Basic Hack Techniques - Part I

**** Foot Printing **** Dear all, to meet the need to learn in hacking and security, fantomas311 has compiled a set of "Basic hacking" articles and hacking related articles system to introduce to you. Please advise those who want to learn to hack a fast food way, you should not read this article! Because I didn't post hacking lessons to you, I just post according to the "hack how" motto. Read, think and make with your hands and minds !!

Before hackers really started, they had to take three basic steps: printing imprints (foot printing), scanning and attendance (enumeration). This article covers imprinting techniques and related issues.

** What is imprinting? **

Imprinting is the use of tools and techniques to get the first basic information about an organization or a web site that wants to attack (in this article temporarily called victim). An imprinted system of an organization allows hackers to see the security (security) of the organization.

** Why print imprints? **

Foot Printing makes it possible to identify all records and capture basic (sometimes quite important) information about victim

** Imprinting technique **

There are many different imprinting techniques, this article will describe the steps to help you complete a thorough imprint analysis.

* Step 1: Set the scope of activities:

This step simply tells you what you want to hack (a company, a server or just a personal web .). For beginners, you should carefully read and record the information provided to you by the website (information about it, such as phone number, webmaster mail, address .). There are times when this information is "golden key" for you :)

Interesting items include:

1. Locations
2. Related companies or entities
3. Connections or news are available
4. Security languages ​​specify the security mechanisms that have been set up (fire wall configuration, for example).
5. Phone numbers, contact names and Email .

In addition, you can also review HTML source code to find loopholes in programming, besides, annotations are in HTML tags like : D).

After researching the website, you find more information that provides additional clues about the status of the organization and its security situation (in the press, on the NET news, for example). Search engines are the key for you. Here are a few search engines:

1. http://google.com :)
2. http://sec.gov
3. http://cyberarmy.com
4. Http://deja.com
5. http://networksolution.com
6. http://dogpile.com
7. http://astalavista.com
8. http://ipswich.com
9. http://arin.net/whois/
10. http://ferretsoft.com

Okie, let's take the first step in Hack !! B)

* Step 2: Network attendance

In this step, the first is to identify the domains and networks that are related to victim. To do this, retrieve data of network solution (www.networksolution.com) and American Registry for Internet Number (www.arin.net).

Some types of queries:

Organizational: All information related to a specific organization

+ Domain: ---------------------------------- domain -------

+ Network: ----------------------------------- network or IP

Point of contact: ------------------------- 1 specific person (admin)

* Step 3: Query DNS:

After identifying the domains of the victim organization, you can start the DNS query. If DNS is precariously configured, we can uncover information about the organization. One of the most serious misconfiguration an administrator can make is to allow untrusted internet users to transfer the DNS (zone transfer) domain. This problem may indicate the host name, hidden IPs . in general, the information you want to hide!

Providing an internal IP address for an untrusted user on the internet is like providing a map of your home to a thief !! Here, maybe you have a "Zone transfer - how?" Question. Please, this is another matter, maybe I'll mention in another article of mine to avoid diluting the article :). Finish step 3 here!

* Step 4: Scout the network

After having a map in hand, this is a "real intrusion" phase to determine the potential route of network access (roughly understood as a scout to identify the paths before proceeding to rob ah! To do this, please introduce the trace route program (ftp: //ftp.ec.lbl/traceroute.tar.z) included in most versions of Unix & WinNT.

In WinNT, it's called tracert. Trace route is a diagnostic tool written by Van Jacobson to allow viewing the route that an IP packet will follow from one server to another. If you don't know the Unix commands, you can use Visual Route (http://www.visualroute.com) to perform this tracerouting process. Visual route's interface looks cool and easy to use. But it doesn't work well with large networks.

In addition, you can perform a more sophisticated technique called "scanning the firewall protocol" (mentioned in Basic hacking II - Scanning of fantomas311).

So the first step of hacking into a system is done. Now, after you have completed the above steps, you (I only say those who have done the above steps) may wonder: "What does that work?", "What to do next?" "What information does this work for?", "Is it necessary to take this step?". Many questions too! But please let yourself answer it! I only answer 1 question! The next step of the hacking process - theoretically - is Scanning. The Scanning process will be covered in the next fantomas311 article: "Basic Hacking part II - Scanning" :)

Hope this article makes you happy!

