Classes/Logs/2012/September/17/02-03
From NetSec
02:04 <+foo> we'll be spinning up networking mapping here in 5min
02:04 <+foo> *network
02:04 <~hatter> get me dem logz
02:04 <+foo> working on it.
02:07 <+foo> http://pastebin.com/9udApQq9
02:07 * corvus is just too damn slow
02:07 <~hatter> foo: logs posted
02:07 <~hatter> you're up when you're ready
02:07 <+foo> 3min
02:09 -!- shades [[email protected]] has joined #CSIII
02:10 < corvus> holy night of classes!! glad I am around tonight or this morning, whatever it is
02:10 < rory> ^
02:10 <@zzzzzZZZZzzz[m3n]> this _week_
02:10 <@zzzzzZZZZzzz[m3n]> tell your friends
02:10 <~hatter> again guys
02:10 <+foo> Good evening and welcome to Network Mapping
02:10 <~hatter> check out http://blackhatlibrary.net/Current:Classes if you haven't
02:10 < shades> hey
02:11 < shades> I just came up hella hard guys
02:11 < shades> what's up hatter?
02:11 < shades> I made it back alive from the burn
02:11 <~hatter> hi shades
02:11 <~hatter> awesome
02:11 <@zzzzzZZZZzzz[m3n]> CSIII Hellweek.
02:11 <~hatter> Wasn't sure where ya'd been
02:11 <~hatter> good job
02:11 <~hatter> Yep
02:11 <~hatter> Exactly what this is - CSIII hellweek
02:11 <~hatter> lol
02:11 <@zzzzzZZZZzzz[m3n]> See if you can keep up~!
02:11 < XiX> hey foo is doing a tutorial now on network mapping?
02:11 <+foo> XiX: yup.
02:11 < shades> yes, I unplugged for the most amazing life changing experience ever
02:11 < XiX> ok cool
02:12 -!- x3tan_ [[email protected]] has joined #CSIII
02:13 <+foo> we're going to discuss using OSINT to find information about a network without touching it and follow up with some network protocol overview (including OSI model, TCP and UDP) and move into using nmap as a network mapping tool and whatever other tools we have time for
02:13 <+foo> starting out, there is a wealth of information available about internet connected networks that doesn't require probing for a response
02:14 <+foo> the most common tool that people use is Google for identifying internet facing domains, for example searching for site:reddit.com will show all of the pages google has found
02:14 < shades> is anyone familiar with TiHKAL The Continuation?
02:15 -!- mode/#csiii [+h foo] by hatter
02:15 -!- mode/#csiii [+m] by hatter
02:15 <~hatter> foo: proceed :)
02:15 <~hatter> lol
02:15 <%foo> danke.
02:15 <%foo> another tool Shodan will show you routers found on the internet
02:15 -!- x3tan [[email protected]] has quit [Ping timeout]
02:15 -!- hatter changed the topic of #CSIII to: www.blackhatacademy.net || blackhatlibrary.net || you MUST register to speak here || Classes are in session: http://blackhatlibrary.net/Current:Classes
02:15 <@zzzzzZZZZzzz[m3n]> Shodan is the shit
02:16 <%foo> http://www.shodanhq.com/ has a ton of information, while we're going through this tutorial load it up in your browser
02:16 <%foo> it doesn't just include routers, but servers as well
02:16 <%foo> http://www.shodanhq.com/search?q=microsoft
02:17 <@zzzzzZZZZzzz[m3n]> ^ $.$
02:17 <%foo> other tools such as whois and ARIN can help you find information as well
02:18 <%foo> http://whois.arin.net/ui
02:18 <%foo> for example: http://whois.arin.net/rest/customer/C00006676
02:18 <%foo> that record includes links to an IP block of Microsoft http://whois.arin.net/rest/net/NET-206-71-119-0-1.html
02:19 -!- hatter changed the topic of #CSIII to: www.blackhatacademy.net || blackhatlibrary.net || you MUST register to speak here || Class in session: http://blackhatlibrary.net/Current:Classes || Non-class discussion: #recess
02:19 <@zzzzzZZZZzzz[m3n]> http://www.shodanhq.com/search?q=Server%3A+SQ-WEBCAM
02:19 <%foo> ^^^
02:20 -!- hatter changed the topic of #CSIII to: www.blackhatacademy.net || blackhatlibrary.net || you MUST register to speak here || Class in session: http://blackhatlibrary.net/Current:Classes || Non-class discussion: #recess-iii
02:20 <%foo> the services that organizations offer up may not have DNS entries but still be internet accessible
02:20 <@zzzzzZZZZzzz[m3n]> I might do a class later on the 15 minute shodan botnet sometime near the end of the week.
02:20 <@zzzzzZZZZzzz[m3n]> *wink wink*
02:21 <%foo> :-)
02:21 <%foo> other useful sources of information include job postings
02:21 <%foo> such as at indeed.com
02:21 <%foo> http://www.indeed.com/jobs?q=firewall&l=
02:21 <@zzzzzZZZZzzz[m3n]> employee portals here^
02:22 <@zzzzzZZZZzzz[m3n]> ?
