footprint of an organization from which they can
launch an attack. By following some simple advice, network
administrators can make footprinting more difficult. Figure
outlines the process detailed below. Hackers can build a
complete profile or “footprint” of the company security
posture. Using a range of tools and techniques, an attacker can
discover the company domain names; network blocks; IP addresses
of systems, ports, and services used; and many other details
pertaining to the company security posture as related to the
Internet, an intranet, remote access, and an extranet. In a
simple scenario, an attacker might start with the company web
page. A web page can lead to other sources of information.
After the hacker has the company domain name (an easy thing to
find), determining the IP addresses of servers and devices is
relatively easy. In another scenario, assume that the footprint
reveals a recently acquired startup company. Assume as well
that this startup company has weaker security than the new
parent company. The attacker may be able to use this weakness,
possibly through poorly protected virtual private network (VPN)
links. Building a footprint, or “footprinting,” is an iterative
process. Initially, footprinting provides a number of
hostnames, their IP addresses, and a basic picture of the
network topology. Hackers can use the whois databases
maintained by the InterNIC and domain name registrars to build
on this information. WHOIS databases contain name server,
registrar, and, in some cases, full contact information about a
domain name. The InterNIC maintains a central registry whois
database containing only registrar and name server information
for all .com, .net, and .org domains. However, each registrar
must maintain a whois database containing all of the contact
information for the domains that they host. These are some of the tools used in footprinting:
- Commands: Using the information revealed by the whois effort, the hacker can execute more searches using these commands to develop a more detailed footprint:
  - nslookup: Performs Domain Name System (DNS) queries and zone transfers.
  - traceroute (tracert): Helps build network maps of the target network presence.
- Programs and utilities:
  - WHOIS tools: Multiple web interfaces are available that perform whois lookups, forward and reverse DNS searches, and traceroutes.
  - Nmap: Network Mapper (Nmap) is a free open source utility for network exploration or security auditing. Nmap rapidly scans large networks and single hosts. For more information, go to http://www.insecure.org/nmap/.
  - Foundstone ScanLine: Foundstone ScanLine is a Microsoft Windows NT-based port scanner.
Figure outlines some basic steps to take to make footprinting more difficult:
- Keep all information that has the potential to identify and compromise the security of your organization offline. This includes access to business plans, formulas, and proprietary documents.
- In determining how much corporate information to provide to the public, balance business needs against security and privacy. Generally, a minimum amount of information is all that is required.
- Audit the website of your organization from the point of view of a hacker to find any potential insecurity.
- Run a ping sweep on your network and carefully examine the results from the point of view of a hacker.
- Familiarize yourself with the American Registry for Internet Numbers (ARIN) to determine network blocks.
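The ping-sweep step is only useful if the results are compared with what the organization believes is exposed. The following script is an added example, not part of the course text: it parses the report lines that an `nmap -sn` ping sweep prints (the line format is assumed from nmap's standard output; the sweep output, the asset inventory and the list of role-revealing words are all constructed for the example), then reports responding hosts that are not in the inventory, inventoried hosts that stayed silent, and reverse-DNS names that advertise a host's role, the kind of "vpn" or "legacy" hint that leads an attacker to the weaker acquired network the text describes.

```python
import re

# Constructed sample of what `nmap -sn` prints for a /24 ping sweep.
# (Report-line format assumed from nmap's standard output; hostnames are made up.)
SWEEP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-01 09:00 UTC
Nmap scan report for www.example.com (192.0.2.10)
Host is up (0.0012s latency).
Nmap scan report for mail.example.com (192.0.2.11)
Host is up (0.0020s latency).
Nmap scan report for 192.0.2.37
Host is up (0.0015s latency).
Nmap scan report for vpn-legacy.startup.example (192.0.2.40)
Host is up (0.0031s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.31 seconds
"""

# Constructed asset inventory: which addresses the organization expects to
# answer a ping from the outside, and why.
INVENTORY = {
    "192.0.2.10": "public web server",
    "192.0.2.11": "mail gateway",
    "192.0.2.12": "secondary DNS (expected to answer ping)",
}

# Words in a reverse-DNS name that tell an outsider what a host is for.
# This list is an assumption for the example; extend it for your naming scheme.
ROLE_HINTS = ("vpn", "legacy", "dev", "test", "backup", "admin")

# Matches "Nmap scan report for name (ip)" and "Nmap scan report for ip".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+(?:\.\d+){3})\)?$"
)


def parse_sweep(text):
    """Return {ip: reverse_dns_name_or_None} for every host nmap reported as up."""
    up = {}
    pending = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            pending = (m["ip"], m["name"])
        elif line.startswith("Host is up") and pending:
            up[pending[0]] = pending[1]
            pending = None
    return up


def reconcile(up_hosts, inventory):
    """Split responders into unexpected, confirmed, and inventoried-but-silent."""
    return {
        "unexpected": {ip: name for ip, name in up_hosts.items() if ip not in inventory},
        "confirmed": {ip: inventory[ip] for ip in up_hosts if ip in inventory},
        "silent": {ip: desc for ip, desc in inventory.items() if ip not in up_hosts},
    }


def revealing_names(up_hosts):
    """Flag reverse-DNS names that advertise a host's role to anyone who sweeps."""
    flagged = {}
    for ip, name in up_hosts.items():
        if name:
            hits = [h for h in ROLE_HINTS if h in name.lower()]
            if hits:
                flagged[ip] = (name, hits)
    return flagged


if __name__ == "__main__":
    up = parse_sweep(SWEEP_OUTPUT)
    result = reconcile(up, INVENTORY)
    for ip, name in result["unexpected"].items():
        print(f"INVESTIGATE {ip} ({name or 'no reverse DNS'}): answers ping, not in inventory")
    for ip, (name, hits) in revealing_names(up).items():
        print(f"RENAME? {ip} {name}: name reveals {', '.join(hits)}")
    for ip, desc in result["silent"].items():
        print(f"NOTE {ip} ({desc}) did not answer; check it is filtered, not down")
```

Run the sweep from outside the perimeter so the results reflect what an attacker sees, and treat every "unexpected" entry as an asset to identify and either inventory or remove. A "silent" inventoried host is not necessarily a problem, but it is worth confirming that it is silent because of filtering rather than because it is down.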
5.1 Thinking Like a Hacker
5.1.3 Step 2: Enumerate Information

Footprinting generates a map of the target network. Enumeration is the effort aimed at building on the footprint and compiling more specific network data. Hackers are interested in finding this information:
- Server applications and versions: Hackers find out what web, FTP, and mail server versions you are running by connecting to TCP and User Datagram Protocol (UDP) ports, sending random data to each, and reading the responses. Hackers cross-reference this information using vulnerability databases to look for potential exploits. The SecurityFocus website at http://www.securityfocus.com/ provides an index of exploits and vulnerabilities.
- Exploiting selected TCP ports: Hackers select TCP ports based on the sensitive information contained on known ports. For example, file sharing using the Server Message Block (SMB) protocol in Microsoft Windows NT, 2000, and XP uses TCP port 445. In Windows NT, SMB runs on top of NetBIOS over TCP/IP (NetBT) ports 137 (TCP and UDP), 138 (UDP), and 139 (TCP). If hackers are able to contact the host on these ports, they attempt to anonymously enumerate sensitive information from the system, including user names, last login dates, password change dates, and group memberships.
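Both behaviours described above leave a distinctive trace: banner grabbing touches many different ports from one source address in a short time, and enumeration of SMB or NetBT means an outside address contacting ports 137, 138, 139 or 445. The script below is an added example and not part of the course text; it runs a simple detector over constructed firewall log lines in a hypothetical format (timestamp, action, protocol, source, destination) and reports sources that walked many ports or that reached the SMB/NetBT ports from outside an assumed internal address range.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the text singles out: SMB on TCP 445 and NetBT on 137/138/139.
ENUMERATION_PORTS = {
    ("tcp", 445): "SMB",
    ("tcp", 137): "NetBT name service",
    ("udp", 137): "NetBT name service",
    ("udp", 138): "NetBT datagram",
    ("tcp", 139): "NetBT session",
}

# Address space treated as internal for this example (an assumption).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Hypothetical firewall log format, constructed for this example:
#   <timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one outside host walks eleven ports (banner grabbing),
# one inside host uses SMB normally, one outside host only talks to the web server.
SAMPLE_LOG = [
    f"2024-05-01T09:00:{i:02d} DENY TCP 203.0.113.5:{51000 + i} -> 192.0.2.10:{p}"
    for i, p in enumerate([21, 22, 25, 80, 110, 139, 143, 443, 445, 3389, 8080])
] + [
    "2024-05-01T09:02:00 ALLOW TCP 192.0.2.20:49152 -> 192.0.2.10:445",
    "2024-05-01T09:03:00 ALLOW TCP 198.51.100.7:40000 -> 192.0.2.10:443",
    "2024-05-01T09:03:01 ALLOW TCP 198.51.100.7:40001 -> 192.0.2.10:80",
    "this line is deliberately malformed and must be skipped",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "action": m["action"], "proto": m["proto"].lower(),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines, sweep_threshold=10):
    """Return {src_ip: findings}. A source is reported for a port sweep
    (at least sweep_threshold distinct destination ports) and/or for touching
    an SMB/NetBT port from outside the internal address space."""
    ports_by_src = defaultdict(set)
    enum_hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ports_by_src[ev["src"]].add((ev["proto"], ev["dport"]))
        service = ENUMERATION_PORTS.get((ev["proto"], ev["dport"]))
        if service and not is_internal(ev["src"]):
            enum_hits[ev["src"]].append((ev["dst"], ev["dport"], service, ev["action"]))
    findings = {}
    for src, ports in ports_by_src.items():
        entry = {}
        if len(ports) >= sweep_threshold:
            entry["port_sweep"] = len(ports)
        if src in enum_hits:
            entry["enumeration_ports"] = enum_hits[src]
        if entry:
            findings[src] = entry
    return findings


if __name__ == "__main__":
    for src, entry in analyze(SAMPLE_LOG).items():
        if "port_sweep" in entry:
            print(f"{src}: probed {entry['port_sweep']} distinct ports (sweep)")
        for dst, port, service, action in entry.get("enumeration_ports", []):
            print(f"{src}: {action} to {dst}:{port} ({service}) from outside")
```

The action column matters when reading the output: a DENY on port 445 from outside shows that someone tried, while an ALLOW shows a file-sharing port reachable from the Internet, which is the condition to fix. Internal SMB traffic is deliberately not reported, since that is normal Windows file sharing.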
Hackers look for information from listening ports and estimate the level of permission that is required to enumerate this information. They also want to know whether a login is required, to determine whether someone could have enumerated this information. Hackers also look to see whether the potential exists for an authenticated user to view security-sensitive data or personally identifiable information that might compromise privacy. Hackers can use some of the tools listed here. All of these tools are readily available to download, and security staff should know how these tools work.
- Netcat: Netcat is a full-featured networking utility that reads and writes data across network connections using the TCP/IP protocol. You can use Netcat directly or drive it from other programs and scripts as a reliable back-end tool. Netcat is a feature-rich network debugging and exploration tool because it can create almost any kind of connection you would need and has several interesting built-in capabilities. Hackers use Netcat to grab banners and to scan ports. You will find Netcat at http://netcat.sourceforge.net/.
- Microsoft EPDump and Microsoft Remote Procedure Call (RPC) Dump: These tools provide information about Microsoft RPC services on a server:
  - The Microsoft EPDump application shows applications that are currently running and those that are waiting on dynamically assigned ports. For more information, see http://www.securityfocus.com/tools/532.
  - The RPC Dump (rpcdump.exe) application is a command-line tool that queries RPC endpoints for status and other information on RPC. For more information, see http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/rpcdump-o.asp.
- GetMAC: This application provides a quick way to find the MAC (Ethernet) layer address and binding order for a computer running Microsoft Windows 2000, locally or across a network. This application is useful when you want to enter the address into a sniffer, or if you need to know what protocols are currently in use on a computer. For more information, see http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/getmac-o.asp.
- Software development kits (SDKs): SDKs provide hackers with the basic tools that they need to learn more about systems. The Microsoft Windows SDK provides the documentation, samples, header files, libraries, and tools that you need to develop applications that run on Microsoft Windows. See the Microsoft site at http://www.microsoft.com/downloads/details.aspx?Fami