(7 intermediate revisions by 3 users not shown) |
Line 1: |
Line 1: |
− | {{cleanup}}
| + | #REDIRECT: [[:Category:Information gathering]] |
− | | + | |
− | Network surveillance is one of the beginning phases to any attack. There are tools that are publicly available, such as [[nmap]], however, it is important to understand ''how'' these tools work to utilize their true effectiveness.
| + | |
− | | + | |
− | Understanding the basics of [[IP address|IP addressing]] and [[subnetting]] is essential. If [[IP address|IP addressing]] and [[subnetting]] is new information, it may be beneficial to start with [[Assembly_Basics#Counting|hexadecimal]].
| + | |
− | | + | |
− | =IP Addressing=
| + | |
− | An IP address is a numerical value assigned to devices on the Internet, similar to a phone number. Their are two versions in use today, IPv4 and IPv6.
| + | |
− | | + | |
− | An IPv4 address is 32 bits, or four bytes. A [[Byte|byte]] can have a maximum value of 256, therefore, an IPv4 address's octet can only range from 0 to 255, and because there are four bytes, an IPv4 address consists of four octets. Typically, IP addresses reserve the '0' value for the network address and '255' for the broadcast address, therefore, a system typically will not end in 0 or 255. There are also other addressing schemes that are reserved for various reasons, such as:
| + | |
− | | + | |
− | 127.*.*.* - This is reserved in RFC 1918 for the localhost, or loopback address. If you ever do anything to an IP address starting in 127, you will be performing these actions to your local machine.
| + | |
− | | + | |
− | 192.168.*.* - This is reserved in RFC 1918 for the local network. If you come across this IP addressing scheme, it is not an external, or public, IP address, but more likely an internal, or local IP. The subnet mask is typically 255.255.255.0 when using this scheme, however, it is not required.
| + | |
− | | + | |
− | 172.*.*.* - This is reserved in RFC 1918 for the same reasons as the 192.168.*.* addressing scheme. The subnet mask is typically 255.255.0.0 when using this scheme, however, it is not required.
| + | |
− | | + | |
− | 10.*.*.* - Same as above
| + | |
− | | + | |
− | 169.254.*.* - 169.254.*.* is reserved for APIPA addresses, or Automatic Private IP Addressing, typically found in Windows when a network connection is not found and/or the DHCP server is failing to lease an IP to the computer.
| + | |
− | | + | |
− | =Ports=
| + | |
− | Any computer with an IP address has up to 65355 ports. A port is kind of like a phone line, and an IP address is kind of like an address. The [[HTTP]] protocol, for example, runs on port 80 on the [[server]]. So, when you go to a site (e.g.) google.com, first your web browser looks up google.com's [[IP address]] using a service called [[DNS]] (dynamic name server) and then connects to that [[IP address]] on port 80. The reason for the DNS service is that computers talk to each other through [[IP address|IP addresses]] and domain names e.g. google.com are an easier way for us humans to remember how to get from place to place.
| + | |
− | | + | |
− | =Routing=
| + | |
− | Any computer on the internet has something called a '[[gateway]]' or 'border [[router]]'. This router is the upstream router that connects it and its peers to the rest of the internet. By compromizing this router, attackers are able to monitor traffic between the target host and the rest of the internet, kind of like a phone bug. The act of monitoring traffic in such a way is called sniffing.
| + | |
− | | + | |
− | =Theory=
| + | |
− | The important things to an attacker when first running surveillance are going to be the open ports and the network information and the upstream router, from a technical standpoint. [[Password]] wordlists can be made from content within the target site, assuming there is one, as well as any information that can be gleaned about any employees.
| + | |
− | | + | |
− | In order to determine the border router, we'll use a utility called [[traceroute]]. On windows the command is `tracert' and on [[linux]] the command is `traceroute'. This command-line tool allows you to follow your traffic from your own machine to another host. Sometimes the remote host has network-layer attempts to prevent the traceroute from completing. There are methods to evade this as well.
| + | |
− | | + | |
− | Alternatively, you can use the traceroute engine here on our free services page. I recommend using tracert with the -d flag on windows since it will avoid hostname lookups (making it run faster). If [[ICMP]]/[[UDP]] traceroute seems to be ineffective, you can use a [[TCP traceroute]]. When tracerouting a web [[server]], you can trace to [[TCP]] port 80; and when tracerouting a [[DNS]] server, you can trace to UDP port 53. Many times methods like this are used when there is no other choice. You will always be able to identify the border [[router]] (and potentially a [[firewall]]) because it will be the next-to-last hop before the target host.
| + | |
− | | + | |
− | For port scanning, which scans for open ports on a system, the [[nmap]] utility is virtually unparralelled. While you can write your own port scanner, nmap has every option anyone could think of already. No point in re-inventing the wheel. Nmap is available from nmap.org, or, you can use the port scan on our free services page.
| + | |
− | | + | |
− | Lastly, we'll go over obtaining additional network information. Additional network information, such as mailserver information and DNS information can be utilized in an attack as well. By running a `[[whois]]' on the target domain, you can obtain the DNS server addresses as well as the domain's registrar. Using the linux command line utility called `[[dig]]', you can obtain [[DNS#MX_Record|MX records]] (dig -t MX domain.tld), which will point you in the direction of the mailserver.
| + | |
− | | + | |
− | You can type any of the commands in this tutorial by themselves on the correct operating system and they should appropriately greet you with some sort of help screen indicating the different options and their uses.
| + | |
− | | + | |
− | =Tools=
| + | |
− | | + | |
− | [http://blackhatacademy.org/free-services.php Free Services]
| + | |
− | | + | |
− | As far as what tools to use, [[nikto]] and [[nmap]] are good for [[web applications|web application]] and [[server]] scanning, respectively. Some common strings (with the example : target.net) are as follows :
| + | |
− | | + | |
− | user@host# nmap -sS -A -sV -O -P0 --defeat-rst-ratelimit target.net
| + | |
− | user@host# ./nikto.pl -evasion 9 -host target.net
| + | |
− | | + | |
− | | + | |
− | Nmap is a good tool for mapping out what [[daemons]] are running on the server. This is important, because each daemon could be a chink in the armor of the site. [[Command Injection]], [[Buffer Overflows]], and null-byte/escape string vulnerabilities may plague any of these daemons and so generally after scanning a machine and getting a decent version print I try to google for vulnerabilities in any/all of the running daemons unless I know one off of the top of my head. Keep in mind that if target.net is running an application called "Port Sentry", nmap may come back thinking that every port is open. If this is the case, you may want to try running:
| + | |
− | | + | |
− | user@host# nmap -sS -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net
| + | |
− | | + | |
− | or even
| + | |
− | | + | |
− | user@host# nmap -sX -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net
| + | |
− | | + | |
− | As it stands, nikto does a great job mentioning CVE references for any vulnerabilities it discovers. Just remember that sometimes you can get a lot of false positives. If nikto doesn't mention a URL for a reference but lists a CVE reference, try google.
| + | |
− | | + | |
− | [[Category:Network Security]]
| + | |
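Review bot: this hunk deletes the entire tutorial (the IP Addressing, Ports, Routing, Theory and Tools sections, including the traceroute, whois/dig and nmap/nikto usage notes) and leaves only `#REDIRECT: [[:Category:Information gathering]]`, with nothing in the diff showing that the material was merged into the target; a redirect normally follows a move or merge, so either merge the sections into the target page first or keep the text here and add it to the target category instead. Note also that the final removed line `[[Category:Network Security]]` goes away with the rest, so the redirect page drops out of that category; if it should remain listed there, keep the category tag below the redirect line.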