Questions about this topic? Sign up to ask in the talk tab.

Classes/Logs/2012/September/17/02-03

From NetSec
Jump to: navigation, search
02:04 <+foo> we'll be spining up networking mapping here in 5min
02:04 <+foo> *network
02:04 <~hatter> get me dem logz
02:04 <+foo> working on it. 
02:07 <+foo> http://pastebin.com/9udApQq9
02:07  * corvus is just too damn slow
02:07 <~hatter> foo: logs posted
02:07 <~hatter> you're up when you're ready
02:07 <+foo> 3min
02:09 -!- shades [[email protected]] has joined #CSIII
02:10 < corvus> holy night of classes!! glad I am around tonight or this morning, what ever it is
02:10 < rory> ^
02:10 <@zzzzzZZZZzzz[m3n]> this _week_
02:10 <@zzzzzZZZZzzz[m3n]> tell your friends
02:10 <~hatter> again guys
02:10 <+foo> Good evening and welcome to Network Mapping
02:10 <~hatter> check out http://blackhatlibrary.net/Current:Classes if you havent
02:10 < shades> hey
02:11 < shades> I just came up hella hard guys
02:11 < shades> what's up hatter?
02:11 < shades> I made it back alive from the burn
02:11 <~hatter> hi shades 
02:11 <~hatter> awesome
02:11 <@zzzzzZZZZzzz[m3n]> CSIII Hellweek.
02:11 <~hatter> Wasn't sure where ya'd been
02:11 <~hatter> good job
02:11 <~hatter> Yep
02:11 <~hatter> Exactly what this is - CSIII hellweek
02:11 <~hatter> lol
02:11 <@zzzzzZZZZzzz[m3n]> See if you can keep up~!
02:11 < XiX> hey foo is doing a tutorial now on network mapping?
02:11 <+foo> XiX: yup. 
02:11 < shades> yes, I unplugged for the most amazing life changing experince ever
02:11 < XiX> ok cool
02:12 -!- x3tan_ [[email protected]] has joined #CSIII
02:13 <+foo> we're going to discuss using OSINT to find information about a network without touching it and follow up 
             with some network protocol overview (including OSI model, TCP and UDP) and move into using nmap as a network 
             mapping tool and whatever other tools we have time for
02:13 <+foo> starting out, there is a wealth of information available about internet connected networks that doesn't 
             require probing for a response
02:14 <+foo> the most common tool that people use is Google for identifying internet facing domains, for example 
             searching for site:reddit.com will show all of the pages google has found
02:14 < shades> is anyone familiar with TiHKAL The Continuation?
02:15 -!- mode/#csiii [+h foo] by hatter
02:15 -!- mode/#csiii [+m] by hatter
02:15 <~hatter> foo: proceed :)
02:15 <~hatter> lol
02:15 <%foo> danke. 
02:15 <%foo> another tool Shodan will show you routers found on the internet
02:15 -!- x3tan [[email protected]] has quit [Ping timeout]
02:15 -!- hatter changed the topic of #CSIII to:  www.blackhatacademy.net || blackhatlibrary.net || you MUST register to 
          speak here || Classes are in session: http://blackhatlibrary.net/Current:Classes
02:15 <@zzzzzZZZZzzz[m3n]> Shodan is the shit
02:16 <%foo> http://www.shodanhq.com/ has a ton of information, while we're going through this tutorial load it up in 
             your browser
02:16 <%foo> it doesn't just include routers, but servers as well
02:16 <%foo> http://www.shodanhq.com/search?q=microsoft
02:17 <@zzzzzZZZZzzz[m3n]> ^ $.$
02:17 <%foo> other tools such as whois and ARIN can help you find information as well
02:18 <%foo> http://whois.arin.net/ui
02:18 <%foo> for example: http://whois.arin.net/rest/customer/C00006676
02:18 <%foo> within that record includes links to an IP block of Microsoft 
             http://whois.arin.net/rest/net/NET-206-71-119-0-1.html
02:19 -!- hatter changed the topic of #CSIII to: www.blackhatacademy.net || blackhatlibrary.net || you MUST register to 
          speak here || Class in session: http://blackhatlibrary.net/Current:Classes || Non-class discussion: #recess
02:19 <@zzzzzZZZZzzz[m3n]> http://www.shodanhq.com/search?q=Server%3A+SQ-WEBCAM
02:19 <%foo> ^^^
02:20 -!- hatter changed the topic of #CSIII to: www.blackhatacademy.net || blackhatlibrary.net || you MUST register to 
          speak here || Class in session: http://blackhatlibrary.net/Current:Classes || Non-class discussion: #recess-iii
02:20 <%foo> the services that organizations offer up may not have DNS entries but still be internet accessible
02:20 <@zzzzzZZZZzzz[m3n]> I might do a class later on the 15 minute shodan botnet sometime near the end of the week.
