Hands-On Ethical Hacking
and Network Defense
Chapter 4
Footprinting and Social Engineering
Updated 9-27-17
Objectives
■ Use Web tools for footprinting
■ Conduct competitive intelligence
■ Describe DNS zone transfers
■ Identify the types of social engineering
Using Web Tools for Footprinting
■ “Case the joint”
• Look over the location
• Find weakness in security systems
• Types of locks, alarms
■ In computer jargon, this is called footprinting
• Discover information about
■ The organization
■ Its network
Table 4-1 Summary of Web tools
Conducting Competitive Intelligence
■ Numerous resources to find information legally
■ Competitive Intelligence
• Gathering information using technology
■ Identify methods others can use to find information about your organization
■ Limit the amount of information the company makes public
Analyzing a Company’s Web Site
■ Web pages are an easy source of information
■ Many tools available
■ BurpSuite
• Powerful proxy for all platforms (uses Java)
• https://portswigger.net/burp/
Burp Configuration
■ "Proxy" tab, "Intercept" sub-tab
• Adjust to "Intercept is off"
■ "Proxy" tab, "Options" sub-tab
• Start running on port 8080
Proxy Settings in Firefox
■ At top right, click the "3 bars" icon, then the Gear icon
■ In "Advanced", on the "Network" tab, click "Settings"
Surf an Insecure Site like ietf.org
■ "HTTP History" tab shows each request and response
Surf a Secure Site like samsclass.info
■ Browser detects Burp's MITM attack and warns you
Demo: Stitcher
Installing the Burp Certificate
▪ On the computer, in Firefox, using the proxy, visit http://burp
▪ Click the "CA Certificate" link
▪ Change the file extension to .cer
▪ Drag the file onto the Genymotion phone
▪ On the phone: Settings, Security, "Install from SD card"
Demo: Posting a Long Tweet
Other Proxy Functions
▪ Intercept & Modify Requests
▪ Can exploit poorly-made shopping sites
▪ Spider
▪ Finds all the pages in a site
▪ Saves a local copy of them
▪ Scan for vulnerabilities
▪ Get authorization first
Other Proxies
■ Zed Attack Proxy from OWASP
• Can scan for vulnerabilities
■ Tamper Data
• Firefox plug-in for easy interception and alteration of requests
■ Chrome Developer Tools
• Click 3-bars, "More Tools", "Developer Tools"
• Allows you to examine requests and responses
Timeline
■ Shows requests & responses even for secure sites
Using Other Footprinting Tools
■ Whois
• Commonly used tool
• Gathers IP address and domain information
• Attackers can also use it
■ Host command
• Can look up one IP address, or the whole DNS zone file
■ All the servers in the domain
ARIN Whois from Linux
■ host mit.edu
■ nc whois.arin.net 43
■ Type 18.7.22.69 as the query once connected
■ This shows registration information for the domain
Sam Spade
■ GUI tool
■ Available for UNIX and Windows
■ Easy to use
Maltego
Using E-mail Addresses
■ E-mail addresses help you retrieve even more information than the previous commands
■ Find e-mail address format
• Guess other employees’ e-mail accounts
■ Tool to find corporate employee information
• Groups.google.com
Using HTTP Basics
■ HTTP operates on port 80
■ Use the HTTP language to pull information from a Web server
■ A basic understanding of HTTP is beneficial for security testers
■ Return codes
• Reveal information about server OS
Using HTTP Basics (continued)
■ HTTP methods
• GET / HTTP/1.1 is the most basic method
• Can determine information about the server OS from the server's generated output
Using the OPTIONS Method
Using the GET Method
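As an added example (not from the slides), the raw GET/OPTIONS request described above and a small parser for the reply, run here on a constructed OPTIONS response: the Server banner and the Allow list are what a footprinter reads first, and the same check tells an administrator whether the server is over-sharing its version or still has TRACE enabled. The probe() helper, the sample headers and the RISKY_METHODS set are my assumptions, not anything on the page.

```python
import socket

# Constructed sample reply to "OPTIONS / HTTP/1.1"; header values are made up for this example.
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 27 Sep 2017 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.7 (Ubuntu)\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Methods that should not be enabled on a production web server without a reason (assumption)
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}

def build_request(method, host, path="/"):
    """Minimal HTTP/1.1 request; the Host header is mandatory in HTTP/1.1."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

def parse_response(raw):
    """Split a raw response into (status_code, {lower-cased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def fingerprint(raw):
    """What one reply reveals: status, Server banner, and the methods the server admits to."""
    status, headers = parse_response(raw)
    allowed = [m.strip() for m in headers.get("allow", "").split(",") if m.strip()]
    return {
        "status": status,
        "server": headers.get("server", "(hidden)"),   # "(hidden)" is the hardened state
        "allowed": allowed,
        "risky_methods": sorted(set(allowed) & RISKY_METHODS),
    }

def probe(host, port=80, method="OPTIONS", timeout=5):
    """Send one request over a plain socket and fingerprint the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(method, host))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return fingerprint(b"".join(chunks))
```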
Other Methods of Gathering
Information
■ Cookies
■ Web bugs
Detecting Cookies and Web Bugs
■ Cookie
• Text file generated by a Web server
• Stored on a user’s browser
• Information sent back to Web server when user returns
• Used to customize Web pages
• Some cookies store personal information
■ Security issue
Viewing Cookies
■ In Firefox
■ Tools, Options
■ Privacy tab
■ Show Cookies
Detecting Cookies and Web Bugs (continued)
■ Web bug
• 1-pixel x 1-pixel image file (usually transparent)
• Referenced in an <IMG> tag
• Usually works with a cookie
• Purpose similar to that of spyware and adware
• Comes from third-party companies specializing in data collection
Ghostery
■ Firefox & Chrome extension to reveal Web bugs
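Ghostery does this inside the browser; as an added example (not from the slides), here is the same detection written by hand: scan a page for 1x1 images and flag the ones served from a host other than the page's own, and flag Set-Cookie headers scoped to a third-party domain. The sample HTML, host names and cookie strings are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a normal first-party image, a third-party 1x1 tracking pixel,
# and a first-party 1x1 spacer (a web-bug-shaped image that is not tracking anyone).
SAMPLE_HTML = """
<html><body>
<img src="https://www.example.com/logo.png" width="120" height="40">
<img src="https://tracker.example-ads.net/pixel.gif?id=42" width="1" height="1" style="display:none">
<img src="/spacer.gif" width=1 height=1>
</body></html>
"""

class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like web bugs: 1x1 pixels, noting which are third-party."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        if a.get("width") == "1" and a.get("height") == "1":
            src = a.get("src", "")
            src_host = urlparse(src).hostname          # None for relative (first-party) URLs
            self.bugs.append({"src": src,
                              "third_party": bool(src_host) and src_host != self.page_host})

def find_web_bugs(html, page_host):
    parser = WebBugFinder(page_host)
    parser.feed(html)
    return parser.bugs

def third_party_cookies(set_cookie_headers, page_host):
    """Return the name=value part of each Set-Cookie whose Domain is not the visited site."""
    flagged = []
    for hdr in set_cookie_headers:
        parts = [p.partition("=") for p in hdr.split(";")]
        attrs = {k.strip().lower(): v.strip() for k, _, v in parts}
        domain = attrs.get("domain", page_host).lstrip(".")
        if domain != page_host and not page_host.endswith("." + domain):
            flagged.append(hdr.split(";", 1)[0])
    return flagged
```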
Using Domain Name Service (DNS) Zone Transfers
■ DNS
• Resolves host names to IP addresses
• People prefer using URLs to IP addresses
■ Zone Transfer tools
• Dig
• Host
Primary DNS Server
■ Determining company's primary DNS server
• Look for the Start of Authority (SOA) record
• Shows zones or IP addresses
Using dig to find the SOA
■ dig soa mit.edu
■ Shows three servers, with IP addresses
■ This is a start at mapping the MIT network
Using (DNS) Zone Transfers
■ Zone Transfer
• Enables you to see all hosts on a network
• Gives you organization's network diagram
■ MIT has protected their network – zone transfers no longer work
■ dig @BITSY.mit.edu mit.edu axfr
■ Command fails now
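As an added example (not from the slides), the dig @server zone axfr exchange above done by hand in Python so the protocol is visible: the query is an ordinary DNS message with QTYPE 252 carried over TCP with a two-byte length prefix, and a server that restricts transfers (BIND's allow-transfer, for instance) answers RCODE 5 REFUSED instead of records, which is what an administrator checking their own servers wants to see. The zone names and addresses in the test data are constructed, and try_axfr() reads only the first reply message, enough to see the REFUSED answer or the leading SOA of an open zone.

```python
import socket
import struct

def encode_name(name):
    """'mit.edu' -> DNS wire form: length-prefixed labels ending with a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    # Header: id, flags=0 (no recursion), QDCOUNT=1; question: zone, QTYPE 252 (AXFR), class IN
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", 252, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # two-byte compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_answers(msg):
    """Return (rcode, [(owner, rtype, rdata)]) from the answer section of one DNS message."""
    rcode, (qdcount, ancount) = msg[3] & 0x0F, struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                         # skip the question section
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        records.append((owner, rtype, socket.inet_ntoa(rdata) if rtype == 1 else rdata))
    return rcode, records

def try_axfr(zone, nameserver, timeout=5):
    """Send the AXFR over TCP and parse the first reply message (needs network)."""
    query = build_axfr_query(zone)
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)   # DNS-over-TCP length prefix
        length, data = struct.unpack(">H", s.recv(2))[0], b""
        while len(data) < length:
            data += s.recv(length - len(data))
    rcode, records = parse_answers(data)
    return {0: "NOERROR", 5: "REFUSED", 9: "NOTAUTH"}.get(rcode, f"RCODE{rcode}"), records
```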
Blocking Zone Transfers
• See link Ch 4e
Introduction to Social Engineering
■ Older than computers
■ Targets the human component of a network
■ Goals
• Obtain confidential information (passwords)
• Obtain personal information
■ Link Ch 4l
■ Link Ch 4m
HB Gary Federal Hacked
■ Link Ch 4n
Tactics
• Persuasion
• Intimidation
• Coercion
• Extortion/blackmailing
Introduction to Social Engineering (continued)
■ The biggest security threat to networks
■ Most difficult to protect against
■ Main idea:
• “Why crack a password when you can simply ask for it?”
• Users divulge their passwords to IT personnel
Social Engineer Studies Human Behavior
• Recognize personality traits
• Understand how to read body language
Introduction to Social Engineering (continued)
■ Techniques
• Urgency
• Quid pro quo
• Status quo
• Kindness
• Position
Preventing Social Engineering
■ Train users not to reveal any information to outsiders
■ Verify caller identity
• Ask questions
• Call back to confirm
■ Security drills
DEF CON Social Engineering Contest
■ Link Ch 4k
The Art of Shoulder Surfing
■ Shoulder surfer
• Reads what users enter on keyboards
■ Logon names
■ Passwords
■ PINs
Tools for Shoulder Surfing
■ Binoculars or telescopes or cameras in cell phones
■ Knowledge of key positions and typing techniques
■ Knowledge of popular letter substitutions
• s equals $, a equals @
The Art of Shoulder Surfing (continued)
■ Prevention
• Avoid typing when someone is nearby
• Avoid typing when someone nearby is talking on a cell phone
• Computer monitors should face away from the door or cubicle entryway
• Immediately change your password if you suspect someone is observing you
Dumpster Diving
■ Attacker finds information in victim's trash
• Discarded computer manuals
■ Notes or passwords written in them
• Telephone directories
• Calendars with schedules
• Financial reports
• Interoffice memos
• Company policy
• Utility bills
• Resumes of employees
The Art of Dumpster Diving (continued)
■ Prevention
• Educate your users about dumpster diving
• Proper trash disposal
• Use “disk shredder” software to erase disks before discarding them
■ Software writes random bits
■ Done at least seven times
• Discard computer manuals offsite
• Shred documents before disposal
Piggybacking
■ Trailing closely behind an employee cleared to enter restricted areas
■ How it works:
• Watch authorized personnel enter an area
• Quickly join them at security entrance
• Exploit the desire of others to be polite and helpful
• Attacker wears a fake badge or security card
Piggybacking Prevention
• Use turnstiles
• Train personnel to report the presence of strangers
• Do not hold secured doors for anyone
■ Even for people you know
• All employees must use secure cards
Phishing
■ Deceptive emails or text messages
■ Can take money or passwords, or install malware on your computer