ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network
[size=150][u][b]2007 A Hacking Odyssey – Reconnaissance[/b] [/u][/size]
The aim of this series of papers that will take an in-depth look at how someone may target and electronically break into an organisation, is to educate people who may be tasked with looking after and securing a corporate network to do so in an effective manner.
My personal outlook on this issue is that if you have no idea about the steps a would-be attacker will take to try and gain access to your systems, then you as an administrator can not effectively secure your system to an acceptable standard. Some people may disagree about the concept of demonstrating to people how to gain access to networks they are not meant to, whilst others agree with the ‘full disclosure’ approach.
Take a firewall for example – if you don’t understand the steps an attacker will go through to try and get traffic through your firewall, then how can you stop them for doing it? All you can do is configure it the best way you know how and hope it is good enough.
[b][u]Hacking, Cracking, Hackers and Crackers[/b][/u]
Before I start:
If some innocent looking young teenager came up to you and starting talking about hackers and hacking, then chances are you, being the IT professional that you are would mentally dismiss him as not understanding what he was talking about, just because he used the work ‘hack’. Yet, if a university professor type person in his fifties wearing a tweed coat, glasses and smoking a pipe came up to you and starting talking about hackers and hacking then you would more than likely listen to every word he says…… why is this?
Well, the term ‘Hack’ or ‘Hacker’ is a word coined by the media to mean anyone trying to break in to something IT related, whether it’s a Network, Computer or any other type of electronic system.
The more realistic term to use when talking about a hacker in the way the media’s term is meant, is to use the word ‘Cracker’ or ‘Attacker’. A cracker/attacker is someone who tries to gain access to things they have absolutely no right to be accessing. A hacker is someone who tries to make something function in a way it was not originally designed to do; they ‘hack it apart’.
Take an email program for example; a hacker may try to make this email program send something other than an email, thereby making it do something it is not meant to do. Whereas an attacker/cracker will try to gain a level of access to it and read the users emails contained within the application.
People who are new to the IT community will often innocently use the word hacker until they get flamed by someone for doing so, probably on an IT related web forum, at which point they will usually endeavour to find a different word or face public ridicule on the new IT forum they will inevitably have to find.
There are some people who like to instigate the flaming of the above mentioned people and think that everyone else will presume they are pretty knowledgeable because they make a big fuss of the fact they don’t like the word ‘Hacker’……these are the people you should probably stay away from.
Most people who are secure in their own knowledge of IT and IT security whether for good or bad purposes and who have worked in the area for a while, really don’t care what word is used and can even find themselves using the term ‘hacker’ for ease of instruction when talking to non technical people or media type people. It could also be used to lessen the effect the work ‘Attacker’ has on someone; non IT people can get pretty scared when you say a cyber attacker is out to get them.
For the duration of these papers I will use the term ‘attacker’ to refer to someone trying to do bad things to your computers and to your network. We will also assume the attacker is a ‘he’.
For this chapter we will take the mindset of the Attacker and the preliminary steps he may go through to attack your IT emporium.
How does an attacker decide which organisation to target? When he has decided on the organisation how does he set about attacking it, how does he know where to go on the internet to find the specific network he wants to attack, how does he find your geographical location if he wants to wardrive you, how does he find useful information to socially engineer you, how does he find your phone number range to war dial you, how does he find your mail server?
These are just some of the things the attacker will need to know before planning any attack against you and is generically referred to as reconnaissance.
There are different types of attacker; attackers who have picked a target for a specific reason, attackers who pick random targets but have a specific idea about what they want to do to the target when they find one, and then there are attackers who look for random targets to launch random exploits against in an attempt to gain any level of access, without actually understanding what it is they are doing.
This later genre of attackers are commonly referred to as Script Kiddies, Skiddies, SkiDIE’s, Skids etc and are the ones who don’t usually bother with any reconnaissance and jump straight to firing Nmap up and start telenting to any open ports they may happen to find.
I usually start security related courses off by asking, “What is the first step to take when wanting to attack a network?” 99% of the answers I receive involve the words Nmap and Telnet. Whilst this is a feasible option, there are still lots of steps to take before Nmap is even downloaded.
You may have dismissed Script Kiddies out of hand by what I have mentioned above. Just because they do not understand the ins and outs about what they are doing does not make them any less dangerous than someone who does. Script Kiddies have all the time in the world to try and attack you. They usually come across an exploit of some kind that has been published somewhere, read how to actually perform the exploit and then go off in search of someone to test their new found uber skill on.
Since they have a specific exploit in mind, which may run over a certain port, they can scan away to their hearts content looking for that one system that is vulnerable to the exploit they have.
So, whereas Administrators have to try and secure from 1000’s of possible vulnerabilities, the Script Kiddies only have to find this one vulnerability on your system…..and have an infinite amount of time to find it.
[b][u]Picking a Target[/b][/u]
So, how do pick a potential target?
As good guys you may have a specific reason to attack a target, whether it is your own organisation and are auditing the security of it, or you have been contracted to audit the security of another organisation – if this is the case then step one has been decided for you. As bad guys you could have a grudge against a particular organisation, you could have come across some interesting information in a newsgroup about a certain system being vulnerable, someone may have posted a firewall configuration on a newsgroup/IT help site and not removed any passwords or IP addresses (this used to happen a lot). You could even have been specifically asked by someone to see if you can do any damage against an organisation…..the list goes on.