02:20 <@zzzzzZZZZzzz[m3n]> *wink wink*
02:21 <%foo> :-)
02:21 <%foo> other useful soruces of information include job postings
02:21 <%foo> such as at indeed.com
02:21 <%foo> http://www.indeed.com/jobs?q=firewall&l=
02:21 <@zzzzzZZZZzzz[m3n]> employee portals here^
02:22 <@zzzzzZZZZzzz[m3n]> ?
02:22 <%foo> that, as well as specific firewall technologies
02:22 <%foo> checkpoint, pix, asa, iptables
02:22 <@zzzzzZZZZzzz[m3n]> I see.
02:22 <%foo> but yes, employee portals as well
02:23 <%foo> maltego is another great tool for finding information about the perimeter of networks
02:23 <%foo> http://www.paterva.com/
02:23 <%foo> not only can you find references to ip blocks
02:24 <%foo> but you can search social media, DNS, WHOIS, ARIN and other sources of information
02:24 <%foo> matching physical address to IP block
02:24 <%foo> it makes it much easier to identify data centers
02:26 <%foo> robtex.com, domaintools.com and the public looking glass points make for good public information without 
             even touching the target: http://www.traceroute.org/
02:26 -!- Andres|cuevana [[email protected]] has joined #CSIII
02:26 <%foo> once you've mapped the OSINT, it becomes time to start putting that information to use
02:27 -!- mode/#csiii [+b *!*[email protected]] by hatter
02:27 <%foo> based on what we've discussed so far you should have been able to identify: public facing routers and hosts, 
             ip blocks registered via ARIN, dns servers, www servers and have a good idea of the external network 
             footprint
02:27  * foo waits for the +b to be /kick'ed
02:28 <%foo> nevermind. 
02:29 <%foo> now putting that information to use can happen in several different ways
02:29 <%foo> you can scour google for additional records
02:29 <%foo> make network maps with Free Mind
02:29 <%foo> http://freemind.sourceforge.net/wiki/index.php/Main_Page
02:30 <%foo> I find mapping out a network with freemind makes keeping track of the interconnections much easier than a 
             spreadsheet
02:31 -!- Andres|cuevana [[email protected]] has left #CSIII []
02:31 <%foo> now, before we start busting out our network toolkit we should talk about protocols
02:31 -!- Apollo [[email protected]] has joined #CSIII
02:31 <%foo> the OSI model exists for a reason
02:31 <@zzzzzZZZZzzz[m3n]> So yeah I feel I should mention (despite it being in the topic) that there is #recess-III for 
                           extracurricular chats (since we are going into constant class mode, and students like to pass 
                           notes(we don't mind))
02:32 <~hatter> yeah foo, there is a reason for the OSI model
02:32 <~hatter> +1
02:32 <~hatter> Pay attention to this part guys
02:33 <%foo> https://en.wikipedia.org/wiki/OSI_model and 
             http://2.bp.blogspot.com/-YAXxMzovtJY/TddbzZ26vBI/AAAAAAAAECM/17kqnUulnRc/s1600/OSI-TCP-Comparison.jpg
02:33 <%foo> sorry I don't have a better OSI TCP Comparison handy
02:33 <%foo> the OSI Model is important because it gives you a reference for anything network related
02:33 <%foo> at the very bottom you have the physical layer, layer 1
02:34 <%foo> the physical layer can consist of copper, fiber, pigeon, EM waves or even water
02:34 <%foo> you can fit things like water and pigeon in there because the layer above, the datalink layer, doesn't care. 
02:35 <%foo> https://tools.ietf.org/rfc/rfc1149.txt    A Standard for the Transmission of IP Datagrams on Avian Carriers
02:36 <%foo> http://boingboing.net/2002/12/28/ip-over-h2o.html
02:36 <%foo> there is a better ip over h2o link but I don't have it handy
02:36 <%foo> someone is welcome to go find that for me :-)
02:36 <~hatter> lol
02:36 <%foo> the layer above, layer 2 is the datalink layer
02:37 <%foo> your datalink layer gives your data, a link. the orange and green blinky lights that we all know and love.
02:38 <%foo> these data links include switches, ethernet ports, gbic's, and coaxial modems
02:39 <%foo> this is your ethernet layer, your layer of MAC addresses
02:39 <%foo> in a VPN scenario, this is tap0 for what it means
02:39 <%foo> your MAC addresses allow your bits to flow along the local segment of your network
02:40 <%foo> these are not (traditionally) shared outside of your local network segment, which is typically defined by 
             the termination point at a switch
02:40 <%foo> your switches send packets to their destination based on matching up an IP address to a MAC address on the 
             local network. 
