeration
• The process of finding user and group
accounts, machine names, network shares,
services, audit settings, etc. on a system.
• Scanning tells us what hosts are “live” and
running what services. With enumeration
the attacker tries to find out what accounts
or resources may be worth exploiting or
may be abused for attacking those hosts.
38
Typical Things to Enumerate
• User accounts
• Groups
– Names
– Members
• Access settings
– Logon hours
– Logon workstation restrictions
• Audit settings
• Service banners
39
Null Session
• Null session allows one to connect to the IPC
(interprocesses communication) shares on a
Windows machine without a username and
password.
• The IPC share is a “hidden share” – you don’t see
the share when you explore shared resources on a
computer in Windows Explorer. Hidden shares are
denoted by a $ sign at the end of the share name.
• Windows automatically shares each partition as a
hidden share – C$, D$, etc.
• There are other hidden shares, including IPC$.
40
Null Session
• Establishing a null session is necessary for many
enumeration tools to work.
• The syntax is
net use \\<hostname/IP>\IPC$ "" /u:"" or
net use \\<hostname/IP>\IPC$ "" /user:""
– Replace the <hostname/IP> part with the real host name
or IP address of the target.
– Everything else in the command must be typed exactly as
shown above.
– Notice there is no space between the double quotes.
– There is no space between the / and the u.
– There is no space between the colon and double quote.
41
Null Session
• Anonymous access to IPC$ has been made more
and more difficult with every upgrade in Windows
versions.
• A domain controller may ironically have less
restricted access to IPC$ because it needs to
provide services to hosts in the network.
• The access level is set by the registry key:
HKLM\SYSTEM\CurrentControlSet\Control\LSA\
RestrictAnonymous (0 – None; 1 – Does not allow
enumeration of SAM account and names; 2 – No
access).
42
Establishing a Null Session
43
User Accounts
• To obtain user account information on a
remote target, a variety of tools may be used:
– SuperScan
– Enum
– User2Sid
– UserInfo
– Winfingerprint
– Etc.
44
Enum
• This tool can retrieve a host of info about user
accounts, groups, policies, etc.
• The syntax is:
enum <switch(es)> <host name/IP>
– Replace <host name/IP> with the real host name or
IP address of the target machine.
• You don’t have to precede it with double back slashes.
– Some useful Enum switches:
• -P password policy information
• -U user accounts
• -G groups and membership
45
Security Identifier (SID)
• Internally, Windows OSes keep track of user
and group accounts using their unique SIDs,
not names.
• SIDs are never reused. You may delete a user
account and later create a new one with the
exact same username; but the two accounts
will have two different SIDs.
• An administrator account’s SID ends with 500
(the info in the FYI box on p. 167 is wrong!).
46
Security Identifier (SID)
• Some sources recommende that the built-in
administrator account be renamed and a
boggy administrator account be set up. Also,
the guest account should be disabled and/or
renamed.
• These measures are only effective against
less knowledgeable attackers.
• Tools such as user2sid can easily reveal
the true SID of accounts.
47
User2Sid
• This tools can find the SID of a user account
on a remote computer.
• The syntax is:
user2sid <host name/IP> <username>
– Replace <host name/IP> with the real host
name or IP address of the target machine.
• You don’t have to precede it with double back slashes.
– Replace <username> with the real target
username.
48
UserInfo
• This tool displays some useful information
about a user account.
• The syntax is:
userInfo <host name/IP> <username>
– Replace <host name/IP> with the real host
name or IP address of the target machine.
• You don’t have to precede it with double back slashes.
– Replace <username> with the real target
username.
49
WinFingerprint
50