Footprinting is the process of accumulating data regarding a specific network environment for the purpose of revealing system vulnerabilities. It is considered to be the first step in hacking. Reconnaissance is the process of gathering data or a preliminary inspection of an area of interest over a short period of time. The objective is to map the target network or collect all possible information about the intended target by probing the target network completely.

In this chapter, we will discuss the role of footprinting and reconnaissance in information security.   2.1 Understand the term footprinting Exam Focus: Understand the term footprinting. Objective includes:

Recognize the role of search engines in footprinting. Understand the role of financial Websites in footprinting. Understand competitive intelligence and its need. Understand DNS enumeration. Understand Whois. Learn different types of DNS records.

  Footprinting Footprinting is the process of gathering data regarding a specific computer network. An organization should regularly footprint their network, or risk attackers doing it for them! Footprinting is the first step in information gathering of hackers. They use footprinting to learn about all aspects of their target organization including their remote access capabilities, types of platforms, intranet and extranet presence, security protocols, and so on. Successful hackers use footprinting to create an information database about your company's security weaknesses.

If an organization wants to protect their systems from attacks, they must take measures to thwart potential attacks. They must conduct their own footprinting to find ways to intrude into their environment. Going through the process of footprinting can reveal system vulnerabilities and help put in measures and processes to minimize or eliminate their exploitation.

Footprinting uses various security techniques such as DNS queries, Network enumeration, Network queries, Operating system identification, Organizational queries, Ping sweeps, Point of contact queries, Port Scanning, and Registrar queries (WHOIS queries) to collect their information.  Types of information gathered by footprinting Footprinting collects domain names and associated networks related to a specific organization. It also collects system information, such as user and group names, system banners, routing tables, SNMP information, system architecture, remote system type, system names, and passwords. Other information obtained may include learning the Internet technologies being used; the operating system and hardware being used; platforms used, IP addresses; e-mail addresses and phone numbers; and policies and procedures.

Here's a summarized list of information collected by footprinting:

Domain name Internet domain names Network blocks IP addresses of the reachable systems Rogue Websites/ private Websites TCP and UDP services running Networking protocols VPN points ACLs IDSes running Analog/digital telephone numbers Authentication mechanisms

The operating system being used in the network, platforms used, and the current version of web servers.  Steps included in footprinting The EC-Council divides footprinting (and scanning) into seven basic steps:

1. Information gathering2. Determining network range 3. Identifying active machines4. Finding open ports and applications5. OS fingerprinting6. Fingerprinting services7. Mapping the network

  Footprinting sources There a variety of techniques employed by footprinting to gather system information:

Open source or passive information gathering: Gathers information regarding a target from the publicity accessible sources.

Active information gathering: Collects information via social engineering on-site visits, interviews, and questionnaires.

Anonymous footprinting: Collects information from sources where it is not possible to identify or trace the author of the information.

Pseudonymous footprinting: Gathers information that might be published under a different name in an attempt to preserve privacy.

Organizational or private footprinting: Gathers information from an organization's web-based calendar and email services.

Internet footprinting: Gathers information regarding a target from the Internet.

Competitive footprinting: Gathers information on when the company began, how it developed, where resources are placed and who controls those resources.

WHOIS footprinting: Is the quick way to get technical and administrative contacts (phone, e-mail, location) as well as Domain Name Servers, NetRange, etc.

DNS footprinting: Takes place when a hacker obtains DNS zone information from the DNS server to gather naming and IP information for resources within the network.

Network footprinting: Collects information about a company's network. Active and passive are two types of network footprinting. Passive footprinting involves viewing the company's website. Active footprinting involves gathering information through social engineering.

Website and email footprinting: In Website footprinting, a user can make a mirror copy of a Website and download the full Website. After this, the user can look for emails, phone numbers, and employee details if they are present in the Website by digging the full Website.

Google hacking: Involves using advanced operators in the Google search engine to locate specific strings of text within search results.

  Actions for a footprinting attack The attacker/hacker/penetration tester needs to perform the following actions for a footprinting attack:

Finding companies external and internal URLs: An attacker can find a company's URL using various types of tools, such as Google search engine, various types of news groups, blogs for sensitive data, etc.

