Chapter 3 footprinting
-
Upload
setia-jul-ismail -
Category
Education
-
view
774 -
download
1
Transcript of Chapter 3 footprinting
Footprinting
Keamanan Jaringan D3 Teknik Telekomunikasi
Footprinting • Definition: the gathering of information
about a potential system or network • a.k.a. fingerprinting
• Attacker’s point of view • Identify potential target systems • Identify which types of attacks may be useful on
target systems
• Defender’s point of view • Know available tools • May be able to tell if system is being footprinted,
be more prepared for possible attack • Vulnerability analysis: know what information
you’re giving away, what weaknesses you have
Information to Gather
• System (Local or Remote) • IP Address, Name and Domain
• Operating System • Type (Windows, Linux, Solaris, Mac)
• Version (98/NT/2000/2003/XP/Vista/7, Redhat, Fedora, SuSe, Ubuntu, OS X)
• Usernames (and their passwords)
• File structure
• Open Ports (what services/programs are running on the system)
Information to Gather (2)
• Networks / Enterprises • System information for all hosts
• Network topology • Gateways
• Firewalls
• Overall topology
• Network traffic information
• Specialized servers • Web, Database, FTP, Email, etc.
Defender Perspective
• Identify information you’re giving away
• Identify weaknesses in systems/network
• Know when systems/network is being probed
• Identify source of probe
• Develop awareness of threat
• Construct audit trail of activity
Tools - Linux • Some basic Linux tools - lower level
utilities • Local System
• hostname
• ifconfig
• who, last
• Remote Systems • ping
• traceroute
• nslookup, dig
• whois
• arp, netstat (also local system)
Tools – Linux (2)
• Other utilities
• wireshark (packet sniffing)
• nmap (port scanning) - more later
• Ubuntu Linux
• Go to System / Administration / Network Tools – get interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois
Tools - Windows
• Windows
• Sam Spade (collected network tools)
• Wireshark (packet sniffer)
• Command line tools
• ipconfig
• Many others…
hostname
• Determine host name of current system
• Usage: hostname
• E.g. hostname
localhost.localdomain // default
• E.g. hostname
mobile.cs.uwec.edu
ifconfig
• Configure network interface
• Tells current IP numbers for host system
• Usage: ifconfig
• E.g. ifconfig // command alone: display status
eth0 Link encap: Ethernet
HWaddr 00:0C:29:CD:F6:D3
inet addr: 192.168.172.128 . . .
lo Link encap: Local
Loopback
inet addr: 127.0.0.1 . . .
who
• Basic tool to show users on current system
• Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts)
• Usage: who • E.g. who
root tty1 Jan 9 12:46
paul tty2 Jan 9 12:52
last • Show last N users on system
• Default: since last cycling of file
• -N: last N lines
• Useful for identifying unusual activity in recent past
• Usage: last [-n] • E.g. last -3
wagnerpj pts/1 137.28.253.254 Sat Feb 5 15:40 still logged in
flinstf pts/0 137.28.191.74 Sat Feb 5 15:38 still logged in
rubbleb pts/0 c48.someu.edu Sat Feb 5 14:38 - 15:25 (00:46)
ping • Potential Uses
• Is system online? • Through response
• Gather name information • Through DNS
• Tentatively Identify operating system • Based on TTL (packet Time To Live) on each packet line • TTL = number of hops allowed to get to system • 64 is Linux default, 128 is Windows default (but can be
changed!)
• Notes • Uses ICMP packets
• Often blocked on many hosts; more useful within network
• Usage: ping system • E.g. ping ftp.redhat.com • E.g. ping localhost
traceroute • Potential Uses
• Determine physical location of machine • Gather network information (gateway, other
internal systems) • Find system that’s dropping your packets –
evidence of a firewall
• Notes • Can use UDP or ICMP packets • Results often limited by firewalls • Several GUI-based traceroute utilities available • Usage: traceroute system
• E.g. traceroute cs.umn.edu
traceroute example - Success C:\Users\Temp>tracert telkomuniversity.ac.id
Tracing route to telkomuniversity.ac.id [10.14.203.238]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 192.168.60.1
2 6 ms 6 ms 4 ms 10.11.221.1
3 7 ms 3 ms 2 ms 10.0.0.254
4 3 ms 1 ms 1 ms 10.14.203.238
Trace complete.
C:\Users\Temp>
traceroute example - blocked C:\Users\Temp>tracert detik.com
Tracing route to detik.com [203.190.242.69]
over a maximum of 30 hops:
1 1 ms 1 ms 2 ms 192.168.60.1
2 5 ms 2 ms 2 ms 10.11.221.1
3 4 ms 9 ms 3 ms 10.0.0.254
4 * * * Request timed out.
