This document was uploaded by user and they confirmed that they have the permission to share
it. If you are author or own the copyright of this book, please report to us by using this DMCA
report form. Report DMCA
Overview
Download & View 2007 A Hacking Odyssey as PDF for free.
2007 A Hacking Odyssey – Reconnaissance The aim of this series of papers that will take an in-depth look at how someone may target and electronically break into an organisation, is to educate people who may be tasked with looking after and securing a corporate network to do so in an effective manner. My personal outlook on this issue is that if you have no idea about the steps a would-be attacker will take to try and gain access to your systems, then you as an administrator can not effectively secure your system to an acceptable standard. Some people may disagree about the concept of demonstrating to people how to gain access to networks they are not meant to, whilst others agree with the ‘full disclosure’ approach. Take a firewall for example – if you don’t understand the steps an attacker will go through to try and get traffic through your firewall, then how can you stop them for doing it? All you can do is configure it the best way you know how and hope it is good enough. Hacking, Cracking, Hackers and Crackers Before I start: If some innocent looking young teenager came up to you and starting talking about hackers and hacking, then chances are you, being the IT professional that you are would mentally dismiss him as not understanding what he was talking about, just because he used the work ‘hack’. Yet, if a university professor type person in his fifties wearing a tweed coat, glasses and smoking a pipe came up to you and starting talking about hackers and hacking then you would more than likely listen to every word he says…… why is this? Well, the term ‘Hack’ or ‘Hacker’ is a word coined by the media to mean anyone trying to break in to something IT related, whether it’s a Network, Computer or any other type of electronic system. The more realistic term to use when talking about a hacker in the way the media’s term is meant, is to use the word ‘Cracker’ or ‘Attacker’. A cracker/attacker is someone who tries to gain access to things they have absolutely no right to be accessing. A hacker is someone who tries to make something function in a way it was not originally designed to do; they ‘hack it apart’. Take an email program for example; a hacker may try to make this email program send something other than an email, thereby making it do something it is not meant to do. Whereas an attacker/cracker will try to gain a level of access to it and read the users emails contained within the application. People who are new to the IT community will often innocently use the word hacker until
they get flamed by someone for doing so, probably on an IT related web forum, at which point they will usually endeavour to find a different word or face public ridicule on the new IT forum they will inevitably have to find. There are some people who like to instigate the flaming of the above mentioned people and think that everyone else will presume they are pretty knowledgeable because they make a big fuss of the fact they don’t like the word ‘Hacker’……these are the people you should probably stay away from. Most people who are secure in their own knowledge of IT and IT security whether for good or bad purposes and who have worked in the area for a while, really don’t care what word is used and can even find themselves using the term ‘hacker’ for ease of instruction when talking to non technical people or media type people. It could also be used to lessen the effect the work ‘Attacker’ has on someone; non IT people can get pretty scared when you say a cyber attacker is out to get them. For the duration of these papers I will use the term ‘attacker’ to refer to someone trying to do bad things to your computers and to your network. We will also assume the attacker is a ‘he’. Reconnaissance For this chapter we will take the mindset of the Attacker and the preliminary steps he may go through to attack your IT emporium. How does an attacker decide which organisation to target? When he has decided on the organisation how does he set about attacking it, how does he know where to go on the internet to find the specific network he wants to attack, how does he find your geographical location if he wants to wardrive you, how does he find useful information to socially engineer you, how does he find your phone number range to war dial you, how does he find your mail server? These are just some of the things the attacker will need to know before planning any attack against you and is generically referred to as reconnaissance. There are different types of attacker; attackers who have picked a target for a specific reason, attackers who pick random targets but have a specific idea about what they want to do to the target when they find one, and then there are attackers who look for random targets to launch random exploits against in an attempt to gain any level of access, without actually understanding what it is they are doing. This later genre of attackers are commonly referred to as Script Kiddies, Skiddies, SkiDIE’s, Skids etc and are the ones who don’t usually bother with any reconnaissance and jump straight to firing Nmap up and start telenting to any open ports they may
happen to find. I usually start security related courses off by asking, “What is the first step to take when wanting to attack a network?” 99% of the answers I receive involve the words Nmap and Telnet. Whilst this is a feasible option, there are still lots of steps to take before Nmap is even downloaded. You may have dismissed Script Kiddies out of hand by what I have mentioned above. Just because they do not understand the ins and outs about what they are doing does not make them any less dangerous than someone who does. Script Kiddies have all the time in the world to try and attack you. They usually come across an exploit of some kind that has been published somewhere, read how to actually perform the exploit and then go off in search of someone to test their new found uber skill on. Since they have a specific exploit in mind, which may run over a certain port, they can scan away to their hearts content looking for that one system that is vulnerable to the exploit they have. So, whereas Administrators have to try and secure from 1000’s of possible vulnerabilities, the Script Kiddies only have to find this one vulnerability on your system…..and have an infinite amount of time to find it. Picking a Target So, how do pick a potential target? As good guys you may have a specific reason to attack a target, whether it is your own organisation and are auditing the security of it, or you have been contracted to audit the security of another organisation – if this is the case then step one has been decided for you. As bad guys you could have a grudge against a particular organisation, you could have come across some interesting information in a newsgroup about a certain system being vulnerable, someone may have posted a firewall configuration on a newsgroup/IT help site and not removed any passwords or IP addresses (this used to happen a lot). You could even have been specifically asked by someone to see if you can do any damage against an organisation…..the list goes on. What if you have no reason to pick a specific target and any will do? You could trawl through your own firewall logs and find someone who has targeted you in the past; Zone Alarm for example has an annoying popup that can tell you about any external attempts made to gain access to your machine and includes the IP address of the attacker. If you have a home router they all usually have a logging facility and will record any attack attempts. In true Script Kiddie style you could have stumbled across an exploit and want to try it out, so start looking for susceptible targets.
You could even ping the first IP address that comes into your head, check it is valid and chose that. When I teach this subject in particular, to find an organisation for the duration of the course I usually enter the first words that pop into my head in to Google, take one of the hits on the first page and use that company to demonstrate the reconnaissance steps against. In this case the words are ‘Garden Sheds’. http://www.google.co.uk/search?hl=en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q =garden+sheds&spell=1 The company I chose is Shed Store. That’s the target picked, now let’s see what we can learn about them… Research the Target There are a multitude of perfectly legal methods we can use to research our target and we don’t even have to connect to any of the machines associated with it. Like all good reconnaissance, the intended target should not know what we are trying to do – for this reason we try to use publicly available information that is hosted away from any machine directly belonging to the organisation or has been made to be accessed by the public, i.e. their web server. Targets own web site Once you know who your target is the fist thing to do it browse over to their web site and simply have a look at all the information they have made freely available to us. http://www.shedstore.co.uk/ What info can we get from here? They have kindly given us their address, phone number range, email domain, who they use for their online billing provider, what their office opening hours are and that they are part of Guardian Buildings. Quote: Shedstore (A trading division of Guardian Buildings). Unit 1, Southview Park, Caversham, Reading, Berkshire. RG4 5AF. T: 0870 3500 710 F: 0870 3500 720 E: [email protected] W:
www.shedstore.co.uk
Quote: During our office hours of 8.30am to 12.00pm, then 1.00pm to 5.00pm Monday to Friday, we accept telephone orders and enquiries upon the following numbers. - Sales enquiries & orders: 0845 130 0405 (Local rate) - General enquiries: 0870 3500 710 (National rate) - Customer service enquiries: 0870 3500 710 (National rate) - (For those customers unable to access '08' numbers, please call 0118 946 4182)
By going part of the way through the order procedure we find out they use http://www.securehosting.com/ to handle their online transactions. The also have a members only area of the site. **I will talk about what we can do with all this information later on** We are starting to build up a ‘feeling’ about this company just from their web site. Going by this web site they seem to be a fairly well established company, they have what looks to be a professionally made web site, the seem to do the majority of their business over the internet, but they don’t necessarily seem IT savvy as they have no need to be, so they maybe rely on external hosting providers to handle the web site, email, billing etc…… this last point is a point worth remembering for later on when we cover social engineering. None or all of the above ‘feelings’ we get from the web site are necessarily true……we need to confirm it first. Google I will not cover Google on this paper as the subject as extremely large and I feel it deserves a paper to itself (whick will be posted soon). Needless to say typing the company name in to Google & Google groups may reveal some information that can be useful to you. Jobs advertised on company web sites Although not applicable to this particular web site, let’s say we were using the web site of a small bank, and on this web site they had a Jobs Section, and in this jobs section they