Trace Route Summary In the above article I mentioned traceroute. So what is Traceroute? Please see the following article:

What is traceroute?

Traceroute is a program that allows you to identify packets of packets from your computer to the target system on the Internet. An example of Traceroute! What can Traceroute do? Please see the following example that will be clear!

C: windows> tracert 203.94.12.54
Tracing route to 203.94.12.54 over a maximum of 30 hops
1 abc.netzero.com (232.61.41.251) 2 ms 1 ms 1 ms
2 xyz.Netzero.com (232.61.41.0) 5 ms 5 ms 5 ms
3 232.61.41.10 (232.61.41.251) 9 ms 11 ms 13 ms
4 we21.spectranet.com (196.01.83.12) 535 ms 549 ms 513 ms
5 isp.net.ny (196.23.0.0) 562 ms 596 ms 600 ms
6 196.23.0.25 (196.23.0.25) 1195 ms1204 ms
7 backbone.isp.ny (198.87.12.11) 1208 ms1216 ms1233 ms
8 asianet.com (202.12.32.10) 1210 ms1239 ms1211 ms
9 south.asinet.com (202.10.10.10) 1069 ms1087 ms1122 ms
10 backbone.vsnl.net.in (203.98.46.01) 1064 ms1109 ms1061 ms
11 newdelhi-01.backbone.vsnl.net.in (203.102.46.01) 1185 ms1146 ms1203 ms
12 newdelhi-00.backbone.vsnl.net.in (203.102.46.02) ms1159 ms1073 ms
13 mtnl.net.in (203.194.56.00) 1052 ms 642 ms 658 ms

I need to know the path from my computer to a host on the Internet with the ip address is 203.94.12.54. I need to tracert to it! As you can see above, packets from the machine I want to reach 203.94.12.54 must go through 13 hops (links) on the network. This is the path of packets: Netzero (ISP has sent data) -> Spectranet (a Backbone Provider) -> New York ISP -> New York Backbone -> Asia -> South Asia -> India Backbone -> New Delhi Backbone -> another router in New Delhi Backbone -> New Delhi ISP.

So, the host has ip address 203.94.12.54 located in New Delhi, India, South Asia! You can also telnet to 203.94.12.54 on port 13 to determine the GMT time by which you can know the location of this host (requires that a host of 203.94.12.54 must run the datetime daemon and be properly configured about time)!

How does Traceroute work?

First of all, you need to know about ICMP, TTL and how routers work!

ICMP basic knowledge - Internet Control Message Protocol.

ICMP is used to report errors that occur during the transmission of data packets on the network. ICMP is a transport layer - Transpoort Layer! Floor application HTTP FTP Telnet Finger SSH DNS

POP3 / IMAP SMTP Gopher BGP
Time / NTP Whois TACACS + SSL DNS SNMP RIP
RADIUS Archie
Traceroute tftp Ping
Shipping floor
TCP
UDP
ICMP
OSPF
Internet floor
IP
ARP
Ethernet / 802.3 Token Ring (802.5) SNAP / 802.2 X.25 FDDI ISDN
Frame Relay SMDS Wireless ATM (WAP, CDPD, 802.11)
DDS Fiber Channel / DS0 / T-carrier / E-carrier SONET / SDH DWDM
PPP HDLC SLIP / CSLIP xDSL Cable Modem (DOCSIS)

All ICMP messages are shipped with IP datagrams. Each ICMP message wrapped in the IP datagram will look like this:

+ --------------------- + ------------------------- +
| IP Header (20 bytes) | ICMP message (32 bytes) |
+ --------------------- + ------------------------- +
The following is the structure of an IMCP message: (refer to RFC792 for more!)
0 7 8 15 16 31
+ ----------------- + ----------------- + ------------- ---- +
| Type (0 or 8) | Code (0) | 16-bit Checksum |
+ ----------------- + ----------------- + ------------- ---- +
| Indentifier | sequence number |
+ ----------------- + ----------------- + ------------- ---- +
| |
| Optional Data (content depends on Type and Code) |
| |
+ ------------------------------------------------- ---- +

The type field has 15 different values, depending on the specific ICMP error message type. For example, type = 3 to specify "Destination unreachable" error message!

The code = sub-error field is used to determine the exact error. For example, type = 3 and code = 0 means "Network Unreachable"; if type = 3, code = 1 means "Host Unreachable" .

