So, hello, welcome to the security dev room again, and we are here to hear about footprinting. Please welcome Jose. Good morning. Good morning, and thank you for coming. Well, my name is Jose Manuel Ortega, I'm from Spain. This talk is oriented to security auditors and pen testers in general who are interested in footprinting tools and other tools for obtaining information from servers, domains and so on. These are the main points I will talk about: I will make an introduction to information gathering, what information gathering is and the footprinting tools we have for getting this information from servers. Later I will comment on other tools like Nmap and Nmap scripts for obtaining information from servers in a more active way. Well, when we are testing a server, a domain or a site, these are the main phases we have for obtaining the information or testing a server. The first is the analysis phase. In this phase, the target is to obtain, analyze or pull the information that is available on the Internet in general and the information that the server returns. In this phase, we can use tools like whois, nslookup, and enumeration tools in general. The second phase is scanning. In this phase, we can check vulnerabilities for specific targets. The idea in this phase is to analyze the ports that are open on a specific server, domain or site. And the last phase, when we have all the information, is trying to exploit the vulnerabilities that we have found. In this phase, we can use techniques like buffer overflows, spoofing, password attacks, rootkits and so on. In this talk, I will center on the first phase, the analysis phase, where the target is to obtain all the information about our target. What is information gathering? Information gathering is basically a process where we can extract all the information about...
In this phase, the objective is to gather all the information: names, addresses, systems, types, operating systems and so on. In this phase, the objective is to obtain all this information in a passive way, in a non-intrusive mode. Well, there are other phases similar to footprinting: fingerprinting is like footprinting but oriented to obtaining, for example, the topology of the network and the operating system and services that run on a specific server or system; sniffing, classical sniffing for collecting network traffic; and scanning. I will center later on this phase when commenting on the main tool, Nmap. Well, the main tools that I will comment on are available in Kali Linux, a distribution oriented to pentesting. In this distribution, we can find Maltego, Nmap, Recon-ng, and Sparta for scanning ports. Zenmap is a graphical version of Nmap. Well, I recommend all these tools. Well, the first thing we can do for testing, for obtaining information, is to use classical whois online tools. The whois command basically provides more information about a specific domain. It returns the IP address and the name servers, and basically with these tools, with online tools, for example NetCraft, we can obtain all the information related to the servers and domain servers for a specific domain. There are other online tools like whois, and the whois command is available in all operating systems. In this case, we are obtaining information about the registered name of the domain and more information about the domain. Also, we have the host command. The host command provides, for example, information about the IP address in versions 4 and 6 and also provides the mail server of the domain. There are more online tools we can use for free. With Network Tools, we can execute commands over a specific target or domain. We can execute ping, traceroute and so on.
There are more tools like toolbox sites and, for example, this tool called Robtex, which is similar to the others, but the difference is that it provides the information in a graphical way. It provides the same information, but we can see the relations between the domains and the whois server information. Another of the commands we can use is nslookup. This command provides information about the host machine, basically. With the parameter, we can list all associated records for a specific domain. Basically, with nslookup we can search by IP address or domain, depending on what we need. It resolves the reverse lookup. Other tools we have in Unix systems and in some Linux distributions are dig and DNS Resolvers. DNS Resolvers is a graphical application that returns the DNS servers for a specific domain. We can see the tools; for example, the authoritative servers are the servers that hold the information about the DNS servers and resolve all the DNS requests. We have more tools like dnsmap, which returns more information about a specific domain. dnsenum also provides more information on this topic. dnsrecon, for example, provides information related to the server, whether it is using DNSSEC for securing the DNS server. It returns information about the keys of the DNS server. The DNS server provides functionality that is called a zone transfer. The question at this point is, how does one provide security against DNS enumeration? The idea is to restrict zone transfers only to authoritative servers. For example, the best practice at this point is to restrict zone transfers only to IP addresses that we control in our network. The idea is to review the configuration file that is in the path /etc/bind/named.conf.local. In this file, we can configure the IP addresses allowed for DNS zone transfers on our server. Another tool, well, I'm continuing with other tools, for example theHarvester.
theHarvester allows recovering information about a specific domain. We can recover information about emails and subdomains. This is a tool developed in Python. In an easy way, we can extract information about our domain and email addresses, searching in the main search engines like Google, Bing, Twitter, LinkedIn, Yahoo and so on. If we want to recover subdomains in an easier way, we have, for example, api.hackertarget.com. We can pass as a parameter the domain from which we want to extract subdomains. In an easy way, we can get this information without registering, without doing more than this request. Another interesting tool that I'm going to comment on now is Maltego. Maltego is also oriented to footprinting tasks. Maltego basically has four levels for obtaining this information. For example, if we want basic information gathering, we have level one. If we want a moderate amount of information gathering, we have level two. If we want more intensive and more complete information gathering, we have level three. For example, in this screen capture, we can see that with Maltego, in a graphical way, we can extract email addresses, subdomains, files and documents for a specific domain. All this information is recovered with what is called a transform. Maltego transforms are the way of obtaining this information. Also, we have Shodan. Shodan is a very useful tool for obtaining a first view of what the server has: the ports, the services that are open, and so on. Also, we have other tools like Censys. Censys is like Shodan; it provides more information about a specific server. It returns, you can see, the certificates of the server, the location of the server, and so on. Another tool oriented to this task is Mr Looquer. Mr Looquer has the particularity that you can search in the IP version 6 space and get information from IPv6 addresses.
Well, for getting more information about servers, for example, Web Archive provides, from 1996, all sites, the historical information of a specific site. In this screen capture, we can see the site as it was in 2001. Other interesting tools for footprinting are SpiderFoot. With SpiderFoot, we can obtain more information about a specific domain. Finally, until now I have commented on the tools that analyze our target in a passive way. Now I'm commenting on tools for active footprinting, that is, analyzing the ports that are open, the services that are running on the servers, vulnerabilities, and so on. The classical tool for this task is Nmap. Nmap is basically a port scanner that supports different scanning techniques. It has the capacity to detect operating systems on remote hosts, and it has other interesting features like the Nmap Scripting Engine for detecting vulnerabilities on a specific port. Later we will see an example. The graphical version of Nmap is called Zenmap. We can use this tool without learning any Nmap command. Also, we can obtain, for example, the topology of a network. For example, if we execute the traceroute with Nmap, we can obtain the topology: which hosts the packets are passing through and so on. Nmap provides an interesting parameter for obtaining specific information. For example, we can execute the whois command with Nmap to obtain the same information that we get with the classical whois command. Also, we can, for example, detect the operating system with a specific parameter. We can force Nmap to discover the operating system. In this screen capture, we can see that it does not return only one operating system. What it does is guess an operating system with a percentage, and it returns all the operating systems that could be possible on this machine. It also provides other techniques, for example banner grabbing.
Banner grabbing, basically, lets us obtain information about servers: the version of the server, the operating system, and the applications that are running on the machine. Finally, the last tool I will comment on is the Nmap Scripting Engine. Basically, Nmap Scripting Engine scripts are simple scripts to automate classical network tasks. For example, if we want to detect vulnerabilities on a specific port, or if we want to perform a specific task for network discovery, network detection or vulnerability exploitation, we can use these scripts for those tasks. These scripts are written in the Lua programming language, and we can find the scripts in /usr/share/nmap/scripts. There are a lot of scripts. In this screen capture, we can see that, for example, we can obtain the service. One minute. We can obtain more information about a specific service with the HTTP scripts in Nmap, for example. We can obtain other services that are available, that are listening on a specific port. Another task, basically, is, for example, detecting and obtaining tables from databases. And finally, for example, we can find vulnerabilities with Nmap with specific scripts that are available in the Nmap Scripting Engine. And the last point: once we have analyzed all the information, the next step is introducing the vulnerability scanner. We can use, for example, OpenVAS, which is open source, or the Arachni vulnerability scanner, which is also open source. These are tools for the next step, where we have all the information about our target. The next step is using these tools to detect vulnerabilities, for example. And finally, links and references, books related to this topic. Thank you. Thank you, Jose. We have some help with the mic here, and we'll have two minutes for questions. Anyone, raise your hand.
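The zone-transfer check the talk describes (attempt an AXFR against each authoritative name server of a domain, and restrict `allow-transfer` in /etc/bind/named.conf.local as the fix), written out as an added shell example that is not part of the talk or of any tool it mentions. The function names are my own, and the two sample `dig` outputs are constructed to look like a leaked zone and a refused transfer, not captured from any real server; only the live `check_zone_transfer` function needs network access and `dig`.

```shell
#!/bin/sh
# Added example (not from the talk): detect name servers that allow
# unrestricted zone transfers, the DNS enumeration weakness discussed above.

# Decide from captured `dig ... AXFR` output whether the transfer succeeded.
# A successful transfer prints resource records: non-comment lines with an
# "IN" class field. A refused one prints only ";" comment lines such as
# "; Transfer failed." Returns 0 when the zone leaked, 1 otherwise.
axfr_is_open() {
    printf '%s\n' "$1" | grep -q -E '^[^;].*[[:space:]]IN[[:space:]]'
}

# Count the resource records in a transfer (0 when nothing leaked).
axfr_record_count() {
    printf '%s\n' "$1" | grep -c -E '^[^;].*[[:space:]]IN[[:space:]]' || true
}

# Constructed sample outputs in the shape dig prints them (not real captures).
SAMPLE_OPEN='
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
www.example.com.        3600    IN      A       192.0.2.10
intranet.example.com.   3600    IN      A       10.0.0.5
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
'
SAMPLE_REFUSED='
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
; Transfer failed.
'

# Live check: look up the NS records for the domain, then try an AXFR
# against each server and report which ones hand the zone out.
check_zone_transfer() {
    domain=$1
    for ns in $(dig +short NS "$domain"); do
        out=$(dig @"$ns" "$domain" AXFR +time=5 +tries=1 2>&1) || true
        if axfr_is_open "$out"; then
            echo "OPEN    $ns leaked $(axfr_record_count "$out") records for $domain"
        else
            echo "refused $ns"
        fi
    done
}

# Server-side fix in BIND (the named.conf.local file the talk points to):
# list only your own secondaries, or deny transfers entirely, e.g.
#   zone "example.com" { type master; file "/etc/bind/db.example.com";
#                        allow-transfer { 192.0.2.2; }; };
#   options { allow-transfer { none; }; };

# Usage: sh axfr_check.sh example.com   (needs network access and dig)
if [ $# -gt 0 ]; then
    check_zone_transfer "$1"
fi
```

An "OPEN" line means the server gave the whole zone, including internal names such as the constructed `intranet.example.com` above, to an unauthenticated client; after adding `allow-transfer`, rerun the script and every server should report "refused".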