Scanning Methodology

As you’re probably aware by now, EC-Council is in love with methodology. Sure, in the real world you may not follow the steps blindly in order, but I don’t think that’s the point of listing something in a methodology format. A methodology—no matter how silly it may seem on a test or when you’re sitting there performing a real pen test—ensures you don’t miss anything and that all your bases are covered. In that regard, I guess it’s a lot like a preflight checklist, and this is EC-Council’s version of making sure your scanning flight goes smoothly. 

Just as the steps of the overall hacking process can blend into one another, though, keep in mind these steps are simply guidelines and not hard-and-fast rules to follow. When you’re on the job, situations and circumstances will occur that might force you to change the order of things. Sometimes the process of completing one phase will seamlessly blend directly into another. Don’t fret—just go with the flow and get your job done. EC-Council’s scanning methodology phases include the following steps: 

1.  Check for live systems. Something as simple as a ping can provide this. This gives you a list of what’s actually alive on your network subnet. 

2.  Check for open ports. Once you know which IP addresses are active, find what ports they’re listening on. 

3.  Scan beyond IDS. Sometimes your scanning efforts need to be altered to avoid those pesky intrusion detection systems. 

4.  Perform banner grabbing. Banner grabbing and OS fingerprinting will tell you what operating system is on the machines and which services they are running. 

5.  Scan for vulnerabilities. Perform a more focused look at the vulnerabilities these machines haven’t been patched for yet. 

6.  Draw network diagrams. A good network diagram will display all the logical and physical pathways to targets you might like. 

7.  Prepare proxies. This obscures your efforts to keep you hidden.  

This methodology has about as much to do with real life as I have to do with an Oscar nomination, but it’s a memorization effort you have to do. ECC didn’t intend it as much a step-by-step procedure as a checklist to make sure you get to everything you are supposed to during this phase. Despite which order you proceed in, if you hit all the steps, you’re probably going to be successful in your scanning efforts.

Network Footprinting | Footprinting Methods and Tools

Discovering and defining the network range can be another important footprinting step to consider. Knowing where the target’s IP addresses start and stop greatly limits the time you’ll need to spend figuring out specifics later—provided, of course, your target operates in their own IP range. If your objective happens to run services in a cloud (and rest easy, dear reader, we have another entire chapter dedicated to cloud upcoming), this may prove somewhat frustrating, but at least you’ll know what you’re up against. One of the easiest ways to see what range the organization owns or operates in—at least on a high level—is to make use of freely available registry information. 

For example, suppose you knew the IP address of a WWW server (easy enough to discover, as you just learned in the previous sections). If you simply enter that IP address in www.arin.net, the network range will be shown. Entering the IP address of www.mheducation.com (54.164.59.97) gives us the entire network range. In this case, the response displays a range owned and operated by Amazon services, indicating MH Education is making use of Amazon’s cloud services. ARIN also provides a lot of other useful information as well, including the administrative and technical point of contact (POC) for the IP range. In this case, the contacts displayed point us, again, to Amazon web services POC’s, letting us know MH Education is relying on Amazon’s security measures and controls (in part) to protect their resources.

Another tool available for network mapping is traceroute (or tracert hostname on Windows systems), which is a command-line tool that tracks a packet across the Internet and provides the route path and transit times. It accomplishes this by using ICMP ECHO packets (UDP datagrams in Linux versions) to report information on each “hop” (router) from the source to the destination. The TTL on each packet increments by one after each hop is hit and returns, ensuring the response comes back explicitly from that hop and returns its name and IP address. Using this, an ethical hacker can build a picture of the network. For example, consider a traceroute command output from my laptop here in Melbourne, Florida, to a local surf shop just down the road (names and IPs were changed to protect the innocent). 

DNS Basics | Footprinting Methods and Tools

Let take at least a couple of minutes to go over some basics—mainly because you’ll see this stuff on the CEH exam. The simplest explanation of DNS I can think of follows. DNS is made up of servers all over the world. Each server holds and manages the records for its own little corner of the globe, known in the DNS world as a namespace. Each of these records gives directions to or for a specific type of resource. Some records provide IP addresses for individual systems within your network, whereas others provide addresses for your e-mail servers. Some provide pointers to other DNS servers, which are designed to help people find what they’re looking for. 