What if you have no reason to pick a specific target and any will do?
You could trawl through your own firewall logs and find someone who has targeted you in the past; Zone Alarm for example has an annoying popup that can tell you about any external attempts made to gain access to your machine and includes the IP address of the attacker. If you have a home router they all usually have a logging facility and will record any attack attempts.
In true Script Kiddie style you could have stumbled across an exploit and want to try it out, so start looking for susceptible targets.
You could even ping the first IP address that comes into your head, check it is valid and chose that.
When I teach this subject in particular, to find an organisation for the duration of the course I usually enter the first words that pop into my head in to Google, take one of the hits on the first page and use that company to demonstrate the reconnaissance steps against.
In this case the words are ‘Garden Sheds’.
The company I chose is Shed Store.
That’s the target picked, now let’s see what we can learn about them…
[b][u]Research the Target[/b][/u]
There are a multitude of perfectly legal methods we can use to research our target and we don’t even have to connect to any of the machines associated with it. Like all good reconnaissance, the intended target should not know what we are trying to do – for this reason we try to use publicly available information that is hosted away from any machine directly belonging to the organisation or has been made to be accessed by the public, i.e. their web server.
[b][u]Targets own web site[/b][/u]
Once you know who your target is the fist thing to do it browse over to their web site and simply have a look at all the information they have made freely available to us.
What info can we get from here?
They have kindly given us their address, phone number range, email domain, who they use for their online billing provider, what their office opening hours are and that they are part of Guardian Buildings.
Shedstore (A trading division of Guardian Buildings). Unit 1, Southview Park, Caversham, Reading, Berkshire. RG4 5AF.
T: 0870 3500 710 F: 0870 3500 720 E: email@example.com W: http://www.shedstore.co.uk
During our office hours of 8.30am to 12.00pm, then 1.00pm to 5.00pm – Monday to Friday, we accept telephone orders and enquiries upon the following numbers.
– Sales enquiries & orders: 0845 130 0405 (Local rate)
– General enquiries: 0870 3500 710 (National rate)
– Customer service enquiries: 0870 3500 710 (National rate)
– (For those customers unable to access ’08’ numbers, please call 0118 946 4182)
By going part of the way through the order procedure we find out they use http://www.securehosting.com/ to handle their online transactions.
The also have a members only area of the site.
**I will talk about what we can do with all this information later on**
We are starting to build up a ‘feeling’ about this company just from their web site. Going by this web site they seem to be a fairly well established company, they have what looks to be a professionally made web site, the seem to do the majority of their business over the internet, but they don’t necessarily seem IT savvy as they have no need to be, so they maybe rely on external hosting providers to handle the web site, email, billing etc…… this last point is a point worth remembering for later on when we cover social engineering.
None or all of the above ‘feelings’ we get from the web site are necessarily true……we need to confirm it first.
I will not cover Google on this paper as the subject as extremely large and I feel it deserves a paper to itself (whick will be posted soon). Needless to say typing the company name in to Google & Google groups may reveal some information that can be useful to you.
[b][u]Jobs advertised on company web sites[/b][/u]
Although not applicable to this particular web site, let’s say we were using the web site of a small bank, and on this web site they had a Jobs Section, and in this jobs section they were asking for a PIX firewall administrator to start immediately….
This little gem of information tells us that the bank uses PIX firewalls, that they may have no administrator currently employed to manage it/view the logs etc (hence the immediate start) and that they may be susceptible to a social engineering attack whereby someone who does not normally configure the PIX maybe coerced into making a change OR that a new employee is likely to start very soon, who again will be very susceptible to social engineering to get him to alter the firewall’s configuration…..if you had a phone call from someone claiming to be the boss of your new company on your first day at work, would you say no to him if he told you to maybe change an ACL in the firewall? Maybe, maybe not…..
All this stems from a seemingly innocent job advert….
Newsgroups are a valuable source of information during the reconnaissance phase of an attack depending on the type of target, as they are usually used by someone to ask for help, i.e. I have a PIX 506E and I want to configure a static NAT for a web server with the IP addresses 192.168.10.10 and 220.127.116.11, how do I do it?
This innocently asked question tells us that particular organisation uses a PIX, the internal IP range, the external IP range and that the administrator is not so confident with configuring it, hence it maybe miss configured and easy to attack…..
Out of Office replies are also sent out to some newsgroups…..what better time to attack a network than when you know the administrator is out of the office and can’t examine any logs…..or if you want to phone someone up and socially engineer them under the guise of being the system administrator…. well you know he won’t be there to get in your way….
If you trawl through it you will find complete router configurations including IP addresses and passwords, firewall configurations that again include IP addresses and passwords, the list goes on. If you have managed to gleam a name from the organisations web site try searching for it and see if it throws anything up.
**When you want to search for say a PIX running configuration that may have been posted in its entirety, it is best to search for a few words that are specific to the configuration. I usually use “mtu outside” – which refers to the Maximum Transmission Unit size for the Outside interface of the firewall and is pretty specific to a firewall – if you know the domain name of your target try including this in your search string as well; most firewalls can be configured with a domain name….
