CEHv11 - Module Two

Searching for Contact Information, Email Addresses, and Telephone Numbers from Company Website

Attackers can search the target company's website to obtain crucial information about the company, such as the company's contact details, location, partner information, news, and links to other sites

Gathering Information Using Google Advanced Search and Advanced Image Search

Attackers can use Google Advanced Search and Advanced Image Search to achieve the same precision as that of using the advanced operators but without typing or remembering the operators Using Google's Advanced search option, attackers can find sites that may link back to the target organization's website

Traceroute Analysis

Attackers conduct traceroute to extract information about network topology, trusted routers, and firewall locations

Gathering Wordlist from the Target Website

Attackers gather a list of words available on the target website to brute-force the email addresses gathered through search engines, social networking sites, web spidering, etc. Attackers use CeWL tool to gather a list of words from the target website Use the following command to extract all the words available on the target website: cewl www.certifiedhacker.com

Reverse DNS Lookup

Attackers perform a reverse DNS lookup on IP ranges in an attempt to locate a DNS PTR record for those IP addresses Attackers use various tools, such as DNSRecon, to perform the reverse DNS lookup on the target host Attackers can also find the other domains that share the same web server, using tools such as Reverse IP Domain Check

General Resources for Locating Information from Social Media Sites

Attackers track social media sites using BuzzSumo, Google Trend, Hashatit, etc. to discover most shared content using hashtags or keywords, track accounts and URLs, email addresses, etc. Attackers use this information to perform phishing, social engineering, and other types of attacks BuzzSumo's advanced social search engine finds the most shared content for a topic, author or a domain

Collecting Information through Social Engineering on Social Networking Sites

Attackers use social engineering tricks to gather sensitive information from social networking websites Attackers create a fake profile and then use the false identity to lure employees into revealing their sensitive information Attackers collect information about the employees' interests and tricks them into revealing more information

User-Directed Spidering

Attackers use standard web browsers to walk through the target website functionalities The incoming and outgoing traffic of the target website is monitored and analyzed by tools that include features of both a web spider and an intercepting proxy Attackers use tools such as Burp Suite and WebScarab to perform user-directed spidering

Footprinting through Job Sites

Attackers use the technical information obtained through job sites, such as Dice, LinkedIn, and Simply Hired, to detect underlying vulnerabilities in the target IT infrastructure

Gathering Information from LinkedIn

Attackers use theHarvester tool to perform enumeration on LinkedIn and find employees of the target company along with their job titles Attackers can use this information to gather more information, such as current location and educational qualifications, and perform social engineering or other kinds of attacks

Finding the Geographical Location of the Target

Attackers use tools, such as Google Earth, Google Maps, and Wikimapia, to obtain the physical location of the target, which helps them to perform social engineering and other non-technical attacks These tools help attackers to find or locate entrances to buildings, security cameras, gates, places to hide, weak spots in perimeter fences, etc.

Monitoring Web Pages for Updates and Changes

Attackers use web updates monitoring tools, such as WebSite-Watcher and VisualPing, to detect changes or updates in a target website, and they analyze the gathered information to detect underlying vulnerabilities in the target website

Monitoring Website Traffic of Target Company

Attackers use website traffic monitoring tools, such as Web-Stat, Alexa, and Monitis, to collect information about the target company's website, such as total visitors, page views, bounce rate, and site ranking

Finding IP Geolocation Information

IP geolocation helps to identify information, such as country, region/state, city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, mobile carrier, and elevation IP geolocation lookup tools, such as IP2Location and IP Location Finder, help to collect IP geolocation information about the target, which in turn helps attackers in launching social engineering attacks, such as spamming and phishing

Extracting Website Information from https://archive.org

Internet Archive's Wayback Machine allows one to visit archived versions of websites

Gathering Information from IoT Search Engines

IoT search engines crawl the Internet for IoT devices that are publicly accessible Attackers use IoT search engines, such as Shodan, Censys, and Thingful, to gather information about the target IoT devices, such as manufacturer details, geographical location, IP address, hostname, and open ports

Objectives of Footprinting

Knowledge of security posture Reduction of focus area Identifying vulnerabilities Drawing of network map

Dumpster Diving

Looking for treasure in someone else's trash It involves the collection of phone bills, contact information, financial information, operations-related information, etc. from the target company's trash bins, printer trash bins, user desk for sticky notes, etc.

