Foot Printing

http://www.whitepages.com

http://www.peekyou

http://www.intelius.com

http://www.peoplesmart

http://www.zabasearch.com

http://www.zoominfo

http://wink.com

http://www.anywho.com

https://www.peoplelookup.com

http://www.zabasearch.com

http://www.zoominfo.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Zoom Info is a business people directory using which you can find business contacts, people's professional profiles, biographies, work histories, affiliations, links to employee profiles with verified contact information, and more.

Wink People Search .E צ_ו

Source: http://wink.com

Wink People Search is a people search engine that provides information about people by name and location. It gives phone number, address, websites, photos, work, school, etc.

״ AnyWho Source: http://www.anywho.com

AnyWho is a website that helps you find information about people, their businesses, and their locations online. With the help of a phone number, you can get all the details of an individual.

People Lookup Source: https://www.peoplelookup.com

People Lookup is a people search engine that allows you to find, locate, and then connect with people. It also allows you to look up a phone number, search for cell numbers, find an address or phone number, and search for people in the US. This database uses information from public records.

123 People Search Source: http://www.123people.com

123 People Search is a people search tool that allows you to find information such as public records, phone numbers, addresses, images, videos, and email addresses.

PeekYou Source: http://www.peekyou.com

PeekYou is a people search engine that allows you to search for profiles and contact information of people in India and cities' top employers and schools. It allows you to search for the people with their names or usernames.

Intelius Source: http://www.intelius.com

Intelius is a public records business that provides information services. It allows you to search for the people in US with their name, address, phone number, or email address.

Module 02 Page 123

http://wink.com

http://www.anywho.com

https://www.peoplelookup.com

http://www.123people.com

http://www.peekyou.com

http://www.intelius.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

PeopleSmart Source: http://www.peoplesmart.com

People Smart is a people search service that allows you to find people's work information with their name, city, and state. In addition, it allows you to perform reverse phone lookups, email searches, searches by address, and county searches.

http://www.peoplesmart.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

W hitePages Source: http://www.whitepages.com

WhitePages is a people search engine that provides information about people by name and location. Using the phone number, you can find the person's address.

Module 02 Page 125

http://www.whitepages.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHPeople Search on Social Networking Services

h ttp ://w w w . I inked in. com

Google♦ f t R30er Feoerer

nirtKtnn llweMfjailtofeiledewlwpeiewlkw

!3a׳■ י- » i *־ i n s

h ttps ://p lus, google, com

http ://ww w.facebook. com

h ttp ://tw itte r.com

People Search on Social Networking Services Searching for people on social networking websites is easy. Social networking services

are the online services, platforms, or sites that focus on facilitating the building of social networks or social relations among people. These websites provide information that is provided by users. Here, people are directly or indirectly related to each other by common interest, work location, or educational communities, etc.

Social networking sites allow people to share information quickly and effectively as these sites are updated in real time. It allows updating facts about upcoming or current events, recent announcements and invitations, and so on. Therefore, social networking sites prove to be a great platform for searching people and their related information. Through people searching on social networking services, you can gather critical information that will be helpful in performing social engineering or other kinds of attacks.

Many social networking sites allow visitors to search for people without registration; this makes people searching on social networking sites an easy task for you. You can search a person using name, email, or address. Some sites allow you to check whether an account is currently in use or not. This allows you to check the status of the person you are looking for.

Some of social networking services are as follows:

Module 02 Page 126

http://www.careerbuilder.com

http://www.facebook

http://twitter.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Facebook Source: http://www.facebook.com

Facebook allows you to search for people, their friends, colleagues, and people living around them and others with whom they are affiliated. In addition, you can also find their professional information such as their company or business, current location, phone number, email ID, photos, videos, etc. It allows you to search for people by username or email address.

Sear<* for people, places and tvig i□facebook Carmen f lectra About *

A na*<ra of «ha md-watt. Carman graw near C mamas, 900. and got hor •״ ! braak *htn a tcout for fwc* aponad har danang and a*ad har to cama and aud«on for

Carman *roto a bock. >to* toBaSaxv'wfvtftwat oubkihad by Random noma In +* book Carman convayi tm ascW irdifM ndngifontlnw M lfaN cor•

a•״ Carman * aiao the *ace of Ma* factor ,a brand that W t J aknoat 100 yaari ago and • •nwadataJY Mad to

aod1 י»י« moat baauHU facaa. Carman • par mm»10»1׳< .$•• . Mai factor *eahset her m Tv and pm

FIGURE 2.7: Facebook a social networking service to search for people across the world

Linkedln 1 J Source: http://www.linkedin.com

Linkedln is a social networking website for professional people. It allows you to find people by name, keyword, company, school, etc. Searching for people on Linkedln gives you information such as name, designation, name of company, current location, and education qualifications, but to use Linkedln you need to be registered with the site.

Twitter Source: http://twitter.com

Module 02 Page 127

http://www.facebook.com

http://www.linkedin.com

http://twitter.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Twitter is a social networking service that allows people to send and read text messages (tweets). Even unregistered users can read tweets on this site.

FIGURE 2.9: Twitter screenshot

Module 02 Page 128

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Google+ Source: https://plus.google.com

Google+ is a social networking site that aims to make sharing on the web more like sharing in real life. You can grab a lot of useful information about users from this site and use it to hack their systems.

FIGURE 2.10: Google+ screenshot

Module 02 Page 129

https://plus.google.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHGather Information from Financial Services

Gather Information from Financial Services (>̂ j

Financial services such as Google Finance, Yahoo! Finance, and so on provide a lot of useful information such as the market value of a company's shares, company profile, competitor details, etc. The information offered varies from one service to the next. In order to avail themselves of services such as e-mail alerts and phone alerts, users need to register on the financial services. This gives an opportunity for an attacker to grab useful information for hacking.

Many financial firms rely on web access, performing transactions, and user access to their accounts. Attackers can obtain sensitive and private information of users using information theft, key loggers, etc. Attackers can even grab this information by implementing cybercrimes, and exploit it with the help of non-vulnerable threats (software design flaw example; breaking authentication mechanism).

The following are some of non-vulnerable threats:

Q Service flooding

Brute force attack

S Phishing

Module 02 Page 130

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

FIGURE 2.11: Examples of financial services website for gathering information

Module 02 Page 131

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEH Urtifwl ilhiul lUtbM

Footprinting through Job Sites

Look for these:

e Job requirements

6 Employee's profile A C © Hardware information £ H | © Software information

Exam ples of Job W ebsites » http://www.monster.com

« http://www.careerbuilder.com

« http://www.dice.com *

http://www.simplyhired.com ^

You can gather company's infrastructure details from job postings

position larorauTio■ Wr04 town niciK*

En:e־p 3« Applicators EngincerfCBA

Aboa Us־ Sanre ISfti. t * War J k B»c\v» Faraiy c£ ( nnpjwt h».־r h«t>rornuylmc bowmt toinlntp’-l'adin( *slutkm in even *wt of andlwrwflft

tvHikuk *vl fwrir* v t t arr>^< »c th* tcol< mvl tci-hiolosr' rtjtfhWp fcffli <are<ed V* o il if proivSnj. "S m rf of I ' 1 ז1*וין.״1ז> Fxrflm־r '

Wt eitaxi ths1aoe fe\el of service !0 our no* ■*witm* aisrt otr uivktuv V { otf« 0 inprttT. r taanrt and benefits, but out tbrtiztli it on timh iltuf We fosta• 1 cisual but h*d uoriar.fi mwcnrxctt. ottmizt fin

pati weafcepnfe apraantngticniwtha1

C0N1AU IMOMMAIMI

•AwnW ml <n|1|W« ׳o»* afplrahon <nAu׳(r<> for <v<fpo«»!f Vfcrtoti'rt US. Vfi-touA ייl»V< hi* it ant mit*l 1־.Tm n" יז*ןז* ««141**» F«<-k1afr 20!0 Mkl I'nrfvM Victim•* Nfirtotoft Sha*׳• Point Vf<־rn»r« Cnrm TUm \I«to«* CRM M il Smrt 200< m<1200S Tr«m FoaJatM 'fOt awl 2010. MniwA SCOM. ון1י\ז«ו»מןיו rinflopwl *4mn md 0f»n «1 nv׳omp־irtrH kv Ihf 1 '׳»־**• f nvk׳« .o* K K « M r« d bldb ?00B3a1r|u1n tla*g luuwtr tlg< oC Wfexknv1 «1vn 2COV2008 Actvr Oarv u•• MkanMMUjodndnctuitkaig (TCP IP ve14.DS'S <*kIDHCP! Mu-.; i*r>c ;ipmciLt *th. juJ *Haig wmU^ U n w u f NOciuvjH SQL 2303 aul :0)8 I 201) 1ucM î1« lyxcai. WiumA 5>Va1rP.«1. MkicxA CRM dul NLliomA SCOM Mu* 1״».c

Pj dc* C • aui Pov»c1 SbcB *.1 Iftiikj ■.!*» ladw■( mid Ndwuik iifiawaluc l>c>l co ״ ״. c'iocjcb. SQL etc xvl cr MCTS, MCSE ■a-Jido itgpcc ■1 Compute! Siiaicc u Network ttn—n; or <quvdcat«

Footprinting through Job Sites Attackers can gather valuable information about the operating system, software

versions, company's infrastructure details, and database schema of an organization, through footprinting various job sites using different techniques. Depending upon the posted requirements for job openings, attackers may be able to study the hardware, network-related information, and technologies used by the company. Most of the company's websites have a key employees list with their email addresses. This information may prove to be beneficial for an attacker. For example, if a company wants to hire a person for a Network Administration job, it posts the requirements related to that position.

Module 02 Page 132

http://www.monster.com

http://www.dice.com

http://www.simplyhired.com

http://www.indeed.com

http://www.usajobs.gov

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Network Administrator. Active Directory CIW*. Euhange

Design and vnpiemort Ik Iv k iI ukAooi on N ,gitfgiT.te « g — >_____________ Support fusing VWndows tmtaitucljrf VM OrtctofY 2003. SMS. SUS. C1»« SOL Sew. SOL Clusters. Ewhange 55. Eahange 2003. vn war*, vertas backip i0*wir«. h court and M«n securty. Master Recwery wivkm. RMO technologies. and FOrt̂ AN <*s* KMlorU■__________________

MD 17123M546706 42319173004

Boca Raton. FL 33417 J06 Mjfin IT/Sofcare Devolopmert

• 5 or more years espenence *wttig מ IT *nplemerAng and sgppodngiglobalbusntss

> Pnor nponorxt r supportng a global WladM l ttftW and Doma* tofrastoxture

Ê י mmik( ■npltfnonlng and supposing VM Dwlwy. Cfttr Metalrafne. SOL Server. SOL Cluster. DNS. DHCP. WHS. and Etthange 2003 m an Enterprise ecMronmert

VKy strong systems towweshoolng sMs י Eipenence m prowfcng 24-hour support to a gktoai erterpnse י

as part of an orvcal rotaton • Edectwe interpersonal sloiswdhfieabrtor to be persuasae • Otttf stalls Bulling Elect*■* Teams, Acton Onerted Peer

RtlaftonsMps, Customer Focus. Pnor% Setng, ProWwi SoMng, and Business Acumen1 Bachelor***•* Degree or equwalerteipenence

MCSE (2003) certtcafton a plus. Cdra Certtcafton a plus י

facebookE

FIGURE 2.12: Gathering information through Job websites

Usually attackers look for the following information:

• Job requirements

• Employee's profile

• Hardware information

• Software information

Examples of job websites include:

Q http //www. monster.com

Q http //www.careerbu ilder.com

S http //www.dice.com

a- ׳

4- ׳

4-CCD //www.simplvhired.com

S http //www.indeed.com

Q http //www. usajobs.gov

Module 02 Page 133

http://www.careerbu

http://www.dice.com

http://www.simplvhired.com

http://www.indeed.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Monitoring Target Using Alerts C EH

Examples of Alert ServicesAlerts are the content monitoring services that provide up-to-date information based

Monitoring Targets Using Alerts “ Alerts are the content monitoring services that provide automated up-to-date

information based on your preference, usually via email or SMS. In order to get alerts, you need to register on the website and you should submit either an email or phone number to the service. Attackers can gather this sensitive information from the alert services and use it for further processing of an attack.

I^jl Google Alerts Source: http://www.google.com/alerts

Google Alerts is a content monitoring service that automatically notifies users when new content from news, web, blogs, video, and/or discussion groups matches a set of search terms selected by the user and stored by the Google Alerts service.

Google Alerts aids in monitoring a developing news story and keeping current on a competitor or industry.

Module 02 Page 134

http://www.google.com/alerts

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance

27 new results •j Security News

Co og i• Alert • Security New*

Tkta lu ilo n i bkokad HiMyc■.

New»

Sinae Ra a 11 a Land Dtaflli-Bteftla AjiadalantrCiiclg N#Vf Yoric Time* BEIRUT Lebanon — The hilling on Wednesday of President Bashat al-Assads key security aides וזי a brazen bombog attack close to Mr Assads own residonce. called Trei into question the ability of a government that depends on an insular group of loyalists to

S t t «! ?ft tea t r

San Jose Mercury Mews Turr.s out < Mas 3s easy as using a rug to scale a ra20r *ire topped security fence at a small Utah arport in the rroddie cf night slipping past security bearding an idle empty S0-passeog?r SkyWest Aifhnes and rewng up the engines. He Clashed the ...

?tpnts m th!? . Kti-Stan fltASMiantr amMiia jmutma aost mi Reuters BEIRUT'AMMAN (Reuters) - Mystery surrounded the whereabouts of Syr an President Basha* 31- Assad cn Thursday a day after a oomoer killed and wounded his security cnefs anc rebels closed in on the centre of Damascus vowing to *liberate" the capital. 5 1 9 ?tpnts ?ח ».h? >

ftista Sira Laamra Inrcr Cirflg W a l Street Journal BEIRUT—Syrian rebels pierced the innermost circle 01 President Bashar a -Assads w ii st^«! regime wKh a bomb blast that kiled thiee high-lewl officials and raised questions about a — < the aMity of the courftry's security forces to sustain the embattled government Syna

Alerts

@yahoo com

Manage your alertsCREA TE A LERT

Google

Search query Security News

Result type Everything

How often Once a day

How many: Only the best results

Your email

FIGURE 2.13: Google Alert services screenshot

Yahoo! Alerts is available at http://alerts.yahoo.com and Giga Alert is available at http://www.gigaalert.com: these are two more examples of alert services.

http://alerts.yahoo.com

http://www.gigaalert.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Methodology CEH

WHOIS Footprinting

DNS Footprinting

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

Footprinting through Search Engines

Website Footprinting

Email Footprinting

Competitive Intelligence

Footprinting using Google

Footprinting M ethodology So far, we have discussed the first step of footprinting methodology, i.e., footprinting

via search engines. Now we will discuss website footprinting. An organization's website is a first place where you can get sensitive information such as names and contact details of chief persons in the company, upcoming project details, and so on. This section covers the website footprinting concept, mirroring websites, the tools used for mirroring, and monitoring web updates.

Module 02 Page 136

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

W ebsite F o o tp rin tin g C EH

Information obtained from target's website enables an attacker to build a detailed map of website's structure and architecture

Browsing the target website may provide: - Software used and its version t Operating system used t: Sub-directories and parameters t Filename, path, database field name, or query - Scripting platform

Contact details and CMS details

Use Zaproxy, Burp Suite, Firebug, etc. to view headers that provide: w Connection status and content-type ~ Accept-Ranges - Last-Modified information t; X-Powered-By information

Web server in use and its version

W ebsite Footprinting It is possible for an attacker to build a detailed map of a website's structure and

architecture without IDS being triggered or without raising any sys admin suspicions. It can be accomplished either with the help of sophisticated footprinting tools or just with the basic tools that come along with the operating system, such as telnet and a browser.

Using the Netcraft tool you can gather website information such as IP address, registered name and address of the domain owner, domain name, host of the site, OS details, etc. But this tool may not give all these details for every site. In such cases, you should browse the target website.

Browsing the target website will provide you with the following information:

Q Software used and its version: You can find not only the software in use but also the version easily on the off-the-shelf software-based website.

Q Operating system used: Usually the operating system can also be determined.

9 Sub-directories and parameters: You can reveal the sub-directories and parameters by making a note of all the URLs while browsing the target website.

Module 02 Page 137

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Filename, path, database field name, or query: You should analyze anything after a query that looks like a filename, path, database field name, or query carefully to check whether it offers opportunities for SQL injection.

,Scripting platform: With the help of the script filename extensions such as .php, .asp י- .jsp, etc. you can easily determine the scripting platform that the target website is using.

S Contact details and CMS details: The contact pages usually offer details such as names, phone numbers, email addresses, and locations of admin or support people. You can use these details to perform a social engineering attack.

CMS software allows URL rewriting in order to disguise the script filename extensions. In this case, you need to put little more effort to determine the scripting platform.

Use Paros Proxy, Burp Suite, Firebug, etc. to view headers that provide:

Q Connection status and content-type

Q Accept-ranges

Q X-Powered-By information

Source: http://portswigger.net

The following is a screenshot of Burp Suite showing headers of packets in the information pane:

FIGURE 2.14: Burp Suite showing headers of packets in the information pane

Module 02 Page 138

http://portswigger.net

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEH Urt1fw4 ilh iul lUtbM

W ebsite F o o tp rin tin g (Cont’d)

Examining cookies may provide: 6 Software in use and its behavior © Scripting platforms used

Examining HTM L source provides:

9 Contact details of web developer or admin

9 Script type

W ebsite Footprinting (Cont’d) Examine the HTML source code. Follow the comments that are either created by the

CMS system or inserted manually. These comments may provide clues to help you understand what's running in the background. This may even provide contact details of the web admin or developer.

Observe all the links and image tags, in order to map the file system structure. This allows you to reveal the existence of hidden directories and files. Enter fake data to determine how the script works.

Module 02 Page 139

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

T T H V1ew « ju 1< ew w w jn 1<rc•. ץ

C ft © view sour״ , www.microsoft.com en-us/defaultaspx f t \ A I21 < 'DOCTYPC hriwi PUBLIC •—//W3C//DTD XHTML 1*0 Trtnsicififltl//CNa

s <html dir־"ltr" lang“״en• xml: lar.g“*er.■ xmlns“״http://www.w3.org/1999/xhtml• xmlns :b1~'urn:schemas-m1crosoft-com:mscom:b1 *>

« <headxt1tle> Microsoft Corporation: Software, Smartphones, Online, Saxes, Cloud

Computing, IT Business Technology, Downloads 0 </tltlexmeta http-equiv'X-UA-Cospatlble■ content•“IE-10* /xmeta http- equ1v”"C0ntent-Type” content~*text/html: charset“utf-8" /xmeta http- eq1״v*"X-UA-IE9-TextLaycutMetries* content”"snap-vert1cal* />

o ־ e n p t type״"text^avascr1pt*> var QosInitTime ■ <new Date()) •getTime () ;

9 var QosLoadTim* • •י; var QosPageUn • encodeURI (window, location); var QosBaseSrc • window.location.protocol ♦ new)) + י•oft.com/tran^_plxel.a3px?route*64DE^ctrl-9C5A4tzצe.micro//י Date()) .getTimezoneOffset () / 60) ♦ •tcot-Stqos.un■• ♦ QosPagetJri; document.write("clink rel”"3tylesheet■ type“*text/css• href•"' ♦ QosSuildUrl(•lnit‘) ♦ •"/>'); function QosBuildUn (n) (

14 var time » (new Date ()).getTuse () ; var cd - window.cookieDisabled; if (typeof cd “ *undefined*)

cd • 1; // Default to 1 (cookies disabled) if the wedcs script has not set it yet

return QosBaseSrc ♦ *ted•' • cd ♦ •tqos.ti■' ♦ QosInitTme ♦ •4ts■' ♦ time + ,*qos.tl“• ♦ QosLoadTlme ♦ •iqos.n•1 ♦ n;t»l } v

FIGURE 2.15: Screenshot showing Microsoft script works

Examine cookies set by the server to determine the software running and its behavior. You can also identify the script in platforms by observing sessions and other supporting cookies.

