Ethical Hacking and Penetration Testing-Week 3 PDF

Title Ethical Hacking and Penetration Testing-Week 3
Author Geo Qujad
Course Ethical Hacking and Penetration Testing
Institution Colorado State University - Global Campus

Ethical Hacking and Penetration Testing Week 3: Footprinting, Port Scanning, and Systems Reconnaissance

In week 3, you will learn about system reconnaissance techniques. Footprinting is the process of identifying and locating targets to gain sufficient intelligence to develop the methods necessary to attack the target successfully. Generally, the information a penetration tester uses is the same regardless of the type of penetration testing performed. Critical information the penetration tester would be looking for includes:

- The physical location of the targets
- Any data about the physical location
- Organizational policies
- Operating systems in use
- Network infrastructure
- Hardware configuration
- Available services/ports
- Employee directories
- Staffing hierarchy
- Internal newsletters
- Any other information published about the organization

This type of information permits the penetration tester to identify potential security weaknesses/vulnerabilities and the possible ways in which to conduct an attack. There are three critical elements of this process that we will be examining this week: footprinting, port scanning, and system reconnaissance. Footprinting is often considered the first phase of an attack. It is the process of “passively” gaining information about the intended target. It is essential that this step occurs in a manner that does not alert the target to a potential attack. Port scanning takes place after the initial footprinting and reconnaissance. Port scanning is designed to find openings in the target organization’s network infrastructure that might provide the attacker access to network resources.

Learning Outcomes

1. Identify common information-gathering tools and techniques.
2. Analyze how port scanning and fingerprinting are used by hackers.
3. Describe common methods used to exploit insecure applications.
4. Compare active and passive operating system (OS) fingerprinting.
5. Explain common network mapping techniques.

1. Footprinting and Reconnaissance

In times of war, the parties in conflict spend extensive time and resources studying their opponent. Similarly, hackers spend time footprinting, which is investigating the organizations they wish to attack to identify weaknesses. Hacking and penetration testing involve quite a bit of reconnaissance. Before an attack occurs, it is vital to gather background information on the organization that will be the subject of the test or the attack. Footprinting, the first phase of the hacking process, “is specifically designed to gain information about a target passively. If done correctly and patiently, it is possible for skilled attackers to gain valuable information about their intended target without alerting the victim to the impending attack. It's surprising what information is obtainable during this phase: network range, equipment/technologies in use, financial information, locations, physical assets, and employee names and titles” (Oriyano & Gregg, 2014, p. 108).

Remember that footprinting acquires information from a potential target through public sources; therefore, the targeted organization is unaware of footprinting activities. The most basic and straightforward way to acquire information is from the WHOIS database, which contains domain registry and DNS information.

[Figure: Sample WHOIS Lookup]

Overall, footprinting represents an excellent method to gather preliminary information regarding a potential target organization.

2. Social Networking in the Context of Footprinting

We hear much about popular social networking sites such as Facebook, LinkedIn, Twitter, Instagram, etc., and an increasing number of people are becoming participants. The use of social networking sites has exploded over recent years, and their accessibility by mobile devices, such as smartphones and tablets, has made social networking an important aspect of people’s lives. Individuals load large amounts of information onto social media sites. It is understandable that hackers would seek to leverage this outlet to gather information about individuals and organizations they would like to target. Some common social media scams include:

- “Secret” celeb gossip
- “Please send money”
- “Test your IQ”
- “Tweet for cash!”
- Fake login screens
- Fake Facebook groups
- False news articles
- Charity solicitations
- Sexual solicitation
- Amber alerts

3. Understanding Port Scanning

The term scanning applies to network scanning, port scanning, and probing. Historically, the term port scanning is defined as a process that primarily takes place shortly after the surveillance or information-gathering phase of a hacking attempt or penetration test. Scanning is the process of finding openings in the target organization, such as wireless access points, Internet gateways, available systems, vulnerability lists, and listening ports. Probing is an attempt to discover information about the hosts on the network. Probing occurs by looking for open ports on available host computers. For a computer to offer or use services on the network, it must first have an open port. Web servers typically use port 80, while FTP servers use port 21. An attacker can find out what services are running on a computer by discovering which ports that computer has opened. Remember that port scanning is active reconnaissance, as opposed to the passive reconnaissance of footprinting. It is worth keeping in mind that the target system may observe you as you conduct active reconnaissance. Scanning can be considered a logical extension (and overlap) of active reconnaissance, since the attacker uses details gathered during reconnaissance to identify specific vulnerabilities. Often attackers use automated tools, such as network/host scanners and war dialers, to locate systems and attempt to discover weaknesses. The following figure shows how the Nmap tool can be used to scan for open ports. Take note of the open ports found for this sample IP address.

[Figure: Nmap port scan output, http://www.petri.co.il/images/nmap-portscanning-08.JPG]

Port scanning continues to be an effective and straightforward way to detect anomalies and openings from your internal network to the outside world. Using the Linux-based Nmap utility helps hackers determine both the operating system and version of a system detected through the firewall, and also which ports are open and what typical applications are behind those open ports. Nmap and port scanning are an excellent place to start when beginning your penetration testing process. These provide an overview of your networks, with pointers regarding where to look for weaknesses.

4. Mapping the Network Environment

Mapping the network environment is an essential step in the hacking/penetration testing process. It allows the hacker to better understand how the network is composed and what types of device might exist on the network. The following screenshot illustrates a simple ping command:

[Figure: ping command output, http://0.tqn.com/d/compnetworking/1/0/X/c/command-window-ping-web_site.png]

Mapping the network is typically done using a ping sweep utility that pings a range of IP addresses. The purpose of this mapping is to find which hosts are currently live on the network; the ping sweep identifies viable targets. Once the IP addresses of viable hosts are known, the attacker can begin to probe those hosts to gather additional information, such as the OS or applications running on them. An attacker follows a particular sequence of steps to scan any network, and the scanning methods may differ based on the attack objectives, which are set before the attacker begins this process. The more open ports there are, the more potential there is for someone to exploit the services running on the host computer. Once the attacker knows which ports are open, he or she can use this information to discover the OS and the application servicing each port. The purpose of scanning and probing is to find weaknesses on the network. Intruders know the vulnerabilities of specific OSs and the applications they run. The intruder increases his or her chance of succeeding by finding the weakest point on the network and, later, attacking that vulnerability. The attacker continues to discover information about the network until he or she has a complete map of the hosts, servers, and weaknesses to exploit in the future. Remember that, without permission, probing or scanning a network that is not your own may be illegal.
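Sections 3 and 4 note that port scans and ping sweeps are active reconnaissance that the target system may observe. As an added defender-side example, not part of the course notes, the following Python script flags both in constructed, simplified iptables-style firewall records; the record format, the 60-second sliding window and the two thresholds are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
                     r"(?: DPT=(?P<dpt>\d+))?(?: TYPE=(?P<itype>\d+))?")
WINDOW = timedelta(seconds=60)   # sliding window per source address (assumed)
SCAN_PORTS = 10                  # distinct ports on one host within WINDOW -> port scan
SWEEP_HOSTS = 5                  # distinct hosts sent ICMP echo requests -> ping sweep

def parse(lines):
    """Parse records into (time, src, dst, proto, dport, icmp_type) tuples sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:   # lines that are not firewall records are skipped
            d = m.groupdict()
            events.append((datetime.fromisoformat(d["ts"]), d["src"], d["dst"],
                           d["proto"], d["dpt"], d["itype"]))
    return sorted(events, key=lambda e: e[0])

def detect(lines):
    """Return {"port_scan": {src: {dst: ports_seen}}, "ping_sweep": {src: hosts_seen}}."""
    events = parse(lines)
    found = {"port_scan": {}, "ping_sweep": {}}
    for i, (t, src, *_) in enumerate(events):
        ports, hosts = {}, set()   # dst -> distinct ports; hosts that got echo requests
        for t2, src2, dst2, proto2, dpt2, itype2 in events[:i + 1]:
            if src2 != src or t - t2 > WINDOW:
                continue   # only this source's events inside the window count
            if proto2 in ("TCP", "UDP") and dpt2:
                ports.setdefault(dst2, set()).add(dpt2)
            elif proto2 == "ICMP" and itype2 == "8":
                hosts.add(dst2)
        for dst, seen in ports.items():
            if len(seen) >= SCAN_PORTS:
                hit = found["port_scan"].setdefault(src, {})
                hit[dst] = max(hit.get(dst, 0), len(seen))
        if len(hosts) >= SWEEP_HOSTS:
            found["ping_sweep"][src] = max(found["ping_sweep"].get(src, 0), len(hosts))
    return found

def sample_log():
    """Constructed sample records (not real logs): a port scanner, a ping sweeper, a benign client."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    spec = [(i, "203.0.113.5", "192.0.2.10", f"TCP DPT={21 + i}") for i in range(12)]  # 12 ports
    spec += [(30 + i, "198.51.100.7", f"192.0.2.{i + 1}", "ICMP TYPE=8") for i in range(6)]  # 6 hosts
    spec += [(60 * i, "192.0.2.50", "198.51.100.20", "TCP DPT=443") for i in range(3)]  # benign
    return [f"{(base + timedelta(seconds=s)).isoformat()} SRC={src} DST={dst} PROTO={tail}"
            for s, src, dst, tail in spec]
```

Running `detect(sample_log())` reports the scanner's 12 ports against one host and the sweeper's 6 pinged hosts, while the client that repeatedly connects to a single port is not flagged.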

References

Oriyano, S. P., & Gregg, M. C. (2014). Hacker techniques, tools, and incident handling (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