Footprinting Tools

Maltego: Maltego can be used to determine the relationships and real world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc. Recon-ng: Recon-ng is a Web Reconnaissance framework with independent modules and database interaction, which provides an environment in which open source, web-based reconnaissance can be conducted

Information Gathering Using Business Profile Sites

Business profile sites contain the business information of companies located in a particular region, which includes their contact information and can be viewed by anyone Attackers use business profile sites, such as opencorporates and Crunchbase, to gather important information about the target organizations, such as their location, addresses, contact information, and employee database

Gathering Information from Meta Search Engines

Meta search engines use other search engines (Google, Bing, Ask.com, etc.) to produce their own results from the Internet Attackers use meta search engines such as Startpage and MetaGer to gather more detailed information about the target, such as images, videos, blogs, and news articles, from different sources

Mirroring Entire Website

Mirroring an entire website onto a local system enables an attacker to browse website offline; it also assists in finding directory structure and other valuable information from the mirrored copy without sending multiple requests to web server Web mirroring tools, such as HTTrack Web Site Copier, and NCollector Studio, allow you to download a website to a local directory, recursively building all directories, HTML, images, flash, videos, and other files from the server to your computer

Google search queries for VPN footprinting

filetype:pcf "cisco" "GroupPwd" - Cisco VPN files with Group Passwords for remote access "[main]" "enc_GroupPwd=" ext:txt - Finds Cisco VPN client passwords (encrypted but easily cracked!) "Config" intitle:"Index of" intext:vpn - Directory with keys of VPN servers inurl:/remote/login?lang=en - Finds FortiGate Firewall's SSL-VPN login portal !Host=*.* intext:enc_UserPassword=* ext:pcf - Looks for profile configuration files (.pcf), which contain user VPN profiles filetype:rcf inurl:vpn - Finds Sonicwall Global VPN Client files containing sensitive information and login filetype:pcf vpn OR Group - Finds publicly accessible .pcf used by VPN clients

Deep and Dark Web Footprinting

Deep web: It consists of web pages and contents that are hidden and unindexed and cannot be located using traditional web browsers and search engines It can be accessed by search engines like Tor Browser and The WWW Virtual Library Dark web or Darknet: It is the subset of the deep web that enables anyone to navigate anonymously without being traced It can be accessed by browsers, such as TOR Browser, Freenet, GNUnet, I2P, and Retroshare

Gathering Information from Financial Services

Financial services, such as Google Finance, MSN Money, and Yahoo! Finance, provide useful information about the target company, such as the market value of a company's shares, company profile, and competitor details Attackers can use this information to perform service flooding, brute-force, or phishing attacks

Footprinting through Social Engineering

Social engineering is an art of exploiting human behavior to extract confidential information Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it

Gathering Information from Video Search Engines

Video search engines such as YouTube, and Google Videos allow attackers to search for a video content related to the target Attackers can further analyze the video content to gather hidden information such as time/date and thumbnail of the video Using video analysis tools such as YouTube DataViewer, and EZGif, an attacker can reverse and convert video to text formats to extract critical information about the target

Website Footprinting using Web Spiders

Web spiders, such as Web Data Extractor and ParseHub, perform automated searches on the target website and collect specified information, such as employee names and email addresses Attackers use the collected information to perform footprinting and social engineering attacks

Website Footprinting

Website footprinting refers to the monitoring and analysis of the target organization's website for information Attackers use Burp Suite, Zaproxy, Wappalyzer, Website Informer, etc. to view headers that provide the following information: Connection status and content-type Accept-Ranges and Last-Modified X-Powered-By information Web server in use and its version

Whois Lookup

Whois databases are maintained by Regional Internet Registries and contain personal information of domain owners

Footprinting Countermeasures (Cont'd)

1. Develop and enforce security policies to regulate the information that employees can reveal to third parties 2. Set apart internal and external DNS or use split DNS, and restrict zone transfer to authorized servers 3. Disable directory listings in web servers 4. Conduct periodic security awareness training to educate employees about various social engineering tricks and risks 5. Opt for privacy services on Whois Lookup database 6. Avoid domain-level cross-linking for critical assets 7. Encrypt and password-protect sensitive information 8. Place critical documents, such as business plans and proprietary documents offline to prevent exploitation 9. Train employees to thwart social engineering techniques and attacks 10. Sanitize the details provided to Internet registrars to hide the direct contact details of the organization 11. Disable the geo-tagging functionality on cameras to prevent geolocation tracking 12. Avoid revealing one's location or travel plans on social networking sites 13. Turn-off geolocation access on all mobile devices when not required 14. Ensure that no critical information is displayed on notice boards or wall

