Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Module 02
Module 02 Page 92
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
ABOUT US PRODUCTS
N EW S
A p ril 1a 2012
Facebook contains a "treasure trove" of personally identifiable information that hackers manage to get their hands on. A report by Imperva revealed that users' "general personal information" can often include a date of birth, home address and sometimes mother's maiden name, allowing hackers to access this and other websites and applications and create targeted spearphishing campaigns. It detailed a concept I call "friend-mapping", where an attacker can get further knowledge of a users circle of friends; having accessed their account and posing as a trusted friend, they can cause mayhem. This can include requesting the transfer of funds and extortion. Asked why Facebook is so important to hackers, Imperva senior security strategist Noa Bar-Yosef said: "People also add work friends on Facebook so a team leader can be identified and this can lead to corporate data being accessed, project work being discussed openly, while geo-location data can be detailed for military intelligence." "Hacktivism made up 58 per cent of attacks in the Verizon Data Breach Intelligence Report, and they are going after information on Facebook that can be used to humiliate a person. All types of attackers have their own techniques."
http://www.scmogazineuk.com
am ps
Security N ew s
Facebook a ,treasure troveof Personally Identifiable Information
uii
Source: http://www.scmagazineuk.com Facebook contains a "treasure trove" of personally identifiable information that hackers manage to get their hands on. A report by Imperva revealed that users' "general personal information" can often include a date of birth, home address and sometimes mother's maiden name, allowing hackers to access this and other websites and applications and create targeted spearphishing campaigns. It detailed a concept I call "friend-mapping", where an attacker can get further knowledge of a user's circle of friends; having accessed their account and posing as a trusted friend, they can cause mayhem. This can include requesting the transfer of funds and extortion. Asked why Facebook is so important to hackers, Imperva senior security strategist Noa BarYosef said: People also add work friends on Facebook so a team leader can be identified and this can lead to corporate data being accessed, project work being discussed openly, while geolocation data can be detailed for military intelligence."
Module 02 Page 93
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
"Hacktivism made up 58 per cent of attacks in the Verizon Data Breach Intelligence Report, and they are going after information on Facebook that can be used to humiliate a person. All types of attackers have their own techniques." On how attackers get a password in the first place, Imperva claimed that different keyloggers are used, while phishing kits that create a fake Facebook login page have been seen, and a more primitive method is a brute force attack, where the attacker repeatedly attempts to guess the user's password. In more extreme cases, a Facebook adm inistrators rights can be accessed. Although it said that this requires more effort on the hacker side and is not as prevalent, it is the "holy grail" of attacks as it provides the hacker with data on all users. On protection, Bar-Yosef said the roll-out of SSL across the whole website, rather than just at the login page, was effective, but users still needed to opt into this.
By Dan Raywood
http://www.scmagazine.com.au/Feature/265065,digitial-investigations-have-matured.aspx
Module 02 Page 94
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
M odule O bjectives
J J J J Footprinting Terminology W hat Is Footprinting? Objectives of Footprinting Footprinting Threats W J J J J Website Footprinting Email Footprinting Competitive Intelligence Footprinting Using Google J J J J J J J J WHOIS Footprinting DNS Footprinting Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites Footprinting Tools Footprinting Countermeasures Footprinting Pen Testing
CEH
t t t f
M odule O bjectives
This module will make you familiarize with the following: e e e Footprinting Terminologies W hat Is Footprinting? Objectives of Footprinting Footprinting Threats Footprinting through Search Engines Website Footprinting Email Footprinting Competitive Intelligence Footprinting Using Google WHOIS Footprinting DNS Footprinting Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites Footprinting Tools Footprinting Countermeasures Footprinting Pen Testing
Module 02 Page 95
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
Ethical hacking is legal hacking conducted by a penetration tester in order to evaluate the security of an IT infrastructure with the permission of an organization. The concept of ethical hacking cannot be explained or cannot be performed in a single step; therefore, it has been divided into several steps. Footprinting is the first step in ethical hacking, where an attacker tries to gather information about a target. To help you better understand footprinting, it has been distributed into various sections:
Xj
Footprinting Concepts
[|EJ
Footprinting Tools
Footprinting Threats
Footprinting Methodology
Module 02 Page 96
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
The Footprinting Concepts section familiarizes you with footprinting, footprinting terminology, why footprinting is necessary, and the objectives of footprinting.
Module 02 Page 97
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Anonymous Footprinting
Gather information from sources where the author of the information cannot be identified or traced
Pseudonymous Footprinting
Collect information that might be published under a different name in an attempt to preserve privacy
Internet Footprinting
Collect information about a target from the Internet
00 ooo
00
used in footprinting. These terms help you understand the concept of footprinting and its structures.
about the target organization. It refers to the process of gathering information from the open sources, i.e., publicly available sources. This requires no direct contact with the target organization. Open sources may include newspapers, television, social networking sites, blogs, etc. Using these, you can gather information such as network boundaries, IP address reachable via the Internet, operating systems, web server software used by the target network, TCP and UDP services in each system, access control mechanisms, system architecture, intrusion detection systems, and so on.
Module 02 Page 98
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
the target organization. Attackers try to extract information from the employees by conducting social engineering: on-site visits, interviews, questionnaires, etc.
*s
Private footp rint""ing involves collecting information from an organization's webbased calendar and email services.
Internet Footprinting
Internet footprinting refers to the process of collecting information of the target
Module 02 Page 99
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
W h a t I s F o o tp rin tin g ?
Footprinting is the process of collecting as much information as possible about a target network, for identifying various ways to intrude into an organization's network system
Determine the operating system used, platforms running, web server versions, etc.
di i iH a
af , a a
What Is Footprinting?
Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting you can find various ways to intrude into the target organization's network system. It is considered methodological" because critical information is sought based on a previous discovery. Once you begin the footprinting process in a methodological manner, you will obtain the blueprint of the security profile of the target organization. Here the term "blueprint" is used because the result that you get at the end of footprinting refers to the unique system profile of the target organization. There is no single methodology for footprinting as you can trace information in several routes. However, this activity is important as all crucial information needs to be gathered before you begin hacking. Hence, you should carry out the footprinting precisely and in an organized manner. You can collect information about the target organization through the means of footprinting in four steps: 1. 2. Collect basic information about the target and its network Determine the operating system used, platforms running, web server versions, etc.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
3. 4.
Perform techniques such as Whois, DNS, network and organizational queries Find vulnerabilities and exploits for launching attacks
Furthermore, we will discuss how to collect basic information, determine operating system of target computer, platforms running, and web server versions, various methods of footprinting, and how to find and exploit vulnerabilities in detail.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
W h y F o o tp rin tin g ?
Urti*W
CEH
itkM l lUckw
I'n'n'r'n'n'
Why Footprinting?
For attackers to build a hacking strategy, they need to gather information about the
target organization's network, so that they can find the easiest way to break into the organization's security perimeter. As mentioned previously, footprinting is the easiest way to gather information about the target organization; this plays a vital role in the hacking process. Footprinting helps to: Know Security Posture
Performing footprinting on the target organization in a systematic and methodical manner gives the complete profile of the organization's security posture. You can analyze this report to figure out loopholes in the security posture of your target organization and then you can build your hacking plan accordingly. Reduce Attack Area
By using a combination of tools and techniques, attackers can take an unknown entity (for example XYZ Organization) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture. Build Information Database
Module 02 Page 102 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
A detailed footprint
provides
maximum
information
Attackers can build their own information database about security weakness of the target organization. This database can then be analyzed to find the easiest way to break into the organization's security perimeter. Draw Network Map
Combining footprinting techniques with tools such as Tracert allows the attacker to create network diagrams of the target organization's network presence. This network map represents their understanding of the targets Internet footprint. These network diagrams can guide the attack.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
O b jectiv es of F ootprinting
0 0 0 0 Domain name Internal domain names Network blocks IP addresses of the reachable systems Rogue websites/private websites TCP and UDP services running Access control Mechanisms and ACL's * Networking protocols
CEH
0 0 0
0 0 0 0 0
tf
VPN Points ACLs IDSes running Analog/digital telephone numbers Authentication mechanisms System Enumeration
1 1v / <
* System banners
Routing tables
: SNMP information
System names
: Passwords
0 0 0
Employee details Organization's website Company directory Location details Address and phone numbers
0
0
Comments in HTML source code Security policies implemented Web server links relevant to the organization Background of the organization News articles/press releases
0 0 0
0 0
O bjectives of Footprinting
The information, major system objectives of footprinting and the include collecting the information. target's network out information, organizational By carrying footprinting at various network levels, you can gain information such as: network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, and access control mechanisms. W ith footprinting, information such as employee names, phone numbers, contact addresses, designation, and work experience, and so on can also be obtained.
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
So far, we discussed footprinting concepts, and now we will discuss the threats associated with footprinting:
Footprinting Concepts
Footprinting Tools
o Footprinting Threats
Footprinting Countermeasures
C L)
Footprinting Methodology
xi
? * The Footprinting Threats section familiarizes you with the threats associated with footprinting such as social engineering, system and network attacks, corporate espionage, etc.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting T hreats
J Attackers gather valuable system and network information such as account details, operating system and installed applications, network components, server names, database schema details, etc. from footprinting techniques
Types off T h re a ts
Information Leakage
Privacy Loss
J.
Corporate Espionage
Business Loss
C o p yrigh t b y
EG-G*ancil. All
Footprinting Threats
As discussed previously, attackers perform footprinting as the first step in an attempt to
hack a target organization. In the footprinting phase, attackers try to collect valuable systemlevel information such as account details, operating system and other software versions, server names, and database schema details that will be useful in the hacking process. The following are various threats due to footprinting:
Social E ngineering
W ithout using any intrusion methods, hackers directly and indirectly collect information through persuasion and various other means. Here, crucial information is gathered by the hackers through employees without their consent.
footprinting, attackers can gather information related to the target organization's system configuration, operating system running on the machine, and so on. Using this information, attackers can find the vulnerabilities present in the target system and then can exploit those
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
vulnerabilities. Thus, attackers can take control over a target system. Similarly, attackers can also take control over the entire network.
&
pa,
L 3 3
If sensitive organizational information falls into the hands of attackers, then they can build an attack plan based on the information, or use it for monetary benefits.
G P
Privacy
L oss
With the help of footprinting, hackers are able to access the systems and networks of
the company and even escalate the privileges up to admin levels. W hatever privacy was maintained by the company is completely lost.
Corporate Espionage
Corporate espionage is one of the major threats to companies as competitors can spy and attempt to steal sensitive data through footprinting. Due to this type of espionage, competitors are able to launch similar products in the market, affecting the market position of a company.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
Now that you are familiar with footprinting concepts and threats, we will discuss the footprinting methodology. The footprinting methodology section discusses various techniques used to collect information about the target organization from different sources.
Footprinting Concepts
Footprinting Tools
Footprinting Threats
Footprinting Countermeasures
G O
Footprinting Methodology
v!
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
EH
W H O IS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
I ^
Footprinting M ethodology
The footprinting methodology is a procedural way of collecting information about a determining URL, location, establishment details, number of employees, the
target organization from all available sources. It deals with gathering information about a target organization, specific range of domain names, and contact information. This information can be gathered from various sources such as search engines, Whois databases, etc. Search engines are the main information sources where you can find valuable information about your target organization. Therefore, first we will discuss footprinting through search engines. Here we are going to discuss how and what information we can collect through search engines. Examples of search engines include: www.google.com ,www.yahoo.com ,www.bing.com
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
M C D M Tzerperator
Microsoft
IIM l tv| h *tiV .ro w *M idmIn ts ia p * * n j
s*
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
contact address, the services offered, number of employees, etc. that may prove to be a valuable source for hacking. O wcbcachc.googleusercontent.com scarch?q-cache:ARbFVg INvoJ:en.wikipcdia.org/wiki/Micn & ,|
This i3 Google's cache of http i / e n wikipedia 0 rgAviki/Micro soft t is a snapshot of the page as it appeared on 17 Jul 2012 13:15:03 GMT The current page could have changed in the meantirre Learn more Text-only /ersicn
Microsoft
From Wikipedia. the free encyclopedia
- 47'38*22 55N 12274242W
Main page
Donate to vviKipeaia
Interaction
Microsoft Corporation (NASDAQ: MSFTt? ) is ar American multinational corporation headquartered n ReJrrond. Washington. United States that develops, manufactures licenses, and supports a wide range cf products and services rolatod to computing. Tho company was foundoc by Bill Gatos and Paul Allen on Apr J 4. 1975. Microsoft is the world's largest software corporation measured by revenues Microsoft was established to develop and sell BA SC inteipieteis foi the Altai! 8800 It rose to dominate the home computer operating system market wth MS-OOS n the m id 1980s followed by the Microsoft Wndows line of operating systems The companys 1986 initial public oferng. and subsequent rise in the share price, created ar estimated three billionaires and 12.000 millionaires from Microsoft employees Since the 1990s. the company has increasingly d1 \ersrf1 ed from the operating system market. In May 2011 Microsoft acquired Skype for $8 5 billion in its largest acquisition to date PI
M ic ro s o rt c o rp o ra tio n
Microsoft
Type Rjblc Traded as NASDAQ: MSFT ^ SEHK: 4 3 3 3( > Cow Jones Industrial Average component
NASDAQ-100com ponent
S&P50D component
Induttry Computer tofiwar Onlir t#rvic Video gorroo Albuquerque, New Mexico, United States (April 4,1975) Bill Gates, Paul Alien Microsoft Redmond Campts,
Contact Wikipedia
Founded
Founder()
Print/export Languages
Headquarters
As an ethical hacker, if you find any sensitive information of your company in the search engine result pages, you should remove that information. Although you remove the sensitive information, it may still be available in a search engine cache. Therefore, you should also check the search engine cache to ensure that the sensitive data is removed permanently.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
To o ls to Search Internal UR Ls
http://news.netcraft.com h t t p : / / w w w . webmaster-a.com/ l i n k - e x t r a c tor-internal.php
A
Internal U R Ls of m icrosoft.com
t ) s u p p o r t . m icrosoft.com e s 0 O 6 0 office.mi c r o s o f t . c o m s e a r c h . m icrosoft.com msdn. m i c r o s o f t . c o m update.mi c r o s o f t . c o m t e c h n e t . m icrosoft.com windo w s . m i c r o s o f t . c o m
f j ^
2. Type the name of the target company in the Search box and press Enter. The internal URL is used for accessing the company's vault server directly inside the corporate network. The internal URL helps to access the internal functions of a company. Most companies use common formats for internal URLs. Therefore, if you know the external URL of a company, you can predict an internal URL through trial and error. These internal URLs provide insight into different departments and business units in an organization. You can also find the internal URLs of an organization using tools such as netcraft. Tools to Search Internal URLs
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Netcraft
Source: http://news.netcraft.com Netcraft deals with web server, web hosting market-share analysis, and operating system detection. It provides free anti-phishing toolbar (Net craft toolbar) for Firefox as well as Internet Explorer browsers. The netcraft toolbar avoids phishing attacks and protects the Internet users from fraudsters. It checks the risk rate as well as the hosting location of the websites we visit.
Link Extractor
Source: http://www.webmaster-a.com/link-extractor-internal.php Link Extractor is a link extraction utility that allows you to choose between external and internal URLs, and will return a plain list of URLs linked to or an html list. You can use this utility to competitor sites. Examples of internal URLs of microsoft.com: support.microsoft.com office.microsoft.com search.microsoft.com msdn.microsoft.com update.microsoft.com
technet.microsoft.com windows.microsoft.com
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Urt1fw4
CEH
ilh iu l lUtbM
Welcome to Microsoft
Irocua Dt+noaSz Sicuity Stifpcrt Su
http://offlce.microsoft.com
http://answers.microsoft.com
Public W ebsite
Restricted W ebsite
Copyright by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
A restricted website is a website that is available to only a few people. The people may be employees of an organization, members of a department, etc. Restrictions can be applied based on the IP number, domain or subnet, username, and password. Restricted or private websites of microsoft.com include: http://technet.microsoft.com, http://windows.microsoft.com, http://office.microsoft.com, and http://answers.microsoft.com.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Microsoft | TechNet
W1 * I TKMCINfMS IVMUAIIOM lMl fVINIl .< * < % U*VKTU*I% IKHM lM kOC
EZESZ1
NBOUn
lunott
W A C tt U V fjm
OOMQW
Welcome to Office
F - .
