Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Similar documents
Hacking Techniques & Intrusion Detection

NCS490 Penetration Testing. Ronny L. Bull, MS Lecturer Computer Science Department. Spring 2014

Vulnerability Assessment and Penetration Testing

How-to: DNS Enumeration

Part I - Gathering WHOIS Information

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Penetration Testing with Kali Linux

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

smtp-user-enum User Documentation

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Attacks and Defense. Phase 1: Reconnaissance

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Lecture 5: Network Attacks I. Course Admin

Learn Ethical Hacking, Become a Pentester

Glossary of Technical Terms Related to IPv6

Penetration Testing Workshop

1. LAB SNIFFING LAB ID: 10

Looking for Trouble: ICMP and IP Statistics to Watch

Intelligence Gathering. n00bpentesting.com

Computer Security and Penetration Testing. Chapter 2 Reconnaissance

DNS Basics. DNS Basics

Basic DNS Course. Module 1. DNS Theory. Ron Aitchison ZYTRAX, Inc. Page 1 of 24

Introduction to Network Operating Systems

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Andreas Dittrich, Philipp Reinecke Testing of Network and System Security. example.

Footprinting and Reconnaissance Tools

!!!!!!!!!!!!!!!!!!!!!!

Vinny Hoxha Vinny Hoxha 12/08/2009

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security Sans Mentor: Daryl Fallin

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Applications and Services. DNS (Domain Name System)

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.

TESTING OUR SECURITY DEFENCES

IBM. Vulnerability scanning and best practices

WHAT WE WILL LEARN IN THIS ISSUE?

Networks University of Stirling CSCU9B1 Essential Skills for the Information Age. Content

Introduction to Network Discovery and Identity

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Lab Objectives & Turn In

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Linux Network Security

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015


Penetration Testing Report Client: Business Solutions June 15 th 2015

Security of IPv6 and DNSSEC for penetration testers

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. abechtsoudis (at) ieee.

Penetration Testing Automation System

A fresh new look into Information Gathering. Christian Martorella IV OWASP MEETING SPAIN

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Distributed Systems. 22. Naming Paul Krzyzanowski. Rutgers University. Fall 2013

Audience. Pre-Requisites

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

41376 UDP performing get device status Command Workstation (CWS), Harmony, Bi-directional Driver TCP/UDP

Penetration Testing Lab. Reconnaissance and Mapping Using Samurai-2.0

Internet Security [1] VU Engin Kirda

McAfee Certified Assessment Specialist Network

Penetration Testing 2014

PKF Avant Edge. Penetration Testing. Stevie Heong CISSP, CISA, CISM, CGEIT, CCNP

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Introduction on Low level Network tools

DNS Root NameServers

Penetration Testing Walkthrough

Build Your Own Security Lab

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

An Introduction to Network Vulnerability Testing

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Mathatma Gandhi University

Assignment One. ITN534 Network Management. Title: Report on an Integrated Network Management Product (Solar winds 2001 Engineer s Edition)

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

CIT 380: Securing Computer Systems

Firewalls. Pehr Söderman KTH-CSC

Chris Gates

A Study on The Information Gathering Method for Penetration Testing

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

External Network Penetration Test Report

Configuring Security for SMTP Traffic

Si no quieres que sepa tu nombre, por que llevas el DNI en la frente? Christian Martorella CISSP, CISA

ECE 4321 Computer Networks. Network Programming

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Virtual Server and DDNS. Virtual Server and DDNS. For BIPAC 741/743GE

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Detecting rogue systems

Client logo placeholder XXX REPORT. Page 1 of 37

Introduction to Network Penetration Testing

Conducting an IP Telephony Security Assessment

Analysing Port Scanning Tools and Security Techniques

Ethical Hacking Course Layout

Firewall implementation and testing

Course Content: Session 1. Ethics & Hacking

EXPLORER. TFT Filter CONFIGURATION

APNIC IPv6 Deployment

SCP - Strategic Infrastructure Security

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Ethical Hacking: The Value of Controlled Penetration Tests

Connecting with Computer Science, 2e. Chapter 5 The Internet

Transcription:

Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail

All materials is licensed under a Creative Commons Share Alike license. http://creativecommons.org/licenses/by-sa/3.0/ 2

# whoami Ali Al-Shemery Ph.D., MS.c., and BS.c., Jordan More than 14 years of Technical Background (mainly Linux/Unix and Infosec) Technical Instructor for more than 10 years (Infosec, and Linux Courses) Hold more than 15 well known Technical Certificates Infosec & Linux are my main Interests 3

Fingerprinting Defining what the target really is!

