Introduction to passive information gathering
Related categories: Security | Security Tools
Author: Błażej Kantak
Article date: 2006-08-01 12:36:14

In this article, you will learn how to locate valuable information that can help compromise a company's IT infrastructure.
Making too much information known to the outside world can infringe an organisation's security policy and leave its IT systems more vulnerable to attack. In this article we will learn how easy it is to locate valuable information that can help compromise a company's IT infrastructure.
About the author

Błażej Kantak has been involved in IT for over 15 years, and has been working in the industry for over 8 years. He is currently employed as a network troubleshooter at a large financial institution. Specialising in computer networks, he is also involved in exploring other aspects of IT security, especially Wi-Fi, VPN, FW, VoIP and breaking Cisco devices. He is currently looking for a source of T-shirts that say My wife 0wnz me... His last foray into the realm of physical security was a successful DoS attack on a lift.

Penetration testing - a catchy phrase eagerly used in IT publications. For all those who base their knowledge of IT security on films like The Hackers, where breaking into a computer system requires flying about in virtual reality between two translucent glowing towers, penetration testing (pentesting for short) sounds impossibly technical. Fortunately, in the real world it is not that difficult - with a few simple tools and procedures, practically anyone can gather the information required to compromise an IT system.
Note that this article is neither intended to describe the theory of hacking nor to present the work ethics of a true hacker. It is also not a tool list or a tutorial on breaking into computer systems. What I intend to show is that by correlating relevant data, anyone even moderately familiar with computers and networks can gather enough information to overcome or bypass security measures for surprisingly many businesses and institutions with a Web presence. I will try to demonstrate how much you can achieve armed with just a Web browser, a chair, some music, and of course your mind, without which all information (including this article) is useless. I will deliberately omit the technical details so you can experiment on your own and feel the satisfaction when it all clicks together. The article is primarily intended for users who are less experienced in computer security, but are generally familiar with using computers and the Internet. Let’s get going!
Pentesting

A penetration test (security audit) is the process of checking IT system security by simulating the actions that a potential intruder might take; it is undertaken by a group of qualified and authorised experts. The aim of the test is therefore to conduct a controlled attack on production systems in order to discover and eliminate vulnerabilities, with the final intention being to increase the organisation's IT security. Pentests can be divided according to the knowledge granted to the testers: black box testing means that the testers have no inside knowledge of the target system, while white box testing means that they have access to complete technical specifications (configuration, databases, source code etc.). Tests are also divided into external, where auditors operate from outside the target system (such as a network), and internal, with testers working as a user within the system (for example an employee). Each pentest can be divided into the following phases:
Pentesting even has its own methodology standard: the Open Source Security Testing Methodology Manual (OSSTMM), prepared by the Institute for Security and Open Methodologies (ISECOM). You can find more information at: http://www.isecom.org/osstmm.

Make your bed and lie in it

I've already touched upon the key factors that contribute to success. The basis of any pentest is a comfortable working environment suited to the tester's individual needs. In my personal experience, the environment consists of a favourite Web browser (in my case Firefox), good (i.e. relaxing) music, a pencil, a thick notepad and a comfortable chair (you will spend a lot of time in it). Time is the final piece of the puzzle, and has probably the most influence on the final test result. For the purpose of this article, we will assume our time limit is infinity, which should be enough to do our job well. With the environment set up, we can get to work. In this article, we will look at the first stage of pentesting, namely passive (or relatively passive) information gathering. Imagine you are a security consultant whose task is to gather as much information as possible about a certain company (let's call it Untouchables Inc.) without alerting its system administrators to your activity. Note that in this case we will not go into who the client is - it could be Untouchables Inc. itself, but it might also be a competitor. We simply have a job to do, and such details do not concern us.

Low hanging fruit

Where do we start? Well, some might start simply by visiting www.untouchablesinc.com, but that would run counter to the requirement that we should remain hidden. Fortunately, there are many places on the Web where we can find lots of interesting information about the target. Most of them are very old services that were originally intended to make the World Wide Web easier to use.
As it turns out, the convenience comes at the cost of exposing a wealth of information which, after analysis and correlation, can give a pretty clear picture of what is going on at a certain organisation, what its structure is, who its suppliers are, who manages it, who works there - the list goes on and on. Of course, you won’t get all this information every time, but it’s always worth picking some low hanging fruit first. All right then. Let’s start by determining the physical location of Untouchables Inc., its opening hours and maybe some phone numbers. What we need is a phone book. In this day and age you probably won’t have one handy (though you might find it at the post office), so it’s more convenient to use a Web-based alternative, such as Yellow Pages (www.yellowpages.com). To find an address on a map, you can use maps.google.com or www.multimap.com. Make a note of all the information you’ve found. For example, phone numbers can later be used for social engineering attacks (if required) or wardialling using a specific prefix. E-mail addresses may indicate the corporate address format (e.g. arnold.rimmer@untouchablesinc.com). If the target company is present on a stock exchange, you can try to find some more information through the website of the relevant stock exchange or in financial portals. Once we have a few basic facts, let’s see how much information resides in other places. We’ll start with the WHOIS database.
WHOIS

The purpose of the WHOIS service is to supply contact and registration information for a subject (company, institution, organisation). The service supports queries related to IP address ranges (network service-based queries) and domain names (name service-based queries). The WHOIS database includes information on the IP addresses assigned to a subject, the number of its autonomous system (AS - used for BGP routing), contact details for the individuals who maintain the record, and other data. The WHOIS database has been divided into four regional Internet registries:
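To make the exposure concrete, here is an added example (not code from the article or its author) that parses a WHOIS reply in the 'key: value' layout used by registries such as RIPE and pulls out the fields the text names: address ranges, the AS number, maintainers and contact people. The reply is constructed from documentation-only values (192.0.2.0/24, AS64496) and the names from the article; an organisation can run the same summary over its own records to see what it gives away.

```python
"""Summarise what a WHOIS record exposes. Added example, not the author's code; the
record below is constructed from documentation-only values (RFC 5737 / RFC 5398)."""

# Constructed RIPE-style reply: a network block, the route object carrying the AS
# number used for BGP, and the contact person the block references.
SAMPLE_WHOIS = """\
% Constructed reply, not data from any registry.
inetnum:        192.0.2.0 - 192.0.2.255
netname:        UNTOUCHABLES-NET
tech-c:         AR1234-TEST
mnt-by:         UNTOUCHABLES-MNT

route:          192.0.2.0/24
origin:         AS64496

person:         Arnold Rimmer
phone:          +44 20 7946 0000
e-mail:         arnold.rimmer@untouchablesinc.com
nic-hdl:        AR1234-TEST
"""

def parse_whois(text):
    """Split a 'key: value' reply into blank-line separated objects; skip '%'/'#' comments."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
        elif not line.startswith(("%", "#")):
            key, _, value = line.partition(":")  # first colon ends the key
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def exposure_summary(text):
    """Collect the fields the article names: address space, AS number, maintainers, people."""
    found = {"ranges": [], "as_numbers": [], "maintainers": [], "contacts": []}
    for obj in parse_whois(text):
        attrs = dict(obj)  # repeated keys: last value wins, enough for a summary
        found["ranges"] += [attrs[k] for k in ("inetnum", "netrange", "route", "cidr") if k in attrs]
        for k in ("origin", "originas", "aut-num"):  # RIPE / ARIN spellings
            if attrs.get(k, "").startswith("AS"):
                found["as_numbers"].append(attrs[k])
        if "mnt-by" in attrs:
            found["maintainers"].append(attrs["mnt-by"])
        if "person" in attrs:
            found["contacts"].append({k: attrs.get(k) for k in ("person", "phone", "e-mail")})
    return found
```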
Copyright C 2006 by Software Developer's Journal. All rights reserved.