Cook* * ar*d site data X

Sit• Locally stored data Remove $0 SeercH toofc*et

0d«yM<u11(y.«Kn J (oobn A 100bcttbuy.com 2 coobes

N«mc _utmx Content. 1928742&2.1342446822.1.1 utmcv a lOOmoney -*jtmccn־

(r«ferr*l)futmcmd=refen*l|utmcct־ 'lendmg/moneyde•!• >««■»*>

Dom#«n .100bettbuy.com y P*h / Send for Aity krnd of connection Accrv.4>teto script Yet Created Mondey. Ju»y 161 2012 &S3̂ 1 AM Expires: Mondey. Jjnu.ry U. 2013 *5341 PM

Remove

www.tOObestbuy.com 1 cookie

www.100nests.com 1 cootoe

125rf.com }co«bet

www.l23d.com 2 cootaes. local storage v

FIGURE 2.16: Showing details about the software running in a system by examining cookies

Module 02 Page 140

http://www.microsoft.com

http://www.w3.org/1999/xhtml%e2%80%a2

http://www.tOObestbuy.com

http://www.100nests.com

http://www.l23d.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

M irro r in g E n tire W ebsite C E H

Mirrored Website

Original Website

1־ ך Mirroring an Entire W ebsite Website mirroring is the process of creating an exact replica of the original website.

This can be done with the help of web mirroring tools. These tools allow you to download a website to a local directory, recursively building all directories, HTML, images, flash, videos and other files from the server to your computer.

Website mirroring has the following benefits:

Q It is helpful for offline site browsing.

Website mirroring helps in creating a backup site for the original one.

Q A website clone can be created.

Q Website mirroring is useful to test the site at the time of website design and development.

Q It is possible to distribute to multiple servers instead of using only one server.

J Mirroring an entire website onto the local system enables an attacker to dissect and identify vulnerabilities; it also assists in finding directory structure and other valuable information without multiple requests to web server

J Web mirroring tools allow you to download a website to a local directory, building recursively all directories, HTML, images, flash, videos, and other files from the server to your computer

Module 02 Page 141

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Original Website Mirrored Website

FIGURE 2.17: JuggyBoy's Original and Mirrored website

Module 02 Page 142

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

W ebsite M ir ro r in g Tools CEH

W ebsite Mirroring Tools

HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link- structure. Open a page of the "mirrored" website in your browser, browse the site from link to link, and you can view the site as if you were online. HTTrack can also update an existing mirrored site, and resume interrupted downloads.

Module 02 Page 143

http://www.httrack.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

ד פ [Site mirroring in progress (2/2.10165 bytes) - [FR.wt1ttי

Wormetion BvletMvwj 992*6 lr*u •canred 2/2 Tim• 221 FiMwKUn ו Tmnrfer rat• oe/> (5e9&/») 0 Act** comeacr* 2 6*0n 0

W Actons

File Preference* Mirrcx Log Window Help S jy lo<«̂» Mi si. N

8) i. p I B i ■

*Wffltwircom " cont4»w«con <©

FIGURE 2.18: HTTrack Web Site Copier Screenshot

SurfOffline Source: http://www.surfoffline.com

SurfOffline is a website download software. The software allows you to download entire websites and download web pages to your local hard drive. After downloading the target website, you can use SurfOffline as an offline browser and view downloaded web pages in it. If you prefer to view downloaded webpages in another browser, you can use the Export Wizard. SurfOffline's Export Wizard also allows you to copy downloaded websites to other computers in order to view them later and prepares websites for burning them to a CD or DVD.

J SurfOffline Professional 2.1 Unregistered trial version. You have 30 day(s) left I ** 1 ° 1 x F.4e View Projects 8rowver HHp

iL £) Zi O Hi> O ^ OQjj $ JuggyboyQ uestion the Rules

+ +

O Promts <5 New Project

1m Pfoywi Set Loaded byt« Sutus1: http:.׳'/www.j1»ggyt>... 0 0 Connoting 2: http7/wwŵ u9gyb— 0 0 Connoting J: http--//www.;1>ggyb... 0 0 Connecting * http, // www /uggyb. 0 0 Connecting S: http://www.;u9g>-b... 0 0 Connecting v J

■ __________>*»*mg. 0 10*6*4 11 Queued S1 (1 <tem(*) rem**\1rKj) Downloading picture http־.//ww 1

FIGURE 2.19: SurfOffline screenshot

BlackWidow Source: http://softbvtelabs.com

Module 02 Page 144

http://www.surfoffline.com

http://www.;u9g%3e-b

http://softbvtelabs.com

BlackWidow is a website scanner for both experts and beginners. It scans websites (it's a site ripper). It can download an entire website or part of a website. It will build a site structure first, and then downloads. It allows you to choose what to download from the website.

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance

Module 02 Page 145

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

X l« W M 1» MaowACotporjBon Scftmn. V iw lcto n n O rtnr G m v Claud Co״ cw tn j It t«trw«og>OomHôt ״ י ^ »■ — [()»■ 0|V»» Q»>» 2J***'״ S ’**■ 'fj l« « tn g liw 1a• m U h jh

Welcome to Microsoft *o*ucta 00» « e *d1 S * o ^ » Support •wy

FIGURE 2.20: SurfOffline screenshot

Webripper Source: http://www.calluna-software.com

WebRipper is an Internet scanner and downloader. It downloads massive amount of images, videos, audio, and executable documents from any website. WebRipper uses spider-technology to follow the links in all directions from the start-address. It filters out the interesting files, and adds them to the download-queue for downloading.

You can restrict downloaded items by file type, minimum file, maximum file, and image size. All the downloaded links can also be restricted by keywords to avoid wasting your bandwidth.

Wrt>R»ppef 03 - Copyright (0 200S-2009 - StmsonSoft

0 SamsonSoft Ne M> T00H *dp

F<xsy3Mm fiwemgW•• SucceeAiMee fM ta Seemed page• F<*rdpagee Sotte.n □ H ■!►Ixl ^|%| ®

WebRipper The u ltim ate tool for wehsite ripping

Selected!*

^ Tarqolod [www !uqqyboy com)634782117892930200 Oowteed* | Sodtn | | Log \ St«je זמגצי Reojetfng header “Cp W • ccrr, *petixTctr png ReojeCng header ■Cp 1״wti pjyoy cot n. conrw.מי מי f Regjecng healer Ĉp WwfjgyK-y comvjxwwonShewe* e. Reaietfrg header tip /»w« pgsftcy car. ltd Re«je*rg header KJp/A״ww,jgg»boy ccmHee. arter>c*rtag»

001M8M4 0 12KES

FIGURE 2.21: Webripper screenshot

Module 02 Page 146

http://www.calluna-software.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

W ebsite M ir ro r in g Tools (EH (Cont’d) Urt.fi•* | ttk.ul MmIm

PageNest http ://ww w.pagenest. com

Website Ripper Copiero hן ttp ://w w w . tensons.com

Backstreet Browser h ttp ://w w w . spadixbd. com

Teleport Pro h ttp ://w w w . tenmax.com

,__ Offline Explorer Enterprise http://www.metaproducts.com

GNU Wget http ://w w w .gnu.org

Portable Offline Browser h ttp ://w w w .metaproducts.com

Proxy Offline Browser http://www.proxy-offline-browser.com

« Hooeey Webprint I 2 A Z ־ J http://www.hooeeywebprint.com

iMiser http://internetresearchtool.com

W ebsite Mirroring Tools (Cont’d) In addition to the website mirroring tools mentioned previously, a few more well-

known tools are mentioned as follows:

9 Webiste Ripper Copier available at http://www.tensons.com

£ Teleport Pro available at http://www.tenmax.com

Q Proxy Offline Browser available at http://www.proxy-offline-browser.com

Q iMiser available at http://internetresearchtool.com

0 Backstreet Browser available at http://www.spadixbd.com

9 GNU Wget available at http://www.gnu.org

Hooeey Webprint available at http://www.hooeeywebprint.com

Module 02 Page 147

http://www.pagenest

http://www.gnu.org

http://www.proxy-offline-browser.com

http://www.hooeeywebprint.com

http://internetresearchtool.com

http://www.tensons.com

http://www.tenmax.com

http://www.proxy-offline-browser.com

http://internetresearchtool.com

http://www.pagenest.com

http://www.spadixbd.com

http://www.hooeeywebprint.com

http://www.gnu.org

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Extract W ebsite Information fromE I ------- http:7/www. archive. org Archive is an Internet Archive Wayback Machine that allows you to visit archived versions of websites. This allows you to gather information on a company's web pages since their creation. As the website www.archive.org keeps track of web pages from the time of their inception, you can retrieve even information that has been removed from the target website.

Module 02 Page 148

http://www.archive.org

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

~ כ ~ \ ii \

Go Waytoackl

rosottcon: ־ C '.) wayback.arch1vc.org »־־

J!" * http://microsoft.com! י ■י ' 'n i

13 14 15 16

20 21 22 23

27‘ 28 29 30

10 11 12 1נ 20 19 19 17

27 »2 25 24

10 11 12

17 18 19

24 23 26

14 15 16

31 22 23

28 29 30

ft 7 t 9 10 11 12

13 14 15 ־5 17 18 19

26 25 24 23 22 21 20

51 •3 29 58 27

10 11 12 13 U 15 16

17 1• 1® 20 21 22 23

24 75 26 27 2• 29 30

3 7 8 9 1•

13 14 15 16 17

20 21 22 23 24

27 28

5 ft 7 8 < 10 11

12 13 14 15 16 17 18

19 20 21 ?2 2) )4 25

26 27 28 29 3«

1».h

9 10 11 12 13 14 15

16 17 18 19 JO <21 22

23 24 25 26 ׳7 28 29

30 31 MAY

1 2 3 4 5 6 7

• 9 10 111 12 13 14

15 16 17 18 19 20 21

22 23 24 26 26 27 28

29 30 31

FIGURE 2.22: Internet Archive Wayback Machine screenshot

Module 02 Page 149

http://microsoft.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Monitoring Web Updates Using Website Watcher

Website Watcher automatically checks web pages for updates and changes

WebSite-Watcher 2012 <12_2> .cockmartcwsw. 28 days available [ 11* goot/narks £h«ck Took Jcnpt Qptions Jftew tJelp Byy Now

change Statu* Last check Warning: whole content _ 13:14

2012-07-18 1&2&22 CK. mibafccril RecSrect.on 2012-07-18 16:2*33 200®-10-07 1fclS27 CK 2008-10-07 15:4*30 20CS-10-C7 15744:4s CK. pfcp6B2 Plugin proc... 2008-10-07 15:44:49

a| ם j 4|[b1̂ rs Sign In http:Vww1At.hotmail.com fAcrosoft Corporation: Software ... http://www.miuoicft com WebS4e-Watcher - Download http-7/www a^ne com'dowmloa— WebSrte-Watcher - Support Forum http:/׳'«wrw.a1gne1.com'fo»v»n'11-

e . S l a y I nWebSite- Watche

Hchpp r p j j u w Scfp^rwhot*; VWo< EowpIo.kI■, Buy Now Siionort

D ow nload W rb S ite -W a lc tw r

W ebSite Wrtt< h e r 4.4? 21-hit• 00ג•

ID ow loai | (4.3 MS) Im w cl (O MB)

»f̂ *«̂ r»*T4/2000̂00yXPA׳«• V»fc1an H.rfcyy

If yo*J insta■ • «*׳*»or. 40 ״ot unanata■ your •ju sting copy oI WebS«*-W*tch«r - just install 0

Page T«t Analysw

http://aignes.com

Monitoring Web Updates Using W ebsite Watcher Source: http://www.aignes.com

Website Watcher is used to keep track of websites for updates and automatic changes. When an update or change occurs, Website Watcher automatically detects and saves the last two versions onto your disk, and highlights changes in the text. It is a useful tool for monitoring sites to gain competitive advantage.

Benefits:

Frequent manual checking of updates is not required. Website Watcher can automatically detect and notify users of updates:

Q It allows you to know what your competitors are doing by scanning your competitors׳ websites

Module 02 Page 150

http://www.miuoicft

http://aignes.com

http://www.aignes.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

FIGURE 2.23: Website watcher monitoring web updates

Module 02 Page 151

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Methodology CEH

WHOIS Footprinting

DNS Footprinting

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

Footprinting through Search Engines

Website Footprinting

Email Footprinting

Competitive Intelligence

Footprinting using Google

Footprinting M ethodology So far we have discussed Footprinting through search engines and website footprinting,

the two initial phases of footprinting methodology. Now we will discuss email footprinting.

WHOIS Footprinting

DNS Footprinting

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

This section describes how to track email communications, how to collect information from email headers, and email tracking tools.

Module 02 Page 152

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Tracking Email Communications c(•ttifwtf 1 Ellt»K4l Nm\hat

J Attacker tracks email to gather information about the physical location of an individual to perform social engineering that in turn may help in mapping target organization's network

J Email tracking is a method to monitor and spy on the delivered emails to the intended recipient

When the email was received and read

GPS location and map of the recipient

Time spent on reading the emails

it to them

Set messages to expire after a specified time

Track PDF and other types of attachments

Whether or not the recipient

visited any links sent

Tracking Email Com munications Email tracking is a method that helps you to monitor as well as to track the emails of a

particular user. This kind of tracking is possible through digitally time stamped records to reveal the time and date a particular email was received or opened by the target. A lot of email tracking tools are readily available in the market, using which you can collect information such as IP addresses, mail servers, and service provider from which the mail was sent. Attackers can use this information to build the hacking strategy. Examples of email tracking tools include: eMailTrackerPro and Paraben E-mail Examiner.

By using email tracking tools you can gather the following information about the victim:

Geolocation: Estimates and displays the location of the recipient on the map and may even calculate distance from your location.

Read duration: The duration of time spent by the recipient on reading the mail sent by -׳ the sender.

.Proxy detection: Provides information about the type of server used by the recipient -׳

Q Links: Allows you to check whether the links sent to the recipient through email have been checked or not.

Module 02 Page 153

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

' ' Operating system: This reveals information about the type of operating system used by the recipient. The attacker can use this information to launch an attack by finding loopholes in that particular operating system.

Q Forward email: Whether or not the email sent to you is forwarded to another person can be determined easily by using this tool.

Module 02 Page 154

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHC ollecting Information from Email Header

designates 10.224.205.137 as permitted־

fcm; dkim=pass

The address from which the message was sent

number assigned .google.com to

itify theme:

Date and time received by the originator's

email servers

Delivored-To: - _ 0gmc1il.com Received: by 10.112.39.167 with SMTP id q7cj

Fri, 1 Jun 2012 21:24:01 - O T O O i f ^ Return-Path: < ״*• - [email protected]> Received-SPF: pass (google.com: domain of sender) client־ip=10.224.205.1 377 Authentication-Results: |m^goog^^^om^ 10.224.205.137 as p e r m i ^ ? ? ^ header. i«;_ •»«-*.. * [email protected] Received: frommr.google.com ([10.224.205.137])

!hY wir.h SMTP Iri fr»^..n^8570qab.39.131 I Fri, 01 Jun 2Q12 21;24:QQ -0700 (PDT)I —

Sender's mail serverrrwl SmtpTml^H

ect:from:to

75MxDR8־t2־P!

Authentication system used by sender's

mail server

d=gma11.com; 3=20120113; h-mime-version:in-reply-to: :content-type;

bh=TGEIPb4ti7gfQG+ghh70kPj kx+Tt/iAClfl b־KyuZLTLfg2-»-QZX;cZKexlNnvRcnD/ + P4+Nkl

A unique l.com> j b m

bl PK3p J3Uf/CsaB7.Wr>TTOXI״aKOAGrP3BOt 92MCZFxeUUQ9uwL/xHAI״SnkoUTF.F.*»KGqOC 0a9hD59D30Xl8KAC7ZmkblGzXmV4DlWf fCL894RaMBOU1*MzRwOWWIib95al I38cqt If P ZhrWFKh5xSnZXsE73xZPEYzp7yeeCeQuYHZNGslKxc07xQjeZuw+HWK/vR6xChDJapZ4 K5ZAfYZmkIkFX+VdLZqu7YGFzy60HcuP16y3/C2fXHVd3uY<״nMT/yecvhCV080y7FKt6 /Kzw-■

MIME-Veraion: 1.0 Received; by 10.224.205.137 with SMTP id fq9; Fri, 01 Jun 2012 21:24:00 -0700 (PDT)

Received: by 10.229.230.79 with HTTP; Fri In-Reply-To: <CAOYWATTlzdDXE308D2rhiE4Ber Referaaa Date

1040318;

nO’-EMJcgfgX+mUf jB tt2sy2dXA0mail. gmail .com> 1LUTIONS : : :

■erma6gmail.com> ץ r0yahoo.com>Sender's full name

»f aranrai • ( f anYMftTT 1 rrinytr Infi n? rh i F df ■

ubj ן——ן o;

\ I . com. > LUTIONS( ־

C ollecting Information from Email Headers An email header is the information that travels with every email. It contains the

details of the sender, routing information, date, subject, and recipient. The process of viewing the email header varies with different mail programs.

Commonly used email programs:

e Outlook 2000-2003

e Outlook 2007

The following is a screenshot of a sample email header.

Module 02 Page 155

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Delivered-To: 8 .-»-»» ■«» !»«׳gmail.com Received: by 10.112. 39". 167 with SMTP id q7csp4894121bk;

Fri, 1 Jun 2012 21:24:01 -0700 (PDT) Return-Path: < »•-— [email protected]> Received-SPF: pass (google.com: domain of ■ 1enna0gmail.com designates 10.224.205.137 as permitted sender) client-ip=10. 2 2 Authentication-Results: pnr7googl^^om»J 3pf-pa33 (google.com: domain of erma8gmail.com designates 10.224.205.137 as permitted senaerj smtp.mail3 - ׳־־rmaggmail.com; dkim=pass header. i=; ?rma8gmail.com Received: frommr.google.com ([10.224.205.137])

hv in.??<!■?05-137 win, s m t p in ^,0^<;78»;70^- ו(וו*»ררו.><ר4(177ר (numhops = 1); |Fn, 01 Jun 2012 21:24:00 -0700 (PDT)!

DKIM-Signature: v=l/l^^rsa-sha^^o/J c=relaxed/relaxed; d=gma i 1. com; ? 01 2011 h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type;

bh=TGEIPb4ti7gfQG+ghh70kPjkx4Tt/iAClPPyWmNgYHc=; b־KguZLTLfg2+QZXzZKexlNnvRcnD/+P4+Nk5NKSPtG7uHXDsfv/hGH46e2P+75MxDR8 blPK3eJ3Uf/CsaBZWDITOXLaKOAGrP3BOt92MCZFxeUUQ9uwL/xHALSnkeUIEEeKGqOC oa9hD59D3oXI8KAC7ZmkblGzXmV4DlWffCL894RaMB0UoMzRw0WWIib95alI38cqtlfP ZhrWFKh5xSnZXsE73xZPEYzp7yecCeQuYHZNGslKxc07xQjeZuw+HWK/vR6xChDJapZ4 K5 ZAf YZmkI kFX4־VdLZqu7YGFzy60HcuPl6yS/C2 fXHVdsuYamMT/yecvhCVo80g7FKt 6 /Kzw-

MIME-Version: 1.0 Received: by 10.224.205.137 with SMTP id fq9mr6704586qab.39.1338611040318; Fri, 01 Jun 2012 21:24:00 -0700 (PDT)

Received: by 10.229.230.79 with HTTP; Fri, 1 Jun 2012 21:23:59 -0700 (PDT) In-Reply-To: <[email protected]•com> Referoflfiga^^£^2iiJ^2Xlidfi2£ia2fiiiJi^4^er2MtVOuhro6r+7Mu7c8ubp8Eg0mail. gmail. com> Date:|Sat, 7 Jun 201? 09:53:59 40530 1 Message-it: <(!:AMivoX'fl!1cf£1־n£'w!iW<i5zihNnO-EMJcgfgX+mUfjB_tt2sy2dXA0mail.gmail.com> S u b j e j ^ ^ i i ״ _ _ _ji*,_0LUTI0NS ::: From:| ■ ■ ~ Mirza|< ״- • -ermapgmail.com> To: iftsamaii.com,

• 1LUTI0NS < • • -* - - ־ •tions8gmail.com>, — ... ■ ■ e ,<aAk_er8yahoo.com■׳ tm> ־1

FIGURE 2.24: Email header screenshot

This email header contains the following information:

e Sender's mail server e Data and time received by the originator's email servers e Authentication system used by sender's mail server e Data and time of message sent e A unique number assigned by mr.google.com to identify the message e Sender's full name e Senders IP address e The address from which the message was sent

The attacker can trace and collect all of this information by performing a detailed analysis of the complete email header.

