This report shows where and how a hacker can find information about the target organisation. From the simple physical location or the Internet presence of the organisation the hacker can use methods and techniques to infiltrate any organisation. The more information the hacker can gather the easier the infiltration can be achieved. This report details some of the methods and techniques a hacker can use and some of the countermeasures an organisation can employ in order to foil the hacker.
Introduction
In order to combat the hackers out there and keep an organisation secure administrators must understand the methods and techniques employed by hackers to gain information about and access to their organisation. The biggest ally to a hacker is complacency where the administrator thinks that as the organisation has not already been hacked into the security in place must be adequate. Because there are no visible traces of a hacker in the system does not means he is not there, there are new methods and techniques being devised everyday and hackers are becoming stealthy. Therefore an administrator has to monitor and revise the security of the organisations network on a regular basis and it pays to find out what new methods and techniques the hackers have access to before they are being used on the organisation. Administrators should be proactive not reactive.
There are three basis steps that a hacker can employ on order to gain the information required to infiltrate an organisation, which are Footprinting, Scanning and Enumeration each of which is explained in more detail in the following sections of this report.
Footprinting
Footprinting is the term used to describe the methods and techniques employed by a hacker to scope out and understand everything about the selected target. The hacker wants to gather as much information as possible about the intended target in order to compile a footprint or profile of the target organisations security. This can be a long drawn out process but with patience, determination and use of the correct tools the hacker can determine a networks domain name, network block, subnets, routers and IP address ranges. Footprinting can be performed on the Internet, Intranets, Extranets and remote access environments and can be used to glean critical information about the intended target.
Publicly Available Information
The hacker uses information that is readily available to the public over the Internet, such as the organisations web site which can provide information on related organisations, location details, telephone numbers and email addresses for employees and much more. The following are just some of the methods a hacker can employ to gain the information required to infiltrate an organisation.
The Organisations Web Site
Teleport pro is a website mirroring tool which can be utilised to download a web site to the hacker's machine in order that it can be browsed for information at a later time. This software takes a mirror copy of all the details of the website for offline viewing and the hacker can browse through the site and source code at his leisure. A mirror image of the UWS website taking with teleport pro is shown in Figure 1. Even without looking at the source code of the website there are names, such as Sam McKinstry and Harry Burns who must be of key personnel in UWS. These names and finding out the format for UWS mail addresses could be very useful to any hacker.
Without mirroring the site a hacker can still find numerous pieces of information, such as related organisations, location details, contact email addresses/telephone numbers and even usernames, on an organisations website.
Search Engines
Search engines, such as Google and Yahoo, can be very useful tools for any hacker as they can help to find sensitive and critical information about an organisation through their advanced search options. Performing a Google search for www.uws.ac.uk/vpn (Figure 2) delivered results showing links to VPNs (Virtual Private Networks) and when the link for Swansea University (Figure 3) was clicked the web site gave very detailed instructions on how to establish a connection to their VPN. This information could be very useful for a hacker.
Google Earth is also a great tool for any hacker as it can be utilised to find out the exact location of the target organisation which can lead to access to wireless networks, illegal entry into the organisation's building, dumpster-diving and other non technical means of attack.
Countermeasures for Publicly Available Information
If the organisation trades with the public over the Internet much of the information already discussed must be made readily available but an administrator should pay close attention to exactly what information is being displayed. Information which can be directly traced back to the organisation can be avoided by the use of aliases.
WHOIS & DNS Enumeration
Internet Corporation for Assigned Names and Numbers (ICANN) and Internet Assigned Numbers Authority (IANA) are very similar organisations. IANA had the sole responsibility for the technical functioning of the Internet until ICANN was created in 1998. IANA still performs a lot of the day to day operations but some of the other responsibilities have been taken over by ICANN which is responsible for the issuing of globally unique IP address numbers, Internet domain names, protocol parameters and port numbers required for the functioning of the Internet. It also has the responsibility of the coordination of the root DNS server system on the Internet.
