Ethical Hacking - Reconnaissance
By Nic Maurel

What is Ethical Hacking?

Why Ethical Hacking?

What do companies aim to protect?
 The CIA triad: Confidentiality, Integrity and Availability (balancing Security against Usability)

What kind of tests do we do on the "Target of Evaluation"?
 - Black Box Test
 - White Box Test
 - Grey Box Test

 1 - Pre-Assessment
 2 - Assessment Phase
 3 - Post Assessment

Types of Ethical Hackers
 - Whitehat Hackers
 - Blackhat Hackers
 - Greyhat Hackers

Who are we up against?
 - Phreakers
 - Script kiddies
 - Disgruntled Employees
 - Cyber Terrorists / Hacktivists
 - Software Crackers/Hackers
 - System Crackers/Hackers
 - Whackers

Historical Hackers
 - John Draper - AKA "Captain Crunch"
 - Kevin Mitnick - first hacker to hit the FBI wanted list
 - Vladimir Levin - siphoned off large amounts of money from Citibank
 - Jonathan James - first juvenile hacker to be arrested, at age 16
 - Adrian Lamo - broke into the New York Times and Microsoft

Scope of Attack for TOE
 - Insider Attack
 - Outside Attack
 - Stolen Equipment Attack
 - Physical Entry
 - Bypass authentication
 - Social Engineering

Hacker Methodology
 - Reconnaissance (passive and active scanning)
 - Scanning and Enumeration
 - Gaining Access
 - Privilege Escalation
 - Maintaining Access
 - Covering Tracks (placing backdoors)

Reconnaissance - Casing the Joint
 Search the fine web (STFW):
 - Google - the hacker's big gun
   - Google cached copies
   - site:www.test.co.za
   - insite:www.test.co.za
   - "this report was generated by nessus" filetype:xls
   - inurl:search-text
   - link:www.test.co.za
   - intitle:Welcome to IIS4.0
 - Search the company website - view the source code
 - Job boards, user groups and forums
 - EDGAR Database - www.sec.gov
 - www.archive.org
 - Whois - Registrar information
   - ARIN - www.arin.net - North/South America and Sub-Saharan Africa
   - APNIC - www.apnic.net - Asia Pacific
   - RIPE - www.ripe.net - Europe, Middle East
   - LACNIC - www.lacnic.net - Latin America and Caribbean
   - AfriNIC - planned to support Africa

Tools
 - www.samspade.org
 - Whois client - Linux
 - www.dnsstuff.com
 - www.allwhois.com
 - www.ipaddresslocation.org

DNS Interrogation
 - Search for SOA, A, MX, SRV, CNAME and PTR records.
 - nslookup www.test.co.za
 - nslookup 192.168.0.3
 - Use the address to find network ranges with whois
 - Look up the addresses below and above, e.g. 192.168.0.2 and 192.168.0.4
 - dig -t ANY test.co.za
 - Try zone transfers
 - Look for common names, e.g. smtp, pop, pop3, imap, proxy, server, mail, dbn, durban.
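A defender reviewing their own DNS footprint can parse the dig output from the steps above to see exactly what an outsider learns: which record types answer, whether the nameserver hands out the whole zone on AXFR, and which of the common service names resolve publicly. This is an added Python example, not part of the deck; the dig output embedded in it is constructed, and test.co.za is the deck's placeholder domain.

```python
import re
from collections import defaultdict

# Service labels the deck lists as worth looking for; a defender checks which resolve publicly.
COMMON_NAMES = {"smtp", "pop", "pop3", "imap", "proxy", "server", "mail", "dbn", "durban"}

# Constructed sample outputs in the format dig prints (not real zone data).
ANY_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> -t ANY test.co.za
;; ANSWER SECTION:
test.co.za.           3600    IN      SOA     ns1.test.co.za. hostmaster.test.co.za. 2024010101 7200 3600 1209600 3600
test.co.za.           3600    IN      NS      ns1.test.co.za.
test.co.za.           3600    IN      MX      10 mail.test.co.za.
test.co.za.           3600    IN      A       192.0.2.10
"""
AXFR_LEAK = """\
; <<>> DiG 9.16.1 <<>> AXFR test.co.za @ns1.test.co.za
test.co.za.           3600    IN      SOA     ns1.test.co.za. hostmaster.test.co.za. 2024010101 7200 3600 1209600 3600
mail.test.co.za.      3600    IN      A       192.0.2.25
proxy.test.co.za.     3600    IN      A       192.0.2.30
www.test.co.za.       3600    IN      CNAME   test.co.za.
test.co.za.           3600    IN      SOA     ns1.test.co.za. hostmaster.test.co.za. 2024010101 7200 3600 1209600 3600
"""
AXFR_DENIED = "; <<>> DiG 9.16.1 <<>> AXFR test.co.za @ns1.test.co.za\n; Transfer failed.\n"
RR_RE = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

def parse_records(dig_output):
    """Return {rtype: [(owner, ttl, rdata), ...]} from dig's resource record lines."""
    records = defaultdict(list)
    for line in dig_output.splitlines():
        m = RR_RE.match(line)
        if line.startswith(";") or not m:
            continue  # dig's comment, status and blank lines carry no records
        owner, ttl, rtype, rdata = m.groups()
        records[rtype].append((owner, int(ttl), rdata.strip()))
    return dict(records)

def zone_transfer_allowed(axfr_output):
    """True if the AXFR answer carried records; dig prints 'Transfer failed.' when refused."""
    return "Transfer failed" not in axfr_output and bool(parse_records(axfr_output))

def exposed_service_hosts(records):
    """Owner names whose leftmost label is a common service name, i.e. publicly resolvable services."""
    hosts = {owner for rrs in records.values() for owner, _ttl, _rdata in rrs
             if owner.split(".")[0].lower() in COMMON_NAMES}
    return sorted(hosts)

if __name__ == "__main__":
    print(zone_transfer_allowed(AXFR_LEAK), exposed_service_hosts(parse_records(AXFR_LEAK)))
```

If zone_transfer_allowed returns True against your own authoritative server, restrict AXFR to your secondaries; each name returned by exposed_service_hosts is one an outsider can enumerate without any scanning.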