Reconnaissance
Uploaded by maroti164. Category: Technology.
Agenda
Introduction
Reconnaissance techniques
  Low-Technology Reconnaissance
  Search the Fine Web
  Whois Database
  Domain Name System (DNS)
  Other techniques
Reconnaissance
A preliminary survey to gain information.
Finding as much information about the target as possible before launching the first attack packet.
Many computer attackers first investigate their target using publicly available information. By conducting determined, methodical reconnaissance, attackers can determine how best to mount their attacks successfully.
Social Engineering
Finding a pretext (false reason) to obtain privileged information or services.
Social engineering involves an attacker calling employees at the target organization on the phone and fooling them into revealing sensitive information.
Social Engineering
Defense
User awareness.
If someone unknown to the user calls on the phone looking to verify computer configurations, passwords, or other sensitive items, the user should not give out the sensitive data, no matter how friendly or urgent the request, without verifying the requestor's identity.
Physical Break-In
Methods
An attacker with physical access to your computer systems might find that a user walked away from a machine while logged in, giving the attacker instant access to accounts and data.
Attackers might plant backdoors on your internal systems.
Physical access to an Ethernet plug in the wall.
Physical Break-In
Defense
Security badges.
Physically lock down servers.
Use locks on cabinets containing sensitive information.
Use automatic password-protected screen savers.
Encrypt stored files.
Dumpster Diving
Retrieving sensitive information from trash.
Attackers use dumpster diving to find discarded paper, CDs, DVDs, floppy disks, tapes, and hard drives containing sensitive data.
Defense
Paper and media shredders are the best defense against dumpster diving.
Provide a separate trash for sensitive information.
Search the Fine Web(STFW)
Searching an organization’s own web site
Using search engines
Listening in at the virtual watering hole: Usenet
Searching an Organization’s Own Web Site
Employees’ contact information and phone numbers.
Clues about the corporate culture and language.
Business partners.
Server and application platforms in use.
Using Search Engines
Conduct search based on organization name, product names, employee names.
Retrieve information about history, current events, and future plans of the target organization.
Search for links to target organization via link www.companyname.com in a search engine.
Listening in at the Virtual Watering Hole: Usenet
Posting of questions by employees to technical newsgroups.
Google newsgroup archive web search engine at http://groups.google.com
Defenses against Web searches
An attempt to increase security by keeping elements of a security strategy secret is known as security by obscurity.
Security policy regarding posting of sensitive information on web site, newsgroups, and mailing lists.
Whois Databases
Contain information regarding assignment of Internet addresses, domain names, and individual contacts.
Internet Corporation for Assigned Names and Numbers (ICANN)
Complete list of accredited registrars available at www.internic.net/alpha.html
InterNIC whois database available at www.internic.net/whois.html
Whois database for organizations outside the United States available at www.allwhois.com/home.html web site.
Defenses Against Whois Searches
You must make sure that your registration data is accurate so that the proper person can be contacted without interruption if an incident occurs.
Make sure there is no extraneous information in your registration records that could be used by an attacker, such as account names for an administrator.
DNS
DNS is a hierarchical database distributed around the world that stores a variety of information, including IP addresses, domain names, and mail server information.
Interrogating DNS Servers
So how does an attacker get DNS information?
First, the attacker needs to determine one or more DNS servers for the target organization.
Using this DNS server information, an attacker has a variety of tools to choose from for getting DNS information.
Attackers typically attempt to perform a zone transfer.
Defenses from DNS-based Reconnaissance
Make sure you aren't leaking additional information through DNS.
Your domain names should not indicate any machine's operating system type.
Do not include HINFO or TXT records.
Restrict zone transfers to secondary DNS only.
Configure firewall.
Split-Horizon DNS.
Split DNS
Internal users can resolve both internal and external names.
External users can only access external names.
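One way to check a zone file for the leaks listed above before it is published, as an added example that is not part of the original slides. The zone contents, the OS keyword list and the function name audit_zone are constructed for illustration, and the parser handles only simple one-line records.

```python
import re

# Constructed sample zone (example.com and 192.0.2.0/24 are documentation values).
SAMPLE_ZONE = """\
$ORIGIN example.com.
@          3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
@          3600 IN NS    ns1.example.com.
ns1        3600 IN A     192.0.2.53
www        3600 IN A     192.0.2.80
win2k-dc1  3600 IN A     192.0.2.10
db         3600 IN HINFO "Sun-Fire" "Solaris 9"
@          3600 IN TXT   "admin contact jsmith, shell account jsmith"
linuxmail  3600 IN A     192.0.2.25
"""

# Assumed keyword list; extend it to match your own naming habits.
OS_HINTS = re.compile(r"win2k|winnt|windows|linux|solaris|sunos|aix|hpux|bsd", re.I)
# owner, optional TTL, optional class, record type, record data
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Za-z]+)\s+(.*)$")

def audit_zone(zone_text):
    """Return (owner, type, reason) for records that leak more than needed."""
    findings, owner = [], "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments (simplified parser)
        if not line.strip() or line.startswith("$"):
            continue
        if line[0].isspace():                 # blank owner field: reuse previous owner
            line = owner + " " + line.strip()
        m = RECORD.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group(1), m.group(2).upper(), m.group(3)
        if rtype in ("HINFO", "TXT"):
            # Review these by hand: some TXT records (e.g. SPF) are needed.
            findings.append((owner, rtype, "free-text data: " + rdata))
        elif rtype in ("A", "AAAA", "CNAME") and OS_HINTS.search(owner):
            findings.append((owner, rtype, "host name hints at operating system"))
    return findings

if __name__ == "__main__":
    for owner, rtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner:<10} {rtype:<6} {reason}")
```

Run it against the externally visible zone only; with split DNS the internal zone is not reachable from outside and can keep descriptive names.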
Other techniques
The first set consists of completely integrated client executables, such as Sam Spade, which are run on an end user's machine and perform recon queries on behalf of that user.
The second category includes Web-based tools, accessed across the Internet using a Web browser.
General Purpose Reconnaissance GUI Client Tools for MS Windows
Sam Spade
CyberKit
NetScan Tools
iNetTools
Web-based Reconnaissance Tools: Research and Attack Portals
An attacker accesses these tools using a browser, typing in the target name or IP address into a Web form.
www.samspade.org
www.dnsstuff.com
www.traceroute.org
www.network-tools.com
www.cotse.com/refs.htm
www.securityspace.com
www.dslreports.com/scan
www.attackportal.net