ML
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
* *
* Liytit
S 0 5
OS fto *
Je Q>flrwr1cvyec
5. 0
o ***
0fllv
Q 0 1 1 c
M o
Example: maps.google.com Google Maps provides a Street View feature that provides you with a series of images of building, as well as its surroundings, including WI-FI networks. Attackers may use Google Maps to find or locate entrances to buildings, security cameras, gates, places to hide, weak spots in perimeter fences, and utility resources like electricity connections, to measure distance between different objects, etc.
=ssa
C
You
fi https' maps.google.fc
Starch Imago* Mall Oocuinonl Calondai Shot ConUctt Ma p
. \ l
Google
Gt ArtcM** My piac! A oo <
*port P0C 4m. uc* L*M Hlp O oogi ue* Mi: 001 rm1 01 um* *
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
P e o p le S e a r c h
Information about an individual can be found at various people search websites
inform ation ab ou t a person: S
C EH
The people search returns th e follow ing Residential addresses and email addresses Contact numbers and date of birth Photos and social networking profiles Blog URLs Satellite pictures of private residencies
frfi
S S
PP *
!is 2 !;
K ttje O. I* tan C A .U .w e* * < *U
http://pipl.com
http://www.spokeo.com
Copyright by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
People Search
You can use the public record websites to find information about people's email addresses, phone numbers, house addresses, and other information. Usingthis information you can try to obtain bank details, credit card details, mobile numbers, past history, etc. There are many people search online services available that help find people, http://pipl.com and http://www.spokeo.com are examples of people search services that allow you to search for the people with their name, email, username, phone, or address. These people search services may provide information such as: Q O Q Residential addresses and email addresses Contact numbers and date of birth Photos and social networking profiles Blog URLs
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Zoomlnfo
h ttp ://w w w .zo o m in fo . com
PeekYou
h ttp ://w w w .p e e kyo u . com
Intelius
h ttp ://w w w .inte liu s.com
AnyWho
http ://w w w .an yw h o.co m
&
m o IP
PeopleSmart
h ttp ://w w w .pe op le sm a rt. com
People Lookup
S https://w w w .peoplelookup.com
WhitePages
V/ > J
.3;
At present, many Internet users are using people search engines to find information about other people. Most often people search engines provide people's names, addresses, and contact details. Some people search engines may also reveal the type of work an individual does, businesses owned by a person, contact numbers, company email addresses, mobile numbers, fax numbers, dates of birth, personal -mail addresses, etc. This information proves to be highly beneficial for attackers to launch attacks. Some of the people search engines are listed as follows:
Zaba Search
Source: http://www.zabasearch.com Zaba Search is a people search engine that provides information such as address, phone number, current location, etc. of people in the US. It allows you to search for people by their name.
Zoom lnfo
Source: http://www.zoominfo.com
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Zoom Info is a business people directory using which you can find business contacts, people's professional profiles, biographies, work histories, affiliations, links to employee profiles with verified contact information, and more.
E.
Wink People Search is a people search engine that provides information about people by name and location. It gives phone number, address, websites, photos, work, school, etc.
AnyWho
Source: http://www.anywho.com
AnyWho is a website that helps you find information about people, their businesses, and their locations online. With the help of a phone number, you can get all the details of an individual.
P eople Lookup
Source: https://www.peoplelookup.com People Lookup is a people search engine that allows you to find, locate, and then connect with people. It also allows you to look up a phone number, search for cell numbers, find an address or phone number, and search for people in the US. This database uses information from public records.
PeekYou
Source: http://www.peekyou.com PeekYou is a people search engine that allows you to search for profiles and contact information of people in India and cities' top employers and schools. It allows you to search for the people with their names or usernames.
Intelius
Source: http://www.intelius.com Intelius is a public records business that provides information services. It allows you to search for the people in US with their name, address, phone number, or email address.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
PeopleSm art
Source: http://www.peoplesmart.com People Smart is a people search service that allows you to find people's work information with their name, city, and state. In addition, it allows you to perform reverse phone lookups, email searches, searches by address, and county searches.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
W hitePages
Source: http://www.whitepages.com WhitePages is a people search engine that provides information about people by name and location. Using the phone number, you can find the person's address.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
r Google
ft R30er Feoerer
i i n s *
h ttp ://tw itte r.c o m
! 3a
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Facebook
Source: http://www.facebook.com Facebook allows you to search for people, their friends, colleagues, and people living around them and others with whom they are affiliated. In addition, you can also find their professional information such as their company or business, current location, phone number, email ID, photos, videos, etc. It allows you to search for people by username or email address.
facebook
Carmen f lectra
A na*<raof hamd-watt. Carmangraw near Cmamas, 900 . and got hor ! braak *htn a tcout for fw c* aponad har danang and a*ad har to cama and audon for
Carman *roto a bock. >to* toBaSaxv'wfvtftwat oubkihad by Random noma In +* book Carman convayi tm ascW ird ifM n d n g ifo n tln w M lfaN co r
Carman * aiao the *ace of Ma* factor,a brand that a W t J aknoat 10 0 yaari ago and nwadataJY Mad to < 101aod1 moat baauHU facaa. Carmanparm m Mai factor *eahset her mTv and pm ..$
FIGURE 2.7: Facebook a social networking service to search for people across the world
L inkedln
1
Source: http://www.linkedin.com
Linkedln is a social networking website for professional people. It allows you to find people by name, keyword, company, school, etc. Searching for people on Linkedln gives you information such as name, designation, name of company, current location, and education qualifications, but to use Linkedln you need to be registered with the site.
Twitter
Source: http://twitter.com
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Twitter is a social networking service that allows people to send and read text messages (tweets). Even unregistered users can read tweets on this site.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
G oogle+
Source: https://plus.google.com Google+ is a social networking site that aims to make sharing on the web more like sharing in real life. You can grab a lot of useful information about users from this site and use it to hack their systems.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
(> ^
useful information such as the market value of a company's shares, company profile, competitor details, etc. The information offered varies from one service to the next. In order to avail themselves of services such as e-mail alerts and phone alerts, users need to register on the financial services. This gives an opportunity for an attacker to grab useful information for hacking. Many financial firms rely on web access, performing transactions, and user access to their accounts. Attackers can obtain sensitive and private information of users using information theft, key loggers, etc. Attackers can even grab this information by implementing cybercrimes, and exploit it with the help of non-vulnerable threats (software design flaw example; breaking authentication mechanism). The following are some of non-vulnerable threats: Q Service flooding Brute force attack S Phishing
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Urtifwl
CEH
ilhiul lUtbM
Look fo r th ese:
e 6 Job requirements Employee's profile
En:ep 3 Applicators EngincerfCBA Aboa Us Sanre ISfti. t * WarJ k Bc\v Faraiy c( nnpjwt h. r ht>rornuylm c bowmt toinlntp-l'adin( *slutkm in even *wt of andlwrwflft tvHikuk *vl fwrir* v tt arr>^< c th* tcol< mvl tci-hiolosr' rtjtfhWp fcffli <are<ed V* o il if proivSnj. "S m rf of I ' 1 1 .*1< Fxrflmr ' Wt eitaxi ths1aoe fe\el ofservice !0 our no* *witm* aisrt otr uivktuv V { otf 0inprttT. r taanrt and b enefits, but out tbrtiztli it on timh iltuf We fosta 1 cisual b ut h*d uoriar.fi mwcnrxctt. ottmizt fin
p o s it io nla ro ra u T io
Wr04 town niciK*
A C H |
http://www.indeed.com http://www.usajobs.gov
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
M D
17123M546706 4 2 3 1 9 1 7 3 0 0 4
BocaRaton. FL 3 3 4 1 7
J06 M jfin
IT/Sofcare D evolopm ert
Design and vnpiemort Ik Iv k iI ukAooi on N ,gitfgiT.te g >_____________ Support fusing V W n d o w s tmtaitucljrf VM OrtctofY 2 0 0 3 . SMS. SUS. C SOL Sew. SOL Clusters. Ewhange 55. Eahange 2 0 0 3 . vn war*, vertas backip i *wir. h court and Mn securty. Master Recwery wivkm. RM O technologies. and FOrt^AN < * s *
1 0 K M lo r U __________________
5 or m ore years espenence *wttig IT *nplem erAng and sgppodngiglobalbusntss >Pnor nponorxt r supportng a global Wlad M l ttftW and Doma* tofrastoxture E^m m ik ( npltfnonlng and supposingV M Dwlwy. Cfttr M etalrafne. SOL Server. SOL Cluster. DNS. DHCP. WHS. and Etthange 2 0 0 3man Enterprise ecM ronm ert VKy strongsystemstowweshoolng sMs Eipenence mpro w fcn g2 4 h o u r supportto a gktoai erterpnse as partofan orvcal rotaton Edectweinterpersonal sloiswdhfieabrtortobepersuasae Otttf stalls Bulling Elect* * Team s, Acton Onerted Peer RtlaftonsMps, Custom er Focus. Pnor% Setng, ProWwi SoM ng, andBusinessAcum en Bachelor**** D egreeor equwalerteipenence MCSE (2003) certtcafton a plus. Cdra Certtcafton a plus
Usually attackers look for the following information: Job requirements Employee's profile Hardware information Software information
Examples of job websites include: Q Q S C D S Q http //www. monster.com http //www.careerbu ilder.com http //www.dice.com a 4- 4- -C //www.simplvhired.com
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
C EH
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Google
Search query
C o o g i A le rt Security New*
Alerts
Tkta New
Security News
N#Vf Yoric Time* BEIRUT Lebanon The hilling on Wednesday of President Bashat al-Assads key security aides a brazen bombog attack close to Mr Assads own residonce. called into question the ability of a government that depends on an insular group of loyalists to S t t ! ?ft te a t r
S i n a eRaa 11 aL a n dD t a f l l i B t e f t l aA j i a d a l a n t r C i i c l g
Trei
Result type
Everything
San Jose Mercury Mews Turr.s out <Mas 3s easy as using a rug to scale a ra20r *ire topped security fence at a small Utah arport in the rroddie cf night slipping past security bearding an idle empty S0-passeog?r SkyWest Aifhnes and rewng up the engines. He Clashed the ...
How often
Once a day
?tpnts m th!?
How many:
Reuters BEIRUT'AMMAN (Reuters) - Mystery surrounded the whereabouts of S y r an President Basha* 31Assad cn Thursday a day after a oomoer killed and wounded his security cnefs anc rebels closed in on the centre of Damascus vowing to *liberate" the capital.
>
Your email
@yahoo com
C R EA TE A LER T Manage your alerts
W a l Street Journal BEIRUTSyrian rebels pierced the innermost circle 0 1 President Bashar a -Assads regime wKh a bomb blast that kiled thiee high-lewl officials and raised questions about the aMity of the courftry's security forces to sustain the embattled government Syna
w ii st^! a<
Yahoo!
Alerts
is available
at
http://alerts.yahoo.com
and
Giga
Alert
is available
at
Ethical Hacking and Countermeasures Copyright by EC-COlMCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
CEH
W H O IS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
Footprinting M ethodology
So far, we have discussed the first step of footprinting methodology, i.e., footprinting via search engines. Now we will discuss website footprinting. An organization's website is a first place where you can get sensitive information such as names and contact details of chief persons in the company, upcoming project details, and so on. This section covers the website footprinting concept, mirroring websites, the tools used for mirroring, and monitoring web updates.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
C EH
Use Zaproxy, Burp Suite, Firebug, etc. to view headers that provide:
w Connection status and content-type ~ t; Accept-Ranges Last-Modified information X-Powered-By information Web server in use and its version
W ebsite Footprinting
It is possible for an attacker to build a detailed map of a website's structure and architecture without IDS being triggered or without raising any sys admin suspicions. It can be accomplished either with the help of sophisticated footprinting tools or just with the basic tools that come along with the operating system, such as telnet and a browser. Using the Netcraft tool you can gather website information such as IP address, registered name and address of the domain owner, domain name, host of the site, OS details, etc. But this tool may not give all these details for every site. In such cases, you should browse the target website. Browsing the target website will provide you with the following information: Q Software used and its version: You can find not only the software in use but also the version easily on the off-the-shelf software-based website. Q 9 Operating system used: Usually the operating system can also be determined. Sub-directories and parameters: You can reveal the sub-directories and parameters by making a note of all the URLs while browsing the target website.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Filename, path, database field name, or query: You should analyze anything after a query that looks like a filename, path, database field name, or query carefully to check whether it offers opportunities for SQL injection. - Scripting platform: With the help of the script filename extensions such as .php, .asp, .jsp, etc. you can easily determine the scripting platform that the target website is using. S Contact details and CMS details: The contact pages usually offer details such as names, phone numbers, email addresses, and locations of admin or support people. You can use these details to perform a social engineering attack. CMS software allows URL rewriting in order to disguise the script filename extensions. In this case, you need to put little more effort to determine the scripting platform. Use Paros Proxy, Burp Suite, Firebug, etc. to view headers that provide: Q Q Q Connection status and content-type Accept-ranges Last-Modified information X-Powered-By information
W eb server in use and its version Source: http://portswigger.net The following is a screenshot of Burp Suite showing headers of packets in the information pane:
FIGURE 2.14: Burp Suite showing headers of packets in the information pane
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Urt1fw4
CEH
ilh iu l lUtbM
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
T
V 1 ew j u 1< e w w w jn 1<rc.
T
ft
H
\
A I
C ft
t l}
Examine cookies set by the server to determine the software running and its behavior. You can also identify the script in platforms by observing sessions and other supporting cookies.
Cook* * ar*d site data Sit
0dyM<u11(y.Kn 100bcttbuy.com
X
Remove $0
SeercH toofc*et
Nmc Content.
Dom#n P*h Send for Accrv.4>teto script Created Expires: Remove www.tOObestbuy.com www.100nests.com 125rf.com www.l23d.com 1cookie 1cootoe }cobet 2 cootaes. local storage
.100bettbuy.com / Aity krnd of connection Yet Mondey. Juy 1 6 12012 &S3^1 AM Mondey. Jjnu.ry U. 2013 *5341 PM
v
OK
FIGURE 2.16: Showing details about the software running in a system by examining cookies
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
M ir r o r in g E n tire W e b site
J Mirroring an entire website onto the local system enables an attacker to dissect and identify vulnerabilities; it also assists in finding directory structure and other valuable information without multiple requests to web server J W eb mirroring tools allow you to download a website to a local directory, building recursively all directories, HTML, images, flash, videos, and other files from the server to your computer
C EH
Original Website
M irrored Website
Copyright by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
This can be done with the help of web mirroring tools. These tools allow you to download a website to a local directory, recursively building all directories, HTML, images, flash, videos and other files from the server to your computer. Website mirroring has the following benefits: Q It is helpful for offline site browsing. Website mirroring helps in creating a backup site for the original one. Q Q A website clone can be created. Website mirroring is useful to test the site at the time of website design and development. Q It is possible to distribute to multiple servers instead of using only one server.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Original Website
Mirrored Website
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
W e b site M ir r o r in g T ools
CEH
HTTrack is an offline browser utility. It allows you to download a World W ide W eb site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative linkstructure. Open a page of the "mirrored" website in your browser, browse the site from link to link, and you can view the site as if you were online. HTTrack can also update an existing mirrored site, and resume interrupted downloads.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
S jy lo< ^
M i si. N 8 ) i. p I Bi
W orm etion BvletMvwj T im Tmnrfer rat Act** comeacr* W Actons 992*6 2 2 1 2 lr*u canred FiMwKUn 6*0n 2/2 0
o e / > (5 e 9 & / )
*W ffltw ircom
" cont4wcon <
SurfOffline
Source: http://www.surfoffline.com SurfOffline is a website download software. The software allows you to download entire the target websites and download web pages to your local hard drive. After downloading
website, you can use SurfOffline as an offline browser and view downloaded web pages in it. If you prefer to view downloaded webpages in another browser, you can use the Export Wizard. SurfOffline's Export Wizard also allows you to copy downloaded websites to other computers in order to view them later and prepares websites for burning them to a CD or DVD.
J
F.4e View Projects
SurfOffline Professional 2.1 Unregistered trial version. You have 30 day(s) left
8rowver HHp
I ** 1 1 x
i L
O Promts
) Zi O H i >O ^ O Q j j
+ +
1m 1 : http:.'/w ww.j1 g g y t> ... 2: http7/www^u9gyb J: http--//w w w .;1>ggyb... * http,// w w w/uggyb. S : http://www.;u9g> -b...
