Reconnaissance and Footprinting
⚡︎ This chapter has practical labs
Footprinting
Footprinting is part of the reconnaissance process and is used to gather as much information as possible about a target computer system or network.
In the computer security lexicon, "footprinting" generally refers to one of the pre-attack phases: tasks performed before the actual attack. Some of the tools used for footprinting are Sam Spade, nslookup, traceroute, Nmap and NeoTrace.
Footprinting Types: Active and Passive
Active - requires the attacker to touch the device or network
Social engineering and other communication that requires interaction with the target
Passive - measures to collect information from publicly available sources
Websites, DNS records, business information databases
Footprinting helps to:
Know Security Posture – the data gathered gives an overview of the company's security posture, such as the presence of a firewall, the security configuration of applications, etc.
Reduce Attack Area – we can identify a specific range of systems and concentrate on particular targets only, which greatly reduces the number of systems we are focusing on.
Identify Vulnerabilities – we can build an information database containing the vulnerabilities, threats and loopholes present in the target organization's systems.
Draw Network Map – helps draw a map of the target organization's networks covering topology, trusted routers, the presence of servers and other information.
Footprinting could be both passive and active. Reviewing a company’s website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering.
During this phase, a hacker can collect the following information (only high-level information):
Domain name
IP Addresses
Namespaces
Employee information
Phone numbers
E-mails
Job Information
Can be:
Anonymous - information gathering without revealing anything about yourself
Pseudonymous - making someone else take the blame for your actions
Competitive Intelligence - information gathered by businesses about competitors
Alexa.com - resource for statistics about websites
Footprinting Objectives
Network
DNS
IP networks
Accessible Systems
Websites
Access Control
VPN Endpoints
Firewall vendors
IDS Systems
Routing/Routed Protocols
Phone System (Analog/VoIP)
Organization
Org Structure
Websites
Phone Numbers
Directory Information
Office Locations
Company History
Business Associations
Hosts
Listening Services
Operating System Versions
Internet Reachability
Enumerated Information
SNMP Info
Users/Groups
Mobile Devices
Methods and Tools
Search Engines
Netcraft - builds a comprehensive profile of the technologies and other information behind a target website.
Job Search Sites - Information about technologies can be gleaned from job postings.
Google search | Google dorks:
filetype: - looks for file types
index of - directory listings
info: - contains Google's information about the page
intitle: - string in title
inurl: - string in URL
link: - finds linked pages
related: - finds similar pages
site: - finds pages specific to that site
Example:
GHDB (the Google Hacking Database) is very good for learning Google dorks and seeing how they are used in real-world scenarios.
Metagoofil - command-line tool that uses Google dorks to find documents belonging to a domain (filtered by file type, etc.) and extract the information in their metadata; essentially Google dorks for the terminal.
Website Footprinting
Web mirroring | Website cloning - allows for discreet testing offline
HTTrack - you can use the CLI version or Web Interface version
Wget - Linux command
wget -mk -w 10 http://hackthissite.org/
Black Widow
WebRipper
Teleport Pro
Backstreet Browser
Archive.org / Wayback machine
Provides cached copies of websites from various dates, which may contain sensitive information that has since been removed.
Wayback Machine -> Google.com:
Email Footprinting
Email header - may show the servers an email passed through and where those servers are located
Email headers can provide: names, addresses (IP, email), mail servers, timestamps, authentication results and so on.
EmailTrackerPro is Windows software that traces an email back to its true point of origin:
Email tracking - services can track various bits of information including the IP address of where it was opened, where it went, etc.
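The header analysis described above, as an added example that is not part of the original notes: the script walks the Received headers of a constructed sample message bottom-up to reconstruct the relay path, pulls out the originating IP, and checks that the hop timestamps increase (a timestamp that goes backwards is a classic sign of a forged header). The message and all hostnames and IPs are constructed, not real captures.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). Each relay prepends its own
# Received header, so reading them bottom-up reconstructs the delivery path.
SAMPLE_EMAIL = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.5])
\tby mail.example.org with ESMTPS id abc123;
\tMon, 01 Jan 2024 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx2.example.net with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10])
\tby relay.example.com with ESMTPSA id ghi789;
\tMon, 01 Jan 2024 09:59:58 +0000
Subject: test
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw_message):
    """Return the delivery path oldest-first: [{from, ip, by, time}, ...]."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value)          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                               # e.g. "Received: by ..." local hops
        ip = IP_RE.search(m.group("rdns") or "")
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({"from": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by"),
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops

def origin_ip(raw_message):
    """IP of the first hop, i.e. the sending host as seen by the first relay."""
    hops = parse_hops(raw_message)
    return hops[0]["ip"] if hops else None

def timeline_consistent(hops):
    """False if a hop's timestamp precedes the previous hop's (forgery or clock skew)."""
    times = [h["time"] for h in hops if h["time"]]
    return all(a <= b for a, b in zip(times, times[1:]))
```

Only the bottom-most Received header is added by a server you can reasonably trust to be honest about the previous hop; anything below the first trusted relay can be fabricated by the sender.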
DNS Footprinting
Ports
Name lookup - UDP 53
Zone transfer - TCP 53
Zone transfer replicates all records
Name resolvers answer requests
Authoritative Servers hold all records for a namespace
DNS Record Types
DNS Poisoning - changes cache on a machine to redirect requests to a malicious server
DNSSEC - helps prevent DNS poisoning by digitally signing records so resolvers can verify their authenticity (it does not encrypt them)
SOA Record Fields
Source Host - hostname of the primary DNS
Contact Email - email for the person responsible for the zone file
Serial Number - revision number that increments with each change
Refresh Time - time in which an update should occur
Retry Time - time that a NS should wait on a failure
Expire Time - time in which a zone transfer is allowed to complete
TTL - minimum TTL for records within the zone
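The SOA fields listed above, as an added example that is not part of the original notes: the script parses a dig-style SOA answer line into the seven fields, converts the RNAME into the contact mailbox (the first unescaped dot stands for "@"), and reports timer values that fall outside the RFC 1912 section 2.2 recommendations. Both SOA lines are constructed, not real zones.

```python
import re
from datetime import datetime

# Constructed dig-style SOA answer lines (not real zones). The first follows
# RFC 1912 guidance; the second is deliberately misconfigured.
GOOD_SOA = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
            "2024010101 7200 900 1209600 3600")
WEAK_SOA = ("example.net. 3600 IN SOA ns1.example.net. admin.example.net. "
            "42 3600 7200 3600 3600")

FIELDS = ("source_host", "contact", "serial", "refresh", "retry", "expire", "ttl")

def rname_to_email(rname):
    """SOA RNAME -> mailbox: the first unescaped dot stands for '@'."""
    parts = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    if len(parts) != 2:
        return parts[0]
    return parts[0].replace("\\.", ".") + "@" + parts[1]

def parse_soa(line):
    """Split 'owner ttl IN SOA mname rname serial refresh retry expire min'."""
    parts = line.split()
    if len(parts) < 11 or parts[3].upper() != "SOA":
        raise ValueError("not an SOA answer line")
    rec = dict(zip(FIELDS, parts[4:11]))
    for timer in FIELDS[2:]:
        rec[timer] = int(rec[timer])
    rec["contact"] = rname_to_email(rec["contact"])
    return rec

def serial_is_dated(serial):
    """True if the serial follows the common YYYYMMDDnn convention."""
    s = str(serial)
    try:
        return len(s) == 10 and bool(datetime.strptime(s[:8], "%Y%m%d"))
    except ValueError:
        return False

def check_soa(rec):
    """Sanity findings based on RFC 1912 section 2.2 recommendations."""
    findings = []
    if rec["retry"] >= rec["refresh"]:
        findings.append("retry should be shorter than refresh")
    if rec["expire"] <= max(rec["refresh"], rec["retry"]):
        findings.append("expire must exceed refresh and retry")
    if not 14 * 86400 <= rec["expire"] <= 28 * 86400:
        findings.append("expire outside the recommended 2-4 week range")
    if not serial_is_dated(rec["serial"]):
        findings.append("serial does not follow the YYYYMMDDnn convention")
    return findings
```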
IP Address Management
ARIN - North America
APNIC - Asia Pacific
RIPE - Europe, Middle East
LACNIC - Latin America
AfriNIC - Africa
Whois - obtains registration information for the domain from command line or web interface.
On Kali, whois is pre-installed on the CLI; e.g.:
whois google.com
On Windows, you can use the SmartWhois GUI software to perform a whois lookup, or any website like domaintools.com.
Nslookup - Performs DNS queries; (nslookup is pre-installed on Kali Linux)
nslookup www.hackthissite.org
The first two lines show my current DNS server; the IP addresses returned are 'A records', meaning the IPv4 addresses of the domain; in the bottom section, nslookup queries the specified DNS server and retrieves the requested records associated with the domain.
The following types of DNS records are especially useful to use on Nslookup:
Nslookup - Interactive mode zone transfer (Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain).
nslookup
server <IP Address>
set type=<DNS type>
<target domain>
Dig - unix-based command like nslookup
dig <target>
To get email records specify
-t MX
dig <target> -t MX
To get zone transfer specify
axfr
Network Footprinting
IP address range can be obtained from regional registrar (e.g: ARIN for America, RIPE for Europe, etc)
Use traceroute to find intermediary servers; traceroute uses ICMP echo in Windows (tracert)
traceroute is good for detecting firewalls and mapping the network path
Usage example:
traceroute -I nsa.gov
Specify target:
traceroute <target>
In this case the -I flag is used, so ICMP ECHO is used for tracerouting:
-I
⚠️ Windows command -
tracert
⚠️ Linux command - traceroute
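Reading a trace for the "firewall detection" point made above, as an added example that is not part of the original notes: the parser turns Linux traceroute output into per-hop records (host, IP, RTTs, lost probes), finds runs of hops that answered no probe at all, and names the last responding hop before each run, which is where a filtering device most likely sits. The trace text and every address in it are constructed, not a real capture.

```python
import re

# Constructed traceroute output (not a real trace): hops 3 and 4 drop every
# probe, which is the pattern a filtering device in the path produces.
SAMPLE_TRACE = """\
traceroute to target.example (203.0.113.50), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  1.123 ms  1.045 ms  0.998 ms
 2  198.51.100.1 (198.51.100.1)  5.210 ms  5.002 ms  4.987 ms
 3  * * *
 4  * * *
 5  203.0.113.9 (203.0.113.9)  20.100 ms * 20.300 ms
 6  target.example (203.0.113.50)  21.000 ms  20.900 ms  21.100 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")

def parse_traceroute(text):
    """Return one dict per hop: {hop, host, ip, rtts, lost} (host/ip None when silent)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # banner line
        hop, rest = int(m.group(1)), m.group(2)
        h = HOST_RE.search(rest)
        hops.append({"hop": hop,
                     "host": h.group(1) if h else None,
                     "ip": h.group(2) if h else None,
                     "rtts": [float(x) for x in re.findall(r"([\d.]+) ms", rest)],
                     "lost": rest.count("*")})
    return hops

def silent_runs(hops):
    """Ranges (first_hop, last_hop) where no probe was answered at all."""
    runs, start = [], None
    for h in hops:
        if h["ip"] is None and start is None:
            start = h["hop"]
        elif h["ip"] is not None and start is not None:
            runs.append((start, h["hop"] - 1))
            start = None
    if start is not None:
        runs.append((start, hops[-1]["hop"]))
    return runs

def last_responder_before(hops, run):
    """Last hop that answered before a silent run: the likely filtering boundary."""
    before = [h for h in hops if h["ip"] and h["hop"] < run[0]]
    return before[-1]["ip"] if before else None
```

A silent hop in the middle of a path that still reaches the target usually means a device that forwards traffic but rate-limits or drops ICMP time-exceeded replies, whereas silence all the way to the end means the probes themselves are being blocked; comparing a UDP trace with an ICMP one (-I) helps tell the two apart.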
Other Relevant Tools
OSRFramework
⚡︎ OSRFramework has a practical lab
Uses open source intelligence to get information about target. (Username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, and many others).
Web Spiders
Obtain information from the website such as pages, etc.
⚡︎ Recon-ng has a practical lab
Recon-ng is a web-based open-source reconnaissance tool used to extract information about a target organization and its personnel.
It provides a powerful environment in which open source web-based reconnaissance can be automated and conducted quickly and thoroughly.
⚡︎ Metasploit has a practical lab
The Metasploit Framework is a tool that provides information about security vulnerabilities and aids in penetration testing and IDS signature development; it is a huge framework that provides recon tools as well.
⚡︎ theHarvester has a practical lab
theHarvester is an OSINT tool; useful for gathering information like:
Emails
Subdomains
Hosts
Employee names
Open ports
Banners, from different public sources like search engines, PGP key servers and the SHODAN computer database
Usage example:
theHarvester -d www.hackthissite.org -n -b google
Issue theHarvester command:
theHarvester
Specify the domain:
-d <url>
Perform dns lookup:
-n
Specify search engine/source:
-b google
Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. It also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS.
Usage example:
python3 sublist3r.py -d hackthissite.org
Specify the domain:
-d <url>
DIRB is a web content scanner. It looks for existing (and/or hidden) web objects. It works by launching a dictionary-based brute-force attack against a web server and analyzing the responses.
Useful for finding subdirectories of a web application
Usage example:
dirb https://www.hackthissite.org/ /usr/share/wordlists/dirb/small.txt
Specify the URL by issuing the dirb command:
dirb <url>
Specify the wordlist:
/path/to/wordlist
Maltego
⚡︎ Maltego has practical labs
Maltego is a powerful OSINT tool; you can extract a broad range of information about networks, technologies and personnel (email, phone number, Twitter).
You are able to:
Identify IP address
Identify Domain and Domain Name Schema
Identify Server Side Technology
Identify Service Oriented Architecture (SOA) information
Identify Name Server
Identify Mail Exchanger
Identify Geographical Location
Identify Entities
Discover Email addresses and Phone numbers
Social Engineering Framework (SEF)
It's an open source social engineering framework (script) that helps generate phishing attacks and fake emails; it includes phishing pages, fake emails, fake emails with file attachments and other components that help in a social engineering attack.
Web Based Recon
Netcraft is a website analysis service; with its help we can find basic and important information about a website, like:
Background — This includes basic domain information.
Which OS and web server are running; which ISP;
Network — This includes information from IP Address to Domain names to nameservers.
SSL/TLS — This gives the ssl/tls status of the target
Hosting History - This gives the information on the hosting history of the target
Sender Policy Framework (SPF) — This describes who can send mail on the domain's behalf
DMARC — This is a mechanism for domain owners to indicate how mail purporting to originate from their domain should be authenticated
Web Trackers — These trackers can be used to monitor individual user behavior across the web
Site Technology — This section includes details on:
Cloud & PaaS
Server-Side technologies (e.g: PHP)
Client-Side technologies (e.g: JavaScript library)
CDN Information
CMS Information (e.g: Wordpress, Joomla, etc)
Mobile Technologies
Web stats (e.g: Web analytics, collection, etc)
Character encoding
Shodan - Unlike traditional search engines such as Google, which use web crawlers to traverse entire websites, Shodan goes directly to the infrastructure behind the Internet: it continuously audits the open ports of all kinds of devices and never stops looking for Internet-connected servers, cameras, printers, routers and so on.
Some have also described it as a search engine of service banners, which are the metadata that a server sends back to the client.
Shodan works well with basic, single-term searches. Here are the basic search filters you can use:
city: find devices in a particular city
country: find devices in a particular country
geo: you can pass it coordinates
hostname: find values that match the hostname
net: search based on an IP or /x CIDR
os: search based on an operating system
port: find particular ports that are open
before/after: find results within a timeframe
Alternative for Shodan.