So in order to understand what the main areas where organisation should be aware of securing data, we should understand the terminologies like footprinting, scanning and enumeration

The threats that surround the DNS are due in part to the lack of authenticity and integrity checking of the data held within the DNS and in part to other protocols that use host names as an access control mechanism. In response to this, the IETF formed a working group to add DNS Security (DNSSEC) extensions to the existing DNS protocol.

Step 4: Network Reconnaissance

Now that the potential target within the system has been identified, the attacker can try to map the target's network topology and identify potential access paths to that network. This can be done using the widely available traceroute program, which lets you view the routes that an IP packet follows from one host to the next, hence providing the network topology as well as identifying access control devices (application-based firewall or packet-filtering routers).

Network Reconnaissance is a technique commonly used by malicious outsiders to obtain a large amount of publicly-available information regarding an organisation and its IT infrastructure. This information is then used to identify potential weak points in the network in order to identify targets for a compromise attempt.

Once a potential target has been identified by the attacker, additional enumeration of the system(s) is performed to identify likely services and possible entry points into the internal network.

(http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=5359&mode=thread&order=0&thold=0 [accessed 15 November 2005])

Scanning

(A) Introduction:

In today's internet world there are a lot of scanners has been introduced and it is constantly increasing and as a result the danger of attacks by hackers are increasing day by day.

So in order to protect ourselves from these attacks we should have the knowledge of the scanning tools and also the ways that these tools are using against us. (http://www.sys-security.com/ [accessed 18 November 2005])

Definition:

"The art of detecting which systems are alive and reachable via the Internet, and What services they offer, using techniques such as ping sweeps, port scans, and operating system identification, is called scanning."

(http://www.sys-security.com/ [accessed 18 November 2005]),

Scanning can be considered as an equivalent to knocking on the walls to find all the doors and windows.

Scope of scanning:

* TCP/UDP services running on each system identified.

* System architecture (Sparc, Alpha, x86).

* Specific IP addresses of systems reachable via the Internet.

* Operating system type.

(http://gaia.ecs.csus.edu/~ghansahi/classes/notes/196n_at_def_notes/lectures/wk02.ppt [accessed 18 November 2005])

(B) Determining either the target is alive via ping sweeps:

) ICMP sweeps:

We can use ICMP packets to determine whether a target IP address is alive or not, by simply sending an ICMP ECHO request packets to the targeted system and wait to see if an ICMP ECHO reply (ICMP type 0) is received. If an ICMP ECHO reply is received, it means that the target is alive.

Querying multiple hosts:

Querying multiple hosts using this method is referred to as Ping Sweep. Ping Sweeps is the most basic step in mapping out a network.

This is an older approach to mapping, and the scan is fairly slow.

Some of the tools used for this kind of scan include

o UNIX: (Fping, Gping, Nmap, Snort etc)

o Windows: ( Pinger, Nmap, NetCat etc )

Pinger is one of the fastest ICMP sweep scanners. Its advantage lies in its ability to send multiple ICMP ECHO packets concurrently and wait for the response. It also allows you to resolve host names and save the output to a file.

2) Broadcast ICMP:

Sending ICMP ECHO request to the network or/and broadcast addresses will produce all the information you need for mapping a targeted network in even a simpler way.

The request will be broadcast to all alive hosts on the target network, and they will send ICMP ECHO reply to the attacker source IP after only one or two packets have been sent by him.

3) Non-ECHO ICMP:

Blocking incoming ICMP ECHO requests is not enough. We can use non-ECHO ICMP protocols for gathering various information about a system.

Other tools: We can use the icmpush & icmpquery tools to perform this kind of scanning.

Advantage: Many firewalls are configured to block only ICMP ECHO traffic, and in this case it makes the non-ECHO requests a valid form of host identification.

Alternatives: Even if ICMP traffic is blocked on the border router or firewall, there are additional techniques that can be used to determine which systems are actually alive, although these techniques are not as accurate as a normal ICMP Sweep.

4) TCP Sweeps:

The TCP connection establishment process is called "the three way handshake", and is combined of three segments.

I. A client sends a SYN segment specifying the port number of a server that the client wants to connect to, and the client initial sequence number.

II. If the server's service (or port) is active the server will respond with its own SYN segment containing the server's initial sequence number. The server will also acknowledge the client's SYN by ACKing the client's SYN+1.

If the port is not active, the server will send a RESET segment, which will reset the connection.

III. The client will acknowledge the server's SYN by ACKing the servers ISN+1.

When will a RESET be sent? - Whenever an arriving segment does not appear correct to the referenced connection. Referenced connection means the connection specified by the destination IP address and port number, and the source IP address and the port number 5.

With the TCP Sweep technique, instead of sending ICMP ECHO request packets we send TCP ACK or TCK SYN packets to the target network.

Selection of port:

The port number can be selected to meet our needs. Usually a good pick would be one of the following ports 21, 22, 23, 25, 80.

Other tools:

Nmap and Hping6 are tools that support TCP Sweep, both for the Unix platform.

An example with nmap:

[root@mia /root] ./nmap -sP -PT80 192.168.2.0/24

TCP probe port is 80

Starting nmap V. 2.2-BETA4 by Fyodor ([email protected], www.insecure.org/nmap/)

Host host1.MyDomain.com (192.168.2.0) appears to be up.

Host host2.MyDomain.com (192.168.2.1) appears to be up.

Host.host3.MyDomain.com (192.168.2.2) appears to be up.

Host host4.MyDomain.com (192.168.2.3) appears to be up.

Host host5.MyDomain.com (192.168.2.4) appears to be up.

Host host6.MyDomain.com (192.168.2.5) appears to be up.

...

Host host254.MyDomain.com (192.168.2.254) appears to be up.

Nmap run completed -- 32 IP addresses (13 hosts up) scanned in 12 seconds

5) UDP Sweeps/UDP Scans

This method relies on the ICMP PORT UNREACHABLE message, initiated by a closed UDP port.

If no ICMP PORT UNREACHABLE message is received after sending a UDP data gram to a UDP port that we wish to examine on a targeted system,

we may assume the port is opened.

UDP scanning is unreliable because:

• Routers can drop UDP packets as they cross the Internet.

• Many UDP services do not respond when correctly probed.

• Firewalls are usually configured to drop UDP packets.

• UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message.

(C) Determine What Services (If Any) Are Running Or In A Listening State

Ping Sweeps help us identify which systems are alive. Now we will determine the services running on the target system.

1) Port Scanning:

Now we will try to determine what services (if any) are running or in a LISTENING state on the targeted system, by connecting to the TCP and UDP ports of that system. This is called Port Scanning.

For the hacker it is critical to identify listening ports, because it helps him identify the operating system and application in use.

The services detected as listening may suffer from vulnerabilities which may result from two reasons:

* Mis-Configuration of the service

* The version of the software is known to have security flaws

If identified, these vulnerabilities can lead to unprivileged access gained by the attacker.

We will further discuss port scanning types, techniques, and tools.

a) Port Scanning Types:

* TCP connect() scan

With this type of scan we use the basic TCP connection establishment mechanism. To open a connection to an interesting port on the targeted machine:

* A SYN packet is sent to the target's system interesting port.

* Now we wait to see what type of packet is sent back from the target.

o If a SYN/ACK packet is received it usually means the port is in a LISTENING state.

o If a RST/ACK packet is received, it usually means the port is not LISTENING and the connection will RESET.

o We finish the three-way handshake (if SYN/ACK packet was received) by sending an ACK.

o A connection is terminated after the full connection establishment process has been completed.

This kind of scan is easily detected. Inspecting the target system log will show a number of connections and error messages immediately after each one of them was initiated.

* TCP SYN Scan

This is also called half open scanning. This type of scan differs from TCP connect () scan because we do not open a full TCP connection. You send a SYN packet to initiate the three-way handshake and wait for a response. If we receive an SYN/ACK it indicates the port is LISTENING. If we receive an RST/ACK it indicates a NON-LISTENING port.

If we do receive a SYN/ACK packet we immediately tear down the connection by sending a RESET.

Because the TCP three-way handshake was not completed some of the sites will probably not log these scanning attempts.

* Stealth Scan

Chris Klaus was one of the first people to write a paper about stealth scans. In a paper called "stealth scanning - Bypassing Firewalls/SATAN Detectors", he describes a technique which intentionally violates the TCP three-way handshake.

