The above information provides details of the ISP and of the e-mail server,
which has a domain name different from acme-widgets.co.uk and may be on a
separate network. Also listed are the web server and another server named 'dev'
on a separate network.
The mail server's name and IP address indicate that Acme Widgets Ltd is part of a
group of companies and that another company within the group handles e-mail.
This represents another potential avenue of attack against Acme.
Subsequent work has shown that the server dev.acme-widgets.co.uk no longer
exists. However, the listed IP address is an internal address that should not be
reachable from the Internet. Records for internal servers should be published
only on internal DNS servers, never in the zone that is visible to the Internet.
Whois Query
Whois is a database system listing information about the registrant of a domain
name. The information submitted should include only the minimum detail
necessary, since anything published here is available to an attacker.
The registrant information for acme-widgets.co.uk is:
Acme Widgets Ltd
123 Web Way
Aldermaston
RG12 3AB
Berkshire
Great Britain (UK)
Registered on 20th June 2000
Registered by isp.net
This gives us the company name and address. It also confirms the ISP Acme use.
RIPE Query
RIPE (the RIPE NCC) is the organisation that maintains the database of IP
address allocations for Europe. A query shows the address space allocated to an
organisation and the contact registered for it. The information provided should
be the minimum necessary. It is good practice to use role names, such as
'hostmaster', instead of the names of individuals.
A RIPE query for the IP address of www.acme-widgets.co.uk (10.0.0.21) shows that
it belongs to the block 10.0.0.0 - 10.0.0.255.
The person these addresses were allocated to was:
Dave Mann
Acme Widgets Ltd
99 Acacia Avenue
Reading
RG3 4YZ
Berkshire
+44 118 111 9898
The above information gives us the range of IP addresses that Acme will use for
systems accessible over the Internet, Acme's previous address (it differs from
the one in the Whois record) and a name, Dave Mann, that could be used in social
engineering attempts.
Usenet Search
Usenet is a vast collection of newsgroups, each devoted to a particular subject.
Text, similar to an e-mail, is posted to one or more groups; replies are posted
under the same heading, forming a thread.
A search of Usenet can reveal contact details, such as names, job titles and
internal phone extensions, together with details of the system environment,
gleaned from questions about problems with applications, operating systems, etc.
Posts to Usenet should be made from an account that is not associated with the
organisation and should not reveal internal details.
A search of Usenet for 'acme-widgets.co.uk' found references to a request for
help with installing a software package on a Windows NT server named acme1.
Web Meta Search
The majority of web pages published on the Internet are indexed by one or more
of the large search engines, such as Yahoo, Lycos and Google. A meta search
queries the major search engines and extracts the information matching the
search criteria entered.
Most of this information has been gathered by 'spiders' (also known as
'crawlers' or 'bots'): software that reads a web page, sends its content back to
the search engine database for indexing, and then follows all the links from
that page, reading each subsequent page as it goes. Anything placed on a public
web page should therefore be assumed to be indexed and searchable.
An organisation's personnel should never include their corporate SMTP e-mail
address within a web page or web submission.
A meta search for Acme Widgets failed to find any information beyond that stated
above.
IP Scanning
Having gathered information about the Acme network during the footprinting
stage, it is now necessary to delve a little deeper by probing the network
itself. Using our burglar analogy from earlier, we are now going to ring the
doorbell to see if anyone is in.
Ping
With the IP address range identified by the RIPE query above, it is now possible
to ascertain which IP addresses in that range are allocated to systems
accessible over the Internet.
Ping is a utility for checking network connectivity. It sends an ICMP echo
request to an IP address and waits for an echo reply. A ping scan (one request
to every address in the range) was run against the IP address range. The
addresses that responded are shown in the following table:
Address        Name
10.0.0.2       unknown
10.0.0.21      www.acme-widgets.co.uk
The above information tells us that at least two systems are accessible over
the Internet and that one of them has a registered DNS name.
It is important to note that no response to a ping scan does not mean nothing is
there: ICMP echo requests can be blocked by a firewall or other gateway device,
so a silent address may still have TCP services reachable from the Internet.
Traceroute
Having identified the web server, the traceroute utility is used to determine the
path to the system. It sends probes towards the target with increasing
time-to-live values so that each router along the path in turn returns an error
message, revealing that hop's IP address, name and the round-trip time taken to
reach it.
The traceroute report was as follows:
Trace complete.
The information returned shows that the ISP is isp.net and that there is a
system, 10.0.0.2, within the IP address range returned by the RIPE query one hop
before the web server. As this system did not resolve to a name, it may be a
firewall or other gateway device.
Port Scan
Internet communication is conducted using IP addresses, which uniquely identify
a system, and ports, which identify the application on that system that the
traffic is for.
A port scan identifies the open ports on a system. The open ports allow an
attacker to determine which applications are running, and often which operating
system is installed, and so to 'tune' the attack for maximum effect.
A port scan was conducted against the web server IP address. The ports found
were:
Port      State     Service
80/tcp    open      http
443/tcp   open      https
Port 80 carries HTTP traffic to a web server and port 443 carries HTTP over SSL.
As it is extremely unlikely that these are the only ports open on a system (a
Windows NT server, for example, normally also listens on TCP 135 and 139 for RPC
and NetBIOS), it would be correct to conclude, as intimated in the sections
above, that the web server is behind a firewall that permits only these two
ports through.
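The ping and port scan steps above share one problem: a firewall that drops ICMP
echo requests makes a host look absent, and a filter that silently drops packets
to closed ports makes a port scan slow and ambiguous. A TCP connect scan that
also reads the first bytes of the service response covers both, and it is the
same technique that produced the IIS banner later in this report. The following
Python is an added example, not a tool from the original report; the IIS 4.0
banner it scans against is a constructed sample served by a local listener, not
a real capture.

```python
"""TCP connect scan with banner grabbing (added example; not part of the
original report). demo() scans a local listener that imitates an IIS 4.0
banner; the banner is constructed for the example, not a real capture.
"""
import socket
import threading

# A handful of ports typically interesting on an Internet-facing host.
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]

# HTTP services only speak after a request, so send a minimal one.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n"


def probe_port(host, port, timeout=1.0, send_http=None):
    """Return (state, banner) for one TCP port.

    state is "open", "closed" (connection refused) or "filtered"
    (no answer within the timeout, typical of a firewall that drops
    silently). send_http forces or suppresses the HTTP request; by
    default it is sent only on well-known plaintext HTTP ports.
    """
    if send_http is None:
        send_http = port in (80, 8080)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except OSError:  # timeout or host unreachable: treated as dropped
        s.close()
        return "filtered", ""
    try:
        if send_http:
            s.sendall(HTTP_PROBE % host.encode())
        banner = s.recv(1024).decode("latin-1", "replace")
    except OSError:
        banner = ""
    finally:
        s.close()
    return "open", banner.strip()


def server_header(banner):
    """Extract the Server: header from an HTTP response banner."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


def scan(host, ports=COMMON_PORTS, timeout=1.0, send_http=None):
    """Scan ports; return ({open_port: banner}, filtered_count).

    A high filtered count alongside a few open ports is the pattern the
    report used to conclude that the web server sits behind a firewall.
    """
    open_ports, filtered = {}, 0
    for port in ports:
        state, banner = probe_port(host, port, timeout, send_http)
        if state == "open":
            open_ports[port] = banner
        elif state == "filtered":
            filtered += 1
    return open_ports, filtered


def _fake_iis(listener):
    """Answer one request with an IIS 4.0 style banner (constructed)."""
    conn, _ = listener.accept()
    try:
        conn.recv(1024)
        conn.sendall(b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
                     b"Content-Length: 0\r\n\r\n")
    finally:
        conn.close()


def demo():
    """Scan a local listener standing in for the report's web server."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_fake_iis, args=(listener,), daemon=True)
    t.start()
    open_ports, filtered = scan("127.0.0.1", [port], timeout=2.0,
                                send_http=True)
    t.join(2.0)
    listener.close()
    return port, open_ports, filtered


if __name__ == "__main__":
    port, found, filtered = demo()
    for p, banner in found.items():
        print(f"{p}/tcp open  {server_header(banner) or banner[:40]}")
    print(f"{filtered} port(s) filtered")
```

Against a real target, call scan() with the RIPE address range and COMMON_PORTS;
the distinction between "closed" (an immediate refusal) and "filtered" (silence)
is what tells a firewall apart from an idle host, which a ping sweep alone cannot
do. Port 443 is deliberately not probed with the plaintext request, since it
requires a TLS handshake before any banner is returned.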
Conclusion
Publicly available information can be a rich source of data for an attacker.
Information on Acme is sparse, but we have nonetheless obtained the name of a
member of Acme's personnel, a DDI phone number, an internal server name and IP
address, a probable firewall IP address and the NT name of a server. All of this
is information that could assist an attacker.
Website Hacking
This exercise uses a number of methods that would be employed in a real attack.
Firstly we take a look at Acme's website. By connecting to the IP address
instead of the name and seeing what is returned, we can tell whether this is a
virtual web server (one of several sites sharing a single IP address and
selected by the host name in the request). If it were, a different page, or no
page at all, would be returned. As we can see, it is not a virtual server:
Website Environment
The port scan referred to above was configured to return information on the
accessible services. For port 80 the banner returned stated that the web server
was running Microsoft's web server software, IIS 4.0. Version 4.0 shipped with
the Windows NT 4.0 Option Pack and is used primarily on Windows NT 4.0 systems,
so the operating system can be inferred from the banner.
Website Crawl
Many websites contain information that is not shown in the browser window, such
as HTML comments, link targets and directory names. The entire website was
downloaded so it could be searched offline. A search of the content and a scan
for hidden directories revealed the following:
Personnel names:      John Doe
                      John Smith
                      Dave Mann
Address:              123 Web Way, Aldermaston, Berkshire, RG12 3AB
Phone numbers:        0118 999 1111
                      0118 999 1115 (DDI for Dave Mann)
                      0118 999 2222
E-mail addresses:     sales@acme-widgets.co.uk
                      webmaster@acme-widgets.co.uk
                      dave.mann@acme.co.uk
Hidden web server
directories:          _themes
                      /blends/
                      _derived/
                      _private/
Note that Dave Mann's e-mail address is in a different domain, acme.co.uk,
which is consistent with the mail server finding above.
The directory listing shows a typical IIS directory tree and confirms the hidden
directories discovered above, as well as several others.
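Once the site has been mirrored, the offline search described above is a matter
of pattern matching over the saved files: e-mail addresses and phone numbers in
the text, and directory names in link targets and HTML comments that a browser
never displays. The Python below is an added example, not code from the original
report. SAMPLE_SITE is a constructed stand-in for a downloaded copy of the site;
the names, numbers and addresses in it are the fictional ones the report uses,
and the file names within it are invented for the example.

```python
"""Offline search of a mirrored web site for contact details and hidden
directories (added example; not code from the original report).

SAMPLE_SITE is a constructed stand-in for a downloaded copy of the site;
the names, numbers and addresses in it are the fictional ones the report
uses, and the file names are invented for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK numbers written as 0118 999 1111 or +44 118 111 9898, groups separated
# by spaces, dots or dashes.
PHONE_RE = re.compile(
    r"(?:\+44\s?\d{2,4}|\b0\d{2,4})[\s.-]?\d{3,4}[\s.-]?\d{3,4}\b")
# Directory names mentioned in free text, e.g. "/scripts/" or "_private/".
DIR_IN_TEXT_RE = re.compile(r"(?:^|\s)(/?[\w.-]+/)")


class LinkAndCommentParser(HTMLParser):
    """Collect directories referenced by links and the text of comments,
    neither of which is visible in the browser window."""

    def __init__(self):
        super().__init__()
        self.dirs = set()
        self.comments = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action", "background") and value:
                path = urlsplit(value).path
                if "/" in path:
                    self.dirs.add(path.rsplit("/", 1)[0] + "/")

    def handle_comment(self, data):
        self.comments.append(data.strip())


def harvest(pages):
    """pages maps a file name or URL to its HTML. Returns the e-mail
    addresses, phone numbers, directories and comments found across all
    pages."""
    emails, phones, dirs, comments = set(), set(), set(), []
    for html in pages.values():
        parser = LinkAndCommentParser()
        parser.feed(html)
        parser.close()
        dirs |= parser.dirs
        comments += parser.comments
        emails |= set(EMAIL_RE.findall(html))
        # Normalise separators so the same number is not reported twice.
        phones |= {re.sub(r"[\s.-]+", " ", m) for m in PHONE_RE.findall(html)}
    for comment in comments:
        dirs |= set(DIR_IN_TEXT_RE.findall(comment))
    return {"emails": emails, "phones": phones, "dirs": dirs,
            "comments": comments}


def off_domain(emails, domain):
    """Addresses outside the site's own domain. In the report,
    dave.mann@acme.co.uk pointed at another company in the same group."""
    domain = domain.lower()
    return {e for e in emails
            if not e.lower().endswith("@" + domain)
            and not e.lower().endswith("." + domain)}


SAMPLE_SITE = {  # constructed for this example
    "index.htm": """<html><head><title>Acme Widgets Ltd</title>
<!-- FrontPage border files live in _derived/ ; form results in _private/ -->
<link rel="stylesheet" href="_themes/blends/theme.css">
</head><body background="_themes/blends/background.jpg">
<p>Acme Widgets Ltd, 123 Web Way, Aldermaston, Berkshire, RG12 3AB</p>
<p>Sales: 0118 999 1111, <a href="mailto:sales@acme-widgets.co.uk">sales@acme-widgets.co.uk</a></p>
<p>Webmaster: <a href="mailto:webmaster@acme-widgets.co.uk">webmaster@acme-widgets.co.uk</a></p>
<p>IT queries: Dave Mann, 0118 999 1115, dave.mann@acme.co.uk</p>
<img src="_derived/home_banner.gif" alt="Home">
<form action="/scripts/feedback.asp" method="post"></form>
</body></html>""",
}

if __name__ == "__main__":
    found = harvest(SAMPLE_SITE)
    for key in ("emails", "phones", "dirs"):
        print(key, sorted(found[key]))
    print("off-domain",
          sorted(off_domain(found["emails"], "acme-widgets.co.uk")))
```

To run this over a real mirror, build the pages dictionary by reading every
saved file under the download directory. The directories it reports are only
those the site itself references; the report's separate scan for hidden
directories would add names that appear nowhere in the content.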
By running this command through the web browser we can confirm that the IIS
anonymous user account (IUSR_<machine name>, the account under which
unauthenticated browser requests are served) has execute permission in the
'scripts' directory. From there, using the Trivial File Transfer Protocol client
(tftp.exe) installed by default in Windows NT 4.0, we were able to upload a
utility called 'netcat.exe' to the web server. Netcat can open an outbound
connection from the web server through the firewall to the attacker's system,
giving the attacker a command prompt on the web server; this works because many
firewalls permit connections initiated from the inside. We were able to do this.
The results returned show that the web server is 'multi-homed': it has two
network connections, one on the internal and one on the external network. This
allows us to use the web server as a stepping-stone into the internal network.
Having already ascertained the name of an internal server (acme1), we are able to
ping that name to discover whether it can be reached from the web server:
The arp command lists the IP addresses, and the corresponding physical (MAC)
addresses, of systems that have recently communicated with this system on a
directly attached network. Having pinged acme1, it should appear in the ARP
cache:
The results show the IP address of acme1 and its physical address. As this is
different from the physical address of the firewall (10.0.0.2), acme1 was not
reached through the firewall (had it been, the cache would hold the firewall's
entry rather than acme1's, or acme1 paired with the firewall's address); it
indicates that access to acme1 is directly across the internal network.
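The inference drawn from the ARP cache above can be written down as a check, which
is useful when triaging many hosts from a compromised stepping-stone. The Python
below is an added example, not part of the original report. SAMPLE_ARP is a
constructed imitation of `arp -a` output on Windows NT: the external side reuses
the report's 10.0.0.x addresses, while the internal 192.168.1.x addresses and all
MAC addresses are invented for the example.

```python
"""Interpreting a Windows ARP cache after a ping (added example; not part
of the original report).

SAMPLE_ARP is a constructed imitation of `arp -a` output on Windows NT.
The external side reuses the report's 10.0.0.x addresses; the internal
192.168.1.x addresses and all MAC addresses are invented for the example.
"""
import re

IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)")
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)")

SAMPLE_ARP = """\
Interface: 10.0.0.21 on Interface 2
  Internet Address      Physical Address      Type
  10.0.0.2              00-00-0c-07-ac-01     dynamic

Interface: 192.168.1.21 on Interface 3
  Internet Address      Physical Address      Type
  192.168.1.10          00-60-08-9a-1f-3e     dynamic
"""


def parse_arp(text):
    """Return {ip: (mac, type, interface_ip)} from `arp -a` output.

    Entries are grouped under the local interface that learned them, so
    the interface is recorded with each entry.
    """
    entries, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and iface:
            entries[m.group(1)] = (m.group(2).lower(), m.group(3), iface)
    return entries


def interfaces(entries):
    """Local interface addresses seen in the cache; more than one means the
    host is multi-homed, as the report found for the web server."""
    return sorted({iface for _, _, iface in entries.values()})


def classify_path(entries, target_ip, gateway_ip):
    """Explain, from ARP evidence alone, how target_ip was reached."""
    target = entries.get(target_ip)
    gateway = entries.get(gateway_ip)
    if target is None:
        return ("routed or unreachable: the host does not appear in the "
                "cache, only the gateway would")
    if gateway is not None and target[0] == gateway[0]:
        return ("answered by the gateway's MAC (proxy ARP): traffic to it "
                f"still passes through {gateway_ip}")
    return f"directly reachable on the segment of interface {target[2]}"


if __name__ == "__main__":
    cache = parse_arp(SAMPLE_ARP)
    print("interfaces:", interfaces(cache))
    print("acme1 (192.168.1.10):",
          classify_path(cache, "192.168.1.10", "10.0.0.2"))
```

Two interface sections in the cache are themselves evidence of multi-homing, and
a target that shares the gateway's MAC address would indicate proxy ARP by the
firewall rather than a directly connected host, which is the case the report's
reasoning has to rule out.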
The NT domain is not the same as the one for the web server. However, as this is
an internal server, it is more likely to be in the corporate domain.
The net view command shows the shared directories on Microsoft servers. Using it
to discover the shares on acme1 returned the following:
We could now browse all directories on the C:\ drive with full administrator
rights and copy files containing confidential information to the web server:
Then, using TFTP, the files can be copied anywhere on the Internet: