Network Security(CP33925) Data Collection 부산대학교공과대학전기컴퓨터공학부

Transcription

1 Network Security(CP33925) Data Collection 부산대학교공과대학전기컴퓨터공학부

2 Hacking History First generation of hackers, technology enthusiasts, geeks Hacking was motivated by intellectual curiosity; causing damage or stealing information was against the rules for this small number of people. Hackers started gaining more of the negative connotations. Media attention started altering the image of a hacker from a technology enthusiast to a computer criminal. During this time period, hackers engaged in activities such as theft of service by breaking into phone systems to make free phone calls. Current Script kiddies: beginners and may or may not understand the impact of their actions in the larger scheme of things. They typically possess very basic skills and rely upon existing tools that they can locate on the Internet. White-hat hackers (ethical hackers): know how hacking works and the danger it poses, but use their skills for good. They adhere the ethic of do not harm. Gray-hat hackers: rehabilitated hackers; those who once were on the dark side, but are now reformed. Black-hat hacker: have intent to break the law, disrupt systems or businesses or generate illegal financial return. Suicide hackers: perform their activities with little regard for the law or staying undetected. They seek to accomplish their goal at all costs and do not worry if they are caught. 2

3 Hacking Methodology Footprinting Attacker passively acquires information about intended victim s systems. In this context, passive information gathering means that no active interaction occurs between the attacker and the victim, like conducting a whois query. Scanning Attacker takes the information obtained during the footprinting phase and uses it to actively acquire more detailed information about a victim, like conducing a ping sweep of all the victim s known IP addresses to see which machines respond. Enumeration Attacker extracts more detailed and useful information from a victim s system. Results of this step includes a list of usernames, groups, applications, banner settings, auditing information and so on. System Hacking Escalation of Privilege Covering Tracks Planting Backdoors Attacker actively attacks a systems using a method the attacker deems useful. If successful, the attacker obtains privileges on a given system higher than should be permissible. Under the right condition, the attacker can use privilege escalation to move from a low-level account such as a guest account all the way up to administrator or system level access. Attacker tries to avoid detection and covers his or her tracks by purging information from the system. Attacker may leave behind a backdoor on the system for later use. Backdoors can be used to regain access, as well as allow any number of different scenarios to take place, such as privilege escalations or remotely controlling a system. 3

4 Steps of The Information-Gathering Process 1. Gathering information Footprinting Examining the company s web site, Identifying key employees, Analyzing open position and job requests, Assessing affiliate, parent or sister companies, Finding technologies and software used by the organization, Determining network address and range 2. Determining the network information Footprinting network range, equipment/technologies in use, financial information, locations, physical assets, employee names and titles 3. Identifying active machines 4. Finding open ports and access points 5. Detecting operating systems 6. Using fingerprinting services Scanning Scanning Scanning Enumeration 7. Mapping the network 4 Enumeration

5 Information on a Company Web Site Web sites offer various amount of information about an organization because the web site has been published to tell customers about the organization. It is common to come across web sites that contain addresses, employee names, branch office locations and technologies the organization uses. Wayback Machine With the Wayback machine it is possible to recover information that was posted on a Web site sometime in the past 5

6 Discovering Financial Information Targets are footprinted prior to being attacked to determine whether a targeted company makes enough money to merit an attack. Financial records are accessible through the Securities and Exchange Commission (SEC) Web site at: Electronic Data Gathering, Analysis and Retrieval (EDGAR) database contains all sorts of financial information. In addition to EDGAR the following sites provide the same type of information: Hoover s: Dun and Bradstreet: Yahoo!Finance: Bloomberg: 6

7 Google Hacking (1/2) Google hacking is effective since Google indexes vast amounts of information in untold numbers of formats. Google indexes Web pages like any search engine, but it can also index images, videos, discussion group postings and all sorts of file types such as PDF, PPT and so on. Google Hacking Database (GHDB) is available at: This site offers insight into some of the ways an attacker can easily find exploitable targets and sensitive data by using Googl es built-in functionality. 7

8 Google Hacking (2/2) What makes this possible is the way in which information is indexed by a search engine Common commands are: intitle: index of finance.pdf returns pages that contain files of the name finance.pdf filetype: bak url: htaccess passwd shadow htusers return files that have specific extensions inurl: admin inurl:backup intitle:index.of returns pages that include specific words or characters in the URL 8

9 Whois & DNS Inspection IP Address Tracing Enumeration What we ll learn today 9

10 Network Security(CP33925) Whois & DNS Inspection What a Whois server is and how to use it Structure and operation principle of DNS server Vulnerabilities of the DNS server and use them to collect information. 부산대학교공과대학전기컴퓨터공학부

