Reconnaissance: finding as much information about the target as possible before launching the first attack packet

Reconnaissance techniques
  Low tech methods
  General web searches
  Whois databases
  DNS

Low tech methods
  Social Engineering
  Physical Break-In
  Dumpster Diving

Social Engineering
  Finding a pretext to obtain privileged information or services
  Defense
    User awareness

Physical Break-In
  Methods
    Walking past unlocked doors into the data center
    Piggybacking behind a legitimate employee
  Defense
    Security badges
    Track computers leaving the premises
    Physically lock down servers
    Use locks on cabinets containing sensitive information
    Use automatic password-protected screen savers
    Encrypt stored files

Dumpster Diving
  Retrieving sensitive information from trash
  Defense
    Paper shredder

General web searches
  Searching an organization's own web site
  Using search engines
  Listen in at the virtual watering hole: USENET

Searching an organization's own web site: what it reveals
  Employees' contact information and phone numbers
  Clues about the corporate culture and language
  Business partners
  Recent mergers and acquisitions
  Server and application platforms in use

Using search engines
  Conduct searches based on the organization name, product names, and employee names
  Retrieve information about the history, current events, and future plans of the target organization
  Search for links to the target organization via "link:www.companyname.com" in a search engine

USENET
  Posting of questions by employees to technical newsgroups
  Google newsgroup archive web search engine at http://groups.google.com

Defense
  Security by obscurity
  Security policy regarding posting of sensitive information on web sites, newsgroups, and mailing lists

Whois databases
  Contain information regarding the assignment of Internet addresses, domain names, and individual contacts
  Internet Corporation for Assigned Names and Numbers (ICANN)
  Complete list of accredited registrars available at www.internic.net/alpha.html
  InterNIC's whois database available at www.internic.net/whois.html
  Whois database for organizations outside the United States available at the ALLwhois web site
  Whois database for U.S. military organizations available at whois.nic.mil
  Whois database for U.S. government agencies available at whois.nic.gov
  Network Solutions whois database

Information obtained from whois
  Names (administrative, technical, billing contacts)
    Used for social engineering attacks
  Telephone numbers
    Used in war-dialing attacks
  Email addresses
    Format of email addresses, e.g. First.last@abc.com
  Postal address
    Used in dumpster diving
  Name servers
    DNS servers

Regional IP address registries
  North/South America: American Registry for Internet Numbers (ARIN)
  Europe: RIPE NCC
  Asia: Asia Pacific Network Information Center (APNIC)

DNS record types
  Address (A) record
    Maps a domain name to a specific IP address
    E.g. www IN A 130.182.3.1
  Host Information (HINFO) record
    Describes the host type associated with a host name
    E.g. www IN HINFO Solaris8
  Mail Exchange (MX) record
    Identifies a mail system accepting mail for the given domain
    E.g. calstatela.edu MX 10 mars
  Name Server (NS) record
    Identifies the DNS servers of a domain
    E.g. calstatela.edu IN NS eagle
  Text (TXT) record
    Used for comments
    E.g. serverx IN TXT "this system contains sensitive info"
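The record forms above are what a zone-file audit has to parse, and the DNS defense advice later in the outline is to keep HINFO and TXT records out of a zone that outsiders can query. The script below is an added example written for this outline, not code from the original slides: it parses lines in the "name [TTL] [IN] TYPE rdata" layout shown above (quoted TXT strings and ";" comments included) and reports the HINFO and TXT records. The sample zone, the hostnames and the "Sun Ultra" CPU field are constructed for the example.

```python
"""Audit a zone file for records that disclose host details.

Added example for this outline (not code from the original slides). It
parses the record forms listed above (A, HINFO, MX, NS and TXT in the
'name [TTL] [IN] TYPE rdata' layout) and reports the HINFO and TXT
records that the DNS defense advice says to leave out of a public zone.
The sample zone at the bottom is constructed for this example.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Record types whose rdata describes the host to anyone who can query it.
DISCLOSING_TYPES = {"HINFO", "TXT"}
KNOWN_TYPES = {"A", "AAAA", "CNAME", "HINFO", "MX", "NS", "PTR", "SOA", "TXT"}


@dataclass
class Record:
    name: str
    rtype: str
    rdata: List[str]


def _fields(line: str) -> List[str]:
    """Split a zone-file line into fields, keeping quoted TXT strings whole
    (quotes stripped) and discarding everything after a ';' comment."""
    lex = shlex.shlex(line, posix=True)
    lex.commenters = ";"
    lex.whitespace_split = True
    return list(lex)


def parse_zone_line(line: str) -> Optional[Record]:
    """Parse one line such as 'www IN A 130.182.3.1'.

    TTL and class (IN) are optional, so 'calstatela.edu MX 10 mars'
    also parses. Blank and comment-only lines return None.
    """
    fields = _fields(line)
    if not fields:
        return None
    name, rest = fields[0], fields[1:]
    if rest and rest[0].isdigit():          # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() == "IN":    # optional class
        rest = rest[1:]
    if not rest or rest[0].upper() not in KNOWN_TYPES:
        raise ValueError(f"unrecognised record: {line!r}")
    return Record(name, rest[0].upper(), rest[1:])


def parse_zone(text: str) -> List[Record]:
    """Parse every record in a zone-file text, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        rec = parse_zone_line(line)
        if rec is not None:
            records.append(rec)
    return records


def disclosing_records(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Return (name, type, rdata) for the records a public zone should not carry."""
    return [(r.name, r.rtype, " ".join(r.rdata))
            for r in records if r.rtype in DISCLOSING_TYPES]


# Constructed sample zone using the record forms from the outline.
SAMPLE_ZONE = """\
; constructed sample zone for this example
www             IN A     130.182.3.1
www             IN HINFO "Sun Ultra" "Solaris8"   ; HINFO carries CPU and OS fields
calstatela.edu     MX    10 mars
calstatela.edu  IN NS    eagle
serverx         IN TXT   "this system contains sensitive info"
"""


def audit(text: str = SAMPLE_ZONE) -> List[Tuple[str, str, str]]:
    """Parse the zone and list the records that leak host information."""
    return disclosing_records(parse_zone(text))


if __name__ == "__main__":
    for name, rtype, data in audit():
        print(f"{rtype:<5} {name}: {data}")
```

Run against a real zone file the same check flags the two HINFO/TXT lines of the sample; pointing it at the zone files of every public-facing server is a quick way to confirm the "no HINFO or TXT" rule before the zone is published.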

DNS interrogation tools
  host
  dig tool for Unix
  Advanced Dig tool for MS Windows
  nslookup
  Zone transfer, e.g. with nslookup:
    nslookup
    server 130.182.1.1
    set type=any
    ls -d calstatela.edu

DNS defense
  Do not include HINFO or TXT records
  Restrict zone transfers to secondary DNS servers only
    "allow-transfer" directive or "xfernets" in BIND
  Configure the firewall or external router to allow access to TCP port 53 only from the secondary DNS servers
    No restriction on UDP port 53
  Split-Horizon DNS

Split-Horizon DNS
  Internal users can resolve both internal and external names
  External users can only access external names
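The two BIND defenses above (restricting zone transfers and split-horizon DNS) fit in one named.conf. The fragment below is an added example written for this outline, not configuration from the original slides: the zone name example.edu, the address ranges and the ACL names are constructed placeholders. It shows the weak "allow-transfer { any; }" form for contrast, then a default of no transfers, and two views so that internal clients see the full zone while everyone else sees only the public names.

```conf
// Added example for this outline, not configuration from the original
// slides. A BIND named.conf fragment applying two of the defenses above:
// zone transfers limited to the secondaries, and split-horizon views.
// Zone name, addresses and ACL names are constructed placeholders.

acl "internal-nets"   { 130.182.0.0/16; 127.0.0.1; };   // constructed internal range
acl "int-secondaries" { 130.182.1.2; };                  // constructed internal secondary
acl "ext-secondaries" { 198.51.100.2; };                 // constructed public secondary

options {
    directory "/var/named";
    allow-transfer { none; };      // default for every zone: no transfer unless a zone allows it
};

// Weak form of the zone statement, shown for contrast: any host that can
// reach TCP/53 may pull the whole zone with a zone transfer.
//
// zone "example.edu" {
//     type master;
//     file "db.example.edu";
//     allow-transfer { any; };
// };

// Split horizon. Views are matched in order, so the internal view must
// come first; once any view exists, every zone must live inside a view.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                              // internal users resolve external names too
    zone "example.edu" {
        type master;
        file "db.example.edu.internal";         // internal and public hosts
        allow-transfer { "int-secondaries"; };
    };
};

view "external" {
    match-clients { any; };                     // everyone not matched above
    recursion no;                               // external users only get our own names
    zone "example.edu" {
        type master;
        file "db.example.edu.external";         // public hosts only; no HINFO or TXT records
        allow-transfer { "ext-secondaries"; };
    };
};
```

Check the syntax with named-checkconf before reloading, then verify from an address outside the secondaries ACL that a transfer request is refused (BIND logs the refusal, which is also a useful detection signal). One caveat on the firewall advice above: TCP port 53 is also used for ordinary queries whose answers are too large for UDP, so limiting TCP/53 at the router to the secondaries only can break those lookups; the allow-transfer setting in BIND is the control to rely on, with the packet filter as a second layer.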

Sam Spade
  Ping
  Whois
  IP Block Whois
  Nslookup
  Dig
  DNS Zone Transfer
  Traceroute
  Finger
  SMTP VRFY
  Web browser
Other tools
  CyberKit
  NetScan Tools
  iNetTools

Web-based tools
  nettool.false.net
  www.samspade.org
  members.tripod.com/mixtersecurity/evil.html
  www.network-tools.com
  www.cotse.com/refs.htm
  suicide.netfarmers.net
  www.jtan.com/resources/winnuke.html
  www.securityspace.com
  crypto.yashy.com
  www.grc.com/x/ne.dll?bh0bkyd2
  privacy.net/analyze
  www.webtrends.net/tools/sercurity/scan.asp
  www.doshelp.com/dostest.htm
  www.dslreports.com/r3/dsl/secureme