finding information

Post on 14-Jan-2016


Finding Information

But first some humor

• BLAMESTORMING: Sitting around in a group, discussing why a server went down, and who was responsible.
• SEAGULL MANAGER: A manager who flies in, makes a lot of noise, craps on everything, and then leaves.
• CUBE FARM: An office filled with cubicles.
• MOUSE POTATO: The on-line, wired generation's answer to the couch potato.
• STRESS PUPPY: An admin who seems to thrive on being stressed out, whiney, and complains about stupid users all day.
• SWIPEOUT: An access card that has been rendered useless because the magnetic strip is worn away from extensive use.
• PERCUSSIVE MAINTENANCE: The fine art of whacking the crap out of an electronic device to get it to work again.
• 404: A completely clueless end-user.
• OHNOSECOND: That fraction of time after hitting Enter, in which you realize that you've just permanently erased a big database.
• INOCULATTE: Taking coffee intravenously when you are pulling an all-nighter getting that database online from the backup tapes.

Go from

• We are going to go from a URL
– www.juniata.edu

• To knowing available ports, addresses, and Operating system

Basic information

• For www.juniata.edu find the following
– TCP/IP address
– OS

• Not fair to:
– call Joel
– ask Matt or Ned
– rely on what you already know

• Who did it and how?

My machine

• Starting nmap V. 3.00 ( www.insecure.org/nmap )
• Interesting ports on THOMAS-LAP.juniata.edu (172.16.27.133):
• (The 1597 ports scanned but not shown below are in state: closed)
• Port State Service
• 25/tcp open smtp
• 135/tcp open loc-srv
• 139/tcp open netbios-ssn
• 445/tcp open microsoft-ds
• Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
• Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds

Step one

• Basic information about www.juniata.edu
– ping
– whois
– nslookup

Ping (locally)

Whois

Registrant:
NASCAR, Inc. (NASCAR4-DOM)
1801 W. Int'l Speedway Blvd
Daytona Beach, FL 32114
US

Domain Name: NASCAR.COM

Administrative Contact:
Hills, Antony (AHB122) jcantrell@NASCAR.COM
NASCAR, Inc.
1801 West International Speedway Blvd.
Daytona Beach, Fl 32120
US
904-253-0611 904-947-6558

Technical Contact:
TBS Server Operations (TS309-ORG) hostmaster@TBSNAMES.TURNER.COM
Turner Broadcasting System, Inc.
One CNN Center
Atlanta, GA 30348
US
404-827-5000 Fax- 404-827-1593

Record expires on 29-Dec-2006.
Record created on 28-Dec-1995.
Database last updated on 6-Feb-2003 15:32:40 EST.

Domain servers in listed order:

TWDNS-01.NS.AOL.COM 149.174.213.151
TWDNS-02.NS.AOL.COM 152.163.239.216
TWDNS-03.NS.AOL.COM 205.188.146.88
TWDNS-04.NS.AOL.COM 64.12.147.120

Us

Domain Name: JUNIATA.EDU

Registrant:
Juniata College
1700 Moore Street
Huntingdon, PA 16652
UNITED STATES

Contacts:

Administrative Contact:
Anne Wood
Juniata College
BSC
Huntingdon, PA 16652
UNITED STATES
(814) 641-5310
wood@juniata.edu

Technical Contact:
Anne Wood
Juniata College
BSC
Huntingdon, PA 16652
UNITED STATES
(814) 641-5310
wood@juniata.edu

Name Servers:
NS1.JUNIATA.EDU 192.112.102.3
NS2.JUNIATA.EDU 192.112.102.4

Nslookup (inside)

• Can ask for all records in name server:

ARIN search

OrgName: Juniata College
OrgID: JUNIAT
Address: 1700 Moore Street
City: Huntingdon
StateProv: PA
PostalCode: 16652
Country: US

NetRange: 192.112.102.0 - 192.112.102.255
CIDR: 192.112.102.0/24
NetName: JC
NetHandle: NET-192-112-102-0-1
Parent: NET-192-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.JUNIATA.EDU
NameServer: NS2.JUNIATA.EDU
Comment:
RegDate: 1991-08-07
Updated: 2002-03-05

TechHandle: AM202-ARIN
TechName: Wood, Anne
TechPhone: +1-814-641-5310
TechEmail: sysadmin@juniata.edu

OrgTechHandle: AM202-ARIN
OrgTechName: Wood, Anne
OrgTechPhone: +1-814-641-5310
OrgTechEmail: sysadmin@juniata.edu

# ARIN WHOIS database, last updated 2003-02-05 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.

Ping sweep find active addresses

How about Mars?

Nmap of Mars

• Starting nmap V. 3.00 ( www.insecure.org/nmap )
• Interesting ports on mars.juniata.edu (172.16.17.214):
• (The 1585 ports scanned but not shown below are in state: closed)
• Port State Service
• 21/tcp open ftp
• 22/tcp open ssh
• 23/tcp open telnet
• 25/tcp open smtp
• 111/tcp open sunrpc
• 515/tcp open printer
• 2049/tcp open nfs
• 4045/tcp open lockd
• 6000/tcp open X11
• 6112/tcp open dtspc
• 7100/tcp open font-service
• 12345/tcp open NetBus
• 32771/tcp open sometimes-rpc5
• 32776/tcp open sometimes-rpc15
• 32777/tcp open sometimes-rpc17
• 32778/tcp open sometimes-rpc19
• Remote operating system guess: Solaris 8 early access beta through actual release
• Uptime 37.983 days (since Mon Dec 30 14:26:29 2002)
• Nmap run completed -- 1 IP address (1 host up) scanned in 58 seconds

www.juniata.edu

• Is this right?
– TCP/IP address 172.16.17.209
– Outside 192.112.102.5
– OS
• Linux Kernel 2.4.0 - 2.5.20
• Linux 2.4.19-pre4 on Alpha
– www.netcraft.com
– Nmap

Output for www.juniata.edu

• Starting nmap V. 3.00 ( www.insecure.org/nmap )
• Interesting ports on www.juniata.edu (172.16.17.209):
• (The 1594 ports scanned but not shown below are in state: closed)
• Port State Service
• 21/tcp open ftp
• 22/tcp open ssh
• 80/tcp open http
• 111/tcp open sunrpc
• 139/tcp open netbios-ssn
• 873/tcp open rsync
• 12345/tcp open NetBus
• Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha
• Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

What else

• Ping sweep looking for other active machines

• Do tracert to understand the network
– from outside in, typically there is a router, then a firewall just before the destination.
– Nmap the router and firewall to get their OS

• War dialing for open modems

tracert

tracert from outside to .5

tracert from outside to .3

From outside to .4

From outside to .22

From outside to .9

Vulnerability scanners

Red teaming page 90

• Whois page 91
– Protection page 92
– Name risk for social engineering

• Can use a special name that appears only in the record, so its use reveals the source, or just initials such as A. Wood
• Although this info can be found other ways, remember the easiest way is what most people use

– Split DNS servers: one for external use, carrying the minimum required information for the outside world
– Inside DNS with the other name resolution not required by the outside world.

Nslookup

• Used to get IP addresses of servers

• Get range of IPs to explore address spaces

• Protection
– Must provide DNS data to be “seen”
– The least you provide the better.
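The split-DNS and least-information protections above, as an added example that is not part of the deck: a Python filter that derives the external view from a full internal zone, keeping only names the outside world needs and dropping every record that points at a private address. The zone text, the allowlist of public names and the mail record are constructed assumptions, modelled on the hosts the deck shows.

```python
import ipaddress

# Constructed sample: an internal-view zone for juniata.edu modelled on the
# hosts the deck shows (www inside/outside, mars, ns1/ns2). Not a real zone.
INTERNAL_ZONE = """\
$ORIGIN juniata.edu.
@          IN  NS  ns1.juniata.edu.
@          IN  NS  ns2.juniata.edu.
@          IN  MX  10 mail.juniata.edu.
ns1        IN  A   192.112.102.3
ns2        IN  A   192.112.102.4
www        IN  A   192.112.102.5
www        IN  A   172.16.17.209
mars       IN  A   172.16.17.214
mail       IN  A   192.112.102.9
thomas-lap IN  A   172.16.27.133
"""

# Assumed allowlist: the only names the outside world needs to resolve.
EXTERNAL_NAMES = {"@", "ns1", "ns2", "www", "mail"}

def is_private_address(rdata):
    """True for RFC 1918 / loopback / link-local addresses; never publish these."""
    try:
        return ipaddress.ip_address(rdata).is_private
    except ValueError:        # not an address at all (e.g. MX or NS rdata)
        return False

def external_view(zone_text, allowed_names=EXTERNAL_NAMES):
    """Split the internal zone into (kept, dropped) lines for the external view.

    Keeps $ directives and records for allowed names, drops any record for an
    internal-only name and any A record pointing at a private address, so a
    public nslookup of the external server returns only the minimum required.
    """
    kept, dropped = [], []
    for line in zone_text.splitlines():
        if not line.strip() or line.startswith("$"):
            kept.append(line)
            continue
        name, _cls, rtype, rdata = line.split(None, 3)
        if name not in allowed_names or (rtype == "A" and is_private_address(rdata)):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped
```

With the sample zone the external view keeps the apex NS/MX records and the public addresses of ns1, ns2, www and mail; the inside address of www, mars and the laptop are dropped.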

ARIN

• Gets address range and subnet

• Protection
– NAT with private addresses behind the firewall, except for external resources, helps minimize damage

Tracert

• Used to explore and “map” the system

• Routes in (necessary to know for Denial of Service)

• Protection
– only way to stop it is to disable ICMP traffic (which tracert uses)
– that disables a lot of “features/functionality”
– again security versus features/functionality

ping

• Used to find active addresses

• Run at different times of day
– used to tell “servers” from “workstations”
– only works if users turn off workstations

• Protection
– again NAT: can’t “see” internal addresses
– ICMP is again used for ping

port scan and fingerprinting

• Open ports and operating systems

• Used to find vulnerabilities

• Protection
– firewall only allows traffic on specific ports to specific machines
– the less info the better: gives only a limited view
– IDS
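An added example, not code from the deck, of what a defender does with scan output like the www.juniata.edu listing shown earlier: parse nmap's normal output and compare each host's open ports with the exposure the firewall policy is supposed to allow. The retyped sample and the policy table are assumptions.

```python
import re

# Constructed from the deck: the nmap 3.00 output shown for www.juniata.edu,
# retyped with one output line per line.
NMAP_WWW = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on www.juniata.edu (172.16.17.209):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
873/tcp    open        rsync
12345/tcp  open        NetBus
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\d+\.\d+\.\d+\.\d+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
OS_RE = re.compile(r"^Remote (?:OS guess(?:es)?|operating system guess): (.+)$")

def parse_nmap(text):
    """Pull host, address, open ports and the OS guess out of nmap 'normal'
    output in the format the deck quotes (both OS-guess spellings handled)."""
    scan = {"host": None, "ip": None, "ports": {}, "os": None}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            scan["host"], scan["ip"] = m.group(1), m.group(2)
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            if state == "open":
                scan["ports"][f"{port}/{proto}"] = service
        elif m := OS_RE.match(line):
            scan["os"] = m.group(1)
    return scan

# Assumed firewall policy: what each public host is meant to expose. A web
# server has no reason to answer on ftp, sunrpc, netbios, rsync or the NetBus
# port, so those are the rules (or host fixes) the scan says are missing.
EXPECTED_EXPOSURE = {"www.juniata.edu": {"22/tcp", "80/tcp"}}

def unexpected_ports(scan, policy=EXPECTED_EXPOSURE):
    """Open ports the policy does not allow: exposure a firewall rule
    (specific ports to specific machines) or host hardening should remove."""
    allowed = policy.get(scan["host"], set())
    return {p: s for p, s in scan["ports"].items() if p not in allowed}
```

Hosts absent from the policy table get an empty allowlist, so every open port on an unknown host is reported.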

Information Gathered

• We now know
– valid IPs
– open ports
– Operating systems
– map of the network (IP of router, firewall)

• Time to discover vulnerabilities and exploit

• Use a tool, SAINT for example

• Explore and find vulnerabilities

Some other scans of home machines

• Starting nmap V. 3.00 ( www.insecure.org/nmap )
• Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
• Insufficient responses for TCP sequencing (0), OS detection may be less accurate
• Interesting ports on HOME1 (192.168.2.9):
• (The 1596 ports scanned but not shown below are in state: filtered)
• Port State Service
• 21/tcp open ftp
• 139/tcp open netbios-ssn
• 389/tcp open ldap
• 1002/tcp open unknown
• 1720/tcp open H.323/Q.931
• Remote OS guesses: AIX v4.2, Linux 1.3.20 (X86), Windows XP Professional RC1+ through final release, Cayman 2E <http://www.cayman.com/>
• Nmap run completed -- 1 IP address (1 host up) scanned in 413 seconds

More open ports

• Starting nmap V. 3.00 ( www.insecure.org/nmap )
• Insufficient responses for TCP sequencing (0), OS detection may be less accurate
• Insufficient responses for TCP sequencing (2), OS detection may be less accurate
• Interesting ports on thomas-tablet.juniata.edu (192.168.2.52):
• (The 1590 ports scanned but not shown below are in state: closed)
• Port State Service
• 80/tcp open http
• 135/tcp open loc-srv
• 139/tcp open netbios-ssn
• 443/tcp open https
• 445/tcp open microsoft-ds
• 1002/tcp open unknown
• 1025/tcp open NFS-or-IIS
• 1026/tcp open LSA-or-nterm
• 1027/tcp open IIS
• 1720/tcp open H.323/Q.931
• 5000/tcp open UPnP

Of course today's footprinting must include wireless

• http://www.wellenreiter.net/index.html

Wellenreiter is more passive than NetStumbler

NetStumbler

Want to boost your Antenna?

• http://mali.geekcorps.org/article.php3?id_article=39

• Look at HomeToJc in netstumbler

Fport
