This document discusses footprinting and information gathering techniques for network security. It defines footprinting as gathering information about potential target systems and networks. Both attacker and defender perspectives are considered. Basic Linux and Windows tools are covered, such as hostname, ifconfig, who, ping, traceroute, dig, nslookup, whois, arp and netstat for gathering system, network topology and user information. Packet sniffers like Wireshark are also introduced for analyzing network traffic. The document emphasizes that even basic tools can provide a lot of useful information to attackers, so defenders should aim to minimize what they reveal.

1. Footprinting
Keamanan Jaringan
D3 Teknik Telekomunikasi

2. Footprinting
• Definition: the gathering of information
about a potential system or network
• a.k.a. fingerprinting
• Attacker’s point of view
• Identify potential target systems
• Identify which types of attacks may be useful on
target systems
• Defender’s point of view
• Know available tools
• May be able to tell if system is being footprinted,
be more prepared for possible attack
• Vulnerability analysis: know what information
you’re giving away, what weaknesses you have

3. Information to Gather
• System (Local or Remote)
• IP Address, Name and Domain
• Operating System
• Type (Windows, Linux, Solaris, Mac)
• Version (98/NT/2000/2003/XP/Vista/7,
Redhat, Fedora, SuSe, Ubuntu, OS X)
• Usernames (and their passwords)
• File structure
• Open Ports (what services/programs are
running on the system)

4. Information to Gather (2)
• Networks / Enterprises
• System information for all hosts
• Network topology
• Gateways
• Firewalls
• Overall topology
• Network traffic information
• Specialized servers
• Web, Database, FTP, Email, etc.

5. Defender Perspective
• Identify information you’re giving away
• Identify weaknesses in systems/network
• Know when systems/network is being
probed
• Identify source of probe
• Develop awareness of threat
• Construct audit trail of activity

6. Tools - Linux
• Some basic Linux tools - lower level
utilities
• Local System
• hostname
• ifconfig
• who, last
• Remote Systems
• ping
• traceroute
• nslookup, dig
• whois
• arp, netstat (also local system)

7. Tools – Linux (2)
• Other utilities
• wireshark (packet sniffing)
• nmap (port scanning) - more later
• Ubuntu Linux
• Go to System / Administration / Network Tools –
get interface to collection of tools: ping, netstat,
traceroute, port scan, nslookup, finger, whois

8. Tools - Windows
• Windows
• Sam Spade (collected network tools)
• Wireshark (packet sniffer)
• Command line tools
• ipconfig
• Many others…

9. hostname
• Determine host name of current system
• Usage: hostname
• E.g. hostname
localhost.localdomain // default
• E.g. hostname
mobile.cs.uwec.edu

10. ifconfig
• Configure network interface
• Tells current IP numbers for host system
• Usage: ifconfig
• E.g. ifconfig // command alone: display status
eth0 Link encap: Ethernet
HWaddr 00:0C:29:CD:F6:D3
inet addr: 192.168.172.128. . .
lo Link encap: Local
Loopback
inet addr: 127.0.0.1 . . .

11. who
• Basic tool to show users on current system
• Useful for identifying unusual activity (e.g.
activity by newly created accounts or
inactive accounts)
• Usage: who
• E.g. who
root tty1 Jan 9 12:46
paul tty2 Jan 9 12:52

12. last
• Show last N users on system
• Default: since last cycling of file
• -N: last N lines
• Useful for identifying unusual activity in recent past
• Usage: last [-n]
• E.g. last -3
wagnerpj pts/1 137.28.253.254 Sat Feb 5 15:40 still logged in
flinstf pts/0 137.28.191.74 Sat Feb 5 15:38 still logged in
rubbleb pts/0 c48.someu.edu Sat Feb 5 14:38 - 15:25 (00:46)

13. ping
• Potential Uses
• Is system online?
• Through response
• Gather name information
• Through DNS
• Tentatively Identify operating system
• Based on TTL (packet Time To Live) on each packet line
• TTL = number of hops allowed to get to system
• 64 is Linux default, 128 is Windows default (but can be
changed!)
• Notes
• Uses ICMP packets
• Often blocked on many hosts; more useful within network
• Usage: ping system
• E.g. ping ftp.redhat.com
• E.g. ping localhost

14. traceroute
• Potential Uses
• Determine physical location of machine
• Gather network information (gateway, other
internal systems)
• Find system that’s dropping your packets –
evidence of a firewall
• Notes
• Can use UDP or ICMP packets
• Results often limited by firewalls
• Several GUI-based traceroute utilities available
• Usage: traceroute system
• E.g. traceroute cs.umn.edu

15. traceroute example - Success
C:UsersTemp>tracert telkomuniversity.ac.id
Tracing route to telkomuniversity.ac.id [10.14.203.238]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 192.168.60.1
2 6 ms 6 ms 4 ms 10.11.221.1
3 7 ms 3 ms 2 ms 10.0.0.254
4 3 ms 1 ms 1 ms 10.14.203.238
Trace complete.
C:UsersTemp>

