Phase 1: Footprinting

Footprinting is the first phase of the ethical hacking process and is the subject of this chapter. This phase consists of passively gaining information about a target. The goal is to gather as much information as possible about a potential target with the objective of getting enough information to make later attacks more accurate. The end result should be a profile of the target that is a rough picture but one that gives enough data to plan the next phase of scanning.

Information that can be gathered during this phase includes:

• IP address ranges
• Namespaces
• Employee information
• Phone numbers
• Facility information
• Job information

Footprinting takes advantage of the information that is carelessly exposed or disposed of inadvertently.

Phase 2: Scanning

Phase 2 is scanning, which focuses on an active engagement of the target with the intention of obtaining more information. Scanning the target network will ultimately locate active hosts that can then be targeted in a later phase. Footprinting helps identify potential targets, but not all may be viable or active hosts. Once scanning determines which hosts are active and what the network looks like, a more refined process can take place.

During this phase tools such as these are used:

• Pings
• Ping sweeps
• Port scans
• Tracert

Phase 3: Enumeration

The last phase before you attempt to gain access to a system is the enumeration phase. Enumeration is the systematic probing of a target with the goal of obtaining user lists, routing tables, and protocols from the system. This phase represents a significant shift in your process; it is the initial transition from being on the outside looking in to moving to the inside of the system to gather data. Information such as shares, users, groups, applications, protocols, and banners all proved useful in getting to know your target, and this information is now carried forward into the attack phase.

The information gathered during Phase 3 typically includes, but is not limited to:

• Usernames
• Group information
• Passwords
• Hidden shares
• Device information
• Network layout
• Protocol information
• Server data
• Service information

Phase 4: System Hacking

Once you have completed the first three phases, you can move into the system hacking phase. You will recognize that things are getting much more complex and that the system hacking phase cannot be completed in a single pass. It involves a methodical approach that includes cracking passwords, escalating privileges, executing applications, hiding files, covering tracks, concealing evidence, and then pushing into a complex attack.

Why Perform Footprinting?

Footprinting is about gathering information and formulating a hacking strategy. With proper care you, as the attacking party, may be able to uncover the path of least resistance into an organization. Passively gathering information is by far the easiest and most effective method. If done by a skilled, inventive, and curious party (you!), the amount of information that can be passively gathered is staggering. Expect to obtain information such as:

• Information about an organization’s security posture and where potential loopholes may exist. This information will allow for adjustments to the hacking process that make it more productive.
• A database that paints a detailed picture with the maximum amount of information possible about the target.
• A network map using tools such as the Tracert utility to construct a picture of a target’s Internet presence or Internet connectivity. Think of the network map as a roadmap leading you to a building; the map gets you there, but you still have to determine the floor plan of the building.

Goals of the Footprinting Process

Before you start doing footprinting and learn the techniques, you must set some expectations as to what you are looking for and what you should have in your hands at the end of the process. Keep in mind that the list of information here is not exhaustive, nor should you expect to be able to obtain all the items from every target. The idea is for you to get as much information in this phase as you possibly can, but take your time!

Here’s what you should look for:

• Network information
• Operating system information
• Organization information, such as CEO and employee information, office information, and contact numbers and e-mail
• Network blocks
• Network services
• Application and web application data and configuration information
• System architecture
• Intrusion detection and prevention systems
• Employee names
• Work experience

Let’s take a closer look at the first three on this list.

Open Source and Passive Information Gathering

As far as intelligence gathering goes, open source or passive information gathering is the least aggressive. Basically the process relies on obtaining information from those sources that are typically publicly available and out in the open. Potential sources include newspapers, websites, discussion groups, press releases, television, social networking, blogs, and innumerable other sources.

With a skilled and careful hand, it is more than possible to gather operating system and network information, public IP addresses, web server information, and TCP and UDP data sources, just to name a few.

