Footprinting tools for security auditors

Footprinting for securty auditors
Security track
Footprinting for security auditors
Jose Manuel Ortega
@jmortegac

Agenda
• Information gathering
• Footprinting tools
• Port scanning with nmap
• Nmap scripts

Security auditing phases
Analyze publicly
available
information. Set
scope of attack
and identify key
targets.
Check for
vulnerabilities
on each target
resource
Attack targets
using library of
tools and
techniques
Footprint
Analysis
Who is
DNS Lookup
Search Engines
Enumeration
Exploitation
Buffer Overflows
Spoofing
Password
Rootkit
Scanning
Machines
Ports
Applications

Security Track
Information Gathering

Footprinting (gather target information)
➔ names, addresses, system types, ...
Scanning (detect systems and services)
➔ response from network stack, applications, ...
Fingerprinting (identify topologies & systems)
➔ network layout, operating systems, services
passive
passive
or
active
active
Enumeration (collect access information)
➔ list of user accounts, share names, …
Sniffing (collect network traffic)
➔ addresses, names, information (passwords, ...)
Information gathering

Footprinting
• Identify locations, domain names, IP address
ranges, e-mail addresses, dial-in phone
numbers, systems used, administrator
names, network topology.
• Using public information.
• Without network /physical connection to the
target.

Security Track
Tools

Kali Linux

Whois Online Tools
• Get information about domains, IP address, DNS
• Identify the domain names and associated networks related to a
particular organization
• https://www.whois.net/
• https://tools.whois.net/
• http://www.whois.com/whois
• http://who.is
• http://toolbar.netcraft.com/site_report
• http://whois.domaintools.com/

Netcraft
• http://toolbar.netcraft.com/site_report/?url=fosdem.org

Whois

Whois command

Host command
• Ge IPv4,v6,mail server

Network tools
• http://network-tools.com/

NETWORK Tools
• https://www.dnssniffer.com/networktools

Robtex
• Provides graphical information from DNS and Whois
• https://www.robtex.com/dns-lookup/fosdem.org

Robtex

Nslookup
• Query DNS server in order to extract valuable information about the
host machine.
• Find names of machines through a domain/zone transfer
• Nslookup -d→ list all associated records for the domain

Dig /DNS Resolver

Dnsmap

Dnsenum

DnsRecon

Zone Transfer
• How does one provide security against DNS Interrogation?
• Restrict zone transfers to authorized servers.
• Set your firewall or router to deny all unauthorized inbound
connections to TCP port 53
• Best practice to restrict Zone transfers is review file
configuration /etc/bind/named.conf.local

Zone Transfer

The harvester
• Catalogue email address and subdomains from a specific domain.
• It works with all the major search engines including Bing and Google.
• The objective is to gather emails, subdomains, hosts, employee
names, open ports and banners from different public sources like
search engines, PGP key servers and SHODAN computer database.

The harvester

Subdomains
• https://api.hackertarget.com/hostsearch/?q=fosdem.org

Maltego

Maltego
∙ Company Stalker (this gathers email information)
∙ Footprint L1 (basic information gathering)
∙ Footprint L2 (moderate amount of information
gathering)
∙ Footprint L3 (intense and the most complete
information gathering)

Shodan

Censys.io

Mr looquer

Web robots
• https://wordpress.com/robots.txt
• https://wordpress.com/sitemap.xml

Web Archive

Spider foot

Scanning tools
• Active footprinting
• Number and type of opened ports
• Type of services running in the servers
• Vulnerabilities of the services and software
• Nmap is a great tool for discovering Open ports, protocol
numbers, OS details, firewall details, etc.

Security Track
NMAP

Nmap Port Scanner
• Unix-based port scanner
• Support for different
scanning techniques
• Detects operating system
of remote hosts
• Many configuration options
- timing
- scanned port range
- scan method
• Various front ends
for easier handling

Zenmap Port Scanner

Sparta

Nmap whois

Guessing the Operating System
• We can use the --osscan-guess option to force Nmap
into discovering the OS.

Banner Grabbing
nmap -p80 -sV -sT fosdem.org

Nmap Script Engine
• Simple scripts to automate a wide variety of networking
tasks
• Are written in Lua programming language.
• Network discovery
• Vulnerability detection
• Backdoor detection
• Vulnerability exploitation

Nmap Script Engine
usr/local/share/nmap/scripts

Nmap Script Engine
• https://github.com/cldrn/nmap-nse-scripts/tree/master/
scripts

Banner grabbing with nmap script
nmap --script banner fosdem.org

http-enum script
nmap -v --script http-enum.nse fosdem.org

↘mysql-databases
nmap -v -d -p3306 --script mysql-databases.nse
--script-args='mysqluser=root' 192.168.100.8

↘mysql-databases

Find vulnerabilities with nmap
•XSS / SQL Injection
↘nmap -p80 –script http-unsafe-output-escaping <target>
↘http://svn.dd-wrt.com/browser/src/router/nmap/scripts/http-un
safe-output-escaping.nse?rev=28293
↘https://nmap.org/nsedoc/scripts/http-unsafe-output-escaping.ht
ml

Security Track
Vulnerability Scanner

Arachni Vulnerability Scanner

Links & References
• http://www.0daysecurity.com/penetration-testing/net
work-footprinting.html
• http://nmap.org/nsedoc/
• https://secwiki.org/w/Nmap/External_Script_Library
• https://nmap.org/book/man-os-detection.html
• https://hackertarget.com/7-nmap-nse-scripts-recon/

Books

Security track
Thank you!
Jose Manuel Ortega
@jmortegac

Footprinting tools for security auditors

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Footprinting tools for security auditors (20)

More from Jose Manuel Ortega Candel (20)

Recently uploaded (20)

Footprinting tools for security auditors