Phase 1: Reconnaissance
Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition)
ISBN-10: 0131481045
ISBN-13: 978-0131481046
Reconnaissance vs. Enumeration
● Both are involved in preliminary data collection, but each is unique
● Reconnaissance
○ Passively engages the target
○ Searching public records, corporate documents, search results
● Enumeration
○ Actively engages the target to gain information
○ Ping sweeps, port scans, fingerprinting
Reconnaissance
● Obtain information
○ construct a topology (i.e. a map)
○ understand the domain
● Analogy: applying for graduate school or a job
● Analogy: a jigsaw puzzle
Search the Fine Web (STFW)
● Public information
○ domain names, network addresses, contact information, etc.
● Indistinguishable from normal user behavior
○ no alarms tripped
● Query the ultimate scanner
● Bots
○ crawl websites
○ visit reachable locations via hyperlinks
● Index
○ searchable, with results presented by PageRank
● Cache
○ snapshot of the page
○ first 101 KB of the page (may be more now)
● API
○ automated web searches
○ 1,000 searches per day
■ 1,000 results
Google Search Directives
● site:[domain]
● link:[web page]
● intitle:[term(s)]
○ site:cs.fsu.edu intitle:"index of"
● related:[site]
○ based on Google's indexing algorithm
● cache:[page]
● filetype:[suffix]
● rphonebook:[name and city or state]
● bphonebook:[name and city or state]
● phonebook:[name and city or state]
Google Search Operators
● Literal matches (" ")
○ when word order matters
● Not (-)
○ remove results that contain the given term
● Plus (+)
○ don't drop a common word that Google would otherwise ignore
○ +the +how
http://www.googleguide.com/advanced_operators.html
Example
http://www.cs.fsu.edu
CS Example
site:cs.fsu.edu login
site:cs.fsu.edu login filetype:php
site:cs.fsu.edu inurl:login filetype:php
site:cs.fsu.edu inurl:baker
cache:http://www.cs.fsu.edu/~baker/pls/
Internet Archive (Wayback Machine)
● http://archive.org/web/web.php
● http://wayback.archive.org/web/*/http://www.cs.fsu.edu
Perusing the Target's Website
● Go to it!
● Note
○ employees' contact info, specifically phone numbers
○ corporate lingo
■ physical office locations, star employees, etc.
○ business partners
○ recent mergers and acquisitions
○ technologies in use
■ LAMP vs. M$
○ open job requisitions
■ "Cisco cert XXX required"
Defense Against Search Engine and Web-Based Reconnaissance
● Theory: security through obscurity is broken
● Practice: it works
● Create policies
● Periodically measure the effectiveness of the policies you set
Defense Against Search Engine and Web-Based Reconnaissance
● Googlebot respects robots.txt
○ Tells well-behaved Web crawlers not to search certain directories, files, or the entire Web site
○ noindex: don't include the given page in the index
○ nofollow: don't follow links on the given page
○ noarchive: the given page should be indexed, but not cached
○ nosnippet: Google should not show a summary snippet for the page in search results
○ site:fsu.edu inurl:robots.txt
○ http://geomag.gfdi.fsu.edu/robots.txt
○ double-edged sword: robots.txt is public, so its Disallow lines advertise exactly the paths you want hidden
● Explicitly ask Google to remove cache entries
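As an added example (not from the slides or the book), the Python below audits a robots.txt before it is published: it checks what a well-behaved crawler may fetch using the standard library's robotparser, lists the Disallow paths that the file itself advertises to anyone who reads it (the double-edged sword above), and builds the per-page tag for the noindex/nofollow/noarchive/nosnippet directives, which are robots meta directives rather than robots.txt keywords. The robots.txt text and the path names in it are constructed for illustration.

```python
"""Audit a robots.txt before publishing it, and build per-page robots directives.

Added example, not from the slides or the book. The robots.txt text and the
path names in it are constructed for illustration.
"""
from typing import List
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site: note that the Disallow lines
# name the very directories the site wants crawlers to stay out of.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /

User-agent: BadBot
Disallow: /
"""

# The four directives on the slide are per-page robots meta directives, not
# robots.txt keywords; they go in a <meta name="robots"> tag (or an
# X-Robots-Tag response header) on each page.
META_DIRECTIVES = {"noindex", "nofollow", "noarchive", "nosnippet"}


def load_robots(text: str) -> RobotFileParser:
    """Parse robots.txt text with the standard-library parser (no network access)."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def may_fetch(text: str, agent: str, path: str) -> bool:
    """True if a well-behaved crawler identifying as `agent` may fetch `path`.
    This is advisory only: a crawler that ignores robots.txt is not blocked."""
    return load_robots(text).can_fetch(agent, path)


def disallowed_paths(text: str) -> List[str]:
    """Every Disallow path in the file. robots.txt is itself public, so this is
    the list the file advertises to anyone who reads it; paths that must stay
    unknown need access control, not a Disallow line."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def meta_robots_tag(*directives: str) -> str:
    """Build the <meta name="robots"> tag for the given directives, e.g.
    meta_robots_tag("noindex", "noarchive") for a page that must be neither
    indexed nor cached. Unknown directives are rejected rather than emitted."""
    unknown = set(directives) - META_DIRECTIVES
    if unknown:
        raise ValueError("unknown robots directive(s): %s" % sorted(unknown))
    content = ", ".join(directives)
    return '<meta name="robots" content="%s">' % content


if __name__ == "__main__":
    checks = [("Googlebot", "/about.html"), ("Googlebot", "/admin/"), ("BadBot", "/about.html")]
    for agent, path in checks:
        verdict = "allowed" if may_fetch(SAMPLE_ROBOTS, agent, path) else "disallowed"
        print(agent, path, "->", verdict)
    print("advertised paths:", disallowed_paths(SAMPLE_ROBOTS))
    print(meta_robots_tag("noindex", "noarchive"))
```

Run it against your own robots.txt text: every entry that `disallowed_paths` returns is a directory name you have published, so the useful question for each is whether a reader learning that name matters, and if it does, whether the directory is protected by authentication rather than by the Disallow line.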
Tool Time
Foundstone's SiteDigger
● http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
Wikto (Roelof Temmingh)
● Windows version of nikto
○ nikto is a Perl website vulnerability scanner
● http://www.sensepost.com/labs/tools/pentest/wikto
DNS Fingerprinting
Record Types:
SRV - Service - Host name and port number of servers providing a service
SOA - Start of Authority - Primary NS for the zone
NS - Name Server
MX - Mail Exchange - Identifies e-mail servers
CNAME - Canonical Name - Domain name aliases
A - Address - maps a host name to an IP address
● 'dig' can be used to dump Name Server records
○ Typical usage is 'dig @[ns-server] [domain] [query-type]'
○ Example: 'dig @8.8.8.8 google.com any'
● 'whois' dumps registration information about a domain
○ Typical usage is 'whois [domain]'
○ Example: 'whois google.com'
● 'traceroute' provides routing information between you and the host
○ entries of the form * * * indicate a hop which does not respond to ICMP requests, usually firewalls or routers
○ Typical usage is 'traceroute [host]'
○ Example: 'traceroute google.com'
● ARIN WHOIS
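Added example, not from the slides or the book: the Python below parses the ANSWER SECTION of `dig` output into the record types tabled above and summarizes what the zone publicly advertises, which is the same inventory a defender should make of their own zone. It also flags A records that resolve to RFC 1918 space, a common finding when internal hosts have been published in a public zone. The dig output is constructed (example.com, documentation addresses and a hypothetical intranet host) so the script runs offline; the same functions work on real `dig` output.

```python
"""Inventory what a zone publicly advertises by parsing `dig` answer records.

Added example, not from the slides or the book. The dig output below is
constructed (example.com, documentation addresses, a hypothetical intranet
host) so the script runs offline.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed, abbreviated output of `dig @8.8.8.8 example.com any`.
SAMPLE_DIG = """\
; <<>> DiG 9.18.1 <<>> @8.8.8.8 example.com any
;; ANSWER SECTION:
example.com.            3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.            3600  IN  NS     ns1.example.com.
example.com.            3600  IN  NS     ns2.example.com.
example.com.            3600  IN  MX     10 mail.example.com.
example.com.            3600  IN  A      192.0.2.10
www.example.com.        300   IN  CNAME  example.com.
intranet.example.com.   300   IN  A      10.0.0.5
_sip._tcp.example.com.  300   IN  SRV    10 60 5060 sip.example.com.

;; Query time: 23 msec
"""

Record = Tuple[str, int, str, str]          # (name, ttl, type, rdata)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

# RFC 1918 ranges; a public zone should not normally resolve names to these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_answer_section(text: str) -> List[Record]:
    """Extract (name, ttl, type, rdata) tuples from the ';; ANSWER SECTION:' of dig output."""
    records: List[Record] = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and (not line.strip() or line.startswith(";;")):
            break                      # a blank line or the next ;; header ends the section
        if in_answer:
            m = RECORD_RE.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                records.append((name, int(ttl), rtype, rdata.strip()))
    return records


def exposure_summary(records: List[Record]) -> Dict[str, List[Tuple[str, str]]]:
    """Group records by type: NS (name servers), MX (mail), SRV (services),
    CNAME (aliases) and A (addresses) are exactly what recon collects with dig."""
    by_type: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for name, _, rtype, rdata in records:
        by_type[rtype].append((name, rdata))
    return dict(by_type)


def mail_servers(records: List[Record]) -> List[str]:
    """Hosts named in MX records, most preferred (lowest preference value) first."""
    mx = []
    for _, _, rtype, rdata in records:
        if rtype == "MX":
            pref, host = rdata.split()
            mx.append((int(pref), host.rstrip(".")))
    return [host for _, host in sorted(mx)]


def private_address_leaks(records: List[Record]) -> List[Tuple[str, str]]:
    """A records that resolve to RFC 1918 space: a classic defender finding,
    since the public zone is then handing out internal addressing and naming."""
    return [(name, rdata) for name, _, rtype, rdata in records
            if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918)]


if __name__ == "__main__":
    recs = parse_answer_section(SAMPLE_DIG)
    for rtype, entries in sorted(exposure_summary(recs).items()):
        print(rtype, entries)
    print("MX hosts:", mail_servers(recs))
    print("private address leaks:", private_address_leaks(recs))
```

Everything in the ANSWER SECTION is, by definition, information the zone hands to any resolver, so the summary is a good starting point for deciding which hostnames belong in a public zone at all and which belong only in an internal (split-horizon) view.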
Now what?
We have all this great data after running all of these tools.
This is where pentesters and hackers dive into social engineering to get more info, and perhaps even access to a system.
Low-Technology Reconnaissance
● Definition: social engineering: any act in which you try to manipulate a person into accomplishing a goal, where that goal may or may not be in the target's interest (e.g. disclosing info).
● Leverage prior research (dig, Google results, social media)
Social Engineering
● Usually you gather info first, before this step
● Then, with that info and some cunning, manipulate more info out of people working at the target.
● Humans have a weakness for helping others, so the most common vector for social engineering is "Hey, could you please help me...." See: http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html
Persuasion: Exploiting Evolutionary Triggers
● The grouper and the sabertooth blenny
● The Harvard 70's compliance study
○ Goal is to study compliance (or: what is the minimum we need to do to get someone to do us a favor?)
■ Discovered that the magic word is "because"
○ Discovered 6 specific human quirks to exploit:
■ Reciprocity (we tend to return favors, regardless of the original favor)
■ Consistency (we try to be consistent) - once you give a bum money, it's really hard to turn down further requests
■ Social Proof (we tend to try to fit in) - laugh tracks, crowd theory
■ Liking (we tend to cooperate with those who seem to like us) - bad cop / good cop
■ Authority (we cooperate with those who seem to be in charge) - lab coats, badges, and mohawks
■ Scarcity (we overvalue apparently scarce resources) - Xmas toy crazes, limited-time offers...
● Information scarcity and censorship
Follow-up reference
Robert Cialdini's book, Influence: The Psychology of Persuasion
A GREAT presentation about this by Dr. W. Philip Kegelmeyer: http://csmr.ca.sandia.gov/~wpk/avi/2007.06.28_TT_PhilipKegelmeyer_ThePsychologyofPersuasion.avi
^Seriously worth watching
Social Engineering
● Social Engineering is usually the easiest way into a system. See Anonymous's takedown of HBGary as an example.
○ a $40B company "ruined" by a single social engineering attack!
○ (see step #8): http://thestrayworld.com/2011/02/17/how-the-anonymous-broke-into-hbgary/
A good read: http://news.cnet.com/8301-27080_3-20013901-245.html
A great resource for SE defenses / training
http://social-engineer.org/
Concluding Remarks
We demonstrated techniques used by both hackers and penetration testers. The take-aways are:
● Know your google-fu
● Hackers do their homework, and the internet makes it easy
● Security through obscurity does work in practice
● The ease of information gathering works both FOR and AGAINST you and attackers
● Humans are the weakest link