Module 02 - Footprinting and Reconnaissance PDF
Document Details
Uploaded by barrejamesteacher
null
EC-COUNCIL
Tags
Related
Summary
This document details the concepts of footprinting and reconnaissance in ethical hacking. It outlines different types of footprinting, including passive and active methods. The objective is to gather information about a target network for evaluation of its security posture.
Full Transcript
MODULE 02 FOOTPRINTING AND RECONNALIS EC-COUNCIL OFFICIAL CURRICULA This page is intentionally left blank. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconna...
MODULE 02 FOOTPRINTING AND RECONNALIS EC-COUNCIL OFFICIAL CURRICULA This page is intentionally left blank. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance LEARNING OBJECTIVES € LO#01: Explain Footprinting Concepts & LO#07: Use Different Techniques for Whois Footprinting € LO#02: Demonstrate Footprinting through Search Engines € LO#08: Use Different Techniques for DNS Footprinting € LO#03: Demonstrate Footprinting through Web Services € LO#09: Use Different Techniques for Network Footprinting € LO#04: Demonstrate Footprinting through Social Networking Sites € LO#10: Demonstrate Footprinting through Social Engineering & LO#05: Use Different Techniques for Website Footprinting € LO#11: Use Various Footprinting Tools € LO#06: Use Different Techniques for Email Footprinting € LO#12: Explain Footprinting Countermeasures Learning Objectives Footprinting is the first step in the evaluation of the security posture of the IT infrastructure of a target organization. Through footprinting and reconnaissance, one can gather maximum information about a computer system or a network and about any device connected to that network. In other words, footprinting provides a security profile blueprint for an organization and should be undertaken in a methodological manner. This module starts with an introduction to footprinting concepts and provides insights into the footprinting methodology. The module ends with an overview of footprinting tools and countermeasures. At the end of this module, you will be able to: = Describe footprinting concepts = Perform footprinting through search engines and using advanced Google hacking techniques = Perform footprinting through web services and social networking sites » Perform website footprinting and email footprinting = Perform Whois, DNS, and network footprinting = Perform footprinting through social engineering = Use different footprinting tools = Apply footprinting best practices Module 02 Page 103 Ethical Hacking and Countermeasures Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance LO#01: Explain Footprinting Concepts Footprinting Concepts This step acts as a preparatory phase for the attacker, who needs to gather as much information as possible to easily find ways to intrude into the target network. This section aims to familiarize you with footprinting, why it is necessary, and its objectives. Module 02 Page 104 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance What is Footprinting? C :E H Footprinting is the first step of any attack on information systems in which an attacker collects information about a target network to identify various ways to intrude into the system Types of Footprinting Passive Footprinting Active Footprinting Gathering information about Gathering information about the target without direct the target with direct interaction interaction What is Footprinting? An essential aspect of footprinting is identifying the level of risk associated with the organization’s publicly accessible information. Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization’s network. After you complete the footprinting process in a methodological manner, you will obtain the blueprint of the security profile of the target organization. Here, the term “blueprint” refers to the unique system profile of the target organization acquired by footprinting. There is no single methodology for footprinting, as information can be traced in a number of ways. However, the activity is important, as you need to gather all the crucial information about the target organization before beginning the hacking phase. For this reason, footprinting needs to be carried out in an organized manner. The information gathered in this step helps in uncovering vulnerabilities existing in the target network and in identifying different ways of exploiting these vulnerabilities. Types of Footprinting Footprinting can be categorized into passive footprinting and active footprinting. = Passive Footprinting Passive footprinting involves gathering information about the target without direct interaction. It is mainly useful when the information gathering activities are not to be detected by the target. Performing passive footprinting is technically difficult, as active traffic is not sent to the target organization from a host or anonymous hosts or services Module 02 Page 105 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance over the Internet. We can only collect archived and stored information about the target using search engines, social networking sites, and so on. = Active Footprinting Active footprinting involves gathering information about the target with direct interaction. In active footprinting, the target may recognize the ongoing information gathering process, as we overtly interact with the target network. Active footprinting requires more preparation than passive footprinting, as it may leave traces that may alert the target organization. Module 02 Page 106 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Information Obtained in Footprinting @ © 1 1 1 | | 1l 1 | 1 | 1 Organization information Network information 1 System information 1 1 Employee details @ Domain and sub-domains 1 : @ Web server OS 1. Telephone numbers @ Network blocks i @ Location of web servers | 1 Branch and location details © Network topology, trusted 1 © Publicly available email 1 Background of the routers, and firewalls | addresses 1 organization © IP addresses of the reachable ! @ Usernames and passwords systems | Web technologies | 1. @ Whois records 1 News articles, press releases, | | | and related documents @ DNS records 1 1 Information Obtained in Footprinting The major objectives of footprinting include collecting the network