Unit 2 - Notes
INT244
Unit 2: Footprinting and Scanning
1. What is Footprinting?
Footprinting is the first phase of the ethical hacking and systems security testing process (often referred to as Reconnaissance). It involves gathering as much information as possible about a target network, system, or organization to identify various ways to intrude into the system.
Key Characteristics:
- Passive vs. Active: It is primarily passive (gathering publicly available information without touching the target's systems), though it can include active elements such as querying the target's own DNS servers.
- Goal: To create a detailed map or blueprint of the organization’s security posture.
- Outcome: IP address ranges, namespace, employee information, phone numbers, facility information, and job information.
2. Threats Introduced by Footprinting
The information gathered during footprinting allows an attacker to identify vulnerabilities. If an attacker creates a comprehensive profile of the target, the following threats emerge:
- Social Engineering Attacks: Using gathered employee names, roles, and contact details to manipulate staff into revealing credentials.
- Network Mapping: Identifying network topology helps attackers focus on specific servers or firewalls.
- System Vulnerability Exploitation: Knowing the OS version or software used (via job postings or metadata) allows attackers to prepare specific exploits (e.g., buffer overflows).
- Denial of Service (DoS): Knowing the network range allows attackers to flood specific critical gateways.
- Privacy Loss: Exposure of sensitive corporate or personal data.
3. The Footprinting Process
The footprinting process follows a methodical approach to ensure no data point is missed.
- Information Gathering: Collecting information from open sources (Internet, Whois, DNS).
- Determining the Network Range: Identifying the target's public IP address blocks (e.g., via Whois/RIR lookups) and subnet masks.
- Identifying Active Machines: Finding which systems are live (Ping sweeps).
- Finding Open Ports and Access Points: Identifying entry points to the network.
- OS Fingerprinting: Identifying the operating system to tailor attacks.
- Service Fingerprinting: Identifying specific services running on ports.
- Map the Network: Drawing the network topology.
4. Information Gathering Techniques
A. Using Search Engines
Search engines are the primary tool for passive reconnaissance.
- Netcraft: Used to determine the operating system and web server software (e.g., Apache vs. IIS) used by a target domain.
- Shodan: A search engine specifically for Internet-connected devices (IoT, webcams, SCADA systems).
- Whois Lookups: Not a search engine as such, but queries against registrar and RIR databases for domain registration details (Registrar, Owner, Contact Email, Name Servers) and IP address allocations.
B. Google Hacking (Google Dorks)
Google Hacking involves using advanced operators in the Google search bar to locate specific strings of text within search results. Attackers use this to find vulnerable servers, passwords, or sensitive files.
Common Operators:
- site: Restricts results to a specific domain.
- filetype: Searches for specific file extensions (pdf, doc, xls).
- intitle: Searches for text in the title of the page.
- inurl: Searches for text in the URL.
Examples:
# Find password lists in text files
filetype:txt "password" OR "login"
# Find directory listings (vulnerable server configuration)
intitle:"index of" "parent directory"
# Find sensitive government documents
site:gov filetype:xls "social security"
C. Social Networking
Attackers scour LinkedIn, Facebook, Twitter, and Instagram.
- LinkedIn: Reveals organizational hierarchy, technologies used (via skill endorsements), and potential targets for spear-phishing (e.g., identifying the System Administrator).
- Personal Sites: Reveals answers to security questions (mother's maiden name, pet's name, birth dates).
D. Financial Services
Financial data provides insight into the company's stability and technology stack.
- EDGAR Database (SEC): Publicly traded companies file reports here. These may disclose mergers (integration chaos), software acquisitions, or key personnel changes.
- Job Boards: Vacancy listings often reveal the exact antivirus, firewall brand, or OS version the company uses (e.g., "Looking for Administrator with Cisco ASA 5500 experience").
5. What is Scanning?
Scanning is the second phase of ethical hacking. While footprinting acts as reconnaissance (looking at the map), scanning involves probing the network to discover specific entry points. It is generally active and can trigger Intrusion Detection Systems (IDS).
Objectives of Scanning:
- Detect live systems running on the network.
- Discover which ports are open.
- Identify the Operating System (OS).
- Identify services and their versions.
6. Types of Scans
- Port Scanning: Sending packets to specific ports to determine if they are listening (Open), Closed, or Filtered (blocked by firewall).
- Network Scanning: Identify active hosts (IP addresses) on a network range.
- Vulnerability Scanning: Using automated tools to find known weaknesses in the software running on open ports.
7. Family Tree of Scans
The "Family Tree" refers to the different port-probing methods, distinguished mainly by which TCP flags the probe sets and by how the target's reply (or silence) is interpreted.
A. TCP Connect Scan (Full Open Scan)
- Mechanism: Completes the 3-way handshake (SYN, SYN/ACK, ACK) through the normal connect() system call.
- Pros: Reliable; does not require root privileges because the OS builds the packets.
- Cons: Very noisy; because the connection is completed, the service itself sees it and writes it to its logs (and any firewall or IDS sees the full session).
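Added example (not part of these notes): a TCP connect scan written with ordinary sockets, which is exactly why it needs no root. Because a real target cannot be assumed here, the demo() function builds a constructed local fixture on 127.0.0.1: one listening socket so there is a known open port, and a freshly released ephemeral port so there is a known closed one. The host, port list and timeout are parameters chosen for the example.

```python
import socket
from typing import Dict, Iterable


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Full-open scan using ordinary sockets.

    The kernel performs the whole three-way handshake, so no raw sockets and no
    root are needed.  Per-port result:
      'open'     - connect() returned: SYN, SYN/ACK, ACK all exchanged, and the
                   service has already seen (and probably logged) the connection
      'closed'   - the host answered the SYN with RST (ECONNREFUSED)
      'filtered' - nothing came back before the timeout, which is what a
                   firewall silently dropping the SYN looks like
    """
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except (socket.timeout, OSError):
                # Timeout, or an ICMP unreachable (EHOSTUNREACH/ENETUNREACH) with no RST.
                results[port] = "filtered"
    return results


def demo(host: str = "127.0.0.1") -> dict:
    """Constructed local fixture (assumption for the example): open one listener so
    there is a known open port, and bind-and-release a second ephemeral port so
    there is a known closed one.  Returns the ports and the scan result."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind((host, 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so the kernel answers with RST

    try:
        scan = connect_scan(host, [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "scan": scan}


if __name__ == "__main__":
    print(demo())
```

Note that "filtered" can only be inferred from silence; on loopback there is no firewall, so the demo only produces open and closed results. The open port's listener never calls accept(), yet the connection still counts as open because the kernel completed the handshake from its backlog, which is also why the target's application logs see a connect scan.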
B. Stealth Scan (Half-open / SYN Scan)
- Mechanism: Sends SYN. If the target replies SYN/ACK, the scanner sends RST (Reset) instead of ACK, so the handshake never completes.
- Pros: The application never sees a connection, so the probe does not appear in service logs; it is also faster than a full connect.
- Cons: Requires root privileges to craft raw packets, and the SYN is still visible to firewalls and IDS.
C. Inverse TCP Flag Scans
These scans use flag combinations that never occur in a normal session. RFC 793 says a closed port must answer such a segment with RST, while an open port must drop it silently, so the presence or absence of a reply is the signal.
- Xmas Scan: Sets FIN, URG, and PUSH flags (lights up like a Christmas tree).
- Open Port: No response (Nmap reports open|filtered, since a firewall dropping the probe looks identical).
- Closed Port: Sends RST.
- FIN Scan: Sends only the FIN flag.
- NULL Scan: Sends a packet with NO flags set.
- Note: These work against RFC-compliant stacks (most Unix-like systems) but not against Windows, Cisco IOS and some other stacks, which reply with RST from every port regardless of its state, so every port appears closed.
D. ACK Flag Probe
- Mechanism: Sends an ACK packet.
- Goal: Used to map firewall rulesets. It determines whether a port is "filtered" or "unfiltered" rather than open/closed: an RST reply means the probe reached the host (unfiltered); no reply or an ICMP unreachable error means a stateful firewall dropped it (filtered).
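Added example (not from these notes): the whole scan family expressed as bytes on the wire. build_tcp_probe() packs a 20-byte TCP header with the flag combination of each scan type (SYN, FIN, NULL, Xmas, ACK) and computes the real TCP checksum over the IPv4 pseudo-header, which is what a raw-socket scanner must do itself (and why it needs root). classify() then turns the target's reply, or its silence, into the state a scanner reports. The IP addresses and ports are placeholders from documentation ranges; nothing is transmitted.

```python
import socket
import struct
from typing import Optional

# TCP control bits (RFC 793), as they sit in byte 13 of the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# What each member of the scan family puts in its probe.
SCAN_FLAGS = {
    "syn": SYN,               # half-open: on SYN/ACK the scanner answers with RST
    "fin": FIN,
    "null": 0,                # no flags at all
    "xmas": FIN | PSH | URG,  # "lit up like a Christmas tree"
    "ack": ACK,               # firewall-rule mapping, not open/closed
}


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                    flags: int, seq: int = 0, window: int = 1024) -> bytes:
    """Return a 20-byte TCP header (no options, no payload) carrying `flags`,
    with a valid checksum.  A raw-socket scanner would hand this to sendto()."""
    data_offset = 5 << 4  # header length in 32-bit words, high nibble of byte 12
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         data_offset, flags, window, 0, 0)
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: summing pseudo-header + segment (checksum included) yields 0."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> int:
    """The six classic control bits of a TCP header."""
    return segment[13] & 0x3F


def classify(scan: str, response: Optional[int]) -> str:
    """Map probe type + response flags (None = no reply) to the state a scanner reports."""
    if scan == "syn":
        if response is None:
            return "filtered"
        if response & SYN and response & ACK:
            return "open"            # the scanner now sends RST instead of ACK
        if response & RST:
            return "closed"
    elif scan in ("fin", "null", "xmas"):
        if response is None:
            return "open|filtered"   # RFC-compliant open port stays silent; so does a dropping firewall
        if response & RST:
            return "closed"          # or *any* port on Windows, which RSTs regardless of state
    elif scan == "ack":
        if response is None:
            return "filtered"
        if response & RST:
            return "unfiltered"      # the probe reached the host; says nothing about open/closed
    return "unknown"


if __name__ == "__main__":
    for name, flags in SCAN_FLAGS.items():
        probe = build_tcp_probe("192.0.2.10", "192.0.2.20", 40000, 80, flags)
        print(name, probe.hex(), "flags=0x%02x" % tcp_flags(probe))
```

Sending these requires a raw socket (socket.SOCK_RAW with IPPROTO_TCP), which is the root requirement mentioned above; the kernel will also RST any SYN/ACK that arrives for a port it has no socket on, which is exactly the behaviour a half-open scanner relies on.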
8. OS Fingerprinting
OS Fingerprinting is the method of determining the operating system of a remote computer.
A. Active Fingerprinting
- Method: Sending specially crafted packets to the target and analyzing the response. Different OSs implement the TCP/IP stack slightly differently.
- Parameters analyzed:
- TTL (Time to Live): E.g., Linux often defaults to 64, Windows to 128.
- TCP Window Size.
- DF (Don't Fragment) bit.
- Tool: Nmap (Command: nmap -O <target>).
B. Passive Fingerprinting
- Method: Sniffing network traffic without sending packets. The scanner analyzes packet headers from normal traffic flowing from the target.
- Tool: p0f.
- Stealth: Higher than active fingerprinting as no new traffic is generated.
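Added example (not from these notes, and not p0f's own code): the core of passive fingerprinting, run over constructed packets instead of sniffed traffic. parse_ipv4_tcp() pulls TTL, the DF bit and the SYN window size out of a raw IPv4+TCP frame; fingerprint() infers the initial TTL (and therefore the hop distance) and looks the triple up in a small signature table. The table holds common default values but is deliberately simplified and is an assumption of the example; real p0f also uses TCP option order, MSS and window scaling. make_syn() builds the sample frames (constructed input, documentation addresses).

```python
import socket
import struct

# Simplified signature table: (initial TTL, SYN window size, DF bit) -> OS guess.
# Illustrative defaults only; a real tool uses many more header details.
SIGNATURES = {
    (64, 29200, True): "Linux (modern kernel default)",
    (64, 65535, True): "macOS / FreeBSD",
    (128, 8192, True): "Windows (Vista and later)",
    (128, 65535, True): "Windows XP / 2003",
    (255, 4128, False): "Cisco IOS",
}

INITIAL_TTLS = (32, 64, 128, 255)  # the starting values operating systems actually use


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Pull the fields a passive fingerprinter cares about out of a raw IPv4+TCP frame."""
    ver_ihl, _tos, _total, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != socket.IPPROTO_TCP:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:ihl + 20]
    sport, dport, _seq, _ack, _off, tcp_flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    return {
        "ttl": ttl,
        "df": bool(flags_frag & 0x4000),  # Don't Fragment is bit 1 of the 3-bit flags field
        "syn": bool(tcp_flags & 0x02) and not (tcp_flags & 0x10),  # SYN without ACK
        "window": window,
        "sport": sport,
        "dport": dport,
    }


def guess_initial_ttl(observed: int) -> int:
    """Observed TTL = initial TTL - hops; pick the smallest common initial value not below it."""
    return next(t for t in INITIAL_TTLS if t >= observed)


def fingerprint(packet: bytes) -> dict:
    """Classify the sender of an initial SYN without sending anything back."""
    f = parse_ipv4_tcp(packet)
    if not f["syn"]:
        raise ValueError("fingerprint needs the initial SYN (window/options are set there)")
    initial = guess_initial_ttl(f["ttl"])
    f["initial_ttl"] = initial
    f["hops"] = initial - f["ttl"]
    f["os_guess"] = SIGNATURES.get((initial, f["window"], f["df"]), "unknown")
    return f


def make_syn(ttl: int, window: int, df: bool,
             src: str = "203.0.113.5", dst: str = "198.51.100.9") -> bytes:
    """Constructed IPv4+TCP SYN frame (no options, zero checksums) used as sample input."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, ttl,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for ttl, win, df in ((51, 29200, True), (118, 8192, True), (250, 4128, False)):
        r = fingerprint(make_syn(ttl, win, df))
        print(r["os_guess"], "hops=%d" % r["hops"])
```

The TTL trick is the part worth remembering: a packet arriving with TTL 118 almost certainly started at 128 and crossed 10 routers, which also tells you roughly how far away the host is. Window size and DF bit are easy to change (sysctl on Linux, netsh on Windows), so this kind of matching gives a guess, not proof.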
9. Vulnerability Scanning
Vulnerability scanning identifies known security weaknesses in local or remote systems.
- Process: The scanner has a database of known vulnerabilities (CVEs). It probes open ports, checks service versions, and compares them against the database.
- Types:
- Authenticated Scan: The scanner logs in as a user. It finds missing patches, weak passwords, and configuration errors.
- Unauthenticated Scan: The scanner looks from the outside, mimicking a hacker.
- Tools: Nessus, OpenVAS, Qualys.
- Output: A report classifying risks as Critical, High, Medium, or Low.
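Added example (not from these notes, and not how Nessus, OpenVAS or Qualys are implemented): the "compare the service version against the database" step of an unauthenticated scan. It parses a grabbed banner into product and version, converts the version string into a numeric tuple so that 2.4.9 sorts below 2.4.41, and checks it against a constructed advisory list. The advisory identifiers (EXAMPLE-0001, EXAMPLE-0002) and affected ranges are placeholders made up for the example, not real CVEs.

```python
import re
from typing import List, Optional, Tuple

# Constructed advisory "database" for illustration only: the identifiers are
# placeholders (not real CVE numbers) and the affected ranges are invented.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "apache", "affected_from": "2.4.0",
     "fixed_in": "2.4.50", "severity": "High"},
    {"id": "EXAMPLE-0002", "product": "openssh", "affected_from": "7.0",
     "fixed_in": "7.5", "severity": "Medium"},
]

# Matches banners such as "Apache/2.4.41 (Ubuntu)", "SSH-2.0-OpenSSH_7.4p1 Debian-10",
# "nginx/1.18.0": a product name, a separator, then a dotted version.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z]+)[/_ ](?P<version>\d+(?:\.\d+)+[a-z0-9]*)", re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric tuple so versions compare correctly: '2.4.41' -> (2, 4, 41), '7.4p1' -> (7, 4, 1).
    Plain string comparison would wrongly rank '2.4.9' above '2.4.41'."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """(product, version) from a banner, or None if nothing recognisable is in it."""
    m = BANNER_RE.search(banner)
    return (m.group("product").lower(), m.group("version")) if m else None


def is_affected(version: str, affected_from: str, fixed_in: str) -> bool:
    """affected_from <= version < fixed_in, compared numerically."""
    v = parse_version(version)
    return parse_version(affected_from) <= v < parse_version(fixed_in)


def scan_banner(banner: str) -> List[dict]:
    """Unauthenticated-style check: match only what the service advertises."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [a for a in ADVISORIES
            if a["product"] == product and is_affected(version, a["affected_from"], a["fixed_in"])]


if __name__ == "__main__":
    for b in ("Apache/2.4.41 (Ubuntu)", "Apache/2.4.52 (Unix)", "SSH-2.0-OpenSSH_7.4p1 Debian-10"):
        print(b, "->", [a["id"] for a in scan_banner(b)])
```

The weakness of this approach is visible in the first banner: distributions backport security fixes without changing the advertised version, so "Apache/2.4.41 (Ubuntu)" may already be patched. That is the practical reason authenticated scans exist: logged in, the scanner reads the package database and installed patch levels instead of trusting a banner.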
10. Using Proxies
Attackers use proxies to hide their actual IP address during scanning to avoid detection and legal repercussions.
Proxy Servers
An intermediary server that forwards requests. The target sees the Proxy’s IP, not the attacker's.
Proxy Chaining
Using multiple proxies in a sequence to make tracing the source significantly harder.
- Path: Attacker -> Proxy A -> Proxy B -> Proxy C -> Target.
TOR (The Onion Router)
A specialized network that directs traffic through a free, worldwide, volunteer overlay network to conceal a user's location and usage.
Why use Proxies in Scanning?
- Anonymity: Evade IP blacklisting.
- Bypass Restrictions: Access content restricted to certain geographic regions.
- Fragmenting: Splitting the scan across several source IPs so that no single source crosses a firewall's per-IP rate-limiting or port-scan detection thresholds.
11. Countermeasures
Against Footprinting
- Limit Information Leakage: minimize sensitive info in job postings and press releases.
- Configure Web Servers: Disable directory listings and remove default pages.
- Education: Train employees on social engineering and social media privacy.
- Split DNS: Use separate internal and external DNS servers to hide internal naming conventions.
Against Scanning
- Firewalls: Configure stateful packet inspection (SPI) to drop packets that do not belong to an established connection, which includes inverse-flag probes (Xmas, NULL, FIN) and ACK probes.
- IDS/IPS: Deploy Intrusion Detection Systems (like Snort) to recognize and block port scan signatures.
- Banner Grabbing Defense: Suppress or genericize service banners (e.g., change "Apache 2.4.41" to "Web Server"; in Apache, ServerTokens Prod and ServerSignature Off reduce the banner to just "Apache"). This only slows an attacker down, since behaviour-based tools such as Nmap's version detection can still identify the software.
- Close Unused Ports: Hardening servers by disabling any service not required for business function.
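Added example (not from these notes, and not Snort's own logic): a minimal port-scan detector of the kind an IDS or a firewall's log monitor runs. It combines the two detection styles mentioned above: signature matching on flag combinations that never occur in real traffic (Xmas, NULL) and a threshold rule that fires when one source touches at least five distinct destination ports within ten seconds. The log lines and their format are constructed for the example and do not come from any real firewall; the window and threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed firewall log (not from a real device), in a simple format:
#   <ISO time> <action> TCP <src>:<sport> -> <dst>:<dport> <flags>
# 203.0.113.7 sweeps six ports, 198.51.100.20 is a normal client hitting 443,
# and 203.0.113.9 sends one Xmas probe and one NULL probe.
SAMPLE_LOG = """\
2024-03-10T12:00:00Z DROP TCP 203.0.113.7:40001 -> 198.51.100.9:21 SYN
2024-03-10T12:00:01Z DROP TCP 203.0.113.7:40002 -> 198.51.100.9:22 SYN
2024-03-10T12:00:01Z ACCEPT TCP 198.51.100.20:51000 -> 198.51.100.9:443 SYN
2024-03-10T12:00:02Z DROP TCP 203.0.113.7:40003 -> 198.51.100.9:23 SYN
2024-03-10T12:00:02Z ACCEPT TCP 198.51.100.20:51001 -> 198.51.100.9:443 SYN
2024-03-10T12:00:03Z DROP TCP 203.0.113.7:40004 -> 198.51.100.9:25 SYN
2024-03-10T12:00:04Z DROP TCP 203.0.113.7:40005 -> 198.51.100.9:80 SYN
2024-03-10T12:00:05Z DROP TCP 203.0.113.7:40006 -> 198.51.100.9:443 SYN
2024-03-10T12:00:30Z DROP TCP 203.0.113.9:45000 -> 198.51.100.9:22 FIN,PSH,URG
2024-03-10T12:00:31Z DROP TCP 203.0.113.9:45001 -> 198.51.100.9:22 NONE
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)

Alert = Tuple[str, str, int]  # (rule name, source IP, port or distinct-port count)


def parse_line(line: str) -> Optional[dict]:
    """One log line -> event dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["dport"] = int(ev["dport"])
    ev["flags"] = frozenset(ev["flags"].split(","))
    return ev


def detect_scans(lines: Iterable[str], window_seconds: int = 10, port_threshold: int = 5) -> List[Alert]:
    """Signature rules for impossible flag sets plus a sliding-window distinct-port count per source."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    swept = set()  # sources already reported, so a sweep produces one alert, not one per packet
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        # Signature checks: flag combinations that never appear in a legitimate session.
        if ev["flags"] == {"FIN", "PSH", "URG"}:
            alerts.append(("xmas-probe", ev["src"], ev["dport"]))
        elif ev["flags"] == {"NONE"}:
            alerts.append(("null-probe", ev["src"], ev["dport"]))
        # Threshold check: drop events older than the window, then count distinct ports.
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= port_threshold and ev["src"] not in swept:
            swept.add(ev["src"])
            alerts.append(("port-sweep", ev["src"], len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold rule is what the "fragmenting" trick in the proxy section is designed to defeat: spread the same sweep over five source addresses and no single one reaches five ports. Correlating by destination host instead of source, or lowering the threshold for DROP-only traffic, are the usual answers.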