CEH Master - Chapter 2 : Footprinting & Reconnaissance

FOOTPRINTING
Information Gathering Process

Competitive Intelligence
Nslookup and DNSstuff
Finding the Target’s IP Address
DNS Records
Traceroute
Email Tracking
What is a Web Spider?


RECONNAISSANCE

FOOTPRINTING

The first step in the attack process is gathering information about the target from publicly available data on the internet. This can be done using online applications like Whois, Domain Check or tools installed on the computer like DNS Walk, DNS Enum. This process is called footprinting or leaving a footprint. With the information gathered through footprinting, a hacker can guess the owner of the targeted website domain, the IP address of the target, the DNS servers resolving the domain name, etc.

In addition to technical methods, there are non-technical but equally effective methods, grouped under the name Social Engineering, which we will discuss in the next section. With these methods a skilled hacker can compile a great deal of useful information to serve the actual attack steps later. In the role of a security expert or ethical hacker, we need to understand footprinting and how to carry it out, so that we can see which information about the organization is over-exposed on the internet and propose timely and accurate remediation.

The tools that most strongly support the footprinting process are search engines such as Yahoo and Bing, and above all Google Search. Through them, hackers can find a great deal of information about a target website, from content published on purpose to sensitive material such as password files that are exposed because access to them is not strictly controlled. This method is called Google Hacking (learn more about Google hacking at http://www.exploit-db.com/google-dorks/).

Here are some commonly used options for advanced search with Google:

  • Site: Searching with the option “site:domainname.com” will give results directly related to the website. For example, searching for information related to the CEHMASTER ORG website using the syntax “site:cehmaster.org” as shown in Figure 2.1:

[Figure 2.1 – Finding information related to a website]

  • Filetype: Only search for results related to a specific topic or file format. For example, to search for pdf documents related to the CEH topic, we search with the syntax “filetype:pdf ceh” as shown in Figure 2.2.

[Figure 2.2 – Searching by content and file format]

  • Link: Search for information linked to the website you want to find, for example “link:cehmaster.org” will display websites with content related to the cehmaster.org domain.
  • Intitle: Search for information based on the title of the webpage. This search method will give results focused on the topic of interest. For example, if you want to search for documents related to “ethical hacking”, type “intitle:ethical hacking” into Google.
  • Inurl: Search for all websites containing the specified url phrase in the inurl option like “inurl:wp-content/plugins/age-verification/age-verification.php”.

[Figure – Websites linked to cehmaster.org]

Information Gathering Process

To conduct information gathering systematically, follow these steps:

  1. Search from information sources.
  2. Identify network address ranges.
  3. Identify active machines.
  4. Find open ports or access points of the target.
  5. Probe the target’s operating system.
  6. Find services running on open ports.
  7. Map the network.

Among the seven steps above, steps 1 and 2 are the footprinting process, the remaining steps belong to the scanning and enumeration stages. Next we will analyze in detail the above steps and the technical operations that need to be carried out. In the first phase, you need to take advantage of resources published on the internet.

Information to search for:

  • Domain name.
  • Location.
  • Contact information (phone/email).

Information sources:

  • Open source: public data such as business yellow pages and phone directories.
  • Whois: database of domain name owners.
  • Nslookup: information about the servers that resolve the domain name.

Tools:

  • Sam Spade (www.samspade.org): an online tool that bundles utilities such as Whois, nslookup and traceroute. Because it is an online application, it may sometimes fail to connect because of website maintenance or network problems, so for better results install the Sam Spade utility directly on your computer or use another website with similar functions, such as www.network-tool.com.

Competitive Intelligence

Competitive intelligence is a method of gathering information from internet sources about a company or organization. Competitive intelligence can be a product or a process, such as data collection, analysis and verification of the information. The word “intelligence” suggests something thoughtful and intellectual, but in practice it just means thinking a little more deeply about what the collected information implies. For example, when a job advertisement shows that a competitor or target is recruiting staff with Cisco firewall administration skills, or with experience operating Kaspersky antivirus systems, we can infer the products and services that this organization uses. For hackers this saves time: when deploying malicious code they will focus on bypassing or circumventing applications like KAV…

The tools commonly used for the Footprinting – Competitive Intelligence process are:

  • Whois (http://www.whois.net)
  • ARIN (https://www.arin.net)
  • Nslookup (http://network-tools.com/nslook)
  • Neo Trace
  • VisualRoute Trace
  • Smart Whois
  • Visual Lookout
  • eMailTrackerPro

Whois is available as an offline tool (such as SmartWhois) or as an online utility such as www.whois.net, and is used to gather information related to a domain name, including where the website is hosted, the name and contact address of the administrator, the IP address and the DNS servers. Online Whois tools are listed in Figure 2.3:

[Figure 2.3 – Online Whois tools]

Here is a search result for information about the domain cehmaster.org with Whois and Smart Whois in Figure 2.4:

WHOIS OUTPUT FOR WWW.CEHMASTER.ORG

  Domain ID:D81180127-LROR
  Domain Name:CEHMASTER.ORG
  Created On:14-Dec-2001 10:13:06 UTC
  Sponsoring Registrar:Tucows Inc. (R11-LROR)
  Status:OK
  Registrant ID:tuTv2ItRZBMNd4lA
  Registrant Name: John Smith
  Registrant Organization:CEHMASTER ORG
  Registrant Street1:123 Main Street
  Registrant City:New York
  Registrant State/Province:NY
  Registrant Postal Code:10001
  Registrant Country:US
  Registrant Phone:+1.2125551234
  Registrant Phone Ext.:
  Registrant FAX:+1.2125555678
  Registrant FAX Ext.:
  Registrant Email:info@cehmaster.org
  Admin ID:tus9DYvpp5mrbLNd
  Admin Name: Jane Doe
  Admin Organization:CEHMASTER ORG
  Admin Street1:123 Main Street
  Admin City:New York
  Admin State/Province:NY
  …
  Tech Email:tech@cehmaster.org
  Name Server: ns1.cehmaster.org
  Name Server: ns2.cehmaster.org

[Figure 2.4 – Search results with SmartWhois]
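A Whois record is just “Field:value” lines, and the useful part of a footprinting (or self-assessment) exercise is pulling out the fields that identify people, contacts and infrastructure. The following script is an added example written for this chapter; it is not code from the book or from any Whois tool. It re-types the cehmaster.org record shown above one field per line (abbreviated) and summarizes what the record exposes, so a defender can decide which of it belongs behind registrar privacy.

```python
"""Parse a WHOIS record into fields and summarize what it exposes.
Added example for this chapter; SAMPLE_WHOIS is the cehmaster.org record
quoted in the chapter, re-typed one field per line and abbreviated."""
import re
from datetime import datetime

SAMPLE_WHOIS = """\
Domain ID:D81180127-LROR
Domain Name:CEHMASTER.ORG
Created On:14-Dec-2001 10:13:06 UTC
Sponsoring Registrar:Tucows Inc. (R11-LROR)
Status:OK
Registrant Name: John Smith
Registrant Organization:CEHMASTER ORG
Registrant Street1:123 Main Street
Registrant City:New York
Registrant Country:US
Registrant Phone:+1.2125551234
Registrant Phone Ext.:
Registrant Email:info@cehmaster.org
Admin Name: Jane Doe
Admin Organization:CEHMASTER ORG
Tech Email:tech@cehmaster.org
Name Server: ns1.cehmaster.org
Name Server: ns2.cehmaster.org
"""

# "Field name:value" -- the name may contain spaces, digits and dots
# ("Registrant Street1", "Registrant Phone Ext.") but never a colon, so the
# first colon on the line always ends the field name.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ./-]*?):\s*(.*)$")


def parse_whois(text):
    """Return {field name: [values]}; a list because 'Name Server' repeats."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value:  # skip empty fields such as "Registrant Phone Ext.:"
            fields.setdefault(key, []).append(value)
    return fields


def summarize(fields):
    """Pick out the items a footprinting report (or a self-assessment) cares about."""
    def first(key):
        return fields.get(key, [None])[0]

    created = first("Created On")
    created_dt = datetime.strptime(created, "%d-%b-%Y %H:%M:%S %Z") if created else None
    return {
        "domain": first("Domain Name"),
        "registrar": first("Sponsoring Registrar"),
        "created": created_dt,
        "name_servers": fields.get("Name Server", []),
        "contact_emails": sorted({v.lower() for k, vals in fields.items()
                                  if k.endswith("Email") for v in vals}),
        # every "... Name" field except "Domain Name" names a person
        "people": sorted({v for k, vals in fields.items()
                          if k.endswith(" Name") and k != "Domain Name" for v in vals}),
        "phones": sorted({v for k, vals in fields.items()
                          if k.endswith("Phone") for v in vals}),
    }


def exposure_findings(summary):
    """Personal data a defender may prefer to hide behind a registrar privacy service."""
    findings = []
    if summary["people"]:
        findings.append("personal names published: " + ", ".join(summary["people"]))
    if summary["phones"]:
        findings.append("phone numbers published: " + ", ".join(summary["phones"]))
    personal = [e for e in summary["contact_emails"] if not e.startswith(("info@", "tech@", "abuse@"))]
    if personal:
        findings.append("personal mailboxes published: " + ", ".join(personal))
    return findings


if __name__ == "__main__":
    s = summarize(parse_whois(SAMPLE_WHOIS))
    print(s["domain"], "registered", s["created"].date(), "at", s["registrar"])
    print("name servers:", s["name_servers"])
    for finding in exposure_findings(s):
        print("-", finding)
```

The regex treats the first colon as the end of the field name, which is what keeps “Created On:14-Dec-2001 10:13:06 UTC” from being split inside the timestamp. Real Whois output varies between registries (some use “Field: value” with a space, some indent), so `parse_whois` strips each line before matching.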

The Whois database is divided into 4 main regions:

  • ARIN (North America and sub-Saharan Africa)
  • APNIC (Asia Pacific)
  • LACNIC (Southern and Central America and Caribbean)
  • RIPE NCC (Europe and northern Africa)

Usually the ARIN Whois database is searched first. If information about a website is not found in ARIN, it may be stored in the APNIC, LACNIC or RIPE NCC database. You can use www.allwhois.com to search across the databases of all regions. In addition to websites specializing in Whois services, many tools, listed in Figure 2.5, can meet this requirement.

[Figure 2.5 – Whois tools mentioned in CEH]

Nslookup and DNSstuff

Nslookup is a program for querying Internet domain name servers. Hackers can use its results to reconstruct the DNS structure of an organization, to look for additional information about internal computers, or to read the MX records of its mail servers. Windows and Linux/Unix systems all ship with the nslookup tool, as shown in the illustration.

Besides looking up the domain names of servers, nslookup is also a useful tool for diagnosing and troubleshooting network problems related to name resolution, user internet access, or checking an Active Directory installation.

The following example is the result of using the nslookup tool on Linux/Unix for the server cracker.com:

  $ nslookup
  Default Server: cracker.com
  Address: 10.11.122.133
  > server 10.12.133.144
  Default Server: ns.targetcompany.com
  Address: 10.12.133.144
  > set type=any
  > ls -d target.com
  systemA   1D IN A      10.12.133.147
            1D IN HINFO  "Exchange MailServer"
            1D IN MX     10 mail1
  geekL     1D IN A      10.12.133.151
            1D IN TXT    "RH6.0"

Besides nslookup, you can use the online application DNSstuff at www.dnsstuff.com to look up the DNS records of a website; Figure 2.6 illustrates the results for http://www.cehmaster.org.

[Figure 2.6 – DNS Lookup]

Finding the Target’s IP Address

Any ethical hacker needs to master how to determine the IP address or address range of the target website through the ARIN or Internet Assigned Numbers Authority (IANA) databases. In addition, we can determine the geographic location of that IP address and how many hops are needed to reach the target. Traceroute and VisualRoute do this with very clear results, as shown in Figure 2.7.

[Figure 2.7 – Search results with 3D Traceroute application]

DNS Record Types

To be able to access a website or computer through domain names like cehmaster.org or machine names like www.certmaster.org, our computer needs to convert these easy-to-remember names into IP addresses. This work is done by DNS servers and the mapping information between an easy-to-remember name and an IP address is called a DNS record. Here are the records on the DNS server:

  • A (address) — links a hostname with an IP address.
  • SOA (Start of Authority) — identifies the DNS server responsible for resolution.
  • CNAME (canonical name) — provides an alias name.
  • MX (mail exchange) — identifies the domain’s email server.
  • SRV (service) — identifies servers providing services such as Active Directory.
  • PTR (pointer) — links an IP address with a hostname.
  • NS (name server) — identifies other domain name servers.
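The nslookup session in the previous section and the record-type list above fit together: a zone listing is a stream of `owner TTL class TYPE rdata` lines, and what matters to both the attacker and the defender is which types appear and what they give away (the HINFO and TXT strings in the sample reveal the mail server product and the OS release). The script below is an added example written for this chapter, not code from the book; it re-types the chapter’s `ls -d target.com` output as `SAMPLE_ZONE`, parses it into records, groups them by the types listed above, and flags the records that leak host details.

```python
"""Parse a DNS zone listing (nslookup `ls -d` style) and report record types
and information leaks.  Added example for this chapter; RECORD_TYPES follows
the chapter's list, SAMPLE_ZONE is the chapter's sample listing re-typed."""
from collections import defaultdict

RECORD_TYPES = {
    "A": "links a hostname with an IP address",
    "SOA": "identifies the DNS server responsible for resolution",
    "CNAME": "provides an alias name",
    "MX": "identifies the domain's email server",
    "SRV": "identifies servers providing services such as Active Directory",
    "PTR": "links an IP address with a hostname",
    "NS": "identifies other domain name servers",
    # two more types that the sample listing contains
    "HINFO": "host hardware/OS description",
    "TXT": "free-form text",
}

# Types whose rdata routinely advertises software or OS versions.
LEAK_TYPES = {"HINFO", "TXT"}

SAMPLE_ZONE = """\
systemA   1D IN A      10.12.133.147
          1D IN HINFO  "Exchange MailServer"
          1D IN MX     10 mail1
geekL     1D IN A      10.12.133.151
          1D IN TXT    "RH6.0"
"""


def parse_zone_listing(text):
    """Return a list of {owner, ttl, class, type, rdata} dicts.

    A line that begins with whitespace has no owner name of its own and
    continues the previous owner (the usual zone-file shorthand)."""
    records = []
    owner = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue
        if raw[0].isspace():
            parts = raw.split(None, 3)          # ttl class type rdata
            ttl, rclass, rtype = parts[:3]
            rdata = parts[3] if len(parts) > 3 else ""
        else:
            parts = raw.split(None, 4)          # owner ttl class type rdata
            owner, ttl, rclass, rtype = parts[:4]
            rdata = parts[4] if len(parts) > 4 else ""
        records.append({"owner": owner, "ttl": ttl, "class": rclass,
                        "type": rtype.upper(), "rdata": rdata.strip()})
    return records


def records_by_type(records):
    grouped = defaultdict(list)
    for r in records:
        grouped[r["type"]].append(r)
    return dict(grouped)


def describe(rtype):
    return RECORD_TYPES.get(rtype.upper(), "type not covered in this chapter")


def zone_report(text):
    """Summarize hosts, type counts, mail servers and leaking records."""
    records = parse_zone_listing(text)
    grouped = records_by_type(records)
    return {
        "hosts": sorted({r["owner"] for r in records}),
        "types": {t: len(v) for t, v in grouped.items()},
        "mail_servers": [r["rdata"] for r in grouped.get("MX", [])],
        "leaks": [(r["owner"], r["type"], r["rdata"])
                  for r in records if r["type"] in LEAK_TYPES],
    }


if __name__ == "__main__":
    report = zone_report(SAMPLE_ZONE)
    for rtype, count in report["types"].items():
        print(f"{rtype:6} x{count}  {describe(rtype)}")
    for owner, rtype, rdata in report["leaks"]:
        print(f"review: {owner} {rtype} {rdata}")
```

From the defender’s side the interesting output is `leaks`: HINFO and TXT records like these tell an outsider the mail platform and OS release without a single packet touching the hosts. The `ls -d` command itself is a zone transfer request, which an authoritative server should only answer for its own secondary servers.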

Using Traceroute in the Footprinting Process

Traceroute is a tool that traces packets on their way to a target and is available on both Windows and Linux. It works by sending Internet Control Message Protocol (ICMP) messages to the stations (hops), routers or gateways, along the route that the packet travels until it reaches the destination. When a router responds with an ICMP ECHO Reply, the Time To Live (TTL) value decreases by one, indicating how many hops are needed to reach the destination.

One obstacle in the traceroute process is when the packet’s lifetime expires (shown as asterisks). This happens when routers or firewalls block the returning ICMP messages, but it also tells the hacker which protection systems sit on the route to the target.

Tools

Quite a few tools can perform a traceroute and display geographic information about the IP addresses, or the domain name owners of websites, such as the Visual Router and 3D Trace applications introduced above. In addition, on Windows you can use the tracert command to probe the route to the target; Figure 2.8 illustrates tracert run against www.yahoo.com.

[Figure 2.8 – Tracert utility on Windows]
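Reading a tracert listing by hand is fine for one host; for an assessment you want the hop count, the worst round-trip time and, above all, the hops that answered only with asterisks, because those are the filtering points the text above mentions. The script below is an added example for this chapter, not code from the book or from the tracert tool. `SAMPLE_TRACERT` is a constructed Windows tracert listing (documentation addresses, not a real trace of www.yahoo.com) that includes a fully filtered hop and a hop that dropped one of its three probes.

```python
"""Parse Windows tracert output and summarize hop count, RTT and filtered hops.
Added example for this chapter; SAMPLE_TRACERT is constructed, not a real trace."""
import re

SAMPLE_TRACERT = """\
Tracing route to www.example.com [192.0.2.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.0.0.1
  2    12 ms    11 ms    12 ms  198.51.100.1
  3     *        *        *     Request timed out.
  4     *       24 ms    26 ms  203.0.113.9
  5    40 ms    41 ms    39 ms  192.0.2.10

Trace complete.
"""

# hop number, then exactly three RTT fields ("12 ms", "<1 ms" or "*"), then the host
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*)$")
RTT_RE = re.compile(r"<?\d+ ms|\*")


def parse_rtt(token):
    """'12 ms' -> 12.0; '<1 ms' -> 1.0 (tracert prints sub-millisecond as <1); '*' -> None."""
    if token == "*":
        return None
    return float(token.split()[0].lstrip("<"))


def parse_tracert(text):
    """Return one dict per hop line: hop, rtts (None for a lost probe), host, filtered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [parse_rtt(t) for t in RTT_RE.findall(m.group(2))]
        hops.append({
            "hop": int(m.group(1)),
            "rtts": rtts,
            "host": m.group(3).strip(),
            # all three probes unanswered: something on the path dropped the ICMP
            "filtered": all(r is None for r in rtts),
        })
    return hops


def trace_summary(hops):
    """Hop count, which hops were silent, the last responding host and the worst RTT."""
    answered = [h for h in hops if not h["filtered"]]
    all_rtts = [r for h in answered for r in h["rtts"] if r is not None]
    return {
        "hop_count": len(hops),
        "filtered_hops": [h["hop"] for h in hops if h["filtered"]],
        "partial_hops": [h["hop"] for h in answered if None in h["rtts"]],
        "reached": answered[-1]["host"] if answered else None,
        "max_rtt_ms": max(all_rtts) if all_rtts else None,
    }


if __name__ == "__main__":
    summary = trace_summary(parse_tracert(SAMPLE_TRACERT))
    print(summary)
```

A hop that answers two of three probes (hop 4 in the sample) is usually rate limiting rather than a firewall, so it is reported separately as `partial_hops`; only a hop with three asterisks is counted as filtered.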

What is Email Tracking?

As the name suggests, email tracking refers to programs that let senders check whether an email they sent has been read, or even deleted, forwarded or changed. Most email tracking applications either append an additional domain to the recipient’s email address, such as readnotify.com, or attach a small image file to the message without the recipient’s knowledge; when the recipient performs one of the actions above, the image is fetched from the sender’s server, which notifies the sender of what happened.
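Both tracking techniques described above leave a trace that the receiving side can look for: an `<img>` pointing at a remote URL (typically 1×1 pixel, hidden, and carrying a per-recipient token) or a recipient address with the tracking service’s domain appended. The following script is an added example for this chapter, not code from the book or from any tracking product; `SAMPLE_EMAIL_HTML` is a constructed message body and the hosts in it are placeholders.

```python
"""Detect tracking pixels in an HTML email body and tracker-routed recipient
addresses.  Added example for this chapter; the sample message is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Hello, please find the quarterly report attached.</p>
<img src="https://www.example.com/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.net/open?id=7f3a9c&u=alice" width="1" height="1" style="display:none">
<img src="cid:inline-chart" width="300" height="200">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _px(value):
    """'1', '1px' -> 1; missing or unparsable -> None."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return int(digits) if digits else None


def classify_image(attrs):
    """Return the reasons an image looks like a tracking beacon ([] if it does not)."""
    reasons = []
    parsed = urlparse(attrs.get("src", ""))
    if parsed.scheme not in ("http", "https"):
        return reasons  # cid:/data: images are embedded and cannot phone home
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("tiny")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden")
    if parse_qs(parsed.query):  # per-recipient token in the query string
        reasons.append("tokenized-url")
    return reasons


def find_tracking_images(html):
    """List every remote image that shows at least one beacon characteristic."""
    collector = _ImgCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for attrs in collector.images:
        reasons = classify_image(attrs)
        if reasons:
            flagged.append({"src": attrs["src"],
                            "host": urlparse(attrs["src"]).hostname,
                            "reasons": reasons})
    return flagged


def routed_through_tracker(address, tracker_domains=("readnotify.com",)):
    """True when a tracking service's domain has been appended to the recipient address."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(domain == t or domain.endswith("." + t) for t in tracker_domains)


if __name__ == "__main__":
    for img in find_tracking_images(SAMPLE_EMAIL_HTML):
        print(img["host"], img["reasons"])
    print(routed_through_tracker("bob@example.com.readnotify.com"))
```

The mitigation follows from the detection: a mail client that does not load remote images until the user asks for them never fetches the beacon, so the sender learns nothing, and mail gateways can rewrite or strip recipient addresses that carry a known tracker suffix.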

Tools

Applications commonly used to track recipient actions in email transactions include Email Tracking Pro, MailTracking.Com… Figure 2.9 lists some popular tools introduced in CEH from previous versions to the latest current version CEH v12:

[Figure 2.9 – Some Email Tracking tools]

Web Spider

Spammers are very interested in users’ email addresses, so they often use tools that collect the email addresses associated with a domain name from the internet. Such applications are called web spiders; examples are MetaGoofil and the email-harvesting utilities pre-installed on well-known security toolkits, from BackTrack 5 some years ago to its current replacement, Kali Linux 2022.

To limit this, website administrators place a robots.txt file in the root directory of the website listing the protected directories that automated programs such as Googlebot, Yahoo’s bot and web spiders are not allowed to retrieve.
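Python’s standard library can evaluate a robots.txt the same way a well-behaved crawler does, which makes it easy to check what a file actually permits and, just as important for footprinting, what it reveals. The script below is an added example for this chapter, not code from the book; `SAMPLE_ROBOTS` is a constructed file for a placeholder site, and the user-agent strings are made up.

```python
"""Evaluate a robots.txt like a polite crawler would and list what it reveals.
Added example for this chapter; SAMPLE_ROBOTS and the site name are constructed."""
from urllib.robotparser import RobotFileParser

SITE = "https://www.example.com"

SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /wp-content/plugins/

User-agent: Googlebot
Allow: /
"""


def build_parser(robots_text, site=SITE):
    """Load robots.txt text into the standard-library parser (no network access)."""
    rp = RobotFileParser()
    rp.set_url(site + "/robots.txt")
    rp.parse(robots_text.splitlines())
    return rp


def can_fetch(robots_text, user_agent, path, site=SITE):
    """Would a crawler identifying as user_agent be allowed to fetch path?"""
    return build_parser(robots_text, site).can_fetch(user_agent, site + path)


def disallowed_paths(robots_text):
    """Every Disallow path in the file: the 'map' an outsider reads robots.txt for."""
    paths = set()
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.add(value.strip())
    return sorted(paths)


if __name__ == "__main__":
    for agent in ("EmailSpider/1.0", "Googlebot"):
        print(agent, "/admin/", can_fetch(SAMPLE_ROBOTS, agent, "/admin/"))
    print("paths the file reveals:", disallowed_paths(SAMPLE_ROBOTS))
```

Two things the example makes visible: the rules are honoured only by crawlers that choose to honour them (a spammer’s harvester simply ignores the file), and every Disallow line hands anyone who reads the file a list of the directories the administrator cares about. Directories that must not be retrieved need authentication, not a mention in robots.txt.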

RECONNAISSANCE

Reconnaissance is a term originating from the military environment, as seen on the IRS logo, and you will see quite a few terms from that environment applied to information security, such as DMZ and spy. Reconnaissance is the activity of probing the opponent or enemy, from advanced espionage methods using stealth aircraft and satellites to common methods such as spies embedded in enemy ranks or scouts sent out to gather information. In network attacks and attack testing, reconnaissance is used to gather information about the target: its operating mechanisms, when and where it operates, and the habits and behaviour of its people, so that hackers can devise effective attack solutions.

A real-life situation makes reconnaissance easy to picture. When thieves want to break into a house or company to steal property, they take time to observe the habits of the owner, such as travel schedules and daily routines in life and business. They can then bring a whole truck to carry away belongings without the owner’s knowledge, because the owner is away on vacation or a business trip while the neighbours assume a normal delivery is taking place.

A similar attack around 2005/2006 occurred at an airport in the Netherlands and delayed the check-in process for nearly 5 hours. The hackers had carefully monitored the airport’s server maintenance activities and identified the partner company performing the work and the maintenance schedule. They then disguised themselves as maintenance staff, with logos, uniforms and convincing behaviour, deceived the security personnel and easily entered the server room, where they removed the hard drives of important servers and carried them out. This is an example of very effective use of reconnaissance in an attack, but it also shows that the airport lacked strict control over equipment. One of the principles of information security is that when subjects from untrusted areas enter and leave strictly protected areas such as the DMZ (where servers are placed), security personnel must check their bags for any sign of fraudulent activity.

Today, learning and practicing for the information gathering phase is quite convenient with online experimental models like TryHackMe or local labs running on virtual machines compatible with EC Council’s CEH v12 content built by CEHMASTER ORG. To update new information, please visit the website www.cehmaster.org

Conclusion

Through this chapter, we have learned about important pre-attack steps: Footprinting and Reconnaissance along with powerful tools commonly used for the information gathering process. In the role of a network security expert, you need to perform the following operations to prevent footprinting attacks:

  • Configure routers or firewalls not to respond to probing programs like ping by blocking ICMP ECHO Request/Reply messages.
  • Turn off unused protocols on the web server.
  • Control service ports with strict rules on the firewall.
  • Deploy an IDS (intrusion detection system) to alert administrators when suspicious actions occur.
  • Carefully control information before publishing it on the internet.
  • Perform footprinting on your own system to detect sensitive information.
  • Prevent search engines from caching web pages.
  • Turn off directory browsing, and separate internal domains from the domains used for public purposes.

Practical Exercises

The general practical exercises follow some of the content of the CEH EC Council program. The exercises may change and be supplemented according to each version. In the latest version CEH v12, you will see additional exercises including red flags on CyberQ.

  • Introduction
  • Ping Lab
  • NsLookup
  • Path Analyzer Pro
  • Email Tracking Pro
  • WinHTrack
  • Firebug
  • SmartWhois
  • Web Data Extractor

Let’s go through each of these practical exercises in detail:

Introduction

In this section, we’ll introduce you to the hands-on labs that are part of the CEH (Certified Ethical Hacker) course. These labs are designed to give you practical experience with the tools and techniques used in ethical hacking and information security.

Ping Lab

The Ping Lab is designed to familiarize you with the basic network diagnostic tool ‘ping’. You’ll learn how to use ping to test network connectivity, measure round-trip time, and identify potential network issues.

Exercise:

  1. Open a command prompt on your Windows machine or terminal on Linux/Mac.
  2. Use the ping command to test connectivity to www.cehmaster.org
  3. Analyze the results, noting the round-trip time and any packet loss.
  4. Try pinging different websites and compare the results.
  5. Use ping with different options (like -t for continuous ping or -n to specify the number of packets) and observe the differences.

NsLookup

The NsLookup lab will teach you how to use the nslookup command-line tool to query Domain Name System (DNS) servers to obtain domain name or IP address mapping information.

Exercise:

  1. Open a command prompt or terminal.
  2. Use nslookup to find the IP address of www.cehmaster.org
  3. Try reverse DNS lookup by using nslookup with an IP address.
  4. Use nslookup to find mail servers (MX records) for cehmaster.org
  5. Experiment with different record types (A, CNAME, NS, etc.)

Path Analyzer Pro

In this lab, you’ll use Path Analyzer Pro, a powerful network diagnostic and security tool that combines ping, traceroute, and whois lookups into a single interface.

Exercise:

  1. Install Path Analyzer Pro on your system.
  2. Use it to trace the route to www.cehmaster.org
  3. Analyze the hop-by-hop information provided.
  4. Use the tool’s Whois lookup feature to gather information about cehmaster.org
  5. Compare the results with those obtained from command-line tools.

Email Tracking Pro

This lab introduces you to email tracking techniques using Email Tracking Pro software.

Exercise:

  1. Set up Email Tracking Pro on your system.
  2. Create a test email with tracking enabled.
  3. Send the email to a test account.
  4. Monitor the email’s activity (opens, forwards, etc.) using the software.
  5. Analyze the data collected and discuss potential privacy implications.

WinHTrack

WinHTrack is a website copier that allows you to download a website from the Internet to a local directory. This lab will help you understand how such tools can be used for information gathering.

Exercise:

  1. Install WinHTrack on your Windows machine.
  2. Use it to download the public pages of www.cehmaster.org
  3. Analyze the directory structure and files downloaded.
  4. Discuss the potential security implications of this capability.

Firebug

Firebug is a web development tool that allows you to inspect HTML, modify style and layout in real-time, and debug JavaScript. In this context, it’s used for information gathering.

Exercise:

  1. Install the Firebug add-on for your browser.
  2. Visit www.cehmaster.org and open Firebug.
  3. Inspect the HTML structure of the page.
  4. Look for any hidden comments or metadata in the source code.
  5. Analyze the network requests made by the page.

SmartWhois

SmartWhois is a tool for retrieving information about IP addresses, host names, and domains.

Exercise:

  1. Install SmartWhois on your system.
  2. Use it to look up information about cehmaster.org
  3. Compare the results with those obtained from online Whois services.
  4. Look up information for several IP addresses and analyze the results.

Web Data Extractor

Web Data Extractor is a tool used to extract various types of data from websites, including email addresses, phone numbers, and URLs.

Exercise:

  1. Install Web Data Extractor on your system.
  2. Use it to extract data from www.cehmaster.org
  3. Analyze the types of data that can be extracted.
  4. Discuss the potential uses of this data for both legitimate and malicious purposes.
  5. Consider ways to protect sensitive data from such extraction methods.

These hands-on exercises will give you practical experience with many of the tools and techniques used in the information gathering phase of ethical hacking. Remember to always practice ethical hacking techniques responsibly and only on systems you have permission to test.

As you work through these labs, consider the following questions:

  • How could the information gathered be used by a malicious actor?
  • What steps can organizations take to protect against these information gathering techniques?
  • How do these tools and techniques contribute to the overall process of ethical hacking?

By completing these exercises, you’ll gain valuable hands-on experience that will complement your theoretical knowledge of ethical hacking concepts. This practical knowledge is crucial for becoming a skilled and responsible ethical hacker.

In addition to the general exercises outlined above, CEHMASTER ORG has developed a series of specialized labs to further enhance your practical skills in ethical hacking. These labs are designed to simulate real-world scenarios and provide hands-on experience with the latest tools and techniques used in the field.

Advanced Footprinting Lab

This lab focuses on advanced footprinting techniques using a combination of open-source intelligence (OSINT) tools and custom scripts.

Exercise:

  1. Use TheHarvester to gather email addresses and subdomains related to cehmaster.org
  2. Employ Maltego to create a visual map of the target organization’s online presence
  3. Utilize Recon-ng to automate the information gathering process
  4. Analyze social media profiles using OSINT techniques to build a comprehensive profile of the target organization

Network Mapping Lab

In this lab, you’ll learn how to map out a target network using various scanning and enumeration tools.

Exercise:

  1. Use Nmap to perform a comprehensive scan of the provided virtual network
  2. Employ Zenmap (GUI version of Nmap) to visualize the network topology
  3. Use Angry IP Scanner to quickly identify live hosts on the network
  4. Create a detailed network map including identified services and potential vulnerabilities

Wireless Security Assessment Lab

This lab focuses on assessing the security of wireless networks, a critical skill for modern ethical hackers.

Exercise:

  1. Set up a wireless network using the provided virtual router
  2. Use Aircrack-ng suite to capture and analyze wireless traffic
  3. Attempt to crack WEP and WPA/WPA2 encrypted networks
  4. Discuss methods to secure wireless networks against common attacks

Web Application Penetration Testing Lab

In this advanced lab, you’ll learn how to identify and exploit common web application vulnerabilities.

Exercise:

  1. Use OWASP ZAP to perform an automated scan of a vulnerable web application
  2. Manually test for SQL injection vulnerabilities
  3. Exploit a cross-site scripting (XSS) vulnerability
  4. Attempt to bypass authentication mechanisms
  5. Document your findings in a professional penetration testing report

Social Engineering Simulation

This unique lab simulates various social engineering scenarios to help you understand and defend against these non-technical attack vectors.

Exercise:

  1. Craft a phishing email campaign using the skills learned in the Email Tracking Pro lab
  2. Attempt to gather sensitive information through a simulated phone call (vishing)
  3. Create a fake social media profile for information gathering
  4. Discuss ethical considerations and legal implications of social engineering techniques

Cryptography and Steganography Lab

This lab introduces you to the world of hidden information, both through encryption and steganography.

Exercise:

  1. Use OpenSSL to create and manage digital certificates
  2. Employ various encryption tools to secure sensitive data
  3. Hide information within image and audio files using steganography tools
  4. Attempt to detect and extract hidden information from provided files

Malware Analysis Lab

In this advanced lab, you’ll gain hands-on experience analyzing malicious software in a safe, controlled environment.

Exercise:

  1. Set up a secure malware analysis environment using virtual machines
  2. Perform static analysis on provided malware samples using tools like PEStudio
  3. Conduct dynamic analysis using sandboxing tools like Cuckoo Sandbox
  4. Document your findings and discuss potential mitigation strategies

Cloud Security Lab

As more organizations move to the cloud, understanding cloud security is crucial for ethical hackers.

Exercise:

  1. Set up a basic cloud environment using AWS or Azure free tier
  2. Perform a security assessment of the cloud configuration
  3. Attempt to exploit common cloud misconfigurations
  4. Implement security best practices and verify their effectiveness

IoT Security Lab

This cutting-edge lab focuses on the security implications of the Internet of Things (IoT).

Exercise:

  1. Set up a simulated IoT environment using Raspberry Pi devices
  2. Perform network scans to identify IoT devices
  3. Attempt to exploit common IoT vulnerabilities
  4. Discuss strategies for securing IoT devices and networks

These advanced labs provided by CEHMASTER ORG are designed to give you a comprehensive, hands-on understanding of modern ethical hacking techniques. They cover a wide range of topics, from traditional network security to emerging fields like IoT and cloud security.

As you work through these labs, remember to approach each exercise with an ethical mindset. The goal is not just to learn how to exploit vulnerabilities, but to understand how systems can be better secured against potential threats.

CEHMASTER ORG recommends completing these labs in a controlled, legal environment. Never attempt to use these techniques on systems or networks without explicit permission, as doing so could be illegal and unethical.

By mastering the skills taught in these labs, you’ll be well-prepared to tackle real-world ethical hacking challenges and contribute to improving the overall security posture of organizations.

Remember, ethical hacking is an ever-evolving field. Stay curious, keep learning, and always strive to use your skills responsibly and ethically.

Scenario: The CEHMASTER ORG Security Audit

Sarah, a newly certified ethical hacker from CEHMASTER ORG, has been hired by a mid-sized e-commerce company, GlobalShop, to perform a comprehensive security audit. The company has recently experienced some suspicious activities and wants to ensure their systems are secure. Sarah decides to use the skills she learned from CEHMASTER ORG to conduct a thorough assessment.

Day 1: Footprinting and Reconnaissance

Sarah begins with open-source intelligence gathering. Using tools like TheHarvester and Maltego, she maps out GlobalShop’s online presence, discovering several subdomains and employee email addresses. Through social media analysis, she identifies key personnel and potential social engineering targets.

Day 2: Network Mapping

Using Nmap and Zenmap, Sarah scans GlobalShop’s network, identifying live hosts, open ports, and running services. She discovers an unusually high number of open ports on several servers, which raises a red flag.

Day 3: Wireless Security Assessment

Sarah sets up a wireless sniffer near GlobalShop’s office. Using Aircrack-ng, she captures wireless traffic and identifies that the company is still using WEP encryption on one of their access points – a significant vulnerability.

Day 4: Web Application Testing

Sarah uses OWASP ZAP to scan GlobalShop’s e-commerce platform. She identifies several critical vulnerabilities, including an SQL injection flaw and cross-site scripting (XSS) vulnerabilities.

Day 5: Social Engineering Simulation

With permission from GlobalShop’s management, Sarah conducts a simulated phishing campaign. She crafts convincing emails using information gathered earlier and sends them to employees. The results show that 30% of the staff are susceptible to phishing attacks.

Day 6-7: Advanced Analysis

Sarah performs malware analysis on some suspicious files found on GlobalShop’s network. She also assesses their cloud infrastructure and IoT devices used in their warehouses, finding several misconfigurations and outdated firmware.

Conclusion

Sarah compiles her findings into a comprehensive report for GlobalShop’s management. Her assessment reveals several critical vulnerabilities that could have led to significant data breaches. She provides detailed recommendations for addressing each issue, including employee training programs, system updates, and infrastructure changes.

Thanks to Sarah’s thorough audit using the skills and tools she learned from CEHMASTER ORG, GlobalShop can now take concrete steps to improve their security posture and protect their business and customers from potential cyber threats.

This scenario illustrates how the various skills and tools covered in the CEHMASTER ORG curriculum can be applied in a real-world security audit, demonstrating the practical value of ethical hacking skills.
