So if you came for that little show, you missed it yesterday, and my name is Deramo, I'm from Columbus, Ohio, also known as Brent Huston, and I'm a member of a security group called the Wolfpack, from area code 614, and I'm going to talk today about system profiling, and I want to talk about how you can take a network or a target, analyze it, and create a much finer method of attack, and if you're a system administrator, why this should interest you is I want to explain today how a real attacker targets you, and some of those things that you can look for to know before it actually happens, as well as some of the steps that you can take to prevent network mapping and those types of attacks. So as we start to talk about this stuff, we're going to start out by talking about target location, some of the basic things of how you pick and find information about your target. Of course we'll cover the general port scanning because that's a part of the process. System examination, we're going to talk a little bit about planning the attack, and we'll talk about touching base on some of the serious issues you need to think about if you're going to do some of these things. And then we'll talk again about how to protect yourself against these types of profiling and attacking, and we'll do a question and answer at the end. So a couple of things to start off with, just generally to help you decide whether you want to stay and see this or go see something else, we're not going to cover how to exploit a host or network. So if you came here for that, you're probably not going to get what you're looking for. We are going to give you an introduction to the basic and intermediate network mapping and system profiling. You're going to hear a little bit about, from, granted, my biased point of view, why that's a very important and indeed a very sexy part of learning about networking. And hopefully we're going to give you the skills to explore the wide networks that are on the internet.
Let's see the show of hands here. If you have a 50,000 node network at home that you can play with freely, not too many folks, but there are plenty of them available to you on the internet. And there's a great and fantastic way that you can learn about them without actually exploiting anyone, pissing anyone off or making it a little harder for your system administrators. The first question I always get is what is system profiling? And I guess two things about system profiling mean something to me. First of all, this is not just randomly picking up the latest UFTP buffer overflow and scanning every system on your subnet to see which one has it. What we're looking for here is a process by which we can actually learn something about a foreign network, a remote network, one that we don't have access to and we cannot see. Question number two that I get quite often is why exactly do people do this? Well the first and hopefully most obvious one if you're a system administrator is all the myriad of reasons that makes you a target, why you have risk in your organization. If you're a publicly traded company, maybe it's to manipulate stock prices, maybe you're learning to attack. But more often than not, these network mapping exercises and the things that you're going to see are simply exploration. And they are, what I want you folks to learn today is that this is a great way to go out and learn about networking and to get a close up view of what the myriad of conditions and configurations look like. So I guess the last question I get quite frequently is what is it that we're looking for when we do system and network profiling? And I can't stress enough the number one goal is to build an intimate knowledge of the network layout. So this is the whole point and I think it's dead. Unfortunately now I get to sit down. So to build an intimate knowledge of the network layout is the primary goal. 
And following that it is to analyze the security posture and the potential for vulnerability. Because if I'm an attacker I want to have a very direct and targeted method of attacking the networks that I'm looking for information on. I don't want to throw everything in the kitchen sink at it in hopes of gaining some root exploit to get the information. That's how people get caught. It's very sloppy. So building this information ahead of time will allow you to target your attacks and to do it more stealthily. And then lastly I want to learn about the caveats that may create either an opportunity or a reason why I shouldn't attack this network. For example, if there's some links here to information that might be of a confidential or maybe a classified nature, or maybe there's some indirect links to a .gov or a .mil net, I want to know that ahead of time before I accidentally exploit something that sends this sound to my door. So how do we go about looking up our target? And obviously the first thing is doing a simple nslookup command. Hopefully you have some concept of who it is that you're looking to profile. For example, xyz.com or some other company. Just a simple nslookup will reveal to you some of the basic IPs that they're using. Take that information, you feed it through an ARIN and whois lookup and begin to create profiles of the different network addresses and network spaces that these folks are utilizing and that they own. If they're a public company, a simple EDGAR search will reveal to you an amazing amount of information about the folks who actually make decisions there. And if I were an attacker attacking a financial company, this is a fantastic way for me to learn about the specific accounts and systems that I want to target. Basic web searches, I can't even begin to tell you the amount of times that I found hidden websites or intranet sites that were listed in search engines that were inadvertently advertised and placed out on the internet.
You'd be amazed when you can just do a simple search, find their intranet and download all of the names and addresses of the people who work there. Pretty interesting information. Also, profiling their network users via searches of Deja and things like that to establish a profile from the folks who use Usenet and mailing lists. Obviously if they continually post to things about Windows such as the Windows support newsgroups, you know they might have NT servers inside. If they're posting to various other applications, you can begin to profile some of the applications that may be in use and transfer that into some of the vulnerabilities that may exist. One of the most fantastic ways to find out and target your company is to simply read their want ads that they post. If they're looking for network administrators that are proficient in Cisco and Bay, do you think they have a bunch of 3Com switches hanging out? Of course not. Start to think like your victim. We continually tell security people they need to think like hackers, but we never tell hackers they need to think like victims. You need to begin to do that. So you take that information that you've built from your profiling and you start to create a simple and basic network map. You provide the list of their access providers. Are they using redundancy? Do they have more than one main internet provider that's feeding information into their network? Do a simple ARIN search. Look across multiple ranges. Find out. Are they hiding some IP addresses? Where are their DNS servers? Add those into your actual physical map. Get out a piece of paper or a whiteboard and actually draw this stuff up. You'll be amazed at what you can discover when you see it visually. Look at their public access systems, web, mail, FTP, those various systems, and if they're public, explore them. We're talking about basic simple things here like looking at anonymous FTP that's open to the public.
You'll be amazed at some of the information that you can find there. If you're really concerned about things at this point, as you should be, if I were a true attacker, I'd be using proxies to do that or using throwaway hosts. Now that you have your basic network map of where their basic web and public servers are, as well as their DNS, you want to look for the not so public hosts and servers. So sometimes a simple ping of various servers will reveal to you changes in their ping times that may indicate either alternate routes or systems like proxies where the ping, the ICMP time, varies due to the traversal of the proxy. So you can begin to analyze what types of defenses they have just by sending simple ICMP traffic. Traceroute to all the various hosts you have and start to add those hosts into your network map. Are there alternate routes between specific servers? Can you establish the relationship between servers to determine whether they have a single DMZ or multiple DMZs? Or, hopefully not if you're a system administrator, your worst nightmare: that they just simply route straight into their private internal network. So you take that pathing information and you actually create a physical map about their perimeter. The next step that I suggest that you take is doing a simple DNS zone transfer. This works about 75% of the time and you can accomplish this by again using your familiar tool nslookup. Simply type nslookup, do a "set type=A", put in "server=" or, excuse me, on some systems it's "server" space, the target's DNS. And then a simple "ls -d target.com" and make sure that you follow that up with a trailing dot. And what this is going to do is it will dump out all of the IP addresses and all of the system names that are registered for public use. Now a lot of folks will find that their primary DNS, the one that you admins are controlling, has this locked down.
But about another 70% of the time, the secondary or tertiary DNS is not so configured and will gladly give up the information that you have tried to secure yourself. So I urge you to take a look at that. Next step would be to perform simple things like ping sweeps using either nmap or any of the other myriad of products in either OS. And find the hosts that maybe they didn't intend for you to find. Maybe they have some hosts that are sitting out there providing VPN or SSH access, telnet access into their perimeter. And for those of you folks, I guess I'll stop for just a second, who are trying like mad to write stuff down. This presentation will be available on my website at the end. I'll give you the URL so you can come back and get this stuff. And the following thing after the ping sweep that we see most everybody seems to perform is using advanced host location tricks. And this is doing things like nmap ACK scanning or sending multitudes of various ICMP types to elicit responses from hosts that may have either host based protection or may be protected by a firewall that is restricting the types of traffic it can respond to. I guess I want to take a moment and talk about port scanning techniques. And the first thing is we get asked continually why systems on the internet are port scanned. And I want folks as attackers to start to realize that it is simply a beginning to identify what system processes are in use. And I say it's a beginning because things are not always as they appear. I can't count the number of times that I've set up some other service on port 80 and I watch people continually throw HTTP exploits against them even though there's not even an HTTP server running there. So that's why I want you guys to understand that it is simply a beginning to that process. And to perform port scanning there are a myriad of tools, or if you really want a good challenge, take a look at libnet and write your own. That'll be kind of fun. It's a good exercise.
And if you still don't have many ideas about how to accomplish this, just a simple "man nmap" will cough up all kinds of ideas. So to perform the actual port scan you can and should always use a throwaway host and that may simply be enough. Some hosts are not configured to resist or to log any port scanning attempts and you may be able to simply accomplish your goal with a throwaway host. The other thing that a throwaway host can tell you is if you port scan once and you get X set of results and you port scan again from that same host and you get a different set of results, you may find that they have adaptive defenses in place. In which case it's much better to find that from a throwaway host than from your real attack host, as you may then be blocked out of their network or added to some of their other defensive measures. And the key point here is that when you start looking at some of these clever things that you can do with nmap is remember that it may bypass a firewall or an IDS, but that as a network administrator it also raises the bar. I don't really care if folks just send simple port scans to my network, but I guarantee I'm going to be a lot more concerned if I start seeing some tricky things like fragmented packets or ACK scanning. And I'm going to take some more steps to make sure that you don't continue to do that. And I want to remind everyone that slow and low, and that means targeted scanning, is always a good bet. And I get the question next of well what exactly do you mean by slow and low scanning? I mean use a throwaway host just in case, but also target the scans. You want to make sure that you're not scanning for every single port in the 65,000 plus ports that are available. Only scan for the few that you're looking for plus a few decoys to throw off any tricky admins. And make sure you vary the timing if you're going to slow the scan down and don't use the standards.
If you just do a standard paranoid scan for example, many IDSs now are smart enough and have those patterns of timing set into them to realize that it's still an nmap scan. So vary the timing yourself. And remember that slower is always better. The more time that it takes you to map a host or a network, the more likely you are to slip past the attention of any IDS or below any threshold that a system administrator or network administrator might notice. So at this point you should have a table of information that shows the various hosts that you scanned. And you can begin to explore those because, as I said, things may not always be as they seem. So simple banner grabbing, using either telnet or netcat or some of the other specialized clients, will reveal systems that are running specific applications and often the versions of that application they're running. If you've run nmap or queso or some of the other tools you also now have a basic identification of the operating system; you can begin to build tables and cases of anomalies. For example if you have one host that appears to be running three different services that run on three different operating systems, you probably have a port forwarding device. And you can begin to create a process of profiling those types of hosts. And at this point I'd like to touch on SNMP. I can't count the number of times in the some thousands of networks that I've mapped in the last ten years that SNMP has given up very valuable information and allowed me to profile the network very quickly. Simply scanning for common strings and using tools like SolarWinds or snmpwalk has really made this process very easy. And often times you can create complete profiles of systems and devices that are on the network with these tools. Now that we have an understanding of what systems are available, what their operating systems are, and what they're doing, the next step in actually attacking or learning about this network is to do user enumeration.
And in Windows NT and some other Windows systems this is very easy. You can often do it through null sessions. You can use specific mail hosts using the EXPN and VRFY commands and finger. Common system names and naming conventions are another way of actually starting to do user enumeration. For example, if you notice that folks have named all of their users, first initial and last name is a naming convention. It's not too hard to start to guess some of the basic and common combinations. Starting to look at public file shares, maybe to mount up some of the anonymous shares that are available on their network, this is very, very common. It's so common in fact that it actually made the SANS Top 10 list. Then performing things like browsing the registry and system settings, and there are many tools to do the stomp back all included. And after Jennifer Granick's speech yesterday I added this little thing to note that not only do many of these processes raise the bar for administrators to see if you're mapping their network, but now as Jennifer said that some of these things may actually be illegal, such as mounting other folks' C drives and D drives. So at this point you should have a general map of the target network's perimeter and you should understand what their defenses are. Do they have a firewall? By now you probably know what kind of firewall they have and what types of IDS systems they might be trying to protect against attacks with. And hopefully by this time you've started to gain a bonding and an understanding with this network: what types of systems they use, what their backbone capacity looks like. So I guess the next step is probably the one that everyone says is very boring, but I kind of think it's a little sexy. And you're actually going to learn some stuff if you take the very next step. So this is what we all started for. And really at this point is where script kiddies get left behind.
They are more interested in targeting systems of opportunity rather than specific hosts. So this is really the next step. And the next step also gives you some knowledge, and as everyone knows knowledge equals power, and you can take these skills and use them to make money legitimately. So if you want to move into the profession of being a security consultant it's a good step to take. And the simple process is actually sitting down and creating a vulnerability matrix. So you take the systems that you have profiled, the applications that they're running, and you use the publicly known vulnerability databases to learn about what exploits they might potentially be vulnerable to. And I don't mean just simply create a map that says there's a buffer overflow in this version. Actually learn about why it works. Look at the exploit code. Look at some of the advisories that have been issued so that you begin to understand how the attack actually functions. Once you've researched each of the vulnerabilities that are available you can actually begin to create a map by priority and the things that you might gain out of it as well as to find what risk is involved. Is it a high noise attack or is it a low noise attack? Is it something subtle that you can get away with, or if it fails is it going to deny service on a server? So at this point I get the major question of now what do we do? We have this information and I guess I return at this point the responsibility to you. You can either analyze the data, learn from it and move on to the next network, or you can choose to attack systems if you so desire. And my point here is that I want you to take from this speech that you can learn from these systems up to the point at which you would perform those exploits. But at this point you can move on and learn more about another network. And there's some reasons why you should do that.
First of all the minimum risk is that these attacks and these actions that you've created will be a violation of your ISP's terms of service and they will disconnect you and you'll have to choose another ISP. Not a big deal on today's market but still an issue possibly nonetheless. This also could be a violation of the law. Some other things here that you need to know is these things that we've talked about, tracerouting and mapping networks. Do not do them to .gov or .mil sites. Those folks tend to take it a lot more seriously than your average .com and if you mount some of their shares they probably will come looking for you. Beware of honeypots. If you see some things that are too good to be true they probably are and they're probably waiting for someone like you to stumble into them. But the key point here is remember that if you are going to build a succession of profiles, stupidity does exist and it gives you a great chance to look at Network X versus Network Y. Kind of a cute story at this point. I have some folks among my friends here who are system and security administrators and a couple of them have actually used this technique to look at networks before they went to work there and they could judge what their profit and job opportunities might be by mapping these networks. I'm not suggesting you set up an insecure network by the way as a recruiting tool but that's always a possibility in today's job market. So if I'm a system administrator what would I do to protect myself against profiling? First of all I want to not let attackers get this information. We continually, as we do audits around the country, hear that network mapping is not a risk to you, and I'm here to tell you that as system administrators what other people know about you can hurt you and you need to start to take network mapping very seriously.
So the first step is of course blocking ICMP at the routers or at the borders of your network using things like implicit denials on your firewalls. Use smart naming conventions, folks; don't name your firewall firewall.whatever.com, it just makes it incredibly easy to do these types of attacks. Routers should be named something other than Router 1, Router 2. At least make it fun for us. That's what I'm asking. Restrict zone transfers, and if you've already done that go back to your service providers and make sure they've done it as well. Don't just call them and ask them but audit that process. I've seen highly secure networks where the tertiary DNS had both internal and external addresses for the target. That will hurt you every time. The other related function there is never use public or common community strings. I should never be able to get read or write access to routers with a "public" community string via SNMP. It happens continually over and over again. Also take steps to disable user enumeration by restricting access to the EXPN and VRFY commands in sendmail, restricting the use of finger, removing the ability for service traffic to pass into your network. Begin to educate your users. The folks that post to Usenet, ask them to do so from addresses other than your .com address. Maybe teach those folks how to sign up for Yahoo or some of these other free mail services and use email to news gateways, because this is becoming a very easy way of profiling some of these companies that are out here. If you're a Fortune 500 company and you think that folks are not posting information to the world about you, you're dead wrong. I'm here to tell you. It happens continually and it becomes very easy to make you a target. Begin to provide proxy access to public services to protect against things like browser based attacks or hostile code. And apply the registry keys to disable remote access. This is a good idea not just for external hosts but for internal hosts as well.
There's probably no reason why users should be able to dump out registry access from their own systems or others around them. Obviously disable NetBIOS at the border, I covered that. Remove fingerprint information from banners. If someone can telnet to your FTP site or FTP, excuse me, if they can FTP to your FTP site and find out what version of wu-ftpd you're running by looking at the banner, you're just making yourself even more of a target. Don't give away this information. Well, these folks say don't depend on security through obscurity. That is correct, but you certainly should take that away as a tool. And remember that security through obscurity is always ineffective. There are methods to get around that every single time. And I urge you folks, system administrators, to deploy IDS technology and honeypots. That's my presentation. I'll take questions. The presentation and the abstract will be available at wolfpack.dineip.com. We've got that on some stickers and we've got that on business cards. So if you have any questions you can also email me. Again I'm Deramel and I'd be happy to take your questions at this time. The question is what are some of the good ways to try to detect if you've found a honeypot? Again, if things are too good to be true or appear to be too good to be true they just may be. One of the classic examples I like to throw out of this is a host that I audited recently had a supposed NetBus infection. The name of the system was firewall.whatever.com. Obviously folks are going to protect their firewall a little bit better than to have NetBus running on it. So some of the really common stupidity type exploits, if you see many of those or even a few of them on a host, it may be a honeypot. Look for things like variances in the operating systems and the banner information that you gather. Does that answer your question? In the back of the hat. Good point.
The gentleman's point is that sometimes blocking ICMP at the borders will break other things. For example, a little bit of a headache, IPsec, VPN connectivity. My thing here is it's a level of mitigation of risk. Can you accept this for that? If you're using IPsec this may not be an option for you, so you take other steps to mitigate that risk. Perhaps by example, we have one client who had this very similar situation, so what they did was they forced all of their road warrior folks that are traveling out there to use one ISP for their road trips and then they added that range specifically into the firewall so that those folks could pass their required traffic but the rest of the internet could not. Yes. A follow-up comment on the ICMP is just to be very granular on it. The problem is talking about specifically allowing a subtype of ICMP to go up towards the internet. Correct. This gentleman down here points out that he has a fix for you, sir, for your ICMP issue, so you two should probably meet afterwards and talk about that, but that if you allow certain types of ICMP and are very granular on your access controls you can fix that IPsec issue. As well he points out that as system administrators you should be setting up egress rules for your firewalls and systems, and I certainly agree with that. It was a little bit beyond the scope of this talk but certainly you should be doing so. Back there in the back. I'm sorry, I couldn't hear you. The question is, are there tools to automate drawing maps from traceroutes? Absolutely. There are a couple of good products in the Linux environment. One of them is slipping my mind, do you know them off the top of your head, the one that draws that great network map? Cheops, yes, for Linux, and there are a couple of good ones for NT as well although their names are slipping my mind at this point. VisualRoute, yes. His question is, is there a way to keep SNMP tools like snmpwalk and SolarWinds from working on your system? There are two ways.
First of all you can restrict SNMP requests to hosts that you want to allow SNMP access from. You can also change your community strings to something other than the common ones. If you come up with an inventive one they won't be able to dump your information unless they know it. Comments, concerns. I have a t-shirt to give away, and I've got the folks at Phoenix that make the Phoenix Firewall from Progressive Systems and they donated a t-shirt that I'm supposed to give away to you guys. I'm going to ask a good trivia question. I spoke at DEF CON last year and Black Hat. Does anybody here know what t-shirt, what I talked about? Good call. Anyone else? That's absolutely correct. Appliance Firewall review. Here's your t-shirt. What's your name, sir? Fed. Congratulations. Folks, is the next speaker here yet? Yes sir. Wow, I wish I had a penny for every person that asked me this. The last year's report on the appliance firewalls did not get posted. We began to do so and were litigated against and our lawyers never worked it out so we did not post. It seems that when specific appliance firewall creators send their product to you for evaluation that you are not allowed to publicize the results of that evaluation without their express written consent in advance. Yeah, I wish I could say that. But my attorney tells me that I shouldn't talk too much more about that so I apologize. It might start with an N. There are some great appliance firewalls out there and in actuality if you have been watching the firewall market some of those products have matured to a fantastic point.
There are some great ones like for example the Phoenix Firewall that I just gave the t-shirt away for those folks have become a larger company now and they've done a great job with it as have some of the other folks like WatchGuard and if you've looked at any of the new revisions of the Cisco PIX which I recommended last year the Cisco folks have been busy and have actually fixed about 90% of the issues that I pointed out so those folks deserve some attention as well. Okay, that's it. Next presentation. Thanks for coming out today.
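An added editor's example, not part of the talk or the speaker's material: a detector for the "slow and low" scanning pattern the talk describes, run over constructed firewall deny-log lines in a hypothetical iptables-style format. It flags a burst scan with a short window and, separately, a scan spread over hours that stays below any per-minute threshold, which is the blind spot the talk points at.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample deny lines (hypothetical format, documentation IP ranges).
# 203.0.113.7  probes 8 ports in ~20 seconds   -> classic burst scan
# 198.51.100.42 probes 7 targets over ~8 hours -> slow-and-low scan
# 192.0.2.200  retries one port twice          -> benign noise
SAMPLE_LOG = """\
2001-07-14T02:00:00 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2001-07-14T02:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2001-07-14T02:00:06 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2001-07-14T02:00:09 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2001-07-14T02:00:12 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=53
2001-07-14T02:00:15 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2001-07-14T02:00:18 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
2001-07-14T02:00:21 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=139
2001-07-14T03:10:00 DROP SRC=198.51.100.42 DST=192.0.2.10 PROTO=TCP DPT=21
2001-07-14T04:05:00 DROP SRC=198.51.100.42 DST=192.0.2.11 PROTO=TCP DPT=22
2001-07-14T05:20:00 DROP SRC=198.51.100.42 DST=192.0.2.10 PROTO=TCP DPT=23
2001-07-14T06:40:00 DROP SRC=198.51.100.42 DST=192.0.2.12 PROTO=TCP DPT=25
2001-07-14T08:15:00 DROP SRC=198.51.100.42 DST=192.0.2.10 PROTO=TCP DPT=110
2001-07-14T09:50:00 DROP SRC=198.51.100.42 DST=192.0.2.11 PROTO=TCP DPT=139
2001-07-14T11:30:00 DROP SRC=198.51.100.42 DST=192.0.2.10 PROTO=UDP DPT=161
2001-07-14T09:00:00 DROP SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=443
2001-07-14T09:00:30 DROP SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Parse deny lines into (timestamp, src, target) where target = (dst, proto, port)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a deny record; ignore
        ts = datetime.fromisoformat(m["ts"])
        events.append((ts, m["src"], (m["dst"], m["proto"], int(m["dpt"]))))
    return events


def max_distinct_targets(times_targets, window):
    """Largest number of distinct targets one source touched inside any window of the given length.

    times_targets must be sorted by time. Counting distinct targets rather than raw
    packets keeps retries against a single port from looking like a scan.
    """
    best = 0
    for i, (t_start, _) in enumerate(times_targets):
        seen = set()
        for t, target in times_targets[i:]:
            if t - t_start > window:
                break
            seen.add(target)
        best = max(best, len(seen))
    return best


def classify_sources(events, burst_window=timedelta(minutes=1), burst_threshold=5,
                     slow_window=timedelta(hours=24), slow_threshold=5):
    """Label each source 'burst_scan', 'slow_scan' or 'benign'.

    The short window catches ordinary scans; the long window catches a scan that
    spreads the same probes over hours so that no per-minute counter ever trips.
    """
    per_src = defaultdict(list)
    for ts, src, target in events:
        per_src[src].append((ts, target))
    verdicts = {}
    for src, tt in per_src.items():
        tt.sort()
        if max_distinct_targets(tt, burst_window) >= burst_threshold:
            verdicts[src] = "burst_scan"
        elif max_distinct_targets(tt, slow_window) >= slow_threshold:
            verdicts[src] = "slow_scan"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:15} {verdict}")
```

Tune the windows and thresholds to the real log volume; a 24-hour window over a busy border needs per-source state kept across log rotations, which this in-memory version does not do.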