11 Exploring Domain Information Leakage A public company that wants to attract customers must walk a fine line because some information by necessity will have to be made public while other information can be kept secret. An example of information that should be kept secret by any company is domain information, or the information that is associated with the registration of an Internet domain Currently many tools are available that can be used for obtaining types of basic information, like: whois, nslookup Internet Assigned Numbers Authority (IANA) and Regional Institute Registries (RIRS) to find the range of Internet Protocol (IP) address traceroute to determine the location of the network 11

12 Whois (Whois) Understanding Whois Servers (1/3) Created in 1984 Protocols for finding the domain, people and Internet resources related to the domain Information you can get with the Whois server Domain registration and related organization information Internet resource information related to domain name The network address and IP address of the target site Name, contact, account of registrant, manager, technical manager When to create and update records Primary and secondary DNS servers Assigned location of IP address 12

13 Understanding Whois Servers (2/3) Whois server list After registering the domain, the Whois server for each region stores the related information Region Total Europe Asia and Pacific Autrailia France Japan England Korea For hackers whois.internic.net whois.ripe.net whois.apnic.net whois.arin.net whois.aunic.net whois.nic.fr whois.nic.ad.jp whois.nic.uk whois.krnic.net Whois server 13

14 Understanding Whois Servers (3/3) Searching Whois server list Whois server search from 14

15 Hosts File (1/5) Used before DNS existed and still used it a lot depending on purpose For Windows-based systems (Windows operating system installation directory), \system32\drivers\etc\hosts and for Linux, /etc/hosts 15

16 Hosts File (2/5) Hosts file IP Addr. Domain name or Arbitrary Name Normally hosts file is empty. Used When the DNS server is not working When a separate network is configured and used arbitrarily When several servers having different IP addresses are clustered and are operated at the same domain 16

17 Hosts File (3/5) Resolving host names using the hosts file 도메인등록하기 ping 을통해 ip 주소확인 Open the file C:\Windows\system32\drivers\etc\hosts to register the domain 17

18 Hosts File (4/5) Resolving host names using the hosts file Checking Hosts file behavior ping hanbit ping a

19 Hosts File (5/5) Blocking access to the site by registering the wrong address

20 Domain Name System (DNS) DNS Operation (1/3) System that matches IP address, which is a numeric network address, into each other's name Hierarchy of DNS The topmost object is '.' (Root) The second entity is the national and organizational characteristics Normally, the first part comes up with a DNS server name specified by a specific server, such as www and ftp servers Fully Qualified Domain Name (FQDN): Completed address (e.g., 20

21 DNS Operation (2/3) Name Resolution Order of DNS Servers Local DNS Server 1. Query 8. Response Root DNS Server kr DNS Server pusan.ac.kr DNS Server 21

22 DNS Operation (3/3) Check cached DNS information on your system ipconfig /displaydns 22

23 Data Collection using DNS (1/2) Distinguishing DNS servers Primary DNS server: The central DNS server for the domain Secondary DNS server: Backup server on primary DNS server Cache DNS server: A temporary DNS server in case the connection between the primary DNS server and the secondary DNS server is not possible Information acquisition using DNS The primary security problem with DNS servers is that they do not limit the destination to the secondary DNS server Procedure Run nslookup Collecting Domain Information 23

24 Data Collection using DNS (2/2) Information acquisition using DNS Search what kind of server this DNS has A(Address): Corresponding IP address for the domain PTR(Pointer): Corresponding the domain for IP address NS(Name Server): DNS Server ANY(ALL): Show all DNS records 24

25 Network Security(CP33925) IP Address Tracing Learn how to track IP addresses Track the attacker's IP address directly 부산대학교공과대학전기컴퓨터공학부

26 Understanding IP Address Tracing Checking the Source IP Address 26

27 IP Address Tracing (1/5) Using Analyze header of received Using P2P Service File Transfer Hackers access the web bulletin board to understand the structure of the website and attack it. 27

28 IP Address Tracing (2/5) Checking the IP address of a web visitor Check the web server log settings Check the options for creating logs in [Control Panel] - [Administrative Tools] - [IIS Manager] Press <Select Fields> to see the currently set log field. 28

29 IP Address Tracing (3/5) Checking the IP address of a web visitor Check the web server log Log files can usually be found in 'C:\inetpub\logs\logfiles\ You can see the IP related information of the accessed clients from the log. 29

