Ceh v5 module 02 footprinting

Ethical Hacking
Version 5
Module II
Footprinting

EC-Council
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objective
This module will familiarize you with the following:
Overview of the Reconnaissance Phase
Footprinting: An Introduction
Information Gathering Methodology of Hackers
Competitive Intelligence gathering
Tools that aid in Footprinting
Footprinting steps

EC-Council
Module Flow
Reconnaissance Phase
Steps to perform
Footprinting
Competitive Intelligence
Gathering
Information Gathering
Methodology
Tools Used for
Footprinting
Footprinting

EC-Council
Revisiting Reconnaissance
Clearing
Tracks
Maintaining
Access
Gaining
Access
Scanning
Reconnaissance
Clearing
Tracks
Maintaining
Access
Gaining
Access
Scanning
Reconnaissance
Reconnaissance refers to the
preparatory phase where an
attacker seeks to gather as
much information as possible
about a target of evaluation
prior to launching an attack
It involves network scanning,
either external or internal,
without authorization

EC-Council
Defining Footprinting
Footprinting is the blueprint of the
security profile of an organization,
undertaken in a methodological
manner
Footprinting is one of the three pre-
attack phases. The others are scanning
and enumeration
An attacker will spend 90% of the time
in profiling an organization and
another 10% in launching the attack
Footprinting results in a unique
organization profile with respect to
networks (Internet/
intranet/extranet/wireless) and
systems involved

EC-Council
Information Gathering Methodology
Unearth initial information
Locate the network range
Ascertain active machines
Discover open ports/access points
Detect operating systems
Uncover services on ports
Map the network

EC-Council
Unearthing Initial Information
Commonly includes:
• Domain name lookup
• Locations
• Contacts (telephone /
mail)
Information sources:
• Open source
• Whois
• Nslookup
Hacking tool
Sam Spade

EC-Council
Finding a Company’s URL
Search for a company’s URL using a search engine such as
www.google.com
Type the company’s name in the search engine to get the company
URL
Google provides rich information to perform passive
reconnaissance
Check newsgroups, forums, and blogs for sensitive information
regarding the network

EC-Council
Extracting Archive 0f a Website
You can get information on a company website since its
launch at www.archive.org
• For example: www.eccouncil.org
You can see updates made to the website
You can look for employee database, past products,
press releases, contact information, and more

EC-Council
People Search
You can find personal information using People search
For example, http://people.yahoo.com
• For example, http://www.intellius.com
You can get details like residential addresses, contact
numbers, date of birth, and change of location
You can get satellite pictures of private residences

EC-Council
Footprinting Through Job Sites
You can gather company infrastructure details
from job postings
Look for company infrastructure postings such as
“looking for system administrator to manage
Solaris 10 network”
This means that the company has Solaris networks
on site
• E.g., www.jobsdb.com
Job requirements
Employee profile
Hardware information
Software information

EC-Council
Passive Information Gathering
To understand the current security status of a particular Information
System, organizations perform either a Penetration Testing or other
hacking techniques
Passive information gathering is done by finding out the details that
are freely available over the Internet and by various other techniques
without directly coming in contact with the organization’s servers
Organizational and other informative websites are exceptions as the
information gathering activities carried out by an attacker do not
raise suspicion

EC-Council
Competitive Intelligence Gathering
“Business moves fast. Product cycles are
measured in months, not years. Partners
become rivals quicker than you can say
‘breach of contract.’ So how can you possibly
hope to keep up with your competitors if you
can't keep an eye on them?”
Competitive intelligence gathering is the
process of gathering information about your
competitors from resources such as the
Internet
The competitive intelligence is non-
interfering and subtle in nature
Competitive intelligence is both a product and
a process

EC-Council
Competitive Intelligence Gathering (cont’d)
The various issues involved in competitive intelligence are:
• Data gathering
• Data analysis
• Information verification
• Information security
Cognitive hacking:
• Single source
• Multiple source

EC-Council
Why Do You Need Competitive
Intelligence?
Compare your products with that of your
competitors’ offerings
Analyze your market positioning compared to the
competitors
Pull up list of competing companies in the
market
Extract salesperson’s war stories on how deals
are won and lost in the competitive arena
Produce a profile of CEO and the entire
management staff of the competitor
Predict their tactics and methods based on their
previous track record

EC-Council
Companies Providing Competitive
Intelligence Services
Carratu International
• http://www.carratu.com
CI Center
• http://www.cicentre.com
CORPORATE CRIME MANAGEMENT
• http://www.assesstherisk.com
Marven Consulting Group
• http://www.marwen.ca
SECURITY SCIENCES CORPORATION
• http://www.securitysciences.com
Lubrinco
• http://www.lubrinco.com