Module 02 Page 156

http://www.ipaddresslocation.org

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

C EHE m a il T ra c k in g Tools Email Lookup - Free Email Tracker Trace Email - Track Email

Email Header Analysis

IP Address: 72.52.192 147 (ho8t.marhsttanrrediagro1jp.con) IP Address Country: Unred States i p continent north America IP Address City Location: Lansing IP Address Region: Michigan IP Address Latitude: *2.7257. IP Address longtitude: -84.636 Organ i rat on: So jrcoDNS

tmaii Lookup wap (snownide)

Map Satellite

Bath Charter Township

W,Oard w * י ־ - ( f t E03tLansing Lansing

IVac dfcta 82012 Gooole - Terms of Use Report a map eI־

Email M etrics

!5MH • (105* » UOt 1«M>

!!!!!!!! 11 j!.!!! 1 m ! 111! Email Lookup - Free Email Tracker (http://www.ipaddresslocation.org)

PoliteM ail (h ttp :/ /w w w .p o lite m a il.c o m )

Email Tracking Tools Email tracking tools allow you to track an email and extract information such as

sender identity, mail server, sender's IP address, etc. You can use the extracted information to attack the target organization's systems by sending malicious emails. Numerous email tracking tools are readily available in the market.

The following are a few commonly used email tracking tools:

eMailTrackerPro Source: http://www.emailtrackerpro.com

eMailTrackerPro is an email tracking tool that analyzes email headers and reveals information such as sender's geographical location, IP address, etc. It allows you to review the traces later by saving all past traces.

Module 02 Page 157

http://www.politemail.com

http://www.emailtrackerpro.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

«M*fTrKtfT*o v9Qh Advanced {(Woiv Trul a»y 3 of M

• n*r» s M KTT» mt*•( n*van( on ז*» vyv•**• (tt* pô ndotftf)• ntrtiiwHTmMn*( I9MW| OA thrt tvKM• (tkt port nctoM<A

■ T*#f • n no m wnw nm ■! ontMt (t»» port «

Ooitiim *

ד1 ? ז «י. גנ י. STATIC w l M(Ot01 1׳ ׳ * . !•A <00 !cor• ו W.V-WjmHi MUU Mt Mjrrfe* Mt

level WTM to n i i mMS3 ״*» (frt*e*l *2 2 ICC״•; W INItoM * * M 3 mi *$-2tC««1 I W 4 SH■•<♦21c«*2SV» *!>*»■«»» mM O w <: 2 k m h »•״ «•&*• ( m m »׳v*h

12»2ג* «עב 18)82 14 17 385 18087

17 217 80231 2 80231217

80 231 2006 80 231 91 X 80 231 1382

a day J c fatt *yin*. lo if^ tM n o ia iU i ia itc r p t fd iM a

•w * out of <M«. 10| « ttnuiw* drtabM OOJau

Teu •rt 'KM MU

FIGURE 2.25: eMailTrackerPro showing geographical location of sender

PoliteM ail Source: http://www.politemail.com

PoliteMail is an email tracking tool for Outlook. It tracks and provides complete details about who opened your mail and which document has been opened, as well as which links are being clicked and read. It offers mail merging, split testing, and full list management including segmenting. You can compose an email containing malicious links and send it to the employees of the target organization and keep track of your email. If the employee clicks on the link, he or she is infected and you will be notified. Thus, you can gain control over the system with the help of this tool.

FIGURE 2.26: Politemail screenshot

Email Lookup - Free Email Tracker W W W

Source: http://www.ipaddresslocation.org

NIC

Module 02 Page 158

http://www.politemail.com

http://www.ipaddresslocation.org

Email Lookup is an email tracking tool that determines the IP address of the sender by analyzing the email header. You can copy and paste the email header into this email tracking tool and start tracing email.

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance

Module 02 Page 159

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Email Lookup - Free Email Tracker Trace Email • Track Email

Em ail H eader A n a lys is

IP Address: 72.52.192.147 (host manhattanmed1agroup.com) IP Address Country: United States f e i IP Continent: North America IP Address City Location: Lansng IP Address Region: Michigan IP Address Latitude: 42 7257, IP Address Longtitude: -84 636 Organization: SourceDNS

Email Lookup Map (show/hide)

FIGURE 2.27: Email Lookup Screenshot

Module 02 Page 160

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHE m a il T ra c k in g Tools (Cont’d)

Pointofmail http ://w w w .p o in to fm ail. com

Read Notify h ttp :/ /w w w . re ad notify, com

Super Email Marketing Software http://w w w .bulk-em ail-m arketing-softw are.net

' — ■

WhoReadMe http ://w hore adm e . com

GetNotify httn■ //iajiaj\aj nt>\http ://w w w .ge tn otify .co m

Trace Email http ://w hatism yipaddress. com

MSGTAG h ttp ://w w w .m sgta g .co m

Zendio G-Lock Analytics S '/ http ://w w w .zen dio .com ' m http://glockanalytics.com

JJS> a —

Email Tracking Tools (Cont’d)

M Read Notify --- Source: http://www.readnotify.com

Read Notify provides an email tracking service. It notifies you when a tracked email is opened, re-opened, or forwarded. Read Notify tracking reports contain information such as complete delivery details, date and time of opening, geographic location of recipient, visualized map of location, IP address of the recipients, referrer details (i.e., if accessed via web email account etc.), etc.

^ DidTheyReadlt Source: http://www.didtheyreadit.com

DidTheyReadlt is an email tracking utility. In order to use this utility you need to sign up for an account. Then you need to add ".DidTheyReadlt.com" to the end of the recipient's e-mail address. For example, if you were sending an e-mail to [email protected], you'd just send it to [email protected] instead, and your email would be tracked, [email protected] would not see that you added .DidTheyReadlt.com to her email address. This utility tracks every email that you send invisibly, without alerting the recipient. If the user opens your mail, then it

Module 02 Page 161

http://www.pointofm

http://www.bulk-email-marketing-software.net

http://glockanalytics.com

http://whoreadme

http://www.getnotify.com

http://whatism

http://www.msgtag.com

http://www.zendio.com

http://www.readnotify.com

http://www.didtheyreadit.com

http://whatismyipaddress.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

informs you when your mail was opened, how long your email remained open, and the geographic location where your email was viewed.

TraceEmail Source: http://whatismyipaddress.com

The TraceEmail tool attempts to locate the source IP address of an email based on the email headers. You just need to copy and paste the full headers of the target email into the Headers box and then click the Get Source button. It shows the email header analysis and results.

This Email header analysis tool does not have the ability to detect forged emails headers. These forged email headers are common in malicious email and spam. This tool assumes all mail servers and email clients in the transmission path are trustworthy.

MSGTAG Source: http://www.msgtag.com

MSGTAG is Windows email tracking software that uses a read receipt technology to tell you when your emails are opened and when your emails are actually read. This software adds a small track and trace tag that is unique to each email you need delivery confirmation for. When the email is opened an email tracking code is sent to the MSGTAG email tracking system and an email read confirmation is delivered to you. MSGTAG will notify you when the message is read

via an emailed confirmation, a pop-up message, or an SMS text message.

vSW, Zendio Source: http://www.zendio.com

Zendio, the email tracking software add-in for Outlook, notifies you once your recipient reads the email, so you can follow up, knowing when they read it and if they clicked on any links included in the email.

Pointofmail Source: http://www.pointofmail.com

Pointofmail.com is a proof of receipt and reading service for email. It ensures read receipts, tracks attachments, and lets you modify or delete sent messages. It provides detailed information about the recipient, full history of email reads and forwards, links and attachments tracking, email, and web and SMS text notifications.

3 Super Email M יו arketing Software Source: http://www.bulk-email-marketing-software.net

Super Email Marketing Software is a professional and standalone bulk mailer program. It has the ability to send mails to a list of addresses. It supports both text as well as HTML formatted emails. All duplicate email addresses are removed automatically by using this application. Each mail is sent individually to the recipient so that the recipient can only see his or her email in the

http://www.msgtag.com

http://www.zendio.com

http://www.pointofmail.com

http://www.bulk-email-marketing-software.net

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

email header. It saves the email addresses of the successful sent mails as well as the failed mails to a text, CSV, TSV or Microsoft Excel file.

Module 02 Page 163

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

WhoReadMe "5 ©׳ ource: http://whoreadme.com

WhoReadMe is an email tracking tool. It is completely invisible to recipients. The recipients will have no idea that the emails sent to them are being tracked. The sender is notified every time the recipient opens the mail sent by the sender. It tracks information such as type of operating system and browser used, Active X Controls, CSS version, duration between the mails sent and read time, etc.

GetNotify Source: http://www.getnotify.com

GetNotify is an email tracking tool that sends notifications when the recipient opens and reads the mail. It sends notifications without the knowledge of recipient.

I r G־Lock Analytics * י—׳ *י—׳ Source: http://glockanalytics.com

G-Lock Analytics is an email tracking service. This allows you to know what happens to your emails after they are sent. This tool reports to you how many times the email was printed and forwarded.

Module 02 Page 164

http://whoreadme.com

http://www.getnotify.com

http://glockanalytics.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Methodology CEH

WHOIS Footprinting

DNS Footprinting

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

Footprinting through Search Engines

Website Footprinting

Email Footprinting

Competitive Intelligence

Footprinting using Google

Footprinting M ethodology The next phase in footprinting methodology after email footprinting is competitive

intelligence.

Competitive intelligence is a process that gathers, analyzes, and distributes intelligence about products, customers, competitors, and technologies using the Internet. The information that is gathered can help managers and executives of a company make strategic decisions. This section is about competitive intelligence gathering and sources where you can get valuable information.

Module 02 Page 165

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Competitive Intelligence Gathering

J Competitive intelligence is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet

J Competitive intelligence is non-interfering and subtle in nature

Sources of Competitive Intelligence ♦

1 Company websites and employment ads 6 Social engineering employees ׳

7 Product catalogues and retail outlets

Analyst and regulatory reports

Customer and vendor interviews

1 0 Agents, distributors, and suppliers

2 Search engines, Internet, and online databases

3 Press releases and annual reports

- Trade journals, conferences, and newspaper

5 Patent and trademarks

Com petitive Intelligence Gathering Various tools are readily available in the market for the purpose of competitive

intelligence gathering.

Acquisition of information about products, competitors, and technologies of a company using the Internet is defined as competitive intelligence. Competitive intelligence is not just about analyzing competitors but also analyzing their products, customers, suppliers, etc. that impact the organization. It is non-interfering and subtle in nature compared to the direct intellectual property theft carried out through hacking or industrial espionage. It mainly concentrates on the external business environment. It gathers information ethically and legally instead of gathering it secretly. According to Cl professionals, if the intelligence information gathered is not useful, then it is not called intelligence. Competitive intelligence is performed for determining:

Q What the competitors are doing

Q How competitors are positioning their products and services

Sources of Competitive Intelligence:

Company websites and employment ads

S Search engines, Internet, and online databases

Module 02 Page 166

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

e Press releases and annual reports

e Trade journals, conferences, and newspapers

e Patents and trademarks

e Social engineering employees

e Product catalogs and retail outlets

e Analyst and regulatory reports

e Customer and vendor interviews

e Agents, distributors, and suppliers

Competitive intelligence can be carried out by either employing people to search for the information or by utilizing a commercial database service, which incurs a lower cost than employing personnel to do the same thing.

Module 02 Page 167

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

C EHC om petitive In te lligen ce - W hen Did th is Com pany B egin? How Did it D evelop?

V is it T h e s e S ite s ♦------------------------------------------------

01. EDGAR Database

http://www.sec.gov/edgar.shtml ♦---------------------------------

02. Hoovers

How did it http://www.hoovers.com develop? «______________________________________

03. LexisNexis M ■ 2 ) http://www.lexisnexis.com

♦--------------------------------- 04. Business Wire

^ K > http://www.businesswire.com

When did it begin?

Competitive Intelligence ־ When Did this Company Begin? How Did it Develop?

Gathering competitor documents and records helps improve productivity and profitability and stimulate the growth. It helps determine the answers to the following:

When did it begin?

Through competitive intelligence, the history of a company can be collected, such as when a particular company was established. Sometimes, crucial information that isn't usually available for others can also be collected.

How did it develop?

It is very beneficial to know about how exactly a particular company has developed. What are the various strategies used by the company? Their advertisement policy, customer relationship management, etc. can be learned.

Who leads it?

This information helps a company learn details of the leading person (decision maker) of the company.

Where is it located?

Module 02 Page 168

http://www.sec.gov/edgar.shtml

http://www.hoovers.com

http://www.lexisnexis.com

http://www.businesswire.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

The location of the company and information related to various branches and their operations can be collected through competitive intelligence.

You can use this information gathered through competitive intelligence to build a hacking strategy.

The following are information resource sites that help users gain competitive intelligence.

EDGAR 01 c—3 Source: http://www.sec.gov/edgar.shtml

All companies, foreign and domestic, are required to file registration statements, periodic reports, and other forms electronically through EDGAR. Anyone can view the EDGAR database freely through the Internet (web or FTP). All the documents that are filed with the commission by public companies may not be available on EDGAR.

Hoovers M = I = ־־ i Source: http://www.hoovers.com

Hoovers is a business research company that provides complete details about companies and industries all over the world. Hoovers provides patented business-related information through Internet, data feeds, wireless devices, and co-branding agreements with other online services. It gives complete information about the organizations, industries, and people that drive the economy and also provide the tools for connecting to the right people, in order for getting business done.

LexisNexis Source: http://www.lexisnexis.com

LexisNexis is a global provider of content-enabled workflow solutions designed specifically for professionals in the legal, risk management, corporate, government, law enforcement, accounting, and academic markets. It maintains an electronic database through which you can get legal and public-records related information. Documents and records of legal, news, and business sources are made accessible to customers.

Business Wire Source: http://www.businesswire.com

Business Wire is a company that focuses on press release distribution and regulatory disclosure. Full text news releases, photos, and other multimedia content from thousands of companies and organizations are distributed by this company across the globe to journalists, news media, financial markets, investors, information website, databases, and general audiences. This company has its own patented electronic network through which it releases its news.

Module 02 Page 169

http://www.sec.gov/edgar.shtml

http://www.hoovers.com

http://www.lexisnexis.com

http://www.businesswire.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Competitive Intelligence - What Are the Company's Plans? cfertMM

^^^P^^^^^^^ompetitiv^ntelligenc^Site^^™ ך

I tUROMONMOR

M a r k e t ^Market Watch (http://www.marketwatch.com)

The Wall Street Transcript (http://www.twst.com) J t w s t . c o m

^ Lipper Marketplace (http://www.lippermarketplace.com) upper marketplace

\ / Euromonitor (http://www.euromonitor.com)

sy'' Fagan Finder (http://www.faganfinder.com)

SEC Info (http://www.secinfo.com)

^Fagan-^ FinderJ

S E C In fo

The Search Monitor (http://www.thesearchmonitor.com) S e a r c h M p m I t o r

Com petitive Intelligence ־ What Are the Company's M M to Plans? The following are a few more examples of websites that are useful to gather valuable information about various companies and their plans through competitive intelligence:

MarketWatch Source: http://www.marketwatch.com

MarketWatch tracks the pulse of markets. The site provides business news, personal finance information, real-time commentary, and investment tools and data, with dedicated journalists generating hundreds of headlines, stories, videos, and market briefs a day.

The Wall Street Transcript Source: http://www.twst.com

SfliPi The Wall Street Transcript is a website as well as paid subscription publication that publishes industry reports. It expresses the views of money managers and equity analysts of different industry sectors. Interviews with CEOs of companies are published.

Lipper M arketplace

Module 02 Page 170

http://www.marketwatch.com

http://www.twst.com

http://www.lippermarketplace.com

http://www.euromonitor.com

http://www.faganfinder.com

http://www.secinfo.com

http://www.thesearchmonitor.com

http://www.marketwatch.com

http://www.twst.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Source: http://www.lippermarketplace.com

Lipper Marketplace offers web-based solutions that are helpful for identifying the market of a company. Marketplace helps in qualifying prospects and provides the competitive intelligence needed for transforming these prospects into clients. Its solutions allow users to identify net flows and track institutional trends.

Euromonitor Source: http://www.euromonitor.com

■ Ill'll■

Euromonitor provides strategy research for consumer markets. It publishes reports on industries, consumers, and demographics. It provides market research and surveys focused on your organization's needs.

Fagan Finder R

1 Source: http://www.faganfinder.com

Fagan Finder is a collection of internet tools. It is a directory of blog sites, news sites, search engines, photo sharing sites, science and education sites, etc. Specialized tools such as Translation Wizard and URL info are available for finding information about various actions with a web page.

M SEC Info ^ Source: http://www.secinfo.com ׳—<

SEC Info offers the U.S. Securities and Exchange Commission (SEC) EDGAR database service on the web, with billions of links added to the SEC documents. It allows you to search by Name, Industry, and Business, SIC Code, Area Code, Accession Number, File Number, ClK, Topic, ZIP Code, etc.

The Search Monitor Source: http://www.thesearchmonitor.com

The Search Monitor provides real-time competitive intelligence to monitor a number of things. It allows you to monitor market share, page rank, ad copy, landing pages, and the budget of your competitors. With the trademark monitor, you can monitor the buzz about yours as well as your competitor's brand and with the affiliate monitor; you can watch monitor ad and landing page copy.

Module 02 Page 171

http://www.lippermarketplace.com

http://www.euromonitor.com

http://www.faganfinder.com

http://www.secinfo.com

http://www.thesearchmonitor.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHCompetitive Intelligence - What Expert Opinions Say About the Company

Copernic Tracker http://www.copernic.com

Compete PRO™ http://www.compete.com

SEMRush http://www.semrush.com

as! http://www.jobitorial.comJobltorlal

ABI/INFORM Global http://www.proquest.com

Attention Meter http://www.attentionmeter.com

Com petitive Intelligence ־ What Expert Opinions Say About the Company

Copernic Tracker Source: http://www.copernic.com

Copernic is website tracking software. It monitors a competitor's website continuously and acknowledges you content changes via an email, if any. The updated pages as well as the changes made in the site are highlighted for your convenience. You can even watch for specific keywords, to see the changes made on your competitor's sites.

SEMRush Source: http://www.semrush.com

SEMRush is a competitive keyword research tool. For any site, you can get a list of Google keywords and AdWords, as well as a competitors list in the organic and paid Google search results. Necessary means for gaining in-depth knowledge about what competitors are advertising and their budget allocation to specific Internet marketing tactics are provided by SEMRush

Module 02 Page 172

http://www.copernic.com

http://www.compete.com

http://www.semrush.com

http://www.jobitorial.com

http://www.proquest.com

http://www.attentionmeter.com

http://www.copernic.com

http://www.semrush.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Jokitorial Source: http://www.iobitorial.com

Jobitorial provides anonymous employee reviews posted for jobs at thousands of companies and allows you to review a company.

AttentionMeter Source: http://www.attentionmeter.com

AttentionMeter is a tool used for comparing any website you want (traffic) by using Alexa, Compete, and Quancast. It gives you a snapshot of traffic data as well as graphs from Alexa, Compete, and QuantCast.