30 Using traceroute IP Address Tracing (4/5) A tool that verifies the IP address of a router through which a packet reaches its destination Use TTL value of UDP, ICMP and IP From the other party's known IP address, guess the Internet configuration that the other party belongs to If traceroute is configured differently each time and then, the path is fixed to one at a certain time, it may be being tracked. 30

31 IP Address Tracing (5/5) Use traceroute to determine the routing path Open Visual TraceRoute is able to determine the geographical location of a packet by plotting the flow of packets on the earth's top Sam Spade 31

32 Network Security(CP33925) Enumeration What footprinting is The relationship between ports and services Various port scan techniques Performing codification using SNMP 부산대학교공과대학전기컴퓨터공학부

33 Footprinting Footprinting Looking at footprints One of the ways to gather information about the attacked target Social Engineering Most of the events where passwords are actually exposed are due to social engineering Hacking to send and receive user accounts or password information between friends, or use things written on notebooks besides computers Information required for hacking User account of the system you want to penetrate Information about the person using the account to find the password Whether to use of bulletin board Identify security measures of partner companies or affiliates Note: It is better to search the target website after downloading 33

34 Scan (1/3) Scan Tasks to determine whether the server providing the service is operational and the services the server provides When you make a phone call, say 'Hello' on one side and say 'Hello' on the other side and confirm each other. Techniques Ping ICMP Scan TCP/UDP Scan 34

35 Scan (2/3) Ping A simple utility to make sure your network and system are working properly It uses the Internet Control Message Protocol (ICMP), and is used by default on TCP/IP networks. ICMP SCAN How to use ICMP to determine if the target system is active Using Echo Request (Type 8) and Echo Reply (Type 0) Using Timestamp Request (Type 13) and Timestamp Reply (Type 14) Using Information Request (Type 15) and Information Reply (Type 16) Using ICMP Address Mask Request (Type 17) and ICMP Address Mask Reply (Type 18) 35

36 Scan (3/3) ICMP SCAN Windows execution result Indicates the length of the ICMP packet (32 bytes for Windows, 56 bytes for Unix or Linux) The size of the ICMP Echo Reply packet sent from the victim Time from receiving Echo Request packet to receiving Reply packet 4 TTL (Time To Live) value (e.g., WINDOWS 98/NT/ , WINDOWS 10 64) 5 6 The number of Request packets, the number of Reply packets, the number of lost packets Time information from the request packet to the reply packet 36

37 TCP & UDP SCAN (1/5) TCP Open Scan Most basic scan using TCP Attacker Victim Attacker Victim Open port Closed port Stealth Scan Not only does not leave a log, but also deceives victims and hides their location TCP Half Open scan: A typical case 37

38 TCP & UDP SCAN (2/5) Stealth Scan FIN (Finish) Scan: No response if port is open; RST packet returned if closed. NULL Scan: Packets sent without flag (Flag) value XMAS Scan: Packets sent with both ACK, FIN, RST, SYN, and URG flags set Attacker Victim Attacker Victim FIN, NULL, XMAS FIN, NULL, XMAS No response Open port RST Packet Closed port 38

39 Scan with ACK packet TCP & UDP SCAN (3/5) After sending an ACK packet to all ports, it receives RST packet and analyzes When the port is opened, an RST packet with a TTL value of 64 or less, an RST packet with an arbitrary value other than 0 is returned When the port is closed, an RST packet with a constant TTL value and the window size 0 is returned Scan using TCP packets It does not apply equally to all systems, and is well known and thus, rarely applied. The scan method using the SYN packet is still valid and very effective because it cannot distinguish from a legitimate packet for establishing a session 39

40 TCP Fragmentation TCP & UDP SCAN (4/5) A TCP header with a size of 20 bytes is divided into two packets The first packet has the source and destination IP address, the second packet has the port number to scan The first packet passes through the firewall because there is no information about the TCP port, and the second packet can go through the firewall without the source and destination addresses. Scan using time difference to avoid Firewall, etc. How to send a lot of packets over a very short period of time or How to send a packet for a very long time Types Paranoid: Sends packets one at a time, every 5 or 10 minutes. Sneaky: Packets are sent every 15 seconds on the WAN and 5 seconds on the LAN. Polite: Send packets in 0.4 second increments. Normal: Normal case FTP Bounce Scan On a vulnerable FTP server, use the PORT command to check whether another port is enabled 40

41 TCP & UDP SCAN (5/5) UDP scan If the port is closed, the attack target will send an ICMP Unreachable packet, but will not send it if it is open (unreliable). Attacker Victim Attacker Victim UDP Packet UDP Packet No response Open port ICMP Unreachable Closed port 41