Pfoywi
Loaded byt 0 0 0 0 0
vJ 1
BlackW idow
Source: http://softbvtelabs.com
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
BlackWidow is a website scanner for both experts and beginners. It scans websites (it's a site ripper). It can download an entire website or part of a website. It will build a site structure first, and then downloads. It allows you to choose what to download from the website.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
X l W M
ttrw og>
O o m H o ^ t
^ [() 0|V
'fj l t n g liw 1 a m U h jh
Q >
2J***' S * *
Welcome to Microsoft
*o*ucta
0 0
e *d
S*o^
Support
wy
W ebripper
Source: http://www.calluna-software.com WebRipper is an Internet scanner and downloader. It downloads massive amount of images, videos, audio, and executable documents from any website. WebRipper uses spider-technology to follow the links in all directions from the start-address. It filters out the interesting files, and adds them to the download-queue for downloading. You can restrict downloaded items by file type, minimum file, maximum file, and image size. All the downloaded links can also be restricted by keywords to avoid wasting your bandwidth.
W rt> Rppef 03 -Copyright (0 200S-2009 -Stm sonSoft
Ne M > T00H *dp
H!Ixl ^|%|
F < xsy3 M m fiwemgW SucceeAiMee fM ta
0 SamsonSoft
Seemedpage F<*rdpagee Sotte.n
Selected!*
Oowteed* | Sodtn | Stje Reojetfngheader ReojeCng header Regjecng healer Reaietfrg header Reje*rg header
WebRipper
The u ltim ate tool for wehsite ripping
001M8M4
0 12KES
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
W e b site M ir r o r in g T ools
o
Website Ripper Copier
h ttp ://w w w . tensons.com
(Contd)
(EH
Urt.fi* | ttk.ul MmIm
PageNest
h ttp ://w w w .p a g e n e st. com
Teleport Pro
h ttp ://w w w . tenmax.com
Backstreet Browser
h ttp ://w w w . spadixbd. com
__ ,
GNU Wget
h ttp ://w w w .g n u .o rg
iMiser
http://internetresearchtool.com
I 2 A Z J
Hooeey Webprint
h ttp://w w w .hooeeyw ebprint.com
Offline Explorer Enterprise available at http://www.metaproducts.com 9 GNU Wget available at http://www.gnu.org Hooeey Webprint available at http://www.hooeeywebprint.com
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
Extract W ebsite Inform ation from ------- http:7/w w w . arch ive. org
E I
Archive is an Internet Archive W ayback Machine that allows you to visit archived versions of websites. This allows you to gather information on a company's web pages since their creation. As the website www.archive.org keeps track of web pages from the time of their inception, you can retrieve even information that has been removed from the target website.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
'.) wayback.arch1vc.org
: rosottcon
~ \ ~ ii \
Go Waytoackl
n i' '
!http://microsoft.com
J!" *
1 .h
3 9 10 11 18 12 13 14 19 JO < 2 1 7 15 22 13 20 27
7 8 14 15 2 1 22 28
9 1 16 17 23 24
ft
10
11
12 10 17 24 11 12 13 18 19 20 23 26 27 14 15 21 22 28 29 1 6 23 30
16 17
23 24 25 26 30 3 1 MAY 1 15 22 29 2 3 4
28 29
5 6 12 13 19 20 26 27
7 14 2 1 28 5 12 19 26 ft 7 8 < 16 2) 1 0 17 )4 11 18 25 10 17 11 12 13 1 1 20 75 26 27 U 21 15 22 16 23 14 31 28 15 22 29
9 10 111 16 23 30 17 24 31 18 26
1 0 1 1 1 2
16 171919 23 24252 30 31
13 14 15 20 21 ?2
27 28 29 3
24
2 29 30
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
a|
j 4|[b1 ^ rs
change http:Vww1 At.hotm ail.com http://www.miuoicftcom 2 0 1 2 0 7 1 8 1&2&22 http-7/w wwa^ne com'dowmloa 2 0 0 1 0 0 7 1fclS27 http:/ 'wrw.a1gne1 .com'fovn'1 1- 2 0 C S 1 0 C 71 5 7 4 4 :4 s Statu* Warning:whole content _ CK. mibafccrilRecSrect.on CK CK. pfcp6B2 Plugin proc... Last check 1 3 :1 4 2 0 1 2 0 7 1 8 16:2*33 2 0 0 8 1 0 0 7 15:4*30 2 0 0 8 1 0 0 71 5 :4 4 :4 9
WebSite- Watche
Hchpp r p jju w Scfp^rwhot*; VWo< EowpIo.kI ,
e.
S l a y In
Buy Now
Siionort
Im w c l (O MB)
f^ * ^ r * T 4 / 2 0 0 0 ^ 0 0 y X P A
Page
Tt
Analysw
http://aignes.com
Copyright by EG-Gllincil. All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
CEH
W H O IS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
Footprinting M ethodology
So far we have discussed Footprinting through search engines and website footprinting, the two initial phases of footprinting methodology. Now we will discuss email footprinting.
W H O IS Footprinting
DNS Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
This section describes how to track email communications, how to collect information from email headers, and email tracking tools.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
c El\
When the email was received and read Set messages to expire after a specified time GPS location and map of the recipient
Track PDF and other types of attachments Whether or not the recipient it visited any links sent to them
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
' ' Operating system: This reveals information about the type of operating system used by the recipient. The attacker can use this information to launch an attack by finding loopholes in that particular operating system. Q Forward email: W hether or not the email sent to you is forwarded to another person can be determined easily by using this tool.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Delivored-To: _ 0gmc1il.com The address from which Received: by 10.112.39.167 with SMTP id q7cj the message was sent Fri, 1 Jun 2012 21:24:01 - O T O O i f ^ Return-Path: < * - -erma@gmail.com> Received-SPF: pass (google.com: domain of designates 10.224.205.137 as permitted sender) clientip=10.224.205.1 377 Sender's mail server Authentication-Results:| m ^ g o o g ^ ^ ^ o m rrw ^l 10.224.205.137 as p e r m i ^ ? ? ^ SmtpTml^H fcm; dkim=pass header.i;_ * . . * rma@gmail.com Received: frommr.google.com ([10.224.205.137]) Date and time received !hY wir.h SMTP I r i fr^..n^8570qab.39.131 by the originator's IFri, 01 Jun 2Q12 21;24:QQ -0700 (PDT)I
email servers
d=gma11.com; 3=20120113; h-mime-version:in-reply-to: Authentication system ect:from:to :content-type; used by sender's bh=TGEIPb4ti7gfQG+ghh70kPj kx+Tt/iAClfl mail server bKyuZLTLfg2--QZX;cZKexlNnvRcnD/ + P4+Nkl ! 2P t 75MxDR8 bl PK3p J3Uf/CsaB7.Wr>TTOXI aKOAGrP3BOt 92MCZFxeUUQ9uwL/xHAI SnkoUTF.F.*KGqOC 0a9hD59D30Xl8KAC7ZmkblGzXmV4DlWf fCL894RaMBOU1*MzRwOWWIib95al I38cqt If P ZhrWFKh5xSnZXsE73xZPEYzp7yeeCeQuYHZNGslKxc07xQjeZuw+HWK/vR6xChDJapZ4 K5ZAfYZmkIkFX+VdLZqu7YGFzy60HcuP16y3/C2fXHVd3uY<nMT/yecvhCV080y7FKt6 /Kzw- MIME-Veraion: 1.0 Received; by 10.224.205.137 with SMTP id fq9; 1040318; Fri, 01 Jun 2012 21:24:00 -0700 (PDT) Received: by 10.229.230.79 with HTTP; Fri In-Reply-To: <CAOYWATTlzdDXE308D2rhiE4Ber l.com>
itify theme:
nO -EMJcgfgX+mUf jB tt2sy2dXA0mail.gmail .com> o; 1 LUTIONS ::: erma6gmail.com> \ I.com. )LUTIONS < Sender's full name r0yahoo.com>
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Delivered-To: 8 . ! gmail.com Received: by 10.112. 39". 167 with SMTP id q7csp4894121bk; Fri, 1 Jun 2012 21:24:01 -0700 (PDT) Return-Path: < - -erma@gmail.com> Received-SPF: pass (google.com: domain of 1enna0gmail.com designates 10.224.205.137 as permitted sender) client-ip=10.2 2 Authentication-Results:pnr7googl^^omJ 3pf-pa33 (google.com: domain of erma8gmail.com designates 10.224.205.137 as permitted senaerj smtp.mail3 - rmaggmail.com; dkim=pass header. i=; ?rma8gmail.com Received: f r o m m r . g o o g l e . c o m ([10.224.205.137]) hv in.??<!?05-137 win, s m t p in ^ , 0 ^ < ; 7 8 ; 7 0 ^ - <>.)*4 ) 177 ( n u m h o p s = 1); | F n , 01 Jun 2012 21:24:00 -0700 (PDT)! DKIM-Signature: v=l/l^^rsa-sha^^o/J c=relaxed/relaxed; d=gma i 1. com; ? 01 2011 h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=TGEIPb4ti7gfQG+ghh70kPjkx4Tt/iAClPPyWmNgYHc=; bKguZLTLfg2+QZXzZKexlNnvRcnD/+P4+Nk5NKSPtG7uHXDsfv/hGH46e2P+75MxDR8 blPK3eJ3Uf/CsaBZWDITOXLaKOAGrP3BOt92MCZFxeUUQ9uwL/xHALSnkeUIEEeKGqOC oa9hD59D3oXI8KAC7ZmkblGzXmV4DlWffCL894RaMB0UoMzRw0WWIib95alI38cqtlfP ZhrWFKh5xSnZXsE73xZPEYzp7yecCeQuYHZNGslKxc07xQjeZuw+HWK/vR6xChDJapZ4 K5 ZAf YZmkI kFX 4 VdLZqu 7 YGFzy 60 HcuPl6yS/C2 fXHVdsuYamMT/yecvhCVo80g7FKt 6 /KzwMIME-Version: 1.0 Received: by 10.224.205.137 with SMTP id fq9mr6704586qab.39.1338611040318; Fri, 01 Jun 2012 21:24:00 -0700 (PDT) Received: by 10.229.230.79 with HTTP; Fri, 1 Jun 2012 21:23:59 -0700 (PDT) In-Reply-To: <CAOYWATTlzdDXE3o8D2rhiE4Ber2MtV0uhro6r47Mu7c8ubp8Eg@mail.gmailcom> Referoflfiga^^^2iiJ^2Xlidfi2ia2fiiiJi^4^er2MtVOuhro6r+7Mu7c8ubp8Eg0mail.g m a i l .com> Date:|Sat, 7 Jun 201? 09:53:59 40530 1 Message-it: <(!:AMivoX'fl !1cf1 n'w!iW<i5zihNnO-EMJcgfgX+mUfjB_tt2sy2dXA0mail.g m a i l .com> S u b j e j ^ ^ i i _ _ _ j i * , _ 0 L U T I 0 N S ::: From:| ~ Mirza|< - -ermapgmail.com> To: iftsamaii.com, 1LUTI0NS < -* - - tions8gmail.com>, . . . e1 < tm aAk_er8yahoo.com>,
e e e e e e e e
Sender's mail server Data and time received by the originator's email servers Authentication system used by sender's mail server Data and time of message sent A unique number assigned by mr.google.com to identify the message Sender's full name Senders IP address The address from which the message was sent
The attacker can trace and collect all of this information by performing a detailed analysis of the complete email header.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
E m a il T r a c k in g T ools
Em ail Lookup - Free Em ail Tracker
Trace Email - Track Email
Email Header Analysis IP Address: 72.52.192 147 (ho8t.marhsttanrrediagro1 jp.con) IP Address Country: Unred States
ip
C EH
IP Address City Location: Lansing IP Address Region: Michigan IP Address Latitude: *2.7257. IP Address longtitude: -84.636
Organ i rat on: So jrcoDNS tmaii Lookup wap (sno w n ide)
Map
Email M e tric s
Satellite
w * W, ( f t
Lansing
E 03t Lansing
!!!!!!!! 1 1j!.!!! 1 m !1 1 1 !
Po liteM ail ( h tt p :/ / w w w .p o lite m a il.c o m )
Em ail Lookup - Free Em ail Tracker (http://www.ipaddresslocation.org) Copyright by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
eM ailTrackerPro
Source: http://www.emailtrackerpro.com eMailTrackerPro is an email tracking tool that analyzes email headers and reveals information such as sender's geographical location, IP address, etc. It allows you to review the traces later by saving all past traces.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
n * v a n (o n * v y v * * ( t t * p o ^ n d o tftf) ntrtiiwHTmMn*(
n*r s M K TTmt*(
1 2 2 *
18087 385 80231 217 17 80231217 2 80 231 2006 80 231 91 X 80 231 1382
18( 82 14 17
1 ? . . STATIC
w l M(Ot01 1* .
I9MW| O Athrt tvKM (tkt port nctoM<A T*#f n no m wnw nm ! ontMt (t port
Ooitiim *
T e u r t a day J c fa tt * y in * . lo if ^ tM n o ia i U i ia it c r p t f d iM a
'KMMU w *
out of <M. 10| ttnuiw* drtabM OOJau
PoliteM ail
Source: http://www.politemail.com PoliteMail is an email tracking tool for Outlook. It tracks and provides complete details about who opened your mail and which document has been opened, as well as which links are being clicked and read. It offers mail merging, split testing, and full list management including segmenting. You can compose an email containing malicious links and send it to the employees of the target organization and keep track of your email. If the employee clicks on the link, he or she is infected and you will be notified. Thus, you can gain control over the system with the help of this tool.
NIC
W W W
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Email Lookup is an email tracking tool that determines the IP address of the sender by analyzing the email header. You can copy and paste the email header into this email tracking tool and start tracing email.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
IP A d d ress: 72.52.192.147 (host manhattanmed1 agroup.com) IP A d d ress Country: United States f e i IP Continent: North America IP A d d ress City Location: Lansng IP A d d ress Region: Michigan IP A d d ress Latitude: 42 7257, IP A d d ress Longtitude: -84 636 Organization: SourceDNS
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
E m a il T r a c k in g T ools
(Contd)
Read Notify
h tt p :/ / w w w . re ad notify, com
CEH
Pointofmail
h ttp :/ /w w w .p o in to fm ail. com
'
DidTheyReadlt
h tt p :/ / w w w . didtheyreadit. com
Trace Email
h ttp ://w h a tism yipaddress. com
WhoReadMe
h ttp ://w h o re a d m e . com
MSGTAG
h ttp :/ /w w w .m s g ta g .c o m
GetNotify
httn //iajiaj \ a jn t> \ o tify .c o m h ttp ://w ww .g e tn
Zendio
S '/
h ttp ://w w w .z e n d io .c o m
a
G-Lock Analytics
' m h ttp://glockanalytics.com
JJS>
C o p yrigh t b y
Read Notify
Source: http://www.readnotify.com
Read Notify provides an email tracking service. It notifies you when a tracked email is opened, re-opened, or forwarded. Read Notify tracking reports contain information such as complete delivery details, date and time of opening, geographic location of recipient, visualized map of location, IP address of the recipients, referrer details (i.e., if accessed via web email account etc.), etc.
DidTheyR eadlt
Source: http://www.didtheyreadit.com
DidTheyReadlt is an email tracking utility. In order to use this utility you need to sign up for an account. Then you need to add ".DidTheyReadlt.com" to the end of the recipient's e-mail address. For example, if you were sending an e-mail to ellen@aol.com, you'd just send it to ellen@aol.com.DidTheyReadlt.com instead, and your email would be tracked, ellen@aol.com would not see that you added .DidTheyReadlt.com to her email address. This utility tracks every email that you send invisibly, without alerting the recipient. If the user opens your mail, then it
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
informs you when your mail was opened, how long your email remained open, and the geographic location where your email was viewed.
TraceEm ail
Source: http://whatismyipaddress.com The TraceEmail tool attempts to locate the source IP address of an email based on the email headers. You just need to copy and paste the full headers of the target email into the Headers box and then click the Get Source button. It shows the email header analysis and results. This Email header analysis tool does not have the ability to detect forged emails headers. These forged email headers are common in malicious email and spam. This tool assumes all mail servers and email clients in the transmission path are trustworthy.
