Ethical Hacking and Intrusion Detection/ Forensics: Instructor: Dr. Avinash Srinivasan Module-2 Chapter-2

The document discusses various topics related to ethical hacking and intrusion detection, including: 1) Footprinting techniques such as passive and active methods for gathering information like whois lookups, DNS records, and Google hacking. 2) The importance of ongoing vulnerability research to stay aware of the latest exploits, viruses, and recommendations to address security issues. 3) Resources for vulnerability research including the National Vulnerability Database and Exploit Database. 4) How DNS records can provide useful information for footprinting, and different DNS record types.

ETHICAL HACKING AND INTRUSION DETECTION/FORENSICS
Instructor: Dr. Avinash Srinivasan
Module-2 Chapter-2

Chapter Objectives

Define active and passive Footprinting

Identify methods and procedures in information gathering

Understand the use of whois, ARIN, and nslookup

Describe DNS record types

Define and describe Google hacking

Use Google hacking in Footprinting

Vulnerability Research

Vulnerability Research: not part of Footprinting, but essential background knowledge.

A vital step you need to learn and master.

You cannot effectively/successfully attack systems and networks if you don't know what vulnerabilities are already defined (publicly documented, e.g. with a CVE identifier).

Vulnerability research is covered in detail on the CEH exam.

Vulnerability Research

Your ongoing vulnerability research is to:

keep track of the latest exploit news
any zero-day outbreaks in viruses and malware
what recommendations are being made to deal with them.

Note: By the time it gets to the front page of USA Today or Fox News, it's probably been out in the wild for a very long time.

Zero Day Vulnerability

An attack or exploit on a vulnerability that the vendor, developer, system owner, and security community didn't even know existed.

When exposed, developers have had no time (zero days) to work on a fix: we all know there is a security flaw, but there's not a whole lot we can do about it yet, beyond mitigations such as disabling the affected feature or restricting access to it until a patch ships.

Vulnerability Research Resources

National Vulnerability Database (nvd.nist.gov)
Exploit-Database (exploit-db.com)
Securitytracker (www.securitytracker.com)
Securiteam (www.securiteam.com)
Secunia (www.secunia.com)
Hackerstorm Vulnerability Research Tool (www.hackerstorm.com)
HackerWatch (www.hackerwatch.org)
SecurityFocus (www.securityfocus.com)
Security Magazine (www.securitymagazine.com)
SC Magazine (www.scmagazine.com)
BlackHat (www.blackhat.com)
DarkReading (www.darkreading.com)

Note: several of the sites listed here have since shut down or stopped publishing advisories (Hackerstorm/OSVDB and SecurityFocus/BugTraq among them). NVD, the CVE list it is built on, and Exploit-DB remain the primary references.

Exercise 2.1
Researching Vulnerabilities
Hacker-Storm Open Source Vulnerability Database (OSVDB)

Note: OSVDB was shut down in 2016 and the Hackerstorm download is no longer offered, so the steps below cannot be reproduced as written; the same vendor/product search can be done against nvd.nist.gov or exploit-db.com.

Steps
1. Create a folder on your C:\ drive named Hackerstorm (just to store everything).
2. Go to www.hackerstorm.com (takes you to http://hackerstorm.co.uk) and click the Free Downloads tab at the top (see Figure 3.1).

Figure 3.1

3. Click OSVDB GUI download (see Figure 3.2), saving the file to the Hackerstorm folder you created. Unzip the files to the folder.
4. Click OSVDB current database download (see Figure 3.2), save the file to the Hackerstorm folder you created, and unzip the files to the folder. Choose Yes to All when prompted about overwriting files.

Figure 3.2

Note: it may take a few minutes for it to load.

5. In the C:\Hackerstorm folder, double-click the START.html file. The home screen of the free OSVDB search screen appears (see Figure 3.3).

Figure 3.3

6. Click the OSVDB Search button at the bottom (see Figure 3.4). Scroll through the vendors on the left, choose Mozilla Organization, and then click the View button.

NOTE: If you receive an error message about potentially unsafe operations within Adobe or Internet Explorer, access the Adobe global security settings for Flash Player and add the Hackerstorm folder you created earlier.

Figure 3.4

7. On the next screen, click View All. Scroll through the listed vulnerabilities, and choose one of them by clicking it. By clicking the Description, Solution, Details, References, and Credits buttons at the bottom of the screen, you can view all sorts of information about a particular vulnerability.

What is CSIRT?

You need to be aware of the agencies and organizations that assist in IR and vulnerability/exploit analysis.

CSIRT (Computer Security Incident Response Team) is the generic term for such a team; www.csirt.org is one such organization. The U.S. national team is US-CERT, operated by DHS (now part of CISA).

CSIRT provides IR service to enable a reliable and trusted single point of contact for reporting computer security incidents worldwide.

It also provides IR services to any user, company, government agency, or organization in partnership with DHS.

Footprinting

Overview

Process of gathering information on computer systems and networks.

First step in information gathering: provides a high-level blueprint of the target system or network.

Gathering as much information as possible, usually easy-to-obtain, readily available information.

Overview

Two important questions:
1. What kind of information am I looking for?
2. How do I go about getting it?

Recon vs. Footprinting

Footprinting:
an effort to map out, at a high level, what the landscape looks like.

Reconnaissance:
overall, over-arching term for gathering information on targets.

Footprinting

Looking for any information that might give you some insight into the target, no matter how big or small.

Important findings include:
high-level network architecture (routers and servers)
applications and websites (public facing?)
physical security measures

Footprinting Types

Footprinting is categorized into two broad types:
1. Passive Footprinting
2. Active Footprinting

Passive Footprinting

Can be undertaken without communicating with the target's machines.

It is all about the publicly accessible information you're gathering.

Passive Footprinting

Methods include, but are not limited to:
1. gathering of competitive intelligence
2. using search engines
3. perusing social media sites
4. dumpster diving
5. gaining network ranges
6. looking up job postings (Career Builder, Monster)

Note: The Computer Fraud and Abuse Act (1986) makes conspiracy to commit hacking a crime.

Wayback Machine

Available at archive.org; keeps snapshots of sites from days gone by, allowing you to go back in time to search for lost information (pages, directories, and contact details since removed from the live site).

Archive.org

Web Mirroring Tools

Copy websites directly to your system, so you can search and analyze the content offline.

Caveat: mirroring is not strictly passive. The tool fetches every page from the target's web server, so the crawl shows up in the server's logs.

Some popular tools include:
HTTrack (www.httrack.com)
Black Widow (http://softbytelabs.com)
WebRipper (www.calluna-software.com)
Teleport Pro (www.tenmax.com)
GNU Wget (www.gnu.org)
Backstreet Browser (http://spadixbd.com)

Passive Footprinting Using Email

You can get great detail from an e-mail.

Well-known technique:
send a bogus e-mail to the target
use the feedback (bounce messages and auto-replies, with the Received: headers they carry) to learn mail server names, software versions and internal host names for future attack vectors

You can also use e-mail tracking tools:
built into e-mail applications
external and third-party apps

Email Header - Example

Sample CEH Question

Identify the address of the true originator.
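The usual way to answer that question is to read the Received: headers from the bottom up, since each mail server prepends its own line as the message passes through it. The script below is an added example, not part of the original slides: it unfolds the headers, extracts the connecting IP from each hop, and shows why the bottom-most line cannot be taken at face value. The message, the host names (example.org/.net, attacker.example) and the addresses (RFC 5737 documentation ranges) are all constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample message. The bottom Received: line was prepended by the
# sender and is forged; the real origin is the host that authenticated (ESMTPA)
# to relay.example.net.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.example.org (Postfix) with ESMTP id 9A1B2C3D;
    Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [192.0.2.20])
    by mx1.example.net with ESMTPS id ABC123;
    Mon, 01 Jan 2024 10:00:03 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by relay.example.net (Postfix) with ESMTPA id XYZ789;
    Mon, 01 Jan 2024 10:00:01 +0000
Received: from totally.legit.example (bogus [203.0.113.99])
    by mail.attacker.example with SMTP; Mon, 01 Jan 2024 09:59:00 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: quarterly numbers

Body text.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server> ..." as written by most MTAs
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<details>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Return the hops in chronological order (earliest first), one dict per Received: header."""
    msg = message_from_string(raw)
    hops = []
    # Each MTA prepends its own Received: line, so header order is newest first.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ips = IPV4_RE.findall(m.group("details") or m.group("helo"))
        hops.append({"helo": m.group("helo"), "ip": ips[0] if ips else None,
                     "by": m.group("by").lower(), "raw": value})
    return hops


def naive_originator(raw):
    """The textbook answer: the 'from' address on the bottom-most Received: line."""
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None


def last_trusted_originator(raw, trusted_suffixes):
    """Earliest hop written by a server we trust; its 'from' IP is the last one we can vouch for.
    Every Received: line below it was already inside the message when it reached us, so the
    sender could have written anything there."""
    for hop in received_hops(raw):
        if any(hop["by"] == s or hop["by"].endswith("." + s) for s in trusted_suffixes):
            return hop
    return None


if __name__ == "__main__":
    print("bottom-most line claims:", naive_originator(SAMPLE_MESSAGE))
    print("trusting only our own MX:",
          last_trusted_originator(SAMPLE_MESSAGE, ["example.org"])["ip"])
    print("also trusting our mail provider:",
          last_trusted_originator(SAMPLE_MESSAGE, ["example.org", "example.net"])["ip"])
```

Run as-is, the bottom line names 203.0.113.99, but that hop was never seen by any server you control. Trusting only your own MX you can vouch for 192.0.2.10 (the peer that handed the mail to you); extending trust to the provider's relays takes you one step further back, to 198.51.100.7. Anything earlier is the sender's word.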

Other Popular Email Tracking Tools

1. Read Notify
2. WhoReadMe
3. MSGTAG
4. Trace Email
5. Zendio

Exercise 2.2
Using MailTracker to Footprint E-mail

Exercise 2.2 Steps
1. Go to www.mailtracking.com and register for an account.
Create an e-mail account on a free provider to use for this test.
2. Log in to www.mailtracking.com.
3. Open your e-mail application and send an e-mail to a friend, appending .mailtracking.com to the end of the address (for example, an address at domain.com becomes the same address at domain.com.mailtracking.com).
4. Go back to mailtracking.com (Refresh Display). The e-mail you sent should appear in the list. After it is opened, you can click the e-mail and review header information and details of its path to the recipient.

Caveat: services like this detect "read" by embedding a remote image (a tracking pixel). Mail clients that block remote images by default never report the open, so the absence of a notice does not mean the mail was not read.

mailtracking.com

Received and Read

Forwarded

Summary

Other Competitive Intelligence Tools

1. Google Alerts
2. Yahoo! Site Explorer
3. SEO for Firefox
4. SpyFu
5. Quarkbase
6. DomainTools.com

Active Footprinting

Requires the attacker to touch the device or the network.

Example: running a scan against an IP you find on the network.

Note: When it comes to the footprinting stage of hacking, the vast majority of your activity will be passive in nature.

Footprinting with DNS

DNS Basics

Domain Name System

Provides a name-to-IP-address (and vice versa) mapping service.

Makes it possible for us to type a name for a resource rather than its address.

Provides a wealth of footprinting information for the ethical hacker, so long as you know how to use it.

Dangers of DNS Query

While DNS records are easy to obtain and generally designed to be freely available, this passive footprinting can still get you in trouble.

David Ritz (computer manager) was held liable in a 2008 North Dakota case for querying a DNS server (among other things, performing a zone transfer against a company's name server).

Was the ruling fair?
One can only speculate.

DNS Port Numbers

Port numbers are always important in discussing anything network-wise.

When it comes to DNS, 53 is your number.

Name Lookups: UDP port 53
Zone Transfers: TCP port 53

Caveat: ordinary lookups also fall back to TCP 53 when an answer is too large for a UDP reply (the server sets the TC bit and the client retries over TCP), so blocking TCP 53 outright to stop zone transfers breaks legitimate resolution. Restrict AXFR on the name server itself instead.

DNS Namespace

The DNS system is made up of servers all over the world.

Each server holds and manages the records for its own little corner of the world, known as a namespace (a zone).

DNS Records

DNS Record:
Gives directions to or for a specific type of resource.
Can provide:
IP addresses for individual systems within your network (A/AAAA records)
addresses for your e-mail servers (MX records)
pointers to other DNS servers (NS records)

The DNS System

DNS Record Types

DNS Zone Transfer

Authoritative (primary) server:
Maintains and manages the DNS records for your namespace; the zone's SOA (Start of Authority) record names it as the primary.
Shares them with your other DNS servers (secondary name servers) so your clients can perform lookups and name resolution.

DNS Zone Transfer

Zone Transfer: the process of replicating all DNS records from the primary to a secondary server is known as a zone transfer (query type AXFR; IXFR for incremental updates).

Administrators need to be very careful about which IP addresses are actually allowed to perform a zone transfer: a server that answers AXFR for anyone hands an attacker the complete host list for the zone in a single query.

Most administrators restrict zone transfers to a small list of secondary name servers inside their network (and, better still, require TSIG-signed requests).

Zone Transfer: Illustrative Example

http://www.ibiblio.org/gdunc/netone/ms_netency/netencyhtml/c0Z613788.htm

Note

When it comes to DNS, it is important to remember that there are two kinds of servers in play:
1. Resolvers (recursive, caching servers), which answer client requests by querying other servers on the client's behalf and caching the answers.
2. Authoritative servers, which hold the records for a given namespace, loaded from an administrative source (the zone file), and answer accordingly.

SOA Record Format

Source Host (MNAME)
Host name of the primary (master) name server for the zone.
Contact Email (RNAME)
E-mail address of the person responsible for the zone file, written as a domain name: the "@" is replaced by a dot, so hostmaster.example.com means hostmaster@example.com.
Serial Number
Revision number of the zone file.
Increments each time the zone file changes; a secondary transfers the zone only when the primary's serial is higher than its own.
Refresh Time
Amount of time a secondary DNS server will wait before asking the primary for updates (comparing serial numbers).

SOA Record

Retry Time
Amount of time a secondary server will wait before retrying if a refresh attempt fails.
Expire Time
Maximum amount of time a secondary server will keep serving the zone without a successful refresh; once it passes, the secondary stops answering authoritatively for the zone.
Minimum TTL
Historically the default TTL for records in the zone; since RFC 2308 it is the negative-caching TTL, i.e. how long resolvers may cache a "no such name" answer.
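The zone-transfer and SOA slides above describe what goes over TCP port 53; the script below is an added example, not from the original slides, that shows it on the wire: it builds the length-prefixed AXFR request a client sends, and decodes the SOA record at the start of the reply into the MNAME/RNAME/serial/refresh/retry/expire/minimum fields just listed. The reply it parses is constructed inline (a single SOA answer for the placeholder zone example.com; every name and timer value is made up for the example), so it runs offline. `axfr_over_tcp` sends the same query to a real server and is only for hosts you are authorized to test; `dig @ns1.example.com example.com AXFR` does the same job from the command line.

```python
import socket
import struct

SOA, AXFR, CLASS_IN = 6, 252, 1


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte, label bytes, ..., terminating 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """AXFR query with the 2-byte length prefix DNS over TCP requires (RFC 1035 4.2.2)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0, QDCOUNT=1
    question = encode_name(zone) + struct.pack("!HH", AXFR, CLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_soa_rdata(msg, offset):
    """Split SOA RDATA into the fields described on the slides."""
    mname, offset = decode_name(msg, offset)  # primary master (source host)
    rname, offset = decode_name(msg, offset)  # responsible mailbox, '@' written as '.'
    serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[offset:offset + 20])
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def parse_response(wire):
    """Parse one length-prefixed DNS/TCP message into header flags and answer records."""
    (length,) = struct.unpack("!H", wire[:2])
    msg = wire[2:2 + length]
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = parse_soa_rdata(msg, offset) if rtype == SOA else msg[offset:offset + rdlen]
        records.append({"owner": owner, "type": rtype, "ttl": ttl, "rdata": rdata})
        offset += rdlen
    # AA (bit 10) means the answering server is authoritative; RCODE 5 means REFUSED,
    # which is what a correctly restricted server returns to an unauthorized AXFR.
    return {"txid": txid, "authoritative": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "records": records}


def sample_axfr_response(zone="example.com.", txid=0x1234):
    """Constructed reply for this example: the SOA record that opens every transfer."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1, ANCOUNT=1
    question = encode_name(zone) + struct.pack("!HH", AXFR, CLASS_IN)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", SOA, CLASS_IN, 3600, len(rdata)) + rdata
    msg = header + question + rr
    return struct.pack("!H", len(msg)) + msg


def axfr_over_tcp(server, zone, timeout=5.0):
    """Send the query to a real name server and parse the first reply message only
    (a full transfer may span several). Use only against systems you are authorized to test."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        prefix = s.recv(2)
        (length,) = struct.unpack("!H", prefix)
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                break
            body += chunk
    return parse_response(prefix + body)


if __name__ == "__main__":
    result = parse_response(sample_axfr_response())
    print("authoritative:", result["authoritative"], "rcode:", result["rcode"])
    print(result["records"][0]["rdata"])
```

The RNAME comes back as a domain name (hostmaster.example.com.), which is why the slide says the contact e-mail has its "@" replaced by a dot. On a properly configured server the same query from an unlisted address returns RCODE 5 (REFUSED) and no records.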

Illustrative Example

1. Attacker poisons the DNS cache, replacing the valid answer for www.securetoday.net with the address of a look-alike site, www.securetodat.net, which he controls.
2. Victim enters the website www.securetoday.net in the browser.
3. Victim's computer queries the poisoned DNS server, and the name resolves to the fake website www.securetodat.net.
4. User, unaware of what happened, thinks he is on the correct website.

http://www.securetoday.net/tag/dns-spoofing/

Exercise 2.3
Demonstrating DNS Attack Results

Exercise Overview

Before the resolver sends a query to a DNS server, it looks, by default, in a file called hosts for a defined entry (on Windows the hosts entries are preloaded into the DNS client cache, so they win over any answer from the network).
We shall use the hosts file built into Windows to demonstrate the result of a DNS poisoning attack.
See how easy it is for a target machine to be redirected to a site it did not intend to go to:
if the entries on the local name server had been changed the same way, the user would see the same results.

Steps
1. Open the browser of your choice and go to www.google.com.
a. The DNS entry for this site is now in your cache.
b. You can view it by typing: ipconfig /displaydns.
c. Type: ipconfig /flushdns to clear all entries.
d. Close your browser.
2. Use Explorer and navigate to: C:\Windows\System32\drivers\etc
3. The path is the same on 64-bit Windows: the drivers\etc folder is exempt from WoW64 file-system redirection, so there is no need to look under C:\Windows\SysWOW64. You will need to run your editor as Administrator to save the file.

Note: the location depends on the OS you are using/targeting; on Linux and macOS it is /etc/hosts.

Steps
4. Open the hosts file in Notepad and save a copy before you begin.
5. In the hosts file, enter 209.191.122.70 www.google.com underneath the last line in the file.
a. The last line will show 127.0.0.1 or ::1, or both.
b. Save the file and exit.
6. Open a new browser session and try to access www.google.com.
a. Your browser displays Yahoo!'s search engine this time.
b. Updating the hosts file provided a pointer to Yahoo!'s address, which preempted the lookup for Google.

Note: Be sure to clear the entry you added to the hosts file. In case something goes wrong, you have a backup that you made earlier.

Caveat: the address given belonged to Yahoo! when the exercise was written; whatever is hosted there today is what you will reach. If the browser uses https://, the certificate the other site presents will not match www.google.com and the browser shows a certificate error instead of the page. That error is exactly the signal a user gets when name resolution has been tampered with.
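The same override the exercise makes by hand is a common malware persistence trick, so it is worth knowing how to spot it. The script below is an added example, not from the original slides: it parses a hosts file (comments, several names per line, IPv6 entries), reproduces the lookup order the exercise relies on, and flags every non-loopback mapping. The hosts text and the DNS answers are constructed for this example; the 209.191.122.70 entry repeats the one the exercise asks you to add.

```python
import ipaddress
import os
import platform

# Constructed sample: the file after the exercise plus one entry an attacker might add.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
209.191.122.70  www.google.com
192.0.2.5       login.example-bank.test example-bank.test   # unexpected
"""

# Constructed stand-in for what a DNS server would answer.
FAKE_DNS_ANSWERS = {"www.google.com": "198.51.100.20", "www.example.org": "198.51.100.10"}


def hosts_path():
    """Where the OS keeps the file (drivers\\etc is the same on 32- and 64-bit Windows)."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every name in a hosts file.
    Strips comments, accepts several names per line and IPv6, skips malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def resolve(name, hosts_text, dns_answers):
    """Lookup order the exercise relies on: a hosts entry wins, DNS is asked only without one."""
    for _, ip, host in parse_hosts(hosts_text):
        if host == name.lower():
            return str(ip), "hosts"
    return dns_answers.get(name.lower()), "dns"


def suspicious_entries(hosts_text, allowed=("localhost",)):
    """Flag non-loopback mappings; a stock Windows hosts file contains nothing else."""
    flagged = []
    for lineno, ip, host in parse_hosts(hosts_text):
        if ip.is_loopback or host in allowed:
            continue
        flagged.append({"line": lineno, "host": host, "ip": str(ip)})
    return flagged


if __name__ == "__main__":
    print(resolve("www.google.com", SAMPLE_HOSTS, FAKE_DNS_ANSWERS))
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print("hosts override:", entry)
    path = hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            print("live file:", suspicious_entries(fh.read()))
```

Ad-blocking host lists map names to 0.0.0.0 on purpose; if your fleet uses them, add those names to `allowed` so the real findings stand out.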

DNS Footprinting Tools

whois
nslookup
dig

ICANN (through IANA) manages the allocation of IP address space and of top-level domains, among a host of other things.

When companies and individuals obtain IP address ranges (from their RIR or ISP) and domain names, they need to make them reachable by the world via DNS.

Domain names are registered through one of any number of domain name registrars worldwide, for example:
www.networksolutions.com
www.godaddy.com
www.register.com

Additionally, five Regional Internet Registries (RIRs) provide overall management of the public IP address space within a given geographic region.
RIRs represent a wealth of information for you in Footprinting.
Visit the RIR's whois service and input a target IP address (or organization name) and you'll get all sorts of information, including:
network range
organization name
name server details
origination dates

Regional Internet Registries (RIRs)

ARIN (American Registry for Internet Numbers)
United States, Canada, and parts of the Caribbean. (Older texts also list South America and sub-Saharan Africa, which now belong to LACNIC and AfriNIC respectively.)

APNIC (Asia-Pacific Network Information Center)
Asia and Pacific

RIPE NCC (Réseaux IP Européens Network Coordination Centre)
Europe, the Middle East, and parts of Central Asia. If you're wondering, the name is French.

LACNIC (Latin America and Caribbean Network Information Center)
Latin America and the Caribbean

AfriNIC (African Network Information Center)
Africa

whois

Same as finding information about a domain from the RIR website.
Originally started in Unix.
Has become ubiquitous in operating systems everywhere.
Queries the domain registries/registrars and the RIRs and returns all sorts of information, including:
domain ownership
addresses (ranges)
locations
phone numbers

Caveat: since 2018 (GDPR) most registrars redact registrant, administrative and technical contact details, so a domain whois often shows only the registrar, creation/expiry dates and name servers. IP-range whois at the RIRs still returns the organization and its abuse contact.

Exercise

Use your favorite search engine and look up whois. You'll get literally millions of hits. Below is what I got.

Your search would have returned www.whois.sc. Open the site and type in mcgraw-hill.com (site for McGraw-Hill publisher).

Notice the administrative, technical, and registrant contact information displayed, and how nicely McGraw-Hill ensured they were listed as a business name instead of an individual.

Notice the three main DNS servers for the namespace listed at the bottom.