Footprinting is the ability to obtain essential information about an
organization. Commonly called network reconnaissance.
Result Gather information includes:
–The technologies that are being used such as, Internet, Intranet, Remote Access and the
–To explored the security policies and procedures
–take an unknown quality and reduce it
–Take a specific range of domain names, network blocks and individual IP addresses of a
system that is directly connected to the Internet
This is done by employing various computer security techniques, as:
• DNS queries nslookup, dig, Zone Transfer
• Network enumeration
• Network queries
• Operating system identification
• Organizational queries
When used in the computer security lexicon, "footprinting" generally refers to
one of the pre-attack phases; tasks performed prior to doing the actual
attack. Some of the tools used for footprinting areSam
Spade, nslookup, traceroute, Nmap and neotrace.
• Ping sweeps
• Point of contact queries
• Port Scanning
• Registrar queries (WHOIS queries)
• SNMP queries
• World Wide Web spidering
Information to Gather
Attacker’s point of view
Identify potential target systems
Identify which types of attacks may be useful on target systems
Defender’s point of view
Know available tools
May be able to tell if system is being footprinted, be more prepared for
Vulnerability analysis: know what information you’re giving away, what
weaknesses you have
Tools - Linux
Some basic Linux tools - lower level utilities
arp, netstat (also local system)
Tools – Linux (2)
wireshark (packet sniffing)
nmap (port scanning) - more later
Go to System / Administration / Network Tools – get
interface to collection of tools: ping, netstat, traceroute,
port scan, nslookup, finger, whois
Tools - Windows
Sam Spade (collected network tools)
Wireshark (packet sniffer)
Command line tools
# traceroute ns1.target-company.com
traceroute to ns1.target-company.com (xxx.xx.xx.xx), 30 hops max, 40 byte packets
1 fw-gw (184.108.40.206) 0.978 ms 0.886 ms 0.875 ms
2 s1-0-1-access (220.127.116.11) 4.816 ms 5.275 ms 3.969 ms
3 dallas.tx.core1.fastlane.net (18.104.22.168) 4.622 ms 9.439 ms 3.977 ms
4 atm8-0-024.CR-1.usdlls.savvis.net (22.214.171.124) 6.564 ms 5.639 ms 6.681 ms
5 Serial1-0-1.GW1.DFW1.ALTER.NET (126.96.36.199) 7.148 ms 6.595 ms 7.371 ms
6 103.ATM3-0.XR2.DFW4.ALTER.NET (188.8.131.52) 11.861 ms 11.669 ms 6.732 ms
7 184.108.40.206 (220.127.116.11) 10.565 ms 25.423 ms 25.369 ms
8 dfw2-core2-pt4-1-0.atlas.digex.net (18.104.22.168) 13.289 ms 10.585 ms
9 dfw2-core1-fa8-1-0.atlas.digex.net (22.214.171.124) 44.951 ms 241.358 ms
10 swbell-net.demarc.swbell.net (126.96.36.199) 12.242 ms 13.821 ms 27.618 ms
11 ded2-fa1-0-0.rcsntx.swbell.net (188.8.131.52) 25.299 ms 11.295 ms 23.958 ms
12 target-company-818777.cust-rtr.swbell.net (151.164.x.xxx) 52.104 ms 24.306
ms 17.248 ms
13 ns1.target-company.com (xxx.xx.xx.xx) 23.812 ms 24.383 ms 27.489 ms
Traceroute - Network Mapping
Hosts Inside DMZ
Domain Name: UWEC.EDU
University of Wisconsin - Eau Claire
105 Garfield Avenue
Eau Claire, WI 54702-4004
Computing and Networking Services
105 Garfield Ave
Eau Claire, WI 54701
Scanning can be compared to a thief checking all the doors and
windows of a house he wants to break into.
Scanning- The art of detecting which systems are alive and
reachable via the internet and what services they offer, using
techniques such as ping sweeps, port scans and operating
system identification, is called scanning.
The kind of information collected here has to do with the
1) TCP/UDP services running on each system identified.
2) System architecture (Sparc, Alpha, x86)
3) Specific IP address of systems reachable via the internet.
4) Operating System type.
ping sweep is a method that can establish a range of IP
addresses which map to live hosts.
ICMP Sweeps (ICMP ECHO requests)
Non Echo ICMP
ICMP ECHO request
ICMP ECHO reply
ICMP ECHO reply
ICMP ECHO reply
Can Distinguish between UNIX and WINDOWS machine
UNIX machine answers to requests directed to the network
WINDOWS machine will ignore it.
NON – ECHO ICMP
Example ICMP Type 13 – (Time Stamp)
Originate Time Stamp
- The time the sender last touched the message before sending
Receive Time Stamp
- The echoer first touched it on receipt.
Transmit Time Stamp
- The echoer last touched on sending it.
Depends on ICMP PORT UNREACHABLE message.
UDP data gram
ICMP PORT UNREACHABLE
• Routers can drop UDP packets
•UDP services may not respond when correctly probed
•Firewalls are configured to drop UDP
•Relies on fact that non-active UDP port will respond
Port Scanning Types
TCP Connect() Scan
RST/ACK (port not listening)
A connection is terminated after the full length connection establishment
process has been completed
Port Scanning Type
TCP SYN Scan (half open scanning)
RST/ACK (port not listening)
We immediately tear down the connection by sending a RESET
Port Scanning Type
A scanning technique family doing the following
Pass through filtering rules.
