Unit 2

Ethical Hacking - Footprinting

Footprinting Overview

Footprinting is the blueprinting of the security profile of an organization,

undertaken in a methodological manner. Footprinting is a passive process of
that is designed to profile an organization with respect to networks (Internet
/ Intranet / Extranet / Wireless).

Footprinting Steps

Internet Footprinting

1. Get Proper Authorization

2. Define the Scope of the Assessment
3. Find Publicly Available Information
4. Perform WHOIS & DNS Enumeration
5. Attempt DNS Interrogation
6. Perform Network Reconnaissance

1: Get Proper Authorization

Ethical Hackers and professional penetration testers must obtain

authorization in writing before beginning the security assessment
2: Define the Scope of the Assessment

During discussions with the client you may determine the assessment scope
will include:

 The entire organization

 Only certain locations
 Business partner connections
 The clients disaster-recovery sites

3: Find Publicly Available Information

The first place to begin the security assessment is the company's web site
following an initial review of the website you will next want to examine the
following:

 Review Archived Information

 Examine The Wayback Machine
 Ripe the web site tools such as Wget and Teleport Pro
 Look for other sites beyond the main site of "www" such as:
o Outlook Web Access
o https://owa.company.com or https://outlook.company.com
o Virtual Private Networks (VPNs)
o http://vpn.company.com or http://www.company.com/vpn
o Examine any related organizations for backend connectivity
 Scan the web for:
o Phone Numbers, Contact Names, E-mail Addresses, and Personal
Details
o Current Events
o Mergers, scandals, layoffs, etc. create security holes
o Privacy or Security Policies, and Technical Details Indicating the
Types of Security Mechanisms in Place
o Extract data from Usenet
o Review Groups.google.com
o Search for Employee Resumes
o Perform Google Hacking
 Examine Web 2.0 sites
o Search Facebook
o Examine Blogs
o Find Disgruntled Employee Web Sites
 Map the Physical Address
o Google Maps / Google Earth
o Microsoft Live
 Visit the Physical Location and consider techniques such as:
 o Dumpster-diving
o Surveillance
o Social Engineering

4: Perform WHOIS & DNS Enumeration

Examine Internet Assigned Numbers Authority (IANA) and Regional Internet

Registry (RIR) data:

 Manual Process - Three Steps:

o Authoritative Registry for top-level domain
o Domain Registrar
o Finds the Registrant
 Automated Process - Available Tools
o Whois.com
o Sam Spade
o SuperScan

5: Attempt DNS Interrogation

Perform a Zone Transfer via Windows or Linux. When successful you will
obtain a list of all the hosts and IP addresses.

6: Perform Network Reconnaissance

 Manual - Traceroute or Tracert

o Windows Tracert uses ICMP
o Linux Traceroute uses UDP by default
 Automatic - Neotrace, Trout or other traceroute software.

 what is authoritative dns serve?

An authoritative name server is a name server that gives answers that have
been configured by an original source, for example, the domain
administrator or by dynamic DNS methods, in contrast to answers that
were obtained via a regular DNS query to another name server. An
authoritative-only name server only returns answers to queries about
domain names that have been specifically configured by the
administrator.An authoritative name server can either be a master server or
a slave server. A master server is a server that stores the original (master)
copies of all zone records. A slave server uses an automatic updating
 mechanism of the DNS protocol in communication with its master to
maintain an identical copy of the master records.

 2.what is non-authoritative dns serve?

