INF 370 - INFORMATION SECURITY: LAB 1

Internet Footprinting Using LINUX and WINDOWS

Footprinting
Footprinting is the process of collecting information about an organization, its networks,
its address ranges, and the people who use them. Footprinting is usually completed via
available electronic resources. It is important for security administrators to know exactly
what an individual can find on the Internet regarding their organizations. The
information an organization maintains about itself should be properly organized,
professionally presented, and as secure as possible to defeat any social engineering and
hacking attempts.
The process of collecting information about an organization from publicly accessible
sources is called footprinting. This process includes both researching information from
printed resources as well as gathering facts that can be collected from online resources
and through social engineering efforts.
Another process that involves data collection is the scanning process. Scanning involves
the detection of functioning systems and an enumeration of the services being offered by
each system on a network segment. The modules and lab exercises in this chapter will
allow you to gain experience in footprinting as well as understanding the fundamental
aspects of TCP/IP addresses and port scanning using both Windows and Linux systems.
Learning Objectives for Lab 1
After completing the labs presented in this module, you should be able to:

Define footprinting and how it is accomplished

Identify a number of resources that can be used to footprint an organization

Search an organizations public Web pages and identify internal components

Determine the IP address range assigned to a particular organization

Identify host machines that are active within an organization

Overview
Web reconnaissance is a simple but effective method of collecting rudimentary
information about an organization. All Web browsers have the ability to display source
code, allowing users to not only view the Web pages in their intended format, but also to
look for hidden information. The kinds of information gathered during the footprinting
of an organizations networks and systems commonly include the names of Web
personnel, the names of additional servers, locations of script bins, and so on.

It generally provides only limited information, but occasionally it can uncover a valuable
clue about the organization and its systems. Web reconnaissance can be used to identify
the name of an organizations Webmaster or other member of the technical staff, either of
which is helpful in executing a social engineering ploy. Web reconnaissance is also a
good way to identify the domain names of related Web servers, which can then be used to
identify additional IP addresses for further reconnaissance activities.
Lab 1A-1: Gathering WHOIS Information with Windows/Linux
WHOIS is a service that allows you to look up peoples names on a remote server.
Whenever you need to find out more about a domain name, such as its IP address, who
the administrative contact is or other information, you can use the WHOIS utility to
determine points of contact (POCs), domain owners, and name servers. Many servers
respond to TCP queries on port 43 in a manner roughly analogous to the DDN NIC
WHOIS service described in RFC 954.
Using a Web Browser
1. Open the site: www.internic.net
2. Click Whois in the list of options
3. In the Whois text box, enter the following domain: course.com
4. Record the registrar for this domain name:
PSI-USA, INC. DBA DOMAIN ROBOT

5. Record the primary and secondary name servers for this domain name:
Primary: NS1.CENGAGE.NET; Secondary: NS2.CENGAGE.NET

6. What other useful information can you determine from this output?
The status (client transfer prohibited), when the domain expires, the referral URL
(http://www.psi-usa.info)

7. Repeat the steps above for aubg.bg and dir.bg (you need to find the regional registrar
for .bg domain)
8. Registrar:
register.bg
9. Primary and secondary name servers

ns.dir.aubg, ns2.dir.bg, ns.aubg.bg, ns1.aubg.bg

10. Other useful information:
Contacts of administration, technical staff, addresses, phones, e-mails etc.
Linux command line:Login linux.stud.aubg.bg and try whois command from the
command line.
Lab 1A-2: DNS Interrogating with Windows/Linux
The Domain Name System (DNS) is a general-purpose distributed, replicated, data query
service chiefly used on the Internet for translating hostnames into Internet addresses.
Also, DNS specifies the style of hostname used on the Internet, though such a name is
properly called a fully qualified domain name (FQDN). DNS can be configured to use a
sequence of name servers based on the domains in the name being searched until a match
is found.
A complete discussion of the Domain Name System is extremely complex and thus
beyond the scope of this lab. For a more detailed discussion refer to RFCs 1034 (Domain
NamesConcepts And Facilities) and 1035 (Domain NamesImplementation and
Specification).
One aspect that should be addressed here is the DNS zone transfer. A zone transfer is a
request, usually from a secondary master name server to a primary master name server,
that allows the secondary master to update its DNS database. Unless this process is
restricted, it can provide a very detailed set of information about an organizations
network to virtually anyone with the ability and desire to access it.

Usage
The standard method to conduct a DNS query uses nslookup, a UNIX-based utility
created by Andrew Cherenson to query Internet domain name servers. Its primary use is
identifying IP addresses corresponding to entered domain names and identifying domain
names corresponding to entered IP addresses. Using a set type= command, the utility
can be used to obtain additional information:
CNAMEThe canonical name for an alias
HINFOThe host CPU and operating system type
MINFOMailbox or mail list information
MXMail exchanger information
NSThe name server for the named zone
PTRThe hostname if the query is an Internet address, otherwise as a
pointer to other information
SOAThe domain's start-of-authority information

TXTText information
UINFOUser information
WKSSupported well-known services

Other types of information (ANY, AXFR, MB, MD, MF, and NULL) are described in
RFC 1035.
The basic command syntax is: nslookup [IP_address|host_name]
The Windows XP version of nslookup provides options, that can be found using the
help command at the prompt in interactive mode.
Linux supports many DNS lookup utilities: nslookup, host, dig.
1. Login linux.stud.aubg.bg and using nslookup find information about aubg.bg domain
(you may need to read man pages for a particular lookup utility).
2. Record the names for all mail exchangers for aubg.bg domain
mailstud.aubg.bg, mail.aubg.bg

3. Using host utility record the name of the alias for www.aubg.bg and its IP address:
83.143.248.40
ww1.aubg.bg

4. Compare information gathered about www.dir.bg using nslookup (with set

type=ANY), host and dig utilities:
Mail exchanger: mail.dir.bg
IP address: 194.145.63.12
Name of alias: dir.bg

Lessons Learned
It is troubling how much information is contained on DNS systems. Equally troubling is
the fact that an individual can query this information directly. Since the servers are
managed outside the organization, the organization has little say as to what they contain.
The servers frequently contain a substantial collection of information about the

organization, as extracted from the DNS registration, obtained from the registering
authority. This includes responsible individuals, phone numbers, addresses etc. It should
be obvious to all of us from the options available how much information we can extract.
As an individual determines from one DNS server information about another DNS server,
they can quickly shift to direct queries that server, finally moving to the authoritative
serve with the most information on the organization in question. Mail servers, internal
Name servers are all revealed to the query.