Footprinting

Before a hacker attacks your system per se, they harvest all the information they can about their target. The result is called a footprint, and depending on what countermeasures have been taken to limit the availability of such information, a footprint can be quite large. A footprint is a profile of a company's or individual's security posture: domain names, subnets, routers, specific IP addresses and the like. Footprinting is necessary for the defender as well, because it lets you see what the hacker sees and learn where you are exposed before they do.

Internet Footprinting

Footprinting proceeds in steps. First, determine the scope of your activities: are you focusing on your own organization, on information leaked by subsidiaries and partners, on both, or on a subset of one? Second, get proper authorization; as a network security admin you need it before this exercise starts. Third, realize that there are many sources of publicly available information: company web pages, related organizations, location details, employee contact information, current events, telltale security policies, archived information and disgruntled employees.

Mirroring a website with Wget or Teleport Pro and perusing the HTML for all-too-informative comments can turn up security configuration details. Other sites that interest a hacker are remote access, mainframe access and VPN access portals. Partner companies can be a security leak if they are less security-minded than you are.

Google Maps offers excellent satellite imagery for location details. Since user names and e-mail addresses are so often built from the employee's name, a list of employee names is especially useful to a hacker, and people-search websites let a wealth of contact information be looked up from a single known detail. An employee's home computer is an exceptional way into the company, perhaps through its remote access system.

A published privacy or security policy can name the software or devices that protect the organization. Information removed from a website for security reasons is in some cases still archived elsewhere, and an archived copy is just as good as the live site. Disgruntled employees may be more than happy to sell company secrets or reveal them in a passionate spiel.

Search engines can be very revealing. Usenet is a set of news groups that IT professionals use to get help with projects and ask advice; posts there can leak lots of security details. Resumes and job ads also give insight into the security measures a company uses; CareerBuilder and Monster are sources of such information.

Countermeasures include endeavoring to remove sensitive information from public sources, using aliases when posting to forums, and using isolated phone numbers that do not map back to the organization's exchange.
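
The comment-scanning part of a website mirror can be automated. The script below is an added example, not code from the Hacking Exposed text: it pulls every HTML comment out of a page and flags the ones that mention credentials, internal addresses or host names, product versions, remote-access systems, or developer TODOs. The sample page is constructed, and the mirror directory passed to scan_mirror() is assumed to be the tree left behind by a Wget or Teleport Pro mirror.

```python
"""Scan mirrored HTML for developer comments that leak configuration detail.

Added example, not code from the Hacking Exposed text. SAMPLE_HTML is a
constructed page; scan_mirror() assumes a directory tree as produced by
`wget -m -np` or Teleport Pro (assumed layout, any tree of HTML files works).
"""
import os
import re
from html.parser import HTMLParser

# Constructed sample page: the kind of comments a mirror turns up.
SAMPLE_HTML = """\
<html><head><title>Target Corp</title></head>
<body>
<!-- Main nav -->
<!-- TODO: remove before go-live: staging db is 10.10.5.31, user webapp / pass Summer2010 -->
<!-- Served by Apache 2.2.14 behind the Cisco ASA at fw1.corp.target.example -->
<p>Welcome</p>
<!-- login form posts to https://vpn.target.example/remote -->
</body></html>
"""

# Each pattern names a class of information useful to an attacker.
LEAK_PATTERNS = {
    "credential": re.compile(r"\b(pass(word)?|pwd|secret|api[_-]?key)\b", re.I),
    "internal host/IP": re.compile(
        r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
        r"|[a-z0-9-]+\.(internal|corp|local|lan))\b", re.I),
    "software/version": re.compile(
        r"\b(apache|iis|tomcat|php|mysql|oracle|checkpoint|cisco|asa|pix)\b[^\n]{0,20}\d", re.I),
    "remote access": re.compile(r"\b(vpn|remote access|intranet|extranet|admin)\b", re.I),
    "todo/fixme": re.compile(r"\b(todo|fixme|hack|temporary)\b", re.I),
}


class CommentCollector(HTMLParser):
    """Collect every <!-- ... --> comment in a document, whitespace normalised."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        text = " ".join(data.split())
        if text:
            self.comments.append(text)


def extract_comments(html):
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def flag_comments(html):
    """Return [(comment, [labels])] for every comment matching at least one pattern."""
    findings = []
    for comment in extract_comments(html):
        labels = [label for label, rx in LEAK_PATTERNS.items() if rx.search(comment)]
        if labels:
            findings.append((comment, labels))
    return findings


def scan_mirror(root):
    """Walk a mirror directory and flag comments in every page-like file under it."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".asp", ".aspx", ".php", ".jsp")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = flag_comments(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for comment, labels in flag_comments(SAMPLE_HTML):
        print(f"[{', '.join(labels)}] {comment}")
```

Run against the sample, three of the four comments are flagged: the TODO leaks a database address and a password, the second names the web server version and the firewall's internal host name, and the third points at the VPN portal. The "Main nav" comment is noise and is correctly ignored. The patterns are deliberately broad; on a real mirror you will tune them to the target's naming conventions.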

WHOIS & DNS Enumeration

The core functions of the Internet are managed by the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for assigning globally unique domain names, IP address numbers, protocol parameters and port numbers. Its Address Supporting Organization (ASO) allocates IP address blocks to the Regional Internet Registries (RIRs), which in turn manage distribution and registration of public Internet number resources within their regions: APNIC, ARIN, LACNIC, RIPE NCC and AfriNIC. Generic top-level domains are managed by the Generic Names Supporting Organization (GNSO) and country-code top-level domains by the Country Code Names Supporting Organization (ccNSO). These three supporting organizations are of particular interest because the registration data behind them is stored in WHOIS servers across the globe. Starting from a domain name, the authoritative registry for its top-level domain can be found by querying whois.iana.org. Querying that registry's WHOIS server for the domain, say google.com, returns the registrar of record and, for a registry that does not hold registrant data itself (such as .com), the registrar's own WHOIS server, which must then be queried for the registrant details. The chain can often be followed further down the hierarchy in the same way. GUIs like Sam Spade, SuperScan and NetScan Tools Pro may also assist with domain-name-related searches.

ARIN's website facilitates IP-related searches: a query for an address block returns either ARIN's own record or the name of the RIR that manages that range, and that RIR's WHOIS in turn identifies the organization the addresses are assigned to and its point of contact. Knowing the administrative contact information is valuable for impersonation (social-engineering) attacks, and this information can sometimes be found on ARIN as well. DNS interrogation is covered in the next section.
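
The registry-to-registrar walk described above can be scripted. The following is an added example, not code from the Hacking Exposed text. It speaks the WHOIS protocol directly (a query line on TCP port 43, answer read until the server closes), follows whichever referral field each server type uses, and pulls out the contact and name-server fields a hacker would take away. The three responses embedded in it are constructed, abridged samples of what IANA, a thin registry and a registrar return; the registrar host and contact details are fictitious. Only the parsing helpers run offline; whois_query() and follow_chain() need network access.

```python
"""Follow the WHOIS referral chain for a domain: IANA -> TLD registry -> registrar.

Added example, not code from the Hacking Exposed text. The three responses
below are constructed, abridged samples; registrar and contacts are fictitious.
whois_query() and follow_chain() talk to real servers over TCP/43.
"""
import re
import socket

# Constructed sample of whois.iana.org's answer when asked about the TLD "com".
IANA_SAMPLE = """\
% IANA WHOIS server
domain:       COM
whois:        whois.verisign-grs.com
status:       ACTIVE
"""

# Constructed sample from a thin registry: no registrant data, just a referral.
REGISTRY_SAMPLE = """\
   Domain Name: EXAMPLE-TARGET.COM
   Registry Domain ID: 1234567_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar URL: http://www.example-registrar.test
   Name Server: NS1.EXAMPLE-TARGET.COM
   Name Server: NS2.EXAMPLE-TARGET.COM
"""

# Constructed sample from the registrar: end of the chain, contacts included.
REGISTRAR_SAMPLE = """\
Domain Name: example-target.com
Registrant Name: REDACTED FOR PRIVACY
Admin Name: Jane Doe
Admin Email: jane.doe@example-target.com
Admin Phone: +1.5555550100
Name Server: ns1.example-target.com
"""

# Keys under which the different server types publish a referral.
REFERRAL_KEYS = ("refer", "whois", "registrar whois server")
CONTACT_KEY = re.compile(r"^(registrant|admin|tech)( contact)? (name|organization|email|phone)$")


def fields(response):
    """Yield (key, value) from 'Key: value' lines, keys lower-cased, comment lines skipped."""
    for line in response.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value:
            yield key, value


def next_whois_server(response):
    """Return the WHOIS server this response refers to, or None at the end of the chain."""
    for key, value in fields(response):
        if key in REFERRAL_KEYS:
            return value.lower()
    return None


def extract_contacts(response):
    """Contact fields (name, organization, e-mail, phone) usable for impersonation."""
    return {key: value for key, value in fields(response) if CONTACT_KEY.match(key)}


def extract_nameservers(response):
    """Name servers listed for the domain: the next targets for DNS interrogation."""
    return sorted({value.lower().rstrip(".") for key, value in fields(response)
                   if key in ("name server", "nserver")})


def whois_query(server, query, timeout=10):
    """Raw WHOIS query (RFC 3912): send the query line on TCP/43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def follow_chain(domain, start="whois.iana.org", max_hops=4):
    """Walk IANA -> registry -> registrar; returns [(server, response), ...]."""
    server, query = start, domain.rsplit(".", 1)[-1]   # IANA is asked about the TLD
    hops, seen = [], set()
    for _ in range(max_hops):
        seen.add(server)
        response = whois_query(server, query)
        hops.append((server, response))
        nxt = next_whois_server(response)
        if not nxt or nxt in seen:            # end of chain, or a server pointing at itself
            break
        server, query = nxt, domain           # later servers are asked about the domain
    return hops


if __name__ == "__main__":
    import sys
    for server, response in follow_chain(sys.argv[1] if len(sys.argv) > 1 else "example.com"):
        print(server, extract_contacts(response), extract_nameservers(response))
```

The seen-set matters in practice: many registrars list themselves under "Registrar WHOIS Server", which would otherwise loop. Note also what the registrar sample shows for the countermeasure below: a registrant record reading "REDACTED FOR PRIVACY" is exactly what the registrar's privacy feature produces, while the admin contact here was left exposed.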

Countermeasures against administrator impersonation include registering the domain under a fictitious contact name, so that anyone who asks for that person tips off the security department; listing an administrative contact phone number that is not in the organization's phone exchange; using the registrar's anonymity or privacy features so that contact information is hidden from WHOIS (the best solution); and, lastly, monitoring and restricting changes to the domain's registration data so that only requesters who have been authenticated in the strongest way available can alter it.

DNS Interrogation

A zone transfer lets a secondary master (slave) name server copy its zone database from the primary master. It exists for replication, but when the primary master answers transfer (AXFR) requests from anyone rather than only from its authorized secondaries, a zone transfer is all too helpful to a hacker. Private DNS information is like an open door, handing out internal hostnames and IP addresses. DNS servers should therefore be configured to allow zone transfers only to authorized secondary servers. nslookup can request a zone transfer: point it at the target's name server with the server command and then issue ls -d domain in interactive mode. The output may show the IP address of each computer and, through HINFO records, the operating system a host runs. nslookup can only query one name server at a time, but other tools such as Sam Spade, axfr and dig (dig @nameserver domain axfr) can try every name server for the domain quickly. Mail exchange (MX) records reveal where the organization's mail is handled, which is often the host sitting on or just behind its firewall.

Countermeasures for DNS interrogation: restrict zone transfers to authorized secondary name servers, for example with BIND's allow-transfer directive, and require transaction signatures (TSIG) so that a secondary must prove its identity cryptographically before a transfer is served. On the network side, configure the firewall or router to deny inbound connections to TCP port 53 (zone transfers run over TCP) except from the authorized secondaries, while still allowing UDP port 53 for normal queries. Finally, use split DNS: external name servers should carry only the records the public needs and never provide internal network information.
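
Whether you are auditing your own name servers for the countermeasures above or reading what an open server gave away, the transfer output has to be triaged. The script below is an added example, not code from the Hacking Exposed text. It parses dig-style zone output, separates the hosts in RFC 1918 address space (internal information leaking from an external server) from the public ones, collects HINFO records (OS and hardware strings) and the MX host, and reports whether the transfer was served at all. Both outputs embedded in it are constructed: ZONE_SAMPLE is what a misconfigured primary hands out, DENIED_SAMPLE what a correctly restricted one returns. run_axfr() shells out to a real dig and needs network access; everything else runs offline.

```python
"""Triage the output of a zone transfer attempt (dig @nameserver zone axfr).

Added example, not code from the Hacking Exposed text. ZONE_SAMPLE and
DENIED_SAMPLE are constructed; target.example and its hosts are fictitious.
"""
import ipaddress
import subprocess

ZONE_SAMPLE = """\
; <<>> DiG 9.18 <<>> @ns1.target.example target.example axfr
target.example.          3600 IN SOA   ns1.target.example. hostmaster.target.example. 2024010101 7200 3600 1209600 3600
target.example.          3600 IN NS    ns1.target.example.
target.example.          3600 IN MX    10 mail.target.example.
ns1.target.example.      3600 IN A     203.0.113.10
mail.target.example.     3600 IN A     203.0.113.25
fw1.target.example.      3600 IN A     203.0.113.1
fw1.target.example.      3600 IN HINFO "Cisco ASA" "9.8"
intranet.target.example. 3600 IN A     10.10.5.20
hr-db.target.example.    3600 IN A     10.10.5.31
hr-db.target.example.    3600 IN HINFO "Dell PowerEdge" "Windows Server 2008"
target.example.          3600 IN SOA   ns1.target.example. hostmaster.target.example. 2024010101 7200 3600 1209600 3600
"""

DENIED_SAMPLE = """\
; <<>> DiG 9.18 <<>> @ns1.target.example target.example axfr
; Transfer failed.
"""

# Only RFC 1918 space counts as internal; ipaddress.is_private would also flag
# documentation ranges such as 203.0.113.0/24, which here stand in for public IPs.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_zone(text):
    """Return (owner, type, rdata) tuples from dig-style output; comments and blanks skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)           # owner ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.append((owner.rstrip("."), rtype, rdata))
    return records


def triage(text):
    """Summarise what the transfer gives away, and whether it was served at all."""
    records = parse_zone(text)
    report = {"transfer_allowed": bool(records), "hosts": {}, "internal": [], "hinfo": {}, "mx": []}
    for owner, rtype, rdata in records:
        if rtype == "A":
            report["hosts"][owner] = rdata
            if is_internal(rdata):                       # internal address on an external server
                report["internal"].append(owner)
        elif rtype == "HINFO":                           # hardware / OS strings, straight from the admin
            report["hinfo"][owner] = rdata
        elif rtype == "MX":                              # where mail lands: usually firewall or DMZ host
            report["mx"].append(rdata.split()[1].rstrip("."))
    return report


def run_axfr(nameserver, zone):
    """Attempt a real transfer with dig and triage the result (network required)."""
    out = subprocess.run(["dig", "@" + nameserver, zone, "axfr"],
                         capture_output=True, text=True, check=False).stdout
    return triage(out)


if __name__ == "__main__":
    for label, sample in (("open", ZONE_SAMPLE), ("restricted", DENIED_SAMPLE)):
        r = triage(sample)
        print(label, "| transfer allowed:", r["transfer_allowed"],
              "| internal:", r["internal"], "| OS hints:", r["hinfo"], "| mx:", r["mx"])
```

On the open sample the report lists two internal hosts, two HINFO records (one of them naming the firewall model) and the mail host; on the restricted sample it records only that the transfer was refused, which is the result a correctly configured allow-transfer list should give to everyone except the real secondaries. Run run_axfr() once per name server returned by WHOIS, since a zone is often restricted on the primary and forgotten on a secondary.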

Network Reconnaissance

Network topology and access paths can be determined with traceroute, which exploits the IP time-to-live (TTL) field: it sends probes with TTL 1, 2, 3 and so on, and each router that decrements the TTL to zero returns an ICMP Time Exceeded message, revealing its address and thereby the route the packets take. Unix traceroute uses UDP probes to high-numbered ports by default (Windows tracert uses ICMP echo), and a firewall that blocks those stops the trace short. The trick is the port: traceroute's -p option lets the probes be sent to UDP port 53, the DNS port, which the firewall's access control lists very often allow through, so the trace continues past the firewall and maps the hosts behind it. Programs that implement traceroute include NeoTrace Professional and Trout. Tracerouting to specific TCP ports can be done with Cain & Abel as well as tcptraceroute.

Countermeasures for network reconnaissance include intrusion detection systems; a great network-based one, of course, is Snort. Generating fake responses to traceroute probes, so that the path a hacker maps is bogus, can be done with RotoRouter. Limiting UDP and ICMP traffic to specific systems (for example, permitting UDP port 53 only to the real name servers, and not letting border devices emit ICMP Time Exceeded messages to the outside) may minimize exposure as well.
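
The TTL mechanism and the port-53 trick are small enough to implement directly, which also makes clear what the countermeasures above have to suppress. The following is an added example, not code from the Hacking Exposed text: a UDP traceroute that aims every probe at port 53, together with the decoding of the ICMP errors routers send back. traceroute() needs raw-socket privilege (root) and network access; decode_icmp() and classify() are exercised offline on a packet fabricated by build_icmp_error(), a test helper that builds what a router would return (checksums left zero, addresses from documentation ranges).

```python
"""UDP traceroute aimed at port 53, plus the ICMP decoding behind it.

Added example, not code from the Hacking Exposed text. traceroute() needs root
and network; build_icmp_error() fabricates router replies for offline use.
"""
import socket
import struct
import time

ICMP_TIME_EXCEEDED = 11
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3      # code under type 3: the target itself answered, trace complete


def decode_icmp(packet):
    """Parse a raw IPv4+ICMP error and recover which probe (dst, port) it refers to."""
    if len(packet) < 20 or packet[9] != 1:            # not ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 + 8:                        # ICMP hdr + quoted IP hdr + 8 bytes of UDP
        return None
    inner = icmp[8:]                                  # the start of our probe, quoted by the router
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < inner_ihl + 4:  # quoted datagram is not UDP
        return None
    _src_port, dst_port = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"from": socket.inet_ntoa(packet[12:16]), "type": icmp[0], "code": icmp[1],
            "dst": socket.inet_ntoa(inner[16:20]), "dst_port": dst_port}


def classify(info, target_ip):
    """Time Exceeded = a router on the path; Port Unreachable from the target = destination reached."""
    if info is None or info["dst"] != target_ip:
        return "unrelated"
    if info["type"] == ICMP_TIME_EXCEEDED:
        return "intermediate"
    if info["type"] == ICMP_DEST_UNREACH:
        if info["code"] == ICMP_PORT_UNREACH and info["from"] == target_ip:
            return "destination"
        return "filtered"                             # e.g. admin-prohibited from a firewall
    return "other"


def traceroute(target, port=53, max_hops=30, timeout=2.0):
    """Send UDP probes with TTL 1, 2, 3, ... to `port` and collect the routers that answer."""
    dst = socket.gethostbyname(target)
    listener = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    listener.settimeout(timeout)
    path = []
    try:
        for ttl in range(1, max_hops + 1):
            probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            probe.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            probe.sendto(b"\x00" * 32, (dst, port))
            probe.close()
            hop, deadline = None, time.monotonic() + timeout
            while time.monotonic() < deadline:
                try:
                    pkt, _ = listener.recvfrom(1500)
                except socket.timeout:
                    break
                info = decode_icmp(pkt)
                if info and info["dst"] == dst and info["dst_port"] == port:
                    hop = info                        # an answer to our probe, not stray ICMP
                    break
            path.append((ttl, hop["from"] if hop else None))
            if hop and classify(hop, dst) == "destination":
                break
    finally:
        listener.close()
    return path


def build_icmp_error(router_ip, src_ip, dst_ip, dst_port, icmp_type=ICMP_TIME_EXCEEDED, code=0):
    """Test helper: fabricate the ICMP error a router returns for a UDP probe (checksums zero)."""
    quoted_udp = struct.pack("!HHHH", 40000, dst_port, 8, 0)
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 1, 17, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted_ip + quoted_udp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x4321, 0, 64, 1, 0,
                           socket.inet_aton(router_ip), socket.inet_aton(src_ip))
    return outer_ip + icmp


if __name__ == "__main__":
    import sys
    for ttl, router in traceroute(sys.argv[1], port=53):
        print(ttl, router or "*")
```

Two caveats a practitioner should expect. If port 53 on the final host is actually open (it is a name server), no Port Unreachable ever comes back and the trace ends in timeouts after the last router; the hops before it are still the point, since the probes got through the firewall. And a firewall that drops the probe silently instead of answering produces the same "*" as a router that suppresses Time Exceeded, which is exactly the ambiguity the RotoRouter and ICMP-limiting countermeasures create for the hacker.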

Quiz

  1. What well-known online app can be used to study a company's location through satellite imagery? Google Maps
  2. When using public forums, what is one of the advisable things to use when trying to hide your organization or name? aliases
  3. DNS is a database used to map hostnames to IP addresses (and IP addresses back to hostnames). What is it called when someone on the Internet makes a 'copy' of this database? zone transfer
  4. How can studying resumes uncover the weaknesses of a company? A job ad reveals the security software the company uses by requiring experience with it, and the employee eventually hired is likely to list that software by name on his resume.


HackingExposedChapter01 (last edited 2010-03-08 18:41:16 by anderson-camtasia)