
The Attack and Defense of Computers

Dr.
Intelligence Gathering Techniques
Intelligence Gathering Techniques (IGT)
IGTs help an attacker to understand the
characteristics and potential
vulnerabilities of her/his targets.
Through intelligence gathering
techniques an attacker can launch a
more accurate and efficient attack to
her/his targets.
IGT Steps
In the computer hacking world,
intelligence gathering can be roughly
divided into three major steps:
Footprinting
Scanning
Enumeration
Footprinting
Collect information to build a unique footprint, or profile, of an
organization's security posture.
With footprinting, using rather simple tools, we gather
information such as:
Administrative, technical, and billing contacts, which include
employee names, email addresses, and phone & fax numbers.
IP address range
DNS servers
Mail servers
And we can also identify some of the systems that are directly
connected to the Internet.
Scanning
The art of detecting which systems are alive
and reachable via the Internet, and what
services they offer, using techniques such as
ping sweeps, port scans, and operating
system identification (OS fingerprinting), is
called scanning.
Information Collected by Scanning
The kind of information collected here has
to do with the following:
TCP/UDP services running on each system
identified.
System architecture (Sparc, Alpha, x86).
Specific IP addresses of systems reachable via
the Internet.
Operating system type.
Enumeration
Enumeration is the process of extracting valid accounts or
exported resource names from systems. The information is
gathered using active connections to systems and queries,
which is more intrusive in nature than footprinting and
scanning.
The techniques are mostly operating system specific, and
can gather information such as:
User & group names.
System banners
Routing tables
SNMP information
Footprinting
Internet Footprinting
The fine art of gathering target information
Domain name
Specific IP addresses of systems reachable via the Internet.
TCP and UDP services running on each system identified.
System architecture (e.g., Sparc vs. x86)
Access control mechanisms and related access control lists.
Intrusion-detection systems (IDSs)
System enumeration (user and group name, system banners,
routing tables, and SNMP information)
DNS hostnames
Where Can We Find The Information?
Company Web pages.
Related organizations.
Location details.
Phone numbers, contact names, e-mail addresses, and
personal details.
Privacy or security policies, and technical details
indicating the types of security mechanisms in place.
Archived Information
Search engines and resumes
Company Web Pages
Some organizations will list their security configuration
details directly on their Internet web servers.
Try reviewing the HTML source code.
What Info Can We Find in A Web
Page Source Code (1)?
Check the comment sections: the parts enclosed between
<!-- and -->.
Using Wget (for Unix) or Teleport Pro (for Windows) you can
mirror all the web pages on a web server.
Other sites with a non-www prefix.
Many organizations have sites to handle remote access to
internal resources via a web browser:
E.g., through Microsoft's Outlook Web Access, a person can
access the contents stored in a Microsoft Exchange server, such as
e-mails, address books, a calendar, and public folders. Typical URLs for
this kind of resource are http://owa.company.com or
http://outlook.company.com.
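As an added example (not from the slides), the comment review and site mirroring described above done from the site owner's side: a small Python audit that parses mirrored HTML (e.g. Wget output) and lists the <!-- --> comments that mention keywords or IP addresses. The keyword list and the sample page are constructed assumptions, not real data.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Assumed patterns that make a leftover comment worth a second look
# (the slides only say to review the comment parts of the source).
SENSITIVE_RE = re.compile(
    r"(password|passwd|todo|fixme|internal|admin|"
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b)",  # keyword or dotted-quad IP address
    re.IGNORECASE,
)

class CommentCollector(HTMLParser):
    """Collect every <!-- ... --> comment together with its line number."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _col = self.getpos()  # position of the comment's opening <!--
        self.comments.append((line, data.strip()))

def extract_comments(html):
    p = CommentCollector()
    p.feed(html)
    p.close()
    return p.comments

def audit_html(html):
    """Return the (line, comment) pairs that match a sensitive pattern."""
    return [(ln, c) for ln, c in extract_comments(html) if SENSITIVE_RE.search(c)]

def audit_mirror(root):
    """Audit every .htm/.html file under a mirrored site directory."""
    findings = {}
    for path in Path(root).rglob("*.htm*"):
        hits = audit_html(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample page (not from any real site) so the audit runs offline.
SAMPLE_HTML = """<html><head><title>Portal</title></head>
<body>
<!-- TODO: remove before launch; test box is 10.0.0.5 -->
<p>Welcome</p>
<!-- (c) 2004 Example Corp -->
<!-- login: admin / password: changeme -->
</body></html>
"""
```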
What Info Can We Find in A Web
Page Source Code (2)?
Sites like http://vpn.company.com or
http://www.company.com/vpn will often reveal
sites designed to help end users connect to their
company's VPN. You can also find detailed
instructions on how to download and configure the
VPN client software. These sites may even
include a phone number to call for assistance if
someone gets into trouble connecting to the VPN
(usually this person is supposed to be an
employee; however, an attacker may also use this
channel to connect to the VPN).
Related organizations
Other related organizations' web sites may also leak
sensitive information about the target organization.
Phone numbers, contact names, e-mail
addresses, and personal details
Contact names and e-mail addresses may reveal an
organization's employee names or account names.
E.g., if an organization has an employee named John Smith,
then it is very possible that some of the organization's hosts
have an account named jsmith, johnsmith or smithj, and vice
versa.
From an employee's name, an attacker may find her/his
home phone number or home computer, which probably
has some sort of remote access to the target
organization. A keystroke logger on an employee's
home machine or laptop may very well give a hacker a
free ride to the organization's inner hosts.
Search Engines and Resumes
A lot of sensitive information can be obtained through
a search engine by using appropriate search keywords.
If an organization is posting for a security professional
with five or more years' experience working with
CheckPoint firewalls and Snort IDS, then what kind
of firewall and IDS do you think they use?
Who is Managing
the Internet today?
Who is Managing the Internet
today?
Core functions of the Internet are managed by a
nonprofit organization named the Internet Corporation
for Assigned Names and Numbers (ICANN;
http://www.icann.org ).
Created in Oct. 1998, ICANN is assuming responsibility for a
set of technical functions previously performed under U.S.
government contract by the Internet Assigned Numbers
Authority (IANA; http://www.iana.org) and other groups.
P.S.: In practice, IANA still handles much of the day-to-day
operations, but these will eventually be transitioned to ICANN.
Some of ICANN's Major Functions
ICANN coordinates the assignment of the following
identifiers that must be globally unique for the Internet to
function:
Internet domain names.
IP address numbers.
Protocol parameters and port numbers.
ICANN also coordinates the stable operation of the
Internet's root DNS server system.
Three Special ICANN Suborganizations
Address Supporting Organization (ASO;
http://www.aso.icann.org).
Generic Names Supporting Organization (GNSO;
http://www.gnso.icann.org).
Country Code Domain Name Supporting Organization
(CCNSO; http://www.ccnso.icann.org).
ASO
Reviews and develops recommendations on IP address policy and advises the
ICANN Board on these matters.
Allocates IP address blocks to various Regional Internet Registries (RIRs).
An RIR's responsibility is to manage, distribute, and register public Internet
number resources within its respective region.
RIRs allocate IPs to organizations, Internet service providers (ISPs), or, in
some cases, National Internet Registries (NIRs) or Local Internet Registries
(LIRs).
Taiwan's Case:
Taiwan's ISPs get their IPs from TWNIC:
NIR of Taiwan: TWNIC http://www.twnic.net.tw/ip/ip_01.htm
LIRs/ISPs List of Taiwan: http://www.twnic.net.tw/english/ip/ip_03.htm
RIR
Currently there are five Regional Registries, four active
and one in observer status.
APNIC (http://www.apnic.net): Asia-Pacific region.
ARIN (http://www.arin.net): North and South America, and
sub-Saharan Africa regions.
LACNIC (http://www.lacnic.net): Latin America and portions
of the Caribbean.
RIPE (http://www.ripe.net): Europe, parts of Asia, Africa north
of the equator, and the Middle East regions.
AfriNIC (http://www.afrinic.net; currently in observer status).
RIR Summary
The ASO allocates IP address blocks to the five RIRs; the RIRs
in turn allocate IPs to organizations, ISPs, NIRs, or LIRs.
Registry-Registrar-Registrant Model
-- [Eduardo Sztokbant]
Registry-Registrar-Registrant Model
3 entities involved in Internet domain name
registration within this model:
Registrant: final client, the one who wishes to
register the domain name.
Registry: the operators that maintain the list of
available domain names within their extension.
Registrar: interface between registry and
registrant, may provide extra services to the
latter one.
Relationship among the three Rs
While there can be several registrars that provide domain
registration and related services for the same TLD,
there is necessarily only ONE authoritative repository
responsible for this TLD.
GNSO
Reviews and develops recommendations on domain-name
policy for all generic top-level domains (gTLDs)
and advises the ICANN Board on these matters.
However, GNSO is not responsible for domain-name
registration, but rather is responsible for the generic top-level
domains (for example, .com, .net, .edu, .org, and .info),
which can be found at http://www.iana.org/gtld/gtld.htm.
gTLD registries: http://www.gnso.icann.org/gtld-registries/
GNSO Summary (diagram)
GNSO
TLD Registry: TLDR for .com (Verisign Global Registry Service), TLDR for .edu, TLDR for .org
Registrar: MarkMonitor Inc, Registrar A, Registrar X
Registrant: Registrant e1 .. Registrant ep, Registrant a1 .. Registrant aq, Registrant x1
CCNSO
Reviews and develops recommendations on domain-name
policy for all country-code top-level domains
(ccTLDs) and advises the ICANN Board on these
matters.
Again, ICANN does not handle domain-name registrations.
The definitive list of country-code top-level domains can be
found at http://www.iana.org/cctld/cctld-whois.htm
The .tw domain is managed by TWNIC:
http://www.twnic.net.tw/dn/dn_01.htm and
http://rs.twnic.net.tw
CCNSO Summary (diagram)
CCNSO
TLD Registry: TLDR for .tw (TWNIC), TLDR for .uk, TLDR for .ca
Registrar: MOE (.edu.tw); Registrar X and Registrar Y (.com.tw, .org.tw, .div.tw, .net.tw); Registrar A
Registrant: Registrant school s1 .. school sp; Registrant x1 .. Registrant xq; Registrant y1
Some Other Useful Links
IPv4 allocation:
http://www.iana.org/assignments/ipv4-address-space
IP address services:
http://www.iana.org/ipaddress/ip-addresses.htm
Special-use IP addresses:
http://www.rfc-editor.org/rfc/rfc3330.txt
Registered port numbers:
http://www.iana.org/assignments/port-numbers
Registered protocol numbers:
http://www.iana.org/assignments/protocol-numbers
WHOIS Servers
WHOIS Servers and Protocol
Essentially, WHOIS is a database of
contact information about domain name
registrants. It is accessed through the
websites of registrars or registries, as well
as through technical means by the registrars
and registries themselves.
Methods to Store WHOIS Information
There are two ways that WHOIS
information may be stored: Thick or Thin.
Thick Model
Thick model: one WHOIS server stores the
WHOIS information from all the registrars
for the particular set of data (so that one
WHOIS server can respond with WHOIS
information on all .org domains, for
example).
Thin Model
Thin model: one WHOIS server stores the
name of the WHOIS server of a registrar
that has the full details on the data being
looked up (such as the .com WHOIS
servers, which refer the WHOIS query to
the registrar that the domain was registered
from).
Availability of WHOIS Servers
The WHOIS query syntax, type of permitted queries,
available data, and the formatting of the results can vary
widely from server to server.
Many of the registrars are actively restricting queries to
combat spammers, attackers, and resource overload.
Information for .mil and .gov has been pulled
from public view entirely due to national security
concerns.
Information for .edu.tw is not available in the .tw
domain registry TWNIC (http://rs.twnic.net.tw/).
Problems with WHOIS Servers
Privacy: Registrants' contact details.
Spam.
Internationalization.
Lack of WHOIS server lists.
Domain-Related vs. IP-Related
Domain-related items (such as osborne.com)
are registered separately from IP-related items
(such as IP net-blocks).
Therefore, we will have two different paths in our
methodology for finding these details.
Domain - Related Search
Domain-Related Search
The authoritative Registry for a given TLD, e.g.
.com, contains information about which registrar
the target entity registered its domain with.
By querying the appropriate Registrar, the
Registrant details for the particular domain name
can be found.
The above steps are referred to as the Three Rs
of WHOIS: Registry, Registrar, Registrant.
Example for tsmc.com
IANA Whois service
keyword: com
Result: Registry VeriSign Global Registry Services
VeriSign Global Registry Services Whois Service
keyword: tsmc.com
Result: Registrar NETWORK SOLUTIONS, LLC.
NETWORK SOLUTIONS, LLC. Whois Service
keyword: tsmc.com
Result: Registrant TSMC
Example for uni-president.com.tw
IANA Whois service
keyword: tw
Result: Registry Taiwan Network Information Center (TWNIC)
Registrar Taiwan Network Information Center (TWNIC) Whois Service
keyword: uni-president.com.tw
Result: Registrant
P.S.: TWNIC is also the Registrar of com.tw


One-Stop-Shopping for WHOIS
Information
http://www.allwhois.com
http://www.uwhois.com
http://www.internic.net/whois.html
TARNET-Related URLs
http://www.moe.gov.tw/
http://domain.edu.tw/index.html
IP-Related Search
IP-Related Search (1)
The WHOIS server at ICANN (IANA) does not
currently act as an authoritative registry for all the
RIRs as it does for the TLDs, but each RIR does
know which IP ranges it manages. This allows us
to simply pick any one of them to start our search.
If we pick the wrong one, it will tell us which one
we need to go to.
IP-Related Search (2)
You are interested in the IP address 140.115.50.80.
Try the WHOIS search at the RIR ARIN's web site.
The result shows that the IP address is managed by
the RIR APNIC.
Then go to the RIR APNIC's web site to search the same
IP address.
Here you are.
The above process can be followed to trace back any IP
address in the world to its owner, or at least to a point of
contact that may be willing to provide the remaining
details.
Laundered IP addresses: an attacker can also disguise
her/his true IP address.
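As an added example (not from the slides), the two referral chases above in one small Python WHOIS client: the thin-model hop from the .com registry to the registrar (the tsmc.com walk-through) and the RIR-to-RIR hop from ARIN to APNIC for 140.115.50.80. The server names whois.verisign-grs.com and whois.arin.net, the referral field names, and the canned responses are assumptions I constructed so the chase runs offline; the network function is included for real lookups.

```python
import re
import socket

def whois_query(server, query, timeout=10):
    """RFC 3912 WHOIS: TCP port 43, send query + CRLF, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

# Thin-model referral lines: a TLD registry names the registrar holding the full
# record; an RIR names the RIR that really manages a netblock (field names assumed).
REFERRAL_RE = re.compile(
    r"^\s*(?:Registrar WHOIS Server|Whois Server|ReferralServer):\s*"
    r"(?:whois://)?([A-Za-z0-9.-]+)",
    re.IGNORECASE | re.MULTILINE,
)

def next_referral(response):
    """Return the WHOIS server a response refers to, or None (thick/final record)."""
    m = REFERRAL_RE.search(response)
    return m.group(1).lower() if m else None

def follow_referrals(start_server, query, lookup=whois_query, max_hops=4):
    """Chase Registry -> Registrar (or RIR -> RIR) referrals; return visited (server, response)."""
    hops, server, seen = [], start_server, set()
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)  # a server referring to itself ends the chase
        response = lookup(server, query)
        hops.append((server, response))
        server = next_referral(response)
    return hops

# Constructed responses (not real WHOIS output) so the chase runs offline.
FAKE_RESPONSES = {
    ("whois.verisign-grs.com", "example.com"):
        "Domain Name: EXAMPLE.COM\nRegistrar WHOIS Server: whois.registrar.example\n",
    ("whois.registrar.example", "example.com"):
        "Domain Name: example.com\nRegistrant Organization: Example Corp\n",
    ("whois.arin.net", "140.115.50.80"):
        "NetRange: 140.0.0.0 - 140.255.255.255\nReferralServer: whois://whois.apnic.net\n",
    ("whois.apnic.net", "140.115.50.80"):
        "inetnum: 140.115.0.0 - 140.115.255.255\nnetname: CONSTRUCTED-NET\n",
}

def fake_lookup(server, query):
    return FAKE_RESPONSES[(server, query)]
```

Pass `lookup=fake_lookup` to walk the canned chain; leave the default to query real servers over port 43.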
IP-Related Search (3)
We can also find out IP ranges and BGP autonomous
system numbers that an organization owns by searching
the RIR WHOIS servers for the organization's literal name.
E.g., go to http://whois.apnic.net and type ncu.
TWNIC doesn't provide detailed information, so no
detailed information is shown.
E.g., go to http://www.arin.net and type Google.
Useful information:
Administrative contact
Administrators' names: could be used to trick gullible users into
changing their passwords.
Phone and fax numbers
DNS names: could be used in DNS interrogation.
