Lost universe of Programing

Post subject: SCANNING AND FOOTPRINTING 1 (posted 2/10/2008, 2:21 am)

Quote:
Footprinting and scanning are the first basis of hacking. Information gathering has many phases, like profiling your target. Whois and ARIN can reveal public information about a domain that can be leveraged further. Traceroute and mail tracking can be used to target specific IPs and later for spoofing. Nslookup can reveal specific users, and zone transfers can compromise DNS security. Footprinting is necessary to systematically and methodically ensure that all pieces of information related to the aforementioned technologies are identified.

Without a sound methodology for performing this type of reconnaissance, you are likely to miss key pieces of information related to a specific technology or organization. Footprinting is often the most arduous task of trying to determine the security posture of an entity; however, it is one of the most important.

Footprinting must be performed accurately and in a controlled fashion. This is the reconnaissance step before anything is done. Tools like Nmap will be deployed to scan the target and get any available information possible. Information warfare is not without its battle plans or surveillance techniques. In this context, a strategic map used in a battle would be a close analogy to a footprint.

Note that throughout this course, we use the term 'organization' to represent a target system. This includes discussion pertaining to a single system as well. Footprinting, therefore, needs to be carried out precisely and in an organized manner. The information unveiled at various network levels can include details of domain name, network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, access control mechanisms and related lists, phone numbers, contact addresses, authentication mechanisms and system enumeration. This listing may include more information depending on how various security aspects are addressed by the organization.

Information gathered during the footprinting phase can be used as a springboard in narrowing down the attack methodology and also in assessing its merit. One dubious aspect of the information gathering phase is that most of it can be sought within legal bindings and from publicly available information. It is to be noted that though the Internet originated from the efforts of the defense department, and many of the protocols were established to serve the purpose of communicating information reliably, completely and dependably, the speed with which it would penetrate the common world was unpredicted, and so were the security concerns that would arise from the increasingly networked environment.

One of the best hack tools for gathering information is Google! Google hacking is most popular among ethical hackers and black hat hackers. When using scanning tools, the purpose is to detect 'live' systems on the target network; discover services running or listening on target systems; understand port scanning techniques; identify TCP and UDP services running on the target network; discover the operating system; understand active and passive fingerprinting; and use automated discovery tools.

There are various scan types - SYN, FIN, Connect, ACK, RPC, Inverse Mapping, FTP Bounce, Idle Host, etc. The use of a particular scan type depends on the objective at hand. Port scanning is one of the most popular reconnaissance techniques used by hackers to discover services that can be compromised.

A potential target computer runs many 'services' that listen at 'well-known' 'ports'. By scanning which ports are available on the victim, the hacker finds potential vulnerabilities that can be exploited. Scan techniques can be differentiated broadly into Vanilla, Strobe, Stealth, FTP Bounce, Fragmented Packets, Sweep and UDP scans. One of the primary activities that an attacker undertakes while attempting to penetrate the system is to compile an inventory of open ports using any of the port scanning techniques. On completion, this list helps the attacker identify the various services that are running on the target system using an RFC-compliant port list (discussed before under the services file). This allows further strategizing leading to system compromise. Port numbers are 16-bit unsigned numbers and can be broadly classified into three categories: ports 0-1023 are "well known ports", 1024-49151 are "registered ports" and 49152-65535 are "dynamic or private ports". Port scanning usually means scanning for TCP ports, which, being a stateful protocol based on acknowledgement, gives good feedback to the attacker. One problem with port scanning is that it is effortlessly logged by the services listening at the scanned ports. This is because they detect an incoming connection but do not receive any data, thereby generating an application error log.

UDP, or connection-less (without acknowledgement) traffic, responds in a different manner. In order to scan for UDP ports, the attacker generally sends an empty UDP datagram to the port. If the port is listening, the service will send back an error message or ignore the incoming datagram. If the port is closed, then the operating system sends back an "ICMP Port Unreachable" message. Here, by the method of exclusion, the attacker can find open ports. Usually UDP ports are high-end ports.

Port scanning techniques can be broadly differentiated into open scan, half-open scan and stealth scan. There are other techniques such as ICMP echo and FTP bounce, and these are covered under sweeps and miscellaneous scans. How does an attacker decide on which scan to adopt? Well, this depends largely on the knowledge gained by the attacker during his reconnaissance regarding the type of network topology, IDS and other logging features present on the system. Predictably, an attacker would like to keep his actions undetected.

One important aspect of information gathering is documentation. Most people don't like paperwork, but it's a requirement that can't be ignored. The best way to get off to a good start is to develop a systematic method to profile a target and record the results. Create a matrix with fields to record domain name, IP address, DNS servers, employee information, email addresses, IP address range, open ports, and banner details.


""-(`v)-"HACKER OF HEART"-(`v)-"
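The post makes two defender-relevant points: a port scan is "effortlessly logged" because each probe opens a connection and sends no data (or, for UDP, draws an ICMP Port Unreachable reply), and port numbers fall into three ranges. The following is an added example, not code from the post or its author, that turns those points into a simple scan detector: it parses a constructed connection log (the log format, the event names SYN_NODATA/ICMP_UNREACH/DATA and the addresses are all assumptions) and flags any source that probes many distinct ports with payload-less attempts inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not from the post. SYN_NODATA: TCP connection opened but no data sent
# (what the post says services log as an error); ICMP_UNREACH: closed UDP port's reply; DATA: normal.
SAMPLE_LOG = """\
2008-02-10 02:21:00 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=21 event=SYN_NODATA
2008-02-10 02:21:01 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=22 event=SYN_NODATA
2008-02-10 02:21:01 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=23 event=SYN_NODATA
2008-02-10 02:21:02 src=10.0.0.5 dst=10.0.0.20 proto=udp dport=53 event=ICMP_UNREACH
2008-02-10 02:21:03 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=80 event=SYN_NODATA
2008-02-10 02:21:04 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=8080 event=SYN_NODATA
2008-02-10 02:21:30 src=10.0.0.7 dst=10.0.0.20 proto=tcp dport=443 event=DATA
"""
LINE_RE = re.compile(r"(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=\S+ proto=\w+ "
                     r"dport=(?P<port>\d+) event=(?P<event>\w+)")
SCAN_EVENTS = {"SYN_NODATA", "ICMP_UNREACH"}  # attempts that carried no payload
def port_class(port: int) -> str:
    # The three ranges the post lists for 16-bit port numbers.
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit unsigned")
    if port <= 1023:
        return "well known"
    return "registered" if port <= 49151 else "dynamic or private"

def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    d["port"] = int(d["port"])
    return d
def detect_scans(lines, window_seconds=60, min_ports=5) -> dict:
    """Sources whose payload-less probes hit >= min_ports distinct ports within window_seconds."""
    by_src = defaultdict(list)
    for ev in (parse_line(ln) for ln in lines if ln.strip()):
        if ev["event"] in SCAN_EVENTS:
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide a window starting at each probe
            ports = {e["port"] for e in evs[i:]
                     if (e["ts"] - start["ts"]).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

On the sample above only 10.0.0.5 is flagged; 10.0.0.7 completed normal data connections and is ignored, and port_class can be applied to the flagged ports to see whether the probe targeted the well-known range.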