Sunday, September 26, 2010

Alive & kicking ?

Alive & kicking ?
Alive & kicking ?
In the previous chapter we saw how to know where your target is. As we have seen, this is not such a simple matter as your target might be a international company (or even a country). Mapping the presence of the target on the Internet is only the first part of gaining intelligence on your target. You still have no idea of the operating system, the service(s) running on the server. At this stage we are still not doing any "hacking", we are only setting the stage for the real fun. If the previous chapter was finding the correct houses, this chapter deal with strolling past the house, peeping through the front gate and maybe even ringing the doorbell to see if anyone answers.
The techniques explained in this chapter could cause warning lights to dimly flash. An alert sysop might notice traces of activity, but as we are legally not doing anything wrong at this stage, it is hard to make a lot of noise about it. We are going to do our best to minimize our level of exposure.
Unrouted nets, NAT
The output of the previous section is lot of IP numbers. We are still not sure that these are all the IP numbers involved - we suspect that it is used. We have netblocks - blocks of IP numbers. Within that block there might be only one host that is even switched on. The first step here is thus to try to find out which machines are actually alive (its of no use to attack a machine that is not plugged into the 'net). The only way to know that a host is actively alive on the 'net is to get some sort of response from the machine. It might be a ICMP ping that is return, it might be that the IP is listed in a bounced mail header, it might be that we see a complete telnet banner.
Companies spend thousands of dollars hiding machines. They use unrouted/experimental IP blocks (10.0.0.0/8 type of thing) and use NAT (network address translation) on their outbound routers or firewalls. They have fancy proxies that'll proxy anything from basic HTTP request to complicated protocols such as Microsoft Netmeeting. They build tunneling devices that will seamlessly connect two or more unrouted/experimental subnets across the Internet. In many cases the main concern for the company is not the fact that they want to hide their IP numbers - the driving force might be that they are running out of legal IP numbers, and the fact that they are hiding the IP blocks is a nice side-effect.
The ratio between legal and illegal IP blocks varies from company to company and from country to country. The South African Telecom use 6 class B networks - all their equipment has legal IP numbers. On the other hand a very well known European telecom used a single IP and NAT their whole network through that IP. As a general rule (very general) one can assume a ratio of legal to illegal netblocks of 1:10. Given that Citibank has over 60 legal netblocks, one can safely assume that they should have many times more illegal netblocks.
The problem with illegal IP blocks is that one cannot discover if machine on an illegal IP number is alive - not directly in anyway. The packets that are suppose to trigger a response simply does not arrive at the correct destination. I have seen many wannabe "Security experts" scanning their own private network whilst thinking that they are in fact scanning a client (with a very worried look in their eyes they then tell the client that they have many problems on their network:)). Other problems that arise are that a client might be using a legal netblock, but that the netblock does not actually belong to them. Some legacy sysop thought it OK to use the same netblock as the NSA. Scanning this client "legal" netblock might land you in a spot of hot water. When conducting any type of scan, make sure that the netblock is actually routed to the correct location. Another note - if an IP number is connected with a DNS name is does NOT mean the IP number is legal (or belongs to them. Many companies use internal IP numbers in their zone files - for secondary MX records for instance.

No comments:

Post a Comment

hacking tools