Internal URLs provide an insight into different departments and business units in an organization. You can also use trial and error methods.

The following tools can be used to search internal URLs:o http://news.netcraft.com o http://www.webmaster-a.com/link-extractor-internal.php

Performing whois lookup: The attacker can use whois queries to determine the IP address ranges associated with clients. A whois query can be run on most UNIX environments. In a Windows environment, the tools such as WsPingPro and Sam Spade can be used to perform whois queries. Whois queries can also be executed over the Web from www.arin.net and www.networksolutions.com.

Extracting DNS information: The Domain Name System (DNS) is a hierarchical distributed naming system connected to the Internet or a private network. It translates domain names meaningful to humans into the numerical identifiers associated.

Mirroring the entire Website: Website mirroring is a type of information gathering attack in which an attacker downloads a copy of an entire Website to the local hard disk for footprinting.

Searching in Google for personal information of employees: The attacker/penetration tester can use Google, Yahoo people search, Yahoo finance, Google finance, Anacubis.com, people-search-america.com, bestpeoplesearch.com, etc.

Locating the network range: In this type of footprinting attack, the attacker finds the range of IP addresses and discerns the subnet mask.

Analyzing companies' infrastructure details from job postings: In this type of footprinting attack, the hacker/penetration tester can gather company's infrastructure details from job postings. Job posting sites can be helpful in determining job requirements, employee profile, hardware information, software information, etc. For example, a job posting like "looking for system administrator to manage Solaris 15 network.

Tracking email: E-mail tracking is a method for monitoring the e-mail delivery to the intended recipient.

  Why do attackers use proxy servers? Attackers use proxy servers due to the following reasons:

Hide the source IP address so that an attacker can hack without any legal corollary. Remotely access intranets and other Website resources that are normally off limits. Interrupt all the requests that are sent by an attacker and transmit them to a third

destination; hence, victims will only be able to identify the proxy server address. Make difficult for administrators to trace the real source of task by using multiple proxy

servers for scanning and attacking.

  Footprinting through search engines Search engines are used for extracting information regarding the target such as technology platforms, employee details, login pages, intranet portals, etc. This helps attackers in performing social engineering and other types of advanced system attacks. The sensitive information that has been removed from the World Wide Web (WWW) can be provided by search engine cache.

Google Earth is used to obtain the location.  Search for a company's information A company's information should be searched in major search engines, such as Google or Bing. Complex keywords should be used to search about the company. The following information is searched:

Updates made to the Website Employee database Press release Contact information

The following techniques are used to search the information:

Extract archive and mirror Website Search the web People search Competitive intelligence

  The role of financial Websites in footprinting Financial Websites, such as Google Finance and Yahoo Finance, can be used to gather information. A company's infrastructure details can be gathered from job postings. In job posting, you can look for the job requirements, employee's profile, hardware information, and software information.  Competitive intelligence Competitive intelligence is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet. It is non-interfering and subtle in nature. The following steps should be taken during competitive intelligence gathering:

1. Compare your product with your competitor's offering.2. Analyze your market positioning compared to the competitors. 3. Pull up a list of competing companies in the market. 4. Extract salespersons' war stories on how deals are won and lost in the competitive arena.5. Produce a profile of the CEO and the entire management staff of the competitor.

During competitive intelligence, you should try to find out where the company is located, when did the company begin, who leads the company, what are the company plans, and how the company is developed.   DNS enumeration DNS enumeration is the process used to locate all DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can deliver information such as usernames, computer names, and IP addresses of potential target systems. Tools such as NSlookup, DNSstuff, American Registry for Internet Numbers (ARIN), and Whois can be used to gain information for performing DNS enumeration.  Tools used in extracting DNS information An attacker can use the following tools to extract DNS information:

DIG: Domain Information Groper (DIG) is a network tool, like nslookup, that queries DNS name servers. It can be used to simulate a DNS resolver or a name server. The dig command can be used for network troubleshooting also.