information, system information, and organizational information of the target. By conducting footprinting across different network levels, you can gain information such as network blocks, specific IP addresses, employee details, and so on. Such information can help attackers in gaining access to sensitive data or performing various attacks on the target network. Organization Information: The information about an organization is available from its website. In addition, you can query the target’s domain name against the Whois database a nd obtain valuable information. T he information collected includes: (@) Employee details (employee names, contact addresses, designations, and work experience) Addresses and mobile/telephone numbers Branch and location details Partners of the organization Web links to other company-related sites Background of the organization Web technologies News articles, press releases, and related documents Legal documents related to the organization Module 02 Page 107 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance o Patents and trademarks related to the organization Attackers can access organizational information and use such information to identify key personnel and launch social engineering attacks to extract sensitive data about the entity. = Network Information: You can gather network information by performing Whois database analysis, trace routing, and so on. The information collected includes: o Domain and sub-domains o Network blocks o Network topology, trusted routers, and firewalls o |IP addresses of the reachable systems o Whois records o DNS records and related information = System Information: You can gather system information by performing network footprinting, DNS footprinting, website footprinting, email footprinting, and so on. The information collected includes: o Web server OS o Location of web servers o Publicly available email addresses o Usernames, passwords, and so on. Objectives of Footprinting To build a hacking strategy, attackers must gather information about the target organization’s network. They then use such information to identify the easiest way to break through the organization's security perimeter. As mentioned previously, the footprinting methodology makes it easy to gather information about the target organization and plays a vital role in the hacking process. Footprinting provides an outline of the security posture, such as the placement of firewalls, proxies, and other security solutions. Hackers can analyze the footprinting report to identify loopholes in the security posture of the target organization and build a hacking plan accordingly. By using a combination of tools and techniques, attackers can take an unknown entity (for example, XYZ Organization) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet, in addition to other details pertaining to its security posture. A detailed footprint provides maximal information about the target organization, allowing the attacker to identify vulnerabilities in the target systems to select appropriate exploits. Attackers can build their own information database regarding the security weaknesses of the target Module 02 Page 108 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance organization. Such a database can then help in identifying the weakest link in the organization’s security perimeter. Footprinting Threats The following are assorted threats made possible through footprinting: Social Engineering: Without using any intrusion methods, hackers directly and indirectly collect information through persuasion and other means. Hackers gather crucial information from willing employees who are unaware of the hackers’ intent. System and Network Attacks: Footprinting enables an attacker to perform system and network attacks. Thus, attackers can gather information related to the target organization’s system configuration, the operating system running on the machine, and so on. Using this information, attackers can find vulnerabilities in the target system and then exploit such vulnerabilities. They can then take control of a target system or the entire network. Information Leakage: Information leakage poses a threat to any organization. If sensitive information of an entity falls into the hands of attackers, they can mount an attack based on the information or alternatively use it for monetary benefit. Privacy Loss: Through footprinting, hackers can access the systems and networks of the organization and even escalate the privileges up to admin levels, resulting in the loss of privacy for the organization as a whole and for its individual personnel. Corporate Espionage: Corporate espionage is a central threat to organizations, as competitors often aim to attempt to acquire sensitive data through footprinting. Through this approach, competitors can launch similar products in the market, alter prices, and generally undermine the market position of a target organization. Business Loss: Footprinting can have a major effect on organizations such as online businesses and other e-commerce websites as well as banking and finance-related businesses. Billions of dollars are lost every year due to malicious attacks by hackers. Module 02 Page 109 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Footprinting Methodology. cooserctins reamases | EH. —{ People Search Services 1 ‘_‘_l e Beder Google Hacking Database and Google 4 Footprinting through [ Advanced Search ] '—{ Financial Services and Job Sites ] Search Engines —— Video, Meta, FTP, and loT Search Engines ]._4 Deep and Dark Web Footprinting 1 Footprinting through = " and ] WebServices | _J e rofia Shes } [ — Social Engineering ] - Monitor Alerts and Online Reputation —{ Footprinting through }——- Social Media Sites ] _‘1 ] Social Networking Sites L Groups, Forums, Blogs, and NNTP 1 o | Analyzing Social Network Graphs ] Usenet Newsgroups —( bsite Footprinting J —t{ Public Source Code Repositories } ' Track Email Communication J Footprinting )_ | Analyze Emall Header ] —{ Web Spidering and Website Mirroring ] Techniques o '—+ Internet Archive 1 W Whols Lookup ] { Whois Foo!pdnfing J.—E.