TTL - Time to Live. TTL is an 8-bit field in the IP header (please review the structure of IP header!). TTL is the time when a packet exists on the network before it is ignored. The sender of the data will determine a previous TTL value, usually between 32 and> 64. This value will be reduced once once transferred via a network router. When this value is 0, this datagram will be ignored and the ICMP protocol will report an error to the sender. This will prevent this datagram from entering an endless loop through the routers. Each router when receiving an IP datagram will reduce the TTL value of this datagram to one. Most routers do not retain this datagram for more than 1 second before transferring this datagram. So the TTL value can be treated as hop (counter) = the number of routers that this datagram has just passed. When the router receives a datagram with a TTL field of 0 or 1, it will not forward this datagram. Instead, it ignores this datagram and sends an "Time Exceeded" ICMP message back to the person who sent this datagram! Because the ICMP message that the router sends back to the sender has the source address - source address is the ip address of this router so the sender can know the IP address of this router!

The way of traceroute!

Traceroute sends an IP datagram with TTL = 1 to the target system. The first router to receive this datagram will reduce the TTL value by one -> TTL = 0 and this router will ignore this datagram (don't send it again!) And send an ICMP error message with the source IP address of it comes to you. So the router can determine the IP address of the first router! After that, the traceroute will send a new datagram with the value TTL = 2 (1 + 1 = 2) to the target system. The first router will reduce the value of a TTL -> TTL = 1 (2-1 = 1) and transfer this datagram to the second router.

The second router receiving the datagram with TTL = 1 will reduce TTL = 0. If I see TTL = 0, it will not move this datagram. Router 2 will send you an ICMP error message with the source ip address as its ip address (router 2). So the traceroute on the machine will know the second router that the datagram has passed. Traceroute will continue to send another datagram with TTL = 3 (2 + 1 = 3) and repeat the process until the datagram reaches the target system!

If now the IP datagram has reached the destination, TTL = 1. The destination host will ignore this datagram and it will not send an "Time Exceeded" ICMP error message. So you will not be able to know if you have reached your destination yet ?! Traceroute uses another mechanism as follows: Traceroute sends UDP datagrams to the destination host on UDP ports with large numbers (> 30000). The reason it chooses ports is great because there are usually no applications listening at these ports. When the destination host receives this UDP datagram, it sends back an ICMP error message "Port Unreachable" (not reaching the port) for traceroute. Now, traceroute can distinguish the difference between ICMP error message "Time Exceeded" with "Port Unreachable" to know if it has reached the destination or not ?!

Note: ICMP error message "Time Exceeded" has type = 1 and code = 0; ICMP eror message "Port Unreachable" has type = 3 and code = 3

Summary: traceroute sends UDP datagrams to the destination host with a TTL value of 1 and is incremented each time to determine which routers the datagrams went through. Each router sends back an "Time Exceeded" ICMP message. The target system will return for traceroute an ICMP message "Port Unreachable". Traceroute relies on this difference to determine if the destination has arrived yet ?!

Final example!

host2 # traceroute xyz.com traceroute to xyz.com (202.xx.12.34), 30 hops max, 40 bytes packets

1 isp.net (202.xy.34.12) 20ms 10ms 10ms 2

xyz.com (202.xx.12.34) 130ms 130ms 130ms

The first line indicates the hostname and IP address of the target system. This line also tells us the TTL value of <= 30 and the size of the datagram is 40 bytes (20-bytes IP Header + 8-bytes UDP Header + 12-bytes user data).

The second line indicates that the first router that received the datagram is 202.xy.34.12, the value of TTL when sent to this router is 1. This router sends back the program traceroute an ICMP message error "Time Exceeded". Traceroute will forward one datagram to the target system.

The third line, xyz.com (202.xx.12.34) received a TTL datagram with 1 = (the first router dropped one before - TTL = 2-1 = 1). However, xyz.com is not a router, it sends back for traceroute an ICMP error message "Port Unreachable". Upon receiving this ICMP message, traceroute will know that it has reached the target xyz.com system and ends the task here. In case the router does not respond after 5 seconds, the traceroute will print a "*" asterisk (unknown) and continue sending another datagram to the destination host!

See more:

1. Basic hacking techniques - Part 2
2. Basic hacking techniques - Part 3
3. Here's how I hack 40 websites in 7 minutes

Author: Fantomas311 - Vietnam Security