02:22 <%foo> that, as well as specific firewall technologies
02:22 <%foo> checkpoint, pix, asa, iptables
02:22 <@zzzzzZZZZzzz[m3n]> I see.
02:22 <%foo> but yes, employee portals as well
02:23 <%foo> maltego is another great tool for finding information about the perimeter of networks
02:23 <%foo> http://www.paterva.com/
02:23 <%foo> not only can you find references to ip blocks
02:24 <%foo> but you can search social media, DNS, WHOIS, ARIN and other sources of information
02:24 <%foo> matching physical address to IP block
02:24 <%foo> it makes it much easier to identify data centers
02:26 <%foo> robtex.com, domaintools.com and the public looking glass points make for good public information without even touching the target: http://www.traceroute.org/
02:26 -!- Andres|cuevana [[email protected]] has joined #CSIII
02:26 <%foo> once you've mapped the OSINT, it becomes time to start putting that information to use
02:27 -!- mode/#csiii [+b *!*[email protected]] by hatter
02:27 <%foo> based on what we've discussed so far you should have been able to identify: public facing routers and hosts, ip blocks registered via ARIN, dns servers, www servers and have a good idea of the external network footprint
02:27 * foo waits for the +b to be /kick'ed
02:28 <%foo> nevermind.
02:29 <%foo> now putting that information to use can happen in several different ways
02:29 <%foo> you can scour google for additional records
02:29 <%foo> make network maps with Free Mind
02:29 <%foo> http://freemind.sourceforge.net/wiki/index.php/Main_Page
02:30 <%foo> I find mapping out a network with freemind makes keeping track of the interconnections much easier than a spreadsheet
02:31 -!- Andres|cuevana [[email protected]] has left #CSIII []
02:31 <%foo> now, before we start busting out our network toolkit we should talk about protocols
02:31 -!- Apollo [[email protected]] has joined #CSIII
02:31 <%foo> the OSI model exists for a reason
02:31 <@zzzzzZZZZzzz[m3n]> So yeah I feel I should mention (despite it being in the topic) that there is #recess-III for extracurricular chats (since we are going into constant class mode, and students like to pass notes (we don't mind))
02:32 <~hatter> yeah foo, there is a reason for the OSI model
02:32 <~hatter> +1
02:32 <~hatter> Pay attention to this part guys
02:33 <%foo> https://en.wikipedia.org/wiki/OSI_model and http://2.bp.blogspot.com/-YAXxMzovtJY/TddbzZ26vBI/AAAAAAAAECM/17kqnUulnRc/s1600/OSI-TCP-Comparison.jpg
02:33 <%foo> sorry I don't have a better OSI TCP Comparison handy
02:33 <%foo> the OSI Model is important because it gives you a reference for anything network related
02:33 <%foo> at the very bottom you have the physical layer, layer 1
02:34 <%foo> the physical layer can consist of copper, fiber, pigeon, EM waves or even water
02:34 <%foo> you can fit things like water and pigeon in there because the layer above, the datalink layer, doesn't care.
02:35 <%foo> https://tools.ietf.org/rfc/rfc1149.txt A Standard for the Transmission of IP Datagrams on Avian Carriers
02:36 <%foo> http://boingboing.net/2002/12/28/ip-over-h2o.html
02:36 <%foo> there is a better ip over h2o link but I don't have it handy
02:36 <%foo> someone is welcome to go find that for me :-)
02:36 <~hatter> lol
02:36 <%foo> the layer above, layer 2 is the datalink layer
02:37 <%foo> your datalink layer gives your data, a link. the orange and green blinky lights that we all know and love.
02:38 <%foo> these data links include switches, ethernet ports, gbic's, and coaxial modems
02:39 <%foo> this is your ethernet layer, your layer of MAC addresses
02:39 <%foo> in a VPN scenario, this is tap0 for what it means
02:39 <%foo> your MAC addresses allow your bits to flow along the local segment of your network
02:40 <%foo> these are not (traditionally) shared outside of your local network segment, which is typically defined by the termination point at a switch
02:40 <%foo> your switches send packets to their destination based on matching up an IP address to a MAC address on the local network.