—{ Extract Links, Wordlist, and Metadata ] IP Geolocation Lookup ] - Monitor Web Page Updates and ] ¢ Website Traffic DNS Footprinting ONS Interrogation ) Reverse DNS Lookup ‘ _{ Eaves g ] —{ Network Footprinting pa— ] — shoulder Surfing ] N Tracerout: Dumpster Diving ( Footprinting through W —_— ] _4 ] Social Engineering | Impersonation ] Footprinting Methodology Now that you are familiar with footprinting concepts and potential threats, we will discuss the footprinting methodology. The footprinting methodology is a procedure for collecting information about a target organization from all available sources. It involves gathering information about a target organization, such as URLs, locations, establishment details, number of employees, specific range of domain names, contact information, and other related information. Attackers collect this information from publicly accessible sources such as search engines, social networking sites, Whois databases, and so on. The diagram given below illustrates the common techniques used to collect information about the target organization from different sources. Module 02 Page 110 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance —( Advanced Google Hacking Techniques ] —[ People Search Services | Footprinting through Search Engines Google Hacking Database and Google Advanced Search | —[ Financial Services and Job Sites l Footprinting through L Video, Meta, FTP, and IoT Search Engines | | Deepand Dark Web Footprinting I Competitive Intelligence and Business Web Services Profile Sites Social Engineering Footprinting through I Monitor Alerts and Online Reputation | Social Media Sites Social Networking Sites Groups, Forums, Blogs, and NNTP Analyzing Social Network Graphs Usenet Newsgroups Website Footprinting L public Source Code Repositories | Track Email Communication Footprinting Email Footprinting Analyze Email Header —{ Web Spidering and Website Mirroring | Techniques — Internet Archive | Whols Lookup Whois Footprinting —{ Extract Links, Wordlist, and Metadata | IP Geolocation Lookup _{ Monitor Web Page Updates and l Website Traffic DNS Footprinting DNS Interrogation ] Reverse DNS Lookup ] _{ Eavesdropping I Network Footprinting PP —res ] — Shoulder Surfing | E Tracerout:. J — Dumpster Diving | Footprinting through b Social Engineering Impersonation I Figure 2.1: Footprinting Techniques Module 02 Page 111 Ethical Hacking and Countermeasures Copyright © by Eg-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance LO#02: Demonstrate Footprinting through Search Engines Footprinting through Search Engines I Attackers use search engines to extract information about a target, such as employed technology platforms, employee details, login pages, and intranet portals, which help the attacker to perform social engineering and other types of advanced system attacks 2 Major search engines: @ Google b Bing yarioor @D Aol. Baims... 1 Attackers can use advanced search operators available with these search engines and create complex queries to find, filter, and sort specific information about the target 2 Search engines are also used to find other sources of publically accessible information resources, e.g., you can type “top job portals” to find major job portals that provide critical information about the target organization Footprinting through Search Engines Search engines are the main sources of key information about a target organization. They play a major role in extracting critical details about a target from the Internet. Search engines use automated software, i.e., crawlers, to continuously scan active websites and add the retrieved results in the search engine index that is further stored in a massive database. When a user queries the search engine index, it returns a list of Search Engine Results Pages (SERPs). These Module 02 Page 112 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance results include web pages, videos, images, and many different file types ranked and displayed according to their relevance. Many search engines can extract target organization information such as technology platforms, employee details, login pages, intranet portals, contact information, and so on. The information helps the attacker in performing social engineering and other types of advanced system attacks. A Google search could reveal submissions to forums by security personnel, disclosing the brands of firewalls or antivirus software used by the target. This information helps the attacker in identifying vulnerabilities in such security controls. For example, consider an organization, perhaps Microsoft. Type Microsoft in the Search box of a search engine and press Enter; this will display the results containing information about Microsoft. Browsing the results often provides critical information such as physical location, contact addresses, services offered, number of employees, and so on, which may prove to be a valuable source for hacking. Examples of major search engines include Google, Bing, Yahoo, Ask, Aol, Baidu, WolframAlpha, and DuckDuckGo. Attackers can use advanced search operators available with these search engines and create complex queries to find, filter, and sort specific information regarding the target. Search engines are also used to find other sources of publicly accessible information. For example, you can type “top job portals” to find major job portals that provide critical information about the target organization. As an ethical hacker, if you find any deleted pages/information about your company in SERPs or the search engine cache, you can request the search engine to remove the pages/information from its indexed cache. Module 02 Page 113 Ethical Hacking and Countermeasures Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Footprinting Using Advanced Google Hacking Techniques C lE H 1) Google hacking refers to the use of advanced Google search operators for creating complexsearch queries to extract sensitive or hidden information that helps attackers find vulnerable targets Popular Google advanced search operators Displays the web pages stored in the Google [allintitle:] Restricts the results to those websites [cache:] cache i containing all the search keywords in the title (link:] Lists web pages that have links to the specified i : Restricts the results to documents containing web page flotite:} the search keyword in the title [related:] Lists web pages that are similar to the specified (allinurk] Restricts the results to those containingall