EC-Council
Competitive Intelligence - When Did This
Company Begin? How Did It Develop?
Laser D for Annual Reports to Stockholders & 10-Ks (Reference Room -
workstation #12)
EDGAR database - for 10-K and other report filed with the SEC (also
Business Database Selection Tool)
International Directory of Company Histories (Reference - HD 2721 D36)
Mergent Online - company history and joint ventures (Business Database
Selection Tool)
Notable Corporate Chronologies (Reference - HD 2721 N67 1995)
ORION, UCLA's Online Library Information System (Business Database
Selection Tool)
Enter Search Terms: general electric [for books on GE] , click on
button: Search Subject Words

EC-Council
Competitive Intelligence - Who Leads This
Company?
ABI/INFORM Global (Business Database Selection Tool)
Search for: microsoft in Subject; AND; biographies in
Subject; Search
Hoover's Online - Company Profile includes Key People. (Business
Database Selection Tool)
Also in print as Hoover's Handbook of American Business (Reference -
HG 4057 A28617)
National Newspaper Index (Business Database Selection Tool)
Type in: exxon ; Search
Reference Book of Corporate Managements (Reference Index Area,
section 5)
Who's Who in Finance and Industry (Reference Index Area, section 5)

EC-Council
Competitive Intelligence - What Are This
Company's Plans?
ABI/INFORM Global (Business Database Selection Tool)
Search for: mci in Company/Org.; AND; alliances in Subject;
OR; market strategy in Subject; Search
LexisNexis Academic (Business Database Selection Tool)
Business; Industry & Market; Keyword: Palm; Industry:
Computer & Telecom; Date: Previous six months; Search
Business & Industry® (Web) (Business Database Selection
Tool)
200X BUS_IND, Open; Search/Modify, Company Name;
Search/Modify, Business Subject, Modify: Company
Forecasts; OK
Factiva (Business Database Selection Tool)
Enter free-text terms: intel near plans; Select date: in the last
year; Select sources: All Content; Run Search

EC-Council
Competitive Intelligence - What Does
Expert Opinion Say About The Company?
ABI/INFORM Global [academics] (Business
Database Selection Tool)
First Call [analyst reports] (Business Database
Selection Tool)
FINDEX: Directory of Market Research
Reports (Reference - HF 5415.2 F493)
Market Research Monitor (Business Database
Selection Tool)
Multex [analyst reports] (Business Database
Selection Tool)
Nelson's Directory of Investment Research (Reference
- HG 4907 N43)
Wall Street Transcript "TWST Roundtable Forums"
and "CEO Forums" Features (Unbound Periodicals -
2nd floor)
[analysts' discussion of a given industry, see this
sample issue with Semiconductor Equipment Industry
Roundtable]

EC-Council
Competitive Intelligence - Who Are The
Leading Competitors?
Business Rankings Annual (Reference - HG 4057 A353)
Hoover's Online - Top Competitors free, More
Competitors available, use (Business Database Selection
Tool)
Market Share Reporter (Reference - HF 5410 M37)
U.S. Patent and Trademark Office [identify players in
emerging product areas, see also other patent resources ]
Reference USA [companies by SICs and
more] (Business Database Selection Tool)
TableBase (Web) [find market shares within
articles] (Business Database Selection Tool)
Ward's Business Directory of U.S. Private and Public
Companies (Reference Room, Index Section 1)
World Market Share Reporter (Reference - HF 1416
W67)

EC-Council
Public and Private Websites
A company might maintain public and private websites for
different levels of access
Footprint an organization’s public www servers
• Example:
– www.xsecurity.com
– www.xsecurity.net
– www.xsecurity.net
Footprint an organization’s sub domains (private)
• Example:
– http://partners.xsecurity.com
– http://intranet.xsecurity.com
– http://channels.xsecurity.com
– http://www2.xsecurity.com

EC-Council
DNS Enumerator
DNS Enumerator is an automated sub-domain retrieval tool
It scans Google to extract the results

EC-Council
SpiderFoot
SpiderFoot is a free, open-source, domain footprinting tool which
will scrape the websites on that domain, as well as search Google,
Netcraft, Whois, and DNS to build up information like:
• Subdomains
• Affiliates
• Web server versions
• Users (i.e. /~user)
• Similar domains
• Email addresses
• Netblocks

