CEHv8 Module 02: Footprinting and Reconnaissance
Transcript

  • 1. Footprinting and Reconnaissance, Module 02
  • 2. Ethical Hacking and Countermeasures v8, Footprinting and Reconnaissance. Exam 312-50 Certified Ethical Hacker. Module 02: Footprinting and Reconnaissance. Module 02 Page 92. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  • 3. Security News: Facebook a "treasure trove" of Personally Identifiable Information (April 2012). Source: http://www.scmagazineuk.com. Facebook contains a "treasure trove" of personally identifiable information that hackers manage to get their hands on. A report by Imperva revealed that users' "general personal information" can often include a date of birth, home address and sometimes mother's maiden name, allowing hackers to access this and other websites and applications and create targeted spearphishing campaigns. It detailed a concept I call "friend-mapping", where an attacker can get further knowledge of a user's circle of friends; having accessed their account and posing as a trusted friend, they can cause mayhem. This can include requesting the transfer of funds and extortion. Asked why Facebook is so important to hackers, Imperva senior security strategist Noa Bar-Yosef said: "People also add work friends on Facebook so a team leader can be identified and this can lead to corporate data being accessed, project work being discussed openly, while geo-location data can be detailed for military intelligence."
  • 4. "Hacktivism made up 58 per cent of attacks in the Verizon Data Breach Intelligence Report, and they are going after information on Facebook that can be used to humiliate a person. All types of attackers have their own techniques." On how attackers get a password in the first place, Imperva claimed that different keyloggers are used, while phishing kits that create a fake Facebook login page have been seen, and a more primitive method is a brute force attack, where the attacker repeatedly attempts to guess the user's password. In more extreme cases, a Facebook administrator's rights can be accessed. Although it said that this requires more effort on the hacker side and is not as prevalent, it is the "holy grail" of attacks as it provides the hacker with data on all users. On protection, Bar-Yosef said the roll-out of SSL across the whole website, rather than just at the login page, was effective, but users still needed to opt into this. By Dan Raywood, http://www.scmagazine.com.au/Feature/265065,digitial-investigations-have-matured.aspx
  • 5. Module Objectives. This module will familiarize you with the following:
    - Footprinting Terminology
    - What Is Footprinting?
    - Objectives of Footprinting
    - Footprinting Threats
    - Footprinting through Search Engines
    - Website Footprinting
    - Email Footprinting
    - Competitive Intelligence
    - Footprinting Using Google
    - WHOIS Footprinting
    - DNS Footprinting
    - Network Footprinting
    - Footprinting through Social Engineering
    - Footprinting through Social Networking Sites
    - Footprinting Tools
    - Footprinting Countermeasures
    - Footprinting Pen Testing
  • 6. Module Flow. Ethical hacking is legal hacking conducted by a penetration tester in order to evaluate the security of an IT infrastructure with the permission of an organization. The concept of ethical hacking cannot be explained or performed in a single step; therefore, it has been divided into several steps. Footprinting is the first step in ethical hacking, where an attacker tries to gather information about a target. To help you better understand footprinting, it has been divided into various sections: Footprinting Concepts, Footprinting Threats, Footprinting Methodology, Footprinting Tools, Footprinting Countermeasures, and Footprinting Penetration Testing.
  • 7. The Footprinting Concepts section familiarizes you with footprinting, footprinting terminology, why footprinting is necessary, and the objectives of footprinting.
  • 8. Footprinting Terminology. Before going deep into the concept, it is important to know the basic terminology used in footprinting. These terms help you understand the concept of footprinting and its structure.
    - Open Source or Passive Information Gathering: Open source or passive information gathering is the easiest way to collect information about the target organization. It refers to the process of gathering information from open sources, i.e., publicly available sources. This requires no direct contact with the target organization. Open sources may include newspapers, television, social networking sites, blogs, etc. Using these, you can gather information such as network boundaries, IP addresses reachable via the Internet, operating systems, web server software used by the target network, TCP and UDP services in each system, access control mechanisms, system architecture, intrusion detection systems, and so on.
    - Active Information Gathering: In the active information gathering process, attackers mainly focus on the employees of the target organization. Attackers try to extract information from the employees by conducting social engineering: on-site visits, interviews, questionnaires, etc.
  • 9. (Footprinting Terminology, continued)
    - Anonymous Footprinting: This refers to the process of collecting information from sources anonymously so that your efforts cannot be traced back to you.
    - Pseudonymous Footprinting: Pseudonymous footprinting refers to the process of collecting information from sources that have been published on the Internet but are not directly linked to the author's name. The information may be published under a different name, the author may have a well-established pen name, or the author may be a corporate or government official who is prohibited from posting under his or her original name. Irrespective of the reason for hiding the author's name, collecting information from such sources is called pseudonymous footprinting.
    - Organizational or Private Footprinting: Private footprinting involves collecting information from an organization's web-based calendar and email services.
    - Internet Footprinting: Internet footprinting refers to the process of collecting information about the target organization's connections to the Internet.
  • 10. What Is Footprinting? Footprinting is the process of collecting as much information as possible about a target network, for identifying various ways to intrude into an organization's network system. Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting you can find various ways to intrude into the target organization's network system. It is considered "methodological" because critical information is sought based on a previous discovery. Once you begin the footprinting process in a methodological manner, you will obtain the blueprint of the security profile of the target organization. The term "blueprint" is used because the result that you get at the end of footprinting is the unique system profile of the target organization. There is no single methodology for footprinting, as you can trace information by several routes. However, this activity is important as all crucial information needs to be gathered before you begin hacking. Hence, you should carry out footprinting precisely and in an organized manner. You can collect information about the target organization by means of footprinting in four steps:
    1. Collect basic information about the target and its network
    2. Determine the operating system used, platforms running, web server versions, etc.
    3. Perform techniques such as Whois, DNS, network and organizational queries
    4. Find vulnerabilities and exploits for launching attacks
  • 11. (What Is Footprinting?, continued) Furthermore, we will discuss in detail how to collect basic information; how to determine the operating system of the target computer, the platforms running, and web server versions; the various methods of footprinting; and how to find and exploit vulnerabilities.
  • 12. Why Footprinting? For attackers to build a hacking strategy, they need to gather information about the target organization's network, so that they can find the easiest way to break into the organization's security perimeter. As mentioned previously, footprinting is the easiest way to gather information about the target organization; this plays a vital role in the hacking process. Footprinting helps to:
    - Know Security Posture: Performing footprinting on the target organization in a systematic and methodical manner gives the complete profile of the organization's security posture. You can analyze this report to figure out loopholes in the security posture of your target organization and then build your hacking plan accordingly.
    - Reduce Attack Area: By using a combination of tools and techniques, attackers can take an unknown entity (for example, XYZ Organization) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture.
  • 13. (Why Footprinting?, continued)
    - Build Information Database: A detailed footprint provides maximum information about the target organization. Attackers can build their own information database about the security weaknesses of the target organization. This database can then be analyzed to find the easiest way to break into the organization's security perimeter.
    - Draw Network Map: Combining footprinting techniques with tools such as Tracert allows the attacker to create network diagrams of the target organization's network presence. This network map represents their understanding of the target's Internet footprint. These network diagrams can guide the attack.
  • 14. Objectives of Footprinting. The major objectives of footprinting include collecting the target's network information, system information, and organizational information. By carrying out footprinting at various network levels, you can gain information such as network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, and access control mechanisms. With footprinting, information such as employee names, phone numbers, contact addresses, designation, work experience, and so on can also be obtained.
    Collect Network Information. The network information can be gathered by performing a Whois database analysis, trace routing, etc. It includes:
    - Domain name
    - Internal domain names
    - Network blocks
    - IP addresses of the reachable systems
    - Rogue websites/private websites
    - TCP and UDP services running
    - Access control mechanisms and ACLs
    - Networking protocols
    - VPN points
    - ACLs
    - IDSes running
    - Analog/digital telephone numbers
    - Authentication mechanisms
    - System enumeration
  • 15. (Objectives of Footprinting, continued)
    Collect System Information:
    - User and group names
    - System banners
    - Routing tables
    - SNMP information
    - System architecture
    - Remote system type
    - System names
    - Passwords
    Collect Organization's Information:
    - Employee details
    - Organization's website
    - Company directory
    - Location details
    - Address and phone numbers
    - Comments in HTML source code
    - Security policies implemented
    - Web server links relevant to the organization
    - Background of the organization
    - News articles/press releases
  • 16. Module Flow. So far, we have discussed footprinting concepts, and now we will discuss the threats associated with footprinting. (Sections: Footprinting Concepts, Footprinting Threats, Footprinting Methodology, Footprinting Tools, Footprinting Countermeasures, Footprinting Penetration Testing.) The Footprinting Threats section familiarizes you with the threats associated with footprinting, such as social engineering, system and network attacks, corporate espionage, etc.
  • 17. Footprinting Threats. Attackers gather valuable system and network information such as account details, operating system and installed applications, network components, server names, database schema details, etc. from footprinting techniques. Types of threats: Information Leakage, Privacy Loss, Corporate Espionage, Business Loss. As discussed previously, attackers perform footprinting as the first step in an attempt to hack a target organization. In the footprinting phase, attackers try to collect valuable system-level information such as account details, operating system and other software versions, server names, and database schema details that will be useful in the hacking process. The following are the various threats due to footprinting:
    - Social Engineering: Without using any intrusion methods, hackers directly and indirectly collect information through persuasion and various other means. Here, crucial information is gathered by the hackers through employees without their consent.
    - System and Network Attacks: Footprinting helps an attacker to perform system and network attacks. Through footprinting, attackers can gather information related to the target organization's system configuration, the operating system running on the machine, and so on. Using this information, attackers can find the vulnerabilities present in the target system and then exploit those vulnerabilities. Thus, attackers can take control of a target system. Similarly, attackers can also take control of the entire network.
  • 18. (Footprinting Threats, continued)
    - Information Leakage: Information leakage can be a great threat to any organization and is often overlooked. If sensitive organizational information falls into the hands of attackers, they can build an attack plan based on the information or use it for monetary benefit.
    - Privacy Loss: With the help of footprinting, hackers are able to access the systems and networks of the company and even escalate privileges up to admin level. Whatever privacy was maintained by the company is completely lost.
    - Corporate Espionage: Corporate espionage is one of the major threats to companies, as competitors can spy and attempt to steal sensitive data through footprinting. Due to this type of espionage, competitors are able to launch similar products in the market, affecting the market position of a company.
    - Business Loss: Footprinting has a major effect on businesses such as online businesses and other e-commerce websites, banking and financial related businesses, etc. Billions of dollars are lost every year due to malicious attacks by hackers.
  • 19. Module Flow. Now that you are familiar with footprinting concepts and threats, we will discuss the footprinting methodology. The footprinting methodology section discusses various techniques used to collect information about the target organization from different sources. (Sections: Footprinting Concepts, Footprinting Threats, Footprinting Methodology, Footprinting Tools, Footprinting Countermeasures, Footprinting Penetration Testing.)
  • 20. Footprinting Methodology: Footprinting through Search Engines, Website Footprinting, Email Footprinting, Competitive Intelligence, Footprinting using Google, WHOIS Footprinting, DNS Footprinting, Network Footprinting, Footprinting through Social Engineering, Footprinting through Social Networking Sites. The footprinting methodology is a procedural way of collecting information about a target organization from all available sources. It deals with gathering information about a target organization: determining the URL, location, establishment details, number of employees, the specific range of domain names, and contact information. This information can be gathered from various sources such as search engines, Whois databases, etc. Search engines are the main information sources where you can find valuable information about your target organization. Therefore, first we will discuss footprinting through search engines: how and what information we can collect through them. Examples of search engines include www.google.com, www.yahoo.com, and www.bing.com.
  • 21. Footprinting through Search Engines. Attackers use search engines to extract information about a target such as technology platforms, employee details, login pages, intranet portals, etc., which helps in performing social engineering and other types of advanced system attacks. Search engine cache may provide sensitive information that has been removed from the World Wide Web (WWW). A web search engine is designed to search for information on the World Wide Web. The search results are generally presented in a line of results often referred to as search engine results pages (SERPs). In the present world, many search engines allow you to extract a target organization's information such as technology platforms, employee details, login pages, intranet portals, and so on. Using this information, an attacker may build a hacking strategy to break into the target organization's network and may carry out other types of advanced system attacks. A Google search could reveal submissions to forums by security personnel that reveal brands of firewalls or antivirus software in use at the target. Sometimes even network diagrams are found that can guide an attack. If you want to footprint the target organization, for example XYZ pvt ltd, then type XYZ pvt ltd in the Search box of the search engine and press Enter. This will display all the search results containing the keywords "XYZ pvt ltd." You can even narrow down the results by adding a specific keyword while searching. Furthermore, we will discuss other footprinting techniques such as website footprinting and email footprinting. For example, consider an organization, perhaps Microsoft. Type Microsoft in the Search box of a search engine and press Enter; this will display all the results containing information about Microsoft. Browsing the results may provide critical information such as physical location, contact address, the services offered, number of employees, etc. that may prove to be a valuable source for hacking.
  • 22. FIGURE 2.1: Screenshot showing information about Microsoft (Google's cached copy of the Wikipedia article on Microsoft, as it appeared on 17 Jul 2012 13:15:03 GMT). As an ethical hacker, if you find any sensitive information of your company in the search engine result pages, you should remove that information. Although you remove the sensitive information, it may still be available in a search engine cache. Therefore, you should also check the search engine cache to ensure that the sensitive data is removed permanently.
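The clean-up described above (remove the page, then make sure the search engine's cache does not keep serving it) is easier to get right when the pages that must never be indexed carry the standard robots directives in the first place. The following is an added example, not part of the EC-Council course material: a small Python checker that reads a page's X-Robots-Tag response header and its robots meta tags and reports whether crawlers are told not to index or archive it. The HTTP headers and HTML bodies are constructed sample data, and the function names robots_directives, is_cache_protected and audit are this example's own.

```python
"""Report whether a page tells search engines not to index or cache it.

Added example, not part of the CEH course material.  Two signals matter:
the X-Robots-Tag response header and <meta name="robots"> elements in the
body.  All headers and HTML below are constructed sample data.
"""
from html.parser import HTMLParser

# Directives that stop a page from being indexed or from being kept in a cache.
PROTECTIVE = {"noindex", "noarchive", "none"}


class _RobotsMetaParser(HTMLParser):
    """Collects the content attribute of every robots meta tag."""

    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attrs = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        name = attrs.get("name", "").strip().lower()
        # "robots" applies to every crawler; names such as "googlebot" scope to one.
        if name == "robots" or name.endswith("bot"):
            self.contents.append(attrs.get("content", ""))


def split_directives(value):
    """'googlebot: NOINDEX, nofollow' -> {'noindex', 'nofollow'}."""
    found = set()
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue
        # An X-Robots-Tag directive may be scoped to a crawler with "name:";
        # "unavailable_after: <date>" also contains colons and is kept whole.
        if ":" in item and not item.startswith("unavailable_after"):
            item = item.split(":", 1)[1].strip()
        found.add(item)
    return found


def robots_directives(headers, html):
    """Union of directives from X-Robots-Tag headers and robots meta tags."""
    found = set()
    for key, value in headers.items():
        if key.lower() == "x-robots-tag":
            found |= split_directives(value)
    parser = _RobotsMetaParser()
    parser.feed(html)
    for content in parser.contents:
        found |= split_directives(content)
    return found


def is_cache_protected(headers, html):
    """True when crawlers are told not to index the page or not to archive it."""
    return bool(PROTECTIVE & robots_directives(headers, html))


# Constructed sample responses: one protected by a header, one by a meta tag,
# and one with no protection at all.
SAMPLE_HEADER_PROTECTED = (
    {"Content-Type": "text/html", "X-Robots-Tag": "noindex, noarchive"},
    "<html><head><title>Staff directory</title></head><body></body></html>",
)
SAMPLE_META_PROTECTED = (
    {"Content-Type": "text/html"},
    '<html><head><META NAME="Robots" CONTENT="NOARCHIVE"></head><body></body></html>',
)
SAMPLE_EXPOSED = (
    {"Content-Type": "text/html"},
    '<html><head><meta name="robots" content="index, follow"></head><body>Staff directory</body></html>',
)


def audit(samples):
    """Map a sample label to (sorted directives found, protected?)."""
    return {label: (sorted(robots_directives(h, b)), is_cache_protected(h, b))
            for label, (h, b) in samples.items()}


if __name__ == "__main__":
    report = audit({"header": SAMPLE_HEADER_PROTECTED,
                    "meta": SAMPLE_META_PROTECTED,
                    "exposed": SAMPLE_EXPOSED})
    for label, (directives, protected) in report.items():
        print(f"{label:8} directives={directives} protected={protected}")
```

Feed it the response headers and body from any HTTP client to check a live page. A page that carries neither signal can be re-cached the next time a crawler visits, so the directives belong on the page before a cache-removal request is sent, and a robots.txt disallow alone is not enough, since it stops crawling but does not clear what was already cached.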
• 23. Finding Company's External and Internal URLs

- Search for the target company's external URL in a search engine such as Google or Bing.
- Internal URLs provide an insight into the different departments and business units in an organization.
- You may find a company's internal URLs by the trial and error method.
- Tools to search internal URLs: http://news.netcraft.com and http://www.webmaster-a.com/link-extractor-internal.php
- Internal URLs of microsoft.com: support.microsoft.com, office.microsoft.com, search.microsoft.com, msdn.microsoft.com, update.microsoft.com, technet.microsoft.com, windows.microsoft.com

A company's external and internal URLs provide a lot of useful information to the attacker. These URLs describe the company and provide details such as the company mission and vision, history, products or services offered, etc. The URL that is used outside the corporate network for accessing the company's vault server via a firewall is called an external URL. It links directly to the company's external web page. The target company's external URL can be determined with the help of search engines such as Google or Bing. If you want to find the external URL of a company, follow these steps:

1. Open any of the search engines, such as Google or Bing.
2. Type the name of the target company in the Search box and press Enter.

The internal URL is used for accessing the company's vault server directly from inside the corporate network. The internal URL helps to access the internal functions of a company. Most companies use common formats for internal URLs. Therefore, if you know the external URL of a company, you can predict an internal URL through trial and error. These internal URLs provide insight into the different departments and business units in an organization. You can also find the internal URLs of an organization using tools such as Netcraft.

Tools to Search Internal URLs

• 24. Netcraft
Source: http://news.netcraft.com
Netcraft deals with web server and web hosting market-share analysis and operating system detection. It provides a free anti-phishing toolbar (the Netcraft toolbar) for Firefox as well as Internet Explorer browsers. The Netcraft toolbar helps users avoid phishing attacks and protects Internet users from fraudsters. It checks the risk rating as well as the hosting location of the websites we visit.

Link Extractor
Source: http://www.webmaster-a.com/link-extractor-internal.php
Link Extractor is a link extraction utility that allows you to choose between external and internal URLs, and will return either a plain list of the URLs linked to or an HTML list. You can use this utility on competitor sites. Examples of internal URLs of microsoft.com:
- support.microsoft.com
- office.microsoft.com
- search.microsoft.com
- msdn.microsoft.com
- update.microsoft.com
- technet.microsoft.com
- windows.microsoft.com
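As an added example (not code from the course or from the Link Extractor tool), the internal/external link classification described above written in Python over a constructed page: a site owner can run it against their own public pages to see which subdomains, sub-directories and query parameters the links disclose. example.com and every hostname in the sample are assumed placeholders.

```python
"""Added example (not from the CEH course material): sort the links on one
page into internal and external URLs, as the Link Extractor utility described
above does, and record which hosts, sub-directories and query parameters the
internal links disclose. The HTML and all hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect href and src targets, resolved against the page's base URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                # Relative ("/products/") and scheme-relative ("//host/")
                # references are resolved against the page URL first.
                resolved = urljoin(self.base_url, value.strip())
                if urlsplit(resolved).scheme in ("http", "https"):
                    self.links.append(resolved)


def registrable_domain(host):
    """Parent domain by the crude 'last two labels' rule (example.com).
    Adequate for .com style names; multi-part suffixes such as .co.uk
    would need a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def classify_links(base_url, html):
    """Return internal/external link sets plus the hosts, directories and
    query parameter names that the internal links reveal."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    own = registrable_domain(urlsplit(base_url).hostname)
    report = {"internal": set(), "external": set(), "hosts": set(),
              "directories": set(), "parameters": set()}
    for link in collector.links:
        parts = urlsplit(link)
        host = (parts.hostname or "").lower()
        # Any subdomain of the company's own domain counts as internal.
        if host == own or host.endswith("." + own):
            report["internal"].add(link)
            report["hosts"].add(host)
            directory = parts.path.rsplit("/", 1)[0] or "/"
            report["directories"].add(directory)
            report["parameters"].update(
                parse_qs(parts.query, keep_blank_values=True))
        else:
            report["external"].add(link)
    return report


# Constructed sample page; example.com stands in for the company's domain.
SAMPLE_URL = "http://www.example.com/en-us/default.aspx"
SAMPLE_HTML = """
<html><body>
<a href="/products/">Products</a>
<a href="http://support.example.com/kb/article.aspx?id=42&amp;lang=en">Help</a>
<a href="//msdn.example.com/library/">Developer docs</a>
<a href="mailto:press@example.com">Press</a>
<img src="https://cdn.thirdparty.net/logo.png">
<a href="https://www.facebook.com/example">Facebook</a>
<script src="/js/app.js?v=3"></script>
</body></html>
"""

if __name__ == "__main__":
    for key, values in classify_links(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{key}: {sorted(values)}")
```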
• 25. Public and Restricted Websites

Slide examples: http://www.microsoft.com (public website); http://office.microsoft.com and http://answers.microsoft.com (restricted websites).

A public website is a website designed to show the presence of an organization on the Internet. It is designed to attract customers and partners. It contains information such as company history, services and products, and contact information of the organization. The following screenshot is an example of a public website:

Source: http://www.microsoft.com

• 26. FIGURE 2.2: An example of a public website

A restricted website is a website that is available to only a few people. The people may be employees of an organization, members of a department, etc. Restrictions can be applied based on the IP number, domain or subnet, username, and password. Restricted or private websites of microsoft.com include: http://technet.microsoft.com, http://windows.microsoft.com, http://office.microsoft.com, and http://answers.microsoft.com.

• 27. FIGURE 2.3: Examples of public and restricted websites (screenshots of the Microsoft TechNet and Office 365 pages)
• 28. Collect Location Information

Use the Google Earth tool to get the location of the place.

Information such as the physical location of the organization plays a vital role in the hacking process. This information can be obtained using the footprinting technique. In addition to the physical location, we can also collect information such as surrounding public Wi-Fi hotspots that may prove to be a way to break into the target organization's network. Attackers with knowledge of a target organization's location may attempt dumpster diving, surveillance, social engineering, and other non-technical attacks to gather much more information about the target organization. Once the location of the target is known, detailed satellite images of the location can be obtained using various sources available on the Internet such as http://www.google.com/earth and https://maps.google.com. Attackers can use this information to gain unauthorized access to buildings, wired and wireless networks, systems, and so on.

Example: earth.google.com
Google Earth is a valuable tool for hacking that allows you to find a location, point at it, and zoom into that location to explore it. You can even access 3D images that depict most of the Earth in high-resolution detail.

• 29. FIGURE 2.4: Google Earth showing a location

Example: maps.google.com
Google Maps provides a Street View feature that gives you a series of images of a building as well as its surroundings, including Wi-Fi networks. Attackers may use Google Maps to find or locate entrances to buildings, security cameras, gates, places to hide, weak spots in perimeter fences, and utility resources such as electricity connections, to measure the distance between different objects, etc.

FIGURE 2.5: Google Maps showing a Street View
• 30. People Search

Information about an individual can be found at various people search websites. A people search returns the following information about a person:
- Contact numbers and date of birth
- Residential addresses and email addresses
- Photos and social networking profiles
- Blog URLs
- Satellite pictures of private residences
Examples: http://www.spokeo.com, http://pipl.com

You can use public record websites to find information about people's email addresses, phone numbers, house addresses, and other information. Using this information you can try to obtain bank details, credit card details, mobile numbers, past history, etc. There are many people search online services available that help find people; http://pipl.com and http://www.spokeo.com are examples of people search services that allow you to search for people by their name, email, username, phone, or address. These people search services may provide information such as:
- Residential addresses and email addresses
- Contact numbers and date of birth
- Photos and social networking profiles
- Blog URLs
- Satellite pictures of private residences
• 32. People Search Online Services

Slide examples: Zaba Search (http://www.zabasearch.com), 123 People Search (http://www.123people.com), ZoomInfo (http://www.zoominfo.com), PeekYou (http://www.peekyou.com), Wink People Search (http://wink.com), Intelius (http://www.intelius.com), PeopleSmart (http://www.peoplesmart.com), AnyWho (http://www.anywho.com), WhitePages (http://www.whitepages.com), People Lookup (https://www.peoplelookup.com)

At present, many Internet users use people search engines to find information about other people. Most often, people search engines provide people's names, addresses, and contact details. Some people search engines may also reveal the type of work an individual does, businesses owned by a person, contact numbers, company email addresses, mobile numbers, fax numbers, dates of birth, personal e-mail addresses, etc. This information proves to be highly beneficial for attackers to launch attacks. Some of the people search engines are listed as follows:

Zaba Search
Source: http://www.zabasearch.com
Zaba Search is a people search engine that provides information such as the address, phone number, current location, etc. of people in the US. It allows you to search for people by their name.

ZoomInfo
Source: http://www.zoominfo.com

• 33. ZoomInfo is a business people directory with which you can find business contacts, people's professional profiles, biographies, work histories, affiliations, links to employee profiles with verified contact information, and more.

Wink People Search
Source: http://wink.com
Wink People Search is a people search engine that provides information about people by name and location. It gives phone number, address, websites, photos, work, school, etc.

AnyWho
Source: http://www.anywho.com
AnyWho is a website that helps you find information about people, their businesses, and their locations online. With the help of a phone number, you can get all the details of an individual.

People Lookup
Source: https://www.peoplelookup.com
People Lookup is a people search engine that allows you to find, locate, and then connect with people. It also allows you to look up a phone number, search for cell numbers, find an address or phone number, and search for people in the US. This database uses information from public records.

123 People Search
Source: http://www.123people.com
123 People Search is a people search tool that allows you to find information such as public records, phone numbers, addresses, images, videos, and email addresses.

PeekYou
Source: http://www.peekyou.com
PeekYou is a people search engine that allows you to search for profiles and contact information of people in India and cities' top employers and schools. It allows you to search for people by their names or usernames.

Intelius
Source: http://www.intelius.com
Intelius is a public records business that provides information services. It allows you to search for people in the US by their name, address, phone number, or email address.
• 34. PeopleSmart
Source: http://www.peoplesmart.com
PeopleSmart is a people search service that allows you to find people's work information by their name, city, and state. In addition, it allows you to perform reverse phone lookups, email searches, searches by address, and county searches.
• 35. WhitePages
Source: http://www.whitepages.com
WhitePages is a people search engine that provides information about people by name and location. Using a phone number, you can find the person's address.
• 36. People Search on Social Networking Services

Examples: http://www.linkedin.com, http://www.facebook.com, http://twitter.com, https://plus.google.com

Searching for people on social networking websites is easy. Social networking services are online services, platforms, or sites that focus on facilitating the building of social networks or social relations among people. These websites publish information that is supplied by their users. Here, people are directly or indirectly related to each other by common interests, work location, educational communities, etc. Social networking sites allow people to share information quickly and effectively, as these sites are updated in real time. They allow users to post facts about upcoming or current events, recent announcements and invitations, and so on. Therefore, social networking sites prove to be a great platform for searching for people and their related information. Through people searching on social networking services, you can gather critical information that will be helpful in performing social engineering or other kinds of attacks. Many social networking sites allow visitors to search for people without registration; this makes people searching on social networking sites an easy task for you. You can search for a person using a name, email, or address. Some sites allow you to check whether an account is currently in use or not. This allows you to check the status of the person you are looking for. Some social networking services are as follows:
• 37. Facebook
Source: http://www.facebook.com
Facebook allows you to search for people, their friends, colleagues, and people living around them, and others with whom they are affiliated. In addition, you can also find their professional information such as their company or business, current location, phone number, email ID, photos, videos, etc. It allows you to search for people by username or email address.

FIGURE 2.7: Facebook, a social networking service for searching for people across the world (screenshot of a Facebook profile page)

LinkedIn
Source: http://www.linkedin.com
LinkedIn is a social networking website for professional people. It allows you to find people by name, keyword, company, school, etc. Searching for people on LinkedIn gives you information such as name, designation, name of company, current location, and educational qualifications, but to use LinkedIn you need to be registered with the site.

Twitter
Source: http://twitter.com

• 38. Twitter is a social networking service that allows people to send and read short text messages (tweets). Even unregistered users can read tweets on this site.

FIGURE 2.9: Twitter screenshot

• 39. Google+
Source: https://plus.google.com
Google+ is a social networking site that aims to make sharing on the web more like sharing in real life. You can grab a lot of useful information about users from this site and use it to hack their systems.

FIGURE 2.10: Google+ screenshot
• 40. Gather Information from Financial Services

Financial services such as Google Finance, Yahoo! Finance, and so on provide a lot of useful information such as the market value of a company's shares, company profile, competitor details, etc. The information offered varies from one service to the next. In order to avail themselves of services such as e-mail alerts and phone alerts, users need to register with the financial services. This gives an attacker an opportunity to grab useful information for hacking. Many financial firms rely on web access, performing transactions, and user access to their accounts. Attackers can obtain sensitive and private information of users using information theft, key loggers, etc. Attackers can even grab this information by committing cybercrimes, and exploit it with the help of non-vulnerable threats (for example, a software design flaw such as a broken authentication mechanism). The following are some non-vulnerable threats:
- Service flooding
- Brute force attack
- Phishing

• 41. FIGURE 2.11: Examples of financial services websites for gathering information
• 42. Footprinting through Job Sites

You can gather a company's infrastructure details from job postings. Look for these:
- Job requirements
- Employee's profile
- Hardware information
- Software information
Examples of job websites: http://www.monster.com, http://www.careerbuilder.com, http://www.dice.com, http://www.simplyhired.com, http://www.indeed.com, http://www.usajobs.gov

Attackers can gather valuable information about the operating system, software versions, company's infrastructure details, and database schema of an organization by footprinting various job sites using different techniques. Depending upon the posted requirements for job openings, attackers may be able to study the hardware, network-related information, and technologies used by the company. Most company websites have a key employees list with their email addresses. This information may prove to be beneficial for an attacker. For example, if a company wants to hire a person for a Network Administration job, it posts the requirements related to that position.

• 43. FIGURE 2.12: Gathering information through job websites (a sample Network Administrator posting whose requirements name Active Directory, Citrix, Exchange, SQL Server and SQL Clusters, VMware, Veritas backup, DNS, DHCP and WINS, with MCSE (2003) and Citrix certifications listed as a plus)

Usually attackers look for the following information:
- Job requirements
- Employee's profile
- Hardware information
- Software information

Examples of job websites include:
- http://www.monster.com
- http://www.careerbuilder.com
- http://www.dice.com
- http://www.simplyhired.com
- http://www.indeed.com
- http://www.usajobs.gov
• 44. Monitoring Target Using Alerts

Alerts are content monitoring services that provide automated up-to-date information based on your preference, usually via email or SMS. In order to get alerts, you need to register on the website and submit either an email address or a phone number to the service. Attackers can gather this sensitive information from the alert services and use it for the further stages of an attack.

Google Alerts
Source: http://www.google.com/alerts
Google Alerts is a content monitoring service that automatically notifies users when new content from news, web, blogs, video, and/or discussion groups matches a set of search terms selected by the user and stored by the Google Alerts service. Google Alerts aids in monitoring a developing news story and keeping current on a competitor or industry.

• 45. FIGURE 2.13: Google Alerts service screenshot (an alert named "Security News" with 27 new results, and the form fields for the search query, result type, how often, how many, and the delivery email address)

Yahoo! Alerts is available at http://alerts.yahoo.com and Giga Alert at http://www.gigaalert.com; these are two more examples of alert services.
• 46. Footprinting Methodology

- Footprinting through Search Engines
- Website Footprinting
- Email Footprinting
- Competitive Intelligence
- Footprinting using Google
- WHOIS Footprinting
- DNS Footprinting
- Network Footprinting
- Footprinting through Social Engineering
- Footprinting through Social Networking Sites

So far, we have discussed the first step of the footprinting methodology, i.e., footprinting via search engines. Now we will discuss website footprinting. An organization's website is the first place where you can get sensitive information such as the names and contact details of chief persons in the company, upcoming project details, and so on. This section covers the website footprinting concept, mirroring websites, the tools used for mirroring, and monitoring web updates.
• 47. Website Footprinting

Information obtained from the target's website enables an attacker to build a detailed map of the website's structure and architecture. Browsing the target website may provide:
- Software used and its version
- Operating system used
- Sub-directories and parameters
- Filename, path, database field name, or query
- Scripting platform
- Contact details and CMS details
Use Zaproxy, Burp Suite, Firebug, etc. to view headers that provide:
- Connection status and content-type
- Accept-Ranges
- Last-Modified information
- X-Powered-By information
- Web server in use and its version

It is possible for an attacker to build a detailed map of a website's structure and architecture without triggering an IDS or raising any sysadmin suspicions. This can be accomplished either with the help of sophisticated footprinting tools or just with the basic tools that come with the operating system, such as telnet and a browser.

Using the Netcraft tool you can gather website information such as the IP address, registered name and address of the domain owner, domain name, host of the site, OS details, etc. But this tool may not give all these details for every site. In such cases, you should browse the target website. Browsing the target website will provide you with the following information:
- Software used and its version: On a website built from off-the-shelf software you can easily find not only the software in use but also its version.
- Operating system used: Usually the operating system can also be determined.
- Sub-directories and parameters: You can reveal the sub-directories and parameters by making a note of all the URLs while browsing the target website.
- Filename, path, database field name, or query: You should carefully analyze anything after a query that looks like a filename, path, database field name, or query to check whether it offers opportunities for SQL injection.
- Scripting platform: With the help of script filename extensions such as .php, .asp, .jsp, etc., you can easily determine the scripting platform that the target website is using.
- Contact details and CMS details: The contact pages usually offer details such as names, phone numbers, email addresses, and locations of admin or support people. You can use these details to perform a social engineering attack. CMS software allows URL rewriting in order to disguise the script filename extensions. In this case, you need to put a little more effort into determining the scripting platform.

Use Paros Proxy, Burp Suite, Firebug, etc. to view headers that provide:
- Connection status and content-type
- Accept-Ranges
- Last-Modified information
- X-Powered-By information
- Web server in use and its version

Source: http://portswigger.net
The following is a screenshot of Burp Suite showing the headers of packets in the information pane:

FIGURE 2.14: Burp Suite showing headers of packets in the information pane
  • 49.
Website Footprinting (Cont'd)

Examining HTML source provides:
- Comments in the source code
- Contact details of web developer or admin
- File system structure
- Script type

Examining cookies may provide:
- Software in use and its behavior
- Scripting platforms used

Website Footprinting (Cont'd)

Examine the HTML source code. Follow the comments that are either created by the CMS system or inserted manually. These comments may provide clues to help you understand what is running in the background, and may even provide contact details of the web admin or developer. Observe all the links and image tags in order to map the file system structure; this can reveal the existence of hidden directories and files. Enter fake data to determine how the script works.
  • 50.
FIGURE 2.15: Screenshot showing how the Microsoft script works (view-source of www.microsoft.com/en-us/default.aspx)

Examine cookies set by the server to determine the software running and its behavior. You can also identify the scripting platform by observing session cookies and other supporting cookies.

FIGURE 2.16: Showing details about the software running in a system by examining cookies (browser cookie viewer listing cookie name, content, domain, path, creation and expiry dates)
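The header, cookie and HTML-source clues described in this section, turned into a single audit you can run against your own server's responses. This is an added example, not code from the CEH courseware; the cookie-name and extension mappings are well-known defaults and the sample response is constructed.

```python
"""Audit one HTTP response for the fingerprinting clues this section lists.

Added example, not part of the CEH courseware. It parses a raw HTTP/1.1
response (headers plus HTML body) and reports what any visitor could learn
from it: Server and X-Powered-By values, the scripting platform implied by
the session cookie name, HTML comments left in the page, and link targets
with their file extensions. The sample response is constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

# Response headers that disclose software details to every client.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Well-known default session cookie names and the platform each implies.
COOKIE_PLATFORMS = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java servlet/JSP",
    "CFID": "ColdFusion",
}

# Script file extensions mapped to platforms, as the section above describes.
EXTENSION_PLATFORMS = {".php": "PHP", ".asp": "ASP", ".aspx": "ASP.NET", ".jsp": "JSP"}


def parse_response(raw: str) -> Tuple[Dict[str, List[str]], str]:
    """Split a raw response into {lower-case header name: [values]} and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Return the clues exposed by one response, grouped by where they came from."""
    headers, body = parse_response(raw)
    findings: Dict[str, List[str]] = {"headers": [], "cookies": [], "html_comments": [], "links": []}

    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            findings["headers"].append(f"{name}: {value}")

    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        platform = COOKIE_PLATFORMS.get(cookie_name)
        if platform:
            findings["cookies"].append(f"{cookie_name} -> {platform}")

    # Comments often carry developer notes, CMS banners or contact details.
    for comment in re.findall(r"<!--(.*?)-->", body, flags=re.S):
        findings["html_comments"].append(" ".join(comment.split()))

    # Link and image targets map the directory layout; extensions name the platform.
    for target in re.findall(r'(?:href|src)="([^"]+)"', body):
        ext = re.search(r"(\.[a-z]+)(?:\?|$)", target)
        platform = EXTENSION_PLATFORMS.get(ext.group(1)) if ext else None
        findings["links"].append(target + (f" -> {platform}" if platform else ""))
    return findings


# Constructed sample; nothing below was captured from a real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Demo</title></head><body>\r\n"
    "<!-- TODO: remove admin/debug.php before launch (ask webmaster@example.com) -->\r\n"
    '<a href="/admin/login.php">Admin</a>\r\n'
    '<img src="/images/logo.png">\r\n'
    '<a href="/products.php?id=42">Products</a>\r\n'
    "</body></html>"
)

if __name__ == "__main__":
    for source, items in audit_response(SAMPLE_RESPONSE).items():
        print(source)
        for item in items:
            print("   ", item)
```

Every non-empty finding is something a visitor learns for free; stripping Server and X-Powered-By, renaming the session cookie and removing comments is the corresponding hardening step.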
  • 51.
Mirroring Entire Website

- Mirroring an entire website onto the local system enables an attacker to dissect it and identify vulnerabilities; it also assists in finding the directory structure and other valuable information.
- Web mirroring tools allow you to download a website to a local directory, recursively building all directories, HTML, images, flash, videos, and other files from the server to your computer without issuing the requests to the web server one by one.

Original Website / Mirrored Website

Mirroring an Entire Website

Website mirroring is the process of creating an exact replica of the original website. This can be done with the help of web mirroring tools. These tools allow you to download a website to a local directory, recursively building all directories, HTML, images, flash, videos, and other files from the server to your computer.

Website mirroring has the following benefits:
- It is helpful for offline site browsing.
- Website mirroring helps in creating a backup site for the original one.
- A website clone can be created.
- Website mirroring is useful for testing the site at the time of website design and development.
- It is possible to distribute the site to multiple servers instead of using only one server.
  • 52.
FIGURE 2.17: JuggyBoy's Original and Mirrored website
  • 53.
Website Mirroring Tools

HTTrack Web Site Copier
Source: http://www.httrack.com

HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, recursively building all directories and getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link structure. Open a page of the "mirrored" website in your browser, browse the site from link to link, and you can view the site as if you were online. HTTrack can also update an existing mirrored site and resume interrupted downloads.
  • 54.
FIGURE 2.18: HTTrack Web Site Copier screenshot (site mirroring in progress)

SurfOffline
Source: http://www.surfoffline.com

SurfOffline is website download software. It allows you to download entire websites and individual web pages to your local hard drive. After downloading the target website, you can use SurfOffline as an offline browser and view the downloaded web pages in it. If you prefer to view downloaded web pages in another browser, you can use the Export Wizard. SurfOffline's Export Wizard also allows you to copy downloaded websites to other computers in order to view them later, and prepares websites for burning to a CD or DVD.

FIGURE 2.19: SurfOffline screenshot

BlackWidow
Source: http://softbytelabs.com
  • 55.
BlackWidow is a website scanner for both experts and beginners. It scans websites (it is a site ripper). It can download an entire website or part of a website. It builds a site structure first, and then downloads. It allows you to choose what to download from the website.
  • 56.
FIGURE 2.20: SurfOffline screenshot

WebRipper
Source: http://www.calluna-software.com

WebRipper is an Internet scanner and downloader. It downloads massive amounts of images, videos, audio, and executable documents from any website. WebRipper uses spider technology to follow the links in all directions from the start address. It filters out the interesting files and adds them to the download queue. You can restrict downloaded items by file type, minimum file size, maximum file size, and image size. Downloaded links can also be restricted by keywords to avoid wasting your bandwidth.

FIGURE 2.21: WebRipper screenshot
  • 57.
Website Mirroring Tools (Cont'd)

- Website Ripper Copier: http://www.tensons.com
- PageNest: http://www.pagenest.com
- Teleport Pro: http://www.tenmax.com
- Backstreet Browser: http://www.spadixbd.com
- Portable Offline Browser: http://www.metaproducts.com
- Offline Explorer Enterprise: http://www.metaproducts.com
- Proxy Offline Browser: http://www.proxy-offline-browser.com
- GNU Wget: http://www.gnu.org
- iMiser: http://internetresearchtool.com
- Hooeey Webprint: http://www.hooeeywebprint.com

Website Mirroring Tools (Cont'd)

In addition to the website mirroring tools mentioned previously, a few more well-known tools are listed here:
- Website Ripper Copier, available at http://www.tensons.com
- Teleport Pro, available at http://www.tenmax.com
- Portable Offline Browser, available at http://www.metaproducts.com
- Proxy Offline Browser, available at http://www.proxy-offline-browser.com
- iMiser, available at http://internetresearchtool.com
- PageNest, available at http://www.pagenest.com
- Backstreet Browser, available at http://www.spadixbd.com
- Offline Explorer Enterprise, available at http://www.metaproducts.com
- GNU Wget, available at http://www.gnu.org
- Hooeey Webprint, available at http://www.hooeeywebprint.com
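Seen from the server side, the mirroring tools above all behave the same way: one client fetching every linked path in quick succession, usually with a telltale User-Agent. This added detection example (not code from the courseware) runs that check over constructed Apache combined-format log lines; the thresholds and User-Agent fragments are assumptions to tune for your own site.

```python
"""Spot site-mirroring activity in web server access logs.

Added example, not part of the CEH courseware. Mirroring tools such as
HTTrack and GNU Wget fetch every linked resource in quick succession, so one
client requesting many distinct paths inside a short window stands out; the
default User-Agent strings those tools send are a second signal. The log
lines are constructed in Apache combined format; the thresholds and the
User-Agent substrings are assumptions to tune for your own site.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Lower-case fragments of the default User-Agent of common mirroring tools.
# A client can change its User-Agent, so treat a match as a hint, not proof.
MIRROR_AGENTS = ("httrack", "wget", "teleport", "offline explorer", "blackwidow", "webripper")


def parse_line(line: str) -> dict:
    """Parse one combined-format log line; raise on anything else."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_mirroring(lines: List[str], window_s: int = 60, min_unique: int = 20) -> Dict[str, dict]:
    """Return, per client IP, the evidence that it is crawling the whole site."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_ip[rec["ip"]].append(rec)

    findings: Dict[str, dict] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        tool_uas = {r["ua"] for r in recs if any(t in r["ua"].lower() for t in MIRROR_AGENTS)}
        # Sliding window: the most distinct paths this client fetched within window_s seconds.
        best, start = 0, 0
        for end in range(len(recs)):
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_s:
                start += 1
            best = max(best, len({r["path"] for r in recs[start:end + 1]}))
        if tool_uas or best >= min_unique:
            findings[ip] = {"tool_user_agents": sorted(tool_uas), "max_unique_paths_in_window": best}
    return findings


def _sample_log() -> List[str]:
    """Constructed log: a crawler with a browser UA, a normal visitor, and an HTTrack client."""
    lines = []
    for i in range(25):  # 10.0.0.5 pulls 25 distinct pages within 25 seconds
        lines.append(f'10.0.0.5 - - [10/Oct/2012:13:55:{i:02d} +0000] "GET /page{i}.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    for i in range(5):  # 192.168.1.10 reloads the same page a few times
        lines.append(f'192.168.1.10 - - [10/Oct/2012:13:55:{i * 10:02d} +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append('172.16.0.7 - - [10/Oct/2012:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
                 '"Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"')
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, evidence in find_mirroring(SAMPLE_LOG).items():
        print(ip, evidence)
```

A crawler that spoofs a browser User-Agent still trips the distinct-path rule, which is why the two signals are combined.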
  • 58.
Extract Website Information from http://www.archive.org

Archive.org hosts the Internet Archive Wayback Machine, which allows you to visit archived versions of websites. This allows you to gather information on a company's web pages since their creation. As www.archive.org keeps track of web pages from the time of their inception, you can retrieve even information that has been removed from the target website.
  • 59.
FIGURE 2.22: Internet Archive Wayback Machine screenshot (calendar of captures for http://microsoft.com)
  • 60.
Monitoring Web Updates Using Website Watcher

Website Watcher automatically checks web pages for updates and changes.

http://aignes.com

Monitoring Web Updates Using Website Watcher
Source: http://www.aignes.com

Website Watcher is used to keep track of websites for updates and automatic changes. When an update or change occurs, Website Watcher automatically detects it, saves the last two versions to your disk, and highlights the changes in the text. It is a useful tool for monitoring sites to gain competitive advantage.

Benefits:
- Frequent manual checking for updates is not required; Website Watcher can automatically detect updates and notify users.
- It lets you know what your competitors are doing by scanning your competitors' websites.
- It can keep track of new software versions or driver updates.
- It stores images of the modified websites to disk.
  • 61.
FIGURE 2.23: Website Watcher monitoring web updates
  • 62.
Footprinting Methodology

- Footprinting through Search Engines
- Website Footprinting
- Email Footprinting
- Competitive Intelligence
- Footprinting using Google
- WHOIS Footprinting
- DNS Footprinting
- Network Footprinting
- Footprinting through Social Engineering
- Footprinting through Social Networking Sites

Footprinting Methodology

So far we have discussed footprinting through search engines and website footprinting, the two initial phases of the footprinting methodology. Now we will discuss email footprinting. This section describes how to track email communications, how to collect information from email headers, and email tracking tools.
  • 63.
Tracking Email Communications

- An attacker tracks email to gather information about the physical location of an individual in order to perform social engineering, which in turn may help in mapping the target organization's network.
- Email tracking is a method to monitor and spy on the emails delivered to the intended recipient:
  - When the email was received and read
  - GPS location and map of the recipient
  - Time spent reading the email
  - Whether or not the recipient visited any links sent to them
  - Set messages to expire after a specified time
  - Track PDF and other types of attachments

Tracking Email Communications

Email tracking is a method that helps you to monitor as well as track the emails of a particular user. This kind of tracking is possible through digitally time-stamped records that reveal the time and date a particular email was received or opened by the target. Many email tracking tools are readily available on the market, with which you can collect information such as IP addresses, mail servers, and the service provider from which the mail was sent. Attackers can use this information to build their hacking strategy. Examples of email tracking tools include eMailTrackerPro and Paraben E-mail Examiner.

By using email tracking tools you can gather the following information about the victim:
- Geolocation: Estimates and displays the location of the recipient on a map and may even calculate the distance from your location.
- Read duration: The time spent by the recipient reading the mail sent by the sender.
- Proxy detection: Provides information about the type of server used by the recipient.
- Links: Allows you to check whether or not the links sent to the recipient through email have been visited.
  • 64.
- Operating system: Reveals the type of operating system used by the recipient. The attacker can use this information to launch an attack by finding loopholes in that particular operating system.
- Forward email: Whether or not the email sent to you has been forwarded to another person can be determined easily by using this tool.
  • 65.
Collecting Information from Email Header

Annotated sample header (callouts): the address from which the message was sent; sender's mail server; date and time received by the originator's email servers; authentication system used by sender's mail server; a unique number assigned by mr.google.com to identify the message; sender's full name.

Collecting Information from Email Headers

An email header is the information that travels with every email. It contains the details of the sender, routing information, date, subject, and recipient. The process of viewing the email header varies between mail programs. Commonly used email programs:
- SmarterMail Webmail
- Outlook Express 4-6
- Outlook 2000-2003
- Outlook 2007
- Eudora 4.3/5.0
- Entourage
- Netscape Messenger 4.7
- MacMail

The following is a screenshot of a sample email header.
  • 66.
FIGURE 2.24: Email header screenshot

This email header contains the following information:
- Sender's mail server
- Date and time received by the originator's email servers
- Authentication system used by sender's mail server
- Date and time the message was sent
- A unique number assigned by mr.google.com to identify the message
- Sender's full name
- Sender's IP address
- The address from which the message was sent

The attacker can trace and collect all of this information by performing a detailed analysis of the complete email header.
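The analysis described above, done programmatically: walk the Received: chain back to the originating host and read the sender authentication verdicts. This is an added example, not code from the CEH courseware; the header it parses is constructed with RFC 5737 documentation addresses and placeholder hostnames rather than the Gmail header in the figure.

```python
"""Pull routing and authentication facts out of a raw email header.

Added example, not part of the CEH courseware. It uses the standard-library
email parser to walk the Received: chain (newest hop first, so the originating
host is the last entry that carries an IP) and reads the SPF/DKIM verdicts from
Authentication-Results. The header below is constructed; hosts, addresses and
IPs are documentation placeholders, not captured values.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# "from <helo> ... by <receiver>"; folded headers keep their newlines, hence re.S.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Break one Received: value into HELO name, source IP, receiving host and timestamp."""
    body, _, date = value.rpartition(";")
    hop: Dict[str, Optional[str]] = {"helo": None, "ip": None, "by": None, "date": date.strip() or None}
    m = RECEIVED_RE.search(body)
    if m:
        hop["helo"], hop["by"] = m.group("helo"), m.group("by")
        ip = IPV4_RE.search(body[: m.start("by")])  # the source IP sits between "from" and "by"
        hop["ip"] = ip.group(1) if ip else None
    return hop


def analyze_header(raw: str) -> dict:
    """Summarise sender, timestamps, relay chain and authentication results."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received: line, so the list runs newest -> oldest.
    # Only lines added by servers you trust are reliable: a sender controls
    # everything below its first submission hop and can forge those lines.
    hops: List[Dict[str, Optional[str]]] = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = next((h for h in reversed(hops) if h["ip"]), None)
    verdicts = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), flags=re.I)
    return {
        "from": msg.get("From"),
        "message_id": msg.get("Message-ID"),
        "sent": parsedate_to_datetime(msg["Date"]).isoformat() if msg.get("Date") else None,
        "hops": hops,
        "origin_ip": origin["ip"] if origin else None,
        "auth": {k.lower(): v.lower() for k, v in verdicts},
    }


# Constructed header using RFC 5737 documentation addresses.
SAMPLE_HEADER = "\n".join([
    "Delivered-To: recipient@example.net",
    "Received: from mail-relay.example.org (mail-relay.example.org [203.0.113.10])",
    "        by mx.example.net with ESMTPS id abc123;",
    "        Fri, 1 Jun 2012 21:24:01 -0700 (PDT)",
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sender@example.org;",
    "        dkim=pass header.i=@example.org",
    "Received: from [192.0.2.25] (helo=workstation.example.org)",
    "        by mail-relay.example.org with ESMTPA id def456;",
    "        Fri, 1 Jun 2012 21:24:00 -0700 (PDT)",
    "Date: Fri, 1 Jun 2012 21:23:59 -0700",
    "Message-ID: <20120601212359.placeholder@example.org>",
    "From: Sender Name <sender@example.org>",
    "To: recipient@example.net",
    "Subject: Constructed sample",
    "",
    "body",
])

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_header(SAMPLE_HEADER), indent=2))
```

The "sent" time comes from the sender-supplied Date: header, so compare it with the timestamps of the trusted hops when judging whether a message is genuine.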
  • 67.
Email Tracking Tools

Email Lookup - Free Email Tracker (http://www.ipaddresslocation.org); PoliteMail (http://www.politemail.com)

Email Tracking Tools

Email tracking tools allow you to track an email and extract information such as sender identity, mail server, sender's IP address, etc. You can use the extracted information to attack the target organization's systems by sending malicious emails. Numerous email tracking tools are readily available on the market. The following are a few commonly used email tracking tools:

eMailTrackerPro
Source: http://www.emailtrackerpro.com

eMailTrackerPro is an email tracking tool that analyzes email headers and reveals information such as the sender's geographical location, IP address, etc. It allows you to review traces later by saving all past traces.
  • 68.
FIGURE 2.25: eMailTrackerPro showing geographical location of sender

PoliteMail
Source: http://www.politemail.com

PoliteMail is an email tracking tool for Outlook. It tracks and provides complete details about who opened your mail and which document has been opened, as well as which links are being clicked and read. It offers mail merging, split testing, and full list management including segmenting. You can compose an email containing malicious links and send it to the employees of the target organization and keep track of your email. If an employee clicks on the link, he or she is infected and you will be notified. Thus, you can gain control over the system with the help of this tool.

FIGURE 2.26: PoliteMail screenshot

Email Lookup - Free Email Tracker
Source: http://www.ipaddresslocation.org
  • 69.
Email Lookup is an email tracking tool that determines the IP address of the sender by analyzing the email header. You can copy and paste the email header into this email tracking tool and start tracing the email.
  • 70.
FIGURE 2.27: Email Lookup screenshot (email header analysis result listing the sender host's IP address, country, continent, city, region, latitude/longitude, and organization, with a map)
  • 71. Email Tracking Tools (Cont'd): Read Notify (http://www.readnotify.com), DidTheyReadIt (http://www.didtheyreadit.com), Pointofmail (http://www.pointofmail.com), Super Email Marketing Software (http://www.bulk-email-marketing-software.net), Trace Email (http://whatismyipaddress.com), WhoReadMe (http://whoreadme.com), MSGTAG (http://www.msgtag.com), GetNotify (http://www.getnotify.com), Zendio (http://www.zendio.com), G-Lock Analytics (http://glockanalytics.com)
Read Notify. Source: http://www.readnotify.com. Read Notify provides an email tracking service. It notifies you when a tracked email is opened, re-opened, or forwarded. Read Notify tracking reports contain information such as complete delivery details, date and time of opening, geographic location of the recipient, a visualized map of that location, the recipient's IP address, referrer details (e.g., whether the mail was accessed via a web email account), etc.
DidTheyReadIt. Source: http://www.didtheyreadit.com. DidTheyReadIt is an email tracking utility. To use it you need to sign up for an account. Then you add ".DidTheyReadIt.com" to the end of the recipient's email address. For example, if you were sending an email to ellen@aol.com, you would send it to ellen@aol.com.DidTheyReadIt.com instead, and your email would be tracked; ellen@aol.com would not see that you added .DidTheyReadIt.com to her email address. This utility tracks every email that you send invisibly, without alerting the recipient. If the user opens your mail, it informs you when your mail was opened, how long your email remained open, and the geographic location where your email was viewed.
  • 72. TraceEmail. Source: http://whatismyipaddress.com. The TraceEmail tool attempts to locate the source IP address of an email based on the email headers. You copy and paste the full headers of the target email into the Headers box and click the Get Source button; the tool then shows the email header analysis and results. This email header analysis tool cannot detect forged email headers, which are common in malicious email and spam: it assumes that all mail servers and email clients in the transmission path are trustworthy.
MSGTAG. Source: http://www.msgtag.com. MSGTAG is Windows email tracking software that uses read receipt technology to tell you when your emails are opened and when they are actually read. It adds a small track-and-trace tag that is unique to each email for which you need delivery confirmation. When the email is opened, an email tracking code is sent to the MSGTAG email tracking system and a read confirmation is delivered to you. MSGTAG can notify you when the message is read via an emailed confirmation, a pop-up message, or an SMS text message.
Zendio. Source: http://www.zendio.com. Zendio, an email tracking add-in for Outlook, notifies you once your recipient reads the email, so you can follow up knowing when they read it and whether they clicked any links included in the email.
Pointofmail. Source: http://www.pointofmail.com. Pointofmail.com is a proof-of-receipt and reading service for email. It ensures read receipts, tracks attachments, and lets you modify or delete sent messages. It provides detailed information about the recipient, a full history of email reads and forwards, link and attachment tracking, and email, web, and SMS text notifications.
Super Email Marketing Software. Source: http://www.bulk-email-marketing-software.net. Super Email Marketing Software is a professional, standalone bulk mailer program. It can send mail to a list of addresses and supports both plain-text and HTML-formatted emails. Duplicate email addresses are removed automatically. Each mail is sent individually, so each recipient sees only his or her own address in the email header.
  • 73. It saves the email addresses of successfully sent mails, as well as of failed mails, to a text, CSV, TSV, or Microsoft Excel file.
  • 74. WhoReadMe. Source: http://whoreadme.com. WhoReadMe is an email tracking tool that is completely invisible to recipients: they have no idea that the emails sent to them are being tracked. The sender is notified every time the recipient opens the mail. It tracks information such as the type of operating system and browser used, ActiveX controls, CSS version, the time elapsed between sending and reading the mail, etc.
GetNotify. Source: http://www.getnotify.com. GetNotify is an email tracking tool that sends notifications when the recipient opens and reads the mail, without the recipient's knowledge.
G-Lock Analytics. Source: http://glockanalytics.com. G-Lock Analytics is an email tracking service that lets you know what happens to your emails after they are sent, including how many times an email was printed and forwarded.
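The two email footprinting mechanisms described above, header analysis (TraceEmail on slide 72) and hidden read-tracking tags (MSGTAG, DidTheyReadIt, WhoReadMe and the other tools), can both be checked from the receiving side. The following is an added example, written for this page; it is not code from the CEH material or from any of the tools listed. It uses only the Python standard library. The sample message, the host names, the addresses, the tracker URL and the function names are all constructed for the example; the behaviour it encodes (Received: lines are prepended by each hop, so only hops recorded by your own servers are verifiable; read-notification services hide a remote one-pixel image or rewrite the recipient address through a relay suffix such as .DidTheyReadIt.com) is what the slides describe.

```python
"""Defender-side checks for email header analysis and read-tracking tags.

Added example; not code from the CEH course or from the tools it lists.
  trace_source_ip()          walks the Received: chain as TraceEmail does,
                             but stops trusting hops once the chain leaves
                             our own mail servers (everything below can be
                             forged by the sender).
  find_tracking_indicators() flags remote one-pixel / tokenised images and
                             recipient addresses rewritten through a
                             read-notification relay (.DidTheyReadIt.com).
The sample message, hosts, addresses and URLs below are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed sample. Each MTA prepends its own Received: line, so the top
# line was written by our final server and the bottom one is the oldest claim.
SAMPLE_EMAIL = (
    "Received: from mx2.example-corp.internal (mx2.example-corp.internal [10.0.0.20])\n"
    "\tby mail.example-corp.internal with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from mta.external-relay.test (mta.external-relay.test [203.0.113.45])\n"
    "\tby mx2.example-corp.internal with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from totally-legit.bank.test ([192.0.2.99])\n"
    "\tby mta.external-relay.test; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: alerts@bank.test\n"
    "To: ellen@example-corp.internal.DidTheyReadIt.com\n"
    "Subject: Your statement\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    "<html><body><p>Statement attached.</p>\n"
    '<img src="https://tracker.example-notify.test/t.gif?id=abc123" width="1" height="1">\n'
    '<img src="https://cdn.bank.test/logo.png" width="120" height="40">\n'
    "</body></html>\n"
)


def load(raw: str) -> EmailMessage:
    # policy.default unfolds the folded (tab-continued) header lines for us.
    return email.message_from_string(raw, policy=policy.default)


def parse_received(msg: EmailMessage):
    """Yield (from_host, from_ip, by_host) per Received: header, newest first."""
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\sby\s+(\S+)", text)
        from_host = m_from.group(1).rstrip(";") if m_from else None
        by_host = m_by.group(1).rstrip(";") if m_by else None
        # The bracketed IP between 'from' and 'by' is the peer address that
        # the receiving MTA itself observed on the connection.
        seen = text[m_from.end():m_by.start()] if m_from and m_by else text
        m_ip = IPV4_RE.search(seen)
        yield from_host, (m_ip.group(1) if m_ip else None), by_host


def trace_source_ip(msg: EmailMessage, trusted_suffixes):
    """Return (ip, verified). Walking outward from our own MTA, the first hop
    received by one of our hosts from a host that is not ours gives the IP
    that really connected to us. With no trusted hop at all, fall back to
    the oldest claimed origin (what TraceEmail reports) marked unverified."""
    trusted = tuple(trusted_suffixes)
    hops = list(parse_received(msg))
    for from_host, from_ip, by_host in hops:
        if not (by_host and by_host.endswith(trusted)):
            break  # the chain has left our infrastructure
        if not (from_host and from_host.endswith(trusted)):
            return from_ip, True
    for _, from_ip, _ in reversed(hops):
        if from_ip:
            return from_ip, False  # sender-controlled claim only
    return None, False


def find_tracking_indicators(msg: EmailMessage, relay_suffixes=(".didtheyreadit.com",)):
    """Return findings for read-tracking tricks visible in one message."""
    findings = []
    for field in ("To", "Cc"):
        for addr in str(msg.get(field, "")).split(","):
            addr = addr.strip().lower()
            if addr and addr.endswith(tuple(relay_suffixes)):
                findings.append(f"{field} address {addr} routes through a read-notification relay")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for tag in IMG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        # An invisible remote image, or one carrying a per-recipient token, is
        # the classic read-receipt beacon; a visible logo without a token is not.
        if src.startswith(("http://", "https://")) and (tiny or "?" in src):
            findings.append(f"tracking image {src} ({attrs.get('width')}x{attrs.get('height')})")
    return findings


if __name__ == "__main__":
    m = load(SAMPLE_EMAIL)
    print("verified origin:", trace_source_ip(m, (".example-corp.internal",)))
    print("if every hop is trusted:", trace_source_ip(m, ()))
    for f in find_tracking_indicators(m):
        print("-", f)
```

Run with your own mail server suffixes in `trusted_suffixes`: the IP returned with `verified=True` is the one your MTA saw on the wire, while the bottom Received: line (192.0.2.99 in the sample) is only what the sender claimed, which is exactly the forged-header case the TraceEmail description warns about.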
  • 75. Footprinting Methodology: Footprinting through Search Engines, Website Footprinting, Email Footprinting, Competitive Intelligence, Footprinting using Google, WHOIS Footprinting, DNS Footprinting, Network Footprinting, Footprinting through Social Engineering, Footprinting through Social Networking Sites
The next phase in the footprinting methodology after email footprinting is competitive intelligence. Competitive intelligence is a process that gathers, analyzes, and distributes intelligence about products, customers, competitors, and technologies using the Internet. The information gathered can help managers and executives of a company make strategic decisions. This section covers competitive intelligence gathering and the sources where you can get valuable information.
  • 76. Competitive Intelligence Gathering. Competitive intelligence is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet. Competitive intelligence is non-interfering and subtle in nature. Sources of competitive intelligence: company websites and employment ads; search engines, Internet, and online databases; press releases and annual reports; analyst and regulatory reports; trade journals, conferences, and newspapers; customer and vendor interviews; patents and trademarks; product catalogs and retail outlets; social engineering employees; agents, distributors, and suppliers.
Various tools are readily available on the market for competitive intelligence gathering. Acquiring information about a company's products, competitors, and technologies using the Internet is defined as competitive intelligence. Competitive intelligence is not just about analyzing competitors but also about analyzing their products, customers, suppliers, etc. that impact the organization. It is non-interfering and subtle in nature compared with the direct intellectual property theft carried out through hacking or industrial espionage. It mainly concentrates on the external business environment, and it gathers information ethically and legally instead of gathering it secretly. According to CI professionals, if the intelligence information gathered is not useful, then it is not called intelligence.
Competitive intelligence is performed to determine what the competitors are doing and how competitors are positioning their products and services.
Sources of competitive intelligence: company websites and employment ads; search engines, Internet, and online databases;
  • 77. press releases and annual reports; trade journals, conferences, and newspapers; patents and trademarks; social engineering employees; product catalogs and retail outlets; analyst and regulatory reports; customer and vendor interviews; agents, distributors, and suppliers.
Competitive intelligence can be carried out either by employing people to search for the information or by using a commercial database service, which costs less than employing personnel to do the same thing.
  • 78. Competitive Intelligence - When Did this Company Begin? How Did it Develop? Visit these sites: 01. EDGAR Database (http://www.sec.gov/edgar.shtml), 02. Hoovers (http://www.hoovers.com), 03. LexisNexis (http://www.lexisnexis.com), 04. Business Wire (http://www.businesswire.com)
Gathering competitor documents and records helps improve productivity and profitability and stimulates growth. It helps answer the following questions:
When did it begin? Through competitive intelligence, the history of a company can be collected, such as when it was established. Sometimes crucial information that is not usually available to others can also be collected.
How did it develop? It is very beneficial to know exactly how a particular company has developed: the various strategies the company used, its advertising policy, its customer relationship management, etc. can be learned.
Who leads it? This information helps a company learn details about the leading person (decision maker) of the company.
Where is it located?
  • 79. The location of the company and information about its various branches and their operations can be collected through competitive intelligence. You can use the information gathered through competitive intelligence to build a hacking strategy. The following information resource sites help users gain competitive intelligence.
EDGAR. Source: http://www.sec.gov/edgar.shtml. All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR. Anyone can view the EDGAR database freely through the Internet (web or FTP). Not all of the documents that public companies file with the commission are available on EDGAR.
Hoovers. Source: http://www.hoovers.com. Hoovers is a business research company that provides complete details about companies and industries all over the world. Hoovers provides patented business-related information through the Internet, data feeds, wireless devices, and co-branding agreements with other online services. It gives complete information about the organizations, industries, and people that drive the economy and also provides the tools for connecting to the right people in order to get business done.
LexisNexis. Source: http://www.lexisnexis.com. LexisNexis is a global provider of content-enabled workflow solutions designed specifically for professionals in the legal, risk management, corporate, government, law enforcement, accounting, and academic markets. It maintains an electronic database through which you can get legal and public-records related information. Documents and records from legal, news, and business sources are made accessible to customers.
Business Wire. Source: http://www.businesswire.com. Business Wire is a company that focuses on press release distribution and regulatory disclosure. Full-text news releases, photos, and other multimedia content from thousands of companies and organizations are distributed by this company across the globe to journalists, news media, financial markets, investors, information websites, databases, and general audiences. The company has its own patented electronic network through which it releases its news.
  • 80. Competitive Intelligence - What Are the Company's Plans? Competitive intelligence sites: Market Watch (http://www.marketwatch.com), The Wall Street Transcript (http://www.twst.com), Lipper Marketplace (http://www.lippermarketplace.com), Euromonitor (http://www.euromonitor.com), Fagan Finder (http://www.faganfinder.com), SEC Info (http://www.secinfo.com), The Search Monitor (http://www.thesearchmonitor.com)
The following are a few more examples of websites that are useful for gathering valuable information about various companies and their plans through competitive intelligence:
MarketWatch. Source: http://www.marketwatch.com. MarketWatch tracks the pulse of the markets. The site provides business news, personal finance information, real-time commentary, and investment tools and data, with dedicated journalists generating hundreds of headlines, stories, videos, and market briefs a day.
The Wall Street Transcript. Source: http://www.twst.com. The Wall Street Transcript is a website as well as a paid-subscription publication that publishes industry reports. It presents the views of money managers and equity analysts on different industry sectors, and it publishes interviews with company CEOs.
  • 81. Lipper Marketplace. Source: http://www.lippermarketplace.com. Lipper Marketplace offers web-based solutions that help identify a company's market. Marketplace helps qualify prospects and provides the competitive intelligence needed to transform those prospects into clients. Its solutions allow users to identify net flows and track institutional trends.
Euromonitor. Source: http://www.euromonitor.com. Euromonitor provides strategy research for consumer markets. It publishes reports on industries, consumers, and demographics, and provides market research and surveys focused on your organization's needs.
Fagan Finder. Source: http://www.faganfinder.com. Fagan Finder is a collection of Internet tools: a directory of blog sites, news sites, search engines, photo-sharing sites, science and education sites, etc. Specialized tools such as Translation Wizard and URL Info are available for finding information about a web page and performing various actions on it.
SEC Info. Source: http://www.secinfo.com. SEC Info offers the U.S. Securities and Exchange Commission (SEC) EDGAR database service on the web, with billions of links added to the SEC documents. It allows you to search by name, industry, business, SIC code, area code, accession number, file number, CIK, topic, ZIP code, etc.
The Search Monitor. Source: http://www.thesearchmonitor.com. The Search Monitor provides real-time competitive intelligence for monitoring a number of things. It allows you to monitor the market share, page rank, ad copy, landing pages, and budget of your competitors. With the trademark monitor you can monitor the buzz about your own as well as your competitors' brands, and with the affiliate monitor you can watch ad and landing page copy.
  • 82. Competitive Intelligence - What Expert Opinions Say About the Company: Compete PRO (http://www.compete.com), Copernic Tracker (http://www.copernic.com), ABI/INFORM Global (http://www.proquest.com), SEMRush (http://www.semrush.com), Attention Meter (http://www.attentionmeter.com), Jobitorial (http://www.jobitorial.com)
Copernic Tracker. Source: http://www.copernic.com. Copernic Tracker is website tracking software. It monitors a competitor's website continuously and notifies you of any content changes by email. The updated pages, as well as the changes made to the site, are highlighted for your convenience. You can even watch for specific keywords to see the changes made on your competitors' sites.
SEMRush. Source: http://www.semrush.com. SEMRush is a competitive keyword research tool. For any site, you can get a list of Google keywords and AdWords, as well as a list of competitors in the organic and paid Google search results. SEMRush provides the means for gaining in-depth knowledge about what competitors are advertising and how they allocate budget to specific Internet marketing tactics.
  • 83. Jobitorial. Source: http://www.jobitorial.com. Jobitorial provides anonymous employee reviews of jobs at thousands of companies and allows you to review a company.
AttentionMeter. Source: http://www.attentionmeter.com. AttentionMeter is a tool for comparing the traffic of any websites you want using Alexa, Compete, and Quantcast. It gives you a snapshot of traffic data as well as graphs from Alexa, Compete, and Quantcast.
ABI/INFORM Global. Source: http://www.proquest.com. ABI/INFORM Global is a business database that offers the latest business and financial information for researchers at all levels. With ABI/INFORM Global, users can determine business conditions, management techniques, business trends, management practice and theory, corporate strategy and tactics, and the competitive landscape.
Compete PRO. Source: http://www.compete.com. Compete PRO provides an online competitive intelligence service. It combines site, search, and referral analytics in a single product.
  • 84. Footprinting Methodology: Footprinting through Search Engines, Website Footprinting, Email Footprinting, Competitive Intelligence, Footprinting using Google, WHOIS Footprinting, DNS Footprinting, Network Footprinting, Footprinting through Social Engineering, Footprinting through Social Networking Sites
Footprinting using Google. Though Google is a search engine, footprinting using Google is not the same as footprinting through search engines. Footprinting using Google deals with gathering information by Google hacking. Google hacking is a hacking technique that locates specific strings of text within search results using advanced operators in the Google search engine. Google filters for excessive use of advanced search operators and drops such requests with the help of an Intrusion Prevention System.
  • 85. Footprinting using Google Hacking Techniques. Google hacking refers to the art of creating complex search engine queries. If you can construct proper queries, you can retrieve valuable data about a target company from the Google search results. Through Google hacking, an attacker tries to find websites that are vulnerable to numerous exploits and vulnerabilities. This can be accomplished with the help of the Google Hacking Database (GHDB), a database of queries that identify sensitive data. Google operators help in finding the required text and avoiding irrelevant data. Using advanced Google operators, attackers locate specific strings of text such as specific versions of vulnerable web applications. Some of the popular Google operators include:
site: The site: operator in Google restricts results to pages that belong to a specific site (URL).
allinurl: This operator finds the required pages or websites by restricting the results to those containing all the query terms in the URL.
inurl: This restricts the results to only websites or pages whose URL contains the query term that you have specified.
allintitle: This restricts results to only web pages whose title contains all the query terms that you have specified.
  • 86. intitle: This restricts results to only the web pages whose title contains the query term that you have specified; it shows only websites that mention the query term in the title.
inanchor: This restricts results to pages containing the query term that you have specified in the anchor text of links to the page.
allinanchor: This restricts results to pages containing all the query terms you specify in the anchor text of links to the page.
  • 87. What Can a Hacker Do with Google Hacking? Attackers gather: error messages that contain sensitive information; advisories and server vulnerabilities; pages containing network or vulnerability data; files containing passwords; pages containing logon portals.
If the target website is vulnerable to Google hacking, the attacker can find the following with the help of queries from the Google Hacking Database: error messages that contain sensitive information; files containing passwords; sensitive directories; pages containing logon portals; pages containing network or vulnerability data; advisories and server vulnerabilities.
  • 88. Google Advanced Search Operators. Google supports several advanced operators that help in modifying the search: [cache:] displays the web pages stored in the Google cache; [link:] lists web pages that have links to the specified web page; [related:] lists web pages that are similar to a specified web page; [info:] presents some information that Google has about a particular web page; [site:] restricts the results to those websites in the given domain; [allintitle:] restricts the results to those websites with all of the search keywords in the title; [intitle:] restricts the results to documents containing the search keyword in the title; [allinurl:] restricts the results to those with all of the search keywords in the URL; [inurl:] restricts the results to documents containing the search keyword in the URL.
Source: http://www.googleguide.com
cache: The cache: query displays Google's cached version of a web page instead of the current version of the page. Example: cache:www.eff.org will show Google's cached version of the Electronic Frontier Foundation home page. Note: Do not put a space between cache: and the URL (web address).
link: link: lists web pages that have links to the specified web page. For example, to find pages that point to Google Guide's home page, enter link:www.googleguide.com. Note: According to Google's documentation, "you cannot combine a link: search with a regular keyword search."
  • 89. Also note that when you combine link: with another advanced operator, Google may not return all the pages that match. The following queries should return lots of results, as you can see if you remove the -site: term in each of these queries.
related: If you start your query with related:, Google displays websites similar to the site mentioned in the search query. Example: related:www.microsoft.com will provide a Google search engine results page with websites similar to microsoft.com.
info: info: presents some information about the corresponding web page. For instance, info:gothotel.com will show information about the national hotel directory GotHotel.com home page. Note: There must be no space between info: and the web page URL. This functionality can also be obtained by typing the web page URL directly into a Google search box.
site: If you include site: in your query, Google restricts your search results to the site or domain you specify. For example, admissions site:www.lse.ac.uk will show admissions information from the London School of Economics' site, and [peace site:gov] will find pages about peace within the .gov domain. You can specify a domain with or without a period, e.g., either as .gov or gov. Note: Do not include a space between site: and the domain.
allintitle: If you start your query with allintitle:, Google restricts results to those containing all the query terms you specify in the title. For example, allintitle: detect plagiarism will return only documents that contain the words "detect" and "plagiarism" in the title. This functionality can also be obtained through the Advanced Web Search page, under Occurrences.
intitle: The query intitle:term restricts results to documents containing term in the title. For instance, flu shot intitle:help will return documents that mention the word "help" in their titles and mention the words "flu" and "shot" anywhere in the document (title or not). Note: There must be no space between intitle: and the following word.
allinurl: If you start your query with allinurl:, Google restricts results to those containing all the query terms you specify in the URL. For example, allinurl: google faq will return only documents that contain the words "google" and "faq" in the URL, such as www.google.com/help/faq.html. This functionality can also be obtained through the Advanced Web Search page, under Occurrences. In URLs, words are often run together; they need not be run together when you are using allinurl:.
inurl: If you include inurl: in your query, Google restricts the results to documents containing that word in the URL. For instance, inurl:print site:www.googleguide.com searches for pages on Google Guide whose URL contains the word "print"; it finds PDF files that are in the directory or folder named "print" on the Google Guide website. The query [inurl:healthy eating] will return
  • 90. documents that mention the word "healthy" in their URL and mention the word "eating" anywhere in the document. Note: There must be no space between inurl: and the following word.
  • 91. Finding Resources Using Google Advanced Operators. By using the Google advanced operator syntax [intitle:intranet inurl:intranet +intext:"human resources"], the attacker can find private information of a target company as well as sensitive information about the employees of that company. The information gathered can be used to perform social engineering attacks. Google filters for excessive use of advanced search operators and drops such requests with the help of an Intrusion Prevention System. The following screenshot shows a Google search engine results page displaying the results of the query above:
  • 92. FIGURE 2.28: Search engine showing results for the given Google advanced operator syntax (Google results page for the query intitle:intranet inurl:intranet +intext:"human resources", listing human resources intranet pages from several organizations).
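The operator rules spelled out on slides 85 through 91 (no space between a single-term operator and its term, allin* operators apply to every term in the query, link: cannot be combined with a regular keyword search, site: takes a domain with or without a leading dot, multi-word terms are quoted) can be put in code, which is useful to anyone who needs to check what a search engine has indexed about their own domain and wants well-formed, deliberately scoped queries. The following is an added example written for this page; it is not code from the CEH course, from Google Guide, or from Google. The function names and the sample queries are constructed; the operator semantics are those stated on the slides, and the linter goes slightly beyond the slides' single cases by applying the same rules to any query.

```python
"""Builder and linter for Google advanced-operator queries.

Added example; not code from the CEH course, Google Guide or Google.
It encodes the operator syntax rules given on the slides so that a query
can be assembled correctly or checked before use. Function names and the
sample queries are constructed; the operator semantics are the slides'.
"""
import re
import shlex

SINGLE = {"site", "inurl", "intitle", "intext", "inanchor",
          "cache", "info", "related", "link"}
ALL_IN = {"allinurl", "allintitle", "allinanchor"}
# optional +/- prefix, operator name, colon, the (possibly empty) term
OPERATOR_RE = re.compile(r"^([+-]?)([a-z]+):(.*)$", re.IGNORECASE)


def quote(term: str) -> str:
    """Multi-word terms are quoted so the operator covers the whole phrase."""
    return f'"{term}"' if re.search(r"\s", term) else term


def lint_query(query: str) -> list:
    """Return the syntax problems in a query (an empty list means well formed)."""
    problems, keywords, ops = [], [], []
    # shlex keeps intext:"human resources" together as one token.
    for i, tok in enumerate(shlex.split(query)):
        m = OPERATOR_RE.match(tok)
        if not m:
            keywords.append(tok)
            continue
        op, value = m.group(2).lower(), m.group(3)
        if op not in SINGLE | ALL_IN:
            problems.append(f"unknown operator '{op}:'")
            continue
        if op in ALL_IN:
            # allinurl:/allintitle:/allinanchor: consume every following term,
            # so they only make sense at the start of the query.
            if i != 0:
                problems.append(f"'{op}:' applies to every term, so it must start the query")
        elif value == "":
            problems.append(f"'{op}:' must be followed directly by its term, without a space")
        ops.append(op)
    if "link" in ops and keywords:
        problems.append("'link:' cannot be combined with a regular keyword search")
    if "link" in ops and len(ops) > 1:
        problems.append("'link:' combined with another operator may not return all matching pages")
    return problems


def build_query(keywords=(), site=None, all_in=None, **ops) -> str:
    """Assemble a well-formed query.

    keywords: plain terms; site: domain for site:; all_in: (operator, terms)
    for an allinurl:/allintitle:/allinanchor: query; ops: single-term
    operators mapped to one or more values, e.g. intext=["human resources"].
    """
    if all_in:
        op, terms = all_in
        if op not in ALL_IN:
            raise ValueError(f"{op} is not an allin* operator")
        if keywords or site or ops:
            raise ValueError(f"{op}: consumes every term; give it the whole query")
        parts = [f"{op}:"] + [quote(t) for t in terms]
    else:
        parts = [quote(k) for k in keywords]
        if site:
            parts.append(f"site:{site}")  # '.gov' and 'gov' are both accepted
        for op, values in ops.items():
            if op not in SINGLE - {"site"}:
                raise ValueError(f"unknown operator {op}")
            parts.extend(f"{op}:{quote(v)}" for v in values)
    query = " ".join(parts)
    problems = lint_query(query)
    if problems:
        raise ValueError("; ".join(problems))
    return query


if __name__ == "__main__":
    # Scope the slide's intranet query to your own domain (constructed name).
    print(build_query(intitle=["intranet"], inurl=["intranet"],
                      intext=["human resources"], site="example-corp.test"))
    print(build_query(all_in=("allinurl", ["google", "faq"])))
    print(lint_query("intitle: help flu shot"))
    print(lint_query("link:www.googleguide.com security"))
```

Note that `allintitle: detect plagiarism` (with a space) passes the linter, because that is the form the slides give for the allin* operators, whereas `intitle: help` is flagged, because for the single-term operators the slides require the term to follow the colon directly.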
  • 93. Google Hacking Tool: Google Hacking Database (GHDB)

Slide panels: Advisories and Vulnerabilities; Pages Containing Login Portals

Source: http://www.hackersforcharity.org

The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. GHDB is an HTML/JavaScript wrapper application that uses advanced JavaScript techniques to scrape information from Johnny's Google Hacking Database without the need for hosted server-side scripts. The Google Hacking Database exposes known issues with software that runs websites. There are some bugs that expose information that might not warrant public reading.

Module 02 Page 183
  • 94. [Screenshots of the GHDB site at hackersforcharity.org: the Advisories and Vulnerabilities category and the Pages Containing Login Portals category]

FIGURE 2.29: Screenshots showing Advisories and Vulnerabilities & pages containing login portals

Module 02 Page 184
  • 95. Google Hacking Tools

Tools listed on the slide:
MetaGoofil - http://www.edge-security.com
Goolink Scanner - http://www.ghacks.net
SiteDigger - http://www.mcafee.com
Google Hacks - http://code.google.com
SearchDiggity - http://www.stachliu.com
Google HACK DB - http://www.secpoint.com
BiLE Suite - http://www.sensepost.com
Gooscan - http://www.darknet.org.uk

Besides the Google Hacking Database (GHDB) tool featured previously, there are some other tools that can help you with Google hacking. A few more Google hacking tools are mentioned as follows. Using these tools, attackers can gather advisories and server vulnerabilities, error message information that may reveal attack paths, sensitive files, directories, logon portals, etc.

Metagoofil
Source: http://www.edge-security.com

Metagoofil is an information-gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company. Metagoofil performs a search in Google to identify and download the documents to a local disk and then extracts the metadata with different libraries such as Hachoir, PdfMiner, and others. With the results, it generates a report with usernames, software versions, and servers or machine names that may help penetration testers in the information gathering phase.

Goolink Scanner

Module 02 Page 185
  • 96. Source: http://www.ghacks.net

The Goolink Scanner removes the cache from your searches, and collects and displays only vulnerable sites' links. Thus, it allows you to find vulnerable sites wide open to Google and googlebots.

SiteDigger
Source: http://www.mcafee.com

SiteDigger searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on websites.

Google Hacks
Source: http://code.google.com

Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. It allows you to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches.

BiLE Suite
Source: http://www.sensepost.com

BiLE stands for Bi-directional Link Extractor. The BiLE suite includes a couple of Perl scripts used in enumeration processes. Each Perl script has its own functionality. BiLE.pl is the first tool or Perl script in the collection. BiLE leans on Google and HTTrack to automate the collection of links to and from the target site, and then applies a simple statistical weighing algorithm to deduce which websites have the strongest relationships with the target site.

Google Hack Honeypot
Source: http://ghh.sourceforge.net

Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources. GHH implements the honeypot theory to provide additional security to your web presence.

GMapCatcher
Source: http://code.google.com

GMapCatcher is an offline maps viewer. It displays maps from many providers such as CloudMade, OpenStreetMap, Yahoo Maps, Bing Maps, Nokia Maps, and SkyVector. maps.py is a GUI program used to browse Google Maps. With the offline toggle button unchecked, it can download Google Maps tiles automatically. Once a tile has been downloaded, it resides on your hard disk, so you don't need to download it again.

Module 02 Page 186
  • 97. SearchDiggity
Source: http://www.stachliu.com

SearchDiggity is the primary attack tool of the Google Hacking Diggity Project. It is Stach & Liu's MS Windows GUI application that serves as a front-end to the most recent versions of Diggity tools such as GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYard Diggity.

Google HACK DB
Source: http://www.secpoint.com

The attacker can also use the SecPoint Google HACK DB tool to determine sensitive information from the target site. This tool helps an attacker to extract files containing passwords, database files, clear text files, customer database files, etc.

Gooscan
Source: http://www.darknet.org.uk

Gooscan is a tool that automates queries against Google search appliances. These queries are designed to find potential vulnerabilities on web pages.

Module 02 Page 187
  • 98. Footprinting Methodology

Footprinting through Search Engines; Website Footprinting; Email Footprinting; Competitive Intelligence; Footprinting using Google; WHOIS Footprinting; DNS Footprinting; Network Footprinting; Footprinting through Social Engineering; Footprinting through Social Networking Sites

Gathering network-related information such as whois information of the target organization is very important when hacking a system. So, now we will discuss whois footprinting. Whois footprinting focuses on how to perform a whois lookup, analyzing the whois lookup results, and the tools to gather whois information.

Module 02 Page 188
  • 99. WHOIS Lookup

WHOIS databases are maintained by Regional Internet Registries and contain the personal information of domain owners.

A WHOIS query returns:
- Domain name details
- Contact details of domain owner
- Domain name servers
- NetRange
- When a domain has been created
- Expiry records
- Records last updated

Information obtained from a WHOIS database assists an attacker to:
- Create a detailed map of the organizational network
- Gather personal information that assists in performing social engineering
- Gather other internal network details, etc.

Regional Internet Registries (RIRs): ARIN, AfriNIC, APNIC, RIPE

WHOIS is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. WHOIS databases are maintained by Regional Internet Registries and contain the personal information of domain owners. They maintain a record called a LOOKUP table that contains all the information associated with a particular network, domain, and host. Anyone can connect to and query this server to get information about particular networks, domains, and hosts.

An attacker can send a query to the appropriate WHOIS server to obtain information about the target domain name, contact details of its owner, expiry date, creation date, etc. The WHOIS server will respond to the query with the respective information. Then, the attacker can use this information to create a map of the organization's network, trick domain owners with social engineering once he or she gets contact details, and then get internal details of the network.

Module 02 Page 189
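The query and response exchange described above, as an added example that is not code from the courseware or from any tool it lists: a small Python WHOIS client that follows referrals from whois.iana.org to the registry and then the registrar server, plus a parser for the "Key: value" records these servers return. SAMPLE_RECORD is constructed after the registry output in the figure for juggyboy.com; lookup() performs real network queries, and the referral field names it looks for are assumptions about common registry output.

```python
"""Minimal WHOIS client (RFC 3912: one query line over TCP port 43) with
referral following, plus a parser for the 'Key: value' record format shown
in the slide's whois output.

Added example, not from the CEH courseware or any tool it lists. lookup()
talks to real registry servers; parse_whois()/summarize() are demonstrated
offline on a record constructed after the slide's juggyboy.com screenshot.
"""
import socket
from typing import Dict, List, Optional

WHOIS_PORT = 43
IANA_WHOIS = "whois.iana.org"  # knows the registry WHOIS server for each TLD

Record = Dict[str, List[str]]


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one query line terminated by CRLF and read the reply to EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text: str) -> Record:
    """Collect 'Key: value' lines into lowercase keys -> list of values
    (keys such as 'Name Server' repeat). Comment lines (%, #, >>>) and
    lines without a short 'Key:' prefix are skipped."""
    record: Record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#>":
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or len(key) > 40:
            continue
        record.setdefault(key, []).append(value)
    return record


def first(record: Record, key: str) -> Optional[str]:
    """First value stored under key (case-insensitive), or None."""
    values = record.get(key.lower())
    return values[0] if values else None


def lookup(domain: str) -> Record:
    """Follow referrals: IANA (asked about the TLD) -> TLD registry ->
    registrar, using the 'whois' / 'Registrar WHOIS Server' / 'Whois Server'
    fields (assumed field names); every record seen is merged (real traffic)."""
    merged: Record = {}
    server, query, seen = IANA_WHOIS, domain.rsplit(".", 1)[-1], set()
    while server and server not in seen:
        seen.add(server)
        rec = parse_whois(whois_query(server, query))
        for key, values in rec.items():
            merged.setdefault(key, []).extend(values)
        server = (first(rec, "whois") or first(rec, "Registrar WHOIS Server")
                  or first(rec, "Whois Server"))
        query = domain  # registries and registrars are asked about the domain
    return merged


def summarize(record: Record) -> Dict[str, object]:
    """The fields the slide highlights: registrar, name servers, dates, status."""
    return {
        "registrar": first(record, "Registrar"),
        "name_servers": sorted({ns.lower() for ns in record.get("name server", [])}),
        "created": first(record, "Creation Date"),
        "updated": first(record, "Updated Date"),
        "expires": first(record, "Expiration Date"),
        "status": record.get("status", []),
    }


# Constructed record, modelled on the registry output in the slide's figure.
SAMPLE_RECORD = """\
   Domain Name: JUGGYBOY.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/
   Name Server: NS19.WORLDNIC.COM
   Name Server: NS20.WORLDNIC.COM
   Status: clientTransferProhibited
   Updated Date: 03-feb-2009
   Creation Date: 16-jul-2002
   Expiration Date: 16-jul-2014

>>> Last update of whois database: Thu, 19 Jul 2012 07:49:36 UTC <<<
"""

if __name__ == "__main__":
    for field, value in summarize(parse_whois(SAMPLE_RECORD)).items():
        print(f"{field}: {value}")
```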
  • 100. WHOIS Lookup Result Analysis

[Screenshots: whois.domaintools.com record and centralops.net Domain Dossier for juggyboy.com, showing registrant, administrative and technical contacts, registrar (NETWORK SOLUTIONS, LLC.), name servers, status, created/updated/expiration dates, and DNS records]

http://whois.domaintools.com
http://centralops.net/co

A whois lookup can be performed using Whois services such as http://whois.domaintools.com or http://centralops.net/co. Here you can see the result analysis of a Whois lookup obtained with the two mentioned Whois services. Both these services allow you to perform a whois lookup by entering the target's domain or IP address. The domaintools.com service provides whois information such as registrant information, email, administrative contact information, created and expiry date, a list of domain servers, etc. The Domain Dossier available at http://centralops.net/co/ gives the address lookup, domain Whois record, network whois record, and DNS records information.

Module 02 Page 190
  • 101. [Screenshots (continued): whois.domaintools.com record and centralops.net Domain Dossier for juggyboy.com]

http://whois.domaintools.com
http://centralops.net/co

FIGURE 2.30: Whois services screenshots

Module 02 Page 191
  • 102. WHOIS Lookup Tool: SmartWhois

[Screenshot: SmartWhois (Evaluation Version) query window]

Source: http://www.tamos.com

SmartWhois is a useful network information utility that allows you to look up all the available information about an IP address, hostname, or domain, including country, state or province, city, name of the network provider, administrator, and technical support contact information. It also assists you in finding the owner of the domain, the owner's contact information, the owner of the IP address block, registered date of the domain, etc.

Module 02 Page 192
  • 103. [Screenshot: SmartWhois (Evaluation Version) showing a whois record for a queried domain, with registrant address and phone numbers, name servers, Created/Updated dates, and "Source: whois.nic.fr"]

FIGURE 2.31: SmartWhois screenshot

Module 02 Page 193
  • 104. WHOIS Lookup Tools

Similar to SmartWhois, there are numerous tools available in the market to retrieve Whois information. A few are mentioned as follows:

CountryWhois
Source: http://www.tamos.com

CountryWhois is a utility for identifying the geographic location of an IP address. CountryWhois can be used to analyze server logs, check email address headers, identify online credit card fraud, or in any other instance where you need to quickly and accurately determine the country of origin by IP address.

LanWhois
Source: http://lantricks.com

LanWhois provides information about domains and addresses on the Internet. This program helps you determine who, where, and when the domain or site you are interested in was registered, and the information about those who support it now. This tool allows you to save your search result in the form of an archive to view it later. You can print and save the search result in HTML format.

Module 02 Page 194
  • 105. Batch IP Converter
Source: http://www.networkmost.com

Batch IP Converter is a network tool to work with IP addresses. It combines Domain-to-IP Converter, Batch Ping, Tracert, Whois, Website Scanner, and Connection Monitor into a single interface, as well as an IP-to-Country Converter. It allows you to look up the IP address for a single domain name or a list of domain names, and vice versa.

CallerIP
Source: http://www.callerippro.com

CallerIP is basically IP and port monitoring software that displays the incoming and outgoing connections made to your computer. It also allows you to find the origin of all connecting IP addresses on the world map. The Whois reporting feature provides key information such as who an IP is registered to, along with contact email addresses and phone numbers.

Whois Lookup Multiple Addresses
Source: http://www.sobolsoft.com

This software offers a solution for users who want to look up ownership details for one or more IP addresses. Users can simply enter IP addresses or load them from a file. There are three options for lookup sites: whois.domaintools.com, whois-search.com, and whois.arin.net. The user can set a delay period between lookups to avoid lockouts from these websites. The resulting list shows the IP addresses and details of each. It also allows you to save results to a text file.

Whois Analyzer Pro
Source: http://www.whoisanalyzer.com

This tool allows you to access information about a registered domain worldwide; you can view the domain owner name, domain name, and contact details of the domain owner. It also helps in finding the location of a specific domain. You can also submit multiple queries with this tool simultaneously. This tool gives you the ability to print or save the result of the query in HTML format.

HotWhois
Source: http://www.tialsoft.com

HotWhois is an IP tracking tool that can reveal valuable information, such as country, state, city, address, contact phone numbers, and email addresses of an IP provider. The query mechanism resorts to a variety of Regional Internet Registries to obtain IP Whois information about an IP address. With HotWhois you can make whois queries even if the registrar supporting a particular domain doesn't have a whois server itself.

Module 02 Page 195
  • 106. Whois 2010 Pro
Source: http://lapshins.com

Whois 2010 PRO is network information software that allows you to look up all the available information about a domain name, including country, state or province, city, administrator, and technical support contact information.

ActiveWhois
Source: http://www.johnru.com

ActiveWhois is a network tool to find information about the owners of IP addresses or Internet domains. You can determine the country, personal and postal addresses of the owner, and/or users of IP addresses and domains.

WhoisThisDomain
Source: http://www.nirsoft.net

WhoisThisDomain is a domain registration lookup utility that allows you to get information about a registered domain. It automatically connects to the right WHOIS server and retrieves the WHOIS record of the domain. It supports both generic domains and country code domains.

Module 02 Page 196
  • 107. WHOIS Lookup Online Tools

In addition to the Whois lookup tools mentioned so far, a few online Whois lookup tools are listed as follows:
- SmartWhois, available at http://smartwhois.com
- Better Whois, available at http://www.betterwhois.com
- Whois Source, available at http://www.whois.sc
- Web Wiz, available at http://www.webwiz.co.uk/domain-tools/whois-lookup.htm
- Network-Tools.com, available at http://network-tools.com
- Whois, available at http://tools.whois.net
- DNSstuff, available at http://www.dnsstuff.com
- Network Solutions Whois, available at http://www.networksolutions.com
- WebToolHub, available at http://www.webtoolhub.com/tn561381-whois-lookup.aspx
- Ultra Tools, available at https://www.ultratools.com/whois/home

Module 02 Page 197
  • 108. Footprinting Methodology

Footprinting through Search Engines; Website Footprinting; Email Footprinting; Competitive Intelligence; Footprinting using Google; WHOIS Footprinting; DNS Footprinting; Network Footprinting; Footprinting through Social Engineering; Footprinting through Social Networking Sites

The next phase in the footprinting methodology is DNS footprinting. This section describes how to extract DNS information and the DNS interrogation tools.

Module 02 Page 198
  • 109. Extracting DNS Information

- Attackers can gather DNS information to determine key hosts in the network and can perform social engineering attacks
- DNS records provide important information about the location and type of servers

Record Type - Description
A - Points to a host's IP address
MX - Points to domain's mail server
NS - Points to host's name server
CNAME - Canonical naming allows aliases to a host
SOA - Indicates authority for domain
SRV - Service records
PTR - Maps IP address to a hostname
RP - Responsible person
HINFO - Host information record includes CPU type and OS
TXT - Unstructured text records

DNS Interrogation Tools: http://www.dnsstuff.com, http://network-tools.com

DNS footprinting allows you to obtain information about DNS zone data. This DNS zone data includes DNS domain names, computer names, IP addresses, and much more about a particular network. The attacker performs DNS footprinting on the target network in order to obtain information about its DNS. He or she then uses the gathered DNS information to determine key hosts in the network and then performs social engineering attacks to gather more information.

DNS footprinting can be performed using DNS interrogation tools such as www.DNSstuff.com. By using www.DNSstuff.com, it is possible to extract DNS information about IP addresses, mail server extensions, DNS lookups, Whois lookups, etc. If you want information about a target company, it is possible to extract its range of IP addresses utilizing the IP routing lookup of DNSstuff. If the target network allows unknown, unauthorized users to transfer DNS zone data, then it is easy for you to obtain the information about DNS with the help of the DNS interrogation tool.

Once you send the query using the DNS interrogation tool to the DNS server, the server will respond to you with a record structure that contains information about the target DNS. DNS records provide important information about the location and type of servers.

- A - Points to a host's IP address

Module 02 Page 199
  • 110.
- MX - Points to domain's mail server
- NS - Points to host's name server
- CNAME - Canonical naming allows aliases to a host
- SOA - Indicates authority for domain
- SRV - Service records
- PTR - Maps IP address to a hostname
- RP - Responsible person
- HINFO - Host information record includes CPU type and OS

A few more examples of DNS interrogation tools to send a DNS query include:
- http://www.dnsstuff.com
- http://network-tools.com

Module 02 Page 200
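To show what the interrogation tools above actually exchange on the wire, here is an added Python example (not from the courseware or from dnsqueries.com) that builds an RFC 1035 query, sends it over UDP, and decodes answer records of the types in the table, including compressed names. SAMPLE_RESPONSE is a constructed message, not a capture, and the resolver address 8.8.8.8 used by query() is an assumption.

```python
"""Minimal DNS client (RFC 1035 wire format over UDP): builds a query and
parses the record types the slide's table lists (A, NS, CNAME, SOA, PTR,
MX, TXT). Added example, not from the CEH courseware or dnsqueries.com.
query() sends real traffic to a resolver; parse_response() is demonstrated
offline on SAMPLE_RESPONSE, built here with the block's own encoder."""
import socket
import struct
from typing import Dict, List, Tuple

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16}
TYPE_NAMES = {v: k for k, v in TYPES.items()}


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (uncompressed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a name that may use 0xC0 compression pointers; return (name, end)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            end, jumped = (end if jumped else off + 2), True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Header with RD=1 and one question, then QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)


def parse_rdata(msg: bytes, rtype: int, off: int, rdlen: int):
    """Decode RDATA for the supported types; anything else comes back as hex."""
    if rtype == 1:  # A: four octets
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5, 12):  # NS, CNAME, PTR: a single domain name
        return decode_name(msg, off)[0]
    if rtype == 15:  # MX: preference, exchange name
        return (struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0])
    if rtype == 16:  # TXT: one or more length-prefixed strings
        texts, end = [], off + rdlen
        while off < end:
            texts.append(msg[off + 1:off + 1 + msg[off]].decode("latin-1"))
            off += 1 + msg[off]
        return "".join(texts)
    if rtype == 6:  # SOA: mname, rname, serial, refresh, retry, expire, minimum
        mname, off = decode_name(msg, off)
        rname, off = decode_name(msg, off)
        return (mname, rname) + struct.unpack("!IIIII", msg[off:off + 20])
    return msg[off:off + rdlen].hex()


def parse_response(msg: bytes) -> List[Dict]:
    """Answer-section records as {name, type, ttl, data}; raises on RCODE != 0."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype),
                        "ttl": ttl, "data": parse_rdata(msg, rtype, off, rdlen)})
        off += rdlen
    return records


def query(name: str, qtype: str, server: str = "8.8.8.8") -> List[Dict]:
    """Send one UDP query to a resolver (assumed address) and parse the reply."""
    pkt = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(pkt, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != pkt[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(resp)


def _rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata  # class IN


# Constructed response (not a capture): an MX query for example.com answered with
# MX, A and TXT records whose owner names are pointers (0xC00C) to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPES["MX"], 1)
    + _rr(b"\xc0\x0c", 15, 3600, struct.pack("!H", 10) + b"\x04mail\xc0\x0c")
    + _rr(b"\xc0\x0c", 1, 300, bytes([192, 0, 2, 1]))
    + _rr(b"\xc0\x0c", 16, 3381, b"\x0bv=spf1 -all")
)
```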
  • 111. Ethical Hacking and Countermeasures Footprinting and Reconnaissance Exam 312-50 Certified Ethical Hacker Extracting DNS Inform ation (Cont’d) This tool is very useful to perform a DNS query on any host. Each domain ^ Perform DNS query name (Example: dnsqueries.com ) is structured in hosts (ex: ueries, com) and the DNS (Domain Name System) allow to translate the domain name or the hostname in an IP Address 10 contact via the 1 3 *1 IP protocol. There are serveral types of queries, ( corresponding to all the Implemen table types of DNS records such as A record, MX. AAAA, CNAME and SOA. Q CEH (•rtifwtf | EthKJi ■UckM microsoft.com Results for checks on microsoft.com Host TTL Class lype Details microsoft.com J ! 3381 IN TXT microsoft.com 3381 IN TXT mlcrosoft.com ^ 3381 IN MX v-spf1 Include: spf-a.mlcrosoft.com Include:_spf-b.mfcrosoft.com 1nclude:_spf‫־‬c.mlcrosoft.com 1nclude:_spf-ssg• a.microsoft.com ip4:l31.107.115.215 Ip4:131.107.115.214 ip4:205.248.106.64 ip4:205.248.106.30 ip4:205.248.106.32 *all 10 (nall.messaglng.mlcrosort.com J ! 1 1 1ubuft.com 1 ic 3381 IN SOA ns1.msft.net mbnhbt.n1iaosoft.com 2012071602 3C0 600 2419200 3600 microsoft.com 3381 IN A 64.4.11.37 microsoft.com 3381 IN A 65.55.58.701 $ microsoft.com J ' 141531 IN NS ns5.msft.net microsoft.com 141531 IN NS ns2.msft.net microsoft.com ^ 141531 IN NS ns1.msft.net $ microsoft.com $ 141531 IN NS ns3.msft.net $ microsoft.com $ 141531 IN NS ns4.msft.net yj} J FbUF6DbkE*Aw1 /v/i9xgDi3KVrllZus5v8L6tblQZkGrQ‫׳‬rVQKJi8CjQbBtWt£64ey4NJJv/j5J65PlggVYNabdQ— http://www.dnsqueries. com Copyright © by EG-GtailCil. All Rights Reserved. Reproduction is Strictly Prohibited. Extracting DNS Inform ation (Cont’d) Source: http://www.dnsqueries.com Perform DNS query available at http://www.dnsqueries.com is a tool that allows you to perform a DNS query on any host. 
Each domain name (example: dnsqueries.com) is structured in hosts (example: www.dnsqueries.com), and the DNS (Domain Name System) allows anyone to translate the domain name or the hostname into an IP address so that the host can be contacted over the TCP/IP protocol. There are several types of queries, corresponding to all the implementable types of DNS records, such as A, MX, AAAA, CNAME, and SOA. Now let's see how the DNS interrogation tool retrieves information about the DNS. Go to the browser, type http://www.dnsqueries.com, and press Enter. The DNS query home page will be displayed in the browser. Enter the domain name of interest in the Perform DNS query HostName field (here we are entering Microsoft.com) and click the Run tool button; the DNS information for Microsoft.com will be displayed as shown in the following figure.
• 112. FIGURE 2.32: Screenshot showing DNS information for Microsoft.com (Perform DNS query with HostName microsoft.com and Type ANY; the result table lists Host, TTL, Class, Type and Details for the TXT, MX, SOA, A and NS records).
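The record types listed on slide 110 and the answers a tool such as Perform DNS query displays can be followed at the byte level with the following added example (Python; this is not code from the EC-Council material or from dnsqueries.com). It encodes a standard query and decodes a response in the RFC 1035 wire format, including name compression. The response is constructed inline for the documentation domain example.com and the record values in it are invented for the example, not captured from any name server.

```python
"""Build and decode DNS messages for the record types listed on slide 110.

Added example, not part of the course material or of dnsqueries.com: a
minimal RFC 1035 wire-format encoder and decoder.  SAMPLE_RESPONSE is
constructed inline (example.com, invented values), not captured anywhere.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "HINFO": 13,
         "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33, "ANY": 255}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """Standard query: 12-byte header (flags RD=1, QDCOUNT=1) plus one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[rtype], 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:            # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2            # the pointer is the last two bytes of this name
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_rdata(rtype, msg, off, rdlen):
    """Decode RDATA for the record types discussed on this page; others stay raw bytes."""
    if rtype == 1:                                       # A: four octets
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5, 12):                              # NS, CNAME, PTR: one domain name
        return decode_name(msg, off)[0]
    if rtype == 15:                                      # MX: 16-bit preference + exchange
        return struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0]
    if rtype == 16:                                      # TXT: one or more <length><chars>
        parts, p = [], off
        while p < off + rdlen:
            n = msg[p]
            parts.append(msg[p + 1:p + 1 + n].decode("ascii"))
            p += 1 + n
        return "".join(parts)
    if rtype == 6:                                       # SOA: mname, rname, five uint32 timers
        mname, p = decode_name(msg, off)
        rname, p = decode_name(msg, p)
        serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[p:p + 20])
        return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
                "retry": retry, "expire": expire, "minimum": minimum}
    return msg[off:off + rdlen]


def parse_response(msg):
    """Return ((qname, qtype), [(owner, type, ttl, rdata), ...]) for a response message."""
    _txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!HH", msg[off:off + 4])[0]
    off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, TYPE_NAME.get(rtype, rtype), ttl, parse_rdata(rtype, msg, off, rdlen)))
        off += rdlen
    return (qname, TYPE_NAME.get(qtype, qtype)), records


def rr(owner, rtype, ttl, rdata):
    """Encode one resource record (used only to construct the sample response)."""
    return encode_name(owner) + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata


# Constructed sample response to "example.com ANY": flags 0x8180 = response, RD, RA; 6 answers.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 6, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE["ANY"], 1)
    + rr("example.com", "A", 3600, bytes([192, 0, 2, 10]))
    + rr("example.com", "MX", 3600, struct.pack("!H", 10) + encode_name("mail.example.com"))
    + rr("example.com", "NS", 86400, encode_name("ns1.example.com"))
    + rr("example.com", "TXT", 300, bytes([len(b"v=spf1 -all")]) + b"v=spf1 -all")
    + rr("example.com", "SOA", 3600, encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
         + struct.pack("!IIIII", 2012071602, 300, 600, 2419200, 3600))
    + rr("www.example.com", "CNAME", 300, b"\xc0\x0c")   # pointer to "example.com" at offset 12
)
```

Calling parse_response(SAMPLE_RESPONSE) returns the six records in the same Host, TTL, Type, Details shape the web tool prints; build_query("example.com", "MX") is the 29-byte datagram a resolver would send over UDP port 53 to get the MX answer.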
• 113. DNS Interrogation Tools A few more well-known DNS interrogation tools are listed as follows: DIG available at http://www.kloth.net; myDNSTools available at http://www.mydnstools.info; Professional Toolset available at http://www.dnsstuff.com; DNS Records available at http://network-tools.com; DNSData View available at http://www.nirsoft.net; DNSWatch available at http://www.dnswatch.info; DomainTools Pro available at http://www.domaintools.com; DNS available at http://e-dns.org; DNS Lookup Tool available at http://www.webwiz.co.uk; DNS Query Utility available at http://www.webmaster-toolkit.com
• 114. Footprinting Methodology (Footprinting through Search Engines, WHOIS Footprinting, Website Footprinting, DNS Footprinting, Email Footprinting, Network Footprinting, Competitive Intelligence, Footprinting through Social Engineering, Footprinting through Social Networking Sites) The next step after retrieving the DNS information is to gather network-related information. So, now we will discuss network footprinting, a method of gathering network-related information. This section describes how to locate the network range, determine the operating system, Traceroute, and the Traceroute tools.
• 115. Locate the Network Range Network range information obtained assists an attacker to create a map of the target's network. Find the range of IP addresses using the ARIN whois database search tool. You can find the range of IP addresses and the subnet mask used by the target organization from the Regional Internet Registry (RIR). [The slide shows the Network Whois Record for 207.46.232.182, which is reproduced in full on the next page.] To perform network footprinting, you need to gather basic and important information about the target organization, such as what the organization does, who they work for, and what type of work they perform. The answers to these questions give you an idea about the internal structure of the target network. After gathering the aforementioned information, an attacker can proceed to find the network range of a target system.
He or she can get more detailed information from the appropriate regional registry database regarding IP allocation and the nature of the allocation. An attacker can also determine the subnet mask of the domain. He or she can also trace the route between the system and the target system. Two popular traceroute tools are NeoTrace and Visual Route. Obtaining private IP addresses can be useful for an attacker. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private Internets: 10.0.0.0-10.255.255.255 (10/8 prefix), 172.16.0.0-172.31.255.255 (172.16/12 prefix), and 192.168.0.0-192.168.255.255 (192.168/16 prefix). The network range gives you an idea about how the network is laid out and which machines in the network are alive, and it helps to identify the network topology, access control devices, and the OS
• 116. used in the target network. To find the network range of the target network, enter the server IP address (that was gathered in WHOIS footprinting) in the ARIN whois database search tool, or go to the ARIN website (https://www.arin.net/knowledge/rirs.html) and enter the server IP in the SEARCH Whois text box. You will get the network range of the target network. If the DNS servers are not set up correctly, the attacker has a good chance of obtaining a list of internal machines on the server. Also, sometimes if an attacker traces a route to a machine, he or she can get the internal IP address of the gateway, which might be useful.
Network Whois Record
Queried whois.arin.net with "n 207.46.232.182"...
NetRange:       207.46.0.0 - 207.46.255.255
CIDR:           207.46.0.0/16
OriginAS:
NetName:        MICROSOFT-GLOBAL-NET
NetHandle:      NET-207-46-0-0-1
Parent:         NET-207-0-0-0-0
NetType:        Direct Assignment
NameServer:     NS2.MSFT.NET
NameServer:     NS4.MSFT.NET
NameServer:     NS1.MSFT.NET
NameServer:     NS5.MSFT.NET
NameServer:     NS3.MSFT.NET
RegDate:        1997-03-31
Updated:        2004-12-09
Ref:            http://whois.arin.net/rest/net/NET-207-46-0-0-1
OrgName:        Microsoft Corp
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2009-11-10
Ref:            http://whois.arin.net/rest/org/MSFT
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@hotmail.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE231-ARIN
You need to use more than one tool to obtain network information, as sometimes a single tool is not capable of delivering the information you want.
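The whois record above, the CIDR-to-range expansion it implies, and the three IANA private blocks the text lists can be worked through with the following added example (Python; not code from the course or from ARIN). The record text is constructed from the fields shown on this page; the parser handles repeated keys such as NameServer, empty values such as OriginAS, and values that themselves contain a colon (the Ref URLs).

```python
"""Turn a network whois record into the facts network footprinting needs.

Added example, not part of the course text: parses the key/value layout
of an ARIN whois record, expands the CIDR into the NetRange, and checks
addresses against the three IANA private blocks (RFC 1918) listed above.
SAMPLE_WHOIS is constructed from the record printed on this page.
"""
import ipaddress

SAMPLE_WHOIS = """\
NetRange:       207.46.0.0 - 207.46.255.255
CIDR:           207.46.0.0/16
OriginAS:
NetName:        MICROSOFT-GLOBAL-NET
NetHandle:      NET-207-46-0-0-1
Parent:         NET-207-0-0-0-0
NetType:        Direct Assignment
NameServer:     NS2.MSFT.NET
NameServer:     NS4.MSFT.NET
NameServer:     NS1.MSFT.NET
RegDate:        1997-03-31
Updated:        2004-12-09
Ref:            http://whois.arin.net/rest/net/NET-207-46-0-0-1
OrgName:        Microsoft Corp
OrgAbuseEmail:  abuse@hotmail.com
"""

# The three private blocks reserved by IANA, as named in the text.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_whois(text):
    """Return a dict; repeated keys collect into a list, empty values become None."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")      # split on the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip() or None
        if key in rec:
            rec[key] = (rec[key] if isinstance(rec[key], list) else [rec[key]]) + [value]
        else:
            rec[key] = value
    return rec


def network_range(rec):
    """Expand the CIDR field and cross-check it against the stated NetRange."""
    net = ipaddress.ip_network(rec["CIDR"])
    first, last = net.network_address, net.broadcast_address
    return {"network": str(net), "first": str(first), "last": str(last),
            "mask": str(net.netmask), "hosts": net.num_addresses,
            "matches_netrange": rec.get("NetRange") == f"{first} - {last}"}


def in_range(rec, ip):
    """True if ip lies inside the allocation described by the record."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rec["CIDR"])


def is_private(ip):
    """True if ip falls in one of the IANA-reserved private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)
```

network_range(parse_whois(SAMPLE_WHOIS)) reports the /16 as 207.46.0.0 to 207.46.255.255 with mask 255.255.0.0 and 65536 addresses, which is what the NetRange line states; is_private is the check to apply to any address that shows up in a traceroute, since a private address in the path identifies an internal gateway rather than a registry-allocated host.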
• 117. Determine the Operating System Use the Netcraft tool to determine the OSes in use by the target organization. Source: http://news.netcraft.com So far we have collected information about IP addresses, network ranges, server names, etc. of the target network. Now it's time to find out the OS running on the target network. The technique of obtaining information about the target network OS is called OS fingerprinting. The Netcraft tool will help you find out the OS running on the target network. Let's see how Netcraft helps you determine the OS of the target network. Open the http://news.netcraft.com site in your browser and type the domain name of your target network in the What's that site running? field (here we are considering the domain name "Microsoft.com"). It displays all the sites associated with that domain along with the operating system running on each site.
• 118. FIGURE 2.33: Netcraft showing the operating system that is in use by Microsoft. The search "Results for microsoft" reports 252 sites found; for each site the table lists Site, Site Report, First seen, Netblock owner (Microsoft Corp) and OS (for example Windows Server 2008 running Microsoft-IIS/7.5, or Citrix NetScaler).
• 119. Determine the Operating System (Cont'd) SHODAN Search Engine Source: http://www.shodanhq.com Use the SHODAN search engine, which lets you find specific computers (routers, servers, etc.) using a variety of filters. FIGURE 2.34: SHODAN Search Engine screenshot. The home page advertises exposing online devices (webcams, routers, power plants, iPhones, wind turbines, refrigerators, VoIP phones), lists popular search queries, and offers a developer API for Python, Perl and Ruby.
• 120. FIGURE 2.35: SHODAN screenshot of search results. The left pane lists services (HTTP, HTTP Alternate, FTP, SNMP, UPnP), top countries (United States, China, United Kingdom, Germany, Canada), top cities and top organizations with hit counts; the right pane shows, for each matching host, its IP address, detected OS (for example Windows XP), owning organization and the raw HTTP response banner, including headers such as Server: Microsoft-IIS/6.0, Server: Microsoft-IIS/7.5 and X-Powered-By: ASP.NET.
• 121. Traceroute Traceroute programs work on the concept of the ICMP protocol and use the TTL field in the header of ICMP packets to discover the routers on the path to a target host. [Diagram: IP Source -> Router Hop -> Router Hop -> Router Hop -> Destination Host, with an ICMP Echo request sent with TTL = 1.] Finding the route to the target host is necessary to test against man-in-the-middle attacks and other related attacks. Therefore, you need to find the route to the target host in the network. This can be accomplished with the help of the Traceroute utility provided with most operating systems. It allows you to trace the path or route through which packets to the target host travel in the network. Traceroute uses the ICMP protocol concept and the TTL (Time to Live) field of the IP header to find the path to the target host in the network. The Traceroute utility can detail the path IP packets travel between two systems. It can trace the number of routers the packets travel through, the round-trip time in transiting between two routers, and, if the routers have DNS entries, the names of the routers and their network affiliation, as well as the geographic location. It works by exploiting a feature of the Internet Protocol called Time To Live (TTL). The TTL field is interpreted to indicate the maximum number of routers a packet may transit. Each router that handles a packet decrements the TTL count field by one. When the count reaches zero, the packet is discarded and an error message is transmitted to the originator of the packet.
• 122. It sends out a packet destined for the specified destination, with the TTL field in the packet set to one. The first router in the path receives the packet, decrements the TTL value by one, and if the resulting TTL value is 0, it discards the packet and sends a message back to the originating host to inform it that the packet has been discarded. Traceroute records the IP address and DNS name of that router, and sends out another packet with a TTL value of two. This packet makes it through the first router, then times out at the next router in the path. This second router also sends an error message back to the originating host. Traceroute continues to do this, and records the IP address and name of each router, until a packet finally reaches the target host or until it decides that the host is unreachable. In the process, it records the time it took for each packet to travel round trip to each router. Finally, when it reaches the destination, the normal ICMP ping response is sent to the sender. Thus, this utility helps to reveal the IP addresses of the intermediate hops in the route to the target host from the source. FIGURE 2.36: Working of the Traceroute program. IP Source -> Router Hop -> Router Hop -> Router Hop -> Destination Host: the ICMP Echo request with TTL = 1 draws an ICMP error message from the first router; each following Echo request, with a TTL one higher, draws an ICMP error message from the next router in turn, until the Echo request reaches the destination host and an ICMP Echo Reply is returned. How to use the tracert command: Go to the command prompt and type the tracert command along with the destination IP address or domain name as follows:
C:\>tracert 216.239.36.10
Tracing route to ns3.google.com [216.239.36.10]
over a maximum of 30 hops:
  1  1262 ms   186 ms   124 ms  195.229.252.10
  2  2796 ms  3061 ms  3436 ms  195.229.252.130
  3   155 ms   217 ms   155 ms  195.229.252.114
  4  2171 ms  1405 ms  1530 ms  194.170.2.57
  5  2685 ms  1280 ms   655 ms  dxb-emix-ra.ge6303.emix.ae [195.229.31.99]
  6   202 ms   530 ms   999 ms  dxb-emix-rb.so100.emix.ae [195.229.0.230]
  7   609 ms  1124 ms  1748 ms  iar1-so-3-2-0.Thamesside.cw.net [166.63.214.65]
• 123.
  8  1622 ms  2061 ms   968 ms  eqixva-google-gige.google.com [206.223.115.21]
  9  2377 ms  2498 ms   593 ms  216.239.48.193
 10  3546 ms  3686 ms  3030 ms  216.239.48.89
 11  1806 ms  1529 ms   812 ms  216.33.98.154
 12  1108 ms  1683 ms  2062 ms  ns3.google.com [216.239.36.10]
Trace complete.
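Reading a tracert listing by hand works for one run, but a review of many runs needs the output in structured form. The following added example (Python; not code from the course or from Microsoft) parses the Windows tracert format used above, including the "<1 ms" and "*" probe forms and "Request timed out." hops, and summarizes each trace. The sample listing is constructed in the layout of the run above, using addresses from the page but shortened, with a timed-out hop added to show how silent hops are handled.

```python
"""Parse Windows tracert output into structured hops and summarise the path.

Added example, not part of the course text.  SAMPLE_TRACERT is constructed
in the layout of the run shown above (addresses from the page, shortened,
plus a timed-out hop); it is not a new capture.
"""
import re

SAMPLE_TRACERT = """\
Tracing route to ns3.google.com [216.239.36.10]
over a maximum of 30 hops:

  1  1262 ms   186 ms   124 ms  195.229.252.10
  2  2796 ms  3061 ms  3436 ms  195.229.252.130
  3     *        *        *     Request timed out.
  4  2171 ms  1405 ms  1530 ms  194.170.2.57
  5  2685 ms  1280 ms   655 ms  dxb-emix-ra.ge6303.emix.ae [195.229.31.99]
  6   609 ms  1124 ms  1748 ms  iar1-so-3-2-0.Thamesside.cw.net [166.63.214.65]
  7  1108 ms  1683 ms  2062 ms  ns3.google.com [216.239.36.10]

Trace complete.
"""

HEADER_RE = re.compile(r"Tracing route to (\S+) \[([\d.]+)\]")
PROBE = r"(?:(<?\d+)\s*ms|\*)"            # one probe column: '123 ms', '<1 ms' or '*'
HOP_RE = re.compile(r"^\s*(\d+)\s+" + PROBE + r"\s+" + PROBE + r"\s+" + PROBE + r"\s+(.*?)\s*$")
TARGET_RE = re.compile(r"^(?:(\S+)\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")   # 'name [ip]' or 'ip'


def parse_tracert(text):
    """Return (destination ip, [hop dicts]); each hop has hop, rtts, name, ip, timed_out."""
    dest = HEADER_RE.search(text)
    dest_ip = dest.group(2) if dest else None
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                           # banner, blank and 'Trace complete.' lines
        # '<1 ms' is recorded as 1; a '*' probe (no reply) is recorded as None
        rtts = [int(g.lstrip("<")) if g is not None else None for g in m.group(2, 3, 4)]
        t = TARGET_RE.match(m.group(5))
        hops.append({"hop": int(m.group(1)), "rtts": rtts,
                     "name": t.group(1) if t else None, "ip": t.group(2) if t else None,
                     "timed_out": all(r is None for r in rtts)})
    return dest_ip, hops


def summarize(text):
    """Path length, silent hops, the slowest responding hop and whether the target was reached."""
    dest_ip, hops = parse_tracert(text)
    avg = {}
    for h in hops:
        replies = [r for r in h["rtts"] if r is not None]
        if replies:
            avg[h["hop"]] = sum(replies) / len(replies)
    slowest = max(avg, key=avg.get)
    return {"destination": dest_ip, "hops": len(hops),
            "timed_out": [h["hop"] for h in hops if h["timed_out"]],
            "slowest": (slowest, round(avg[slowest], 1)),
            "reached": bool(hops) and hops[-1]["ip"] == dest_ip}
```

A hop that answers none of its three probes (hop 3 in the sample) is the signature of a device that drops or rate-limits ICMP time-exceeded messages, typically a firewall; the summary lists such hops separately so that they are not mistaken for a broken path when the destination was in fact reached.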
• 124. Traceroute Analysis Attackers conduct traceroute to extract information about network topology, trusted routers, and firewall locations. For example, after running several traceroutes, an attacker might obtain the following information: traceroute 1.10.20.10, third to last hop is 1.10.10.1; traceroute 1.10.20.10, second to last hop is 1.10.10.50; traceroute 1.10.20.15, third to last hop is 1.10.10.1; traceroute 1.10.10.20, second to last hop is 1.10.10.1; traceroute 1.10.20.15, second to last hop is 1.10.10.50. By putting this information together, attackers can draw the network diagram. [Diagram: Hacker; 1.10.10.20 Bastion Host; 1.10.20.10 Web Server; 1.10.20.50 Firewall; Mail Server.] We have seen how the Traceroute utility helps you find out the IP addresses of intermediate devices such as routers, firewalls, etc. present between the source and the destination. You can draw the network topology diagram by analyzing the Traceroute results. After running several traceroutes, you will be able to find out the location of a particular hop in the target network. Let's consider the following traceroute results: traceroute 1.10.10.20, second to last hop is 1.10.10.1; traceroute 1.10.20.10, third to last hop is 1.10.10.1; traceroute 1.10.20.10, second to last hop is 1.10.10.50; traceroute 1.10.20.15, third to last hop is 1.10.10.1; traceroute 1.10.20.15, second to last hop is 1.10.10.50. By analyzing these results, an attacker can draw the network diagram of the target network as follows:
• 125. FIGURE 2.37: Diagrammatical representation of the target network. Hacker -> Internet -> 1.10.10.1 (Router) -> 1.10.10.50 (Firewall) -> DMZ zone containing 1.10.20.10 (Web Server) and 1.10.20.15 (Mail Server); a second firewall, 1.10.20.50, is also shown.
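The step from the five traceroute observations to Figure 2.37 can be automated: each hop's parent is the hop before it, so several traces combine into a tree whose branch points are the routers and firewalls. The following added example (Python; not code from the course) does that and renders the tree. The three traces are constructed from the hops the slide reports; the two hops before 1.10.10.1 are placeholder addresses from the documentation ranges standing in for the path through the tester's own ISP. A defender can run the same analysis against their own perimeter from outside to see how much of the internal layout traceroute gives away.

```python
"""Combine several traceroute results into a network diagram.

Added example, not from the course text.  TRACES is constructed from the
hops reported on slide 124; the hops before 1.10.10.1 are placeholders
(documentation addresses) for the path through the tester's own ISP.
"""
from collections import defaultdict

# destination -> ordered hop list, last entry being the destination itself
TRACES = {
    "1.10.10.20": ["198.51.100.1", "203.0.113.9", "1.10.10.1", "1.10.10.20"],
    "1.10.20.10": ["198.51.100.1", "203.0.113.9", "1.10.10.1", "1.10.10.50", "1.10.20.10"],
    "1.10.20.15": ["198.51.100.1", "203.0.113.9", "1.10.10.1", "1.10.10.50", "1.10.20.15"],
}


def build_tree(traces):
    """Each hop's parent is the hop before it; return (root, {parent: set(children)})."""
    children = defaultdict(set)
    roots = set()
    for path in traces.values():
        roots.add(path[0])
        for parent, child in zip(path, path[1:]):
            children[parent].add(child)
    if len(roots) != 1:
        raise ValueError("traces must share a first hop: %s" % sorted(roots))
    return roots.pop(), dict(children)


def hosts_behind(children, node):
    """All leaf hosts reachable below node (node itself if it is a leaf)."""
    if node not in children:
        return {node}
    return set().union(*(hosts_behind(children, c) for c in children[node]))


def last_hops(traces):
    """Second-to-last hop of each trace, grouped: the device directly in front of each target."""
    grouped = defaultdict(set)
    for target, path in traces.items():
        grouped[path[-2]].add(target)
    return dict(grouped)


def infer_gateways(traces):
    """Intermediate hops with a target directly behind them and more than one target below them."""
    _root, children = build_tree(traces)
    targets = set(traces)
    result = {}
    for node, kids in children.items():
        behind = hosts_behind(children, node) & targets
        if node not in targets and len(behind) > 1 and any(k in targets for k in kids):
            result[node] = behind
    return result


def render(traces):
    """Indented text tree of the combined paths, children in address order."""
    root, children = build_tree(traces)
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + node)
        for child in sorted(children.get(node, ())):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)
```

For the sample traces, last_hops reports 1.10.10.1 in front of the bastion host and 1.10.10.50 in front of both DMZ servers, and infer_gateways singles out those same two addresses as the router and firewall positions drawn in Figure 2.37; render prints the tree with 1.10.10.50 as a branch under 1.10.10.1 carrying the web and mail servers.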
• 126. Path Analyzer Pro and VisualRoute 2010 are two tools similar to Traceroute, intended to trace the route to the target host in a network. Path Analyzer Pro Source: http://www.pathanalyzer.com Path Analyzer Pro is a graphical-user-interface-based trace routing tool that shows you the route from source to destination graphically. It also provides information such as the hop number, its IP address, hostname, ASN, network name, % loss, latency, average latency, and standard deviation for each hop in the path. You can also map the location of the IP address in the network with this tool. It allows you to detect filters, stateful firewalls, and other anomalies in the network automatically.
• 127. VisualRoute 2010 Source: http://www.visualroute.com This is another graphical tracing tool that displays a hop-by-hop analysis. It enables you to identify the geographical location of the routers, servers, and other IP devices. It is able to provide the tracing information in three forms: as an overall analysis, in a data table, and as a geographical view of the routing. The data table contains information such as hop number, IP address, node name, geographical location, etc. for each hop in the route. Features: hop-by-hop traceroutes; reverse tracing; historical analysis; packet loss reporting; reverse DNS; ping plotting; port probing; Firefox and IE plugin.
• 128. FIGURE 2.39: VisualRoute 2010 screenshot (Business Edition trial) of a trace to www.microsoft.com (65.55.57.80), located in Redmond, WA, USA, network Microsoft Corp. The analysis pane reports a firewall that does not respond to pings but is open to HTTP requests on port 80, a server running Microsoft-IIS/7.5, a route length of at least 17 hops with four hops having alternate routes, hops responding on average within 122 ms, and packet loss on the hops after hop 10.
• 129. Traceroute Tools (Cont'd) A few more traceroute tools similar to Path Analyzer Pro and VisualRoute 2010 are listed as follows: Network Pinger available at http://www.networkpinger.com; GEOSpider available at http://www.oreware.com; vTrace available at http://vtrace.pl; Trout available at http://www.mcafee.com; Roadkil's Trace Route available at http://www.roadkil.net; Magic NetTrace available at http://www.tialsoft.com; 3D Traceroute available at http://www.d3tr.de; AnalogX HyperTrace available at http://www.analogx.com; Network Systems Traceroute available at http://www.net.princeton.edu; Ping Plotter available at http://www.pingplotter.com
• 130. Footprinting Methodology (Footprinting through Search Engines, WHOIS Footprinting, Website Footprinting, DNS Footprinting, Email Footprinting, Network Footprinting, Competitive Intelligence, Footprinting through Social Engineering, Footprinting using Google, Footprinting through Social Networking Sites) So far we have discussed various techniques of gathering information, either with the help of online resources or with tools. Now we will discuss footprinting through social engineering, the art of grabbing information from people by manipulating them. This section covers the social engineering concept and the techniques used to gather information.
• 131. Footprinting through Social Engineering Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it. Social engineers attempt to gather: credit card details and social security numbers; user names and passwords; security products in use; operating systems and software versions; network layout information; IP addresses and names of servers; other personal information. Social engineers use these techniques: eavesdropping; shoulder surfing; dumpster diving; impersonation on social networking sites. Social engineering is a totally non-technical process in which an attacker tricks a person and obtains confidential information about the target in such a way that the target is unaware that someone is stealing his or her confidential information. The attacker plays a cunning game with the target to obtain confidential information, taking advantage of people's helpful nature and their weakness for providing confidential information. To perform social engineering, you first need to gain the confidence of an authorized user and then trick him or her into revealing confidential information. The basic goal of social engineering is to obtain the required confidential information and then use that information for hacking attempts such as gaining unauthorized access to the system, identity theft, industrial espionage, network intrusion, committing fraud, etc.
The information obtained through social engineering may include credit card details, social security numbers, usernames and passwords, other personal information, operating systems and software versions, IP addresses, names of servers, network layout information, and much more. Social engineers use this information to hack a system or to commit fraud. Social engineering can be performed in many ways, such as eavesdropping, shoulder surfing, dumpster diving, impersonation on social networking sites, and so on.
  • 132. Collect Information Using Eavesdropping, Shoulder Surfing, and Dumpster Diving

Eavesdropping: unauthorized listening to conversations or reading of messages. It is the interception of any form of communication, such as audio, video, or written. Attackers gather information such as passwords, personal identification numbers, account numbers, credit card information, etc.

Shoulder Surfing: the procedure where the attacker looks over the user's shoulder to gain critical information.

Dumpster Diving: looking for treasure in someone else's trash. It involves the collection of phone bills, contact information, financial information, operations-related information, etc. from the target company's trash bins, printer trash bins, sticky notes on users' desks, etc.

Collect Information Using Eavesdropping, Shoulder Surfing, and Dumpster Diving

As mentioned previously, eavesdropping, shoulder surfing, and dumpster diving are the three techniques used to collect information from people through social engineering. Let's discuss these social engineering techniques to understand how they can be performed to obtain confidential information.

Eavesdropping

Eavesdropping is the act of secretly listening to the conversations of people over a phone or videoconference without their consent. It also includes reading secret messages from communication media such as instant messaging or fax transmissions. Thus, it is basically the act of intercepting communication without the consent of the communicating parties. The attacker gains confidential information by tapping the phone conversation and intercepting audio, video, or written communication.

Shoulder Surfing

With this technique, an attacker stands behind the victim and secretly observes the victim's activities on the computer, such as keystrokes while entering usernames, passwords, etc.

  • 133. This technique is commonly used to gain passwords, PINs, security codes, account numbers, credit card information, and similar data. It can be performed in a crowded place, as it is relatively easy to stand behind the victim without his or her knowledge.

Dumpster Diving

This technique is also known as trashing, where the attacker looks for information in the target company's dumpster. The attacker may gain vital information such as phone bills, contact information, financial information, operations-related information, printouts of source code, printouts of sensitive information, etc. from the target company's trash bins, printer trash bins, sticky notes at users' desks, etc. The obtained information can help the attacker to carry out attacks.
  • 134. Footprinting Methodology

Though footprinting through social networking sites sounds similar to footprinting through social engineering, there are some differences between the two methods. In footprinting through social engineering, the attacker tricks people into revealing information, whereas in footprinting through social networking sites, the attacker gathers information that is already available on those sites. Attackers can even use social networking sites as a medium to perform social engineering attacks. This section explains how, and what, information can be collected from social networking sites by means of social engineering.
  • 135. Collect Information through Social Engineering on Social Networking Sites

Attackers gather sensitive information through social engineering on social networking websites such as Facebook, MySpace, LinkedIn, Twitter, Pinterest, Google+, etc. Attackers create a fake profile on social networking sites and then use the false identity to lure employees into giving up their sensitive information. Employees may post personal information such as date of birth, educational and employment backgrounds, spouses' names, etc., and information about their company such as potential clients and business partners, trade secrets of the business, websites, the company's upcoming news, mergers, acquisitions, etc. Using the details of an employee of the target organization, an attacker can compromise a secured facility.

Collect Information through Social Engineering on Social Networking Sites

Social networking sites are online services, platforms, or sites that allow people to connect with each other and build social relations. The use of social networking sites is increasing rapidly. Examples of social networking sites include Facebook, MySpace, LinkedIn, Twitter, Pinterest, Google+, and so on. Each social networking site has its own purpose and features: one site may be intended to connect friends, family, etc., and another to share professional profiles. These social networking sites are open to everyone. Attackers may take advantage of this to grab sensitive information from users, either by browsing through users' public profiles or by creating a fake profile and tricking users into believing that it belongs to a genuine user.

These sites allow people to stay connected with others, maintain professional profiles, and share information. On social networking sites, people may post information such as date of birth, educational information, employment background, spouse's name, etc., and companies may post information such as potential partners, websites, and upcoming news about the company. For an attacker, these social networking sites can be great sources of information about the target person or company. These sites only help an attacker collect the information uploaded by the person or the company. Attackers can easily access the public pages of these accounts on the sites.

  • 136. To obtain more information about the target, attackers may create a fake account and use social engineering to lure the victim into revealing more. For example, the attacker can send a friend request to the target person from the fake account; if the victim accepts the request, the attacker can then access even the restricted pages of the target person on that website. Thus, social networking sites prove to be a valuable information resource for attackers.
  • 137. Information Available on Social Networking Sites

What Users Do: maintain profile; connect to friends, chatting; share photos and videos; play games, join groups; create events.
What Attacker Gets: contact info, location, etc.; friends list, friends' info, etc.; identity of family members.
What Organizations Do: user surveys; promote products; user support; recruitment; background check to hire employees.
What Attacker Gets: business strategies; product profile; social engineering; platform/technology information; type of business.

Information Available on Social Networking Sites

So far, we have discussed how an attacker can grab information from social networking sites; now we will discuss what information an attacker can get from them. People usually maintain profiles on social networking sites in order to provide basic information about themselves and to get connected with others. The profile generally contains information such as name, contact information (mobile number, email ID), friends' information, information about family members, interests, activities, etc. People usually connect to friends and chat with them; attackers can gather sensitive information through these chats. Social networking sites also allow people to share photos and videos with their friends. If people don't set the privacy settings on their albums, attackers can see the pictures and videos shared by the victim. Users may join groups to play games or to share their views and interests. Attackers can learn a victim's interests by tracking their groups and can then trap the victim into revealing more information.

Users may create events to notify other users of the group about upcoming occasions. From these events, attackers can learn the victim's activities.

Like individuals, organizations also use social networking sites to connect with people, promote their products, gather feedback about their products or services, etc. The

  • 138. activities of an organization on social networking sites and the respective information that an attacker can grab are as follows:

What Organizations Do -> What Attacker Gets
User surveys -> Business strategies
Promote products -> Product profile
User support -> Social engineering
Background check to hire employees -> Type of business

TABLE 2.1: What Organizations Do and What Attacker Gets
  • 139. Collecting Facebook Information

Facebook is a treasure trove for attackers. [Slide figure: number of users using Facebook all over the world, by region; the regional counts are not legible in the transcript.] 845 million monthly active users; 100 billion connections; 250 million photos uploaded daily; 1 of every 5 of all page views.

Collecting Facebook Information

Facebook is one of the world's largest social networking sites, with more than 845 million monthly active users all over the world. It allows people to create a personal profile, add friends, exchange instant messages, create or join various groups or communities, and much more. An attacker can grab all the information provided by the victim on Facebook. To grab information from Facebook, the attacker should have an active account. The attacker should log in to his or her account and search for either the target person's or the organization's profile. Browsing the target person's profile may reveal a lot of useful information such as phone number, email ID, friend information, educational details, professional details, interests, photos, and much more. The attacker can use this information to plan further attacks, such as social engineering, to reveal more information about the target.

  • 140. FIGURE 2.40: Facebook screenshot
  • 141. Collecting Twitter Information

465 million accounts; 350 million tweets a day; 76% of Twitter users now post status updates; 55% of Twitter users access the platform via their mobile.

Collecting Twitter Information

Twitter is another popular social networking site used by people to send and read short text-based messages. It allows you to follow your friends, experts, favorite celebrities, etc. This site can also be a great source for an attacker to get information about the target person. It helps in extracting information such as personal information, friend information, the target's activities posted as tweets, whom the target is following, the target's followers, photos uploaded, etc. The attacker may get meaningful information from the target user's tweets.

  • 142. FIGURE 2.41: Twitter showing user's tweets
  • 143. Collecting LinkedIn Information

2 new members join every second; 2,447 employees located around the world; $522 million revenue for 2011; 2 million companies have LinkedIn company pages.

Collecting LinkedIn Information

Similar to Facebook and Twitter, LinkedIn is another social networking site, aimed at professionals. It allows people to create and manage their professional profile and identity, and to build and engage with their professional network. Hence, it can be a great information resource for the attacker. The attacker may get information such as current employment details, past employment details, education details, contact details, and much more about the target person. The attacker can collect all this information through the footprinting process.

  • 144. FIGURE 2.42: LinkedIn showing user's professional profile and identity
  • 145. Collecting YouTube Information

3rd most visited website according to Alexa; 829,440 videos uploaded; 900 sec average time users spend on YouTube every day.

Collecting YouTube Information

YouTube is a website that allows you to upload, view, and share videos all over the world. The attacker can search for videos related to the target and may collect information from them.

FIGURE 2.43: YouTube showing videos related to target
  • 146. Tracking Users on Social Networking Sites

Users may use fake identities on social networking sites. Attackers use tools such as Get Someones IP or IP-GRABBER to track users' real identity. Steps to get someone's IP address through chat on Facebook using the Get Someones IP tool: go to http://www.myiptest.com/staticpages/index.php/how-about-you. Three fields exist: Link for Person (copy the generated link of this field and send it to the target via chat to get the IP address); Redirect URL (enter any URL you want); Link for you (open the URL in this field and keep checking for the target's IP). http://www.myiptest.com

Tracking Users on Social Networking Sites

In order to protect themselves from Internet fraud and attacks, people with little knowledge about Internet crimes may use fake identities on social networking sites. In such cases, you will not get exact information about the target user. So, to determine the real identity of the target user, you can use tools such as Get Someone's IP or IP-GRABBER to track users' real identities. If you want to trace the identity of a particular user, then do the following:

• Open your web browser, paste the URL, and press Enter: http://www.myiptest.com/staticpages/index.php/how-about-you
• Notice the three fields at the bottom of the web page, namely Link for person, Redirect URL: http://, and Link for you.
• To get the real IP address of the target, copy the generated link of the Link for person field and send it to the target via chat.
• Enter any URL you want the target to be redirected to in the Redirect URL: http:// field.
• Open the URL present in the Link for you field in another window to monitor the target's IP address details and additional details.

  • 147. FIGURE 2.44: Tracing the identity of a user (fields Link for person, Redirect URL, Link for you; result columns Link ID, IP, Proxy, Refer, Date/Time)
  • 148. Module Flow

Footprinting Concepts, Footprinting Threats, Footprinting Methodology, Footprinting Tools, Footprinting Countermeasures, Footprinting Penetration Testing

Module Flow

Footprinting can be performed with the help of tools. Many organizations offer tools that make information gathering an easy job. These tools ensure the maximum This section describes tools intended for grabbing information from various sources.
  • 149. Footprinting Tool: Maltego

Source: http://paterva.com

Maltego is an open source intelligence and forensics application. It can be used for the information gathering phase of all security-related work. Maltego is a platform developed to deliver a clear threat picture of the environment that an organization owns and operates. It can be used to determine the relationships and real-world links between people, social networks, companies, organizations, websites, Internet infrastructure (domains, DNS names, netblocks, IP addresses), phrases, affiliations, documents, and files.

FIGURE 2.45: Maltego showing Internet Domain and personal information
  • 150. Footprinting Tool: Domain Name Analyzer Pro

Source: http://www.domainpunch.com

Domain Name Analyzer Professional is Windows software for finding, managing, and maintaining multiple domain names. It supports the display of additional data (expiry and creation dates, name server information), tagging domains, and secondary whois lookups (for thin-model whois TLDs like COM, NET, and TV). The following is a screenshot of the Domain Name Analyzer Pro tool showing domain name information:

  • 151. FIGURE 2.46: Domain Name Analyzer Pro software showing Domain Name Information
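The secondary whois lookup mentioned above, shown as an added example rather than courseware or Domain Name Analyzer code: for a thin-model TLD the registry's answer carries dates, name servers and a registrar referral, so the response is parsed for that referral and a second query is sent to the registrar. The sample registry response and the .tv server name are constructed assumptions; whois.verisign-grs.com is the real .com/.net registry server.

```python
"""Thin-model WHOIS: query the registry, then follow its registrar referral.

Added example, not code from the CEH courseware or the Domain Name Analyzer
product. For thin-model TLDs the registry answer holds only registration
dates, name servers and a 'Registrar WHOIS Server' referral; the registrant
details need a second lookup against that referral server.
"""
import re
import socket

# Registry WHOIS servers. The .com/.net entry is Verisign's real server; the
# .tv entry is an assumption used for illustration only.
REGISTRY_WHOIS = {
    "com": "whois.verisign-grs.com",
    "net": "whois.verisign-grs.com",
    "tv": "whois.nic.tv",  # assumption
}

# Constructed sample of a thin-model registry response (not a real record).
SAMPLE_REGISTRY_RESPONSE = """\
   Domain Name: EXAMPLE-TARGET.COM
   Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar URL: http://www.example-registrar.test
   Updated Date: 2012-05-01T09:30:00Z
   Creation Date: 2005-03-14T04:00:00Z
   Registry Expiry Date: 2013-03-14T04:00:00Z
   Registrar: Example Registrar, Inc.
   Name Server: NS1.EXAMPLE-TARGET.COM
   Name Server: NS2.EXAMPLE-TARGET.COM
   DNSSEC: unsigned
>>> Last update of whois database: 2012-08-06T13:04:44Z <<<
"""

# 'Key: value' lines; the lazy key match stops at the first colon, so values
# that themselves contain colons (URLs, timestamps) survive intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.*?)\s*$")


def parse_whois_fields(text):
    """Return a dict of WHOIS fields; keys that repeat (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def summarize_thin_record(record):
    """Pull out the data a thin-model registry actually publishes."""
    name_servers = record.get("Name Server", [])
    if isinstance(name_servers, str):
        name_servers = [name_servers]
    return {
        "registrar": record.get("Registrar"),
        "created": record.get("Creation Date"),
        "expires": record.get("Registry Expiry Date"),
        "name_servers": [ns.lower() for ns in name_servers],
        "referral": record.get("Registrar WHOIS Server"),
    }


def whois_query(server, query, timeout=10):
    """Raw RFC 3912 WHOIS: TCP port 43, one query line, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def thin_whois_lookup(domain):
    """Registry lookup first, then the secondary lookup at the referral server."""
    tld = domain.rsplit(".", 1)[-1].lower()
    if tld not in REGISTRY_WHOIS:
        raise ValueError("no thin-model registry server configured for ." + tld)
    # Verisign's server takes a 'domain ' prefix so only the domain record is returned.
    registry_text = whois_query(REGISTRY_WHOIS[tld], "domain " + domain)
    result = {"registry": summarize_thin_record(parse_whois_fields(registry_text))}
    referral = result["registry"]["referral"]
    if referral:
        # The registrar's record is where registrant and contact details live.
        result["registrar_raw"] = whois_query(referral, domain)
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(summarize_thin_record(parse_whois_fields(SAMPLE_REGISTRY_RESPONSE)))
```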
  • 152. Footprinting Tool: Web Data Extractor

Extract targeted company contact data (email, phone, fax) from the web for responsible B2B communication. Extract URL and meta tag data (title, description, keywords) for website promotion, search directory creation, and web research.

Footprinting Tool: Web Data Extractor

Source: http://www.webextractor.com

Web Data Extractor is a data extraction tool. It extracts targeted company contact data (email, phone, and fax) from the web, and extracts the URL and meta tags (title, description, keywords) for website promotion, search directory creation, etc. The following is a screenshot of Web Data Extractor showing meta tags:

  • 153. FIGURE 2.47: Web Data Extractor showing meta tags
  • 154. Additional Footprinting Tools

In addition to the footprinting tools mentioned previously, a few more tools are listed as follows:

- Prefix WhoIs available at http://pwhois.org
- NetScanTools Pro available at http://www.netscantools.com
- Tctrace available at http://www.phenoelit-us.org
- Autonomous System Scanner (ASS) available at http://www.phenoelit-us.org
- DNS DIGGER available at http://www.dnsdigger.com
- Netmask available at http://www.phenoelit-us.org
- Binging available at http://www.blueinfy.com
- Spiderzilla available at http://spiderzilla.mozdev.org
- Sam Spade available at http://www.majorgeeks.com
- Robtex available at http://www.robtex.com

Module 02 Page 244
  • 155. Additional Footprinting Tools (Cont'd)

Additional footprinting tools that are helpful in gathering information about the target person or organization are listed as follows:

- Dig Web Interface available at http://www.digwebinterface.com
- Domain Research Tool available at http://www.domainresearchtool.com
- ActiveWhois available at http://www.johnru.com
- yoName available at http://yoname.com
- Ping-Probe available at http://www.ping-probe.com
- SpiderFoot available at http://www.binarypool.com
- CallerIP available at http://www.callerippro.com
- Zaba Search available at http://www.zabasearch.com
- GeoTrace available at http://www.nabber.org
- DomainHostingView available at http://www.nirsoft.net

Module 02 Page 245
  • 156. Module Flow

So far we have discussed the importance of footprinting, the various ways in which footprinting can be performed, and the tools that can be used for footprinting. Now we will discuss the countermeasures to be applied in order to avoid sensitive information disclosure.

Footprinting Concepts | Footprinting Threats | Footprinting Methodology | Footprinting Tools | Footprinting Countermeasures | Footprinting Penetration Testing

This section lists various footprinting countermeasures to be applied at various levels.

Module 02 Page 246
  • 157. Footprinting Countermeasures

Footprinting countermeasures are the measures or actions taken to counter or offset information disclosure. A few footprinting countermeasures are listed as follows:

- Configure routers to restrict the responses to footprinting requests.
- Configure web servers to avoid information leakage (version banners, technology headers, verbose error pages) and disable unwanted protocols.
- Lock down ports with a suitable firewall configuration.
- Use an IDS that can be configured to refuse suspicious traffic and pick up footprinting patterns.
- Evaluate and limit the amount of information available before publishing it on the website/Internet, and disable unnecessary services.
- Perform the footprinting techniques against your own organization and remove any sensitive information found.
- Prevent search engines from caching web pages (for example with a noarchive directive) and use anonymous registration services.
- Enforce security policies to regulate the information that employees can reveal to third parties.

Module 02 Page 247
  • 158. Footprinting Countermeasures (Cont'd)

In addition to the countermeasures mentioned previously, you can apply the following countermeasures as well:

- Separate internal DNS from external DNS (split DNS), so that internal host names cannot be resolved from the Internet.
- Disable directory listings.
- Educate employees about the various social engineering tricks and risks.
- Restrict unexpected input such as the characters | ; < >.
- Avoid domain-level cross-linking for critical assets.
- Encrypt and password-protect sensitive information.
- Do not enable protocols that are not required.
- Always use TCP/IP and IPSec filters.
- Configure IIS against banner grabbing.

Module 02 Page 248
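Several of the countermeasures above (no version banners, no technology headers, no directory listings, no verbose error pages, no search-engine caching) can be verified from the web server's own responses. The following Python script is an added example, not part of the EC-Council courseware: it parses a captured HTTP response and lists the leaks it still contains. The two responses are constructed samples, one leaky and one hardened, and the header names and patterns checked are this example's own choices rather than a standard list. Point it at real responses (for example the output of curl -i) to confirm a server after reconfiguration.

```python
"""Check a captured HTTP response for the information leaks that footprinting
countermeasures are meant to close. Added example; inputs are constructed."""
import re

# Constructed sample responses (not real captures); CRLF endings as on the wire.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head>"
    "<body><h1>Index of /backup</h1><a href=\"db.sql\">db.sql</a></body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: webserver\r\n"          # product and version removed from the banner
    "X-Robots-Tag: noarchive\r\n"    # tells search engines not to cache the page
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Welcome</title></head><body>Hello</body></html>"
)

VERSION_RE = re.compile(r"/\d+(\.\d+)+")           # "Apache/2.4.41", "Microsoft-IIS/7.5"
LISTING_RE = re.compile(r"<title>\s*Index of\s*/", re.I)
TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)|Stack Trace:|\bat [\w.$]+\([\w.]+:\d+\)")
# Headers that name the application stack; list is this example's choice.
TECH_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")


def parse_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_response(raw):
    """Return a list of leak findings; an empty list means nothing left to fix."""
    _status, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server banner discloses version: {server}")
    for name in TECH_HEADERS:
        if name in headers:
            findings.append(f"technology header present: {name}: {headers[name]}")
    if LISTING_RE.search(body):
        findings.append("directory listing enabled")
    if TRACE_RE.search(body):
        findings.append("error page contains a stack trace")
    if "noarchive" not in headers.get("x-robots-tag", "").lower():
        findings.append("no X-Robots-Tag: noarchive; search engines may cache the page")
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(raw) or ["no findings"])
```

The noarchive check is deliberately strict: it reports every page that does not carry the directive, so on a site where only some pages should be kept out of search caches, treat that finding as informational and review it page by page.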
  • 159. Module Flow

So far we have discussed all the necessary techniques and tools to test the security of a system or network. Now it is time to put those techniques into practice. Testing the security of a system or network using the same techniques as an attacker, with adequate permission, is known as penetration testing. A footprinting penetration test should be conducted to check whether an attacker is able to reveal sensitive information in response to footprinting attempts.

Footprinting Concepts | Footprinting Threats | Footprinting Methodology | Footprinting Tools | Footprinting Countermeasures | Footprinting Penetration Testing

Module 02 Page 249
  • 160. Penetration testing is a method of evaluating system or network security. In this method, the pen tester acts as a malicious outsider and simulates an attack in order to find security loopholes.

Module 02 Page 250
  • 161. Footprinting Pen Testing

A footprinting pen test is used to determine an organization's publicly available information on the Internet, such as network architecture, operating systems, applications, and users. The pen tester tries to gather publicly available sensitive information about the target in the same way an attacker would, from the Internet and other publicly accessible sources. The target may be a specific host or a network. The pen tester should try all possible ways to gather as much information as possible in order to ensure the maximum scope of the footprinting pen test. If the pen tester finds any sensitive information on a publicly available resource, he or she should record the information and its source in the report.

Footprinting pen testing helps the administrator to:

- Prevent information leakage.
- Prevent DNS record retrieval from publicly available servers.
- Prevent social engineering attempts.

Module 02 Page 251
  • 162. Footprinting Pen Testing (Cont'd)

Penetration testing is a procedural way of testing security in a series of steps. The steps should be followed one after the other in order to ensure the maximum scope of testing. The steps involved in a footprinting pen test are:

Step 1: Get proper authorization
Pen testing should be performed only with permission. Therefore, the very first step in a footprinting pen test is to get proper authorization from the people concerned, such as administrators.

Step 2: Define the scope of the assessment
Defining the scope of the security assessment is a prerequisite for penetration testing. The scope determines the range of systems in the network to be tested, the resources that can be used for testing, and the pen tester's limitations. Once the scope is defined, plan and gather sensitive information using the various footprinting techniques.

Step 3: Perform footprinting through search engines
Footprint search engines such as Google, Yahoo! Search, Ask, Bing, Dogpile, etc. to gather the target organization's information, such as employee details, login pages, intranet portals, etc., that can help in performing social engineering and other types of advanced system attacks.

Step 4: Perform website footprinting
Perform website footprinting using tools such as HTTrack Web Site Copier, BlackWidow, Webripper, etc. to build a detailed map of the website's structure and architecture.

Module 02 Pages 252-253
  • 164. Footprinting Pen Testing (Cont'd)

Step 5: Perform email footprinting
Perform email footprinting using tools such as eMailTrackerPro, PoliteMail, Email Lookup - Free Email Tracker, etc. to gather information about the physical location of an individual. This supports social engineering, which in turn may help in mapping the target organization's network.

Step 6: Gather competitive intelligence
Gather competitive intelligence using tools such as Hoovers, LexisNexis, SEC Info, Business Wire, etc. These sources help you extract a competitor's information such as its establishment, company location, progress analysis, senior management, product analysis, marketing details, and much more.

Step 7: Perform Google hacking
Perform Google hacking using tools such as GHDB, MetaGoofil, SiteDigger, etc. This determines security loopholes in the code and configuration of websites. Google hacking is usually done with the help of advanced Google operators that locate specific strings of text, such as versions of vulnerable web applications.

Step 8: Perform WHOIS footprinting
Perform WHOIS footprinting to extract information about particular domains. You can get information such as the domain name, IP address, domain owner name, registrant name, and their contact details including phone numbers, email IDs, etc. Tools such as WHOIS Lookup, SmartWhois, CountryWhois, Whois Pro, and ActiveWhois will help you to extract this information. You can use this information to perform social engineering to obtain more information.

Module 02 Pages 254-255
  • 166. Footprinting Pen Testing (Cont'd)

Step 9: Perform DNS footprinting
Perform DNS footprinting using tools such as DIG, NsLookup, DNS Records, etc. to determine the key hosts in the network and to support social engineering attacks. Resolve the domain name to learn its IP address, DNS records, etc.

Step 11: Perform network footprinting
Perform network footprinting using tools such as Path Analyzer Pro, VisualRoute 2010, Network Pinger, etc. to create a map of the target's network. Network footprinting reveals the network range and other network information of the target. Using all this information, you can draw a network diagram of the target network.

Step 12: Perform social engineering
Use social engineering techniques such as eavesdropping, shoulder surfing, and dumpster diving, which may help to gather more critical information about the target organization. Through social engineering you can gather the target organization's employee details, phone numbers, contact addresses, email addresses, etc. You can use this information to reveal even more information.

Step 13: Perform footprinting through social networking sites
Perform footprinting through social networking sites on the employees of the target organization identified during social engineering. You can gather information from their personal profiles on social networking sites such as Facebook, LinkedIn, Twitter, Google+, Pinterest, etc. that assists in performing social engineering. You can also use people search engines to obtain information about a target person.

Step 14: Document all the findings
After applying all the footprinting techniques, collect and document the information obtained at every stage of testing. You can use this document to study, understand, and analyze the security posture of the target organization and to find security loopholes. Once you find loopholes, suggest the respective countermeasures for them.

The following is a summary of footprinting penetration testing.

Module 02 Pages 256-257
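Steps 8, 9 and 11 produce raw tool output, and Step 14 asks for it to be recorded per source. The following Python script is an added example, not part of the EC-Council courseware: it parses WHOIS output and the answer section of dig into the WHOIS, DNS and network entries of a findings record (domain name, owner contact, name servers, creation date, DNS server locations, mail servers, key hosts, observed IP addresses and ranges), and also flags whether the delegation in DNS matches the name servers recorded at the registrar. The inputs are constructed for the reserved domain example.com with RFC 5737 documentation addresses; no query is sent. Replace them with the output of `whois <domain>` and `dig +noall +answer <domain> <type>` for the target in scope. The /24 grouping of observed addresses is only a rough indication of the network range; confirm it against the IP WHOIS (netrange) record.

```python
"""Parse WHOIS and dig output into the WHOIS/DNS/network sections of a
footprinting report. Added example; inputs below are constructed."""
import ipaddress
import json

# Constructed WHOIS output for the reserved domain example.com (not a real lookup).
WHOIS_RAW = """\
Domain Name: EXAMPLE.COM
Creation Date: 1995-08-14T04:00:00Z
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Email: jane.doe@example.com
Registrant Phone: +1.5555550100
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
>>> Last update of WHOIS database: 2012-04-01T00:00:00Z <<<
"""

# Constructed answer section in the format printed by `dig +noall +answer`.
# Addresses are from the RFC 5737 documentation ranges.
DIG_RAW = """\
example.com.        3600  IN  A      203.0.113.10
example.com.        3600  IN  MX     10 mail.example.com.
example.com.        3600  IN  NS     ns1.example.com.
example.com.        3600  IN  NS     ns2.example.com.
example.com.        3600  IN  TXT    "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/25 -all"
mail.example.com.   3600  IN  A      203.0.113.25
ns1.example.com.    3600  IN  A      203.0.113.53
ns2.example.com.    3600  IN  A      198.51.100.53
www.example.com.    3600  IN  CNAME  example.com.
"""


def parse_whois(raw):
    """Collect 'Key: value' lines; repeated keys (Name Server) keep every value."""
    fields = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("%", "#", ">>>")):
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_dig(raw):
    """Return (owner, type, rdata) tuples from dig answer lines; comments skipped."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # owner ttl class type rdata
        if len(parts) != 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.append((owner.rstrip(".").lower(), rtype.upper(), rdata))
    return records


def build_report(whois_fields, records):
    """Fill the WHOIS, DNS and network sections of the findings record."""
    def first(key):
        return whois_fields.get(key, [""])[0]

    a = {owner: rdata for owner, rtype, rdata in records if rtype == "A"}
    ns = sorted(r.rstrip(".").lower() for _, t, r in records if t == "NS")
    mx = sorted((int(r.split()[0]), r.split()[1].rstrip(".").lower())
                for _, t, r in records if t == "MX")
    spf = [r.strip('"') for _, t, r in records if t == "TXT" and "v=spf1" in r]
    spf_ranges = [tok[4:] for txt in spf for tok in txt.split() if tok.startswith("ip4:")]
    whois_ns = sorted(n.lower() for n in whois_fields.get("name server", []))
    ips = sorted(set(a.values()), key=ipaddress.ip_address)
    # Heuristic: group observed addresses by /24; confirm against IP WHOIS netrange.
    ranges = sorted({str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in ips},
                    key=ipaddress.ip_network)
    contact_keys = ("registrant name", "registrant organization",
                    "registrant email", "registrant phone")
    return {
        "whois": {
            "domain_name": first("domain name").lower(),
            "domain_owner_contact": {k: first(k) for k in contact_keys if k in whois_fields},
            "domain_name_servers": whois_ns,
            "created": first("creation date"),
        },
        "dns": {
            "dns_servers": {h: a.get(h, "unresolved") for h in ns},
            "mail_servers": mx,
            "key_hosts": sorted(set(ns) | {h for _, h in mx}
                                | {o for o, t, _ in records if t == "CNAME"}),
            "delegation_matches_whois": ns == whois_ns,
        },
        "network": {
            "ip_addresses": ips,
            "ranges_seen": ranges,
            "spf_ranges": spf_ranges,
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_report(parse_whois(WHOIS_RAW), parse_dig(DIG_RAW)), indent=2))
```

A mismatch between the registrar's name servers and the NS set served by the zone is worth a line in the report on its own: it points at stale registration data or a delegation someone has changed without updating the registrar, both of which an attacker would notice too.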
  • 168. Footprinting Pen Testing Report Templates

Pen Testing Report

Penetration testing is usually conducted to strengthen the security perimeter of an organization. As a pen tester you gather sensitive information about your target, such as server details, the operating system, etc., by conducting footprinting. You then analyze the system and network defenses by breaking into them with adequate permission (i.e., ethically) and without causing any damage, and find the loopholes and weaknesses in the network or system security. Finally, you explain all the vulnerabilities along with the respective countermeasures in a report, i.e., the pen testing report.

The pen testing report is the document produced after performing network penetration tests or security audits. It contains details such as the types of tests performed, the hacking techniques used, and the results of the hacking activity. In addition, the report highlights the security risks and vulnerabilities of the organization. For each vulnerability identified during testing, the cause of the vulnerability is detailed and countermeasures are suggested.

The report should always be kept confidential: if it falls into the hands of an attacker, he or she may use it to launch attacks. The pen testing report should contain the following details:

Information obtained through search engines
- Employee details:
- Login pages:
- Intranet portals:
- Technology platforms:
- Others:

Information obtained through people search
- Date of birth:
- Contact details:
- Email ID:
- Photos:
- Others:

Information obtained through website footprinting
- Operating environment:
- Filesystem structure:
- Scripting platforms used:
- Contact details:
- CMS details:
- Others:

Information obtained through Google hacking
- Advisories and server vulnerabilities:
- Files containing passwords:
- Error messages that contain sensitive information:
- Pages containing network or vulnerability data:
- Others:

Information obtained through email footprinting
- GPS location:
- IP address:
- Authentication system used by mail server:
- Others:

Information obtained through competitive intelligence
- Financial details:
- Project plans:
- Others:

FIGURE 2.48: Pen Testing Report

Module 02 Pages 258-259
  • 170. Footprinting Pen Testing Report Templates (Cont'd)

Pen Testing Report

Information obtained through WHOIS footprinting
- Domain name details:
- Contact details of domain owner:
- Domain name servers:
- Netrange:
- When the domain was created:
- Others:

Information obtained through DNS footprinting
- Location of DNS servers:
- Type of servers:
- Others:

Information obtained through network footprinting
- Range of IP addresses:
- Subnet mask used by the target organization:
- OSs in use:
- Firewall locations:
- Others:

Information obtained through social engineering
- Personal information:
- Financial information:
- Operating environment:
- Network layout information:
- User names and passwords:
- IP addresses and names of servers:
- Others:

Information obtained through social networking sites
- Personal profiles:
- Work-related information:
- News and potential partners of the target company:
- Educational and employment backgrounds:
- Others:

FIGURE 2.49: Pen Testing Report showing information obtained through footprinting and social engineering

Module 02 Page 260
  • 171. Module Summary

- Footprinting is the process of collecting as much information as possible about a target network in order to identify ways to intrude into an organization's network and systems.
- It narrows the attacker's attack area to a specific range of IP addresses, networks, domain names, remote access points, etc.
- Attackers use search engines to extract information about a target.
- Information obtained from the target's website enables an attacker to build a detailed map of the website's structure and architecture.
- Competitive intelligence is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet.
- DNS records provide important information about the location and type of servers.
- Attackers conduct traceroute to extract information about network topology, trusted routers, and firewall locations.
- Attackers gather sensitive information through social engineering on social networking websites such as Facebook, MySpace, LinkedIn, Twitter, Pinterest, Google+, etc.

Module 02 Page 261