were asking for a PIX firewall administrator to start immediately…. This little gem of information tells us that the bank uses PIX firewalls, that they may have no administrator currently employed to manage it/view the logs etc (hence the immediate start) and that they may be susceptible to a social engineering attack whereby someone who does not normally configure the PIX maybe coerced into making a change OR that a new employee is likely to start very soon, who again will be very susceptible to social engineering to get him to alter the firewall’s configuration…..if you had a phone call from someone claiming to be the boss of your new company on your first day at work, would you say no to him if he told you to maybe change an ACL in the firewall? Maybe, maybe not….. All this stems from a seemingly innocent job advert…. Newsgroups Newsgroups are a valuable source of information during the reconnaissance phase of an attack depending on the type of target, as they are usually used by someone to ask for help, i.e. I have a PIX 506E and I want to configure a static NAT for a web server with the IP addresses 192.168.10.10 and 80.80.80.80, how do I do it? This innocently asked question tells us that particular organisation uses a PIX, the internal IP range, the external IP range and that the administrator is not so confident with configuring it, hence it maybe miss configured and easy to attack….. Out of Office replies are also sent out to some newsgroups…..what better time to attack a network than when you know the administrator is out of the office and can’t examine any logs…..or if you want to phone someone up and socially engineer them under the guise of being the system administrator…. well you know he won’t be there to get in your way…. If you trawl through it you will find complete router configurations including IP addresses and passwords, firewall configurations that again include IP addresses and passwords, the list goes on. If you have managed to gleam a name from the organisations web site try searching for it and see if it throws anything up. **When you want to search for say a PIX running configuration that may have been posted in its entirety, it is best to search for a few words that are specific to the configuration. I usually use “mtu outside” – which refers to the Maximum Transmission Unit size for the Outside interface of the firewall and is pretty specific to a firewall - if you know the domain name of your target try including this in your search string as well; most firewalls can be configured with a domain name.... The below link has over 13,000 PIX configurations that have been posted in various newsgroups: http://groups.google.co.uk/groups/search?hl=en&q=mtu+outside+&qt_s=Search
I find PIX firewall configuration especially useful to search through as there are so many things that need to be deleted from the configuration to not give away any information. So often I see IP addresses deleted but domain names remaining intact, a quick ‘nslookup’ of the domain name will sometimes give you the IP Block assigned to the organisation, once you have worked this out take a look at the Access Control Lists and see what they allow in…..see if there are any Peer IP addresses in the VPN configuration etc There is a very extensive search function on the Google Groups site, which will allow you to search for almost any aspect of a post, again try and use keywords specific to either the organisation you are researching or are specific to the type of post you are looking for. You may have to trawl back a while to see if anyone has posted via their company email address in a newsgroup as people are more savvy now-a-days and usually use a hotmail/gmail/Yahoo type web mail account. However, some people sign their messages with their full name, company name and company address……and then explain their entire network setup and what is wrong with it. We will come back to searching newsgroups in the next section when we go over WHOIS records. WHOIS The Internet is a huge directory of domain names and due to various copyright laws, trading laws and DNS workings, there can not be two identical domain names in existence at the same time on the Internet. A domain name refers to an organisations “Internet presence” and is usually related to their normal company name. I.e. The domain name for Barclays Bank is Barclays.co.uk (http://www.barclays.co.uk/) 99% of the time this also means their email addresses will end in Barclays.co.uk. Keeping track of all these domain names was historically done by Network Solutions until 1999 when they lost the monopoly for domain name registration. As the Internet grew so did the amount of suffixes attached to domain names ( .com, .co.uk, .org etc) and so did the amount of registrars. Any domain name ending in . .aero, .arpa, .biz, .cat, .com, .coop, .edu, .info, .int, .jobs, .mobi, .museum, .name, .net, .org, .pro, and .travel are registered with Internic; who can be found here: http://www.internic.net . The country code top-level domains – which are two letter suffixes that refer to the country, I.e. uk, jp, au will inform the attacker what country the target is in. A list of ccTLD’s can be found here: http://www.iana.org/root-whois/index.html
What if your targets domain name does not fall under InterNIC’s remit? Well, there is a very helpful site called Uwhois that will inform us of where to look for the registration details or our particular domain. http://www.uwhois.com/domains.html We browse to Uwhois and enter “shedstore” in the domain box, tick .co.uk and click Go. Depending on who the domain is registered with Uwhois may show us the complete registration record or it may tell us where to go and look for the records. In our case we are told that the domain name is registered: Quote: The answer to your domain search is ________________________________________ Uwhois search forshedstore.co.uk Registered
Notice shedstore.co.uk is a hyperlink? Click on it and you will be taken to either the registration details or you will be told where to look: Quote: [whois.nic.uk]
We now know that whois.nic.uk holds the registration records. Type that into Google and the first hit you get is for Nominet. http://www.nominet.org.uk/other/whois/ Browse to Nominet and enter shedstore.co.uk as the search term: Quote: Domain name: shedstore.co.uk Registrant: Keith Taylor Trading as: Guardian Buildings
Registrant type: UK Partnership Registrant's address: Guardian Buildings Unit 1 Southview Park Caversham Reading Berkshire RG4 5AF United Kingdom Registrant's agent: Thus plc t/a DSVR [Tag = DSVR] URL: http://www.dsvr.co.uk Relevant dates: Registered on: 24-Jan-2000 Renewal date: 24-Jan-2008 Last updated: 20-Jun-2006 Registration status: Registered until renewal date. Name servers: ns0.serve.co.uk ns0.serve.net.uk
Now we are getting some information that we can use to aid our attack. We have a name of someone who is probably fairly high up in the Guardian Buildings organisation; Keith Taylor. We also know Shed Store is part of the Guardian Building group from information we were able to get from their web site. We have the address of both Shed Store and Guardian buildings; again we have this from their web site and from this WHOIS record. We now know who they use to host their web site and who they used to register their domain name from the Registrant’s Address information: URL: http://www.dsvr.co.uk . We can see the record was renewed in June 2006, so ‘Keith Taylor’ is probably still working for the organisation. Finally we have the most important piece of information to us so far; the name servers, which I will talk about in a minute.
You maybe thinking, Yeah, Ok I have all this information but what use is it to me? It will all become apparent right after I run through DNS and DNS zone transfers. Domain Name Service – DNS DNS could be considered the post office and telephone directory of the Internet. Without it the Internet would not be anywhere near as efficient and easy to use as it is today. In a nut shell DNS takes an IP address and ties it in to a domain name. I will presume most people know what an IP address is and will not insult you all be explaining it (PM J_K9 if you need to know) To explain DNS it is best to give an example; so if you go to your RUN prompt (Start > Run) and type CMD into it and press enter(Or your Linux equivalent) You will get a black box popping up; this is your command prompt. Whenever we want to perform any DNS queries, or interact with DNS in anyway we use a program called ‘nslookup’. (Linux users may want to use ‘dig’ instead of nslookup as most recent Linux distro’s have butchered the nslookup program somewhat) Type nslookup: Code: Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\Nokia>nslookup Default Server: speedtouch.lan Address: 192.168.1.254 >
Notice the prompt changes to ‘>’, this tells us we are now in the nslookup application and not in the normal command prompt. The Default Server will tell you what your own DNS server is. (this may not always be an actual server, especially if you are using a home router. If you are using a home router then the IP address show will usually be that of the router) At the ‘>’ prompt type google.com: Code:
You will see that the output of the command you entered is three different IP addresses. Now at the prompt type in one of these IP addresses: Code: > 64.233.167.99 Server: speedtouch.lan Address: 192.168.1.254 Name: py-in-f99.google.com Address: 64.233.167.99 >
**Tip – right click the blue bar on top of your command prompt and select properties, in the Edit Options field make sure Quick Edit and Insert Mode are ticked. You can now copy and paste as you would normal text. Try highlighting a Google IP address in the normal way by moving your cursor over it with the mouse button pressed, the text will go white; now right click. To paste the text simply right click again and the text will be pasted where the flashing cursor is.** The output from the above command tells us the IP belongs to Google.com. What you have just done is preformed a DNS query to find out the IP address(es) that Google use for their web presence; when you entered the domain name you done a forward DNS lookup and when you entered the IP address you done a reverse DNS lookup (rDNS).
