
CEH Lab Manual

Footprinting and Reconnaissance

Module 02

Module 02 - Footprinting and Reconnaissance

Footprinting a Target Network


Footprinting refers to uncovering and collecting as much information as possible regarding a target network.

Lab Scenario

Icon key: Valuable information, Test your knowledge, Web exercise, Workbook review

Penetration testing is much more than just running exploits against vulnerable systems like we learned about in the previous module. In fact, a penetration test begins before penetration testers have even made contact with the victim's systems. Rather than blindly throwing out exploits and praying that one of them returns a shell, a penetration tester meticulously studies the environment for potential weaknesses and their mitigating factors. By the time a penetration tester runs an exploit, he or she is nearly certain that it will be successful. Since failed exploits can in some cases cause a crash or even damage to a victim system, or at the very least make the victim un-exploitable in the future, penetration testers won't get the best results, or deliver the most thorough report to their clients, if they blindly turn an automated exploit machine on the victim network with no preparation.

Lab Objectives
The objective of the lab is to extract information concerning the target organization that includes, but is not limited to:

IP address range associated with the target

Purpose of organization and why it exists

How big is the organization? What class is its assigned IP block?

Does the organization freely provide information on the type of operating systems employed and network topology in use?

Type of firewall implemented, either hardware or software or combination of both

Does the organization allow wireless devices to connect to wired networks?

Type of remote access used, either SSH or VPN

Is help sought on IT positions that give information on network services provided by the organization?

Identify organization's users who can disclose their personal information that can be used for social engineering and assume such possible usernames

Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Environment
This lab requires:

Windows Server 2012 as host machine

A web browser with an Internet connection

Administrative privileges to run tools

Lab Duration
Time: 50 Minutes

Overview of Footprinting
Before a penetration test even begins, penetration testers spend time with their clients working out the scope, rules, and goals of the test. The penetration testers may break in using any means necessary, from information found in the dumpster, to web application security holes, to posing as the cable guy.

After pre-engagement activities, penetration testers begin gathering information about their targets. Often all the information learned from a client is the list of IP addresses and/or web domains that are in scope. Penetration testers then learn as much about the client and their systems as possible, from searching for employees on social networking sites to scanning the perimeter for live systems and open ports. Taking all the information gathered into account, penetration testers study the systems to find the best routes of attack. This is similar to what an attacker would do or what an invading army would do when trying to breach the perimeter. Then penetration testers move into vulnerability analysis, the first phase where they are actively engaging the target. Some might say some port scanning does complete connections. However, as cybercrime rates rise, large companies, government organizations, and other popular sites are scanned quite frequently. During vulnerability analysis, a penetration tester begins actively probing the victim systems for vulnerabilities and additional information. Only once a penetration tester has a full view of the target does exploitation begin. This is where all of the information that has been meticulously gathered comes into play, allowing you to be nearly 100% sure that an exploit will succeed.

Once a system has been successfully compromised, the penetration test is over, right? Actually, that's not right at all. Post exploitation is arguably the most important part of a penetration test. Once you have breached the perimeter there is a whole new set of information to gather. You may have access to additional systems that are not available from the perimeter. The penetration test would be useless to a client without reporting. You should take good notes during the other phases, because during reporting you have to tie everything you found together in a way everyone from the IT department who will be remediating the vulnerabilities to the business executives who will be approving the budget can understand.
Lab Tasks

TASK 1: Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in footprinting:

Basic Network Troubleshooting Using the ping Utility and nslookup Tool

People Search Using Anywho and Spokeo Online Tool

Analyzing Domain and IP Address Queries Using SmartWhois

Network Route Trace Using Path Analyzer Pro

Tracing Emails Using eMailTrackerPro Tool

Collecting Information About a Target's Website Using Firebug

Mirroring Website Using HTTrack Web Site Copier Tool

Extracting Company's Data Using Web Data Extractor

Identifying Vulnerabilities and Information Disclosures in Search Engines using SearchDiggity

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Lab

Footprinting a Target Network Using the Ping Utility

Ping is a computer network administration utility used to test the reachability of a host on an Internet protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer.


Lab Scenario
As a professional penetration tester, you will need to check for the reachability of a computer in a network. Ping is one of the utilities that will allow you to gather important information like IP address, maximum Packet Frame size, etc. about the network computer to aid in successful penetration test.

Lab Objectives
This lab provides insight into the ping command and shows how to gather information using the ping command. The lab teaches how to:

Use ping

Emulate the tracert (traceroute) command with ping

Find maximum frame size for the network

Identify ICMP type and code for echo request and echo reply packets

Lab Environment
To carry out this lab you need:

Administrative privileges to run tools

TCP/IP settings correctly configured and an accessible DNS server

This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

Lab Duration
Time: 10 Minutes

Overview of Ping
The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any loss of packets.

Note: PING stands for Packet Internet Groper.

Note: Ping command syntax: ping [-q] [-v] [-R] [-c Count] [-i Wait] [-s PacketSize] Host.

Lab Tasks

TASK: Locate IP Address

1. Find the IP address for http://www.certifiedhacker.com

2. To launch Start menu, hover the mouse cursor in the lower-left corner of the desktop

FIGURE 1.1: Windows Server 2012 Desktop view

3. Click Command Prompt app to open the command prompt window

FIGURE 1.2: Windows Server 2012 Apps

4. Type ping www.certifiedhacker.com in the command prompt, and press Enter to find out its IP address

Note: For the command, ping -c count, specify the number of echo requests to send.

5. The displayed response should be similar to the one shown in the following screenshot

C:\>ping www.certifiedhacker.com

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Request timed out.
Reply from 202.75.54.101: bytes=32 time=267ms TTL=113
Reply from 202.75.54.101: bytes=32 time=288ms TTL=113
Reply from 202.75.54.101: bytes=32 time=525ms TTL=113

Ping statistics for 202.75.54.101:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 267ms, Maximum = 525ms, Average = 360ms

C:\>

FIGURE 1.3: The ping command to extract the IP address for www.certifiedhacker.com

Note: The ping command, ping -i wait, means wait time, that is the number of seconds to wait between each ping.

6. You receive the IP address of www.certifiedhacker.com that is 202.75.54.101

7. You also get information on Ping Statistics, such as packets sent, packets received, packets lost, and Approximate round-trip time

TASK: Finding Maximum Frame Size

8. Now, find out the maximum frame size on the network. In the command prompt, type ping www.certifiedhacker.com -f -l 1500

C:\>ping www.certifiedhacker.com -f -l 1500

Pinging www.certifiedhacker.com [202.75.54.101] with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 202.75.54.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

FIGURE 1.4: The ping command for www.certifiedhacker.com with -f -l 1500 options

Note: Request time out is displayed because either the machine is down or it implements a packet filter/firewall.

9. The display Packet needs to be fragmented but DF set means that the frame is too large to be on the network and needs to be fragmented. Since we used -f switch with the ping command, the packet was not sent, and the ping command returned this error

10. Type ping www.certifiedhacker.com -f -l 1300

C:\>ping www.certifiedhacker.com -f -l 1300

Pinging www.certifiedhacker.com [202.75.54.101] with 1300 bytes of data:
Reply from 202.75.54.101: bytes=1300 time=392ms TTL=114
Reply from 202.75.54.101: bytes=1300 time=362ms TTL=114
Reply from 202.75.54.101: bytes=1300 time=285ms TTL=114
Reply from 202.75.54.101: bytes=1300 time=331ms TTL=114

Ping statistics for 202.75.54.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 285ms, Maximum = 392ms, Average = 342ms

C:\>

FIGURE 1.5: The ping command for www.certifiedhacker.com with -f -l 1300 options

Note: In the ping command, option -f means don't fragment.

11. You can see that the maximum packet size is less than 1500 bytes and more than 1300 bytes

Note: In the ping command, ping -q means quiet output, only summary lines at startup and completion.

12. Now, try different values until you find the maximum frame size. For instance, ping www.certifiedhacker.com -f -l 1473 replies with Packet needs to be fragmented but DF set and ping www.certifiedhacker.com -f -l 1472 replies with a successful ping. It indicates that 1472 bytes is the maximum frame size on this machine network

Note: The maximum frame size will differ depending upon the network

C:\>ping www.certifiedhacker.com -f -l 1473

Pinging www.certifiedhacker.com [202.75.54.101] with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 202.75.54.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

FIGURE 1.6: The ping command for www.certifiedhacker.com with -f -l 1473 options

Note: The router discards packets when TTL reaches 0 (zero) value.

C:\>ping www.certifiedhacker.com -f -l 1472

Pinging www.certifiedhacker.com [202.75.54.101] with 1472 bytes of data:
Reply from 202.75.54.101: bytes=1472 time=359ms TTL=114
Reply from 202.75.54.101: bytes=1472 time=320ms TTL=114
Reply from 202.75.54.101: bytes=1472 time=282ms TTL=114
Reply from 202.75.54.101: bytes=1472 time=317ms TTL=114

Ping statistics for 202.75.54.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 282ms, Maximum = 359ms, Average = 319ms

FIGURE 1.7: The ping command for www.certifiedhacker.com with -f -l 1472 options

Note: The ping command, ping -R, means record route. It turns on route recording for the Echo Request packets, and displays the route buffer on returned packets (ignored by many routers).

13. Now, find out what happens when TTL (Time to Live) expires. Every frame on the network has TTL defined. If TTL reaches 0, the router discards the packet. This mechanism prevents the loss of packets

14. In the command prompt, type ping www.certifiedhacker.com -i 3. The displayed response should be similar to the one shown in the following figure, but with a different IP address

C:\>ping www.certifiedhacker.com -i 3

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Reply from 183.82.14.17: TTL expired in transit.
Reply from 183.82.14.17: TTL expired in transit.
Reply from 183.82.14.17: TTL expired in transit.
Reply from 183.82.14.17: TTL expired in transit.

Ping statistics for 202.75.54.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\>

FIGURE 1.8: The ping command for www.certifiedhacker.com with -i 3 options

15. Reply from 183.82.14.17: TTL expired in transit means that the router (183.82.14.17, students will have some other IP address) discarded the frame, because its TTL has expired (reached 0)

TASK: Emulate Tracert

16. Emulate the tracert (traceroute) command by using ping manually to find the route from your PC to www.certifiedhacker.com

17. The results you receive are different from those in this lab. Your results may also be different from those of the person sitting next to you

18. In the command prompt, type ping www.certifiedhacker.com -i 1 -n 1. (Use -n 1 in order to produce only one answer, instead of receiving four answers on Windows or pinging forever on Linux.) The displayed response should be similar to the one shown in the following figure

C:\>ping www.certifiedhacker.com -i 1 -n 1

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Request timed out.

Ping statistics for 202.75.54.101:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>

FIGURE 1.9: The ping command for www.certifiedhacker.com with -i 1 -n 1 options

Note: In the ping command, the -i option represents time to live (TTL).

19. In the command prompt, type ping www.certifiedhacker.com -i 2 -n 1. The only difference between the previous ping command and this one is -i 2. The displayed response should be similar to the one shown in the following figure

C:\>ping www.certifiedhacker.com -i 2 -n 1

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Request timed out.

Ping statistics for 202.75.54.101:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>

FIGURE 1.10: The ping command for www.certifiedhacker.com with -i 2 -n 1 options

Note: In the ping command, -t means to ping the specified host until stopped.

20. In the command prompt, type ping www.certifiedhacker.com -i 3 -n 1. Use -n 1 in order to produce only one answer (instead of four on Windows or pinging forever on Linux). The displayed response should be similar to the one shown in the following figure

C:\>ping www.certifiedhacker.com -i 3 -n 1

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Reply from 183.82.14.17: TTL expired in transit.

Ping statistics for 202.75.54.101:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

C:\>

FIGURE 1.11: The ping command for www.certifiedhacker.com with -i 3 -n 1 options

Note: In the ping command, the -v option means verbose output, which lists individual ICMP packets, as well as echo responses.

21. In the command prompt, type ping www.certifiedhacker.com -i 4 -n 1. Use -n 1 in order to produce only one answer (instead of four on Windows or pinging forever on Linux). The displayed response should be similar to the one shown in the following figure

D:\>ping www.certifiedhacker.com -i 4 -n 1

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Reply from 121.240.252.1: TTL expired in transit.

Ping statistics for 202.75.54.101:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

FIGURE 1.12: The ping command for www.certifiedhacker.com with -i 4 -n 1 options

Note: In the ping command, the -l size option means to send the buffer size.

22. We have received the answer from the same IP address in two different steps. This one identifies the packet filter; some packet filters do not decrement TTL and are therefore invisible

Note: In the ping command, the -w option represents the timeout in milliseconds to wait for each reply.

23. Repeat the above step until you reach the IP address for www.certifiedhacker.com (in this case, 202.75.54.101)

C:\>ping www.certifiedhacker.com -i 10 -n 1

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Reply from 120.29.216.21: TTL expired in transit.

Ping statistics for 202.75.54.101:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

C:\>

FIGURE 1.13: The ping command for www.certifiedhacker.com with -i 10 -n 1 options

24. Here the successful ping to reach www.certifiedhacker.com is 15 hops. The output will be similar to the trace route results

Note: Traceroute sends a sequence of Internet Control Message Protocol (ICMP) echo request packets addressed to a destination host.

C:\>ping www.certifiedhacker.com -i 12 -n 1

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Request timed out.

Ping statistics for 202.75.54.101:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

C:\>ping www.certifiedhacker.com -i 13 -n 1

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Reply from 1.9.244.26: TTL expired in transit.

Ping statistics for 202.75.54.101:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

C:\>ping www.certifiedhacker.com -i 14 -n 1

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Reply from 202.75.52.1: TTL expired in transit.

Ping statistics for 202.75.54.101:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

C:\>ping www.certifiedhacker.com -i 15 -n 1

Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:
Reply from 202.75.54.101: bytes=32 time=267ms TTL=114

Ping statistics for 202.75.54.101:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 267ms, Maximum = 267ms, Average = 267ms

FIGURE 1.14: The ping command for www.certifiedhacker.com with -i 15 -n 1 options

25. Now, make a note of all the IP addresses from which you receive the reply during the ping to emulate tracert
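
Steps 8 to 12 find the size limit by trial and error. The following added example (not part of the lab manual) runs the same `ping -f -l` probe as a binary search and converts the result to a path MTU: the value found is the ICMP data size, so 1472 bytes of data plus the 8-byte ICMP header and the 20-byte IPv4 header make a 1500-byte IP packet. The function names, the simulated host and the address 192.0.2.10 are assumptions made for the example.

```python
import subprocess

IPV4_HEADER = 20   # bytes, IPv4 header without options
ICMP_HEADER = 8    # bytes, ICMP echo header


def classify_df_probe(output, size):
    """Classify the text printed by one `ping <host> -f -l <size> -n 1` run (Windows wording)."""
    if "needs to be fragmented but DF set" in output:
        return "too_big"
    if f"bytes={size} " in output:
        return "fits"
    return "no_answer"   # timeout or other error: says nothing about the size limit


def windows_ping_probe(host):
    """Return probe(size) that runs the lab's command once. Works on Windows only."""
    def probe(size):
        cmd = ["ping", host, "-f", "-l", str(size), "-n", "1"]
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return probe


def largest_df_payload(probe, low=0, high=1500, retries=3):
    """Binary-search the largest ICMP data size that passes with the DF bit set.

    probe(size) must return ping's output text. A timeout is retried, because a
    lost packet is not evidence that the packet was too large.
    """
    def fits(size):
        for _ in range(retries):
            verdict = classify_df_probe(probe(size), size)
            if verdict != "no_answer":
                return verdict == "fits"
        raise RuntimeError(f"no usable answer for size {size}: host down or ICMP filtered")

    if not fits(low):
        raise RuntimeError("even the smallest probe does not pass")
    while low < high:
        mid = (low + high + 1) // 2
        if fits(mid):
            low = mid          # mid passes, the limit is mid or larger
        else:
            high = mid - 1     # mid needs fragmentation, the limit is smaller
    return low


def path_mtu(payload):
    """IP packet size that corresponds to an ICMP data size."""
    return payload + ICMP_HEADER + IPV4_HEADER


def simulated_probe(path_mtu_bytes, drop_first=False):
    """Constructed stand-in for a real host, so the example runs offline."""
    calls = []

    def probe(size):
        calls.append(size)
        if drop_first and len(calls) == 1:
            return "Request timed out.\n"
        if size + ICMP_HEADER + IPV4_HEADER > path_mtu_bytes:
            return "Packet needs to be fragmented but DF set.\n"
        return f"Reply from 192.0.2.10: bytes={size} time=20ms TTL=114\n"

    probe.calls = calls
    return probe


if __name__ == "__main__":
    probe = simulated_probe(1500, drop_first=True)
    payload = largest_df_payload(probe)
    print("largest payload:", payload, "path MTU:", path_mtu(payload),
          "probes sent:", len(probe.calls))
```

To run it against a lab host, pass `windows_ping_probe("<host>")` instead of the simulated probe.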

Lab Analysis
Document all the IP addresses, reply request IP addresses, and their TTLs.
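
One way to keep that record is to parse each `ping -i <TTL> -n 1` output into a hop table. The following is an added example, not part of the lab manual: the probe texts are rebuilt from the replies shown in Figures 1.9 to 1.14 (the lab shows no output for TTLs 5 to 9 and 11), and the function and field names are assumptions.

```python
import re

# ICMP type and code behind the messages Windows ping prints.
# The probe itself is an echo request (type 8, code 0).
ICMP = {
    "echo_reply": (0, 0),     # destination answered
    "ttl_expired": (11, 0),   # Time Exceeded: TTL exceeded in transit
    "frag_needed": (3, 4),    # Destination Unreachable: fragmentation needed and DF set
}

REPLY = re.compile(r"Reply from (\d+\.\d+\.\d+\.\d+): (bytes=\d+|TTL expired in transit)")
TARGET = re.compile(r"Pinging \S+ \[(\d+\.\d+\.\d+\.\d+)\]")


def parse_probe(ttl, output):
    """Turn the output of one `ping <host> -i <ttl> -n 1` run into a hop record."""
    target = TARGET.search(output)
    reply = REPLY.search(output)
    if reply is None:
        kind, responder = "no_reply", None
    elif reply.group(2).startswith("bytes="):
        kind, responder = "echo_reply", reply.group(1)
    else:
        kind, responder = "ttl_expired", reply.group(1)
    return {"ttl": ttl, "responder": responder, "kind": kind,
            "icmp": ICMP.get(kind), "target": target.group(1) if target else None}


def build_route(probes):
    """probes: iterable of (ttl, ping output text). Returns the documented route."""
    route = {"hops": [], "hop_count": None, "silent": [],
             "untested": [], "same_responder": []}
    prev = None
    for ttl, output in sorted(probes, key=lambda p: p[0]):
        hop = parse_probe(ttl, output)
        route["hops"].append(hop)
        if hop["kind"] == "no_reply":
            # Router sent no Time Exceeded message, or ICMP is filtered on the way.
            route["silent"].append(ttl)
        elif hop["kind"] == "ttl_expired":
            # Same router answering two consecutive TTLs: the case step 22 reads as
            # a packet filter that does not decrement TTL.
            if prev and prev["responder"] == hop["responder"] and prev["ttl"] + 1 == ttl:
                route["same_responder"].append((prev["ttl"], ttl, hop["responder"]))
        elif hop["responder"] == hop["target"]:
            route["hop_count"] = ttl      # first TTL that reaches the destination
            break
        prev = hop
    tested = {h["ttl"] for h in route["hops"]}
    if tested:
        route["untested"] = [t for t in range(1, max(tested) + 1) if t not in tested]
    return route


def lab_output(body):
    """Rebuild one ping output with the header line the lab's figures show."""
    return ("Pinging www.certifiedhacker.com [202.75.54.101] with 32 bytes of data:\n"
            + body + "\n")


# Replies copied from the lab's figures; order is deliberately irrelevant.
LAB_PROBES = [
    (1, lab_output("Request timed out.")),
    (2, lab_output("Request timed out.")),
    (3, lab_output("Reply from 183.82.14.17: TTL expired in transit.")),
    (4, lab_output("Reply from 121.240.252.1: TTL expired in transit.")),
    (10, lab_output("Reply from 120.29.216.21: TTL expired in transit.")),
    (12, lab_output("Request timed out.")),
    (13, lab_output("Reply from 1.9.244.26: TTL expired in transit.")),
    (14, lab_output("Reply from 202.75.52.1: TTL expired in transit.")),
    (15, lab_output("Reply from 202.75.54.101: bytes=32 time=267ms TTL=114")),
]

if __name__ == "__main__":
    route = build_route(LAB_PROBES)
    for hop in route["hops"]:
        print(hop["ttl"], hop["responder"] or "*", hop["kind"], hop["icmp"])
    print("hops to destination:", route["hop_count"])
    print("TTLs not yet tested:", route["untested"])
```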


Tool/Utility: Ping

Information Collected/Objectives Achieved:

    IP Address: 202.75.54.101
    Packet Statistics:
        Packets Sent: 4
        Packets Received: 3
        Packets Lost: 1
        Approximate Round Trip Time: 360ms
    Maximum Frame Size: 1472
    TTL Response: 15 hops

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How does tracert (trace route) find the route that the trace packets are (probably) using?

2. Is there any other answer ping could give us (except those few we saw before)?

3. We saw before:
   Request timed out
   Packet needs to be fragmented but DF set
   Reply from XXX.XXX.XXX.XX: TTL expired in transit
   What ICMP type and code are used for the ICMP Echo request?

4. Why does traceroute give different results on different networks (and sometimes on the same network)?

Internet Connection Required: [x] Yes  [ ] No

Platform Supported: [x] Classroom  [ ] iLabs

Footprinting a Target Network Using the nslookup Tool

nslookup is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain the domain name, the IP address mapping, or any other specific DNS record.

Lab Scenario
In the previous lab, we gathered information such as IP address, Ping Statistics, Maximum Frame Size, and TTL Response using the ping utility. Using the IP address found, an attacker can perform further hacks like port scanning, Netbios, etc. and can also find the country or region in which the IP is located and the domain name associated with the IP address.

In the next step of reconnaissance, you need to find the DNS records. Suppose in a network there are two domain name system (DNS) servers named A and B, hosting the same Active Directory-Integrated zone. Using the nslookup tool an attacker can obtain the IP address of the domain name, allowing him or her to find the specific IP address of the person he or she is hoping to attack. It is difficult to stop other users from querying a DNS server with the nslookup command, because this program basically simulates the way other programs do DNS name resolution. As a penetration tester, however, you should be able to prevent such attacks by going to the zone's properties, on the Zone Transfer tab, and selecting the option not to allow zone transfers. This will prevent an attacker from using the nslookup command to get a list of your zone's records. nslookup can provide you with a wealth of DNS server diagnostic information.

Lab Objectives
The objective of this lab is to help students learn how to use the nslookup command.

This lab will teach you how to:

Execute the nslookup command

Find the IP address of a machine

Change the server you want the response from

Elicit an authoritative answer from the DNS server

Find name servers for a domain

Find Cname (Canonical Name) for a domain

Find mail servers for a domain

Identify various DNS resource records

Lab Environment
To carry out the lab, you need:

Administrative privileges to run tools

TCP/IP settings correctly configured and an accessible DNS server

This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

If the nslookup command doesn't work, restart the command window, and type nslookup for the interactive mode.

Lab Duration
Time: 5 Minutes

Overview of nslookup
nslookup means name server lookup. To execute queries, nslookup uses the operating system's local Domain Name System (DNS) resolver library. nslookup operates in interactive or non-interactive mode. When used interactively by invoking it without arguments or when the first argument is - (minus sign) and the second argument is host name or IP address, the user issues parameter configurations or requests when presented with the nslookup prompt (>). When no arguments are given, then the command queries to default server. The - (minus sign) invokes subcommands which are specified on command line and should precede nslookup commands. In non-interactive mode, i.e. when first argument is name or internet address of the host being searched, parameters and the query are specified as command line arguments in the invocation of the program. The non-interactive mode searches the information for specified host using default name server.

With nslookup you will either receive a non-authoritative or authoritative answer. You receive a non-authoritative answer because, by default, nslookup asks your name server to recurse in order to resolve your query and because your name server is not an authority for the name you are asking it about. You can get an authoritative answer by querying the authoritative name server for the domain you are interested in.

Lab Tasks

TASK: Extract Information

1. Launch Start menu by hovering the mouse cursor in the lower-left corner of the desktop

FIGURE 2.1: Windows Server 2012 Desktop view

2. Click the Command Prompt app to open the command prompt window

FIGURE 2.2: Windows Server 2012 Apps

Note: The general command syntax is nslookup [-option] [name | -] [server].

3. In the command prompt, type nslookup, and press Enter

4. Now, type help and press Enter. The displayed response should be similar to the one shown in the following figure

C:\>nslookup
Default Server:  nsl.beamnet.in
Address:  202.53.8.8

> help
Commands:   (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default server
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands
set OPTION      - set an option
    all                 - print options, current server and host
    [no]debug           - print debugging information
    [no]d2              - print exhaustive debugging information
    [no]defname         - append domain name to each query
    [no]recurse         - ask for recursive answer to query
    [no]search          - use domain search list
    [no]vc              - always use a virtual circuit
    domain=NAME         - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
    root=NAME           - set root server to NAME
    retry=X             - set number of retries to X
    timeout=X           - set initial time-out interval to X seconds
    type=X              - set query type (ex. A,AAAA,A+AAAA,ANY,CNAME,MX,NS,PTR,SOA,SRV)
    querytype=X         - same as type
    class=X             - set query class (ex. IN (Internet), ANY)
    [no]msxfr           - use MS fast zone transfer
    ixfrver=X           - current version to use in IXFR transfer request
server NAME     - set default server to NAME, using current default server
lserver NAME    - set default server to NAME, using initial server
root            - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
    -a          -  list canonical names and aliases
    -d          -  list all records
    -t TYPE     -  list records of the given RFC record type (ex. A,CNAME,MX,NS,PTR etc.)
view FILE       - sort an 'ls' output file and view it with pg
exit            - exit the program

>

FIGURE 2.3: The nslookup command with help option

Note: Typing "help" or "?" at the command prompt generates a list of available commands.

5. In the nslookup interactive mode, type set type=a and press Enter.

6. Now, type www.certifiedhacker.com and press Enter. The displayed response should be similar to the one shown in the following figure.

Note: The DNS server Address (202.53.8.8) will be different from the one shown in the screenshot.

FIGURE 2.4: In nslookup command, set type=a option

TASK: Elicit Authoritative

7. You get an Authoritative or Non-authoritative answer. The answer varies, but in this lab, it is a Non-authoritative answer.

8. In nslookup interactive mode, type set type=cname and press Enter.

9. Now, type certifiedhacker.com and press Enter.

Note: The DNS server address (8.8.8.8) will be different than the one in the screenshot.

10. The displayed response should be similar to the one shown as follows:

TASK 3: Find Cname

C:\>nslookup
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> set type=cname
> certifiedhacker.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

certifiedhacker.com
        primary name server = ns0.noyearlyfees.com
        responsible mail addr = admin.noyearlyfees.com
        serial  = 35
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
>

FIGURE 2.5: In nslookup command, set type=cname option

11. In nslookup interactive mode, type server 64.147.99.90 (or any other IP address you receive in the previous step) and press Enter.

12. Now, type set type=a and press Enter.

13. Type www.certifiedhacker.com and press Enter. The displayed response should be similar to the one shown in the following figure.

Note: In nslookup command, root option means to set the current default server to the root.

FIGURE 2.6: In nslookup command, set type=a option

14. If you receive a request timed out message, as shown in the previous figure, then your firewall is preventing you from sending DNS queries outside your LAN.

15. In nslookup interactive mode, type set type=mx and press Enter.

16. Now, type certifiedhacker.com and press Enter. The displayed response should be similar to the one shown in the following figure.

Note: To make querytype of NS a default option for your nslookup commands, place one of the following statements in the user_id.NSLOOKUP.ENV data set: set querytype=ns or querytype=ns.

FIGURE 2.7: In nslookup command, set type=mx option
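The authoritative versus non-authoritative distinction in step 7 and the reply shown in Figure 2.5 both come from fields of the DNS message itself. The following Python sketch is an added example, not part of the original lab manual: it builds the query that nslookup sends after set type=..., then decodes a constructed reply shaped like Figure 2.5 (no CNAME answer, an SOA record in the authority section, AA bit clear). The function names and the sample reply bytes are assumptions made for illustration.

```python
import struct

# Record type codes for the query types used in this lab.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "SRV": 33}


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Build the query sent after 'set type=<qtype>' (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                  # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Decode header flags plus the answer and authority sections."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "is_response": bool(flags & 0x8000),
              "authoritative": bool(flags & 0x0400),   # AA bit
              "rcode": flags & 0x000F, "answers": [], "authority": []}
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    for section, count in (("answers", an), ("authority", ns)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rec = {"name": owner, "type": rtype, "ttl": ttl}
            if rtype == QTYPES["SOA"]:
                rec["mname"], p = decode_name(msg, off)
                rec["rname"], p = decode_name(msg, p)
                keys = ("serial", "refresh", "retry", "expire", "minimum")
                rec.update(zip(keys, struct.unpack("!IIIII", msg[p:p + 20])))
            elif rtype == QTYPES["CNAME"]:
                rec["cname"], _ = decode_name(msg, off)
            elif rtype == QTYPES["A"] and rdlen == 4:
                rec["address"] = ".".join(str(b) for b in msg[off:off + 4])
            off += rdlen
            result[section].append(rec)
    return result


def answer_kind(parsed):
    """Label nslookup derives from the AA bit of the reply header."""
    return "Authoritative" if parsed["authoritative"] else "Non-authoritative"


def sample_response():
    """Constructed reply using the SOA values visible in Figure 2.5."""
    query = build_query("certifiedhacker.com", "CNAME")
    # Flags 0x8180: QR=1, RD=1, RA=1, AA=0; 0 answers, 1 authority record.
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0)
    rdata = (encode_name("ns0.noyearlyfees.com")
             + encode_name("admin.noyearlyfees.com")
             + struct.pack("!IIIII", 35, 900, 600, 86400, 3600))
    owner = b"\xc0\x0c"                    # pointer to the name at offset 12
    soa = owner + struct.pack("!HHIH", QTYPES["SOA"], 1, 3600, len(rdata)) + rdata
    return header + query[12:] + soa


if __name__ == "__main__":
    reply = parse_response(sample_response())
    print(answer_kind(reply), "answer; answers:", len(reply["answers"]))
    print(reply["authority"][0])
```

An empty answer section with an SOA record in the authority section means the queried name has no record of the requested type, which is why Figure 2.5 shows zone details rather than a canonical name.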

Lab Analysis
Document all the IP addresses, DNS server names, and other DNS information.

Tool/Utility: nslookup
Information Collected/Objectives Achieved:
    DNS Server Name: 202.53.8.8
    Non-Authoritative Answer: 202.75.54.101
    CNAME (Canonical Name of an alias)
        Alias: certifiedhacker.com
        Canonical name: google-public-dns-a.google.com
    MX (Mail Exchanger): mail.certifiedhacker.com

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze and determine each of the following DNS resource records:
    SOA
    NS
    PTR
    CNAME
    MX
    SRV

2. Evaluate the difference between an authoritative and non-authoritative answer.

3. Determine when you will receive request time out in nslookup.

Internet Connection Required: ☑ Yes  ☐ No
Platform Supported: ☑ Classroom  ☐ iLabs

People Search Using the AnyWho Online Tool
AnyWho is an online white pages people search directory for quickly looking up individual phone numbers.

Lab Scenario
You have already learned that the first stage in penetration testing is to gather as much information as possible. In the previous lab, you were able to find information related to DNS records using the nslookup tool. If an attacker discovers a flaw in a DNS server, he or she will exploit the flaw to perform a cache poisoning attack, making the server cache the incorrect entries locally and serve them to other users that make the same request. As a penetration tester, you must always be cautious and take preventive measures against attacks targeted at a name server by configuring name servers securely to reduce the attacker's ability to corrupt a zone file with the amplification record.

To begin a penetration test it is also important to gather information about a user location to intrude into the user's organization successfully. In this particular lab, we will learn how to locate a client or user location using the AnyWho online tool.

Lab Objectives
The objective of this lab is to demonstrate the footprinting technique to collect confidential information on an organization, such as their key personnel and their contact details, using people search services. Students need to perform people search and phone number lookup using http://www.anywho.com.

Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Environment
In the lab, you need:

A web browser with an Internet connection

Administrative privileges to run tools

This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

Lab Duration
Time: 5 Minutes

Overview of AnyWho
AnyWho is a part of the ATTi family of brands, which mostly focuses on local searches for products and services. The site lists information from the White Pages (Find a Person/Reverse Lookup) and the Yellow Pages (Find a Business).

Lab Tasks
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

Note: AnyWho allows you to search for local businesses by name to quickly find their Yellow Pages listings with basic details and maps, plus any additional time and money-saving features, such as coupons, video profiles or online reservations.

FIGURE 3.1: Windows Server 2012 Desktop view

2. Click the Google Chrome app to launch the Chrome browser or launch any other browser.

FIGURE 3.2: Windows Server 2012 Apps

TASK 1: People Search with AnyWho

3. In the browser, type http://www.anywho.com, and press Enter on the keyboard.

Note: AnyWho is part of the ATTi family of brands, which focuses on local search products and services.

FIGURE 3.3: AnyWho - Home Page http://www.anywho.com

4. Input the name of the person you want to search for in the Find a Person section and click Find.

Note: Include both the first and last name when searching the AnyWho White Pages.

FIGURE 3.4: AnyWho Name Search

5. AnyWho redirects you to search results with the name you have entered. The number of results might vary.

Note: Yellow Pages listings (searches by category or name) are obtained from YP.COM and are updated on a regular basis.

FIGURE 3.5: AnyWho People Search Results

TASK: Viewing Person Information

6. Click the search results to see the address details and phone number of that person.

Note: The search results display address, phone number and directions for the location.

FIGURE 3.6: AnyWho - Detail Search Result of Rose A Christian

7. Similarly, perform a reverse search by giving phone number or address in the Reverse Lookup field.

Note: The Reverse Phone Lookup service allows visitors to enter in a phone number and immediately lookup who it is registered to.

FIGURE 3.7: AnyWho Reverse Lookup Page

Reverse lookup will redirect you to the search result page with the detailed information of the person for particular phone number or email address.

Note: Unpublished directory records are not displayed. If you want your residential listing removed, you have a couple of options:
To have your listing unpublished, contact your local telephone company.
To have your listing removed from AnyWho without obtaining an unpublished telephone number, follow the instructions provided in AnyWho Listing Removal to submit your listing for removal.

FIGURE 3.8: AnyWho - Reverse Lookup Search Result

Lab Analysis
Analyze and document all the results discovered in the lab exercise.

Tool/Utility: AnyWho
Information Collected/Objectives Achieved:
    White Pages (Find people by name): Exact location of a person with address and phone number
    Get Directions: Precise route to the address found for a person
    Reverse Lookup (Find people by phone number): Exact location of a person with complete address

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Can you collect all the contact details of the key people of any organization?

2. Can you remove your residential listing? If yes, how?

3. If you have an unpublished listing, why does your information show up in AnyWho?

4. Can you find a person in AnyWho that you know has been at the same location for a year or less? If yes, how?

5. How can a listing be removed from AnyWho?

Internet Connection Required: ☑ Yes  ☐ No
Platform Supported: ☑ Classroom  ☐ iLabs

People Search Using the Spokeo Online Tool
Spokeo is an online people search tool providing real-time information about people. This tool helps with online footprinting and allows you to discover details about people.

Lab Scenario
For a penetration tester, it is always advisable to collect all possible information about a client before beginning the test. In the previous lab, we learned about collecting people information using the AnyWho online tool; similarly, there are many tools available that can be used to gather information on people, employees, and organizations to conduct a penetration test. In this lab, you will learn to use the Spokeo online tool to collect confidential information of key persons in an organization.

Lab Objectives
The objective of this lab is to demonstrate the footprinting techniques to collect people information using people search services. Students need to perform a people search using http://www.spokeo.com.

Lab Environment
Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and Reconnaissance

In the lab, you need:

A web browser with an Internet connection

Administrative privileges to run tools

This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

Lab Duration
Time: 5 Minutes

Overview of Spokeo
Spokeo aggregates vast quantities of public data and organizes the information into easy-to-follow profiles. Information such as name, email address, phone number, address, and user name can be easily found using this tool.

Lab Tasks

TASK: People Search Spokeo

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 4.1: Windows Server 2012 Desktop view

2. Click the Google Chrome app to launch the Chrome browser.

Note: Spokeo's people search allows you to find old friends, reunite with classmates, teammates and military buddies, or find lost and distant family.

FIGURE 4.2: Windows Server 2012 - Apps

3. Open a web browser, type http://www.spokeo.com, and press Enter on the keyboard.

Note: Apart from Name search, Spokeo supports four types of searches:
Email Address
Phone Number
Username
Residential Address

FIGURE 4.3: Spokeo home page http://www.spokeo.com

4. To begin the search, input the name of the person you want to search for in the Name field and click Search.

FIGURE 4.4: Spokeo Name Search

5. Spokeo redirects you to search results with the name you have entered.

Note: Spokeo's email search scans through 90+ social networks and public sources to find the owner's name, photos, and public profiles.

FIGURE 4.5: Spokeo People Search Results

FIGURE 4.6: Spokeo People Search Results

Note: Public profiles from social networks are aggregated in Spokeo and many places, including search engines.

FIGURE 4.7: Spokeo People Search Results

8. Search results displaying the Address, Phone Number, Email Address, City and State, etc.

FIGURE 4.8: Spokeo People Search Results

9. Search results displaying the Location History.

Note: All results will be displayed once the search is completed.

FIGURE 4.9: Spokeo People Search Results

10. Spokeo search results display the Family Background, Family Economic Health and Family Lifestyle.

FIGURE 4.10: Spokeo People Search Results

Note: Online maps and street view are used by over 300,000 websites, including most online phone books and real estate websites.

11. Spokeo search results display the Neighborhood for the search done.

FIGURE 4.11: Spokeo People Search Results

Note: Spokeo's reverse phone lookup functions like a personal caller-ID system. Spokeo's reverse phone number search aggregates hundreds of millions of phone book records to help locate the owner's name, location, time zone, email and other public information.

12. Similarly, perform a Reverse search by giving phone number, address, email address, etc. in the Search field to find details of a key person or an organization.

FIGURE 4.12: Spokeo Reverse Search Result of Microsoft Redmond Office

Lab Analysis
Analyze and document all the results discovered in the lab exercise.

Tool/Utility: Spokeo
Information Collected/Objectives Achieved:
    Profile Details:
        Current Address
        Phone Number
        Email Address
        Marital Status
        Education
        Occupation
    Location History: Information about where the person has lived and detailed property information
    Family Background: Information about household members for the person you searched
    Photos & Social Profiles: Photos, videos, and social network profiles
    Neighborhood: Information about the neighborhood
    Reverse Lookup: Detailed information for the search done using phone numbers

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. How do you collect all the contact details of key people using Spokeo?

2. Is it possible to remove your residential listing? If yes, how?

3. How can you perform a reverse search using Spokeo?

4. List the kind of information that a reverse phone search and email search will yield.

Internet Connection Required: ☑ Yes  ☐ No
Platform Supported: ☑ Classroom  ☐ iLabs

Analyzing Domain and IP Address


Queries Using SmartWhois
S m a rtW h o is is a n e tw o rk in fo rm a tio n u tility th a t a lo w s y o n to lo o k u p m o st

a v a ila b le in fo rm a tio n on a hostnam e, IP ad d ress, o r d o m ain .

Lab Scenario
In the previous lab, you learned to determine a person's or an organization's location using the Spokeo online tool. Once a penetration tester has obtained the user's location, he or she can gather personal details and confidential information from the user by posing as a neighbor, the cable guy, or through any means of social engineering. In this lab, you will learn to use the SmartWhois tool to look up all of the available information about any IP address, hostname, or domain. Using this information, penetration testers gain access to the network of the particular organization for which they wish to perform a penetration test.

Lab Objectives
The objective of this lab is to help students analyze domain and IP address queries. This lab helps you to get most available information on a hostname, IP address, and domain.

Lab Environment
In the lab you need:

A computer running any version of Windows with Internet access

Administrator privileges to run SmartWhois

The SmartWhois tool, available in D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance\WHOIS Lookup Tools\SmartWhois or downloadable from http://www.tamos.com

If you decide to download the latest version, then screenshots shown in the lab might differ

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Duration
Time: 5 Minutes

Overview of SmartWhois
SmartWhois is a network information utility that allows you to look up most available information on a hostname, IP address, or domain, including country, state or province, city, name of the network provider, technical support contact information, and administrator.

SmartWhois helps you to search for information such as:

The owner of the domain

The domain registration date and the owner's contact information

The owner of the IP address block

SmartWhois can be configured to work from behind a firewall by using HTTP/HTTPS proxy servers. Different SOCKS versions are also supported.

Lab Tasks
Note: If you are working in the iLabs environment, directly jump to step number 13

1. Follow the wizard-driven installation steps and install SmartWhois.
2. To launch the Start menu, hover the mouse cursor in the lower-left corner of the desktop
FIGURE 5.1: Windows Server 2012 Desktop view
3. To launch SmartWhois, click SmartWhois in apps

SmartWhois can save obtained information to an archive file. Users can load this archive the next time the program is launched and add more information to it. This feature allows you to build and maintain your own database of IP addresses and host names.

FIGURE 5.2: Windows Server 2012 Apps

TASK 1: Lookup IP
4. The SmartWhois main window appears
FIGURE 5.3: The SmartWhois main window

If you need to query a non-default whois server or make a special query, click View > Whois Console from the menu, or click the Query button and select Custom Query.

5. Type an IP address, hostname, or domain name in the field tab. An example of a domain name query is shown as follows, www.google.com.
FIGURE 5.4: A SmartWhois domain search

6. Now, click the Query tab to find a drop-down list, and then click As Domain to enter domain name in the field.
FIGURE 5.5: The SmartWhois Selecting Query type

SmartWhois is capable of caching query results, which reduces the time needed to query an address; if the information is in the cache file it is immediately displayed and no connections to the whois servers are required.

7. In the left pane of the window, the result displays, and the right pane displays the results of your query.
FIGURE 5.6: The SmartWhois Domain query result (google.com: Dns Admin, Google Inc., Mountain View CA 94043, United States; name servers ns4.google.com, ns3.google.com)

SmartWhois can process lists of IP addresses, hostnames, or domain names saved as plain text (ASCII) or Unicode files. The valid format for such batch files is simple: Each line must begin with an IP address, hostname, or domain. If you want to process domain names, they must be located in a separate file from IP addresses and hostnames.

8. Click the Clear icon in the toolbar to clear the history.
FIGURE 5.7: A SmartWhois toolbar

Host Name Query
9. To perform a sample host name query, type www.facebook.com.
10. Click the Query tab, and then select As IP/Hostname and enter a hostname in the field.
FIGURE 5.8: A SmartWhois host name query

11. In the left pane of the window, the result displays, and in the right pane, the text area displays the results of your query.
FIGURE 5.9: A SmartWhois host name query result (www.facebook.com: Domain Administrator, Facebook, Inc., 1601 Willow Road, Menlo Park CA 94025, United States; name servers ns3.facebook.com, ns5.facebook.com)
12. Click the Clear icon in the toolbar to clear the history.
13. To perform a sample IP Address query, type the IP address 10.0.0.3 (Windows 8 IP address) in the IP, host or domain field.
FIGURE 5.10: A SmartWhois IP address query

If you want to query a domain registration database, enter a domain name and hit the Enter key while holding the Ctrl key, or just select As Domain from the Query dropdown.

If you're saving results as a text file, you can specify the data fields to be saved. For example, you can exclude name servers or billing contacts from the output file. Click Settings > Options > Text & XML to configure the options.

14. In the left pane of the window, the result displays, and in the right pane, the text area displays the results of your query.
FIGURE 5.11: The SmartWhois IP query result (10.0.0.3: 10.0.0.0 - 10.255.255.255, Internet Assigned Numbers Authority, PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED; Updated: 2004-02-24; Source: whois.arin.net)

SmartWhois supports command line parameters specifying IP address/hostname/domain, as well as files to be opened/saved.
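What a WHOIS lookup like the ones in this lab does on the wire, as an added example that is not part of the lab manual or of SmartWhois: the client sends the query plus CRLF over TCP port 43 and reads until the server closes the connection (RFC 3912). The record is a constructed sample built from the values in the 10.0.0.3 result above; the function names and the `Key: value` layout are assumptions.

```python
import ipaddress
import socket
import threading

# Constructed sample response in an ARIN-like "Key: value" layout (the layout
# is an assumption); the values are those in the lab's 10.0.0.3 result.
CONSTRUCTED_RECORD = (
    "# constructed sample, not real server output\r\n"
    "NetRange:       10.0.0.0 - 10.255.255.255\r\n"
    "NetName:        PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED\r\n"
    "OrgName:        Internet Assigned Numbers Authority\r\n"
    "Updated:        2004-02-24\r\n"
)


def whois_exchange(sock, query, timeout=10.0):
    """Run one WHOIS (RFC 3912) exchange over an already-connected socket."""
    sock.settimeout(timeout)  # a filtered port 43 surfaces as a timeout here
    sock.sendall(query.encode("ascii") + b"\r\n")
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:  # the server signals end of answer by closing
            break
        chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def whois_query(server, query, port=43, timeout=10.0):
    """Connect to a WHOIS server on TCP port 43 and return the raw response."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        return whois_exchange(sock, query, timeout)


def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}, skipping comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def classify_target(target):
    """Return 'private' (RFC 1918 or otherwise reserved), 'public' or 'name'."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return "name"
    return "private" if addr.is_private else "public"


def demo_exchange(query="10.0.0.3"):
    """Play client and server over a local socket pair (no network needed)."""
    client, server = socket.socketpair()
    received = []

    def serve():
        # Server side: read one CRLF-terminated query, answer, close.
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = server.recv(1024)
            if not chunk:
                break
            buf += chunk
        received.append(buf)
        server.sendall(CONSTRUCTED_RECORD.encode("ascii"))
        server.close()

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        raw = whois_exchange(client, query)
    finally:
        client.close()
        worker.join()
    return received[0], parse_whois(raw)


if __name__ == "__main__":
    wire, fields = demo_exchange("10.0.0.3")
    print("sent on the wire:", wire)
    print("target class:", classify_target("10.0.0.3"))
    for key, values in fields.items():
        print(f"{key}: {', '.join(values)}")
```

A private address such as 10.0.0.3 has no individual registrant, which is why the result names the IANA reservation for the whole 10.0.0.0 - 10.255.255.255 block.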

Lab Analysis
Document all the IP addresses/hostnames for the lab for further information.
Tool/Utility: SmartWhois
Information Collected/Objectives Achieved:
Domain name query results: Owner of the website
Host name query results: Geographical location of the hosted website
IP address query results: Owner of the IP address block

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine whether you can use SmartWhois if you are behind a firewall or a proxy server.
2. Why do you get Connection timed out or Connection failed errors?
3. Is it possible to call SmartWhois directly from my application? If yes, how?
4. What are LOC records, and are they supported by SmartWhois?
5. When running a batch query, you get only a certain percentage of the domains/IP addresses processed. Why are some of the records unavailable?

Internet Connection Required: Yes / No
Platform Supported: [x] Classroom  [x] iLabs

Network Route Trace Using Path Analyzer Pro
Path Analyzer Pro delivers advanced network route tracing with performance tests, DNS, whois, and network resolution to investigate network issues.

Lab Scenario
Using the information (IP address, hostname, domain, etc.) found in the previous lab, access can be gained to an organization's network, which allows a penetration tester to thoroughly learn about the organization's network environment for possible vulnerabilities. Taking all the information gathered into account, penetration testers study the systems to find the best routes of attack. The same tasks can be performed by an attacker and the results possibly will prove to be very fatal for an organization. In such cases, as a penetration tester you should be competent to trace network route, determine network path, and troubleshoot network issues. Here you will be guided to trace the network route using the tool Path Analyzer Pro.

Lab Objectives
The objective of this lab is to help students research email addresses, network paths, and IP addresses. This lab helps to determine what ISP, router, or servers are responsible for a network problem.

Lab Environment
In the lab you need:

Path Analyzer Pro: Path Analyzer Pro is located at D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance\Traceroute Tools\Path Analyzer Pro

You can also download the latest version of Path Analyzer Pro from the link http://www.pathanalyzer.com/download.opp

If you decide to download the latest version, then screenshots shown in the lab might differ

Install this tool on Windows Server 2012

Double-click PAPro27.msi

Follow the wizard driven installation to install it

Administrator privileges to run Path Analyzer Pro

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Duration
Time: 10 Minutes

Overview of Network Route Trace
Traceroute is a computer network tool for measuring the route path and transit times of packets across an Internet protocol (IP) network. The traceroute tool is available on almost all Unix-like operating systems. Variants, such as tracepath on modern Linux installations and tracert on Microsoft Windows operating systems with similar functionality, are also available.

Traceroute is a system administrator's utility to trace the route IP packets take from a source system to some destination system.

Lab Tasks
1. Follow the wizard-driven installation steps to install Path Analyzer Pro
2. To launch the Start menu, hover the mouse cursor in the lower-left corner of the desktop
FIGURE 6.1: Windows Server 2012 Desktop view
3. To launch Path Analyzer Pro, click Path Analyzer Pro in apps
FIGURE 6.2: Windows Server 2012 Apps

Path Analyzer Pro summarizes a given trace within seconds by generating a simple report with all the important information on the target; we call this the Synopsis.

4. Click the Evaluate button on the Registration Form
5. The main window of Path Analyzer Pro appears as shown in the following screenshot
FIGURE 6.3: The Path Analyzer Pro Main window
6. Select the ICMP protocol in the Standard Options section.
FIGURE 6.4: The Path Analyzer Pro Standard Options (Protocol: ICMP, TCP, UDP; NAT-friendly; Source Port: Random, 65535; Tracing Mode: Default, Adaptive, FIN Packets Only)

FIN Packets Only: generates only TCP packets with the FIN flag set in order to solicit an RST or TCP reset packet as a response from the target. This option may get beyond a firewall at the target, thus giving the user more trace data, but it could be misconstrued as a malicious attack.

7. Under Advanced Probe Details, check the Smart option in the Length of packet section and leave the rest of the options in this section at their default settings.
Note: Firewall is required to be disabled for appropriate output
FIGURE 6.5: The Path Analyzer Pro Advanced Probe Details window (Length of packet: Smart, 64; Lifetime: 300 milliseconds; Type-of-Service: Unspecified, Minimize-Delay; Maximum TTL: 30; Initial Sequence Number: Random)
8. In the Advanced Tracing Details section, the options remain at their default settings.
9. Check Stop on control messages (ICMP) in the Advance Tracing Details section
FIGURE 6.6: The Path Analyzer Pro Advanced Tracing Details window (Work-ahead Limit, Minimum Scatter, Probes per TTL, Stop on control messages (ICMP))

Path Analyzer Pro summarize all the relevant background information on its target, be it an IP address, a hostname, or an email address.

Path Analyzer Pro benefits:

Research IP addresses, email addresses, and network paths

Pinpoint and troubleshoot network availability and performance issues

Determine what ISP, router, or server is responsible for a network problem

Locate firewalls and other filters that may be impacting connections

Visually analyze a network's path characteristics

Graph protocol latency, jitter, and other factors

Trace actual applications and ports, not just IP hops

Generate, print, and export a variety of impressive reports

Perform continuous and timed tests with real-time reporting and history

10. To perform the trace after checking these options, select the target host, for instance www.google.com, and check the Port: Smart as default (65535).
FIGURE 6.7: A Path Analyzer Pro Advance Tracing Details option
11. In the drop-down menu, select the duration of time as Timed Trace
FIGURE 6.8: A Path Analyzer Pro Advance Tracing Details option
12. Enter the Type time of trace in the previously mentioned format as HH: MM: SS.
FIGURE 6.9: The Path Analyzer Pro Type time of trace option
TASK 2: Trace Reports
13. While Path Analyzer Pro performs this trace, the Trace tab changes automatically to Stop.
FIGURE 6.10: A Path Analyzer Pro Target Option

Note: Path Analyzer Pro is not designed to be used as an attack tool.

14. To see the trace results, click the Report tab to display a linear chart depicting the number of hops between you and the target.
FIGURE 6.11: A Path Analyzer Pro Target option (Report tab columns: Hop, IP Address, Hostname, ASN, Network Name, % loss, Min Latency, Latency, Avg Latency, Max Latency, StdDev; rows include "No reply packets received from TTLs 1 through 2" and "No reply packets received from TTL 5")

The Advanced Probe Details settings determine how probes are generated to perform the trace. These include the Length of packet, Lifetime, Type of Service, Maximum TTL, and Initial Sequence Number.

15. Click the Synopsis tab, which displays a one-page summary of your trace results.
FIGURE 6.12: A Path Analyzer Pro Target option (Synopsis tab sections: Forward DNS (A records), Reverse DNS (PTR record), Alternate Name, REGISTRIES, INTERCEPT)

Length of packet: This option allows you to set the length of the packet for a trace. The minimum size of a packet, as a general rule, is approximately 64 bytes, depending on the protocol used. The maximum size of a packet depends on the physical network but is generally 1500 bytes for a regular Ethernet network or 9000 bytes using Gigabit Ethernet networking with jumbo frames.

TASK 3: View Charts
16. Click the Charts tab to view the results of your trace.
FIGURE 6.13: The Path Analyzer Pro Chart Window
TASK 4: View Imaginary Map
17. Click Geo, which displays an imaginary world map format of your trace.
FIGURE 6.14: The Path Analyzer Pro chart window

Path Analyzer Pro uses Smart as the default Length of packet. When the Smart option is checked, the software automatically selects the minimum size of packets based on the protocol selected under Standard Options.

TASK 5: Vital Statistics
18. Now, click the Stats tab, which features the Vital Statistics of your current trace.
FIGURE 6.15: The Path Analyzer Pro Statistics window (columns: Source, Target, Protocol, Distance, Avg Latency, Trace Began, Trace Ended, Filters)

Maximum TTL: The maximum Time to Live (TTL) is the maximum number of hops to probe in an attempt to reach the target. The default number of hops is set to 30. The Maximum TTL that can be used is 255.

19. Now Export the report by clicking Export on the toolbar.
FIGURE 6.16: The Path Analyzer Pro Save Report As window
20. By default, the report will be saved at D:\Program Files (x86)\Path Analyzer Pro 2.7. However, you may change it to your preferred location.
FIGURE 6.17: The Path Analyzer Pro Save Report As window

The Initial Sequence Number is set as a counting mechanism within the packet between the source and the target. It is set to Random as the default, but you can choose another starting number by unchecking the Random button and filling in another number. Please Note: The Initial Sequence Number applies only to TCP connections.
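The per-hop figures the Report tab lists (% loss, minimum, average and maximum latency, standard deviation) can be reproduced from raw probe results. This added example, which is not part of the lab manual or of Path Analyzer Pro, parses constructed output in the layout of `traceroute -n`; the function names are hypothetical, and using the population standard deviation is an assumption about how the tool computes StdDev.

```python
import ipaddress
import statistics

# Constructed sample in the layout of `traceroute -n` output: three probes per
# TTL, "*" for a probe with no reply. Addresses are documentation ranges.
CONSTRUCTED_TRACE = """\
 1  * * *
 2  * * *
 3  192.0.2.1  3.96 ms  4.30 ms  5.10 ms
 4  198.51.100.7  24.1 ms  *  26.3 ms
 5  * * *
 6  203.0.113.9  251.8 ms  260.6 ms  275.1 ms
"""


def parse_trace(text):
    """Return {ttl: {"addrs": [...], "rtts": [float or None, ...]}}."""
    hops = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header or blank line
        addrs, rtts = [], []
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "*":
                rtts.append(None)  # probe sent, no reply received
            elif i + 1 < len(tokens) and tokens[i + 1] == "ms":
                try:
                    rtts.append(float(tok))
                except ValueError:
                    pass  # unparseable time value, ignore it
                i += 1  # skip the "ms" unit
            else:
                try:
                    ipaddress.ip_address(tok)
                    if tok not in addrs:
                        addrs.append(tok)
                except ValueError:
                    pass  # annotation or other non-address token
            i += 1
        hops[int(tokens[0])] = {"addrs": addrs, "rtts": rtts}
    return hops


def hop_stats(rtts):
    """Loss percentage plus min/avg/max/stddev (ms) over the replies."""
    replies = [r for r in rtts if r is not None]
    sent = len(rtts)
    stats = {"sent": sent,
             "loss_pct": 100.0 * (sent - len(replies)) / sent if sent else 0.0}
    if replies:
        stats.update(min=min(replies), avg=sum(replies) / len(replies),
                     max=max(replies), stddev=statistics.pstdev(replies))
    return stats


def silent_ranges(hops):
    """Group consecutive TTLs that returned no reply into (first, last)."""
    ranges = []
    for ttl in sorted(hops):
        if any(r is not None for r in hops[ttl]["rtts"]):
            continue
        if ranges and ranges[-1][1] == ttl - 1:
            ranges[-1] = (ranges[-1][0], ttl)
        else:
            ranges.append((ttl, ttl))
    return ranges


def largest_latency_jump(hops):
    """Return (ttl, rise_ms): biggest rise in average latency between
    consecutive responding hops, or None with fewer than two such hops."""
    best, prev_avg = None, None
    for ttl in sorted(hops):
        stats = hop_stats(hops[ttl]["rtts"])
        if "avg" not in stats:
            continue
        if prev_avg is not None:
            rise = stats["avg"] - prev_avg
            if best is None or rise > best[1]:
                best = (ttl, rise)
        prev_avg = stats["avg"]
    return best


if __name__ == "__main__":
    hops = parse_trace(CONSTRUCTED_TRACE)
    for first, last in silent_ranges(hops):
        print(f"No reply packets received from TTL {first} to {last}")
    for ttl in sorted(hops):
        print(ttl, hops[ttl]["addrs"], hop_stats(hops[ttl]["rtts"]))
    print("largest jump:", largest_latency_jump(hops))
```

A latency rise that shows up at one hop but not at the hops after it usually reflects that router deprioritizing its replies to probes, not a slow path.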


Lab Analysis
Document the IP addresses that are traced for the lab for further information.
Tool/Utility: Path Analyzer Pro
Information Collected/Objectives Achieved:
Report: Number of hops, IP address, Hostname, ASN, Network name, Latency
Synopsis: Displays summary of valuable information on DNS, Routing, Registries, Intercept
Charts: Trace results in the form of chart
Geo: Geographical view of the path traced
Stats: Statistics of the trace

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. What is the standard deviation measurement, and why is it important?
2. If your trace fails on the first or second hop, what could be the problem?
3. Depending on your TCP tracing options, why can't you get beyond my local network?

Internet Connection Required: [x] Yes  [ ] No
Platform Supported: [x] Classroom  [ ] iLabs


Tracing an Email Using the eMailTrackerPro Tool
eMailTrackerPro is a tool that analyzes email headers to disclose the original sender's location.

Lab Scenario
In the previous lab, you gathered information such as number of hops between a host and client, IP address, etc. As you know, data packets often have to go through routers or firewalls, and a hop occurs each time packets are passed to the next router. The number of hops determines the distance between the source and destination host. An attacker will analyze the hops for the firewall and determine the protection layers to hack into an organization or a client. Attackers will definitely try to hide their true identity and location while intruding into an organization or a client by gaining illegal access to other users' computers to accomplish their tasks. If an attacker uses emails as a means of attack, it is very essential for a penetration tester to be familiar with email headers and their related details to be able to track and prevent such attacks within an organization. In this lab, you will learn to trace email using the eMailTrackerPro tool.

Lab Objectives
The objective of this lab is to demonstrate email tracing using eMailTrackerPro. Students will learn how to:
Trace an email to its true geographical source
Collect Network (ISP) and domain Whois information for any email traced

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Environment
In the lab, you need the eMailTrackerPro tool.
eMailTrackerPro is located at D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance\Email Tracking Tools\eMailTrackerPro


You can also download the latest version of eMailTrackerPro from the link http://www.emailtrackerpro.com/download.html
If you decide to download the latest version, then screenshots shown in the lab might differ
Follow the wizard-driven installation steps and install the tool
This tool installs Java runtime as a part of the installation
Run this tool in Windows Server 2012
Administrative privileges are required to run this tool
This lab requires a valid email account (Hotmail, Gmail, Yahoo, etc.). We suggest you sign up with any of these services to obtain a new email account for this lab
Please do not use your real email accounts and passwords in these exercises

Lab Duration
Time: 10 Minutes

Overview of eMailTrackerPro
Email tracking is a method to monitor or spy on email delivered to the intended recipient:
When an email message was received and read
If destructive email is sent
The GPS location and map of the recipient
The time spent reading the email
Whether or not the recipient visited any links sent in the email
PDFs and other types of attachments
If messages are set to expire after a specified time

eMailTrackerPro helps identify the true source of emails to help track suspects, verify the sender of a message, trace and report email abusers.

Lab Tasks
TASK 1
Trace an Email

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop


FIGURE 7.1: Windows Server 2012 Desktop view

2. On the Start menu, click eMailTrackerPro to launch the application eMailTrackerPro

eMailTrackerPro Advanced Edition includes an online mail checker which allows you to view all your emails on the server before delivery to your computer.

FIGURE 7.2: Windows Server 2012 Apps

3. Click OK if the Edition Selection pop-up window appears

4. Now you are ready to start tracing email headers with eMailTrackerPro

5. Click the Trace an email option to start the trace



This tool also uncovers common SPAM tactics.

FIGURE 7.3: The eMailTrackerPro Main window

6. Clicking Trace an email will direct you to the eMailTrackerPro by Visualware window

7. Select Trace an email I have received. Now, copy the email header from the email you wish to trace and paste it in Email headers field under Enter Details and click Trace

Text of the eMailTrackerPro by Visualware window shown in the screenshot:

Trace an email I have received: A received email message often contains information that can locate the computer where the message was composed, the company name and sender's ISP.

Look up network responsible for an email address: An email address lookup will find information about the network responsible for mail sent from that address. It will not get any information about the sender of mail from an address but can still produce useful information.

Enter Details: To proceed, paste the email headers in the box below. Note: If you are using Microsoft Outlook, you can trace an email message directly from Outlook by using the eMailTrackerPro shortcut on the toolbar.

Email headers:
Return-Path: <rinimatthews@gmail.com>
Received: from WINMSSELCK4K41 ([202.53.11.130]) by mx.google.com with
 id wi63ml5681298pbc.35.2012.07.25.21.14.41 (version=TLSv1/SSLv3
 cipher=OTHER); Wed, 25 Jul 2012 21:14:42 -0700 (PDT)
Message-ID: <5010c432.86f1440a.39bc.331c@mx.google.com>
Date: Wed, 25 Jul 2012 21:14:42 -0700 (PDT)
From: Microsoft Outlook <rinimatthews@gmail.com>

The filter system in eMailTrackerPro allows you to create custom filters to match your incoming mail.

FIGURE 7.4: The eMailTrackerPro by Visualware Window


TASK 2
Finding Email Header

Note: In Outlook, find the email header by following these steps:
Double-click the email to open it in a new window
Click the small arrow in the lower-right corner of the Tags toolbar box to open Message Options information
Under Internet headers, you will find the Email header, as displayed in the screenshot

The abuse report option from the My Trace Reports window automatically launches a browser window with the abuse report included.

FIGURE 7.5: Finding Email Header in Outlook 2010

8. Clicking the Trace button will direct you to the Trace report window

9. The email location is traced in a GUI world map. The location and IP addresses may vary. You can also view the summary by selecting Email Summary section on the right side of the window

10. The Table section right below the Map shows the entire Hop in the route with the IP and suspected locations for each hop

11. IP address might be different than the one shown in the screenshot

Each email message includes an Internet header with valuable information. eMailTrackerPro analyzes the message header and reports the IP address of the computer where the message originated, its estimated location, the individual or organization the IP address is registered to, the network provider, and additional information as available.

FIGURE 7.6: eMailTrackerPro Email Trace Report
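The header analysis this lab hands to eMailTrackerPro can also be done by hand when triaging a reported message. The following is an added example, not code from the lab manual or from Visualware: it walks the Received: chain of a constructed message and separates the address a trusted relay recorded from the address the sender merely claims. The sample headers, the relay name mx.recipient.example and the five-minute skew tolerance are assumptions.

```python
import ipaddress
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: documentation and private addresses only, not the lab's email.
SAMPLE_HEADERS = """\
Return-Path: <sender@example.org>
Received: from mx.example.net (mx.example.net [198.51.100.25])
    by mx.recipient.example with ESMTPS id c3;
    Wed, 25 Jul 2012 21:14:45 -0700 (PDT)
Received: from relay.example.org (relay.example.org [203.0.113.7])
    by mx.example.net with ESMTP id b2;
    Wed, 25 Jul 2012 21:14:43 -0700 (PDT)
Received: from WORKSTATION1 ([192.168.1.20])
    by relay.example.org with ESMTPSA id a1;
    Wed, 25 Jul 2012 21:14:42 -0700 (PDT)
Message-ID: <constructed-0001@example.org>
Date: Wed, 25 Jul 2012 21:14:42 -0700 (PDT)
From: Sender <sender@example.org>
Subject: constructed sample

body
"""

# Ranges that never identify a host on the public Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
MAX_SKEW = timedelta(minutes=5)   # assumed tolerance for unsynchronised relay clocks
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_received(value):
    """Split one Received: value into HELO name, bracketed IP, 'by' host, timestamp."""
    flat = " ".join(value.split())                      # undo header folding
    clauses, stamp = flat.rsplit(";", 1) if ";" in flat else (flat, "")
    helo, by, ip_m = FROM_RE.search(clauses), BY_RE.search(clauses), IP_RE.search(clauses)
    try:
        ip = ipaddress.ip_address(ip_m.group(1)) if ip_m else None
    except ValueError:
        ip = None
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        when = None
    return {"helo": helo.group(1) if helo else None, "ip": ip,
            "by": by.group(1) if by else None, "when": when}


def trace(raw_headers, trusted_relays=()):
    """Return hops in origin-first order plus the addresses an analyst would report."""
    msg = message_from_string(raw_headers)
    # Every relay prepends its own Received: line, so the newest is first in the message.
    newest_first = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = list(reversed(newest_first))

    # Lines written by relays we operate are trustworthy; everything older than the
    # last of them was supplied by the sending side and may be forged.
    trusted = {name.lower() for name in trusted_relays}
    verified_peer = None
    for hop in newest_first:
        if hop["by"] and hop["by"].lower() in trusted:
            verified_peer = hop["ip"]
        else:
            break

    # Claimed origin: first routable address counting from the sender's end.
    claimed_origin = next(
        (h["ip"] for h in hops if h["ip"] and not is_internal(h["ip"])), None)

    # A hop stamped well before the hop it follows is an abnormality worth flagging.
    warnings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1]["when"], hops[i]["when"]
        if prev and cur and cur + MAX_SKEW < prev:
            warnings.append(f"hop {i + 1} is stamped before hop {i}")
    return {"hops": hops, "verified_peer": verified_peer,
            "claimed_origin": claimed_origin, "warnings": warnings}


if __name__ == "__main__":
    result = trace(SAMPLE_HEADERS, trusted_relays={"mx.recipient.example"})
    for n, hop in enumerate(result["hops"], 1):
        print(n, hop["helo"], hop["ip"], "->", hop["by"], hop["when"])
    print("verified peer :", result["verified_peer"])
    print("claimed origin:", result["claimed_origin"])
    print("warnings      :", result["warnings"])
```

Only the address recorded by a relay you operate (verified_peer) is reliable; older Received: lines are written by the sending side and can be forged.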


TASK 3
Trace Reports

12. You can view the complete trace report on My Trace Reports tab

Tracking an email is useful for identifying the company and network providing service for the address.

FIGURE 7.7: The eMailTrackerPro - My Trace Reports tab

Lab Analysis
Document all the live emails discovered during the lab with all additional information.

eMailTrackerPro can detect abnormalities in the email header and warn you that the email may be spam.

Tool/Utility: eMailTrackerPro

Information Collected/Objectives Achieved:
Map: Location of traced email in GUI map
Table: Hop in the route with IP
Email Summary: Summary of the traced email
  From & To email address
  Date
  Subject
  Location
Trace Information:
  Subject
  Sender IP
  Location


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. What is the difference between tracing an email address and tracing an email message?
2. What are email Internet headers?
3. What does "unknown" mean in the route table of the identification report?
4. Does eMailTrackerPro work with email messages that have been forwarded?
5. Evaluate whether an email message can be traced regardless of when it was sent.

Internet Connection Required: [x] Yes  [ ] No
Platform Supported: [x] Classroom  [ ] iLabs


Collecting Information about a Target Website Using Firebug
Firebug integrates with Firefox, providing a lot of development tools allowing you to edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

Lab Scenario
As you all know, email is one of the important tools that has been created. Unfortunately, attackers have misused emails to send spam to communicate in secret and hide themselves behind the spam emails, while attempting to undermine business dealings. In such instances, it becomes necessary for penetration testers to trace an email to find the source of email especially where a crime has been committed using email. You have already learned in the previous lab how to find the location by tracing an email using eMailTrackerPro to provide such information as city, state, country, etc. from where the email was actually sent.

The majority of penetration testers use the Mozilla Firefox as a web browser for their pentest activities. In this lab, you will learn to use Firebug for a web application penetration test and gather complete information. Firebug can prove to be a useful debugging tool that can help you track rogue JavaScript code on servers.

Lab Objectives
The objective of this lab is to help students learn editing, debugging, and monitoring CSS, HTML, and JavaScript in any websites.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Environment
In the lab, you need:
A web browser with an Internet connection
Administrative privileges to run tools
This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

Lab Duration
Time: 10 Minutes

Overview of Firebug
Firebug is an add-on tool for Mozilla Firefox. Running Firebug displays information such as directory structure, internal URLs, cookies, session IDs, etc.

Lab Tasks
1. To launch the Start menu, hover the mouse cursor in the lower-left corner of the desktop

Firebug includes a lot of features such as debugging, HTML inspecting, profiling and etc. which are very useful for web development.

FIGURE 8.1: Windows Server 2012 Desktop view

2. On the Start menu, click Mozilla Firefox to launch the browser

Firebug features:
JavaScript debugging
JavaScript CommandLine
Monitor the JavaScript Performance and XmlHttpRequest
Logging
Tracing
Inspect HTML and Edit HTML
Edit CSS

FIGURE 8.2: Windows Server 2012 Apps

TASK
Installing Firebug

3. Type the URL https://getfirebug.com in the Firefox browser and click Install Firebug

FIGURE 8.3: Windows Server 2012 - Apps

Clicking Install Firebug will redirect to the Download Firebug page

4. Click the Download link to install Firebug

Firebug inspects HTML and modify style and layout in real-time

FIGURE 8.4: Windows Server 2012 Apps

5. On the Add-Ons page, click the button Add to Firefox to initiate the Add-On installation

Firebug adds several configuration options to Firefox. Some of these options can be changed through the UI, others can be manipulated only via about:config.

FIGURE 8.5: Windows Server 2012 Apps


6. Click the Install Now button in the Software Installation window

panelTabMinWidth describes minimal width in pixels of the Panel tabs inside the Panel Bar when there is not enough horizontal space.

FIGURE 8.6: Windows Server 2012 Apps

7. Once the Firebug Add-On is installed, it will appear as a grey colored bug on the Navigation Toolbar as highlighted in the following screenshot

showFirstRunPage specifies whether to show the first run page.

FIGURE 8.7: Windows Server 2012 Apps

8. Click the Firebug icon to view the Firebug pane.

9. Click the Enable link to view the detailed information for Console panel. Perform the same for the Script, Net, and Cookies panels

The console panel offers a JavaScript command line, lists all kinds of messages and offers a profiler for JavaScript commands.


10. Enabling the Console panel displays all the requests by the page. The one highlighted in the screenshot is the Headers tab

11. In this lab, we have demonstrated http://www.microsoft.com

12. The Headers tab displays the Response Headers and Request Headers by the website

The CSS panel manipulates CSS rules. It offers options for adding, editing and removing CSS styles of the different files of a page containing CSS. It also offers an editing mode, in which you can edit the content of the CSS files directly via a text area.

FIGURE 8.9: Windows Server 2012 Apps

13. Similarly, the rest of the tabs in the Console panel like Params, Response, HTML, and Cookies hold important information about the website

14. The HTML panel displays information such as source code, internal URLs of the website, etc.

The HTML panel displays the generated HTML/XML of the currently opened page. It differs from the normal source code view, because it also displays all manipulations on the DOM tree. On the right side it shows the CSS styles defined for the currently selected tag, the computed styles for it, layout information and the DOM variables assigned to it in different tabs.

FIGURE 8.10: Windows Server 2012 Apps

15. The Net panel shows the Request start and Request phases start and elapsed time relative to the Request start by hovering the mouse cursor on the Timeline graph for a request

Net Panel's purpose is to monitor HTTP traffic initiated by a web page and present all collected and computed information to the user. Its content is composed of a list of entries where each entry represents one request/response round trip made by the page.

FIGURE 8.11: Windows Server 2012 Apps

16. Expand a request in the Net panel to get detailed information on Params, Headers, Response, Cached, and Cookies. The screenshot that follows shows the Cache information

Script panel debugs JavaScript code. Therefore the script panel integrates a powerful debugging tool based on features like different kinds of breakpoints, step-by-step execution of scripts, a display for the variable stack, watch expressions and more.

FIGURE 8.12: Windows Server 2012 Apps

17. Expand a request in the Cookies panel to get information on a cookie Value, Raw data, JSON, etc.

Export cookies for this site - exports all cookies of the current website as text file. Therefore the Save as dialog is opened allowing you to select the path and choose a name for the exported file.

FIGURE 8.13: Windows Server 2012 Apps


Note: You can find information related to the CSS, Script, and DOM panel on the respective tabs.

Lab Analysis
Collect information such as internal URLs, cookie details, directory structure, session IDs, etc. for different websites using Firebug.

Tool/Utility: Firebug

Information Collected/Objectives Achieved:
Server on which the website is hosted: Microsoft IIS/7.5
Development Framework: ASP.NET
HTML Source Code using JavaScript, jQuery, Ajax
Other Website Information:
  Internal URLs
  Cookie details
  Directory structure
  Session IDs
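Everything recorded in this table comes from response headers and cookies that any visitor can read in the Headers and Cookies panels, so a site owner can run the same check against their own responses. The following is an added example, not code from the lab manual or from Firebug: it lists the stack banners and the cookies that lack protective attributes in a constructed response. The sample headers, the version number, the cookie names and the session-name heuristic are assumptions.

```python
import re

# Constructed response headers. The banner values mirror the Lab Analysis table
# (IIS 7.5, ASP.NET); the version number and every cookie are made up.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=constructed0001; path=/; HttpOnly
Set-Cookie: lang=en-US; path=/; expires=Wed, 25-Jul-2035 21:14:42 GMT
Set-Cookie: auth=constructed0002; path=/; Secure; HttpOnly; SameSite=Lax
"""

# Headers that advertise the server stack to anyone who opens the Headers tab.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Assumed heuristic for cookies that carry a session or login token.
SESSION_HINT = re.compile(r"sess|auth|token", re.I)
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


def parse_headers(raw):
    """Return (name, value) pairs in order, keeping repeated headers such as Set-Cookie."""
    pairs = []
    for line in raw.splitlines()[1:]:            # first line is the status line
        if not line.strip():
            break                                # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Split one Set-Cookie value into the cookie name and a dict of its attributes."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0], attrs


def audit(raw):
    """List banner disclosures and cookies that lack protective attributes."""
    findings = []
    for name, value in parse_headers(raw):
        if name in BANNER_HEADERS:
            findings.append({"type": "banner", "name": name, "value": value,
                             "discloses_version": bool(re.search(r"\d", value))})
        elif name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            missing = [flag for flag in COOKIE_FLAGS if flag.lower() not in attrs]
            if missing:
                findings.append({"type": "cookie", "name": cookie, "missing": missing,
                                 "session_like": bool(SESSION_HINT.search(cookie))})
    return findings


def report(findings):
    """Render findings as text lines, session-like cookies first."""
    ordered = sorted(findings, key=lambda f: not f.get("session_like", False))
    lines = []
    for f in ordered:
        if f["type"] == "cookie":
            kind = "session cookie" if f["session_like"] else "cookie"
            lines.append(f"{kind} {f['name']}: missing {', '.join(f['missing'])}")
        else:
            extra = " (includes version)" if f["discloses_version"] else ""
            lines.append(f"banner {f['name']}: {f['value']}{extra}")
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_RESPONSE)):
        print(line)
```

A session cookie without Secure can travel over plain HTTP, and one without HttpOnly is readable by any script running in the page; removing the version banners takes the stack details out of every response.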

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Determine the Firebug error message that indicates a problem.
2. After editing pages within Firebug, how can you output all the changes that you have made to a site's CSS?
3. In the Firebug DOM panel, what do the different colors of the variables mean?
4. What does the different color line indicate in the Timeline request in the Net panel?

Internet Connection Required: [x] Yes  [ ] No
Platform Supported: [x] Classroom  [ ] iLabs

Ethical Hacking and Countenneasures Copyright by EC-Council


All Rights Reserved. Reproduction is Stricdy Prohibited.

Module 02 - Footprinting and Reconnaissance

Mirroring Websites Using the HTTrack Web Site Copier Tool
HTTrack Web Site Copier is an Offline browser utility that allows you to download a World Wide Web site through the Internet to your local directory.

Lab Scenario

Website servers set cookies to help authenticate the user if the user logs in to a secure area of the website. Login information is stored in a cookie so the user can enter and leave the website without having to re-enter the same authentication information over and over.

You have learned in the previous lab to extract information from a web application using Firebug. As cookies are transmitted back and forth between a browser and website, if an attacker or unauthorized person gets in between the data transmission, the sensitive cookie information can be intercepted. An attacker can also use Firebug to see what JavaScript was downloaded and evaluated. Attackers can modify a request before it's sent to the server using Tamper data. If they discover any SQL or cookie vulnerabilities, attackers can perform a SQL injection attack and can tamper with cookie details of a request before it's sent to the server. Attackers can use such vulnerabilities to trick browsers into sending sensitive information over insecure channels. The attackers then siphon off the sensitive data for unauthorized access purposes.

Therefore, as a penetration tester, you should have an updated antivirus protection program to attain Internet security.

In this lab, you will learn to mirror a website using the HTTrack Web Site Copier Tool and as a penetration tester you can prevent D-DoS attack.

Lab Objectives
The objective of this lab is to help students learn how to mirror websites.

Lab Environment
To carry out the lab, you need:

Web Data Extractor located at D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance\Website Mirroring Tools\HTTrack Website Copier

You can also download the latest version of HTTrack Web Site Copier from the link http://www.httrack.com/page/2/en/index.html

If you decide to download the latest version, then screenshots shown in the lab might differ

Follow the Wizard driven installation process

This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

To run this tool Administrative privileges are required

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Duration
Time: 10 Minutes

Overview of Web Site Mirroring


Web mirroring allows you to download a website to a local directory, building recursively all directories, HTML, images, flash, videos, and other files from the server to your computer.

WinHTTrack arranges the original site's relative link-structure.
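How a recursive mirror of this kind looks from the server side, as an added example that is not part of the lab manual: the script parses IIS W3C extended log lines and flags clients whose user agent names HTTrack or that request an unusually broad set of distinct paths within a short window. The log lines, IP addresses, thresholds and function names are constructed for illustration; the user-agent check assumes the tool's default identification string, which the Browser ID tab can change, so the breadth check is kept separate from it.

```python
"""Flag clients whose requests look like a recursive site mirror in IIS W3C logs."""
from collections import defaultdict
from datetime import datetime, timedelta

HEADER = ("#Software: Microsoft Internet Information Services 7.5\n"
          "#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status\n")


def constructed_log():
    """Build a small constructed log (documentation IP ranges, not real traffic)."""
    def line(sec, path, ip, agent):
        stamp = datetime(2012, 12, 1, 10, 0, 0) + timedelta(seconds=sec)
        return f"{stamp:%Y-%m-%d %H:%M:%S} GET {path} {ip} {agent} 200"

    httrack = "Mozilla/4.5+(compatible;+HTTrack+3.0x;+Windows+98)"
    browser = "Mozilla/5.0+(Windows+NT+6.1;+rv:17.0)+Gecko/20100101+Firefox/17.0"
    rows = []
    # Client A: mirror with the default user agent, 10 distinct paths in 10 s.
    rows += [line(i, f"/Recipes/page{i}.html", "198.51.100.7", httrack) for i in range(10)]
    # Client B: same crawl pattern, but the user agent was set to a browser string.
    rows += [line(2 * i, f"/images/img{i}.gif", "203.0.113.20", browser) for i in range(9)]
    # Client C: a person browsing, 4 pages spread over 6 minutes.
    rows += [line(120 * i, f"/menu{i}.html", "192.0.2.33", browser) for i in range(4)]
    # Client D: many hits on one path (page refreshes), which is volume, not breadth.
    rows += [line(i, "/index.html", "192.0.2.44", browser) for i in range(12)]
    return HEADER + "\n".join(rows) + "\n"


def parse_w3c(text):
    """Parse W3C extended log text, honouring the most recent #Fields directive."""
    fields, records = [], []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        values = raw.split()
        if len(values) != len(fields) or "date" not in fields or "time" not in fields:
            continue  # malformed or truncated line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def detect_mirroring(records, window=timedelta(seconds=60), min_paths=8):
    """Return {client_ip: sorted reasons} for clients that look like a mirroring run."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec.get("c-ip", "-")].append(rec)

    findings = {}
    for ip, recs in by_client.items():
        reasons = set()
        if any("httrack" in r.get("cs(User-Agent)", "").lower() for r in recs):
            reasons.add("user-agent")
        # Sliding window: count distinct paths requested within `window`.
        recs.sort(key=lambda r: r["when"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["when"] - recs[start]["when"] > window:
                start += 1
            distinct = {r.get("cs-uri-stem") for r in recs[start:end + 1]}
            if len(distinct) >= min_paths:
                reasons.add("breadth")
                break
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for client, why in sorted(detect_mirroring(parse_w3c(constructed_log())).items()):
        print(client, ", ".join(why))
```

Tune `window` and `min_paths` against your own baseline traffic; search-engine crawlers will also trip the breadth check and need an allow list.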

Lab Tasks
1. To launch the Start menu, hover the mouse cursor in the lower-left corner of the desktop

FIGURE 9.1: Windows Server 2012 Desktop view

2. In the Start metro apps, click WinHTTrack to launch the application WinHTTrack

WinHTTrack works as a command-line program or through a shell for both private (capture) and professional (on-line web mirror) use.

FIGURE 9.2: Windows Server 2012 Apps

TASK: Mirroring a Website

3. In the WinHTTrack main window, click Next to create a New Project

Quickly updates downloaded sites and resumes interrupted downloads (due to connection break, crash, etc.)

FIGURE 9.3: HTTrack Website Copier Main Window

4. Enter the project name in the Project name field. Select the Base path to store the copied files. Click Next

Wizard to specify which links must be loaded (accept/refuse: link, all domain, all directory)

FIGURE 9.4: HTTrack Website Copier selecting a New Project

5. Enter www.certifiedhacker.com under Web Addresses: (URL) and then click the Set options button

Timeout and minimum transfer rate manager to abandon slowest sites

FIGURE 9.5: HTTrack Website Copier Select a project a name to organize your download

Downloading a site can overload it, if you have a fast pipe, or if you capture too many simultaneous cgi (dynamically generated pages)

6. Clicking the Set options button will launch the WinHTTrack window

7. Click the Scan Rules tab and select the check boxes for the file types as shown in the following screenshot and click OK

Scan Rules tab text: Use wildcards to exclude or include URLs or links. You can put several scan strings on the same line. Use spaces as separators. Example: +*.zip -www.*.com -www.*.edu/cgi-bin/*.cgi
Tip: To have ALL GIF files included, use something like +www.someweb.com/*.gif. (+*.gif / -*.gif will include/exclude ALL GIFs from ALL sites)

File names with original structure kept or splitted mode (one html folder, and one image folder), dos 8-3 filenames option and user-defined structure

FIGURE 9.6: HTTrack Website Copier Select a project a name to organize your download

8. Then, click Next

HTML parsing and tag analysis, including javascript code/embedded HTML code

FIGURE 9.7: HTTrack Website Copier Select a project a name to organize your download

9. By default, the radio button will be selected for Please adjust connection parameters if necessary, then press FINISH to launch the mirroring operation

10. Click Finish to start mirroring the website

Proxy support to maximize speed, with optional authentication

The tool has integrated DNS cache and native https and ipv6 support

FIGURE 9.8: HTTrack Website Copier Type or drop and drag one or several Web addresses
11. Site mirroring progress will be displayed as in the following screenshot

HTTrack can also update an existing mirrored site and resume interrupted downloads. HTTrack is fully configurable by options and by filters

Filter by file type, link location, structure depth, file size, site size, accepted or refused sites or filename (with advanced wild cards)

FIGURE 9.9: HTTrack Website Copier displaying site mirroring progress

12. WinHTTrack shows the message Mirroring operation complete once the site mirroring is completed. Click Browse Mirrored Website

Optional log file with error-log and comments-log.

FIGURE 9.10: HTTrack Website Copier displaying site mirroring progress

13. Clicking the Browse Mirrored Website button will launch the mirrored website for www.certifiedhacker.com. The URL indicates that the site is located at the local machine

Note: If the web page does not open for some reasons, navigate to the directory where you have mirrored the website and open index.html with any web browser

Use bandwidth limits, connection limits, size limits and time limits

FIGURE 9.11: HTTrack Website Copier Mirrored Website Image

14. A few websites are very large and will take a long time to mirror the complete site

Do not download too large websites: use filters; try not to download during working hours

15. If you wish to stop the mirroring process prematurely, click Cancel in the Site mirroring progress window

16. The site will work like a live hosted website.

Lab Analysis
Document the mirrored website directories, getting HTML, images, and other files.

Tool/Utility: HTTrack Web Site Copier

Information Collected/Objectives Achieved:

Offline copy of the website www.certifiedhacker.com is created

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
5. How do you retrieve the files that are outside the domain while mirroring a website?

6. How do you download ftp files/sites?

7. Can HTTrack perform form-based authentication?

8. Can HTTrack execute HP-UX or ISO 9660 compatible files?

9. How do you grab an email address in web pages?

Internet Connection Required: [ ] Yes  [x] No

Platform Supported: [x] Classroom  [x] iLabs

Extracting a Company's Data Using Web Data Extractor
Web Data Extractor is used to extract targeted company(s) contact details or data such as emails, fax, phone through web for responsible b2b communication.

Lab Scenario
Attackers continuously look for the easiest method to collect information. There are many tools available with which attackers can extract a company's database. Once they have access to the database, they can gather employees' email addresses and phone numbers, the company's internal URLs, etc. With the information gathered, they can send spam emails to the employees to fill their mailboxes, hack into the company's website, and modify the internal URLs. They may also install malicious viruses to make the database inoperable.

As an expert penetration tester, you should be able to think from an attacker's perspective and try all possible ways to gather information on organizations. You should be able to collect all the confidential information of an organization and implement security features to prevent company data leakage. In this lab, you will learn to use Web Data Extractor to extract a company's data.

Lab Objectives
The objective of this lab is to demonstrate how to extract a company's data using Web Data Extractor. Students will learn how to:

Extract Meta Tag, Email, Phone/Fax from the web pages

Lab Environment

To carry out the lab you need:

Web Data Extractor located at D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance\Additional Footprinting Tools\Web Data Extractor

You can also download the latest version of Web Data Extractor from the link http://www.webextractor.com/download.htm

If you decide to download the latest version, then screenshots shown in the lab might differ

This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance

WDE send queries to search engines to get matching website URLs

Lab Duration
Time: 10 Minutes

Overview of Web Data Extracting


Web data extraction is a type of information retrieval that can extract automatically unstructured or semi-structured web data sources in a structured manner.

WDE will query 18+ popular search engines, extract all matching URLs from search results, remove duplicate URLs and finally visits those websites and extract data from there
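What this kind of extraction yields when pointed at your own pages, as an added example that is not part of the lab manual and is not Web Data Extractor's code: a standard-library audit that turns HTML into structured records of meta tags, e-mail addresses and phone numbers, so each exposed item can be traced to the pages that publish it. The sample pages, the example.com addresses, the 555 numbers, the regular expressions and the function names are constructed for illustration.

```python
"""Audit your own pages for the contact data and meta tags they publish."""
import re
from collections import defaultdict
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Optional country code, then 3-3-4 (up to 6 final digits), separated by space, dot or dash.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,2}[\s.-])?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4,6}(?!\d)")
META_NAMES = {"description", "keywords", "author", "generator"}

# Constructed sample pages (not taken from any real site).
SAMPLE_PAGES = {
    "/index.html": """<html><head><title>Example Corp</title>
<meta name="keywords" content="recipes, menu">
<meta name="generator" content="ExampleCMS 1.2"></head>
<body><a href="mailto:Sales@Example.com?subject=Hi">Contact sales</a>
Call 1-800-555-0199 or fax (800) 555-0123.
Press: &#105;nfo&#64;example.com</body></html>""",
    "/contact.html": """<html><head><title>Contact</title></head>
<body>Write to sales@example.com or support@example.com.
<a href="tel:+1-800-555-0199">Phone</a></body></html>""",
}


class PageAudit(HTMLParser):
    """Collects meta tags, e-mail addresses and phone numbers from one page."""

    def __init__(self):
        # convert_charrefs=True decodes character references, so an address
        # written as &#105;nfo&#64;... still counts as published.
        super().__init__(convert_charrefs=True)
        self.meta, self.emails, self.phones = {}, set(), set()
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and attr.get("name", "").lower() in META_NAMES:
            self.meta[attr["name"].lower()] = attr.get("content", "")
        elif tag == "a":
            href = attr.get("href", "")
            if href.lower().startswith("mailto:"):
                self._scan(href[len("mailto:"):].split("?")[0])
            elif href.lower().startswith("tel:"):
                self.phones.add(re.sub(r"\D", "", href))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.meta["title"] = (self.meta.get("title", "") + data).strip()
        self._scan(data)

    def _scan(self, text):
        # Normalise so the same item found on several pages merges into one entry.
        self.emails.update(m.lower() for m in EMAIL_RE.findall(text))
        self.phones.update(re.sub(r"\D", "", m) for m in PHONE_RE.findall(text))


def audit_pages(pages):
    """Map every published e-mail address and phone number to the pages carrying it."""
    emails, phones, meta = defaultdict(set), defaultdict(set), {}
    for url, html in pages.items():
        parser = PageAudit()
        parser.feed(html)
        parser.close()  # flush text still buffered by the parser
        meta[url] = parser.meta
        for address in parser.emails:
            emails[address].add(url)
        for number in parser.phones:
            phones[number].add(url)
    return {"emails": {k: sorted(v) for k, v in emails.items()},
            "phones": {k: sorted(v) for k, v in phones.items()},
            "meta": meta}


if __name__ == "__main__":
    report = audit_pages(SAMPLE_PAGES)
    for kind in ("emails", "phones"):
        for item, urls in sorted(report[kind].items()):
            print(f"{kind[:-1]:6} {item:22} published on {', '.join(urls)}")
    for url, tags in sorted(report["meta"].items()):
        print("meta  ", url, tags)
```

Feed it the files of a local copy of your own site; a `generator` meta tag in the report means the page also discloses the platform that produced it.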

Lab Tasks
1. To launch the Start menu, hover the mouse cursor in the lower-left corner of the desktop

FIGURE 10.1: Windows 8 Desktop view

TASK: Extracting a Website

2. In the Start menu, click Web Data Extractor to launch the application Web Data Extractor

WDE - Phone, Fax Harvester module is designed to spider the web for fresh Tel, FAX numbers targeted to the group that you want to market your product or services to

FIGURE 10.2: Windows 8 Apps

3. Web Data Extractor's main window appears. Click New to start a new session

It has various limiters of scanning range - url filter, page text filter, domain filter - using which you can extract only the links or data you actually need from web pages, instead of extracting all the links present there, as a result, you create your own custom and targeted data base of urls/links collection

FIGURE 10.3: The Web Data Extractor main window

4. Clicking New opens the Session settings window.

5. Type a URL (www.certifiedhacker.com) in the Starting URL field. Select the check boxes for all the options as shown in the screenshot and click OK

Web Data Extractor automatically get lists of meta-tags, e-mails, phone and fax numbers, etc. and store them in different formats for future use

Fixed "Stay with full url" and "Follow offsite links" options which failed for some sites before

FIGURE 10.4: Web Data Extractor the Session setting window

6. Click Start to initiate the data extraction

It supports operation through proxy-server and works very fast, as it is able of loading several pages simultaneously, and requires very few resources. Powerful, highly targeted email spider harvester

FIGURE 10.5: Web Data Extractor initiating the data extraction windows

7. Web Data Extractor will start collecting the information (emails, phones, faxes, etc.). Once the data extraction process is completed, an Information dialog box appears. Click OK

Screenshot summary: Meta tags (64), Emails (6), Phones (29), Faxes (27), Urls (638); URL processed 74; Site processed: 1/1; Time: 2:57 min; Traffic received 626.09 Kb. Information dialog: Web Data Extractor has finished the session. You can check extracted data using the correspondent pages.

Meta Tag Extractor module is designed to extract URL, meta tag (title, description, keyword) from web-pages, search results, open web directories, list of urls from local file

FIGURE 10.6: Web Data Extractor Data Extraction windows

8. The extracted information can be viewed by clicking the tabs

FIGURE 10.7: Web Data Extractor Data Extraction windows

9. Select the Meta tags tab to view the URL, Title, Keywords, Description, Host, Domain, and Page size information

If you want WDE to stay within first page, just select "Process First Page Only". A setting of "0" will process and look for data in whole website. A setting of "1" will process index or home page with associated files under root dir only.

FIGURE 10.8: Web Data Extractor Extracted emails windows

10. Select Emails tab to view the Email, Name, URL, Title, Host, Keywords density, etc. information related to emails

WDE send queries to search engines to get matching website URLs. Next it visits those matching websites for data extraction. How many deep it spiders in the matching websites depends on "Depth" setting of "External Site" tab

FIGURE 10.9: Web Data Extractor Extracted Phone details window

11. Select the Phones tab to view the information related to phone like Phone number, Source, Tag, etc.

FIGURE 10.10: Web Data Extractor Extracted Phone details window

12. Similarly, check for the information under Faxes, Merged list, Urls (638), Inactive sites tabs
13. To save the session, go to File and click Save session


Saves extracted links directly to a disk file, so there is no limit on the number of links extracted per session. It supports operation through a proxy server and works very fast, as it is able to load several pages simultaneously, and it requires very few resources.

FIGURE 10.11: Web Data Extractor Extracted Phone details window

14. Specify the session name in the Save session dialog box and click OK

FIGURE 10.12: Web Data Extractor Extracted Phone details window

15. By default, the session will be saved at D:\Users\admin\Documents\WebExtractor\Data


Lab Analysis
Document all the Meta Tags, Emails, and Phone/Fax.

Tool/Utility: Web Data Extractor

Information Collected/Objectives Achieved:
Meta tags Information: URL, Title, Keywords, Description, Host, Domain, Page size, etc.
Email Information: Email Address, Name, URL, Title, Host, Keywords density, etc.
Phone Information: Phone numbers, Source, Tag, etc.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. What does Web Data Extractor do?
2. How would you resume an interrupted session in Web Data Extractor?
3. Can you collect all the contact details of an organization?
Internet Connection Required
Yes

0 No

Platform Supported
0 Classroom


0 iLabs


Identifying Vulnerabilities and Information Disclosures in Search Engines using Search Diggity

Search Diggity is the primary attack tool of the Google Hacking Diggity Project. It is an MS Windows GUI application that serves as a front-end to the latest versions of Diggity tools: GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYardDiggity.
Lab Scenario
An easy way to find vulnerabilities in websites and applications is to Google them, which is a simple method adopted by attackers. Using a Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. As an expert ethical hacker, you should use the same method to identify all the vulnerabilities and patch them before an attacker identifies them to exploit vulnerabilities.

Lab Objectives
The objective of this lab is to demonstrate how to identify vulnerabilities and information disclosures in search engines using Search Diggity. Students will learn how to:

Extract Meta Tag, Email, Phone/Fax from the web pages

Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 02 Footprinting and Reconnaissance

Lab Environment
To carry out the lab, you need:

Search Diggity is located at D:\CEH-Tools\CEHv8 Module 02 Footprinting and Reconnaissance\Google Hacking Tools\SearchDiggity

You can also download the latest version of Search Diggity from the link http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools

If you decide to download the latest version, then screenshots shown in the lab might differ

This lab will work in the CEH lab environment - on Windows Server 2012, Windows 8, Windows Server 2008, and Windows 7

Lab Duration
Time: 10 Minutes

Overview of Search Diggity
Search Diggity has a predefined query database that runs against the website to scan the related queries.

GoogleDiggity is the primary Google hacking tool, utilizing the Google JSON/ATOM Custom Search API to identify vulnerabilities and information disclosures via Google searching.

Lab Tasks
Launch Search Diggity

1. To launch the Start menu, hover the mouse cursor in the lower-left corner of the desktop

FIGURE 11.1: Windows Server 2012 Desktop view

2. In the Start menu, to launch Search Diggity click the Search Diggity

FIGURE 11.2: Windows Server 2012 Start menu

3. The Search Diggity main window appears with Google Diggity as the default

Queries - Select Google dorks (search queries) you wish to use in scan by checking appropriate boxes.

FIGURE 11.3: Search Diggity - Main window

4. Select Sites/Domains/IP Ranges and type the domain name in the domain field. Click Add

Download Button - Select (highlight) one or more results in the results pane, then click this button to download the search result files locally to your computer. By default, downloads to D:\DiggityDownloads\.

FIGURE 11.4: Search Diggity - Selecting Sites/Domains/IP Ranges

5. The added domain name will be listed in the box below the Domain field

Import Button - Import a text file list of domains/IP ranges to scan. Each query will be run against Google with site:yourdomainname.com appended to it.

FIGURE 11.5: Search Diggity - Domain added

Run Query against a website

6. Now, select a Query from left pane you wish to run against the website that you have added in the list and click Scan

Note: In this lab, we have selected the query SWF Finding Generic. Similarly, you can select other queries to run against the added website

When scanning is kicked off, the selected query is run against the complete website.

FIGURE 11.6: Search Diggity - Selecting query and Scanning

Results Pane - As scan runs, results found will begin populating in this window pane.

7. The following screenshot shows the scanning process

Simple - Simple search text box will allow you to run one simple query at a time, instead of using the Queries checkbox dictionaries.

FIGURE 11.7: Search Diggity - Scanning in progress

All the URLs that contain the SWF extensions will be listed and the output will show the query results

Output - General output describing the progress of the scan and parameters used.

FIGURE 11.8: Search Diggity - Output window

Lab Analysis
Collect the different error messages to determine the vulnerabilities and note the information disclosed about the website.

Tool/Utility: Search Diggity

Information Collected/Objectives Achieved:
Many error messages found relating to vulnerabilities
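The lab's scan lists every indexed URL with an SWF extension under the domain appended as site:. A site owner can run the same check from the inside over their own URL inventory before a search engine does. The following is an added example, not Search Diggity code: the URL list is constructed, the function names are hypothetical, and the watch list beyond swf is an assumption.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed URL inventory (for example from a sitemap or crawl of your own site).
SAMPLE_URLS = [
    "http://www.example.com/europe/home.swf",
    "http://example.com/index.html",
    "https://media.example.com/tour/Intro.SWF?lang=en",
    "http://notexample.com/banner.swf",        # look-alike host, out of scope
    "http://example.com.evil.test/a.swf",      # suffix trick, out of scope
    "http://example.com/downloads/site.sql.bak",
]

# Assumed watch list: swf comes from the lab's query, the others are illustrative.
WATCHED_EXTENSIONS = {"swf", "bak", "sql", "log"}


def in_site_scope(url, domain):
    """True if the host is the domain or one of its subdomains, as a site: filter scopes it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def exposed_files(urls, domain, extensions=WATCHED_EXTENSIONS):
    """Group in-scope URLs by watched file extension, ignoring case and query strings."""
    findings = {}
    for url in urls:
        if not in_site_scope(url, domain):
            continue
        ext = posixpath.splitext(urlsplit(url).path)[1].lstrip(".").lower()
        if ext in extensions:
            findings.setdefault(ext, []).append(url)
    return findings
```

Anything returned by `exposed_files(SAMPLE_URLS, "example.com")` is a candidate for removal from the web root or for access control, since it is reachable by the same kind of query the lab runs.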

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
Is it possible to export the output result for Google Diggity? If yes, how?

Internet Connection Required


0 Yes

No

Platform Supported
0 Classroom


!Labs
