
A
Seminar Report
ON
FOOTPRINTING

SUBMITTED BY
Amit Kumar Rathaur
Roll No.: 0728710005
B.Tech. 4th Year, VIIth Semester

Department of Computer Science & Engg.
NARAINA COLLEGE OF ENGINEERING & TECHNOLOGY,
KANPUR-208 020

2010-2011
Certificate

This is to certify that Amit Kumar Rathaur, student of B.Tech., Computer
Science & Engg., Semester 7th, has completed his Seminar titled FOOTPRINTING
satisfactorily in partial fulfilment of the requirements of Bachelors in
Information Technology in the year 2010-11.

It is also certified that this report, entitled FOOTPRINTING, is an original
work of Amit Kumar Rathaur. It is further certified that he has done his work
under our guidance & supervision, to the best of our knowledge.

Mr. Atul Mathur <H.O.D.>
Ms. Ankita Gaur <Faculty>
ACKNOWLEDGEMENT

I would like to take this opportunity to thank my institute for offering a
course like Seminar to us, so that we can show our skills and get an idea
about how to handle presentations, and can become familiar with the things
related to how to develop a project.

I would also like to thank our faculty Ms. Ankita Gaur for providing us the
guidelines whenever needed.

I would also like to thank our Head of the Department Mr. Atul Mathur for
keeping an eye on us.

AMIT KUMAR RATHAUR
(0728710005)
Module Objective
This module will familiarize you with the following:

~ Footprinting: An Introduction

~ Overview of the Reconnaissance Phase

~ Information Gathering Methodology of Hackers

~ Competitive Intelligence gathering

~ Tools that aid in Footprinting

~ Footprinting steps

Introduction
Footprinting is the process through which an attacker goes about surveying a
chosen target. Think of it as an organized military attack: you wouldn't blindly
walk into somewhere without having done some research into the target, and even
having a large amount of firepower won't help. Footprinting is an often-overlooked
area of Internet security, and stopping an attacker at this stage will most
likely put off all but the most determined attacker.

If you were going to take a long drive to an unknown destination you would
want to know how to get there and whether it would be easier to take the car,
train or plane; it's the same with an attack. In order to find out the best way
to get there, a port scan would allow us to see what ports are available, and
therefore what 'roads' we can use. Examples of good port scanners are Blues Port
Scanner and Nmap. Nmap provides detailed information and functions such as
service and version detection, timing and performance controls, firewall/IDS
evasion and spoofing to prevent admins from isolating your IP address. It runs
on Windows (as shown below), Unix systems, Mac OS X and AmigaOS; there is also
a GUI version available for Windows called nmapfe. Blues Port Scanner is a fast
and resource-friendly scanner that is capable of scanning over 300 ports a
second and offers TCP and UDP scanning; it only runs on Windows and is GUI-based.

Nmap is run from the command prompt and provides you with a list of options
and functions with which you can utilize its many features. The program can
be easily worked out from the on-screen instructions, and a few example
commands are included that show off a few functions. By finding out what
services and open ports a target has running, an attacker can use this
information to move on to the next stage of an attack.

Just running a port scan against the target won't be enough. If the target has
a website, then reading every bit of information on the site can prove useful;
for example, administrator names and telephone numbers are all potential
passwords, and this information can be easily accessed through a WHOIS lookup.
WHOIS is a TCP-based protocol which is used to query a database in order to
obtain information about a specific server. It was developed in order to help
system admins find IP information; traditionally it was done using the command
line, but now many web-based WHOIS tools exist and are a simple Google search
away. Making sure that you don't use such easily guessable passwords is
something that can't be repeated enough times: as system admins are constantly
increasing their levels of software defense, they are increasingly forgetting
that the weakest point in any network is the competence of the person who sets
it up; no amount of software or hardware defense can stop someone if the master
password is left as 'password'.
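The WHOIS exchange the paragraph describes, as an added example that is not part of the report: a stand-in registry on loopback answers a query in the RFC 3912 shape (client sends the object name plus CRLF, server writes the record and closes), and the parsed record is then checked for the contact fields that end up in public view. The record contents, the host name and the `demo()` helper are constructed for illustration.

```python
import socket
import threading

# Constructed WHOIS record returned by the local stand-in server; not real data.
RECORD = (
    "Domain Name: EXAMPLE-SEMINAR.TEST\r\n"
    "Registrant Name: A. Admin\r\n"
    "Admin Phone: +91.5120000000\r\n"
    "Admin Email: admin@example-seminar.test\r\n"
)

def serve_once(listener):
    """Registry side of one RFC 3912 exchange: read the query line, write the record, close."""
    conn, _ = listener.accept()
    with conn:  # closing the connection is what marks end-of-reply in WHOIS
        query = b""
        while chunk := conn.recv(1024):
            query += chunk
            if query.endswith(b"\r\n"):
                conn.sendall(RECORD.encode())
                break

def whois_query(host, port, name):
    """Client side: send the object name plus CRLF, read until the server closes."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(name.encode() + b"\r\n")
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
    return data.decode()

def parse_record(text):
    """Split 'Key: value' lines into a dict; a repeated key keeps its last value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def exposed_contact_fields(fields):
    return sorted(k for k in fields if k.lower().startswith(("registrant", "admin", "tech")))

def demo():
    # Stand-in registry on an ephemeral loopback port (real WHOIS uses TCP 43).
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=serve_once, args=(listener,), daemon=True).start()
    fields = parse_record(whois_query(*listener.getsockname(), "example-seminar.test"))
    listener.close()
    return fields
```

Running `exposed_contact_fields(demo())` lists exactly the registrant and admin entries, which is the set a domain owner would review for privacy-proxy or redaction.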

Another thing that can be done to obtain information about a target is a
traceroute. This is a simple program that traces the number of hops to a target;
it does this by sending a batch of packets and then increasing the TTL (time-to-
live) of each successive batch by one in order to count the hops. To run
traceroute in Windows, open the command prompt and type:
Code:
tracert [-d] [-h maximum_hops] [-j host_list] [-w timeout] target_name

and in Linux:
Code:
Usage: traceroute [-dFInrvx] [-g gateway] [-i iface] [-f first_ttl]
[-m max_ttl] [ -p port] [-q nqueries] [-s src_addr] [-t tos]
[-w waittime] [-z pausemsecs] host [packetlen]
$ traceroute hostname

All these bits of information that are collected can be valuable in a small or
large way, depending on the skill of the system admin and the luck of the
attacker.

The most useful part of this exercise will be the Nmap scan, which can be used
to find services which might be vulnerable to exploits. A program called
Metasploit is a collection of exploits and payloads that can be launched against
a poorly patched server; please be aware, though, that most of the exploits found
in Metasploit are dated and couldn't hack a paper bag.

I hope this article gave you an insight on what footprinting involves and a few
ways in which, through proper server administration, hack attempts can be
foiled.

Revisiting Reconnaissance

Reconnaissance refers to the preparatory phase where an attacker seeks to
gather as much information as possible about a target of evaluation prior to
launching an attack. It involves network scanning, either external or internal,
without authorization. In the dictionary sense, reconnaissance is a preliminary
survey to gain information, especially an exploratory military survey of enemy
territory; also (n.) an inspection or exploration of an area, especially one
made to gather military information. Reconnaissance is a term for efforts to
gain information about an enemy, usually conducted before, or in service to, a
larger operation. The French word entered the English language in 1810, at a
time when British and other armies were at war with Napoleon's French forces.
Reconnaissance is an important component of military and intelligence
activities, as well as civilian undertakings designed to protect the public
safety from hazards both natural and man-made.

In the military or espionage environment, reconnaissance can take the form of
activities by scouts or other specialists. The use of what would now be called
"human intelligence" in a reconnaissance capacity dates back to ancient times,
when, according to the Christian Old Testament, 12 spies went into the land of
Canaan to scout out the territory. Today, reconnaissance is the work of special
units practicing a specialized craft.

Reconnaissance aircraft range from the U-2 and SR-71 Blackbird to the E-2C
Hawkeye and P-3 Orion. Additionally, the skies are filled with reconnaissance
satellites operated by the U.S. military, the National Security Agency, and
military or intelligence services of other nations. Even some craft, most
notably submarines, can serve a reconnaissance function.

Origin of RECONNAISSANCE

French, literally "recognition", from Middle French reconoissance, from Old
French reconoistre, "to recognize". First known use: 1810.

Information Gathering Methodology

~ Unearth initial information

~ Locate the network range

~ Ascertain active machines

~ Discover open ports/access points

~ Detect operating systems

~ Uncover services on ports

~ Map the network

Unearthing Initial Information

Unearthing initial information commonly includes:
• Domain name lookups
• Locations
• Contacts
• Telephone
• E-mail

Information sources:
• Search engines and websites
• Open source

Domain and IP information:
• Information about registered domains
• SmartWhois tools

Hacking tool:
• Sam Spade (provides Whois and DNS dig functionality)

Footprinting Through Job Sites

You can gather company infrastructure details from job postings. Look for
infrastructure-related postings such as “looking for system administrator to
manage Solaris 10 network”; this means that the company has Solaris networks
on site.
• E.g., www.jobsdb.com

Passive Information Gathering

To understand the current security status of a particular Information System,
organizations perform either a penetration test or other hacking techniques.
Passive information gathering is done by finding out the details that are freely
available over the Internet and by various other techniques, without directly
coming in contact with the organization’s servers. Organizational and other
informative websites are the exception, as information gathering activities
carried out by an attacker against them do not raise suspicion.

Competitive Intelligence Gathering

“Business moves fast. Product cycles are measured in months, not years. Partners
become rivals quicker than you can say ‘breach of contract.’ So how can you
possibly hope to keep up with your competitors if you can't keep an eye on
them?” Competitive intelligence gathering is the process of gathering
information about your competitors from resources such as the Internet.
Competitive intelligence is non-interfering and subtle in nature, and it is
both a product and a process.

The various issues involved in competitive intelligence are:

~ Data gathering
~ Data analysis
~ Information verification
~ Information security
~ Cognitive hacking:
  • Single source
  • Multiple source

Why Do You Need Competitive Intelligence?

~ Compare your products with those of your competitors' offerings
~ Analyze your market positioning compared to the competitors
~ Pull up a list of competing companies in the market
~ Extract salespersons' war stories on how deals are won and lost in the
competitive arena
~ Produce a profile of the CEO and the entire management staff of the competitor
~ Predict their tactics and methods based on their previous track record

Companies Providing Competitive Intelligence Services

Carratu International
• http://www.carratu.com
CI Center
• http://www.cicentre.com
CORPORATE CRIME MANAGEMENT
• http://www.assesstherisk.com
Marven Consulting Group
• http://www.marwen.ca
SECURITY SCIENCES CORPORATION
• http://www.securitysciences.com
Lubrinco
• http://www.lubrinco.com

DNS Enumerator

DNS Enumerator is an automated sub-domain retrieval tool. It runs Google
searches and extracts the sub-domains from the results.

SpiderFoot

SpiderFoot is a free, open-source domain footprinting tool which will scrape
the websites on that domain, as well as search Google, Netcraft, Whois, and
DNS to build up information such as:
• Subdomains
• Affiliates
• Web server versions
• Users (i.e. /~user)
• Similar domains
• Email addresses
• Netblocks

Wikito Footprinting Tool

Web Data Extractor Tool

Use this tool to extract a targeted company’s contact data (email, phone, fax)
from the Internet. It also extracts URLs and meta tags (title, description,
keywords) for website promotion, search directory creation and web research.

Additional Footprinting Tools

• Whois
• Nslookup
• ARIN
• Neo Trace
• VisualRoute Trace
• SmartWhois
• eMailTrackerPro
• Website watcher
• Google Earth
• GEO Spider
• HTTrack Web Copier
• E-mail Spider

Whois Lookup

Online Whois tools:
• www.samspade.org
• www.geektools.com
• www.whois.net
• www.demon.net

Nslookup

Nslookup is a program to query Internet domain name servers. It displays
information that can be used to diagnose Domain Name System (DNS)
infrastructure. It helps find additional IP addresses if the authoritative DNS
server is known from Whois; the MX record reveals the IP of the mail server.
Both Unix and Windows come with an Nslookup client; third-party clients are
also available, for example Sam Spade.

Extract DNS Information

Using www.dnsstuff.com, you can extract DNS information such as:

• Mail server extensions
• IP addresses

Locate the Network Range

Commonly includes:
• Finding the range of IP addresses
• Discerning the subnet mask

Information sources:
• ARIN (American Registry for Internet Numbers)
• Traceroute

Hacking tools:
• NeoTrace
• Visual Route

ARIN:

ARIN allows searches on the Whois database to locate information on a network’s
autonomous system numbers (ASNs), network-related handles, and other related
points of contact (POC). ARIN Whois allows querying an IP address to help find
information on the strategy used for subnet addressing.

Traceroute:

Traceroute works by exploiting a feature of the Internet Protocol called TTL, or
Time To Live. Traceroute reveals the path IP packets travel between two systems
by sending out consecutive sets of UDP or ICMP packets with ever-increasing
TTLs. As each router processes an IP packet, it decrements the TTL. When the
TTL reaches zero, that router sends back a "TTL exceeded" message (using ICMP)
to the originator. Routers with reverse DNS entries may reveal the name of
routers, network affiliation, and geographic location.

Traceroute Analysis:

Traceroute is a program that can be used to determine the path from source to
destination. By using this information, an attacker determines the layout of a
network and the location of each device. For example, after running several
traceroutes, an attacker might obtain the following information:

• traceroute 1.10.10.20, second to last hop is 1.10.10.1
• traceroute 1.10.20.10, third to last hop is 1.10.10.1
• traceroute 1.10.20.10, second to last hop is 1.10.10.50
• traceroute 1.10.20.15, third to last hop is 1.10.10.1
• traceroute 1.10.20.15, second to last hop is 1.10.10.50

By putting this information together we can diagram the network.
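Putting those five observations together in code, as an added example that is not part of the report: the hop lists are constructed from the report's 1.10.x.x figures, the routers and hosts are told apart by whether a node ever forwards to another, and the /24 grouping is an assumption made for illustration. The same functions accept any number of traces, so a network owner can run them over their own traceroute output to see what layout an outsider can reconstruct.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed input: the hop sequence an analyst reads off each traceroute run,
# reproducing the report's 1.10.x.x observations (only the hops nearest each
# target are listed; earlier hops on the way in are omitted).
TRACES = {
    "1.10.10.20": ["1.10.10.1", "1.10.10.20"],
    "1.10.20.10": ["1.10.10.1", "1.10.10.50", "1.10.20.10"],
    "1.10.20.15": ["1.10.10.1", "1.10.10.50", "1.10.20.15"],
}

def build_topology(traces):
    """Merge every path into {hop: sorted next hops}; repeated edges collapse."""
    edges = defaultdict(set)
    for path in traces.values():
        for prev, nxt in zip(path, path[1:]):
            edges[prev].add(nxt)
    return {node: sorted(children) for node, children in edges.items()}

def classify(topology):
    """A node that forwards to others is a router; every other node is a host."""
    routers = set(topology)
    hosts = {c for children in topology.values() for c in children} - routers
    return sorted(routers), sorted(hosts)

def infer_segments(topology, prefix=24):
    """Group the hosts behind each last-hop router into subnets. The /24 mask
    is an assumption for illustration; the report says it must be discerned."""
    segments = defaultdict(set)
    for router, children in topology.items():
        for child in children:
            if child not in topology:  # an end host, not a further router
                segments[router].add(str(ip_network(f"{child}/{prefix}", strict=False)))
    return {r: sorted(n) for r, n in segments.items()}

def render(topology, root):
    """Indented text diagram of the network as seen from the trace origin."""
    lines = []
    def walk(node, depth):
        lines.append("  " * depth + node)
        for child in topology.get(node, []):
            walk(child, depth + 1)
    walk(root, 0)
    return "\n".join(lines)

if __name__ == "__main__":
    topo = build_topology(TRACES)
    print(render(topo, "1.10.10.1"))
    print(classify(topo), infer_segments(topo))
```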

NeoTrace:

NeoTrace shows the traceroute output visually – map view, node view, and IP
view.

VisualRoute Trace:

E-Mail Spiders

Have you ever wondered how spammers generate huge mailing databases? They pick
tons of e-mail addresses by searching the Internet. All they need is a web
spidering tool picking up e-mail addresses and storing them in a database. If
these tools are left running the entire night, they can capture hundreds of
thousands of e-mail addresses.

Tools:
• Web data Extractor
• 1st E-mail Address Spider

Steps to Perform Footprinting

• Find companies’ external and internal URLs
• Perform whois lookup for personal details
• Extract DNS information
• Mirror the entire website and look up names
• Extract archives of the website
• Google search for company’s news and press releases
• Use people search for personal information of employees
• Find the physical location of the web server using the tool “NeoTracer”
• Analyze company’s infrastructure details from job postings
• Track the email using “readnotify.com”

CONCLUSION

The information gathering phase can be categorized broadly into seven phases.
Footprinting renders a unique security profile of a target system. Whois and
ARIN can reveal public information about a domain that can be leveraged further.
Traceroute and mail tracking can be used to target a specific IP, and later for
IP spoofing. Nslookup can reveal specific users, and zone transfers can
compromise DNS security.