Reconnaissance Part 1: Footprinting Tutorial

Footprinting is the first phase of hacking. Here an attacker tries to gather as much information as possible about his target without necessarily coming in contact with it.It is the most important, but being technically less challenging, is also the most overlooked hacking phase. A superior penetration tester spends considerable amount of time profiling the target organization. Information procured in this phase is vital to subsequent phases of penetration testing.Footprinting itself houses a number of stages.

Though, there”s no fixed approach, the general flow of execution is this:
A)Website Searches

B) Google Hacking

C) WHOIS lookup

D) DNS Interrogation

A) Website Searches

Web embodies a wealth of information. Searching proper websites could provide an attacker with heaps of sensitive information pertaining to a target.

• The attacker usually commences with the target organization”s website. Sometimes organizations inadvertently publish sensitive information on their websites like technologies in use, security configuration details etc. The attacker also documents information like employee contact details, office locations, business partners etc.• Attacker then makes use of jobsites (monster.com), social networking sites (facebook, myspace, linkedin), newsgroups etc. Frequently, a lot of important information is available on these websites.

B)Google Hacking

Google hacking is the process of employing complex search engine queries to locate sensitive information.Because of various web server misconfigurations, sensitive information gets indexed by the search engines when spiders crawl them.The sensitive information may include:password files, confidential directories, logon portals, log files etc.More details regarding Google hacking can be found here.

C)Whois Lookup

Whois lookup involves finding additional information associated with a domain.Whois lookup consists of two steps:

• Finding the domain name registration information.

• Finding the IP address range.

Finding the domain name registration information

While registering a domain, the domain registrar gathers additional information about the registrant. This information is normally available for public access.The general steps are:

• Querying the InterNIC website to find the registrar associated with a domain. Normally InterNIC performs a Whois lookup and provides the result.

• The attacker then queries the domain registrar”s Whois database to get the registration information.

Finding the IP address range.

The attacker then needs to find the IP addresses associated with an organization. For this he queries the organization”s name against the Whois database of an appropriate Regional Internet Registry (RIR). There are five RIR each associated with a specific geographic location: APNIC (Asia-Pacific region), ARIN (North America), LACNIC (Latin America and Caribbean), RIPE (Europe, Central Asia, Middle East regions), AfriNIC (Africa).

D)Zone Transfer

Zone transfer is the process where a name server lists all of its DNS information in response to a query by some other computer.Zone transfer is essentially used by secondary name server to update its zone database by requesting information from the primary name server. Albeit, zone transfer should only be allowed from the primary name server to the secondary name server, because of not properly configuring them, some name servers allow zone transfers to external systems too. This represents a serious security hole as an attacker could query the authoritative name servers to harvest domains and I.P addresses associated with the target organization.To learn more about zone transfer read this article.

Footprinting Defences

1) Carefully evaluate the information before publishing it on the internet.

2) Perform various footprinting techniques against your organization and try to remove any sensitive details found.

3) Directory listings give away too much information than a visitor needs. Disabling it is always a good option.

4) You can prevent search engines from caching a webpage by employing the ‘noarchive’ meta tag.

5) Make use of the anonymous registration services to prevent leaking registration information.

6) Configure your name servers such that only primary name server accepts zone transfer requests, and that too, from only secondary and tertiary name servers.

7) Consider using split-DNS — an architecture, where internal and external DNS servers are run separately

Advertisements

Google Hacking: An Intro for beginners

Google hacking is the process of employing complex search engine queries to locate sensitive information.

Because of various web server mis-configurations, sensitive information gets indexed by the search engines when spiders crawl them.The sensitive information may include:password files, confidential directories, logon portals,log files etc.

BASIC SEARCH

The most basic search involves searching for the required terms via the Google’s web interface. E.g

    • hacker• ethical hacker

The important thing to note here is that Google searches are case insensitive. Whether you search for (ethical hacker) or (ETHICAL HACKER) or (EtHiCaL HaCkEr), it provides you the same number of results.google case insensitivity\r\n\r\ngoogle case insensitivity1

google case insensitivity2

PHRASE SEARCH

Phrase search involves enclosing the required terms in double-quotes. Google searches for all the words in the phrase in the “exact” order you provide them. This is very useful when you are searching for a specific thing and want to omit extraneous results. Case insensitivity is maintained in phrase search too. E.g.