This technique is what people refer to today as "half-open" scanning.

Today, some people use the "stealth" term to mean NULL flags (no flags or code bits set).

"Stealth" can also be defined as a scanning technique family, doing one of the following:

o Pass through filtering rules.

o Not to be logged by the targeted system logging mechanisms.

o Try to hide themselves at the usual site / network traffic.

* Explicit Stealth Mapping Techniques

The frequently used explicit mapping techniques are:

o SYN/ACK scan.

This scan intentionally disregards the TCP three-way handshake. We send a SYN/ACK packet, which is step two in the TCP three-way handshake, while there is no SYN packet sent for step one.

Sending SYN/ACK packet to a closed port:

Because TCP is stateless, it knows no SYN has been sent, which is the first step in the three-way TCP handshake. TCP figures this packet must be a mistake and sends a RESET to tear down the connection. This is what we wished for any kind of response to give away the existence of the system and the fact that the probed port is closed.

If we send the SYN/ACK to an open port, it will ignore any such packet

o FIN:

The FIN scan uses the FIN packet as the probe. The hacker sends a FIN packet to a targeted port on a probed system and waits for a response.

o XMAS Tree

XMAS is a scanning type, which sends a TCP packet with the URG, ACK, PST, RST, SYN and FIN flags set. All the TCP flags are set.

o NULL

Null scan is a scanning type, which sends a TCP packet that turns off all flags. The probed system should send back a RESET to all closed ports.

According to RFC 793 this should work against every implementation of TCP regardless of the operating system it runs on. Life is not always simple. Windows, CISCO, BSDI, HP/UX, MVS & IRIX have a broken TCP implementation - they send RESETS to open ports as well.

* Inverse Mapping

A group of techniques, which gathers information about hosts or networks that, are unreachable. By having a clue about what is not there we make assumptions about where things are.

o RESET Scans

Routers will give away internal architecture information of a network, even if the question they were asked does not make any sense.

A router looks at the IP address and makes decisions based on that. The RESET, which is out of place, is not taken into any consideration. The router will report addresses that do not exist with host (or net) unreachable or time exceeded message.

o Domain Query Answers

The probing computer sends answers to domain questions that were never asked. The goal here is to get ICMP unreachable messages for a host or a subnet that do not exist.

* Proxy Scanning / FTP Bounce Scanning

The FTP protocol supports the following scenario:

Attacker.com connects to an FTP server, which has a world writable directory, and establishes a control communication connection. The attacker can then ask the FTP server to initiate an active server data transfer process and send a file anywhere on the Internet, presumably to a user data transfer process.

* TCP Reverse Ident Scanning

The ident protocol (RFC 141316) is used to determine the owner username of a particular TCP connection by communicating with port.

This involves opening a full TCP connection to the target machine port.

The scanning method gives the attacker information that helps determine which server to attack.

If a certain server is running as "root", and one of its services was compromised, attackers can gain instant root access. So it is more common that in a group of services that can be attacked, the services which are at the highest privilege will be attacked first.

b) Port Scanning Techniques

* Random Port Scan

Many commercial intrusion detection systems and firewalls are looking for sequential connection attempts. When the pattern is matched a port scan is reported.

Randomizing the sequence of ports probed may prevent detection.

* Slow Scan

Intrusion detection systems can determine if a specific IP tries to port scan the network they are defending. It is done by analyzing the network traffic over a certain amount of time.

The amount of time is called the site detection threshold.

Some hackers are very patient and can use network scanners that spread out the scan over a long period of time.

If the attacker can guess the detection threshold of its target, he can reduce the chances of detection to a minimum or even to no detection at all, as long as he doesn't include a signature with his packet that alerts the intrusion detection system in other way.

* Fragmentation Scanning

All IP packets that carry data can be fragmented.

If we need to send information using TCP and to fragment our data, normally the destination port and source port along with the flags field will be "travelling" at the first packet sent.

RFC 79117 defines the minimum and maximum sizes of fragments.

In the case of TCP the 8 octets of data (minimum fragment size) are enough to contain the source and destination port numbers. This will force the TCP flags field into the second fragment.

Some filtering devices and intrusion detection systems may incorrectly reassemble or completely miss portions of the scan. They may assume that this was just another segment of traffic that has already passed through their access list.

* Decoy

Some network scanners include options for Decoys or spoofed addresses in their attacks.

It would appear to the attacked network / host that the host(s) you specified as decoys are scanning them as well. This will drive intrusion detection systems into thinking that the target network is being port scanned by all the hosts, and determining who the real attacker is, will be nearly impossible.

One way that helped intrusion detection systems detect the decoy hosts in the past was the TTL (Time to Live) field values in the scanned packets. If all the incoming packets TTL values have the same value, it is likely that they were generated in the same "factory".

If the attacker is using nmap intrusion detection systems cannot use this method since nmap generates random TTL fields between 51-65.

* Coordinated Scans

Probing a few target systems from a single IP within a certain amount of time will usually turn on the alarm of the intrusion detection systems.

We have already discussed a way to try to bypass this - using slow scans. But even a slow scan can sometimes be detected.

When a group of attackers are working together to achieve a common goal, trying to get unauthorized access on a targeted network for example, we call this - coordinated attacks.

Coordinated attacks can be used to target a single host or even an entire network.

If multiple IPs probe a target network, each one of them probes for a certain service on a certain machine in a different time period, and therefore it would be nearly impossible to detect these scans.

When coordinated attack efforts are aimed at a certain host, the detection (if any at all) is dependent on the time period these probes take place.

Coordinated attacks, when intelligently launched, are the most discrete way of probing a target. Most of them are still undetected.

(D) Operating System Detection

Because many security holes are operating system dependent, identifying which operating system runs on the target host / machine is of major importance.

An attacker can scan a range of IPs for opened TCP and UDP ports and the operating system type. Then he can put the list aside for a while.

When a security hole that is operating system dependent is discovered, all the attacker has to do is pull the list and look for a matching information.

* Banner Grabbing

Some services can be used to identify an operating system. The TELNET service is the most notable example. If a system provides the TELNET service, just by telneting to the box and looking at the welcome banner we can, in most cases, identify the operating system:

[root@pooh] # telnet 192.168.1.13

Debian GNU/Linux 2.1 target.domain.com

target login:

Other services have banners that give the same information, for example the mail server:

220 target.domain.com ESMTP Sendmail 8.9.3/8.9.3/Debian/GNU; Thu, 28 Oct 1999 09:56:32 +0200

Today, an increasing number of systems keep their banners turned off or make their banners display forged information.

Some applications leak information. A good example is the SYST command on FTP servers and IIS server:

[root@pooh] # telnet 192.168.1.17

Get HTTP/1.1 400 Bad Request

Server: Microsoft-IIS/4.0

Date: Thu, 28 Oct 1999 08:29:46 GMT

Content-Type: text/html

Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>

* DNS HINFO Record

The Host information record is a pair of strings identifying the host's hardware type and the operating system.

www IN HINFO "Sparc Ultra 5" "Solaris 2.6"

This is an old technique that is rarely effective today because administrators avoid using this record.

* TCP/IP Stack Fingerprinting

Stack fingerprinting is a technique that uses distinct variations in TCP stack implementation to determine the type of a remote operating system.

The idea is to send "specific" TCP packets to the target IP and observe the response. The response will be unique to a certain group or individual operating system(s). The response varies because one vendor's IP stack implementation is not the same as another. This comes from different interpretation of specific RFC guidelines when vendors wrote their TCP/IP stack.

The tools often used for stack fingerprinting are Queso written by Savage, and Nmap. Nmap has a larger database of responses of operating systems than any other tool. In order to get maximum reliability, Nmap needs at least one port opened at the target host.

The definite information source of the subject is Fyodor's article "Remote OS Detection via TCP/IP Stack Fingerprinting".

o Types of Probes Used to Determine the Operating System Type

* The FIN Probe

A FIN packet is sent to an open port. RFC 793 states that the correct behavior is not to respond to the FIN packet.

Many stack implementations will respond with a RESET. This group includes:

Windows, BSDI, CISCO, HP-UX, MVS, and IRIX with a RESET.

* The Bogus Flag Probe

Here, a SYN packet with an undefined flag set is sent to the targeted host.

Machines running the Linux operating system with kernel prior to 2.0.35 will keep the flag set in their response.

Some operating systems will RESET the connection when getting this kind of probe.

