Chapter 3 footprinting

Footprinting: Network Security (Keamanan Jaringan), D3 Teknik Telekomunikasi

Transcript of Chapter 3 footprinting

Page 1: Chapter 3 footprinting

Footprinting

Network Security (Keamanan Jaringan), D3 Teknik Telekomunikasi

Page 2: Chapter 3 footprinting

Footprinting

• Definition: the gathering of information about a potential system or network

  • a.k.a. fingerprinting

• Attacker’s point of view

  • Identify potential target systems

  • Identify which types of attacks may be useful on target systems

• Defender’s point of view

  • Know available tools

  • May be able to tell if system is being footprinted, be more prepared for possible attack

  • Vulnerability analysis: know what information you’re giving away, what weaknesses you have

Page 3: Chapter 3 footprinting

Information to Gather

• System (Local or Remote)

  • IP Address, Name and Domain

  • Operating System

    • Type (Windows, Linux, Solaris, Mac)

    • Version (98/NT/2000/2003/XP/Vista/7, Redhat, Fedora, SuSe, Ubuntu, OS X)

  • Usernames (and their passwords)

  • File structure

  • Open Ports (what services/programs are running on the system)

Page 4: Chapter 3 footprinting

Information to Gather (2)

• Networks / Enterprises

  • System information for all hosts

  • Network topology

    • Gateways

    • Firewalls

    • Overall topology

  • Network traffic information

  • Specialized servers

    • Web, Database, FTP, Email, etc.

Page 5: Chapter 3 footprinting

Defender Perspective

• Identify information you’re giving away

• Identify weaknesses in systems/network

• Know when systems/network is being probed

• Identify source of probe

• Develop awareness of threat

• Construct audit trail of activity

Page 6: Chapter 3 footprinting

Tools - Linux

• Some basic Linux tools - lower level utilities

  • Local System

    • hostname

    • ifconfig

    • who, last

  • Remote Systems

    • ping

    • traceroute

    • nslookup, dig

    • whois

    • arp, netstat (also local system)

Page 7: Chapter 3 footprinting

Tools – Linux (2)

• Other utilities

• wireshark (packet sniffing)

• nmap (port scanning) - more later

• Ubuntu Linux

• Go to System / Administration / Network Tools – get interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois

Page 8: Chapter 3 footprinting

Tools - Windows

• Windows

• Sam Spade (collected network tools)

• Wireshark (packet sniffer)

• Command line tools

• ipconfig

• Many others…

Page 9: Chapter 3 footprinting

hostname

• Determine host name of current system

• Usage: hostname

• E.g. hostname

localhost.localdomain // default

• E.g. hostname

mobile.cs.uwec.edu

Page 10: Chapter 3 footprinting

ifconfig

• Configure network interface

• Tells current IP numbers for host system

• Usage: ifconfig

• E.g. ifconfig // command alone: display status

eth0 Link encap: Ethernet

HWaddr 00:0C:29:CD:F6:D3

inet addr: 192.168.172.128 . . .

lo Link encap: Local Loopback

inet addr: 127.0.0.1 . . .

Page 11: Chapter 3 footprinting

who

• Basic tool to show users on current system

• Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts)

• Usage: who

• E.g. who

root tty1 Jan 9 12:46

paul tty2 Jan 9 12:52

Page 12: Chapter 3 footprinting

last

• Show last N users on system

• Default: since last cycling of file

• -N: last N lines

• Useful for identifying unusual activity in recent past

• Usage: last [-n]

• E.g. last -3

wagnerpj pts/1 137.28.253.254 Sat Feb 5 15:40 still logged in

flinstf pts/0 137.28.191.74 Sat Feb 5 15:38 still logged in

rubbleb pts/0 c48.someu.edu Sat Feb 5 14:38 - 15:25 (00:46)
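Added example (not part of the original slides): one way a defender can turn `last` output into a short list of logins worth reviewing. The trusted range 137.28.0.0/16 and the function names are assumptions made for this illustration; the input is the three sample lines from the slide.

```python
import ipaddress

# Constructed input: the three sample lines from the `last -3` slide above.
SAMPLE_LAST = """\
wagnerpj pts/1 137.28.253.254 Sat Feb 5 15:40 still logged in
flinstf pts/0 137.28.191.74 Sat Feb 5 15:38 still logged in
rubbleb pts/0 c48.someu.edu Sat Feb 5 14:38 - 15:25 (00:46)
"""

# Assumption: 137.28.0.0/16 is the only network logins are expected from.
TRUSTED_NETS = [ipaddress.ip_network("137.28.0.0/16")]
DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def parse_last(text):
    """Parse `last` output into dicts, skipping the wtmp footer and reboots."""
    sessions = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] in ("wtmp", "reboot"):
            continue
        # Console logins have an empty host column, so the weekday comes third.
        source = None if f[2] in DAYS else f[2]
        sessions.append({"user": f[0], "tty": f[1], "source": source,
                         "active": line.rstrip().endswith("still logged in")})
    return sessions


def classify(source):
    """Label a login source as local, trusted, external, or hostname."""
    if source is None:
        return "local"
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "hostname"  # a name, not an address: resolve and review by hand
    return "trusted" if any(addr in net for net in TRUSTED_NETS) else "external"


def unusual_logins(text):
    """Return (user, source, label) for sessions not from a trusted address."""
    flagged = []
    for s in parse_last(text):
        label = classify(s["source"])
        if label in ("hostname", "external"):
            flagged.append((s["user"], s["source"], label))
    return flagged


if __name__ == "__main__":
    for row in unusual_logins(SAMPLE_LAST):
        print(row)
```
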

Page 13: Chapter 3 footprinting

ping

• Potential Uses

  • Is system online?

    • Through response

  • Gather name information

    • Through DNS

  • Tentatively identify operating system

    • Based on TTL (packet Time To Live) on each packet line

    • TTL = number of hops allowed to get to system

    • 64 is Linux default, 128 is Windows default (but can be changed!)

• Notes

  • Uses ICMP packets

  • Often blocked on many hosts; more useful within network

• Usage: ping system

  • E.g. ping ftp.redhat.com

  • E.g. ping localhost

Page 14: Chapter 3 footprinting

traceroute

• Potential Uses

  • Determine physical location of machine

  • Gather network information (gateway, other internal systems)

  • Find system that’s dropping your packets – evidence of a firewall

• Notes

  • Can use UDP or ICMP packets

  • Results often limited by firewalls

  • Several GUI-based traceroute utilities available

• Usage: traceroute system

  • E.g. traceroute cs.umn.edu

Page 15: Chapter 3 footprinting

traceroute example - Success

C:\Users\Temp>tracert telkomuniversity.ac.id

Tracing route to telkomuniversity.ac.id [10.14.203.238]

over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 192.168.60.1

2 6 ms 6 ms 4 ms 10.11.221.1

3 7 ms 3 ms 2 ms 10.0.0.254

4 3 ms 1 ms 1 ms 10.14.203.238

Trace complete.

C:\Users\Temp>

Page 16: Chapter 3 footprinting

traceroute example - blocked

C:\Users\Temp>tracert detik.com

Tracing route to detik.com [203.190.242.69]

over a maximum of 30 hops:

1 1 ms 1 ms 2 ms 192.168.60.1

2 5 ms 2 ms 2 ms 10.11.221.1

3 4 ms 9 ms 3 ms 10.0.0.254

4 * * * Request timed out.

5 * * * Request timed out.

Trace complete.

C:\Users\Temp>
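Added example (not part of the original slides): a small parser for the two tracert transcripts above that reports whether the target answered and from which hop the path goes silent, which is how a defender can confirm that perimeter filtering behaves as intended. The function names are assumptions for this illustration, and the parser expects numeric hop output as shown on the slides.

```python
import re

# Constructed input: the two tracert transcripts from the slides above.
SUCCESS = """\
Tracing route to telkomuniversity.ac.id [10.14.203.238]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 192.168.60.1
2 6 ms 6 ms 4 ms 10.11.221.1
3 7 ms 3 ms 2 ms 10.0.0.254
4 3 ms 1 ms 1 ms 10.14.203.238
Trace complete.
"""
BLOCKED = """\
Tracing route to detik.com [203.190.242.69]
over a maximum of 30 hops:
1 1 ms 1 ms 2 ms 192.168.60.1
2 5 ms 2 ms 2 ms 10.11.221.1
3 4 ms 9 ms 3 ms 10.0.0.254
4 * * * Request timed out.
5 * * * Request timed out.
Trace complete.
"""

HEADER = re.compile(r"Tracing route to \S+ \[([\d.]+)\]")
# Assumes numeric hop output (as in the slides); hop lines with names are skipped.
HOP = re.compile(r"^\s*(\d+)\s+.*?\s+((?:\d{1,3}\.){3}\d{1,3}|Request timed out\.)\s*$")


def parse_tracert(text):
    """Return (target_ip, [(hop_number, responder_ip_or_None), ...])."""
    header = HEADER.search(text)
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            hops.append((int(m.group(1)), None if "timed out" in m.group(2) else m.group(2)))
    return (header.group(1) if header else None), hops


def summarize(text):
    """Report whether the target answered and where the path goes silent."""
    target, hops = parse_tracert(text)
    answered = [(n, ip) for n, ip in hops if ip]
    last_n, last_ip = answered[-1] if answered else (0, None)
    reached = last_ip is not None and last_ip == target
    # Only silence after the last reply counts; earlier gaps are routers that
    # simply do not answer probes.
    silent_after = [n for n, ip in hops if ip is None and n > last_n]
    return {"target": target, "reached": reached, "last_responder": last_ip,
            "silent_from": silent_after[0] if silent_after else None}
```
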

Page 17: Chapter 3 footprinting

Visual Traceroute Example

Page 18: Chapter 3 footprinting

whois

• Potential Uses

  • Queries nicname/whois servers for Internet registration information

  • Can gather contacts, names, geographic information, servers, … - useful for social engineering attacks

• Notes

  • Usage: whois domain

  • e.g. whois telkomuniversity.ac.id

Page 19: Chapter 3 footprinting

whois example - wildcards

• whois uw%.edu

Your search has matched multiple domains.

Below are the domains you matched (up to 100). For specific information on one of these domains, please search on that domain.

UW.EDU

UWA.EDU

UWB.EDU

UWC.EDU

UWEC.EDU

UWEST.EDU

UWEX.EDU

….

Page 20: Chapter 3 footprinting

nslookup

• Potential Uses

  • Query internet name servers

  • Find name for IP address, and vice versa

• Notes

  • Now deprecated – generally use dig

  • Sometimes useful when dig fails

• Usage

  • nslookup xxxxxxx // name or IP addr.

  • E.g. nslookup academic.telkomuniversity.ac.id

  • E.g. dig academic.telkomuniversity.ac.id

Page 21: Chapter 3 footprinting

dig

• Potential Uses

• Domain Name Service (DNS) lookup utility

• Associate name with IP address and vice versa

• Notes

• Many command options

• General usage: dig <somehost>

• E.g. dig academic.telkomuniversity.ac.id

• E.g. dig -x 10.14.203.238 // -x requests the reverse lookup (IP address to name)

Page 22: Chapter 3 footprinting

arp

• Tracks addresses, interfaces accessed by system

• Possible uses

• Find systems that your system has recently talked to

• Notes

• arp // display names

• arp -n // display numeric addresses

Page 23: Chapter 3 footprinting

netstat

• Shows connections, routing information, statistics

• Possible uses

  • Find systems that your system has recently talked to, find recently used ports

• Notes

  • Many flags

    • netstat // open sockets, etc.

    • netstat -s // summary statistics

    • netstat -r // routing tables

    • netstat -p // programs

    • netstat -l // listening sockets
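Added example (not part of the original slides): using the listening-socket view to check what a host exposes to the network, in the spirit of "know what information you're giving away". The sample output is constructed in the layout of `netstat -lnt`, and the expected-port set and function names are assumptions for this illustration.

```python
# Constructed input in the layout printed by `netstat -lnt` on Linux.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

# Assumption: this host is only meant to offer SSH and HTTP to the network.
EXPECTED_PORTS = {22, 80}


def parse_listeners(text):
    """Return (proto, bind_address, port) for every TCP LISTEN line."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 binds such as ":::80" intact ("::", port 80).
        host, _, port = f[3].rpartition(":")
        listeners.append((f[0], host, int(port)))
    return listeners


def is_loopback(host):
    """True when the socket is bound to the local machine only."""
    return host.startswith("127.") or host == "::1"


def unexpected_listeners(text, expected=EXPECTED_PORTS):
    """Listeners reachable from the network on ports outside the expected set."""
    return [(proto, host, port) for proto, host, port in parse_listeners(text)
            if not is_loopback(host) and port not in expected]


if __name__ == "__main__":
    for row in unexpected_listeners(SAMPLE_NETSTAT):
        print("review:", row)
```
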

Page 24: Chapter 3 footprinting

Windows Tools

• Sam Spade

• “swiss army knife” of footprinting

• Has most of the Linux tools

• Plus other functionality

• Usage

• Start application

• Fill in name or IP address

• Choose option desired in menus

Page 25: Chapter 3 footprinting

Packet Sniffers

• Definition: Hardware or software that can display network traffic packet information

• Usage

  • Network traffic analysis

• Example packet sniffers

  • tcpdump (command line, Linux)

  • wireshark (GUI interface, Linux, Windows – open source)

  • others…

Page 26: Chapter 3 footprinting

Limitations – Packet Sniffing

• Packet sniffers only catch what they can see

  • Users attached to hub – can see everything

  • Users attached to switch – only see own traffic

  • Wireless – wireless access point is like hub

• Need to be able to put your network interface card (NIC) in “promiscuous” mode to be able to process all traffic, not just traffic for/from itself

  • NIC must support

  • Need privilege (e.g. root in Linux)

Page 27: Chapter 3 footprinting

OSI Network Protocol

• Layer 7 – Application (incl. app. content)

• Layer 6 – Presentation

• Layer 5 – Session

• Layer 4 – Transport (incl. protocol, port)

• Layer 3 – Network (incl. source, dest)

• Layer 2 – Data Link

• Layer 1 – Physical

Page 28: Chapter 3 footprinting

wireshark

• Created as tool to examine network problems in 1997

• Various contributors added pieces; released 1998

• Name change (2007): ethereal -> wireshark

• Works with other packet filter formats

• Information

• http://www.wireshark.org

• Demonstration

Page 29: Chapter 3 footprinting

Using wireshark

• Ubuntu – Applications / Internet / Wireshark (as root)

  • Enter your administrative account pw: user

• Capture/Interfaces/eth0:, Start

• Capture window shows accumulated totals for different types of packets

• Stop – packets now displayed

• Top window – packet summary

  • Can sort by column – source, destination, protocol are useful

• Middle window – packet breakdown

  • Click on + icons for detail at each packet level

• Bottom window – packet content

Page 30: Chapter 3 footprinting

Wireshark capture analysis

• Can save a session to a capture file

  • Can reopen file later for further analysis

• Open capture file

  • Ubuntu: /home/user/Support/MOBILEcapture.cap

  • W2K3: C:\Support\MOBILEcapture.cap

• Identify and follow different TCP streams

  • Select TCP packet, Analyze/Follow TCP Stream

  • MOBILEcapture.cap has http, https, ftp, ssh streams

• Any interesting information out there?

  • HINT: follow stream on an ftp packet

Page 31: Chapter 3 footprinting

Related Tool

• Hunt

• TCP sniffer

• Watch and reset connections

• Hijack sessions

• Spoof MAC address

• Spoof DNS name

Page 32: Chapter 3 footprinting

Related Tool

• EtherPEG – image capture on network

• http://www.etherpeg.com

Page 33: Chapter 3 footprinting

Summary

• Basic tools can generate much information

• Remember principle of accumulating information

• Attacker will build on smaller pieces to get bigger pieces

• Message to defenders: don’t give away any information if you can avoid it

Page 34: Chapter 3 footprinting

Ref

• www.cs.uwec.edu

Page 35: Chapter 3 footprinting

Thank You D3 Teknik Telekomunikasi