    • “hacker”• “ethical hacker”

There are certain common words like “a”, “and”, “the”, “for” etc. which Google ignores in basic search. These words are called stop words. Stop words, when used in the phrase search are not excluded by Google.

ADVANCED SEARCH

Google wildcard

Google treats asterisk (*) as a placeholder for any unknown term(s) and tries to find the best match(es) for it. It can be used both in basic as well as phrase search, but you have to separate it by a space from the preceding and succeeding words; e.g:

    • you can * multiple *Here, Google will try to find best match(es) for the wildcard.

Excluding words from search: the minus sign (-)

Sometimes you want to exclude pages containing certain words from the search result. You can do this by prefacing the minus (-) sign to the unwanted word. The minus sign should be preceded with a space and should be placed immediately before the unwanted term.A search such as (ethical hacker -cracker) will return pages containing ethical hacker but excluding the term cracker.If you want to exclude multiple terms, you can do so by placing the minus sign before each term. E.g

    • ethical hacker -cracker -blackhat• computer virus -antivirus -antispyware

Searching as is: the plus sign (+)

Sometimes you want to include stop words in your search. One way to do this is by using them in a phrase search i.e enclosing them in double quotes. Another way is to place a plus (+) sign before the stop word. The plus sign tells Google to include the word succeeding it. Similar to the minus sign, the plus sign should be placed immediately before the word you want included and should be preceded by a space.E.g

    • +this +is +a test
    From this example, you can see that there”s no limit to the number of plus sign you can use in a query.

Google”s Boolean operators

Google allows you to use three Boolean operators: AND, OR and NOT

    • If you want to search for pages containing the terms;”google”, ”hacking” and ”tutorial”, you can construct your query as:-
      • google AND hacking AND tutorial
      • The query (google | microsoft) returns all pages containing either Google or Microsoft or both.
  • The AND operator

    AND operator is used to search multiple terms.E.g

    Watch the above query carefully and you will see that it is just the basic Google query. Google includes the AND operator by default; you do not have to use it.

    The NOT operator

    The NOT operator is used to exclude words from a search.The NOT operator is not supported by Google. Instead, Google uses the minus sign to exclude terms.

    The OR operator

    The default Google search employs AND operation. You can override this functionality using the OR operator. The OR operator (OR is used in all caps) tells Google to locate either one of several words.                    You can use the pipe symbol (|) instead of OR to perform OR operation.E.g

Query string length limit

Neglecting the stop words, you can search only up to 32 words in a single Google query. Google ignores any words after the first 32 words (excluding stop words) and returns a message.Word limit message

153,000,000 Results!..really?

Though Google claims to find thousands – or millions – of results for any query, it lets you view only the first 1,000 results. If you try to go beyond the first thousand results, Google displays an error message.Result limit message

ADVANCED OPERATORS

Google provides a myriad of additional operators to enhance your search (or hacking!) experience.We will cover some of the most useful operators here.

All the advanced Google operators have the syntax- operator:search_term(s)

• There should not be any space between the operator, the colon and the search term.

• The search term can be a single term or a phrase.

Searching within a domain: site operator

Syntax: site:Domain

This is perhaps the most useful Google operator for reconnaissance. The site operator is used to limit search to a particular domain. E.g

    • site:ethicalhacker.net
    This will return pages only from ethicalhacker.net
    • site:sans.org training
    This will search only ”sans.org” for the term ”training”.

You can also exclude results from specific subdomains with the help of minus operator. E.g

    • site:sans.org training -site:www.sans.org
    This will search ”sans.org” for the term ”training” but omits results from the subdomain ”www”

Searching the title: intitle and allintitle operators

Syntax: intitle:search_term

Syntax: allintitle:search_term(s)

The intitle operator is used to search the title of the pages. E.g\r\n

    • intitle:”google hacking”
    This will list all the pages with ”google hacking” somewhere in their title.
    It can also be combined with the site operator to limit search to a specific domain; e.g
    • site:ethicalhacker.net intitle:”google hacking”

Locating directory listings

One of the most sinister uses of the intitle operator is in locating directory listings. Directory listings include the phrase “index of” in their title. So, we can search for (intitle:”index of”) or (intitle:index.of) to locate all the directory listings indexed by Google.

