
Network Security


Presentation Transcript


  1. Network Security Footprinting / Packet Sniffing

  2. Footprinting • Definition: the gathering of information about a potential target system or network • Often loosely called fingerprinting, though fingerprinting more precisely means identifying a particular OS or service version, which is one step within footprinting • Attacker’s point of view • Identify potential target systems • Identify which types of attacks may be useful on target systems • Defender’s point of view • Know the available tools • May be able to tell if a system is being footprinted, and be better prepared for a possible attack • Vulnerability analysis: know what information you’re giving away and what weaknesses you have

  3. Information to Gather • System (Local or Remote) • IP Address, Name and Domain • Operating System • Type (Windows, Linux, Solaris) • Version (98/NT/2000; Red Hat 7/8/9, Fedora, SuSE) • Usernames • File structure • Open Ports (what services/programs are running on the system) • Physical Proximity/Location

  4. Information to Gather (2) • Networks / Enterprises • System information for all hosts • Network topology • Gateways • Firewalls • Overall topology • Network traffic information • Specialized servers • Web, Database, FTP, Email, etc.

  5. Defender Perspective • Identify information you’re giving away • Identify weaknesses in systems/network • Know when systems/network is being probed • Identify source of probe • Develop awareness of threat • Construct audit trail of activity

  6. Tools - Linux • Linux tools - lower level utilities • Local System • hostname • ifconfig • who, last • Remote Systems • ping • traceroute • finger (also local system) • nslookup, dig • whois • arp, netstat (also local system) • Other tools • lsof

  7. Tools – Linux (2) • Other utilities • ethereal (packet sniffing) • nmap (port scanning) - more later

  8. Tools - Windows • Windows • Sam Spade (collected tools) • ethereal (packet sniffer) • Command line tools • ipconfig • Many others…

  9. hostname • Determine name of current system • Usage: hostname • E.g. hostname localhost.localdomain // default • E.g. hostname clics.cs.uwec.edu

  10. ifconfig • Configure network interface • Tells current IP numbers for host system • Usage: ifconfig • E.g. ifconfig // command alone: display status
  eth0  Link encap: Ethernet  HWaddr 00:0C:29:CD:F6:D3
        inet addr: 192.168.172.128 . . .
  lo    Link encap: Local Loopback
        inet addr: 127.0.0.1 . . .

  11. who • Basic tool to show users on current system • Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts) • Usage: who • E.g. who
  root   tty1   Jan 9 12:46
  paul   tty2   Jan 9 12:52

  12. last • Show last N users on system • Default: since last cycling of file • -N: last N lines • Useful for identifying unusual activity in recent past • Usage: last [-n] • E.g. last -3
  wagnerpj pts/1  137.28.253.254    Sat Feb  5 15:40   still logged in
  flinstf  pts/0  137.28.191.74     Sat Feb  5 15:38   still logged in
  rubbleb  pts/0  c48.193.173.92.e  Sat Feb  5 14:38 - 15:25  (00:46)
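The "identify unusual activity" use of who/last on the two slides above is easy to automate once the output is parsed. The following is an added example, not part of the slides: it parses `last`-style lines (constructed here in the same layout as the slide's example, with one extra fabricated account) and flags logins by unknown accounts, from outside an assumed trusted network prefix, or outside working hours. The user list, the 137.28. prefix and the 07:00-19:59 window are assumptions for the demonstration.

```python
import re

# Constructed sample in the layout of the slide's `last -3` output; svc_bkp is an
# invented account that never appears on the slides.
SAMPLE_LAST = """\
wagnerpj pts/1        137.28.253.254   Sat Feb  5 15:40   still logged in
flinstf  pts/0        137.28.191.74    Sat Feb  5 15:38   still logged in
rubbleb  pts/0        c48.193.173.92.e Sat Feb  5 14:38 - 15:25  (00:46)
svc_bkp  pts/2        203.0.113.9      Sat Feb  5 03:12 - 03:13  (00:01)
"""

# user, tty, source host, then "Dow Mon d HH:MM". Only remote entries (those with a
# source column) are parsed; console logins and the trailing "wtmp begins" line are skipped.
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\w{3}\s+\w{3}\s+\d+\s+\d{2}:\d{2})")


def parse_last(text):
    """Turn `last` output into a list of dicts, one per remote login record."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, tty, source, when = m.groups()
        hour = int(when.rsplit(" ", 1)[1].split(":")[0])
        entries.append({"user": user, "tty": tty, "source": source, "hour": hour,
                        "still_logged_in": "still logged in" in line})
    return entries


def flag_unusual(entries, known_users, trusted_prefixes, work_hours=range(7, 20)):
    """Return (user, source, reasons) for every record that deserves a second look."""
    findings = []
    for e in entries:
        reasons = []
        if e["user"] not in known_users:
            reasons.append("unknown or newly created account")
        if not e["source"].startswith(tuple(trusted_prefixes)):
            reasons.append("login from outside trusted networks")
        if e["hour"] not in work_hours:
            reasons.append("login outside normal hours")
        if reasons:
            findings.append((e["user"], e["source"], reasons))
    return findings


if __name__ == "__main__":
    for user, source, reasons in flag_unusual(parse_last(SAMPLE_LAST),
                                              {"wagnerpj", "flinstf", "rubbleb"},
                                              ("137.28.",)):
        print(f"{user:10} {source:18} {'; '.join(reasons)}")
```

Run against a real system, pipe `last -n 200` into `parse_last` and feed the account list from /etc/passwd; the point is that a source host or an hour that is odd for a given account is visible only if you keep a baseline of what is normal.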

  13. ping • Potential Uses • Is system online? • Through response • Gather name information • Through DNS (reverse lookup of the address) • Estimate relative distance • Based on RTT (Round Trip Time) given in summary statistics; very rough, since RTT reflects path length and congestion rather than geography • Identify operating system • Based on TTL (packet Time To Live) on each reply line • TTL = number of hops allowed to get to system; each router decrements it by one, so the value you see is the sender’s default minus the number of hops • 64 is the Linux default, 128 the Windows default, 255 on many network devices (but all can be changed!) • Notes • Uses ICMP echo request/reply packets • Often blocked on many hosts and firewalls, so no reply does not prove a host is down • Usage: ping system • E.g. ping ftp.redhat.com • E.g. ping localhost
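Turning the TTL rule of thumb above into code makes the two inferences explicit: the nearest default above the observed TTL suggests the OS family, and the difference estimates how many hops away the host is. This is an added example, not from the slides; the ping lines are constructed in Linux (`ttl=`) and Windows (`TTL=`) format and the addresses are placeholders. The table of defaults is the slide's 64/128 plus 255, which routers and older Solaris commonly use.

```python
import re

# Common default initial TTLs, checked smallest first. All are configurable
# (e.g. net.ipv4.ip_default_ttl on Linux), so the OS guess is a hint, not proof.
INITIAL_TTLS = [(64, "Linux/Unix-like"), (128, "Windows"), (255, "network device / Solaris")]

# Constructed ping output, not a real capture: two Linux-style lines and two Windows-style lines.
SAMPLE_PING = """\
64 bytes from 137.28.109.33: icmp_seq=1 ttl=52 time=31.2 ms
64 bytes from 137.28.109.33: icmp_seq=2 ttl=52 time=30.8 ms
Reply from 192.0.2.10: bytes=32 time=17ms TTL=117
Reply from 198.51.100.1: bytes=32 time=2ms TTL=243
"""

REPLY_RE = re.compile(
    r"(?:from|Reply from)\s+(\d{1,3}(?:\.\d{1,3}){3}).*?ttl=(\d+)", re.IGNORECASE)


def guess_from_ttl(observed):
    """Map an observed TTL to (assumed initial TTL, OS family, estimated hops away)."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial, family in INITIAL_TTLS:
        if observed <= initial:
            return initial, family, initial - observed
    raise AssertionError("unreachable: 255 covers every valid TTL")


def analyze_ping(output):
    """One summary per replying host, keyed by IP address."""
    results = {}
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        ip, ttl = m.group(1), int(m.group(2))
        initial, family, hops = guess_from_ttl(ttl)
        results[ip] = {"ttl": ttl, "initial_ttl": initial, "os_guess": family, "hops": hops}
    return results


if __name__ == "__main__":
    for ip, info in analyze_ping(SAMPLE_PING).items():
        print(f"{ip:16} ttl={info['ttl']:3} -> {info['os_guess']} about {info['hops']} hops away")
```

The hop estimate is the more reliable of the two outputs: an administrator who changes the default TTL to 128 on a Linux box fools the OS guess, but the hop arithmetic still holds relative to whatever default was used.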

  14. traceroute • Potential Uses • Estimate the approximate location of a machine (from hop hostnames and RTTs) • Gather network information (gateway, other internal systems) • Find the system that’s dropping your packets – evidence of a firewall • Notes • Sends probes with increasing TTL and records which router returns the ICMP time-exceeded message for each one • Linux traceroute sends UDP probes by default (ICMP with -I); Windows tracert uses ICMP echo • Results often limited by firewalls • Usage: traceroute system • E.g. traceroute cs.umn.edu

  15. traceroute example
  [wagnerpj@data ~]$ traceroute cs.umn.edu
  traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
   1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
   2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
   3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
   4  * * *
  <ctrl-c>
  [wagnerpj@data ~]$

  16. traceroute example - success
  H:\>tracert www.google.com
  Tracing route to www.google.akadns.net [64.233.167.99]
  over a maximum of 30 hops:
    1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
    2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
    3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
    4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
    5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
    6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
    7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
    8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
    9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
   10    16 ms    16 ms    18 ms  216.239.46.10
   11    21 ms    19 ms    17 ms  64.233.175.30
   12    18 ms    16 ms    16 ms  64.233.167.99
  Trace complete.

  17. finger • Potential Uses • Collect usernames • Determine if user is currently logged in • Notes • Often blocked • Usage: finger localuser or finger @system or finger remoteuser@system • E.g. finger wagnerpj (user on local system) • E.g. finger @cs.umn.edu (all on remote system) • E.g. finger wagnerpj@cs.umn.edu (user on remote system)

  18. whois • Potential Uses • Queries nicname/whois servers for Internet registration information • Can gather contacts, names, geographic information, servers, … - useful for social engineering attacks • Notes • Usage: whois domain • e.g. whois netcom.com

  19. whois example - basic
  Domain Name: UWEC.EDU
  Registrant:
     University of Wisconsin - Eau Claire
     105 Garfield Avenue
     Eau Claire, WI 54702-4004
     UNITED STATES
  Contacts:
     Administrative Contact:
        Computing and Networking Services
        105 Garfield Ave
        Eau Claire, WI 54701
        UNITED STATES
        (715) 836-5711
        networking@uwec.edu
  Name Servers:
     TOMATO.UWEC.EDU   137.28.1.17
     LETTUCE.UWEC.EDU  137.28.1.18
     BACON.UWEC.EDU    137.28.5.194

  20. whois example - wildcards • whois uw%.edu
  Your search has matched multiple domains. Below are the domains you matched (up to 100).
  For specific information on one of these domains, please search on that domain.
  UW.EDU
  UWA.EDU
  UWB.EDU
  UWC.EDU
  UWEC.EDU
  UWEST.EDU
  UWEX.EDU
  ….

  21. nslookup • Potential Uses • Query internet name servers • Find name for IP address, and vice versa • Notes • Now deprecated – generally use dig • Sometimes useful when dig fails • Usage • nslookup xxxxxxx // name or IP addr. • E.g. nslookup data.cs.uwec.edu • E.g. dig data.cs.uwec.edu

  22. dig • Potential Uses • Domain Name Service (DNS) lookup utility • Associate name with IP address and vice versa • Notes • Many command options • General usage: dig <somehost> • E.g. dig data.cs.uwec.edu • E.g. dig -x 137.28.109.33 // reverse (PTR) lookup; without -x, dig treats the address as a hostname and the lookup fails

  23. arp • Displays the system’s ARP cache: the IP-to-MAC mappings for hosts this system has recently exchanged frames with on the local segment • Possible uses • Find adjacent systems (only hosts on the same LAN appear, since ARP does not cross routers) • Notes • arp // display hostnames (does DNS lookups, which can be slow) • arp -n // display numeric addresses only

  24. netstat • Shows connections, routing information, statistics • Possible uses • find adjacent machines, used ports • Notes • Many flags • netstat // open sockets, etc. • netstat -s // summary statistics • netstat -r // routing tables • netstat -p // programs (PID/name owning each socket; needs root to see other users’ processes) • netstat -l // listening sockets

  25. lsof • Lists open files on your system • Useful to see what processes are working with what files, possibly identify tampering • Usage: lsof

  26. Windows Tools • Sam Spade • “swiss army knife” of footprinting • Has most of the Linux tools • Plus other functionality • Usage • Start application • Fill in name or IP address • Choose option desired in menus

  27. Packet Sniffers • Definition: hardware or software that captures network traffic and displays it packet by packet • Usage • Network traffic analysis • Example packet sniffers • tcpdump (command line; Linux, BSD, macOS) • ethereal (Linux, Windows – open source; renamed Wireshark in 2006) • others…

  28. Limitations – Packet Sniffing • Packet sniffers only catch what they can see • Users attached to a hub – can see everything on the segment • Users attached to a switch – see only their own traffic plus broadcasts; seeing other hosts’ traffic needs a mirror/SPAN port or a layer-2 attack such as ARP spoofing • Need to be able to put the NIC in “promiscuous” mode to process all traffic, not just traffic addressed to/from itself • NIC and driver must support it • Need privilege (e.g. root on Linux)

  29. OSI Network Protocol • Layer 7 – Application (incl. app. content) • Layer 6 – Presentation • Layer 5 – Session • Layer 4 – Transport (incl. protocol, port) • Layer 3 – Network (incl. source, dest) • Layer 2 – Data Link • Layer 1 – Physical
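The layer list above is exactly what a sniffer's middle pane reconstructs from raw bytes: MAC addresses at layer 2, IP addresses and TTL at layer 3, protocol and ports at layer 4, and the application content at layer 7. The following added example (not from the slides or from ethereal) is a minimal dissector for an Ethernet/IPv4/TCP frame, plus a builder that constructs a sample frame to feed it. The sending MAC and IP are the ones from the ifconfig slide; the gateway MAC 00:11:22:33:44:55, the destination 137.28.109.33 and the HTTP payload are assumptions.

```python
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dissect(frame):
    """Split one Ethernet frame into the OSI layers a sniffer displays (L2, L3, L4, L7)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"l2": {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}}
    if ethertype != 0x0800:                  # not IPv4: stop at the data link layer
        return layers
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (20 without options)
    layers["l3"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                    "ttl": ttl, "proto": proto, "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    if proto != 6:                           # only TCP is dissected in this example
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4         # TCP header length in bytes
    layers["l4"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                    "flags": [name for bit, name in TCP_FLAGS if off_flags & bit]}
    layers["l7"] = tcp[data_off:]            # application payload, readable if the protocol is cleartext
    return layers


def build_sample_frame():
    """Constructed frame, not a real capture: the slide's host sends an HTTP request to port 80."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    # sport 40000, dport 80, seq 1, ack 0, data offset 5 words + PSH|ACK, window 8192, csum 0, urg 0
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x18, 8192, 0, 0)
    ip_len = 20 + len(tcp) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0x4000, 64, 6, 0,
                         bytes([192, 168, 172, 128]), bytes([137, 28, 109, 33]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("000c29cdf6d3") + struct.pack("!H", 0x0800)
    return eth + ip_hdr + tcp + payload


if __name__ == "__main__":
    for layer, fields in dissect(build_sample_frame()).items():
        print(layer, fields)
```

Real captures add VLAN tags, IP options and IPv6, which this dissector deliberately does not handle; the point is to see that every field the slide attributes to a layer is just a fixed offset into the bytes the NIC delivered.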

  30. ethereal • Created as a tool to examine network problems in 1997 • Various contributors added packet dissectors, fixes, upgrades; released 1998 • Reads and writes other packet capture formats (e.g. tcpdump/libpcap) • Renamed Wireshark in 2006 • Information: http://www.ethereal.com • Demonstration

  31. Using ethereal • # ethereal • Capture/Start/OK • Capture window shows accumulated totals for different types of packets • Stop – packets now displayed • Top window – packet summary • Can sort by column – source, destination, protocol are useful • Middle window – packet breakdown • Click on + icons for detail at each packet level • Bottom window – packet content

  32. Ethereal capture analysis • Can save a session to a capture file • Can reopen file later for further analysis • Open capture file (disable network name resolution for faster opening and “reset” the filter): • Linux: /usr/local/Support/CLICScapture.cap • Windows: C:\Support\CLICScapture.cap • Identify and follow different TCP streams • Select TCP packet, Tools/Follow TCP Stream • CLICScapture.cap has http, https, ftp, ssh • Any interesting information out there? (http and ftp carry logins and content in the clear; https and ssh encrypt the payload, but endpoints, ports, timing and handshake details are still visible)
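"Follow TCP Stream" is just reassembly: take the segments of one direction of a connection, order them by sequence number, drop retransmitted duplicates, trim overlaps, and concatenate the payloads. The following added example (not from the slides or from ethereal) does that for a constructed FTP login whose segments arrive out of order, with one retransmission and one overlapping segment, then pulls the cleartext USER/PASS out of the rebuilt stream. The username, password and sequence numbers are invented.

```python
def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    Handles out-of-order delivery, retransmitted duplicates and overlapping segments.
    Returns (stream bytes, list of (start, end) sequence-number holes); a hole means the
    sniffer missed those bytes, which is the usual reason a followed stream looks garbled."""
    ordered = sorted(segments, key=lambda s: s[0])
    stream = bytearray()
    gaps = []
    next_seq = ordered[0][0] if ordered else 0
    for seq, data in ordered:
        if seq + len(data) <= next_seq:
            continue                          # pure retransmission, nothing new
        if seq < next_seq:
            data = data[next_seq - seq:]      # trim the prefix we already have
            seq = next_seq
        if seq > next_seq:
            gaps.append((next_seq, seq))      # missing bytes between the last segment and this one
        stream += data
        next_seq = seq + len(data)
    return bytes(stream), gaps


def find_cleartext_credentials(stream):
    """FTP (and similar line-based protocols) send USER and PASS unencrypted."""
    creds = {}
    for line in stream.decode("latin-1").split("\r\n"):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() in ("USER", "PASS") and arg:
            creds[cmd.upper()] = arg
    return creds


# Constructed client->server FTP segments: deliberately out of order, with the first
# segment retransmitted and the last one overlapping the end of the PASS line.
SAMPLE_SEGMENTS = [
    (1011, b"PASS hunter2\r\n"),
    (1000, b"USER fred\r\n"),
    (1000, b"USER fred\r\n"),
    (1020, b"er2\r\nSYST\r\n"),
]


if __name__ == "__main__":
    stream, gaps = reassemble(SAMPLE_SEGMENTS)
    print(stream.decode("latin-1"), gaps, find_cleartext_credentials(stream))
```

Feeding this from a real capture means first grouping packets by the 4-tuple (src IP, src port, dst IP, dst port) and taking the TCP payload of each, which is what the sniffer does before it shows you the two colours of a followed stream.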

  33. Related Tools • Hunt • TCP sniffer • Watch and reset connections • Hijack sessions • Spoof MAC • Spoof DNS

  34. Related Tool • EtherPEG – image capture on network • http://www.etherpeg.com • Demonstration • See http://www.menshevik.com/showme on windows

  35. Summary • Basic tools can generate much information • Remember principle of accumulating information • Attacker will build on smaller pieces to get bigger pieces • Moral: don’t give away information if you can avoid it