* TCP Initial sequence number sampling

Finding patterns of the initial sequence numbers chosen by the TCP implementations when responding to a connection request.

We can divide the answers into four groups:

• Traditional 64k (older UNIXs)

• Random increment (FreeBSD, DG-UX, IRIX, new versions of Solaris)

• True "random" (Linux)

• Time dependent modules (MS Windows)

* "Don't Fragment Bit"

To enhance performance some operating systems set the "Don't fragment bit".

Monitoring this behavior can give the attacker more information about the targetoperating system.

* TCP Initial Window

Some stack implementations have a unique initial window size on their returned packets.

* ACK Value

In some cases IP stacks even differ in the value they use for the ACK field.

For example, sending a FIN|PSH|URG to a closed port. Most implementations will set the acknowledgement number in the returned packet to be the same as the sequence number received. Windows responds with an ACK field that is the sequence number+1.

* ICMP error Message Quenching

RFC 1812 25 suggests limiting the rate at which various error messages are sent.

Only a few operating systems are known to follow this RFC.

An attacker can use this to send UDP packets to a random, high UDP port and count the number of unreachable messages received within a given amount of time.

* ICMP Message Quoting

ICMP error messages should quote a small amount of information from the ICMP message that caused the error.

The information is quoted when the PORTUNREACHABLE message is received in the IP header + 8 bytes, with almost all the implementations. Solaris sends more information than is needed and Linux even more.

* ICMP Error Message Echoing Integrity

When sending back an ICMP error message, some stack implementations may alter the IP header.

If an attacker examines the types of alternation that have been made to the headers, he may be able to make certain assumptions about the target operating system.

* Type of Service (TOS)

When an ICMP PORT UNREACHABLE message is sent, an attacker can examine the type of service field.

Nearly all implementations use 0 for this value, Linux uses 0xC0.

* Fragmentation Handling

Different stack implementations handle overlapping fragments differently. This was pointed out by Thomas Ptacek and Tim Newsham in their paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection".

Some implementations will either overwrite the old data portions with the new data or vice versa, when the fragments are reassembled.

* TCP Options

RFC 793 defines the TCP options. RFC 1323 26 defines the more advanced TCP options.

• Not all hosts implement TCP options

• When sending a query with an option set to a targeted host, the target host will set the option in the reply only if it supports it.

• We can test all the options at the same time if we send one packet that includes all the options.

When you examine the response packet, you look at the Options field for Options that were set. These are the supported options.

Some operating systems support all the advanced options while others support very few.

(E) Firewalking:

Firewalking is a technique used to gather information about a remote network protected by a firewall.

The technique is being used for two purposes:

* Determining the rule set or ACL of a firewall or other packet-filtering device (mapping open ports on a firewall).

* Mapping a network behind a firewall. When a firewall's policy is to drop ICMP ECHO Request/reply this technique is very effective.

How does Firewalking work?

It is using a trace route-like packet filtering to determine whether or not a particular packet can pass through a packet-filtering device.

Since trace route is dependent on the IP layer (TTL field), any transport protocol can be used the same way (TCP, UDP, and ICMP).

For Firewalking we need two pieces of information in advance:

* The IP address of the last known gateway before the firewalking takes place

* The IP address of a host located behind the firewall.

The first IP address serves as our waypoint. The second IP address is used as a destination to direct the packet flow.

If we try to trace route the machine behind a firewall and get blocked by an ACL filter that prohibits the probe, we can only determine what the last gateway which responded was probably the firewall. The firewall then becomes a waypoint for further investigations. We try again to traceroute the same machine, this time we use a different traceroute- like probe using a different transport protocol. If we get a response we can conclude the following:

* That particular traffic is allowed by the firewall

* We know a host behind the firewall

If we are continuously kept blocked by the ACL filters at out waypoint, we know that this kind of traffic is blocked.

Trying to pass packets on all ports and protocols through the firewall and monitor the response, will produce the ACL.

Sending packets to every host behind the packet-filtering device can generate an accurate map of a network's topology.

. (http://gaia.ecs.csus.edu/~ghansahi/classes/notes/196n_at_def_notes/lectures/wk02.ppt [accessed 18 November 2005])

2. (http://www.informit.com/index.asp [accessed 18 November 2005])

3. (http://www.dirc.org.uk/publications/techreports/papers/5.pdf. [accessed 18 November 2005])

4. (http://www.auditmypc.com/freescan/readingroom/port_scanning.asp [accessed 18 November 2005])

5. (http://www.oreilly.com/catalog/networksa/chapter/ch04.pdf. [accessed 18 November 2005])

Enumeration

Introduction:

"From the results of port scanning, we gain a list of open ports on the target machines. An open port does not entirely indicate what listening service may be active. Ports below 1024 have been assigned to various services and if these are found open, they generally indicate the assigned service. Additionally, other applications have been run on certain ports for so long that they have become the de facto standard, such as port 65301 for pcAnywhere and 26000 for Quake. Of course system administrators can change the port a service runs on in an attempt to "hide it" (an example of security through obscurity). Therefore, we attempt to connect to the open port and grab a banner to verify the service running.

Knowing which applications the target hosts are running goes a long way toward performing vulnerability analysis. Just as with knowing the OS, we can run the list of applications through the Internet and find a list of known vulnerabilities and exploits for these applications-again, often from the vendors themselves.

Application enumeration also involves banner grabbing. Several applications (including telnet, FTP, HTTP, SNMP, and a host of others) identify themselves and their version in their user name/password challenge screen. This information is called a banner and is very helpful in identifying running applications. We generally record any banners we come across during our penetration testing. This can be done with many applications, including NetCat, which runs on either the UNIX or Windows command line i.e. Telnet"

(http://ginger.cs.uwp.edu/Classes/Cs490/notes/Hacking1.doc [accessed 18 November 2005])

Definitions:

"The third phase is the process of identifying user accounts and poorly protected computing resources. During the enumeration stage, the hacker connects to computers in the target network and pokes around these systems to gain more information. While the scanning phase might be compared to a knock on the door or a turn of the doorknob to see if it is locked, enumeration could be compared to entering an office and rifling through a file cabinet or desk drawer for information. It is definitely more intrusive."

(http://www.bookrags.com/subscribe/choice.php?u=hacking-csci-03&catdir=sciences [accessed 19 November 2005])

"Network enumeration is the final step after network foot printing and network scanning. Network Enumeration is the exploit used by network intruders to discover the devices on a network. Network intruders and attackers tend to use unconcealed discovery protocols such as ICMP and SNMP to gather information, they may also scan various ports on remote hosts or severs in an attempt to further identifications of a remote host."

(http://www.sbi-secureit.com/network-security-enumeration-solution.htm [accessed 19 November 2005])

What Is Banner Grabbing?

One of the oldest techniques used to identify a remote operating system is "banner grabbing", which consists in opening a connection to a remote application daemon and determining the operating system by examining the responses received from applications like telnet or ftp.

Tools that use this technique span from scanners like Hackbot and ScanSSH to ad-hoc scripts aimed at particular application services. Hackbot is a banner grabber that can scan for ftp, mail, ssh banner and DNS version, can perform whois lookup and various types of web scanning including Nimda and "path revealing NT problems". ScanSSH is a scanner that probes SSH servers and classifies them according to their advertised version number.

Banner grabbing is simply defined as connecting to remote applications and observing the output which is surprisingly informative to remote hackers. At the very least, a hacker may have identified the make and model of the running service.

Banner grabbing normally occurs at the application level. The hacker remotely connects to an application via telnet or NetCat, presses Enter a few times, and observes the platform-specific information that comes back. Telnet Ports 80 (web), 25 (mail), or 21 (FTP) with any domain name, and you get all sorts of banner information. Security administrators can make security warnings appear on banners. Registry grabbing requires a dump utility and a null session connection, with the hacker using some data mining software to search through all the Registry entries for any juicy information like the Sam Spade product does. (McClure.S et al, 2001)

Manual Tools: Telnet, NetCat

Telnet and NetCat are the tried and true manual mechanism for enumerating banners and application information. Telnet is a remote communications tool built in to most operating systems. NetCat, called the "Swiss army knife," is noted for its elegant flexibility.

* Telnet:

Start up a telnet application to ports in turn:

C:\>telnet<IP_addr> <port_nr>

C:\>telnet10.10.0.1 80

HTTP/1.0 400 Bad Request

Server: Netscape-Commerce/1.12

Your browser sent a non-HTTP compliant message.