16. traceroute example - blocked
C:UsersTemp>tracert detik.com
Tracing route to detik.com [203.190.242.69]
over a maximum of 30 hops:
1 1 ms 1 ms 2 ms 192.168.60.1
2 5 ms 2 ms 2 ms 10.11.221.1
3 4 ms 9 ms 3 ms 10.0.0.254
4 * * * Request timed out.
5 * * * Request timed out.
Trace complete.
C:UsersTemp>

17. Visual Traceroute Example

18. whois
• Potential Uses
• Queries nicname/whois servers for Internet
registration information
• Can gather contacts, names, geographic
information, servers, … - useful for social
engineering attacks
• Notes
• Usage: whois domain
• e.g. whois telkomuniversity.ac.id

19. whois example - wildcards
• whois uw%.edu
Your search has matched multiple domains.
Below are the domains you matched (up to 100). For specific
information on one of these domains, please search on that domain.
UW.EDU
UWA.EDU
UWB.EDU
UWC.EDU
UWEC.EDU
UWEST.EDU
UWEX.EDU
….

20. nslookup
• Potential Uses
• Query internet name servers
• Find name for IP address, and vice versa
• Notes
• Now deprecated – generally use dig
• Sometimes useful when dig fails
• Usage
• nslookup xxxxxxx // name or IP addr.
• E.g. nslookup academic.telkomuniversity.ac.id
• E.g. dig academic.telkomuniversity.ac.id

21. dig
• Potential Uses
• Domain Name Service (DNS) lookup utility
• Associate name with IP address and vice versa
• Notes
• Many command options
• General usage: dig <somehost>
• E.g. dig academic.telkomuniversity.ac.id
• E.g. dig 10.14.203.238

22. arp
• Tracks addresses, interfaces accessed by
system
• Possible uses
• Find systems that your system has recently talked
to
• Notes
• arp // display names
• arp –n // display numeric addresses

23. netstat
• Shows connections, routing information,
statistics
• Possible uses
• find systems that your system has recently
talked to, find recently used ports
• Notes
• Many flags
• netstat // open sockets, etc.
• netstat –s // summary statistics
• netstat – r // routing tables
• netstat – p // programs
• netstat – l // listening sockets

24. Windows Tools
• Sam Spade
• “swiss army knife” of footprinting
• Has most of the Linux tools
• Plus other functionality
• Usage
• Start application
• Fill in name or IP address
• Choose option desired in menus

25. Packet Sniffers
• Definition: Hardware or software that can
display network traffic packet information
• Usage
• Network traffic analysis
• Example packet sniffers
• tcpdump (command line, Linux)
• wireshark (GUI interface, Linux, Windows – open
source)
• others…

26. Limitations – Packet Sniffing
• Packet sniffers only catch what they can see
• Users attached to hub – can see everything
• Users attached to switch – only see own traffic
• Wireless – wireless access point is like hub
• Need to be able to put your network interface
card (NIC) in “promiscuous” mode to be able to
process all traffic, not just traffic for/from itself
• NIC must support
• Need privilege (e.g. root in Linux)

27. OSI Network Protocol
• Layer 7 – Application (incl. app. content)
• Layer 6 – Presentation
• Layer 5 – Session
• Layer 4 – Transport (incl. protocol, port)
• Layer 3 – Network (incl. source, dest)
• Layer 2 – Data Link
• Layer 1 – Physical

28. wireshark
• Created as tool to examine network problems in
1997
• Various contributors added pieces; released 1998
• Name change (2007): ethereal -> wireshark
• Works with other packet filter formats
• Information
• http://www.wireshark.org
• Demonstration

29. Using wireshark
• Ubuntu – Applications / Internet / Wireshark (as root)
• Enter your administrative account pw: user
• Capture/Interfaces/eth0:, Start
• Capture window shows accumulated totals for different
types of packets
• Stop – packets now displayed
• Top window – packet summary
• Can sort by column – source, destination, protocol are useful
• Middle window – packet breakdown
• Click on + icons for detail at each packet level
• Bottom window – packet content

30. Wireshark capture analysis
• Can save a session to a capture file
• Can reopen file later for further analysis
• Open capture file
• Ubuntu: /home/user/Support/MOBILEcapture.cap
• W2K3: C:SupportMOBILEcapture.cap
• Identify and follow different TCP streams
• Select TCP packet, Analyze/Follow TCP Stream
• MOBILEcapture.cap has http, https, ftp, ssh streams
• Any interesting information out there?
• HINT: follow stream on an ftp packet

31. Related Tool
• Hunt
• TCP sniffer
• Watch and reset connections
• Hijack sessions
• Spoof MAC address
• Spoof DNS name

32. Related Tool
• EtherPEG – image capture on network
• http://www.etherpeg.com

33. Summary
• Basic tools can generate much information
• Remember principle of accumulating
information
• Attacker will build on smaller pieces to get bigger
pieces
• Message to defenders: don’t give away any
information if you can avoid it

34. Ref
• www.cs.uwec.edu

35. Thank You
D3 Teknik Telekomunikasi