You may still be thinking what the hell you are on about but it will become apparent now: Try typing one of the IP addresses you got from your DNS lookup into your web browser. You are still taken to Google. Your computer does not talk to other computers by using words such as Google.com. When you enter Google.com into your browser your computer needs to convert this into a form both it and other computers will understand. As you probably know everything on the Internet needs an IP address, as this is how all traffic is addressed on the Internet (it is different on an internal LAN but for now assume everything uses IP addresses). So something needs to take google.com and convert it to an IP address to enable your computer to go out on to the Internet and find the server that hosts the Google web site. If you haven’t guessed it already, it is DNS’s job to do this. Without DNS you would have to remember 64.233.167.99 and use this when you wanted to go to Google. Then when you wanted to go to Hotmail you would have to enter 64.4.33.7, and then if you wanted to go to Digg you would have to enter 64.191.203.30… … can you see how confusing this would become. If you wanted to advertise your business web site you would have to use an IP address and hope everyone could remember it…… DNS allows us to use a human readable syntax that we can remember easily, to browse the Internet. Without it, the Internet would be very chaotic. You can find a very good explanation of DNS here: http://en.wikipedia.org/wiki/Domain_name_system But what has all this got to do with our reconnaissance? Well there are different types of DNS records that will be used for different services. If we wanted to send an email to an organisation the a DNS record would tell the appropriate mail server the IP address of where that organisations mail server is located. This records is called an MX record (Mail Exchange), DNS records can also be used for web servers, FTP servers etc. If we could get our hands on all of these DNS records for our target domain, we would have a huge chuck of valuable information for when it comes to the next phase of our attack; as we would know where to go to try and gain specific entry to the network….if we wanted to exploit their mail server DNS would tell us where it is, if we wanted to attack their FTP server DNS would tell us where it is…….. DNS servers support something called a Zone Transfer and what this is, is a way of the DNS server telling someone all the information it has about a certain domain, MX records, A records, PTR records etc. There is a catch to this though and that is properly configured DNS servers only support
Zone Transfers to authorised people and sometimes not at all. To go back to the WHOIS record we found, the very last entry listed is the DNS servers that our target uses: Quote: Name servers: ns0.serve.co.uk ns0.serve.net.uk
So let us try and see if a Zone Transfer will work on these DNS servers: Go back to your nslookup prompt: Code: C:\Documents and Settings\Nokia>nslookup Default Server: speedtouch.lan Address: 192.168.1.254 >
And type “server ns0.serve.co.uk” (you could even do an nslookup for this and use the IP address if you wanted to ) Code: > server ns0.serve.co.uk Default Server: ns0.serve.co.uk Address: 212.69.220.10 >
This is telling the nslookup application to query the server you have specified and not your own default one. (Obviously since this is where the information relating to the shedstore.co.uk domain is located, it is the server we need to get the info off) To ask it for all the information it has on the shedstore.co.uk domain (a Zone Transfer), we use the following command: Code:
> ls -d shedstore.co.uk
If Zone Transfers are enabled to casual users, and we have the right DNS server for our domain, it should reply will all of the DNS records it holds: Code: > server ns0.serve.co.uk Default Server: ns0.serve.co.uk Address: 212.69.220.10 > ls -d shedstore.co.uk [ns0.serve.co.uk] shedstore.co.uk. SOA ns0.serve.co.uk hostmaster.dsvr.co.uk. (2 006122800 3600 1800 86400 3600) shedstore.co.uk. NS ns0.serve.co.uk shedstore.co.uk. NS ns0.serve.net.uk shedstore.co.uk. MX 5 mx81.emailfiltering.com shedstore.co.uk. MX 10 mx82.emailfiltering.com shedstore.co.uk. MX 20 mx83.emailfiltering.com shedstore.co.uk. A 212.69.210.106 ftp CNAME www.shedstore.co.uk mail CNAME www.shedstore.co.uk smtp CNAME www.shedstore.co.uk www A 212.69.210.106 shedstore.co.uk. SOA ns0.serve.co.uk hostmaster.dsvr.co.uk. (2 006122800 3600 1800 86400 3600) >
** Tip – there will nearly always be two name servers listed on the WHOIS records – if the first one does not allow Zone Transfers always try the second one too, as this is usually a backup DNS server and may not be configured the same as the first one.. ** So what have we got? We have the Start of Authority (SOA) which is the authoritative DNS server for the shedstore.co.uk domain – the numbers after it are pretty unimportant to us but refer to the zones serial number, refresh rate, retry rate etc. The Name Server (NS) records basically tie the domain name to the DNS server. Think of it a mapping so others can find the correct DNS server.
The MX records which we have already covered refer to where all email should be sent to for the domain. In our case it looks like Shed Store is outsourcing their email to a hosting provider of some kind. The CNAME or Canonical name records are aliases and point back to the A record. They are usually used when there is more than one type of service using the same IP address. In this case it is FTP, HTTP and SMTP. The A record (Address record) is the main DNS record and does the actual mapping of the domain name to the IP address. The CNAME records referred to above all refer to this A record. ( if you now do an nslookup for shedstore.co.uk it is this very A record that will be consulted to return the IP address to you) The one glaring omission is a PTR record – which handles the rDNS lookup. (the opposite of the A record so to speak) If you do an nslookup on the IP address 212.69.210.106 you won’t get shedstore.co.uk: Code: C:\Documents and Settings\Nokia>nslookup 212.69.210.106 Server: speedtouch.lan Address: 192.168.1.254 Name: internetdesign.dsvr.co.uk Address: 212.69.210.106
This is another indication that the website is hosted by a third party, probably called Internet Design and they have only bothered to update the A record and not the PTR record. If you go back to the WHOIS record it will back this theory up: Code: Registrant's agent: Thus plc t/a DSVR [Tag = DSVR] URL: http://www.dsvr.co.uk
If we couple this with the fact the DNS server itself is not configured adequately and we were able to complete a Zone Transfer we could come up with the conclusion that this is a very sloppy setup and could mean they are not using as good a web hosting service as they could do, that they do not understand the DNS implications of their own setup, that the have never tested their security - hence more proof they may not be very IT savvy… …
IP Address Just like domain names are registered and entered on a WHOIS database, IP addresses are also registered and entered on a database. For Europe and Asia an organisation called RIPE handles this. (http://www.ripe.net/) and for America ARIN handles it (http://www.arin.net/index.shtml). If you browse to them and enter the IP address mentioned in the A record you will find out who it is registered to: Code: inetnum: netname: descr: country: admin-c: tech-c: status: mnt-by: source: role: address: address: address: phone: fax-no:
212.69.210.0 - 212.69.211.255 DSVR Hosting in iP House GB NOC5587-RIPE NOC5587-RIPE ASSIGNED PA AS5587-MNT RIPE # Filtered AS5587.NET Network Operations Victoria Building Salford Quays M5 2SP +44 207 3455256 +44 207 3455257
As I said it is not really applicable in this case as it is only for a web server that belongs to a hosting company. But if it was for an organisation that hosted their web server internally you would be able to get more contact details for the company from here. In this case we only get the name and address of the hosting company, which is in Salford Keys, Manchester. – It may come in handy for a social engineering attempt later on, who knows but it is worth writing it all down. Mail Server Mail servers are a good way of finding information out about a company and what email addresses are valid in the company. It is possible to telnet to a mail server on both port 25 and 110. When you connect you are greeted with a banner saying the type of mail server and its version. Open a command prompt again and type the following: Code:
C:\Documents and Settings\Nokia>telnet shedstore.co.uk 25
This is telling the telnet application to open a connection to shedstore.co.uk on port 25. You should now see this: Code: 220 internetdesign.dsvr.co.uk ESMTP Exim 4.52 Wed, 07 Feb 2007 20:03:06 +0000
The mail server banner is telling us the type of mail server is Exim, and it is located in the UK. It also tells us that this mail server belongs to the same people who host Shed Stores web site….but the MX records from the DNS Zone Transfer are for a different company. The must have a web mail solution and another hosted email solution. Going by the MX record they also have email hosted with emailfiltering.com So they may have another domain name in place for email, or it may have something to do with the Guardian Buildings organisation that they are a part of. It’s hard to tell exactly why they have another email solution but it is something worth bearing in mind. Code: MX
5
mx81.emailfiltering.com
Browse to emailfiltering.com in your browser and see if there is a web site for it. Yes, there is – but it has a URL redirect in place and takes you to http://www.emailsystems.com/ . If you put an ‘s’ after the HTTP (https://www.emailsystems.com/ ) and go to their secure site you are presented with a logon…….probably where you go to check your emails on line….. Try telenting to the mail server mentioned in the MX record on port 25……now this is a seriously locked down mail server……my guess is their email hosting company do know what they are doing, unlike their web hosting company. All this information comes in handy when we try to social engineer some information out of the companies we have discovered are target uses. FTP
Did anyone notice their was a CNAME record for an FTP server? Let us see if it is active. Go back to your command prompt and type: Code: C:\Documents and Settings\Nokia>ftp shedstore.co.uk
You should be presented with the following: Code: C:\Documents and Settings\Nokia>ftp shedstore.co.uk Connected to shedstore.co.uk. 220 ProFTPD 1.3.0rc2 Server (ProFTPD) [212.69.210.106] User (shedstore.co.uk:(none)):
It has told us what type of FTP server it is (ProFTPD) and is asking for a user name and password. At this point DO NOT try and gain access to anything. Remember we are researching the target passively and do not want to try and connect to anything directly related to the Shed Store company until we have taken the proper countermeasures to obscure our own identity and location on the WWW. Web hosting companies typically provide FTP access for their customers so they can upload their web site and make any changes that are needed. I pointed out that there is a members only part to the web site earlier on, my guess would be that members can logon and maybe buy direct from the company via the user portal? If so all their details are stored on the server somewhere and if we manage to get FTP access we can also get access to all of the files and do not have to worry about trying to exploit the web service…. At this point it is enough for us to just know it is there and how to access it. *Hey look, we have learnt they have a web site, a mail server and an FTP server and the IP address of them all…..and we didn’t have to fire up Nmap up once to tell us what services they have….** Social Engineering Social Engineering is the art of interacting with someone with the sole reason of maliciously soliciting information out of them. The common example is to get a user name and password, but this is not always the case. I have endless hours of fun teaching
this and getting students to phone places up and trying out what they learn in real life. It is an incredibly hard skill to master. But once you have mastered it you can save yourself hours of pain staking work trying to crack user accounts etc the hard way. Most people think Social Engineering is something reserved for the determined attacker or for the people carrying out a Pen Test. I would suspect that 99% of the people reading this have never tried it or are ever likely too……yet they wouldn’t think twice about firing Nmap up and scanning someone’s system. In my view if you can get some information out of someone such as a password, well then it saves you having to spend hours running a dictionary attack or trying to brute force the password which you have just got hold of in a few minutes via social engineering. NEVER underestimate the Social Engineering stage of reconnaissance it nearly always pays off and saves you a lot of time and hassle. The reason not many people do it is that to carry out an effective Social Engineering attack you need a rather large set of gonads, a very good reason to want to do it and some prior information about the person or the persons organisation that you are speaking to. Social Engineering is not something that can be taught and is more of a skill you pick up over time. The more you do it, the better you can become at it. There are a couple of facts about human beings in general that need to be mentioned to better explain how to carry out effective social engineering attacks: Humans are very easily programmed and become stuck when something happens out of the ordinary. Being extra nice to someone and making that person like you and want to help you, does pay off sometimes People generally do not say no to an authoritative figure or to someone who is higher placed then them in the organisational structure. It is usually easier to coerce someone into doing something they don’t normally do, than to coerce them into doing something they do everyday.
