Posted on by

Network footprinting for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost Footprinting Guide, you learnt about different types of Footprinting that is performed by hackers and pen testers to gather information about their target. One of the important types of footprinting is Network Footprinting.

What is Network Footprinting?

It is gathering information about the target’s network like ranges of IP addresses used by the target organization, IP address blocks etc. This Footprinting can be considered as a last step before making initial contact with the target using network scanning. This also allows attackers to map the target network.

How to perform Network Footprinting?

Information like range of IP addresses can and their subnet masks can be found out from the Regional Internet Registries (RIR’s) and some other sites given below.

  1. Whois.arin.net – ARIN whois search
  2. Apnic.net/about-apnic/whois_search (APNIC)
  3. AFRINIC whois
  4. LACNIC whois
  5. RIPE whois search
  6. Bgp.he.net.

Apart for these, there is also a tool called Samspade that can be used to perform this footprinting.

traceroute and tracert

Traceroute and tracert are computer network diagnostic commands that display possible route (or path), the packets take to reach their intended target on network. These commands utilize the TTL field in the header of ICMP packets to discover the routes on the path of a target network or system.

That’s all in gathering information about Network.

Posted on by

Email analysis for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, you have learnt what is footprinting and various methods to perform footprinting. One such type of Footprinting is Email Footprinting or Email analysis.

What is Email Footprinting?

Email analysis is gathering information from emails. This can be done in two ways. Email Tracing and Email Tracking.

Email Tracking: Email tracking is done when we send an email to a target and then track them.   
Email Tracing: Email racing is performed on an email that we receive from our target.   

This article deals with Email tracing.

What information does Email Footprinting reveal?

Email Footprinting can reveal information like

  1. Email address of the sender.
  2. Name of the sender.
  3. IP address of the sender
  4. Posts active sender
  5. Geo location
  6. Mail server
  7. Mail server authentication system being used etc. and much more information that can be useful in a pen test.

How to perform Email Footprintig?

Email Footprinting can be performed either manually or using tools or other online sources. For this blogpost, let’s focus on manual analysis as automated tools can be used by script kiddies too. To perform email footprinting, we need to view the header of the received email. How to view the header of any email? Let’s see an example of a mail received on Gmail. Go to your Inbox and open a mail.

Go to the vertical dots (move button) at the top right of the email and click on it.

Click on “show original”.

This should show you the entire Email headers of the mail.

Let’s learn about each header.

Delivered To: Email address to whom the mail has been delivered.

Received: This header indicates all the SMTP servers through which this email has passed through before reaching to your Inbox. This contains server’s IP address, SMTPID etc.

X-Google-SMTP-source: shows the transferring email using a Gmail SMTP server. If this header is present then it means this was transferred by GMAIL SMTP server.

X-Received-BY: This header indicates the last visited SMTP server before reaching your Inbox. It contains Server IP address, SMTP ID of the visited server and Date & time when the email was received by the SMTP server.

ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results: ARC stands for Authenticated Receiver Chain (ARC). This is used to preserve email authentication results and to verify the identity of email intermediaries that forward a manage to its final destination (i.e. your Inbox).

Smtp-mailfrom: You can see the IP address of the sender of the email.

Return-Path: This is the path specified to go when email is bounced or not sent.

Received SPF:  SPF stands for Sender Policy Framework. This is used to prevent sender address forgery. It SPF is set to PASS, the Email source is valid, if it is softfail, it is likely the email source is fake and if it is having value Fail, source is invalid.

This is how Email analysis is performed.

Posted on by

Heartbleed vulnerability explained

Hello, aspiring Ethical Hackers. In this blogpost, you will learn about Heartbleed vulnerability. This bug was publicly disclosed in 2014 and is rated as one of the most critical security vulnerabilities of the last decade.

What is Heartbleed bug?

Heartbleed is a buffer overread vulnerability that exists in an implementation of an extension in OpenSSL cryptography library. This OpenSSL library is widely used in Transport Layer Security (TLS) protocol. The name of the extension which is used in this OpenSSL library is heartbeat. Hence the name of the bug. Heartbleed can be exploited even if vulnerable OpenSSL is not running as a TLS server or client. In a buffer-over-read vulnerability, more data can be read than usually allowed. See how SSL/TLS works. By exploiting this vulnerability, the private key of the SSL certificate can be read.

Practical Walkthrough

Let’s see how this works. For demonstrating this, I will be using a Vulhub lab to setup a vulnerable instance of heartbleed as shown below.

