Chapter 3: Footprinting

Footprinting. Network Security (Keamanan Jaringan), D3 Telecommunications Engineering (D3 Teknik Telekomunikasi)

Footprinting

• Definition: the gathering of information about a potential target system or network
• Not the same thing as fingerprinting: fingerprinting (working out the operating system or service version from how a host responds) is one step within footprinting

• Attacker's point of view
  • Identify potential target systems
  • Identify which types of attacks may be useful on the target systems

• Defender's point of view
  • Know the available tools
  • May be able to tell if a system is being footprinted, and so be better prepared for a possible attack
  • Vulnerability analysis: know what information you're giving away and what weaknesses you have

Information to Gather

• System (local or remote)
  • IP address, name and domain
  • Operating system
    • Type (Windows, Linux, Solaris, Mac)
    • Version (98/NT/2000/2003/XP/Vista/7, Red Hat, Fedora, SuSE, Ubuntu, OS X)
  • Usernames (and their passwords)
  • File structure
  • Open ports (what services/programs are running on the system)

Information to Gather (2)

• Networks / enterprises
  • System information for all hosts
  • Network topology
    • Gateways
    • Firewalls
    • Overall topology
  • Network traffic information
  • Specialized servers: web, database, FTP, email, etc.

Defender Perspective

• Identify information you’re giving away

• Identify weaknesses in systems/network

• Know when systems/network is being probed

• Identify source of probe

• Develop awareness of threat

• Construct audit trail of activity

Tools - Linux

• Some basic Linux tools - lower-level utilities
• Local system
  • hostname
  • ifconfig
  • who, last
• Remote systems
  • ping
  • traceroute
  • nslookup, dig
  • whois
  • arp, netstat (also local system)

Tools – Linux (2)

• Other utilities

• wireshark (packet sniffing)

• nmap (port scanning) - more later

• Ubuntu Linux

• Go to System / Administration / Network Tools – get interface to collection of tools: ping, netstat, traceroute, port scan, nslookup, finger, whois

Tools - Windows

• Windows

• Sam Spade (collected network tools)

• Wireshark (packet sniffer)

• Command line tools

• ipconfig

• Many others…

hostname

• Determine the host name of the current system
• Usage: hostname
• E.g. hostname
  localhost.localdomain // default
• E.g. hostname

ifconfig

• Configure a network interface
• Run without arguments, shows the current IP address, MAC (hardware) address and status of each interface on the host
• Note: ifconfig belongs to the net-tools package, which current Linux distributions often no longer install by default; ip addr show (iproute2) gives the same information
• Usage: ifconfig
• E.g. ifconfig // command alone: display status
  eth0 Link encap: Ethernet HWaddr 00:0C:29:CD:F6:D3
       inet addr: . . .
  lo   Link encap: Local Loopback
       inet addr: . . .

who

• Basic tool to show the users currently logged in to the system
• Useful for identifying unusual activity (e.g. activity by newly created accounts or normally inactive accounts)
• Usage: who
• E.g. who
  root tty1 Jan 9 12:46
  paul tty2 Jan 9 12:52

last

• Show the most recent logins on the system, newest first, read from the wtmp log
• Default: all entries since the wtmp file was last rotated
• -N (or -n N): only the last N lines
• Useful for identifying unusual activity in the recent past; note that an attacker who has gained root can edit wtmp, so a clean listing is not proof that nothing happened
• Usage: last [-n N]
• E.g. last -3
  wagnerpj pts/1 Sat Feb 5 15:40 still logged in
  flinstf pts/0 Sat Feb 5 15:38 still logged in
  rubbleb pts/0 Sat Feb 5 14:38 - 15:25 (00:46)
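The defender's use of who and last described above, automated: the following is an added example (not from the original slides) that parses last output and flags the logins worth a second look. The sample output is constructed for the example and includes the host column that real last prints (the slide's listing omits it); the allowed-user list, the 10.x internal range, the working hours and the year 2011 (last omits the year) are all assumptions made for the demonstration.

```python
import re
from datetime import datetime

# Constructed sample of `last` output, not taken from the original slides.  Real
# `last` prints a host column (omitted in the slide's example) and no year.
SAMPLE_LAST = """\
wagnerpj pts/1        10.1.1.20        Sat Feb  5 15:40   still logged in
flinstf  pts/0        10.1.1.21        Sat Feb  5 15:38   still logged in
rubbleb  pts/0        10.1.1.22        Sat Feb  5 14:38 - 15:25  (00:46)
guest    pts/2        203.0.113.9      Sat Feb  5 03:12 - 03:20  (00:08)
reboot   system boot  2.6.32-generic   Fri Feb  4 08:00 - 15:41  (1+07:41)

wtmp begins Fri Feb  4 08:00:01 2011
"""

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>pts/\d+|tty\d+|system boot)\s+(?P<host>\S+)\s+"
    r"(?P<dow>\w{3}) (?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d)\s+(?P<status>.*)$"
)
PSEUDO_USERS = {"reboot", "shutdown", "runlevel"}


def parse_last(text, year=2011):
    """Parse `last` output into login records (the year is assumed: `last` omits it)."""
    records = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m or m.group("user") in PSEUDO_USERS:
            continue  # blank line, "wtmp begins ..." trailer, or a pseudo-user entry
        when = datetime.strptime(
            f"{m.group('mon')} {m.group('day')} {year} {m.group('time')}", "%b %d %Y %H:%M")
        records.append({"user": m.group("user"), "tty": m.group("tty"),
                        "host": m.group("host"), "login": when,
                        "status": m.group("status").strip()})
    return records


def audit_logins(records, allowed_users, internal_prefixes=("10.",), work_hours=(8, 18)):
    """Return (user, reason) findings a defender would want to look at: unexpected
    accounts, logins from outside the internal address range, and logins outside
    working hours.  The thresholds are assumptions for the demo."""
    findings = []
    for r in records:
        if r["user"] not in allowed_users:
            findings.append((r["user"], "account not in expected-user list"))
        if not r["host"].startswith(internal_prefixes):
            findings.append((r["user"], f"login from external address {r['host']}"))
        if not work_hours[0] <= r["login"].hour < work_hours[1]:
            findings.append((r["user"], f"login at {r['login']:%H:%M}, outside working hours"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_logins(parse_last(SAMPLE_LAST), {"wagnerpj", "flinstf", "rubbleb"}):
        print(f"{user}: {reason}")
```

Feed it `last` output from a real host with its own allow-list and address range; the point is that each rule is a question the who/last slides already ask (who is this account, where did they come from, when), written down so it can run every day instead of when someone remembers.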

ping

• Potential uses
  • Is the system online? Through the response
  • Gather name information: ping resolves the name through DNS, and shows the reverse-resolved name when given an IP address
  • Tentatively identify the operating system, based on the TTL (packet Time To Live) shown on each reply line
    • TTL = number of hops the packet is allowed before being discarded; each router on the path decrements it by one
    • 64 is the Linux default, 128 is the Windows default (but can be
    • The value you see has already been reduced by the hops in between, so a reply TTL of 125 most likely started at 128 (a Windows host three routers away), and one of 61 most likely started at 64
• Notes
  • Uses ICMP echo request/reply packets
  • Often blocked by firewalls or disabled on hosts, so a missing reply does not prove a host is down; more useful inside a network
  • Usage: ping system
  • E.g. ping
  • E.g. ping localhost

traceroute

• Potential uses
  • Estimate where a machine is: router host names and per-hop latencies give a rough geographic path, not a precise physical location
  • Gather network information (gateway, other internal systems)
  • Find the system that is dropping your packets, which is evidence of a firewall
• Notes
  • Linux traceroute sends UDP probes by default (ICMP with -I, TCP with -T); Windows tracert sends ICMP echo requests
  • Results are often limited by firewalls that drop the probes or the ICMP time-exceeded replies
  • Several GUI-based traceroute utilities are available
  • Usage: traceroute system
  • E.g. traceroute

traceroute example - success

C:\Users\Temp>tracert
Tracing route to []
over a maximum of 30 hops:
  1     1 ms    <1 ms    <1 ms
  2     6 ms     6 ms     4 ms
  3     7 ms     3 ms     2 ms
  4     3 ms     1 ms     1 ms
Trace complete.

traceroute example - blocked

C:\Users\Temp>tracert
Tracing route to []
over a maximum of 30 hops:
  1     1 ms     1 ms     2 ms
  2     5 ms     2 ms     2 ms
  3     4 ms     9 ms     3 ms
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
Trace complete.
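The TTL-based OS guess from the ping section and the blocked-hop reasoning from the two tracert listings above, as one added example that is not part of the original slides. The ping and tracert outputs are constructed for the example (documentation-range addresses), and the table of common initial TTLs is the slide's 64/128 plus 255, the default on most routers and on Solaris. The last function ties the two tools together: the number of routers implied by the reply TTL should match the number of hops traceroute found before the target, and a run of silent hops after responding ones is the firewall evidence the slides describe.

```python
import re
from collections import Counter

# Constructed sample outputs, not taken from the original slides; the addresses
# are documentation ranges chosen for the example.
SAMPLE_PING = """\
PING 198.51.100.7 (198.51.100.7) 56(84) bytes of data.
64 bytes from 198.51.100.7: icmp_seq=1 ttl=125 time=3.1 ms
64 bytes from 198.51.100.7: icmp_seq=2 ttl=125 time=2.9 ms
"""

SAMPLE_TRACERT_OK = """\
Tracing route to 198.51.100.7
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  10.1.1.1
  2     6 ms     6 ms     4 ms  10.1.0.1
  3     7 ms     3 ms     2 ms  192.0.2.1
  4     3 ms     1 ms     1 ms  198.51.100.7

Trace complete.
"""

SAMPLE_TRACERT_BLOCKED = """\
Tracing route to 198.51.100.9
over a maximum of 30 hops:

  1     1 ms     1 ms     2 ms  10.1.1.1
  2     5 ms     2 ms     2 ms  10.1.0.1
  3     4 ms     9 ms     3 ms  192.0.2.1
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Trace complete.
"""

# Common initial TTLs; the reply TTL you see is the initial value minus one per router.
COMMON_INITIAL_TTLS = {64: "Linux/BSD/macOS default", 128: "Windows default",
                       255: "router/Solaris default"}


def parse_ping_ttls(text):
    """All ttl= values in ping output."""
    return [int(t) for t in re.findall(r"\bttl=(\d+)", text, flags=re.IGNORECASE)]


def guess_initial_ttl(observed):
    """Smallest common initial TTL at or above the observed one.
    Returns (initial_ttl, os_hint, routers_in_transit)."""
    for initial in sorted(COMMON_INITIAL_TTLS):
        if observed <= initial:
            return initial, COMMON_INITIAL_TTLS[initial], initial - observed
    raise ValueError("an observed TTL above 255 cannot occur")


def parse_tracert(text):
    """(hop_number, responder address or None) for each hop line of tracert/traceroute output."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*\S)\s*$", line)
        if not m:
            continue  # header, blank and "Trace complete." lines
        body = m.group(2)
        if "timed out" in body or not body.replace("*", "").strip():
            hops.append((int(m.group(1)), None))  # Windows wording or Linux "* * *"
        else:
            hops.append((int(m.group(1)), body.split()[-1]))
    return hops


def first_blocked_hop(hops):
    """Hop number at which probes stop being answered, or None."""
    for number, addr in hops:
        if addr is None:
            return number
    return None


def fingerprint(ping_text, tracert_text):
    """Combine the ping reply TTL with the traceroute hop count into an OS hint and a
    consistency check: both are independent estimates of the routers in between."""
    hops = parse_tracert(tracert_text)
    result = {"hops_seen": len(hops), "blocked_at": first_blocked_hop(hops)}
    ttls = parse_ping_ttls(ping_text)
    if ttls:
        observed = Counter(ttls).most_common(1)[0][0]  # ignore a stray reply via another path
        initial, os_hint, transit = guess_initial_ttl(observed)
        result.update(observed_ttl=observed, initial_ttl=initial,
                      os_hint=os_hint, routers_from_ttl=transit)
        if hops and result["blocked_at"] is None:
            # the target itself answers at the last hop; routers before it = len(hops) - 1
            result["consistent"] = transit == len(hops) - 1
    return result


if __name__ == "__main__":
    print(fingerprint(SAMPLE_PING, SAMPLE_TRACERT_OK))
    print(fingerprint("", SAMPLE_TRACERT_BLOCKED))
```

When the two estimates disagree, the usual explanation is that the ping target sits behind a device that rewrites TTLs (a load balancer or a proxy answering on the host's behalf), which is itself a useful finding.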


Visual Traceroute Example



whois

• Potential uses
  • Queries NICNAME/WHOIS servers for Internet registration information
  • Can gather contacts, names, geographic information, name servers, … useful for social engineering attacks
  • Caveat: since 2018 most registrars redact the registrant's contact details, but registrar, registration and expiry dates and name servers are still returned; RDAP is the newer, JSON-based interface to the same data
• Notes
  • Usage: whois domain
  • e.g. whois

whois example - wildcards

• whois
  Your search has matched multiple domains.
  Below are the domains you matched (up to 100). For specific
  information on one of these domains, please search on that domain.

nslookup

• Potential uses
  • Query Internet name servers
  • Find the name for an IP address, and vice versa
• Notes
  • Often described as deprecated in favour of dig; it is still shipped and maintained, is the standard choice on Windows, and is sometimes useful when dig fails
• Usage
  • nslookup xxxxxxx // name or IP addr.
  • E.g. nslookup

dig

• Potential uses
  • Domain Name Service (DNS) lookup utility
  • Associate a name with an IP address and vice versa (dig -x address for the reverse lookup)
• Notes
  • Many command options, e.g. dig +short to print only the answer, dig @server name to ask a specific name server, and a record type after the name (MX, NS, TXT) to list mail servers, name servers or text records
  • General usage: dig <somehost>
  • E.g. dig
  • E.g. dig

arp

• Shows the ARP cache: the IP-to-MAC address mappings of hosts on the local network segment (remote systems never appear here; only the gateway used to reach them does)
• Possible uses
  • Find systems on the local segment that your system has recently talked to
• Notes
  • arp // display names
  • arp -n // display numeric addresses
  • On iproute2 systems the equivalent is ip neigh

netstat

• Shows connections, routing information and statistics
• Possible uses
  • Find systems that your system has recently talked to, find recently used ports, and see what is listening (what you are exposing to the network)
• Notes
  • Many flags
  • netstat // open sockets, etc.
  • netstat -s // summary statistics
  • netstat -r // routing tables
  • netstat -p // program owning each socket (root is needed to see other users' processes)
  • netstat -l // listening sockets
  • Commonly combined: netstat -tlnp (TCP listeners, numeric addresses, with program names)
  • Like ifconfig and arp, netstat is part of net-tools; ss -tlnp is the iproute2 equivalent
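The defender's question behind netstat -l ("what am I exposing?"), as an added example that is not from the original slides: parse netstat -tlnp output and report every listener that is reachable from other hosts and is not on the list of services the machine is supposed to offer. The sample output, the program names and the expected-port set are constructed for the example.

```python
import re

# Constructed `netstat -tlnp` output, not from the original slides.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1203/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      950/vsftpd
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      2210/x11vnc
tcp6       0      0 :::80                   :::*                    LISTEN      1020/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
"""

LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<pidprog>\S+)")
WILDCARDS = {"0.0.0.0", "::", "*"}   # bound to every interface
LOOPBACKS = {"127.0.0.1", "::1"}     # reachable only from this host


def parse_listeners(text):
    """One record per listening TCP socket: bind address, port, program, and whether
    the bind address is reachable from other hosts."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header lines, UDP sockets, established connections
        addr, port = m.group("local").rsplit(":", 1)  # rsplit keeps IPv6 "::" intact
        pidprog = m.group("pidprog")
        program = pidprog.split("/", 1)[1] if "/" in pidprog else None  # "-" when not root
        listeners.append({"proto": m.group("proto"), "addr": addr, "port": int(port),
                          "program": program,
                          "all_interfaces": addr in WILDCARDS,
                          "exposed": addr not in LOOPBACKS})
    return listeners


def unexpected_exposed(listeners, expected_ports):
    """Listeners reachable from the network whose port is not in the expected set."""
    return sorted((l["port"], l["program"]) for l in listeners
                  if l["exposed"] and l["port"] not in expected_ports)


if __name__ == "__main__":
    for port, program in unexpected_exposed(parse_listeners(SAMPLE_NETSTAT), {22, 80}):
        print(f"unexpected listener on port {port}: {program or 'unknown (run as root)'}")
```

Run against real output this is the cheapest form of the "know what information you're giving away" advice: the same list an attacker's port scan would produce, read from the inside before they read it from the outside.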

Windows Tools

• Sam Spade
  • "Swiss army knife" of footprinting
  • Has most of the Linux tools (ping, traceroute, whois, DNS lookup, …)
  • Plus other functionality
  • Caveat: an old Windows freeware tool that is no longer maintained; the same functions are available from the Windows command line (ping, tracert, nslookup, netstat, arp)
• Usage
  • Start the application
  • Fill in a name or IP address
  • Choose the option desired in the menus

Packet Sniffers

• Definition: Hardware or software that can display network traffic packet information

• Usage • Network traffic analysis

• Example packet sniffers • tcpdump (command line, Linux)

• wireshark (GUI interface, Linux, Windows – open source)

• others…

Limitations - Packet Sniffing

• Packet sniffers only catch what they can see
  • Users attached to a hub can see everything
  • Users attached to a switch see only their own traffic plus broadcasts, unless the switch mirrors traffic to their port (a SPAN port) or they poison the switch's view of the network (ARP/MAC spoofing, which the Hunt tool mentioned later can do)
  • Wireless: the radio channel is a shared medium, so an access point behaves like a hub, though on an encrypted WLAN you also need the network key to read the frames
• Need to be able to put your network interface card (NIC) in "promiscuous" mode to process all traffic, not just traffic to/from itself
  • The NIC and its driver must support it
  • Need privilege (e.g. root on Linux, or the CAP_NET_RAW capability that Wireshark's capture helper dumpcap is typically granted)

OSI Network Protocol

• Layer 7 – Application (incl. app. content)

• Layer 6 – Presentation

• Layer 5 – Session

• Layer 4 – Transport (incl. protocol, port)

• Layer 3 – Network (incl. source, dest)

• Layer 2 – Data Link

• Layer 1 – Physical

wireshark

• Created as a tool to examine network problems in
• Various contributors added pieces; released 1998 (as Ethereal)
• Name change (2006): Ethereal -> Wireshark
• Works with other packet capture formats (tcpdump/pcap files and many vendor formats)
• Information
• Demonstration

Using wireshark

• Ubuntu - Applications / Internet / Wireshark (as root) - Enter your administrative account pw: user
  • Note: current Ubuntu releases instead add your account to the wireshark group, so that only the capture helper (dumpcap) runs with raw-socket privilege rather than the whole GUI
• Capture / Interfaces / eth0, Start

• Capture window shows accumulated totals for different types of packets

• Stop – packets now displayed

• Top window – packet summary • Can sort by column – source, destination, protocol are useful

• Middle window – packet breakdown • Click on + icons for detail at each packet level

• Bottom window – packet content

Wireshark capture analysis • Can save a session to a capture file

• Can reopen file later for further analysis

• Open capture file • Ubuntu: /home/user/Support/MOBILEcapture.cap

• W2K3: C:\Support\MOBILEcapture.cap

• Identify and follow different TCP streams • Select TCP packet, Analyze/Follow TCP Stream

• MOBILEcapture.cap has http, https, ftp, ssh streams

• Any interesting information out there? • HINT: follow stream on an ftp packet
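An added example, not code from the slides or from Wireshark, that does by hand what the middle pane and Analyze / Follow TCP Stream do: it decodes layers 2, 3, 4 and 7 of the OSI list above from raw frame bytes, reassembles one direction of a TCP conversation by sequence number, and pulls the clear-text FTP credentials out of it, which is what the hint about the ftp packet points at. The capture is constructed inline (the MAC address from the ifconfig slide is reused for the client; the IP addresses, ports and credentials are assumptions), so nothing here reads MOBILEcapture.cap.

```python
import struct
import ipaddress


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload, ttl=64):
    """Fabricate an Ethernet/IPv4/TCP frame (PSH+ACK; checksums left zero, which the
    decoder does not verify).  Only used to construct the sample capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00" + ip + tcp


def decode_frame(frame):
    """Split a frame into the layers of Wireshark's middle pane: L2 Ethernet (MACs),
    L3 IPv4 (addresses, TTL, protocol), L4 TCP (ports, seq, flags), L7 payload bytes."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    ip_payload = frame[14 + ihl:14 + total_len]  # honour the IP length: drops Ethernet padding
    layers = {"l2": {"src": _mac_text(src_mac), "dst": _mac_text(dst_mac)},
              "l3": {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
                     "ttl": ttl, "proto": proto},
              "l4": None, "l7": ip_payload}
    if proto == 6:  # TCP
        sport, dport, seq, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", ip_payload[:20])
        layers["l4"] = {"sport": sport, "dport": dport, "seq": seq, "flags": flags}
        layers["l7"] = ip_payload[(off >> 4) * 4:]  # skip the TCP header and any options
    return layers


def follow_tcp_stream(frames, client_ip, server_ip, server_port):
    """Client-to-server bytes of one connection in sequence-number order, like
    Analyze / Follow TCP Stream (one direction).  Retransmitted duplicates are
    dropped; overlapping partial segments are not handled in this demo."""
    segments = {}
    for frame in frames:
        d = decode_frame(frame)
        if (d["l4"] and d["l3"]["src"] == client_ip and d["l3"]["dst"] == server_ip
                and d["l4"]["dport"] == server_port and d["l7"]):
            segments.setdefault(d["l4"]["seq"], d["l7"])
    return b"".join(segments[seq] for seq in sorted(segments))


def extract_ftp_credentials(stream):
    """FTP sends USER and PASS in clear text: the 'interesting information' in the hint."""
    user = password = None
    for line in stream.decode("ascii", errors="replace").split("\r\n"):
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg
    return user, password


def sample_capture():
    """Constructed capture (assumed addresses, not the slides' MOBILEcapture.cap): an FTP
    login whose client segments arrive out of order, plus the server banner and one
    retransmitted client segment."""
    client_ip, server_ip = "10.1.1.20", "198.51.100.7"
    client_mac, server_mac = "00:0c:29:cd:f6:d3", "00:50:56:aa:bb:cc"

    def client(seq, data):
        return build_frame(client_mac, server_mac, client_ip, server_ip, 40000, 21, seq, data)

    return [build_frame(server_mac, client_mac, server_ip, client_ip, 21, 40000, 5000,
                        b"220 ftp ready\r\n", ttl=128),
            client(1011, b"PASS s3cret\r\n"),
            client(1024, b"PWD\r\n"),
            client(1000, b"USER paul\r\n"),
            client(1000, b"USER paul\r\n")]  # retransmission of the first segment


if __name__ == "__main__":
    stream = follow_tcp_stream(sample_capture(), "10.1.1.20", "198.51.100.7", 21)
    print(stream.decode())
    print("credentials:", extract_ftp_credentials(stream))
```

The same decoder applied to the https and ssh streams in the capture yields only ciphertext after the handshake, which is the practical lesson of the exercise: the sniffer sees every layer, and only the layers that are encrypted keep their secrets.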

Related Tools

• Hunt
  • TCP sniffer
  • Watch and reset connections
  • Hijack sessions
  • Spoof MAC address
  • Spoof DNS name
• EtherPEG - image capture on the network (reassembles JPEG and GIF images from sniffed HTTP traffic)


Summary • Basic tools can generate much information

• Remember principle of accumulating information

• Attacker will build on smaller pieces to get bigger pieces

• Message to defenders: don’t give away any information if you can avoid it