Humans are very easily programmed and become stuck when something happens out of the ordinary. Think of a normal hand shake; if someone walks up to you and extends their hand in a motion that signifies to you that they are about to shake yours, you are programmed to lift your hand up in response. In certain scenarios such as when meeting someone, this is expected. But what if it happens in a situation you don’t expect it, i.e. when you are walking down the street and a perfect stranger walks up to you with an outstretched hand signifying that he wants to shake hands with you? You still lift your hand to respond to that person, maybe not very
far but you will still do it. Now what if when meeting someone, and when you expect a hand shake, the person stops half way through extending their hand and puts it in their pocket? You still extend yours and when something happens you don’t expect, such as someone putting their hand in their pocket, your programming breaks down and for a second or two you go into limbo as you have no idea what to do. Why - Because like as not this will have never happened to you before so you have no programmed response to it. Consider this – whilst you are in limbo during this hand shake, if the other person was to ask you what your phone number is, what would you do? You are programmed to respond to a question, so whilst your mind is in limbo wondering what the hell to do, the programmed part of it will respond to the question that has just been directed towards you and unless you manage to stop yourself in time you will answer the question. When I was learning about Social Engineering the course was taught by a Psychologist and not an IT security professional. Half way though one talk the speaker invited a hypnotist into the seminar. The first thing this hypnotist done was to walk up to someone near the front of the audience and introduce himself – just as they were about to shake hands he put his in his pocket and said something to him, in a few seconds this guy was hypnotised and answered any question the guy asked him. He very effectively utilized the moment when his mind was wondering what it should do, to hypnotize him. I’m not suggesting you need to walk around shaking hands with people and hypnotising them to socially engineer them, but am trying to demonstrate that when something happens out of the ordinary, people let their guard drop very temporarily and the mind is very open to external influences. To apply this psychology to a ‘real life’ social engineering attack – imagine you phone up the web hosting company that Shed Store use (we know this info from the DNS records and the WHOIS record), and went through the normal process everyone goes through when initiating a phone call – the other person says hello, you say hello and state the reason why you are phoning – the other person will go through the process they have probably gone through 1000’s of times and asks you for your credentials to authenticate yourself……… Ooops, we hang up as we can’t do that. To apply the methodology of breaking someone’s programming you need to do something unexpected that may have never happened to the other person before. The list of how to do this is endless – but you have just found out your name server allows anonymous Zone Transfers right? So your going to be a tad angry – what’s the odds that if you phone up and instead of saying 'hello' which the poor help desk dude will be expecting, you start yelling down the phone straight away asking why their DNS server is miss configured. What you are going to do is put them in a situation they may have not been in before and do not know how to handle properly (chances are at the help desk level they will not even know what a DNS Zone Transfer is). So whilst they are
fumbling around trying to make sense of what you are angry about, mention (in a very pissed off voice) you cant logon to your web server and need to know your details – now this is something the person will be programmed to do and will understand, so whilst they are still trying to figure out what the hell a DNS Zone Transfer is and who they can escalate it too, they will be only too happy to do something they are familiar with (and which gives them a bit of breathing space) and lookup the details for you. Of course you don’t have to rant and rave at someone to throw them of their guard. Try phoning an up-market hotel who do not normally give out the details of who is staying in a certain room…..when they answer just simply ask if they have the time (be very polite), I can pretty much guarantee the receptionist will have never had this happen to her before…so whist she is in the state of registering what you have just asked and what she should do in response to you, ask her who is staying in room 101 – her programming will kick in and she may very well divulge the information to you. The trick is to be nice and extra polite to her. After you have tried this method a few times you will develop a few methods that usually work most of the time and stick to them. Being extra nice to someone and making that person like you and want to help do, does pay off sometimes This one kind of speaks for itself and is not something I need to cover in great detail. Use your charm to try and make someone like you enough to want to help you. This usually works best when talking to someone of the opposite sex (unless you swing the other way). The best way to do it is not to try and solicit any information during your first conversation. Phone up initially, explain who you are (or who you are pretending to be) and ask an innocent question that will not require her to ask you some questions to authenticate yourself. Such as: “Hi, I’m Keith Taylor the Managing Director of Shed Store, well Guardian Buildings but you have us down as Shed Store. You host one of our web sites called shedstore.co.uk and I was wondering if you are experiencing any technical difficulties again, as at the moment we can’t reach it.”. If we examine that seemingly harmless and everyday initial introduction more closely you can see what we have just done: “Hi, I’m Keith Taylor the Managing Director of Shed Store” = Using the name we got from the WHOIS record we have introduced ourselves to her – putting a name to a voice on the telephone forces her to automatically construct a mental picture of you, which will aid us in getting her on our side. We have told her we are very high up in the company, the MD no less. How many MD’s does she speak to on a daily basis? Not many I bet, so we will now stick in her mind and she will remember us next time we call. By identifying the company we are from, we allow her to learn a little more about us by offering her
extra information, which goes in our favour but more importantly we let her know what company we are from so when we try to extract some information from her later on she may not feel the need to authenticate us. “well Guardian Buildings but you have us down as Shed Store” – This again offers her a little more information to add to her mental picture of us. The second part of this sentence implies we have contacted them before and have regular dealings with them – again adding to our authenticity. “You host one of our web sites called shedstore.co.uk” – Here we have told her what our web site is and that we are indeed one of their customers. This is important later on when we ask her for our login details, as she will not need to ask us what our domain name is which is usually the prelude to asking us to authenticate ourselves – we will be breaking her programming. “I was wondering if you are experiencing any technical difficulties again, as at the moment we can’t reach it” – This reinforces the fact we have spoken to them before as we mentioned the word ‘again’. But more importantly it is a question that does not require her to authenticate us and is something she will have to search for, and gives you that ‘moment of silence’ to make idle chat with her……get to know her….and make her like and trust you. She now has a mental image of you, knows who you work for, knows a little more info about your organisation than she may normally get to find out with most customers (which could make you stand out amongst others), she knows you are a Managing Director which again makes you more likely to be remembered by her (and all women like important men don’t they?), we have let her know that we have phoned up before, she knows your domain name – which means she won’t have to ask for it, she knows you are having technical difficulties but are still being nice to her – not many other customers would be as nice when experiencing technical difficulties, again you will stick out in her mind because of this. After this all you can do is use your charm during the ‘moment of silence’ to get to know her. Give it a few hours and phone back up, you may have to do this a few times until the same person answers the phone. The second conversation could go something like this: “ Hi it’s Keith again the MD from shedstore.co.uk. I phoned you earlier to ask about some technical difficulties, I’m just wondering if you are having some issues now as we can’t access our site again and are really starting to lose business over this.” “ Hi ” – You must use her name here as it tells her we have
remembered her, and everyone likes to be remembered, right? Especially by an MD… “it’s Keith again the MD from shedstore.co.uk” – This time we just use the first name, to make the conversation more friendly and social, we reinforce the fact we are an MD and again we tell her our domain name. “I phoned you earlier to ask about some technical difficulties, I’m just wondering if you are having some issues now as we can’t access our site again and are really starting to lose business over this.” – This last part is designed to make her go off and search for something again – which will give us another moment of silence to make idle chit chat. Most important we have no emphasised that this is a serious matter to our business and needs to be resolved…but we are still being very civil and chatty to her……..this will be out of the norm for most cases she has experienced when something is going wrong…. and it stresses the fact that we must be an exceptionally nice person if we are still being nice to her….hell I would want to marry me! The knack here is to make idle chat but around a subject that you can refer to later on. The third time you phone up, don’t mention anything work related. Start the conversation off about the subject you made idle chat about. When you feel the time is right say something along the line of “Oh I’ve forgot what it is I’m phoning for now….Oh that’s right, I can’t remember my logon for the shedstore account, can you help us out?” – Or words to that effect. If you have done your part right she will know your domain name, be under the impression you work for Shed Store and may just go right ahead and give you the credentials you need. I have provided a theoretical example that only uses three phone calls. In reality it could take week or even months to gain the trust of someone and it is not always done over the phone, it can quite easily be done in person. You only get one shot, if you try it to soon and she asks for credentials, obviously you can’t supply then and have to hang up wasting what could be weeks of effort in trying to gain her trust. People generally do not say no to an authoritative figure or to someone who is higher placed then them in the organisational structure. & It is usually easier to coerce someone into doing something they don’t normally do, than to coerce them into doing something they do everyday. You should have grasped the basics by now. If you can convince them you are important enough, they maybe willing to skip procedure to accommodate your request. Or, if you can put them under enough direct ‘managerial’ pressure they may rush the job and again not authenticate you. The last one relates to things like the job advert I mentioned further up the page: It will be
easier to get the person filling in for the missing firewall admin to make a change that it will be to get the regular firewall admin to make the change. Accidentally phoning the wrong person, when you know the real person is away (maybe by an OOO reply to a newsgroup) can be a lot more rewarding that phoning the correct person. Likewise instead of phoning a hosting company who are trained to authenticate people before dealing with them, try phoning the target company direct and claiming to be from the hosting centre…..it maybe easier to coerce an un-trained company employee who has never had to ask anyone for credentials in their life to part with some logon details. Prior Information What ever tactic you decide to use you are always going to need one thing – prior information about the person/organisation you are trying to imitate. You can’t pretend to be someone else if you know nothing about them… What information have we managed to get from all of the above steps? Company name – An obvious one that we need Domain name – Handy to guess email addresses, needed for WHOIS lookups and for social engineering attempts. Office Opening hours – What better time to attack their network than when they are not there, or if you want to phone someone claiming to be an employee it is best to do so when they are not in the office Telephone number range – People still do use modems. With the phone range we can Wardial the company looking for them. Company Address – A post code is often used in authentication steps. We also now know were to go to look through their rubbish if you are that way inclined Senior Person from the company – From the WHOIS record we know the name of a person who is likely to be high up in the company. Also good as a search string in newsgroups Name Servers – You have seem why these are important Mail Servers – In this case the email is outsourced – another avenue for a social engineer attack, either to the target claiming to be from the email company, or vice versa. The also may have a second email service for another domain. Web site hosting company – As above; ideal for Social Engineering attempts. We also
know they host a web mail solution for the company too – more info we can use for our social engineering. If we did want to social engineer them we also know their address and phone number from the RIPE record we looked up. FTP Site – We know they have FTP access to the web site. This can come in very handy when wanting to try and exploit parts of the web site as all we have to do is find an FTP logon, we don’t need to spend a lot of time looking for web vulnerabilities.
