
CHAPTER Reconnaissance: Information Gathering for the ...


All-in-1 / CEH Certified Ethical Hacker Exam Guide / Walker / 229-4

Chapter 3
Reconnaissance: Information Gathering for the Ethical Hacker

In this chapter you will learn about
• Defining footprinting
• Describing the information-gathering methodology
• Understanding the use of whois, ARIN, and nslookup
• Describing DNS record types
• Defining and describing Google hacking
• Using Google hacking

Have you ever read The Art of War by Sun Tzu? If you haven't, let me warn you: It's not something you're liable to snuggle up on the bed with and read breathlessly, wondering how it's going to end. It is, though, a masterpiece of insight into military strategy that is as applicable today as it was when it was written by the Chinese general a couple of thousand years ago.

I'm not sure if, when he wrote it, Sun Tzu had any idea that his book would have this kind of staying power, but the fact that it is, to this day, still considered mandatory reading for military leaders shows that he knew a thing or two about waging war. And because our chosen field in information technology is, in effect, a battlefield, what better resource to turn to?

Two (or several) thousand years ago, moving an army out across any distance at all was a time-consuming and very costly endeavor. In addition to all the associated costs (food, support personnel, and so on), if the journey was long and the timeframe short, the army could very well wind up arriving too tired to actually engage in the battle.

And as we all know, you can't call a timeout in war for a water break. Sun Tzu's answer to this was intelligence. He had a firm belief that if you put as much time and effort into learning everything you could about your enemy as you did actually fighting them, your victory was as good as ensured. In Sun Tzu's time, this intelligence was gathered manually, using spies on foot to watch, listen, and report back on what the enemy was doing and thinking. Sun Tzu said spies were as important to an army as water.

In the virtual battlefield we find ourselves in, Sun Tzu's assertions are just as valid.

You want to be successful as an ethical hacker? Then you'd better learn how to gather information about your targets before you ever even try to attack them. This chapter is all about the tools and techniques to do that. And for those of you who relish the thought of spy-versus-spy and espionage, although most of this is done through virtual means, you can still employ human spies and good old legwork to get it done. First, though, we should take at least a few moments to make sure we know just what attack vectors and vulnerabilities are out there.

Vulnerability Research

I know what some of you out there are saying already. I can virtually hear you now, screaming at the pages and telling me that vulnerability research isn't a part of footprinting (which we'll define in a minute).

And, frankly, I'll agree with you; you're right, it's definitely not part of footprinting as it is defined in CEH. However, I have two main goals in this book: to help you pass the test and to help you actually become an ethical hacker. Passing a test demonstrates knowledge. Applying it day in and day out is another thing altogether. This section isn't about running vulnerability scanners against machines you've already footprinted; that comes later on as a separate step. This is about keeping abreast of current, relevant knowledge that will make you an effective those of you who picked this book up and are just now getting involved in ethical hacking, vulnerability research is a vital step you need to learn and master.

After all, how can you get ready to attack systems and networks if you don't know what vulnerabilities are already defined? Additionally, I just believe this is the perfect time to talk about the subject. For everyone reading this book, vulnerability research is covered in detail on the exam, so pay close attention. We already touched on vulnerability research a little bit in Chapter 1, and we'll definitely brush up on it some more in Chapter 11, but we need to spend at least a little bit of time going over it right here. Much of vulnerability research is simply remaining aware of what is out there for your use.

In all seriousness, vulnerability research is a nonstop endeavor that many entities have taken it upon themselves to do. Therefore, because the proverbial wheel has already been invented, just roll with it. However, keep in mind that even though all this work is already being done for you, it's still your responsibility to keep on top of it. Most of your vulnerability research will come down to a lot of reading, most of it from websites. What you'll be doing in your ongoing research is keeping track of the latest exploit news, any zero-day outbreaks in viruses and malware, and what recommendations are being made to deal with them.

Sure, keep up with the news and read what's going on, but just remember, by the time it gets to the front page of USA Today or , it's probably already been out in the wild for a long, long time.

For example, Adobe had a few serious vulnerabilities come about in 2010, and the company didn't come out with an update or patch for quite some time. The recommended fix action required some manual intervention on the administrator's part, and many folks simply didn't do it; they just sat around waiting for a patch from Adobe.

It was literally a month before I ever saw this mentioned in a legit newspaper, and even then it was just a blip, buried far below the latest exposé on some starlet heading back to rehab. A smart ethical hacker who knew what to look for could attempt to exploit it, and reading just a few websites would be all you'd need to do to have a leg up on the competition. Here are a few of the sites to keep in your favorites list:

• National Vulnerability Database
• Exploit-Database
• Securitytracker
• Securiteam
• Secunia
• Hackerstorm Vulnerability Research Tool
• HackerWatch
• SecurityFocus
• Security Magazine
• SC Magazine

Other sources you may consider are in (how can I put this?) the seedy side of the Internet.

These are sites and boards where code, ideas, tools, and more are exchanged between people looking for vulnerabilities in any and every thing you can think of. I considered putting a list together here, but decided against it. I don't want you getting yourself in trouble in your efforts to find things out there that might not have been shouted from the virtual rooftops yet. My best advice to you in this regard is to find someone who has been in security for a while, and ask him to take you under his wing. He will keep you from going somewhere you'll regret down the road. Remember, a lot of people out there doing vulnerability research aren't just unethical, they're criminal.