02:41 <%foo> hubs and spanning ports do this for all traffic
02:41 <%foo> in order to convert IPs to MAC addresses, we use arp
02:42 <%foo> corvus: thank you for this excellent link of ip over h2o: http://www.mee.tcd.ie/~bruckerj/projects/streamingmedia
02:42 <%foo> or H2O/IP
02:42 <%foo> on your local systems, run arp -a
02:42 <%foo> and look at your connections
02:43 <%foo> ? (192.168.2.1) at 0:24:a5:df:37:c8 on en0 ifscope [ethernet]
02:43 <%foo> ? (192.168.2.10) at 34:8:4:70:94:89 on en0 ifscope [ethernet]
02:43 <%foo> ? (192.168.2.42) at 0:24:1d:70:59:66 on en0 ifscope [ethernet]
02:43 <%foo> ? (192.168.2.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
02:44 <%foo> as you can see, the local network IP addresses are mapped by interface to a specific MAC address
02:46 <%foo> some packet capture examples of these: http://chrissanders.org/packet-captures/
02:46 <%foo> so far, our first two layers map from the OSI model of Physical and Data Link to the TCP/IP model of "Network Interface"
02:47 <%foo> the Network Layer, Layer 3 in OSI and "Internet" layer in the TCP/IP model is where we start working with IP and the routing of packets
02:47 <%foo> the IP layer is defined by RFC 791, https://www.ietf.org/rfc/rfc791.txt
02:48 <%foo> I wonder how horribly this will paste:
02:48 <%foo> Figure 4 from the link to rfc791.txt
02:48 <%foo>  0                   1                   2                   3
02:48 <%foo>  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
02:48 <%foo> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo> |Version|  IHL  |Type of Service|          Total Length         |
02:48 <%foo> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo> |         Identification        |Flags|      Fragment Offset    |
02:48 <%foo> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo> |  Time to Live |    Protocol   |         Header Checksum       |
02:48 <%foo> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo> |                       Source Address                          |
02:48 <%foo> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo> |                    Destination Address                        |
02:48 <%foo> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo> |                    Options                    |    Padding    |
02:48 <%foo> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:49 <%foo> obama-notbad.jpg
02:49 <@zzzzzZZZZzzz[m3n]> lol
02:49 <%foo> for our purposes, you need to be familiar with the source address and destination address
02:50 <%foo> time to live is also important, as is protocol for that matter
02:50 <@zzzzzZZZZzzz[m3n]> http://i.imgur.com/wAzbK.jpg
02:50 <%foo> they're all important
02:50 <%foo> ^^^
02:51 <%foo> hrm, I'm going to run out of time.
02:51 <%foo> moving on to tcp and udp
02:51 <@zzzzzZZZZzzz[m3n]> Get the next available slot?
02:51 -!- x3tan_ is now known as x3tan
02:52 <~hatter> oh foo you got
02:52 <~hatter> 10 minutes or 15 minutes
02:52 <~hatter> still
02:52 <%foo> yeah, I'll continue after rorschach
02:52 <~hatter> :)
02:52 <~hatter> ok
02:53 <%foo> so, to wrap up the TCP/IP portion before we get to network mapping with nmap, https://tools.ietf.org/html/rfc1180 is the TCP/IP tutorial
02:54 <~hatter> (also someone get me logs
02:54 <~hatter> )
02:54 <@rorschach> foo, if you want to keep going on OSI, I'm doing a homework assignment right now
02:54 <@rorschach> almost done but you could be a good stall :p
02:54 <%foo> rorschach: alright, perfect.
02:54 <%foo> SO, TCP and UDP ARE COOL
02:54 < Apollo> If you don't mind me jumping the gun a bit. Do you use a custom profile in nmap or stick to the default defined ones?
02:55 <%foo> Apollo: that depends on the network I'm mapping, in most cases I find the defaults very well tuned
02:55 <%foo> Apollo: if I start getting rst's or icmp-host-unavailable I may modify the profile
02:55 < shades> won't nmap not tell you much if you're behind a switch?
02:55 <%foo> or if it is an ongoing scan, I'll scale back the port checks a bit
02:56 -!- d4rch0n [[email protected]] has joined #CSIII
02:56 < shades> unless you do some arp poisoning or something?
02:56 <%foo> shades: from where?
02:56 < shades> your network segment
02:56 < Apollo> The only thing I typically add is the fin scan. was curious how others do it
02:56 <%foo> shades: one question at a time.
02:57 < shades> ok
02:57 <%foo> re: behind a switch, switches don't filter packets typically (more advanced ones do, but that's not what we're talking about) so they won't be restricting your information
02:57 <%foo> now each router in between you and the host will change the traffic slightly, namely decrementing the TTL (Time To Live)
02:58 <%foo> if you're scanning from the internet and are trying to hit hosts behind a firewall you need to adjust your
02:59 < shades> ah I was not thinking of scanning from the cloud to behind someone's firewall. I was thinking of scanning from the inside
02:59 <%foo> scanning from the inside can be impacted by VLANs and other access control methods
03:00 < shades> well it sounds like you're near where I'm staying
03:00 <%foo> in those cases, you need to be familiar with how VLAN IDs work
03:00 < shades> wrong window
03:00 < shades> ok sounds like we're getting side tracked and we haven't even fired up nmap yet
03:01 <~hatter> shades: there will be a part 2 in an hour or so
03:01 < Apollo> Correct me if I'm wrong but nmap should ignore vlans. the router that routes between the vlans may have some filtering technique applied but a different vlan is a different subnet.