Port numbers are always important in discussing anything network-wise. When it comes to DNS, 53 is your number. Name lookups generally use UDP, whereas zone transfers use TCP.  

Big, huge servers might handle a namespace as big as the top-level domain “.com,” whereas another server further down the line holds all the records for “mheducation.com.” The beauty of this system is that each server only has to worry about the name records for its own portion of the namespace and to know how to contact the server “above” it in the chain for the top-level namespace the client is asking about. The entire system looks like an inverted tree, and you can see how a request for a particular resource can easily be routed correctly to the appropriate server. For example, the server for anyname.com in the third level holds and manages all the records for that namespace, so anyone looking for a resource (such as their website) could ask that server for an address. 

DNS Footprinting | Footprinting Methods and Tools

I hate getting lost. Now, I’m not saying I’m always the calmest driver and that I don’t complain (loudly) about circumstances and other drivers on the road, but I can honestly say nothing puts me on edge like not knowing where I’m going while driving, especially when the directions given to me don’t include the road names. I’m certain you know what I’m talking about—directions that say, “Turn by the yellow sign next to the drugstore and then go down half a mile and turn right onto the road beside the walrus-hide factory. You can’t miss it.” Inevitably I do wind up missing it, and cursing ensues.

Thankfully, negotiating the Internet isn’t reliant on crazed directions. The road signs we have in place to get to our favorite haunts are all part of the Domain Naming System (DNS), and they make navigation easy. DNS, as you’re no doubt already aware, provides a name-to-IP-address (and vice versa) mapping service, allowing us to type in a name for a resource as opposed to its address. This also provides a wealth of footprinting information for the ethical hacker—so long as you know how to use it.   

Although DNS records are easy to obtain and generally designed to be freely available, this passive footprinting can still get you in trouble. A computer manager named David Ritz was successfully prosecuted in 2008 for querying a DNS server. It was truly a ridiculous ruling, but the point remains that legality and right versus wrong seem always in the eye of the beholder—so be careful. 

Website and E-mail Footprinting

Website and e-mail footprinting may require a little more effort and technical knowledge, but it’s worth it (not to mention EC-Council has devoted two entire slide show sections to the material, so you know it’s gonna be good). Analyzing a website from afar can show all sorts of potentially interesting information, such as software in use, OS, filenames, paths, and contact details. Using tools such as Burp Suite, Firebug, and Website Informer allows you to grab headers and cookies, and learn connection status, content type, and web server information. Heck, pulling the HTML code itself can provide useful intel. You might be surprised what you can find in those “hidden” fields, and some of the comments thrown about in the code may prove handy. A review of cookies might even show you software or scripting methods in use. E-mail headers provide more information than you might think, and are easy enough to grab and examine. And tracking e-mail? Hey, it’s not only useful for information, it’s just downright fun.

Although it doesn’t seem all that passive, web mirroring is a great method for footprinting. Copying a website directly to your system (“mirroring” it) can definitely help speed things along. Having a local copy to play with lets you dive deeper into the structure and ask things like “What’s this directory for over here?” and “I wonder if this site is vulnerable to fill-in-chosen-vulnerability without alerting the target organization.” Tools for accomplishing this are many and varied, and while the following list isn’t representative of every web mirroring tool out there, it’s a good start: 

•  HTTrack (www.httrack.com) 

•  Black Widow (http://softbytelabs.com) 

•  WebRipper (www.calluna-software.com) 

•  Teleport Pro (www.tenmax.com) 

•  GNU Wget (www.gnu.org) 

•  Backstreet Browser (http://spadixbd.com)  

Although it’s great to have a local, current copy of your target website to peruse, let’s not forget that we can learn from history too. Information relevant to your efforts may have been posted on a site at some point in the past but has since been updated or removed. EC-Council absolutely loves this as an information-gathering source, and you are certain to see www.archive.org and Google Cache queried somewhere on your exam.

Google Hacking | Footprinting Methods and Tools

A useful tactic in footprinting a target was popularized mainly in late 2004 by a guy named Johnny Long, who was part of an IT security team at his job. While performing pen tests and ethical hacking, he started paying attention to how the search strings worked in Google. The search engine has always had additional operators designed to allow you to fine-tune your search string. What Mr. Long did was simply apply that logic for a more nefarious purpose. 

