1
Modul 2
Footprinting Scanning
Enumeration
Isbat Uzzin Nadhori
Informatical Engineering PENS-ITS
Politeknik Elektronika Negeri Surabaya
ITS - Surabaya

2
Intelligence Gathering Techniques
 3 Major Steps
Foot Printing
Scanning
Enumeration
 Similar to Military
Gather information on the target
Analyze weaknesses
Construct and launch attack

3
Gathering Process Overview
 You can’t attack what you don’t know

4
Hacking Step

5
Hacking Step …

6
Gathering Process overview
Hosts
Ports
Services
Vulnerabilities

7
Footprinting

8
Footprinting
 Footprinting is the ability to obtain essential information about an
organization. Commonly called network reconnaissance.
 Result Gather information includes:
–The technologies that are being used such as, Internet, Intranet, Remote Access and the
Extranet.
–To explored the security policies and procedures
–take an unknown quality and reduce it
–Take a specific range of domain names, network blocks and individual IP addresses of a
system that is directly connected to the Internet
 This is done by employing various computer security techniques, as:
• DNS queries  nslookup, dig, Zone Transfer
• Network enumeration
• Network queries
• Operating system identification
• Organizational queries
 When used in the computer security lexicon, "footprinting" generally refers to
one of the pre-attack phases; tasks performed prior to doing the actual
attack. Some of the tools used for footprinting areSam
Spade, nslookup, traceroute, Nmap and neotrace.
• Ping sweeps
• Point of contact queries
• Port Scanning
• Registrar queries (WHOIS queries)
• SNMP queries
• World Wide Web spidering

9
DNS Query

10
Network Query Tools
* Ping
* NSlookup
* Whois
* IP block search
* Dig
* Traceroute
* Finger
* SMTP VRFY
* Web browser keep-alive
* DNS zone transfer
* SMTP relay check
* Usenet cancel check
* Website download
* Website search
* Email header analysis
* Email blacklist
* Query Abuse address

11
Information to Gather
 Attacker’s point of view
Identify potential target systems
Identify which types of attacks may be useful on target systems
 Defender’s point of view
Know available tools
May be able to tell if system is being footprinted, be more prepared for
possible attack
Vulnerability analysis: know what information you’re giving away, what
weaknesses you have

12
OS Identification

13
Point of Contact

14
Tools - Linux
 Some basic Linux tools - lower level utilities
Local System
hostname
ifconfig
who, last
Remote Systems
ping
traceroute
nslookup, dig
whois
arp, netstat (also local system)
Other tools
lsof

15
Tools – Linux (2)
 Other utilities
wireshark (packet sniffing)
nmap (port scanning) - more later
Ubuntu Linux
Go to System / Administration / Network Tools – get
interface to collection of tools: ping, netstat, traceroute,
port scan, nslookup, finger, whois

16
Tools - Windows
 Windows
Sam Spade (collected network tools)
Wireshark (packet sniffer)
Command line tools
ipconfig
Many others…

17
Traceroute
# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
1 fw-gw (209.197.192.1) 0.978 ms 0.886 ms 0.875 ms
2 s1-0-1-access (209.197.224.69) 4.816 ms 5.275 ms 3.969 ms
3 dallas.tx.core1.fastlane.net (209.197.224.1) 4.622 ms 9.439 ms 3.977 ms
4 atm8-0-024.CR-1.usdlls.savvis.net (209.44.32.217) 6.564 ms 5.639 ms 6.681 ms
5 Serial1-0-1.GW1.DFW1.ALTER.NET (157.130.128.53) 7.148 ms 6.595 ms 7.371 ms
6 103.ATM3-0.XR2.DFW4.ALTER.NET (146.188.240.38) 11.861 ms 11.669 ms 6.732 ms
7 152.63.96.85 (152.63.96.85) 10.565 ms 25.423 ms 25.369 ms
8 dfw2-core2-pt4-1-0.atlas.digex.net (206.181.125.153) 13.289 ms 10.585 ms
17.173 ms
9 dfw2-core1-fa8-1-0.atlas.digex.net (165.117.52.101) 44.951 ms 241.358 ms
248.838 ms
10 swbell-net.demarc.swbell.net (206.181.125.10) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (151.164.1.137) 25.299 ms 11.295 ms 23.958 ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306
ms 17.248 ms
13 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms

