Identification of Information Systems Vulnerabilities
Sergei Konovalenko.
postgraduate of Krasnodar Higher Military School,
Russia, Krasnodar
Igor Korolev
Doctor of Engineering, Professor, Professor of the Department of Protected Information Technologies, Krasnodar Higher Military School,
Russia, Krasnodar
Abstract
An assessment of existing tools for analyzing the security of information systems was performed. On the basis of its results, models for detecting, identifying and evaluating images of information system vulnerabilities were built. The main characteristics (elements) inherent in the images of existing information system vulnerabilities were defined.
Keywords: detection; information system; identification; evaluation; image description; vulnerability.
Any information system (hereinafter IS) has a set of vulnerabilities, a list that is quite long and constantly being updated (expanded). IS vulnerabilities stem from shortcomings (errors) that arise during the system's life cycle. Seen this way, the feasibility of realizing threats to IS security depends directly on an attacker's ability to detect and use the vulnerabilities inherent in the system. Conversely, the process of identifying IS vulnerabilities carried out by a security specialist is fundamental to counteracting an attacker in the early stages of an attack.
The purpose of this article is to build generalized models for detecting, identifying and evaluating images of IS vulnerabilities, and to define the characteristics (elements) inherent in the images of existing vulnerabilities, which will allow a specialist to better systematize his work on securing the IS under his control.
According to GOST R 56545-2015, a vulnerability is a shortcoming (weakness) of a software (software and hardware) tool or of the IS as a whole that can be used to realize threats to information security. An information system is the combination of the information contained in databases (hereinafter DB), the information technologies that ensure its processing, and the technical means.
Any IS vulnerability can be represented as an image: a set of specific characteristics (elements describing this vulnerability) formed according to certain rules.
A description of an IS vulnerability is information about an identified (detected) vulnerability. The rules for describing an IS vulnerability are a set of provisions regulating the structure and content of the vulnerability description.
By type, vulnerability images are divided into images of known vulnerabilities, images of zero-day vulnerabilities and images of first-time identified vulnerabilities. A known vulnerability is one published in publicly available sources together with a description of the corresponding information security measures, fixes for the shortcoming and relevant updates. A zero-day vulnerability is one that becomes known before the developer of the IS component has released the corresponding information security measures, fixes or updates. A first-time identified vulnerability is one not published in publicly available sources.
Each type of IS vulnerability image has both general and specific characteristics (elements), which can be collected in a table. An example of such a table is given below.
Table 1. Elements of different types of IS vulnerability images

Characteristic of the vulnerability | Element inherent in the image of a known vulnerability | Element inherent in the image of a zero-day vulnerability | Element inherent in the image of a first-time identified vulnerability
Place of detection of the vulnerability in the IS | | |
Method of detection (identification) of the vulnerability | | |
Name of the vulnerability | | |
Before moving on to the models for detecting, identifying and evaluating vulnerability images, it should be explained that an IS consists of the following levels:
- the application software level (hereinafter application software), responsible for interaction with the user;
- the database management system level (hereinafter DBMS), responsible for storing and processing the IS data;
- the operating system level (hereinafter OS), responsible for serving the DBMS and the application software;
- the network level, responsible for the interaction of IS nodes.
Different types (classes) of vulnerabilities correspond to each IS level. To detect vulnerabilities, models for detecting, identifying and evaluating them must be developed.
The main sources of IS vulnerabilities are:
- errors in developing (designing) the IS (for example, software errors);
- errors in deploying the IS (IS administrator errors) (for example, incorrect configuration of the software, ineffective security policies, and so on);
- errors in using the IS (user errors) (for example, weak passwords, violations of security policies, and so on).
To detect, identify and evaluate IS vulnerabilities, as well as to generate reports and eliminate (neutralize) vulnerabilities, security analysis tools (hereinafter SAZ), also called security scanners, are used; they can be divided into two types:
- network SAZ (security scanners), which perform a remote analysis of the state of the controlled hosts at the network level;
- OS-level SAZ (security scanners), which perform a local analysis of the state of the controlled hosts; sometimes a special agent has to be installed on the controlled hosts.
The use of SAZ is relevant because it enables a specialist to identify in advance a sufficiently large list of types (classes) of vulnerabilities inherent in the controlled IS and to take the necessary measures (in some cases, at least to attempt to take them) to eliminate the vulnerabilities or to exclude (minimize) the possibility of an attacker using the detected vulnerabilities.
To systematize the work of a specialist securing the controlled IS, and on the basis of the analysis performed, a generalized model for detecting images of IS vulnerabilities was built (Figure 1).
Figure 1. A generalized model for detecting vulnerability images
The process of detecting IS vulnerabilities is based on passive checks (scanning, Scan) and active checks (probing, Probe) for the presence of vulnerabilities in the controlled IS.
During scanning, the SAZ sends the corresponding requests to the controlled IS (to the ports of the controlled hosts), analyzes the banners (data packet headers) returned, and draws conclusions about the type of IS and the presence of potential (possible) vulnerabilities. A scanning result is not always a hundred percent reliable indication of possible (typical) IS vulnerabilities, since the text of the banner may have been deliberately modified, or the known vulnerabilities inherent in this IS may have been eliminated by a specialist during its deployment (use). Another way of performing scanning actions is active probing checks, which make it possible to analyze the digital fingerprint (FingerPrint) returned by a fragment of the controlled IS (i.e. to compare the obtained result with the digital fingerprint of a known vulnerability of this type of IS). This method gives a more reliable and accurate procedure for detecting possible (typical) vulnerabilities of the controlled IS.
During probing (attack simulation), the SAZ imitates the execution of an attack on the controlled IS using the image of a possible (typical) vulnerability obtained during scanning. The result of probing is the most accurate and reliable information about the presence of vulnerabilities in the controlled IS. This method is not always applied, since there is a chance of disrupting the operation (availability) of the controlled IS. The decision to apply it is taken by the network administrator when the results of scanning and active probing checks are incomplete or need to be confirmed.
The results of scanning and probing are placed in the vulnerability database, in which the images of the controlled IS's vulnerabilities are stored. Based on the procedure of comparing the image of a detected vulnerability with the vulnerabilities of the controlled IS, the SAZ generates a report on the absence or presence of matches (detection of vulnerabilities), which is saved in the vulnerability database.
The generalized model for detecting vulnerabilities is detailed by a generalized model for identifying and evaluating images of IS vulnerabilities (Figure 2).
Figure 2. A generalized model for identifying and evaluating vulnerability images
The image of a detected IS vulnerability, which has specific characteristics (elements), is identified by comparing it with the images of known and zero-day vulnerabilities stored in the vulnerability database. Known and zero-day vulnerabilities are formally described in the form of passports that contain information on the specific characteristics (elements) of a particular vulnerability. For accurate identification, the image of a detected vulnerability must contain the name and version of the IS in which the vulnerability was detected, and the identifier, name and class of the detected vulnerability. On the basis of this information, the SAZ assigns the image of the detected vulnerability to one of the vulnerability types. For a high-quality evaluation, the identified vulnerability image must also contain the identifier and type of the IS shortcoming in which the vulnerability was detected, the place in the IS where the vulnerability was detected, and the method by which it was detected. The evaluation of a vulnerability image ends with the development of recommendations for eliminating the vulnerability or excluding its use. When the image is that of a first-time identified vulnerability, the SAZ places information about it in the vulnerability database by creating a new zero-day vulnerability passport. Once the developer releases information security measures, the necessary updates, or fixes for the shortcoming, the zero-day vulnerability passes into the status of a known vulnerability.
Summarizing the results of this article, we note that a security specialist must continuously work on identifying vulnerabilities in the system, clearly understand the processes taking place in the SAZ, monitor the updating (expansion) of the vulnerability database, eliminate shortcomings in the system in a timely manner, and apply the corresponding protection measures and updates to the controlled IS.
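The detection, identification and evaluation steps just described (a scan or probe result, comparison with the passports stored in the vulnerability database, classification as known, zero-day or first-time identified, and a closing recommendation) can be traced in code. The following Python sketch is an added example and is not the authors' implementation or the code of any SAZ product; the element names, the passport layout, the sample identifiers and the recommendation wording are assumptions of this example.

```python
"""Toy model of the identification/evaluation procedure for vulnerability
images. All names and sample values below are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    KNOWN = "known"
    ZERO_DAY = "zero-day"
    FIRST_TIME = "first-time identified"


class Method(Enum):
    SCAN = "scan"        # passive banner check: a possible vulnerability only
    PROBE = "probe"      # active fingerprint check: a likely vulnerability
    ATTACK_SIM = "sim"   # attack simulation: a confirmed vulnerability


@dataclass(frozen=True)
class Image:
    """Elements of a detected vulnerability image (assumed element names)."""
    is_name: str
    is_version: str
    vuln_id: str
    name: str
    vuln_class: str
    level: str      # application / DBMS / OS / network
    place: str      # where in the IS the vulnerability was detected
    method: Method


@dataclass
class Passport:
    """Formalized description of a known or zero-day vulnerability."""
    vuln_id: str
    name: str
    vuln_class: str
    affected: frozenset   # set of (is_name, is_version) pairs
    kind: Kind
    fix_available: bool = False


class VulnDB:
    """Vulnerability database holding passports keyed by identifier."""

    def __init__(self):
        self.passports = {}

    def add(self, passport):
        self.passports[passport.vuln_id] = passport

    def match(self, image):
        # Identification needs IS name + version and the vulnerability id.
        p = self.passports.get(image.vuln_id)
        if p is not None and (image.is_name, image.is_version) in p.affected:
            return p
        return None

    def publish_fix(self, vuln_id):
        """The developer released a fix: the zero-day passport becomes known."""
        p = self.passports[vuln_id]
        p.fix_available = True
        p.kind = Kind.KNOWN


def identify(db, image):
    """Compare the image with stored passports; register new zero-days."""
    p = db.match(image)
    if p is not None:
        return p.kind, p
    # Not in the database: a first-time identified vulnerability gets a new
    # zero-day passport so later detections are identified as zero-day.
    p = Passport(image.vuln_id, image.name, image.vuln_class,
                 frozenset({(image.is_name, image.is_version)}), Kind.ZERO_DAY)
    db.add(p)
    return Kind.FIRST_TIME, p


def evaluate(kind, passport, image):
    """Close the evaluation step with a list of recommendations."""
    rec = []
    if image.method is Method.SCAN:
        rec.append("banner-based result only: confirm with an active check before acting")
    if kind is Kind.KNOWN and passport.fix_available:
        rec.append(f"apply the published fix for {passport.vuln_id} on the {image.level} level")
    else:
        rec.append(f"no fix published: apply compensating protection at {image.place} "
                   f"({image.level} level) to exclude use of {passport.vuln_id}")
    if kind is Kind.FIRST_TIME:
        rec.append(f"new zero-day passport created for {passport.vuln_id}; "
                   "report it to the IS component developer")
    return rec


def run_demo():
    """Constructed walk-through; returns the kinds assigned at each step."""
    db = VulnDB()
    db.add(Passport("V-001", "weak default configuration", "configuration",
                    frozenset({("DemoIS", "2.1")}), Kind.KNOWN, fix_available=True))
    known = Image("DemoIS", "2.1", "V-001", "weak default configuration",
                  "configuration", "DBMS", "db server", Method.PROBE)
    new = Image("DemoIS", "2.1", "V-002", "unvalidated input", "software error",
                "application", "web front end", Method.SCAN)
    steps = [identify(db, known)[0], identify(db, new)[0], identify(db, new)[0]]
    db.publish_fix("V-002")
    steps.append(identify(db, new)[0])
    return [k.value for k in steps]


if __name__ == "__main__":
    print(run_demo())
```

The fourth step of `run_demo` shows the status transition from the text: the same image is first-time identified once, zero-day on the next detection, and known after the developer publishes a fix.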
References:
- Astakhov A.S. Analysis of the security of corporate automated networks // JET INFO newsletter. 2002. No. 7 (110). [Electronic resource]. URL: http://www.jetinfo.ru (accessed 09/15/2016).
- Gorbatov V.S., Meshcheryakov A.A. Comparative analysis of tools for monitoring the security of a computer network // Security of Information Technologies. 2013. No. 1. [Electronic resource]. URL: http://www.bit.mephi.ru (accessed 09/14/2016).
- GOST R 56545-2015 "Information protection. Vulnerabilities of information systems. Rules for the description of vulnerabilities." Moscow: Standartinform, 2015.
- GOST R 56546-2015 "Information protection. Vulnerabilities of information systems. Classification of information system vulnerabilities." Moscow: Standartinform, 2015.
- Lukatsky A.V. How does a security scanner work? [Electronic resource]. URL: http://www.citforum.ru/security/internet/scaner.shtml (accessed 09/14/2016).
- Lukatsky A.V. Attack detection. St. Petersburg: BHV, 2001. 624 p.
- User's Guide of the "Scanner-VS" security analysis software package. NPSH.00606-01. CJSC "NPO Echelon", 2011.
- XSpider security scanner. Administrator's Guide [Electronic resource]. URL: http://www.ptsecurity.ru (accessed 09/15/2016).
- MaxPatrol security scanner. Security control system [Electronic resource]. URL: http://www.ptsecurity.ru (accessed 09/16/2016).
- Stephen Northcutt, Judy Novak. Network intrusion detection. 3rd ed. Translated from English. Moscow: Williams, 2003. Pp. 265-280.
I detected a dump - for and against
Greetings. I am a man on your forum absolutely new, came with my own problems. But several people asked to write about the detection of dumps, so I will write as I can.
To begin with, let's look at what "dump" is - expressing in a simple language. This information is written on a magnetic tape of a card that carries data. It is these data (account, balance, PIN, FULL NAME, Cardholeder and TD) make it possible to make money from ATMs and pay shopping in the store.
In this example B4000001234567890 ^ Petrov / Ivan ^ 03101011123400567000000 is the information of the first track, and 4000001234567890=03101011123495679991
- Information listed in the second track. You should not try to use the first track construction algorithm using the data from the second, since the example above is only a visual manual, and different templates are used in different banks.
Now let's see closely on the first track: it starts with a Latin letter in, which indicates that it is bank card. 400000 123456789 0
- this is the so-called card number or Pan, as professionals call it, 400000
- Bin, in which you can define a bank emitting a card, and the type of credit card itself, 123456789
- Map number in the bank.
Zero at the very end of PAN is a check digit. ^ Petrov / Ivan ^ - the name of the card holder, Card Heder. 0310 - Expire card, that is, the date that the card is valid. In this case, this is October 2003. 101 - Service code. It is usually equal to 101. 1 - the key number in which the PIN card is encrypted. Need only when working with an ATM and with those operations when PIN is required. 1234 - encrypted PIN value. It is necessary in the same cases as the key number above. 567 - CVV, verification value for the card number. It turns out by encrypting a pair of banking keys of the service code, PAN and Expyr. CVV2 is obtained in the same way, only the service code is replaced with zeros, which is why the TsVV and TsVO2 values \u200b\u200bdiffer from each other. The second track is largely similar to the first, but it is the main, and, having it, you can build information from the first track.
By itself, the credential is white plastic, which carries the function of the matrix to which info about the dump is entered. The recording is made using the MSR machine that you can buy now approximately on a free sale only google.
Sale of dumps.
It is not very pleasant to realize that in our life there are people who are trying to get into this business reading the ad "Sell Dump + Pin"
Remember: "Sell Dump + Pin" - Kidalovo. People who really can get a dump with pin, can themselves and rent money from the card. Therefore, only dumps sell.
Damps are sold as a rule in the form of tracks, which was written above. Next, you take the MSR, write a dump on plastic and get ready-made credentials.
How to cash off? As a rule, by means of shopping. Shopping in stores is very easy if you sold the card correctly. That's right - it was not just drove on the blank, and at least at least printed a picture and so on. After all, you will agree that with simple white plastic you can do onala either in the stores of friends or at home)
And so the way to detect 1
White plastic. We go to a friend to the store, we buy that thread up to 900 bucks for example, a laptop there or a TV. A friend is clear that in the subject, pleased, got his rollback on all the problems of him.
Pluses: Not Hurry, sellers do not smell, their store.
Cons: you will not repeat many times if they come to him (and they will come to him) can pass you
Method number 2.
Shopping in ordinary stores. Well, that's simple, just think up from the cameras to hide and get plastic already with a painted picture
Pluses: With a constant change in shops for the shop, less chance will be saved, and people do not know you
Cons: cameras, do not always pass payments, can not always send plastic with picture
Method number 3.
Message PE with terminal. The essence is generally simple, there are no few firms sell PE on left people, or in general missing. With such an emergency, it is convenient to work, so it does not associate anything with you. All incoming money can be displayed with checkbooks or corp cards. There is such an emergency of approximately 2-3k bucks, with a cross terminal, account, and open acquiring
Now Privat Bank (Ukraine) offers users a mini terminal who works with Android and IOS phones. The bottom line is that you can receive payments yourself on your card through this terminal. But about it on the site of the bank. And yes, I have not tried.
To work properly in this topic, I consider it necessary to have:
Msp
Plastic
Printer for printing on plastic
With this set, you do not fall with shipment of cards, but just get a dump in ICQ, do not soar with white plastic and print your photo on the map yourself. Well, in general, so much more convenient.
This IMHO, wrote since 4 people asked in LS.
Thank you
She has been found in black (gray) na.
In principle, not my horse is not very spatially and deployed, but I give the essence who wants to get himself. The article itself is written in order to recall once again that the rule for detecting is not more than 10%. Well, a little more for a small amount.
Everything is simple - enrollment from the payments (any ru because we have been talking about hand) on bi - 0%, with sim per card - 0%, from cards through kiwi on plastic - 5.45% (3.45% Card Commission and 2 % + 20 (40) rubles. KIVI) so 10% are the norms.
There are more favorable ways, but they make sense to speak if the sums are more than more.
Virtual map Beeline, obtained by * 100 * 22 # - This is a map of Alfa Bank ()
And according to [ Links only visible to registered users. ] In the line "Enumeration of funds using a bank prepaid Visa virtual card - Beeline - Alfa-Bank" We see "magic" words "3.45% of the amount of operation."
Through QIWI more - "5.45% (3.45% Card Commission and 2% + 20 (40) Rub. Kiwi Commission)".
Restrictions on the transaction operations - 15 tyar per day, 40 per week with one card. [ Links only visible to registered users. ]
Seek it on the second day. Either to first. Depends on the source of funds.
Transfer to another card is free only if the Issuer Bank's second card is also alpha. Otherwise, 1.95% of the transfer amount.
If used, for example, VISA translation system, then according to [ Links only visible to registered users. ] "Partner banks and payment terminal operators can at its discretion to set the amount of the Service Commission" ©.
Everyone can arise the interest on the fingers and think who will fool for someone to do similar "manipulations" with the search for drops or left docks, ordering cards, binding, left sims, commissions and removal in ATMs with a clumsy for ssane 10%? If it comes out.
Only yourself, handles. and legs.
In general, the topic is old as Cal Mammoth. It is called "the pages of the Bilain and banks of half an hour and ready." It is easier in the described method to use the cards of the Bank Tauride. It was just a long time ago
And so relevance tends to zero.
Other sums, other methods. And this is a pampering student.
Firstly:
I do not urge anyone to use the data layouts in practice - it's only purely theoritical calculations!
Secondly:
I think that this topic is here as it concerns only little by one.
We are talking about the possible way to detect black (gray) money for a possible way, it seems like less detailed information on the forum. At least, I will summarize the essence, and then the announced by a lot of deft - but ask something unreal.
Go.
Let's say on a second that we have 100k in our payments (sieve on the example of the ru, although the difference will not be big), but if you take this money to your card, then you know for sure that you will then look good and well if you do not resort to the help of tremorectal Detector Truth! What do you do you need this money.
1 waythe easiest way and most unpleasant and heavy IMHO is to find someone who is cleaning, the minuses 2 but what: 1 - can throw. Therefore, work is only through the guarantor of the proven resource - the slightest doubts - immediately refuse. The 2nd minus and it is more sick of the first if you do not have your proven wash maker. Get ready to pay hell 15-25% - tramp it because it is very much.
And therefore I consider as the main method 2 (Well, if there is no one who is pouring you in 8% (justice for such interest comes from 100k just!))
2 wayI will not be sprayed about the configuration of the safe exit Internet - google, well, or later the article will add. Although presumably if you were able to get 100k - you know it and so.
- The first than the plastic card on the left data should be concerned. At the rate of 99k - 1 card (the option is possible, but most often - so)
- The second left symcards of the Beelain (OGA is about the OPSSE) at the rate of 10K - 1Sim
That's actually all you need for bare.
So everything is ready - for each SIM fill on 10K - Next, call where the thread is far and pronounce 150r (most often the left sim you will not need new, if not, you do not need to call) - now register the virtual map of the Pchelene (* 100 * 22 # challenge) and We get details - register in Kiwi's payment (Wow, as I love it), we bring a virtual about (Data left of course) and using our details pay using the MasterCard Moneysend option or using the VISA payment and transfers to receive Profit (if those that are specified in my article for example, Money will fall for 2-3 minutes. Well, it remains only to cash these funds through an ATM!
So I will continue on the article on the day probably unsubscribe.
Preparation of "CEH"
Part 1
Security problems are extremely relevant today. To protect their networks from unwanted intrusion, a specialist needs to master the basic hacking methods and techniques.
Experts have developed a unique comprehensive training program, Certified Ethical Hacker, aimed at preparing high-class specialists to successfully identify and solve security problems in mixed computer networks, and to investigate hacking incidents and take measures to prevent them.
An ethical hacker is a computer security specialist who specializes in testing the security of computer systems.
Reconnaissance Stage: Information Gathering
Introduction
Have you ever read Sun Tzu's The Art of War? If not, let me warn you: it is not a work you read in bed holding your breath in anticipation of how it will end. However, it is a masterpiece that persistently describes military strategy, as applicable today as when it was written by the Chinese general two thousand years ago. It seems to me that while writing it Sun Tzu could not imagine what a powerful manual he would create, but the fact that the book is to this day considered required reading for military leaders confirms that Sun Tzu knew a thing or two about warfare. Since the field of information technology is a virtual battlefield, why not use The Art of War as a guide?
Two (or several) thousand years ago, moving an army over a certain distance required a great deal of time and resources. It turned out that after a long march in a short time an army could be so exhausted that it was physically unable to take part in battle. At the same time, as we all know, during a war it is impossible to take a time-out to catch one's breath. Sun Tzu approached the development of a strategy of warfare on the intellectual level. His strategy is based on reconnaissance. He was firmly convinced that if you spend a lot of time and effort studying your enemy's army, then in the fight against him victory will be as good as secured at the reconnaissance stage. In Sun Tzu's time, reconnaissance was done "by hand": many spies were involved who penetrated enemy territory, observed, eavesdropped, and reported what was happening on the opponent's side. Sun Tzu said that "spies are as important to an army as water".
On the battlefield where we find ourselves, even though it is virtual, Sun Tzu's judgments remain just as relevant. Do you want to succeed as an ethical hacker? Then you should know how to gather information about your targets before you try to attack them. This chapter contains information about the tools and methods needed for data collection. Those of you who like the idea of spies and espionage as a whole can use human spies and good old legwork, although nowadays most of this process takes place by virtual means. First, we should make sure that we know what an attack and a vulnerability are on the virtual battlefield.
Vulnerability Research
I can imagine what some of you will say. I can almost hear you shouting at the page and trying to reach me, arguing that vulnerability research is not part of footprinting (a definition we will give in a minute). And, honestly, I have to agree with you: you are right, it is definitely not part of footprinting as defined in CEH. Nevertheless, the main goal of this article is to help you really become an ethical hacker. Only by applying knowledge from day to day do you come to own it. This section is not about current vulnerabilities on which you have already collected some data; that comes later. This section is devoted to the relevant knowledge that will make you an effective specialist.
For those of you who are only now getting involved in ethical hacking, I want to emphasize that vulnerability research is an essential step that you must learn and assimilate. How can you be ready to attack a system or network if you have no idea what vulnerabilities may be found there? Therefore close attention should be paid to vulnerability research.
Vulnerability research requires tremendous effort from specialists. Most of the vulnerabilities studied remain known only insofar as they can touch our lives. Keep in mind that although most of the major work has already been done for you, it remains your responsibility to follow and react to the research. Most of your research will come down to reading a huge amount of information, especially from websites. The main task in this research is tracking the latest news, analyzing outbreaks of zero-day attacks, viruses and malware, and collecting recommendations for combating them. Go through the news and read what is happening, but remember that by the time something appears on the front page of kaspersky.com or foxnews.com, a lot of time has probably passed. A good specialist who knows what to look for, where to look for it, and how to use it has an advantage in the "battle". Here are some sites you should add to your favorites list:
- National Vulnerability Database (nvd.nist.gov)
- Exploit Database (exploit-db.com)
- SecurityTracker (www.securitytracker.com)
- SecuriTeam (www.securiteam.com)
- Secunia (www.secunia.com)
- HackerStorm Vulnerability Research Tool (www.hackerstorm.com)
- HackerWatch (www.hackerwatch.org)
- SecurityFocus (www.securityfocus.com)
- Security Magazine (www.securitymagazine.com)
- Dr.Web (www.drweb.com)
- Kaspersky Lab (www.kaspersky.com)
- Check Point (www.checkpoint.com)
- SRI International - R&D for Government and Business (www.sri.com)
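Following the sources above by hand does not scale, so in practice a defender filters a machine-readable vulnerability feed against an inventory of the products actually deployed and looks only at what applies. The following Python example is added here and is not from the article, from CEH, or from NVD; the embedded feed is a constructed sample laid out like the NVD JSON API 2.0 response (an assumption about that layout), and the CVE identifiers, vendor and product names are placeholders.

```python
"""Filter a vulnerability feed against a software inventory.
The feed and inventory below are constructed samples; the JSON layout
imitates the NVD API 2.0 response (assumed), the ids are placeholders."""
import json

SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "descriptions": [{"lang": "en", "value": "Placeholder flaw in exampleapp 1.2"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.2:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002",
             "descriptions": [{"lang": "en", "value": "Placeholder flaw in a product we do not run"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:somevendor:otherapp:3.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003",
             "descriptions": [{"lang": "en", "value": "Placeholder flaw in every dbengine version"}],
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]},   # only a v2 score
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:othervendor:dbengine:*:*:*:*:*:*:*:*"}]}]}]}},
]})

# Constructed inventory: (vendor, product, version) of what is deployed.
INVENTORY = {("examplevendor", "exampleapp", "1.2"), ("othervendor", "dbengine", "5.0")}


def parse_cpe(criteria):
    """cpe:2.3:part:vendor:product:version:... -> (vendor, product, version)."""
    f = criteria.split(":")
    if len(f) < 6 or f[0] != "cpe" or f[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria}")
    return f[3], f[4], f[5]


def affected_products(cve):
    """All CPE triples the entry marks as vulnerable."""
    out = []
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if m.get("vulnerable"):
                    out.append(parse_cpe(m["criteria"]))
    return out


def base_score(cve):
    """Prefer CVSS v3.1, then v3.0, then v2; None when the entry is unscored."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for m in metrics.get(key, []):
            return float(m["cvssData"]["baseScore"])
    return None


def matches(item, cpe):
    """A CPE with version '*' applies to every version of that product."""
    vendor, product, version = cpe
    return item[0] == vendor and item[1] == product and version in ("*", item[2])


def relevant(feed_text, inventory, min_score=0.0):
    """(id, score, inventory hits) for entries that touch the inventory,
    highest score first; unscored entries are kept only when min_score is 0."""
    hits = []
    for entry in json.loads(feed_text)["vulnerabilities"]:
        cve = entry["cve"]
        score = base_score(cve)
        if (score or 0.0) < min_score:
            continue
        affected = affected_products(cve)
        hit = sorted({item for item in inventory for cpe in affected if matches(item, cpe)})
        if hit:
            hits.append((cve["id"], score, hit))
    hits.sort(key=lambda h: -(h[1] or 0.0))
    return hits


if __name__ == "__main__":
    for vuln_id, score, products in relevant(SAMPLE_FEED, INVENTORY):
        print(vuln_id, score, products)
```

The wildcard handling in `matches` is the edge case worth noticing: a feed entry that names a product with version `*` must not be dropped just because the inventory records a concrete version.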
One of the best places to meet information security gurus is the professional events held by industry organizations. For example, ISSA (Information Systems Security Association) holds meetings throughout the United States, and participation is usually free.
Exercise 1: Vulnerability Research
This exercise studies one of the free resources listed above, HackerStorm.
- Create a folder on drive C:\ named HackerStorm (to store everything).
- Go to www.hackerstorm.com, to the OSVDB tab; this is the free tool at the top. Additional link: http://freecode.com/projects/hackerstorm-vdb
- Click the Download GUI v.1.1 button and save the file to the HackerStorm folder. Unzip the files into the folder.
- Click the DOWNLOAD XML DB button, save the file to the HackerStorm folder and unpack the files into the folder. Select "Yes to all" when prompted to overwrite files.
- In the HackerStorm folder, double-click the Start.html file. The OSVDB window will appear on the screen.
- Press the SEARCH OSVDB button at the bottom. Scroll down, select Mozilla Organization, and then click the View button.
- On the next screen, select View All. Scroll through the vulnerability list, select one of them and click on it. Read the description, solution, details, links, and contributors. In this way you can view any information about a specific vulnerability (see Figure 2).
[Figure: HackerStorm OSVDB window; vulnerability details]
The database of this tool is updated daily, so you can download it and follow the newest researched attacks, viruses and vulnerabilities before the news is first published. It is an excellent tool for starting to master the reconnaissance stage.
The use of the scanning tools themselves will be covered later.
NOTE
From a purely philosophical point of view, a new ethical hacker should follow Sun Tzu's tactics: "determine" victory before entering the battle. Keep in mind that any activity carried out without a goal is a risk. Consequently, if you are not sure why you should analyze or collect information, do not do it.
Footprinting
Gathering information about your intended target is more than just the initial step of an overall attack; it is an invaluable skill that you need to improve as an ethical hacker. I believe that most people who want to learn more in this area eventually come to two questions: what kind of information am I looking for, and how can I find it? Both are excellent questions, and we will answer both in this section.
It seems important to me to understand that there is a difference in definition between reconnaissance and footprinting. For many, reconnaissance is the more general, inclusive term for gathering information on targets, while footprinting efforts are aimed at a higher planning level, to understand the overall picture. These terms are used interchangeably in CEH language, but you should remember that footprinting is part of reconnaissance.
At the footprinting stage, you are looking for any information that can give some idea of the target, no matter how large or small. Of particular importance in our case are items related to the high-level architecture (which routers are used, which servers were purchased), applications and websites (private or public), and physical security measures (what type of access control system is used, which barriers it has, what activities employees perform and how often). Of course, anything that provides information about the employees themselves is very useful, since employees are one of the most important targets for you in the future. Only a small part of this information takes serious work to obtain; a large amount of data lies right in front of you, you only need to open your virtual eyes.
First of all, let's deal with a pair of terms: active and passive footprinting. Active footprinting requires that the attacker physically touch or change something in the settings of devices or networks, whereas this should not happen during passive footprinting. For example, a passive footprinter can view websites or public records, while scanning your IP addresses is active footprinting. You are considered a passive footprinter when you are on the Internet checking websites and looking at DNS records, and an active footprinter when you collect data from employees using social engineering methods.
NOTE
Footprinting is the process of collecting information about computer systems and networks. It is the very first data collection step and provides a high-level plan of the target system or network. It is about collecting as much information as possible.
At the footprinting stage, as in the other steps of hacking, there is an organized path from beginning to end. You should start with the information you can collect from a "50,000-foot view", using web resources aimed at collecting data about the target. For example, consider the term competitive intelligence (especially since this is a direct goal of the ethical hacker). Competitive intelligence collects information about the subject: its business activities, its competitors, its clients, its products and its marketing. Most of this information is easily accessible and can be obtained by various means. There are several competitive intelligence methods that you will find useful to learn.
A great place to start is the company's website. Think about it: what information do company employees want to put on their website? They want to provide as much information as possible to potential customers about who they are and what they can offer. Sometimes, though, the page can be literally overloaded with data. Publicly available information may include the company's history, directory listings, current and future plans, and even technical information. Built with the aim of attracting clients, sites sometimes inadvertently hand hackers detailed information on technical capabilities and network composition.
NOTE
Sometimes companies have internal links aimed at employees and business partners. The easiest way to see these links is to use Netcraft or other link extractors from companies like iWebTool or Webmaster Alpha.
Another source of information about a potential target is job vacancies. On resources like hh.ru, superjob.ru, rabota.ru or any of the many similar sites, you can literally find everything you would like to know about a company's technical infrastructure, for example from a listing stating that "the candidate must be well versed in Windows 2003 Server, MS SQL 2000 and Veritas Backup". Social networking sites, LinkedIn for example, can also provide relevant information. Facebook and Twitter are also big sources of information. And, just for fun, it is worth checking http://en.wikipedia.org/wiki/.
Finally, two more aspects of web footprinting are worth noting. First, copying a website directly to your own system will definitely speed up the processing of its objects; utilities such as BlackWidow, Wget and TeleportPro do this. Second, information relevant to your research could have been placed on the site long ago, and its data may since have been updated or removed. Sites like www.archive.org and Google Cache can give an idea of information that the owners thought they had long since got rid of, but, as they say, once posted, available forever.
NOTE
Not so long ago, two new terms concerning footprinting appeared: anonymous and pseudonymous. With anonymous footprinting it is impossible to trace the attacker; closely related is pseudonymous footprinting, where tracing the attacker leads to another person.
Listing all the methods of collecting information at the footprinting stage is almost impossible, because opportunities for collecting information are everywhere. Do not forget to include collecting data with search engines in this list; you will be surprised how much information you can find by searching on a company name. More competitive intelligence tools for collecting and analyzing information: Google Alerts, Yahoo! Site Explorer, SEO for Firefox, SpyFu, Quarkbase and Domaintools.com.
Spend some time exploring these methods at your discretion. Remember that all these tools and opportunities are completely legitimate; anyone can use them at any time for any purpose.
Footprinting tools
NOTE
Have you ever looked at an email header? You can get interesting details from it: by sending any company a fake email, you can determine a future attack vector from the returned message.
Footprinting and DNS.
DNS, as you undoubtedly already know, maps names to IP addresses (and vice versa); it is the service that lets us enter the name of a resource and get to its address.
Basics of DNS.
The DNS system consists of servers all over the world. Each server holds and manages the records for its own small corner of the world, known as its DNS namespace. Each of these records points to a specific type of resource. Some entries are IP addresses leading to individual systems on the network, while others provide the addresses of email servers. Some provide links to other DNS servers that help people find what they are looking for.
NOTE
Port numbers are very important when discussing systems and networks. When we talk about the DNS service, it uses port 53. Name lookups usually use the UDP protocol, while zone transfers use TCP.
Large, huge servers can handle a namespace as large as a top-level domain. The beauty of this system is that each server worries only about the name entries for its own part of the namespace and knows how to contact the server "higher up". The system looks like an inverted tree, and you can see how a request for a specific resource can easily be sent to the appropriate server. For example, in Figure 3-4, the third-level server AnyName.com manages all the names in its own namespace, so anyone looking for a resource from that site can contact this server to find the address.
Figure 3-4: The DNS system.
The only disadvantage of this system is that from the types of DNS records a hacker can learn about your network configuration. For example, what do you think, might it be important for an attacker to know which server in the network holds and manages all the DNS records? Or where the email servers are? Heck, if it comes to that, would it be useful to know where the public websites are actually located?
All of this is determined by studying the DNS record types, which I have listed below:
DNS record type; Label; Description
SRV; Service; Specifies the host name and port number of a server providing a particular service, for example a directory service.
SOA; Start of Authority; Identifies the primary name server for the zone. The SOA record contains the name of the server responsible for all DNS records in the namespace, as well as the basic properties of the domain.
PTR; Pointer; Maps an IP address to a host name (provided the DNS has an entry in the reverse zone). A PTR record is not always configured in the DNS zone, but as a rule a PTR record points to the mail server.
NS; Name Server; Defines the name servers within your namespace. These are the servers able to answer their clients' queries by name.
MX; Mail Exchange; Identifies the email servers within your namespace.
CNAME; Canonical Name; Lets you assign an alias to a host name; for example, you can have an FTP service and a web service running on the same IP address. CNAME records can be used together with DNS A records.
A; Address; Maps an IP address to a host name and is used most often for DNS lookups.
These records are stored and managed by the authoritative server of your namespace, which shares them with other DNS servers. The process of replicating all these records is known as a zone transfer.
Given the importance of the records stored here, it is obvious that administrators should be very careful about which IP addresses are allowed to request a zone transfer. If you allow zone transfers to any IP, you might as well post a map of your network on your website and save yourself the trouble. That is why most administrators restrict even zone transfer requests to a small list of name servers inside their network.
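The restriction described above can be checked mechanically. The following Python example is added here and is not code from the page or its author; it audits constructed BIND named.conf zone blocks (the zone name, file name and 192.0.2.x addresses are made up) and reports, for each zone, whether allow-transfer is open to any host, restricted to a list, or not set at all. The weak and hardened configurations are shown side by side.

```python
"""Audit BIND zone blocks for who is allowed to pull a zone transfer."""
import re

# Constructed sample: the weak setting the text warns about.
WEAK_CONF = """\
zone "anycomp.com" {
    type master;
    file "anycomp.com.zone";
    allow-transfer { any; };
};
"""

# Constructed sample: transfers limited to the two secondaries (assumed addresses).
HARDENED_CONF = """\
zone "anycomp.com" {
    type master;
    file "anycomp.com.zone";
    allow-transfer { 192.0.2.11; 192.0.2.12; };
    also-notify { 192.0.2.11; 192.0.2.12; };
};
"""

# A zone block runs from zone "name" { to the first }; that starts a line.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)^\};', re.S | re.M)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def audit_zone_transfers(conf_text):
    """Return {zone_name: (status, acl)} with status open / restricted / default."""
    results = {}
    for name, body in ZONE_RE.findall(conf_text):
        match = TRANSFER_RE.search(body)
        if match is None:
            # No explicit ACL: the zone inherits the server-wide or built-in
            # default, which this checker deliberately does not assume.
            results[name] = ("default", [])
            continue
        acl = [t.strip() for t in match.group(1).split(";") if t.strip()]
        status = "open" if "any" in acl else "restricted"
        results[name] = (status, acl)
    return results


def report(results):
    """Human-readable findings, one line per zone."""
    lines = []
    for name, (status, acl) in results.items():
        if status == "open":
            lines.append(f"{name}: allow-transfer {{ any; }} lets anyone copy the zone")
        elif status == "restricted":
            lines.append(f"{name}: transfers restricted to {', '.join(acl)}")
        else:
            lines.append(f"{name}: no allow-transfer set, review the server default")
    return lines


if __name__ == "__main__":
    for conf in (WEAK_CONF, HARDENED_CONF):
        for line in report(audit_zone_transfers(conf)):
            print(line)
```

The regexes are intentionally minimal and assume one allow-transfer statement per zone block; a real named.conf can also set allow-transfer globally in options, which a full audit would need to read as the fallback for zones that report "default".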
Think for a minute about a DNS lookup for a resource on the network. For example, a person is trying to connect to an FTP server to download some important, confidential data. The user types ftp.anycomp.com and presses Enter. The DNS server closest to the user checks its cache to see whether it knows the address for ftp.anycomp.com. If it is not there, the server searches its way through the DNS architecture, finds the authoritative server for anycomp.com and gets the correct IP address, which is returned to the client, and finally the FTP session begins.
NOTE
When it comes to DNS, it is important to remember that there are two real kinds of servers involved. Name resolvers simply answer requests. Authoritative servers hold the records for a given namespace, information that comes from an administrative source, and answer from them.
Suppose you are a hacker and you really want to get some confidential data. One possible method is to change the cache on the local name server, for example pointing to a fictitious server instead of the real address for ftp.anycomp.com. The user, if not attentive, will connect and download documents to your server. This process is known as DNS poisoning, and one way to counter it is to limit how long entries are kept in the cache before they are refreshed. There are many other ways to protect against this, but we will not discuss them here; the point is simply to demonstrate how valuable such entries are to an attacker.
The SOA record contains a great deal of information. Besides the host name of the primary server for the DNS namespace (zone), it contains the following:
- Source Host: the host name of the SOA server.
- Contact Email: the email address of the person responsible for the zone file.
- Serial Number: the version of the zone file (incremented whenever the zone file changes).
- Refresh Time: the interval after which a secondary DNS server will refresh the zone.
- Retry Time: the interval after which a secondary DNS server will retry a zone refresh if the zone transfer failed.
- Expire Time: the interval during which the secondary server will keep trying to complete a zone transfer.
- TTL: the minimum lifetime of all records in the zone (if they are not refreshed by a zone transfer, they are discarded).
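To make the record types in the table above and the SOA fields just listed concrete, here is an added Python example (not code from the page or its author). It parses a constructed BIND-style zone file for the fictional anyname.com namespace from the DNS figure; all host names, addresses and timer values are assumed. The SOA fields come out in the order the list gives them, and infrastructure_summary shows exactly what such a zone reveals to anyone who can read it, which is why the zone transfer restriction matters.

```python
"""Parse a small BIND-style zone file and extract the SOA fields and key records."""
from dataclasses import dataclass

# Constructed sample zone (hypothetical names, RFC 5737 test addresses, made-up timers).
SAMPLE_ZONE = """\
$TTL 3600
anyname.com.   IN SOA  ns1.anyname.com. hostmaster.anyname.com. (
                      2024010501 ; serial
                      7200       ; refresh
                      900        ; retry
                      1209600    ; expire
                      300 )      ; minimum TTL
anyname.com.   IN NS   ns1.anyname.com.
anyname.com.   IN NS   ns2.anyname.com.
anyname.com.   IN MX   10 mail.anyname.com.
ns1            IN A    192.0.2.10
ns2            IN A    192.0.2.11
mail           IN A    192.0.2.20
www            IN A    192.0.2.30
ftp            IN CNAME www
_ldap._tcp     IN SRV  0 5 389 ldap.anyname.com.
"""


@dataclass
class Record:
    owner: str
    rtype: str
    rdata: list


@dataclass
class SOA:
    source_host: str
    contact_email: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum_ttl: int


def _logical_lines(text):
    """Strip ';' comments and join records continued across lines inside ( )."""
    lines, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf += " " + line
        if depth == 0:
            if buf.strip():
                lines.append(buf.strip())
            buf = ""
    return lines


def parse_zone(text):
    """Return Record objects for every resource record; $-directives are skipped."""
    records = []
    for line in _logical_lines(text):
        if line.startswith("$"):
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        i = 1
        # Optional TTL (digits) and class (IN) may sit between owner and type.
        while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() == "IN"):
            i += 1
        records.append(Record(tokens[0], tokens[i].upper(), tokens[i + 1:]))
    return records


def records_of_type(records, rtype):
    return [r for r in records if r.rtype == rtype.upper()]


def soa_from_records(records):
    """Map the seven SOA rdata fields onto the names used in the text."""
    soa = records_of_type(records, "SOA")[0]
    host, contact, serial, refresh, retry, expire, minimum = soa.rdata
    # In zone-file syntax the first dot of the contact stands for '@'.
    email = contact.rstrip(".").replace(".", "@", 1)
    return SOA(host, email, int(serial), int(refresh), int(retry), int(expire), int(minimum))


def infrastructure_summary(records):
    """What the zone exposes: name servers, mail servers, hosts, aliases, services."""
    return {
        "name_servers": [r.rdata[0] for r in records_of_type(records, "NS")],
        "mail_servers": [r.rdata[1] for r in records_of_type(records, "MX")],
        "hosts": {r.owner: r.rdata[0] for r in records_of_type(records, "A")},
        "aliases": {r.owner: r.rdata[0] for r in records_of_type(records, "CNAME")},
        # SRV rdata is priority, weight, port, target.
        "services": [f"{r.owner} -> {r.rdata[3]}:{r.rdata[2]}" for r in records_of_type(records, "SRV")],
    }


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(soa_from_records(recs))
    print(infrastructure_summary(recs))
```

The parser handles only the subset of zone-file syntax shown in the sample (no $ORIGIN substitution, no relative-name expansion); its purpose is to show where each SOA field lives and how much of the network layout a single zone copy gives away.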
Exercise 2: Demonstrating the result of a DNS attack
In fact, in this exercise we are not going to change DNS records on a server or steal anything. We will use the hosts file built into Windows to demonstrate the problems with DNS lookups. Before a system checks its own cache or the local DNS server, by default it looks in a file named "hosts" for a matching entry. This exercise shows how easy it is to redirect a target to a site it did not intend to visit (when the entries on the local DNS server are changed in the same way, the user sees the same result).
Follow these steps:
- Open a browser and go to www.google.com. The DNS record for this site is now in the cache. You can view it by typing ipconfig /displaydns at the command prompt. Type ipconfig /flushdns to delete all records. Close the browser.
- Using Explorer, open C:\Windows\System32\drivers\etc (if you use a 64-bit version of Windows XP or 7, try opening C:\Windows\SysWOW64\System32\drivers\etc).
- Open the HOSTS file in Notepad. Save a copy before continuing.
- At the end of the hosts file, enter 209.191.122.70 www.google.com (below the last line, 127.0.0.1 or ::1). Save the file and exit.
- Open the browser again and try to access www.google.com. Instead of Google, your browser opens Yahoo!. We updated the hosts file, pointing Google's name at the address of the Yahoo! search engine.
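The redirection in Exercise 2 works because the hosts file is consulted before the cache and the DNS server. The following Python example, added here and not part of the original exercise, models that lookup order and shows the defender's side of the same mechanism: a check that flags hosts entries mapping a dotted public name to a non-loopback address, which is exactly what the exercise's 209.191.122.70 www.google.com line looks like in an audit. The hosts content and the DNS answers passed to resolve() are constructed (198.51.100.x are documentation addresses).

```python
"""Model hosts-file precedence and audit a hosts file for hijacked public names."""
import ipaddress

# Constructed sample: the default loopback lines plus the line Exercise 2 adds.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
209.191.122.70  www.google.com
"""


def parse_hosts(text):
    """Return (address, [names]) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.append((addr, names))
    return entries


def resolve(name, hosts_text, dns_answers):
    """Lookup order the exercise relies on: hosts file first, then cache/DNS.

    dns_answers stands in for the cache and the local DNS server together;
    the tuple returned says which source produced the answer.
    """
    wanted = name.lower()
    for addr, names in parse_hosts(hosts_text):
        if wanted in (n.lower() for n in names):
            return addr, "hosts"
    if name in dns_answers:
        return dns_answers[name], "dns"
    return None, "nxdomain"


def suspicious_entries(hosts_text):
    """Flag dotted (non-local) names that a hosts entry sends somewhere other than loopback."""
    findings = []
    for addr, names in parse_hosts(hosts_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, names, "unparseable address"))
            continue
        if ip.is_loopback:
            continue  # 127.0.0.1 / ::1 entries are the normal defaults
        public_names = [n for n in names if "." in n]
        if public_names:
            findings.append((addr, public_names, "public name overridden locally"))
    return findings


if __name__ == "__main__":
    print(resolve("www.google.com", SAMPLE_HOSTS, {"www.google.com": "198.51.100.1"}))
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("suspicious:", finding)
```

On a real endpoint the same check belongs in a periodic integrity job (hash the file, alert on any diff), since a legitimate hosts file on a workstation rarely contains anything beyond the loopback lines.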
DNS footprinting tools: WHOIS, nslookup and dig
At the dawn of networking, DNS systems demanded not only a hierarchical design but also someone to manage them. Someone had to be responsible for registering names and the corresponding address ranges. Above all, someone had to hand out the addresses.
Management of IP addresses began with a small group known as IANA (Internet Assigned Numbers Authority), and was later continued by ICANN (Internet Corporation for Assigned Names and Numbers). ICANN controls IP distribution. Companies and individuals obtain their IP addresses (ranges) here, after which the rest of the world can find them using the DNS system.
Alongside such address registration, regional Internet registries manage the public IP address space within their geographic regions.
There are five regional Internet registries:
- ARIN (American Registry for Internet Numbers): North and South America, as well as African countries south of the Sahara
- APNIC (Asia-Pacific Network Information Center): Asia-Pacific
- RIPE (Réseaux IP Européens): Europe, the Middle East, and Central Asia / North Africa
- LACNIC (Latin American and Caribbean Internet Addresses Registry): Latin America and the Caribbean
- AFRINIC: Africa
You can also use a tool known as WHOIS. Originally created under UNIX, it came to be used on operating systems around the world. It queries the registry and returns information about domain ownership, addresses, locations, phone numbers, DNS servers and so on.
Here are some more tools for the same purposes: www.geektools.com, www.dnsstuff.com, www.samspade.com, www.checkdns.net.
Another useful DNS footprinting tool is the command line. We will get acquainted with the command nslookup, which is part of almost every operating system. It is a tool for querying DNS servers for information.
NOTE
When you deal with the WHOIS service, pay special attention to the registrars, administrative names, contact phone numbers for individuals, as well as the names of the DNS servers.
SYNTAX
nslookup [-options] (hostname | [-server])
The command can provide information based on the chosen parameters, or it can work interactively, waiting for you to enter subsequent parameters. On Microsoft Windows, when you enter nslookup you will see a window displaying your default DNS server and the IP address associated with it. The command then runs in interactive mode. Typing a question mark shows you all the possible options for displaying information with this command. For example, the subsequent command set type=MX tells nslookup that you are looking for email server records. nslookup can also provide information about zone transfers. As mentioned earlier, a zone transfer differs from a "regular" DNS query in that it transmits every record on the DNS server, not just the one you are looking for. To use nslookup for a zone transfer, first make sure you are connected to the SOA server for the zone, and then follow these steps:
- Enter nslookup at the command line.
- Type server <SOA IP address>.
- Type set type=any.
- Enter ls -d domainname.com, where domainname.com is the name of the zone.