Caller ID spoofing You could use all of the information we have gathered together so far and you could use the very best methods of social engineering and it could all fail. They are not foolproof methods as they have a huge human element to it, and humans are very unpredictable. However, there is one final trick in our arsenal that can sometimes work when all other attempts fail and that is to spoof our caller ID. If someone was to ring you up at work and say “Hi its Jim, I am filling in for the System Administrator today.” You may or may not believe him. If he called and said the same thing but on your caller ID display it came up that he was indeed calling from the Sys Admins desk then the chances are that you would indeed believe him……unless his desk is in the same room as you of course. Think of Caller ID spoofing as instantaneous credibility It is relatively easy to spoof a caller ID, the hard part is finding what number to spoof it too. TeleSpoof: http://www.telespoof.com/ is probably the most popular service to use since Star38 and Comophone where forced to shutdown due to very negative publicity… usually CallerID ‘falsification’ services do not stay in business very long but TeleSpoof seem to be doing a good job of it so far. You have to pay to use TeleSpoof but it is relatively cheap and is worth trying out on your friends a few times to get the hang of it all. If you have a VoIP setup than you can spoof your own caller ID for free, notably the Asterisk PBX is quite good for doing this and is free… Once you have learnt of a telephone number, probably via a WHOIS record or a RIPE / ARIN record, which both usually list the System Administrators of organisation (and what better person could you pick to pretend to be!) you can spoof away and see who reveals information to you.
If you can’t find the System Administrators number, usually phoning reception and asking for it will work…. After all, why would they not give it to you? Summary Reconnaissance is not very glamorous, it is tedious, probably not much fun to read about and is almost never done by Script Kiddies. It is largely based on common sense and reading publicly available information, However, it is a very important part of the bigger picture. It puts you 'in tune' with the target so you don't go wondering in blindly Nmap'ing away. There is not much skill involved in it - which is why I think it puts the Skiddies off.... I have tried to run through all the steps an attacker may go through when researching your organisation. I have chosen a real life company as nothing in this paper is illegal to do. The company I chose looks to be a largely web based company and I have not revealed anything that could list their internal network presence, although there are a few ways of finding it out and the more astute of you may be able to do so by utilizing most of what I have mentioned. The next part will cover the prelude to gaining access to a network – i.e. network discovery, mapping out a network, scanning for services, looking for weaknesses, WLAN scanning etc and will utilize the information we have learnt here. I won’t use Shed Store for this as they are a real organisation trying to run a business over the Internet and it would not be right to demonstrate methods of accessing their network, if indeed there are any. If someone from Shed Store does read this hopefully they will look at it as a free partial vulnerability assessment and leave it at that. Remember to write everything down that you learn about a target, no matter how small and trivial it maybe. You never know when that little bit of information may come in handy. Try out your social engineering on a few innocent people in a harmless manner; maybe try and find out who is staying in a particular hotel room etc. After a while you will get good at it and be able to use it for more ‘daring’ situations. Some of you maybe wondering why I have not mentioned Google much at all – that is because I plan on writing another paper in the near future on how to use Google from a ‘hacking’ prospective. Please post any questions in this thread or start a new one in the relevant forum; PM’s, Email’s and MSN messages will not be answered. Nokia
2007 A Hacking Odyssey: Part Two – Network Scanning & Nmap Part 1 Quote: Due to post size limits I have had to split this paper into two halves. Please find the second half here: http://tazforum.thetazzone.com/viewtopic.php?t=5766
If you have followed part one you will have most of the information needed to allow you to progress on to the second phase of your attack/Pen test. You can find part one here: http://tazforum.thetazzone.com/viewtopic.php?t=5445 The second phase can be generically summed up as ‘Scanning’. To even start this phase we need of an absolute minimum one thing; an IP address. If you have not been able to glean and IP address during your reconnaissance phase, then you will need to go back and persevere with it, because until you get one you will not be able to do anything else….you can’t scan something if you don’t know where it is. Scanning typically involves all or some of the following: Covered in this paper: War Driving War Dialling Network Mapping Port Scanning Covered in Part 3: Vulnerability Scanning IPS and IDS detection and evasion Firewall ‘auditing’ PBX scanning Scanning a network is a very unique activity as all networks are different; they are configured in different ways, secured in different ways, use different hardware, have different services running, respond differently to various scans and use different software/OS’s – to name but a few of the variations. For this reason it is impossible to write a step by step paper along the line of ‘enter this command and you will get this output, now enter this command and you have exploited the service’. It just won’t work this way. What I will do however is explain the theory of how it all works and explain how to use the most common tools for doing this; the most common of these common tools being Nmap, hence a large part of this paper will be devoted to it.
I will briefly cover War Dialling and War Driving first though, as they are not terribly hard to understand. **Before I go on I need to point out that the scanning phase is the complete opposite to the reconnaissance phase in terms of exposing yourself to the target network. Reconnaissance when done properly is nearly completely passive and is entirely legal. Scanning on the other hand is not passive in any way shape or form and is for the most part illegal. You WILL leave log entries on the remote system when scanning it. Whether these look suspicious to an administrator or are suspicious enough to set off an IDS alarm is entirely up to you and the methods you chose to adopt** War Dialling Pretty much everyone has heard of War Dialling in today’s cyber world. It was probably made famous by the film War Games – where a young teenager connects to a government network via a Modem. This file was released in the early 80’s and the technique used in it is still valid today… Before VPN’s and Remote Access software were readily available the only feasible way for an employee to connect to the corporate LAN or indeed for an administrator to connect to a remote system was via a Modem; which they would ‘Dial in’ to. Even though there are a lot more secure methods for remote access in today’s world, it does not mean that remote access via a modem does not still exist anywhere. A lot of people use the ‘if it is not broke, then don’t fix it’ philosophy. Couple this with the price of a modem (£5) and you have a very quick and extremely cheap remote access solution, albeit not a very efficient one but a working one all the same. Think of your own dial up connection (everyone over the age of 10 must have been unlucky enough to of had a dial up connection at some point). You dial out onto the internet, usually to your ISP, enter a user name and password and viola you are connected to the Internet. Obviously data flows both ways through this connection. If used in the conventional sense the data coming back is return traffic to one of your legitimate requests, i.e. a web page you have requested to see. However what if the return traffic is not legitimate…….how does your modem know this……well, it doesn’t. To use a dialup connection you must have a phone line, right? If you have a phone line then you will have a phone number. If someone dials this phone number and the line is connected to your modem…..what will they dial in to? Yep you guessed it; your modem
and in effect your computer. A very popular procedure amongst employees was to install some remote control software such as VNC and set it to listen on the COM port that the modem was using. Then when they go home, they can dial in to the line attached to their computer and be greeted with the VNC login prompt. In modern times (modern from an IT point of view) there is a plethora of remote control software available to any user for free or for very cheap. And all they need is a phone line installed by their desk. Chances are they will already have a phone next to their desk….so when they leave at night they connect this up to their modem, go home and dial their own number, connect to the free edition of VNC they have installed and start working from home. As far as they are concerned they are doing the company a favour as they can get more work done and it hasn’t cost the company a penny……what do they care about network security, that’s the job for they guy who keeps saying no to them whenever they ask for something……..sod him, right? Unfortunately it is not just clueless end users who do this; Routers, switches and firewalls used to be remotely managed via a dialup link into them, with basic authentication. How often does a network infrastructure get upgraded? Not very often…….. Sadly in my experience of pen testing, 60% of the unsecured modems I find are attached to routers and not to end user work stations. System Admins come and go and they have a lot more to think about than one poxy phone line coming into an old router……. The most common application used for War Dialling is probably THC-Scan (The Hackers Choice - http://www.thc.org/thc-scan/). It runs on pretty much anything that has a kernel and an emulator (yes even a MAC) and is extremely easy to use. Obviously the final thing we need is a range of phone numbers right? If you have read part one you may have noticed the first two things we ever learnt about the target……its phone numbers and office hours. Why are the office hours important? Well we don’t want to try and take over a PC whilst the user is sitting in front of it do we….also if they do plug their phone line into the computer it is going to be so they can work from home…. which won’t be in office hours will it? I won’t cover instructions on how to use it as I don’t want to spend too much time on War Dialling, but there is a very good video tutorial showing how to use it on the above mentioned site and very extensive documentation is included with the download. So you dial away and look at the log detailing what it found. If you use the Nudge feature of THC you may very well see some banners that can be very informative to use – such as ‘Hi, I’m a PC, or Hi, I am a MAC’. You will need to learn to recognise the return strings from the various modems it finds to be able to know what is listening behind the modem, i.e. VNC, PC Anywhere etc.
