Module 02 Footprinting & Reconnaissance.pdf

Full Transcript

Module 1: Footprinting & Reconnaissance

What is Foot printing?
Any attack on an information system that begins with gathering data about the target network in
order to determine potential points of intrusion is known as "foot printing."
Types of Footprinting:

- Active Footprinting : Collect info with Direct interaction.

- Passive Footprinting : Collect info without direct interaction.

⮚ Tools for passive: whois , nslookup , dig, netcraft, dnssumpster , mxtoolbox,
theHarvester, Dmitry, peekyou, shodan.io, wapalyzer

⮚ Tools for active: tracert, ping, Maltego , Hunter.io, thehackertarget.com,

Information Obtained in Footprinting:--->>>

Organization Information:
Employee details
Telephone numbers
Branch and location details
Background of the organization
Web technologies
News articles, press releases, and related documents.

Page 1 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Network Information:
Domain and sub-domains
Network blocks
Network topology, trusted routers, and firewalls
IP addresses of the reachable systems
Whois records
DNS records

System Information:
Web server OS
Location of web servers
Publicly available email addresses
Usernames and passwords and so on.

Foot printing through Search Engines: --->>>
Search engines are used by attackers to gather information about a target, including the
technological platforms used, employee profiles, login pages, and intranet portals. This
information is then used by the attacker to carry out social engineering and other sophisticated
system attacks.
Attackers can find, filter, and sort specific information about the target by creating sophisticated
queries using the advanced search operators that these search engines offer.

Major Search engines:
Google
Bing
Yahoo!
Ask
DuckDuckGo
Baidu

Page 2 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Foot printing using Advanced Google Hacking Techniques:

Google Dorks:

filetype: - looks for file types
index of - directory listings
info: - contains Google's information about the page
intitle: - string in title
allintext:” username” “password”
intitle:"Index of" wp-admin
Intitle:”webcamXP 5”’

inurl: - string in url
link: - finds linked pages
related: - finds similar pages
site: - finds pages specific to that site
Metagoofil - uses Google hacks to find information in meta tags

Google Hacking Database (GHDB)

Page 3 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Foot printing through Web Services: --->>>
⮚ Finding a Company Top-Level Domains (TLDs) and Sub-domains:

Dork: Site:fackbook.com -inurl:www

⮚ Tools to Search Company’s Sub-domains:

I. Netcraft

II. Sublist3r

III. Assestfinder

IV. subdomainfinder

V. Pentest-Tools Find Subdomains (https://pentest-tools.com)

⮚ Quickly lookup updated information about specific Autonomous System Number
(ASN), Organization, CIDR, or registered IP addresses (IPv4 and IPv6) among other
relevant data.

https://asnlookup.com

Page 4 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Gathering Information from LinkedIn:

Tools:

I. Dmitry

Command: dmitry –w

-w: Perform a whois lookup on the domain name of a host

Page 5 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Finding Sub-domain with dmitry using –s option

Command: dmitry –s facebook.com

II. GhostRecon (Information Gathering All-In-One): ---

HOW TO INSTALL:

git clone https://github.com/DR34M-M4K3R/GhostRecon
cd GhostRecon/

Page 6 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
 chmod +x Grecon install-requirements.sh./install-requirements.sh

HOW TO RUN TOOL?

Simply type Grecon on your terminal.

Page 7 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Footprinting through Social Networking Sites:
Tools:
Sherlock
Social Searcher
UserRecon
Userfinder

Another tool is PEEK YOU, where you can find the information about people
of USA
Source: - https://www.peekyou.com/

Page 8 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Website Footprinting:
Website footprinting refers to the monitoring and analysis of the target organization’s website for
information.

Browsing the target website will typically provide the following information:

Software used and its version
Operating system used
Sub-directories and parameters
Filename, path, or query
Technologies Used
Contact details and CMS details

Page 9 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Tools:
Burp Suite
Web Data Extractor
Mirroring Entire Website (HTTrack)
archive.org
photon.py
WebSite-Watcher

Email Footprinting:

Email Tracking Tools:
eMailTrackerPro
Infoga
Mailtrack
PoliteMail
whoreadme
Page 10 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
 Hunter.io

Methods:
- Public Emails - Email Addresses available on Webpages.

- WHOIS - WHOIS give us info about Domain like when registered, expiry, owner, etc.

- IP Geolocation - Geolocation of Server and Organization

**DNS Footprinting**: --->>>
- A - Server IP Address (IPv4)

- AAAA – IPv6 address

- MX - Mail Server used for handling Emails for that domain.

- TTL - Time to Live (After how many hops packet will be discarded)

- CNAME - Provides additional names or aliases for the address record

- NS – Name Server of Website which used to send Mail

DNS Interrogation Tools:
Security Trails
Mxtoolbox
DNSRecon
DNSDumpster
nslookup
Dnsenum

Footprinting through Social Engineering:
- Eavesdropping - process of intercepting unauthorized communication to gather information.

- Shoulder Surfing - Secretly observing the target to gather sensitive information like
passwords, personal identification information, account information etc.

- Dumpster Diving: This is a process of collecting sensitive information by. looking
into the trash/bin.

Page 11 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
 - Impersonation: Pretending to be a legitimate or authorized person and using the phone
or other communication medium to mislead targets and trick them into revealing information.

User Recon Techniques

- **UserRecon** - (Tool) - https://github.com/issamelferkh/userrecon.git

git clone https://github.com/issamelferkh/userrecon.git

- This tool search for username on 75 different Social media sites.