The below link has over 13,000 PIX configurations that have been posted in various newsgroups:
I find PIX firewall configuration especially useful to search through as there are so many things that need to be deleted from the configuration to not give away any information. So often I see IP addresses deleted but domain names remaining intact, a quick ‘nslookup’ of the domain name will sometimes give you the IP Block assigned to the organisation, once you have worked this out take a look at the Access Control Lists and see what they allow in…..see if there are any Peer IP addresses in the VPN configuration etc
There is a very extensive search function on the Google Groups site, which will allow you to search for almost any aspect of a post, again try and use keywords specific to either the organisation you are researching or are specific to the type of post you are looking for.
You may have to trawl back a while to see if anyone has posted via their company email address in a newsgroup as people are more savvy now-a-days and usually use a hotmail/gmail/Yahoo type web mail account. However, some people sign their messages with their full name, company name and company address……and then explain their entire network setup and what is wrong with it.
We will come back to searching newsgroups in the next section when we go over WHOIS records.
The Internet is a huge directory of domain names and due to various copyright laws, trading laws and DNS workings, there can not be two identical domain names in existence at the same time on the Internet.
A domain name refers to an organisations “Internet presence” and is usually related to their normal company name. I.e. The domain name for Barclays Bank is Barclays.co.uk (http://www.barclays.co.uk/) 99% of the time this also means their email addresses will end in Barclays.co.uk.
Keeping track of all these domain names was historically done by Network Solutions until 1999 when they lost the monopoly for domain name registration. As the Internet grew so did the amount of suffixes attached to domain names ( .com, .co.uk, .org etc) and so did the amount of registrars.
Any domain name ending in . .aero, .arpa, .biz, .cat, .com, .coop, .edu, .info, .int, .jobs, .mobi, .museum, .name, .net, .org, .pro, and .travel are registered with Internic; who can be found here: http://www.internic.net .
The country code top-level domains – which are two letter suffixes that refer to the country, I.e. uk, jp, au will inform the attacker what country the target is in. A list of ccTLD’s can be found here: http://www.iana.org/root-whois/index.html
What if your targets domain name does not fall under InterNIC’s remit? Well, there is a very helpful site called Uwhois that will inform us of where to look for the registration details or our particular domain.
We browse to Uwhois and enter “shedstore” in the domain box, tick .co.uk and click Go.
Depending on who the domain is registered with Uwhois may show us the complete registration record or it may tell us where to go and look for the records.
In our case we are told that the domain name is registered:
The answer to your domain search is
Uwhois search forshedstore.co.uk Registered
Notice shedstore.co.uk is a hyperlink? Click on it and you will be taken to either the registration details or you will be told where to look:
We now know that whois.nic.uk holds the registration records. Type that into Google and the first hit you get is for Nominet. http://www.nominet.org.uk/other/whois/
Browse to Nominet and enter shedstore.co.uk as the search term:
Thus plc t/a DSVR [Tag = DSVR]
Registered on: 24-Jan-2000
Renewal date: 24-Jan-2008
Last updated: 20-Jun-2006
Registered until renewal date.
Now we are getting some information that we can use to aid our attack. We have a name of someone who is probably fairly high up in the Guardian Buildings organisation; Keith Taylor. We also know Shed Store is part of the Guardian Building group from information we were able to get from their web site.
We have the address of both Shed Store and Guardian buildings; again we have this from their web site and from this WHOIS record.
We now know who they use to host their web site and who they used to register their domain name from the Registrant’s Address information: URL: http://www.dsvr.co.uk .
We can see the record was renewed in June 2006, so ‘Keith Taylor’ is probably still working for the organisation.
Finally we have the most important piece of information to us so far; the name servers, which I will talk about in a minute.
You maybe thinking, Yeah, Ok I have all this information but what use is it to me? It will all become apparent right after I run through DNS and DNS zone transfers.
[b][u]Domain Name Service – DNS[/b][/u]
DNS could be considered the post office and telephone directory of the Internet. Without it the Internet would not be anywhere near as efficient and easy to use as it is today.
In a nut shell DNS takes an IP address and ties it in to a domain name. I will presume most people know what an IP address is and will not insult you all be explaining it (PM J_K9 if you need to know)
To explain DNS it is best to give an example; so if you go to your RUN prompt (Start > Run) and type CMD into it and press enter(Or your Linux equivalent) You will get a black box popping up; this is your command prompt.
Whenever we want to perform any DNS queries, or interact with DNS in anyway we use a program called ‘nslookup’. (Linux users may want to use ‘dig’ instead of nslookup as most recent Linux distro’s have butchered the nslookup program somewhat)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Nokia>nslookup
Default Server: speedtouch.lan
Notice the prompt changes to ‘>’, this tells us we are now in the nslookup application and not in the normal command prompt.
The Default Server will tell you what your own DNS server is. (this may not always be an actual server, especially if you are using a home router. If you are using a home router then the IP address show will usually be that of the router)
At the ‘>’ prompt type google.com:
C:\Documents and Settings\Nokia>nslookup
Default Server: speedtouch.lan
Addresses: 18.104.22.168, 22.214.171.124, 126.96.36.199
You will see that the output of the command you entered is three different IP addresses.
