Footprinting and R econnaissance Module 02
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Footprinting and R econnaissance Module 02
Ethical Hacking and Countermeasures v8 M o d u l e 02: Foot prin ting and Reconnaissance Exam 31 2- 50
Module 02 Page 92
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Security News ABOUT US
PRODUCTS
N EW S
F aceb o o k a 'tre a s u re tro v e' o f P erso n ally Id e n tifia b le In fo rm ation
April 1a 2012
Facebook contains a "treasure trove" of personally identifiable information that hackers manage to get their hands on. A report by Imperva revealed that users' "general personal information" can often include a date of birth, home address and sometimes mother's maiden name, allowing hackers to access this and other websites and applications and create targeted spearphishing campaigns. It detailed a concept I call "friend-mapping", where an attacker can get further knowledge of a user’s circle of friends; having accessed their account and posing as a trusted friend, they can cause mayhem. This can include requesting the transfer of funds and extortion. Asked why Facebook is so important to hackers, Imperva senior security strategist Noa Bar-Yosef said: "People also add work friends on Facebook so a team leader can be identified and this can lead to corporate data being accessed, project work being discussed openly, while geo-location data can be detailed for military intelligence." "Hacktivism made up 58 per cent of attacks in the Verizon Data Breach Intelligence Report, and they are going after information on Facebook that can be used to humiliate a person. All types of attackers have their own techniques."
http://www.scmogazineuk.com
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
״
am ps
uii
Security ״־N ew s Facebook a ,treasure trove״of Personally Identifiable Information
Source: http://www.scmagazineuk.com Facebook contains a "treasure trove" of personally identifiable information that hackers manage to get their hands on. A report by Imperva revealed that users' "general personal information" can often include a date of birth, home address and sometimes mother's maiden name, allowing hackers to access this and other websites and applications and create targeted spearphishing campaigns. It detailed a concept I call "friend-mapping", where an attacker can get further knowledge of a user's circle of friends; having accessed their account and posing as a trusted friend, they can cause mayhem. This can include requesting the transfer of funds and extortion. Asked why Facebook is so important to hackers, Imperva senior security strategist Noa BarYosef said: ״People also add work friends on Facebook so a team leader can be identified and this can lead to corporate data being accessed, project work being discussed openly, while geolocation data can be detailed for military intelligence."
Module 02 Page 93
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
"Hacktivism made up 58 per cent of attacks in the Verizon Data Breach Intelligence Report, and they are going after information on Facebook that can be used to humiliate a person. All types of attackers have their own techniques." On how attackers get a password in the first place, Imperva claimed that different keyloggers are used, while phishing kits that create a fake Facebook login page have been seen, and a more primitive method is a brute force attack, where the attacker repeatedly attempts to guess the user's password. In more extreme cases, a Facebook adm inistrators rights can be accessed. Although it said that this requires more effort on the hacker side and is not as prevalent, it is the "holy grail" of attacks as it provides the hacker with data on all users. On protection, Bar-Yosef said the roll-out of SSL across the whole website, rather than just at the login page, was effective, but users still needed to opt into this.
By Dan Raywood http://www.scmagazine.com.au/Feature/265065,digitial-investigations-have-matured.aspx
Module 02 Page 94
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
M odule O bjectives J
Footprinting Terminology
J
WHOIS Footprinting
J
W hat Is Footprinting?
J
DNS Footprinting
J
Objectives of Footprinting
J
Network Footprinting
J
Footprinting Threats
J
Footprinting through Social Engineering
J
J
Website Footprinting
Footprinting through Social Networking Sites
W J
Email Footprinting
J
Footprinting Tools
J
Competitive Intelligence
J
Footprinting Countermeasures
J
Footprinting Using Google
J
Footprinting Pen Testing
CEH
Copyright © by EC-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
t t t f
M odule O bjectives This module will make you familiarize with the following: e
Footprinting Terminologies
©
WHOIS Footprinting
e
W hat Is Footprinting?
©
DNS Footprinting
©
Objectives of Footprinting
©
Network Footprinting
©
Footprinting Threats
©
Footprinting through Social
e
Footprinting through Search Engines
©
Website Footprinting
©
Email Footprinting
©
Footprinting Tools
©
Competitive Intelligence
©
Footprinting Countermeasures
©
Footprinting Using Google
©
Footprinting Pen Testing
Engineering
Module 02 Page 95
©
Footprinting through Social Networking Sites
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
M odule Flow Ethical hacking is legal hacking conducted by a penetration tester in order to evaluate the security of an IT infrastructure with the permission of an organization. The concept of ethical hacking cannot be explained or cannot be performed in a single step; therefore, it has been divided into several steps. Footprinting is the first step in ethical hacking, where an attacker tries to gather information about a target. To help you better understand footprinting, it has been distributed into various sections:
Xj
C
J
Module 02 Page 96
Footprinting Concepts
[|EJ
Footprinting Tools
Footprinting Threats
FootP rint'ng Countermeasures
Footprinting Methodology
Footprinting Penetration Testing
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
The Footprinting Concepts section familiarizes you with footprinting, footprinting terminology, why footprinting is necessary, and the objectives of footprinting.
Module 02 Page 97
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Footprinting Term inology Open Source or Passive Information Gathering
CEH
Active Information Gathering
Collect information about a target from the publicly accessible sources
Gather information through social engineering on-site visits, interviews, and questionnaires
Anonymous Footprinting
Pseudonymous Footprinting
Gather information from sources where the author of the information cannot
Collect information that might be published under a different name in
be identified or traced
an attempt to preserve privacy
Organizational or Private Footprinting
Internet Footprinting
Collect information from an organization's web-based calendar and email services
Collect information about a target from the Internet
Copyright © by EC-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
00 ooo —
00
Footprinting Term inology
־
Before going deep into the concept, it is important to know the basic terminology used in footprinting. These terms help you understand the concept of footprinting and its structures.
