Day 8: ITSM Vulnerability Assessment techniques
Lesson 8: Two days ago we covered VoIP assessments, and yesterday we covered Intranets and the use of proxies. Most of last week also covered internal network infrastructure assessments, except for some topics such as PDA phones and WiFi devices.
Today I wanted to talk about reconnaissance, which some people refer to as footprinting. Besides the usual sources of trouble (i.e. Google), there are plenty of old school avenues to take when finding information about a company, organization, or person.
Of particular interest is external network connectivity. How does an organization connect to the Internet? I talked about war dialing on Day 6, which has a similar goal and effort. However, war dialing is pure enumeration -- start with a number and increment. Searching for external network information is much different, as we will see.
We'll also be covering DOM-based XSS tools in the software assurance section today. I hope you enjoy it.
Part 1: Information assurance vulnerability assessment — Footprinting the perimeter
Whether you know about it or not, your company or organization connects to the Internet the same way that everyone else does: using the Border Gateway Protocol, version 4. If you don't run it, then your upstream does -- or possibly their upstream.
BGP-4 requires an autonomous system number (ASN) for every organization connecting. Usually these are ISPs and very large enterprises. Every owned IPv4 prefix is announced from one of these ASNs (some organizations have more than one).
This information leaves a trail of data that anyone can query using a whois client. First of all, a Regional Internet Registry (RIR) must be contacted in order to acquire an ASN. If an upstream provider (an ISP) provides the IP prefix(es), this is known as provider-aggregated IP space (PA). Most RIRs (well, ARIN, which is the RIR for North America) loosely require that PA space have additional downstream information placed into their database. There have been two typical ways of doing this: Shared Whois IP (SWIP) and Referral Whois (RWhois). SWIP is in the RIR database, while RWhois is kept in a local ISP database, which can be queried by the RIR to keep information updated.
If an organization goes directly to an RIR to acquire an ASN or IP prefix(es), their IP space is known as provider-independent (PI). Getting PI space usually requires a minimum infrastructure size (a certain number of IPs to be used). Detailed ASN and IP prefix information, along with organization information (such as contacts for billing, technical support, and abuse issues), is available in the RIR database. This is what is queried via whois/RWhois.
Similarly, you may be familiar with network information center type services (NIC) as provided by the original Network Solutions. Today, we call these domain registrars, and their antiquated whois services, which have access to their databases, may one day disappear. Network Solutions whois even still supports querying antiquated role handles, although I have no idea how to get one of these since around 1999.
Recommendation: Find and protect your Whois data. I suggest a service, such as the one from Namecheap, called WhoisGuard, when you set up your domains (or change them to this). Make sure that your modification of this information is protected by passwords (or better yet -- PKI) in the safest manner possible.
Similarly, protect your RIR, RADB, and RWhois data. The RADB is a part of the IRR, with free IRR services available from ALTDB. If this information for your IP prefixes is not secure, then your entire traffic or source could be subverted. This could happen regardless of whether or not your organization runs BGP-4, because a lack of precision by one of your upstream providers could cause it. Better yet, use a new type of service that provides assurance for your routing, such as the commercial service from Renesys or the free Prefix Sanity Checker from Packet Clearing House.
Querying live BGP information is best done with a Looking Glass server, PWhois, Network ThinkTank, FixedOrbit, and the Team Cymru Network Monitoring pages. My two favorite projects around this space have been Route Views and MERIT's BGP Inspect, just because of how much data they maintain. Searching through an old BGP table snapshot, or an old copy of the RADB database (or Domain registrar, RIR, and other IRR data) -- even in text format -- can be extremely revealing about an organization's network infrastructure.
Other services such as CompleteWhois maintain information about ASN/IP hijacking (and information on individual/group hijackers, which are often -- but not always -- spammers). The Web Security Authority combines some CompleteWhois information lists to create mod-security rules, which may be an interesting way to protect externally-facing web applications.
I also suggest getting away from the web and using your command line to query this sort of information. You never know when an adversary will insert an XSS as whois database information (although one could argue that a client-side attack could also happen with command-line whois).
whois -h com.whois-servers.net tssci-security.com | grep Server:
This command tells us which domain registrar's whois server to query for more information. (Note it is possible to change com.whois-servers.net to net, org, us, edu, and many other possibilities if the default com Whois server does not provide the detailed information you want). Whois-servers.net is basically a referral service for domain information. Let's query the real (i.e. referred) domain registrar now:
whois -h whois.godaddy.com tssci-security.com
Here you can see that TS/SCI uses DomainsByProxy (a service similar to WhoisGuard, but provided by GoDaddy instead of Namecheap).
whois -h whois.arin.net 220.127.116.11
You'll see both the ARIN information, as well as the RWhois information. If we connect to that RWhois server, as seen below, there are other techniques you can use to gain more information about both the ISP and their customers.
nc rwhois.host.net 4321
%rwhois V-1.5:003eff:00 whois.host.net (by Network Solutions, Inc. V-18.104.22.168)
-holdconnect on
%ok
-forward on
%ok
-limit 600
%ok
-status
%status limit:600
%status holdconnect:ON
%status forward:ON
%status objects:682
%status display:DUMP
%status contact:email@example.com
%ok
host*
(You'll also want to check out other RWhois commands such as -security and -register from the RWhois specification, RFC 1714.)
whois -h whois.radb.net 22.214.171.124/17
route: 126.96.36.199/17
descr: HOST-64-135-0-0-17-BLOCK
origin: AS13645
notify: firstname.lastname@example.org
mnt-by: MAINT-HOST
changed: email@example.com 20040621
source: HOST

whois -h whois.radb.net maint-host
mntner: MAINT-HOST
descr: HOST/BroadbandONE maintainer object
admin-c: HNA-ORG-ARIN
tech-c: HNA-ORG-ARIN
upd-to: firstname.lastname@example.org
mnt-nfy: email@example.com
auth: CRYPT-PW IZVSxc8/dvNpk
mnt-by: MAINT-HOST
changed: firstname.lastname@example.org 20040811
source: HOST
whois -h whois.radb.net as13645 ...
As you can see, there is quite a bit of information available from Whois/RWhois from Domain Registrars (which you can find using Whois-servers.net), RIRs, IRRs, and individually hosted RWhois servers. There is quite a lot to explore, so check out the specifications and also use the server "help or ?" functionality (e.g. `whois -h whois.networksolutions.com \?').
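The recommendation to protect your RADB data can be turned into a repeatable check. The following Python is an added example, not code from the original post: it parses RPSL objects as an IRR whois server returns them, then flags maintainers that still accept a weak auth scheme and route objects whose origin is not an ASN you expect. The names parse_rpsl, audit and WEAK_AUTH, the choice of which schemes count as weak, and the sample objects are assumptions made for the example.

```python
import re

WEAK_AUTH = {"NONE", "MAIL-FROM", "CRYPT-PW", "MD5-PW"}  # assumed ranking, not a registry rule

def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects = []
    for block in re.split(r"\n\s*\n", text):      # a blank line ends an object
        obj = []
        for line in block.splitlines():
            if not line.strip() or line[0] in "%#":   # blank or server comment
                continue
            if line[0] in " \t+" and obj:         # continuation of the last value
                attr, val = obj[-1]
                obj[-1] = (attr, f"{val} {line[1:].strip()}".strip())
            elif ":" in line:
                attr, _, val = line.partition(":")
                obj.append((attr.strip().lower(), val.strip()))
        objects.append(obj)
    return [o for o in objects if o]

def audit(objects, expected_origins):
    """Return (key, issue) pairs; expected_origins maps prefix -> allowed ASNs."""
    findings = []
    for obj in objects:
        cls, key = obj[0]
        if cls == "mntner":
            # auth attributes are ORed: one weak scheme undermines a key beside it.
            for scheme in (v.split()[0].upper() for a, v in obj if a == "auth" and v):
                if scheme in WEAK_AUTH:
                    findings.append((key, f"weak auth scheme {scheme}"))
        elif cls in ("route", "route6") and key in expected_origins:
            origin = dict(obj).get("origin", "").upper()
            if origin not in expected_origins[key]:
                findings.append((key, f"unexpected origin {origin}"))
    return findings

SAMPLE = """\
% constructed sample: documentation prefix, ASNs and placeholder credentials
route:   192.0.2.0/24
origin:  AS64500

route:   192.0.2.0/24
origin:  AS64511

mntner:  MAINT-EXAMPLE
auth:    PGPKEY-00000000
auth:    CRYPT-PW <hash-placeholder>
"""
```

To audit your own records, pass the saved output of whois -h whois.radb.net queries like those above to parse_rpsl in place of SAMPLE, with expected_origins listing the prefixes and ASNs you actually announce.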
Part 2: Software assurance vulnerability assessment — XSS on the DOM
Best DOM-based XSS attack tools