18
Traceroute - Network Mapping
cw
swb
Internet Routers

19
Traceroute - Network Mapping
cw
swb
Internet Routers

20
Traceroute - Network Mapping
Firewall
DMZ
cw
swb
VPN
Internet Routers

21
Traceroute - Network Mapping
Firewall
DMZ
www
ftp
cw
swb
VPN
Internet Routers

22
Traceroute - Network Mapping
Firewall
DMZ
www
ftp
cw
swb
VPN
Internet Routers

23
Traceroute - Network Mapping
Sun
Linux
Firewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers

24
Traceroute - Network Mapping
Sun
Linux
Firewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers
Linux 2.0.38
xxx.xx.48.2
AIX 4.2.1
xxx.xx.48.1
Checkpoint Firewall-1
Solaris 2.7
xxx.xx.49.17
Checkpoint Firewall-1
Nortel VPN
xxx.xx.22. 7
Cisco 7206
204.70.xxx.xxx
Nortel CVX1800
151.164.x.xxx
IDS?

25
Domain Name: UWEC.EDU
Registrant:
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
UNITED STATES
Contacts:
Administrative Contact:
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
UNITED STATES
(715) 836-5711
networking@uwec.edu
Name Servers:
TOMATO.UWEC.EDU 137.28.1.17
LETTUCE.UWEC.EDU 137.28.1.18
BACON.UWEC.EDU 137.28.5.194
Whois

26
Scanning

27
Introduction
 Scanning can be compared to a thief checking all the doors and
windows of a house he wants to break into.
 Scanning- The art of detecting which systems are alive and
reachable via the internet and what services they offer, using
techniques such as ping sweeps, port scans and operating
system identification, is called scanning.
The kind of information collected here has to do with the
following:
1) TCP/UDP services running on each system identified.
2) System architecture (Sparc, Alpha, x86)
3) Specific IP address of systems reachable via the internet.
4) Operating System type.

28
Ping Sweeps
ping sweep is a method that can establish a range of IP
addresses which map to live hosts.
 ICMP Sweeps (ICMP ECHO requests)
 Broadcast ICMP
 Non Echo ICMP
 TCP Sweeps
 UDP Sweeps

29
PING SWEEPS
ICMP SWEEPS
ICMP ECHO request
ICMP ECHO reply
Target alive
Intruder
Querying multiple hosts – Ping sweep is fairly slow
Examples UNIX – fping and gping
WINDOWS - Pinger

30
Broadcast ICMP
Intruder Network
ICMP ECHO request
ICMP ECHO reply
ICMP ECHO reply
ICMP ECHO reply
Can Distinguish between UNIX and WINDOWS machine
UNIX machine answers to requests directed to the network
address.
WINDOWS machine will ignore it.

31
PING SWEEPS
NON – ECHO ICMP
Example ICMP Type 13 – (Time Stamp)
 Originate Time Stamp
- The time the sender last touched the message before sending
 Receive Time Stamp
- The echoer first touched it on receipt.
 Transmit Time Stamp
- The echoer last touched on sending it.

32
PING Sweeps
TCP Sweeps
Server
Client
C(SYN:PortNo & ISN)
S (SYN & ISN) + ACK[ C (SYN+!) ]
RESET (not active)
S(ISN+1)
When will a RESET be sent?
When RFC does not appear correct while appearing.
RFC = (Destination (IP + port number) & Source( IP & port
number))

33
PING Sweeps
Depends on ICMP PORT UNREACHABLE message.
UDP data gram
ICMP PORT UNREACHABLE
Unreliable because
• Routers can drop UDP packets
•UDP services may not respond when correctly probed
•Firewalls are configured to drop UDP
•Relies on fact that non-active UDP port will respond
Target System

