This is the first article on the upcomming series on Information Gathering.
In penetration testing, gathering as much information about our target is the first step.
Information gathering or footprinting is of two types namely passive reconnaissance and active reconnaissance.
In passive reconnaissance we gather information without actually interacting with the target sytems.
Gathering publicly available information about a company from the internet is passive reconnaissance.
Whereas active reconnaissance requires interaction with target’s systems.
Port scanning is an example of active reconaissance.
It is advised to be careful when conducting active reconnaissance on an organization because it is illegal in most countries without approval.
Although there are no hard and fast rules in penetration testing but it is recommended to follow a certain methodology.
In theory footprinting or informaton gathering is divided into seven steps.
The steps along with the best tools to perform them are:
Step Title Active/Passive Common Tools
1 Information gathering Passive Netcraft, Whois, Nslookup
2 Determining network range Passive traceart, APNIC, ARIN
3 Identify active machines Active Ping, traceroute, Angry IP scanner
4 Finding open ports Active Nmap, Zenmap, war dialers
5 OS fingerprinting Active/passive Nmap, ettercap, Nessus,
6 Fingerprinting services Active FTP, Netcat, SSH, vulnerablity scanners
7 Mapping the network Active scapy , traceroute,visualroute
Gathering initial information abut the target is the very first step in the footprinting process.
Collecting different domain names associated with the target company, name servers, IP addresses etc is the goal here.
A visit to the company’s website can provide us with a lot of useful information.
For example a recent news at their website might say that they have upgraded their systems to windows 2012 and installed cisco switches.
They have 4 nodes of access to the internet which provides robust connectivity.
This itself provides us with a lot of informaton like the servers they run about the switches and the number of nodes to target fo a DDOS attack.
Also checking out similliar websites set up by disgruntled ex-employees can give valuable insights about the company
There are also tools for finding out more relevant information.
One of the most useful tools in the arsenal is netcraft.
Netcraft is a UK based website that basically tracks and collects details about almost every website on the internet.
Here is the link www.netcraft.com .
A quick search about any website provides us with a host of useful information.
Here is an example of the results of Hackeroyale.com.
Clicking on the site report provides us with detailed information about the website.
Google dorks are also useful when trying to extract information about a website.
Determining network range
After getting the necessary information about like names, email addresses , name severs and IP addresses we now need to determine the network range or the subnet mask.
An ip address consists of two parts namely network portion and host portion, devices on the same network have same network portion but different host portions.
A subnetmask is used to identify which part of an ip is networkand which is host.
Ok now lets discuss about the tools to find out the network ranges.
The easiest way to find the network range is to use the ARIN whois search.
The link is www.arin.net .
Here is the result for hackeroyale’s ip.
Identifying active machines
Next step is identifying the active machine in the target network.
A simple ping command can help us identify the active machines but it takes a lot of time identifying each machine individually.
we need to conduct a ping sweep for this.
There are several programs for conducting a ping sweep but the one I recommend is angry ipscanner.
Here is the download link http://angryip.org/download
We just need to put in the ip range and it identifies all the active machines.
There are a host of other features like open port scanner, web detect, mac vendor detection, mac adresses fetcher etc.
For now we will concern ourselves with the indentification of active machines.
Finding open ports and OS fingerprinting
After finding out the network range and the list of active machines,we can proceed further to identify the open ports and access points along with the OS the devices are running.
The process of identification of the OS is called OS fingerprinting.
There are two types of fingerprinting, active and passive but for convenience here we will discuss active fingerprintng with nmap.
One of the most common and useful port scanning tools is nmap, although it is not the only one.
Here is the download link https://nmap.org/download.html.
Nmap is the most popular portscanning tool out there.
It can perform a wide array of scans like TCP intense scan plus UDP port scan, TCP stealth scan, OS fingerprinting etc and can also load custom scripts.
Nmap also allows us to customize the speed of the scans.
Below is the example of nmap command with -h or help option to review some of its many switches.
