Module Objectives


This module introduces the reconnaissance phase of hacking to the reader, with particular attention to footprinting. On completing this module, you will:

  • Have an overview of the reconnaissance phase

  • Be introduced to footprinting

  • Be able to understand the generic information gathering methodology of hackers

  • Gain insight into the implications that this phase presents to the organization

  • Learn about some of the tools used for the reconnaissance phase

  • Be able to advocate countermeasures

The reader is urged to note that there is no 'one way' for hackers to approach a system. This is the basis behind stating that while countermeasures are suggested here, they are proposed in the light of the generic approach of hackers towards a system. There can be several hackers trying to target a system. The intent behind their activities cannot be foreknown and hence all activity must be treated as a threat.

Readers are advised to note that the focus of this course is not to teach the finer aspects of hacking, but rather to emphasize the vulnerability - threat - attack methods - tools - countermeasures thread of discussion.

Hence, we do not go into the diverse details of 'how to' hack, but rather focus the discussion on where you must look for vulnerabilities, what threat is posed by a vulnerability, the ways in which a cracker can exploit it, and what countermeasures should be advocated in the light of the threat. The objective of using tools here is to save time and resources and to defend resources in a proactive and efficient manner. It is assumed that readers possess good programming skills and are familiar with the various technical environments.

There are several tools available to the hacker and the list is ever evolving. These range from simple code compilation software to source code text files available on the Internet. The point of emphasis is that it is in the interest of the organization to defend itself against vulnerabilities, known and unknown, by adopting a suitable methodology, tools and techniques to safeguard its assets.

start sidebar
Revisiting Reconnaissance
  • Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack.

end sidebar
 

Let us begin by revisiting the discussion on reconnaissance in the last module. We have seen that it refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of attack prior to launching an attack.

The exact methodology that a hacker adopts while approaching a target can vary. Some may randomly select a target based on a vulnerability that can be exploited. Others may be trying their hand at a new technology or skill level. Yet others may be methodically preparing to attack a particular target for a particular reason.

For the purpose of study, we will broadly group these activities under three primary phases to comprise the reconnaissance phase. Network enumeration and scanning will be treated individually in separate modules.

Throughout this module readers are provided with references that go into building stronger conceptual knowledge. It is desirable that readers use them for the stated purpose. Similarly, the tools used in this module are representative of the genre they belong to. They are cited here for their popularity and availability.

The core of this module is non-intrusive information gathering techniques. Here, no system is breached or accessed in order to retrieve information. How much these techniques yield depends on the information dissemination policy and practices of the organization.

start sidebar
Defining Footprinting
  • Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodological manner.

  • Footprinting is one of the three pre-attack phases. The others are scanning and enumeration.

  • Footprinting results in a unique organization profile with respect to networks (Internet / Intranet / Extranet / Wireless) and systems involved.

end sidebar
 

Information warfare is not without its battle plans or surveillance techniques. In this context, a strategic map used in a battle would be a close analogy to a footprint. Note that throughout this course, we use the term 'organization' to represent a target system. This includes discussion pertaining to a single system as well.

Concept  

Footprinting is the blueprinting of the security profile of an organization or target system, undertaken in a methodological manner.

To elaborate on the above definition: the term 'blueprinting' is used because completion of this activity results in a unique system profile of the organization. It is considered 'methodological' because each piece of critical information is sought based on a previous discovery.

There is no single methodology for footprinting, as a hacker can choose several routes to trace the information. However, this activity is essential as all crucial information needs to be gathered before the hacker can decide on the best possible course of action.

Note  

Footprinting, therefore, needs to be carried out precisely and in an organized manner. The information unveiled at various network levels can include details of domain names, network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, access control mechanisms and related lists, phone numbers, contact addresses, authentication mechanisms and system enumeration.

This listing may include more information depending on how various security aspects are addressed by the organization. Information gathered during the footprinting phase can be used as a springboard in narrowing down the attack methodology and also in assessing its merit.

One dubious aspect of the information gathering phase is that most of it can be carried out within legal bounds and from publicly available information. It is to be noted that though the Internet originated from the efforts of the defense department, and many of its protocols were established to communicate information reliably, completely and dependably, the speed with which it would penetrate the common world was unpredicted, and so were the security concerns that would arise from the increasingly networked environment.

start sidebar
Information Gathering Methodology
  1. Ascertain active machines

  2. Discover open ports / access points

  3. Detect operating systems

  4. Uncover services on ports

  5. Map the Network

end sidebar
 
Note  

The information gathering activity can be broadly divided into seven phases. The attacker would first unearth initial information (such as the domain name), locate the network range of the target system (using tools such as Nslookup, whois etc.), ascertain the active machines (for instance by pinging them), discover open ports or access points (using tools such as port scanners), detect operating systems (for instance by querying with telnet), uncover services on ports and ultimately map the network.

This module details footprinting, which includes the first two phases listed above. Footprinting is considered to be an exacting phase and is intended to give the attacker an assessment of the target system. It also serves to eliminate several possible hacking techniques and allows the attacker to choose the best fit to gain access to the system. This not only speeds up the real attack process, but also helps the attacker prepare better for covering his tracks and thereby leave a smaller or minimal footprint.

Footprinting is required to ensure that isolated information repositories that are critical to the attack are not overlooked or left undiscovered. Footprinting comprises only one aspect of the entire information gathering process, but is considered one of the most important stages of a mature hack.

In the following pages we will discuss some of the possible ways of footprinting, the implications they pose to the target systems and the countermeasures that can be adopted.

Adam browsed through the targetcompany site. He had already researched well for his job application and had the company's annual reports, press releases, brochures etc. He decided to search the web for postings on message boards and discussion groups, and even checked partner sites. He came across some interesting information that would normally be unavailable.

The next day he dropped by the coffee shop and chatted with a group of insiders. One of them did not seem happy with his work and often vented his opinion regarding his employer. He also seemed to like the attention being paid to his comments.

start sidebar
Unearthing Initial Information

Commonly includes:

  • Domain name lookup

  • Locations

  • Contacts (telephone / mail)

Information Sources:

  • Open source

  • Whois

  • Nslookup

Hacking Tool:

  • Sam Spade

end sidebar
 

It is increasingly clear that several enterprises are positioning their websites to represent their corporate image globally. Often these websites are the starting point of the information gathering phase.

Concept  

Open source footprinting is the easiest and safest way to go about finding information about a company: it uses information that is available to the public, such as phone numbers, addresses, etc. Performing whois requests and searching through DNS tables are other forms of open source footprinting. Most of this information is fairly easy to get, and within legal limits. One easy way to check for sensitive information is to examine the HTML source code of the website for links, comments, meta tags etc.

Typing the company name in any search engine can retrieve its domain name (such as targetcompany.com). The categories of information that can be available from open sources include general information about the target, employee information, business information, information sourced from newsgroups (such as postings about the systems themselves), links to company/personal web sites and HTML source code.

Attack Methods  

The attacker may choose to source the information from:

  • A web page (save it offline, e.g. using an offline browser such as Teleport Pro, downloadable at http://www.tenmax.com/teleport/pro/home.htm )

  • Yahoo or other directories (Tifny is a comprehensive search tool for USENET newsgroups. The program learns from past usage and utilizes that knowledge to improve the quality of experience.)

  • Multiple search engines (All-in-One, Dogpile); groups.google.com is a great resource for searching large numbers of newsgroup archives without having to use a tool

  • Advanced search (e.g. AltaVista, where reverse links to vulnerable sites can be unearthed)

  • Searches on publicly traded companies (e.g. EDGAR)

  • Dumpster diving (to retrieve documents that have been carelessly disposed of)

  • Physical access (false ID, temporary/contract employees, unauthorized access etc.)

Apart from surfing the site for contact information (such as phone numbers, email addresses, human contact information, recent mergers and acquisitions, partners, alliances etc.), the attacker can look up the domain name with a whois client and also do an Nslookup.

Note  

For instance, let us take a look at what a whois query on Microsoft might return. Note that there are several whois lookup clients on the Internet and some may reveal more information than the standard whois lookup, like the one shown below. This whois query gives additional information such as the server type, the number of DMOZ listings, the website status, how many sites the web server is hosting etc. It also offers a monitoring option for the particular site.

  Website Title:       Microsoft Corporation
  Server Type:         Microsoft-IIS/6.0
  DMOZ:                993 listings
  Website Status:      Active
  Web server hosts:    6 other websites hosted
  IP Address:          207.46.249.27
  Visit Website:       www.microsoft.com
  Record Type:         Domain Name
  Monitor:             Add microsoft.com to My Monitoring List
  Search all domains:  query: Microsoft
  Name Server:         DNS1.CP.MSFT.NET DNS1.TK.MSFT.NET
  ICANN Registrar:     NETWORK SOLUTIONS, INC.
  Created:             2-May-91
  Expires:             3-May-12
  Status:              ACTIVE

Note the information on the other websites hosted and the name server details, which can be further queried to obtain information.

  Registrant:
    Microsoft Corporation (MICROSOFT-DOM)
    1 Microsoft way
    Redmond, WA 98052
    US

    Domain Name: MICROSOFT.COM

    Administrative Contact:
      Microsoft Corp (EPMKOEAUSO)  msnhst@MICROSOFT.COM
      Microsoft Corp
      One Microsoft Way
      Redmond, WA 98052
      US
      425 882 8080

    Technical Contact:
      Microsoft (EJSEHEQUAO)  msnhst@MICROSOFT.COM
      Microsoft
      One Microsoft Way
      Redmond, WA 98052
      US
      425-882-8080

    Record expires on 03-May-2012.
    Record created on 02-May-1991.
    Database last updated on 22-Mar-2003 03:00:43 EST.

    Domain servers in listed order:
      DNS1.CP.MSFT.NET   207.46.138.20
      DNS3.UK.MSFT.NET   213.199.144.151
      DNS1.SJ.MSFT.NET   65.54.248.222
      DNS1.DC.MSFT.NET   207.68.128.151
      DNS1.TK.MSFT.NET   207.46.245.230

Some whois clients also provide a reverse query. Here, a known IP can be traced back to its domain. The authoritative resources for whois databases are the regional registries described below.

Note  

There are four RIRs, each maintaining a whois database holding details of IP address registrations in its region. The RIR whois databases are:

  • ARIN (North America and sub-Saharan Africa)

  • APNIC (Asia Pacific region)

  • LACNIC (Southern and Central America and Caribbean)

  • RIPE NCC (Europe and northern Africa)

For historical reasons, the ARIN Whois Database is generally the starting point for searches. If an address is outside of ARIN's region, then that database will provide a reference to either APNIC or RIPE NCC. www.allwhois.com is also considered a comprehensive whois interface.

Tools  

There are tools available to aid a whois lookup. Some of them are Sam Spade (downloadable from www.samspade.org ), Smart Whois (downloadable from www.tamos.com ), Netscan (downloadable from www.netscantools.com ) and GTWhois (Windows XP compatible, www.geektools.com ). A whois client is available in most versions of UNIX. For UNIX users with X and the GTK toolkit, Xwhois (available at http://c64.org/~nr/xwhois/ ) can be used.

Readers are encouraged to read the RFCs and standards related to the discussion. Readers may refer to std/std13 - Internet standard for Domain Names - Concepts and Facilities and RFCs 1034, 1035.

start sidebar
Whois
end sidebar
 
Concept  

Several operating systems provide a WHOIS utility. To conduct a query from the command line, the format is:

  whois -h hostname identifier

  e.g. whois -h whois.arin.net <query string>

In order to obtain a more specific response, the query can be conducted using flags. Many of these flags can be combined to narrow the output. The syntax requirement is that flags be separated from each other and from the search term by a space.

Flags can be categorized under query types and only one flag may be used from a query type.

  • Query-by-record-type:

    n   Network address space
    a   Autonomous systems
    p   Points of contact
    o   Organizations
    c   End-user customers

  • Query-by-attribute:

    @<domain name>   Searches for matches by the domain portion of an e-mail address
    !<handle>        Searches for matches by handle or ID
    .<name>          Searches for matches by name

    Searches that retrieve a single record display the full record. Searches that retrieve more than one record display list output.

  • Display flags:

    +   Shows detailed (aka 'full') output for EACH match
    -   Shows summary only (aka 'list' output), even if a single match is returned

    However, the + flag cannot be used with the record hierarchy sub-query.

  • Record hierarchy:

    Records in the WHOIS database have hierarchical relationships with other records.

    <   Displays the record related up the hierarchy. For a network, displays the supernet, or parent network, in detailed (full) format.
    >   Displays the record(s) related down the hierarchy. For a network, displays the subdelegation(s), or subnets, below the network, in summary (list) format. For an organization or customer, displays the resource(s) registered to that organization or customer, in summary (list) format.

  • Wild card queries:

    WHOIS supports wild card queries. Append an asterisk (*) to the query. This can also be used in combination with any of the flags defined above.

Let us take a look at a query for Google. Results of querying whois at internic.net for the domain name google.com:

  Domain Name: GOOGLE.COM
  Registrar: ALLDOMAINS.COM INC.
  Whois Server: whois.alldomains.com
  Referral URL: http://www.alldomains.com
  Name Server: NS2.GOOGLE.COM
  Name Server: NS1.GOOGLE.COM
  Name Server: NS3.GOOGLE.COM
  Name Server: NS4.GOOGLE.COM
  Status: REGISTRAR-LOCK
  Updated Date: 03-oct-2002
  Creation Date: 15-sep-1997
  Expiration Date: 14-sep-2011

Results of querying whois at internic.net for the registrar ALLDOMAINS.COM INC.:

  Registrar Name: ALLDOMAINS.COM INC.
  Address: 2261 Morello Ave, Suite C, Pleasant Hill, CA 94523, US
  Phone Number: 925-685-9600
  Email: registrar@alldomains.com
  Whois Server: whois.alldomains.com
  Referral URL: www.alldomains.com

  Admin Contact: Chris J. Bura
    Phone Number: 925-685-9600
    Email: registrar@alldomains.com
  Admin Contact: Scott . Messing
    Phone Number: 925-685-9600
    Email: scott@alldomains.com

  Billing Contact: Chris J. Bura
    Phone Number: 925-685-9600
    Email: registrar@alldomains.com
  Billing Contact: Joe . Nikolaou
    Phone Number: 925-685-9600
    Email: accounting@alldomains.com

  Technical Contact: Eric . Lofaso
    Phone Number: 925-685-9600
    Email: eric@alldomains.com
  Technical Contact: Chris . Sessions
    Phone Number: 925-685-9600
    Email: chris.sessions@alldomains.com
  Technical Contact: Justin . Siu
    Phone Number: 925-685-9600
    Email: justin.siu@alldomains.com

Results of querying whois at internic.net for the name server NS2.GOOGLE.COM:

  Server Name: NS2.GOOGLE.COM
  IP Address: 216.239.34.10
  Registrar: ALLDOMAINS.COM INC.
  Whois Server: whois.alldomains.com
  Referral URL: http://www.alldomains.com

As seen above, a normal query will return contact information, the name of the ISP and the name servers, which can be resolved further into specific IP addresses. Let us take a look at what information can be stored with the registrar. This is for the reader to know what goes into a domain name record.

Concept  

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate resource records (RRs). The order of RRs in a set is not significant, and need not be preserved by name servers, resolvers, or other parts of the DNS.

When we talk about a specific RR, we assume it has the following:

  • Owner - the domain name where the RR is found.

  • Type - an encoded 16-bit value that specifies the type of the resource in this resource record. Types refer to abstract resources:

    A       a host address
    CNAME   identifies the canonical name of an alias
    HINFO   identifies the CPU and OS used by a host
    MX      identifies a mail exchange for the domain
    NS      the authoritative name server for the domain
    PTR     a pointer to another part of the domain name space
    SOA     identifies the start of a zone of authority

  • Class - an encoded 16-bit value which identifies a protocol family or instance of a protocol:

    IN      the Internet system
    CH      the Chaos system

  • TTL - the time to live of the RR. The TTL describes how long an RR can be cached before it should be discarded.

  • RDATA - the type-dependent (and sometimes class-dependent) data which describes the resource:

    A       for the IN class, a 32-bit IP address; for the CH class, a domain name followed by a 16-bit octal Chaos address
    CNAME   a domain name
    MX      a 16-bit preference value followed by a host name willing to act as a mail exchange for the owner domain
    NS      a host name
    PTR     a domain name
    SOA     several fields
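The following is an added example, not code from the module, that decodes the RR fields just described from a constructed wire-format record set (RFC 1035 encoding): owner, TYPE, CLASS, TTL, RDLENGTH and the RDATA layout of each type listed above, including the name-compression pointers a real response uses. The sample records, names and addresses are made up.

```python
"""Decode DNS resource records (RRs) from RFC 1035 wire format.

Added example; not code from the original module. The sample records at
the bottom are constructed with made-up names and addresses.
"""
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
              13: "HINFO", 15: "MX", 16: "TXT"}
CLASS_NAMES = {1: "IN", 3: "CH"}


def read_name(msg, offset):
    """Read a domain name at offset, following compression pointers.

    Returns (name, offset just after the name in the message). After a
    pointer the name continues elsewhere, so the caller resumes after the
    two pointer bytes, not after the labels the pointer led to.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx = pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                            # root label ends the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def read_char_strings(data):
    """Decode the length-prefixed <character-string>s used by TXT and HINFO."""
    out, i = [], 0
    while i < len(data):
        n = data[i]
        out.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return out


def parse_rdata(rtype, rclass, msg, start, length):
    """Interpret RDATA by TYPE (and, for A, by CLASS) as listed in the text."""
    data = msg[start:start + length]
    if rtype == 1 and rclass == 1:                 # A / IN: 32-bit IPv4 address
        return ".".join(str(b) for b in data)
    if rtype in (2, 5, 12):                        # NS, CNAME, PTR: a domain name
        return read_name(msg, start)[0]
    if rtype == 15:                                # MX: preference, exchange host
        return struct.unpack("!H", data[:2])[0], read_name(msg, start + 2)[0]
    if rtype == 13:                                # HINFO: CPU string, OS string
        cpu, os_name = read_char_strings(data)
        return {"cpu": cpu, "os": os_name}
    if rtype == 16:                                # TXT: one or more strings
        return read_char_strings(data)
    if rtype == 6:                                 # SOA: "several fields"
        mname, off = read_name(msg, start)
        rname, off = read_name(msg, off)
        fields = struct.unpack("!IIIII", msg[off:off + 20])
        return dict(zip(("mname", "rname", "serial", "refresh", "retry",
                         "expire", "minimum"), (mname, rname) + fields))
    return data.hex()                              # unknown type: raw bytes


def parse_rrs(msg, offset=0):
    """Parse consecutive RRs from offset to the end of msg."""
    records = []
    while offset < len(msg):
        owner, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append({"owner": owner,
                        "type": TYPE_NAMES.get(rtype, f"TYPE{rtype}"),
                        "class": CLASS_NAMES.get(rclass, f"CLASS{rclass}"),
                        "ttl": ttl,
                        "rdata": parse_rdata(rtype, rclass, msg, offset, rdlength)})
        offset += rdlength
    return records


# Constructed sample (made-up names/addresses), modelled on the 'ls -d' listing
# shown later in this module: A, HINFO, MX and TXT records.
def encode_name(name):
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split(".")) + b"\x00"

def char_string(s):
    return bytes([len(s)]) + s.encode()

def encode_rr(owner, rtype, ttl, rdata, rclass=1):
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

SAMPLE = (
    encode_rr("systemA.example.test", 1, 86400, bytes([10, 12, 133, 147]))
    + encode_rr("systemA.example.test", 13, 86400, char_string("PC") + char_string("Exchange MailServer"))
    # MX exchange "mail1" + pointer to offset 8, where "example.test" begins in the first owner name
    + encode_rr("systemA.example.test", 15, 86400, struct.pack("!H", 10) + b"\x05mail1" + b"\xc0\x08")
    + encode_rr("geekL.example.test", 16, 86400, char_string("RH6.0"))
)
```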

As seen above, the information stored can be useful in gathering further information about the particular target domain. To summarize, there are five types of queries that can be carried out on a whois database.

  • Registrar - Displays specific registrar information and associated whois servers. This query gives information on potential domains matching the target.

  • Organizational - Displays all information related to a particular organization. This query can list all known instances associated with the particular target and the number of domains associated with the organization.

  • Domain - Displays all information related to a particular domain. A domain query arises from information gathered from an organizational query. Using a domain query, the attacker can find the company's address, domain name, administrator and his/her phone number, and the system's domain servers.

  • Network - Displays all information related to a particular network or a single IP address. Network enumeration can help ascertain the network block assigned or allotted to the domain.

  • Point of Contact (POC) - Displays all information related to a specific person, typically the administrative contacts. Also known as query by 'handle'.

Countermeasure  

If the organization is a high security organization, it can opt to register a domain in the name of a third party, as long as that party agrees to accept responsibility. The organization must also take care to keep its public data updated and relevant for faster resolution of any administrative and/or technical issues. The public data is maintained only by the organization that performed the registration, and it is responsible for keeping it current.

start sidebar
Nslookup
  • Nslookup is a program to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure.

  • Helps find additional IP addresses if the authoritative DNS is known from whois.

  • MX record reveals the IP of the mail server.

  • Both Unix and Windows come with a Nslookup client.

  • Third party clients are also available, e.g. Sam Spade

end sidebar
 

Nslookup is a valuable tool for querying DNS information for host name resolution. It is bundled with both UNIX and Windows operating systems and can be accessed at the command prompt. When Nslookup is run without arguments, it shows the host name and IP address of the DNS server that is configured for the local system, and then displays a command prompt for further queries. This is the interactive mode. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain.

When an IP address or host name is appended to the Nslookup command, it runs in non-interactive mode. Non-interactive mode is used to print just the name and requested information for a host or domain.

Attack Methods  

Nslookup allows the local machine to query a DNS server different from the default one by invoking the server command. By typing 'server <name>' (where <name> is the host name of the server you want to use for future lookups), subsequent queries are sent to the new DNS server. If security is lax, a zone transfer can then be done, retrieving all the information held by the primary DNS. Let us take a look at an example:

  $ nslookup
  Default Server: cracker.com
  Address: 10.11.122.133

  > server 10.12.133.144
  Default Server: ns.targetcompany.com
  Address: 10.12.133.144

  > set type=any
  > ls -d target.com
  systemA    1D IN A       10.12.133.147
             1D IN HINFO   "Exchange MailServer"
             1D IN MX      10 mail1
  geekL      1D IN A       10.12.133.151
             1D IN TXT     "RH6.0"

Concept  

Nslookup employs the domain name delegation method when used on the local domain. For instance, typing 'hr.targetcompany.com' will query for the particular name and if not found, will go one level up to find 'targetcompany.com'. To query a host name outside the domain, a fully qualified domain name (FQDN) must be typed. This can be easily obtained from a whois database query as discussed before. Recall that in our previous example we had queried Google on the whois database and retrieved registrar, domain and name server information. We had also discussed what goes into a domain name record. Let us do an Nslookup with the FQDN we have obtained - google.com.

  Host               Type   Value

  google.com         NS     ns2.google.com
  google.com         NS     ns1.google.com
  google.com         NS     ns3.google.com
  google.com         NS     ns4.google.com
  google.com         MX     20 smtp2.google.com
  google.com         MX     40 smtp3.google.com
  google.com         MX     10 smtp1.google.com
  google.com         NS     ns2.google.com
  google.com         NS     ns1.google.com
  google.com         NS     ns3.google.com
  google.com         NS     ns4.google.com
  ns2.google.com     A      216.239.34.10
  ns1.google.com     A      216.239.32.10
  ns3.google.com     A      216.239.36.10
  ns4.google.com     A      216.239.38.10
  smtp2.google.com   A      216.239.37.25
  smtp3.google.com   A      216.239.33.26
  smtp1.google.com   A      216.239.33.25

The above information was retrieved using the Nslookup interface at http://www.zoneedit.com/lookup.html . Let us take a look at what can be done with Nslookup in interactive mode. Given below is a listing of the various switches. This has been taken from a Windows client.

  Switch                      Function

  nslookup                    Launches the nslookup program.
  set debug                   Launches debug mode from within nslookup.
  set d2                      Launches verbose debug mode from within nslookup.
  host name                   Returns the IP address for the specified host name.
  NAME                        Displays information about the host/domain NAME using the default server.
  NAME1 NAME2                 As above, but uses NAME2 as the server.
  help or ?                   Displays information about common commands.
  set OPTION                  Sets an option:
    all                       Displays options, current server and host.
    [no]debug                 Displays debugging information.
    [no]defname               Appends the domain name to each query.
    [no]recurse               Asks for a recursive answer to the query.
    [no]search                Uses the domain search list.
    [no]vc                    Always uses a virtual circuit.
    domain=NAME               Sets the default domain name to NAME.
    srchlist=N1[/N2/.../N6]   Sets the domain to N1 and the search list to N1, N2, and so on.
    root=NAME                 Sets the root server to NAME.
    retry=X                   Sets the number of retries to X.
    timeout=X                 Sets the initial timeout interval to X seconds.
    type=X                    Sets the query type (such as A, ANY, CNAME, MX, NS, PTR, SOA, SRV).
    querytype=X               Same as type.
    class=X                   Sets the query class (e.g. IN (Internet), ANY).
    [no]msxfr                 Uses MS fast zone transfer.
    ixfrver=X                 Current version to use in an IXFR transfer request.
  server NAME                 Sets the default server to NAME, using the current default server.
  lserver NAME                Sets the default server to NAME, using the initial server.
  finger [USER]               Fingers the optional NAME at the current default host.
  root                        Sets the current default server to the root.
  ls [opt] DOMAIN [> FILE]    Lists addresses in DOMAIN (optional: output to FILE).
    -a                        Lists canonical names and aliases.
    -d                        Lists all records.
    -t TYPE                   Lists records of the given type (for example A, CNAME, MX, NS, PTR and so on).
  view FILE                   Sorts the output file from the 'ls' option described earlier and displays it page by page.
  exit                        Exits nslookup and returns to the command prompt.

In addition to this, the attacker can use the dig and host commands to obtain more information on UNIX systems.

The Domain Name System (DNS) namespace is divided into zones, each of which stores name information about one or more DNS domains. For each DNS domain name included in a zone, the zone is therefore the storage database and the authoritative source of information for that name.

Threat  

At a very basic level, an attacker can try to gain more information by using the various nslookup switches. At a higher level, they can attempt a zone transfer at the DNS level, which can have drastic implications.

Countermeasure  

The first line of defense that any target system can adopt is the proper configuration and implementation of its DNS. As penetration testers, you must be knowledgeable about standard practices in DNS configuration. Inappropriate queries must be refused by the system, thereby preventing crucial information leakage. In the nslookup example earlier in this module, note the naming of the system as geekL, which hints that the system runs Linux. The TXT record also reveals the version as Red Hat 6.0! Therefore care must be taken while assigning information that can be viewed on the Internet, and no additional information, such as the TXT record in the example, need be given.

To restrict zone transfers, specify the exact IP addresses from which zone transfers may be allowed. The firewall must be configured to control access to TCP port 53 (zone transfers run over TCP, whereas ordinary DNS queries normally use UDP port 53). Another best practice is to use more than one DNS, or the split DNS approach, where one DNS caters to the external interface and the other to the internal interface. This lets the internal DNS act like a proxy server and prevents leaking of internal information through external queries.
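As an added example of the countermeasure above (not code from the module), the script below audits a zone listing in the layout of the earlier nslookup 'ls -d' output and flags HINFO records, TXT records that read like OS version strings, host names hinting at a platform, and RFC 1918 private addresses exposed in an externally served zone. The listing, the hint words and the severities are constructed for illustration.

```python
"""Audit a zone listing for records that leak system information.

Added example from the defender's side; not code from the original module.
Input is a listing in the layout of nslookup 'ls -d' output (owner, TTL,
class, type, RDATA; a blank owner repeats the previous one). The sample
listing, hint words and severities below are constructed for illustration.
"""
import ipaddress
import re

# Constructed sample, modelled on the listing earlier in this module (made-up hosts).
SAMPLE_LISTING = """\
systemA     1D IN A     10.12.133.147
            1D IN HINFO "PC" "Exchange MailServer"
            1D IN MX    10 mail1
geekL       1D IN A     10.12.133.151
            1D IN TXT   "RH6.0"
www         1D IN A     203.0.113.10
linuxbox2   1D IN A     203.0.113.11
"""

LINE_RE = re.compile(r"^(\S*)\s+(\d+[SMHDW]?)\s+IN\s+([A-Z]+)\s+(.*)$", re.I)
TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
# The three private blocks reserved by IANA (RFC 1918), as listed in this module.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Starter list of host-name fragments that hint at an OS or product (extend per site).
OS_HINTS = ("linux", "redhat", "win", "solaris", "bsd", "exchange", "geek")
# TXT payloads such as "RH6.0": an OS name or abbreviation directly followed by a version number.
VERSION_RE = re.compile(r"\b(rh|red\s?hat|centos|debian|ubuntu|win(dows)?|nt|solaris|freebsd)\s*\d", re.I)


def parse_ttl(text):
    """'1D' -> 86400; a bare number is already seconds."""
    unit = text[-1].upper()
    if unit in TTL_UNITS:
        return int(text[:-1]) * TTL_UNITS[unit]
    return int(text)


def parse_listing(text):
    """Return (owner, ttl_seconds, type, rdata) tuples, carrying the owner forward."""
    records, owner = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # headers, blank lines, nslookup chatter
        name, ttl, rtype, rdata = m.groups()
        owner = name or owner
        records.append((owner, parse_ttl(ttl), rtype.upper(), rdata.strip()))
    return records


def audit_zone(text):
    """Return (owner, severity, message) findings for records that leak information."""
    records = parse_listing(text)
    findings = []
    for owner, _ttl, rtype, rdata in records:
        if rtype == "HINFO":
            findings.append((owner, "high", f"HINFO discloses CPU/OS: {rdata}"))
        elif rtype == "TXT" and VERSION_RE.search(rdata):
            findings.append((owner, "high", f"TXT reads like a version string: {rdata}"))
        elif rtype == "A":
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                findings.append((owner, "low", f"malformed A record data: {rdata}"))
                continue
            if any(addr in net for net in RFC1918):
                findings.append((owner, "medium", f"private address {addr} visible in zone"))
    # Host-name hints are reported once per owner, not once per record.
    for owner in sorted({r[0] for r in records}):
        if any(h in owner.lower() for h in OS_HINTS):
            findings.append((owner, "low", "host name hints at OS or product"))
    return findings


if __name__ == "__main__":
    for owner, severity, message in audit_zone(SAMPLE_LISTING):
        print(f"{severity:6} {owner:12} {message}")
```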

Readers are urged to get their DNS concepts clear by going through RFC 1912, "Common DNS Operational and Configuration Errors", RFC 2182, "Selection and Operation of Secondary DNS Servers", and RFC 2219, "Use of DNS Aliases for Network Services".

start sidebar
Scenario

Adam knows that targetcompany is based in NJ. However, he decides to check it. He runs a whois from an online whois client and notes the domain information. He takes down the email IDs and phone numbers. He also discerns the domain server IPs and does an interactive Nslookup.

  • Ideally, what extent of information should be revealed to Adam during this quest?

  • Are there any other means of gaining information? Can he use the information at hand in order to obtain critical information?

  • What are the implications for the target company? Can he cause harm to targetcompany at this stage?

end sidebar
 

Let us take a look at Adam's information quest again. Whois and Nslookup are common tools available to any person, and there are several web interfaces where a query as simple as a domain name can generate IP addresses and even do a reverse DNS lookup. The information gathered at this stage is well within legal limits.

  • Ideally, Adam should have obtained information that the target company has found essential to be posted on a public database.

Threat  

The other bits of information that Adam could have obtained are links to rogue sites that link to targetcompany.com (potential gateways), and messages posted at Usenet groups or other discussion forums where employees have left behind their email ID and the forum has captured the originating IP address (a specific IP address to monitor). He could have stumbled on sensitive business information from company research reports available on the Internet (a recent merger / acquisition - a potentially weaker subsidiary in terms of security).

Attack Methods  

Another method used by attackers is plain smooth talking, better termed 'social engineering'. Social engineering can be regarded as "people hacking" or the exploitation of the human factor. Basically, it describes a hacker soliciting unwitting participation from a person inside a company rather than breaking into the system independently. This is accomplished by persuading "marks" or "targets" to volunteer, or to assist in delivering, information about critical systems and applications, or access to such information. Social engineering is a highly developed skill that is often described by the hacker community as "the art and science of getting people to comply to your wishes".

start sidebar
Locate the Network Range

Commonly includes:

  • Finding the range of IP addresses

  • Discerning the subnet mask

Information Sources :

  • ARIN (American Registry of Internet Numbers)

  • Traceroute

Hacking Tool :

  • NeoTrace

  • Visual Route

end sidebar
 

After gathering information from open sources, the attacker can proceed to find the network range of the target. The appropriate regional Internet registry database gives more detailed information about the IP allocation and its nature (for example, a direct allocation to the organization as opposed to a block assigned by an upstream provider). From the NetRange or CIDR entry he can also work out the size of the block, and hence the subnet mask the organization is likely to use at its border.

Tools  

The attacker can also trace the route between his system and the target system. In our discussion, we will take a look at two popular traceroute tools - NeoTrace (since acquired by McAfee and renamed Visual Trace) and VisualRoute. Both are popular for their visualizations and the accessory options they offer, but they are by no means the only tools available to a hacker. Note that the geographic placement these tools show is derived from the point of contact (POC) records that the registries (ARIN and the others) hold for the ISP/NSP routers along the way. What is displayed may therefore not be entirely true: the registered owner may be located elsewhere, and the web hosting done elsewhere again. It is always good practice to check more than one registry.

Concept  

Information that can be useful to an attacker is the private IP addressing in use inside the organization. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (RFC 1918): 10.0.0.0 - 10.255.255.255 (10/8 prefix), 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) and 192.168.0.0 - 192.168.255.255 (192.168/16 prefix). These addresses are never routed on the public Internet, so one that leaks out (in a DNS record, a mail header or a traceroute hop) tells an attacker something about the internal network.

Threat  

If the DNS servers are not set up correctly (for instance, if they allow zone transfers to anyone, or publish records for internal hosts on the external servers), the attacker has a good chance of obtaining a list of the internal machines. Also, a traceroute to a machine can sometimes reveal the internal IP address of the gateway, which might be of use.

start sidebar
ARIN
  • ARIN allows search on the whois database to locate information on networks autonomous system numbers (ASNs), network-related handles and other related point of contact (POC).

  • ARIN whois allows querying the IP address to help find information on the strategy used for subnet addressing.

end sidebar
 
Note  

The ARIN page also has a set of additional tools and links to other sites such as RWhois.net. ARIN is a good starting point for information gathering, as the information retrieved is more elaborate than that of a standard Whois lookup.

The purpose of discussing information gathering - and footprinting in particular - is that this is information that both the hacker and the systems administrator can gather in a non-intrusive manner. The approaches discussed so far are largely passive: whois and registry queries go to the registries, not to the target, and leave no trace with the target organization. Traceroute is the exception, as its probes reach the target's routers and can be detected; DNS queries sent to the target's own authoritative name servers can likewise appear in its logs. The information gathered during this phase will be used continuously throughout the penetration test.

Footprinting an organization helps its systems administrator know what information about it lies outside the organization and what threat that information poses. He can then take preventive measures to see that it is not used as a means of exploitation, and increase user awareness regarding the handling of information assets.

Up-to-date domain contact information is important not only for addressing administration issues, but also because security personnel on other networks use it to warn of pending attacks or active compromises. Withholding this essential information can therefore do more harm than good.

start sidebar
Screenshot: ARIN Whois Output
end sidebar
 

Let us take a look at the ARIN output for a whois query on 216.239.34.10, one of Google's name servers. Note the difference from the standard whois query result, where the NetRange was not given. The query returns the real address of Google, the network range, the dates of registration and last update, and additional contact information.

 Search results for: 216.239.34.10

 OrgName:    Google Inc.
 OrgID:      GOGL
 Address:    2400 E. Bayshore Parkway
 City:       Mountain View
 StateProv:  CA
 PostalCode: 94043
 Country:    US

 NetRange:   216.239.32.0 - 216.239.63.255
 CIDR:       216.239.32.0/19
 NetName:    GOOGLE
 NetHandle:  NET-216-239-32-0-1
 Parent:     NET-216-0-0-0-0
 NetType:    Direct Allocation
 NameServer: NS1.GOOGLE.COM
 NameServer: NS2.GOOGLE.COM
 NameServer: NS3.GOOGLE.COM
 NameServer: NS4.GOOGLE.COM
 Comment:
 RegDate:    2000-11-22
 Updated:    2001-05-11

 TechHandle: ZG39-ARIN
 TechName:   Google Inc.
 TechPhone:  +1-650-318-0200
 TechEmail:  arin-contact@google.com

Attack Methods  

From the Nslookup query, an attacker can find the name servers, the mail exchange (MX) servers and the record class they belong to. The mail exchange servers can be further resolved into IP addresses. He can then enumerate the network further by doing a reverse (PTR) lookup on those addresses.

In this case, we look up 216.239.33.25, which is the IP address of smtp1.google.com. The query gives the following result.

 25.33.239.216.in-addr.arpa   PTR   smtp1.google.com
 33.239.216.in-addr.arpa      NS    ns1.google.com
 33.239.216.in-addr.arpa      NS    ns2.google.com
 33.239.216.in-addr.arpa      NS    ns3.google.com
 33.239.216.in-addr.arpa      NS    ns4.google.com
 ns1.google.com               A     216.239.32.10
 ns2.google.com               A     216.239.34.10
 ns3.google.com               A     216.239.36.10
 ns4.google.com               A     216.239.38.10

Note that the reverse lookup is made in the in-addr.arpa domain, with the octets of the IP address reversed (216.239.33.25 becomes 25.33.239.216.in-addr.arpa). In the process we also retrieve the name servers that are authoritative for that reverse zone, together with their addresses.

start sidebar
Traceroute
  • Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live.

  • Traceroute reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs .

  • As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, it sends back a "TTL exceeded" message (using ICMP) to the originator.

  • Routers with DNS entries reveal the name of routers, network affiliation and geographic location.

end sidebar
 

The simplest way to find the route to a target system is the traceroute utility provided with most operating systems. Traceroute details the path IP packets travel between two systems: the number of routers the packets pass through, the time taken to transit between routers and, if the routers have DNS entries, their names, which often reveal their network affiliation and geographic location. This is a great deal of information for an attacker if he can put it to use in his attack.

Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live. The TTL field in the IP header is interpreted as the maximum number of routers a packet may transit. Each router that handles a packet decrements the TTL by 1. When the count reaches zero, the packet is discarded and an ICMP "time exceeded" error message is transmitted to the originator of the packet.

Concept  

Let us see how traceroute works. Traceroute sends out a packet destined for the specified destination with the TTL field set to 1. The first router in the path receives the packet and decrements the TTL by 1; as the resulting TTL is 0, it discards the packet and sends an ICMP time exceeded message back to the originating host. Traceroute records the IP address and DNS name (if available) of that router, then sends out another packet with a TTL of 2. This packet makes it through the first router, then times out at the second router in the path, which also sends an error message back to the originating host. Traceroute continues in this way, recording the IP address and name of each router, until a packet finally reaches the target host or until it decides that the host is unreachable. Classic UNIX traceroute sends UDP datagrams to an unlikely high port, so the target's reply is an ICMP port unreachable message; Windows tracert sends ICMP echo requests, so the target answers with an echo reply. In the process, traceroute records the round-trip time of each probe to each router.

Let us see what a tracert 216.239.36.10 command at the Windows command prompt results in.

 C:\>tracert 216.239.36.10 
 
 Tracing route to ns3.google.com [216.239.36.10] over a maximum of 30 hops: 
 
 1  1262 ms   186 ms   124 ms  195.229.252.10 
 2  2796 ms  3061 ms  3436 ms  195.229.252.130 
 3   155 ms   217 ms   155 ms  195.229.252.114 
 4  2171 ms  1405 ms  1530 ms  194.170.2.57 
 5  2685 ms  1280 ms   655 ms  dxb-emix-ra.ge6303.emix.ae [195.229.31.99] 
 6   202 ms   530 ms   999 ms  dxb-emix-rb.so100.emix.ae [195.229.0.230] 
 7   609 ms  1124 ms  1748 ms  iar1-so-3-2-0.Thamesside.cw.net [166.63.214.65] 
 8  1622 ms  2377 ms  2061 ms  eqixva-google-gige.google.com [206.223.115.21] 
 9  2498 ms   968 ms   593 ms  216.239.48.193 
 10  3546 ms  3686 ms  3030 ms  216.239.48.89 
 11  1806 ms  1529 ms   812 ms  216.33.98.154 
 12  1108 ms  1683 ms  2062 ms  ns3.google.com [216.239.36.10] 
 
 Trace complete. 
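The ARIN record shown earlier and the tracert listing above are normally correlated by hand. The following Python script is an added example, not part of the courseware or of any tool it describes: it parses the registry's key/value output and the tracert listing, reports which hops fall inside the allocation the registry attributes to the target, and builds the in-addr.arpa name that a reverse lookup of each hop would query. The sample inputs are transcribed from the outputs shown above, except that hop 10 has been replaced by a constructed unanswered hop ("Request timed out.") to show how a hop that drops the probe appears.

```python
"""Correlate an ARIN whois record with traceroute hops (added example).

Parses the key/value whois output and the Windows tracert listing, then
reports which hops lie inside the target's registered allocation and the
in-addr.arpa name a reverse (PTR) lookup of each hop would query.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample inputs transcribed from the outputs shown in the text; hop 10 has been
# replaced by a constructed unanswered hop to show how a filtering device looks.
ARIN_OUTPUT = """\
OrgName:    Google Inc.
OrgID:      GOGL
NetRange:   216.239.32.0 - 216.239.63.255
CIDR:       216.239.32.0/19
NetName:    GOOGLE
NetType:    Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
"""

TRACERT_OUTPUT = """\
Tracing route to ns3.google.com [216.239.36.10] over a maximum of 30 hops:

  1  1262 ms   186 ms   124 ms  195.229.252.10
  2  2796 ms  3061 ms  3436 ms  195.229.252.130
  7   609 ms  1124 ms  1748 ms  iar1-so-3-2-0.Thamesside.cw.net [166.63.214.65]
  8  1622 ms  2377 ms  2061 ms  eqixva-google-gige.google.com [206.223.115.21]
  9  2498 ms   968 ms   593 ms  216.239.48.193
 10     *        *        *     Request timed out.
 11  1806 ms  1529 ms   812 ms  216.33.98.154
 12  1108 ms  1683 ms  2062 ms  ns3.google.com [216.239.36.10]

Trace complete.
"""

# One hop line: hop number, three RTT columns ("N ms", "<1 ms" or "*"), then
# either "name [ip]", a bare ip, or "Request timed out."
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<rtts>(?:(?:<?\d+ ms|\*)\s+){3})(?P<rest>.*?)\s*$"
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Hop:
    number: int
    ip: Optional[str]       # None when no router answered the probe
    name: Optional[str]     # reverse DNS name, if tracert printed one
    filtered: bool          # True for "* * *" hops


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' registry output; repeated keys (NameServer) keep every value."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def allocation_of(record: Dict[str, List[str]]) -> ipaddress.IPv4Network:
    """The CIDR block the registry attributes to the organization."""
    return ipaddress.ip_network(record["CIDR"][0])


def parse_tracert(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank and "Trace complete." lines
        rest = m.group("rest")
        ip_match = IP_RE.search(rest)
        if ip_match is None:
            hops.append(Hop(int(m.group("hop")), None, None, True))
            continue
        name = rest.split("[", 1)[0].strip() if "[" in rest else None
        hops.append(Hop(int(m.group("hop")), ip_match.group(1), name, False))
    return hops


def hops_inside(hops: List[Hop], allocation: ipaddress.IPv4Network) -> List[int]:
    """Hop numbers whose address lies in the registry allocation of the target."""
    return [h.number for h in hops
            if h.ip is not None and ipaddress.ip_address(h.ip) in allocation]


def reverse_name(ip: str) -> str:
    """The in-addr.arpa owner name a PTR lookup of this address queries."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    record = parse_whois(ARIN_OUTPUT)
    allocation = allocation_of(record)
    print(f"{record['OrgName'][0]} is allocated {allocation}")
    for h in parse_tracert(TRACERT_OUTPUT):
        if h.filtered:
            print(f"hop {h.number:2d}: no reply (probe dropped or ICMP filtered)")
            continue
        where = "inside" if ipaddress.ip_address(h.ip) in allocation else "outside"
        print(f"hop {h.number:2d}: {h.ip:16s} {where:7s} PTR query -> {reverse_name(h.ip)}")
```

Run as-is, the script shows the path entering Google's /19 at hop 9, leaving it again at hop 11 (216.33.98.154 belongs to another provider) and ending inside it at hop 12; the unanswered hop is reported separately rather than being mistaken for the end of the path.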

While this is what a simple traceroute might result in, there are web interfaces where a more detailed traceroute can be done and more information obtained. One such interface is available at http://www.opus1.com. Take a look at the same traceroute query done on the same IP address.

 traceroute to 216.239.36.10 (216.239.36.10), 30 hops max, 40 byte packets
  1  manny.Firewall.Opus1.COM (192.245.12.95) [AS22772/AS3908/AS6373/AS5650] Postmaster@Opus1.COM  4.883 ms
  2  Opus-GW (207.182.35.49) [AS22772/AS6373] Postmaster@Opus1.COM  14.648 ms
  3  66.62.80.165 (66.62.80.165) [AS6983] root@in-tch@com.80.62.66.in-addr.arpa  18.554 ms
  4  lax1-core-02.tamerica.net (66.62.5.194) [AS6983] root@in-tch@com.5.62.66.in-addr.arpa  47.849 ms
  5  slc1-core-01.tamerica.net (66.62.3.6) [AS6983] root@in-tch@com.3.62.66.in-addr.arpa  48.825 ms
  6  slc1-core-02.tamerica.net (66.62.3.33) [AS6983] root@in-tch@com.3.62.66.in-addr.arpa  50.778 ms
  7  den1-core-01.tamerica.net (66.62.3.22) [AS6983] root@in-tch@com.3.62.66.in-addr.arpa  49.801 ms
  8  den1-edge-01.tamerica.net (66.62.4.3) [AS6983] root@in-tch@com.4.62.66.in-addr.arpa  50.778 ms
  9  den-core-01.tamerica.net (205.171.4.177) [AS209/AS3909] dns-admin@qwestip.net  48.825 ms
 10  den-core-03.tamerica.net (205.171.16.14) [AS209/AS3909] dns-admin@qwestip.net  49.802 ms
 11  iar2-so-2-3-0.Denver.cw.net (208.172.173.89) [AS3561] hostmaster@cw.net  49.801 ms
 12  acr2.Denver.cw.net (208.172.162.62) [AS3561] hostmaster@cw.net  51.754 ms
 13  agr3-loopback.Washington.cw.net (206.24.226.103) [AS3561] hostmaster@cw.net  97.650 ms
 14  dcr1-so-6-2-0.Washington.cw.net (206.24.238.57) [AS3561] hostmaster@cw.net  97.650 ms
 15  bhr1-pos-0-0.Sterling1dc2.cw.net (206.24.238.34) [AS3561] hostmaster@cw.net  100.579 ms
 16  216.33.98.154 (216.33.98.154) [AS3967] hostmaster@exodus.net  101.556 ms
 17  209.225.34.218 (209.225.34.218) [AS3967] hostmaster@exodus.net.34.225.209.in-addr.arpa  101.556 ms
 18  216.239.48.94 (216.239.48.94) [AS15169] dns-admin@google.com  108.391 ms
Tools  

Note that this method allows for anonymity, since the trace originates from the Opus1 host (see the initial hops through its firewall) and the target sees that host's address rather than the attacker's. It also retrieves the AS numbers, the POC e-mail address and the reverse DNS name for each hop.

Attack Methods  

Sometimes, during traceroute, an attacker's probes will not get through a packet filtering device such as a firewall. The hops beyond it then show up as timeouts (asterisks in the tracert output), and the trace at least tells him where the filtering begins.

start sidebar
Tool: NeoTrace (Now McAfee Visual Trace)
end sidebar
 
Tools  

NeoTrace is a diagnostic and investigative tool. It traces the network path across the Internet from the host system to a target system anywhere on the Internet. Automatic retrieval of data includes registration details for the owner of each computer on the route (address, phone, email address) and the network each node IP is registered to. Easy to read views of the data include a world map showing the locations of nodes along the route, a graph showing the relative response time of each node along the path, and a configurable list of node data.

In the screenshot shown above, we have done a traceroute for www.google.com. Version 3.20 had a node view, a map view and a list view. Note that the DNS entries have been retrieved for the various nodes, and the map view lets the user see relatively easily whether a particular system is geographically where it claims to be.

Concept  

Path discovery can be viewed in terms of the two basic methods for searching a graph, breadth first and depth first. A breadth-first search branches out, examining all nodes within a certain hop distance and slowly increasing that distance until the destination is discovered. A depth-first search follows one path until it is exhausted, and then backs up, recalculating the permutations of the preceding paths. Traceroute is effectively a depth-first walk along the single path the network actually uses: classic UNIX traceroute sends a UDP datagram to an unused high port with a TTL of 1, then 2, and so on, and the search ends when the destination returns an ICMP port unreachable message.

There are many ICMP error messages that can be generated. ICMP destination unreachable (type 3) alone has several codes; port unreachable (code 3) is the one the destination host sends back because no process is listening on the probed UDP port. It must be distinguished from unreachable messages generated by other devices, notably "communication administratively prohibited" (code 13) from a packet filtering device, which means the probe was rejected on the way rather than that the destination was reached.
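The TTL walk described under Concept above, and the distinction between the ICMP replies just discussed, can be followed offline with a simulation. The Python below is an added example, not code from the courseware or from any traceroute implementation: a constructed list of routers stands in for the network, and the path, addresses (from the documentation ranges) and router behaviours are all assumed for illustration.

```python
"""How traceroute walks a path by TTL (added example, simulated offline).

A constructed path of routers stands in for the network. Each probe carries a
TTL; every router decrements it and answers ICMP Time Exceeded (type 11) when
it reaches zero. The destination answers the UDP probe to an unused port with
ICMP Port Unreachable (type 3, code 3), which ends the trace. A filtering
router may drop the probe silently (shown as "*") or reply with type 3 code 13,
Communication Administratively Prohibited, which is not the destination.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_TIME_EXCEEDED = (11, 0)
ICMP_PORT_UNREACHABLE = (3, 3)
ICMP_ADMIN_PROHIBITED = (3, 13)


@dataclass
class Node:
    ip: str
    behaviour: str = "router"   # "router", "silent_filter", "admin_filter" or "host"


# Constructed paths (addresses from the documentation ranges).
PATH_OPEN = [Node("192.0.2.1"), Node("192.0.2.9"), Node("198.51.100.20", "host")]
PATH_SILENT = [Node("192.0.2.1"), Node("192.0.2.9"),
               Node("198.51.100.1", "silent_filter"), Node("198.51.100.20", "host")]
PATH_ADMIN = [Node("192.0.2.1"), Node("198.51.100.1", "admin_filter"),
              Node("198.51.100.20", "host")]


def send_probe(path: List[Node], ttl: int) -> Tuple[Optional[str], Optional[Tuple[int, int]]]:
    """Forward one probe along the path; return (replying ip, icmp type/code) or (None, None)."""
    for node in path:
        if node.behaviour == "host":
            return node.ip, ICMP_PORT_UNREACHABLE   # delivered; the unused UDP port answers
        ttl -= 1                                    # every router decrements the IP TTL
        if ttl == 0:
            return node.ip, ICMP_TIME_EXCEEDED      # expired at this router, which says so
        if node.behaviour == "silent_filter":
            return None, None                       # dropped without any notification
        if node.behaviour == "admin_filter":
            return node.ip, ICMP_ADMIN_PROHIBITED   # rejected, and the filter says so
    return None, None  # ran off the end of the constructed path


def traceroute(path: List[Node], max_hops: int = 30) -> List[Tuple[int, str, str]]:
    """Probe with TTL 1, 2, ... until the destination answers or a filter ends the trace."""
    result: List[Tuple[int, str, str]] = []
    for ttl in range(1, max_hops + 1):
        ip, icmp = send_probe(path, ttl)
        if icmp is None:
            result.append((ttl, "*", "no reply"))
        elif icmp == ICMP_TIME_EXCEEDED:
            result.append((ttl, ip, "time exceeded"))
        elif icmp == ICMP_PORT_UNREACHABLE:
            result.append((ttl, ip, "port unreachable: destination reached"))
            break
        elif icmp == ICMP_ADMIN_PROHIBITED:
            result.append((ttl, ip, "administratively prohibited: filtered, not the destination"))
            break
    return result


if __name__ == "__main__":
    for label, path in (("open path", PATH_OPEN), ("silent filter", PATH_SILENT),
                        ("filter that answers", PATH_ADMIN)):
        print(label)
        for ttl, ip, what in traceroute(path, max_hops=6):
            print(f"  {ttl:2d}  {ip:15s}  {what}")
```

The silent filter illustrates the situation under Attack Methods above: the filtering router itself still appears (the TTL expires there and it reports it), but every hop beyond it is an asterisk, so the trace ends without ever producing the port unreachable message that marks the real destination.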

start sidebar
Tool: VisualRoute Trace
end sidebar
 
Tools  

VisualRoute is a graphical tool that determines where and how traffic is flowing on the route between the desired destination and the user trying to access it, by providing a geographical map of the route, and the performance on each portion of that route.

VisualRoute delivers the functionality of the key Internet "ping", "whois" and "traceroute" tools in a visually integrated package. In addition, VisualRoute can identify the geographical location of routers, servers and other IP devices. This is valuable information for identifying the source of network intrusions and Internet abusers. It helps in establishing the identity of the originating network and the web software a server is running, in detecting routing loops, and in identifying hosts that have the ICMP TTL bug.

VisualRoute's traceroute provides three types of data: an overall analysis, a data table and a geographical view of the routing. The analysis is a brief description of the number of hops, the areas where problems occurred and the type of web server software running at the destination site. The data table lists information for each hop, including the IP address, node name, geographical location and the major Internet backbone on which each server resides.

The world map gives a graphical representation of the actual path of an Internet connection. Users can zoom in and out and move the map around to position it as desired. A mouse click on a server or network name opens a pop-up window with the whois information, including name, telephone and e-mail address, providing instant contact information for problem reporting.

The screenshot above shows a traceroute done to www.google.com. VisualRoute can be downloaded at http://www.visualware.com/download/index.html#visualroute [1]

start sidebar
Tool: SmartWhois
end sidebar
 
Tools  

SmartWhois is a network information utility that allows the user to find all the available information about an IP address, host name or domain, including country, state or province, city, name of the network provider, and administrator and technical support contact information.

Unlike standard Whois utilities, SmartWhois can find the information about a computer located in any part of the world, intelligently querying the right database and delivering all the related records in a short time. The program can retrieve information from more than 20 servers all over the world. SmartWhois can also save the information obtained to an archive file, which is particularly useful in tracking incidents and incident handling. It allows users to load this archive the next time the program is launched and add more information to it, so the list is updated on a regular basis. This feature allows building and maintaining a user-defined database of IP addresses and host names. Alternatively, users can load a list of IP addresses as a text file and have SmartWhois process the whole list. SmartWhois is available for download at www.tamos.com. SmartWhois is capable of performing both IP address/host name and domain name queries. TamoSoft, Inc. also hosts a tools interface at http://all-nettools.com/tools1.htm where a compilation of all the utilities discussed above is given. SmartWhois also has a visual interface that allows easier comprehension of the query.

Countermeasure  

Probably the advantage of SmartWhois over a regular whois client is the ability to archive information and update the archive. This is more useful still if the user saves his notes along with the IP address for later reference. Custom queries can also be made to find additional information that is not returned by standard queries. [2]

start sidebar
Scenario

Adam makes a few searches and gets some internal contact information. He calls the receptionist and informs her that HR had asked him to get in touch with a specific person in the IT division. It is lunch hour, and he says he would rather mail the person concerned than disturb him. He looks up the mail ID on newsgroups and stumbles on a posting that recorded the originating IP address. He traces the route to that IP address.

  • What preventive measures can you suggest to check the availability of sensitive information?

  • What are the implications for the target company? Can he cause harm to targetcompany at this stage?

  • What do you think he can do with the information he has obtained?

end sidebar
 
Attack Methods  

Revisiting Adam...

The scenario described here is one of the many ways social engineering can take place. For instance, an attacker may come across a newbie posting / verbose posting on a discussion forum, where personal email information is given. The attacker can use the information in the posting as a reason to solicit the user over his private mail and gain more information.

Adam may even ask some of his new friends for their email ID on the pretext of sending across an interesting read. There are several resources on the topic of social engineering, but it needs to be remembered that hackers are creative people who can come up with more than one way of getting information. Let us assume that Adam is in possession of some inside information and that he has bypassed the firewall. Is there any means of detecting his action?

An oft-repeated piece of hacker advice is to target the system during business hours, when the log files are voluminous and the intrusion is likely to go unnoticed. IP spoofing is the technique used by attackers to gain access to a network by sending packets to a computer with a source IP address indicating that they come from a trusted host.

To engage in IP spoofing, an attacker must first find the IP address of a trusted host and then modify the packet headers so that the packets appear to come from that host. This works because routers forward packets using only the destination IP address; the source IP address is ignored in transit and is used only by the destination machine when it responds. These attacks exploit applications that authenticate on the basis of IP addresses alone.

start sidebar
Tool: VisualLookout

VisualLookout provides high level views as well as detailed and historical views that provide traffic information in real-time or on a historical basis.

In addition the user can request a "connections" window for any server, which provides a real-time view of all the active network connections showing

  • who is connected,

  • what service is being used,

  • whether the connection is inbound or outbound, and

  • how many connections are active and how long they have been connected.

end sidebar
 
Tools  

VisualLookout is a real-time TCP/IP monitor that can help detect intrusions that have crossed the firewall. This tool is discussed here as it shares features with the other Visualware products. Readers please note that this is basically an intrusion detection tool that can help in analyzing and checking intrusions. It provides a range of alarm mechanisms, including e-mail, SNMP and visual alerts.

Countermeasure  

Traffic volume is an important measure when identifying possible hacker attacks or even Denial of Service (DoS) attacks. A change in traffic patterns from their normal values is an important first clue to possible unwanted visitors. VisualLookout can display any of the important traffic metrics as a graphical representation, both in real time and historically. It can also capture connection activity for any server or computer system that it is monitoring. The search feature locates any connection activity based on inbound or outbound port or IP address/domain name, and can replay the history period of interest as though the session were happening in real time.

start sidebar
Tool: VisualRoute Mail Tracker
end sidebar
 

E-mail spoofing is a security concern that most organizations face. It is often part of a social engineering tactic employed by attackers; sometimes even passwords are easily obtained this way, if users are not aware of the consequences. The reason this is sought-after information is that SMTP (Simple Mail Transfer Protocol) lacks authentication, and hence spoofing is easy.

Attack Methods  

An Nslookup can reveal the MX server. The attacker can connect to its SMTP port and issue commands in accordance with the protocol. If the server has an exploitable vulnerability he can breach the security of the firm, and even without one he can send e-mail that appears to come from the address of the target user. He can, for instance, send a mail asking users to change their passwords on behalf of the system administrator.

Countermeasure  

The best way to eliminate IP spoofing attacks is to install a filtering router that restricts input on the external interface by dropping any packet whose source address belongs to the internal network. In addition, the organization should filter outgoing packets whose source address is not from the internal network, to prevent a source IP spoofing attack from originating at its site. The combination of these two filters prevents outside attackers from sending the target system packets pretending to be from the internal network, and prevents packets originating within the network from pretending to be from outside it.
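The two filters just described, modelled as an ordered rule list evaluated first-match, the way a router ACL or firewall chain is. This is an added Python example, not a configuration from the courseware; it assumes the organization holds 203.0.113.0/24 (a documentation prefix) and that the border router has one external and one internal interface. It also drops the RFC 1918 ranges listed under Concept earlier when they arrive on the external interface, since those can never legitimately come from the Internet.

```python
"""Anti-spoofing filter at the border (added example).

Models the ingress and egress filters as an ordered rule list evaluated
first-match, as on a router ACL: on the external interface drop anything
claiming an internal source (and the RFC 1918 ranges, which never legitimately
arrive from the Internet); on the internal interface drop anything that does
not carry our own prefix as its source.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed: the organization holds 203.0.113.0/24 (a documentation prefix) and
# its border router has one external and one internal interface.
INTERNAL_PREFIX = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")   # catch-all, placed after the specific rules


@dataclass
class Rule:
    iface: str                      # interface the packet arrives on
    src: ipaddress.IPv4Network      # source prefix to match
    action: str                     # "DROP" or "ACCEPT"
    reason: str


def build_rules() -> List[Rule]:
    rules = [Rule("external", INTERNAL_PREFIX, "DROP",
                  "ingress: internal source arriving from outside (spoofed)")]
    rules += [Rule("external", net, "DROP",
                   f"ingress: private range {net} is never valid from the Internet")
              for net in RFC1918]
    rules.append(Rule("external", ANY, "ACCEPT", "ingress: genuine outside source"))
    rules.append(Rule("internal", INTERNAL_PREFIX, "ACCEPT", "egress: our own address space"))
    rules.append(Rule("internal", ANY, "DROP", "egress: source is not ours (spoofed from inside)"))
    return rules


def evaluate(rules: List[Rule], iface: str, src_ip: str) -> Tuple[str, str]:
    """First matching rule decides, as on a router ACL; no match means deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.iface == iface and src in rule.src:
            return rule.action, rule.reason
    return "DROP", "no rule matched (default deny)"


if __name__ == "__main__":
    rules = build_rules()
    # Constructed packets: (interface the packet arrives on, source address)
    for iface, src in [("external", "203.0.113.44"),   # outsider pretending to be us
                       ("external", "10.1.2.3"),        # private source from outside
                       ("external", "198.51.100.25"),   # ordinary Internet source
                       ("internal", "203.0.113.44"),    # our host going out
                       ("internal", "198.51.100.25")]:  # our host spoofing an outsider
        action, reason = evaluate(rules, iface, src)
        print(f"{iface:8s} src={src:15s} -> {action:6s} {reason}")
```

Rule order is the point of the model: because the first match wins, the accept-anything rule for the external interface must come after the drops, or the spoofed packets would be let through before they are ever examined.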

start sidebar
Screenshot: VisualRoute Mail Tracker
end sidebar
 
Tools  

Let us take a look at a tool which can help security personnel in tracking a spoofed mail or even ordinary email. This mail tracker is part of VisualRoute which was discussed previously. This is useful when the email address is the only information available at hand.

Threat  

An attacker might use this to track the user to their e-mail server. An added benefit is that he will be able to see what SMTP software the mail server is running (many times with version information as well). Information about the mail server can help if the attacker knows a vulnerability that can be exploited in order to gain more access to other resources or to cause damage to the system.

In the screenshot above, we can see the various IP addresses in the domain concerned, the time zone, the network involved and the location. An attacker can search for vulnerable hosts on the same network, or, if he is on that network himself, can mount a DoS attack on the target machine and, once it is down, take over its IP address to spoof his way to additional resources.

Readers who are interested in a real scenario may refer to the 'Bunratty Attack' by Vince Gallo, which shows how he created covert channels using valid MAPI e-mail. A copy of the presentation is available at http://chi-publishing.com/isb/backissues/ISB 2001/ISB0605/ISB0605VG.pdf

It demonstrates how one can use a valid application (in this case MAPI e-mail) to communicate covertly with, and even remotely control, a system on an otherwise protected network. All the traffic appears to be valid e-mail.

The other tool that can analyze email headers is eMailTrackerPro, which is discussed next.

start sidebar
Tool: eMailTrackerPro
end sidebar
 
Tools  

eMailTrackerPro analyzes the e-mail header and provides the IP address of the machine that sent the e-mail, which can then be used to track down the sender. This is especially helpful in dealing with spamming and spoofing.

An e-mail spoofer may just be trying to cause trouble, or to discredit the person being spoofed by sending some truly vile message to the recipient. The built-in location database tracks e-mails to a country or region of the world. eMailTrackerPro also provides hyperlink integration with VisualRoute.

Example: Received: from BBB (dns-name [ip-address]) by AAA ...

For tracking purposes, we are most interested in the from and by tokens of the Received header field. Here BBB is the name the connecting computer gave for itself (its HELO/EHLO name, which it can claim freely); dns-name is the reverse DNS lookup that the receiving server AAA performed on ip-address; and ip-address is the address of the computer that actually connected to AAA, the mail server that generated this Received line. The ip-address is what matters for tracking.

Note  

Always base tracking decisions on the IP addresses in the header information and not on host names (which are a lookup from the IP address anyway), because mapping an IP address into a host name and then back into an IP address may yield a different address. Attackers can defeat tracking by using an 'anonymizer' service for web-based e-mail, so that the header carries the anonymizer's IP address, or an open mail relay for ordinary e-mail. Bear in mind, too, that only the Received lines added by servers you control can be trusted; the lines below them were supplied by the sending side and can be forged.
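The header analysis described above, carried through in Python. This is an added example, not code from the courseware or from eMailTrackerPro: it unfolds and parses the Received chain, keeps the bracketed IP address of each hop rather than any name, flags the RFC 1918 addresses from the Concept section earlier, and stops at the last hop that one of our own servers recorded, since everything older may be forged. The message header, the host names and the list of trusted servers are all constructed for the example, and the addresses come from the documentation ranges.

```python
"""Trace an e-mail back through its Received headers (added example).

Parses the Received: chain, takes the bracketed IP address of each hop rather
than any host name, flags RFC 1918 addresses, and finds the last hop that a
server under our control actually recorded; anything older was written by
the sender's side and may be forged.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample header: hop order is newest first, as in a real message.
# Addresses are from the documentation ranges; the host names are invented.
SAMPLE_HEADERS = """\
Received: from mx1.targetcompany.example (mx1.targetcompany.example [203.0.113.10])
    by mail.targetcompany.example with ESMTP id A1B2C3; Mon, 3 Feb 2003 10:15:02 +0000
Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])
    by mx1.targetcompany.example with ESMTP id D4E5F6; Mon, 3 Feb 2003 10:15:01 +0000
Received: from hr-desk (unknown [192.168.1.55])
    by smtp.isp.example with SMTP id G7H8I9; Mon, 3 Feb 2003 10:14:58 +0000
Received: from mail.partner.example (mail.partner.example [192.0.2.7])
    by hr-desk with ESMTP; Mon, 3 Feb 2003 09:00:00 +0000
From: admin@targetcompany.example
Subject: Please reset your password
"""

# Assumed: the servers we operate. Only Received lines they added are trustworthy.
TRUSTED_HOSTS = {"mail.targetcompany.example", "mx1.targetcompany.example"}
TRUSTED_IPS = {"203.0.113.5", "203.0.113.10"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Received: from <helo-name> (<reverse-dns> [<ip>]) by <server> ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class ReceivedHop:
    helo: str            # name the connecting machine gave for itself
    rdns: Optional[str]  # reverse lookup the receiving server did on the IP
    from_ip: str         # address that actually connected; this is what counts
    by: str              # server that wrote this line


def unfold(headers: str) -> str:
    """Join folded continuation lines (leading whitespace) back onto one line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def parse_received(headers: str) -> List[ReceivedHop]:
    hops: List[ReceivedHop] = []
    for line in unfold(headers).splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hops.append(ReceivedHop(m["helo"], m["rdns"], m["ip"], m["by"]))
    return hops  # hops[0] is the newest (topmost) line


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def last_verifiable_hop(hops: List[ReceivedHop]) -> Optional[ReceivedHop]:
    """Walk newest to oldest through lines our own servers wrote. Internal
    relays are skipped; the first outside address one of our servers saw
    connect is as far back as the trail can be trusted."""
    for hop in hops:
        if hop.by not in TRUSTED_HOSTS:
            return None  # the chain left our control without an outside hand-off
        if hop.from_ip not in TRUSTED_IPS:
            return hop
    return None


def helo_matches_rdns(hop: ReceivedHop) -> Optional[bool]:
    """None when the receiving server found no reverse name to compare against."""
    if not hop.rdns or hop.rdns.lower() == "unknown":
        return None
    return hop.helo.lower() == hop.rdns.lower()


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    for i, hop in enumerate(chain):
        note = " (RFC 1918: behind NAT, or forged)" if is_rfc1918(hop.from_ip) else ""
        print(f"{i}: {hop.from_ip:15s} helo={hop.helo} rdns={hop.rdns} by={hop.by}{note}")
    origin = last_verifiable_hop(chain)
    print("track this address:", origin.from_ip if origin else "nothing verifiable")
```

On the sample the trail can only be followed back to 198.51.100.25, the relay that handed the message to our MX; the 192.168.1.55 hop beneath it is a private address recorded by someone else's server, and the bottom line, which claims the message came from a partner, was never seen by any server we control.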

start sidebar
Summary
  • The information gathering phase can be broadly categorized into seven steps.

  • Footprinting renders a unique security profile of a target system.

  • Whois and ARIN can reveal public information about a domain that can be leveraged further.

  • Traceroute and mail tracking can be used to target a specific IP address, and later for spoofing.

  • Nslookup can reveal specific users, and zone transfers can compromise DNS security.

end sidebar
 

[1] (Source: www.visualware.com)

[2] (Source: www.tamos.com)




Staff of EC-Council - Ethical Hacking Student Courseware. Certified Ethical Hacker - Exam 312-50 (EC-Council E-Business Certification Series)
Year: 2003
Pages: 109
