Scanning Methodology

As you’re probably aware by now, EC-Council is in love with methodology. Sure, in the real world you may not follow the steps blindly in order, but I don’t think that’s the point of listing something in a methodology format. A methodology—no matter how silly it may seem on a test or when you’re sitting there performing a real pen test—ensures you don’t miss anything and that all your bases are covered. In that regard, I guess it’s a lot like a preflight checklist, and this is EC-Council’s version of making sure your scanning flight goes smoothly. 

Just as the steps of the overall hacking process can blend into one another, though, keep in mind these steps are simply guidelines and not hard-and-fast rules to follow. When you’re on the job, situations and circumstances will occur that might force you to change the order of things. Sometimes the process of completing one phase will seamlessly blend directly into another. Don’t fret—just go with the flow and get your job done. EC-Council’s scanning methodology phases include the following steps: 

1.  Check for live systems. Something as simple as a ping can provide this. This gives you a list of what’s actually alive on your network subnet. 

2.  Check for open ports. Once you know which IP addresses are active, find what ports they’re listening on. 

3.  Scan beyond IDS. Sometimes your scanning efforts need to be altered to avoid those pesky intrusion detection systems. 

4.  Perform banner grabbing. Banner grabbing and OS fingerprinting will tell you what operating system is on the machines and which services they are running. 

5.  Scan for vulnerabilities. Perform a more focused look at the vulnerabilities these machines haven’t been patched for yet. 

6.  Draw network diagrams. A good network diagram will display all the logical and physical pathways to targets you might like. 

7.  Prepare proxies. This obscures your efforts to keep you hidden.  

This methodology has about as much to do with real life as I have to do with an Oscar nomination, but it’s a memorization effort you have to do. ECC didn’t intend it as much a step-by-step procedure as a checklist to make sure you get to everything you are supposed to during this phase. Despite which order you proceed in, if you hit all the steps, you’re probably going to be successful in your scanning efforts.

Network Footprinting | Footprinting Methods and Tools

Discovering and defining the network range can be another important footprinting step to consider. Knowing where the target’s IP addresses start and stop greatly limits the time you’ll need to spend figuring out specifics later—provided, of course, your target operates in their own IP range. If your objective happens to run services in a cloud (and rest easy, dear reader, we have another entire chapter dedicated to cloud upcoming), this may prove somewhat frustrating, but at least you’ll know what you’re up against. One of the easiest ways to see what range the organization owns or operates in—at least on a high level—is to make use of freely available registry information. 

For example, suppose you knew the IP address of a WWW server (easy enough to discover, as you just learned in the previous sections). If you simply enter that IP address in www.arin.net, the network range will be shown. Entering the IP address of www.mheducation.com (54.164.59.97) gives us the entire network range. In this case, the response displays a range owned and operated by Amazon services, indicating MH Education is making use of Amazon’s cloud services. ARIN also provides a lot of other useful information as well, including the administrative and technical point of contact (POC) for the IP range. In this case, the contacts displayed point us, again, to Amazon web services POC’s, letting us know MH Education is relying on Amazon’s security measures and controls (in part) to protect their resources.

Another tool available for network mapping is traceroute (or tracert hostname on Windows systems), which is a command-line tool that tracks a packet across the Internet and provides the route path and transit times. It accomplishes this by using ICMP ECHO packets (UDP datagrams in Linux versions) to report information on each “hop” (router) from the source to the destination. The TTL on each packet increments by one after each hop is hit and returns, ensuring the response comes back explicitly from that hop and returns its name and IP address. Using this, an ethical hacker can build a picture of the network. For example, consider a traceroute command output from my laptop here in Melbourne, Florida, to a local surf shop just down the road (names and IPs were changed to protect the innocent). 

DNS Basics | Footprinting Methods and Tools

Let take at least a couple of minutes to go over some basics—mainly because you’ll see this stuff on the CEH exam. The simplest explanation of DNS I can think of follows. DNS is made up of servers all over the world. Each server holds and manages the records for its own little corner of the globe, known in the DNS world as a namespace. Each of these records gives directions to or for a specific type of resource. Some records provide IP addresses for individual systems within your network, whereas others provide addresses for your e-mail servers. Some provide pointers to other DNS servers, which are designed to help people find what they’re looking for. 

