Chapter 2. Foot Printing
Definition of Foot Printing
Internet foot printing
Sun Tzu on the Art of War: "If you know the enemy and know
yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle."
Definition: the gathering of information about a potential system or network (the fine art of gathering target information) a.k.a. fingerprinting
Attacker’s point of view
▪ Identify potential target systems
▪ Identify which types of attacks may be useful on target systems
Defender’s point of view
▪ Know available tools
▪ May be able to tell if system is being footprinted, be more prepared for possible attack
▪ Vulnerability analysis: know what information you’re giving away, what weaknesses you have
System (Local or Remote)
IP Address, Name and Domain
Operating System
▪ Type (Windows, Linux, Solaris, Mac)
▪ Version (98/NT/2000/2003/XP/Vista/7, Redhat, Fedora, SuSe, Ubuntu, OS X)
Usernames (and their passwords)
File structure
Open Ports (what services/programs are running on the system)
Networks / Enterprises
System information for all hosts
Network topology
▪ Gateways
▪ Firewalls
▪ Overall topology
Network traffic information
Specialized servers
▪ Web, Database, FTP, Email, etc.
Identify information you’re giving away
Identify weaknesses in systems/network
Know when systems/network is being probed
Identify source of probe
Develop awareness of threat
Construct audit trail of activity
Footprinting is necessary to systematically and methodically ensure that all pieces of information related to the aforementioned technologies are identified
Footprinting is often the most arduous task of trying to determine the security posture of an entity; however, it is one of the most important.
Footprinting must be performed accurately and in a controlled fashion
Without a sound methodology for performing this type of reconnaissance, you are likely to miss key pieces of information related to a specific technology or organization
Step 1: Determine the Scope of Your Activities
Determine the scope of your footprinting activities
▪ Are you going to footprint the entire organization, or limit your activities to certain subsidiaries or locations?
▪ What about business partner connections (extranets), or disaster-recovery sites?
▪ Are there other relationships or considerations?
Unfortunately, hackers have no sympathy for our struggles. They exploit our weaknesses in whatever forms they manifest themselves. You do not want hackers to know more about your security posture than you do!
Step 2: Get Proper Authorization
One thing hackers can usually disregard that you must pay particular attention to is what we techies affectionately refer to as layers eight and nine of the seven-layer OSI Model—Politics and Funding
▪ Do you have authorization to proceed with your activities?
▪ What exactly are your activities?
▪ Is the authorization from the right person(s)?
▪ Is it in writing?
▪ Are the target IP addresses the right ones?
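The last question on the slide ("Are the target IP addresses the right ones?") is easy to answer mechanically before any tool is run. The following is an added example, not from the slides or from Hacking Exposed: every target (hostname, address or CIDR block) is checked against the ranges and domains the written authorization names, with explicitly excluded ranges (a partner extranet, a DR site) winning over inclusions. All networks, domains and targets are constructed for the illustration (RFC 5737 documentation addresses).

```python
"""Scope check for footprinting targets (added example, constructed data)."""
import ipaddress

# Constructed: what the hypothetical authorization letter permits.
AUTHORIZED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
AUTHORIZED_DOMAINS = ("example.com",)
# Constructed: a partner extranet range carved out of the permitted block.
EXCLUDED_NETWORKS = [ipaddress.ip_network("192.0.2.128/26")]


def _within(net, ranges):
    """True if net lies entirely inside one of ranges (same IP version only)."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def host_in_domain(host, domains):
    """True if host equals an authorized domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_target(target):
    """Classify one target (hostname, address or CIDR) as (in_scope, reason)."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Not an address, so treat it as a DNS name.
        if host_in_domain(target, AUTHORIZED_DOMAINS):
            return True, "matches authorized domain"
        return False, "hostname outside authorized domains"
    # Exclusions win over inclusions, so a carved-out range is never probed.
    if _within(net, EXCLUDED_NETWORKS):
        return False, "inside an excluded range"
    if _within(net, AUTHORIZED_NETWORKS):
        return True, "inside authorized range"
    return False, "address not covered by authorization"


def partition_targets(targets):
    """Split a target list into (allowed, rejected) lists of (target, reason)."""
    allowed, rejected = [], []
    for t in targets:
        ok, why = check_target(t)
        (allowed if ok else rejected).append((t, why))
    return allowed, rejected


if __name__ == "__main__":
    # Constructed target list mixing in-scope, excluded and foreign entries.
    sample = ["192.0.2.10", "192.0.2.150", "198.51.100.0/25", "198.51.100.200",
              "www.example.com", "partner.example.org"]
    allowed, rejected = partition_targets(sample)
    for t, why in allowed:
        print("OK      ", t, "-", why)
    for t, why in rejected:
        print("REJECTED", t, "-", why)
```

Feed the script the same list you hand to whois, nslookup or traceroute and keep the rejected half out of every later step; a block that is only partly inside the authorized range is rejected as a whole, which is the conservative reading of a written scope.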
Step 3: Publicly Available Information
Company web pages
Related organizations
Location details
Phone numbers, contact names, e-mail addresses, and personal details
Current events (mergers, acquisitions, layoffs, rapid growth, etc.)
Privacy or security policies, and technical details indicating the types of security mechanisms in place
Archived information
Disgruntled employees
Search engines, Usenet, and resumes
Other information of interest
Step 4: WHOIS & DNS Enumeration
So who is "managing" the Internet today, you ask?
These core functions of the Internet are "managed" by a nonprofit organization named the Internet Corporation for Assigned Names and Numbers (ICANN; http://www.icann.org).
ICANN is a technical coordination body for the Internet. Created in October 1998 by a broad coalition of the Internet's business, technical, academic, and user communities, ICANN is assuming responsibility for a set of technical functions previously performed under U.S. government contract by the Internet Assigned Numbers Authority (IANA; http://www.iana.org) and other groups. (In practice, IANA still handles much of the day-to-day operations, but these will eventually be transitioned to ICANN.)
Specifically, ICANN coordinates the assignment of the following identifiers that must be globally unique for the Internet to function:
▪ Internet domain names
▪ IP address numbers
▪ Protocol parameters and port numbers
In addition, ICANN coordinates the stable operation of the Internet's root DNS server system.
To be thorough, we could have done the same searches via the command-line WHOIS client with the following three commands:
[bash]$ whois com -h whois.iana.org
[bash]$ whois keyhole.com -h whois.verisign-grs.com
[bash]$ whois keyhole.com -h whois.omnis.com
There are also several websites that attempt to automate this process with varying degrees of success:
http://www.allwhois.com
http://www.uwhois.com
http://www.internic.net/whois.html
Last but not least, there are several GUIs available that will assist you in your searches too:
SamSpade http://www.samspade.org
SuperScan http://www.foundstone.com
NetScan Tools Pro http://www.nwpsw.com
Step 5: DNS Interrogation
After identifying all the associated domains, you can begin to query the DNS. DNS is a distributed database used to map IP addresses to hostnames, and vice versa. If DNS is configured insecurely, it is possible to obtain revealing information about the organization.
One of the most serious misconfigurations a system administrator can make is allowing untrusted Internet users to perform a DNS zone transfer
A zone transfer allows a secondary master server to update its zone database from the primary master
This provides for redundancy when running DNS, should the primary name server become unavailable.
Generally, a DNS zone transfer needs to be performed only by secondary master DNS servers
Many DNS servers, however, are misconfigured and provide a copy of the zone to anyone who asks.
A simple way to perform a zone transfer is to use the nslookup client that is usually provided with most UNIX and Windows implementations. We can use nslookup in interactive mode, as follows:
[bash]$ nslookup
Default Server: ns1.example.net
Address: 10.10.20.2
> 216.182.1.1
Server: ns1.example.net
Address: 10.10.20.2
Name: gate.tellurian.net
Address: 216.182.1.1
> set type=any
> ls -d Tellurian.net. >> /tmp/zone_out
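From the defender's side, the misconfiguration described above ("a copy of the zone to anyone who asks") shows up in the name server's own transfer log as a zone served to an address that is not one of your secondaries. The following is an added example, not from the slides or from Hacking Exposed: the log lines are constructed in the shape of BIND's outgoing-transfer ("xfer-out") messages, the authorized secondary list is made up, and the regex is deliberately loose about the optional client handle so it tolerates the small differences between BIND releases.

```python
"""Spot zone transfers served to hosts that are not your secondaries (added example)."""
import ipaddress
import re

# Constructed sample log (documentation addresses): 198.51.100.2 is the
# legitimate secondary, 203.0.113.77 is a stranger who asked and was served.
SAMPLE_LOG = """\
12-Jan-2024 09:14:02.110 xfer-out: info: client @0x7f3c 198.51.100.2#53210 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024011201)
12-Jan-2024 09:14:02.118 xfer-out: info: client @0x7f3c 198.51.100.2#53210 (example.com): transfer of 'example.com/IN': AXFR ended
12-Jan-2024 11:30:45.901 xfer-out: info: client @0x7f41 203.0.113.77#40111 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024011201)
12-Jan-2024 11:30:45.955 xfer-out: info: client @0x7f41 203.0.113.77#40111 (example.com): transfer of 'example.com/IN': AXFR ended
12-Jan-2024 11:31:10.004 xfer-out: info: client @0x7f41 203.0.113.77#40112 (example.com): transfer of 'example.com/IN': IXFR started (serial 2024011201)
"""

# Constructed: the only hosts entitled to a copy of the zone, as CIDR strings.
AUTHORIZED_SECONDARIES = ["198.51.100.2/32"]

# Matches the "... started" line of a transfer. The "@0x..." client handle is
# optional because older BIND releases omit it.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): transfer of '[^']+': (?P<kind>AXFR|IXFR) started"
)


def parse_transfers(log_text):
    """Return one dict per transfer start: client ip, zone and AXFR/IXFR."""
    found = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if m:
            found.append({"ip": m.group("ip"), "zone": m.group("zone"), "kind": m.group("kind")})
    return found


def unauthorized_transfers(log_text, allowed_cidrs=AUTHORIZED_SECONDARIES):
    """Transfers served to any client outside the authorized secondary list."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for t in parse_transfers(log_text):
        addr = ipaddress.ip_address(t["ip"])
        # `addr in net` is False across IP versions, so mixed lists are safe.
        if not any(addr in net for net in nets):
            hits.append(t)
    return hits


if __name__ == "__main__":
    for t in unauthorized_transfers(SAMPLE_LOG):
        print(f"zone {t['zone']} served by {t['kind']} to unauthorized client {t['ip']}")
```

Any hit from this check means the zone has already left the building; the corrective step in BIND is to restrict `allow-transfer` in named.conf to the secondaries' addresses, after which the same log will show refused transfers instead of started ones.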
Step 6: Network Reconnaissance
Now that we have identified potential networks, we can attempt to determine their network topology as well as potential access paths into the network.
To accomplish this task, we can use the traceroute (ftp://www.ee.lbl.gov/traceroute.tar.gz) program that comes with most flavors of UNIX and is provided in Windows. In Windows, it is spelled tracert due to the 8.3 legacy filename issues.
traceroute is a diagnostic tool originally written by Van Jacobson that lets you view the route that an IP packet follows from one host to the next. traceroute uses the time-to-live (TTL) option in the IP packet to elicit an ICMP TIME_EXCEEDED message from each router
traceroute may allow you to discover the network topology employed by the target network, in addition to identifying access control devices (such as an application-based firewall or packet-filtering routers) that may be filtering our traffic
Most of what we have done up to this point with traceroute has been command-line oriented. For the graphically inclined, you can use VisualRoute (http://www.visualroute.com), NeoTrace (http://www.neotrace.com), or Trout (http://www.foundstone.com)
Some basic Linux tools - lower level utilities
Local System
▪ hostname
▪ ifconfig
▪ who, last
Remote Systems
▪ ping
▪ traceroute
▪ nslookup, dig
▪ whois
▪ arp, netstat (also local system)
Other tools
▪ lsof
Other utilities
wireshark (packet sniffing)
nmap (port scanning) - more later
Ubuntu Linux
▪ Go to System / Administration / Network Tools – get interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois
Windows
Sam Spade (collected network tools)
Wireshark (packet sniffer)
Command line tools
▪ ipconfig
Many others…
Determine host name of current system
Usage: hostname
E.g. hostname
localhost.localdomain // default
E.g. hostname
mobile.cs.uwec.edu
Configure network interface
Tells current IP numbers for host system
Usage: ifconfig
E.g. ifconfig // command alone: display status
eth0  Link encap: Ethernet  HWaddr 00:0C:29:CD:F6:D3
      inet addr: 192.168.172.128 . . .
lo    Link encap: Local Loopback
      inet addr: 127.0.0.1 . . .
Basic tool to show users on current system
Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts)
Usage: who
E.g. who
root  tty1  Jan 9 12:46
paul  tty2  Jan 9 12:52
Show last N users on system
Default: since last cycling of file
-N: last N lines
Useful for identifying unusual activity in recent past
Usage: last [-n]
E.g. last -3
wagnerpj pts/1 137.28.253.254 Sat Feb 5 15:40   still logged in
flinstf  pts/0 137.28.191.74  Sat Feb 5 15:38   still logged in
rubbleb  pts/0 c48.someu.edu  Sat Feb 5 14:38 - 15:25  (00:46)
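The slide's "unusual activity" is something a few lines of code can pick out of `last` output automatically: logins by accounts that are not expected to be active, and logins from hosts outside your own network. This is an added example, not from the slides: the sample output is constructed in the column layout `last` prints (its first three lines mirror the slide's own example), and the internal address range (inferred from the 137.28.x.x addresses on the slides), the domain suffix and the expected-user set are all assumptions for the illustration.

```python
"""Flag unusual logins in `last` output (added example, constructed data)."""
import ipaddress

SAMPLE_LAST = """\
wagnerpj pts/1        137.28.253.254   Sat Feb  5 15:40   still logged in
flinstf  pts/0        137.28.191.74    Sat Feb  5 15:38   still logged in
rubbleb  pts/0        c48.someu.edu    Sat Feb  5 14:38 - 15:25  (00:46)
svc-bak  pts/2        203.0.113.9      Sat Feb  5 03:12 - 03:14  (00:02)
root     tty1                          Sat Feb  5 12:46   still logged in
reboot   system boot  2.6.18-el5       Fri Feb  4 08:00

wtmp begins Fri Feb  4 08:00:01 2011
"""

# Assumptions for the illustration (see lead-in).
INTERNAL_NETWORKS = [ipaddress.ip_network("137.28.0.0/16")]
INTERNAL_SUFFIX = ".uwec.edu"
EXPECTED_USERS = {"wagnerpj", "flinstf", "rubbleb"}
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def host_is_internal(host):
    """Console logins count as internal; numeric hosts are checked against the
    internal ranges and names against the domain suffix."""
    if host == "local":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIX)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_last(text):
    """Turn `last` lines into dicts, skipping the reboot pseudo-user and the trailer."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("wtmp begins"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] == "reboot":
            continue
        user, tty, host, when = parts
        if host in WEEKDAYS:            # console login: the host column is empty
            when, host = host + " " + when, "local"
        entries.append({"user": user, "tty": tty, "host": host, "when": when})
    return entries


def flag_logins(text, expected_users=EXPECTED_USERS):
    """Return (user, host, reasons) for each login worth a second look."""
    flagged = []
    for e in parse_last(text):
        reasons = []
        if e["user"] not in expected_users:
            reasons.append("unexpected account")
        if not host_is_internal(e["host"]):
            reasons.append("external source host")
        if reasons:
            flagged.append((e["user"], e["host"], reasons))
    return flagged


if __name__ == "__main__":
    for user, host, reasons in flag_logins(SAMPLE_LAST):
        print(f"{user:10} from {host:16} : {', '.join(reasons)}")
```

Run it over `last` output (or `last -n` for the recent tail, as on the slide) and review the flagged lines; a never-seen service account logging in at 03:12 from an outside address is exactly the "newly created account" pattern the who/last slides ask you to watch for.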
Potential Uses
Is system online?
▪ Through response
Gather name information
▪ Through DNS
Tentatively identify operating system
▪ Based on TTL (packet Time To Live) on each packet line
▪ TTL = number of hops allowed to get to system
▪ 64 is Linux default, 128 is Windows default (but can be changed!)
Notes
Uses ICMP packets
Often blocked on many hosts; more useful within network
Usage: ping system
▪ E.g. ping ftp.redhat.com
▪ E.g. ping localhost
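The TTL in a ping reply is the target's starting value minus the number of routers in between, so the guess works by rounding the observed value up to the nearest common starting TTL. The following added example (not from the slides) does that over constructed ping output; it goes slightly beyond the slide by also including 255 as a starting value (used by a number of network devices and older Unix stacks, an assumption on my part) and by recovering the hop count, which only holds if the target kept its default, as the slide's "but can be changed!" warns.

```python
"""Tentative OS guess from the TTL in ping replies (added example, constructed data)."""
import re

TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

# Common initial TTL values. 64 and 128 are the slide's defaults; 255 is an
# added assumption covering network gear and some older Unix stacks.
INITIAL_TTLS = {64: "Linux/Unix-like default", 128: "Windows default", 255: "255-based stack"}

# Constructed replies in the format Linux ping prints: a Linux-like host
# seven hops away, then a Windows-like host twelve hops away.
SAMPLE_LINUX = """\
PING 192.0.2.25 (192.0.2.25) 56(84) bytes of data.
64 bytes from 192.0.2.25: icmp_seq=1 ttl=57 time=12.1 ms
64 bytes from 192.0.2.25: icmp_seq=2 ttl=57 time=11.8 ms
64 bytes from 192.0.2.25: icmp_seq=3 ttl=57 time=12.4 ms
"""
SAMPLE_WINDOWS = """\
PING 198.51.100.40 (198.51.100.40) 56(84) bytes of data.
64 bytes from 198.51.100.40: icmp_seq=1 ttl=116 time=31.0 ms
64 bytes from 198.51.100.40: icmp_seq=2 ttl=116 time=30.6 ms
"""


def observed_ttls(ping_output):
    """All TTL values found in the reply lines."""
    return [int(t) for t in TTL_RE.findall(ping_output)]


def guess_initial_ttl(observed):
    """Smallest common starting TTL that is >= the observed value."""
    for start in sorted(INITIAL_TTLS):
        if observed <= start:
            return start
    return None


def classify(ping_output):
    """Most frequent observed TTL, inferred start value, hop count and OS hint.

    Returns None when the output contains no replies (host down or ICMP blocked,
    the case the slide's "often blocked" note describes)."""
    ttls = observed_ttls(ping_output)
    if not ttls:
        return None
    observed = max(set(ttls), key=ttls.count)
    start = guess_initial_ttl(observed)
    return {"observed_ttl": observed, "initial_ttl": start,
            "hops": start - observed, "guess": INITIAL_TTLS[start]}


if __name__ == "__main__":
    for sample in (SAMPLE_LINUX, SAMPLE_WINDOWS):
        print(classify(sample))
```

Treat the result as a hint to confirm with other evidence: a host that is more than 64 hops away (rare in practice) or an administrator who raised the default TTL would both push a Linux box into the "Windows" bucket.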
Potential Uses
Determine physical location of machine
Gather network information (gateway, other internal systems)
Find system that’s dropping your packets – evidence of a firewall
Notes
Can use UDP or ICMP packets
Results often limited by firewalls
Several GUI-based traceroute utilities available
Usage: traceroute system
▪ E.g. traceroute cs.umn.edu
[wagnerpj@data ~]$ traceroute cs.umn.edu
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
<ctrl-c>
[wagnerpj@data ~]$
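The run above stops answering at hop 4, which is the "system that's dropping your packets" the previous slide mentions. The following added example (not from the slides) parses Linux traceroute output and reports the first silent hop and the last hop that answered; the sample text is constructed to match the format of the run shown above (same hosts and timings) with a fifth unanswered hop added. Windows tracert output is laid out differently and is not handled here.

```python
"""Locate the silent hop in traceroute output (added example, constructed data)."""
import re

SAMPLE = """\
traceroute to cs.umn.edu (128.101.34.202), 30 hops max, 38 byte packets
 1  137.28.109.2 (137.28.109.2)  0.247 ms  0.220 ms  0.208 ms
 2  v101.networking.cns.uwec.edu (137.28.9.1)  0.245 ms  0.229 ms  0.220 ms
 3  uweauclairehub2-ge50.core.wiscnet.net (216.56.90.1)  1.315 ms  1.194 ms  1.343 ms
 4  * * *
 5  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")       # "<ttl>  <rest of line>"
HOST_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")   # "name (address)"
RTT_RE = re.compile(r"([\d.]+) ms")             # each probe's round-trip time


def parse_traceroute(text):
    """One dict per hop: ttl, host, ip and the list of RTTs (empty when silent)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                                # header line, not a hop
        ttl, rest = int(m.group(1)), m.group(2)
        hm = HOST_RE.search(rest)
        hops.append({
            "ttl": ttl,
            "host": hm.group(1) if hm else None,
            "ip": hm.group(2) if hm else None,
            "rtts": [float(x) for x in RTT_RE.findall(rest)],
        })
    return hops


def first_silent_hop(hops):
    """TTL of the first hop that answered no probe, or None if every hop answered."""
    for h in hops:
        if not h["rtts"]:
            return h["ttl"]
    return None


def last_responding_hop(hops):
    """The last hop that returned an RTT: the boundary behind which filtering starts."""
    answered = [h for h in hops if h["rtts"]]
    return answered[-1] if answered else None


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE)
    boundary = last_responding_hop(hops)
    print("last answering hop:", boundary["ttl"], boundary["host"], boundary["ip"])
    print("first silent hop:", first_silent_hop(hops))
```

A silent hop is a lead rather than proof of a firewall: a router that is rate-limiting ICMP or configured not to send TIME_EXCEEDED looks the same from here, so confirm with a second run using a different probe type before drawing the network diagram.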
H:\>tracert www.google.com
Tracing route to www.google.akadns.net [64.233.167.99]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  v61.networking.cns.uwec.edu [137.28.61.1]
  2     4 ms     6 ms     3 ms  UWEauClaireHub2-ge50.core.wiscnet.net [216.56.90.1]
  3     2 ms     1 ms     2 ms  r-uweauclaire-isp-gig2-0.wiscnet.net [140.189.8.141]
  4    17 ms    17 ms    17 ms  chi-edge-08.inet.qwest.net [65.113.85.5]
  5    18 ms    16 ms    18 ms  chi-core-02.inet.qwest.net [205.171.20.113]
  6    17 ms    18 ms    19 ms  cer-core-01.inet.qwest.net [205.171.205.34]
  7    18 ms    19 ms    21 ms  chp-brdr-01.inet.qwest.net [205.171.139.146]
  8    18 ms    17 ms    18 ms  P11-0.CHICR2.Chicago.opentransit.net [193.251.129.113]
  9    15 ms    16 ms    16 ms  Google-EU-Customers-2.GW.opentransit.net [193.251.249.30]
 10    16 ms    16 ms    18 ms  216.239.46.10
 11    21 ms    19 ms    17 ms  64.233.175.30
 12    18 ms    16 ms    16 ms  64.233.167.99
Trace complete.
Potential Uses
Queries nicname/whois servers for Internet registration information
Can gather contacts, names, geographic information, servers, … - useful for social engineering attacks
Notes
Usage: whois domain
▪ e.g. whois netcom.com
Domain Name: UWEC.EDU
Registrant:
   University of Wisconsin - Eau Claire
   105 Garfield Avenue
   Eau Claire, WI 54702-4004
   UNITED STATES
Contacts:
   Administrative Contact:
   Computing and Networking Services
   105 Garfield Ave
   Eau Claire, WI 54701
   UNITED STATES
   (715) 836-5711
   [email protected]
Servers:
   TOMATO.UWEC.EDU 137.28.1.17
   LETTUCE.UWEC.EDU 137.28.1.18
   BACON.UWEC.EDU 137.28.5.194
whois uw%.edu
Your search has matched multiple domains.
Below are the domains you matched (up to 100).
For specific information on one of these domains, please search on that domain.
UW.EDU
UWA.EDU
UWB.EDU
UWC.EDU
UWEC.EDU
UWEST.EDU
UWEX.EDU
….
Potential Uses
Query internet name servers
Find name for IP address, and vice versa
Notes
Now deprecated – generally use dig
Sometimes useful when dig fails
Usage: nslookup xxxxxxx // name or IP addr.
▪ E.g. nslookup data.cs.uwec.edu
▪ E.g. dig data.cs.uwec.edu
Potential Uses
Domain Name Service (DNS) lookup utility
Associate name with IP address and vice versa
Notes
Many command options
General usage: dig <somehost>
▪ E.g. dig data.cs.uwec.edu
▪ E.g. dig -x 137.28.109.33 // reverse lookup: address to name
Tracks addresses, interfaces accessed by system
Possible uses
Find systems that your system has recently talked to
Notes
arp // display names
arp -n // display numeric addresses
Shows connections, routing information, statistics
Possible uses
Find systems that your system has recently talked to, find recently used ports
Notes
Many flags
▪ netstat // open sockets, etc.
▪ netstat -s // summary statistics
▪ netstat -r // routing tables
▪ netstat -p // programs
▪ netstat -l // listening sockets
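For the defender, `netstat -l` answers the question from the start of the chapter, "what information am I giving away": every socket bound to a non-loopback address is a service the rest of the network can see. The following added example (not from the slides) parses listening sockets and reports the network-facing ones that are not on an expected baseline. The sample output is constructed in the column layout of `netstat -tlnp` on Linux (the "-" program field appears when the socket belongs to another user or to the kernel and netstat was not run as root), and the baseline is an assumption for the illustration.

```python
"""Compare listening sockets against an expected baseline (added example, constructed data)."""

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1020/master
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      1301/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      977/cupsd
"""

# Constructed baseline: ports this host is expected to expose to the network.
EXPECTED_EXPOSED_PORTS = {22, 80}

# Bind addresses reachable only from the host itself.
LOOPBACK_PREFIXES = ("127.", "::1")


def parse_listeners(text):
    """One dict per LISTEN line: proto, bind address, port, owning program, exposure."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[5] != "LISTEN":
            continue                                   # banner, header or non-listening socket
        addr, port = cols[3].rsplit(":", 1)            # rsplit keeps IPv6 addresses intact
        program = cols[6] if len(cols) > 6 else "-"
        listeners.append({
            "proto": cols[0],
            "addr": addr,
            "port": int(port),
            "program": program,
            "exposed": not addr.startswith(LOOPBACK_PREFIXES),
        })
    return listeners


def unexpected_exposures(text, expected=EXPECTED_EXPOSED_PORTS):
    """Network-facing listeners whose port is not in the baseline."""
    return [l for l in parse_listeners(text) if l["exposed"] and l["port"] not in expected]


if __name__ == "__main__":
    for l in unexpected_exposures(SAMPLE_NETSTAT):
        print(f"{l['proto']} {l['addr']}:{l['port']} owned by {l['program']} is exposed and not in the baseline")
```

In the sample the only hit is port 2049 (the registered NFS port) bound to all interfaces with no owning process reported; rerunning netstat as root, or checking `lsof` as the next slide suggests, shows which process or kernel service owns it.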
Lists open files on your system
Useful to see what processes are working with what files, possibly identify tampering
Usage: lsof
Sam Spade
“swiss army knife” of footprinting
Has most of the Linux tools
Plus other functionality
Usage
Start application
Fill in name or IP address
Choose option desired in menus
Definition: Hardware or software that can display network traffic packet information
Usage
Network traffic analysis
Example packet sniffers
tcpdump (command line, Linux)
wireshark (GUI interface, Linux, Windows – open source)
others…
Packet sniffers only catch what they can see
Users attached to hub – can see everything
Users attached to switch – only see own traffic
Wireless – wireless access point is like hub
Need to be able to put your network interface card (NIC) in “promiscuous” mode to be able to process all traffic, not just traffic for/from itself
NIC must support
Need privilege (e.g. root in Linux)
Layer 7 – Application (incl. app. content)
Layer 6 – Presentation
Layer 5 – Session
Layer 4 – Transport (incl. protocol, port)
Layer 3 – Network (incl. source, dest)
Layer 2 – Data Link
Layer 1 – Physical
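What a sniffer's packet-breakdown pane shows at each of these layers is just the successive headers of one captured frame. The following added example (not from the slides) builds a single Ethernet/IPv4/TCP frame from constructed values and then decodes it layer by layer with the standard library: the source MAC and address are taken from the ifconfig output on the earlier slide, the destination is a documentation address, the payload is a small HTTP request, and IP and TCP checksums are left at zero because nothing here is transmitted.

```python
"""Decode an Ethernet/IPv4/TCP frame layer by layer (added example, constructed data)."""
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def build_sample_frame():
    """Ethernet II + IPv4 + TCP + payload, all values constructed."""
    dst_mac = bytes.fromhex("00005e005301")          # IANA-reserved example MAC
    src_mac = bytes.fromhex("000c29cdf6d3")          # MAC shown on the ifconfig slide
    ethernet = dst_mac + src_mac + struct.pack("!H", 0x0800)   # EtherType 0x0800 = IPv4
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80,          # source and destination ports
                      1, 0,               # sequence and acknowledgement numbers
                      5 << 4,             # data offset: 5 words = 20-byte header
                      0x18,               # flags PSH|ACK
                      65535, 0, 0)        # window, checksum (unset), urgent pointer
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0,                       # version 4, IHL 5 words; DSCP/ECN
                       20 + len(tcp) + len(payload),  # total length
                       0x1234, 0x4000,                # identification; flags = DF
                       64, 6, 0,                      # TTL 64, protocol 6 = TCP, checksum unset
                       bytes([192, 168, 172, 128]),   # source (from the ifconfig slide)
                       bytes([192, 0, 2, 80]))        # destination (documentation range)
    return ethernet + ipv4 + tcp + payload


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def decode_frame(frame):
    """Return a dict keyed by OSI layer with the fields a sniffer shows at each."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["L2"] = {"src_mac": _mac(src), "dst_mac": _mac(dst), "ethertype": f"0x{ethertype:04x}"}
    if ethertype != 0x0800:
        return layers                                  # not IPv4: stop at layer 2
    vihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (vihl & 0x0F) * 4                            # header length in bytes (options included)
    layers["L3"] = {"src": _ip(s), "dst": _ip(d), "ttl": ttl, "protocol": proto, "total_length": total_len}
    if proto != 6:
        return layers                                  # not TCP: stop at layer 3
    off = 14 + ihl
    sport, dport, seq, ack, data_off, flags, window, _c, _u = struct.unpack("!HHIIBBHHH", frame[off:off + 20])
    hlen = (data_off >> 4) * 4                         # TCP header length in bytes
    layers["L4"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                    "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit], "window": window}
    layers["L7"] = frame[off + hlen:]                  # application data, as the bottom pane shows it
    return layers


if __name__ == "__main__":
    for layer, fields in decode_frame(build_sample_frame()).items():
        print(layer, fields)
```

Layers 5 and 6 from the slide have no separate header in this frame; TCP/IP folds them into the application data, which is why a sniffer jumps from the transport layer straight to the decoded HTTP text. The TTL of 64 in the decoded layer 3 is the same field the ping slide uses for its operating-system guess.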
Created as tool to examine network problems in 1997
Various contributors added pieces; released 1998
Name change (2007): ethereal -> wireshark
Works with other packet filter formats
Information
http://www.wireshark.org
Demonstration
Ubuntu – Applications / Internet / Wireshark (as root)
Enter your administrative account pw: user
Capture/Interfaces/eth0:, Start
Capture window shows accumulated totals for different types of packets
Stop – packets now displayed
Top window – packet summary
Can sort by column – source, destination, protocol are useful
Middle window – packet breakdown
Click on + icons for detail at each packet level
Bottom window – packet content
Can save a session to a capture file
Can reopen file later for further analysis
Open capture file
▪ Ubuntu: /home/user/Support/MOBILEcapture.cap
▪ W2K3: C:\Support\MOBILEcapture.cap
Identify and follow different TCP streams
Select TCP packet, Analyze/Follow TCP Stream
MOBILEcapture.cap has http, https, ftp, ssh streams
Any interesting information out there?
HINT: follow stream on an ftp packet
Hunt
TCP sniffer
Watch and reset connections
Hijack sessions
Spoof MAC address
Spoof DNS name
EtherPEG – image capture on network http://www.etherpeg.com
Basic tools can generate much information
Remember principle of accumulating information
Attacker will build on smaller pieces to get bigger pieces
Message to defenders: don’t give away any information if you can avoid it
McClure S., Scambray J. Hacking Exposed, 5th ed.