NSLOOKUP: NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems. It performs its function by sending queries to the DNS server and obtaining detailed responses at the command prompt.

SpiderFoot: SpiderFoot is a domain footprinting tool that searches Google, Netcraft, DNS, Whois and Websites to build up lists of information. It also gives the information about subdomains, affiliates, Web server versions, users, similar domains, email addresses, netblocks, etc.

dnsstuff.com: dnsstuff.com can be used to search DNS information such as mail server extensions and IP addresses.

 

WHOIS databases WHOIS databases contain the personal information of domain owners. Regional Internet Registry maintains WHOIS databases. Attackers look for physical location, telephone number, email address, and technical and administrative contacts. The WHOIS query returns domain name details, contact details of domain owner, domain name servers, and NetRange. AfriNIC, ARIN, APNIC, LACNIC, and RIPE NCC are Regional Internet Registries. The following are WHOIS lookup tools:

http://www.tamos.com http://netcraft.com http://www.whois.net http://www.iptools.com

  SmartWhois SmartWhois is a useful network infrastructure utility. It is used to look up all the available information regarding an IP address, hostname, or domain. It also provides information about country, state or province, city, name of the network provider, administrator, and technical support contact information.  DNS records A DNS record contains all the necessary DNS information about the host such as FQDNS, ip addresses, mail server records, etc. Basically, DNS records provide essential information about the location and type of servers. The following are DNS record types:

A: It points to a host's IP address. MX: It points to domain's mail server. NS: It points to host's name server. CNAME: It is a canonical name record. It is an alias of one name to another. SOA: It indicates authority for domain. SRV: It is a generalized service location record. PTR: It maps IP address to a hostname. RP: It represents a responsible person. HINFO: It is a host information record. It includes CPU type and OS.

The following are DNS interrogation tools:

http://www.dnsstuff.com http://network-tools.com http://www.checkdns.net http://www.iptools.com

  2.2 Understand how traceroute is used in footprinting Exam Focus: Understand how traceroute is used in footprinting. Objective includes:

Traceroute Traceroute analysis

  Traceroute Traceroute is a route-tracing utility that displays the path an IP packet takes to reach its destination. It uses Internet Control Message Protocol (ICMP) echo packets to display the Fully Qualified Domain Name (FQDN) and the IP address of each gateway along the route to the remote host. Traceroute sends out a packet to the destination computer with the TTL field value of 1. When the first router in the path receives the packet, it decrements the TTL value by 1. If the TTL value is zero, it discards the packet and sends a message back to the originating host to inform it that the packet has been discarded. Traceroute records the IP address and DNS name of that router, and sends another packet with a TTL value of 2. This packet goes through the first router, and then times out at the next router in the path. The second router also sends an error message back to the originating host. Now, the process starts once again and traceroute continues to send data packets with incremented TTL values until a packet finally reaches the target host, or until it decides that the host is unreachable. In the whole process, traceroute also records the time taken for a round trip for each packet at each router.

Traceroute programs work on the concept of the ICMP protocol and discover the routers on the path to a target host by using the TTL field in the header of ICMP packets.  Traceroute analysis Attackers conduct traceroute in order to extract information about the network topology, trusted routers, and firewall locations. For example, an attacker might get the following information after running several traceroutes:

traceroute 1.10.10.20, second to last hop is 1.10.10.1 traceroute 1.10.20.10, third to last hop is 1.10.10.1z traceroute 1.10.20.10, second to last hop is 1.10.10.50

traceroute 1.10.20.15, third to last hop is 1.10.10.1 traceroute 1.10.20.15, second to last hop is 1.10.10.50

Attackers can draw the network diagram by using the above information together.  Tools used in locating the network range The tools used in the locating network range are as follows:

Traceroute: As we just learned, traceroute is a route-tracing utility that displays the path an IP packet takes to reach its destination. It uses Internet Control Message Protocol (ICMP) echo packets to display the Fully Qualified Domain Name (FQDN) and the IP address of each gateway along the route to the remote host.

