NMCSP

2008 Batch-I

Module II
Footprinting
Scenario

Adam is furious. He had applied for the network

engineer job at targetcompany.com He believes
that he was rejected unfairly. He has a good track
record, but the economic slowdown has seen many
layoffs including his. He is frustrated – he needs a
job and he feels he has been wronged. Late in the
evening he decides that he will prove his mettle.

 What do you think Adam would do?

 Where would he start and how would he go about it?
 Are there any tools that can help him in his effort?
Can he cause harm to targetcompany.com?
 As asecurity professional, where can you lay checkpoints and how
can you deploy countermeasures?
Module Objectives

 Overview of the Reconnaissance Phase

 Introducing Footprinting
 Understanding the information gathering
methodology of hackers
 Comprehending the implications
 Learning some of the tools used for
reconnaissance phase
 Deploying countermeasures
Module Flow

Reconnaissance Defining Footprinting

Hacking Tools Information gathering

Revisiting Reconnaissance

 Reconnaissance refers to
the preparatory phase
Clearing
where an attacker seeks
Reconnaissance
Tracks to gather as much
information as possible
about a target of
evaluation prior to
Scanning
Maintaining launching an attack.
Access
 It involves network
scanning, either external
Gaining
Access or internal, without
authorization.
Defining Footprinting

 Footprinting is the blueprinting of the security

profile of an organization, undertaken in a
methodological manner.
 Footprinting is one of the three pre-attack
phases. The others are scanning and
enumeration.
 Footprinting results in a unique organization
profile with respect to networks (Internet/
Intranet/Extranet/Wireless) and systems
involved.
Information Gathering Methodology

 Unearth initial information

 Locate the network range
 Ascertain active machines
 Discover open ports/access points
 Detect operating systems
 Uncover services on ports
 Map the Network
Unearthing Initial Information

Commonly includes:
Domain name lookup
Locations
Contacts (Telephone/
mail)
Information Sources:
Open source
Whois
Nslookup

Hacking Tool:
Sam Spade
Passive Information Gathering

 To understand the current security status of a

particular Information System, the
organizations carry out either a Penetration
Test or utilizing other hacking techniques.
 Passive information gathering is done by
finding out the details that are freely available
over the net and by various other techniques
without directly coming in contact with the
organization’s servers.
Competitive Intelligence Gathering

 Competitive Intelligence Gathering is the

process of gathering information from
resources such as the Internet.
 The competitive intelligence is non-interfering
and subtle in nature.
 Competitive Intelligence is both a product and
process.
Competitive Intelligence Gathering (contd.)

 The various issues involved in Competitive

Intelligence are:
• Data Gathering
• Data Analysis
• Information Verification
• Information Security
 Cognitive Hacking
• Single source
• Multiple source
Hacking Tools

 Whois
 Nslookup
 ARIN
 Neo Trace
 VisualRoute Trace
 SmartWhois
 VisualLookout
 eMailTrackerPro
Whois
Registrant:
targetcompany (targetcompany-DOM)
# Street Address
City, Province
State, Pin, Country
Domain Name: targetcompany.COM

Administrative Contact:
Surname, Name (SNIDNo-ORG) targetcompany@domain.com
targetcompany (targetcompany-DOM) # Street Address
City, Province, State, Pin, Country
Telephone: XXXXX Fax XXXXX
Technical Contact:
Surname, Name (SNIDNo-ORG) targetcompany@domain.com
targetcompany (targetcompany-DOM) # Street Address
City, Province, State, Pin, Country
Telephone: XXXXX Fax XXXXX

Domain servers in listed order:

NS1.WEBHOST.COM XXX.XXX.XXX.XXX
NS2.WEBHOST.COM XXX.XXX.XXX.XXX
Nslookup

 http://www.btinternet.com/~simon.m.parker/IP-
utils/nslookup_download.htm
 Nslookup is a program to query Internet domain name
servers. Displays information that can be used to
diagnose Domain Name System (DNS) infrastructure.
 Helps find additional IP addresses if authoritative DNS
is known from whois.
 MX record reveals the IP of the mail server.
 Both Unix and Windows come with an Nslookup client.
 Third party clients are also available – e.g. Sam Spade.
Scenario (contd.)

