Showing posts with label Network. Show all posts

Network Footprinting | Footprinting Methods and Tools


Discovering and defining the network range can be another important footprinting step to consider. Knowing where the target’s IP addresses start and stop greatly limits the time you’ll need to spend figuring out specifics later—provided, of course, your target operates in their own IP range. If your objective happens to run services in a cloud (and rest easy, dear reader, we have another entire chapter dedicated to cloud upcoming), this may prove somewhat frustrating, but at least you’ll know what you’re up against. One of the easiest ways to see what range the organization owns or operates in—at least on a high level—is to make use of freely available registry information. 

For example, suppose you knew the IP address of a WWW server (easy enough to discover, as you just learned in the previous sections). If you simply enter that IP address in www.arin.net, the network range will be shown. Entering the IP address of www.mheducation.com (54.164.59.97) gives us the entire network range. In this case, the response displays a range owned and operated by Amazon services, indicating MH Education is making use of Amazon’s cloud services. ARIN also provides a lot of other useful information, including the administrative and technical point of contact (POC) for the IP range. In this case, the contacts displayed point us, again, to Amazon Web Services POCs, letting us know MH Education is relying on Amazon’s security measures and controls (in part) to protect their resources.

Another tool available for network mapping is traceroute (or tracert hostname on Windows systems), which is a command-line tool that tracks a packet across the Internet and provides the route path and transit times. It accomplishes this by using ICMP ECHO packets (UDP datagrams in Linux versions) to report information on each “hop” (router) from the source to the destination. The TTL on each successive packet is incremented by one after the previous hop has been hit and its response has returned, ensuring each response comes back explicitly from one hop and reveals that hop's name and IP address. Using this, an ethical hacker can build a picture of the network. For example, consider a traceroute command output from my laptop here in Melbourne, Florida, to a local surf shop just down the road (names and IPs were changed to protect the innocent).
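The TTL stepping described above, modelled offline as an added example (it is not from the original text and is not real traceroute output). Host names, addresses and function names are constructed; the `silent` parameter is an assumption that models a router which does not return a time-exceeded message and therefore shows up as `*`.

```python
"""Offline model of traceroute's TTL stepping over a constructed path."""

# Constructed sample path (documentation-range addresses, hypothetical names).
PATH = [
    ("gw.example.net", "192.0.2.1"),
    ("core1.isp.example", "198.51.100.9"),
    ("edge.isp.example", "198.51.100.77"),
    ("www.shop.example", "203.0.113.20"),  # destination host
]


def send_probe(path, ttl):
    """Forward one probe; every router decrements TTL and answers when it hits 0."""
    for index, (name, ip) in enumerate(path):
        if index == len(path) - 1:
            # The destination answers itself (echo reply, or port unreachable for UDP).
            return ("reply", name, ip)
        ttl -= 1
        if ttl == 0:
            # TTL expired at this router: it returns ICMP time exceeded.
            return ("time-exceeded", name, ip)
    raise ValueError("empty path")


def traceroute(path, max_hops=30, silent=()):
    """Send probes with TTL 1, 2, 3, ... and record which node answered each one."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, name, ip = send_probe(path, ttl)
        if kind == "time-exceeded" and ip in silent:
            hops.append((ttl, "*", "*"))  # router stayed quiet; the hop is hidden
        else:
            hops.append((ttl, name, ip))
        if kind == "reply":
            break  # destination reached, so the trace is complete
    return hops


if __name__ == "__main__":
    for ttl, name, ip in traceroute(PATH, silent={"198.51.100.9"}):
        print(f"{ttl:2d}  {name} ({ip})")
```
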


Gathering Network and Host Information—Scanning



After the reconnaissance and information-gathering stages have been completed, scanning is performed. It is important that the information-gathering stage be as complete as possible to identify the best location and targets to scan. During scanning, the hacker continues to gather information regarding the network and its individual host systems. Information such as IP addresses, operating system, services, and installed applications can help the hacker determine which type of exploit to use in hacking a system.
Scanning is the process of locating systems that are alive and responding on the network. Ethical hackers use scanning to identify target systems' IP addresses. Scanning is also used to determine whether a system is on the network and available. Scanning tools are used to gather information about a system such as IP addresses, the operating system, and services running on the target computer.
Table 1 lists the three types of scanning.

Table 1: Types of scanning

| Scanning type | Purpose |
|---|---|
| Port scanning | Determines open ports and services |
| Network scanning | Identifies IP addresses on a given network or subnet |
| Vulnerability scanning | Discovers presence of known weaknesses on target systems |

  • Port Scanning: Port scanning is the process of identifying open and available TCP/IP ports on a system. Port-scanning tools enable a hacker to learn about the services available on a given system. Each service or application on a machine is associated with a well-known port number. Port numbers are divided into three ranges:
      • Well-Known Ports: 0-1023
      • Registered Ports: 1024-49151
      • Dynamic Ports: 49152-65535
    For example, a port-scanning tool that identifies port 80 as open indicates a web server is running on that system. Hackers need to be familiar with well-known port numbers.

  • Network Scanning: Network scanning is a procedure for identifying active hosts on a network, either to attack them or as a network security assessment. Hosts are identified by their individual IP addresses. Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.

  • Vulnerability Scanning: Vulnerability scanning is the process of proactively identifying the vulnerabilities of computer systems on a network. Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed. Then, the scanner identifies weaknesses or vulnerabilities in the operating system. During the later attack phase, a hacker can exploit those weaknesses in order to gain access to the system.

Although scanning can quickly identify which hosts are listening and active on a network, it is also a quick way to be identified by an intrusion detection system (IDS). Scanning tools probe TCP/IP ports looking for open ports and IP addresses, and these probes can be recognized by most security intrusion detection tools. Network and vulnerability scanning can usually be detected as well, because the scanner must interact with the target system over the network.

Depending on the type of scanning application and the speed of the scan, an IDS will detect the scanning and flag it as an IDS event. Some of the tools for scanning have different modes to attempt to defeat an IDS and are more likely to be able to scan undetected. As a CEH, it is your job to gather as much information as possible and try to remain undetected.
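How an IDS can recognise the probes described above, as an added example (not from the original post): a sliding-window detector that flags one source touching many ports on one host (port scan) or many hosts on one port (network scan). The event format, addresses, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed events (time_s, src, dst, dst_port); not real traffic."""
    events = []
    events += [(1000 + i, "10.0.0.5", "10.0.1.10", 20 + i) for i in range(12)]          # fast port scan
    events += [(2000 + i, "10.0.0.6", f"10.0.1.{i + 1}", 445) for i in range(12)]       # host sweep
    events += [(3000 + 120 * i, "10.0.0.7", "10.0.1.10", 8000 + i) for i in range(12)]  # slow port scan
    events += [(1000 + 5 * i, "10.0.0.8", "10.0.1.10", 443) for i in range(12)]         # ordinary client
    return sorted(events)


def detect_scans(events, window_s=60, threshold=10):
    """Return {(src, kind)} for sources that hit `threshold` distinct targets in one window."""
    alerts = set()
    recent = defaultdict(list)  # src -> [(time, dst, port)] still inside the window
    for t, src, dst, dport in sorted(events):
        buf = recent[src]
        buf.append((t, dst, dport))
        while buf[0][0] < t - window_s:  # drop events older than the window
            buf.pop(0)
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for _, d, p in buf:
            ports_per_host[d].add(p)
            hosts_per_port[p].add(d)
        if any(len(ports) >= threshold for ports in ports_per_host.values()):
            alerts.add((src, "port scan"))      # many ports on a single host
        if any(len(hosts) >= threshold for hosts in hosts_per_port.values()):
            alerts.add((src, "network scan"))   # the same port across many hosts
    return alerts


if __name__ == "__main__":
    print("60 s window:  ", sorted(detect_scans(build_sample_log())))
    print("1500 s window:", sorted(detect_scans(build_sample_log(), window_s=1500)))
```

With the 60-second window the slow scan from 10.0.0.7 produces no alert; widening the window to 1500 seconds surfaces it, which is the tuning trade-off behind the point that scan speed affects whether an IDS event fires.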