EC-Council
SpiderFoot

EC-Council
Sensepost Footprint Tools - 1
www.sensepost.com
BiLE.pl
• BiLE leans on Google and HTTrack to automate the collections to and from
the target site, and then applies a simple statistical weighing algorithm to
deduce which websites have the strongest relationships with the target site
• Command:
– perl BiLE.pl www.sensepost.com sp_bile_out.txt
BiLE-weigh.pl
• BiLE-weigh, which takes the output of BiLE and calculates the significance of
each site found
• Command:
– perl bile-weigh.pl www.sensepost.com
sp_bile_out.txt.mine out.txt
tld-expand.pl
• The tld-expand.pl script is used to find domains in any other TLDs
• Command:
– perl exp-tld.pl [input file] [output file]

EC-Council
www.sensepost.com
vet-IPrange.pl
• The results from the BiLE-weigh have listed a number of domains with
their relevance to target website
• Command:
– perl vet-IPrange.pl [input file] [true domain file] [output file]
<range>BiLE-weigh.pl
qtrace.pl
• qtrace is used to plot the boundaries of networks. It uses a heavily
modified traceroute using a #custom compiled hping# to perform
multiple traceroutes to boundary sections of a class C network
• Command:
– perl qtrace.pl [ip_address_file] [output_file]
vet-mx.pl
• The tool performs MX lookups for a list of domains, and stores each IP it
gets in a file
• Command:
– perl vet-mx.pl [input file] [true domain file] [output file]

EC-Council
www.sensepost.com
jarf-rev
• jarf-rev is used to perform a reverse DNS lookup on an IP range. All
reverse entries that match the filter file are displayed to screen
• Command:
– perl jarf-rev [subnetblock]
– perl jarf-rev 192.168.37.1-192.168.37.118
jarf-dnsbrute
• The jarf-dnsbrute script is a DNS brute forcer, for when DNS zone
transfers are not allowed. jarf-dnsbrute will perform forward DNS
lookups using a specified domain name with a list of names for hosts.
• Command:
– perl jarf-dnsbrute [domain_name] [file_with_names]

EC-Council
Wikito Footprinting Tool

EC-Council
Web Data Extractor Tool
Use this tool to extract
targeted company’s
contact data (email,
phone, fax) from the
Internet
Extract url, meta tag
(title, desc, keyword) for
website promotion,
search directory creation,
web research

EC-Council
Additional Footprinting Tools
Whois
Nslookup
ARIN
Neo Trace
VisualRoute Trace
SmartWhois
eMailTrackerPro
Website watcher
Google Earth
GEO Spider
HTTrack Web Copier
E-mail Spider

EC-Council
Online Whois Tools
www.samspade.org
www.geektools.com
www.whois.net
www.demon.net

EC-Council
Extract DNS information
Using www.dnsstuff.com, you can extract
DNS information such as:
• Mail server extensions
• IP addresses

EC-Council
Types of DNS Records

EC-Council
Necrosoft Advanced DIG
Necrosoft Advanced
DIG (ADIG) is a
TCP-based DNS
client that supports
most of the available
options, including
AXFR zone transfer

EC-Council
Locate the Network Range
Commonly includes:
• Finding the range of IP
addresses
• Discerning the subnet
mask
Information Sources:
• ARIN (American Registry
of Internet Numbers)
• Traceroute
Hacking Tool:
• NeoTrace
• Visual Route

EC-Council
ARIN
http://www.arin.net/whois/
ARIN allows searches on the
whois database to locate
information on a network’s
autonomous system numbers
(ASNs), network-related
handles, and other related
point of contact (POC)
ARIN whois allows querying
the IP address to help find
information on the strategy
used for subnet addressing

EC-Council
Traceroute
Traceroute works by exploiting a feature of the Internet
Protocol called TTL, or Time To Live
Traceroute reveals the path IP packets travel between two
systems by sending out consecutive sets of UDP or ICMP
packets with ever-increasing TTLs
As each router processes an IP packet, it decrements the
TTL. When the TTL reaches zero, that router sends back a
"TTL exceeded" message (using ICMP) to the originator
Routers with reverse DNS entries may reveal the name of
routers, network affiliation, and geographic location

EC-Council
Trace Route Analysis
Traceroute is a program that can be used to determine the path
from source to destination
By using this information, an attacker determines the layout of a
network and the location of each device
For example, after running several traceroutes, an attacker might
obtain the following information:
• traceroute 1.10.10.20, second to last hop is 1.10.10.1
• traceroute 1.10.20.10, third to last hop is 1.10.10.1
• traceroute 1.10.20.15, third to last hop is 1.10.10.1
By putting this information together we can diagram the network
(see the next slide)

EC-Council
Tool: NeoTrace (Now McAfee Visual
Trace)
NeoTrace shows the
traceroute output
visually – map view,
node view, and IP
view

