

2007 A HACKING ODYSSEY PART I: RECONNAISSANCE

The aim of this series of papers, which will take an in-depth look at how someone may target and electronically break into an organisation, is to educate people who are tasked with looking after and securing a corporate network so that they can do so effectively.

My personal outlook on this issue is that if you have no idea about the steps a would-be attacker will take to try and gain access to your systems, then you as an administrator cannot effectively secure your system to an acceptable standard. Some people may disagree with the concept of demonstrating to people how to gain access to networks they are not meant to access, whilst others agree with the ‘full disclosure’ approach.

Take a firewall for example: if you don’t understand the steps an attacker will go through to try and get traffic through your firewall, then how can you stop them from doing it? All you can do is configure it the best way you know how and hope it is good enough.


Hacking, Cracking, Hackers and Crackers

Before I start:

If some innocent-looking young teenager came up to you and started talking about hackers and hacking, then chances are you, being the IT professional that you are, would mentally dismiss him as not understanding what he was talking about, just because he used the word ‘hack’. Yet if a university professor type in his fifties, wearing a tweed coat and glasses and smoking a pipe, came up to you and started talking about hackers and hacking, then you would more than likely listen to every word he says… why is this?

Well, the term ‘hack’ or ‘hacker’ is a word coined by the media to mean anyone trying to break into something IT related, whether it’s a network, computer or any other type of electronic system.

The more realistic term to use, when talking about a hacker in the sense the media’s term is meant, is ‘cracker’ or ‘attacker’. A cracker/attacker is someone who tries to gain access to things they have absolutely no right to be accessing. A hacker is someone who tries to make something function in a way it was not originally designed to; they ‘hack it apart’.

Take an email program for example; a hacker may try to make this email program send something other than an email, thereby making it do something it is not meant to do. Whereas an attacker/cracker will try to gain a level of access to it and read the user’s emails contained within the application.

People who are new to the IT community will often innocently use the word hacker until they get flamed by someone for doing so, probably on an IT related web forum, at which point they will usually endeavour to find a different word or face public ridicule on the new IT forum they will inevitably have to find.

There are some people who like to instigate the flaming of the above-mentioned people and think that everyone else will presume they are pretty knowledgeable because they make a big fuss of the fact they don’t like the word ‘hacker’… these are the people you should probably stay away from.

Most people who are secure in their own knowledge of IT and IT security, whether for good or bad purposes, and who have worked in the area for a while really don’t care what word is used, and can even find themselves using the term ‘hacker’ for ease of instruction when talking to non-technical people or media types. It can also be used to lessen the effect the word ‘attacker’ has on someone; non-IT people can get pretty scared when you say a cyber attacker is out to get them.

For the duration of these papers I will use the term ‘attacker’ to refer to someone trying to do bad things to your computers and to your network. We will also assume the attacker is a ‘he’.


Reconnaissance

For this chapter we will take the mindset of the attacker and look at the preliminary steps he may go through to attack your IT emporium.


How does an attacker decide which organisation to target? Once he has decided on the organisation, how does he set about attacking it? How does he know where to go on the internet to find the specific network he wants to attack? How does he find your geographical location if he wants to wardrive you? How does he find useful information to socially engineer you? How does he find your phone number range to war dial you? How does he find your mail server?

These are just some of the things the attacker will need to know before planning any attack against you, and finding them out is generically referred to as reconnaissance.

There are different types of attacker; attackers who have picked a target for a specific reason, attackers who pick random targets but have a specific idea about what they want to do to the target when they find one, and then there are attackers who look for random targets to launch random exploits against in an attempt to gain any level of access, without actually understanding what it is they are doing.

This latter group of attackers are commonly referred to as Script Kiddies, Skiddies, SkiDIEs, Skids etc. They are the ones who don’t usually bother with any reconnaissance and jump straight to firing up Nmap and telnetting to any open ports they happen to find.

I usually start security related courses off by asking, “What is the first step to take when wanting to attack a network?” 99% of the answers I receive involve the words Nmap and Telnet. Whilst this is a feasible option, there are still lots of steps to take before Nmap is even downloaded.

You may have dismissed Script Kiddies out of hand because of what I have mentioned above. Just because they do not understand the ins and outs of what they are doing does not make them any less dangerous than someone who does. Script Kiddies have all the time in the world to try and attack you. They usually come across an exploit of some kind that has been published somewhere, read how to actually perform the exploit and then go off in search of someone to test their newfound uber skill on.

Since they have a specific exploit in mind, which may run over a certain port, they can scan away to their heart’s content looking for that one system that is vulnerable to the exploit they have.

So, whereas administrators have to try and secure against 1000s of possible vulnerabilities, the Script Kiddies only have to find this one vulnerability on your system… and have an infinite amount of time to find it.

Picking a Target

So, how do you pick a potential target?

As good guys you may have a specific reason to attack a target: either it is your own organisation and you are auditing its security, or you have been contracted to audit the security of another organisation. If this is the case then step one has been decided for you. As bad guys you could have a grudge against a particular organisation; you could have come across some interesting information in a newsgroup about a certain system being vulnerable; someone may have posted a firewall configuration on a newsgroup or IT help site and not removed any passwords or IP addresses (this used to happen a lot). You could even have been specifically asked by someone to see if you can do any damage to an organisation… the list goes on.

What if you have no reason to pick a specific target and any will do?

You could trawl through your own firewall logs and find someone who has targeted you in the past; Zone Alarm, for example, has an annoying popup that can tell you about any external attempts made to gain access to your machine, and includes the IP address of the attacker. If you have a home router, they usually all have a logging facility and will record any attack attempts.

In true Script Kiddie style you could have stumbled across an exploit and want to try it out, so you start looking for susceptible targets.

You could even ping the first IP address that comes into your head, check it is valid and choose that.

When I teach this subject, to find an organisation for the duration of the course I usually enter the first words that pop into my head into Google, take one of the hits on the first page and use that company to demonstrate the reconnaissance steps against.

In this case the words are ‘Garden Sheds’.

http://www.google.co.uk/

The company I chose is Shed Store.

That’s the target picked, now let’s see what we can learn about them…


Research the Target

There are a multitude of perfectly legal methods we can use to research our target, and we don’t even have to connect to any of the machines associated with it. Like all good reconnaissance, the intended target should not know what we are trying to do; for this reason we try to use publicly available information that is either hosted away from any machine directly belonging to the organisation, or is on a machine that has been made to be accessed by the public, i.e. their web server.

Targets own web site

Once you know who your target is, the first thing to do is browse over to their web site and simply have a look at all the information they have made freely available to us.

http://www.shedstore.co.uk/

What info can we get from here?

They have kindly given us their address, phone number range, email domain, who they use as their online billing provider, what their office opening hours are and that they are part of Guardian Buildings.

Quote:

Shedstore (A trading division of Guardian Buildings). Unit 1, Southview Park, Caversham, Reading, Berkshire. RG4 5AF.
T: 0870 3500 710 F: 0870 3500 720 E: sales@shedstore.co.uk W: www.shedstore.co.uk


Quote:

During our office hours of 8.30am to 12.00pm, then 1.00pm to 5.00pm - Monday to Friday, we accept telephone orders and enquiries upon the following numbers.
- Sales enquiries & orders: 0845 130 0405 (Local rate)
- General enquiries: 0870 3500 710 (National rate)
- Customer service enquiries: 0870 3500 710 (National rate)

- (For those customers unable to access '08' numbers, please call 0118 946 4182)


By going part of the way through the order procedure we find out they use http://www.securehosting.com/ to handle their online transactions.

They also have a members-only area of the site.

**I will talk about what we can do with all this information later on**


We are starting to build up a ‘feeling’ about this company just from their web site. Going by this web site they seem to be a fairly well established company; they have what looks to be a professionally made web site; they seem to do the majority of their business over the internet; but they don’t necessarily seem IT savvy, as they have no need to be, so they maybe rely on external hosting providers to handle the web site, email, billing etc. This last point is worth remembering for later on when we cover social engineering.

None or all of the above ‘feelings’ we get from the web site are necessarily true… we need to confirm them first.

Google

I will not cover Google in this paper as the subject is extremely large and I feel it deserves a paper to itself (which will be posted soon). Needless to say, typing the company name into Google and Google Groups may reveal some information that can be useful to you.


Jobs advertised on company web sites

Although not applicable to this particular web site, let’s say we were using the web site of a small bank, and on this web site they had a Jobs section, and in this Jobs section they were asking for a PIX firewall administrator to start immediately…

This little gem of information tells us that the bank uses PIX firewalls, that they may have no administrator currently employed to manage it and view the logs (hence the immediate start), and that they may be susceptible to a social engineering attack whereby someone who does not normally configure the PIX may be coerced into making a change, or that a new employee is likely to start very soon who again will be very susceptible to social engineering to get him to alter the firewall’s configuration. If you had a phone call from someone claiming to be the boss of your new company on your first day at work, would you say no to him if he told you to change an ACL in the firewall? Maybe, maybe not…

All this stems from a seemingly innocent job advert…

Newsgroups

Newsgroups are a valuable source of information during the reconnaissance phase of an attack, depending on the type of target, as they are usually used by someone asking for help, e.g. “I have a PIX 506E and I want to configure a static NAT for a web server with the IP addresses 192.168.10.10 and 80.80.80.80, how do I do it?”

This innocently asked question tells us that the organisation uses a PIX, its internal IP range, its external IP range and that the administrator is not so confident with configuring it, hence it may be misconfigured and easy to attack…

Out of Office replies are also sent out to some newsgroups… what better time to attack a network than when you know the administrator is out of the office and can’t examine any logs? Or, if you want to phone someone up and socially engineer them under the guise of being the system administrator, well, you know he won’t be there to get in your way…

If you trawl through them you will find complete router configurations including IP addresses and passwords, firewall configurations that again include IP addresses and passwords; the list goes on. If you have managed to glean a name from the organisation’s web site, try searching for it and see if it throws anything up.

When you want to search for, say, a PIX running configuration that may have been posted in its entirety, it is best to search for a few words that are specific to the configuration. I usually use “mtu outside”, which refers to the Maximum Transmission Unit size for the outside interface of the firewall and is pretty specific to a firewall. If you know the domain name of your target, try including this in your search string as well; most firewalls can be configured with a domain name.

The below link has over 13,000 PIX configurations that have been posted in various newsgroups:
http://groups.google.co.uk/groups/search?hl=en&q=mtu+outside+&qt_s=Search

I find PIX firewall configurations especially useful to search through, as there are so many things that need to be deleted from the configuration for it not to give away any information. So often I see IP addresses deleted but domain names left intact; a quick ‘nslookup’ of the domain name will sometimes give you the IP block assigned to the organisation. Once you have worked this out, take a look at the Access Control Lists and see what they allow in, and see if there are any peer IP addresses in the VPN configuration etc.
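The flip side of the two paragraphs above is the check an administrator should run before posting a configuration for help. The following Python is an added example, not part of the original tutorial: it flags the items this section says get left behind (domain name, credentials, internal and external addresses, VPN peers) in a PIX-style configuration and rewrites them with placeholders while keeping netmasks so the post remains answerable. The sample configuration, the keyword list and the `<redacted>`/`a.b.c.d` placeholders are constructed for illustration; 203.0.113.x is documentation address space.

```python
import ipaddress
import re

# Constructed sample PIX-style config, pasted the usual way: one address "removed" (x.x.x.x), the rest left in.
SAMPLE_CONFIG = """\
domain-name example-target.invalid
enable password Xx1Example2Hash3 encrypted
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
mtu outside 1500
static (inside,outside) 80.80.80.80 192.168.10.10 netmask 255.255.255.255
crypto map vpnmap 10 set peer 203.0.113.7
isakmp key SuperSecret123 address 203.0.113.7 netmask 255.255.255.255
"""
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Keyword lines that give something away on their own; the lookahead skips lines already redacted.
SENSITIVE = [
    ("credential", re.compile(r"^(?!.*<redacted>)(enable password|passwd|isakmp key|pre-shared-key)\b")),
    ("identity", re.compile(r"^(?!.*<redacted>)(hostname|domain-name)\b")),
]

def classify_ip(addr: str) -> str:
    """'mask' for netmasks/wildcards, 'private_ip' for RFC1918/loopback space, else 'public_ip'."""
    if addr.startswith("255.") or addr == "0.0.0.0":
        return "mask"
    ip = ipaddress.ip_address(addr)
    return "private_ip" if any(ip in net for net in PRIVATE_NETS) else "public_ip"

def find_leaks(config: str) -> list:
    """Return (line_number, kind, line) for every line that still gives something away."""
    findings = []
    for num, line in enumerate(config.splitlines(), start=1):
        text = line.strip()
        findings += [(num, kind, text) for kind, pat in SENSITIVE if pat.match(text)]
        kinds = {classify_ip(a) for a in IPV4.findall(text)}
        if "public_ip" in kinds:      # a routable address or VPN peer is the worst case
            findings.append((num, "public_ip", text))
        elif "private_ip" in kinds:   # internal addressing still maps out the network
            findings.append((num, "private_ip", text))
    return findings

def redact(config: str) -> str:
    """Rewrite the config so find_leaks() reports nothing; netmasks stay so the post is still answerable."""
    def scrub(text: str) -> str:
        for _kind, pat in SENSITIVE:
            if pat.match(text):
                text = pat.match(text).group(1) + " <redacted>"
        return IPV4.sub(lambda m: m.group(0) if classify_ip(m.group(0)) == "mask" else "a.b.c.d", text)
    return "\n".join(scrub(line.strip()) for line in config.splitlines())
```

Run `find_leaks(SAMPLE_CONFIG)` to see that the partially cleaned sample still leaks on seven lines, including the two where only the netmask was kept and the real address was not; `redact(SAMPLE_CONFIG)` produces a version that reports clean.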

There is a very extensive search function on the Google Groups site, which will allow you to search for almost any aspect of a post; again, try to use keywords specific to the organisation you are researching or to the type of post you are looking for.

You may have to trawl back a while to see if anyone has posted via their company email address in a newsgroup, as people are more savvy nowadays and usually use a Hotmail/Gmail/Yahoo type web mail account. However, some people sign their messages with their full name, company name and company address… and then explain their entire network setup and what is wrong with it.

We will come back to searching newsgroups in the next section when we go over WHOIS records.



Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on February 7th, 2007 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post... we do not sell, publish, transmit, or have the right to give permission for such... TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.