CEH v11 Mod 2


Monitoring Web Pages for Updates and Changes

Attackers use web update monitoring tools, such as WebSite-Watcher and VisualPing, to detect changes or updates in a target website, and they analyze the gathered information to detect underlying vulnerabilities in the target website.

Monitoring Website Traffic of Target Company

Attackers use website traffic monitoring tools, such as Web-Stat, Alexa, and Monitis, to collect information about the target company's website, such as total visitors, page views, bounce rate, and site ranking.

Gathering Wordlist from target Website

- Attackers gather a list of words available on the target website to brute-force the email addresses gathered through search engines, social networking sites, web spidering, etc.
- Attackers use the CeWL tool to gather a list of words from the target website
- Use the following command to extract all the words available on the target website: cewl www.certifiedhacker.com

General Resources for Locating Information from Social Media Sites

- Attackers track social media sites using BuzzSumo, Google Trend, Hashatit, etc. to discover the most shared content using hashtags or keywords, track accounts and URLs, email addresses, etc.
- Attackers use this information to perform phishing, social engineering, and other types of attacks

Deep Dark Web Footprinting

-Attackers use deep and dark web searching tools, such as Tor Browser and ExoneraTor, to gather confidential information about the target, including credit card details, passport information, identification card details, medical records, social media accounts, Social Security Numbers (SSNs), etc

Gathering Information from Meta Search Engines

- Meta search engines use other search engines (Google, Bing, Ask.com, etc.) to produce their own results from the Internet
- Attackers use meta search engines such as Startpage and MetaGer to gather more detailed information about the target, such as images, videos, blogs, and news articles, from different sources

Locate Network Range

- Network range information assists attackers in creating a map of the target network
- One can find the range of IP addresses using the ARIN whois database search tool
- One can also find the range of IP addresses and the subnet mask used by the target organization from the Regional Internet Registry (RIR)

archive.org https://archive.org

- An Internet Archive Wayback Machine that explores archived versions of websites. Such exploration allows an attacker to gather information on an organization's web pages since its creation.
- An attacker can retrieve even information removed from the target website, such as web pages, audio files, video files, images, text, and software programs.
- Attackers use this information to perform phishing and other types of web application attacks on the target organization.

Google Hacking Database (GHDB)

- An authoritative source for querying the ever-widening scope of the Google search engine. In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords.
- Attackers use Google dorks in Google advanced search operators to extract sensitive information about their target, such as vulnerable servers, error messages, sensitive files, login pages, and websites

Whois Lookup

-databases are maintained by Regional Internet Registries and contain personal information of domain owners

Mirroring Entire Website

- Enables an attacker to browse the website offline; it also assists in finding the directory structure and other valuable information from the mirrored copy without sending multiple requests to the web server
- Mirroring tools, such as HTTrack Web Site Copier and NCollector Studio, allow you to download a website to a local directory, recursively building all directories, HTML, images, flash, videos, and other files from the server to your computer

Conducting Location Search on Social Media Sites

- Helps attackers in detecting the geolocation of the target
- Attackers use online tools, such as Followerwonk, Hootsuite, and Sysomos, to search for both geotagged and non-geotagged information about the target on social media sites
- Attackers use this information to perform various social engineering and non-technical attacks

Footprinting Tools OSRFramework: https://github.com

- Includes applications related to username checking, DNS lookups, information leaks research, deep web search, and regular expression extraction.
- The tools included in the OSRFramework package that attackers can use to gather information on the target are listed below:
  o usufy.py - Checks for a user profile on up to 290 different platforms
  o mailfy.py - Checks for the existence of a given email
  o searchfy.py - Performs a query on the platforms in OSRFramework
  o domainfy.py - Checks for the existence of domains
  o phonefy.py - Checks for the existence of a given series of phones
  o entify.py - Uses regular expressions to extract entities

theHarvester tool http://www.edge-security.com

- Performs enumeration on LinkedIn and finds employees of the target company along with their job titles
- Attackers can use this information to gather more information, such as current location and educational qualifications, and perform social engineering or other kinds of attacks

Competitive Intelligence Gathering

- The process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet
- Is non-interfering and subtle in nature

Footprinting Tools Maltego: https://www.paterva.com

a program that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc. Attackers can use different entities available in the tool to obtain information such as email addresses, a list of phone numbers, and a target's Internet infrastructure (domains, DNS names, Netblocks, IP addresses information).

Infoga https://github.com

a tool used for gathering email account information (IP, hostname, country, etc.) from different public sources (search engines, pgp key servers, and Shodan), and it checks if an email was leaked using the haveibeenpwned.com API.

