Lab Exercise 1:

Footprinting and reconnaissance

Footprinting a Target Network
The objective of this lab is to extract information about the target organization, but is not limited to:

IP address and range associated with the target.

Purpose, functioning and size of organization.

People and contacts at the target

Types of OS, network topologies, firewalls (hardware or software), remote access (SSH or VPN)

Task 1: Open Source Information Gathering using Windows Command line Utilities
1. Find IP address for http://www.certifiedhacker.com
2. Run cmd and ping www.certifiedhacker.com in command prompt
3. Note down the websites IP. You may also get information on Ping Statistics (packets sent,
packets received, packets lost and Approximate round up time)
4. Now find the max frame size on network. In cmd type ping www.certifiedhacker.com f l 1500
and then 1300. Observer the max packet size is less than 1500 but more than 1300. Now try
different values until you find the max frame size. (Hint: size is in between 1460-1480)
5. (The frame size will differ depending upon the target network)
6. Now find out when TTL expires. Every frame on the network has TTL defined. If TTl reaches 0,
the router discards the packet. In cmd type ping www.certifiedhacker.com i 3 (this sets TTL to
3, max you can set it to 255)
7. We will now use the ping command to emulate a traceroute
8. Find traceroute from your PC to www.certifiedhacker.com using the tracert command (tracert
www.certifiedhacker.com )
9. Minimize the cmd above and launch a new cmd and type ping www.certifiedhacker.com i 2 n
1. The only difference is that we are setting the TTL to two in an attempt to check the lifespan
on the packet.
10. Then again change TTL to 3,4,515 and observer the difference in packet loss, until the reply
from destination host from ping and tracert are same.
11. Make a note of all IP addresses from which you receive the reply during the ping to emulate the
tracert.
12. Launch a new command prompt, type nslookup. In interactive mode, type set type=a. This
configures nslookup to query for the IP address of a given domain.
13. Type the target domain www.certifiedhacker.com . This resolves the IP address and displays the
result.
 14. The first two lines in the result specifies the default server hosted on the local machine. If the
response is coming from your local machines server but not the server that legitimately hosts
the domain www.certifiedhacker.com , it is considered to be a non-authoritative answer. You
need to obtain the domains authoritative name server.
15. Type set type=cname
16. The CNAME lookup is done directly against the domains authoritative name server and lists the
CNAME record for a domain.
17. This returns the domains authoritative name server, along with the mail server address.
18. Now that you have obtained the authoritative name server, now determine the IP address of
the name server. Issue the command set type=a and type the primary name server that is
displayed in the step above.
19. The authoritative name server stores the records associated with the domain. So, if an attacker
can determine the authoritative name server (primary name server) and obtain its associated IP
address, he/she might attempt to exploit the server to perform attacks which include DoS,
DDoS, URL Redirection and so on.

Document all IP addresses, reply request IP addresses, TTLs, DNS server names and other DNS
information.

Task 2: Gathering Personal Information Using People Search Services

1. In the browser, type pipl.com

2. To begin the search, enter the details of the person you want to search for in the Name, Email,
Username or Phone field and click the Search icon.
3. Pipl returns the search results with name you have entered (e.g career, education, phone
number, social websites accounts.)
4. To learn the places where the person visited, click any link in the Places section.

Analyze and document all the results discovered in the lab exercise.

Task 3: Collecting Information about a Target using Firebug

Firebug is an add-on tool for Mozilla Firefox which displays information like directory structure, internal
URLs, cookies, session IDs, etc.

1. Launch Firefox and type https://addons.mozilla.org/en-US/firefox/addon/firebug and press

enter.
2. The firebug add-on webpage appears. Click Add to Firefox. The add-on begins to download. On
completion a software installation dialog box appears. Click Install Now.
3. On successful installation an extension pop-up appears stating the firebug has been successfully
installed. The firebug add-on appears on the right side of the Navigation toolbar.
 4. Enter the URL of the target website in the address bar. Click the Firebug add-on the top right
corner of the navigation toolbar to enable the Firebug control panel which appears at the lower
end of the screen. Click the Console tab, and from the Firebug panels menu bar click Enable.
Refresh the page.
5. Click the Warnings tab under the console section. Under this tab, Firebug displays all the issues
related to the security of the website architecture. You can view the results in all other tabs
under Console Section, which might return useful information related to the website/web
application.
6. Click the HTML tab in the Firebug UI. The HTML section contains two tags: head and body, which
contains scripts and texts that might reveal the build of the website.
7. The head and body tags contain information related to the authentication of the username and
password fields such as the types of the input that is to be given in fields, which allows attacker
to narrow down exploitation techniques.
8. Expand nodes and scripts written to develop the webpage.
9. Refer to tabs such as Style, Computed, Layout etc.
10. The CSS and Script tabs also display the HTML and Java scripts that were used to design the
webpage. Attackers could use these scripts to build a similar (cloned) website which could be
used to server malicious purposes such as harvesting the data entered in specific fields.
11. Explore other tabs as well: find the server name and web application framework used to
develop the website and its version.
12. Click the Cookies tab in Firebug panel and click Enable.
13. Refresh the page. Observe the cookies related to current session. Attacker can use sniffing
techniques to steal the cookies and manipulate them, thereby hijacking the session of an
authenticated user without the need of entering legitimate credentials.
14. By gaining information described in the lab, an attacker can obtain the script related to a
webpage, identify the server-side technologies and manipulate the cookies, which allow them to
perfrom fraudulent activities such as entering the web applications, cloning a webpage,
hijacking a session, stealing database information, etc.

Collect information like internal URLs, cookie details, directory structure, session IDs etc for different
websites using Firebug.