ABI/INFORM Global Source: http://www.proauest.com

ABI/INFORM Global is a business database. ABI/INFORM Global offers the latest business and financial information for researchers at all levels. With ABI/INFORM Global, users can determine business conditions, management techniques, business trends, management practice and theory, corporate strategy and tactics, and the competitive landscape.

Compete PRO Source: http://www.compete.comIB

Compete PRO provides an online competitive intelligence service. It combines all the site, search, and referral analytics in a single product.

Module 02 Page 173

http://www.iobitorial.com

http://www.attentionmeter.com

http://www.proauest.com

http://www.compete.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Methodology C E H

WHOIS Footprinting

DNS Footprinting

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

Footprinting through Search \ Engines

Website Footprinting

Email Footprinting

Competitive Intelligence

Footprinting using Google

Footprinting M ethodology

Footprinting using Google Though Google is a search engine, the process of footprinting using Google is not

similar to the process of footprinting through search engines. Footprinting using Google deals with gathering information by Google hacking. Google hacking is a hacking technique to locate specific strings of text within search results using an advanced operator in Google search engine. Google will filter for excessive use of advanced search operators and will drop the requests with the help of an Intrusion Prevention System

Module 02 Page 174

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprint Using Google Hacking Techniques

- - י י

r~j Footprinting using Google Hacking Techniques J_

Google hacking refers to the art of creating complex search engine queries. If you can construct proper queries, you can retrieve valuable data about a target company from the Google search results. Through Google hacking, an attacker tries to find websites that are vulnerable to numerous exploits and vulnerabilities. This can be accomplished with the help of Google hacking database (GHDB), a database of queries to identify sensitive data. Google operators help in finding required text and avoiding irrelevant data. Using advanced Google operators, attackers locate specific strings of text such as specific versions of vulnerable web applications.

Some of the popular Google operators include:

Q .Site: The .Site operator in Google helps to find only pages that belong to a specific URL.

Q allinurl: This operator finds the required pages or websites by restricting the results containing all query terms.

Q Inurl: This will restrict the results to only websites or pages that contain the query terms that you have specified in the URL of the website.

Module 02 Page 175

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

intitle: It restricts results to only the web pages that contain the query term that you have specified. It will show only websites that mention the query term that you have used.

Q Inanchor: It restricts results to pages containing the query term that you have specified in the anchor text on links to the page.

Q Allinanchor: It restricts results to pages containing all query terms you specify in the anchor text on links to the page.

Module 02 Page 176

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

EHWhat a Hacker can do with Google Hacking?

Error messages that contain sensitive information

Files containing passwords

Attacker gathers:

Advisories and server vulnerabilities

Pages containing network or vulnerability data

Pages containing logon portals

What Can a Hacker Do with Google Hacking? — If the target website is vulnerable to Google hacking, then the attacker can find the

following with the help of queries in Google hacking database:

Q Error messages that contain sensitive information

Files containing passwords י-

Q Sensitive directories

Q Pages containing logon portals

Pages containing network or vulnerability data

Q Advisories and server vulnerabilities

Module 02 Page 177

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEH

V ׳

Google Advance Search Operators

Google supports several advanced operators that help in m odifying the search

Displays the web pages stored in the Google cache

Lists web pages that have links to the specified web page

Lists web pages that are similar to a specified web page

Presents some information that Google has about a particular web page

Restricts the results to those websites in the given domain

i t Restricts the results to those websites with all of the search keywords in the title

Restricts the results to documents containing the search keyword in the title

Restricts the results to those with all of the search keywords in the URL

Restricts the results to documents containing the search keyword in the URL

[cache:]

[link:]

[related:]

[info:]

[site:]

[allintitle:]

[intitle:]

[allinurl:]

[inurl:]

G oogle Advance Search Operators Source: http://www.googleguide.com

Cache: The CACHE query displays Google's cached version of a web page, instead of the current version of the page.

Example:

cache: www.eff.org will show Google's cached version of the Electronic Frontier Foundation home page.

Note: Do not put a space between cache: and the URL (web address).

link: Link lists web pages that have links to the specified web page. For example, to find pages that point to Google Guide's home page, enter:

link: www.googleguide.com

Note: According to Google's documentation, "you cannot combine a link: search with a regular keyword search."

Module 02 Page 178

http://www.googleguide.com

http://www.eff.org

http://www.googleguide.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Also note that when you combine link: with another advanced operator, Google may not return all the pages that match. The following queries should return lots of results, as you can see if you remove the -site: term in each of these queries. related: If you start your query with "related:", then Google displays websites similar to the site mentioned in the search query. Example: related:www.microsoft.com will provide the Google search engine results page with websites similar to microsoft.com. info: Info will present some information the corresponding web page. For instance, info:gothotel.com will show information about the national hotel directory GotHotel.com home page. Note: There must be no space between the info: and the web page URL. This functionality can also be obtained by typing the web page URL directly into a Google search box. site: If you include site: in your query, Google will restrict your search results to the site or domain you specify. For example, admissions site:www.Ise.ac.uk will show admissions information from London School of Economics' site and [peace site:gov ] will find pages about peace within the .gov domain. You can specify a domain with or without a period, e.g., either as .gov or gov. Note: Do not include a space between the "site:" and the domain. allintitle: If you start your query with allintitle:, Google restricts results to those containing all the query terms you specify in the title. For example, allintitle: detect plagiarism will return only documents that contain the words "detect" and "plagiarism" in the title. This functionality can also be obtained through the Advanced Web Search page, under Occurrences. intitle: The query intitle: term restricts results to documents containing term in the title. For instance, flu shot intitle:help will return documents that mention the word "help" in their titles, and mention the words "flu" and "shot" anywhere in the document (title or not). Note: There must be no space between the intitle: and the following word. allinurl: If you start your query with allinurl:, Google restricts results to those containing all the query terms you specify in the URL. For example, allinurl: google faq will return only documents that contain the words "google" and "faq" in the URL, such as "www.google.com/help/faq.html." This functionality can also be obtained through the Advanced Web Search page, under Occurrences. In URLs, words are often run together. They need not be run together when you're using allinurl. inurl: If you include inurl: in your query, Google will restrict the results to documents containing that word in the URL. For instance, inurkprint site:www.googleguide.com searches for pages on Google Guide in which the URL contains the word "print." It finds PDF files that are in the directory or folder named "print" on the Google Guide website. The query [ inurkhealthy eating ] will return

Module 02 Page 179

http://www.microsoft.com

http://www.Ise.ac.uk

http://www.google.com/help/faq.html

http://www.googleguide.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

documents that mention the words "healthy" in their URL, and mention the word "eating" anywhere in the document.

Note: There must be no space between the inurl: and the following word.

Module 02 Page 180

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Finding Resources Using Google f ״ _ Advance Operator 1z . E 5!

Finding Resources using Google Advance Operator By using the Google Advance Operator syntax [ i n t i t l e : i n t r a n e t i n u r l : i n t r a n e t

+ i n t e x t ״ : human r e s o u r c e s ״ ] : the attacker can find private information of a target company as well as sensitive information about the employees of that particular company. The information gathered by the attackers can be used to perform social engineering attacks. Google will filter for excessive use of advanced search operators and will drop the requests with the help of an Intrusion Prevention System.

The following screenshot shows a Google search engine results page displaying the results of the previously mentioned query:

Module 02 Page 181

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance

♦You Search Images Mail Documents Calendar Sites Contacts Maps More ־

(inCitke intranet inurt intranet ♦intext 'human resource^

About ?3 800 rest*s (0 16 secondSearch

Humaj3LS«Purc»» Human Resource* Intranet > Department 01 Human Resources

14 Jun 2012- Human Resources — Hom« > Department of Human Resources > Human Resources Intranet Human Resources Intranet...

Web

Images

).taps

intranet*/ 6 Jun 2012 Human Resources 201112׳ DeaAnes m Faculty and Human Resources

—- *Personnel Specials! assignments by Ur* (OOC)...

• ■mmmm •— orgr Error Cookies are not enabled You must enable cookies before you can log n Please log in This section of the Human Resources *ebsite IS for UNC Health ...

Intr»n»t Benefits (or Human Resource Management v - *״•־■ /krtrantt benefesforJwmin-resource-manage

3 Nov 2010 - Tags enterpnse 2 0 enterprise coiaboratwn human resources intranet 2 0 intranets social crm Intranet Benefit for Human Resowce...

Videos

News

Shopping

Show search tools

Human Reiourcet I . . Intranet. Ju au/hi>♦ י־ -

Tht Faculty Human Resources Taam aims to work wih acad*rr»c haads managers and staff to •nsur• that human resources a*«c• and actMties translat# into...

Intranet Human Retourcet. intranet personnel/perps him

Human Resources Employee Benefts and Resources Ag Leam provides education serwees for — • • contractors.״.

> • - _ds php^_id«41 The Human Resources oftce is responsible tor proa&nq vanous support services to all

FIGURE 2.28: Search engine showing results for given Google Advance Operator syntax

Module 02 Page 182

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHGoogle Hacking Tool: Google Hacking Database (GHDB)

Pages Containing Login PortalsAdvisories andVulnerabilrt.es

Google Hacking Tool: Google Hacking Database (GHDB)

Source: http://www.hackersforcharity.org

The Google Hacking database (GHDB) is a database of queries that identify sensitive data. GHDB is an HTML/JavaScript wrapper application that uses advanced JavaScript techniques to scrape information from Johnny's Google Hacking Database without the need for hosted server-side scripts. The Google Hacking Database exposes known issues with software that run websites. There are some bugs that expose information that might not warrant public reading.

Module 02 Page 183

http://www.hackersforcharity.org

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

- * r ■ 6HM • Hadun far Our׳ • «- C rtv׳wnadtmforchanty.org,0 r̂tr)/׳ lunrt1on־tumm,vy&ca! 1/

OHOO - rU c ld i fo r Charity

onoe C*€>9 s: P1g« cO'tOnng lopr porta*

According a. Miaosoft ־Miuosoft (R) Outlook (TK) VJ*t! a rre4s * ג M*<׳־osofr Ftrharo* Artwe Servrr C Application that t>veo you prvitc access to Ttus 1» U1* 10(1*1 p»e« fa CokJfuson adrnr1«mon. Although m»01 «׳ m•** are uirurM. t C1« s an Irdicator of a dtfau't into lito־> »nd Th* is die default tofin pa$e for ColdFojron. Aimoucft rraiv ot tnese are secured, rm is an • ncicatcf of a d *fault insQllaton, and iray bo

webmn is ג hen acrnrn irtar'ace fee Unix Coxes it propriataiy web co'vcv isterirg on tho C ג .run or ־ !5

CdajX port of 10090. 1t*4 t* a typical login page. It h» 1e1«rflr Oetoaie * txg* for SQL ln}*ctJO׳v Comsac-f artld* at C hOp:/'ww>v.govcrrrrKrvsc<ur1ty.or5/art)Clca/S n»s » a cypical login page, itfus ■ecentir becotn* a taro* for SQL injection. Con*«c'«1 artjd* at C j MJp://vrww.goveromtr«5e«unty.©re/artjde5/S . VNC U a f«nwte-cc»W01ied Cwlttpp produa.

’ r<T>*nd1no or rh(* conttcuraBon. rn׳ro» u«« nay . rot be pre*4nt«d with 3 password. Cven when CHWPtltifWt.■. ־ [_ TH» 11 the ftort page entry potnt to e "Miuo 71 k" .

I lhsts the loan page for Microsoft's Renote Deslax? W«b Cor«nocQon, which a'lows r«r־x>tn ucart to ׳ | connect to (and optionally corttol) a user

ITwm! ais Otim Metafiaine login ptxt̂ s. AU״Kkw» ran 11(0 (txxa tn prr.fl• ג ti'e jnd nn 1*• ncarur• < setup! of thi* application to acce*• the »t»

(H-» ווו tart* eon n

I»«. ״,־״׳.״״xt. j 1t>cd3/־dnn/I0or־.a

i?004- ־v^c rxKjc

inktl.i’Mtaflarmp/de asp

' •nttteftqjo

C I www.rucicersforchar1ty.org/ndo. ׳fiincton M1rrmaryfiK.it> 19

E S 2 ] YouTtt•MW( POOJCCTC ABOUT ||

HACKERS FOR CHARITY.ORC

OHDe - Hm W > Charity ,*־׳׳

0H0e S״«« t Ad/tsenes ard ViJr r̂anJrtes

2COt- 03*•־ P-odjctrart

Tic E»t׳ l־rpi<t PioducKart cortaioj multiple /uineratiltes, *hen cojM eotoited to allow an atCackar to mat u««r cr«d«ntjak or mounx other atta

Gf '

XO*- rmSoSaareh wH«abd*y

Accor care to 1http:j'/Avrw.Mfurtvff>cue.cor%'b1d/0<̂ 7. cartar | ׳0>0גז c/ im&Swc'i contdn a buftei oveiftow

vulnfrafcilty which *How an XttrkM to כ j t

2C04 •5-12

rWKjutsttwok 'jrv»r«־sc JwssthooW 2.2 pcv«

Advanced Guestbook v7.7 has an SQl !rjecnor >oblcm which al 0*5 unauthomod acces*. Aaaourfiom thee, hit ־Admn־ then 00 wefollowing

2004 V*-ASP Shopetng Cart VP-AS* (Virtual Progra׳ming ASP) has won awarifo both in Vte US anti France. X is now m um

FIGURE 2.29: Screenshots showing Advisories and Vulnerabilities & pages containing login portals

http://www.rucicersforchar1ty.org/ndo

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHG oog le H ack in g Tools

SearchDiggity h ttp :/ /w w w . s tachliu. com&

?& Google HACK DBhttp://w w w .secpoint.com

Gooscan h ttp ://w w w .d a rk n e t. org. uk

MetaGoofil h ttp :/ /w w w . edge-security, com

SiteDigger h ttp :/ /w w w . mcafee.com

Goolink Scanner h ttp :/ /w w w . ghacks. net

Google Hacks http://code.google.com

BiLE Suite http://w w w .sensepost.com

Google Hacking Tools Besides the Google Hacking Database (GHDB) tool featured previously, there are

some other tools that can help you with Google hacking. There are a few more Google hacking tools mentioned as follows. Using these tools, attackers can gather advisories and server vulnerabilities, error message information that may reveal attack paths, sensitive files, directories, logon portals, etc.

M etagoofil Source: http://www.edge-securitv.com

ג Metagoofil is an information-gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company.

Metagoofil performs a search in Google to identify and download the documents to a local disk and then extracts the metadata with different libraries such as Hachoir, PdfMiner?, and others. With the results, it generates a report with usernames, software versions, and servers or machine names that may help penetration testers in the information gathering phase.

Goolink Scanner

Module 02 Page 185

http://www.secpoint.com

http://www.darknet

http://www.edge-securitv.com

http://code.google.com

http://www.sensepost.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Source: http://www.ghacks.net

The Goolink Scanner removes the cache from your searches, and collects and displays only vulnerable site's links. Thus, it allows you to find vulnerable sites wide open to Google and googlebots.

SiteDigger י̂־ Source: http://www.mcafee.com

SiteDigger searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on websites.

Google Hacks £ * 4 )

Source: http://code.google.com

Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. It allows you to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches.

\ \ BiLE Suite Source: http://www.sensepost.com

BiLE stands for Bi-directional Link Extractor. The BiLE suite includes a couple of Perl scripts used in enumeration processes. Each Perl script has its own functionality. BiLE.pl is the first tool or Perl script in the collection. BiLE leans on Google and HTTrack to automate the collections to and from the target site, and then applies a simple statistical weighing algorithm to deduce which websites have the strongest relationships with the target site.

Google Hack Honeypot Source: http://ghh.sourceforge.net

Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources. GHH implements the honeypot theory to provide additional security to your web presence.

GMapCatcher& Source: http://code.google.com GMapCatcher is an offline maps viewer. It displays maps from many providers such as: CloudMade, OpenStreetMap, Yahoo Maps, Bing Maps, Nokia Maps, and SkyVector. maps.py is a GUI program used to browse Google map. With the offline toggle button unchecked, it can download Google map tiles automatically. Once the file downloads, it resides on your hard disk. Thus, you don't need to download it again.

Module 02 Page 186

http://www.ghacks.net

http://www.mcafee.com

http://code.google.com

http://www.sensepost.com

http://ghh.sourceforge.net

http://code.google.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

SearchDiggity Source: http://www.stachliu.com נ -

SearchDiggity is the primary attack tool of the Google Hacking Diggity Project. It is Stach & Liu's MS Windows GUI application that serves as a front-end to the most recent versions of Diggity tools such as GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotlnMyBackYard Diggity.

Google HACK DB Source: http://www.secpoint.comPHP

The attacker can also use the SecPoint Google HACK DB tool to determine sensitive information from the target site. This tool helps an attacker to extract files containing passwords, database files, clear text files, customer database files, etc.

Gooscan Source: http://www.darknet.org.uk

Gooscan is a tool that automates queries against Google search appliances. These queries are designed to find potential vulnerabilities on web pages.

Module 02 Page 187

http://www.stachliu.com

http://www.secpoint.com

http://www.darknet.org.uk

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Methodology C E H

WHOIS Footprinting

DNS Footprinting

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

Footprinting through Search Engines

Website Footprinting

Email Footprinting

Competitive Intelligence

Footprinting using Google

Footprinting M ethodology Gathering network-related information such as whois information of the target

organization is very important when hacking a system. So, now we will discuss whois footprinting.

Whois footprinting focuses on how to perform a whois lookup, analyzing the whois lookup results, and the tools to gather whois information.

Module 02 Page 188

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

W HOIS L ookup CEH Urtifi•! Ittiu l lUckw

WHOIS databases are maintained by Regional Internet Registries and contain the personal information of domain owners

Regional Internet Registries (RIRs)

a f r i A R T N

RIPEa

£ )APNIC

Inform ation obtained from W H O IS d atab ase a ssists an a tta c k e r to:

« Create detailed map of organizational network

tt Gather personal information that assists to perform social engineering

6 Gather other internal network details, etc.

WHOIS query returns: e Domain name details e Contact details of domain

owner Domain name servers

9 NetRange When a domain has been created

e Expiry records 6 Records last updated

WHOIS Lookup WHOIS is a query and response protocol used for querying databases that stores the

registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. WHOIS databases are maintained by Regional Internet Registries and contain the personal information of domain owners. They maintain a record called a LOOKUP table that contains all the information associated with a particular network, domain, and host. Anyone can connect and query to this server to get information about particular networks, domains, and hosts.

An attacker can send a query to the appropriate WHOIS server to obtain the information about the target domain name, contact details of its owner, expiry date, creation date, etc. The WHOIS sever will respond to the query with respective information. Then, the attacker can use this information to create a map of the organization network, trick domain owners with social engineering once he or she gets contact details, and then get internal details of the network.

Module 02 Page 189

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

WHOIS Lookup Result Analysis c(citifwd EHttkKJl NMhw

Domain Dossier investioate domain3 and IP addresses domain or IP address [juggyboy.com

0 domain whois record 0 DNS records □ traceroute network whois record □ service scan J U

30]gncitymous [ log in | acccun

1 juggyfaoy.c

Address lookup canonical name j 1»00vhoy.com.

aliases addresses —• t

Domain Whois record Queried wt10ivintt>rnk:.nt*t with "doi

Doaaia Noses JUGGYBOY.COM Registrar: NETWORK 30LOTTOUS, LLC. *h: -.1 server: vnon.ftetwor *solutions, cox Retercal URL: ftttp ://w *.netw sfcJ01u t10ns.ccr,/enJJS/ N’a!a# 3*rv*r: NS1#.WCRLONTC.COM NAM S*rv»r: NS20.WCRLON1C.COM sucua: ciicntiransrcrProni&Lted Opdated Date: 03-feb-2009 Creation Data: 1«-Jul-200J Expiration Date: :6-01-2014ר

»> last update of whola database: Thu, 1• Ju i 2012 0 49 : 3 OTC 4 >ל:

Quened wt10is.network50lutions.rnm with juggyboy.rom ...

