Become a Ethical Hacker Step by Step Learning....
What is Footprinting?
Why Is Footprinting Necessary?
- Footprinting is necessary for one basic reason: it gives you a picture of what the hacker sees. And if you know what the hacker sees, you know what potential security exposures you have in your environment. And when you know what exposures you have, you know how to prevent exploitation.
- Hackers are very good at one thing: getting inside your head, and you don’t even know it. They are systematic and methodical in gathering all pieces of information related to the technologies used in your environment. Without a sound methodology for performing this type of reconnaissance yourself, you are likely to miss key pieces of information related to a specific technology or organization—but trust me, the hacker won’t.
- Be forewarned, however: footprinting is often the most arduous task in determining the security posture of an entity, and it tends to be the most boring for freshly minted security professionals eager to cut their teeth on some test hacking. However, footprinting is one of the most important steps, and it must be performed accurately and in a controlled fashion.
INTERNET FOOTPRINTING:
It is difficult to provide a step-by-step guide on footprinting because it is an activity that may lead you down many-tentacled paths. However, this article delineates basic steps that should allow you to complete a thorough footprinting analysis. Many of these techniques can be applied to the other technologies mentioned earlier.
Step 1: Determine the Scope of Your Activities:
The first item of business is to determine the scope of your footprinting activities. Are you going to footprint the entire organization, or limit your activities to certain subsidiaries or locations? What about business partner connections (extranets), or disaster-recovery sites? Are there other relationships or considerations? In some cases, it may be a daunting task to determine all the entities associated with an organization, let alone properly secure them all. Unfortunately, hackers have no sympathy for our struggles. They exploit our weaknesses in whatever forms they manifest themselves. You do not want hackers to know more about your security posture than you do, so figure out every potential crack in your armor.
Step 2: Get Proper Authorization:
One thing hackers can usually disregard that you must pay particular attention to is what we techies affectionately refer to as layers 8 and 9 of the seven-layer OSI Model—Politics and Funding. These layers often find their way into our work one way or another, but when it comes to authorization, they can be particularly tricky. Do you have authorization to proceed with your activities? For that matter, what exactly are your activities? Is the authorization from the right person(s)? Is it in writing? Does it name the target IP addresses and hostnames, and are they the right ones? Ask any penetration tester about the “get-out-of-jail-free card,” and you’re sure to get a smile. While the very nature of footprinting is to tread lightly (if at all) in discovering publicly available target information, it is always a good idea to inform the powers that be at your organization before taking on a footprinting exercise.
Step 3: Publicly Available Information:
After all these years on the web, we still regularly find ourselves experiencing moments of awed reverence at the sheer vastness of the Internet—and to think it’s still quite young! Setting awe aside, here we go…
Publicly Available Information
Popularity: 9
Simplicity: 9
Impact: 2
Risk Rating: 7
The amount of information that is readily available about you, your organization, its employees, and anything else you can imagine is nothing short of amazing.
So what are the needles in the proverbial haystack that we’re looking for?
• Company web pages
• Related organizations
• Location details
• Employees: phone numbers, contact names, e-mail addresses, and personal details
• Current events: mergers, acquisitions, layoffs, rapid growth, and so on
• Privacy or security policies and technical details indicating the types of security mechanisms in place
• Archived information
• Disgruntled employees
• Search engines, Usenet, and resumes
• Other information of interest
Company Web Pages
Try reviewing the HTML source code for comments. Many items not intended for public consumption are buried in HTML comments, which are delimited by <!-- and --> and never rendered by the browser: developer notes, internal hostnames, names of staff, or references to scripts and directories that are not linked anywhere. Viewing the source code offline is usually faster than viewing it page by page online, so it is often beneficial to mirror the entire site for offline viewing, provided the website is in a format that is easily downloadable—that is, HTML rather than Adobe Flash, usually delivered in the Shockwave Flash (SWF) format. Having a copy of the targeted site locally allows you to programmatically search for comments or other items of interest, thus making your footprinting activities more efficient. A couple of tried and true website mirroring tools are:
• Wget (http://www.gnu.org/software/wget/wget.html) for UNIX
• Teleport Pro (http://www.tenmax.com) for Windows
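The following script is an added example and is not code from the original article: it walks a local mirror (assumed to have been produced by `wget -m` or Teleport Pro), pulls every HTML comment out with Python's `html.parser`, and flags comments and page text that leak e-mail addresses, private IP addresses, or words such as "password" or "TODO". It goes a little beyond the paragraph above by scanning the visible page text as well as the comments. The sample page, the example.com addresses and the keyword list are constructed for the demonstration.

```python
"""Scan mirrored HTML for developer comments and leaked details.

Added example (not from the original article). Constructed sample input:
SAMPLE_HTML below; scan_mirror() does the same over a real wget/Teleport
mirror directory.
"""
import os
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# RFC 1918 ranges: anything here points at an internal network
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
# constructed keyword list; extend it for the target's own vocabulary
KEYWORDS = ("password", "passwd", "todo", "fixme", "internal", "debug", "staging")


class CommentCollector(HTMLParser):
    """html.parser hands each <!-- ... --> to handle_comment, so no regex
    over the markup is needed (and nested angle brackets cannot confuse it)."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return every HTML comment in the document, whitespace-trimmed."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def find_leaks(text):
    """E-mail addresses, private IPs and keyword hits anywhere in text."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "private_ips": sorted(set(PRIVATE_IP_RE.findall(text))),
        "keywords": sorted(k for k in KEYWORDS if k in text.lower()),
    }


def scan_html(html):
    """Comments plus leak indicators for one page."""
    return {"comments": extract_comments(html), "leaks": find_leaks(html)}


def scan_mirror(root):
    """Scan every .htm/.html file under root; only pages with findings are
    returned, keyed by path."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report = scan_html(fh.read())
                if report["comments"] or any(report["leaks"].values()):
                    results[path] = report
    return results


# Constructed sample page: three comments, one e-mail, one internal address.
SAMPLE_HTML = """<html><head><title>Example Corp</title></head>
<body>
<!-- TODO: remove before launch. Staging box is 10.20.30.40 -->
<p>Contact <a href="mailto:jsmith@example.com">John Smith</a></p>
<!-- login form posts to /cgi-bin/auth.pl; default password is in the wiki -->
<!-- Generated by BuildTool 2.1 -->
</body></html>"""

if __name__ == "__main__":
    report = scan_html(SAMPLE_HTML)
    for comment in report["comments"]:
        print("comment:", comment)
    print("leaks:", report["leaks"])
```

Run `scan_mirror("example.com")` against the directory `wget -m` creates to get the same report per page; the keyword list is deliberately small, so add the target's own product names, internal domain suffixes and vendor names before relying on it.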
Be sure to investigate other sites beyond the main “http://www” and “https://www” sites as well. Hostnames such as www1, www2, web, web1, test, test1, etc., are all great places to start in your footprinting adventure. But there are others, many others.
Many organizations have sites to handle remote access to internal resources via a web browser. Microsoft’s Outlook Web Access is a very common example. It acts as a proxy to the internal Microsoft Exchange servers from the Internet. Typical URLs for this resource are https://owa.example.com or https://outlook.example.com. Similarly, organizations that make use of mainframes, System/36s or AS/400s may offer remote access via a web browser through services like WebConnect by OpenConnect (http://www.openconnect.com), which serves up a Java-based 3270 and 5250 emulator and allows for “green screen” access to mainframes and midrange systems such as AS/400s from the client’s browser.
Virtual Private Networks (VPNs) are very common in most organizations as well, so looking for sites like http://vpn.example.com, https://vpn.example.com, or http://www.example.com/vpn will often reveal websites designed to help end users connect to their companies’ VPNs. You may find VPN vendor and version details as well as detailed instructions on how to download and configure the VPN client software. These sites may even include a phone number to call for assistance if the hacker—er, I mean, employee—has any trouble getting connected.
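The following script is an added example, not code from the original article, covering both the www1/www2/test hostnames and the OWA, mainframe-gateway and VPN portals discussed above: it builds the candidate names, resolves each one, and separates the remote-access portals from plain web hosts. The resolver is injectable so the logic runs offline against a constructed DNS table; the default is `socket.gethostbyname`, which does real lookups against the target’s DNS, so only use it on a domain you are authorized to footprint. It also adds one check the text does not mention: a wildcard DNS record makes every candidate “resolve”, so a random label is probed first. The name lists, example.com and the 192.0.2.x addresses are constructed for the demonstration.

```python
"""Enumerate likely public-facing hostnames for a domain.

Added example (not from the original article). Name lists, example.com
and the FAKE_DNS table are constructed for the demonstration.
"""
import secrets
import socket

# Plain web hosts the article suggests trying first
BASE_NAMES = ["www", "www1", "www2", "web", "web1", "test", "test1"]
# Remote-access portals: webmail, VPN help pages, terminal gateways
REMOTE_ACCESS_NAMES = ["owa", "outlook", "mail", "webmail", "vpn",
                       "sslvpn", "remote", "citrix", "3270", "as400"]


def candidate_hostnames(domain, extra=()):
    """Fully qualified candidates, de-duplicated in order of interest."""
    seen, out = set(), []
    for label in BASE_NAMES + REMOTE_ACCESS_NAMES + list(extra):
        fqdn = f"{label}.{domain}"
        if fqdn not in seen:
            seen.add(fqdn)
            out.append(fqdn)
    return out


def has_wildcard_dns(domain, resolve=socket.gethostbyname):
    """True if a random, never-published label resolves: every guess
    would then 'exist' and the results below would be meaningless."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        resolve(probe)
        return True
    except OSError:          # socket.gaierror is a subclass of OSError
        return False


def resolve_hostnames(domain, resolve=socket.gethostbyname, extra=()):
    """Return {fqdn: ip} for every candidate that resolves.
    Any resolver error (NXDOMAIN, timeout) is treated as 'not found'."""
    found = {}
    for fqdn in candidate_hostnames(domain, extra):
        try:
            found[fqdn] = resolve(fqdn)
        except OSError:
            continue
    return found


def remote_access_hits(found):
    """Sorted portal hostnames from a resolve_hostnames() result; these are
    the ones that tend to reveal vendor, version and client-setup details."""
    return sorted(h for h in found if h.split(".", 1)[0] in REMOTE_ACCESS_NAMES)


# Constructed DNS table standing in for the target's name servers.
FAKE_DNS = {
    "www.example.com": "192.0.2.10",
    "owa.example.com": "192.0.2.20",
    "vpn.example.com": "192.0.2.30",
    "test.example.com": "192.0.2.40",
}


def fake_resolve(name):
    """Offline stand-in for socket.gethostbyname with the same failure mode."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    domain = "example.com"
    if has_wildcard_dns(domain, resolve=fake_resolve):
        print("wildcard DNS: brute-force results are not trustworthy")
    found = resolve_hostnames(domain, resolve=fake_resolve)
    for fqdn, ip in found.items():
        print(f"{fqdn:24} {ip}")
    print("remote-access portals:", remote_access_hits(found))
```

Dropping the `resolve=fake_resolve` argument switches to live lookups; on a real engagement, log the wildcard result alongside the hits, because a positive wildcard check means the list must be confirmed another way (for example, by fetching each host and comparing the responses).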