Now at the prompt type in one of these IP addresses:
**Tip – right click the blue bar on top of your command prompt and select properties, in the Edit Options field make sure Quick Edit and Insert Mode are ticked. You can now copy and paste as you would normal text. Try highlighting a Google IP address in the normal way by moving your cursor over it with the mouse button pressed, the text will go white; now right click. To paste the text simply right click again and the text will be pasted where the flashing cursor is.**
The output from the above command tells us the IP belongs to Google.com.
What you have just done is preformed a DNS query to find out the IP address(es) that Google use for their web presence; when you entered the domain name you done a forward DNS lookup and when you entered the IP address you done a reverse DNS lookup (rDNS).
You may still be thinking what the hell you are on about but it will become apparent now:
Try typing one of the IP addresses you got from your DNS lookup into your web browser. You are still taken to Google.
Your computer does not talk to other computers by using words such as Google.com. When you enter Google.com into your browser your computer needs to convert this into a form both it and other computers will understand. As you probably know everything on the Internet needs an IP address, as this is how all traffic is addressed on the Internet (it is different on an internal LAN but for now assume everything uses IP addresses). So something needs to take google.com and convert it to an IP address to enable your computer to go out on to the Internet and find the server that hosts the Google web site.
If you haven’t guessed it already, it is DNS’s job to do this.
Without DNS you would have to remember 188.8.131.52 and use this when you wanted to go to Google. Then when you wanted to go to Hotmail you would have to enter 184.108.40.206, and then if you wanted to go to Digg you would have to enter 220.127.116.11…… can you see how confusing this would become. If you wanted to advertise your business web site you would have to use an IP address and hope everyone could remember it……
DNS allows us to use a human readable syntax that we can remember easily, to browse the Internet. Without it, the Internet would be very chaotic.
You can find a very good explanation of DNS here:
But what has all this got to do with our reconnaissance? Well there are different types of DNS records that will be used for different services. If we wanted to send an email to an organisation the a DNS record would tell the appropriate mail server the IP address of where that organisations mail server is located. This records is called an MX record (Mail Exchange), DNS records can also be used for web servers, FTP servers etc.
If we could get our hands on all of these DNS records for our target domain, we would have a huge chuck of valuable information for when it comes to the next phase of our attack; as we would know where to go to try and gain specific entry to the network….if we wanted to exploit their mail server DNS would tell us where it is, if we wanted to attack their FTP server DNS would tell us where it is……..
DNS servers support something called a Zone Transfer and what this is, is a way of the DNS server telling someone all the information it has about a certain domain, MX records, A records, PTR records etc.
There is a catch to this though and that is properly configured DNS servers only support Zone Transfers to authorised people and sometimes not at all. To go back to the WHOIS record we found, the very last entry listed is the DNS servers that our target uses:
So let us try and see if a Zone Transfer will work on these DNS servers:
Go back to your nslookup prompt:
C:\Documents and Settings\Nokia>nslookup
Default Server: speedtouch.lan
And type “server ns0.serve.co.uk” (you could even do an nslookup for this and use the IP address if you wanted to 😉 )
> server ns0.serve.co.uk
Default Server: ns0.serve.co.uk
This is telling the nslookup application to query the server you have specified and not your own default one. (Obviously since this is where the information relating to the shedstore.co.uk domain is located, it is the server we need to get the info off)
To ask it for all the information it has on the shedstore.co.uk domain (a Zone Transfer), we use the following command:
> ls -d shedstore.co.uk
If Zone Transfers are enabled to casual users, and we have the right DNS server for our domain, it should reply will all of the DNS records it holds:
> server ns0.serve.co.uk
Default Server: ns0.serve.co.uk
> ls -d shedstore.co.uk
shedstore.co.uk. SOA ns0.serve.co.uk hostmaster.dsvr.co.uk. (2
006122800 3600 1800 86400 3600)
shedstore.co.uk. NS ns0.serve.co.uk
shedstore.co.uk. NS ns0.serve.net.uk
shedstore.co.uk. MX 5 mx81.emailfiltering.com
shedstore.co.uk. MX 10 mx82.emailfiltering.com
shedstore.co.uk. MX 20 mx83.emailfiltering.com
shedstore.co.uk. A 18.104.22.168
ftp CNAME www.shedstore.co.uk
mail CNAME www.shedstore.co.uk
smtp CNAME www.shedstore.co.uk
www A 22.214.171.124
shedstore.co.uk. SOA ns0.serve.co.uk hostmaster.dsvr.co.uk. (2
006122800 3600 1800 86400 3600)
** Tip – there will nearly always be two name servers listed on the WHOIS records – if the first one does not allow Zone Transfers always try the second one too, as this is usually a backup DNS server and may not be configured the same as the first one.. **
So what have we got?
We have the Start of Authority (SOA) which is the authoritative DNS server for the shedstore.co.uk domain – the numbers after it are pretty unimportant to us but refer to the zones serial number, refresh rate, retry rate etc.
The Name Server (NS) records basically tie the domain name to the DNS server. Think of it a mapping so others can find the correct DNS server.
The MX records which we have already covered refer to where all email should be sent to for the domain. In our case it looks like Shed Store is outsourcing their email to a hosting provider of some kind.