MSGTAG
Source: http://www.msgtag.com MSGTAG is Windows email tracking software that uses a read receipt technology to tell you when your emails are opened and when your emails are actually read. This software adds a small track and trace tag that is unique to each email you need delivery confirmation for. When the email is opened an email tracking code is sent to the MSGTAG email tracking system and an email read confirmation is delivered to you. MSGTAG will notify you when the message is read via an emailed confirmation, a pop-up message, or an SM S text message.
vSW, Zendio
Source: http://www.zendio.com Zendio, the email tracking software add-in for Outlook, notifies you once your recipient reads the email, so you can follow up, knowing when they read it and if they clicked on any links included in the email.
Pointofm ail
Source: http://www.pointofmail.com Pointofmail.com is a proof of receipt and reading service for email. It ensures read receipts, tracks attachments, and lets you modify or delete sent messages. tracking, email, and web and SM S text notifications. It provides detailed information about the recipient, full history of email reads and forwards, links and attachments
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
email header. It saves the email addresses of the successful sent mails as well as the failed mails to a text, CSV, TSV or Microsoft Excel file.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
W hoReadMe
" 5 ource: http://whoreadme.com W hoReadM e is an email tracking tool. It is completely invisible to recipients. The recipients will have no idea that the emails sent to them are being tracked. The sender is notified every time the recipient opens the mail sent by the sender. It tracks information such as type of operating system and browser used, Active X Controls, CSS version, duration between the mails sent and read time, etc.
GetNotify
Source: http://www.getnotify.com GetNotify is an email tracking tool that sends notifications when the recipient opens and reads the mail. It sends notifications without the knowledge of recipient.
I r
* *
GLock A nalytics
Source: http://glockanalytics.com
G-Lock Analytics is an email tracking service. This allows you to know what happens to your emails after they are sent. This tool reports to you how many times the email was printed and forwarded.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
CEH
WHOIS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
C o p yrigh t b y EG -G (IIIIC il. All Rights Reserved. Rep rod u ctio n is S trictly Prohibited.
Footprinting M ethodology
The next phase in footprinting methodology after email footprinting is competitive intelligence. Competitive intelligence is a process that gathers, analyzes, and distributes intelligence about products, customers, competitors, and technologies using the Internet. The information that is gathered can help managers and executives of a company make strategic decisions. This section is about competitive intelligence gathering and sources where you can get valuable information.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
2 3
-
10
C o p yrigh t b y
EG-G*ancil. All
Sources of Competitive Intelligence: Company websites and employment ads S Search engines, Internet, and online databases
Ethical Hacking and Countermeasures Copyright by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.
e e e e e e e e
Press releases and annual reports Trade journals, conferences, and newspapers Patents and trademarks Social engineering employees Product catalogs and retail outlets Analyst and regulatory reports Customer and vendor interviews Agents, distributors, and suppliers
Competitive intelligence can be carried out by either employing people to search for the information or by utilizing a commercial database service, which incurs a lower cost than employing personnel to do the same thing.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
C EH
V is it T h e s e S it e s
------------------------------------------------
02. Hoovers
How did it develop? http://www.hoovers.com ______________________________________
03. LexisNexis
M 2) http://www.lexisnexis.com ---------------------------------
C om petitive In telligen ce When Did this Com pany Begin? How Did it D evelop?
Gathering competitor documents and records helps improve productivity and profitability and stimulate the growth. It helps determine the answers to the following: W hen did it begin? Through competitive intelligence, the history of a company can be collected, such as when a particular company was established. Sometimes, crucial information that isn't usually available for others can also be collected. How did it develop? It is very beneficial to know about how exactly a particular company has developed. W hat are the various strategies used by the company? Their advertisement policy, customer relationship management, etc. can be learned. W ho leads it? This information helps a company learn details of the leading person (decision maker) of the company. W here is it located?
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
The location of the company and information related to various branches and their operations can be collected through competitive intelligence. You can use this information gathered through competitive intelligence to build a hacking strategy. The following are information resource sites that help users gain competitive intelligence.
01
EDGAR
c 3 Source: http://www.sec.gov/edgar.shtml
All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR. Anyone can view the EDGAR database freely through the Internet (web or FTP). All the documents that are filed with the commission by public companies may not be available on EDGAR.
Hoovers
M = I
= i
Source: http://www.hoovers.com
Hoovers is a business research company that provides complete details about companies and industries all over the world. Hoovers provides patented business-related information through Internet, data feeds, wireless devices, and co-branding agreements with other online services. It gives complete information about the organizations, industries, and people that drive the economy and also provide the tools for connecting to the right people, in order for getting business done.
L exisN exis
Source: http://www.lexisnexis.com LexisNexis is a global provider of content-enabled workflow solutions designed specifically for professionals in the legal, risk management, corporate, government, law enforcement, accounting, and academic markets. It maintains an electronic database through which you can get legal and public-records related information. Documents and records of legal, news, and business sources are made accessible to customers.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
^^^P^^^^^^^ompetitiv^ntelligenc^Site^^
Market Watch (http://www.marketwatch.com) The Wall Street Transcript ( http://www.twst.com) ^ \/ Lipper Marketplace ( http://www.lippermarketplace.com) Euromonitor ( http://www.euromonitor.com) J
M a rk e t^
fe rtM M
^ Fag an -^
Finder
S E C In fo
Search M
pm It o r
M M
to
The following are a few more examples of websites that are useful to gather valuable information about various companies and their plans through competitive intelligence:
MarketW atch
Source: http://www.marketwatch.com MarketWatch tracks the pulse of markets. The site provides business news, personal finance information, real-time commentary, and investment tools and data, with dedicated journalists generating hundreds of headlines, stories, videos, and market briefs a day.
Pi
The Wall Street Transcript is a website as well as paid subscription publication that publishes industry reports. It expresses the views of money managers and equity analysts of different industry sectors. Interviews with CEOs of companies are published.
Lipper M arketplace
Module 02 Page 170 Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
Source: http://www.lippermarketplace.com Lipper Marketplace offers web-based solutions that are helpful for identifying the market of a company. Marketplace helps in qualifying prospects and provides the competitive intelligence needed for transforming these prospects into clients. Its solutions allow users to identify net flows and track institutional trends.
Ill'll
Euromonitor
Source: http://www.euromonitor.com
Euromonitor provides strategy research for consumer markets. It publishes reports on industries, consumers, and demographics. It provides market research and surveys focused on your organization's needs.
Fagan Finder
R
1 Source: http://www.faganfinder.com Fagan Finder is a collection of internet tools. It is a directory of blog sites, news sites, search engines, photo sharing sites, science and education sites, etc. Specialized tools such as Translation Wizard and URL info are available for finding information about various actions with a web page.
M
^ >
SEC Info
Source: http://www.secinfo.com
SEC Info offers the U.S. Securities and Exchange Commission (SEC) EDGAR database service on the web, with billions of links added to the SEC documents. It allows you to search by Name, Industry, and Business, SIC Code, Area Code, Accession Number, File Number, ClK, Topic, ZIP Code, etc.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Compete PRO
http://www.compete.com
Copernic Tracker
http://www.copernic.com
ABI/INFORM Global
http://www.proquest.com
SEMRush
http://www.semrush.com
Attention Meter
http://www.attentionmeter.com
as!
Jobltorlal
http://www.jobitorial.com
C om petitive In tellig en ce What Expert O pinions Say About the Com pany
Copernic Tracker
Source: http://www.copernic.com Copernic is website tracking software. It monitors a competitor's website continuously and acknowledges you content changes via an email, if any. The updated pages as well as the changes made in the site are highlighted for your convenience. You can even watch for specific keywords, to see the changes made on your competitor's sites.
SEMRush
Source: http://www.semrush.com SEMRush is a competitive keyword research tool. For any site, you can get a list of Google keywords and AdWords, as well as a competitors list in the organic and paid Google search results. SEMRush Necessary means for gaining in-depth knowledge about what competitors are advertising and their budget allocation to specific Internet marketing tactics are provided by
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Jokitorial
Source: http://www.iobitorial.com Jobitorial provides anonymous employee reviews posted for jobs at thousands of companies and allows you to review a company.
AttentionM eter
Source: http://www.attentionmeter.com AttentionMeter is a tool used for comparing any website you want (traffic) by using Alexa, Compete, and Quancast. It gives you a snapshot of traffic data as well as graphs from Alexa, Compete, and QuantCast.
ABI/INFORM Global
Source: http://www.proauest.com ABI/INFORM Global is a business database. ABI/INFORM Global offers the latest business and financial information for researchers at all levels. With ABI/INFORM determine business conditions, management techniques, Global, users can management business trends,
practice and theory, corporate strategy and tactics, and the competitive landscape.
IB
C om pete PRO
Source: http://www.compete.com It combines all the site,
Compete PRO provides an online competitive intelligence service. search, and referral analytics in a single product.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
C EH
WHOIS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
- -
J_
construct proper queries, you can retrieve valuable data about a target company from the Google search results. Through Google hacking, an attacker tries to find websites that are vulnerable to numerous exploits and vulnerabilities. This can be accomplished with the help of Google hacking database (GHDB), a database of queries to identify sensitive data. Google operators help in finding required text and avoiding irrelevant data. Using advanced Google operators, attackers locate specific strings of text such as specific versions of vulnerable web applications. Some of the popular Google operators include: Q Q .Site: The .Site operator in Google helps to find only pages that belong to a specific URL. allinurl: This operator finds the required pages or websites by restricting the results containing all query terms. Q Inurl: This will restrict the results to only websites or pages that contain the query terms that you have specified in the URL of the website. allintitle: It restricts results to only web pages that contain all the query terms that you have specified.
Module 02 Page 175 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
intitle: It restricts results to only the web pages that contain the query term that you have specified. It will show only websites that mention the query term that you have used. Q Inanchor: It restricts results to pages containing the query term that you have specified in the anchor text on links to the page. Q Allinanchor: It restricts results to pages containing all query terms you specify in the anchor text on links to the page.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
EH
- Files containing passwords Q Q Sensitive directories Pages containing logon portals Pages containing network or vulnerability data Q Advisories and server vulnerabilities
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Presents some information that Google has about a particular web page
Restricts the results to those websites with all of the search keywords in the title
Restricts the results to documents containing the search keyword in the title
Restricts the results to those with all of the search keywords in the URL
Restricts the results to documents containing the search keyword in the URL
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Also note that when you combine link: with another advanced operator, Google may not return all the pages that match. The following queries should return lots of results, as you can see if you remove the -site: term in each of these queries. related: If you start your query with "related:", then Google displays websites similar to the site mentioned in the search query. Example: related:w w w .microsoft.com will provide the Google search engine results page with websites similar to microsoft.com. info: Info will present some information the corresponding web page. For instance, info:gothotel.com will show information about the national hotel directory GotHotel.com home page. Note: There must be no space between the info: and the web page URL. This functionality can also be obtained by typing the web page URL directly into a Google search box. site: If you include site: in your query, Google will restrict your search results to the site or domain you specify. For example, admissions site:w w w .Ise.ac.uk will show admissions information from London School of Economics' site and [peace site:gov ] will find pages about peace within the .gov domain. You can specify a domain with or without a period, e.g., either as .gov or gov. Note: Do not include a space between the "site:" and the domain. allintitle: If you start your query with allintitle:, Google restricts results to those containing all the query terms you specify in the title. For example, allintitle: detect plagiarism will return only documents that contain the words "detect" and "plagiarism" in the title. This functionality can also be obtained through the Advanced W eb Search page, under Occurrences. intitle: The query intitle: term restricts results to documents containing term in the title. For instance, flu shot intitle:help will return documents that mention the word "help" in their titles, and mention the words "flu" and "shot" anywhere in the document (title or not). Note: There must be no space between the intitle: and the following word. allinurl: If you start your query with allinurl:, Google restricts results to those containing all the query terms you specify in the URL. For example, allinurl: google faq will return only documents that contain the words "google" and "faq" in the URL, such as " www.google.com/help/faq.html." This functionality can also be obtained through the Advanced W eb Search page, under Occurrences. In URLs, words are often run together. They need not be run together when you're using allinurl. inurl: If you include inurl: in your query, Google will restrict the results to documents containing that word in the URL. For instance, inurkprint site:w w w .googleguide.com searches for pages on Google Guide in which the URL contains the word "print." It finds PDF files that are in the directory or folder named "print" on the Google Guide website. The query [ inurkhealthy eating ] will return
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
documents that mention the words "healthy" in their URL, and mention the word "eating" anywhere in the document. Note: There must be no space between the inurl: and the following word.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
f 1z .
_ E 5!
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
You
Search
Images
Documents
Calendar
Sites
Contacts
Maps
More
Search
Web Images ).taps
Videos
News Shopping More
intranet*/ 6 Jun 2012 Human Resources 201112 DeaAnes Faculty and Human Resources - *Personnel Specials! assignments by Ur* (OOC)...
mmmm
o rg r
Error Cookies are not enabled You must enable cookies before you can log n Please log in This section of the Human Resources *ebsite IS for UNC Health ...
Human Reiourcet I .
< Juau Tht Faculty Human Resources Taam aims to work acad*rrc haads managers and staff to nsur that human resources a*c and actMties translat# into...
/ h i
. Intranet.
w i h
> _ds php^_id41 The Human Resources oftce is responsible tor proa&nq vanous support services to all
FIGURE 2.28: Search engine showing results for given Google Advance Operator syntax
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
r 6HM Hadun far Our C MW( I www.rucicersforchar1ty.org/ndo. fiincton M1rrmaryfiK.it> 19 POOJCCTC ABOUT || C rtvwnadtmforchanty.org,0^rtr)/ lunrt1on tumm,vy&ca! 1/
- *
E S 2 ]
YouTtt
OHOO - r U c ld i fo r Charity
onoe
C*>9 s: P1 g cO'tOnng lopr porta* According a. Miaosoft Miuosoft (R) Outlook (TK) VJ*t! a rre4s * M * < osofr Ftrharo* Artwe Servrr C Application that t> veo you prvitc access to Ttus 1 U 1 * 1 0 (1 * 1 pe fa CokJfuson adrnr1mon. Although m01 m** are uirurM. t C1 s an Irdicator of a dtfau't into lito >nd Th* is die default tofin pa$e for ColdFojron. Aimoucft rraiv ot tnese are secured, rm is an ncicatcf of a d*fault insQllaton, and iray bo webmn is hen acrnrn irtar'ace fee Unix Coxes it 5 ! run or. propriataiy web co'vcv isterirg on tho CdajX port of 10090. 1 t*4 t* a typical login page. It h 1e1rflr Oetoaie * txg* for SQL ln}*ctJO v C om sac-f artld* at hOp:/'ww>v.govcrrrrKrvsc<ur1ty.or5/art)C lca/S ns a cypical login page, itfus ecentir becotn* a taro* for SQL injection. Con*c' 1 artjd* at j 1t> cd3/dnn/I0or.a j MJp://vrww.goverom tr5eunty. re/artjde5/S . VNC U fnwte-ccW 01ied Cwlttpp produa. i ?004- v^c rxK jc r< T > *n d 1no or rh (* conttcuraBon. rnro u nay rot be pre*4ntd with 3 password. Cven when (H- tart* eon n C C C .
OHDe - Hm W > *, Charity 0H0e S t Ad/tsenes ard ViJr^ranJrtes Tic Et l rpi<t PioducKart cortaioj m ultiple /uineratiltes, *hen cojM eotoited to allow an G P-odjctrart atC ackar to mat ur crdntjak or mounx other f atta Accorcare to1 http:j'/Avrw.M furtvff>cue.cor%'b1d/0<^7. cartar | rmSoSaareh wHabd*y 0 < 0 c/ im &Swc'i contdn a buftei oveiftow vulnfrafcilty which *Howan XttrkM to Advanced Guestbook v7.7 has an SQl !rjecnor rWKjutsttwok 'jrvrsc Jw ssthooW >oblcm which al 0*5 unauthomod acces*. Aaaourfiom thee, hit Admn then 00 we 2.2 pcv following VP-AS* (Virtual Programing ASP) has won V*-ASP Shopetng C art awarifo both in Vte US anti France. X is now mum
2 C O t03* XO*-
'
I. .,x t. j t
2C 04 5 -1 2 2004
C H W P tltifW t. .