the web page : search keywords in the URL [info:] Presents some information that Google has [inur] Restricts the results to documents containing about a particular web page AR the search keyword in the URL Restricts the results to those websites in the [site:] given domain [location:] Finds information for a specific location Copyright © by All Rights Reserved. Reproductionis Strictly Prohibited Footprinting Using Advanced Google Hacking Techniques Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information. The accessed information is then used by attackers to find vulnerable targets. Footprinting using advanced Google hacking techniques involves locating specific strings of text within search results using advanced operators in the Google search engine. Advanced Google hacking refers to the art of creating complex search engine queries. Queries can retrieve valuable data about a target company from Google search results. Through Google hacking, an attacker tries to find websites that are vulnerable to exploitation. Attackers can use the Google Hacking Database (GHDB), a database of queries, to identify sensitive data. Google operators help in finding the required text and avoiding irrelevant data. Using advanced Google operators, attackers can locate specific strings of text such as specific versions of vulnerable web applications. When a query without advanced search operators is specified, Google traces the search terms in any part of the webpage, including the title, text, URL, digital files, and so on. To confine a search, Google offers advanced search operators. These search operators help to narrow down the search query and obtain the most relevant and accurate output. The syntax to use an advanced search operator is as follows: operator: search_term Note: Do not enter any spaces between the operator and the query. Module 02 Page 114 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Some popular Google advanced search operators include: Source: https://www.googleguide.com site: This operator restricts search results to the specified site or domain. For example, the [games site: www.certifiedhacker.com] query gives information on games from the certifiedhacker site. allinurl: This operator restricts results to only the pages containing all the query terms specified in the URL. For example, the [allinurl: google career] query returns only pages containing the words “google” and “career” in the URL. inurl: This operator restricts the results to only the pages containing the specified word in the URL. For example, the [inurl: copy site:www.google.com] query returns only Google pages in which the URL has the word “copy.” allintitle: This operator restricts results to only the pages containing all the query terms specified in the title. For example, the [allintitle: detect malware] query returns only pages containing the words “detect” and “malware” in the title. intitle: This operator restricts results to only the pages containing the specified term in the title. For example, the [malware detection intitle:help] query returns only pages that have the term “help” in the title, and the terms “malware” and “detection” anywhere within the page. inanchor: This operator restricts results to only the pages containing the query terms specified in the anchor text on links to the page. For example, the [Anti-virus inanchor:Norton] query returns only pages with anchor text on links to the pages containing the word “Norton” and the page containing the word “Anti-virus.” allinanchor: This operator restricts results to only the pages containing all query terms specified in the anchor text on links to the pages. For example, the [allinanchor: best cloud service provider] query returns only pages for which the anchor text on links to the pages contains the words “best,” “cloud,” “service,” and “provider.” cache: This operator displays Google's cached version of a web page instead of the current version of the web page. For example, [cache:www.eff.org] will show Google’s cached version of the Electronic Frontier Foundation home page. Module 02 Page 115 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance link: This operator searches websites or pages that contain links to the specified website or page. For example, [link:www.googleguide.com] finds pages that point to Google Guide’s home page. Note: According to Google’s documentation, “you cannot combine a link: search with a regular keyword search.” Also note that when you combine link: with another advanced operator, Google may not return all the pages that match. related: This operator displays websites that are similar or related to the URL specified. For example, [related:www.microsoft.com] provides the Google search engine results page with websites similar to microsoft.com. info: This operator finds information for the specified web page. For example, [info:gothotel.com] provides information about the national hotel directory GotHotel.com home page. location: This operator finds information for a specific location. For example, [location: 4 seasons restaurant] will give you results based on the term “4 seasons restaurant.” filetype: This operator allows you to search for results based on a file extension. For Example, [jasmine:jpg] will provide jpg files based on jasmine. What can a Hacker Do with Google Hacking? An attacker can create complex search-engine queries to filter large amounts of search results to obtain information related to computer security. The attacker can use Google operators to locate specific strings of text within search results. Thus, the attacker can not only detect websites and web servers that are vulnerable to exploitation but also locate private and sensitive information about the target. Once a vulnerable site is identified, attackers attempt to launch various possible attacks, such as buffer overflow and SQL injection, which compromise information security. Examples of sensitive information on public servers that an attacker can extract with the help of Google Hacking Database (GHDB) queries include: Error messages that contain sensitive information Files containing passwords Sensitive directories Pages containing logon portals Pages containing network or vulnerability data, such as IDS, firewall logs, and configurations Advisories