Kevin Beaver - Hacking For Dummies


Learn to think like a hacker to secure your own systems and data

As a security professional, you may not have to worry about covering your tracks or evading IPSes or related security controls because everything you do is legitimate, but you may want to test systems stealthily. In this book, I discuss techniques that hackers use to conceal their actions and outline some countermeasures for concealment techniques.

Seeing What Others See

Getting an outside look can turn up a ton of information about your organization and systems that others can see, and you do so through a process often called footprinting. Here’s how to gather the information:

Use a web browser to search for information about your organization. Search engines, such as Google and Bing, are great places to start.

Run network scans, probe open ports, and seek out vulnerabilities to determine specific information about your systems. As an insider, you can use port scanners, network discovery tools, and vulnerability scanners (such as Nmap, SoftPerfect Network Scanner, and GFI LanGuard) to see what’s accessible and to whom.

Whether you search generally or probe more technically, limit the amount of information you gather based on what’s reasonable for you. You might spend an hour, a day, or a week gathering this information. How much time you spend depends on the size of your organization and the complexity of the information systems you’re testing.

The amount of information you can gather about an organization’s business and information systems can be staggering, and it is often widely available. Your job is to find out what’s out there. This process is often referred to as open-source intelligence (OSINT). From social media to search engines to dedicated intelligence-gathering tools, quite a bit of information is available on network and information vulnerabilities if you look in the right places. This information potentially allows malicious attackers and employees to access sensitive information and target specific areas of the organization, including systems, departments, and key people. I cover information gathering in detail in Chapter 5.

Scanning Systems

Active information gathering produces more details about your network and helps you see your systems from an attacker’s perspective. You can do the following things:

Use the information provided by WHOIS searches to test other closely related IP addresses and host names. When you map and gather information about a network, you see how its systems are laid out. This information includes determining IP addresses, host names (typically external but occasionally internal), running protocols, open ports, available shares, and running services and applications.

Scan internal hosts when they’re within the scope of your testing. (They really ought to be because that’s where the large majority of vulnerabilities exist.) These hosts may not be visible to outsiders (you hope they’re not), but you absolutely need to test them to see what rogue (or even curious or misguided) employees, other insiders, and even malware controlled by outside parties can access. A worst-case situation is that the intruder has set up shop on the inside. Just to be safe, examine your internal systems for weaknesses.

If you’re not completely comfortable scanning your systems, consider using a lab with test systems or a system running virtual machine software, such as the following:

VMware Workstation Pro ( www.vmware.com/products/workstation-pro.html )

VirtualBox, an open-source virtual-machine alternative ( www.virtualbox.org )

Hosts

Scan and document specific hosts that are accessible from the Internet and your internal network. Start by pinging specific host names or IP addresses with one of these tools:

The basic ping utility that’s built into your operating system (OS).

A third-party utility that allows you to ping multiple addresses at the same time, such as NetScanTools Pro ( www.netscantools.com ) for Windows and fping ( http://fping.sourceforge.net ) for Linux.

The site WhatIsMyIP.com ( www.whatismyip.com ) shows how your gateway IP address appears on the Internet. Just browse to that site and the public IP address of your firewall or router appears. This information gives you an idea of the outermost IP address that the world sees.

Open ports

Scan for open ports by using network scanning and analysis tools such as the following:

Scan network ports with NetScanTools Pro or Nmap ( https://nmap.org ). See Chapter 9 for details.

Monitor network traffic with a network analyzer, such as Omnipeek ( www.liveaction.com/products/omnipeek-network-protocol-analyzer/ ) or Wireshark ( www.wireshark.org ). I cover this topic in various chapters of this book.

Scanning internally is easy. Simply connect your PC to the network, load the software, and fire away. Just be aware of network segmentation and internal IPSes that may impede your work.

Scanning from outside your network takes a few more steps. The easiest way to connect and get an outside-in perspective is to assign your computer a public IP address and plug that system into a switch on the public side of your firewall or router. Physically, the computer isn’t on the Internet looking in, but this type of connection works the same way as long as it’s outside your network perimeter. You can also do an outside-in scan from home, from a remote office, or even via a laptop connected to your cellphone hotspot.

Determining What’s Running on Open Ports

As a security professional, you need to gather the things that count when scanning your systems. You can often identify the following information:

Protocols in use, such as Domain Name System and NetBIOS

Services running on the hosts, such as email, web, and database systems

Available remote access services, such as Remote Desktop Protocol, telnet, and Secure Shell (SSH)

Encrypted network services such as SSL/TLS and IPsec

Permissions and authentication requirements for network shares

You can look for the following sample open ports (which your network scanner reports as accessible or open):

Ping (ICMP echo) replies, showing that ICMP traffic is allowed to and from the host.

TCP port 21, showing that FTP could be running.

TCP port 23, showing that Telnet could be running.

TCP ports 25 or 465 (SMTP and SMTPS), 110 or 995 (POP3 and POP3S), or 143 or 993 (IMAP and IMAPS), showing that an email server could be running.

TCP/UDP port 53, showing that a DNS server could be running.

TCP ports 80, 443, and 8080, showing that a web server or web proxy could be running.

TCP/UDP ports 135, 137, 138, 139, and, especially, 445, showing that a Windows host could be running.

Thousands of ports can be open — 65,534 each for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), to be exact. I cover many popular port numbers when describing security checks throughout this book. A continually updated listing of all well-known port numbers (ports 0–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt .

If a service doesn’t respond on a TCP or UDP port, that result doesn’t mean that the service isn’t running. You may have to dig further to find out.
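
As an added illustration (not from the book), the Python sketch below reads scan results in Nmap's grepable (-oG) layout and labels each open port with the service the list above says could be running; ports reported as filtered or open|filtered are set aside for a recheck rather than treated as closed. The sample hosts and results are constructed, and the function and variable names are assumptions of this example.

```python
import re

# Port-to-service hints taken from the list above: "could be running", not proof.
PORT_HINTS = {
    21: "FTP", 23: "Telnet",
    25: "email (SMTP)", 465: "email (SMTPS)",
    110: "email (POP3)", 995: "email (POP3S)",
    143: "email (IMAP)", 993: "email (IMAPS)",
    53: "DNS",
    80: "web server or proxy", 443: "web server or proxy",
    8080: "web server or proxy",
    135: "Windows host", 137: "Windows host", 138: "Windows host",
    139: "Windows host", 445: "Windows host",
}
# States where no answer came back; the service may still be running.
INCONCLUSIVE = {"filtered", "open|filtered"}

# Constructed sample in Nmap grepable form, using documentation addresses.
SAMPLE = (
    "Host: 192.0.2.10 (mail.example.test)\tPorts: 25/open/tcp//smtp///, "
    "23/open/tcp//telnet///, 443/filtered/tcp//https///\n"
    "Host: 192.0.2.20 (fs.example.test)\tPorts: 445/open/tcp//microsoft-ds///, "
    "53/open|filtered/udp//domain///, 9000/open/tcp/////\n"
)

def summarize(grepable_text):
    """Return {host: {"open": [(port, proto, hint)], "recheck": [(port, proto)]}}."""
    report = {}
    for line in grepable_text.splitlines():
        m = re.match(r"Host: (\S+).*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        entry = report.setdefault(m.group(1), {"open": [], "recheck": []})
        for item in m.group(2).split(","):
            fields = item.strip().split("/")  # port/state/protocol/owner/service/...
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state == "open":
                hint = PORT_HINTS.get(port, "unlisted: identify the service")
                entry["open"].append((port, proto, hint))
            elif state in INCONCLUSIVE:
                entry["recheck"].append((port, proto))
    return report

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE).items():
        print(host, entry)
```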