NeoTrace: NeoTrace shows the hacker/penetration tester how packets get from the host to target server on the Internet by displaying all nodes between the host and the trace target.

VisualRoute: VisualRoute performs fullhope traceroute, reverse tracing, giving hope response time, packet loss reporting, performing reverse DNS, ping plotting, port probing, network scanning, etc.

  2.3 Google hacking, Website mirroring, and email tracking Exam Focus: Google hacking, Website mirroring, and email tracking. Objective includes:

Understand Google hacking and its tools. Learn the Website mirroring tools. Understand how e-mail tracking works. Learn the countermeasures to be taken in footprinting. Understand pen testing.

  Google hacking Google hacking is a computer hacking technique that uses Google search and other Google applications to find security holes in the configuration and computer code that Web sites use. Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. For example, the following search query would locate all Web pages that have that particular text contained within them. It is normal for default installations of applications to include their running version in every page they serve, e.g., intext:"Powered by XOOPS 2.2.3 Final".

One can even retrieve the username and password list from Microsoft FrontPage servers by inputting the following microscript in Google search field:

"#-Frontpage-" inurl:administrators.pwd

The intitle Google search query operator is used to search sites having specific key terms. For example, you will use the intitle:Sample.page.for.Apache Apache.Hook.Function search query to get all Apache Web servers having version 2.0.

The filetype Google search query operator is used to search a specified file type. For example, if you want to search all pdf files having the word hacking, you will use the search query filetype:pdf pdf hacking.

The "filetype:pdf "Assessment Report" nessus" is used to search the assessment report of nessus.

The inanchor operator searches the text representation of a link, not the actual URL. The inanchor operator helps search the anchor, or the displayed text on the link.

  What can a hacker do with Google hacking? A hacker can do the following with Google hacking:

Identify advisories and server vulnerabilities. Identify error messages that contain sensitive information. Identify files containing passwords. Identify sensitive information. Identify pages containing logon portals. Identify pages containing network or vulnerability data.

  Footprinting using Google hacking techniques The following are Google hacking techniques used in footprinting:

Query string: Google hacking is the art of creating complex search engine queries. Vulnerability sites: Google hacking detects Websites that are vulnerable to several

exploits and vulnerabilities. Google operators: Google hacking uses Google operators to find particular strings of

text within the search results.

  Google Hacking Database The Google Hacking Database is a database list of queries that expose known issues with software that runs Websites. There are some bugs that expose information that a developer might not want the public reading (passwords, etc.). It can be used to gather the following information:

Advisories and Vulnerabilities Error Messages Files containing juicy info Files containing passwords Files containing usernames Queries that can help a hacker gain a foothold into a web server Pages containing login portals Pages containing network or vulnerability data Sensitive Directories Sensitive Online Shopping Info Various Online Devices

Vulnerable Files Vulnerable Servers Web Server Detection

  Google hacking tools Google offers several hacking tools:

MetaGoofil: It is an information gathering tool used to extract metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) that belong to a target company. It will perform a search in Google in order to identify and download the documents to local disk and will extract the metadata with different libraries.

Google Cartography: It uses the Google Search API in order to build a visual representation of the interconnectivity of streets in an area.

Goolink Scanner: It only gathers and displays the links and removes the cache information from your searches. It is useful for finding vulnerable sites that are wide open to Google and Googlebots.

Google Hack Honeypot: It is used to provide reconnaissance against attackers that use search engines as hacking tool against resources.

SiteDigger: It searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on Websites.

GMapCatcher: It is an offline maps viewer. It can display maps from many providers such as: CloudMade, OpenStreetMap, Yahoo Maps, Bing Maps, Nokia Maps, SkyVector, and Google Map. It displays them using a custom GUI.

Google Hacks: It is used to see the timeline of search results, view a map, search for music, search for books, and perform many other specific kinds of searches. It can also be used to use Google as a proxy.

