Version 5
Module II Footprinting
Module Objective
This module will familiarize you with the following:
Overview of the Reconnaissance Phase Footprinting: An Introduction Information Gathering Methodology of Hackers Competitive Intelligence gathering Tools that aid in Footprinting Footprinting steps
EC-Council
Module Flow
Reconnaissance Phase Competitive Intelligence Gathering
Footprinting
EC-Council
Revisiting Reconnaissance
Reconnaissance refers to the preparatory phase where an
Reconnaissance Clearing Tracks
attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack
Scanning
Maintaining Access
Gaining Access
EC-Council
Defining Footprinting
Footprinting is the blueprint of the security profile of an organization, undertaken in a methodological manner Footprinting is one of the three preattack phases. The others are scanning and enumeration An attacker will spend 90% of the time in profiling an organization and another 10% in launching the attack Footprinting results in a unique organization profile with respect to networks (Internet/ intranet/extranet/wireless) and systems involved
EC-Council
Information sources:
Open source Whois Nslookup
EC-Council
You can see updates made to the website You can look for employee database, past products, press releases, contact information, and more
EC-Council
People Search
You can find personal information using People search
EC-Council
EC-Council
EC-Council
EC-Council
Cognitive hacking:
EC-Council
EC-Council
CI Center
http://www.cicentre.com
Lubrinco
http://www.lubrinco.com
EC-Council
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited
EC-Council
EC-Council
EC-Council
EC-Council
EC-Council
DNS Enumerator
DNS Enumerator is an automated sub-domain retrieval tool It scans Google to extract the results
EC-Council
SpiderFoot
SpiderFoot is a free, open-source, domain footprinting tool which will scrape the websites on that domain, as well as search Google, Netcraft, Whois, and DNS to build up information like:
Subdomains Affiliates Web server versions Users (i.e. /~user) Similar domains Email addresses Netblocks
EC-Council
SpiderFoot
EC-Council
qtrace.pl
qtrace is used to plot the boundaries of networks. It uses a heavily modified traceroute using a #custom compiled hping# to perform multiple traceroutes to boundary sections of a class C network Command:
perl qtrace.pl [ip_address_file] [output_file]
vet-mx.pl
The tool performs MX lookups for a list of domains, and stores each IP it gets in a file Command:
perl vet-mx.pl [input file] [true domain file] [output file] EC-Council
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited
jarf-dnsbrute
The jarf-dnsbrute script is a DNS brute forcer, for when DNS zone transfers are not allowed. jarf-dnsbrute will perform forward DNS lookups using a specified domain name with a list of names for hosts. Command:
perl jarf-dnsbrute [domain_name] [file_with_names]
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited
EC-Council
EC-Council
EC-Council
EC-Council
EC-Council
EC-Council
EC-Council
EC-Council
Information Sources:
ARIN (American Registry of Internet Numbers) Traceroute
Hacking Tool:
NeoTrace Visual Route
EC-Council
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited
ARIN
http://www.arin.net/whois/ ARIN allows searches on the whois database to locate information on a networks autonomous system numbers (ASNs), network-related handles, and other related point of contact (POC) ARIN whois allows querying the IP address to help find information on the strategy used for subnet addressing
EC-Council
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited
Traceroute
Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live Traceroute reveals the path IP packets travel between two systems by sending out consecutive sets of UDP or ICMP packets with ever-increasing TTLs As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, that router sends back a "TTL exceeded" message (using ICMP) to the originator Routers with reverse DNS entries may reveal the name of routers, network affiliation, and geographic location
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited
EC-Council
By putting this information together we can diagram the network (see the next slide)
EC-Council
NeoTrace shows the traceroute output visually map view, node view, and IP view
EC-Council
GEOSpider
GEO Spider helps you to detect, identify and monitor your network activity on world map You can see website, IP address location on the Earth GEO Spider can trace a hacker, investigate a website, trace a domain name
EC-Council
EC-Council
GoogleEarth
Google Earth puts a planet's worth of imagery and other geographic information right on your desktop You can footprint the location of a place using GoogleEarth Valuable tool for Hackers
EC-Council
It shows the connection path and the places where bottlenecks occur
EC-Council
EC-Council
EC-Council
Tool: SmartWhois
http://www.softdepia.com/smartwhois_download _491.html SmartWhois is a useful network information utility that allows you to find out all available information about an IP address, host name, or domain, including country, state or province, city, name of the network provider, administrator, and technical support contact information
Unlike standard Whois utilities, SmartWhois can find the information about a computer located in any part of the world, intelligently querying the right database and delivering all the related records within a short time
EC-Council
It shows the number of hops made and the respective IP addresses, the node name, location, time zone, and network
EC-Council
Tool: eMailTrackerPro
eMailTrackerPro is the email analysis tool that enables analysis of an email and its headers automatically, and provides graphical results
EC-Council
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited
Mail Tracking is a tracking service that allows you to track when your mail was read, for how long and how many times, and the place from where the mail has been posted. It also records forwards and passing of sensitive information (MS Office format) EC-Council
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited
EC-Council
EC-Council
robots.txt
This page located at the root folder holds a list of directories and other resources on a site that the owner does not want to be indexed by search engines All search engines comply to robots.txt You might not want private data and sensitive areas of a site, such as script and binary locations indexed
EC-Council
Website Watcher
EC-Council
E-Mail Spiders
Have you ever wondered how Spammers generate a huge mailing databases? They pick tons of e-mail addresses from searching the Internet All they need is a web spidering tool picking up e-mail addresses and storing them to a database If these tools are left running the entire night, they can capture hundreds of thousands of e-mail addresses Tools: Web data Extractor 1st E-mail Address Spider
EC-Council
EC-Council
EC-Council
Summary
Information gathering phase can be categorized broadly into seven phases Footprinting renders a unique security profile of a target system Whois and ARIN can reveal public information of a domain that can be leveraged further Traceroute and mail tracking can be used to target specific IP, and later for IP spoofing Nslookup can reveal specific users, and zone transfers can compromise DNS security
EC-Council
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited