The first step in exploring a system is not just another point and click. It is the part that, surprisingly, no one really talks about: gathering information on the subject. In order to get into a system, one must know enough about the entity to gain access to it. This is accomplished by choosing a subject (a network or a computer) and learning all there is to know about how it ticks. That information can be found in a number of ways; the main ones are searching the Internet, discovering the networks behind the domains, finding locations and phone numbers, and finding a path in.
The first step in finding information about a subject is simply searching the web for it. Once one finds the subject's website, look for information about it, such as phone numbers, locations, and email addresses. Get as much information about the subject as possible. Read the privacy policy to begin learning about the security in use, and search the source code for HTML comment tags. Believe it or not, companies sometimes leave important information inside a site's source code, open to anyone who chooses to read it. It does not stop there: search the web for affiliates and USENET postings that relate to the subject. If one finds a smaller branch of the company, chances are that branch has a path to the subject. Search for a while; one may be surprised at how much it is possible to learn about an entity on the Internet.
Once one has some background on the subject, start to learn about its web presence: its domains and the networks they sit on. Look for phone numbers, email addresses and locations of administrative staff. The most effective way to begin obtaining this information is through a "whois" lookup. Start at www.networksolutions.com and search its database, or simply type "whois yoursubject.com" on a UNIX(R) command line. Either way one gets a listing of information about that domain: registrant, administrative and technical contacts, and the name servers. Once that is done, try an organization whois: type "whois 'your subject'" on a UNIX(R) command line, and it should return a list of that company's domains. Search until one finds a domain that is active (some large companies buy every domain relating to their name to protect themselves from infringement, and only a few of those have a real network at the other end).
Now that the domains and the information about them have been identified, start to search the DNS. Begin by trying a zone transfer*. On the UNIX(R) command line, type "host -l 'subjectsdomain'"; if it succeeds, every host record in the zone comes back in one go. If one's computer is running Windows(R), www.samspade.com should do the job (but consider getting a UNIX(R) flavor). Find how many hops away a system is by typing "traceroute 'subjectsdomain'"; the last hops before the target usually reveal the border router and the subject's upstream provider. There are tons of options. Just keep exploring and learning more about the subject.
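A whois record is long, and the parts that matter for the next steps are the name servers (the hosts to try a zone transfer against), the contact addresses and the phone numbers. The shell functions below pull those out of a record so they can be filed for later. This is an added example, not part of the original text; the record it is run on is constructed for illustration, and "example.com" and its contacts are placeholders, not real data.

```shell
#!/bin/sh
# Added example: extract recon-relevant fields from whois output.
# SAMPLE_WHOIS is a constructed record; the real thing comes from
#   whois example.com
SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Registrant Email: hostmaster@example.com
Admin Name: Jane Admin
Admin Email: jane.admin@example.com
Admin Phone: +1.5555550100
Tech Email: hostmaster@example.com
Updated Date: 2001-01-01'

# Name servers, lower-cased and de-duplicated. Each one is a host to try
# a zone transfer against ("host -l example.com ns1.example.com").
whois_nameservers() {
    grep -i '^Name Server:' \
        | sed 's/^[^:]*:[[:space:]]*//' \
        | tr 'A-Z' 'a-z' \
        | sort -u
}

# Every e-mail address in the record. The part after the @ frequently
# names a second domain the company operates, which is itself a lead.
whois_emails() {
    grep -Eio '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \
        | tr 'A-Z' 'a-z' \
        | sort -u
}

# Phone numbers in the "+1.5555550100" form registries use.
whois_phones() {
    grep -Eo '\+[0-9]+\.[0-9]+' | sort -u
}

# Stand-alone run: print the three lists from the constructed record.
printf '%s\n' "$SAMPLE_WHOIS" | whois_nameservers
printf '%s\n' "$SAMPLE_WHOIS" | whois_emails
printf '%s\n' "$SAMPLE_WHOIS" | whois_phones
```

Against a live record, feed the real lookup through the same functions, e.g. `whois example.com | whois_nameservers`. Registries format records differently, so expect to adjust the field labels for the registry that serves the subject's domain.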
Now that one has gained all this information, it is time to start scanning the system. Begin by performing a ping sweep on the subject (over a range of IP addresses and network blocks) to determine which addresses are active. If considering a ping sweep on a large network, be aware that it can take hours or sometimes days to complete, so consider a faster method. Use "fping" to perform the ping sweep from a UNIX(R) command shell; it sends ICMP ECHO requests to many hosts in parallel rather than waiting for each reply in turn. Fping is meant to be used in shell scripts together with gping. With gping, one gives a range of IP addresses to sweep (Example: gping 192 111 1 1 111). That produces a list of candidate IP addresses; feed it to fping to complete the ping sweep and find which systems are active and connected to the network (Example: gping 192 111 1 1 111 | fping -a). The -a tells fping to list only the active systems. To resolve host names as well, use -d (Example: gping 192 111 1 1 111 | fping -d). Type "fping -h" for a list of all the options. Nmap (http://www.insecure.org/nmap), short for Network Mapper, is another tool that will perform a ping sweep (use the -sP option). If ICMP is blocked at the border, an ICMP sweep will report nothing, whether it comes from fping or nmap. Nmap also offers a TCP ping scan (option -PT), which probes a TCP port instead and is the better choice in that case (port 80 and numbers close to it are your best bet, since web traffic is rarely filtered). Example: nmap -sP -PT80 188.8.131.52/11. (-sP and -PT are the option names of the nmap version of the time; current releases call them -sn and -PS.)
To learn more from ICMP than ECHO packets and ping sweeps provide, try an ICMP query. SecurityFocus (www.securityfocus.com) carries the tool icmpquery, which sends ICMP timestamp and address-mask requests. Try requesting the time on a system. To query a router's time: icmpquery -t 184.108.40.206. To query the subject's router's subnet mask: icmpquery -m 220.127.116.11. A timestamp reply shows the host is up even when ECHO is filtered, and the address mask tells one the size of the network block behind it. After gathering all this information, begin the port scan. Port scanning is the act of connecting to the TCP and UDP ports on a subject to find what is running or listening; those listening services are what may give one access to the system. So let's get to it. We will be using nmap again, this time with the -sS option. The -sS option is the stealth scan (TCP SYN, or "half-open"): it sends only the SYN and never completes the three-way handshake, so the service behind the port never sees a connection and, on hosts of the time, nothing was logged, making the scan harder to detect. Because it crafts raw packets it must be run as root. An example of this option is: nmap -sS 18.104.22.168. Nmap by Fyodor is a very handy tool; use -h to see all its options. One will find that there are many helpful scanning tools.
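The two scanning steps above (sweep the address range for live hosts, then port-scan the live ones) fit naturally into a small shell script. The one below is an added example, not part of the original text. It provides the address-range expansion that the text assigns to gping as a plain shell function, shows the fping and nmap invocations only in comments because they need a network, and runs offline against a constructed sample of nmap's grepable (-oG) output to extract the listening services. The addresses in the sample are from the documentation range 192.0.2.0/24 and are placeholders.

```shell
#!/bin/sh
# Added example: sweep-then-scan workflow in shell (not the page's own code).

# Expand "a b c lo hi" into one address per line, the job gping does in the
# text.  Usage: ip_range 192 168 1 1 254
ip_range() {
    i=$4
    while [ "$i" -le "$5" ]; do
        printf '%s.%s.%s.%s\n' "$1" "$2" "$3" "$i"
        i=$((i + 1))
    done
}

# Live pipeline (needs network access, fping and nmap; not run here):
#   ip_range 192 168 1 1 254 | fping -a 2>/dev/null > live.txt
#   nmap -sS -oG scan.gnmap -iL live.txt      # as root
#   open_ports < scan.gnmap

# Constructed stand-in for scan.gnmap.  nmap's -oG lines are tab-separated:
# "Host: addr (name)<TAB>Ports: port/state/proto/owner/service/rpc/version/, ...".
sample_gnmap() {
    printf '%s\n' '# Nmap scan initiated (constructed sample)'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (998)\n'
    printf 'Host: 192.0.2.12 ()\tStatus: Down\n'
    printf '%s\n' '# Nmap done'
}

# Print "address port/proto service" for every open port in -oG input.
# These are the listening services the text says to go after next.
open_ports() {
    awk -F "$(printf '\t')" '
        /^Host:/ && $2 ~ /^Ports:/ {
            split($1, h, " "); host = h[2]
            sub(/^Ports: /, "", $2)
            n = split($2, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")          # f[1]=port f[2]=state f[3]=proto f[5]=service
                if (f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }'
}

# Stand-alone run against the constructed sample.
sample_gnmap | open_ports
```

The closed 443/tcp on the first host is deliberately left out of the result: only ports reported "open" are listening services. Sorting the output by service name (`sample_gnmap | open_ports | sort -k3`) groups the telnet and NetBIOS listeners together, which is usually where the least secure system on the network turns up first.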
There is another technique for gaining access to a system that might be the easiest way in: the art of social engineering. With the phone numbers found earlier, call the company. Get hold of whoever owns the password while impersonating a trustworthy administrator, and ask for the password in a clever and convincing way. In most cases, if a good, convincing job is done, the password will be written on a piece of paper by the time you hang up.
One could go on for hours explaining these techniques. With this start, grow from here. Just keep exploring and reading. One is not done gathering information about the subject until the least secure system on the network has been found. From there, take it to the next step and explore that system. Enjoy it and gain knowledge from it. With these first steps of exploring systems down, the rest should be a breeze.
*A zone transfer (AXFR) allows a secondary name server to copy the whole zone database from the primary. If the primary answers transfer requests from anyone rather than only from its secondaries, it hands every host record in the zone to whoever asks.