02:41 <%foo> hubs and spanning ports do this for all traffic
02:41 <%foo> in order to convert IPs to MAC addresses, we use arp
02:42 <%foo> corvus: thank you for this excellent link of ip over h2o: 
             http://www.mee.tcd.ie/~bruckerj/projects/streamingmedia
02:42 <%foo> or H2O/IP
02:42 <%foo> on your local systems, run arp -a
02:42 <%foo> and look at your connections
02:43 <%foo> ? (192.168.2.1) at 0:24:a5:df:37:c8 on en0 ifscope [ethernet]
02:43 <%foo> ? (192.168.2.10) at 34:8:4:70:94:89 on en0 ifscope [ethernet]
02:43 <%foo> ? (192.168.2.42) at 0:24:1d:70:59:66 on en0 ifscope [ethernet]
02:43 <%foo> ? (192.168.2.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
02:44 <%foo> as you can see, the local network IP addresses are mapped by interface to a specific MAC address
02:46 <%foo> some packet capture examples of these: http://chrissanders.org/packet-captures/
02:46 <%foo> so far, our first two layers map from the OSI model of Physical and Data Link to the TCP/IP model of 
             "Network Interface"
02:47 <%foo> the Network Layer, Layer 3 in OSI and "Internet" layer in the TCP/IP model is where we start working with IP 
             and the routing of packets
02:47 <%foo> the IP layer is defined by RFC 791, https://www.ietf.org/rfc/rfc791.txt
02:48 <%foo> I wonder how horribly this will paste:
02:48 <%foo> Figure 4 from the link to rfc791.txt
02:48 <%foo>     0                   1                   2                   3   
02:48 <%foo>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
02:48 <%foo>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo>    |Version|  IHL  |Type of Service|          Total Length         |
02:48 <%foo>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo>    |         Identification        |Flags|      Fragment Offset    |
02:48 <%foo>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo>    |  Time to Live |    Protocol   |         Header Checksum       |
02:48 <%foo>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo>    |                       Source Address                          |
02:48 <%foo>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo>    |                    Destination Address                        |
02:48 <%foo>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:48 <%foo>    |                    Options                    |    Padding    |
02:48 <%foo>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
02:49 <%foo> obama-notbad.jpg
02:49 <@zzzzzZZZZzzz[m3n]> lol
02:49 <%foo> for our purposes, you need to be familiar with the source address and destination address
02:50 <%foo> time to live is also important, as is protocol for that matter
02:50 <@zzzzzZZZZzzz[m3n]> http://i.imgur.com/wAzbK.jpg
02:50 <%foo> they're all important
02:50 <%foo> ^^^ 
02:51 <%foo> hrm, I'm going to run out of time. 
02:51 <%foo> moving on to tcp and udp 
02:51 <@zzzzzZZZZzzz[m3n]> Get the next avaliable slot?
02:51 -!- x3tan_ is now known as x3tan
02:52 <~hatter> oh foo you got
02:52 <~hatter> 10 minutes or 15 minutes
02:52 <~hatter> still
02:52 <%foo> yeah, I'll continue after rorschach
02:52 <~hatter> :)
02:52 <~hatter> ok
02:53 <%foo> so, to wrap up the TCP/IP portion before we get to network mapping with nmap, 
             https://tools.ietf.org/html/rfc1180 is the TCP/IP tutorial
02:54 <~hatter> (also someone get me logs
02:54 <~hatter> )
02:54 <@rorschach> foo, if you want to keep going on OSI, I'm doing a homework assignment right now
02:54 <@rorschach> almost done but you could be a good stall :p
02:54 <%foo> rorschach: alright, perfect. 
02:54 <%foo> SO, TCP and UDP ARE COOL
02:54 < Apollo> If you don't mind me jumping the gun a bit. Do you use a custom profile in nmap or stick to the default 
                defined ones?
02:55 <%foo> Apollo: that depends on the network I'm mapping, in most cases I find the defaults very well tuned
02:55 <%foo> Apollo: if I start getting rst's or icmp-host-unavaialble I may modify the profile
02:55 < shades> won't nmap not tell you much if you're behind a switch?
02:55 <%foo> or if it is an on-going scan, I'll scale back the port checks a bit
02:56 -!- d4rch0n [[email protected]] has joined #CSIII
02:56 < shades> unless you do some arp poisioning or something?
02:56 <%foo> shades: from where? 
02:56 < shades> your network segment
02:56 < Apollo> The only thing I typically add is the fin scan. was curious how others do it
02:56 <%foo> shades: one question at a time. 
02:57 < shades> ok
02:57 <%foo> re: behind a switch, switches don't filter packets typically (more advanced ones do, but that's not what 
             we're talking about) so they won't be restricting your information
02:57 <%foo> now each router in between you and the host will change the traffic slightly, namely decrementing the TTL 
             (Time To Live)
02:58 <%foo> if you're scanning from the internet and are trying to hit hosts behind a firewall you need to adjust your 
02:59 < shades> ah I was not thinking of scanning from the cloud to behind someones firewall. I was thinking of scanning 
                from the inside
02:59 <%foo> scanning from the inside can be impacted by VLANs and other access control methods
03:00 < shades> well it sounds like you're near where I'm staying
03:00 <%foo> in those cases, you need to be familiar with how VLAN IDs work
03:00 < shades> wrong window
03:00 < shades> ok sounds like we're getting side tracked and we haven't even fired up nmap yet
03:01 <~hatter> shades: there will be a part 2 in an hour or so
03:01 < Apollo> Correct me if i'm wrong but nmap should ignore vlans.  the router that routes between the vlans may have 
                some filtering technique applied but a different vlan is a different subnet.