Registrant:

«M« RMNK m mm

1 Stats My Who.WHoia Record

Doza.n JLdmnistrator M icrossft Corporation One M ic r03a2 t Way Rarinonri Hr. 93052

cs +1.4250826060 Fex; +1.4259267229domainsgjmlcrosoff.ci

lex״ in Kane: n ic rcso ft. com

Ee3i3*rar Sane: Marl3cnicor.com Registrar Wiols: wtiols.narttxmlcor.con Registrar Kcnepage: http://vwV.r13rircnLtcr.rcn

&dxdr.13trative Contact: Dorain Administrator Microsoft Corporation One Microsoft Kay Reancna WA 9BOS2

US tiorwa1nsfimicro90ft.c0m +1.42S8828080 Fox: 4L.42S9367329

Technical Contact. Zone Contact: msm H09tn*9t#r Microsoft Corporation on• M icroiott Hay Rednond WA 98052

US m3nhstQmittoSOfl.com *1.4258828080 Tax: 11. •12S93€"32S

Createa on........................ : 1991-05-01. Expires on........................ : 2021-03-02. Reccrd la s t upaatea on ..: 2011-03-14.

Dosain servers in lis te d order:

ns3.1Ksrt.net ns4.tuft.net nsl.ttsrt.net

net 03 rt

ns3

h ttp://cen tralops. net/co

http://whois.domaintools.com

WHOIS Lookup Result Analysis A whois lookup can be performed using Whois services such as

http://whois.domaintools.com or http://centralops.net/co. Here you can see the result analysis of a Whois lookup obtained with the two mentioned Whois services. Both these services allow you to perform w whois lookup by entering the target's domain or IP address. The domaintools.com service provides whois information such as registrant information, email, administrative contact information, created and expiry date, a list of domain servers, etc. The Domain Dossier available at http://centralops.net/co/ gives the address lookup, domain Whois record, network whois record, and DNS records information.

Module 02 Page 190

http://vwV.r13rircnLtcr.rcn

http://whois.domaintools.com

http://centralops.net/co

http://centralops.net/co/

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Domain Dossier Investigate domains and IP addresses domain or !P address ]ug9yCoy.com |

2 domain whois record 0 DNS records □ traceroute network whois record D service scan 9° J •׳

30] PfJ11tr.fi ,!,Lit

u ser anonymous [ balance: 47 units

lof in | account info

Address lookup canonical name juooyboy.com.

aliases

addresses 6

Domain Whois record Queried whois.internic.net with "dom juggyboy.com״...

Dcxein Name: JUGGYBOY.COM Registrar: NETWORK SOLUTIONS, LLC. ¥hois Server: whois.netvforlfsolutions.cojn R e fe r ra l URL: http://www.networkaclutions.coin/en US/ Vane Server: HS19.WORLDNIC.COM !7*2* S e rv a r : HS20.WORLDNIC.COM S ta tu s : c licn tT ra n s fe rF ro h ib ite d Updated Date: 03-feb-2009 Creation Data: 16-JU1-2002 Ex p ira t io n Date: 16-j j׳ 1-2014

»> Last update of whois database: Thu, 19 Jul 2012 07:49:36 UTC <« Queried whoib.networkbolutionb.coiii with ,juggyboy.com'‘... Registrant:

W h i m R e c o rd Sit• Profile R e g istra tio n S e rver S tats My W hois

Registrant: Domain Administrator Microsoft Corporation One Microsoft Way Redirond WA 98052 US dpnainscXmcrosoflcom +1.4258828080 Fax: +1.425936329ל

Dosain !iar.e: nicroaoft.com

Registrar Mane: Martenonitor.com Registrar Whois: whois. !narlatoni tor. can Registrar Honepage: http://www.marJancn1tor.co1t

Adsriaistrative Contact: Domain Adnlnistrator Microsoft Corporation One Microsoft Way Redmoad WA 98052 US d0mains@m1cf0 s0ft.c0m +1.4258828080 Fax: 4-1.425936329ל

Technical Contact, Zone Contact: MSN Hoatmaster Microsoft Corporation One Microsoft Way Redirond KA 98052 US m5nf1stQmitrosofl.com ♦1*4258828080 Fax: +1.4259367329

Created on : 1991-05-01. Expires on t 2021-05-02. Record :ast updated on..: 2011-08-14.

Doaain servers i& listed order:

ns5.nsft.net ns4.nsft.net nsl.nsft.net ns3.nsft.net ns2.nsft.net

http://centralops.net/cohttp://whois.domaintools.com

FIGURE 2.30: Whois services screenshots

Module 02 Page 191

http://www.networkaclutions.coin/en

http://www.marJancn1tor.co1t

http://whois.domaintools.com

http://centralops.net/co

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

WHOIS Lookup Tool: SmartWhois CEH Urtffi•* IthKjl lUckM

SmartWhois - Evaluation Version Fie Query Edit Y!r/» Settings Help

P. host crdcrran: -J nncr050ft.c<

tt Free SAS i ProXad 8, fuc de la ville T'Eveque 75006 Paris

phone -33 1 73 50 20 00 fax *■33 1 73 50 25 01 hostmastcfCPptoxad.nct

Q free SAS i ProXad ruedel4v>llel"Evec|ue

75006 Pari*

phone-33 173 50 20 00 fax: *33 1 73 502501 r.ojtmcitcri’cfo.od.nct

( | frmti1-q?0.ftM>.f1 [212.27.60.19] ( ® J ''**n:2-q2C.fr««.ff [212.27.60.20]

r*at*d: 29/12/2006 Updated: 17/02/2004 Source: whois.nic.fr

I J c"up Completed at 19-07-2012 12:4*01 PM

Processing ם me 1.6$ seconds V1r«VM> Liter

14 miacsoft.com ^ rwcney.de

» E 5 3

http://www. tamos, com

BC WHOIS Lookup Tool: SmartWhois Source: http://www.tarnos.com

SmartWhois is a useful network information utility that allows you to look up all the available information about an IP address, hostname, or domain, including country, state or province, city, name of the network provider, administrator, and technical support contact information. It also assists you in finding the owner of the domain, the owner's contact information, the owner of the IP address block, registered date of the domain, etc.

Module 02 Page 192

http://www.networksolutions.com

http://www.tarnos.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

V « Query <£־׳

SmaitWhois ־ Evaluation Version File Query Edit View Settings Help

IP, host or domain: Q micro soft com m

Qnjgjfcfr

88.1902S4.12

Free SAS/ ProXad I 8, rue de 10 ville I 'Evcquc

75008 Paris

phene: ♦33 I 73 50 20 00 fax: ♦33 1 73 50 25 01 h0stmastergpf0xid.net

Free SAS / ProXad I 8. rue de la ville I 'Eveque

75008 Paris

phene ♦ 33 1 73 50 20 00 fax: ♦33 1 73 50 25 01

freensl-g20Jree.fr [212.27.60.19] 1 freens2-g20Jree.fr[212.27.60.20]

Google Page Rank: 7 1 Alexa Traffic Rank: 11,330

Created: 29/12/2008 Updated: 17/02/2004 Source: whois.nic.fr

Completed at 19*07-2012 12:44:01 PM Processing time: 1.63 seconds

View source

at microsoft.com money.de

FIGURE 2.31: SmartWhois screenshot

Module 02 Page 193

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

WHOIS Lookup Online Tools C E H

Whois http ://to ols. whois.net

Network Solutions Whois http://w w w .netw orksolutions.com

WebToolHub h ttp :/ /w w w . webtooll 1 • whois-lookup. aspx

Ultra Tools https://w w w .ultratools.com /w hois/hom e

% DNSstuff mimr h ttp :/ /w w w . dnss tuff, com

־ ■ = ־

S '

Network-Tools.com http ://netw ork-tools. com

SmartWhois http://sm a rtw hois. com

ה־ז Better Whois1 1 n http ://w w w . betterwhois. com

m Whois Sourcepyy h ttp :/ /w w w . whois.sc

Web Wiz h ttp :/ /w w w . webwiz.co. uk/dom ain־ tools/whois-lookup.htm

§fc]

WHOIS Lookup Tools Similar to SmartWhois, there are numerous tools available in the market to retrieve

Whois information. A few are mentioned as follows:

pp CountryWhois ----Source: http://www.tamos.com

CountryWhois is a utility for identifying the geographic location of an IP address. CountryWhois can be used to analyze server logs, check email address headers, identify online credit card fraud, or in any other instance where you need to quickly and accurately determine the country of origin by IP address.

Lan Whois Source: http://lantricks.com

LanWhols provides information about domains and addresses on the Internet. This program helps you determine who, where, and when the domain or site you are interested in was registered, and the information about those who support it now. This tool allows you to save your search result in the form of an archive to view it later. You can print and save the search result in HTML format.

Module 02 Page 194

http://tools

https://www.ultratools.com/whois/home

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

P t Batch IP Converter ■j î t *

Source: http://www.networkmost.com

Batch IP Converter is a network tool to work with IP addresses. It combines Domain-to-IP Converter, Batch Ping, Tracert, Whois, Website Scanner, and Connection Monitor into a single interface as well as an IP-to-Country Converter. It allows you to look up the IP address for a single or list of domain names and vice versa.

I r1־ CallerIP Source: http://www.callerippro.com

CallerIP is basically IP and port monitoring software that displays the incoming and outgoing connection made to your computer. It also allows you to find the origin of all connecting IP addresses on the world map. The Whois reporting feature provides key information such as who an IP is registered to along with contact email addresses and phone numbers.

®1— Whois Lookup M ׳ ultiple Addresses Source: http://www.sobolsoft.com

This software offers a solution for users who want to look up ownership details for one or more IP addresses. Users can simply enter IP addresses or load them from a file. There are three options for lookup sites: whois.domaintools.com, whois-search.com, and whois.arin.net. The user can set a delay period between lookups, to avoid lockouts from these websites. The resulting list shows the IP addresses and details of each. It also allows you to save results to a text file.

W hois Analyzer Pro Source: http://www.whoisanalvzer.com

This tool allows you to access information about a registered domain worldwide; you can view the domain owner name, domain name, and contact details of domain owner. It also helps in finding the location of a specific domain. You can also submit multiple queries with this tool simultaneously. This tool gives you the ability to print or save the result of the query in HTML format.

HotWhois Source: http://www.tialsoft.com

HotWhois is an IP tracking tool that can reveal valuable information, such as country, state, city, address, contact phone numbers, and email addresses of an IP provider. The query mechanism resorts to a variety of Regional Internet Registries, to obtain IP Whois information about IP address. With HotWhois you can make whois queries even if the registrar, supporting a particular domain, doesn't have the whois server itself.

Module 02 Page 195

http://www.networkmost.com

http://www.callerippro.com

http://www.sobolsoft.com

http://www.whoisanalvzer.com

http://www.tialsoft.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Whois 2010 Pro Source: http://lapshins.com

Whois 2010 PRO is network information software that allows you to look up all the available information about a domain name, including country, state or province, city, administrator, and technical support contact information.

(W) Active Who is Source: http://www.johnru.com

ActiveWhois is a network tool to find information about the owners of IP addresses or Internet domains. You can determine the country, personal and postal addresses of the owner, and/or users of IP addresses and domains.

W hoisThisDomain Source: http://www.nirsoft.net

WhoisThisDomain is a domain registration lookup utility that allows you to get information about a registered domain. It automatically connects to the right WHOIS server and retrieves the WHOIS record of the domain. It supports both generic domains and country code domains.

Module 02 Page 196

http://lapshins.com

http://www.johnru.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

WHOIS Lookup Online Tools C E H

Whois http ://to ols. whois.net

SmartWhois http://sm a rtw hois. com

% DNSstuff mimr h ttp :/ /w w w . dnss tuff, com

־ ■ = ־

ה־ז Better Whois1 1 n http ://w w w . betterwhois. com

Network Solutions Whois http://w w w .netw orksolutions.comc

m Whois Source p y y h ttp :/ /w w w . whois.se

WebToolHub h ttp :/ /w w w . webtooll 1 • whois-lookup. aspx

Web Wiz h ttp :/ /w w w . webwiz.co. uk/dom ain־ tools/whois-lookup.htm

§fc]

Ultra Tools https://w w w .ultratools.com /w hois/hom e

Network-Tools.com http ://netw ork-tools. com

WHOIS Lookup Online Tools In addition to the Whois lookup tools mentioned so far, a few online Whois lookup tools

are listed as follows:

Q SmartWhois available at http://smartwhois.com

Q Better Whois available at http://www.betterwhois.com

O Whois Source available at http://www.whois.se

Q Web Wiz available at http://www.webwiz.co.uk/domain-tools/whois-lookup.htm

Q Network-Tools.com available at http://network-tools.com

Q Whois available at http://tools.whois.net

Q Network Solutions Whois available at http://www.networksolutions.com

S WebToolHub available at http://www.webtoolhub.com/tn561381-whois-lookup.aspx

Q Ultra Tools available at https://www.ultratools.com/whois/home

Module 02 Page 197

http://tools

http://smartwhois

http://www.networksolutions.com

https://www.ultratools.com/whois/home

http://network-tools

http://smartwhois.com

http://www.betterwhois.com

http://www.whois.se

http://www.webwiz.co.uk/domain-tools/whois-lookup.htm

http://tools.whois.net

http://www.networksolutions.com

http://www.webtoolhub.com/tn561381-whois-lookup.aspx

https://www.ultratools.com/whois/home

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Methodology CEH

WHOIS Footprinting

DNS Footprinting

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

Footprinting through Search Engines

Website Footprinting

Email Footprinting

Competitive Intelligence

Footprinting using Google

Footprinting M ethodology --- The next phase in footprinting methodology is DNS footprinting.

This section describes how to extract DNS information and the DNS interrogation tools.

Module 02 Page 198

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Extracting DNS Inform ation CEH (•rtifwd ithiul •UtkM

0 0 Attacker can gather DNS information to determine key hosts in

3 2the network and can perform social engineering attacks 0 0

DNS Interrogation Tools

DNS records provide important information about location and type of servers

R e co rd T yp e D e s c r ip tio n

A Points to a host's IP address

MX Points to domain's mail server

NS Points to host's name server

CNAME Canonical naming allows aliases to a host

SOA Indicate authority for domain

SRV Service records

PTR Maps IP address to a hostname

RP Responsible person

HINFO Host information record includes CPU type and OS

TXT Unstructured text records

Extracting DNS Information DNS footprinting allows you to obtain information about DNS zone data. This DNS

zone data includes DNS domain names, computer names, IP addresses, and much more about a particular network. The attacker performs DNS footprinting on the target network in order to obtain the information about DNS. He or she then uses the gathered DNS information to determine key hosts in the network and then performs social engineering attacks to gather more information.

DNS footprinting can be performed using DNS interrogation tools such as www.DNSstuff.com. By using www.DNSstuff.com, it is possible to extract DNS information about IP addresses, mail server extensions, DNS lookups, Whois lookups, etc. If you want information about a target company, it is possible to extract its range of IP addresses utilizing the IP routing lookup of DNS stuff. If the target network allows unknown, unauthorized users to transfer DNS zone data, then it is easy for you to obtain the information about DNS with the help of the DNS interrogation tool.

Once you send the query using the DNS interrogation tool to the DNS server, the server will respond to you with a record structure that contains information about the target DNS. DNS records provide important information about location and type of servers.

Q A - Points to a host's IP address

Module 02 Page 199

http://www.DNSstuff.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Q MX ־ Points to domain's mail server

Q NS - Points to host's name server

Q SRV - Service records

Q PTR - Maps IP address to a hostname

A few more examples of DNS interrogation tools to send a DNS query include:

Module 02 Page 200

http://www.dnsqueries.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Extracting DNS Inform ation CEH (Cont’d) (•rtifwtf | EthKJi ■UckM

^ Perform DNS query

microsoft.com

This tool is very useful to perform a DNS query on any host. Each domain name (Example: dnsqueries.com) is structured in hosts (ex:

Q ueries, com) and the DNS (Domain Name System) allow to translate the domain name or the hostname in an IP Address 10 contact via the 1 (3 *1 IP protocol. There are serveral types of queries, corresponding to all the Implemen table types of DNS records such as A record, MX. AAAA, CNAME and SOA.

Results for checks on microsoft.com Host TTL Class lype Details

microsoft.com !J 3381 IN TXT FbUF6DbkE*Aw1 /v/i9xgDi3KVrllZus5v8L6tblQZkGrQ׳rVQKJi8CjQbBtWt£64ey4NJJv/j5J65PlggVYNabdQ—

microsoft.com 3381 IN TXT v-spf1 Include: spf-a.mlcrosoft.com Include :_spf-b.mfcrosoft.com 1nclude:_spf־c.mlcrosoft.com 1nclude:_spf-ssg• a.microsoft.com ip4:l31.107.115.215 Ip4:131.107.115.214 ip4:205.248.106.64 ip4:205.248.106.30 ip4:205.248.106.32 *all

mlcrosoft.com ^ 3381 IN MX 10 (nall.messaglng.mlcrosort.com !J 111ic1ubuft.com J 3381 IN SOA ns1.msft.net mbnhbt.n1iaosoft.com 2012071602 3C0 600 2419200 3600 microsoft.com 3381 IN A 64.4.11.37 microsoft.com 3381 IN A 65.55.58.701 $ microsoft.com 'J 141531 IN NS ns5.msft.net microsoft.com 141531 IN NS ns2.msft.net microsoft.com ^ 141531 IN NS ns1.msft.net $ microsoft.com $ 141531 IN NS ns3.msft.net $ microsoft.com $ 141531 IN NS ns4.msft.net yj}

http://www.dnsqueries. com

Extracting DNS Information (Cont’d) Source: http://www.dnsqueries.com

Perform DNS query available at http://www.dnsqueries.com is a tool that allows you to perform a DNS query on any host. Each domain name (example: dnsqueries.com) is structured in hosts (ex: www.dnsqueries.com) and the DNS (Domain Name System) allows anyone to translate the domain name or the hostname in an IP address to contact via the TCP/IP protocol. There are several types of queries, corresponding to all the implementable types of DNS records such as a record, MX, AAAA, CNAME, and SOA.

Now let's see how the DNS interrogation tool retrieves information about the DNS. Go to the browser and type http://www.dnsqueries.com and press Enter. The DNS query's homesite will be displayed in the browser.

Enter the domain name of your interest in the Perform DNS query's HostName field (here we are entering Microsoft.com) and click the Run tool button; the DNS information for Microsoft.com will be displayed as shown in the following figure.

Module 02 Page 201

http://www.dnsqueries

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Q Perform DNS query

Hostflame: [mcrosoftcom

Type: ANY 0 | Run toohT

This tool is very useful to perform a DNS query on any host. Each domain name (Fxample: dnsqueries.com) is structured in hosts (ex: www.dnsqu0n0s.com) and the DNS (Domain Name System) allow ovorybody to translato tho domain namo or tho hostname in an IP Addross to contact via the TCP/IP protocol. There are server^ types of queries, corresponding to dll the implemen table types of DNS records such as A record, MX, AAAA, CNAME and SO A.