Domain Searches
Whilst the use of these organisations centralises the management of the Internet the actual data is stored on lots of WHOIS servers across the globe. These servers can be queried to establish the 'Three R's' of WHOIS which are the Registry, the Registrar and the Registrant. The Registry for the organisations TLD (Top Level Domain (in the case of ICANN this is the '.org' portion of the address) holds the information of who the organisation registered its domain with (Registrar). The Registrar holds the information on the Registrant of the domain name.
In the following example the registry is shown to be Verisign.gre.com, the registrar is shown to be GoDaddy.com and the registrant is ICANN.
Taking the process of domain lookup on step further by accessing the GoDaddy website revealed further details of ICANN including location, email addresses for administrative contact and telephone numbers for the organisation.
The telephone number for ICANN revealed on the GoDaddy website can be entered as a search parameter on another website such as www.phonenumber.co.uk and the resulting links can be used to dig even further into the ICANN organisation.
One of the links contained on the phonenumber website leads to the DNS Ops Logs for ICANN which is a real time log of the DNS operations for ICANN and can be used to find out the configuration of the ICANN DNS servers
IP Searches
RIRs (Regional Internet Registries) manage all IP related issues and are part of ICANN's ASO (Address Supporting Organisation). If hacker chooses any of the numerous RIRs and conducts a WHOIS search for a particular IP address, the RIR will tell him if it manages that address or not. If it does not manage that particular IP address it will point the hacker to the RIR which does and the hacker can then perform another WHOIS search on that site. The IP address can be tracked through numerous RIRs until the owner's identity is revealed. Different governments and different organisations offer various levels of cooperation. IP ranges can also be established by querying the RIRs using the organisation's name, this will give the IP address range of the organisation, its ASN (Autonomous System Number) and the BGP (Border Gateway Protocol) system number. Both the ASN and the BGP can be utilised at a later date for BGP enumeration. The administrative contact, telephone numbers and fax numbers can also be revealed and these can be very useful to the hacker as they can be used to contact unsuspecting users within the organisation, posing as the administrative contact, asking them to change third passwords.
Countermeasures to Domain and IP Searches
Whilst Internet registration of the domain name of the organisation requires administrative contacts, registered net blocks and authoritative name server information steps should be taken to ensure the organisations security. These steps can be as simple as using a toll free telephone number which is not connected to the organisations telephone exchange or using the anonymity element of the organisation domain name provider. GoDaddy offers a private registration feature for minimal cost which means that it will not display critical data such as telephone numbers, email addresses and location of the organisation. This feature would go some way to stalling the hacker.
Interrogating DNS
Insecure configuration of DNS servers can lead to critical information being revealed about the organisation. An administrator who has insecurely configured DNS and allows DNS zone transfers to be carried out by untrustworthy Internet users runs the risk of critical organisational information being leaked. This information can be used to launch an attack which could not be undertaken without it. Under normal circumstances DNS zone transfers are only required between the master and secondary master servers but badly configured DNS can lead to the transfer being performed by anyone who asks. This need not be a problem if a public/private DNS mechanism is used to separate external and internal information, but if this mechanism is not in place the untrustworthy Internet users can access internal hostnames and IP addresses.
Nslookup
Nslookup client, which is built into most UNIX and Windows operating systems, is the easiest method for a hacker to perform an unauthorized DNS zone transfer. The interactive mod of nslookup reveals the default nameserver. Different record type queries will show different DNS records for example an MX query will show the mail exchange records whilst an any query will show all DNS records. The domains associated records can be shown with the ls command and all of the domains records by using the -d command. All of this output can be redirected to a file, such as /tmp/zone_out, in order that the hacker can peruse it at a later time.
