Chapter 2 Gathering Target Information: Reconnaissance, Footprinting, and Social Engineering
Reconnaissance
- Process of information gathering; the pre-attack phase
- Don't decide what is important yet; just gather as much information as possible
- Information about people can help with social engineering
- Locate network addresses; ascertain active machines; discover open ports and access points; detect OSs; uncover services on ports; map the network
- E.g.: if open port = 80 and OS = Linux, then App = ____
Reconnaissance Tools/Methods
- SpyFu and KeywordSpy
- EDGAR database
- www.Netcraft.com web site
- whois
- DNS
- network scanning
- email tracking, dumpster diving
- read the career section of a company's website
Information-Gathering Methodology: Footprinting (Mapping a Network)
Tools:
- DNS Lookup
- Whois
- NSLookup
- Sam Spade
- NeoTrace: automated network mapping
- Netcraft web site: passive footprinting
- Nikto: Windows tool with GUI, can be used for footprinting web servers
- Wayback Machine & archive.org: old versions of websites
- EDGAR database
Information-Gathering Methodology: Tools (cont.)
Google operators (www.googleguide.com/advanced-operators.html):
- site: one of the most important operators; restricts a search to pages hosted on a specific server or in a specific domain
- filetype: search for a specified file type
- link: search for pages that link to other pages
- cache: identifies the version of a web page held by Google
- intitle: search for specified text in the title of web pages
- inurl: search for specified text in the URL of web pages
- info: summary information for a site, with links to other Google searches that might pertain to that site
- inanchor: searches the text representation of a link, not the actual URL
Information-Gathering Methodology: DNS Enumeration (finding DNS servers and their records)
- NSLookup
- DNS resolution issues
- DNSstuff
- Whois
- SuperScan, Sam Spade, WsPingPro
Regional Internet Registries (RIRs):
- ARIN: North America
- APNIC: Asia Pacific region
- LACNIC: South/Central America/Caribbean
- RIPE NCC: Europe, Middle East, Central Asia
- AfriNIC: Africa
(It is illegal to give false information to ICANN)
Information-Gathering Methodology: DNS Records
- A: forward lookup (name to address)
- SOA: Start of Authority; first entry in the zone file
- CNAME: canonical name (alias)
- MX: mail exchange
- SRV: service
- PTR: reverse pointer (address to name)
- NS: name server
Know the components of the SOA record (serial number, refresh rate, retry timer, expiry timer, TTL)
http://www.debianhelp.co.uk/dnsrecords.htm
Information-Gathering Methodology: Traceroute
- Records the round-trip time for each packet at each router along the path
- Uses ICMP echo packets to display the FQDN and IP address of each gateway along the route to the remote host
- lft: advanced traceroute tool
Email Tracking
- Exchange Server files: EDB, STM, Temp, Checkpoint
- Web based: History, Cookies, Temporary Internet folders
Web Spiders
Information-Gathering Methodology: Social Engineering
- Email
- Phone
- In person
- Impersonation
- Shoulder surfing
- Dumpster diving
- Phishing
- URL obfuscation (know how to convert Dec <-> Hex <-> IP)
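As an added example (not part of the original notes), the Dec <-> Hex <-> IP conversion behind URL obfuscation, written from the filtering side: a Python canonicalizer that turns the single-decimal, hex and octal host forms a browser accepts back into one dotted-quad representation, so allow/deny lists and log searches match regardless of how the address was written. It also produces the decimal and hex forms of a dotted address. The parsing rules follow the classic inet_aton behaviour; the sample URLs are constructed.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# One label of a numeric host: 0x-hex or plain digits (leading 0 = octal, inet_aton style)
_LABEL = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")


def dotted_to_dword(ip: str) -> int:
    """Dotted quad -> single 32-bit integer (the 'decimal' URL form)."""
    return int(ipaddress.IPv4Address(ip))


def dotted_to_hex(ip: str) -> str:
    """Dotted quad -> 0x-prefixed 32-bit hex string (the 'hex' URL form)."""
    return f"0x{dotted_to_dword(ip):08x}"


def _label_to_int(label: str) -> int:
    if not _LABEL.fullmatch(label):
        raise ValueError(f"not a numeric label: {label!r}")
    if label.lower().startswith("0x"):
        return int(label[2:], 16)
    if len(label) > 1 and label.startswith("0"):
        return int(label, 8)
    return int(label, 10)


def normalize_host(host: str) -> Optional[str]:
    """Return the dotted-quad form if host is a numeric IPv4 in any inet_aton form, else None."""
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    try:
        nums = [_label_to_int(l) for l in labels]
    except ValueError:
        return None
    *lead, last = nums
    if any(n > 255 for n in lead):
        return None
    width = 4 - len(lead)            # inet_aton: the last label fills the remaining bytes
    if last >= 1 << (8 * width):
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << (8 * width)) | last
    return str(ipaddress.IPv4Address(value))


def canonical_url_host(url: str) -> Optional[str]:
    """Host of a URL as dotted quad; userinfo such as 'www.bank.example@' is ignored."""
    host = urlsplit(url).hostname
    return normalize_host(host) if host else None
```

`canonical_url_host("http://www.example.com@3232235777/login")` resolves to `192.168.1.1`, which is the value a filter should compare against rather than the text in the address bar.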