Results for checks on m1crosoft.com Host TTL Class Type Details

microsoft.com 3381 IN TXT FbUF6DbkE*Avvl/wi9xgDi8KVrllZus5v8L6tblQZkGrQ/׳VQKJi8CjQbBtWtE64ey4NJJvvj5J65PlggVYNabdQ-־

micr030ft.c0m 3381 IN TXT b.mfcrosoft.com lnclude:_spf-c.mlcrosoft.com lndude:_spf-ssg־ -v=spf1 lnclude:_spf-a.mfcrosofLcom lndude:_spf

a.microsoft.com ip4:l3l.107.115.215 ip4:l31 .107.115.214 ip4:2G5.248.100.64 ip4:205.243.106.30 ip4:2D5.248.106.32 'all

microsoft.com 3381 IN MX 10 mail.mes5aging.micro50ft.c0m microsoft.com ^ 3381 IN SOA nsl.msft.netmsnhst.microsoft.com 2012071602 300 600 2419200 3600 microsoft.com 3381 IN A 64.4.11.37 s J microsoft.com 3381 IN A 65.55.58.701 microsoft.com ^ 141531 IN NS ns5.msft.net microsott.com ^ 141531 IN NS ns2.mstt.net $ microsoft.com CJ 141531 IN NS ns1.msft.net !£} microsoft.com Q 141531 IN NS ns3.msft.net n1icr050ft.c0m ^ 141531 IN NS r154.t1tsft.r1et

FIGURE 2.32: Screenshot showing DNS information for Microsoft.com

Module 02 Page 202

http://www.dnsqu0n0s.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

DNS In te r ro g a tio n Tools CEH

DNSWatch ____ נ h ttp ://w w w .d n s watch, info

DIG h ttp ://w w w .k lo th .n e tA

DomainTools http ://w w w .dom ain too ls.com

myDNSTools h ttp ://w w w .m yd n s tools.info

ffjp Professional Toolset 1rv '- , DNS s l l i h ttp :/ /w w w . dnsstuff. com (0m http://e-dns.org

DNS Lookup Tool h ttp :/ /w w w . webwiz. co. uk

DNS Records http ://n et w ork- tools.com

DNS Query Utility h ttp :/ /w w w . webmas ter- toolki t. comח DNSData Viewh ttp ://w w w .n irso ft.ne t

DNS Interrogation Tools A few more well-known DNS interrogation tools are listed as follows:

DIG available at http://www.kloth.net

myDNSTools available at http://www.mydnstools.info

Professional Toolset available at http://www.dnsstuff.com

DNS Records available at http://network-tools.com

DNSData View available athttp://www.nirsoft.net

DNSWatch available at http://www.dnswatch.info

DomainTools Pro available at http://www.domaintools.com

DNS available at http://e-dns.org

DNS Lookup Tool available at http://www.webwiz.co.uk

DNS Query Utility available at http://www.webmaster-toolkit.com

Module 02 Page 203

http://www.dns

http://www.kloth.net

http://www.domaintools.com

http://www.mydnstools.info

http://www.kloth.net

http://www.domaintools.com

http://www.dnswatch.info

http://e-dns.org

http://www.webwiz.co.uk

http://www.webmaster-toolkit.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Methodology CEH

WHOIS Footprinting

DNS Footprinting *ך

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

Footprinting through Search Engines

Website Footprinting

Email Footprinting

Competitive Intelligence

Footprinting M ethodology The next step after retrieving the DNS information is to gather network-related

information. So, now we will discuss network footprinting, a method of gathering network- related information.

This section describes how to locate network range, determine the operating system, Traceroute, and the Traceroute tools.

Module 02 Page 204

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Locate the N etw ork R ange C (citifwd

EH IthKJI lUckM

Network Whois Record Queried whois.arin.net with "n 207.46.232.182"...

207.46.255.255. 0 . 0 .0/16

207.46 207.46

NetRange: CIDR: OriginAS: NetName: NetHandle: Parent: NetType: NameServer: NameServer: NameServer: NameServer: NameServer: RegDate: Updated: Ref: 207-46-0-0-1 OrgName: Orgld: Address: City: StateProv: PostalCode: Country: RegDate: Updated: Ref: OrgAbuseHandle OrgAkuseName: OrgAbusePhone: OrgAbuseEmail: OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE231-ARIN

M IC R O SO FT-G LO B A L-N ET NET-207-46-0-0-1 NET-207-0-0-0-0 Direct Assignment NS2.MSFT.NET NS4.MSFT.NET NS1.MSFT.NET NS5.MSFT.NET NS3.MSFT.NET 1997-03-31 2004-12-09 http://whois.arin.net/rest/net/NET-

Microsoft Corp MS FT One Microsoft Way Redmond WA 98052 US 1998-07-10 2009-11-10 http://whois.arin.net/rest/org/MSFT ABUSE231-ARIN Abuse +1-425-882-8080 [email protected]

J Network range information obtained assists an attacker to create a map of the target's network

J Find the range of IP addresses using ARIN whois database search tool

J You can find the range of IP addresses and the subnet mask used by the target organization from Regional Internet Registry (RIR)

Attacker

Network

־« Locate the Network Rangeנ-ז To perform network footprinting, you need to gather basic and important

information about the target organization such as what the organization does, who they work for, and what type of work they perform. The answers to these questions give you an idea about the internal structure of the target network.

After gathering the aforementioned information, an attacker can proceed to find the network range of a target system. He or she can get more detailed information from the appropriate regional registry database regarding IP allocation and the nature of the allocation. An attacker can also determine the subnet mask of the domain. He or she can also trace the route between the system and the target system. Two popular traceroute tools are NeoTrace and Visual Route.

Obtaining private IP addresses can be useful for an attacker. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private Internets: 10.0.0.0-10.255.255.255 (10/8 prefix), 172.16.0.0-172.31.255.255 (172.16/12 prefix), and 192.168.0.0-192.168.255.255 (192.168/16 prefix).

The network range gives you an idea about how the network is, which machines in the networks are alive, and it helps to identify the network topology, access control device, and OS

Module 02 Page 205

http://whois.arin.net/rest/poc/ABUSE231-ARIN

http://whois.arin.net/rest/net/NET-

http://whois.arin.net/rest/org/MSFT

https://www.arin.net/knowledge/rirs.html

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

used in the target network. To find the network range of the target network, enter the server IP address (that was gathered in WHOIS footprinting) in the ARIN whois database search tool or you can go to the ARIN website (https://www.arin.net/knowledge/rirs.html) and enter the server IP in the SEARCH Whois text box. You will get the network range of the target network. If the DNS servers are not set up correctly, the attacker has a good chance of obtaining a list of internal machines on the server. Also, sometimes if an attacker traces a route to a machine, he or she can get the internal IP address of the gateway, which might be useful.

N e tw o rk W hois Record

Queried whois.arin.net with "n 207.46.232.182", 207.46.0.0 - 207.46.255.255 207.46.0.0/16

MICROSOFT-GLOBAL-NET NET-207-46-0-0-1 NET-207-0-0-0-0 Direct Assignment NS2.MSFT.NET NS4.MSFT.NET NS1.MSFT.NET NS5.MSFT.NET NS3.MSFT.NET 1997-03-31 2004-12-09 http://whois.arin.net/rest/net/NET-

Microsoft Corp MS FT One Microsoft Way Redmond WA 98052 US 1998-07-10 2009-11-10 http://whois.arin.net/rest/org/MSFT

OrgAbuseHandle: ABUSE231-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-425-882-8080 OrgAbuseEmail: [email protected] OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE231-ARIN

You need to use more than one tool to obtain network information as sometimes a single tool is not capable of delivering the information you want.

Module 02 Page 206

http://whois.arin.net/rest/net/NET-

http://whois.arin.net/rest/org/MSFT

http://whois.arin.net/rest/poc/ABUSE231-ARIN

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Determine the Operating System c (•itifwd

EH tUMJl NMhM

Use the Netcraft tool to determine the OSes in use by the target organization

\ Determ ine the Operating System Source: http://news.netcraft.com

So far we have collected information about IP addresses, network ranges, server names, etc. of the target network. Now it's time to find out the OS running on the target network. The technique of obtaining information about the target network OS is called OS fingerprinting. The Netcraft tool will help you to find out the OS running on the target network.

Let's see how Netcraft helps you deter,ome the OS of the target network.

Open the http://news.netcraft.com site in your browser and type the domain name of your target network in the What's that site running? field (here we are considering the domain name "Microsoft.com"). It displays all the sites associated with that domain along with the operating system running on each site.

Module 02 Page 207

http://news.netcraft.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

OS, W»b Server asd Mosang Mi כ lory for wlnOovvs./ricrosoft.coa(

kB tx kO m i* M ac** Cap

!Acre** Cap U«rcs»«Cap Macao• Cap MCTCSJtCCfp U creot Ccrp

Cap 5 •ג Were M acsX Cap Mercs* Cap M acs* Cap

M 55 175 113 MW 175183 6( (£8133 55 55175 183 5555.176183 85 54 175183 56 52103 234 55 52 103234 55 52103 ?34 65 5€ 175 183

I8-JUI-20I2 14• Jul-901? Jun 2012 י 8 14-Ju1-2012׳ 18-May-2012 14-M ay-2012 Apr-2012 12-Apf-2012 ־10 18-Uar-?01? 11 Mar-2012

MUOJWM 8/7.5 Micr6s08-8S/7 5 Micrc&jt IIS/7 ( Miaoao8-83/7 5 MCT0S08-8S// 5 Micrcs3MS/7 6 Micrc&o• IIS/7 6 Ma080t-83f7.5 Mieroso8-8S/7 5 Microsoft IS/7.5

raeic-p f* FJf.-P F6 6IC P F5 NG-P Ft fclG-P f t 61C-P rsc ic p F5 e»G-P F5 BIC-P F5 6ICP

(1M 1) 2*120*24:13 Server

M1ac30C-fS/7 5 &0F UtCTCSOMS/7 Q MacsoC-IS/7 5 Uiereaol IS/7 £ Macao** 2/7: MCTC90MS/7 5 U*<reco*-IS/7 5 Macao• IS/7 5 WlCTCSOf-M־ IP*/׳l2 0 Mac*0MS/7 5 ItKTCMUt f̂ Macao«-l2/7 5 Ma«S0M3//S MacsoS-IS/7 5 Mtacto• IS/7 6 UatMHVTS MOCHOUSM 0 u>ae sol 1V7 « Macao• ■S/7 0 MOC30MS/7 3

OS v/!1«o*3 S»r.־a 2CC8 reoG-f* vvnooftS Str.fr ?K8 UKTOOT

FSBCP wnoows s*rrtf 2W8 inrrow* Pf&C-P rsoG-r

F6AC4P WV»40«s 8 wva 2CC3

DM) n«C«r al*» F5BC P

Mac; Uptime - the Dm* since taat rcboct !3 explained I* ®»«f AO S8e Awaoe Uax

MMvvpasspMtco-n 60 129 www> encarU.com 52 56 J asxovev com 48 91 *MMvcaigeiAteem 46 81 ? mado com 41 £6 ! rriacsoCcgma 39 39 mtreso* iu 38 50 ! rrtjrjf• hcrro rmcratol com 38 84 c9lm acao8.com 3® 66 < * mw 12:2:1 r*1 33 77 n׳Krc*08c0m 32 *6 wwwmsncemlw 20 52 catccant 20 £0 wwwoficccom 20 185 eSkenMcracallMm 95 110 Mogi t#<hn«tc«m 36 20 wwm inuoaot com! 24 45 ! lemincom 92 ?4 men cep 32 36 LVECOU 20 51 msaccm 79 8ו >

r i E T C R ^ F T

Search Web by Domain I E'pbre 1.045.745 w#& z f t u s ted ty users ofth• Naicrafl Toolbar 3rd August 2012

• יי״י• • • ׳ ׳ ״

contains »>ב 3

|I lookup!

a te conto.ns .nat eraft.com

Results for microsoft 1 Found 2 5 2 s ite s

S i te S ite R eport First s e e n N etb lock O S

1. w .xn:f5J0f:.:«r1 a august 1995 microsoft corp otrix netscaler 1 2. :u»p ertm t050 ׳ ft.t0״׳ e octobar 1997 microsoft corp unicnown 1 3. f'ecs'tfO T a august 1999 mieroseft corp otrix n■tacit— 1 4. «*nd9M.Tkf*f«ft.tem a juo• 1998 microsoft corp w rioon * * 2 0 0 8 ־♦%־ 1 5. m*d־».microsoft com a sootennbar 1998 microsoft con> otrix netscaler 1 6- ce-m1:ro*oftxom £1 november 1998 microsoft corp unoow n

7. social technec.microscft.ccm a august 2008 microsoft corp citnx netscaler 1 8. ■'tswara.nnicroioft.coni a august 2009 microsoft •mtted WrCovys se •■.«■2008 ־

9. wm w pde8»m ten*eftcom £1 may 2007 *״ r fiw . « >«0 ׳ 2כ « 10. ! • o d midr'.mKroM/t.io^i (U august 2008 otrix *atacaler

11■ } • a nevember 2001 m» hatma•! ctrix nstscal•' 12. *»«d0»<«upd»ta.׳nKr©«©#t.<0m a fabuary 1999 microsoft carp - r S o *״ S*'v«r 2009 13. nffdit• c#׳r1 a fsbuary 3003 microsoft carp wr«<M1 ■••var ?90S 14. a november ?008 alcama! technologies Inn* IS. soarch.mKroscft.ccm a January 1997 K im i! international ה v Unux 16. ***(.mKroioftstor• co'T a november 2008 d«ltal river Ireland ltd. f3 b io-c 17. og«r.־rteroicHoo mo.com a december 2010 microsoft corp w rcov• so ZJOJ ־♦.״ IB. Mer.mKr0B0ft.c0m a october ג00כ microsoft corp w rcova s« \־ e •־־ 200

FIGURE 2.33: Netcraft showing the operating system that is in use by Microsoft

Module 02 Page 208

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Determ ine the Operating System (Cont’d)

((IL* SHODAN Search Engine Source: http://www.shodanha.com *“׳׳'־״'

Use SHODAN search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.

Ex p o s e O nline D evices . W eb c a m s . Ro u ters. POWER PLANTS. IPHONES. W IND TURBINES. REFRIGERATORS. VOIP PHONES.

Take a To u r Fr ee S io n U p

Papular Search Querios: RuggotiConi oyposod via lolnot Wired: http:Mww.w1rcc.c0fn1l1rcaccvcy2u12;tM׳ruggodcom-IncMooti (-ull Oiscloctrc: http:/soc,.-

Fo l l o w M eLe a r n M o r e Gel rnorc oat cf ycur 5cj־cf־c3 and find •*־ mfnmaton >**1 rww)©U D evelo per API2 ■ Ond out how 10 accc33 the Qhodan ilHtalMSH with P/lhon. Pw1 ot Ruby

FIGURE 2.34: SHODAN Search Engine screenshot

Module 02 Page 209

http://www.shodanha.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

* SHODAN Search

HTTP 1.0 403 Forbidden Content-Length 218 Content •Type: texthtml Server Microsoft-IIS 6.0 IISExport: This web site was exported usmg US Export v4J X-Powered-By: ASP.NET Date: Tue? 25 Sep 2012 01:53:00 GMT

Error 66.77.20.147 W in d o w s XP B1znews24.com Added on 25 09 2012 S § Arington

clients2.bn24.com

www.net.cn) HTTP 1.0 200 OK Content-Type: texthtml Last-Modified Wed. 22 Jun 2011 10:28:46 GMT Accept-Ranges: bytes ETag: "083b42ac730ccl:0" Server. Microsoft-IIS 7.5 X-Powered-By ASP NET X-UA-Compatible E-EmulateIE7 Date: Tue, 25 Sep 2012 01:53:02 GMT Content •Length: 5304

112.127.180.133 HiChina W e b Solutions (B e rin g ) L im ited Added on 25 092012 H Chaoyang

The page must be viewed over a secure channel HTTP 1.0403 Forbidden Content-Length: 1409 Content-Type: texthtml Server Microsoft-IIS 6.0 X-Powered-By ASP NET Date: Tue, 25 Sep 2012 01:59:20 GMT

HTTP 1.0 200 OK Content-Type: texthtml Last-Modified: Sat, 20 Nov 2010 03:13:31 GMT Accept-Ranges: bytes ETag: “3a24cbe860S8cbl:0״ Server Microsoft-IIS 7.5 X-Powered-By: ASP NET Date: Tue, 25 Sep 2012 01:52:50 GMT

41.216.174.82 W in d o w s XP V D T Co m m u n ic a tio n s Lim ited Added on 25 092012 I I

IIS7 110.142.89.161 T e ls tra In te rn e t Added on 25 09 2012 efl Wentworth Fals

Services HTTP 6,692.080 HTTP Alternate 164,711 FTP 13.543 SNMP 9,022 UPnP 6.392

Top Countries United States 3,352,389 China 506,298 United Kingdom 362,793 Germany 247,985 Canada 246,968

Top Cities Englewood 170,677 Beijing 111,663 Columbus 107,163 Dallas 90.899 Seoul 86,213

Top Organizations Verio Web Hosting 97,784 HiChina Web Solutions ... 52,629 Ecommerce Corporation 43,967 GoDaddy.com, LLC 33,234 Comcast Business Commu...

32,203

FIGURE 2.35: SHODAN screenshot

Module 02 Page 210

http://www.net.cn

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHTraceroute Traceroute programs work on the concept of ICMP protocol and use the TTL field in the header of ICMP packets to discover the routers on the path to a target host

IP Source Router Hop Router Hop Router Hop Destination Host

ICMP Echo request TTL = 1

Traceroute Finding the route of the target host is necessary to test against man-in־the־middle

attacks and other relative attacks. Therefore, you need to find the route of the target host in the network. This can be accomplished with the help of the Traceroute utility provided with most operating systems. It allows you to trace the path or route through which the target host packets travel in the network.

Traceroute uses the ICMP protocol concept and TTL (Time to Live) field of IP header to find the path of the target host in the network.

The Traceroute utility can detail the path IP packets travel between two systems. It can trace the number of routers the packets travel through, the round trip time duration in transiting between two routers, and, if the routers have DNS entries, the names of the routers and their network affiliation, as well as the geographic location. It works by exploiting a feature of the Internet Protocol called Time To Live (TTL). The TTL field is interpreted to indicate the maximum number of routers a packet may transit. Each router that handles a packet will decrement the TTL count field in the ICMP header by one. When the count reaches zero, the packet will be discarded and an error message will be transmitted to the originator of the packet.

Module 02 Page 211

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

It sends out a packet destined for the destination specified. It sets the TTL field in the packet to one. The first router in the path receives the packet, decrements the TTL value by one, and if the resulting TTL value is 0, it discards the packet and sends a message back to the originating host to inform it that the packet has been discarded. It records the IP address and DNS name of that router, and sends out another packet with a TTL value of two. This packet makes it through the first router, then times-out at the next router in the path. This second router also sends an error message back to the originating host. Traceroute continues to do this, and records the IP address and name of each router until a packet finally reaches the target host or until it decides that the host is unreachable. In the process, it records the time it took for each packet to travel round trip to each router. Finally, when it reaches the destination, the normal ICMP ping response will be send to the sender. Thus, this utility helps to reveal the IP addresses of the intermediate hops in the route of the target host from the source.

IP Source Router Hop Router Hop Router Hop Destination Host

ICMP Echo request TTl = 1 .............................. « ...................................................................................................................... '

a a a a H T S T S W S A A A A

••א-

ICMP error message

ICMP Echo request

A A A A A" — 1 ־ Mi A A .............................י■■■■■■■■■■■

ICMP error message

ICMP Echo request

A A A A | I

ICMP error message

ICMP Echo request

H I : : : : A ICMP Echo Reply

FIGURE 2.36: Working of Traceroute program

How to use the tracert command

Go to the command prompt and type the t r a c e r t command along with destination IP address or domain name as follows: C:\>tracert 216.239.36.10 Tracing route to ns3.google.com [216.239.36.10] over a maximum of 30 hops:

1 1262 ms 186 ms 124 ms 195.229.252.10 2 2796 ms 3061 ms 3436 ms 195.229.252.130 3 155 ms 217 ms 155 ms 195.229.252.114 4 2171 ms 1405 ms 1530 ms 194.170.2.57 5 2685 ms 1280 ms 655 ms dxb-emix-ra.ge6303.emix.ae [195.229.31.99] 6 202 ms 530 ms 999 ms dxb-emix-rb.solOO.emix.ae [195.229.0.230] 7 609 ms 1124 ms 1748 ms iarl-so-3-2-0.Thamesside.cw.net [166.63.214.65]

Module 02 Page 212

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

8 1622 ms 2377 ms 2061 ms eqixva-google-gige.google.com [206.223.115.21] 9 2498 ms 968 ms 593 ms 216.239.48.193 10 3546 ms 3686 ms 3030 ms 216.239.48.89 11 1806 ms 1529 ms 812 ms 216.33.98.154 12 1108 ms 1683 ms 2062 ms ns3.google.com [216.239.36.10]

Trace complete.

