Footprinting - PowerPoint PPT Presentation

1 / 35
About This Presentation
Title:

Footprinting

Description:

Footprinting Introduction What information needed to be identify How to get these information Introduction What is footprinting Create a complete profile of an ... – PowerPoint PPT presentation

Number of Views:321
Avg rating:3.0/5.0
Slides: 36
Provided by: OOP
Category:

less

Transcript and Presenter's Notes

Title: Footprinting


1
Footprinting
  • Introduction
  • What information needed to be identify
  • How to get these information

2
Introduction
  • What is footprinting
  • Create a complete profile of an organizations
    security posture
  • Why is footprinting necessary
  • You would not miss key pieces of information
    related to specific technology
  • Who does attacking
  • Script kiddie
  • Special Purpose attackers
  • Malicious insider
  • Temporary employee
  • Hacker

3
Introduction Purpose of attackers
  • Just for fun
  • Try their tools
  • Get information
  • Steal Bandwidth
  • Use your computer to attack
  • Get privilege account

4
What information needed to be identify
  • Internet
  • Domain name
  • Network blocks
  • IP address (can be reached)
  • IDS, Firewall (if possible)
  • System enumeration

5
What information needed to be identify
  • Intranet
  • Network protocols in use
  • Internal domain name
  • IP address via the intranet
  • System architecture
  • Access control mechanisms and ACLs
  • IDS
  • System enumeration
  • Routing tables

6
Steps of footprinting
  • Determine the scope of your activities
  • Webferret (A tool)
  • www.dogpile.com, altavista, edgar
  • Social Engineering
  • An example of gather information
  • Network Enumeration
  • DNS interrogation
  • Network Reconnaissance

7
Determine the scope of your activities
  • Step 1 Peruse the target organizations web
    page, look for information about
  • Locations to get an idea of the physical
    location of the server
  • Related companies or entities to determine point
    with weaker security, to start from
  • Merger or acquisition news to determine possible
    weak points in the network
  • Phone numbers to have a place to dial in from
    outside
  • Contact names and email addresses to obtain use
    names
  • Privacy or security policies indicating the types
    of security mechanisms in place to find the type
    of security mechanisms in place
  • Links to other web servers related to the
    organization to determine possible weak points
  • (Give an example of web page our web site)

8
A Tool Webferret
  • Search 15 search engines at the same time
  • Log your search results

9
Webferret setting
  • Search the entire page, search the abstract and
    title, search the URL
  • None, Remove duplicate URLs, Remove duplicate
    titles, ..

10
Search Result
11
Edgar search
  • Financial search site (http//www.sec.gov/cgi-bin/
    srch-edgar)
  • Hacking exposed suggest we read 10-Q and 10-K
  • Example search amazon
  • Q-10
  • Balance Sheet
  • K-10
  • Can get many contact information (amazons)

12
What Q-10 says
  • PART I.    FINANCIAL INFORMATION
  •  Item 1.    Financial Statements (Unaudited)
                   
  • Consolidated Balance SheetsMarch 31, 2001 and
    December 31, 2000   
  • Consolidated Statements of OperationsThree
    months ended March 31, 2001 and 2000  
  • Consolidated Statements of Cash FlowsThree
    months ended March 31, 2001 and 2000
  • Notes to Consolidated Financial StatementsMarch
    31, 2001
  • Item 2.    Managements Discussion and Analysis
    of Financial Condition and Results of Operations
  • Item 3.    Quantitative and Qualitative
    Disclosure of Market Risk
  • PART II.    OTHER INFORMATION  
  • Item 1.    Legal Proceedings
  • ..

13
What 10-K says
  • PART I
  • Item 1. Business
  • Item 2. PropertiesItem 3. Legal Proceedings
  • Item 4. Submission of Matters to a Vote of
    Security Holders
  • PART II Item 5. Market for the Registrant's
    Common Stock and Related Stockholder Matters
  • Item 6. Selected Consolidated Financial Data
  • Item 7. Management's Discussion and Analysis of
    Financial Condition and Results of Operations

14
Is these information useful?An Example of Social
Engineering
  • Story From Taiwan.cnet.com
  • Goal find everything related to someone
  • Assumption We know his/her name, location of
    his/her working place
  • Target victim Margaret Truman (false name)
  • Step1 Search engine
  • Yahoo, people search? get phone number and
    address (wrong place hundred miles away)
  • Bigfoot, InfoSpace ? find nothing
  • AOL, Netfind, Switchboard? bingo

15
The Story (contd.)
  • Step 2 Find his/her full name
  • Found some books she wrote, and articles she
    wrote
  • Know her college name, and the year she graduated
  • She teach somewhere
  • The address book of her college tell me her
    abandon e-mail address
  • Her name is E. Margaret Truman (Margaret is her
    middle name)
  • Step 3 Find her SSN (Social Security Number)
  • Private investigator (On Web Site)
  • In 24 hours
  • Real full name Erin Margaret Truman
  • SSN

16
The Story (contd.)
  • Get private information
  • Experian, Equifax, TransUnion
  • ???? ?????? ??????????? ??????? ????
    ???????/?????