!,n'nVn'nVI
Open Source or P assive Information G athering Open source or passive information gathering is the easiest way to collect information
about the target organization. It refers to the process of gathering information from the open sources, i.e., publicly available sources. This requires no direct contact with the target organization. Open sources may include newspapers, television, social networking sites, blogs, etc. Using these, you can gather information such as network boundaries, IP address reachable via the Internet, operating systems, web server software used by the target network, TCP and UDP services in each system, access control mechanisms, system architecture, intrusion detection systems, and so on.
Active Information Gathering In active information gathering, process attackers mainly focus on the employees of
Module 02 Page 98
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
the target organization. Attackers try to extract information from the employees by conducting social engineering: on-site visits, interviews, questionnaires, etc.
Anonym ous Footprinting This refers to the process of collecting information from sources anonymously so that your efforts cannot be traced back to you.
ftista Sira Laamra Inrcr Cirflg
W a l Street Journal BEIRUT—Syrian rebels pierced the innermost circle 01 President Bashar a -Assads regime wKh a bomb blast that kiled thiee high-lewl officials and raised questions about the aMity of the courftry's security forces to sustain the embattled government Syna
w ii st^«! a—<
FIGURE 2.13: Google Alert services screenshot
Yahoo!
Alerts
is available
at
http://alerts.yahoo.com
and
Giga
Alert
is available
at
http://www.gigaalert.com: these are two more examples of alert services.
Module 02 Page 135
Ethical Hacking and Countermeasures Copyright © by EC-COlMCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Footprinting M ethodology
Footprinting through Search
CEH
W H O IS Footprinting
Engines Website Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting
Competitive Intelligence
Footprinting through Social Engineering
Footprinting using Google
Footprinting through Social Networking Sites
Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology So far, we have discussed the first step of footprinting methodology, i.e., footprinting via search engines. Now we will discuss website footprinting. An organization's website is a first place where you can get sensitive information such as names and contact details of chief persons in the company, upcoming project details, and so on. This section covers the website footprinting concept, mirroring websites, the tools used for mirroring, and monitoring web updates.
Module 02 Page 136
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
W e b site F o o tp rin tin g
C EH
Information obtained from target's website enables an attacker to build a detailed m ap of w ebsite's structure and architecture
Browsing the target website may provide: -
Software used and its version
t
Operating system used
t:
Sub-directories and parameters
t
Filename, path, database field name, or query
-
Scripting platform Contact details and CMS details
Use Zaproxy, Burp Suite, Firebug, etc. to view headers that provide: w Connection status and content-type ~
Accept-Ranges
-
Last-Modified information
t;
X-Powered-By information Web server in use and its version
W ebsite Footprinting It is possible for an attacker to build a detailed map of a website's structure and architecture without IDS being triggered or without raising any sys admin suspicions. It can be accomplished either with the help of sophisticated footprinting tools or just with the basic tools that come along with the operating system, such as telnet and a browser. Using the Netcraft tool you can gather website information such as IP address, registered name and address of the domain owner, domain name, host of the site, OS details, etc. But this tool may not give all these details for every site. In such cases, you should browse the target website. Browsing the target website will provide you with the following information: Q
Software used and its version: You can find not only the software in use but also the version easily on the off-the-shelf software-based website.
Q
Operating system used: Usually the operating system can also be determined.
9
Sub-directories and parameters: You can reveal the sub-directories and parameters by making a note of all the URLs while browsing the target website.
Module 02 Page 137
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Filename, path, database field name, or query: You should analyze anything after a query that looks like a filename, path, database field name, or query carefully to check whether it offers opportunities for SQL injection. - יScripting platform: With the help of the script filename extensions such as .php, .asp, .jsp, etc. you can easily determine the scripting platform that the target website is using. S
Contact details and CMS details: The contact pages usually offer details such as names, phone numbers, email addresses, and locations of admin or support people. You can use these details to perform a social engineering attack. CMS software allows URL rewriting in order to disguise the script filename extensions. In this case, you need to put little more effort to determine the scripting platform.
Use Paros Proxy, Burp Suite, Firebug, etc. to view headers that provide: Q
Connection status and content-type
Q
Accept-ranges
©
Last-Modified information
Q
X-Powered-By information
© W eb server in use and its version Source: http://portswigger.net The following is a screenshot of Burp Suite showing headers of packets in the information pane:
FIGURE 2.14: Burp Suite showing headers of packets in the information pane
Module 02 Page 138
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
W e b site F o o tp rin tin g (Cont’d)
Examining H TM L source provides:
CEH
Urt1fw4
ilh iu l lUtbM
Examining cookies may provide:
© Comments in the source code
6 Software in use and its behavior
9 Contact details of web developer or admin
© Scripting platforms used
© File system structure 9 Script type
Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
W ebsite Footprinting (Cont’d) Examine the HTML source code. Follow the comments that are either created by the CMS system or inserted manually. These comments may provide clues to help you understand what's running in the background. This may even provide contact details of the web admin or developer. Observe all the links and image tags, in order to map the file system structure. This allows you to reveal the existence of hidden directories and files. Enter fake data to determine how the script works.
Module 02 Page 139
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
T V1 ew « j u 1< e w w w jn 1... 2: http7/www^u9gyb— J: http--//www.;1>ggyb... * http,// www/uggyb. S: http://www.;u9g>-b...