5 * * * Request timed out.
Trace complete.
C:\Users\Temp>
Visual Traceroute Example
whois
• Potential Uses • Queries nicname/whois servers for Internet
registration information
• Can gather contacts, names, geographic information, servers, … - useful for social engineering attacks
• Notes • Usage: whois domain
• e.g. whois telkomuniversity.ac.id
whois example - wildcards • whois uw%.edu
Your search has matched multiple domains.
Below are the domains you matched (up to 100). For specific
information on one of these domains, please search on that domain.
UW.EDU
UWA.EDU
UWB.EDU
UWC.EDU
UWEC.EDU
UWEST.EDU
UWEX.EDU
….
nslookup • Potential Uses
• Query internet name servers
• Find name for IP address, and vice versa
• Notes • Now deprecated – generally use dig
• Sometimes useful when dig fails
• Usage • nslookup xxxxxxx // name or IP addr.
• E.g. nslookup academic.telkomuniversity.ac.id
• E.g. dig academic.telkomuniversity.ac.id
dig
• Potential Uses
• Domain Name Service (DNS) lookup utility
• Associate name with IP address and vice versa
• Notes
• Many command options
• General usage: dig <somehost>
• E.g. dig academic.telkomuniversity.ac.id
• E.g. dig 10.14.203.238
arp
• Tracks addresses, interfaces accessed by system
• Possible uses
• Find systems that your system has recently talked to
• Notes
• arp // display names
• arp –n // display numeric addresses
netstat
• Shows connections, routing information, statistics
• Possible uses • find systems that your system has recently
talked to, find recently used ports
• Notes • Many flags
• netstat // open sockets, etc. • netstat –s // summary statistics • netstat – r // routing tables • netstat – p // programs • netstat – l // listening sockets
Windows Tools
• Sam Spade
• “swiss army knife” of footprinting
• Has most of the Linux tools
• Plus other functionality
• Usage
• Start application
• Fill in name or IP address
• Choose option desired in menus
Packet Sniffers
• Definition: Hardware or software that can display network traffic packet information
• Usage • Network traffic analysis
• Example packet sniffers • tcpdump (command line, Linux)
• wireshark (GUI interface, Linux, Windows – open source)
• others…
Limitations – Packet Sniffing • Packet sniffers only catch what they can see
• Users attached to hub – can see everything
• Users attached to switch – only see own traffic
• Wireless – wireless access point is like hub
• Need to be able to put your network interface card (NIC) in “promiscuous” mode to be able to process all traffic, not just traffic for/from itself • NIC must support
• Need privilege (e.g. root in Linux)
OSI Network Protocol
• Layer 7 – Application (incl. app. content)
• Layer 6 – Presentation
• Layer 5 – Session
• Layer 4 – Transport (incl. protocol, port)
• Layer 3 – Network (incl. source, dest)
• Layer 2 – Data Link
• Layer 1 – Physical
wireshark • Created as tool to examine network problems in
1997
• Various contributors added pieces; released 1998
• Name change (2007): ethereal -> wireshark
• Works with other packet filter formats
• Information
• http://www.wireshark.org
• Demonstration
Using wireshark
• Ubuntu – Applications / Internet / Wireshark (as root) • Enter your administrative account pw: user
• Capture/Interfaces/eth0:, Start
• Capture window shows accumulated totals for different types of packets
• Stop – packets now displayed
• Top window – packet summary • Can sort by column – source, destination, protocol are useful
• Middle window – packet breakdown • Click on + icons for detail at each packet level
• Bottom window – packet content
Wireshark capture analysis • Can save a session to a capture file
• Can reopen file later for further analysis
• Open capture file • Ubuntu: /home/user/Support/MOBILEcapture.cap
• W2K3: C:\Support\MOBILEcapture.cap
• Identify and follow different TCP streams • Select TCP packet, Analyze/Follow TCP Stream
• MOBILEcapture.cap has http, https, ftp, ssh streams
• Any interesting information out there? • HINT: follow stream on an ftp packet
Related Tool
• Hunt
• TCP sniffer
• Watch and reset connections
• Hijack sessions
• Spoof MAC address
• Spoof DNS name
Related Tool
• EtherPEG – image capture on network
• http://www.etherpeg.com
Summary • Basic tools can generate much information
• Remember principle of accumulating information
• Attacker will build on smaller pieces to get bigger pieces
• Message to defenders: don’t give away any information if you can avoid it
Ref
• www.cs.uwec.edu
Thank You D3 Teknik Telekomunikasi