The CNAME or Canonical name records are aliases and point back to the A record. They are usually used when there is more than one type of service using the same IP address. In this case it is FTP, HTTP and SMTP.
The A record (Address record) is the main DNS record and does the actual mapping of the domain name to the IP address. The CNAME records referred to above all refer to this A record. ( if you now do an nslookup for shedstore.co.uk it is this very A record that will be consulted to return the IP address to you)
The one glaring omission is a PTR record – which handles the rDNS lookup. (the opposite of the A record so to speak) If you do an nslookup on the IP address 126.96.36.199 you won’t get shedstore.co.uk:
C:\Documents and Settings\Nokia>nslookup 188.8.131.52
This is another indication that the website is hosted by a third party, probably called Internet Design and they have only bothered to update the A record and not the PTR record. If you go back to the WHOIS record it will back this theory up:
Thus plc t/a DSVR [Tag = DSVR]
If we couple this with the fact the DNS server itself is not configured adequately and we were able to complete a Zone Transfer we could come up with the conclusion that this is a very sloppy setup and could mean they are not using as good a web hosting service as they could do, that they do not understand the DNS implications of their own setup, that the have never tested their security – hence more proof they may not be very IT savvy……
Just like domain names are registered and entered on a WHOIS database, IP addresses are also registered and entered on a database. For Europe and Asia an organisation called RIPE handles this. (http://www.ripe.net/) and for America ARIN handles it (http://www.arin.net/index.shtml). If you browse to them and enter the IP address mentioned in the A record you will find out who it is registered to:
inetnum: 184.108.40.206 – 220.127.116.11
descr: Hosting in iP House
status: ASSIGNED PA
source: RIPE # Filtered
role: AS5587.NET Network Operations
address: Victoria Building
address: Salford Quays
address: M5 2SP
phone: +44 207 3455256
fax-no: +44 207 3455257
As I said it is not really applicable in this case as it is only for a web server that belongs to a hosting company. But if it was for an organisation that hosted their web server internally you would be able to get more contact details for the company from here. In this case we only get the name and address of the hosting company, which is in Salford Keys, Manchester. – It may come in handy for a social engineering attempt later on, who knows but it is worth writing it all down.
Mail servers are a good way of finding information out about a company and what email addresses are valid in the company. It is possible to telnet to a mail server on both port 25 and 110. When you connect you are greeted with a banner saying the type of mail server and its version.
Open a command prompt again and type the following:
C:\Documents and Settings\Nokia>telnet shedstore.co.uk 25
This is telling the telnet application to open a connection to shedstore.co.uk on port 25.
You should now see this:
220 internetdesign.dsvr.co.uk ESMTP Exim 4.52 Wed, 07 Feb 2007 20:03:06 +0000
The mail server banner is telling us the type of mail server is Exim, and it is located in the UK. It also tells us that this mail server belongs to the same people who host Shed Stores web site….but the MX records from the DNS Zone Transfer are for a different company. The must have a web mail solution and another hosted email solution.
Going by the MX record they also have email hosted with emailfiltering.com So they may have another domain name in place for email, or it may have something to do with the Guardian Buildings organisation that they are a part of. It’s hard to tell exactly why they have another email solution but it is something worth bearing in mind.
MX 5 mx81.emailfiltering.com
Browse to emailfiltering.com in your browser and see if there is a web site for it.
Yes, there is – but it has a URL redirect in place and takes you to http://www.emailsystems.com/ . If you put an ‘s’ after the HTTP (https://www.emailsystems.com/ ) and go to their secure site you are presented with a logon…….probably where you go to check your emails on line…..
Try telenting to the mail server mentioned in the MX record on port 25……now this is a seriously locked down mail server……my guess is their email hosting company do know what they are doing, unlike their web hosting company.
All this information comes in handy when we try to social engineer some information out of the companies we have discovered are target uses.
Did anyone notice their was a CNAME record for an FTP server? Let us see if it is active.
Go back to your command prompt and type:
C:\Documents and Settings\Nokia>ftp shedstore.co.uk
You should be presented with the following:
C:\Documents and Settings\Nokia>ftp shedstore.co.uk
Connected to shedstore.co.uk.
220 ProFTPD 1.3.0rc2 Server (ProFTPD) [18.104.22.168]
It has told us what type of FTP server it is (ProFTPD) and is asking for a user name and password. At this point DO NOT try and gain access to anything. Remember we are researching the target passively and do not want to try and connect to anything directly related to the Shed Store company until we have taken the proper countermeasures to obscure our own identity and location on the WWW.
Web hosting companies typically provide FTP access for their customers so they can upload their web site and make any changes that are needed. I pointed out that there is a members only part to the web site earlier on, my guess would be that members can logon and maybe buy direct from the company via the user portal? If so all their details are stored on the server somewhere and if we manage to get FTP access we can also get access to all of the files and do not have to worry about trying to exploit the web service….
At this point it is enough for us to just know it is there and how to access it.
