What are Footprinting, Fingerprinting, Enumeration and SNMP Enumeration? What are the various attack methods, software and tools?
Defining Footprinting
• Footprinting is the blueprinting of the security profile of an organization, undertaken in a
methodological manner.
• Footprinting is one of the three pre-attack phases. The others are scanning and
enumeration.
• Footprinting results in a unique organization profile with respect to networks (Internet /
Intranet / Extranet / Wireless) and systems involved.
Footprinting - Attack Methods

The attacker may choose to source the information from:

• A web page (saved offline, e.g. with an offline browser such as Teleport Pro).
• Yahoo or other directories (Tifny is a comprehensive search tool for USENET newsgroups).
• Multiple search engines (All-in-One, Dogpile); groups.google.com is a great resource for searching large numbers of newsgroup archives without having to use a tool.
• Advanced search (e.g. AltaVista).
• Searches on publicly traded companies (e.g. EDGAR).
• Dumpster diving (to retrieve documents that have been carelessly disposed of).
• Physical access (false ID, temporary/contract employees, unauthorized access, etc.).

Active Stack Fingerprinting: this technique is also called OS fingerprinting

• Fingerprinting is done to determine the remote OS.
• It allows the attacker to leave a smaller footprint and have a greater chance of success.
• It is based on the fact that the various OS vendors implement the TCP/IP stack differently.
• Specially crafted packets are sent to the remote host and the responses are noted. These are compared with a database of known stack behaviours to determine the OS.

Passive Fingerprinting
• Passive fingerprinting is also based on the differential implementation of the stack and the various ways an OS responds to traffic.
• However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host and studies them for tell-tale signs that can reveal the OS.
• Passive fingerprinting is less accurate than active fingerprinting.

What is Enumeration?

• If information acquisition and non-intrusive probing have not turned up any results, an attacker will next turn to identifying valid user accounts or poorly protected resource shares.
• Enumeration involves active connections to systems and directed queries.
• The types of information enumerated by intruders:
Network resources and shares
Users and groups
Applications and banners

SNMP Enumeration
• SNMP is simple. Managers send requests to agents, and the agents send back replies.
• The requests and replies refer to variables accessible to agent software.
• Managers can also send requests to set values for certain variables.

SNMP Enumeration Countermeasures

Countermeasure: Do not install the Windows "Management and Monitoring Tools" component if it is not going to be used. If it is required, ensure that only authorized persons have access to it; otherwise it can turn into an obvious backdoor. Edit the Registry to permit only approved access to the SNMP community name.

Too lazy to say thanks or comment here? Why not too lazy to read my post? If you like this post and want us to post similar articles, please give us feedback and leave a comment here.

What is Footprinting
Defining Footprinting


There is no single methodology for footprinting, as a hacker can choose several routes to trace the information. Footprinting, therefore, needs to be carried out precisely and in an organized manner. The information unveiled at various network levels can include details of domain names, network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, access control mechanisms and related lists, phone numbers, contact addresses, authentication mechanisms and system enumeration.

The information gathering activity can be broadly divided into seven phases:

• The attacker would first unearth initial information (such as domain name),
• locate the network range of the target system (using tools such as Nslookup,
whois etc),
• ascertain the active machines (for instance by pinging the machine),
• discover open ports or access points (using tools such as port scanners),
• detect operating systems (for instance querying with telnet),
• uncover services on ports and
• ultimately map the network.

This not only speeds up the real attack process, but also aids in helping the attacker prepare
better for covering his tracks and thereby leave a smaller or minimal footprint.

Initial Information:

Commonly includes:

• Domain name lookup


• Locations
• Contacts (Telephone / mail)

Information Sources:

• Open source
• Whois
• Nslookup

Hacking Tool:

• Sam Spade

Open source footprinting is the easiest and safest way to go about finding information about a company: it uses information that is already available to the public, such as phone numbers, addresses, etc. Performing whois requests and searching through DNS tables are other forms of open source footprinting. Most of this information is fairly easy to get, and within legal limits. One easy way to check for sensitive information is to read the HTML source of the website and look for links, comments, meta tags, etc.
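As an added example (not code from the original post), here is a small offline pass over a saved page that pulls out exactly the items mentioned above: links, comments and meta tags, plus mailto addresses, and separates links pointing at hosts other than the one the page was fetched from, since those (intranet names, staging servers) are what widen the target profile. The sample page, its hostnames and its addresses are constructed for the example.

```python
"""Review a saved page's HTML source for footprinting leads.

Added example, not code from the original post. Runs offline over a page
saved during footprinting and collects what the text says to look for:
links, comments and meta tags (plus mailto addresses), separating links to
hosts other than the one the page was fetched from. The sample page at the
bottom is constructed; its hostnames and addresses are not real.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words in an HTML comment that usually mean a developer left something behind.
COMMENT_KEYWORDS = ("todo", "fixme", "password", "admin", "internal", "debug")


class SourceReviewer(HTMLParser):
    """Collect the parts of page source that leak information."""

    def __init__(self):
        super().__init__()
        self.links, self.comments, self.emails, self.meta = [], [], [], {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta":
            key = attrs.get("name") or attrs.get("http-equiv")
            if key:
                self.meta[key.lower()] = attrs.get("content", "")
        for attr in ("href", "src", "action"):          # anchors, images, scripts, forms
            value = attrs.get(attr)
            if value and value.lower().startswith("mailto:"):
                self.emails.append(value[len("mailto:"):])
            elif value:
                self.links.append(value)

    def handle_comment(self, data):
        self.comments.append(data.strip())


def review_source(html, site_host):
    """Parse the page and return the footprinting-relevant findings.

    site_host is the host the page was fetched from; links to any other host
    (internal names, staging servers, third parties) widen the target's
    network profile and are reported separately.
    """
    parser = SourceReviewer()
    parser.feed(html)
    parser.close()
    hosts = {urlparse(link).hostname for link in parser.links}   # relative links give None
    external_hosts = sorted(h for h in hosts if h and h != site_host)
    suspicious = [c for c in parser.comments
                  if any(word in c.lower() for word in COMMENT_KEYWORDS)]
    return {"meta": parser.meta, "external_hosts": external_hosts,
            "emails": sorted(set(parser.emails)), "comments": suspicious,
            "link_count": len(parser.links)}


# Constructed sample page (made-up hostnames and addresses).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="ExampleCMS 2.1">
<meta name="author" content="webmaster">
<!-- TODO: remove admin link before go-live, password is in /etc/app.conf -->
</head><body>
<a href="/careers">Careers</a>
<a href="http://www.example.test/about">About</a>
<a href="http://intranet.example.test/hr">HR portal</a>
<img src="http://staging01.example.test/img/logo.png">
<form action="https://login.example.test/auth"></form>
<a href="mailto:jsmith@example.test">Contact</a>
</body></html>"""

if __name__ == "__main__":
    for key, value in review_source(SAMPLE_HTML, "www.example.test").items():
        print(f"{key}: {value}")
```

Run it against a page saved with an offline browser by reading the file into `review_source()` with the site's own hostname; the `generator` meta tag and the leftover comment are the kind of detail that feeds the later fingerprinting and enumeration steps.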

Footprinting - Attack Methods



There are five RIRs, each maintaining a whois database holding details of IP address registrations in its region. The RIR whois databases are:

• ARIN (North America)
• APNIC (Asia Pacific region)
• LACNIC (Latin America and the Caribbean)
• RIPE NCC (Europe, the Middle East and Central Asia)
• AfriNIC (Africa)

Tools: There are tools available to aid a whois lookup. Some of them are Sam Spade (downloadable from www.samspade.org), Smart Whois (downloadable from www.tamos.com), Netscan (downloadable from www.netscantools.com) and GTWhois (Windows XP compatible, www.geektools.com).

---

Amarjit Singh

Passive Fingerprinting

Like active fingerprinting, passive fingerprinting is based on the differential implementation of the TCP/IP stack and the various ways an OS responds to traffic. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host and studies them for tell-tale signs that can reveal the OS. It is less accurate than active fingerprinting.

Note: The four areas that are typically noted to determine the operating system are:

TTL - the Time To Live the operating system sets on outbound packets.
Window Size - the TCP window size the operating system sets.
DF - whether the operating system sets the Don't Fragment bit.
TOS - whether the operating system sets the Type of Service, and if so, to what.

Passive fingerprinting need not be fully accurate, nor does it have to be limited to these four signatures. However, by looking at several signatures and combining the information, the accuracy can be improved. The following is the analysis of a sniffed packet dissected by Lance Spitzner in his paper on passive fingerprinting (http://www.honeynet.org/papers/finger/):

04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78

Based on the four criteria, the following is identified:

TTL: 45
Window Size: 0x7D78 (or 32120 in decimal)
DF: the Don't Fragment bit is set
TOS: 0x0

This information is then compared to a database of signatures. Considering the TTL used by the remote host, it is seen from the sniffer trace that the TTL is 45. This indicates that the packet went through 19 hops to get to the target, so the original TTL must have been 64. Based on this TTL, it appears that the packet was sent from a Linux or FreeBSD box (however, more system signatures need to be added to the database). This TTL is confirmed by doing a traceroute to the remote host.

The next step is to compare the window size. The window size is another effective tool, specifically which window size is used and how often it changes. In the above signature, it is set at 0x7D78, a default window size commonly used by Linux. Also, Linux, FreeBSD and Solaris tend to maintain the same window size throughout a session, whereas Cisco routers and Microsoft Windows/NT window sizes are constantly changing. The window size is more accurate if measured after the initial three-way handshake (due to TCP slow start).

Most systems set the DF bit, so this is of limited value. However, this does make it easier to identify the few systems that do not use the DF flag (such as SCO or OpenBSD). TOS is also of limited value; it seems to be more session-based than operating-system-based. In other words, it is not so much the operating system that determines the TOS but the protocol used. Therefore, based on the information above, specifically TTL and window size, one can compare the results to the database of signatures and with a degree of confidence determine the OS (in this case, Linux kernel 2.2.x).

Threat: Passive fingerprinting can be used for several other purposes. It can be used by crackers as 'stealthy' fingerprinting. For example, to determine the operating system of a 'potential victim' such as a web server, one only needs to request a web page from the server and then analyze the sniffer traces. This bypasses the need for an active tool that can be detected by various IDS systems. Passive fingerprinting may also be used to identify remote proxy firewalls: since proxy firewalls rebuild connections for clients, it may be possible to identify the proxy firewall based on the signatures discussed above. Organizations can use passive fingerprinting to identify 'rogue' systems on their network, i.e. systems that are not authorized to be there.
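The four-criteria analysis above, as an added example that is not part of the original post or of Spitzner's paper: the script parses the three-line Snort-style record quoted above, derives the initial TTL and hop count from the observed TTL, and scores the fields against a small signature table. That table is an illustrative assumption (real tools such as p0f carry far larger ones with more fields); for the quoted record it should land on Linux 2.2.x via initial TTL 64, 19 hops and window 0x7D78.

```python
"""Passive OS fingerprinting from a sniffer trace: TTL, window, DF, TOS.

Added example, not from the original post or from Spitzner's paper. It
parses the Snort-style record quoted in the article, works the four
criteria out and scores them against a small signature table. That table
is an illustrative assumption; real tools (p0f, siphon) carry far more
entries and fields.
"""
import re

# Initial TTLs in common use; the sender started at the smallest value that
# is not below the observed TTL, and the difference is the hop count.
INITIAL_TTLS = (32, 64, 128, 255)

# Assumed signatures for the example: initial TTL, default window, DF use.
SIGNATURES = [
    {"os": "Linux 2.2.x", "initial_ttl": 64, "window": 0x7D78, "df": True},
    {"os": "FreeBSD 4.x", "initial_ttl": 64, "window": 0x4470, "df": True},
    {"os": "Windows NT/2000", "initial_ttl": 128, "window": 0x2017, "df": True},
    {"os": "OpenBSD 2.x", "initial_ttl": 64, "window": 0x4000, "df": False},
]

HEADER = re.compile(r"(\S+):(\d+) -> (\S+):(\d+)")
IP_LINE = re.compile(r"TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+)(?P<df> DF)?")
TCP_LINE = re.compile(r"Win: 0x([0-9A-Fa-f]+)")


def parse_trace(trace):
    """Extract source, destination, TTL, TOS, DF and window from a 3-line record."""
    lines = [line.strip() for line in trace.strip().splitlines()]
    if len(lines) < 3:
        raise ValueError("not a Snort-style TCP record")
    hdr, ip, tcp = HEADER.search(lines[0]), IP_LINE.search(lines[1]), TCP_LINE.search(lines[2])
    if not (hdr and ip and tcp):
        raise ValueError("not a Snort-style TCP record")
    return {"src": hdr.group(1), "dst": hdr.group(3),
            "ttl": int(ip.group(1)), "tos": int(ip.group(2), 16),
            "df": ip.group("df") is not None, "window": int(tcp.group(1), 16)}


def guess_initial_ttl(observed):
    """Smallest common initial TTL that is not below the observed value."""
    return next((start for start in INITIAL_TTLS if observed <= start), 255)


def fingerprint(fields):
    """Score every signature; window and TTL carry the weight, DF only a little."""
    initial = guess_initial_ttl(fields["ttl"])
    scored = []
    for sig in SIGNATURES:
        score = (2 * (sig["initial_ttl"] == initial)
                 + 3 * (sig["window"] == fields["window"])
                 + 1 * (sig["df"] == fields["df"]))
        scored.append((score, sig["os"]))
    best_score, best_os = max(scored)
    return {"initial_ttl": initial, "hops": initial - fields["ttl"],
            "os": best_os if best_score >= 5 else "unknown", "score": best_score}


# The record dissected in the article (Spitzner, honeynet.org), as quoted there.
TRACE = """
04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
"""

if __name__ == "__main__":
    fields = parse_trace(TRACE)
    print(fields)
    print(fingerprint(fields))
```

The scoring deliberately weights the window size above the TTL and the TTL above DF, following the article's own ranking of the four criteria; a record that matches only on TTL and DF scores 3 and is reported as unknown rather than guessed.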

---
Amarjit Singh

Monday, April 6, 2009



What is Enumeration?

If information acquisition and non-intrusive probing have not turned up any results, an attacker will next turn to identifying valid user accounts or poorly protected resource shares. The objective of the attacker will be to identify valid user accounts or groups where he can remain inconspicuous once he has compromised the system. Enumeration involves active connections being made to the target system, or subjecting it to directed queries. Normally, an alert and secure system will log such attempts. Often the information gathered is what the target might have made public, such as a DNS address. However, it is possible that the attacker stumbles upon a remote IPC share such as IPC$ in Windows, which can be probed with a null session and the shares and accounts enumerated.

Concept: On ascertaining the security posture of the target, the attacker can turn this information to his advantage by exploiting a resource-sharing protocol or compromising an account. The type of information enumerated by hackers can be loosely grouped into the following categories:

1. Network resources and shares


2. Users and Groups
3. Applications and Banners

---

Enumeration Tools
Hacking Tool: Enum

enum is a console-based Win32 information enumeration utility written by Jordan Ritter to enumerate Windows NT/2000 information using null and user sessions.

Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and membership lists, and password and LSA policy information.

enum is also capable of a rudimentary brute-force dictionary attack on individual accounts.

Hacking tool: Userinfo

• Userinfo is a small utility that retrieves all available information about any known user from any NT/Win2k system on which you can reach TCP port 139.
• Specifically, by calling the NetUserGetInfo API at level 3, Userinfo returns standard information such as:
• SID and primary group
• logon restrictions and smart card requirements
• special group information
• password expiration information and password age
• This application works as a null user, even if RestrictAnonymous is set to 1 to specifically deny anonymous enumeration.

Hacking Tool: GetAcct

GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines. Input the IP address or NetBIOS name of a target computer in the "Remote Computer" column. Input a number of 1000 or more in the "End of RID" column. The RID is the user's relative identifier, assigned by the Security Account Manager when the user is created; user RIDs start at 1000, so if there are 100 users, 1100 is entered.

GetAcct shows the information that leaks through an anonymous login:

• An enumeration of user IDs
• Account names and full names
• Password age
• User groups the user is a member of
• Account type
• Whether the account is disabled or locked
• Password policies
• Last logon time, number of logons
• Bad password count
• Quotas

---

Amarjit Singh

SNMP Enumeration

SNMP is simple: managers send requests to agents, and the agents send back replies. The requests and replies refer to variables accessible to the agent software. Managers can also send requests to set the values of certain variables.

Traps let the manager know that something significant has happened at the agent's end of things:
--- a reboot,
--- an interface failure,
--- or something else that is potentially bad.

Enumerating NT users via SNMP is easy using snmputil.

SNMP consists primarily of two components: a manager and an agent. An agent is a piece of software embedded in a machine; SNMP agents exist for almost any piece of equipment. However, the installed agent does not do anything until queried by the manager, a separate program that a network manager runs on their own computer to query the agent (across the network) for information.

The default community string that provides the monitoring or read capability is often "public". The default management or write community string is often "private". Attackers take advantage of these default community strings: the read community string "public" lets an attacker gain information about a device, and the write community string "private" lets them change the system's configuration.

SNMPutil example

The security threat comes from Windows 2000 servers and workstations having SNMP support enabled and failing to change the default read-only community string 'public'. However, changing it does not protect it from being sniffed off the network or subjected to a dictionary or brute-force attack. This may not seem troublesome, but the Windows 2000 SNMP variables contain a wealth of information for the sniffing cracker. Some of the tables that are available when one has READ access to the SNMP tree on a Windows 2000 box are listed below:

Interface Table - This table identifies all boxes with multiple interfaces, plus useful details like their IP and MAC addresses.

Route Table and ARP Table - With access to these tables, a cracker can quickly build an accurate picture of a network and continue the search for vulnerabilities.

TCP Table and UDP Table - These show which TCP and UDP ports are actively used, and on which ports services are listening for new clients.

Device Table and Storage Table - Knowing what hardware is attached to a Windows 2000 machine gives crackers clues about what kind of machine they are dealing with.

Process Table and Software Table - Knowing what software is installed and what software is running (DNS server, DHCP server) gives away details about how to attack the system. They even show which service packs have been installed (and hence which patches are missing).

User Table - Knowing which user names are valid on a machine makes it much easier to guess passwords and gain access to the system.

Share Table - If the cracker knows what shares are exported and used by a Windows machine, it can lead to a serious security compromise.

Here, we will look at an SNMP utility called SNMPutil.exe, which is part of the Windows 2000 Resource Kit, and at what we can discover with it from the command prompt. The command takes the form snmputil get <host> <community> <OID>.

In the output of such a get, the variable is called 1.3.6.1.2.1.2.1.0, and we 'get' its value, which turns out to be 1. The variable name (1.3.6.1.2.1.2.1.0) is called an object identifier or OID. An alternative form is found in the second line of the output: 'interfaces.ifNumber.0' is the same OID, but is more easily readable. The second and third arguments to SNMPUTIL designate the host to which the SNMP request is sent (210.212.69.129) and the community (authentication string or password) to use (public). The 'public' community is the default when SNMP support is installed on a Windows 2000 host, and it allows the user to read all variables present. Since even the number of interfaces on a host is sensitive data, the threat is evident. Let us look at some of the other variables that might be of interest to an attacker and a security professional.
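To make the request concrete, here is an added example (not from the original post and not snmputil's own code) that hand-builds the SNMPv1 GetRequest snmputil sends for interfaces.ifNumber.0 with community 'public', and decodes messages of the same shape, so the version, community, request-id and OID fields described above can be seen on the wire. Only `snmp_get()` touches the network; the host in the article is not queried here, and the GetResponse used to exercise the decoder is constructed locally rather than captured.

```python
"""SNMPv1 GetRequest/GetResponse encoder and decoder, BER done by hand.

Added example, not from the original post and not snmputil's own code. It
builds the packet 'snmputil get <host> public <OID>' puts on the wire and
reads an agent's reply back. snmp_get() is the only part that touches the
network; point it only at hosts you are authorised to query.
"""
import socket

GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2      # PDU context tags [0] and [2]

def ber_length(n):
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload

def encode_int(value):
    """INTEGER (0x02): two's complement in the minimal number of bytes."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(length, "big", signed=True))

def encode_oid(dotted):
    """OBJECT IDENTIFIER (0x06): first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                               # leading bytes carry bit 7 set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def build_message(pdu_tag, community, oid, request_id, value=b"\x05\x00"):
    """Message ::= SEQUENCE { version 0, community, PDU { req-id, 0, 0, varbinds } }.
    A GetRequest carries NULL (05 00) as the value; a GetResponse carries the answer."""
    varbind = tlv(0x30, encode_oid(oid) + value)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))

def read_tlv(buf, pos):
    """Return (tag, payload, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(payload):
    """Inverse of encode_oid (first arc 0 or 1, as in every MIB-2 OID)."""
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def decode_value(tag, raw):
    if tag in (0x02, 0x41, 0x42, 0x43):          # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    if tag == 0x04:                              # OCTET STRING
        return raw.decode("latin-1")
    if tag == 0x06:
        return decode_oid(raw)
    return None                                  # NULL or a type not handled here

def parse_message(msg):
    """Decode version, community, PDU type, request-id and the first varbind."""
    _, body, _ = read_tlv(msg, 0)
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, req_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)               # error-status
    _, _, pos = read_tlv(pdu, pos)               # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    _, first, _ = read_tlv(varbinds, 0)
    _, oid, vpos = read_tlv(first, 0)
    vtag, vraw, _ = read_tlv(first, vpos)
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("latin-1"), "pdu_type": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oid": decode_oid(oid), "value": decode_value(vtag, vraw)}

def snmp_get(host, community, oid, timeout=2.0):
    """Send one GetRequest over UDP/161 and return the decoded reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_message(GET_REQUEST, community, oid, 1), (host, 161))
        reply, _ = sock.recvfrom(4096)
    return parse_message(reply)
```

`build_message(GET_REQUEST, "public", "1.3.6.1.2.1.2.1.0", 1)` yields a 40-byte datagram whose community string travels in clear text after the version byte, which is exactly why the countermeasures below insist on non-default names, source-address restrictions and IPsec. `snmp_get("<host>", "public", "1.3.6.1.2.1.2.1.0")` performs the same query live and is the programmatic equivalent of the snmputil get described above; walking a subtree is a matter of repeating the exchange with the GetNext tag (0xA1) and the OID returned in each reply.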

ipForwarding (1.3.6.1.2.1.4.1.0) - Is the host forwarding? This is not a good sign for a workstation.

icmpInRedirects (1.3.6.1.2.1.5.7.0) - Is the host receiving ICMP redirect messages?

tcpOutRsts (1.3.6.1.2.1.6.15.0) - A counter indicating the number of RSTs sent by the box. This counter increases rapidly when the host is port-scanned.

udpNoPorts (1.3.6.1.2.1.7.2.0) - A counter indicating traffic to UDP ports where no service was listening. Also a possible port-scan signal.
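Both of those counters are Counter32 values that wrap at 2^32, so a poller that simply subtracts consecutive readings will misfire at the wrap. The following added example (not from the original post; the readings are constructed, not a capture, and the thresholds are assumptions to tune per host) turns successive tcpOutRsts/udpNoPorts readings into per-second rates, handles the wrap, and flags the interval in which a scan took place, which is the defensive use of the same variables the attacker reads.

```python
"""Flag port scans from polled tcpOutRsts / udpNoPorts counters.

Added example, not from the original post. Successive SNMP readings of the
two counters the text singles out are turned into per-second rates, with
Counter32 wraparound handled, and intervals whose rate jumps above a
threshold are flagged. The readings below are constructed, not a capture,
and the thresholds are assumptions to tune per host.
"""
COUNTER32_MOD = 2 ** 32

# Constructed readings: (seconds since first poll, tcpOutRsts, udpNoPorts).
# Quiet baseline, then a scan between t=120 and t=180 during which
# tcpOutRsts also wraps past 2**32 - 1.
SAMPLES = [
    (0,   4294967200, 120),
    (60,  4294967215, 124),
    (120, 4294967230, 128),
    (180, 1200,       3100),
    (240, 1210,       3104),
]


def counter_delta(prev, curr, modulus=COUNTER32_MOD):
    """Increase between two Counter32 readings, allowing for one wrap."""
    return (curr - prev) % modulus


def rates(samples):
    """Per-interval rates (events per second) for both counters."""
    out = []
    for (t0, rst0, udp0), (t1, rst1, udp1) in zip(samples, samples[1:]):
        secs = t1 - t0
        if secs <= 0:
            raise ValueError("samples must be strictly increasing in time")
        out.append({"start": t0, "end": t1,
                    "rst_rate": counter_delta(rst0, rst1) / secs,
                    "udp_rate": counter_delta(udp0, udp1) / secs})
    return out


def detect_scans(samples, rst_per_sec=1.0, udp_per_sec=1.0):
    """Return the intervals in which either rate exceeds its threshold."""
    return [r for r in rates(samples)
            if r["rst_rate"] > rst_per_sec or r["udp_rate"] > udp_per_sec]


if __name__ == "__main__":
    for hit in detect_scans(SAMPLES):
        print(f"possible scan between t={hit['start']}s and t={hit['end']}s: "
              f"{hit['rst_rate']:.1f} RST/s, {hit['udp_rate']:.1f} unreachable UDP/s")
```

The third interval is the only one flagged: a naive subtraction of the two tcpOutRsts readings there gives a large negative number, while the modular delta correctly reports 1266 resets in 60 seconds alongside 2972 unreachable UDP ports.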

snmputil walk automates the whole process of getting the variables (it walks the subtree under a given OID) and its output can be redirected to a file. To summarize, snmputil can reveal details about the services that are running, share names, share paths, any comments on shares, usernames, domain names, etc.

SNMP Enumeration Countermeasures

The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.

If shutting off SNMP is not an option, change the default 'public' community name.

Implement the Group Policy security option called "Additional restrictions for anonymous connections".

Access to null session pipes and null session shares should also be restricted, and IPSec filtering applied.

---
Amarjit Singh

SNMP Enumeration Countermeasures


Countermeasure: Change the community strings to properly configured ones, preferably hard-to-guess, non-default names (not the default "public"). Where possible, restrict access to the SNMP agent. By restriction, we mean allowing SNMP requests from only specific addresses. Additionally, these requests should be restricted to read-only wherever possible. All of these settings can be changed in the properties of the 'SNMP Service' (Start / Administrative Tools / Services).

Countermeasure: Authenticate/encrypt using IPsec. SNMP (v1) may not have adequate authentication and encryption facilities built in, but this is where IPsec can come to the rescue. IPsec policies can be defined on the monitored systems and management stations so that all SNMP traffic is authenticated and/or encrypted.

Countermeasure: Collect traps. If SNMP is enabled, monitor the Windows 2000 event logs. Effective auditing can actually raise the level of security.

---
Amarjit Singh
