
Hands-On Ethical Hacking and Network Defense

This chapter discusses footprinting and social engineering techniques. It describes how to use web tools like Whois and DNS lookups to gather information about a target organization. The document also outlines common social engineering tactics such as shoulder surfing, dumpster diving, and piggybacking that attackers use to trick users into revealing sensitive information.

Uploaded by

shabir Ahmad

Hands-On Ethical Hacking and Network Defense
Chapter 4
Footprinting and Social Engineering

Last modified 2-23-09


Objectives
▪ Use Web tools for footprinting
▪ Conduct competitive intelligence
▪ Describe DNS zone transfers
▪ Identify the types of social engineering

Using Web Tools for Footprinting
▪ “Case the joint”
  • Look over the location
  • Find weaknesses in security systems
  • Types of locks, alarms
▪ In computer jargon, this is called footprinting
  • Discover information about
    ▪ The organization
    ▪ Its network

Web Tools for Footprinting

Conducting Competitive Intelligence
▪ Numerous resources to find information legally
▪ Competitive Intelligence
  • Gathering information using technology
▪ Identify methods others can use to find information about your organization
▪ Limit amount of information company makes public

Analyzing a Company’s Web Site
▪ Web pages are an easy source of information
▪ Many tools available
▪ Paros
  • Powerful tool for UNIX and Windows
  • www.parosproxy.org
  • Requires having Java J2SE installed
    ▪ www.sun.com

Analyzing a Company’s Web Site (continued)
▪ Paros
  • Start Paros
  • Set proxy server in a browser
  • Then go to a site in the browser
    ▪ mtsconsulting.net is a good test
  • Analyze -> Spider to find all the pages

Setting a Proxy Server in Firefox
  • Tools
  • Options
  • Advanced
  • Settings
▪ Then go to
  • mtjconsulting.com

Spider Results
▪ In Paros:
  • Analyze
  • Spider
▪ Finds all the pages in a site
▪ Don’t scan any sites without permission!
▪ Just mtjconsulting.com

Scan Results
▪ In Paros:
  • Analyze
  • Scan
▪ Finds security risks in a site
▪ Again, don’t scan sites without permission!

Using Other Footprinting Tools
▪ Whois
  • Commonly used tool
  • Gathers IP address and domain information
  • Attackers can also use it
▪ Host command
  • Can look up one IP address, or the whole DNS Zone file
    ▪ All the servers in the domain

ARIN Whois from Linux
▪ host mit.edu
▪ nc whois.arin.net 43
▪ 18.7.22.69
▪ This shows registration information for the domain

Sam Spade
▪ GUI tool
▪ Available for UNIX and Windows
▪ Easy to use

Using E-mail Addresses
▪ E-mail addresses help you retrieve even more information than the previous commands
▪ Find e-mail address format
  • Guess other employees’ e-mail accounts
▪ Tool to find corporate employee information
  • Groups.google.com

Using HTTP Basics
▪ HTTP operates on port 80
▪ Use HTTP language to pull information from a Web server
▪ Basic understanding of HTTP is beneficial for security testers
▪ Return codes
  • Reveal information about server OS

Using HTTP Basics (continued)
▪ HTTP methods
  • GET / HTTP/1.1 is the most basic method
  • Can determine information about server OS from the server’s generated output

Using Netcat as a Browser
▪ Use Ubuntu Linux
▪ nc www.ccsf.edu 80
▪ HEAD / HTTP/1.0
  • Gets header
▪ GET / HTTP/1.0
  • Gets whole Web page
  • Open www.ccsf.edu in a browser and compare to source code
▪ Activity 4-3 in your book does not work

Example: OPTIONS (Not in Lecture Notes)
▪ To use HTTP OPTIONS Method
▪ In a Linux Terminal Window
    nc www.w3.org 80
    OPTIONS * HTTP/1.1
    Host: www.w3.org:80
▪ Press Enter twice
  • See links Ch 4c, 4d

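The HEAD and OPTIONS replies described above are also what an administrator should review on their own servers. This is an added example, not part of the original slides: it parses a captured reply and reports version banners and methods worth turning off. The two sample replies and the function names are constructed for illustration.

```python
import re

# Headers that commonly advertise software names and versions.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Methods a typical public site has no reason to advertise.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {header: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers

def audit_response(raw):
    """Return findings about what a HEAD or OPTIONS response discloses."""
    _status, headers = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name, "")
        if re.search(r"\d+\.\d+", value):  # a version number in the banner
            findings.append("%s reveals version: %s" % (name, value))
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    for method in sorted(allowed & RISKY_METHODS):
        findings.append("Allow advertises %s" % method)
    return findings

# Constructed sample: an OPTIONS reply from a default-configured server.
DEFAULT_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (Red Hat) PHP/5.1.6\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n"
)
# Constructed sample: the same reply after the banner and TRACE are turned off.
HARDENED_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n\r\n"
)

if __name__ == "__main__":
    print("\n".join(audit_response(DEFAULT_REPLY)))
```

On Apache, `ServerTokens` and `TraceEnable` are the directives that control the banner detail and the TRACE method.
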
Other Methods of Gathering Information
▪ Cookies
▪ Web bugs

Detecting Cookies and Web Bugs
▪ Cookie
  • Text file generated by a Web server
  • Stored on a user’s browser
  • Information sent back to Web server when user returns
  • Used to customize Web pages
  • Some cookies store personal information
    ▪ Security issue

Viewing Cookies
▪ In Firefox
▪ Tools, Options
▪ Privacy tab
▪ Show Cookies

Detecting Cookies and Web Bugs (continued)
▪ Web bug
  • 1-pixel x 1-pixel image file (usually transparent)
  • Referenced in an <IMG> tag
  • Usually works with a cookie
  • Purpose similar to that of spyware and adware
  • Comes from third-party companies specializing in data collection

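The web bug definition above (a 1x1 image in an <IMG> tag, served by a third party) translates directly into a page check. This is an added example, not part of the original slides: it scans HTML for such images. The sample page, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class WebBugFinder(HTMLParser):
    """Collect <img> tags that are at most 1x1 and served by another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IMG SRC=...> matches.
        if tag != "img":
            return
        attr = {name: (value or "").strip() for name, value in attrs}
        src = attr.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # A relative src has no host and is first-party by definition.
        third_party = bool(host) and host != self.page_host
        tiny = attr.get("width") in ("0", "1") and attr.get("height") in ("0", "1")
        if third_party and tiny:
            self.bugs.append((host, src))

def find_web_bugs(html, page_host):
    """Return (host, src) for every suspected web bug in the page."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.bugs

# Constructed sample page, assumed to be served from www.example.com.
SAMPLE_PAGE = """
<html><body>
<img src="/images/logo.png" width="200" height="50">
<img src="/images/spacer.gif" width="1" height="1">
<IMG SRC="http://tracker.example.net/t.gif?id=12345" WIDTH="1" HEIGHT="1">
<img src="http://ads.example.org/banner.png" width="468" height="60">
</body></html>
"""

if __name__ == "__main__":
    for host, src in find_web_bugs(SAMPLE_PAGE, "www.example.com"):
        print(host, src)
```

Only the third image is reported: the first-party spacer and the full-size third-party banner do not meet both conditions. Images sized through CSS rather than width and height attributes are not caught by this check.
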
Bugnosis
▪ Bugnosis is gone, but Firefox has an experimental extension named Foxbeacon
  • http://www.shyyonk.net/foxbeacon/download.html
▪ See links Ch 4g, 4h

Using Domain Name Service (DNS) Zone Transfers
▪ DNS
  • Resolves host names to IP addresses
  • People prefer using URLs to IP addresses
  • Extremely vulnerable
▪ Zone Transfer tools
  • Dig
  • Host

Primary DNS Server
▪ Determining company’s primary DNS server
  • Look for the Start of Authority (SOA) record
  • Shows zones or IP addresses

Using dig to find the SOA
▪ dig soa mit.edu
▪ Shows three servers, with IP addresses
▪ This is a start at mapping the MIT network

Using (DNS) Zone Transfers
▪ Zone Transfer
  • Enables you to see all hosts on a network
  • Gives you organization’s network diagram
▪ MIT has protected their network – zone transfers no longer work
▪ dig @BITSY.mit.edu mit.edu axfr
▪ Command fails now

Blocking Zone Transfers (not in Lecture Notes)
  • See link Ch 4e

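To confirm that your own name servers refuse transfers the way the MIT server above now does, the output of `dig @server zone axfr` can be classified automatically. This is an added example, not part of the original slides: the two outputs are constructed in dig's record layout using documentation names and addresses, and `audit_axfr` is a hypothetical helper name.

```python
def audit_axfr(dig_output):
    """Classify `dig @server zone axfr` output and list what an open transfer exposes."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig's own comment lines
        fields = line.split(None, 4)  # name, TTL, class, type, rdata
        if len(fields) == 5 and fields[2] == "IN":
            records.append((fields[0], fields[3], fields[4]))
    if not records:
        status = "refused" if "Transfer failed" in dig_output else "no-data"
    elif len(records) > 1 and records[0][1] == "SOA" and records[-1][1] == "SOA":
        status = "open"  # a complete AXFR begins and ends with the zone's SOA
    else:
        status = "partial"
    hosts = sorted({n for n, rtype, _ in records if rtype in ("A", "AAAA", "CNAME")})
    return {"status": status, "records": len(records), "hosts": hosts}

# Constructed sample: a server that answers AXFR for any client.
OPEN_OUTPUT = """\
;; global options: +cmd
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2009022301 3600 900 604800 3600
example.com.      3600 IN NS  ns1.example.com.
vpn.example.com.  3600 IN A   192.0.2.20
www.example.com.  3600 IN A   192.0.2.10
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2009022301 3600 900 604800 3600
;; XFR size: 5 records (messages 1, bytes 214)
"""
# Constructed sample: a server that restricts transfers.
REFUSED_OUTPUT = """\
;; global options: +cmd
; Transfer failed.
"""

if __name__ == "__main__":
    print(audit_axfr(OPEN_OUTPUT))
    print(audit_axfr(REFUSED_OUTPUT))
```

A status of "open" means every host name in the zone is readable by anyone who asks. On BIND, the `allow-transfer` option limits transfers to the listed secondary servers.
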
Introduction to Social Engineering
▪ Older than computers
▪ Targets the human component of a network
▪ Goals
  • Obtain confidential information (passwords)
  • Obtain personal information

Tactics
  • Persuasion
  • Intimidation
  • Coercion
  • Extortion/blackmailing

Introduction to Social Engineering (continued)
▪ The biggest security threat to networks
▪ Most difficult to protect against
▪ Main idea:
  • “Why crack a password when you can simply ask for it?”
  • Users divulge their passwords to IT personnel

Studies human behavior
  • Recognize personality traits
  • Understand how to read body language

Introduction to Social Engineering (continued)
▪ Techniques
  • Urgency
  • Quid pro quo
  • Status quo
  • Kindness
  • Position

Preventing Social Engineering
▪ Train users not to reveal any information to outsiders
▪ Verify caller identity
  • Ask questions
  • Call back to confirm
▪ Security drills

The Art of Shoulder Surfing
▪ Shoulder surfer
  • Reads what users enter on keyboards
    ▪ Logon names
    ▪ Passwords
    ▪ PINs

Tools for Shoulder Surfing
▪ Binoculars or telescopes or cameras in cell phones
▪ Knowledge of key positions and typing techniques
▪ Knowledge of popular letter substitutions
  • s equals $, a equals @

The Art of Shoulder Surfing (continued)
▪ Prevention
  • Avoid typing when someone is nearby
  • Avoid typing when someone nearby is talking on cell phone
  • Computer monitors should face away from door or cubicle entryway
  • Immediately change password if you suspect someone is observing you

Dumpster Diving
▪ Attacker finds information in victim’s trash
  • Discarded computer manuals
    ▪ Notes or passwords written in them
  • Telephone directories
  • Calendars with schedules
  • Financial reports
  • Interoffice memos
  • Company policy
  • Utility bills
  • Resumes of employees

The Art of Dumpster Diving (continued)
▪ Prevention
  • Educate your users about dumpster diving
  • Proper trash disposal
  • Use “disk shredder” software to erase disks before discarding them
    ▪ Software writes random bits
    ▪ Done at least seven times
  • Discard computer manuals offsite
  • Shred documents before disposal

The Art of Piggybacking
▪ Trailing closely behind an employee cleared to enter restricted areas
▪ How it works:
  • Watch authorized personnel enter an area
  • Quickly join them at security entrance
  • Exploit the desire of others to be polite and helpful
  • Attacker wears a fake badge or security card

The Art of Piggybacking (continued)
▪ Prevention
  • Use turnstiles
  • Train personnel to report the presence of strangers
  • Do not hold secured doors for anyone
    ▪ Even for people you know
  • All employees must use secure cards
