In this chapter, you will learn about footprinting and what types of information can be sought using this technique, including how to recognize the types of information that a hacker may want to obtain. You will also gain an understanding of various information-gathering tools and methodologies. Several additional concepts are covered in this chapter: port scanning, network scanning, vulnerability scanning, Transmission Control Protocol (TCP) communication flags, types of port scans, and scanning countermeasures.
Identify the types of information sought in the process of footprinting.
Describe information-gathering tools and methodologies.
Explain DNS enumeration.
Perform active and passive reconnaissance.
Recognize the differences between port scanning, network scanning, and vulnerability scanning.
Identify TCP flag types.
Identify types of port scans.
Identify scanning countermeasures.
Footprinting
There are various resources available on the Internet to assist you in determining how a company’s network is built. The process of discovering the details of an organization’s network is known as footprinting. The detection techniques used to gather information about a target are referred to as reconnaissance. Footprinting is a non-intrusive process: you are not obtaining unauthorized access to data. Numerous tools are available to help collect a wealth of information legally, and this is described as competitive intelligence. You expand the competitive intelligence when you add innovation to the mix. Network attacks typically start with information gathered from a company’s website.
The WHOIS tool is used to collect information about IP addresses and domain names, and it can also be used to identify company email accounts. You may use a URL to find out which web server and operating system are being used, as well as the names of IT workers. Footprinting is the first of three preattack phases. Information sought while footprinting includes domain names, telephone numbers, authentication mechanisms, access control lists, IP addresses, services, and the presence of an IDS.
Information Gathering Methodology
1. Acquire initial information (domain name).
2. Locate the network range (Nslookup, WHOIS).
3. Confirm active machines (ping).
4. Discover open ports or access points (port scanners).
5. Detect operating systems (telnet query).
6. Map the network.
Archived Websites
Figure: Some of the archived information available for CSSIA (http://cssia.org/)
Searching Public Records
Google (www.google.com)
VitalRec.com (www.vitalrec.com)
Switchboard (www.switchboard.com )
Zabasearch.com (www.zabasearch.com)
USA.gov (www.usa.gov)
Tools
The WHOIS (www.whois.com) utility is used to gather IP addresses and domain information. Recall that DNS uses name servers to resolve names. After determining the name server that a company uses, you can try to transfer all of the records for which that DNS server is responsible; this is called a zone transfer. To determine an organization’s primary DNS server, look for the DNS server named in the zone’s Start of Authority (SOA) record. Once the primary DNS server has been determined, perform another zone transfer against it to see all host computers on the network. This information can help to form the organization’s network diagram.
A few of the tools used, categorized by the type of information that they help gather:
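The following Python script is an added example, not part of the chapter or any of the tools it lists. It shows, from the defender’s side, exactly what an unrestricted zone transfer hands over: it parses text in the shape of `dig axfr` output (the zone `example.com.` and all of its addresses below are constructed sample data), reads the primary name server out of the SOA record, builds the host inventory an attacker would map, and flags names that point at RFC 1918 space, which is internal topology that should not be visible in a public zone.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the text output of `dig @ns1 example.com axfr`.
# Not a real zone: names and addresses are made up for this example.
SAMPLE_AXFR = """\
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
ns1.example.com.        3600    IN      A       203.0.113.10
ns2.example.com.        3600    IN      A       203.0.113.11
www.example.com.        300     IN      A       203.0.113.20
mail.example.com.       3600    IN      A       203.0.113.25
intranet.example.com.   3600    IN      A       10.10.5.4
vpn-gw.example.com.     3600    IN      A       192.168.100.1
backup-db.example.com.  3600    IN      CNAME   intranet.example.com.
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
"""

# One resource record per line: owner name, TTL, class IN, type, rdata.
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# RFC 1918 private ranges, checked explicitly (Python's is_private also covers
# documentation ranges such as 203.0.113.0/24, which we do not want to flag here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Parse dig-style zone output into (name, ttl, type, rdata) tuples, skipping comments and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata.strip()))
    return records


def primary_name_server(records):
    """The MNAME field (first token of the SOA rdata) names the primary authoritative server."""
    for _name, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            return rdata.split()[0]
    return None


def host_inventory(records):
    """Map each hostname to its A-record addresses: the view a zone transfer gives an attacker."""
    hosts = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            hosts[name].append(rdata)
    return dict(hosts)


def internal_address_leaks(records):
    """Names whose A records fall in RFC 1918 space: internal topology exposed in a public zone."""
    leaks = []
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in RFC1918):
                leaks.append((name, rdata))
    return leaks


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("primary name server:", primary_name_server(recs))
    for host, addrs in sorted(host_inventory(recs).items()):
        print(f"{host:28} {', '.join(addrs)}")
    for name, addr in internal_address_leaks(recs):
        print("internal address in public zone:", name, addr)
```

Run it against the output of a transfer from your own name server to see what would be exposed. The countermeasure is to restrict AXFR to the secondary servers (in BIND this is the `allow-transfer` option) and to keep internal names in a separate internal zone.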
WHOIS (www.whois.com)
SmartWhois.com
Active Whois Network Tool (www.tucows.com/preview/1597378/Active-Whois-Browser)
ViewDNS.info
DNS Enumerator (https://code.google.com/p/dnsenum/)
SpiderFoot (www.spiderfoot.net/)
Nslookup (built-in command in Linux and Windows)
DNStuff (www.dnsstuff.com/)
Expired Domains (www.expireddomains.net/)
Locating the Network Range
You can now proceed to locating the network range of the target system. Traceroute tools such as NeoTrace and VisualRoute can be of use. Use of the Traceroute utility can be detected, but the other tools are passive in nature.
ARIN (www.arin.net/)
Traceroute (built-in command in Linux)
3D Traceroute (www.d3tr.de/)
McAfee Visual Trace (www.mcafee-neotrace-professional.com-about.com/)
VisualRoute (www.visualroute.com/)
Path Analyzer Pro (www.pathanalyzer.com/)
TouchGraph (www.touchgraph.com/navigator)
Maltego (www.paterva.com/web6/)
Other useful tools include web spiders, which can pick up email addresses and store them in a database (think spammers here). Other tools, such as GEO spiders, can plot network activity on a world map, and Google Earth provides imagery and geographic information for almost any location.
Finally, there are many metasearch engine tools that send a user’s request to several other search engines and then display the aggregated results, including Dogpile, WebFerret, Robots.txt, WTR-Web the Ripper 2, and Website Watcher.
Conducting Active and Passive Reconnaissance Against a Target
Before you begin scanning, you should have a clear understanding of how networks connected to the Internet work.
Figure: Network attack
Scanning Networks
After an attacker has identified a target system and performed reconnaissance, the attacker moves on to gaining entry into the target system. With network scanning, the attacker can obtain information about the target such as which operating system is used and which services are running.
Scanning is a form of extended reconnaissance in which the attacker tries to find ways to intrude into the target system. A sound understanding of the TCP, UDP, and ICMP protocols is important for meeting the objectives of this chapter.
It is important to note that in Internet protocols, 65,535 is the number of TCP and UDP ports available in an IP address. You need to know which ports attackers are going after so that those ports can be protected. When an attacker discovers an open service, finding a vulnerability is not difficult. Port scanning analyzes a range of IP addresses to identify the services that are running. Network scanning investigates the activity on a network, such as tracking data flow and the functionality of network devices, and can detect active hosts on a network. Vulnerability scanning proactively identifies security vulnerabilities on a network to evaluate where a system can be exploited.
Identify live systems on a network.
Find out what ports are open.
Figure out the target’s operating system.
Figure out what services are running and/or listening.
Find out IP addresses.
Identify particular applications.
Find vulnerabilities in any system on the network.
Scanning Methodology
Understanding scanning methodology is essential to selecting the appropriate tools needed to complete this task. There are five steps that can guide the process of scanning: checking for live systems, checking for open ports, fingerprinting the operating system, scanning for vulnerabilities, and probing the network.
A ping sweep is a scanning technique used to determine the range of IP addresses mapping to live systems on the network.
A familiarity with the three-way handshake and the TCP communication flags that govern the connection between hosts is an input into selecting a scanning method.
It is a great advantage to the attacker if the operating system running on a target system is known. Banner grabbing can be used to help identify the OS.
There are many tools available for vulnerability scanning, including Nessus, SAINT, and GFI LANguard.
Three-Way Handshake
Figure: Three-way handshake
TCP Flags
URG: Marks incoming data as urgent
ACK: Confirms that packets have been obtained successfully
PSH (PUSH): Ensures that data is prioritized and processed at the transmitting or receiving end, and is used at the start and end of a data transfer
SYN: Begins the three-way handshake between two hosts
FIN: Disconnects the connection formed using the SYN flag
RST: Used when a segment arrives that is not expected for the current connection. It also indicates that the remote host has reset the connection.
Types of Port Scans
1. SYN scan: In the three-way handshake, the attacker’s computer sends the initial SYN packet. If the attacker receives a SYN/ACK packet in response, the attacker immediately replies with an RST/ACK packet to close the session so that the connection never completes. The attacker now knows that the port is open.
2. Connect scan: With a connect scan, the three-way handshake is completed, which makes this scan easily detected.
3. NULL scan: In a NULL scan, all packet flags are off. A closed port responds to a NULL scan with an RST packet; if no packet is received, the probability that the port is open is high.
4. XMAS scan: With the XMAS scan, the FIN, PSH, and URG flags are set. Closed ports respond to this type of packet with an RST packet.
5. ACK scan: An ACK scan is used to get past a firewall, which is a filtering device. A filtering device looks for the SYN packet. If the scanned port returns an RST packet, the port is unfiltered.
6. FIN scan: With the FIN scan, a FIN packet is sent to the target. If the port is closed, an RST packet is returned.
7. UDP scan: With a UDP scan, a UDP packet is sent to the target computer. A response of “Port Unreachable” means that the port is closed.
Using Nmap
Figure: Nmap shows five open ports
Without any switches, Nmap will still be successful against systems that block ICMP.
The default Nmap scan scans numerous ports, but not all.
You won’t see a MAC address while scanning a system over the Internet.
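As an added example (not from the chapter or from the Nmap project), the following Python script reads Nmap’s grepable output format (`-oG`), which is what you would save when scanning your own hosts, and compares the open ports it finds against what each host is supposed to expose. The scan text below is constructed sample data in that format, with made-up hosts in the 192.0.2.0/24 documentation range; the allow-list in the usage call is likewise an assumption for the example.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format; hosts, names and ports are made up.
# Port entries have the form port/state/protocol/owner/service/rpc info/version/
SAMPLE_NMAP_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -oG - 192.0.2.0/29
Host: 192.0.2.10 (web01.example.test)\tStatus: Up
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (995)
Host: 192.0.2.11 (db01.example.test)\tStatus: Up
Host: 192.0.2.11 (db01.example.test)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 23/filtered/tcp//telnet///\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

# Seven slash-separated fields per port entry; we keep port, state, protocol and service.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {host_ip: [(port, state, proto, service), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and plain "Status: Up" lines carry no port data
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        entries = [(int(port), state, proto, service)
                   for port, state, proto, _owner, service, _rpc, _ver in PORT_RE.findall(ports_field)]
        results.setdefault(ip, []).extend(entries)
    return results


def open_ports(scan, ip):
    """Sorted list of ports Nmap reported as open on one host."""
    return sorted(port for port, state, _proto, _svc in scan.get(ip, []) if state == "open")


def unexpected_open_ports(scan, allowlist):
    """Open ports not on the host's allow-list: candidates for the 'close any unneeded ports' countermeasure."""
    findings = {}
    for ip, entries in scan.items():
        allowed = allowlist.get(ip, set())
        extra = [(port, svc) for port, state, _proto, svc in entries
                 if state == "open" and port not in allowed]
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_NMAP_OG)
    # Assumed policy for the example: web01 should expose only SSH/HTTP/HTTPS, db01 only SSH/PostgreSQL.
    policy = {"192.0.2.10": {22, 80, 443}, "192.0.2.11": {22, 5432}}
    for ip in scan:
        print(ip, "open:", open_ports(scan, ip))
    for ip, extra in unexpected_open_ports(scan, policy).items():
        print(ip, "unexpected:", extra)
```

Against a real saved scan, pipe `nmap -oG - ...` output of your own network into `parse_grepable`; the filtered telnet port on db01 is deliberately left out of the findings because the check is about services that are actually reachable.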
Zenmap
Figure: Zenmap is the GUI front end for Nmap
Figure: Nmap scan results
Figure: Zenmap scan and weblog file
Crafting Packets
With Fping (www.fping.com/), you can specify a range of IP addresses at the command prompt, or you can create a file containing multiple IP addresses and use it as an input file. Fping is included in the BackTrack distribution.
Hping (www.hping.org/download) can bypass filtering devices by crafting or modifying packets. To find out more, type Hping -help at the command line.
Scanning Countermeasures
Utilize a firewall, which should detect probes.
Install a network intrusion detection system; it should identify the OS-detection methods used by various tools.
Close any unneeded ports.
Deploy tools to detect port scans.
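The last countermeasure, deploying tools to detect port scans, comes down to counting: one source touching many distinct ports on one host in a short time. The following Python script is an added example, not from the chapter or any product, of that detection logic run over firewall log lines. The log format (epoch time, source, destination, destination port, protocol, flag letters) and the log lines themselves are constructed for the example; the threshold and window are tunable assumptions.

```python
from collections import defaultdict, deque

# Constructed log lines in a simplified firewall format:
# "<epoch> <src_ip> <dst_ip> <dst_port> <proto> <tcp_flags>"  ("S" = SYN, "-" = none)
SAMPLE_LOG = """\
1700000000 198.51.100.7 192.0.2.10 22 tcp S
1700000000 198.51.100.7 192.0.2.10 23 tcp S
1700000001 198.51.100.7 192.0.2.10 25 tcp S
1700000001 203.0.113.5 192.0.2.10 443 tcp S
1700000001 198.51.100.7 192.0.2.10 80 tcp S
1700000002 198.51.100.7 192.0.2.10 110 tcp S
1700000002 198.51.100.7 192.0.2.10 143 tcp S
1700000003 198.51.100.7 192.0.2.10 443 tcp S
1700000003 198.51.100.7 192.0.2.10 445 tcp S
1700000004 198.51.100.7 192.0.2.10 3389 tcp S
1700000004 198.51.100.7 192.0.2.10 8080 tcp S
1700000060 203.0.113.5 192.0.2.10 443 tcp S
1700000120 203.0.113.5 192.0.2.10 80 tcp S
1700000900 198.51.100.9 192.0.2.10 53 udp -
"""


def parse_log(text):
    """Turn the constructed log format into (ts, src, dst, dport, proto, flags) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags = line.split()
        events.append((int(ts), src, dst, int(dport), proto, flags))
    return events


def detect_port_scans(events, threshold=10, window=5):
    """Alert when one source hits >= `threshold` distinct ports on one host within `window` seconds.
    Keeps a sliding window per (src, dst) pair; events must be in time order.
    Each pair is reported once, on the event that first crosses the threshold."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport) inside the window
    alerts = []
    alerted = set()
    for ts, src, dst, dport, _proto, _flags in events:
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {p for _t, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "ports": sorted(distinct),
                           "first_seen": q[0][0], "last_seen": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_log(SAMPLE_LOG), threshold=10, window=5):
        print(f"port scan: {alert['src']} -> {alert['dst']} "
              f"{len(alert['ports'])} ports in {alert['last_seen'] - alert['first_seen']}s: {alert['ports']}")
```

In the sample, 198.51.100.7 touches ten ports in four seconds and is reported, while 203.0.113.5, which revisits two ports minutes apart, is not. A slow scan spread across a long interval evades a short window, which is why production detectors keep longer windows per source or correlate across hosts as well.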
Summary
Many tools are available to help you protect an organization’s networks. The process involves footprinting, or finding information about the network, using reconnaissance, which comprises the detection methods you use to find that information. You also learned how attackers use network scanning to get information about the target.
Resources
Wayback Machine: www.archive.org/
CSSIA: http://cssia.org/
Google: www.google.com
VitalRec.com: www.vitalrec.com
Switchboard: www.switchboard.com
Zabasearch.com: www.zabasearch.com
USA.gov: www.usa.gov
Whois: www.whois.com
SmartWhois: http://smartwhois.com/
Active Whois Network Tool: www.tucows.com/preview/1597378/Active-Whois-Browser
ViewDNS: http://viewdns.info/
DNS Enumerator: https://code.google.com/p/dnsenum/
SpiderFoot: www.spiderfoot.net/
DNStuff: www.dnsstuff.com/
Expired Domains: www.expireddomains.net/
ARIN: www.arin.net/
3D Traceroute: www.d3tr.de/
McAfee Visual Trace: www.mcafee-neotrace-professional.com-about.com/
VisualRoute: www.visualroute.com/
Path Analyzer Pro: www.pathanalyzer.com/
TouchGraph: www.touchgraph.com/navigator
Maltego: www.paterva.com/web6/
Fping: www.fping.com/
Hping: www.hping.org/download