The period (.) in ”index.of” is the wildcard for single character.

You can also use this operator to search for password files; as,

    • intitle:Index.of etc shadow
    This will search for UNIX /etc/shadow password files

The allintitle is also used to match the title of a webpage, but it searches for all the words that follow it. E.g

    • allintitle:penetration testing
    This query will search for webpages with the words ”penetration” and ”testing”. Notice that unlike the intitle operator it does not require multiple words to be enclosed in quotes.

Similar to the intitle operator, the allintitle operator can also be used to discover index directories. This operator does not gel well with other advanced operators; consequently, you should use the intitle operator instead.

Searching the URL: inurl and allinurl operator Syntax: inurl:search_term                                                                                                   Syntax: allinurl:search_term(s)

The inurl operator is used to locate URLs containing the search term.E.g

    • inurl:hacker This will list all the URLs containing the term ”hacker”.

The inurl: operator can also be combined with the site operator to search URLs associated with a specific domain. It can also be utilized to discover vulnerable scripts if the script names are included in the URL.

Akin to the inurl operator, allinurl is also used to match the URL of a webpage, but it searches for all the words following it. The allinurl operator also does not combine well with other advanced operators and its use should be refrained.

Searching for a specific file type: filetype and ext operators Syntax: filetype:type_of_file Syntax: ext:type_of_file

Google supports two operators to search for a specific type of file based on the file extension: filetype and ext. You can use either of the two operators.E.g

    • filetype:pdf “google hacking”                                                                                  • ext:pdf “google hacking” This will list all the .pdf files comprising the term ‘google hacking’

You can use both these operators together with the site operator to search for specific type of files in a particular domain.E.g

    • site:sans.org ext:doc training This will search ”sans.org” for all the Microsoft word document files comprising the term ”training”.

Links to a URL: link operator Syntax: link:URL

The link operator is used to find all the webpages that have links to the specified URL. E.g

    •                                                                                       • link:www.ethicalhacker.net

Viewing modified pages: cache operator Syntax: cache:URL

Whenever Googlebot crawls a webpage, it caches a snapshot of that page. This cached version could be very useful if that page is recently deleted or inaccessible owing to other internet problems. If the page is deleted, you can view its cached version which is stored in Google”s server.

Every result that Google hands you over for your query, it also provides a link to the cached version of that page. You can browse the cached version via the cached link below the snippet for that result.

Cache link

Another way to view the cached page is via the Google cache operator. E.g

    • cache:ethicalhacker.net This will show you the cached version of the page when Googlebot last crawled it. The current version of the page could be different than the cached version.

Google cache could be very useful for an attacker if the website has modified their original content. It helps to view the old content of the page.

Google cache can also be employed to use Google as a proxy!. This, and more advanced tricks will be covered in separate article.

GOOGLE HACKING DEFENSES

Disable directory listings Directory listings give away too much information than a visitor needs. Disabling it is always a good option.

Noindex your confidential files Web crawlers can be forbidden from crawling a webpage using the ”noindex” meta tag or by putting that URL in the /robots.txt file.                                              Note that /robots.txt is publicly available; it shouldn”t be used for hiding information as it can be viewed by anyone.

Noarchive to forbid caching You can prevent search engines from caching a webpage by employing the ”noarchive” meta tag.

Employ Google-fu against your own site You could perform these advanced searches against your website to discover any vulnerabilities.

Additionally, you can make use of automated tools like Wikto and Sitedigger which will thoroughly scan your site.

Removing an indexed page\r\nIf your confidential page has already been indexed by Google, you van remove it via Google”s URL removal tool.

ADDITIONAL RESOURCES

• Johnny “ihackstuff” Long maintains a Google Hacking Database– a list of numerous advanced Google queries which can be used to discover vulnerable targets.

• Johnny Long is also the author of Google Hacking for Penetration Testers which is a must for any serious Google hacker.

• SANS institute maintains a very handy Google cheat sheet

DNS Interrogation: Zone Transfer Tutorial

Zone transfer is the process where a name server lists all of its DNS information.

Zone transfer is essentially used by secondary name server to update its zone database by requesting information from the primary name server. Albeit zone transfer should only be allowed from the primary name server to the secondary name server, because of not properly configuring them, some name servers allow zone transfers to external systems too. This represents a serious security hole as an attacker could query the authoritative name servers to harvest domains and I.P addresses associated with the target organization.

