----Footprinting: an Introduction----
By Niels (aka Ch4r) | nielsosky@gmail.com | http://binaryuniverse.net/
| Copy Info |
This tutorial may be redistributed and hosted on other servers as long
as it remains completely unchanged and full credit is given where due.
| Shouts |
Shouts to Subby, Ic3D4ne, mu/~w/tiger, Oropix, Edit, Zugg, Cryptic_Override,
dlab, ScM, and anyone else that I forgot.
| Introduction |
Footprinting is the art of gathering information on a specific host or
network, and is an essential step in attacking a box, and even more
essential when it comes to social engineering. This tutorial aims to
familiarize you, the reader, with the basics of footprinting. Of
course, there is room to learn more once you've read this, but
hopefully this provides a clear introduction. This tutorial is written
from the perspective of a Slackware Linux user, but the same
techniques can be applied on Windows systems. If you have any feedback
related specifically to this tutorial, please drop me an email. If you
have a question about footprinting in general, it would be better that
you post it on some forums, such as the Binary Universe forums
(http://binaryuniverse.net/forums). Having said that, let's get started!
| Basics |
It's important to realize that everyday tools that you may not even
have thought about using can be used for footprinting. One of the most
basic footprinting techniques is simply having a look around the
server's website if you are attacking a server. It will include
information such as phone numbers, email addresses and possibly other
information that could be considered sensitive and could help you
considerably if you are planning a social engineering attack. More such
information could quite possibly be found on Google.
It's also worth the relatively small amount of time it takes to look
through the source code for comments that could be of use (assuming
your target has a site).
| Portscanning and OS Fingerprinting |
Another very useful tool when footprinting is nmap, which can be
downloaded from http://insecure.org/nmap. This section will cover two of
nmap's useful features: portscanning and OS fingerprinting.
Before portscanning can be understood, one must understand the concept
of ports. Every connection made to another host, whether it's for HTTP,
IRC, IM, or any other service, goes to a predefined port. For example,
when you connect to the website http://binaryuniverse.net, you attempt
to connect to the server that Binary Universe is hosted on. If the host
that the domain binaryuniverse.net points to has an HTTP server such as
Apache or IIS listening for connections on port 80, the connection is
successful and the Binary Universe website can be viewed. Otherwise,
you'll get one of those ugly "the connection was refused when
attempting to contact http://binaryuniverse.net" messages.
Now back to the concept of portscanning -- portscanning is when the
attacker uses a tool called a portscanner and scans a host to find
which ports are open. This is useful because the attacker can tell
which services the host is running that could lead to successfully
penetrating the system. To scan a host using nmap, simply use the nmap
command. For example:
bash-2.05b$ nmap example.com
...
...
Interesting ports on example.com:
...
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
3306/tcp open  mysql
6666/tcp open  irc-serv
Information that is not as important is replaced with .... From this
portscan, one can safely say that the target is running SSH and FTP
which could prove useful in rooting the box; an SMTP server, if you
want to mess around with spoofed emails; HTTP, which means this machine
has a web server installed; a POP3 server, which we can do nothing
with; MySQL, which won't be extremely useful; and an IRC server, which
will not prove extremely useful either.
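The same scan output is just as useful from the other side: an admin who runs nmap against their own box can diff what is reachable against what is supposed to be. The following Python script is an added example, not part of the original tutorial; it parses nmap output in the format shown above and flags open ports that are missing from an assumed allow-list (the sample scan and the allow-list values are constructed for illustration).

```python
import re
from typing import Dict, List, NamedTuple

class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str

# Matches the per-port lines of nmap's normal output, e.g. "22/tcp   open  ssh".
_PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap_output(text: str) -> List[PortEntry]:
    """Turn nmap's text output into PortEntry records; non-port lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries

def unexpected_exposure(entries: List[PortEntry], allowed: Dict[int, str]) -> List[PortEntry]:
    """Open ports whose (port, service) pair is not on the host's approved list."""
    return [e for e in entries if e.state == "open" and allowed.get(e.port) != e.service]

# Constructed sample input: the scan result quoted in the tutorial above.
SAMPLE_SCAN = """\
Interesting ports on example.com:
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
3306/tcp open  mysql
6666/tcp open  irc-serv
"""

# Assumed allow-list for this example host: only SSH, mail and web should be reachable.
ALLOWED = {22: "ssh", 25: "smtp", 80: "http"}

if __name__ == "__main__":
    for e in unexpected_exposure(parse_nmap_output(SAMPLE_SCAN), ALLOWED):
        print(f"unexpected: {e.port}/{e.proto} {e.service}")
```

Anything the script prints (here FTP, POP3, MySQL and the IRC daemon) is a service that is reachable but was never meant to be, and is the first thing to firewall off or shut down.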
As mentioned previously, NMAP can also be used for OS fingerprinting.
OS fingerprinting is simply finding out what operating system a
specific host is running. This is accomplished in NMAP via the -O flag.
Eg:
nmap -O 127.0.0.1
Note that this will also do a plain ol' portscan as well, but at the
end it will add something about the OS the target is running and the
uptime. If you don't feel like using NMAP for OS fingerprinting, you
can also use Netcraft, an online tool for OS fingerprinting. Simply go
to http://netcraft.net, and find the box on the left that says
"Webserver search" then, in smaller letters below, "What's that site
running?". This will return not only the OS, but also the HTTP server
that the site is using (eg Linux and Apache).
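Whether it is run with -O or not, an nmap scan like the one above leaves a very recognisable trace on the target: one source address touching many different ports within a few seconds. The following Python script is an added example, not part of the original tutorial; it reads constructed iptables-style LOG lines (the addresses and timestamps are made up) and reports any source that hits at least five distinct destination ports inside a one-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed iptables-style syslog lines (not from the tutorial): a LOG rule
# on the INPUT chain records every inbound connection attempt.
SAMPLE_LOG = """\
Jan 12 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43211 DPT=21 SYN
Jan 12 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43212 DPT=22 SYN
Jan 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43213 DPT=25 SYN
Jan 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80 SYN
Jan 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43214 DPT=80 SYN
Jan 12 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43216 DPT=3306 SYN
Jan 12 10:05:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=443 SYN
"""

_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")

def parse_log(text: str) -> List[Tuple[datetime, str, int]]:
    """Extract (timestamp, source IP, destination port) from each matching line."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def scan_suspects(events, window_seconds: int = 60, threshold: int = 5) -> Dict[str, int]:
    """Per source, the most distinct destination ports hit within any span of
    window_seconds; sources reaching threshold are returned with that count."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    suspects = {}
    for src, evs in by_src.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            ports = {p for ts, p in evs[i:] if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(ports))
        if best >= threshold:
            suspects[src] = best
    return suspects

if __name__ == "__main__":
    for src, n in scan_suspects(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {n} distinct ports")
```

A slow scan spread over hours will slip under a 60-second window, so the threshold and window are tuning knobs, not a guarantee.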
Another method of figuring out what web server a given website is
running is by intentionally requesting a page that doesn't exist. Most
likely the error 404 (page not found) page will be something like this:
------------------------------------------------------
Not Found
The requested URL /gregdfefdsgvsf was not found on this server
Apache/1.3.33 Server at theleetexamplesiteforthetut.com Port 80
------------------------------------------------------
You see the bottom part of the 404 page? That tells us what web server,
and what version of that web server the site is running.
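That footer is not something the web server has to print. As an added example that is not part of the original tutorial, here are the two Apache directives that control it, with the default-style setting that produces the page above next to the setting that suppresses it (use one pair or the other in httpd.conf, not both):

```apache
# Leaky: the 404 footer reads "Apache/1.3.33 Server at example.com Port 80"
# and the Server response header carries the full version string.
ServerTokens Full
ServerSignature On

# Hardened: no footer on error pages, and the Server header shrinks to "Apache".
ServerTokens Prod
ServerSignature Off
```

This hides the version from casual lookups like the one described above; it does not change the behaviour nmap or Netcraft infer from, so it is a reduction in easy information, not a substitute for patching.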
However, you may want to attempt to penetrate a service other than the
web server, such as SSH or FTP, and you will need to find out what
server the target is using. To do this, one should simply Telnet to the
port of the service. Look carefully at the text that pops up after the
connection is established, and you may notice something along the lines
of:
LeetFTPd v5.08
This conveniently informs the attacker that the host is running
LeetFTPd v5.08 as the FTP server. Of course LeetFTPd is a made up name,
and it won't say exactly that word for word -- it'll have the name of
the real FTP server the site's running.
| WHOIS |
WHOIS is yet another relatively useful tool for fingerprinting. It
allows you to find information about a given domain. I usually use
http://geektools.com or http://nic.com when performing a WHOIS. Browse
to one of those or another site offering WHOIS, and simply enter the IP
or hostname of the host you are fingerprinting, and hit enter. You'll
get something similar to this:
---------------------------------
Checking server [whois.crsnic.net]
Checking server [whois.opensrs.net]
Results:
Registrant:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
Domain name: MICROSOFT.COM
Administrative Contact:
Administrator, Domain domains@microsoft.com
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080
Technical Contact:
Hostmaster, MSN msnhst@microsoft.com
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080
Registration Service Provider:
DBMS VeriSign, dbms-support@verisign.com
800-579-2848 x4
Please contact DBMS VeriSign for domain updates, DNS/Nameserver
changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 27-Jan-2005.
Record expires on 03-May-2014.
Record created on 02-May-1991.
Domain servers in listed order:
NS5.MSFT.NET 207.46.138.20
NS3.MSFT.NET 213.199.144.151
NS2.MSFT.NET 64.4.25.30
NS4.MSFT.NET 207.46.66.75
NS1.MSFT.NET 207.46.245.230
Domain status: REGISTRAR-LOCK
---------------------------------
Of course, your target will most likely be a company smaller than
Microsoft, in which case the WHOIS will give you the name and contact
info of whoever decided to register the domain, which can be quite
useful; especially when social engineering.
| The End |
Yeah. The End. Hope you enjoyed it, found it helpful, and all that
stuff.
Binary Universe
http://binaryuniverse.net
http://binaryuniverse.net/forums
irc.binaryshadow.org #binaryuniverse