Outline External Footprinting Identify External Ranges Passive, and Active Internal Footprinting Identify Internal Ranges Passive, and Active 5

External Footprinting

Identify Customer External Ranges The major goals of intelligence gathering during a penetration test is to determine hosts which will be in scope. Common techniques to identify: WHOIS searches on the domains and the ranges reverse DNS lookups DNS brute forcing 7

Passive Reconnaissance - WHOIS Lookups Determine TLD for the domain, and which WHOIS server contains the information we're after. WHOIS information is based upon a tree hierarchy. ICANN (IANA) is the authoritative registry for all of the TLDs. Middle East WHOIS lookup (registrar): RIPE NCC, http://www.ripe.net/lir-services/membersupport/info/list-of-members/mideast DEMO (whois) 8

Online Tools Central Ops, http://centralops.net/ NetCraft, http://netcraft.com/ Domain Tools, http://www.domaintools.com/ DNS Stuff, http://www.dnsstuff.com MX Toolbox, http://mxtoolbox.com RIPE, http://www.ripe.net/data-tools/db WHOIS, http://www.whois.com/whois/ WHOIS, http://www.whois.sc/ What Is My IP, http://www.whatismyip.com/ InterNIC, http://www.internic.net/ 9

Active Footprinting Port Scanning Next Week 10

DNS Discovery Performed by looking at the WHOIS records for the domain's authoritative nameserver. Variations of the main domain name should be checked, and the website should be checked for references to other domains which could be under the target's control. 11

Zone Transfers DNS zone transfer, also known as AXFR, is a type of DNS transaction. It is a mechanism designed to replicate the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavors, full (AXFR) and incremental (IXFR). Tools commonly used: host, dig, and nmap DEMO 12

Forward/Reverse DNS Reverse DNS can be used to obtain valid server names in use within an organizational. There is a caveat that it must have a PTR (reverse) DNS record for it to resolve a name from a provided IP address. 13

DNS Bruteforce Check the ability to perform zone transfers. Discover additional host names that are not commonly known. 14

SMTP SMTP bounce back, also called a Non-Delivery Report/Receipt (NDR), a (failed) Delivery Status Notification (DSN) message, a Non-Delivery Notification (NDN) or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another message about a delivery problem. Done by simply creating a bogus address (Blah_blah_address@target.com) within the target's domain. DEMO: Central Ops (Email Dossier), http://centralops.net/co/ Manually 15

SMTP Cont. smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtpuser-enum ) Usage: smtp-user-enum.pl [options] ( -u username -U fileof-usernames ) ( -t host -T file-of-targets ) Examples: $ smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1 $ smtp-user-enum.pl -M EXPN -u admin1 -t 10.0.0.1 $ smtp-user-enum.pl -M RCPT -U users.txt -T mail-serverips.txt $ smtp-user-enum.pl -M EXPN -D example.com -U users.txt - t 10.0.0.1 16

Banner Grabbing An enumeration technique used to glean information about computer systems on a network and the services running its open ports. Banner grabbing is used to identify network the version of applications and operating system that the target host are running. Usually performed on: HTTP, FTP, and SMTP Tools commonly used: Telnet, Nmap, and Netcat 17

SNMP Sweeps SNMP offer tons of information about a specific system. The SNMP protocol is a stateless, datagram oriented protocol. Unfortunately SNMP servers don't respond to requests with invalid community strings and the underlying UDP protocol does not reliably report closed UDP ports. This means that "no response" from a probed IP address can mean either of the following: machine unreachable SNMP server not running invalid community string the response datagram has not yet arrived 18

Web Application Discovery Identifying weak web applications can be a particularly fruitful activity during a penetration test. Things to look for include OTS applications that have been misconfigured, OTS application which have plugin functionality (plugins often contain more vulnerable code than the base application), and custom applications. Web application fingerprinters such as WAFP can be used here to great effect. More on this when we reach Web Penetration Testing 19

Virtual Host Detection & Enumeration Web servers often host multiple "virtual" hosts to consolidate functionality on a single server. If multiple servers point to the same DNS address, they may be hosted on the same server. Tools such as MSN search can be used to map an ip address to a set of virtual hosts. 20

Establish External Target List Once the activities above have been completed, a list of users, emails, domains, applications, hosts and services should be compiled. Mapping versions Identifying patch levels Looking for weak web applications Identify lockout threshold Error Based Identify weak ports for attack Outdated Systems Virtualization platforms vs VMs Storage infrastructure 21

Internal Footprinting

Passive Footprinting If the tester has access to the internal network, packet sniffing can provide a great deal of information. Use techniques like those implemented in p0f to identify systems. # p0f o cap.txt -i eth0 -M -V -v -p -t 23

Identify Customer Internal Ranges When performing internal testing, first enumerate your local subnet, and you can often extrapolate from there to other subnets by modifying the address slightly. Also, a look a the routing table of an internal host can be particularly telling. Below are a number of techniques which can be used. DHCP servers can be a potential source of not just local information, but also remote IP range and details of important hosts. Most DHCP servers will provide a local IP gateway address as well as the address of DNS and WINS servers. In Windows based networks, DNS servers tend to be Active Directory domain controllers, and thus targets of interest. 24

Active Footprinting We can perform all the external active footprinting techniques here. 25

Active Footprinting Port Scanning Internal port scanning differs from external port scanning, because of the higher bandwidth available, and the ability Next Week 26

Assingment Choose a company and gather information about it 27

SUMMARY We saw what is intelligence gathering The OSINT three What corporate info to gather What individual info to gather Understood the covert gathering types How to use Google when performing intelligence gathering 28

References Effective meetings, http://www.businessandthegeek.com/?p=112 http://www.pentest-standard.org/index.php WHOIS lookup references ICANN - http://www.icann.org IANA - http://www.iana.com NRO - http://www.nro.net AFRINIC - http://www.afrinic.net APNIC - http://www.apnic.net ARIN - http://ws.arin.net LACNIC - http://www.lacnic.net RIPE - http://www.ripe.net, RIPE NCC 29

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information