COMP1321 Digital Infrastructures
Richard Henson, University of Worcester, April 2018
Week 22: “Offensive” security and ethical hacking
• Objectives:
  • Explain the principles of hacking ethically
  • Explain “footprinting” and reconnaissance from a penetration tester's perspective
  • Use vulnerability/penetration testing to “passively” scan networks and check access to the organisation's network (and information about it!) from outside
  • Exploit known vulnerabilities through specific unguarded TCP ports
Ethical Hacking Principles
• Hacking is a criminal offence in the UK
  • covered by the Computer Misuse Act (1990)
  • tightened by further legislation (2006)
• It can only be done “legally” by a trained (or trainee) professional
  • a computing student would be regarded as a trainee in this context under the law
Ethical Hacking Principles
• Even if it is legal…
  • that doesn't mean it is ethical!
• Professionals only hack without the owner's permission if there is reason to believe a law is being broken
  • if not… they must ask permission
  • otherwise it is definitely unethical (and possibly illegal)
Ethical Hacking Principles
• What is “hacking”?
  • breaching a computer system without permission
• How is it done?
  • using software tools to get through the security of the system
  • also called penetration testing (again… if done with permission…)
Penetration Tester's Toolkit
• Many penetration testing tools are available
• Also a body of knowledge that shows how to use them…
• Together, these provide the expertise to penetration test a client's site
  • but this should only be undertaken with the client's permission…
Preparing to use a Toolkit
• Ethical hacking professionals need to be familiar with both Windows Server and Linux
• To fully engage with the principles of penetration testing, install the following as virtual machines on your own computer:
  • Windows 2008 Server
  • Linux, with BackTrack (as VM) …
  • Remember: this should only be used ethically!
• Instead, you may wish to just take an overview (plenty of excellent YouTube videos)
What and Why of “Footprinting”
• Definition:
  • “Gathering information about a ‘target’ system”
• Could be passive (non-penetrative) or active
• Find out as much information as possible about the digital and physical evidence of the target's existence
  • need to use multiple sources…
  • may (e.g. in “black hat” hacking) need to be done secretly
Useful hacker “intelligence” about a network
• Domain names
• User/group names
• System names
• IP addresses
• Employee details/company directory
• Network protocols used & VPN start/finish
• Company documents
• Intrusion detection system used
Network Infrastructure Revision
• Windows networks are dependent on Active Directory
  • a large object-orientated database
  • installed on servers that then become part of domain log-in
Desktop Security
• Windows desktop security is managed through the system registry
  • an area of protected memory holding thousands of hardware/software settings
  • viewed using the regedit utility
  • some settings can be changed using regedit
  • other settings cannot be seen with regedit
System Registry
• System registry settings are stored on the local hard disk
• Loaded into memory during boot-up
• Local log on:
  • system policy files can overwrite settings in memory
• Network log on:
  • group policy files are downloaded and overwrite files during log on
Group Policy and Resource Access
• Network resource access is also controlled via downloaded registry settings
  • in this way, user access can be controlled through group policy
  • policy files and group membership need to be held securely
Rationale for “passive” Footprinting
• The ethical hacker can gather a lot of information from publicly available sources
  • the organisation needs to know what is “out there”
• Methodology:
  • start by finding the URL (search engine)
    • e.g. www.worc.ac.uk
  • from the main website, find other external-facing names
    • e.g. staffweb.worc.ac.uk
Website Connections & History
• History: use www.archive.org:
  • The Wayback Machine
• Connections: use robtex.com
• Business intelligence:
  • sites that reveal company details
  • e.g. www.companieshouse.co.uk
More Company Information…
• “Whois” & CheckDNS.com:
  • lookups of IP/DNS combinations
  • details of who owns a domain name
  • details of DNS zones & subdomains
• Job hunters' websites:
  • e.g. www.reed.co.uk
  • www.jobsite.co.uk
  • www.totaljobs.com
• IT technicians' “blog entries”
People Information
• Company information will reveal names
• Use names in:
  • search engines
  • Facebook
  • LinkedIn
• Google Earth reveals:
  • company location(s)
Physical Network Information (“active” footprinting or phishing)
• External “probing”
  • should be detectable by a good defence system… (could be embarrassing!)
• e.g. Traceroute:
  • uses the ICMP protocol “echo”
  • no TCP or UDP port
  • reveals names/IP addresses of intelligent hardware:
    • e.g. routers, gateways, DMZs
Email Footprinting
• Using the email system to find the organisation's email naming structure
• “passive”: monitor emails sent
  • IP source address
  • structure of the name
• “active”: email-sending programs:
  • test whether email addresses actually exist
  • test restrictions on attachments
Utilizing Google etc. (“passive”)
• Google: Advanced Search options:
  • uses [site:] [intitle:] [allintitle:] [inurl:]
  • in each case a search string should follow
    • e.g. “password”
• Maltego
  • graphical representations of data
Perusing Network Firewall Settings
• The firewall acts between the transport layer and the application layer
  • each application transfers data using a logical port
  • entry of packets to the application layer can be restricted by blocking that port
  • the hacker will wish to know which ports are blocked and which could be exploited
TCP/UDP Ports and Hacking
• Schematic TCP/IP stack interacting at three of the 7 OSI levels (network, transport, application):
  (diagram: application protocols TELNET, FTP, SMTP, NFS, DNS, SNMP, each bound to a port; transport layer TCP and UDP; network layer IP)
TCP & UDP Ports
• Hackers use these to get inside firewalls etc.
• Essential to know the important ones:
  20, 21  ftp       80     http       389  LDAP
  22      ssh       88     Kerberos   443  https
  23      telnet    110    pop3       636  LDAP/SSL
  25      smtp      135    smb
  53      dns       137-9  NetBIOS
  60      tftp      161    snmp
Reconnaissance/Scanning
• Three types of scan:
  • Network (already mentioned)
    • identifies active hosts
  • Port
    • send client requests until a suitable active port has been found…
  • Vulnerability
    • assessment of devices for weaknesses that can be exploited
A “Scanning” Methodology for Ethical Hackers…
• Check for live systems
• Check for open ports
• “Banner grabbing”
  • e.g. a bad HTML request
• Scan for vulnerabilities
• Draw network diagram(s)
• Prepare proxies…
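The traceroute probing and port scanning covered in the slides above are what the organisation's own firewall logs should reveal; this added example (not from the lecture) runs two simple detections over constructed log lines: a port-scan check for one source touching many ports in a short window, and the low-TTL signature of an ICMP-echo traceroute arriving at the host. It assumes a one-line-per-packet log format of my own and uses documentation IP addresses.

```python
# Added example (not from the lecture); log format and addresses are constructed.
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2018-04-20T10:00:01 TCP 203.0.113.5 198.51.100.10 22 54
2018-04-20T10:00:01 TCP 203.0.113.5 198.51.100.10 23 54
2018-04-20T10:00:02 TCP 203.0.113.5 198.51.100.10 25 54
2018-04-20T10:00:02 TCP 203.0.113.5 198.51.100.10 80 54
2018-04-20T10:00:03 TCP 203.0.113.5 198.51.100.10 443 54
2018-04-20T10:01:10 ICMP 203.0.113.77 198.51.100.10 - 1
2018-04-20T10:01:10 ICMP 203.0.113.77 198.51.100.10 - 1
2018-04-20T10:01:11 ICMP 203.0.113.77 198.51.100.10 - 1
2018-04-20T10:02:00 ICMP 192.0.2.9 198.51.100.10 - 57
"""

def parse(log):
    """Parse chronological "ts proto src dst dport ttl" lines ('-' = no port)."""
    events = []
    for line in log.splitlines():
        ts, proto, src, dst, dport, ttl = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "proto": proto,
                       "src": src, "dst": dst, "ttl": int(ttl),
                       "dport": None if dport == "-" else int(dport)})
    return events

def detect_port_scans(events, min_ports=5, window_s=60):
    """Flag a source hitting >= min_ports distinct ports on one host within window_s."""
    by_pair = defaultdict(list)
    for e in events:
        if e["proto"] in ("TCP", "UDP"):
            by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        for i, first in enumerate(evs):  # try a window starting at each event
            ports = {x["dport"] for x in evs[i:]
                     if (x["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                alerts.append((src, dst, len(ports)))
                break
    return alerts

def detect_traceroute(events, max_ttl=2, min_probes=3):
    """Flag echo requests arriving with TTL <= max_ttl: each traceroute probe is
    sent with just enough TTL to reach the host, so it lands with TTL 1 or 2."""
    low = defaultdict(int)
    for e in events:
        if e["proto"] == "ICMP" and e["ttl"] <= max_ttl:
            low[(e["src"], e["dst"])] += 1
    return [(s, d, n) for (s, d), n in low.items() if n >= min_probes]
```

The ICMP check matches the slide's description (and Windows tracert); Linux traceroute defaults to UDP probes to high ports, which would need a separate rule.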
Proxy Hacking (or Hijacking)
• The attacker creates a copy of the targeted web page on a proxy server
• Then uses methods like:
  • keyword stuffing
  • linking to the copied page from external sites…
• Artificially raises the search engine ranking
  • the authentic page will rank lower…
  • it may even be seen as duplicated content, in which case a search engine may remove it from its index
Now you try it!
• Download OWASP software tools…
• Try out the tools on an informal basis without infringing “ethical hacking” rules
• Gather evidence documenting your activities
  • after Campbell Murray's presentation (27th April)
• Present evidence to hand in with assignment 2…