Some commercial War Diallers have a database that will tell you this automatically; if you don’t mind paying for them then this is a good choice to go for. PhoneSweep is probably the best commercial one available (http://www.sandstorm.net/products/phonesweep/) you can see a screen shot to better explain what I mean about identifying the system type – THC will just show you the raw output and it will be up to you to trawl through the logs and work out what system is what. That’s pretty much it for War Dialling, find a modem, dial into it, see what remote control software is listening on the COM port, try and connect to it. The most common software listening will probably be VNC as it is free…..there is also a well publicized exploit for circumventing VNC authorisation…… War Driving War Driving derives its name from War Dialling. If War Dialling is phoning every number in a range to find a modem, then War Driving is driving round an area looking for every Wireless Access Points.(WAP). There are subsets of War Driving such as War Walking, War Mountain Biking, War Flying, War sitting on the bench outside the building with my laptop hoping I don’t look suspicious…generically they can all be safely called War Driving. The chances of finding a WAP in today’s world are much greater that the chances of finding a modem. In the past most security/hacking type books typically confined Wireless LAN (WLAN) hacking to a few pages at the back of the book, however now-adays it is becoming more and more popular and more and more rewarding in terms of illegally accessing a network. Due to this the newer security and hacking books tend to devote a lot more page space to WLAN hacking. When conducting a Pen Test, after the reconnaissance phase I usually set up a laptop and leave someone with it to carry out the War Dialling , whilst that is running I will drive around the targets building and War Drive it. By the time I get back we are able to go through the results of both assessments. If we find any ‘miss configurations’ it usually gives us a general impression as to the state of the network and its security. WLAN’s obviously use radio transmissions to transmit data from one node to another. Our aim as WLAN hackers is to put ourselves within range of these transmissions so we can also receive them and look at the contents being sent. Before we do this we obviously need to find the Wireless networks. WLAN’s all have a network name, which is what distinguishes them from each other and helps employees know which one they are meant to connect to. This network name is known as the Extended Service Set Identifier or ESSID. If you open your wireless network properties and search for networks, you will end up with a list of networks that
your wireless adaptor is within range of. Each of these will have a name, what you are looking at is the ESSID of each WLAN. ESSID’s are transmitted in clear to every wireless client that may be listening; this forms part of the ‘beacon’ that is transmitted periodically by the AP and is included on most packets leaving the WAP. Likewise when a client is associated with an AP, this also transmits the ESSID in clear. It is possible for a wireless client that is not associated with an AP to send a ‘probe request’ to the AP asking for various bits of information. Normally the ESSID is included with these requests and any AP that does not have the same ESSID will drop the packet. The rules of the various 802.11 protocols say that it must acknowledge a probe request that is using the ESSID configured on the AP OR that has the ESSID parameter set to ‘Any’. If you re-read the above statement you will see a fairly large whole in the 802.11 implementations that we can exploit: “OR that has the ESSID parameter set to ‘Any’.”…. SO, if we send probe requests and set the ESSID bit to ‘any’…then all WAP’s within range must respond to the requests….. and when the WAP’s send traffic what is included in the packet, yep the ESSID. Netstumbler (http://www.netstumbler.com/) which is arguably the most popular War Driving tool around uses this ‘flaw’ in the 802.11 protocols. It sends out 100’s of probe requests with the ESSID bit set to any and waits for return traffic. When this traffic comes it extracts the ESSID, sending MAC address, wireless channel and approximate signal strength of the WAP or the wireless client. If your wireless adaptor is set to receive a DHCP IP address (one that is automatically assigned to you) then Netstumbler will also record the IP range in use on that WLAN. Wireless Access Points can be configured to ignore probe requests with the ESSID bit set to ‘any’, but as we will see later on this does not really increase the WLAN security. They will however defeat Netstumbler static of using the ‘any’ ESSID and will remain hidden to it. Personally I don’t like Netstumbler due to it being very very noisy…..100’s of probe requests with the ESSID set to ‘any’ will set wireless IDS alarms of in an instant. Couple this with the fact it won’t pick up WLAN’s with the ESSID set to ‘any’ and you are found wanting when conducting an ‘Active Scan’. You set all the IDS’s off and may still not find all the WLAN’s. It must be mentioned that Netstumbler comes into its element when using it with a GPS and a decent antenna though.
So how do we find the WLAN’s that are ignoring probe requests with the ‘any’ ESSID bit set and at the same time avoid setting off IDS’s? To accomplish this we need to put of card into Monitor mode (sometimes referred to as rfmon mode) Most people confuse promiscuous mode with monitor mode. They are two very different things. Promiscuous mode will listen to all traffic that is sent on a WLAN that it is currently associated with. If it is not associated with a certain WLAN, then it will not accept traffic from it. Monitor mode on the other hand listens to all WLAN traffic without associating to any WLAN. Obviously if we have not associated with a WLAN and are not sending any packets to any, then no one will know we are there and no IDS alarms will be raised. Airodump (http://www.wirelessdefence.org/Contents/Aircrack_airodump.htm) which run on *nix platforms, Airodump-ng (http://www.aircrack-ng.org/doku.php?id=airodump-ng) which runs on Windows platforms and Wellenreitter (http://www.remote-exploit.org/) which is now part of the BackTrack live CD are the most popular tools for this and are all capable of capturing packets in monitor mode. For the anoraks that use a MAC, Kismet will run on your *cough* MAC (http://www.kismetwireless.net/index.shtml) as well as pretty much any other OS too. See here for a tutorial on using Airodump and indeed how to crack the WEP encryption: http://www.tazforum.thetazzone.com/viewtopic.php?t=2069 There will be a counterpart explaining packet injection with Windows and how to crack WPA-PSK at some point in the near future. Which ever one you chose to use you will more than likely need extra drivers to put your wireless adaptor into monitor mode. Once in monitor mode you can chose to capture all packets as either an ‘.ivs’ file (for WEP cracking) or a ‘.cap’ file for viewing with applications such as Ethereal or Wireshark as it is now known. The only occurrence left that we may find is if the WAP has been configured to not reply to probe requests set to ‘any’ and it is not broadcasting the ESSID with its beacons and is not a whole lot of traffic going over it. As long as there are clients associated with it (Airodump will tell us this, as will Wellenreitter) we can force a client off the WLAN and make it have to re-associate again. Commonly referred to as a Deauthentication Attack or Deauth for short, this forces traffic to be sent over the WLAN and will reveal the ESSID to us. It also forms the basis for WPA-PSK hacking. A deauth attack utilizes yet another weakness with the 802.11 protocols, whereby a client will accept and obey a deauthentication packet that is sent by the AP without any