Pfoywi
■ __________ >*»*mg. 0
Set 0 0 0 0 0 10*6*4 11
+
Loaded byt« 0 0 0 0 0 Queued S1
Sutus Connoting Connoting Connecting Connecting Connecting
vJ
(1 »
t«trw «og>
OomHo^t
״
י
2J***' ״S ’**■
U h jh
Welcome to Microsoft *o*ucta
00
» « e *d
1
S*o^»
Support
•wy
FIGURE 2.20: SurfOffline screenshot
W ebripper Source: http://www.calluna-software.com WebRipper is an Internet scanner and downloader. It downloads massive amount of images, videos, audio, and executable documents from any website. WebRipper uses spider-technology to follow the links in all directions from the start-address. It filters out the interesting files, and adds them to the download-queue for downloading. You can restrict downloaded items by file type, minimum file, maximum file, and image size. All the downloaded links can also be restricted by keywords to avoid wasting your bandwidth. Wrt>R»ppef 03 -Copyright (0 200S-2009 -StmsonSoft Ne M>
T00H *dp
0 SamsonSoft
□ H■!►Ixl ^|%| ® F Received-SPF: pass (google.com: domain of ■ 1enna0gmail.com designates 10.224.205.137 as permitted sender) client-ip=10.2 2 Authentication-Results:pnr7googl^^om»J 3pf-pa33 (google.com: domain of erma8gmail.com designates 10.224.205.137 as permitted senaerj smtp.mail3 - ׳־־rmaggmail.com; dkim=pass header. i=; ?rma8gmail.com Received: f r o m m r . g o o g l e . c o m ([10.224.205.137]) hv in.??ר.ו)וו*«ררו4 )177 ( רn u m h o p s = 1); | F n , 01 Jun 2012 21:24:00 -0700 (PDT)! DKIM-Signature: v=l/l^^rsa-sha^^o/J c=relaxed/relaxed; d=gma i 1. com; ? 01 2011 h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=TGEIPb4ti7gfQG+ghh70kPjkx4Tt/iAClPPyWmNgYHc=; b־KguZLTLfg2+QZXzZKexlNnvRcnD/+P4+Nk5NKSPtG7uHXDsfv/hGH46e2P+75MxDR8 blPK3eJ3Uf/CsaBZWDITOXLaKOAGrP3BOt92MCZFxeUUQ9uwL/xHALSnkeUIEEeKGqOC oa9hD59D3oXI8KAC7ZmkblGzXmV4DlWffCL894RaMB0UoMzRw0WWIib95alI38cqtlfP ZhrWFKh5xSnZXsE73xZPEYzp7yecCeQuYHZNGslKxc07xQjeZuw+HWK/vR6xChDJapZ4 K5 ZAf YZmkI kFX 4־VdLZqu 7 YGFzy 60 HcuPl6yS/C2 fXHVdsuYamMT/yecvhCVo80g7FKt 6 /KzwMIME-Version: 1.0 Received: by 10.224.205.137 with SMTP id fq9mr6704586qab.39.1338611040318; Fri, 01 Jun 2012 21:24:00 -0700 (PDT) Received: by 10.229.230.79 with HTTP; Fri, 1 Jun 2012 21:23:59 -0700 (PDT) In-Reply-To: Referoflfiga^^£^2iiJ^2Xlidfi2£ia2fiiiJi^4^er2MtVOuhro6r+7Mu7c8ubp8Eg0mail.g m a i l .com> Date:|Sat, 7 Jun 201? 09:53:59 40530 1 Message-it: To: iftsamaii.com, • 1LUTI0NS < ••-* - - ־ •tions8gmail.com>, — ... ■ ■ e 1< ־tm ■׳aAk_er8yahoo.com>,
FIGURE 2.24: Email header screenshot
This email header contains the following information:
e e e e e e e e
Sender's mail server Data and time received by the originator's email servers Authentication system used by sender's mail server Data and time of message sent A unique number assigned by mr.google.com to identify the message Sender's full name Senders IP address The address from which the message was sent
The attacker can trace and collect all of this information by performing a detailed analysis of the complete email header.
Module 02 Page 156
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
E m a il T r a c k in g T ools
C EH
Em ail Lookup - Free Em ail Tracker Trace Email - Track Email Email Header Analysis IP Address: 72.52.192 147 (ho8t.marhsttanrrediagro1jp.con) IP Address Country: Unred States ip
con tinen t north America
IP Address City Location: Lansing IP Address Region: Michigan IP Address Latitude: *2.7257. IP Address longtitude: -84.636 Organ i rat on: So jrcoDNS tmaii Lookup wap (sno w n ide)
Map
Satellite
Bath Charter Township
Email M e tric s
O ard !5MH •
(105* »
UO t
1«M>
־-
w *י W, ( f t
Lansing
E 03t Lansing
/
I־
!!!!!!!! 11j!.!!! 1m ! 111! Po liteM ail ( h tt p :/ / w w w .p o lite m a il.c o m )
IVac dfcta 82012 Gooole - Terms of Use Report a map e
Em ail Lookup - Free Em ail Tracker (http://www.ipaddresslocation.org) Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
Em ail Tracking Tools Email tracking tools allow you to track an email and extract information such as sender identity, mail server, sender's IP address, etc. You can use the extracted information to attack the target organization's systems by sending malicious emails. Numerous email tracking tools are readily available in the market. The following are a few commonly used email tracking tools:
eM ailTrackerPro Source: http://www.emailtrackerpro.com eMailTrackerPro is an email tracking tool that analyzes email headers and reveals information such as sender's geographical location, IP address, etc. It allows you to review the traces later by saving all past traces.
Module 02 Page 157
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
«M*fTrKtfT*o v9Qh Advanced {(Woiv Trul a»y 3 of M
• n*r» s M KTT»mt*•(
n*van(on»*זvyv•**•(tt* po^ndotftf) • ntrtiiwHTmMn*( 18( 82 14 17
12«2*»עבג 18087 385 80231 217 17 80231217 2 80 231 2006 80 231 91 X 80 231 1382
1 ז ? ד. ג נ »י. יSTATIC
w l M(Ot01 1* ׳ ׳.
