Footprinting & Recon
FOCA
(Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans.
Email Footprinting Tools
GetNotify, ContactMonkey, Yesware
Determining the Operating System
Netcraft, Shodan, Censys
Censys
A search engine that returns information about the types of devices connected to the Internet.
CNAME
A canonical name record is an alias of an existing record, thus allowing multiple DNS records to map to the same IP address. Canonical naming allows aliases to a host.
RIR (Regional Internet Registry)
A not-for-profit agency that manages the distribution of IP addresses to private and public entities. ARIN - North America; AfriNIC - Africa; APNIC - Asia Pacific; LACNIC - Southern & Central America; RIPE NCC - Europe, the Middle East and Central Asia.
Netcraft
Company that tracks web statistics, used to fingerprint web servers, provides hosting history for websites
TTL (Time to Live)
Indicates the maximum duration that an IPv4 packet can remain on the network before it is discarded. Default TTL values: Linux 64, Windows 128, routers 254.
Google Hacking
Manipulating a search string with additional specific operators to search for vulnerabilities or very specific information. Example: to find Nessus vulnerability reports, search for "This file was generated by Nessus".
theHarvester
Script utility for gathering results from open-source intelligence queries (Linux).
Active OS Fingerprinting
Sends specially crafted packets to the remote OS and analyzes the received response. Nmap is awesome at this.
SRV
Service record
Google search [link:]
[link:URL] shows pages that point to that URL. For example, to find pages that point to Google Guide's home page, enter: [ link:www.googleguide.com ]
In domain names, what is a zone?
A collection of structured resource records that can include an SOA record, A record, CNAME record, NS record, PTR record, and MX record.
tcpdump
a command line utility that allows you to capture and analyze network traffic going through your system.
Recon-ng
A full-featured web reconnaissance framework written in Python (CLI, Linux).
Service-oriented architecture (SOA)
A method of software development that uses software components called services to create business applications. Vulnerable to XML DoS.
recon
a plug-in or extension for Chrome.
Web Data Extractor
a tool that automatically extracts specific information from web pages
Shodan
A web-based device scanner (routers, servers, IoT) that can also identify devices using default passwords.
WHOIS
An Internet utility program that obtains information about a domain name or IP number from the database of a domain name registry.
CSIRT (Computer Security Incident Response Team)
An organization that receives reports of security breaches, conducts analyses of the reports and responds to the senders. It is a single point of contact in the US for reporting computer security breaches and security incidents, associated with the Department of Homeland Security.
HTTrack
website mirroring tool
job postings/resumes
can give an indication of the type of environment the company has
Passive Footprinting
collecting information from publicly accessible sources
Wappalyzer
helps to find what software is used to run a particular page
web spiders
perform automated searches on the target website and collect specified information such as employee names, email addresses, etc.
active footprinting
requires the attacker to touch the device, network, or resource
Apache web server
Runs on Linux; designed to create web servers that can host one or more HTTP-based websites.
Google dork operator - ext
search for a specific type of document
pipl
search tool that can be used to identify an online presence for someone
Footprinting
The first step of an attack on an information system, in which an attacker collects information about a target network to identify various ways to intrude into the system.
Google dork operator - filetype
to get information related to file extensions
DNSRecon
A tool that can identify hostnames by making repeated requests based on a wordlist supplied to the program.
Email Tracking Tools
Tools such as eMailTrackerPro, Infoga, Mailtrack, and PoliteMail allow an attacker to track an email and extract information such as sender identity, mail server, sender's IP address, and location.
Google Dorking
An electronic variation of dumpster diving: using Google's search engine to look for documents and data posted online.
Google Search Query - hyphen
Using a hyphen immediately before a word tells Google that you do not want pages that contain this word to appear in your results.
Metagoofil
extracts metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx, etc.) belonging to a target company
Passive OS fingerprinting
Involves sniffing network traffic at any given collection point and matching known patterns. Tool: tcpdump.
WebScarab
An OWASP tool that allows you to record, inspect, modify and build requests and responses sent using the HTTP protocol.
Wayback Machine
(archive.org) Site used to find previous versions/history of a web site.
CeWL
A Ruby app that crawls websites to generate word lists that can be used with password crackers such as John the Ripper. It is included with Kali Linux.
traceroute (tracert)
A command on many computer operating systems that discovers the IP addresses, and possibly host names, of the routers used by the network when sending a packet from one computer to another.
reverse DNS lookup
A function that finds the host name of a device whose IP address is known.
Web Mirroring
Copying a website directly to your system to test offline. Tools: HTTrack Web Site Copier, NCollector Studio.
Extracting DNS Information
DNS records provide important information about the location and types of servers. Attackers can gather DNS information to determine key hosts in the network for social engineering attacks.
GHDB (Google Hacking Database)
Database of search strings optimized for locating vulnerable websites and services.
Google search [allinurl:]
Google restricts results to those containing all the query terms you specify in the URL. For example, [ allinurl: google faq ] will return only documents that contain the words "google" and "faq" in the URL, such as "www.google.com/help/faq.html".
allintitle:
Google search command which returns sites that contain the search terms in the page title.
Google search [site:]
Google will restrict your search results to the site or domain you specify. For example, [ admissions site:www.lse.ac.uk ] will show admissions information from London School of Economics' site and [ peace site:gov ] will find pages about peace within the .gov domain.
OSRFramework
Includes applications related to username checking, DNS lookups, information leaks research, deep web search, and regular expression extraction.
MX
Mail Exchange records define a server as an e-mail server
PTR (Pointer) record
Maps an IP address to a hostname.
Exiftool
Metadata Extraction
A Record
Points to a host's IP address.
Google Hacking Database (GHDB)
Provides a database of search strings optimized for locating vulnerable websites and services.
OSINT (Open Source Intelligence)
Publicly available information plus the tools used to aggregate and search it.
Service (SRV) Record
Specifies a host and port for a specific service.
OS Fingerprinting
The practice of identifying the operating system of a networked device by using passive or active techniques.
ARIN (American Registry for Internet Numbers)
The regional Internet registry responsible for managing both IPv4 and IPv6 IP number distribution.
What is the ICMP message used to allow the traceroute program to indicate hops?
Time exceeded in transit
Sublist3r
A Python script designed to enumerate subdomains of websites using OSINT. Usage: [-d DOMAIN] [-b BRUTEFORCE] [-p PORTS] [-v VERBOSE] [-t THREADS] [-e ENGINES] [-o OUTPUT] [-h HELP]; -h shows the help message.
PeekYou
A search engine that allows you to look for people using their real names and usernames.
Maltego
A program that can be used to determine the relationships and real-world links between people, groups of people (social networks), companies, organizations, websites, Internet infrastructure, phrases, documents, and files. Used to demonstrate social engineering weaknesses in your environment; automated passive recon.
Google search [location:]
On Google News, only articles from the location you specify will be returned. For example, [ queen location:canada ] will show articles that match the term "queen" from sites in Canada.