Gonzalez Posted October 7, 2006

What is footprinting?

Footprinting is the first logical step in any attacker's preparation before the actual hack. It entails researching the target for specific qualities such as open ports, services, security features, and basically any other information you can get out of the machine. Footprinting must be performed properly to ensure a good attack.

Through internet footprinting (FP) you should be able to get some of the following info from the target: TCP and UDP services, specific IP addresses, some of the access methods (ACLs etc.), user names, groups, identify intrusion detection systems (IDS), banners, routing tables, SNMP info, system architecture info (OS info), domain names, and more.

Gathering info off the web.

A lot of the time the website of the target will give away valuable information that could be used against them. Look for some of the following: phone numbers, mergers, names, email addresses, possible affiliate/sister company locations, and I have even seen actual info on servers/firewalls that the site may be running. Trust me, people are stupid and often give too much information.

Using the network.

The next thing you should do is take a look at the website's source code for hidden gems or notes. Common notes will look like this: <--server running-->. A lot of large websites use these notes to pass along valuable info to other web authors that might work on the page. Another good idea is to download the page and view it offline in more detail. Another good thing to do is a quick look on Google for more information on your target such as mergers, news reports, articles and any other info you can dredge up. Another good thing Google allows you to do is search for hosts or links (host:www.name.com, or link:www.name.com) with the option of adding AND, OR operators to expand your search; this can be very helpful in your quest for root.

Usenet and newsgroups can also contain a wealth of knowledge; some large companies even have their own specific newsgroups.

Using tools and services.

We must then find the domain name and servers (if we don't know them yet) by using some tools and services:

Whois Clients - There are a lot of programs which have nslookup, whois, dns, ping, finger and more.

Net Services - http://www.internic.net

Domain Name: INTERNIC.NET
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS.APNIC.NET
Name Server: NS1.CRSNIC.NET
Name Server: SVC00.APNIC.NET
Name Server: NS2.NSIREGISTRY.NET
Name Server: NS.ICANN.ORG
Name Server: A.IANA-SERVERS.NET
Name Server: C.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.ORG
Status: REGISTRY-LOCK
Updated Date: 19-jun-2003
Creation Date: 01-jan-1993
Expiration Date: 31-dec-2010
>>> Last update of whois database: Wed, 16 Jul 2003 06:15:23 EDT <<<

Using whois queries.

There are five major whois queries that can give us information:

Registrar Query - This will give info on domains matching the target.
Organizational Query - This will resolve all instances of the target's name, showing all of the corresponding domains.
Domain Query - This will depend on what you find in the organizational query. Using a domain query, you can get a company's addresses, domain names, phone numbers, and DNS servers.
Network Query - Using the American Registry for Internet Numbers you can discover certain blocks owned by a company.
POC (point of contact) Query - This will find all the IP addresses a machine might have or even search for specific domain handles (users).

NOTE: Someone familiar with war dialers can use them to get more phone numbers.
NOTE: The military and government (talking for the U.S.A.) have their own whois servers here: http://whois.nic.mil and http://whois.nic.gov

DNS interrogation.

A major problem is that a lot of admins neglect to disallow internet users from performing DNS zone transfers; a tool like nslookup makes this fairly easy. If you can figure out where the mail is handled, it is very likely the firewall will be located on the same network. I suggest doing a

Mapping the network (determining topology).

A good way to accomplish most of this would be to perform a traceroute (tracert):

C:\>tracert internic.net

Tracing route to internic.net [198.41.0.6]
over a maximum of 30 hops:

Microsoft Windows XP [Version 5.1.2600]
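The whois record quoted in the post is the raw material for the "Using tools and services" and "Using whois queries" steps; what you actually want out of it is the list of name servers (the hosts to try a zone transfer against), the whois server for follow-up queries, and whether the domain is registry-locked. The following Python is an added example written for this page, not code from Gonzalez's post: it parses that record (embedded as a constructed sample string so it runs offline) into a structured object and lists the hosts to chase next. The field names it recognises are the ones visible in the quoted record; other registries use different layouts and that is an assumption you would have to adjust.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample input: the INTERNIC.NET record quoted in the post,
# embedded as a string so the parser runs offline without a whois client.
SAMPLE_WHOIS = """\
Domain Name: INTERNIC.NET
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS.APNIC.NET
Name Server: NS1.CRSNIC.NET
Name Server: SVC00.APNIC.NET
Name Server: NS2.NSIREGISTRY.NET
Name Server: NS.ICANN.ORG
Name Server: A.IANA-SERVERS.NET
Name Server: C.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.ORG
Status: REGISTRY-LOCK
Updated Date: 19-jun-2003
Creation Date: 01-jan-1993
Expiration Date: 31-dec-2010
>>> Last update of whois database: Wed, 16 Jul 2003 06:15:23 EDT <<<
"""

# "Key: value" line; the key is limited to letters and spaces so the colon
# inside a URL value (http://...) is never mistaken for the separator.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


@dataclass
class WhoisRecord:
    domain: str = ""
    registrar: str = ""
    whois_server: str = ""
    referral_url: str = ""
    name_servers: list = field(default_factory=list)
    status: list = field(default_factory=list)
    dates: dict = field(default_factory=dict)


def parse_whois(text):
    """Parse a registrar-style whois record (assumed layout: the one quoted
    in the post) into a WhoisRecord."""
    rec = WhoisRecord()
    for line in text.splitlines():
        if line.startswith(">>>"):
            continue  # registry footer line, not a field
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "domain name":
            rec.domain = value.lower()
        elif key == "registrar":
            rec.registrar = value
        elif key == "whois server":
            rec.whois_server = value.lower()
        elif key == "referral url":
            rec.referral_url = value
        elif key == "name server":
            ns = value.lower()
            if ns and ns not in rec.name_servers:  # keep order, drop repeats
                rec.name_servers.append(ns)
        elif key == "status":
            rec.status.append(value.upper())
        elif key.endswith(" date"):
            rec.dates[key.split()[0]] = value  # "updated", "creation", "expiration"
    return rec


def registry_locked(rec):
    """True when any status flag ends in LOCK (registry- or client-level lock)."""
    return any(s.endswith("LOCK") for s in rec.status)


def next_hosts(rec):
    """Hostnames the record hands you for the next footprinting step: every
    name server (zone-transfer candidates), the whois server for follow-up
    queries, and the host behind the referral URL."""
    hosts = set(rec.name_servers)
    if rec.whois_server:
        hosts.add(rec.whois_server)
    ref = urlparse(rec.referral_url).hostname
    if ref:
        hosts.add(ref.lower())
    return sorted(hosts)


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    print(record.domain, "registrar:", record.registrar,
          "locked:", registry_locked(record))
    for h in next_hosts(record):
        print("  ", h)
```

On the post's own record this yields eight name servers spread over four different parent domains, which is exactly the list you would feed into the DNS interrogation step that follows.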
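The "Gathering info off the web" and "Using the network" steps say to read a target site's source for hidden notes, contact details and links to sister companies. The following Python is an added example written for this page (not code from the post): it pulls HTML comments, email addresses, phone numbers and referenced hostnames out of a page's source, splitting the hosts into the target's own subdomains and external sites. The page source is a constructed sample embedded inline so the script runs offline; the phone-number pattern assumes North American formatting and the domain passed as own_domain is an assumption you supply per target.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page source (not a real site): it carries the kinds of
# leaks the post describes, hidden notes, contact details and links to
# other hosts.
SAMPLE_HTML = """\
<!DOCTYPE html>
<html>
<head>
<!-- server running on web02, contact bob@example.com before editing -->
<title>Example Corp - Home</title>
</head>
<body>
<p>Call us at (555) 123-4567 or mail info@example.com.</p>
<p>Our partner <a href="http://www.partner-example.net/">Partner Co</a> joined us in 2006.</p>
<img src="http://images.example.com/logo.gif" alt="logo">
<a href="mailto:webmaster@example.com">Webmaster</a>
<!-- TODO: move to ns2.example.com after the merger -->
</body>
</html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# North American style numbers such as (555) 123-4567 or 555-123-4567; an
# assumption about the target's locale, adjust for other formats.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")


class SourceNotes(HTMLParser):
    """Collect comments, visible text and referenced hosts from page source."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.hosts = set()
        self.text = []

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))  # the "hidden notes"

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                host = urlparse(value).hostname  # None for mailto: and relative links
                if host:
                    self.hosts.add(host.lower())

    def handle_data(self, data):
        self.text.append(data)


def inspect_source(html, own_domain):
    """Return the footprinting leads found in one page's source.
    own_domain (e.g. "example.com") separates the target's own subdomains
    from external/sister sites."""
    p = SourceNotes()
    p.feed(html)
    p.close()
    own_domain = own_domain.lower()
    own_suffix = "." + own_domain
    # Hostnames under the target's domain that appear inside the comments
    # themselves (e.g. an internal server name mentioned in a TODO note).
    host_in_note = re.compile(r"\b[\w-]+(?:\.[\w-]+)*" + re.escape(own_suffix) + r"\b")
    hosts = set(p.hosts)
    for note in p.comments:
        hosts.update(h.lower() for h in host_in_note.findall(note))
    return {
        "comments": p.comments,
        # scan the raw source so mailto: links and comments are covered too
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "phones": sorted(set(PHONE_RE.findall("\n".join(p.text)))),
        "subdomains": sorted(h for h in hosts if h.endswith(own_suffix)),
        "external_hosts": sorted(h for h in hosts
                                 if not h.endswith(own_suffix) and h != own_domain),
    }


if __name__ == "__main__":
    for key, value in inspect_source(SAMPLE_HTML, "example.com").items():
        print(key + ":")
        for item in value:
            print("  ", item)
```

Run against a page you have downloaded (as the post suggests, view it offline) and the "subdomains" list gives you new hostnames to resolve, while "external_hosts" points at the affiliate and partner sites the post tells you to look for.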