- Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodological manner.
- Footprinting is one of the three pre-attack phases. The others are scanning and enumeration.
- Footprinting results in a unique organization profile with respect to networks (Internet / Intranet / Extranet / Wireless) and systems involved.
Footprinting – Attack Methods
The attacker may choose to source the information from:
- A web page (save it offline, e.g. using an offline browser such as Teleport Pro).
- Yahoo or other directories. (Tifny is a comprehensive search tool for USENET newsgroups.)
- Multiple search engines (All-in-One, Dogpile). groups.google.com is a great resource for searching large numbers of newsgroup archives without having to use a tool.
- Using advanced search (e.g. AltaVista).
- Search on publicly traded companies (e.g. EDGAR).
- Dumpster diving (To retrieve documents that have been carelessly disposed)
- Physical access (false ID, temporary/contract employees, unauthorized access, etc.)
Active Stack Fingerprinting: This technique is called OS fingerprinting
- Fingerprinting is done to determine the remote OS
- Allows attacker to leave smaller footprint and have greater chance to succeed
- Based on the fact that various OS vendors implement the TCP stack differently
- Specially crafted packets are sent to the remote OS and the response is noted. This is compared with a database to determine the OS.
- Passive fingerprinting is also based on the differing implementation of the stack and the various ways an OS responds to it.
- However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host and studies them for telltale signs that can reveal the OS.
- Passive fingerprinting is less accurate than active fingerprinting.
What is Enumeration?
- If acquisition and non-intrusive probing have not turned up any results, then an attacker will next turn to identifying valid user accounts or poorly protected resource shares.
- Enumeration involves active connections to systems and directed queries.
- The type of information enumerated by intruders:
  - Network resources and shares
  - Users and groups
  - Applications and banners
- SNMP is simple. Managers send requests to agents, and the agents send back replies.
- The requests and replies refer to variables accessible to agent software.
- Managers can also send requests to set values for certain variables.
SNMP Enumeration Countermeasures
Do not install the management and monitoring Windows component if it is not going to be used. If it is required, ensure that only legally authorized persons have access to it; otherwise it might turn into an obvious backdoor. Edit the Registry to permit only approved access to the SNMP community name.
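
To check the Registry countermeasure above on a host, the following added example (not part of the original notes) audits an exported copy of the Windows SNMP service settings. The key names ValidCommunities and PermittedManagers are the SNMP service's registry subkeys and do not appear in the notes; the export text and the community name "ops-ro-7f3k" are constructed sample data.

```python
import re

# Constructed .reg export of the Windows SNMP service settings (sample data).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000004
"ops-ro-7f3k"=dword:00000004
"private"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
'''

DEFAULT_NAMES = {"public", "private"}   # widely known default community names
WRITE_RIGHTS = {8, 16}                  # 8 = READ WRITE, 16 = READ CREATE (4 = READ ONLY)
BASE = r"\services\snmp\parameters" + "\\"

def parse_reg(text):
    """Return {lowercased key path: {value name: raw data}} from .reg text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"([^"]*)"=(.+)', line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
        elif value and current is not None:
            current[value.group(1)] = value.group(2)
    return keys

def audit_snmp(text):
    """Return (finding, subject) tuples for weak SNMP community settings."""
    keys = parse_reg(text)
    def subkey(name):
        return next((v for k, v in keys.items() if k.endswith(BASE + name)), {})
    findings = []
    for name, raw in subkey("validcommunities").items():
        if name.lower() in DEFAULT_NAMES:
            findings.append(("default-community", name))
        if raw.startswith("dword:") and int(raw[6:], 16) in WRITE_RIGHTS:
            findings.append(("write-access", name))
    # With no PermittedManagers values the service accepts requests from any host.
    if not subkey("permittedmanagers"):
        findings.append(("any-host", "PermittedManagers"))
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_REG):
        print(finding)
```

An empty result means every community name is non-default and read-only, and requests are limited to the listed manager hosts.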