Countermeasures for Interrogating DNS
All zone transfers can be restricted to only being able to be performed between authorized servers. TCP port 53 can be configured with a firewall or packet filtering router to stop all inbound unauthorized connections or cryptographic TSIGs (Transaction Signatures) can be used in order that only trusted hosts are allowed zone transfer information. The configuration of external nameservers can be done in such a way that internal network information is never revealed.
The hacker has now established the organisation's IP address range, the physical location, administrative contact, telephone numbers and email addresses. All of this information can now be utilised to scan the network for vulnerabilities.
Scanning
A hacker can find many tools, readily available on the internet, to aid in the gathering of information about the company that is the focus of the intended infiltration. Many of these tools are intended for use by an administrator in the monitoring and auditing of their network. Once the hacker has established the IP address of the intended victim, via the footprinting techniques, these tools can be utilised to scan for active nodes and open ports.
Ping Sweep and Port Scan
The hacker will perform ping sweeps to determine which of the nodes are active and then do port scans on the active nodes to determine which ports are open or in a listening state. Port scanning can also be used to determine the operating systems and applications running on the network. Some of these methods are detailed below.
fping
fping can be used to establish if a host node is active by sending ICMP (Internet Control Message Protocol) echo requests in a round robin configuration to multiple hosts at one time. This can be achieved by either entering the individual IP addresses in the command line or by creating a file containing all of the addresses and specifying this file to be used by fping. The file to be created should contain all of the IP addresses to be pinged n the sweep but simple method of achieving this is to use the format:-
172.16.16.1
….
172.16.16.254
When this file is read all of the addresses between 172.16.16.1 and 172.16.16.254 inclusive will be pinged simultaneously and the replies or lack of reply can be analysed to establish which nodes are active on the win.net network.
Nmap
Network Mapper, shortened to nmap, is a free open source utility that can be used to explore network and audit the security on that network. It can also be used for inventorying the network, monitoring host and service uptime and scheduling service upgrades. Nmap can be utilised to determine the active hosts on a network, the operating system being used, the services that are running on the hosts and much more. This is a widely used utility that is included in many Linux operating systems.
With the use of the many option, such as -PT and -sS, this utility can be used by hackers to establish the vulnerabilities of any network. The format for using nmap is;
nmap (scan type) (option) target
Figure 8 shows a scan type -sP (ping scan), the option is -PT80 (scan port 80) and the target is the lin.net network (172.16.32.0/24). Port 80 is used as it is a common port which is often the port that systems allow though their firewall. A non-stateful firewall is more likely to allow the TCP ACK packets through and the node sends a RST packet which informs the hacker that the node is active. The result of the ping scan on the lin.net network shows that nodes 1, 2, 4 and 5 are all online and their IP and MAC addresses are supplied. Also shown are the systems that these nodes are running on which are either Cisco or Cadmus (the system run on Virtual Box). Nmap scanned 256 IP addresses on the network in 10.710 seconds and discovered 4 hosts up.
Figure 9 shows a scan completed when the ports are closed on most of the nodes on the win.net network. Even although the ports are closed the IP addresses and names of the nodes can be determined. The only ports that are open are the ports on the network printer and the scan shows that the open ports are TCP/ filtered ports and the services running on each of these ports.
Another scan that can be undertaken is TCP SYN scan, also known as a half-open scan, where a full connection to the target is not established only a SYN (Synchronise) packet is sent. This is type of stealthy scan and if the target responds with SYN/ACK (Synchronise/ Acknowledge) it is known that the port is in listening state. A port that is not in the listening state will generally respond with a RST/ACK (Reset/Acknowledge). The hacker will respond to this RST/ACK with another RST/ACK with the intention that a full connection is never established with the target. It is still possible for the hacker to gain information from the target using a stealthy scan as is shown in the following two diagrams (Figures 10 & 11) where a stealthy scan was performed on the win.net network using nmap and the option -sS.
The operating system that is running on the target system and all of the open ports and services running on these ports can be displayed using the -O option on nmap. This action can performed on each of the nodes in the network including the routers and gives the hacker the information required to follow up with enumeration of the network.