Port numbers are always important in discussing anything network-wise. When it comes to DNS, 53 is your number. Name lookups generally use UDP, whereas zone transfers use TCP.  

Big, huge servers might handle a namespace as big as the top-level domain “.com,” whereas another server further down the line holds all the records for “mheducation.com.” The beauty of this system is that each server only has to worry about the name records for its own portion of the namespace and to know how to contact the server “above” it in the chain for the top-level namespace the client is asking about. The entire system looks like an inverted tree, and you can see how a request for a particular resource can easily be routed correctly to the appropriate server. For example, the server for anyname.com in the third level holds and manages all the records for that namespace, so anyone looking for a resource (such as their website) could ask that server for an address. 

DNS Footprinting | Footprinting Methods and Tools

I hate getting lost. Now, I’m not saying I’m always the calmest driver and that I don’t complain (loudly) about circumstances and other drivers on the road, but I can honestly say nothing puts me on edge like not knowing where I’m going while driving, especially when the directions given to me don’t include the road names. I’m certain you know what I’m talking about—directions that say, “Turn by the yellow sign next to the drugstore and then go down half a mile and turn right onto the road beside the walrus-hide factory. You can’t miss it.” Inevitably I do wind up missing it, and cursing ensues.

Thankfully, negotiating the Internet isn’t reliant on crazed directions. The road signs we have in place to get to our favorite haunts are all part of the Domain Naming System (DNS), and they make navigation easy. DNS, as you’re no doubt already aware, provides a name-to-IP-address (and vice versa) mapping service, allowing us to type in a name for a resource as opposed to its address. This also provides a wealth of footprinting information for the ethical hacker—so long as you know how to use it.   

Although DNS records are easy to obtain and generally designed to be freely available, this passive footprinting can still get you in trouble. A computer manager named David Ritz was successfully prosecuted in 2008 for querying a DNS server. It was truly a ridiculous ruling, but the point remains that legality and right versus wrong seem always in the eye of the beholder—so be careful. 

Website and E-mail Footprinting

Website and e-mail footprinting may require a little more effort and technical knowledge, but it’s worth it (not to mention EC-Council has devoted two entire slide show sections to the material, so you know it’s gonna be good). Analyzing a website from afar can show all sorts of potentially interesting information, such as software in use, OS, filenames, paths, and contact details. Using tools such as Burp Suite, Firebug, and Website Informer allows you to grab headers and cookies, and learn connection status, content type, and web server information. Heck, pulling the HTML code itself can provide useful intel. You might be surprised what you can find in those “hidden” fields, and some of the comments thrown about in the code may prove handy. A review of cookies might even show you software or scripting methods in use. E-mail headers provide more information than you might think, and are easy enough to grab and examine. And tracking e-mail? Hey, it’s not only useful for information, it’s just downright fun.

Although it doesn’t seem all that passive, web mirroring is a great method for footprinting. Copying a website directly to your system (“mirroring” it) can definitely help speed things along. Having a local copy to play with lets you dive deeper into the structure and ask things like “What’s this directory for over here?” and “I wonder if this site is vulnerable to fill-in-chosen-vulnerability without alerting the target organization.” Tools for accomplishing this are many and varied, and while the following list isn’t representative of every web mirroring tool out there, it’s a good start: 

•  HTTrack (www.httrack.com) 

•  Black Widow (http://softbytelabs.com) 

•  WebRipper (www.calluna-software.com) 

•  Teleport Pro (www.tenmax.com) 

•  GNU Wget (www.gnu.org) 

•  Backstreet Browser (http://spadixbd.com)  

Although it’s great to have a local, current copy of your target website to peruse, let’s not forget that we can learn from history too. Information relevant to your efforts may have been posted on a site at some point in the past but has since been updated or removed. EC-Council absolutely loves this as an information-gathering source, and you are certain to see www.archive.org and Google Cache queried somewhere on your exam.

Google Hacking | Footprinting Methods and Tools

A useful tactic in footprinting a target was popularized mainly in late 2004 by a guy named Johnny Long, who was part of an IT security team at his job. While performing pen tests and ethical hacking, he started paying attention to how the search strings worked in Google. The search engine has always had additional operators designed to allow you to fine-tune your search string. What Mr. Long did was simply apply that logic for a more nefarious purpose. 