Suppose, for example, instead of just looking for a web page on boat repair or searching for an image of a cartoon cat, you decided to tell the search engine, “Hey, do you think you can look for any systems that are using Remote Desktop Web Connection?” Or how about, “Can you please show me any MySQL history pages so I can try to lift a password or two?” Amazingly enough, search engines can do just that for you, and more. The term this practice has become known by is Google hacking. 

Google hacking involves manipulating a search string with additional specific operators to search for vulnerabilities. Table below describes advanced operators for Google hack search strings. 

Innumerable websites are available to help you with Google hack strings. For example, from the Google Hacking Database (a site operated by Mr. Johnny Long and Hackers for Charity, www.hackersforcharity.org/ghdb/), try this string from wherever you are right now:

Basically we’re telling Google to go look for web pages that have TSWEB in the URL (indicating a remote access connection page), and you want to see only those that are running the default HTML page (default installs are common in a host of different areas and usually make things a lot easier for an attacker). I think you may be surprised by the results—I even saw one page where an admin had edited the text to include the logon information.

And if Google hacking weren’t easy enough, there are a variety of tools to make it even more powerful. Tools such as SiteDigger (www.mcafee.com) use Google hack searches and other methods to dig up all sorts of information and vulnerabilities. MetaGoofil (www.edge-security.com) uses Google hacks and cache to find unbelievable amounts of information hidden in the meta tags of publicly available documents. Find the browser and search engine of your choice and look for “Google hack tools.” You’ll find more than a few available for play.

Another note on Google hacking: it’s not as easy to pull off as it once was. Google, for reasons I will avoid discussing here because it angers me to no end, has decided it needs to police search results to prevent folks from using the search engine as it was intended to be used. As you can see from Figure below, and probably from your own Google hacking attempts in learning this opportunity, Google will, from time to time, throw up a CAPTCHA if it believes you’re a “bot” or trying to use the search engine for

Search Engines | Footprinting Methods and Tools

When I was a kid and someone asked me how to do something I’d never done, to define something I’d never heard of, or to comment on some historical happening I spaced out on during school, I had no recourse. Back then you simply had to say, “I don’t know.” If it were really important you went to the library and tried to find it in a book (GASP! The HORROR!). Today when I’m asked something, I do what everyone else does—I Google it. Just yesterday somebody asked me about the diet of sandhill cranes (they’re gigantic, beautiful birds, are always wandering through my backyard, and if I had to guess my first thought on their diet of choice would be small children and household pets). Twenty years ago I wouldn’t have a clue what a sandhill crane was, much less what they ate. Today, given 5 minutes and a browser, I sound like an ornithologist, with a minor in sandhill crane foodstuffs. 

Pen testing and hacking are no different. Want to learn how to use a tool? Go to YouTube and somebody has a video on it. Want to define the difference between BIA and MTD? Go to your favorite search engine and type it in. Need a good study guide for CEH? Type it in and—voilà—here you are….

Search engines can provide a treasure trove of information for footprinting and, if used properly, won’t alert anyone you’re looking at them. Mapping and location-specific information, including drive-by pictures of the company exterior and overhead shots, are so commonplace now people don’t think of them as footprinting opportunities. However, Google Earth, Google Maps, and Bing Maps can provide location information and, depending on when the pictures were taken, can show all sorts of potentially interesting intelligence. Even personal information—like residential addresses and phone numbers of employees—are oftentimes easy enough to find using sites such as Linkedin.com and Pipl.com. A really cool tool along these same lines is Netcraft (www.netcraft.com). Fire it up and take a look at all the goodies you can find. Restricted URLs, not intended for public disclosure, might just show up and provide some juicy tidbits. If they’re really sloppy (or sometimes even if they’re not), Netcraft output can show you the operating system (OS) on the box too. 

While we’re on the subject of using websites to uncover information, don’t neglect the innumerable options available to you—all of which are free and perfectly legal. Social networking sites can provide all sorts of information. Sites such as Linkedin (www.linkedin.com)—where professionals build relationships with peers—can be a great place to profile for attacks later. Facebook and Twitter are also great sources of information, especially when the company has had layoffs or other personnel problems recently—disgruntled former employees are always good for some relevant company dirt. And, just for some real fun, check out http://en.wikipedia.org/wiki/Robin_Sage to see just how powerful social networking can be for determined hackers.