* NetCat: Linux command-line tool also known as nc for service enumeration of the target machine. If during scanning you saw any http or telnet services on the target, you can use NetCat for banner grabbing. Banner grabbing is used to remotely connect to the target host to obtain platform-specific information (e.g. what operating system an http or telnet server runs on) and configurations of the service (e.g. version number). Create a summary of that you have found out about the available services.

C:\> nc -v www.corleone.com 80

<enter>

OR

C:\> nc -n 10.10.0.1 80

<enter>

Countermeasures: Banner-Grabbing

* The best defence is to shut down unnecessary services.

* Restrict access to services using network access control

* For services that are business critical and can't be turned off, find the correct way to disable the presentation of the vendor and version in the banners

* Audit network regularly with port scans and raw NetCat connects to active ports

* Changing the banner is difficult but possible

* Eliminate any entry points: e.g., default passwords

Auditing Checks:

* Be careful of false positives and false negatives!

* Slow responses can result in wrong conclusion

* Banners may not reflect all patches

* Vulnerabilities may be eligible only if combined with a particular version of OS

* Vulnerability tests can have bugs

* A vulnerability may exist - but the context may not exist for the application

* Specific network h/w may impact test (e.g., load balancing, firewall proxies)

Therefore:

* Use two tools to test!

* Determine if vulnerability exist in context of OS, applications, etc.

* Treat information as confidential.

* Network enumeration is the information obtained: network resources and shares, user logins including generic installation (out of the box) hardware and software vendor user IDs, IDs and their groups, and applications and banners. The steps to consider are:

o Identify the domain name, IP address range and other critical information. Ordinarily, the "who is" query is used, which typically provides the address of the target network (i.e., domain name servers and IP address mapping), administrative contact and billing contact. The individual executing the "who is" query should provide reasonable assurance that all listings are obtained, and not just the first 50 items, which may require grouping the names into plurals or modified organization names.

o Identify IP address ranges that may be owned by the organization. This is typically done by querying Internet number registries such as ARIN, RIP, APNIC and LACNIC.

o Identify external e-mail servers by gathering MX record information from DNS servers.

o Attempt a zone transfer between all systems identified as a DNS server (including back-up servers) to obtain the network IP listing and the machine host names. A zone transfer requests the complete list of matched IP addresses and host names stored within a DNS for a specified domain. In addition, the "nslookup," which is supported by both the UNIX and Windows platforms, may also be used to perform a zone transfer using a DNS server that is authoritative for the domain of interest. In addition, the machine's host names may indicate its purpose (i.e., mail server and firewall), which is one more critical piece of information. Recent technologies prevent the ability to perform a zone transfer without the initiating device.

o Determine whether the organization has outsourced its domain name function to an Internet service provider (ISP). In cases where this function is outsourced, it is recommended that the terms of the penetration test clearly state whether the hosted system is within the scope of the engagement.

o Notify network staff that a penetration test may be underway because zone transfer can be detected.

o Use ICMP (ping) or TCP ping (with a full or half TCP handshake) sweeps to determine which machines for IP addresses are "up" or "live." Though this step may provide critical information regarding which devices are active, there is likelihood that perimeter security devices or firewalls may drop the ICMP traffic to the host. It may be filtered and dropped with a response indicating the device is down, when it is not. It is recommended that randomizing the order of the IP addresses being pinged helps avoid detection, as does varying the NMAP. NMAP is a popular tool used for UNIX-based systems and Pinger, and Ws PingPro Pack are used in Windows-based environments for performing Ping sweeps.

o Use the trace route method to identify the paths from the Ping packets to the destination target. The routes can then be traced to the destination live hosts, detected using the Ping sweeps to derive an estimated map of the organization's architecture topology. The two commonly used tools are tracer route and tracert, available for both UNIX and Windows-based operating systems. The purpose of this method is to identify the common and uncommon "hops" prior to reaching the destination targets, which could represent such things as firewalls, filtering routers or other gateways, load-balancing devices, or web redirectors. It is not uncommon for network segments to have multiple connections to the Internet-unknown to the network group. However, these uncommon paths can lead to network compromises, if uncontrolled.

o Send "bogus" e-mail messages to domains owned by the organization in an attempt to receive a returned e-mail. Review the header of returned e-mails to determine possible network paths.

* To perform a vulnerability analysis:

o Assess possible methods of attacks based on identification of vulnerabilities. To do this, identified machines within the target network are examined to identify all open ports, the operating systems (OS), the applications and their hosts (including version number, patch level and/or service pack). In addition, this information is compared with Internet vulnerability databases to ascertain what current vulnerabilities and exploits may be applicable to the target network.

o Identify the type of OS employed by target hosts. For those target hosts identified in the network enumeration phase, the NMAP tool can be used to identify the type of OS employed. The type of OS employed is critical in predicting the types of service available and then to tailor the targeted analysis of service rendered through that port, which, when executed, will determine if specific vulnerabilities exist. In conjunction with this step is the need to obtain a current list of vulnerabilities for the OS employed by searching the OS vendor's web site and vulnerability databases to obtain details of these vulnerabilities.

o Obtain permission to execute a port scan for those destination target hosts that are "live." A port scan may be needed on all possible ports (1-65535), if the security group is aware of the penetration testing. The list of ports should include applications that have known vulnerabilities. Ports examined should relate to weaknesses, vulnerabilities or information gathering. For example, the ports for file transfer protocol (FTP), Telnet, and Real Secure (ports 21, 23 and 2998) are often selected to attempt to exploit vulnerabilities. NMAP is the standard tool and can be programmed to execute a port scan for those destination target hosts that are "live" (from a port scan). Port scanning is clearly unethical without the express permission of the port owner. Port scanning, as with many other vulnerability tests, is a technique that may be employed by hackers, and should alarm the security group of a potential attempted penetration.

o Perform an application enumeration to identify assigned services (applications) of ports. In addition to the port scan, the specific identification of assigned services (applications) to a port is known as application enumeration. Knowing which applications the target hosts are running goes a long way toward performing a vulnerability analysis. Ordinarily, the applications are run through the Internet. Find a list of known vulnerabilities and exploits for these applications, which often comes from the vendors themselves and vulnerability databases. Application enumeration also involves banner grabbing, which may be helpful in identifying running applications. This can be done with many applications, including NetCat, which runs from either the UNIX or Windows command line; Telnet; and What's Running, a Windows GUI tool. Examples of common sources of information about system and application software vulnerabilities and exploits are Bugtraq lists, Packetstorm and SecurityFocus.

o Run commercial or open source network vulnerability assessment tools to verify results. Popular tools include Nessus, ISS Internet Scanner, Foundstone's FoundScan, eEye's Retina Scanner and GFI's LANguard.

* Exploit vulnerabilities identified in the vulnerability analysis to attempt to gain root or administrator-level access to the target systems or other trusted user account access as follows:

o Document all relevant information upon access to the command line of a targeted system, via the access points identified in the vulnerability analysis, including the host and directory or share name to which access was gained; the host from which access was gained; date, time and the level of access; and finally the security hole(s) that were exploited to gain access.

o Launch attacks against other systems on the network from the host that was compromised. If possible, a tool kit is installed on the exploited hosts that are tailored to the operating system of the other targeted machines to ascertain their vulnerabilities. The tool kit may include NetCat, password crackers, remote control software, sniffers and discovery tools, which can be executed from the command line.

o Notify the organization if the access level is achieved, allowing installation of critical viruses that could result in consequential system outage. (McClure.S et al, 2001)

Null Sessions:

Windows NT/2000 has a serious Achilles heel in its default reliance on CIFS/SMB and NetBIOS. The CIFS/SMB and NetBIOS standards include APIs that return rich information about a machine via TCP port 139-even to unauthenticated users. The first step in accessing these APIs remotely is creating just such an unauthenticated connection to an NT/2000 system by using the so-called "null session" command, assuming TCP port 139 is shown listening by a previous port scan:

net use \\192.168.202.33\IPC$ "" /u:""

The preceding syntax connects to the hidden interprocess communications "share" (IPC$) at IP address 192.168.202.33 as the built-in anonymous user (/u:"") with a null ("") password. If successful, the attacker now has an open channel over which to attempt all the various techniques outlined in this chapter to pillage as much information as possible from the target: network information, shares, users, groups, Registry keys, and so on.