Once the vulnerable instance is ready, I start Metasploit & load the heartbleed module.

I set the IP address and execute the module.

The module is by default set to scan for the vulnerability and it does exactly that. Apart from this action, this module has other actions.

For example, the “dump” action dumps the content of the memory.

When we set the action to “key”, the private key of the SSL server gets dumped.

Real World Examples

At the time of public disclosure of heartbleed, almost 17% of total web servers were found vulnerable to heartbleed, including Google, Yahoo, DropBox, Facebook etc. Here are some Real-world examples of the exploitation of the heartbleed bug.

Mumsnet:

Mumsnet is a parenting site in United Kingdom. Cyber thieves have obtained passwords and personal messages from Mumsnet by exploiting heatbleed in 2014. Mumsnet has over 1.5 million registered members and there is no idea how many details got hacked.

Canada Revenue Agency:

Social Insurance members of over 900 taxpayers were stolen from Canada Revenue Agency by exploiting heartbleed bug within a 6 hours period on 8 April 2014.

Mitigation and Prevention

The bug was fixed by updating to the latest version of OpenSSL version 1.0.1-9. This version adds bounds check to prevent buffer over read.

Posted on by

DNS footprinting for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost of Footprinting guide, you learnt about various techniques of Footprinting. In this blogpost, you will learn about DNS Footprinting which is one of the techniques of Footprinting. But first, what is DNS? DNS stands for Domain Name Service. In simple terms, DNS is like translation service between humans & browsers. Why do I say so?

Let me explain you. You open a browser and type a domain name (ex:hackercool.com) to visit a website. Web browsers have no idea about this domain name or for that matter any domain name because web browsers communicate with servers through Internet Protocol addresses. Then how web browsers take you to the website you want. Thanks to DNS (Domain Name Service) translates domain names to IP addresses. Lean more about how DNS works here.

What is DNS Footprinting?

DNS Footprinting is a technique in which attackers gather DNS information about the target system. A DNS server stores information such as DNS domain names, computer names, IP addresses and other network related information. It also has some records that are important. Here are the types of records a DNS server can have.

How does it help in Pentesting?

DNS Footprinting can reveal other information about server related to the network and in some cases expose entire Zone data. DNS Footprinting is very simple. Let’s show you two tools popular for DNS footprinting. The first tool is nslookup. Here’s how to use nslookup to query about a domain.

We can even query for a specific type of record using nslookup. Let’s query specifically for “NS” and “MX” records.

There is another tool named DIG that can be used for DNS lookup.

This tool can also be used to query for a specific type of records as shown below.

Posted on by

Google Hacking for beginners – Part 1

Hello, aspiring Ethical Hackers. In our previous blogpost on Footprinting, you learnt that hackers gather information about their targets using search engines. In this blogpost you will learn about Google Hacking or Google Dorking. Who doesn’t know what Google is. Just for this article’s sake, let me define what it is. Google is the most popular Search Engine that provides answers for anything we want, almost anything. Just a click away.

Google is already an awesome search engine but to make the search engine more precise it has some advanced operators. In other words, searching with some special operators allows Google to provide exact information we want. These are known as Google Dorks. The basic syntax of a Google Dork is,

Operator : term to search or URL

Ex: intitle:hackercool

Some of the important Google operators are.

  • intitle
  • allintitle
  • inurl
  • related
  • allintext
  • cache
  • define
  • allinurl
  • intext
  • site

Let’s learn about each of them in detail.

1. intitle

This query will return all the webpages which have term “hackercool” in the title of the webpage.

2. allintitle

Same as “intitle” but will show pages containing all the multiple keywords specified.

3. inurl

The “inurl” query returns all the webpages containing the specified keywords in their URL.

4. allinurl

Same as “inurl” but can be used to search for multiple keywords in the URL.

5. define

The “define” query can be used to search for a definition of any keyword you specify.  For example, let’s search for the definition of hackercoolmagazine.

6. related

The “related” dork of Google is used to search for a website similar to the site you specify.

For example, in the above image, we search for sites related to Facebook and Google has returned similar networking sites like Twitter, Pinterest, LinkedIN. Note that this google dorks only takes websites as keywords.

7. cache

The cache query returns the latest cached version of the website Google has stored. This dork too needs website as keyword.

8. intext

The “intext” query returns all the webpages having like specified “text” in their content.

9. allintext

The “allintext” query is same as “intext” but can be used to search webpages having multiple keywords in their content.

10. site

The “site” query is useful in limiting your search to a particular website.

Read Part 2 of Google Hacking.