Transcript Footprint

Footprinting
Richard Newman
“If you know the enemy and know yourself, you need not fear the result of
a hundred battles.
If you know yourself but not the enemy, for every victory gained you will
also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every
battle.” - Sun Tzu
Why Footprinting?
- Publicly available info
  – Hard to prevent all of it from being available
  – Many legitimate searches mask recon efforts
- Obtain potential target list
- Obtain info for social engineering attacks
  – Spear phishing
  – Tech help calls
- Determine relationships with other entities
Internet Footprinting
1. Determine scope
  – Be thorough and systematic
2. Get proper authorization
  – Written, from right person(s), detail what is allowed
3. Public info
  – Related organizations, personnel, current events, policies, etc.
4. Whois and DNS
  – Admin info, domain/subdomain names, IP addresses
5. DNS Interrogation
  – Mapping host names to IP addresses, internal IP addresses, etc.
6. Network reconnaissance
  – Network topology, access paths
Public Information - 1
Popularity = 9, Simplicity = 9, Impact = 2 => Risk = 7
1. Company web pages
  – Include other likely suspects (www1, web, test, etc.)
  – Review HTML source – may be best done off-line
  – Wget (GNU) – Unix/Linux; Teleport Pro (Tenmax) – Windows
  – DirBuster (OWASP) – hidden files/directories
  – Remote access (Outlook Web Access, WebConnect, ...)
  – VPNs – get vendor, version number, assistance contact info
2. Related organizations
  – Outsourced web development, e.g.
  – Aggregated data
Public Information - 2
3. Location info
  – Physical access
  – Social engineering hints
  – Wireless networks
  – MAC addresses from Google Street View car: shodanhq.com/research/geomac
  – Dumpster diving
4. Employee info
  – One username -> better guesses at other user names
  – Phone number -> physical address
  – Personal info (social media, blackbookonline.info, etc.)
  – Employee directories (paid service)
  – Resumes (monster.com, etc.) and job postings (more details)
  – Disgruntled employees
Public Information - 3
5. Current Events
  – Company provided info
  – Trade rags, bulletin boards, etc.
  – SEC for publicly traded companies (EDGAR db at sec.gov)
  – Times of change (mergers, acquisitions, etc.) open holes
  – Times of plenty (rapid growth – mundane stuff lags)
6. Archived info
  – WayBack Machine (archive.org)
  – Cached Google (etc.) pages
  – May change to remove revealing info
7. Search Engines and Data Relationships
  – Special searches for remote access, misconfiguration, etc.
  – Google Hacking Database (hackersforcharity.org)
  – Athena 2.0 (snakeoillabs.com), SiteDigger 2.0 (foundstone.com)
  – Metadata search (FOCA – informatica64.com/foca)
  – SHODAN (shodanhq.com)
Public Information - 4
Countermeasures
- think carefully about what you must reveal and what not
- educate employees
- monitor related organizations
See RFC 2196 Site Security Handbook
faqs.org/rfcs/rfc2196.html
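The first countermeasure above ("think carefully about what you must reveal") is easiest to act on if the review of your own HTML source (item 1 of the public-information list) is automated before pages go live. The following is an added example, not code from the slides or from any tool they name; it runs the checks the slides imply over a constructed sample page: developer comments that name employees or non-public hosts (www1, test, dev, ...), a CMS generator/version tag, links to remote-access portals such as OWA, and hidden form fields. The hostname-prefix list, the remote-access path list and the sample HTML are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for the audit (not a real site). It contains the
# kinds of leaks the slides list: a developer comment naming a test host and
# an employee, a CMS generator/version tag, remote-access links and a hidden
# debug field.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="ExampleCMS 4.2.1">
<!-- TODO: remove before go-live. staging copy lives on test.example.com, ask jsmith@example.com -->
</head><body>
<a href="/owa/">Webmail</a>
<a href="https://vpn.example.com/">Remote access</a>
<form action="/login"><input type="hidden" name="debug" value="1"></form>
</body></html>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+[a-z]{2,}\b", re.I)
# Hostname prefixes that usually mean "not meant for the public" (assumed list,
# seeded from the www1/web/test names on the slide).
INTERNAL_PREFIXES = {"www1", "web", "test", "dev", "staging", "intranet", "vpn", "mail"}
# URL paths typical of remote-access portals (assumed list; OWA from the slides).
REMOTE_ACCESS_PATHS = ("/owa", "/exchange", "/remote", "/vpn", "/webconnect")
DEV_NOTE_RE = re.compile(r"\b(todo|fixme|hack|password|passwd)\b", re.I)


class LeakCollector(HTMLParser):
    """Collect comments, hidden inputs, links and meta tags from one page."""

    def __init__(self):
        super().__init__()
        self.comments, self.hidden, self.links, self.meta = [], [], [], {}

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content", "")


def is_internal_host(host):
    """True when the leftmost label is one of the non-public prefixes."""
    return bool(host) and host.split(".")[0].lower() in INTERNAL_PREFIXES


def audit_html(html):
    """Return (category, detail) findings for things the page gives away."""
    p = LeakCollector()
    p.feed(html)
    findings = []
    for c in p.comments:
        if DEV_NOTE_RE.search(c):
            findings.append(("dev-note", c))
        for e in EMAIL_RE.findall(c):
            findings.append(("email-in-comment", e))
        for h in HOST_RE.findall(c):
            if is_internal_host(h):
                findings.append(("internal-host-in-comment", h))
    if p.meta.get("generator"):
        findings.append(("generator", p.meta["generator"]))
    for href in p.links:
        u = urlparse(href)
        if u.path.lower().startswith(REMOTE_ACCESS_PATHS):
            findings.append(("remote-access-link", href))
        if is_internal_host(u.hostname):
            findings.append(("internal-host-link", u.hostname))
    for name, value in p.hidden:
        findings.append(("hidden-field", f"{name}={value}"))
    return findings


if __name__ == "__main__":
    for cat, detail in audit_html(SAMPLE_HTML):
        print(f"{cat:26} {detail}")
```

Each finding is a review prompt, not an automatic block: a link to a webmail portal may be intentional, but the generator version, the comment naming test.example.com and an employee mailbox, and the leftover debug field are exactly the details the slides say a footprinter collects first, so they should be removed or justified before publication.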
Whois and DNS Enum - 1
Popularity = 9, Simplicity = 9, Impact = 3 => Risk = 7
1. ICANN/IANA
  – ASO – Address Supporting Organization
  – GNSO – Generic Names Supporting Organization
  – CCNSO – Country code domain name supporting organization
2. ASO distributes IP ranges to Regional Internet Registries
  – APNIC
  – ARIN
  – LACNIC
  – RIPE
  – AfriNIC
Whois and DNS Enum - 2
3. Domain-related searches
  – Registry
  – Registrar
  – Registrant
  – whois.iana.org, www.uwhois.com, internic.net/whois.html, etc.
  – SuperScan, NetScan Tools
4. IP-related searches
  – Search at registrar's site to get right registrar, etc.
Countermeasures
  – Pseudonym for admin (see “LA Confidential”)
  – Phone number outside of company block (maybe 800 number)
  – Pay extra for unlisted domain
  – Require good authentication for updates (registry hijacking prevention)
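The whois countermeasures above can be checked against your own registration record rather than trusted to memory. The following is an added example, not code from the slides; it parses a constructed "Key: Value" whois-style record and flags a contact that is a named person instead of a role pseudonym, a contact phone inside the company's own number block, a personal mailbox instead of a role mailbox, and a domain that lacks the registrar-side EPP locks (clientTransferProhibited, clientUpdateProhibited) that stop transfers and unauthenticated updates. The sample record, the company phone prefix and the role-word and role-mailbox lists are assumptions made for the example.

```python
import re

# Constructed WHOIS-style record (not a real registration), in the
# "Key: Value" layout that registrar whois servers print.
SAMPLE_WHOIS = """
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Domain Status: clientTransferProhibited
Registrant Organization: Example Corp
Admin Name: Jane Q. Public
Admin Organization: Example Corp
Admin Phone: +1.5550100123
Admin Email: jpublic@example.com
Tech Name: Hostmaster
Tech Phone: +1.8005550199
Tech Email: hostmaster@example.com
Name Server: NS1.EXAMPLE.COM
"""

# Digits that open the organisation's own phone block (assumed value for the
# sample); a contact number inside it tells a caller where the PBX lives.
COMPANY_PHONE_PREFIX = "15550100"
# Words that mark a role rather than a person, and role mailboxes (assumed lists).
ROLE_WORDS = {"hostmaster", "postmaster", "administrator", "admin", "noc", "domain", "dns"}
ROLE_MAILBOXES = {"hostmaster", "postmaster", "noc", "dns", "domains", "domain-admin", "abuse"}
# EPP status codes a registrar sets when the domain is locked against
# transfer and against updates that have not been authenticated.
REQUIRED_LOCKS = ("clientTransferProhibited", "clientUpdateProhibited")


def parse_whois(text):
    """Parse 'Key: Value' lines into {key: [values]}; keys may repeat."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def looks_like_role(name):
    """True when any word of the contact name is a role word."""
    return any(w in ROLE_WORDS for w in re.findall(r"[a-z-]+", name.lower()))


def audit_whois(record, company_phone_prefix):
    """Check a record against the slide's countermeasures; return findings."""
    findings = []
    for role in ("Registrant", "Admin", "Tech"):
        for name in record.get(f"{role} Name", []):
            if not looks_like_role(name):
                findings.append(("personal-name", f"{role}: {name}"))
        for phone in record.get(f"{role} Phone", []):
            digits = re.sub(r"\D", "", phone)
            if digits.startswith(company_phone_prefix):
                findings.append(("phone-in-company-block", f"{role}: {phone}"))
        for email in record.get(f"{role} Email", []):
            local = email.split("@", 1)[0].lower()
            if local not in ROLE_MAILBOXES:
                findings.append(("personal-mailbox", f"{role}: {email}"))
    statuses = {s.lower() for s in record.get("Domain Status", [])}
    for lock in REQUIRED_LOCKS:
        if lock.lower() not in statuses:
            findings.append(("missing-lock", lock))
    return findings


if __name__ == "__main__":
    for cat, detail in audit_whois(parse_whois(SAMPLE_WHOIS), COMPANY_PHONE_PREFIX):
        print(f"{cat:24} {detail}")
```

In the sample the Tech contact already follows the slide's advice (role name, toll-free number, role mailbox) and produces no findings, while the Admin contact produces three; the fourth finding is the missing update lock. Run the same audit periodically, since a registrar change or a contact update can silently reintroduce any of these.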