CEH Chapter 2: Footprinting and Reconnaissance
Netcraft
-Good for getting sub-domains and determining the OS
-Provides internet security services including anti-fraud and anti-phishing services, application testing and PCI scanning
-Also analyzes the market share of web servers, operating systems, hosting providers, SSL certificate authorities and other parameters of the internet
Footprinting: Geo-locating Tools
-Google Earth
-Wikimapia
-Bing Maps
-Yahoo Maps
-National Geographic maps
DNS
-IP addresses are translated to names (and names to IP addresses)
-Each domain = a namespace
-53/UDP = name lookup
-53/TCP = zone transfer
Maltego
Shows relationships and real-world links between entities
Footprinting: People Search Tools
Social media, Pipl, Intelius, BeenVerified, Spokeo, AnyWho, PrivateEye, Public Background Checks, Zaba Search, WebMii
InSpy - a Python-based LinkedIn enumeration tool. It performs enumeration on LinkedIn and finds people based on job title, company, or email address. InSpy has two functionalities:
o TechSpy: crawls LinkedIn job listings for technologies used by the provided company
o EmpSpy: crawls LinkedIn for employees working at the provided company
DNS SOA Record
Start of Authority:
-Identifies the primary name server for the zone
-Indicates authority for the domain
ORM- Online Reputation Management
This is the process of monitoring a company's reputation on the internet and taking actions to minimize negative reviews.
-Attackers use these tools to track a company's online reputation and search engine rankings, obtain email notifications when a company is mentioned online, track conversations, and obtain social news.
-Trackur - provides social media monitoring
-Brand24
-Social Mention
-ReviewTrackers
-Rankur
Filetype:
This operator allows you to filter search results by file extension. [jasmine:jpg] will provide jpg files based on jasmine.
cache:
This operator displays Google's cached version of a web page instead of the current version of the page. [cache:www.eff.org] will show Google's cached version of the Electronic Frontier Foundation home page.
related:
This operator displays websites that are similar or related to the URL specified. [related:www.microsoft.com] provides the Google search engine results page with websites similar to microsoft.com.
location:
This operator finds information for a specific location. [location: 4 seasons restaurant] will give you results based around the term "4 seasons restaurant".
info:
This operator finds information about the specified web page. [info:gothotel.com] provides information about the national hotel directory GotHotel.com home page.
allinanchor:
This operator restricts results to only those pages containing all the query terms in the anchor text of links to the page. The [allinanchor: best cloud service provider] query returns only pages in which the anchor text on links to the pages contains the words "best," "cloud," "service," and "provider."
allinurl:
This operator restricts results to only those pages containing all the query terms in the URL. The [allinurl: google career] query returns only pages containing the words "google" and "career" in the URL.
allintitle:
This operator restricts results to only those pages containing all the query terms in the title. The [allintitle: detect malware] query returns only pages containing the words "detect" and "malware" in the title.
inanchor:
This operator restricts results to only those pages containing the query term in the anchor text of links to the page. The [Anti-virus inanchor:Norton] query returns only pages where the anchor text on links to the page contains the word "Norton" and the page itself contains the word "Anti-virus."
intitle:
This operator restricts results to only those pages containing the specified term in the title. The [malware detection intitle:help] query returns only pages that have the term "help" in the title and the terms "malware" and "detection" anywhere within the page.
site:
This operator restricts search results to the specified site or domain. The [games site: www.certifiedhacker.com] query gives information on games from the certifiedhacker site.
inurl:
This operator restricts results to only those pages containing the specified word in the URL. The [inurl: copy site:www.google.com] query returns only pages on the Google site whose URL contains the word "copy."
link:
This operator finds websites or pages that contain links to the specified website or page. [link:www.googleguide.com] finds pages that point to Google Guide's home page.