!•A Last update of whois database: Thu, 19 Jul 2012 07:49:36 UTC < « Queried whoib.networkbolutionb.coiii with ,juggyboy.com'‘...
Doaain servers i& listed order:
Registrant:
ns5.nsft.net ns4.nsft.net nsl.nsft.net ns3.nsft.net ns2.nsft.net
http://whois.domaintools.com
http://centralops.net/co
FIGURE 2.30: Whois services screenshots
Module 02 Page 191
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
WHOIS Lookup Tool: SmartWhois
CEH
Urtffi•* IthKjl lUckM
SmartWhois - Evaluation Version Fie Query Edit Y!r/» Settings Help
P. host crdcrran: -J nncr050ft.c<
14 miacsoft.com ^
rwcney.de
»E53
tt Free SAS i ProXad 8, fuc de la ville T'Eveque 75006 Paris phone -33 173 50 20 00 fax *■33 173 50 25 01 hostmastcfCPptoxad.nct Q
free SAS i ProXad ruedel4v>llel"Evec|ue 75006 Pari* phone-33 173 50 20 00 fax: *33 173 502501 r.ojtmcitcri’cfo.od.nct
( | frmti1-q?0.ftM>.f1 [212.27.60.19] ( ® J ''**n:2-q2C.fr««.ff [212.27.60.20]
r*at*d: 29/12/2006
IJ u c" Updated: p 17/02/2004 Source: whois.nic.fr Completed at 19-07-2012 12:4*01 PM Processing םme 1.6$ seconds
V1r«VM>Liter
http://www.tamos, com Copyright © by EG-GaullCil. All Rights Reserved. Reproduction is Strictly Prohibited.
BC
WHOIS Lookup Tool: SmartWhois Source: http://www.tarnos.com
SmartWhois is a useful network information utility that allows you to look up all the available information about an IP address, hostname, or domain, including country, state or province, city, name of the network provider, administrator, and technical support contact information. It also assists you in finding the owner of the domain, the owner's contact information, the owner of the IP address block, registered date of the domain, etc.
Module 02 Page 192
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
SmaitWhois ־Evaluation Version File
Q u ery
Edit
V iew
Settings
H elp
IP, host or domain: Q micro soft com
V
־׳£> Q u ery »
m a t microsoft.com money.de
Qnjgjfcfr 88.1902S4.12
Free SAS/ ProXad rue de 10ville I 'Evcquc 75008 Paris
I 8,
phene: ♦33 I 73 50 20 00 fax: ♦33 1 73 50 25 01 h0 stmastergpf0xid.net Free SAS / ProXad I 8. rue de la ville I 'Eveque 75008 Paris phene ♦33 1 73 50 20 00 fax: ♦33 1 73 50 25 01
freensl-g20Jree.fr [212.27.60.19]
1freens2-g20Jree.fr[212.27.60.20] Google Page Rank: 7
1Alexa Traffic Rank: 11,330 Created: 29/12/2008 Updated: 17/02/2004 Source: whois.nic.fr Completed at 19*07-2012 12:44:01 PM Processing time: 1.63 seconds
View source
FIGURE 2.31: SmartWhois screenshot
Module 02 Page 193
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
WHOIS Lookup O nline Tools
ה־ז 1 1 n
SmartWhois
Whois
h ttp ://sm a rtw h o is. com
h ttp ://to o ls . w hois.net
%
Better Whois
mimr
h ttp :/ / w w w . b etterw hois. com
C EH
DNSstuff h tt p :/ / w w w . dnss tuff, com
־ = ■־
m
pyy §fc]
Whois Source
S'
h tt p :/ / w w w . whois.sc
Network Solutions Whois h ttp ://w w w .n e tw o rk so lu tio n s.co m
Web Wiz
WebToolHub
h tt p :/ / w w w . w ebw iz.co. u k/d om ain ־ to ols /w hois-lookup.htm
h tt p :/ / w w w . w ebtooll 1 •w hois-lookup. aspx
Network-Tools.com
Ultra Tools
h ttp ://n e tw o rk -to o ls. com
h ttp s :/ /w w w .u ltra to o ls .co m /w h o is /h o m e
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
WHOIS Lookup Tools Similar to SmartWhois, there are numerous tools available in the market to retrieve Whois information. A few are mentioned as follows:
pp CountryWhois ---- Source: http://www.tamos.com CountryWhois is a utility for identifying the geographic location of an IP address. CountryWhois can be used to analyze server logs, check email address headers, identify online credit card fraud, or in any other instance where you need to quickly and accurately determine the country of origin by IP address.
Lan W hois Source: http://lantricks.com LanWhols provides information about domains and addresses on the Internet. This program helps you determine who, where, and when the domain or site you are interested in was registered, and the information about those who support it now. This tool allows you to save your search result in the form of an archive to view it later. You can print and save the search result in HTML format. Module 02 Page 194
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
P
t
Exam 312-50 Certified Ethical Hacker
Batch IP Converter
■j i^ t *
Source: http://www.networkmost.com Batch IP Converter is a network tool to work with IP addresses. It combines Domain-to-IP Converter, Batch Ping, Tracert, Whois, Website Scanner, and Connection Monitor into a single interface as well as an IP-to-Country Converter. It allows you to look up the IP address for a single or list of domain names and vice versa.
I r1 ־CallerIP Source: http://www.callerippro.com CallerIP is basically IP and port monitoring software that displays the incoming and outgoing connection made to your computer. It also allows you to find the origin of all connecting IP addresses on the world map. The Whois reporting feature provides key information such as who an IP is registered to along with contact email addresses and phone numbers.
®1— ׳W hois Lookup M ultiple A ddresses Source: http://www.sobolsoft.com This software offers a solution for users who want to look up ownership details for one or more IP addresses. Users can simply enter IP addresses or load them from a file. There are three options for lookup sites: whois.domaintools.com, whois-search.com, and whois.arin.net. The user can set a delay period between lookups, to avoid lockouts from these websites. The resulting list shows the IP addresses and details of each. It also allows you to save results to a text file.