*Hey look, we have learnt they have a web site, a mail server and an FTP server and the IP address of them all…..and we didn’t have to fire up Nmap up once to tell us what services they have….**
[b][u]Social Engineering [/b][/u]
Social Engineering is the art of interacting with someone with the sole reason of maliciously soliciting information out of them. The common example is to get a user name and password, but this is not always the case. I have endless hours of fun teaching this and getting students to phone places up and trying out what they learn in real life. It is an incredibly hard skill to master. But once you have mastered it you can save yourself hours of pain staking work trying to crack user accounts etc the hard way.
Most people think Social Engineering is something reserved for the determined attacker or for the people carrying out a Pen Test. I would suspect that 99% of the people reading this have never tried it or are ever likely too……yet they wouldn’t think twice about firing Nmap up and scanning someone’s system. In my view if you can get some information out of someone such as a password, well then it saves you having to spend hours running a dictionary attack or trying to brute force the password which you have just got hold of in a few minutes via social engineering. NEVER underestimate the Social Engineering stage of reconnaissance it nearly always pays off and saves you a lot of time and hassle.
The reason not many people do it is that to carry out an [i]effective[/i] Social Engineering attack you need a rather large set of gonads, a very good reason to want to do it and some prior information about the person or the persons organisation that you are speaking to.
Social Engineering is not something that can be taught and is more of a skill you pick up over time. The more you do it, the better you can become at it.
There are a couple of facts about human beings in general that need to be mentioned to better explain how to carry out effective social engineering attacks:
Humans are very easily programmed and become stuck when something happens out of the ordinary.
Being extra nice to someone and making that person like you and want to help you, does pay off sometimes
People generally do not say no to an authoritative figure or to someone who is higher placed then them in the organisational structure.
It is usually easier to coerce someone into doing something they don’t normally do, than to coerce them into doing something they do everyday.
[b][u] Humans are very easily programmed and become stuck when something happens out of the ordinary.[/b][/u]
Think of a normal hand shake; if someone walks up to you and extends their hand in a motion that signifies to you that they are about to shake yours, you are programmed to lift your hand up in response.
In certain scenarios such as when meeting someone, this is expected. But what if it happens in a situation you don’t expect it, i.e. when you are walking down the street and a perfect stranger walks up to you with an outstretched hand signifying that he wants to shake hands with you? You still lift your hand to respond to that person, maybe not very far but you will still do it.
Now what if when meeting someone, and when you expect a hand shake, the person stops half way through extending their hand and puts it in their pocket? You still extend yours and when something happens you don’t expect, such as someone putting their hand in their pocket, your programming breaks down and for a second or two you go into limbo as you have no idea what to do. Why – Because like as not this will have never happened to you before so you have no programmed response to it.
Consider this – whilst you are in limbo during this hand shake, if the other person was to ask you what your phone number is, what would you do? You are programmed to respond to a question, so whilst your mind is in limbo wondering what the hell to do, the programmed part of it will respond to the question that has just been directed towards you and unless you manage to stop yourself in time you will answer the question.
When I was learning about Social Engineering the course was taught by a Psychologist and not an IT security professional. Half way though one talk the speaker invited a hypnotist into the seminar. The first thing this hypnotist done was to walk up to someone near the front of the audience and introduce himself – just as they were about to shake hands he put his in his pocket and said something to him, in a few seconds this guy was hypnotised and answered any question the guy asked him. He very effectively utilized the moment when his mind was wondering what it should do, to hypnotize him.
I’m not suggesting you need to walk around shaking hands with people and hypnotising them to socially engineer them, but am trying to demonstrate that when something happens out of the ordinary, people let their guard drop very temporarily and the mind is very open to external influences.
To apply this psychology to a ‘real life’ social engineering attack – imagine you phone up the web hosting company that Shed Store use (we know this info from the DNS records and the WHOIS record), and went through the normal process everyone goes through when initiating a phone call – the other person says hello, you say hello and state the reason why you are phoning – the other person will go through the process they have probably gone through 1000’s of times and asks you for your credentials to authenticate yourself……… Ooops, we hang up as we can’t do that.
To apply the methodology of breaking someone’s programming you need to do something unexpected that may have never happened to the other person before.
The list of how to do this is endless – but you have just found out your name server allows anonymous Zone Transfers right? So your going to be a tad angry – what’s the odds that if you phone up and instead of saying ‘hello’ which the poor help desk dude will be expecting, you start yelling down the phone straight away asking why their DNS server is miss configured. What you are going to do is put them in a situation they may have not been in before and do not know how to handle properly (chances are at the help desk level they will not even know what a DNS Zone Transfer is). So whilst they are fumbling around trying to make sense of what you are angry about, mention (in a very pissed off voice) you cant logon to your web server and need to know your details – now this is something the person will be programmed to do and will understand, so whilst they are still trying to figure out what the hell a DNS Zone Transfer is and who they can escalate it too, they will be only too happy to do something they are familiar with (and which gives them a bit of breathing space) and lookup the details for you.
Of course you don’t have to rant and rave at someone to throw them of their guard. Try phoning an up-market hotel who do not normally give out the details of who is staying in a certain room…..when they answer just simply ask if they have the time (be very polite), I can pretty much guarantee the receptionist will have never had this happen to her before…so whist she is in the state of registering what you have just asked and what she should do in response to you, ask her who is staying in room 101 – her programming will kick in and she may very well divulge the information to you. The trick is to be nice and extra polite to her.
