Information Gathering
A little over fifteen years ago the “world wide web” was only beginning to look like the Internet as it is recognized today. In 1995, “the internet encompass(ed) an estimated 50,000 networks worldwide, about half of which (were) in the United States.” (Cerf, 1997) Today it is difficult to find a good estimate of that number; however, according to internetworldstats.com there are 1.7 billion internet users in the world. For the purpose of information gathering, this presents the challenge of choosing one target out of that large pool. For this information gathering project, Calvary Baptist Church, located in Renton, WA, granted permission for both remote and local information gathering. The tools used in the project were netcat, NESSUS, dnsstuff.com, and Netcraft.com.
The first step taken, once the target had been chosen, was to determine the organization's online presence. A Google Maps search provided the address, phone number, and main website. Using netcat, a HEAD request was made to the web server:
This reveals the following important information:
- Website IP address: 74.220.207.195
- Web server is Apache (ver. 2.2.14 with SSL module)
- OpenSSL (ver. 0.9.81)
- Has FrontPage Extensions available (ver. 5.0.2.2635)
- Is hosted by an outside company: www.hostmonster.com
The fact that the site is hosted by an outside company is likely the most important piece of information. Unless the intent is to deface the organization's website, the IP address associated with the website can be ignored, since it is almost certainly not the static IP address of the organization's actual network. A WHOIS search beginning at dnsstuff.com led to networksolutions.com, where the following information was found:
- Domain name registered to Fred DeBerry
- Listed address and phone number match those found in the Google Maps search
- Technical contact: Entertainhare Unlimited Inc. (info@DAVIDHARE.COM)
- Domain registration set to expire on Sep 30, 2011
- DNS servers for the webhost (74.220.195.131, 69.89.16.8)
- The IP's physical location is Auburn, WA
This information confirms that the website is indeed connected with the organization, though it is not hosted at the organization's physical location. The information listed in the WHOIS record hasn't been updated since Oct 14th, 2006, so it is likely that the organization doesn't have a staff person dedicated to IT. Also, the physical location of the website's IP address is confirmed to be in a different city from the organization itself, so in order to attack its network, the organization's actual IP address would have to be determined some other way.
The next step was to gather more specific information for use in human engineering. Going back to the organization's website, information on personnel can be found on the staff page:
Name: Grant Bowles, Brad McCulloch, Thana Packard, Fred DeBerry
Position: Pastor, Music Pastor, Deaf Pastor
Contact: pastor@calvaryrenton.com
The name Fred DeBerry shows up here as well as in the WHOIS lookup: calvaryrenton.com is registered in his name, and it's possible that he is the technical person for the organization. The email address listed for him here, however, is not the same as the one in the WHOIS record, and that might be useful in a human engineering attempt (possibly by pretending to be someone from the webhost trying to get information). Other information gleaned from the website is as follows:
Physical Address: Calvary Baptist Church, 1032 Edmonds Ave NE, Renton, WA 98056
Phone Numbers: Main: (425) 254-8057; FAX: (425) 254-8057
Websites: www.calvaryrenton.com, www.square1youth.com
Known Hours of Operation: Sundays 9:30AM – Noon; Wed 7PM – 8PM
Other Points of Contact: church@calvaryrenton.com
The information found on the main website provides several points of contact that could be used in a human engineering attack. With several names listed as staff, it would be possible to pretend to have spoken with one of them in order to convince another staff member that the attacker is who they say they are. This would be especially useful if Fred DeBerry is the unofficial IT person for the organization, since his name could be used to legitimize the approach and build trust in order to get more information. There would be a danger that Mr. DeBerry could be present during the attempt. However, the website provides pictures of each staff member, so the organization could be watched or visited in order to determine whether he is there or not. One issue with any human engineering attempt is that there are no listed hours of operation for weekdays. Because of this, it would be difficult to make an attempt without first visiting the location to determine who is there and when.
There is another potential point of entry via Wi-Fi. Since none of the information gathered from the website could reveal whether wireless access is present, this had to be determined on location. The area surrounding the building is residential, so several SSIDs showed up. In order to narrow down the possibilities, the list was checked from three different locations.
Out of the three lists there are two SSIDs that most likely belong to the target, CBC and CBC3. The CBC network didn't show up on one side of the building where the bottom floor wasn't visible, so it's possible that these two access points are on different floors. Both networks are using WPA2 encryption. These networks were accessible from a parking lot about one hundred yards from the building.
With permission from the owners of the network, port scans from outside the network were done. Given the information gathered about the website, it is obvious that the website is not hosted at the physical location and therefore that the IP address attached to it is not that of the organization's network. In order to get that external IP address without going into the building itself, a human engineering attempt would need to be made or one of the wireless access points would have to be cracked. The internet connection to the building is a “business connection”, so the IP address is static: 76.121.207.8. Scans using netcat showed that three ports were open: 135, 2121, and 2175.
Port 135 is a well-known port (dcom-scm) and is a potential entry point, but the other two are not standard ports to find open. Since it has already been determined that the organization's website is not being hosted from here, there are other possibilities. These ports are apparently forwarded (not blocked by the router's firewall), possibly for an FTP server, gaming, SSL, or remote access. An attempt to connect via FTP to ports 2175 and 2121 resulted in no reply on port 2175, but port 2121 displayed FTP server information and requested a username:
Connecting to port 2175 with telnet returned “RFB 004.000”, the greeting of the RFB protocol used by VNC, which means it's a VNC port. Those seem to be the only entry points from the outside.
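The banner interpretation used above (the HTTP HEAD headers in the first step, the FTP greeting on port 2121 and the RFB greeting on port 2175) can be turned into a repeatable exposure check that an organization runs against its own external address. This is an added example, not part of the original report; the banner strings, the ProFTPD greeting and the hardening notes are constructed assumptions shaped like the responses the report describes.

```python
import re

# Constructed sample banners for the three exposures the report walks through
# (ports 80/2121/2175) plus the bannerless port 135.  The report did not reproduce
# the raw responses, so these strings are assumptions shaped like real ones.
SAMPLE_BANNERS = {
    80: ("HTTP/1.1 200 OK\r\n"
         "Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 FrontPage/5.0.2.2635\r\n"
         "Content-Type: text/html\r\n\r\n"),
    135: "",                                  # no greeting: Windows RPC endpoint mapper
    2121: "220 ProFTPD Server ready.\r\n",    # assumed FTP greeting on a non-standard port
    2175: "RFB 004.000\n",                    # RFB handshake: a VNC server
}


def disclosed_versions(server_header):
    """Products and versions a Server: header gives away, e.g. [('Apache', '2.2.14')]."""
    return re.findall(r"([A-Za-z_]+)/(\d[\w.]*)", server_header)


def identify_service(port, banner):
    """Classify one banner as (service, detail, hardening note)."""
    if banner.startswith("RFB "):              # RFB = Remote Framebuffer, the VNC protocol
        return ("vnc", "RFB protocol " + banner.split()[1],
                "lock out after repeated failed logins; do not expose to the internet")
    if re.match(r"220[ -]", banner):           # FTP greeting: 220 <text>
        return ("ftp", banner.splitlines()[0][4:].strip(),
                "lock out after repeated failed logins; prefer SFTP")
    if banner.startswith("HTTP/"):
        m = re.search(r"^Server:\s*(.+?)\r?$", banner, re.M)
        server = m.group(1) if m else ""
        note = ("hide versions (ServerTokens Prod)" if disclosed_versions(server)
                else "no version disclosure")
        return ("http", server, note)
    if port == 135 and not banner:
        return ("msrpc", "well-known DCOM/RPC endpoint-mapper port",
                "close at the router firewall unless specifically needed")
    return ("unknown", banner.strip()[:40], "investigate manually")


def audit(banners):
    """Run identify_service over every (port, banner) pair; returns {port: result}."""
    return {port: identify_service(port, text) for port, text in sorted(banners.items())}


if __name__ == "__main__":
    for port, (svc, detail, note) in audit(SAMPLE_BANNERS).items():
        print(f"{port:>5}  {svc:<7} {detail:<55} -> {note}")
```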
From the information gathered about the network there are multiple avenues of attack, the most obvious one being the wireless connection that extends a good distance from the building. Since the wireless connection is using WPA, it would be possible to capture the necessary packets and then leave the area to crack it. (Teska 2002) This of course would depend on someone using the wireless at the time. Because of this, it would be wise to have the access points log connections and to check the log for unknown MAC addresses. There also seem to be enough people to attempt some kind of human engineering. (Gaudin 2002) However, being such a small group of people means that each individual is going to know all the others, so one wouldn't be able to call and pretend to be someone on staff. This kind of attack would most likely have to take the form of pretending to be their internet service provider or webhost. To guard against this, staff should be trained never to give out information to someone who has called in. There is also the possibility of attempting an attack on the open ports discovered on the external IP address: 135, 2121, and 2175. With the knowledge that there is an FTP server listening on port 2121 and a VNC server listening on port 2175, brute force attacks could be made on both of them, so they should be configured to lock out after a certain number of tries. Finally, port 135, if not being specifically used, should be closed in the router's firewall.
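The recommendation above, to have the access points log connections and check the log for unknown MAC addresses, can be implemented as a small review script. This is an added example, not from the original report; the hostapd-style log lines, the access point names and the known-device inventory are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed association log for two access points named after the SSIDs in the
# report (CBC and CBC3); the line format is an assumption modelled on hostapd syslog.
SAMPLE_LOG = """\
Mar 28 09:31:02 ap-cbc hostapd: wlan0: STA 00:11:22:33:44:01 IEEE 802.11: associated
Mar 28 09:31:05 ap-cbc hostapd: wlan0: STA 00:11:22:33:44:01 WPA: pairwise key handshake completed (RSN)
Mar 28 11:02:40 ap-cbc3 hostapd: wlan1: STA 00:11:22:33:44:02 IEEE 802.11: associated
Mar 28 21:47:13 ap-cbc hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated
Mar 28 21:47:14 ap-cbc hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: disassociated
Mar 28 21:48:02 ap-cbc3 hostapd: wlan1: STA de:ad:be:ef:00:01 IEEE 802.11: associated
"""

# Device inventory the organization would maintain (constructed): MAC -> description.
KNOWN_MACS = {"00:11:22:33:44:01": "office PC", "00:11:22:33:44:02": "pastor's laptop"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<ap>\S+) hostapd: \S+: "
    r"STA (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) .*?: (?P<event>\w+)")


def parse_log(text):
    """Parse hostapd-style lines into dicts with ts, ap, mac and event; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def unknown_stations(events, known):
    """Map each MAC that associated but is not in the inventory to its (ap, ts) sightings."""
    sightings = defaultdict(list)
    for e in events:
        mac = e["mac"].lower()
        if e["event"] == "associated" and mac not in known:
            sightings[mac].append((e["ap"], e["ts"]))
    return dict(sightings)


if __name__ == "__main__":
    for mac, seen in unknown_stations(parse_log(SAMPLE_LOG), KNOWN_MACS).items():
        where = ", ".join(f"{ap} at {ts}" for ap, ts in seen)
        print(f"unknown station {mac}: {where}")
```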
References
Asadoorian, P., Douglas, M., & Strand, J. (2009). Best of Web Application Penetration Testing Tools. Retrieved from http://www.pdfqueen.com/html/aHR0cDovL3BhdWxkb3Rjb20uY29tL1RyaXBsZVBsYXktV2ViQXBwUGVuVGVzdGluZ1Rvb2xzLnBkZg==
Cerf, V. G. (1997). Computer Networking: Global Infrastructure for the 21st Century. Retrieved March 26, 2010, from http://www.cs.washington.edu/homes/lazowska/cra/networks.html
Gaudin, S. (2002). Social engineering: the human side of hacking. Datamation. Retrieved from http://itmanagement.earthweb.com/secu/article.php/1040881
Teska, B. (2008). How to Crack WPA / WPA2. SmallNetBuilder. Retrieved from http://www.smallnetbuilder.com/content/view/30278/98/