and server vulnerabilities Module 02 Page 116 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Software version information Web application source code Connected IoT devices and their control panels, if unprotected Hidden web pages such as intranet and VPN services Example: Use Google Advance Operator syntax [intitle:intranet inurl:intranet +intext:”human resources”] to find sensitive information about a target organization and its employees. Attackers use the gathered information to perform social engineering attacks. The screenshot below shows a Google search engine results page displaying the results for the query mentioned above. G [intitlesintranet inurkintranet +int X + &« > C @ google.com/search?q=%5Bintitle%3Aintranet+inuri%3Aintranet+%2Bintext%3A... Q ©» Google I[intitle:intfanet inurliintranet +intext"human resources’| X & Q Q Al () Images @ News Q Shopping [3) Videos i More Tools About 15,500 results (0.65 seconds) https://ehs.Ibl.gov » resource > intranet Intranet (Staff Only) - Environment, Health & Safety This page is for EHS Employees and Guests. If you have any questions or comments, send us feedback by using the Admin Help Desk form. https://axerosolutions.com » Blog HR Intranet: 10 Benefits of an Intranet for Human Resources An HR intranet is excellent for sharing typical HR documents, ranging from health insurance documents, scheduling, contact information, and training manuals. By. https://www.claromentis.com » intranet-departments » h... Human Resources - HR Intranet Software - Claromentis Intranet software for human resources teams. Improve information sharing, streamline processes, and onboard new employees with our HR intranet software. https:/thehrcompany.ie » HR Support for Corporations Human Resources Intranet - The HR Company Human Resources Intranet — used properly, it can be a powerful tool for saving time and reducing costs. A HR intranet is a proper use of new technology. Figure 2.2: Search engine results for given Google Advance Operator syntax Module 02 Page 117 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Google Hacking Database C:E H 'J The Google Hacking Database €« C & epbtddoom T M 2 (GHDB) is an authoritative source for querying the ever- widening reach of the Google search engine J Attackers use Google dorks in Google advanced search operators to extract sensitive Versied [ ) has Ag information about their target, such as vulnerable servers, pou| 13~ error messages, sensitive files, login pages, and websites EXPLOIT »~ DATABASE hetps/fwww. npu-aa com Google Hacking Database Source: https://www.exploit-db.com The Google Hacking Database (GHDB) is an authoritative source for querying the ever-widening scope of the Google search engine. In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords. The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Using GHDB dorks, attackers can rapidly identify all the publicly available exploits and vulnerabilities of the target organization’s IT infrastructure. Attackers use Google dorks in Google advanced search operators to extract sensitive information about the target, such as vulnerable servers, error messages, sensitive files, login pages, and websites. Google Hacking Database Categories: = Footholds = Files Containing Juicy Info = Files Containing Usernames = Files Containing Passwords = Sensitive Directories = Sensitive Online Shopping Info = Web Server Detection = Network or Vulnerability Data = Vulnerable Files = Pages Containing Login Portals = Vulnerable Servers = Various Online Devices = Error Messages = Advisories and Vulnerabilities Module 02 Page 118 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance o Type Platform Author Port Tag Any - Any - Begin typing.» Any - Any - ol Advanced Verified Has App Y Filters Y Reset All Show| 15 v Search 2022-03-02 # X Printix Client 1.3.1106.0 - Remote Code Execution (RCE) Remote Windows Logan Latvala Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Momen 20220302 # X. WebApps Multiple ) Scripting (XSS) Eldawakhly 2022-03-02 * X Prowise Reflect v1.0.9 - Remote Keystroke Injection Remote Windows Rik Lutz 2022-03-02 & X Xerte 3.9 - Remote Code Execution (RCE) (Authenticated) WebApps PHP Rik Lutz 2022-03-02 % X Xerte 3.10.3 - Directory Traversal (Authenticated) WebApps PHP Rik Lutz Momen 2022-02-28 & X WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation Remote Hardware Eldawakhly zIdawe Figure 2.3: Screenshot of Google Hacking Database Attackers can also use SearchSploit, which is a command-line search tool for Exploit-DB that allows taking a copy of the Exploit database for remote use. It allows attackers to perform detailed offline searches through their locally checked-out copy of the repository. This capability is particularly useful for security assessments of segregated or air-gapped networks without Internet access. Module 02 Page 119 Ethical Hacking and Countermeasures Copyright © by E@-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance inurl:"/sslvpn_logon.shtml" intitle:"User Authentication" "WatchGuard Technologies" | Finds pages containing login portals inurl:/sslvpn/Login/Login Finds VPN login portals site:vpn.*.*/intitle:"login" intext:Please Login SSL VPN inurl:remote/login Finds Fortinet VPN login pages intext:FortiClient site:vpn.*.*/intext:"login" intitle:"login" Retrieves various VPN login pages intitle:"index of" /etc/openvpn/ Retrieves juicy informationand sensitive directories "---—-BEGIN OpenVPN Static key V1-—-" ext:key Finds OpenVPN static keys intitle:"index of" "vpn-config.*" Retrieves juicy informationabout the vpn-configfile Index of / i Finds OpenVPN configuration files, some certificates, and. *.ovpn keys inurl:"/vpn/tmindex.html" vpn Finds Netscaler and Citrix Gateway VPN login portals intitle:"SSL VPN Service" + intext:"Your system administrator provided the following Finds Cisco ASA login web pages information to help understand and remedy the security conditions:" Metps://www.exploit-db.com VPN Footprinting through Google Hacking Database Google hacking operators or Google dorks can be used for footprinting virtual private networks (VPNs). They provide information such as pages containing login portals and directories with keys of VPN servers. The following tables summarize some Google hacking operators or Google dorks that are used to obtain specific information for VPN footprinting. Google Dork Description inurl:"/sslvpn_logon.shtml" intitle:"User Authentication" "WatchGuard Technologies” Finds pages containing login portals inurl:/sslvpn/Login/Login Finds VPN login portals site:vpn.