Active Information Gathering

Active information gathering involves engagement with the target through techniques such as social engineering. Attackers tend to focus their efforts on the “soft target,” which tends to be human beings. A savvy attacker engages employees under different guises under various pretenses with the goal of socially engineering an individual to reveal information.

Pseudonymous Footprinting

Pseudonymous involves gathering information from online sources that are posted by someone from the target but under a different name or in some cases a pen name. In essence the information is not posted under a real name or anonymously; it is posted under an assumed name with the intention that it will not be traced to the actual source.

Internet Footprinting

A pretty straightforward method of gaining information is to just use the Internet. I’m talking about using techniques such as Google hacking (which uses Google Search and other Google apps to identify security holes in websites’ configuration and computer code) and other methods to find out what your target wants to hide (or doesn’t know is public information) that a malicious party can easily obtain and use.

Using Search Engines

One of the first steps in the process of footprinting tends to be using a search engine. Search engines such as Google and Bing can easily provide a wealth of information that the client may have wished to have kept hidden or may have just plain forgotten about it. The same information may readily show up on a search engine results page (SERP).

Using a search engine you can find a lot of information, some of it completely unexpected or something a defender never considers, such as technology platforms, employee details, login pages, intranet portals, and so on. A search can easily provide even more details such as names of security personnel, brand and type of firewall, and antivirus protection, and it is not unheard of to find network diagrams and other information.

To use a search engine effectively for footprinting, always start with the basics. The very first step in gathering information is to begin with the company name. Enter the company name and take note of the results, as some interesting ones may appear.

Once you have gotten basic information from the search engine, it’s time to move in a little deeper and look for information relating to the URL.

If you need to find the external URL of a company, open the search engine of your choice, type the name of the target organization, and execute the search. Such a search will generally obtain for you the external and most visible URLs for a company and perhaps some of the lesser known ones. Knowing the internal URLs or hidden URLs can provide tremendous insight into the inner structure or layout of a company. However, tools are available that can provide more information than a standard search engine. Let’s examine a couple.

Netcraft Actually a suite of related tools, you can use Netcraft to obtain web server version, IP address, subnet data, OS information, and subdomain information for any URL. Remember this tool—it will come in handy later.

Link Extractor This utility locates and extracts the internal and external URLs for a given location.

Location and Geography

Not to be overlooked or underestimated in value is any information pertaining to the physical location of offices and personnel. You should seek this information during the footprinting process because it can yield other key details that you may find useful in later stages, including physical penetrations. Additionally, knowing a company’s physical location can aid in dumpster diving, social engineering, and other efforts.

To help you obtain physical location data, a range of useful and powerful tools are available. Thanks to the number of sources that gather information such as satellites and webcams, there is the potential for you as an attacker to gain substantial location data. Never underestimate the sheer number of sources available, including:

Google Earth This popular satellite imaging utility has been available since 2001 and since that time it has gotten better with access to more information and increasing amounts of other data. Also included in the utility is the ability to look at historical images of most locations, in some cases back over 20 years.

Google Maps Google Maps provides area information and similar data. Google Maps with Street View allows you to view businesses, houses, and other locations from the perspective of a car. Using this utility, many people have spotted things such as people, entrances, and even individuals working through the windows of a business.

Webcams These are very common, and they can provide information on locations or people.

People Search Many websites offer information of public record that can be easily accessed by those willing to search for it. It is not uncommon to come across details such as phone numbers, house addresses, e-mail addresses, and other information depending on the website being accessed. Some really great examples of people search utilities are Spokeo, ZabaSearch, Wink, and Intelius.

Social Networking and Information Gathering

One of the best sources for information is social networking. Social networking has proven not only extremely prolific, but also incredibly useful as an information-gathering tool. A large number of people who use these services provide updates on a daily basis. You can learn not only what an individual is doing, but also all the relationships, both personal and professional, that they have.

