In this chapter, you’ll begin the process of investigating a system with the intention of attacking and compromising the target. You’ll start with the step known as footprinting, and subsequent steps depend on the results of the previous one.
For an overview of the process, let’s look at the steps of ethical hacking to see where footprinting fits in as well as what future phases hold.
Footprinting is the first phase of the ethical hacking process and is the subject of this chapter. This phase consists of passively gaining information about a target. The goal is to gather as much information as possible about a potential target with the objective of getting enough information to make later attacks more accurate. The end result should be a profile of the target that is a rough picture but one that gives enough data to plan the next phase of scanning.
Information that can be gathered during this phase includes:
Footprinting takes advantage of the information that is carelessly exposed or disposed of inadvertently.
Phase 2 is scanning, which focuses on an active engagement of the target with the intention of obtaining more information. Scanning the target network will ultimately locate active hosts that can then be targeted in a later phase. Footprinting helps identify potential targets, but not all may be viable or active hosts. Once scanning determines which hosts are active and what the network looks like, a more refined process can take place.
During this phase tools such as these are used:
The last phase before you attempt to gain access to a system is the enumeration phase. Enumeration is the systematic probing of a target with the goal of obtaining user lists, routing tables, and protocols from the system. This phase represents a significant shift in your process; it is the initial transition from being on the outside looking in to moving to the inside of the system to gather data. Information such as shares, users, groups, applications, protocols, and banners all prove useful in getting to know your target, and this information is then carried forward into the attack phase.
The information gathered during Phase 3 typically includes, but is not limited to:
Once you have completed the first three phases, you can move into the system hacking phase. You will recognize that things are getting much more complex and that the system hacking phase cannot be completed in a single pass. It involves a methodical approach that includes cracking passwords, escalating privileges, executing applications, hiding files, covering tracks, concealing evidence, and then pushing into a complex attack.
Now let’s circle back around to the first step in the process of ethical hacking: footprinting. Footprinting, or reconnaissance, is a method of observing and collecting information about a potential target with the intention of finding a way to attack the target. Footprinting looks for information and later analyzes it, looking for weaknesses or potential vulnerabilities.
Footprinting generally entails the following steps to ensure proper information retrieval:
Footprinting is about gathering information and formulating a hacking strategy. With proper care you, as the attacking party, may be able to uncover the path of least resistance into an organization. Passively gathering information is by far the easiest and most effective method. If done by a skilled, inventive, and curious party (you!), the amount of information that can be passively gathered is staggering. Expect to obtain information such as:
Before you start doing footprinting and learn the techniques, you must set some expectations as to what you are looking for and what you should have in your hands at the end of the process. Keep in mind that the list of information here is not exhaustive, nor should you expect to be able to obtain all the items from every target. The idea is for you to get as much information in this phase as you possibly can, but take your time!
Here’s what you should look for:
Let’s take a closer look at the first three on this list.
On the network side of things a lot of information is invaluable—if you can get ahold of the data. Amazingly, much of the network information that is useful to you in starting the initial phase of an attack is easily available or can be easily obtained with little investigation. During the footprinting phase, keep your eyes open for the following items:
See Exercise 4.1 to find the IP address of a website.
The operating system is one of the most important areas you must gain information about. When sorting through the wealth of information that typically is available about a target, keep an eye out for anything that provides technical details:
Not all information is technical, so look for information about how an organization works. Information that provides details about employees, operations, projects, or other details is vital. This includes:
In this section you’ll learn definitions that may appear on the CEH exam.
As far as intelligence gathering goes, open source or passive information gathering is the least aggressive. Basically the process relies on obtaining information from those sources that are typically publicly available and out in the open. Potential sources include newspapers, websites, discussion groups, press releases, television, social networking, blogs, and innumerable other sources.
With a skilled and careful hand, it is more than possible to gather operating system and network information, public IP addresses, web server information, and TCP and UDP data sources, just to name a few.
Active information gathering involves engagement with the target through techniques such as social engineering. Attackers tend to focus their efforts on the “soft target,” which tends to be human beings. A savvy attacker engages employees under different guises under various pretenses with the goal of socially engineering an individual to reveal information.
Pseudonymous information gathering involves collecting information from online sources that was posted by someone at the target but under a different name or, in some cases, a pen name. In essence the information is posted neither under a real name nor anonymously; it is posted under an assumed name with the intention that it will not be traced to the actual source.
A pretty straightforward method of gaining information is to just use the Internet. I’m talking about using techniques such as Google hacking (which uses Google Search and other Google apps to identify security holes in websites’ configuration and computer code) and other methods to find out what your target wants to hide (or doesn’t know is public information) that a malicious party can easily obtain and use.
Let’s take a closer look at the threats that can be used to gain information:
Social Engineering One of the easiest ways to gain information about a target or to get information in general is to just ask for it. When asking doesn’t work, you can try manipulating people with the goal of getting that gem of information that can give you useful insight.
Network and System Attacks These are designed to gather information relating to an environment’s system configuration and operating systems.
Information Leakage This one is far too common nowadays as organizations frequently have become victims of data and other company secrets slipping out the door and into the wrong hands.
Privacy Loss Another one that is common—all too common sadly—is privacy loss. Attackers gaining access to a system can compromise not only the security of the system, but the privacy of the information stored on it as well. If you happen to be the target of such an attack, you may easily find yourself running afoul of laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Sarbanes–Oxley, to name a couple.
Revenue Loss Loss of information and security related to online business, banking, and financial-related issues can easily lead to lack of trust in a business, which may even lead to closure of the business itself.
There are many steps in the footprinting process, each of which will yield a different type of information. Remember to log each piece of information that you gather no matter how insignificant it may seem at the time.
One of the first steps in the process of footprinting tends to be using a search engine. Search engines such as Google and Bing can easily provide a wealth of information that the client may have wished to keep hidden or may simply have forgotten about. Such information can readily show up on a search engine results page (SERP).
Using a search engine you can find a lot of information, some of it completely unexpected or something a defender never considers, such as technology platforms, employee details, login pages, intranet portals, and so on. A search can easily provide even more details such as names of security personnel, brand and type of firewall, and antivirus protection, and it is not unheard of to find network diagrams and other information.
To use a search engine effectively for footprinting, always start with the basics. The very first step in gathering information is to begin with the company name. Enter the company name and take note of the results, as some interesting ones may appear.
Once you have gotten basic information from the search engine, it’s time to move in a little deeper and look for information relating to the URL.
If you need to find the external URL of a company, open the search engine of your choice, type the name of the target organization, and execute the search. Such a search will generally turn up the company’s external and most visible URLs and perhaps some of the lesser known ones. Knowing the internal or hidden URLs can provide tremendous insight into the inner structure or layout of a company. However, tools are available that can provide more information than a standard search engine. Let’s examine a couple.
Netcraft Actually a suite of related tools, you can use Netcraft to obtain web server version, IP address, subnet data, OS information, and subdomain information for any URL. Remember this tool—it will come in handy later.
Link Extractor This utility locates and extracts the internal and external URLs for a given location.
Websites that are intended not to be public but to be restricted to a few can provide you with valuable information. Because restricted websites—such as technet.microsoft.com and developer.apple.com—are not intended for public consumption, they are kept in a subdomain that is either not publicized or that has a login page. (See Exercise 4.2.)
Not to be overlooked or underestimated in value is any information pertaining to the physical location of offices and personnel. You should seek this information during the footprinting process because it can yield other key details that you may find useful in later stages, including physical penetrations. Additionally, knowing a company’s physical location can aid in dumpster diving, social engineering, and other efforts.
To help you obtain physical location data, a range of useful and powerful tools are available. Thanks to the number of sources that gather information such as satellites and webcams, there is the potential for you as an attacker to gain substantial location data. Never underestimate the sheer number of sources available, including:
Google Earth This popular satellite imaging utility has been available since 2001, and since then it has steadily gained access to more imagery and other data. Also included in the utility is the ability to look at historical images of most locations, in some cases going back over 20 years.
Google Maps Google Maps provides area information and similar data. Google Maps with Street View allows you to view businesses, houses, and other locations from the perspective of a car. Using this utility, many people have spotted things such as people, entrances, and even individuals working through the windows of a business.
Webcams These are very common, and they can provide information on locations or people.
People Search Many websites offer information of public record that can be easily accessed by those willing to search for it. It is not uncommon to come across details such as phone numbers, house addresses, e-mail addresses, and other information depending on the website being accessed. Some really great examples of people search utilities are Spokeo, ZabaSearch, Wink, and Intelius.
One of the best sources for information is social networking. Social networking has proven not only extremely prolific, but also incredibly useful as an information-gathering tool. A large number of people who use these services provide updates on a daily basis. You can learn not only what an individual is doing, but also all the relationships, both personal and professional, that they have.
Because of the openness and ease of information sharing on these sites, a savvy and determined attacker can locate details that ought not to be shared. In the past, I have found information such as project data, vacation information, working relationships, and location data. This information may be useful in a number of ways. For example, armed with personal data learned on social networking sites, an attacker can use social engineering to build a sense of trust.
Some popular social networking services that are worth scouring for information about your target may be the ones that you are already familiar with:
Facebook The largest social network on the planet boasts an extremely large user base with a large number of groups for sharing interests. Facebook is also used to share comments on a multitude of websites, making its reach even further.
Twitter Twitter has millions of users, many of whom post updates several times a day. Twitter offers little in the way of security, and those security features it does have are seldom used. Twitter users tend to post a lot of information with little or no thought to the value of what they are posting.
Google+ This is Google’s answer to the popular Facebook. Although the service has yet to see the widespread popularity of Facebook, there is a good deal of information present on the site that you can search and use.
LinkedIn One of my personal favorites for gathering information is LinkedIn. The site is a social networking platform for job seekers and as such it has employment history, contact information, skills, and names of those the person has worked with.
Popular financial services such as Yahoo! Finance, Google Finance, and CNBC provide information that may not be available via other means. This data includes company officers, profiles, shares, competitor analysis, and many other pieces of data.
Gathering this information may be incredibly easy. Later in the book, we will talk about attacks such as phishing and spear-phishing that are useful in this area.
An oft-overlooked but valuable method of gathering information about a target is through job sites and job postings. If you have ever looked at a job posting, as many of us have, you will notice that they can take a lot of forms, but something they tend to have in common is a statement of desired skills. This is the important detail that we are looking for. If you visit a job posting site and find a company that you are targeting, you simply need to investigate the various postings to see what they are asking for. It is not uncommon to find information such as infrastructure data, operating system information, and other useful data.
A quick perusal of job sites such as Monster.com, Dice.com, or even Craigslist.com can prove valuable. This information is essentially free, because in many cases there is little investment of time or effort needed to obtain it.
When analyzing job postings, keep an eye out for information such as:
Some of the major search engines have an alert system that will keep you apprised of any updates as they occur. The alert systems allow you to enter a means of contacting you along with one or more URLs you’re interested in and a time period over which to monitor them. Search engines such as Google and Yahoo! include this service.
E-mail is one of the tools that a business relies on today to get its mission done. Without e-mail many businesses would have serious trouble functioning in anything approaching a normal manner. The contents of e-mail are staggering and can be extremely valuable to an attacker looking for more inside information. For a pen tester or an attacker, plenty of tools exist to work with e-mail.
One tool that is very useful for this purpose is PoliteMail (www.politemail.com), which is designed to create and track e-mail communication from within Microsoft Outlook. This utility can prove incredibly useful if you can obtain a list of e-mail addresses from the target organization. Once you have such a list, you can then send an e-mail to the list that contains a malicious link. Once the e-mail is opened, PoliteMail will inform you of the event for each and every individual.
Another utility worth mentioning is WhoReadMe (http://whoreadme.com). This application lets you track e-mails and also provides information such as operating system, browser type, and ActiveX controls installed on the system.
We’ve covered some great tools so far, but there is another way of gathering useful data that may not seem as obvious: competitive analysis. The reports created through competitive analysis provide information such as product information, project data, financial status, and in some cases intellectual property.
Good places to obtain competitive information are:
When analyzing these resources, look for specific types of information that can prove insightful such as the following:
Up to this point you may have collected a lot of information from various sources, but now is the time to fine-tune those results and look deeper. One of the tools you used earlier, Google, has much more power than you’ve taken advantage of so far. Now is the time to unleash the power of Google through a process known as Google hacking.
Google hacking is not anything new and has been around for a long time; it just isn’t widely known by the public. The process involves using advanced operators to fine-tune your results to get what you want instead of being left at the whim of the search engine. With Google hacking it is possible to fine-tune results to obtain items such as passwords, certain file types, sensitive folders, logon portals, configuration data, and other data.
Before you perform any Google hacking you need to be familiar with the operators that make it possible.
cache Displays the version of a web page that Google holds in its cache instead of the current version. Syntax: cache:<website name>
link Lists any web pages that contain links to the page or site specified in the query. Syntax: link:<website name>
info Presents information about the listed page. Syntax: info:<website name>
site Restricts the search to the location specified. Syntax: <keyword> site:<website name>
allintitle Returns pages with the specified keywords in their title. Syntax: allintitle:<keywords>
allinurl Returns only results with the specified query in the URL. Syntax: allinurl:<keywords>
If you are still a little confused about how these special queries and operators work, a very good resource is the Google Hacking Database (GHDB). This website (www.exploit-db.com/google-dorks/) has been maintained for a very long time; here you will find the operators described here along with plenty of new ones. It is through the observation of the queries and the results that they provide that you may be able to gain a better understanding of how things work.
Try using these Google hacks only after you have done some initial reconnaissance. The reasoning here is that after you have some initial information about a target from your more general investigation, you can then use a targeted approach based on what you have learned.
An important step in footprinting is to gain information, where possible, about a target’s network. Fortunately there are plenty of tools available for this purpose, many of which you may already be familiar with.
Whois This utility helps you gain information about a domain name, including ownership information, IP information, netblock data, and other information where available. The utility is freely available in Linux and Unix and must be downloaded as a third-party add-on for Windows.
Tracert This utility is designed to follow the path of traffic from one point to another, including intermediate points in between. The utility provides information on the relative performance and latency between hops. Such information can be useful if a specific victim is targeted because it may reveal network information such as server names and related details. The utility is freely available for all OSs.
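The Whois and Tracert output described above can be turned into the kind of footprinting notes the chapter asks you to keep (ownership, netblock, name servers, hop hostnames). The script below is an added example, not code from the book or from either utility; the WHOIS record and traceroute listing it parses are constructed samples using reserved example addresses, and the same parsing lets a defender audit what their own registration and edge routers expose.

```python
"""Parse WHOIS and traceroute output into structured footprinting notes."""
import re
from collections import defaultdict

# Constructed WHOIS output for a fictitious domain (not a real record).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, LLC
Creation Date: 2009-03-14T00:00:00Z
Registry Expiry Date: 2027-03-14T00:00:00Z
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
Registrant Organization: Example Corp
Admin Email: hostmaster@example.test
NetRange: 198.51.100.0 - 198.51.100.255
CIDR: 198.51.100.0/24
OrgName: Example Corp
"""

# Constructed Unix-style traceroute output, three RTT probes per hop.
SAMPLE_TRACEROUTE = """\
traceroute to www.example.test (198.51.100.10), 30 hops max, 60 byte packets
 1  gw.lab.test (192.0.2.1)  0.412 ms  0.380 ms  0.371 ms
 2  isp-edge-7.transit.test (203.0.113.9)  8.120 ms  7.991 ms  8.044 ms
 3  * * *
 4  fw-outer.example.test (198.51.100.1)  21.303 ms  21.117 ms  21.290 ms
 5  www.example.test (198.51.100.10)  21.977 ms  21.850 ms  21.901 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)((?:\s+[\d.]+ ms)+)")


def parse_whois(text):
    """Collect 'Key: Value' lines; repeated keys (e.g. Name Server) become lists."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip()].append(m.group(2).strip())
    return dict(fields)


def parse_traceroute(text):
    """Return one dict per hop; unresponsive hops ('* * *') keep host/ip as None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(4))]
            hops.append({"hop": int(m.group(1)), "host": m.group(2), "ip": m.group(3),
                         "avg_ms": round(sum(rtts) / len(rtts), 3)})
        elif re.match(r"^\s*\d+\s+\*", line):
            hops.append({"hop": int(line.split()[0]), "host": None, "ip": None, "avg_ms": None})
    return hops


def footprint_summary(whois_text, trace_text, target_domain):
    """Combine both outputs into the items the chapter lists for network footprinting."""
    w = parse_whois(whois_text)
    hops = parse_traceroute(trace_text)
    suffix = "." + target_domain.lower()
    # Hops whose reverse DNS falls inside the target's own domain expose its edge naming.
    target_hops = [h["host"] for h in hops if h["host"] and h["host"].lower().endswith(suffix)]
    return {
        "registrar": w.get("Registrar", [None])[0],
        "organization": w.get("Registrant Organization", [None])[0],
        "name_servers": [ns.lower() for ns in w.get("Name Server", [])],
        "netblock": w.get("CIDR", [None])[0],
        "contacts": sorted({v for k, vs in w.items() if "Email" in k for v in vs}),
        "target_hops": target_hops,
        "unresponsive_hops": [h["hop"] for h in hops if h["host"] is None],
    }


if __name__ == "__main__":
    for key, value in footprint_summary(SAMPLE_WHOIS, SAMPLE_TRACEROUTE, "example.test").items():
        print(f"{key}: {value}")
```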
Inside the system and working with it is the human being, which is frequently the easiest component to hack. Human beings tend to be, on average, fairly easy to obtain information from. Although Chapter 10, “Social Engineering,” delves into this topic in greater depth, I want to introduce some basic techniques that can prove useful at this stage of information gathering:
Eavesdropping This is the practice of covertly listening in on the conversations of others. It includes listening to conversations or just reading correspondence in the form of faxes or memos. Under the right conditions, you can glean a good amount of insider information using this technique.
Shoulder Surfing This is the act of standing behind a victim while they interact with a computer system or other medium while they are working with secret information. Using shoulder surfing allows you to gain passwords, account numbers, or other secrets.
Dumpster Diving This is one of the oldest means of social engineering, but it’s still an effective one. Going through a victim’s trash can easily yield bank accounts, phone records, source code, sticky notes, CDs, DVDs, and other similar items. All of this is potentially damaging information in the wrong hands.
This chapter explored the process of gaining information about a target. As you saw, the first step is to use search engines to gain initial information about a target with the goal of seeing what was available and how the data you discover can guide your future efforts.
In the next phase you move on to gathering information from other sources such as e-mail and financial resources. As you learned, e-mail tracking tools and notifications allow you to build a profile of target organizations and see how they respond to messages (which may assist in phishing efforts later).
Once you’ve gathered enough information, you try to refine the results to get to the information you truly want or can act upon. Using techniques such as Google hacking and social engineering, you can gain even more insight.
Understand the process of footprinting. Know how footprinting functions and what the ultimate goals of the process are. Understand the various types of information that may be obtained.
Know the different places and sources through which to gain information. Understand that a complete profile of an organization cannot be built from one source and that you must access and investigate many different sources to get a complete picture. You can use websites, people, and other sources to fill out the picture of your target.
Know how to do competitive analysis. Understand that if you run into a “black hole” and cannot get a complete picture from analyzing a target directly you can get information from competitors. Competitors and outside sources may have done research for you in the form of competitive analysis.
Which of the following best describes footprinting?
Which of the following cannot be used during footprinting?
Which of the following is used to increase access to a system?
Which of the following is the process of exploiting services on a system?
What is EDGAR used to do?
Which of the following is a method of manipulating search results?
Which of the following can an attacker use to determine the technology within an organization?
Which of the following can be used to assess physical security?
Which of the following can help you determine business processes of your target?
The Wayback Machine is used to do which of the following?
Which port number is used by DNS for zone transfers?
Which tool can be used to view web server information?
What can be configured in most search engines to monitor and alert you of changes to content?
What phase comes after footprinting?
If you can’t gain enough information directly from a target, what is another option?
What is the purpose of social engineering?
Which of the following would be effective for social engineering?
Footprinting can determine all of the following except:
Footprinting has two phases:
Which tool can trace the path of a packet?