Unit 2 Footprinting and Reconnaisance part 1.pdf

Full Transcript


Ethical Hacking COMP 30032 Unit 2: Footprinting

Disclaimer
The PowerPoint presentations of the module COMP 30032 Ethical Hacking are created merely to guide me during the delivery of this module in my class. The content included in the slides is only indicative, to remind me of the sequence which I will be following during the delivery. The content presented in the slides is free from any plagiarism and copyright violations, and wherever needed appropriate referencing/citations have been provided. In addition to the content in these PowerPoint presentations, I will also be verbally delivering other important content in the class, as well as writing on the board some information related to the topic being covered wherever necessary. The student is therefore advised to refer to the textbooks, reference books and any supplementary materials recommended in the Module Information Guide (MIG) or in the PowerPoint presentations for a complete understanding of the topic.

Objectives
Understanding footprinting concepts:
- Objectives of footprinting
- Active footprinting and passive footprinting
- Footprinting through search engines and advanced Google hacking techniques
- Footprinting through web services and social networking sites
- Website footprinting and email footprinting
- Understanding Whois, DNS and network footprinting
- Footprinting through social engineering
- Footprinting tools and countermeasures
- Port scanning
- Enumeration

Objectives of footprinting
- Identifying the risk level associated with the information that is publicly available about the target is an essential aspect of footprinting.
- After completing the footprinting, you will be able to obtain a blueprint of the target's security profile.
- There are different ways to conduct footprinting, since the information can be gathered from many different sources.
- Gathering this crucial information before attacking a target is an important activity.
- Footprinting needs to follow an organised method.
Footprinting types
- Passive footprinting
- Active footprinting

Passive footprinting
Passive footprinting is gathering information about the target without interacting with it directly. It is useful because the target organisation cannot detect the attempt. However, it is technically more difficult, since everything must be obtained from third-party sources without ever touching the target. Passive footprinting techniques include:
- Searching for information using search engines
- Identifying the top-level domains and sub-domains
- Collecting location information
- Performing people searches using social networking sites
- Collecting financial information about the target from financial services
- Gathering information on the infrastructure
- Gathering information from the deep and the dark web
- Determining the operating systems in use
- Performing competitive intelligence
- Monitoring the target through alert services
- Gathering information from forums, groups, NNTP Usenet, blogs, etc.
- Extracting information through social engineering
- Extracting information from internet archives
- Gathering information from business profile sites
- Monitoring the target's website traffic
- Tracking the target's online reputation

Active footprinting
Active footprinting collects information about the target system by interacting with it directly. Because the attacker sends traffic to the target network, the target can notice the ongoing information gathering, and it may trigger alerts. Active footprinting therefore needs more preparation than passive footprinting. It includes:
- Querying the published name servers
- Looking for electronic files
- Gathering wordlists and extracting website links
- Extracting the metadata of published documents
- Gathering website information through mirroring tools and web spidering
- Gathering information using email tracking
- Harvesting lists of email addresses
- Extracting DNS information
- Performing traceroute analysis
- Performing social engineering
The major objective of footprinting is to collect:
- Organisation information
- Network information
- System information
The aim is to identify the ways that help to intrude into the system.

Organisation information: addresses and phone numbers; employee details (names, designations, contact addresses, work experience); partners of the organisation; branch and location details; web links to other companies; web technologies; news articles and press releases; background of the organisation; legal documents; patents and trademarks.

Network information: domain names, network topology, trusted routers and firewalls, IP addresses.

System information: web server, operating system, available email addresses, location of web servers, usernames and passwords.

Footprinting helps in:
- Knowing the security posture: footprinting gives a complete profile of the target's security posture. Hackers analyse this profile in order to identify vulnerabilities.
- Reducing the focus area: by combining techniques and tools, hackers can reduce the scope to a specific range of domain names, individual IP addresses and network blocks.
- Identifying vulnerabilities: detailed footprinting provides the maximum information on the victim. This allows the attacker to identify vulnerabilities in the target system and select the appropriate exploits. Hackers can also build a database of the target organisation's security weaknesses.
- Drawing the network map: this allows the attacker to create a graphical representation of the target organisation's network infrastructure, summarising it in order to understand the actual environment to break into.
Examples of important information to collect (the categories used by the Google Hacking Database)
- Error messages
- Files containing juicy info
- Files containing passwords
- Sensitive online shopping info
- Network or vulnerability data
- Pages containing login portals
- Various online devices

Footprinting through search engines
- Search engines help to extract critical information on a target from the World Wide Web.
- Search engine results pages (SERPs) include different types of content; the display order is according to relevance.
- The information to extract includes employee details, technology platforms, contact information, login pages, intranet portals, and so on.
- The collected information helps the hacker in conducting social engineering and other advanced system attacks.
- Searching with Google can reveal posts by security personnel in forums, and the firewall or antivirus brands used by the target. From these the hacker may identify weaknesses in the security controls.
- Examples of search engines: Google, Yahoo, Bing, Ask, Baidu, AOL, WolframAlpha and DuckDuckGo.
- Attackers can use the advanced search operators of these search engines to create complex queries that find, filter and sort specific information regarding the target. Search engines are also used to find other sources of publicly accessible information. For example, searching for "top job portals" finds the major job portals, which provide critical information about the target organisation (job adverts typically list the technologies in use).

Footprinting using advanced Google hacking techniques
- Google hacking means using advanced Google search operators to create complex search queries that collect critical information.
- The results can help in finding vulnerabilities on the target system.
- Valuable data about a target company can be retrieved from these results.
- Using Google hacking, attackers can find websites that are vulnerable to exploitation.
- Attackers identify sensitive data using the Google Hacking Database (GHDB), a collection of ready-made queries.
- Specific strings of text, such as the version banner of a vulnerable web application, can be located using advanced Google operators.
- When a normal query is executed, Google searches for the keywords in any part of the web page, including the text, title, digital files, URL, and so on. The advanced operators confine the search to one of these parts.

Syntax: operator:search_term
Note: do not enter any space between the operator and the search term. Source: http://www.googleguide.com

Examples of operators
- site: restricts the results to the specified site or domain. For example, the [tutorial site:www.certifiedhacker.com] query finds pages about tutorials on the certifiedhacker site.
- allinurl: restricts the results to pages whose URL contains all the query terms. For example, the [allinurl:google career] query returns only pages containing the words "google" and "career" in the URL.
- inurl: restricts the results to pages whose URL contains the specified word. For example, the [inurl:copy site:www.google.com] query returns only Google pages in which the URL has the word "copy".
- allintitle: restricts the results to pages whose title contains all the query terms. For example, the [allintitle:detect malware] query returns only pages containing the words "detect" and "malware" in the title.
- intitle: restricts the results to pages whose title contains the specified term. For example, the [malware detection intitle:help] query returns only pages that have the term "help" in the title and the terms "malware" and "detection" anywhere within the page.
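To make the operator semantics concrete, here is an added example that is not part of the slides or of Google's software: a small Python filter that applies the five operators above to a constructed index of hypothetical pages (example.com and example.net are reserved names; none of the URLs, titles or bodies are real). It reproduces the scoping rules described above: site: matches a host or its subdomains, inurl: and intitle: test one term against one field, the all... forms take every remaining word, and a bare keyword may appear anywhere on the page.

```python
"""Added example (not from the slides): how Google's advanced search
operators narrow a result set, run offline against a constructed index."""
from dataclasses import dataclass
from urllib.parse import urlparse

OPERATORS = ("site", "inurl", "allinurl", "intitle", "allintitle")


@dataclass(frozen=True)
class Page:
    url: str
    title: str
    body: str


# Constructed sample index. All pages are hypothetical; example.com/.net
# are reserved documentation names.
INDEX = [
    Page("https://www.example.com/help/malware-detection",
         "Help: malware detection", "How our scanner detects malware."),
    Page("https://www.example.com/careers/google-like-culture",
         "Careers", "Join us."),
    Page("https://intranet.example.com/login",
         "Intranet login", "Enter your username and password."),
    Page("https://www.example.com/tutorial/copy",
         "Copy tutorial", "Copying files between servers."),
    Page("https://other.example.net/help",
         "Help center", "Detect malware with our tools."),
]


def parse_query(query):
    """Split a query into (operator, term) pairs.

    A token is an operator only if it has the form operator:term with no
    space, which is the rule given on the slide. Plain words get operator
    None. allinurl:/allintitle: swallow every remaining word, as Google does.
    """
    tokens = query.split()
    terms = []
    for i, tok in enumerate(tokens):
        op, sep, arg = tok.partition(":")
        if sep and op in OPERATORS:
            if op.startswith("all"):
                rest = ([arg] if arg else []) + tokens[i + 1:]
                terms.append((op, " ".join(rest)))
                break
            terms.append((op, arg))
        else:
            terms.append((None, tok))
    return terms


def matches(page, terms):
    """True if the page satisfies every (operator, term) pair."""
    host = (urlparse(page.url).hostname or "").lower()
    url, title = page.url.lower(), page.title.lower()
    anywhere = " ".join((page.url, page.title, page.body)).lower()
    for op, term in terms:
        t = term.lower()
        if op == "site":
            ok = host == t or host.endswith("." + t)
        elif op == "inurl":
            ok = t in url
        elif op == "allinurl":
            ok = all(w in url for w in t.split())
        elif op == "intitle":
            ok = t in title
        elif op == "allintitle":
            ok = all(w in title for w in t.split())
        else:
            ok = t in anywhere
        if not ok:
            return False
    return True


def search(query, index=INDEX):
    """Return the URLs from the index that match the query."""
    terms = parse_query(query)
    return [p.url for p in index if matches(p, terms)]


if __name__ == "__main__":
    for q in ("tutorial site:www.example.com",
              "allinurl:google career",
              "inurl:copy site:www.example.com",
              "allintitle:detect malware",
              "malware detection intitle:help"):
        print(f"[{q}] -> {search(q)}")
```

The example deliberately treats `site:example.com` as covering `www.` and `intranet.` subdomains, which is why a single site: query is enough to surface an intranet login page that the organisation never linked from its public site.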
Footprinting through social engineering (Messier, 2021)

Understanding DNS footprinting (Messier, 2021)

Extracting DNS information
- Tools for DNS interrogation: Professional Toolset (https://tools.dnsstuff.com) and DNS Records (https://network-tools.com), which let the user complete the DNS footprinting.
- DNSstuff (Professional Toolset) is used for extracting DNS information about IP addresses, DNS lookups, mail server extensions, Whois lookups, and so on.
- A range of IP addresses can be extracted through IP routing lookup.
- If the target's name servers allow zone transfers from unknown clients, an unauthorised user can transfer the DNS zone data, which hands the attacker the complete record set of the domain with a single DNS interrogation tool.

Network footprinting (Messier, 2021)
- Gathering network information is the next step after retrieving the DNS information.
- It aims to locate the network range.
- The regional Internet registry databases provide detailed information regarding the IP allocation and the allocation method.
- The attacker can find the subnet mask of the domain and trace the route between their own system and the target system. Many tools perform traceroute, such as Path Analyzer Pro and VisualRoute.
- The range of private IP addresses is useful information to the attacker. "The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets: 10.0.0.0–10.255.255.255 (10/8 prefix), 172.16.0.0–172.31.255.255 (172.16/12 prefix), and 192.168.0.0–192.168.255.255 (192.168/16 prefix)." (RFC 1918)
- The network range information can reveal how the network is structured and which machines are alive, as well as the network topology, the operating systems used, the access control devices, etc.
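As an added example (not from the slides), the Python snippet below turns the network-range facts above into code using only the standard library: it expands a registry-style netblock into mask, broadcast and usable-host count, infers the smallest block enclosing a handful of discovered addresses (the subnet mask an attacker would guess), and classifies addresses against the three RFC 1918 blocks quoted above. All addresses are constructed; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges. It also shows a caveat worth knowing: the `is_private` flag of Python's `ipaddress` module covers several IANA special-use ranges, not just the three RFC 1918 blocks, so a test for "private internets" should use the explicit blocks.

```python
"""Added example (not from the slides): network-range arithmetic for
footprinting, using only the standard library."""
import ipaddress

# The three RFC 1918 blocks quoted on the slide.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True only for the three 'private internets' blocks of RFC 1918."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(addr):
    """Label an address the way a footprinting report would."""
    ip = ipaddress.ip_address(addr)
    if is_rfc1918(addr):
        return "rfc1918-private"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        # ipaddress counts other IANA special-use ranges (e.g. the
        # 192.0.2.0/24 documentation block) as 'private' too; they are
        # not RFC 1918 and will never be a target's internal range.
        return "special-use"
    if ip.is_global:
        return "public"
    return "other"


def describe_netblock(cidr):
    """Expand a netblock as published by a regional registry (e.g. ARIN)
    into the facts an attacker wants before scanning it."""
    net = ipaddress.ip_network(cidr, strict=False)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
        "rfc1918": any(net.subnet_of(p) for p in RFC1918),
    }


def enclosing_network(addrs):
    """Smallest CIDR block containing every address, i.e. the subnet mask an
    attacker would infer from a few discovered hosts."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(f"{min(ips)}/32")
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    print(describe_netblock("203.0.113.0/24"))
    print(enclosing_network(["203.0.113.10", "203.0.113.20"]))
    for a in ("10.1.2.3", "172.31.255.254", "172.32.0.1",
              "192.0.2.1", "203.0.113.9"):
        print(a, classify(a), is_rfc1918(a))
```

Note the boundary case: 172.31.255.254 is RFC 1918 but 172.32.0.1 is public, because the 172.16/12 block ends at 172.31.255.255; a scanner that treats all of 172.x as internal will misfile real Internet hosts.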
The ARIN Whois database search tool can find the network range of the target network (Messier, 2021).

Footprinting through social engineering
- "Non-technical process in which an attacker misleads a person into providing confidential information inadvertently." (Messier, 2021)
- It starts by gaining the confidence of an authorised user and then misleading him or her into revealing confidential information.
- The aim of social engineering is to obtain the needed confidential information and use it afterwards for malicious purposes such as identity theft, gaining unauthorised access to a system, network intrusion, industrial espionage, fraud, etc.
- The information obtained through social engineering may include: social security numbers, credit card details, usernames and passwords, other personal information, network layout information, OS and software versions, IP addresses, security products in use, names of servers, and so on.

Competitive intelligence (Messier, 2021)

Web site footprinting (Messier, 2021)

Harvesting email lists
- The email addresses of the target company's employees are an important attack vector in the later phases of hacking (for example, as targets for social engineering).
- Attackers can use the theHarvester tool and Email Spider to collect the employees' email addresses.
- theHarvester example: theHarvester -d google.com -l 200 -b baidu
  Here -d is the target domain, -l limits the results to 200, and -b selects the data source (here the Baidu search engine).

Deep and dark web footprinting
- The deep web is the layer of online cyberspace consisting of web pages and content that are hidden and unindexed; such content cannot be located through traditional search engines.
- The size of the deep web is incalculable.
- The deep web does not allow the crawling process of basic search engines. It includes, for example, official government or federal databases.
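What theHarvester does for one page, reduced to an added Python example that is not part of the slides or of theHarvester itself: extract addresses from a constructed page, undo the common "[at]" and "(dot)" obfuscations, keep only addresses belonging to the target domain and its subdomains, and tally the local-part formats, which is how an attacker guesses the naming convention for staff addresses not yet seen. The page text and every address in it are constructed (example.com is reserved); the false positive `image@2x.png` is deliberate, to show why filtering by domain matters.

```python
"""Added example (not from the slides): harvesting a target's email
addresses from page text, offline, with the cleanup steps a real
harvester performs."""
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Common anti-scraper spellings: "user [at] host (dot) com".
OBFUSCATIONS = (
    (re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.I), "@"),
    (re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.I), "."),
)

# Constructed sample page (not a real site; all addresses are fictitious).
SAMPLE_PAGE = """
Contact: Jane Doe <jane.doe@example.com>, press office press@Example.com.
Ops on call: ops [at] mail.example.com, finance (at) example (dot) com
Vendor contact: bob@partner.example.net
<img src="image@2x.png">
"""


def deobfuscate(text):
    """Rewrite [at]/(at) and [dot]/(dot) back into @ and . ."""
    for pattern, replacement in OBFUSCATIONS:
        text = pattern.sub(replacement, text)
    return text


def in_scope(addr, domain):
    """Keep addresses at the target domain or any of its subdomains."""
    host = addr.rsplit("@", 1)[1]
    return host == domain or host.endswith("." + domain)


def harvest(text, domain):
    """Return the unique, normalised, in-scope addresses found in text."""
    found = set()
    for match in EMAIL_RE.finditer(deobfuscate(text)):
        addr = match.group(0).lower().rstrip(".")
        if in_scope(addr, domain):
            found.add(addr)
    return sorted(found)


def local_part_formats(addrs):
    """Tally naming conventions so unseen addresses can be guessed
    (e.g. first.last for the rest of the staff list)."""
    counts = Counter()
    for addr in addrs:
        local = addr.split("@", 1)[0]
        counts["first.last" if "." in local else "single-word"] += 1
    return counts


if __name__ == "__main__":
    emails = harvest(SAMPLE_PAGE, "example.com")
    print("\n".join(emails))
    print(local_part_formats(emails))
```

Running it on the constructed page yields four in-scope addresses; the vendor address on example.net and the image filename are dropped by the domain filter, not by the regex, which is the usual division of labour in harvesting tools.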
- It can be accessed using tools such as the Tor Browser or directories such as the WWW Virtual Library.

Dark web
- The dark web (or darknet) is a deeper layer of online cyberspace. It is a subset of the deep web that lets anyone browse without being traced.
- It can be accessed through specialised tools or darknet browsers, for example the Tor Browser, the OnionLand search engine, and ExoneraTor (a Tor Project service that reports whether an IP address was a Tor relay at a given time).
- Attackers use these tools to gather confidential information traded there, such as credit card details, passport information, medical records, social media accounts, social security numbers, etc.

Tor Browser
- The Tor Browser is used to access the deep and dark web.
- It routes the user's traffic through a chain of volunteer relays (onion routing), so the destination does not see the user's IP address. It is not a VPN, although from the user's point of view the anonymity effect is similar.
- Attackers use this browser to access hidden content, unindexed websites and encrypted databases.

Scanning networks
- Scanning aims to identify an entry point to the target system by determining which systems are active and which are not.
- Information learned in this phase includes: operating systems, list of services, configuration lapses.
- It helps to select the strategies for attacking the target system or network.

Network scanning concepts (Messier, 2021)

Types of scanning
- Port scanning: list of open ports and services.
- Network scanning: list of active hosts and IP addresses.
- Vulnerability scanning: identifies the presence of known weaknesses.

Objectives of network scanning
- Discover the network's live hosts, their IP addresses and the open ports of the live hosts.
- Discover the OS and system architecture of the target.
- Discover the services running/listening on the target system.
- Identify specific applications or versions of a particular service.
- Identify vulnerabilities in any of the network systems.

[Figure slides: scanning techniques (Messier, 2021)]

TCP SYN ping scan
- A TCP SYN ping sends a SYN to a port and treats either a SYN/ACK or a RST reply as proof that the host is active, without ever completing a TCP connection.
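The scan below is an added example; it is not from the slides or from any scanner the slides mention. It runs a TCP connect scan against a throwaway listener on 127.0.0.1 (constructed here, so it works offline and needs no privileges; a SYN ping or SYN scan would need raw sockets). The listener records every completed handshake, which is exactly the trace a real service's access log keeps of a connect scan and the trace a half-open SYN probe avoids at the application layer. Ports are chosen at run time: one is opened by the listener, the other is a port the OS has just released and so is closed.

```python
"""Added example (not from the slides): a TCP connect scan against a local
test listener, showing which probes the scanned service itself can log."""
import socket
import threading
import time


def start_listener(log):
    """Open a throwaway service on 127.0.0.1 and record every peer that
    completes a TCP handshake. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            log.append(peer)                # the service's 'access log' entry
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def free_port():
    """Reserve and immediately release a port so it is almost certainly closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Full-connect scan: completes the handshake, so it needs no privileges
    but every open port sees a real connection. SYN/ACK -> open,
    RST -> closed, no reply -> filtered (dropped by a firewall)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:                      # includes socket.timeout
            results[port] = "filtered"
        finally:
            s.close()
    return results


def demo():
    """Scan one open and one closed local port; return the results and how
    many connections the service logged."""
    log = []
    open_port, stop = start_listener(log)
    closed_port = free_port()
    results = connect_scan("127.0.0.1", [open_port, closed_port])
    for _ in range(50):                      # give the listener thread time to log
        if log:
            break
        time.sleep(0.02)
    stop.set()
    return results, open_port, closed_port, len(log)


if __name__ == "__main__":
    results, open_port, closed_port, logged = demo()
    print(f"open port {open_port}: {results[open_port]}")
    print(f"closed port {closed_port}: {results[closed_port]}")
    print(f"connections the service logged: {logged}")
```

The single logged connection is the point of the example: a connect scan is cheap and unprivileged but leaves an application-level record on every open port, whereas a SYN probe never reaches the accept() call and is visible only to whatever inspects packets (firewall logs, IDS).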
- Because no TCP connection is completed, the probed service never sees a connection and its application logs record nothing. The SYN packets themselves can still be logged by a firewall or detected by an IDS, so the probe is quieter than a full connect, not trace-free.

[Figure slides: scanning techniques, continued (Messier, 2021)]

Enumeration
- In this phase, the attacker enumerates the usernames and other information about the groups, the services of networked computers and the network shares.
- The identified information helps attackers to identify vulnerabilities in the target network.

[Figure slides: enumeration techniques (Messier, 2021)]

References
Messier, R. (2021). CEH v11: Certified Ethical Hacker Version 11 Practice Tests. Sybex.
Weidman, G. (2014). Penetration Testing: A Hands-On Introduction to Hacking. No Starch Press.
Engebretson, P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (2nd ed.). Syngress.
EC-Council (2020). Ethical Hacking and Countermeasures v11 (CEH Exam 312-50). Professional Series.