Because of the openness and ease of information sharing on these sites, a savvy and determined attacker can locate details that ought not to be shared. In the past, I have found information such as project data, vacation information, working relationships, and location data. This information may be useful in a number of ways. For example, armed with personal data learned on social networking sites, an attacker can use social engineering to build a sense of trust.

Some popular social networking services that are worth scouring for information about your target may be the ones that you are already familiar with:

Facebook The largest social network on the planet boasts an extremely large user base with a large number of groups for sharing interests. Facebook is also used to share comments on a multitude of websites, making its reach even further.

Twitter Twitter has millions of users, many of whom post updates several times a day. Twitter offers little in the way of security, and those security features it does have are seldom used. Twitter users tend to post a lot of information with little or no thought to the value of what they are posting.

Google+ This is Google’s answer to the popular Facebook. Although the service has yet to see the widespread popularity of Facebook, there is a good deal of information present on the site that you can search and use.

LinkedIn One of my personal favorites for gathering information is LinkedIn. The site is a social networking platform for job seekers and as such it has employment history, contact information, skills, and names of those the person has worked with.

Financial Services and Information Gathering

Popular financial services such as Yahoo! Finance, Google Finance, and CNBC provide information that may not be available via other means. This data includes company officers, profiles, shares, competitor analysis, and many other pieces of data.

Gathering this information may be incredibly easy. Later in the book, we will talk about attacks such as phishing and spear-phishing that are useful in this area.

The Value of Job Sites

An oft-overlooked but valuable method of gathering information about a target is through job sites and job postings. If you have ever looked at a job posting, as many of us have, you will notice that they can take a lot of forms, but something they tend to have in common is a statement of desired skills. This is the important detail that we are looking for. If you visit a job posting site and find a company that you are targeting, you simply need to investigate the various postings to see what they are asking for. It is not uncommon to find information such as infrastructure data, operating system information, and other useful data.

A quick perusal through job sites such as Monster.com, Dice.com or even Craigslist.com can prove valuable. This information is essentially free, because there is little investment in time or effort to obtain it in many cases.

When analyzing job postings, keep an eye out for information such as:

• Job requirements and experience
• Employer profile
• Employee profile
• Hardware information (this is incredibly common to see in profiles; look for labels such as Cisco, Microsoft, Juniper, Checkpoint, and others that may include model or version numbers)
• Software information

Some of the major search engines have an alert system that will keep you apprised of any updates as they occur. The alert systems allow you to enter a means of contacting you along with one or more URLs you’re interested in and a time period over which to monitor them. Search engines such as Google and Yahoo! include this service.

Working with E-mail

E-mail is one of the tools that a business relies on today to get its mission done. Without e-mail many businesses would have serious trouble functioning in anything approaching a normal manner. The contents of e-mail are staggering and can be extremely valuable to an attacker looking for more inside information. For a pen tester or an attacker, plenty of tools exist to work with e-mail.

One tool that is very useful for this purpose is PoliteMail (www.politemail.com), which is designed to create and track e-mail communication from within Microsoft Outlook. This utility can prove incredibly useful if you can obtain a list of e-mail addresses from the target organization. Once you have such a list, you can then send an e-mail to the list that contains a malicious link. Once the e-mail is opened, PoliteMail will inform you of the event for each and every individual.

Another utility worth mentioning is WhoReadMe (http://whoreadme.com). This application lets you track e-mails and also provides information such as operating system, browser type, and ActiveX controls installed on the system.

Competitive Analysis

We’ve covered some great tools so far, but there is another way of gathering useful data that may not seem as obvious: competitive analysis. The reports created through competitive analysis provide information such as product information, project data, financial status, and in some cases intellectual property.