W hois Analyzer Pro Source: http://www.whoisanalvzer.com This tool allows you to access information about a registered domain worldwide; you can view the domain owner name, domain name, and contact details of domain owner. It also helps in finding the location of a specific domain. You can also submit multiple queries with this tool simultaneously. This tool gives you the ability to print or save the result of the query in HTML format.
HotWhois Source: http://www.tialsoft.com HotWhois is an IP tracking tool that can reveal valuable information, such as country, state, city, address, contact phone numbers, and email addresses of an IP provider. The query mechanism resorts to a variety of Regional Internet Registries, to obtain IP Whois information about IP address. With HotWhois you can make whois queries even if the registrar, supporting a particular domain, doesn't have the whois server itself.
Module 02 Page 195
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
W hois 2010 Pro Source: http://lapshins.com Whois 2010 PRO is network information software that allows you to look up all the available information about a domain name, including country, state or province, city, administrator, and technical support contact information.
(W) Active Who is Source: http://www.johnru.com ActiveWhois is a network tool to find information about the owners of IP addresses or Internet domains. You can determine the country, personal and postal addresses of the owner, and/or users of IP addresses and domains.
W hoisThisD om ain Source: http://www.nirsoft.net WhoisThisDomain is a domain registration lookup utility that allows you to get information about a registered domain. It automatically connects to the right WHOIS server and retrieves the W HOIS record of the domain. It supports both generic domains and country code domains.
Module 02 Page 196
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
WHOIS Lookup O nline Tools
ה־ז 1 1 n
SmartWhois
Whois
h ttp ://sm a rtw h o is. com
h ttp ://to o ls . w hois.net
%
Better Whois h ttp :/ / w w w . b etterw hois. com
m im r
C EH
DNSstuff h tt p :/ / w w w . dnss tuff, com
־ = ■־
m
Whois Source
Network Solutions Whois
p yy
h tt p :/ / w w w . whois.se
§fc]
Web Wiz
WebToolHub
h tt p :/ / w w w . w ebw iz.co. u k/d om ain ־ to ols /w hois-lookup.htm
h tt p :/ / w w w . w ebtooll
c
h ttp ://w w w .n e tw o rk so lu tio n s.co m
1 •w hois-lookup. aspx
Network-Tools.com
Ultra Tools
h ttp ://n e tw o rk -to o ls. com
h ttp s :/ /w w w .u ltra to o ls .co m /w h o is /h o m e
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
WHOIS Lookup O nline Tools In addition to the Whois lookup tools mentioned so far, a few online Whois lookup tools are listed as follows: Q
SmartWhois available at http://smartwhois.com
Q
Better Whois available at http://www.betterwhois.com
O
Whois Source available at http://www.whois.se
Q
W eb Wiz available at http://www.webwiz.co.uk/domain-tools/whois-lookup.htm
Q
Network-Tools.com available at http://network-tools.com
Q
Whois available at http://tools.whois.net
©
DNSstuff available at http://www.dnsstuff.com
Q
Network Solutions Whois available at http://www.networksolutions.com
S
WebToolHub available at http://www.webtoolhub.com/tn561381-whois-lookup.aspx
Q
Ultra Tools available at https://www.ultratools.com/whois/home
Module 02 Page 197
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Footprinting M ethodology
Footprinting through Search Engines
WHOIS Footprinting
Website Footprinting
DNS Footprinting
Email Footprinting
Network Footprinting
Competitive Intelligence
Footprinting through Social Engineering
Footprinting using Google
Footprinting through Social Networking Sites
CEH
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology ---
The next phase in footprinting methodology is DNS footprinting.
This section describes how to extract DNS information and the DNS interrogation tools.
Module 02 Page 198
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Extracting DNS Inform ation
CEH
(•rtifwd
0
ithiul •UtkM
0 Attacker can gather DNS information to determine key hosts in the network and can perform social engineering attacks
0
3 2
0
DNS records provide important information about location and type of servers R e co rd Type A
D e s c r ip t io n
Points to domain's mail server
NS
Points to host's name server
SOA
©
http://network-tools.com
Indicate authority for domain Service records
PTR
Maps IP address to a hostname
RP
Responsible person
TXT
http://www.dnsstuff.com
Canonical naming allows aliases to a host
SRV
HINFO
© Points to a host's IP address
MX
CNAME
DNS In te rro g a tio n Tools
Host information record includes CPU type and OS Unstructured text records
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
Extracting DNS Inform ation DNS footprinting allows you to obtain information about DNS zone data. This DNS zone data includes DNS domain names, computer names, IP addresses, and much more about a particular network. The attacker performs DNS footprinting on the target network in order to obtain the information about DNS. He or she then uses the gathered DNS information to determine key hosts in the network and then performs social engineering attacks to gather more information. DNS footprinting can be performed using DNS interrogation tools such as www.DNSstuff.com. By using www.DNSstuff.com, it is possible to extract DNS information about IP addresses, mail server extensions, DNS lookups, Whois lookups, etc. If you want information about a target company, it is possible to extract its range of IP addresses utilizing the IP routing lookup of DNS stuff. If the target network allows unknown, unauthorized users to transfer DNS zone data, then it is easy for you to obtain the information about DNS with the help of the DNS interrogation tool. Once you send the query using the DNS interrogation tool to the DNS server, the server will respond to you with a record structure that contains information about the target DNS. DNS records provide important information about location and type of servers. Q
A - Points to a host's IP address
Module 02 Page 199
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Q
MX ־Points to domain's mail server
Q
NS - Points to host's name server
Exam 312-50 Certified Ethical Hacker
© CNAME - Canonical naming allows aliases to a host © SOA - Indicate authority for domain Q
SRV - Service records
Q
PTR - Maps IP address to a hostname
©
RP - Responsible person
©
HINFO - Host information record includes CPU type and OS
A few more examples of DNS interrogation tools to send a DNS query include: ©
http://www.dnsstuff.com
©
http://network-tools.com
Module 02 Page 200
Ethical Hacking and Countermeasures Copyright © by EC-C0l1ncil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Extracting DNS Inform ation (Cont’d) This tool is very useful to perform a DNS query on any host. Each domain
^ Perform DNS query
name (Example: dnsqueries.com ) is structured in hosts (ex:
ueries, com) and the DNS (Domain Name System) allow to translate the domain name or the hostname in an IP Address 10 contact via the 1 3( *1 IP protocol. There are serveral types of queries, corresponding to all the Implemen table types of DNS records such as A record, MX. AAAA, CNAME and SOA.
