Académique Documents
Professionnel Documents
Culture Documents
Dr.
Intelligence Gathering Techniques
Intelligence Gathering Techniques (IGT)
IGTs help an attacker to understand the
characteristics and potential
vulnerabilities of her/his targets.
Through intelligence gathering
techniques an attacker can launch a
more accurate and efficient attack to
her/his targets.
IGT Steps
In the computer hacking world,
intelligence gathering can be roughly
divided into three major steps:
Footprinting
Scanning
Enumeration
Footprinting
collect information to make a unique footprint or a profile
of an organization security posture.
With footprinting, using rather simple tools, we gather
information such as:
Administrative, technical, and billing contacts, which include
employee names, email addresses, and phone & fax numbers.
IP address range
DNS servers
Mail servers
And we can also identify some of the systems that are directly
connected to the Internet.
Scanning
The art of detecting which systems are alive
and reachable via the Internet, and what
services they offer, using techniques such as
ping sweeps, port scans, and operating
system identification (OS fingerprinting), is
called scanning.
Information Collected by Scanning
The kind of information collected here has
to do with the following:
TCP/UDP services running on each system
identified.
System architecture (Sparc, Alpha, x86).
Specific IP addresses of systems reachable via
the Internet.
Operating system type.
Enumeration
Enumeration is the process of extracting valid accounts or
exported resource names from systems. The information is
gathered using active connections to systems and queries,
which is more intrusive in nature than footprinting and
scanning.
The techniques are mostly operating system specific, and
can gather information such as:
User & group names.
System banners
Routing tables
SNMP information
Footprinting
Internet Footprinting
The fine art of gathering target information
Domain name
Specific IP addresses of systems reachable via the Internet.
TCP and UDP services running on each system identified.
System architecture (e.g. , Sparc vs. x86)
Access control mechanisms and related access control lists.
Intrusion-detection systems (IDSs)
System enumeration (user and group name, system banners,
routing tables, and SNMP information)
DNS hostnames
Where Can We Find The Information?
Company Web pages.
Related organizations.
Location details.
Phone numbers, contact names, e-mail addresses, and
personal details.
Privacy or security policies, and technical details
indicating the types of security mechanisms in place.
Archived Information
Search engines and resumes
Company Web Pages
Some organizations will list their security configuration
details directly on their Internet web servers.
Trying reviewing the HTML source code.
What Info Can We Find in A Web
Page Source Code (1)?
check the comment part: those parts included between
<!- - and - - > .
Using Wget (for Unix) and Teleport Pro (for
Windows) you can mirror the entire web pages on a
web server.
Other sites with none-www prefix name.
Many organizations have sites to handle remote access to
internal resources via a web browser:
E.g. Through Microsofts Outlook Web Access, a person can
access the contents stored in a Microsoft Exchange server, such as
e-mails, address books, a calendar, public folders. Typical URL for
this kind of resource is http://owa.company.com or http://
outlook.company.com .
What Info Can We Find in A Web
Page Source Code (2)?
Sites like http://vpn.company.com or
http://www.company.com/vpn will often reveal
sites designed to help end users connect to their
companies VPNs. You can also find detailed
instructions on how to download and configure the
VPN client software. These sites may even
include a phone number to call for assistance if
someone (usually this person is supposed to be an
employee, however, an attacker may also use this
channel to connect the VPN) get troubles to
connect to the VPN.
Related organizations
Other related organizations web site may also leak
sensitive information about the target organization.
Phone numbers, contact names, e-mail
addresses, and personal details
Contact names and e-mail addresses may reveal an
organizations employees name or account name.
E.g. If an organization has an employee named John Smith
than it is very possible that some of the organizations hosts
has an account name jsmith, johnsmith or smithj and vice
verse.
From an employees name, an attack may find her/his
home phone number or home computer which probably
has some sort of remote access to the target
organization. A keystroke logger on an employees
home machine or laptop may very well give a hacker a
free ride to the organizations inner hosts.
Search Engines and Resumes
A lot of sensitive information could be obtained through
a search engine by using appropriate searching key
words.
If an organization is posting for a security professional
with five or more years experience work with
CheckPoint firewalls and Snort IDS, then what kind
of firewall and IDS do you think they use?.
Who is Managing
the Internet today?
Who is Managing the Internet
today?
Core functions of the Internet are managed by a
nonprofit organization named the Internet Corporation
for Assigned Names and Numbers (ICANN;
http://www.icann.org ).
Created in Oct. 1998, ICANN is assuming responsibility for a
set of technical functions previously performed under U.S.
government contract by the Internet Assigned Numbers
Authority (IANA; http://www.iana.org ) and other groups.
P.S.: In practice, IANA still handles much of the day-to-day
operations, but these will eventually be transitioned to ICANN
Some of ICANNs Major Functions
ICANN coordinates the assignment of the following
identifiers that must be globally unique for the Internet to
function:
Internet domain names.
IP address numbers.
Protocol parameters and port numbers.
ICANN also coordinates the stable operation of the
Internets root DNS server system.
Three Special ICANN Suborganizations
Address Supporting Organization (ASO;
http://www.aso.icann.org ).
Generic Names Supporting Organization (GNSO;
http://www.gnso.icann.org )
Country Code Domain Name Supporting Organization
(CCNSO; http://www.ccnso.icann.org )
ASO
Reviews and develops recommendations on IP address policy and advises the
ICANN Board on these matters.
Allocates IP address blocks to various Regional Internet Registries (RIRs).
A RIRs responsibility is to manage, distribute, and register public Internet
number resources within their respective regions.
RIRs allocate IPs to organizations, Internet service providers (ISPs), or, in
some cases, National Internet Registries (NIRS) or Local Internet Registries
(LIRS.)
Taiwans Case:
Taiwans ISPs get their IPs from TWNIC:
NIR of Taiwan: TWNIC http://www.twnic.net.tw/ip/ip_01.htm
LIRs/ISPs List of Taiwan: http://www.twnic.net.tw/english/ip/ip_03.htm.
RIR
Currently there are five Regional Registries, four active
and one in observer status.
APNIC ( http://www.apnic.net ) Asia-Pacific region.
ARIN ( http://www.arin.net ) North and South America, sub-
Sahara Africa regions.
LACNIC ( http://www.lacnic.net ) Latin America and portions
of the Caribbean
RIPE ( http://www.ripe.net ) Europe, parts of Asia, Africa north
of the equator, and the Middle East regions.
AfriNIC ( http://www.afrinic.net, currently in observer status )
RIR Summary
ASO allocate IP address blocks to
the five RIRs allocate IPs to
Organizations, ISPs, or NIRs, or LIRs.
Registry-Registrar-Registrant Model
-- [Eduardo Sztokbant]
Registry-Registrar-Registrant Model
3 entities involved in Internet domain name
registration within this model:
Registrant: final client, the one who wishes to
register the domain name.
Registry: the operators that maintain the list of
available domain names within their extension.
Registrar: interface between registry and
registrant, may provide extra services to the
latter one.
Relationship among the three Rs
GNSO
CCNSO
Registrar X
Registrar A Registrar Y
Registrar
.edu.tw
.com.tw, .org.tw com.tw, .org.tw
.div.tw,.net.tw .div.tw,.net.tw
MOE
Result: Registrant