What information constitutes sensitive information? What information, if found uncontrolled and unprotected, can be used to hack a system? A single piece of information standing alone may have no value to an attacker. Collections of small tidbits of data about a target, however, can eventually add up to an attack plan focused on one or more vulnerabilities.
This tip discusses the concept of footprinting and how this basic technique can help security teams determine whether publicly available information could be used to gain unauthorized access to their systems or to mount cyberattacks.
What does a malicious hacker do?
There are five different phases of a cyberattack. The classic approach is shown in Figure 1 below from the Ethical Hacking and Countermeasures course delivered by the EC-Council.
The five distinct phases include:
- Reconnaissance: This is where the attacker gathers information about a target using active or passive means. Finding a network diagram on the street or in a dumpster is a form of passive reconnaissance.
- Scanning: In this phase, the attacker begins to actively probe the target for vulnerabilities that can be exploited. Physical scanning includes checking doorknobs to see if they are locked, walking the fence line, etc. Cyber scanning includes Nmap port scans, Nessus vulnerability scans, etc.
- Gaining access: If a vulnerability is detected, the attacker can exploit it and gain access to the system.
- Maintaining access: Once attackers gain access, they usually try to maintain that access long enough to complete the purpose of the entry.
- Clearing tracks: Removing evidence of the entry.
What is footprinting?
As noted above, the first step in this attack process is reconnaissance. Here the attacker wants to gather as much information as possible about a target prior to actually launching the attack.
The exact approach varies between attackers. Some simply try the first vulnerability they identify -- such as an unlocked door on a house -- and attack. More sophisticated attackers take time to gather large quantities of information about the target before making their next move.
Reconnaissance can be either active or passive. Active reconnaissance can be readily detected by the target organization -- a rattling doorknob or someone lurking outside the fence line, for example. Passive reconnaissance collects information quietly, with minimal or no detectable indication to the target.
Footprinting is a form of reconnaissance. According to the EC-Council in its Certified Ethical Hacker course, footprinting is: "the blueprinting of the security profile of an organization undertaken in a methodological manner. Footprinting is one of the three pre-attack phases. The others are scanning and enumeration."
The term blueprinting is used because compilation of the data collected results in a unique system profile of the organization.
The process is methodological because the critical information is gathered in a recipe-like fashion: each piece of information is sought and collected based on a previous discovery.
Key points to consider for footprinting are:
- There is no single methodology or checklist for footprinting.
- Footprinting needs to be carried out precisely and in an organized manner to be effective -- especially for cyberattacks and/or complex systems and environments.
- A common rule of thumb holds that an attacker spends about 90% of the time profiling an organization and only 10% actually launching the attack.
- Footprinting results in a unique organization profile with respect to networks (Internet, intranet, extranet, wireless) and systems involved.
- Most information captured during the footprinting process can be sought and collected within legal boundaries.
Open source footprinting
This is the easiest, safest and most clearly legal way to find information about a company and its physical and cyber assets. It usually involves time on the Internet: Whois lookups of domain registrations and IP address ranges, Shodan searches for Internet-facing industrial control systems, etc. Physical access to discarded data, such as dumpster diving, can also provide useful information.
Some examples of how to collect information about the target include:
- View the company website and all associated links. Look for contact information, phone numbers, email addresses, partners, alliances, etc.
- If the company is publicly traded, look it up in databases such as the SEC's EDGAR or Dun & Bradstreet.
- View data on the company using Whois, an example of which is included below. Another place to capture domain registration data is whois.icann.org, from the Internet Corporation for Assigned Names and Numbers (ICANN).
- Company URL: Find the company's main website with an Internet search engine, such as Google.
- Internal URL: Internal URLs are usually private and used only by employees or internal contractors, and these addresses are seldom revealed outside the company. During footprinting, however, you can guess likely internal hostnames, check whether they resolve and respond, and, if they are exposed, attack them. For example, starting from http://www.xcompany.com, try http://intranet.xcompany.com, or https://owa.xcompany.com for Outlook Web Access email.
- Internet Archive: A little-known resource is the Internet Archive, where, using the Wayback Machine, you can enter a website address and in most cases find a collection of archived versions of its pages. An attacker can use this to locate historical information and to identify changes to webpages. Older pages, published when webpage discipline was looser, sometimes contain information valuable to the attacker that has since been removed from the live site.
- People search: This helps the attacker collect personal information on corporate executives, network administrators, etc. Websites such as Intelius.com can assist. Once you find the home address of an executive under analysis, you can use tools such as Zillow to examine the home via satellite view, along with any personal information posted on the site.
- Google Earth: Google Earth allows the attacker to gain views of the physical facility to be attacked. Below are some examples of photos of an anonymous substation that show what can be captured for footprinting without even visiting the site.
- Job postings and want ads: Another form of footprinting is reviewing want ads and job postings for the company being targeted. Attackers can identify the company's infrastructure through these postings: the software, hardware, industrial controls and other network-related details it runs. For instance, if a company wants to hire a network administrator or server administrator, the requirements listed for the position may contain substantial information useful for developing the attack.
An example of a job posting that could reveal some possible attack pathways and vulnerabilities is shown below:
- Competitive intelligence gathering: This is the process of gathering information about a company from resources on the Internet and in libraries. It can be done using a variety of techniques and databases, such as EDGAR, Dun & Bradstreet, the local Business Journal databases, etc. A list of 50 competitive intelligence techniques is available at Competia.
- Shodan: Shodan is a search engine that lets you find specific types of computers on the Internet using a variety of filters. Some have also described it as a search engine of service banners, which are the metadata a server sends back to a client. A banner can reveal the server software and version, the options the service supports, a welcome message, or anything else a client can learn before interacting further with the server.
Shodan is an effective way of identifying Internet-facing industrial control systems that are vulnerable to attack. Essentially, it is a Google-like search engine for exposed industrial control devices and the weaknesses their banners reveal.
- Social engineering: Social engineering is a term of art for a nontechnical kind of intrusion that relies heavily on human interaction -- and the willingness of people to help each other -- and often involves tricking others into breaking normal security procedures. The attacker must be careful to avoid being recognized as a potential intruder. This technique for footprinting a company has been performed successfully by individuals such as Kevin Mitnick and Ira Winkler.
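The internal-URL guessing and the banner-reading that Shodan automates, from the two list items above, can be scripted together. The following is an added example (not code from the original article or from the EC-Council course): it generates likely hostnames for a target domain from an assumed prefix wordlist, resolves them, grabs a banner from each responding host, and extracts the software identification from HTTP `Server:` headers and SSH version strings. The resolver and connector are injectable, so the run at the bottom uses constructed DNS answers and banners and never touches a network; the domain `example.com`, the 203.0.113.0/24 addresses and the banners shown are all made up for the illustration.

```python
"""Footprinting helper (added example): guess likely internal hostnames for a
target domain, resolve them, and pull a service banner from any host that
answers. The DNS resolver and the TCP connector are injectable so the logic
can be exercised offline against constructed data.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# Hostname prefixes attackers commonly try for a company's internal services.
# Assumed wordlist: extend it with names harvested from job postings, email
# headers, and archived pages from the Wayback Machine.
DEFAULT_PREFIXES = ["www", "intranet", "owa", "mail", "vpn", "remote", "webmail",
                    "portal", "dev", "staging", "scada", "hmi"]

ResolverFn = Callable[[str], str]        # hostname -> IPv4 string, or raises
BannerFn = Callable[[str, int], bytes]   # (host, port) -> raw banner bytes


def candidate_hostnames(domain: str, prefixes=DEFAULT_PREFIXES) -> List[str]:
    """Build the guess list: prefix.domain for each prefix."""
    return [f"{p}.{domain}" for p in prefixes]


def resolve_hosts(hostnames, resolver: ResolverFn = socket.gethostbyname) -> Dict[str, str]:
    """Return {hostname: ip} for every name the resolver can answer."""
    found = {}
    for name in hostnames:
        try:
            found[name] = resolver(name)
        except OSError:  # socket.gaierror/herror: NXDOMAIN or resolver failure
            continue
    return found


def tcp_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Real banner grab: connect, send a minimal HTTP probe on web ports, read the head."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return s.recv(1024)


SERVER_RE = re.compile(rb"^Server:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)
SSH_RE = re.compile(rb"^SSH-\d\.\d-(\S+)")


def parse_banner(raw: bytes) -> Optional[str]:
    """Pull the software identification out of an HTTP or SSH banner, else None."""
    m = SERVER_RE.search(raw)
    if m:
        return m.group(1).decode(errors="replace").strip()
    m = SSH_RE.match(raw)
    if m:
        return m.group(1).decode(errors="replace")
    return None


def footprint(domain, ports=(22, 80), resolver: ResolverFn = socket.gethostbyname,
              grab: BannerFn = tcp_banner) -> Dict[str, dict]:
    """Enumerate -> resolve -> banner-grab -> parse, returning one entry per live host."""
    report = {}
    for name, ip in resolve_hosts(candidate_hostnames(domain), resolver).items():
        services = {}
        for port in ports:
            try:
                ident = parse_banner(grab(ip, port))
            except OSError:  # refused, timed out, unreachable
                continue
            if ident:
                services[port] = ident
        report[name] = {"ip": ip, "services": services}
    return report


# --- Constructed offline data so the example runs without touching a network ---
FAKE_DNS = {"www.example.com": "203.0.113.10",
            "owa.example.com": "203.0.113.25",
            "vpn.example.com": "203.0.113.30"}
FAKE_BANNERS = {
    ("203.0.113.10", 80): b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n",
    ("203.0.113.25", 80): b"HTTP/1.1 302 Found\r\nServer: Microsoft-IIS/10.0\r\nLocation: /owa/\r\n\r\n",
    ("203.0.113.30", 22): b"SSH-2.0-OpenSSH_7.4\r\n",
}


def fake_resolver(name: str) -> str:
    """Stand-in for socket.gethostbyname backed by the constructed table."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"{name}: NXDOMAIN")


def fake_grab(host: str, port: int) -> bytes:
    """Stand-in for tcp_banner backed by the constructed banners."""
    try:
        return FAKE_BANNERS[(host, port)]
    except KeyError:
        raise ConnectionRefusedError(f"{host}:{port}")


if __name__ == "__main__":
    for host, info in footprint("example.com", resolver=fake_resolver, grab=fake_grab).items():
        print(host, info["ip"], info["services"])
```

Against a real target, call `footprint("target.example")` with the default resolver and connector; the hostnames that resolve and the software versions in their banners are exactly the kind of small tidbits the article describes, and a defender can run the same function against its own domain to see which internal names and service versions are already visible from outside. Active banner grabbing is detectable and should only be done against systems you are authorized to test.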
As a concept, footprinting can be used by attackers or defenders. For attackers, it is a way to gather information about a potential victim, often passively and quietly, and in many cases within legal means; the information can come from the Internet or even from trashcans. Any tidbit gathered about a company, combined with other tidbits, can add up to substantial knowledge of the target's vulnerabilities and weaknesses. If defenders explore their own company's footprint, however, they can identify the same vulnerabilities, weaknesses and issues and correct them before an attacker acts. In particular, the practice helps security teams plug holes and track and limit the amount of company data in the public domain.
About the Author:
Ernie Hayden is a highly experienced and seasoned technical consultant, author, speaker, strategist and thought-leader with extensive experience in the power utility industry, critical infrastructure protection/information security domain, industrial controls security, cybercrime and cyberwarfare areas. His primary emphasis is on project and business development involving cyber- and physical security of industrial controls, smart grid, energy supply, and oil/gas/electric systems and facilities with special expertise on industrial controls and NERC Critical Infrastructure Protection (NERC CIP) standards. Hayden holds certifications as a Global Industrial Cyber Security Professional (GICSP), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (CEH). Hayden is an executive consultant at Securicon, LLC, has held roles as Global Managing Principal – Critical Infrastructure/Industrial Controls Security at Verizon, and held information security officer/manager positions at the Port of Seattle, Group Health Cooperative (Seattle), ALSTOM ESCA and Seattle City Light. In 2012 Ernie was named a "Smart Grid Pioneer" by Smart Grid Today and published an article on microgrid security in Jesse Berst's Smart Grid News. Ernie is a frequent author of blogs, opinion pieces and whitepapers. He has been cited in the Financial Times, Boston Globe, Energy Biz Magazine and Puget Sound Business Journal. Many of his articles have been posted to such forums as Energy Central, Public Utility Fortnightly "SPARK," and his own blog on Infrastructure Security.