# Footprinting and Reconnaissance + Scanning Networks - Part 1

## Footprinting & Reconnaissance

### Brief

The footprinting phase enables attackers to gather information about a target's internal and external security architecture, helping identify vulnerabilities for exploitation. Detailed reconnaissance narrows the attack focus, bringing the attacker closer to the target by analyzing IP ranges, domain details, and other critical data.

### Objective

The major objectives of Footprinting are:

1. To know security posture
2. To reduce focus area
3. Identify vulnerabilities
4. Draw network map

### Methodology

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FGjFQpTnvvn7xrThKSNyH%2Fimage.png?alt=media&#x26;token=f7d6d709-5b91-48c4-b798-8333fc7c2780" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

#### Footprinting through Search Engines

{% hint style="success" %}
A fundamental and highly effective method of footprinting is using search engines. They retrieve publicly available information about a target from the internet, compiling all accessible data related to the searched entity.
{% endhint %}

* **Finding Company’s Public and Restricted Websites**

{% tabs %}
{% tab title="Define" %}
Gathers information from an organization's official website, including public and restricted URLs.
{% endtab %}

{% tab title="Tools" %}

* [netcraft](https://searchdns.netcraft.com/)

* Google

* Bing
  {% endtab %}
  {% endtabs %}

* **Collect Location Information**

{% tabs %}
{% tab title="Define" %}
Obtains local details such as the headquarters' physical location, nearby surroundings, branch office locations, and other relevant data from online maps and location services.
{% endtab %}

{% tab title="Tools" %}

* Google Earth

* Google Maps

* Bing Maps

* Wikimapia

* Yahoo Maps

* Other Map and Location services
  {% endtab %}
  {% endtabs %}

* **People Search Online Services**

{% tabs %}
{% tab title="Define" %}
Several online services are commonly used to find phone numbers, addresses, and personal details.
{% endtab %}

{% tab title="Tools" %}

* [www.privateeye.com](http://www.privateeye.com)

* [www.peoplesearchnow.com](http://www.peoplesearchnow.com)

* [www.publicbackgroundchecks.com](http://www.publicbackgroundchecks.com)

* [www.anywho.com](http://www.anywho.com)

* [www.intelius.com](http://www.intelius.com)

* [www.4111.com](http://www.4111.com)

* [www.peoplefinders.com](http://www.peoplefinders.com)
  {% endtab %}
  {% endtabs %}

* **Gather Information from Financial Services**

{% tabs %}
{% tab title="Define" %}
Various financial services, powered by search engines, provide financial data on internationally recognized organizations.
{% endtab %}

{% tab title="Tools" %}

* [www.google.com/finance](http://www.google.com/finance)

* finance.yahoo.com
  {% endtab %}
  {% endtabs %}

* **Footprinting through Job Sites**

{% tabs %}
{% tab title="Define" %}
Job sites feature company profiles, including location, industry details, contact information, employee count, job postings, and insights into required hardware and software.
{% endtab %}

{% tab title="Tools" %}

* [www.linkedIn.com](http://www.linkedIn.com)

* [www.monster.com](http://www.monster.com)

* [www.indeed.com](http://www.indeed.com)

* [www.careerbuilder.com](http://www.careerbuilder.com)
  {% endtab %}
  {% endtabs %}

* **Monitoring Target Using Alerts**

{% tabs %}
{% tab title="Define" %}
Alert services provide content monitoring with notifications, keeping subscribers updated on their chosen topics.
{% endtab %}

{% tab title="Tools" %}

* Google Alert
  {% endtab %}
  {% endtabs %}

* **Information Gathering Using Groups, Forums, and Blogs**

Groups, forums, blogs, and communities can be valuable sources of sensitive information, as both official and unofficial groups may unintentionally leak data.

#### Footprinting using Advanced Google Hacking Techniques

* Google Advanced Search Operators

{% tabs %}
{% tab title="Define" %}
Advanced search operators help refine searches, making them more precise and focused on specific topics using search engines.
{% endtab %}

{% tab title="Tools" %}

* [Advanced Search](https://www.google.com/advanced_search)
  {% endtab %}
  {% endtabs %}

<table data-full-width="true"><thead><tr><th>Advanced Search  Operators</th><th>Description</th></tr></thead><tbody><tr><td>site : </td><td>Search for the result in the given domain</td></tr><tr><td>related :</td><td>Search for Similar web pages</td></tr><tr><td>cache :</td><td>Display the web pages stored in Cache</td></tr><tr><td>link :</td><td>List the websites having a link to a specific web page</td></tr><tr><td>allintext :</td><td>Search for websites containing a specific keyword</td></tr><tr><td>intext :</td><td>Search for documents containing a specific keyword</td></tr><tr><td>allintitle : </td><td>Search for websites containing a specific keyword in the title</td></tr><tr><td>intitle :</td><td> Search for documents containing a specific keyword in the title</td></tr><tr><td>allinurl : </td><td>Search for websites containing a specific keyword in URL</td></tr><tr><td>inurl : </td><td>Search for documents containing a specific keyword in URL</td></tr></tbody></table>

* Google Hacking Database (GHDB)

{% tabs %}
{% tab title="Define" %}

* Google Hacking, or Google Dorking, uses advanced search techniques to identify security vulnerabilities in an organization's network and systems through Google and related applications, enhancing search efficiency.
* Queries are organized in the Google Hacking Database (GHDB), a categorized collection designed to uncover potentially sensitive or non-public information.
  {% endtab %}

{% tab title="Tools" %}

* [Google Hacking Database (GHDB)](https://www.exploit-db.com/google-hacking-database)
  {% endtab %}
  {% endtabs %}

#### Footprinting through Social Networking Sites

* Social Engineering

Social engineering in information security involves psychological manipulation to extract information from social networks and other platforms, often for fraud, hacking, or gaining proximity to a target.

* Footprinting using Social Engineering on Social Networking Sites

{% tabs %}
{% tab title="Define" %}
Social networking sites are among the most effective sources of information, making it easy to find individuals and access both basic personal details and potentially sensitive data. Advanced features further provide real-time updates.
{% endtab %}

{% tab title="Tools" %}

* Facebook
* Twitter
* LinkedIn
* Instagram
  {% endtab %}
  {% endtabs %}

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FW8mmElTEy2w6Vd6BNWK4%2Fimage.png?alt=media&#x26;token=542f7232-17c9-4577-a26a-0e1b62a222ab" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2Fm6V1kQ4RbBDVtSdFcQLq%2Fimage.png?alt=media&#x26;token=75e8e548-bbae-4453-8806-82e1fdb25745" alt=""><figcaption><p>Mind map</p></figcaption></figure>

#### Website Footprinting

{% hint style="success" %}
Website Footprinting involves analyzing a target organization's official website to gather information on running software, versions, operating systems, subdirectories, databases, scripting details, and other relevant data.
{% endhint %}

This information can be collected using online services like **Netcraft** or tools such as **Burp Suite, ZAP Proxy, Website Informer, and Firebug**.

{% hint style="danger" %}
With these details, an attacker can analyze source code, developer information, file system structure, and scripting.
{% endhint %}

* Determining the Operating System

{% tabs %}
{% tab title="Define" %}
Identifying the operating systems used by a target organization helps gather insights into potential vulnerabilities and attack vectors.
{% endtab %}

{% tab title="Tools" %}

* [Netcraft](https://searchdns.netcraft.com/)

* [FOFA](https://fofa.info/)

* [Shodan](https://www.shodan.io/)
  {% endtab %}
  {% endtabs %}

* Web Spiders or Web Crawlers

Web spiders or crawlers are internet bots that systematically browse the web to collect targeted information, such as names and email addresses from websites.

* Mirroring Entire Website

Website mirroring is the process of downloading and replicating an entire website on a local system for analysis or offline access.

{% hint style="warning" %}
Downloading a website allows an attacker to analyze its structure, directories, and code in an offline environment, helping to identify potential vulnerabilities.
{% endhint %}

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FoJkvWMJMvP3oa3alZBFw%2Fimage.png?alt=media&#x26;token=5a4ad709-426a-45ce-b8bd-0fa82ef1c651" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

* Extract Website Information

[Wayback Machine - Internet Archive](https://web.archive.org/) is an online service that provides archived versions of websites, offering summaries on MIME-type Count, Summary for TLD/HOST/Domain, a sitemap of website and dates, Calendar view, and other historical data.

* Monitoring Web Updates

Tools in this category monitor target websites for updates and automatically detect changes to their content.

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FxvVqPmhQqEdGGJHrnNdG%2Fimage.png?alt=media&#x26;token=a97ffdb2-440d-45e6-8e73-eb8aea5e862d" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

#### Email Footprinting

{% hint style="success" %}
Email is a crucial communication tool for organizations, connecting employees, partners, and competitors. Its content can contain valuable data such as credentials, hardware/software details, network security insights, and financial information, making it a key target for attackers and penetration testers.
{% endhint %}

* Tracking Email from Email Header

{% tabs %}
{% tab title="Define" %}
Tracing an email through its header provides a hop-by-hop analysis, revealing IP addresses, server names, and locations along its route.
{% endtab %}

{% tab title="Information" %}

* Destination address
* Sender's IP address
* Sender's Mail server
* Time & Date information
* Authentication system information of sender's mail server
  {% endtab %}

{% tab title="Tools" %}

* Polite Mail
* Email Tracker Pro
* Email Lookup
* Yesware
* Who Read Me
* Contact Monkey
* Read Notify
* Did They Read It
* Get Notify
* Point of Mail
* Trace Email
* G-Lock Analytics
  {% endtab %}
  {% endtabs %}
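The hop-by-hop analysis described above, as an added example that is not part of the original notes: a small Python parser that walks the `Received:` headers of a constructed sample message from the oldest hop (nearest the sender) to the newest, extracts the relaying host, the relayed-from IP and the timestamp, and checks that the chain is continuous and the clocks are monotonic. The message, hostnames and addresses are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not real mail); hostnames and addresses are
# placeholders from the documentation/example ranges.
SAMPLE_RAW = (
    "Received: from mx-in.example.net (mx-in.example.net [203.0.113.7])\n"
    "\tby mail.example.org with ESMTPS id abc123\n"
    "\tfor <victim@example.org>; Mon, 03 Mar 2025 10:15:42 +0000\n"
    "Received: from smtp.sender.example (smtp.sender.example [198.51.100.23])\n"
    "\tby mx-in.example.net with ESMTP id xyz789;\n"
    "\tMon, 03 Mar 2025 10:15:40 +0000\n"
    "Received: from [192.0.2.55] (unknown [192.0.2.55])\n"
    "\tby smtp.sender.example with ESMTPSA id q1w2e3;\n"
    "\tMon, 03 Mar 2025 10:15:38 +0000\n"
    "From: alice@sender.example\n"
    "To: victim@example.org\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Parse one Received: header into from/by/ip/time fields."""
    # Folded header lines are joined with whitespace; flatten them first.
    flat = re.sub(r"\s+", " ", value).strip()
    from_m = FROM_RE.search(flat)
    by_m = BY_RE.search(flat)
    ip_m = IP_RE.search(flat)
    # The timestamp is conventionally the text after the last ';'.
    date_str = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
    return {
        "from": from_m.group(1) if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "time": parsedate_to_datetime(date_str) if date_str else None,
    }


def trace_hops(raw_message):
    """Return the hops in chronological order (hop 1 is closest to the sender).

    Each relay prepends its own Received: header, so the header list is
    reversed to get the path the message actually took."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    hops = [parse_received(h) for h in reversed(headers)]
    for i, hop in enumerate(hops):
        hop["hop"] = i + 1
        prev = hops[i - 1] if i else None
        if prev and hop["time"] and prev["time"]:
            hop["delay_s"] = (hop["time"] - prev["time"]).total_seconds()
        else:
            hop["delay_s"] = 0.0
        # Continuity: the server that received hop i ("by") should be the
        # one handing the message on in hop i+1 ("from"). A break here often
        # means a forged or stripped header.
        hop["chain_ok"] = prev is None or prev["by"] == hop["from"]
        # Negative delay means a relay's clock is wrong or the header was forged.
        hop["suspicious"] = hop["delay_s"] < 0
    return hops


def origin_ip(hops):
    """The relayed-from IP of the earliest hop, i.e. the apparent sender."""
    return hops[0]["ip"] if hops else None
```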

#### Competitive Intelligence

{% hint style="success" %}
Competitive intelligence gathering involves collecting, analyzing, and compiling data on competitors using non-intrusive methods from various sources.
{% endhint %}

<details>

<summary>Resources</summary>

* Official Websites
* Job Advertisements
* Press releases
* Annual reports
* Product catalogs
* Analysis reports
* Regulatory reports
* Agents, distributors & Suppliers

</details>

* Competitive Intelligence Gathering

These websites collect and provide company reports, including legal news, press releases, financial data, analysis reports, and details on upcoming projects and plans.

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2Fppa8gwgruNj63Owu92st%2Fimage.png?alt=media&#x26;token=514865c2-7a4c-463f-8142-a0ab3b3db9a1" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

By gathering information from these resources, penetration testers and attackers can identify:

{% stepper %}
{% step %}
When did the company begin?
{% endstep %}

{% step %}
Evolution of the company
{% endstep %}

{% step %}
Authority of the company
{% endstep %}

{% step %}
Background of an organization
{% endstep %}

{% step %}
Strategies and planning
{% endstep %}

{% step %}
Financial Statistics
{% endstep %}

{% step %}
Other information
{% endstep %}
{% endstepper %}

* Monitoring Website Traffic of Target Company

Website monitoring tools provide insights into a target website's ranking, global user distribution, visitor statistics, page views, time spent on the site, total backlinks, and other analytical data.

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FYDwX7ZPmv4XDC7YQpPGF%2Fimage.png?alt=media&#x26;token=cda91ed1-83ef-47a0-add2-5623a9e6dd19" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

* Tracking Online Reputation of the Target

These tools help track an organization's reputation, ranking, and online presence while enabling notifications for updates and other relevant insights.

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FTfeTLjn5INLuFTHR36LY%2Fimage.png?alt=media&#x26;token=4179031a-0eb8-4b83-a3c7-77216d041554" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

#### WHOIS Footprinting

* WHOIS Lookup

{% tabs %}
{% tab title="Define" %}
WHOIS provides domain-related information, including ownership details, IP addresses, netblock data, and name servers. A WHOIS lookup helps identify the entity behind a target domain.
{% endtab %}

{% tab title="Results" %}

* Registrant information
* Registrant Organization
* Registrant Country
* Domain name server information
* IP Address
* IP location
* ASN
* Domain Status
* WHOIS history
* IP history
* Registrar history
* Hosting history
  {% endtab %}

{% tab title="Tools" %}

* <https://whois.domaintools.com>

* <http://lantricks.com>

* <http://www.networkmost.com>

* <http://tialsoft.com>

* <http://www.johnru.com>

* <https://www.callerippro.com>

* <http://www.nirsoft.net>

* <http://www.sobolsoft.com>

* <http://www.softfuse.com>

* SmartWhois
  {% endtab %}
  {% endtabs %}

* DNS Footprinting

DNS lookup information helps identify hosts within a target network, revealing domain-to-IP mappings and other relevant details.

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FlnmyW5etb7ulg6F8PtUN%2Fimage.png?alt=media&#x26;token=a4641a8f-96f4-4517-adcc-c1521fc89143" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

<details>

<summary>Tools</summary>

* Domain Dossier
* <http://www.dnsstuff.com>
* <http://network-tools.com>
* <http://www.kloth.net>
* <http://www.mydnstools.info>
* <http://www.nirsoft.net>
* <http://www.dnswatch.info>
* <http://www.domaintools.com>
* <http://www.dnsqueries.com>
* <http://www.ultratools.com>
* <http://www.webmaster-toolkit.com>

</details>

<table data-full-width="true"><thead><tr><th width="201">Feature</th><th>WHOIS Lookup</th><th>DNS Lookup</th></tr></thead><tbody><tr><td><strong>Focus</strong></td><td>Domain ownership &#x26; registration</td><td>Domain-to-IP resolution &#x26; DNS records</td></tr><tr><td><strong>Data Source</strong></td><td>WHOIS databases (registrars)</td><td>DNS servers</td></tr><tr><td><strong>Common Use</strong></td><td>Checking domain availability, ownership</td><td>Resolving domain names, debugging DNS issues</td></tr><tr><td><strong>Privacy Issues</strong></td><td>WHOIS info may be hidden (GDPR, privacy services)</td><td>DNS info is generally public</td></tr></tbody></table>

#### Network Footprinting

{% tabs %}
{% tab title="Define" %}
Network footprinting is a crucial technique for gathering information about a target network. Various tools are available to help map the network, revealing its structure and potential vulnerabilities.
{% endtab %}

{% tab title="Information" %}

* Network address ranges
* Hostnames
* Exposed hosts
* OS and application version information
* Patch state of the host and the applications
* Structure of the applications and back-end servers
  {% endtab %}

{% tab title="Tools" %}

* Whois

* Ping

* Nslookup

* Tracert
  {% endtab %}
  {% endtabs %}

* Traceroute

{% hint style="success" %}
The **Traceroute** or **Tracert** command maps the path from source to destination, displaying all intermediate hops and their latency.
{% endhint %}

{% hint style="warning" %}
You should understand the term **hop**. A **hop** refers to the transfer of a data packet from one network device to another, occurring each time the packet moves to a new network segment.
{% endhint %}

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FjeexAy1FydOdAYJE07Xq%2Fimage.png?alt=media&#x26;token=fddc57c1-1709-4552-8f8b-f4e3b41edc83" alt=""><figcaption><p>An illustration of hops in a wired network (assuming a 0-origin hop count). The hop count between the computers in this case is 2</p></figcaption></figure>

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FKksL2XT0AzYwIu6eoEdO%2Fimage.png?alt=media&#x26;token=e58953cb-efab-4b75-953f-4ded2608221f" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

#### Footprinting through Social Engineering

{% hint style="success" %}
In footprinting, humans are often the weakest link. Extracting information from people is usually easier than retrieving data from secured systems.
{% endhint %}

* Social Engineering

{% tabs %}
{% tab title="Define" %}
Social engineering is the art of extracting sensitive information by manipulating people. Social engineers operate discreetly, exploiting human trust and carelessness to obtain valuable data.
{% endtab %}

{% tab title="Information" %}

* Credit card information

* Username & Passwords

* Security devices & Technology information

* Operating System information

* Software information

* Network information

* IP address & name server’s information.
  {% endtab %}
  {% endtabs %}

* Eavesdropping

Eavesdropping is a social engineering technique where an attacker covertly listens to conversations, reads messages, or accesses information sources without detection.

* Phishing

Phishing is a social engineering attack that uses digital means, such as emails, messages, or fake websites, to trick individuals into revealing sensitive information.

* Shoulder Surfing

Shoulder surfing is a social engineering technique where an attacker observes a target’s screen or keyboard to steal sensitive information like passwords or account numbers.

* Dumpster Diving

Dumpster diving is an old but effective technique where attackers search through discarded materials like printer trash, desk waste, or company garbage to find valuable information such as phone bills, contacts, financial records, and source codes.

* Vishing

Vishing (voice phishing) is a social engineering attack where scammers use phone calls to trick individuals into revealing sensitive information, such as passwords, credit card details, or personal data.

* Smishing

Smishing (SMS phishing) is a social engineering attack where attackers use text messages to deceive individuals into revealing sensitive information, clicking malicious links, or downloading malware.

* Spear Phishing

Spear Phishing is a targeted phishing attack aimed at specific individuals or organizations. Attackers craft personalized emails or messages to trick victims into revealing sensitive information or downloading malware.

### Footprinting Tools

* Maltego
* Recon-ng
* FOCA
* Metasploit

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2Frmk7WtKd5XnvLyaTcwug%2Fimage.png?alt=media&#x26;token=a9f1c4e1-e067-49a2-b3f6-f1cc379a1e2f" alt=""><figcaption><p>Chapter 2: CEH v10</p></figcaption></figure>

### Countermeasures of Footprinting

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FqJIlHtn7qryLRQNYttQB%2Fimage.png?alt=media&#x26;token=8e1a0bd0-4039-45fa-b021-94a5c79e7c9b" alt=""><figcaption><p>Mind Map</p></figcaption></figure>

## Scanning Networks

### Brief

After the footprinting phase, you may have gathered sufficient information about the target. The next step, **network scanning**, uses this data to identify hosts, open ports, and running services by systematically scanning networks and ports.

### Objective

* To identify live hosts on a network
* To identify open & closed ports
* To identify operating system information
* To identify services running on a network
* To identify running processes on a network
* To identify the presence of Security Devices like firewalls
* To identify System architecture
* To identify running services
* To identify vulnerabilities

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FvStsU2JqFwRpEAVHfjde%2Fimage.png?alt=media&#x26;token=b792c342-75ca-4c13-94e2-c4165a7cb66e" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

### Overview of Network Scanning

The **Network Scanning** phase involves probing the target network to gather critical information. By analyzing responses, an attacker can identify network details, open ports, and running services. This helps map the network architecture, providing a clearer picture of the target.

#### TCP Communication

Internet Protocol (IP) traffic is categorized into two types: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

* TCP is a connection-oriented protocol, meaning a reliable connection must be established before data transfer. It enables bidirectional communication, ensuring data is sent and received in an organized manner.
* UDP is a connectionless and lightweight Internet protocol. It transmits multiple messages as independent packets, sending data in chunks without requiring a stable connection.

{% hint style="warning" %}
Unlike TCP, UDP does not provide reliability, flow control, or error recovery for IP packets, making it faster but less dependable.
{% endhint %}

Due to its simplicity, UDP headers are smaller and require less network overhead compared to TCP, making data transmission more efficient.

<div align="right" data-full-width="true"><figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FsB3LRsEdPcZWFCEh7JWL%2Fimage.png?alt=media&#x26;token=5194db49-bab7-4655-a4e1-f5dcb1eb49ca" alt="" width="563"><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure> <figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FWBxoHtHf15AdFpAZ0GJ5%2FUntitled.png?alt=media&#x26;token=613fa448-1eff-4d67-931f-8e00d38a0daa" alt="" width="276"><figcaption><p>UDP Header</p></figcaption></figure></div>

The flags field in the TCP header is 9 bits wide and includes the following 6 TCP flags:

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FF2m2uLzogCctcUjTWQT1%2Fimage.png?alt=media&#x26;token=28a96128-6b7e-4161-af32-288c89019d57" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

A TCP connection is established using a three-way handshake between hosts. This process ensures a reliable, connection-oriented session. The handshake consists of three essential steps to initiate communication.

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FG0ucRjH59HmIbx3blNJD%2Fimage.png?alt=media&#x26;token=3bd7e520-4620-4610-9820-549132d7fcd9" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

When Host A wants to communicate with Host B, a TCP connection is established through a three-way handshake:

1. Host A sends a SYN packet to Host B.
2. On receipt of the SYN packet from Host A, Host B replies to Host A with a SYN+ACK packet.
3. Host A replies with an ACK packet when it receives the SYN+ACK packet from Host B.

Once this process is successfully completed, the TCP connection is established.
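The flags field and the three-way handshake above, as an added example that is not part of the original notes: Python code that decodes the 9-bit flags field from a raw TCP header and validates a sequence of constructed segments as a proper SYN, SYN+ACK, ACK exchange, including the sequence-number acknowledgements. The `build_tcp_header` helper only exists to construct test input (checksums are left at zero); a half-open exchange that ends in RST instead of ACK, which is what a SYN scan looks like on the wire, is rejected.

```python
import struct

# The nine flag bits of the TCP header, low bit first (RFC 793 plus ECN bits).
TCP_FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}


def decode_tcp_flags(tcp_header):
    """Return the set of flag names set in a raw (>= 20 byte) TCP header."""
    # Bytes 12-13 hold the 4-bit data offset, 3 reserved bits and the 9 flag bits.
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    flags = offset_flags & 0x01FF
    return {name for name, bit in TCP_FLAG_BITS.items() if flags & bit}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header as constructed test input (checksum zero)."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAG_BITS[name]
    data_offset = 5  # 5 x 32-bit words = 20 bytes, no options
    offset_flags = (data_offset << 12) | flag_bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def check_handshake(segments):
    """Validate a list of (direction, tcp_header) pairs as a three-way handshake.

    direction is 'A->B' or 'B->A'. Returns (ok, reason)."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    (d1, h1), (d2, h2), (d3, h3) = segments
    f1, f2, f3 = (decode_tcp_flags(h) for h in (h1, h2, h3))
    seq1 = struct.unpack("!I", h1[4:8])[0]
    seq2, ack2 = struct.unpack("!II", h2[4:12])
    ack3 = struct.unpack("!I", h3[8:12])[0]
    if d1 != "A->B" or f1 != {"SYN"}:
        return False, "step 1 must be a bare SYN from A"
    if d2 != "B->A" or f2 != {"SYN", "ACK"}:
        return False, "step 2 must be SYN+ACK from B"
    if ack2 != seq1 + 1:
        return False, "SYN+ACK does not acknowledge A's ISN + 1"
    if d3 != "A->B" or "ACK" not in f3 or "SYN" in f3:
        return False, "step 3 must be an ACK from A"
    if ack3 != seq2 + 1:
        return False, "final ACK does not acknowledge B's ISN + 1"
    return True, "established"


def example_handshake():
    """A well-formed constructed handshake between A (port 40000) and B (port 80)."""
    a_isn, b_isn = 1000, 5000
    return [
        ("A->B", build_tcp_header(40000, 80, a_isn, 0, {"SYN"})),
        ("B->A", build_tcp_header(80, 40000, b_isn, a_isn + 1, {"SYN", "ACK"})),
        ("A->B", build_tcp_header(40000, 80, a_isn + 1, b_isn + 1, {"ACK"})),
    ]
```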

{% hint style="info" %}
The U.S. Department of Defense (DoD) developed the TCP/IP model by integrating the OSI Layer Model with the DoD model. Transmission Control Protocol (TCP) and Internet Protocol (IP) are the core networking standards that define the Internet.
{% endhint %}

* IP defines how computers can get data to each other over a routed, interconnected set of networks. TCP defines how applications can create reliable channels of communication across such a network.
* IP defines addressing and routing, while TCP defines how to have a conversation across the link without garbling or losing data.

{% hint style="info" %}
The layers in the TCP/IP model function similarly to those in the OSI model, following similar specifications. The key difference is that the TCP/IP model merges the top three OSI layers (Application, Presentation, and Session) into a single Application Layer.
{% endhint %}

#### Creating Custom Packet Using TCP Flags

**Colasoft Packet Builder** allows users to create customized network packets, which can be used for testing, troubleshooting, or even penetrating networks for attacks. It also supports the creation of fragmented packets for advanced network analysis.

### Methodology

The Scanning Methodology consists of the following steps:

{% stepper %}
{% step %}
Checking for live systems (Host discovery)
{% endstep %}

{% step %}
Port Scanning
{% endstep %}

{% step %}
Scanning beyond IDS
{% endstep %}

{% step %}
Banner grabbing
{% endstep %}

{% step %}
Scanning Vulnerabilities
{% endstep %}

{% step %}
Network Diagram
{% endstep %}

{% step %}
Proxies
{% endstep %}
{% endstepper %}

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FihG7CamJODoRFXPsR7Vk%2Fimage.png?alt=media&#x26;token=2a195d1b-62d9-4d38-b8ab-fc6c84be6c4a" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

#### Checking for Live Systems

{% hint style="success" %}
To begin, you need to identify active hosts within the target network. This is typically done using ICMP packets.
{% endhint %}

* ICMP Scanning

ICMP scanning is a technique used to identify active hosts by sending ICMP Echo Requests. If a host responds with an ICMP Echo Reply, it confirms that the host is live and reachable on the network.

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FJNCqrnxfQ4jN3FNlLne3%2Fimage.png?alt=media&#x26;token=171d9a27-2852-4f7f-b479-4d7cdede140a" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

* Ping Sweep

{% tabs %}
{% tab title="Define" %}
Ping Sweep is a technique used to identify live hosts across a large network. Instead of sending ICMP Echo Requests to individual IP addresses one by one, it sends requests to an entire range of addresses. Active hosts respond with ICMP Echo Reply packets, confirming their presence.
{% endtab %}

{% tab title="Tools" %}

* SolarWinds Ping Sweep
* Angry IP Scanner
  {% endtab %}
  {% endtabs %}
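Seen from the defender's side, a ping sweep is a single source sending ICMP Echo Requests to many distinct hosts in a short time. The following Python detector, an added example that is not part of the original notes, runs over a few constructed firewall log lines (the `timestamp ICMP type src -> dst` format is assumed) and flags any source that reaches a threshold of distinct destinations inside a sliding time window, while a host that repeatedly pings one address is not flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an assumed syslog-like format (not from any real product).
# 198.51.100.9 sweeps eight hosts; 203.0.113.5 only pings one host repeatedly.
SAMPLE_LOG = """\
2025-03-03T10:00:00 ICMP echo-request 198.51.100.9 -> 192.0.2.10
2025-03-03T10:00:00 ICMP echo-request 198.51.100.9 -> 192.0.2.11
2025-03-03T10:00:01 ICMP echo-request 198.51.100.9 -> 192.0.2.12
2025-03-03T10:00:01 ICMP echo-request 203.0.113.5 -> 192.0.2.10
2025-03-03T10:00:01 ICMP echo-request 198.51.100.9 -> 192.0.2.13
2025-03-03T10:00:02 ICMP echo-request 198.51.100.9 -> 192.0.2.14
2025-03-03T10:00:02 ICMP echo-reply 192.0.2.10 -> 198.51.100.9
2025-03-03T10:00:02 ICMP echo-request 198.51.100.9 -> 192.0.2.15
2025-03-03T10:00:03 ICMP echo-request 203.0.113.5 -> 192.0.2.10
2025-03-03T10:00:03 ICMP echo-request 198.51.100.9 -> 192.0.2.16
2025-03-03T10:00:03 ICMP echo-request 198.51.100.9 -> 192.0.2.17
2025-03-03T10:05:00 ICMP echo-request 203.0.113.5 -> 192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) ICMP (\S+) (\S+) -> (\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, icmp_type, src, dst), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events, key=lambda e: e[0])


def detect_ping_sweeps(events, window=timedelta(seconds=30), threshold=5):
    """Flag sources sending echo-requests to >= threshold distinct hosts within window.

    Returns {src: {"first_seen": datetime, "targets": max distinct hosts}}."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) inside the window
    alerts = {}
    for ts, icmp_type, src, dst in events:
        if icmp_type != "echo-request":
            continue  # replies and other ICMP types do not count as probes
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()  # slide the window forward
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            entry = alerts.setdefault(src, {"first_seen": q[0][0], "targets": 0})
            entry["targets"] = max(entry["targets"], len(distinct))
    return alerts
```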

#### Check for Open Ports

* SSDP Scanning

{% hint style="info" %}
The Simple Service Discovery Protocol (SSDP) enables the discovery of network services without relying on server-based configurations like DHCP, DNS, or static host settings.
{% endhint %}

It is commonly used for discovering Plug & Play devices through Universal Plug and Play (UPnP). SSDP supports both IPv4 and IPv6, making it versatile for modern networks.

{% hint style="warning" %}
Universal Plug and Play (UPnP) is a standard that lets network devices **automatically** find, communicate with and control each other.
{% endhint %}

* Scanning Tool

  * Nmap

  [**Nmap**](https://nmap.org/book/man-briefoptions.html) provides host discovery, port scanning, and service enumeration. It can also detect operating system versions, retrieve hardware (MAC) addresses, identify service versions, and uncover vulnerabilities or exploits using Nmap Scripting Engine (NSE).

  * Hping2 & Hping3

{% tabs %}
{% tab title="Define" %}
[Hping](https://www.kali.org/tools/hping3/) is a command-line TCP/IP packet assembler and analyzer tool. It allows users to send customized packets and view target responses, similar to how the ping command displays ICMP Echo Replies.

Hping supports packet fragmentation, custom payloads, adjustable packet sizes, and file transfers. It works with multiple protocols, including TCP, UDP, ICMP, and RAW IP.
{% endtab %}

{% tab title="Information" %}

* Test firewall rules.

* Advanced port scanning.

* Testing net performance.

* Path MTU discovery.

* Transferring files, even across very restrictive firewall rules.

* Traceroute-like under different protocols.

* Remote OS fingerprinting & others.
  {% endtab %}
  {% endtabs %}

* Scanning Techniques

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FG0WIN9cxs8uEb60gVZvH%2Fimage.png?alt=media&#x26;token=2bea8ecd-75f1-4bd7-b73b-98b8ef3b20d8" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

{% hint style="success" %}
Since I plan to cover Nmap's role in scanning techniques in detail, I'll separate that section to keep this blog post concise and focused.
{% endhint %}

#### Scanning Beyond IDS

{% hint style="warning" %}
Attackers use fragmentation and small packets to evade security devices such as firewalls and IDS/IPS. *A common technique involves splitting the payload into smaller packets, making it harder for security systems to detect malicious activity.* An IDS must reassemble the incoming packet stream before it can analyze it and detect an attack, so the small packets are further manipulated to make reassembly, and therefore detection, harder for the packet reassembler.
{% endhint %}

{% hint style="warning" %}
Another method of using fragmentation involves sending packets out of order with intentional delays between them. This technique disrupts proper reassembly, making it harder for security systems to detect malicious traffic. Attackers often route these fragmented packets through proxy servers or compromised machines to further obscure their origin and launch stealthy attacks.
{% endhint %}
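The reassembly step that the two notes above describe from the attacker's side, as an added example that is not part of the original notes: a minimal IDS-style IP fragment reassembler in Python that buffers fragments arriving out of order or with delays, rebuilds the datagram only once the byte ranges tile it without gaps, and raises alerts for the two conditions an analyst cares about, overlapping fragments (the classic reassembly-ambiguity trick) and datagrams that never complete before a timeout. Offsets are kept in bytes for clarity rather than the 8-byte units of the real IP header, and the sample fragments are constructed.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int      # IP Identification field shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's payload (8-byte units on the wire)
    more: bool      # More Fragments (MF) flag; False marks the last fragment
    data: bytes
    ts: float       # arrival time in seconds


class Reassembler:
    """Buffers fragments per datagram and rebuilds it when the ranges are complete.

    alerts collects ("overlap", ident, offset) and ("timeout", ident, n_frags) tuples."""

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.buckets = {}   # ident -> {"frags": [Fragment], "first_ts": float}
        self.alerts = []

    def add(self, frag):
        """Accept one fragment; return the reassembled datagram bytes or None."""
        bucket = self.buckets.setdefault(frag.ident, {"frags": [], "first_ts": frag.ts})
        # Overlap check: a new fragment intersecting an already-buffered byte range.
        # Which copy wins differs between operating systems, which is exactly what
        # insertion/evasion attacks exploit, so an IDS should at least alert on it.
        for other in bucket["frags"]:
            if (frag.offset < other.offset + len(other.data)
                    and other.offset < frag.offset + len(frag.data)):
                self.alerts.append(("overlap", frag.ident, frag.offset))
                break
        bucket["frags"].append(frag)
        return self._try_complete(frag.ident)

    def _try_complete(self, ident):
        frags = sorted(self.buckets[ident]["frags"], key=lambda f: f.offset)
        last = [f for f in frags if not f.more]
        if not last:
            return None  # the last fragment has not arrived yet
        total_len = last[0].offset + len(last[0].data)
        # The sorted ranges must cover [0, total_len) without any gap.
        covered = 0
        for f in frags:
            if f.offset > covered:
                return None  # gap: an earlier fragment is still missing
            covered = max(covered, f.offset + len(f.data))
        if covered < total_len:
            return None
        buf = bytearray(total_len)
        for f in frags:
            buf[f.offset:f.offset + len(f.data)] = f.data[:total_len - f.offset]
        del self.buckets[ident]
        return bytes(buf)

    def expire(self, now):
        """Drop incomplete datagrams older than timeout, as an IDS would, and alert."""
        for ident in list(self.buckets):
            bucket = self.buckets[ident]
            if now - bucket["first_ts"] > self.timeout:
                self.alerts.append(("timeout", ident, len(bucket["frags"])))
                del self.buckets[ident]


def demo_out_of_order():
    """Constructed 20-byte datagram delivered as three fragments, last one first."""
    payload = b"GET /index.html HTTP"
    r = Reassembler()
    results = [
        r.add(Fragment(1, 16, False, payload[16:], 0.0)),
        r.add(Fragment(1, 0, True, payload[:8], 0.5)),
        r.add(Fragment(1, 8, True, payload[8:16], 1.0)),
    ]
    return payload, results, r.alerts
```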

#### OS Fingerprinting & Banner Grabbing

{% hint style="success" %}
**OS Fingerprinting** is a technique used to identify the operating system running on a target machine. By analyzing system responses, attackers can determine vulnerabilities and potential exploits specific to that OS, aiding in targeted attacks.
{% endhint %}

The two types of OS Fingerprinting:

* Active OS Fingerprinting
* Passive OS Fingerprinting

{% hint style="success" %}
**Banner Grabbing** is similar to OS fingerprinting but focuses on identifying the services running on a target machine. By retrieving service banners, attackers or security analysts can determine software versions, configurations, and potential vulnerabilities.
{% endhint %}

* Active OS Fingerprinting or Banner Grabbing

Nmap can efficiently perform active banner grabbing to identify running services. Its OS detection capability works by sending specially crafted TCP and UDP packets and analyzing the target's response. A detailed assessment of these responses provides valuable clues, helping to determine the operating system type.

* Passive OS Fingerprinting or Banner Grabbing

Passive OS Fingerprinting involves analyzing network traffic without directly interacting with the target. This method relies on inspecting packet attributes such as Time to Live (TTL) values and Window Size to infer the operating system, making detection stealthier compared to active scanning.

{% hint style="warning" %}
The TTL value and Window Size are extracted from the TCP packet header while monitoring network traffic.
{% endhint %}
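To make the TTL and Window Size reasoning concrete, here is an added example (not code from the page, and not p0f) that pulls both fields out of a raw IPv4/TCP SYN and turns them into an OS-family guess plus an estimated hop count: the observed TTL is rounded up to the nearest well-known initial value (64 for Linux and other Unix-likes, 128 for Windows, 255 for many network devices and Solaris) and the difference is the number of routers crossed. The packets are constructed inline, and the window-size table is an illustrative assumption, not a real signature database.

```python
"""Passive OS fingerprinting from the TTL and TCP window size of observed
SYN packets. Added example, not code from the page or from p0f. The
initial-TTL defaults (64 Linux/Unix-like, 128 Windows, 255 network
devices/Solaris) are well-known stack defaults; the window-size hints are
an illustrative, deliberately tiny table. Packets are constructed inline."""
import struct
from typing import Dict, Optional

DEFAULT_TTLS = (64, 128, 255)
TTL_FAMILY = {64: "Linux/Unix-like", 128: "Windows", 255: "Network device/Solaris"}
# Assumption for this example only; real signature databases are far larger.
WINDOW_HINTS = {29200: "Linux 3.x/4.x SYN", 64240: "Linux 5.x or Windows 10 SYN",
                8192: "older Windows SYN", 65535: "BSD/macOS SYN"}

def _ip(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))

def build_syn(src: str, dst: str, ttl: int, window: int, flags: int = 0x02,
              sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed IPv4 + TCP header pair (no options, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0xBEEF, 0x4000, ttl, 6, 0,
                     _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp

def extract(pkt: bytes) -> Optional[Dict[str, object]]:
    """Pull source, TTL, TCP flags and window out of a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:               # not TCP
        return None
    # TCP header: flags byte at offset 13, 16-bit window at 14..16
    flags, window = struct.unpack("!BH", pkt[ihl + 13: ihl + 16])
    return {"src": ".".join(str(b) for b in pkt[12:16]), "ttl": pkt[8],
            "flags": flags, "window": window}

def fingerprint(pkt: bytes) -> Optional[dict]:
    """Guess OS family and hop distance from a pure SYN, the most stable sample
    because its window is the stack's initial value, not a value tuned mid-flow."""
    info = extract(pkt)
    if info is None or info["flags"] != 0x02:   # SYN only, no ACK or other bits
        return None
    initial = next((t for t in DEFAULT_TTLS if t >= info["ttl"]), None)
    if initial is None:
        return None
    return {"src": info["src"], "initial_ttl": initial, "hops": initial - info["ttl"],
            "os_family": TTL_FAMILY[initial], "window": info["window"],
            "window_hint": WINDOW_HINTS.get(info["window"], "unknown")}

if __name__ == "__main__":
    # Constructed SYNs: a Linux-like host 3 hops away and a Windows-like host 8 hops away
    for pkt in (build_syn("10.0.0.5", "10.0.0.1", ttl=61, window=64240),
                build_syn("10.0.0.6", "10.0.0.1", ttl=120, window=8192)):
        print(fingerprint(pkt))
```

The TTL rule is the robust half of this heuristic; hosts whose initial TTL was changed by an administrator, or traffic that crossed a NAT or proxy that rewrites headers, will be misclassified, which is why passive tools combine many more fields (options order, MSS, DF bit) before committing to a guess.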

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FOMMPw2C7WzY7OF3poNrv%2Fimage.png?alt=media&#x26;token=c4d9d68e-b82e-479f-9ca5-68df07b7f64b" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

<details>

<summary>Banner Grabbing Tools</summary>

* ID Server
* Netcraft
* Netcat
* Telnet
* Xprobe
* p0f
* Maltego

</details>

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FUVDA7dJJ2VGX9u5jls4p%2Fimage.png?alt=media&#x26;token=98b2e2d9-a1f5-46c1-b828-c5f61f2ee0d0" alt=""><figcaption><p>Mind map</p></figcaption></figure>

#### Draw Network Diagrams

{% hint style="success" %}
Gaining access to a network requires a deep understanding of its architecture and detailed information. Key insights, such as security zones, security devices, routing infrastructure, and the number of hosts, help an attacker map out the network structure. Once a network diagram is created, it reveals both logical and physical pathways, guiding the attacker to their intended target.
{% endhint %}

{% hint style="info" %}
A network diagram visually represents the network environment, offering a clear and structured view of its components. Network mappers are specialized tools that utilize scanning techniques and other network analysis methods to create a detailed map of the network, aiding in both security assessments and attack planning.
{% endhint %}

{% hint style="warning" %}
An important consideration is that these tools generate network traffic, which can expose the presence of an attacker or penetration tester. Security systems may detect and flag unusual scanning activity, potentially leading to countermeasures.
{% endhint %}

* Network Discovery Tool

{% tabs %}
{% tab title="OpManager" %}
OpManager is a powerful network monitoring tool that provides fault management and supports various network components, including WAN links, routers, switches, VoIP systems, and servers. It also offers performance management, ensuring optimal network efficiency.
{% endtab %}

{% tab title="Network View" %}
Network View is an advanced network discovery tool. It can discover routes and TCP/IP nodes using DNS, port scans, and other network protocols.
{% endtab %}

{% tab title="Others" %}

* Network Topology Mapper

* LANState Pro
  {% endtab %}
  {% endtabs %}

* Drawing Network Diagrams

SolarWinds Network Topology Mapper is a powerful tool for network discovery and topology visualization. It automatically maps networks and provides features like manual node editing, multi-level discovery, and Visio diagram export. The generated topology includes key details such as node names, IP addresses, hostnames, system names, machine types, vendors, system locations, and more.

#### Prepare Proxies

{% hint style="success" %}
A proxy is an intermediary system that sits between an attacker and the target, masking the attacker's identity. Proxies play a crucial role in networks, often used by scanners to obscure their origin and prevent tracing back to the source.
{% endhint %}

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2F9SSIZ93wn0WpoqmcHa1E%2Fimage.png?alt=media&#x26;token=dcebb94a-daee-4349-be29-e6fb1c8e091e" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

* Proxy Servers

Proxy server anonymizes web traffic by acting as an intermediary between the user and publicly available servers. When a user requests a resource, the proxy forwards the request on their behalf, helping to conceal their identity and enhance privacy.

{% hint style="info" %}
When a user makes a request, it is first sent to the proxy server, which processes and forwards it to the destination. The proxy can handle various requests, such as *web page access, file downloads, and connections to other servers*, while masking the user's identity.
{% endhint %}

{% hint style="warning" %}
The most common use of a proxy server is as a web proxy, which allows users to access the World Wide Web while bypassing IP address blocking. This helps in circumventing restrictions, enhancing privacy, and maintaining anonymity online.
{% endhint %}

<details>

<summary>Summary</summary>

* Hiding Source IP address for bypassing IP address blocking.
* Impersonating.
* Remote Access to Intranet.
* Redirecting all requests to the proxy server to hide identity.
* Proxy Chaining to avoid detection.

</details>

* Proxy Chaining

Proxy Chaining is a technique that involves routing traffic through multiple proxy servers for enhanced anonymity. In this process, one proxy server forwards the request to another, creating a chain that makes it more difficult to trace the original source.

{% hint style="warning" %}
While not recommended for production environments or as a long-term solution, this technique utilizes your existing proxy infrastructure to enhance anonymity.
{% endhint %}

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FvDKlBpmDdYB5uGDyjMlA%2Fimage.png?alt=media&#x26;token=2ee0037a-e13a-4001-8489-475919adccd4" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

* Proxy Tool

{% tabs %}
{% tab title="Tools" %}

* Proxy Switcher
* Proxy Workbench
* TOR
* CyberGhost
  {% endtab %}

{% tab title="Proxy Switcher" %}
Proxy Switcher scans for available proxy servers, allowing users to select and enable a proxy to hide their IP address for enhanced anonymity and privacy.
{% endtab %}

{% tab title="Tools for Mobile" %}

* Proxy Droid

* Net Shade
  {% endtab %}
  {% endtabs %}

* Introduction to Anonymizers

{% tabs %}
{% tab title="Define" %}
Anonymizer is a tool designed to completely hide or remove identity-related information, ensuring online activities remain untraceable and private.
{% endtab %}

{% tab title="Purpose" %}

* Minimizing risk

* Identity theft prevention

* Bypass restrictions and censorship

* Untraceable activity on the Internet
  {% endtab %}
  {% endtabs %}

* Censorship Circumvention Tool

  * Tails

  Tails (The Amnesic Incognito Live System) is a widely used censorship circumvention tool based on Debian GNU/Linux. It functions as a live operating system, running directly from a USB or DVD on almost any computer. Designed for privacy and anonymity, Tails enables users to browse the internet securely without leaving traces on the system.

<details>

<summary>Anonymizers for Mobile</summary>

* Orbot
* Psiphon
* Open door

</details>

#### Spoofing IP Address

{% hint style="success" %}
IP Address Spoofing is a technique used to gain unauthorized access to systems by falsifying IP addresses. Attackers manipulate IP packets to impersonate a legitimate machine, making it appear as if the traffic originates from a trusted source.
{% endhint %}

The spoofing process involves modifying the IP header with a forged source IP address, a recalculated checksum, and adjusted order values. Packet-switched networking can cause packets to arrive at the destination in a different order; when these out-of-order packets are received, they are reassembled to extract the message.

{% hint style="info" %}
IP spoofing can be detected using techniques such as Direct TTL probing and IP Identification Number analysis.
{% endhint %}

* Direct TTL probing

In Direct TTL Probing, packets are sent to a host suspected of spoofing, and the responses are analyzed. By comparing the TTL value in the reply with the TTL in the suspected spoofed packet, IP spoofing can be identified. If the TTL values do not match, the packet is likely spoofed.

{% hint style="warning" %}
However, TTL values can naturally vary in normal traffic, and this technique is most effective for detecting spoofing when the attacker is on a *different subnet*.
{% endhint %}

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2F62okNkCf01bOzXfuWTAj%2Fimage.png?alt=media&#x26;token=cb92409b-de80-474e-aac0-7ad9eb7446bd" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>

* IPID

Additional probes are sent to check the IP Identification (IPID) of the host. If the IPID values are not sequential or closely related, the traffic is likely spoofed. This technique is particularly useful when the attacker is within the *same subnet*.

<figure><img src="https://478502756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIq8JiJEVpZ4osPfadz5Y%2Fuploads%2FW38XEbQQkp53hmCPg6Zs%2Fimage.png?alt=media&#x26;token=e10935d1-4b13-4459-b5b1-df941eba8d8f" alt=""><figcaption><p>Chapter 3: CEH v10</p></figcaption></figure>
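Both detection techniques described above (Direct TTL probing and IPID analysis) reduce to comparing a suspect packet against replies obtained by probing the address it claims. The following is an added example, not code from the page: the probe replies are constructed records standing in for captured packets, the TTL tolerance and IPID window are assumptions, and the IPID check reports "inconclusive" for hosts whose replies show no incrementing counter (modern stacks commonly randomise the IPID or keep per-destination counters), the edge case that makes the IPID method usable only on some hosts.

```python
"""Spoof-detection checks from the text: direct TTL probing and IPID
analysis. Added example, not code from the page; probe replies are
constructed records standing in for packets captured after probing the
claimed source. The tolerance and window values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Packet:
    src: str    # source IP as seen in the IP header
    ttl: int
    ipid: int

def ttl_probe_verdict(suspect: Packet, probe_replies: List[Packet], tolerance: int = 1) -> str:
    """Direct TTL probing: compare the suspect's TTL with the TTL of genuine
    replies from that host. A host at a fixed distance yields a stable TTL;
    a difference beyond `tolerance` (assumed; allows a minor route change)
    means the packet most likely did not come from that host."""
    ttls = [p.ttl for p in probe_replies if p.src == suspect.src]
    if not ttls:
        return "inconclusive"
    expected = max(set(ttls), key=ttls.count)    # most common TTL in the replies
    return "consistent" if abs(suspect.ttl - expected) <= tolerance else "spoofed"

def ipid_verdict(suspect: Packet, probe_replies: List[Packet], window: int = 64) -> str:
    """IPID analysis: a host with an incrementing IPID counter answers
    consecutive probes with near-sequential IDs, and a genuine packet from it
    should sit close to that run. Randomised or per-destination IPIDs give
    no usable sequence, so the check is reported as inconclusive."""
    ids = [p.ipid for p in probe_replies if p.src == suspect.src]
    if len(ids) < 2:
        return "inconclusive"
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if max(steps) > window:
        return "inconclusive"            # replies do not form an incrementing counter
    # circular distance from the suspect's IPID to the nearest reply IPID
    dist = min(min((suspect.ipid - i) % 65536, (i - suspect.ipid) % 65536) for i in ids)
    return "consistent" if dist <= window else "spoofed"

def assess(suspect: Packet, probe_replies: List[Packet]) -> Dict[str, object]:
    """Combine both checks; either one saying 'spoofed' is enough to flag the packet."""
    ttl = ttl_probe_verdict(suspect, probe_replies)
    ipid = ipid_verdict(suspect, probe_replies)
    return {"ttl_probe": ttl, "ipid": ipid, "likely_spoofed": "spoofed" in (ttl, ipid)}

if __name__ == "__main__":
    # Constructed: four replies from the real 10.0.0.7 (3 hops away, counter near 1000)
    replies = [Packet("10.0.0.7", 61, i) for i in (1000, 1001, 1002, 1003)]
    forged = Packet("10.0.0.7", 118, 42000)   # claims 10.0.0.7, matches on neither check
    genuine = Packet("10.0.0.7", 61, 998)
    print("forged: ", assess(forged, replies))
    print("genuine:", assess(genuine, replies))
```

In line with the text's caveats, the TTL check is the useful one when the real and spoofing hosts are on different subnets (different hop counts), and the IPID check is the one that still works when they share a subnet and therefore the same TTL.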

***

