Scribd
Upload
6 views

CH 01

Uploaded by

anitapodder050
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
6 views

CH 01

Uploaded by

anitapodder050
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 41

Chapter 1

Footprinting
Google Hacking
Find sensitive data about a company from
Google
Completely stealthy—you never send a
single packet to the target (if you view the
cache)
To find passwords:
– intitle:"Index of" passwd passwd.bak
See links Ch 1a, 1b on my Web page
(samsclass.info, click CNIT 124)
Other fun searches
Nessus reports (link Ch 1c)
More passwords (link Ch 1d)
Be The Bot

See pages the way Google's bot sees


them
Custom User Agents
Add the "User Agent Switcher" Firefox
Extension
Try this Nokia one for fun
More in Project 2
Footprinting
Gathering target information
"If you know the enemy and know
yourself, you need not fear the result of a
hundred battles. If you know yourself but
not the enemy, for every victory gained
you will also suffer a defeat. If you know
neither the enemy nor yourself, you will
succumb in every battle."
– Sun Tzu on the Art of War
Environments and the Critical
Information Attackers Can Identify
Extranet Remote Access
(vendors (travelling
and employees)
business
partners)

Internet
Presence
Intranet
Internet
Domain name
Network blocks
Specific IP addresses of systems reachable via
the Internet
TCP and UDP services running on each system
identified
System architecture (for example, Sparc vs. x
86)
Access control mechanisms and related access
control lists (ACLs)
Intrusion-detection systems (IDSs)
System enumeration (user and group names,
system banners, routing tables, and SNMP
information) DNS hostnames
Intranet
Networking protocols in use (for example, IP, IPX,
DecNET, and so on)
Internal domain names
Network blocks
Specific IP addresses of systems reachable via the
intranet
TCP and UDP services running on each system
identified
System architecture (for example, SPARC vs. x 86)
Access control mechanisms and related ACLs
Intrusion-detection systems
System enumeration (user and group names, system
banners, routing tables, and SNMP information)
Remote access
Analog/digital telephone numbers
Remote system type
Authentication mechanisms
VPNs and related protocols (IPSec and
PPTP)
Extranet
Connection origination and destination
Type of connection
Access control mechanism
Internet Footprinting
Step 1: Determine the Scope of Your
Activities
Step 2: Get Proper Authorization
Step 3: Publicly Available Information
Step 4: WHOIS & DNS Enumeration
Step 5: DNS Interrogation
Step 6: Network Reconnaissance
Step 1: Determine the Scope of
Your Activities
Entire organization
Certain locations
Business partner connections (extranets)
Disaster-recovery sites
Step 2: Get Proper Authorization
Ethical Hackers must have authorization in
writing for their activities
– "Get Out of Jail Free"
card
– Criminals omit this step
Image from
www.blackhatseo.fr
Step 3: Publicly Available
Information
Company web pages
– Wget and Teleport Pro are good tools to
mirror Web sites for local analysis (links Ch 1o
& 1p)
– Look for other sites beyond "www"
– Outlook Web Access
https://owa.company.com or
https://outlook.company.com
– Virtual Private Networks
http://vpn.company.com or
http://www.company.com/vpn
Step 3: Publicly Available
Information
Related
Organizations
Physical Address
– Dumpster-diving
– Surveillance
– Social
Engineering
Tool: Google Earth
(link Ch 1q)
Step 3: Publicly Available
Information
Phone Numbers, Contact Names, E-mail
Addresses, and Personal Details
Current Events
– Mergers, scandals, layoffs, etc. create
security holes
Privacy or Security Policies, and Technical
Details Indicating the Types of Security
Mechanisms in Place
Step 3: Publicly Available
Information
Archived Information
– The Wayback Machine (link Ch 1t)
– Google Cache
Disgruntled Employees
Search Engines
– SiteDigger seems to be out of date—I tried to
get it to work with a Google AJAX key but it
doesn't
– Wikto is an alternative that might still work
(link Ch 1u)
Step 3: Publicly Available
Information
Usenet
– Groups.google.com
Resumes
Step 4: WHOIS & DNS
Enumeration
Two organizations manage domain
names, IP addresses, protocols and port
numbers on the Internet
– Internet Assigned Numbers Authority (IANA;
http://www.iana.org)
– Internet Corporation for Assigned Names and
Numbers (ICANN; http://www.icann.org)
– IANA still handles much of the day-to-day
operations, but these will eventually be
transitioned to ICANN
Step 4: WHOIS & DNS Enumeration