Null Session Countermeasure:

Null sessions require access to TCP 139, so the most prudent way to stop them is to filter the NetBIOS-related TCP and UDP ports 135 through 139 at all perimeter network access devices.

You could also disable NetBIOS over TCP/IP on individual NT hosts by unbinding WINS Client (TCP/IP) from the appropriate interface using the Network Control Panel's Bindings tab. Under 2000, this is more easily accomplished via the appropriate Network Connection applet, Advanced TCP/IP Settings, WINStab: Disable NetBIOS Over TCP/IP.

Following NT Service Pack 3, Microsoft provided a mechanism to prevent enumeration of sensitive information over null sessions without the radical surgery of disabling NetBIOS over TCP/IP (although we still recommend doing that unless NetBIOS services are necessary). It's called RestrictAnonymous, after the Registry key that bears that name:

. Open regedt32, and navigate to HKLM\SYSTEM\CurrentControlSet\Control\LSA.

2. Choose Edit | Add Value and enter the following data:

Value Name: RestrictAnonymous

Data Type: REG_DWORD

Value: 1 (or 2 on Win2000)

3. Exit the Registry Editor and restart the computer for the change to take effect.

NetBIOS Enumeration

The tools and techniques for peering along the NetBIOS wire are readily available most are built into the OS itself.

Enumerating NT/2000 Domains with net view The net view command is a great example of a built-in enumeration tool. It is an extraordinarily simple NT/2000 command-line utility that will list domains available on the network and then lay bare all machines in a domain.

Here's how to enumerate domains on the network using net view:

C:\>net view /domain

Domain

----------------------------------------------------------------- --------------

CORLEONE

BARZINI_DOMAIN

TATAGGLIA_DOMAIN

BRAZZI

The command completed successfully.

The next command will list computers in a particular domain:

C:\>net view /domain:corleone

Server Name Remark

----------------------------------------------------------------- --------------

\\VITO Make him an offer he can't refuse

\\MICHAEL Nothing personal

\\SONNY Badda bing badda boom

\\FREDO I'm smart

\\CONNIE Don't forget the cannoli

Dumping the NetBIOS Name Table with nbtstat and nbtscan Another great built-in tool is nbtstat, which calls up the NetBIOS Name Table from a remote system. The Name Table contains great information, as seen in the following example:

C:\>nbtstat -A 192.168.202.33

NetBIOS Remote Machine Name Table

Name Type Status

---------------------------------------------

SERVR9 <00> UNIQUE Registered

SERVR9 <20> UNIQUE Registered

9DOMAN <00> GROUP Registered

9DOMAN <1E> GROUP Registered

SERVR9 <03> UNIQUE Registered

INet~Services <1C> GROUP Registered

IS~SERVR9......<00> UNIQUE Registered

9DOMAN <1D> UNIQUE Registered

..__MSBROWSE__.<01> GROUP Registered

ADMINISTRATOR <03> UNIQUE Registered

MAC Address = 00-A0-CC-57-8C-8A

NetBIOS Enumeration Countermeasures

Nearly all of the preceding techniques operate over the NetBIOS transports discussed so frequently by this point, so by denying access to TCP and UDP 135 through 139, none of these activities will be successful. The best way to do this is by blocking access to these ports using a router, firewall, or other network gatekeeper. This will prevent sensitive information from being downloaded over an anonymous connection.

NT/2000 SNMP Enumeration

Even if you have tightly secured access to NetBIOS services, your NT/2000 systems may still cough up similar information if they are running the Simple Network Management Protocol (SNMP) agent accessible via default community strings like "public." EnumeratingNTusers viaSNMPis a cakewalk using theNTRKsnmputilSNMPbrowser:

C:\>snmputil walk 192.168.202.33 public .1.3.6.1.4.1.77.1.2.25

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.

lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.

71.117.101.115.116

Value = OCTET STRING - Guest

Variable = .iso.org.dod.internet.private.enterprises.lanmanager.

lanmgr-2.server. svUserTable.svUserEntry.svUserName.13.

65.100.109.105.110.105.115.116.114.97.116.111.114

Value = OCTET STRING - Administrator

End of MIB subtree.

The last variable in the preceding snmputil syntax".1.3.6.1.4.1.77.1.2.25" is the object identifier (OID) that specifies a specific branch of the Microsoft enterprise Management Information Base (MIB), as defined in the SNMP protocol.

DNS Zone Transfers

One of the primary sources of footprinting information is the

Domain Name System (DNS), the Internet standard protocol for matching host IP addresses with human-friendly names like amazon.com. Since Windows 2000 Active Directory namespace is based on DNS, Microsoft has completely upgraded Win 2000's DNS server implementation to accommodate the needs of AD and vice versa.

Thus, a simple zone transfer (nslookup, ls -d <domainname>) can enumerate a lot of interesting network information, as shown in the following sample zone transfer run against the domain "labfarce.org" (edited for brevity and line-wrapped for legibility).

D:\Toolbox>nslookup

Default Server: corp-dc.labfarce.org

Address: 192.168.234.110

> ls -d labfarce.org

[[192.168.234.110]]

labfarce.org. SOA corp-dc.labfarce.org admin.

labfarce.org. A 192.168.234.110

labfarce.org. NS corp-dc.labfarce.org

ldap._tcp SRV priority=0, weight=100, port=389, corp-dc.labfarce.org

Per RFC 2052, the format for SRV records is

Service.Proto.Name TTL Class SRV Priority Weight Port Target

Some very simple observations an attacker could take from this file would be the location of the domain's Global Catalog service (_gc._tcp), domain controllers using Kerberos authentication (_kerberos._tcp), LDAP servers (_ldap._tcp), and their associated port numbers (only TCP incarnations are shown here).

Enumerating Users via NetBIOS

The enum tool from Bindview's Razor team automates null session

setup and extracts all of the most useful information that an attacker could desire. The following example has been edited for brevity to show some of the most dangerous leaks:

D:\Toolbox>enum -U -d -P -L -c 172.16.41.10

server: 172.16.41.10

setting up session... success.

password policy:

min length: none

lockout threshold: none

opening lsa policy... success.

names:

netbios: LABFARCE.COM

domain: LABFARCE.COM

trusted domains:

SYSOPS

PDC: CORP-DC

netlogon done by a PDC server

getting user list (pass 1, index 0)... success, got 11.

UNIX ENUMERATION:

Most modern UNIX implementations rely on standard TCP/IP networking features and are thus not as prone to giving up information as freely as NT does via its legacy NetBIOS interfaces or as NetWare does over its proprietary mechanisms. Of course, this does not mean that UNIX isn't vulnerable to enumeration techniques, but just what techniques will yield the most results depends on how the system is configured. For example, Remote Procedure Call (RPC), Network Information System (NIS), and Network File System (NFS) still enjoy widespread deployment and have all been targeted by attackers over the years. (McClure.S et al, 2001)

Preventive measure used to defend against footprinting, scanning and enumeration.

By G.C. Eric Brumfield "Security Systems Protective Measures Against Hackers" Available:

(http://www.abanet.org/genpractice/magazine/tpg/brumfiel.html [accessed 20 November 2005])

After accomplishing the great task of installing a network security system, there is yet another concern that demands close attention:

* The ability to manage network security systems effectively so that hackers do not break through security walls and create nightmares for us all. Hacker is more than just a word to many. For some it's, a career, and for others it is like a vampire in the night waiting to suck the blood and money from the life of a company. Most organizations in business today have been the victim of hackers at one time or another. Part of the reason is that hackers come in many shapes and sizes. They can be as small and as brilliant as the adolescent genius that lives next door-the kid that spends his time solving puzzles and breaking passwords on his PC in the basement, instead of playing with the boring computer-illiterate kids in the neighborhood. Or hackers can be as dangerous as the professionals, known as "Black Hats," computer criminals who make a living by breaking into unsuspecting computer systems and selling, destroying or manipulating data or information they poach.

* How can businesses protect their investments with criminals waiting for the perfect opportunity to penetrate security systems? There are many security measures that can be taken. Some are very small steps, and others involve financial investments.

One major step that organizations can take is to eliminate use of the Internet on the job. It is common knowledge that Internet access and a modem are key sources of entry into an organization's computer system. And every organization has its workaholics-you know, people who are so dedicated to work that they have to take some of it home with them. Then they remotely access the server at the office to make modifications to their critical projects. If the fire walls of our network security systems allow people with just average computer literacy to enter, then what opportunities for intrusion exist for the "Black Hats" of the world. Just a simple password can create a virtual playground for the professional hacker.

