Hacking Exposed 7: Network Security Secrets & Solutions

The document outlines techniques for footprinting and profiling targets for hacking purposes. It discusses using tools like Tor, Privoxy, proxychains and Nmap to anonymously scan targets and identify vulnerabilities. Specific techniques covered include searching public records, employee profiles, DNS records and WHOIS data to gather intelligence prior to an attack. The goal of footprinting is to learn as much as possible about a target before attempting to hack into their systems or networks.

Uploaded by

Simone Duranti

Hacking Exposed 7

Network Security Secrets & Solutions

Book - Table of Contents
• Part I Casing the Establishment
– Footprinting
– Scanning
– Enumeration
• Part II Endpoint and Server Hacking
– Hacking Windows
– Hacking UNIX
– Cybercrime and Advanced Persistent Threats
• Part III Infrastructure Hacking
– Remote Connectivity and VoIP Hacking
– Wireless Hacking
– Hacking Hardware
• Part IV Application and Data Hacking
– Web and Database Hacking
– Mobile Hacking
– Countermeasures Cookbook
Part I Casing The Establishment
Case Study: How A Hacker Works
• IAAAS (It’s All About Anonymity, Stupid)
– The Onion Router (Tor), www.torproject.org
• Layered cryptography with SOCKS proxy
• Anonymous outgoing TCP connections
– Tor GUI client (Vidalia) and Privoxy (web filtering proxy)
– Google on browser for juicy targets
– tor-resolve instead of host for IP addresses
– proxychains to force connections through Tor
• Nmap to scan services on targets
– socat to relay persistently
• nc (netcat) to send requests to servers (check server version)
• Exploit vulnerabilities to pwn (own or compromise)

Hacking-Labs (slide image)

Hack The Box (slide image)

The Onion Router (TOR) - Overview (slide image)

TOR (slide image)
Vidalia

Vidalia is a discontinued cross-platform GUI for controlling Tor.
It allows the user to start, stop or view the status of Tor.
Privoxy
• Privoxy is a free web proxy for enhancing privacy, manipulating cookies and modifying web page data and HTTP headers before the page is rendered by the browser, e.g. filtering web pages and removing advertisements. Privoxy can be customized by users.

Tor-resolve (slide image)

Proxychains (slide image)

NMAP (slide image)

NMAP (slide image)

Chapter 1 Footprinting
• What is footprinting & why
• Internet footprinting
1. Determine the scope of your activities
2. Get proper authorization
3. Publicly available information
4. WHOIS & DNS enumeration
5. DNS interrogation
6. Network reconnaissance

What Is Footprinting?
• Footprint: profile of the target organization
• Why? It gives you a picture of what the hacker sees.
• Sun Tzu - The Art of War: Know yourself and your enemy!
• What to footprint/profile?
– Internet: domain names, network blocks and subnets, IP
addresses, TCP/UDP services, CPU arch, access control, IDS,
system enumeration, DNS hostnames
– Intranet: network protocols, internal domain names, network
blocks, IP addresses, TCP/UDP services, CPU arch, access control,
IDS, system enumeration
– Remote access: phone numbers, remote system type,
authentication mechanisms, VPN
– Extranet: domain names, connection source and destination,
type of connection, access control

Internet Footprinting
• Step 1: Determine the scope of your activities
– Entire organization or subsidiaries?
– Determine all, so as to secure them
• Step 2: Get proper authorization
– Layers 8 and 9: politics and funding
– Get-out-of-jail-free card
• Step 3: Publicly available information
– Nothing short of amazing!

Publicly Available Information
Company Web Pages
• Unexpected finds: security configuration, asset inventory spreadsheet, etc.
• HTML source code (faster to review offline)
– Things buried in comment tags: <!-- ... -->
– Website mirroring tools for offline viewing: Wget (Linux), Teleport Pro (Windows)
• Enumerate hidden files and directories recursively
– OWASP’s DirBuster
• Easy to detect: proxy through Privoxy
• Remote access to internal resources via browser
– Proxy to internal servers (e.g. Microsoft Exchange server)
• Look for other sites beyond the main one
– www1, www2, web, test, etc.
– VPN sites
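A defender's counterpart to the "comment tags" and "unexpected files" points above: a review script for a site you have mirrored yourself (for instance with Wget, as the slide suggests) that pulls every HTML comment and every link to an unexpected file type out of a page and flags the ones that deserve a human look. This is an added example, not code from the book or the lecture; the keyword list, the extension list and the sample page are assumptions to tune per site.

```python
"""Review mirrored HTML (e.g. Wget output) for information leaks hidden in
comment tags and in links to unexpected files such as spreadsheets or config
files. Added example for the footprinting slides, not the book's own code."""
import re
from html.parser import HTMLParser

# Assumption: keywords that make a comment worth a human look; tune per site.
SENSITIVE = re.compile(
    r"\b(password|passwd|todo|fixme|internal|staging|admin|vpn|db)\b", re.I)
# Assumption: file types that should not normally be linked from a public page.
UNEXPECTED_EXT = re.compile(r"\.(xlsx?|csv|bak|conf|cfg|ini|sql|zip)$", re.I)

class LeakScanner(HTMLParser):
    """Collects (kind, value) findings while the parser walks the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        # Comments are invisible in the browser but present in the source.
        text = " ".join(data.split())
        if SENSITIVE.search(text):
            self.findings.append(("comment", text))

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            # Strip any query string before checking the file extension.
            if name == "href" and value and UNEXPECTED_EXT.search(value.split("?")[0]):
                self.findings.append(("link", value))

def scan_html(html):
    """Return the list of (kind, value) findings for one page's HTML."""
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page standing in for one mirrored file.
SAMPLE = """<html><body>
<!-- TODO: remove staging login before launch; admin password is in config.ini -->
<!-- layout by external agency -->
<a href="/docs/asset-inventory.xlsx?v=2">Inventory</a>
</body></html>"""

if __name__ == "__main__":
    for kind, value in scan_html(SAMPLE):
        print(f"{kind}: {value}")
```

Run it over every file of the mirror (for example with a loop over `glob("site/**/*.html")`) and treat each finding as a candidate for removal under "periodically review and remove public but sensitive data".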
Publicly Available Information
Related Organizations
Location Details
• Related organizations
– Look for references and links to other organizations
• Outsourced web development
– Partners might not be security-minded
– Social engineering attack
• Location details needed for
– Dumpster diving, surveillance, social engineering, unauthorized access, etc.
– Images
• Google Earth, Google Maps – Street View (Wi-Fi MAC addresses), Google Locations and Skyhook (MAC address -> location: “How I Met Your Girlfriend” – BlackHat 2010 demo)
Google tracking Wi-Fi (slide image)

Publicly Available Information
Employee Information (1/2)
• Names -> e-mail addresses, usernames
• Phone numbers -> physical address, social engineering
– Phonenumber.com, 411.com, yellowpages.com
• Other personal details
– Blackbookonline.info, peoplesearch.com
• Home phone number, address, social security number, credit history, criminal record, etc.
– Social/information/professional networking, career, family ancestry, photo management sites
• Facebook.com, Myspace.com, Reunion.com, Classmates.com, Twitter.com, Linkedin.com, Plaxo.com, Monster.com, Careerbuilder.com, Dice.com, Ancestry.com, Flickr.com, Photobucket.com
• Business directory services: JigSaw.com
– Used by sales teams
– Paid-for services with incentive award points for new or updated entries
Publicly Available Information
Employee Information (2/2)
• Job posting and resumes
– “Checkpoint firewalls and Snort IDS” tells much!
– Google “company resume firewall” to get resumes
from current and past employees
– Search on job sites (monster.com, careerbuilder.com)
– Watch disgruntled and ex-employees: revenge!
• Employee’s home computers
– Remote access to the target
– Keystroke logger: free ride to the target!
• Impersonate a trusted user!

Publicly Available Information
Current Events
• Mergers, acquisitions, scandals, layoffs, rapid hiring,
reorganization, outsourcing, temporary contractors
• Merger or acquisition
– Blending of organizations’ networks
• Less or disabled security
• Human factor
– Low morale -> updated resumes
– Unauthorized guests
• SEC (Securities and Exchange Commission) reports
– Periodical reporting: 10-Q (quarterly) and 10-K (annual)
– Sec.gov -> organizational charts
• Business info and stock trading sites
– Yahoo!Finance message boards
Publicly Available Information
Privacy or Security Policies
Archived Information
• Privacy or security policies
– Technical details indicating the types of security
mechanisms in place
• Archived information
– Archived copies can reveal more than current copies
– Archive.org & cached results at Google

Publicly Available Information
Search Engines and Data Relationships
• Google.com, bing.com, yahoo.com, dogpile.com, ask.com
• Search strings used by hackers - Google Hacking Database
(GHDB) at hackersforcharity.org/ghdb/
• Search Google’s cache for vulnerabilities, errors,
configuration issues, etc. – Athena (snakeoillabs.com),
SiteDigger (foundstone.com), Wikto
(sensepost.com/research/wikto)
• Analyze metadata in web files for info leaks – FOCA
(informatica64.com/foca.aspx)
• Mining and linking relevant pieces of info on a subject –
Maltego (paterva.com)
• Public Database Security Countermeasures:
– Site Security Handbook: RFC 2196
– Periodically review and remove public but sensitive data!
allinurl:tsweb/default.htm
• Microsoft Windows servers with Remote
Desktop Web Connection exposed
• Google Hacking Database (GHDB), found
at hackersforcharity.org/ghdb/

Step 4: WHOIS and DNS Enumeration
• Domain names, IP addresses, port numbers
– Centrally managed by ICANN (Internet Corporation for Assigned
Names and Numbers)
– Hierarchically stored in WHOIS/DNS servers
• The three R’s of WHOIS: registry, registrar, registrant
• To look up keyhole.com, start from whois.iana.org
– Find the registry and registrar for .com (verisign-grs.com) and then keyhole.com (markmonitor.com)
– Find the registrant details of keyhole.com (for later spoofing)
– Web whois or command-line whois
– Automated tools (allwhois, uwhois) and GUI tools (SuperScan, NetScanTools Pro)
• To look up 61.0.0.2, start from arin.net
– Find apnic.net, then find National Backbone of India
– But keep in mind the IP address might be spoofed/masqueraded
Internet Infrastructure

Internet today: about 40,000 autonomous systems and 400,000 IP prefixes

The hierarchical infrastructure of the Internet:
• Tier 1: Full mesh network
• Tier 2: National Internet providers
• Tier 3: Local Internet Service Providers
Public Database Security Countermeasures
Administrative contacts, registered net blocks, authoritative name servers

• Keep administrative contacts up-to-date
• Anonymize administrative contacts
• Authenticate updates rigorously to avoid domain hijacking
– AOL in 1998: redirected traffic

DNS - Start Of Authority (SOA) record (slide image)

DNS record types (slide image)

Step 5: DNS Interrogation
• Obtain revealing info about the organization by querying
DNS servers (domain name <-> IP addresses)
• DNS zone transfer by untrusted users
– Due to misconfiguration
– From primary server to secondary server
– Private DNS info: internal hostnames and IP addresses
– dnsrecon
• nslookup
– mapping and getting all resource records (A, RP, MX, HINFO, etc.)
– HINFO: host info
– Search with grep, sed, awk, perl
– Scripts: dnsenum, dnsmap, fierce, host

DNS Security Countermeasures
• Restrict zone transfer to only authorized
servers
– named.conf in BIND
• Configure a firewall to deny unauthorized inbound connections to TCP port 53 (thwarts zone transfers)
• Configure not to provide internal DNS info
• Discourage the use of HINFO records

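The record review behind "Configure not to provide internal DNS info" and "Discourage the use of HINFO records", written as an added example (not the book's or the lecture's code) that also covers the Step 5 idea of dumping all resource records and searching them with grep-style tools: it parses zone-file style records, such as an authorised AXFR of your own zone or a saved nslookup dump, and flags HINFO records and RFC 1918 / IPv6 ULA addresses published in the public zone. The accepted record format and the sample zone are assumptions.

```python
"""Audit the records a public zone hands out (zone file or an authorised AXFR of
your own server) for HINFO records and internal addresses. Added example."""
import ipaddress

# RFC 1918 ranges plus IPv6 unique local addresses: these belong on internal
# DNS only and should never appear in the public zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_zone(text):
    """Parse one record per line in 'name [ttl] class type rdata' form.
    Assumption: no $ORIGIN/$TTL directives and no multi-line ( ) records."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # drop zone-file comments
        if not line:
            continue
        parts = line.split()
        # The TTL is optional; detect it by checking whether field 2 is numeric.
        offset = 1 if parts[1].isdigit() else 0
        name, rtype = parts[0], parts[2 + offset].upper()
        records.append((name, rtype, " ".join(parts[3 + offset:])))
    return records

def audit_zone(text):
    """Return (name, reason) findings for records that leak internal detail."""
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype == "HINFO":
            findings.append((name, f"HINFO reveals hardware/OS: {rdata}"))
        elif rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue  # malformed rdata is a different problem
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((name, f"internal address published: {rdata}"))
    return findings

# Constructed sample zone; example.com is reserved for documentation.
SAMPLE_ZONE = """
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 86400
www.example.com.      3600 IN A     192.0.2.10   ; public web server, fine
intranet.example.com. 3600 IN A     10.1.2.3     ; should live on internal DNS only
intranet.example.com. 3600 IN HINFO "Intel x86" "Linux"
"""

if __name__ == "__main__":
    for name, reason in audit_zone(SAMPLE_ZONE):
        print(f"{name}: {reason}")
```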
Step 6: Network Reconnaissance
• Network topology and access path diagram
• traceroute, tracert, visualroute, McAfee’s
NeoTrace, Foundstone’s Trout
– Find the exact path (IP nodes – routers, firewall, etc.)
– Leverage TTL and ICMP
• Thwarting Network Reconnaissance
Countermeasures
– Intrusion detection: snort, bro
– Configure border routers to limit ICMP and UDP traffic
to specific systems

Summary
• Footprinting: tedious work that must be done regularly
• Automate tasks by shell, Python, Perl scripts
• Minimize info leaks
• Implement monitoring

Homework #1
1. (20 points) Select a web site.
1) Use “Wget” or “Teleport Pro” to mirror the site. Look for comments within comment tags. Give screen
dumps and explain what you found.
2) Use “DirBuster” with a proxy feature through “privoxy” to enumerate hidden files and directories. Screen
dump and explain the hidden files and directories you found.
2. (20 points) Look up “How I Met Your Girlfriend” in the BlackHat 2010 demo and explain, in half a page, how this was done.
3. (20 points) Select a person. Use online sites for phone books, social networks, information, jobs, photo management, business directories, jigsaw.com, etc. to summarize, with screen dumps and explanations, what information you can get. If your target is not in the US or is not a native English speaker, you might need to use online sites different from those in the textbook.
4. (20 points) Google “XYZ resume firewall” and “XYZ resume intrusion detection”, where “XYZ” is the name of your target company. Screen dump “useful” results and explain what you got.
5. (20 points) Look up Archive.org and Google cached results, and select a target web site. Compare the differences between an archived and cached copy and its current online web site. Give a screen dump and explain the differences.
6. (20 points) Find the Google Hacking Database at hackersforcharity.org/ghdb/. Summarize what it has and select 3 strings to search. Screen dump and explain what you got.
7. (20 points) Select a web site. Start from whois.iana.org to find its registry, registrar, and registrant. Also select an IP address. Start from arin.net to find who owns the IP address. Show your screen dump and explain.
8. (20 points) Select a domain name. Use nslookup to dump its DNS records. Show your screen dump and explain.
9. (20 points) Select a domain name. Use traceroute or similar tools to find the access path to that domain. Show your screen dump and explain.
10. (bonus: 40 points) Follow the case study right before Chapter 1. Select one target and run through all tools (Tor, Vidalia, Privoxy, tor-resolve, proxychains, Nmap, socat, nc). Screen dump the process and explain what you got on your screen.
