CEH v5 Module 02 Foot Printing

Apr 09, 2018

8/8/2019 CEH v5 Module 02 Foot Printing

Ethical Hacking Version 5

Module II: Footprinting


EC-Council Copyright by EC-Council

    All Rights reserved. Reproduction is strictly prohibited

    Scenario

Mason is fuming with anger! The notebook which he had ordered online from Xmachi Inc. did not have the configuration that he had requested.

When contacted, the customer care department gave a cold response. Vengeance crept into his mind. Finally, he decided to teach the notebook manufacturer a lesson.

    Being a Network Administrator of his firm, he knew exactly what he was supposed to do.

    What will Mason do to defame the notebook manufacturer?

    What information will Mason need to achieve his goal?


    Security News

    Source Courtesy : http://www.securityfocus.com/news/11412


    Module Objective

    This module will familiarize you with the following:

    Overview of the Reconnaissance Phase

    Footprinting: An Introduction

    Information Gathering Methodology of Hackers

    Competitive Intelligence gathering

    Tools that aid in Footprinting

    Footprinting steps


    Module Flow

    Reconnaissance Phase

Steps to perform Footprinting

Competitive Intelligence Gathering

Information Gathering Methodology

Tools Used for Footprinting

Footprinting


    Revisiting Reconnaissance

Phases of the hacking cycle (figure): Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks

Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack

It involves network scanning, either external or internal, without authorization


    Defining Footprinting

Footprinting is the blueprint of the security profile of an organization, undertaken in a methodological manner

Footprinting is one of the three pre-attack phases. The others are scanning and enumeration

An attacker will spend 90% of the time in profiling an organization and another 10% in launching the attack

Footprinting results in a unique organization profile with respect to networks (Internet/intranet/extranet/wireless) and systems involved


    Information Gathering Methodology

    Unearth initial information

    Locate the network range

    Ascertain active machines

    Discover open ports/access points

    Detect operating systems

    Uncover services on ports

    Map the network


    Unearthing Initial Information

Commonly includes:

Domain name lookup

Locations

Contacts (telephone / mail)

Information sources:

    Open source

    Whois

    Nslookup

    Hacking tool

    Sam Spade


Finding a Company's URL

Search for a company's URL using a search engine such as www.google.com

Type the company's name in the search engine to get the company URL

Google provides rich information to perform passive reconnaissance

Check newsgroups, forums, and blogs for sensitive information regarding the network


    Internal URL

By taking a guess, you may find an internal company URL

You can gain access to internal resources by typing an internal URL. For example:

beta.xsecurity.com
customers.xsecurity.com
products.xsecurity.com
Partners.xsecurity.com
Intranet.xsecurity.com
Asia.xsecurity.com
Namerica.xsecurity.com
Samerica.xsecurity.com
Japan.xsecurity.com
London.xsecurity.com
Hq.xsecurity.com
Finance.xsecurity.com
www2.xsecurity.com
www3.xsecurity.com


Extracting Archive of a Website

You can get information on a company website since its launch at www.archive.org. For example: www.eccouncil.org

You can see updates made to the website

You can look for employee database, past products, press releases, contact information, and more


    Archive.org Snapshot


Google Search for Company's Info.

Using Google, search company news and press releases. From this information, get the company's infrastructure details


    People Search

You can find personal information using People search

For example, http://people.yahoo.com

For example, http://www.intellius.com

You can get details like residential addresses, contact numbers, date of birth, and change of location

You can get satellite pictures of private residences


    People Search Website


    Satellite Picture of a Residence


    Footprinting Through Job Sites

You can gather company infrastructure details from job postings

Look for company infrastructure postings, such as "looking for system administrator to manage Solaris 10 network". This means that the company has Solaris networks on site

E.g., www.jobsdb.com

Job requirements

Employee profile

Hardware information

    Software information


    Footprinting Through Job Sites



    Passive Information Gathering

To understand the current security status of a particular Information System, organizations perform either a Penetration Testing or other hacking techniques

Passive information gathering is done by finding out the details that are freely available over the Internet and by various other techniques, without directly coming in contact with the organization's servers

Organizational and other informative websites are exceptions, as the information gathering activities carried out by an attacker do not raise suspicion


    Competitive Intelligence Gathering

Business moves fast. Product cycles are measured in months, not years. Partners become rivals quicker than you can say "breach of contract". So how can you possibly hope to keep up with your competitors if you can't keep an eye on them?

Competitive intelligence gathering is the process of gathering information about your competitors from resources such as the Internet

The competitive intelligence is non-interfering and subtle in nature

Competitive intelligence is both a product and a process


Competitive Intelligence Gathering (contd)

The various issues involved in competitive intelligence are:

Data gathering

Data analysis

Information verification

Information security

Cognitive hacking:

Single source

Multiple source


Why Do You Need Competitive Intelligence?

Compare your products with that of your competitors' offerings

Analyze your market positioning compared to the competitors

Pull up list of competing companies in the market

Extract salespersons' war stories on how deals are won and lost in the competitive arena

Produce a profile of CEO and the entire management staff of the competitor

Predict their tactics and methods based on their previous track record


Competitive Intelligence Resource: http://www.bidigital.com/ci/


Companies Providing Competitive Intelligence Services

Carratu International http://www.carratu.com

    CI Center http://www.cicentre.com

    CORPORATE CRIME MANAGEMENT http://www.assesstherisk.com

    Marven Consulting Group http://www.marwen.ca

    SECURITY SCIENCES CORPORATION http://www.securitysciences.com

    Lubrinco http://www.lubrinco.com


Competitive Intelligence - When Did This Company Begin? How Did It Develop?

Laser D for Annual Reports to Stockholders & 10-Ks (Reference Room - workstation #12)

EDGAR database - for 10-K and other reports filed with the SEC (also Business Database Selection Tool)

International Directory of Company Histories (Reference - HD 2721 D36)

Mergent Online - company history and joint ventures (Business Database Selection Tool)

Notable Corporate Chronologies (Reference - HD 2721 N67 1995)

ORION, UCLA's Online Library Information System (Business Database Selection Tool)

    Enter Search Terms: general electric [for books on GE] , click on button: Search Subject Words


Competitive Intelligence - Who Leads This Company?

ABI/INFORM Global (Business Database Selection Tool) Search for: microsoft in Subject; AND; biographies in Subject; Search

Hoover's Online - Company Profile includes Key People. (Business Database Selection Tool)

Also in print as Hoover's Handbook of American Business (Reference - HG 4057 A28617)

National Newspaper Index (Business Database Selection Tool)

Type in: exxon ; Search

Reference Book of Corporate Managements (Reference Index Area, section 5)

    Who's Who in Finance and Industry (Reference Index Area, section 5)


Competitive Intelligence - What Are This Company's Plans?

ABI/INFORM Global (Business Database Selection Tool) Search for: mci in Company/Org.; AND; alliances in Subject; OR; market strategy in Subject; Search

LexisNexis Academic (Business Database Selection Tool) Business; Industry & Market; Keyword: Palm; Industry: Computer & Telecom; Date: Previous six months; Search

Business & Industry (Web) (Business Database Selection Tool) 200X BUS_IND, Open; Search/Modify, Company Name; Search/Modify, Business Subject, Modify: Company Forecasts; OK

Factiva (Business Database Selection Tool) Enter free-text terms: intel near plans; Select date: in the last year; Select sources: All Content; Run Search


Competitive Intelligence - What Does Expert Opinion Say About The Company?

ABI/INFORM Global [academics] (Business Database Selection Tool)

First Call [analyst reports] (Business Database Selection Tool)

FINDEX: Directory of Market Research Reports (Reference - HF 5415.2 F493)

Market Research Monitor (Business Database Selection Tool)

Multex [analyst reports] (Business Database Selection Tool)

Nelson's Directory of Investment Research (Reference - HG 4907 N43)

Wall Street Transcript "TWST Roundtable Forums" and "CEO Forums" Features (Unbound Periodicals - 2nd floor) [analysts' discussion of a given industry, see this sample issue with Semiconductor Equipment Industry Roundtable]


Competitive Intelligence - Who Are The Leading Competitors?

Business Rankings Annual (Reference - HG 4057 A353)

Hoover's Online - Top Competitors free, More Competitors available, use (Business Database Selection Tool)

Market Share Reporter (Reference - HF 5410 M37)

U.S. Patent and Trademark Office [identify players in emerging product areas, see also other patent resources]

Reference USA [companies by SICs and more] (Business Database Selection Tool)

TableBase (Web) [find market shares within articles] (Business Database Selection Tool)

Ward's Business Directory of U.S. Private and Public Companies (Reference Room, Index Section 1)

World Market Share Reporter (Reference - HF 1416 W67)


    Public and Private Websites

A company might maintain public and private websites for different levels of access

Footprint an organization's public www servers. Example:

www.xsecurity.com

www.xsecurity.net

Footprint an organization's sub domains (private). Example:

    http://partners.xsecurity.com

    http://intranet.xsecurity.com

    http://channels.xsecurity.com

    http://www2.xsecurity.com
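The guessable internal hostnames listed under "Internal URL" earlier and the public versus private sub-domains on this slide come down to one defensive check: which names in the public zone advertise an internal resource or point at a private address. The Python script below is an added example and is not part of the EC-Council courseware; the zone content, the label list and the ".internal." naming pattern are constructed assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample zone export (not a real organisation's zone). One record per line in
# "name type value" form, the way a BIND-style dump or a provider's CSV export looks.
SAMPLE_ZONE = """\
www        A      203.0.113.10
www2       A      203.0.113.11
partners   A      203.0.113.20
intranet   A      10.20.30.40
beta       CNAME  staging-01.internal.example.net.
finance    A      192.168.5.12
hq         A      203.0.113.30
mail       A      203.0.113.25
"""

# Labels that announce an internal or non-public purpose; taken from the module's own list
# of guessable internal hostnames (beta, intranet, finance, hq, partners, www2, ...).
INTERNAL_LABELS = {"beta", "customers", "products", "partners", "intranet",
                   "hq", "finance", "www2", "www3"}

# Address space that has no business appearing in a public zone (RFC 1918, loopback,
# link-local, IPv6 ULA). Checked explicitly rather than via ipaddress.is_private, because
# is_private also flags the documentation ranges used in the sample above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7")]

# Assumed naming convention for internal-only zones (hypothetical; adjust to your own).
INTERNAL_TARGET_RE = re.compile(r"\.(internal|corp|lan)\.", re.I)


def parse_zone(text):
    """Parse 'name type value' lines into (name, rtype, value); blank and ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        records.append((name.lower(), rtype.upper(), value))
    return records


def is_private_target(value):
    """True if value is an IP address inside one of PRIVATE_NETS (non-addresses are False)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def audit_zone(text):
    """Return (name, reason) findings: names an attacker could guess or learn from the zone."""
    findings = []
    for name, rtype, value in parse_zone(text):
        if rtype in ("A", "AAAA") and is_private_target(value):
            findings.append((name, f"public {rtype} record points at private address {value}"))
        if name in INTERNAL_LABELS:
            findings.append((name, "label suggests an internal or non-public resource"))
        if rtype == "CNAME" and INTERNAL_TARGET_RE.search(value):
            findings.append((name, f"CNAME leaks an internal target name: {value}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_zone(SAMPLE_ZONE):
        print(f"{name:<10} {reason}")
```

Run it against an export of your own zone before someone runs a sub-domain guesser against it: every finding is a name that belongs in internal-only (split-horizon) DNS, or behind a label that does not announce its purpose.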


    DNS Enumerator

DNS Enumerator is an automated sub-domain retrieval tool. It scans Google to extract the results


    SpiderFoot

SpiderFoot is a free, open-source, domain footprinting tool which will scrape the websites on that domain, as well as search Google, Netcraft, Whois, and DNS to build up information like:

Subdomains

Affiliates

Web server versions

Users (i.e. /~user)

Similar domains

Email addresses

Netblocks


    SpiderFoot


    Sensepost Footprint Tools - 1 www.sensepost.com

    BiLE.pl

BiLE leans on Google and HTTrack to automate the collection of links to and from the target site, and then applies a simple statistical weighing algorithm to deduce which websites have the strongest relationships with the target site

Command: perl BiLE.pl www.sensepost.com sp_bile_out.txt

BiLE-weigh.pl

BiLE-weigh takes the output of BiLE and calculates the significance of each site found

Command: perl bile-weigh.pl www.sensepost.com sp_bile_out.txt.mine out.txt

    tld-expand.pl

    The tld-expand.pl script is used to find domains in any other TLDs

    Command: perl exp-tld.pl [input file] [output file]


    Sensepost Footprint Tools - 2 www.sensepost.com

vet-IPrange.pl

The results from BiLE-weigh list a number of domains with their relevance to the target website

Command: perl vet-IPrange.pl [input file] [true domain file] [output file]

qtrace.pl

qtrace is used to plot the boundaries of networks. It uses a heavily modified traceroute using a custom compiled hping to perform multiple traceroutes to boundary sections of a class C network

Command: perl qtrace.pl [ip_address_file] [output_file]

vet-mx.pl

The tool performs MX lookups for a list of domains, and stores each IP it gets in a file

Command: perl vet-mx.pl [input file] [true domain file] [output file]


    Sensepost Footprint Tools - 3 www.sensepost.com

jarf-rev

jarf-rev is used to perform a reverse DNS lookup on an IP range. All reverse entries that match the filter file are displayed to screen

Command: perl jarf-rev [subnetblock]

perl jarf-rev 192.168.37.1-192.168.37.118

jarf-dnsbrute

The jarf-dnsbrute script is a DNS brute forcer, for when DNS zone transfers are not allowed. jarf-dnsbrute will perform forward DNS lookups using a specified domain name with a list of names for hosts.

Command: perl jarf-dnsbrute [domain_name] [file_with_names]


    Wikito Footprinting Tool


    Web Data Extractor Tool

Use this tool to extract a targeted company's contact data (email, phone, fax) from the Internet

Extract URL, meta tag (title, desc, keyword) for website promotion, search directory creation, web research


    Additional Footprinting Tools

Whois

Nslookup

ARIN

Neo Trace

VisualRoute Trace

SmartWhois

eMailTrackerPro

Website watcher

Google Earth

GEO Spider

HTTrack Web Copier

E-mail Spider


    Whois Lookup

With whois lookup, you can get personal and contact information. For example, www.samspade.com


    Whois

Registrant: targetcompany (targetcompany-DOM)
# Street Address
City, Province, State, Pin, Country
Domain Name: targetcompany.COM

Domain servers in listed order:
NS1.WEBHOST.COM XXX.XXX.XXX.XXX
NS2.WEBHOST.COM XXX.XXX.XXX.XXX

Administrative Contact:
Surname, Name (SNIDNo-ORG) [email protected] (targetcompany-DOM)
# Street Address
City, Province, State, Pin, Country
Telephone: XXXXX Fax: XXXXX

Technical Contact:
Surname, Name (SNIDNo-ORG) [email protected] (targetcompany-DOM)
# Street Address
City, Province, State, Pin, Country
Telephone: XXXXX Fax: XXXXX
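What a whois record hands a footprinter is easiest to see by parsing one. The script below is an added example, not part of the courseware and not the Sam Spade tool's code; the record it parses is constructed to mirror the template above (the street address, contact names, numbers and e-mail addresses are invented, the name-server addresses are from the 198.51.100.0/24 documentation range, and the technical contact is shown as a registrar privacy proxy to contrast the two cases).

```python
import re

# Constructed whois record mirroring the slide's template. Everything in it is invented.
SAMPLE_WHOIS = """\
Registrant: targetcompany (targetcompany-DOM)
   12 Example Street
   Sampletown, Province, State, 000000, Country

Domain Name: TARGETCOMPANY.COM

Domain servers in listed order:
   NS1.WEBHOST.COM   198.51.100.1
   NS2.WEBHOST.COM   198.51.100.2

Administrative Contact:
   Surname, Name (SN12-ORG)   admin@targetcompany.com
   Telephone: +1 555 0100   Fax: +1 555 0101

Technical Contact:
   Surname, Name (SN13-ORG)   privacy@registrar.example
   Telephone: REDACTED   Fax: REDACTED
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"Telephone:\s*(.+?)\s+Fax:\s*(.+)$")


def parse_whois(text):
    """Split a whois record into registrant, domain, name servers and per-role contact details."""
    result = {"registrant": None, "domain": None, "name_servers": [], "contacts": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Domain Name:\s*(\S+)", line, re.I)
        if m:
            result["domain"] = m.group(1).lower()
            continue
        if line.startswith("Registrant:"):
            result["registrant"] = line.split(":", 1)[1].strip()
            section = "registrant"
            continue
        if line.lower().startswith("domain servers"):
            section = "ns"
            continue
        if line.endswith("Contact:"):
            section = line[:-len(" Contact:")].strip().lower()   # "administrative", "technical"
            result["contacts"][section] = {"emails": [], "phones": []}
            continue
        if section == "ns":
            result["name_servers"].append(line.split()[0].lower())   # host name, not the glue IP
        elif section in result["contacts"]:
            contact = result["contacts"][section]
            contact["emails"] += EMAIL_RE.findall(line)
            pm = PHONE_RE.search(line)
            if pm:
                contact["phones"] += [p for p in pm.groups() if p.upper() != "REDACTED"]
    return result


def exposed_pii(parsed, company_domain):
    """Roles whose e-mail is on the company's own domain or whose phone numbers are published:
    the personal and contact information a whois lookup gives away, and what a registrar
    privacy service would replace with proxy values."""
    exposed = []
    for role, contact in parsed["contacts"].items():
        own_emails = [e for e in contact["emails"] if e.lower().endswith("@" + company_domain)]
        if own_emails or contact["phones"]:
            exposed.append((role, own_emails, contact["phones"]))
    return exposed


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    print("domain:", record["domain"], "name servers:", record["name_servers"])
    for role, emails, phones in exposed_pii(record, record["domain"]):
        print(f"{role}: emails={emails} phones={phones}")
```

exposed_pii() returns only the administrative contact: the technical contact's e-mail is on the registrar's domain and its numbers are redacted, which is what enabling registrar privacy on the administrative contact would also produce.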


    Online Whois Tools

    www.samspade.org www.geektools.com www.whois.net www.demon.net


    Nslookup

    http://www.btinternet.com/~simon.m.parker/IP-utils/nslookup_download.htm

Nslookup is a program to query Internet domain name servers. Displays information that can be used to diagnose Domain Name System (DNS) infrastructure

Helps find additional IP addresses if authoritative DNS is known from whois

MX record reveals the IP of the mail server

Both Unix and Windows come with a Nslookup client

Third party clients are also available, for example, Sam Spade


    Extract DNS information

Using www.dnsstuff.com, you can extract DNS information such as:

Mail server extensions

IP addresses


    Snapshot


    Types of DNS Records


    Necrosoft Advanced DIG

Necrosoft Advanced DIG (ADIG) is a TCP-based DNS client that supports most of the available options, including AXFR zone transfer


    Locate the Network Range

Commonly includes:

Finding the range of IP addresses

Discerning the subnet mask

Information Sources:

ARIN (American Registry of Internet Numbers)

Traceroute

Hacking Tool:

NeoTrace

Visual Route


    ARIN

    http://www.arin.net/whois/

ARIN allows searches on the whois database to locate information on a network's autonomous system numbers (ASNs), network-related handles, and other related point of contact (POC)

ARIN whois allows querying the IP address to help find information on the strategy used for subnet addressing


    Screenshot: ARIN Whois Output

ARIN allows searches on the whois database to locate information on a network's autonomous system numbers (ASNs), network-related handles, and other related point of contact (POC).


    Traceroute

Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live

Traceroute reveals the path IP packets travel between two systems by sending out consecutive sets of UDP or ICMP packets with ever-increasing TTLs

As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, that router sends back a "TTL exceeded" message (using ICMP) to the originator

Routers with reverse DNS entries may reveal the name of routers, network affiliation, and geographic location


    Trace Route Analysis

Traceroute is a program that can be used to determine the path from source to destination

By using this information, an attacker determines the layout of a network and the location of each device

For example, after running several traceroutes, an attacker might obtain the following information:

traceroute 1.10.10.20, second to last hop is 1.10.10.1

traceroute 1.10.20.10, third to last hop is 1.10.10.1

traceroute 1.10.20.10, second to last hop is 1.10.10.50

traceroute 1.10.20.15, third to last hop is 1.10.10.1

traceroute 1.10.20.15, second to last hop is 1.10.10.50

By putting this information together we can diagram the network (see the next slide)


    Trace Route Analysis

Network diagram (figure) showing the hacker, the DMZ zone and these nodes:

1.10.10.1 Router

1.10.10.50 Firewall

1.10.20.10 Web Server

1.10.20.15 Mail Server

1.10.20.50 Firewall

20.20.10.20 Bastion Host
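The two slides above (how TTL expiry produces the hop list, and how hops shared across several traces reveal the layout) can be reproduced offline. The Python below is an added example, not from the courseware: it simulates traceroute over a constructed, simplified version of the diagram (a router at 1.10.10.1 in front of a firewall at 1.10.10.50 in front of the DMZ hosts; the second firewall and the bastion host are omitted, and "attacker" is an assumed name for the tracing host) and then derives each node's upstream hop from the traces, which is the inference the slide performs by hand.

```python
from collections import defaultdict

# Constructed topology: a simplified version of the slide's diagram (assumption). Each router's
# table maps a destination prefix to the next hop; "direct" means the destination is attached.
NEXT_HOP = {
    "attacker":   {"default": "1.10.10.1"},
    "1.10.10.1":  {"1.10.10.": "direct", "1.10.20.": "1.10.10.50"},   # edge router
    "1.10.10.50": {"1.10.20.": "direct"},                               # firewall in front of the DMZ
}
HOSTS = ("1.10.10.20", "1.10.20.10", "1.10.20.15")   # host, web server, mail server


def next_hop(node, dst):
    """First matching prefix wins, else the default route; None when there is no route."""
    table = NEXT_HOP[node]
    for prefix, hop in table.items():
        if prefix != "default" and dst.startswith(prefix):
            return dst if hop == "direct" else hop
    return table.get("default")


def traceroute(src, dst, max_ttl=30):
    """Simulate traceroute. Probe k carries TTL k; each router decrements it, and the router
    that takes it to zero answers with ICMP Time Exceeded, which is how its address is learnt.
    The destination answers the final probe itself. A hop with no route is recorded as '*'."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        node, remaining = src, ttl
        while True:
            node = next_hop(node, dst)
            if node is None:
                return hops + ["*"]
            remaining -= 1
            if node == dst:
                hops.append(node)       # reached the target: the reply comes from the host itself
                return hops
            if remaining == 0:
                hops.append(node)       # TTL hit zero here: this router sends Time Exceeded
                break
    return hops


def infer_links(traces, src="attacker"):
    """Derive each node's upstream hop(s) from several hop lists. Hosts that share the same
    second-to-last hop sit behind the same device, which is how the slide places the firewall
    at 1.10.10.50 in front of both DMZ servers and the router at 1.10.10.1 in front of it."""
    parents = defaultdict(set)
    for path in traces:
        full = [src] + path
        for prev, cur in zip(full, full[1:]):
            parents[cur].add(prev)
    return {node: sorted(p) for node, p in parents.items()}


if __name__ == "__main__":
    traces = [traceroute("attacker", h) for h in HOSTS]
    for h, t in zip(HOSTS, traces):
        print(f"traceroute {h}: {' -> '.join(t)}")
    for node, ups in infer_links(traces).items():
        print(f"{node} sits behind {', '.join(ups)}")
```

A destination with no route comes back as '*', the same way a hop that never answers shows up in a real trace; a router that drops or rate-limits its outbound ICMP Time Exceeded messages withholds exactly the shared-hop evidence that infer_links() relies on.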


    3D Traceroute

3D Traceroute is a full-blown three-dimensional traceroute program that allows you to visually monitor Internet connectivity

It offers an attractive and fast loading 3D interface as well as optional text results

Tool: NeoTrace (Now McAfee Visual Trace)

NeoTrace shows the traceroute output visually: map view, node view, and IP view


    GEOSpider

GEO Spider helps you to detect, identify and monitor your network activity on a world map

You can see website and IP address location on the Earth

GEO Spider can trace a hacker, investigate a website, trace a domain name


    Geowhere Footprinting Tool

Geowhere handles many popular newsgroups to find answers to your queries in an easy and fast manner

Geowhere can also seek information from country specific search engines for better results

Use Geowhere to footprint an organization

Newsgroups Search

Mailing list finder

Easy Web Search

Daily News


    Tool: Path Analyzer Pro - http://vostrom.com

Path Analyzer Pro integrates the world's most advanced route tracing software with performance measurements, DNS, whois, and specialized network resolution in footprinting a target network

Research IP addresses, e-mail addresses, and network paths

Pinpoint and troubleshoot network availability and performance issues

Determine what ISP, router, or server is responsible for a network problem

Locate firewalls and other filters that may be impacting your connections

Visually analyze a network's path characteristics

Graph protocol latency, jitter and other factors

Trace actual applications and ports, not just IP hops

Generate, print, and export a variety of impressive reports

    Perform continuous and timed tests with real-time reporting and history

    Note: This slide is not in your courseware

    Path Analyzer Pro Screenshot


    GoogleEarth

Google Earth puts a planet's worth of imagery and other geographic information right on your desktop

You can footprint the location of a place using Google Earth

Valuable tool for hackers


    GoogleEarth (Chicago)

    GoogleEarth Showing Pentagon


    Tool: VisualRoute Trace


    www.visualware.com/download/

It shows the connection path and the places where bottlenecks occur

Kartoo Search Engine (kartoo.com)


    www.kartoo.com

    Touchgraph Visual Browser

    www.touchgraph.com

    Tool: SmartWhois

    http://www.softdepia.com/smartwhois_download_491.html

    SmartWhois is a useful network information utility that allows you to find out all available information about an IP address, host name, or domain, including country, state or province, city, name of the network provider, administrator, and technical support contact information

    Unlike standard Whois utilities, SmartWhois can find the information about a computer located in any part of the world, intelligently querying the right database and delivering all the related records within a short time

    VisualRoute Mail Tracker

    It shows the number of hops made and the respective IP addresses, the node name, location, time zone, and network

    Tool: eMailTrackerPro

    eMailTrackerPro is an email analysis tool that analyzes an email and its headers automatically and provides graphical results

    Tool: Read Notify

    www.readnotify.com

    Mail Tracking is a tracking service that allows you to track when your mail was read, for how long and how many times, and the place from where the mail has been posted. It also records forwards and passing of sensitive information (MS Office format)
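The mail-tracker and read-receipt tools on the preceding slides (VisualRoute Mail Tracker, eMailTrackerPro, Read Notify) are screenshots; the following added example, which is not part of the CEH slides or any of those products, shows the two things they do from a defender's side: it reconstructs the hop path from an email's Received headers and it flags the remote 1x1 image that a read-tracking service relies on. The raw message, its hosts and its IP addresses are constructed for the example.

```python
"""Added example (not part of the CEH slides): reconstruct the delivery path
of an email from its Received headers and flag remote-image tracking beacons
of the kind read-receipt services insert. The raw message below is constructed
for this example; the hosts and addresses in it are placeholders."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message: three Received hops and an HTML body that
# embeds a 1x1 remote image (a typical read-tracking beacon).
RAW_MESSAGE = b"""\
Received: from mx-in.example.net (mx-in.example.net [203.0.113.10])
\tby mail.example.org with ESMTP id abc123
\tfor <alice@example.org>; Mon, 1 Jan 2018 10:00:03 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx-in.example.net with ESMTPS; Mon, 1 Jan 2018 10:00:01 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
\tby relay.example.com with ESMTPA; Mon, 1 Jan 2018 09:59:58 +0000
From: sender@example.com
To: alice@example.org
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the attached figures.</p>
<img src="https://track.example-tracker.test/open/4f2a.gif" width="1" height="1">
<img src="cid:logo" alt="company logo">
</body></html>
"""

# "from <helo> (<rdns> [<ip>]) by <host>" is the common shape of a Received
# header; tolerate a missing rDNS part and a bracketed address-literal HELO.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\[?[\w.\-]+\]?)"
    r"(?:\s+\((?P<rdns>[\w.\-]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r".*?\bby\s+(?P<by>[\w.\-]+)"
)

def parse_hops(raw):
    """Return the hops in transit order (origin first) as dicts with the
    HELO name, the connecting IP and the receiving host. Each MTA prepends
    its Received header, so header order is reversed for chronology."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = _RECEIVED_RE.search(" ".join(value.split()))  # unfold whitespace
        if not m:
            continue
        hops.append({"helo": m.group("helo"), "ip": m.group("ip"),
                     "by": m.group("by")})
    return hops

def find_tracking_beacons(raw):
    """Return remote image URLs in the HTML body that look like read-receipt
    beacons: fetched from a host over HTTP(S) and sized 1x1 or unsized."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    html = body.get_content()
    beacons = []
    for tag in re.findall(r"<img\b[^>]*>", html, re.IGNORECASE):
        src = re.search(r'src\s*=\s*"([^"]+)"', tag, re.IGNORECASE)
        if not src or not src.group(1).lower().startswith(("http://", "https://")):
            continue  # inline (cid:) or data: images cannot phone home
        w = re.search(r'width\s*=\s*"?(\d+)', tag, re.IGNORECASE)
        h = re.search(r'height\s*=\s*"?(\d+)', tag, re.IGNORECASE)
        tiny = (w is not None and h is not None
                and int(w.group(1)) <= 1 and int(h.group(1)) <= 1)
        if tiny or (w is None and h is None):
            beacons.append(src.group(1))
    return beacons

if __name__ == "__main__":
    for n, hop in enumerate(parse_hops(RAW_MESSAGE), 1):
        print(f"hop {n}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    print("tracking beacons:", find_tracking_beacons(RAW_MESSAGE))
```

Only the Received header added by your own mail server can be trusted; a sender can forge the earlier ones, so the hop list is evidence to correlate, not proof of origin. Blocking remote image loading by default in the mail client is what defeats the read-receipt beacon.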

    HTTrack Web Site Copier

    This tool mirrors an entire website to the desktop

    You can footprint the contents of an entire website locally rather than visiting the individual pages

    Valuable footprinting tool

    Web Ripper Tool

    robots.txt

    This page, located at the root folder, holds a list of directories and other resources on a site that the owner does not want to be indexed by search engines

    All search engines comply with robots.txt. You might not want private data and sensitive areas of a site, such as script and binary locations, indexed

    Robots.txt file:

    User-agent: *
    Disallow: /cgi-bin
    Disallow: /cgi-perl
    Disallow: /cgi-store
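The robots.txt file is world-readable and advisory: a compliant search engine skips the listed paths, but anyone footprinting the site reads the list as a map of what the owner considers sensitive. The following added example (not part of the CEH slides) parses a robots.txt file into per-agent rules and reports the Disallow entries that disclose script, admin or archive locations, the cases where access control rather than a Disallow line is the right protection. The file content and the list of sensitive path hints are constructed for the example.

```python
"""Added example (not part of the CEH slides): parse a robots.txt file and
report what it discloses. robots.txt is advisory and world-readable, so any
"private" path listed in it is advertised, not protected. The file content
below is constructed for this example."""

# Constructed robots.txt: the slide's three cgi entries plus a few entries of
# the kind that disclose sensitive locations.
SAMPLE_ROBOTS = """\
# site robots policy
User-agent: *
Disallow: /cgi-bin
Disallow: /cgi-perl
Disallow: /cgi-store
Disallow: /admin/
Disallow: /backup/site-2018.tar.gz
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
"""

# Path fragments that usually point at scripts, admin consoles or archives;
# a heuristic list chosen for this example, not an authoritative one.
SENSITIVE_HINTS = ("cgi", "admin", "backup", "staging", "private", "config",
                   ".tar", ".zip", ".sql", ".bak")

def parse_robots(text):
    """Return {user_agent: {"disallow": [...], "allow": [...]}} in file order.
    A record starts at each User-agent line; comments (after '#') and blank
    lines are ignored, as the robots exclusion format specifies."""
    rules = {}
    current = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            current = rules.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow") and current is not None and value:
            current[field].append(value)
    return rules

def disclosed_paths(rules):
    """Return (agent, path) for every Disallow path matching a sensitive hint."""
    flagged = []
    for agent, rec in rules.items():
        for path in rec["disallow"]:
            if any(hint in path.lower() for hint in SENSITIVE_HINTS):
                flagged.append((agent, path))
    return flagged

if __name__ == "__main__":
    for agent, path in disclosed_paths(parse_robots(SAMPLE_ROBOTS)):
        print(f"[{agent}] robots.txt advertises {path}; "
              "protect it with access control, not a Disallow line")
```

Run it against your own site's robots.txt (fetched separately) as a periodic check; anything it flags should be either removed from the file or placed behind authentication, since a Disallow line does nothing against a crawler that ignores the file.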

    Website Watcher

    Website watchers can be used to get updates on the website

    Can be used for competitive advantage

    How to Setup a Fake Website?

    Mirror the entire website from a target URL. Example: www.xsecurity.com

    Register a fake domain name which sounds like the real website. Example:

    Original website URL: www.xsecurity.com
    Fake website URL: www.x-security.com

    Host the mirrored website on the fake URL website

    Send phishing e-mails to the victim pointing to the fake website

    You must continuously update your fake mirror with the real website

    Real Website

    Fake Website

    Note: This slide is not in your courseware
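The defence against the lookalike domain on this slide (www.x-security.com standing in for www.xsecurity.com) is to watch for such names before the phishing mail arrives. The following added example (not part of the CEH slides) scores domain names taken from a feed such as new-registration lists, certificate transparency logs or outbound proxy logs against a protected domain, and flags hyphen insertion, digit-for-letter substitution, brand embedding and single-character edits. The protected domain, the candidate list and the homoglyph table are constructed for the example; the public-suffix handling is deliberately simplified.

```python
"""Added example (not part of the CEH slides): score domain names seen in a
feed (newly registered domains, certificate transparency logs, proxy logs)
against a protected domain and flag lookalikes such as the slide's
www.x-security.com vs www.xsecurity.com. All names below are constructed."""

PROTECTED = "xsecurity.com"

# Constructed candidate list with a mix of benign and lookalike names.
CANDIDATES = [
    "x-security.com",       # hyphen inserted (the slide's example)
    "xsecurity.net",        # same name, different TLD
    "x5ecurity.com",        # digit-for-letter substitution (5 for s)
    "xsecurity-login.com",  # brand used as a prefix
    "xsecurlty.com",        # one character changed (l for i)
    "example.org",          # unrelated
    "xsec-tools.net",       # shares a prefix only
]

# Digits commonly substituted for the letters they resemble (partial table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def strip_www(domain):
    """Lower-case the name and drop a leading 'www.' label."""
    d = domain.lower().strip(".")
    return d[4:] if d.startswith("www.") else d

def second_level(domain):
    """Return the registrable label. Assumes a single-label suffix such as
    .com or .net; a real deployment would consult the public suffix list."""
    labels = strip_www(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def normalize(label):
    """Fold the transformations lookalikes rely on: hyphens and homoglyphs."""
    return label.replace("-", "").translate(HOMOGLYPHS)

def edit_distance(a, b):
    """Levenshtein distance by dynamic programming over two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, protected=PROTECTED):
    """Return a reason string if the candidate resembles the protected domain,
    else None. The protected domain itself is never flagged."""
    if strip_www(candidate) == protected:
        return None
    brand = second_level(protected)
    label = second_level(candidate)
    if label == brand:
        return "same name under a different TLD"
    if normalize(label) == brand:
        return "hyphen or homoglyph variant"
    if brand in label:
        return "brand embedded in a longer name"
    # Single edits are only meaningful for labels long enough to be distinctive.
    if len(brand) >= 6 and edit_distance(label, brand) <= 1:
        return "one edit away"
    return None

def flag_lookalikes(candidates, protected=PROTECTED):
    """Return [(domain, reason)] for every candidate that classify() flags."""
    flagged = []
    for candidate in candidates:
        reason = classify(candidate, protected)
        if reason:
            flagged.append((candidate, reason))
    return flagged

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(CANDIDATES):
        print(f"{domain}: {reason}")
```

Flagged names are leads for a takedown request, a block on the mail and web gateways, and a user warning; the classifier only scores names it is given, it does not generate them.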

    Website Stealing Tool: Reamweaver

    Reamweaver has everything you need to instantly "steal" anyone's website, copying the real-time "look and feel" but letting you change any words, images, etc. that you choose

    When a visitor visits a page on your stolen (mirrored) website, Reamweaver gets the page from the target domain, changes the words as you specify, and stores the result (along with images, etc.) in the fake website

    With this tool your fake website will always look current; Reamweaver automatically updates the fake mirror when the content changes in the original website

    Download this tool from http://www.eccouncil.org/cehtools/reamweaver.zip

    Note: This slide is not in your courseware

    Reamweaver

    Automatically updates the mirror copy

    Real

    Fake

    Mirrored Fake Website

    Atlanta Credit Union

    Note: This slide is not in your courseware

    E-Mail Spiders

    Have you ever wondered how spammers generate huge mailing databases?

    They pick tons of e-mail addresses from searching the Internet

    All they need is a web spidering tool picking up e-mail addresses and storing them to a database

    If these tools are left running the entire night, they can capture hundreds of thousands of e-mail addresses

    Tools:

    Web Data Extractor

    1st E-mail Address Spider

    1st E-mail Address Spider

    Power E-mail Collector Tool

    Power E-mail Collector is a powerful email address harvesting program

    It can collect up to 750,000 unique valid email addresses per hour with a Cable/DSL connection

    It only collects valid email addresses

    You do not have to worry about ending up with undeliverable addresses

    How does it work? Just enter a domain that you want to collect email addresses from and press the start button. The program opens up many simultaneous connections to the domain and begins collecting addresses

    Brute forced usernames
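Both the site-mirroring tools (HTTrack Web Site Copier) and the address harvester above leave the same trace on the web server: one client fetching many distinct pages in a few seconds, sometimes with a user agent that names the tool. The following added example (not part of the CEH slides or any of these products) parses access-log lines and flags clients by a sliding-window count of distinct paths and by user-agent hints. The log lines, the IP addresses, the thresholds and the hint list are constructed for the example; the HTTrack user agent follows the form of that tool's documented default but is reproduced here as an assumption.

```python
"""Added example (not part of the CEH slides): spot site-mirroring and
address-harvesting crawlers in web server access logs. Mirroring tools and
harvesters that open "many simultaneous connections" show up as one client
fetching many distinct pages in a short window. The log lines below are
constructed (Common Log Format plus referer and user agent); thresholds and
user-agent hints are illustrative choices for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log: one client sweeps the site in seconds, one browses
# normally, one advertises a mirroring tool in its user agent.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2018:10:00:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2018:10:00:01 +0000] "GET /staff HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2018:10:00:01 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2018:10:00:02 +0000] "GET /news/1 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2018:10:00:02 +0000] "GET /news/2 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2018:10:00:03 +0000] "GET /news/3 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2018:10:00:03 +0000] "GET /news/4 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2018:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2018:10:01:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.77 - - [01/Jan/2018:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-agent substrings of mirroring/harvesting tools. "httrack" is the tool
# the slides discuss; the others are assumed names chosen for this example.
CRAWLER_UA_HINTS = ("httrack", "webripper", "harvest", "collector")

def parse_log(text):
    """Yield (ip, timestamp, path, user_agent) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts, m.group("path"), m.group("ua")

def detect_crawlers(text, window=timedelta(seconds=10), max_distinct=5):
    """Return {ip: reason}. An IP is flagged when it fetches more than
    max_distinct distinct paths inside any sliding time window, or when its
    user agent names a known mirroring tool."""
    by_ip = defaultdict(list)
    flagged = {}
    for ip, ts, path, ua in parse_log(text):
        by_ip[ip].append((ts, path))
        if any(hint in ua.lower() for hint in CRAWLER_UA_HINTS):
            flagged[ip] = f"user agent advertises a mirroring tool: {ua}"
    for ip, events in by_ip.items():
        if ip in flagged:
            continue
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = (f"{len(distinct)} distinct paths within "
                               f"{int(window.total_seconds())}s")
                break
    return flagged

if __name__ == "__main__":
    for ip, reason in detect_crawlers(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The distinct-path rule is what catches tools that spoof a browser user agent; tune the window and threshold to the site's real traffic before acting on alerts, and pair the detection with rate limiting and with keeping e-mail addresses out of page source (a contact form rather than a mailto: link) so that a harvester that does get through finds little.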

    Steps to Perform Footprinting

    Find the company's external and internal URLs

    Perform a whois lookup for personal details

    Extract DNS information

    Mirror the entire website and look up names

    Extract archives of the website

    Google search for the company's news and press releases

    Use people search for personal information of employees

    Find the physical location of the web server using the tool NeoTrace

    Analyze the company's infrastructure details from job postings

    Track the email using readnotify.com

    What happened next?

    Mason footprints Xmachi Inc. and gets some critical information which will help him in his assault on the notebook manufacturer.

    Following is a partial list of the information that Mason gathered:

    Domains and sub-domains

    IP address and address range

    Contact details of some employees including the Network Administrator; it included telephone number, email id, and address

    Current technologies

    DNS information

    Firewalls

    Mason now has enough information to bring down the network of Xmachi Inc.

    Summary

    The information gathering phase can be categorized broadly into seven phases

    Footprinting renders a unique security profile of a target system

    Whois and ARIN can reveal public information of a domain that can be leveraged further

    Traceroute and mail tracking can be used to target a specific IP, and later for IP spoofing

    Nslookup can reveal specific users, and zone transfers can compromise DNS security