CEH Module 2: Footprinting and Reconnaissance
Job site examples
Dice, LinkedIn and Simply Hired
"Config" intitle:"Index of" intext:vpn
Directory with keys of VPN servers (VPN Footprinting)
When did the company begin? How did it develop?
EDGAR Database, D & B Hoover's, LexisNexis, Business Wire
Geolocation tools help attackers find or locate______________________.
Entrances to buildings, security cameras, gates, places to hide, weak spots in perimeter fences etc.
__________ are used to search for files on FTP servers to
FTP search engines; retrieve critical files and directories about the target that reveal valuable information, such as business strategy, tax documents and employees personal records
Attackers create a ________________ and then use a ____________ to lure employees into revealing their sensitive information
Fake profile; False identity
______________ provide useful information about the target company, such as the market value of a company's shares, company profile, and competitor details
Financial services
Attackers can search _____________, to
Find valuable information about the operating systems, software, web servers, etc used by the target information
intitle:"SPA504G Configuration"
Finds Cisco SPA504G Configuration Utility for IP phones (VoIP footprinting)
"[main]" "enc_GroupPwd=" ext:txt
Finds Cisco VPN client passwords (encrypted but easily cracked) (VPN Footprinting)
inurl:/remote/login?lang=en
Finds FortiGate Firewall's SSL-VPN login portal (VPN Footprinting)
filetype:rcf inurl:vpn
Finds SonicWall Global VPN Client files containing sensitive information and login (VPN Footprinting)
intitle:"Sipura.SPA.Configuration" -.pdf
Finds configuration pages for online VoIP devices (VoIP footprinting)
filetype:pcf vpn OR Group
Finds publicly accessible profile configuration files (.pcf) used by VPN clients (VPN Footprinting)
inurl:/voice/advanced/ intitle:Linksys SPA configuration
Finds the Linksys VoIP router configuration page (VoIP footprinting)
Attackers use business profile sites to:
Gather important information about the target organizations, such as their location, addresses, contact information, and employee database
Passive Footprinting
Gathering information about a target without direct interaction
Active Footprinting
Gathering information about the target with direct interaction
Attackers can use _________ and ___________ to achieve the same precision as that of using the advanced operators but without typing or remembering the operators
Google Advanced Search; Advanced Image Search
Attackers use tools such as ________ to obtain the physical location of the target, which helps them to perform __________.
Google Earth, Google Maps and Wikimapia; social engineering and other non-technical attacks.
Attackers can use online tools such as ___________ to perform reverse image search.
Google Image Search, TinEye Reverse Image Search, and Yahoo Image Search
Tools such as __________ and __________, help attackers to track mentions of the organization's name, member names, website, or any people or projects.
Google alerts and Twitter alerts
financial services examples
Google finance, MSN Money, and Yahoo Finance
Attackers register with fake profiles in _____________ and try to join the target organization's employee groups, where they share personal and company information
Google groups, Yahoo groups
intitle:asterisk.management.portal web-access
Look for the Asterisk management portal (VoIP footprinting)
!Host=*.* intext:enc_userpassword=* ext:pcf
Looks for profile configuration files (.pcf), which contain user VPN profiles (VPN Footprinting)
IoT search engines gather information such as:
Manufacturer details, geographical location, IP address, host name and open ports
What do expert opinions say about the company?
SEMRush, AttentionMeter, ABI/INFORM Global, SimilarWeb
The deep web can be accessed by
Search engines like Tor Browser and The WWW Virtual Library
IoT search engine examples
Shodan, Censys, and Thingful
Attackers use meta search engines such as ___________ to _____________ such as ___________
Startpage and MetaGer; gather more detailed information about the target; images, videos, blogs, and news articles from different sources.
__________ provide an insight into different departments and business units in an organization.
Sub-domains
Enumerates subdomains across multiple services at once.
Sublist3r python script
Objectives of Footprinting
The objectives of footprinting are to: learn security posture, identify focus area, find vulnerabilities, map the network
Dark web or darknet
The subset of the deep web that enables anyone to navigate anonymously without being traced
Attackers track social media sites to
discover most shared content using hashtags or keywords, track accounts and URLs, email addresses, etc
SHODAN
Lets you find connected devices (routers, servers, IoT, etc.) using a variety of filters
Footprinting
the first step of any attack on information systems in which an attacker collects information about a target network for identifying various ways to intrude into the system
Attackers use automated tools such as _______________ and ____________________ to collect publicly available email addresses of the target organization that helps them perform social engineering and brute-force attacks.
theHarvester and Email Spider
Attackers use _____________ to perform enumeration on LinkedIn and find employees of the target company along with their job titles.
theHarvester tool
sources of competitive intelligence
Company websites and employment ads; search engines, internet, and online databases; press releases and annual reports; trade journals, conferences, and newspapers; patent and trademarks; social engineering employees; product catalogs and retail outlets; analyst and regulatory reports; customer and vendor interviews; agents, distributors, and suppliers
usenet newsgroup
A repository containing a collection of notes or messages on various subjects and topics that are submitted by users over the Internet
BuzzSumo
Advanced social search engine finds the most shared content for a topic, author or a domain
Monitoring targets using alerts
Alerts are content monitoring services that automatically provide up to date information based on your preference, usually via email or SMS
Google Hacking Database (GHDB)
An authoritative source for querying the ever widening reach of the Google Search engine
Google Dorks
Attackers use Google dorks in Google advanced search operators to extract sensitive information about their target, such as vulnerable servers, error messages, sensitive files, login pages, and websites
The dark web or darknet can be accessed by
Browsers such as TOR Browser, Freenet, GNUnet, I2P, and Retroshare
Information Gathering Using Business Profile Sites
Business profile sites contain the business information of companies located in a particular region, which includes their contact information and can be viewed by anyone.