*.*/ intitle:"login" inurl:weblogin intitle:("USG20-VPN" | "USG20W- VPN" | USG40|USG40W | USG60 | USG60W |USG110|USG210|U | Finds hosts with the Zyxel hardcoded $G310|USG1100| USG1900 | USG2200|"ZyWALL110"|"ZyWALL | password vulnerability 310"|"ZyWALL1100" | ATP100 | ATP100W | ATP200 | ATP500 | AT P700|ATP800 | VPN50|VPN100 | VPN300|VPNOOO|"FLEX") intext:Please Login SSL VPN inurl:remote/login. - Finds Fortinet VPN login pages intext:FortiClient site:vpn.*.*/ intext:"login" intitle:"login" Retrieves various VPN login pages Retrieves juicy information and intitle:"index of" /etc/openvpn/ sensitive directories Module 02 Page 120 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance ".----BEGIN OpenVPN Static key V1-----" ext:key Finds OpenVPN static keys Retrieves juicy information about the intitle:"ind " fig.*" nutie:"incex of” “vpn-contig vpn-config file Finds OpenVPN configuration files, Ind fftp.txt" intext:"index of" "ftp" Finds files containing juicy information inurl:WS_FTP.log intitle:sindex.of /cftp /robots.txt intitle: "Index of ftp passwords" Finds files containing passwords inurl: /ftp intitle:" office" Detects the web server inurl:/web-ftp.cgi site:sftp.*.*/ intext:"login" intitle:"server Finds pages containing login portals login" Finds the “ws_ftp.ini” file, which contain usernames intitle:"Index of" ws_ftp.ini and passwords of FTP users inurl:ftp -inurl:(http | https) Finds archived email conversations, at times revealing intext:" @gmail.com" intext:subject full credit-card numbers and customer information as fwd| confidential |important | CARD | cvv well as private company emails Detects various pages of CrushFTP Weblinterface, allintitle:"CrushFTP Webinterface" which includes login portals as well password reset/recovery page "ws_ftp.log" ext:log Finds sensitive directories intitle:"Monsta ftp" intext:"Lock session Shows websites that use the FTP service of Monsta to IP" FTP "index of" /ftp/logs Finds potential log files intitle:"index of" inurl:ftp intext:admin Lists admin folders on FTP servers Table 2.2: Google search queries to find FTP servers Module 02 Page 129 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance As shown in the screenshot, attackers can use NAPALM FTP Indexer, an online tool, to search for critical files and documents related to the target domain. § NAPALM FTP Indexer X + & - C @& searchftps.net ll'-!?g. Im»crosofl With all the words v Q Search I Showing results 0 to 19 of about 10000 for “microsoft* Order DateDesc DateAsc SizeDesc SzeAsc None Related keywords « microsoft * pub » ubunty * pool e main s Mmono « libmono o gl e al « deb « dfsg « linux « fedora « releases « Everything » Packages e noarch « mm « 4ubuntut o 1c35 * php + apache « airflow * providers » system e json « microsoft4 « build4 « 2arch64 * golang LAMfedora/linux/releases/35/Everything/aarché4/os/Packa: L = ol analol / 114.4KB golang-github-microsoft-opengcs-devel-0.3.9-7.fc35.noarch.rpm Last chequed: 2022-02-28 21:01 Similar files: [Browse) /publlinux/fedora/linux/releases/35/Everything/x86_64/os/Packages/g/ 1144 KB golang-github-microsoft-opengcs-devel-0.3.9-7.fc35.noarch.rpm Last chequed: 2022-02-28 20:59 Similar files: [Browse] L.mirrors/gentoo-portage/licenses/ 259 KB microsoft-edge Last chequed: 2022-02-28 21:01 Similar files: [Browse) LAfedoralinuxireleases/3S/Everything/aarchd/os/Packages/al 43.9KB Last chequed: 2022-02-28 21:01 Similar files: [Browse) los/fedora.old/releases/29/Everything/aarché4/os/Packages/p/ 80.2KB php-microsoft-tolerant-php-parser-0.0.15-1.fc29.noarch.rpm Last chequed: 2022-02-28 21:00 Similar files: [Browse) /publlinux/fedora/linux/releases/35/Everything/x86_64/os/Packages/p/ 85.0 KB php-microsoft-tolerant-php-parser-0.1.1-1.fc35.noarch.rpm Last chequed: 2022-02-28 21:01 Similar files: [Browse) Imisc/apache/airflow/providers/ 111.2KB apache_airflow_providers_microsoft_azure-3.6.0-py3-none-any.whl Last chequed: 2022-02-28 20:59 Similar files: [Browse] Imisc/apache/airflow/providers/ 62.1 KB apache-airflow-providers-microsoft-azure-3.6.0.tar.gz Figure 2.10: Screenshot of the FTP search engine NAPALM FTP Indexer showing search results for “microsoft” Gathering Information from loT Search Engines Internet of Things (I0T) search engines crawl the Internet for |oT devices that are publicly accessible. Through a basic search on these search engines, an attacker can gain control of Supervisory Control and Data Acquisition (SCADA) systems, traffic control systems, Internet-connected household appliances, industrial appliances, CCTV cameras, etc. Many of these 0T devices are unsecured, i.e., they are without passwords or they use the default credentials, which can be exploited easily by attackers. Module 02 Page 130 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance With the help of 10T search engines such as Shodan, Censys, and Thingful, attackers can obtain information such as the manufacturer details, geographical location, IP address, hostname, and open ports of the target |oT device. Using this information, the attacker can establish a back door to the loT devices and gain access to them to launch further attacks. As shown in the screenshot, attackers can use Shodan to find all the loT devices of the target organization that are having open ports and services. @ SCADA - Shodan Search X + &~ C @ shodan.io/search?query=SCADA Q 1P " ¥ A& 0'. SHODAN Explore Pricing & SCADA n n TOTAL RESULT e bt e SN &4 View Report (& Browse Images (I View on Map 1 ,841 New Service: Keep track of what you have connected to the Intemnet. Check out Shodan Monitor INTRIE 217.145.94.14 o == UNNAMED Varna Ne 220 scada FTP server (Version 6.4/0penBSO/[email protected]) ready. P o. Varna Net OLEG £30 Login Incorrect. A zone 214+ The following comands are recognized (* «>'s unlsplemented). v & - Buigara Vams USER PORT MOOf MSND* REST XM MELP PWD MOTH Pass Pasv RETR MEOM R LISY NOOP X0 Switzerland 213 101.53.156.195 2022 T 84T Belgium 197 @2e-56-105 ssdcioud Katka Broker nda net United States 10 E2E Netwworks Private Limted Toples: Russian