Finding Information

Upload: amina

Post on 14-Jan-2016



TRANSCRIPT

Page 1: Finding Information

Finding Information

Page 2: Finding Information

But first some humor

• BLAMESTORMING: Sitting around in a group, discussing why a server went down, and who was responsible.
• SEAGULL MANAGER: A manager who flies in, makes a lot of noise, craps on everything, and then leaves.
• CUBE FARM: An office filled with cubicles.
• MOUSE POTATO: The on-line, wired generation's answer to the couch potato.
• STRESS PUPPY: An admin who seems to thrive on being stressed out, whiney, and complains about stupid users all day.
• SWIPEOUT: An access card that has been rendered useless because the magnetic strip is worn away from extensive use.
• PERCUSSIVE MAINTENANCE: The fine art of whacking the crap out of an electronic device to get it to work again.
• 404: A completely clueless end-user.
• OHNOSECOND: That fraction of time after hitting Enter, in which you realize that you've just permanently erased a big database.
• INOCULATTE: Taking coffee intravenously when you are pulling an all-nighter getting that database online from the backup tapes.

Page 3: Finding Information

Go from

• We are going to go from a URL
  – www.juniata.edu
• To knowing available ports, addresses, and operating system

Page 4: Finding Information

Basic information

• For www.juniata.edu find the following
  – TCP/IP address
  – OS
• Not fair to:
  – call Joel
  – ask Matt or Ned
  – rely on what you already know
• Who did it and how?

Page 5: Finding Information

My machine

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on THOMAS-LAP.juniata.edu (172.16.27.133):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State   Service
25/tcp     open    smtp
135/tcp    open    loc-srv
139/tcp    open    netbios-ssn
445/tcp    open    microsoft-ds
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds

Page 6: Finding Information

Step one

• Basic information about www.juniata.edu
  – ping
  – whois
  – nslookup

Page 7: Finding Information

Ping (locally)

Page 8: Finding Information

Whois

Registrant:
  NASCAR, Inc. (NASCAR4-DOM)
  1801 W. Int'l Speedway Blvd
  Daytona Beach, FL 32114
  US

Domain Name: NASCAR.COM

Administrative Contact:
  Hills, Antony (AHB122) [email protected]
  NASCAR, Inc.
  1801 West International Speedway Blvd.
  Daytona Beach, Fl 32120
  US
  904-253-0611 904-947-6558
Technical Contact:
  TBS Server Operations (TS309-ORG) [email protected]
  Turner Broadcasting System, Inc.
  One CNN Center
  Atlanta, GA 30348
  US
  404-827-5000 Fax- 404-827-1593

Record expires on 29-Dec-2006.
Record created on 28-Dec-1995.
Database last updated on 6-Feb-2003 15:32:40 EST.

Domain servers in listed order:

TWDNS-01.NS.AOL.COM 149.174.213.151
TWDNS-02.NS.AOL.COM 152.163.239.216
TWDNS-03.NS.AOL.COM 205.188.146.88
TWDNS-04.NS.AOL.COM 64.12.147.120

Page 9: Finding Information

Us

Domain Name: JUNIATA.EDU
Registrant:
  Juniata College
  1700 Moore Street
  Huntingdon, PA 16652
  UNITED STATES
Contacts:
  Administrative Contact:
    Anne Wood
    Juniata College
    BSC
    Huntingdon, PA 16652
    UNITED STATES
    (814) 641-5310
    [email protected]
  Technical Contact:
    Anne Wood
    Juniata College
    BSC
    Huntingdon, PA 16652
    UNITED STATES
    (814) 641-5310
    [email protected]
Name Servers:
  NS1.JUNIATA.EDU 192.112.102.3
  NS2.JUNIATA.EDU 192.112.102.4

Page 10: Finding Information

Nslookup (inside)

• Can ask for all records in name server:

Page 11: Finding Information

ARIN search

OrgName:    Juniata College
OrgID:      JUNIAT
Address:    1700 Moore Street
City:       Huntingdon
StateProv:  PA
PostalCode: 16652
Country:    US

NetRange:   192.112.102.0 - 192.112.102.255
CIDR:       192.112.102.0/24
NetName:    JC
NetHandle:  NET-192-112-102-0-1
Parent:     NET-192-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.JUNIATA.EDU
NameServer: NS2.JUNIATA.EDU
Comment:
RegDate:    1991-08-07
Updated:    2002-03-05

TechHandle: AM202-ARIN
TechName:   Wood, Anne
TechPhone:  +1-814-641-5310
TechEmail:  [email protected]

OrgTechHandle: AM202-ARIN
OrgTechName:   Wood, Anne
OrgTechPhone:  +1-814-641-5310
OrgTechEmail:  [email protected]

# ARIN WHOIS database, last updated 2003-02-05 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.

Page 12: Finding Information

Ping sweep: find active addresses

Page 13: Finding Information

How about Mars?

Page 14: Finding Information

Nmap of Mars

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on mars.juniata.edu (172.16.17.214):
(The 1585 ports scanned but not shown below are in state: closed)
Port       State   Service
21/tcp     open    ftp
22/tcp     open    ssh
23/tcp     open    telnet
25/tcp     open    smtp
111/tcp    open    sunrpc
515/tcp    open    printer
2049/tcp   open    nfs
4045/tcp   open    lockd
6000/tcp   open    X11
6112/tcp   open    dtspc
7100/tcp   open    font-service
12345/tcp  open    NetBus
32771/tcp  open    sometimes-rpc5
32776/tcp  open    sometimes-rpc15
32777/tcp  open    sometimes-rpc17
32778/tcp  open    sometimes-rpc19
Remote operating system guess: Solaris 8 early access beta through actual release
Uptime 37.983 days (since Mon Dec 30 14:26:29 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 58 seconds

Page 15: Finding Information

www.juniata.edu

• Is this right?
  – TCP/IP address 172.16.17.209
  – Outside 192.112.102.5
  – OS
    • Linux Kernel 2.4.0 - 2.5.20
    • Linux 2.4.19-pre4 on Alpha
  – www.netcraft.com
  – Nmap

Page 16: Finding Information

Output for www.juniata.edu

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on www.juniata.edu (172.16.17.209):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State   Service
21/tcp     open    ftp
22/tcp     open    ssh
80/tcp     open    http
111/tcp    open    sunrpc
139/tcp    open    netbios-ssn
873/tcp    open    rsync
12345/tcp  open    NetBus
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

Page 17: Finding Information

What else

• Ping sweep looking for other active machines
• Do tracert to understand the network
  – from outside in, typically have router then firewall just before destination.
  – Nmap router and firewall to get OS
• War dialing for open modems

Page 18: Finding Information

tracert

Page 19: Finding Information

tracert from outside to .5

Page 20: Finding Information

tracert from outside to .3

Page 21: Finding Information

From outside to .4

Page 22: Finding Information

From outside to .22

Page 23: Finding Information

From outside to .9

Page 24: Finding Information

Vulnerability scanners

Page 25: Finding Information

Red teaming (page 90)

• Whois (page 91)
  – Protection (page 92)
  – Name risk for social engineering
    • Can use a special name to catch them, or just initials (A. Wood)
    • Although this info can be found other ways, remember the easiest is what most people use
  – Split DNS servers: one for external, with the minimum required information for the outside world
  – Inside DNS with other name resolution not required by the outside world.

Page 26: Finding Information

Nslookup

• Used to get IP address of servers
• Get range of IPs to explore address spaces
• Protection
  – Must provide DNS data to be “seen”
  – The less you provide, the better.

Page 27: Finding Information

ARIN

• Gets address range and subnet
• Protection
  – NAT with private addresses behind the firewall, except for external resources, helps minimize damage

Page 28: Finding Information

Tracert

• Used to explore and “map” the system
• routes in (necessary to know for Denial of Service)
• Protection
  – only way to stop it is to disable ICMP traffic (which tracert uses)
  – disables a lot of “features/functionality”
  – again security versus features/functionality

Page 29: Finding Information

ping

• Used to find active addresses
• Run at different times of day
  – used to tell “servers” from “workstations”
  – only works if users turn off workstations
• Protection
  – again NAT: can’t “see” internal addresses
  – ICMP again: used for ping

Page 30: Finding Information

port scan and fingerprinting

• Open ports and operating systems
• Used to find vulnerabilities
• Protection
  – firewall only allows traffic on specific ports to specific machines
  – less info the better; gives limited view
  – IDS
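An added example (not from the slides) that ties the nmap output shown on the "Nmap of Mars" slide to the protection above, "firewall only allows traffic on specific ports to specific machines": it parses nmap's normal output into an exposure inventory and reports open ports outside a per-host allowlist. The sample output is re-typed and abridged from the slide; the allowlist POLICY is a constructed assumption.

```python
import re

# Constructed sample, abridged from the "Nmap of Mars" slide's nmap 3.00 output.
SAMPLE = """Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on mars.juniata.edu (172.16.17.214):
(The 1585 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
111/tcp    open        sunrpc
2049/tcp   open        nfs
12345/tcp  open        NetBus
Remote operating system guess: Solaris 8 early access beta through actual release
Nmap run completed -- 1 IP address (1 host up) scanned in 58 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
OS_RE = re.compile(r"^Remote (?:operating system guess|OS guesses): (.+)$")

def parse_nmap(text):
    """Pull host, IP, open ports and the OS guess out of nmap's normal output."""
    scan = {"host": None, "ip": None, "ports": {}, "os": None}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            scan["host"], scan["ip"] = m.group(1), m.group(2)
        elif m := PORT_RE.match(line):
            if m.group(3) == "open":  # ignore filtered/closed entries
                scan["ports"][(int(m.group(1)), m.group(2))] = m.group(4)
        elif m := OS_RE.match(line):
            scan["os"] = m.group(1)
    return scan

def policy_violations(scan, allowed):
    """Open ports the firewall policy does not permit for this host's IP."""
    permitted = allowed.get(scan["ip"], set())
    return sorted((port, svc) for (port, _proto), svc in scan["ports"].items()
                  if port not in permitted)

# Constructed assumption: the only services the firewall should pass to mars.
POLICY = {"172.16.17.214": {22, 25}}

if __name__ == "__main__":
    scan = parse_nmap(SAMPLE)
    print(f"{scan['host']} ({scan['ip']}), OS guess: {scan['os']}")
    for port, svc in policy_violations(scan, POLICY):
        print(f"unexpected open port {port}/tcp ({svc})")
```

Feeding it the real scan output for each host gives the defender the same inventory the scanner gave the red team, which is what the firewall rules and IDS signatures should be checked against.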

Page 31: Finding Information

Information Gathered

• We now know valid IPs
  – open ports
  – Operating systems
  – map of network (IP of router, firewall)
• Time to discover vulnerabilities and exploit
• Use a tool, SAINT for example
• Explore and find vulnerabilities

Page 32: Finding Information

Some other scans of home machines

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on HOME1 (192.168.2.9):
(The 1596 ports scanned but not shown below are in state: filtered)
Port       State   Service
21/tcp     open    ftp
139/tcp    open    netbios-ssn
389/tcp    open    ldap
1002/tcp   open    unknown
1720/tcp   open    H.323/Q.931
Remote OS guesses: AIX v4.2, Linux 1.3.20 (X86), Windows XP Professional RC1+ through final release, Cayman 2E <http://www.cayman.com/>
Nmap run completed -- 1 IP address (1 host up) scanned in 413 seconds

Page 33: Finding Information

More open ports

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Interesting ports on thomas-tablet.juniata.edu (192.168.2.52):
(The 1590 ports scanned but not shown below are in state: closed)
Port       State   Service
80/tcp     open    http
135/tcp    open    loc-srv
139/tcp    open    netbios-ssn
443/tcp    open    https
445/tcp    open    microsoft-ds
1002/tcp   open    unknown
1025/tcp   open    NFS-or-IIS
1026/tcp   open    LSA-or-nterm
1027/tcp   open    IIS
1720/tcp   open    H.323/Q.931
5000/tcp   open    UPnP

Page 34: Finding Information

Of course today's footprinting must include wireless

• http://www.wellenreiter.net/index.html

Page 35: Finding Information

Wellenreiter is more passive than NetStumbler

Page 36: Finding Information

NetStumbler

Page 37: Finding Information

Want to boost your Antenna?

• http://mali.geekcorps.org/article.php3?id_article=39

• Look at HomeToJc in netstumbler

Page 38: Finding Information

Fport