Q
CEH (•rtifwtf | EthKJi ■UckM
microsoft.com
Results for checks on microsoft.com Host
TTL
Class
lype
Details
microsoft.com J!
3381
IN
TXT
microsoft.com
3381
IN
TXT
mlcrosoft.com ^
3381
IN
MX
v-spf1 Include: spf-a.mlcrosoft.com Include:_spf-b.mfcrosoft.com 1nclude:_spf־c.mlcrosoft.com 1nclude:_spf-ssg• a.microsoft.com ip4:l31.107.115.215 Ip4:131.107.115.214 ip4:205.248.106.64 ip4:205.248.106.30 ip4:205.248.106.32 *all 10 (nall.messaglng.mlcrosort.com J!
111ic 1ubuft.com
3381
IN
SOA
ns1.msft.net mbnhbt.n1iaosoft.com 2012071602 3C0 600 2419200 3600
microsoft.com
3381
IN
A
64.4.11.37
microsoft.com
3381
IN
A
65.55.58.701 $
microsoft.com J'
141531 IN
NS
ns5.msft.net
microsoft.com
141531 IN
NS
ns2.msft.net
microsoft.com ^
141531 IN
NS
ns1.msft.net $
microsoft.com $
141531 IN
NS
ns3.msft.net $
microsoft.com $
141531 IN
NS
ns4.msft.net yj}
J
FbUF6DbkE*Aw1 /v/i9xgDi3KVrllZus5v8L6tblQZkGrQ׳rVQKJi8CjQbBtWt£64ey4NJJv/j5J65PlggVYNabdQ—
http://www.dnsqueries. com Copyright © by EG-GtailCil. All Rights Reserved. Reproduction is Strictly Prohibited.
Extracting DNS Inform ation (Cont’d) Source: http://www.dnsqueries.com Perform DNS query available at http://www.dnsqueries.com is a tool that allows you to perform a DNS query on any host. Each domain name (example: dnsqueries.com) is structured in hosts (ex: www.dnsqueries.com) and the DNS (Domain Name System) allows anyone to translate the domain name or the hostname in an IP address to contact via the TCP/IP protocol. There are several types of queries, corresponding to all the implementable types of DNS records such as a record, MX, AAAA, CNAME, and SOA. Now let's see how the DNS interrogation tool retrieves information about the DNS. Go to the browser and type http://www.dnsqueries.com and press Enter. The DNS query's homesite will be displayed in the browser. Enter the domain name of your interest in the Perform DNS query's HostName field (here we are entering
Microsoft.com) and click the
Run tool
button; the
DNS information for
Microsoft.com will be displayed as shown in the following figure.
Module 02 Page 201
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
This tool is very useful to perform a DNS query on any host. Each domain name (Fxample: dnsqueries.com) is structured in hosts (ex: www.dnsqu0 n 0 s.com) and the DNS (Domain Name System) allow ovorybody to translato tho domain namo or tho hostname in an IP Addross to contact via the TCP/IP protocol. There are server^ types of queries, corresponding to dll the implemen table types of DNS records such as A record, MX, AAAA, CNAME and SOA.
Q Perform DNS query Hostflame:
[mcrosoftcom Type: ANY
0
|
Run toohT
Results for checks on m1crosoft.com Host
TTL
Class Type
Details
microsoft.com
3381
IN
TXT
FbUF6DbkE*Avvl/wi9xgDi8KVrllZus5v8L6tblQZkGrQ/׳VQKJi8CjQbBtWtE64ey4NJJvvj5J65PlggVYNabdQ-־
micr030ft.c0m
3381
IN
TXT
v=spf1 lnclude:_spf-a.mfcrosofLcom lndude:_spf־ a.microsoft.com ip4:l3l.107.115.215 ip4:l31.107.115.214 ip4:2G5.248.100.64 ip4:205.243.106.30 ip4:2D5.248.106.32 'all
microsoft.com
3381
IN
MX
10 mail.mes5aging.micro50ft.c0m
microsoft.com ^
3381
IN
SOA
nsl.msft.netmsnhst.microsoft.com 2012071602 300 600 2419200 3600
microsoft.com
3381
IN
A
64.4.11.37 s J
microsoft.com
3381
IN
A
65.55.58.701
microsoft.com ^
141531 IN
NS
ns5.msft.net
microsott.com ^
ns2.mstt.net $
141531 IN
NS
microsoft.com CJ
141531 IN
NS
microsoft.com Q
141531 IN
NS
ns3.msft.net
n1icr050ft.c0m ^
141531 IN
NS
r154.t1tsft.r1et
b.mfcrosoft.com lnclude:_spf-c.mlcrosoft.com lndude:_spf-ssg
ns1.msft.net !£}
FIGURE 2.32: Screenshot showing DNS information for Microsoft.com
Module 02 Page 202
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
DNS I n te r r o g a tio n T ools A
ffjp s lli
ח
DIG
CEH
DNSWatch ____ נ
h ttp :/ /w w w .k lo th .n e t
h ttp :/ /w w w .d n s watch, info
myDNSTools
DomainTools
h ttp :/ /w w w .m y d n s tools.info
h ttp ://w w w .d o m a in to o ls.co m
Professional Toolset
1rv '- ,
(0m
h tt p :/ / w w w . dnsstuff. com
DNS h ttp ://e -d n s .o rg
DNS Records
DNS Lookup Tool
h ttp ://n e t w o rk- tools.com
h tt p :/ / w w w . w e b w iz. co. uk
DNSData View
DNS Query Utility
h ttp ://w w w .n irs o ft.n e t
h tt p :/ / w w w . w ebm as ter- toolki t. com
Copyright © by EG-G(HIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
DNS Interrogation Tools A few more well-known DNS interrogation tools are listed as follows:
© DIG available at http://www.kloth.net © myDNSTools available at http://www.mydnstools.info © Professional Toolset available at http://www.dnsstuff.com © DNS Records available at http://network-tools.com © DNSData View available athttp://www.nirsoft.net ©
