2. FOOT PRINTING
The aim of foot printing is to gather as much information as possible about the organisation and its network. One might ask: why would I need to perform such a step when I already have all the information about my own network?
Joel Scambray, Stuart McClure and George Kurtz (2009, page 10) answer this question:
“Foot printing is necessary for one basic reason: it gives you a picture of what the hacker sees. And if you know what the hacker sees, you know what potential security exposures you have in your environment. And when you know what exposures you have, you know how to prevent exploitation.
Hackers are very good at one thing: getting inside your head, and you don’t even know it. They are systematic and methodical in gathering all pieces of information related to the technologies used in your environment. Without a sound methodology for performing this type of reconnaissance yourself, you are likely to miss key pieces of information related to a specific technology or organization—but trust me, the hacker won’t.”
“Foot printing is one of the most important steps and it must be performed accurately and in a controlled fashion.”
With foot printing, you need to find out as much information as possible about the network from public resources, from whois and DNS enumeration, from interrogating DNS servers and from performing network reconnaissance.
Publicly available information:
- Company website – look for information leakage (e.g. in the page source code).
- Related organisations – the company that built your website could hold sensitive information about the network.
Whois and DNS Enumeration
All an attacker has before attacking a network is probably the web address. To mount a successful attack, the attacker would gather as much information as possible about the network:
- Names, emails, addresses and phone numbers of employees.
- Who the domain is registered with.
- Whether the website is hosted by a hosting company or on the organisation’s own web server.
- The range of IP addresses of the network.
To do this, a domain-related search and possibly an IP-related search would be performed.
Domain-related search – who the domain belongs to, who it is registered with and any other information such as the IP addresses of the name (DNS) servers.
IP-related search – as above, except that the search is performed using an IP address instead of a domain name.
There are many tools available for all sorts of security tasks, including information gathering (foot printing). Some are online, such as www.allwhois.com, and some are software based.
Backtrack, a Linux distribution specially designed for penetration testing, contains hundreds of tools grouped into the categories shown in the following screenshot:
To enumerate whois we can use the whois command, available on all Unix/Linux systems as well as Backtrack:
The information we could get from this, if it were a real domain, includes:
- Who the domain is registered with.
- When it was issued, when it was last updated and when it expires.
- Admin contact details.
- Names and IPs of name servers.
If DNS servers are not configured correctly, they can leak valuable information to an attacker, so performing this step shows us what an attacker can see about our network.
Zone transfers – allow a secondary DNS server to update its database from the primary server.
nslookup – runs the tool in interactive mode.
188.8.131.52 – tells the tool which DNS server to query (primary DNS server of target).
set type=any – tells nslookup to pull any record.
ls -d or dir -d – used to list all records for the domain.
zone_out – the name of the file the output was saved to.
We can then use more zone_out to view the results, or to manipulate the results we can use grep, sed, awk or perl:
root@bt:# grep -i Solaris zone_out | wc -l
root@bt:# grep -i test zone_out | wc -l
These steps would be performed on each DNS server and on each subdomain.
Tools like host and dig automate this process:
root@bt:# host -l example.com
root@bt:# host -l -v -t any example.com
Finding the mail exchange (MX) record – this is important information because in many environments mail is handled on the same system as the firewall, or on the same network as the firewall.
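The grep/wc step above and the MX check, carried out with grep and awk over a zone-transfer listing, as an added example (not from the original report). The zone data is constructed for this example in the name/TTL/class/type/data layout that host -l -v prints; every name and address in it is made up, and the functions read the listing from standard input.

```shell
# Constructed zone-transfer output (made-up names and addresses) in the
# layout printed by "host -l -v -t any": name TTL class type data.
sample_zone() {
  cat <<'EOF'
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.          3600 IN NS    ns1.example.com.
example.com.          3600 IN MX    10 fw.example.com.
ns1.example.com.      3600 IN A     192.0.2.2
fw.example.com.       3600 IN A     192.0.2.1
www.example.com.      3600 IN A     192.0.2.30
www.example.com.      3600 IN HINFO "Linux" "x86_64"
test-db.example.com.  3600 IN A     10.0.0.20
test-db.example.com.  3600 IN HINFO "Solaris 10" "SPARC"
test-web.example.com. 3600 IN A     10.0.0.21
EOF
}

# The "grep -i <word> zone_out | wc -l" step as a function: case-insensitive
# count of records mentioning a word. grep -c still prints 0 when nothing
# matches; "|| true" stops its exit status from tripping "set -e".
count_word() { # $1 = word; zone listing on stdin
  grep -ic "$1" || true
}

# HINFO records hand out OS and hardware details to anyone who can pull the zone.
count_hinfo() {
  awk '$4 == "HINFO"' | wc -l | tr -d ' '
}

# A records pointing at RFC 1918 space in a public zone expose internal addressing.
count_private_a() {
  awk '$4 == "A" && $5 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/' \
    | wc -l | tr -d ' '
}

# Hosts named in MX records, to be compared with the firewall's own address
# (mail handled on the firewall host is the exposure the text describes).
mx_hosts() {
  awk '$4 == "MX" {print $6}'
}

# Stand-alone run: summarise what an attacker would learn from the listing.
zone_report() {
  printf 'Solaris mentions:   %s\n' "$(sample_zone | count_word solaris)"
  printf 'test hosts:         %s\n' "$(sample_zone | count_word test)"
  printf 'HINFO records:      %s\n' "$(sample_zone | count_hinfo)"
  printf 'private A records:  %s\n' "$(sample_zone | count_private_a)"
  printf 'MX hosts:           %s\n' "$(sample_zone | mx_hosts | tr '\n' ' ')"
}
zone_report
```

Run it against a real listing with, for example, `count_hinfo < zone_out`; any non-zero HINFO or private-address count is a record to remove from the externally visible zone, and the transfer itself should be restricted to the secondary servers.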
The preceding steps give the attacker enough information to start mapping out the network topology. A tool such as traceroute, tcptrace or tcptraceroute can be used for this. Using such tools gives an attacker a clear view of the topology as well as the location of any access control devices. Useful traceroute options:
-I – use ICMP packets.
-g – loose source routing.
-p n – starting UDP port number (n), which is incremented by 1 for each probe. This can be used to bypass ACLs.
-S – a patch that stops the port incrementing, so that only the specified port is used.
root@bt:# traceroute -p 53 example.com
Port 53 is one of the ports that attackers prefer because many networks allow inbound DNS queries.
In the above screenshot, the access control devices are identified by the “*” entries.