Adam knows that targetcompany is based in NJ.

However, he decides to check it out. He runs a
whois from an online whois client and notes the
domain information. He takes down the email IDs
and phone numbers. He also discerns the domain
server IPs and does an interactive Nslookup.

 Ideally,
what is the extent of information that should be revealed to
Adam during this quest?
 Are there any other means of gaining information? Can he use the
information at hand in order to obtain critical information?
What are the implications for the target company? Can he cause
harm to targetcompany.com at this stage?
Locate the Network Range

Commonly includes:
Finding the range of IP
addresses
Discerning the subnet mask
Information Sources:
ARIN (American Registry of
Internet Numbers)
Traceroute

Hacking Tool:
NeoTrace

Visual Route
ARIN

 http://www.arin.net/whois/
 ARIN allows for a search
of the whois database in
order to locate
information on a
network’s autonomous
system numbers (ASNs),
network-related handles
and other related point
of contact (POC).
 ARIN whois allows for
the querying of the IP
address to help find
information on the
strategy used for subnet
addressing.
Screenshot: ARIN Whois Output

ARIN allows search on the whois

database to locate information on
networks autonomous system
numbers (ASNs), network-related
handles and other related point of
contact (POC).
Traceroute

 Traceroute works by exploiting a feature of the Internet

Protocol called TTL, or Time To Live.
 Traceroute reveals the path IP packets travel between
two systems by sending out consecutive UDP packets
with ever-increasing TTLs .
 As each router processes a IP packet, it decrements the
TTL. When the TTL reaches zero, it sends back a "TTL
exceeded" message (using ICMP) to the originator.
 Routers with DNS entries reveal the name of routers,
network affiliation and geographic location.
Tool: NeoTrace (Now McAfee Visual Trace)

NeoTrace shows the

traceroute output
visually – map view,
node view and IP view
Tool: VisualRoute Trace

 www.visualware.com/download/

It shows the connection path and

the places where bottlenecks occur
Tool: SmartWhois

http://www.softdepia.com/smartwhois_download_491.html

SmartWhois is a useful network information utility

that allows you to find out all available information
about an IP address, host name, or domain, including
country, state or province, city, name of the network
provider, administrator and technical support contact
information.

Unlike standard Whois utilities,

SmartWhois can find the
information about a computer
located in any part of the world,
intelligently querying the right
database and delivering all the
related records within a few seconds.
Scenario (contd.)

Adam makes a few searches and gets some

internal contact information. He calls the
receptionist and informs her that HR had asked
him to get in touch with a specific person in the IT
division. It’s lunch hour, and he says he’ d rather
e-mail the person concerned than disturb him. He
checks up the mail id on newsgroups and stumbles
on an IP recording. He traces the IP destination.
 What preventive measures can you suggest to check the
availability of sensitive information?
 What are the implications for the target company? Can
he cause harm to target company at this stage?
 What do you think he can do with the information he
has obtained?
Tool: VisualLookout

http://www.visualware.com/
VisualLookout provides high level
views as well as detailed and
historical views that provide traffic
information in real-time or on a
historical basis.
In addition the user can request a
"connections" window for any
server, which provides a real-time
view of all the active network
connections showing
who is connected,
what service is being used, 
whether the connection is
inbound or outbound, and
how many connections are
active and how long they have
been connected.
Screenshot: VisualRoute Mail Tracker

It shows the number of hops made

and the respective IP addresses,
Node names, Locations, Time
zones, Networks, etc.
Tool: eMailTrackerPro

eMailTrackerPro is the e-mail

analysis tool that enables analysis
of an e-mail and its headers
automatically providing graphical
results
Tool: Mail Tracking (mailtracking.com)

Mail Tracking is a
tracking service that
allows the user to track
when his mail was read,
how long the message
was open and how often
it was read. It also
records forwards and
passing of sensitive
information (MS Office
format)
Summary

 The information gathering phase can be categorized

broadly into seven phases.
 Footprinting renders a unique security profile of a
target system.
 Whois and ARIN can reveal public information of a
domain that can be leveraged further.
 Traceroute and mail tracking can be used to target
specific IPs and later for IP spoofing.
 Nslookup can reveal specific users and zone transfers
can compromise DNS security.