Monitoring Targets Using Alerts

Alerts are content monitoring services that automatically provide up-to-date information based on your preference, usually via email or SMS Tools, such as Google Alerts and Twitter Alerts, help attackers to track mentions of the organization's name, member names, website, or any people or projects

Searching for Web Pages Posting Patterns and Revision Number

Attackers can search for copyright notices and revision numbers on the web and can use these details to perform deep analyses on the target organization

Competitive Intelligence Gathering

Competitive intelligence gathering is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources, such as the Internet Competitive intelligence is non-interfering and subtle in nature

Conducting Location Search on Social Media Sites

Conducting location search on social media sites, such as Twitter, Instagram, and Facebook, helps attackers in detecting the geolocation of the target Attackers use online tools, such as Followerwonk, Hootsuite, and Sysomos, to search for both geotagged and non-geotagged information about the target on social media sites Attackers use this information to perform various social engineering and non-technical attacks

Extracting DNS Information

DNS records provide important information about the location and types of servers Attackers can gather DNS information to determine key hosts in the network and can perform social engineering attacks

Tracking Email Communications

Email tracking is used to monitor the delivery of emails to an intended recipient Attackers track emails to gather information about a target recipient, such as IP addresses, geolocation, browser and OS details, to build a hacking strategy and perform social engineering and other such attacks

Email Tracking Tools

Email tracking tools, such as eMailTrackerPro, Infoga, Mailtrack, and PoliteMail, allow an attacker to track an email and extract information, such as sender identity, mail server, sender's IP address, and location eMailTrackerPro analyzes email headers and reveals information, such as sender's geographical location and IP address

Extracting Website Links

Extracting website links is an important part of website footprinting where an attacker analyses a target website to determine its internal and external links Attackers can use various online tools, such as Octoparse, Netpeak Spider, and Link Extractor, to extract linked images, scripts, iframes, and URLs of the target website Octoparse offers automatic data extraction as it quickly scrapes web data without coding and turns web pages into structured data

Footprinting Tools

FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans OSRFramework includes applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, etc. OSINT Framework: OSINT Framework is an open source intelligence gathering framework that is focused on gathering information from free tools or resources It provides a simple web interface that lists various OSINT tools arranged by categories and is shown as OSINT tree structure on the web interface Recon-Dog: Recon-Dog is an all-in-one tool for information gathering needs, which uses APIs to collect information about the target system BillCipher: BillCipher is an information gathering tool for a Website or IP address

Gathering Information from FTP Search Engines

FTP search engines are used to search for files located on the FTP servers Attackers use FTP search engines, such as NAPALM FTP Indexer and Global FTP Search Engine, to retrieve critical files and directories about the target that reveal valuable information, such as business strategy, tax documents, and employee's personal records

What is Footprinting?

Footprinting is the first step of any attack on information systems in which an attacker collects information about a target network to identify various ways to intrude into the system

Harvesting Email Lists

Gathering email addresses related to the target organization acts as an important attack vector during the later phases of hacking Attackers use automated tools such as theHarvester and Email Spider to collect publicly available email addresses of the target organization that helps them perform social engineering and brute-force attacks

Footprinting Using Advanced Google Hacking Techniques

Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information that helps attackers find vulnerable targets

Information Gathering Using Groups, Forums, and Blogs

Groups, forums, and blogs provide sensitive information about a target, such as public network information, system information, and personal information Attackers register with fake profiles in Google groups, Yahoo groups, etc. and try to join the target organization's employee groups, where they share personal and company information

Locate the Network Range

Network range information assists attackers in creating a map of the target network One can find the range of IP addresses using ARIN whois database search tool One can also find the range of IP addresses and the subnet mask used by the target organization from Regional Internet Registry (RIR)

Tracking Online Reputation of the Target

Online Reputation Management (ORM) is a process of monitoring a company's reputation on the Internet and taking certain measures to minimize the negative search results/reviews and thereby improve its brand reputation Attackers use ORM tracking tools, such as Trackur and Brand24, to track a company's online reputation, search engine ranking information, email notifications when a company is mentioned online, and social news about the company

Information Obtained in Footprinting

Organization information: Employee details, telephone numbers, location, background of the organization, web technologies, etc. Network information: Domain and sub-domains, network blocks, IP addresses of the reachable systems, Whois record, DNS, etc. System information: OS and location of web servers, users and passwords, etc.