  Website mirroring Website mirroring is a process in which an attacker mirrors the Website to get juicy information in Website, to make a clone of the Website for future study, etc. Web mirroring tools permit you to download a Website to a local directory. You can recursively build all directories, HTML, images, flash, video, and other files from the server to your computer. The following tools are used to mirror an entire Website:

Wget Website Ripper Copier Webripper BlackWidow WinWSD Reamweaver xaldon webspider 2 Teleport Pro

The following are some important tools used to mirror the entire Website:

Web The Ripper: It is a Website mirroring tool that can download the whole Website into a password protected the ZIP file. Web The Ripper maintains unique filenames to avoid the same file name from being overwritten.

HTTrack: It is a Website mirroring tool that allows downloading a Website from the Internet to a local directory, building recursively all directories, getting html, images, etc. It arranges the original site's relative link-structure. It can update an existing mirrored site, and resume interrupted downloads.

  Email Tracking E-mail tracking is a method for monitoring e-mail delivery to the intended recipient. Most tracking technologies utilize some form of digitally time-stamped record to reveal the exact time and date that your e-mail was received or opened, as well the IP address of the recipient.

E-mail tracking is useful when the sender wants to know if the intended recipient actually received the e-mail, or if they clicked the links. However, due to the nature of the technology, e-mail tracking cannot be considered an absolutely accurate indicator that a message was opened or read by the recipient. Email tracking tools can be used to perform the following tasks:

Gathering information of when the email was received or read Sending destructive emails Getting GPS location and maps of the recipient Finding time taken in reading email Checking whether victim visited to links given in the email or not Tracking PDF and other attachment information Setting message to expire after a specified time.

The following are email tracking tools:

VisualRoute Trace: It is a graphical tool that determines where and how traffic is flowing on the route between the desired destination and the user trying to access it. It does this by providing a geographical map of the route and performance on each portion of that route.

GEOSpider: It is used to trace, identify and monitor the network activity on world map. It can be used to trace any website or IP address on the map.

vTrace: It is a software for fast getting a lot of information about target host {visual traceroute from your host, IANA information (WhoIs, ASN for BGP systems), DNS records (like nslookup or DIG), geographical placement, open TCP ports (simple port scanner)...}, and also few information about your machine.

Magic NetTrace: It reveals the entire ip trace route from you to any place in the Web. It is useful in resolving connectivity problems and finding out where the spam goes from.

Visual IP Trace: It is used to trace an IP address or web site back to its origin/location.

  Email threats to information security

There are a variety of threats to information security whose source is email. Here are a few that we will be discussing in some detail:

Mail bombing E-mail storm E-mail spoofing

  Mail bombing Mail bombing is an attack that is used to overwhelm mail servers and clients by sending a large number of unwanted e-mails. The aim of this type of attack is to completely fill the recipient's hard disk with immense, useless files, causing at best irritation, and at worst total computer failure. E-mail filtering and properly configuring email relay functionality on mail servers can be helpful for protection against this type of attack.  E-mail storm An e-mail storm is a sudden spike of Reply All messages on an e-mail distribution list, usually caused by a controversial or misdirected message. Such storms start when multiple members of the distribution list reply to the entire list at the same time in response to an instigating message. Other members soon respond, usually adding vitriol to the discussion, asking to be removed from the list, or pleading for the cessation of messages. If enough members reply to these unwanted messages, this triggers a chain reaction of e-mail messages. The sheer load of traffic generated by these storms can render the e-mail servers carrying them inoperative, similar to a DDoS attack. Some e-mail viruses also have the capacity to create e-mail storms, by sending copies of themselves to an infected user's contacts, including distribution lists, infecting the contacts in turn.  E-mail spoofing E-mail spoofing is a term used to describe e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message. By changing certain properties of the e-mail, such as the From, Return-Path, and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. The result is that, although the e-mail appears to come from the address indicated in the From field, it actually comes from another source.  Email header The email header holds information about the origin of the email. This will include the IP address of the source, the method used to send it, and who is the sender. Each message has exactly one header, which is structured into fields. Each field has a name and a value. The field name starts in the first character of the line and ends before the separator character ":". The separator is then followed by the field value. Field names and values are restricted to 7-bit ASCII characters. Non-ASCII values may be represented using MIME encoded words.  eMailTrackingPro

