CS3695 – Network Vulnerability Assessment & Risk Mitigation – Supplemental Slides to Module #2 Footprinting and Reconnaissance Intelligence Gathering CEH Ver. 8 By Scott Coté
Use of Footprinting
Script kiddies, worms, viruses and the like usually do NOT footprint...
–They just constantly scan a pool of addresses with automated tools
A true cracker will take the time (and it is a lot of time) to footprint a network...
–The end result should be a thorough knowledge of the network: systems, IP addresses, services, etc.
Footprinting
What is footprinting?
–A systematic approach to building a complete profile of an organization's network and security posture
–Covers the Internet presence, intranet, remote access and extranet
Why is it necessary?
–To ensure that every piece of information about the network and its posture is known
Develop the Network
To develop a snapshot of the target's network:
–Identify the domain names and records associated with the target
–Domain names represent the target's presence on the Internet
–Many tools do this for you, but let's look at how they all work under the hood by doing it manually first!
Robots.txt
Web sites use it to give instructions about their site to web robots
–This is called the Robots Exclusion Protocol
It works like this:
–A robot wants to visit a Web site URL
–Before it does so, it first checks the site's /robots.txt
–"Disallow: x" tells the robot that it should not visit path x on the site
These files are publicly readable by everyone, so every "Disallow" line is a hint about what the site owner would rather you did not find!
Example
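A parser for the robots.txt format described above, as an added example (not code from the original slides). The robots.txt text embedded in it is constructed for illustration and www.example.com is a placeholder target; the only network call is in fetch_robots(), which the offline demo does not use.

```python
"""Parse a robots.txt file and list the paths it asks crawlers to avoid.

Added example, not from the original slides. The sample file below is
constructed for illustration; example.com is a placeholder target.
"""
import urllib.request
from urllib.parse import urljoin

# Constructed sample: what a target's /robots.txt might look like.
SAMPLE_ROBOTS = """\
# robots.txt for www.example.com (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/login.asp
Allow: /public/

User-agent: Googlebot
Disallow: /internal-reports/
Crawl-delay: 10
"""

def parse_robots(text):
    """Return {user_agent: [disallowed paths]} from robots.txt text.

    Rules are grouped under the most recent User-agent line(s); a group
    may name several agents before its first Disallow. Comments (#) and
    blank lines are ignored. Only Disallow is collected, because those
    are the paths the site owner would rather nobody looked at.
    """
    rules = {}
    agents = []
    expecting_agent = True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not expecting_agent:   # a new group starts here
                agents = []
            agents.append(value)
            expecting_agent = True
            rules.setdefault(value, [])
        elif field == "disallow":
            expecting_agent = False
            if value:                 # "Disallow:" with no path means allow everything
                for a in agents:
                    rules.setdefault(a, []).append(value)
        else:
            expecting_agent = False   # Allow, Crawl-delay, Sitemap, ...
    return rules

def disallowed_paths(text):
    """Flatten all Disallow entries, deduplicated, in file order."""
    seen = []
    for paths in parse_robots(text).values():
        for p in paths:
            if p not in seen:
                seen.append(p)
    return seen

def fetch_robots(base_url, timeout=10):
    """Fetch /robots.txt for a site (network; not used by the offline demo)."""
    url = urljoin(base_url, "/robots.txt")
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")

if __name__ == "__main__":
    # Turn each hidden path into a URL worth a look during the later phases.
    for path in disallowed_paths(SAMPLE_ROBOTS):
        print(urljoin("http://www.example.com", path))
```

The parser keeps per-agent groups because a site sometimes hides different paths from different crawlers; the flattened list is what you feed into a later scan.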
whois?
whois tool
–Searches domain registries for information on a specific domain
–Important tool with legitimate uses: notification of the sysadmin when there is a problem
–Easily used for bad purposes by crackers
Example
whois... Wild Cards!
Use of a wild card can also help
Note: wildcard syntax may differ by the type of search performed. RTFM.
whois... Digging Deeper!
whois can be used to get more and more info depending on how you use it...
–Use pieces from one whois search (contact names, name servers, addresses) to perform additional whois searches!
ARIN: American Registry for Internet Numbers
ARIN whois will give you the IP address ranges (netblocks) registered to a target, and who to contact about them...
Use one of the IP addresses (from the whois DNS server or an nslookup on
CEH, MCITP, CCNA, CCNP, VMware sPhere, LPI, Web Design
host -a geneseo.edu
Zone Transfers
Domain Name Servers (DNS)
–Map host names to IP addresses (and back)
Knowing the IP addresses is valuable information
–Creates a "blueprint" of a network
You may be able to do a Zone Transfer
–The mechanism (AXFR) that lets a secondary DNS server copy all the records of a zone from the primary
–If the primary answers anyone who asks, you get the whole zone in one request
Results from a Zone Xfer
Remember, a name can tell you a LOT!!!
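Building the "blueprint" from a zone transfer, as an added example (not code from the original slides). It parses the text that `dig axfr example.com @ns1.example.com` prints, groups names by address, follows CNAMEs, guesses each host's role from its name, and flags RFC 1918 addresses that should never have been in a public zone. The embedded zone is constructed (example.com, TEST-NET and 10/8 addresses) so the script runs offline; the role-hint table is an assumption you should extend.

```python
"""Turn the output of a DNS zone transfer into a network 'blueprint'.

Added example, not from the original slides. Run a real transfer with
    dig axfr example.com @ns1.example.com > zone.txt
and pass the file as argv[1]; the sample below is constructed so the
script runs offline.
"""
import ipaddress
import re
import sys
from collections import defaultdict

SAMPLE_AXFR = """\
; <<>> DiG 9.x <<>> axfr example.com @ns1.example.com   (constructed sample)
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2012061301 7200 900 1209600 3600
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN MX    10 mail.example.com.
ns1.example.com.        3600 IN A     192.0.2.2
www.example.com.        3600 IN A     192.0.2.10
mail.example.com.       3600 IN A     192.0.2.20
vpn.example.com.        3600 IN A     192.0.2.30
fw-core.example.com.    3600 IN A     192.0.2.1
dev-sql01.example.com.  3600 IN A     10.1.1.50
backup.example.com.     3600 IN CNAME dev-sql01.example.com.
webmail.example.com.    3600 IN CNAME mail.example.com.
"""

# Name fragments that tend to reveal a host's role (assumed list; extend it).
ROLE_HINTS = {
    "vpn": "remote access", "fw": "firewall", "gw": "gateway", "rtr": "router",
    "mail": "mail", "smtp": "mail", "sql": "database", "db": "database",
    "dev": "development", "test": "test", "backup": "backup", "ns": "DNS",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME|MX|NS)\s+(.+?)\s*$")

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_zone(text):
    """Return [(owner, rrtype, rdata)] for the record types that map hosts."""
    recs = []
    for line in text.splitlines():
        if line.startswith(";"):          # dig's own commentary
            continue
        m = RR_LINE.match(line)
        if m:
            owner, rrtype, rdata = m.groups()
            recs.append((owner.rstrip("."), rrtype, rdata.rstrip(".")))
    return recs

def roles_for(name):
    """Guess a host's role from tokens in its name, e.g. dev-sql01 -> development, database."""
    tokens = re.split(r"[-_.]", name.split(".")[0])
    found = set()
    for tok in tokens:
        tok = re.sub(r"\d+$", "", tok)    # sql01 -> sql
        if tok in ROLE_HINTS:
            found.add(ROLE_HINTS[tok])
    return sorted(found)

def blueprint(records):
    """Group hostnames by address, resolving in-zone CNAME chains.

    Returns {ip: {"names": [...], "roles": [...], "private": bool}}.
    """
    a_recs = {o: d for o, t, d in records if t == "A"}
    cnames = {o: d for o, t, d in records if t == "CNAME"}
    by_ip = defaultdict(lambda: {"names": [], "roles": set(), "private": False})
    for name, ip in a_recs.items():
        by_ip[ip]["names"].append(name)
    for alias, target in cnames.items():
        seen, hop = set(), target         # follow chains, stop on loops or external targets
        while hop in cnames and hop not in seen:
            seen.add(hop)
            hop = cnames[hop]
        if hop in a_recs:
            by_ip[a_recs[hop]]["names"].append(alias)
    for ip, info in by_ip.items():
        info["private"] = is_rfc1918(ip)
        for n in info["names"]:
            info["roles"].update(roles_for(n))
        info["roles"] = sorted(info["roles"])
    return dict(by_ip)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AXFR
    for ip, info in sorted(blueprint(parse_zone(text)).items()):
        flag = "  <- RFC 1918 address leaked from the internal zone" if info["private"] else ""
        print(f"{ip:15} {', '.join(info['names'])}  roles={info['roles']}{flag}")
```

The private-address check is deliberately an explicit RFC 1918 list rather than ipaddress's is_private, which also reports the TEST-NET ranges as private and would mislabel the sample.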
DNS Mitigation: Internal and External DNS
A smart company will split its DNS across two hosts
–External DNS: in the DMZ, contains just the externally accessible host names
–Internal DNS: on the internal LAN, contains records only for hosts reachable from the inside
–Never put them on the same host!
–And on both hosts, allow zone transfers only to the known secondaries
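The split above written out as BIND 9 named.conf fragments, one per host. This is an added example, not from the slides; the addresses, ACL names and zone file paths are placeholders, and the allow-transfer lines are the control that stops the AXFR from the previous slides.

```conf
// ---- external DNS host (in the DMZ): named.conf fragment ----
options {
    recursion no;                          // authoritative only; answers the whole Internet
    allow-transfer { none; };              // default for every zone: nobody gets an AXFR
};
zone "example.com" {
    type master;
    file "zones/external/example.com.zone";   // www, mail, vpn ... public names only
    allow-transfer { 192.0.2.53; };        // the DMZ secondary, nothing else
};

// ---- internal DNS host (on the LAN): named.conf fragment ----
acl lan { 10.0.0.0/8; 192.168.0.0/16; };
options {
    listen-on { 10.1.1.53; };
    allow-query { lan; };                  // never reachable from the Internet
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "zones/internal/example.com.zone";   // dev-sql01, fw-core, workstations ...
    allow-transfer { 10.1.1.54; };         // the internal secondary only
};
```

Check it the way an attacker would: `dig axfr example.com @ns1.example.com` from outside should end in "Transfer failed." and the internal host should not answer at all.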
Mail Verification
Use telnet to confirm mail addresses:
–SMTP may allow the VRFY and EXPN commands
–VRFY is used to verify an address
 Usually addresses are the same as user accounts
–EXPN is used to see the real address(es) behind an alias
 Good to know where it is actually going...
–Many mail servers now disable or obscure both (reply 252 or 502); then a RCPT TO probe is the fallback
Mail Verification
telnet mail.geneseo.edu 25
Trying
Connected to helios.geneseo.edu.
Escape character is '^]'.
220 helios.geneseo.edu ESMTP Sendmail {omitted}
vrfy bean
Samuel N Bean
expn bean
Samuel N Bean
vrfy root
Super-User
expn root
Mark T. Valites
Kirk M. Anne
Super-User
quit
helios.geneseo.edu closing connection
Connection closed by foreign host.
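The same VRFY/EXPN session driven from Python, as an added example (not code from the original slides). The host name and user list are placeholders, and the replies in SAMPLE_REPLIES are constructed in the shape smtplib returns them so the classifier can be exercised offline; the real lesson is in classify(), which refuses to call a mailbox "confirmed" when the server answers 252 or 502.

```python
"""Check which mailbox names a mail server admits to, via SMTP VRFY/EXPN.

Added example, not from the original slides; it automates the telnet
session shown above with smtplib. Host name and user list are
placeholders. Many servers now answer VRFY with 252 ("cannot verify,
will attempt delivery") or 502 ("command not implemented"); the
classifier treats those as "unknown", never as "exists".
"""
import smtplib

def classify(code, text):
    """Map an SMTP reply code to what it says about the mailbox.

    250      mailbox (or alias) confirmed; text usually holds the real name/address
    251      user not local, server will forward; still a real recipient
    252      server refuses to confirm or deny (VRFY disabled or obscured)
    500/502  command not supported at all
    550/551/553  mailbox does not exist here
    """
    if code in (250, 251):
        return "exists"
    if code in (550, 551, 553):
        return "absent"
    if code in (500, 502, 252):
        return "unknown"
    return "error"

def probe(host, names, port=25, timeout=15):
    """Run VRFY and EXPN for each name against host; return {name: result dict}. (network)"""
    results = {}
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        for name in names:
            vcode, vmsg = s.verify(name)     # smtplib returns (code, bytes)
            ecode, emsg = s.expn(name)
            results[name] = {
                "vrfy": classify(vcode, vmsg),
                "vrfy_reply": vmsg.decode(errors="replace"),
                "expn": classify(ecode, emsg),
                # EXPN on an alias returns one member per line, joined with "\n"
                "members": emsg.decode(errors="replace").split("\n") if ecode == 250 else [],
            }
    return results

# Constructed replies, in the (code, bytes) shape smtplib.verify()/expn() return.
SAMPLE_REPLIES = {
    "bean": (250, b"Samuel N Bean <bean@example.edu>"),
    "root": (250, b"Mark T. Valites <mvalites@example.edu>\nKirk M. Anne <kanne@example.edu>"),
    "nobody-here": (550, b"5.1.1 nobody-here... User unknown"),
    "hardened": (252, b"2.5.2 Cannot VRFY user; try RCPT to attempt delivery"),
}

def summarize(replies):
    """Apply classify() to a batch of (code, text) replies; used by the offline demo."""
    return {name: classify(code, text) for name, (code, text) in replies.items()}

if __name__ == "__main__":
    for name, verdict in summarize(SAMPLE_REPLIES).items():
        print(f"{name:12} {verdict}")
    # Live use (placeholder host):  probe("mail.example.edu", ["bean", "root", "postmaster"])
```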
Can you get an email from them?
From:
Subject: Re: Intros
Date: June 13, :49:53 AM PDT
To: {omitted},
Received: from virginia.nps.edu ([ ]) by virginia.nps.edu with Microsoft SMTPSVC( ); Wed, 13 Jun :49:
Received: from barracuda.nps.edu ([ ]) by virginia.nps.edu with Microsoft SMTPSVC( ); Wed, 13 Jun :49:
Received: from smtp103.sbc.mail.mud.yahoo.com (smtp103.sbc.mail.mud.yahoo.com [ ]) by barracuda.nps.edu (Spam Firewall) with SMTP id C87BB57468 for ; Wed, 13 Jun :49: (PDT)
Received: (qmail invoked from network); 13 Jun :49:
Received: from unknown (HELO ? ?) with login) by smtp103.sbc.mail.mud.yahoo.com with SMTP; 13 Jun :49:
–The HELO in the bottom (oldest) hop carries the sender's internal NAT address!
–The address beside it is the public host/router it was sent from, like a DSL IP address!
View the full (long) headers of the email for possible IP addresses!!
You may also want to send an email to a bogus account at your target, to see how the mail server at the target handles it (the bounce carries headers too)!
Viewing Mail Headers in (web)mail Clients
See this URL for how to view the header info in several different webmail services and clients:
– l=en&answer=22454
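Walking the Received: chain automatically, as an added example (not code from the original slides). The message embedded below is constructed (example.edu/example.net names, TEST-NET and RFC 1918 addresses) to mirror the shape of the headers above; paste the "full headers" text from the mail client into trace() for a real one. It returns the hops in delivery order, so the sender's own hop, and any NAT address leaked in its HELO, comes first.

```python
"""Pull hop hostnames and IP addresses out of an e-mail's Received: headers.

Added example, not from the original slides. SAMPLE_MESSAGE is
constructed; real input is the 'show original' / full-header text.
"""
import email
import ipaddress
import re
from email import policy

SAMPLE_MESSAGE = """\
Received: from mx1.example.edu ([203.0.113.5]) by mailstore.example.edu
\twith Microsoft SMTPSVC(6.0.3790.4675); Wed, 13 Jun 2012 10:49:53 -0700
Received: from smtp103.example.net (smtp103.example.net [198.51.100.103])
\tby mx1.example.edu (Spam Firewall) with SMTP id C87BB57468
\tfor <target@example.edu>; Wed, 13 Jun 2012 10:49:52 -0700 (PDT)
Received: from unknown (HELO ?192.168.1.23?) (sender@192.0.2.77 with login)
\tby smtp103.example.net with SMTP; 13 Jun 2012 17:49:51 -0000
From: sender@example.net
To: target@example.edu
Subject: Re: Intros
Date: Wed, 13 Jun 2012 10:49:50 -0700

Hi, just following up.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Four dotted octets not embedded in a longer dotted number (skips version strings).
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_hop(value):
    """Extract from-host, by-host and every IPv4 address from one Received: value."""
    text = " ".join(value.split())            # collapse folded whitespace
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    ips = []
    for cand in IPV4.findall(text):
        try:
            ipaddress.ip_address(cand)        # drops e.g. 999.1.1.1
        except ValueError:
            continue
        if cand not in ips:
            ips.append(cand)
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ips": ips,
        "private": [ip for ip in ips if is_rfc1918(ip)],
        "raw": text,
    }

def trace(message_text):
    """Return the hops in delivery order: the sender's own hop first.

    Each relay prepends its Received: line, so the stored order is
    newest-first; reversing it puts the origin (and any leaked NAT
    address) at index 0.
    """
    msg = email.message_from_string(message_text, policy=policy.default)
    headers = msg.get_all("Received") or []
    return [parse_hop(str(h)) for h in reversed(headers)]

if __name__ == "__main__":
    for i, hop in enumerate(trace(SAMPLE_MESSAGE)):
        nat = "  <- RFC 1918, i.e. inside the sender's NAT" if hop["private"] else ""
        print(f"hop {i}: from {hop['from']} by {hop['by']} ips={hop['ips']}{nat}")
```

Treat everything below the first hop your own mail server added as sender-controlled: a spammer can forge Received: lines, but the hop written by the server you trust is genuine.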
Google Hacking (Google dorks)
Anonymity!! (Google does the looking, not you)
Useful queries:
intitle:index.of
intitle:error
intitle:logon
inurl:"/admin/*"
Don't forget:
1. Extension walking: replace .htm with .bak or .old
2. Exclude pages or extensions: -www or -.htm
3. filetype: look for certain file types such as .pdf or .doc
4. Look for default installs: query for "Microsoft-IIS/5.0 server at" or apache
5. Limit to only current pages: append &as_qdr=d[# of days] to the search URL, e.g. &as_qdr=d50
www.exploit-db.com/google-dorks/
End Results
Some of the final products from good foot-printing are:
–Registered names
–Range of IP addresses associated with the target
–Some idea of what the network might look like (routers, host names, etc.)
–Idea of user accounts (taken from email addresses)
–Security posture
Foot-Printing is the 1st Step
Remember...
–Registered names lead to IP addresses
–IP addresses lead to ports (Step 2: Scanning)
–Ports lead to services (Step 3: Enumeration)
–Services lead to... applications, OS, protocols, more? Exploitable?