Footprinting is the process by which an attacker tries to learn as much as he can about the target. Think of it as reconnaissance. An intelligent attacker would try to learn as much as he could so that a more focused and direct attack could be made against the target. For example, if he discovers that the target is running Windows 98, it would be useless to try attacks that only work against Windows 2000 machines. Being able to complete the footprinting process in a quick and accurate manner is an indication of a skilled attacker. The footprinting process typically involves the following basic steps:
1. Host identification
2. Open ports
3. Running services and their versions
4. Operating system identification
Host identification is the act of determining whether a host is actually present at an IP address. A home machine might be configured with a static address, but if the machine isn't powered on, the host identification process would indicate that no host resides at that IP address. Therefore, the goal of this step is to determine if a live machine exists at the given IP address. The most basic way to determine if an address has a live machine behind it is to ping it. Ping is actually an acronym for Packet INternet Groper. It is named after the sound that a sonar makes, inspired by the principle of echo location. Ping utilizes Internet Control Message Protocol (ICMP), which allows for the generation of error messages, test packets, and informational messages related to IP. When you ping a machine, a packet of data is sent to the supplied IP address. If you receive a response, some sort of device is alive at that address. If not, the machine is either turned off or unreachable because of network congestion or because of some network filtering or security device. Filtering rules or security devices such as firewalls can protect a computer from being found by dropping incoming ping packets. The ping command is available by default on almost all of the common operating systems that one might find in a home environment. On a Windows-based computer, we can issue the ping command against a known IP address or name to see if it is alive, as shown in Listing 10.1.
```text
C:\>ping 192.168.4.1

Pinging 192.168.4.1 with 32 bytes of data:

Reply from 192.168.4.1: bytes=32 time<10ms TTL=64
Reply from 192.168.4.1: bytes=32 time<10ms TTL=64
Reply from 192.168.4.1: bytes=32 time<10ms TTL=64
Reply from 192.168.4.1: bytes=32 time<10ms TTL=64

Ping statistics for 192.168.4.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
In Listing 10.1, we see four replies from the computer located at IP address 192.168.4.1. We now know that this computer is alive and available for further investigation. In Listing 10.2, we ping the address 192.168.4.4.
```text
C:\>ping 192.168.4.4

Pinging 192.168.4.4 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.4.4:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
In this listing, we receive a Request timed out message from the ping command. This indicates that in all likelihood, no live machine is at that address. Note that some firewalls and hosts can be configured not to respond to pings, so this method of determining live hosts is not always accurate. In the case of the typical home user, however, this is rarely done. As we will see in Chapter 11, “Securing Your Standalone PC: Broadband Connections,” many products are available to protect the home user's computer with additional features that the operating system does not have.
If we did not know the IP address of the computer, but knew its name, we could ping the computer by name to determine if it were alive. A real address on the Internet that we can use is Yahoo! In Listing 10.3, we ping the Yahoo! Web site to see whether it is alive.
```text
C:\>ping www.yahoo.com

Pinging www.yahoo.akadns.net [64.58.76.225] with 32 bytes of data:

Reply from 64.58.76.225: bytes=32 time=90ms TTL=241
Reply from 64.58.76.225: bytes=32 time=91ms TTL=241
Reply from 64.58.76.225: bytes=32 time=90ms TTL=241
Reply from 64.58.76.225: bytes=32 time=80ms TTL=241

Ping statistics for 64.58.76.225:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 91ms, Average = 87ms
```
Listing 10.3 shows us that the DNS server translates the name www.yahoo.com into an IP address (64.58.76.225). When the computer knows the IP address, it can ping the address; in this case, we see that the address is alive.
Ping is an extremely useful utility. The basic function of determining if a computer is alive is valuable in troubleshooting your Internet connection. If you have ever dialed up your ISP, tried to surf the Internet, and found that nothing was happening, you could easily open a DOS window and ping an address such as Yahoo! or Netscape. The odds of Yahoo! or Netscape being unavailable are slim. If you are not getting a response from these addresses, you can tell that traffic is not going out from or coming back into your computer, and you can begin your search for the problem with some valuable information. If you are trying to surf your favorite Web site but nothing is coming up in the browser window, you can ping the Web site address to see if it is alive.
An example of a computer that is alive but does not respond to a ping request is Microsoft. We know that their main Web site, www.microsoft.com, is alive because we can bring it up in a Web browser. However, if we try to ping it, as in Listing 10.4, we get the Request timed out response. Microsoft uses filtering rules to block ping requests.
```text
C:\>ping www.microsoft.com

Pinging www.microsoft.akadns.net [207.46.197.102] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 207.46.197.102:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
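The four ping listings above share one output shape, and the one thing to keep straight when reading them is that a timeout is evidence of no reply, not of no host. As an added example (not from the book), here is a small Python parser for that Windows ping output. The two sample outputs are constructed in the shape of Listings 10.3 and 10.4, and the hostname/IP extraction assumes the bracketed-address form that appears when a name rather than an address is pinged.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample output in the shape of Listings 10.3 and 10.4
# (not copied from the book; values chosen to match those listings).
PING_ALIVE = """Pinging www.yahoo.akadns.net [64.58.76.225] with 32 bytes of data:
Reply from 64.58.76.225: bytes=32 time=90ms TTL=241
Reply from 64.58.76.225: bytes=32 time=91ms TTL=241
Reply from 64.58.76.225: bytes=32 time=90ms TTL=241
Reply from 64.58.76.225: bytes=32 time=80ms TTL=241
Ping statistics for 64.58.76.225:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 91ms, Average = 87ms
"""

PING_FILTERED = """Pinging www.microsoft.akadns.net [207.46.197.102] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 207.46.197.102:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
"""


@dataclass
class PingResult:
    target: str              # IP address that was actually pinged
    hostname: Optional[str]  # name that was resolved, if a name was given
    sent: int
    received: int
    replies: int             # "Reply from" lines seen
    timeouts: int            # "Request timed out." lines seen

    @property
    def replied(self) -> bool:
        return self.received > 0

    @property
    def verdict(self) -> str:
        # A reply proves a device is up; silence proves only that no echo
        # reply came back (host off, unreachable, or filtered by a firewall).
        return "alive" if self.replied else "no reply (down or filtered)"


# "Pinging <name> [<ip>] with N bytes" when a name was given,
# "Pinging <ip> with N bytes" when an address was given.
HEADER_RE = re.compile(
    r"^Pinging (?P<name>\S+?)(?: \[(?P<ip>[\d.]+)\])? with \d+ bytes", re.M
)
STATS_RE = re.compile(r"Sent = (?P<sent>\d+), Received = (?P<recv>\d+), Lost = (?P<lost>\d+)")


def parse_ping(output: str) -> PingResult:
    """Parse Windows ping output into a PingResult."""
    head = HEADER_RE.search(output)
    if head is None:
        raise ValueError("not Windows ping output")
    if head.group("ip"):
        hostname, target = head.group("name"), head.group("ip")
    else:
        hostname, target = None, head.group("name")
    stats = STATS_RE.search(output)
    if stats is None:
        raise ValueError("statistics block missing")
    return PingResult(
        target=target,
        hostname=hostname,
        sent=int(stats.group("sent")),
        received=int(stats.group("recv")),
        replies=len(re.findall(r"^Reply from ", output, re.M)),
        timeouts=len(re.findall(r"^Request timed out\.", output, re.M)),
    )


if __name__ == "__main__":
    for sample in (PING_ALIVE, PING_FILTERED):
        r = parse_ping(sample)
        print(f"{r.target:16} sent={r.sent} received={r.received}  {r.verdict}")
```

The `verdict` property deliberately never says "no host": as the Microsoft example shows, a 100% loss only tells you that the echo request went unanswered.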
When a live host is discovered, the next step is to determine what ports are open on the machine. A port is a software characteristic of the machine, not a physical one. Every network-based service provided by a computer (Web, mail, FTP, and so on) runs on a specific port number. If a host that is connected to the network is performing some sort of function that requires network interaction, open ports will exist on the host. For example, telnet servers listen on port 23, and Web servers listen on port 80. Although services have assigned numbers, no rule prevents a Web server from using a different port number. By examining the open ports on a machine, we can determine what services are probably running.
One of the easiest tools to use in determining open ports is Fscan available from Foundstone (http://www.foundstone.com). Fscan works on all flavors of Microsoft Windows and is freely available. Listing 10.5 shows a port scan of a machine located at IP address 192.168.4.2.
```text
C:\>fscan 192.168.4.2
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

No ports provided - using default lists:

TCP: 21,25,43,53,70,79,80,110,111,113,115,119,135,139,389,443,1080,1433
UDP: 49,53,69,135,137,138,161,162,513,514,515,520,31337,32780

Scan started at Mon Aug 20 07:40:27 2001
192.168.4.2 21/tcp
192.168.4.2 25/tcp
192.168.4.2 80/tcp
192.168.4.2 135/tcp
192.168.4.2 139/tcp
192.168.4.2 443/tcp
192.168.4.2 135/udp
192.168.4.2 137/udp
192.168.4.2 138/udp
Scan finished at Mon Aug 20 07:40:29 2001

Time taken: 32 ports in 2.674 secs (11.97 ports/sec)
```
In this case, we see that 192.168.4.2 is alive and that it has Transmission Control Protocol (TCP) ports 21, 25, 80, 135, 139, and 443 open. It also shows that User Datagram Protocol (UDP) ports 135, 137, and 138 are open. A port can be open on either TCP or UDP. Each protocol carries various services and running functions that can be contacted. The majority of services we will be dealing with are TCP based. TCP is the most common transport layer protocol used on Ethernet and the Internet. TCP is the more robust of the two, providing reliable connections, whereas UDP is a connectionless protocol with no delivery guarantees.
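Seen from the target's side, the scan in Listing 10.5 is a burst of connection attempts to many different ports from one source within a couple of seconds, which is exactly what a firewall log makes visible. The following Python is an added example, not from the book or from Foundstone: it builds a constructed log in a hypothetical format, then flags any source that touches at least ten distinct ports on one host inside a ten-second window. The port lists are Fscan's defaults as printed in the listing; the log format, the thresholds and the addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fscan's default port lists as printed in Listing 10.5.
DEFAULT_TCP = [21, 25, 43, 53, 70, 79, 80, 110, 111, 113, 115, 119, 135, 139, 389, 443, 1080, 1433]
DEFAULT_UDP = [49, 53, 69, 135, 137, 138, 161, 162, 513, 514, 515, 520, 31337, 32780]

# Hypothetical log line format (constructed for this example, not any product's):
#   <ISO timestamp> <ACTION> <PROTO> <src ip>:<src port> -> <dst ip>:<dst port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def build_sample_log():
    """Constructed sample: 10.0.0.5 sweeps both default lists in under three
    seconds (as in Listing 10.5), while 10.0.0.9 just browses port 80 once a
    minute. Addresses and timings are made up."""
    lines = []
    t0 = datetime(2001, 8, 20, 7, 40, 27)
    probes = [("TCP", p) for p in DEFAULT_TCP] + [("UDP", p) for p in DEFAULT_UDP]
    for i, (proto, port) in enumerate(probes):
        ts = (t0 + timedelta(milliseconds=80 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} ACCEPT {proto} 10.0.0.5:{40000 + i} -> 192.168.4.2:{port}")
    for i in range(6):
        ts = (t0 + timedelta(minutes=i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} ACCEPT TCP 10.0.0.9:{50000 + i} -> 192.168.4.2:80")
    # The fixed-width timestamp leads each line, so string order is time order.
    return sorted(lines)


def detect_port_scans(lines, window=timedelta(seconds=10), min_ports=10):
    """Return {(src, dst): info} for every source that touches at least
    `min_ports` distinct (proto, port) pairs on one destination within
    `window`. Lines are expected in time order; unparseable lines are skipped."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, proto, dport)
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["dst"])
        q = recent[key]
        q.append((ts, m["proto"], int(m["dport"])))
        while ts - q[0][0] > window:  # drop probes that fell out of the window
            q.popleft()
        touched = {(proto, port) for _, proto, port in q}
        if len(touched) >= min_ports:
            # Overwrite so the alert reflects the full extent of the sweep.
            alerts[key] = {
                "first_seen": q[0][0],
                "distinct_ports": len(touched),
                "ports": sorted(touched),
            }
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(build_sample_log()).items():
        print(f"{src} -> {dst}: {info['distinct_ports']} ports from {info['first_seen']}")
```

The threshold pair (ten ports in ten seconds) is a starting point, not a constant: a scanner that spreads its probes over minutes slides under a short window, and a busy server talking to one client on many ephemeral ports can trip a low threshold, so the window should be tuned against the traffic of the host being protected.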
After the attacker has determined the open port numbers, he needs to associate them with actual services. Two methods of identifying a service are by the port number and by the banner information that can be retrieved during a port scan. We can match ports to the service that is usually found on that port. For example, we know that in most cases, a Web server runs on port 80. If we see this port open in our port scan, we can gain further information by grabbing the banner. We can also use Fscan to grab banners, as shown in Listing 10.6.
```text
C:\>fscan -b 192.168.4.2
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

No ports provided - using default lists:

TCP: 21,25,43,53,70,79,80,110,111,113,115,119,135,139,389,443,1080,1433
UDP: 49,53,69,135,137,138,161,162,513,514,515,520,31337,32780

Scan started at Sun Sep 16 13:07:24 2001
192.168.4.2 139/tcp
[83][00][00][01][8F]
192.168.4.2 80/tcp
HTTP/1.1 400 Bad Request[0D][0A]Server: Microsoft-IIS/5.0[0D][0A]Date: Sun, 16 Sep 2001 20:07:25 GMT[0D][0A]Content-Type: text/html[0D][0A]Content-Length:
192.168.4.2 21/tcp
220 kraa Microsoft FTP Service (Version 5.0).[0D][0A]
192.168.4.2 135/tcp
192.168.4.2 443/tcp
192.168.4.2 135/udp
192.168.4.2 137/udp
192.168.4.2 138/udp
192.168.4.2 520/udp
Scan finished at Sun Sep 16 13:07:31 2001

Time taken: 32 ports in 7.321 secs (4.37 ports/sec)
```
We see that the banner for the Web server running on port 80 says Microsoft-IIS/5.0. In most cases, that is an accurate indication that the Web server is Microsoft IIS 5.0. A knowledgeable system administrator can change the banner to say something else, giving false output, but most consumers and businesses do not do this. The same analysis can be performed for every open port found and every banner available. Table 10.1 lists common ports and their service names; these services are found on many systems, and each of them can be a potential problem.
Port | Description |
---|---|
TCP PORTS | |
11 | SYSTAT |
15 | Unassigned (was netstat) |
21 | FTP |
22 | SSH |
23 | Telnet |
25 | SMTP |
43 | nickname |
53 | DNS |
66 | Oracle SQL*NET |
79 | Finger |
80 | HTTP |
88 | Kerberos |
109 | POP2 |
110 | POP3 |
111 | sunrpc/rpcbind |
118 | SQLServ |
119 | NNTP |
135 | EPMAP |
139 | NETBIOS |
143 | IMAP2 |
150 | SQL-NET |
156 | SQLServ |
256 | RAP |
389 | LDAP |
396 | NetWare-IP |
427 | Svrloc |
443 | HTTPS |
455 | Creativepartnr |
465 | SMTPS |
512 | print / exec |
513 | Login |
514 | Shell |
515 | Printer |
524 | NCP |
593 | HTTP-RPC-EPMAP |
1024 | Reserved |
1080 | Socks |
1313 | bmc_patroldb |
1352 | Lotus Notes |
1433 | MS-SQL-S |
1494 | Citrix-ICA |
1498 | Sybase |
1524 | Ingres |
1541 | RDS2 |
1542 | gridgen-elmd |
1723 | PPTP |
2000 | Callbook |
2001 | Dc |
2003 | GNU Finger |
2049 | SUN NFS |
2301 | Compaq HTTP |
2447 | OpenView |
2766 | Compaq |
2998 | iss.net |
3268 | msft-gc |
3300 | SAP |
3306 | MYSQL |
3389 | Remote Display MS |
4045 | NFS - lockd |
5631 | PCAnywhere |
5632 | PCAnywhere |
5800 | VNC |
6000 | X-Windows |
10000 | Netscape Administration Server |
32771 | WinRoute |
UDP PORTS | |
53 | DNS |
69 | TFTP |
135 | EPMAP |
137 | NETBIOS |
161 | SNMP |
256 | RAP |
500 | ISAKMP |
2049 | SUN NFS |
After the attacker has determined the running services and ports on a machine, he needs to identify the operating system. Identification of the operating system allows for a more surgical attack. The simplest form of operating system identification is banner grabbing. Banner grabbing is merely viewing the message that appears when connecting to a service. A banner might give the attacker information on the operating system, type of host, and version of the application running on it. As shown in Listing 10.6, we can determine that the operating system is a Microsoft flavor. Another example of operating system identification via banner grabbing can be seen using FTP banners. Listing 10.7 shows an FTP banner.
```text
220 server1 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
```
By looking at the banners, we can surmise that this particular server is running wu-ftp version 2.6. We can also guess that this is a Unix machine because that is the typical platform on which wu-ftp runs. FTP runs on port 21. Other ports can be used to identify the operating system. The Telnet function usually has banner information that can let you know what the target system is running. In Listing 10.8, we see that one system is running Red Hat Linux and the other is a Cisco device. The mail port also gives us information, as shown in this listing.
```text
Telnet on a Red Hat Linux machine (port 23):

Red Hat Linux release 6.2 (Zoot)
Kernel 2.3.99-pre9 on an i686
login:

A telnet login for Cisco devices (port 23):

User Access Verification
Username: ...

A mail prompt running on port 25:

220 server2 ESMTP Sendmail AIX4.2/UCB 8.7; Tue, 24 Jul 2001 13:27:03 -0500 (CDT)
```
This last machine in the example is running Sendmail, a popular mail program on the Unix platform. Notice that according to the banner, the operating system is AIX (IBM's version of Unix). After these pieces of information are gathered, the attacker should have a pretty good sense of what he is up against. At this point, the question in his mind becomes: Are any vulnerabilities associated with the services that are running on these machines?
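Everything the chapter reads out of Listings 10.6 to 10.8 (product, version and platform) comes from a handful of recognisable banner shapes, which means the same reading can be automated against your own machines to see what they disclose before anyone else looks. The Python below is an added example, not from the book: `classify_banner` applies a short list of illustrative regex rules for the banners shown in those listings (IIS, Microsoft FTP, wu-ftpd, the Red Hat telnet prompt, the Cisco login prompt, Sendmail on AIX) and reports product, version and platform hint. The rule set, the sample banners and the `PORT_SERVICE` map are assumptions made for the example, and a banner that matches no rule is reported as unidentified rather than guessed.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class BannerInfo:
    port: int
    service: str                # what the port is normally used for
    product: Optional[str]      # software named in the banner, if any
    version: Optional[str]      # version string disclosed, if any
    os_hint: Optional[str]      # platform the banner suggests, if any

    @property
    def discloses_version(self) -> bool:
        return self.version is not None


# Well-known ports for the services discussed in the chapter (assumed map).
PORT_SERVICE = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http"}

# Ordered rules: (regex, fallback product, fallback OS hint). Named groups
# "product", "version" and "os" override the fallbacks when they match.
# Derived from the banner shapes in Listings 10.6 to 10.8; illustrative only.
RULES = [
    (re.compile(r"Server: (?P<product>Microsoft-IIS)/(?P<version>[\d.]+)"), None, "Windows"),
    (re.compile(r"(?P<product>Microsoft FTP Service) \(Version (?P<version>[\d.]+)\)"), None, "Windows"),
    (re.compile(r"FTP server \(Version wu-(?P<version>[\d.]+)"), "wu-ftpd", "Unix"),
    (re.compile(r"(?P<product>Red Hat Linux) release (?P<version>[\d.]+)"), None, "Linux"),
    (re.compile(r"User Access Verification\s+Username:"), "Cisco login prompt", "Cisco device"),
    (re.compile(r"ESMTP (?P<product>Sendmail) (?:(?P<os>AIX[\d.]+)/UCB )?(?P<version>[\d.]+)"), None, "Unix"),
]


def classify_banner(port: int, banner: str) -> BannerInfo:
    """Match a captured banner against RULES and report what it discloses."""
    service = PORT_SERVICE.get(port, f"port {port}")
    for pattern, product, os_hint in RULES:
        m = pattern.search(banner)
        if m is None:
            continue
        groups = m.groupdict()
        return BannerInfo(
            port=port,
            service=service,
            product=groups.get("product") or product,
            version=groups.get("version"),
            os_hint=groups.get("os") or os_hint,
        )
    # Nothing recognised: say so rather than guess a platform.
    return BannerInfo(port=port, service=service, product=None, version=None, os_hint=None)


# Constructed banners in the shape of Listings 10.6 to 10.8.
SAMPLE_BANNERS = [
    (80, "HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/5.0\r\nDate: Sun, 16 Sep 2001 20:07:25 GMT\r\n"),
    (21, "220 kraa Microsoft FTP Service (Version 5.0)."),
    (21, "220 server1 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready."),
    (23, "Red Hat Linux release 6.2 (Zoot)\nKernel 2.3.99-pre9 on an i686\nlogin:"),
    (23, "User Access Verification\nUsername:"),
    (25, "220 server2 ESMTP Sendmail AIX4.2/UCB 8.7; Tue, 24 Jul 2001 13:27:03 -0500 (CDT)"),
]


def exposure_report(banners=SAMPLE_BANNERS):
    """One BannerInfo per banner: what each service tells an outside observer."""
    return [classify_banner(port, text) for port, text in banners]


if __name__ == "__main__":
    for info in exposure_report():
        flag = "VERSION DISCLOSED" if info.discloses_version else "no version"
        print(f"{info.port:>5}/{info.service:6} {info.product or '?':22} "
              f"{info.version or '-':6} {info.os_hint or '-':12} {flag}")
```

`discloses_version` is the field to act on: a version string in a banner is exactly what the chapter's closing question is matched against, so any service in the report that shows one is a candidate for having its banner trimmed or its version updated.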