Embed Size (px)
Citation preview
電腦攻擊與防禦
The Attack and Defense of Computers
Dr. 許 富 皓
Intelligence Gathering Techniques
Intelligence Gathering Techniques (IGT)
IGTs help an attacker to understand the characteristics and potential vulnerabilities of her/his targets.
Through intelligence gathering techniques an attacker can launch a more accurate and efficient attack to her/his targets.
IGT Steps
In the computer hacking world, intelligence gathering can be roughly divided into three major steps:
Footprinting
Scanning
Enumeration
Footprinting collect information to make a unique footprint or a profileof an organization security posture.With footprinting, using rather simple tools, we gather information such as:
Administrative, technical, and billing contacts, which include employee names, email addresses, and phone & fax numbers.IP address rangeDNS serversMail serversAnd we can also identify some of the systems that are directly connected to the Internet.
Scanning
The art of detecting which systems are alive and reachable via the Internet, and what services they offer, using techniques such as ping sweeps, port scans, and operating system identification (OS fingerprinting), is called scanning.
Information Collected by Scanning
The kind of information collected here has to do with the following:
TCP/UDP services running on each system identified.
System architecture (Sparc, Alpha, x86).
Specific IP addresses of systems reachable via the Internet.
Operating system type.
EnumerationEnumeration is the process of extracting valid accounts or exported resource names from systems. The information is gathered using active connections to systems and queries, which is more intrusive in nature than footprinting and scanning.
The techniques are mostly operating system specific, and can gather information such as:
User & group names.
System banners
Routing tables
SNMP information
Footprinting
Internet FootprintingThe fine art of gathering target information
Domain nameSpecific IP addresses of systems reachable via the Internet.TCP and UDP services running on each system identified.System architecture (e.g. , Sparc vs. x86)Access control mechanisms and related access control lists.Intrusion-detection systems (IDSs)System enumeration (user and group name, system banners, routing tables, and SNMP information)DNS hostnames
Where Can We Find The Information?
Company Web pages.Related organizations.Location details.Phone numbers, contact names, e-mail addresses, and personal details.Privacy or security policies, and technical details indicating the types of security mechanisms in place.Archived InformationSearch engines and resumes
Company Web PagesSome organizations will list their security configuration details directly on their Internet web servers.Trying reviewing the HTML source code.
What Info Can We Find in A Web Page Source Code (1)?
check the comment part: those parts included between <!- - and - - > .Using Wget (for Unix) and Teleport Pro (for Windows) you can mirror the entire web pages on a web server. Other sites with none-www prefix name.
Many organizations have sites to handle remote access to internal resources via a web browser:
• E.g. Through Microsoft’s Outlook Web Access, a person can access the contents stored in a Microsoft Exchange server, such as e-mails, address books, a calendar, public folders. Typical URL for this kind of resource is http://owa.company.com or http://outlook.company.com .
What Info Can We Find in A Web Page Source Code (2)?
Sites like http://vpn.company.com or http://www.company.com/vpn will often reveal sites designed to help end users connect to their companies’ VPNs. You can also find detailed instructions on how to download and configure the VPN client software. These sites may even include a phone number to call for assistance if someone (usually this person is supposed to be an employee, however, an attacker may also use this channel to connect the VPN) get troubles to connect to the VPN.
Related organizationsOther related organizations’ web site may also leak sensitive information about the target organization.
Phone numbers, contact names, e-mail addresses, and personal details
Contact names and e-mail addresses may reveal an organization’s employees name or account name.
E.g. If an organization has an employee named John Smith than it is very possible that some of the organization’s hosts’ has an account name jsmith, johnsmith or smithj and vice verse.
From an employee’s name, an attack may find her/his home phone number or home computer which probably has some sort of remote access to the target organization. A keystroke logger on an employee’s home machine or laptop may very well give a hacker a free ride to the organization’s inner hosts.
Search Engines and ResumesA lot of sensitive information could be obtained through a search engine by using appropriate searching key words.If an organization is posting for a security professional with five or more years’ experience work with CheckPoint firewalls and Snort IDS, then what kind of firewall and IDS do you think they use?.
Who is Managing
the Internet today?
Who is Managing the Internet today?
Core functions of the Internet are managed by a nonprofit organization named the Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org ).