Suppose, for example, instead of just looking for a web page on boat repair or searching for an image of a cartoon cat, you decided to tell the search engine, “Hey, do you think you can look for any systems that are using Remote Desktop Web Connection?” Or how about, “Can you please show me any MySQL history pages so I can try to lift a password or two?” Amazingly enough, search engines can do just that for you, and more. The term this practice has become known by is Google hacking. 

Google hacking involves manipulating a search string with additional specific operators to search for vulnerabilities. Table below describes advanced operators for Google hack search strings. 

Innumerable websites are available to help you with Google hack strings. For example, from the Google Hacking Database (a site operated by Mr. Johnny Long and Hackers for Charity, www.hackersforcharity.org/ghdb/), try this string from wherever you are right now:

Basically we’re telling Google to go look for web pages that have TSWEB in the URL (indicating a remote access connection page), and you want to see only those that are running the default HTML page (default installs are common in a host of different areas and usually make things a lot easier for an attacker). I think you may be surprised by the results—I even saw one page where an admin had edited the text to include the logon information.

And if Google hacking weren’t easy enough, there are a variety of tools to make it even more powerful. Tools such as SiteDigger (www.mcafee.com) use Google hack searches and other methods to dig up all sorts of information and vulnerabilities. MetaGoofil (www.edge-security.com) uses Google hacks and cache to find unbelievable amounts of information hidden in the meta tags of publicly available documents. Find the browser and search engine of your choice and look for “Google hack tools.” You’ll find more than a few available for play.

Another note on Google hacking: it’s not as easy to pull off as it once was. Google, for reasons I will avoid discussing here because it angers me to no end, has decided it needs to police search results to prevent folks from using the search engine as it was intended to be used. As you can see from Figure below, and probably from your own Google hacking attempts in learning this opportunity, Google will, from time to time, throw up a CAPTCHA if it believes you’re a “bot” or trying to use the search engine for

Search Engines | Footprinting Methods and Tools

When I was a kid and someone asked me how to do something I’d never done, to define something I’d never heard of, or to comment on some historical happening I spaced out on during school, I had no recourse. Back then you simply had to say, “I don’t know.” If it were really important you went to the library and tried to find it in a book (GASP! The HORROR!). Today when I’m asked something, I do what everyone else does—I Google it. Just yesterday somebody asked me about the diet of sandhill cranes (they’re gigantic, beautiful birds, are always wandering through my backyard, and if I had to guess my first thought on their diet of choice would be small children and household pets). Twenty years ago I wouldn’t have a clue what a sandhill crane was, much less what they ate. Today, given 5 minutes and a browser, I sound like an ornithologist, with a minor in sandhill crane foodstuffs. 

Pen testing and hacking are no different. Want to learn how to use a tool? Go to YouTube and somebody has a video on it. Want to define the difference between BIA and MTD? Go to your favorite search engine and type it in. Need a good study guide for CEH? Type it in and—voilà—here you are….

Search engines can provide a treasure trove of information for footprinting and, if used properly, won’t alert anyone you’re looking at them. Mapping and location-specific information, including drive-by pictures of the company exterior and overhead shots, are so commonplace now people don’t think of them as footprinting opportunities. However, Google Earth, Google Maps, and Bing Maps can provide location information and, depending on when the pictures were taken, can show all sorts of potentially interesting intelligence. Even personal information—like residential addresses and phone numbers of employees—are oftentimes easy enough to find using sites such as Linkedin.com and Pipl.com. A really cool tool along these same lines is Netcraft (www.netcraft.com). Fire it up and take a look at all the goodies you can find. Restricted URLs, not intended for public disclosure, might just show up and provide some juicy tidbits. If they’re really sloppy (or sometimes even if they’re not), Netcraft output can show you the operating system (OS) on the box too. 

While we’re on the subject of using websites to uncover information, don’t neglect the innumerable options available to you—all of which are free and perfectly legal. Social networking sites can provide all sorts of information. Sites such as Linkedin (www.linkedin.com)—where professionals build relationships with peers—can be a great place to profile for attacks later. Facebook and Twitter are also great sources of information, especially when the company has had layoffs or other personnel problems recently—disgruntled former employees are always good for some relevant company dirt. And, just for some real fun, check out http://en.wikipedia.org/wiki/Robin_Sage to see just how powerful social networking can be for determined hackers.

