
Footprinting for security auditors

jmortegac
February 05, 2017


Transcript

  1. Footprinting for security auditors (Security track). Jose Manuel Ortega, @jmortegac

  2. Agenda • Information gathering • Footprinting tools • Port scanning with nmap • Nmap scripts

  3. Security auditing phases • Footprint analysis (whois, DNS lookup, search engines): analyze publicly available information. • Scanning (machines, ports, applications): set the scope of the attack and identify key targets. • Enumeration: check for vulnerabilities on each target resource. • Exploitation (buffer overflows, spoofing, password, rootkit): attack targets using a library of tools and techniques.
  4. Security track: Information gathering

  5. Information gathering • Footprinting (gather target information) ➔ names, addresses, system types, ... • Scanning (detect systems and services) ➔ response from network stack, applications, ... • Fingerprinting (identify topologies & systems) ➔ network layout, operating systems, services • Enumeration (collect access information) ➔ list of user accounts, share names, ... • Sniffing (collect network traffic) ➔ addresses, names, information (passwords, ...). The slide labels these steps on a scale from passive, through passive or active, to active.

  6. Footprinting • Identify locations, domain names, IP address ranges, e-mail addresses, dial-in phone numbers, systems used, administrator names, network topology. • Using public information. • Without a network or physical connection to the target.
  7. Security track: Tools

  8. Kali Linux

  9. Whois online tools • Get information about domains, IP addresses and DNS. • Identify the domain names and associated networks related to a particular organization. • https://www.whois.net/ • https://tools.whois.net/ • http://www.whois.com/whois • http://who.is • http://toolbar.netcraft.com/site_report • http://whois.domaintools.com/
  10. Netcraft • http://toolbar.netcraft.com/site_report/?url=fosdem.org

  11. Whois

  12. Whois command

  13. Host command • Get IPv4, IPv6 and mail server information for a name.

  14. Network tools • http://network-tools.com/

  15. Network tools • https://www.dnssniffer.com/networktools

  16. (image only)

  17. Robtex • Provides graphical information from DNS and Whois • https://www.robtex.com/dns-lookup/fosdem.org

  18. Robtex

  19. Nslookup • Query a DNS server in order to extract valuable information about the host machine. • Find names of machines through a domain/zone transfer. • nslookup -d ➔ list all associated records for the domain
  20. Dig / DNS resolver

  21. Dnsmap

  22. Dnsenum

  23. DnsRecon

  24. Zone transfer • How does one provide security against DNS interrogation? • Restrict zone transfers to authorized servers. • Set your firewall or router to deny all unauthorized inbound connections to TCP port 53. • The best practice for restricting zone transfers is to review the configuration file /etc/bind/named.conf.local.
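An offline version of that configuration review, as an added example (not the author's code): it parses a named.conf.local fragment and reports each zone's allow-transfer status. The sample config, the zone names and the TSIG key name xfer-key are constructed for the example.

```python
"""Flag BIND zones whose allow-transfer ACL lets anyone pull the zone (AXFR).
Added example for this deck, not the author's code: an offline check of the
/etc/bind/named.conf.local review the slide recommends."""
import re

XFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")
OPEN_TOKENS = {"any", "0.0.0.0/0", "::/0"}  # ACL entries meaning "everyone"

def _block_body(text, start):
    """Text between the '{' just before `start` and its matching '}'."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]

def _acl(body):
    """Tokens of the first allow-transfer { ...; } in body, or None if absent."""
    m = XFER_RE.search(body)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]

def audit_zone_transfers(conf_text):
    """Map each zone to 'open' (anyone may AXFR), 'restricted' (explicit
    address/key list, or none) or 'unset' (no ACL in the zone or in options{};
    older BIND releases treat that as 'any', so verify on the server)."""
    opts = re.search(r"options\s*\{", conf_text)
    global_acl = _acl(_block_body(conf_text, opts.end())) if opts else None
    report = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf_text):
        acl = _acl(_block_body(conf_text, m.end()))
        if acl is None:
            acl = global_acl
        if acl is None:
            report[m.group(1)] = "unset"
        elif OPEN_TOKENS & set(acl):
            report[m.group(1)] = "open"
        else:
            report[m.group(1)] = "restricted"
    return report
# Constructed sample: one zone wide open, one limited to a secondary plus a
# TSIG key, one relying on whatever the server's default happens to be.
SAMPLE_CONF = """
zone "example.test" { type master; file "/etc/bind/db.example"; allow-transfer { any; }; };
zone "corp.test" { type master; file "/etc/bind/db.corp"; allow-transfer { 192.0.2.53; key xfer-key; }; };
zone "lab.test" { type master; file "/etc/bind/db.lab"; };
"""
if __name__ == "__main__":
    for zone, status in audit_zone_transfers(SAMPLE_CONF).items():
        print(f"{zone:15} {status}")
```

Zones reported as "open" or "unset" are the ones to confirm with a transfer attempt from an unauthorized address on your own servers.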
  25. Zone transfer

  26. theHarvester • Catalogues email addresses and subdomains from a specific domain. • It works with all the major search engines, including Bing and Google. • The objective is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and the SHODAN computer database.

  27. theHarvester

  28. theHarvester

  29. Subdomains • https://api.hackertarget.com/hostsearch/?q=fosdem.org

  30. Maltego

  31. Maltego • Company Stalker (gathers email information) • Footprint L1 (basic information gathering) • Footprint L2 (moderate amount of information gathering) • Footprint L3 (intense and the most complete information gathering)

  32. Maltego

  33. Shodan

  34. Censys.io

  35. Mr Looquer

  36. Web robots • https://wordpress.com/robots.txt • https://wordpress.com/sitemap.xml

  37. Web Archive

  38. SpiderFoot

  39. SpiderFoot

  40. Scanning tools • Active footprinting • Number and type of open ports • Type of services running on the servers • Vulnerabilities of the services and software • Nmap is a great tool for discovering open ports, protocol numbers, OS details, firewall details, etc.

  41. Security track: NMAP

  42. Nmap port scanner • Unix-based port scanner • Support for different scanning techniques • Detects the operating system of remote hosts • Many configuration options: timing, scanned port range, scan method • Various front ends for easier handling

  43. Zenmap port scanner

  44. Zenmap port scanner

  45. Sparta

  46. Nmap whois

  47. Guessing the operating system • We can use the --osscan-guess option to force Nmap into discovering the OS.

  48. Banner grabbing: nmap -p80 -sV -sT fosdem.org
  49. Nmap Script Engine • Simple scripts to automate a wide variety of networking tasks • Written in the Lua programming language • Network discovery • Vulnerability detection • Backdoor detection • Vulnerability exploitation

  50. Nmap Script Engine: /usr/local/share/nmap/scripts

  51. Nmap Script Engine • https://github.com/cldrn/nmap-nse-scripts/tree/master/scripts

  52. Banner grabbing with an Nmap script: nmap --script banner fosdem.org
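The -sV scan on slide 48 and the banner script on slide 52 produce output an auditor still has to read through; this added example (not the author's code) loads nmap's -oX XML into a service inventory and lists the open ports where no product was identified. The host, ports and versions in the embedded XML are constructed, not a scan of fosdem.org.

```python
"""Turn `nmap -sV -oX` output into an inventory of open services and point out
ports the version probe could not identify. Added example for this deck, not
the author's code; the XML is a constructed sample in nmap's output format,
not a real scan of fosdem.org."""
import xml.etree.ElementTree as ET

def open_services(xml_text):
    """One dict per open port: host, port, proto, service, product, version."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") == "ipv4"), None)
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k: None)
            rows.append({"host": addr, "port": int(port.get("portid")),
                         "proto": port.get("protocol"), "service": get("name"),
                         "product": get("product"), "version": get("version")})
    return rows

def unversioned(rows):
    """Open ports where -sV returned no product string: candidates for a manual
    banner grab (nmap --script banner) before anything is reported as a finding."""
    return [r["port"] for r in rows if not r["product"]]

# Constructed sample output (nmap's -oX schema; the values are made up).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p22,80,3306,8080 -sV -sT 192.0.2.10">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="7.4p1"/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http" product="Apache httpd" version="2.4.10"/></port>
   <port protocol="tcp" portid="3306"><state state="filtered"/>
    <service name="mysql"/></port>
   <port protocol="tcp" portid="8080"><state state="open"/>
    <service name="http-proxy"/></port>
  </ports></host>
</nmaprun>"""

if __name__ == "__main__":
    rows = open_services(SAMPLE_XML)
    for r in rows:
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['service']} {r['product'] or '?'} {r['version'] or ''}")
    print("needs manual banner grab:", unversioned(rows))
```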
  53. http-enum script: nmap -v --script http-enum.nse fosdem.org

  54. mysql-databases: nmap -v -d -p3306 --script mysql-databases.nse --script-args='mysqluser=root' 192.168.100.8

  55. mysql-databases

  56. Find vulnerabilities with nmap • XSS / SQL injection ↘ nmap -p80 --script http-unsafe-output-escaping <target> ↘ http://svn.dd-wrt.com/browser/src/router/nmap/scripts/http-unsafe-output-escaping.nse?rev=28293 ↘ https://nmap.org/nsedoc/scripts/http-unsafe-output-escaping.html
  57. Security track: Vulnerability scanner

  58. (image only)

  59. Arachni vulnerability scanner

  60. Links & references • http://www.0daysecurity.com/penetration-testing/network-footprinting.html • http://nmap.org/nsedoc/ • https://secwiki.org/w/Nmap/External_Script_Library • https://nmap.org/book/man-os-detection.html • https://hackertarget.com/7-nmap-nse-scripts-recon/

  61. Books

  62. Security track: Thank you! Jose Manuel Ortega, @jmortegac