This article is all about different information-gathering techniques
on the network. It is the most essential and important task of
attackers. Knowing the opponents and their interests can be valuable.
Here I am going to show you the different ways and techniques
of doing network information/intelligence gathering.
INTRODUCTION
Let’s think of any thrilling heist movie. What do robbers do before
they break into the bank or anything else? They gather information. They
collect each and every bit of information about the bank system, alarm
methodology, CCTV interface, the guards’ shift changes, and a list of
weapons that the guards have. After gathering information they make
plans and attack or rob the bank. Assume they don’t have this
information and they rob the bank directly. What will happen? You will
find that they are caught by the police.
The same scenario can also be applied in the information security
world. Before attacking or testing something, a hacker/tester needs to
find information about his/her target. This target can be a network, web
application, organization, or person. In our world, finding information
is also called footprinting or doxing. Also, the word “reconnaissance”
can be used sometimes.
The map below shows the juicy areas in which attackers might
be interested. It shows that all those areas will definitely be tested
by hackers in order to find vulnerabilities.
Before starting to footprint anything, we need to keep in mind what
or who our target is. Is it a small firm? An entire big organization? Or
only a single intranet within a company?
Techniques of Intelligence Gathering
Information Available in the Air
There is much information that is publicly available, but few people
know about it. We need techniques to find out which information is
available in the air without any authentication. A list of the types of
such information follows:
- Archived data of the firm
- Company website (web pages)
- Privacy policy used in the application
- Security policy used in the application
- Client information
- Testimonials/reviews
- Exact location details
- Employee information (location, contact, area of interest, etc.)
In older days, company web pages used to
provide valuable information about their security policy and
configuration directly to the client side. Moreover, checking the HTML
source code for comments is a very handy and useful trick.
Things that are not actually meant for the public are easily available
via HTML comment tags, which look like <!-- ... -->.
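As an added example that is not part of the original article, here is a small Python check a site owner can run over their own saved pages (for instance the files fetched with wget) to flag HTML comments that look like they leak internal details; the keyword list and the sample page are constructed for illustration.

```python
"""Flag HTML comments that may leak internal details to the client side.
Added example (not from the original article); run it over your own saved pages."""
from html.parser import HTMLParser
import re

# Words that often mark a comment which was never meant for the public (assumed list).
SENSITIVE_WORDS = ("password", "passwd", "todo", "fixme", "internal",
                   "debug", "admin", "db", "credential", "staging")

class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> comment together with the line it starts on."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _col = self.getpos()
        self.comments.append((line, data.strip()))

def find_leaky_comments(html, words=SENSITIVE_WORDS):
    """Return (line, comment, matched words) for comments containing a watch word."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, text in parser.comments:
        hits = [w for w in words if re.search(r"\b%s\b" % re.escape(w), text, re.I)]
        if hits:
            findings.append((line, text, hits))
    return findings

# Constructed sample page, not a real site.
SAMPLE_HTML = """<html><head><title>Portal</title>
<!-- TODO: remove test login admin / Passw0rd before go-live -->
</head><body>
<!-- main navigation -->
<p>Welcome</p>
<!-- DB host is db-internal.example (internal only) -->
</body></html>"""

if __name__ == "__main__":
    for line, text, hits in find_leaky_comments(SAMPLE_HTML):
        print(f"line {line}: {hits} -> {text}")
```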
If you want to download a full website and see the source of each
page, there are two utilities, for Linux and Windows machines: wget (for
Linux) and the Teleport tool. These tools have limitations: they
don’t find “hidden” files and folders. So attackers use
the OWASP DirBuster tool. It tries to find hidden files on the
server that are not usually listed in the Google index. In many cases
there may be an authentication setup; here DirBuster can perform a brute
force attack and get the hidden files. But that process is usually
not preferred by hackers due to its noisy behavior. Here is a picture
of its interface.
Make sure to check related organizations. For example, if an
IT outsourcing company is involved, it’s very common to find organizations
related to it. Make sure to check their blogs and press
releases. You will find many other companies and persons posting
comments and giving reviews. That’s how we can find more related
organizations. Also use a Google query, as shown below. You know the
company website, so the Google query will be like this:
related:www.chintangurjar1990.com
Google will list all other organizations that are related to
the chintangurjar1990.com company. This information can sometimes be
used in a social engineering attack, which can be done directly or
indirectly.
Never forget what physical information can reveal. It’s very
useful information from an attacker’s point of view. After getting an exact
physical location, an attacker has various ways of attacking the target
organization. First, she/he can perform dumpster diving, that is,
checking rubbish or waste papers and mail discarded by the
organization. That material can reveal ID numbers, employee names,
client names, and much more. One can also perform social engineering
attacks on security guards and employees in order to reveal more
information. All these non-technical methods are known as no-tech hacking. This
information can reveal unauthorized entry points into the company. The best
tool for gathering this information is Google Earth.
Google Maps is also a great source for information gathering. An
attacker can utilize the Street View option and actually see the
streets around the physical location. Surprisingly, a very unique feature of
Google is that it also collects Wi-Fi information for nearby
locations. You might have seen Google cars in your area; they
collect information about all Wi-Fi networks near you, along with
their MAC addresses. See the image below to recognize it.
Employee details are also very good information to have in your
database as a hacker or an attacker. Most organizations generally use
the first name followed by the domain name. For example, if my organization’s
website is www.chintangurjar1990.com and my name is Chintan Gurjar, then
the company would probably choose chintan@chintangurjar1990.com as my email ID. One can often predict this, but the theHarvester
tool can also be used to find out a company’s employee information.
That tool provides the names of all employees working within the company and
their email IDs as well. The images below show the use of theHarvester
on *nix systems.
Hackers/attackers use this information as usernames in order to
gain access to any authorized network, router, etc. Hackers may use
the sources listed below to find phone numbers and physical addresses of
employees:
- www.phonenumbers.com
- www.411.com
- www.yellowpages.com
With a phone number, one can also use social engineering techniques. Other information can be found from websites such as these:
- www.ussearch.com
- www.zabasearch.com
- www.pipl.com
Never forget to check an employee’s information on social
networking websites, where people may share their feelings, emotions,
best friends, enemies, thinking style, likes, dislikes, bank details,
etc. Those things can be very valuable targets for attackers. I don’t
need to give any list of social network websites, as you know them
already. In addition, people’s technical interests and their resumes or
career activities can be found on Linkedin.com, Dice.com, Jigsaw.com,
Careerbuilder.com, etc.
Sometimes a company organizes seminars, workshops, and other
events. An attacker can attend these events in order to meet people from the
organization and to check the company’s reputation and influence. One can
perform social engineering attacks on those employees.
Sometimes some information is removed from websites for security reasons, so it’s always good to check the archived information of
any website. Who knows, you may get some information that doesn’t exist
now on the original website. To check that information you should go to
www.archive.org. There is a
“Wayback Machine” where you can input the URL of a website and check
year by year to see how the website has grown and developed. Here is
how to use it.
There is a new, good search engine named SHODAN. SHODAN is
described as “Google for Hackers.” It finds systems around the world
that don’t have proper security mechanisms for authentication and
authorization. It covers anything from your home network to SCADA systems.
It doesn’t matter whether the interface is web-based or network-based;
it has the ability to scan every system.
Apart from these, there are many Google queries that can reveal
configuration information, even in clear text. The best resource
for that is the GHDB
(Google Hacking Database). The source of this database is provided in
the references. Here is an example of a Google query that discloses the
configuration of a web server.
Now that you have the information, what if someone asks you to
relate all this information? The attacker won’t be happy to have only
isolated pieces of information. She/he needs to relate all that information in
order to find a weak link or a loophole. The tool Maltego is
an intelligence-gathering tool. It gathers the data and correlates it.
It has a very nice way of graphically representing all the data it
gathers. There are various features of Maltego. People who work in
forensic investigation often use this tool to find correlations between
a target and its sources. Here, the term “target” has a very broad
meaning. The target can be any device, location, infrastructure, person,
or social network. The example below shows a sample scan of this
website. The use of this tool is described in the references.
Up to here, this was all about publicly available information. Now
the technical stuff starts. First, we will find the domain’s
information, along with its administrator information, registration,
etc. To do this, we need to check WHOIS databases. We will start
looking up our domain information with the whois.iana.org website.
As we can see from the above picture, by just giving the domain name,
a whole bunch of information about the website is displayed. It reveals
the domain, organization, name server details, fax number, phone
number, and much more detail. Sometimes we may be able to see the
administrator’s details as well, including his/her name, address, and
contact information. That might be useful for social engineering and
for getting past the authorization at an entry point. We can find the same
information using the terminal as well on all *nix systems, as shown below:
As you can see here, we have simply used the “whois” command and
the network address for which we want to get information, followed by
the “-h” option and the source of the information; “-h” stands for the
host from which we want to get the information on our target. There are certain
tools that can provide the same information. Those tools are SuperScan,
NetScan, and SamSpade. The use of some of these tools is described in
the picture below.
Identifying the network is not everything. We also need to identify the
path the network uses to reach our end. Which are the world’s routers
through which traffic gets bounced to us? By doing this we can map out the
network topology. However, the number of routers and their names will be
different in every attempt; it won’t be the same all the time. To fulfill
this task, we can apply the tracerouting technique. It uses the TTL field
in the IP packet. Each router has to decrease the TTL field by one when it
forwards the packet, so the TTL field becomes a hop counter. That is how we
can discover the exact path to an IP address or domain. The procedure is
shown below:
Windows use:
We can do the same thing in Linux with the traceroute
command. We can also use SamSpade if we want a little bit of a graphical
representation of the data. As for the result, we can see that entries 1 to 14 are
called hops. The packet is transferred from one hop to the next through these several
hops without being blocked. In most scenarios, the hop before the
last hop is usually a firewall, IDS, or IPS. It can also be a
packet-filtering mechanism.
This is a normal router and our process has succeeded within a
few seconds. Some firms are aware of these kinds of tests from the
client side. That is why they keep complex routers such as Cisco’s
latest routers, which sometimes work as load balancers. These kinds of
complex routers have ACLs (access control lists). If they are enabled, then
one cannot do tracerouting and other common testing from the client
side. In that case, one can still find the data by sending our packets
to port 53, DNS. So our command will be a traceroute as follows:
traceroute -p 53 resources.infosecinstitute.com
After checking out tracerouting, another important thing to interrogate is DNS enumeration.
That is the most important part of network intelligence gathering.
Generally, DNS is used to map host names to IP addresses and vice
versa. DNS must be configured securely; otherwise someone can get each
and every bit of information about the complete organization via the
zone information. Zone transfer is the most common issue, and
the potential vulnerability lies in a misconfigured server. That can
disclose valuable information about the target.
Zone transfer is the mechanism that allows a secondary
server to update itself from its primary server. That is why attackers
only perform zone transfers on secondary servers. When a server is misconfigured, it
gives all of a zone’s information to anyone who asks for it.
Performing a zone transfer can be done by the simple method shown below:
First of all, you need to know your target’s primary and secondary DNS servers. To see them, we can give the following command:
dig infosecinstitute.com NS
The result is shown below:
Now we request the zone transfer for the domain from one of its name servers. The command is as follows:
dig @NS1.PAIRNIC.COM infosecinstitute.com axfr
If you are lucky, you will see the whole zone’s list in front of
you. How can one find juicy information in that? If you
receive a message that the query was refused, or something like what is
shown in the picture below, it means the zones are configured in the proper
manner to disallow transferring zones to unauthorized clients.
Another method for performing or checking a zone transfer is to use the host command, as shown below:
host -l -v -t any chintangurjar1990.com
Here we used 3 options, “l,” “v,” and “t.” The most essential
and important option is “l.” It stands for “listing.” The -l option lists
every host lying within the domain by using AXFR. “t” stands for the query type and “v” stands for verbose mode, which gives verbose output.
One of the best tools for performing zone transfers along with DNS enumeration is dnsrecon. Use of this tool is shown below. If you are lucky and you get a zone transfer, it will look like the picture below:
If the security of the network configuration is good, then it will probably look like the picture below. You will get the message “Zone Transfer Failed!” Other tools such as dnsmap, dnsenum, and fierce can also help you to transfer a zone along with DNS enumeration.
With the fierce tool, you can also check the same. The command to use this tool is shown below:
fierce -dns chintangurjar1990.com
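As an added example that is not part of the original article, the following Python script parses the output of the dig AXFR command used above and reports whether the transfer was allowed and which RFC 1918 hosts it exposed, so an administrator can check the name servers of a domain they are responsible for; the sample outputs and the example.com/example.net names are constructed.

```python
"""Parse `dig @ns domain axfr` output and report what a zone transfer exposed.
Added example (not from the original article); use it on your own name servers."""
import ipaddress
import subprocess

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr is a private IPv4 address, which a public zone should not leak."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    except ValueError:  # rdata is not an IP literal (e.g. a CNAME target)
        return False

def parse_axfr(dig_output):
    """Return {'allowed', 'records', 'internal_hosts'} for one dig AXFR run."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig comments, statistics and "; Transfer failed."
        parts = line.split(None, 4)  # name ttl class type rdata
        if len(parts) == 5 and parts[2] == "IN":
            records.append(tuple(parts))
    refused = "Transfer failed" in dig_output
    internal = sorted({r[0] for r in records if r[3] == "A" and is_rfc1918(r[4])})
    return {"allowed": bool(records) and not refused,
            "records": records, "internal_hosts": internal}

def audit_nameserver(domain, nameserver):
    """Run the same dig command as in the article and parse its output."""
    proc = subprocess.run(["dig", f"@{nameserver}", domain, "axfr"],
                          capture_output=True, text=True, check=False)
    return parse_axfr(proc.stdout)

# Constructed sample outputs (not captured from any real server).
OPEN_ZONE = """; <<>> DiG 9.18.1 <<>> @ns1.example.net example.com axfr
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 1 7200 3600 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.net.
intranet.example.com.\t3600\tIN\tA\t10.0.5.20
vpn.example.com.\t3600\tIN\tA\t203.0.113.9
;; XFR size: 4 records (messages 1, bytes 180)
"""
REFUSED_ZONE = """; <<>> DiG 9.18.1 <<>> @ns2.example.net example.com axfr
;; global options: +cmd
; Transfer failed.
"""
```

If a server answers AXFR to arbitrary clients, restrict transfers to the addresses of the secondary servers (in BIND, the allow-transfer option in named.conf) and re-run the check.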
Finding information about the target’s MX records (mail exchange server records)
can be a great source for determining the IDS, IPS, and firewall placed
there. It is common practice that the mail exchange server is
configured on the same network where the main firewall is placed. MX
records can be checked via the dig command, as shown in the picture below.
Summary
Thus we can see how attackers can do network information
gathering by using various tools and techniques. These are some basic
and widely available tools and methods I have shown; however, new tools
are launched week by week. Next time I will focus on the “Scanning the Network” part, after collecting this information.
References