Zenmap
Zenmap is the is the Windows version of nmap and as can be seen n the following diagram it gives the option for a wide variety of scans including ping scan, intense scan and quick scan. All the user has to do is enter the targets IP address and choose which scan to complete.
Diagram 13 shows the results of an intense scan on the win.net network. The open ports on each of the nodes on that network can be seen with the port type. Zenmap also completed stealth scans on each of the nodes and showed the number of nodes still to be scanned.
Zenmap is GUI based software and has a feature which details the topology of the network being scanned. This allows th hacker to see at a glance the relationship of all of the nodes on the network with each of their IP addresses.
Another feature of Zenmap is the host details tab which allows the operating system and an overview of the network to be seen. All of this information is able to be used by the hacker to infiltrate the organisation and find out even more details.
SuperScan
SuperScan is a Windows port scanner and is on of the best, most consistent and flexible tools an administrator has for assessing the network. It scans both TCP and UDP ports as a rule. And has many other features to aid the administrator in his work. These features can be utilised by a hacker to access infinite amounts of information about the network.
Figure 16 shows the results of a scan performed on win.net and lin.net where the open ports and the services running on these ports are shown. The results also show versions of the services running, time stamps and content types. All of this information is very useful to a hacker trying to infiltrate a network.
Countermeasures for Ping Sweeps and Port Scanning
Both ping sweeps and port scanning can be countered by two methods either detection or prevention. Which ever methods are used the administrator has to be vigilant and monitor the log files regularly in order to establish patterns of activity. These patterns of activity could alert the administrator to the fact that someone is sweeping or scanning the network trying to find a way in.
The detection of ping sweeps and port scans can be achieved with the use of IDS (Intrusion Detection Systems) such as Snort. There are a number of UNIX utilities which can be employed to detect and log ICMP packets, such as Scanlogd and Courtney. McAfee, Symantec and Checkpoint all offer desktop firewall tools which can be used to detect and log ping sweeps in a GUI based system. For the detection of port scans in a Windows environment there is a program called Attacker available from Foundstone which aids the administrator by detecting and logging these types of scans.
Prevention of ping sweeps can be achieved by evaluating the types of ICMP traffic that is allowed on the network. Firewalls can also be configured to filter the ICMP traffic and the filters can be configured to only allow certain types of packet through. Further configuration can be done so that these packets are only allowed to access certain nodes on the network. Another method for prevention of ping sweeps is to limit the ICMP traffic with ACLs (Access Control Lists) to certain IP addresses of the ISP. This allows the ISP to monitor connectivity but makes it harder for hackers to ping sweep the network.
Prevention of port scans is a more difficult task as most ports require being open if the network is going to function but if there are any unnecessary services these can be disabled in the start-up scripts for UNIX. In The Windows environment disabling services is a more difficult task as this environment relies on TCP ports 139 and 445 to be able to function correctly.
Enumeration
Enumeration is the process a hacker employs to use the information about live nodes, operating systems and services running on the networks which has been gathered using the footprinting and scanning techniques. Enumeration takes the scanning techniques one step further by establishing active connections to the target system and initiating direct queries. These queries can give the hacker the means to infiltrate and find user names and passwords, unsecured shared resources and security vulnerabilities caused by older versions of software. The port scans and operating system scans discussed earlier in this report are especially helpful to a hacker when it comes to enumeration as most techniques are platform specific. Many of the port scanning tools utilised by the hacker also offer methods of enumeration. It is only a matter of time before the hacker can infiltrate the system after enumeration has been performed. Enumeration can be performed on any of the 65,535 TCP or UDP ports on a system therefore only some of these have been detailed in this report.
Banner Grabbing
Banner grabbing is the basic numeration technique and is a method whereby the hacker can connect to and receive output from remote applications. This information contains such things as the brand and version of the service running.
