Footprinting - Hacker's Intel

Introduction

Footprinting is the process by which an attacker surveys a chosen target. Think of it as a planned military operation: you wouldn't blindly walk into somewhere without having done some research into the target, and even a large amount of firepower won't make up for that. Footprinting is an often overlooked area of Internet security, and stopping an attacker at this stage will most likely put off all but the most determined attacker.

If you were going to take a long drive to an unknown destination, you would want to know how to get there and whether it would be easier to take the car, train or plane; it's the same with an attack. To find the best way in, a port scan shows which ports are open, and therefore which 'roads' can be used. Examples of good port scanners are BluesPortScanner and Nmap. Nmap provides detailed information and functions such as service and version detection, timing and performance control, firewall/IDS evasion and spoofing to prevent admins from isolating your IP address; it runs on Windows (as shown below), Unix systems, Mac OS X and AmigaOS. There is also a GUI version available for Windows called nmapfe. Blues Port Scanner is a fast and resource-friendly scanner capable of scanning over 300 ports a second and offers TCP and UDP scanning; it only runs on Windows and is GUI-based.

Nmap is run from the command prompt and presents a list of options with which you can make use of its many functions. The program can be easily worked out from the on-screen instructions, and a few example commands are included that show off some of them. By finding out what services and ports a target has open and running, an attacker can use this information to move on to the next stage of an attack.
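
Because a scan at this stage is the attacker's first visible move, it is also the defender's first chance to notice them. The following is an added example, not code from the original article: a small detector that reads packet-filter log lines and flags a source that touches many distinct destination ports on one host within a few seconds, which is the trace an Nmap-style scan leaves behind. The log lines are constructed samples in an iptables-like layout; the field names, addresses and thresholds are assumptions for illustration.

```python
"""Port-scan detector over firewall log lines (added example, not from the
original article). A source address that probes many distinct destination
ports on one host inside a short window is reported. The log layout below is
a constructed, iptables-like one; field names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

SCANNER = "203.0.113.5"  # constructed: the scanning host
# Constructed sample log: one source sweeps ports 21-32 within two seconds,
# another host makes ordinary HTTPS/HTTP connections, and one line is noise.
SAMPLE_LOG = [
    f"2024-03-01T10:00:{i // 6:02d} kernel: DROP IN=eth0 SRC={SCANNER} "
    f"DST=192.0.2.10 PROTO=TCP SPT={40000 + i} DPT={21 + i}"
    for i in range(12)
] + [
    "2024-03-01T10:00:01 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443",
    "2024-03-01T10:00:02 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443",
    "2024-03-01T10:03:00 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80",
    "2024-03-01T10:00:03 kernel: noise line without the expected fields",
]


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a recognised line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_port_scans(lines, threshold=10, window_seconds=5):
    """Report (src, dst, distinct_ports) for every src/dst pair whose probes
    reach `threshold` distinct destination ports inside any sliding window of
    `window_seconds`. Returns a sorted list so results are stable."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), probes in events.items():
        probes.sort()  # by timestamp, then port
        start, best = 0, 0
        for end in range(len(probes)):
            # Slide the window start forward until it fits within window_seconds.
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = len({port for _, port in probes[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts.append((src, dst, best))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

The sliding window matters more than the raw count: a legitimate host may reach many ports of a server over a day, but not a dozen in two seconds. Tune `threshold` and `window_seconds` to the site, and remember that a slow scan spread over hours will sit under any short window.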

Just running a port scan against the target won't be enough. If the target has a website, then reading every bit of information on the site can prove useful; for example, administrator names and telephone numbers are all potential passwords, and this information can be easily obtained through a WHOIS lookup. WHOIS is a TCP-based protocol used to query a database for information about a specific server or domain. It was developed to help system admins find IP information; traditionally it was used from the command line, but now many web-based WHOIS tools exist and are a simple Google search away. Making sure that you don't use such easily guessable passwords is something that can't be repeated enough times: as system admins constantly increase their levels of software defense, they increasingly forget that the weakest point in any network is the competence of the person who sets it up; no amount of software or hardware defense can stop someone if the master password is left as 'password'.
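
To turn the point about WHOIS-derived passwords into something an admin can enforce, here is an added example (not code from the original article) that parses a WHOIS record in the usual "Key: Value" layout, derives the substrings an attacker would try first (name parts, organisation words, phone digits, e-mail local parts, the domain label) and rejects a candidate password that contains any of them. The WHOIS text, the example.com contacts and the field names are constructed samples.

```python
"""Check candidate passwords against what a WHOIS record exposes (added
example, not code from the article). The record below is constructed sample
text; its contacts, phone numbers and field names are made up."""
import re

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Name: Alice Cooper
Registrant Organization: Example Widgets Ltd
Registrant Phone: +1.5551234567
Registrant Email: alice.cooper@example.com
Admin Name: Bob Marley
Admin Phone: +1.5559876543
Name Server: NS1.EXAMPLE.COM
"""


def parse_whois(text):
    """Parse 'Key: Value' lines into {lowercase key: [values]}; repeated keys
    (several name servers, for instance) keep every value."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def footprint_tokens(record, min_len=4):
    """Derive lowercase substrings worth blocking: name words and the joined
    name, organisation words, phone digits with and without country code,
    e-mail local parts and domain labels. Very short tokens are dropped."""
    tokens = set()
    for key, values in record.items():
        for value in values:
            if "phone" in key:
                tokens.add(re.sub(r"\D", "", value))
                if "." in value:  # "+1.5551234567": part after the country code
                    tokens.add(re.sub(r"\D", "", value.split(".", 1)[1]))
            elif "email" in key:
                local = value.split("@", 1)[0].lower()
                tokens.add(re.sub(r"[^a-z0-9]", "", local))
                tokens.update(local.replace(".", " ").split())
            elif "domain" in key or "server" in key:
                tokens.update(value.lower().split("."))
            else:  # names, organisation: each word plus the words joined
                words = re.findall(r"[a-z]+", value.lower())
                tokens.update(words)
                tokens.add("".join(words))
    return {t for t in tokens if len(t) >= min_len}


def password_uses_footprint(password, tokens):
    """Return the footprint tokens found inside the password after lowering
    case and stripping punctuation; an empty set means no overlap. This is
    plain substring matching: leetspeak and reversal are not handled here."""
    normalized = re.sub(r"[^a-z0-9]", "", password.lower())
    return {t for t in tokens if t in normalized}


TOKENS = footprint_tokens(parse_whois(SAMPLE_WHOIS))

if __name__ == "__main__":
    for candidate in ("AliceCooper2024!", "Ex-5551234567", "correct horse battery staple"):
        hits = password_uses_footprint(candidate, TOKENS)
        print(f"{candidate!r}: {'rejected ' + str(sorted(hits)) if hits else 'ok'}")
```

Hook `password_uses_footprint` into whatever sets the admin password, feeding it the organisation's own public records; the same check works for hostnames, staff names from the website and anything else the footprinting stage would turn up.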

Another way to obtain information about a target is a traceroute. This is a simple program that traces the number of hops to a target: it sends a batch of packets and increases the TTL (time-to-live) of each successive batch by one, so that each router along the path reveals itself in turn. To run traceroute in Windows, open the command prompt and type:
Code:
tracert [-d] [-h maximum_hops] [-j host_list] [-w timeout] target_name
and in Linux:
Code:
Usage: traceroute [-dFInrvx] [-g gateway] [-i iface] [-f first_ttl]
       [-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos]
       [-w waittime] [-z pausemsecs] host [packetlen]
$ traceroute hostname
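
As an added illustration of the TTL mechanism described above (a simulation written for this page, not part of the original article), the following models a constructed four-hop path: the sender raises the TTL by one per probe, every router decrements it, and the router where it reaches zero answers with an ICMP Time Exceeded. One router is marked as not replying, which a real traceroute prints as "*"; the addresses and the `-m max_ttl` style cap are assumptions.

```python
"""Simulation of how traceroute discovers a path (added example, not code
from the article). The path below is constructed; no packets are sent."""

DEST = "192.0.2.10"  # constructed destination address

# Constructed path as (address, replies_when_ttl_expires). A router that
# filters outgoing ICMP Time Exceeded stays invisible and shows up as '*'.
PATH = [
    ("10.0.0.1", True),
    ("198.51.100.1", True),
    ("198.51.100.9", False),
    (DEST, True),
]


def send_probe(path, ttl):
    """Carry one probe with the given TTL along the path.
    Each intermediate router decrements the TTL; if it hits zero there, that
    router answers 'time-exceeded' (or nothing, if it filters ICMP). A probe
    that survives every router reaches the destination, which replies."""
    for addr, replies in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return (addr, "time-exceeded") if replies else (None, None)
    return (path[-1][0], "echo-reply")


def simulated_traceroute(path, max_hops=30):
    """Probe with TTL 1, 2, 3, ... until the destination answers or the hop
    limit is reached; returns the responders in order, '*' for silence."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, message = send_probe(path, ttl)
        hops.append(responder or "*")
        if message == "echo-reply":
            break
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(simulated_traceroute(PATH), start=1):
        print(f"{n:2d}  {hop}")
```

The silent third hop is the defender's lesson here: a border device that does not emit Time Exceeded contributes nothing to the attacker's map, at the cost of making legitimate path troubleshooting from outside harder.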
All these bits of information can be valuable in a small or large way, depending on the skill of the system admin and the luck of the attacker.

The most useful part of this exercise will be the Nmap scan, which can be used to find services that might be vulnerable to exploits. A program called Metasploit is a collection of exploits and payloads that can be launched against a poorly patched server; please be aware, though, that most of the exploits found in Metasploit are dated and couldn't hack a paper bag.

I hope this article gave you an insight into what footprinting involves and a few ways in which, through proper server administration, hack attempts can be foiled.
