Hacking Methodology Lab
h4X0R
Know Your Enemy
Hacking Methodology & Tools:
Network Reconnaissance
Professional. Proactive. Protective.
Classification
The briefing is UNCLASSIFIED in its entirety.
• Functional and centralized authority for computer incident data collection & reporting.
• Provision of technical security incident reports for ISSOs and other authorities within the department.
Briefing Goals
The goal of this briefing is five-fold:
b. introduce some of the methods and tools used during the network reconnaissance process;
d. demonstrate the benefits of a personal lab and the methods used in lab construction; and
Hacking Methodology
• Reconnaissance and Target Acquisition
    Footprinting
    Scanning
    Enumeration
• Assault
    Gaining access
    Privilege escalation
    Pilfering
    Covering tracks
    Back door creation
    Denial of Service (DoS)
Footprinting
• Domain name
• Network blocks
• Specific IP addresses
Types of Footprinting:
• Active – The target may be alerted to the activity (traceroutes, social engineering, zone transfers).
• Passive – The target is unaware of the reconnaissance activity (Whois searches, other open source information).
Techniques –
• DNS zone transfer/interrogation
• Online Tools
• Open source search
• Route tracing
• Social Engineering
• Whois lookup
Tools –
• nslookup
• p0f
• “Sam Spade”
• Search engines
• traceroute
• Usenet
• whois (Internic, ARIN, etc.)
• WinNSlookup
DNS Interrogation
[Diagram: h4X0R querying the DNS Server with nslookup]
DNS Resource Record Type Codes
Most DNS RR types are defined in RFCs 1034, 1183, 1876, and 2782.
DNS Record Examples
UseNet Search
Traceroute
c:\>tracert server.target.net
OR
c:\>tracert 4.3.4.2
[Diagram: Source Host host1.source.net (1.2.3.2) -> Hop 1, TTL 100 -> Gateway gateway.source.net (1.2.3.1) -> Hop 2, TTL 99 -> Internet Router 2.3.4.6 -> Hop 3, TTL 98]
• Traceroute is a utility available in both Windows and *nix OSes.
• This utility records the specific gateway computers at each hop between the source host and a specified destination host.
• Allows the attacker to determine some basic network topology and determine the location of routers and packet filtering devices.
• As a general rule of thumb, the last
Traceroute
C:\WINDOWS\Desktop>tracert 1.2.61.100
Tracing route to host bb2-web1.xxx.net [1.2.61.100]
1 3 ms 9 ms 9 ms Ubergeek [xxx.xxx.xxx.xxx]
2 70 ms 49 ms 69 ms gw01.phub.cable.rogers.com [xxx.xxx.82.138]
3 116 ms 99 ms 99 ms bb2.gw4.xxx.xxx.net [1.2.60.1]
4 117 ms 100 ms 100 ms bb2-gw2-60-22.xxx.net [1.2.60.2]
6 198 ms 109 ms 110 ms bb2-fw-2-dmz.xxx.net [1.2.61.1]
7 237 ms 179 ms 220 ms bb2-web1.xxx.net [1.2.61.100]
Trace complete.
C:\WINDOWS\Desktop>
Traceroute
C:\WINDOWS\Desktop>tracert
Tracing route to host bb2.fw1.xxx.xxx.net [1.2.60.3]
1 2 ms 6 ms 8 ms Ubergeek [xxx.xxx.xxx.xxx]
2 68 ms 47 ms 69 ms gw01.phub.cable.rogers.com [xxx.xxx.82.138]
3 111 ms 92 ms 100 ms bb2.gw4.xxx.xxx.net [1.2.60.1]
4 123 ms 101 ms 103 ms bb2.gw2.xxx.xxx.net [1.2.60.2]
5 138 ms 107 ms 109 ms bb2.fw1.xxx.xxx.net [1.2.60.3]
Trace complete.
C:\WINDOWS\Desktop>
• We now have an initial map of the network and an insight into its naming conventions.
• An educated guess and another traceroute yields another firewall.
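The two tracert listings above are read by eye on the slides. As an added example (not code from the briefing), the following Python parser turns Windows tracert output into hop records and flags the hops that never answered, which is where a filtering device that drops ICMP time-exceeded messages shows up. The sample input is the first listing from the slide, with its xxx placeholders kept; note that hop 5 is absent from that listing and is exactly what the silent-hop check reports. Function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the Windows tracert listing from the slide. The
# xxx placeholders are the slide's own redactions; hop 5 is absent in the
# listing, which is the kind of silent hop the analysis below flags.
SAMPLE_TRACERT = """\
Tracing route to host bb2-web1.xxx.net [1.2.61.100]
 1 3 ms 9 ms 9 ms Ubergeek [xxx.xxx.xxx.xxx]
 2 70 ms 49 ms 69 ms gw01.phub.cable.rogers.com [xxx.xxx.82.138]
 3 116 ms 99 ms 99 ms bb2.gw4.xxx.xxx.net [1.2.60.1]
 4 117 ms 100 ms 100 ms bb2-gw2-60-22.xxx.net [1.2.60.2]
 6 198 ms 109 ms 110 ms bb2-fw-2-dmz.xxx.net [1.2.61.1]
 7 237 ms 179 ms 220 ms bb2-web1.xxx.net [1.2.61.100]
Trace complete.
"""

# One round-trip field: "3 ms", "47ms", "<1 ms", or "*" for no reply.
RTT_FIELD = r"(?:<?\d+\s*ms|\*)"
HOP_RE = re.compile(
    rf"^\s*(?P<hop>\d+)\s+(?P<r1>{RTT_FIELD})\s+(?P<r2>{RTT_FIELD})\s+"
    rf"(?P<r3>{RTT_FIELD})\s+(?P<target>.+?)\s*$"
)
# Trailing field is "name [ip]", a bare address, or "Request timed out."
TARGET_RE = re.compile(r"^(?:(?P<name>\S+)\s+)?\[(?P<ip>[^\]]+)\]$")
TIMED_OUT = "Request timed out."


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]  # None where tracert printed "*"
    name: Optional[str]
    ip: Optional[str]

    @property
    def silent(self) -> bool:
        return all(r is None for r in self.rtts_ms)


def _rtt(field: str) -> Optional[int]:
    if field == "*":
        return None
    return int(field.lstrip("<").rstrip("ms").strip())


def parse_tracert(text: str) -> List[Hop]:
    """Turn tracert output into Hop records, skipping banner and footer lines."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [_rtt(m.group(g)) for g in ("r1", "r2", "r3")]
        target = m.group("target")
        tm = TARGET_RE.match(target)
        if tm:
            name, ip = tm.group("name"), tm.group("ip")
        elif target == TIMED_OUT:
            name, ip = None, None
        else:
            name, ip = None, target  # bare address, e.g. "tracert -d" output
        hops.append(Hop(int(m.group("hop")), rtts, name, ip))
    return hops


def silent_hops(hops: List[Hop]) -> List[int]:
    """Hop numbers that never answered: missing from the listing or all '*'.
    Devices that drop ICMP time-exceeded (filters, firewalls) appear here."""
    by_number = {h.number: h for h in hops}
    if not by_number:
        return []
    return [n for n in range(1, max(by_number) + 1)
            if n not in by_number or by_number[n].silent]


def hop_before_destination(hops: List[Hop]) -> Optional[Hop]:
    """The last responding hop ahead of the destination, i.e. the final gateway
    on the path; on the slide it is the host named bb2-fw-2-dmz."""
    answered = [h for h in hops if not h.silent]
    return answered[-2] if len(answered) >= 2 else None


if __name__ == "__main__":
    parsed = parse_tracert(SAMPLE_TRACERT)
    for h in parsed:
        print(h.number, h.name, h.ip, h.rtts_ms)
    print("silent hops:", silent_hops(parsed))
    print("gateway before destination:", hop_before_destination(parsed).name)
```

From a defender's side, the same parser run over traces taken from outside the perimeter shows which of your own devices answer with time-exceeded messages and therefore which hops an outsider can map; a hop that stays silent reveals nothing about itself, but a gap in the numbering still tells the observer that something sits there.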
Firewalking
Fire, walk with me…
Ubergeek:#firewalk -n -S 1-1024 TCP 1.2.61.1 1.2.61.100
Firewalking through 1.2.61.1 (towards 1.2.60.100) with a maximum of 25 hops.
Ramping up hopcounts to binding host...
probe: 1 TTL: 1 port 33434: <response from> [1.2.60.1]
probe: 2 TTL: 2 port 33434: <response from> [1.2.60.2]
probe: 3 TTL: 3 port 33434: Bound scan: 3 hops <Found gateway at 3 hops> [1.2.61.1]
Scanning...
port 20: open
port 21: open
port 22: open
port 53: open
port 80: open
1027 packets sent, 5 replies received.
• In this example, firewalk will scan ports 1-1024 using TCP packets directed at the firewall (1.2.61.1) using the previously mapped host at 1.2.61.100 as a metric.
• The packet filter is found after three hops and firewalk begins scanning using TCP packets with a TTL of 4.
• In this case, the ports shown were allowed by the ACL and passed successfully through the packet filter.
• The attacker can therefore surmise in this case that at least one web server, an ssh server and an ftp server are running in the DMZ.
• Armed with this information, the attacker can plan any further actions appropriately.
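The firewalk session above has a distinctive shape from the packet filter's point of view: a ramp-up probe to port 33434 that arrives with almost no TTL left, followed by a burst of probes to hundreds of ports that all carry the same tiny TTL (sent with TTL 4, they reach the third hop with TTL 2). Ordinary clients start at TTL 64 or 128 and arrive with tens of hops remaining. As an added example (not code from the briefing or from firewalk), this Python detector applies that rule over constructed packet records; the attacker and client addresses are made up, the thresholds LOW_TTL and MIN_PORTS are assumptions, and only 1.2.61.1 and 1.2.61.100 come from the slide.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Pkt(NamedTuple):
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    dport: int
    ttl: int     # TTL remaining when the packet reaches the filter


# Assumed thresholds: a normal client starts at TTL 64/128 and loses one per
# hop, so anything arriving at the perimeter with only a few hops left is
# suspect; many distinct ports at one such TTL is the firewalk scanning phase.
LOW_TTL = 8
MIN_PORTS = 50
RAMP_PORT = 33434  # the port firewalk's ramp-up probes use on the slide


def build_sample() -> List[Pkt]:
    """Constructed traffic as the filter at 1.2.61.1 would see the slide's
    session: the ramp-up probe that reaches it (sent with TTL 3, the two
    routers in front of it leave TTL 1), then the scanning phase (sent with
    TTL 4, arriving with TTL 2) across ports 1-1024, plus ordinary clients."""
    attacker, target = "203.0.113.7", "1.2.61.100"  # constructed source address
    pkts = [Pkt(attacker, target, "UDP", RAMP_PORT, 1)]
    pkts += [Pkt(attacker, target, "TCP", port, 2) for port in range(1, 1025)]
    pkts += [Pkt("198.51.100.20", target, "TCP", 80, 118)] * 40   # client, TTL 128 start
    pkts += [Pkt("198.51.100.21", target, "TCP", 443, 52)] * 5    # client, TTL 64 start
    return pkts


def detect_firewalk(pkts: List[Pkt]) -> Dict[str, dict]:
    """Group low-TTL packets by (source, ttl); report sources that touch many
    ports at one TTL, noting whether a ramp-up probe was also seen."""
    ports: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    ramp_seen: Set[str] = set()
    for p in pkts:
        if p.ttl > LOW_TTL:
            continue
        if p.proto == "UDP" and p.dport == RAMP_PORT:
            ramp_seen.add(p.src)
        else:
            ports[(p.src, p.ttl)].add(p.dport)
    alerts: Dict[str, dict] = {}
    for (src, ttl), seen in ports.items():
        if len(seen) >= MIN_PORTS:
            alerts[src] = {
                "ttl": ttl,
                "ports": len(seen),
                "range": (min(seen), max(seen)),
                "ramp_up": src in ramp_seen,
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_firewalk(build_sample()).items():
        print(f"{src}: {info['ports']} ports {info['range']} at TTL {info['ttl']}, "
              f"ramp-up seen: {info['ramp_up']}")
```

This rule is specific to the low-TTL signature; a port sweep arriving with a normal TTL is not reported by it and needs an ordinary port-scan rule. The technique itself depends on the hop beyond the filter returning ICMP time-exceeded messages, so a filter that discards packets whose TTL would expire immediately behind it, or that does not forward those ICMP replies outward, leaves firewalk with nothing to read.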
VisualRoute
Social Engineering
Scanning
Techniques –
• Ping sweep
• TCP/UDP port scan
• Stealth scans
Tools –
• Nmap
• SuperScan
• Internet Toolkit
• Hping
• Grim’s Ping
Scanning
Scanning is the process by which the attacker performs bulk target assessment,
identifies listening services and locates possible points of ingress.
Types of scans include the following:
• Ping Sweep – Attempts to determine which hosts on a network are reachable.
Internet Toolkit
One of many similar tools available today, these toolkits are capable of performing simple ping, port and service scans.
SuperScan
• SuperScan is a scanning tool available free from Foundstone.
• In addition to its scanning ability, SuperScan incorporates an automated banner grabbing facility (banner grabbing will be discussed later).
HPing
• Firewall testing
• Remote OS fingerprinting
# hping2 --scan known 192.168.1.103
Grim’s Ping
A Weapon of Mass Distribution
Enumeration
Definition of Enumeration:
A mathematical set with a total ordering and no infinite descending chains. A total ordering "<=" satisfies x <= x; x <= y <= z => x <= z; x <= y <= x => x = y; and for all x, y, x <= y or y <= x. In addition, if a set W is well-ordered then all non-empty subsets A of W have a least element, i.e. there exists x in A such that for all y in A, x <= y.
Definition of Enumeration
Enumeration refers to the process by which the attacker makes use of more intrusive probing in order to identify resource shares, user accounts, operating systems and applications associated with the targeted network.
Techniques –
• List user accounts
• List file shares
• Application/OS identification
Tools –
• Telnet
• Netcat
• SuperScan
• NAT
• NMap
• p0f
• VisualRoute
Banner Grabbing
• This is accomplished by opening a telnet session to the service you wish to enumerate.
VisualRoute
• VisualRoute is capable of performing banner grab enumeration of targeted hosts.
• By directing traces at a specific port, useful information may be obtained.
p0f
• P0f is a passive OS fingerprinting tool.
• Runs in the background and sniffs traffic on the wire.
• The packet’s parameters are compared against fingerprint tables and the program makes a “best guess” regarding the OS type in real time.
OS Fingerprinting
OS Version      Platform     TTL     Window       DF  TOS
Free BSD 3.x    Intel        64      17520        Y   16
Open BSD 2.x    Intel        64      17520        N   16
Linux 2.2       Intel        64      32120        Y   0
Solaris 8       Intel/SPARC  64      24820        Y   0
Windows 9x/NT   Intel        32/128  5000-9000    Y   0
Windows 2000    Intel        128     17000-18000  Y   0
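The passive "best guess" that p0f makes, described on the previous slide, can be shown with the fingerprint table above. The following Python is an added example, not p0f's code: it transcribes the slide's six rows, recovers the sender's initial TTL from the observed one (each router decrements it by one, so the starting value is the next common initial TTL at or above what arrived) and scores every row against the fields read from one SYN. The scoring weights and the two constructed observations are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Signature:
    os: str
    platform: str
    initial_ttls: Tuple[int, ...]   # starting TTL(s) the stack uses
    window: Tuple[int, int]         # inclusive TCP window range
    df: bool                        # Don't Fragment bit set
    tos: int                        # Type of Service byte


# The slide's fingerprint table, transcribed row by row.
SIGNATURES = [
    Signature("Free BSD 3.x", "Intel", (64,), (17520, 17520), True, 16),
    Signature("Open BSD 2.x", "Intel", (64,), (17520, 17520), False, 16),
    Signature("Linux 2.2", "Intel", (64,), (32120, 32120), True, 0),
    Signature("Solaris 8", "Intel/SPARC", (64,), (24820, 24820), True, 0),
    Signature("Windows 9x/NT", "Intel", (32, 128), (5000, 9000), True, 0),
    Signature("Windows 2000", "Intel", (128,), (17000, 18000), True, 0),
]

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Observed:
    """Fields a sniffer reads from one SYN packet on the wire."""
    ttl: int
    window: int
    df: bool
    tos: int


def infer_initial_ttl(observed_ttl: int) -> int:
    """Each router decrements TTL by one, so the sender's starting value is the
    smallest common initial TTL that is not below what we observed."""
    for start in COMMON_INITIAL_TTLS:
        if observed_ttl <= start:
            return start
    return COMMON_INITIAL_TTLS[-1]


def estimate_hops(observed_ttl: int) -> int:
    return infer_initial_ttl(observed_ttl) - observed_ttl


def best_guess(obs: Observed) -> List[Tuple[str, int]]:
    """Score every signature against the observed packet and return (os, score)
    pairs, best first. Weights are an assumption of this example: TTL and
    window are the stronger signals (2 points each), DF and TOS weaker (1)."""
    start = infer_initial_ttl(obs.ttl)
    scored = []
    for sig in SIGNATURES:
        score = 0
        if start in sig.initial_ttls:
            score += 2
        if sig.window[0] <= obs.window <= sig.window[1]:
            score += 2
        if sig.df == obs.df:
            score += 1
        if sig.tos == obs.tos:
            score += 1
        scored.append((sig.os, score))
    # sorted() is stable, so ties keep the table's order
    return sorted(scored, key=lambda pair: -pair[1])


if __name__ == "__main__":
    # Constructed observations: a SYN 13 hops away with a BSD-looking window
    # and TOS, and one 12 hops away with the Windows 2000 window.
    for pkt in (Observed(51, 17520, True, 16), Observed(116, 17520, True, 0)):
        print(pkt, "->", best_guess(pkt)[:2], "hops:", estimate_hops(pkt.ttl))
```

The second observation is the instructive one: its window of 17520 matches the FreeBSD row as well as Windows 2000, and only the inferred initial TTL of 128 separates them, which is why a single field is never enough and why p0f combines several. Run on a span port, the same matching gives a defender a passive inventory of operating systems on the segment without sending a packet.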
Forensic Toolkits:
Helix
http://www.e-fense.com/helix/
Pen-Testing Toolkits:
KCPentrix
http://kcpentrix.net/
WHAX
ftp://ftp.belnet.be/packages/whoppix/whax-3.0-200705.iso
VICE -
WinDump/TCPDump – Pcap (sniffer) tools.
http://www.winpcap.org/windump
http://www.tcpdump.org/
Decompilers
REC Multi format binary decompiler
http://www.backerstreet.com/rec/rec.htm
CHM Encoder MS compiled HTML Help Format (CHM) decompiler
http://www.gridinsoft.com/chm.php
DJ Java Decompiler Java decompiler
http://mingw.org
http://www.metasploit.com
• Many InfoSec related titles are available from both the public and CIRT libraries.
• Deeply discounted computer books can be purchased at any “Computer Books for Less” outlet in the Ottawa area.
Words of Wisdom
“Know the enemy and know yourself and you need not fear the result of a hundred battles…”
Sun Tzu, Chinese General,
“The Art of War”, c. 500 B.C.E.
Questions?
Acknowledgments