Footprinting

    T.O.C
    (N00bs Tips)
    What is Footprinting?
    Internet footprinting
    Step1: Determine the Scope of Your Activities
    Step2: Network Enumeration
           --> Registrar Query
           --> Organizational Query
           --> Domain Query
           --> Network Query
           --> POC Query
    Step3: DNS Interrogation
           --> Determine Mail Exchange (MX) Records
    Step4: Network Reconnaissance
    Conclusion
    	
    (N00bs Tips)
    
    What you need to look up and read: (UNIX users)
    man whois
    man jwhois
    man nslookup
    man grep
    man host
    man traceroute
    
    What you need to do: (Windows Users)
    Read up on MS-DOS. Most of these commands are integrated with it, such as:
    ping
    whois
    tracert
    host
    
    **At the end of this document I have listed some of the better whois servers. Here is a link to many more, if you would like to take a look:
    
    http://www.math.utah.edu/whois.html
    
    
    What Is FootPrinting?
    
    Footprinting is probably one of the most important things a hacker should do before attempting to penetrate any system. Footprinting consists of gathering information related to a target's
    (most commonly an organization's) Intranet, Internet, remote access and Extranet presence. It allows one to create a complete profile of the target's security posture. Footprinting must be performed
    accurately and in a controlled fashion.
    
    Below, I talk about Internet footprinting: what to do, what to look for, and tips on getting as much information as possible. Although information gathering is a slow and boring process,
    it is probably the most important step that needs to be done before any attack can take place...
    
    
    
    Internet Footprinting
    
    Below are some suggested steps to follow when footprinting an organization.
    
    Step1: Determine the Scope of Your Activities
    
    1) Decide if you plan to footprint the whole organization (which can be very daunting) or limit your activities to a specific location.
    2) Take a look at the target's website. It can be surprising how much information they have floating around.
    	1. It's a good idea to mirror their website. Comments left in the HTML code can be very useful and give off quite a lot of information. It's also faster to view it off-line, and won't blow up your
     	 phone bill if you're on dial-up.
    	2. Tools to use for this would be:
    		1. WGet for UNIX
    		2. Teleport Pro for Windows
    3) Google for information. Many websites relating to the target, as well as stories or articles about the target, can provide more information. Remember, the point of footprinting is to get as much information about a target as possible so that attacking it will be easier.
    4) After most information has been collected from the target's website and any other relevant sites, and if your target is a publicly traded company, conducting an EDGAR search on your target could be very helpful. The EDGAR database is located at www.sec.gov. The SEC (Securities and Exchange Commission) uses the EDGAR database to keep track of publicly traded companies. The two most useful filings pertaining to your target are the 10-Q (quarterly update) and the 10-K (annual update) concerning the organization's activities.
    	1. It might be useful to search for "subsidiaries" or "subsequent events". If the organization has added a new entity to the business, they may have done it quickly and with little regard to security so that it could be connected as soon as possible. Combining networks can often lead to such sloppiness.
    	2. With the EDGAR search, keep in mind that you are looking for entity names that are different from the parent company's. This will become critical in subsequent steps, when you perform organizational queries against the various whois databases available (Step2: Network Enumeration).
    
    Step2: Network Enumeration
    
    The first step is to identify the domain names and associated networks related to the organization. We must scour the Internet for information, and there are many databases we can use for this.
    
    Whois servers outside the USA:
    (Domains other than .com, .net, .org and .edu)
    1) http://www.ripe.net            European IP allocations
    2) http://www.apnic.net           Asia Pacific IP allocations
    3) http://whois.nic.mil           US Military
    4) http://www.nic.gov/whois.html  US Government
    
    Some Programs to Use:
    1)UNIX
    	1.Jwhois
    	2.Xwhois
    2)Windows
    	1.Netscan Tools
    	2.Sam Spade
    	3.WS_Ping ProPack
    
    Query Types:
    1)Registrar Query
    2)Organizational
    3)Domain
    4)Network
    5)Point Of Contact (P.O.C)
    
    Registrar Query:
    
    Consult whois.internic.net to obtain a list of potential domains. Once done, determine the correct registrar.
    (All examples have been done in UNIX. They will be similar for Windows users using DOS.)
    The wild card character in UNIX is "." (dot). This may differ depending on the OS you're using. It's generally either a "." or a "*".
    
    [bash]$ jwhois "<domain>."@whois.internic.net
    
    This will print all the domains that are very similar to your domain name. After you have located your target:
    
    [bash]$ jwhois "<domain>.suffix"@whois.internic.net
    
    This will then display important information about the domain you are targeting. Such information should consist of:
    1.The Domain Name
    2.The Registrar
    3.The Whois Server
    4.The Referral URL
    5.The Name Servers
    6.(When last updated)
    
    (Visit http://www.math.utah.edu/whois.html for a huge list of whois servers)
    
    Organizational Query:
    
    (This method of querying has no functionality any more and therefore is not used)
    
    Domain Query:
    
    Next, we get more information out of our target.
    
    [bash]$ jwhois <domain>.<suffix>@whois.bulkregister.com
    
    This query provides information related to the organization's:
    1)Registrant
    2)Domain name 
    3)Administrative contact
    4)When the record was created and updated
    5)The primary and secondary DNS servers
    
    Now to decipher the information provided. Excess and unneeded information is called "enticements" because it entices you away from the more important stuff.
    
    The administrative contact is an important piece of information because it will sometimes give you the name of the person that has set up the server and most probably the firewalls and such things.
    Using the administrator's email address, it is possible to send spoofed emails to unsuspecting employees requesting them to, for example, change their password for administrative purposes.
    Voice and fax numbers are also an enormous help when performing a dial-up penetration review. Just fire up the war-dialers in the noted range, and you're off to a good start in identifying potential
    modem numbers.
    Social engineering is also a possibility with the administrator's phone numbers.
    
    The record creation can tell you how old the records are. If they are out of date, information regarding that target may have changed.
    
    Finally, the DNS servers are important for when you want to try a DNS interrogation (Step3). You can also use the network range listed as a starting point for the network query against the
    ARIN (American Registry for Internet Numbers) database.
    
    Network Query
    
    It is particularly important to perform the search in the ARIN database to determine if a system is actually owned by the target organization or if it is being co-located or hosted by another
    organization, such as an ISP.
    Note the wild card "*".
    
    [bash]$ jwhois "<company_name> *"@whois.arin.net
    
    Displayed will be information concerning the different blocks belonging to the organization, with their IP addresses. From the information collected in this search, a more specific search can be
    conducted on a single block of the organization.
    
    [bash]$ whois <network_block>@whois.arin.net
    
    This prints out more detailed information concerning that specific block. Included in this information will most probably be the number of IP addresses it uses, e.g. 200.200.0.0 to 200.200.63.255.
    
    POC (Points of Contact) Query
    
    Basically, the POC query involves querying the email address of the organization's administrator to see if he is the administrator of any other organizations. This is also done on the ARIN database.
    Don't be surprised if no results are found. Not every email address is registered there. Wild card searches can also be done with "@company_name", which will show you any people who have registered a handle
    with the domain you are searching for.
    
    Step 3: DNS Interrogation
    
    After identifying all the associated domains, you can begin to query the DNS. DNS is a distributed database used to map IP addresses to hostnames, and vice versa. If DNS is configured insecurely, it is
    possible to obtain revealing information about the organization. Allowing anyone to make a zone transfer is the most dangerous misconfiguration they can make. A zone transfer allows a secondary master
    server to update its zone database from the primary master. If it's misconfigured, then anyone can perform a zone transfer. This gives the attacker information about the hostnames in the organization
    which are connected to the Internet. This isn't that big a problem. The real problem comes when the DNS server is not configured with a public/private mechanism to split the information the query will
    provide. If the internal private information is displayed, it is possible to design a blueprint of what the organization looks like, which can be very useful.
    
    The nslookup client on UNIX systems is very good for doing a DNS query. Here's how to do this:
    
    [bash]$ nslookup
    > server <target_name_server>
      *information about the selected name server will be displayed here
    > set type=any
    > ls -d <domain>. >> /tmp/zone_out
    
    The "any" type allows us to pull all the DNS records available. The "ls" command lists the records for the domain, and the "-d" switch makes it list all record types for the domain. The output
    is appended to the zone_out file in the /tmp/ folder.
    
    To view the data in the zone_out file, type:
    
    [bash]$ more /tmp/zone_out
    
    This will display all the information that has been saved in the zone_out file. Two important things to notice in this information are the entries that have an 'A' in them, which denote the
    IP addresses of the system names on that line, and the HINFO records, which identify the OS running on each system.
    
    Now, let's say you are an expert with SunOS or Solaris. You could find out how many of the listed systems run that OS by typing the following:
    
    [bash]$ grep -i solaris /tmp/zone_out | wc -l
    
    A number showing how many systems there are that run this OS will be displayed. Similarly, test systems can be found by: 
    
    [bash]$ grep -i test /tmp/zone_out | wc -l
    
    Test systems are good to look for because administrators don't really spend much time setting up security and changing the passwords on these machines, as they are not really that important to the
    organization.
    
    *Please note, this query only queries one nameserver at a time. If there are subdomains, you would have to perform the same query on them.
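    To see what a zone dump like the one above actually hands out, here is an added Python example (mine, not from the tutorial) that parses a constructed zone_out in the same name/class/type/data layout and produces the inventory the greps above extract by hand: A records, HINFO OS hints, hosts named "test", mail exchangers, and any internal RFC 1918 addresses that a missing public/private split would leak. The names parse_zone, count_os, audit_zone and the sample zone are my own inventions.

```python
import ipaddress
import shlex

# Constructed zone dump (invented hosts under the documentation domain example.com)
# in the name/class/type/data layout a zone transfer (nslookup ls -d, axfr, dig) yields.
ZONE_OUT = """\
; constructed zone dump for example.com
example.com.   IN  NS     ns1.example.com.
example.com.   IN  MX     10 mail.example.com.
www            IN  A      203.0.113.10
www            IN  HINFO  "Sun Sparc 20" "Solaris 2.6"
mail           IN  A      203.0.113.20
mail           IN  HINFO  "Intel PC" "Linux 2.4"
test-web       IN  A      203.0.113.30
test-web       IN  HINFO  "Intel PC" "Solaris 8"
db-test01      IN  A      10.1.2.5
intranet       IN  A      10.1.2.6
"""
RECORD_TYPES = {"A", "AAAA", "CNAME", "HINFO", "MX", "NS", "SOA", "TXT"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """Yield (name, type, data_fields) for each resource record in the dump."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)                    # keeps "quoted HINFO text" whole
        for i, tok in enumerate(fields[1:], start=1):
            if tok in RECORD_TYPES:
                yield fields[0], tok, fields[i + 1:]
                break

def count_os(text, keyword):
    """Same answer as  grep -i <keyword> zone_out | wc -l  but limited to HINFO data."""
    return sum(1 for _, t, d in parse_zone(text)
               if t == "HINFO" and keyword.lower() in " ".join(d).lower())

def audit_zone(text):
    """What the dump hands an outsider; internal_hosts are A records in RFC 1918 space."""
    records = list(parse_zone(text))
    a_records = {n: d[0] for n, t, d in records if t == "A"}
    return {
        "a_records": a_records,
        "hinfo": {n: " ".join(d) for n, t, d in records if t == "HINFO"},
        "test_hosts": sorted({n for n, _, _ in records if "test" in n.lower()}),
        "internal_hosts": sorted(n for n, ip in a_records.items()
                                 if any(ipaddress.ip_address(ip) in net for net in RFC1918)),
        "mail_exchangers": [d[1] for _, t, d in records if t == "MX"],
    }
```

    Run it against a real dump by reading /tmp/zone_out into the text argument; anything that shows up under hinfo or internal_hosts is what an administrator should be removing from the public zone.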
    
    What's been stated above is the manual way of performing this query. Some useful tools to speed the process up are host, Sam Spade, axfr and dig.
    
    Axfr, by Gaius, is one of the best tools around for doing a zone transfer and can be downloaded at http://packetstormsecurity.nl/groups/ADM/axfr-0.5.2.tar.gz .
    This program will recursively transfer zone information and create a compressed database of zone and host files for each domain queried.
    
    [bash]$ axfr <domain>.
    axfr: Using default directory: /root/axfrdb
    Found <n> name servers for domain '<domain>';
    Test deleted.
    Receive XXX answers (XXX records).
    
    To query the database:
    
    [bash]$ axfrcat <domain>.
    
    Determine Mail Exchange (MX) Records:
    
    Determining where the mail is handled is a great place to start to locate the organization's firewall because they are most often found on the same system. The host command briefly mentioned above will 
    help you determine the MX records.
    
    [bash]$ host <domain>.
    <domain>. has address 255.255.255.255
    <domain>. mail is handled (pri=10) by <mail_server_1>
    <domain>. mail is handled (pri=20) by <mail_server_2>
    
    Step 4: Network Reconnaissance
    
    This final step is to give a person an understanding of the topology of the network we are trying to attack. For this, the tools you will need are traceroute for UNIX users and tracert for Windows users.
    What traceroute does is send packets from your computer out to the target computers. Every switch or router it passes through sends information back to your computer, such as the router's address and
    the time it took for the packets to be sent and received.
    First, start off by tracerouting the target network:
    
    [bash]$ traceroute <domain>.
    
    You will be greeted by a whole host of information, for example:
    
    [bash]$ traceroute www.roxbury.co.za
    traceroute to www.roxbury.co.za (196.25.190.131), 64 hops max, 40 byte packets
     1  gw (146.231.115.254)  6.318 ms  9.638 ms  10.079 ms
     2  incanda.ru.ac.za (146.231.128.204)  9.570 ms  9.775 ms  10.009 ms
     3  ru03.tenet.ru.ac.za (192.42.99.1)  11.117 ms  8.343 ms  9.981 ms
     4  bb-ru-mc-ipnet.uni.net.za (155.232.210.9)  25.978 ms  24.893 ms  24.296 ms
     5  unknown.uni.net.za (155.232.210.6)  61.537 ms  47.080 ms  52.064 ms
     6  int-ru-mc-ipnet.uni.net.za (155.232.200.145)  376.040 ms  223.358 ms  224.651 ms
     7  tenet-national-router.uni.net.za (155.232.216.2)  45.892 ms  43.787 ms  53.357 ms
     8  nat-ru-mc-ipnet.uni.net.za (155.232.202.145)  50.791 ms  71.585 ms  56.101 ms
     9  wblv-ip-esr-1-wan.telkom-ipnet.co.za (196.25.251.153)  43.296 ms  48.826 ms  48.247 ms
    10  eel-ip-er-1-atm-6-0-5.telkom-ipnet.co.za (196.43.11.73)  76.126 ms  298.927 ms  180.148 ms
    11  prm-media-marketing-gw.ec.saix.net (196.25.128.86)  370.002 ms  94.990 ms  146.403 ms
    12  albany1.albanynet.co.za (196.25.190.131)  183.212 ms  123.657 ms  143.289 ms
    
    Generally, and depending on the complexity of the organization, we can presume that the hop before the final destination is the border router for the organization, which performs the routing functions
    (e.g. firewall, router, etc.). It is important to map out the target's network using traceroute. This creates what is referred to as a path access diagram.
    In UNIX, User Datagram Protocol (UDP) packets are sent by default. If this type of packet is blocked by the firewall, the '-I' option will make traceroute send Internet Control Message Protocol (ICMP) packets instead.
    *Note: Windows users, by default, send ICMP packets. Another interesting feature of traceroute is the '-g' option, which allows the user to specify loose source routing. Don't expect this to work though,
    because it is a cardinal sin for a server to accept these packets ;) . The '-p n' option of traceroute may allow us to bypass access control devices during our probe. It allows us to specify a starting
    UDP port number (n) that is incremented by one as the probes are sent. A good starting point would be UDP port 53 (DNS queries).
    
    [bash]$ traceroute -p53 <domain>
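    Reading a trace like the one above by hand gets tedious once you are mapping many paths, so here is an added Python example (mine, not from the tutorial) that parses traceroute output in the layout shown, folds wrapped timing lines back into their hop, applies the "hop before the destination is the border router" heuristic, and lists hops that dropped every probe. The hosts and addresses in TRACE are invented, and the names parse_traceroute, border_router and filtered_hops are my own.

```python
import re

# Constructed traceroute output in the same layout as the sample above (invented
# hosts and addresses); hop 3 is filtered and hop 4 wraps like a narrow terminal.
TRACE = """\
traceroute to www.example.com (203.0.113.131), 64 hops max, 40 byte packets
 1  gw (192.0.2.254)  6.318 ms  9.638 ms  10.079 ms
 2  bb1.isp.example.net (198.51.100.9)  25.978 ms  24.893 ms  24.296 ms
 3  * * *
 4  edge.isp.example.net (198.51.100.73)  76.126 ms  298.927 ms
    180.148 ms
 5  border.example.com (203.0.113.86)  370.002 ms  94.990 ms  146.403 ms
 6  www.example.com (203.0.113.131)  183.212 ms  123.657 ms  143.289 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s\s(.*)$")     # hop number, two spaces, rest
HOST_RE = re.compile(r"^(\S+) \(([\d.]+)\)")    # "name (ip)" at start of a hop
RTT_RE = re.compile(r"([\d.]+) ms")

def parse_traceroute(text):
    """Return (destination_ip, hops); each hop is a dict with number, host, ip
    (None when it only answered '* * *') and RTT samples in ms. A line with no
    hop number is a wrapped timing line and is folded into the previous hop."""
    dest, hops = None, []
    for line in text.splitlines():
        if line.startswith("traceroute to"):
            dest = re.search(r"\(([\d.]+)\)", line).group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            host = HOST_RE.match(m.group(2))
            hops.append({"hop": int(m.group(1)),
                         "host": host.group(1) if host else None,
                         "ip": host.group(2) if host else None, "rtts": []})
        if hops:
            body = m.group(2) if m else line
            hops[-1]["rtts"].extend(float(x) for x in RTT_RE.findall(body))
    return dest, hops

def border_router(hops, dest_ip):
    """The tutorial's heuristic: the last responding hop before the destination
    is presumed to be the organization's border router or firewall."""
    if not hops or hops[-1]["ip"] != dest_ip:
        return None                           # the trace never reached the target
    return next((h for h in reversed(hops[:-1]) if h["ip"]), None)

def filtered_hops(hops):
    """Hop numbers that returned nothing at all, i.e. where probes were dropped."""
    return [h["hop"] for h in hops if not h["rtts"]]
```

    Feed it the saved output of a trace towards your own public hosts to check that the hop exposed as the border is the one you expect and that internal hops are the ones showing up as filtered.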
    
    Some interesting programs to look at for tracerouting are NeoTrace (www.neotrace.com) and VisualRoute (www.visualroute.com). They provide a graphical view of the tracing progress, VisualRoute being the
    best one, although its scale is not very good for detailed network reconnaissance.
    
    Conclusion
    
    Footprinting is a must for any hacker preparing a large-scale attack on an organization. I hope this tutorial has been of help. Best of luck ...
    
    Peace.
         Invas10n
    
     
    Good Whois Servers:
    
    com, net   rs.internic.net
    edu        whois.educause.net
    gov        whois.nic.gov
    org        whois.publicinterestregistry.net
    
    
    ARIN (American Registry for Internet Numbers)
    http://ww1.arin.net/whois/
    
    APNIC database (Asia Pacific Network Information Centre)
    http://www.apnic.net/search/
    
    Network Solutions (COM, NET, ORG and EDU domain names)
    http://www.netsol.com/cgi-bin/whois/whois/
    
    Universal Whois for Internet domains
    http://uwhois.com/ 
    [search multiple Whois servers in parallel]
    
    
    References:
    HACKING EXPOSED - Stuart McClure, Joel Scambray, George Kurtz