Footprinting FAQ v0.1
________________________________________________________________________

Maintained by tag
Tuesday, October 24th, 2000
Long Island Underground Networks
http://liun.hektik.org

The following is a list of questions that are frequently asked about footprinting. To contribute to the FAQ, please send all questions, comments and suggestions to contagis@yahoo.com.

Introduction

* What is footprinting?
* What can I find footprinting?
* What good does it do me?
* Where do I start?
* Ok I did what you said and wrote everything down, now what?
* References
* Appendixes

What is footprinting?

The best description I have found for footprinting was from the book "Hacking Exposed" (1):

"The systematic footprinting of an organization's security posture. By using a combination of tools and techniques, attackers can take an unknown quantity (Widget Company's Internet connection) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet. While there are many types of footprinting techniques, they are primarily aimed at discovering information related to these technologies: Internet, intranet, remote access, and extranet."

What can I find footprinting?

The size of the company or organization that you are footprinting will determine how much information you find out about it. The majority of the information will include IP addresses, operating system types, port numbers and services, phone numbers (either dialups into internal networks or just a voice mail system), and sometimes you will even find logins on a website; while they may not be for the system you're looking for, they are a good start. Routing tables are also good because they will let you know what other IP ranges you need to scan and what routers control information between internal and external systems.
E-mail addresses and a simple link to another site can all aid you in exploiting the target.

What good does it do me?

Well, that's easy: why would you waste your time attempting to access a system or network when you can make it easy on yourself by gathering all the information you need and simply going after systems which are vulnerable? I don't think you would want to be scanning a complete subnet of VMS machines and at the same time looking for NetBIOS. All in all it will save you time and make it much easier for you to gain access to the network. In some cases, as I said, you can even find logins and dialups right on the website of the company.

Where do I start?

To start off, first ask yourself this question: is this company or organization so big that I have to target my footprint to a specific area? Or is this the ISP down the block that has under a dozen servers and nodes? I will compare large and small like this. A large university can be completely footprinted, but it's not practical to do so. A large university will most often have complete subdomains for areas of study like math.something.edu, cs.something.edu, etc. In that case it's up to you as to how much time you want to spend gathering information. A small university can be completely footprinted in easily under a day.

Once you decide which way you're going to approach this, the first thing you should do is gather information about your target's domain. Be sure to log all this too. Also, this is not the order in which you have to do things; I just numbered them to make it easier to read.

1. Run a whois on the target domain.
2. Check if host -l reveals anything; if so, run host -l -v -t any something.com.
3. If you get a refused query, then use nmap or another port scanner to ping sweep the IP of the domain. Then DNS any other IP that responds to the ping, and if you see something that may be another subnet, ping sweep that too.
4. Use nmap to check for services on all the hosts and also check the OS.
5. Check for links on the target site that point to other computers on the company subnet.
6. Gather all e-mail addresses found on the site that are for people who work for the company.
7. On the company's website, view the HTML source and look for comments and other information such as where directories are and what the names are.
8. If the target has a search engine for their site, run words like these through it: dialin, dial-in, dialup, dial-up, modem, phone number, login, userid, access, internal. You may say, isn't dialin and dial-in the same? Well, from personal experience it can mean the difference between getting back 0 results and getting back links to pages with dialups to internal systems.
9. Also see if they have a company phone directory online.
10. If you see on your target's site that they talk about working with another company or something, write down the name of the other company.
11. Go to search engines and enter the target's name and see what other sites link to them; if there is another company working with your target, make note of it.
12. Run the target's name through usenet search engines.

Ok I did what you said and wrote everything down, now what?

Now I will go over exploiting the information. All the information has some type of value; it just depends on what other information you got and how you plan to access the target.

1. Whois will give you phone numbers, e-mail addresses, locations, and other contact information. If you're good at social engineering then this will help you a lot.
2. Running host -l or host -l -v -t any will let you gather IPs, which you should then scan looking for services on each host and also checking to see what each host's operating system is. From there you can determine what computers are vulnerable to what exploits.
3. E-mail addresses help because you can spoof mail and attempt to get private information, or you can simply mail someone a trojan in the event you can't get in; you most likely will never have to do this.
4. By viewing HTML you can get an idea of the directory structure, and from there you can see if manipulating the URL will allow you to get the entire directory index and view files you would normally not have access to.
5. If you run words like dialin and login through a company's search engine and get a phone number or login, you can either gain access to a system, or even just having the dialin is fine since you have some phone numbers and will possibly get more later. Social engineering is best for finding logins to internal networks, but you should know who is who in the company before calling anyone. For instance, if you want to break into a bank, a copy of the quarterly report is always a good thing to have.
6. A company phone directory is good just so you can write down important phone numbers for later use if you plan to social engineer anyone.
7. If you see on your target's site that they are working with another company for whatever reason, keeping track of this other company will be good, because if you can't get into your target directly maybe you can get in by a different route, in this case through this other company. If you exploit this other company you can attempt to sniff a login onto your original target's network. This is what's known as exploiting the weakest link. Just because your target is secure doesn't mean everyone they work with is. If you do this, my favorite command is grep telnet /home/*/.bash_history, or whatever works on the given system.
8. By running your target's name through search engines you can find out about more companies working with them, which can possibly give you more areas to exploit if needed.
9. Running the target's name through usenet is like a grab bag; you never know what you will find, which is why it's a good idea to do it. Maybe one of their administrators needed help configuring NIS or something. Either way it's a good idea to do it.

References

(1) Hacking Exposed: Network Security Secrets & Solutions, by Stuart McClure, Joel Scambray, and George Kurtz. ISBN: 0-07-212127-0

Appendixes

Search engines
* Altavista - Find sites that link to your target
* Yahoo - Same as above
* Dogpile - Search multiple search engines
* Google - Google Search Engine
* SEC - Get detailed information about the company and its associates
* ARIN - American Registry for Internet Numbers

Scanners
* nmap
* ISS
* Cybercop
* Winfingerprint

Exploits
* Technotronic
* BugTraq

Information Retrieval (names, addresses, e-mail addresses, phone numbers, etc.)
* http://people.yahoo.com
* http://www.anywho.com
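Checklist items 5, 7 and 8 above describe reading a site's HTML for links to other hosts, for comments that name directories, and for the sensitive-word list. The same three checks, run by a site owner over their own pages, find those leaks before anyone else does. The following is an added example and is not code from the original FAQ: the word list is taken from item 8, while the path pattern, the function names and the SAMPLE_PAGE markup are constructed for the demonstration.

```python
"""Audit a page's HTML for the leaks that checklist items 5, 7 and 8 look for.

Added example, not code from the original FAQ. SAMPLE_PAGE is a constructed page
containing each kind of leak; PATH_RE and the function names are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Word list from checklist item 8 of the FAQ, matched on word boundaries so
# "modem" does not fire on "modems.txt" but does fire on "a modem bank".
SENSITIVE_WORDS = ("dialin", "dial-in", "dialup", "dial-up", "modem",
                   "phone number", "login", "userid", "access", "internal")
WORD_RES = {w: re.compile(r"\b" + re.escape(w) + r"\b") for w in SENSITIVE_WORDS}

# Anything shaped like a UNIX path or a Windows drive path inside a comment.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)[\w./\\-]+")

# Constructed sample page (not a real site) containing each kind of leak.
SAMPLE_PAGE = """<html><head><title>Widget Company</title></head>
<body>
<!-- TODO: remove before launch, staff pages live in /staff/internal/ -->
<!-- old dialin number list moved to /docs/modems.txt -->
<h1>Welcome to Widget Company</h1>
<p>For remote access please use the employee login page.</p>
<a href="http://intranet.widget.example/">Intranet</a>
<a href="/about.html">About us</a>
</body></html>"""


class LeakCollector(HTMLParser):
    """Collect comments, visible text and link targets separately."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.text_chunks = []
        self.hrefs = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_data(self, data):
        if data.strip():
            self.text_chunks.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _collect(html):
    parser = LeakCollector()
    parser.feed(html)
    parser.close()
    return parser


def audit_html(html):
    """Return (kind, evidence) findings: paths and keywords in comments, keywords in text."""
    parser = _collect(html)
    findings = []
    for comment in parser.comments:
        for path in PATH_RE.findall(comment):
            findings.append(("comment-path", path))
        lowered = comment.lower()
        for word, pattern in WORD_RES.items():
            if pattern.search(lowered):
                findings.append(("comment-keyword", word))
    visible = " ".join(parser.text_chunks).lower()
    for word, pattern in WORD_RES.items():
        if pattern.search(visible):
            findings.append(("text-keyword", word))
    return findings


def linked_hosts(html, own_host):
    """Return hostnames linked from the page other than the site's own (item 5)."""
    hosts = set()
    for href in _collect(html).hrefs:
        host = urlsplit(href).hostname
        if host and host != own_host:
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(*finding)
    print("other hosts linked:", sorted(linked_hosts(SAMPLE_PAGE, "www.widget.example")))
```

On the sample page this reports two leaked paths and one keyword from each comment, two keywords from the visible text, and one linked host that is not the public site; the comments are the cheapest thing to clean up, since a reader of the source sees them and a visitor never does.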
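Checklist steps 3 and 4 above (a ping sweep of the address range, then an nmap service and OS check on every host that answered) leave a recognisable trace on the target's side: one source touching many distinct hosts, then many distinct ports on one host, within a short window. The following is an added example and is not code from the original FAQ: the log format is an assumed, simplified iptables-style line, the thresholds and window size are assumptions, and the log lines are constructed.

```python
"""Spot the ping sweep and service scan of checklist steps 3 and 4 in firewall logs.

Added example, not code from the original FAQ. LOG_RE describes an assumed,
simplified iptables-style line; adapt it to your own device. The sample lines are
constructed: one source sweeps 203.0.113.1-12 with ICMP and then probes six ports
on 203.0.113.5, while a second source makes two ordinary connections.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) kernel: DROP IN=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?"
)
EPOCH = datetime(1970, 1, 1)

WINDOW_SECONDS = 60   # bucket size for counting (assumed)
HOST_THRESHOLD = 10   # distinct destination hosts from one source per window (assumed)
PORT_THRESHOLD = 5    # distinct destination ports on one host per window (assumed)


def build_sample_log():
    """Constructed log lines (not real traffic)."""
    lines = []
    for i in range(1, 13):
        lines.append(f"2000-10-24T22:01:{i:02d} kernel: DROP IN=eth0 "
                     f"SRC=198.51.100.7 DST=203.0.113.{i} PROTO=ICMP")
    for port in (21, 22, 23, 25, 80, 110):
        lines.append(f"2000-10-24T22:02:{port % 60:02d} kernel: DROP IN=eth0 "
                     f"SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT={port}")
    lines.append("2000-10-24T22:01:30 kernel: DROP IN=eth0 SRC=192.0.2.9 "
                 "DST=203.0.113.80 PROTO=TCP DPT=443")
    lines.append("2000-10-24T22:01:40 kernel: DROP IN=eth0 SRC=192.0.2.9 "
                 "DST=203.0.113.80 PROTO=TCP DPT=443")
    lines.append("noise: a line that does not match the format")
    return lines


def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts"))
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": m.group("dpt")}


def detect_sweeps(lines):
    """Return alerts: ("ping-sweep", src, hosts) or ("port-scan", src, dst, ports)."""
    hosts_seen = defaultdict(set)   # (src, window) -> distinct destination hosts
    ports_seen = defaultdict(set)   # (src, dst, window) -> distinct destination ports
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        window = int((rec["ts"] - EPOCH).total_seconds()) // WINDOW_SECONDS
        hosts_seen[(rec["src"], window)].add(rec["dst"])
        if rec["dpt"] is not None:
            ports_seen[(rec["src"], rec["dst"], window)].add(rec["dpt"])
    alerts = []
    for (src, _window), dsts in sorted(hosts_seen.items()):
        if len(dsts) >= HOST_THRESHOLD:
            alerts.append(("ping-sweep", src, len(dsts)))
    for (src, dst, _window), ports in sorted(ports_seen.items()):
        if len(ports) >= PORT_THRESHOLD:
            alerts.append(("port-scan", src, dst, len(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(build_sample_log()):
        print(*alert)
```

The two counters deliberately look at different things: the sweep counter cares only about how many hosts one source touched, the scan counter about how many ports on a single host, so a slow scanner that spreads probes over several windows drops below both thresholds and would need a longer window or a cumulative count to catch.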