Module 2 V3.0 ppt by tienson22


Ethical Hacking

Module II


Adam is furious. He had applied for the network engineer job at He believes that he was rejected unfairly. He has a good track record, but the economic slowdown has seen many layoffs including his. He is frustrated – he needs a job and feels he has been wronged. Late in the evening he decides that he will prove his mettle.

¤ What do you think Adam would do?
¤ Where would he start and how would he go about it?
¤ Are there any tools that can help him in his effort?
¤ Can he cause harm to
¤ As a security professional, where can you lay checkpoints and how can you deploy countermeasures?

Module Objectives

¤ Overview of the Reconnaissance Phase
¤ Introducing Footprinting
¤ Understanding the information gathering methodology of hackers
¤ Comprehending the Implications
¤ Learning some of the tools used for the reconnaissance phase
¤ Deploying countermeasures


Revisiting Reconnaissance

[Diagram residue: attack-phase labels "Access", "Maintaining", "Tracks"]

¤ Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack.
¤ It involves network scanning either external or internal without

Defining Footprinting

¤ Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodological manner.
¤ Footprinting is one of the three pre-attack phases. The others are scanning and
¤ Footprinting results in a unique organization profile with respect to networks (Internet / Intranet / Extranet / Wireless) and systems


Information Gathering Methodology

¤ Unearth initial information
¤ Locate the network range
¤ Ascertain active machines
¤ Discover open ports / access points
¤ Detect operating systems
¤ Uncover services on ports
¤ Map the Network

Unearthing Initial Information

¤ Commonly includes:
  ¤ Domain name lookup
  ¤ Contacts (Telephone /
¤ Information Sources:
  ¤ Open source
¤ Hacking Tool:
  ¤ Sam Spade


    targetcompany (targetcompany-DOM)
      # Street Address
      City, Province
      State, Pin, Country
      Domain Name: targetcompany.COM

      Administrative Contact:
        Surname, Name (SNIDNo-ORG)
        targetcompany (targetcompany-DOM) # Street Address
        City, Province, State, Pin, Country
        Telephone: XXXXX Fax XXXXX
      Technical Contact:
        Surname, Name (SNIDNo-ORG)
        targetcompany (targetcompany-DOM) # Street Address
        City, Province, State, Pin, Country
        Telephone: XXXXX Fax XXXXX

      Domain servers in listed order:
        NS1.WEBHOST.COM           XXX.XXX.XXX.XXX
        NS2.WEBHOST.COM           XXX.XXX.XXX.XXX
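The whois output above is exactly what the "unearth initial information" step harvests: registrant, named contacts, phone numbers and authoritative name servers. As an added example (not part of the course slides or of Sam Spade), the Python below parses a record in that classic NIC layout and lists what an outsider learns from it, so a domain owner can review the record the way an attacker reads it. The sample record is constructed to mirror the slide's placeholder output; the e-mail addresses and phone numbers in it are invented, and the regular expressions assume the labelled "Administrative Contact:" / "Technical Contact:" sections and the "Domain servers in listed order:" block shown on the slide.

```python
"""Parse a NIC-style whois record and report what it exposes.

Added example, not from the slides.  Assumes the layout shown above:
labelled contact sections, "Telephone: ... Fax ..." lines and a
"Domain servers in listed order:" block of "NAME  IP" lines.
"""
import re

# Constructed sample record modelled on the slide's placeholder output.
# E-mail addresses, phone numbers and IPs (documentation range) are invented.
SAMPLE_WHOIS = """\
targetcompany (targetcompany-DOM)
   # Street Address
   City, Province
   State, Pin, Country
   Domain Name: targetcompany.COM

   Administrative Contact:
      Surname, Name (SNIDNo-ORG)  admin@targetcompany.com
      targetcompany (targetcompany-DOM) # Street Address
      City, Province, State, Pin, Country
      Telephone: 555-0100 Fax 555-0101
   Technical Contact:
      Surname, Name (SNIDNo-ORG)  tech@targetcompany.com
      targetcompany (targetcompany-DOM) # Street Address
      City, Province, State, Pin, Country
      Telephone: 555-0102 Fax 555-0103

   Domain servers in listed order:
      NS1.WEBHOST.COM           192.0.2.10
      NS2.WEBHOST.COM           192.0.2.11
"""

# A "<Role> Contact:" header followed by its body, up to the next header,
# the name-server block, or end of text.
CONTACT_RE = re.compile(
    r"^\s*(\w+) Contact:\n(.*?)(?=^\s*\w+ Contact:|^\s*Domain servers|\Z)",
    re.M | re.S,
)
# "NS1.WEBHOST.COM   192.0.2.10" lines in the name-server block.
NS_RE = re.compile(r"^\s*([\w.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_whois(text):
    """Return the domain, per-role contact details and name servers."""
    record = {"domain": None, "contacts": {}, "name_servers": []}
    m = re.search(r"Domain Name:\s*(\S+)", text)
    if m:
        record["domain"] = m.group(1).lower()
    for m in CONTACT_RE.finditer(text):
        role, body = m.group(1).lower(), m.group(2)
        contact = {"name": None, "handle": None, "email": None, "phone": None, "fax": None}
        # First "Surname, Name (HANDLE)" line of the section.
        nm = re.search(r"^\s*([^\n(]+?)\s*\(([^)]+)\)", body, re.M)
        if nm:
            contact["name"], contact["handle"] = nm.group(1), nm.group(2)
        em = re.search(r"[\w.+-]+@[\w.-]+", body)
        if em:
            contact["email"] = em.group(0)
        ph = re.search(r"Telephone:\s*(\S+)\s+Fax\s+(\S+)", body)
        if ph:
            contact["phone"], contact["fax"] = ph.group(1), ph.group(2)
        record["contacts"][role] = contact
    if "Domain servers in listed order:" in text:
        tail = text.split("Domain servers in listed order:", 1)[1]
        record["name_servers"] = NS_RE.findall(tail)
    return record


def exposure_report(record):
    """List every item an outsider learns from the record: the footprinting yield."""
    findings = []
    for role, c in record["contacts"].items():
        if c["name"]:
            findings.append(f"{role} contact names a real person: {c['name']}")
        if c["email"]:
            findings.append(f"{role} contact e-mail published: {c['email']}")
        if c["phone"]:
            findings.append(f"{role} contact phone published: {c['phone']}")
    for host, ip in record["name_servers"]:
        findings.append(f"authoritative name server exposed: {host} ({ip})")
    return findings


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("domain:", rec["domain"])
    for line in exposure_report(rec):
        print(" -", line)
```

Each finding is a candidate for a countermeasure rather than a vulnerability in itself: role mailboxes and a switchboard number instead of a named engineer's direct line remove the social-engineering hooks the scenario later relies on, while the name-server list cannot be hidden and should simply be expected to be known.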


¤ Nslookup is a program to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure.
¤ It helps find additional IP addresses if the authoritative DNS server is known from whois.
¤ The MX record reveals the IP of the mail server.
¤ Both Unix and Windows come with a Nslookup
¤ Third-party clients are also available – e.g. Sam

Scenario (contd.)

Adam knows that targetcompany is based in NJ. However, he decides to check it up. He runs a whois from an online whois client and notes the domain information. He takes down the email ids and phone numbers. He also discerns the domain server IPs and does an interactive Nslookup.

¤ Ideally, what extent of information should be revealed to Adam during this quest?
¤ Are there any other means of gaining information? Can he use the information at hand in order to obtain critical information?
¤ What are the implications for the target company? Can he cause harm to targetcompany at this stage?

Locate the Network Range

¤ Commonly includes:
  ¤ Finding the range of IP
  ¤ Discerning the subnet mask
¤ Information Sources:
  ¤ ARIN (American Registry of Internet Numbers)
¤ Hacking Tool:
  ¤ Visual Route


¤ ARIN allows search on the whois database to locate information on networks, autonomous system numbers (ASNs), network-related handles and other related points of contact (POC).
¤ ARIN whois allows querying the IP address to help find information on the strategy used for subnet addressing.

       Screenshot: ARIN Whois Output



¤ Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live.
¤ Traceroute reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs.
¤ As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, it sends back a "TTL exceeded" message (using ICMP) to the originator.
¤ Routers with DNS entries reveal the name of the routers, their network affiliation and geographic location.
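The TTL mechanism described in the bullets above can be modelled without touching the network. The Python below is an added example (not the slides' material and not NeoTrace or VisualRoute code): a constructed four-hop path in which each router decrements the TTL, answers with an ICMP "time exceeded" when it hits zero, and the destination answers the UDP probe with "port unreachable", which is how a real traceroute knows it has arrived. The addresses come from the documentation ranges and the reverse-DNS names are invented; one router is marked as not sending ICMP errors, which is the common case where a trace shows "*" for a hop.

```python
"""Simulate traceroute's use of the IP TTL field.

Added example, not from the slides.  PATH is a constructed route:
addresses are documentation-range IPs, names are invented.
"""
from collections import namedtuple

# answers=False models a router configured not to return ICMP errors.
Hop = namedtuple("Hop", "ip name answers")

PATH = [
    Hop("192.0.2.1", "gw.home.example", True),
    Hop("198.51.100.7", "isp-core-1.example.net", True),
    Hop("203.0.113.9", None, False),                        # silent hop
    Hop("203.0.113.200", "www.targetcompany.example", True),  # destination
]


def send_probe(path, ttl):
    """Forward one UDP probe along the path; return (icmp_reply, replying_hop).

    Every router decrements the TTL before forwarding.  A router that
    decrements it to zero discards the packet and sends ICMP "time
    exceeded" to the sender.  If the packet survives all routers it
    reaches the destination, which answers the probe (sent to an
    unused high UDP port) with ICMP "port unreachable".
    """
    for router in path[:-1]:
        ttl -= 1
        if ttl == 0:
            if router.answers:
                return ("time-exceeded", router)
            return ("timeout", None)          # no reply ever arrives
    return ("port-unreachable", path[-1])


def traceroute(path, max_hops=30):
    """Probe with TTL 1, 2, 3, ... until the destination answers."""
    trace = []
    for ttl in range(1, max_hops + 1):
        reply, hop = send_probe(path, ttl)
        trace.append((ttl, hop.ip if hop else "*", hop.name if hop else None))
        if reply == "port-unreachable":
            break
    return trace


def render(trace):
    """Format the hops the way a traceroute listing reads."""
    lines = []
    for ttl, ip, name in trace:
        label = "*" if ip == "*" else (f"{name} ({ip})" if name else ip)
        lines.append(f"{ttl:2d}  {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(traceroute(PATH)))
```

Running it shows what the slide means by routers "revealing" themselves: hops 1 and 2 expose provider names through their PTR records, hop 3 is blank because that router never sends the ICMP error, and hop 4 is the target host. For a defender the two controls are visible directly in the model: whether edge routers return ICMP time-exceeded at all, and how descriptive their reverse-DNS names are.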
Tool: NeoTrace (Now McAfee Visual Trace)

NeoTrace shows the traceroute output visually – map view, node view and IP view.


       Tool: VisualRoute Trace

Tool: SmartWhois

SmartWhois is a useful network information utility that allows you to find out all available information about an IP address, host name, or domain, including country, state or province, city, name of the network provider, administrator and technical support contact information.

Unlike standard Whois utilities, SmartWhois can find the information about a computer located in any part of the world, intelligently querying the right database and delivering all the related records within a few seconds.

Scenario (contd.)

Adam makes a few searches and gets some internal contact information. He calls the receptionist and informs her that HR had asked him to get in touch with a specific IT division personnel. It’s lunch hour, and he says he’d rather mail the person concerned than disturb him. He checks up the mail id on newsgroups and stumbles on an IP recording. He traces the IP destination.

¤ What preventive measures can you suggest to check the availability of sensitive information?
¤ What are the implications for the target company? Can he cause harm to targetcompany at this stage?
¤ What do you think he can do with the information he has obtained?

Tool: VisualLookout

VisualLookout provides high-level views as well as detailed and historical views that provide traffic information in real time or on a historical basis.

In addition the user can request a "connections" window for any server, which provides a real-time view of all the active network connections showing
¤ who is connected,
¤ what service is being used,
¤ whether the connection is inbound or outbound, and
¤ how many connections are active and how long they have been connected.


       Tool: VisualRoute Mail Tracker

       Screenshot: VisualRoute Mail Tracker


Tool: eMailTrackerPro

eMailTrackerPro is the e-mail analysis tool that enables analysis of an e-mail and its headers automatically and provides graphical results.
Tool: Mail Tracking (

Mail Tracking is a tracking service that allows the user to track when his mail was read, for how long and how many times. It also records forwards and passing of sensitive information (MS Office format).


¤ The information gathering phase can be categorized broadly into seven phases.
¤ Footprinting renders a unique security profile of a target system.
¤ Whois and ARIN can reveal public information about a domain that can be leveraged further.
¤ Traceroute and mail tracking can be used to target a specific IP and later for IP spoofing.
¤ Nslookup can reveal specific users, and zone transfers can compromise DNS security.

