
CEH Exam Module 3: Footprinting

We covered the first module. I skipped the second one since you can read that law section in your study book or anywhere else. I may write a post about it later.

Footprinting is one of the most important steps in hacking. You need to know what your targets are capable of. Do they have an IDS? Do they have a firewall? What are the firewall rules? Who is their system admin? What is his e-mail address? …

There are lots of sites where you can gather info. My favorites are Google, archive.org, and Pipl.

Footprinting Tools

For your CEH exam you need to know a bunch of footprinting tools. I cannot mention all of them here, but I will cover the most important ones.

Google: Google as a hacking tool? Yes, Google can be used as a hacking tool. However, you need to know how to make effective searches.

I.) Phrase search (“”): By putting double quotes around a set of words, you are telling Google to consider the exact words in that exact order without any change. This is useful if you need exact strings in your search.

II.) Search within a specific website (site:): Google allows you to specify that your search results must come from a given website. For example, the query nessus site:nytimes.com will return pages about nessus but only from nytimes.com. This can be very useful if you already know what site can give the best info about your target.

III.) Terms you want to exclude (-): Attaching a minus sign immediately before a word indicates that you do not want pages that contain this word to appear in your results. The minus sign should appear immediately before the word and should be preceded by a space. For example, in the query anti-virus software, the minus sign is used as a hyphen and will not be interpreted as an exclusion symbol; whereas the query anti-virus -software will search for the word ‘anti-virus’ but exclude references to software.

IV.) Fill in the blanks (*): The *, or wildcard, is a little-known feature that can be very powerful. If you include * within a query, it tells Google to try to treat the star as a placeholder for any unknown term(s) and then find the best matches. For example, the search Google * will give you results about many of Google’s products. Note that the * operator works only on whole words, not parts of words. A few combined example queries follow below.
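Putting these operators together is where Google really becomes a footprinting tool. Here are a few example queries against a made-up target, example.com (a placeholder domain, not a real engagement):

"index of" site:example.com
site:example.com -site:www.example.com
"powered by *" site:example.com

The first query hunts for open directory listings on the target, the second lists indexed pages on subdomains other than www, and the third looks for pages that leak software banners such as "powered by …".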

Whois: Whois is an important tool that can list very important information about websites, such as e-mail addresses, contact names, phone numbers, and the expiration date of the domain. On your Linux machine you can run whois domainName and get details of the domain. You can also use whois.com.
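For example, on a Linux machine (example.com here is just a placeholder domain):

whois example.com
whois example.com | grep -iE 'registrar|name server|expiry'

The first command dumps the full registration record; the second filters it down to the registrar, name servers, and expiration date. The exact field names vary from registry to registry, so adjust the grep pattern if needed.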

Whatismyipaddress.com: This is a website that gives details about a given IP address.

Traceroute: With traceroute you can get some information about the network. Traceroute lists the routers between you and the target. This can be really useful information if you launch a network attack against a router.
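For example (again with example.com as a placeholder target):

traceroute www.example.com      (Linux/macOS)
tracert www.example.com         (Windows)

Each line of the output is one hop, i.e. one router on the path, together with its round-trip times; the hops closest to the end of the list usually sit inside or next to the target's own network.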

Nslookup/host/dig: All of these tools do the same job: list IP addresses for a given domain name. They basically query DNS servers.

For example, if you want to learn the IP address of google.com, type

C:\Users\ismail> nslookup google.com
Server:
Address:
Non-authoritative answer:
Name:    google.com
Addresses:  74.125.227.16
74.125.227.17
74.125.227.18
74.125.227.20
74.125.227.19

Dig has more capabilities than just giving you the IP address of a domain (that much you can also do simply by pinging the server, right?).
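A few useful queries, using google.com as the lookup target just like the nslookup example above:

host google.com
dig google.com A +short
dig google.com MX +short
dig google.com NS +short

host gives the same quick answer as nslookup, while the dig queries pull the A (address), MX (mail server), and NS (name server) records; +short trims the output down to just the answers.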

There is a good article on the Slicehost website that covers some details of dig.

robots.txt: The Robots Exclusion Standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a website which is otherwise publicly viewable. Robots are often used by search engines to categorize and archive web sites, or by webmasters to proofread source code. The standard is unrelated to, but can be used in conjunction with, Sitemaps, a robot inclusion standard for websites.

As an ethical hacker, you can check whether the web server has a robots.txt file by looking at www.example.com/robots.txt. Some system admins think that disallowing search engines from crawling directories that may hold sensitive information is a security measure that prevents others from seeing these directories in search results. HOWEVER, listing your sensitive directories in robots.txt just makes hackers focus on those directories and, even worse, you are already telling them where to attack…
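For example, a robots.txt like the following (a made-up sample, not taken from any real site) hands an attacker a shortlist of interesting paths:

User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/

You can fetch it with a single request, for instance curl -s http://www.example.com/robots.txt, and every Disallow line points at a directory the admin apparently did not want anyone looking at.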

I would not recommend relying on robots.txt for this. Instead, secure these important directories with encryption or access control methods.

As an ethical hacker, always check robots.txt, because there are lots of system admins who do not know security very well.

Summary

Footprinting is an important phase of hacking. In this phase, the goal is to get as much information as possible about the target. This information will be a critical part of the attack vectors used in the next phases.

There are many more tools than what I covered here. You need to know them for the CEH exam. I will also cover more of them later.

Tip: Study active and passive footprinting, and know the difference.