
Capital Area Cyber Security User Group CLASS 2 Passive Information Gathering






Presentation Transcript


  1. Capital Area Cyber Security User Group, CLASS 2: Passive Information Gathering

  2. Presenter BIO • Strengths • Weakness • Security Interests • Something Fun

  3. User group Objective • Give students offensive knowledge to better defend computer networks • Hands-on security training to complement theory; put theories into practice • “Tell me and I'll forget; show me and I may remember; involve me and I'll understand.” • Knowledge sharing: the power of group learning

  4. USER GROUP OBJECTIVE Contd. • Group Exercise: What do you see in the following pictures?

  5. USER GROUP OBJECTIVE Contd. • Increase experience with a multitude of security aspects • Network with other security-minded professionals • Play in a safe lab environment not offered at work or home • Earn CPEs to maintain certifications without high costs • For CISSP: • Preparing and presenting a 2-hour presentation = 8 CPEs • Participating for 1 hour = 1 CPE • Updating an existing presentation (see the ISC2 chart for specifics)

  6. USER GROUP OBJECTIVE Contd. • Have your questions answered; bring hard issues that require solutions • Improve public speaking and training skills

  7. CEH Certified Ethical Hacker Study Guide Kimberly Graves, 2010 Amazon.com Course Chapters: • Chapter 1: Introduction to Ethical Hacking, Ethics, and Legality • Chapter 2: Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering • Chapter 3: Gathering Network and Host Information: Scanning and Enumeration • Chapter 4: System Hacking: Password Cracking, Escalating Privileges, and Hiding Files • Chapter 5: Trojans, Backdoors, Viruses, and Worms • Chapter 6: Gathering Data from Networks: Sniffers • Chapter 7: Denial of Service and Session Hijacking • Chapter 8: Web Hacking: Google, Web Servers, Web Application Vulnerabilities, and Web-Based Password Cracking Techniques • Chapter 9: Attacking Applications: SQL Injection and Buffer Overflows • Chapter 10: Wireless Network Hacking • Wi-Fi and Ethernet • Chapter 11: Physical Site Security • Chapter 12: Hacking Linux Systems • Chapter 14: Cryptography • Chapter 15: Performing a Penetration Test

  8. Course Agenda • Class 1: Methodologies and Lab Setup • Class 2: Passive Information Gathering • Class 3: Active Information Gathering (Nessus) • Class 4: Wireless and Wired Network Enumeration • Class 5: Target System Penetration • Class 6: Privilege Escalation, Maintaining Access, and Malware • Class 7: Web Application Penetration • Class 8: Covering Tracks, IDS, Reporting, and Cleanup • Class 9: Metasploit • Class 10: Physical Security (Lock Picking etc.) • Class 11: Capture the Flag

  9. Agenda • Passive Information Gathering • Goals • Key Employee Identification • Wireless Access Point Identification • Website and Web Page Code Analysis • Electronic Dumpster Diving • Google Hacking • Domain Ownership • Lab Exercises

  10. DO NOT perform any activities from this course on any network/system or on a network connected device without proper permission! Make sure you have written permission and authorization to conduct these activities on any system. Conducting any activities related to penetration testing requires the consent of the owner of the target system and the internet service provider. Failure to obtain consent in the form of a legal contract can result in fines and imprisonment.

  11. Information Systems Security Assessment Framework (ISSAF)

  12. What is Passive Information Gathering? • The process of searching for information that an attacker could potentially use to exploit the target network • Critical Services • Key Employees • Partner Companies • Company Website, IP and email addresses • Physical address and location • Domain names • Types of operating systems, databases, servers, protocols, and programming languages used

  13. What is Passive Information Gathering? • Synonyms: • Footprinting • Reconnaissance (Army example and Oceans Eleven)

  14. What is Passive Information Gathering? • Where can the attacker find this information? • Corporate Websites and Job Postings • Electronic Archives • Web Page Code • Search Engines • Domain Name Servers • Social Engineering

  15. Why Do Passive Information Gathering? • More information about the target can make the penetration test easier during the later phases • “Know your enemies and know yourself, you will not be imperiled in a hundred battles.” –Sun Tzu, Art of War • “Generally, a hacker spends 90 percent of the time profiling and gathering information on a target and 10 percent of the time launching the attack.” -Kimberly Graves

  16. Why Do Passive Information Gathering? • Subtle vulnerabilities and information leaks may exist in publicly available information • Starting point to dive into the test • Timing the Attack • Example around patch releases Microsoft Patch Tuesday or Oracle CPU etc. • Off hours such as holidays, vacations, or peak hours

  17. Active Vs. Passive Information Gathering • Active • Interacts with the target's devices, network, or people, e.g. a vulnerability scan or a phone call to the helpdesk; the target can log or notice it • Passive • No packets to and no contact with the target, e.g. Google searches of publicly available information; the target sees nothing

  18. Starting at the Source • What information is available on the target company’s website? • The About Us section contains the company headquarters address and the name of the CEO and/or other chief officers • Searching the site could reveal domain names • Attackers could use the information to: • Dumpster dive at the company’s physical location • Wardrive • Wardial • Conducting a pen test against a large company is difficult • Search for vendors, partners, and recent mergers and acquisitions of smaller companies that may have less security (Source: Build Your Own Security Lab)

  19. Scrutinizing Key Employees • Find a list of key employees • An attacker may visit the published home address of an employee to exploit her wireless connectivity • Sites that list addresses and other personal information: • www.anywho.com • people.yahoo.com • www.zabasearch.com • www.peoplesearchnow.com • Research social/corporate networking sites: • www.ZoomInfo.com • www.facebook.com • www.Linkedin.com • www.myspace.com (Source: Build Your Own Security Lab)

  20. Scrutinizing Key Employees • Useful information to prepare for social engineering • Debt (payoff) • Disgruntled (layoffs from mergers) • Vacations • Embarrassing information (blackmail) • How to get this information: • Run a credit report (illegal without permission) • Find out via Facebook status etc. • Bugs/Cameras/Spies/Stakeout/Pick Pocket (Source: Build Your Own Security Lab)

  21. Social Engineering Key Employees • Kevin Mitnick – Father of social engineering • At age 12, socially engineered a bus driver to circumvent the punch card system for LA buses • Went on to hacking phones, systems etc.; was captured and put in solitary confinement due to fears that he could launch a nuclear missile by whistling into a phone

  22. Social Engineering Key Employees • “Amateurs hack systems, professionals hack people.” — Bruce Schneier • Basic social engineering strategies: • Important person/Angry Boss/Customer = fear • Helpful Helpdesk = help • “Sticks and stones WILL break my bones” = torture • Shoulder Surfing • Impersonation (Palin) • Third person

  23. Getting in bed with Robin Sage • Research regarding unquestioned trust • Relationship level of trust based on gender, occupation, credentials, and social network • Results: • Hundreds of connections with government affiliates including NSA, DOD, etc. and top companies • Offered gifts, jobs, speaking opportunities etc. • Information shared and connections made in breach of security policies

  24. Wireless Access Points (WAP) • Wireless LANs (WLAN) are made of multiple computers connected to a wireless infrastructure • A WAP can run in different modes: • Normal – client computers connect to a central WAP • Bridge – the WAP communicates directly with clients and other APs • Client – the WAP communicates only with other APs as a client • Repeater – repeats the signal of another AP to extend the signal’s range

  25. Wireless Access Points (WAP)

  26. WLAN Threat • Wardriving – driving around a target with special equipment to record information about WAPs • Equipment: laptop with a wireless network interface controller, GPS device, antennas and network discovery tools (Kismet) • Warwalking – walking around or sitting near a target with a laptop and other equipment in a backpack • Warflying – the same from an aircraft

  27. WLAN Threat - NetStumbler • Windows GUI-based active wireless scanner (sends probe requests, so it can be detected) • Provides information such as: • MAC address • SSID • Access point name • Channel • Vendor • Encryption detection • Signal strength • GPS coordinates (if a GPS device is attached) (Source: Build Your Own Security Lab)

  28. NetStumbler Interface

  29. WLAN Threat - Kismet (screenshot: Kismet UI main view) • Unix-based passive wireless network detector (listens only; sends nothing) • Provides: • Basic Intrusion Detection System features • Cisco product detection via CDP • IP block detection • Hidden SSID decloaking • Ethereal (Wireshark) file logging • Airsnort-compatible weak key logging • Run-time decoding of WEP packets • SSID grouping and custom naming • A single stream viewable to many client devices • Graphical data mapping • Network device manufacturer identification • Default WAP configuration detection

  30. Kismet Interface

  31. Wireless LAN Threat • Vistumbler is an alternative to NetStumbler for Windows Vista and 7

  32. Mapping Wireless Access Points • Use website such as http://wigle.net to geographically map points or to locate existing known access points

  33. Dumpster Diving (Electronic) • Unhappy employees may leak sensitive information • www.internalmemos.com contains documents that are often for employees’ eyes only • Process of looking for old electronic data (once posted, it is always available!!) • One place to look is an Internet archive • The Wayback Machine at www.archive.org contains about 85 billion archived web pages • Archived pages may contain leaked information or security vulnerabilities that have since been removed from the live site • www.alexa.com provides site statistics and some domain information (Source: web.archive.org)

  34. lockheedmartin.com Through The Years

  35. Dumpster Diving (Electronic) • Wiki leaks – http://wikileaks.org/ • Password sites – http://www.skullsecurity.org/wiki/index.php/Passwords (leaked password lists, useful for building target-specific wordlists) • Good old-fashioned dumpster diving (Source: web.archive.org)

  36. Analyzing Web Page Code • Web sites can provide more information in their source code • Use a site ripper to duplicate the web pages onto a local hard disk • BlackWidow displays HTML and source code, email addresses on the site, and site links • Teleport Pro • Wget • Instant Source • Look for hidden fields embedded in the source code • Hidden fields are sent back by the browser unchanged, but they are under the user's control; using them to carry email addresses, prices, or other state is security by obscurity, and a server that trusts the submitted value (the price below) can be made to accept a modified one • Example:
      <INPUT TYPE=HIDDEN NAME="name" VALUE="Omega Seamaster">
      <INPUT TYPE=HIDDEN NAME="price" VALUE="$2495.50">
      <INPUT TYPE=HIDDEN NAME="wa" VALUE="1">
      <INPUT TYPE=HIDDEN NAME="return" VALUE="http://www.vulnerable_site.com/cgi-bin/cart.pl?db=Omega.dat&category=&search=watch&method=&begin=&display=&price=&merchant=">
      <INPUT TYPE=HIDDEN NAME="add2" VALUE="1">
      <INPUT TYPE=HIDDEN NAME="image" VALUE="http://www.vulnerable_site.com/images/omega-bond.jpg">
  (Source: Build Your Own Security Lab)
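The following is an added example, not code from the slides or from the book they cite. It does by script what the slide says BlackWidow does by hand: given HTML saved to disk by a site ripper, it lists hidden form fields, email addresses, HTML comments, and links, and flags hidden fields whose names suggest server-side trust in client data (the price field from the slide's form). The page below is constructed for the example; the field names mirror the slide, and the `SENSITIVE_NAMES` list is an assumption about what is worth a second look.

```python
"""Extract recon-relevant details from ripped HTML (added example)."""
import re
from html.parser import HTMLParser

# Constructed sample page: what a ripper such as wget might have saved.
SAMPLE_HTML = """
<html><body>
<!-- TODO: remove test account admin@vulnerable_site.com before go-live -->
<a href="mailto:sales@vulnerable_site.com">Contact sales</a>
<a href="/cgi-bin/cart.pl">Cart</a>
<form action="/cgi-bin/cart.pl" method="post">
<INPUT TYPE=HIDDEN NAME="name" VALUE="Omega Seamaster">
<INPUT TYPE=HIDDEN NAME="price" VALUE="$2495.50">
<INPUT TYPE=HIDDEN NAME="wa" VALUE="1">
<INPUT TYPE=HIDDEN NAME="return" VALUE="http://www.vulnerable_site.com/cgi-bin/cart.pl?db=Omega.dat">
<INPUT TYPE=HIDDEN NAME="add2" VALUE="1">
<input type="submit" value="Buy">
</form>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumption: hidden-field names that should never be trusted from the client
# (prices and totals invite tampering; redirect targets invite open redirects).
SENSITIVE_NAMES = {"price", "amount", "total", "discount", "role",
                   "admin", "userid", "return", "redirect"}


class PageInspector(HTMLParser):
    """Collect hidden inputs, links and comments while parsing."""

    def __init__(self):
        super().__init__()
        self.hidden = []    # (name, value) of every <input type=hidden>
        self.links = []     # href targets
        self.comments = []  # HTML comments often leak internal notes

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))
        elif tag == "a" and "href" in a:
            self.links.append(a["href"])

    def handle_comment(self, data):
        self.comments.append(data.strip())


def inspect(html):
    """Return the extracted items plus the hidden fields worth testing."""
    p = PageInspector()
    p.feed(html)
    emails = sorted(set(EMAIL_RE.findall(html)))
    flagged = [(n, v) for n, v in p.hidden if n.lower() in SENSITIVE_NAMES]
    return {"hidden": p.hidden, "flagged": flagged, "emails": emails,
            "links": p.links, "comments": p.comments}


if __name__ == "__main__":
    report = inspect(SAMPLE_HTML)
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Point it at every file the ripper saved (`for path in Path("site").rglob("*.htm*")`) and diff the flagged list against what the application actually validates server-side; a price or redirect target that the server accepts as submitted is the finding.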

  37. Mining Job Ads and Analyzing Financial Data • Job postings may contain technologies and infrastructure the organization uses • Postings on the organization’s website • CareerBuilder • Monster • Dice • The IT Job Board • Federal and state government agencies keep financial and business records for organizations in the United States • The SEC EDGAR database contains annual reports and corporate prospectuses that may list mergers (Source: sec.gov, google.com)

  38. Google Hacking • Father of Google Hacking = Johnny Long aka j0hnnyhax • Google Hacking Database • http://johnny.ihackstuff.com/ghdb/ • Books: • Google Hacking for Penetration Testers, Syngress Publishing, 2004. ISBN 1-931-83636-1 • Google Hacking for Penetration Testers, Volume 2, Syngress Publishing, 2007. ISBN 978-1597491761

  39. Using Google to Mine Sensitive Information Google Hacking uses Google’s search engine and certain operators to make searches more efficient and to find security flaws in websites

  40. Google Hacking Example - filetype (screenshot: google.com)

  41. Google Hacking Example - inurl (screenshot: google.com)

  42. Remote access connection with default HTML page

  43. Pages containing results from a vulnerability scan

  44. Exploring Domain Ownership • Who owns a specific domain? • The Internet Assigned Numbers Authority (IANA) coordinates the DNS root zone, the allocation of global IP address space to the regional registries, and protocol number assignments • It is one place that can serve as a good starting point to find out more information about domain ownership: its WHOIS server refers you to the registry responsible for each top-level domain • Regional Internet Registries (RIRs) distribute IP addresses to individual organizations within a geographical region, and their WHOIS databases map an IP block back to the organization it was assigned to • American Registry for Internet Numbers (ARIN) • RIPE Network Coordination Centre (RIPE NCC) • Asia-Pacific Network Information Centre (APNIC) • Latin American and Caribbean Internet Address Registry (LACNIC) • African Network Information Centre (AfriNIC)

  45. Exploring Domain Ownership: BAD Versus Good • WHOIS • A protocol and tool for querying the databases that hold registered users or assignees of an Internet resource, such as a domain name or an IP address block • Gives information about administrative and technical contacts, registrar, name servers, registration dates, and physical address • The queries go to the registry or registrar, not to the target, so they are passive from the target's point of view • Many web-based tools can query domain information: • Sam Spade — www.samspade.org • Geektools — www.geektools.com • Better-Whois — www.betterwhois.com • DSHIELD — www.dshield.org • Iptools – www.iptools.com (Source: geektools.com)
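The web tools above wrap the same WHOIS protocol you can speak yourself. The block below is an added example, not from the slides: a standard-library WHOIS client that first asks whois.iana.org which registry is authoritative for the target's top-level domain (IANA answers with a `refer:` line) and then repeats the query there, which is the IANA-to-registry hierarchy the previous slide describes. `whois_lookup()` needs network access; `parse_whois()` is exercised offline on a constructed registry-style response, whose registrar and name server values are made up for the example.

```python
"""Minimal WHOIS client following the IANA referral (added example)."""
import socket

IANA_WHOIS = "whois.iana.org"


def whois_query(server, query, port=43, timeout=10):
    """Send one WHOIS query (RFC 3912: query + CRLF, read until close)."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Collect 'key: value' lines; repeated keys (name servers) become lists.

    Lines beginning with '%', '#' or '>>>' are registry comments and are
    skipped; keys are lower-cased so callers need not guess capitalisation.
    """
    fields = {}
    for line in text.splitlines():
        stripped = line.lstrip()
        if ":" not in stripped or stripped.startswith(("%", "#", ">>>")):
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def whois_lookup(domain):
    """Ask IANA for the TLD's registry, then query that registry for the domain."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1]
    iana = parse_whois(whois_query(IANA_WHOIS, tld))
    registry = iana.get("refer", [None])[0]
    if not registry:
        raise RuntimeError(f"IANA gave no WHOIS referral for .{tld}")
    return parse_whois(whois_query(registry, domain))


# Constructed sample in the shape of a .com registry answer (values invented).
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Registrar Abuse Contact Email: abuse@registrar.example
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   Creation Date: 1995-08-14T04:00:00Z
   Registrar Registration Expiration Date: 2030-08-13T04:00:00Z
>>> Last update of whois database: 2010-01-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fields = whois_lookup(target) if target else parse_whois(SAMPLE_WHOIS)
    for key in ("domain name", "registrar", "name server", "creation date"):
        print(f"{key}: {fields.get(key)}")
```

Registrars for thick-registry TLDs often return only a summary and a second `Registrar WHOIS Server:` line; feed that server to `whois_query()` in the same way to get the contact records. Registries rate-limit repeated queries from one address, so cache results rather than re-querying in a loop.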

  46. Exploring Domain Ownership • Domain Name System (DNS) • Resolves domain names to IP addresses (and, via reverse lookups, IP addresses back to names); each zone's records are held on authoritative name servers • Structured as a hierarchy of domain servers, from the root through the top-level domain to the organization's own name servers: (Source: Build Your Own Security Lab)

  47. Exploring Domain Ownership • Gather information from DNS with the dig and nslookup tools • nslookup - provides server name and address information • Access nslookup from the command line of a Linux or Windows computer by typing nslookup and an IP address or domain name • dig – newer, more flexible query tool; it can request any record type and, with AXFR, a full zone transfer from a name server that is misconfigured to allow it • Note: lookups through your own resolver are low-profile, but a zone transfer request goes straight to the target's authoritative server and is logged there, so it is active, not passive • DNS record names and types: (Source: Build Your Own Security Lab)
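An added example, not from the slides: a small wrapper that runs the dig queries a recon checklist asks for and turns `dig +noall +answer` output into a record table, so the mail servers and name servers can be picked out programmatically. `parse_dig()` and `mail_servers()` work offline on the constructed dig output below; `run_dig()` and `zone_transfer_allowed()` shell out to a real `dig` binary, which is assumed to be installed.

```python
"""Collect and parse dig output for a target domain (added example)."""
import subprocess
from collections import defaultdict

# Record types worth pulling first; NS and MX name the hosts to look at next.
RECORD_TYPES = ["NS", "MX", "A", "AAAA", "TXT", "SOA"]

# Constructed sample: the shape of `dig +noall +answer example.com NS MX TXT`.
SAMPLE_DIG = """\
; <<>> DiG 9.x <<>> example.com
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tNS\tns2.example.com.
example.com.\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t3600\tIN\tMX\t20 mail2.example.com.
example.com.\t300\tIN\tTXT\t"v=spf1 include:_spf.example.net -all"
"""


def parse_dig(output):
    """Return {rtype: [rdata, ...]} from `dig +noall +answer` output.

    Answer lines are 'name ttl class type rdata'; rdata may itself contain
    spaces (MX preference + host, quoted TXT), so split at most four times.
    """
    records = defaultdict(list)
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig comments and blank lines
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records[parts[3]].append(parts[4])
    return dict(records)


def mail_servers(records):
    """MX rdata is '<preference> <host>.'; return hosts lowest preference first."""
    mx = []
    for rdata in records.get("MX", []):
        pref, host = rdata.split(None, 1)
        mx.append((int(pref), host.rstrip(".")))
    return [host for _, host in sorted(mx)]


def run_dig(domain, rtype, server=None):
    """Query with the real dig binary (assumption: dig/bind-utils installed)."""
    cmd = ["dig", "+noall", "+answer", domain, rtype]
    if server:
        cmd.append("@" + server)
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def zone_transfer_allowed(domain, nameserver):
    """Active check: ask the authoritative server for AXFR.

    A server that refuses prints a '; Transfer failed.' comment and no
    records, so an empty parse means the transfer was denied.
    """
    return bool(parse_dig(run_dig(domain, "AXFR", nameserver)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        domain = sys.argv[1]
        records = {}
        for rtype in RECORD_TYPES:
            records.update(parse_dig(run_dig(domain, rtype)))
    else:
        records = parse_dig(SAMPLE_DIG)
    for rtype, rdata in records.items():
        print(rtype, rdata)
    print("mail servers:", mail_servers(records))
```

Only call `zone_transfer_allowed()` against a domain you are authorized to test; unlike the other queries, it reaches the target's own name server.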

  48. Dig and nslookup (screenshots: dig, nslookup)

  49. Dig (screenshots: mail server query, name server query)

  50. Exploring Domain Ownership • Identifying Web Server Software • Common web server software: • Apache Web Server • Microsoft IIS Server • Sun One Web Server • Netcraft runs a service called “What's That Site Running?” that reports the web server software, operating system, and hosting history for a site from its own crawls, so you learn this without sending a request to the target (www.netcraft.com)
