Information Gathering – First Step of Hacking

INTRODUCTION

Footprinting is the ethical hacking process of gathering information about the target and its environment.

This is a pre-attack stage, and maximum effort goes into making sure the operations are carried out stealthily so that the target cannot trace them back to you. Footprinting is the first and most important step, because after it a penetration tester knows how an attacker sees the network.

Good information gathering can make the difference between a successful pentest and one that has failed to provide maximum benefit to the client.

It includes:

  • Registration details of the website and contact details.
  • Email harvesting.
  • Finding the target IP address and determining the network range.
  • Identifying active machines, DNS records and subdomains.
  • Operating system fingerprinting.
  • Finding login pages and sensitive directories.
  • Finding any known vulnerabilities for the particular versions in use.

WHOIS Database Lookup

WHOIS allows us to access information about the target, including registration details, IP address and contact information (postal address, email ID and phone number). It also displays the domain owner and the domain registrar.

Figure: WHOIS (image: https://secur1tyadvisory.files.wordpress.com/2015/07/1-whois1.jpg?w=473&h=285)

WHOIS Lookup Websites:

Email Harvesting

theHarvester, available in Kali Linux, is a tool for gathering e-mail addresses, usernames and hostnames/subdomains.

As an example, if you want to find e-mail addresses and hostnames for a target domain using Google, the appropriate command is:

#./theHarvester.py -d targetdomain -l 100 -b google

Figure: Email Harvesting (image: https://secur1tyadvisory.files.wordpress.com/2015/07/emailll.jpg?w=430&h=285)

Email harvesting can be used by hackers to carry out a phishing campaign against an entire organization. This is one aspect of how emails can be misused. Computer users, who are often unaware of phishing attacks, can fall victim and end up losing confidential information to the hackers.

Search Engines Hacking

Making a search query against your target in search engines (Google, Yahoo, Bing etc.) can also reveal a great amount of information if used properly. Google Advanced Search, or Google Hacking, can help to locate more detailed information such as company policies, employee details and hidden online pages. The Google Hacking Database is a database of queries that identify sensitive information.

Figure (image: https://secur1tyadvisory.files.wordpress.com/2015/07/goo.png?w=406&h=285)

Traceroute

Traceroute uses UDP or ICMP ECHO packets, sending the first with a Time To Live (TTL) of one and incrementing the TTL until the packet reaches the target; each router that drops a packet with an expired TTL reveals itself as one hop. tcptraceroute instead sends TCP SYN packets to the target.

tcptraceroute receives a SYN/ACK packet if the port is open, and a RST packet if the port is closed.

Figure: Traceroute (image: https://secur1tyadvisory.files.wordpress.com/2015/07/traceroute.jpg?w=404&h=285)

After hop number 17 we are no longer able to get any route information. Usually this is because our traceroute is being blocked by a filtering device.
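The trace above ends in hops that never answer, and the text reads that as a filtering device. Telling that situation apart from a single silent router in the middle of the path is a judgement call that is easy to automate. The following parser is an added example and is not code from the original post; the traceroute output it parses is constructed for the demonstration (the hop numbers and addresses are made up), and the `filter_boundary` rule it applies is the heuristic described in the text: only a run of silent hops at the end of the trace counts as a boundary.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed traceroute output (not a real capture). Hop 3 is a router that
# does not send ICMP Time Exceeded; hops 5 to 7 are where the trace goes silent
# for good. The trace was cut at 7 hops to keep the sample short.
SAMPLE_TRACE = """\
traceroute to target.example.test (203.0.113.9), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.412 ms  0.389 ms  0.371 ms
 2  10.0.0.1 (10.0.0.1)  8.113 ms  8.002 ms  7.950 ms
 3  * * *
 4  198.51.100.4 (198.51.100.4)  21.550 ms  21.201 ms  21.310 ms
 5  * * *
 6  * * *
 7  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")        # "<hop number>  <rest of line>"
ADDR_RE = re.compile(r"\(([0-9a-fA-F.:]+)\)")    # address in parentheses
RTT_RE = re.compile(r"([0-9.]+) ms")             # per-probe round-trip times


@dataclass
class Hop:
    number: int
    address: Optional[str]          # None when every probe for this TTL timed out
    rtts_ms: List[float] = field(default_factory=list)


def parse_hops(output: str) -> List[Hop]:
    """Turn traceroute text into one Hop record per TTL value."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                # header line or unrelated noise
        number, rest = int(m.group(1)), m.group(2)
        addr = ADDR_RE.search(rest)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        hops.append(Hop(number, addr.group(1) if addr else None, rtts))
    return hops


def filter_boundary(hops: List[Hop]) -> Optional[int]:
    """Number of the last hop that answered before the trace went silent for good.

    Returns None when the final hop answered (nothing is filtered at the end).
    A silent hop in the middle of the trace is deliberately ignored: a router
    that does not send ICMP Time Exceeded looks exactly like a filter for one
    TTL value, and the hops after it prove packets got through."""
    if not hops or hops[-1].address is not None:
        return None
    last = 0
    for hop in hops:
        if hop.address is not None:
            last = hop.number
    return last


if __name__ == "__main__":
    parsed = parse_hops(SAMPLE_TRACE)
    boundary = filter_boundary(parsed)
    for hop in parsed:
        print(hop.number, hop.address or "*", hop.rtts_ms)
    print("trace goes silent after hop", boundary)
```

Feed it the saved output of a real traceroute against a host you administer and the boundary it reports is the last device that still answers before your filtering device; if it reports None, the trace reached the end of the path.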

DNS Reconnaissance

We can interact with a DNS server using various DNS clients such as host, nslookup, dig, etc.

nslookup is a program available on Windows and Unix for querying Domain Name System (DNS) servers to find DNS details, including the IP addresses of a particular computer, the MX records for a domain and the NS servers of a domain. The name nslookup means "name server lookup".

Figure: Nslookup (image: https://secur1tyadvisory.files.wordpress.com/2015/07/nslookup.png?w=700)

The above image shows that we connected to the local DNS server and asked it to resolve a record for us. The server responded with the IP address of the victim.

Before going ahead, try to understand some DNS record types. For more details please visit https://en.wikipedia.org/wiki/List_of_DNS_record_types

– A – Points to the host's IP address.
– MX – Points to the domain's mail server.
– NS – Points to the host's name server.
– CNAME – Canonical name, allowing aliases for a host.
– SOA – Indicates the authority for the domain.
– SRV – Service record.
– PTR – Maps an IP address to a hostname.
– RP – Responsible person.
– HINFO – Host information.

In order to retrieve mail server information we can use the following command:

Figure: Nslookup query for mail server (image: https://secur1tyadvisory.files.wordpress.com/2015/07/12.jpg?w=700)

Information gathering through DNS can be divided into four main techniques:

  1. Forward lookup brute force
  2. Reverse lookup brute force
  3. Verifying the SPF record
  4. Zone transfers

1. Forward lookup brute force

The main idea behind this technique is to guess valid server names of the organization. We can try this using the host command. The output gives us the IP address of the server.

Figure: Forward lookup (image: https://secur1tyadvisory.files.wordpress.com/2015/07/fww.jpg?w=700)

2. Reverse lookup brute force

This technique is the reverse of forward lookup brute force: in this case the victim's IP address range is known and we need to find the server names and other information pertaining to the organization.

Figure: Reverse lookup (image: https://secur1tyadvisory.files.wordpress.com/2015/07/rv1.jpg?w=700)
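Both lookup techniques above are loops around one resolver call: forward brute force prepends each word of a list to the domain and keeps the names that resolve, reverse brute force walks an address range and keeps the addresses that have a PTR record. The code below is an added example, not the post's own material, written the way a defender would use it to inventory the names exposed by a zone they administer. It takes the resolver as a parameter: `real_forward`/`real_reverse` wrap the standard library's `socket` calls, while `fake_forward`/`fake_reverse` read from a constructed table (the names and 192.0.2.0/24 addresses are made up) so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Constructed stand-in for real DNS answers, so the example runs offline.
FAKE_FORWARD = {
    "www.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.25",
    "vpn.example.test": "192.0.2.30",
}
FAKE_REVERSE = {ip: name for name, ip in FAKE_FORWARD.items()}
FAKE_REVERSE["192.0.2.1"] = "gw.example.test"   # has a PTR but no guessable forward name

Resolver = Callable[[str], Optional[str]]


def fake_forward(name: str) -> Optional[str]:
    return FAKE_FORWARD.get(name)


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_REVERSE.get(ip)


def real_forward(name: str) -> Optional[str]:
    """A-record lookup via the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def real_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_bruteforce(domain: str, words: Iterable[str],
                       resolve: Resolver = real_forward) -> Dict[str, str]:
    """Try <word>.<domain> for every word; return {fqdn: ip} for the ones that resolve."""
    found: Dict[str, str] = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn)
        if ip:
            found[fqdn] = ip
    return found


def reverse_bruteforce(network: str, resolve: Resolver = real_reverse) -> Dict[str, str]:
    """Query PTR for every host address in a CIDR range; return {ip: name} for the hits."""
    found: Dict[str, str] = {}
    for ip in ipaddress.ip_network(network, strict=False).hosts():
        name = resolve(str(ip))
        if name:
            found[str(ip)] = name
    return found


if __name__ == "__main__":
    # Offline demonstration against the constructed tables. To run the same
    # inventory for a zone you administer, pass real_forward / real_reverse instead.
    print(forward_bruteforce("example.test", ["www", "mail", "ftp", "vpn"], resolve=fake_forward))
    print(reverse_bruteforce("192.0.2.0/27", resolve=fake_reverse))
```

The reverse pass is the more revealing of the two for a defender: gw.example.test appears only there, which is exactly the kind of name that never makes a wordlist but is still published by the PTR zone.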

3. Verifying the SPF record

An SPF record is a TXT record that is part of a domain’s DNS zone file. The TXT record specifies a list of authorized host names/IP addresses that mail can originate from for a given domain name.

Figure: Verifying the SPF record (image: https://secur1tyadvisory.files.wordpress.com/2015/07/spf.png?w=700)

The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
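Reading an SPF record by eye is fine for one domain, but the useful questions are mechanical: is a given sending address authorized, and does the record actually end in a restrictive `all`? The following parser and checker is an added example, not code from the post. It evaluates the `ip4`, `ip6` and `all` terms left to right with first-match-wins semantics (as specified in RFC 7208), reports terms that would need further DNS queries (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) as unresolved rather than guessing, and flags the weak configurations (`+all`, `?all`, missing `all`, more than ten DNS-querying terms). The sample record and addresses are constructed for the demonstration.

```python
import ipaddress
from typing import List, Tuple

# Constructed SPF record; a real one is read from the domain's TXT records
# (for example with `host -t txt example.test`).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailhost.test -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")   # each costs a lookup


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "pass"                       # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier = QUALIFIERS[term[0]]
            term = term[1:]
        if ":" in term:
            mech, arg = term.split(":", 1)       # mechanisms: ip4:, include:, ...
        elif "=" in term:
            mech, arg = term.split("=", 1)       # modifiers: redirect=, exp=
        else:
            mech, arg = term, ""                 # bare a, mx, all
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_sender(record: str, sender_ip: str) -> str:
    """SPF result for sender_ip using the ip4/ip6/all terms only (first match wins).
    Hitting a term that needs DNS before any match returns 'unresolved:<term>'."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # version mismatch (v6 address vs ip4 network) is simply not a match
            if ip in ipaddress.ip_network(arg, strict=False):
                return qualifier
        elif mech == "all":
            return qualifier
        elif mech in DNS_TERMS:
            return f"unresolved:{mech}:{arg}"
    return "neutral"                             # no term matched and no 'all'


def lint_spf(record: str) -> List[str]:
    """Findings a defender would want to fix in their own record."""
    findings = []
    terms = parse_spf(record)
    alls = [q for q, m, _ in terms if m == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif alls[-1] in ("pass", "neutral"):
        findings.append(f"'all' qualifier is {alls[-1]}: any host may send as this domain")
    lookups = sum(1 for _, m, _ in terms if m in DNS_TERMS)
    if lookups > 10:
        findings.append("more than 10 DNS-querying terms: receivers return permerror")
    return findings


if __name__ == "__main__":
    for ip in ("192.0.2.5", "2001:db8:1::1", "198.51.100.7"):
        print(ip, "->", check_sender(SAMPLE_SPF, ip))
    print("weak record findings:", lint_spf("v=spf1 +all"))
    print("sample record findings:", lint_spf(SAMPLE_SPF))
```

A record that lints clean and returns `fail` for an address outside the listed ranges is the configuration the text describes: forged From addresses at the domain are rejected rather than merely marked.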

4. Zone transfers

DNS zone transfer is generally used for DNS database replication and backups. The security problem with zone transfers is that they can be used to work out the topology of a company's network: a zone transfer request asks the server to list all the DNS information for the zone, such as name servers, host names, MX and CNAME records, the zone serial number, time-to-live values and so on. Because of the amount of information that can be obtained this way, openly allowed zone transfers are rarely found nowadays.

Figure: Query for name server (image: https://secur1tyadvisory.files.wordpress.com/2015/07/name.jpg?w=700)

The above image shows how to get the DNS server names for the domain.

Figure: Zone Transfer Failed (image: https://secur1tyadvisory.files.wordpress.com/2015/07/name-2.jpg?w=669&h=285)

Since the response to our query was a failure, we can say that zone transfer is configured properly.
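The screenshot reads "transfer failed" from a client's output; the same verdict can be taken from the wire format, which makes it easy to audit every authoritative server of a zone on a schedule. The script below is an added example and not part of the original post. It builds an AXFR query (QTYPE 252) with only the standard library, sends it over TCP (DNS over TCP prefixes each message with a two-byte length), reads only the first reply message and classifies it from the header: NOERROR with answer records means the server hands out the zone, REFUSED or NOTAUTH (or the server closing the connection) means the transfer is denied, which is the state the text calls configured properly. The transaction id and the `example.test` zone in the test data are constructed; `check_zone_transfer` does the live check against a nameserver you administer.

```python
import socket
import struct
from typing import Optional

AXFR_QTYPE = 252            # RFC 1035 QTYPE for a full zone transfer
QUERY_TXID = 0x1234         # fixed transaction id; the server echoes it back
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """DNS wire format for a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = QUERY_TXID) -> bytes:
    """12-byte header (flags 0: standard query) + one question of type AXFR, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR_QTYPE, 1)


def classify_axfr_response(msg: bytes, expected_txid: int = QUERY_TXID) -> str:
    """Verdict from the header of the first reply message only.
    ALLOWED: NOERROR with answer records, i.e. the zone is being handed out.
    EMPTY:   NOERROR without answers (unusual; worth a closer look).
    REFUSED / NOTAUTH / other rcode: the server declined, the desired state."""
    if len(msg) < 12:
        return "MALFORMED"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:   # QR bit must be set on a reply
        return "MALFORMED"
    rcode = flags & 0x000F
    if rcode == 0:
        return "ALLOWED" if ancount > 0 else "EMPTY"
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def _recv_exact(sock: socket.socket, n: int) -> Optional[bytes]:
    """Read exactly n bytes, or None if the peer closes the connection first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def check_zone_transfer(ns_host: str, zone: str, timeout: float = 5.0) -> str:
    """Ask ns_host for an AXFR of zone over TCP and classify its first reply.
    Only the first message is read; zone contents are never stored or printed."""
    query = build_axfr_query(zone)
    with socket.create_connection((ns_host, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
        prefix = _recv_exact(sock, 2)
        if prefix is None:
            return "CLOSED"
        (length,) = struct.unpack("!H", prefix)
        msg = _recv_exact(sock, length)
        return "CLOSED" if msg is None else classify_axfr_response(msg)


if __name__ == "__main__":
    import sys
    # usage: python axfr_check.py <nameserver> <zone>
    print(check_zone_transfer(sys.argv[1], sys.argv[2]))
```

Run it against each NS record of the zone, not just the primary: secondaries are often configured separately, and one permissive `allow-transfer` on a secondary publishes the whole zone even when the primary refuses.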

CONCLUSION

Hopefully this article has demonstrated some of the ways in which passive reconnaissance can be useful as part of your security testing activities. It is obviously not a replacement for active testing and only scratches the surface when it comes to discovering vulnerabilities, but it can certainly provide valuable information to help scope your testing efforts.

REFERENCES

[1] https://en.wikipedia.org/wiki/List_of_DNS_record_types
[2] http://www.pearsonitcertification.com/articles/article.aspx?p=472323&seqNum=5
[3] http://www.hackersforcharity.org/ghdb


4 thoughts on "Information Gathering – First Step of Hacking"

  1. I know this is off topic but I’m looking into starting my own weblog and was wondering what all is needed to
    get set up? I’m assuming having a blog like yours would cost
    a pretty penny? I’m not very web smart so I’m not 100% positive.
    Any tips or advice would be greatly appreciated. Appreciate it

  2. Great items from you, man. I have consider your stuff prior to and you are simply too great.
    I really like what you have bought here, really like what you’re stating and the
    way in which by which you assert it. You make it enjoyable
    and you continue to take care of to keep it smart.
    I cant wait to read far more from you. This is really a great website.