Created in Oct. 1998, ICANN is assuming responsibility for a set of technical functions previously performed under U.S. government contract by the Internet Assigned Numbers Authority (IANA; http://www.iana.org ) and other groups.
• P.S.: In practice, IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN
Some of ICANN’s Major Functions
ICANN coordinates the assignment of the following identifiers that must be globally unique for the Internet to function:
Internet domain names.IP address numbers.Protocol parameters and port numbers.
ICANN also coordinates the stable operation of the Internet’s root DNS server system.
Three Special ICANN Suborganizations
Address Supporting Organization (ASO; http://www.aso.icann.org ).Generic Names Supporting Organization (GNSO; http://www.gnso.icann.org )Country Code Domain Name Supporting Organization (CCNSO; http://www.ccnso.icann.org )
ASOReviews and develops recommendations on IP address policy and advises the ICANN Board on these matters.Allocates IP address blocks to various Regional Internet Registries (RIRs).
A RIR’s responsibility is to manage, distribute, and register public Internet number resources within their respective regions.
RIRs allocate IPs to organizations, Internet service providers (ISPs), or, in some cases, National Internet Registries (NIRS) or Local Internet Registries (LIRS.)Taiwan’s Case:
Taiwan’s ISPs get their IPs from TWNIC:NIR of Taiwan: TWNIC http://www.twnic.net.tw/ip/ip_01.htmLIRs/ISPs List of Taiwan: http://www.twnic.net.tw/english/ip/ip_03.htm.
RIRCurrently there are five Regional Registries, four active and one in observer status.
APNIC ( http://www.apnic.net ) Asia-Pacific region.ARIN ( http://www.arin.net ) North and South America, sub-Sahara Africa regions.LACNIC ( http://www.lacnic.net ) Latin America and portions of the Caribbean RIPE ( http://www.ripe.net ) Europe, parts of Asia, Africa north of the equator, and the Middle East regions.AfriNIC ( http://www.afrinic.net, currently in ”observer status” )
RIR Summary
ASO – allocate IP address blocks to
the five RIRs – allocate IPs to
Organizations, ISPs, or NIRs, or LIRs.
Registry-Registrar-Registrant Model -- [Eduardo Sztokbant]
Registry-Registrar-Registrant Model
3 entities involved in Internet domain name registration within this model:
Registrant: final client, the one who wishes to register the domain name.Registry: the operators that maintain the list of available domain names within their extension.Registrar: interface between registry and registrant, may provide extra services to the latter one.
Relationship among the three Rs
While there can be several registrars that provide domain registration and related services for a same given TLD, there's necessairly only ONE authoritative repository responsible for this TLD.
GNSOReviews and develops recommendations on domain-name policy for all generic top-level domains (gTLDs) and advises the ICANN Board on these matters.
However, GNSO is not responsible fro domain-name registration, but rather is responsible for the generic top-level domains (for example, .com, .net, .edu, .org, and . info), which can be found at http://www.iana.org/gtld/gtld.htm .root name servers: http://www.gnso.icann.org/gtld-registries/
GNSO Summary
GNSO
TLDR for .edu ……TLD Registry TLDR for .orgTLDR for .com
Verisign Global Registry Service
Registrar A
MarkMointor Inc
Registrar XRegistrar…
Registrant e1 Registrant ep Registrant a1 Registrant aq Registrant x1.. ..Registrant
CCNSOReviews and develops recommendations on domain-name policy for all country-code top-level domains (ccTLDs) and advises the ICANN Board on these matters.
Again, ICANN does not handle domain-name registrations. The definitive list of country-code top-level domains can be found at http:// www.iana.org/cctld/cctld-whois.htm.tw domain name is managed by TWNIC: http://www.twnic.net.tw/dn/dn_01.htm http://rs.twnic.net.tw
CCNSO Summary
CCNSO
TLDR for .uk ……TLD Registry TLDR for .caTLDR for .tw
TWNIC
Registrar A
.edu.tw
MOE
Registrar Y
com.tw, .org.tw
.div.tw,.net.tw
台灣固網
Registrar…
school s1 School sp Registrant x1 Registrant xq Registrant y1.. ..Registrant
Registrar X
.com.tw, .org.tw
.div.tw,.net.tw
中華電信
Some Other Useful LinksIP v4 allocation: http://www.iana.org/assignments/ipv4-address-space .IP address services: http://www.iana.org/ipaddress/ip-addresses.htm .Special-use IP addresses: http://www.rfc-editor.org/rfc/rfc3330.txt .Registered port numbers: http://www.iana.org/assignments/port-numbers Registered protocol: http://www.iana.org/assignments/protocol-numbers .
