Introduction
Ultimately, every hacker wishes to compromise a target system and gain access to it. This goal is the same for any hacker, regardless of the hacker’s “hat” (his or her ideology or motivation). Before a hacker can attempt to compromise a target system, he must know a great deal about it. There are a number of network utilities, Web sites and programs that a hacker can use to find out about a target system. Learning these methods will help us for two reasons. First, you should know exactly what tools crackers have at their disposal to assess your system’s vulnerabilities. Second, many security-savvy network administrators frequently use these same tools to assess their own systems. Another term for assessing your own system (or a client’s) is auditing. When a hacker or cracker is examining a potential target system, this assessment is called footprinting. If you can find vulnerabilities, you have the chance to fix them before someone else exploits them.
Recall the discussion of the rather tedious process hackers have to go through in order to enter a target system. The first stage of this process is learning about the system. It is important to know about the operating system, any software running on it, what security measures are in effect, and as much about the network as possible. This legwork is like a thief casing a bank before attempting a robbery: the thief needs to know all about alarm systems, work schedules and guards. The same is true for the hacker who wants to get into a system; the hacker’s first step is to gather information about that system. Assessing your own system, therefore, needs to be your first step also.
Basic Reconnaissance
On any system, you must first start by finding out some general information. This task, commonly referred to as reconnaissance, is particularly easy with a Web server. A Web server, by definition, must communicate with Web clients. That activity means that a certain amount of information is easily accessible in the public domain. In the past, security managers had to use some rather arcane-looking commands from either a command prompt or a Linux/Unix shell to gather this information. Today, you can get the information in just a few simple steps by using some readily available utilities. These tools are used by security managers as well as crackers.
The ways in which information is obtained by a cracker can vary greatly. Although there are many tools available, the methods listed below are the most likely initial reconnaissance methods used for Windows platforms:
- Nslookup
- Whois
- ARIN (available via any Internet browser client)
- Web-based tools (hundreds if not thousands of sites offer various reconnaissance tools)
- The target Web site (the client’s Web site often reveals too much information)
- Social engineering (people are an organization’s greatest asset as well as its greatest risk)
In the following section, we will explore a few of the many Web-based tools available for obtaining basic information on a target system.
Netcraft
The first step on our journey is the Netcraft Web site. This Web site gathers information about Web servers, information that you can use in assessing a target system. It provides an online utility that will tell you what Web server software a site is running, what operating system it is using, and other important and interesting information.
1. Open your browser and key in www.netcraft.com.
2. Click the link titled “What’s that site running,” which is found on the left side of the page.
3. Key www.chuckeasttom.com into the “What’s that site running?” box.
4. Press Enter. You will find a great deal of important information.
You can see that the server is running the FreeBSD operating system, a Unix variant. You can also see the machine’s IP address. This step is your first in learning about the target system. In many cases, with other addresses, you would also find out what Web server software the target system is running. You can then search the Internet for any known flaws in either the operating system or the Web server software. This step gives you a starting place to find out about the system and what weaknesses you might be able to exploit. In this case, you would simply go to your favorite search engine (Google, Yahoo, Lycos and so forth) and key in something such as “FreeBSD security flaws.” You will be surprised at how many Web sites describe the weaknesses of the system. Some sites even have step-by-step instructions on how to exploit these weaknesses.
The fact that this information is so readily available should be enough to alarm any system administrator. As software developers become aware of flaws in their software, they usually correct their code and release the corrections as patches or updates. If you are not regularly updating your systems, then you are leaving them open to external virus attacks.
Besides the strengths and weaknesses of that software, sometimes just knowing the operating system and the Web server software is enough information in and of itself. For example, if a target system is running Windows NT 4.0, what would this fact tell a hacker? Because Microsoft long ago released Windows 2000, Windows XP and Windows 2003 Server, the hacker can deduce that this target system does not frequently update its software. This could denote a company that is on a very tight budget or one that simply is not particularly computer-savvy. In either case, this lack of updating means that the system probably does not employ the latest security devices and techniques.
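As an added example (not from the original text), here is a short Python check an administrator can run against a saved copy of their own Web server’s response headers; it reports the product versions and platform that a lookup service such as Netcraft would read straight out of the Server and X-Powered-By headers, and shows that a server configured to send only the product name gives such a service nothing to report. The two sample responses are constructed for this example, not captured from any real site.

```python
import re

# Constructed sample responses (not captures from any real site). The first is
# the kind of banner a lookup service such as Netcraft reports on; the second is
# the same server with version and platform details removed from its headers.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (FreeBSD) PHP/5.2.6\r\n"
    "X-Powered-By: PHP/5.2.6\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Response headers that commonly advertise server software, platform or framework.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# "Product/1.2.3" tokens, e.g. Apache/2.2.3 or PHP/5.2.6.
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")
# Parenthesised platform comment in a Server header, e.g. "(FreeBSD)".
PLATFORM_COMMENT = re.compile(r"\(([^)]+)\)")

def parse_headers(raw):
    """Split a raw HTTP response into {lower-cased header name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def banner_findings(raw):
    """List each product version and platform the banner headers give away;
    an empty list means the headers reveal neither software nor OS."""
    findings = []
    headers = parse_headers(raw)
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        for product, version in VERSION_TOKEN.findall(value):
            findings.append(f"{name}: discloses {product} version {version}")
        platform = PLATFORM_COMMENT.search(value) if name == "server" else None
        if platform:
            findings.append(f"{name}: discloses platform {platform.group(1)}")
    return findings
```

On Apache, the hardened header is what the ServerTokens Prod directive produces; trimming the banner only reduces what a casual lookup learns, and is no substitute for the patching discussed above.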
Tracing the IP Address
The next piece of information you will want concerns the various connections between you and the target system. When you visit a Web site, the packets bouncing back and forth between you and the target site do not take a direct route. They usually bounce around the Internet, going through various Internet service providers and routers. The obvious way to obtain this information is to use the traceroute or tracert utility. You can then write down the IP address of each step in the journey. However, this task can be very tedious. An easier process is offered through the Visualware Inc. Web site. Visualware offers some very interesting products, along with free online Web demos. These products automate network utilities, such as tracert and whois, in a rich graphical interface. I find Visualware’s product, VisualRoute, to be particularly useful and remarkably easy to employ.
Using IP Registration Information
The information gained with these utilities can be used in a variety of ways. For example, you can take the e-mail address of the administrator and do a Google “groups” search for that address. Google now provides a gateway, via its “groups” tab, to Usenet newsgroups. These groups are basically global bulletin boards where people can engage in discussion on a wide range of topics. Network administrators sometimes post questions in specific newsgroups hoping to get advice from colleagues. If the network administrator of the target system has posted, he or she may have given away more information about the network than is wise. In one case, a network administrator actually posted a link to a diagram showing his entire network: the servers, IP addresses, type of firewall and so on. This information could easily have been exploited.
That is not to say that administrators must avoid using the Internet as an information source. That is certainly not the case. But when administrators do use newsgroups, they should not use their real name, their company’s name, or any information that might facilitate tracking them back to their company. In this way, information that they discuss about their firm’s network cannot readily be applied against it.
Social Engineering
One of the most common applications for the information gained from reconnaissance work is social engineering. Social engineering is a non-technical way of intruding on a system. It can range from dumpster diving to trying to get an employee to unwittingly compromise the system.
When dumpster diving, someone trying to obtain information will go through trash cans or dumpsters looking for garbage that contains information such as an IP address, a password or even a map of the network. This technique can be very messy, but it is also quite effective.
The most common tactic is to try to get an authorized user of a system to give you her password. This task may sound impossible, but it is actually quite easy. For example, if a hacker has discovered the name of the system administrator and knows that the company is rather large with a big Information Technology (IT) department, she can use this name to her advantage. Assume a scenario in which a hacker finds out that the network administrator for a certain firm is named Jan Smith. She can get Jan’s office location, e-mail address and phone number from InterNIC or by using the VisualRoute software. She can now call a remote office and speak to a secretary. The plan could work extremely well if that secretary (let’s call him Eric) is new to the company. The hacker tells Eric that she is a new intern working for Jan Smith and that Jan has instructed her to check all the PCs to ensure that they have proper virus-scanning software. To do this, the hacker needs a username and password, so could Eric please give these to her? It is amazing how often the person will indeed give a username and password to a caller. With this information, the hacker does not need to use any technical skills at all. She can simply use Eric’s legitimate username and password and log on to the target system.
Note that, for this reason, all the employees of an organization must be made aware of computer security. No matter how secure your system is or how much time and money you invest in security, it is all for naught if your employees are easily duped into compromising security.
There are entire volumes written on social engineering. As with all the topics covered here, the goal is to acquaint you with the basics, not to make you a master of any of them. The following links may be of interest.
- www.securityfocus.com/egi-bin/sfonline/infocus.pl?id=1527
- www.cybercrime.net/Property/Hacking/social%20Engineering/SocialEngineering.html