42 Practice (1/3) Scanning in a variety of ways: fping, hping3, sing, nmap Search fping package Used to check the list of network systems before scanning sudo apt-cache search fping* Verifying fping sudo apt-cache show fping 42

43 Practice (2/3) Scanning in a variety of ways: fping, hping3, sing, nmap Install fping sudo apt-get install fping Scanning with fping fping -q -a -s /24 -q: Hide ICMP Request and Reply -a: Shows the active system -s: Displays the results after the scan is finished 43

44 Practice (3/3) Scanning in a variety of ways: fping, hping3, sing, nmap Scan with nmap The most powerful tool you commonly use for port scans nmap - st st option: TCP Open Scan nmap - ss ss option: SYN stealth scan nmap - sf - p 80, p option: scan specific ports nmap -f - ss f Option: Packet to pass through firewall by hiding destination port to scan 44

45 Understanding Operating System (1/2) Banner Grabbing The most basic way to determine the operating system of a vitim system Techniques to identify banners similar to the telnet prompt that appear when you log into a remote system Banner grabbing for FTP telnet ftp SMTP 포트에대해배너그래빙하기 45

46 Understanding Operating System (2/2) Using Netcraft Shows various information about operating system of attack target. 46

47 Firewall Detection (1/2) Firewall Primary line of defense against intruders Determine whether to allow or block access Firewall detection The easiest way to determine if a firewall is installed is to use traceroute When you run traceroute, you see that * is being filtered by routing or a firewall exists 47

48 firewalk (firewalk) Firewall Detection (2/2) How to find the access control list (ACL) of a firewall firewalk principle If a firewall is detected, a TTL value that is one greater than the TTL to the firewall is generated and sent. If the firewall blocks the packet, no packets will be returned When the firewall sends the packet as it is, the packet disappears from the next router, and the router sends an ICMP Time Exceeded message (Type 11) like the traceroute process. The attacker can assume that the port that received the ICMP Time Exceeded message from is open. 48

49 Understanding SNMP (1/7) Simple Network Management Protocol (SNMP) Standard protocol for centralized management tools SNMP component It is divided into management system and agent. Configuration of the Agent Simple Network Management Protocol (SNMP): Transport Protocol Management Information Base (MIB): A set of objects to be managed Database of objects that an administrator can query or set Structure of Management Information (SMI): How to manage Criteria for creating and managing MIBs conforming to standards Minimum match between management system and agent communication Version, Community, PDU Type PDU Type 0: Get request, 1: Get next request, 2: Set request, 3: Get response, 4: Trap 49

50 Understanding SNMP (2/7) Communication between management system and agent Management System Agent UDP 161 Port UDP 161 Port UDP 161 Port UDP 162 Port Get Request: The management system reads the value of a specific variable. Get Next Request: The management system requests the value of the variable following the variable already requested Set Request: The management system requests a change of a specific variable value Get Response: The agent sends the corresponding variable value to the management system Trap: Notifies the management system of the specific situation of the agent 50

51 Understanding SNMP (3/7) Obtaining Information Using SNMP Vulnerabilities Anyone can view SNMP MIB information by default. Packets are transmitted in UDP and the reliability of the connection is low. Data can be sent in unencrypted plain text to be sniffed Install SNMP 51

52 Understanding SNMP (4/7) Obtaining Information Using SNMP Vulnerabilities Configure SNMP Community String Click the <Add> button on the [Security] tab of the [Properties] menu Permission is 'READ ONLY', community name is 'public Check 'Accept SNMP packets from any host and thus, register a community 52

53 Understanding SNMP (5/7) Obtaining Information Using SNMP Vulnerabilities Install snmpwalk (sudo) apt-get install snmp Scanning SNMP Verify that SNMP service port 161 is open nmap - su - p Crack Community String using nmap nmap - su - p script=snmp-brute snmpwalk scan 53

54 Understanding SNMP (6/7) Information you can get with SNMP (Windows system) System MIB: Host name, installed OS version, last boot time, etc. Interfaces: Loopback (the logical interface) and the physical interface In the case of a switch, you can check all the details of multiple interfaces. Shared Printers: Verifying shared printers Services: See a list of services running on the scanned system Accounts: Check the account used Shares: Identify shared resources TCP/IP Networks: Checking the list of connected networks Routes: Check the system's routing table UDP Services: Identify the providing UDP services TCP Connections: Check the current TCP session and open ports on the scanned system 54

55 Understanding SNMP (7/7) SNMP Security Countermeasures If you do not need SNMP, stop using SNMP. If you have to use SNMP, set the community as complex as a password to prevent it from being easily exposed Register IP address of system to use SNMP by setting host to send/receive packets 55

56 56