Types of Footprinting

Passive Footprinting: Gathering information about the target without direct interaction Active Footprinting: Gathering information about the target with direct interaction

Traceroute Tools

Path Analyzer Pro - It delivers network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues VisualRoute - It is a traceroute and network diagnostic tool that identifies the geographical location of routers, servers, and other IP devices

Impersonation

Pretending to be a legitimate or authorized person and using the phone or other communication medium to mislead targets and trick them into revealing information

Footprinting Countermeasures

Restrict the employees' access to social networking sites from the organization's network Configure web servers to avoid information leakage Educate employees to use pseudonyms on blogs, groups, and forums Do not reveal critical information in press releases, annual reports, product catalogues, etc. Limit the amount of information published on the website/Internet Use footprinting techniques to discover and remove any sensitive information publicly available Prevent search engines from caching a web page and use anonymous registration services

Gathering Information using Reverse Image Search

Reverse image search helps an attacker in tracking the original source and details of images, such as photographs, profile pictures, and memes Attackers can use online tools such as Google Image Search, TinEye Reverse Image Search, and Yahoo Image Search to perform reverse image search

Determining the Operating System

SHODAN search engine lets you find connected devices (routers, servers, IoT, etc.) using a variety of filters Censys search engine provides a full view of every server and device exposed to the Internet

Finding a Company's Top-Level Domains (TLDs) and Sub-domains

Search for the target company's external URL in a search engine, such as Google and Bing Sub-domains provide an insight into different departments and business units in an organization You may find a company's sub-domains by trial and error method or using a service such as https://www.netcraft.com You can use the Sublist3r python script, which enumerates subdomains across multiple sources at once

Shoulder Surfing

Secretly observing the target to gather critical information, such as passwords, personal identification number, account numbers, and credit card information

Tools for Footprinting through Social Networking Sites

Sherlock tool is used to search a vast number of social networking sites for a target username Social Searcher allows you to search for content in social networks in real-time and provides deep analytics data

People Search on Social Networking Sites and People Search Services

Social networking services, such as Facebook, Twitter, and LinkedIn, provide useful information about the individual that helps the attacker in performing social engineering and other attacks The people search can provide critical information about a person or an organization, including location, emails, websites, blogs, contacts, important dates, etc. People search online services, such as Intelius, pipl, BeenVerified, Whitepages, and PeekYou, provide people's names, addresses, contact details, date of birth, photographs, videos, profession, and so on

Traceroute

Traceroute programs work on the concept of ICMP protocol and use the TTL field in the header of ICMP packets to discover the routers on the path to a target host

Eavesdropping

Unauthorized listening of conversations or reading of messages It is the interception of any form of communication, such as audio, video, or text

Extracting Metadata of Public Documents

Useful information may reside on the target organization's website in the form of pdf documents, Microsoft Word files, etc. Attackers use metadata extraction tools, such as Metagoofil, Exiftool, and Web Data Extractor, to extract metadata and hidden information Attackers use this information to perform social engineering and other attacks Metagoofil extracts the metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx, etc.) belonging to a target company

Information Gathering Using NNTP Usenet Newsgroups

Usenet newsgroup is a repository containing a collection of notes or messages on various subjects and topics that are submitted by the users over the Internet Attackers can search the Usenet newsgroups, such as Newshosting and Eweka, to find valuable information about the operating systems, software, web servers, etc. used by the target organization

Popular Google advanced search operators

[cache:] Displays the web pages stored in the Google cache [link:] Lists web pages that have links to the specified web page [related:] Lists web pages that are similar to the specified web page [info:] Presents some information that Google has about a particular web page [site:] Restricts the results to those websites in the given domain [allintitle:] Restricts the results to those websites containing all the search keywords in the title [intitle:] Restricts the results to documents containing the search keyword in the title [allinurl:] Restricts the results to those containing all the search keywords in the URL [inurl:] Restricts the results to documents containing the search keyword in the URL [location:] Finds information for a specific location

Google search queries for VoIP footprinting

intitle:"Login Page" intext:"Phone Adapter Configuration Utility" - Pages containing login portals inurl:/voice/advanced/ intitle:Linksys SPA configuration - Finds the Linksys VoIP router configuration page intitle:"D-Link VIP Router" "Welcome" - Pages containing D-Link login portals intitle:asterisk.management.portal web-access - Look for the Asterisk management portal intitle:"SPA504G Configuration" - Finds Cisco SPA504G Configuration Utility for IP phones intitle:asterisk.management.portal web-access - Finds the Asterisk web management portal inurl:8080 intitle:"login" intext:"UserLogin" "English" - VoIP login portals intitle:"Sipura.SPA.Configuration" - .pdf - Finds configuration pages for online VoIP devices