Chapter 2 - 03 - Understand Network-level Attacks - 02_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Information Security Attacks Exam 212-82

DNS Footprinting

- DNS records provide important information about the location and types of servers.
- Attackers can gather DNS information to determine key hosts.
- Record types gathered (see Table 2.1): A, MX, NS, CNAME, SOA, SRV, PTR, RP, HINFO, TXT.

DNS Footprinting (Cont'd)

- Attackers query DNS servers using DNS interrogation tools, such as DNSdumpster.com and DNS Records, to retrieve the record structure that contains information about the target DNS. (Slide screenshot: DNSdumpster)

DNS Footprinting

DNS footprinting reveals information about DNS zone data. DNS zone data include DNS domain names, computer names, IP addresses, and much more information about a network. An attacker uses DNS information to determine key hosts in the network and then performs social engineering attacks to gather even more information.

Module 02 Page 180 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
DNS footprinting helps in determining the following records about the target DNS:

Record Type   Description
A             Points to a host's IP address
MX            Points to the domain's mail server
NS            Points to the host's name server
CNAME         Canonical naming allows aliases to a host
SOA           Indicates authority for a domain
SRV           Service records
PTR           Maps an IP address to a hostname
RP            Responsible person
HINFO         Host information record; includes CPU type and OS
TXT           Unstructured text records

Table 2.1: DNS records and their description

DNS interrogation tools such as DNSdumpster (https://dnsdumpster.com) and DNS Records (https://network-tools.com) enable the user to perform DNS footprinting. DNSstuff (Professional Toolset) extracts DNS information about IP addresses, mail server extensions, DNS lookups, Whois lookups, and so on. It can extract a range of IP addresses using an IP routing lookup.

If the target network allows unknown, unauthorized users to transfer DNS zone data, then it is easy for an attacker to obtain information about the DNS with the help of a DNS interrogation tool. When the attacker queries the DNS server using the DNS interrogation tool, the server responds with a record structure that contains information about the target DNS. DNS records provide important information about the location and types of servers.
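As an added example (not code from the EC-Council module), here is a minimal decoder for the record structure a DNS server returns, written against the RFC 1035 wire format and covering the A, NS, CNAME, PTR, MX and TXT types from Table 2.1; the response bytes are constructed for example.com, not captured from any real server.

```python
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT"}  # RFC 1035 type codes (Table 2.1 subset)

def encode_name(name):  # dotted name -> label wire format, uncompressed
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def read_name(msg, off):  # decode a name, following 0xC0xx compression pointers; -> (name, end offset)
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer: low 14 bits give the offset of the real name
            end = end if end is not None else off + 2   # the stream resumes right after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:                          # root label terminates the name
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode()); off += 1 + length

def parse_rdata(rtype, msg, off, rdlen):  # decode RDATA for the types a footprinting tool shows
    if rtype == 1:                                 # A: IPv4 address
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5, 12):                        # NS, CNAME, PTR: a single (possibly compressed) name
        return read_name(msg, off)[0]
    if rtype == 15:                                # MX: 16-bit preference + exchange name
        return f"{struct.unpack('!H', msg[off:off + 2])[0]} {read_name(msg, off + 2)[0]}"
    if rtype == 16:                                # TXT: one or more length-prefixed strings (e.g. SPF)
        parts, end = [], off + rdlen
        while off < end:
            n = msg[off]; parts.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
        return " ".join(parts)
    return msg[off:off + rdlen].hex()              # anything else: leave as raw hex

def parse_response(msg):  # -> [(owner, type, ttl, rdata), ...] from the answer section
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])   # header: id, flags, QD, AN, NS, AR counts
    off, records = 12, []
    for _ in range(qd):                            # skip each question: name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        records.append((owner, TYPES.get(rtype, str(rtype)), ttl, parse_rdata(rtype, msg, off + 10, rdlen)))
        off += 10 + rdlen
    return records

def sample_response():  # constructed response (not a real capture) for example.com: A, MX and TXT answers
    ptr = b"\xc0\x0c"                              # compression pointer to the question name at offset 12
    mx_rd = struct.pack("!H", 10) + encode_name("mail.example.com")
    txt_rd = bytes([14]) + b"v=spf1 mx -all"
    return (struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)  # id, flags QR|RD|RA, 1 question, 3 answers
            + encode_name("example.com") + struct.pack("!HH", 1, 1)
            + ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
            + ptr + struct.pack("!HHIH", 15, 1, 300, len(mx_rd)) + mx_rd
            + ptr + struct.pack("!HHIH", 16, 1, 300, len(txt_rd)) + txt_rd)
```

Running parse_response(sample_response()) yields the owner, type, TTL and decoded data of each answer, which is the same record structure the interrogation tools above display.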
[Figure 2.7: Screenshot of DNSdumpster, showing the Hosting (NS), MX, TXT and Host (A) record panels for a queried domain, with IP block owners and GeoIP host locations]

Attackers also use DNS lookup tools such as Bluto and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records.

Packet Sniffing

- Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device.
- It allows an attacker to observe and access the entire network traffic from a given point in order to gather sensitive information such as Telnet passwords, email traffic, syslog traffic, etc.

Packet Sniffing

Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today work on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the device and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data only to the required port. A MAC address is a hardware address that uniquely identifies each node of a network. An attacker needs to manipulate the functionality of the switch to see all the traffic passing through it.
A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Often, any laptop can plug into a network and gain access to it. Many enterprises' switch ports are open. A packet sniffer placed on a network in promiscuous mode can therefore capture and analyze all the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to prevent the host machine from seeing other stations' traffic. Thus, sniffing programs can monitor all traffic.

Although most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows, such as servers and routers, is relatively easy. It allows an attacker to observe and access the entire network traffic from one point.

Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, and FTP passwords. This allows an attacker to read passwords in cleartext, the actual emails, credit card numbers, financial transactions, etc. It also allows an attacker to sniff SMTP, POP, IMAP, HTTP Basic, telnet authentication, SQL database, SMB, NFS, and FTP traffic. An attacker can gain a substantial amount of information by reading captured data packets; then, the attacker can use that information to break into the network. An attacker carries out more effective attacks by combining these techniques with active transmission.

The following diagram depicts an attacker sniffing the data packets between two legitimate network users:

[Figure 2.8: Packet sniffing scenario: Smith and Lena exchange data through a switch, and the attacker receives a copy of the data passing through the switch]
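As an added example (not code from the module), the following decoder reads the same Ethernet/IPv4/TCP fields a sniffer sees and, from the defender's side, flags frames that carry authentication data over the cleartext protocols listed above, so those services can be found and moved to encrypted alternatives; the frames are constructed sample data, and the port-to-protocol mapping assumes default ports.

```python
import struct

# Cleartext protocols the module lists as sniffable, keyed by default TCP port (assumption: default ports)
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}
# Payload fragments that carry an authentication secret in the clear
CREDENTIAL_MARKERS = (b"USER ", b"PASS ", b"Authorization: Basic ", b"AUTH PLAIN ", b" LOGIN ")

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP, the same fields a sniffer sees; None if not IPv4/TCP."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                        # IPv4 header length in bytes
    if ip[9] != 6:                                  # protocol field: 6 = TCP
        return None
    src_ip, dst_ip = (".".join(str(b) for b in ip[i:i + 4]) for i in (12, 16))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                   # TCP header length in bytes
    return {"dst_mac": mac(dst), "src_mac": mac(src), "src": f"{src_ip}:{sport}",
            "dst": f"{dst_ip}:{dport}", "dport": dport, "payload": tcp[data_off:]}

def audit(frames):
    """Report frames carrying credentials over a cleartext protocol; the secret itself is never returned."""
    findings = []
    for f in map(parse_frame, frames):
        if f and f["dport"] in CLEARTEXT_PORTS and any(m in f["payload"] for m in CREDENTIAL_MARKERS):
            findings.append(f"{CLEARTEXT_PORTS[f['dport']]} credential in clear: {f['src']} -> {f['dst']}")
    return findings

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame for testing (sample data, not captured; checksums zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

SAMPLE_FRAMES = [  # constructed: an FTP login in the clear, and a TLS packet that a sniffer cannot read
    build_frame("192.0.2.10", "192.0.2.20", 40000, 21, b"PASS s3cret-sample\r\n"),
    build_frame("192.0.2.10", "192.0.2.30", 40001, 443, b"\x16\x03\x01\x00\x05hello"),
]
```

audit(SAMPLE_FRAMES) reports only the FTP frame; the TLS frame on port 443 is opaque to a sniffer and produces no finding.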