34
PORT SCANNING
Types:
 TCP Connect() Scan
 TCP SYN Scan( Half open scanning)
 Stealth Scan
 Explicit Stealth Mapping Techniques
SYN/ACL , FIN, XMAS and NULL
 Inverse Mapping
Reset Scans, Domain Query Answers
 Proxy Scanning / FTP Bounce Scanning
 TCP Reverse Ident Scanning

35
Port Scanning Types
 TCP Connect() Scan
SYN packet
SYN/ACK listening
RST/ACK (port not listening)
SYN/ACK
A connection is terminated after the full length connection establishment
process has been completed

36
Port Scanning Type
 TCP SYN Scan (half open scanning)
SYN packet
SYN/ACK listening
RST/ACK (port not listening)
We immediately tear down the connection by sending a RESET

37
Port Scanning Type
Stealth Scan
A scanning technique family doing the following
 Pass through filtering rules.
 Not to be logged by the targeted system logging mechanism
 Try to hide themselves at the usual site / network traffic.
The frequently used stealth mapping techniques are.
 SYN/ACK scan
 FIN scans
 XMAS scans
 NULL scans

38
PORT Scanning
Techniques:
 Random Port scan
 Slow Scan
 Fragmentation Scanning
 Decoy
 Coordinated Scans

39
PORT Scanning
“Random” Port Scan
Randomizing the sequence of ports probed may prevent detection.
Slow Scan
Some hackers are very patient and can use network scanners that spread out the
scan over a long period of time. The scan rate can be, for example, as low as 2
packets per day per target site.
Fragmentation scanning
In case of TCP the 8 octets of data (minimum fragment size) are enough to
contain the source and destination port numbers. This will force the TCP flags
field into the second fragment.
Decoy
Some network scanners include options for Decoys or spoofed address in their
attacks.
Coordinated Scans
If multiple IPs probe a target network, each one probes a certain service on a
certain machine in a different time period, and therefore it would be nearly
impossible to detect these scans.

40
Operating System Detection
 Banner Grabbing
 DNS HINFO Record
 TCP/IP Stack Fingerprinting

41
Operating System Detection

42
Operating System Detection
 DNS HINFO Record
The host information record is a pair of strings identifying
the host’s hardware type and the operating system
www IN HINFO “Sparc Ultra 5” “Solaris 2.6”
One of the oldest technique

43
Operating System Detection
 TCP/IP Finger Printing
The ideas to send specific TCP packets to the target IP
and observe the response which will be unique to
certain group or individual operations.
Types of probes used to determine the OS type
The FIN Probe, The Bogus Flag Probe, TCP initial
sequence number sampling, Don’t Fragment bit, TCP
initial window, ACK value, ICMP error Message
Quenching, ICMP message quoting, ICMP error
message Echoing Integrity, Type of service,
fragmentation handling, TCP options

44
Firewalking
 Gather information about a remote network protected
by a firewall
 Purpose
Mapping open ports on a firewall
Mapping a network behind a firewall
If the firewall’s policy is to drop ICMP ECHO Request/Reply
this technique is very effective.

45
How does Firewalking work?
 It uses a traceroute-like packet filtering to
determine whether or not a particular packet
can pass through a packet-filtering device.
 Traceroute is dependent on IP layer(TTL field),
any transport protocol can be used the same
way(TCP, UDP, and ICMP).

46
What Firewalking needs?
 The IP address of the last known gateway
before the firewall takes place.
Serves as WAYPOINT
 The IP address of a host located behind the
firewall.
Used as a destination to direct packet flow

47
Getting the Waypoint
 If we try to traceroute the machine behind a
firewall and get blocked by an ACL filter that
prohibits the probe, the last gateway which
responded(the firewall itself can be determined)
 Firewall becomes the waypoint.

48
Getting the Destination
 Traceroute the same machine with a different
traceroute-probe using a different transport protocol.
 If we get a response
That particular traffic is allowed by the firewall
We know a host behind the firewall.
 If we are continuously blocked, then this kind of traffic
is blocked.
 Sending packets to every host behind the packet-
filtering device can generate an accurate map of a
network’s topology.

