ERIC BRUHN

Network Applications and Network Applications Lab

Chapter One Notes

 

Footprinting

  • What is footprinting?
    • Allows a hacker to get information to compile a complete profile of the company
    • Gathering information pertaining to the Internet, intranet, remote access, and extranet.
    • Similar to what a robber would do before robbing a bank: gathering all the important information in detail.
  • Why is footprinting necessary?
    • Necessary to systematically and methodically ensure that all pieces of information are gathered; otherwise you are likely to miss key pieces.
    • Must be performed accurately and in a controlled fashion.
  • Different technologies:
    • Table 1-1 on page 5
    • Internet
      • Domain names
      • Specific IP addresses
      • TCP and UDP services running on each system identified
        • Ping specific ports
      • Access Control mechanisms and access control lists
        • Restricted access
      • Intrusion detection systems
        • What type?
        • What does it do when I am footprinting?
        • Does it log?
      • System Enumeration
        • Users and User names
        • Groups
        • System Banners
          • Find out exactly what the system is
        • SNMP (Simple Network Management Protocol) information
    • Intranet
      • Many of the same things as the Internet
    • Remote Access
      • Needs a lot of security here due to constantly changing situations and settings
    • Extranet
  • Internet Footprinting
    • May lead you down many different paths
    • Step 1: Determining the scope of your activities
      • As a starting point, look at the company's web site.
      • Mirror whole site to review offline
        • Use tools to download all web pages contained in the web site
        • Also lets you figure out ways to change certain aspects of the page.
        • Utilities
          • Teleport Pro
      • Look in the HTML code for notes and comments; many times too much information is put out there that can aid a hacker and a potential attack.
      • Look for web articles, newspapers
        • Have they previously been attacked?
        • How was it done? Who did it?
        • Important information about that hack
      • Use altavista.com and hotbot.com to do advanced searches for information
      • SEC EDGAR (www.sec.gov): search for the state of the company
        • Publicly traded companies
        • Merger and acquisition news.
        • More prone to attacks if merging due to multiple networks joining together.
      • Visit the Site Security Handbook (RFC2196) www.ietf.org/rfc/rfc2196.txt
      • Remove any unnecessary information from your website that may help a hacker.
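The last two points of Step 1 (review the HTML for comments, then remove anything that helps an attacker) can be turned into a check you run against your own mirrored site. The script below is an added example, not part of the original notes: the page source is a constructed sample, and the keyword list is an assumption about what a reviewer would consider sensitive.

```python
"""Scan a mirrored page for HTML comments that leak internal details.

Added example, not from the original notes. The page below is a constructed
sample of what a site mirror brings back; the keyword list is an assumption
about what a reviewer would consider sensitive.
"""
import re
from html.parser import HTMLParser

# Constructed sample page with three comments, two of which should be removed.
SAMPLE_HTML = """<html><head><title>Acme</title>
<!-- TODO: remove before launch. Test login is admin / acme123 on intranet.acme.example -->
</head><body>
<!-- Page maintained by jsmith@acme.example, ext. 4410 -->
<p>Welcome to Acme.</p>
<!-- copyright 2003 -->
</body></html>"""

# Assumed keyword list: words that usually mean a comment was never meant to be public.
SENSITIVE_WORDS = ("password", "login", "todo", "fixme", "internal", "intranet", "test")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+(?:example|com|net|org)\b")


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- --> comment in the document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return all comment bodies in document order."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def audit_comments(html):
    """Return one finding per comment that exposes keywords, e-mail addresses or hostnames."""
    findings = []
    for comment in extract_comments(html):
        lowered = comment.lower()
        keywords = [w for w in SENSITIVE_WORDS if w in lowered]
        emails = EMAIL_RE.findall(comment)
        # Search for hostnames only after removing e-mail addresses, so the
        # domain part of an address is not reported twice.
        hosts = HOST_RE.findall(EMAIL_RE.sub("", comment))
        if keywords or emails or hosts:
            findings.append({"comment": comment, "keywords": keywords,
                             "emails": emails, "hosts": hosts})
    return findings


if __name__ == "__main__":
    for finding in audit_comments(SAMPLE_HTML):
        print(finding)
```

Run it over every file a mirroring tool saved; the comment with the test credentials and internal hostname and the one naming a staff mailbox are reported, the copyright notice is not.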
    • Step 2: Network Enumeration
      • Finding everything out about network and machines on that network.
      • Many whois databases are out there; a good one is the Sam Spade web interface
      • Registrar Query
        • You can use any whois database search for basic information, but if you want more in-depth information, you need to search the whois database of the registrar.
        • Displays specific registrar information and associated whois servers.
        • Example: whois "acme.net"@whois.crsnic.net
      • Organizational Query
        • Go to particular registrar site.
        • Displays all information related to a particular organization.
        • Root and associated organizations.
        • Example: whois "name Acme Networks"@whois.networksolutions.com
      • Domain Query
        • Displays all information related to a particular domain.
        • Registrant
        • Administrative Contact
        • Telephone number (maybe telephone hacking)
        • When the record was created and when it was last updated.
        • How long has this been registered?
        • The primary and secondary DNS servers.
        • Administrative contact is important because this may be the person that is responsible for the internet connection and/or firewall.
        • Voice and Fax numbers are critical when doing a dial-in attack.
        • Attacker may also try to get usernames and send "spoofed" email to users asking them to change their password, therefore giving the hacker access to the accounts.
        • Query Example: whois acme.net@whois.networksolutions.com
      • Network Query
        • Displays all information related to a particular network or a single IP address.
        • IP and IP address range
        • Which IP addresses are registered to a particular organization
        • Example One: whois "Acme Net."@whois.arin.net
        • Example Two: whois 10.10.10.0@whois.arin.net
      • Point of Contact (POC) query
        • Displays all information related to a specific person, typically the administrative contact.
        • Example: whois "HANDLE WB9201"@whois.networksolutions.com
    • Countermeasure: Public Database Security
      • Update information regularly and after a network administrator has left the company.
      • If an employee that no longer works there has access to the databases, he may be able to cause some serious damage, to both the network and customer confidence.
      • Consider putting a toll-free 800 number as your contact, one that is not in your range of phone numbers.
      • Use a fictitious admin contact, so that if someone tries to do something using that fake name, people are likely to notice.
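The domain query fields listed under Step 2 (registrant, administrative contact, phone and fax numbers, creation and update dates, name servers) and the countermeasures above can be checked from the registrant's side by parsing your own record. The script below is an added example, not from the notes or the book: the record is a constructed sample in the Network Solutions layout of the time, the phone pattern assumes +country format, and the list of role mailboxes is an assumption. The lookup function follows the whois protocol itself (one query line over TCP port 43, reply until the server closes the connection) and is the only part that needs the network.

```python
"""Parse a whois domain record and list what it exposes.

Added example, not from the original notes or the book. The record below is a
constructed sample in the Network Solutions layout of the time; the phone
pattern assumes international (+country) format and the list of role mailboxes
is an assumption. The lookup itself follows the whois protocol: one query line
over TCP port 43, reply until the server closes the connection.
"""
import ipaddress
import re
import socket

SAMPLE_RECORD = """Registrant:
Acme Networks (ACME-DOM)
   123 Example Street
   Anytown, CA 90210
   US

   Domain Name: ACME.NET

   Administrative Contact:
      Jane Doe  (JD1234)  jdoe@acme.example
      +1 555 0100 (FAX) +1 555 0101
   Technical Contact:
      Hostmaster  (HM5678)  hostmaster@acme.example
      +1 800 555 0199

   Record last updated on 12-Mar-2002.
   Record created on 04-Jun-1997.
   Database last updated on 1-Apr-2003 04:12:33 EST.

   Domain servers in listed order:

   NS1.ACME.NET     10.10.10.2
   NS2.ACME.NET     10.10.10.3
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d[\d\s().-]{6,}\d")          # assumes +country format
HANDLE_RE = re.compile(r"\(([A-Z]{2,}\d+)\)")             # e.g. (JD1234)
NS_RE = re.compile(r"^\s*([A-Za-z0-9.-]+\.[A-Za-z]{2,})\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
DATE_RE = re.compile(r"Record (created|last updated) on (\S+?)\.?$", re.M)
ROLE_MAILBOXES = ("hostmaster", "postmaster", "abuse", "noc", "dns", "webmaster")


def whois_query(query, server, port=43, timeout=10):
    """Send one whois query line and return the raw reply (needs network access)."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois_record(text):
    """Pull contacts, dates and name servers out of a domain record."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "phones": [m.group(0).strip() for m in PHONE_RE.finditer(text)],
        "handles": HANDLE_RE.findall(text),
        "name_servers": [(host.lower(), ip) for host, ip in NS_RE.findall(text)],
        "dates": dict(DATE_RE.findall(text)),
    }


def exposure_findings(record):
    """Describe what an outsider learns from the record, from the registrant's side."""
    findings = []
    personal = [e for e in record["emails"] if e.split("@")[0].lower() not in ROLE_MAILBOXES]
    if personal:
        findings.append("named contact mailbox(es) %s: a target for spoofed password-change mail"
                        % ", ".join(personal))
    if record["phones"]:
        findings.append("%d direct phone/fax number(s) listed: consider a toll-free contact number "
                        "outside the company's own exchange" % len(record["phones"]))
    for host, ip in record["name_servers"]:
        if ipaddress.ip_address(ip).is_private:
            findings.append("name server %s is listed with private address %s: internal addressing leaks"
                            % (host, ip))
    if record["dates"].get("last updated"):
        findings.append("record last updated %s: verify the contacts still work here"
                        % record["dates"]["last updated"])
    return findings


if __name__ == "__main__":
    for line in exposure_findings(parse_whois_record(SAMPLE_RECORD)):
        print("-", line)
```

To check a live record, pass the output of `whois_query("acme.net", "whois.networksolutions.com")` (server and query as in the notes' examples) into `parse_whois_record`; the findings map directly onto the countermeasures: role mailboxes instead of named people, a toll-free contact number, and no internal addresses in the published name servers.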
    • Step 3: DNS Interrogation
      • Allows you to obtain the information an organization is presenting to the public
      • Resolve public IP addresses
      • Contactable IP addresses
      • Might be more information on there that could be useful to you
      • DNS server should only contain public information
      • Zone Transfer: Allows a secondary master server to update its zone database from the primary master. This provides for redundancy when running DNS, should the primary name server become unavailable.
      • DNS should only have the necessary information on them; don't give away internal IP addresses.
      • Look for test systems because they don’t have many security features, have easily guessed passwords, and administrators tend to not notice or care who logs in to them.
      • Looking for where the mail is handled is a good starting place to locate the firewall.
      • Countermeasure: DNS Security
        • Restrict zone transfers to only authorized servers.
        • DNS should have only the necessary information on them; don't give away internal IP addresses.
        • Could configure a firewall or packet-filtering router to deny unauthorized inbound connections to TCP port 53 (this is a violation of the RFC).
        • Restricting zone transfers will increase the time necessary for hackers to probe for IP addresses and hostnames.
        • Provide information only about computers directly connected to the internet.
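The first DNS countermeasure, restricting zone transfers to authorized servers, is easy to verify against your own name servers: send an AXFR request over TCP and see whether it is refused. The script below is an added example, not from the notes; the wire format is the standard DNS one (RFC 1035), and the two reply messages are constructed samples containing only a header and the echoed question, which is all the classification needs.

```python
"""Check whether a DNS server answers zone transfer (AXFR) requests.

Added example for auditing your own name servers, not from the original
notes. The DNS wire format used here is the standard one (RFC 1035); the two
reply messages below are constructed samples, header and question only, which
is all the classification needs.
"""
import socket
import struct

AXFR_TYPE = 252      # QTYPE for a full zone transfer
IN_CLASS = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode a dotted name as DNS labels: acme.net -> \\x04acme\\x03net\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Return a TCP-framed AXFR query (2-byte length prefix, then the message)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: standard query
    question = encode_name(zone) + struct.pack("!HH", AXFR_TYPE, IN_CLASS)
    message = header + question
    return struct.pack("!H", len(message)) + message


def parse_dns_header(message):
    """Split the 12-byte header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_axfr_reply(message, expected_id=0x1234):
    """Decide from the first reply message whether the transfer was allowed."""
    h = parse_dns_header(message)
    if h["id"] != expected_id or not h["qr"]:
        return "UNEXPECTED: reply does not match the query"
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "ALLOWED: zone transfer answered (%d record(s) in first message)" % h["ancount"]
    if h["rcode"] == 0:
        return "EMPTY: no error but no records returned"
    return "BLOCKED: " + RCODE_NAMES.get(h["rcode"], "rcode %d" % h["rcode"])


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def check_zone_transfer(server, zone, timeout=10):
    """Ask `server` for an AXFR of `zone` over TCP and classify the first reply (needs network)."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_axfr_reply(_recv_exact(sock, length))


# Constructed replies for the query above (header + echoed question only).
_QUESTION = encode_name("acme.net") + struct.pack("!HH", AXFR_TYPE, IN_CLASS)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + _QUESTION  # QR=1, RCODE=5
ALLOWED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0) + _QUESTION  # QR=1, 3 answers

if __name__ == "__main__":
    print("refused sample:", classify_axfr_reply(REFUSED_REPLY))
    print("allowed sample:", classify_axfr_reply(ALLOWED_REPLY))
```

`check_zone_transfer("10.10.10.2", "acme.net")` against one of your own servers should come back BLOCKED: REFUSED; an ALLOWED result means the `allow-transfer` list (BIND's option of that name in named.conf) still admits anyone. The same test is what `dig @server zone AXFR` performs, but doing it by hand shows exactly which header fields the decision rests on.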
    • Step 4: Network Reconnaissance
      • Now we can attempt to determine their network topology.
      • Also find potential access paths into the network.
      • We can accomplish this with traceroute (tracert in Windows NT).
      • We can use traceroute to determine the exact path our packets are taking.
      • After you traceroute to multiple systems on the network, you can begin to create a network diagram that depicts the architecture of the internet gateway and the location of devices that are providing access control functionality, referred to as an access path diagram.
      • Example: traceroute 10.10.10.2
      • Example #2: traceroute -S -p53 10.10.10.2
        • Sends a probe with a fixed port of UDP 53
      • Countermeasure: Thwarting Network Reconnaissance
        • Many commercial network intrusion detection systems (NIDS) will detect this type of network reconnaissance.
        • One of the best free NIDS programs is Snort (www.snort.org)
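Step 4 describes turning several traceroute runs into an access path diagram that shows the Internet gateway and the devices doing access control. The script below is an added example, not from the notes: it parses standard traceroute output, merges the runs into a hop graph, reports the last hop every run shares (the likely gateway), and flags a hop that never answers in front of one that does, which is the notes' sign of a packet filter. The two traceroute outputs are constructed samples, and the filter rule is a heuristic, not a certainty.

```python
"""Build an access path diagram from several traceroute runs.

Added example, not from the original notes. The two traceroute outputs are
constructed; the rule that a run of hops giving no reply in front of a host
that does reply marks a packet filter or firewall is the heuristic the notes
describe, not a certainty.
"""
import re

TRACE_A = """traceroute to 10.10.10.2 (10.10.10.2), 30 hops max, 40 byte packets
 1  gw.isp.example (192.0.2.1)  1.234 ms  1.100 ms  1.050 ms
 2  198.51.100.9 (198.51.100.9)  8.2 ms  8.1 ms  8.3 ms
 3  border.acme.net (203.0.113.1)  12.0 ms  11.8 ms  12.1 ms
 4  * * *
 5  www.acme.net (10.10.10.2)  14.0 ms  13.9 ms  14.2 ms
"""

TRACE_B = """traceroute to 10.10.10.3 (10.10.10.3), 30 hops max, 40 byte packets
 1  gw.isp.example (192.0.2.1)  1.2 ms  1.1 ms  1.0 ms
 2  198.51.100.9 (198.51.100.9)  8.0 ms  8.1 ms  8.2 ms
 3  border.acme.net (203.0.113.1)  12.2 ms  11.9 ms  12.0 ms
 4  * * *
 5  * * *
 6  mail.acme.net (10.10.10.3)  15.0 ms  14.8 ms  15.1 ms
"""

TARGET_RE = re.compile(r"traceroute to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_traceroute(text):
    """Return (target_ip, hops); each hop is (ttl, hostname, ip) with None for a silent hop."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.match(line.strip())
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        ttl, rest = int(m.group(1)), m.group(2).strip()
        addr = ADDR_RE.search(rest)
        if rest.startswith("*") or addr is None:
            hops.append((ttl, None, None))
        else:
            hops.append((ttl, addr.group(1), addr.group(2)))
    return target, hops


def node_label(hop):
    """Graph node name: the hop's IP, or a placeholder for a hop that gave no reply."""
    ttl, _host, ip = hop
    return ip if ip is not None else "?(hop %d)" % ttl


def build_access_path_diagram(traces):
    """Merge traces into edges, flag suspected filters, find the last shared hop."""
    edges, suspected_filters, parsed = set(), [], []
    for text in traces:
        target, hops = parse_traceroute(text)
        parsed.append(hops)
        labels = ["source"] + [node_label(h) for h in hops]
        edges.update(zip(labels, labels[1:]))
        # A hop that never answers but is followed by one that does is the
        # classic sign of a packet filter dropping our probes or its replies.
        for i, (ttl, _host, ip) in enumerate(hops):
            if ip is None and any(h[2] is not None for h in hops[i + 1:]):
                suspected_filters.append((target, ttl))
                break
    last_common = None
    for column in zip(*parsed):          # compare hop N of every trace
        ips = {h[2] for h in column}
        if len(ips) != 1 or None in ips:
            break
        last_common = ips.pop()
    return {"edges": edges, "suspected_filters": suspected_filters,
            "last_common_hop": last_common}


def render_diagram(diagram):
    """Plain-text rendering of the access path diagram."""
    lines = ["%s -> %s" % edge for edge in sorted(diagram["edges"])]
    for target, ttl in diagram["suspected_filters"]:
        lines.append("possible packet filter in front of %s (no reply from hop %d)" % (target, ttl))
    if diagram["last_common_hop"]:
        lines.append("last hop shared by all traces (likely the Internet gateway): "
                     + diagram["last_common_hop"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_diagram(build_access_path_diagram([TRACE_A, TRACE_B])))
```

From the defender's side the same picture tells you what an outsider can map: if the hop right after your border router goes silent for every target, that device is visible as the access control point, and a NIDS such as Snort placed behind it will see the repeated TTL-limited probes that produce these traces.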

 