Module 02 Page 213

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

T ra c e ro u te A n a ly s is

Attackers conduct traceroute to extract information about: network topology, trusted routers, and firewall locations For example: after running several traceroutes, an attacker might obtain the following information: » traceroute 1.10.10.20, second to last hop is 1.10.10.1

EDno

10.20.10, third to last hop is 1.10.10.1 10.20.10, second to last hop is 1.10.10.50 10.20.15, third to last hop is 1.10.10.1 10.20.15, second to last hop is 1.10.10.50

» traceroute 1 & traceroute 1 » traceroute 1 a traceroute 1

J By putting this information together, attackers can draw the network diagram

I I I I I I I I I I I I I I I I I I I I 1.10.20.10 Web Server

1.10.10.20 Bastion Host

1.10.20.50 Firewall

1.10.20. Mail Server

Hacker

Traceroute Analysis s־־־ We have seen how the Traceroute utility helps you to find out the IP addresses of intermediate devices such as routers, firewalls, etc. present between source and destination. You can draw the network topology diagram by analyzing the Traceroute results. After running several traceroutes, you will be able to find out the location of a particular hop in the target network. Let's consider the following traceroute results obtained:

9 traceroute 1.10.10.20, second to last hop is 1.10.10.1 9 traceroute 1.10.20.10. third to last hop is 1.10.10.1

second to last hop is 1.10.10.50 third to last hop is 1.10.10.1 second to last hop is 1.10.10.50

traceroute 1.10.20.10 traceroute 1.10.20.10 traceroute 1.10.20.15 traceroute 1.10.20.15

By analyzing these results, an attacker can draw the network diagram of the target network as follows:

Module 02 Page 214

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

1.10.20.10 W e b S erve r

DMZ ZONE

1.10.20.50 F ire w a ll1.10.20.15

M a il S e rve r

1.10.10.50 F ire w a ll

1.10.10.1 Router

§ ........ Internet

FIGURE 2.37: Diagrammatical representation of the target network

Hacker

Module 02 Page 215

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Path Analyzer Pro and VisualRoute 2010 are the two tools similar to Traceroute intended to traceroute the target host in a network.

Path Analyzer Pro Source: http://www.pathanalyzer.com<

Path Analyzer Pro is a graphical-user-interface-based trace routing tool that shows you the route from source to destination graphically. It also provides information such as the hop number, its IP address, hostname, ASN, network name, % loss, latency, avg. latency, and std. dev. about each hop in the path. You can also map the location of the IP address in the network with this tool. It allows you to detect filters, stateful firewalls, and other anomalies automatically in the network.

Module 02 Page 216

http://www.pathanalyzer.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

VisualRoute 2010 Source: http://www.visualroute.com

This is another graphical-user-based tracing tool that displays hop-by-hop analysis. It enables you to identify the geographical location of the routers, servers, and other IP devices. It is able to provide the tracing information in three forms: as an overall analysis, in a data table, and as a geographical view of the routing. The data table contains information such as hop number, IP address, node name, geographical location, etc. about each hop in the route.

Features:

9 Hop-by-hop traceroutes

9 Reverse tracing

^ Historical analysis

9 Packet loss reporting

9 Reverse DNS

9 Ping plotting

9 Port probing

9 Firefox and IE plugin

Module 02 Page 217

http://www.visualroute.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Business Edition • Tnal day 1 of IS ־ s-VisualRoute 2010־ •0 v I1« c t PM ״ ? f More loolv . y swvw 1\ stoppedv».n-KT0«0ftaH

Frfe Ed* Options View M*p1 Tools H*4p v ►ttp :11thorn MyCompute*

Ana• ttformftori ן ĥ<k and 61»q Kgre to movt this vkwf /V Analysis in goneral thr* rout• is reasonably quick, with hop* !♦*ponding ^

on arerage within 122ms However, all hops after hop 10 in network ]Network for 207 46 47 18)* respond particularly *lowly

RTT 116 3m*/296m* ■ ״1־*״ ■

Packet Loss 36 l%/100%

Route length At least 17 hops Alternate 4 hop(*) hare alternate route* (Hop{*) 12.13.14 & 15)

?routes ״

^ WWW m*cf0*0« com (65 55 57 80)£ f|_

O M.m A lo o t s , i Run once

@ T ik « o u I • to w w w j1iK10to n .c o m ״ז9י

To www microsoft com (65 55 57 80) Location Redmond. WA. USA Network Microsoft Corp RTT • /•/•

Firewall Not responding to pings Open to http requests on port 80

Port Probe Running *enter Micro*o(WIS/7 5 Responded in 9543ms

Packet loss AH

OTitteioale to wwwmkio%oHxon\

You are on day l of a 15 day trial. For purchase information dick hare or enter a license key.

Your database is 338 days out of date dick here to update.

Ikst time use Spe<»»l Offer ? flkfc hflt IgMtMlglfliBBt Ofl VbmBglite'l 1 tttiflflil * Hours Only!

FIGURE 2.39: VisualRoute 2010 screenshot

Module 02 Page 218

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEH

3D Traceroute http ://w w w .d3 tr.de

AnalogX HyperTrace h ttp ://w w w . analogx. com

Ping Plotter http ://w w w .p ing plotter, com

T ra c e ro u te Tools (Cont’d)

Magic NetTrace h ttp ://w w w . tialsoft.com

Network Systems Traceroute http://www.net.princeton.edu

imot V4V

Network Pinger h ttp ://w w w . networkpinger. com

vTrace http ://v trace.p l

Roadkil's Trace Route h ttp ://w w w . roadkil. net

p^j

GEOSpider 1̂ 1 |rl h ttp ://w w w . ore ware, com

S i

Traceroute Tools (Cont’d) A few more traceroute tools similar to Path Analyzer Pro and VisualRoute 2010 are

listed as follows:

Q Trout available at http://www.mcafee.com

Q Roadkil's Trace Route available at http://www.roadkil.net

0 3D Traceroute available at http://www.d3tr.de

Q AnalogX HyperTrace available at http://www.analogx.com

Q Ping Plotter available at http://www.pingplotter.com

Module 02 Page 219

http://www.net.princeton.edu

http://vtrace.pl

http://www.networkpinger.com

http://www.oreware.com

http://vtrace.pl

http://www.mcafee.com

http://www.roadkil.net

http://www.tialsoft.com

http://www.d3tr.de

http://www.analogx.com

http://www.net.princeton.edu

http://www.pingplotter.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting M ethodology CEH

WHOIS Footprinting

DNS Footprinting

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

Footprinting through Search Engines

Website Footprinting

Email Footprinting

Competitive Intelligence

Footprinting using Google

s Footprinting M ethodology So far we have discussed various techniques of gathering information either with the

help of online resources or tools. Now we will discuss footprinting through social engineering, the art of grabbing information from people by manipulating them.

This section covers the social engineering concept and techniques used to gather information.

Module 02 Page 220

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting through Social r E ll Engineering ! z E

0 J Social engineering is the art of convincing people to reveal confidential n 0 information

r \ 4 1 r* J Social engineers depend on the fact that people are unaware of their

valuable information and are careless about protecting it 0

00 Social engineers use these techniques: S Eavesdropping S Shoulder surfing S Dumpster diving S Impersonation on social networking

sites a

m 00

00 Social engineers attempt to gather: Credit card details and social security ה

number & User names and passwords S Other personal information - Security products in use S Operating systems and software

versions S Network layout information S IP addresses and names of servers

Footprinting through Social Engineering Social engineering is a totally non-technical process in which an attacker tricks a

person and obtains confidential information about the target in such a way that the target is unaware of the fact that someone is stealing his or her confidential information. The attacker actually plays a cunning game with the target to obtain confidential information. The attacker takes advantage of the helping nature of people and their weakness to provide confidential information.

To perform social engineering, you first need to gain the confidence of an authorized user and then trick him or her into revealing confidential information. The basic goal of social engineering is to obtain required confidential information and then use that information for hacking attempts such as gaining unauthorized access to the system, identity theft, industrial espionage, network intrusion, commit frauds, etc. The information obtained through social engineering may include credit card details, social security numbers, usernames and passwords, other personal information, operating systems and software versions, IP addresses, names of servers, network layout information, and much more. Social engineers use this information to hack a system or to commit fraud.

Social engineering can be performed in many ways such as eavesdropping, shoulder surfing, dumpster diving, impersonation on social networking sites, and so on.

Module 02 Page 221

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Collect Information Using Eavesdropping, f C U Shoulder Surfing, and Dumpster Diving ™ [j

Dum pster Diving

6 Dumpster diving is looking for treasure in someone else's trash

« It involves collection of phone bills, contact information, financial information, operations related information, etc. from the target company's trash bins, printer trash bins, user desk for sticky notes, etc.

Shoulder Surfing

& Shoulder surfing is the procedure where the attackers look over the user's shoulder to gain critical information

» Attackers gather information such as passwords, personal identification number, account numbers, credit card information, etc.

Eavesdropping

Eavesdropping is unauthorized listening of conversations or reading of messages It is interception of any form of communication such as audio, video, or written

Collect Information using Eavesdropping, Shoulder Surfing, and Dumpster Diving

As mentioned previously eavesdropping, shoulder surfing, and dumpster driving are the three techniques used to collect information from people using social engineering. Let's discuss these social engineering techniques to understand how they can be performed to obtain confidential information.

Eavesdropping Eavesdropping is the act of secretly listening to the conversations of people over a

phone or videoconference without their consent. It also includes reading secret messages from communication media such as instant messaging or fax transmissions. Thus, it is basically the act of intercepting communication without the consent of the communicating parties. The attacker gains confidential information by tapping the phone conversation, and intercepting audio, video, or written communication.

י Shoulder Surfing

—«—- With this technique, an attacker stands behind the victim and secretly observes the victim's activities on the computer such keystrokes while entering usernames, passwords, etc.

Module 02 Page 222

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

This technique is commonly used to gain passwords, PINs, security codes, account numbers, credit card information, and similar data. It can be performed in a crowded place as it is relatively easy to stand behind the victim without his or her knowledge.

Dumpster Diving This technique is also known as trashing, where the attacker looks for information in

the target company's dumpster. The attacker may gain vital information such as phone bills, contact information, financial information, operations-related information, printouts of source codes, printouts of sensitive information, etc. from the target company's trash bins, printer trash bins, and sticky notes at users' desks, etc. The obtained information can be helpful for the attacker to commit attacks.

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Methodology

WHOIS Footprinting

DNS Footprinting

Network Footprinting

Footprinting through Social Engineering

Footprinting through Social Networking Sites

Footprinting through Search Engines

Website Footprinting

Email Footprinting

Competitive Intelligence

Footprinting using Google

Footprin ting M ethodology Though footprinting through social networking sites sounds similar to footprinting

through social engineering, there are some differences between the two methods. In footprinting through social engineering, the attacker tricks people into revealing information whereas in footprinting through social networking sites, the attacker gathers information available on social networking sites. Attackers can even use social networking sites as a medium to perform social engineering attacks.

This section explains how and what information can be collected from social networking sites by means of social engineering.

Module 02 Page 224

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Collect Inform ation through Social Engineering on Social Networking Sites

Attackers gather sensitive information through social engineering on social networking websites such as Facebook, MySpace, Linkedln, Twitter, Pinterest, Google+, etc.

Attackers create a fake profile on social networking sites and then use the false identity to lure the employees to give up their sensitive information

I V

Employees may post personal information such as date of birth, educational and employment backgrounds, spouses names, etc. and information about their company such as potential clients and business partners, trade secrets of business, websites, company's upcoming news, mergers, acquisitions, etc.

Using the details of an employee of the target organization, an attacker can compromise a secured facility§

C ollect In form ation th rough Social E ng ineering on Social N etw orking Sites

Social networking sites are the online services, platforms, or sites that allow people to connect with each other and to build social relations among people. The use of social networking sites is increasing rapidly. Examples of social networking sites include Facebook, MySpace, Linkedln, Twitter, Pinterest, Google+, and so on. Each social networking site has its own purpose and features. One site may be intended to connect friends, family, etc. and another may be intended to share professional profiles, etc. These social networking sites are open to everyone. Attackers may take advantage of these to grab sensitive information from users either by browsing through users' public profiles or by creating a fake profile and tricking user to believe him or her as a genuine user. These sites allow people to stay connected with others, to maintain professional profiles, and to share the information with others. On social networking sites, people may post information such as date of birth, educational information, employment backgrounds, spouse's names, etc. and companies may post information such as potential partners, websites, and upcoming news about the company.

For an attacker, these social networking sites can be great sources to find information about the target person or the company. These sites help an attacker to collect only the information uploaded by the person or the company. Attackers can easily access public pages of these

Module 02 Page 225

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

accounts on the sites. To obtain more information about the target, attackers may create a fake account and use social engineering to lure the victim to reveal more information. For example, the attacker can send a friend request to the target person from the fake account; if the victim accepts the request, then the attacker can access even the restricted pages of the target person on that website. Thus, social networking sites prove to be a valuable information resource for attackers.

Module 02 Page 226

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHInformation Available on Social Networking Sites

Attacker GetsOrganizations Do

User surveys .* Business strategies J I

Promote products * Product profile ....

Business strategies

Social engineering ........................

i Platform/technology '־: information

Type of business

User support

Recruitment

Background check to hire employees

What Users Do

Maintain profile

Connect to friends, chatting

Share photos and videos

i n

Play games, join groups

Creates events

What Attacker Gets

Contact info, location, etc.

Friends list, jk friends info, etc. A.

Identity of a family members

In form ation A vailable on Social N etw orking Sites So far, we have discussed how an attacker can grab information from social

networking sites; now we will discuss what information an attacker can get from social networking sites.

People usually maintain profiles on social networking sites in order to provide basic information about them and to get connected with others. The profile generally contains information such as name, contact information (mobile number, email ID), friends' information, information about family members, their interests, activities, etc. People usually connect to friends and chat with them. Attackers can gather sensitive information through their chats. Social networking sites also allow people to share photos and videos with their friends. If the people don't set their privacy settings for their albums, then attackers can see the pictures and videos shared by the victim. Users may join groups to plays games or to share their views and interests. Attackers can grab information about a victim's interests by tracking their groups and then can trap the victim to reveal more information. Users may create events to notify other users of group about upcoming occasions. With these events, attackers can reveal the victim's activities. Like individuals, organizations also use social networking sites to connect with people, promote their products, and to gather feedback about their products or services, etc. The

Module 02 Page 227

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

activities of an organization on the social networking sites and the respective information that an attacker can grab are as follows:

What Organizations Do What Attacker Gets

User surveys Business strategies

Promote products Product profile

User support Social engineering

Background check to hire employees

Type of business

TABLE 2.1: What organizations Do and What Attacker Gets

Module 02 Page 228

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Collecting Facebook Information C EH Facebook is a Treasure-trove for Attackers

Europe 223,376,640 _

V 174,586,680-'■׳ STk ׳־%', » 1 Middle East 18,241,080N. A m e ric i^ J^ 174,586,680 V/

Latin America 141,612,220

using Facebook all over the worldNumber of user

minutes time spent per visit

1 of every 5 of all page views

845 , 100 r\ *ייo O & M 250 W

million monthly billion million photos active users connections uploaded daily

C ollecting Facebook Inform ation Facebook is one of the world's largest social networking sites, having more than 845

million monthly active users all over the world. It allows people to create their personal profile, add friends, exchange instant messages, create or join various groups or communities, and much more. An attacker can grab all the information provided by the victim on Facebook. To grab information from Facebook, the attacker should have an active account. The attacker should login to his/her account, and search for either the target person or organization profile. Browsing the target person's profile may reveal a lot of useful information such as phone number, email ID, friend information, educational details, professional details, his interests, photos, and much more. The attacker can use this information for further hacking planning, such as social engineering, to reveal more information about the target.

Module 02 Page 229

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

About Basic Info The Otooal John legend Facebook Page. John legend new song *Tonght’ now on !Tires hQpe/£flh7&Ton0tf facrbook

O U H flM

Biography

Recordng artist, concert performer and tNantfropst John legend hat won nne Grammy *ward* and wa* named one ofTwemagaane * 100mo*trAjenftal

C m t u a / M

John legend CALL »€ (713) 502-8008

מג -lurched ha career as a sesson player and vocabt, corrbutrg to best ו sekng reardngi by lairyn H i, Ak>a Key*. Jay ■2 and •Canye West before recordng hs own irfcrofcen chan of Top 10 aborts •• Get lifted (2004), Once Agai ...Sea Mo*

Hornet 0—1

ItK O fd ljW

SpmgfieU. OM

GOOOMusc-Sony/Cotnt»a

Artists We Also Idee General TheArftsi* Orgaruabon

Estde, vaughn Anthony, Kanye West. Good M\j k Manager

י * ״ ״ Steve Wonder, Ne-Yo, AJ Green, Jeff Buddey

Carre•( location

New York

Contact Info

Webute http://www johrtegend com http://www.d10wmecanpegn.org

http:/,*www ״״yspace cow'jyyrtegend http://www. y0u%i)eccm/)0hr*egend

Crcabve Artets Agency

Facebook C 2012 • Engtah (US) About CreMe an Ad Cette a Page Developer* Careers ־ Privacy Cootoes - Term! Hefc>

FIGURE 2.40: Facebook screenshot

Module 02 Page 230

http://www.d10wmecanpegn.org

http://www.myiptest.com/staticpages/index.php/how-about-you

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEH Urtifwd ilhiul lUtbM

C ollecting Twitter Inform ation

Wayne Rooney C» wayneR00ney׳~

A Tiveets *1 im>

g t j Pau' WcCartnej 1a /-־•= 1

1811 donl 0ut9 ur«Je18l8rd w*tjr 1־׳e Mi w« have 10 he*־ eve-ryttmj in french Hit? ut»׳ty rdcjom

cant tele.e aTheReaKC3 fifKrtoano'a* c*f*n®njr *H0R88p#ct he don* *0 mjc'i « the couWy >־ ct4־o1C01r •oympcs

’•Jcov»*An<»VtfvJ

s Hope paulme n tr?»9I

a JR

K1:

ט *

Twee* to M ine Rooney j QWaynaBocncy

Tweeta

FOIWiina

v m m m

Wayne Rooney 3wsyr<־»J4»v,,־ I Great riotory of Brrt»r aiiesiy. Dtl'eient 11 r lib.o ooon UfC'B

Japan 29.9 million

r'es with largest^ 9

350 W million tweets a day

465 million accounts

Q55%#76% Twitter users access the platform via their mobile

Twitter users now post status updates

— C ollecting Tw itter In form ation Twitter is another popular social networking site used by people to send and read

text-based messages. It allows you to follow your friends, experts, favorite celebrities, etc. This site also can be a great source for an attacker to get information about the target person. This is helpful in extracting information such as personal information, friend information, activities of the target posted as tweets, whom the target is following, the followers of the user, photos uploaded, etc. The attacker may get meaningful information from the target user's tweets.

Module 02 Page 231

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance

* Follow A -

940 ,. ' f f !