[_
TH 11 the ftort page entry potnt to e "Miuo 7 1 k" . I lhsts the loan page for M icrosoft's Renote Deslax? Wb C ornocQ on, which a'lows rr x > tn ucart to |connect to (and optionally corttol) a u ser
in k tl.iM ta fla rm p / d e
ITw m ! ais Otim Metafiaine login ptxt^s. AU Kkw ran 11(0 (txxa tn prr.fl ti'e jnd nn 1* ncarur < setup! of thi* application to acce* the t
FIGURE 2.29: Screenshots showing Advisories and Vulnerabilities & pages containing login portals
Ethical Hacking and Countermeasures Copyright by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
G o o g le H a c k in g T ools
MetaGoofil
h tt p :/ / w w w . edge-security, com
CEH
Goolink Scanner
h tt p :/ / w w w . ghacks. n et
SiteDigger
h tt p :/ / w w w . m cafee.com
&
SearchDiggity
h tt p :/ / w w w . s tachliu. com
Google Hacks
h ttp ://cod e .g o ogle .co m
?&
Google HACK DB
h ttp ://w w w .se cp o in t.co m
BiLE Suite
h ttp ://w w w .s e ns e p os t.co m
Gooscan
h ttp :/ /w w w .d a rk n e t. org. uk
M etagoofil
Source: http://www.edge-securitv.com
Metagoofil is an information-gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company. Metagoofil performs a search in Google to identify and download the documents to a local disk and then extracts the metadata with different libraries such as Hachoir, PdfMiner?, and others. With the results, it generates a report with usernames, software versions, and servers or machine names that may help penetration testers in the information gathering phase.
Goolink Scanner
Module 02 Page 185 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Source: http://www.ghacks.net The Goolink Scanner removes the cache from your searches, and collects and displays only vulnerable site's links. Thus, it allows you to find vulnerable sites wide open to Google and googlebots.
^ SiteD igger
Source: http://www.mcafee.com SiteDigger searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on websites.
G oogle Hacks
* 4)
Source: http://code.google.com
Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. It allows you to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches.
\\
BiLE Suite
Source: http://www.sensepost.com
BiLE stands for Bi-directional Link Extractor. The BiLE suite includes a couple of Perl scripts used in enumeration processes. Each Perl script has its own functionality. BiLE.pl is the first tool or Perl script in the collection. BiLE leans on Google and HTTrack to automate the collections to and from the target site, and then applies a simple statistical weighing algorithm to deduce which websites have the strongest relationships with the target site.
&
GM apCatcher
Source: http://code.google.com
GMapCatcher is an offline maps viewer. It displays maps from many providers such as: CloudMade, OpenStreetMap, Yahoo Maps, Bing Maps, Nokia Maps, and SkyVector. maps.py is a GUI program used to browse Google map. With the offline toggle button unchecked, it can download Google map tiles automatically. Once the file downloads, it resides on your hard disk. Thus, you don't need to download it again.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
SearchD iggity
- Source: http://www.stachliu.com
SearchDiggity is the primary attack tool of the Google Hacking Diggity Project. It is Stach & Liu's MS Windows GUI application that serves as a front-end to the most recent versions of Diggity tools such as GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotlnMyBackYard Diggity.
G oogle HACK DB
PHP
Source: http://www.secpoint.com
The attacker can also use the SecPoint Google HACK DB tool to determine sensitive information from the target site. This tool helps an attacker to extract files containing passwords, database files, clear text files, customer database files, etc.
G ooscan
Source: http://www.darknet.org.uk Gooscan is a tool that automates queries against Google search appliances. These queries are designed to find potential vulnerabilities on web pages.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
C EH
WHOIS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
Footprinting M ethodology
Gathering network-related information such as whois information of the target organization is very important when hacking a system. So, now we will discuss whois footprinting. Whois footprinting focuses on how to perform a whois lookup, analyzing the whois lookup results, and the tools to gather whois information.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
W H O IS L o o k u p
Urtifi!
CEH
Ittiu l lUckw
WHOIS databases are maintained by Regional Internet Registries and contain the personal information of domain owners
W H O IS query returns:
e e Domain name details Contact details of domain owner Domain name servers 9 NetRange When a domain has been created
A RTN
tt Gather personal information that assists to perform social engineering 6 Gather other internal network details, etc.
)APNIC
a
j
RIPE
e
6
WHOIS Lookup
WHOIS is a query and response protocol used for querying databases that stores the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. W HOIS databases are maintained by Regional Internet Registries and contain the personal information of domain owners. They maintain a record called a LOOKUP table that contains all the information associated with a particular network, domain, and host. Anyone can connect and query to this server to get information about particular networks, domains, and hosts. An attacker can send a query to the appropriate W HO IS server to obtain the information about the target domain name, contact details of its owner, expiry date, creation date, etc. The WHOIS sever will respond to the query with respective information. Then, the attacker can use this information to create a map of the organization network, trick domain owners with social engineering once he or she gets contact details, and then get internal details of the network.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
(citifwd
c EH
ttkKJl NMhw
1Stats
M yW h o .
Domain Dossier
0 domain whois record network whois record
domain or IP address [juggyboy.com Doza.n JLdm nistrator M icro ssft Corporation One M ic r0 3 a 2 t Way Rarinonri Hr. 93052 cs +1.4250826060 Fex; +1.4259267229 domainsgjmlcrosoff.ci lex in Kane: n ic r c s o f t . com Ee3 i3*rar Sane: Marl3cnicor.com R eg is trar W iols: wtiols.narttxmlcor.con R eg is trar Kcnepage: http://vw V.r13rircnLtcr.rcn &dxdr.13trative Contact: Dorain Administrator M icrosoft Corporation One M icrosoft Kay Reancna W A 9BOS2 0 DNS records service scan 30] traceroute JU
g n c ity m o u s[ lo gin|a c c c u n
Address lookup
addresses
US
tiorwa1nsfimicro90ft.c0m +1.42S8828080 Fox: 4L.42S9367329 Technical Contact. Zone Contact: msm H09tn*9t#r M icrosoft Corporation on M icro io tt Hay Rednond WA 98052 US m3nhstQmittoSOfl.com *1.4258828080 Tax: 11. 12S93"32S Createa on........................ : 1991-05-01. Expires on........................ : 2021-03-02. Reccrd la s t upaatea o n ..: 2011-03-14. Dosain servers in lis t e d order: ns3.1Ksrt.net n s4 .tu ft.n e t n sl.ttsrt.n e t ns3 net 03 r t
*h: -.1 server: vnon.ftetwor *solutions, cox R etercal URL: ftttp ://w * .n etw sfc J 01 u t1 0 ns.ccr,/enJJS/
N a!a# 3*rv*r: NS1#.W CRLONTC.COM NAM S*rvr: NS20.WCRLON1C.COM su cu a: ciicntiransrcrProni&Lted Opdated Date: 03-feb-2009 Creation Data: 1-Jul-200J Expiration Date: :6-01-2014 > la s t update of whola database: Thu, 1 Ju i 2012 0 4 9 : 3 : < OTC 4 Quened wt10is.network50lutions.rnm with juggyboy.rom ... Registrant:
M RM N K m mm
http://whois.domaintools.com h ttp://cen tralops. net/co
Copyright by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
W h i m R e c o rd
Sit Profile
R e g is tra tio n
S e rv e r S ta ts
M y W h o is
Domain Dossier
| domain whois record
Registrant: Domain Administrator Microsoft Corporation One Microsoft Way Redirond WA 98052 US dpnainscXmcrosoflcom +1.4258828080 Fax: +1.425936329 Dosain !ia r . e : nicroaoft.com Registrar Mane: Martenonitor.com Registrar Whois: whois. !narlatonitor. can Registrar Honepage: http://www.marJancn1 tor.co1t Adsriaistrative Contact: Domain Adnlnistrator
Microsoft Corporation
9 J
u se r anonymous [ balance: 47 units lof in | account info
30]
PfJ11tr.fi ,!,Lit
Address lookup
canonical name juooyboy.com . aliases
addresses
Technical Contact, Zone Contact: MSN Hoatmaster Microsoft Corporation One Microsoft Way Redirond KA 98052 US m5nf1stQmitrosofl.com 1*4258828080 Fax: +1.4259367329 Created on : 1991-05-01. Expires on t 2021-05-02. Record :ast updated on..: 2011-08-14. Doaain servers i& listed order: ns5.nsft.net ns4.nsft.net nsl.nsft.net ns3.nsft.net ns2.nsft.net
> Last update of whois database: Thu, 19 Jul 2012 07:49:36 UTC < Queried whoib.networkbolutionb.coiii with , juggyboy.com' . . .
Registrant:
http://whois.domaintools.com
http://centralops.net/co
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
U rtffi * Ith K jl lU c k M
CEH
14 miacsoft.com
^ rwcney.de
E53
tt
Free SAS i ProXad 8, fuc de la ville T'Eveque 75006 Paris phone -33 173 50 20 00 fax * 3 3 173 50 25 0 1 hostmastcfC P ptoxad.nct Q free SAS i ProXad ruedel4v>llel"Evec|ue 75006 Pari* phone-33 173 50 20 00 fax: *33 173 502501 r.ojtmcitcricfo.od.nct ( | frmti1-q?0.ftM>.f1 [212.27.60.19] ( J ''**n:2-q2C.fr.ff [212.27.60.20]
r*at*d: 29/12/2006
V 1 r V M > L ite r
http://www.tamos, com
Copyright by EG-GaullCil. All Rights Reserved. Reproduction is Strictly Prohibited.
BC
SmartWhois is a useful network information utility that allows you to look up all the available information about an IP address, hostname, or domain, including country, state or province, city, name of the network provider, administrator, and technical support contact information. It also assists you in finding the owner of the domain, the owner's contact information, the owner of the IP address block, registered date of the domain, etc.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
> Q u ery
m
a t microsoft.com money.de
Q n jg jfcfr
88.1902S4.12
I 8,
phene: 33 I 73 50 20 00 fax: 33 1 73 50 25 01 h0 stmastergpf0xid.net Free SAS / ProXad I8 . rue de la ville I 'Eveque 75008 Paris phene 33 1 73 50 20 00 fax: 33 1 73 50 25 01
freensl-g20Jree.fr [212.27.60.19]
View source
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
C EH
Whois
h ttp ://to o ls . w hois.net
1 1
n
Better Whois
h ttp :/ / w w w . b etterw hois. com
%
m im r
=
DNSstuff
h tt p :/ / w w w . dnss tuff, com
pyy fc]
Whois Source
h tt p :/ / w w w . whois.sc
S'
Web Wiz
h tt p :/ / w w w . w ebw iz.co. u k/d om ain to ols /w hois-lookup.htm
WebToolHub
h tt p :/ / w w w . w ebtooll 1 w hois-lookup. aspx
Network-Tools.com
h ttp ://n e tw o rk -to o ls. com
Ultra Tools
h ttp s :/ /w w w .u ltra to o ls .co m /w h o is /h o m e
pp CountryWhois
---- Source: http://www.tamos.com CountryWhois is a utility for identifying the geographic location of an IP address. CountryWhois can be used to analyze server logs, check email address headers, identify online credit card fraud, or in any other instance where you need to quickly and accurately determine the country of origin by IP address.
Lan W hois
Source: http://lantricks.com LanWhols provides information about domains and addresses on the Internet. This program helps you determine who, where, and when the domain or site you are interested in was registered, and the information about those who support it now. This tool allows you to save your search result in the form of an archive to view it later. You can print and save the search result in HTML format.
Module 02 Page 194 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
t
j i^ t *
Batch IP Converter
Source: http://www.networkmost.com
Batch IP Converter is a network tool to work with IP addresses. It combines Domain-to-IP Converter, Batch Ping, Tracert, Whois, Website Scanner, and Connection Monitor into a single interface as well as an IP-to-Country Converter. It allows you to look up the IP address for a single or list of domain names and vice versa.
I r1 CallerIP
Source: http://www.callerippro.com CallerIP is basically IP and port monitoring software that displays the incoming and outgoing connection made to your computer. It also allows you to find the origin of all connecting IP addresses on the world map. The Whois reporting feature provides key information such as who an IP is registered to along with contact email addresses and phone numbers.
HotWhois
Source: http://www.tialsoft.com HotWhois is an IP tracking tool that can reveal valuable information, such as country, state, city, address, contact phone numbers, and email addresses of an IP provider. The query mechanism resorts to a variety of Regional Internet Registries, to obtain IP Whois information about IP address. With HotWhois you can make whois queries even if the registrar, supporting a particular domain, doesn't have the whois server itself.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
(W ) Active Who is
Source: http://www.johnru.com ActiveWhois is a network tool to find information about the owners of IP addresses or Internet domains. You can determine the country, personal and postal addresses of the owner, and/or users of IP addresses and domains.
W hoisThisD om ain
Source: http://www.nirsoft.net WhoisThisDomain is a domain registration lookup utility that allows you to get information about a registered domain. It automatically connects to the right WHOIS server and retrieves the W HOIS record of the domain. It supports both generic domains and country code domains.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
C EH
Whois
h ttp ://to o ls . w hois.net
1 1
n
Better Whois
h ttp :/ / w w w . b etterw hois. com
%
m im r =
DNSstuff
h tt p :/ / w w w . dnss tuff, com
Whois Source
h tt p :/ / w w w . whois.se
p yy
fc]
Web Wiz
h tt p :/ / w w w . w ebw iz.co. u k/d om ain to ols /w hois-lookup.htm
WebToolHub
h tt p :/ / w w w . w ebtooll 1 w hois-lookup. aspx
Network-Tools.com
h ttp ://n e tw o rk -to o ls. com
Ultra Tools
h ttp s :/ /w w w .u ltra to o ls .co m /w h o is /h o m e
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
CEH
WHOIS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
Footprinting M ethodology
--The next phase in footprinting methodology is DNS footprinting. This section describes how to extract DNS information and the DNS interrogation tools.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
(rtifwd
CEH
0
ithiul UtkM
3 2
DNS records provide important information about location and type of servers
R e co rd Type A MX NS CNAME SOA SRV PTR RP HINFO TXT D e s c r ip t io n
Points to a host's IP address Points to domain's mail server Points to host's name server Canonical naming allows aliases to a host Indicate authority for domain Service records Maps IP address to a hostname Responsible person Host information record includes CPU type and OS Unstructured text records
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Q Q
CNAME - Canonical naming allows aliases to a host SOA - Indicate authority for domain Q Q SRV - Service records PTR - Maps IP address to a hostname RP - Responsible person HINFO - Host information record includes CPU type and OS
A few more examples of DNS interrogation tools to send a DNS query include: http://www.dnsstuff.com http://network-tools.com
Ethical Hacking and Countermeasures Copyright by EC-C0l1ncil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
(rtifwtf | EthKJi UckM
ueries, com) and the DNS (Domain Name System) allow to translate the domain name or the hostname in an IP Address 10 contact via the 1 3 ( *1 IP protocol. There are serveral types of queries, corresponding to all the Implemen table types of DNS records such as A record, MX. AAAA, CNAME and SOA.
microsoft.com
Class IN IN IN IN IN IN
Details FbUF6DbkE*Aw1 /v/i9xgDi3KVrllZus5v8L6tblQZkGrQrVQKJi8CjQbBtWt64ey4NJJv/j5J65PlggVYNabdQ v-spf1 Include: spf-a.mlcrosoft.com Include:_spf-b.mfcrosoft.com 1nclude:_spfc.mlcrosoft.com 1nclude:_spf-ssg a.microsoft.com ip4:l31.107.115.215 Ip4:131.107.115.214 ip4:205.248.106.64 ip4:205.248.106.30 ip4:205.248.106.32 *all 10 (nall.messaglng.mlcrosort.com J ! ns1.msft.net mbnhbt.n1iaosoft.com 2012071602 3C0 600 2419200 3600 64.4.11.37 65.55.58.701 $ ns5.msft.net ns2.msft.net ns1.msft.net $ ns3.msft.net $ ns4.msft.net yj}
http://www.dnsqueries. com
Copyright by EG-GtailCil. All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
This tool is very useful to perform a DNS query on any host. Each domain name (Fxample: dnsqueries.com) is structured in hosts (ex: www.dnsqu0 n 0 s.com) and the DNS (Domain Name System) allow ovorybody to translato tho domain namo or tho hostname in an IP Addross to contact via the TCP/IP protocol. There are server^ types of queries, corresponding to dll the implemen table types of DNS records such as A record, MX, AAAA, CNAME and SOA.