49
How to identify/avoid threats?
 Long-standing rule for Unix System
administrators to turn off any services that
aren’t in use
 For personal workstations!
Hackers have access to utilities to scan the servers
but so do you!.
Hackers look in for open ports. So we can our
servers first and know what the hackers will see and
close any ports that shouldn’t be open.

50
Some tools to help us
 Nmap
It is a utility that scans a particular server and informs
us which ports are open.
 Ethereal
It is a utility that will scan the network and help us
decode what is going on.
We can watch the network traffice and find out if
hackers can see anything that will help them break
into our systems.

51
Enumeration

52
52
Introduction to Enumeration
 Enumeration extracts information about:
–Resources or shares on the network
–User names or groups assigned on the network
–Last time user logged on
–User’s password
 Before enumeration, you use Port scanning and
footprinting
–To Determine OS being used
 Intrusive process

53
53
NBTscan
 NBT (NetBIOS over TCP/IP)
–is the Windows networking protocol
–used for shared folders and printers
 NBTscan
–Tool for enumerating Microsoft OSs

54
54
Null Session Information
 Using these NULL connections allows you to gather the
following information from the host:
–List of users and groups
–List of machines
–List of shares
–Users and host SIDs (Security Identifiers)
•From brown.edu (link Ch 6b)

55
55
Demonstration of Null Sessions
 Start Win 2000 Pro
 Share a folder
 From a Win XP command prompt
–NET VIEW ip-address Fails
–NET USE ip-addressIPC$ "" /u:""
•Creates the null session
•Username="" Password=""
–NET VIEW ip-address Works now

56
56
Demonstration
of Enumeration
 Download Winfo from link
Ch 6g
 Run it – see all the
information!

57
57
NetBIOS Enumeration Tools
 Net view command
–Shows whether there are any shared resources on a network host

58
58
NetBIOS Enumeration Tools (continued)
 Net use command
–Used to connect to a computer with shared folders or files

59
Net use

60

61
61
Additional Enumeration Tools
 NetScanTools Pro
 DumpSec
 Hyena
 NessusWX

62
62
NetScanTools Pro
 Produces a graphical view of NetBIOS running on a network
 Enumerates any shares running on the computer
 Verifies whether access is available for shared resource
using its Universal Naming Convention (UNC) name
 Costs about $250 per machine (link Ch 6i)

63
63

64
64

65
65
DumpSec
 Enumeration tool for Microsoft systems
 Produced by Foundstone, Inc.
 Allows user to connect to a server and “dump” the
following information
–Permissions for shares
–Permissions for printers
–Permissions for the Registry
–Users in column or table format
–Policies and rights
–Services

66
DumpSec

67
67
Hyena
 Excellent GUI product for managing and securing
Microsoft OSs
 Shows shares and user logon names for Windows
servers and domain controllers
 Displays graphical representation of:
–Microsoft Terminal Services
–Microsoft Windows Network
–Web Client Network
–Find User/Group

68
68

69
69
NessusWX
 This is the client part of Nessus
 Allows enumeration of different OSs on a large network
 Running NessusWX
–Be sure Nessus server is up and running
–Open the NessusWX client application
–To connect your client with the Nessus server
•Click Communications, Connect from the menu on the session
window
•Enter server’s name
•Log on the Nessus server

70
70

71
71

72
72
NessusWX (continued)
 Nessus identifies
–NetBIOS names in use
–Shared resources
–Vulnerabilities with shared resources
•Also offers solutions to those vulnerabilities
–OS version
–OS vulnerabilities
–Firewall vulnerabilities

73
73

74
74

75
75

76
76

77
77
Enumerating the *NIX Operating System
 Several variations
–Solaris
–SunOS
–HP-UX
–Linux
–Ultrix
–AIX
–BSD UNIX
–FreeBSD
–OpenBSD

78
78
UNIX Enumeration
 Finger utility
–Most popular tool for security testers
–Finds out who is logged in to a *NIX system
–Determine owner of any process
 Nessus
–Another important *NIX enumeration tool

79
79

80
80

81
Footprinting And Enumeration using
netcraft.com