Website Archive Searching
Going through archive.org (Wayback Machine) and Google Cache to search old snapshots of current websites
Footprinting: Financial Services
-Google Finance - features business and enterprise headlines for many corporations, including their financial decisions and major news events
-Yahoo! Finance
-TheStreet
-MarketWatch
DNS HINFO
Host information record
-Includes CPU type and OS
Footprinting: Job Sites
Job requirements, employee data, HW/SW info
-Glassdoor
-LinkedIn
-Monster
-Indeed
DNS PTR Record
Pointer:
-Maps an IP address to a hostname
Footprinting: Websites
-Monitoring and analyzing the target website
-May provide OS in use, sub-directories and file paths, contact info
-Tools: Burp Suite, ZAProxy, Paros Proxy, Firebug and Website Informer
-These tools allow the attacker to view headers that provide connection status and type, accept-ranges and last-modified info, x-powered-by information, the web server in use and its version
-Examining HTML source provides comments, contact details of the web developer, file system structure and script type
-Examining cookies may provide software in use and its behavior, and scripting platforms used
Footprinting Pen Testing
1. Get proper authorization
2. Define the scope
3. Perform footprinting through search engines (Google, Yahoo, Bing, Ask)
4. Perform footprinting through web services (Netcraft, Pipl, Google Finance, Google Alerts)
5. Perform footprinting through social media (Facebook, LinkedIn)
6. Perform website footprinting (Burp Suite, Web Data Extractor, HTTrack Website Copier)
7. Perform email footprinting (eMailTrackerPro, Yesware)
8. Gather competitive intelligence (Hoovers, LexisNexis, Business Wire)
9. Perform Whois footprinting (SmartWhois, Batch IP Converter)
10. Perform DNS footprinting (DNSstuff, DIG, MyDNSTools)
11. Perform network footprinting (Path Analyzer Pro, VisualRoute)
12. Perform social engineering (eavesdropping, shoulder surfing, dumpster diving)
13. Document all findings
Footprinting Objectives
1. Know the security posture
2. Reduce the focus area
3. Identify vulnerabilities
4. Draw a network map
arin.net
The American (ARIN) registry, used to look up IP address allocations
Footprinting Types
Active: requires the attacker to touch the device, network, or resource
Passive: measures to collect information from publicly accessible sources
DNS A record
Address
-Points to a host's IP address
Footprinting
Attacker collects intel about a target network.
-First step in any attack
-Passive = without direct interaction
-Active = direct interaction
Google Hacking DB (GHDB)
Authoritative source of search queries for Google hacking. The Exploit DB is a Common Vulnerabilities and Exposures (CVE) compliant archive. It can also be used to footprint VoIP and VPN services.
Web Spiders
Automated searches on the target website for employee names, email addresses, etc.
Tools:
-Web Data Extractor - extracts targeted contact data (email, phone, and fax) from the website, extracts the URL and meta tags (title, description, keywords) for website promotion, searches directory creation, web research and so on
-SpiderFoot
-Visual SEO
-WildShark
-Beam Us Up
-Scrapy
-Screaming Frog
-Xenu
Competitive Intelligence Resources
Business origins/development: EDGAR database, Hoovers, LexisNexis, Business Wire
Business plans/financials: SEC Info, Experian, Market Watch, Wall Street Monitor, Euromonitor
DNS CNAME record
Canonical Name
-Provides domain name aliases within your zone
-Allows aliases to a host
Information obtained in footprinting
Collected network information, system information, and the organizational information of the target.
Footprinting: Alerts
Content monitoring services that provide up-to-date info based on your preferences, usually via email or SMS in an automated manner
-Google Alerts
-Twitter Alerts
-Giga Alert
-TalkWalker Alerts
Web Mirroring
Copying a website directly to your system to test offline
-HTTrack
-Black Widow
-WebRipper
-Pavuk
-Teleport Pro
-GNU Wget
-BackStreet Browser
Footprinting: DNS Interrogation tools
-Dig
-myDNSTools
-Domain Dossier
-DNS Data View
-DNSWatch
-NsLookup
Domain Name System Security Extensions
DNSSEC - a suite of specifications used to protect the integrity of DNS records and prevent DNS poisoning attacks.
