ECCouncil CEH V9 312-50 – FootPrinting – Reconnaissance and Information Gathering Part 2

  1. DNS Databases

Okay, so the next thing we want to talk about is the DNS server itself and more specifically the record types that it holds because they do hold a bit of information. I briefly went through some of them, but we’re going to go ahead and elaborate on them just a little bit more. Now as you can see here, the host record or the A record, which is what you’ll typically see in a DNS dump, maps a domain name to an IP address. The reverse lookup record maps an IP address to a domain. If you’ve ever done a traceroute, which we’ll see in a couple of slides, it goes out, has a domain and looks up the IP address of that domain at its DNS server.

The name server identifies the server name for a delegated zone. Now in reality, there is not one server on the Internet that knows it all. It’s just simply too big. So the DNS database contains a hierarchical database of portions of the Internet. So we have our root servers that are at the root of the Internet and if I’m not mistaken, there’s like 16 of them.

Then from the root servers we have our top level domains that will be like our .com servers. Then we move down to the server that we are going to host or our ISP is going to host. That is where our name server would hold. Now, depending upon fault tolerance or depending upon whether you are looking to have speed or efficiency, you may place the name servers in different locations. Maybe you want the Internet service provider to hold all of them.

Maybe you want to hold one of them and they hold another one. Or you could hold all of them. It doesn’t make any difference, but you have to have at least two. I talked a little bit about the SOA record but I didn’t really explain what it is. It’s called the start of authority. And the way that I like to explain it, I’ll pick somebody out in class, let’s call him David. And we said David basically knows everything there is to know about Microsoft Windows. We would say that David is an authority on this subject, wouldn’t we? Just like David is an authority on Microsoft Windows.

The start of authority is always the person who knows everything about a particular domain. So when we go to look up a particular record, www as an example, microsoft.com, we’re going to go to the microsoft.com DNS server and it’s going to reply yes I have it, or no I don’t. If it replies from an SOA record, we know there is nobody else that has it.

Not one of the secondaries has it because everything transfers from the primary, which is the SOA. Now you’re getting the better idea of how important that SOA record actually is. The service locator or SRV is what we use to kind of link things together in a lot of our X.500 or Active Directory type systems. The mail record and the mail server record as well. Thanks.

  1. Traceroute Operation

Okay, guys, so the next thing we want to talk about is traceroute or tracert, depending upon which operating system you’re using. Traceroute is used to determine the path that’s taken through a network to get to the target machine. In other words, the path the packet takes to get through the network to the target. And so when you look at traceroute, it’s typically used to determine where congestion is, because it measures an amount of time for each one as it goes through. But what’s important to understand is that there is a field in the IP header of every packet called the TTL field. TTL stands for time to live. If I were to set that TTL value to one, every router that you go through, it’s subtracted by one. So when it goes through this router, the TTL is subtracted by one. Now it’s a TTL of zero. An ICMP (which is typically what we know as a ping packet) time exceeded is sent back to the source host with the IP address of this router’s interface. Then we send out another packet setting that TTL to two. It goes through this router, then it goes through this router. Now it’s again set to zero. That ICMP packet is sent through here with this IP address as its source.

So when we see the traceroute come out on our screen and it starts giving us information, but it gives it a little bit slowly, now you have a better idea of what actually is happening. So here lastly, the TTL is set to three. Now it’s set to two, now it’s set to one, and then zero when it gets to the destination host. So it goes through each one of these on the Internet so that you’re able to identify where the packet came from and where the congestion might be.

Now, traceroute is typically considered to be a diagnostic tool using ICMP like ping, which mainly relies on the time to live field. This program attempts to trace the route an IP packet would go through the Internet. Of course, we’ll start our probes with a TTL of one, increase it by one till we get to the port unreachable or the TCP is reset, which means we got to the host or hit a maximum. It typically will default to 30 hops. But I’ve seen TTLs that are set all the way up to 254, but generally you don’t see them that high. If you have to go through that many hops on the Internet to get to your destination, well, you got bigger problems anyway. Three probes by default are sent at each TTL setting, and a line is printed showing the TTL, address of the gateway and the round trip time of each probe. The address can be followed by additional information when requested. If the probe answers come from different gateways, then the address of each responding system will be printed. If there is no response within 5 seconds, which is the default, an asterisk is printed for that probe.

Now, do you remember on the last section we talked about the asterisk being printed as a firewall? People don’t tend to want you to know where their firewall is at, what the IP address of it is. And so that’s what you’ll see a lot of times with traceroute. Here’s a screenshot of what it looks like. In this example, the Linux traceroute command is used to determine the path taken to get to a Yahoo server. And so we typed in traceroute yahoo.com. It starts out and it hits Ms home me net home router.

Okay, went through a couple of those. Then we went and hit the service provider because that’s the first public IP address. Then hop through here. You can see how long it’s taking to hop through. Remember we talked about the three probes, three different values here then. And this all takes a certain amount of time. And so when you’re starting to do the traceroute, it’s going to paint this a little more slowly. It’s also going to attempt to look up the domain name of this as well. That’s what that reverse record does. So if we only have an IP address, it couldn’t find that PTR record in that particular domain. As we go all the way through, we end up getting to Yahoo’s server.

The last thing I want to talk about real quickly are various tools that are on the Internet that we can use to perform this function. Typically we want to look for stars. Typically we want to try and find out where the firewall is and those types of things. This tool right here is called Opus Internet Services. Here I could enter in CNN.com, trace that puppy, and it’s going to come from opus.com’s IP address all the way out to CNN. CNN, as you imagine, hit their firewall and it ended up being stars. But what went in to CNN’s logs was not my IP address, but opus.com’s IP address.
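The TTL walk described in this section, as an added example that is not part of the lecture: a simulation that sends no packets and shows why a device that drops expired probes silently appears as a row of asterisks. The `Hop` class, the function names and the sample path (private and documentation addresses) are constructed for illustration.

```python
"""Simulation of the TTL walk that traceroute performs (added example).

No packets are sent: the path below is constructed sample data using
private and documentation address ranges, and hop 3 is a device that
silently drops expired packets, the way a filtering firewall does.
"""
from dataclasses import dataclass

MAX_HOPS = 30        # default maximum TTL mentioned in the lecture
PROBES_PER_TTL = 3   # three probes per TTL value


@dataclass
class Hop:
    address: str
    answers_expired: bool = True   # False: no ICMP time exceeded is returned
    is_destination: bool = False


# Constructed path: home router, ISP edge, silent firewall, target host.
SAMPLE_PATH = [
    Hop("192.168.1.1"),
    Hop("198.51.100.1"),
    Hop("203.0.113.1", answers_expired=False),
    Hop("203.0.113.80", is_destination=True),
]


def send_probe(path, ttl):
    """Forward one probe; return (reply_type, source_address) or None."""
    for hop in path:
        if hop.is_destination:
            # Probe arrived: the closed UDP port triggers port unreachable.
            return ("port-unreachable", hop.address)
        ttl -= 1                      # each router subtracts one
        if ttl == 0:
            if hop.answers_expired:
                return ("time-exceeded", hop.address)
            return None               # dropped silently, probe times out
    return None                       # path ended without a destination


def trace(path, max_hops=MAX_HOPS, probes=PROBES_PER_TTL):
    """Return one (ttl, [address or '*', ...]) row per TTL tried."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, ttl) for _ in range(probes)]
        rows.append((ttl, [r[1] if r else "*" for r in replies]))
        if any(r and r[0] == "port-unreachable" for r in replies):
            break                     # destination answered, stop here
    return rows


def silent_hops(rows):
    """TTL values where every probe timed out (rows of asterisks)."""
    return [ttl for ttl, cols in rows if all(c == "*" for c in cols)]


if __name__ == "__main__":
    for ttl, cols in trace(SAMPLE_PATH):
        print(f"{ttl:2d}  " + "  ".join(cols))
```
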

  1. Instructor Demonstration: Online Tools

Okay, so the next couple of things that we want to briefly discuss are other online tools that we might be able to use. Remember, if we want to be stealthy, we don’t want to use a tool on our own machine. We want to use a tool on somebody else’s machine to put their IP address into the log. So this particular company in Germany, dirk-loss.de, has a number of different tools on here. And the reason why they have it here in Germany is because for a while there, it was illegal to own hacking tools. Well, that meant that anyone who was an ethical hacker couldn’t even try and hack themselves. So they found the error of their ways and changed that law around. But be that as it may, these hacking tools are out here and online and very easy to use. Some other tools that we could use, this happens to not be an online tool, but it’s something called NeoTrace.

If we want to be able to trace the packet all the way through the Internet visually, this might be very helpful for us. So actually, this probably should have been in the traceroute portion, because that’s really what it’s doing. It’s tracing that packet visually. And it’s very, very interesting to see how sometimes it hops around the world before it actually comes back to you. Other online tools would be the EDGAR database.

Now, I mentioned the EDGAR database previously in another lecture, but the EDGAR database is specific because it deals with the Securities and Exchange Commission. So more specifically, acquisitions and mergers. Now, think about it. When one company merges with the other, the one company that takes over the other has to bring the other into the fold. When I worked at the mortgage company, that was a lot of my job. They would send me out, and I was maybe going up to Kansas City, and I had to get this particular company that we bought merged into ours. I would call back to the CEO and tell them we were using OSPF and they were using EIGRP. And I was trying to explain that my CEO would tell you, Tim talking Friday, let’s get to it. I didn’t have enough time to do the job correctly. They were more interested in talking to them, and this is generally the case. So during an acquisition or a merger, the company that is being acquired is oftentimes at a much lower security stature. Looking there in America, we’d look in the EDGAR database. If we look at it in Britain, we’d look in the Companies House database. Likewise, we can also use a number of people search tools. If we got that domain name whois information, and we were looking for the gentleman at SMU or Bruce Malinki, I think was the other one that was in there.

We could plug these in and find out other information about them, where they’re from, all kinds of stuff about them. Use that in social engineering tools. If I needed to have the CEO get out of his office, for example, I could very easily call up, I found out he has two children and what elementary school they go to. I could call up posing as the hospital and say, this is such and such hospital. Your two daughters were in an accident. We need you to come down here. Now, any father would drop everything and go right down to that hospital. Maybe a cruel way of doing it, but definitely a way of getting that person out of the office. Another one could be Google Maps.

Now, you might say, well, why would we be interested in Google Maps? You would be interested because of social engineering. Even if you’re on the other side of the world, you’re on the telephone trying to make them think you know something about the company. You could go down to the street view in Google and say, oh, you know that Starbucks that’s on the corner there? I’m sitting over there now, but I can come over in just a bit.

  1. Spokeo – No Refuge for the Wealthy

Okay, let’s talk about a few tools. One of them is called Spokeo. And I have on this slide no refuge for the wealthy because virtually everyone in America is on here. It really makes you think when you start off by looking at this kind of stuff, how much information we’re leaving on the Internet. And I challenge you to go out to Spokeo and put in your name and maybe your state if you’re in the US. Or perhaps you know somebody in the US. The name of somebody, and you could find out a tremendous amount of information on that person. Spokeo is a people search website that aggregates data from a lot of online and offline sources. Phone directories, social networks, photo albums, marketing surveys, all kinds of stuff. They supposedly buy this. In reality, they are buying it, but they are also selling it. That’s how the Internet works, folks. The Internet works. There’s two things that you need to understand about the Internet. You typically go on the Internet because you are looking for something or you are the product. What do you mean, Tim? I am the product.

Think about it. You are the product. And I’m going to prove that to you here in just a second when I show you how much information is already gathered on you. So this aggregated data has in the past included demographic data, social profiles, estimated property, and wealth values. A lot of the data collected by Spokeo is publicly accessible from its original sources, according to the site. It does not originate the data and buys it from somebody else. That may be true. The information originates from people that provide public information, even if a person isn’t on Twitter or Facebook. And I’m not sure I’ll believe all that, but okay, that’s what they say.

Let’s go ahead and take a look. And I just tried to think of somebody that I could search for. And this was a guy that was my old roommate in college. All right. And his name was Randall Allen. I just put in Randall Allen. I know he lives in Missouri somewhere. All right, so let’s see if we can try and find him. Randall Allen, let’s see, probably okay, I know that he had a son named Nicholas, and I know his mother’s name was Helen and his wife’s name was Lisa.

So this has got to be him. Now you can see it’s going to tell me what street he lives on. It’s going to give me any of his social profiles, contact information, any court records. Like, for example, I know he’s probably still married to Lisa because there’s no court records showing that. Because a court record he had a divorce or something like that. I haven’t talked to this guy in 15 years, probably location, history, all the places he’s been to before. There’s a huge amount of information that’s available here. Before you stop on this, I want to show you something that’s going to be a little bit difficult for you to swallow. I opened up my browser and I’m going to install a little add-on into Firefox called Ghostery.

Go ahead and install this. It’s downloaded. All right, so I’m going to start up Ghostery, and you can see it’s showing me how many robots are detected on this particular site. Let’s go out to a site that maybe you think you might be gathering our information. Let’s just go out to CNN.com just for grins and giggles. Okay, so each one of these trackers is starting to rise. Now, as we click on a particular area, let’s say Bill O’Reilly, for example, it might determine I’m a Republican, perhaps. Or this Eli Manning over here might determine that I’m a football fan. You kind of get the idea of what’s actually going on. Eli Manning I’ve done nothing wrong. A number of different things. As I click through these, it’s gathering that information that it aggregates. And this is used to sell you stuff. Folks, if you think the Internet is free because they just like the way you look, I’m afraid to bust your bubble. That’s not the reason for it. They want your information. Absolutely. Now you understand why I say you are the product. We already have 22 trackers on here. It’s going to tell me all the people who are tracking me. Now, if you don’t think this is somebody that they’re selling that information to and what I click, you got another thing to learn. There’s no free lunch, folks. This is how the Internet works.

  1. Netcraft, Domains by Proxy, Countermeasures

Well guys, believe it or not, we’re just about done with this particular section. Got just a couple more things to talk about. We’ll round it up with some footprinting countermeasures and then we’re absolutely done. The next thing I want to talk about is a web server information tool and it gives away a lot of information. It’s called Netcraft. It’s often referred to as what’s this site running? Well, the tool can give you a report on the operating system provider, the uptime of the destination web server. Now think about that for just a second. Let’s say, for example, I went out to some website and I see that the web server has been up for let’s say, a year. What does that tell you about the patch level of that server? It probably hasn’t been patched in a year either. Although it doesn’t record all sites on the Internet, there’s usually information that can be valuable for evaluating server exploits. Security vulnerabilities tend to be dependent on the software vendor and its version. Blind probing could lead to further requests being denied or a system temporarily taken offline.

So they may lock you out based on their IDS or their firewall. Knowing the web server details greatly increases the efficiency of any attack. If an attacker can target exploits, the chances of successful cracking prior to detection increase significantly. That’s what this whole chapter has been about. Footprinting, knowing the blueprint before we start the attack. Script kiddies can also leverage canned or newly discovered exploits to do more damage faster than targeting exploits. Remember at the very first of this we were talking about the time when a patch is released until the patch is actually patched. So if we look at the version of the web server we might find out that this is vulnerable to that and decide we’re going to attack it.

So let’s go ahead and take a look. Now I’ve already gone out to a website using Netcraft and I of course went to my old favorite SMU and I want you to take a look at some of the information that’s on here. It was first seen on the Internet in 1995 and most schools they’re going to be real popular on the Internet. I would have expected it to be before then. It’s giving us a lot of information. The reverse DNS that’s being used, its name server, its primary name server. Remember, we already determined it was pony.cis.smu.edu. It went out and detected which one has the SOA record. Notice also here is a little bit of a history here. All right, we’ve got a Windows 2003 server, okay, that’s a little bit old in my opinion. A Citrix NetScaler maybe doing load balancing or some other things on that. It’s looking at security information on the policy block list. Let me explain to you a particular record that’s of importance to a lot of people.

It’s called the Sender Policy Framework record, or the SPF record, in the DNS. If you don’t have an SPF record, I can easily spoof anyone I want to and there is no way of determining without a lot of digging that that person didn’t send an email. Let’s say, for example, I wanted to send out an email as the president of this university, if they didn’t have an SPF record in their DNS, I could easily do that and for all practical purposes it will look exactly like the email that came from the president of the university. Maybe he authorizes me to go in and look at his servers. If I am going to be that person coming in to look at it and I want to plant some malware or something like that, it gives me a lot of information. Web trackers, the site technology being used, we know that it’s ASP.NET. They’re using JavaScript. Well, who’s not using JavaScript? They’re using Bootstrap, and Bootstrap basically allows you to put it on different devices, if you will. Some statistics they’re using, the character encoding they’re using. As you can see, this gives me a lot of information. The next thing I want to talk about is something called Domains by Proxy. We have talked a little bit, actually quite a bit about the whois information.

There is a way to protect the whois information. Giving you some ideas on protecting the whois information by simply naming it more ambiguously. We said to use hostmaster@smu.com or the main public telephone number. We can go even further than that. First off, you need to understand you can’t just name the person on there Mickey Mouse or Donald Duck or something like that, because as soon as the registrar finds out you’re doing that, they will disconnect you and it may take you three or four days to get reconnected again. Think of that if you’re an online ecommerce business or something, you just simply can’t take that chance. The problem is we need to be as accurate as we can so that an individual that needs to get a hold of us can do so. But we can also put up a little bit of a harder time for them to get right through. So we don’t have the social engineers banging down our door either.

Enter domainsbyproxy.com. This is generally a service that you purchase when you purchase your domain name. For example, I like to explain this as the firewall administrator. If you want to open up a port in the firewall, before they even finish the sentence, it’s no. I need you to open up a port, and no, I didn’t even finish, it was still going to be no. That’s kind of the position you need to take as a firewall administrator. Well that’s basically what Domains by Proxy does. When you query the whois information, they basically send out the information saying that this is locked up by Domains by Proxy. And if you ask Domains by Proxy, their answer is going to be no. The default is don’t give out any information. Now they have to with a court order. Well, that’s fine.

If they need to get a hold of me with a court order, I have no problem with that. But just any Tom, Dick, and Harry cannot get a hold of me on the Internet. This service generally costs about $7 or so a year, and I tell you, it’s definitely worth it. Finally, let’s talk about the countermeasures. We’ll wrap this up. Sanitize our DNS registration and contact information to be as generic as possible. For example, the IT director, main company telephone number, techsupport@acme.com. Better yet, you could use hover.com to mask whois information for free. They actually offer a free service for that. Have two DNS servers: one internal, one external. The external DNS server should contain only resource records of the DMZ, anything that’s not inside of your private network. For additional safety, don’t allow zone transfers to any IP address, only to your DNS server.

Regularly scan the search engines to see if links to your private services are available: terminal server, Outlook Web Access, VPN, those kinds of things. Consider carefully crafting job postings to reveal less about the IT infrastructure. More than likely, you’re going to want to use Monster.com. And don’t even tell them who the company is. After they’ve gotten their resume and you’ve checked them out, well, then we’ll discuss who we are. Be aware of possible leakage of information due to disgruntled employees, especially during layoffs and mergers. Use Google Apps that can use a catch-all email or a web service that has an email catcher and utilize that for a user ID. This is usually a problem because I can send you an email, and if it bounces back, I know that person doesn’t exist in your organization. But if it doesn’t bounce back, I might be able to assume it does. Using an email catcher, anything at such and such domain will come to one particular person.

Avoid cross level linking for critical assets, encrypt passwords, and protect sensitive information. All of this is important information. Educate employees about various social engineering tricks and risks. The only way that you’re going to be able to stop something from happening is to make them aware of it. And I would suggest doing this in a security lecture of some kind that you provide them at the company.
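A check for the SPF record discussed in the Netcraft walkthrough above, as an added example that is not part of the lecture: it classifies a domain's published TXT records by how they treat mail from unlisted senders. The domain names, TXT strings and function names are constructed for illustration; in practice the strings would be the answers to a TXT query for your own domain.

```python
"""Offline check of a domain's SPF posture from its TXT records (added example).

The TXT strings below are constructed sample data, not real zone contents.
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample: domain name -> TXT strings published at that name.
SAMPLE_TXT = {
    "enforced.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "soft.example": ["site-verification=constructed", "v=spf1 mx ~all"],
    "open.example": ["v=spf1 a mx +all"],
    "nospf.example": ["site-verification=constructed"],
    "double.example": ["v=spf1 mx -all", "v=spf1 ip4:198.51.100.7 -all"],
}


def spf_records(txt_records):
    """Keep only TXT strings that are SPF version 1 records."""
    found = []
    for txt in txt_records:
        terms = txt.strip().split()
        if terms and terms[0].lower() == "v=spf1":
            found.append(terms)
    return found


def spf_posture(txt_records):
    """Return (status, detail) for how unlisted senders are treated."""
    records = spf_records(txt_records)
    if not records:
        return ("missing", "no SPF record: receivers cannot check the sender")
    if len(records) > 1:
        return ("invalid", "multiple SPF records: evaluation is a permanent error")
    terms = records[0][1:]
    for term in terms:
        qualifier, mechanism = "+", term.lower()
        if mechanism[0] in QUALIFIERS:
            qualifier, mechanism = mechanism[0], mechanism[1:]
        if mechanism == "all":
            result = QUALIFIERS[qualifier]
            if result == "fail":
                return ("enforced", "-all: unlisted senders fail")
            if result == "softfail":
                return ("soft", "~all: unlisted senders are only marked")
            return ("open", f"{qualifier}all: unlisted senders are not rejected")
    if any(t.lower().startswith("redirect=") for t in terms):
        return ("delegated", "policy comes from the redirect target")
    return ("open", "no 'all' mechanism: default result is neutral")


def audit(zones):
    """Map each domain to its SPF status."""
    return {domain: spf_posture(txts)[0] for domain, txts in zones.items()}


if __name__ == "__main__":
    for domain, txts in SAMPLE_TXT.items():
        print(domain, *spf_posture(txts), sep=" | ")
```

SPF is evaluated against the envelope sender, so a domain that reports `enforced` here still needs DMARC to tie the result to the From address a recipient sees.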