After you have tried this method a few times you will develop a few methods that usually work most of the time and stick to them.
[b][u] Being extra nice to someone and making that person like you and want to help do, does pay off sometimes [/b][/u]
This one kind of speaks for itself and is not something I need to cover in great detail. Use your charm to try and make someone like you enough to want to help you. This usually works best when talking to someone of the opposite sex (unless you swing the other way). The best way to do it is not to try and solicit any information during your first conversation. Phone up initially, explain who you are (or who you are pretending to be) and ask an innocent question that will not require her to ask you some questions to authenticate yourself. Such as:
“Hi, I’m Keith Taylor the Managing Director of Shed Store, well Guardian Buildings but you have us down as Shed Store. You host one of our web sites called shedstore.co.uk and I was wondering if you are experiencing any technical difficulties again, as at the moment we can’t reach it.”.
If we examine that seemingly harmless and everyday initial introduction more closely you can see what we have just done:
“Hi, I’m Keith Taylor the Managing Director of Shed Store” = Using the name we got from the WHOIS record we have introduced ourselves to her – putting a name to a voice on the telephone forces her to automatically construct a mental picture of you, which will aid us in getting her on our side. We have told her we are very high up in the company, the MD no less. How many MD’s does she speak to on a daily basis? Not many I bet, so we will now stick in her mind and she will remember us next time we call. By identifying the company we are from, we allow her to learn a little more about us by offering her extra information, which goes in our favour but more importantly we let her know what company we are from so when we try to extract some information from her later on she may not feel the need to authenticate us.
“well Guardian Buildings but you have us down as Shed Store” – This again offers her a little more information to add to her mental picture of us. The second part of this sentence implies we have contacted them before and have regular dealings with them – again adding to our authenticity.
“You host one of our web sites called shedstore.co.uk” – Here we have told her what our web site is and that we are indeed one of their customers. This is important later on when we ask her for our login details, as she will not need to ask us what our domain name is which is usually the prelude to asking us to authenticate ourselves – we will be breaking her programming.
“I was wondering if you are experiencing any technical difficulties again, as at the moment we can’t reach it” – This reinforces the fact we have spoken to them before as we mentioned the word ‘again’. But more importantly it is a question that does not require her to authenticate us and is something she will have to search for, and gives you that ‘moment of silence’ to make idle chat with her……get to know her….and make her like and trust you.
She now has a mental image of you, knows who you work for, knows a little more info about your organisation than she may normally get to find out with most customers (which could make you stand out amongst others), she knows you are a Managing Director which again makes you more likely to be remembered by her (and all women like important men don’t they?), we have let her know that we have phoned up before, she knows your domain name – which means she won’t have to ask for it, she knows you are having technical difficulties but are still being nice to her – not many other customers would be as nice when experiencing technical difficulties, again you will stick out in her mind because of this.
After this all you can do is use your charm during the ‘moment of silence’ to get to know her.
Give it a few hours and phone back up, you may have to do this a few times until the same person answers the phone.
The second conversation could go something like this:
“it’s Keith again the MD from shedstore.co.uk” – This time we just use the first name, to make the conversation more friendly and social, we reinforce the fact we are an MD and again we tell her our domain name.
“I phoned you earlier to ask about some technical difficulties, I’m just wondering if you are having some issues now as we can’t access our site again and are really starting to lose business over this.” – This last part is designed to make her go off and search for something again – which will give us another moment of silence to make idle chit chat. Most important we have no emphasised that this is a serious matter to our business and needs to be resolved…but we are still being very civil and chatty to her……..this will be out of the norm for most cases she has experienced when something is going wrong….and it stresses the fact that we must be an exceptionally nice person if we are still being nice to her….hell I would want to marry me!
The knack here is to make idle chat but around a subject that you can refer to later on.
The third time you phone up, don’t mention anything work related. Start the conversation off about the subject you made idle chat about. When you feel the time is right say something along the line of “Oh I’ve forgot what it is I’m phoning for now….Oh that’s right, I can’t remember my logon for the shedstore account, can you help us out?” – Or words to that effect.
If you have done your part right she will know your domain name, be under the impression you work for Shed Store and may just go right ahead and give you the credentials you need.
I have provided a theoretical example that only uses three phone calls. In reality it could take week or even months to gain the trust of someone and it is not always done over the phone, it can quite easily be done in person. You only get one shot, if you try it to soon and she asks for credentials, obviously you can’t supply then and have to hang up wasting what could be weeks of effort in trying to gain her trust.
[b][u]People generally do not say no to an authoritative figure or to someone who is higher placed then them in the organisational structure. & It is usually easier to coerce someone into doing something they don’t normally do, than to coerce them into doing something they do everyday.[/b][/u]
You should have grasped the basics by now. If you can convince them you are important enough, they maybe willing to skip procedure to accommodate your request. Or, if you can put them under enough direct ‘managerial’ pressure they may rush the job and again not authenticate you.
The last one relates to things like the job advert I mentioned further up the page: It will be easier to get the person filling in for the missing firewall admin to make a change that it will be to get the regular firewall admin to make the change.
Accidentally phoning the wrong person, when you know the real person is away (maybe by an OOO reply to a newsgroup) can be a lot more rewarding that phoning the correct person.
