Chapter 4: Footprinting


Netcraft

Netcraft is a suite of related tools that, given a URL, reports the web server software and version, IP address, netblock, operating system and known subdomains. The subdomain listing is especially useful: subdomains are children of the parent domain, and their names often hint at what the organization is running, such as beta versions of company websites, extranets, test systems and small side projects.

Personally Identifiable Information (PII)

Any information that can be used to uniquely identify an individual, such as a name, address, phone number or Social Security number. If you obtain PII during a penetration test, especially in the footprinting phase, where it is usually trivial to collect, state clearly in your report how easily it was found. Disclosure of PII to unauthorized parties can be catastrophic for the organization: lawsuits, bad publicity, regulatory penalties and more.
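As an added example, not code from the study guide: a small redaction pass that masks the kinds of PII named above before gathered notes are pasted into a report, so the report itself does not become a second disclosure. The notes are constructed, and the Social Security number and phone formats it assumes are US ones.

```python
"""Added example (not from the study guide): mask PII found during
footprinting before it goes into the report.  SAMPLE_NOTES is constructed
text; the person and numbers in it are invented.  Patterns assume US
SSN and phone formats."""
import re

# Order matters: SSNs are masked before the looser phone pattern runs.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+1[ -])?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def redact(text):
    """Replace every PII match with a typed placeholder.

    Returns (redacted_text, counts) so the report can say *how many* items
    of each kind were exposed without repeating any of them."""
    counts = {}
    for kind, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{kind.upper()} REDACTED]", text)
        counts[kind] = n
    return text, counts


# Constructed raw notes, as a tester might paste them from a findings file.
SAMPLE_NOTES = """\
Found in a public spreadsheet: J. Doe, SSN 123-45-6789, desk (555) 123-4567,
personal email jdoe@example.org. Helpdesk line 555-987-6543.
"""

if __name__ == "__main__":
    clean, found = redact(SAMPLE_NOTES)
    print(clean)
    print("items masked:", found)
```

The counts are what belongs in the report body; the unmasked originals stay in the evidence store that the client's own rules for PII handling cover.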

Social Engineering: The Art of Hacking Humans

Eavesdropping: Covertly listening in on other people's conversations, and also reading faxes, memos and other documents left in view. A surprising amount of information is available if you simply listen carefully.

Phishing: Sending an email to a list of addresses, crafted to look legitimate enough that recipients click a link in it. A message claiming to be from the recipient's bank and asking for personal data to reset the account is a classic example.

Spear phishing: Phishing aimed at specific individuals, typically while posing as a colleague or business partner, which makes the message far more convincing than a generic mass mailing.

Whaling: Spear phishing aimed at high-value targets in an organization, such as executives, who are known to hold a lot of valuable information.

Shoulder Surfing: Standing behind a victim while they work on a computer or handle confidential material, in order to capture passwords, account numbers or other secrets.

Dumpster Diving: One of the oldest social engineering techniques, and still effective. Going through a victim's trash can yield bank account numbers, phone records, source code, sticky notes, CDs, DVDs and similar items, all of which are potentially damaging in the wrong hands.

Working with Email

Email is essential to how a company operates, so it is used constantly and carries a great deal of information about what goes on inside the business. An attacker has many tools for collecting and exploiting email. www.politemail.com is designed to create and track email communication from within Microsoft Outlook. Once you have a list of email addresses at the target organization, you can send each address a message containing a tracked link and record who opened or clicked it, and when. http://whoreadme.com is an application that tracks emails and reports details such as the recipient's operating system, browser type and installed ActiveX controls. Discussion groups, mailing-list archives and similar resources can also turn up posted emails containing valuable information.
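The per-recipient tracking described above, as an added example rather than code from the study guide, PoliteMail or WhoReadMe: for an authorized phishing simulation, each recipient gets a link carrying a keyed token, and clicks are attributed afterwards from the web server's access log. The recipients, the training.example.com landing page, the secret and the log lines are all constructed.

```python
"""Added example (not the study guide's nor any vendor's code): tamper-evident
per-recipient tracking links for an authorised phishing simulation, and click
attribution from a combined-format access log.  All names, addresses, the
secret and the log lines are constructed placeholders."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

SECRET = b"replace-with-a-per-engagement-secret"   # assumption: unique per engagement
LANDING = "https://training.example.com/notice"    # placeholder landing page


def make_token(recipient):
    """Opaque per-recipient token; keyed, so nobody can forge another ID."""
    return hmac.new(SECRET, recipient.encode(), hashlib.sha256).hexdigest()[:16]


def tracking_link(recipient):
    return f"{LANDING}?t={make_token(recipient)}"


def build_mapping(recipients):
    """Token -> recipient lookup, kept by the tester and never mailed out."""
    return {make_token(r): r for r in recipients}


# Constructed access log lines; TOK_A/TOK_B are filled in by demo().
SAMPLE_LOG = """\
198.51.100.4 - - [10/Mar/2024:09:01:12 +0000] "GET /notice?t=TOK_A HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
198.51.100.9 - - [10/Mar/2024:09:03:40 +0000] "GET /notice?t=deadbeef00000000 HTTP/1.1" 404 0 "-" "curl/8.4.0"
203.0.113.77 - - [10/Mar/2024:09:05:02 +0000] "GET /notice?t=TOK_B HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) Safari/604.1"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"$'
)


def attribute_clicks(log_text, mapping):
    """Return (hits, unknown_tokens).  Unknown tokens (scanners, guesses,
    forwarded links) are reported separately rather than attributed."""
    hits, unknown = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, path, user_agent = m.groups()
        token = parse_qs(urlparse(path).query).get("t", [None])[0]
        if token in mapping:
            hits.append({"recipient": mapping[token], "ip": ip,
                         "time": when, "user_agent": user_agent})
        else:
            unknown.append(token)
    return hits, unknown


def demo():
    recipients = ["alice@example.com", "bob@example.com"]
    mapping = build_mapping(recipients)
    log = (SAMPLE_LOG.replace("TOK_A", make_token("alice@example.com"))
                     .replace("TOK_B", make_token("bob@example.com")))
    return attribute_clicks(log, mapping)


if __name__ == "__main__":
    hits, unknown = demo()
    for h in hits:
        print(f'{h["recipient"]} clicked from {h["ip"]} at {h["time"]} ({h["user_agent"]})')
    print("unrecognised tokens:", unknown)
```

The user agent string is where the operating system and browser details that tools like WhoReadMe report come from; a plain sequential ID instead of the keyed token would let anyone who received a link enumerate everyone else's.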

Social Networking and Information Gathering

Social networking sites are extremely widespread and incredibly useful as an information-gathering tool. People post updates constantly, so you can learn about them as individuals and about their relationships, both personal and professional. Because of the openness and ease of sharing on these sites, a savvy, determined attacker can locate details that ought never to have been shared; in the past, attackers have found project data, vacation schedules, working relationships and location data. This is valuable for social engineering and spear phishing, since knowing what someone likes and who they work with makes it much easier to build trust. Keep in mind that while social networking is enormously powerful and beneficial for sharing information, an attacker can turn the information you publish against you.

Popular Social Networking Services

Facebook: An extremely large user base, a large number of interest groups, and comment widgets embedded on a multitude of other websites, which extend its reach even further.

Twitter: Users tend to post valuable information without noticing, and the privacy features the service offers are seldom used.

Google+: A good deal of searchable information was present on the site. (Google shut down consumer Google+ in 2019 after API bugs exposed profile data, so it is no longer available as a source.)

LinkedIn: A social networking platform for job seekers that lists employment history, contact information, skills, and the names of the people someone has worked with.

Instagram: Used for sharing photos; extremely popular, with a large number of users worldwide.

Footprinting/steps ensuring proper information retrieval

Footprinting follows a set of steps to ensure proper information retrieval:
1. Collect information that is publicly available about the target (for example, host and network information).
2. Ascertain the operating system(s) in use in the environment, including web server and web application data where possible.
3. Issue queries such as Whois, DNS, network and organizational queries.
4. Locate existing or potential vulnerabilities or exploits in the current infrastructure that may be useful for launching later attacks.

What is Footprinting?

Footprinting, or reconnaissance, is the process of observing and collecting information about a potential target with the intention of finding a way to attack it. You gather information and later analyze it, looking for weaknesses or potential vulnerabilities. A careless or haphazard process of collecting information wastes time in later phases and can even cause an attack to fail; worse, it tends to attract the defender's attention, which thwarts further information gathering. A smart, careful attacker spends a good amount of time in this phase gathering and confirming information.

Gaining Network Information

These tools gather information about a target network:

Whois: Returns information about a domain name or IP address, such as ownership and contact information, IP allocation and netblock data. It is built into Linux and Unix and available for Windows as a third-party add-on.

Ping: Uses ICMP echo requests to determine whether a host is reachable (up or down).

Nslookup: Short for Name Server Lookup; queries DNS servers for information on parts of the DNS namespace or on individual hosts. Dig does the same job on Unix and Linux, with more detailed output.

Tracert: Follows the path traffic takes from one point to another, including the hops in between, and reports the relative latency of each hop. The names of intermediate routers and related details can be valuable information. It is called tracert on Windows and traceroute on Unix and Linux, and is free on all operating systems.
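As an added example, not code from the study guide: whois and dig print free-form text, and the value in footprinting comes from structuring that text and correlating it. The script below parses constructed samples of both outputs (placeholder organization names and documentation-range addresses, not a real target) and checks which DNS hosts sit inside the organization's own netblock and which are hosted elsewhere.

```python
"""Added example (not from the study guide): parse whois and dig output
and cross-check DNS hosts against the whois netblock.  Both samples are
constructed; the organisation and addresses are placeholders."""
import ipaddress
import re

# Constructed whois answer in the style a regional registry prints for an IP block.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
Organization:   Example Corp (EXAMP)
OrgAbuseEmail:  abuse@example.com
OrgTechEmail:   noc@example.com
"""

# Constructed answer section in the style of `dig example.com ANY +noall +answer`.
SAMPLE_DIG = """\
example.com.        3600  IN  NS   ns1.example.com.
example.com.        3600  IN  NS   ns2.dns-host.net.
example.com.        300   IN  MX   10 mail.example.com.
example.com.        300   IN  A    203.0.113.10
mail.example.com.   300   IN  A    203.0.113.25
vpn.example.com.    300   IN  A    198.51.100.7
"""


def parse_whois(text):
    """Return the 'Key: value' pairs of a whois answer as a dict (first value wins)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields


def parse_dig(text):
    """Return (owner, type, rdata) tuples from dig answer lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            records.append((parts[0].rstrip("."), parts[3], " ".join(parts[4:])))
    return records


def summarize(whois_text, dig_text):
    """Correlate the two: which A records fall inside the whois netblock?"""
    fields = parse_whois(whois_text)
    block = ipaddress.ip_network(fields["CIDR"])
    records = parse_dig(dig_text)
    inside, outside = [], []
    for owner, rtype, rdata in records:
        if rtype == "A":
            (inside if ipaddress.ip_address(rdata) in block else outside).append(owner)
    return {
        "netblock": str(block),
        "addresses": block.num_addresses,
        "abuse_contact": fields.get("OrgAbuseEmail"),
        "name_servers": [r[2].rstrip(".") for r in records if r[1] == "NS"],
        "mail_hosts": [r[2].split()[1].rstrip(".") for r in records if r[1] == "MX"],
        "hosts_in_block": inside,
        "hosts_elsewhere": outside,   # hosted outside the org's own range
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WHOIS, SAMPLE_DIG).items():
        print(f"{key}: {value}")
```

Hosts that resolve outside the organization's netblock (here the vpn host, and the second name server on another provider) are worth noting: they point at hosting providers, cloud tenants or partners that a scan of the netblock alone would miss.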

Introducing Echosec

Echosec helps extract information from social media platforms such as Instagram. It can show where posted photos were originally taken, and you can search and refine results by username, keyword or date range. Entering a company's address, or drawing a box around it on the map, returns posts made from that location as recently as one to two minutes ago. In effect it answers who, what, when and where for an organization at any given time.

Looking at Maltego

Maltego also retrieves information from social media and other open sources, but its strength is showing the relationships between the pieces of information it finds. Starting from a company, it can map out related data such as specific IP addresses and other connected entities.

Why perform Footprinting?

The purpose is to gather information and formulate a hacking strategy, so that the attacking party can find the path of least resistance into an organization. Passively gathering information is the easiest and most effective method; a skilled and curious individual who looks for information passively can obtain a tremendous amount. Information to look for specifically:
- Information about the organization's security posture and where potential loopholes may exist. This lets you adjust the hacking process so that you can be more productive.
- A database that paints a detailed picture of the target with the maximum amount of information.
- Applications, such as a web application or another exposed source.
- A network map, built using tools such as the Tracert utility, that shows the target's Internet presence or connectivity. The network map can be thought of as a road map leading you to a building: the map gets you there, but you still have to work out the floor plan once inside.

Operating System Information

Keep an eye out for technical details about operating systems, for example by browsing job sites that ask for experience with particular operating systems. Things to look for:
- User and group names
- Operating system versions
- System architecture
- Remote system data
- System names
- Passwords

The Footprinting Process

Logging the information you collect is very important.

Using Search Engines: Search engines tend to be the first stop. Whether you use Bing, Google or another engine, the search engine results page (SERP) can reveal a great deal: technology platforms, employee details, login pages, intranet portals and so on. You may find the names of security personnel, the brand and type of firewall and antivirus protection in use, network diagrams and other information.

Google Hacking: Nothing new; it has been around for a long time, although it is not widely known outside the security community. Advanced search operators let you fine-tune results to get exactly what you want instead of being at the whim of the search engine, and they can turn up passwords, particular file types, sensitive directories, logon portals, configuration data and more. Use Google hacks only after you have done initial reconnaissance, so the queries can be targeted based on what you have already learned. Start with the basics: search for the company's name, and use several search engines rather than just your favorite, as they yield different results. After that, look for information in the URLs. Find the company's external URL, search on the target organization's name, and go through the results; this can reveal a tremendous amount about the internal structure or layout of the company. Alongside the most visible URLs you will often find less visible, hidden or internal URLs that do not always show up. It is worth going through three to five pages of results before refining the search, since interesting items can be buried on later pages. You can also extract information from Archive.org, whose Wayback Machine keeps old copies of websites, including content that has since been taken down.

Organization Data

Look at how an organization works, including details such as:
- Employee details
- The organization's website
- Company directory
- Location details
- Addresses and phone numbers
- Comments in HTML source code
- Security policies implemented
- Web server links relevant to the organization
- Background of the organization
- News articles and press releases

People Search

Many websites offer public-record information that can be easily accessed by anyone willing to search for it: phone numbers, home addresses, email addresses and other information, depending on the site. Examples include Spokeo, ZabaSearch, Wink and Intelius.

Goals of the Footprinting Process

- Network information
- Operating system information
- Organization information, such as CEO and employee information, office information, contact numbers and email addresses
- Network blocks
- Network services
- Application and web application data and configuration information
- System architecture
- Intrusion detection and prevention systems
- Employee names
- Work experience

The Value of Job Sites

An often overlooked but valuable source is job sites and job postings. Postings take many forms, but a statement of desired skills is common, so if you visit a job site and find the company you are targeting, you can read through its postings to learn what it is asking for. Infrastructure data, operating system information and other useful facts are not uncommon either. Monster.com, Dice.com and Craigslist.com are valuable sites for job postings and information such as:
- Job requirements and experience
- Employer profile
- Employee profile
- Hardware information (incredibly common in postings; look for labels such as Cisco, Microsoft, Juniper and Check Point, which may include model or version numbers)
- Software information
Some major job sites will send alert messages when postings change, which is useful for monitoring, but the downside is that you have to register, which can expose you. Use a separate account that cannot be tied to you if you want to stay hidden.

Terminology in Footprinting

Open Source and Passive Information Gathering: The least aggressive way to get information; it relies on public resources that are out in the open for everyone to see: newspapers, websites, discussion groups, press releases, television, social networking, blogs and innumerable other sources. If you are skilled and careful you can learn operating systems, network information, public IP addresses, web server information, and which TCP and UDP services are exposed.

Active Information Gathering: Involves engagement with the target, for example through social engineering. Human beings are the soft targets: savvy attackers engage employees under various pretenses with the goal of getting an individual to reveal information.

Passive Information Gathering: Gathering information indirectly, without engaging the target. This is the least aggressive and probably the easiest way to gain information about the target.

Pseudonymous Footprinting: Gathering information from online sources where it was posted by someone connected to the target but under a different name or, in some cases, a pen name. Posing under the name of someone within the company from another office or location is an easy way to get unsuspecting parties to contact you and reveal useful information.

Internet Footprinting: Using the Internet as the source of information, for example through Google hacking, to find what the target would rather hide and that a malicious party could obtain and use easily.

Phase 1: Footprinting

Footprinting, the first phase of the ethical hacking process, consists of passively and actively gaining information about a target. The goal is to obtain reasonable, usable information in order to make later attacks against the target more accurate. Information that can be gathered:
- IP address ranges
- Namespaces
- Employee information
- Phone numbers
- Facility information
- Job information
Footprinting takes advantage of information that was carelessly exposed or inadvertently disposed of.

Phase 2: Scanning

Scanning focuses on active engagement with the target with the intention of obtaining more information. Scanning the target network locates the active hosts that will be our targets in later phases. Footprinting identifies potential targets, but not all of them may be viable or active hosts; scanning determines which hosts are active and what the network looks like. Tools used include:
- Pings
- Ping sweeps
- Port scans
- Tracert
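As an added example, not code from the study guide: the port scan listed above, written with only the standard library. ICMP ping needs raw sockets and privileges, so here a host counts as live when any of its ports answers. The target is a listener the script starts itself on 127.0.0.1, so the demo runs offline; point scan_ports at any other host only with authorization.

```python
"""Added example (not from the study guide): a TCP connect scan against a
listener started in this process on 127.0.0.1.  Nothing here touches any
host other than localhost unless you change the target."""
import socket
import threading


def start_listener():
    """Open a throwaway TCP listener on an OS-assigned port: our 'live host'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # raised once the listener is shut down
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept() on Linux
    except OSError:
        pass                             # some platforms reject shutdown on a listener
    srv.close()


def is_open(host, port, timeout=0.5):
    """Complete the TCP three-way handshake (noisy: it shows up in target logs)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports, timeout=0.5):
    """Return the sorted list of ports on host that accepted a connection."""
    valid = (p for p in ports if 1 <= p <= 65535)
    return sorted(p for p in valid if is_open(host, p, timeout))


def demo():
    """Scan a small window around the live port plus a few well-known ports."""
    srv, live_port = start_listener()
    try:
        candidates = set(range(live_port - 3, live_port + 4)) | {22, 80, 443}
        found = scan_ports("127.0.0.1", candidates)
    finally:
        stop_listener(srv)
    return live_port, found


if __name__ == "__main__":
    port, open_ports = demo()
    print(f"listener on {port}; open ports seen: {open_ports}")
```

A connect scan completes the handshake, so every probe is logged by the target and by any IDS in front of it; that noise is exactly why the chapter treats scanning as active engagement, distinct from passive footprinting.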

Phase 3: Enumeration

Enumeration is a systematic probing of the target with the goal of obtaining user lists, routing tables and protocol information from its systems. This is the move from looking at the target from the outside to gathering data from inside it. Information such as shares, users, groups, applications, protocols and banners all prove useful in getting to know the target, and it is carried forward into the attack phase. Information gathered during phase 3 includes, but is not limited to:
- Usernames
- Group information
- Passwords
- Hidden shares
- Device information
- Network layout
- Protocol information
- Server data
- Service information

Phase 4: System Hacking

System hacking cannot be completed in a single simple pass and can be considerably more complex than the earlier phases. It involves a methodical approach: cracking passwords, escalating privileges, executing applications, hiding files, covering tracks and concealing evidence, then pushing on into a more complex attack.

Location and Geography

The physical location of offices and personnel can also provide crucial details for later stages, including physical penetration. Knowing the location makes dumpster diving, social engineering and similar efforts possible. Satellite imagery and webcams are good examples of tools that help you understand physical locations and their weak points.

Financial Services and Information Gathering

Popular financial services such as Yahoo! Finance, Google Finance and CNBC provide information that other sources may not. Company officers, company profiles, share information and competitor analysis are just a few of the many kinds of data available from financial services.

Google Earth

A popular satellite imaging utility. Its predecessor, Keyhole EarthViewer, dates from 2001, and Google Earth has been available under that name since 2005; it has improved steadily as more data is added, giving more detail and better accuracy. You can also look at historical imagery of most locations, in some cases going back around 20 years.

Google Maps

Provides area information and similar data. Google Maps with Street View lets you look at houses, businesses and other locations from the perspective of a car on the road. You can spot people, entrances and even individuals visible through the windows of a business.

Threats Introduced by Footprinting

Social Engineering: One of the easiest ways to gain information is to engage the target and simply ask for it; where asking does not work, manipulation can be used instead.

Network and System Attacks: Designed to gather information about the environment's system configuration and operating systems.

Information Leakage: Far too common nowadays, with organizations becoming victims of data and secrets slipping out the door into the wrong hands.

Privacy Loss: Also all too common. If you are the target of such an attack, you may run into laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Sarbanes-Oxley.

Revenue Loss: Loss of information and security related to banking, online business and finance can easily lead to a loss of trust in a business, which may even lead to the closure of the business itself. Customers may take their business elsewhere, on top of fines, penalties and lawsuits.

Competitive Analysis

Competitive analysis reports provide product information, project data, financial status and, in some cases, intellectual property. Good places to find competitive analysis:
- EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) contains the reports publicly traded companies file with the Securities and Exchange Commission (SEC): www.sec.gov/edgar.shtml
- LexisNexis maintains a database of public-record information on companies that includes details such as legal news and press releases: www.lexisnexis.com/en-us/home.page
- BusinessWire is another great resource, providing information about the status of a company, its finances and other data: www.businesswire.com/portal/site/home/
- CNBC offers a wealth of company details as well as future plans and in-depth analysis: www.cnbc.com

Link Extractor

A link extractor locates and extracts the internal and external URLs found at a given location, such as a website or a single page.
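As an added example, not the study guide's or any commercial extractor's code, the script below does what the link extractor, the Netcraft subdomain listing and the "Comments in HTML source code" item under Organization Data describe: it pulls links, HTML comments and email addresses out of page source, sorts the links into the target's own pages, its subdomains and external hosts, and flags subdomain names that suggest non-public systems. The page source and example.com are constructed placeholders.

```python
"""Added example (not from the study guide): link, comment and e-mail
extraction from page source, with subdomain classification.  SAMPLE_HTML
and example.com are constructed placeholders, not a real target."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SAMPLE_HTML = """\
<html><head><title>Example Corp</title>
<!-- TODO: remove before launch, staging copy at https://staging.example.com/admin -->
</head><body>
<a href="/products">Products</a>
<a href="https://careers.example.com/jobs">Careers</a>
<a href="https://intranet.example.com/login">Staff login</a>
<a href="https://www.partner-site.net/about">Partner</a>
<a href="mailto:webmaster@example.com">Contact</a>
<!-- built by j.smith@example.com, deployed from img-03 -->
<script src="//cdn.example.com/app.js"></script>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Subdomain labels that often mark test, staging or staff-only systems.
INTERESTING = ("intranet", "extranet", "staging", "beta", "dev", "test", "vpn", "admin")


class LinkExtractor(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.links, self.comments = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value and not value.startswith("mailto:"):
                self.links.append(urljoin(self.base, value))   # resolves relative and // links

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract(base_url, html):
    parser = LinkExtractor(base_url)
    parser.feed(html)
    target = urlparse(base_url).hostname
    if target.startswith("www."):
        target = target[4:]

    internal, subdomains, external = set(), set(), set()
    # URLs hidden in comments count too: they are exactly the "less visible" ones.
    for link in parser.links + URL_RE.findall(" ".join(parser.comments)):
        host = urlparse(link).hostname or ""
        if not host:
            continue
        if host in (target, "www." + target):
            internal.add(link)
        elif host.endswith("." + target):
            subdomains.add(host)
        else:
            external.add(host)

    return {
        "internal": sorted(internal),
        "subdomains": sorted(subdomains),
        "interesting": sorted(h for h in subdomains if any(w in h for w in INTERESTING)),
        "external": sorted(external),
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "comments": parser.comments,
    }


if __name__ == "__main__":
    for key, value in extract("https://www.example.com/", SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run over a saved copy of a page, this turns one fetch into a list of hosts to resolve with dig, names for the people search, and a staging URL that never appeared as a visible link.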

Webcams

Webcams are very common and can be used to observe locations or people.

Network Information

Network information is invaluable if you can get your hands on it, and it is often readily available or easily obtained with a little investigation. Keep an eye out for:
- Domain names the company uses to conduct business or other functions, including research and customer relations
- Internal domain name information
- IP addresses of available systems
- Rogue or unmonitored websites used for testing or other purposes
- Private websites
- TCP/UDP services that are running
- Access control mechanisms, including firewalls and ACLs
- Virtual Private Network (VPN) information
- Intrusion detection and prevention information, as well as configuration data
- Telephone numbers, including analog and Voice over Internet Protocol (VoIP)
- Authentication mechanisms and systems

Public and Restricted Websites

Websites that are not intended to be public but restricted to a few people can provide valuable information. Precisely because they are not meant for the public, gaining access to them helps you understand the target much better.

When analyzing resources, ask these questions

- When did the company begin, and how did it evolve? Such information gives insight into its business strategy and philosophy as well as its past failures.
- Who are the leaders of the company? Further background analysis of these individuals may be possible.
- Where are the headquarters and offices located?
- Who are the target's competitors? Looking at competitors often gives insight into how your target is moving and what its intentions are, as corporate espionage is common.

