Footprinting-faq-v0_1.txt

Footprinting-faq-v0_1.txt
Posted Jan 9, 2001
Authored by Tag | Site liun.hektik.org

Footprinting FAQ - How to remotely determine the network addresses of a company.

tags | paper
SHA-256 | 11315b4ad2af74774d05a420c527242bff6ad16c8cc94551ee6f13e1b5b14c44

Footprinting FAQ-v0.1
_______________________________________________________________________________________________________________________

Maintained by tag, Tuesday October 24th, 2000
Long Island Underground Networks
http://liun.hektik.org

The following is a list of questions that are frequently asked about footprinting.
To contribute to the FAQ please send all questions, comments and suggestions to contagis@yahoo.com

Introduction
* What is footprinting?
* What can I find footprinting?
* What good does it do me?
* Where do I start?
* Ok I did what you said and wrote everything down now what?
* References
* Appendixes

What is footprinting?

The best description I have found for footprinting was from the book "Hacking Exposed"(1). "The systematic
footprinting of an organization's security posture. By using a combination of tools and techniques, attackers can take
an unknown quantity (Widget Company's Internet connection) and reduce it to a specific range of domain names, network
blocks, and individual IP addresses of systems directly connected to the Internet. While there are many types of
footprinting techniques, they are primarily aimed at discovering information related to these technologies: Internet,
intranet, remote access, and extranet."

What can I find footprinting?

The size of the company or organization that you are footprinting will determine how much information you find
out about it. The majority of the information will include IP addresses, operating system types, port numbers and
services, phone numbers (either for dialups into internal networks or just a voice mail system), and sometimes you will
even find logins on a website; while they may not be for the system you're looking for, they are a good start. Routing
tables are also good because they will let you know what other IP ranges you need to scan and which routers carry
traffic between internal and external systems. E-mail addresses and a simple link to another site can all aid you in
exploiting the target.

What good does it do me?

Well, that's easy: why would you waste your time attempting to access a system or network when you can make it
easy on yourself by gathering all the information you need and simply going after systems which are vulnerable? I
don't think you would want to be scanning a complete subnet of VMS machines and at the same time looking for NetBIOS.
All in all it will save you time and make it much easier for you to gain access to the network. In some cases, as I
said, you can even find logins and dialups right on the website of the company.

Where do I start?

To start off, first ask yourself this question: is this company or organization so big that I have to target my
footprint to a specific area? Or is this the ISP down the block that has under a dozen servers and nodes? I will compare
large and small like this. A large university can be completely footprinted, but it's not practical to do so. A large
university will most often have complete subdomains for areas of study like math.something.edu, cs.something.edu etc.
In that case it's up to you as to how much time you want to spend gathering information. A small university can be
completely footprinted easily in under a day. Once you decide which way you're going to approach this, the first thing
you should do is gather information about your target's domain. Be sure to log all this too. Also, this is not the
order in which you have to do things; I just numbered them to make it easier to read.
1. Run a whois on the target domain.
2. Check if host -l reveals anything; if so, run host -l -v -t any something.com.
3. If you get a refused query, then use nmap or another port scanner to ping sweep the IP of the domain. Then do a DNS
lookup on any other IP that responds to the ping, and if you see something that may be another subnet, ping sweep
that too.
4. Use nmap to check for services on all the hosts and also check the OS.
5. Check for links on the target site that point to other computers on the company subnet.
6. Gather all e-mail addresses found on the site that are for people who work for the company.
7. On the company's website view the HTML source and look for comments and other information such as where directories
are and what the names are.
8. If the target has a search engine for their site, run words like these through it: dialin, dial-in, dialup, dial-up,
modem, phone number, login, userid, access, internal. You may say "isn't dialin the same as dial-in?" Well, from
personal experience it can mean the difference between getting back 0 results and getting back links to pages with
dialups to internal systems.
9. Also see if they have a company phone directory online.
10. If you see on your target's site that they talk about working with another company or something, write down the
name of the other company.
11. Go to search engines and enter the target's name and see what other sites link to them; if there is another company
working with your target, make note of it.
12. Run the target's name through Usenet search engines.
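Steps 5 through 8 above describe what a footprinter pulls out of a company's own web pages: HTML comments, staff
e-mail addresses, links that reveal other hosts under the company's domain, and text mentioning dial-in or login
facilities. The same checks, run by the site's owners over their own pages before publishing, show what is being given
away. The script below is an added example for this page, not part of the original FAQ; the sample page and the domain
example.com are constructed for the demo.

```python
"""
Self-audit of a published web page for the information a footprinter harvests:
HTML comments, staff e-mail addresses, links that expose other hosts inside the
company's domain, and page text that mentions dial-in or login facilities.

Added example; not part of the original FAQ. The sample page below is
constructed for the demo and "example.com" is a placeholder domain.
"""
import re
from html.parser import HTMLParser

# Keyword list taken from step 8 of the FAQ (both spellings matter, as it notes).
LEAK_KEYWORDS = (
    "dialin", "dial-in", "dialup", "dial-up", "modem",
    "phone number", "login", "userid", "access", "internal",
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+)", re.I)


class LeakAuditor(HTMLParser):
    """Collects comments, link targets and visible text from one HTML document."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.links = []
        self.text_chunks = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text_chunks.append(data)


def audit_html(html, company_domain):
    """Return the leakage findings for one page of the company's own site.

    company_domain: the domain being audited, e.g. "example.com"; links to any
    host under that domain are reported as hosts the page reveals.
    """
    parser = LeakAuditor()
    parser.feed(html)
    full_text = " ".join(parser.text_chunks + parser.comments)

    # Only addresses in the company's own domain count as staff e-mail leakage.
    emails = sorted({m.lower() for m in EMAIL_RE.findall(full_text)
                     if m.lower().endswith("@" + company_domain)})

    internal_hosts = set()
    for link in parser.links:
        m = HOST_RE.match(link)
        if m:
            host = m.group(1).lower()
            if host.endswith("." + company_domain):
                internal_hosts.add(host)

    lowered = full_text.lower()
    keywords_hit = [kw for kw in LEAK_KEYWORDS if kw in lowered]

    return {
        "comments": parser.comments,
        "emails": emails,
        "internal_hosts": sorted(internal_hosts),
        "keywords": keywords_hit,
    }


# Constructed sample page (not a real site) exercising each finding type.
SAMPLE_PAGE = """<html><head><title>Widget Co</title></head><body>
<!-- TODO: move old files out of /cgi-bin/admin before launch -->
<p>Contact <a href="mailto:jsmith@example.com">jsmith@example.com</a> in IT.</p>
<p>Staff can reach the dial-in modem pool via the internal help desk.</p>
<a href="http://intranet.example.com/phonebook">Phone directory</a>
<a href="https://www.example.com/about">About</a>
<a href="http://partner.othercorp.test/">Our partner</a>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit_html(SAMPLE_PAGE, "example.com").items():
        print(f"{key}: {value}")
```

Run over a whole site's published HTML, the "internal_hosts" and "comments" findings are the ones to act on first: they
are exactly the hostnames and directory names the FAQ says feed the later scanning steps.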

Ok I did what you said and wrote everything down now what?

Now I will go over exploiting the information. All the information has some type of value; it just depends on
what other information you got and how you plan to access the target.
1. Whois will give you phone numbers, e-mail addresses, locations, and other contact information. If you're good at
social engineering then this will help you a lot.
2. Running host -l or host -l -v -t any will let you gather IPs, which you should then scan looking for services on
each host and also checking what each host's operating system is. From there you can determine which computers
are vulnerable to which exploits.
3. E-mail addresses help because you can spoof mail and attempt to get private information, or you can simply mail
someone a trojan in the event you can't get in; you most likely will never have to do this.
4. By viewing the HTML you can get an idea of the directory structure, and from there you can see if manipulating the
URL will allow you to get the entire directory index and view files you would normally not have access to.
5. If you run words like dialin and login through a company's search engine and get a phone number or login, you can
either gain access to a system, or even just having the dialin is fine since you have some phone numbers and will
possibly get more later. Social engineering is best for finding logins to internal networks, but you should know
who is who in the company before calling anyone. For instance, if you want to break into a bank, a copy of the
quarterly report is always a good thing to have.
6. A company phone directory is good just so you can write down important phone numbers for later use if you plan to
social engineer anyone.
7. If you see on your target's site that they are working with another company for whatever reason, keeping track of
this other company will be good, because if you can't get into your target directly maybe you can get in by a
different route, in this case through this other company. If you exploit this other company you can attempt to sniff
a login onto your original target's network. This is what's known as exploiting the weakest link. Just because your
target is secure doesn't mean everyone they work with is. If you do this my favorite command is grep telnet
/home/*/.bash_history or whatever works on the given system.
8. By running your target's name through search engines you can find out about more companies working with them,
which can possibly give you more areas to exploit if needed.
9. Running the target's name through Usenet is like a grab bag: you never know what you will find, which is why it's a
good idea to do it. Maybe one of their administrators needed help configuring NIS or something. Either way it's a
good idea to do it.
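Item 2 above (and steps 3 and 4 of the previous section) describe the noisiest part of footprinting: a ping sweep
across a subnet followed by a service scan of every host that answered. From the target's side that activity has a
clear signature in the perimeter firewall log: one source address touching many distinct destinations, or many
distinct ports on one destination, inside a short window. The detector below is an added example for this page, not
part of the original FAQ; the log line format, the thresholds and the sample lines are constructed for the demo, so
the regular expression needs adapting to a real firewall's syslog format.

```python
"""
Detecting the reconnaissance the FAQ describes (ping sweeps across a subnet
followed by service scans of the responding hosts) from a perimeter firewall
log. A single source touching many distinct destination addresses, or many
distinct ports on one address, inside a short window is the signature.

Added example; not part of the original FAQ. The log line format, thresholds
and sample lines are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<iso-timestamp> <ACCEPT|DROP> src=A dst=B proto=P [dport=N]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?"
)

HOST_THRESHOLD = 8     # distinct destination addresses -> ping/host sweep
PORT_THRESHOLD = 10    # distinct ports on one address -> service scan
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def detect_scans(lines):
    """Return a sorted list of (src, kind) alerts found in the log lines.

    kind is "host_sweep" when src contacted >= HOST_THRESHOLD distinct
    destinations within WINDOW, or "port_scan" when it probed >= PORT_THRESHOLD
    distinct ports on a single destination within WINDOW.
    """
    events = [r for r in (parse_line(l) for l in lines) if r]
    events.sort(key=lambda r: r["ts"])
    per_src = defaultdict(list)
    for r in events:
        per_src[r["src"]].append(r)

    alerts = set()
    for src, recs in per_src.items():
        # Sliding window over this source's events in time order.
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            if len({r["dst"] for r in window}) >= HOST_THRESHOLD:
                alerts.add((src, "host_sweep"))
            ports_per_dst = defaultdict(set)
            for r in window:
                if r["dport"] is not None:
                    ports_per_dst[r["dst"]].add(r["dport"])
            if any(len(p) >= PORT_THRESHOLD for p in ports_per_dst.values()):
                alerts.add((src, "port_scan"))
    return sorted(alerts)


def sample_log():
    """Constructed log: one sweeping source, one scanning source, one normal client."""
    lines = []
    base = datetime(2000, 10, 24, 10, 0, 0)
    # 203.0.113.5 pings 12 addresses in 12 seconds (host sweep).
    for i in range(12):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DROP src=203.0.113.5 dst=192.0.2.{10 + i} proto=icmp")
    # 203.0.113.9 tries 15 ports on one host in 15 seconds (service scan).
    for i in range(15):
        ts = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{ts} DROP src=203.0.113.9 dst=192.0.2.20 proto=tcp dport={20 + i}")
    # 198.51.100.7 is a normal web client: a few hits on port 80 over an hour.
    for i in range(5):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} ACCEPT src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=80")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, kind in detect_scans(sample_log()):
        print(f"ALERT {kind}: {src}")
```

The thresholds are deliberately low for the demo; on a real perimeter they are tuned against the normal fan-out of
legitimate clients, and a slow sweep spread over hours needs a longer window or a per-day distinct-destination count
to be caught.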

References

Hacking Exposed: Network Security Secrets & Solutions
By Stuart McClure, Joel Scambray, and George Kurtz
ISBN: 0-07-212127-0

Appendixes

Search engines
Altavista Find sites that link to your target
Yahoo Same as above
Dogpile Search multiple search engines
Google Google Search Engine
SEC Get detailed information about the company and its associates
ARIN American Registry for Internet Numbers

Scanners
nmap
ISS
Cybercop
Winfingerprint

Exploits
Technotronic
BugTraq

Information Retrieval (names, addresses, e-mail addresses, phone numbers etc.)
http://people.yahoo.com
http://www.anywho.com