
Hands-On Ethical Hacking and Network Defense, 3rd Edition
Chapter 4: Footprinting and Social Engineering
Objectives

After completing this chapter, you will be able to:


•Use Web tools for footprinting
•Conduct competitive intelligence
•Describe DNS zone transfers
•Identify the types of social engineering

Using Web Tools for Footprinting
• Many attackers "case the joint" before an attack
– Look over the location
– Find weaknesses in the security systems
– Note the types of locks and alarms used
• As a security tester, you must also find out as much as you can about an organization before testing it
• Footprinting (also called reconnaissance)
– Finding information about a company's network
– Passive footprinting is nonintrusive: it relies on public sources and never sends packets to the target's systems
– Several Web tools are available for it

• Active footprinting
– Directly probes the target network in ways that defenders may notice and log
– Includes things like
• Port scans
• DNS zone transfer attempts
• Interacting with a target's Web server
• A security tester tries to discover as much as possible about the organization and its network
– Using both passive and active techniques
– Active techniques require written authorization and must stay within the agreed scope

Conducting Competitive Intelligence
• Numerous resources are available to find information legally
– Competitive intelligence: gathering information about a company from public sources, usually with technology
• Security professionals must:
– Be able to explain the methods used to gather information
• This requires a good understanding of those methods

Analyzing a Company’s Web Site
• Web pages are an easy source of critical information
– Many tools are available for this type of information gathering
• Zed Attack Proxy (ZAP)
– Powerful, free intercepting proxy for Linux, macOS, and Windows
– Requires Java to be installed

• ZAP has a feature called "Plug-n-Hack"
– Automatically edits the configuration of a Web browser to direct its traffic through the ZAP proxy
– Allows ZAP to intercept and manipulate traffic sent between your Web browser and the target Web server
– To use this feature
• Click the Plug-n-Hack button on the ZAP welcome screen, or browse to the URL shown there with Firefox

• Once the browser is configured
– The tester can browse to the target site
– The target site should appear in the ZAP tool interface
– The site can be selected for spidering
• Spidering (or crawling) is an automated way to discover the pages of a Web site by following links
• Every link the spider follows is a request to the target's server, so spidering is active footprinting
• Within seconds, the filenames of Web pages on the spidered site are displayed under the Spider tab
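To make the spidering step concrete, here is a small same-origin crawler. It is an added example, not code from the textbook or from ZAP; the host target.test, the page contents and the fetch function are constructed so it runs offline, and you would swap in a real HTTP client only against a system you are authorized to test.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse


class LinkExtractor(HTMLParser):
    """Collects link targets from <a href>, <img src>, <script src>, <iframe src>."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if (tag == "a" and name == "href") or (tag in ("img", "script", "iframe") and name == "src"):
                self.links.append(value)


def extract_links(base_url, html):
    """Absolute URLs referenced by the page, fragment stripped, first-seen order, no duplicates."""
    parser = LinkExtractor()
    parser.feed(html)
    seen, out = set(), []
    for raw in parser.links:
        url, _fragment = urldefrag(urljoin(base_url, raw))
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def spider(start_url, fetch, max_pages=50):
    """Breadth-first crawl limited to the start URL's scheme and host.

    fetch(url) must return the page body as str, or None if the request failed.
    Every fetch is a request to the target, so this is active footprinting.
    Returns (pages_visited_in_order, sorted_out_of_scope_urls)."""
    origin = urlparse(start_url)

    def in_scope(url):
        parts = urlparse(url)
        return (parts.scheme, parts.netloc) == (origin.scheme, origin.netloc)

    queue, visited, out_of_scope = [start_url], [], set()
    while queue and len(visited) < max_pages:
        url = queue.pop(0)
        if url in visited:
            continue
        body = fetch(url)
        visited.append(url)
        if body is None:
            continue
        for link in extract_links(url, body):
            if not in_scope(link):
                out_of_scope.add(link)  # third-party hosts: recorded, never crawled
            elif link not in visited and link not in queue:
                queue.append(link)
    return visited, sorted(out_of_scope)


# Constructed stand-in for a target site (hypothetical host target.test).
FAKE_SITE = {
    "http://target.test/": '<a href="/about">About</a> <a href="login.php#top">Login</a>'
                           '<img src="http://cdn.example.net/logo.png">',
    "http://target.test/about": '<a href="/">Home</a> <a href="/admin/">Admin</a>',
    "http://target.test/login.php": '<script src="/js/app.js"></script>',
    "http://target.test/admin/": '<a href="/about">About</a>',
    "http://target.test/js/app.js": "",
}


def fake_fetch(url):
    """Offline fetch: answers from FAKE_SITE, None for unknown URLs (like a 404)."""
    return FAKE_SITE.get(url)


if __name__ == "__main__":
    pages, external = spider("http://target.test/", fake_fetch)
    print("discovered:", *pages, sep="\n  ")
    print("out of scope:", external)
```

The scope check on scheme and host is the part worth copying: a crawler that follows every link leaves the authorized target within a few hops, which is both a legal problem and noise in the results. Third-party hosts are recorded because they are themselves footprinting data (CDNs, analytics, partner sites) but are not requested.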

• After the site has been spidered
– You can actively scan the site using the ZAP "Active Scan" feature
– Sends the Web server a series of requests designed to identify vulnerabilities, including attack payloads; run it only with authorization
– Suspected vulnerabilities are displayed under the Alerts tab in the bottom frame of the ZAP interface
• Indicated in the Risk Level column as High, Medium, Low, or Informational
• Scanner alerts are candidates, not confirmed findings; verify each one by hand before reporting it

Using Other Footprinting Tools
• Whois utility
– Commonly used Web and command-line tool
– Gathers registration details for IP address ranges and domain names (registrar, name servers, and sometimes contact names)
– Attackers can also use it
– Many registries now redact personal contact data, so expect less than older guides suggest

Using E-mail Addresses
• E-mail addresses
– Help retrieve even more information
• Find out a company's e-mail address format (for example first.last@ or flast@)
– You might be able to guess other employees' e-mail accounts from names found elsewhere
• Tool to find corporate employee information
– Groups.google.com (search mailing-list and newsgroup posts for the company's domain)
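The format-guessing step above is easy to automate. The following is an added example, not code from the textbook: it infers the local-part pattern from (name, address) pairs already found in public sources and applies it to other names. The names and the domain example.com are made up; the resulting guesses still need confirming (a bounce or out-of-office reply, or a later phishing-awareness test with the client's consent).

```python
import re
import unicodedata

# Local-part patterns, each a function of (first, last).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first.l": lambda f, l: f"{f}.{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def _norm(name):
    """ASCII letters only, lower-case: "O'Neil" -> "oneil", "Díaz" -> "diaz"."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


def _split(full_name):
    parts = full_name.split()
    return _norm(parts[0]), _norm(parts[-1])


def infer_format(full_name, email):
    """Which pattern turns this person's name into this address? (pattern, domain) or None."""
    first, last = _split(full_name)
    local, _, domain = email.lower().partition("@")
    for pattern, build in PATTERNS.items():
        if build(first, last) == local:
            return pattern, domain
    return None


def build_address(full_name, pattern, domain):
    first, last = _split(full_name)
    return f"{PATTERNS[pattern](first, last)}@{domain}"


def candidates(known_pairs, target_names):
    """known_pairs: (name, address) seen publicly. target_names: employees found
    elsewhere (press releases, talks, social media). Uses the format that explains
    the most known pairs and returns {name: guessed address}."""
    votes = {}
    for name, address in known_pairs:
        hit = infer_format(name, address)
        if hit:  # role accounts like webmaster@ match no pattern and cast no vote
            votes[hit] = votes.get(hit, 0) + 1
    if not votes:
        return {}
    (pattern, domain), _count = max(votes.items(), key=lambda kv: kv[1])
    return {name: build_address(name, pattern, domain) for name in target_names}


if __name__ == "__main__":
    known = [("Alice Marsh", "amarsh@example.com"), ("Bob O'Neil", "boneil@example.com")]
    print(candidates(known, ["Carol Wu", "José Díaz"]))
```

For the defender the same script is a reminder that a single published address (a press contact, a conference speaker) fixes the format for the whole company; the mitigation is not secrecy but treating any e-mail as untrusted input, which the phishing material later in the chapter covers.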

Using HTTP Basics
• HTTP operates on TCP port 80 by default (HTTPS on 443)
• HTTP methods (GET, HEAD, POST, OPTIONS and others)
– Security testers can pull information from a Web server using these methods
• A basic understanding of HTTP is beneficial for security testers
• Status codes and response headers
– The Server and X-Powered-By headers often reveal the Web server software and sometimes the OS
• Most basic HTTP request
– GET / HTTP/1.1 (HTTP/1.1 also requires a Host: header)
• If you know the HTTP methods
– You can send a request to a Web server by hand
– From the response you can often determine what server software and OS the Web server is running
• Other information can be determined that could be used in an attack
– Such as known vulnerabilities of the identified OS and software versions
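The request and the header reading described in the HTTP slides above, as an added example that is not from the textbook. The response bytes in SAMPLE are constructed, not captured from any real host; fetch_head() is the live version and is only for hosts you are authorized to test.

```python
import socket


def build_request(method="GET", path="/", host="example.com"):
    """Minimal HTTP/1.1 request. Host is mandatory in HTTP/1.1; Connection: close
    makes the server end the response, so read-until-EOF is enough."""
    return (f"{method} {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "User-Agent: footprint-check/0.1\r\n"
            "Connection: close\r\n\r\n").encode()


def parse_response(raw):
    """(status_code, headers) from raw response bytes. Header names are
    lower-cased; repeated headers are joined with ', '."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)
    if len(status_parts) < 2 or not status_parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return int(status_parts[1]), headers


def fingerprint(headers):
    """The headers that commonly leak server software and platform details."""
    leaky = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
    return {k: headers[k] for k in leaky if k in headers}


def fetch_head(host, port=80, path="/", timeout=5):
    """Live query over the network; HEAD avoids downloading the body."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request("HEAD", path, host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed response for a hypothetical server.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          b"Server: Apache/2.4.41 (Ubuntu)\r\n"
          b"X-Powered-By: PHP/7.4.3\r\n"
          b"Content-Type: text/html\r\n\r\n"
          b"<html></html>")

if __name__ == "__main__":
    code, hdrs = parse_response(SAMPLE)
    print(code, fingerprint(hdrs))
```

The Server value in SAMPLE is the kind of string that maps directly to a distribution and package version, which is why hardening guides turn it down (ServerTokens Prod in Apache, server_tokens off in nginx); a fingerprint that returns an empty dict is the result a defender wants to see.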

Other Methods of Gathering Information
• With just a URL, you can determine:
– The Web server software
– The OS
– Names of IT personnel (from domain registration records)
• Other methods:
– Cookies
– Web bugs

Detecting Cookies and Web Bugs
• Cookie
– Small piece of data set by a Web server (Set-Cookie header) and stored by the user's browser
– Sent back to the Web server with later requests to that site
– Used to keep session state and customize Web pages
– Some cookies store personal information or session identifiers
• Causes security issues if they are exposed, for example sent over plain HTTP (no Secure flag) or readable by page scripts (no HttpOnly flag)

Detecting Cookies and Web Bugs
• Web bug
– 1-pixel × 1-pixel image file
– Referenced in an <img> tag
– Usually works together with a cookie
– Purpose similar to spyware and adware: records who viewed the page or e-mail, when, and from which address
– Comes from third-party companies specializing in data collection
– Sometimes matches the color of the Web page's background, or is hidden with CSS, which renders it invisible
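Both items above can be checked mechanically. The following is an added example, not from the textbook: it flags images that are 1×1 or hidden and served from a domain other than the page's, and reports cookies set without the protective attributes. The page, its host www.example.com and the Set-Cookie values are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Gathers the attribute dict of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k: (v or "") for k, v in attrs})


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _site(host):
    """Crude registrable domain: last two labels (cdn.example.net -> example.net)."""
    return ".".join(host.split(".")[-2:])


def find_web_bugs(page_url, html):
    """URLs of images that are 1x1 or hidden AND served by a third-party domain."""
    parser = ImgCollector()
    parser.feed(html)
    page_site = _site(_host(page_url))
    bugs = []
    for img in parser.imgs:
        src = img.get("src", "")
        style = img.get("style", "").replace(" ", "").lower()
        tiny = (img.get("width"), img.get("height")) == ("1", "1") or (
            "width:1px" in style and "height:1px" in style)
        hidden = "display:none" in style or "visibility:hidden" in style
        src_host = _host(src)  # relative src has no host: first-party, not a bug
        third_party = bool(src_host) and _site(src_host) != page_site
        if (tiny or hidden) and third_party:
            bugs.append(src)
    return bugs


def audit_cookies(set_cookie_headers, https=True):
    """{cookie name: [missing protections]} for each Set-Cookie header value."""
    report = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        issues = []
        if https and "secure" not in attrs:
            issues.append("missing Secure")      # would also be sent over plain HTTP
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")    # readable by page scripts
        if "samesite" not in attrs:
            issues.append("missing SameSite")    # sent on cross-site requests
        report[name] = issues
    return report


# Constructed page and headers for a hypothetical site www.example.com.
SAMPLE_HTML = (
    '<img src="http://track.adnet.test/p.gif" width="1" height="1">'
    '<img src="/images/spacer.gif" width="1" height="1">'
    '<img src="https://pixel.example.org/i?u=42" style="display: none">'
    '<img src="https://cdn.example.com/logo.png" width="200" height="60">'
)
SAMPLE_SET_COOKIE = [
    "sid=4f9c2a; Path=/; HttpOnly",
    "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print(find_web_bugs("https://www.example.com/", SAMPLE_HTML))
    print(audit_cookies(SAMPLE_SET_COOKIE))
```

The two-label rule in _site is deliberately crude; for hosts under suffixes such as co.uk a public-suffix list is needed. The cookie audit is the same check ZAP's passive scanner reports as missing-flag alerts.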

Using Domain Name System Zone Transfers
• Domain Name System (DNS)
– Resolves host names to IP addresses
– People prefer names (URLs) to IP addresses
– DNS is both a frequent target of network attacks and a rich source of information for them
• DNS uses name servers to resolve names
– After determining which name servers a company uses, you can attempt to transfer all the records for which a DNS server is authoritative
– This process is called a zone transfer (the AXFR query type)

• Recommended zone transfer tool
– The dig command
• Determining the primary DNS server
– Query the Start of Authority (SOA) record: its first field (MNAME) names the primary name server
– The zone's NS records list every authoritative server, each of which is worth trying
• A successful zone transfer lists every name in the zone with its addresses, effectively a diagram of the organization's network
– This can be used to target other servers or computers that are part of the network infrastructure
– A correctly configured server only allows transfers to its own secondaries (allow-transfer in BIND); a refused AXFR is the expected result and should be the finding when it is not
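Worked example for the two DNS slides above, added here and not from the textbook. Against an authorized target the queries are `dig example.com SOA +short` (primary server), `dig example.com NS +short` (all authoritative servers) and `dig @ns1.example.com example.com AXFR` (the transfer). The code below turns the transfer output into the inventory an attacker would build; SAMPLE_ZONE is constructed in dig's presentation format with fictitious names and documentation-range addresses.

```python
import ipaddress
import re
from collections import defaultdict

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(AAAA|A|CNAME|MX|NS|SOA|TXT|SRV|PTR)\s+(.*)$")


def parse_zone(text):
    """Yield (owner, type, rdata) for each record line; comments and blanks are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            yield m.group(1).rstrip("."), m.group(2), m.group(3)


def inventory(text):
    """Group what a transfer reveals: hosts and addresses, aliases, server roles,
    /24s in use, and names that hint at sensitive systems."""
    hosts, aliases, roles, nets = defaultdict(set), {}, defaultdict(set), set()
    for owner, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA"):
            hosts[owner].add(rdata)
            if ipaddress.ip_address(rdata).version == 4:
                nets.add(str(ipaddress.ip_network(f"{rdata}/24", strict=False)))
        elif rtype == "CNAME":
            aliases[owner] = rdata.rstrip(".")
        elif rtype == "MX":
            roles["mail"].add(rdata.split()[-1].rstrip("."))
        elif rtype == "NS":
            roles["dns"].add(rdata.rstrip("."))
    hints = {h for h in hosts if re.search(r"vpn|dev|test|staging|backup|sql|db|admin", h)}
    return {
        "hosts": {h: sorted(v) for h, v in hosts.items()},
        "aliases": aliases,
        "roles": {k: sorted(v) for k, v in roles.items()},
        "subnets": sorted(nets),
        "interesting": sorted(hints),
    }


# Constructed AXFR output; the trailing SOA is how a complete transfer ends.
SAMPLE_ZONE = """
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
example.com.           3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.           3600 IN NS    ns1.example.com.
example.com.           3600 IN NS    ns2.example.com.
example.com.           3600 IN MX    10 mail.example.com.
ns1.example.com.       3600 IN A     203.0.113.10
ns2.example.com.       3600 IN A     198.51.100.10
mail.example.com.      3600 IN A     203.0.113.25
www.example.com.       3600 IN CNAME web01.example.com.
web01.example.com.     3600 IN A     203.0.113.80
vpn.example.com.       3600 IN A     203.0.113.1
dev-sql01.example.com.  300 IN A     10.0.5.17
example.com.           3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
"""

if __name__ == "__main__":
    for key, value in inventory(SAMPLE_ZONE).items():
        print(f"{key}: {value}")
```

Note the dev-sql01 record: an internal RFC 1918 address published in the external zone, which a transfer exposes along with the external hosts. When dig answers "; Transfer failed." the server is restricting AXFR as it should; the check then moves on to the other NS records, since secondaries are sometimes configured more loosely than the primary.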

Introduction to Social Engineering
• Art of social engineering is older than computers
– Targets the human component of a network
• Goals
– Obtain confidential information (passwords)
– Obtain other personal information
• Tactics
– Persuasion
– Intimidation
– Coercion
– Extortion/blackmailing
• Biggest security threat
– Most difficult to protect against, because it bypasses technical controls entirely
• Main idea:
– "Why try to crack a password when you can simply ask for it?"
• Users readily divulge passwords to anyone who sounds like IT personnel
• Social engineers study human behavior
– They recognize personality traits
– Understand how to read body language
– Can read a person's tone of voice for clues

• Techniques
– Urgency
– Quid pro quo
– Status quo
– Kindness
– Position
• Train users
– Not to reveal information
– To verify caller identity
• Ask questions and call back to confirm

The Art of Shoulder Surfing
• Shoulder surfer
– Reads what users enter on keyboards
• Logon names
• Passwords
• PINs
• Tools used by shoulder surfers
– Binoculars or high-powered telescopes
– Memorize key positions and typing techniques
– Know popular letter substitutions
• $ equals s, @ equals a

The Art of Shoulder Surfing
• Prevention
– Avoid typing when:
• Someone is nearby
• Someone nearby is talking on cell phone
– Computer monitors:
• Face away from door or cubicle entryway
– Immediately change password if you suspect
someone is observing you

The Art of Dumpster Diving
• Attacker finds information in victim’s trash
– Discarded computer manuals
– Passwords jotted down
– Company phone directories
– Calendars with schedules
– Financial reports
– Interoffice memos
– Company policy
– Utility bills
– Resumes

The Art of Dumpster Diving
• Prevention
– Educate users
• About the possibility of dumpster diving
• About proper trash disposal
– Wipe disks before disposing of them
• Formatting alone does not erase the data; use a wiping tool that overwrites every sector
• Older guidance called for multiple passes (seven in some standards); one full overwrite is sufficient for modern magnetic drives, SSDs need the drive's secure-erase command, and physical destruction is the safe default for anything sensitive
– Discard computer manuals offsite
– Shred documents before disposal

The Art of Piggybacking
• Trailing closely behind an employee cleared to enter restricted areas (also called tailgating)
• How it works:
– Watch authorized personnel enter an area
– Quickly join them at the security entrance
– Exploit their desire to be polite and helpful
– The attacker may wear a fake badge or security card to look legitimate

• Prevention
– Use turnstiles
– Train personnel to notify security about strangers
– Do not hold secured doors for anyone
• Even people they know
– All employees must use access cards

Phishing
• Phishing e-mails
– "Update your account details" is a typical subject line
– Usually framed as an urgent request to visit a Web site
• The Web site is a fake that captures whatever credentials are entered
• Spear phishing
– Combines social engineering with exploitation of vulnerabilities
– E-mail attacks directed at specific people
• Appears to come from someone the recipient knows
• Mentions topics of mutual interest
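The "visit this Web site" lure usually relies on the link text saying one thing and the href another. The following is an added example, not from the textbook: it extracts the anchors from an HTML message and flags the deceptive ones. The message, the hosts bank.example.com and verify-now.test, and the address 203.0.113.9 are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Pairs each <a href> with the text the reader actually sees."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _parts(url_or_text):
    return urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text)


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.bank.test/login'."""
    return (_parts(url_or_text).hostname or "").lower()


def looks_like_url(text):
    """'https://x.test/a' or 'www.bank.test' count; 'Update your account' does not."""
    return "://" in text or ("." in text and " " not in text)


def suspicious_links(html, trusted_hosts=()):
    """[(href, visible text, [reasons])] for links a recipient should distrust."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = host_of(href)
        if not host or href.lower().startswith(("javascript:", "mailto:")):
            continue
        reasons = []
        if looks_like_url(text) and host_of(text) != host:
            reasons.append("text names a different host")
        if "@" in _parts(href).netloc:  # user@host trick: browser goes to host
            reasons.append("credentials in URL hide the real host")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address")
        for trusted in trusted_hosts:
            if trusted in host and host != trusted and not host.endswith("." + trusted):
                reasons.append(f"look-alike of {trusted}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed phishing message.
MAIL = (
    '<p>Your account is locked. '
    '<a href="http://www.bank.example.com@203.0.113.9/login">https://www.bank.example.com/login</a> '
    'or <a href="http://bank.example.com.verify-now.test/">Update your account details</a>. '
    '<a href="https://bank.example.com/help">Help</a></p>'
)

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(MAIL, trusted_hosts=("bank.example.com",)):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

The check is the same one users are taught to do by hovering over a link; having it in code makes it usable in a mail gateway or an awareness-training scorer. It does not catch a fake site on a freshly registered, unrelated domain, which is why the chapter's advice to verify requests out of band still applies.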

Summary
• Footprinting
– Gathering network information with Web tools
• Competitive intelligence
– Gathered through observation and Web tools
• IP addresses and domain names
– Found by using tools (e.g., whois, SamSpade)
• Cookies and Web bugs
– Collect and retrieve user’s information
• Zone transfers
– Used to obtain network topologies
• Social engineering
– Attacks using human nature
• Many methods
– Educate personnel
• Attacker techniques
– Shoulder surfing
– Dumpster diving
– Piggybacking
– Phishing
