Module 02 Footprinting & Reconnaissance PDF
Summary
This document details various techniques for footprinting, gathering information about a target network or system. It includes methods for active and passive footprinting, tools such as whois, nslookup, and the use of search engines, and other related topics.
Full Transcript
Module 1: Footprinting & Reconnaissance

What is Footprinting?
Footprinting is the first phase of an attack on an information system: gathering data about the target network in order to determine potential points of intrusion.

Types of Footprinting:
- Active Footprinting: collect information through direct interaction with the target (ping, traceroute, port or directory scans). The target can log this activity.
- Passive Footprinting: collect information without direct interaction, from public sources and third-party services.
⮚ Tools for passive: whois, nslookup, dig, Netcraft, DNSDumpster, MXToolbox, theHarvester, Dmitry, PeekYou, shodan.io, Wappalyzer
⮚ Tools for active: tracert/traceroute, ping, Maltego, Hunter.io, hackertarget.com
  Caveat: the label describes how a tool is used, not the tool itself. whois and DNS lookups go to registrars and name servers rather than to the target host; Maltego and Hunter.io mostly query third-party data sources and only become active when you run modules that probe the target directly.

Information Obtained in Footprinting:
Organization Information:
- Employee details
- Telephone numbers
- Branch and location details
- Background of the organization
- Web technologies
- News articles, press releases, and related documents

Page 1 - Prepared by: IEMA Research & Development Pvt. Ltd. W: https://iemlabs.com/ phone No: 1800 202 8293

Network Information:
- Domain and sub-domains
- Network blocks
- Network topology, trusted routers, and firewalls
- IP addresses of the reachable systems
- Whois records
- DNS records
System Information:
- Web server OS
- Location of web servers
- Publicly available email addresses
- Usernames and passwords, and so on

Footprinting through Search Engines:
Attackers use search engines to gather information about a target, including the technology platforms in use, employee profiles, login pages, and intranet portals. This information is then used for social engineering and other more sophisticated attacks. By building queries with the advanced search operators these engines offer, attackers can find, filter, and sort specific information about the target.
Major search engines: Google, Bing, Yahoo!, Ask, DuckDuckGo, Baidu
Footprinting using Advanced Google Hacking Techniques:
Google Dorks (search operators):
- filetype: - restricts results to a file type (filetype:pdf)
- "index of" / intitle:"Index of" - finds open directory listings
- info: - Google's information about a page (Google has retired this operator and link:, so both return little or nothing today)
- intitle: - string in the page title
- allintext:"username" "password" - pages whose text contains both words
- intitle:"Index of" wp-admin - exposed WordPress admin directories
- intitle:"webcamXP 5" - exposed webcamXP camera interfaces
- inurl: - string in the URL
- link: - pages linking to a URL (retired, see above)
- related: - finds similar pages
- site: - restricts results to one site or domain
- Metagoofil - uses Google searches to find public documents (pdf, doc, xls, ppt, ...) on a target domain, downloads them, and extracts metadata such as usernames, software versions, and internal paths
- Google Hacking Database (GHDB) - a curated collection of such queries (https://exploit-db.com/google-hacking-database)

Footprinting through Web Services:
⮚ Finding a company's top-level domains (TLDs) and sub-domains:
  Dork: site:facebook.com -inurl:www (excluding the www host leaves the other sub-domains in the results)
⮚ Tools to search a company's sub-domains:
  I. Netcraft
  II. Sublist3r
  III. assetfinder
  IV. subdomainfinder
  V. Pentest-Tools Find Subdomains (https://pentest-tools.com)
⮚ Quickly look up updated information about a specific Autonomous System Number (ASN), organization, CIDR, or registered IP address (IPv4 and IPv6), among other relevant data: https://asnlookup.com

Gathering Information from LinkedIn:
Tools:
I. Dmitry (a general information-gathering tool; the options shown work against any domain, not LinkedIn specifically)
   Command: dmitry -w <domain>
   -w: perform a whois lookup on the domain name of a host
   Finding sub-domains with dmitry using the -s option:
   Command: dmitry -s facebook.com
II. GhostRecon (Information Gathering All-In-One)
   How to install:
     git clone https://github.com/DR34M-M4K3R/GhostRecon
     cd GhostRecon/
     chmod +x Grecon install-requirements.sh
     ./install-requirements.sh
   How to run the tool: simply type Grecon in your terminal.
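The whois lookup above (dmitry -w, or plain whois) returns a flat "Key: value" listing that you usually want to reduce to the handful of facts that matter for footprinting: registrar, name servers (and whether they belong to a third-party DNS host), contact mailboxes, DNSSEC status and time left until expiry. The following parser is an added example written for this page, not code from the module or from Dmitry. The WHOIS text it parses is constructed (the registrar name and its .test WHOIS server are made up), and REFERENCE_DATE is fixed so the expiry arithmetic is reproducible; feed it the real output of `whois <domain>` and `datetime.now(timezone.utc)` in practice.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS response, not a real registration record. The layout
# mimics what `dmitry -w example.com` or `whois example.com` prints; the
# registrar and its WHOIS server (.test TLD) are invented for this example.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Registrar WHOIS Server: whois.example-registrar.test
Creation Date: 2015-03-04T10:21:00Z
Updated Date: 2024-02-01T08:00:00Z
Registry Expiry Date: 2025-03-04T10:21:00Z
Registrant Organization: Example Corp
Registrant Email: hostmaster@example.com
Admin Email: REDACTED FOR PRIVACY
Tech Email: it-ops@example.com
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.NET
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-06-01T00:00:00Z <<<
"""

# Fixed "today" so the example is reproducible; use datetime.now(timezone.utc) for real work.
REFERENCE_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)

CONTACT_KEYS = ("registrant email", "admin email", "tech email")


def parse_whois(text):
    """Turn the 'Key: value' lines of a WHOIS reply into a dict.

    Keys are lower-cased; keys that repeat (Name Server, Domain Status, ...)
    collect their values in a list. Notice and comment lines are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith((">>>", "%", "#")):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key not in fields:
            fields[key] = value
        elif isinstance(fields[key], list):
            fields[key].append(value)
        else:
            fields[key] = [fields[key], value]
    return fields


def as_list(value):
    """Normalise a single value or a list of values to a list."""
    return value if isinstance(value, list) else [value] if value else []


def whois_footprint(text, today):
    """Summarise what an attacker learns from one WHOIS record."""
    w = parse_whois(text)
    name_servers = sorted(ns.lower() for ns in as_list(w.get("name server")))
    # Name servers under a different domain point at third-party DNS hosting.
    ns_domains = sorted({ns.split(".", 1)[1] for ns in name_servers})
    contacts = [w[k].lower() for k in CONTACT_KEYS if "@" in w.get(k, "")]
    redacted = [k for k in CONTACT_KEYS if "redacted" in w.get(k, "").lower()]
    expiry = datetime.fromisoformat(w["registry expiry date"].replace("Z", "+00:00"))
    return {
        "registrar": w.get("registrar"),
        "organization": w.get("registrant organization"),
        "name_servers": name_servers,
        "ns_domains": ns_domains,
        "contact_emails": contacts,
        "redacted_contacts": redacted,
        "dnssec_signed": w.get("dnssec", "").lower() == "signeddelegation",
        "days_until_expiry": (expiry - today).days,
    }


if __name__ == "__main__":
    for key, value in whois_footprint(SAMPLE_WHOIS, REFERENCE_DATE).items():
        print(f"{key:>20}: {value}")
```

Two of the derived fields are worth more than they look: a name server on a domain other than the target's (example.net here) tells you who hosts their DNS, and an unsigned zone means zone data can be spoofed in transit, which matters once you move on to the DNS footprinting section.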
Footprinting through Social Networking Sites:
Tools:
- Sherlock
- Social Searcher
- UserRecon
- Userfinder
Another tool is PeekYou, a people-search site covering mostly people in the USA. Source: https://www.peekyou.com/

Website Footprinting:
Website footprinting refers to monitoring and analysing the target organization's website for information. Browsing the target website will typically reveal:
- Software used and its version
- Operating system used
- Sub-directories and parameters
- Filename, path, or query
- Technologies used
- Contact details and CMS details
Tools:
- Burp Suite
- Web Data Extractor
- Mirroring the entire website (HTTrack)
- archive.org
- photon.py
- WebSite-Watcher

Email Footprinting:
Email tracking tools:
- eMailTrackerPro
- Infoga
- Mailtrack
- PoliteMail
- whoreadme
- Hunter.io
Methods:
- Public emails - email addresses published on web pages.
- WHOIS - registration details of a domain: when it was registered, when it expires, the owner or registrar, name servers, and so on.
- IP geolocation - approximate location of the server and the organization.

DNS Footprinting:
- A - IPv4 address of a host
- AAAA - IPv6 address of a host
- MX - mail server(s) that accept email for the domain
- TTL - Time to Live: the number of seconds a resolver may cache a record before querying again. (This is a caching lifetime, not a hop count; the hop-count TTL lives in the IP header and is what traceroute manipulates.)
- CNAME - an alias that points a name at another (canonical) name
- NS - the authoritative name servers for the zone. They answer DNS queries for the domain; they do not send mail.
DNS Interrogation Tools:
- SecurityTrails
- MXToolbox
- DNSRecon
- DNSDumpster
- nslookup
- dnsenum

Footprinting through Social Engineering:
- Eavesdropping - covertly listening in on conversations or intercepting communications to gather information.
- Shoulder Surfing - secretly observing the target to gather sensitive information such as passwords, personal identification information, account information, etc.
- Dumpster Diving - collecting sensitive information by looking through the trash/bins.
- Impersonation - pretending to be a legitimate or authorized person and using the phone or another communication medium to mislead targets and trick them into revealing information.

User Recon Techniques
- **UserRecon** (tool) - https://github.com/issamelferkh/userrecon.git
  git clone https://github.com/issamelferkh/userrecon.git
  ./userrecon
  Enter a name; the tool searches for that username on 75 different social media sites.
- **Sherlock** - similar to UserRecon
  python3 sherlock <username>
- **theHarvester** - theHarvester -d <domain> --source <source>
- **Job Sites** - LinkedIn, Indeed, monster.com, etc.
- **Social Searcher** - website that searches for a username across different social media platforms; a search is not limited to one site at a time.
- **GhostRecon**

Google Dorks & Google Hacking Database (GHDB)
- **intitle:** matches the given string in the page title (intitle:"OWASP top 10")
- **intext:** matches the given string in the page text (intext:"How to become a Hacker")
- **site:** limits the search to a specific site (site:drive.google.com)
- **inurl:** matches the given string in the URL (inurl:twitter.com)
- **filetype:** matches the file type of the result (filetype:pdf)
- **Exploit-DB GHDB** - https://exploit-db.com/google-hacking-database

Domain Recon Techniques
- website-informer - IP address, owner email, sub-domains, DNS, registrar
- whois.domaintools.com - IP address, sub-domains, DNS, registrar, other sites registered on the same server (if any)
- Shodan - Shodan is a device search engine.
  Shodan searches for devices accessible through the internet:
  - search for devices running a given service
  - search for devices belonging to an organization
  - search for devices by location
  - search for exposed devices such as cameras, printers, routers, IoT devices, TVs, etc.
- BuiltWith.com / Wappalyzer - reveal the technology used to build a website, such as Google Analytics, chatbots, programming languages, e-commerce platforms, etc.
- DNSDumpster.com - provides information about a domain name (DNS records, sub-domains, hosting)
- dnstwister - https://dnstwister.report/ - shows registered and available domains with names similar to the target (typosquatting and phishing candidates)
- Dirb - directory buster/fuzzer
- Sublist3r - identifies sub-domains
- DirSearch - directory buster/fuzzer
- Feroxbuster - directory buster/fuzzer
  Note: directory busting sends thousands of requests to the target web server, so it is active footprinting and will show up in the target's logs.

Tools that can be used for Footprinting
- Maltego - a GUI-based tool that maps the connections of a domain: its servers, other websites, MX servers, other domains connected to those mail servers, and other domains hosted on the same server.
- Recon-ng - a web reconnaissance framework with independent modules and database interaction, which provides an environment in which open-source, web-based reconnaissance can be conducted.
- FOCA (Fingerprinting Organizations with Collected Archives) - a tool used mainly to find metadata and hidden information in the documents it scans.
- OSINT Framework - an open-source intelligence gathering framework focused on gathering information from free tools and resources.
- Recon-Dog - an all-in-one information gathering tool that uses APIs to collect information about the target system.
- BillCipher - an information gathering tool for a website or IP address.
- BlackBird - information gathering tool
- RED-HAWK - information gathering tool

Methods and Tools:
Search Engines
- Netcraft - information about a website, possibly including OS information
- Job search sites - job postings reveal the technologies an organization runs
- Google
Website Footprinting
- Web mirroring - allows for discreet testing offline
  ▪ HTTrack
  ▪ Black Widow
  ▪ Wget
  ▪ WebRipper
  ▪ Teleport Pro
  ▪ Backstreet Browser
- Archive.org - provides cached copies of websites from various dates, which may contain sensitive information that has since been removed
Email Footprinting
- Email headers - the Received: chain shows which mail servers handled the message and their IP addresses, and often the sender's workstation name and internal addressing; IP geolocation then gives an approximate location of those servers.
- Email tracking - services can track various bits of information, including the IP address from which a message was opened, where it was forwarded, etc.
DNS Footprinting
DNS footprinting is a technique an attacker uses to gather DNS information about the target system. It lets the attacker obtain information about the DNS zone data, which includes:
- DNS domain names
- Computer names
- IP addresses
- Network-related information
Tools:
- DNSDumpster.com
- nslookup
  nslookup -type=<record-type> <name>
- dig
  dig <name>
  dig <name> any

DNS Record Types:
Name   | Description        | Purpose
SRV    | Service            | Points to the host and port of a specific service
SOA    | Start of Authority | Marks the start of a zone, names its primary name server and holds the zone's timing parameters
PTR    | Pointer            | Maps an IP address to a hostname (reverse lookup)
NS     | Nameserver         | Lists the authoritative name servers for a zone
MX     | Mail Exchange      | Lists the mail servers for a domain
CNAME  | Canonical Name     | Maps an alias to its canonical name
A      | Address            | Maps a hostname to an IPv4 address

DNS Poisoning - corrupts a resolver's cache so that requests are redirected to a malicious server.
DNSSEC - helps prevent DNS poisoning by digitally signing records so that resolvers can verify they came from the zone owner. It does not encrypt anything; DNS data stays readable on the wire.

SOA Record Fields:
- Source Host (MNAME) - hostname of the primary name server for the zone
- Contact Email (RNAME) - mailbox of the person responsible for the zone, written with a dot in place of @ (hostmaster.example.com means hostmaster@example.com)
- Serial Number - revision number that increments with each change; secondaries compare it with their copy to decide whether to transfer the zone
- Refresh Time - how often (in seconds) a secondary checks the primary for a new serial
- Retry Time - how long a secondary waits before retrying after a failed refresh
- Expire Time - how long a secondary keeps serving the zone after it has been unable to reach the primary; once it passes, the secondary stops answering for the zone
- TTL - originally the minimum TTL for records in the zone, redefined by RFC 2308 as the negative-caching TTL (how long resolvers cache "no such name" answers)

IP Address Management Authorities (Regional Internet Registries):
- ARIN - North America
- APNIC - Asia Pacific
- RIPE NCC - Europe, Middle East, Central Asia
- LACNIC - Latin America and the Caribbean
- AFRINIC - Africa

Whois - obtains registration information for a domain or IP block
Nslookup - performs DNS queries
  nslookup [-options] [hostname]
  Interactive zone transfer with nslookup (Windows build only; the Linux nslookup has no ls command):
  nslookup
  ▪ server <name-server>
  ▪ set type=any
  ▪ ls -d domainname.com
  A properly configured name server refuses zone transfers (AXFR) from unauthorized hosts; a transfer that succeeds hands over the whole zone and is a finding in itself.
Dig - Unix command-line DNS tool, similar to nslookup
  Command: dig @server name type
  Zone transfer with dig: dig @<name-server> <domain> axfr
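The Email Footprinting section above says that email headers "may show servers and their location" without showing how to read them. The script below is an added example written for this page, not code from the module: it walks the Received: chain of a constructed message (hosts on example.com/example.net, RFC 5737 addresses, an invented workstation name DESKTOP-7F3K) from the first hop to final delivery and pulls out what a footprinter wants: the originating IP and HELO name, which hosts in the target domain relayed the mail, whether the first hop was an authenticated submission, and the hostname leaked by the Message-ID. Python's standard email module does the header parsing; the regexes are this example's own.

```python
import re
from email import message_from_string

# Constructed message, not a real email. Received: headers are listed
# newest-first, exactly as an MTA prepends them, so the bottom one is the
# first hop (the sender's workstation submitting to the company relay).
SAMPLE_EMAIL = """\
Received: from mx2.example.com (mx2.example.com [198.51.100.20])
\tby inbox.example.net with ESMTPS id 4Vq1x2; Mon, 3 Jun 2024 10:15:02 +0000
Received: from mail-relay.example.com (mail-relay.example.com [203.0.113.5])
\tby mx2.example.com with ESMTP; Mon, 3 Jun 2024 10:15:00 +0000
Received: from DESKTOP-7F3K (unknown [192.0.2.77])
\tby mail-relay.example.com with ESMTPA; Mon, 3 Jun 2024 10:14:58 +0000
Message-ID: <20240603101458.1234@mail-relay.example.com>
From: alice@example.com
To: analyst@example.net
Subject: test

body
"""

# "from <helo> (<rdns> [<ip>]) by <server> ... with <protocol>" as written by
# most MTAs (RFC 5321 trace fields); rdns/ip and protocol are optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"              # name the client announced (HELO/EHLO)
    r"(?:\s+\((?P<rdns>[^)]*)\))?"       # what the receiving server saw: rDNS [ip]
    r"\s+by\s+(?P<by>\S+)"               # server that wrote this header
    r"(?:.*?\bwith\s+(?P<proto>\w+))?",  # ESMTP, ESMTPS, ESMTPA (trailing A = authenticated)
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def email_footprint(raw, target_domain):
    """Walk the Received: chain from origin to final delivery.

    Only the header your own server added can be trusted; every header
    below it was written by another party and can be forged.
    """
    msg = message_from_string(raw)
    # Unfold the headers: continuation lines start with whitespace.
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    hops = []
    for entry in reversed(received):          # bottom header = first hop
        m = HOP_RE.search(entry)
        if not m:
            continue
        ip = IP_RE.search(m.group("rdns") or "")
        proto = (m.group("proto") or "").upper()
        hops.append({
            "helo": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "proto": proto,
            "authenticated": proto.endswith("A"),  # submission by a logged-in user
        })
    suffix = "." + target_domain.lower()
    seen = {h["by"] for h in hops} | {h["helo"] for h in hops[1:]}
    target_hosts = sorted(h.lower() for h in seen if h.lower().endswith(suffix))
    msgid = re.search(r"@([\w.-]+)>", msg.get("Message-ID", "") or "")
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_helo": hops[0]["helo"] if hops else None,
        "target_mail_hosts": target_hosts,
        "message_id_host": msgid.group(1) if msgid else None,
    }


if __name__ == "__main__":
    result = email_footprint(SAMPLE_EMAIL, "example.com")
    for hop in result["hops"]:
        print(f"{hop['helo']:<25} {hop['ip'] or '-':<15} -> {hop['by']} ({hop['proto']})")
    print("origin:", result["origin_ip"], result["origin_helo"])
    print("target mail hosts:", result["target_mail_hosts"])
    print("message-id host:", result["message_id_host"])
```

In the sample the first hop is an authenticated submission (ESMTPA) from a host with no reverse DNS, which is the pattern of a user's desktop talking to the company relay: the HELO name gives you an internal hostname convention and the IP gives you a client address, both before you have touched the target at all. Feed the origin and relay IPs to the IP geolocation step the module lists under Hunter.io methods.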
Network Footprinting
- The IP address range of an organization can be obtained from its regional registrar (ARIN for North America).
- Use traceroutes to find the intermediary routers and servers on the path to the target.
- Windows tracert sends ICMP echo requests; Linux traceroute sends UDP probes by default (traceroute -I for ICMP, traceroute -T for TCP SYN, which more often gets through firewalls that drop UDP and ICMP).
- Windows command: tracert
- Linux command: traceroute

Other Tools
- OSRFramework - uses open-source intelligence to get information about a target
- Web spiders - crawl a website to obtain its pages, links, and other information

Social Engineering Tools
- Maltego
- Social Engineering Framework (SEF)
- Shodan - search engine that shows devices connected to the Internet
- Hunter.io
- ZoomEye
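The Network Footprinting notes combine two sources, the netblock from the regional registrar and a traceroute, but leave the combination implicit. This added example (written for this page, not code from the module) parses constructed Linux traceroute output and uses an assumed ARIN-style netblock for the target to split the path into the attacker's side, the transit provider, and the target's own network. The hosts (gw.lan, isp.test, edge-rtr.example.com) and addresses (RFC 1918 and RFC 5737 ranges) are invented; the TARGET_NETBLOCKS value is an assumption standing in for what the registry's whois output would give you.

```python
import ipaddress
import re

# Constructed traceroute output, not a real trace. Public addresses are from
# the RFC 5737 documentation ranges; the isp.test router names are made up.
SAMPLE_TRACEROUTE = """\
traceroute to www.example.com (203.0.113.80), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.412 ms  0.380 ms  0.351 ms
 2  10.20.0.1 (10.20.0.1)  8.102 ms  8.050 ms  8.011 ms
 3  core1.isp.test (198.51.100.9)  12.310 ms  12.201 ms  12.150 ms
 4  border.isp.test (198.51.100.254)  15.004 ms  14.980 ms  14.901 ms
 5  edge-rtr.example.com (203.0.113.1)  20.115 ms  20.020 ms  19.990 ms
 6  * * *
 7  www.example.com (203.0.113.80)  22.431 ms  22.401 ms  22.380 ms
"""

# Netblock the RIR (ARIN, RIPE, ...) lists for the target organisation.
# Assumed for this example; take it from the registry's whois output.
TARGET_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 space: hops here sit on the attacker's side or behind NAT and are
# not the target's public infrastructure. Checked explicitly rather than via
# ip_address.is_private, which also flags the documentation ranges used above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ENDPOINT_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")
RTT_RE = re.compile(r"([\d.]+)\s+ms")


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_traceroute(text):
    """Parse Linux traceroute output into one dict per hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rest = int(m.group(1)), m.group(2)
        endpoint = ENDPOINT_RE.match(rest)
        if endpoint is None:          # "* * *": nothing answered within the timeout
            hops.append({"hop": number, "host": None, "ip": None, "rtt_ms": []})
            continue
        hops.append({
            "hop": number,
            "host": endpoint.group(1),
            "ip": endpoint.group(2),
            "rtt_ms": [float(r) for r in RTT_RE.findall(rest)],
        })
    return hops


def analyze_path(text, target_networks):
    """Split the path into attacker side, transit provider and target network."""
    hops = parse_traceroute(text)
    header = HEADER_RE.match(text)
    inside = [h for h in hops if h["ip"] and in_any(h["ip"], target_networks)]
    edge = inside[0] if inside else None       # first hop inside the target's netblock
    edge_number = edge["hop"] if edge else len(hops) + 1
    upstream = [h["ip"] for h in hops
                if h["ip"] and h["hop"] < edge_number and not in_any(h["ip"], RFC1918)]
    # Silent hops after the edge router are usually a firewall dropping the probes.
    silent = [h["hop"] for h in hops if h["ip"] is None and h["hop"] > edge_number]
    return {
        "destination_host": header.group(1) if header else None,
        "destination_ip": header.group(2) if header else None,
        "hop_count": len(hops),
        "upstream_provider_ips": upstream,
        "target_edge": edge,
        "silent_hops_inside_target": silent,
        "target_hosts": [h["host"] for h in inside],
    }


if __name__ == "__main__":
    for key, value in analyze_path(SAMPLE_TRACEROUTE, TARGET_NETBLOCKS).items():
        print(f"{key:>26}: {value}")
```

Read the result the way the module's "network topology, trusted routers, and firewalls" item intends: the last public hops before the target's netblock identify the upstream provider (a whois on 198.51.100.9 would name it), the first hop inside the netblock is the edge router, and a silent hop between the edge and the destination is the place to expect a filtering device. Re-run the trace with `traceroute -T -p 443` if the default UDP probes die at that hop; a TCP SYN to an open port usually gets through.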