Monday, January 21, 2008

Footprinting Tools

There are many tools for footprinting. The following lists a few popular ones:

  • NeoTrace - a diagnostic and investigative tool that traces the network path taken across the Internet.
  • VisualRoute - a graphical tool that determines where and how traffic flows on the route between the user and the desired destination, by providing a geographical map of the route and the performance of each portion of that route.
  • SmartWhois - a network information utility that lets the user find all the information available about an IP address, host or domain name. (www.tamos.com)
  • VisualLookout - a real-time TCP/IP monitor that can help detect intrusions that have crossed the firewall. It is basically an IDS tool.
  • VisualRoute Mail Tracker - part of VisualRoute that can track a spoofed mail or even an ordinary mail.
  • eMailTrackerPro - analyzes email headers and provides the IP address of the machine that sent the email.

Locate Network Range

To find the network range, the attacker can get more detailed information from the appropriate regional registry database. They can also trace the route between their own system and the target system.
There are many traceroute tools; two of the popular ones are NeoTrace and VisualRoute. Some other tools are based on POC input of the various ISP/NSP routers, so the information shown by these tools may not be entirely correct. It is always good practice to check more than one registry.
If the DNS servers are not set up correctly, the attacker may be able to obtain a list of internal machines. And if the attacker tracerouted to a machine, they can also get the internal IP of the gateway, which can be of use.
ARIN allows searches on the whois database to locate information on network autonomous system numbers (ASNs), network-related handles and other related points of contact. ARIN also has a set of additional tools and links to other sites such as RWhois.net.
Up to this point the information-gathering activities are completely passive (with the exception of traceroute, which can be detected) and undetectable by the target organization. Doing footprinting helps the administrator know what information lies outside the organization and the potential threat it can pose to the organization.

Traceroute
Traceroute works by exploiting a feature of the Internet Protocol called Time To Live (TTL). TTL is interpreted as the maximum number of routers a packet may transit. Each router that handles a packet decrements the packet's TTL count by 1. When the count reaches zero, the packet is discarded and an error message is transmitted to the originator.
Traceroute sends out a packet destined for the target with the TTL set to 1. The first router receives the packet and decrements the TTL by 1; since the result is 0, it discards the packet and sends a message back to the originator informing it that the packet was discarded. Traceroute records the IP address and DNS name, if any, of the router, then sends out a packet with TTL = 2. This packet makes it through the first router and is then discarded by the second router, which sends a message back to the originator. Traceroute repeats this, recording the IP address of each router as the packets route through the network, until the destination is reached or the host is unreachable. Traceroute also records the time it took for each packet to travel round trip to each router.
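The TTL-probing loop described above, written out as an added example (not code from the original post). It simulates a path of routers in memory instead of sending real packets, so it runs offline without privileges; the hop addresses, names and delays are constructed for the simulation.

```python
# Added example: an in-memory simulation of how traceroute discovers a route
# by sending probes with TTL = 1, 2, 3, ... and recording who answers.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Hop:
    ip: str
    name: Optional[str]   # reverse-DNS name; None when the router has no name
    delay_ms: float       # constructed one-way delay contributed by this hop

# Constructed path from the probing host to the target; all values are made up.
PATH = [
    Hop("10.0.0.1", "gw.example.test", 0.4),
    Hop("198.51.100.9", None, 3.1),
    Hop("203.0.113.77", "core1.isp.test", 8.7),
    Hop("203.0.113.200", "target.example.test", 12.0),   # the destination host
]

def forward(path, ttl):
    """Model the network: each router decrements TTL; when it hits zero the router
    drops the packet and answers with a 'time exceeded' message from its own
    address. If the packet reaches the last element (the destination), the
    destination itself replies instead."""
    rtt = 0.0
    for i, hop in enumerate(path):
        rtt += hop.delay_ms * 2          # out and back
        ttl -= 1
        is_dest = i == len(path) - 1
        if ttl == 0 or is_dest:
            kind = "reply" if is_dest else "time-exceeded"
            return {"from": hop, "kind": kind, "rtt_ms": round(rtt, 1)}
    return None  # no router expired the packet and nothing answered

def traceroute(path, max_hops=30):
    """Return a list of (ttl, ip, name, rtt_ms) tuples, one per hop, stopping
    when the destination answers, when a probe gets no answer ('*'), or when
    max_hops is exhausted."""
    route = []
    for ttl in range(1, max_hops + 1):
        answer = forward(path, ttl)
        if answer is None:
            route.append((ttl, "*", None, None))
            break
        hop = answer["from"]
        route.append((ttl, hop.ip, hop.name, answer["rtt_ms"]))
        if answer["kind"] == "reply":
            break
    return route

if __name__ == "__main__":
    for ttl, ip, name, rtt in traceroute(PATH):
        print(f"{ttl:2d}  {ip:16s} {name or '(no name)':24s} {rtt} ms")
```

The round-trip time grows with each hop because every probe travels the whole path up to the router that expires it, which is why real traceroute output shows cumulative rather than per-link latency; the `*` entry is the same notation real traceroute prints for a hop that never answers.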

NsLookup

Nslookup is a valuable tool for querying DNS information for host name resolution. It is bundled with both UNIX and Windows operating systems and can be run at the command prompt.
Nslookup allows querying a DNS server other than the default one by typing "server name" (where name is the host name or address of the server you want to use for future lookups). A zone transfer can be done if security is lax. Following is an example:
> nslookup
Default Server: ntsysa06.corp.root
Address: 10.87.122.146
> server 10.2.202.1
Default Server: dns-286-cns-02.corp.com
Address: 10.2.202.1
> set type=any
> ls -d target.com
systemA 1D IN A 10.12.133.147
geekL 1D IN A 10.12.133.151
Nslookup employs the domain name delegation method when used on the local domain. That means a failed query for "systemA.targetcompany.com" will go one level up and try "targetcompany.com". To query a host outside the domain, a fully qualified domain name (FQDN) must be typed.
The Nslookup interface at http://www.zoneedit.com/lookup.html provides an interactive mode.
In addition, the attacker can use the dig and host commands to obtain more information on a UNIX system.
The DNS namespace is divided into zones. For each DNS domain name included in a zone, the zone becomes the storage database for that single DNS domain name and is its authoritative source.
At a basic level, an attacker can try to obtain more information by using the various Nslookup switches.
At a higher level, an attacker can attempt a zone transfer at the DNS level, which can have drastic implications.
To defend the target, inappropriate queries must be refused by the system.
To control zone transfers, specify the exact IP addresses from which zone transfers may be allowed. The firewall must be configured to check access to TCP port 53 (which, unlike UDP port 53, is used for zone transfers rather than ordinary DNS queries). Another best practice is to use more than one DNS server, or the split DNS approach, where one DNS server caters to the external interface and the other to the internal interface. This lets the internal DNS act like a proxy server and checks the leaking of information through external queries.
Check out DNS concepts in RFC 1912 (Common DNS Operational and Configuration Errors), RFC 2182 (Selection and Operation of Secondary DNS Servers) and RFC 2219 (Use of DNS Aliases for Network Services).
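The defences above (transfers only from listed addresses, only over TCP, and split internal/external views) as a small policy model. This is an added example, not the post's own material and not a real resolver's configuration syntax; the request fields, the allowed transfer peer, the internal network and the published external names are all constructed for illustration.

```python
# Added example: a policy model of "refuse inappropriate DNS queries".
import ipaddress
from dataclasses import dataclass

@dataclass
class DnsRequest:
    source_ip: str
    interface: str   # "internal" or "external": which listener received it
    qtype: str       # "A", "MX", "AXFR", ...
    qname: str
    transport: str   # "udp" or "tcp"

# Constructed policy values (assumptions for the example, not from the post).
ALLOWED_TRANSFER_PEERS = [ipaddress.ip_network("10.2.202.1/32")]   # the only secondary
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Split DNS: the only names the external view is allowed to answer for.
EXTERNAL_ZONE = {"target.com", "www.target.com", "mail.target.com"}

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def decide(req):
    """Return "allow" or a "refuse: ..." string for one request."""
    src = ipaddress.ip_address(req.source_ip)
    if req.qtype in ("AXFR", "IXFR"):
        # Zone transfers ride on TCP port 53; anything else is malformed.
        if req.transport != "tcp":
            return "refuse: zone transfers use TCP"
        # The external view never serves the zone, to anyone.
        if req.interface != "internal":
            return "refuse: transfers not served on the external interface"
        # Only the exact listed secondaries may pull the zone.
        if not _in_any(src, ALLOWED_TRANSFER_PEERS):
            return "refuse: source is not an allowed transfer peer"
        return "allow"
    if req.interface == "external":
        # Internal host names (systemA, geekL, ...) are never answered externally.
        if req.qname.lower() not in EXTERNAL_ZONE:
            return "refuse: internal name is not published externally"
        return "allow"
    # Internal interface: answer everything, but only for internal clients.
    if not _in_any(src, INTERNAL_NETS):
        return "refuse: non-internal source on the internal interface"
    return "allow"
```

The ordering matters: transfer requests are checked before the per-view rules so that a transfer can never be allowed merely because it asks for a published name, and the peer list is matched on exact addresses rather than a whole network.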


WHOIS

Several operating systems provide a WHOIS utility. To conduct a query from the command line, the format is:
whois -h hostname identifier (e.g. whois -h whois.arin.net )
Command flags can be added to obtain more specific information. Flags are categorized by query type, and only one flag may be used from each query type.

  • Query-by-record-type
    • n Network address space
    • a Autonomous systems
    • p Point of contact
    • o Organizations
    • c End-user customers
  • Query-by-attribute
    • @ Search for matches by the domain-portion of an email address
    • ! Search for matches by handle or id
    • . Search for matches by name
  • Display flags
    • + Show details (aka "full"); cannot be used with the record hierarchy sub-query
    • - Show summary (aka "list")
  • Record hierarchy
    • <>
    • > Display related records down the hierarchy. For a network, display the subdelegations or subnets below the network
  • Wild card queries
    • WHOIS supports wild card queries. Append * to the query. This can be used in combination with any flag defined above
There are five types of queries that can be carried out on a WHOIS database.
  • Registrar - gives information on potential domains matching the target.
  • Organizational - lists all known instances associated with the particular target and the number of domains associated with the organization.
  • Domain - can be used to find the company address, domain name, administrator and his/her phone number, and the system's domain servers.
  • Network - gives all information related to a particular network or a single IP address. Network enumeration can help ascertain the network block assigned or allotted to the domain.
  • Point of Contact (POC) - displays all information related to a specific person, typically administrative contacts. Also known as query by "handle".
If the organization is a high-security company, it can opt to register a domain in the name of a third party, as long as that party agrees to accept responsibility.
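A small builder that enforces the flag rules listed above (one flag per query type, "+" not combinable with a hierarchy flag, "*" appended for wild cards) before composing the query string. This is an added example, not code from the post; the flag letters are the ones listed above, but the layout of the query string (flags space-separated before the search term) is my assumption, and the argv helper only returns the command line, it does not run it.

```python
# Added example: validate and build an ARIN-style WHOIS query from the
# flag categories described above.
GROUPS = {
    "record type": {"n", "a", "p", "o", "c"},
    "attribute":   {"@", "!", "."},
    "display":     {"+", "-"},
    "hierarchy":   {"<", ">"},   # "<" is listed above without a description
}

def validate_flags(flags):
    """Return None when the flag set is legal, otherwise a string saying why not."""
    seen = {}   # query type -> the flag chosen from it
    for flag in flags:
        for label, group in GROUPS.items():
            if flag in group:
                if label in seen:
                    return f"only one {label} flag allowed, got {seen[label]!r} and {flag!r}"
                seen[label] = flag
                break
        else:
            return f"unknown flag {flag!r}"
    if seen.get("display") == "+" and "hierarchy" in seen:
        return '"+" (full) cannot be used with a record hierarchy sub-query'
    return None

def build_query(term, flags=(), wildcard=False):
    """Compose the query text sent to the WHOIS server."""
    problem = validate_flags(flags)
    if problem:
        raise ValueError(problem)
    if not term or any(ch.isspace() for ch in term):
        raise ValueError("search term must be a single token")
    if wildcard and not term.endswith("*"):
        term += "*"
    # Assumption (not from the post): flags precede the term, space-separated.
    return " ".join([*flags, term])

def whois_argv(server, query):
    """argv for the command-line client shown above; returned, not executed."""
    return ["whois", "-h", server, query]

if __name__ == "__main__":
    print(whois_argv("whois.arin.net", build_query("192.0.2.0", ["n", ">"])))
```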

SmartWhois
SmartWhois is a network information utility that provides all available information about an IP address, hostname or domain name, including country, state or province, etc.
SmartWhois is available for download at www.tamos.com.

Unearthing Initial Information

Open source footprinting
Performing whois requests and searching through DNS tables are other forms of open source footprinting. Most of the information is fairly easy to get and within legal limits. One easy way to check for sensitive information is to review the HTML source code of the website for links, comments, meta tags, etc.
The attacker can choose to source information from:
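The HTML source review mentioned above, done from the site owner's side as an added example (not code from the post): it scans a saved page for HTML comments, named meta tags and links to internal-looking hosts, which is the same material an outsider would read. The sample page and the list of "internal" domain suffixes are constructed for the example.

```python
# Added example: find comments, meta tags and internal host names in saved HTML.
from html.parser import HTMLParser
import re

# Constructed sample page; the hosts and names in it are made up.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="ExampleCMS 2.1">
<meta name="author" content="j.doe">
<!-- TODO: remove before launch, staging db is at db01.corp.internal -->
</head><body>
<a href="http://intranet.corp.internal/wiki">wiki</a>
<a href="https://www.example.test/about">about</a>
<!-- built 2008-01-21 -->
</body></html>"""

# Assumed suffixes that mark a host as internal (adjust for your own naming).
INTERNAL_HOST = re.compile(r"\b[\w.-]+\.(?:internal|local|corp|lan)\b", re.I)

class LeakScanner(HTMLParser):
    """Collects the three things a reviewer wants to see: comments, meta, links."""
    def __init__(self):
        super().__init__()
        self.comments, self.meta, self.links = [], [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and "name" in a:
            self.meta.append((a["name"], a.get("content", "")))
        elif tag == "a" and "href" in a:
            self.links.append(a["href"])

def scan(html):
    """Return findings as (kind, text) tuples plus the sorted set of internal hosts."""
    p = LeakScanner()
    p.feed(html)
    p.close()
    findings = [("comment", c) for c in p.comments]
    findings += [("meta", f"{name}={content}") for name, content in p.meta]
    findings += [("internal-link", href) for href in p.links if INTERNAL_HOST.search(href)]
    # Internal host names anywhere in the source (comments included) are listed too.
    hosts = sorted({m.group(0).lower() for m in INTERNAL_HOST.finditer(html)})
    return {"findings": findings, "internal_hosts": hosts}

if __name__ == "__main__":
    report = scan(SAMPLE_HTML)
    for kind, text in report["findings"]:
        print(f"{kind:14s} {text}")
    print("internal hosts:", ", ".join(report["internal_hosts"]))
```

Every comment and named meta tag is reported regardless of content, because deciding which ones are harmless is a judgement for the reviewer; only links are filtered, on the host-name pattern.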

  • A web page (save it offline, e.g. using an offline browser such as Teleport Pro at http://www.tenmax.com/teleprot/pro/home.htm )
  • Yahoo or other directories (Tifny is a comprehensive search tool for USENET newsgroups)
  • Multiple search engines (All-in-one, Dogpile); groups.google.com is a great resource for searching a large number of newsgroup archives without having to use a tool
  • Advanced search (e.g. AltaVista, where reverse links to vulnerable sites can be unearthed)
  • Searches on publicly traded companies (e.g. EDGAR)
  • Dumpster diving (to retrieve documents that were carelessly disposed of)
  • Physical access (false ID, temporary/contract employee, etc.)
Apart from surfing the site, the attacker can use whois or nslookup to collect information. www.allwhois.com is considered a comprehensive whois interface.
There are tools available to aid whois:
Readers are encouraged to read RFC 1034, RFC 1035 and STD 13, the Internet standard for the Domain Name System.

Footprinting

Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodological manner.
The information unveiled at the various network levels can include details of domain names, network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, access control mechanisms and related lists, phone numbers, contact addresses, authentication mechanisms and system enumeration.
Information gathering activity can be broadly divided into seven phases:

  1. Unearth initial information
  2. Locate network information
  3. Ascertain active machines
  4. Discover open ports / access ports
  5. Detect operating system
  6. Uncover services on ports
  7. Map the networks
Footprinting includes the first two phases listed above. Footprinting is required to ensure that isolated but critical information repositories are not overlooked or left undiscovered.

Deliverables

In the final phase of evaluation, the ethical hacking report presents the results of the hacking activities, the vulnerabilities found and the recommendations given to avoid exploitation. The objective should be to bring into effect a permanent security solution rather than a temporary patch. If social engineering testing has exposed problems, the report should address this issue with specific recommendations to raise the awareness of the people concerned. The report must include specific recommendations on how to close the vulnerabilities and keep them closed.
Usually, the ethical hacking report is delivered in hard copy and the soft copy is destroyed for security reasons. For instance, if this report is accessed by the wrong people or by people with the wrong intentions, it can have catastrophic consequences. One common example is the report being used for corporate espionage: the cracker can use the information to break into the system. However, for a long-term client the ethical hacker might need the information for further investigation. In this case the organization can store it in encrypted form on an offline system with very limited access. Hard copies should be stored in a safe with all copies numbered.
There are certain issues to be considered in delivering the report, such as who would receive it and how the sensitive report would be conveyed. The ethical hacker has an ongoing responsibility to ensure the safety of all information they retain, so in some cases all information is destroyed at the end of the contract.