Network Applications and Network Applications Lab
Chapter One Notes
a hacker to get information to compile a complete profile of the
information penetrating to internet, intranet, remote access, and
to what a robber would do if he/she were to rob a bank, getting all
the important information in detail.
is footprinting necessary?
necessary to systematically and methodically ensure that all pieces
of information are gathered, otherwise you are likely to miss key
be performed accurately and in a controlled fashion.
1-1 on page 5
and UDP services running on each system identifies
Control mechanisms and access control lists
does it do when I am footprinting
and User names
out exactly what the system is
(Simple Network Mail Protocol) information
of the same things as INTERNET
a lot of security here due to constantly changing situations and
lead you down many different paths
1: Determining the scope of your activities
a starting point, look at the company's web site.
whole site to review offline
tools to download all web pages contained in the web site
allows you to figure ways to change certain aspects of the page.
in HTML code for notes and comments; many times they will put too
much information out there that can aid a hacker and a potential
for web articles, newspapers
they previously been attacked
was it done? Who did it?
information about that hack
to do advanced searches for information
EDGAR (www.sec.gov) search for
the state of the company
and acquisition news.
prone to attacks if merging due to multiple networks joining
Visit the Site Security Handbook (RFC2196) www.ietf.org/rfc/rfc2196.txt
any unnecessary information from your website that may help a
2: Network Enumeration
everything out about network and machines on that network.
whois databases out there: a good one is Sam
Spade Web Interface
You can use any whois database search for basic information, but
if you want more in depth information, you need to search the
whois database of the registrar.
specific registrar information and associated whois servers.
to particular registrar site.
all information related to a particular organization.
and associated organizations.
whois "name Acme Networks"@whois.networksolutions.com.
all information related to a particular domain.
number, maybe telephone hacking
the record was created and when it was last updated.
long has this been registered
primary and secondary DNS servers.
contact is important because this may be the person that is
responsible for the internet connection and/or firewall.
and Fax numbers are critical when doing a dial-in attack.
may also try to get usernames and send "spoofed" email
to users asking them to change their password, therefore giving
the hacker access to the accounts.
all information related to a particular network or a single IP
and IP address range
IP address are registered to particular organization
Example One: "Acme
of Contact (POC) query
all information related to a specific person, typically the
Public Database Security
information regularly and after a network administrator has left
an employee that no longer works there has access to the
databases, he may be able to cause some serious damage, to both
the network and customer confidence.
putting a toll free 800 number as your contact, one that is not in
your range of phone numbers.
a fictitious admin contact so you are aware if someone is trying
to do stuff using that fake name, people are likely to notice.
3: DNS Interrogation
you to obtain information that an organization is presenting to
public IP address
be more information on there that could be useful to you
server should only contain public information
Transfer: Allows a
secondary master server to update
its zone database from the primary master. This provides for
redundancy when running DNS, should the primary name server become
Should only have the necessary information on them, don't give
away internal IP Addresses.
for test systems because they don't have many security features,
have easily guessed passwords, and administrators tend to not
notice or care who logs in to them.
for where the mail is handled is a good starting place to locate
- Restrict zone transfers to only authorized
- DNS should have only the necessary
information on them, don't give away internal IP Addresses.
- Could configure a firewall or
packet-filtering router to deny unauthorized inbound connections
to TCP port 53 (is a violation of the RFC).
- Restricting zone transfers will increase
the time necessary for hackers to probe for IP addresses and
- Provide information only about computers
directly connected to the internet.
4: Network Reconnaissance
we can attempt to determine their network topology.
find potential access paths into the network.
can accomplish this with traceroute
in Windows NT.
can use traceroute
to determine the exact path our packets are taking.
to multiple systems on the network, you can begin to create a
network diagram that depicts the architecture of the internet
gateway and the location of devices that are providing access
control functionality, referred to as an access path diagram.
#2: traceroute -S -p53 10.10.10.2
- Sent a probe with a fixed
Thwarting Network Reconnaissance
- Many commercial network intrusion
detection systems (NIDS) will detect this type of network
- One of the best free NIDS program is Snort
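Added example (not from these notes, and not Snort's own rule set): a small log review that puts two of the countermeasures from the DNS and network reconnaissance sections into code. It reads a packet-filter log, flags inbound TCP port 53 connections from any host other than the authorized secondary name servers (the zone transfer restriction above), and flags UDP probes arriving with a very low IP TTL, which is the signature a NIDS uses for traceroute, including the fixed-port `-p53` variant. The log format, field names, authorized server addresses and the TTL threshold are all assumptions for this example; the log lines are constructed.

```python
"""Review a packet-filter log for footprinting activity against DNS.

Constructed example: the log format below is hypothetical, and the
addresses are documentation ranges. Two checks are applied:
  1. inbound TCP/53 from a host that is not an authorized secondary
     (zone transfers should only come from those hosts),
  2. UDP packets arriving with a very low TTL, which is what a
     traceroute probe looks like to a perimeter device, whether it
     uses the usual 33434+ port range or a fixed port such as 53.
"""
import re
from typing import Dict, List, Tuple

# Authorized secondary name servers (assumed values for the example).
AUTHORIZED_SECONDARIES = {"192.0.2.53", "198.51.100.53"}

# Constructed log lines in a hypothetical format:
# <time> <action> proto=<tcp|udp> src=<ip> dst=<ip> sport=<n> dport=<n> ttl=<n>
SAMPLE_LOG = """\
10:00:01 ACCEPT proto=tcp src=192.0.2.53 dst=203.0.113.10 sport=40001 dport=53 ttl=60
10:00:02 ACCEPT proto=udp src=198.51.100.7 dst=203.0.113.10 sport=51000 dport=53 ttl=118
10:00:03 ACCEPT proto=tcp src=198.51.100.7 dst=203.0.113.10 sport=40002 dport=53 ttl=118
10:00:04 ACCEPT proto=udp src=198.51.100.7 dst=203.0.113.10 sport=33001 dport=33434 ttl=1
10:00:05 ACCEPT proto=udp src=198.51.100.7 dst=203.0.113.10 sport=33001 dport=33435 ttl=2
10:00:06 ACCEPT proto=udp src=198.51.100.7 dst=203.0.113.10 sport=33001 dport=33436 ttl=3
10:00:07 ACCEPT proto=udp src=198.51.100.7 dst=203.0.113.10 sport=33001 dport=53 ttl=1
10:00:08 ACCEPT proto=udp src=203.0.113.9 dst=203.0.113.10 sport=60000 dport=33440 ttl=64
"""

LINE_RE = re.compile(
    r"(?P<time>\S+)\s+(?P<action>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+ttl=(?P<ttl>\d+)"
)


def parse_log(text: str) -> List[Dict]:
    """Turn log lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "ttl"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def unauthorized_tcp53(records: List[Dict]) -> List[str]:
    """Sources that opened TCP/53 but are not authorized secondaries.

    Zone transfers run over TCP, so any other TCP/53 client is either a
    large query or an attempted transfer and is worth a look.
    """
    hits = {
        r["src"]
        for r in records
        if r["proto"] == "tcp" and r["dport"] == 53
        and r["src"] not in AUTHORIZED_SECONDARIES
    }
    return sorted(hits)


def traceroute_probes(records: List[Dict], max_ttl: int = 3) -> Dict[str, List[Tuple[int, int]]]:
    """UDP packets arriving with TTL <= max_ttl, grouped by source in log order.

    A probe sent to expire at or just past this hop arrives with a tiny
    TTL; a normal query does not (the 118 and 64 in the sample). The
    threshold is a heuristic chosen for this example.
    """
    probes: Dict[str, List[Tuple[int, int]]] = {}
    for r in records:
        if r["proto"] == "udp" and r["ttl"] <= max_ttl:
            probes.setdefault(r["src"], []).append((r["dport"], r["ttl"]))
    return probes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unauthorized TCP/53 clients:", unauthorized_tcp53(recs))
    for src, hits in traceroute_probes(recs).items():
        print(f"traceroute-style probes from {src}: {hits}")
```

On the sample, only 198.51.100.7 is reported: its TCP/53 connection is not from an authorized secondary, and its four low-TTL UDP packets (three to the 33434 range, one to port 53) are the probe pattern, while the authorized secondary's TCP/53 connection and the ordinary UDP queries are left alone. On a real perimeter device the same two checks would be expressed as a packet-filter rule for TCP/53 and a NIDS signature for low-TTL packets.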