eMailTrackerPro is a tool that is used to track received email to find the location, and the relevant ISP of the target. It uses the advanced header analysis and IP database. It can pin point the real IP address of the sender and track it down to the town/city the email came from. When a user uses this tool to send an e-mail, forward an e-mail, reply to an e-mail, or modify an e-mail, the resulting actions and tracks of the original e-mail are logged. The sender is notified of all actions performed on the tracked e-mail by an automatically generated e-mail.  MailTracking.com MailTracking.com is an email tracking tool that can be used to track the receiver of the email. A user can track the email by adding mailtracking.com to the end of recipients email address or by installing the ActiveTracker plugin. It can display the date and time the email opened, location of recipient, map of location, recipient's IP address, referrer details, URL clicks, if the email was forwarded, or opened on a different computer.  Footprinting countermeasures The following are footprinting countermeasures:

Configure routers in order to restrict the responses to footprinting requests. Configure web servers in order to avoid information leakage and disable unwanted

protocols. Lock the ports with the suitable firewall configuration. Use an IDS that can be configured in order to refuse suspicious traffic and pick up

footprinting patterns. Evaluate the information before publishing it on the Website/Internet. Perform footprinting techniques and remove any sensitive information found. Prevent search engines from caching a webpage and use anonymous registration services. Disable directory listings and use split-DNS.

  Footprinting pen test Footprinting pen test is used to find organization's publicly available information on the Internet such as network architecture and operating systems. The tester tries to collect as much information as possible about the target organization from the Internet and other publicly accessible sources. Footprinting pen testing supports administrators in preventing information leakage, social engineering attempts, and DNS record retrieval from publically available servers.  Steps in footprinting pen testing The following steps are taken to perform footprinting pen testing:

1. Get proper authorization and define the scope of the assessment.2. Perform Internet footprinting by using tools such as Web Data Extractor, Link Extractor,

etc. 3. Gather competitive intelligence using tools such as SEC Info, Business Wire, C-SPAN,

etc.4. Perform WHOIS fingerprinting using tools such as SmartWHOIS, Alchemy Eye, etc.5. Perform network footprinting using tools such as NetInspector, NsLookup, etc.

6. Perform Website footprinting using tools such as 3D Traceroute, LoriotPro, etc. 7. Perform email footprinting using tools such as eMailTrackerPro, PoliteMail, etc. 8. Perform Google hacking using tools such as GHDB, MetaGoofil, SiteDigger, etc. 9. Document all the findings at the end of pen testing.

  Chapter Summary In this chapter, we learned about footprinting, its purpose, the tools used in footprinting, tools, footprinting countermeasures, Pen-testing, and the role of competitive intelligence. We also discussed DNS records, traceroute, and role of search engines in footprinting.Glossary  Competitive intelligence Competitive intelligence is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet.  DNS records DNS records provide essential information about location and type of servers.  E-mail tracking E-mail tracking is a method for monitoring e-mail delivery to the intended recipient.  eMailTrackerPro eMailTrackerPro is a tool that is used to track received email to find the location, and the relevant ISP of the target.  Footprinting Footprinting is an information gathering technique that is used to gather information about computer systems.  Footprinting pen test Footprinting pen test is used to find organization's publicity available information on the Internet such as network architecture, operating systems, applications, and users.  Google hacking Google hacking is a computer hacking technique that uses Google search and other Google applications to find security holes in the configuration and computer code that Web sites use.  Google Hacking Database The Google Hacking Database is a database list of queries that expose known issues with software that runs Websites.  MailTracking.com MailTracking.com is an email tracking tool that can be used to track the receiver of the email.  Pipl

Pipl can be used for people search. It extracts information about people by using a technique, known as "the deep web".  Traceroute Traceroute is a route-tracing utility that displays the path an IP packet takes to reach its destination.  Web Data Extractor Web Data Extractor is used to extract targeted company contact data (email, phone, fax) from web for responsible b2b communication.  Website mirroring Website mirroring is a process in which an attacker mirrors the Website to get juicy information in Website, to make a clone of Website for future study, etc.