Reconnaissance

By Maroti Deshmukh 12MCMB02


Agenda

- Introduction
- Reconnaissance techniques
  - Low-Technology Reconnaissance
  - Search the Fine Web
  - Whois Database
  - Domain Name System (DNS)
  - Other techniques

Reconnaissance

A preliminary survey to gain information. Finding as much information about the target as possible before launching the first attack packet.

Many computer attackers first investigate their target using publicly available information. By conducting determined, methodical reconnaissance, attackers can determine how best to mount their attacks successfully.

Low-Technology Reconnaissance

- Social Engineering
- Physical Break-In
- Dumpster Diving

Social Engineering

Finding a pretext (false reason) to obtain privileged information or services.

Social engineering involves an attacker calling employees at the target organization on the phone and fooling them into revealing sensitive information.

Social Engineering

Defense

- User awareness.
- If someone unknown to the user calls on the phone looking to verify computer configurations, passwords, or other sensitive items, the user should not give out the sensitive data, no matter how friendly or urgent the request, without verifying the requestor's identity.

Physical Break-In

Methods

- Attacker with physical access to your computer systems might find that a user walked away from a machine while logged in, giving them instant access to accounts and data.
- Attackers might plant backdoors on your internal systems.
- Physical access to an Ethernet plug in the wall.

Physical Break-In

Defense

- Security badges.
- Physically lock down servers.
- Use locks on cabinets containing sensitive information.
- Use automatic password-protected screen savers.
- Encrypt stored files.

Dumpster Diving

- Retrieving sensitive information from trash.
- Attackers use dumpster diving to find discarded paper, CDs, DVDs, floppy disks, tapes, and hard drives containing sensitive data.

Defense

- Paper and media shredders are the best defence against dumpster diving.
- Provide a separate trash for sensitive information.

Search the Fine Web (STFW)

- Searching an organization’s own web site
- Using search engines
- Listen in at the virtual watering hole: USENET

Searching an Organization’s Own Web Site

- Employees’ contact information and phone numbers.
- Clues about the corporate culture and language.
- Business partners.
- Server and application platforms in use.

Using Search Engines

Conduct search based on organization name, product names, employee names.

Retrieve information about history, current events, and future plans of the target organization.

Search for links to target organization via link www.companyname.com in a search engine.

Listening in at the Virtual Watering Hole: Usenet

- Posting of questions by employees to technical newsgroups.
- Google newsgroup archive web search engine at http://groups.google.com

Defenses against Web searches

An attempt to increase security by keeping elements of a security strategy secret is known as security by obscurity.

Security policy regarding posting of sensitive information on web site, newsgroups, and mailing lists.

Whois Databases

Contain information regarding assignment of Internet addresses, domain names, and individual contacts.

Internet Corporation for Assigned Names and Numbers (ICANN)

Complete list of accredited registrars available at www.internic.net/alpha.html

InterNIC whois database available at www.internic.net/whois.html

Whois database for organizations outside the United States available at www.allwhois.com/home.html web site.

Figure 5.2 List of accredited registrars on the InterNIC site

Figure 5.3 Using the InterNIC whois database to find the target’s registrar

Figure 5.4 Looking up a domain name at a particular registrar

Figure 5.5 Results of a registrar whois search

Figure 5.6 Searching for IP Address Assignments in ARIN

Defenses Against Whois Searches

You must make sure that your registration data is accurate so that the proper person can be contacted without interruption if an incident occurs.

Make sure there is no extraneous information in your registration records that could be used by an attacker, such as account names for an administrator.

DNS

DNS is a hierarchical database distributed around the world that stores a variety of information, including IP addresses, domain names, and mail server information.

Fig 5.7 DNS Hierarchy

Fig 5.8 Recursive search to resolve a domain name to IP address

Interrogating DNS Servers

So how does an attacker get DNS information?

First, the attacker needs to determine one or more DNS servers for the target organization.

Using this DNS server information, an attacker has a variety of tools to choose from for getting DNS information.

Attackers typically attempt to perform a zone transfer.

Defenses from DNS-based Reconnaissance

Make sure you aren't leaking additional information through DNS.

Your domain names should not indicate any machine's operating system type.

- Do not include HINFO or TXT records.
- Restrict zone transfers to secondary DNS only.
- Configure firewall.
- Split-Horizon DNS.

Split DNS

- Internal users can resolve both internal and external names.
- External users can only access external names.
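
The DNS record defenses above (no operating system hints in names, no HINFO or TXT records) can be checked against a zone file before it is published. This is an added example, not part of the original slides; the zone data, the `OS_HINTS` list and the function names are constructed for illustration.

```python
# Constructed sample zone (documentation addresses, not a real organization).
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        IN SOA  ns1 hostmaster 2024010101 3600 900 604800 300
@        IN NS   ns1
@        IN MX   10 mail
ns1      IN A    192.0.2.53
mail     IN A    192.0.2.25
www      IN A    192.0.2.80   ; public web server
win2k-dc IN A    192.0.2.10
solaris1 IN A    192.0.2.11
db       IN HINFO "Sun-Ultra" "Solaris"
@        IN TXT  "admin contact: jsmith ext 4411"
"""

# Assumed name prefixes that reveal a platform; extend for your own naming habits.
OS_HINTS = ("windows", "win2k", "winnt", "linux", "solaris", "sunos",
            "aix", "hpux", "freebsd", "openbsd")

def parse_records(zone_text):
    """Yield (owner, rtype, rdata) from a one-record-per-line zone file."""
    owner = "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # simplified: assumes no ';' inside quotes
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():              # a leading blank means "same owner as before"
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                     # skip optional TTL and class
        if fields:
            yield owner, fields[0].upper(), " ".join(fields[1:])

def audit_zone(zone_text):
    """Return (owner, issue) findings for records that leak extra information."""
    findings = []
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype in ("HINFO", "TXT"):
            findings.append((owner, f"{rtype} record exposes: {rdata}"))
        elif rtype in ("A", "AAAA", "CNAME"):
            tokens = owner.lower().replace("_", "-").replace(".", "-").split("-")
            if any(t.startswith(OS_HINTS) for t in tokens):
                findings.append((owner, "hostname hints at operating system"))
    return findings

if __name__ == "__main__":
    for owner, issue in audit_zone(SAMPLE_ZONE):
        print(f"{owner:10} {issue}")
```

TXT records that carry mail-authentication data such as SPF still have to be published, so treat TXT findings as items to review rather than delete outright.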

Other techniques

The first set consists of completely integrated client executables, such as Sam Spade, which are run on an end user's machine and perform recon queries on behalf of that user.

The second category includes Web-based tools, accessed across the Internet using a Web browser.

General Purpose Reconnaissance GUI Client Tools for MS Windows

- Sam Spade
- CyberKit
- NetScan Tools
- iNetTools

Web-based Reconnaissance Tools: Research and Attack Portals

An attacker accesses these tools using a browser, typing in the target name or IP address into a Web form.

- www.samspade.org
- www.dnsstuff.com
- www.traceroute.org
- www.network-tools.com
- www.cotse.com/refs.htm
- www.securityspace.com
- www.dslreports.com/scan
- www.attackportal.net

References

- Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, by Ed Skoudis
- www.wikipedia.com
- www.securityspace.com
- www.attackportal.net

Thank You…