Not to be logged by the targeted system logging mechanism
Try to hide themselves at the usual site / network traffic.
The frequently used stealth mapping techniques are.
“Random” Port Scan
Randomizing the sequence of ports probed may prevent detection.
Some hackers are very patient and can use network scanners that spread out the
scan over a long period of time. The scan rate can be, for example, as low as 2
packets per day per target site.
In case of TCP the 8 octets of data (minimum fragment size) are enough to
contain the source and destination port numbers. This will force the TCP flags
field into the second fragment.
Some network scanners include options for Decoys or spoofed address in their
If multiple IPs probe a target network, each one probes a certain service on a
certain machine in a different time period, and therefore it would be nearly
impossible to detect these scans.
Operating System Detection
DNS HINFO Record
The host information record is a pair of strings identifying
the host’s hardware type and the operating system
www IN HINFO “Sparc Ultra 5” “Solaris 2.6”
One of the oldest technique
Operating System Detection
TCP/IP Finger Printing
The ideas to send specific TCP packets to the target IP
and observe the response which will be unique to
certain group or individual operations.
Types of probes used to determine the OS type
The FIN Probe, The Bogus Flag Probe, TCP initial
sequence number sampling, Don’t Fragment bit, TCP
initial window, ACK value, ICMP error Message
Quenching, ICMP message quoting, ICMP error
message Echoing Integrity, Type of service,
fragmentation handling, TCP options
Gather information about a remote network protected
by a firewall
Mapping open ports on a firewall
Mapping a network behind a firewall
If the firewall’s policy is to drop ICMP ECHO Request/Reply
this technique is very effective.
How does Firewalking work?
It uses a traceroute-like packet filtering to
determine whether or not a particular packet
can pass through a packet-filtering device.
Traceroute is dependent on IP layer(TTL field),
any transport protocol can be used the same
way(TCP, UDP, and ICMP).
What Firewalking needs?
The IP address of the last known gateway
before the firewall takes place.
Serves as WAYPOINT
The IP address of a host located behind the
Used as a destination to direct packet flow
Getting the Waypoint
If we try to traceroute the machine behind a
firewall and get blocked by an ACL filter that
prohibits the probe, the last gateway which
responded(the firewall itself can be determined)
Firewall becomes the waypoint.
Getting the Destination
Traceroute the same machine with a different
traceroute-probe using a different transport protocol.
If we get a response
That particular traffic is allowed by the firewall
We know a host behind the firewall.
If we are continuously blocked, then this kind of traffic
Sending packets to every host behind the packet-
filtering device can generate an accurate map of a
How to identify/avoid threats?
Long-standing rule for Unix System
administrators to turn off any services that
aren’t in use
For personal workstations!
Hackers have access to utilities to scan the servers
but so do you!.
Hackers look in for open ports. So we can our
servers first and know what the hackers will see and
close any ports that shouldn’t be open.
Some tools to help us
It is a utility that scans a particular server and informs
us which ports are open.
It is a utility that will scan the network and help us
decode what is going on.
We can watch the network traffice and find out if
hackers can see anything that will help them break
into our systems.
Introduction to Enumeration
Enumeration extracts information about:
–Resources or shares on the network
–User names or groups assigned on the network
–Last time user logged on
Before enumeration, you use Port scanning and
–To Determine OS being used
NBT (NetBIOS over TCP/IP)
–is the Windows networking protocol
–used for shared folders and printers
–Tool for enumerating Microsoft OSs
Null Session Information
Using these NULL connections allows you to gather the
following information from the host:
–List of users and groups
–List of machines
–List of shares
–Users and host SIDs (Security Identifiers)
•From brown.edu (link Ch 6b)
Demonstration of Null Sessions
Start Win 2000 Pro
Share a folder
From a Win XP command prompt
–NET VIEW ip-address Fails
–NET USE ip-addressIPC$ "" /u:""
•Creates the null session
–NET VIEW ip-address Works now
Produces a graphical view of NetBIOS running on a network
Enumerates any shares running on the computer
Verifies whether access is available for shared resource
using its Universal Naming Convention (UNC) name
Costs about $250 per machine (link Ch 6i)
Enumeration tool for Microsoft systems
Produced by Foundstone, Inc.
Allows user to connect to a server and “dump” the
–Permissions for shares
–Permissions for printers
–Permissions for the Registry
–Users in column or table format
–Policies and rights
Excellent GUI product for managing and securing
Shows shares and user logon names for Windows
servers and domain controllers
Displays graphical representation of:
–Microsoft Terminal Services
–Microsoft Windows Network
–Web Client Network
This is the client part of Nessus
Allows enumeration of different OSs on a large network
–Be sure Nessus server is up and running
–Open the NessusWX client application
–To connect your client with the Nessus server
•Click Communications, Connect from the menu on the session
•Enter server’s name
•Log on the Nessus server
–NetBIOS names in use
–Vulnerabilities with shared resources
•Also offers solutions to those vulnerabilities
Enumerating the *NIX Operating System
–Most popular tool for security testers
–Finds out who is logged in to a *NIX system
–Determine owner of any process
–Another important *NIX enumeration tool