Introduction
Gathering passive information is known as Footprinting and is part of the Reconnaissance phase
of the attack.
Footprinting happens every day. It is common practice for businesses to gather intelligence about their competitors,
and businesses also hire outside firms to footprint them, to learn what they expose to the outside world and what
picture an observer can build of them.
Information Gathering
Initial Information
The first step in footprinting the TOE (Target of Evaluation) is to map its public footprint. This can be done with a
wide range of public resources such as Internet searches, social networking sites and business registries. The
attacker's goal in this step is to learn as much about the target as possible.
At this stage the value of any single item is not the point; the goal is simply to gather all the information that is
available about the intended target. Once it is collected, the attacker sorts through it and decides what is and is
not useful for the attack.
The Network Range
The attacker needs to find out how the target can be reached from outside. A whois lookup on the target's domain, and
on the IP blocks it uses, can reveal its address ranges and contacts. A misconfigured zone may give up internal
records, either through an unrestricted zone transfer (AXFR) or, for DNSSEC-signed zones using NSEC, through zone
walking. Traceroutes to the target may reveal additional information about the path and the devices along it.
Finding Active Machines
Once the IP ranges have been determined, the attacker wants to find out which hosts are reachable and responsive.
Hosts on the internal network, domain-joined workstations for example, normally carry private RFC 1918 addresses
and are not directly reachable from the Internet, so only the public ranges are swept from outside. The attacker is
careful not to touch, let alone exploit, any host that is not part of the target unless the information gathered
shows a connection between that host and the target.
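Before the host sweep, the ranges from the whois reply have to be turned into a target list and checked against the authorised scope. The following added example (not part of the original page) does that in Python: it pulls NetRange/inetnum lines out of a constructed whois reply, converts them to CIDR blocks, and keeps only hosts inside the networks the tester has been authorised to touch, dropping RFC 1918 addresses that cannot be reached from outside anyway. The whois text, the names in it and the scope list are all constructed for the example.

```python
"""Turn the network ranges from a whois reply into scan targets and keep the
list inside the authorised scope."""
import ipaddress
import re

# Constructed sample of the network-block part of a whois reply (ARIN-style
# NetRange and RIPE-style inetnum lines). Names and numbers are made up and
# use the RFC 5737 documentation ranges.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
OrgName:        Example Corp

inetnum:        198.51.100.0 - 198.51.100.63
netname:        EXAMPLE-DMZ
"""

_RANGE_RE = re.compile(
    r"^(?:NetRange|inetnum):\s*([\d.]+)\s*-\s*([\d.]+)",
    re.IGNORECASE | re.MULTILINE,
)

# RFC 1918 ranges: internal addresses an Internet-side attacker cannot reach
# directly, so they never belong on an external target list.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ranges_from_whois(text):
    """Networks (ip_network objects) covered by every NetRange/inetnum line;
    a range that is not CIDR-aligned is split into several blocks."""
    nets = []
    for start, end in _RANGE_RE.findall(text):
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def in_scope(addr, scope):
    """True only when addr is inside an authorised network (scope is a list
    of CIDR strings) and is not an RFC 1918 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return False
    return any(ip in ipaddress.ip_network(s) for s in scope)


def targets(text, scope):
    """Host addresses from the whois ranges that pass the scope check, as
    strings, ready for a host-discovery sweep."""
    return [
        str(h)
        for net in ranges_from_whois(text)
        for h in net.hosts()
        if in_scope(h, scope)
    ]


if __name__ == "__main__":
    for net in ranges_from_whois(SAMPLE_WHOIS):
        print("found block", net)
    hosts = targets(SAMPLE_WHOIS, scope=["203.0.113.0/24"])
    print(len(hosts), "hosts in scope, first", hosts[0], "last", hosts[-1])
```

The second block in the sample (198.51.100.0/26) is deliberately left out of the scope list in the usage above, so its 62 hosts never reach the sweep; adding it to the scope list brings them in.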
Finding Open Ports and Access Points
Once responsive hosts are found, the attacker looks for ways in.
Traceroutes to the target often show where the firewalls sit: the hop at which responses stop or change is usually a
filtering device. Those filters also shape the results of any port scan, so a port that looks closed or filtered from
one vantage point may be open from another.
What the attacker wants to know is which ports are open and which of them are reachable from the point where the scan
is run. If a host cannot be reached, it may be necessary to obtain a better network position first.
Finding the Operating System
Clues in the list of accessible ports, and in how the host responds to probes, indicate which operating system is
running on the target's hosts.
This step is valuable because knowing the operating system narrows down which software, and therefore which
vulnerabilities, to look for. For example, if port 80 is open and serving HTTP and the operating system is Linux, the
software speaking HTTP is most likely Apache; that is a working assumption to be confirmed in the next step, not a
conclusion.
Finding Running Services on Ports
After determining the OS, this is the next step. Services are not tied to particular ports; an administrator can run a
service on any port they wish. Verifying the services on ports involves both making sure the expected service is
actually there and identifying what is listening on less well known ports.
An attacker may connect to a port with Telnet (or netcat) and press 'Enter' a couple of times. Sometimes this produces
nothing, so they try a slash or another special character to provoke a response. The response may turn out to come
from a honeypot, in which case the attacker leaves immediately.
The most common way to determine whether the service on an accessible port is the expected one is known as banner
grabbing: reading the greeting or error text the service sends. The banner often names the software and its version,
which also helps in determining the operating system. Administrators can edit or strip banners, so a banner is a
clue to be confirmed, not proof.
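Both the OS clue and the service check described above come down to reading banners. The added Python example below (not from the original page) grabs a banner the way the text describes, waiting for a greeting and sending a "press Enter" probe if nothing arrives, then maps the banner to a service, a product string and an OS hint. The banners it is run over are constructed, and the matching rules and OS keywords are the example's own assumptions.

```python
"""Grab a service banner from an open port and read service and OS clues out
of it. The parsing part runs offline on the constructed banners below."""
import re
import socket

# What a client would send to make a silent service answer; "\r\n\r\n" is
# the "press Enter a couple of times" probe from the text.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"
ENTER_PROBE = b"\r\n\r\n"


def grab_banner(host, port, probe=ENTER_PROBE, timeout=3.0):
    """Connect, wait briefly for a greeting (SSH, FTP and SMTP talk first),
    otherwise send the probe, and return whatever came back as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        try:
            data = s.recv(1024)
        except socket.timeout:
            pass
        if not data:
            s.sendall(probe)
            try:
                data = s.recv(4096)
            except socket.timeout:
                pass
    return data.decode("latin-1")


# (service, pattern); group 1 is the product string when the rule matches.
# SMTP is tried before FTP because both greet with a 220 code.
RULES = [
    ("ssh",  re.compile(r"^SSH-\d\.\d-(\S+)")),
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}.*?\r?\nServer:[ \t]*([^\r\n]+)", re.S | re.I)),
    ("smtp", re.compile(r"^220[ -]\S+ E?SMTP\s*([^\r\n]*)", re.I)),
    ("ftp",  re.compile(r"^220[ -]([^\r\n]+)")),
]

# Substrings that leak the platform. Banners can be edited, so the result
# is a hint to confirm with other evidence, not a fact.
OS_HINTS = [
    ("Ubuntu", "Ubuntu Linux"), ("Debian", "Debian Linux"), ("CentOS", "CentOS Linux"),
    ("Red Hat", "Red Hat Linux"), ("FreeBSD", "FreeBSD"),
    ("Microsoft-IIS", "Windows"), ("Win32", "Windows"), ("Win64", "Windows"),
]


def identify(banner):
    """Map a raw banner to {'service', 'product', 'os'}; fields that cannot
    be read from the banner are 'unknown' rather than a guess."""
    service, product = "unknown", "unknown"
    for name, pattern in RULES:
        m = pattern.search(banner)
        if m:
            service, product = name, (m.group(1).strip() or "unknown")
            break
    os_guess = next((label for key, label in OS_HINTS if key in banner), "unknown")
    return {"service": service, "product": product, "os": os_guess}


# Constructed banners standing in for what grab_banner() would return.
SAMPLE_BANNERS = {
    22:   "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    25:   "220 mail.example.com ESMTP Postfix (Debian/GNU)\r\n",
    21:   "220 (vsFTPd 3.0.3)\r\n",
    80:   "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
    8080: "HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/10.0\r\n\r\n",
    3333: "hello?\r\n",
}


def survey(banners):
    """Run identify() over a {port: banner} map, e.g. one built by calling
    grab_banner() for each open port."""
    return {port: identify(b) for port, b in banners.items()}


if __name__ == "__main__":
    for port, info in sorted(survey(SAMPLE_BANNERS).items()):
        print(port, info)
```

Port 3333 in the sample stays "unknown" on every field: that is the case the text describes, where the attacker has to try other probes (or decide it is a honeypot and leave) rather than let the tool guess.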
Mapping the Network
The attacker now takes all the information gathered and organizes it: it is documented, diagrams are drawn, lists
are made and notes are put in order.
DNS and Regional Internet Registrars
When a domain is registered, a record of the owner and their contact information is kept. Under ICANN's (Internet
Corporation for Assigned Names and Numbers) agreements with registrars, registrants must supply accurate contact
information, and a domain registered with knowingly incorrect information can be suspended or cancelled.
The whois record therefore contains contact information about the company that an attacker can use to their benefit.
Since 2018 many registrars redact personal contact details from public whois output, so the record may show only an
organisation name and a proxy or registrar contact; the name servers and registration dates are still visible.
Using Whois
Whois is somewhat like the "white pages" of the Internet. When a domain is registered, the owner's information is kept
on record.
The zone file is a separate thing: a text file containing the resource records that say how to reach the hosts within
a domain. The whois record does not contain the zone file. What it gives the attacker is the list of "Name Server"
(NS) entries, i.e. the servers that hold the zone and can be queried for its records, together with the registrant and
contact details.
The SOA
The Start of Authority (SOA) record is the best place to obtain information about how a domain is run. Here is an
example in zone-file syntax and what the fields mean. The mailbox field (hostmaster.lab.com.) is mandatory in a real
SOA record and is assumed here; the other values are those of the example.

    example.com.  IN  SOA  ns.lab.com. hostmaster.lab.com. (
            210158752   ; serial
            485922      ; refresh
            5625        ; retry
            2158744     ; expire
            6350 )      ; minimum TTL

ns.lab.com. - the primary name server for the zone (MNAME)
hostmaster.lab.com. - the responsible mailbox (RNAME); the first dot stands for @, so hostmaster@lab.com
210158752 - the serial number
485922 - the refresh interval, in seconds
5625 - the retry interval, in seconds
2158744 - the expiry time, in seconds
6350 - the minimum TTL, in seconds, used today as the negative-caching TTL
The serial number increases every time the zone is updated; many administrators use the YYYYMMDDnn convention, which
also tells an observer when the zone last changed. Secondary servers compare the serial with their copy to decide
whether a transfer is needed. The primary is where the zone file is edited, so an attacker who compromises the primary
controls the records that every secondary then pulls.
The refresh interval is how often a secondary checks the primary for an update.
The retry interval is how long a secondary waits before trying again when the primary did not answer its last refresh
attempt.
The expiry time is how long a secondary will tolerate not hearing from the primary before it stops answering for the
zone.
The minimum TTL is how long other resolvers should cache a "no such record" answer for this zone. The time positive
records stay cached is set by each record's own TTL, not by this field.
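An added example (not from the original page) that parses an SOA record in the form it appears in a zone file or in a dig answer and translates the timers into the facts above, plus a sanity check on their relationships. The first record uses the page's numbers, with the mailbox field hostmaster.lab.com. assumed; the second, single-line record with a date-style serial is constructed.

```python
"""Parse an SOA record and explain what its timers mean for someone watching
the zone from outside."""
import re

# Constructed SOA in zone-file syntax with the page's numbers. The mailbox
# field hostmaster.lab.com. is assumed (the field is mandatory).
SAMPLE_SOA = """\
example.com.  IN  SOA  ns.lab.com. hostmaster.lab.com. (
        210158752   ; serial
        485922      ; refresh
        5625        ; retry
        2158744     ; expire
        6350 )      ; minimum / negative-caching TTL
"""

# Constructed single-line form (as dig prints it) with a date-style serial.
SAMPLE_SOA_DATED = ("corp.example. 300 IN SOA ns1.corp.example. admin.corp.example. "
                    "2024031502 3600 900 1209600 300")

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(token):
    """Zone files may write timers as 1h30m or 2w; return plain seconds."""
    if token.isdigit():
        return int(token)
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", token.lower()))


def parse_soa(text):
    """Strip ';' comments and parentheses, then read the fields positionally
    from the SOA keyword onward. Works for one-line and multi-line records."""
    flat = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = flat.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    rname = tokens[i + 2].rstrip(".").replace(".", "@", 1)   # hostmaster.lab.com. -> hostmaster@lab.com
    serial, refresh, retry, expire, minimum = tokens[i + 3:i + 8]
    return {
        "owner": tokens[0], "mname": tokens[i + 1], "rname": rname, "serial": int(serial),
        "refresh": to_seconds(refresh), "retry": to_seconds(retry),
        "expire": to_seconds(expire), "minimum": to_seconds(minimum),
    }


def check(soa):
    """Timer relationships a sane zone keeps; anything returned is a finding."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry is not shorter than refresh")
    if soa["expire"] <= soa["refresh"]:
        problems.append("expire is not longer than refresh; secondaries drop the zone after one missed poll")
    return problems


def describe(soa):
    """The operational facts a recon note should carry."""
    def days(seconds):
        return round(seconds / 86400, 1)
    notes = [
        f"primary (where the zone is edited): {soa['mname']}",
        f"zone contact: {soa['rname']}",
        f"secondaries poll the primary every {days(soa['refresh'])} days "
        f"and retry {soa['retry']} s after a failed poll",
        f"if the primary goes silent, secondaries keep answering for {days(soa['expire'])} days",
        f"'no such name' answers are cached for {soa['minimum']} s",
    ]
    s = str(soa["serial"])
    if len(s) == 10 and 1990 <= int(s[:4]) <= 2099 and 1 <= int(s[4:6]) <= 12 and 1 <= int(s[6:8]) <= 31:
        notes.append(f"serial is date-formatted: zone last changed around {s[:4]}-{s[4:6]}-{s[6:8]}")
    else:
        notes.append("serial is a plain counter; it does not reveal when the zone last changed")
    return notes


if __name__ == "__main__":
    for sample in (SAMPLE_SOA, SAMPLE_SOA_DATED):
        soa = parse_soa(sample)
        print(soa["owner"], check(soa) or "timers look sane")
        for line in describe(soa):
            print("  -", line)
```

The date check on the serial is a heuristic: a plain counter that happens to have ten digits starting with a plausible year would also pass, so treat the "last changed" date as a lead, not a fact.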
How Attackers View DNS
Every registered host in a domain is represented by a resource record in the zone file. When a client application
such as a browser needs DNS information to complete a connection, it calls the system resolver.
The resolver first looks in two local places: the hosts file and its own cache. The hosts file holds static
name-to-address mappings, and because it is consulted before any DNS query is sent, attackers targeting clients often
go after it; rewriting the hosts file is a common malware technique. The other local technique is cache poisoning: the
resolver remembers answers for a limited time, and what it remembers can be wrong if it accepts records it did not
ask for. Modern resolvers discard such out-of-bailiwick records and randomise source ports and transaction IDs, which
makes poisoning much harder than it once was, but not impossible.
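An added example (not from the original page) of checking a hosts file for the kind of tampering described above. It parses a constructed hosts file and flags watched names that have been redirected to an outside address or pinned to loopback so that the real service (an update server, say) silently fails; the watched-domain list is an assumption for the example and would come from the real environment.

```python
"""Audit a hosts file for the entries malware leaves behind: watched names
pointed at an outside address, or pinned to loopback so updates fail."""
import ipaddress

# Constructed hosts file: the first two lines are normal, the rest are the
# patterns malware writes (addresses from the RFC 5737 documentation range).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost

# added by 'update'
203.0.113.45   www.bank.example login.bank.example
127.0.0.1      update.antivirus.example
0.0.0.0        ads.tracker.example
"""

# Domains a client has no legitimate reason to override locally. This list
# is an assumption for the example; build it from the real environment.
WATCH_DOMAINS = {"bank.example", "antivirus.example"}

# RFC 1918 ranges; a hosts entry pointing at one of these is a LAN override,
# not a redirect to the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip):
    """Loopback, unspecified (0.0.0.0 sinkhole), link-local or private address."""
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or any(ip in n for n in RFC1918)


def watched(name, watch):
    """True when name is one of the watched domains or a host under one."""
    return any(name == d or name.endswith("." + d) for d in watch)


def audit_hosts(text, watch=WATCH_DOMAINS):
    """Return (kind, name, address) findings. kinds: redirect (watched name
    sent elsewhere), sinkhole (watched name pinned locally so it fails),
    public_override (any name mapped to an Internet address), malformed."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("malformed", line, None))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if watched(name, watch):
                findings.append(("sinkhole" if is_local(ip) else "redirect", name, str(ip)))
            elif not is_local(ip):
                findings.append(("public_override", name, str(ip)))
    return findings


if __name__ == "__main__":
    for kind, name, addr in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:16} {name:28} {addr}")
```

The 0.0.0.0 entry for ads.tracker.example produces no finding: pinning unwanted names to an unspecified address is a legitimate and common use of the hosts file, which is why the check only treats sinkholing as suspicious for names on the watch list.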
If the resolver cannot find an answer locally, it must ask a DNS server. If that server has the answer, because it is
authoritative for the zone or has the record cached, it responds and that is the end of it. If not, the server needs
help, and there are two ways help can be obtained. In a recursive query, the client asks one server and that server
takes on the whole job of finding the answer before replying. In an iterative query, a server that does not know the
answer replies with a referral to servers closer to the answer, and the asker follows it: to find www.example.com, the
resolving server starts at one of the 13 root server addresses, is referred to the .com servers, is then referred to
example.com's name servers, and finally gets the answer from one of them. In practice a client's stub resolver sends a
recursive query to a resolving server, and that server does the iterative walk from the top down on its behalf.
An attacker who wants to attack a network through DNS often goes for the resolver cache, because one poisoned
resolver misdirects every client that uses it. Zone transfer information is valuable to the attacker because it can
save days of work: a full zone transfer hands over every host record at once. Most DNS servers restrict zone
transfers to their own secondaries, but it costs nothing to try.
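Trying a zone transfer is cheap, and looking at the bytes shows what the server's answer means. The added Python example below (not from the original page) builds an AXFR query in DNS wire format, frames it for TCP, and parses the records that come back, stopping at the second SOA as the protocol requires; a non-zero rcode such as 5 (REFUSED) raises instead of returning records. The sample response, the zone contents and the server names in it are constructed, and the SOA numbers are those of the example above.

```python
"""AXFR (zone transfer) request and reply parsing in raw DNS wire format over TCP."""
import socket
import struct

QTYPE_AXFR = 252
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 28: "AAAA"}

def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00'"""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Header (QR=0, opcode 0, RD=0, one question) followed by the AXFR question."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)

def read_name(msg, off):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier name
            if not jumped:
                end, jumped = off + 2, True           # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def parse_message(msg):
    """Return (rcode, [(owner, type, ttl, rdata_text), ...]) for the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                          # skip the echoed question
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        text = msg[off:off + rdlen].hex()             # default for types not decoded below
        if rtype == 1 and rdlen == 4:
            text = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5):
            text = read_name(msg, off)[0]
        elif rtype == 6:
            mname, p = read_name(msg, off)
            rname, p = read_name(msg, p)
            text = f"{mname} {rname} serial={struct.unpack('!I', msg[p:p + 4])[0]}"
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, text))
        off += rdlen
    return flags & 0xF, records

def collect_transfer(messages):
    """An AXFR starts and ends with the zone's SOA, so stop at the second one."""
    records, soa_seen = [], 0
    for msg in messages:
        rcode, rrs = parse_message(msg)
        if rcode != 0:                                # 5 = REFUSED, the usual result
            raise PermissionError(f"AXFR failed, rcode {rcode}{' (refused)' if rcode == 5 else ''}")
        for rr in rrs:
            records.append(rr)
            soa_seen += rr[1] == "SOA"
            if soa_seen == 2:
                return records
    raise ConnectionError("transfer ended before the closing SOA")

def axfr(server, zone, timeout=5.0):
    """Try a zone transfer from a name server over 53/tcp."""
    def exact(sock, n):                               # read exactly n bytes or fail
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf
    with socket.create_connection((server, 53), timeout=timeout) as s:
        query = build_axfr_query(zone)
        s.sendall(struct.pack("!H", len(query)) + query)
        # iter(fn, None) keeps pulling length-prefixed messages until collect_transfer returns
        return collect_transfer(iter(lambda: exact(s, struct.unpack("!H", exact(s, 2))[0]), None))

def sample_axfr_response():
    """Constructed reply for example.com: SOA, one A record (owner via a compression pointer), closing SOA."""
    question = encode_name("example.com.") + struct.pack("!HH", QTYPE_AXFR, 1)
    zone_ptr = b"\xC0\x0C"                            # pointer to offset 12, the question name
    soa_rdata = (encode_name("ns.lab.com.") + encode_name("hostmaster.lab.com.")
                 + struct.pack("!IIIII", 210158752, 485922, 5625, 2158744, 6350))
    soa = zone_ptr + struct.pack("!HHIH", 6, 1, 3600, len(soa_rdata)) + soa_rdata
    a = b"\x03www" + zone_ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)   # QR=1, AA=1, rcode 0
    return header + question + soa + a + soa
```

Against a real server the call is axfr("ns.lab.com", "example.com."); a server that restricts transfers answers with rcode 5 and the call raises PermissionError, which is the expected outcome on most targets. The same parser also reads ordinary query replies, so it is reusable for the NS and SOA lookups earlier in the process.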