Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne Course Web page: https://samsclass.info/124/124_F17.shtml Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)

1. CNIT 124:
Advanced Ethical
Hacking
Ch 5: Information Gathering

2. OSINT
Open Source Intelligence

3. Useful Info for a Pentest
• Employees who talk too much
– Twitter, Facebook, etc.
• Archived listservs may have technical
questions
• What software and hardware are they
using?
– Defenses such as firewalls
– Security problems
– Extra systems like ActiveMQ

4. Netcraft
• Try ccsf.edu

5. Whois

6. CCSF.EDU
• Normal record
• Informative
• Compare to
kittenwar.com
• Privacy protections

7. Whois Limitations
• Data can be fake or concealed
• "whois microsoft.com" has a strange result
(NSFW) because it searches the whole
FQDN, so people have added joke records
• Seems to no longer work as of 9-16-17

8. Whois Limitations

9. DNS Queries
• dig samsclass.info
• dig samsclass.info aaaa
• dig samsclass.info ns
• dig samsclass.info soa
• dig samsclass.info any

10. • Link Ch 5a

11. Dig at a specific server
• dig samsclass.info any
– 10 records
• dig @8.8.8.8 samsclass.info any
– 18 records
• dig @coco.ns.cloudflare.com
samsclass.info any
– 10 records

12. DNS Cache Snooping Demo
• Make a new DNS record
• dig +norecurse @109.69.8.51 test360.samsclass.info
• Shows record, if it's in the cache
• dig @109.69.8.51 test360.samsclass.info
• Caches record

13. Find a Public Resolver
• Link Ch
5d

14. Nonrecursive Query
• Server has no data in its cache
• Doesn't ask other servers (nonrecursive)
• Finds no answer
– Command works the same way on Kali Linux
and Mac OS X

15. Recursive Query
• DNS server asks other servers and finds
the record
• Note its TTL starts at 3600 seconds

16. Nonrecursive Query
• Now the data is in the cache
• This shows that someone has resolved that
site on this server recently

17. Demo: puntCAT Server
• Cache Snooping works simply on a single
server
• Public DNS Servers: Link Ch 5j

18. Demo: OpenDNS Cluster
• One recursive query puts it in one cache
• Cached record observed in 3/12 queries

19. Demo: OpenDNS Cluster
• Ten recursive queries puts it in more caches

20. Demo: OpenDNS Cluster
• Cached record observed in 6/10 queries

21. Watching TTL Count Down

22. Zone Transfers
• First find SOA

23. Performing Zone Transfer

24. University System of Georgia
• 1038
records
• Link Ch
5e

25. Fierce DNS Scanner
• included in
Kali
• Attempts a
zone
transfer
• Then brute-
forces
domain
names

26. Fierce on Zonetransfer.me

28. DNSqueries.com
• Link Ch 5h

30. Searching for Email Addresses

31. theHarvester
• Searches Google.
Bing, and other
sources for email
addresses
• Also finds sites
hosted at the same IP

32. Maltego

34. Port Scanning

35. Manual Port Scanning
• Some services show a banner as soon as a
connection is made
• The banner could be deceptive, however
• Many services, like HTTP and DNS, don't
deliver a banner so easily

36. Nmap SYN Scan
• -sS switch
• Sends SYN, listens for SYN/ACK
• Doesn't complete the handshake, just
sends a RST

37. Nmap Scan Limitations
• Nmap is so popular, IDS and IPS systems
often detect it
• They may block all results

38. SYN Scan of Server 2008
Took 40 sec.

39. Version Scan
• -sV switch
• Grabs banners to determine version

40. Version Scan of Windows 2008
Took 110
sec.

41. UDP Scans
• -sU switch
• Sends packets to commonly-used UDP ports
• Packets are valid service requests
• Servers running on default ports will reply
• Closed ports return an "ICMP Unreachable"
packet
• Cannot tell an open port that doesn't reply
from a filtered port

42. UDP Scan of Windows 2008
Took 1200
sec.

43. Scanning Specified Ports
• By default, Nmap scans 1000 "interesting"
ports
• You can specify ports with –p switch
• -p 80 will scan one port
• -p 23, 25, 80 will scan three ports
• -p 1-65535 will scan them all (slow)

44. Nmap Version Scan Crashes Server
• Rarely
happens, but
is a possibility