
Lab 1: CEH Penetration Testing

3.1 Aim
The aim of this lab is to investigate reconnaissance (footprinting and scanning) of an organisation. The pre-attack phases of footprinting and scanning are typically the first steps an ethical hacker follows when performing a penetration test, once a written agreement defining the scope of the test has been signed with management. Passive reconnaissance is performed first, gathering information from sources outside the target network without sending anything to it; active reconnaissance follows, where packets are sent into the network to map and enumerate targets.
Figure: management and the penetration tester sign a written agreement (the scope of the pen test); the tester then performs passive reconnaissance over the Internet, followed by active reconnaissance against the target network.

"One who knows the enemy and knows himself will not be in danger in a hundred battles." Sun Tzu, The Art of War, 500 BC (Tzu, 500 BC)

3.2 Activities
An organisation's web site is a good place to start when gathering information as part of a penetration test. Search for the current Napier University web site using the Google search engine. Navigate to the postgraduate courses on offer.

3.2.1 Information Gathering

Questions
Q: What is the target web domain Google has returned?
Q: Which postgraduate School of Computing courses with Advanced in the title are on offer?
Q: Is browsing the target organisation's web site passive or active reconnaissance?
Certified Ethical Hacker Penetration Testing Rich Macfarlane 1

A lot of the data a penetration tester may want to investigate may no longer be on the live website, but copies are kept in Internet archives. The website www.archive.org can be used to view archived web pages. Go to the website and use the Wayback Machine to browse archived pages from the Napier web site, as shown below.

Browse the archived web pages from 2008.
Questions
Q: Which postgraduate courses with Advanced in the title have been added since Sep 2008?

To check for subdomains, go to the Netcraft.com website and search for the napier.ac.uk domain, as shown below.


Questions
Q: Which subdomains have been returned?

Another good resource for information gathering is an organisation's staff directory. Social engineering could then be used to phone these staff and get information, as shown below. Another pretext would be to phone the helpdesk as one of these staff members who has forgotten their password, and have it reset to the default!

Figure: social-engineering phone call over the Internet. Penetration tester: "Can I have your details please?" Bob: "Yeah, no problem, hold on."

From the current Napier web site browse to the School of Computing staff pages and find the details of a couple of lecturers from the School of Computing.
Questions
Q: What information can be gathered from the staff page?

Now use Google to search with the keywords napier plus the name of a lecturer, as shown below.


Questions
Q: Which new subdomain has been returned?
Q: What extra information can be gathered from the IIDI people page?

Google Hacking is the term for using the advanced search operators of the Google search engine, which turn Google into a powerful information gathering and vulnerability search tool. Search for web pages that link to the Napier domain using the Google link: operator with the keywords napier.ac.uk, as shown below.

Questions
Q: List some external pages linked to Napier's web site.

Use the inurl: operator with the same napier.ac.uk keywords, and then perform an image search by clicking the Images menu option on the left, as shown below.


Note: The Google Hacking Database (GHDB) http://johnny.ihackstuff.com/ghdb/ is a resource that can help in penetration testing, and contains what are known as Google Dorks. Dorks are search queries crafted to find specific useful information, such as indications of vulnerabilities, or usernames and passwords.

Use the dork "Unable to jump to row" "on MySQL result index" "on line" in the Google search engine, as shown below.

This finds web applications that display raw PHP/MySQL error messages to the user. The dork contains strings from those error messages; a site that echoes database errors is a candidate for SQL injection, but the error alone only shows verbose error handling, not a confirmed injection flaw, so each hit still has to be tested (within scope) before it is reported.
Questions
Q: How many results were returned?


Add the Google search operator site: with the keywords napier.ac.uk to check whether the Napier domain shows any such flaws.

Domain Name Information
Domain name information is now very easy to get via websites. Regional Internet Registries (RIRs) manage the public IP address space within their regions, such as ARIN for the Americas and RIPE NCC for Europe. The main tool for querying domain registration records is whois. It queries the registrar's or registry's database (not the DNS itself) and returns information about a specific domain name, such as the contact person, postal address, phone numbers and DNS servers. Linux has the whois tool built in, and it can be run from the command line. From Windows download the Sam Spade tool from www.samspade.org or use a web-based whois tool, such as: www.ripe.net, www.dnsstuff.com, www.whoisdomaintools.com, www.samspade.org. Use a web-based tool to gather information on the napier.ac.uk domain:
Questions
Q: List the Registrar Contact, Phone Number, Campus Address, and Email Address:

Q: List any Server IP Addresses:

The DNS Results should look similar to the following:


The subdomains found can also be investigated further. The contact details and other information gathered here could be used for social engineering or for wardialing.
Questions
Q: Which particular information might be used for wardialing for modems?
Q: Are social engineering and wardialing active or passive reconnaissance?

Note: Wardialing is a reconnaissance technique where a modem automatically dials a block of phone numbers looking for computer systems that answer. The term, along with others such as backdoor, comes from the film WarGames (Badham, 1983), in which a teenager hacks into the US DoD war simulation computer and very nearly starts WWIII. Film trailer: http://www.youtube.com/watch?v=tAcEzhQ7oqA

3.2.2 Determining the Network Range


DNS Enumeration
Additional information can be found from the DNS servers using the nslookup tool, which returns system name and IP address information. Open a command window and use the following command to find the IP address of Napier's web server.
nslookup www.napier.ac.uk


Questions
Q: What is the IP address of the web server?

The nslookup output should look similar to the following:

To check that the web server IP address is correct, run the network traffic sniffer Wireshark. Select Capture>Interfaces and start capturing on the interface with packets flowing through it (it should be the wired Ethernet interface in the lab). Browse to the Napier web server (use CTRL+F5 so the browser fetches the page from the server rather than the local cache). Stop the capture with Capture>Stop. The DNS response for www.napier.ac.uk and the destination address of the TCP/HTTP packets that follow it should both show the server's address, and the results should look similar to below.

Questions
Q: What is the IP address of the web server?

The subdomains found can be enumerated in the same way.
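Enumerating the subdomains from the command line, as an added example that is not part of the lab handout. It parses nslookup output and loops over a list of candidate host names; the sample nslookup output, the candidate list and the example.ac.uk domain are constructed for illustration, and enumerate_hosts needs live DNS to return anything. The point it makes is the one students trip on when answering the question above: the first Server:/Address: pair nslookup prints is the resolver that answered, not the target.

```shell
#!/bin/sh
# Added example (not from the lab handout): enumerate hosts via DNS and
# read nslookup output correctly.
#
# Pitfall: the first "Server:/Address:" pair printed by nslookup is the
# DNS *resolver* that answered, not the target.  Only the Address lines
# after "Name:" belong to the host that was looked up.

# Constructed nslookup output for a made-up host (not real data).
SAMPLE_NSLOOKUP='Server:   192.168.1.1
Address:  192.168.1.1#53

Non-authoritative answer:
Name:     www.example.ac.uk
Address:  203.0.113.10
Name:     www.example.ac.uk
Address:  203.0.113.11
'

# answer_ips: read nslookup output on stdin and print only the answer
# addresses, one per line.  Handles the Linux form ("Address: x" after
# each "Name:") and the Windows form ("Addresses: x" followed by
# indented continuation lines).
answer_ips() {
    awk '
        /^Name:/                        { in_answer = 1; next }
        in_answer && /^Address(es)?:/   { sub(/^Address(es)?:[ \t]*/, ""); sub(/#.*/, "")
                                          if ($0 != "") print; next }
        in_answer && /^[ \t]+[0-9.]+$/  { gsub(/[ \t]/, ""); print }
    '
}

# enumerate_hosts DOMAIN NAME...: resolve NAME.DOMAIN for each candidate
# name and print "host ip" for the names that exist.  Needs live DNS;
# the queries may reach the organisation's authoritative name servers
# through your resolver, so treat this as the start of active recon.
enumerate_hosts() {
    domain=$1
    shift
    for name in "$@"; do
        host="$name.$domain"
        ips=$(nslookup "$host" 2>/dev/null | answer_ips)
        if [ -n "$ips" ]; then
            printf '%s\n' "$ips" | sed "s/^/$host /"
        fi
    done
}

# Candidate names: a constructed starter list; extend it with the
# subdomains found via Netcraft and Google in section 3.2.1.
CANDIDATES="www mail smtp ns1 ns2 vpn webmail portal"

# Usage against live DNS:  enumerate_hosts example.ac.uk $CANDIDATES
printf '%s' "$SAMPLE_NSLOOKUP" | answer_ips
```

Run on the constructed sample, answer_ips prints the two 203.0.113.x answers and drops the resolver's 192.168.1.1, which is the distinction the question above is testing.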



Email Server Enumeration
To find the IP address of an organisation's mail server, send an email to a non-existent address at the organisation so that it bounces. The non-delivery report comes back through the organisation's mail server, and the Received: headers of the returned message record that server's host name and IP address, as shown below.

Questions
Q: From the mail above, what is the IP address of the mail server?
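Reading the bounce, as an added example that is not part of the lab handout. The headers are constructed to mimic a non-delivery report (the example.ac.uk and attacker.example names and the 203.0.113.25 address are placeholders). received_chain unfolds the Received: headers and prints, for each hop, the sending host, the IP recorded for it in square brackets, and the receiving host, newest hop first; mx_hosts is the DNS alternative and needs live DNS.

```shell
#!/bin/sh
# Added example (not from the lab handout): pull the mail relays out of a
# bounce (non-delivery report) and, as an alternative, list MX hosts.

# Constructed bounce headers (placeholder hosts and addresses).
SAMPLE_BOUNCE='Return-Path: <>
Received: from mx1.example.ac.uk (mx1.example.ac.uk [203.0.113.25])
        by mail.attacker.example (Postfix) with ESMTPS id 4F2A1
        for <tester@attacker.example>; Mon, 1 Jun 2009 10:00:00 +0100
Received: from localhost (localhost [127.0.0.1])
        by mx1.example.ac.uk (Postfix) with ESMTP id 1B3C4
From: Mail Delivery System <MAILER-DAEMON@example.ac.uk>
To: tester@attacker.example
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mx1.example.ac.uk.
'

# received_chain: read a raw message on stdin, unfold the headers (a line
# starting with whitespace continues the previous header), stop at the
# blank line that ends the header block, and print one line per
# Received: header as "FROM_HOST FROM_IP BY_HOST", newest hop first.
received_chain() {
    awk '
        /^$/     { exit }
        /^[ \t]/ { sub(/^[ \t]+/, ""); hdr = hdr " " $0; next }
                 { if (hdr ~ /^Received:/) print hdr; hdr = $0 }
        END      { if (hdr ~ /^Received:/) print hdr }
    ' | sed -n 's/^Received: from \([^ ]*\) .*\[\([0-9.]*\)].* by \([^ ]*\) .*/\1 \2 \3/p'
}

# mail_server_ip: the address of the host that handed the bounce to our
# server.  This is the one hop *our* server recorded itself, so it cannot
# have been forged by the remote side; the hops below it are whatever the
# remote servers chose to write and are only as trustworthy as they are.
mail_server_ip() {
    received_chain | head -n 1 | cut -d ' ' -f 2
}

# mx_hosts DOMAIN: the DNS alternative, the domain's MX hosts ordered by
# preference.  Needs live DNS.
mx_hosts() {
    dig +short MX "$1" | sort -n | awk '{ sub(/\.$/, "", $2); print $2 }'
}

printf '%s' "$SAMPLE_BOUNCE" | received_chain
printf '%s' "$SAMPLE_BOUNCE" | mail_server_ip
```

On the constructed sample the top hop is mx1.example.ac.uk at 203.0.113.25 handing the bounce to mail.attacker.example, so that is the address to record; the inner 127.0.0.1 hop is the organisation's own internal handoff.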

To find the organisation's range of IP addresses, take the IP address of the web server and enter it into the RIPE whois tool at www.ripe.net, as shown below.


Questions
Q: What is the IP range?
Q: Document the administrators and their phone numbers:
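Working the RIPE answer from the command line, as an added example that is not part of the lab handout; it also serves the domain whois lookup in section 3.2.1 for any registry that prints key: value records as RIPE does. The whois text is constructed (placeholder names, handles and phone number, and the documentation prefix 203.0.113.0/24, not real registry data). whois_field pulls single attributes out, range_size counts the addresses in an inetnum range, and range_to_cidr converts the range to CIDR only when it really is one block, since RIPE ranges need not be CIDR-aligned.

```shell
#!/bin/sh
# Added example (not from the lab handout): pull the address range and
# contacts out of a RIPE-style whois answer and turn the range into a
# size and, where it is one, a CIDR block.

# Constructed RIPE-style whois output (placeholder names, numbers and the
# documentation prefix 203.0.113.0/24; not real registry data).
SAMPLE_WHOIS='% Constructed response for the example, not real registry data.
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-UNI-NET
descr:          Example University
country:        GB
admin-c:        EU123-RIPE
tech-c:         EU123-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT

person:         Example Admin
address:        1 Example Campus, Edinburgh
phone:          +44 131 000 0000
nic-hdl:        EU123-RIPE
'

# whois_field KEY: read whois output on stdin and print every value of
# the "key:   value" attribute KEY, one per line.
whois_field() {
    awk -v key="$1:" 'index($0, key) == 1 { sub(/^[^:]*:[ \t]*/, ""); print }'
}

# ip2int: dotted quad to a 32-bit integer using POSIX sh arithmetic only.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# range_size "A - B": number of addresses in an inetnum range.
range_size() {
    start=${1%% *}
    end=${1##* }
    echo $(( $(ip2int "$end") - $(ip2int "$start") + 1 ))
}

# range_to_cidr "A - B": the range as A/prefix when it is exactly one
# CIDR block (power-of-two size, start aligned to that size); otherwise
# report that and fail, because a RIPE inetnum is not always one block.
range_to_cidr() {
    start=${1%% *}
    end=${1##* }
    first=$(ip2int "$start")
    count=$(range_size "$1")
    size=1
    bits=0
    while [ "$size" -lt "$count" ]; do
        size=$(( size * 2 ))
        bits=$(( bits + 1 ))
    done
    if [ "$size" -ne "$count" ] || [ $(( first % size )) -ne 0 ]; then
        echo "$start - $end is not a single CIDR block ($count addresses)"
        return 1
    fi
    echo "$start/$(( 32 - bits ))"
}

# range_summary: read whois output on stdin and print what the questions
# ask for: range, size, network name, organisation, admin handle, phone.
range_summary() {
    text=$(cat)
    range=$(printf '%s\n' "$text" | whois_field inetnum)
    printf 'range:    %s (%s addresses)\n' "$range" "$(range_size "$range")"
    printf 'netname:  %s\n' "$(printf '%s\n' "$text" | whois_field netname)"
    printf 'descr:    %s\n' "$(printf '%s\n' "$text" | whois_field descr)"
    printf 'admin-c:  %s\n' "$(printf '%s\n' "$text" | whois_field admin-c | head -n 1)"
    printf 'phone:    %s\n' "$(printf '%s\n' "$text" | whois_field phone)"
}

# Usage against a live registry:  whois 203.0.113.10 | range_summary
printf '%s' "$SAMPLE_WHOIS" | range_summary
range_to_cidr "203.0.113.0 - 203.0.113.255"
```

The admin-c handle is a pointer, not a person: on a live lookup feed it back into whois to get the person object with the phone number the second question asks for.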

Q: Which organisation's web site would you use


References
Badham, J. (Director). (1983). WarGames [Motion Picture]. http://www.imdb.com/title/tt0086567/
Gregg, M. (2009). Exam Prep: Certified Ethical Hacker. ExamGear.
Dhanjani, N., Rios, B., & Hardin, B. (2010). Hacking: The Next Generation. O'Reilly.
Tzu, S. (500 BC). The Art of War, Chapter 3. Retrieved June 2009 from Sun Tzu - The Art of War: http://www.sonshi.com/sun3.html