Internal Measures

Companies must first take proactive measures from within. Initial steps should be blocking the curious onlooker or the average computer hacker. This would basically protect documents within the system from internal onlookers, but it will not protect them from that experienced hacker outside, looking in. Measures might include password protection, masking and information-change detection. Getting into the habit of changing passwords regularly is a wise thing to do.

It's recommended that companies change user passwords at least once a quarter. Masking techniques include disguising files inside the computer, or hiding ranges of information inside a file to make information appear unreadable or invisible. Change-detection techniques include audit trails such as byte count and formula difference locators. There are many security programs available in today's marketplace that address spreadsheet and word-processing techniques, operating systems security, database protection, and general safeguards and Internet security, to name just a few. Depending on your business, any one or all of these programs would benefit to the protection of data or information within your systems. Companies that implement such internal protective measures move one step closer to preventing incidents like the Bernard Mayles case in 1991. Bernard stole drug-processing information from his then-employer pharmaceuticals giant Merck & Co, and tried to peddle it to an Eastern European company. That company's agent turned out to have a different employer: the FBI. Mayles was sentenced to nine years in prison.

External Measures

As companies move toward decentralized networks of personal computers and away from centralized, easily protected mainframes, they become more vulnerable to hacking. In an effort to make businesses more user-friendly, we are inevitably making them more hacker-friendly as well.

There is also the "denial of service" attack, in which a hacker tricks a computer so that it shuts down or is so busy with bogus requests that it can't handle legitimate ones. In March, a series of "denial of service" attacks crippled hundreds of systems, including computers owned by NASA and other government agencies, various academic institutions, Microsoft Corporation and other commercial institutions. Last year a virus shut down computers for two days at National City Corporation, a Cleveland bank. The bank spent at least $400,000 to correct the virus rewiring during the attack to activate backup computers.

In a survey conducted last year by Information Week and Ernst & Young of New York, 40 percent of respondents reported losses of up to $100,000 from macro viruses; nearly half (47 percent) reported losses of up to $100,000 due to other types of viruses.

One very common preventive measure that companies are using is to hire outside organizations to strengthen their network security systems. The organizations conduct a series of diagnostic tests from outside, to see how easy it is to crack the firewalls of the target organization-with the permission of the organization. This adds a new twist, paying someone to hack systems to discover the weaknesses.

Symptoms:

How can you tell whether your computer or network has been hacked? Some telltale signs:

* Files unexpectedly disappear or are modified

* Files unexpectedly appear or grow in size

* An unexplained decrease in hard drive space availability

* Sudden computer or network performance changes

* Frequent crashes

* Strange messages or dialog boxes appear on the desktop

Preventative measures are the first steps towards safeguarding your system and network. Here are some important measures to take:

* Implement a firewall. A firewall is a blockade that keeps intruders away from networks. Firewalls intercept and analyze traffic, allowing only authorized data to pass through.

* Develop a detailed IT security policy. Create a security policy that details company practices to secure the network. Make sure all employees are aware of the policy.

* Change passwords. Your security policy should direct employees to create unique passwords. Make sure to change default passwords as soon as possible. Use complex passwords and make sure to change them on a regular basis.

* Install antivirus software. All computers on your network should be running the most recent version of an anti-virus program. The server should be configured to regularly push virus updates to all connected systems.

* Keep patch levels up-to-date. Update your operating system and stay on top of patch levels. Maintaining the most recent versions of software and operating systems will help you block hackers from getting through.

* Turn off unnecessary network services. Non-essential features, because they are not actively used, are less likely to be updated regularly. These features could present potential security holes. Disable features you know aren't necessary. By limiting the network and excluding non-essential services, you can reduce security risks.

* Use an intrusion detection system. Intrusion detection systems monitor and analyze network traffic. IDS programs alert you when an attack has occurred or is being attempted. If an attack is detected, an IDS blocks the attack and provides you with information on how to eliminate the problem.

* Run minimal services. Ensure machines run minimal services - particularly servers

* Updating software. Run the most up-to-date versions with patches installed

* Restrict access to services (data, configuration files) based on need

* Minimize service banners and display warnings against trespassing

* Collect and monitor logs via remote server (login attempts, changes in permissions, accounts, or log/audit settings, file/printer accesses, etc.)

* Ensure remote administration uses strong authentication and encryption controls

* Use file integrity checking tools

* Partition services and hardware in network to maximize security!

(http://www.symantec.com/small_business/library/hackers_attack.html [accessed 20 November 2005])

* First of all never keep your organization's computer network secrete i.e. don't expose or claim in public or on cyber world that your network is impossible to be backed. As we know every network has flaws and backdoors for hackers so by saying this that nobody can hack your network is simply inviting hackers to start struggling on your network for hacking and hackers will take it as a challenge and will start work on hacking your network.

* Try to give less access to people in your organizations as much as possible coz this is true phrase that don't trust anybody. Try to give the access to some people to whom you can fully trust over. If you give access to more people than this mean that you are make ease for Social engineers for hacking more information about your network.

* Always keep the basics protecting software on your network like antivirus and firewall etc and also keep them updated for new virus definitions all the time but best is to update it daily.

* Try to do your own work and don't interfere in others work. Always practice the principle of "Mind your own business". Never make people your enemies or too many close friends. Try as far as possible to avoid inviting any unwanted troubles.

* Hire experts of networking and programming but it will be better if you hire some professional hackers to take a complete look of your network and identify your loopholes and accordingly fix them on time before any hacking attempts occur.

* Preventing thieves

o Banks can impose a limit of a maximum of a £5000 online withdrawal limit to minimize the damage of a company in the case of any hacking attempts on their online money withdrawal services.

o Avoid making super user account as much as possible but even though if you make one than don't give anybody to the access to it. Try to you use the super user account by yourself only. Normal activities should be done in normal accounts and avoid it in super user accounts. It is true especially on UNIX systems.

o Do monthly audits of accounts to check any discrepancies so that the owner of the account can be informed. For more security, audits can be done at more regular intervals.

* Thwarting social engineers

o Ensure that all personnel are given a basic course on computer security. Ignorance is a real weakness here.

o If possible, try to use automatic protection systems such as biometric devices instead of humans for security. Unlike humans, these systems can't be talked into doing something.

o No one should give anyone any password prior to verifying that the other person is an employee of the company. Too often, social engineers pretend to be an employee working in some obscure department of a large company and can deceive real employees to revealing passwords.

* Detecting impersonators

o Always log the IP (Internet Protocol) addresses of those who log in as administrators in your network. If any IP does not belong in your network, cut him from the network or report it to the authorities.

* Prevent Deliberate Data Destruction (DDD)

o Regular backups: Ensure that your system administrator performs regular backups of your system on tape drives so lost data can be retrieved anytime a problem crops up.

o Never store very important data for public consumption if it is not absolutely necessary.

(http://library.thinkquest.org/04oct/00460/deterIntrusion.html#jump [accessed 20 November 2005])

Conclusion

Network security is one of the most important issue now a days and for this reason its important to understand the "HOWS" of hacking i.e. how hacking can affect you and over all process of your organization, how hackers hack and how you can prevent hackers from gaining access to your system. Now is the time to preventative measures to reduce the chances of a successful attack.

We have been go through some network security issues and discussed some network security techniques which are used in today's cyber world for hacking of different organizations network. We discuss three steps of network hacking and also the different tools and the use of tools for collecting confidential information and data about an organization.

Firstly we discuss footprinting which is the first step in hacking a network. In footprinting a hacker start gathering as much information as he can in order to attack and obtain a complete profile of an organization's security posture. This information mostly consists of the location of the company, phone numbers, employs names, security policies and overall layout of the target network.

Than we discuss scanning which is the second step towards hacking a network. During scanning our aim is to know which systems are alive and reachable via the internet and what services they offer using techniques such as ping sweeps, port scans, and operating system identification.

Finally moving towards the last and important step that is enumeration in which hackers discover the devices on a network. Attackers tend to use unconcealed discovery protocols such as ICMP and SNMP to gather information, they may also scan various ports on remote hosts or servers in an attempt to further identifications of a remote host.

