Basic Footprinting

This is my first tutorial so please forgive me for any mistakes that I ahave made and if you don't mind please point them out! So much information can be found out by footprinting an organization and most of the time it can be prevented. I am new to all of this but I usually learn by doing and looking so here goes. This tutorial (probably not the first) is to show the methods and tools used to footprint an organization. Footprinting can pretty much be summarized as learning as much as you can about the targets ip adresses, registrars, affiliates, websites, OSs used, user names, etc... Some of this may not seem very important where other parts are but it all is linked together :)

One thing that many people overlook when footprinting is to look at EVERYTHING you can use Google to search for keywords and links to and from the targets website. Information can sometimes be found by looking at the source code of the website. For example: I looked at my schools website and saw in the source code the comment that is left by Frontpage when creating a webpage (Anyone want to take a guess at the OS?). If you didn't know you can usually save the source from webpages with your browser.

Network enumeration is the next major step in footprinting the target. For Windows I find that Samspade is one of the easiest tools to use and is pretty straight forward when performing a whois search or dns look up. For *nix whois is usually already installed and is not very complicated to use. When using "whois" it usually follws syntax like this:
whois "targetname"@whois.crsnic.net
This will give you some very important info about the site such as the admins name and contact number (Social engineering!), the DNS server addys, and the registrant.

Depending on what type of site you are footprinting you may want to use a different database. Some sites with info and databases are:
ripe.net <---Euro ip addy's
whois.nic.mil <---United States military
whois.arin.net <---General one
These are just three examples there are many more out there just do a google search and you will be sure to find some more.

DNS Interogation comes next. Zone transers can be very devastating because if you do not have it configured correctly and it gives out more information than you wanted it to such as the internal network structure. (Something that people on the outside don't even need to have a clue about) Here is how it works:

Do a basic nslookup then type in the IP address that you found for the site earlier then press enter.
After that type "set type=any" press enter
then "ls -d targetname.com. >> /tmp/transfer" press enter

You can then use grep to search through the transfer file in the /tmp directory for specific things in these records such as operating system names or even test systems and the like.

Traceroute is also a very handy tool to use when you are footprinting an organization. It's simple to use also. For example:
traceroute targetname.com

When you get the results most of the time the packet will probably be blocked by firewalls or router but it helps you identify them!
If you change the port number with the -p switch it may help you go a little bit deeper into the network.

After this basic information is gathered you can start using port scanners to find out which ports on the machines are open and by chance what operating sytem they are running. Nmap is a great tool for this purpose.



Well I hope that has helped a bit . If you have any feedback please send it to [email protected]

Quote:

---

I looked at my schools website and saw in the source code the comment that is left by Frontpage when creating a webpage (Anyone want to take a guess at the OS?).

---

That only tells you what OS the page itself was created in, not the server's OS.

Quote:

---

After this basic information is gathered you can start using port scanners to find out which ports on the machines are open and by chance what operating sytem they are running.

---

Provided nmap finds at least one open and one closed port (which is almost always), OS detection almost always succeeds. So this isn't really a matter of chance. Also another nice tool to use is Netcraft which tells you what webserver software (if any) your target is running.

Otherwise, nice concise tutorial for beginners.

Cheers,
cgkanchi

Quote:

---

Do a basic nslookup then type in the IP address that you found for the site earlier then press enter.
After that type "set type=any" press enter
then "ls -d targetname.com. >> /tmp/transfer" press enter

---

I think this should read, type nslookup then press enter
Then type set type=any
Then type the IP address and press enter


A good tutorial all the same though, nice one!

Nokia:

Quote:

---

I think this should read, type nslookup then press enter
Then type set type=any
Then type the IP address and press enter

---

Actually you are both half right.... ;)

nslookup yahoo.com <ENTER>

will return the basic nameserver information for the target domain. However, nslookup has no other command switches in windows thus you can't issue a nice command like:-

nslookup -any yahoo.com

which would be very nice. To get "special" you need to drop to interactive mode and then you can issue the set type, server etc. commands.

Hobb:

Quote:

---

Information can sometimes be found by looking at the source code of the website.

---

It can also often be found in Google's cache..... This means that you can study the source code of everything Google indexes, (usually everything static), from the comfort of your own IP address.....

Quote:

---

Depending on what type of site you are footprinting you may want to use a different database.

---

To be absolutely correct it's not always an issue of "what" type of site. In the case of the US military you are correct but most of the rest of the whois databases are geographically oriented.

Quote:

---

then "ls -d targetname.com. >> /tmp/transfer" press enter

---

Thats all fine and dandy.... but a properly set up authoritative DNS server will respond with:-

*** Can't list domain target.com: BAD ERROR VALUE

On the bright side that's a hint..... The person setting up the DNS server knew what he was doing...... That's important... It means that others might know what they are doing too.... Which means you need to be more careful.... They may have an IDS that alerts on an attempted zone transfer..... Normal people don't zone transfer.....