Before we get into the methods of conducting zone transfer, we have to know what a zone is.

The domain namespace is designed in a tree like fashion with root at the top and top-level domains as its children nodes (first-level nodes). These top-level domains could be further divided into sub-domains which, in-turn, could be divided further into more sub-domains.

Domain namespace contains a lot of information which is distributed among many computers called DNS servers. Each of these servers is authoritative for a large or a small domain i.e the servers are arranged in the same hierarchy as the names.

DNS Server Hierarchy
DNS Hierarchy

The information for which a server is responsible is called a zone. When we assign an authoritative name server to a domain — say, xyz.net — the domain becomes a zone for that name server. If a subdomain is created for xyz.net, the new subdomain could either be managed by the same name server, in which case it becomes a part of the original zone:xyz.net; or, the name server could delegate away authority for that subdomain to some other name server, in which case the subdomain acts as zone for that new name server.

For example, consider the figure below, here, three subdomains — et1.xyz.net, et2.xyz.net and et3.xyz.net — are created from the domain xyz.net. Domains xyz.net, et1.xyz.net and et2.xyz.net are managed by the same name server and are collectively part of the zone- xyz.net. Here, zone and domain are separate; the zone xyz.net houses three domains: xyz.net, et1.xyz.net and et2.xyz.net

DNS zones
DNS zones

The third domain — et3.xyz.net — is delegated to some other name server and acts as a zone for that domain. Here, the zone and the domain refer to the same thing.

It is imperative to note that a single name server can have multiple zones. For instance, if the name server was authoritative for domains: xyz.net, abc.net and pqr.net, there would have been three zones: xyz.net, abc.net and pqr.net respectively. The name server stores information pertaining to all the zones in a zone file.

Prior to conducting a zone transfer, we need to know the authoritative name server for that domain.This information can be obtained very easily by performing a WHOIS lookup of the target website which gives us a list of name servers arranged in the order– primary, secondary, tertiary(rarely exists), etc.

Next, we look at some of the methods to perform zone transfer.

Zone Transfer in Windows. In Windows, zone transfer can be conducted via the nslookup command. The nslookup command is present in both Windows and Unix and is instrumental in performing zone transfer. However, in the recent versions of Linux, its zone transfer functionality has been whisked off. To perform zone transfer in Linux we have to make use of the dig command.

Steps to perform zone transfer:

a) C:\>nslookup

b) > server [authoritative name server's I.P address or name]

c) > set type=any

d) > ls -d [domain] or > ls -d [domain] > [filename]

Significance of each command.

C:\>nslookup

This command starts nslookup in interactive mode.

> server [authoritative name server’s I.P address or name]

This command sets our default server to the authoritative name server.

> set type=any

This sets the query type to any. There are various DNS records like: Address record(A), Host information record(HINFO), Mail exchange record(MX) etc; setting the query type to any species that we are interested in any kind of DNS record.

> ls -d [domain]
or
> ls -d [domain] > [filename]

ls command is used to list addresses in domain. The -d option species that we want to list all types of records. If a zone transfer is allowed, this command will return all data pertaining to that domain (i.e perform zone transfer 😀 )

Zone Transfer in Unix
In Unix, to perform zone transfer, we make use of the dig (domain information groper) command. We can conduct either a full or an incremental zone transfer.

Full Zone Transfer
Syntax:
<code>$ dig @[authoritative name server IP] [domain] -t AXFR</code>

This command will set the query type to AXFR and perform a zone transfer for the given domain.

Incremental Zone Transfer
Syntax:
<code>$ dig @[authoritative name server IP] [domain] -t IXFR=[N]</code>

This command will conduct a zone transfer for a given domain, pulling all the changes made to the zone since the serial number in the zone’s SOA record was equal to some value N.

External Tools for Conducting zone transfer
There is plethora of tools which could help with zone transfer–Sampspade, maltego, necrosoft dig, to name just a few.

Additionally, you could also employ websites like Network-Tools and DNSstuff for this purpose.

DNS Interrogation Defenses
a) Configure your name servers such that only primary accepts zone transfer requests, and that too, from only secondary and tertiary name servers.

b) Consider using split-DNS — an architectue, where internal and external DNS servers are sun separately.