Federation 95 T india, Membai obC-hls tor Ical-Co%aePbed 1655 2a00GE9CE) T oC-historical -6adeda Lede b1 10664 )50¢ India 51 CPONMSNT MOATA testArray More. opcRasOata OPCRAMDATASTAGEL ~ odbC-h 4966271007 51 et S ,,,,,,,,,,,, - b 80 87 e 443 16 9000 20 8021 es 50000 ez More. P ORGANIZATION! Pragra: no-cache Last-Moditled:fri, 6 Fed 2105 6:28:15 GMT Swisscom (Schweiz) AG 200 Cxplres:Mon, 7 Mar 2022 23:4:22 GO Orange Belgium SA 196 Linode e’ +/ BAS SCADA Softline Trade JSC €5 7” DNA Oyj 29 More. X Remote Desktop Protocol 71 Comnection: close Content-Type: text/html Microsoft RPC Endpoint Content-Length: 879 Mapper 30 Last-Modlfled: Tue,... MS-SQL Server 19 Figure 2.11: Screenshot of Shodan showing search results for SCADA devices Module 02 Page 131 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Q @ * » 2 217.145.94.14 @ General Information Hostnames B SRS Bulgaria Varna A Figure 2.12: Screenshot of Shodan showing open ports and services of a SCADA system Module 02 Page 132 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance LO#03: Demonstrate Footprinting through Web Services Footprinting through Web Services Web services such as people search services can provide sensitive information about the target. Social networking sites, people search services, alerting services, financial services, and job sites provide information about a target such as infrastructure details, physical location, and employee details. Using this information, an attacker may build a hacking strategy to break into the target organization’s network and carry out other types of advanced system attacks. This section aims to familiarize you with finding the target company’s top-level domains, sub- domains, and geographical location, performing people search on social networking sites and people search services, gathering information from job sites, financial services, third-party data repositories, performing deep and dark web footprinting, determining the operating system, VOIP and VPN footprinting through Shodan, gathering competitive intelligence, etc. Module 02 Page 133 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Finding a Company’s Top-Level Domains (TLDs) and Sub-domains C |E H [T 1 Search for the target Hercrarr company’s external URL in Hostnames matching microsoft.com a search engine, such as » Q Search weh srother patiens? Google and Bing 'J Sub-domains provide an 446 results (showing 1 1o 20) insight into different departments and business unitsin an organization 'J You may find a company’s sub-domains by trial and error method or using a service such as https://www.netcraft.com ‘& You can use the Sublist3r python script, which enumerates subdomains across multiple sources at once hitps://www.netcroft.com https//github.com Copyright © by All Rights Reserved. Reproduction is Strictly Prohibited. Finding a Company’s Top-Level Domains (TLDs) and Sub-domains A company's top-level domains (TLDs) and sub-domains can provide a large amount of useful information to an attacker. A public website is designed to show the presence of an organization on the Internet. It is available for free public access. It is designed to attract customers and partners. It may contain information such as organizational history, services and products, and contact information. The target organization’s external URL can be located with the help of search engines such as Google and Bing. Module 02 Page 134 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance & = o X G domains owned by microsoft- ¢ X = == < (¢] 8 google.com/search?q=domains+owned +by+microsoft&riz=1C1GCEU_enIN888I.. Q@ © % N & G."\'gle |domains owned by microsoft | X 4 Q Q Al @ News (2 Images Q Shopping [3) Videos i More Tools About 13,10,00,000 results (0.71 seconds) https://en.everybodywiki.com > List_of_Microsoft_do. List of Microsoft domains - EverybodyWiki Bios & Wiki Brand Domain Launch date Bing bing.com January 29, 1996 Bing bing.net September 3, 1997 Bing bing.co.uk May 19, 1999 View 86 more rows People also ask What domains are owned by Microsoft? v What are Microsoft domains? v How many domains Microsoft have? v What email domains does Microsoft use? v Feedback hitps:/vvww.namepros.com > NamePros Blog Ten Great Domain Names Owned by Microsoft - NamePros... 02-Aug-2017 — Live.com is one of Microsoft's most famous domains. According to Alexa, the domain has a global Alexa ranking of sixteen https://docs.microsoft.com»... > Manage domains Buy a domain name - Microsoft 365 admin 22-Feb-2022 — Sign in and go to Settings > Domains > Buy a domain. In the admin center, go ha Natltinen + PMomealne nana Ao the Poccalee nnma aaland Nin. Figure 2.13: Google search engine showing search results for domains owned by Microsoft The sub-domain is available to only a few people. These persons may be employees of an organization or members of a department. In many organizations, website administrators create sub-domains to test new technologies before deploying them on the main website. Generally, these sub-domains are in the testing stage and are insecure; hence, they are more vulnerable to various exploitations. Sub-domains provide insights into the different departments and business units in an organization. Identifying such sub-domains may reveal critical information regarding the target, such as the source code of the website and documents on the webserver. Access restrictions can be applied based on the IP address, domain or subnet, username, and password. The sub-domain helps to access the private functions of an organization. Most organizations use common formats for sub-domains. Therefore, a hacker who knows the external URL of a company can often discover the sub-domain through trial and error, or by using a service such as Netcraft. Module 02 Page 135 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance You can also use the advanced Google search operator shown below to identify all the sub- domains of the target: site:microsoft.com -inurl:www G sitemicrosoftcom -inurkwww - ¢ X = & > C @ google.com/search?q=site¥%3Amicrosoft.com+-inur%3Awww&riz=1C1IGCEUen.. @ 12 W H» & mfle [site:microsoft com -inurl www] X & Q QAI [ Images @ News Q Shopping © Maps : More Tools About 3,68,00,000 resuits (0.45 seconds) https://careers.microsoft.com Microsoft jobs: Careers at Microsoft Experienced