Email Footprinting Tools
Destination tracking to pinpoint social engineering vectors. Intercepting or copying email headers gives you this and more.
Websites/tools:
-eMailTrackerPro - analyzes email headers and reveals information such as the sender's geographical location, IP address and so on
-mailtracking.com
-GetNotify
-ContactMonkey
-Yesware
-ReadNotify
-WhoReadMe
-MSGTAG
-Trace Email
-Zendio
Foot Printing: Locate Network Range
Find the range of IP addresses using the ARIN whois database search tool. Can find the range of IPs and subnet mask used by the target organization from the RIR (Regional Internet Registry).
Footprinting Tools: FOCA & Recon-Dog
FOCA (Fingerprinting Organizations with Collected Archives) - finds metadata and hidden info in the documents it scans
Recon-Dog - an all-in-one tool that uses APIs to gather network info so your identity isn't compromised
Footprinting techniques
-Footprinting through search engines
-Footprinting through web services
-Footprinting through social networking sites
-Website footprinting
-Email footprinting
-Competitive intelligence
-Whois footprinting
-DNS footprinting
-Network footprinting
-Footprinting through social engineering
IANA
Internet Assigned Numbers Authority: Precursor to ICANN (Internet Corporation for Assigned Names and Numbers)
DNS MX record
Mail Exchange
-Identifies the email servers within your domain
-Points to the domain's mail server
whois
Maintained by Regional Internet Registries. Provides DNS details, contact info, NetRange, domain age, expiry records, last record update, and a network map. Assists hackers in gathering personal info for social engineering, creating a network map, and obtaining details of the target network.
DNS NS record
Name Server
-Defines the name servers within your namespace
-Points to the host's name server
Sublist3r
A Python script designed to enumerate subdomains of websites using OSINT.
Options: [-d DOMAIN] [-b BRUTEFORCE] [-p PORTS] [-v VERBOSE] [-t THREADS] [-e ENGINES] [-o OUTPUT] [-h HELP]
-h shows the help message
RIR's
Regional Internet Registry:
-ARIN (American Registry for Internet Numbers) = Canada, Caribbean, USA
-APNIC (Asia-Pacific Network Information Center) = Asia and Pacific
-RIPE (Réseaux IP Européens) = Europe, Middle East, parts of Central Asia/North Africa
-LACNIC (Latin America and Caribbean Network Information Center) = Latin America/Caribbean
-AfriNIC (African Network Information Center) = Africa
DNS RP record
Responsible Person
DNS SRV Record
Service:
-Defines the hostname/port of a service
Zone Transfer
The act of copying a primary name server's zone file
Competitive Intelligence
The information gathered by a business entity about its competitors' customers, products, and marketing
Footprinting: Groups, Forums, Blogs
They provide public network info, system info, and personal info.
Search for information by:
-Fully Qualified Domain Names (FQDNs)
-IPs
-Usernames
Sources: Google Groups, Yahoo Groups
-Register with fake profiles and social engineer the organization's employees
Monitoring Web Pages for Updates and Changes
Tools:
-WebSite-Watcher - helps to track websites for updates and automatic changes. When an update or change occurs, WebSite-Watcher automatically detects it and saves the last two versions onto your disk
-VisualPing
-Follow That Page
-WatchThatPage
-OnWebChange
-InfoMinder
-UpdateScanner
-Versionista
Windows way of tracing packets
tracert
-d: do not resolve addresses to hostnames
-h maximum_hops: maximum number of hops to search for the target
-j host-list: loose source route along host-list (IPv4 only)
-w timeout: wait timeout milliseconds for each reply
-R: trace round-trip path (IPv6 only)
-S srcaddr: source address to use (IPv6 only)
-4: force using IPv4
-6: force using IPv6
DNS TXT record
Unstructured text records
Advanced Google Hacking Techniques
Uses advanced search operators to find sensitive or hidden information pointing to vulnerabilities: [cache:], [link:], [info:], [site:], [intitle:], [inurl:] and more.
