Footprinting for security auditors

jmortegac
February 05, 2017

Transcript

  1. Footprinting for security auditors
    Security track
    Jose Manuel Ortega
    @jmortegac

  2. Agenda
    • Information gathering
    • Footprinting tools
    • Port scanning with nmap
    • Nmap scripts

  3. Security auditing phases
    • Footprint analysis (whois, DNS lookup, search engines): analyze publicly available information; set the scope of the attack and identify key targets.
    • Scanning (machines, ports, applications) and enumeration: check for vulnerabilities on each target resource.
    • Exploitation (buffer overflows, spoofing, passwords, rootkits): attack targets using a library of tools and techniques.

  4. Security Track
    Information Gathering

  5. Information gathering
    Footprinting (gather target information)
    ➔ names, addresses, system types, ...
    Scanning (detect systems and services)
    ➔ response from network stack, applications, ...
    Fingerprinting (identify topologies & systems)
    ➔ network layout, operating systems, services
    Enumeration (collect access information)
    ➔ list of user accounts, share names, ...
    Sniffing (collect network traffic)
    ➔ addresses, names, information (passwords, ...)
    (The slide places these activities on a scale from passive at the top to active at the bottom.)

  6. Footprinting
    • Identify locations, domain names, IP address ranges, e-mail addresses, dial-in phone numbers, systems used, administrator names, network topology.
    • Using public information.
    • Without a network or physical connection to the target.

  7. Security Track
    Tools

  8. Kali Linux

  9. Whois Online Tools
    • Get information about domains, IP addresses, DNS
    • Identify the domain names and associated networks related to a particular organization
    • https://www.whois.net/
    • https://tools.whois.net/
    • http://www.whois.com/whois
    • http://who.is
    • http://toolbar.netcraft.com/site_report
    • http://whois.domaintools.com/

  10. Netcraft
    • http://toolbar.netcraft.com/site_report/?url=fosdem.org

  11. Whois

  12. Whois command

  13. Host command
    • Get IPv4 and IPv6 addresses and the mail server of a host

  14. Network tools
    • http://network-tools.com/

  15. Network tools
    • https://www.dnssniffer.com/networktools

  16. Footprinting for security auditors

  17. Robtex
    • Provides graphical information from DNS and Whois
    • https://www.robtex.com/dns-lookup/fosdem.org

  18. Robtex

  19. Nslookup
    • Query a DNS server in order to extract valuable information about the host machine.
    • Find the names of machines through a domain/zone transfer.
    • nslookup -d → list all associated records for the domain

  20. Dig / DNS resolver

  21. Dnsmap

  22. Dnsenum

  23. DnsRecon

  24. Zone Transfer
    • How does one provide security against DNS interrogation?
    • Restrict zone transfers to authorized servers.
    • Set your firewall or router to deny all unauthorized inbound connections to TCP port 53.
    • Best practice for restricting zone transfers is to review the configuration file /etc/bind/named.conf.local.

  25. Zone Transfer
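As a defender's check for the configuration file the slide points at, here is an added example (not code from the talk) that scans a BIND named.conf.local for zones whose allow-transfer clause is missing or set to any; the zone names and 192.0.2.x addresses in the embedded sample are constructed placeholders.

```python
# Added example (not from the slides): audit a BIND named.conf.local for zones
# whose zone transfers (AXFR) are not restricted to authorised secondaries.
# The configuration text is constructed for illustration; the zone names and
# the 192.0.2.x addresses are documentation placeholders.
import re

SAMPLE_NAMED_CONF_LOCAL = """
// weak: no allow-transfer clause, so BIND's default (any) applies
zone "example.org" {
    type master;
};
// weak: transfers explicitly open to everyone
zone "example.net" {
    type master;
    allow-transfer { any; };
};
// hardened: only the listed secondary servers may pull the zone
zone "example.com" {
    type master;
    allow-transfer { 192.0.2.53; 192.0.2.54; };
};
"""

# A zone block: its quoted name, then everything up to the "};" that closes it.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)^\};', re.S | re.M)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def audit_zone_transfers(conf_text):
    """Return {zone: finding}. A zone is flagged when it has no allow-transfer
    clause (BIND then falls back to any, unless the global options block
    restricts it) or when the clause contains 'any'. Caveat: this is a text
    scan, not BIND's parser; it ignores options {} blocks and named ACLs."""
    findings = {}
    for name, body in ZONE_RE.findall(conf_text):
        m = TRANSFER_RE.search(body)
        if m is None:
            findings[name] = "missing allow-transfer (defaults to any)"
            continue
        acl = [e.strip() for e in m.group(1).split(";") if e.strip()]
        if "any" in acl:
            findings[name] = "allow-transfer { any; }"
        else:
            findings[name] = "ok: restricted to " + ", ".join(acl)
    return findings


if __name__ == "__main__":
    for zone, finding in audit_zone_transfers(SAMPLE_NAMED_CONF_LOCAL).items():
        print(f"{zone}: {finding}")
```

Confirm any finding against the running server, since a global allow-transfer in the options block or an ACL name would not be seen by this text scan.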

  26. theHarvester
    • Catalogue e-mail addresses and subdomains from a specific domain.
    • It works with all the major search engines, including Bing and Google.
    • The objective is to gather e-mails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and the SHODAN computer database.

  27. theHarvester

  28. theHarvester

  29. Subdomains
    • https://api.hackertarget.com/hostsearch/?q=fosdem.org

  30. Maltego

  31. Maltego
    • Company Stalker (gathers e-mail information)
    • Footprint L1 (basic information gathering)
    • Footprint L2 (moderate amount of information gathering)
    • Footprint L3 (intense and the most complete information gathering)

  32. Maltego

  33. Shodan

  34. Censys.io

  35. Mr. Looquer

  36. Web robots
    • https://wordpress.com/robots.txt
    • https://wordpress.com/sitemap.xml

  37. Web Archive

  38. SpiderFoot

  39. SpiderFoot

  40. Scanning tools
    • Active footprinting
    • Number and type of open ports
    • Type of services running on the servers
    • Vulnerabilities of the services and software
    • Nmap is a great tool for discovering open ports, protocol numbers, OS details, firewall details, etc.

  41. Security Track
    NMAP

  42. Nmap Port Scanner
    • Unix-based port scanner
    • Support for different scanning techniques
    • Detects the operating system of remote hosts
    • Many configuration options
      - timing
      - scanned port range
      - scan method
    • Various front ends for easier handling

  43. Zenmap Port Scanner

  44. Zenmap Port Scanner

  45. Sparta

  46. Nmap whois

  47. Guessing the Operating System
    • We can use the --osscan-guess option to force Nmap into discovering the OS.

  48. Banner Grabbing
    nmap -p80 -sV -sT fosdem.org

  49. Nmap Script Engine
    • Simple scripts to automate a wide variety of networking tasks
    • Written in the Lua programming language
    • Network discovery
    • Vulnerability detection
    • Backdoor detection
    • Vulnerability exploitation

  50. Nmap Script Engine
    /usr/local/share/nmap/scripts

  51. Nmap Script Engine
    • https://github.com/cldrn/nmap-nse-scripts/tree/master/scripts

  52. Banner grabbing with nmap script
    nmap --script banner fosdem.org
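An added example (not code from the talk) that post-processes the banner-grabbing scans of slides 48 and 52: it parses the XML that nmap -oX writes and records, per open port, the -sV version string, the banner script output and whether nmap probed the service or only guessed its name from the port table. The embedded XML is constructed to resemble nmap output; 192.0.2.10 and www.example.org are placeholders, not a real scan.

```python
# Added example (not from the slides): read the XML that "nmap -sV --script banner -oX"
# writes and list the open services together with nmap's own evidence quality.
# The XML is constructed to look like nmap output; 192.0.2.10 and www.example.org
# are documentation placeholders, not a real scan result.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -p22,80,443 -sV --script banner -oX - www.example.org">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/>
<script id="banner" output="SSH-2.0-OpenSSH_7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.10.3" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
<service name="https" method="table" conf="3"/></port>
</ports></host></nmaprun>"""


def parse_open_services(xml_text):
    """Return one dict per open port. 'probed' is True only when the name came
    from a -sV probe (method="probed"); method="table" means nmap guessed it
    from the port number, so 'version' and 'banner' are the real evidence."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports give no service evidence
            svc = port.find("service")
            banner = port.find("script[@id='banner']")
            parts = [] if svc is None else [svc.get("product"), svc.get("version"), svc.get("extrainfo")]
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": None if svc is None else svc.get("name"),
                "version": " ".join(p for p in parts if p),
                "probed": svc is not None and svc.get("method") == "probed",
                "banner": None if banner is None else banner.get("output"),
            })
    return results


if __name__ == "__main__":
    for r in parse_open_services(SAMPLE_NMAP_XML):
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['service']} "
              f"{r['version']!r} probed={r['probed']} banner={r['banner']}")
```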

  53. http-enum script
    nmap -v --script http-enum.nse fosdem.org

  54. mysql-databases
    nmap -v -d -p3306 --script mysql-databases.nse --script-args='mysqluser=root' 192.168.100.8

  55. mysql-databases

  56. Find vulnerabilities with nmap
    • XSS / SQL Injection
    • nmap -p80 --script http-unsafe-output-escaping
    • http://svn.dd-wrt.com/browser/src/router/nmap/scripts/http-unsafe-output-escaping.nse?rev=28293
    • https://nmap.org/nsedoc/scripts/http-unsafe-output-escaping.html

  57. Security Track
    Vulnerability Scanner

  58. Footprinting for security auditors

  59. Arachni Vulnerability Scanner

  60. Links & References
    • http://www.0daysecurity.com/penetration-testing/network-footprinting.html
    • http://nmap.org/nsedoc/
    • https://secwiki.org/w/Nmap/External_Script_Library
    • https://nmap.org/book/man-os-detection.html
    • https://hackertarget.com/7-nmap-nse-scripts-recon/

  61. Books

  62. Security track
    Thank you!
    Jose Manuel Ortega
    @jmortegac