Footprinting Tools FOCA: https://www.elevenpaths.com

a tool used mainly to find metadata and hidden information in the documents it scans. FOCA is capable of scanning and analyzing a wide variety of documents, with the most common ones being Microsoft Office, Open Office, or PDF files.

Footprinting Tools Recon-ng: https://github.com

a web reconnaissance framework with independent modules for database interaction that provides an environment in which open-source web-based reconnaissance can be conducted.

Social Searcher https://www.social-searcher.com

allows attackers to search for content in social networks in real time and provides deep analytics data. Attackers use this tool to track a target user on various social networking sites and obtain information such as complete URLs to their profiles, their postings, and other personal information.

Footprinting Tools BillCipher: https://www.github.com

an information gathering tool for a website or IP address. It can work on any operating system that supports Python 2, Python 3, and Ruby. This tool includes various options such as DNS lookup, Whois lookup, port scanning, zone transfer, host finder, and reverse IP lookup, which help to gather critical information

eMailTrackerPro http://www.emailtrackerpro.com

attackers use this to analyze email headers and extract information such as the sender's geographical location, IP address, and so on. It allows an attacker to review the traces later by saving past traces.

UDP Traceroute

Like Windows, Linux also has a built-in traceroute utility, but it uses the UDP protocol for tracing the route to the destination. Go to the terminal in the Linux operating system and type the traceroute command along with the destination IP address or domain name

TCP Traceroute

Many devices in any network are generally configured to block ICMP traceroute messages. In this scenario, an attacker uses TCP or UDP traceroute, which is also known as Layer 4 traceroute. Go to the terminal in Linux operating system and type the tcptraceroute command along with the destination IP address or domain

Metagoofil https://code.google.com

Metagoofil extracts the metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx, etc.) belonging to a target company

Website-Watcher https://www.aignes.com

helps to track websites for updates and automatic changes. When an update or change occurs, WebSite-Watcher automatically detects and saves the last two versions onto your disk.

Followerwonk https://followerwonk.co

helps you explore and grow your social graph: Dig deeper into Twitter analytics: Who are your followers? Where are they located? When do they tweet?

How to find a network Range:

One can find the network range in the ARIN (American Registry for Internet Numbers) Whois database search tool. A user can also visit the ARIN website (https://www.arin.net/about/welcome/region) and enter the server IP in the SEARCH Whois text box. This gives the network range of the target network.

Sherlock https://github.com

use Sherlock to search a vast number of social networking sites for a target username. This tool helps the attacker to locate the target user on various social networking sites along with the complete URL.

Whois query returns:

- Domain name details
- Contact details of domain owners
- Domain name servers
- NetRange
- When a domain was created
- Expiry records
- Last updated record

Web Data Extractor http://www.webextractor.com

Web Data Extractor automatically extracts specific information from web pages. It extracts targeted contact data (email, phone, and fax) from the website, extracts the URL and meta tags (title, description, keyword) for website promotion, searches directory creation, performs web research, and so on

Footprinting Countermeasures

- Restrict the employees' access to social networking sites from the organization's network
- Configure web servers to avoid information leakage
- Educate employees to use pseudonyms on blogs, groups, and forums
- Do not reveal critical information in press releases, annual reports, product catalogs, and so on
- Limit the amount of information that you are publishing on the website/Internet
- Use footprinting techniques to discover and remove any sensitive information publicly available
- Prevent search engines from caching a web page and use anonymous registration services
- Develop and enforce security policies such as information security policy, password policy, and so on, to regulate the information that employees can reveal to third parties
- Set apart internal and external DNS or use split DNS, and restrict zone transfer to authorized servers
- Disable directory listings in the web servers
- Opt for privacy services on Whois lookup database
- Avoid domain-level cross-linking for critical assets
- Encrypt and password-protect sensitive information
- Do not enable protocols that are not required
- Always use TCP/IP and IPSec filters for defense in depth
- Configure IIS to avoid information disclosure through banner grabbing
- Hide the IP address and the related information by implementing VPN or keeping the server behind a secure proxy
- Request archive.org to delete the history of the website from the archive database
- Keep the domain name profile private
- Place critical documents such as business plans and proprietary documents offline to prevent exploitation
- Train employees to thwart social engineering techniques and attacks
- Sanitize the details provided to the Internet registrars to hide the direct contact details of the organization
- Disable the geo-tagging functionality on cameras to prevent geolocation tracking
- Avoid revealing one's location or travel plans on social networking sites
- Turn off geolocation access on all mobile devices when not required
- Ensure that no critical information such as strategic plans, product information, and sales projections is displayed on notice boards or walls
- Conduct security awareness training periodically to educate employees about various social engineering tricks and risks

