
Lab 1: Introduction to Reconnaissance

Lab Requirements:
To earn credit towards your final grade, you must:

1. Sign the Student Agreement Regarding Acceptable Use of Knowledge and hand it in.
2. Complete the lab activities.
3. Submit your answers to the Review Questions in this lab within 7 days of this lab's assigned
date. For dates see the Critical Path on the course Blackboard site.
4. Sign the lab attendance sheet.

Setup
In this lab you need access to the Windows XP host operating system on your removable drive. You can
also do this lab on any operating system with internet access.

Background information
Penetrating a network can take several approaches. Computer networks are dynamic environments
with many events happening in real time. Similar to a wasp nest, a network can react rapidly to an
unauthorized attempt to enter it. The goal is to enter the nest without arousing the sting of the wasps.

The skilled hacker will devise a plan of attack which will make entry as unintrusive as possible, so
that the layers of defense on the network will not react. In planning an attack, the hacker will follow a
methodology similar to the one illustrated below:

In the labs for this course you will have the opportunity to learn tools and techniques for each of the
five steps. The labs will follow the sequence shown in the illustration, beginning with reconnaissance.
Use of a disciplined approach in penetrating and testing a network is essential. An unplanned, ad hoc
attack will likely be noticed by the administrators or users of a target network, and the
vulnerabilities may be eliminated.

Reconnaissance – Refers to the preparatory phase where the attacker seeks to gather as much
information as possible about a target of evaluation prior to launching the attack. In this phase the
attacker can use a combination of active and passive tools. Passive tools will use public sources of
information to harvest as much data as possible about the target. Newspapers, the internet and other
media can offer much information in a passive way. The hacker does not even need to approach the
target to obtain the data. Active reconnaissance does require making contact. Social engineering is a
very effective way to actively learn more about a target. Telephone calls, emails and even visits to the
target’s offices are active reconnaissance tools. Reconnaissance is also known as footprinting.

1 of 5
Prof: Jeremy Brooks
Ver.: 19/01/10

Exercise 1: Unearthing initial information.

Duration: 120 minutes

Objective
After completing this lab, you will be able to:

- Use ARIN WhoIs to gather information.
- Use SmartWhois to show available information about an IP address, host
name or domain, including country, state, province and network provider. Similar
to, but possibly more complete than, regular WhoIs.
- Use Nslookup to query internet domain servers. Query for MX records.
- Use Traceroute to reveal the names of routers, network affiliation and geographic
location.
- Use NeoTrace to show the traceroute output visually – map view, node view
and IP view.
- Use Email Tracker Pro to analyze email headers.
- Use MailTracking.com to discover when and where mail was read and to disclose other
SMTP information.

In this exercise, you will use the internet to select a target organization and then gather information
about it to build a profile.

Scenario

You wish to learn more about a firm that employs junior network administrators, preferably a mid to
large size firm. You start your job search by using Workopolis or JobShark to find employment
opportunities.

Step 1: Select a target firm by searching for network administrator job openings for
an IT job you may be interested in.

a. Open a job search engine such as workopolis.ca and search for key terms such as
MCSE, CCNA, and Java etc.
b. Select a firm and visit their web site.
c. Open MS Word and begin creating your lab report. You will be creating a profile of
the target firm by gathering the reports from the various footprinting tools into one
document. Most of the tools have edit functions that permit extracting their reports into
a word processor.
d. Include the URL of your target firm in your lab report. Look for a Contact Us or
similar link on the web site. Paste any contact information into your report.

Step 2: Use the American Registry for Internet Numbers (ARIN) to gather information.

a. Go to the ARIN web page and enter the name of the target firm into the search
window.
b. What are the names of the name servers for this organization?
c. Cut and paste the results into a .doc file and include it with your lab report.

Step 3: Use SmartWhois to show you additional information.

a. Install SmartWhois from the web.
b. Do a query for the target server and, if needed, its name servers.
c. How does this information compare to the ARIN report?
d. Cut and paste the SmartWhois data into your lab report.

Step 4: Use Nslookup to query internet domain servers. Query for MX records.
Nslookup.exe is a command-line administrative tool for testing and troubleshooting DNS
servers. One of its best uses is to extract entire DNS zone files from target DNS servers.
DNS zones contain internal network information such as the DNS names and IP
addresses of hosts and dedicated servers such as email, web and Active Directory. There
are many on-line tutorials for Nslookup; one is at
http://support.microsoft.com/default.aspx/kb/200525
a. Start Nslookup on the command line.
b. Using the data from previous steps, attempt to query the DNS servers of the target.
c. Using the appropriate commands, try to get a zone transfer from the target DNS
servers.
d. Paste the output from your Nslookup queries into the lab report.

Step 5: Use Traceroute to reveal the name of routers, network affiliation and
geographic location.
Traceroute is an older footprinting tool; it shows you the route over the network between
two hosts, listing all the intermediate routers a connection must go through to reach its
destination. For a tutorial on traceroute go to
http://www.exit109.com/~jeremy/news/providers/traceroute.html

a. Perform a traceroute on the IP address and/or domain name of the target firm.
b. Paste the output into your lab report.

Step 6: Use NeoTrace to show the traceroute output visually – map view, node view
and IP view.
NeoTrace is a GUI version of traceroute, with additional tools. One of the best features is
the map mode, which shows the geographical location of the target. It is also possible to
obtain the physical street address and the Cartesian coordinates of the target. Input these
coordinates into a GPS unit or Google Maps to get additional information. Another nice
feature of NeoTrace is the ability to run external applications from inside NeoTrace.
Access the external application by opening the InfoPane.
a. Download NeoTrace from the web and install it.
b. Paste the domain name or the IP address of the target. You may also want to query
the DNS servers of the target, too.
c. Open Map View.
   a. In what city is the target server located? _______________________
   b. Right click on the target; attempt an FTP connection to the target server.
   Result______________
   c. Attempt a Telnet session. Result_______________
e. Paste the output into your lab report.

Step 7: Use Email Tracker Pro to analyze email headers

Email headers contain plenty of information of use to the hacker, such as information
about the path an email took.
a. Download Email Tracker Pro from the web and install it.
b. Open the in-box for an e-mail account in your name. Open an e-mail and view the
header.
c. Paste the header into Email Tracker Pro and view the report.
d. Paste the output into your lab report.
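The path information that Email Tracker Pro reports in Step 7 comes from the "Received:" lines of the header. The following Python script is an added example, not part of the lab and not Email Tracker Pro's code: it parses the Received lines of a constructed sample message into the hop sequence, oldest first, and shows which hop your own mail server recorded itself (the only one it did not have to take on trust). All host names and addresses in the sample are made up.

```python
import email
import re

# Constructed sample message (not a real capture): a workstation hands mail to
# smtp.partner.example, which relays via mx.example.net to mailbox.example.org.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mailbox.example.org with ESMTP id ABC123;
\tMon, 18 Jan 2010 10:05:12 -0500
Received: from smtp.partner.example (smtp.partner.example [198.51.100.7])
\tby mx.example.net with ESMTP id XYZ789;
\tMon, 18 Jan 2010 10:05:10 -0500
Received: from workstation17 (unknown [192.0.2.44])
\tby smtp.partner.example with ESMTPA;
\tMon, 18 Jan 2010 10:05:08 -0500
"""

# One Received line: "from <helo> (<reverse-dns> [<ip>]) by <server> ...; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?by\s+(?P<by>\S+)",
    re.S,
)


def parse_received_chain(raw):
    """Return the hops oldest-first as dicts: helo, rdns, ip, by, date."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its own Received line, so the top one is the newest.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # unparsable line: skip rather than guess
        date = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({"helo": m.group("helo"), "rdns": m.group("rdns") or "",
                     "ip": m.group("ip") or "", "by": m.group("by"), "date": date})
    return hops


def connecting_ip(hops, own_server):
    """IP that actually connected to own_server: the one hop own_server wrote itself.
    Every earlier Received line was written by another host and could be forged."""
    for hop in hops:
        if hop["by"] == own_server:
            return hop["ip"]
    return None
```

Paste a real header in place of SAMPLE_RAW to trace your own inbound mail; hops before the one your server recorded are claims made by other hosts.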

Step 8: Use MailTracking.com to discover when and where mail was read and to disclose
other SMTP information
One footprinting method is to send an email to a valid address on the target network, then
track the status of the email. From this one can tell the IP of the host where the mail was
opened, the OS on the host, the IP of the mail server, etc. This technique is called
backtracking.
a. Visit MailTracking.com and open a free account.
b. Send an email to another student in this course using the Quicksend tool on
MailTracking.com.
c. Have the student open the email and reply.
d. Open your MailTracking Personal Tracking Page and review the report. The report
may take up to an hour to arrive.
e. Paste the output into your lab report.

Conclusion:
In this lab you were given a simple introduction to footprinting. The tools can be used in
creative ways to gather information about the target. You will have noticed that some
tools are able to obtain information that other tools can’t, for instance the IP address of
the name servers or the location of the web portals. It is necessary therefore to use a
collection of tools in order to assemble an accurate profile of the target network.

Preview
Footprinting is one of three pre-attack phases. In the next lab we will cover the remaining
two phases, scanning and enumeration.

Review Questions:

Provide your (short 3 or 4 sentence) opinion to the following questions. These are
subjective questions with no wrong or right answers.

1. In your own words, describe what you learned during this lab.
2. What is your opinion about the right to privacy of the target and the information
you gathered in this lab? Has the privacy of the target been violated?
3. How might the results of this reconnaissance help you if you were to be
interviewed for a job at the target firm? Would you disclose to the interviewer
how you got the information?
4. Reconnaissance tools have a dual nature; they can be used for good and evil.
Explain.
5. What countermeasures can a firm do to protect itself from being the target of
reconnaissance tools? Is it possible to defend against reconnaissance?

Gather the results of your reconnaissance tools and the review questions into one document.
Add a cover page and upload the lab report into the Lab drop box in Blackboard by the due date.

For due dates see the Critical Path on the course Blackboard site.