Good places to obtain competitive information are:

• EDGAR (the Electronic Data-Gathering, Analysis, and Retrieval system) contains reports publicly traded companies make to the Securities & Exchange Commission (SEC). Learn more at www.sec.gov/edgar.shtml.
• LexisNexis maintains a database of public record information on companies that includes detailed information such as legal news and press releases. Learn more at www.lexisnexis.com/en-us/home.page.
• BusinessWire (www.businesswire.com/portal/site/home/) is another great resource that provides information about the status of a company as well as financial and other data.
• CNBC (www.cnbc.com) offers a wealth of company details as well as future plans and in-depth analysis.

When analyzing these resources, look for specific types of information that can prove insightful such as the following:

• When did the company begin? How did it evolve? Such information gives insight into their business strategy and philosophy as well as corporate culture.
• Who are the leaders of the company? Further background analysis of these individuals may be possible.
• Where are the headquarters and offices located?

Google Hacking

Up to this point you may have collected a lot of information from various sources, but now is the time to fine-tune those results and look deeper. One of the tools you used earlier, Google, has much more power than you’ve taken advantage of so far. Now is the time to unleash the power of Google through a process known as Google hacking.

Google hacking is not anything new and has been around for a long time; it just isn’t widely known by the public. The process involves using advanced operators to fine-tune your results to get what you want instead of being left at the whim of the search engine. With Google hacking it is possible to fine-tune results to obtain items such as passwords, certain file types, sensitive folders, logon portals, configuration data, and other data.

Before you perform any Google hacking you need to be familiar with the operators that make it possible.

cache Displays the version of a web page that Google contains in its cache instead of displaying the current version. Syntax: cache:<website name>

link Lists any web pages that contain links to the page or site specified in the query. Syntax: link:<website name>

info Presents information about the listed page. Syntax: info:<website name>

site Restricts the search to the location specified. Syntax: <keyword> site:<website name>

allintitle Returns pages with specified keywords in their title. Syntax: allintitle:<keywords>

allinurl Returns only results with the specific query in the URL. Syntax: allinurl:<keywords>

If you are still a little confused about how these special queries and operators work, a very good resource is the Google Hacking Database (GHDB). This website (www.exploit-db.com/google-dorks/) has been maintained for a very long time; here you will find the operators described here along with plenty of new ones. It is through the observation of the queries and the results that they provide that you may be able to gain a better understanding of how things work.

Try using these Google hacks only after you have done some initial reconnaissance. The reasoning here is that after you have some initial information about a target from your more general investigation, you can then use a targeted approach based on what you have learned.

Gaining Network Information

An important step in footprinting is to gain information, where possible, about a target’s network. Fortunately there are plenty of tools available for this purpose, many of which you may already be familiar with.

Whois This utility helps you gain information about a domain name, including ownership information, IP information, netblock data, and other information where available. The utility is freely available in Linux and Unix and must be downloaded as a third-party add-on for Windows.

Tracert This utility is designed to follow the path of traffic from one point to another, including intermediate points in between. The utility provides information on the relative performance and latency between hops. Such information can be useful if a specific victim is targeted because it may reveal network information such as server names and related details. The utility is freely available for all OSs.

Social Engineering: The Art of Hacking Humans

Inside the system and working with it is the human being, which is frequently the easiest component to hack. Human beings tend to be, on average, fairly easy to obtain information from. Although Chapter 10, “Social Engineering,” delves into this topic in greater depth, I want to introduce some basic techniques that can prove useful at this stage of information gathering:

Eavesdropping This is the practice of covertly listening in on the conversations of others. It includes listening to conversations or just reading correspondence in the form of faxes or memos. Under the right conditions, you can glean a good amount of insider information using this technique.

Shoulder Surfing This is the act of standing behind a victim while they interact with a computer system or other medium while they are working with secret information. Using shoulder surfing allows you to gain passwords, account numbers, or other secrets.

Dumpster Diving This is one of the oldest means of social engineering, but it’s still an effective one. Going through a victim’s trash can easily yield bank accounts, phone records, source code, sticky notes, CDs, DVDs, and other similar items. All of this is potentially damaging information in the wrong hands.