8/17/2019 Footprinting Project
Footprinting MEMBERS
Name Fathername
Jafar Mehr ali
Mustafa Karim
Ali Zamen
Alireza Noormohammad
Abdul khaliq Mohammad Halim
Hussein Ahmad
Rahman
Aliakbar
Footprinting
• Definition: the gathering of information about a potential system or network
• a.k.a. fingerprinting
• Attacker’s point of view
  • Identify potential target systems
  • Identify which types of attacks may be useful on target systems
• Defender’s point of view
  • Know available tools
  • May be able to tell if system is being footprinted, be more prepared for possible attack
  • Vulnerability analysis: know what information you’re giving away, what weaknesses you have
Information to Gather
• System (Local or Remote)
  • IP Address, Name and Domain
  • Operating System
    • Type (Windows, Linux, Solaris, Mac)
    • Version (98/NT/2000/2003/XP/Vista/7, Redhat, Fedora, SuSe, Ubuntu, OS X)
  • Usernames (and their passwords)
  • File structure
  • Open Ports (what services/programs are running on the system)
Information to Gather (2)
• Networks / Enterprises
  • System information for all hosts
  • Network topology
    • Gateways
    • Firewalls
    • Overall topology
  • Network traffic information
  • Specialized servers
    • Web, Database, FTP, Email, etc.
Defender Perspective
• Identify information you’re giving away
• Identify weaknesses in systems/network
• Know when systems/network is being probed
• Identify source of probe
• Develop awareness of threat
• Construct audit trail of activity
Tools - Linux
• Some basic Linux tools - lower level utilities
• Local System
  • hostname
  • ifconfig
  • who, last
• Remote Systems
  • ping
  • traceroute
  • nslookup, dig
  • whois
  • arp, netstat (also local system)
Tools - Linux (2)
• Other utilities
  • wireshark (packet sniffing)
  • nmap (port scanning) - more later
• Ubuntu Linux
  • Go to System / Administration / Network Tools – get interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois
hostname
• Determine host name of current system
• Usage: hostname
• E.g. hostname localhost.localdomain // default
• E.g. hostname mobile.cs.uwec.edu
ifconfig
• Configure network interface
• Tells current IP numbers for host system
• Usage: ifconfig
• E.g. ifconfig // command alone: display status
  eth0  Link encap: Ethernet  HWaddr 00:0C:29:CD:F6:D3
        inet addr: 192.168.172.128
        . . .
  lo    Link encap: Local Loopback
        inet addr: 127.0.0.1
        . . .
who
• Basic tool to show users on current system
• Useful for identifying unusual activity (e.g. activity by newly created accounts or inactive accounts)
• Usage: who
• E.g. who
  root  tty1  Jan 9 12:46
  paul  tty2  Jan 9 12:52
last
• Show last N users on system
  • Default: since last cycling of file
  • -N: last N lines
• Useful for identifying unusual activity in recent past
• Usage: last [-n]
• E.g. last -3
  wagnerpj  pts/1  137.28.253.254  Sat Feb 5 15:40   still logged in
  flinstf   pts/0  137.28.191.74   Sat Feb 5 15:38   still logged in
  rubbleb   pts/0  c48.someu.edu   Sat Feb 5 14:38 - 15:25 (00:46)
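The check that the who and last slides describe (spotting logins that look unusual), as an added example that is not part of the original slides: it flags remote logins in last-style output whose source lies outside a trusted prefix. The sample lines are constructed from the slide's output plus a console login and pseudo entries; the prefix 137.28. and the function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): flag remote logins in
# `last`-style output whose source falls outside a trusted prefix.
# SAMPLE is constructed; the trusted prefix "137.28." is an assumption.

SAMPLE='wagnerpj pts/1 137.28.253.254 Sat Feb  5 15:40   still logged in
flinstf  pts/0 137.28.191.74  Sat Feb  5 15:38   still logged in
rubbleb  pts/0 c48.someu.edu  Sat Feb  5 14:38 - 15:25  (00:46)
root     tty1                 Sat Feb  5 12:46 - 12:52  (00:06)
reboot   system boot 2.6.9    Sat Feb  5 12:40

wtmp begins Tue Feb  1 09:00:00 2005'

# usage: last | flag_untrusted_logins TRUSTED_PREFIX
# Prints "user source tty" for each remote login outside the prefix.
# Sources shown as host names never match a numeric prefix, so they are
# reported for manual review rather than silently trusted.
flag_untrusted_logins() {
    awk -v prefix="$1" '
        # blank lines, reboot records and the "wtmp begins" trailer
        NF < 3 || $1 == "reboot" || $1 == "wtmp" { next }
        # console login: field 3 is already the weekday, no remote host
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        # remote login whose source does not start with the trusted prefix
        index($3, prefix) != 1 { print $1, $3, $2 }
    '
}

printf '%s\n' "$SAMPLE" | flag_untrusted_logins "137.28."
```
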
traceroute
• Potential Uses
  • Determine physical location of machine
  • Gather network information (gateway, other internal systems)
  • Find system that’s dropping your packets – evidence of a firewall
• Notes
  • Can use UDP or ICMP packets
  • Results often limited by firewalls
  • Several GUI-based traceroute utilities available
• Usage: traceroute system
• E.g. traceroute cs.umn.edu
traceroute example - Success
C:\Users\Temp>tracert telkomuniversity.ac.id
Tracing route to telkomuniversity.ac.id [10.14.203.238]
over a maximum of 30 hops:
1 1 ms
traceroute example - blocked
C:\Users\Temp>tracert detik.com
Tracing route to detik.com [203.190.242.69]
over a maximum of 30 hops:
1 1 ms 1 ms 2 ms 192.168.60.1
2 5 ms 2 ms 2 ms 10.11.221.1
3 4 ms 9 ms 3 ms 10.0.0.254
4 * * * Request timed out.
5 * * * Request timed out.
Trace complete.
C:\Users\Temp>
Visual Traceroute Example
whois
• Potential Uses
  • Queries nicname/whois servers for Internet registration information
  • Can gather contacts, names, geographic information, servers, … - useful for social engineering attacks
• Notes
  • Usage: whois domain
  • e.g. whois telkomuniversity.ac.id
whois example - wildcards
• whois uw%.edu
Your search has matched multiple domains.
Below are the domains you matched (up to 100). For specific
information on one of these domains, please search on that domain.
UW.EDU
UWA.EDU
UWB.EDU
UWC.EDU
UWEC.EDU
UWEST.EDU
UWEX.EDU
….
nslookup
• Potential Uses
  • Query internet name servers
  • Find name for IP address, and vice versa
• Notes
  • Now deprecated – generally use dig
  • Sometimes useful when dig fails
• Usage
  • nslookup xxxxxxx // name or IP addr.
  • E.g. nslookup academic.telkomuniversity.ac.id
  • E.g. dig academic.telkomuniversity.ac.id
dig
• Potential Uses
  • Domain Name Service (DNS) lookup utility
  • Associate name with IP address and vice versa
• Notes
  • Many command options
• General usage: dig
• E.g. dig academic.telkomuniversity.ac.id
• E.g. dig -x 10.14.203.238 // reverse lookup (IP address to name) needs -x
arp
• Tracks addresses, interfaces accessed by system
• Possible uses
  • Find systems that your system has recently talked to
• Notes
  • arp // display names
  • arp -n // display numeric addresses
netstat
• Shows connections, routing information, statistics
• Possible uses
  • find systems that your system has recently talked to, find recently used ports
• Notes
  • Many flags
  • netstat // open sockets, etc.
  • netstat -s // summary statistics
  • netstat -r // routing tables
  • netstat -p // programs
  • netstat -l // listening sockets
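One way to use the listening-socket view from the defender's side, as an added example that is not part of the original slides: compare `netstat -ltn` output with a baseline of ports the host is meant to expose and report everything else that is reachable from the network. The sample output is constructed, and the baseline "22 80" and the function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): compare `netstat -ltn`-style
# output with a baseline of ports the host is meant to expose.
# SAMPLE is constructed; the baseline "22 80" is an assumption.

SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::3306                 :::*                    LISTEN'

# usage: netstat -ltn | unexpected_listeners "PORT PORT ..."
# Prints "proto local-address" for every TCP listener that is reachable
# from the network and whose port is not in the baseline.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # skip the two header lines and any row that is not a TCP listener
        $1 !~ /^tcp/ || $NF != "LISTEN" { next }
        {
            port = $4
            sub(/.*:/, "", port)                 # keep the text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            # bound to loopback only: not visible to a remote scan
            if (host == "127.0.0.1" || host == "::1") next
            if (!(port in ok)) print $1, $4
        }
    '
}

printf '%s\n' "$SAMPLE" | unexpected_listeners "22 80"
```
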
Windows Tools
• Sam Spade
  • “swiss army knife” of footprinting
  • Has most of the Linux tools
  • Plus other functionality
• Usage
  • Start application
  • Fill in name or IP address
  • Choose option desired in menus
Packet Sniffers
• Definition: Hardware or software that can display network traffic packet information
• Usage
  • Network traffic analysis
• Example packet sniffers
  • tcpdump (command line, Linux)
  • wireshark (GUI interface, Linux, Windows – open source)
  • others…
Limitations – Packet Sniffing
• Packet sniffers only catch what they can see
  • Users attached to hub – can see everything
  • Users attached to switch – only see own traffic
  • Wireless – wireless access point is like hub
• Need to be able to put your network interface card (NIC) in “promiscuous” mode to be able to process all traffic, not just traffic for/from itself
  • NIC must support
  • Need privilege (e.g. root in Linux)
OSI Network Protocol
• Layer 7 – Application (incl. app. content)
• Layer 6 – Presentation
• Layer 5 – Session
• Layer 4 – Transport (incl. protocol, port)
• Layer 3 – Network (incl. source, dest)
• Layer 2 – Data Link
• Layer 1 – Physical
wireshark
• Created as tool to examine network problems in 1997
• Various contributors added pieces; released 1998
• Name change (2007): ethereal -> wireshark
• Works with other packet filter formats
• Information
  • http://www.wireshark.org/
• Demonstration
Using wireshark
• Ubuntu – Applications / Internet / Wireshark (as root)
  • Enter your administrative account pw: user
• Capture/Interfaces/eth0:, Start
  • Capture window shows accumulated totals for different types of packets
• Stop – packets now displayed
• Top window – packet summary
  • Can sort by column – source, destination, protocol are useful
• Middle window – packet breakdown
  • Click on + icons for detail at each packet level
• Bottom window – packet content
Wireshark capture analysis
• Can save a session to a capture file
• Can reopen file later for further analysis
• Open capture file
  • Ubuntu: /home/user/Support/MOBILEcapture.cap
  • W2K3: C:\Support\MOBILEcapture.cap
• Identify and follow different TCP streams
  • Select TCP packet, Analyze/Follow TCP Stream
  • MOBILEcapture.cap has http, https, ftp, ssh streams
  • Any interesting information out there?
  • HINT: follow stream on an ftp packet
Related Tool
• Hunt
  • TCP sniffer
  • Watch and reset connections
  • Hijack sessions
  • Spoof MAC address
  • Spoof DNS name
Related Tool
• EtherPEG – image capture on network
  • http://www.etherpeg.com/
Summary
• Basic tools can generate much information
• Remember principle of accumulating information
  • Attacker will build on smaller pieces to get bigger pieces
• Message to defenders: don’t give away any information if you can avoid it
Ref
• www.cs.uwec.edu
Thank you! Any questions? :D