Passive Footprinting/Information Gathering
  • Xin
    Posts: 3,251
    Passive Footprinting/Information Gathering

    What is it?

    Footprinting enables attackers to build a complete profile of an organisation's security. It is the art of gathering as much information as possible about the structure and security of a company.

    Passive information gathering uses publicly known information and involves no intrusion into the target's servers. The target has no knowledge that it is happening.

    What you need to Find

    - Domain names
    - Network blocks and subnets
    - IP addresses
    - TCP and UDP services running
    - Operating system
    - Intrusion detection systems (IDSs)
    - Routing tables and SNMP information
    - Network protocols (IP, IPX, DECnet)
    - DNS hostnames
    - Internal domain names
    - Access control mechanisms
    - Analog/digital telephone numbers
    - Authentication mechanisms
    - VPNs
    - Connection details (type of connection, origin, destination)
    - Security staff
    - Internal computers

    Step 1: Getting Publicly Available Information


    What are we looking for?

    - Company web pages
    - Partner sites (suppliers, partners, rivals, etc.)
    - Location details (HQ, outlets, opening/closing times)
    - Employee details (phone numbers, names, emails, personal info, and relation to the organisation)
    - Events in the organisation (mergers, layoffs, growth, moving location)
    - Security policies (data handling etc.)
    - Archived information
    - Annoyed employees (good for social engineering)

    Company WebPages

    Looking through the web pages will give you a lot of information about the organisation, including employees, locations, security information, partner sites and more.

    For faster crawling, mirror the site and browse it offline. If you are using Unix, use:
    Wget (http://www.gnu.org/software/wget/wget.html)
    and enter into a console:
    wget -m http://www.targetsite.com/
    (the -m flag mirrors the whole site; without it wget fetches only the front page)

    If you are using Windows, download:
    Teleport Pro (http://tenmax.com)

    These programs download the whole site, enabling you to view the pages without loading times. It also means you browse a local copy rather than clicking around the live site, so the admins do not see a suspicious trail of you crawling their website in their logs.

    While crawling the website, look in the HTML source for any other clues. The HTML comments are often very useful, as the developers leave lots of comment tags explaining each bit of code. The source may also show that the site is using a CMS, which can give you an easy way in if that CMS is vulnerable.

    Remember to check all other hostnames and schemes, such as:
    - https://
    - ftp://
    - smb://
    - www1
    - www2
    - web
    - web1
    - test
    - test1
    - mail.*
    - server.*
    - svr.*
    - ftp.*
    - smb.*
    - vpn.*
    - outlook.*

    This gives valuable insight into whether there are mail systems, FTP servers or VPNs running alongside the website that could give remote access.
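The hostname check above is easy to script. The following is an added example (not code from the original post): it takes the prefixes from the list, resolves each under a base domain, and first probes a random label to detect a wildcard DNS record, because with a catch-all record every candidate "exists" and the results would be meaningless. The `resolver` parameter and the `example.test` zone are assumptions so the code runs offline; swap in `socket.gethostbyname` to check a zone you administer.

```python
"""Check which common hostname variants actually resolve under a domain.

Added example, not from the original post. The resolver is injectable so the
code can be exercised offline against a constructed zone; by default it uses
socket.gethostbyname.
"""
import secrets
import socket

# Prefixes taken from the hostname list in the post.
COMMON_PREFIXES = ["www", "www1", "www2", "web", "web1", "test", "test1",
                   "mail", "server", "svr", "ftp", "smb", "vpn", "outlook"]


def has_wildcard(domain, resolver=socket.gethostbyname):
    """Return True if a random, unlikely label resolves (catch-all DNS record).

    With a wildcard, the presence of an A record for mail.<domain> proves
    nothing, so callers should not trust name-based checks in that case.
    """
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        resolver(probe)
        return True
    except OSError:
        return False


def enumerate_hostnames(domain, prefixes=COMMON_PREFIXES, resolver=socket.gethostbyname):
    """Return {hostname: ip} for each prefix that resolves under `domain`.

    Raises RuntimeError when the zone has a wildcard record, since the
    results could not be distinguished from noise.
    """
    if has_wildcard(domain, resolver):
        raise RuntimeError(f"{domain} has a wildcard DNS record; name checks are unreliable")
    found = {}
    for prefix in prefixes:
        host = f"{prefix}.{domain}"
        try:
            found[host] = resolver(host)
        except OSError:
            # NXDOMAIN or resolver failure: treat the name as absent.
            continue
    return found


# Constructed stub zone (assumption) so the example runs without network access.
_FAKE_ZONE = {
    "www.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.25",
    "vpn.example.test": "192.0.2.30",
}


def stub_resolver(hostname):
    """Resolver that only knows the constructed zone above; gaierror otherwise."""
    try:
        return _FAKE_ZONE[hostname]
    except KeyError:
        raise socket.gaierror(f"{hostname}: Name or service not known")


if __name__ == "__main__":
    for host, ip in enumerate_hostnames("example.test", resolver=stub_resolver).items():
        print(f"{host:30s} {ip}")
```

Run against a domain you own, the output is an inventory of the extra entry points (mail, vpn, test hosts) that are exposed next to the main website, which is exactly what an outsider sees too.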

    Site Digging

    Download
    SiteDigger (http://www.foundstone.com/us/resources/proddesc/sitedigger.html)

    This tool is amazing for finding improperly set-up .htaccess pages; it crawls the site for:
    - Backup files
    - File system pages (index of */)
    - Databases
    - Password files
    - Username files
    - Email lists

    This could be an easy way into any site, removing the need to deal with the IDS at all if you find a password file.

    Related Organisations


    Partner sites are invaluable for finding more information about the organisation. Look for testimonials, reviews and any other information they give about it. A partner site may hold details about the organisation that are freely available there.

    Another important thing is to look for the website's developer or CMS. For example, if you find that the organisation uses "Leet CMS 1.2.6" and you check the CMS vendor's site and see a headline saying "Leet CMS 1.2.6 Vulnerable to Remote File Inclusion, Please Patch to 1.2.7", this could give you an easy way into the server.

    Location Details


    Location details can open up many more vulnerabilities and types of attack, for example social engineering:
    - You may go shoulder surfing in their offices, pretending to look for someone but watching whether people are typing in passwords.
    - You could pose as the network security/maintenance guy, and if you are good enough you could get physical access to the servers, which is then game over.
    - You could bribe the employees for passwords, or pretend to be the ISP asking for passwords.

    The possibilities for social engineering are endless.

    Location details also give you the opportunity to go "dumpster diving", where you fish through their bins looking for anything that may include password lists, personal information, invoices, cheques, or anything else that hasn't been properly disposed of or shredded.

    If you get the address of the organisation you can use
    Google Maps (http://maps.google.co.uk/)
    or
    Google Earth (http://earth.google.co.uk/)

    This can give you an idea of the size and scale of the organisation. The newly added Street View is also a great tool for surveillance of the location without even having to leave your house: you can see where their bins are and anything else that may let you break into the organisation.

    Employee Details


    Information on the employees may lead to opportunities to social engineer the workers and gain vital information like passwords and security details.

    You can "Dox" the employees using
    http://www.phonenumber.com
    http://www.411.com
    http://yellowpages.com
    http://www.whitepages.com/person
    http://www.zabasearch.com/
    http://www.google.com/search?hl=en&pb=r&.../city/etc.
    http://www.foo.com/
    http://www.lookuppeople.co.uk
    http://www.usaphonelookup.com/
    http://phonenumbers.addresses.com/phone.php
    http://www.whitepages.com/reverse-lookup
    http://www.abika.com


    Getting information such as email addresses could allow you to reset their email password: if the organisation has a "forgot your password" option, this could give you access to their account. You could also social engineer these employees using the information you have gathered. Other great places to look for information are the social networking sites such as
    http://www.facebook.com
    http://myspace.com
    http://bebo.com
    http://twitter.com
    http://www.familysearch.org/
    http://www.genesreunited.co.uk/
    http://www.ancestry.co.uk


    If you know the location and the company runs a wireless network, you could go wardriving and attempt to crack into the network, which could enable you to compromise it; if they are running WEP this will be an easy job for a hacker.

    Another common thing in companies is that the passwords for the computers are stuck on a sticky note on the computer (I know it is for the businesses I have worked in!); this gives easy access to the systems.


    Events


    Current events in the business can be of great interest to hackers, such as mergers, acquisitions, scandals, layoffs, hiring, reorganisation, outsourcing, temporary contractors, open days, and buying new equipment.
    For example, when there is rapid hiring or hiring of temporary workers, the staff may not know whether the guy fiddling with the computer is the new techie the boss employed or a hacker trying to install a rootkit on the server.
    This is similar with mergers: you may not know who actually works for you, as you have never seen them before.

    If there are scandals and layoffs, employees may be annoyed and may give out login passwords if you ask nicely.

    Open days may also give you the opportunity to sneak around and try to plant a RAT on the systems.

    If you find out there is a new IDS or new computers being installed, you may get the chance to hack the network while security is down, in the transition period between removing the old one and installing the new one.

    Security Policies

    These pages can sometimes give away the protection businesses use, for example "This company is protected by Easy Firewall Systems" or "We run the latest protection software to protect you!"

    Archived Information

    This could give access to information that has been removed from the website for security reasons but is still stored in archives across the web. Common places to look are
    http://www.archive.org
    http://www.thememoryhole.org
    http://www.google.com


    Archive.org and The Memory Hole keep archives of information from across the web, so the site may be in there, and Google has cached pages of the site that may not have been updated.

    Annoyed Employees

    Employees can get annoyed at being fired or treated badly. These are the easiest to social engineer and the most likely to give out sensitive information; by adding all the employees as friends on Facebook (from a fake account) you can read their walls for any signs of displeasure with their job.


    Whois

    Whois is a great tool for getting information on the hosting of the server. It can tell you where it is hosted, by whom, and a lot more. There are many free whois tools across the web, as well as software.
    Whois lookups can show registrant names, addresses, emails, DNS server names, IP addresses, hosts and more.
    For online whois sites navigate to:
    http://www.whois.net/
    http://whois.domaintools.com/
    http://who.is/
    http://www.whois.com/
    http://www.dnsstuff.com/
    http://www.whois-search.com/
    http://www.nic.uk/other/whois/

    There are a lot more, but these are some of the main ones. To look up a site, simply enter the IP or domain name. For example, enter into the lookup field:
    hackforums.net

    The result would be:
    Domain Name: HACKFORUMS.NET
    Registrar: MONIKER

    Registrant [2341726]:
    Moniker Privacy Services
    Moniker Privacy Services
    20 SW 27th Ave.
    Suite 201
    Pompano Beach
    FL
    33069
    US

    Administrative Contact [2341726]:
    Moniker Privacy Services
    Moniker Privacy Services
    20 SW 27th Ave.
    Suite 201
    Pompano Beach
    FL
    33069
    US
    Phone: +1.9549848445
    Fax: +1.9549699155

    Billing Contact [2341726]:
    Moniker Privacy Services
    Moniker Privacy Services
    20 SW 27th Ave.
    Suite 201
    Pompano Beach
    FL
    33069
    US
    Phone: +1.9549848445
    Fax: +1.9549699155

    Technical Contact [2341726]:
    Moniker Privacy Services
    Moniker Privacy Services
    20 SW 27th Ave.
    Suite 201
    Pompano Beach
    FL
    33069
    US
    Phone: +1.9549848445
    Fax: +1.9549699155

    Domain servers in listed order:

    CORE.BOLCHAT.ORG
    NS1.ZANMO.COM 69.162.82.250
    NS2.GLOBALNET.BA

    Record created on: 2005-09-27 14:18:41.0
    Database last updated on: 2010-04-09 16:19:11.037
    Domain Expires on: 2011-09-27 14:18:41.0


    This gives very useful information such as name servers and phone numbers.

    We can also do whois via the command line in Unix:
    bash$ whois hackforums.net -h whois.iana.org

    This will get similar results, and is quicker from the command line.
    help you in your footprinting.
    To do this download
    SamSpade (http://www.samspade.org)
    SuperScan (http://www.foundstone.com)
    NetScan Tools Pro (http://www.nwpsw.com)

    Reverse IP

    This is essential for finding the other sites on the server if it is a shared host; if it is dedicated, it may still lead to another site containing the database backups. Reverse IP lets you list all the sites hosted on the server, so you could target those sites instead if they are more vulnerable, root the server, and from there gain access to your target site.

    Reverse IP can be done very easily online by typing the domain name or IP address into the lookup field. Some good sites to use are:

    http://www.domaintools.com/reverse-ip/
    http://www.ip-adress.com/reverse_ip/
    http://remote.12dt.com/
    http://www.yougetsignal.com/tools/web-s ... eb-server/
    http://whois.webhosting.info/
    http://www.ipchecking.com/
    http://www.iwebtool.com/reverse_ip
    http://www.linkvendor.com/seo-tools/dom ... om-ip.html


    Entering the IP or hostname will get a result similar to:
     Enter an IP address or domain name into the form below and click "Look Up" to get a list of domains hosted on the same IP address.

    IP Address/Hostname:
    Example: 192.168.% or 64.233.161.104

    There are 40 domains hosted on this IP address.
    Here are a few of them:

    1. 360moddingftw.com
    2. Crasyn.info
    3. Darkcipher.info
    4. 37 more...


    TraceRoute

    Traceroute is a useful tool for viewing the path your packets take to reach the server, showing each host they hop through on the way. It is very useful for identifying access control devices such as firewalls: you can see whether something along the path stops the packets from passing through.

    To do this if you are using Unix type:
    bash$ traceroute targetsite.com

    The result you would get is:

     1     3 ms     3 ms     3 ms  WL.cable.hiddenmedia.net [192.168.2.1]
    2 12 ms 11 ms 11 ms w00t-cmts-03-lback-20.network.hiddenmedia.net [my hidden ip]
    3 15 ms 14 ms 16 ms hiddenhost.net
    [hiddenip]
    4 17 ms 15 ms 16 ms hiddenhost.net[hiddenip]
    5 19 ms 19 ms 19 ms hiddenhost.net[hiddenip]
    6 18 ms 19 ms 19 ms hiddenhost1.3.net[hiddenip]
    7 69 ms 71 ms 71 ms ldn-b2-link.telia.net [213.248.100.97]
    8 71 ms 88 ms 101 ms ldn-bb1-link.telia.net [80.91.247.24]
    9 149 ms 147 ms 147 ms ash-bb1-link.telia.net [213.248.65.98]
    10 163 ms 165 ms 163 ms atl-bb1-link.telia.net [213.248.80.142]
    11 183 ms 183 ms 220 ms dls-bb1-link.telia.net [80.91.248.213]
    12 185 ms 184 ms 183 ms limestone-ic-135964-dls-bb1.c.telia.net [213.248
    74.222]
    13 186 ms 187 ms 185 ms po3.bdr1.core2.dllstx2.dallas-idc.com [74.63.203
    14]
    14 185 ms 187 ms 186 ms ge0-2.vl204.cr02-36.dllstx2.dallas-idc.com [74.6
    .204.206]
    15 183 ms 183 ms 181 ms www.hackforums.net [69.162.82.251]


    I hid some of the hosts closer to my IP to protect it. As you can see, you can view the route the packets take to get to hackforums and the time each hop took. If you see that it gets blocked halfway, you can tell there is a firewall there.

    To do this in windows you type:
    C:\> tracert hackforums.net

    You would get similar results:
     1     3 ms     3 ms     3 ms  WL.cable.hiddenmedia.net [192.168.2.1]
    2 12 ms 11 ms 11 ms w00t-cmts-03-lback-20.network.hiddenmedia.net [my hidden ip]
    3 15 ms 14 ms 16 ms hiddenhost.net
    [hiddenip]
    4 17 ms 15 ms 16 ms hiddenhost.net[hiddenip]
    5 19 ms 19 ms 19 ms hiddenhost.net[hiddenip]
    6 18 ms 19 ms 19 ms hiddenhost1.3.net[hiddenip]
    7 69 ms 71 ms 71 ms ldn-b2-link.telia.net [213.248.100.97]
    8 71 ms 88 ms 101 ms ldn-bb1-link.telia.net [80.91.247.24]
    9 149 ms 147 ms 147 ms ash-bb1-link.telia.net [213.248.65.98]
    10 163 ms 165 ms 163 ms atl-bb1-link.telia.net [213.248.80.142]
    11 183 ms 183 ms 220 ms dls-bb1-link.telia.net [80.91.248.213]
    12 185 ms 184 ms 183 ms limestone-ic-135964-dls-bb1.c.telia.net [213.248
    74.222]
    13 186 ms 187 ms 185 ms po3.bdr1.core2.dllstx2.dallas-idc.com [74.63.203
    14]
    14 185 ms 187 ms 186 ms ge0-2.vl204.cr02-36.dllstx2.dallas-idc.com [74.6
    .204.206]
    15 183 ms 183 ms 181 ms www.hackforums.net [69.162.82.251]

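The "blocked halfway" observation above can be automated. The following is an added example (not code from the original post): it parses traceroute/tracert output into hops, marks hops where all three probes timed out, and reports runs of silent hops that are followed by a hop that does answer, which is the signature of a filtering device in the path rather than the end of the trace. The sample trace is constructed (the post's own trace has no silent hops) and uses documentation address ranges, not real routers.

```python
"""Find silent hops in traceroute output.

Added example, not from the original post. SAMPLE_TRACE is constructed; the
host names and addresses are placeholders in documentation ranges.
"""
import re

SAMPLE_TRACE = """\
 1     3 ms     3 ms     3 ms  gateway.lan [192.168.2.1]
 2    12 ms    11 ms    11 ms  cmts-03.isp.example [198.51.100.1]
 3    15 ms    14 ms    16 ms  core1.isp.example [198.51.100.9]
 4     *        *        *     Request timed out.
 5     *        *        *     Request timed out.
 6   183 ms   183 ms   181 ms  www.example.net [203.0.113.10]
"""

HOP_RE = re.compile(r"^\s*(?P<n>\d+)\s+(?P<body>.*)$")      # "N  ..." hop lines
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s+ms\b")               # "12 ms" / "12.3 ms"
ADDR_RE = re.compile(r"\[(?P<ip>[\d.]+)\]")                  # "[203.0.113.10]"


def parse_traceroute(text):
    """Return one dict per hop: number, RTT list, bracketed IP, silent flag."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header / blank / non-hop lines
        body = m.group("body")
        rtts = [float(x) for x in RTT_RE.findall(body)]
        addr = ADDR_RE.search(body)
        hops.append({
            "hop": int(m.group("n")),
            "rtts_ms": rtts,
            "ip": addr.group("ip") if addr else None,
            "silent": not rtts,           # every probe timed out
        })
    return hops


def silent_runs(hops):
    """Split silent hops into (runs followed by a reply, trailing silence).

    A run with a responding hop after it means probes crossed the silent
    device but it would not answer itself: a firewall/ACL that drops ICMP or
    rate-limits TTL-expired replies. Trailing silence with nothing after it
    means the trace never reached the target and is reported separately.
    """
    runs, current = [], []
    for h in hops:
        if h["silent"]:
            current.append(h["hop"])
        else:
            if current:
                runs.append(tuple(current))
            current = []
    return runs, tuple(current)


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACE)
    runs, trailing = silent_runs(hops)
    for h in hops:
        state = "silent" if h["silent"] else f"{min(h['rtts_ms']):.0f} ms"
        print(f"{h['hop']:2d}  {h['ip'] or '-':16s} {state}")
    print("filtering suspected at hops:", runs, "trailing silence:", trailing)
```

Run on your own trace, a silent run in front of your web server is evidence that the perimeter device is behaving as intended; a trace that reaches the server with no silent hops is worth a second look at what the firewall is actually filtering.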

    If you want to use traceroute online you can use these sites; they offer an easier GUI. However, this does not traceroute from your box, it traceroutes from the website, so you will get different results.

    Websites for this are:
    http://www.geektools.com/traceroute.php
    http://network-tools.com/


    Alternatively if you want to use GUI software there are many tools to do this with such as:
    Cain(http://www.oxid.it)
    TcpTraceroute(http://michael.toren.net/code)
    VisualRoute(http://www.visual-route.com)
    NMap(http://nmap.org)
    Xin
  • cool guide .. thanks it helps a lot!
  • GameOver
    Posts: 675
    excellent work Xinapse!

    Very helpful! Congratulations!
  • Xin
    Posts: 3,251
    Thanks it took me a whole day to write
    Xin
  • Wow thanks a lot for this guide
    very helpful for me
  • Bursihido
    Posts: 406
    good job :)
  • Xin
    Posts: 3,251
    Glad you liked it mate :)
    Xin
  • Sh3llc0d3
    Posts: 1,910
    lol thanks in advance :)

    EDIT: Well worth the time it took to write :) defo bookmarking
  • Xin
    Posts: 3,251
    Thanks, this guide took me a full day :),
    Xin
  • WhyteLinux
    Posts: 9
    Thank You.


    Do these tags only work for the original poster?

    The only bad thing I can think about the hide tags would be thread necroing...
  • killowner
    Posts: 5
    Thank You Very Much :)
  • h4ckingURLife
    Posts: 125
    Thanks in advance.

    Nice guide mate.
  • Xin
    Posts: 3,251
    Glad you liked it guys took me ages :)
    Xin
  • rx-
    Posts: 169
    This is a simple Perl banner grabber for port 80 I made; it's really just the basic stuff, but it can be modified (I can do a banner grabber for more services and a mass one too, if you want, just let me know :))

    #!/usr/bin/perl -w
    use strict;
    use LWP;    # loads LWP::UserAgent

    die "usage: $0 domain\n" unless @ARGV;

    # Build the URL from the first argument, e.g. "example.com" -> http://www.example.com
    my $url = "http://www." . $ARGV[0];

    # Fetch the page; the response object carries the HTTP headers
    my $response = LWP::UserAgent->new->get($url);

    # Print the Server header, which usually names the web server software and version
    print $url . " " . ($response->header("Server") // "(no Server header)"), "\n";
  • x3n0n
    Posts: 110
    Thx for this ;)
  • Xin
    Posts: 3,251
    Nice banner grabber, I was looking for one of them! Can't remember what for now :S, was a while back
    Xin
  • rx-
    Posts: 169
    thanks xinapse :)
  • SilvaRizla
    Posts: 2
    I'll have a quick look, see what your method is...

    What exactly have you footprinted there? Nothing to not very much. You still have a lot of learning to do
  • Xin
    Posts: 3,251
    SilvaRizla said:
        I'll have a quick look, see what your method is...
        What exactly have you footprinted there? Nothing to not very much. You still have a lot of learning to do

    I'd like to see your techniques then
    Xin
  • SilvaRizla
    Posts: 2
    Xin said:
        I'd like to see your techniques then

    That may be so, but you're not going to. Learn how to use nmap for a start.
  • Xin
    Posts: 3,251
    SilvaRizla said:
        That may be so, but you're not going to. Learn how to use nmap for a start.

    Haha dude, are you serious? That's all you could come up with? Now let me see...
    1. Nmap: anyone can use it, so you're not some leet hax0r with it, and btw I do use it.
    2. Nmap doesn't come into footprinting; it is scanning and/or enumeration. That is why it isn't in here.
    Xin