Seminar Report
on
FOOTPRINTING

Submitted by
Amit Kumar Rathaur
Roll No.: 0728710005
B.Tech. 4th Year, VIIth Semester
Department of Computer Science & Engg.
2010-2011
Certificate

This is to certify that Amit Kumar Rathaur, student of B.Tech. Computer Science & Engg., Semester 7th, has completed his seminar titled FOOTPRINTING satisfactorily in partial fulfilment of the requirements of the Bachelors in Information Technology in the year 2010-11.

<H.O.D.>                                        <Faculty>
ACKNOWLEDGMENT

I would like to take this opportunity to thank my institute for offering a course like Seminar to us, so that we can show our skills and get an idea about how to handle presentations, and become familiar with the things related to how to develop a project.
I would also like to thank our faculty Ms. Ankita Gaur for providing us the guidelines whenever needed.
I would also like to thank our Head of the Department Mr. Atul Mathur for keeping an eye on us.

AMIT KUMAR RATHAUR
(0728710005)
Module Objective

This module will familiarize you with the following:
~ Footprinting: An Introduction
~ Footprinting steps
Introduction

Footprinting is the process through which an attacker surveys a chosen target. Think of it as an organized military attack: you would not walk blindly into somewhere without having done some research into the target, and even a large amount of firepower would not help. Footprinting is an often overlooked area of Internet security, and stopping an attacker at this stage will most likely put off all but the most determined attacker.
If you were going to take a long drive to an unknown destination, you would want to know how to get there and whether it would be easier to take the car, train or plane. It is the same with an attack: in order to find the best way in, a port scan shows what ports are available, and therefore which 'roads' can be used. Examples of good port scanners are BluesPortScanner and Nmap. Nmap provides detailed information and functions such as service and version detection, timing and performance options, firewall/IDS evasion, and spoofing to prevent admins from isolating your IP address. It runs on Windows (as shown below), Unix systems, Mac OS X and AmigaOS; there is also a GUI version available for Windows called nmapfe. Blues Port Scanner is a fast and resource-friendly scanner capable of scanning over 300 ports a second and offers TCP and UDP scanning; it only runs on Windows and is a GUI.

Nmap is run from the command prompt and prints a list of options with which its many functions can be used. The program can be easily worked out from the on-screen instructions, and a few example commands are included that show off some of its functions. By finding out which services and ports a target has open and running, an attacker can use this information to move on to the next stage of an attack.
Just running a port scan against the target will not be enough. If the target has a website, reading every bit of information on the site can prove useful; for example, administrator names and telephone numbers are all potential passwords, and this information can be easily accessed through a WHOIS lookup. WHOIS is a TCP-based protocol used to query a database in order to obtain information about a specific server. It was developed to help system admins find IP information; traditionally it was done from the command line, but now many web-based WHOIS tools exist and are a simple Google search away. Making sure that you do not use such easily guessable passwords is something that cannot be repeated enough times: as system admins constantly increase their levels of software defense, they increasingly forget that the weakest point in any network is the competence of the person who sets it up; no amount of software or hardware defense can stop someone if the master password is left as 'password'.
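The defensive point above, that names and phone numbers visible in a public WHOIS record must never end up in a password, can be enforced at password-set time. The following Python is an added example, not code from the original report: the WHOIS text it parses is constructed sample data, and parse_whois, context_words and password_problems are hypothetical helper names.

```python
import re

# Constructed sample of the kind of public data a WHOIS lookup returns.
# Made-up registration record for this example only.
SAMPLE_WHOIS = """\
Domain Name: example-corp.test
Registrant Organization: Example Corp Pvt Ltd
Admin Name: Priya Sharma
Admin Phone: +91.2212345678
Admin Email: priya.sharma@example-corp.test
Name Server: ns1.example-corp.test
"""


def parse_whois(text):
    """Parse 'Key: value' lines of a WHOIS reply into a dict (last value wins)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def context_words(fields):
    """Derive the guessable tokens from the public record: name parts, organisation
    words, the e-mail local part, the domain label and the phone digits."""
    words = set()
    for key, value in fields.items():
        if key.startswith(("admin", "registrant", "domain")):
            for token in re.split(r"[^a-z0-9]+", value.lower()):
                if len(token) >= 4:
                    words.add(token)
    digits = re.sub(r"\D", "", fields.get("admin phone", ""))
    if len(digits) >= 6:
        words.add(digits)
        words.add(digits[-6:])   # trailing phone digits are a common password suffix
    return words


def password_problems(password, fields):
    """Return the sorted list of public tokens that appear inside the candidate
    password; an empty list means the password passes this check."""
    lowered = password.lower()
    return sorted(w for w in context_words(fields) if w in lowered)
```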
Other things that can be done to obtain information about a target include a traceroute. This is a simple program that traces the number of hops to a target; it does this by sending a batch of packets and then increasing the TTL (time-to-live) of each successive batch by one, so that the packet expires one router further along each time and that router answers, which is how the hops are traced. To run traceroute in Windows, open the command prompt and type:

Code:
tracert [-d] [-h maximum_hops] [-j host_list] [-w timeout] target_name

and in Linux:

Code:
Usage: traceroute [-dFInrvx] [-g gateway] [-i iface] [-f first_ttl]
                  [-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos]
                  [-w waittime] [-z pausemsecs] host [packetlen]
$ traceroute hostname
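To make the TTL mechanism just described concrete, the following Python simulates the tracert/traceroute algorithm over a made-up path; it is an added example, not code from the original report, and SAMPLE_PATH, probe and traceroute are constructed names. It also models a hop that filters ICMP, which real traceroute prints as '*', and the max_hops limit that corresponds to -h / -m above.

```python
# Constructed sample path: (router address, does it answer an expired TTL?).
# A router that never sends ICMP Time Exceeded shows up as '*' in traceroute.
SAMPLE_PATH = [
    ("192.0.2.1", True),       # our gateway
    ("198.51.100.7", True),    # ISP edge router
    ("203.0.113.9", False),    # filters ICMP, so this probe times out
    ("203.0.113.42", True),    # the target host
]


def probe(path, ttl):
    """Simulate one probe packet sent with the given TTL.

    Each router decrements the TTL before forwarding; when it reaches zero the
    router drops the packet and (if willing) replies with ICMP Time Exceeded.
    The destination host accepts the packet whatever TTL remains.
    Returns (address or None when nothing answered, reached_target)."""
    for index, (address, answers) in enumerate(path):
        if index == len(path) - 1:
            return address, True            # delivered, target replies
        ttl -= 1
        if ttl == 0:
            return (address if answers else None), False
    return None, False                      # path longer than the TTL allowed


def traceroute(path, max_hops=30):
    """Increase the TTL one step at a time until the target answers or the
    hop limit (tracert -h / traceroute -m) is hit. Returns the hop list."""
    hops = []
    for ttl in range(1, max_hops + 1):
        address, reached = probe(path, ttl)
        hops.append(address if address else "*")
        if reached:
            break
    return hops


if __name__ == "__main__":
    for number, hop in enumerate(traceroute(SAMPLE_PATH), start=1):
        print(f"{number:3d}  {hop}")
```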
All these bits of information that are collected can be valuable in a small or large way, depending on the skill of the system admin and the luck of the attacker.

The most useful part of this exercise will be the Nmap scan, which can be used to find services that might be vulnerable to exploits. A program called Metasploit is a collection of exploits and payloads that can be launched against a poorly patched server; please be aware, though, that most of the exploits found in Metasploit are dated and couldn't hack a paper bag.

I hope this article gave you an insight into what footprinting involves and a few ways in which, through proper server administration, hack attempts can be foiled.
Revisiting Reconnaissance

Reconnaissance aircraft range from the U-2 and SR-71 Blackbird to the E-2C Hawkeye and P-3 Orion. Additionally, the skies are filled with reconnaissance satellites operated by the U.S. military, the National Security Agency, and the military or intelligence services of other nations. Even some craft, most notably submarines, can serve a reconnaissance function.

Origin of Reconnaissance

Information Sources

Hacking Tools
Sam Spade: provides Whois and DNS Dig functionality.
Footprinting Through Job Sites

You can gather company infrastructure details from job postings. Look for postings such as "looking for system administrator to manage Solaris 10 network"; this means that the company has Solaris networks on site.
• E.g., www.jobsdb.com
Competitive Intelligence Gathering

"Business moves fast. Product cycles are measured in months, not years. Partners become rivals quicker than you can say 'breach of contract.' So how can you possibly hope to keep up with your competitors if you can't keep an eye on them?" Competitive intelligence gathering is the process of gathering information about your competitors from resources such as the Internet. Competitive intelligence is non-interfering and subtle in nature. It is both a product and a process:
• Data gathering
• Data analysis
• Information verification
• Information security

Cognitive hacking:
• Single source
• Multiple source
Why Do You Need Competitive Intelligence?
Carratu International
• http://www.carratu.com
CI Center
• http://www.cicentre.com
CORPORATE CRIME MANAGEMENT
• http://www.assesstherisk.com
Marven Consulting Group
• http://www.marwen.ca
SECURITY SCIENCES CORPORATION
• http://www.securitysciences.com
Lubrinco
• http://www.lubrinco.com
DNS Enumerator

DNS Enumerator is an automated sub-domain retrieval tool. It scans Google to extract the results.
SpiderFoot
SpiderFoot is a free, open-source, domain footprinting tool which will scrape
the websites on that domain, as well as search Google, Netcraft, Whois, and
DNS to build up information like:
• Subdomains
• Affiliates
• Web server versions
• Users (i.e. /~user)
• Similar domains
• Email addresses
• Netblocks
Wikito Footprinting Tool

Web Data Extractor Tool

Use this tool to extract a targeted company's contact data (email, phone, fax) from the Internet, and to extract URLs and meta tags (title, description, keywords) for website promotion, search directory creation and web research.
Additional Footprinting Tools
• Whois
• Nslookup
• ARIN
• Neo Trace
• VisualRoute Trace
• SmartWhois
• eMailTrackerPro
• Website watcher
• Google Earth
• GEO Spider
• HTTrack Web Copier
• E-mail Spider

Whois Lookup
• www.geektools.com
• www.whois.net
• www.demon.net

Nslookup
Nslookup is a program to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure, and it helps find additional IP addresses if the authoritative DNS server is known from whois; the MX record reveals the IP of the mail server. Both Unix and Windows come with an Nslookup client; third-party clients are also available, for example Sam Spade.

Information Sources:

Hacking Tool:
• NeoTrace
• Visual Route

ARIN:

Traceroute:

NeoTrace: NeoTrace shows the traceroute output visually, in map view, node view and IP view.

VisualRoute Trace:
E-Mail Spiders

Have you ever wondered how spammers generate huge mailing databases? They pick up tons of e-mail addresses by searching the Internet. All they need is a web spidering tool that picks up e-mail addresses and stores them in a database. If these tools are left running the entire night, they can capture hundreds of thousands of e-mail addresses.
Tools:
• Web Data Extractor
• 1st E-mail Address Spider
• Find companies' external and internal URLs
• Perform whois lookup for personal details
• Extract DNS information
• Mirror the entire website and look up names
• Extract archives of the website
• Google search for company's news and press releases
• Use people search for personal information of employees
• Find the physical location of the web server using the tool "NeoTracer"
• Analyze company's infrastructure details from job postings
• Track the email using "readnotify.com"
CONCLUSION

The information gathering phase can be categorized broadly into seven phases. Footprinting renders a unique security profile of a target system. Whois and ARIN can reveal public information about a domain that can be leveraged further. Traceroute and mail tracking can be used to target a specific IP, and later for IP spoofing. Nslookup can reveal specific users, and zone transfers can compromise DNS security.