Active Footprinting

When it comes to active footprinting, per EC-Council, we’re really talking about social engineering, human interaction, and anything that requires the hacker to interact with the organization. In short, whereas passive measures take advantage of publicly available information that won’t (usually) ring any alarm bells, active footprinting involves exposing your information gathering to discovery. For example, you can scrub through DNS usually without anyone noticing a thing, but if you were to walk up to an employee and start asking them questions about the organization’s infrastructure, somebody is going to notice.

Social engineering has all sorts of definitions, but it basically comes down to convincing people to reveal sensitive information, sometimes without even realizing they’re doing it. There are millions of methods for doing this, and it can sometimes get really confusing. From the standpoint of active footprinting, the social engineering methods you should be concerned about involve human interaction. If you’re calling an employee or meeting an employee face to face for a conversation, you’re practicing active footprinting.

This may seem easy to understand, but it can get confusing in a hurry. For example, I just finished telling you social media is a great way to uncover information passively, but surely you’re aware you can use some of these social sites in an active manner. What if you openly use Facebook connections to query for information? Or what if you tweet a question to someone? Both of those examples could be considered active in nature, so be forewarned.

Passive Footprinting

Before starting this section, I got to wondering about why passive footprinting seems so confusing to most folks. During practice exams and whatnot in a class I recently sat through, there were a few questions missed by most folks concerning passive footprinting. It may have to do with the term passive (a quick “define passive” web search shows the term denotes inactivity, nonparticipation, and a downright refusal to react in the face of aggression). Or it may have to do with some folks just overthinking the question. I think it probably has more to do with people dragging common sense and real-world experience into the exam room with them, which is really difficult to let go of. In any case, let’s try to set the record straight by defining exactly what passive footprinting is and, ideally, what it is not.

CEH study materials that seems contrary to real life. Many of us who have performed this sort of work know dang good and well what can and cannot get you caught, and we bristle when someone tells us that, for instance, dumpster diving is a passive activity. Therefore, do yourself a favor and just stick with the terms and definitions for your exam. Afterward, you can join the rest of us in mocking it. For now, memorize, trust, and go forth.  

Passive footprinting as defined by EC-Council has nothing to do with a lack of effort and even less to do with the manner in which you go about it (using a computer network or not). In fact, in many ways it takes a lot more effort to be an effective passive footprinter than an active one. Passive footprinting is all about the publicly accessible information you’re gathering and not so much about how you’re going about getting it. Methods include, but are not limited to, gathering of competitive intelligence, using search engines, perusing social media sites, participating in the ever-popular dumpster dive, gaining network ranges, and raiding DNS for information. As you can see, some of these methods can definitely ring bells for anyone paying attention and don’t seem very passive to common-sense-minded people anywhere, much less in our profession. But you’re going to have to get over that feeling rising up in you about passive versus active footprinting and just accept this for what it is—or be prepared to miss a few questions on the exam. 

Passive information gathering definitely contains the pursuit and acquisition of competitive intelligence, and because it’s a direct objective within CEH and you’ll definitely see it on the exam, we’re going to spend a little time defining it here. Competitive intelligence refers to the information gathered by a business entity about its competitors’ customers, products, and marketing. Most of this information is readily available and can be acquired through different means. Not only is it legal for companies to pull and analyze this information, it’s expected behavior. You’re simply not doing your job in the business world if you’re not keeping up with what the competition is doing. Simultaneously, that same information is valuable to you as an ethical hacker, and there are more than a few methods to gain competitive intelligence.

The company’s own website is a great place to start. Think about it: what do people want on their company’s website? They want to provide as much information as possible to show potential customers what they have and what they can offer. Sometimes, though, this information becomes information overload. Just some of the open source information you can gather from almost any company on its site includes company history, directory listings, current and future plans, and technical information. Directory listings become useful in social engineering, and you’d probably be surprised how much technical information businesses will keep on their sites. Designed to put customers at ease, sometimes sites inadvertently give hackers a leg up by providing details on the technical capabilities and makeup of their network. 