17
Gather information Our web site
  • ??gt gt ?????????MIS,gt gt ????????????,gt gt
    ??e-mail???????gt gt ??
  • ??? (Nike Chan)TEL02-2696-2366M/B0922-416803e
    -mail nike_at_gennet.com.tw

18
Our crew revealed their personal information to
everyone?
  • ???,???????83?A?,??801011
  • , ????02-25772696
  • ????02-26962366-213
  • ????02-25772696, 0950330322099
  • ???????68?10?4?1F
  • Stewart_at_www.gennet.com.tw? failure
  • Try Stewart_at_www.gennet.com.tw
  • ?????????,????,??????????????????,,????????,??
    ??????????
  • stewart_at_mail.gennet.com.tw
  • Goal MIS account

19
Information Found on internet An term project
report
  • Smurf Denial of Service
  • ??
  • ???????????????-??????ServerGuard???????140.128.10
    1.110?..

20
Information Found on internet
  • ????????????????01/18/00 123518
  • ???????????????????Linux???????????????,??Linux???
    ?????????????????????????????????????????,????????
    ??Linux??????????

21
Information Found on internet
  • ?????-????î ?????1Q??????(????(2349)????????3990
    0?,???10?)?,?????????(??????????),????????????????
    ???28?????,????1H???1-2,000????,????????(?/???)??
    ?????(??????1,000????)?????????2Q???????????,?????
    ????(5341)???????????

22
Network Enumeration
  • Step2 Identify domain name and associated
    networks related to particular organization
  • Search
  • InterNIC database, run by Network Solutions
  • American Registry for Internet Numbers (ARIN)
  • Looking for the following type of information
  • RegistrarDisplays specific registrar information
    and associated whois servers
  • Organization Display all information related to
    a particular organization
  • Domain Displays all information related to a
    particular domain
  • Network Displays all information related to a
    particular network or IP address
  • Point of Contact (POC) Displays all information
    related to a specific person

23
Network Enumeration Tools
  • Whois
  • For windows http//www.networksoultion.com,
    http//www.arin.net
  • For Unix whois
  • ..
  • Whois server www.ripe.net, whois.apnic.net,
    whois.nic.gov, whois.nic.mil

24
Registrar Query
  • Get information from WWW.internic.net
  • Domain Name TRENDMICRO.COM
  • Registrar NETWORK SOLUTIONS, INC.
  • Whois Server whois.networksolutions.com
  • Referral URL http//www.networksolutions.com
  • Name Server WNS.TRENDMICRO.COM
  • Name Server WNSE.TRENDMICRO.COM
  • Updated Date 02-may-2001 Organization Query

25
Domain Query what we want are
  • The registrant
  • The domain name
  • The administrative contact
  • When the record was created and updated
  • The primary and secondary DNS servers

26
Domain Query
  • Get information from networksoultions.com
  • Registrant Trend Micro, Inc. (TRENDMICRO-DOM)
    10101 N. De Anza Blvd., 4th Floor Cupertino, CA
    95014 US
  • Domain Name TRENDMICRO.COM
  • Administrative Contact Trend, Dnsadmin (DTZ188)
    dnsadmin_at_TRENDMICRO.COM Trend Micro, Inc 2nd Flr.
    Cupertino, CA 95014 US 408-2571500 408-2572003
  • Technical Contact Chen, Jing (JC33946)
    jing_chen_at_TRENDMICRO.COM Trend Micro.com 10101 N.
    De Anza Blvd Cupertino, CA 95014 US 408-2571500
    408-2572003
  • Billing Contact Marienlund, Robin (RM26662)
    robin_marienlund_at_TRENDMICRO.COM Trend Micro, Inc
    10101 N. De Anza Blvd Cupertino, CA 95014
    408-8636307 (FAX) 408-2554521
  • Record last updated on 02-May-2001. Record
    expires on 21-Apr-2003. Record created on
    20-Apr-1995. Database last updated on 11-Jun-2001
    125600 EDT. Domain servers in listed order
  • WNS.TRENDMICRO.COM 208.185.125.8
  • WNSE.TRENDMICRO.COM 216.33.22.8

27
Network Query
  • Get information from networksoultions.com
  • Abovenet Communications, Inc. (NETBLK-ABOVENET-6)
    50 W. San Fernando St., Suite 1010 San Jose, CA
    95113 US
  • Netname ABOVENET-6
  • Netblock 208.184.0.0 - 208.185.255.255
  • Maintainer ABVE
  • Coordinator Metromedia Fiber Networks/AboveNet
    (NOC41-ORG-ARIN) noc_at_ABOVE.NET 408-367-6666 Fax-
    408-367-6688
  • Domain System inverse mapping provided by
    NS.ABOVE.NET 207.126.96.162 NS3.ABOVE.NET
    207.126.105.146
  • ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
  • Record last updated on 27-Apr-2001.
  • Database last updated on 9-Jun-2001 230436 EDT.

