Snooping the Stack

by ThinkT4nk  (thinkt4nk@cyberarmy.com)

Any and all successful and intelligent hacks begin at the most basic levels.

However boring and sometimes monotonous these "chores" may seem, they really embody the differences between the "elite" and the "script kiddie."  These chores, when combined, offer the hacker an expansive knowledge of the system or network in question.  This knowledge will later prove absolutely indispensable.

These chores are most commonly known as "snooping" or "footprinting."  Snooping refers to the process of obtaining information about the target system for later reference during the actual hack.  Snooping implies that the hacker has a genuine interest in network/systems security and isn't searching for the (forgive me for the cliche) "easy way out."

In this article I'll outline snooping from the very basic to the very complex.  As I begin overviewing some of the more complex parts of snooping, you may notice that I begin to ignore Windoze.  I've added assistance to Windoze users in the form of a sort of footnote.  I assure you this is completely intentional.  If you ever have the intention of becoming a serious hacker, you must be operating from a *NIX box.

The free-source world has provided many tools for hackers like us.  After all, who created Linux?  Hackers!!  Windoze is for those who are fascinated with mind-numbing images and complete ease of use.  Linux was created by hackers for hackers.  It offers Internet connectivity and networking capabilities that are unchallenged in the world of computing today.  With all of that said, let's get snooping!

First we need to identify our target through system profiling.  We need to establish a goal.  Good questions to ask yourself are "Why am I hacking this system?" and "Where should I be concentrating my efforts?"  These questions are absolutely necessary when snooping or you'll soon be lost in a wealth of information about a system that you still don't understand and can't piece together.  Believe me!

After we've established a good focal point for our attacks, we need to find out exactly how many domains are associated with our target organization.  We do this with a WHOIS keyword query from your *NIX shell, in this form:

$ whois "2600"

Against the old InterNIC database this listed every domain whose record matched the keyword, which points you toward the target domain.  Today's registry servers generally answer exact-domain lookups only, so for a keyword search you'll need the registrar's web search or a reverse-WHOIS service.  You Windoze users can use: www.websitez.com

Now we need to figure out exactly which DNS (domain name system) servers are authoritative for the domain, since those name servers are what point at the feature we'd most like to disable or tamper with.

For this, we'll simply execute a WHOIS query from our shell again in this fashion:

$ whois 2600.com
   Domain Name: 2600.COM
   Registry Domain ID: 2781441_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.networksolutions.com
   Registrar URL: http://networksolutions.com
   Updated Date: 2020-12-07T07:52:23Z
   Creation Date: 1994-02-03T05:00:00Z
   Registry Expiry Date: 2026-02-04T05:00:00Z
   Registrar: Network Solutions, LLC
   Registrar IANA ID: 2
   Registrar Abuse Contact Email: domain.operations@web.com
   Registrar Abuse Contact Phone: +1.8777228662
   Domain Status: ok https://icann.org/epp#ok
   Name Server: NS1.HE.NET
   Name Server: PHALSE.2600.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2024-08-29T00:50:28Z <<<

Domain Name: 2600.COM
Registry Domain ID: 2781441_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2020-12-07T07:52:51Z
Creation Date: 1994-02-03T05:00:00Z
Registrar Registration Expiration Date: 2026-02-04T05:00:00Z
Registrar: Network Solutions, LLC
Registrar IANA ID: 2
Reseller:
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name: 2600 Magazine
Registrant Organization: 2600 Magazine
Registrant Street: PO BOX 848
Registrant City: MIDDLE ISLAND
Registrant State/Province: NY
Registrant Postal Code: 11953-0848
Registrant Country: US
Registrant Phone: +1.6317512600
Registrant Phone Ext:
Registrant Fax: +1.7032650070
Registrant Fax Ext:
Registrant Email: emmanuel@2600.COM
Registry Admin ID:
Admin Name: Goldstein, Emmanuel
Admin Organization:
Admin Street: PO BOX 848
Admin City: MIDDLE ISLAND
Admin State/Province: NY
Admin Postal Code: 11953-0848
Admin Country: US
Admin Phone: +1.6317512600
Admin Phone Ext:
Admin Fax: +1.6317512600
Admin Fax Ext:
Admin Email: emmanuel@2600.COM
Registry Tech ID:
Tech Name: Goldstein, Emmanuel
Tech Organization:
Tech Street: PO BOX 848
Tech City: MIDDLE ISLAND
Tech State/Province: NY
Tech Postal Code: 11953-0848
Tech Country: US
Tech Phone: +1.6317512600
Tech Phone Ext:
Tech Fax: +1.6317512600
Tech Fax Ext:
Tech Email: emmanuel@2600.COM
Name Server: PHALSE.2600.COM
Name Server: NS1.HE.NET
DNSSEC: unsigned
Registrar Abuse Contact Email: domain.operations@web.com
Registrar Abuse Contact Phone: +1.8777228662
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2024-08-29T00:50:47Z <<<


The results should give you a good amount of information: the registrar, the registrant/admin/tech contacts (name, postal address, phone, and e-mail here), the registrar's abuse contact, and the authoritative name servers for the domain (two here, PHALSE.2600.COM and NS1.HE.NET; older records listed a primary, secondary, and sometimes tertiary server).  Note the DNSSEC line as well: "unsigned" means answers for this zone carry no signatures.  Many registries today redact the contact details behind a privacy service, so don't count on seeing names and phone numbers.

Later we'll be looking at the DNS entries to decide where to focus our attack.  Windoze lusers can use a number of online tools to achieve the same goal.  My personal favorite online package is Sam Spade which can be accessed at: SamSpade.org

Next we'll be working towards a better defined structure or map of the system in question.  One of the best ways to get a good topological picture of the network is a DNS zone transfer.  Zone transfers (AXFR) exist so a secondary name server can pull a complete copy of the zone from the primary master; if the admin of the system is brain-dead enough not to restrict them to the secondaries, anyone can pull that copy.  The zone lists every name the organization has registered along with its address, and often HINFO and TXT records that say what a box is, so you may be able to enumerate a pretty fair description of exactly which box is where.

The axfr tool requests the transfer from your shell and stores the zone in a local database; axfrcat then prints the stored records.  The stock dig and host clients make the same request (dig's axfr query type, or host -l) when pointed at one of the name servers from the WHOIS record.  If the server answers with a refusal or a failed transfer, AXFR is restricted and you're back to guessing names.  You might learn a lot about this system!  Windoze users may choose to use Sam Spade to achieve the same results.
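A zone dump is only useful once it is turned into a per-host picture.  The script below is an added example and not part of the original article: it parses the text that dig's axfr query prints (the zone here is constructed, with made-up names under example.test and documentation addresses) into a map of address to names, attaches the HINFO and TXT records admins leave lying around to the right box, and groups the result by /24.  It assumes dig's five-column "name ttl class type rdata" layout.

```python
"""Added example (not from the article): turn a zone-transfer dump into a
per-host inventory.  Input is the text `dig axfr <zone> @<nameserver>`
prints; the zone below is constructed for the example."""
import ipaddress
from collections import defaultdict

# Constructed zone: made-up names, documentation address ranges.
SAMPLE_AXFR = """\
; <<>> DiG 9.18 <<>> axfr example.test @ns1.example.test
example.test.           3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024082901 7200 3600 1209600 3600
example.test.           3600 IN NS    ns1.example.test.
example.test.           3600 IN MX    10 mail.example.test.
ns1.example.test.       3600 IN A     192.0.2.2
mail.example.test.      3600 IN A     192.0.2.10
mail.example.test.      3600 IN HINFO "SUN-SPARC" "SOLARIS"
www.example.test.       3600 IN A     192.0.2.10
fw.example.test.        3600 IN A     192.0.2.1
dev-box.example.test.   3600 IN A     198.51.100.7
dev-box.example.test.   3600 IN TXT   "test server, do not monitor"
intranet.example.test.  3600 IN CNAME www.example.test.
example.test.           3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024082901 7200 3600 1209600 3600
"""


def parse_zone(text):
    """(name, type, rdata) for every record line; comments are skipped.
    AXFR output repeats the SOA at start and end, which is harmless here."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # name ttl class type rdata
        if len(parts) < 5:
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records.append((name.rstrip(".").lower(), rtype.upper(), rdata.strip()))
    return records


def host_inventory(records):
    """Map each address to the names that resolve to it, plus any HINFO
    (declared hardware/OS) and TXT notes attached to those names."""
    hosts = defaultdict(lambda: {"names": set(), "hinfo": None, "notes": []})
    cnames = {}
    meta = defaultdict(dict)
    for name, rtype, rdata in records:
        if rtype == "A":
            hosts[rdata]["names"].add(name)
        elif rtype == "CNAME":
            cnames[name] = rdata.rstrip(".").lower()
        elif rtype == "HINFO":
            meta[name]["hinfo"] = rdata
        elif rtype == "TXT":
            meta[name].setdefault("txt", []).append(rdata.strip('"'))
    # an alias lives wherever its target lives
    for alias, target in cnames.items():
        for info in hosts.values():
            if target in info["names"]:
                info["names"].add(alias)
    for info in hosts.values():
        for n in info["names"]:
            if "hinfo" in meta.get(n, {}):
                info["hinfo"] = meta[n]["hinfo"]
            info["notes"].extend(meta.get(n, {}).get("txt", []))
    return dict(hosts)


def by_subnet(inventory, prefix=24):
    """Group the inventory's addresses by network, sorted numerically."""
    nets = defaultdict(list)
    for ip in inventory:
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))].append(ip)
    return {net: sorted(ips, key=ipaddress.ip_address) for net, ips in nets.items()}


if __name__ == "__main__":
    inv = host_inventory(parse_zone(SAMPLE_AXFR))
    for net, ips in by_subnet(inv).items():
        print(net)
        for ip in ips:
            info = inv[ip]
            line = f"  {ip:16} {', '.join(sorted(info['names']))}"
            if info["hinfo"]:
                line += f"  HINFO={info['hinfo']}"
            if info["notes"]:
                line += f"  TXT={info['notes']}"
            print(line)
```

Pipe the output of a real dig axfr query into parse_zone and the same functions apply; the interesting lines are the ones where several names share one address (one box, many roles) and the HINFO/TXT records that name the hardware or say "test server."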

Now we'll need to map out the network structure and possible paths into our target network.  We can use traceroute, which can be found at ftp.ee.lbl.gov/traceroute.tar.gz and ships with every *NIX; Windoze has its own as tracert.

With this tool we can identify the path our packets take to the target as well as spot packet-filtering routers, firewalls, etc.  Use the traceroute command followed by the domain to display the hop-by-hop results.  If the network has a firewall or router in front of the target, the hop just before the destination is usually the border device for the entire organization.

Remember though that there may be multiple routing paths.  If a hop prints only asterisks, nothing answered: a firewall or router is dropping your probes (or the ICMP time-exceeded replies on the way back).  traceroute sends UDP probes to high, incrementing ports by default, which is exactly what a filter drops.  Send them to a port the filter has to allow, such as UDP 53, and hold that port fixed instead of letting it increment per probe.  Stock traceroute's -s option sets the source address and does nothing for this; the fixed-port trick was the -S flag of patched traceroutes, and current Linux traceroute has it built in as -U -p 53 (UDP to port 53) or -T -p 80 (TCP SYN to port 80).  Use it in this fashion to dodge the filter:

$ traceroute -U -p 53 206.69.34.22
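To make the border-router guess and the reading of asterisks concrete, here is an added example (mine, not the article's): it parses traceroute's text output, lists the hops that answered with nothing but asterisks, picks the last responder before them as the probable filter, and compares a default UDP trace with one sent to port 53 to show which hops the DNS-port probes got through to.  Both traces are constructed, using documentation address ranges and a made-up host name.

```python
"""Added example (not from the article): read traceroute output, flag the
silent hops, and guess where the packet filter sits.  Both traces are
constructed; addresses are from the documentation ranges."""
import re

TARGET = "203.0.113.22"

# Default UDP trace: everything past hop 4 is dropped until the target itself.
TRACE_UDP = """\
traceroute to 203.0.113.22 (203.0.113.22), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.412 ms  0.380 ms  0.355 ms
 2  198.51.100.1 (198.51.100.1)  9.114 ms  9.020 ms  8.977 ms
 3  198.51.100.254 (198.51.100.254)  18.201 ms  18.150 ms  18.340 ms
 4  border.example.test (203.0.113.1)  25.012 ms  24.900 ms  25.333 ms
 5  * * *
 6  * * *
 7  203.0.113.22 (203.0.113.22)  27.105 ms  26.998 ms  27.250 ms
"""

# Same path with probes held on UDP port 53 (traceroute -U -p 53): the
# filter passes DNS, so the probes expire on the internal hops, which answer.
TRACE_UDP53 = """\
traceroute to 203.0.113.22 (203.0.113.22), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.401 ms  0.377 ms  0.351 ms
 2  198.51.100.1 (198.51.100.1)  9.201 ms  9.050 ms  8.990 ms
 3  198.51.100.254 (198.51.100.254)  18.100 ms  18.220 ms  18.300 ms
 4  border.example.test (203.0.113.1)  25.100 ms  24.950 ms  25.200 ms
 5  203.0.113.2 (203.0.113.2)  25.900 ms  25.800 ms  26.010 ms
 6  203.0.113.14 (203.0.113.14)  26.500 ms  26.450 ms  26.700 ms
 7  203.0.113.22 (203.0.113.22)  27.001 ms  27.120 ms  27.050 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # hop number, rest of line
ADDR_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")   # "(a.b.c.d)" after the name
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")


def parse_traceroute(text):
    """One dict per hop: number, responding address (None if only '*'), RTTs."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # the "traceroute to ..." header
            continue
        number, rest = int(m.group(1)), m.group(2)
        addr = ADDR_RE.search(rest)
        hops.append({
            "hop": number,
            "addr": addr.group(1) if addr else None,
            "rtts": [float(x) for x in RTT_RE.findall(rest)],
        })
    return hops


def filtered_hops(hops):
    """Hop numbers where every probe came back as '*'."""
    return [h["hop"] for h in hops if h["addr"] is None]


def likely_border(hops, target):
    """The last hop that answered before the first silent hop, or before the
    target when nothing is silent: the best guess for the organization's
    border router / packet filter.  None if hop 1 is already silent."""
    prev = None
    for h in hops:
        if h["addr"] is None or h["addr"] == target:
            return prev
        prev = h
    return prev


def unmasked_by(trace_a, trace_b):
    """Hops silent in trace_a that answered in trace_b: trace_b's probes
    (here UDP/53) got past whatever dropped trace_a's."""
    silent = set(filtered_hops(trace_a))
    return [h for h in trace_b if h["hop"] in silent and h["addr"]]


if __name__ == "__main__":
    udp, dns = parse_traceroute(TRACE_UDP), parse_traceroute(TRACE_UDP53)
    print("silent hops (default probes):", filtered_hops(udp))
    print("probable border device:", likely_border(udp, TARGET)["addr"])
    print("reached with UDP/53:", [h["addr"] for h in unmasked_by(udp, dns)])
```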

You can also use VisualRoute if you are so graphically inclined.

VisualRoute provides a pretty accurate representation of the network path geographically (as in globally).  Now we move on to bigger and better things.  We've determined to some degree the way the system is structured and possibly where firewalls and packet-filtering routers may be located.  Now we'll figure out exactly which hosts are up and which services they expose.

We'll be using fping and gping (Windows GPing) to go about doing this.  gping generates the list of addresses in a range and fping pings them all in parallel, far faster than one ping at a time.  You can use these tools in this manner:

$ gping 206.69.34.1.255              # To generate a list of IPs for fping.
$ gping 206.69.34.1.255 | fping -a   # To see if they're "alive."

In this case we're scanning the subnet 206.69.34.0/24, i.e. every host from 206.69.34.1 to 206.69.34.254.

Make sure you cover the whole last octet when sweeping a subnet; a sweep that stops early misses the boxes that matter.  Current fping builds the address list itself with its -g option, so gping is no longer needed.

UNIX scanning should be done with Nmap (undeniably): www.insecure.org/nmap  For Windoze lusers there are a few relatively decent tools out there: Pinger, SolarWinds, WS_Ping Pro Pack, or NetScanTools.

I'll quickly outline the basics of network scanning (host discovery).  At its most basic, it sends an ICMP echo request to every address in the subnet and records which ones answer; an answer means the address is in use and the host is up.  Each tool decides in its own fashion whether a host is "alive."  I'll explain the different methods a little later.

Some networks will block ICMP packets for obvious security reasons through packet-filtering routers or firewalls.  We *NIX users can use Nmap, which offers TCP pings as well as ICMP.  In the Nmap of the day the TCP ping was the -PT option followed by a port (try 80): a host that answers the probe with SYN/ACK or RST is up even though it ignores ICMP.  Current Nmap spells this -PS80 (SYN probe) or -PA80 (ACK probe), with -sn for a discovery-only sweep.

Now that we've decided which hosts are up, we need to determine which TCP and UDP "features" or applications are listening on our target IP, what versions of these applications are running, and what Operating System (OS) is running.  We start by executing a "port scan."  Like host discovery, port scanning can be done in several ways, which differ in how much of a TCP connection they complete.

The most common scanning technique is the TCP connect scan.  The scanner sends a SYN packet; a listening port responds with a SYN/ACK, the scanner responds with an ACK, and the three-way handshake completes: a real connection, made with the OS's ordinary connect() call.  A closed port answers the SYN with an RST instead.  It needs no special privileges, which is why it's most common, but the completed connection shows up in the application's logs, so it is very easily detected.

The second most common scanning technique is TCP SYN scanning or "half-open scanning."  No full connection is made: the scanner sends a SYN and reads the reply, a SYN/ACK if the port is listening or an RST/ACK if it isn't, then tears the attempt down with an RST instead of finishing the handshake.  The application never sees a connection, so it most probably doesn't log one, though a firewall or IDS watching the wire sees the SYN just the same.  Crafting the raw packets requires root.

The other scanning methods include TCP FIN scanning, TCP X-mas tree scanning, UDP scanning, and others.  I won't really go into these but you can email me about them if you're very curious.  (Don't worry, I won't bite.  Not for being interested anyway.)
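The TCP ping that finds hosts behind an ICMP filter and the connect scan that tells open from closed both come down to the same connect() call, so here is one added example (not from the article) that does both with plain sockets and no root.  A SYN scan needs raw sockets and is not shown; this is the noisy connect scan.  The target is a throw-away listener on 127.0.0.1 that the script starts itself, and the article's 206.69.34.0/24 appears only as input to the address generator; nothing on that network is touched.

```python
"""Added example (not from the article): host discovery and a TCP connect
scan with plain sockets, no root required.  A throw-away listener on
127.0.0.1 stands in for the target so the example runs offline."""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def expand_range(cidr):
    """All host addresses in a subnet: what gping produced for fping."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def tcp_probe(host, port, timeout=1.0):
    """One connect() probe, i.e. a full three-way handshake.

    open      SYN/ACK came back and the handshake completed
    closed    the host answered with RST: alive, nothing listening there
    filtered  no answer: a packet filter dropped the probe, or host is down
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # timeout, no route, network unreachable, ...
        return "filtered"
    finally:
        s.close()


def tcp_ping_sweep(hosts, port=80, timeout=1.0, workers=64):
    """Host discovery for networks that drop ICMP (Nmap's TCP ping):
    any host that answers the SYN at all, SYN/ACK or RST, is up."""
    def probe(h):
        return h, tcp_probe(h, port, timeout) in ("open", "closed")
    with ThreadPoolExecutor(max_workers=workers) as ex:
        return [h for h, up in ex.map(probe, hosts) if up]


def connect_scan(host, ports, timeout=1.0, workers=64):
    """Connect scan of several ports; returns {port: state}.  Every open
    port hit here shows up in the target's application logs."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        states = ex.map(lambda p: tcp_probe(host, p, timeout), ports)
        return dict(zip(ports, states))


def start_test_listener():
    """Constructed target: a loopback service that accepts and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port():
    """A loopback port nothing listens on (bind, read it back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_test_listener()
    closed_port = find_closed_port()
    print("hosts in 206.69.34.0/24:", len(expand_range("206.69.34.0/24")))
    print("alive via TCP ping on a closed port:",
          tcp_ping_sweep(["127.0.0.1"], port=closed_port))
    print("connect scan:", connect_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

The point of the sweep is that a RST counts as "alive": a host that refuses the connection still proved it is there, which is what the ICMP-blocking firewall was trying to hide.  Against a real network the "filtered" result is the interesting one, since it marks ports a filter is protecting rather than ports that are simply closed.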

There are a few stellar tools out there for port scanning including udp-scan which is found in SAINT, NetCat, and PortPro and PortScan for Windoze (www.securityfocus.com).

We'll be using Nmap because it's absolutely positively the greatest thing to come along for hackers' use and abuse since coffee.  Nmap offers a wide variety of TCP and UDP options when scanning.

For SYN scanning use the -sS option followed by the IP address.  You can "fragment" packets (not as easily detectable by routers) with the -f option.

The ping sweep (host discovery without a port scan) is the -sP option followed by the IP range in the Nmap of the day, -sn in current versions; -sF is the FIN scan, a different thing altogether.  We can also hide among decoys with the -D option, which takes a comma-separated list of decoy source addresses (ME marks where your real address goes in the order) and is followed by the target.  How elite can this get?

# nmap -sS -f -D decoy1,decoy2,ME 206.69.34.22

'Nuff said.

Now we really really need to identify the operating systems behind the target system as well as the applications.  We can spot tell-tale signatures of operating systems with a little determination and homework, because vendors implement their TCP/IP stacks differently wherever the RFCs leave room for interpretation, and those differences show up on the wire.

For instance, the operating system is probably Windows NT if ports 139 and 135 are open.  If 139 is open but not 135, the system is probably Windows 95/98.  If many applications are run, it's probably some flavor of UNIX.  Some tell-tale open port signs of a *NIX box include the Berkeley r-commands (512-514), NFS (2049), portmapper (111), and really high port numbers (like over 32000 or so).

Stack snooping, usually called stack fingerprinting, is a powerful technique that will allow you to determine each host's operating system with a good degree of probability.  For more on how TCP/IP stack differences are probed refer to: www.insecure.org/nmap/nmap-fingerprinting-article.html

Stack snooping covers many complicated probes for operating system enumeration: FIN probing, bogus flag probing, ISN sampling, ACK value checks, ICMP error message echoing integrity, TOS (type of service), TCP options, etc.  Each probe is sent to the host and the exact reply (or silence) is compared against a database of known stacks.

Nmap employs all of these techniques with the -O option.  OS detection needs at least one open and one closed TCP port to work well, so give -O a port range to scan rather than a single port (a lone -p80 hurts it).  The signature database ships with Nmap, so keep Nmap itself current; the submission form (www.insecure.org/cgi-bin/nmap-submit.cgi) is where you send fingerprints for hosts it couldn't identify.
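ISN sampling is the one probe in that list that can be shown without a network.  Here is an added example (not from the article, and not Nmap's code) that takes a handful of initial sequence numbers collected from successive SYN/ACKs and sorts the generator into the classes Nmap's fingerprinting article describes (constant, 64K rule, fixed increment, time dependent, random increments), then predicts the next ISN when the generator is predictable.  The three sample sets are constructed, not measured from any real host, and the 12-bit spread cut-off is my own threshold.

```python
"""Added example (not from the article): classify a TCP ISN generator from
sampled initial sequence numbers.  A real sampler opens several connections
in quick succession and records the ISN from each SYN/ACK; the samples here
are constructed."""
import math
from functools import reduce
from math import gcd
from statistics import pstdev

MOD = 2 ** 32   # sequence numbers wrap at 32 bits


def isn_deltas(isns):
    """Differences between successive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def isn_profile(isns):
    """Return (klass, increment, spread_bits).

    klass        generator class in the terms of the Nmap fingerprinting article
    increment    the fixed step when there is one, else the GCD of the steps
    spread_bits  log2 of the standard deviation of the steps, a rough
                 entropy estimate (Nmap's SP index is built the same way)
    """
    if len(isns) < 3:
        raise ValueError("need at least three samples")
    d = isn_deltas(isns)
    step = reduce(gcd, d)
    sd = pstdev(d)
    spread_bits = 0.0 if sd == 0 else math.log2(sd)
    if all(x == 0 for x in d):
        return "constant", 0, spread_bits            # e.g. old printers, hubs
    if all(x == d[0] for x in d):
        if d[0] == 64000:
            return "64K rule (many old UNIX stacks)", d[0], spread_bits
        return "fixed increment", d[0], spread_bits
    if spread_bits < 12:                             # assumed cut-off
        # small jitter around a coarse step: a generator that adds a fixed
        # amount per clock tick, sampled at slightly uneven intervals
        return "time dependent", step, spread_bits
    return "random increments", step, spread_bits


def predict_next(isns):
    """The attacker's payoff for a predictable generator: the next ISN,
    which is what blind TCP spoofing needs.  None when it looks random."""
    klass, inc, _ = isn_profile(isns)
    if klass in ("constant", "fixed increment") or klass.startswith("64K"):
        return (isns[-1] + inc) % MOD
    return None


# Constructed samples, not measurements of any real host.
SAMPLE_OLD_UNIX = [1000, 65000, 129000, 193000, 257000]
SAMPLE_TIME_DEPENDENT = [5000, 5128, 5256, 5512, 5640, 5768]
SAMPLE_RANDOM = [0x1A2B3C4D, 0x9F8E7D6C, 0x0BADF00D, 0x7F3C2A11, 0xDEADBEEF]

if __name__ == "__main__":
    for label, s in (("old UNIX", SAMPLE_OLD_UNIX),
                     ("time dependent", SAMPLE_TIME_DEPENDENT),
                     ("random", SAMPLE_RANDOM)):
        klass, inc, bits = isn_profile(s)
        print(f"{label:15} {klass:32} step={inc:<8} spread={bits:5.1f} bits"
              f"  next={predict_next(s)}")
```

The 64K and fixed-increment cases are exactly why the probe matters beyond fingerprinting: a stack whose next ISN you can name is one whose connections you can forge without seeing the SYN/ACK.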

There are a couple of other tools that I like to use in addition to nmap that make life a little easier at times (not always).  QueSO only does OS detection but does a good job.  Cheops is an awesome program that provides a graphical representation of OS enumeration (www.marko.net/cheops).

Well, now you should have as much information as you'll ever get from your *cough* victim *cough*.

Have fun and always remember that snooping is what separates the elite from the kiddies.