WHOIS Servers
WHOIS Servers and Protocol
Essentially, the WHOIS is a database of contact information about domain name registrants. It is accessed through the websites of registrars or registries, as well as through technical means by the registrars and registries, themselves.
Methods to Store WHOIS Information
There are two ways that WHOIS information may be stored: Thick or Thin.
Thick Model
Thick model: one WHOIS server stores the WHOIS information from all the registrars for the particular set of data (so that one WHOIS server can respond with WHOIS information on all .org domains, for example).
Thin Model
Thin model: one WHOIS server stores the name of the WHOIS server of a registrar that has the full details on the data being looked up (such as the .com WHOIS servers, which refer the WHOIS query to the registrar that the domain was registered from).
Availability of WHOIS ServersThe WHOIS query syntax, type of permitted queries, available data, and the formatting of the results can vary widely from server to server.Many of the registrars are actively restricting queries to combat spammers, attackers, and resource overload.Information for .mil and .gov have been pulled from public view entirely due to national security concerns.Information for .edu.tw is not available in .tw domain registry—TWNIC ( http://rs.twnic.net.tw/ .)
Problems with WHOIS Servers
Privacy: Registrant’s contact details.
Spam.
Internationalization.
Lack of WHOIS server lists.
Domain-Related vs. IP-RelatedDomain-related items (such as osborne.com) are registerd separately from IP-related items (such as IP net-blocks).Therefore, we will have two different paths in our methodology for finding these details.
Domain - Related Search
Domain-Related SearchThe authoritative Registry for a given TLD, e.g. com, contains information about which registrar the target entity registered its domain with.By querying the appropriate Registrar, the Registrant details for the particular domain name can be found.The above steps are referred to as the “Three Rs” of WHOIS– Registry, Registrar, Registrant.
Exmaple for tsmc.comIANA Whois service
Result: Registry VeriSign Global Registry Services
VeriSign Global Registry Services Whois Service
Result: Registrar NETWORK SOLUTIONS, LLC.
NETWORK SOLUTIONS, LLC.Whois Service
Result: Registrant TSMC
keyword: com
keyword: tsmc.com
keyword: tsmc.com
Exmaple for uni-president.com.tw
keyword: tw
keyword: uni-president.com.tw
IANA Whois service
Result: Registry Taiwan Network Information Center (TWNIC)
Registrar Taiwan Network Information Center (TWNIC) Whois Service
Result: Registrant 統一企業股份有限公司
P.S.: TWNIC is also the Registrar of com.tw
One-Stop-Shopping for WHOIS Information
http://www.allwhois.com .http://www.uwhois.com .http://www.internic.net/whois.html .
TARNET-Related URLshttp://www.moe.gov.tw/
http://domain.edu.tw/index.html
IP-Related Search
IP-Related Search (1)The WHOIS server at ICANN (IANA) does not currently act as an authoritative registry for all the RIRs as it does for the TLDs, but each RIR does know which IP ranges it manage. This allows us to simply pick any one of them to start our search. If we pick the wrong one, it will tell us which one e need to go to.
IP-Related Search (2)You are interested in the IP address 140.115.50.80.
Try the WHOIS search at RIR ARIN’s web site.The result shows that the IP address is managed by RIR APNIC.Then go to RIR APNIC’s web site to search the same IP address.Here you are.
The above process can be followed to trace back any IP address in the world to its owner, or at least to a point of contact that may be willing to provide the remaining details. Laundered IP addresses: an attacker can also masquerade her/his true IPs.
IP-Related Search (3)We can also find out IP ranges and BGP autonomous system numbers that an organization “owns” by searching the RIR WHOSI servers for the organization’s literal name.
E.g. go to http://whois.apnic.net and type ncu.• TWNIC doesn’t provide detailed information; therefore no
detailed information are shown.
E.g. go to http://www.arin.net and type Google. • Useful information:
Administrative contact Administrators’ names: could be used to cheat gullible users to
change their passwords. Phone and fax number DNS names: could be used in DNS interrogation.