DNSWatch available at http://www.dnswatch.info
©
DomainTools Pro available at http://www.domaintools.com
©
DNS available at http://e-dns.org
©
DNS Lookup Tool available at http://www.webwiz.co.uk
© DNS Query Utility available at http://www.webmaster-toolkit.com
Module 02 Page 203
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Footprinting M ethodology
Footprinting through Search Engines
CEH
WHOIS Footprinting
Website Footprinting
*ך
DNS Footprinting
Email Footprinting
Network Footprinting
Competitive Intelligence
Footprinting through Social Engineering Footprinting through Social Networking Sites
Copyright © by EG-G(HIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
Footprinting M ethodology The next step after retrieving the DNS information is to gather network-related information. So, now we will discuss network footprinting, a method of gathering networkrelated information. This section describes how to locate network range, determine the operating system, Traceroute, and the Traceroute tools.
Module 02 Page 204
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
L ocate th e N etw ork R an g e J
Network Whois Record
Network range information obtained assists an attacker to create a map of the target's network
J
Queried whois.arin.net with "n 207.46.232.182"... 207.46 207.46
NetRange: CIDR: OriginAS: N e tName: NetHandle: Parent: N e tType: NameServer: NameServer: NameServer:
Find the range of IP addresses using ARIN whois database search tool
J
C EH
(citifwd IthKJI lUckM
You can find the range of IP addresses and the subnet mask used by the target organization from Regional Internet
NET-207-46-0-0-1 NET-207-0-0-0-0 Direct Assignment NS2.MSFT.NET NS4.MSFT.NET NS1.MSFT.NET NS5.MSFT.NET NS3.MSFT.NET 1997-03-31 2004-12-09 http://whois.arin.net/rest/net/NETMicrosoft Corp MS FT One Microsoft Way Redmond WA
OrgAbuseHandle OrgAkuseName: OrgAbusePhone: OrgAbuseEmail: OrgAbuseRef:
Attacker Network
207.46.255.255
.0/16
M IC R O S O F T -G L O B A L -N E T
NameServer: NameServer: RegDate: Updated: Ref: 207-46-0-0-1 OrgName: Orgld: Address: City: StateProv: PostalCode: Country: RegDate: Updated: Ref:
Registry (RIR)
.0.0
98052 US 1998-07-10 2009-11-10 http://whois.arin.net/rest/org/MSFT ABUSE231-ARIN Abuse
+1-425-882-8080
[email protected]
http://whois.arin.net/rest/poc/ABUSE231-ARIN Copyright © by EG-Gtancil. All Rights Reserved. Reproduction is Strictly Prohibited.
»־
Locate the Network Range
ז-נ
To
perform
network
footprinting,
you
need
to
gather
basic
and
important
information about the target organization such as what the organization does, who they work for, and what type of work they perform. The answers to these questions give you an idea about the internal structure of the target network. After gathering the aforementioned information, an attacker can proceed to find the network range of a target system. He or she can get more detailed information from the appropriate regional registry database regarding IP allocation and the nature of the allocation. An attacker can also determine the subnet mask of the domain. He or she can also trace the route between the system and the target system. Two popular traceroute tools are NeoTrace and Visual Route. Obtaining private IP addresses can be useful for an attacker. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private Internets:
10.0.0.0-10.255.255.255
(10/8
prefix),
172.16.0.0-172.31.255.255
(172.16/12
prefix), and 192.168.0.0-192.168.255.255 (192.168/16 prefix). The network range gives you an idea about how the network is, which machines in the networks are alive, and it helps to identify the network topology, access control device, and OS
Module 02 Page 205
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
used in the target network. To find the network range of the target network, enter the server IP address (that was gathered in W HO IS footprinting) in the ARIN whois database search tool or you can go to the ARIN website (https://www.arin.net/knowledge/rirs.html) and enter the server IP in the SEARCH Whois text box. You will get the network range of the target network. If the DNS servers are not set up correctly, the attacker has a good chance of obtaining a list of internal machines on the server. Also, sometimes if an attacker traces a route to a machine, he or she can get the internal IP address of the gateway, which might be useful.