Web Spider politeness
Whether or not the spider honors the robots.txt file, which protects vulnerable parts of websites from crashing due to high load
Footprinting: Traceroute
Works on the concept of the ICMP protocol, using the TTL field in the header of the ICMP packet to discover routers in the path. Extracts info about network topology, trusted routers, and firewall locations.
Tools:
-Path Analyzer Pro - delivers network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues. It shows the route from source to destination graphically.
-VisualRoute
-Geo Spider
-Trout, etc.
Network Information
Gathered by performing Whois database analysis, trace routing, and so on.
Information collected:
o Domain and sub-domains
o Network blocks
o IP addresses of the reachable systems
o Whois record
o DNS records and related information
System Information
Gathered by performing network footprinting, DNS footprinting, website footprinting, email footprinting, and so on.
Information collected:
o Web server OSes
o Location of web servers
o Users and passwords, and so on
Extracting Metadata of Public Documents
Hidden information in public documents that can be analyzed to obtain information such as the title of the page, description, keywords, creation/modification date and time of the content, and usernames and e-mail addresses of employees of the target organization.
Tools:
-Metagoofil - extracts metadata of public documents (pdf, doc, xls, ppt, docx, pptx, and xlsx) belonging to a target company
-ExtractMetadata
-FOCA
-Meta Tag Analyzer
-BuzzStream
-Analyse Metadata
-ExifTool
-Web Data Extractor
Organization Information
Information about an organization is available from its website.
Information collected:
o Employee details (names, contact addresses, designation, and work experience)
o Mobile/telephone numbers
o Location details
o Background of the organization
o Web technologies
o News articles, press releases, and related documents
SHODAN Search Engine
A computer search engine that searches the Internet for connected devices (routers, servers, and IoT). It can be used to discover which devices are connected to the Internet, where they are located and who is using them. Good for VoIP.
Active footprinting techniques
o Query published name servers of the target
o Extract metadata of published documents and files
o Gather website information using web spidering and mirroring tools
o Gather information through email tracking
o Perform Whois lookup
o Extract DNS information
o Perform traceroute analysis
o Perform social engineering
Footprinting Countermeasures
o Restrict employees from accessing social networking sites from the organization's network
o Configure web servers to avoid information leakage
o Educate employees to use pseudonyms on blogs, groups, and forums
o Do not reveal critical information in press releases, annual reports, product catalogues and so on
o Limit the amount of information that you publish on the website/Internet
o Use footprinting techniques to discover and remove any sensitive information that is publicly available
o Prevent search engines from caching web pages and use anonymous registration services
o Develop and enforce security policies such as an information security policy, password policy and so on to regulate the information that employees can reveal to third parties
o Separate internal and external DNS or use split DNS, and restrict zone transfers to authorized servers
o Disable directory listings on web servers
Passive footprinting techniques
o Search engines
o Top-level Domains (TLDs) and sub-domains through web services
o Social networking sites
o Financial services
o Job sites
o Monitor target using alert services
o Gather information using groups, forums, and blogs
o Determine the OS in use by the target organization
o Extract information about the target using Internet archives
o Competitive intelligence
o Monitor website traffic of the target
o Track the online reputation of the target
o Collect information through social engineering on social networking sites
OSRFramework
Provides a collection of scripts that can enumerate users, domains, and more across over 200 separate services: username checking, DNS lookups, deep web search and more.
Tools included:
-usufy.py
-mailfy.py
-searchfy.py
-domainfy.py
-phonefy.py
Linux way of tracing packets
traceroute
-4, -6: force IPv4/IPv6 tracerouting
-I: ICMP ECHO for probes
-T: TCP SYN for probes
-F: do not fragment packets
-m: max hops
-P: raw packet with the set protocol
-n: prevents mapping IPs to hostnames
