Hacking Exposed 6: Network Security Secrets & Solutions
Before the real fun for the hacker begins, three essential steps must be performed.
This chapter will discuss the first one: footprinting, the fine art of gathering
information. Footprinting is about scoping out your target of interest, understanding
everything there is to know about that target and how it interrelates with everything
around it, often without sending a single packet to your target. And because the direct
target of your efforts may be tightly shut down, you will want to understand your target’s
related or peripheral entities as well.
Let’s look at how physical theft is carried out. When thieves decide to rob a bank,
they don’t just walk in and start demanding money (not the high IQ ones, anyway).
Instead, they take great pains to gather information about the bank—the armored car
routes and delivery times, the security cameras and alarm triggers, the number of tellers
and escape exits, the money vault access paths and authorized personnel, and anything
else that will help in a successful attack.
The same requirement applies to successful cyber attackers. They must harvest a
wealth of information to execute a focused and surgical attack (one that won’t be readily
caught). As a result, attackers will gather as much information as possible about all
aspects of an organization’s security posture. In the end, and if done properly, hackers
end up with a unique footprint, or profile of their target’s Internet, remote access, intranet/
extranet, and business partner presence. By following a structured methodology,
attackers can systematically glean information from a multitude of sources to compile
this critical footprint of nearly any organization.
WHAT IS FOOTPRINTING?
The systematic and methodical footprinting of an organization enables attackers to create
a near complete profile of an organization’s security posture. Using a combination of
tools and techniques coupled with a healthy dose of patience and mind-melding,
attackers can take an unknown entity and reduce it to a specific range of domain names,
network blocks, subnets, routers, and individual IP addresses of systems directly
connected to the Internet, as well as many other details pertaining to its security posture.
Although there are many types of footprinting techniques, they are primarily aimed at
discovering information related to the following environments: Internet, intranet, remote
access, and extranet. Table 1-1 lists these environments and the critical information an
attacker will try to identify.
Why Is Footprinting Necessary?
Footprinting is necessary for one basic reason: it gives you a picture of what the hacker
sees. And if you know what the hacker sees, you know what potential security exposures
you have in your environment. And when you know what exposures you have, you
know how to prevent exploitation.
Hackers are very good at one thing: getting inside your head, and you don’t even know
it. They are systematic and methodical in gathering all pieces of information related to
the technologies used in your environment. Without a sound methodology for performing
this type of reconnaissance yourself, you are likely to miss key pieces of information
related to a specific technology or organization—but trust me, the hacker won’t.
Be forewarned, however: footprinting is often the most arduous task in determining
the security posture of an entity, and it tends to be the most boring for freshly
minted security professionals eager to cut their teeth on some test hacking. However,
footprinting is one of the most important steps and it must be performed accurately and
in a controlled fashion.
INTERNET FOOTPRINTING
Although many footprinting techniques are similar across technologies (Internet and
intranet), this chapter focuses on footprinting an organization’s connection(s) to the
Internet. Remote access is covered in detail in Chapter 6.
It is difficult to provide a step-by-step guide on footprinting because it is an activity
that may lead you down many-tentacled paths. However, this chapter delineates basic
steps that should allow you to complete a thorough footprinting analysis. Many of these
techniques can be applied to the other technologies mentioned earlier.
Step 1: Determine the Scope of Your Activities
The first item of business is to determine the scope of your footprinting activities. Are
you going to footprint the entire organization, or limit your activities to certain subsidiaries
or locations? What about business partner connections (extranets), or disaster-recovery
sites? Are there other relationships or considerations? In some cases, it may be a daunting
task to determine all the entities associated with an organization, let alone properly
secure them all. Unfortunately, hackers have no sympathy for our struggles. They exploit
our weaknesses in whatever forms they manifest themselves. You do not want hackers
to know more about your security posture than you do, so figure out every potential
crack in your armor!
Step 2: Get Proper Authorization
One thing hackers can usually disregard that you must pay particular attention to is
what we techies affectionately refer to as layers 8 and 9 of the seven-layer OSI Model—
Politics and Funding. These layers often find their way into our work one way or another,
but when it comes to authorization, they can be particularly tricky. Do you have
authorization to proceed with your activities? For that matter, what exactly are your
activities? Is the authorization from the right person(s)? Is it in writing? Are the target IP
addresses the right ones? Ask any penetration tester about the “get-out-of-jail-free card,”
and you’re sure to get a smile.
While the very nature of footprinting is to tread lightly (if at all) in discovering
publicly available target information, it is always a good idea to inform the powers that
be at your organization before taking on a footprinting exercise.
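Steps 1 and 2 both come down to one practical control: before any footprinting activity starts, every candidate target must be checked against the scope the authorization actually covers ("Are the target IP addresses the right ones?"). The following scope checker is an added example written for this edition; it is not code from the book. The authorized networks and domains are constructed placeholders standing in for what a signed engagement letter would list, and the function names are this example's own. It treats a candidate subnet that only partly falls inside the authorized ranges as a separate case, because such a block must be split before anything is done with it, and it matches hostnames on label boundaries so that a look-alike domain is not mistaken for an in-scope one.

```python
import ipaddress
from typing import Dict, List

# Constructed sample scope (hypothetical values, not from the book). The RFC 5737
# documentation ranges are used so that nothing here points at a real network.
AUTHORIZED_NETWORKS = ["192.0.2.0/24", "198.51.100.0/25"]
AUTHORIZED_DOMAINS = ["example.com"]


def parse_networks(cidrs: List[str]) -> List[ipaddress._BaseNetwork]:
    """Turn the CIDR strings from the authorization letter into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def host_in_scope(name: str, domains: List[str]) -> bool:
    """A hostname is in scope only if it equals an authorized domain or is a
    subdomain of one. The comparison is made on a label boundary, so
    'notexample.com' is NOT a match for 'example.com'."""
    name = name.lower().rstrip(".")
    for domain in domains:
        domain = domain.lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            return True
    return False


def classify_target(target: str, networks, domains: List[str]) -> str:
    """Classify one candidate as 'in-scope', 'out-of-scope' or 'partial'.

    'partial' is reserved for a CIDR that straddles the authorized boundary:
    part of it is covered by the letter and part is not, so it has to be split
    before any work touches it."""
    try:
        net = ipaddress.ip_network(target, strict=False)  # an address parses as a /32 or /128
    except ValueError:
        # Not an IP address or CIDR, so treat it as a hostname.
        return "in-scope" if host_in_scope(target, domains) else "out-of-scope"

    # subnet_of() raises on mixed IPv4/IPv6 comparisons, so only compare like with like.
    same_family = [a for a in networks if a.version == net.version]
    if any(net.subnet_of(a) for a in same_family):
        return "in-scope"
    if any(net.overlaps(a) for a in same_family):
        return "partial"
    return "out-of-scope"


def check_scope(candidates: List[str],
                networks: List[str] = AUTHORIZED_NETWORKS,
                domains: List[str] = AUTHORIZED_DOMAINS) -> Dict[str, List[str]]:
    """Sort a candidate target list into the three buckets above."""
    nets = parse_networks(networks)
    report: Dict[str, List[str]] = {"in-scope": [], "out-of-scope": [], "partial": []}
    for target in candidates:
        report[classify_target(target, nets, domains)].append(target)
    return report


if __name__ == "__main__":
    # Constructed candidate list for the demonstration.
    candidates = [
        "192.0.2.5", "192.0.2.0/26", "198.51.100.200", "198.51.100.0/24",
        "www.example.com", "notexample.com", "203.0.113.7", "2001:db8::1",
    ]
    for bucket, targets in check_scope(candidates).items():
        print(f"{bucket:13s} {targets}")
```

Anything that lands in the "out-of-scope" or "partial" buckets goes back to whoever signed the authorization, not into the target list; the point of running the check first is that the question gets asked before the first packet, not after.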