Passive Reconnaissance on Website

5749 words (23 pages) Essay

8th Feb 2020 Computer Science

Disclaimer: This work has been submitted by a university student. This is not an example of the work produced by our Essay Writing Service. You can view samples of our professional work here.


Table of Contents

INTRODUCTION

What is Passive Reconnaissance?

ABOUT THE ORGANIZATION: “THE NAIT”

Why NAIT

TARGETED ASSETS FOR ATTACK:

Impact and Severity

VULNERABILITY REPORT AND CORRESPONDING ATTACK PROPOSALS

Vulnerability 1: Online Observance Using Campus View

Physical Evaluation Plan

Exit Strategy

Vulnerability 2: Vulnerability in NAIT website

The website uses HTTP protocol instead of HTTPS for securing web content

The website uses an outdated jQuery library

Deficiencies in their web application upgrade

Covering the Tracks

Vulnerability 3: Usage of Online Footprinting tools to gather information

Using FOCA TOOL

Using NetCraft tool

Using WHOIS Command

CONCLUSION

APPENDIX

CITATIONS

INTRODUCTION

In this assignment, passive reconnaissance was performed on the NAIT website, http://www.nait.ca, and important results were obtained regarding the organization's online behaviour. As a four-member team, we aim to conduct passive reconnaissance to gather information on a target company; this information will then be used as an attack vector for our active attacks. Our research yielded information such as the domain name, the corresponding IP addresses of the hosts and servers, reverse DNS, the web host name and the location of the server. Furthermore, we also discovered and analysed many files, such as .doc, .pdf and .xls, from online public sources, which in turn gave valuable information about the organization: the usernames of the employees who created those files, the software used to create them, the date of creation, the date of last edit, the server they were uploaded to, the operating system in use, etc. All this critical information about the organization's internet footprint was easily available from public sources.

What is Passive Reconnaissance?

The term passive reconnaissance derives from military usage, where reconnaissance means information gathering. Gathering information about a target without letting the target know about it is called passive reconnaissance. Attackers can gain useful information about an organization and its employees from the Internet, especially social media. Attackers use this information to determine the management hierarchy and targets of interest, which is generally used to plan subsequent attacks.

ABOUT THE ORGANIZATION: “THE NAIT”

The Northern Alberta Institute of Technology (NAIT) is a polytechnic and applied sciences institute in Edmonton, Alberta, Canada. NAIT provides career programs in applied research, technical training, applied education, and learning designed to meet the demands of Alberta's technical and knowledge-based industries. NAIT offers approximately 120 credit programs leading to degrees, applied degrees, diplomas and certificates. As of 2018, there are approximately 16,000 students in credit programs, 12,000 apprentices registered in apprenticeship training, 14,500 students enrolled in non-credit courses, and more than 20,000 registrants for customized corporate-based training. NAIT also attracts international students from 94 countries. NAIT is similar to an institute of technology or university of applied sciences, as termed in other jurisdictions [7].

Why NAIT:

Firstly, a reputed educational institution like NAIT holds an enormous amount of personally identifiable information (PII). Personally identifiable information (including SSNs), payment information and medical records of applicants, students, alumni and faculty are stored and processed by campus systems. That amount of sensitive data is enormous; the average cost of a data record from a university is estimated at $200, and hacking a university is a lucrative business deal for any attacker [8].

Secondly, choosing NAIT as a passive attack target is meant to gain information about students in order to deceive them through grant fraud. This is where students are sent phishing emails purporting to offer free grants or requesting that bank details be updated so that loans can be paid. NAIT also holds incredibly valuable and commercially sensitive research data.

NAIT does not support active and rigorous monitoring of events and security logs when an attack happens, because NAIT allows BYOD (Bring Your Own Device), which may be the source of many network attacks, and it lacks strong event management systems that filter or track threats, vulnerabilities and attacks among the thousands of requests that hit NAIT servers per minute.

TARGETED ASSETS FOR ATTACK:

The asset intended for attack here is the NAIT database.

Impact and Severity:

If NAIT's database is attacked, its competitors will gain a business advantage, as NAIT's reputation would be highly impacted.

VULNERABILITY REPORT AND CORRESPONDING ATTACK PROPOSALS:

Vulnerability 1: Online Observance Using Campus View

Vulnerability 2: Vulnerability in NAIT website

Vulnerability 3: Usage of Online Footprinting tools to gather information

Vulnerability 1: Online Observance Using Campus View

All detailed information about the campus, including the entry and exit points, is displayed online and can be viewed using the Campus View option on NAIT's website.

The details are available in campus and map view along with floor plan details, which is essential for developing a strong strategic plan for active attacks. Evidence is shown below:

Attack proposal:

      Dates of entry into NAIT Campus:

  • June 20, 2019 – PCRG & Quench [1]
  • June 29, 2019 – Spring term ends for 8-week programs [2]

      Modes of entry:

  • Through the building at the location (11760 109 St NW, Edmonton, AB T5G 2T8) which is available for rent for outsiders.
  • Through Tim Hortons (Bytes) in HP Centre for Information and Communication Technology

      Target Centers:

  • Admin Building
  • HP Centre for Information and Communication Technology (Research and Innovation Centres)

Physical Evaluation Plan

    All the information about the inside of the NAIT campus is derived from NAIT Campus View [3]

      Plan-1

During the PCRG & Quench event, we plan to use the building available for rent, as this building shares a fence with the NAIT main campus. Since this is a huge event, the security will be around the event location, which is far away from this building, and getting inside is very easy. The admin building will be the target centre, which is diagonally located from the place of entry. This gives a clear view, as the space in between them is the parking area. On successful entry into the admin building, where the core administration is done, by gaining access to the systems with high-privileged access, we can compromise them using the vulnerabilities we have found. If the computers are placed in a secure room, our next plan is to use the ceiling for entering the room, as it has the typical air duct ventilation system.

      Plan-2

If this entry point is obstructed and the attack cannot be carried out on that day, the fallback plan, which can be implemented on any day, starts at Tim Hortons in the HP Centre for Information and Communication Technology block of NAIT, which is on the opposite side of the main campus. Ways of entry include direct entry to the block, or using the walkway from the main campus, which gives us enough access to that block.

Above Tim Hortons there is a computer lab filled with many systems, which are vulnerable as they do not automatically log out after an idle period.

After we gain access to the systems inside the NAIT network, we plan to use the vulnerabilities we have found.

Exit Strategy

Physical exit can normally be through the main gate or, if stuck in any room, we plan to use the ceiling, as it is a typical air vent system which gives us enough room to escape. In times of urgency, or if the attackers are spotted, we can use the fire sprinkler system to create a distraction and get out of the location by alerting everyone and causing a rush out.

Vulnerability 2: Vulnerability in NAIT website

NAIT's website has numerous vulnerabilities, listed below:

The website uses HTTP protocol instead of HTTPS for securing web content

Attack proposal:

By exploiting the use of plain HTTP, we can:

  • Perform SQL injection to gain access to NAIT databases, which contain confidential and sensitive data such as personal information and SIN numbers of staff and students, department research findings, other proprietary information, and payment details stored for regular use.
  • Using cross-site scripting (XSS), redirect payment pages such as http://www.nait.ca/shoppingcart.htm to a malicious web page that tricks users into revealing their payment details on our fabricated website.
  • Gain access to any user's identity and perform a DoS attack, or use their identity to manipulate data inside the web application, since HTTP opens the way to broken authentication and session management.
  • Use insecure direct object references such as http://www.nait.ca/includes/nait_responsive_050415/js/scripts-published.min.js to access files that are not supposed to be publicly available or that contain business information.
  • Using cross-site request forgery (CSRF), obtain users' sensitive information such as bank details, social account information, etc.
  • Domain spoofing, BGP hijacking and DNS hijacking can also be attempted using this vulnerability.

The website uses an outdated jQuery library

Attack Proposal:

  • Exploiting this outdated UI development framework, jQuery (v1.11.2), using CVE-2019-11358, CVE-2016-10707, CVE-2016-7103 and CVE-2015-9251 from https://www.cvedetails.com/, we can take advantage of the pitfalls in their web application upgrade described below.

Deficiencies in their web application upgrade

Generally, when a system or application upgrade happens, it does not happen all at once. This is especially the case for web applications, where many other dependent services, applications and technologies may prevent the upgrade from completing in a single go. So the web application migration phase is more vulnerable to attacks, as the upgrade happens stage by stage, which leaves a lot of room for error. By analysing carefully, the vulnerabilities found here are:

      Disabled HSTS

  • With this vulnerability, we can attack the pages or parts of the application that have been migrated to HTTPS with an SSL strip attack or HTTP downgrade attack, downgrading those parts to HTTP and exploiting the HTTP vulnerability again on those pages, which also gives us a way into the application even where it is secured.
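The two conditions the text relies on, a plain-HTTP endpoint that still serves content (the first vulnerability above) and an HTTPS endpoint without an HSTS policy (this one), are both visible in response headers, so a defender can check for them during an internal assessment. The following is an added example and not code from the essay: a small Python audit that takes the status and headers returned by http://host/ and https://host/ and flags what makes a downgrade possible. The host names and header values are constructed samples, and the one-year max-age threshold is the minimum the HSTS preload list asks for.

```python
"""Check a host's HTTP-to-HTTPS redirect and HSTS policy from captured headers.

Added example (not part of the essay). Input is the status and headers that
fetches of http://host/ and https://host/ returned; the samples at the bottom
are constructed, not captured from any real site.
"""
from dataclasses import dataclass

# One year: the minimum max-age the HSTS preload list requires.
MIN_MAX_AGE = 31536000


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    message: str


def parse_hsts(value):
    """Split a Strict-Transport-Security value into directives (RFC 6797).

    Names are case-insensitive; max-age is converted to int, or None when
    malformed. "max-age=300; includeSubDomains" ->
    {"max-age": 300, "includesubdomains": True}.
    """
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            try:
                directives[name] = int(val.strip().strip('"'))
            except ValueError:
                directives[name] = None
        else:
            directives[name] = True
    return directives


def audit(http_status, http_headers, https_headers):
    """Return the list of Findings for one host (empty list means no issue).

    http_status, http_headers: response to GET http://host/
    https_headers:             response to GET https://host/
    """
    findings = []
    http_h = {k.lower(): v for k, v in http_headers.items()}
    https_h = {k.lower(): v for k, v in https_headers.items()}

    # Check 1: the plain-HTTP endpoint should do nothing but redirect to HTTPS.
    location = http_h.get("location", "").strip().lower()
    if not (300 <= http_status < 400 and location.startswith("https://")):
        findings.append(Finding("high",
            "http:// serves content instead of redirecting to https://"))

    # Check 2: the HTTPS response must carry an HSTS policy strong enough that a
    # returning browser refuses to be downgraded to HTTP.
    hsts = https_h.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("high",
            "no Strict-Transport-Security header; browsers will accept a downgrade"))
        return findings
    directives = parse_hsts(hsts)
    max_age = directives.get("max-age")
    if max_age is None:
        findings.append(Finding("high", "HSTS max-age is missing or malformed"))
    elif max_age == 0:
        findings.append(Finding("high", "HSTS max-age=0 tells browsers to forget the policy"))
    elif max_age < MIN_MAX_AGE:
        findings.append(Finding("medium",
            f"HSTS max-age {max_age}s is below the recommended {MIN_MAX_AGE}s"))
    if "includesubdomains" not in directives:
        findings.append(Finding("low",
            "HSTS lacks includeSubDomains; subdomains stay downgradable"))
    return findings


# Constructed samples: a pre-migration host and a correctly migrated one.
LEGACY = (200, {"Content-Type": "text/html"}, {"Content-Type": "text/html"})
MIGRATED = (301, {"Location": "https://www.example.test/"},
            {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(name, [f"{f.severity}: {f.message}" for f in audit(*sample)] or ["ok"])
```

Run against every hostname found in the organization's DNS, the output is the "which parts are still on HTTP" inventory that the migration section below reconstructs by hand.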

      Network calls are moved temporarily

  • This vulnerability can be exploited to find the similarities between the old and new versions of the web application, so that while estimating the directory structure and other details of the new version, we can find defects in the old version that are still part of the new version from a programming perspective.

      Using the same libraries as in the old version

  • Upgraded parts of the application still use the same libraries that were used in the old versions. This still gives a way to exploit those vulnerabilities even after the complete upgrade happens. In this case we can get that information from the URL of the library file or from a predefined property of the jQuery object: jQuery.fn.jquery

Evidence:

  • Pre-Migration pages or sites

http://www.nait.ca/includes/nait_responsive_050415/js/libs/jquery-1.11.2.min.js    (Base file for entire application)

  • Post-Migration pages or sites

https://accounts.nait.ca (jQuery -> “1.10.2”)

https://one.nait.ca/OneWeb/Scripts/jquery-1.11.0.min.js
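The evidence above identifies the jQuery version in two ways: from the version embedded in the script filename, and from the version string the library exposes at run time (jQuery.fn.jquery, which comes from the same banner comment at the top of the file). The following is an added example, not the essay's or the site's code: a Python audit that collects the script tags of a page offline, reads the version from the filename or the file's banner, and reports which of the two jQuery core CVEs in the appendix still apply (the other two entries there concern a 3.0.0 release candidate and jQuery UI, so they are not keyed on the core version). The HTML and the banner string are constructed samples, not captures of any real site.

```python
"""Inventory jQuery versions a page loads and map them to the appendix's CVEs.

Added example, not from the essay. Works offline on saved HTML or a downloaded
jQuery file; the inputs at the bottom are constructed samples.
"""
import re
from html.parser import HTMLParser

# jQuery core CVEs listed in the appendix and the first release that fixes each.
# CVE-2016-10707 (only a 3.0.0 release candidate) and CVE-2016-7103 (jQuery UI,
# not core) are not decided by the core version and so are left out.
FIXED_IN = {
    "CVE-2015-9251": (3, 0, 0),
    "CVE-2019-11358": (3, 4, 0),
}

# "jquery-1.11.2.min.js" in a src attribute; "/*! jQuery v1.11.2 ..." in the banner.
FILENAME_VERSION = re.compile(r"jquery[-.](\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
BANNER_VERSION = re.compile(r"jQuery\s+v(\d+)\.(\d+)\.(\d+)")


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def version_from_filename(src):
    """(major, minor, patch) from a versioned jQuery filename, else None."""
    m = FILENAME_VERSION.search(src)
    return tuple(int(g) for g in m.groups()) if m else None


def version_from_banner(js_text):
    """Version from the '/*! jQuery vX.Y.Z ...' comment that starts the file."""
    m = BANNER_VERSION.search(js_text[:512])
    return tuple(int(g) for g in m.groups()) if m else None


def open_cves(version):
    """CVEs from FIXED_IN that still apply to the given (major, minor, patch)."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit_html(html):
    """[(script src, 'X.Y.Z', [open CVEs])] for each versioned jQuery script."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    results = []
    for src in collector.srcs:
        version = version_from_filename(src)
        if version is not None:
            results.append((src, ".".join(map(str, version)), open_cves(version)))
    return results


# Constructed sample page: one legacy copy, one patched copy, one unrelated script.
SAMPLE_HTML = """
<html><head>
<script src="/includes/js/libs/jquery-1.11.2.min.js"></script>
<script src="https://cdn.example.test/jquery-3.4.1.min.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>
"""
# Constructed banner in the format jQuery's minified builds use.
SAMPLE_BANNER = "/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license */"

if __name__ == "__main__":
    for src, version, cves in audit_html(SAMPLE_HTML):
        print(f"{src}: jQuery {version} -> {cves or 'no listed CVE'}")
    print("banner version:", version_from_banner(SAMPLE_BANNER))
```

Running this over every page of both the pre-migration and post-migration sites gives the defender the same list the text assembles by hand, and the comparison of the two lists shows exactly which libraries the upgrade carried forward unchanged.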

Covering the Tracks

After the attack and collecting the information needed from the target centres, it is compulsory to clear our tracks. By using the Tor Browser we make our identity anonymous, which hides the attacker's information. But the Tor Browser gives out information about the Tor exit node, which is the reason we are planning an inside attack using their own systems and network, so that it cannot be traced back to the attacker. In addition, all the data is gathered on a portable external hard drive, easy enough to carry and escape with. The systems used for the attack need to be sanitized in the following sequence:

1) Registries, both hardware and software, need to be cleared.

2) The system should undergo a hard reset followed by flashing a brand-new copy of the same operating system, which is Windows 10, as derived from NAIT Campus View [3].

3) The hard disks need to be disconnected and wiped using DBAN [4].

4) Dell Inspiron One (all-in-one: CPU integrated in the monitor) computers are used in the library at the HP Centre for Information and Communications Technology block. Physical tampering or the use of physical force is visible and draws attention. To tamper with the disks, chemical acid applied with a syringe or a strong electromagnet will damage the hard drive.

Vulnerability 3: Usage of Online Footprinting tools to gather information

Using FOCA TOOL

FOCA is an easy-to-use GUI tool made for Windows whose main purpose is to extract metadata from the documents published on a given website. FOCA automates the process of finding and downloading all the public documents of various formats from the website, analysing them, and presenting the analysed information in a human-readable format in the FOCA Windows GUI [6].
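The metadata FOCA reports (author username, last editor, creation and edit dates, application, company) lives in two small XML parts inside every Office Open XML file, and the same fields can be stripped before a document is published. The following is an added example, not the essay's or FOCA's code: it builds a minimal .docx in memory, shows what extract_metadata() would hand an analyst, and produces the sanitized copy with strip_metadata(). The document contents and the names in it are constructed for the example.

```python
"""Extract and strip the document metadata that footprinting tools harvest.

Added example (not the essay's or FOCA's code). .docx/.xlsx/.pptx files are
zip archives; docProps/core.xml holds author, last editor and timestamps,
docProps/app.xml holds the application and company. The sample file is built
in memory, so nothing is read from disk.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Field name -> element, for both property parts.
CORE_FIELDS = {"title": "dc:title", "creator": "dc:creator",
               "last_modified_by": "cp:lastModifiedBy",
               "created": "dcterms:created", "modified": "dcterms:modified"}
APP_FIELDS = {"application": "Application", "company": "Company"}
# Removed before publishing: identities and timestamps, but not the title.
STRIP_CORE = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")
STRIP_APP = ("Company",)


def build_sample_docx():
    """Constructed minimal .docx carrying the property parts a real file has."""
    core = (
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:xsi="{xsi}"><dc:title>Revenue summary</dc:title>'
        '<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>asmith</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2019-03-01T10:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2019-03-02T11:00:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ).format(**CORE_NS)
    app = (f'<Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application>'
           '<Company>Example Org</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")  # body is irrelevant here
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Return {field: value or None} for what a footprinting tool would read."""
    meta = {key: None for key in list(CORE_FIELDS) + list(APP_FIELDS)}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in CORE_FIELDS.items():
                el = root.find(path, CORE_NS)
                meta[key] = el.text if el is not None else None
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for key, tag in APP_FIELDS.items():
                el = root.find(f"{{{APP_NS}}}{tag}")
                meta[key] = el.text if el is not None else None
    return meta


def strip_metadata(docx_bytes):
    """Return a copy of the archive with the STRIP_* elements removed."""
    for prefix, uri in CORE_NS.items():
        ET.register_namespace(prefix, uri)   # keep the original prefixes on output
    ET.register_namespace("", APP_NS)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for path in STRIP_CORE:
                    for el in root.findall(path, CORE_NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8")
            elif item.filename == "docProps/app.xml":
                root = ET.fromstring(data)
                for tag in STRIP_APP:
                    for el in root.findall(f"{{{APP_NS}}}{tag}"):
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8")
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("as published:", extract_metadata(original))
    print("after strip: ", extract_metadata(strip_metadata(original)))
```

Running extract_metadata() over every document already on the public web site is the document half of the internal assessment the conclusion recommends; running strip_metadata() in the publishing workflow stops new leaks.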

Upon analysing the documents, we were able to fetch important details about NAIT's revenue summary, details of the donors who sponsor scholarships, and various research titles submitted by NAIT.

The evidence is attached below:

Attack Proposal

The students' details and the donor details will be used to deceive the students through grant fraud. This is where students are sent phishing emails purporting to offer free grants or requesting that bank details be updated so that loans can be paid. NAIT also holds incredibly valuable and commercially sensitive research data, which would be sold on the black market or to its competitors to collapse its reputation.

Using NetCraft tool

The NetCraft tool tracks almost all websites. Using this tool, we can obtain all the domains and a site report with information such as registrar information, location, DNS admin email address, hosting company, netblock owner, etc. It also lets us look at the hosting history with the name and version of the web server, and displays which web technologies have been used on the website [6].

Attack Proposal

The IP address blocks and server details will be used to initiate IP spoofing, and the DNS server details will be used to initiate DNS cache poisoning.

Using WHOIS Command

The whois command queries the databases that store information on the registered users of an Internet resource, such as a domain name or IP address. Depending on the database queried, the response to a whois request will provide names, physical addresses, phone numbers and e-mail addresses [6].

Attack Proposal

Using the whois command along with other information such as location, it is straightforward to craft a physical attack, and domain expiry dates can be used for crafting phishing attacks. Please refer to the screenshots below for the whois output:
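The WHOIS fields the text singles out (contact names and e-mail addresses, the expiry date) are the same fields an organization should be reviewing about its own domains. The following is an added example, not the essay's code: a Python reviewer that parses the "Key: value" layout gTLD registries return, warns when the expiry date is near enough to be abused in a renewal-themed lure, when the registrar transfer lock is not set, and when a contact address names an individual rather than a role mailbox. The record, domain and addresses are constructed, not a real whois response; the threshold and the role-mailbox list are assumptions to tune.

```python
"""Review a WHOIS record for the registration weaknesses an attacker looks for.

Added example (not the essay's code). SAMPLE_WHOIS is constructed; real output
differs by registry, but "Key: value" lines are the common gTLD layout.
"""
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar Inc.
Updated Date: 2019-01-15T09:12:00Z
Creation Date: 2001-06-01T00:00:00Z
Registry Expiry Date: 2019-07-10T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Example Organization
Registrant Email: j.doe@example.test
Admin Email: hostmaster@example.test
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
>>> Last update of whois database: 2019-05-25T00:00:00Z <<<
"""

# Generic mailboxes that do not identify an individual (assumed list).
ROLE_MAILBOXES = {"hostmaster", "postmaster", "webmaster", "dns", "domains",
                  "noc", "abuse", "security", "admin"}
EXPIRY_WARNING_DAYS = 60   # assumed threshold


def parse_whois(text):
    """'Key: value' lines -> {lowercased key: [values]}; keys may repeat."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def review_whois(text, today):
    """Return a list of findings; `today` is a timezone-aware datetime."""
    rec = parse_whois(text)
    findings = []

    expiry = rec.get("registry expiry date", [None])[0]
    if expiry is None:
        findings.append("no expiry date in record; renewal cannot be monitored")
    else:
        exp = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        days = (exp - today).days
        if days < 0:
            findings.append(f"domain expired {-days} days ago")
        elif days <= EXPIRY_WARNING_DAYS:
            findings.append(f"domain expires in {days} days; renew now and brief staff "
                            "that renewal-themed e-mail is a known lure")

    statuses = " ".join(rec.get("domain status", [])).lower()
    if "clienttransferprohibited" not in statuses:
        findings.append("registrar transfer lock (clientTransferProhibited) is not set")

    for key in ("registrant email", "admin email", "tech email"):
        for email in rec.get(key, []):
            local = email.split("@", 1)[0].lower()
            if local not in ROLE_MAILBOXES:
                findings.append(f"{key} {email} names a person; use a role mailbox")
    return findings


if __name__ == "__main__":
    for finding in review_whois(SAMPLE_WHOIS, datetime.now(timezone.utc)):
        print("-", finding)
```

The same parser can be pointed at the records of every domain the organization owns, so that what the text calls a phishing input becomes a scheduled check with an owner.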


CONCLUSION

In this report we have carried out a passive reconnaissance attack by performing target and asset identification, target assessment, a vulnerability report and an attack proposal for planned active attacks. Even though the scope of the lab is to perform passive reconnaissance only, we go a step further and introduce a proposal to reduce the exposure to passive reconnaissance.

One approach is to do an internal assessment. The task of the internal security team is to act like an adversary: identify valuable information from the internet and social media, and then estimate the damage that could be caused using that information. We must make sure that we keep track of all the public information that is readily available on the internet, such as DNS lookups, WHOIS information and all publicly hosted files, and make sure that no valuable information can be extracted by an attacker that could prove harmful to the organization if an attack were conducted in the future. This includes sensitive research on nuclear power plants and cybersecurity defence. Stolen research papers are indeed sold on the black market for large sums.

Another approach is to create and spread information about fake personas to deceive attackers about an organization and its employees. This approach makes the attack costlier by misleading attackers in the wrong direction.

With these considerations in place, an organization will not fall into the trap of passive reconnaissance so easily.

APPENDIX

  1. JQuery Vulnerability list [9]

#  CVE ID          CWE ID  # of Exploits  Vulnerability Type(s)  Publish Date  Update Date  Score  Gained Access Level  Access  Complexity  Authentication  Conf.  Integ.   Avail.
1  CVE-2019-11358  79                     XSS                    2019-04-19    2019-05-20   4.3    None                 Remote  Medium      Not required    None   Partial  None
   jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
2  CVE-2016-10707  400                    DoS                    2018-01-18    2018-02-02   5.0    None                 Remote  Low         Not required    None   None     Partial
   jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.
3  CVE-2016-7103   79                     XSS                    2017-03-15    2019-04-23   4.3    None                 Remote  Medium      Not required    None   Partial  None
   Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
4  CVE-2015-9251   79                     XSS                    2018-01-18    2019-05-10   4.3    None                 Remote  Medium      Not required    None   Partial  None
   jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

  2. List of websites that support HTTP communication

remote address: 0.0.0.0:80

  3. List of websites that have migrated to HTTPS service

0.0.0.0:443  ASP.NET 4.0

CITATIONS

[1] "PCRG & QUENCH", NAIT, 2019. [Online]. Available: http://www.nait.ca/98870_104354.htm. [Accessed: 25-May-2019].

[2] "Important Dates & Events", NAIT, 2019. [Online]. Available: http://www.nait.ca/98870.htm?type=dates. [Accessed: 25-May-2019].

[3] "Campus View", NAIT, 2019. [Online]. Available: http://www.nait.ca/102065.htm. [Accessed: 25-May-2019].

[4] "Darik's Boot and Nuke – DBAN", Darik's Boot And Nuke, 2019. [Online]. Available: https://dban.org/. [Accessed: 25-May-2019].

[5] "JQuery Vulnerability list", CVE Details. [Online]. Available: https://www.cvedetails.com/vulnerability-list/vendor_id-6538/Jquery.html. [Accessed: 25-May-2019].

[6] UKEssays. [Online]. Available: https://www.ukessays.com/essays/computer-science/passive-reconnaissance-website-9999.php.

[7] "About NAIT", Wikipedia. [Online]. Available: https://en.wikipedia.org/wiki/Northern_Alberta_Institute_of_Technology.

[8] "Why schools are vulnerable". [Online]. Available: https://sniperwatch.com/education/.

[9] CVE Details. [Online]. Available: https://www.cvedetails.com/vulnerability-list.php?vendor_id=6538&product_id=0&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=8&sha=cb2a1701a62483883bb26bfed4bac08a56f263d1