-./userrecon - Enter Name

- **sherlock** - Simmilar to user recon

python3 sherlock

- **theHarvester** - theHarvester --source

- **Job Sites** - (LinkedIn, indeed, monster.com, etc.)

- **Social Searcher**

- This Website search for username on different social media Platform. User Search is not limited
to 1 search per website.

-**GhostRecon**

Google Dorks & Google Hacking Database (GHDB)

- **Intitle** : Matches Given String to Page Title. (intitle:Owasp top 10)

- **Intext** : Matches Given String with string in Text. (intitle:How to become a Hacker")

- **Site** : Limit the search to a specific site only. (site:drive.google.com)

Page 12 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
- **Inurl** : Matches Given String with string in URL. (inurl:twitter.com)

- **Filetype** : Matches File Type with Search Query. (filetype:pdf)

- **Exploit DB** https://Exploit-db.com/google-hacking-database

Domain Recon Technique

website-informer - IP Address, Owner Email, Sub Domains, DNS, Registrar

whois.domaintools.com - IP Address, Sub Domains, DNS, Registrar, other sites registered on
same Server (If Any).

Shodan- Shodan is a Device Search Engine. Shodan searches for devices accessible through the
internet.

- Search for Devices running those services

- Search for Devices connected to that organization

- search for Devices based on location

- search for open devices like Camera, Printer, Router, IOT Devices, TVs, etc

Builtwith.com / Wappalyzer

- This website tells us about Technology used to build website. like Google Analytics, Chatbots,
Programming Languages, E-Commerce Technology, etc.
DnsDumpster.com

- Provide Information about Domain Name

DnsTwister- https://dnstwister.report/

- This website shows domains with similar names which are registered or available.

Dirb - Directory Buster/fuzzer

Sublist3r - Identify subdomains

DirSearch - Directory buster/fuzzer
Feroxbuster - Dir buster/fuzzer

Page 13 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Tools can be used for Footprinting

Maltego - Maltego is a GUI based tool which searches for all Connections of Domain with Server,
other Websites, MX Servers and other domains connected to these mail servers or other domains
hosted on same server.

Recon-ng - Recon-ng is a web reconnaissance framework with independent modules and database
interaction, which provides an environment in which open source, web-based reconnaissance can
be conducted.

FOCA - FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to
find metadata and hidden information in the documents it scans.

OSINT Framework - Open-Source Intelligence Gathering Framework that is focused on
gathering information from free tools or resources.

Recon-Dog - Recon-Dog is an all-in-one tool for information gathering needs, which uses APIs to
collect information about the target system.

BillCipher - BillCipher is an information gathering tool for a website or IP address.

BlackBird- Information Gathering tool

RED-HAWK - Infromation Gathering Tool

Methods and Tools:
Search Engines
NetCraft - information about website and possibly OS info

Job Search Sites - information about technologies can be gleaned from job postings

Google

Website Footprinting
Web mirroring - allows for discrete testing offline

▪ HTTrack
Page 14 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
 ▪ Black Widow
▪ Wget
▪ WebRipper
▪ Teleport Pro
▪ Backstreet Browser

Archive.org - provides cached websites from various dates which possibly have sensitive
information that has been now removed

Email Footprinting

Email header - may show servers and where the location of those servers are

Email tracking - services can track various bits of information including the IP address of where
it was opened, where it went, etc.

DNS Footprinting
DNS Footprinting is a technique that is used by an attacker to gather DNS information about the
target system. DNS Footprinting allows the attacker to obtain information about the DNS Zone
Data, which includes:

DNS Domain Names
Computer Names
IP Addresses
Network related information

Tools:

DNSDumpster.com
nslookup
nslookup -type=
Dig
Page 15 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
 dig
dig any

DNS Record Types:--

Name Description Purpose

SRV Service Points to a specific service

SOA Start of Authority Indicates the authoritative NS for a namespace

PTR Pointer Maps an IP to a hostname

NS Nameserver Lists the nameservers for a namespace

MX Mail Exchange Lists email servers

CNAME Canonical Name Maps a name to an A reccord

A Address Maps an hostname to an IP address

DNS Poisoning - changes cache on a machine to redirect requests to a malicious server

DNSSEC - helps prevent DNS poisoning by encrypting records

SOA Record Fields

Source Host - hostname of the primary DNS

Contact Email - email for the person responsible for the zone file

Serial Number - revision number that increments with each change

Refresh Time - time in which an update should occur

Retry Time - time that a NS should wait on a failure

Expire Time - time in which a zone transfer is allowed to complete

Page 16 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
TTL - minimum TTL for records within the zone

IP Address Management Authority:

ARIN - North America

APNIC - Asia Pacific

RIPE - Europe, Middle East
LACNIC - Latin America

AFRINIC – Africa

Whois - obtains registration information for the domain

Nslookup - performs DNS queries

nslookup [ - options ] [ hostname ]

interactive zone transfer

nslookup

▪ server
▪ set type = any
▪ ls -d domainname.com

Dig - unix-based command like nslookup

Command: dig @server name type

Page 17 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293
Network Footprinting

IP address range can be obtained from regional registrar (ARIN here)

Use traceroutes to find intermediary servers

traceroute uses ICMP echo in Windows

Windows command - tracert

Linux Command – traceroute

Other Tools

OSRFramework - uses open source intelligence to get information about target

Web Spiders - obtain information from the website such as pages, etc.

Social Engineering Tools

Maltego

Social Engineering Framework (SEF)

Shodan - search engine that shows devices connected to the Internet

Huntet.io

Zoom eye

Page 18 By:
Prepared
IEMA Research & Development Pvt. Ltd.
W: https://iemlabs.com/ phone No: 1800 202 8293