Lecture 2 - Intelligence Gathering PDF

Title Lecture 2 - Intelligence Gathering
Course Ethical Hacking
Institution University of Wollongong

CSCI369 Ethical Hacking
Week 2 – Intelligence Gathering
Instructors: Dr. May El Barachi & Mr. Tamas Toth
Faculty of Engineering and Information Sciences


These slides are based on the lecture slides prepared by Dr. Joonsang Baek

Let us start with a proverb: "Know yourself, know your enemy, and you shall win a hundred battles without loss" -- General Sun Tzu

Introduction to Intelligence Gathering
• Intelligence gathering is the phase of ethical hacking in which a pentester locates information about a target that will be useful in later steps of the attack.
• Intelligence gathered about a target may refine the steps that come later.
• Anything that has the potential to be exploited should be sought.
• It is important to develop an "eye" for spotting useful information, but sheer "luck" can also work.


Introduction to Intelligence Gathering
• Terms
  - There are a few similar terms in the literature referring to intelligence gathering, such as information gathering and information reconnaissance. In this subject (CSCI369), we regard them as the same.
  - There is also the popular term "footprinting"; this usually refers to any attempt to find as many IP/hostname mappings related to a target as possible. It is a more specific term.


Consequences of Intelligence Gathering
• Reputation/business loss
  - If customers find that their information and/or other data is not properly secured, the reputation of the company will be eroded and the incident will cause customers to go elsewhere.
• Information leakage
  - Vital information such as project information, employee data, personal details, financial information, or any number of other items can be lost.


Consequences of Intelligence Gathering
• Privacy loss
  - If information that is supposed to be kept confidential is lost, legal repercussions as well as a loss of confidence can result.
• Corporate information
  - Information uncovered through the intelligence gathering process can be sold to competitors looking for details about their opponents.


Categorising the Types of Information to Be Gathered
• Technical information
  - Information regarding operating systems, networks and applications, IP addresses and/or IP address ranges, and device information. Additionally, information regarding webcams, alarm systems, mobile devices, etc.
• Administrative information
  - Organisational structure, corporate policies, hiring procedures, details of employees, phone directories, vendor information, etc.
• Physical details
  - Data about location and facilities.


Categorising Intelligence Gathering Methods
• Passive
  - Methods that do not engage the target. If the target is not engaged, little or no indication of an impending attack is given to the target.
• Active
  - Methods that do engage the target by, for example, making phone calls to the company, help desk, employees and/or other personnel. Care should be taken not to give the target an indication of the attack.


Categorising Intelligence Gathering Methods
• Open Source Intelligence (OSINT) gathering
  - Gathering intelligence from sources that are typically publicly available and open.
  - A kind of passive information gathering method.
  - The least aggressive method.


Gathering Intelligence about Domain
• Domain Name System (DNS)
  - DNS is used for resolving hostnames into IP addresses and vice versa. All internetworking applications require DNS to function.
  - DNS uses a hierarchical naming scheme: queries work top-down, beginning at the top of the DNS tree and working their way down.


DNS: domain name system
People have many identifiers: SSN, name, passport #.
Internet hosts and routers have:
  - an IP address (32 bit), used for addressing datagrams
  - a "name", e.g., www.yahoo.com, used by humans
Q: how to map between IP address and name, and vice versa?

Domain Name System:
  - distributed database implemented in a hierarchy of many name servers
  - application-layer protocol: hosts and name servers communicate to resolve names (address/name translation)
  - note: a core Internet function, implemented as an application-layer protocol; complexity at the network's "edge"

DNS: services, structure
DNS services:
  - hostname to IP address translation
  - host aliasing: canonical and alias names
  - mail server aliasing
  - load distribution: replicated Web servers, many IP addresses correspond to one name

Why not centralize DNS?
  - single point of failure
  - traffic volume
  - distant centralized database
  - maintenance
A: doesn't scale!

DNS: a distributed, hierarchical database
[Figure: tree of name servers. Root DNS servers at the top; below them the com, org and edu TLD DNS servers; below those the DNS servers of yahoo.com and amazon.com, of pbs.org, and of poly.edu and umass.edu.]

Client wants the IP for www.amazon.com; 1st approximation:
  - client queries a root server to find the com DNS server
  - client queries the .com DNS server to get the amazon.com DNS server
  - client queries the amazon.com DNS server to get the IP address for www.amazon.com

DNS: root name servers
  - contacted by a local name server that cannot resolve a name
  - root name server: contacts an authoritative name server if the name mapping is not known, gets the mapping, and returns the mapping to the local name server
13 root name "servers" worldwide:
  a. Verisign, Los Angeles CA (5 other sites)
  b. USC-ISI Marina del Rey, CA
  c. Cogent, Herndon, VA (5 other sites)
  d. U Maryland College Park, MD
  e. NASA Mt View, CA
  f. Internet Software C. Palo Alto, CA (and 48 other sites)
  g. US DoD Columbus, OH (5 other sites)
  h. ARL Aberdeen, MD
  i. Netnod, Stockholm (37 other sites)
  j. Verisign, Dulles VA (69 other sites)
  k. RIPE London (17 other sites)
  l. ICANN Los Angeles, CA (41 other sites)
  m. WIDE Tokyo (5 other sites)

TLD, authoritative servers
Top-level domain (TLD) servers:
  - responsible for com, org, net, edu, aero, jobs, museums, and all top-level country domains, e.g. uk, fr, ca, jp
  - Network Solutions maintains servers for the .com TLD
  - Educause for the .edu TLD
Authoritative DNS servers:
  - an organization's own DNS server(s), providing authoritative hostname to IP mappings for the organization's named hosts
  - can be maintained by the organization or a service provider

Local DNS name server
  - does not strictly belong to the hierarchy
  - each ISP (residential ISP, company, university) has one; also called the "default name server"
  - when a host makes a DNS query, the query is sent to its local DNS server
    - has a local cache of recent name-to-address translation pairs (but these may be out of date!)
    - acts as a proxy, forwarding the query into the hierarchy

DNS name resolution example: iterated query
Host at cis.poly.edu wants the IP address for gaia.cs.umass.edu.
Iterated query: the contacted server replies with the name of the server to contact: "I don't know this name, but ask this server."
[Figure: requesting host cis.poly.edu sends (1) to local DNS server dns.poly.edu; the local server asks the root DNS server (2) and gets a referral (3); asks the TLD DNS server (4) and gets a referral (5); asks the authoritative DNS server dns.cs.umass.edu (6) and gets the answer (7); then returns the answer to the requesting host (8).]

DNS name resolution example: recursive query
Recursive query: puts the burden of name resolution on the contacted name server. Heavy load at the upper levels of the hierarchy?
[Figure: requesting host cis.poly.edu sends (1) to local DNS server dns.poly.edu; the local server asks the root DNS server (2), which asks the TLD DNS server (3), which asks the authoritative DNS server dns.cs.umass.edu (4); the answer returns to the TLD server (5), to the root server (6), to the local server (7), and finally to the requesting host (8).]

DNS: caching, updating records
  - once (any) name server learns a mapping, it caches the mapping
    - cache entries time out (disappear) after some time (TTL)
    - TLD servers are typically cached in local name servers, thus root name servers are not often visited
  - cached entries may be out-of-date (best-effort name-to-address translation!)
    - if a named host changes its IP address, this may not be known Internet-wide until all TTLs expire
  - update/notify mechanisms: proposed IETF standard, RFC 2136

DNS records
DNS: distributed database storing resource records (RR)
RR format: (name, value, type, ttl)
  - type=A: name is a hostname, value is its IP address
  - type=NS: name is a domain (e.g., foo.com), value is the hostname of the authoritative name server for this domain
  - type=CNAME: name is an alias for some "canonical" (the real) name, value is the canonical name. Example: www.ibm.com is really servereast.backup2.ibm.com
  - type=MX: value is the name of the mail server associated with name

DNS protocol, messages
Query and reply messages both use the same message format.
Message header (each field 2 bytes):
  - identification: 16-bit # for the query; the reply to a query uses the same #
  - flags: query or reply; recursion desired; recursion available; reply is authoritative
Header layout:
  | identification  | flags            |
  | # questions     | # answer RRs     |
  | # authority RRs | # additional RRs |
Sections that follow the header:
  - questions (variable # of questions): name, type fields for a query
  - answers (variable # of RRs): RRs in response to the query
  - authority (variable # of RRs): records for authoritative servers
  - additional info (variable # of RRs): additional "helpful" info that may be used
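The header and section layout above maps directly onto bytes on the wire. The following parser is an added example, not code from the lecture or from any DNS library: it decodes the 12-byte header, the question section and the resource-record sections (including RFC 1035 name compression), builds a minimal query, and checks that a reply carries the same identification and question as the outstanding query, which is the check a resolver relies on before caching an answer. The sample reply bytes are constructed for the example (the address 145.36.25.127 is the example value used later in these slides).

```python
import struct

# Flag bits in the 16-bit flags field (RFC 1035 section 4.1.1)
QR_MASK = 0x8000    # 0 = query, 1 = reply
AA_MASK = 0x0400    # reply is authoritative
RD_MASK = 0x0100    # recursion desired
RA_MASK = 0x0080    # recursion available
RCODE_MASK = 0x000F

def read_name(msg, offset):
    """Decode a domain name at offset, following compression pointers.
    Returns (name, offset of the first byte after the name as written in the message)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                                 # empty root label ends the name
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_header(msg):
    """The 12-byte header: identification, flags and the four section counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "is_reply": bool(flags & QR_MASK),
            "authoritative": bool(flags & AA_MASK),
            "recursion_desired": bool(flags & RD_MASK),
            "recursion_available": bool(flags & RA_MASK),
            "rcode": flags & RCODE_MASK, "questions": qd,
            "answer_rrs": an, "authority_rrs": ns, "additional_rrs": ar}

def parse_questions(msg, offset, count):
    questions = []
    for _ in range(count):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions, offset

def parse_rrs(msg, offset, count):
    """Answer, authority and additional sections share one RR wire format."""
    rrs = []
    for _ in range(count):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A: dotted-quad address
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):                           # NS / CNAME: rdata is a name
            value, _ = read_name(msg, offset - rdlen)
        else:
            value = rdata.hex()
        rrs.append((name, value, rtype, ttl))          # the (name, value, type, ttl) tuple
    return rrs, offset

def parse_message(msg):
    header = parse_header(msg)
    questions, offset = parse_questions(msg, 12, header["questions"])
    answers, offset = parse_rrs(msg, offset, header["answer_rrs"])
    authority, offset = parse_rrs(msg, offset, header["authority_rrs"])
    additional, _ = parse_rrs(msg, offset, header["additional_rrs"])
    return header, questions, answers, authority, additional

def build_query(ident, name, qtype=1):
    """A minimal recursion-desired query with a single question."""
    header = struct.pack("!HHHHHH", ident, RD_MASK, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def reply_matches(query, reply):
    """Accept a reply only if it is a reply, carries the query's id and repeats its question."""
    q_hdr, q_qs, *_ = parse_message(query)
    r_hdr, r_qs, *_ = parse_message(reply)
    return r_hdr["is_reply"] and q_hdr["id"] == r_hdr["id"] and q_qs == r_qs

# Constructed reply (not a real capture): id 0x1a2b, flags QR|RD|RA, one question and one
# A answer whose owner name is a compression pointer (0xC00C) to the question name at offset 12.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([145, 36, 25, 127])
)
```

Because the identification is only 16 bits and the reply is accepted on id plus question alone, a resolver that does not also randomise its source port gives a poisoning attempt few bits to guess; that is the background to the "DNS poisoning" item on the later "Attacking DNS" slide.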

Inserting records into DNS
Example: new startup "Network Utopia"
  - register the name networkutopia.com at a DNS registrar (e.g., Network Solutions)
    - provide the names and IP addresses of the authoritative name servers (primary and secondary)
    - the registrar inserts two RRs into the .com TLD server:
      (networkutopia.com, dns1.networkutopia.com, NS)
      (dns1.networkutopia.com, 212.212.212.1, A)
  - create on the authoritative server a type A record for www.networkutopia.com and a type MX record for networkutopia.com

Attacking DNS
DDoS attacks
  - Bombard root servers with traffic
    - Not successful to date
    - Traffic filtering
    - Local DNS servers cache IPs of TLD servers, allowing root server bypass
  - Bombard TLD servers
    - Potentially more dangerous
Redirect attacks
  - Man-in-middle: intercept queries
  - DNS poisoning: send bogus replies to a DNS server, which caches them
Exploit DNS for DDoS
  - Send queries with a spoofed source address: the target's IP
  - Requires amplification
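The last item, "requires amplification", is what makes the abuse visible in a resolver's own logs: a spoofed-source reflection shows up as many small queries whose large responses are all sent "to" one address, usually from clients the resolver was never meant to serve. The following detection logic is an added example (not from the lecture) that runs over constructed log lines in an assumed format of "time client qname qtype query_bytes response_bytes"; the served network 192.0.2.0/24 and all addresses are made up.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample resolver log (not a real capture), one line per query handled:
# time client_ip qname qtype query_bytes response_bytes
SAMPLE_LOG = """\
10:00:01 198.51.100.7 isc.org ANY 40 3200
10:00:01 198.51.100.7 isc.org ANY 40 3200
10:00:02 198.51.100.7 isc.org ANY 40 3200
10:00:02 192.0.2.15 www.example.com A 33 49
10:00:03 192.0.2.16 mail.example.com MX 36 120
10:00:03 198.51.100.7 isc.org ANY 40 3200
"""

# Assumed: the only clients this resolver is supposed to recurse for.
SERVED_NETWORKS = [ip_network("192.0.2.0/24")]

def parse_log(text):
    records = []
    for line in text.splitlines():
        t, client, qname, qtype, qb, rb = line.split()
        records.append({"time": t, "client": client, "qname": qname, "qtype": qtype,
                        "query_bytes": int(qb), "response_bytes": int(rb)})
    return records

def amplification_ratio(rec):
    """Bytes sent to the client per byte received: the attacker's gain from reflection."""
    return rec["response_bytes"] / rec["query_bytes"]

def find_amplification_abuse(records, min_ratio=20.0, min_queries=3):
    """Clients that repeatedly receive large responses to small queries.
    With a spoofed source, the 'client' is the victim, so count per address."""
    per_client = defaultdict(int)
    for r in records:
        if amplification_ratio(r) >= min_ratio:
            per_client[r["client"]] += 1
    return {c: n for c, n in per_client.items() if n >= min_queries}

def find_external_clients(records):
    """Queries from outside the served networks: the resolver is open, the precondition for reflection."""
    outside = {r["client"] for r in records
               if not any(ip_address(r["client"]) in net for net in SERVED_NETWORKS)}
    return sorted(outside)

def report(text):
    records = parse_log(text)
    return {"amplified": find_amplification_abuse(records),
            "external": find_external_clients(records)}
```

The two checks are complementary: the ratio check finds the victim being flooded, while the served-network check finds the misconfiguration (an open resolver answering recursion for anyone) that lets the resolver be used as a reflector in the first place.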

Gathering Intelligence about Domain
  - In the hierarchy, three classes of DNS servers exist:
    - Root DNS servers: there are 13 root servers in the world.
    - Top-Level Domain (TLD) servers: responsible for top-level domains such as .com, .org, .net, .edu, .gov, .au, .uk, .ca, .kr, .jp, etc.
    - Authoritative DNS servers: the DNS servers of every organisation with publicly accessible hosts provide publicly available DNS records that map the names of hosts to IP addresses.


Gathering Intelligence about Domain
• DNS scenario
  1. A user makes a query for www.amazon.com (by typing the URL or clicking a link).
  2. The browser sends the DNS query to the local DNS server.
  3. The local DNS server queries the root servers to get a list of IP addresses for the TLD servers responsible for .com.
  4. The local DNS server then queries one of those TLD servers to get the IP address of the authoritative DNS server for amazon.com.
  5. The local DNS server queries the authoritative server to get the IP address of www.amazon.com, which is 54.230.135.118.


Gathering Intelligence about Domain
• DNS records
  - DNS servers store resource records (RRs).
  - An RR (resource record) is a four-tuple with the fields {Name, Value, Type, TTL}.
  - TTL is the "time to live" of the RR.
  - Name and Value depend on Type:
    - If Type = A, then Name is a hostname and Value is its IP address. Example: {www.example.com, 145.36.25.127, A, TTL}
    - If Type = NS, then Name is a domain and Value is the hostname of an authoritative DNS server that knows how to get the IP addresses of hostnames in that domain. Example: {earth.example.com, dns.example.com, NS, TTL}

Gathering Intelligence about Domain
• DNS records
  - Name and Value depend on Type (continued):
    - If Type = CNAME, then Value is the canonical hostname for the alias hostname Name. Example: {mars.example.com, www.example.com, CNAME, TTL}
    - If Type = MX, then Value is the canonical name of a mail server with the alias hostname Name. Example: {saturn.example.com, mail.example.com, MX, TTL}
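The DNS scenario, the four-tuple records above, the earlier caching slide and the "Network Utopia" registration example all describe one mechanism: a local DNS server walking root, TLD and authoritative servers with iterated queries and caching what it learns until the TTL expires. The simulation below is an added example written for these notes, not code from the lecture or from any resolver. Its zone data is constructed (server names such as root-server.example and all addresses except the 212.212.212.1 glue record reused from the registration slide are made up) and it uses an injectable clock so TTL expiry can be observed without waiting.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """A resource record as the four-tuple {Name, Value, Type, TTL} from the slides."""
    name: str
    value: str
    type: str
    ttl: int

# Constructed zone data (not real DNS data) for the three classes of server in the hierarchy.
SERVERS = {
    "root-server.example": [                     # root: refers .com queries to the TLD server
        RR("com", "com-tld.example", "NS", 172800),
        RR("com-tld.example", "192.0.2.1", "A", 172800),
    ],
    "com-tld.example": [                         # TLD: holds the two RRs the registrar inserted
        RR("networkutopia.com", "dns1.networkutopia.com", "NS", 172800),
        RR("dns1.networkutopia.com", "212.212.212.1", "A", 172800),
    ],
    "dns1.networkutopia.com": [                  # authoritative: the organisation's own records
        RR("www.networkutopia.com", "203.0.113.10", "A", 300),
        RR("networkutopia.com", "mail.networkutopia.com", "MX", 300),
        RR("mail.networkutopia.com", "203.0.113.25", "A", 300),
        RR("blog.networkutopia.com", "www.networkutopia.com", "CNAME", 300),
    ],
}

def ask(server, qname, qtype):
    """One iterated (non-recursive) query: an answer, a CNAME, a referral, or nothing."""
    records = SERVERS[server]
    direct = [r for r in records if r.name == qname and r.type == qtype]
    if direct:
        return "answer", direct
    cname = [r for r in records if r.name == qname and r.type == "CNAME"]
    if cname:
        return "cname", cname
    # "I don't know this name, but ask this server": refer to the NS of the longest matching zone
    for ns in sorted((r for r in records if r.type == "NS"), key=lambda r: -len(r.name)):
        if qname == ns.name or qname.endswith("." + ns.name):
            return "referral", [ns]
    return "nxdomain", []

class LocalResolver:
    """The local DNS server: walks the hierarchy top-down and caches until the TTL expires."""

    def __init__(self, root="root-server.example", clock=time.time):
        self.root = root
        self.clock = clock      # injectable clock so TTL expiry can be simulated
        self.cache = {}         # (name, type) -> (list of RR, expiry time)
        self.trace = []         # which servers were asked, for the reader

    def _cached(self, name, qtype, now):
        entry = self.cache.get((name, qtype))
        return entry[0] if entry and entry[1] > now else None

    def _start_server(self, qname, now):
        """Start at the deepest zone whose NS record is still cached, so the root is rarely visited."""
        best, best_len = self.root, -1
        for (zone, typ), (rrs, expiry) in self.cache.items():
            in_zone = qname == zone or qname.endswith("." + zone)
            if typ == "NS" and expiry > now and in_zone and len(zone) > best_len:
                best, best_len = rrs[0].value, len(zone)
        return best

    def resolve(self, qname, qtype="A", _depth=0):
        if _depth > 8:
            raise RuntimeError("CNAME chain too long")
        now = self.clock()
        hit = self._cached(qname, qtype, now)
        if hit is not None:
            self.trace.append(f"cache hit {qname} {qtype}")
            return [r.value for r in hit]
        server = self._start_server(qname, now)
        for _ in range(8):
            self.trace.append(f"ask {server} for {qname} {qtype}")
            kind, rrs = ask(server, qname, qtype)
            if kind == "answer":
                self.cache[(qname, qtype)] = (rrs, now + min(r.ttl for r in rrs))
                return [r.value for r in rrs]
            if kind == "cname":
                return self.resolve(rrs[0].value, qtype, _depth + 1)
            if kind == "referral":
                ns = rrs[0]
                self.cache[(ns.name, "NS")] = (rrs, now + ns.ttl)
                server = ns.value   # a real resolver would use the glue A record to reach it
                continue
            return []
        raise RuntimeError("too many referrals")
```

Reading the trace after two lookups shows the behaviour the caching slide describes: the first lookup visits root, TLD and authoritative servers; a repeat within the TTL is a cache hit; after the A record's 300 s TTL has passed, the resolver re-asks only the authoritative server because the NS referrals (TTL 172800 s) are still cached.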


Gathering Intelligence about Domain
• Managing DNS
  - ICANN (Internet Corporation for Assigned Names and Numbers): the authority for domain name assignments.
  - Thousands of domain name registrars have been accredited by ICANN to sell domain names and make this information available.
  - The decentralized nature of domain name registration means there is no single location for obtaining information about a given domain.
  - After purchasing a domain name, the owner of the authoritative domain can create as many subdomains as desired, whether they are actual subdomains or individual hosts.


Gathering Intelligence about Domain
• Caution about interpreting DNS entries
  - DNS is largely unregulated and may provide inconsistent data. Fake entries, incorrect entries and entries that point to hosts that cannot be reached from the Internet may all be found.
  - It is important to verify findings from DNS searches.
  - Usually DNS servers closer to the target domain are more likely to have up-to-date and accurate information. Some ISPs give less access to requests coming from remote IP addresses, so changing location can improve results.


Gathering Intelligence about Domain
• nslookup
  - The easiest tool to determine the IP address for a hostname.
  - Windows, Unix and macOS all have an nslookup client.
  - A tool for sending a DNS query directly from your host to any DNS server, regardless of whether it is a root, TLD or authoritative server.
  - Example: try nslookup www.uow.edu.au
  - Reverse DNS is also possible: try nslookup 130.130.215.2


Gathering Intelligence about Domain
• whois
  - A protocol for querying the owner of a domain name or IP network.
  - Information returned by WHOIS includes details about the owner, such as email addresses, contact numbers, street addresses, etc.
  - As WHOIS servers exist all over the Internet and are administered by different organizations, the quality of the results may vary.
  - All WHOIS services have mechanisms in place to prevent data mining. This is intended to prevent collection of data for spam, but it also limits the usefulness of WHOIS for intelligence gathering.
  - Example: on Linux, run whois uow.edu.au

Gathering Intelligence about Domain
• Website that provides a whois service
  - http://whois.domaintools.com
  - Easier to navigate and view the information provided by whois.
  - Sometimes more information can be found.


Gathering Intelligence about Domain
• Netcraft
  - A website that provides comprehensive information about the technologies a domain uses.
  - URL: http://toolbar.netcraft.com/site_report
  - In fact, Netcraft will provide almost all the information whois can provide.
  - It provides information about the web hosting company, hosting history, type of web server, whether it sends spam, server-side and client-side technologies, web applications used, etc. (many more!)
  - All of the above information can be used to find vulnerabilities of the target.


Gathering Intelligence about Domain
• Netcraft example
  - As an example, query www.howtogeek.com on Netcraft.
  - You can see this site is using WordPress as blog software.
  - Then go to www.exploit-db.com and search for wordpress.
  - A long list of exploitable vulnerabilities exists!


Gathering Intelligence about Subdomains
• Finding subdomains
  - Subdomain: a domain which is part of a larger domain.
  - Example: uow.edu.au has subdomains media.uow.edu.au, eis.uow.edu.au, etc.
• Reasons for having subdomains
  - To organise content more effectively by giving different divisions or departments their own subsite that they can control and manage.
  - Or companies may want to "hide" content on subdomain sites, for example beta.facebook.com.


Gathering Intelligence about Subdomains
  - A few web tools for searching for subdomains exist:
    - https://searchdns.netcraft.com/
    - https://pentest-tools.com/information-gathering/find-subdomains-of-domain (more effective)


Gathering Intelligence about Network Topology
• traceroute (tracert on Windows)
  - A tool that can help determine network topology.
  - It shows the path a packet takes as it travels from the source to the destination.
  - Importantly, it gives information about the routers between the source and destination.
  - After running traceroute to several systems on their network, one can start drawing a network diagram.
  - More information at www.traceroute.org
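"Drawing a network diagram" from several traceroute runs is a merge of hop lists into one graph. The script below is an added example, not from the lecture or from the traceroute tool: it parses the Linux traceroute text format, treats a hop that answered only "* * *" as an unknown device, merges the paths into an adjacency list, and lists the routers shared by several paths, which is where a border or core router of the measured network usually sits. All three traces are constructed for the example, with made-up hostnames and documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed traceroute outputs (not real captures) to three hosts of one hypothetical network.
TRACES = {
    "203.0.113.10": """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  0.412 ms  0.380 ms  0.361 ms
 2  198.51.100.1 (198.51.100.1)  8.120 ms  8.002 ms  7.991 ms
 3  border.target.example (203.0.113.1)  15.30 ms  15.21 ms  15.18 ms
 4  203.0.113.10 (203.0.113.10)  15.90 ms  15.88 ms  15.85 ms
""",
    "203.0.113.25": """\
traceroute to 203.0.113.25 (203.0.113.25), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  0.401 ms  0.377 ms  0.359 ms
 2  198.51.100.1 (198.51.100.1)  8.110 ms  8.005 ms  7.990 ms
 3  border.target.example (203.0.113.1)  15.32 ms  15.22 ms  15.19 ms
 4  * * *
 5  203.0.113.25 (203.0.113.25)  16.40 ms  16.31 ms  16.29 ms
""",
    "203.0.113.130": """\
traceroute to 203.0.113.130 (203.0.113.130), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  0.399 ms  0.370 ms  0.350 ms
 2  198.51.100.1 (198.51.100.1)  8.100 ms  8.001 ms  7.995 ms
 3  border.target.example (203.0.113.1)  15.31 ms  15.20 ms  15.17 ms
 4  core2.target.example (203.0.113.129)  15.95 ms  15.91 ms  15.88 ms
 5  203.0.113.130 (203.0.113.130)  16.50 ms  16.41 ms  16.39 ms
""",
}

# A hop line: hop number, then either "hostname (ip)" or "*" for no reply.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)|\*)")

def parse_traceroute(text):
    """Return the hop IPs in order; a hop that answered only '* * *' becomes None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:                       # the header line does not match and is skipped
            hops.append(m.group(3))
    return hops

def build_topology(traces):
    """Merge hop lists into a directed graph of consecutive responding hops,
    remembering which destinations each router was seen on the way to."""
    edges = defaultdict(set)
    seen_in = defaultdict(set)
    for dest, text in traces.items():
        hops = [h for h in parse_traceroute(text) if h is not None]
        for a, b in zip(hops, hops[1:]):
            edges[a].add(b)         # a silent hop makes this edge span an unseen device
        for h in hops[:-1]:
            seen_in[h].add(dest)
    return edges, seen_in

def shared_routers(seen_in, min_paths=2):
    """Routers on the path to several targets: candidates for the network's border/core devices."""
    return sorted(ip for ip, dests in seen_in.items() if len(dests) >= min_paths)

def render(edges):
    """Text form of the diagram, one router per line with its next hops."""
    return "\n".join(f"{a} -> {', '.join(sorted(bs))}" for a, bs in sorted(edges.items()))
```

The silent hop in the second trace is the caveat to remember when reading such a diagram: the edge from 203.0.113.1 to 203.0.113.25 hides at least one device that dropped or rate-limited the probes, so the merged graph is a hypothesis to confirm with more traces rather than a finished map.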


Gathering Intelligence from Website
• What can be found
  - People (personnel)
  - Email addresses
  - Physical addresses
  - Job postings leaking information
  - Product, project and service information

