CSC 5930/9010 Offensive Security: OSINT

Transcription

1 CSC 5930/9010 Offensive Security: OSINT Professor Henry Carter Spring 2019

2 Recap Designing shellcode requires intimate knowledge of assembly, system calls, and creative combinations of operations But allows for truly flexible and customized attacks Some countermeasures that exist for exploits include careful logging, deep packet inspection (IDS), and stack modifications in the kernel Circumventing these measures requires continuous study and creativity thus, the "art" of exploitation

3 Attack Kill Chain Attacks take place from a variety of actors in a variety of positions, but they generally follow a pattern The Lockheed Martin kill chain enumerates possible phases of attack These phases tend to focus on malware-specific attacks The kill chain points to a more general pattern of reconnaissance, attack, and persistence in the system

4 Kill Chain Illustration

5 Intelligence Gathering Any attack requires some information about the target to determine how to proceed with the exploitation A significant amount of information can be found publicly Open Source Intelligence (OSINT) encompasses the data that can be easily gathered from public sources

6 What is OSINT? Open Source Intelligence is information gathered from publicly-available sources. This information is readily available to anyone who might want to hack your site. Sources may include Newspapers Web-based communities Public data Observation and reporting Professional and academic literature Maps Google!

7 How do I look? Search engines! This technique is well documented: e.g., searching publicly indexed web directories Scraping social media, Github, credential dumps, etc. OSINT Tools: Recon-NG Shodan

8 What am I looking for? addresses can reveal account names. Links can reveal unpublished web directories. Forums with entries of users from a company can reveal information about hardware/software used by the company and often can reveal poorly configured software. Job sites (dice mostly) may identify technologies a company is searching for. See who they're hiring and you may find out what they're weak in. Open directories on the company's site can reveal all sorts of useful intelligence. pastebin.com. Let anonymous help you do your job!

9 Internet Name Allocation The Internet Corporation for Assigned Names and Numbers (icann.org) and the Internet Assigned Numbers Authority (IANA) coordinate the assignment of Internet domain names (human readable names that identify groups of machines) IP address numbers (numbers used to route internet messages to the correct host) ICANN delegates its work to the Address Supporting Organization (ASO) The ASO allocates IP address blocks to Regional Internet Registries (RIRs). APNIC, ARIN, LACNIC, RIPE, AfriNIC Critical use: mapping target names and addresses!

10 Review: IPv4 addresses Octet (number in range 0-255) So-called because it is represented with 8 bits (one byte) IPv4 Addresses are comprised of 4 octets , , Originally, the internet would be assigned in network chunks of different sizes according to class: Class A networks: first octet starts with 0-bit (0-127), network address is one octet, three octets for host addresses (128 networks, 16,777,216 addresses). B/C used 2 or 3 octets for network address Allocated IP blocks are subdivide for access ISPs and organizations by assigning longer network addresses (CIDR) For any organization, we can look up the network address

11 Review: Host Domain Names Sequence of labels terminated by dots. The rightmost dot is implied if missing. The labels are strings of upper and/or lower case characters (A-Za-z), numbers, or hyphens. Resolved recursively from right to left using queries to name servers for each zone Examples helix.csc.villanova.edu whitehouse.gov Usually allows a more consistent mapping of resources if IP addresses are changing

12 Domain Registrant Information The whois application on Linux allows you to query public servers for registrant information Including names, addresses, admin contact info, etc. These servers can also be queried through web interfaces Try it out! Navigate to Provide a domain name If complete information is not available, you will be directed to another whois server with more complete information.

13 Dig The dig application allows you to query a domain from DNS and see the corresponding IP address Dig also allows reverse lookups, where you enter an IP address and it returns a domain name if the domain has configured a PTR record This allows you to map out the publicly exposed hosts (both IPs and domain names) within a target organization s network Try dig

14 Active Scanning After understanding the machines that are publicly available (including DNS and IP address space) you can start scanning for potential vulnerabilities Some information can be established from a simple port scan Many applications use designated port numbers More thorough scanning techniques look for additional information, such as Operating System Software version Configuration details

15 nmap Scanning software written by Fyodor (Gordon Lyon) Host discovery (ARP scanning) Port scanning (TCP/UDP) Version detection OS detection Scriptable interactions with the Nmap Scripting Engine (NSE) Scans ~1000 most popular ports by default

16 Vulnerability Scanners Nessus, Nexpose, and OpenVAS are the most popular commercial network audit tools. If there is no need for stealth in a penetration, you can discover services (in particular vulnerable services) using these tools. Typically, these operate as client/server applications. The client asks the server to scan machines/networks/etc. The server does the scanning. Your kali VM would normally act as both client and server. (You communicate to the server with a web browser.)

17 Web Scanners Scanners like Nikto will scan web servers for files and programs that can be exploited. It can also identify software version information and configuration flaws Scrapers like CeWL will search web page source code for words that can be used later to enumerate running servers, identify account information, or be used in password dictionary attacks The Burp Suite is among the most popular web testing tools, and contains a variety of scanners and exploit applications

18 Special-Purpose Scanners Some open source software and common commercial software has been studied/explored enough to demonstrate consistent exploitability Special-purpose scanners are designed to scan for vulnerabilities in a particular target application Examples include: WordPress Apache HTTP server Cisco brand routers

19 Stealth Many of these scanners send large volumes of specially formatted requests If an intrusion detection system is searching for scanning behavior, you may get blocked It s CRITICAL to know how a scanner works before you use it! Stealth scanners and scanning techniques may be required

20 Recap Any attack or penetration test must begin with intelligence A significant amount of information can be gathered from public sources DNS and IP allocation helps identify the public internetfacing machines within an organization Scanning tools allow you to enumerate what devices are listening and what software they are running Perseverance is key!!!

21 Next Time... Metasploit Tutorial Remember, you need to read it BEFORE you come to class! Quiz #7 will be based on the reading Complete and submit the scanning lab See Blackboard for due date 21