Footprinting / Packet Sniffing
Footprinting
Definition: the gathering of information about a potential target system or network
  Sometimes also called fingerprinting, although fingerprinting more precisely means identifying the OS or service version from how it responds
Attacker's point of view
  Identify potential target systems
  Identify which types of attacks may be useful on the target systems
Defender's point of view
  Know the available tools
  May be able to tell if a system is being footprinted, and so be better prepared for a possible attack
  Vulnerability analysis: know what information you are giving away and what weaknesses you have
Information to Gather
System (local or remote)
  IP address, name and domain
  Operating system
    Type (Windows, Linux, Solaris)
    Version (98/NT/2000/2003/XP, Red Hat, Fedora, SuSE, Ubuntu)
  Usernames
  File structure
  Open ports (what services/programs are running on the system)
  Physical proximity/location
Information to Gather (2)
Networks / enterprises
  System information for all hosts
  Network topology
    Gateways
    Firewalls
    Overall topology
  Network traffic information
  Specialized servers: web, database, FTP, email, etc.
Defender Perspective
Identify the information you are giving away
Identify weaknesses in your systems/network
Know when your systems/network are being probed
Identify the source of the probe
Develop awareness of the threat
Construct an audit trail of the activity
Tools – Linux (use “man” for help)
Linux tools - lower-level utilities
  Local system
    hostname
    ifconfig (replaced by ip addr on current distributions)
    who, last
  Remote systems
    ping
    traceroute (tracert on Windows)
    finger (also local system)
    nslookup, dig
    whois
    arp, netstat (also local system)
  Other tools
    lsof
Tools – Linux (2)
Other utilities
  ethereal/wireshark (packet sniffing)
  nmap (port scanning) - more later
Tools - Windows
Windows
  Sam Spade (collection of tools): whois, ping, IPBlock, dig, traceroute, finger, browse web, parse email headers, …
  ethereal (packet sniffer)
  Command-line tools: ipconfig
  Many others…
hostname
Determine the name of the current system
Usage: hostname
E.g. hostname
  localhost.localdomain    // default
E.g. hostname
  clics.cs.uwec.edu
ifconfig
Configure a network interface; run with no arguments it displays the current IP addresses of the host system
Usage: ifconfig
E.g. ifconfig    // command alone: display status
  eth0  Link encap: Ethernet  HWaddr 00:0C:29:CD:F6:D3
        inet addr: 192.168.172.128 . . .
  lo    Link encap: Local Loopback
        inet addr: 127.0.0.1 . . .
Note: the hardware address also gives something away - the 00:0C:29 prefix is assigned to VMware, so this host is a virtual machine
who
Basic tool to show the users logged in to the current system
Useful for identifying unusual activity (e.g. activity by newly created accounts or normally inactive accounts)
Usage: who
E.g. who
  root   tty1   Jan 9 12:46
  paul   tty2   Jan 9 12:52
last
Show the most recent logins on the system, read from the wtmp log
  Default: every record since the log file was last rotated
  -N (or -n N): only the last N records
Useful for identifying unusual activity in the recent past
Usage: last [-n]
E.g. last -3
  wagnerpj  pts/1  137.28.253.254    Sat Feb 5 15:40   still logged in
  flinstf   pts/0  137.28.191.74     Sat Feb 5 15:38   still logged in
  rubbleb   pts/0  c48.193.173.92.e  Sat Feb 5 14:38 - 15:25  (00:46)
Notes: the host column is truncated (c48.193.173.92.e); last -i prints the numeric address instead. wtmp is an ordinary file, so an intruder with root can edit what last reports
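The "identify unusual activity" idea from the who/last slides, as an added example (not from the original slides): a small shell filter over `last` output. The trusted network prefix 137.28. and the list of expected accounts are assumptions made for the demo; the first three sample records are the slide's own, the rest are constructed.

```shell
#!/bin/sh
# Added example (not from the original slides): scan `last` output for logins a
# defender should look at. Assumptions (hypothetical): the campus network is
# 137.28.0.0/16 and the expected accounts are those in KNOWN_USERS.
TRUSTED_PREFIX="137.28."
KNOWN_USERS="wagnerpj flinstf rubbleb root"

# Constructed sample in the format printed by `last`. The first three records
# are the slide's example; root, svc_tmp, paul and the trailer are made up.
SAMPLE_LAST='wagnerpj pts/1        137.28.253.254   Sat Feb  5 15:40   still logged in
flinstf  pts/0        137.28.191.74    Sat Feb  5 15:38   still logged in
rubbleb  pts/0        c48.193.173.92.e Sat Feb  5 14:38 - 15:25  (00:46)
root     pts/2        198.51.100.77    Sat Feb  5 03:12 - 03:40  (00:28)
svc_tmp  pts/3        203.0.113.9      Sat Feb  5 02:05 - 02:07  (00:02)
paul     tty2         Sat Feb  5 12:52   still logged in

wtmp begins Sat Feb  5 00:00:01 2005'

# flag_logins: reads `last` output on stdin and prints "user source reason(s)"
# for every record worth a closer look. Console logins (no host column) count
# as local and are not checked against the trusted prefix.
flag_logins() {
    awk -v prefix="$TRUSTED_PREFIX" -v known="$KNOWN_USERS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) is_known[k[i]] = 1 }
        /^$/ || /^wtmp begins/ || /^reboot / { next }
        {
            user = $1; src = $3; reasons = ""
            # a console login has no host column, so the day name lands in $3
            if (src ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) src = "console"
            # string-prefix match, not a real CIDR test: fine for a /16 on an octet boundary
            if (src != "console" && index(src, prefix) != 1)
                reasons = reasons "source outside trusted network;"
            if (!(user in is_known)) reasons = reasons "unexpected account;"
            if (user == "root" && src != "console") reasons = reasons "remote root login;"
            if (reasons != "") print user " " src " " reasons
        }'
}

# On a live system: last -i | flag_logins   (-i keeps the address numeric)
printf '%s\n' "$SAMPLE_LAST" | flag_logins
```

The filter is deliberately simple: it does not know working hours or normal source hosts per user, which is the next thing a real audit script would add, and it trusts wtmp, which the notes above say an intruder with root can rewrite.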
ping
Potential uses
  Is the system online? (through the response)
  Gather name information (through DNS)
  Estimate relative physical location (based on the RTT, round-trip time, in the summary statistics; RTT reflects the network path, not straight-line distance)
  Identify the operating system (based on the TTL, time to live, printed on each reply line)
    TTL = number of hops the packet is allowed to travel; every router decrements it by one
    The TTL you see is the target's initial TTL minus the number of hops back to you
    64 is the Linux default, 128 is the Windows default, 255 is used by Solaris and many routers (but all of these can be changed!)
    E.g. a reply with ttl=52 most likely came from a Linux host about 12 hops away
Notes
  Uses ICMP echo request/reply packets
  Often blocked on many hosts and firewalls, so no reply does not prove the host is down
Usage: ping system
E.g. ping ftp.redhat.com
E.g. ping localhost
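The TTL reasoning on the ping slide, as an added example (not from the original slides): a shell helper that takes a ping reply line, picks the nearest common initial TTL above the observed value, and reports the OS family and hop estimate. The reply lines below are constructed in Linux ping's output format; the mapping 64/128/255 is the one the slide gives and is only a hint, since any administrator can change the default.

```shell
#!/bin/sh
# Added example (not from the original slides): infer a likely OS family and
# hop distance from the TTL in a ping reply. Assumption: the target uses one
# of the common initial TTLs (64, 128, 255). Treat the answer as a hint only.

# Constructed sample replies (not a real capture), in Linux ping format.
SAMPLE_REPLIES='64 bytes from 192.0.2.10: icmp_seq=1 ttl=52 time=14.2 ms
64 bytes from 192.0.2.20: icmp_seq=1 ttl=116 time=21.7 ms
64 bytes from 192.0.2.30: icmp_seq=1 ttl=241 time=9.3 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms'

# ttl_guess TTL -> "FAMILY initial=N hops=M"
# The initial TTL is the smallest common default that is >= the observed TTL;
# the difference between the two is the number of routers the reply crossed.
ttl_guess() {
    ttl=$1
    if [ "$ttl" -le 64 ]; then
        initial=64; family="Linux/Unix"
    elif [ "$ttl" -le 128 ]; then
        initial=128; family="Windows"
    else
        initial=255; family="Solaris/network-device"
    fi
    echo "$family initial=$initial hops=$((initial - ttl))"
}

# guess_from_reply "ping reply line" -> "IP: FAMILY initial=N hops=M"
guess_from_reply() {
    line=$1
    ip=$(printf '%s\n' "$line" | sed -n 's/^.*from \([^:]*\):.*$/\1/p')
    ttl=$(printf '%s\n' "$line" | sed -n 's/^.*ttl=\([0-9]*\).*$/\1/p')
    [ -n "$ttl" ] || { echo "no ttl field in: $line"; return 1; }
    echo "$ip: $(ttl_guess "$ttl")"
}

# On a live system: ping -c 3 host | grep 'ttl=' | while IFS= read -r l; do guess_from_reply "$l"; done
printf '%s\n' "$SAMPLE_REPLIES" | while IFS= read -r line; do
    guess_from_reply "$line"
done
```

A TTL of exactly 64 or 128 means zero hops, i.e. the reply came from the local machine or the same link; a value like 241 says the 255-class initial TTL is the only one that fits, which is why routers and Solaris hosts stand out in ping output. Cross-check the hop estimate against traceroute before trusting it.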
traceroute
Potential uses
  Determine the physical location of a machine (the router names along the path often encode a city, e.g. chi-edge-08 for Chicago)
  Gather network information (gateway, other internal systems)
  Find the system that is dropping your packets - evidence of a firewall
Notes
  Works by sending probes with increasing TTL and recording which router returns the ICMP time-exceeded message for each hop
  Can use UDP (the Linux traceroute default) or ICMP echo (Windows tracert, or traceroute -I); TCP probes (traceroute -T) sometimes get through where the others are filtered
  Results often limited by firewalls; a hop printed as * * * may just be a router that does not answer, so only a run of silent hops all the way to the target suggests filtering
  Several GUI-based traceroute utilities available
Usage: traceroute system
E.g. traceroute cs.umn.edu
traceroute example
[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
[wagnerpj@data ~]$
Replies stop after hop 3 (the WiscNet core router): something beyond it drops the probes or their ICMP replies, the target is never reached, and the run was interrupted (otherwise traceroute keeps printing * * * up to the 30-hop limit)
traceroute example - success
H:\>tracert www.google.com
Tracing route to www.google.akadns.net [64.233.167.99]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
 10    16 ms    16 ms    18 ms  216.239.46.10
 11    21 ms    19 ms    17 ms  64.233.175.30
 12    18 ms    16 ms    16 ms  64.233.167.99
Trace complete.
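The two traceroute outcomes shown on the example slides (probes silenced after hop 3 versus a trace that reaches its target), as an added example that is not part of the original slides: a shell function that reads Linux traceroute output and says which case it is looking at. The sample reuses the slide's trace to cs.umn.edu, extended with two constructed silent hops; it does not parse the Windows tracert column layout.

```shell
#!/bin/sh
# Added example (not from the original slides): classify Linux traceroute
# output as "target reached", "replies stop after hop N" (the slide's firewall
# evidence), or "ended without reaching the target". Windows tracert prints
# the columns in a different order and is not handled here.

# Constructed sample: the slide's trace to cs.umn.edu, with hops 5 and 6
# made up for this demo to show a run of silent hops.
SAMPLE_TRACE='traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
 5  * * *
 6  * * *'

# trace_verdict: reads traceroute output on stdin, prints one of
#   reached IP at hop N
#   no replies after hop N HOST (IP) (K silent hops): filtering likely
#   trace ended at hop N HOST (IP) without reaching IP
trace_verdict() {
    awk '
        # header "traceroute to NAME (IP), ..." -> remember the target IP
        /^traceroute to / {
            sub(/^traceroute to [^(]*\(/, ""); sub(/\).*$/, ""); target = $0; next
        }
        # hop lines start with the hop number; "*" in column 2 means no reply
        /^ *[0-9]+ / {
            if ($2 == "*") { silent++; next }
            # an answering hop resets the count: a lone silent hop is usually
            # a router that rate-limits ICMP, not a filter
            silent = 0; last_hop = $1; last_host = $2 " " $3
            ip = $3; gsub(/[()]/, "", ip)
            if (ip == target) reached = 1
        }
        END {
            if (reached) print "reached " target " at hop " last_hop
            else if (silent > 0) print "no replies after hop " last_hop " " last_host " (" silent " silent hops): filtering likely"
            else print "trace ended at hop " last_hop " " last_host " without reaching " target
        }'
}

# On a live system: traceroute cs.umn.edu | trace_verdict
printf '%s\n' "$SAMPLE_TRACE" | trace_verdict
```

"Filtering likely" names the last router that answered, which is the slide's evidence of a firewall somewhere past it; repeating the trace with traceroute -I or -T before drawing conclusions is worthwhile, because a filter that drops UDP probes often passes one of the other types.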
finger
Potential uses
  Collect usernames
  Determine if a user is currently logged in
Notes
  Often blocked (port 79/tcp), and few modern systems run a finger daemon at all
Usage: finger localuser, finger @system, or finger remoteuser@system
E.g. finger chidanan    (user on the local system)
E.g. finger @csse.rose-hulman.edu    (all users on the remote system)
E.g. finger chidanan@csse.rose-hulman.edu    (user on the remote system)
whois
Potential uses
  Queries NICNAME/WHOIS servers for Internet registration information
  Can gather contacts, names, geographic information, name servers, … - useful for social engineering attacks
Notes
  Which registry answers depends on the top-level domain; whois -h server domain asks a specific server
Usage: whois domain
E.g. whois netcom.com
whois example - basic
Domain Name: UWEC.EDU
Registrant:
  University of Wisconsin - Eau Claire
  105 Garfield Avenue
  Eau Claire, WI 54702-4004
  UNITED STATES
Contacts:
  Administrative Contact:
    Computing and Networking Services
    105 Garfield Ave
    Eau Claire, WI 54701
    UNITED STATES
    (715) 836-5711
    networking@uwec.edu
Name Servers:
  TOMATO.UWEC.EDU   137.28.1.17
  LETTUCE.UWEC.EDU  137.28.1.18
  BACON.UWEC.EDU    137.28.5.194
whois example - wildcards
whois uw%.edu
Your search has matched multiple domains. Below are the domains you matched (up to 100).
For specific information on one of these domains, please search on that domain.
  UW.EDU
  UWA.EDU
  UWB.EDU
  UWC.EDU
  UWEC.EDU
  UWEST.EDU
  UWEX.EDU
  ….
Comments