Domain-Related Searches
– Every domain name, like msn.com, has a top-
level domain - .com, .net, .org, etc.
If we surf to http://whois.iana.org, we can
search for the authoritative registry for all
of .com
– .com is managed by Verisign
Step 4: WHOIS & DNS Enumeration
Step 4: WHOIS & DNS Enumeration

Verisign Whois (link Ch 1v)


– Search for ccsf.edu and it gives the Registrar
Whois.educause.net
Three steps:
– Authoritative Registry for top-level domain
– Domain Registrar
– Finds the Registrant
Step 4: WHOIS & DNS Enumeration

Automated tools do all three steps


– Whois.com
– Sam Spade
– Netscan Tools Pro
They are not perfect. Sometimes you
need to do the three-step process
manually.
Step 4: WHOIS & DNS Enumeration

Once you've homed in on the correct


WHOIS server for your target, you may be
able to perform other searches if the
registrar allows it
You may be able to find all the domains
that a particular DNS server hosts, for
instance, or any domain name that
contains a certain string
– BUT a court decision in South Dakota just
declared this illegal (link Ch 1o)
Step 4: WHOIS & DNS Enumeration

How IP addresses are assigned:


– The Address Supporting Organization (ASO
http://www.aso.icann.org) allocates IP
address blocks to
– Regional Internet Registries (RIRs), which
then allocate IPs to organizations, Internet
service providers (ISPs), etc.
– ARIN (http://www.arin.net) is the RIR for North
and South America
Step 4: WHOIS & DNS Enumeration

IP-Related Searches
– To track down an IP address:
Use arin.net (link Ch 1x)
It may refer you to a different database
Examples:
– 147.144.1.1
– 61.0.0.2
Step 4: WHOIS & DNS Enumeration

IP-Related Searches
– Search by company name at arin.net to find IP
ranges, and AS numbers
– AS numbers are used by BGP (Border Gateway
Protocol) to prevent routing loops on Internet routers
(link Ch 1y)
– Examples: Google, CCSF
Step 4: WHOIS & DNS Enumeration

Administrative contact gives you name,


voice and fax numbers
Useful for social engineering
Authoritative DNS Server can be used for
Zone Transfer attempts
– But Zone Transfers may be illegal now (link
Ch 1s)
Step 4: WHOIS & DNS Enumeration

Public Database Security


Countermeasures
– When an administrator leaves an
organization, update the registration database
– That prevents an ex-employee from changing
domain information
– You could also put in fake "honeytrap" data in
the registration
eBay's domain was hijacked (link Ch 1z1)
Step 5: DNS Interrogation
Zone Transfers
– Gives you a list of all the hosts when it works
– Usually blocked, and maybe even illegal now
– Demonstration (with Ubuntu)
dig soa hackthissite.org
– ANSWER shows SOA is dns1.nettica.com
dig @ dns1.nettica.com hackthissite.org axfr
Step 5: DNS Interrogation
Determine Mail Exchange (MX) Records
– You can do it on Windows with NSLOOKUP in
Interactive mode
Step 5: DNS Interrogation
DNS Security Countermeasures
– Restrict zone transfers to only authorized
servers
– You can also block them at the firewall
DNS name lookups are UDP Port 53
Zone transfers are TCP Port 53
Step 5: DNS Interrogation
DNS Security Countermeasures
– Attackers could still perform reverse lookups
against all IP addresses for a given net block
– So, external nameservers should provide
information only about systems directly
connected to the Internet
Step 6: Network Reconnaissance
Traceroute
– Can find route to target, locate firewalls,
routers, etc.
Windows Tracert uses ICMP
Linux Traceroute uses UDP by default
Tracert
NeoTrace
NeoTrace combines Tracert and Whois to
make a visual map (link Ch 1z2)
Step 6: Network Reconnaissance
Cain & Abel has a customizable
Traceroute function that lets you use any
TCP or UCP port, or ICMP
– Link Ch 1z4
– But it didn't work when I tried it on XP or Vista
Step 6: Network Reconnaissance
Firewalk uses traceroute techniques to
find ports and protocols that get past
firewalls
We will discuss Firewalk later (Chapter 11)
Step 6: Network Reconnaissance
Countermeasures
– Many of the commercial network intrusion-
detection systems (NIDS) and intrusion
prevention systems (IPS) will detect this type
of network reconnaissance
– Snort – the standard IDS(link Ch 1z5)
– RotoRouter – Detects traceroutes and sends
fake responses (link Ch 1z6)
Step 6: Network Reconnaissance
Countermeasures
– You may be able to configure your border
routers to limit ICMP and UDP traffic to
specific systems, thus minimizing your
exposure

– Last modified 1-21-08

You might also like