Monitoring Targets using Alerts

- Alerts are content monitoring services that automatically provide up-to-date information based on your preference, usually via email or SMS
- Tools such as Google Alerts and Twitter Alerts help attackers to track mentions of the organization's name, member names, website, or any people or projects

Google Advanced Search

- Attackers can use Google Advanced Search and Advanced Image Search to achieve the same precision as that of using the advanced operators but without typing or remembering the operators
- Using Google's Advanced Search option, attackers can find sites that may link back to the target organization's website

Footprinting through Search Engines:

- Attackers use search engines to extract information about a target, such as employed technology platforms, employee details, login pages, and intranet portals, which help the attacker to perform social engineering and other types of advanced system attacks
- Attackers can use advanced search operators available with these search engines and create complex queries to find, filter, and sort specific information about the target
- Search engines are also used to find other sources of publicly accessible information resources, e.g., you can type "top job portals" to find major job portals that provide critical information about the target organization

Collecting Information through Social Engineering on Social Networking Sites

- Attackers use social engineering tricks to gather sensitive information from social networking websites
- Attackers create a fake profile and then use the false identity to lure employees into revealing their sensitive information
- Attackers collect information about the employees' interests and trick them into revealing more information

User-Directed Spidering

- Attackers use standard web browsers to walk through the target website's functionalities
- The incoming and outgoing traffic of the target website is monitored and analyzed by tools that include features of both a web spider and an intercepting proxy
- Attackers use tools such as Burp Suite and WebScarab to perform user-directed spidering

Finding the Geographical Locations of the Target

- Attackers use tools, such as Google Earth, Google Maps, and Wikimapia, to obtain the physical location of the target, which helps them to perform social engineering and other non-technical attacks
- These tools help attackers to find or locate entrances to buildings, security cameras, gates, places to hide, weak spots in perimeter fences, etc.

Information Gathering Using Business Profile Sites

- Business profile sites contain the business information of companies located in a particular region, which includes their contact information and can be viewed by anyone
- Attackers use business profile sites, such as opencorporates and Crunchbase, to gather important information about the target organizations, such as their location, addresses, contact information, and employee database

Tracking Email Communications

- Email tracking is used to monitor the delivery of emails to an intended recipient
- Attackers track emails to gather information about a target recipient, such as IP addresses, geolocation, browser and OS details, to build a hacking strategy and perform social engineering and other such attacks

Email Tracking Tools

- Email tracking tools, such as eMailTrackerPro, Infoga, Mailtrack, and PoliteMail, allow an attacker to track an email and extract information, such as sender identity, mail server, sender's IP address, and location
- eMailTrackerPro analyzes email headers and reveals information, such as the sender's geographical location and IP address

Extracting Website Links

- Extracting website links is an important part of website footprinting where an attacker analyses a target website to determine its internal and external links
- Attackers can use various online tools, such as Octoparse, Netpeak Spider, and Link Extractor, to extract linked images, scripts, iframes, and URLs of the target website

Gathering Information from FTP Search Engines

- FTP search engines are used to search for files located on FTP servers
- Attackers use FTP search engines, such as NAPALM FTP Indexer and Global FTP Search Engine, to retrieve critical files and directories about the target that reveal valuable information, such as business strategy, tax documents, and employees' personal records

Gathering INFO from financial services

- Financial services, such as Google Finance, MSN Money, and Yahoo! Finance, provide useful information about the target company, such as the market value of a company's shares, company profile, and competitor details
- Attackers can use this information to perform service flooding, brute-force, or phishing attacks

Footprinting Techniques

- Footprinting through Search Engines
- Footprinting through Web Services
- Footprinting through Social Networking Sites
- Website Footprinting
- Email Footprinting
- Whois Footprinting
- DNS Footprinting
- Network Footprinting
- Footprinting through Social Engineering

Information obtained from Whois database assists an attacker to:

- Gather personal information that assists in social engineering
- Create a map of the target organization's network
- Obtain internal details of the target network

Harvesting Email Lists

- Gathering email addresses related to the target organization acts as an important attack vector during the later phases of hacking
- Attackers use automated tools such as theHarvester and Email Spider to collect publicly available email addresses of the target organization, which helps them perform social engineering and brute-force attacks

Information Gathering Using Groups, Forums, and Blogs

- Groups, forums, and blogs provide sensitive information about a target, such as public network information, system information, and personal information
- Attackers register with fake profiles in Google groups, Yahoo groups, etc. and try to join the target organization's employee groups, where they share personal and company information