EC-Council
GEOSpider
GEO Spider helps you to
detect, identify and
monitor your network
activity on world map
You can see website, IP
address location on the
Earth
GEO Spider can trace a
hacker, investigate a
website, trace a domain
name

EC-Council
Geowhere Footprinting Tool
Geowhere handles many popular newsgroups to find answers to your
queries in an easy and fast manner
Geowhere can also seek information from country specific search engines
for better results
Use Geowhere to footprint an organization
• Newsgroups Search
• Mailing list finder
• Easy Web Search
• Daily News

EC-Council
GoogleEarth
Google Earth puts a
planet's worth of
imagery and other
geographic
information right on
your desktop
You can footprint the
location of a place
using GoogleEarth
Valuable tool for
Hackers

EC-Council
Tool: VisualRoute Trace
www.visualware.com/download/
It shows the connection path
and the places where bottlenecks occur

EC-Council
Kartoo Search Engine
www.kartoo.com

EC-Council
Touchgraph Visual Browser
www.touchgraph.com

EC-Council
Tool: SmartWhois
http://www.softdepia.com/smartwhois_download
_491.html
SmartWhois is a useful network information utility
that allows you to find out all available information
about an IP address, host name, or domain,
including country, state or province, city, name of
the network provider, administrator, and technical
support contact information
Unlike standard Whois utilities,
SmartWhois can find the
information about a computer
located in any part of the world,
intelligently querying the right
database and delivering all the
related records within a short time

EC-Council
VisualRoute Mail Tracker
It shows the number of
hops made and the
respective IP addresses,
the node name, location,
time zone, and network

EC-Council
Tool: eMailTrackerPro
eMailTrackerPro is the email
analysis tool that enables analysis
of an email and its headers
automatically, and provides
graphical results

EC-Council
Tool: Read Notify
www.readnotify.com
Mail Tracking is a tracking service that allows you to track when your mail was
read, for how long and how many times, and the place from where the mail has
been posted. It also records forwards and passing of sensitive information (MS
Office format)

EC-Council
HTTrack Web Site Copier
This tool mirrors an
entire website to the
desktop
You can footprint the
contents of an entire
website locally rather
than visiting the
individual pages
Valuable footprinting
tool

EC-Council
Web Ripper Tool

EC-Council
robots.txt
This page located at the root folder holds a list of
directories and other resources on a site that the owner
does not want to be indexed by search engines
All search engines comply to robots.txt
You might not want private data and sensitive areas of a
site, such as script and binary locations indexed
Robots.txt file
User-agent: *
Disallow: /cgi-bin
Disallow: /cgi-perl
Disallow: /cgi-store

EC-Council
Website Watcher

EC-Council
E-Mail Spiders
Have you ever wondered how Spammers generate a huge mailing
databases?
They pick tons of e-mail addresses from searching the Internet
All they need is a web spidering tool picking up e-mail addresses
and storing them to a database
If these tools are left running the entire night, they can capture
hundreds of thousands of e-mail addresses
Tools:
• Web data Extractor
• 1st E-mail Address Spider

EC-Council
1st E-mail Address Spider

EC-Council
Power E-mail Collector Tool
Power E-mail Collector is a powerful email address harvesting program
It can collect up to 750,000 unique valid email addresses per hour with a
Cable/DSL connection
It only collects valid email addresses
You do not have to worry about ending up with undeliverable addresses
How does it work?
• Just enter a domain that you want to collect email addresses from and press the
start button. The program opens up many simultaneous connections to the
domain and begins collecting addresses

EC-Council
Steps to Perform Footprinting
Find companies’ external and internal URLs
Perform whois lookup for personal details
Extract DNS information
Mirror the entire website and look up names
Extract archives of the website
Google search for company’s news and press releases
Use people search for personal information of employees
Find the physical location of the web server using the tool
“NeoTracer”
Analyze company’s infrastructure details from job postings
Track the email using “readnotify.com”

EC-Council
Summary
Information gathering phase can be categorized broadly into seven
phases
Footprinting renders a unique security profile of a target system
Whois and ARIN can reveal public information of a domain that can
be leveraged further
Traceroute and mail tracking can be used to target specific IP, and
later for IP spoofing
Nslookup can reveal specific users, and zone transfers can
compromise DNS security

Ceh v5 module 02 footprinting

More Related Content

What's hot (20)

Viewers also liked (13)

Similar to Ceh v5 module 02 footprinting (20)

More from Vi Tính Hoàng Nam (20)

Recently uploaded (20)

Ceh v5 module 02 footprinting