footprint of an organization from which they can launch an attack. By following some simple advice, network administrators can make footprinting more difficult. Figure outlines the process detailed below. Hackers can build a complete profile or “footprint” of the company security posture. Using a range of tools and techniques, an attacker can discover the company domain names; network blocks; IP addresses of systems, ports, and services used; and many other details pertaining to the company security posture as related to the Internet, an intranet, remote access, and an extranet. In a simple scenario, an attacker might start with the company web page. A web page can lead to other sources of information. After the hacker has the company domain name (an easy thing to find), determining the IP addresses of servers and devices is relatively easy. In another scenario, assume that the footprint reveals a recently acquired startup company. Assume as well that this startup company has weaker security than the new parent company. The attacker may be able to use this weakness, possibly through poorly protected virtual private network (VPN) links. Building a footprint, or “footprinting,” is an iterative process. Initially, footprinting provides a number of hostnames, their IP addresses, and a basic picture of the network topology. Hackers can use the whois databases maintained by the InterNIC and domain name registrars to build on this information. WHOIS databases contain name server, registrar, and, in some cases, full contact information about a domain name. The InterNIC maintains a central registry whois database containing only registrar and name server information for all .com, .net, and .org domains. However, each registrar must maintain a whois database containing all of the contact information for the domains that they host. These are some of the tools used in footprinting:

• Commands: Using the information revealed by the whois effort, the hacker can execute more searches using these commands to develop a more detailed footprint:
  • nslookup: Performs Domain Name System (DNS) queries and zone transfers
  • traceroute (tracert): Helps build network maps of the target network presence
• Programs and utilities:
  • WHOIS Tools: Multiple web interfaces are available that perform whois lookups, forward and reverse DNS searches, and traceroutes.
  • Nmap: Network Mapper (Nmap) is a free open source utility for network exploration or security auditing. Nmap rapidly scans large networks and single hosts. For more information, go to http://www.insecure.org/nmap/.
  • Foundstone ScanLine: Foundstone ScanLine is a Microsoft Windows NT-based port scanner.

Figure outlines some basic steps to take to make footprinting more difficult:

• Keep all information that has the potential to identify and compromise the security of your organization offline. This includes access to business plans, formulas, and proprietary documents.
• In determining how much corporate information to provide to the public, balance business needs against security and privacy. Generally, a minimum amount of information is all that is required.
• Audit the website of your organization from the point of view of a hacker to find any potential insecurity.
• Run a ping sweep on your network and carefully examine the results from the point of view of a hacker.
• Familiarize yourself with the American Registry for Internet Numbers (ARIN) to determine network blocks.

---

Content 5.1 Thinking Like a Hacker 5.1.3 Step 2: Enumerate Information Footprinting generates a map of the target network. Enumeration is the effort aimed at building on the footprint and compiling more specific network data. Hackers are interested in finding this information :

• Server applications and versions: Hackers find out what web, FTP, and mail server versions you are running by listening to TCP and User Datagram Protocol (UDP) ports and sending random data to each. Hackers cross-reference this information using vulnerability databases to look for potential exploits. The SecurityFocus website at http://www.securityfocus.com/ provides an index of exploits and vulnerabilities.
• Exploiting selected TCP ports: Hackers select TCP ports based on the sensitive information contained on known ports. For example, file sharing using Server Message Block (SMB) protocol in Microsoft Windows NT, 2000, and XP uses TCP port 445. In Windows NT, SMB runs on top of NetBIOS over TCP/IP (NetBT) ports 137 (TCP and UDP), 138 (UDP), and 139 (TCP). If hackers are able to contact the host on these ports, they attempt to enumerate anonymously sensitive information from the system including user names, last login dates, password change dates, and group memberships.

Hackers look for information from listening ports and estimate the level of permission that is required to enumerate this information. They also want to know if a login is required to determine if someone has enumerated this information. Hackers also look to see if a potential exists for an authenticated user to view security-sensitive data or personally identified information that might compromise privacy concerns. Hackers can use some of the tools listed here. All of these tools are readily available to download, and security staff should know how these tools work.

• Netcat: Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol. You can use Netcat directly or driven by other programs and scripts as a reliable back-end tool. Netcat is a feature-rich network debugging and exploration tool because it can create almost any kind of connection you would need and has several interesting built-in capabilities. Hackers use Netcat to grab banners and to scan ports. You will find Netcat at http://netcat.sourceforge.net/.
• Microsoft EPDump and Microsoft Remote Procedure Call (RPC) Dump: These tools provide information about Microsoft RPC services on a server:
  • The Microsoft EPDump application shows applications that are currently running and those which are waiting on dynamically assigned ports. For more information, see http://www.securityfocus.com/tools/532.
  • The RPC Dump (rpcdump.exe) application is a command-line tool that queries RPC endpoints for status and other information on RPC. For more information, see http://www.microsoft.com/windows2000/ techinfo/reskit/tools/existing/rpcdump-o.asp.
• GetMAC: This application provides a quick way to find the MAC (Ethernet) layer address and binding order for a computer running Microsoft Windows 2000 locally or across a network. This application is useful when you want to enter the address into a sniffer, or if you need to know what protocols are currently in use on a computer. For more information, see http://www.microsoft.com/windows2000/ techinfo/reskit/tools/existing/getmac-o.asp.
• Software development kits (SDKs): SDKs provide hackers with the basic tools that they need to learn more about systems. The Microsoft Windows SDK provides the documentation, samples, header files, libraries, and tools that you need to develop applications that run on Microsoft Windows. See the Microsoft site at http://www.microsoft.com/downloads/details.aspx?Fami