28
Domain Hijacking raised security Issue
  • Starting from (May 29)Contacted NSI and told
    NetSol to change the contact name and DNS/IP
    addressof web.net and bali.com
  • NSI allows change to be made if
  • Email is from whois record(Email-FROM)
  • Change administrative contact, and technical
    contact
  • The original registrar TUCOWS?
  • Bali.com, sex.net(recovered)
  • Web.net?

29
The story Now
  • Domain Name WEB.NET Registrar TUCOWS, INC.
    Whois Server whois.opensrs.net Referral URL
    http//www.opensrs.org Name Server NS2.WEB.NET
    Name Server NS.WEB.NET Name Server NS3.WEB.NET
    Updated Date 09-jan-2001
  • Last update of whois database Tue, 12 Jun 2001
    020913 EDT
  • The previous information has been obtained either
    directly from the registrant or a registrar of
    the domain name other than Network Solutions.
    Network Solutions, therefore, does not guarantee
    its accuracy or completeness.
  • Still Bill Tandoco

30
Domain name hijacking AOL
  • Oct. 16, 1998, Aol is victim, by Washington post
  • June 23, 1999 AOL Accused of Stealing web
    address for new search site
  • A new jersey woman
  • AOLsearch.com (African-American OnLine Search)
  • Wrong contact address ? lose domain name

31
Result from NSI whois
  • AOL search status
  • Access to America Online, Inc.'s WHOIS service is
    for information purposes. America Online, Inc.
    makes this service available "AS IS" and does not
    guarantee its accuracy or availability. By
    submitting a WHOIS query, you agree that you will
    use this service and the information we provide
    only for lawful purposes and that, under no
    circumstances will you use this service or the
    information we provide to (1) allow, enable, or
    otherwise support the transmission of mass
    unsolicited, commercial advertising or
    solicitations via email (spam) or (2) enable
    high volume, automated, electronic processes that
    apply to America Online, Inc. (or its systems).
    America Online, Inc. reserves the right to modify
    these terms at any time. By accessing and using
    our WHOIS service, you agree to these terms.

32
DNS Interrogation
  • Step3 DNS is a distributed database used to map
    IP address to hostnames and vice versa
  • Zone transfer
  • Misconfigurations allow untrusted internet users
    to perform DNS zone transfer
  • Example command nslookup, host, dig in unix
  • HINFO..
  • OS, test systems

33
Network Reconnaissance
  • Ones you have identified potential networks, we
    can attempt to determine their network topology
    as well as potential access path into the network
  • Example traceroute in unix
  • Number of routers

34
Topology Finding
  • traceroute to www.trend.com.tw (202.132.197.8),
    30 hops max, 40 byte packets
  • 1 r254.e1-213.csie.ncu.edu.tw (140.115.50.254)
    1 ms 1 ms 1 ms
  • 2 203.72.244.33 (203.72.244.33) 2 ms 2 ms 5
    ms
  • 3 203.72.244.225 (203.72.244.225) 4 ms 3 ms
    4 ms
  • 4 203.72.38.100 (203.72.38.100) 7 ms 13 ms
    11 ms
  • 5 140.111.4.227 (140.111.4.227) 7 ms 6 ms 5
    ms
  • 6 R58-131.seed.net.tw (139.175.58.131) 5 ms 4
    ms 6 ms
  • 7 139.175.70.2 (139.175.70.2) 6 ms 6 ms 13
    ms
  • 8 192.72.48.114 (192.72.48.114) 5 ms 6 ms 6
    ms
  • 9 fe-5-0-0.ar01.cn.tw.iasiaworks.net
    (202.132.174.67) 8 ms 7 ms 7 ms
  • 10 202.132.197.8 (202.132.197.8) 6 ms 5 ms 5
    ms

35
Tracroute S p 53 www.trendmicro.com
  • traceroute to trendmicro.com (216.33.22.216), 30
    hops max, 40 byte packets
  • 1 140.115.50.254 (140.115.50.254) 2 ms 1 ms 1
    ms
  • 2 203.72.244.33 (203.72.244.33) 2 ms 2 ms 2
    ms
  • 3 203.72.244.225 (203.72.244.225) 4 ms 5 ms
    2 ms
  • 4 TANet-defaultgateway.edu.tw (203.72.38.101)
    6 ms 4 ms 4 ms
  • 5 TANet-Internet.edu.tw (210.70.55.38) 272 ms
    262 ms
  • 6 12.126.195.13 (12.126.195.13) 326 ms 275
    ms
  • 7 gbr1-p70.sffca.ip.att.net (12.123.13.58) 282
    ms 282 ms
  • 8 gr2-p340.sffca.ip.att.net (12.123.12.233)
    259 ms 290 ms 338 ms
  • 9 att-gw.sf.exodus.net (192.205.32.106) 369
    ms 340 ms
  • 10 216.33.147.52 (216.33.147.52) 302 ms
  • 11
  • 12 dcr04-g4-0.sntc03.exodus.net
    (216.33.153.68) 339 ms
  • 13 csr01-ve240.sntc03.exodus.net
    (216.33.153.197) 419 ms
  • 29 203.72.244.225 (203.72.244.225) 9 ms
Write a Comment
User Comments (0)
About PowerShow.com