Non authoritative name servers do not contain copies of any domains.
Instead they have a cache file that is constructed from all the DNS lookups
it has performed in the past for which it has gotten an authoritative
response. When a non-authoritative server queries an authoritative server
and receives an authoritative answer, it passes that answer along to the
querier as an authoritative answer. Thus, non-authoritative servers can
answer authoritatively for a given resolution request. However, non-
authoritative servers are not authoritative for any domain they do not
contain specific zone files for. Most often, a non-authoritative server
answers with a previous lookup from its lookup cache. Any answer
retrieved from the cache of any server is deemed non-authoritative
because it did not come from an authoritative server.

understading the imformation gathering methodology

of the hackers
The EC-Council divides footprinting and scanning into seven basic steps. These
include

1. Information gathering
2. Determining the network range
3. Identifying active machines
4. Finding open ports and access points
5. OS fingerprinting
6. Fingerprinting services
7. Mapping the network

Information Gathering
The information gathering steps of footprinting and scanning are of utmost
importance. Good information gathering can make the difference between a
successful pen test and one that has failed to provide maximum benefit to the
client. An amazing amount of information is available about most organizations in
business today. This information can be found on the organization's website,
trade papers, Usenet, financial databases, or even from disgruntled employees.
Some potential sources are discussed, but first, let's review documentation.

 Documentation
 The Organization's Website
 Job Boards
 Alternative Websites
 Google Hacking

Determining the Network Range

Objective:
Locate the network range

Now that the pen test team has been able to locate name, phone numbers,
addresses, some server names, and IP addresses, it's important to find out what
range of IP addresses are available for scanning and further enumeration. If you
take the IP address of a web server discovered earlier and enter it into the Whois
lookup at www.arin.net, the network's range can be determined.

Identifying Active Machines

Objective:

Identify active machines

Attackers will want to know if machines are alive before they attempt to attack.
One of the most basic methods of identifying active machines is to perform a
ping sweep. Although ping is found on just about every system running TCP/IP, it
has been restricted by many organizations. Ping uses ICMP and works by
sending an echo request to a system and waiting for the target to send an echo
reply back. If the target device is unreachable, a request time out is returned.
Ping is a useful tool to identify active machines and to measure the speed at
which packets are moved from one host to another or to get details like the
TTL. Figure 3.7 shows a ping capture from a Windows computer. If you take a
moment to examine the ASCII decode in the bottom-left corner, you will notice
that the data in the ping packet is composed of the alphabet, which is unlike a
Linux ping, which would contain numeric values. That's because the RFC that
governs ping doesn't specify what's carried in the packet as payload. Vendors fill
in this padding as they see fit. Unfortunately, this can also serve hackers as
a covert channel. However, hackers can use a variety of programs to place their
own information in place of the normal padding. Then what appears to be normal
pings are actually a series of messages entering and leaving the network.

Ping does have a couple of drawbacks: First, only one system at a time is pinged
and second, not all networks allow ping. To ping a large amount of hosts, a ping
sweep is usually performed. Programs that perform ping sweeps typically sweep
through a range of devices to determine which ones are active. Some of the
programs that will perform ping sweeps include

 Angry IP Scanner
 Pinger
 WS_Ping_ProPack
 Network scan tools
 Super Scan
 Nmap

Finding Open Ports and Access Points

Objective:

Understand how to map open ports and identify their underlying

applications

With knowledge of the network range and a list of active devices, the next step is
to identify open ports and access points. Identifying open ports will go a long way
toward potential attack vectors. There is also the possibility of using war dialing
programs to find ways around an organization's firewall. If the organization is
located close by, the attacker might war drive the area to look for open access
points.

Port Scanning
Objective:

Describe the differences between TCP and UDP scanning

Port scanning is the process of connecting to TCP and UDP ports for the
purpose of finding what services and applications are running on the target
device. After running applications, open ports and services are discovered, the
hacker can then determine the best way to attack the system.

OS Fingerprinting
Objectives:

Describe passive fingerprinting

State the various ways that active fingerprinting tools work

At this point in the information gathering process, the hacker has made some real
headway. IP addresses, active systems, and open ports have been identified.
Although the hacker might not yet know the type of systems he is dealing with,
he is getting close. There are two ways in which the hacker can attempt to
identify the targeted devices. The hacker's first choice is passive fingerprinting.
The hacker's second choice is to perform active fingerprinting, which basically
sends malformed packets to the target in hope of eliciting a response that will
identify it. Although active fingerprinting is more accurate, it is not as stealthy as
passive fingerprinting.