Gathering Information from IoT Search Engines

- IoT search engines crawl the Internet for IoT devices that are publicly accessible
- Attackers use IoT search engines, such as Shodan, Censys, and Thingful, to gather information about the target IoT devices, such as manufacturer details, geographical location, IP address, hostname, and open ports

Deep Web

- It consists of web pages and contents that are hidden and unindexed and cannot be located using traditional web browsers and search engines
- It can be accessed by search engines like Tor Browser and The WWW Virtual Library

Dark Web or Darknet

- It is the subset of the deep web that enables anyone to navigate anonymously without being traced
- It can be accessed by browsers, such as TOR Browser, Freenet, GNUnet, I2P, and Retroshare

TOR Browser

-It is used to access the deep and dark web where it acts as a default VPN for the user and bounces the network IP address through several servers before interacting with the web

Objectives of Footprinting:

- Knowledge of security posture
- Reduction of focus area
- Identifying vulnerabilities
- Drawing of network map

Footprinting Tools OSINT Framework:

- OSINT Framework is an open source intelligence gathering framework that is focused on gathering information from free tools or resources
- It provides a simple web interface that lists various OSINT tools arranged by categories and is shown as an OSINT tree structure on the web interface
- Tools listed include the following indicators:
  o (T) - Indicates a link to a tool that must be installed and run locally
  o (D) - Google Dork
  o (R) - Requires registration
  o (M) - Indicates a URL that contains the search term and the URL itself must be edited manually

Tracking Online Reputation of the Target

- Online Reputation Management (ORM) is a process of monitoring a company's reputation on the Internet and taking certain measures to minimize the negative search results/reviews and thereby improve its brand reputation
- Attackers use ORM tracking tools, such as Trackur and Brand24, to track a company's online reputation, search engine ranking information, email notifications when a company is mentioned online, and social news about the company

Information obtained in Footprinting

- Organizational Information: Employee details, telephone numbers, location, background of the organization, web technologies, etc.
- Network Information: Domain and sub-domains, network blocks, IP addresses of the reachable systems, Whois record, DNS, etc.
- System Information: OS and location of web servers, users and passwords, etc.

Types of Footprinting

- Passive Footprinting: Gathering information without direct interaction
- Active Footprinting: Gathering information with direct interaction

Traceroute Tools

- Path Analyzer Pro (https://www.pathanalyzer.com): It delivers network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues
- VisualRoute (http://www.visualroute.com): It is a traceroute and network diagnostic tool that identifies the geographical location of routers, servers, and other IP devices

Reverse Image Search

- Reverse image search helps an attacker in tracking the original source and details of images, such as photographs, profile pictures, and memes
- Attackers can use online tools such as Google Image Search, TinEye Reverse Image Search, and Yahoo Image Search to perform reverse image search

Determining the Operating System

- SHODAN (https://www.shodan.io): This search engine lets you find connected devices (routers, servers, IoT, etc.) using a variety of filters
- Censys (https://censys.io): This search engine provides a full view of every server and device exposed to the Internet
- Netcraft (https://www.netcraft.com): Attackers use the Netcraft tool to identify all the sites associated with the target domain along with the operating system running at each site

Finding a Company's Top-Level Domains (TLDs) and Sub-Domains

- Search for the target company's external URL in a search engine, such as Google and Bing
- Sub-domains provide an insight into different departments and business units in an organization
- You may find a company's sub-domains by the trial and error method or using a service such as https://www.netcraft.com
- You can use the Sublist3r Python script, which enumerates subdomains across multiple sources at once

Threats made possible by Footprinting:

- Social Engineering
- System and Network Attacks
- Information Leakage
- Privacy Loss
- Corporate Espionage
- Business Loss

Footprinting through Social Engineering

- Social engineering is the art of exploiting human behaviour to extract confidential information
- Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it

People Search on Social Networking Sites and People Search Services

- Social networking services, such as Facebook, Twitter, and LinkedIn, provide useful information about the individual that helps the attacker in performing social engineering and other attacks
- The people search can provide critical information about a person or an organization, including location, emails, websites, blogs, contacts, important dates, etc.
- People search online services, such as Intelius, pipl, BeenVerified, Whitepages, and PeekYou, provide people's names, addresses, contact details, date of birth, photographs, videos, profession, and so on

Traceroute

-Traceroute programs work on the concept of ICMP protocol and use the TTL field in the header of ICMP packets to discover the routers on the path to a target host

Extracting Metadata of Public Documents

- Useful information may reside on the target organization's website in the form of pdf documents, Microsoft Word files, etc.
- Attackers use metadata extraction tools, such as Metagoofil, Exiftool, and Web Data Extractor, to extract metadata and hidden information
- Attackers use this information to perform social engineering and other attacks