[mcrosoftcom Type:
ANY 0 | Run toohT
Details FbUF6DbkE*Avvl/wi9xgDi8KVrllZus5v8L6tblQZkGrQ/VQKJi8CjQbBtWtE64ey4NJJvvj5J65PlggVYNabdQ- v=spf1 lnclude:_spf-a.mfcrosofLcom lndude:_spf a.microsoft.com ip4:l3l.107.115.215 ip4:l3 1.107.115.214 ip4:2G5.248.100.64 ip4:205.243.106.30 ip4:2D5.248.106.32 'all
10 mail.mes5aging.micro50ft.c0m
nsl.msft.netmsnhst.microsoft.com 2012071602 300 600 2419200 3600 64.4.11.37 s J 65.55.58.701 ns5.msft.net ns2.mstt.net $ ns1.msft.net !} ns3.msft.net r154.t1tsft.r1et
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
DNSWatch
____
h ttp :/ /w w w .d n s watch, info
myDNSTools
h ttp :/ /w w w .m y d n s tools.info
DomainTools
h ttp ://w w w .d o m a in to o ls.co m
ffjp s lli
Professional Toolset
h tt p :/ / w w w . dnsstuff. com
(0m
1 r v '- ,
DNS
h ttp ://e -d n s .o rg
DNS Records
h ttp ://n e t w o rk- tools.com
DNSData View
h ttp ://w w w .n irs o ft.n e t
DIG available at http://www.kloth.net myDNSTools available at http://www.mydnstools.info Professional Toolset available at http://www.dnsstuff.com DNS Records available at http://network-tools.com DNSData View available athttp://www.nirsoft.net
DNSWatch available at http://www.dnswatch.info DomainTools Pro available at http://www.domaintools.com DNS available at http://e-dns.org DNS Lookup Tool available at http://www.webwiz.co.uk
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
CEH
WHOIS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
Footprinting M ethodology
The next step after retrieving the DNS information is to gather network-related information. So, now we will discuss network footprinting, a method of gathering networkrelated information. This section describes how to locate network range, determine the operating system, Traceroute, and the Traceroute tools.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
(citifw d IthKJI lU c k M
C EH
207.46.255.255
.0/16
J J
M IC R O S O F T -G L O B A L -N E T
NameServer: NameServer: RegDate: Updated: Ref: 207-46-0-0-1 OrgName: Orgld: Address: City: StateProv: PostalCode: Country: RegDate: Updated: Ref:
OrgAbuseHandle OrgAkuseName: OrgAbusePhone: OrgAbuseEmail: OrgAbuseRef:
NET-207-46-0-0-1 NET-207-0-0-0-0 Direct Assignment NS2.MSFT.NET NS4.MSFT.NET NS1.MSFT.NET NS5.MSFT.NET NS3.MSFT.NET 1997-03-31 2004-12-09 http://whois.arin.net/rest/net/NETMicrosoft Corp MS FT One Microsoft Way Redmond
WA
Attacker Network
+1-425-882-8080 abuse@hotmail.com
http://whois. arin. net/rest/poc/ABUSE231-ARIN Copyright by EG-Gtancil. All Rights Reserved. Reproduction is Strictly Prohibited.
information about the target organization such as what the organization does, who they work for, and what type of work they perform. The answers to these questions give you an idea about the internal structure of the target network. After gathering the aforementioned information, an attacker can proceed to find the network range of a target system. He or she can get more detailed information from the appropriate regional registry database regarding IP allocation and the nature of the allocation. An attacker can also determine the subnet mask of the domain. He or she can also trace the route between the system and the target system. Two popular traceroute tools are NeoTrace and Visual Route. Obtaining private IP addresses can be useful for an attacker. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private Internets: 10.0.0.0-10.255.255.255 (10/8 prefix), 172.16.0.0-172.31.255.255 (172.16/12 prefix), and 192.168.0.0-192.168.255.255 (192.168/16 prefix). The network range gives you an idea about how the network is, which machines in the networks are alive, and it helps to identify the network topology, access control device, and OS
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
used in the target network. To find the network range of the target network, enter the server IP address (that was gathered in W HO IS footprinting) in the ARIN whois database search tool or you can go to the ARIN website (https://www.arin.net/knowledge/rirs.html) and enter the server IP in the SEARCH Whois text box. You will get the network range of the target network. If the DNS servers are not set up correctly, the attacker has a good chance of obtaining a list of internal machines on the server. Also, sometimes if an attacker traces a route to a machine, he or she can get the internal IP address of the gateway, which might be useful.
N e tw o rk W h o is R e co rd
Queried whois.arin.net with "n 207.46.232.182", 207.46.0.0 - 207.46.255.255 NetRange: 207.46.0.0/16 CIDR: OriginAS: MICROSOFT-GLOBAL-NET NetName: NET-207-46-0-0-1 NetHandle: NET-207-0-0-0-0 Parent: Direct Assignment NetType: N S 2 .MSFT.NET NameServer: N S 4 .MSFT.NET NameServer: NS1.MSFT.NET NameServer: NS5.MSFT.NET NameServer: NS3.MSFT.NET NameServer: 1997-03-31 RegDate: 2004-12-09 Updated: http://whois.arin.net/rest/net/NETRef: 207-46-0-0-1 Microsoft Corp OrgName: MS FT Orgld: One Microsoft Way Address: Redmond City: WA StateProv: 98052 PostalCode: US Country: 1998-07-10 RegDate: 2009-11-10 Updated: http://whois.arin.net/rest/org/MSFT Ref: OrgAbuseHandle: ABUSE231-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-425-882-8080 OrgAbuseEmail: ekbuse@hotmail.com OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE231-ARIN
You need to use more than one tool to obtain network information as sometimes a single tool is not capable of delivering the information you want.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved, Reproduction is Strictly Prohibited.
(itifwd
c EH
tUMJl N M hM
So far we have collected information about IP addresses, network ranges, server names, etc. of the target network. Now it's time to find out the OS running on the target network. The technique of obtaining information about the target network OS is called OS fingerprinting. The Netcraft tool will help you to find out the OS running on the target network. Let's see how Netcraft helps you deter,ome the OS of the target network. Open the http://news.netcraft.com site in your browser and type the domain name of your target network in the What's that site running? field (here we are considering the domain name "Microsoft.com"). It displays all the sites associated with that domain along with the operating system running on each site.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
r iE T C R ^ F T
* k B tx k O m i
Search W e b by Domain I
E'pbre 1.045.745 w#& z f t u s te d ty users ofth Naicrafl Toolbar | <contains 3 lookup! I a te conto.ns .nat eraft.com 3rd August 2012
ra e icp
f* FJf.-P F66IC P
F 5N G -P
Ft fclG-P f t 61C-P r s c ic p F5 eG-P F5 BIC-P F5 6IC P
MUOJWM8/7.5 M icr6s08-8 S/75 Micrc&jt IIS/7 ( Miaoao8-83/7 5 MCT0S08-8S// 5 Micrcs3MS/7 6 Micrc&o IIS/7 6 Ma080t-83f7.5 Mieroso8-8S/7 5 Microsoft IS/7.5
6 ( ( 8 1 3 3
55 55175 183 5555.176183 85 54 175183 56 52103 234 55 52 103234 55 52103 ?34 65 5 175 183
M ac** Cap Acre** Cap! UrcsCap Macao Cap MCTCSJtCCfp U creot Ccrp Were5 Cap M acsX Cap Mercs* Cap M a cs* Cap
18-May-2012
14-May-2012 10Apr-2012
1 2 -Apf-2012
18-Uar-?01? 11 Mar-2012
a e
a a a 1 a a 1
(U
Mac; Uptime -the Dm* since taat rcboct !3explained I* fAO S8e MMvvpasspMtco-n w w w >encarU.com asxovev com *MMvcaigeiAteem mado com rriacsoCcgma mtreso* iu rrtjrjf hcrro rmcratol com c9lm acao 8 .com * mw 12:2:1 r*1 nKrc*08c0m wwwmsncemlw catccant wwwoficccom eSkenMcracallMm Mogi t#<hntcm
w wminuoaot c o m !
(1M 1) 2*120*24:13 OS v/!1o*3 Sr. a 2C C 8 J ? ! ! < FSBCP wnoows s*rrtf 2 W8 inrrow* Pf&C-P Server M1ac30C-fS/7 5
Awaoe 60 52 48 46 41 39 38 38 3 33 32
Uax 129 56 91 81
reoG-f*
vvnooftS Str.fr ?K8 UKTOOT
1
1
& 0 F
UtCTCSOM S/7 Q MacsoC-IS/7 5 Uiereaol IS/7 Macao** 2/7: MCTC90MS/7 5 U*<reco*-IS/7 5 Macao IS/7 5 W lC T C SO f-M IP*/l2 0 Mac*0MS/7 5
5. m*d.microsoft com 67. ce-m 1:ro*oftxom social technec.microscft.ccm 'tswara.nnicroioft.coni w m w pde8m ten*eftcom
sootennbar 1998 microsoft con> november 1998 microsoft corp august 2008 august 2009 may 2007 august 2008 nevember 2001 m hatma! fabuary 1999 fsbuary 3003 microsoft carp microsoft carp microsoft corp microsoft mtted
1 1
6
39 50 84
8. 9.
66
77
10. ! o d midr'.mKroM/t.io^i 11 } 12. *d0<updta.nKr#t.<0m 13. n ffdit 14. IS. soarch.mKroscft.ccm c#r1
*6
52
a a a a a a a
20 20
20 95 36 24 92 32 20 79
ItKTCMUt^f
Macao-l2/7 5 MaS0M3//S MacsoS-IS/7 5 Mtacto IS/7 6
0
185 110 20 45 ?4 36 51 !
rsoG-r
F6AC4P WV40s 8wva 2CC3 DM) nCral* F5BC P >
UatMHVTS
MOCHOUSM 0 u>ae sol 1V7 Macao S/7 0 MOC30MS/7 3
november 2008 dltal river Ireland ltd. december 2010 microsoft corp october 00 microsoft corp
FIGURE 2.33: Netcraft showing the operating system that is in use by Microsoft
Ethical Hacking and Countermeasures Copyright by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.
Use SHODAN search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.
Papular Search Querios: RuggotiConi oyposod via lolnot Wired: http:Mww.w1rcc.c0fn1l1rcaccvcy2u12;tMruggodcom-IncMooti (-ull Oiscloctrc: http:/soc,.-
D e v e lo p e r API
2 Ond out how 10 accc33 the Qhodan ilHtalMSH with P/lhon. Pw1 ot Ruby
Le a r n M o r e
G e lrnorc oat cf ycur 5cjcfc3
and find * mfnmaton >**1 rww)
Fo l l o w M e
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
* SHODAN
Search
Services
HTTP HTTP Alternate FTP SNMP UPnP 6,692.080 164,711 13.543 9,022 6.392
Error
66.77.20.147 W in d o w s XP B 1 zn e w s2 4 .co m
HTTP 1.0 403 Forbidden Content-Length 218 Content Type: texthtml Server Microsoft-IIS 6.0 IISExport: This web site was exported usmg US Export v4J X-Powered-By: ASP.NET Date: Tue? 25 Sep 2012 01:53:00 GMT
Top Countries
United States China United Kingdom Germany Canada 3,352,389 506,298 362,793 247,985 246,968
www.net.cn)
112.127.180.133 HiChina W e b Solu tio n s (B e rin g ) L im ite d
HTTP 1.0 200 OK Content-Type: texthtml Last-Modified Wed. 22 Jun 2011 10:28:46 GMT Accept-Ranges: bytes ETag: "083b42ac730ccl:0"
Top Cities
Englewood Beijing Columbus Dallas Seoul 170,677 111,663 107,163 90.899 86,213
Server. Microsoft-IIS 7.5 X-Powered-By ASP NET X-UA-Compatible E-EmulateIE7 Date: Tue, 25 Sep 2012 01:53:02 GMT Content Length: 5304
Top Organizations
Verio Web Hosting 97,784 HiChina Web Solutions ... 52,629 Ecommerce Corporation 43,967 GoDaddy.com, LLC 33,234 Comcast Business Commu... 32,203
HTTP 1.0403 Forbidden Content-Length: 1409 Content-Type: texthtml Server Microsoft-IIS 6.0 X-Powered-By ASP NET Date: Tue, 25 Sep 2012 01:59:20 GMT
Added on 25 092012
II
IIS7
110.142.89.161
HTTP 1.0 200 OK Content-Type: texthtml Last-Modified: Sat, 20 Nov 2010 03:13:31 GMT Accept-Ranges: bytes ETag: 3a24cbe860S8cbl:0 Server Microsoft-IIS 7.5 X-Powered-By: ASP NET Date: Tue, 25 Sep 2012 01:52:50 GMT
T e ls tr a In te rn e t
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved, Reproduction is Strictly Prohibited.
T raceroute
Traceroute programs work on the concept of ICMP protocol and use the TTL field in the header of ICMP packets to discover the routers on the path to a target host
IP Source
ICMP Echo request
CEH
Router Hop
TTL = 1
Router Hop
Router Hop
Destination Host
Traceroute
Finding the route of the target host is necessary to test against man-inthemiddle attacks and other relative attacks. Therefore, you need to find the route of the target host in the network. This can be accomplished with the help of the Traceroute utility provided with most operating systems. It allows you to trace the path or route through which the target host packets travel in the network. Traceroute uses the ICM P protocol concept and TTL (Time to Live) field of IP header to find the path of the target host in the network. The Traceroute utility can detail the path IP packets travel between two systems. It can trace the number of routers the packets travel through, the round trip time duration in transiting between two routers, and, if the routers have DNS entries, the names of the routers and their network affiliation, as well as the geographic location. It works by exploiting a feature of the Internet Protocol called Time To Live (TTL). The TTL field is interpreted to indicate the maximum number of routers a packet may transit. Each router that handles a packet will decrement the TTL count field in the ICMP header by one. When the count reaches zero, the packet will be discarded and an error message will be transmitted to the originator of the packet.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
It sends out a packet destined for the destination specified. It sets the TTL field in the packet to one. The first router in the path receives the packet, decrements the TTL value by one, and if the resulting TTL value is 0, it discards the packet and sends a message back to the originating host to inform it that the packet has been discarded. It records the IP address and DNS name of that router, and sends out another packet with a TTL value of two. This packet makes it through the first router, then times-out at the next router in the path. This second router also sends an error message back to the originating host. Traceroute continues to do this, and records the IP address and name of each router until a packet finally reaches the target host or until it decides that the host is unreachable. In the process, it records the time it took for each packet to travel round trip to each router. Finally, when it reaches the destination, the normal ICMP ping response will be send to the sender. Thus, this utility helps to reveal the IP addresses of the intermediate hops in the route of the target host from the source.
IP Source
ICMP Echo request
Router Hop
TTl = 1
Router Hop
Router Hop
Destination Host
..............................
......................................................................................................................'
a a a a
H TSTSW S
A A A
- .............................
ICMP error message ICMP Echo request A M i A A A A A A " 1
H I ::::
A
ICMP Echo Reply
A A A A
How to use the tracert command Go to the command prompt and type the t r a c e r t command along with destination IP address or domain name as follows:
C:\>tracert 216.239.36.10
7 609 ms
iarl-so-3-2-0.Thamesside.cw.net
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
8 1622 ms 9 10 11 12 2498 ms
2377 ms 968 ms
2061 ms 593 ms
eqixva-google-gige.google.com 216.239.48.193
[206.223.115.21]
Trace complete.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
T ra c e r o u te A n a ly s is
Attackers conduct traceroute to extract information about: network topology, trusted routers, and firewall locations For example: after running several traceroutes, an attacker might obtain the following information:
& a traceroute 1.10.10.20, second to last hop is 1.10.10.1 traceroute 1 10.20.10, third to last hop is 1.10.10.1 traceroute 1 10.20.10, second to last hop is 1.10.10.50 traceroute 1 10.20.15, third to last hop is 1.10.10.1 traceroute 1 10.20.15, second to last hop is 1.10.10.50
By putting this information together, attackers can draw the network diagram
n o
ED
I I I I I I I I I I I I I I I I I I I I
1.10. 10.20 Bastion Host 1.10.20.10 Web Server
Hacker 1.10.20.
Mail Server
1.10.20.50
Firewall
Traceroute A nalysis
s W e have seen how the Traceroute utility helps you to find out the IP addresses of intermediate devices such as routers, firewalls, etc. present between source and destination. You can draw the network topology diagram by analyzing the Traceroute results. After running several traceroutes, you will be able to find out the location of a particular hop in the target network. Let's consider the following traceroute results obtained:
9 9 traceroute 1.10.10.20, second to last hop is 1.10.10.1 traceroute 1.10.20.10 1.10.20.10. third to last hop is 1.10.10.1 traceroute 1.10.20.10 traceroute 1.10.20.15 traceroute 1.10.20.15 second to last hop is 1.10.10.50 third to last hop is 1.10.10.1 second to last hop is 1.10.10.50
By analyzing these results, an attacker can draw the network diagram of the target network as follows:
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
1.10.20.10
W e b S e rv e r
DMZ ZONE
Hacker Internet
........