Social media site trackers
BuzzSumo, Google Trend, Hashatit
filetype:pcf "cisco" "GroupPwd"
Cisco VPN files with Group Passwords for remote access (VPN Footprinting)
Deep Web
Consists of web pages and contents that are hidden and unindexed and cannot be located using traditional web browsers and search engines
Conducting location search on social media sites helps attackers:
In detecting the geolocation of the target
People search online services examples
Intelius, pipl, BeenVerified, Whitepages and PeekYou
Attackers collect information about the employees' ___________ to trick them into revealing more information.
Interests
_____________ crawl the internet for IoT devices that are publicly accessible.
IoT search engines
competitive intelligence gathering
Is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet
TOR Browser
It is used to access the deep and dark web where it acts as a default VPN for the user and bounces the network IP address through several servers before interacting with the web
Information acquired from job sites
Job requirements, employees' profile, hardware information, software information
What are the company's plans?
MarketWatch, The Wall Street Transcript, Alexa, Euromonitor
FTP search engine examples
NAPALM FTP Indexer and Global FTP Search Engine
Examples of Usenet newsgroups
Newshosting and Eweka
Tracking online reputation of the target
Online reputation management (ORM) is a process of monitoring a company's reputation on the Internet and taking certain measures to minimize the negative search results/reviews and thereby improve its brand reputation
Business profile site examples
Opencorporates and Crunchbase
Information obtained in footprinting
Organization information, network information, system information
Meta search engines use ______________ to ______________.
Other search engines (Google, Bing, Ask.com, etc.); produce their own results from the Internet
intitle:"D-link VIP Router" "Welcome"
Pages containing D-link login portals (VoIP footprinting)
intitle:"login page" "phone adapter configuration Utility"
Pages containing login portal (VoIP footprinting)
__________ provide people's names, addresses, contact details, date of birth, photographs, videos, profession, and so on.
People search online services
Censys
Provides a full view of every server and device exposed to the internet.
Groups, forums, and blogs provide sensitive information about a target, such as
Public network information, system information, and personal information.
___________ helps an attacker in tracking the original source and details of images, such as ____________
Reverse Image Search; photographs, profile pictures, and memes.
Attackers can further analyze the video content to gather hidden information such as ______________
Time/date and thumbnail of the video
Attackers use dark web searching tools such as _______________, to gather confidential information about the target including __________________________
Tor Browser and ExoneraTor; credit card details, passport information, identification card details, medical records, social media accounts, SSNs, etc
Attackers use ORM tracking tools to
Track a company's online reputation, search engine ranking information, email notifications when a company is mentioned online, and social news about the company
ORM tracking tools examples:
Trackur and Brand24
inurl:8080 intitle:"login" intext:"UserLogin" "English"
VoIP login portals (VoIP footprinting)
___________ and __________ footprinting can be done through SHODAN
VoIP; VPN
What users do: maintain profile
What attackers get: Contact info, location, etc
What users do: create events
What attackers get: activities
What organizations do: user surveys
What attackers get: business strategies
What users do: connect to friends, chat
What attackers get: friends list, friends' info etc
What users do: share photos and videos
What attackers get: identity of family members, interests, etc
What organizations do: recruitment
What attackers get: platform/technology
What organizations do: promote products
What attackers get: product profile
What organizations do: user support
What attackers get: social engineering
What organizations do: background check to hire employees
What attackers get: type of business
What users do: play games, join groups
What attackers get: Interests
You may find a company's sub-domain by trial and error or using a service such as
www.netcraft.com
Using video tools such as _____________, an attacker can reverse and convert video to text formats to extract critical information about the target.
YouTube DataViewer and EZGif
Video search engines such as __________________ allow attackers to search for video content related to the target
YouTube and Google Videos
Restricts the results to those websites containing all the search keywords in the title
[allintitle:]
Restricts the results to those containing all the search keywords in the URL
[allinurl:]
Displays web pages stored in the google cache
[cache:]
Presents some information that Google has about a particular web page
[info:]
Restricts the results to documents containing the search keyword in the title
[intitle:]
Restricts the results to documents containing the search keyword in the URL
[inurl:]
Lists web pages that have links to the specified webpages
[link:]
Finds information for a specific location
[location:]
Lists webpages that are similar to the specified web page
[related:]
Restricts the results to those websites in the given domain
[site:]