Computer Science Innovations, LLC Cybersecurity
Fingerprinting
So, we have a file at the top level of a Web site. It is called robots.txt. It specifies where to find content and what content to avoid. What can this tell us from a fingerprinting perspective? It tells us the stuff we wish to protect.
Fingerprinting Perspective
www.walmart.com
www.schwans.com
Take down the robots.txt.
Take down the sitemaps.
Try to take down the disallows.
Use wget …
Lab: Fingerprint Web Server
Use wget.
Use wget www.walmart.com/robots.txt
Use more robots.txt
Use wget <sitemap files>
Use more <sitemap files>
Use www.schwans.file
Try to wget disallowed files.
What Did We Learn?
What can we do with robots.txt from a fingerprint perspective? It is part of the directory structure. It shows you what they do not want to share.
Why does wget not pull disallowed information? Hint: man wget. It adheres to the robots.txt protocol.
How could we get disallowed information? What type of licensing does wget have? Open source. We can get the source, change it and go after the disallow.
Web Site Fingerprinting Best Practices:
1) Use robots.txt for things you want found by a search engine and disallow for things you do not want found.
2) Use a tool (if you are a penetration tester) to work around the disallow in robots.txt. Remember disallow is a protocol.
3) Use security in the web server to protect sensitive files.
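Best practice 3 only works if you know which paths your own robots.txt is advertising. The added example below (my code, not the course's) parses the file format the slides describe and lists every Disallow path and Sitemap it discloses, so the same file can be checked against the web server's access controls; the sample robots.txt is constructed.

```python
"""Audit what a robots.txt discloses. Added example; not course code."""
import re
# Constructed sample; not taken from any real site.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/   # comment after a rule is dropped by the parser
Allow: /public/

User-agent: Googlebot
Disallow: /internal-reports/
Sitemap: https://www.example.com/sitemap.xml
Sitemap: https://www.example.com/sitemap-products.xml
"""


def parse_robots(text):
    """Return (rules, sitemaps): rules maps each user-agent token (lower-
    cased) to its 'disallow'/'allow' lists; Sitemap lines are file-wide."""
    rules, sitemaps = {}, []
    current, last_was_agent = [], False     # agents the next rules apply to
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; skip blanks
        m = re.match(r"([A-Za-z-]+)\s*:\s*(.*)", line) if line else None
        if not m:
            continue
        field, value = m.group(1).lower(), m.group(2).strip()
        if field == "user-agent":
            if not last_was_agent:           # first agent line of a new group
                current = []
            current.append(value.lower())
            rules.setdefault(value.lower(), {"disallow": [], "allow": []})
        elif field in ("disallow", "allow") and current and value:
            for agent in current:            # an empty Disallow allows all
                rules[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
        last_was_agent = field == "user-agent"
    return rules, sitemaps


def disclosed_paths(text):
    """Every path the file advertises as off-limits, across all agents;
    each should be protected by the web server, not merely hidden."""
    seen = []
    for agent in parse_robots(text)[0].values():
        for path in agent["disallow"]:
            if path not in seen:
                seen.append(path)
    return seen
```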
Network 101
Typically three types of networks: A, B, C. They differ by their netmask.
A: netmask 255.0.0.0
B: netmask 255.255.0.0
C: netmask 255.255.255.0
So how does this work?
OSI Networking Model
Application --- applications running on top, e.g. ssh
Presentation --- map data between representations
Session --- support a conversation
Transport --- put stuff in order, end to end
Network --- communicate with routing
Data Link --- communicate without routing
Physical --- cable
Data Link Layer
Data link: no routing.
[Slide figure: two hosts on the same link, Scott and Brian]
Command to See Network
ifconfig -a
Scott: inet addr:10.10.10.234 Bcast:10.10.10.255 Mask:255.255.255.0
Brian: ….. 10.10.10.231... Netmask 255.255.255.0
What does that mean?
Netmask
• 255.255.255.0
• Class C network.
• Only route if you differ by more than the last octet.
• 10.10.10.234
• 10.10.10.231
• No routing necessary. They only differ where the netmask is 0, therefore it is resolved at the data link layer, MAC/IP. The conversion between MAC and IP is data link.
More Netmask
• 255.255.0.0 is a B network: only route if the addresses differ in the left-most two octets.
• 192.168.1.2 and 192.168.2.3. Routing? No. Why? The only octet that differs is one where the netmask bits are 0, not where they are 1111s.
• 255.0.0.0 is an A network. 10.0.1.7 and 10.1.1.7: does it require routing? They only differ where the netmask is 0.
Netmask Concluded
• Class C network
• Netmask 255.255.255.0
• What is that in hex? FF.FF.FF.00
• What is that in binary? 11111111.11111111.11111111.00000000
So on a Class C network one computer is 192.168.1.10 and one is 192.168.1.12. Need routing?
Netmask Lab
• Class C network, 255.255.255.0: 192.168.1.10 and 192.168.0.11. Need routing? Yes, they differ in the third octet.
• Class A network, 255.0.0.0: 10.11.1.1 and 10.10.1.1. Need routing? No.
• 220.127.116.11 and 10.10.1.2. Need routing? Yes.
• Question: a router at 192.168.1.1, who makes it? Cisco. A router at 192.168.0.1, who makes it? D-Link or Netgear.
A Little Further in the Network
• Find the router.
• Unix command: netstat -rn

scott@kitchen:~$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr c8:0a:a9:b5:9d:db
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.252.0
scott@kitchen:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
DHCP
• Dynamic Host Configuration Protocol
• Machine comes up and looks for a DHCP server.
• Gets an IP address, netmask and DNS.
• What vulnerability do we have here?
DHCP - Vulnerability
• Get on the network and put your own DHCP server up.
• The DNS server it gives or serves up is yours.
• And it routes to spoofed web sites.
• Why does this work?
• Because the client takes the first DHCP server that answers. The one that responds first will be the one closest to the computer asking. Unless you have an intrusion detection system, you will get away with this.
• An intrusion detection system at the network layer would find this.
• Part of a penetration test.
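The slide says an intrusion detection system at the network layer would catch a rogue DHCP server. The added example below (my code, not the course's) is the core of such a check: it decodes the option list of a DHCP OFFER and flags any offer whose server identifier (option 54) or DNS list (option 6) is not the one the network operator runs. The packets are constructed in the block; the authorized addresses are assumptions.

```python
"""Flag DHCP OFFERs from a server we do not run. A rogue server wins by
answering first; a sensor watching the offers only cares who answered.
Added example; not course code. Packets below are constructed."""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # cookie that precedes the DHCP options
OFFER = 2                     # option 53 value for DHCPOFFER


def build_offer(server_id, router, dns_list, your_ip):
    """Constructed BOOTREPLY carrying the options a rogue server would set."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4,
                      socket.inet_aton(your_ip), socket.inet_aton(server_id), b"\0" * 4)
    hdr += b"\0" * (236 - len(hdr))             # chaddr, sname, file zeroed
    dns = b"".join(socket.inet_aton(d) for d in dns_list)
    opts = (bytes([53, 1, OFFER]) + bytes([54, 4]) + socket.inet_aton(server_id)
            + bytes([3, 4]) + socket.inet_aton(router)
            + bytes([6, len(dns)]) + dns + b"\xff")
    return hdr + MAGIC + opts


def parse_options(packet):
    """Walk the TLV option list after the cookie -> {code: raw bytes}."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:  # 255 = end option
        if packet[i] == 0:                         # 0 = single-byte pad
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def quads(data):
    return [socket.inet_ntoa(data[k:k + 4]) for k in range(0, len(data), 4)]


def check_offer(packet, authorized_servers, expected_dns):
    """Return findings for one OFFER; an empty list means it looks legitimate."""
    opts = parse_options(packet)
    if opts.get(53) != bytes([OFFER]):
        return []                                  # not an OFFER, ignore
    server = socket.inet_ntoa(opts[54])            # option 54: server identifier
    findings = []
    if server not in authorized_servers:
        findings.append(f"unauthorized DHCP server {server}")
    for dns in quads(opts.get(6, b"")):            # option 6: DNS servers
        if dns not in expected_dns:
            findings.append(f"unexpected DNS {dns} offered by {server}")
    return findings
```

A real sensor feeds check_offer with OFFERs captured from the broadcast domain (UDP source port 67); the same walk over options also recovers the router (option 3) a rogue server hands out.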
What About DNS?
• Domain Name Service. Maps names to IP addresses.
• It is given to us by DHCP.
• Unix: where do we find it? more /etc/resolv.conf

scott@kitchen:~$ more /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.1
On My Network
• 192.168.1.1 is the DNS server and the router.
• Netmask is 255.255.252.0.
• It is Cisco-like????
• That is what we found out.
• To do on Windows: ipconfig /all
Lab.... Tell me what you have on your Windows box?
Conventions
• Class C 255.255.255.0, generally 192.168.x.x.
• Class A (bigger network), generally 10.x.x.x.
• Gateway … generally whatever network you are working with, ending in .1. The DHCP server is generally the gateway.
What is DHCP?
• Dynamic Host Configuration Protocol
• Turn on a computer; get the IP address, DNS server, router, and any routes.
• Broadcasts for it.
• In other words, it comes up and says "who is my DHCP?" First one wins.
What is wrong with our Network, via Conventions?
• C network: why netmask 255.255.255.0?
• IP address starts with 10, which is an A network. Should start with ???? 192.168.
• Router ends in .254. What does it typically end in? .1
Review Fingerprinting
• Why do we fingerprint? To learn about the system. If you are an adversary, you want to find something easy.
• If you are a security professional, you want to see how hard your systems are.
• Most common tool is nmap.
• Nmap can help you work around an IDS.
• Inspects traffic to tell you about products and ports.
• Nmap is a TCP/IP expert: Xmas, stealth, etc.
Network Use Netmask
Typical network --- Cisco … IP address of the router is 192.168.1.1, netmask 255.255.255.0, class C.
So if I talk from 192.168.1.10 to 192.168.1.21, do I need to route? No.
So if the addresses differ only in the octet with a 0 in the netmask, no routing.
Network Route
Route when the addresses differ where there is a 1 in the netmask.
For 255.255.255.0, if we wish to go from 192.168.1.10 to 18.104.22.168, do we need to route? Yes.
How do we find our router? Use netstat -rn
Talk About Addresses
TCP/IP protocol. We agree not to route these addresses:
169.254 (what you get when you do not get a DHCP address)
172.
10.
192.168
127.0.0.1
127.0.0.2
192.168.1.x Cisco
192.168.0.x D-Link
Network Topology
So, I want three networks to be separate and have one external address to the Internet. How do I do this?
22.214.171.124 external address, 10.10.10.254 internal
Network1: 192.168.1.x, 255.255.255.0, gateway 192.168.1.1, internal (10.10.10.1)
Network2: 192.168.2.x, 255.255.255.0, gateway 192.168.2.1, internal (10.10.10.2)
Network3: 192.168.3.x, 255.255.255.0, gateway 192.168.3.1, internal (10.10.10.3)
What Did We Learn
1) Netmask determines your address range. Route when the difference is in the area of 1's on the netmask.
2) Router must be on the same subnet as the network it is routing.
3) How do we find the netmask? Unix: ifconfig -a. Windows: ipconfig /all
4) How do we find the router? netstat -rn
5) How do we find the DNS server? Windows: ipconfig /all. Unix: more /etc/resolv.conf
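The rule in point 1 (and in the Netmask Lab and Network Route slides) is a bitwise test: AND both addresses with the netmask and compare. The added example below (my code, not the course's) implements it so the lab's questions can be checked mechanically; because it works on bits rather than whole octets, it also handles a mask such as the 255.255.252.0 from the netstat -rn output, which the octet-by-octet reading cannot.

```python
"""Same subnet or via the router? Added example for the netmask slides;
not code from the course."""
import socket
import struct


def ip_to_int(addr):
    """Dotted quad -> 32-bit integer; raises OSError on malformed input."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def needs_routing(host_a, host_b, netmask):
    """True when the addresses differ somewhere the mask has a 1 bit.
    AND-ing each address with the mask keeps only the network part, so
    comparing the results is exactly the 'differ only where the netmask
    is 0' test from the slides, and it also works for masks that stop
    mid-octet such as 255.255.252.0 (192.168.0.0 through 192.168.3.255)."""
    mask = ip_to_int(netmask)
    return (ip_to_int(host_a) & mask) != (ip_to_int(host_b) & mask)


def differing_octets(host_a, host_b):
    """1-based positions of the octets that differ (the slides' 'differs
    in the third octet' check)."""
    a, b = host_a.split("."), host_b.split(".")
    return [i + 1 for i in range(4) if a[i] != b[i]]


if __name__ == "__main__":
    # Cases from the Netmask Lab slide plus two for the /22 network.
    cases = [
        ("192.168.1.10", "192.168.1.12", "255.255.255.0"),
        ("192.168.1.10", "192.168.0.11", "255.255.255.0"),
        ("10.11.1.1", "10.10.1.1", "255.0.0.0"),
        ("192.168.1.2", "192.168.2.3", "255.255.0.0"),
        ("192.168.1.2", "192.168.3.9", "255.255.252.0"),
        ("192.168.1.2", "192.168.4.9", "255.255.252.0"),
    ]
    for a, b, m in cases:
        verdict = "route" if needs_routing(a, b, m) else "no routing"
        print(f"{a} -> {b} mask {m}: {verdict}, octets differing "
              f"{differing_octets(a, b)}")
```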
Email Tracking
Let's say I sent an email to Mo and I wanted assurance that he has read it. Email itself is a datagram. In the email message: <img src="www.morrisisagreatguy.com/photo.jpg">
Tools do this for you. Put a link that does not require a click and sends that to a server for recording.
Email Tracking
<img src="www.morrisisagreatguy.com/photo.jpg">
This can be a servlet that returns a graphic. When the email is read, the servlet is called (it has to show the graphic). While getting the graphic, it denotes the fact that the email was read.
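The servlet the slide describes, written as a small WSGI app so it can be run and read in one file. This is an added example (my code, not the course's): the host, the /photo.jpg path and the token in the query string are assumptions, and the GIF is a hand-assembled 1x1 transparent image.

```python
"""How the tracking image on the slide works, as a tiny WSGI app instead of a
Java servlet. Added example; not course code. Host, path and the token
format are assumptions for illustration."""
import datetime

# Smallest valid GIF: 1x1, transparent (hand-assembled constant).
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")
READ_LOG = []   # stand-in for the database a real tracker would write to


def record_open(environ, log=READ_LOG):
    """Log one fetch. The query string is the token embedded in that one
    recipient's copy of the message, so a fetch identifies the reader."""
    entry = {
        "token": environ.get("QUERY_STRING", ""),
        "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "client": environ.get("REMOTE_ADDR", "?"),
        "agent": environ.get("HTTP_USER_AGENT", "?"),
    }
    log.append(entry)
    return entry


def tracking_app(environ, start_response):
    """GET /photo.jpg?<token>: record the read, then return the graphic."""
    if environ.get("PATH_INFO") != "/photo.jpg":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    record_open(environ)
    start_response("200 OK", [("Content-Type", "image/gif"),
                              ("Content-Length", str(len(PIXEL_GIF))),
                              ("Cache-Control", "no-store")])  # force re-fetch
    return [PIXEL_GIF]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, tracking_app).serve_forever()
```

Mail clients that do not auto-load remote images, or that fetch them through their own proxy, are the defence: the request then never reaches this server, or arrives from the proxy rather than from the reader.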
Fingerprinting Lab
Tell me what I am running (nmap thestreits.com). By using nmap.
Tell me what hosts on your subnet are running. By using nmap.
Fingerprinting
• We want to see what is on our network.
• If you are bad.... then you are looking for easy things.
• We want to make sure we are not one of those easy things.
• So for bad people, fingerprinting is a way to find easy systems to crack.
• For security professionals, it is a way of hardening our systems.
Best Practices
• Only SSH login, and only through a private key.
• Open ports 22 (private key only) and 443.
• This is for externally facing servers.
• So how do we find out?
How Do We Fingerprint
• Command: telnet host port
• Then send it commands.
• Then get what's running by parsing the results of the commands.

scott@companion:~$ telnet www.scottstreit.com 80
Trying 126.96.36.199......
HEAD
<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80</address>
</body></html>
Instead Of
• Telnet to a port.
• Writing a socket level program.
• Ping

scott@companion:~$ ping www.scottstreit.com
PING www.scottstreit.com (188.8.131.52) 56(84) bytes of data.
64 bytes from pool-74-103-6-161.bltmmd.fios.verizon.net (184.108.40.206): icmp_req=1 ttl=52 time=24.7 ms
We Use Nmap
• What is good about Nmap?
• Price.... Free
• Runs on every system.
• Around a long time: stable.
• De facto standard.
• Does a lot of things.
nmap
• We can see what systems are up on a subnet.
• We can see what ports are open.
• We can see what tools are running on the open ports.
• We don't have to fool around with TCP/IP.
Two Movies on nmap
Let's watch a YouTube movie on nmap.
Lab
• Tell me what is running on my machine.
• www.scottstreit.com
• Do it two ways.
• First telnet to port 80 and send HEAD.
• telnet www.scottstreit.com 80
• HEAD
• Then do an nmap on my box.
• Tell me what is running.
• Tell me what hosts are up on our 10. subnet.
Let's Simulate nmap

scott@companion:~$ telnet www.scottstreit.com 80
Trying 220.127.116.11...
Connected to www.scottstreit.com.
Escape character is '^]'.
head
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>head to /index.html not supported.<br />
</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80</address>
</body></html>
Connection closed by foreign host.
scott@companion:~$
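The HEAD exercise on the "How Do We Fingerprint" slide and the session above read the product and version off the reply by eye. The added example below (my code, not the course's) does the same parse in Python, first from a Server header and otherwise from the <address> footer that Apache puts on its error page, so you can check what your own server discloses; the reply it is tested on is constructed to match the slide's 501 page, and the host argument and helper names are assumptions.

```python
"""Pull the server banner out of an HTTP reply, the way the telnet HEAD
exercise does by eye. Added example; not course code."""
import http.client
import re

# Apache answers an unsupported method with an error page whose <address>
# footer names the product and version, as seen on the slide.
ADDRESS_RE = re.compile(r"<address>([^<]+?)\s+Server at", re.I)
PRODUCT_RE = re.compile(r"^([A-Za-z-]+)/([\d.]+)")


def banner_from_reply(headers, body):
    """headers: dict of response headers; body: str (may be empty for HEAD).
    Returns {'banner', 'product', 'version'} or None when nothing is
    disclosed; version is None if only the product name is given, which is
    what Apache's 'ServerTokens Prod' setting produces."""
    banner = headers.get("Server") or headers.get("server")
    if not banner:
        m = ADDRESS_RE.search(body)
        banner = m.group(1).strip() if m else None
    if not banner:
        return None
    m = PRODUCT_RE.match(banner)
    return {"banner": banner,
            "product": m.group(1) if m else banner,
            "version": m.group(2) if m else None}


def fingerprint(host, port=80, timeout=5):
    """Send a well-formed HEAD / and parse the reply (makes a network call).
    A HEAD reply has no body, so only the Server header is available here."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return banner_from_reply(dict(resp.getheaders()), "")
    finally:
        conn.close()


# Constructed reply modelled on the slide's 501 page.
SAMPLE_BODY = ("<html><head><title>501 Method Not Implemented</title></head>"
               "<body><h1>Method Not Implemented</h1>"
               "<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80"
               "</address></body></html>")
```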