Several websites make great sources for competitive intelligence. Information on company origins and how it developed over the years can be found in places like the EDGAR Database (www.sec.gov/edgar.shtml), Hoovers (www.hoovers.com), LexisNexis (www.lexisnexis.com) and Business Wire (www.businesswire.com). If you’re interested in company plans and financials, the following list provides some great resources: 

•  SEC Info (www.secinfo.com) 

•  Experian (www.experian.com) 

•  Market Watch (www.marketwatch.com) 

•  Wall Street Monitor (www.twst.com) 

•  Euromonitor (www.euromonitor.com) 

CEH Hacker Attack Types

Another area for memorization in our stroll through this introduction concerns the various types of attacks a hacker could attempt. Most of these are fairly easy to identify and seem, at times, fairly silly to even categorize. After all, do you care what the attack type is called if it works for you? For this exam, EC-Council broadly defines all these attack types in four categories.

•  Operating system (OS) attacks   Generally speaking, these attacks target the common mistake many people make when installing operating systems—accepting and leaving all the defaults. Administrator accounts with no passwords, all ports left open, and guest accounts (the list could go on forever) are examples of settings the installer may forget about. Additionally, operating systems are never released fully secure—they can’t be, if you ever plan on releasing them within a timeframe of actual use—so the potential for an old vulnerability in newly installed operating systems is always a plus for the ethical hacker.

•  Application-level attacks   These are attacks on the actual programming code and software logic of an application. Although most people are cognizant of securing their OS and network, it’s amazing how often they discount the applications running on their OS and network. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, as such, have many vulnerabilities built into them. Applications on a network are a gold mine for most hackers.

•  Shrink-wrap code attacks   These attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. The old refrain “Why reinvent the wheel?” is often used to describe this attack type. Why spend time writing code to attack something when you can buy it already “shrink-wrapped”? These scripts and code pieces are designed to make installation and administration easier but can lead to vulnerabilities if not managed appropriately.

•  Misconfiguration attacks   These attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security. Remember the triangle earlier and the maxim “As security increases, ease of use and functionality decrease”? This type of attack takes advantage of the administrator who simply wants to make things as easy as possible for the users. Perhaps to do so, the admin will leave security settings at the lowest possible level, enable every service, and open all firewall ports. It’s easier for the users but creates another gold mine for the hacker.

Hacker Classifications: The Hats

You can categorize a hacker in countless ways, but the “hat” system seems to have stood the test of time. I don’t know if that’s because hackers like Western movies or we’re all just fascinated with cowboy fashion, but it’s definitely something you’ll see over and over again on your exam. The hacking community in general can be categorized into three separate classifications: the good, the bad, and the undecided. In the world of IT security, this designation is given as a hat color and should be fairly easy for you to keep track of.  

• White hats   Considered the good guys, these are the ethical hackers, hired by a customer for the specific goal of testing and improving security or for other defensive purposes. White hats are well respected and don’t use their knowledge and skills without prior consent. White hats are also known as security analysts. 

• Black hats   Considered the bad guys, these are the crackers, illegally using their skills for either personal gain or malicious intent. They seek to steal (copy) or destroy data and to deny access to resources and systems. Black hats do not ask for permission or consent.

• Gray hats   The hardest group to categorize, these hackers are neither good nor bad. Generally speaking, there are two subsets of gray hats—those who are simply curious about hacking tools and techniques and those who feel like it’s their duty, with or without customer permission, to demonstrate security flaws in systems. In either case, hacking without a customer’s explicit permission and direction is usually a crime.  

While we’re on the subject, another subset of this community uses its skills and talents to put forward a cause or a political agenda. These people hack servers, deface websites, create viruses, and generally wreak all sorts of havoc in cyberspace under the assumption that their actions will force some societal change or shed light on something they feel to be a political injustice. It’s not some new anomaly in human nature—people have been protesting things since the dawn of time—it has just moved from picket signs and marches to bits and bytes. In general, regardless of the intentions, acts of “hactivism” are usually illegal in nature. 

Another class of hacker borders on the insane. Some hackers are so driven, so intent on completing their task, they are willing to risk everything to pull it off. Whereas we, as ethical hackers, won’t touch anything until we’re given express consent to do so, these hackers are much like hactivists and feel that their reason for hacking outweighs any potential punishment.

Even willing to risk jail time for their activities, so- called suicide hackers are the truly scary monsters in the closet. These guys work in a scorched-earth mentality and do not care about their own safety or freedom, not to mention anyone else’s.