Footprinting / Packet Sniffing

Post on 22-Dec-2015



TRANSCRIPT

  • Slide 1
  • Slide 2
  • Footprinting
    Definition: the gathering of information about a potential target system or network (often loosely called fingerprinting, though that term more precisely means identifying a specific OS or service version)
    Attacker's point of view:
      - Identify potential target systems
      - Identify which types of attacks may be useful on the target systems
    Defender's point of view:
      - Know the available tools
      - May be able to tell if a system is being footprinted, and so be more prepared for a possible attack
      - Vulnerability analysis: know what information you're giving away and what weaknesses you have
  • Slide 3
  • Information to Gather
    System (local or remote):
      - IP address, name and domain
      - Operating system: type (Windows, Linux, Solaris) and version (98/NT/2000/2003/XP; Red Hat, Fedora, SuSE, Ubuntu)
      - Usernames
      - File structure
      - Open ports (what services/programs are running on the system)
      - Physical proximity/location
  • Slide 4
  • Information to Gather (2)
    Networks / enterprises:
      - System information for all hosts
      - Network topology: gateways, firewalls, overall topology
      - Network traffic information
      - Specialized servers: web, database, FTP, email, etc.
  • Slide 5
  • Defender Perspective
    - Identify the information you're giving away
    - Identify weaknesses in systems/network
    - Know when systems/network are being probed
    - Identify the source of a probe
    - Develop awareness of the threat
    - Construct an audit trail of activity
  • Slide 6
  • Tools - Linux (use man for help)
    Linux tools are lower-level utilities.
    Local system: hostname, ifconfig, who, last
    Remote systems: ping; traceroute (tracert is the Windows equivalent); finger (also local system); nslookup, dig; whois; arp, netstat (also local system)
    Other tools: lsof
  • Slide 7
  • Tools - Linux (2)
    Other utilities: ethereal/wireshark (packet sniffing), nmap (port scanning) - more later
  • Slide 8
  • Tools - Windows
    Sam Spade (collection of tools): whois, ping, IPBlock, dig, traceroute, finger, browse web, and parse email headers
    ethereal (packet sniffer)
    Command-line tools: ipconfig and many others
  • Slide 9
  • hostname
    Determine the name of the current system
    Usage: hostname
    E.g.:
      hostname
      localhost.localdomain    // default
      hostname
      clics.cs.uwec.edu
  • Slide 10
  • ifconfig
    Configure a network interface; run without arguments it reports the current IP (and MAC) addresses of the host system
    Usage: ifconfig
    E.g.: ifconfig    // command alone: display status
      eth0  Link encap:Ethernet  HWaddr 00:0C:29:CD:F6:D3
            inet addr:192.168.172.128 ...
      lo    Link encap:Local Loopback
            inet addr:127.0.0.1 ...
    Note: current Linux distributions often no longer ship ifconfig; ip addr shows the same information.
  • Slide 11
  • who
    Basic tool to show the users logged in to the current system
    Useful for identifying unusual activity (e.g. activity by newly created accounts or by normally inactive accounts)
    Usage: who
    E.g.: who
      root   tty1   Jan 9 12:46
      paul   tty2   Jan 9 12:52
  • Slide 12
  • last
    Show the last N logins on the system (read from the wtmp log)
    Default: everything since the wtmp file was last cycled
    -N: last N lines
    Useful for identifying unusual activity in the recent past
    Usage: last [-N]
    E.g.: last -3
      wagnerpj pts/1  137.28.253.254    Sat Feb 5 15:40   still logged in
      flinstf  pts/0  137.28.191.74     Sat Feb 5 15:38   still logged in
      rubbleb  pts/0  c48.193.173.92.e  Sat Feb 5 14:38 - 15:25  (00:46)
    Note: the host column is truncated to 16 characters (c48.193.173.92.e above); use last -a (host shown in the last column, untruncated) or last -i (numeric IP) to see the real source.
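To turn the `last` output above into an actual check for unusual activity, here is an added Python example (not part of the slides): it parses `last` output and flags remote sessions that did not come from the networks you expect. The sample text reuses the slide's three lines plus two constructed ones, and treating 137.28.0.0/16 as the only "expected" network is an assumption made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the column layout `last` prints. The first three lines
# are the slide's example; the last two are invented for this example
# (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_LAST = """\
wagnerpj pts/1        137.28.253.254   Sat Feb  5 15:40   still logged in
flinstf  pts/0        137.28.191.74    Sat Feb  5 15:38   still logged in
rubbleb  pts/0        c48.193.173.92.e Sat Feb  5 14:38 - 15:25  (00:46)
mallory  pts/2        203.0.113.7      Sat Feb  5 03:12 - 03:14  (00:02)
root     tty1                          Sat Feb  5 09:01 - 09:30  (00:29)

wtmp begins Tue Feb  1 00:00:01 2005
"""

# The host column is optional (empty for console logins), so the date is used
# as the anchor that separates it from the rest of the line.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<start>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d+ \d\d:\d\d)\s+(?P<rest>.*)$"
)
DURATION_RE = re.compile(r"\((?:\d+\+)?\d\d:\d\d\)")


@dataclass
class Session:
    user: str
    tty: str
    host: Optional[str]        # None for a local console login
    start: str
    still_logged_in: bool
    duration: Optional[str]    # e.g. "(00:46)"; None while still logged in


def parse_last(text: str) -> List[Session]:
    """Parse `last` output into Session records; the trailing 'wtmp begins'
    line and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("wtmp begins"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue   # reboot/shutdown pseudo-entries are not handled here
        rest = m.group("rest")
        dur = DURATION_RE.search(rest)
        sessions.append(Session(
            user=m.group("user"), tty=m.group("tty"), host=m.group("host"),
            start=m.group("start"),
            still_logged_in="still logged in" in rest,
            duration=dur.group(0) if dur else None,
        ))
    return sessions


def flag_unexpected(sessions: List[Session], allowed_nets: List[str]):
    """Return (user, host, reason) for remote sessions whose source is not in
    one of the expected networks. A host that is a name rather than an address
    is flagged as well: `last` truncates that column to 16 characters, so rerun
    with `last -a` (full host) or `last -i` (numeric IP) before deciding."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for s in sessions:
        if s.host is None:
            continue   # local console login, no remote source to check
        try:
            addr = ipaddress.ip_address(s.host)
        except ValueError:
            findings.append((s.user, s.host, "hostname, not an address (truncated?)"))
            continue
        if not any(addr in n for n in nets):
            findings.append((s.user, s.host, "outside expected networks"))
    return findings


if __name__ == "__main__":
    for finding in flag_unexpected(parse_last(SAMPLE_LAST), ["137.28.0.0/16"]):
        print(finding)
```

Run against the sample, the script reports rubbleb (source is a truncated hostname, so it cannot be verified) and mallory (source outside 137.28.0.0/16); the console login by root is not a remote session and is left alone.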
  • Slide 13
  • ping
    Potential uses:
      - Is the system online? (through the response)
      - Gather name information (through DNS: ping resolves the name and prints the address)
      - Estimate relative physical location, based on the RTT (round trip time) given in the summary statistics
      - Identify the operating system, based on the TTL (packet time to live) shown on each reply line. TTL = number of hops a packet is still allowed to travel; 64 is the Linux default, 128 the Windows default (but both can be changed!). Every router decrements it, so a reply showing ttl=54 most likely started at 64 and crossed 10 routers.
    Notes:
      - Uses ICMP echo request / echo reply packets
      - Often blocked on many hosts and firewalls, so no reply does not prove the host is down
    Usage: ping system
    E.g.: ping ftp.redhat.com
    E.g.: ping localhost
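The TTL reasoning above, worked through as an added Python example (not from the slides): given ping output, it infers the likely initial TTL and hop count and averages the RTTs. The ping output it parses is constructed in the Linux iputils format with made-up timings; the host, address and the table of default TTLs per OS family are assumptions for the example, and a changed default on the target will fool it, which is why the result is only a hint.

```python
import re
from statistics import mean

# Constructed output in the format of Linux iputils ping; the host, address
# and timings are made up for this example (203.0.113.0/24 is a documentation range).
SAMPLE_PING = """\
PING ftp.example.net (203.0.113.40) 56(84) bytes of data.
64 bytes from 203.0.113.40: icmp_seq=1 ttl=54 time=31.2 ms
64 bytes from 203.0.113.40: icmp_seq=2 ttl=54 time=30.8 ms
64 bytes from 203.0.113.40: icmp_seq=3 ttl=54 time=33.1 ms

--- ftp.example.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 30.800/31.700/33.100/1.010 ms
"""

REPLY_RE = re.compile(r"ttl=(\d+)\s+time=([\d.]+)\s*ms")

# Initial TTLs that common stacks use. The guess is "the smallest common
# default that is >= the observed TTL"; an admin can change the default, so
# treat the result as a hint to confirm with other evidence (banners, nmap).
INITIAL_TTLS = [
    (64, "Linux / Unix / macOS"),
    (128, "Windows"),
    (255, "Solaris / Cisco IOS / other"),
]


def parse_replies(text):
    """(ttl, rtt_ms) for every reply line in ping output."""
    return [(int(ttl), float(rtt)) for ttl, rtt in REPLY_RE.findall(text)]


def guess_initial_ttl(observed_ttl):
    """Return (initial_ttl, hops_crossed, os_family) for an observed reply TTL."""
    for initial, family in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, family
    raise ValueError("TTL is an 8-bit field; %d is impossible" % observed_ttl)


def summarize(text):
    """Combine the TTL-based OS hint with the RTT figures from one ping run."""
    replies = parse_replies(text)
    if not replies:
        return None   # no reply at all: ICMP may simply be filtered
    ttls = {t for t, _ in replies}
    initial, hops, family = guess_initial_ttl(replies[0][0])
    return {
        "observed_ttl": replies[0][0],
        "initial_ttl": initial,
        "hops": hops,
        "os_guess": family,
        "avg_rtt_ms": round(mean([r for _, r in replies]), 1),
        # Differing TTLs across replies mean the path changed or a load
        # balancer answered, which weakens the hop-count estimate.
        "ttl_consistent": len(ttls) == 1,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PING))
```

Cross-check the hop count against traceroute: if traceroute to the same host shows about 10 hops, the "started at 64" guess is consistent; if it shows 40, the target is more likely a Windows box 74 hops away only in theory, and in practice something has been tuned.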
  • Slide 14
  • traceroute
    Potential uses:
      - Determine the (approximate) physical location of a machine, from the names of the routers along the path
      - Gather network information (gateways, other internal systems)
      - Find the system that's dropping your packets - evidence of a firewall
    Notes:
      - Works by sending probes with increasing TTL and reading the ICMP "time exceeded" reply each router sends back
      - Can use UDP (Linux default), ICMP (Windows tracert default) or TCP probes
      - Results often limited by firewalls
      - Several GUI-based traceroute utilities are available
    Usage: traceroute system
    E.g.: traceroute cs.umn.edu
  • Slide 15
  • traceroute example
      [wagnerpj@data ~]$ traceroute cs.umn.edu
      traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
       1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
       2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
       3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
       4  * * *
      [wagnerpj@data ~]$
    Reading it: hops 1 and 2 are campus gateways (137.28.x.x), hop 3 is the regional network, and from hop 4 on nothing answers, so something at that point drops either the probes or the ICMP replies.
  • Slide 16
  • traceroute example - success
      H:\>tracert www.google.com
      Tracing route to www.google.akadns.net [64.233.167.99]
      over a maximum of 30 hops:
        1
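The two readings of traceroute output above (where the path enters the outside world, and where probes start being dropped), as an added Python example that is not part of the slides. It parses the slide's own traceroute output, with two extra "* * *" lines standing in for the hops that never answered, and it assumes 137.28.0.0/16 is the local campus network; both of those are choices made for the example.

```python
import ipaddress
import re

# The slide's traceroute output, used as the sample input; the two trailing
# "* * *" lines stand in for the remaining hops that never answered.
SAMPLE_TRACEROUTE = """\
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
 5  * * *
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
PROBE_RE = re.compile(r"(\S+) \(([\d.]+)\)((?:\s+[\d.]+ ms)+)")


def parse_traceroute(text):
    """Return (target_ip, hops); each hop is a dict with name, ip and the
    RTTs of the probes that were answered (empty list for '* * *')."""
    target, hops = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            target = h.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        p = PROBE_RE.search(m.group(2))
        hop = {"hop": int(m.group(1)), "name": None, "ip": None, "rtts": []}
        if p:
            hop.update(name=p.group(1), ip=p.group(2),
                       rtts=[float(x) for x in re.findall(r"([\d.]+) ms", p.group(3))])
        hops.append(hop)
    return target, hops


def reached_target(target, hops):
    return bool(hops) and hops[-1]["ip"] == target


def filter_boundary(hops):
    """Hop number from which every remaining hop is silent, with the hop before
    it still answering: the classic sign of a firewall or filter at that point.
    A lone silent hop followed by responders is just a router that does not
    send ICMP time-exceeded, so it is not reported."""
    for i, h in enumerate(hops):
        if not h["rtts"] and all(not later["rtts"] for later in hops[i:]):
            return h["hop"] if i > 0 else None
    return None


def classify_hops(hops, local_net):
    """Label each responding hop as an internal gateway (inside local_net)
    or an external router; these are the gateways the slide above talks about."""
    net = ipaddress.ip_network(local_net)
    labels = []
    for h in hops:
        if h["ip"] is None:
            labels.append((h["hop"], "no response"))
        elif ipaddress.ip_address(h["ip"]) in net:
            labels.append((h["hop"], "internal gateway %s" % h["ip"]))
        else:
            labels.append((h["hop"], "external %s (%s)" % (h["ip"], h["name"])))
    return labels


if __name__ == "__main__":
    target, hops = parse_traceroute(SAMPLE_TRACEROUTE)
    print("reached target:", reached_target(target, hops))
    print("probes dropped from hop:", filter_boundary(hops))
    for label in classify_hops(hops, "137.28.0.0/16"):
        print(label)
```

On the sample this reports that the target was not reached, that hops 1 and 2 are internal gateways, hop 3 is external, and that everything from hop 4 onward is silent, which is the point at which to suspect a firewall.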
  • Using ethereal
    Prompt>> ethereal &    (in Linux)
    Capture / Start / OK
    The capture window shows accumulated totals for the different types of packets
    Stop: the packets are now displayed
      - Top window: packet summary; can sort by column (source, destination and protocol are useful)
      - Middle window: packet breakdown; click the + icons for detail at each protocol layer
      - Bottom window: packet content
  • Slide 32
  • Ethereal capture analysis
    - Can save a session to a capture file
    - Can reopen the file later for further analysis (Open capture file)
    - Identify and follow the different TCP streams: select a TCP packet, then Tools / Follow TCP Stream
    - CLICScapture.cap has http, https, ftp and ssh traffic. Any interesting information out there? (http and ftp carry usernames, passwords and content in cleartext; for https and ssh only the handshake is readable, the rest is encrypted)
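What Follow TCP Stream does, and why the ftp traffic in a capture is "interesting", as an added Python example that is not from the slides and does not use the course's CLICScapture.cap: a minimal stdlib-only reader for the classic libpcap format that groups TCP segments into connections, reassembles each direction in sequence order (dropping a retransmission), and then pulls cleartext FTP USER/PASS lines out of the result. The capture is constructed in memory; the lab addresses come from the ifconfig slide, and the FTP server name, account and password are invented.

```python
import struct
from collections import defaultdict

ETH_IPV4, IP_TCP = 0x0800, 6


def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def build_frame(src, sport, dst, dport, seq, ack, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for a parser)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IP_TCP,
                     0, _ip(src), _ip(dst)) + tcp
    eth = b"\x00\x0c\x29\xcd\xf6\xd3" + b"\x00\x50\x56\xc0\x00\x08"
    return eth + struct.pack("!H", ETH_IPV4) + ip


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record
    header (ts_sec, ts_usec, incl_len, orig_len) in front of every frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1100000000 + i, 0, len(f), len(f)) + f
    return out


# Constructed capture: one cleartext FTP login plus one SSH banner. The hosts
# are the slide's 192.168.172.0/24 lab addresses; server name, user and
# password are invented.
C, S = "192.168.172.128", "192.168.172.1"
SAMPLE_PCAP = build_pcap([
    build_frame(S, 21, C, 40001, 1000, 5000, b"220 ftp.example.net FTP server ready\r\n"),
    build_frame(C, 40001, S, 21, 5000, 1038, b"USER alice\r\n"),
    build_frame(S, 21, C, 40001, 1038, 5012, b"331 Password required for alice\r\n"),
    build_frame(C, 40001, S, 21, 5012, 1071, b"PASS s3cret!\r\n"),
    build_frame(C, 40001, S, 21, 5012, 1071, b"PASS s3cret!\r\n"),   # retransmission
    build_frame(S, 21, C, 40001, 1071, 5026, b"230 User alice logged in\r\n"),
    build_frame(C, 40002, S, 22, 9000, 1, b"SSH-2.0-OpenSSH_3.9p1\r\n"),
])


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for each TCP segment in a
    classic (microsecond-magic) Ethernet pcap; other traffic is skipped."""
    magic = struct.unpack("<I", pcap[:4])[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"      # byte order of the writer
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IP_TCP:
            continue
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        yield (".".join(map(str, ip[12:16])), sport,
               ".".join(map(str, ip[16:20])), dport, seq, payload)


def follow_tcp_streams(segments):
    """Group segments by connection and rebuild each direction in sequence-
    number order, dropping retransmissions: what Follow TCP Stream shows."""
    per_dir = defaultdict(dict)      # (src, sport, dst, dport) -> {seq: data}
    for src, sport, dst, dport, seq, payload in segments:
        if payload:
            per_dir[(src, sport, dst, dport)].setdefault(seq, payload)
    streams = defaultdict(dict)      # connection -> {(src, sport): bytes}
    for (src, sport, dst, dport), segs in per_dir.items():
        conn = tuple(sorted([(src, sport), (dst, dport)]))
        streams[conn][(src, sport)] = b"".join(segs[s] for s in sorted(segs))
    return dict(streams)


def ftp_credentials(streams):
    """Scan every direction of every stream for cleartext FTP USER/PASS."""
    found = []
    for dirs in streams.values():
        for (src, _), data in dirs.items():
            user = password = None
            for line in data.split(b"\r\n"):
                if line[:5].upper() == b"USER ":
                    user = line[5:].decode(errors="replace")
                elif line[:5].upper() == b"PASS ":
                    password = line[5:].decode(errors="replace")
            if user and password:
                found.append({"client": src, "user": user, "password": password})
    return found


if __name__ == "__main__":
    print(ftp_credentials(follow_tcp_streams(tcp_segments(SAMPLE_PCAP))))
```

The SSH connection in the same capture yields only its version banner, which is all a sniffer ever gets from it; the FTP login hands over the account and password to anyone on the segment, which is the answer to the slide's question and the reason to replace ftp/telnet/http logins with their encrypted equivalents. To use the reader on a real file, pass `open("capture.cap", "rb").read()` to `tcp_segments`; pcapng and nanosecond-magic files are not handled.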
  • Slide 33
  • Related Tools
    Hunt - TCP sniffer:
      - Watch and reset connections
      - Hijack sessions
      - Spoof MAC addresses
      - Spoof DNS
  • Slide 34
  • Related Tool
    EtherPEG - image capture on the network: http://www.etherpeg.com
    Demonstration: see http://www.menshevik.com/showme (on Windows)
  • Slide 35
  • Summary
    - Basic tools can generate much information
    - Remember the principle of accumulating information: an attacker will build on smaller pieces to get bigger pieces
    - Moral: don't give away information if you can avoid it