Footprinting and Scanning
- "Do I Know This Already?" Quiz
- Foundation Topics: Overview of the Seven-Step Information-Gathering Process
- Information Gathering
- Determining the Network Range
- Identifying Active Machines
- Finding Open Ports and Access Points
- OS Fingerprinting
- Fingerprinting Services
- Mapping the Network Attack Surface
- Summary
- Exam Preparation Tasks
- Review All Key Topics
- Define Key Terms
- Exercises
- Review Questions
- Suggested Reading and Resources
In this sample chapter from Certified Ethical Hacker (CEH) Version 10 Cert Guide, 3rd Edition, you will review a number of general mechanisms individuals can use to passively gather information about an organization without alerting it.
This chapter covers the following topics:
The Seven-Step Information-Gathering Process: The process of accumulating data about a specific network environment, usually for the purpose of completing the footprinting process, mapping the attack surface, and finding ways to intrude into the environment.
Identifying Active Machines: Active machines are identified by means of ping sweeps and port scans. Both help establish whether a machine is connected to the network and reachable.
OS Fingerprinting: Fingerprinting can be categorized as either active or passive. Active fingerprinting is more accurate but also more easily detected. Passive fingerprinting is the act of identifying systems without injecting traffic or packets into the network.
Mapping the Network Attack Surface: After all details of a network and its operations have been recorded, the attacker can then identify vulnerabilities that could possibly allow access or act as an entry point.
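The following Python script is an added example, not code from the Cert Guide, showing the passive side of the OS Fingerprinting topic above: it parses captured IPv4/TCP packets and infers the sender's operating-system family from the TTL and TCP window of its initial SYN, without sending anything. The mapping of rounded-up initial TTL (64, 128, 255) to an OS family is a widely used rule of thumb and is an assumption here, not a signature database; the sample packets are constructed inline with zero checksums, since nothing in the script validates them.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumption: default initial TTLs and the OS families usually shipped with them.
# Real passive tools (p0f and friends) combine many more header fields.
INITIAL_TTLS = {64: "Linux/BSD/macOS", 128: "Windows", 255: "Network device/Solaris"}


@dataclass
class Fingerprint:
    src: str
    observed_ttl: int
    initial_ttl: int
    hops: int
    window: int
    os_guess: str


def parse_ipv4_tcp(packet: bytes):
    """Return (src_ip, ttl, tcp_flags, window) for an IPv4/TCP packet, else None."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, _tot, _id, _frag, ttl, proto, _csum, src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:      # IPv4 carrying TCP only
        return None
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (options included)
    if len(packet) < ihl + 20:
        return None
    _sport, _dport, _seq, _ack, _off, flags, window, _csum, _urg = struct.unpack(
        "!HHLLBBHHH", packet[ihl:ihl + 20])
    return ".".join(map(str, src)), ttl, flags, window


def fingerprint(packet: bytes) -> Optional[Fingerprint]:
    """Classify the sender of an initial SYN; other packets are ignored."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return None
    src, ttl, flags, window = parsed
    SYN, ACK = 0x02, 0x10
    if not (flags & SYN) or (flags & ACK):
        return None                          # only the first SYN carries the sender's own defaults
    # Round the observed TTL up to the nearest common initial value; the
    # difference estimates how many routers the packet crossed.
    initial = next((t for t in sorted(INITIAL_TTLS) if ttl <= t), None)
    if initial is None:
        return None
    return Fingerprint(src, ttl, initial, initial - ttl, window, INITIAL_TTLS[initial])


def build_syn(src: str, dst: str, ttl: int, window: int, flags: int = 0x02) -> bytes:
    """Constructed sample packet (checksums left at zero; nothing here checks them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHLLBBHHH", 40000, 80, 1, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp


# Constructed capture: three SYNs from different hosts plus a bare ACK.
SAMPLES = [
    build_syn("10.0.0.5", "192.0.2.10", ttl=57, window=64240),
    build_syn("10.0.0.9", "192.0.2.10", ttl=120, window=65535),
    build_syn("10.0.0.1", "192.0.2.10", ttl=250, window=4128),
    build_syn("10.0.0.7", "192.0.2.10", ttl=60, window=65535, flags=0x10),  # ACK, ignored
]


def fingerprint_all(packets):
    return [fp for fp in (fingerprint(p) for p in packets) if fp is not None]


if __name__ == "__main__":
    for fp in fingerprint_all(SAMPLES):
        print(f"{fp.src:<10} ttl={fp.observed_ttl:<3} (initial {fp.initial_ttl}, "
              f"~{fp.hops} hops) win={fp.window:<5} -> {fp.os_guess}")
```

Because the classifier never transmits, it is as quiet as the tap it reads from; the price is accuracy, since a host with a tuned TTL or a middlebox that rewrites headers will be misclassified, which is why the chapter describes active fingerprinting as more accurate but more easily detected.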
This chapter introduces you to two of the most important pre-attack phases: footprinting and scanning. Although these steps don’t constitute breaking in, they occur at the point at which a hacker or ethical hacker will start to get information. The goal here is to discover what a hacker or other malicious user can uncover about the organization, its technical infrastructure, locations, employees, policies, security stance, and financial situation. Just as most hardened criminals don’t rob a jewelry store without preplanning, elite hackers and cybercriminals won’t attack a network before they understand what they are up against. Even script kiddies will do some pre-attack reconnaissance as they look for a target of opportunity. For example, think of how a burglar walks around a building to look for entry points.
This chapter begins by looking at a number of general mechanisms individuals can use to passively gather information about an organization without alerting it. It then discusses interactive scanning techniques and reviews their benefits; note that in this context the goal of scanning is to discover open ports and the applications listening on them. The chapter concludes with attack surface mapping techniques.
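As an added example that is not part of the Cert Guide, the script below performs the interactive scanning just described: a full TCP connect scan (the same handshake Nmap's -sT runs) that sorts ports into open, closed and filtered and grabs a banner from anything that answers, which is the first step toward identifying the application behind a port. So that it runs offline, the target is a constructed listener on 127.0.0.1 that sends a made-up SSH-style banner; the banner text and the port choices are assumptions for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(banner: bytes):
    """Constructed target: a local TCP service that greets each client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))               # port 0: let the OS pick a free one
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                  # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_port() -> int:
    """Reserve and release an ephemeral port so the scan has a port nothing listens on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5):
    """Full connect to one port; returns (port, state, banner).

    RST on SYN  -> closed; no answer before the timeout -> filtered (a firewall
    dropping the probe looks exactly like a dead host); completed handshake -> open.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return port, "closed", b""
    except socket.timeout:
        s.close()
        return port, "filtered", b""
    except OSError:
        s.close()
        return port, "error", b""
    banner = b""
    try:
        banner = s.recv(128)                 # services that speak first (SSH, SMTP, FTP) reveal themselves
    except OSError:
        pass                                 # silent service: stays open, just no banner
    finally:
        s.close()
    return port, "open", banner


def connect_scan(host: str, ports, workers: int = 32, timeout: float = 0.5):
    """Scan ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}


def demo():
    """Scan one constructed open port and one guaranteed-closed port on localhost."""
    open_port, srv = start_listener(b"SSH-2.0-ConstructedBanner\r\n")
    closed_port = free_port()
    try:
        return open_port, closed_port, connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    open_port, closed_port, result = demo()
    for port in (open_port, closed_port):
        state, banner = result[port]
        print(f"127.0.0.1:{port:<5} {state:<8} {banner.strip().decode(errors='replace')}")
```

A connect scan completes the three-way handshake, so every probe of an open port shows up in the target application's own logs as a connection; that is the trade-off the chapter's later discussion of SYN and idle (zombie) scans addresses.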
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 3-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”
Table 3-1 “Do I Know This Already?” Section-to-Question Mapping
| Foundation Topics Section | Questions |
|---|---|
| Overview of the Seven-Step Information Gathering Process | 1, 4, 6 |
| Determining the Network Range | 5 |
| Identifying Active Machines | 2, 3 |
| Finding Open Ports and Access Points | 10 |
| Fingerprinting Services | 7 |
| Mapping the Network Attack Surface | 8, 9 |
1. Where should an ethical hacker start the information-gathering process?
a. Interview with company
b. Dumpster diving
c. Company’s website
d. Interview employees
2. What is the common Windows and Linux tool that is used for port scanning?
a. Hping
b. Amap
c. Nmap
d. SuperScan
3. What does the Nmap -sT switch do?
a. UDP scan
b. ICMP scan
c. TCP full connect scan
d. TCP ACK scan
4. Which of the following would be considered outside the scope of footprinting and information gathering?
a. Finding physical addresses
b. Attacking targets
c. Identifying potential targets
d. Reviewing company website
5. During a security assessment you are asked to help with a footprinting activity. Which of the following might be used to determine network range?
a. ARIN
b. DIG
c. Traceroute
d. Ping host
6. You have been asked to gather some specific information during a penetration test. The “intitle” string is used for what activity?
a. Traceroute
b. Google search
c. Website query
d. Host scanning
7. During a footprinting exercise, you have been asked to gather information from APNIC and LACNIC. What are these examples of?
a. IPv6 options
b. DHCP servers
c. DNS servers
d. RIRs
8. CNAMEs are associated with which of the following?
a. ARP
b. DNS
c. DHCP
d. Google hacking
9. LoriotPro is used for which of the following?
a. Active OS fingerprinting
b. Passive OS fingerprinting
c. Mapping
d. Traceroute
10. What scan is also known as a zombie scan?
a. IDLE scan
b. SYN scan
c. FIN scan
d. Stealth scan
