Ethical Hacking and Countermeasures Version 6
Module: Footprinting
Module Objective

This module will familiarize you with:
• Overview of the Reconnaissance Phase
• Footprinting: An Introduction
• Competitive Intelligence gathering
• Tools that aid in Footprinting
• Footprinting steps
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Revisiting Reconnaissance

The five phases of an attack:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack. It involves network scanning, carried out without authorization.
Defining Footprinting

Footprinting is the blueprint of the security profile of an organization, undertaken in a methodological manner.
Footprinting is one of the three pre-attack phases.
An attacker spends 90% of the time profiling an organization and the other 10% launching the attack.
Footprinting results in a unique organization profile with respect to the networks (Internet, intranet, extranet, wireless) and systems involved.
Why is Footprinting Necessary

Footprinting is necessary to systematically and methodically ensure that all pieces of information related to the aforementioned technologies are identified.
Footprinting is often the most difficult task in determining the security posture of an entity.
Information Gathering

• Unearth initial information
• Locate the network range
• Ascertain active machines
• Detect operating systems
• Uncover services on ports
• Map the network
Unearthing Initial Information

Hacking tool: Sam Spade

Commonly includes:
• Domain name lookup
• Contacts (telephone / mail)

Information sources:
• Open source
• Whois
• Nslookup
Finding a Company's URL

Search for a company's URL using a search engine such as Google.
Type the company's name in the search engine to get the company's URL.
Google provides rich information for passive reconnaissance.
Check newsgroups, forums, and blogs for sensitive information regarding the network.
Internal URL

By guessing, you may find an internal company URL. Hostnames like these often point at resources that were meant for internal use; if they resolve publicly and are not access-controlled, typing the URL may be enough to reach them.
• beta.xsecurity.com
• customers.xsecurity.com
• products.xsecurity.com
• partners.xsecurity.com
• intranet.xsecurity.com
• asia.xsecurity.com
• namerica.xsecurity.com
• samerica.xsecurity.com
• japan.xsecurity.com
• london.xsecurity.com
• hq.xsecurity.com
• finance.xsecurity.com
• www3.xsecurity.com
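The guessing step above, as an added example (not code from the EC-Council material): a small Python script that builds candidate hostnames from a wordlist of the kinds of labels the slide lists, keeps the ones that resolve, and flags any that resolve to RFC 1918 space, which is the tell-tale sign of internal hosts leaking into public DNS. The domain xsecurity.com, the wordlist, and the fake zone used for the offline run are constructed sample data.

```python
"""Guess internal hostnames under a target domain and keep the ones that resolve."""
import ipaddress
import socket

# Constructed wordlist: the kinds of labels the slide shows (beta, customers,
# intranet, regional offices, www2/www3 ...). Extend it from real findings.
COMMON_LABELS = [
    "www", "www2", "www3", "beta", "customers", "products", "partners",
    "intranet", "hq", "finance", "asia", "namerica", "samerica", "japan", "london",
]

# RFC 1918 ranges only (ipaddress.is_private also covers documentation ranges,
# which would misflag the 203.0.113.x sample address below).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def candidate_hostnames(domain, labels=COMMON_LABELS):
    """Return lower-cased, de-duplicated FQDN candidates for `domain`."""
    domain = domain.strip(".").lower()
    seen, out = set(), []
    for label in labels:
        fqdn = f"{label.lower()}.{domain}"
        if fqdn not in seen:
            seen.add(fqdn)
            out.append(fqdn)
    return out


def resolve_candidates(domain, labels=COMMON_LABELS, resolve=socket.gethostbyname):
    """Map each candidate that resolves to its address; names that do not resolve are dropped.

    `resolve` is injectable so the logic can be exercised against a fake zone
    without touching the network (the default does live A lookups)."""
    found = {}
    for fqdn in candidate_hostnames(domain, labels):
        try:
            found[fqdn] = resolve(fqdn)
        except (OSError, KeyError):      # socket.gaierror is an OSError; KeyError for fakes
            continue
    return found


def private_facing(found):
    """Names whose public A record points into RFC 1918 space: internal hosts leaking via DNS."""
    return sorted(h for h, a in found.items()
                  if any(ipaddress.ip_address(a) in net for net in RFC1918))


if __name__ == "__main__":
    # Live run (needs network): print(resolve_candidates("example.com"))
    # Offline demo against a constructed fake zone:
    fake_zone = {"www.xsecurity.com": "203.0.113.10", "intranet.xsecurity.com": "10.0.0.5"}
    hits = resolve_candidates("xsecurity.com", resolve=lambda h: fake_zone[h])
    print(hits)
    print("leaked internal names:", private_facing(hits))
```

Run it against a real domain by dropping the `resolve=` argument; keep the wordlist short and the pacing gentle, since a burst of NXDOMAIN lookups against the target's authoritative servers is itself a detectable footprint.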
Extracting Archive of a Website

Archived copies of a company's website, going back to the time it was launched, are available at www.archive.org.
• For example: www.eccouncil.org

In the archived website you can look for the employee database, past products, press releases, contact information, and more.
Footprinting Through Job Sites

You can gather a company's infrastructure details from job postings.
Look for infrastructure details in postings such as "looking for system administrator to manage Solaris 10 network". This means that the company has Solaris networks on site.
• E.g., www.jobsdb.com

What to extract:
• Job requirements
• Employee profile
• Hardware information
• Software information
Passive Information Gathering

To understand the current security status of a particular information system, organizations perform penetration testing or other hacking techniques.
Passive information gathering is done by finding out the freely available details over the Internet and by various other techniques, without coming into contact with the organization's servers.
Organizational and other informative websites are the exception: the information gathering activities an attacker carries out against them do not raise suspicion.
Footprinting Tools

Some Footprinting Tools:
• Whois
• Nslookup
• ARIN
• NeoTrace
• VisualRoute Trace
• SmartWhois
• eMailTrackerPro
• Google Earth
• GEO Spider
• HTTrack Web Copier
• E-mail Spider
Tool: Nslookup

Nslookup is a program to query Internet domain name servers. It displays details of the target's DNS infrastructure.
Nslookup: Screenshot
Types of DNS Records
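What nslookup actually puts on the wire for each record type, as an added example (not part of the EC-Council slides): a minimal RFC 1035 encoder and decoder in standard-library Python. It builds a query for a named record type (A, NS, MX, TXT, AXFR, ...), decodes the answer section including compressed names, and shows why zone transfers (AXFR) need the TCP framing. The names xsecurity.com and mail.xsecurity.com and the address 203.0.113.25 in the sample reply are constructed data.

```python
"""Build the query nslookup sends and decode the answer, record type by record type."""
import socket
import struct

RECORD_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12,
                "MX": 15, "TXT": 16, "AAAA": 28, "AXFR": 252}
TYPE_NAMES = {v: k for k, v in RECORD_TYPES.items()}


def encode_name(name):
    """'mail.xsecurity.com' -> b'\\x04mail\\x09xsecurity\\x03com\\x00' (length-prefixed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """12-byte header + one question. Flags 0x0100 set RD, asking the server to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RECORD_TYPES[rtype], 1)


def build_tcp_query(name, rtype):
    """Zone transfers (AXFR) run over TCP, where every message carries a 2-byte length prefix."""
    q = build_query(name, rtype)
    return struct.pack("!H", len(q)) + q


def decode_name(msg, offset):
    """Decode a name, following compression pointers; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                    # pointer: 14-bit offset into the message
            if end is None:
                end = offset + 2                        # caller resumes right after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                               # defensive: malformed pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return (rcode, [(owner, type, ttl, rdata as text), ...]) for the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:                                  # A: dotted quad
            text = socket.inet_ntoa(rdata)
        elif rtype in (2, 5, 12):                       # NS, CNAME, PTR: a single name
            text, _ = decode_name(msg, offset)
        elif rtype == 15:                               # MX: preference + exchange name
            pref = struct.unpack("!H", rdata[:2])[0]
            exchange, _ = decode_name(msg, offset + 2)
            text = f"{pref} {exchange}"
        elif rtype == 16:                               # TXT: length-prefixed string
            text = rdata[1:1 + rdata[0]].decode("ascii", "replace")
        else:
            text = rdata.hex()
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, text))
        offset += rdlen
    return flags & 0x000F, answers


def lookup(name, rtype, server, timeout=3.0):
    """Live UDP query against `server` (needs network); returns parse_response() of the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rtype), (server, 53))
        return parse_response(s.recv(4096))


def sample_response():
    """Constructed reply to an MX query: one MX and one A record, both using name compression."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("xsecurity.com") + struct.pack("!HH", 15, 1)
    owner = b"\xC0\x0C"                                 # pointer to the question name at offset 12
    mx_rdata = struct.pack("!H", 10) + b"\x04mail" + owner
    mx = owner + struct.pack("!HHIH", 15, 1, 300, len(mx_rdata)) + mx_rdata
    a = owner + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.25")
    return header + question + mx + a


if __name__ == "__main__":
    print(parse_response(sample_response()))
```

`lookup("example.com", "MX", "<resolver ip>")` performs the live version of the offline demo. An AXFR request built with `build_tcp_query` should be refused by any correctly configured authoritative server; a server that answers it hands over every record in the zone, which is the exposure the module's summary warns about.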
Traceroute

Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live.
Traceroute reveals the path IP packets travel between two systems by sending out consecutive sets of UDP or ICMP packets with ever-increasing TTLs.
As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, that router discards the packet and sends back a "TTL exceeded" message (using ICMP) to the originator, which is how each hop is identified. The final host is recognized by a different reply: an ICMP "port unreachable" for UDP probes or an echo reply for ICMP probes.
Routers with reverse DNS entries may reveal the names of routers.
Trace Route Analysis

Traceroute is a program that can be used to determine the path from source to destination. By using this information, an attacker determines the layout of a network and the location of each device.
For example, after running several traceroutes, an attacker might obtain the following information:
• traceroute 1.10.20.10, third to last hop is 1.10.10.1
• traceroute 1.10.20.10, second to last hop is 1.10.10.50
• traceroute 1.10.20.15, third to last hop is 1.10.10.1
• ...

By putting this information together, you can diagram the network (see the next slide).
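The analysis described above, worked through in code as an added example (not from the EC-Council material): several traceroute outputs are parsed, the second-to-last and third-to-last hops are read off for each destination, and consecutive hops are merged into a tree that is the network diagram the slide draws. The traceroute text is constructed sample data using the slide's 1.10.x.x addresses; the third destination (1.10.30.5), the router 1.10.10.60 and the silent hop are assumptions added to show a second branch and an unanswered hop.

```python
"""Combine several traceroutes into a network diagram."""
import re
from collections import defaultdict

# Constructed output in the classic traceroute format. The first two targets
# follow the slide's examples; the third target and 1.10.10.60 are made up to
# show a second branch, and '*' marks a hop that did not answer.
SAMPLE_TRACES = """\
traceroute to 1.10.20.10 (1.10.20.10), 30 hops max, 60 byte packets
 1  1.10.1.1  0.412 ms
 2  1.10.10.1  1.023 ms
 3  1.10.10.50  1.871 ms
 4  1.10.20.10  2.214 ms
traceroute to 1.10.20.15 (1.10.20.15), 30 hops max, 60 byte packets
 1  1.10.1.1  0.398 ms
 2  1.10.10.1  1.101 ms
 3  1.10.10.50  1.905 ms
 4  1.10.20.15  2.330 ms
traceroute to 1.10.30.5 (1.10.30.5), 30 hops max, 60 byte packets
 1  1.10.1.1  0.401 ms
 2  * * *
 3  1.10.10.60  1.790 ms
 4  1.10.30.5  2.501 ms
"""

HEADER = re.compile(r"^traceroute to (\S+)")
HOP = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_traceroutes(text):
    """Return {destination: [hop1, hop2, ...]}; unanswered hops are recorded as None."""
    traces, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            traces[current] = []
            continue
        m = HOP.match(line)
        if m and current is not None:
            hop = m.group(2)
            traces[current].append(None if hop == "*" else hop)
    return traces


def nth_last_hop(trace, n):
    """n=2 -> second-to-last hop (the destination's gateway); n=3 -> the router before it."""
    return trace[-n] if len(trace) >= n else None


def infer_topology(traces):
    """Edges between consecutive responding hops, plus each destination's gateway.

    A silent hop is skipped, so the edge across it is an inference, not an observation."""
    edges, gateways = set(), {}
    for dest, hops in traces.items():
        known = [h for h in hops if h is not None]
        edges.update(zip(known, known[1:]))
        gateways[dest] = nth_last_hop(hops, 2)
    return edges, gateways


def render(edges):
    """Indented tree rooted at the hops that never appear as a child (the probing side)."""
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    roots = sorted(set(children) - {c for cs in children.values() for c in cs})
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + node)
        for c in children.get(node, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    traces = parse_traceroutes(SAMPLE_TRACES)
    edges, gateways = infer_topology(traces)
    print(render(edges))
    print("gateways:", gateways)
```

Feed it real output by piping `traceroute` runs into one file and passing the text to `parse_traceroutes`. Two destinations sharing a second-to-last hop sit behind the same router, which is exactly the inference the slide's bullets make; a silent hop is a filter or a router that rate-limits ICMP, and the tree marks only that something sits there.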
Trace Route Analysis
Tool: NeoTrace (now a McAfee product)

NeoTrace shows the traceroute output visually: map view, node view, and IP view.
Layer Four Traceroute

LFT ("Layer Four Traceroute") is a traceroute variant that is often much faster and gets through many configurations of packet filters.
LFT implements other features such as AS number lookups through several reliable sources, loose source routing, netblock name lookups, and many more.
It is the all-in-one traceroute tool because it can launch a variety of different probes using ICMP and other protocols, with more than one trace method.
Tool: ReadNotify

Mail tracking is a service that allows you to track when your mail was read. It also records forwards and the passing on of sensitive information (MS Office format).
Services of this kind rely on the recipient's mail client fetching remote content, so a client that blocks remote images defeats the tracking.
robots.txt

This file, located at the root folder of a site, holds a list of locations the site owner does not want indexed by search engines.
Well-behaved search engines comply with robots.txt.
You might not want private data and sensitive areas of a site, such as script and binary locations, indexed.
robots.txt is advisory only: it stops compliant crawlers, not an attacker, and it hands anyone who reads it a list of the paths the owner considers sensitive.

Robots.txt file:

User-agent: *
Disallow: /cgi-bin
Disallow: /cgi-store
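Reading robots.txt the way a footprinter does, as an added example (not from the EC-Council slides): instead of asking whether a crawler may fetch a path, this parser collects every Disallow line across all user-agent groups into a hit-list of paths worth a closer look, and picks up Sitemap lines, which enumerate content the owner does want found. The sample file extends the slide's two Disallow lines with a constructed Googlebot group and a Sitemap line for www.xsecurity.com.

```python
"""Pull the 'do not index' paths out of robots.txt as footprinting leads."""
from urllib.parse import urljoin

# Constructed sample: the slide's two rules plus a second group and a Sitemap line.
SAMPLE_ROBOTS = """\
# robots.txt for www.xsecurity.com
User-agent: *
Disallow: /cgi-bin
Disallow: /cgi-store

User-agent: Googlebot
Disallow: /admin/
Disallow: /backup/db.sql
Allow: /admin/public/

Sitemap: https://www.xsecurity.com/sitemap.xml
"""


def parse_robots(text):
    """Return (groups, sitemaps); groups maps each user-agent to its [(field, path), ...] rules.

    Consecutive User-agent lines share one rule set; a User-agent line that follows
    rules starts a new group. Comments (#) and unknown fields are ignored."""
    groups, sitemaps = {}, []
    agents = []                                  # agents the following rules apply to
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if agents and groups[agents[-1]]:    # rules already seen: begin a new group
                agents = []
            agents.append(value)
            groups.setdefault(value, [])
        elif field in ("disallow", "allow"):
            for agent in agents:
                groups[agent].append((field, value))
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def hidden_paths(groups):
    """Every Disallow path from every group, deduplicated and sorted: the recon hit-list."""
    return sorted({path for rules in groups.values()
                   for field, path in rules if field == "disallow" and path})


def as_urls(base, paths):
    """Turn the relative Disallow paths into absolute URLs for the site at `base`."""
    return [urljoin(base, p) for p in paths]


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS)
    for url in as_urls("https://www.xsecurity.com/", hidden_paths(groups)):
        print("worth a look:", url)
    print("sitemaps:", sitemaps)
```

Per-agent rules matter: a path disallowed only for one crawler is still a path the owner thought about hiding, which is why the hit-list merges all groups rather than honouring any one of them.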
Tool: HTTrack Web Site Copier

This tool mirrors an entire website to the desktop.
You can footprint the contents of an entire website locally rather than visiting the individual pages.
A valuable footprinting tool.
Steps to Perform Footprinting

1. Find the company's external and internal URLs
2. Perform a whois lookup for personal details
3. Extract DNS information
4. Mirror the entire website and look up names
5. Extract archives of the website
6. Google search for the company's news and press releases
7. Use people search for personal information of employees
8. Find the physical location of the web server using the tool NeoTrace
9. Analyze the company's infrastructure details from job postings
10. Track email using readnotify.com
Summary

The information gathering phase can be categorized broadly into seven phases.
Whois and ARIN can reveal public information about a domain that can be leveraged further.
Traceroute and mail tracking can be used to target a specific IP, and later for spoofing.
Nslookup can reveal specific hosts, and an open zone transfer can compromise security by handing out the whole zone.