authentication at all. In a nutshell what this means is that if we can send a deauthentication packet to a wireless client and make the packet look like it came from the AP, then the client will disassociate from that WLAN. To take it one step further if we send the deauthentication packet to the broadcast address of the LAN then all of the wireless clients will disassociate from it. When the clients re-associate to the LAN they have to broadcast an association packet which contains the ESSID in plain text to announce to the AP that they want to associate with it, otherwise no AP will answer, as if you remember from earlier they will only answer to their own ESSID, (or the ESSID of ‘any’ if configured to do so). This is a slightly more noisy way of finding the ESSID, but nowhere near as noisy as Netstumbler. You may set IDS alarms off with this too, so use it with caution. The trick in all of the above is finding the right WLAN for your target as you could be up 10’s of WLAN in the area, so you need to know which one is the right one. Most companies will name their WLAN something relevant to them or even name it the same as the company name. If this is the case then they have just made your job a lot easier. If the ESSID does not give you any info and you still have no idea which one belongs to your target you could try using the signal strength to make a best guess as to which WLAN is coming from your targets building, maybe visit the reception of your target and ask for directions to somewhere and then have a look at your WLAN sniffer’s logs to see what network had the strongest signal for the time you were in the building. If this is not providing you with any results you could even try phoning the IT dept up and asking them…..most will tell you the name there and then. The final things to say are that if you are having trouble picking up the signal, try again at night time or better yet at night time after it has been raining. Wireless signals travel further at night and further still when the ground is damp. If you still can’t get a signal try using a better antenna. Mapping the Network If we are going to try and gain entry to the network, it is a good idea to know the layout of it. Any half decent attacker will draw out his findings so that he has a diagram with as much information as he can find, which might be a lot or a very little. It is rather hard to map out networks that use NAT/PAT as our traces won’t get past the border router or firewall – we can’t trace to an internal IP address over the internet. However, if we have managed to find a way in via our War Driving and/or Dialling attempts then we already have access to the internal address space so can trace away to our hearts content. Either way a trace route works the same and the inner workings of it
are very simple. An IP packet has a Time To Live field set in it, commonly referred to as a TTL. Every layer 3 device such as a router or a layer 3 switch will decrement this TTL field by one as it routes the packet. (See here if you are unsure what layer 3 refers to) Once the frame has passed through enough layer 3 devices to reduce the TTL field to zero the layer 3 device who reduced it to zero, will drop it altogether. Without the TTL theoretically an IP packet would travel around a network for ever…. (According to the RFC the TTL is decremented by one for every second that the router has it. Due to the routing speed of most routers they typically have it for a lot less then a second, so it is safe to say that it will be reduced by one for every router it passes though) When this last router drops the packet it needs to send something back to the original sender to say that the packet has timed out, as per RFC rules. To do this it will send an ICMP Time Exceeded message (ICMP type 11 as defined in RFC792). Here is where the trace part comes in: We now that only a router will send the ICMP time exceeded message. The source IP address of this times exceeded message will be the routers IP address. If we know what the original TTL setting was we can determine how many hops away the router that sent the time exceeded message is. (A hop is considered to be a routing device that the packer passes through, so two hops means it has gone through two routers) So we set the TTL to one – then send it to the first router, this will decrement the TTL to zero and be forced to drop the packet and send the ICMP message to us – when we receive this message we learn the IP address of the first router. Then we set the TTL to a value of two – the first router decrements the TTL to one, but then as it is not zero it sends it on to the next router in its path – this router receives it, decrements the TTL to zero and is forced to send the ICMP type 11 message to us – thereby giving us the IP address of the second router. Then we set the TTL to three and the same process occurs until it gets to the final router. Setting all thses TTL fields manually can be quite a time consuming task, so MS and *nix have an application that will do it for us. The Microsoft version is called tracert and the *nix version is called traceroute. Simply open up a command prompt and type ‘tracert’ followed by the destination IP
address or Fully Qualified Domain Name (FQDN): Code: C:\Documents and Settings\Nokia>tracert google.com Tracing route to google.com [72.14.207.99] over a maximum of 30 hops: 1 95 ms 99 ms 99 ms speedtouch.lan [192.168.1.254] 2 241 ms 256 ms 257 ms brnt-bam-2.inet.ntl.com [194.145.148.7] 3 239 ms 248 ms 251 ms brnt-t3core-1a-ge-110-0.inet.ntl.com [213.105.19 9.85] 4 223 ms 227 ms 245 ms bre-bb-a-so-130-0.inet.ntl.com [213.105.174.245] 5 240 ms 255 ms 247 ms gfd-bb-b-so-120-0.inet.ntl.com [213.105.172.150] 6 * 217 ms 226 ms nth-bb-a-so-000-0.inet.ntl.com [62.253.185.97] 7 256 ms 247 ms 245 ms nth-bb-b-so-200-0.inet.ntl.com [213.105.172.194] 8 9 10 11 12 13 14 15
279 ms 250 ms 245 ms 319 ms 359 ms 344 ms 343 ms 353 ms
265 ms 278 ms 268 ms 316 ms 352 ms 349 ms 341 ms 349 ms
248 ms tele-ic-1-as0-0.inet.ntl.com [62.253.184.2] 268 ms 212.250.14.66 277 ms 72.14.238.244 317 ms 216.239.46.112 356 ms 72.14.233.113 337 ms 66.249.94.96 337 ms 66.249.94.118 343 ms eh-in-f99.google.com [72.14.207.99]
The numbers on the side indicate what the TTL was for that hop. The next three columns tell us the round trip time and the last part of it tells us the FQDN of the router if there is a DNS entry in existence for that IP address, or it will just tell us the IP address of it. You can usually tell by the trace route output which routers belong to the same organisation; the first seven hops in my trace all belonged to NTL. Some times however the routers won’t play by the rules and will be configured to not send ICMP Time Exceeded messages out. If this is the case you will get some **** instead of an IP address. You could also be unlucky enough to come across a router that will not allow ICMP type 11 packets to pass through it. If this is the case you will get all ****’s from this router onwards as the return packets can not get to you hence you can’t
trace the routers IP address. Ping Sweep To go hand in hand with traceroute you can also PING a target or a targets subnet to see what hosts are active on it. There are hundreds of tools available but I suppose the most common is Nmap. Use the –sP option to Ping Sweep a subnet. For example if we ping sweep the IP addresses adjacent to Google (we found Google’s IP from our trace route) we will be able to see what is alive: Code: C:\Documents and Settings\Nokia>nmap -sP 72.14.207.0-255 Starting Nmap 4.03 ( http://www.insecure.org/nmap ) at 2007-02-13 20:38 GMT Standard Time Host 72.14.207.4 appears to be up. Host 72.14.207.5 appears to be up. Host 72.14.207.6 appears to be up. Host 72.14.207.8 appears to be up. Host eh-in-f9.google.com (72.14.207.9) appears to be up. Host eh-in-f19.google.com (72.14.207.19) appears to be up. Host eh-in-f32.google.com (72.14.207.32) appears to be up. Host eh-in-f33.google.com (72.14.207.33) appears to be up. Host eh-in-f34.google.com (72.14.207.34) appears to be up. Host eh-in-f35.google.com (72.14.207.35) appears to be up. Host eh-in-f36.google.com (72.14.207.36) appears to be up. Host eh-in-f37.google.com (72.14.207.37) appears to be up. Host eh-in-f38.google.com (72.14.207.38) appears to be up. Host eh-in-f39.google.com (72.14.207.39) appears to be up. Host eh-in-f40.google.com (72.14.207.40) appears to be up. Host eh-in-f41.google.com (72.14.207.41) appears to be up. Host eh-in-f42.google.com (72.14.207.42) appears to be up. Host eh-in-f43.google.com (72.14.207.43) appears to be up. Host eh-in-f44.google.com (72.14.207.44) appears to be up. Host eh-in-f45.google.com (72.14.207.45) appears to be up. Host eh-in-f46.google.com (72.14.207.46) appears to be up. Host eh-in-f47.google.com (72.14.207.47) appears to be up. Host eh-in-f48.google.com (72.14.207.48) appears to be up. Host eh-in-f49.google.com (72.14.207.49) appears to be up. Host eh-in-f50.google.com (72.14.207.50) appears to be up. Host eh-in-f51.google.com (72.14.207.51) appears to be up. Host eh-in-f52.google.com (72.14.207.52) appears to be up.
