
Footprinting, or: How to Spy on a Company


published in: 2007#5, page 16

Category: threat

Keyword: Attack preparation

Summary: Before an attack starts, information about the target is gathered. Attackers can draw on a wide range of sources: information about companies is available in many forms these days, and cyber criminals and hackers use it for their own ends. This article describes how attackers proceed and what can be done about it.

Author: By Robert Chapman, Rotenburg an der Fulda

When hackers or cyber criminals collect information about a specific computer network, usually in preparation for an imminent break-in attempt, this is called footprinting. It can be tedious work, but it pays off. Malicious hackers treat reconnaissance as the first step of a real attack and spend up to 90% of their time on the footprinting phase of a typical attack. In extreme cases, gathering the information takes months, while the actual attack takes only a few hours.

Basically, the more attackers know about the company or its network, the easier or more effective the attack. Based on this knowledge they can also choose the most efficient or simplest type of attack: when attacking a server, it makes little sense to start by testing Microsoft vulnerabilities if the server is running Linux.

Footprinting consists of several steps: first the attackers collect basic information, then they identify and map out the target network they want to attack. Next they locate active hosts in the target network and look for open, unprotected ports or services on those systems. The last step is operating system (OS) fingerprinting to identify the operating system in use.

Passive reconnaissance

The information acquisition itself can be divided into two main phases.

In passive reconnaissance, the attacker collects information about a company or network without contacting the target. He taps various publicly available sources, so the target neither notices nor is alerted in any way. Obtaining this information is, moreover, mostly entirely legal. Companies cannot prevent most of it from being publicly accessible, because it is either deliberately published or necessary for network operation. Typical sources of publicly available information include:

  • the company's website,
  • Internet search engines,
  • Newsgroups and forums,
  • Job offers,
  • internal documents: attackers also rely on paper and rummage through waste paper or garbage (so-called dumpster diving),
  • people: hackers often exploit human weaknesses or helpfulness to obtain information (social engineering).

Company website

The designated victim's website is almost always the first port of call for information about an attack target. Attackers can often learn organizational details there, or find contact names and the structure of email addresses. Instead of browsing online, they often use tools such as the offline browser HTTrack to download the entire site and read it offline. Analysis of the HTML source can reveal a lot about the site and its structure, and may contain information about the operating systems and applications in use.

Websites change constantly, and some "interesting" information has been removed from the current version. That is why many attackers also use archive.org, whose "Wayback Machine" provides access to older versions of many sites. An attacker can often reach versions of the target's website that are several years old.

Internet search engines

Search engines are a useful tool that criminals appreciate too. They can be used to find information on the target's own website as well as links to third-party information about the company. Since "Google & Co." index more or less everything they can reach, attackers may well discover information or pages that are not readily available or findable on the public website. Many companies overlook this, so it is not unusual for private or internal directories, services and web front ends to end up unintentionally in search engine indexes. The "advanced search" of many search engines gives easy access to such things that are hidden at first glance (cf. 2005#5, p. 6). Using several different search engines can yield further results, because they use different indexing methods.

Newsgroups and forums

There are almost always people in discussion groups who have something to say about a company or a person. Forums are particularly useful for attackers when they are looking for technical details: there has even been a case in which a system administrator, looking for help with a problem, posted the configuration of a company router, a real stroke of luck for a potential attacker. Moreover, employees who post to newsgroups from a company account leave their email addresses behind. They thereby reveal several things: a real email address, the company's email address format (see also 2006#2, p. 6), their name, and themselves as an "entry point" for social engineering.

Job offers

Companies post job advertisements on the Internet, in the local press or in trade magazines when they are looking for new staff. Advertisements for technical positions often describe the required skills, for example "System administrator with good Solaris 10 knowledge wanted". This is valuable information for attackers looking for the operating systems, databases, network devices and applications in use.

Internal documents

Discarded notes, documents or manuals can be a real gold mine for attackers. Dumpster diving means retrieving written or printed information that has been thrown into waste paper bins. To do so, attackers inspect the company's dumpsters after office hours to see what the cleaning staff emptied out of the office bins. Computer names, account information, network data and perhaps even passwords can be found there. A scrap of paper that an employee carelessly threw away can give a malicious hacker access to the network. Information about the organizational structure and "internal knowledge" can also be very valuable in preparing social engineering.

Social engineering

Social engineering is probably the easiest way to obtain information about a company, because people are probably the weakest link in any security model. Hackers and criminals exploit this and try to manipulate employees into revealing information, whether unintentionally or knowingly. The attackers abuse human traits such as trust, helpfulness, gratitude and curiosity (news in exchange for information), or take advantage of a disgruntled employee's desire for revenge. Here the attacker is already active but, depending on the kind of "access" to the employees, does not yet show up in any security logs.

It is very difficult to find suitable defenses against social engineering; after all, there is no hardware or software that covers the human factor. Raising awareness and training employees, together with a clear classification of internal data, appear to be the most promising countermeasures (cf. 2007#1, p. 92, 2004#2, p. 10 and 2002#1, p. 10).

In passive reconnaissance, cyber criminals are initially interested in every aspect of the target organization. If they learn employees' contact details, they can call them to verify information and to find out more: names, phone numbers, email addresses, mergers and acquisitions, business partners; any of it can provide the crucial clue that completes the puzzle. Last but not least, attackers also use websites for looking up details about people, for example people.yahoo.com, or social networks such as Xing, to build a false identity and use it to spy out further information. Insider knowledge or the guise of a supposed colleague are good "door openers" for the next steps.

Active espionage

The other type of information gathering is active reconnaissance: here the steps taken to gather information can, in principle, be technically recorded or logged, i.e. a record of the reconnaissance attempt is created. The line between active and passive is not always sharp: if an attacker makes a simple domain name system (DNS) query to find the address belonging to the website or a server, it is logged somewhere, but it is unlikely to be noticed or perceived as suspicious by the target organization.

A second example from the gray area: if an attacker sends an email to a fictitious employee of the target company, he will probably receive a non-delivery report back. From it he may be able to read off the email format and the servers the message passed through, and thus derive the names and addresses of the mail servers. Even if the attempt was logged, it is such a common event that it usually attracts no attention.

In active reconnaissance, attackers collect and use network information to build a picture of the target network and identify weak points. The following steps count as active reconnaissance and are considered in more detail below: DNS lookup, zone transfer, ping sweep, traceroute, port scan and OS fingerprinting.


DNS lookup

Operating systems ship several command line tools for domain name system queries: nslookup, whois, dig and others. Attackers use them to discover a target's name and address information. The address belonging to a particular domain name can be found with a simple query; with more detailed queries, hackers can also find specific addresses such as that of the responsible mail server (the MX record). Whois records reveal the names and contact details of the people who registered a particular domain name. Instead of the command line tools, utilities or websites that deliver all this information "in one go" can also be used, for example www.dnsstuff.com. DNS information is not secret, but what is answered to external queries should be limited to what really needs to be reachable from outside, so as not to give away additional details of the network organization.

Zone transfer

Name and address records are usually grouped in so-called zones, and this information is stored in zone files on the servers. DNS servers keep each other up to date by exchanging these zones (a zone transfer). If attackers can request an entire zone from a DNS server, they get all of the information at once instead of having to run many individual queries. Many servers restrict zone transfers to authorized secondaries. But there is a chance it works, and then the hackers hold a complete list of the target's names and addresses.

With comprehensive information about the target network, an attacker can identify the associated addresses and address blocks and possibly also infer the structure of the network. As soon as a reachable computer has an "IP identity", attackers can target it for their criminal activities.

Ping sweep

Hackers also use the ping diagnostic tool to examine networks. If you send a ping (an ICMP echo request) to an address in the target network and get a reply, it is clear that the host exists and can be communicated with. A so-called ping sweep checks an entire address range for hosts that can be reached in this way; a number of scanning tools automate this. External pings should largely be blocked by a firewall rule unless there is a specific need for them. Ping sweeps can also be detected by firewalls or intrusion detection systems and raise an alarm, but this is harder if the attacker sends only occasional single requests over a long period and possibly uses different source addresses.
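The detection side of the ping sweep, as an added example that is not part of the original article: the script generates constructed iptables-style firewall log lines (the SRC=/DST=/PROTO=ICMP TYPE=8 field names are the real ones, the rest of the line is simplified and all addresses are from documentation ranges), then runs two rules over them. The classic per-source rule catches a fast sweep but, as the paragraph above says, misses the same sweep spread over hours and misses it entirely when the attacker rotates source addresses; a source-agnostic "fan-in" rule over the destination /24 still fires in the latter case. Window sizes and thresholds are assumptions to be tuned per network.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# iptables-style LOG line for an inbound ICMP echo request (TYPE=8). The kernel's real
# format carries more fields; the field names matched here are the genuine ones.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=ICMP TYPE=8\b"
)


def log_line(ts, src, dst):
    """Build a constructed firewall log line (sample data, not a real capture)."""
    return (f"{ts:%b %d %H:%M:%S} fw kernel: [PING] IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=84 PROTO=ICMP TYPE=8 CODE=0")


def parse_echo_requests(lines, year=2007):
    """Extract (timestamp, src, dst) for every logged inbound echo request."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:   # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["dst"]))
    return events


def _peak_distinct(probes, window_s):
    """Largest number of distinct targets hit within any window_s-second span."""
    probes = sorted(probes)
    peak = 0
    for i, (start, _) in enumerate(probes):
        seen = {dst for ts, dst in probes[i:] if (ts - start).total_seconds() <= window_s}
        peak = max(peak, len(seen))
    return peak


def detect_sweeps(events, window_s=60, min_targets=5):
    """Classic rule: one source touching >= min_targets distinct hosts within window_s."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, probes in by_src.items():
        n = _peak_distinct(probes, window_s)
        if n >= min_targets:
            alerts[src] = n
    return alerts


def detect_fan_in(events, window_s=60, min_targets=5, prefixlen=24):
    """Source-agnostic rule: many distinct hosts of one /prefixlen probed within window_s.
    Still fires when the attacker rotates or spoofs source addresses."""
    by_net = defaultdict(list)
    for ts, _, dst in events:
        net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
        by_net[str(net)].append((ts, dst))
    alerts = {}
    for net, probes in by_net.items():
        n = _peak_distinct(probes, window_s)
        if n >= min_targets:
            alerts[net] = n
    return alerts


# Constructed scenarios: a fast sweep, the same sweep spread over two hours, a sweep
# with a different (spoofed) source per probe, and one ordinary ping.
BASE = datetime(2007, 5, 15, 10, 12, 0)
FAST = [log_line(BASE + timedelta(seconds=i), "198.51.100.77", f"203.0.113.{10 + i}") for i in range(8)]
SLOW = [log_line(BASE + timedelta(minutes=15 * i), "198.51.100.200", f"203.0.113.{10 + i}") for i in range(8)]
SPOOFED = [log_line(BASE + timedelta(seconds=2 * i), f"192.0.2.{100 + i}", f"203.0.113.{30 + i}") for i in range(8)]
NOISE = [log_line(BASE + timedelta(seconds=30), "192.0.2.9", "203.0.113.10")]

if __name__ == "__main__":
    for label, lines in (("fast", FAST), ("slow", SLOW), ("spoofed", SPOOFED), ("noise", NOISE)):
        ev = parse_echo_requests(lines)
        print(label, "per-source:", detect_sweeps(ev), "| 2h per-source:", detect_sweeps(ev, 7200),
              "| fan-in:", detect_fan_in(ev))
```

Note that a longer window raises the false-positive rate from legitimate monitoring hosts, so the slow rule is best restricted to sources that are not on an allow list of known monitoring systems.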


Traceroute

Traceroute is a utility that shows the path between source and destination. The network path used and its intermediate stations (hops) are relevant to hackers too. The last hops may already lie inside the destination network, which gives additional information about the network and its subnets. In addition, many intermediate hops identify themselves by name, so attackers can learn more about the geography and the service provider of the target. Hackers who prefer pictures use graphical versions such as VisualRoute, which plots the results on a world map and shows details of the hops and their locations. Here, too, the question is which systems really need to answer such diagnostic requests; restricting them to the minimum seems advisable.

Port scan

Once attackers have located active hosts in the target network, they need details: which ports are open or reachable, and which services run on them. A port scan checks which Transmission Control Protocol (TCP) ports and connectionless User Datagram Protocol (UDP) ports are available on a host. The attackers thus learn which "doors" exist, which they will later try in order to gain access, and also get information about the role of the system and possibly its operating system. A popular port scanning tool is the Network Mapper, nmap for short, which is available for Linux and Windows and supports a large number of scan types with different parameters (http://insecure.org/nmap/).

Port scan types include connect scans, SYN, NULL and ACK scans, Xmas tree scans and idle scans. The aim of footprinting is to get the best possible picture of the target network without triggering an alarm. A connect scan establishes a complete connection with the target system, just as a normal data transfer would. That tells the attackers the port is open and ready. At the same time, however, the target learns that a remote system has connected to it, and it also learns the attacker's identity in the form of the source address. A single connection will hardly trigger an alarm, but it will be noticed if an attacker tries to connect to consecutive ports within a short time. Firewalls and intrusion detection systems (IDS) detect this kind of scan, which is why attackers resort to stealthier scans instead.

The other scans listed, apart from the idle scan, send packets with various combinations of TCP flags to the target without ever completing a connection. A SYN scan sends only the first packet of the handshake: an open port answers with SYN/ACK, a closed port with a reset (RST), and the scanner tears the half-open connection down again instead of completing it. NULL, FIN and Xmas tree scans send flag combinations that never occur at the start of a legitimate connection: a closed port answers with RST, which tells the attacker the port is not available, whereas an open port silently drops the packet. If the hackers receive no answer, they assume the port is open (or that a firewall is filtering it) and that a connection attempt may be worthwhile; an ACK scan, by contrast, only reveals whether a port is filtered. Because these scans never complete a connection with the target, the application behind the port never sees them and they are less easily noticed. IDS and firewalls, however, are in principle able to detect this kind of traffic on a network.

The idle scan, on the other hand, uses a so-called zombie host so as not to attract attention: the attacker sends the probes to the target with the source address of an idle third-party machine and reads the answers indirectly from that machine's predictable IP ID counter, so he needs no control over the zombie at all. This way the origin of the attack is disguised, because to the target it looks as if the scans came from the zombie. Distributing queries across many different systems likewise makes it hard to recognize a coherent attack.
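The scan types of the last three paragraphs (connect, SYN, NULL/FIN/Xmas, ACK and idle scan), as an added example that is not part of the original article: a toy model of a target's TCP stack that answers probes the way a standard RFC 793 stack does, the scanner's inference for each scan type, and the idle scan's IP ID side channel. It shows why only the connect scan leaves a logged connection with the scanner's address, why silence is ambiguous for the stateless scans, and how the idle scan reads the result off the zombie without the attacker ever contacting the target under his own address. The model is an assumption for illustration (no firewall that sends ICMP errors, no randomized IP IDs), not nmap's implementation.

```python
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"
SYN, ACK, RST, FIN, PSH, URG = "SYN", "ACK", "RST", "FIN", "PSH", "URG"


class TargetStack:
    """Toy model of how a standard (RFC 793) TCP/IP stack answers unsolicited segments.
    `ports` maps port -> OPEN / CLOSED / FILTERED (FILTERED: a firewall drops everything)."""

    def __init__(self, ports):
        self.ports = ports
        self.connections = []      # what the application layer actually sees and logs

    def respond(self, port, flags):
        """Return the flag set of the reply, or None when the segment is silently dropped."""
        state = self.ports.get(port, CLOSED)
        if state == FILTERED or RST in flags:
            return None                      # dropped by the firewall; RSTs are never answered
        if state == CLOSED:
            return {RST}                     # closed port: everything gets a reset
        if SYN in flags and ACK not in flags:
            return {SYN, ACK}                # open port: handshake step 2
        if ACK in flags:
            return {RST}                     # stray ACK (or SYN/ACK) to a listener: reset
        return None                          # NULL / FIN / Xmas: a listening socket stays silent

    def accept(self, port, peer):
        """Handshake step 3 arrived: the connection exists and is logged by the service."""
        self.connections.append((port, peer))


def connect_scan(target, port, scanner_addr):
    reply = target.respond(port, {SYN})
    if reply != {SYN, ACK}:
        return CLOSED if reply == {RST} else FILTERED
    target.accept(port, scanner_addr)        # full connect: the target logs the scanner's address
    return OPEN


def syn_scan(target, port):
    reply = target.respond(port, {SYN})
    if reply == {SYN, ACK}:
        target.respond(port, {RST})          # tear the half-open handshake down; nothing is logged
        return OPEN
    return CLOSED if reply == {RST} else FILTERED


def stealth_scan(target, port, flags):
    """NULL (flags=set()), FIN and Xmas ({FIN, PSH, URG}): RST means closed, silence is ambiguous."""
    return CLOSED if target.respond(port, flags) == {RST} else "open|filtered"


def ack_scan(target, port):
    """Finds no open ports at all; it only maps which ports a firewall lets through."""
    return "unfiltered" if target.respond(port, {ACK}) == {RST} else FILTERED


class Zombie:
    """Idle third-party host whose IP ID counter increases by one per packet it sends."""

    def __init__(self, ipid=1000):
        self.ipid = ipid

    def on_packet(self, flags):
        """Reply as an idle host would; return (reply flags, IP ID of the reply) or (None, None)."""
        if flags == {SYN, ACK}:              # unsolicited SYN/ACK -> RST, consuming one IP ID
            self.ipid += 1
            return {RST}, self.ipid
        return None, None                    # a RST is ignored, so no IP ID is consumed


def idle_scan(zombie, target, port):
    """The attacker never talks to the target under his own address and never controls the zombie."""
    _, id_before = zombie.on_packet({SYN, ACK})   # 1. probe the zombie's current IP ID
    reply = target.respond(port, {SYN})           # 2. SYN to the target, source spoofed as the zombie
    if reply is not None:
        zombie.on_packet(reply)                   #    the target answers the zombie, not the attacker
    _, id_after = zombie.on_packet({SYN, ACK})    # 3. probe the zombie again
    return OPEN if id_after - id_before == 2 else "closed|filtered"


if __name__ == "__main__":
    target = TargetStack({80: OPEN, 22: CLOSED, 25: FILTERED})
    for port in (80, 22, 25):
        print(port, "SYN:", syn_scan(target, port), "NULL:", stealth_scan(target, port, set()),
              "ACK:", ack_scan(target, port), "idle:", idle_scan(Zombie(), target, port))
    connect_scan(target, 80, "198.51.100.77")
    print("connections the application logged:", target.connections)
```

In nmap the corresponding options are -sT (connect), -sS (SYN), -sN/-sF/-sX (NULL/FIN/Xmas), -sA (ACK) and -sI (idle). Note that a modern stack with randomized IP IDs, or a zombie that is not really idle, breaks step 3 of the idle scan, which is why nmap first checks a candidate zombie's IP ID behaviour.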


OS fingerprinting

With fingerprinting, an attacker tries to determine which operating system a particular system runs, in order to use targeted weaknesses and suitable tricks later; nmap can be used for this as well. Different operating systems react differently to scans because their network stacks are implemented differently, and nmap therefore draws conclusions about the operating system from these reactions. Open ports also provide clues, because certain ports are associated with certain services on certain operating systems: some ports will typically be open on a Microsoft platform that are probably closed on a Linux platform.

Half the battle

Fingerprinting is the last piece of the footprinting puzzle. By then the attackers often have a very precise picture of the target network, including host names, addresses, open ports, operating systems and the roles of particular hosts. To obtain this, attackers can use a wide range of utilities, from simple free open source packages to extensive commercial scanning suites. Tools such as Sensepost, Spiderfoot or Wikto are footprinting tools that generate a lot of information in a single pass. These are entirely legal software tools, because they can equally be used to check one's own network.

Gathering information is already "half the battle" of an attack; then it gets down to the nitty-gritty: the cyber criminals decide on an attack strategy. Here too they often use publicly accessible vulnerability databases to pick out the weakest systems and try known exploits that abuse specific flaws to gain access or elevated privileges, or to carry out denial-of-service attacks. Once this stage is reached, it becomes very difficult for a company to fend off an attack successfully; preventive defensive work should therefore have a correspondingly high priority and be carried out as carefully as the hardening of the systems themselves.

Robert Chapman is the managing director of Firebrand Training GmbH (formerly Training Camp).

© SecuMedia-Verlags-GmbH, 55205 Ingelheim (DE),
tag: kes.info, 2007: art: 2007-5-016