Information Gathering Using NNTP Usenet Newsgroups

- A Usenet newsgroup is a repository containing a collection of notes or messages on various subjects and topics that are submitted by users over the Internet
- Attackers can search the Usenet newsgroups, such as Newshosting and Eweka, to find valuable information about the operating systems, software, web servers, etc. used by the target organization

Gathering Information from Video Search Engines

- Video search engines such as YouTube and Google Videos allow attackers to search for video content related to the target
- Attackers can further analyze the video content to gather hidden information such as the time/date and thumbnail of the video
- Using video analysis tools such as YouTube DataViewer and EZGif, an attacker can reverse and convert video to text formats to extract critical information about the target

Website Footprinting using Web Spiders

- Web spiders, such as Web Data Extractor and ParseHub, perform automated searches on the target website and collect specified information, such as employee names and email addresses
- Attackers use the collected information to perform footprinting and social engineering attacks

ICMP Traceroute

-Windows operating system by default uses ICMP traceroute. Go to the command prompt and type the tracert command along with the destination IP address or domain name

Internet Assigned Numbers Authority (IANA) reserved private internets:

10.0.0.0-10.255.255.255 (10/8 prefix), 172.16.0.0-172.31.255.255 (172.16/12 prefix), 192.168.0.0-192.168.255.255 (192.168/16 prefix).

What can a hacker do with Google Hacking?

An attacker can create complex search engine queries to filter large amounts of search results to obtain information related to computer security. The attacker uses Google operators that help locate specific strings of text within the search results. Thus, the attacker can not only detect websites and web servers that are vulnerable to exploitation but also locate private, sensitive information about others, such as credit card numbers, social security numbers, passwords, and so on.

Footprinting through Job Sites

Attackers can gather valuable information about the operating system, software versions, company's infrastructure details, and database schema of an organization through footprinting job sites using different techniques. Many organizations' websites provide recruiting information on a job posting page that, in turn, reveals hardware and software information, network-related information, and technologies used by the company (e.g., firewall, internal server type, OS used, network appliances, and so on.).

Searching for Web Pages Posting Patterns and Revision Numbers

Attackers can search for copyright notices and revision numbers on the web and can use these details to perform deep analyses on the target organization

Searching for Contact Information, Email Addresses, and Telephone Numbers from Company Website

Attackers can search the target company's website to obtain crucial information about the company, such as the company's contact details, location, partner information, news, and links to other sites

Social engineers attempt to gather:

- Credit card details and social security number
- User names and passwords
- Security products in use
- Operating systems and software versions
- Network layout information
- IP addresses and names of servers

Social engineering techniques include:

- Eavesdropping
- Shoulder surfing
- Dumpster diving
- Impersonation

Footprinting Tools:

- FOCA (Fingerprinting Organizations with Collected Archives): a tool used mainly to find metadata and hidden information in the documents it scans
- OSRFramework: includes applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, etc.

Sublist3r

Sublist3r is a Python script designed to enumerate the subdomains of websites using OSINT. It enables you to enumerate subdomains across multiple sources at once. Further, it helps penetration testers and bug hunters in collecting and gathering subdomains for the domain they are targeting.

Sublist3r Syntax

[-d DOMAIN] [-b BRUTEFORCE] [-p PORTS] [-v VERBOSE] [-t THREADS] [-e ENGINES] [-o OUTPUT]

Google Advanced Search Operations:

- [cache:] Displays the web pages stored in the Google cache
- [link:] Lists web pages that have links to the specified web page
- [related:] Lists web pages that are similar to the specified web page
- [info:] Presents some information that Google has about a particular web page
- [site:] Restricts the results to those websites in the given domain
- [allintitle:] Restricts the results to those websites containing all the search keywords in the title
- [intitle:] Restricts the results to documents containing the search keyword in the title
- [allinurl:] Restricts the results to those containing all the search keywords in the URL
- [inurl:] Restricts the results to documents containing the search keyword in the URL
- [location:] Finds information for a specific location

Octoparse https://www.octoparse.co

offers automatic data extraction as it quickly scrapes web data without coding and turns web pages into structured data

Intelius www.intelius.com

people search online service to search for people belonging to the target organization. Using this service, attackers obtain information such as phone numbers, address history, age, date of birth, relatives, previous work history, educational background, and so on

Google Hacker

refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information that helps attackers find vulnerable targets

Footprinting

the first step of any attack on information systems in which an attacker collects information about a target network to identify various ways to intrude into the system