119*

4,635.170

Wayne Rooney O ®wayneRooney haps/wwu. /acebooic.eom. ̂ ’ayntMoon*i/

1V / e e t S M No repliH Paul McCartney i . i :: י ■:-*y Nearly tome ptc twtter coaVSOCTlllW 0 D tM M d by W iyfl• Rooney

P ie rs M organ :♦-.־ .:•;j • l sti < צ0וח qute understand why me he! we have to hear everythrg מ FRENCH first7 Utter* ndicutous solympicceremony □ =K*«*!K ty Wayne Rooney Expand

P m ills vtrStacAV s cant befteve . TheReaUVC3 a not part of this ceremony London20l2= ״NoResped he done so much 4 the country Imao־ *Olympics ש Rtfwwwd ty Wayna Rooney Expand Wayne Rooney .», -•R::׳ «,

, Becks smie on the boat was so funny

v .H y i*״״ ׳Karl Hyde •'•ayneRooney themchaelowen becks to bght a footba■ and

bet I straight r to the Olympic stadum torch■ GO Ratweatad by Wayna Rooney

• V«a> oonvorMbon

*ScouseAndProud Rar—atad by Wayna Rooney ש

• v*■ oon»ar»at«n

Wayne Rooney «R «•׳׳:■: > Yes the beaoes Hope paul me a Sflgng later Representing ן Kerpool Best band ever

T w eet to W ayne Rooney

QWayneRooney

T w eets

FoSowing

Foiowers

Favortes

rwvcni ■׳■ayca

U W j 3 M About Halp Ta׳m* Privacy• 2012 Tw*ta»

Btog Statu• A Ad »*< ד ־ *♦ft B1

Wayne Rooney . i > ■*Rooney Ur bean Funny ן

Expand

Wayne Rooney vaynaRooeey , Great history of brtar already Different to any other ceremony i

have seen before

FIGURE 2.41: Twitter showing user's tweets

Module 02 Page 232

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Collecting Linkedin Information

lintedE).

• Go tack la S«t>c*

Chris Stone Pn.jr hi ■״יי׳:■ U ׳.׳1׳ .j.׳ itv י־•■ B-. 1• FWi; urn

B P “ ״־ C*rwl Progmmtn• Mnnnj>f M frclacfc* Bank 0■.Ijium

(S«H.*mpt0y*d) • •#•יי ״ •S Pwl ׳*MdotOp!!**"• PtyKt$ * Sv&oc K *XA BankEtra*•

Pre9tsm׳r10 Manigw a MA Bjn* tu׳:c< 0.1 »«(•>! ̂ i P>««r»1>wn ti *XA

tPxx!r *cnttVtX tnttto* & C w lfi tni *!*?•nt'ilo׳*

fa1r»»*11!1n )pNft'ImiKonminMOm

Conpjny W«6tM

0 » isi a ^ ■4 , in* FT

Y - ■ s - ־ • - - 2 million companies have Linkedin company pages

$522 million revenue for 2 0 1 1

2,447 employees located around the world

2 new members join every second

C ollecting L inked in Inform ation Similar to Facebook and Twitter, Linkedin is another social networking site for

professionals. It allows people to create and manage their professional profile and identity. It allows its users to build and engage with their professional network. Hence, this can be a great information resource for the attacker. The attacker may get information such as current employment details, past employment details, education details, contact details, and much more about the target person. The attacker can collect all this information with the footprinting process.

Module 02 Page 233

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Linked 03• Account bmc m**1׳ Horn* ProM• Contacts Group• Job■ inbox CoflipanM Non Mon

€ Go back 10 Soarch Results

See expanded

Connect Send InMari Save Chns's F

Chris Stone Programme Manager at Deutsche Bank Belgium Brussels Area Be*yum Management Consu»mg

Current Programme Manager at Deutsche Bank Belgium Direct or and Consultant * Program Management Solutions sp»l (Se It em ployed)

Past Head of Operations Projects & Support Investment Omsk*! at AXA Bank Europe Programme Manage* at AXA Bank Europe Outsourcing Programme & Procurement Manager at AXA BekpumO Mil••

Education Henot-Watt Institute of Chartered Secretaries and Adnw*st/ators

Recommendations 3 people have recommended Chns Connections 500• connections

Websites Company Webs4e Public Protoe http //be knkedn comWcsstone

FIGURE 2.42: Linkedln showing user's professional profile and identity

Module 02 Page 234

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Collecting Youtube Information I CEH

3 rd Most visited website tm « 900 Average time users spend according to Alexa Sec on YouTube every day

8 2 9 ,4 4 0 I Videos uploaded ,G E E

Q) 1] C ollecting YouTube Inform ation YouTube is a website that allows you to upload, view, and share videos all over the

world. The attacker can search for the videos related to the target and may collect information from them.

FIGURE 2.43: Youtube showing videos related to target

Module 02 Page 235

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

C EHTracking Users on Social Networking Sites J Users may use fake identities on social networking sites. Attackers use tools such as Get

Someones IP or IP-GRABBER to track users' real identity

J Steps to get someone's IP address through chat on Facebook using Get Someones IP tool:

Link for you

Open the URL in this field and keep checking for target's IP

Redirect URL

Enter any URL you want the target to redirect to

Link for Person

Copy the generated link of this field and send it to the target via chat to get IP address

Link ID IP Proxy Refer Dateffime

Ideujbg1f2 85.93.218.204 NO NO 2012-08-06 1 3:04 44

kKp«rs4«1: http Ifwmi nyiptesi corr/img ph3̂ d=z«uibg1f?8.'dr=viww gruil con&rd־=yatoc c>rr&

toe you: מזי >N*ww myiptest corvstatKpages/ndex prp«'׳to<«f-aboutyou'*d=zc»Mbj1G&shw* ip

http://www.myiptest.com

T rack ing Users on Social N etw orking Sites ̂ In order to protect themselves from Internet fraud and attacks, people with little

knowledge about Internet crimes may use fake identities on social networking sites. In such cases, you will not get exact information about the target user. So to determine the real identity of the target user, you can use tools such as Get Someone's IP or IP-GRABBER to track users' real identities.

If you want to trace the identity of particular user, then do the following:

• Open your web browser, paste the URL, and press Enter: http://www.myiptest.com/staticpages/index.php/how-about-you

• Notice the three fields at the bottom of the web page, namely Link for person, Redirect URL: http://, and Link for you.

• To get real IP address of the target, copy the generated link of the Link for person field and send it to the target via chat.

• Enter any URL you want the target to redirect to in the Redirect link: http:// field.

• Open the URL present in the Link for you field in another window, to monitor the target's IP address details and additional details.

Module 02 Page 236

http://www.myiptest

http://www.myiptest.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Link for person: http //www myiptest com/1 mg php7id=zdeujbq1f2&rdr=www gmail com&rdr=yahoo com&

Redirect URL: http# www gmail com

Link (or you: http //www myiptest com/staticpages/index php/how-about-you?id=zdeujbg1f2&showjp:

Link ID IP Proxy Refer Dateffime

zdeujbglf2 85.93.218.204 NO NO 2012-08-06 13:04:44

FIGURE 2.44: Tracing identity of user's

Module 02 Page 237

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Methodology

Footprinting Concepts

Footprinting Threats

Footprinting Counter- measures

Footprinting Penetration

Testing

Footprinting Tools

־ 1 M odule Flow Footprinting can be f:

that make information gathering an easy job. These tools ensure the maximum Footprinting can be performed with the help of tools. Many organizations offer tools

ף Footprinting Concepts |w־| Footprinting Tools

Footprinting Threats Footprinting Countermeasures

CD Footprinting Methodology vtv Footprinting Penetration Testing

This section describes tools intended for grabbing information from various sources.

Module 02 Page 238

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Tool: Maltego

Footprin ting Tool: M altego Source: http://paterva.com

Maltego is an open source intelligence and forensics application. It can be used for the information gathering phase of all security-related work. Maltego is a platform developed to deliver a clear threat picture to the environment that an organization owns and operates. It can be used to determine the relationships and real-world links between people, social networks, companies, organizations, websites, Internet infrastructure (domains, DNS names, Netblocks, IP addresses), phrases, affiliations, documents, and files.

'3־

■ r ־ V 1̂ & -י ° ° 0 O 0 9 o 9 <

o ‘ : J r * ^ O W c

Or״

— -

I ך ! — M

--------| | |

w m Personal InformationInternet Domain

FIGURE 2.45: Maltego showing Internet Domain and personal information

Module 02 Page 239

http://paterva.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Footprinting Tool: Dom ain Nam e Analyzer Pro CEH

Setting Window

http ://www. domoinpunch.1

Footprin ting Tool: D om ain N am e A nalyzer Pro Source: http://www.domainpunch.com

Domain Name Analyzer Professional is Windows software for finding, managing, and maintaining multiple domain names. It supports the display of additional data (expiry and creation dates, name server information), tagging domains, secondary whois lookups (for thin model whois TLDs like COM, NET, TV).

The following is a screenshot of the Domain Name Analyzer Pro tool showing domain name information:

Module 02 Page 240

http://www.domainpunch.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

T Z 0''Testdpng • Domain Name Analyze׳ Pro Output׳־*»C־

A1 ! נ נ ■C)ו Doium מ it»tu1 ׳ loolu* 0o«u VWw

_ Mrtc 0*Ht« «׳ SMdrt M ז1פ

CO*

COT

WDoalootupAt WTMJtMSJSPM

9 ttSSM TO I

Mi.1n.1S2J(

S M n

uptnctmlmctosofttom VMiDoicom cwtMhKftetca■ U|Rm<*k1 m nM .W M1211*2׳i * « Ml

/ Bar Domaaicert1fiedtwckef.com

me dflman certfô artec.com resot.es to an ip Address [202.7S.S4.101].

So t is most Hcely not avaiafeie for reparation unless your ISP, -j Unknowil networt admmrt&atof or you lux setic the local netmoA to resohe al host names.

You may use the iop Seangs and toaMe the ־Mranae Wtms loota**‘ option I you war* the •hois data nstead ths guck ONS based check.

ft i)ph»t«S< . t Hyph«n*te

WWW Do״ 901»fc fend

j״ j InAuctc 02 NctoAuc

400*99* •J I j Unt»99«dl•

■t [׳NAttO 01I IW 1fc nuu * U S M O • • Mat V I « D *״ * J *

Dom ain N a m e Information

FIGURE 2.46: Domain Name Analyzer Pro software showing Domain Name Information

Module 02 Page 241

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

CEHFootprinting Tool :Web Data Extractor J Extract targeted company contact data (email, phone, fax) from web for responsible b2b communication

J Extract URL, meta tag (title, description, keyword) for website promotion, search directory creation, web research

Footprin ting Tool: W eb D ata Extractor Source: http://www.webextractor.com

Web Data Extractor is a data extractor tool. It extracts targeted company contact data (email, phone, and fax) from the web, extracts the URL and meta tag (title, desc, keyword) for website promotion, searches directory creation, etc. The following is a screenshot of the Web Data Extractor showing meta tags:

Module 02 Page 242

http://www.webextractor.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Web Data Extractor 83

1 e e 1 Job• 0 1 16 | Cur tpeed 1 bp. I £t«t SlO£ I Avjj stm6 11111,11

E׳le yiew Uelp

m & ^£dr np»r>

Domai Pao* P0<׳* i«f ׳ro Key 12 01 2011 12-01 ■2011 12-01 2011 12-01 •2011 12-01 2011 12-01-2011 12-01-2011 12-01-2011 12-01-2011 12-01-2011 12-01-2011 12-01-2011 12-01-2011 12-01-2011 12-01-2011 12-01 2011 12-01-2011 12-01 2011 12-01-2011 12 01 2011 12-01-2011 12-01 2011 12-01 •2011 12 01 2011 12-01 •2011 12 01 2011 12-01 •2011 12-01 2011 12-01 •All I 12-01 •2011 12 □1 L011 12-01 2011 12-01 • A l l 12-01-2011

12GG1 39498 5GG3 9307 85319464 10049 3683 3089 4352 5767 5789 10147 10081 5762 9635 5828 9366 9594 8397 10804 1271G 8862 13274 12451 1409 16239 12143 16259 5227 8693 2963 5932 7909

sT<*rr Hot!Title־*־ com,0nlr< Onlne Booking: I # booking, hotel Drihe Ecckr http://calif cd־o c rrn/flnlr< f rlhf* Booking׳ Hot bccking. kclel □rirwEcckr h»־p / , c c conw'Onlrt Onlne Booking: Prr booking, Hotel Drihe Ecckr http://calif cd־o c corn/P-folirP-Folc hrp ־ ־*« .» c corn/'P-foli: F Tolc htip://1califcd־o : con>yP־fofc P-Folc Mip7;catieda c cora/P-folfc P־Folc http, ̂ cahfccho c ccn׳Keal I Frole^onal Realties eUa e.1ea=>־ote>nx«IFWT!://cai1f€«±a c corn/Real I FioIcs»b13־l Real E; ̂ c:Idc. ic<j כ=ו 0fc;^3evdF htpV/ccthfccfo c com/Real I Ftole^malR»aIE<r»a etta€,rea:>ote?tonalFhep://C«11f€<i־a c com/Real I Ftotessbnal Real E: 153 estae. tea ̂ ofcjiwnalFhUp://calif ed־o c conWReallFTole^malRaalEuaa ettae, rea 3־ote^xial F Wcp:'/c«1׳f€cf־a c com/RecicYcu coircav-PecSonckeywd A shat desaihtlp.//calif cd־o c com/'Recip You coTpary - Fee Soto keyword A *Hat deiai http://C6fhf€<f־a c con/Recic Ycu corpdrv-AtcSonetev-iod A :fa ! de:c1ihUD.//cef1ife1±a c com/Fleci;: Ycu ODrpa-y FeeS0n9kywdAskat dosaihtfp:/׳ccri1fcd1־a c com/Recic You corparp ־ Ccr Son- key ״!ad A *tort desai hip c oont/Recip Ycu oorpary Fee Sons kcy׳«crd A ska• dosa1htfp:/׳cahfcd־o c com/RecinYcu corpary - Pet Son- keypad A ?*־cii daciiKtrp //ceiiife+a c oorn/RecipYou ooirpary Fee Sons key Mad \ ska• dosai M‘p:/׳cerlifed־o c conWRecir Ycu aiTf-ary - Pec Son• keyword A ?ha• de?aihrcr/;ceriliecto c oom/'Rcoif Ycu covpary Pee Sone keypad A :ha• desaihttp://ca!ifccl־o c corWRedp Y a j eoTpary • F« Son• keyword A *km dMcrih(1f1׳/;c«(M«(ta c com/׳Socia Unite Togclhe1ijEl.cyv»cd»,orp A beef 0«:«|hltp://ca1ifcd־o c corn/Red(:Yaj conrpary • Fer Son* kpywrd A 1kcil deiaihltp־/,ee»Mect־A c oom/Socia h»*p://ca1ifc<J־o c corVSona Unite • 1 ogethei it k • ejvw-11: or p A t*el n*K־*( Mip׳/;e«M#eto c ccm/Socia Unite -1 ogethci i> C keyv*a di. w p A btef oe1.11( U p '/!■ahfaJ o t cont/Soci*Unite • 1 ogethei1: fc • ♦>v»c13:. 0» p A b<4f 0»f :■f h»׳p ׳,c«»hf«<*־.* c corWT uibc I U t '/cahfaJo t

M׳p ccfhfc>±o 0׳' ht'(j.//Leftfe1J 0 c Mtp:/;c«M«ch» c

l. ,/tahfaJ o c

ndo Under tho I ro י׳וזז0011 coru/Unde Under the Tie oora/Und* Undo! the I r# com/RcoitYcu -•-1 ויי_a 1

http //oeitfiedhacke hftp//oe1 http //ce http//ce IV.tDf //» hrtpr //ce HU//os h:b //cei N.t» //osilificdhacke http: //cei h*t>.//cc1lficdhackc http //esi hf.t>7/o=1lficdhacke htlp //cei H U M 08 Iv.tp //cs hr.io //on http //oo N.ID //03 http //c»3 hf(n//05 Iv.tp //cc hrtp/Zo־• Iv.tp //co k*tp//c®1 Iv.tp //coitfiedhackc 1Vtp//0il Utp//&e1tfiodhotko http //0*1 1 l.tu //us http//בכי 1r.to //c»1 help //c#1tfi»dh«ok• Hta //coiUipdhacko

tfiedhacke tfiedhacke tifiedhacke tficdhacke tfiedhad-.e tficdhacke tfiedhacke tficdhacke tfiedhacke tficdhacke tfiedhacke tficdhacke tfiedhacko tfiedhacke tfiodhacke tfiedhacke tfiedhacko tfiedhacke tfiedhacke tfiedhacke tficdhackc tfiedhacke tficdhackc tfiedhacke tficdhackc tfiedhacke tficdhacke tliedhacke tficdhacke ttiodhaoko tfimdliacke

C«W€<*-di co«n 11584 12-010 1 011̂/׳:MerSone keypad A tka»d*!a1Wp-׳ ־

FIGURE 2.47: Web Data Extractor showing meta tags

http://calif

http://C6fhf%e2%82%ac%3cf%d6%bea

http://ca!ifccl%d6%beo

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Additional Footprinting Tools CEH

Netmask http://www.phenoelit-us.org

Binging http ://w w w .b lue in fy . com

Spiderzilla http://spiderzilla .m o/dev. org

» Sam Spade http://www.majorgeeks.com

Robtex n < ^ K P j http ://ww w.robtex.com

Prefix Whols cc L U h ttp ://pwhois.org

NetScanTools Pro http://www.netscantools.com

Tctrace http://www.phenoelit-us.org

Autonomous System Scanner(ASS) http://www.phenoelit-us.org

DNS DIGGER http://www.dnsdigger.comi f i

A dditional Footprin ting Tools In addition to the footprinting tools mentioned previously, a few more tools are listed

as follows:

Prefix Whols available at http://pwhois.org י-

S NetScanTools Pro available at http://www.netscantools.com

Q Tctrace available at http://www.phenoelit-us.org

Q Autonomous System Scanner (ASS) available at http://www.phenoelit-us.org

£ DNS DIGGER available at http://www.dnsdigger.com

O Netmask available at http://www.phenoelit-us.org

S Binging available at http://www.blueinfy.com

Q Spiderzilla available at http://spiderzilla.mozdev.org

S Sam Spade available at http://www.majorgeeks.com

S Robtex available at http://www.robtex.com

Module 02 Page 244

http://spiderzilla.mo/dev

http://www.blueinfy

http://www.majorgeeks.com

http://www.robtex.com

http://pwhois.org

http://www.netscantools.com

http://www.netscantools.com

http://www.dnsdigger.com

http://pwhois.org

http://www.dnsdigger.com

http://spiderzilla.mozdev.org

http://www.blueinfy.com

http://www.majorgeeks.com

http://www.robtex.com

Exam 312-50 Certified Ethical HackerEthical Hacking and Countermeasures Footprinting and Reconnaissance

Additional Footprinting Tools (EH (C ont’d)

§ Dig Web Interface http://www.digwebinterface.com

ץ ■ SpiderFoot http://www.binarypool.com

Domain Research Tool http://www.domainresearchtool.com

CallerIP http://www.callerippro.com

ActiveWhois http ://ww w.johnru.com

Zaba Search http://www.zabasearch. com

m yoName Ww http://yoname.com

GeoTrace j http ://ww w.nabber.org

( ? W Ping-Probe http://www.ping-probe.com

DomainHostingView http ://w w w .n irsoft.ne t

A dditional Footprin ting Tools (C ont’d) Additional footprinting tools that are helpful in gathering information about the target

person or organization are listed as follows:

Q Domain Research Tool available at http://www.domainresearchtool.com

Q ActiveWhois available at http://www.johnru.com

Q yoName available at http://yoname.com

6 Ping-Probe available at http://www.ping-probe.com

0 CallerIP available at http://www.callerippro.com

Q Zaba Search available at http://www.zabasearch.com

Q GeoTrace available at http://www.nabber.org

DomainHostingView available at http://www.nirsoft.net

Module 02 Page 245

http://www.digwebinterface.com

http://www.binarypool.com

http://www.domainresearchtool.com

http://www.callerippro.com

http://www.johnru.com

http://www.zabasearch

http://yoname.com

http://www.nabber.org

http://www.ping-probe.com

http://www.digwebinterface.com

http://www.domainresearchtool.com

http://www.johnru.com

http://yoname.com

http://www.ping-probe.com

http://www.binarypool.com

http://www.callerippro.com

http://www.zabasearch.com

http://www.nabber.org