Quote:

---

Traceroute is also a very handy tool to use when you are footprinting an organization

---

A simple tracert/traceroute doesn't tell you a whole lot except where the ICMP type 11, (TIME_EXCEEDED), are blocked on the return or the ICMP type 8, (ECHO_REQUEST), are blocked inbound. Of course, that may or may not indicate a firewall - but it could be the border router with appropriate ACL's or, in the case of some ISP's, (Sprint is one), they allow no contact with the border router.

Quote:

---

If you change the port number with the -p switch

---

That's traceroute which is standard on *nix boxes...... You're gonna frustrate the hell out of the windows users with that statement..... Firstly, windows can't find traceroute and secondly tracert -p will error you out..... ;)

After your traceroute/tracert you should probably run NMap against the third hop away from the first failure..... it should show a router, probably the ISP's router, then against the second hop... It should be the border router unless you are dealing with Sprint or similar, in which case it will be Sprint's own final router.... See where all this is going? You're tracert may have shown a "dead" hop which needs to be taken into account. But then the next hop may show, and others..... Determining the final trail into the target isn't quite as simple as a tracert.... There are issues that need to be understood and enumerated otherwise you might start scanning a router for open ports and get totally the wrong answer. You also need to remember that between the border router and the firewall there might be a "silent" IDS watching your activity.... At this point in the process you don't want to set off the "alarm bells" for the admin..... ;)

Good try at a first tutorial though.... You got the basics in there which is exactly what you said you would do. You took on a huge subject though, unless you are planning on writing an entire book for the tutorial it's a good idea to pick a very specific subject that can be covered without writing "War and Peace".....

Thanks for the feedback and the corrections! When writing a tutorial I have been seeing it is best to treat it almost exactly like a reasearch paper in school. Keep the topic narrow and cover it well instead of going broad and just skimmming the high points. The next time I attempt another tutorial I will be sure to remember that. Thanks!

Very well written, and glad to see you have taken a firm welcoming into the community :)

Quote:

---

Also another nice tool to use is Netcraft which tells you what webserver software (if any) your target is running

---

Won't even need that for the majority of online servers. Simply run a:

Quote:

---

telnet targetip 80

get blahblahblah //

---

Which will return an error because you are using an improper HTML request, similar to this:

taken from AO's webserver:

Quote:

---

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
Invalid URI in request get blahblahblah//<P>
<HR>
<ADDRESS>Apache/1.3.29 Server at www.antionline.com Port 80</ADDRESS>
</BODY></HTML>

---

Of course you can turn that off in apache configurations, but as I said, the majority does not. Regardless, that method -is- how netcraft finds out the server versions of the websites :)

/me runs and hides in a corner while the mighty Pooh takes the stage. In case the thing hasn't been turned off in the options, just typing http://target.com/arstjnhsfsdhfasqweowiusgnfjsdf.html *should* give you a 404 which contains version information. So, even telnet isn't really required :).

Cheers,
cgkanchi

Quote:

---

In case the thing hasn't been turned off in the options, just typing http://target.com/arstjnhsfsdhfasqweowiusgnfjsdf.html *should* give you a 404 which contains version information. So, even telnet isn't really required .

---

Good point, but if an attacker decides to use their web browser, it will send the identification of the browser and OS in the GET request field. Thus, not only is your IP in their log files but also what browser you used and the OS identification string. So from a grey-hat point of view, using a browser means giving out far too much extra information about the attacker.

Quote:

---

/me runs and hides in a corner while the mighty Pooh takes the stage

---

Hardly mighty. Just offering my humble opinion . I do hope I did not offend anyone here with my above post?

Quote:

---

Hardly mighty. Just offering my humble opinion . I do hope I did not offend anyone here with my above post?

---

Offend? WTF Pooh? I was just playing with you there.

EDIT:

Quote:

---

Good point, but if an attacker decides to use their web browser, it will send the identification of the browser and OS in the GET request field. Thus, not only is your IP in their log files but also what browser you used and the OS identification string. So from a grey-hat point of view, using a browser means giving out far too much extra information about the attacker.

---

Another good point from Pooh. However, if I were to ever try to h4x0r someone, I'd do it off a live Linux distro like Phlak or Knoppix-STD. That way, you don't reveal anything about your actual OS and browser. OK, I'll admit that this is just splitting hairs, but that's what I'd do.


Cheers,
cgkanchi

Quote:

---

I'd do it off a live Linux distro like Phlak or Knoppix-STD.

---

Telnet in linux reveals and retrieves the same information as Windows. Browser access sends off the same information in Linux as in Windows. Every single aspect of security inspect, prevention, and penetration testing can be done in both and with the same level of proffessionalism.

I can understand merely having it be a 'preference' to hack in windows, but let's not pit one OS other the other. You should know better than that ;)

Quote:

---

I can understand merely having it be a 'preference' to hack in windows, but let's not pit one OS other the other. You should know better than that

---

No, no! It's not that at all. The reason I said Knoppix-STD/Phlak was because you reveal nothing about the actual installed OS you're running on your computer. Heck, I'd probably do my h4x0ring in XP if there was a live version of XP available.

Cheers,
cgkanchi

Quote:

---

Heck, I'd probably do my h4x0ring in XP if there was a live version of XP available.

---

Here you go :)

http://www.nu2.nu/pebuilder/