N e tw o rk W h o is R e co rd Queried whois.arin.net with "n 207.46.232.182", 207.46.0.0 - 207.46.255.255 NetRange: 207.46.0.0/16 CIDR: OriginAS: MICROSOFT-GLOBAL-NET NetName: NET-207-46-0-0-1 NetHandle: NET-207-0-0-0-0 Parent: Direct Assignment NetType: N S 2 .MSFT.NET NameServer: N S 4 .MSFT.NET NameServer: NS1.MSFT.NET NameServer: NS5.MSFT.NET NameServer: NS3.MSFT.NET NameServer: 1997-03-31 RegDate: 2004-12-09 Updated: http://whois.arin.net/rest/net/NETRef: 207-46-0-0-1 Microsoft Corp OrgName: MS FT Orgld: One Microsoft Way Address: Redmond City: WA StateProv: 98052 PostalCode: US Country: 1998-07-10 RegDate: 2009-11-10 Updated: http://whois.arin.net/rest/org/MSFT Ref: OrgAbuseHandle: ABUSE231-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-425-882-8080 OrgAbuseEmail:
[email protected] OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE231-ARIN
You need to use more than one tool to obtain network information as sometimes a single tool is not capable of delivering the information you want.
Module 02 Page 206
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved, Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
D eterm ine the Operating System
c EH
(•itifwd
tUMJl NMhM
Use the Netcraft tool to determine the OSes in use by the target organization
Copyright © by EC-CaHCil. All Rights Reserved. Reproduction is Strictly Prohibited.
\
D eterm ine the Operating System Source: http://news.netcraft.com
So far we have collected information about IP addresses, network ranges, server names, etc. of the target network. Now it's time to find out the OS running on the target network. The technique of obtaining information about the target network OS is called OS fingerprinting. The Netcraft tool will help you to find out the OS running on the target network. Let's see how Netcraft helps you deter,ome the OS of the target network. Open the http://news.netcraft.com site in your browser and type the domain name of your target network in the What's that site running? field (here we are considering the domain name "Microsoft.com"). It displays all the sites associated with that domain along with the operating system running on each site.
Module 02 Page 207
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
OS, W»b Server asd MosangMiכlory for wlnOovvs./ricrosoft.coa(
r iE T C R ^ F T *k B t x k O m i
raeic-p
Search W e b by Domain I
3rd August 2012
E'pbre 1.045.745 w#& z f t u s te d ty users ofth• Naicrafl Toolbar • • • יי״י• ״ ׳ ׳ |
3
lookup!
I
«encarU.com asxovev com *MMvcaigeiAteem
52 48 46
56 91 81
mado com
41
£6
!
rriacsoCcgma mtreso* iu rrtjrjf• hcrro rmcratol com
39 38 38
39 50 84
!
c9lm acao 8.com
3®
66
<
* mw 12:2:1 r*1 n׳Krc*08c0m wwwmsncemlw
33 32
77
20 20 20 95 36 24 92 32 20
45 ?4 36 51
!
79
8ו
>
K im i! international הv Unux
wwminuoaot com!
wr«! ^ i P>««r»1>wn ti *XA tPxx!r *cnttVtX tnttto* &C w lfi tni *!*?•nt'ilo*׳ fa1r»»*11!1n )pNft'ImiKonminMOm ConpjnyW«6tM
0
» isi a ^
■ 4 , in* FT Y- -•־ ■s - -
2
new members join every second
2,447
$522 million
2 million companies
employees located around the world
revenue for 2 0 1 1
have Linkedin company pages
Copyright © by EG-G1IIIIC1I. All Rights Reserved. Reproduction is Strictly Prohibited.
C o llectin g L in k e d in In fo rm atio n Similar to Facebook and Twitter, Linkedin is another social networking site for professionals. It allows people to create and manage their professional profile and identity. It allows its users to build and engage with their professional network. Hence, this can be a great information resource for the attacker. The attacker may get information such as current employment details, past employment details, education details, contact details, and much more about the target person. The attacker can collect all this information with the footprinting process.
Module 02 Page 233
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Linked 03• Account Horn*
ProM•
bmc m**1 ׳
Contacts
Group•
Job■
inbox
CoflipanM
Non
Mon
€ Go back 10 Soarch Results
Chris Stone
Se e expanded
Programme Manager at Deutsche Bank Belgium Brussels Area Be*yum Management Consu»mg Connect Send InMari Save Chns's F Current
Past
Education Recommendations
Programme Manager at Deutsche Bank Belgium Director and Consultant * Program Management Solutions sp»l (Se It employed) Head of Operations Projects & Support Investment Omsk*! at AXA Bank Europe Programme Manage* at AXA Bank Europe Outsourcing Programme & Procurement Manager at AXA BekpumO Mil•• Henot-Watt Institute of Chartered Secretaries and Adnw*st/ators 3 people have recommended Chns
Connections
500• connections Websites Company Webs4e Public Protoe http //be knkedn comWcsstone
FIGURE 2.42: Linkedln showing user's professional profile and identity
Module 02 Page 234
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
C ollecting Youtube Inform ation I CEH 3 rd
Most visited website according to Alexa
8 2 9 ,4 4 0 I Videos uploaded
tm
« 900 Sec
Average time users spend on YouTube every day
,G E E
Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
Q) 1] C o llectin g Y ouTube In fo rm a tio n YouTube is a website that allows you to upload, view, and share videos all over the world. The attacker can search for the videos related to the target and may collect information from them.
FIGURE 2.43: Youtube showing videos related to target
Module 02 Page 235
Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Tracking Users on Social Networking Sites
CEH
J
Users may use fake identities on social networking sites. Attackers use tools such as Get Someones IP or IP-GRABBER to track users' real identity
J
Steps to get someone's IP address through chat on Facebook using Get Someones IP tool: © Go to h t t p : / / w w w .m yiptest. c o m /s ta tic p a g e s / in d e x .p h p /h o w -a b o u t-y o u © Three fields exist:
Link for Person Copy the generated link of this field and send it to the target via chat to get IP address
Link for you
Redirect URL Enter any URL you want
Open the URL in this field and keep checking for
the target to redirect to
kKp«rs4«1: http Ifwmi nyiptesi corr/img ph3^d=z«uibg1f?8.'dr=viww gruil con&rd=־yatoc c>rr&
toeyou: > מזיN*ww myiptest corvstatKpages/ndex prp«'׳to