Chapter 3 Footprinting PDF
Uploaded by UnabashedTangent6042
UTAS - Ibri
Summary
This document provides an overview of "Footprinting." It focuses on the process of gathering information about a target system or network to identify vulnerabilities. The document also details active and passive footprinting techniques and concepts.
Full Transcript
Chapter 3: Footprinting and Reconnaissance

Topics
- Footprinting Concepts
- Footprinting through Search Engines, Web Services, Social Networking Sites
- Social Engineering: Computer Based and Human Based
- Website Footprinting
- Email Footprinting
- Whois Footprinting
- DNS Footprinting
- Network Footprinting
- Footprinting Tools
- Footprinting Countermeasures

Footprinting
Footprinting refers to the systematic process of gathering information about a target network, system, organization, or individual with the intent of identifying potential vulnerabilities and weaknesses. This information is often collected through passive and active reconnaissance techniques, without actually exploiting any vulnerabilities. Footprinting is a crucial initial phase in the hacking process: it gives hackers a detailed understanding of their target and serves as the foundation for planning and launching cyberattacks.

Active Footprinting
Definition: Active footprinting involves direct interaction with the target to gather information, such as probing open ports, performing vulnerability scans, or engaging with services.
Characteristics: More intrusive, as it actively sends requests or probes to the target. Typically involves scanning, probing, or querying target systems. May generate network traffic and logs on the target, potentially raising alerts.
Output: Specific, real-time information about the target's current state. Reveals open ports, services, and potential vulnerabilities. May trigger responses that aid OS or service identification.
Tools and Techniques: Port scanning, banner grabbing, vulnerability scanning, ICMP probing, DNS zone transfers, SMTP enumeration, SNMP enumeration, SMB enumeration, and more.
Purpose: Identify immediate weaknesses and vulnerabilities in the target. Helps prepare specific attacks by revealing potential entry points and misconfigurations.

Passive Footprinting
Definition: Passive footprinting collects information without directly interacting with the target. It relies on publicly available data and observed behaviors.
Characteristics: Non-intrusive and stealthy; involves no direct communication with the target. Gathers information from publicly accessible sources such as websites, social media, news articles, and public records.
Output: Historical and pre-existing information about the target, such as domain names, IP addresses, contact details, employee names, and affiliations. Often used for reconnaissance before active footprinting.
Tools and Techniques: Search engines, social media monitoring, web scraping, DNS queries, online databases, and open-source intelligence (OSINT) tools.
Purpose: Establishes a baseline understanding of the target's digital presence and public information. Aids in identifying potential attack vectors, targets, and areas for further investigation during active footprinting.

Active Footprinting Concepts

Port Scanning
Definition: Port scanning involves scanning a target system's network ports to determine which ports are open and potentially vulnerable to attack.
Expected Output: A list of open ports and their associated services.
Tools: Nmap, Masscan, Zenmap.

Banner Grabbing (Web Application/Database)
Definition: Banner grabbing is the process of connecting to open ports and capturing banners or service information that reveals software versions and configurations.
Expected Output: Information about the services running on open ports, including version numbers.
Tools: Telnet, Netcat, Nmap.

OS Fingerprinting
Definition: OS fingerprinting is the attempt to identify the operating system running on a target host by analyzing its responses to network probes.
Expected Output: Information about the target's operating system.
Tools: Nmap, p0f, Xprobe2.
Vulnerability Scanning
Definition: Vulnerability scanning involves using specialized tools to scan for known vulnerabilities in the target's software, services, and configurations.
Expected Output: A report listing identified vulnerabilities and their severity.
Tools: Nessus, OpenVAS, Qualys.

Ping Sweeping
Definition: Ping sweeping is the process of sending ICMP (Internet Control Message Protocol) echo requests to a range of IP addresses to determine which hosts are online.
Expected Output: A list of live hosts within the specified IP range.
Tools: ping, fping, Nmap.

Traceroute
Definition: Traceroute traces the path that network packets take from the source to the target, revealing the intermediate routers and network devices.
Expected Output: A list of routers and their IP addresses along the network path.
Tools: traceroute, MTR (My Traceroute), PathPing.

DNS Enumeration
Definition: DNS enumeration involves querying DNS servers to gather information about a target's domain names, subdomains, and DNS records.
Expected Output: A list of domain names, subdomains, and associated IP addresses.
Tools: nslookup, dig, dnsrecon.

Passive Footprinting Concepts

Google Hacking
Definition: Using advanced search queries in search engines like Google to discover sensitive or hidden information.
Expected Output: Information about vulnerable systems, login pages, exposed directories, and more.
Tools/Websites: Google Dorks, Google Hacking Database (GHDB).

Email Harvesting
Definition: Collecting email addresses associated with the target.
Expected Output: Lists of email addresses related to the organization or individuals.
Tools/Websites: theHarvester, Hunter.io, email-finding browser extensions.

WHOIS Lookup
Definition: Retrieving domain registration information.
Expected Output: Domain owner's name, contact information, registration date, and more.
Tools/Websites: WHOIS lookup tools, registrar websites.
Metadata Analysis
Definition: Extracting metadata from files (e.g., documents, images) to reveal hidden information.
Expected Output: Author names, software used, document history, geolocation data. (For a document this includes title, author, creation date, file size, and last modified date.)
Tools/Websites: ExifTool, online metadata analyzers.

robots.txt Analysis
Definition: Checking the robots.txt file on websites for information about restricted or allowed content.
Expected Output: URLs disallowed for web crawlers, revealing potentially sensitive areas.
Tools/Websites: Manually inspecting robots.txt, web crawler tools.

Archive Sites
Definition: Searching archived versions of websites to access historical data.
Expected Output: Historical content, design changes, and previous site configurations.
Tools/Websites: Archive.org, archive.is, web archive search engines.

Search Engine Cache
Definition: Accessing cached versions of web pages to retrieve historical data.
Expected Output: Previous versions of web pages, content changes over time.
Tools/Websites: Google Cache, Wayback Machine.

Social Media Profiling
Definition: Analyzing an organization's or individual's presence on social media platforms.
Expected Output: Information about employees, organizational structure, interests, and connections.
Tools/Websites: Social media platforms (LinkedIn, Facebook, Twitter), OSINT tools.

Note: robots.txt is a simple text file used by websites to instruct web crawlers and bots which parts of the site they can or cannot access. Web crawlers and bots are automated programs that systematically browse the web to index and retrieve content from websites.

Footprinting through Search Engines: Google Hacking
The use of specialized Google searches to find unusual information such as:
- Sites that may link back to the target's website
- Information about partners, vendors, suppliers, clients, etc.
- Error messages that contain sensitive information
- Files that contain passwords
- Sensitive directories
- Pages that contain hidden login portals
- Advisories and server vulnerabilities
- Software version information
- Web app source code

Google Dorking, also known as "Google hacking," is a technique that uses advanced search operators in Google to find hidden information, vulnerable websites, or sensitive data on the internet that is not intended to be public.
- Uses search strings with advanced operators
- Finds information not readily available on a website
- Can be used to find vulnerabilities, files containing passwords, lists of emails, log files, live camera feeds, and much more
- Considered an easy way of hacking

Operator   | Description                                                        | Example
intitle:   | find strings in the title of a page                                | intitle:"Your Text"
allintext: | find all terms in the title of a page                              | allintext:"Contact"
inurl:     | find strings in the URL of a page                                  | inurl:"news.php?id="
site:      | restrict a search to a particular site or domain                   | site:yeahhub.com "Keyword"
filetype:  | find specific types of files (doc, pdf, mp3 etc) by file extension | filetype:pdf "Cryptography"
link:      | search for all links to a site or URL                              | link:"example.com"
cache:     | display Google's cached copy of a page                             | cache:yeahhub.com
info:      | display summary information about a page                           | info:www.example.com

Example dorks:
- Camera feeds (live feeds from AXIS cameras): intitle:"Live View / - AXIS" | inurl:/mjpg/video.mjpg?timestamp
- Email lists contained in Excel files: filetype:xls inurl:"email.xls"
- Log files containing passwords and corresponding emails: filetype:log intext:password intext:(@gmail.com | @yahoo.com | @hotmail.com)
- Open FTP servers that can contain sensitive information: intext:"index of" inurl:ftp
- Results that match "accounting" from target.com, but NOT from marketing.target.com: site:target.com -site:marketing.target.com accounting
- Pages vulnerable to SQL injection attacks: inurl:".php?id=" intext:(error AND sql)
- Scanning reports (vulnerabilities in scanned systems): intitle:report (nessus | qualys) filetype:pdf
- SQL database dumps (contents of exposed databases, including usernames and passwords): intitle:"index of" "dump.sql"
List of popular Google Dorks: https://www.exploit-db.com/google-hacking-database/

Footprinting Through Social Networking Sites
Attackers use social networking sites to gain important and sensitive data about their target. They often create fake profiles on these social media sites, with the aim of luring their target and extracting sensitive information.
Employees may post:
- Personal information such as date of birth, educational and employment background, spouse's name, etc.
- Information about their company such as potential clients and business partners, trade secrets, websites, the company's upcoming news, mergers, acquisitions, etc.
Common social networking sites used: Facebook, MySpace, LinkedIn, Twitter, Pinterest, Google+, YouTube, Instagram
What can be learned:
- Present activity/physical location
- Job activities
- Company information
- Contact details: names, numbers, addresses, date of birth, photos
- Family and friends
- Property information
- Bank details
- Background and criminal checks

People Search Sites
Sites: CheckPeople, BeenVerified, Truthfinder, peopleWhiz, PeopleLooker, Intelius, Checkmate, Peoplefinders, IDtrue
A great source of personal and organizational information:
- Residential addresses, email addresses, phone number
- Satellite photos of residences
- Date of birth
- Photos and social networking profiles
- Friends/family/associates
- Hobbies/current activities/blogs
- Work information
- Projects and operating environment
- Travel details

Social Engineering: Computer Based and Human Based

Human-Based Social Engineering:
In human-based social engineering, the primary manipulator is a real person who interacts directly with the target. This can involve in-person communication, phone calls, or other forms of direct human interaction. This approach typically relies on social skills, persuasion, and the ability to build rapport with the target.
Manipulators may use techniques like pretexting (creating a fabricated scenario), impersonation, or tailgating (following an authorized person into a secure area) to achieve their goals. This approach is often more resource-intensive and may target a smaller number of individuals because it needs direct interaction.

Computer-Based Social Engineering:
Computer-based social engineering relies on automated or scripted methods, often using digital communication channels like email, messaging apps, or social media. There is no direct human interaction; the manipulation is carried out through written or automated messages. This approach relies on written communication and psychological tactics to trick the target. Common methods include phishing (sending deceptive emails to trick recipients into taking action), baiting (enticing targets to download malicious files), and pretexting through digital channels. It can be automated to reach a larger audience, making it possible to target many potential victims simultaneously.

Social engineering at this stage collects names, job titles, personal information, contact information, email addresses, etc. Remember: at this stage you want to be subtle and go unnoticed.
Techniques include:
- Casual face-to-face contact
- Trade show or public event
- Eavesdropping
- Shoulder surfing
- Dumpster diving
- Impersonation on social networking sites

Website Footprinting
Website footprinting, also known as web reconnaissance or information gathering, is the process of collecting information about a website, its infrastructure, and the associated web resources: monitoring and analyzing the target's website for information.
- Browse the target website
- Use Burp Suite, Zaproxy, Paros Proxy, Website Informer, Firebug, etc. to determine:
  - Connection status and content-type
  - Accept-Ranges and Last-Modified information
  - X-Powered-By information
  - Web server version
- Examine HTML sources
- Examine cookies
- Use OSINT to discover additional information about a website:
  - Identify personnel, hostnames, domain names, and useful data residing on exposed web servers
  - Search Google, Netcraft, Shodan, LinkedIn, PGP key servers, and other sites
  - Search known domain names and IP blocks
  - Search Google's cache

Web content scanner
- Looks for existing and hidden web objects
- Useful for finding hidden subdirectories in a web app
- Works by launching a dictionary-based attack against a web server and analyzing the response

Web vulnerability scanner
- Looks for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites
- Use it to find information that can be exposed through Google Dorking

Website mirroring
- Download an entire copy of the website to a local directory
- You can examine the entire website offline
- Helps gather information without making website requests that could be detected
- You can take your time searching
- Need to copy slowly
Tools: Website Ripper Copier, HTTrack Web Site Copier, Offline Explorer, SurfOffline Enterprise, Teleport Pro, Portable Offline Browser, WebWatcher

Archived sites
- Allow access to archived versions of the website
- Copies of the site as it was at the time
- You can find information that was subsequently deleted
- Archived sites may or may not include original downloads
- Also contain extensive content uploaded by the community
Tools: Archive.org

Email Footprinting
Tracking email can reveal:
- Recipient IP address
- Geolocation
- Whether the email was received and read
- Read duration
- Proxy detection
- Links
- OS and browser info
- Forwarded email
- Recipient device type
Reading the email source header can reveal:
- Address from which the message was sent
- Sender's mail server
- Authentication system used by the sender's mail server
- Date and time of the message
- Sender's name
It also reveals:
- Spoofed info
- Bogus links and phishing techniques
Tools: Zendio, EmailTrackerPro, PoliteMail, ReadNotify, Yesware, DidTheyReadit, ContactMonkey
Note: Spoofing refers to falsified or manipulated data that is intentionally presented to deceive or mislead systems, users, or entities. Examples: IP address spoofing, email spoofing, caller ID spoofing, DNS spoofing.

Whois Footprinting
WHOIS is a widely used query and response protocol. It is used to query databases that store the registered users or assignees of an Internet resource such as:
- Domain names
- IP address blocks
- Autonomous system numbers
The protocol stores and delivers database content in a human-readable format, and it is publicly available for use. (Source: domainnamestat.com)
WHOIS databases are maintained by Regional Internet Registries and hold personal information of domain owners.
A WHOIS query returns:
- Domain name and details
- Owner information
- DNS servers
- Network blocks
- Autonomous System Numbers
- When created
- Expiry
- Last update
This can aid an attacker or ethical hacker with social engineering.
Popular WHOIS lookup tools: whois.com, Domainnamestat.com, LanWhoIs, Batch IP Converter, CallerIP, WhoIs Lookup Multiple Addresses, WhoIs Analyzer Pro, HotWhoIs, ActiveWhoIs, WhoisThisDomain

DNS Footprinting
Attackers use DNS data to find key hosts on the target's network.
DNS record types:
- A: IPv4 host address
- AAAA: IPv6 host address
- MX: mail server
- NS: name server
- CNAME: alias
- SOA: authority for domain
- SRV: service records
- PTR: maps IP address to hostname
- RP: responsible person
- HINFO: host information record (CPU type/OS)
- TXT: unstructured text record
DNS query tools: nslookup, dig, host, whatsmydns.net, myDNSTools, Professional Toolset
Example nslookup query and its output:
    nslookup www.hackthissite.org
    Server:  192.168.63.2
    Address: 192.168.63.253
    Non-authoritative answer:
    Name:    www.hackthissite.org
    Address: 137.74.187.103
    Name:    www.hackthissite.org
    Address: 137.74.187.102
dig (Domain Information Groper) is used to query the DNS:
    dig www.example.com

Network Footprinting
    $ host -t a github.io   # or: nslookup <hostname>; retrieves the IP address for the hostname
    github.io has address 185.199.109.153

    $ whois 185.199.109.153   # returns the owner information for the address
    inetnum:        185.199.108.0 - 185.199.111.255
    netname:        US-GITHUB-20170413
    country:        US

    # extract and sort the IP address ranges associated with GitHub Inc.
    $ curl -s https://networksdb.io/ip-addresses-of/github-inc | grep 'IP Range' | awk '{print $3" - "$5}' | sort
    140.82.112.0 - 140.82.127.255
    148.62.46.150 - 148.62.46.151

Traceroute
- Discovers routers and firewalls along the path to a target
- Uses ICMP or UDP with an increasing TTL to elicit router identification
- Finds the IP address of the target firewall
- Helps map the target network
Online tools: https://www.monitis.com/traceroute/ and https://centralops.net/co/

Footprinting Countermeasures
- Recognize that once information is on the Internet, it might never fully disappear
- Perform OSINT (open-source intelligence) on yourself regularly to see what's out there
- Identify information that might be harmful
- When possible, go to the sites that publish that information and remove it
- Delete/deactivate unnecessary social media profiles
- Use an identity protection service
- Use Shodan and Google Dorks to search for exposed files and devices
- If any are discovered, implement protective measures
Note: OSINT (Open-Source Intelligence) refers to the process of gathering, analyzing, and utilizing publicly available information from a wide range of sources to derive actionable intelligence.
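Added example, not from the course slides: the "perform OSINT on yourself" countermeasure applied to the Website Footprinting points above (Server and X-Powered-By headers, robots.txt). It flags response headers that disclose the server product or its version and lists the paths a robots.txt advertises as off-limits; the header sets and the robots.txt are constructed samples, and fetch_headers is a hypothetical helper for running the same check against a site you are responsible for.

```python
import re
import urllib.request

# Response headers that hand a footprinting tool the server product, framework or version.
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version",
                      "X-AspNetMvc-Version", "X-Generator", "Via")
VERSION_RE = re.compile(r"\d+\.\d+")


def find_disclosures(headers):
    """Return (header, value, kind) for each disclosing header present;
    kind is 'version' when the value carries a version number, else 'product'."""
    by_name = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in DISCLOSING_HEADERS:
        value = by_name.get(name.lower())
        if value:
            kind = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, kind))
    return findings


def parse_robots(text):
    """Collect the paths a robots.txt asks crawlers to avoid. Each Disallow entry
    is a hint to anyone footprinting the site, so review every one for exposure."""
    rules = {"disallow": [], "allow": [], "sitemaps": []}
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")   # drop comments
        key, value = key.strip().lower(), value.strip()
        if key == "disallow" and value:
            rules["disallow"].append(value)
        elif key == "allow" and value:
            rules["allow"].append(value)
        elif key == "sitemap" and value:
            rules["sitemaps"].append(value)
    return rules


def fetch_headers(url, timeout=10):
    """Live check of a site you own (hypothetical helper, not used by the offline sample)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample data: what a default install and a hardened server would answer.
LEAKY_HEADERS = {
    "Date": "Tue, 05 Mar 2024 09:15:02 GMT",
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Last-Modified": "Mon, 04 Mar 2024 18:00:00 GMT",
}
HARDENED_HEADERS = {"Date": LEAKY_HEADERS["Date"], "Content-Type": "text/html", "Server": "Apache"}
SAMPLE_ROBOTS = """# constructed robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/   # old database exports
Allow: /public/
Sitemap: https://www.example.test/sitemap.xml
"""
```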
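Added example, not from the slides: reading the email source header as the Email Footprinting section describes, to recover the address the message was sent from, the sender's mail server, the authentication results and the date, and to turn them into the findings a responder would note when a message looks spoofed. The sample message, its hosts and its documentation-range IP addresses are constructed; trace_path, auth_results and assess are hypothetical names.

```python
import re
from email import message_from_string, policy

# "from <helo> (<rdns> [<ip>]) by <host>", the form most MTAs write into Received headers.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s*\[(?P<ip>[^\]]+)\]\)"
                    r"\s+by\s+(?P<by>\S+)")


def trace_path(raw):
    """Hops in delivery order, origin first: every MTA prepends its own Received
    header, so the bottom-most one names the first server that handled the message."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(received)
        if m:
            hop = m.groupdict()
            hop["date"] = received.rsplit(";", 1)[-1].strip()
            hops.append(hop)
    return hops


def auth_results(raw):
    """spf/dkim/dmarc verdicts recorded by the receiving server."""
    msg = message_from_string(raw, policy=policy.default)
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    return verdicts


def assess(raw):
    """Plain-language findings: where the message entered, and what did not line up."""
    msg = message_from_string(raw, policy=policy.default)
    findings, hops = [], trace_path(raw)
    if hops:
        first = hops[0]
        findings.append(f"origin {first['ip']} (HELO {first['helo']}, rDNS {first['rdns']}) at {first['date']}")
        if first["rdns"] == "unknown":
            findings.append("origin IP has no reverse DNS")
    for mech, verdict in auth_results(raw).items():
        if verdict != "pass":
            findings.append(f"{mech} did not pass ({verdict})")
    from_domain = str(msg["From"]).rsplit("@", 1)[-1].rstrip(">")
    msgid_domain = str(msg["Message-ID"] or "").rsplit("@", 1)[-1].rstrip(">")
    if msgid_domain and msgid_domain != from_domain:
        findings.append(f"Message-ID domain {msgid_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample: From: claims the company domain, while the Received chain and the
# receiving server's Authentication-Results say otherwise. IPs are documentation ranges.
RAW_EMAIL = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.10])
\tby inbox.example-corp.test with ESMTPS id abc123; Tue, 5 Mar 2024 09:15:02 +0000
Received: from bulk-sender.invalid (unknown [198.51.100.77])
\tby mx.example-corp.test with SMTP; Tue, 5 Mar 2024 09:15:01 +0000
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=example-corp.test;
\tdkim=none; dmarc=fail header.from=example-corp.test
From: "IT Helpdesk" <helpdesk@example-corp.test>
To: employee@example-corp.test
Subject: Password reset required
Date: Tue, 5 Mar 2024 09:14:55 +0000
Message-ID: <constructed-1@bulk-sender.invalid>

Your password expires today; reset it via the link.
"""
```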
Footprinting Countermeasures (cont'd)
- Set up a monitoring service such as Google Alerts to notify you if new information appears
- Train yourself (and your employees) to recognize the danger and be cautious about what you share on social media
- If possible, use a data protection solution to minimize data leakage from the company
- Turn off tracking features on your phone and configure privacy settings
- Disable location on photos you plan to post publicly on social media
- Remove metadata from images if you don't want others to know which device you used to capture them

Thank you. Any questions?
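Added example, not from the slides, for the last countermeasure: stripping the Exif/XMP, IPTC and comment segments from a JPEG before it is posted, without re-encoding the pixels. The walker is the general JPEG marker parser, so it also reports which segments a file carries before you strip it. The JPEG used is a constructed byte string with the segment layout of a phone photo, and strip_jpeg_metadata and segment_names are hypothetical names.

```python
import struct

SOS, EOI = 0xDA, 0xD9
KEEP_APP = {0xE0, 0xEE}   # APP0 (JFIF) and APP14 (Adobe colour transform) are needed to decode
NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT", 0xDA: "SOS", 0xFE: "COM"}


def iter_segments(data):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0x01, EOI) or 0xD0 <= marker <= 0xD8:   # standalone markers carry no length
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # counts its own 2 bytes
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:          # entropy-coded scan data follows; it is not parsed
            return
        pos = end


def segment_names(data):
    """Which segments a file carries, e.g. ['APP0', 'APP1', 'COM', 'DQT', 'SOS']."""
    return [f"APP{m - 0xE0}" if 0xE0 <= m <= 0xEF else NAMES.get(m, f"0x{m:02X}")
            for m, _, _ in iter_segments(data)]


def strip_jpeg_metadata(data):
    """Copy without Exif/XMP (APP1), IPTC (APP13), other APPn and COM segments.
    Pixels are untouched: DQT/DHT/SOF and everything from SOS on are copied verbatim."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        if (0xE0 <= marker <= 0xEF and marker not in KEEP_APP) or marker == 0xFE:
            continue                           # drop the metadata segment
        if marker == SOS:
            out += data[start:]                # scan header, scan data and EOI, unchanged
            break
        out += data[start:end]
    return bytes(out)


def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed stand-in for a phone photo: real marker layout, fake Exif and comment payloads,
# a 3-byte scan. Not a decodable picture, just enough structure to exercise the stripper.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08<constructed GPS and camera-serial tags>")
    + _seg(0xFE, b"Constructed-Cam 1.0 firmware")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
    + b"\xff\xd9"
)
```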