My recommendation is to take the basic preventative measures like taking backup in regular intervals, keep your software updated, put firewall and antivirus software on your network and keep them updated daily, obey the principle of "Don't trust anyone" but only some people. Keep the things simple and avoid the things which invite the hackers to hack your network.

Taking organizations and test there network with different software:

) http://www.apniisp.com (Portal website in Pakistan)

Results we got using Sam Spad:

Ping:

WHOIS:

1/21/02 22:48:10 whois http://www.apniisp.com

.com is a domain of USA & International Commercial

Searches for .com can be run at http://www.crsnic.net/

whois -h whois.crsnic.net apniisp.com ...

Redirecting to ENOM, INC.

whois -h whois.enom.com apniisp.com ...

Registration Service Provided By: Apniisp.Com

Contact: [email protected]

Domain name: apniisp.com

Registrant Contact:

ApniISP.Com

Salman Mehmood ([email protected])

+92.03009280848

Fax: +92.0000000

9/1, Zainab MAnzil, Hurmusji Street,

Gari Khata, Arambagh,

Karachi, SINDH 74200

PK

Administrative Contact:

ApniISP.Com

Salman Mehmood ([email protected])

+92.03009280848

Fax: +92.0000000

9/1, Zainab MAnzil, Hurmusji Street,

Gari Khata, Arambagh,

Karachi, SINDH 74200

PK

Technical Contact:

ApniISP.Com

Salman Mehmood ([email protected])

+92.03009280848

Fax: +92.0000000

9/1, Zainab MAnzil, Hurmusji Street,

Gari Khata, Arambagh,

Karachi, SINDH 74200

PK

Status: Locked

Name Servers:

ns1.apniisp.com

ns2.apniisp.com

Results: As we see from whois I got the name of administrator, his phone number, location i.e. address

IP Block:

1/21/02 22:54:20 Input

1/21/02 22:54:12 IP block 69.25.0.0

Trying 69.25.0.0 at ARIN

Trying 69.25.0 at ARIN

Internap Network Services PNAP-12-2002 (NET-69-25-0-0-1)

69.25.0.0 - 69.25.255.255

Internap Network Services PNAP-MIA003-INAP-BB-1 (NET-69-25-0-0-2)

69.25.0.0 - 69.25.1.255

# ARIN WHOIS database, last updated 2005-11-20 19:10

# Enter ? for additional hints on searching ARIN's WHOIS database.

Here I got the range of IP Addresses i.e. 69.25.0.0 - 69.25.255.255

Traceroute:

Info from its source code:

1/21/02 23:03:08 browsing http://www.apniisp.com/

Fetching http://www.apniisp.com/ ...

GET / HTTP/1.1

Host: www.apniisp.com

Connection: close

User-Agent: Sam Spade 1.14

HTTP/1.1 301 Moved Permanently



Date: Mon, 21 Nov 2005 23:03:11 GMT

Content-Type: text/html; charset=iso-8859-1

Connection: close

Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7c

Location: http://www.apniisp.com/beta

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<HTML><HEAD>

<TITLE>301 Moved Permanently</TITLE>

</HEAD><BODY>

<H1>Moved Permanently</H1>

The document has moved <A HREF="http://www.apniisp.com/beta">here</A>.<P>

<HR>

<ADDRESS>Apache/1.3.33 Server at www.apniisp.com Port 80</ADDRESS>

</BODY></HTML>

Result: It gives me information about the web server i.e. Apache the scripting language is PHP and its version is 4.3.10

Now after having the IP Block we will scan the website through Super Scan for its Domain Names:

We got following results from Super Scan

IP

69.25.254.10

Hostname

ns1.eregal.com

UDP Ports (1)

53

Domain Name Server

UDP Port

Banner

53

Domain Name Server

BIND version:

9.2.

IP

69.25.64.76

Hostname

[Unknown]

Netbios Name

TARJIM20

Workgroup/Domain

TARJIM

UDP Ports (1)

37

NETBIOS Name Service

UDP Port

Banner

37

NETBIOS Name Service

MAC Address: 00:06:5B:19:92:5A

NIC Vendor : Unknown

Netbios Name Table (4 names)

TARJIM20 00 UNIQUE Workstation service name

TARJIM20 20 UNIQUE Server services name

TARJIM 00 GROUP Workstation service name

TARJIM 1E GROUP Group name

IP

69.25.31.102

Hostname

[Unknown]

UDP Ports (1)

23

Network Time Protocol

UDP Port

Banner

IP

69.25.10.111

Hostname

exchange7-field7.net

UDP Ports (1)

53

Domain Name Server

UDP Port

Banner

53

Domain Name Server

BIND version:

8.3.

IP

69.25.59.141

Hostname

holder.userdns.com

UDP Ports (1)

53

Domain Name Server

UDP Port

Banner

53

Domain Name Server

BIND version:

9.2.

Total hosts discovered

942

Total open TCP ports

0

Total open UDP ports

287

2)

http://www.mobilinkgsm.com (mobile company in Pakistan)

Results I got using software Sam Spad:

Ping:

WHOIS:

1/22/02 00:50:00 whois www.mobilink.net

.net is a domain of Network services

Searches for .net can be run at http://www.crsnic.net/

whois -h whois.crsnic.net mobilink.net ...

Redirecting to MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE

whois -h whois.melbourneit.com mobilink.net ...

Domain Name.......... mobilink.net

Creation Date........ 2001-03-11

Registration Date.... 2001-03-11

Expiry Date.......... 2010-03-11

Organisation Name.... Mobilink GSM

Organisation Address. Mobilink House, 5-P, Gulberg II

Organisation Address. Lahore

Organisation Address. NA

Organisation Address. Punjab

Organisation Address. PAKISTAN

Admin Name........... Salman Fahim

Admin Address........ Mobilink House, 5-P, Gulberg II

Admin Address........

Admin Address........ Lahore

Admin Address........ NA

Admin Address........ Punjab

Admin Address........ PAKISTAN

Admin Email.......... [email protected]

Admin Phone.......... +92.3008478717

Admin Fax............ +92.425770124

Tech Name............ Salman Fahim

Tech Address......... Mobilink House, 5-P, Gulberg II

Tech Address.........

Tech Address......... Lahore

Tech Address......... NA

Tech Address......... Punjab

Tech Address......... PAKISTAN

Tech Email........... [email protected]

Tech Phone........... +92.3008478717

Tech Fax............. +92.425770124

Name Server.......... ns.cyber.net.pk

Name Server.......... ns1.cyber.net.pk

So from whois I got the name of administrator, his phone number, fax number email address and location i.e. address

DNS checks:

11/22/02 01:01:17 dns www.mobilink.net

Canonical name: www.mobilink.net

Addresses:

202.165.247.86

IP Block:

1/22/02 01:04:01 IP block [email protected]

Trying 202.165.247.86 at ARIN

Trying 202.165.247 at ARIN

OrgName: Asia Pacific Network Information Centre

OrgID: APNIC

Address: PO Box 2131

City: Milton

StateProv: QLD

PostalCode: 4064

Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 202.0.0.0 - 203.255.255.255

CIDR: 202.0.0.0/7

NetName: APNIC-CIDR-BLK

NetHandle: NET-202-0-0-0-1

Parent:

NetType: Allocated to APNIC

NameServer: NS1.APNIC.NET

NameServer: NS3.APNIC.NET

NameServer: NS4.APNIC.NET

NameServer: TINNIE.ARIN.NET

NameServer: NS-SEC.RIPE.NET

NameServer: DNS1.TELSTRA.NET.255

Traceroute:

Now after having the IP Block I will scan the website through Super Scan for its Domain Names:

I got following results from Super Scan

IP

202.165.251.130

Hostname

[Unknown]

UDP Ports (1)

23

Network Time Protocol

UDP Port

Banner

IP

202.165.254.135

Hostname

[Unknown]

UDP Ports (1)

23

Network Time Protocol

UDP Port

Banner

IP

202.165.255.179

Hostname

[Unknown]

UDP Ports (2)

53

Domain Name Server

61

SNMP

UDP Port

Banner

61

SNMP

Hardware: x86 Family 6 Model 8 Stepping 6 AT/AT COMPATIBLE - Software: Windows

2000 Version 5.0 (Build 2195 Multiprocessor Free)

IP

202.165.255.201

Hostname

[Unknown]

UDP Ports (1)

23

Network Time Protocol

IP

202.165.252.157

Hostname

[Unknown]

UDP Ports (1)

