This post is a continuation of the tools and techniques used during the Ethical Hacking Reconnaissance phase. In the previous post I highlighted the passive footprinting techniques. In this post I will discuss the active footprinting techniques.
Active footprinting involves the use of tools and techniques that can aid you in gathering more information about your target. Unlike passive footprinting, where the process never ‘touches’ the target, active footprinting involves tasks that may be logged by the target’s systems, so being stealthy is key.
Stealth – Remaining undetected
There are a number of ways to hide your originating IP address. The objective of taking this extra step in the ethical hacking process is to remain undetected, so that your IP is not blocked by any defensive security systems in place. Where total anonymity is not possible, redirecting your traffic can still be used to mask your true identity. Below are a few examples.
Limiting your connections by IP
Most Intrusion Detection Systems (IDS) only raise an alert on a threshold breach, which is usually when the number of connections from one IP exceeds the configured threshold. If you are able to limit the number of connections you are making to a system during your active footprinting scans, you will likely not be detected by an automated IDS.
Spoofing your IP Address
Most tools give you the option to spoof your IP address. nmap, one of the tools to use during active footprinting, has this capability when you specify the -S switch followed by a fictitious IP address. For example, nmap -S 22.214.171.124 -sn <target IP range> will run a ping sweep on a target IP range, and traffic that is logged by the target will look like it is originating from the IP address 126.96.36.199.
Tor & Proxychains
Routing your traffic through Tor and using proxychains is another method of remaining stealthy during an ethical hacking exercise. Like address spoofing, this technique masks your real IP address. It also routes your traffic through the Tor network, which aids in keeping you anonymous. To utilize this method, you will need to install Tor (apt-get install tor) and proxychains (apt-get install proxychains). To run an nmap scan via this method, first check that Tor is running by typing tor in a terminal window, then put proxychains before the command, e.g. proxychains nmap -sn <target IP range>.
VPN
Utilizing a VPN during an ethical hacking exercise is an additional method to mask your true IP address and remain anonymous. VPN service providers have nodes in multiple locations, so you can connect to a server in South America and scan a target in Europe, for example. The target will log the IP as originating from South America and would need to approach the VPN service provider for details on who made the connection. As VPN service providers build their business on anonymity, they are very hesitant to divulge user identities, and many do not keep logs for this very reason.
Follow this link to see a list of the best VPNs for Tor – https://comparite.ch/tor-vpns
Active Footprinting Tools
Now that we have covered the topic of anonymity, let us move on to active footprinting. There are multiple scanning tools that ‘actively’ interrogate the target systems. Identifying the services the target is running is part of the next step; in this step we are only scanning to identify the scope of the target, which we will then scan and enumerate in the next two phases.
In this post I will cover four tools: the nmap ping sweep, the traceroute tool, the masscan ping sweep and the Data Miner Chrome extension from data-miner.io.
nmap Ping Sweep
During the passive footprinting phase we should have identified the IP ranges of our target. We now need to perform an active scan of the identified ranges to detect live devices on the network range. nmap has been the de facto network scanning tool for many years. You can read all about it at nmap’s official site. Of course it can do much more than merely scan for live hosts, but during the active footprinting phase that is all we want to do.
The ‘ping sweep’ command for nmap is:
nmap -sn <IP Range>
An example of the output is shown in the image below.
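Seen from the defensive side, the per-IP threshold behaviour described under ‘Limiting your connections by IP’ can be reproduced against a log of the ping sweep above. The Python below is an added example, not a tool from this post; the log format, IP addresses and thresholds are constructed for illustration, and it shows why a short-window threshold misses a slow sweep until the window is widened.

```python
"""Added example: threshold-based ping-sweep detection over a constructed
ICMP log. A per-window IDS threshold misses a slow sweep until widened."""
from collections import defaultdict

# Constructed firewall log, "<epoch> <src> <dst>": 10.0.0.5 sweeps five
# addresses in 5 s, 10.0.0.9 probes the same five 10 min apart, 10.0.0.7
# pings one monitored host twice (benign repeated pings, one destination).
SAMPLE_LOG = """
1700000000 10.0.0.5 192.0.2.1
1700000001 10.0.0.5 192.0.2.2
1700000002 10.0.0.5 192.0.2.3
1700000003 10.0.0.5 192.0.2.4
1700000004 10.0.0.5 192.0.2.5
1700000000 10.0.0.9 192.0.2.1
1700000600 10.0.0.9 192.0.2.2
1700001200 10.0.0.9 192.0.2.3
1700001800 10.0.0.9 192.0.2.4
1700002400 10.0.0.9 192.0.2.5
1700000010 10.0.0.7 192.0.2.10
1700000070 10.0.0.7 192.0.2.10
"""


def parse_log(text):
    """Parse non-blank lines into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            events.append((int(ts), src, dst))
    return events


def detect_sweeps(events, window, threshold):
    """Return {src: peak} for sources that probed more than `threshold`
    distinct destinations inside any `window`-second span. Counting distinct
    destinations separates a sweep from repeated pings to a single host."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, probes in by_src.items():
        peak = 0
        for i, (start, _) in enumerate(probes):
            hit = {d for t, d in probes[i:] if t - start <= window}
            peak = max(peak, len(hit))
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("60 s window:", detect_sweeps(ev, 60, 3))   # only the fast sweeper
    print("1 h window:", detect_sweeps(ev, 3600, 3))  # both sweepers
```

With a 60 second window only 10.0.0.5 is flagged; widening the window to an hour also catches the slow sweep from 10.0.0.9, while 10.0.0.7 stays clean because it only ever touches one destination.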
traceroute
traceroute is a network utility tool which comes bundled with most operating systems. The traceroute tool ‘traces the route’ from your IP to the IP of the end host you specify. It is particularly useful in identifying the routers, firewalls and gateways which exist between you and your target.
To run a traceroute command on a Linux based system simply type:
traceroute <Fully Qualified Domain Name> or <IP Address>
As you can see in the example below there are 15 ‘hops’ between the machine running the traceroute command and the target. As an ethical hacker it is important to take note of these as they are an important part of the target footprint.
masscan Ping Sweep
masscan is similar to nmap but it is much faster. As per its GitHub repository, it is capable of sending out 10 million packets per second. To run a ‘ping sweep’ using masscan simply type:
masscan --range <IP Range> --ping
An example of the output is shown below.
Data Miner
A target’s public website is filled with useful and pertinent information which needs to be collected and analyzed during an ethical hacking exercise. The larger the target, the larger its website, and one often needs a tool to help collect and categorize all the information. A great tool to use is Data Miner, a Google Chrome extension you can install. It comes with two generic recipes: one collects all the email addresses on a website and the other collects all the links. The image below shows the extension installed and examples of the generic recipes.
You are also able to create your own ‘data scraping recipes’ by installing the Recipe Creator. Below is the output of a scrape I performed on this website.
You can also export all of this information to a CSV file as shown below.
As you can see, there are many tools and methods to use during the active footprinting phase of an ethical hacking exercise. It is important to remember that during this phase you are actively ‘touching’ your target, so stealth is key. As with passive footprinting, the more information you collect the better. Your ultimate goal is to understand the entire ‘footprint’ of your target. You will use this information to scan and enumerate your target, which are the next steps of the reconnaissance phase.