Footprinting - One of the most important steps
What is Footprinting?
The systematic and methodical footprinting of an organization enables attackers to create a near complete profile of an organization's security posture. Using a combination of tools and techniques, coupled with a healthy dose of patience and mind-melding, attackers can take an unknown entity and reduce it to a specific range of domain names, network blocks, subnets, routers, and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture. Although there are many types of footprinting techniques, they are primarily aimed at discovering information related to the following environments: Internet, intranet, remote access and extranet. Footprinting is necessary for one basic reason: it gives you a picture of what the hacker sees. And if you know what the hacker sees, you know what potential security exposures you have in your environment. And when you know all that, you know how to prevent exploitation.
Hackers are very good at one thing: getting inside your head, and you won't even know it. Footprinting is often the most arduous task in trying to determine the security posture of an entity, and it tends to be the most boring for freshly minted security professionals eager to cut their teeth on some test hacking. However, footprinting is one of the most important steps.
Publicly Available Information
Company Web Pages
Perusing the target organization's web page will often get you off to a good start. In most cases a website will provide excessive amounts of information that can aid attackers. Believe it or not, there are organizations that list security configuration details and detailed spreadsheets directly on their Internet web servers.
Another good try is to review the HTML source for comments. Many items not meant for the public are buried in HTML comment tags (<!-- ... -->) and in /* ... */ comments inside embedded scripts and stylesheets. Viewing the target's site offline may be a better choice than viewing it online. Actually having a copy of the target's website on your machine is a very good idea. It gives you the time to search for components that may be interesting.
For online viewing from a *NIX/Linux system you can use curl:
curl http://example.com
*** where example.com is the target's website
For offline viewing you can use wget (wget is in the official package tree of any distribution and very often comes installed by default, but if you do not have it refer HERE). Note that a plain wget fetches only the front page; add -r if you want it to follow links and save a copy of the linked pages as well.
wget http://example.com
*** where example.com is the target's website
Also worth trying is to investigate other sites beyond the main "http://www" and "https://www". Names like "www1", "www2", "web", "web1" and so on are a good place to start.
Archived Information
It is important to be aware that there are sites on the Internet where you can retrieve archived copies of information that may no longer be available from the original source. This can allow attackers to gain access to information that has been removed for security purposes. A good example of that is HERE.
Search Engines
The search engines available today are just fantastic. In just a second you can find everything you could ever want to know about anything. For example, if you type "allinurl:tsweb/default.htm" into a search engine it will reveal Microsoft Windows servers with Remote Desktop Web Connection exposed. This can lead to complete graphical console access to the server via the Remote Desktop Protocol (RDP), using only Internet Explorer and the ActiveX RDP client that the target Windows server offers to the attacker when this feature is enabled. There are hundreds of other examples, but instead of showing you all of them we will refer you to something better. It is called the Google Hacking Database and it offers a great basic listing of many of the Google search strings that hackers can use to dig up information on the Web. But this is not enough. There are tools available online that can take the concept to the next level.
Web Server Scanners and Forums
There are a lot of scanning tools for both platforms, *NIX and Windows, but we are going to pay some more attention to Nikto, because we are Unix fans. Nikto is available in the official package tree of almost any distribution; refer to our Howto compile and use Nikto page.
Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers. Usage is simple, and the output of a basic run against a new server looks like this:
(screenshot of basic Nikto output)
It can give very useful information about executable scripts, PHP version and so on. That is why, if you are new to web server administration, we suggest you hide the PHP version (check Hiding PHP version) and remove the Apache executable scripts (default and others) that you do not need.
Another good try is searching forums for "iptables config help", "limit incoming traffic firewall" and other entries like that. In most cases you are going to see "cut'n'pasted" configuration files including very useful information for an attacker, like IP addresses, password hashes, NAT mappings and many, many other user-specific variables.
If you are looking for support, never ever paste your config files, because if you paste user-specific information you are very likely to become an attacker's target. The simplest example: if you paste your configuration files on a forum, the attacker will check your forum user details, and 95% of system administrators use e-mail addresses like admin@example.com.
Unfortunately there is one other type of attack, called a "social engineering attack". In that case an attacker can, in a friendly manner, offer assistance to the person in need of help with his/her issue, which can lead to the same information being handed over anyway.
REMEMBER: Once you give out information to the Web, you will never get it back!!!
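If you do have to share a configuration to get help, scrub it first. The script below is an added Python example, not code from the original page: it replaces IP addresses, crypt-style password hashes and e-mail addresses with consistent placeholders, so the rules still make sense to the person helping you while the values the text warns about never leave your machine. The iptables excerpt it runs over is constructed.

```python
"""Scrub a configuration file before posting it on a forum for help.

Added example (Python; not code from the original page).  It replaces the
items the text warns about (IP addresses, password hashes, e-mail addresses)
with stable placeholders: the same address always becomes the same label,
so a DNAT rule and the filter rule that refers to the same host still line
up for whoever is helping.  The sample configuration below is constructed.
"""
import ipaddress
import re
import sys

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# crypt(3)-style hashes: $1$ (MD5), $2a$/$2b$/$2y$ (bcrypt), $5$/$6$ (SHA-crypt), $y$ (yescrypt)
CRYPT = re.compile(r"\$(?:1|2[aby]?|5|6|y)\$[^\s:]+")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# RFC 1918 ranges get an INT_ label, everything else EXT_, so NAT mappings stay readable.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def scrub_config(text):
    """Return (scrubbed_text, mapping); mapping records original value -> placeholder."""
    mapping = {}

    def label(kind, value):
        if value not in mapping:
            count = sum(1 for v in mapping.values() if v.startswith(kind + "_"))
            mapping[value] = f"{kind}_{count + 1}"
        return mapping[value]

    def replace_ip(m):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)  # not a valid address (e.g. a version string like 1.2.3.400)
        kind = "INT" if any(ip in net for net in RFC1918) else "EXT"
        return label(kind, m.group(0))

    text = CRYPT.sub("<HASH>", text)
    text = EMAIL.sub(lambda m: label("MAIL", m.group(0)), text)
    text = IPV4.sub(replace_ip, text)
    return text, mapping


# Constructed excerpt in iptables-save format, with the kind of slips the text describes.
SAMPLE_CONFIG = """\
*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.5:443
*filter
-A INPUT -s 203.0.113.5 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.7 -m comment --comment "admin@example.com home office" -j ACCEPT
# a line copied from /etc/shadow by mistake
admin:$6$rounds=5000$saltsalt$NotARealHashJustConstructed:18000:0:99999:7:::
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    scrubbed, mapping = scrub_config(source)
    print(scrubbed)
    # The mapping is for your eyes only; it is what lets you apply the answer you get back.
    print("# mapping (do not post):", mapping)
```

Post only the scrubbed text; keep the printed mapping locally so you can translate the advice you receive back to your real addresses.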
WHOIS and DNS
Public Database
There are a lot of online whois tools available. All you have to do is search for something like "whois online" in a search engine and thousands of results will pop up in seconds.
A better option is to use the command line whois client for *NIX/Linux. If you don't have it installed or have never worked with it, check the Howto compile and use whois client page.
From the whois output you can get some very useful information like the whois server, DNS servers, the registrant's name, address, phone number, e-mail address and so on.
That's why some domain name providers like GoDaddy.com offer private registration features, where for an extra $9.99 or so per year you can keep your private information (address, phone number, etc.) unlisted. This is the best way to make sure your private information is not listed.
DNS
After identifying all the associated domains, you can begin to query DNS. DNS is a distributed database used to map IP addresses to hostnames. If DNS is configured insecurely, it is possible to obtain a lot of information. Most of the tools are available for Windows and *NIX (for more information on using host, dig, etc. please refer to our Howto compile and use dns tools page). These utilities are used for simple DNS lookups: normally to convert names to IP addresses and vice versa. With more advanced options they can be used to determine where mail is handled (this is a great starting place to locate the target's firewall network).
Typical output of "host" looks like:
kickar@linnewbies ~ $ host -v example.com
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22337
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            3290    IN      A       83.222.190.245

;; AUTHORITY SECTION:
example.com.            3290    IN      NS      ns21.example.com.
example.com.            3290    IN      NS      ns22.example.com.

;; ADDITIONAL SECTION:
ns21.example.com.       3393    IN      A       216.69.185.11
ns22.example.com.       3393    IN      A       208.109.255.11

Received 132 bytes from 192.168.0.1#53 in 20 ms
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40815
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                   IN      AAAA

;; AUTHORITY SECTION:
example.com.            10490   IN      SOA     ns21.example.com. dns.example.com. 2009031800 28800 7200 604800 86400

Received 100 bytes from 192.168.0.1#53 in 28 ms
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37542
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;example.com.                   IN      MX

;; ANSWER SECTION:
example.com.            3291    IN      MX      0 smtp.example.com.
example.com.            3291    IN      MX      10 mailstore1.example.com.

;; AUTHORITY SECTION:
example.com.            3290    IN      NS      ns22.example.com.
example.com.            3290    IN      NS      ns21.example.com.

;; ADDITIONAL SECTION:
smtp.example.com.       289     IN      A       72.167.238.201
mailstore1.example.com. 141     IN      A       72.167.238.201
ns21.example.com.       3393    IN      A       216.69.185.11
ns22.example.com.       3393    IN      A       208.109.255.11

Received 212 bytes from 192.168.0.1#53 in 22 ms
This is just an example. None of this is real, of course.
DNS information provides a plethora of data to attackers, so it is important to reduce the amount of information available to the Internet. From a host configuration perspective, you should restrict zone transfers to only authorized servers. On the network side, a firewall (or packet filtering router) can be configured to deny all unauthorized inbound connections to TCP port 53.
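To see what the transcript above hands an attacker, here is an added Python example (not code from the original page) that pulls the resource records out of "host -v" output and turns them into the inventory a footprinter keeps: name servers, mail handlers ordered by preference, the address behind each host, hosts that share one address, and the contact and last-change date the SOA record gives away. It embeds a trimmed copy of the fictional transcript above, so it runs offline.

```python
"""Build the inventory an attacker would draw from a `host -v` transcript.

Added example (Python; not code from the original page).  Save the verbose
output of `host -v example.com` to a file and run this over it, or run it
with no arguments to use the transcript embedded below, which is a trimmed
copy of the fictional example in the text.  It extracts the resource
records and reports name servers, mail handlers, the addresses behind them,
hosts that share one address, and what the SOA record reveals.
"""
import datetime
import re
import sys
from collections import defaultdict

# One resource record line as printed by host/dig: name TTL IN TYPE rdata
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


def parse_records(text):
    """Return [(name, ttl, rtype, rdata), ...] without duplicates."""
    records, seen = [], set()
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # header, question or "Received ..." line
        name, ttl, rtype, rdata = m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()
        if (name, rtype, rdata) in seen:
            continue  # NS and glue records repeat in every answer
        seen.add((name, rtype, rdata))
        records.append((name, ttl, rtype, rdata))
    return records


def serial_date(serial):
    """Return the date a YYYYMMDDnn-style SOA serial encodes, or None."""
    if len(serial) == 10 and serial.isdigit():
        try:
            return datetime.date(int(serial[:4]), int(serial[4:6]), int(serial[6:8])).isoformat()
        except ValueError:
            return None
    return None


def summarise(records):
    """Group the records into the pieces that matter for a footprint."""
    addresses = defaultdict(set)
    inv = {"ns": [], "mx": [], "soa": None}
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            addresses[name].add(rdata)
        elif rtype == "NS":
            inv["ns"].append(rdata)
        elif rtype == "MX":
            pref, host = rdata.split()
            inv["mx"].append((int(pref), host))
        elif rtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
            inv["soa"] = {
                "primary": mname,
                # RNAME is the zone contact address with the first dot standing for '@'
                "contact": rname.rstrip(".").replace(".", "@", 1),
                "serial": serial,
                "last_change": serial_date(serial),
                "refresh": int(refresh), "retry": int(retry),
                "expire": int(expire), "minimum": int(minimum),
            }
    inv["mx"].sort()  # lowest preference value is the primary mail handler
    inv["addresses"] = {h: sorted(a) for h, a in addresses.items()}
    return inv


def shared_hosts(inv):
    """Addresses that several names resolve to -> those names (probably one machine)."""
    by_ip = defaultdict(list)
    for host, ips in inv["addresses"].items():
        for ip in ips:
            by_ip[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


# Trimmed copy of the fictional transcript in the text (record lines only).
SAMPLE = """\
;; ANSWER SECTION:
example.com.            3290    IN      A       83.222.190.245
;; AUTHORITY SECTION:
example.com.            3290    IN      NS      ns21.example.com.
example.com.            3290    IN      NS      ns22.example.com.
;; ADDITIONAL SECTION:
ns21.example.com.       3393    IN      A       216.69.185.11
ns22.example.com.       3393    IN      A       208.109.255.11
Received 132 bytes from 192.168.0.1#53 in 20 ms
example.com.            10490   IN      SOA     ns21.example.com. dns.example.com. 2009031800 28800 7200 604800 86400
example.com.            3291    IN      MX      0 smtp.example.com.
example.com.            3291    IN      MX      10 mailstore1.example.com.
smtp.example.com.       289     IN      A       72.167.238.201
mailstore1.example.com. 141     IN      A       72.167.238.201
ns21.example.com.       3393    IN      A       216.69.185.11
ns22.example.com.       3393    IN      A       208.109.255.11
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    inv = summarise(parse_records(text))
    print("name servers :", ", ".join(inv["ns"]))
    print("mail handlers:", ", ".join(f"{h} (pref {p})" for p, h in inv["mx"]))
    for host, ips in inv["addresses"].items():
        print(f"  {host:28} {' '.join(ips)}")
    for ip, hosts in shared_hosts(inv).items():
        print(f"shared address {ip}: {', '.join(hosts)}")
    if inv["soa"]:
        s = inv["soa"]
        print("zone contact :", s["contact"], "| serial", s["serial"], "| last change", s["last_change"])
```

On the transcript above it reports that smtp and mailstore1 sit on the same address, that the zone contact is dns@example.com, and that the serial follows the date convention and so tells when the zone was last edited. Each of those is a detail you may decide not to publish.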
Now that we have identified potential networks, we have to determine their network topology and potential access paths to the network. The best way to do this is to use traceroute. If you are not familiar with it, please check our Howto compile and use traceroute page. Traceroute is a diagnostic tool originally written by Van Jacobson that lets you view the route that an IP packet follows from one host to the next. Traceroute uses the time-to-live (TTL) field in the IP packet to elicit an ICMP TIME_EXCEEDED message from each router. Each router that handles the packet is required to decrement the TTL field, so this field effectively becomes a hop counter.
Typical output looks like:
kickar@linnewbies ~ $ traceroute example.com
traceroute to example.com (192.0.32.10), 30 hops max, 60 byte packets
 1  10.4.64.1 (10.4.64.1)  308.444 ms  311.607 ms  311.966 ms
 2  83.222.191.241 (83.222.191.241)  312.324 ms  314.398 ms  321.372 ms
 3  83.222.174.177 (83.222.174.177)  329.180 ms  332.538 ms  332.772 ms
 4  195.34.104.173 (195.34.104.173)  333.112 ms n132.sofia.cabletel.bg (62.221.132.82)  333.963 ms  335.206 ms
 5  te1-2.265.ccr01.sof01.atlas.cogentco.com (149.6.112.9)  335.556 ms SPECTRUM-NE.edge6.Frankfurt1.Level3.net (195.16.161.82)  368.868 ms te1-2.265.ccr01.sof01.atlas.cogentco.com (149.6.112.9)  335.791 ms
 6  130.117.49.5 (130.117.49.5)  344.800 ms xe-8-1-0.edge6.Frankfurt1.Level3.net (195.16.161.81)  359.618 ms  347.070 ms
 7  vlan89.csw3.Frankfurt1.Level3.net (4.68.23.190)  408.085 ms te4-8.ccr01.bts01.atlas.cogentco.com (130.117.1.77)  362.390 ms te2-3.ccr01.tsr01.atlas.cogentco.com (130.117.49.142)  344.112 ms
 8  ae-92-92.ebr2.Frankfurt1.Level3.net (4.69.140.29)  351.755 ms ae-62-62.ebr2.Frankfurt1.Level3.net (4.69.140.17)  354.316 ms te1-2.ccr01.vie01.atlas.cogentco.com (130.117.3.25)  368.066 ms
 9  * te3-2.ccr01.vie01.atlas.cogentco.com (130.117.49.26)  360.668 ms te2-8.ccr01.bts01.atlas.cogentco.com (130.117.3.57)  382.671 ms
10  ae-92-92.csw4.Washington1.Level3.net (4.69.134.158)  463.469 ms te1-2.ccr01.vie01.atlas.cogentco.com (130.117.3.25)  394.892 ms ae-72-72.csw2.Washington1.Level3.net (4.69.134.150)  463.051 ms
11  ae-64-64.ebr4.Washington1.Level3.net (4.69.134.177)  465.111 ms ae-74-74.ebr4.Washington1.Level3.net (4.69.134.181)  465.471 ms te1-2.ccr01.fra03.atlas.cogentco.com (130.117.0.73)  279.020 ms
12  te2-4.mpd01.ymq02.atlas.cogentco.com (154.54.28.93)  400.164 ms ae-4.ebr3.LosAngeles1.Level3.net (4.69.132.81)  412.867 ms te9-8.ccr02.ord01.atlas.cogentco.com (66.28.4.137)  404.546 ms
13  te3-4.ccr02.mci01.atlas.cogentco.com (154.54.5.173)  406.391 ms ae-11-60.car1.LosAngeles1.Level3.net (4.69.144.3)  411.209 ms ae-31-80.car1.LosAngeles1.Level3.net (4.69.144.131)  413.168 ms
14  INTERNET-CO.car1.LosAngeles1.Level3.net (4.71.140.222)  412.223 ms  411.951 ms  412.395 ms
15  te9-8.ccr02.ord01.atlas.cogentco.com (66.28.4.137)  404.674 ms te9-2.ccr02.lax01.atlas.cogentco.com (154.54.3.186)  413.954 ms te7-4.ccr02.dfw01.atlas.cogentco.com (154.54.2.113)  483.512 ms
16  te7-4.ccr02.dfw01.atlas.cogentco.com (154.54.2.113)  484.618 ms te9-2.ccr02.lax01.atlas.cogentco.com (154.54.3.186)  414.162 ms
kickar@linnewbies ~ $
This example is with example.com, and we all know that this domain is reserved for documentation and testing purposes, so none of this is real!
From this output we can see the path of the packets travelling several hops to the final destination. The packets go through the various hops without being blocked. This is a very simplistic example. In a complex environment there might be multiple routing paths.
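Reading a long traceroute by eye is error-prone, so here is an added Python example (not code from the original page) that parses a transcript like the one above and reports, per hop, which routers answered. A hop with more than one distinct responder is exactly the multiple-routing-path case just mentioned, a "*" is a probe that timed out, and the report also says whether the destination address was ever reached. The embedded transcript is a trimmed copy of the fictional one above.

```python
"""Summarise a traceroute transcript: responders per hop, timeouts, multipath.

Added example (Python; not code from the original page).  Feed it the text
of a traceroute run and it reports, for every hop, which routers answered
the probes.  A hop with more than one distinct responder means the probes
took different routing paths.  The embedded sample is a trimmed copy of the
fictional transcript in the text.
"""
import re
import sys

# One probe result: a timeout "*", a responder "host (ip)  t ms", or a bare
# "t ms" that belongs to the responder named just before it on the line.
PROBE = re.compile(r"\*|(\S+)\s+\(([\d.]+)\)\s+([\d.]+)\s+ms|([\d.]+)\s+ms")
HEADER = re.compile(r"traceroute to \S+ \(([\d.]+)\)")
HOP_LINE = re.compile(r"^\s*\d+\s")


def parse_hop(line):
    """Turn one hop line into (hop_number, [(host, ip, rtt_ms) or None, ...])."""
    number, _, rest = line.strip().partition(" ")
    probes = []
    current = None  # last responder seen, for bare "t ms" entries
    for m in PROBE.finditer(rest):
        if m.group(0) == "*":
            probes.append(None)
        elif m.group(1):
            current = (m.group(1), m.group(2))
            probes.append((m.group(1), m.group(2), float(m.group(3))))
        elif current:
            probes.append((current[0], current[1], float(m.group(4))))
    return int(number), probes


def analyse(text):
    """Return a report: destination, responders per hop, multipath hops, timeouts, reached."""
    dest = HEADER.search(text)
    report = {"destination": dest.group(1) if dest else None,
              "hops": {}, "multipath": [], "timeouts": [], "reached": False}
    for line in text.splitlines():
        if not HOP_LINE.match(line):
            continue  # header, shell prompt or blank line
        hop, probes = parse_hop(line)
        ips = sorted({p[1] for p in probes if p})
        report["hops"][hop] = ips
        if any(p is None for p in probes):
            report["timeouts"].append(hop)
        if len(ips) > 1:
            report["multipath"].append(hop)
        if report["destination"] in ips:
            report["reached"] = True
    return report


# Trimmed copy of the fictional transcript in the text.
SAMPLE_TRACE = """\
kickar@linnewbies ~ $ traceroute example.com
traceroute to example.com (192.0.32.10), 30 hops max, 60 byte packets
 1  10.4.64.1 (10.4.64.1)  308.444 ms  311.607 ms  311.966 ms
 4  195.34.104.173 (195.34.104.173)  333.112 ms n132.sofia.cabletel.bg (62.221.132.82)  333.963 ms  335.206 ms
 9  * te3-2.ccr01.vie01.atlas.cogentco.com (130.117.49.26)  360.668 ms te2-8.ccr01.bts01.atlas.cogentco.com (130.117.3.57)  382.671 ms
14  INTERNET-CO.car1.LosAngeles1.Level3.net (4.71.140.222)  412.223 ms  411.951 ms  412.395 ms
16  te7-4.ccr02.dfw01.atlas.cogentco.com (154.54.2.113)  484.618 ms te9-2.ccr02.lax01.atlas.cogentco.com (154.54.3.186)  414.162 ms
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    r = analyse(text)
    print(f"destination {r['destination']}  reached={r['reached']}")
    for hop, ips in sorted(r["hops"].items()):
        tag = " multipath" if hop in r["multipath"] else ""
        tag += " timeout" if hop in r["timeouts"] else ""
        print(f"{hop:3}  {', '.join(ips)}{tag}")
```

On the full transcript above the report lists twelve multipath hops, a timeout at hop 9, and reached=False, because the trace ends at hop 16 before the destination address 192.0.32.10 ever answers.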
There is a tool called RotoRouter that can log traceroute requests and, if configured, give fake responses. If you are not familiar with it, check our Howto compile and use RotoRouter page.
You can now refer to Discovering open ports and Using Scanners.
For any additional questions or comments please refer to our FORUM.