Passive fingerprinting is really sniffing, as the hacker is sniffing packets as they

come by. These packets are examined for certain characteristics that can be
pointed out to determine the OS.

Fingerprinting Services
Objective:

Be able to perform banner grabbing with tools such as Telnet and netcat

If there is any doubt left as to what a particular system is running, this next step
of information gathering should serve to answer those questions. Knowing what
services are running on specific ports allows the hacker to formulate and launch
application specific attacks. Knowing the common default ports and services and
using tools such as Telnet, FTP, and Netcat are two techniques that can be used
to ensure success at this pre-attack stage.
Mapping the Network
The hacker would have now gained enough information to map the network.
Mapping the network provides the hacker with a blueprint of the organization.
There are manual and automated ways to compile this information. Manual and
automated tools are discussed in the following sections.

Manual Mapping
If you have been documenting findings, the matrix you began at the start of this
Chapter should be overflowing with information. This matrix should now contain
domain name information, IP addresses, DNS servers, employee info, company
location, phone numbers, yearly earnings, recently acquired organizations, email
addresses, the publicly available IP address range, open ports, wireless access
points, modem lines, and banner details.

Automated Mapping
If you prefer a more automated method of mapping the network, a variety of tools
are available. Visual traceroute programs, such as NeoTrace and Visual Route,
are one option. Running traceroute to different servers, such as web, email, and
FTP, can help you map out the placement of these servers. Automatic mapping
can be faster but might generate errors or sometimes provide erroneous results.

For more information kindly visit

here…http://www.pearsonitcertification.com/articles/article.aspx?p=472323&seq
Num=5
Reconnaissance /footprinting
tools
Reconnaissance can be either active or passive. In active
reconnaissance you send traffic to the target machine while a
passive reconnaissance use Internet to gather information.
When you use active reconnaissance, you need to remember
that the target machine may notice that you are planning a
penetration test. In the case of passive test, target machine has
no clue about who is gather intelligence and planning an
attack. The following are the tools you can use:

1. Google: use advanced Google search to gather

information about the target’s website, webservers and
vulnerable information. Sometimes, jobs posted in the
companies’ websites reveal valuable information about
the type of information technologies used in the target
company.
2. The harvester: you can use it to catalogue email address
and subdomains. It works with all the major search
engines including Bing and Google. This is a build in tool
of Kali Linux.
3. WHOIS: to get information about domains, IP address,
DNS you can run whois command from your Linux
machine. Just type whois followed by the domain name:
Whois yourdomain.com

Alternatively, you can visit whois.net and type the domain

name of your target.

4. Netcraft: they have a free online tool to gather

information about webservers including both the client and
server side technologies.
Visit http://toolbar.netcraft.com/site_report/ and type the
domain name.
5. Nslookup: you can use it to query DNS server in order to
extract valuable information about the host machine. You
can use this tool both in Linux and Windows. From your
windows machine, open the command prompt and the
type ‘nslookup’ followed by the domain name.
6. Dig: another useful DNS lookup tool used in Linux
machine. Type dig followed by the domain name.
7. MetaGoofil: it’s a meta data collection tool. Meta data
means data about data. For instance, when you create
word document in Microsoft word, some additional
information are added to this word file such as file size,
date of creation, the user name of the creator etc.-all these
additional information is called meta data. MetaGoogle
scours the Internet for metadata of your target. You can
use it with both Linux (built in Kali Linux) and Windows.
8. Threatagent drone: it is a web based tool. You need to
signup at https://www.threatagent.com/ and type the
domain name that you want to reconnaissance. Once the
drone extracts all the information about your target, it will
create a complete report about the target, which will
include the IP address range, email address, point of
contacts etc.
9. Social engineering: it is perhaps the easiest way to gather
information about an organization. You can find lots of
free information about social engineering in the Internet.
Depending on the types of information you need about
your target organization, you need to choose the
appropriate technique. But remember that this technique
needs time to master and you need to plan it very
carefully, otherwise your activity can easily trigger an
alert.