Information Gathering – First Step of Hacking

INTRODUCTION

 Footprinting is an ethical hacking process of gathering information about the target and its environment.

This is a pre-attack stage and maximum efforts are deployed to ensure that the operations conducted are executed under stealth and target can’t trace back you. Footprinting is a first and the important step because after this a penetration tester knows how the hacker sees this network.

Good information gathering can make the difference between a successful pentest and one that has failed to provide maximum benefit to the client.

It includes

  • Registration details of the website, contact details.
  • Email harvesting,
  • Finding out the target IP address and determine network range
  • Identify active machine, DNS record , subdomains.
  • Operating system fingerprinting.
  • Finding login pages, sensitive directory
  • Find out any known vulnerability for that particular version.

WHOIS Database Lookup

WHOIS allows us to access information about the target including Registration Detail, IP address, contact information containing the address, Email ID, phone number. It also also displays domain owner and domain registrar.

https://secur1tyadvisory.files.wordpress.com/2015/07/1-whois1.jpg?w=473&h=285Figure: WHOIS

WHOIS Lookup Websites:

Email Harvesting

The theharvester tool available in Kali-Linux is an e-mail accounts, username, and hostname/ subdomains gathering tool.

As an example, if you want to find e-mail addresses and hostnames for a target domain using Google, following is the appropriate command:

 #./theHarvester.py -d targetdomain -l 100 -b google

https://secur1tyadvisory.files.wordpress.com/2015/07/emailll.jpg?w=430&h=285Figure: Email Harvesting

Email harvesting can be used by hackers to carry out a phishing campaign against an entire organization. This is one aspect of how emails can be misused. Computer users, who are often unaware of phishing attacks can fall victim and end up loosing confidential information to the hackers.

 Search Engines Hacking

Marking a search query against your target in search engines (Google, Yahoo & Bing etc.) can also reveal great amount of information if used properly. Google Advance search or Google Hacking can help to locate more detailed information like company policies, employee’s details & online hidden pages etc. Google Hacking Database is a database of queries that identify sensitive information.

https://secur1tyadvisory.files.wordpress.com/2015/07/goo.png?w=406&h=285

Traceroute

Traceroute is using UDP or ICMP ECHO to send out the packet with a Time To Live (TTL)  of one, and incrementing it until reaching the target, the tcptraceroute is using TCP SYN to send out the packet to the target.

tcptraceroute will receive a SYN/ACK packet if the port is open, and it will receive a RST packet if the port is closed.

https://secur1tyadvisory.files.wordpress.com/2015/07/traceroute.jpg?w=404&h=285Figure:Traceroute

After route number 17, we are no longer able to get the route information. Usually this           is because our traceroute is being blocked by a filtering device.

 DNS Reconnaissance

We can interact with a DNS server using various DNS clients such as host, nslookup, dig,etc.

nslookup is a computer program used in Windows and Unix to query Domain Name System(DNS) servers to find DNS details, including IP addresses of a particular computer, MX records for a domain and the NS servers of a domain. The name nslookup means “name server lookup”.

https://secur1tyadvisory.files.wordpress.com/2015/07/nslookup.png?w=700Figure: Nslookup

The above image explains that we connected to local server and asked to resolve a record for us. The server responded with the IP address of the victim.

Before going ahead try to understand some DNS records. For more details please visit https://en.wikipedia.org/wiki/List_of_DNS_record_types

– A – Points to host  IP address
– MX – Points to domain mail server.
– NS- Points to host name server
– CNAME-Canonical naming allowing aliases to host.
– SOA- Indicate authority for domain.
– SRV-Service Record.
– PTR-Maps IP address to hostname.
– RP-Responsible Person.
– INFO- Host Information.

In order to retrieve mail server information we can use the following commands

https://secur1tyadvisory.files.wordpress.com/2015/07/12.jpg?w=700Figure: Nslookup query for mail server

While gathering information can divided into 3 main techniques:-

  1. Forward lookup bruteforce
  2. Reverse lookup bruteforce
  3. Verifying  SPF Record
  4. Zone transfers

1. Forward lookup bruteforce

The main idea behind this technique is to guess correct valid server names of organization. We can try this using the host command. The output gave us an IP address of the server.

https://secur1tyadvisory.files.wordpress.com/2015/07/fww.jpg?w=700Figure: Forward lookup

2. Reverse lookup bruteforce

This is a technique which is reverse to forward lookup bruteforce, in this case victim’s IP address is known and we need to find the server names and other information pertaining to the organization.

https://secur1tyadvisory.files.wordpress.com/2015/07/rv1.jpg?w=700Figure: Reverse lookup

3. Verifying  SPF Record

An SPF record is a TXT record that is part of a domain’s DNS zone file. The TXT record specifies a list of authorized host names/IP addresses that mail can originate from for a given domain name.

https://secur1tyadvisory.files.wordpress.com/2015/07/spf.png?w=700Figure: Verifying spf record

The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.

4. Zone transfers

DNS Zone Transfer is generally used for DNS database replications and backups. The security problem with DNS zone transfer is that it can be used to decipher the topology of a company’s network. Specifically when a user is trying to perform a zone transfer it sends a DNS query to list all DNS information like name servers, host names, MX and CNAME records, zone serial number, Time to live records etc. Due to the amount of information that can be obtained DNS zone transfer cannot be easily found in nowadays.

https://secur1tyadvisory.files.wordpress.com/2015/07/name.jpg?w=700Figure: Query for name server

The above image shows the how to get the dns server names.

https://secur1tyadvisory.files.wordpress.com/2015/07/name-2.jpg?w=669&h=285Figure: Zone Transfer Failed

As the response to our query is been failed thus we can say that zone transfer is configured properly

 CONCLUSION

Hopefully this article has demonstrated some of the ways in which passive reconnaissance can be useful as part of your security testing activities. It’s obviously not a replacement for active testing and only scratches the surface when it comes to discovering vulnerabilities but it can certainly provide some valuable information to help scope your testing efforts.

 REFERENCES

[1] https://en.wikipedia.org/wiki/List_of_DNS_record_types
[2] http://www.pearsonitcertification.com/articles/article.aspx?p=472323&seqNum=5
[3] http://www.hackersforcharity.org/ghdb