HACKING
>>Reconnaissance
Investigate the target using publicly available information
Types: Low-Technology Reconnaissance, Searching the Web, Whois Databases, Using the DNS, and General Purpose Tools
>>Dumpster Diving
Going through an organization's discarded documents to find sensitive information. Often, employees will throw out papers that reveal critical information (e.g. old Post-It® notes with user IDs and passwords).
>>Whois Databases
Whois databases contain information about the assignment of Internet addresses, domain names, registrars, and individual contacts. The InterNIC whois database is available online at: www.internic.net/whois.html
If you are researching an organization without the .com, .net, or .org extensions (e.g. international domains), try the Allwhois site at: www.allwhois.com/home.html
>>War Dialing
Dialing large pools of telephone numbers in an effort to find unprotected modems. Done with an automated tool, such as THC-Scan 2.0.
>>Network Mapping
Windows 2000/NT and UNIX ship with tools that do this for us:
Windows 2000/NT: tracert
UNIX: traceroute
Another network mapping tool: Cheops
Cheops sequentially sends ARP requests to every IP address in the range, then runs traceroute to every IP address that responds to the ARP request.
>>Port Scanning
UDP scans are simpler: if an ICMP port unreachable packet is received in response to a UDP packet, the port is closed; but because UDP is inherently unreliable, no response only means the port is probably open.
If an attacker wishes to be more stealthy, there are more advanced scanners available, such as nmap, that are capable of a wider variety of TCP scans that are harder to detect. Nmap offers a TCP SYN stealth scan in which the third message is not an ACK but a FIN that forces the TCP connection to be closed before it fully opens.
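From the defender's side, the half-open scan described above leaves a signature: one source sends SYNs to many ports but never sends the bare ACK that completes a handshake. The following is an added example (not from the original notes) that runs that check over a constructed packet log; the log format (timestamp, source, destination, port, TCP flags) and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample log, not a real capture. Columns:
# timestamp src_ip dst_ip dst_port flags (S=SYN, SA=SYN/ACK, A=ACK, R=RST)
SAMPLE_LOG = """\
1 10.0.0.5 192.168.1.10 80 S
2 192.168.1.10 10.0.0.5 80 SA
3 10.0.0.5 192.168.1.10 80 A
4 10.0.0.9 192.168.1.10 21 S
5 192.168.1.10 10.0.0.9 21 SA
6 10.0.0.9 192.168.1.10 21 R
7 10.0.0.9 192.168.1.10 22 S
8 192.168.1.10 10.0.0.9 22 SA
9 10.0.0.9 192.168.1.10 22 R
10 10.0.0.9 192.168.1.10 23 S
11 10.0.0.9 192.168.1.10 25 S
12 10.0.0.9 192.168.1.10 80 S
13 192.168.1.10 10.0.0.9 80 SA
14 10.0.0.9 192.168.1.10 80 R
"""


def parse_log(text):
    """Parse the constructed log into (ts, src, dst, port, flags) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, flags = line.split()
        rows.append((int(ts), src, dst, int(port), flags))
    return rows


def half_open_counts(rows):
    """Per source: number of distinct (dst, port) pairs it sent a SYN to
    without ever sending a bare ACK to complete the three-way handshake.
    A normal client completes the handshake; a SYN scan (RST or FIN as the
    third message) never does, so its count grows with every port probed."""
    syn_targets = defaultdict(set)
    completed = defaultdict(set)
    for _ts, src, dst, port, flags in rows:
        if flags == "S":
            syn_targets[src].add((dst, port))
        elif flags == "A":
            completed[src].add((dst, port))
    return {src: len(targets - completed[src]) for src, targets in syn_targets.items()}


def find_syn_scanners(rows, threshold=3):
    """Sources whose half-open SYN count to distinct ports reaches the
    (assumed) threshold; tune it to the network's normal client behaviour."""
    return sorted(src for src, n in half_open_counts(rows).items() if n >= threshold)
```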