Enterprise Intrusion Analysis
Enterprise Intrusion Analysis Student Guide
SC375_REVA
D62034GC10
Edition 1.0
D63867

Copyright © 2006, 2009, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information, is provided under a license agreement containing restrictions on use and disclosure, and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except as expressly permitted in your license agreement or allowed by law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Sun Microsystems, Inc. Disclaimer

This training manual may include references to materials, offerings, or products that were previously offered by Sun Microsystems, Inc. Certain materials, offerings, services, or products may no longer be offered or provided. Oracle and its affiliates cannot be held responsible for any such references should they appear in the text provided.

Restricted Rights Notice

If this documentation is delivered to the U.S. Government or anyone using the documentation on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.
Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd.

Table of Contents

About This Course ............................................................ i
    Course Goals ............................................................. i
    Course Map .............................................................. ii
    Topics Not Covered ..................................................... iii
    How Prepared Are You? ................................................... iv
    Introductions ............................................................ v
    How to Use the Course Materials ......................................... vi
    Conventions ............................................................ vii
        Icons .............................................................. vii
        Typographical Conventions ......................................... viii

Introducing Enterprise Intrusion Analysis .................................. 1-1
    Objectives ............................................................. 1-1
    Additional Resources ................................................... 1-2
    Introducing Enterprise Intrusion Analysis .............................. 1-3
    Identifying Attacker Methodology ....................................... 1-4
        Outsider Attacker Methodology ...................................... 1-4
        Insider Attacker Methodology ....................................... 1-6
    Identifying Investigator Methodology ................................... 1-7
    Module Summary ......................................................... 1-8

Enterprise Footprinting .................................................... 2-1
    Objectives ............................................................. 2-1
    Additional Resources ................................................... 2-2
    Introducing Enterprise Footprinting .................................... 2-3
        Least Disclosure and Privilege ..................................... 2-3
    Revealing Technical Engineering Methods ................................ 2-4
        Finding Systems - Active Footprinting .............................. 2-4
            Domain Name Service – DNS Queries .............................. 2-5
            Domain Name Service – DNS Zone Transfers ....................... 2-6
            Internet Control Messaging Protocol – Single ping Requests ..... 2-8
            Internet Control Messaging Protocol – Broadcast ping Requests .. 2-8
            Discovering Open Ports and Services – Using telnet ............. 2-9
        Finding Systems – Passive Footprinting ............................ 2-11
            Domain Registrar Queries ...................................... 2-11
            Google Search Engine Queries .................................. 2-13
        Discovering Remote and Vulnerable Services ........................ 2-16
            Banner Enumeration ............................................ 2-16
            TCP/UDP Port Scanning ......................................... 2-17
        Finding User Accounts ............................................. 2-21
            Querying the sendmail daemon .................................. 2-21
            Querying Remote Account Information Services .................. 2-22
            Brute Force Log-in Attempts ................................... 2-23
    Revealing Social Engineering Methods .................................. 2-25
        Exploiting the People Factor – Conning ............................ 2-25
            Appearance .................................................... 2-25
            Credibility ................................................... 2-26
            Distraction ................................................... 2-26
            Helpful Desires ............................................... 2-26
            Reactance ..................................................... 2-27
            Fear .......................................................... 2-27
        Exploiting the Proximity Factor ................................... 2-28
            Dumpster Diving ............................................... 2-28
            Cell Phone Camera ............................................. 2-29
            Other Social Engineering Proximity Attacks .................... 2-29
    Module Summary ........................................................ 2-30
    Exercise: Performing System Fingerprinting ............................ 2-31
        Preparation ....................................................... 2-31
        Task 1 – Using DNS and ICMP to Identify Target Systems ............ 2-31

Introducing Enterprise Intrusion Analysis, page i. Copyright 2006 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A. SC 375 - Enterprise Intrusion Analysis for Investigators.