Host eh-in-f53.google.com (72.14.207.53) appears to be up. Host eh-in-f54.google.com (72.14.207.54) appears to be up. Host eh-in-f56.google.com (72.14.207.56) appears to be up. Host eh-in-f57.google.com (72.14.207.57) appears to be up. Host eh-in-f58.google.com (72.14.207.58) appears to be up. Host eh-in-f59.google.com (72.14.207.59) appears to be up. Host eh-in-f60.google.com (72.14.207.60) appears to be up. Host eh-in-f61.google.com (72.14.207.61) appears to be up. Host eh-in-f62.google.com (72.14.207.62) appears to be up. Host eh-in-f63.google.com (72.14.207.63) appears to be up. Host eh-in-f64.google.com (72.14.207.64) appears to be up. Host eh-in-f65.google.com (72.14.207.65) appears to be up. Host eh-in-f66.google.com (72.14.207.66) appears to be up. Host eh-in-f67.google.com (72.14.207.67) appears to be up. Host eh-in-f68.google.com (72.14.207.68) appears to be up. Host eh-in-f69.google.com (72.14.207.69) appears to be up. Host eh-in-f70.google.com (72.14.207.70) appears to be up. Host eh-in-f71.google.com (72.14.207.71) appears to be up. Host eh-in-f72.google.com (72.14.207.72) appears to be up. Host eh-in-f73.google.com (72.14.207.73) appears to be up. Host eh-in-f74.google.com (72.14.207.74) appears to be up. Host eh-in-f75.google.com (72.14.207.75) appears to be up. Host eh-in-f76.google.com (72.14.207.76) appears to be up. Host eh-in-f77.google.com (72.14.207.77) appears to be up. Host eh-in-f78.google.com (72.14.207.78) appears to be up. Host eh-in-f79.google.com (72.14.207.79) appears to be up. Host eh-in-f80.google.com (72.14.207.80) appears to be up. Host eh-in-f81.google.com (72.14.207.81) appears to be up. Host eh-in-f83.google.com (72.14.207.83) appears to be up. Host eh-in-f84.google.com (72.14.207.84) appears to be up. Host eh-in-f88.google.com (72.14.207.88) appears to be up. Host eh-in-f91.google.com (72.14.207.91) appears to be up. Host eh-in-f93.google.com (72.14.207.93) appears to be up. Host eh-in-f95.google.com (72.14.207.95) appears to be up. Host eh-in-f96.google.com (72.14.207.96) appears to be up. Host eh-in-f97.google.com (72.14.207.97) appears to be up. Host eh-in-f99.google.com (72.14.207.99) appears to be up. Host eh-in-f100.google.com (72.14.207.100) appears to be up. Host eh-in-f101.google.com (72.14.207.101) appears to be up. Host eh-in-f104.google.com (72.14.207.104) appears to be up. Host eh-in-f107.google.com (72.14.207.107) appears to be up. Host eh-in-f112.google.com (72.14.207.112) appears to be up. Host eh-in-f115.google.com (72.14.207.115) appears to be up. Host eh-in-f117.google.com (72.14.207.117) appears to be up. Host eh-in-f121.google.com (72.14.207.121) appears to be up. Host eh-in-f123.google.com (72.14.207.123) appears to be up.
Host eh-in-f129.google.com (72.14.207.129) appears to be up. Host eh-in-f133.google.com (72.14.207.133) appears to be up. Host eh-in-f161.google.com (72.14.207.161) appears to be up. Host 72.14.207.162 appears to be up. Host 72.14.207.164 appears to be up. Host 72.14.207.165 appears to be up. Host eh-in-f176.google.com (72.14.207.176) appears to be up. Host eh-in-f177.google.com (72.14.207.177) appears to be up. Host eh-in-f178.google.com (72.14.207.178) appears to be up. Host eh-in-f179.google.com (72.14.207.179) appears to be up. Host eh-in-f180.google.com (72.14.207.180) appears to be up. Host eh-in-f181.google.com (72.14.207.181) appears to be up. Host eh-in-f182.google.com (72.14.207.182) appears to be up. Host eh-in-f183.google.com (72.14.207.183) appears to be up. Host eh-in-f184.google.com (72.14.207.184) appears to be up. Host eh-in-f187.google.com (72.14.207.187) appears to be up. Host eh-in-f190.google.com (72.14.207.190) appears to be up. Host eh-in-f191.google.com (72.14.207.191) appears to be up. Host eh-in-f196.google.com (72.14.207.196) appears to be up. Host eh-in-f212.google.com (72.14.207.212) appears to be up. Host 72.14.207.221 appears to be up. Host 72.14.207.222 appears to be up. Host 72.14.207.224 appears to be up. Host 72.14.207.225 appears to be up. Host 72.14.207.227 appears to be up. Host 72.14.207.228 appears to be up. Host 72.14.207.230 appears to be up. Host 72.14.207.231 appears to be up. Host 72.14.207.233 appears to be up. Host 72.14.207.234 appears to be up. Host 72.14.207.236 appears to be up. Host 72.14.207.237 appears to be up. Host 72.14.207.251 appears to be up. Host 72.14.207.252 appears to be up. Host 72.14.207.253 appears to be up. Host 72.14.207.254 appears to be up. Nmap finished: 256 IP addresses (109 hosts up) scanned in 22.328 seconds
Oh my, doesn’t Google have rather a lot of servers. The last thing to note is that just like ICMP time exceeded messages; ICMP replies can also be blocked by routers & firewalls and the actual host can also be configured not to reply to ICMP requests.
Port Scanning Port scanning is a very useful tool that is very much in favour of the attackers. If we are to find a way into a network then it will more than likely be through a vulnerable service of some kind. Most newcomers find ‘ports’ a difficult concept to grasp due to them trying to think of them as physical ports, hence when I say there are 65356 different ports you probably try and picture the back of a computer with all these ports sticking out of it. The ports are entirely configured in software and in very simple terms all they are is a way of keeping traffic from different services separate. A service can be a Mail Server, a Web Server, an FTP server etc. If someone sends you an email, you don’t want it going to your web server do you? So all these services are given their own ports to use by way of a port number. There are 65356 TCP ports and 65356 UDP ports. Take a SMTP Mail server and a Web server for example: An SMTP Mail server usually uses port 25 (TCP) and an FTP server will usually use port 21 (TCP) If I send you an email, your computer can’t just simply read it and determine it is an email and needs to go to the mail server – like wise if I send you a file via FTP your computer cant read this and know it is a file destined for the FTP service…only the relevant services will know what to do with the data. So we need a way to tell your computer to send the right data to the right service. To accomplish this we put the destination port number in the packet and then send it to the computer. This way when the data arrives at the computer all it has to do is look for a port number, if it says port 25 then it knows to send it to the service listening on port 25, which will be the Mail server – the mail server receives this traffic, understands what it is and passes it on up to your mail client so you can read it. If I want to send you a file via FTP I first open up a channel to you on port 21. Your computer receives this data, looks at the destination port number and knows where to send it to, in this case the service listening on port 21; FTP. There is more to it than this, but in essence this is what happens. The obvious limitation to this is that every service needs to be listening on the correct port – if I am to send an email to you I need to know that your mail server is listening on port 25 for me to put the destination port number in the packet…if you have your mail server listening on port 50, when I send an email to you, your computer will look at the
port number (25), see there is no service listening on that port and drop the data. You would also be disrupting the service that should be listening on port 50. For this reason the Internet Assigned Numbers Authority (IANA) have a very strict registration process to control which service will listen on which port. From the IANA web site: Quote: The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023. DCCP Well Known ports SHOULD NOT be used without IANA registration. The registration procedure is defined in [RFC4340], Section 19.9. The Registered Ports are those from 1024 through 49151 DCCP Registered ports SHOULD NOT be used without IANA registration. The registration procedure is defined in [RFC4340], Section 19.9. The Dynamic and/or Private Ports are those from 49152 through 65535
In layman’s terms; Well Known ports are used for the most common services specific to network and Internet functionality, such as FTP, SMTP, Telnet, HTTP, DNS etc Registered Ports are for common services that are not specific for the functionality of a Network or the Internet such as PC games, Kazza, SQL cluster manager, Anti Virus etc – things that are widely used and that others need to know the port number in advance for. The Dynamic and private ports can be used by anyone for anything. You can find a constantly updated list of port assignments on the IANA web site: http://www.iana.org/assignments/port-numbers So, taking it a step further and looking at it from a bad guy’s point of view, if someone wants to run a mail server and receive email then they need to have a mail server listening on port 25. If we send a data packet to that port and we get a response back, we know that as per IANA regulations that is has to be a mail server who sent this response. If we don’t get a response back then there is nothing listening on that port, hence there is no service running.
There are two mail types of protocol used for the transmission of data over a network and the Internet; User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). Even though they both do the same job, they do it in very different ways. If you are not to sure about how TCP and UDP works and the differences between the two, please read THIS before continuing on with this paper as you will need to have a rudimentary understanding of it to understand how a port scan works and the benefits of using different types of scan. Which brings us nicely on to Nmap…. Nmap (Part 1 of 3) Nmap is probably the worlds most famous and useful port scanner. It runs on pretty much every Operating System and is relatively straight forward to use. For Windows there is a graphical version and a command line version, which can both be found here: http://insecure.org/nmap/download.html For this paper I shall use the Command Line Interface (CLI) version however if you have never used it before it maybe worth while to use the graphical version until you are comfortable with it. After installing Nmap and the Winpcap drivers that come with it Windows XP Service Pack 2 users should install the registry file. It can be found in, C:\Program Files\Nmap, simply right click on ‘nmap_performance.reg’ and select merge – the latest release has this as an install option. You can now use Nmap by typing nmap directly into a command prompt. You need to be an administrator/root of the host you install Nmap on to use all of its features. If you already have Nmap installed use the following command to ensure you have the latest version (Version 4.20 as of this writing): “nmap --version” If you do not add any option after typing nmap it will display a list of commonly used parameters that you can use for your scan: Code: Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\Nokia>nmap Nmap 4.03 ( http://www.insecure.org/nmap ) Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL : Input from list of hosts/networks -iR : Choose random targets --exclude : Exclude hosts/networks --excludefile <exclude_file>: Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -P0: Treat all hosts as online -- skip host discovery -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags : Customize TCP scan flags -sI : Idlescan -sO: IP protocol scan -b : FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 -F: Fast - Scan only the ports listed in the nmap-services file) -r: Scan ports consecutively - don't randomize SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-intensity : Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for debugging) OS DETECTION: -O: Enable OS detection --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take