The Footprinting Process
There are many steps in the footprinting process, each of which will yield a different type of information. Remember to log each piece of information that you gather no matter how insignificant it may seem at the time.
Using Search Engines
One of the first steps in the process of footprinting tends to be using a search engine. Search engines such as Google and Bing can easily provide a wealth of information that the client may have wished to have kept hidden or may have just plain forgotten about it. The same information may readily show up on a search engine results page (SERP). Using a search engine you can find a lot of information, some of it completely unexpected or something a defender never considers, such as technology platforms, employee details, login pages, intranet portals, and so on. A search can easily provide even more details such as names of security personnel, brand and type of firewall, and antivirus protection, and it is not unheard of to find network diagrams and other information. To use a search engine effectively for footprinting, always start with the basics. The very first step in gathering information is to begin with the company name. Enter the company name and take note of the results, as some interesting ones may appear.
Once you have gotten basic information from the search engine, it’s time to move in a little deeper and look for information relating to the URL.
If you need to find the external URL of a company, open the search engine of your choice, type the name of the target organization, and execute the search. Such a search will generally obtain for you the external and most visible URLs for a company and perhaps some of the lesser known ones. Knowing the internal URLs or hidden URLs can provide tremendous insight into the inner structure or layout of a company. However, tools are available that can provide more information than a standard search engine .
Location and Geography
Not to be overlooked or underestimated in value is any information pertaining to the physical location of offices and personnel. You should seek this information during the footprinting process because it can yield other key details that you may find useful in later stages, including physical penetrations. Additionally, knowing a company’s physical loca- tion can aid in dumpster diving, social engineering, and other efforts. To help you obtain physical location data, a range of useful and powerful tools are available. Thanks to the number of sources that gather information such as satellites and webcams, there is the potential for you as an attacker to gain substantial location data. Never underestimate the sheer number of sources available, including:
Google Earth This popular satellite imaging utility has been available since 2001 and since that time it has gotten better with access to more information and increasing amounts of other data. Also included in the utility is the ability to look at historical images of most locations, in some cases back over 20 years.
Google Maps Google Maps provides area information and similar data. Google Maps with Street View allows you to view businesses, houses, and other locations from the perspective of a car. Using this utility, many people have spotted things such as people, entrances, and even individuals working through the windows of a business.
Webcams These are very common, and they can provide information on locations or people. People Search Many websites offer information of public record that can be easily accessed by those willing to search for it. It is not uncommon to come across details such as phone numbers, house addresses, e-mail addresses, and other information depending on the website being accessed. Some really great examples of people search utilities are Spokeo, ZabaSearch, Wink, and Intelius.
Social Networking and Information Gathering
One of the best sources for information is social networking. Social networking has proven not only extremely prolific, but also incredibly useful as an information-gathering tool. A large number of people who use these services provide updates on a daily basis. You can learn not only what an individual is doing, but also all the relationships, both personal and professional, that they have.
Because of the openness and ease of information sharing on these sites, a savvy and determined attacker can locate details that ought not to be shared. In the past, I have found information such as project data, vacation information, working relationships, and location data. This information may be useful in a number of ways. For example, armed with personal data learned on social networking sites, an attacker can use social engineering to build a sense of trust.
Some popular social networking services that are worth scouring for information about your target may be the ones that you are already familiar with:
Facebook The largest social network on the planet boasts an extremely large user base with a large number of groups for sharing interests. Facebook is also used to share comments on a multitude of websites, making its reach even further.
Twitter Twitter has millions of users, many of whom post updates several times a day. Twitter offers little in the way of security, and those security features it does have are seldom used. Twitter users tend to post a lot of information with little or no thought to the value of what they are posting.
Google+ This is Google’s answer to the popular Facebook. Although the service has yet to see the widespread popularity of Facebook, there is a good deal of information present on the site that you can search and use.
LinkedIn One of my personal favorites for gathering information is LinkedIn. The site is a social networking platform for job seekers and as such it has employment history, contact information, skills, and names of those the person has worked with.
Working with E-mail
E-mail is one of the tools that a business relies on today to get its mission done. Without e-mail many businesses would have serious trouble functioning in anything approaching a normal manner. The contents of e-mail are staggering and can be extremely valuable to an attacker looking for more inside information. For a pen tester or an attacker, plenty of tools exist to work with e-mail.
One tool that is very useful for this purpose is PoliteMail ( www.politemail.com ), which is designed to create and track e-mail communication from within Microsoft Outlook. This utility can prove incredibly useful if you can obtain a list of e-mail addresses from the target organization. Once you have such a list, you can then send an e-mail to the list that contains a malicious link. Once the e-mail is opened, PoliteMail will inform you of the event for each and every individual. Another utility worth mentioning is WhoReadMe ( http://whoreadme.com ). This appli- cation lets you track e-mails and also provides information such as operating system, browser type, and ActiveX controls installed on the system.
Google Hacking
Up to this point you may have collected a lot of information from various sources, but now is the time to fine-tune those results and look deeper. One of the tools you used earlier, Google, has much more power than you’ve taken advantage of so far. Now is the time to unleash the power of Google through a process known as Google hacking.
Google hacking is not anything new and has been around for a long time; it just isn’t widely known by the public. The process involves using advanced operators to fine-tune your results to get what you want instead of being left at the whim of the search engine. With Google hacking it is possible to fine-tune results to obtain items such as passwords, certain file types, sensitive folders, logon portals, configuration data, and other data. Before you perform any Google hacking you need to be familiar with the operators that make it possible.
Gaining Network Information
An important step in footprinting is to gain information, where possible, about a target’s network. Fortunately there are plenty of tools available for this purpose, many of which you may already be familiar with.
Whois This utility helps you gain information about a domain name, including ownership information, IP information, netblock data, and other information where available. The utility is freely available in Linux and Unix and must be downloaded as a third-party add- on for Windows.
Tracert This utility is designed to follow the path of traffic from one point to another, including intermediate points in between. The utility provides information on the relative performance and latency between hops. Such information can be useful if a specific victim is targeted because it may reveal network information such as server names and related details. The utility is freely available for all OSs.
Social Engineering: The Art of Hacking Humans
Inside the system and working with it is the human being, which is frequently the easiest component to hack. Human beings tend to be, on average, fairly easy to obtain information from. Although Chapter 10, “Social Engineering,” delves into this topic in greater depth,
I want to introduce some basic techniques that can prove useful at this stage of information
gathering:
Eavesdropping This is the practice of covertly listening in on the conversations of others. It includes listening to conversations or just reading correspondence in the form of faxes or memos. Under the right conditions, you can glean a good amount of insider information using this technique.
Shoulder Surfing This is the act of standing behind a victim while they interact with a computer system or other medium while they are working with secret information. Using shoulder surfing allows you to gain passwords, account numbers, or other secrets.
Dumpster Diving This is one of the oldest means of social engineering, but it’s still an effective one. Going through a victim’s trash can easily yield bank accounts, phone records, source code, sticky notes, CDs, DVDs, and other similar items. All of this is potentially damaging information in the wrong hands.
