CEH Chapter 2 > Footprinting and Reconnaissance
HINFO
Host Information
NS
Host Name Server
PTR
IP-Host Mapping
WHOIS Lookup
A WHOIS lookup returns the registration data held for a domain name or an IP netblock: registrant and contact details, the registrar, creation and expiry dates, authoritative name servers, and netblock allocations. WHOIS is a simple text protocol on TCP port 43 and is also exposed through web front ends. Regional Internet Registries (RIRs) maintain the WHOIS databases for IP address space; domain registries and registrars hold the records for domain names. Privacy/proxy registration and GDPR redaction frequently blank the registrant fields, so the netblock and name server data is often the more reliable part of the answer.
Objectives of Footprinting
1. To know the security posture 2. To reduce the focus area 3. To identify vulnerabilities 4. To draw a network map
Lookup Results show a complete domain profile, including:
>Registrant information >Registrant organization >Registrant country >Domain name server information >IP address >IP location >ASN >Domain status >WHOIS history >IP history >Registrar history >Hosting history
Penetration testers or attackers can identify the following:
>When the company was established >Evolution of the company >Authority of the company >Background of the organization >Strategies and planning >Financial statistics >Other information
DNS Interrogation Tools
>http://www.dnsstuff.com >http://network-tools.com >http://www.kloth.net >http://www.mydnstools.info >http://www.nirsoft.net >http://www.dnswatch.info >http://www.domaintools.com >http://www.dnsqueries.com >http://www.ultratools.com >http://www.webmaster-toolkit.com
African Network Information Centre
AFRINIC > Africa
Asia-Pacific Network Information Centre
APNIC > Asia, Australia, New Zealand and neighbouring countries
American Registry for Internet Numbers
ARIN > United States, Canada, several parts of the Caribbean Region and Antarctica
Tracking Email from an Email Header
An email can be traced through its headers. Every mail server that handles a message prepends a Received header, so reading the Received headers from the bottom up follows the message hop by hop, giving the IP address, host name, and timestamp of each relay (and, through IP geolocation, an approximate location). Several online services and desktop applications automate this analysis.
Extract Website Information
Archive.org (the Internet Archive's Wayback Machine) is an online service that provides archived versions of websites, which reveals old pages, removed files, and earlier site structure. The site summary includes MIME-type counts, summaries per TLD/host/domain, a sitemap of captured URLs with their dates, calendar views of captures, and other information.
Gathering Information from Financial Services
By just searching for your target organization, you can obtain their financial information. Service providers are Google (www.google.com/finance) and Yahoo (finance.yahoo.com).
CNAME
Canonical Name record; maps an alias to the canonical host name
Competitive Intelligence
Competitive Intelligence is the process of collecting and analysing information about competitors from publicly available resources. It is non-intrusive, because it draws only on information the organization publishes or that is otherwise open. Some primary sources of competitive intelligence are: >Official Websites >Job Advertisements >Press Releases >Annual Reports >Product Catalogs >Analysis Reports >Regulatory Reports >Agents, Distributors, and Suppliers
DNS Footprinting
DNS lookup information is helpful for identifying a host within a targeted network.
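As an added example (not part of these CEH notes), the following Python script turns DNS answers gathered during footprinting, in the zone-file style that `dig` prints, into a host inventory covering the record types listed on this page (SOA, NS, MX, A, CNAME, SRV, TXT, HINFO, RP, PTR). The records are constructed sample data for the reserved domain example.com and the documentation IP ranges; netblocks() groups the discovered addresses into /24s ready for a WHOIS/RIR lookup.

```python
"""Turn DNS answers collected during footprinting into a host inventory.

Added example for this page (not CEH or vendor code).  The input is text in
`dig` presentation format (owner TTL class type rdata...), which is what a
zone transfer or a series of lookups yields.  SAMPLE_RECORDS is constructed
data for the reserved domain example.com and documentation IP ranges.
"""
import ipaddress
import shlex
from collections import defaultdict

SAMPLE_RECORDS = """
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN NS    ns2.example.com.
example.com.            3600 IN MX    20 mail2.example.com.
example.com.            3600 IN MX    10 mail.example.com.
example.com.            3600 IN TXT   "v=spf1 mx ip4:192.0.2.0/24 -all"
example.com.            3600 IN A     192.0.2.10
www.example.com.        3600 IN CNAME example.com.
mail.example.com.       3600 IN A     192.0.2.25
mail2.example.com.      3600 IN A     198.51.100.25
ns1.example.com.        3600 IN A     192.0.2.53
ns2.example.com.        3600 IN A     198.51.100.53
vpn.example.com.        3600 IN A     203.0.113.7
_sip._tcp.example.com.  3600 IN SRV   10 60 5060 sip.example.com.
sip.example.com.        3600 IN A     192.0.2.60
legacy.example.com.     3600 IN HINFO "Sun-3" "UNIX"
legacy.example.com.     3600 IN RP    admin.example.com. admin-info.example.com.
25.2.0.192.in-addr.arpa. 3600 IN PTR  mail.example.com.
"""


def _name(label):
    """Strip the trailing dot of an absolute DNS name and normalise case."""
    return label.rstrip(".").lower()


def mailbox_to_email(rname):
    """SOA RNAME / RP mailbox 'hostmaster.example.com.' -> 'hostmaster@example.com'."""
    return _name(rname).replace(".", "@", 1)


def parse_records(text):
    """Return (owner, type, rdata_fields) tuples; quoted rdata (TXT, HINFO) stays intact."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = shlex.split(line)          # honours the quotes around TXT/HINFO strings
        owner, _ttl, _class, rtype = fields[:4]
        records.append((_name(owner), rtype.upper(), fields[4:]))
    return records


def build_inventory(records):
    """Map each record type on this page to what it tells the tester."""
    inv = {"soa": None, "name_servers": set(), "mail_servers": [], "hosts": defaultdict(set),
           "aliases": {}, "services": [], "txt": [], "hinfo": {}, "rp": {}, "ptr": {}}
    for owner, rtype, rd in records:
        if rtype == "SOA":        # authority for the zone plus the admin mailbox
            inv["soa"] = {"primary_ns": _name(rd[0]), "contact": mailbox_to_email(rd[1]), "serial": int(rd[2])}
        elif rtype == "NS":
            inv["name_servers"].add(_name(rd[0]))
        elif rtype == "MX":       # (preference, host); lowest preference is tried first
            inv["mail_servers"].append((int(rd[0]), _name(rd[1])))
        elif rtype == "A":
            inv["hosts"][owner].add(rd[0])
        elif rtype == "CNAME":
            inv["aliases"][owner] = _name(rd[0])
        elif rtype == "SRV":      # owner encodes _service._proto; rdata = priority weight port target
            inv["services"].append((owner, int(rd[2]), _name(rd[3])))
        elif rtype == "TXT":
            inv["txt"].append(" ".join(rd))
        elif rtype == "HINFO":    # (CPU, OS) as declared by the zone admin
            inv["hinfo"][owner] = (rd[0], rd[1])
        elif rtype == "RP":
            inv["rp"][owner] = mailbox_to_email(rd[0])
        elif rtype == "PTR":
            inv["ptr"][owner] = _name(rd[0])
    inv["mail_servers"].sort()
    return inv


def canonical(name, aliases):
    """Follow a CNAME chain to its canonical name, refusing to loop forever."""
    seen = set()
    while name in aliases and name not in seen:
        seen.add(name)
        name = aliases[name]
    return name


def netblocks(inv, prefix=24):
    """Group every A-record address into /prefix blocks: the input for WHOIS/RIR netblock lookups."""
    ips = {ip for addrs in inv["hosts"].values() for ip in addrs}
    return sorted({str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips})


if __name__ == "__main__":
    inventory = build_inventory(parse_records(SAMPLE_RECORDS))
    print("zone contact:", inventory["soa"]["contact"])
    print("mail servers:", inventory["mail_servers"])
    print("www ->", canonical("www.example.com", inventory["aliases"]))
    print("netblocks to WHOIS:", netblocks(inventory))
```

Run it as-is to see the inventory; to use real data, paste the output of `dig @ns1.target.tld axfr target.tld` or of individual lookups into SAMPLE_RECORDS. A zone transfer that succeeds against an external name server is itself a finding worth reporting.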
MX
Domain's Mail Server
Dumpster Diving
Dumpster Diving is the search for valuable material in a target's trash. The technique is old but still effective. It includes going through printer output bins, user desks, and company waste to find phone bills, contact lists, financial information, source code, and other useful material.
Eavesdropping
Eavesdropping is a type of Social Engineering footprinting in which the social engineer gathers information by covertly listening to conversations. This includes listening, reading, and accessing any source of information without being detected.
Email Footprinting
Email plays an essential role in running an organization's business. It is one of the most popular, widely used, professional methods of communication and every organization uses it to communicate with partners, employees, competitors, contractors, and other people involved in its daily business. PoliteMail is a handy tool for email footprinting: it tracks email communication (delivery, opens, link clicks) from within Microsoft Outlook. Tracing an email through its headers can reveal the following: >Destination address >Sender's IP address >Sender's mail server >Time and date information for each hop >Authentication results (SPF, DKIM, DMARC) recorded by the receiving mail server.
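An added example (not PoliteMail or CEH code) for the header tracing described here and under Tracking Email from an Email Header: it walks the Received headers of a constructed message from the bottom (first hop) to the top (final delivery), pulls out each relay's IP address, reverse DNS name, receiving server and timestamp, and reads the SPF/DKIM/DMARC verdicts. The domains and addresses are reserved documentation values, and the mismatch between the From: domain and the path the mail actually took is built into the sample.

```python
"""Trace an email hop by hop from its Received headers.

Added example for this page, not PoliteMail or CEH code.  RAW_MESSAGE is a
constructed message (reserved .example domains, documentation IP ranges) in
which the From: domain does not match the path the mail actually took.
"""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

RAW_MESSAGE = b"""\
Received: from mx1.victim.example (mx1.victim.example [192.0.2.25])
\tby inbox.victim.example with ESMTP id k1; Mon, 04 Mar 2024 10:15:42 +0000
Received: from mail.attacker.example (unknown [203.0.113.45])
\tby mx1.victim.example (Postfix) with ESMTPS id abc123
\tfor <alice@victim.example>; Mon, 04 Mar 2024 10:15:40 +0000
Received: from [10.0.0.7] (helo=laptop)
\tby mail.attacker.example with esmtpa id xyz; Mon, 04 Mar 2024 10:15:38 +0000
Authentication-Results: mx1.victim.example;
\tspf=fail smtp.mailfrom=partner.example; dkim=none; dmarc=fail header.from=partner.example
From: "Partner Billing" <billing@partner.example>
To: alice@victim.example
Subject: Invoice overdue
Date: Mon, 04 Mar 2024 10:15:37 +0000
Message-ID: <20240304101537.1@laptop>

Please see the attached invoice.
"""

# Received: from <helo-name> (<rdns> [<ip>]) by <receiver> ... ; <timestamp>
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the sender announced in HELO/EHLO
    r"(?:\s+\((?P<seen>[^)]*)\))?"     # what the receiving MTA actually saw
    r".*?\bby\s+(?P<by>\S+)"           # the MTA that wrote this header
    r".*?;\s*(?P<date>.+)$",
    re.S,
)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# RFC 1918, loopback and link-local: hops inside the sender's own network.  Checked explicitly
# because ipaddress.is_private also flags the documentation ranges used in this sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unfold(value):
    """Join folded continuation lines of a header into one logical line (RFC 5322 3.2.2)."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def trace_hops(raw):
    """Return the hops in chronological order: the bottom Received header is the first hop."""
    msg = email.message_from_bytes(raw)
    hops, previous = [], None
    for value in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(unfold(value))
        if not m:                      # non-standard Received line: skip rather than abort
            continue
        seen = m.group("seen") or ""
        ip_match = IPV4_RE.search(seen) or IPV4_RE.search(m.group("helo"))
        ip = ip_match.group(1) if ip_match else None
        when = parsedate_to_datetime(m.group("date"))
        hops.append({
            "helo": m.group("helo").strip("[]"),
            "rdns": seen.split("[")[0].strip() if "[" in seen else None,
            "ip": ip,
            "by": m.group("by"),
            "time": when,
            # seconds since the previous hop; large gaps hint at queuing or a forged header
            "delay_s": (when - previous).total_seconds() if previous else 0.0,
            "internal": bool(ip) and is_internal(ip),
        })
        previous = when
    return hops


def originating_ip(hops):
    """First non-internal address on the path: the sender's Internet-facing IP."""
    for hop in hops:
        if hop["ip"] and not hop["internal"]:
            return hop["ip"]
    return None


def auth_results(raw):
    """SPF/DKIM/DMARC verdicts the receiving mail server recorded."""
    msg = email.message_from_bytes(raw)
    results = {}
    for value in msg.get_all("Authentication-Results") or []:
        results.update((k.lower(), v.lower()) for k, v in AUTH_RE.findall(unfold(value)))
    return results


if __name__ == "__main__":
    path = trace_hops(RAW_MESSAGE)
    for h in path:
        print(f"{h['time']:%H:%M:%S}  {h['ip'] or '?':>15} -> {h['by']:<22} +{h['delay_s']:.0f}s  rdns={h['rdns']}")
    print("originating IP:", originating_ip(path))
    print("authentication:", auth_results(RAW_MESSAGE))
```

Only the Received header written by your own mail server (the topmost one) is trustworthy; everything below it was supplied by the sending side and can be forged, which is why the script also reads the receiver's Authentication-Results rather than trusting the From: address.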
Countermeasures of Footprinting
Footprinting countermeasures include the following: >Restrict employees' access to social networking sites from the corporate network >Configure devices and servers to avoid data leakage (version banners, verbose error pages, document metadata) >Provide education, training, and awareness regarding footprinting, its impact, methodologies, and countermeasures to employees >Avoid revealing sensitive information in annual reports, press releases, etc. >Prevent search engines from caching web pages (robots.txt and noarchive directives)
Competitive Intelligence Gathering
For competitive information, you should visit websites like EDGAR, LexisNexis, Business Wire, and CNBC.
Google Hacking Database (GHDB)
Google hacking, also known as "Google Dorking", uses advanced search operators to find exposed files, login pages, error messages, and misconfigured systems that Google has indexed within an organization's network and systems. The Google Hacking Database (GHDB), hosted on Exploit-DB, is a categorised collection of such ready-made queries ("dorks").
Monitoring a Target Using Alerts
Google, Yahoo, and other alert services offer content monitoring services through an alert feature that notifies the subscriber about the latest and up-to-date information related to the subscribed topic.
Gathering Information Using Groups, Forums, and Blogs
Groups, forums, blogs, and communities can be a great source of sensitive information. Joining these platforms under a fake identity and gaining access to the target organization's group is not difficult these days. Any official or unofficial group can become a source of sensitive information leakage.
Footprinting Methodology
Hackers often use the following techniques for gathering information: >Search Engines >Advanced Google Hacking Techniques >Social Networking Sites >Websites >Email >Competitive Intelligence >WHOIS >DNS >Network >Social Engineering
Shoulder Surfing
In Shoulder Surfing, information is collected by standing behind a target when he is dealing with sensitive information. By using this technique, passwords, account numbers, or other secret information can be gathered, depending upon the carelessness of the target.
Footprinting through Social Engineering
In footprinting, one of the easiest components to hack is the human being itself. Information can be collected from people quite easily with social engineering. Some basic social engineering techniques are: >Eavesdropping >Shoulder Surfing >Dumpster Diving >Impersonation
Phishing
In Phishing, emails sent to a targeted group contain messages that look legitimate. The recipient clicks the link in the email, assuming it is legitimate, and is redirected to a fake webpage that looks like an official website. For example, the recipient may be redirected to a fake bank webpage that asks for sensitive information. Similarly, clicking the link may download a malicious script onto the recipient's system to fetch information.
SOA
Start of Authority; identifies the primary name server and administrator mailbox for the zone, plus the zone serial number and the refresh/retry/expire/minimum TTL timers
People update their statuses
Information: >Most recent personal information >Most recent location >Information about family & friends >Activities & interests >Technology-related information >Upcoming events information
What the attacker achieves: >Platform & technology-related information >Target location >List of employees / friends / family >Nature of business
People maintain their profiles
Information: >Photo of the target >Contact number >Email address >Date of birth >Location >Work details
What the attacker achieves: >Personal information about the target, including personal details, photo, etc. >Material for social engineering
Internet Footprinting
Internet Footprinting includes footprinting and reconnaissance methods for collecting information through the internet. Popular options for internet footprinting include the Google hacking database, Google Advanced Search, and some other search engines.
Latin America and Caribbean Network Information Centre
LACNIC > Latin America and parts of the Caribbean region
Reseaux IP Europeens Network Coordination Centre
RIPE NCC > Europe, Russia, the Middle East and Central Asia
Maltego
Maltego is a data mining tool developed by Paterva. This interactive tool gathers data and shows the results as graphs for analysis. Its main purpose is the online investigation of relationships between pieces of information obtained from various sources on the internet. Using transforms, Maltego automates gathering information from different data sources and represents the results as a node-based graph. Three versions of the Maltego client are available: >Maltego CE >Maltego Classic >Maltego XL
Mirroring an Entire Website
Mirroring a website is the process of replicating the entire website into a local directory (for example with HTTrack or wget). Downloading a complete copy lets the attacker inspect the site, its directories and structure, HTML comments, and client-side code offline, and look for vulnerabilities in the copy without generating further traffic against the target.
Footprinting through Job Sites
On Job Sites, organizations that offer job vacancies provide their organization's information and portfolio as well as the job post. This information includes the company's location, industry information, contact information, the number of employees, job requirements, and hardware and software information. Similarly, personal information can be collected from a targeted individual by posting a fake job vacancy on such sites. Some of the most popular job sites are: >www.linkedIn.com >www.monster.com >www.indeed.com >www.careerbuilder.com
Network Footprinting
Network Footprinting is one of the most important types of footprinting. It maps the target's network: its IP address ranges and netblocks (from WHOIS/RIR lookups), reachable hosts, and the route to them (traceroute). Several tools automate gathering this information about the target network.
Email Tracking Tools
Popular Email Tracking tools are as follows: >Polite Mail >Email Tracker Pro >Email Lookup >Yesware >Who Read Me >Contact Monkey >Read Notify >Did They Read It >Get Notify >Point of Mail >Trace Email >G-Lock Analytics
Recon-ng
Recon-ng is a full-featured web reconnaissance framework for open-source information gathering. It is written in Python and is built around independent modules, a backend database for collected results, and a command interface modelled on Metasploit. Originally hosted on Bitbucket, the project now lives on GitHub (github.com/lanmaster53/recon-ng). It ships with Kali Linux but runs on any system with Python; Kali is not a requirement.
RP
Responsible Person
site:
Search for the results in the given domain
SRV
Service Records
Social Engineering
Social Engineering in information security refers to the psychological manipulation of people into disclosing information or performing actions. Social networking platforms are a common channel: information gathered there is used to get closer to the target and to make later pretexts convincing.
Social Engineering
Social Engineering is the art of extracting sensitive information from people. Social Engineers play with human psychology and trick people into sharing their valuable information.
Google Advanced Search Operators
Some advanced operators can be used to modify a search for a specific topic using search engines. These advanced search operators make the search more focused and appropriate to a task.
Online People Search Services
Some of these websites include: >www.privateeye.com >www.peoplesearchnow.com >www.publicbackgroundchecks.com >www.anywho.com >www.intelius.com >www.411.com >www.peoplefinders.com
FOCA stands for Fingerprinting Organizations with Collected Archives.
The FOCA tool finds metadata and other hidden information in documents published on a website: it locates documents through search engines (Google, Bing, and DuckDuckGo), downloads them, and extracts metadata such as usernames, software versions, internal paths, and printer names. FOCA supports many document types, including Open Office, Microsoft Office, Adobe InDesign, PDF, SVG, etc.
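What FOCA extracts can be reproduced by hand. The following added example (not FOCA's code) builds two constructed documents in memory, a minimal .docx package and a small PDF with an uncompressed Info dictionary, then pulls out the authors, last editor, company name and the software versions that produced them, and aggregates the usernames and software across the set the way FOCA does. It uses only the Python standard library; the XML and PDF fixtures are constructed for this example.

```python
"""Pull author/software metadata out of documents, the way FOCA does.

Added example for this page; it is not FOCA's code.  Two constructed sample
documents are built in memory: a minimal OOXML (.docx) package and a tiny PDF
whose Info dictionary is uncompressed.  Real PDFs often keep Info inside
compressed object streams, so the regex path is a best-effort shortcut; the
OOXML path reads exactly what every Office file exposes under docProps/.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Q3 Network Plan</dc:title>
 <dc:creator>jsmith</dc:creator>
 <cp:lastModifiedBy>CORP\\a.jones</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2023-11-02T09:12:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2024-01-15T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <AppVersion>16.0000</AppVersion>
 <Company>Example Corp</Company>
 <Template>Normal.dotm</Template>
</Properties>"""

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Title (Vendor Contract) /Author (m.brown) /Creator (Microsoft Word 2016)
   /Producer (Acrobat Distiller 11.0) /CreationDate (D:20231102091200Z) >>
endobj
trailer
<< /Info 1 0 R >>
%%EOF
"""

PDF_INFO_RE = re.compile(rb"/(Title|Author|Creator|Producer|CreationDate|ModDate)\s*\(([^)]*)\)")


def build_sample_docx():
    """Assemble the smallest zip that carries Office metadata (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def extract_ooxml_metadata(data):
    """Read docProps/core.xml and docProps/app.xml from a .docx/.xlsx/.pptx package."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in z.namelist():
                continue                                  # sanitised documents may lack a part
            for elem in ET.fromstring(z.read(part)).iter():
                local = elem.tag.rsplit("}", 1)[-1]       # drop the XML namespace
                if elem.text and elem.text.strip():
                    meta[local] = elem.text.strip()
    return meta


def extract_pdf_metadata(data):
    """Grab literal-string entries from an uncompressed PDF Info dictionary."""
    return {k.decode(): v.decode("latin-1") for k, v in PDF_INFO_RE.findall(data)}


def extract_metadata(data):
    """Dispatch on the file signature rather than the extension, which can lie."""
    if data.startswith(b"PK\x03\x04"):
        return extract_ooxml_metadata(data)
    if data.startswith(b"%PDF"):
        return extract_pdf_metadata(data)
    return {}


def harvest(documents):
    """Aggregate usernames and producing software across a document set: FOCA's core output."""
    users, software = set(), set()
    for data in documents:
        meta = extract_metadata(data)
        for key in ("creator", "lastModifiedBy", "Author"):   # OOXML dc:creator/cp:lastModifiedBy, PDF /Author
            if meta.get(key):
                users.add(meta[key])
        for key in ("Creator", "Producer"):                   # PDF producing applications
            if meta.get(key):
                software.add(meta[key])
        if meta.get("Application"):                           # OOXML app.xml
            software.add(f"{meta['Application']} {meta.get('AppVersion', '')}".strip())
    return {"users": users, "software": software}


if __name__ == "__main__":
    result = harvest([build_sample_docx(), SAMPLE_PDF])
    print("usernames leaked:", sorted(result["users"]))
    print("software in use: ", sorted(result["software"]))
```

The harvested usernames (including the DOMAIN\user form that Office records) feed directly into password-spraying and phishing pretexts, and the AppVersion/Producer strings tell you which client software to target, which is why stripping docProps/ before publishing is part of the countermeasures above.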
A
The Host's IP Address
Tracking the Online Reputation of the Target
The reputation of an organization can be monitored through online services. Online Reputation Management (ORM) services track mentions of the organization across search results, news, review sites, and social media, and work to influence how it is perceived; to an attacker the same feeds show complaints, incidents, and disgruntled employees.
Monitoring a Target Company's Website Traffic
Website traffic monitoring and statistics tools are widely used by developers, attackers, and penetration testers to check a site's statistics, such as visitor volume, ranking, traffic sources, and uptime.
Traceroute
Traceroute (`traceroute` on Unix-like systems, `tracert` on Windows) is available on every operating system as a command line tool; visual, graphical, and other GUI-based traceroute applications also exist. It traces the path from source to destination hop by hop by sending probes with increasing TTL values and recording which router returns each ICMP Time Exceeded message. The result lists every hop between source and destination together with the round-trip latency to each. Unix traceroute sends UDP probes by default (`-I` switches to ICMP) while Windows tracert uses ICMP echo; a hop shown as `*` filtered or rate-limited its replies and is not necessarily down.
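Added example (not a vendor tool) that parses the two traceroute output formats a tester meets, Unix traceroute and Windows tracert, from constructed sample runs, then flags the silent hops and the point on the path where latency jumps. Both samples use documentation and RFC 1918 addresses and are made up for this example.

```python
"""Parse traceroute/tracert output into hops, flagging silent hops and latency jumps.

Added example for this page (not a vendor tool).  SAMPLE_LINUX and
SAMPLE_WINDOWS are constructed outputs in the two formats a tester meets
(Unix traceroute, Windows tracert); the addresses are documentation ranges.
"""
import re

SAMPLE_LINUX = """traceroute to vpn.example.com (203.0.113.7), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.512 ms  0.498 ms  0.470 ms
 2  10.20.0.1 (10.20.0.1)  8.214 ms  8.102 ms  8.330 ms
 3  core1.isp.example.net (198.51.100.9)  9.871 ms  9.650 ms  9.702 ms
 4  * * *
 5  border.example.com (203.0.113.1)  88.412 ms  87.990 ms  88.201 ms
 6  vpn.example.com (203.0.113.7)  89.004 ms  88.877 ms  88.912 ms
"""

SAMPLE_WINDOWS = """Tracing route to vpn.example.com [203.0.113.7]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     8 ms     8 ms     9 ms  10.20.0.1
  3     *        *        *     Request timed out.
  4    88 ms    87 ms    88 ms  border.example.com [203.0.113.1]
  5    89 ms    88 ms    89 ms  vpn.example.com [203.0.113.7]

Trace complete.
"""

HOP_LINE_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
RTT_RE = re.compile(r"(<?\d+(?:\.\d+)?)\s*ms")
# "host (ip)" on Unix, "host [ip]" on Windows
HOST_RE = re.compile(r"([A-Za-z0-9.-]+)\s+[\(\[]\d{1,3}(?:\.\d{1,3}){3}[\)\]]")


def parse_traceroute(text):
    """Return one dict per hop; handles both Unix traceroute and Windows tracert output."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE_RE.match(line)
        if not m or (" ms" not in line and "*" not in line):
            continue                                   # banner, blank line, "Trace complete."
        rest = m.group(2)
        ip = IPV4_RE.search(rest)
        host = HOST_RE.search(rest)
        # Windows prints "<1 ms" for sub-millisecond replies: record the 1 ms upper bound
        rtts = [float(r.lstrip("<")) for r in RTT_RE.findall(rest)]
        hops.append({
            "hop": int(m.group(1)),
            "ip": ip.group(1) if ip else None,
            "host": host.group(1) if host else None,
            "rtts_ms": rtts,
            "min_ms": min(rtts) if rtts else None,
            "timeout": ip is None,                     # no router answered any probe
        })
    return hops


def silent_hops(hops):
    """Hop numbers that never answered: ICMP filtered or rate-limited, not necessarily down."""
    return [h["hop"] for h in hops if h["timeout"]]


def latency_jumps(hops, threshold_ms=50.0):
    """(from_hop, to_hop, delta_ms) where the minimum RTT rises by more than threshold_ms,
    typically a long-haul link, i.e. where the path leaves the local region."""
    jumps, last = [], None
    for h in hops:
        if h["min_ms"] is None:
            continue
        if last is not None and h["min_ms"] - last["min_ms"] > threshold_ms:
            jumps.append((last["hop"], h["hop"], round(h["min_ms"] - last["min_ms"], 3)))
        last = h
    return jumps


def reached(hops, target_ip):
    """True when the last responding hop is the destination itself (probes were not filtered en route)."""
    answered = [h for h in hops if not h["timeout"]]
    return bool(answered) and answered[-1]["ip"] == target_ip


if __name__ == "__main__":
    for label, sample in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        hops = parse_traceroute(sample)
        print(label, "silent hops:", silent_hops(hops), "jumps:", latency_jumps(hops),
              "reached:", reached(hops, "203.0.113.7"))
```

The last hop before the target (border.example.com in the samples) is usually the organization's edge router or firewall, and the jump in latency just before it marks where the ISP hands traffic over; both belong on the network map this chapter's objectives call for.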
TXT
Unstructured Records
Determining the Operating System
Using websites such as Netcraft.com can also help in searching for Operating Systems that are in use by the targeted organizations. Simply go to the website www.netcraft.com and enter the target organization's official URL.
Website Footprinting
Website Footprinting includes monitoring and investigating the target organization's official website for gaining information such as the software being used, the versions of this software, Operating Systems, sub-directories, database, scripting information, and other details.
Footprinting
means gathering every possible piece of information related to the target and target network. The collected information helps in identifying different possible ways to enter into the target network. Usually, information is gathered from both public and secret sources.
Finding a Company's Public and Restricted Websites
An attacker also collects information about an organization's official website, including its public and restricted URLs. The official website's URL can simply be obtained through search engines as previously explained. To find restricted (unlinked or unindexed) URLs, however, the attacker has to use services that fetch information about websites, such as www.netcraft.com.
cache:
display the web pages stored in the cache
Footprinting through Search Engines
extracts information from the internet about any subject. Open a web browser and use a search engine such as Google or Bing to search for the target; the results surface every piece of information the engine has indexed about it.
OnWebChange
http://onwebchange.com
Page2RSS
http://page2rss.com
Black Widow
http://softbytelabs.com
NCollector Studio
http://www.calluna-software.com
Change Detection
http://www.changedetection.com
Follow That Page
http://www.followthatpage.com
GNU Wget
https://www.gnu.org/software/wget/
Hooeey Webprint
http://www.hooeeywebprint.com
Infominder
http://www.infominder.com
Offline Explorer Enterprise
http://www.metaproducts.com
Portable Offline Browser
http://www.metaproducts.com
Monitis
http://www.monitis.com/
PageNest
http://www.pagenest.com
Backstreet Browser
http://www.spadixbd.com
Surf offline Professional
http://www.surfoffline.com/
Teleport Pro
http://www.tenmax.com
Website Ripper Copier
http://www.tensons.com
Watch That Page
http://www.watchthatpage.com
Check4Change
https://addons.mozilla.org
LexisNexis
https://risk.lexisnexis.com
Alexa
https://www.alexa.com/
Win HTTrack Website Copier
https://www.httrack.com/page/2/
EDGAR
https://www.sec.gov/edgar.shtml
Web-Stat
https://www.web-stat.com/
Pseudonymous Footprinting
is the collection of information about a target through online sources. In Pseudonymous footprinting, information about a target is published on the internet by someone other than the target. This information is shared without real credentials in order to avoid being traced to the actual source of the information.
link:
list the websites with a link to a specific web page
intext:
search for documents containing a specific keyword
inurl:
search for documents containing a specific keyword in URL
intitle:
search for documents containing a specific keyword in the title
related:
search for similar web pages
allintext:
search for websites containing a specific keyword
allinurl:
search for websites containing a specific keyword in URL
allintitle:
search for websites containing a specific keyword in the title
Web Spiders or Web Crawlers
the internet bots used to perform regular and automated browsing on the World Wide Web. This crawling on a targeted website gathers specific information such as names and email addresses.
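Added example, not from any product: a small crawler that stays on the start host, follows links breadth-first, copes with missing pages and fragment-only links, and harvests e-mail addresses from page text, mailto: links, inline scripts and "[at]"/"[dot]" obfuscation. The website it crawls is a constructed in-memory dictionary (reserved example domains) so it runs offline; fetch_from_site() is the stand-in for an HTTP GET.

```python
"""Crawl a site and harvest the e-mail addresses a spider can reach.

Added example for this page, not a product's code.  SITE is a constructed
in-memory website (reserved example domains) so the crawler runs offline;
replace fetch_from_site() with an HTTP fetch (urllib.request) to run it
against a target you are authorised to test.  Standard library only.
"""
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

SITE = {
    "https://www.example.com/": """<html><body>
      <a href="/about">About</a> <a href="/team">Team</a> <a href="/about#history">History</a>
      <a href="https://partner.example.net/">Partner site</a></body></html>""",
    "https://www.example.com/about": """<html><body>Media: <a href="mailto:press@example.com?subject=Hi">press</a>
      <a href="/">Home</a> <a href="/careers">Careers</a></body></html>""",
    "https://www.example.com/team": """<html><body><p>Jane Doe, CTO &lt;jane.doe@example.com&gt;</p>
      <p>Bob Lee, sysadmin: bob.lee [at] example [dot] com</p>
      <script>var support = "admin@example.com";</script></body></html>""",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def deobfuscate(text):
    """Undo the '[at]' / '(dot)' spelling people use to dodge harvesters."""
    text = re.sub(r"\s*[\[(]\s*at\s*[\])]\s*", "@", text, flags=re.I)
    return re.sub(r"\s*[\[(]\s*dot\s*[\])]\s*", ".", text, flags=re.I)


class PageParser(HTMLParser):
    """Collect every href and every text node, including script bodies."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def fetch_from_site(url):
    """Stand-in for an HTTP GET: returns the page body, or None for a 404."""
    return SITE.get(url)


def crawl(start, fetch, max_pages=100):
    """Breadth-first crawl confined to the start host; returns emails -> pages plus crawl stats."""
    host = urlparse(start).netloc
    queue, discovered = deque([start]), {start}
    emails, missing = {}, []
    while queue:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            missing.append(url)
            continue
        page = PageParser()
        page.feed(body)
        page.close()
        found = set(EMAIL_RE.findall(deobfuscate(" ".join(page.text))))
        for href in page.links:
            if href.lower().startswith("mailto:"):
                found.add(href[7:].split("?")[0])        # drop ?subject=... parameters
                continue
            nxt, _fragment = urldefrag(urljoin(url, href))   # "#history" is the same page
            if urlparse(nxt).netloc == host and nxt not in discovered and len(discovered) < max_pages:
                discovered.add(nxt)
                queue.append(nxt)
        for addr in found:
            emails.setdefault(addr.lower(), set()).add(url)
    return {"emails": emails, "discovered": sorted(discovered), "missing": missing}


if __name__ == "__main__":
    result = crawl("https://www.example.com/", fetch_from_site)
    for addr, pages in sorted(result["emails"].items()):
        print(f"{addr:<26} found on {', '.join(sorted(pages))}")
    print("not found (404):", result["missing"])
```

Note that the address inside the <script> block is harvested too: anything served to the browser is visible to a crawler, so "hiding" contacts in JavaScript is not a countermeasure.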
Collect Location
the physical location of the headquarters, its surroundings, the location of branch offices, and other related information can be collected from online mapping services. Some of the most popular are: >Google Earth >Google Maps >Bing Maps >Wikimapia >Yahoo Maps
Business Wire
www.businesswire.com/portal/site/home/
CNBC
www.cnbc.com
Hoovers
www.hoovers.com