Scanning

*FOOTPRINTING / SCANNING*

 

Before there is an attack on a target machine, a hacker must go through a stage known as footprinting. This is when a hacker finds out as much as he or she can about a network, or about a specific machine on that network, to determine its weak points. In some cases the target machine is the final target; in others it is targeted only to be used as a stepping stone. Such machines are used to hide the hacker's identity (the eventual target logs the stepping stone's IP address instead of the hacker's IP) and/or because they have better access to the target (for example, the machine sits on the internal network behind the firewall).

There are a number of ways to gather information about a network. An obvious way to find out something about your target is to consult their website. Although you certainly won't find a layout of their network there, you may find some information that is helpful. Reading the page source may help too, as some designers leave comments in the HTML with information about the server or links to internal hosts. Another way to gain information is to consult services such as the ARIN database and Network Solutions, which offer whois lookups (descriptions of a domain or address block, also known as domain queries: registrant contacts, name servers and the IP ranges assigned to the organization), and the SEC's EDGAR database, which gives information on publicly traded companies.

After having found as much information as possible this way, it is time to try a more active search. Occasionally, a network's DNS server will be configured to allow zone transfers to anyone who asks. UNIX commands such as nslookup (the "ls -d domain" command in its interactive mode) or "host -l domain" request such a transfer, and on a misconfigured server the result is a listing of the hostnames and IP addresses of every machine in the zone. Although this is not critical information to the hacker, it can make his job easier and save him a lot of time, especially if the hostnames are descriptive of the machines they represent (e.g. router.anet.com). The same command is the check to run against your own name servers: a correctly configured server answers a stranger's transfer request with REFUSED. A hacker will also try a traceroute to the target machine and to other machines in the network to find out what machines are in between his location and the target, and to get a better idea of the layout of the network. This can be useful to see whether the target is behind a firewall (hops that stop answering, or a final hop that is not the target itself) and to determine the best method of entry.
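What a zone transfer looks like on the wire, as an added example that is not part of the original page: the Python below builds the same AXFR request that "host -l" or "dig axfr" sends over TCP, parses the records that come back (including DNS name compression, with a guard against pointer loops in hostile replies), and stops at the second SOA record that closes a transfer. Because it has to run offline, it also starts a constructed DNS server on 127.0.0.1 that allows transfers of a made-up zone, example.test., with addresses from the 192.0.2.0/24 documentation range; the zone, its records and start_fake_axfr_server() are assumptions for the demo, not anything from the page.

```python
# Added example, not from the original page: the AXFR request "host -l" or
# "dig axfr" sends, a parser for the records that come back, and a constructed
# stand-in DNS server serving a made-up zone (example.test., 192.0.2.x).
import socket
import struct
import threading

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AXFR = 1, 2, 6, 252

def encode_name(name):                            # 'www.example.test.' -> b'\x03www\x07example\x04test\x00'
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                        # must point backwards, else it is a loop
                raise ValueError("bad compression pointer")
            end = off + 2 if end is None else end
            off = ptr
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)

def build_axfr_query(zone, txid):                 # 12-byte header (flags 0 = query, QDCOUNT 1) + AXFR question
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", TYPE_AXFR, 1)

def parse_answers(msg):
    """Return [(owner, type, value)] from the answer section of one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0xF:                               # RCODE set; a locked-down server says 5 = REFUSED
        raise RuntimeError("transfer refused, rcode=%d" % (flags & 0xF))
    off, records = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4          # skip the echoed question
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        value = msg[off:off + rdlen].hex()        # raw RDATA for types not decoded below
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (TYPE_NS, TYPE_SOA):        # for SOA keep only the primary name server
            value = read_name(msg, off)[0]
        records.append((owner, {1: "A", 2: "NS", 6: "SOA"}.get(rtype, str(rtype)), value))
        off += rdlen
    return records

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-transfer")
        buf += chunk
    return buf

def zone_transfer(server, zone, port=53, timeout=5.0, txid=0x2A2A):
    query = build_axfr_query(zone, txid)
    records, soa_seen = [], 0                     # a transfer ends with a second SOA record
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)   # DNS over TCP: 2-byte length prefix
        while soa_seen < 2:
            length = struct.unpack(">H", recv_exact(s, 2))[0]
            for rec in parse_answers(recv_exact(s, length)):
                records.append(rec)
                soa_seen += rec[1] == "SOA"
    return records

def start_fake_axfr_server():
    """Constructed DNS server on 127.0.0.1 that allows AXFR of a small zone; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    zone = b"\xc0\x0c"                            # pointer to the question name at offset 12
    def rr(owner, rtype, rdata):
        return owner + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata
    soa = rr(zone, TYPE_SOA, b"\x03ns1" + zone + b"\x05admin" + zone
             + struct.pack(">IIIII", 2024010101, 3600, 900, 604800, 86400))
    answers = [soa, rr(zone, TYPE_NS, b"\x03ns1" + zone),
               rr(b"\x06router" + zone, TYPE_A, bytes([192, 0, 2, 1])), soa]
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:                            # echo the question, then the whole zone, SOA to SOA
                q = recv_exact(conn, struct.unpack(">H", recv_exact(conn, 2))[0])
                hdr = struct.pack(">HHHHHH", struct.unpack(">H", q[:2])[0], 0x8400, 1, len(answers), 0, 0)
                body = hdr + q[12:read_name(q, 12)[1] + 4] + b"".join(answers)
                conn.sendall(struct.pack(">H", len(body)) + body)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real server the call is zone_transfer("ns1.example.com", "example.com.") on port 53 (placeholder names). A correctly configured server answers with RCODE 5, REFUSED, which parse_answers raises as an error; getting that error back from your own name servers is the result you want.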

After finding out as much as possible about a target network, the hacker will scan the network to determine which machines are up, what operating system they run, and what services they have running. This is done using ping sweeps and port scans. A ping sweep involves pinging a list of IP addresses and recording the responses; those that respond indicate a running computer. A machine that does not answer is not necessarily down, however: many firewalls drop ICMP echo requests, so scanners fall back to probing a few TCP ports instead. Following the ping sweep, a hacker will do a port scan on the active machines to determine which services are running, i.e., which ports are open. Each service listens on a port: telnet, for example, is typically associated with 23, finger with 79, http with 80, rlogin with TCP 513 (rwho uses UDP 513), etc. A port that accepts a connection attempt is open, one that replies with a reset is closed, and one that never answers is usually being filtered by a firewall. There are many tools available on the internet that automate these processes. Nmap (Network Mapper), by Fyodor, is a very popular tool for such network scanning, which also offers OS detection by comparing quirks in the target's TCP/IP responses against a database of known stacks. OS detection is important because it gives the hacker an idea of what exploits he can use to his advantage, as they vary depending on the operating system.
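The sweep-then-scan procedure above, as an added example that is not part of the original page and not nmap's code: a TCP connect scan with a banner grab in Python. ICMP ping needs raw sockets (root), so host discovery here uses TCP probes instead, on the reasoning that a host which answers with either a connection or a reset is alive; the open/closed/filtered states follow the meaning nmap gives them. The start_fake_service() listener, its SMTP-style greeting, free_port() and the ports in the table beyond the ones the page names are constructed for the demo.

```python
# Added example (not from the original page): host discovery plus a TCP
# connect scan and banner grab, the hand-rolled equivalent of "nmap -sT".
# ICMP ping needs raw sockets (root), so discovery here uses TCP probes:
# a host that answers with a SYN/ACK *or* a RST is alive either way.
# start_fake_service(), its banner and free_port() are constructed for the demo.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Port -> service names from the page plus a few other IANA well-known ports.
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
              79: "finger", 80: "http", 111: "sunrpc", 443: "https", 513: "login"}

def tcp_probe(host, port, timeout=1.0):
    """One connect() attempt: 'open' (SYN/ACK), 'closed' (RST) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                    # timeout or unreachable: something is dropping packets
        return "filtered"
    finally:
        s.close()

def grab_banner(host, port, timeout=1.0, max_bytes=128):
    """Read whatever the service volunteers on connect (SMTP, FTP and SSH all greet first)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(max_bytes).decode("ascii", "replace").strip()
    except OSError:
        return ""

def sweep(hosts, probe_ports=(80, 22, 443), timeout=0.5):
    """TCP 'ping sweep': a host is up if any probe port answers at all."""
    return [h for h in hosts
            if any(tcp_probe(h, p, timeout) in ("open", "closed") for p in probe_ports)]

def scan_ports(host, ports, workers=32):
    """Connect-scan `ports` in parallel; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: tcp_probe(host, p), ports))
    return dict(zip(ports, states))

def report(host, ports):
    """nmap-style lines for the open ports, with service name and banner."""
    lines = []
    for port, state in sorted(scan_ports(host, ports).items()):
        if state == "open":
            line = "%d/tcp open %s %s" % (port, WELL_KNOWN.get(port, "unknown"), grab_banner(host, port))
            lines.append(line.rstrip())
    return lines

def start_fake_service(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Constructed local listener so the scanner can be tried offline; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(banner)
            except OSError:            # probe connections hang up immediately
                pass
            finally:
                conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """A port nothing is listening on right now (bind, note the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_service()
    for host in sweep(["127.0.0.1"], probe_ports=(port,)):
        print("\n".join(report(host, [port, free_port()])))
```

Run as a script it starts the fake service, finds 127.0.0.1 alive and prints one line for the open port with its greeting. A connect scan completes the TCP handshake, so every probe lands in the target's logs; that is exactly what the Detection section of a page like this looks for, and why nmap's default SYN scan stops one packet short of it.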

Once it is determined which services are running on which operating system, the hacker can try any of the known exploits for those services and that OS. Exploits are usually specific to a particular version of a service, which is why the version strings that services announce in their banners matter as much as the open port itself. There are tools freely available that enable the hacker to take advantage of many known exploits.


[Index] [Introduction] [Attack] [Detection / Recovery] [Prevention] [Conclusion] [Credits]