C:\nmap-4.5>nmap -h Nmap 4.5 Usage: nmap [Scan Type(s)] [Options] <host or net list> Some Common Scan Types ('*' options require root privileges) * -sS TCP SYN stealth port scan (default if privileged (root)) -sT TCP connect() port scan (default for unprivileged users) * -sU UDP port scan -sP ping scan (Find any reachable machines) * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only) -sV Version scan probes open ports determining service and app names/versions -sR/-I RPC/Identd scan (use with other scan types) Some Common Options (none are required, most can be combined): * -O Use TCP/IP fingerprinting to guess remote operating system -p <range> ports to scan. Example range: '1-1024,1080,6666,31337' -F Only scans ports listed in nmap-services -v Verbose. Its use is recommended Use twice for greater effect. -P0 Don't ping hosts (needed to scan www.microsoft.com and others) * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys -6 scans via IPv6 rather than IPv4 -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve] -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile> -iL <inputfile> Get targets from file; Use '-' for stdin * -S <your_IP>/-e <devicename> Specify source address or network interface --interactive Go into interactive mode (then press h for help) --win_help Windows-specific features Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
When using nmap for scanning, it displays all the open, closed or filtered ports along with the service name and protocol.
In order to use nmap, we use the nmap command along with the preferred switch and the ip address.
We can also scan a range of ip adresses.
An example of its usage is given below along with the -sS switch for a stealthy TCP scan and -O option for OS identification.
C:\nmap-4.5>nmap -sS - O 192.168.16.10 Starting nmap V. 4.5 by [email protected] ( www.insecure.org/nmap/ ) Interesting ports on (10.4.0.5): (The 1514 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 80/tcp open http 135/tcp open loc-srv 139/tcp open netbios-ssn 443/tcp open https 1032/tcp open iad3 1521/tcp open ncube-lm 1526/tcp open pdap-np 1723/tcp open pptp TCP Sequence Prediction: Class=trivial time dependency Difficulty=2 (Trivial joke) Remote operating system guess: Windows NT4 / Win95 / Win98 Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
Here we can see that the device has 9 open ports along with their respective services and that it is a windows machine.
In some of our previous scans, the we saw some of the ports and the services associated were open.
If we only knew which ports were open, the respective services could be easily displayed by banner grabbing.
Banners can be easily grabbed by simpy by using telnet or FTP.
These are inbuilt in windows and linux systems.
By simply telnetting into the port we could see which type of service and vesrion of the software the device is running.
This is a very crucial information as some of these services can be easily exploited if they are not updated or they run an older version of the software.
C:\>telnet 192.168.16.10 80 HTTP/1.1 400 Bad Request Server: Microsoft-IIS/5.0 Date: Fri, 07 Jun 2017 22:22:04 GMT Content-Type: text/html Content-Length: 87 <html><head><title>Error</title></head><body>The parameter is incorrect. </body> </html> Connection to host lost
Here we can see the machine is running n IIS 5.0 server.
Also one of the easiest way of banner grabbing is by using netcat which is also called the swiss army knife of hacking.
Netcat is available for both windows and linux.
If you are using windows command line then typing nc -v -n IP_Address Port should do the trick.
More about netcat for reconaissance and pentesting in the next articles of the series.
Mapping the network
Now we can finally map the network to provide us with the blueprint of the company.
We can use good old fashioned traceroute or a more graphical an interactive tool.
One such tool is visualroute.
Here is the download link http://www.visualroute.com/download.html.
Visualroute is graphical tool for mapping a network.
It visually show the route a packet has taken over the internet.
It also shows the geolocations of the points the packets have been through which is very convenient and running it a couple of times can give us a pretty good idea if two systems are on the same network.
This was only an introduction to information gathering.
There are far more powerful tools which performs the functions of multiple tools simultaneously and almost automates the entire process.
Some of these tools will be elaborated and their usage discussed in details in our next articles in the series.
Till then happy hunting.