Saturday, July 14, 2007

Learn footprinting: preparing a hack attack

What is footprinting?

Footprinting is the first logical step in any attacker's preparation before the actual hack. It entails researching the target for specific qualities such as open ports, services, security features, and basically any other information you can get out of the machine. Footprinting must be performed properly to ensure a good attack.

Through internet footprinting (FP) you should be able to get some of the following info about the target: TCP and UDP services, specific IP addresses, some of the access methods (ACLs etc.), user names, groups, intrusion detection systems (IDS), banners, routing tables, SNMP info, system architecture info (OS info), domain names, and more.

Gathering info off the web.

A lot of the time the website of the target will give away valuable information that could be used against them. Look for some of the following: phone numbers, mergers, names, email addresses, possible affiliate/sister company locations, and sometimes even actual info on the servers/firewalls that the site may be running. Trust me, people are stupid and often give too much information.

Using the network.

The next thing you should do is take a look at the website's source code for hidden gems or notes. Common notes look like this: <!-- server running -->. A lot of large websites use these notes to pass along valuable info to other web authors who might work on the page. Another good idea is to download the page and view it offline in more detail. Another good thing to do is a quick look on Google for more information on your target, such as mergers, news reports, articles and any other info you can dredge up. Google also lets you search for hosts or links (host:www.name.com, or link:www.name.com), with the option of adding AND and OR operators to expand your search; this can be very helpful in your quest for root. Usenet and newsgroups can also contain a wealth of knowledge; some large companies even have their own specific newsgroups.
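A check a site owner can run over their own pages before publishing, to catch the kind of leaky HTML comment described above. This is an added example, not code from the original post; the sample page and the keyword list are constructed for illustration.

```python
"""Audit HTML for comments that leak internal details (added example, not from
the original post). Site owners can run this over their own pages before
publishing; the sample page and keyword patterns below are constructed."""
import re
from html.parser import HTMLParser

# Patterns that suggest a comment is an internal note rather than markup noise.
SENSITIVE_PATTERNS = [
    re.compile(r"\b(server|firewall|apache|iis|nginx|version)\b", re.I),
    re.compile(r"\b(password|passwd|login|credential)\b", re.I),
    re.compile(r"\b(todo|fixme|internal|do not publish)\b", re.I),
    # RFC 1918 private address ranges
    re.compile(r"\b(10\.\d{1,3}|192\.168|172\.(1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
    # e-mail addresses
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
]

class CommentCollector(HTMLParser):
    """Collect every HTML comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _col = self.getpos()  # position of the '<!--' being handled
        self.comments.append((line, data.strip()))

def find_leaky_comments(html):
    """Return [(line, comment)] for comments matching a sensitive pattern."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [(line, text) for line, text in parser.comments
            if any(p.search(text) for p in SENSITIVE_PATTERNS)]

SAMPLE_HTML = """<html><head><title>Acme</title></head>
<body>
<!-- server running IIS 5.0 behind the main firewall -->
<!-- layout: two-column -->
<p>Welcome</p>
<!-- TODO: ask bob@example.com to move this to 10.0.3.7 -->
</body></html>"""

if __name__ == "__main__":
    for line, text in find_leaky_comments(SAMPLE_HTML):
        print(f"line {line}: {text}")
```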

Using tools and services.

We must then find the domain name and servers (if we don't know them yet) by using some tools and services:

Whois clients: there are a lot of programs which bundle nslookup, whois, DNS, ping, finger and more.

Net services: http://www.internic.net

Domain Name: INTERNIC.NET
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS.APNIC.NET
Name Server: NS1.CRSNIC.NET
Name Server: SVC00.APNIC.NET
Name Server: NS2.NSIREGISTRY.NET
Name Server: NS.ICANN.ORG
Name Server: A.IANA-SERVERS.NET
Name Server: C.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.ORG
Status: REGISTRY-LOCK
Updated Date: 19-jun-2003
Creation Date: 01-jan-1993
Expiration Date: 31-dec-2010
>>> Last update of whois database: Wed, 16 Jul 2003 06:15:23 EDT <<<
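The record above, parsed into fields and checked for the things a domain owner should keep an eye on (registry lock, expiry, delegation). This is an added example, not code from the original post; the record is the one quoted above minus the referral lines, and the 90-day and two-name-server thresholds are assumed policy values.

```python
"""Parse the registry whois record quoted above and run registration hygiene
checks on it. Added example, not from the original post; the 90-day expiry
threshold and the two-name-server minimum are assumed policy values."""
from datetime import datetime

WHOIS_RECORD = """Domain Name: INTERNIC.NET
Registrar: NETWORK SOLUTIONS, INC.
Name Server: NS.APNIC.NET
Name Server: NS1.CRSNIC.NET
Name Server: SVC00.APNIC.NET
Name Server: NS2.NSIREGISTRY.NET
Name Server: NS.ICANN.ORG
Name Server: A.IANA-SERVERS.NET
Name Server: C.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.ORG
Status: REGISTRY-LOCK
Creation Date: 01-jan-1993
Expiration Date: 31-dec-2010
>>> Last update of whois database: Wed, 16 Jul 2003 06:15:23 EDT <<<
"""

def parse_whois(text):
    """Lower-cased field -> value; repeated 'Name Server' lines become a list."""
    record = {"name servers": []}
    for line in text.splitlines():
        if ":" not in line or line.startswith(">>>"):  # blanks and the trailer
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "name server":
            record["name servers"].append(value.lower())
        else:
            record[key.lower()] = value
    return record

def reg_date(value):
    """Registry dates look like 31-dec-2010 (day-month-year)."""
    return datetime.strptime(value.lower(), "%d-%b-%Y")

def check_record(record, as_of, min_days=90, min_ns=2):
    """Findings a domain owner would act on, judged as of `as_of` (dd-mon-yyyy)."""
    findings = []
    if "LOCK" not in record.get("status", "").upper():
        findings.append("no registrar/registry lock on the domain")
    days_left = (reg_date(record["expiration date"]) - reg_date(as_of)).days
    if days_left < min_days:
        findings.append(f"registration expires in {days_left} days")
    if len(record["name servers"]) < min_ns:
        findings.append(f"fewer than {min_ns} name servers delegated")
    return findings
```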

Using whois queries.

There are five major whois queries that can give us information:

  • Registrar Query - This will give info on domains matching the target.
  • Organizational Query - This will resolve all instances of the target's name, showing all of the corresponding domains.
  • Domain Query - This will depend on what you find in the organizational query. Using a domain query, you can get the company's addresses, domain names, phone numbers and DNS servers.
  • Network Query - Using the American Registry for Internet Numbers (ARIN) you can discover certain network blocks owned by a company.
  • POC (point of contact) Query - This will find all the IP addresses a machine might have, or even search for specific domain handles (users).
NOTE: Someone familiar with war dialers can use them to get more phone numbers.

NOTE: The military and government (speaking of the U.S.A.) have their own whois servers, at http://whois.nic.mil and http://whois.nic.gov

Dns interrogation.

A major problem is that a lot of admins neglect to disallow DNS zone transfers to Internet users, and a tool like nslookup makes such a transfer fairly easy. If you can figure out where the mail is handled, it is very likely the firewall will be located on the same network. I suggest to do a

Mapping the network (determining topology).

A good way to accomplish most of this would be to perform a traceroute (tracert):

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>tracert internic.net

Tracing route to internic.net [198.41.0.6]
over a maximum of 30 hops:

  1   155 ms   147 ms   171 ms  *-3-e.***** [215.26.194.164]
  2   240 ms   159 ms   427 ms  *-0-e.***** [215.26.194.164]
  3   168 ms   199 ms   179 ms  *-*0-1.***** [215.26.164.160]
  4   227 ms   171 ms   159 ms  *2-e.***** [215.26.144.170]
  5   302 ms   297 ms   309 ms  iar5-so-2-0-3.NewYork.cw.net [208.173.135.221]
  6   399 ms   298 ms   309 ms  agr2-loopback.NewYork.cw.net [206.24.194.102]
  7   360 ms   287 ms   319 ms  dcr1-so-6-1-0.NewYork.cw.net [206.24.207.53]
  8   381 ms   311 ms   297 ms  agr3-so-0-0-0.NewYork.cw.net [206.24.207.58]
  9   342 ms   319 ms   298 ms  acr2-loopback.Restonrst.cw.net [206.24.178.62]
 10   330 ms   399 ms   311 ms  aar4-loopback.Restonrst.cw.net [206.24.178.12]
 12   155 ms    64 ms    62 ms  66.114.111.38
 13    64 ms    57 ms    58 ms  66.114.91.11

Trace complete.

NOTE: The *** are just for hiding my host, for personal reasons. Yea, yea, the IP is fake too.

The traceroute ended at 66.114.91.11; this could possibly be the computer that directly feeds their main system. Anyway, it's obvious there is a wealth of info here. Just look at your routes and try to visualize a common route by researching numerous hops along the way. tracert goes deeper too, so fool around and get more info. A great program that gives the user a visual representation of the trace is called Visual Route, which provides a ton of good info such as banners, visual maps, whois lookups, etc.: http://www.visualroute.com. Another is NeoTrace, from http://www.neotrace.com.

Ping Sweep: Ping a range of IP addresses to find out which machines are alive.
TCP Scans: Scans for services. You can either limit your scan to one IP for multiple ports, or multiple IPs for one port.
UDP Scans: Sends garbage UDP packets to a port.
OS Identification: This involves sending illegal ICMP or TCP packets to a machine.
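What the ping sweeps and port scans listed above look like from the defender's side: a small detector over firewall log lines that flags one source pinging many hosts, or probing many ports on one host, inside a short window. This is an added example, not code from the original post; the one-line-per-event log format, the sample traffic and the thresholds are all constructed or assumed.

```python
"""Flag ping sweeps and port scans in firewall log lines.

Added example, not from the original post. The one-line-per-event log format
("<ISO time> <proto> <src> -> <dst>[:<port>]"), the sample traffic and the
thresholds are all constructed/assumed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # look-back window per source
SWEEP_HOSTS = 10                # distinct hosts pinged within WINDOW
SCAN_PORTS = 15                 # distinct ports probed on one host within WINDOW

def parse_event(line):
    """'2007-07-14T10:00:02 TCP 203.0.113.5 -> 192.0.2.17:22' -> event tuple."""
    ts, proto, src, _arrow, dst = line.split()
    host, _, port = dst.partition(":")
    return datetime.fromisoformat(ts), proto, src, host, int(port) if port else None

def detect(lines):
    """Return a set of ('ping_sweep', src) and ('port_scan', src, dst) alerts."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e[0])
    pings, probes = defaultdict(deque), defaultdict(deque)
    alerts = set()
    for ts, proto, src, host, port in events:
        if proto == "ICMP":
            q, key, limit, tag = pings[src], host, SWEEP_HOSTS, ("ping_sweep", src)
        else:
            q, key, limit, tag = probes[(src, host)], port, SCAN_PORTS, ("port_scan", src, host)
        q.append((ts, key))
        while ts - q[0][0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        if len({k for _, k in q}) >= limit:
            alerts.add(tag)
    return alerts

def sample_log():
    """Constructed traffic: a fast ping sweep, a fast port scan, the same sweep
    spread over an hour (one ping every 5 min), and one normal web request."""
    t0 = datetime(2007, 7, 14, 10, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{at(i)} ICMP 203.0.113.5 -> 192.0.2.{i + 1}" for i in range(12)]
    lines += [f"{at(i)} TCP 198.51.100.9 -> 192.0.2.17:{20 + i}" for i in range(20)]
    lines += [f"{at(300 * i)} ICMP 203.0.113.77 -> 192.0.2.{i + 1}" for i in range(12)]
    lines.append(f"{at(5)} TCP 198.51.100.20 -> 192.0.2.17:80")
    return lines

if __name__ == "__main__":
    for alert in sorted(detect(sample_log())):
        print(alert)
```

The slow sweep in the sample is deliberately missed: a 60-second window only catches fast probing, which is why production detection also keeps longer-term per-source counters.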