Telnet is built in to most operating systems and is a tool for communicating with remote nodes. It can be utilised by the hacker for banner grabbing. The hacker only has to open a telnet connection to a port that has been identified through th port scanning techniques in order to receive useful information.
Figure 17 shows the type of information that can be accessed using telnet to perform a banner grab. The document type is shown to be HTML public, the operating system is Debian (Linux), and it is running Apache 2.2.9 Web Server with PHP 5.2.6 running. It also displays the full address for the server which is debian.student.uws.loc. All of this information is easily acquired and very helpful to the hacker.
Countermeasures for Banner Grabbing
The most reliable methods of countering banner grabbing are either disabling unnecessary services or using ACLs to restrict access to services. Finding a way to stop the brand and version of critical services being displayed is also a means of countering this type of attack.
FTP Enumeration
Accessing the contents of File Transfer Protocol (FTP) repositories is another means gaining information used by hackers. Most operating systems have an FTP client built into them and it is a very simple process to use this client to connect to an FTP server. The method for establishing an FTP connection can be seen in Figure 18 where an anonymous login was achieved using a fake email address. This login resulted in th remote system type being revealed and a data connection being established where the files on the node could be listed.
Countermeasures for FTP
Turning off the FTP service is the best method of countering this type of attack. The administrator should also be wary of any anonymous FTP and restrict the uploading of files.
Netbios Name Service (NBNS) Enumeration
NBNS is a Windows based naming distribution system which has mainly been replaced by the Internet based naming standard DNS. This utility is still built into most versions of Windows and is enabled by default. NBNS enumeration is one of the simplest methods of enumeration as the tools and techniques are easily found, some even coming built into the operating systems. Net view, nbtstat and nbtscan are all tools which are built into Windows operating systems and can be used by hackers to enumerate the target system.
Net view is a command line tool which lists the domains on the network and even goes as far as to open up the domain and list individual nodes. This can be seen in Figure 19 where the win.net network was probed.
Nbtstat connects to individual machines within the network for enumeration and gives results showing the name of the system, which domain it is connected to, the names of any users logged on, services running and the MAC address of the network interface hardware. Each of these units are able to be identified by their NetBIOS service codes for example a computer name with a [00] code denotes a workstation service whilst the domain name with a [00] code denotes a domain name. Figure 20 shows the results of an nbtstat scan on the win.net network.
The problems with nbtstat is that it can only b used on individual nodes and that the output is rather enigmatic with the need to understand the codes.
Nbtscan on the other hand can be used to give the same results over the entire network at the same time and does not use the codes.
Countermeasures for NetBIOS Name Service (NBNS) Enumeration
All of the techniques discussed for NetBIOS Name Service enumeration operate via UDP port 137 therefore the administrator should restrict access to this port ether on individual nodes or at the network routers. The problem with restricting access at the network routers is that Windows name resolution will be disabled across these routers. Disabling of the Alerter and Messenger services on individual nodes will prevent user data being shown on NetBIOS name table dumps.
User Enumeration
User enumeration is probably the easiest type of enumeration as most Windows environments readily give this information when a null session scan is performed. The following examples demonstrate the type of information that can be acquired when enumerating users.
DumpSec
DumpSec, which was once known as DumpAcl, is one of a security administrators best tools but can also be just as useful to a hacker. It does everything from auditing the file system permissions to auditing remote system services. DumpSec can be used on the command line and can retrieve user information even on a null connection. Using DumpSec can generate such information as lists of users/groups, system policies and user rights. Figure shows a list of users and their password details generated using DumpSec.
Superscan
Superscan can be used to perform numerous enumeration techniques automatically, including NetBIOS name tables, Account Policies, Logon Sessions and User scans.
When it cans the users it gives details of the full name, when they last logged in to the system, when their passwords expire and when their passwords were last changed. All of these details and the list of the types of enumeration scans that can be carried out using Superscan can be seen in Figure 22.
Conclusion
References