1.10.10.1
Router
1.10.10.50
F ire w a ll
1.10.20.50
F ire w a ll
1.10.20.15
M a il S e r v e r
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Path Analyzer Pro and VisualRoute 2010 are the two tools similar to Traceroute intended to traceroute the target host in a network.
<
Source: http://www.pathanalyzer.com
Path Analyzer Pro is a graphical-user-interface-based trace routing tool that shows you the route from source to destination graphically. It also provides information such as the hop number, its IP address, hostname, ASN, network name, % loss, latency, avg. latency, and std. dev. about each hop in the path. You can also map the location of the IP address in the network with this tool. It allows you to detect filters, stateful firewalls, and other anomalies automatically in the network.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
VisualRoute 2010
Source: http://www.visualroute.com This is another graphical-user-based tracing tool that displays hop-by-hop analysis. It enables you to identify the geographical location of the routers, servers, and other IP devices. It is able to provide the tracing information in three forms: as an overall analysis, in a data table, and as a geographical view of the routing. The data table contains information such as hop number, IP address, node name, geographical location, etc. about each hop in the route. Features: 9 9 ^ 9 9 9 9 9 Hop-by-hop traceroutes Reverse tracing Historical analysis Packet loss reporting Reverse DNS Ping plotting Port probing Firefox and IE plugin
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Tools
H * 4 p v ttp: 1 1
v.n-K T0 0 ftaH
I1 c t P M
? f
? \ o < M o .
oO
Ana ttformftori ^ h< k and 61 q Kgre to movt this vkwf /V Analysis in goneral thr* rout is reasonablyquick, withhop* !*ponding ^ on arerage within 122ms However, all hops after hop 10 in network ]Network for 207 46 47 1 8 )* respond particularly *lowly RTT 116 3m*/296m*
9
To Location Network RTT Firewall Port Probe Packet loss www microsoft com (65 55 57 80) Redmond. WA. USA Microsoft Corp // Not responding to pings Open to http requests on port 80 Running *enter Micro*o(WIS/7 5 Responded in 9543ms AH
1*
Packet Loss 36 l%/100% Route length At least 17 hops Alternate 4 hop(*) hare alternate route* (Hop{*)12.13.14 & 15)
routes?
OTitteioale to wwwmkio%oHxon\
You are on day l of a 15 day trial. For purchase information dick hare or enter a license key. Your database is 338 days out of date dick here to update.
Ikst time use Spe<l Offer ? flkfc h flt IgMtMlglfliBBt Ofl VbmBglite'l 1 tttiflflil * Hours Only!
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
T ra c e r o u te T ools
(Contd)
CEH
Magic NetTrace
h ttp ://w w w . tialsoft.com
p^j
Network Pinger
h ttp ://w w w . networkpinger. com
GEOSpider
1^1 |rl
0!
3D Traceroute
h ttp ://w w w .d 3 tr.d e
vTrace
h ttp ://v tra c e .p l
AnalogX HyperTrace
h ttp ://w w w . analogx. com
Si
Ping Plotter
imot
V4V
h ttp ://w w w .p in g plotter, com
GEOSpider available at http://www.oreware.com vTrace available at http://vtrace.pl Q Q 0 Q Q Trout available at http://www.mcafee.com Roadkil's Trace Route available at http://www.roadkil.net Magic NetTrace available at http://www.tialsoft.com 3D Traceroute available at http://www.d3tr.de AnalogX HyperTrace available at http://www.analogx.com Network Systems Traceroute available at http://www.net.princeton.edu Ping Plotter available at http://www.pingplotter.com
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
CEH
WHOIS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
s Footprinting M ethodology
So far we have discussed various techniques of gathering information either with the help of online resources or tools. Now we will discuss footprinting through social engineering, the art of grabbing information from people by manipulating them. This section covers the social engineering concept and techniques used to gather information.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
r E ll
!z
0
Social engineering is the art of convincing people to reveal confidential information Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it
r \ 4 1 r*
0
Social engineers attempt to gather: Credit card details and social security number & User names and passwords S Other personal information Security products in use Operating systems and software versions Network layout information IP addresses and names of servers S S S S
0
Social engineers use these techniques: Eavesdropping Shoulder surfing Dumpster diving Impersonation on social networking sites a
S S S
m
0 0
Copyright by EG-G(HIICil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
C ollect Inform ation Using Eavesdropping, Shoulder Surfing, and Dum pster D iving
f CU
[j
Eavesdropping
Eavesdropping is unauthorized listening of conversations or reading of messages It is interception of any form of communication such as audio, video, or written
S houlder Surfing
& Shoulder surfing is the procedure where the attackers look over the user's shoulder to gain critical information Attackers gather information such as passwords, personal identification number, account numbers, credit card information, etc.
D u m p ster Diving
Dumpster diving is looking for treasure in someone else's trash It involves collection of phone bills, contact information, financial information, operations related information, etc. from the target company's trash bins, printer trash bins, user desk for sticky notes, etc.
C ollect Inform ation u sin g Eavesdropping, Shoulder Surfing, and D um pster D iving
As mentioned previously eavesdropping, shoulder surfing, and dumpster driving are the three techniques used to collect information from people using social engineering. Let's discuss these social engineering techniques to understand how they can be performed to obtain confidential information.
Eavesdropping
Eavesdropping is the act of secretly listening to the conversations of people over a phone or videoconference without their consent. It also includes reading secret messages from communication media such as instant messaging or fax transmissions. Thus, it is basically the act of intercepting communication without the consent of the communicating parties. The attacker gains confidential information by tapping the phone conversation, and intercepting audio, video, or written communication.
Shoulder Surfing
With this technique, an attacker stands behind the victim and secretly observes the
victim's activities on the computer such keystrokes while entering usernames, passwords, etc.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
This technique is commonly used to gain passwords, PINs, security codes, account numbers, credit card information, and similar data. It can be performed in a crowded place as it is relatively easy to stand behind the victim without his or her knowledge.
D um pster D iving
This technique is also known as trashing, where the attacker looks for information in the target company's dumpster. The attacker may gain vital information such as phone bills, contact information, financial information, operations-related information, printouts of source codes, printouts of sensitive information, etc. from the target company's trash bins, printer trash bins, and sticky notes at users' desks, etc. The obtained information can be helpful for the attacker to commit attacks.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology
WHOIS Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting Footprinting through Social Engineering Footprinting through Social Networking Sites
Competitive Intelligence
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
IV
social networking sites and then use the false employees to give up their sensitive information
Employees may post personal information such as date of birth, educational and employment backgrounds, spouses names, etc. and information about their company such as potential clients and business partners, trade secrets of business, websites, company's upcoming news, mergers, acquisitions, etc.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
accounts on the sites. To obtain more information about the target, attackers may create a fake account and use social engineering to lure the victim to reveal more information. For example, the attacker can send a friend request to the target person from the fake account; if the victim accepts the request, then the attacker can access even the restricted pages of the target person on that website. Thus, social networking sites prove to be a valuable information resource for attackers.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
What Users Do
Organizations Do
Attacker Gets
Maintain profile
User surveys.*
Connect to friends, chatting Share photos and videos Play games, join groups
Promote products
Product profile
....
User support Social engineering
........................
i Platform/technology ' : information
Recruitment
Creates events
Type of business
n
Copyright by EG-G(HIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
information about them and to get connected with others. The profile generally contains information such as name, contact information (mobile number, email ID), friends' information, information about family members, their interests, activities, etc. People usually connect to friends and chat with them. Attackers can gather sensitive information through their chats. Social networking sites also allow people to share photos and videos with their friends. If the people don't set their privacy settings for their albums, then attackers can see the pictures and videos shared by the victim. Users may join groups to plays games or to share their views and interests. Attackers can grab information about a victim's interests by tracking their groups and then can trap the victim to reveal more information. Users may create events to notify other users of group about upcoming occasions. With these events, attackers can reveal the victim's activities. Like individuals, organizations also use social networking sites to connect with people, promote their products, and to gather feedback about their products or services, etc. The
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
activities of an organization on the social networking sites and the respective information that an attacker can grab are as follows: W h at Organizations Do User surveys Promote products User support Background check to hire employees W h at Attacker Gets Business strategies Product profile Social engineering Type of business
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Middle East
1 7 4 , 5 8 6 , 6 8 0 V/ V 1 7 4 , 5 8 6 , 6 8 0 '-
N. A m e ric i^ J^
1 8 , 2 4 1 , 0 8 0
STk ,'%
Latin Am erica
1 4 1 , 6 1 2 , 2 2 0
845
r\ * 100 o O
&
million monthly active users billion connections
250
W
1 of every 5 of all page views minutes time spent per visit
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
About
The Otooal John legend Facebook Page. John legend new song *Tonght now on !Tires hQpe/flh7&Ton0tf Biography
Basic Info
O U H flM facrbook Cm t u a/M John legend CALL (713) 502-8008 Hornet01 ItK O fd ljW General Manager SpmgfieU. O M GOOOMusc-Sony/Cotnta TheArftsi* Orgaruabon
Recordng artist, concert performer and tNantfropst John legend hat won nne Grammy *ward* and wa* named one ofTwemagaane * 100mo*trAjenftal
lurched ha career as a sesson player and vocabt, corrbutrg to bestsekng reardngi by lairyn H i, Ak>a Key*. Jay 2and CanyeWest before recordng hs own irfcrofcen chan of Top 10aborts Get lifted (2004), Once Agai ...Sea Mo* Artists We Also Idee Estde, vaughn Anthony, Kanye West. Good M\j k
* Carre( location
Contact Info
Webute http://www johrtegend com http://www.d10wmecanpegn.org
About CreMe an Ad C ette a Page Developer* Careers Privacy Cootoes -Term! H e fc >
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Urtifwd
CEH
ilhiul lUtbM
A
Twee* to M ine Rooney Tiveets *1 im > g t j Pau' WcCartnej
j Q W a y n a B o c n c y
Tweeta FOIW iina
1a 1
= /
vm m m
9
cant tele.e aTheReaKC3fifKrtoano'a* c*f*nnjr *H 0 R8 8 p#ct he don* * 0 mjc'i the couWy > ct4o1C01r JR o y m p c s
465
million accounts
350
K1:
76%
55%
sH op e paulm e n tr? 9 I
Wayne Rooney 3wsyr<J4v,, I Great riotoryof Brrtr aiiesiy. D tl'eient 1 1 r lib.o ooon UfC'B
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Wayne Rooney O
wayneRooney
haps/wwu. / a c e b o o i c . e o m .^ ayntMoon*i/
hnp offc*a*aynafonay 00m
Follow
A-
d
T w e e t to W a yn e R o o n ey
4,635.170
V / e e tS M
No repliH
QWayneRooney
T w e e ts
a
m
j
P ie rs M o rg an
:-. .:;j
l s ti < 0 qute understand why me he! we have to hear everythrg FRENCH first7 Utter* ndicutous solympicceremony =K**!K ty Wayne Rooney Expand
P m ills vtrStacAV s
rw vcni ayca
U W
3 M
cant befteve . TheReaUVC3 a not part of this ceremony NoResped he done so much 4 the country Imao= London20l2 *Olympics Rtfwwwd ty Wayna Rooney
E x p a n d
2012 Tw*ta About Halp Tam* Privacy Btog Statu A Ad *< *ft B 1
H
a
Karl Hyde * v . H y i ayneRooney themchaelowen becks to bght a footba and ' bet I straight r to the Olympic stadum torch GO Ratweatad by Wayna Rooney
Va> oonvorMbon Ian H ich o lls , .* Ja r
R Yes the beaoes Hope paul me a Sflgng later Representing Kerpool Best band ever
.i > *Rooney
Wayne Rooney vaynaRooeey , Great history of brtar already Different to any other ceremony i have seen before
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
G otackla S t> c *
Chris Stone
Pn.jr h i : U.1 .j. itv B-. 1 FWi; u rn
B P
C*rwl Pro g m m tn M n n n j> f Mfrclacfc*Ban k0 .Ijium (SH .*m p t0 y*d ) # S Pwl *M dotOp!!**" PtyKt$ * Sv&oc K *XA BankEtra* P re 9 tsm r 1 0M anigwa MABjn* tu:c < 0 .1(>! ^ i P > r 1 > w n ti *XA tPxx!r *cnttVtX tnttto* &C w lfi tni *!*?nt'ilo* fa1r*11!1n )pNft'ImiKonminMOm C onpjnyW 6tM
4 , in* FT Y s - -
new members join every second
is i a ^
2,447
employees located around the world
$522 million
revenue for 2 0 1 1
2 million companies
have Linkedin company pages
C o llectin g L in k e d in In fo rm atio n
Similar to Facebook and Twitter, Linkedin is another social networking site for professionals. It allows people to create and manage their professional profile and identity. It allows its users to build and engage with their professional network. Hence, this can be a great information resource for the attacker. The attacker may get information such as current employment details, past employment details, education details, contact details, and much more about the target person. The attacker can collect all this information with the footprinting process.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Linked 03 A c c o u n t
Horn* ProM Contacts
bmc m**1
Group Job inbox CoflipanM Non Mon
Chris Stone
Programme Manager at Deutsche Bank Belgium
Brussels Area Be*yum Management Consumg
Se e expanded
Connect Send InMari Save Chns's F Current Programme Manager at Deutsche Bank Belgium Director and Consultant * Program Management Solutions spl (Se It employed) Head of Operations Projects & Support Investment Omsk*! at AXA Bank Europe Programme Manage* at AXA Bank Europe Outsourcing Programme & Procurement Manager at AXA BekpumO Mil Henot-Watt Institute of Chartered Secretaries and Adnw*st/ators 3 people have recommended Chns
Past
500 connections Websites Company Webs4e Public Protoe http //be knkedn comWcsstone
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
tm
900 Sec
8 2 9 ,4 4 0 I Videos uploaded
,G E E
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Redirect URL
Enter any URL you want the target to redirect to
Open the URL in this field and keep checking for target's IP
kKprs41: http Ifwmi nyiptesi corr/img ph3^d=zuibg1f?8.'dr=viww gruil con&rd =yatoc c>rr&
Link ID Ideujbg1f2
IP 85.93.218.204
Proxy NO
Refer NO
http://www.myiptest.com
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Link for person: http //www myiptest com/1mg php7id=zdeujbq1f2&rdr=www gmail com&rdr=yahoo com& Redirect URL: http# www gmail com Link (or you: http //www myiptest com/staticpages/index php/how-about-you?id=zdeujbg1f2&showjp:
Link ID zdeujbglf2
IP 85.93.218.204
Proxy NO
Refer NO
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting Concepts
Footprinting Threats
Footprinting Methodology
Footprinting Countermeasures
Footprinting Tools
M odule Flow
Footprinting can be performed f: with the help of tools. Many organizations offer tools
that make information gathering an easy job. These tools ensure the maximum
Footprinting Concepts
|w |
Footprinting Tools
Footprinting Threats
Footprinting Countermeasures
CD
Footprinting Methodology
vtv
This section describes tools intended for grabbing information from various sources.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
r V 1 ^ 0 O 0 9 o q o on ~
9
&
'3
r *
wm Internet Domain
o :J ^ O Wc
< o Or
Personal Information
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Setting Window
http ://www. domoinpunch.1
maintaining multiple domain names. It supports the display of additional data (expiry and creation dates, name server information), tagging domains, secondary whois lookups (for thin model whois TLDs like COM, NET, TV). The following is a screenshot of the Domain Name Analyzer Pro tool showing domain name information:
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
T Z 0''
C * (C
Output
! 1 S M d rt M D oium
_ Mrtc 0*H t 9
ttS S M T O I
A
ittu1
loolu* 0ou SM n
VWw
mctosofttom
u p tn ctm l
W DoalootupAt WTMJtMSJSPM
M1211*2i * Ml
1
CO*
VMiDoicom
cwtMhKftetca U|Rm<*k1
Mi.1n.1S2J(
m n M .W
C O T
cert1 fiedtwckef.com
/ B ar D o m a a i
me dflman certfo^artec.com resot.es to an ip Address [202.7S.S4.101]. So t is m ost H cely not avaiafeie for reparation unless your ISP, -j Unknow il networt adm m rt&atof or youlux setic the local netm oA to resohe al host nam es.