Likewise instead of phoning a hosting company who are trained to authenticate people before dealing with them, try phoning the target company direct and claiming to be from the hosting centre…..it maybe easier to coerce an un-trained company employee who has never had to ask anyone for credentials in their life to part with some logon details.
[b][u]Prior Information [/b][/u]
What ever tactic you decide to use you are always going to need one thing – prior information about the person/organisation you are trying to imitate. You can’t pretend to be someone else if you know nothing about them…
What information have we managed to get from all of the above steps?
Company name – An obvious one that we need
Domain name – Handy to guess email addresses, needed for WHOIS lookups and for social engineering attempts.
Office Opening hours – What better time to attack their network than when they are not there, or if you want to phone someone claiming to be an employee it is best to do so when they are not in the office
Telephone number range – People still do use modems. With the phone range we can Wardial the company looking for them.
Company Address – A post code is often used in authentication steps. We also now know were to go to look through their rubbish if you are that way inclined
Senior Person from the company – From the WHOIS record we know the name of a person who is likely to be high up in the company. Also good as a search string in newsgroups
Name Servers – You have seem why these are important
Mail Servers – In this case the email is outsourced – another avenue for a social engineer attack, either to the target claiming to be from the email company, or vice versa. The also may have a second email service for another domain.
Web site hosting company – As above; ideal for Social Engineering attempts. We also know they host a web mail solution for the company too – more info we can use for our social engineering. If we did want to social engineer them we also know their address and phone number from the RIPE record we looked up.
FTP Site – We know they have FTP access to the web site. This can come in very handy when wanting to try and exploit parts of the web site as all we have to do is find an FTP logon, we don’t need to spend a lot of time looking for web vulnerabilities.
[b][u]Caller ID spoofing[/b][/u]
You could use all of the information we have gathered together so far and you could use the very best methods of social engineering and it could all fail. They are not foolproof methods as they have a huge human element to it, and humans are very unpredictable.
However, there is one final trick in our arsenal that can sometimes work when all other attempts fail and that is to spoof our caller ID.
If someone was to ring you up at work and say “Hi its Jim, I am filling in for the System Administrator today.” You may or may not believe him. If he called and said the same thing but on your caller ID display it came up that he was indeed calling from the Sys Admins desk then the chances are that you would indeed believe him……unless his desk is in the same room as you of course.
Think of Caller ID spoofing as instantaneous credibility 😀
It is relatively easy to spoof a caller ID, the hard part is finding what number to spoof it too.
TeleSpoof: http://www.telespoof.com/ is probably the most popular service to use since Star38 and Comophone where forced to shutdown due to very negative publicity…usually CallerID ‘falsification’ services do not stay in business very long but TeleSpoof seem to be doing a good job of it so far.
You have to pay to use TeleSpoof but it is relatively cheap and is worth trying out on your friends a few times to get the hang of it all.
If you have a VoIP setup than you can spoof your own caller ID for free, notably the Asterisk PBX is quite good for doing this and is free…
Once you have learnt of a telephone number, probably via a WHOIS record or a RIPE / ARIN record, which both usually list the System Administrators of organisation (and what better person could you pick to pretend to be!) you can spoof away and see who reveals information to you.
If you can’t find the System Administrators number, usually phoning reception and asking for it will work…. After all, why would they not give it to you?
Reconnaissance is not very glamorous, it is tedious, probably not much fun to read about and is almost never done by Script Kiddies. It is largely based on common sense and reading publicly available information, However, it is a very important part of the bigger picture. It puts you ‘in tune’ with the target so you don’t go wondering in blindly Nmap’ing away. There is not much skill involved in it – which is why I think it puts the Skiddies off….:D
I have tried to run through all the steps an attacker may go through when researching your organisation. I have chosen a real life company as nothing in this paper is illegal to do. The company I chose looks to be a largely web based company and I have not revealed anything that could list their internal network presence, although there are a few ways of finding it out and the more astute of you may be able to do so by utilizing most of what I have mentioned.
The next part will cover the prelude to gaining access to a network – i.e. network discovery, mapping out a network, scanning for services, looking for weaknesses, WLAN scanning etc and will utilize the information we have learnt here. I won’t use Shed Store for this as they are a real organisation trying to run a business over the Internet and it would not be right to demonstrate methods of accessing their network, if indeed there are any.
If someone from Shed Store does read this hopefully they will look at it as a free partial vulnerability assessment and leave it at that. 😀
Remember to write everything down that you learn about a target, no matter how small and trivial it maybe. You never know when that little bit of information may come in handy. Try out your social engineering on a few innocent people in a harmless manner; maybe try and find out who is staying in a particular hotel room etc. After a while you will get good at it and be able to use it for more ‘daring’ situations.
Some of you maybe wondering why I have not mentioned Google much at all – that is because I plan on writing another paper in the near future on how to use Google from a ‘hacking’ 😉 prospective.
Please post any questions in this thread or start a new one in the relevant forum; PM’s, Email’s and MSN messages will not be answered.
If you liked this paper please [url=http://digg.com/security/2007_A_hacking_Odyssey_Part_One_n_Reconnaissance]Digg it[/url]