Assess what information is available publicly and what information should not be in the public domain for that organization.

The first phase of hacking is the footprinting phase, which is designed to passively gain information about a target. In this lab, you will identify a target organization with an Internet website and perform data gathering and footprinting for the site using Internet search tools. You will collect public domain information about the organization’s website by making use of Google hacking techniques, downloading the Sam Spade reconnaissance-gathering tool, and using nslookup and tracert, similar DOS command tools packaged with Microsoft® Windows. You also will research public domain sites such as IANA’s WHOIS tool to obtain public domain information about the targeted website. Finally, you will record the information you uncover in a research paper, describing how this information can make an organization vulnerable to hackers.

The purpose of this lab is to share common techniques used by both black- and white-hat hackers to expose vulnerabilities. As such, you should recognize that as with any hacking activity, it may take several tries to uncover a truly vulnerable organization. Many organizations closely monitor their websites for any activity that might indicate hacking. Know too, that Google hacking does not work on every site on the Internet and that sometimes the best results come from smaller, local companies that are less likely to employ effective monitoring.

This lab is a paper-based design lab and does not require use of the Virtual Security Cloud Lab (VSCL). To successfully complete the deliverables for this lab, you will need access to a text editor or word processor, such as Microsoft® Word. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint.

Note:

If you don’t have a word processor or graphics package, use OpenOffice on the student landing vWorkstation for your lab deliverables and to answer the lab assessment questions. To capture screenshots, press Prt Sc > MSPAINT, paste into a text document, and save the document in the Security_Strategies folder (C:\Security_Strategies\) using the File Transfer function.

Learning Objectives and Outcomes

Upon completing this lab, you will be able to:

 

  • Perform live data gathering and footprinting of a targeted organization and its website
  • Gather valuable public domain information about the targeted organization and its website
  • Assess what information is available publicly and what information should not be in the public domain for that organization.
  • Perform Google hacking research to identify known user logons and passwords and other website vulnerabilities
  • Write a summary of findings reconnaissance report describing the data gathered and footprint information collected in the public domain for a targeted organization

 

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

 

  1. Hacking Lab #3 Data Gathering and Footprinting Research Report;
  2. Lab Assessment Questions & Answers for Lab #3.

 

Hands-On Steps

 

  1. This lab begins at a workstation with Internet access. Double-click any Internet browser icon on your desktop to open the application.
  2. Select a target organization with an e-commerce website. You can target an organization with which you are already familiar, or use the browser’s search tool to identify a potential target organization.
  3. In a new text document, create a Hacking Lab #3 Data Gathering and Footprinting Research Report.

You will follow the steps in this lab to complete the research report as if you were gathering information for a potential attack. You will be responsible for determining what to document in this report.

Note:

The next steps will guide you through the steps you will take to capture data that might be useful in performing a potential attack on a corporate website. You will be directed to select a company to investigate via Google, including attempting to browse password or admin directories on their web server.

  4. In your browser’s address box, type google.com to open the Google search tool.
  5. Using Google as your search engine, locate the following information and record it in your text document:
  • Name of the target organization
  • Domain name and extension (domain.ext) for the target organization (for example, target.com)
  • URLs for the e-commerce website and any social networking sites
  • Physical address of each location used by the target company; use Google map to locate those buildings
  • Names of officers (for example, CEO, president, and CIO) at the organization
  • Number of employees at each physical location
  • Business partners or clients of the organization

Select a company that has a simple enough organizational structure that you can attempt to document all of the information requested in that step. If you were to choose a large company, like Cisco for example, it would be very difficult to find all of their physical office locations or even estimate how many employees they have. Selecting a smaller company will make this more feasible. Remember that the objective of this step is to see how much you can learn about an organization simply by Googling it—you might be surprised at how much you can find, but do not be overwhelmed if there are some components of that lab step that you can’t find responses for.

Note:

The next steps will attempt Google hacking commands on your chosen organization’s website. Recognize that some organizations block directory browsing on their web server, in which case, you’ll be redirected to basic Google search results about your chosen organization.

  6. In the Google search box, type site: domain.ext index of /password and press Search, using the domain name and extension you recorded in step 5.

This type of query in Google will return information about the target organization’s Web server or applications, including any of the following:

  • A traversable directory structure that allows you to see sensitive files or configuration information by browsing the directory structure
  • A vulnerable Web-based application or applications that allow cross-site scripting
  • A vulnerable Web-based application that allows SQL injection using a UNION statement or similar exploit
  7. In your text document, record any useful information you find using this Google hacking query. You may choose to make a screen capture of the data and paste it into your text document.

Note:

To capture the screen, press the Ctrl and prtsc keys together, and then use Ctrl + V to paste the image into a Word or other word processor document.

  8. In the Google search box, type site: domain.ext index of +passwd and press Search.
  9. In your text document, record any useful information you find using this Google hacking query. You may choose to make a screen capture of the data and paste it into your text document.
  10. In the Google search box, type site: domain.ext index of /admin and press Search.
  11. In your text document, record any useful information you find using this Google hacking query. You may choose to make a screen capture of the data and paste it into your text document.
  12. In the Google search box, type inurl: domain.ext /admin and press Search.
  13. In your text document, record any useful information you find using this Google hacking query. You may choose to make a screen capture of the data and paste it into your text document.

Note:

If you were unable to find a vulnerable website with the Google hacking searches in the previous set of steps, the next steps show how Google hacking could work in a general sense. You can do this by simply repeating steps 6-13 without the “site: domain.ext” portion of the search query. For example, repeat step 6 as: In the Google search box, type index of /password and press Search.

In addition, two new steps follow that search a company’s URL for administrative folders or intranet content. You will still need to sift through the Google search results to find a website that has directory browsing open, but you should be able to find a few that will let you access and click through their web server’s directory structure. Remember to record your findings with a screen capture and a description of the importance of that finding.

  14. In the Google search box, type intitle:intranet inurl:intranet+intext:”human resources” and press Search.

This query searches for human resources pages with an intranet site, which might reveal information intended only for a company’s employees.

  15. In your text document, record any useful information you find using this Google hacking query. You may choose to make a screen capture of the data and paste it into your text document.
  16. In the Google search box, type intitle:index of inurl: “/admin/*” and press Search.

This query searches for any website that has an index page and then looks for a folder called admin.

  17. In your text document, record any useful information you find using this Google hacking query. You may choose to make a screen capture of the data and paste it into your text document.
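From the defending side, the exposure these queries look for can be checked on your own server before a search engine indexes it. The following added example (not part of the original lab) classifies saved HTTP response bodies from your own site as auto-generated directory listings and flags sensitive folder or file names; the sample pages and the `SENSITIVE` name list are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Names the lab's queries look for (password, passwd, admin, intranet).
# Assumed list for illustration; extend it for your own site.
SENSITIVE = ("password", "passwd", "admin", "intranet")

class _ListingParser(HTMLParser):
    """Collects the <title> text and every href on a page."""
    def __init__(self):
        super().__init__()
        self.in_title, self.title, self.links = False, "", []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a" and dict(attrs).get("href"):
            self.links.append(dict(attrs)["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data

def audit_page(url_path, body):
    """Return a finding for one response body fetched from your own site."""
    p = _ListingParser()
    p.feed(body)
    # Apache and nginx autoindex pages are titled "Index of /<path>".
    is_listing = bool(re.match(r"\s*index of\s+/", p.title, re.I))
    haystack = (url_path + " " + " ".join(p.links)).lower()
    hits = sorted({s for s in SENSITIVE if s in haystack}) if is_listing else []
    return {"path": url_path, "listing": is_listing, "sensitive": hits}

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "/admin/": '<html><head><title>Index of /admin</title></head><body>'
               '<a href="../">Parent</a><a href="passwd.bak">passwd.bak</a></body></html>',
    "/shop/": '<html><head><title>Store</title></head><body>'
              '<a href="/admin/login">Staff</a></body></html>',
}

def audit_all(samples=SAMPLES):
    """Audit every saved page and return the findings in input order."""
    return [audit_page(path, body) for path, body in samples.items()]
```

A listing flagged here is closed at the server, for example with `Options -Indexes` in Apache or `autoindex off` in nginx.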

Note:

The next steps will use the WHOIS Service, which will return information about the registered owner of the website, usually a registry service, such as Verisign or Public Interest Registry, and even IP addresses.

  18. In your browser’s address box, type http://www.iana.org/cgi-bin/whois to open the Internet Assigned Numbers Authority Website.
  19. On the IANA WHO IS Service homepage, type domain.ext and press Submit.

The WHO IS Service will return information about the registered owner of the website, usually a registry service, such as Verisign or Public Interest Registry.

  20. In your text document, record the URL found in the refer section of the results of your WHOIS search. If your search results include information about the target company, instead of the registry service, skip to step 23.
  21. In your browser’s address box, type the URL found in the refer section to open the registry service’s website and follow the onscreen instructions to open the registry service’s WHOIS page.
  22. On the registry service’s WHOIS page, type domain.ext and press Submit.

The registry service will return information about the domain’s owner, including contact names, numbers, and addresses, and the names of associated servers.

  23. In your text document, record any useful information you find using this query. You may choose to make a screen capture of the data and paste it into your text document.
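The two-stage lookup above (IANA's refer field, then the registry's record) can also be run as an audit of your own organization's registration. This added example, which is not part of the original lab, parses WHOIS text, extracts the referral, and lists contact fields that publish a person's details instead of a role mailbox or a redaction; both sample records, the field names matched, and the role-mailbox list are constructed assumptions.

```python
import re

REDACTED = re.compile(r"redacted|privacy|not disclosed", re.I)
ROLE_MAILBOX = re.compile(r"^(hostmaster|domains?|dns|noc|abuse|legal)@", re.I)
CONTACT_FIELD = re.compile(r"^(registrant|admin|tech) (name|email|phone)$", re.I)

def parse_whois(text):
    """Parse 'key: value' lines into {key: [values]}; '%' and '#' start comments."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#" or ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def referral(record):
    """The registry WHOIS server named in the 'refer' field, or None."""
    return record.get("refer", [None])[0]

def exposed_contacts(record):
    """Contact fields that name a person rather than a role or a redaction."""
    findings = []
    for key, values in record.items():
        if not CONTACT_FIELD.match(key):
            continue
        for v in values:
            if v and not REDACTED.search(v) and not ROLE_MAILBOX.match(v):
                findings.append((key, v))
    return findings

# Constructed sample responses using reserved .example names.
IANA_SAMPLE = """% IANA WHOIS server
refer:        whois.nic.example

domain:       EXAMPLE
"""
REGISTRY_SAMPLE = """Domain Name: target.example
Registrant Name: Pat Example
Registrant Email: pat.example@target.example
Admin Email: hostmaster@target.example
Tech Name: REDACTED FOR PRIVACY
Admin Phone: +1.5555550100
Name Server: ns1.target.example
Name Server: ns2.target.example
"""
```

Each entry returned by `exposed_contacts(parse_whois(REGISTRY_SAMPLE))` is a candidate for replacement with a role address or a registrar privacy service.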

Note:

The next steps will use the Sam Spade utility to gather DNS server information by crawling vulnerable websites to get email addresses and links to other web servers. If you do not have a Windows workstation, or cannot install the Sam Spade utility, skip to step 30.

  24. In your browser’s address box, type http://www.pcworld.com/product/947049/sam-spade.html to find the download page for the Sam Spade utility.
  25. Click the Sam Spade link in the search results area of the Web page.
  26. Click the Download Now button.
  27. Follow the onscreen instructions to install Sam Spade on your Windows workstation.

If you do not have a Windows workstation or cannot install the Sam Spade utility, skip to step 25.

  28. Once installed, click Tools from the Sam Spade menu and test each of the tools that come with this tool on the target organization.
  29. In your text document, record all of the data uncovered by the Sam Spade tools.

Note:

If you were unable to install the Sam Spade utility, the next steps will use two tools native to Microsoft Windows to uncover similar information.

  30. Click the Windows Start button.
  31. Select Run from the menu.

If you do not have Run on the menu, type cmd in the Search programs and files box on the menu and press Enter. Click cmd.exe in the resulting programs list and skip to step 33.

  32. Type cmd in the dialog box and click OK.
  33. In the Windows Command Prompt window, type nslookup and press Enter to open the tool.
  34. At the command prompt, type set type=any and press Enter to instruct the tool to return any information it uncovers.
  35. At the command prompt, type domain.ext and press Enter to perform the nslookup search on your target organization.
  36. In your text document, record all of the data uncovered by the nslookup tool. You may choose to make a screen capture of the data and paste it into your text document.
  37. At the command prompt, type tracert domain.ext and press Enter to perform a trace route search on your target organization.
  38. In your text document, record all of the data uncovered by the tracert tool. You may choose to make a screen capture of the data and paste it into your text document.
  39. In your text document, draft a Social Networking section that will describe how you will use the information you gathered during this lab, and the information you would still need to obtain to plan an attack using social engineering tactics.
  40. Submit the text document to your instructor as a deliverable for this lab.

 

Evaluation Criteria and Rubrics

The following are the evaluation criteria and rubrics for Lab #3 that the students must perform:

 

  1. Was the student able to perform live data gathering and footprinting of a targeted organization and its website? – [20%]
  2. Was the student able to gather valuable public domain information about the targeted organization and its website? – [20%]
  3. Was the student able to assess what information is available publicly and what information should not be in the public domain for that organization? – [20%]
  4. Was the student able to perform Google hacking research to identify useful known user logons and passwords and other website vulnerabilities? – [20%]
  5. Was the student able to write a summary of findings reconnaissance report describing the data gathered and footprint information collected in the public domain for a targeted organization? – [20%]

 

LAB #3 – ASSESSMENT WORKSHEET

Perform Data Gathering and Footprinting on a Targeted Website

Course Name and Number:

_____________________________________________________

Student Name:

_____________________________________________________

Instructor Name:

_____________________________________________________

Lab Due Date:

Overview

The first phase of hacking is the footprinting phase, which is designed to passively gain information about a target. In this lab, you identified a target organization with an Internet website and performed data gathering and footprinting for the site using Internet search tools. You collected public domain information about the organization’s website by making use of Google hacking techniques, downloading the Sam Spade reconnaissance-gathering tool, and using nslookup and tracert, similar DOS command tools packaged with Microsoft® Windows. You also researched public domain sites such as IANA’s WHOIS tool to obtain public domain information about the targeted website. Finally, you recorded the information you uncovered in a research paper, describing how this information can make an organization vulnerable to hackers.

Lab Assessment Questions & Answers

 

  1. Which reconnaissance tool comes with Microsoft® Windows that can provide reconnaissance-gathering data and can be initiated from the DOS command prompt? What useful information does this query provide?
  2. What information can you obtain by using the WHO IS tool? Is the IANA tool the only one you encountered during your research?
  3. Besides those covered in this lab, what other functions did you discover are possible with the Sam Spade utility?
  4. What is the purpose of the tracert command? What useful information does the trace route tool provide? How can this information be used to attack the targeted website?
  5. How many different WHO IS profiles are pre-loaded in the Sam Spade utility?
  6. Is Sam Spade an intrusive tool? What is your perspective on the use of a freeware utility such as Sam Spade?
  7. What do you think companies and organizations should do with regard to access to WHOIS information in the public domain?
  8. What icon or function in Sam Spade downloads the entire HTML code of the targeted website?
  9. How can you estimate the number of employees who work in an organization’s remote office or facility?
  10. What is the goal when trying to use a search engine for data gathering or footprinting?
  11. What is Google hacking?