. < ft i)phtS
t H yp h n *te I you war* the hois data nstead ths guck O N S basedcheck.
Y o um ay use the iop Seangs and toaMe the Mranae Wtms loota** option
fc f e n d 901
j j InAuctc
W W WD o
0 2
t [NAttO 01I I W
1fc
nuu
* U S MO
Mat V I
D * * J
D o m a i n N a m e In fo rm a t io n
FIGURE 2.46: Domain Name Analyzer Pro software showing Domain Name Information
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Extract targeted company contact data (email, phone, fax) from web for responsible b2b communication Extract URL, meta tag (title, description, keyword) for website promotion, search directory creation, web research
Ethical Hacking and Countermeasures Copyright by EC-COlMCil All Rights Reserved. Reproduction is Strictly Prohibited.
Job 0
1 16 |
1bp.
1 1 1 1 1 , 1 1
1 20 12 0 1 1 1 2 0 1 2 0 1 1 1 2 0 12 0 1 1
12-01 2011 P0< *if ro Key
http //oeitfiedhacke hftp//oe1tfiedhacke http //ce tfiedhacke http//ce tifiedhacke IV .tD f // tficdhacke h rtp r //ce tfiedhad-.e HU//os tficdhacke tfiedhacke N.t//osilificdhacke tficdhacke http: //cei tfiedhacke h*t>.//cc1 lficdhackc tficdhacke http //esi tfiedhacke hf.t>7/o=1lficdhacke tficdhacke htlp //ceitfiedhacko H U M 08 tfiedhacke Iv.tp//cs tfiodhacke hr.io//on tfiedhacke http //oo tfiedhacko tfiedhacke http //c3 tfiedhacke hf(n//05 tfiedhacke Iv.tp//cc tficdhackc hrtp/Zotfiedhacke Iv.tp//co tficdhackc k*tp//c1tfiedhacke Iv.tp //coitfiedhackc tficdhackc 1Vtp//0il tfiedhacke tficdhacke Utp//&e1tfiodhotko http //0*1tliedhacke 1 l.tu //us tficdhacke http// ttiodhaoko 1r.to//c1tfimdliacke help //c#1 tfidhok Hta //coiUipdhacko
h :b/ / c e i
N .ID / / 0 3
*sT<*rr Hot! Title Domai Pao* 12 G G 1 com,0nlr< Onlne Booking: I # booking, hotel Drihe Ecckr http://califcdo c 39498 rrn/flnlr< f rlhf* Booking Hot bccking. kclel rirwEcckr h p/ , c c conw'Onlrt Onlne Booking: Prr booking, Hotel Drihe Ecckr http://califcdo c 5 G G 3 corn/P-folirP-Folc hrp * . c 9307 corn/'P-foli: F Tolc htip://1 califcdo : 8531 con> yP fofc P-Folc M ip7;catieda c 10049 cora/P-folfcPFolc http, ^cahfccho c ccn Keal I Frole^onal R ea ltie s eUa e. 1ea= > ote>nxIFWT!://cai1fa c 3683 3089 corn/Real I FioIcsb13 l Real E; =c:Idc. ic< j ^0fc;^3evdF htpV/ccthfccfo c com/Real I Ftole^malRaIE<ra etta,rea:>ote?tonalFhep://C11f<ia c 4352 5767 com/Real I Ftotessbnal Real E: 15 3 estae. tea ^ofcjiwnalFhUp://calif edo c 5789 conWReallFTole^malRaalEuaa ettae, rea 3 ote^xial F Wcp:'/c1fcfa c 10147 com/RecicYcu coircav-PecSonckeywd A shat desaihtlp.//califcdo c 10081 com/'RecipYou coTpary -Fee Soto keyword A *Hat deiai http://C6fhf<f a c 5762 con/Recic Ycu corpdrv-AtcSonetev-iod A :fa ! de:c1ihUD.//cef1 ife1 a c 9635 com/Fleci;: Ycu ODrpa-y FeeS0 n9 kyw dA skat dosaihtfp:/ ccri1fcd 1 a c 5828 com/Recic You corparp Ccr Son- key!ad A *tort desai hip c 9366 oont/RecipYcu oorpary Fee Sons kcycrd A ska dosa1htfp:/ cahfcdo c 9594 com/RecinYcu corpary -Pet Son- keypad A ?*cii daciiKtrp //ceiiife+a c 8397 oorn/RecipYou ooirpary Fee Sons keyMad \ ska dosai Mp:/ cerlifed o c 10804 conWRecir Ycu aiTf-ary -Pec Son keyword A ?ha de?aihrcr/;ceriliecto c 1271G oom/'Rcoif Ycu covpary Pee Sone keypad A :ha desaihttp://ca!ifcclo c 8862 corWRedp Y a j eoTpary F Son keyword A *km dMcrih(1 f1 /;c(M(ta c 13274 com /Socia Unite Togclhe1 ijEl.cyvcd,orp A beef 0:|hltp://ca1 ifcdo c 12451 corn/Red(:Yaj conrpary Fer Son* kpywrd A 1kcil deiaihltp/,eeMectA c 1409 oom/Socia h*p://ca1ifc<Jo c corVSona Unite 1ogethei it k ejvw-11: or p A t*el n*K (*Mip/;eM#eto c 16239 12143 ccm/Socia Unite -1ogethci i>Ckeyv*adi. w p A btef oe1 . 1 1 ( U p '/!ahfaJ o t cont/Soci*Unite 1ogethei1: fc > vc13:. 0p A b< 4f 0f :f hp ,chf< *.* c 16259 5227 U t '/cahfaJo t corWTuibc I ndo Under tho I ro M p ' ccfhfc>o 0 8693 ht'(j.//Leftfe1 J 0 c 2963 coru/Unde Under the Tie 5932 oora/Und* Undo! the I r# Mtp:/;cMch c 7909 com/RcoitYcu --1_a 1 -MerSone keypad A tkad*!a 1Wp:/CW<*-di con 11584
1 2 0 12 0 1 1 2 0 1 2 0 1 1 9 4 6 4 1 1 2 0 1 2 0 1 1 1 2 0 1 2 0 1 1 1 2 0 1 2 0 1 1 1 2 0 1 2 0 1 1 1 2 0 1 2 0 1 1 1 2 0 1 2 0 1 1 1 2 0 1 2 0 1 1 1 2 0 1 2 0 1 1 1 2 0 1 2 0 1 1 1 2 0 12 0 1 1 1 2 0 1 2 0 1 1 1 2 0 12 0 1 1 1 2 0 1 2 0 1 1
12 01 2011
1 2 0 1 2 0 1 1 1 2 0 12 0 1 1 1 2 0 1 2 0 1 1
12 01 2011 12 01 2011
1 2 0 1 2 0 1 1
1 2 0 1 2 0 1 1 1 2 0 12 0 1 1 1 2 0 1 2 0 1 1 1 2 1L 0 1 1 1 2 0 1 A ll 1 2 0 1 2 0 1 1
12-01 All I
0 0 1 1
1 2 0 1 2 0 1 1
12 -010 1 011^
l.,/tahfaJo c
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Netmask
http ://w w w .ph en o elit-us.o rg
NetScanTools Pro
h ttp://w w w .netscantools.com
Binging
h ttp ://w w w .b lu e in fy . com
Tctrace
http://w w w .ph en o elit-us.o rg
Spiderzilla
http ://sp id erzilla .m o/d ev.org
Sam Spade
h ttp://w w w .m ajorgeeks.com
ifi
DNS DIGGER
http://w w w .dnsdigger.com
Robtex
n <^KPj
h ttp ://w w w .rob te x.co m
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
(EH
SpiderFoot
http://w w w .bin a ryp oo l.com
CallerIP
http://w w w .calleripp ro .com
ActiveWhois
h ttp ://w w w .joh n ru .co m
Zaba Search
h ttp://w w w .zabasearch. com
m
Ww
yoName
http://yonam e.com
GeoTrace
j
h ttp ://w w w .n a b b e r.o rg
(? W
Ping-Probe
http://w w w .ping-probe.com
DomainHostingView
h ttp ://w w w .n irs o ft.n e t
SpiderFoot available at http://www.binarypool.com 0 Q Q CallerIP available at http://www.callerippro.com Zaba Search available at http://www.zabasearch.com GeoTrace available at http://www.nabber.org DomainHostingView available at http://www.nirsoft.net
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
So far we have discussed the importance of footprinting, various ways in which footprinting can be performed, and the tools that can be used for footprinting. Now we will discuss the countermeasures to be applied in order to avoid sensitive information disclosure.
Footprinting Concepts
IHJ
Footprinting Tools
Footprinting Threats
footprinting Countermeasures
C L)
Footprinting Methodology
% ((
Ethical Hacking and Countermeasures Copyright by EC-C0UllCil All Rights Reserved. Reproduction is Strictly Prohibited.
UrttfM
CEH
itfciui IUck
Use an IDS that can be configured to refuse suspicious traffic and pick up footprinting patterns
Evaluate and limit the amount of information available before publishing it on the website/ Internet and disable the unnecessary services
Prevent search engines from caching a web page and use anonymous registration services
Enforce security policies to regulate the information that employees can reveal to third parties
&
F o o tp rin tin g C o u n te rm e a su re s
Footprinting countermeasures are the measures or actions taken to counter or offset information disclosure. A few footprinting countermeasures are listed as follows: y 9 Q Configure routers to restrict the responses to footprinting requests. Lock the ports with suitable firewall configuration. Evaluate and limit the amount of information available before publishing it on website/Internet and disable the unnecessary services. Prevent search engines from caching a webpage and use anonymous registration services. Configure web servers to avoid information leakage and disable unwanted protocols. Q Use an IDS that can be configured to refuse suspicious traffic and pick up footprinting patterns. Q Q Perform footprinting techniques and remove any sensitive information found. Enforce security policies to regulate the information that employees can reveal tothird parties. the
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
So far we discussed all the necessary techniques and tools to test the security of a system or network. Now it is the time to put all those techniques into practice. Testing the security of a system or network using similar techniques as that of an attacker with adequate permissions is known as penetration testing. The penetration test should be conducted to check whether an attacker is able to reveal sensitive information in response to footprinting attempts.
*j Footprinting Concepts
| !!J!
Footprinting Tools
Footprinting Threats
FootPrint'ng Countermeasures
Q O
Footprinting Methodology
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Penetration testing is an evaluation method of system or network security. In this evaluation method, the pen tester acts as a malicious outsider and simulates an attack to find the security loopholes.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
0
Footprinting pen test is used to determine organization's publicly available information on the Internet such as network architecture, operating systems, applications, and users The tester attempts to gather as much information as possible about the target organization from the Internet and other publicly accessible sources
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
C EH
Get proper authorization and define the scope of the assessment Footprint search engines such as Google, Yahoo! Search, Ask, Bing, Dogpile, etc. to gather target organization's information such as employee details, login pages, intranet portals, etc. that helps in performing social engineering and other types of advanced system attacks Perform website footprinting using tools such as HTTrack Web Site Copier, BlackWidow, Webripper, etc. to build a detailed map of website's structure and architecture
Define the scope of the assessment J Use search engines such as Google, Yahoo! Search, Bing, etc.
>
' y
!1 n
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Footprint search engines such as Google, Yahoo! Search, Ask, Bing, Dogpile, etc. to gather the target organization's information such as employee details, login pages, intranet portals, etc. that can help in performing social engineering and other types of advanced system attacks.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
^
Urt.fi* | ttk.ul Nm Im
Perform email footprinting V Gather competitive intelligence y Perform Google hacking V Perform W HOIS footprinting
Perform email footprinting using tools such as eMailTrackerPro, PoliteMail, Email Lookup - Free Email Tracker, etc. to gather information about the physical location of an individual to perform social engineering that in turn may help in mapping target organization's network Gather competitive intelligence using tools such as Hoovers, LexisNexis, Business Wire, etc. Perform Google hacking using tools such as GHDB, MetaGoofil, SiteDigger, etc. Perform WHOIS footprinting using tools such as WHOIS Lookup, SmartWhois, etc. to create detailed map of organizational network, to gather personal information that assists to perform social engineering, and to gather other internal network details, etc.
;....
I ....
I ....
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Perform the WHOIS footprinting technique to extract information about particular domains. You can get information such as domain name, IP address, domain owner name, registrant name, and their contact details including phone numbers, email IDs, etc. Tools such as SmartWhois, CountryWhois, Whois Pro, and ActiveWhois will help you to extract this information. You can use this information to perform social engineering to obtain more information.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Peforrr DNS f ODtp-'rt'ng Lsng tio s ;s DIG, NsLcon.jp, DHS Records, etc. to sete'Tne hey hosts 'n the ret *w< and peform socia erj'ree-'rj attacks
Perform DN5 footprinting
to o s S J SS DIG, MSLookup etc.
se to o s
s j
? i
as Path
Peform r.etwo<footpr'rt'ns using too such as Path Ana yzer Pro. VisualRoute 20 10, N etw oA Pinger, etc. to c eate a ra p of the ta'get's netwo<
np erertsa>c'a engmeering techniques such as eavesdropping dodder surf ng and dumpster diving that fray help to gathe r o e critka nfonration aboLtthe taget otganaibon Gathe taget organ 2at on enp oyees inforat or. fron the' pesara p*0F es on social netwo-icng stes stchas Facebook, Linkedln, Tvitter, Google*, Pinterest, etc.thatisssttopefarr s 3cia eng'rvee'ing
J
fey
Perform DNS footprinting using tools such as DIG, NsLookup, DNS Records, etc. to determine key hosts in the network and perform social engineering attacks. Resolve the domain name to learn about its IP address, DNS records, etc.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
EH
Information obtained through people search g ^ ^ Date of birth: Contact details: Email ID: Photos: Others: Information obtained through Google T Advisories and server vulnerabilities: Error messages that contain sensitive information: A i Files containing passwords: Pages containing network or vulnerability data: Others:
j igp Scripting platforms used: W ? Contact details: 0 CMS details: Others: Information obtained through email footprinting H IP address: GPS location: Authentication system used by mail server: Others:
Information obtained through competitive intelligence H Financial details: Project plans: Others:
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Pen Te stin g R e p o rt
Inform ation ob&ined through search engines
|J Employee details Login pages Intranet portals: 0 ^ Technology platforms: Others: Q Q
f Q
IPwMreu:
GPS location: Authentication system used by m ai serv er Others:
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
E5 !
1
ft
m %
m
Personal information: Financial information: Operating environment: User names and passwords: Network layout information: IP addresses and names of servers: Others:
5$
ft
Type of servers: Others: Information obtained through social networking sites B a Personal profiles: Work related information: News and potential partners of the target company: Educational and employment backgrounds: Others: Copyright by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited. 1
Information obtained through network footprinting Range of IP addresses: Subnet mask used by the target organization:
^
Others:
Financial inform ation: Operating environm ent: U sernam es and passwords: Network layout information: IP a d d re sse s and names of servers: O thers:
ft ra
s;
ft
**
Personal p ro fies: W ort related information: N ew s and potertiai partners of th e target company: Educational and em ploym ent background.
^
^
a
*A
O thers:
FIGURE 2.49: Pen Testing Report showing information obtained through footprinting and social engineering
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le S u m m a ry
| 0
Footprinting is the process of collecting as much information as possible about a target network, for identifying various ways to intrude into an organization's network system It reduces attacker's attack area to specific range of IP address, networks, domain names, remote access, etc. Attackers use search engines to extract information about a target Information obtained from target's website enables an attacker to build a detailed map of website's structure and architecture Competitive intelligence is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet DNS records provide important information about location and type of servers Attackers conduct traceroute to extract information about: network topology, trusted routers, and firewall locations Attackers gather sensitive information through social engineering on social networking websites such as Facebook, MySpace, Linkedln, Twitter, Pinterest, Google+, etc.
M odule S u m m ary
Footprinting refers to uncovering and collecting as much information as possible about a target of attack. Q It reduces attacker's attack area to specific range of IP address, networks, domain names, remote access, etc. Attackers use search engines to extract information about a target. Information obtained from target's website enables an attacker to build a detailed map of website's structure and architecture. Q Competitive intelligence is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet. Q Q DNS records provide important information about location and type of servers. Attackers conduct traceroute to extract information about: network topology, trusted routers, and firewall locations. W Attackers gather sensitive information through social engineering on social networking websites such as Facebook, MySpace, Linkedln, Twitter, Pinterest, Google+, etc.
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.