November 11th, 2002, 04:05 AM
Footprinting your target
feel free to post this tutorial anywhere
footprinting is the first logical step in any attackers preperation before the actual hack, it entails researching the target dfor specific qualitys such as open ports, services, security feature, and basicly any other information you can get out of the machine.
footprinting must be performed properly to ensure a good attack.
for the sake of length and my fingers, i will try to cover mainly internet footprinting. through internet footprinting(FP) you should be able to get some of the following info from the target TCP, and UDP services, specific IP adresses, some of the access methods ACL's etc. user names, groups, identify intrusion detection systems (IDS), banners, routing tables, SNMP info, system architechture info(OS info) domain names, and more.
if this tutorial ends up helping ill go into intranets, extranets etc..
odviously if your target computer is just a freind that your trying to play with your attack methodology is going to differ from that of an attack on a corporate entity. for sake of info i will cover the larger picture and hope that people can improvise on the info i provide.
gathering info off the web-
a lot of the time the website of the target will give away valuable information that could be used against them. look for some of the following, phone numbers, mergers, names, email adresses, apossible affiliates/sister company locations, and ive even seen actual info on servers/firewalls that the sight may be running. trust me people are stupid and often divulge way too much information. the next thing you should do is take a look at the websites source code for hidden gems, or notes. common notes will look like this <--surver running--> a lot of large website use these notes to pass along valuable info to other webauthors that might work on the page. another good idea is to download the page and view it offline in more detail. the only program ive used for this is http://www.tenmax.com/teleport/home.htm teleport PRO it works great. now it doesnt end there another good thing to do is a quick look on google for more information on your target such as mergers, news reports, articles and any other info you can dredge up. another good thin google allows you to do is search for hosts or links(host:www.hackers.com, or link:www.hackers.com)with the option of adding AND, OR operators to expand your search this can be very helpful in your quest for root. usenet and newsgroups can also contain a wealth of knowledge some large companys even have there own specific newsgroups.
the odvious first steop is going to be getting the appropriate domain name servers(dns or www.name.com), and internet protocol adress's(IP) that correspond with your target machine. there are numerous tools that one can use from here to geet more info,
there are numerous databases out there that will give you a plethora of information on a target if you just ask such as http://www.arin.net, or you can use an automated program to access the servers for you this is what i get when i search for whois info on hackers.com(public info by the way)
[Query: hackers.com, Server: whois.nsiregistry.net]
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: HACKERS.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS2.VBSOLUTIONS.COM
Name Server: NS1.VBSOLUTIONS.COM
Updated Date: 05-nov-2001
>>> Last update of whois database: Sat, 26 Oct 2002 16:54:27 EDT <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
[End of Data]
[Query: hackers.com, Server: whois.networksolutions.com]
there are five major whois querys that will offer info,
Registrar Query: This will give info on domains matching the target.
Organizational Query: This will resolve all instances of the target's name. showing all of the corresponding domains.
Domain Query: this will depend on what you find in the organizational query. Using a domain query, you cancompany's address's, domain names, phone numbers,DNS servers.
Network Query: using the American Registry for Internet Numbers you can discover certain blocks owned by a company.
POC(point of contact) Query: this will find all the IP adresses a machine might have. or even search for specific domain handles(users)
im sure, with the inquisitive mind of a hacker, one could possibly get the phone number and do a little social enginneering with the affore mentioned info gathered, or even use a wardialer to get more possible phone numbers. the military and goverment have their own whois servers here http://whois.nic.mil and http://whois.nic.gov .
A major problem a lot of admins neglect to do is to dissalow internet users to perform DNS zone transfers, a tool like nslookup makes this fairly easy. for more info on nslookup go here http://www.google.com/search?hl=en&i...ookup+tutorial as there is too much to cover here. if you can figure out where the mail is handled, it is very likely the firewall will be located on the same network. anyway you should get most of that answered from google.
mapping the network(determining topology)
a good way to accomplish most of this would be to perform a traceroute(tracert)Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
Tracing route to NS2.VBSOLUTIONS.COM [220.127.116.11]
over a maximum of 30 hops:
1 22 ms 13 ms 16 ms 18.104.22.168
2 9 ms 12 ms 90 ms 22.214.171.124
3 15 ms 41 ms 25 ms 126.96.36.199
4 21 ms 23 ms 22 ms gar1-p310.sc1ca.ip.att.net [188.8.131.52]
5 25 ms 29 ms 101 ms gbr3-p81.sffca.ip.att.net [184.108.40.206]
6 92 ms 58 ms 26 ms ggr1-p361.sffca.ip.att.net [220.127.116.11]
7 51 ms 45 ms 48 ms att-gw.sf.genuity.net [18.104.22.168]
8 47 ms 43 ms 48 ms p5-1.paix-bi1.bbnplanet.net [22.214.171.124]
9 43 ms 96 ms 44 ms p6-1.snjpca1-br1.bbnplanet.net [126.96.36.199]
10 50 ms 44 ms 75 ms p1-1.snjpca1-cr3.bbnplanet.net [188.8.131.52]
11 71 ms 60 ms 76 ms h0.esmart.bbnplanet.net [184.108.40.206]
12 155 ms 64 ms 62 ms 220.127.116.11
13 64 ms 57 ms 58 ms 18.104.22.168
now you can ascertain a lot from the information above such as we know that 4-6 are all att owned and 8-10 are owned by bbnplanet also im guessing that 7 is the gateway att uses and the SF possibly means San Francicso, also note that the traceroute ended at 22.214.171.124 this could possibly be the computer that directly feeds their main system. anyway its odvious their is a wealth of info here. just look at your routes and try to visualise a common route by researching numerous hops along the route. tracert gets deeper too so fool around and get more info. a great program that gives the user a visual representation of the trace is called Visual Route which provides a ton of good info such as banners, visual maps, whois lookups etc... http://www.visualroute.com and neotrace from http://www.neotrace.com .
Ping Sweep: Ping a range of IP addresses to find out which machines are alive.
TCP Scans: Scansfor services. you can either limit yopur scan to one IP for multiple ports or mujltiple IPs for one port.
UDP Scans: Sends garbage UDP packets to a port.
OS Indentification: This involves sending illegal ICMP or TCP packets to a machine.
for more info on scanning download my tutorial on scanning from http://www.geocities.com/cafenekilla/newb.html
ok thats about it for this tutorial, the next tutorial ill wright will be on specific OS's enumeration techniques. i hope this tutorial will help a little.
if anyone wants more info on any specific part of this tutorial just say so and ill go into more detail, as i only breifly cover a lot of subject which could have had their own tutorials.
November 11th, 2002, 12:28 PM
A good start into footprinting. Certainly tonnes of other methodologies can be included. I will suggest this: do not overlook a tool like Sam Spade. It is very effective at doing the initial prep footprinting work and does it fast. Kinda scary when you think about it.
November 12th, 2002, 03:11 PM
sam spade is a good program, one of my favorites is netscan
anyway i got tired of writing this tutorial maybe ill make a footprinting2 to delve a little deeper, this subject could go on for a long time.