23

Network Time Protocol

UDP Port

Banner

Total hosts discovered

67

Total open TCP ports

0

Total open UDP ports

77

3)

http://www.zebonline.com (website development company)

Ping:

Whois:

DOMAIN: ZEBONLINE.COM

RSP: iDotz.Net - Domain Name Registration Service

URL: http://www.idotz.net

created-date: 2002-10-30

updated-date: 2005-10-21

registration-expiration-date: 2006-10-30

owner-contact: P-AJK151

owner-organization: Argus Sision

owner-fname: Aurang zeb

owner-lname: Khan

owner-street: Suite#10 , 2nd floor ,Shalimar Arcade , F-8 Markaz

owner-city: Islamabad

owner-zip: 44000

owner-country: PK

owner-phone: +92512281589

owner-fax: +92512857350

owner-email: [email protected]

admin-contact: P-AJK151

admin-organization: Argus Sision

admin-fname: Aurang zeb

admin-lname: Khan

admin-street: Suite#10 , 2nd floor ,Shalimar Arcade , F-8 Markaz

admin-city: Islamabad

admin-zip: 44000

admin-country: PK

admin-phone: +92512281589

admin-fax: +92512857350

admin-email: [email protected]

tech-contact: P-AJK151

tech-organization: Argus Sision

tech-fname: Aurang zeb

tech-lname: Khan

tech-street: Suite#10 , 2nd floor ,Shalimar Arcade , F-8 Markaz

tech-city: Islamabad

tech-zip: 44000

tech-phone: +92512281589

tech-fax: +92512857350

tech-email: [email protected]

billing-contact: P-AJK151

billing-organization: Argus Sision

billing-fname: Aurang zeb

billing-lname: Khan

billing-street: Suite#10 , 2nd floor ,Shalimar Arcade , F-8 Markaz

billing-city: Islamabad

billing-zip: 44000

billing-phone: +92512281589

billing-fax: +92512857350

billing-email: [email protected]

nameserver: ns1.pakwebhost.com

nameserver: ns2.pakwebhost.com

; This domain name was registered at: http://www.idotz.net

; iDotz.Net - Cool Domains @ Great Prices! Get a web address under: .com .net .org ; .fm .am .tv .la .md .bz .ws .tk .cc .de .us .cn .jp .pl .uk .biz .info and More!

It contains information about the webmaster , location i.e. address , phone numbers, billing information, and email address etc

IP Block:

ReferralServer: rwhois://rwhois.nac.net:43

NetRange: 66.29.0.0 - 66.29.127.255

CIDR: 66.29.0.0/17

NetName: NAC-NETBLK07

4) www.khybersoft.com (software house)

Whois:

Registrant:

www khybersoft com [email protected] +92.091- 5825713

Shadman Khan

main boulevard gulberg

Peshawar,NWFP,PK 54570

Domain Name:khybersoft.com

Record last updated at 2005-02-11 01:33:03

Record created on 2004/2/10

Record expired on 2006/2/10

Domain servers in listed order:

ns.paknet.com.pk ns-isb.paknet.com.pk

Administrator:

Khybersoft Technologies 1st floor PSTP PDA building Phase 5 hayatabad Phase 5 Peshawar

Peshawar NWFP, PK 25000

name:(www khybersoft com)

mail:([email protected]) +92.091-5825713

Khybersoft Technologies

Technical Contactor:

main boulevard gulberg

Lahore PK 54570

name:(www khybersoft com)

mail:([email protected]) +92.425757359

Webtechnos

Billing Contactor:

Khybersoft Technologies 1st floor PSTP PDA building Phase 5 hayatabad Phase 5 Peshawar 54570

name:(www khybersoft com)

mail:([email protected]) +92.425757359

Khybersoft Technologies

From who is I came to know about the all its branches their address, email address of each administrator and their phone numbers.

IP Block:

ReferralServer: whois://whois.apnic.net

NetRange: 202.0.0.0 - 203.255.255.255

CIDR: 202.0.0.0/7

NetName: APNIC-CIDR-BLK

NetHandle: NET-202-0-0-0-1

DNC Checks:

1/22/02 02:41:35 dns www.khybersoft.com

Canonical name: virtual-webdata-rwp.paknet.com.pk

Aliases:

www.khybersoft.com

Addresses:

203.135.1.114

Now after having the IP Block I will scan the website through Super Scan for its Domain Names:

I got following results from Super Scan

SuperScan Report - 11/22/02 02:46:37

IP

203.135.2.176

Hostname

[Unknown]

UDP Ports (2)

037

[Unknown]

2967

SSC-AGENT / Norton Antivirus

UDP Port

Banner

Total hosts discovered

21

Total open TCP ports

0

Total open UDP ports

2

5) www.jang.com (News website)

Whois:

Domain Name.......... jang.com

Creation Date........ 1996-05-18

Registration Date.... 2000-06-01

Expiry Date.......... 2006-05-19

Organisation Name.... NetIdentity

Organisation Address. 5190 Neil Road

Organisation Address. Ste 430

Organisation Address. Reno

Organisation Address. 89502

Organisation Address. NV

Organisation Address. UNITED STATES

Admin Name........... Get YourName@ThisDomain as an email address from www.netidentity.com

Admin Address........ 5190 Neil Road

Admin Address........ Suite 430

Admin Address........ Reno

Admin Address........ 89502

Admin Address........ NV

Admin Address........ UNITED STATES

Admin Email.......... [email protected]

Admin Phone.......... +1.3034130011

Admin Fax............

Tech Name............ Get YourName@ThisDomain as an email address from www.netidentity.com

Tech Address......... 5190 Neil Road

Tech Address......... Suite 430

Tech Address......... Reno

Tech Address......... 89502

Tech Address......... NV

Tech Address......... UNITED STATES

Tech Email........... [email protected]

Tech Phone........... +1.3034130011

Name Server.......... ns1.mailbank.com

Name Server.......... ns2.mailbank.com

DNS checks:

11/22/02 02:55:27 dns www.jang.com

Canonical name: www.jang.com

Addresses:

216.10.106.149

IP Block:

Net Range: 216.10.96.0 - 216.10.127.255

CIDR: 216.10.96.0/19

Net Name: ARIN-NAVISITE-1BLK

Traceroute:

I got following results from Super Scan

SuperScan Report - 11/22/02 02:58:07

IP

216.10.101.2

Hostname

sjzafrt0202-v100.sjz.navisite.net

UDP Ports (1)

61

SNMP

UDP Port

Banner

IP

216.10.101.4

Hostname

sjzafrt02x2-v100.sjz.navisite.net

UDP Ports (1)

61

SNMP

UDP Port

Banner

Total hosts discovered

82

Total open TCP ports

0

Total open UDP ports

2

References

. G.C. Eric Brumfield "Security Systems Protective Measures Against Hackers" Available:

http://www.abanet.org/genpractice/magazine/tpg/brumfiel.html accessed 20 November 2005

2. http://www.2600slc.org accessed 15 November 2005

3. http://www.bookrags.com/subscribe/choice.php?u=hacking-csci-03&catdir=sciences accessed 19 November 2005

4. (http://www.auditmypc.com/freescan/readingroom/port_scanning.asp accessed 18 November 2005

5. http://www.bookrags.com/sciences/computerscience [accessed 15 November 2005]

6. http://www.dirc.org.uk/publications/techreports/papers/5.pdf. accessed 18 November 2005

7. http://ginger.cs.uwp.edu/Classes/Cs490/notes/Hacking1.doc accessed 18 November 2005

8. http://gaia.ecs.csus.edu/~ghansahi/classes/notes/196n_at_def_notes/lectures/wk02.ppt accessed 18 November 2005

9. http://library.thinkquest.org/04oct/00460/deterIntrusion.html#jump accessed 20 November 2005

0. http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=5359&mode=thread&order=0&thold=0 accessed 15 November 2005

1. http://www.informit.com/index.asp accessed 18 November 2005

2. http://www.informit.com/content/images/0201719568/samplechapter/klevinskych05.pdf accessed 19 November 2005

3. http://www.oreilly.com/catalog/networksa/chapter/ch04.pdf. accessed 18 November 2005

4. http://www.symantec.com/small_business/library/hackers_attack.html accessed 20 November 2005

5. http://www.sys-security.com/ accessed 18 November 2005

6. McClure.S et al, (2001) Hacking Exposed second edition Network Security Secrets and Solutions, McGraw Hill, California USA.