Data Gathering > Business Information:
The first step a hacker will take when targeting a server is to gather as much information about the company as possible. A hacker will look for any interesting information regarding the company, such as recent mergers, acquisitions or large hardware purchases. The hacker will back up the company's website to a local computer and search the copy for anything useful. A hacker will also poll newsgroups, IRC and Usenet for information about what hardware or software the system is running. Information gathered in this step also gives the hacker a feel for how well the system administrator knows his own system.
Companies are often careless about the way they connect new mergers or acquisitions to their internal network, sacrificing security for expediency. The acquired company is frequently not required to adopt company-wide security policies before being connected to the internal network, so the new computers become a path of insecurity into the parent company.
The hacker will download the entire company website and explore it for sensitive information. Username and password pairs or other security-relevant details are often left in HTML comments within the page source. Beyond obvious problems such as this, the hacker can search for sections of the company site that report security configurations and hardware versions. If the hacker knows specifically what hardware and software is running on the remote system, attack efforts can be focused on finding vulnerabilities in that hardware or software.
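The same search can be run by the site's own administrators before an outsider does it. The script below is an added example, not code from this page or from Security Innovation: it walks a locally mirrored copy of a website (for instance one produced with wget) and reports HTML comments that look like credentials, account names or internal addresses, plus visible text that advertises product versions. The sample pages and every name and pattern in it are constructed for illustration.

```python
"""Audit a locally mirrored copy of your own website for HTML comments and
text that leak credentials, internal addresses or product versions.

Added example (not Security Innovation's code). It assumes the site has
already been mirrored to disk; the SAMPLE_PAGES below are constructed."""

import os
import re
from html.parser import HTMLParser

# Constructed sample of a mirrored site; not from any real company.
SAMPLE_PAGES = {
    "index.html": """<html><body>
<!-- TODO remove before launch: admin / Summ3r2002 -->
<h1>Welcome</h1>
<!-- Page layout updated 2002-03-01 -->
</body></html>""",
    "status/hardware.html": """<html><body>
<!-- db_password=s3cret; host=10.0.0.5 -->
<p>Running IIS 5.0 on Windows 2000 SP2</p>
</body></html>""",
}

# Checks applied to comment text; extend to match your own naming conventions.
COMMENT_CHECKS = [
    ("credential", re.compile(r"(password|passwd|pwd|secret)\s*[:=]", re.I)),
    ("account name", re.compile(r"\b(user|username|login|admin)\s*[/:=]", re.I)),
    ("private address", re.compile(
        r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b")),
]
# Check applied to visible text: product name followed by a version number.
VERSION_BANNER = re.compile(r"\b(?:IIS|Apache|Windows|Solaris)\s*\d", re.I)


class _Collector(HTMLParser):
    """Collects comments and visible text separately while parsing one page."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.text = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def audit_page(path, html):
    """Return a list of findings for one page; empty list means nothing flagged."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for comment in parser.comments:
        reasons = [name for name, rx in COMMENT_CHECKS if rx.search(comment)]
        if reasons:
            findings.append({"path": path, "kind": "comment",
                             "reasons": reasons, "excerpt": comment[:80]})
    for fragment in parser.text:
        if VERSION_BANNER.search(fragment):
            findings.append({"path": path, "kind": "text",
                             "reasons": ["version banner"], "excerpt": fragment[:80]})
    return findings


def audit_pages(pages):
    """Audit a {relative_path: html} mapping in a stable (sorted) order."""
    findings = []
    for path in sorted(pages):
        findings.extend(audit_page(path, pages[path]))
    return findings


def load_mirror(root):
    """Read every .html/.htm file under a mirror directory into a mapping."""
    pages = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".html", ".htm")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    pages[os.path.relpath(full, root)] = fh.read()
    return pages


if __name__ == "__main__":
    import sys
    # Pass the mirror directory as the first argument; otherwise audit the sample.
    pages = load_mirror(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PAGES
    for f in audit_pages(pages):
        print(f"{f['path']}: {f['kind']} [{', '.join(f['reasons'])}] {f['excerpt']}")
```

Run it against the directory wget produced (`python audit_mirror.py example.com/`) as part of a release checklist; anything it flags should be removed from the published pages rather than merely obscured, since the mirror an outsider takes will contain exactly the same source.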
The hacker will also search for any recent large hardware purchases. If hardware is purchased in bulk, it is difficult for the IT or security department to ensure that each new device is secure and up to date, and this task is often left to the recipient of the device. Large network upgrade purchases can also tell a hacker something about the internal network and how each device is connected. If a company fails to train its IT department sufficiently, much of the hardware may end up configured with insecure defaults or other misconfigurations.
To get a better feel for the size and complexity of the company's internal network, the hacker will footprint the company's IP block using DNS lookups and whois information. Both techniques can prove rewarding when attempting to find alternate systems to attack.
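A defender can take the same footprint of their own zone to see what the DNS names alone give away. The script below is an added example (not from this page or from Security Innovation): it parses answer-section lines in the format dig prints, groups the A records by /24 block, and lists hostnames whose labels describe the machine's role. The input is constructed and uses RFC 5737 documentation addresses and example.com; the list of role labels is an assumption to be replaced with your own naming conventions.

```python
"""Inventory what your own DNS zone reveals to an outsider, from dig output.

Added example, not Security Innovation's code. SAMPLE_DIG_OUTPUT is constructed
(RFC 5737 documentation addresses, example.com); ROLE_LABELS is an assumption."""

import ipaddress
import re
from collections import defaultdict

# Constructed sample of dig answer-section lines; not a real company's zone.
SAMPLE_DIG_OUTPUT = """\
; <<>> constructed sample of dig answer-section lines <<>>
www.example.com.        3600    IN      A       192.0.2.10
www2.example.com.       3600    IN      A       192.0.2.11
mail.example.com.       3600    IN      A       192.0.2.25
example.com.            3600    IN      MX      10 mail.example.com.
fw-ext.example.com.     3600    IN      A       192.0.2.1
lb1.example.com.        3600    IN      A       198.51.100.5
dev-test.example.com.   3600    IN      A       198.51.100.7
example.com.            3600    IN      NS      ns1.example.com.
ns1.example.com.        3600    IN      A       198.51.100.2
"""

# name  ttl  IN  type  rdata  (the layout dig uses for answer lines)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+?)\s*$")

# Hostname labels that tell an outsider what a host does (assumed list).
ROLE_LABELS = {"fw", "firewall", "lb", "mail", "smtp", "vpn", "dev",
               "test", "staging", "backup", "db"}


def parse_dig_answers(text):
    """Turn dig answer lines into records; comment lines (';') are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append({"name": name.rstrip("."), "ttl": int(ttl),
                            "type": rtype, "rdata": rdata})
    return records


def role_labels(hostname):
    """Return the role-describing tokens in the host's first label, e.g. lb1 -> ['lb']."""
    first = hostname.split(".")[0].lower()
    tokens = re.split(r"[-_]|(?<=[a-z])(?=\d)", first)
    return sorted(t for t in tokens if t in ROLE_LABELS)


def footprint(records):
    """Group A records by /24 and flag hostnames that describe their role."""
    by_block = defaultdict(list)
    descriptive = {}
    for r in records:
        if r["type"] != "A":
            continue
        block = ipaddress.ip_network(f"{r['rdata']}/24", strict=False)
        by_block[str(block)].append(r["name"])
        labels = role_labels(r["name"])
        if labels:
            descriptive[r["name"]] = labels
    return {
        "blocks": {k: sorted(v) for k, v in by_block.items()},
        "descriptive_names": descriptive,
        "other_records": [r for r in records if r["type"] != "A"],
    }


if __name__ == "__main__":
    report = footprint(parse_dig_answers(SAMPLE_DIG_OUTPUT))
    for block, hosts in sorted(report["blocks"].items()):
        print(f"{block}: {', '.join(hosts)}")
    for host, labels in sorted(report["descriptive_names"].items()):
        print(f"role revealed by name: {host} ({', '.join(labels)})")
```

Feed it the output of `dig` queries against your own zone (or a zone file, once the comment lines are filtered) and review two things: how many distinct address blocks appear, which is the size estimate an outsider gets, and which hostnames announce firewalls, load balancers, mail or test systems by name.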
Techniques:

| Technique | Information Gathered |
| --- | --- |
| Mergers/Acquisitions | Possible careless security configuration and an easy entrance into the company |
| Hardware purchases | New hardware is difficult to secure, and requires new training of the employees and IT department |
| Website | Username and password pairs, other commented secrets; hardware and software configuration information |
| DNS lookup | Additional possible systems to attack |
| Whois | IT contact, administrative contact, when the record was created and updated, primary and secondary DNS servers |
Tools:
Wget – Wget is a scriptable command-line application that the server sees as an ordinary browser. It lets the user save a local copy of a website to disk. Everything the browser would receive is retrieved: HTML, images, forms, etc.
Sam Spade – This tool will crawl a site, discover every linked web page, and save copies to the hacker's machine. It can be used to quickly, efficiently and easily download the entire company website.
IRC – Internet Relay Chat is a good forum for discussing security issues or recent projects in real time. A hacker can get help immediately with an issue, or use it proactively to research the company.
Public newsgroups – Public newsgroups such as Usenet are often used to ask questions about the latest exploits, to discuss current projects, or by IT professionals to learn more about their hardware.
Whois – Whois is a public database that lets the hacker discover who registered a domain name.
Dig – Dig is a more powerful, actively maintained replacement for the nslookup tool in the UNIX environment. With it a hacker can discover the topology of all of a company's externally facing servers, including redundant web servers, mail servers, load balancers, and firewalls.
Provided by: Security Innovation, The Application Security Company