Enigma Group's Articles

Footprinting - Submitted By: invas10n 2008-08-26 03:22:47
FootPrinting

T.O.C
(N00bs Tips)
What is Footprinting?
Internet footprinting
Step 1: Determine the Scope of Your Activities
Step 2: Network Enumeration
       --> Registrar Query
       --> Organizational Query
       --> Domain Query
       --> Network Query
       --> POC Query
Step 3: DNS Interrogation
       --> Determine Mail Exchange (MX) Records
Step 4: Network Reconnaissance
Conclusion
   
(N00bs Tips)

What you need to look up and read: (UNIX users)
man whois
man jwhois
man nslookup
man grep
man host
man traceroute

What you need to do: (Windows Users)
Read up on MS-DOS. Most of these commands are integrated with it, such as:
ping
whois
tracert
host

**At the end of this document, I have provided some of the better whois servers. Here is the link for many more if you would like to take a look:

http://www.math.utah.edu/whois.html


What Is FootPrinting?

Footprinting is probably one of the most important things a hacker should do before attempting to penetrate any system. Footprinting consists of gathering information related to a target's (most commonly an organization's) Intranet, Internet, remote access and Extranet presence. It allows one to create a complete profile of the target's security posture. Footprinting must be performed accurately and in a controlled fashion.

Below, I talk about Internet footprinting: what to do, what to look for, and tips on getting as much information as possible. Although information gathering is a slow and boring process, it is probably the most important process that needs to be done before any attacking can take place.



Internet Footprinting

Below, I have some suggested points of things you should do when footprinting an organization.

Step 1: Determine the Scope of Your Activities

1) Decide if you plan to footprint the whole organization (which can be very daunting) or limit your activities to a specific location.
2) Take a look at the target's website. It can be surprising how much information is floating around there.
   1. It is a good idea to mirror their website. Open comments in the HTML code can be very useful and give off quite a lot of information. It is also faster to view it off-line, and won't blow up your phone bill if you are on dial-up.
   2. Tools to use for this would be:
      1. wget for Unix
      2. Teleport Pro for Windows
3) Google for information. Many websites relating to the target, as well as stories or articles about the target, can provide more information. Remember, the point of footprinting is to get as much information about a target as possible so that attacking it will be easier.
4) After most information has been collected from the target's website and any other relevant sites, and assuming your target is a publicly traded company, conducting an EDGAR search on your target could be very helpful. The EDGAR database is located at www.sec.gov. The SEC (Securities and Exchange Commission) uses the EDGAR database to keep track of publicly traded companies. The two most useful types of filing pertaining to your target are the 10-Q (quarterly update) and the 10-K (annual update) on the organization's activities.
   1. It might be useful to search for "subsidiaries" or "subsequent events". If the organization has added a new entity to the business, they may have done it quickly and with little regard to security so that it could be connected as soon as possible. Combining networks can often lead to such sloppiness.
   2. With the EDGAR search, keep in mind that you are looking for entity names that are different from the parent company. This will become critical in subsequent steps when you perform organizational queries against the various whois databases available (Step 2: Network Enumeration).

Step 2: Network Enumeration

The first step is to identify the domain names and associated networks related to the organization. We must scour the Internet for information, and there are many databases we can use for this.

Whois Servers outside the USA:
(Domains other than .com, .net, .org and .edu)
1) http://www.ripe.net            European IP allocations
2) http://www.apnic.net           Asia Pacific IP allocations
3) http://whois.nic.mil           US Military
4) http://www.nic.gov/whois.html  US Government

Some Programs to Use:
1)UNIX
   1.Jwhois
   2.Xwhois
2)Windows
   1.Netscan Tools
   2.Sam Spade
   3.WS_Ping ProPack

Query Types:
1)Registrar Query
2)Organizational
3)Domain
4)Network
5)Point Of Contact (P.O.C)

Registrar Query:

Consult whois.internic.net to obtain a list of potential domains. Once done, determine the correct registrar.
(All examples have been done in UNIX. They will be similar for Windows users who are using DOS.)
The wild card character in UNIX is "." (dot). This may differ depending on the OS you are using; it is generally either a "." or a "*".

[bash]$ jwhois "<domain name>."@whois.internic.net

This will print all the domains that are very similar to your domain name. After you have located your target:

[bash]$ jwhois "<domain name>.suffix"@whois.internic.net

This will then display important information about the domain you are targeting. Such information should consist of:
1.The Domain Name
2.The Registrar
3.The Whois Server
4.The Referral URL
5.The Name Servers
6.(When last updated)

(Visit http://www.math.utah.edu/whois.html for a huge list of whois servers)

Organizational Query:

(This method of querying has no functionality any more and therefore is not used)

Domain Query:

Next, we get more information out of our target.

[bash]$ jwhois <domain>.<suffix>@whois.bulkregister.com

This query provides information related to the organization's:
1)Registrant
2)Domain name
3)Administrative contact
4)When the record was created and updated
5)The primary and secondary DNS servers

Now to decipher the information provided. Excess and unneeded information is called "enticements" because it entices you away from the more important stuff.

The administrative contact is an important piece of information because it will sometimes give you the name of the person who set up the server and, most probably, the firewalls and such things. Using the administrator's email address, it is possible to send spoofed emails to unsuspecting employees requesting them, for example, to change their password for administrative purposes. Voice and fax numbers are also an enormous help when performing a dial-up penetration review. Just fire up the war-dialers in the noted range, and you're off to a good start in identifying potential modem numbers. Social engineering is also a possibility with the administrator's phone numbers.

The record creation date can tell you how old the records are. If they are out of date, information regarding that target may have changed.

Finally, the DNS servers are important for when you want to try a DNS interrogation (Step 3). You can also use the network range listed as a starting point for the network query with the ARIN (American Registry for Internet Numbers) database.
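Most of these whois fields feed the later steps: the name servers go into Step 3, and the update date says how fresh the record is. The following added example (my code, not the tutorial's) parses a constructed whois reply in the "Key: value" layout assumed here, pulls those fields out, and flags a record that has gone unchanged for longer than an assumed two-year threshold, which is useful for keeping an eye on your own organization's registrations:

```python
import re
from datetime import date

# Constructed whois reply in the "Key: value" layout assumed here; the registrar,
# hosts and dates are invented and do not describe any real domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Whois Server: whois.example-registrar.net
Referral URL: http://www.example-registrar.net
Registrant: Example Holdings Ltd
Administrative Contact: J. Admin, hostmaster@example.com, +1.555.0100
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Creation Date: 14-mar-2001
Updated Date: 02-jun-2005
"""

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

def parse_whois(text):
    """Collapse 'Key: value' lines into a dict; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value:
            record.setdefault(key, []).append(value)
    return record

def parse_whois_date(value):
    """Parse the dd-mon-yyyy form used in the sample; None if it does not fit."""
    m = re.match(r"(\d{1,2})-([a-z]{3})-(\d{4})$", value.strip().lower())
    if not m or m.group(2) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(2)], int(m.group(1)))

def name_servers(record):
    """Authoritative servers to carry into Step 3 (DNS interrogation), lower-cased."""
    return [ns.lower() for ns in record.get("Name Server", [])]

def record_age_days(record, today):
    """Days since the record was last updated; None if no parseable Updated Date."""
    updated = parse_whois_date(record.get("Updated Date", [""])[0])
    return (today - updated).days if updated else None

def is_stale(record, today, max_age_days=730):
    """True when the record has not been touched for more than max_age_days
    (the two-year threshold is an assumption, not something the tutorial gives)."""
    age = record_age_days(record, today)
    return age is not None and age > max_age_days
```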

Network Query

It is particularly important to perform the search in the ARIN database to determine if a system is actually owned by the target organization or if it is being co-located or hosted by another organization, such as an ISP.
Note the wild card "*".

[bash]$ jwhois "<domain name> <suffix>*"@whois.arin.net

Displayed will be information concerning the organization's different network blocks with their IP addresses. From the information collected from this search, a more specific search can be conducted on a single block of the organization.

[bash]$ whois <ip address>@whois.arin.net

This prints out more detailed information concerning that specific block. Included in this information will most probably be the range of IP addresses it uses, e.g. 200.200.0.0 to 200.200.63.255.

POC (Points of Contact) Query

Basically, the POC query involves querying the email address of the organization's administrator to see if he is the administrator of any other organizations. This is also done on the ARIN database. Don't be surprised if no results are found; not every email address is registered there. Wild card searches can also be done with "@company_name", which will show you any people who have registered a handle with the domain you are searching for.

Step 3: DNS Interrogation

After identifying all the associated domains, you can begin to query the DNS. DNS is a distributed database used to map hostnames to IP addresses, and vice versa. If DNS is configured insecurely, it is possible to obtain revealing information about the organization. Allowing anyone to make a zone transfer is the most dangerous misconfiguration they can make. A zone transfer allows a secondary master server to update its zone database from the primary master. If it is misconfigured, then anyone can perform a zone transfer, which gives the attacker information about the organization's hostnames that are connected to the Internet. This on its own isn't that big a problem. The real problem comes when the DNS server is not configured with a public/private (split) mechanism to separate the information the query will provide. If the internal private information is displayed, it is possible to design a blueprint of what the organization looks like, which can be very useful.

The nslookup client on UNIX systems is very good for doing a DNS query. Here's how to do this:

[bash]$ nslookup
> server <IP address of DNS server here>
  *information about the selected server will be displayed here
> set type=any
> ls -d <domain>.<suffix>. >> /tmp/zone_out

The "any" type lets us pull every DNS record available. The "ls" command lists the records for the domain, and the "-d" switch asks for all record types rather than only addresses. The output is appended to the file zone_out in the /tmp/ folder.

To view the data in the zone_out file, type:

[bash]$ more /tmp/zone_out

This will display all the information that has been saved in the zone_out file. Two important things to notice are the entries with an 'A' record type, which give the IP address of the host named on that line, and the HINFO records, which identify the OS running on that system.

Now, let's say you are an expert with SunOS or Solaris. You could programmatically find the computers running that system by typing the following:

[bash]$ grep -i solaris /tmp/zone_out | wc -l

A number showing how many systems run this OS will be displayed. Similarly, test systems can be found by:

[bash]$ grep -i test /tmp/zone_out | wc -l

Test systems are good to look for because administrators don't really spend much time setting up security and changing the passwords on these machines, because they are not really that important to the organization.

*Please note, this query only queries one nameserver at a time. If there are subdomains, you would have to perform the same query for each of them.

What's been stated above is the manual method of doing this query. Some useful tools to speed the process up are host, Sam Spade, axfr and dig.

axfr, by Gaius, is one of the best tools around for doing a zone transfer and can be downloaded at http://packetstormsecurity.nl/groups/ADM/axfr-0.5.2.tar.gz . This program will recursively transfer zone information and create a compressed database of zone and host files for each domain queried.

[bash]$ axfr <domain>.<suffix>
axfr: Using default directory: /root/axfrdb
Found <number> name servers for domain '<domain>';
Test deleted.
Receive XXX answers (XXX records).

To query the database:

[bash]$ axfrcat <domain>.<suffix>

Determine Mail Exchange (MX) Records:

Determining where the mail is handled is a great place to start when locating the organization's firewall, because the two are most often found on the same system. The host command briefly mentioned above will help you determine the MX records.

[bash]$ host <domain>.<suffix>
<domain>.<suffix> has address 255.255.255.255
<domain>.<suffix> mail is handled (pri=10) by <server>
<domain>.<suffix> mail is handled (pri=20) by <server>

Step 4: Network Reconnaissance

This final step gives a person an understanding of the topology of the network we are trying to attack. For this, the tools you will need are traceroute for UNIX users and tracert for Windows users. What traceroute does is send packets from your computer out to the target computer. Every switch or router the packets pass through sends information back to your computer, such as the router's address and the time the packets took to get there and back.
First, start off by tracerouting the target network:

[bash]$ traceroute <domain>.<suffix>

You will be greeted by a whole host of information, for example:

[bash]$ traceroute www.roxbury.co.za
traceroute to www.roxbury.co.za (196.25.190.131), 64 hops max, 40 byte packets
 1  gw (146.231.115.254)  6.318 ms  9.638 ms  10.079 ms
 2  incanda.ru.ac.za (146.231.128.204)  9.570 ms  9.775 ms  10.009 ms
 3  ru03.tenet.ru.ac.za (192.42.99.1)  11.117 ms  8.343 ms  9.981 ms
 4  bb-ru-mc-ipnet.uni.net.za (155.232.210.9)  25.978 ms  24.893 ms  24.296 ms
 5  unknown.uni.net.za (155.232.210.6)  61.537 ms  47.080 ms  52.064 ms
 6  int-ru-mc-ipnet.uni.net.za (155.232.200.145)  376.040 ms  223.358 ms  224.651 ms
 7  tenet-national-router.uni.net.za (155.232.216.2)  45.892 ms  43.787 ms  53.357 ms
 8  nat-ru-mc-ipnet.uni.net.za (155.232.202.145)  50.791 ms  71.585 ms  56.101 ms
 9  wblv-ip-esr-1-wan.telkom-ipnet.co.za (196.25.251.153)  43.296 ms  48.826 ms  48.247 ms
10  eel-ip-er-1-atm-6-0-5.telkom-ipnet.co.za (196.43.11.73)  76.126 ms  298.927 ms  180.148 ms
11  prm-media-marketing-gw.ec.saix.net (196.25.128.86)  370.002 ms  94.990 ms  146.403 ms
12  albany1.albanynet.co.za (196.25.190.131)  183.212 ms  123.657 ms  143.289 ms

Generally, and depending on the complexity of the organization, we can presume that the hop before the final destination is the organization's border router, which performs the routing functions (e.g. firewall, router etc.). It is important to map out the target's network using traceroute; you create what is referred to as a path access diagram.

In UNIX, User Datagram Protocol (UDP) packets are sent by default. If this type of packet is blocked by the firewall, the '-I' option will make traceroute send Internet Control Message Protocol (ICMP) packets instead.
*Note: Windows users send ICMP packets by default.

Another interesting feature of traceroute is the '-g' option, which allows the user to specify loose source routing. Don't expect this to work though, because it is a cardinal sin for a server to accept these packets ;) . The '-p n' option of traceroute may allow us to bypass access control devices during our probe. It allows us to specify a starting UDP port number (n) that will increment by one as the probes are launched. A good starting point would be UDP port 53 (DNS queries).

[bash]$ traceroute -p53 <IP Address>

Some interesting programs to look at for tracerouting are NeoTrace (www.neotrace.com) and VisualRoute (www.visualroute.com). They provide a graphical view of the tracing progress, VisualRoute being the best one, although its scale is not very good for detailed network reconnaissance.
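To turn a raw trace into the path access diagram mentioned above, the hop list has to be parsed first. This added example (my code, not the tutorial's) parses traceroute output in the format shown, copes with a hop's RTTs wrapping onto a second line (as hop 10 does above) and with hops that only show '*', and applies the tutorial's heuristic that the hop before the destination is the likely border router; its input is the page's own sample trace, re-typed:

```python
import re

# The tutorial's own traceroute sample, re-typed as test input, with hop 10
# wrapped onto a second line exactly as it appears on the page.
SAMPLE_TRACE = """\
traceroute to www.roxbury.co.za (196.25.190.131), 64 hops max, 40 byte packets
 1  gw (146.231.115.254)  6.318 ms  9.638 ms  10.079 ms
 2  incanda.ru.ac.za (146.231.128.204)  9.570 ms  9.775 ms  10.009 ms
 3  ru03.tenet.ru.ac.za (192.42.99.1)  11.117 ms  8.343 ms  9.981 ms
 4  bb-ru-mc-ipnet.uni.net.za (155.232.210.9)  25.978 ms  24.893 ms  24.296 ms
 5  unknown.uni.net.za (155.232.210.6)  61.537 ms  47.080 ms  52.064 ms
 6  int-ru-mc-ipnet.uni.net.za (155.232.200.145)  376.040 ms  223.358 ms  224.651 ms
 7  tenet-national-router.uni.net.za (155.232.216.2)  45.892 ms  43.787 ms  53.357 ms
 8  nat-ru-mc-ipnet.uni.net.za (155.232.202.145)  50.791 ms  71.585 ms  56.101 ms
 9  wblv-ip-esr-1-wan.telkom-ipnet.co.za (196.25.251.153)  43.296 ms  48.826 ms  48.247 ms
10  eel-ip-er-1-atm-6-0-5.telkom-ipnet.co.za (196.43.11.73)  76.126 ms  298.927 ms
    180.148 ms
11  prm-media-marketing-gw.ec.saix.net (196.25.128.86)  370.002 ms  94.990 ms  146.403 ms
12  albany1.albanynet.co.za (196.25.190.131)  183.212 ms  123.657 ms  143.289 ms
"""

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
# hop number, optional leading '*' probes, host, (ip), then the RTT columns
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\*\s+)*(\S+)\s+\(([\d.]+)\)\s*(.*)$")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")
RTT_RE = re.compile(r"([\d.]+)\s+ms")

def parse_traceroute(text):
    """Return (destination_ip, hops); each hop is a dict of hop, host, ip, rtts.
    A line with no hop number carries wrapped RTTs of the previous hop; a hop
    that only shows '*' is kept with host None so the numbering stays intact."""
    dest_ip, hops = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER_RE.match(line)
        if header:
            dest_ip = header.group(2)
            continue
        hop = HOP_RE.match(line)
        if hop:
            hops.append({"hop": int(hop.group(1)), "host": hop.group(2), "ip": hop.group(3),
                         "rtts": [float(r) for r in RTT_RE.findall(hop.group(4))]})
        elif TIMEOUT_RE.match(line):
            hops.append({"hop": int(TIMEOUT_RE.match(line).group(1)),
                         "host": None, "ip": None, "rtts": []})
        elif hops:
            hops[-1]["rtts"].extend(float(r) for r in RTT_RE.findall(line))
    return dest_ip, hops

def border_router_candidate(text):
    """The hop just before the destination, which the tutorial treats as the
    organisation's border router/firewall; None if the trace never got there."""
    dest_ip, hops = parse_traceroute(text)
    if len(hops) < 2 or hops[-1]["ip"] != dest_ip:
        return None
    return hops[-2]
```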

Conclusion

Footprinting is a must for any hacker preparing a large scale attack on an organization. I hope this tutorial has been of help. Best of luck ...

Peace.
     Invas10n

 
Good Whois Servers:

com, net    rs.internic.net
edu    whois.educause.net
gov    whois.nic.gov
org    whois.publicinterestregistry.net


ARIN (American Registry for Internet Numbers)
http://ww1.arin.net/whois/

APNIC database (Asia Pacific Network Information Centre)
http://www.apnic.net/search/

Network Solutions (COM, NET, ORG and EDU domain names)
http://www.netsol.com/cgi-bin/whois/whois/

Universal Whois for Internet domains
http://uwhois.com/
[search multiple Whois servers in parallel]


References:
HACKING EXPOSED - Stuart McClure, Joel Scambray, George Kurtz

Comment By: jalal77 2011-08-24 06:07:52
nice info nicee bro
