Gathering passive information is known as Footprinting and is part of the Reconnaissance phase of the attack.

Footprinting is something that occurs every day. It is common practice among businesses to gain intelligence information about their competition. Businesses will also hire outside firms to footprint their own firm to discover what type of reputation they are displaying.

Information Gathering

Initial Information

The first steps of footprinting the TOE (Target of Evaluation) is to gain information about their footprint. This can be accomplished with a wide range of public resources such as Internet searches, social engineering sites and business lookups. For the attacker, the goal is to learn as much as they can about their target in this step.

It is important to note that the importance of the data collected is the goal. The goal itself is to merely gather as much information available about the intended target. Once the information is gathered, the attacker can then sort through the information determining what may or may not be of importance and useful in the attack.

The Network Range

The attacker needs to find out what the external access to the target is. Running a whois in the target's domain might may reveal some important information about the target. Zone walking may unveils internal records if zone is not configured properly. Running traceroutes might reveal additional information.

Finding Active Machines

After the range of IP addresses have been determined, the attacker will want to find out what hosts are reachable and responsive. Domain joined hosts will have either a Class B or Class C address. The attacker will be careful not to exploit any host vulnerability that is not a target unless information gathered reveals there is a connection between this host and the target.

Finding Open Ports and Access Points

Once any responsive hosts are found, the attacker will search out any options for access.

Traceroutes the attacker can make should show where most of the firewalls are located. Traffic filters will affect any results of any port scan made.

What the attacker is looking for are what ports are open and which ones are reachable from the point of the scan. If the host is not reachable, it might be necessary to gain access to a better network position to gain access.

Finding the Operation System

From the list of accessible ports it can be determined by clues found as to what the operation system is running on the target's hosts.

This step is valuable as it would make no sense to scan a host not knowing what operating system that host was running. For example, if an open port 80 is a web service, and the operation system is Linux, then the software running the HTTP protocol most likely is going to be Apache.

Finding Running Services on Ports

After determining the OS, this will be the next step taken. Services are not restricted to a particular port as services can be on any port the administrator wishes them to be. Verifying the services on ports involves both making sure the expected service is actually there and identifying what is listening on less known ports.

An attacker may Telnet into a port and press 'Enter' a couple of times. Sometimes this may result in nothing. They may enter a slash or some other special character. This may get some response, perhaps an interaction with a honey-pot. If it is a honey-pot, the attacker will leave immediately.

The most common way to determine if a service on an accessible port is actually expected is known as Banner Grabbing. This often reveals information about the service which can help in determining the operating system as well.

Mapping the Network

The attacker will now take all of the information gathered and then organizes it. It is documented, diagrams are drawn, lists are made and notes organized.

DNS and Regional Internet Registrars

A record is kept when a domain is purchased of the owner and their contact information. It is a violation of the ICANN (Internet Corporation of Assigned Names and Numbers) TOS to have incorrect information in this directory. If discovered,forfeiture of the domain could occur.

The whois record contains important contact information about the company and an attacker can use this information to their benefit.

Using Whois

Whois is somewhat like the "white pages" of the Internet. When a domain is purchased, the owner of the domain's information is kept on record.

The zone file is a text file containing informational records about how to contact hosts within a domain. To find this information, look for the "NS record" within the whois document. This represents the "Name Server" for the zone, the IP address and contact persons.


The Start of Authority (SOA) is the best place to obtain information about a domain. Here is an example and what the fields mean. IN SOA (210158752 485922 5625 2158744 6350

210158752 - the serial number
485922 - the refresh rate
5625 - the retry timer
2158744 - the expiry timer
6350 - the time to live in cache

The serial number increments by one every time the zone is updated. The secondary DNS server checks the serial number to see if an update is needed. The attacker can compromise the primary server because this is where the zone file is always managed.

The refresh time is how often the secondary looks for an update.

The retry timer is how often the secondary will wait for an update providing the primary did not respond to the last response.

The expiry timer is how long the secondary server will tolorate not hearing from the primary before it considers the zone to be dead.

The time to live is the amount of time this record should remain in the cache of other servers that remember these records.

How Attackers View DNS

Every registered host in a domain is represented by an information record in a zone file. A client application like a browser has the ability to call a resolver when it needs the necessary DNS information to complete the connection.

The resolver already knows the information it needs is located in one of two places, the host file or in the cache. In the host file, static entries of hosts names and IP address mappings are kept. An attacker that target the clients often require the host file because it is the first place the resolver will search.

Rewriting the host file is a common technique used by malware. Another technique used is to poison the cache. The resolver will learn information and keep it in memory for a short period of time, however what it remembers can be incorrect if given information that it didn't ask for.

If the resolver cannot find an answer locally, it much reach out to a DNS server. If the local server has the answer and responds back, fine. If not, the server needs to request help.

There are two ways help can be obtained. One is called recursive query. This is where the resolver asks one server and if unknown asks another server, and if unknown asks another server and so on. The second method is the iterative query. If the resolver wants to know how to reach the domain, it will ask from the top down starting from one of the 13 root servers that run the DNS worldwide.

If an attacker wants to attack a network, they usually poison the DNS cache as this is the most direct way to harm the system. Zone transfer information is valuable to the attacker because it save them days or more of work. Most DNS servers are not vulnerable to entire zone transfers but it is easy to try.