professionals Want to make a difference? So do we. Step in to explore the wealth of career opportunities and take your career to the next level hitps://dotnet microsoft.com NET | Free. Cross-platform. Open Source NET is a developer platform with tools and libraries for building any type of app, including web. mobile, desktop, games, loT, cloud, and microservices hitps://support. microsoft.com » contactus Contact Us - Microsoft Support Contact Microsoft Support. Find solutions to common problems, or get help from a support agent https:/Nisualstudio.microsoft.com » downloads Download Visual Studio Tools - Install Free for Windows, Mac... 15-Feb-2022 — A standalone source code editor that runs on Windows, macOS, and Linux. The top ptck for Java and web developers, with tons of extensions (o Figure 2.14: Finding sub-domains using Google Advanced Search Operator Tools to Search Company’s Sub-domains * Netcraft Source: https://www.netcraft.com Netcraft provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCl scanning. They also analyze the market share of web servers, operating systems, hosting providers and SSL certificate authorities, and other parameters of the Internet. As shown in the screenshot below, attackers can use Netcraft to obtain all the sub- domains related to the target domain. Module 02 Page 136 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance _Mercrarr = Hostnames matching microsoft.com » Q Search with another pattern? 446 results (showing 1to 20) Rank Site First seen Netblock 0s Site Report 37 teams.microsoft.com & Novemter 2016 Microsoft Corporation Windows Server 2008 ‘ 42 cdocs.microsoft.com & April 2016 Akamai Technologies, Inc. Linux ‘ 65 www.microsoft.com & August 1995 Akamai Technologies, Inc. Linux B 69 supportmicrosoft.com £ October 1997 Akamai Technologies, Inc. Linux B 147 admin.microsoft.com & November 2017 Microsoft Corporation Windows Server 2008. 212 answers.microsoft.com & August 2009 Akamai Technologies, Inc. Linux. 32 accountmicrosoft.com July 2006 Ak i International, BV L ‘ 430 socialtechnetmicrosoft.com &£ August 2008 Akamai Technologies, Inc. Linux ' 476 security. microsoft.com December 2006 Microsoft Corporation Windows Server 2008 a 607 techcommunity.microsoft.com October 2016 Akamai Technologies Linux ' 629 endpointmicrosoft.com & March 2020 Microsoft Corporation Windows Server 2008 B 696 azure. microsoft.com & May 2015 Microsoft Corporation Windows Server 2008 ' Figure 2.15: Screenshot of Netcraft displaying sub-domains of microsoft.com Sublist3r Source: https.//github.com Sublist3r is a Python script designed to enumerate the subdomains of websites using OSINT. It enables you to enumerate subdomains across multiple sources at once. Further, it helps penetration testers and bug hunters in collecting and gathering subdomains for the domain they are targeting. It enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. It also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS. Syntax: python sublist3r.py [-d DOMAIN] [-b BRUTEFORCE] [-p PORTS] [-v VERBOSE] [-t THREADS] [-e ENGINES] [-o OUTPUT] Module 02 Page 137 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Short Form | Long Form Description -d --domain Domain name to enumerate subdomains of -b --bruteforce | Enable the subbrute bruteforce module -p --ports Scan the found subdomains against specific TCP ports -v --verbose Enable the verbose mode and display results in real time -t --threads Number of threads to use for subbrute bruteforce -e --engines Specify a comma-separated list of search engines -0 --output Save the results to a text file -h --help Show the help message and exit Table 2.3: Sublist3r options with description Examples 1: As shown in the screenshot, Sublist3r helps attackers in enumerating the subdomains of a target company from multiple sources at the same time. Figure 2.16: Screenshot of Sublist3r displaying sub-domains of google.com Module 02 Page 138 Ethical Hacking and Countermeasures Copyright © by Eg-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance Examples 2: Sublist3r also helps attackers in enumerating the subdomains of a target company with a specific port open. As shown in the screenshot, attackers search for subdomains of google.com (-d google.com) using the Bing search engine (-e Bing) with port 80 (-p 80) open. o0 Parrot Terminal File Edit View Search Terminal Help attacker@parrot t $python sublist3r.py -d google.com -p 80 -e Bing # Coded By Ahmed Aboul-Ela - @aboul3la '-] Searching now in Bing.. -] Total Unique Subdomains Found: 30 -] Start port scan now for the following ports: 80 80 ipvbtest mail.goo support.google.com - Figure 2.17: Screenshot of Sublist3r displaying sub-domains of google.com with port 80 open Module 02 Page 139 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance * Pentest-Tools Find Subdomains Source: https://pentest-tools.com Pentest-Tools Find Subdomains is an online tool used for discovering subdomains and their IP addresses, including network information and their HTTP servers. As shown in the screenshot, attackers search for sub-domains related to microsoft.com to obtain critical information about the target company domain, such as sub-domains, IP addresses, operating systems, servers used, technology used, web platform, and page titles. ¥ Find Subdomains Online - Pente X -+ N = o < C @ pentest-tools.com/information-gathering/find-subdomains-of-domain C Q 2 * a REPORT Find Subdomains (Light) TARGET microsoft.com - Scan summary Scan status Start time Finish time Scan duration Tests performed Finished 3/8/2022, 7:36:53 AM 3/8/2022,7:42:53 AM 6 minutes, 0 seconds mn - Findings Subdomains Q, Search subdomains HOSTNAME P ADDRESS os SERVER TECHNOLOGY :l:lioh\l PAGE TITLE :‘:0.::“‘ :: dev.microsoft.com 21883101 icrosoft Developer setup.microsoft.com 13.66.231.217 ;’n _‘L""U‘i::. nux.microsoft.com 1377154182 Business Applications payment.microsoft.com 13.72061179 Windows Microsoft-it$ ASPNET | Microsoft Dynamics enterprise microsoft com 1372361179 :'l';;::" oY Figure 2.18: Screenshot of Pentest-Tools displaying sub-domains of microsoft.com Module 02 Page 140 Ethical Hacking and Countermeasures Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Footprinting and Reconnaissance People Search on Social Networking Sites and People Search C |E H Servic