CEHv11 - Module Two
Searching for Contact Information, Email Addresses, and Telephone Numbers from Company Website
Attackers can search the target company's website to obtain crucial information about the company, such as the company's contact details, location, partner information, news, and links to other sites
Gathering Information Using Google Advanced Search and Advanced Image Search
Attackers can use Google Advanced Search and Advanced Image Search to achieve the same precision as that of using the advanced operators, but without typing or remembering the operators. Using Google's Advanced Search option, attackers can find sites that may link back to the target organization's website.
Traceroute Analysis
Attackers conduct traceroute to extract information about network topology, trusted routers, and firewall locations
Gathering Wordlist from the Target Website
Attackers gather a list of words available on the target website to brute-force the email addresses gathered through search engines, social networking sites, web spidering, etc. Attackers use the CeWL tool to gather a list of words from the target website. Use the following command to extract all the words available on the target website: cewl www.certifiedhacker.com
Reverse DNS Lookup
Attackers perform a reverse DNS lookup on IP ranges in an attempt to locate a DNS PTR record for those IP addresses. Attackers use various tools, such as DNSRecon, to perform the reverse DNS lookup on the target host. Attackers can also find the other domains that share the same web server, using tools such as Reverse IP Domain Check.
General Resources for Locating Information from Social Media Sites
Attackers track social media sites using BuzzSumo, Google Trends, Hashatit, etc. to discover the most shared content using hashtags or keywords, and to track accounts, URLs, email addresses, etc. Attackers use this information to perform phishing, social engineering, and other types of attacks. BuzzSumo's advanced social search engine finds the most shared content for a topic, author, or domain.
Collecting Information through Social Engineering on Social Networking Sites
Attackers use social engineering tricks to gather sensitive information from social networking websites. Attackers create a fake profile and then use the false identity to lure employees into revealing their sensitive information. Attackers collect information about the employees' interests and trick them into revealing more information.
User-Directed Spidering
Attackers use standard web browsers to walk through the target website's functionalities. The incoming and outgoing traffic of the target website is monitored and analyzed by tools that include features of both a web spider and an intercepting proxy. Attackers use tools such as Burp Suite and WebScarab to perform user-directed spidering.
Footprinting through Job Sites
Attackers use the technical information obtained through job sites, such as Dice, LinkedIn, and Simply Hired, to detect underlying vulnerabilities in the target IT infrastructure
Gathering Information from LinkedIn
Attackers use the theHarvester tool to perform enumeration on LinkedIn and find employees of the target company along with their job titles. Attackers can use this information to gather more information, such as current location and educational qualifications, and perform social engineering or other kinds of attacks.
Finding the Geographical Location of the Target
Attackers use tools such as Google Earth, Google Maps, and Wikimapia to obtain the physical location of the target, which helps them to perform social engineering and other non-technical attacks. These tools help attackers to find or locate entrances to buildings, security cameras, gates, places to hide, weak spots in perimeter fences, etc.
Monitoring Web Pages for Updates and Changes
Attackers use web updates monitoring tools, such as WebSite-Watcher and VisualPing, to detect changes or updates in a target website, and they analyze the gathered information to detect underlying vulnerabilities in the target website
Monitoring Website Traffic of Target Company
Attackers use website traffic monitoring tools, such as Web-Stat, Alexa, and Monitis, to collect information about the target company's website, such as total visitors, page views, bounce rate, and site ranking
Finding IP Geolocation Information
IP geolocation helps to identify information such as country, region/state, city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, mobile carrier, and elevation. IP geolocation lookup tools, such as IP2Location and IP Location Finder, help to collect IP geolocation information about the target, which in turn helps attackers in launching social engineering attacks, such as spamming and phishing.
Extracting Website Information from https://archive.org
Internet Archive's Wayback Machine allows one to visit archived versions of websites
Gathering Information from IoT Search Engines
IoT search engines crawl the Internet for IoT devices that are publicly accessible. Attackers use IoT search engines, such as Shodan, Censys, and Thingful, to gather information about the target IoT devices, such as manufacturer details, geographical location, IP address, hostname, and open ports.
Objectives of Footprinting
Knowledge of security posture
Reduction of focus area
Identifying vulnerabilities
Drawing of network map
Dumpster Diving
Looking for treasure in someone else's trash. It involves the collection of phone bills, contact information, financial information, operations-related information, etc. from the target company's trash bins, printer trash bins, user desks (for sticky notes), etc.
Footprinting Tools
Maltego: Maltego can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc.
Recon-ng: Recon-ng is a web reconnaissance framework with independent modules and database interaction, which provides an environment in which open source, web-based reconnaissance can be conducted.
Information Gathering Using Business Profile Sites
Business profile sites contain the business information of companies located in a particular region, which includes their contact information and can be viewed by anyone. Attackers use business profile sites, such as opencorporates and Crunchbase, to gather important information about the target organizations, such as their location, addresses, contact information, and employee database.
Gathering Information from Meta Search Engines
Meta search engines use other search engines (Google, Bing, Ask.com, etc.) to produce their own results from the Internet. Attackers use meta search engines such as Startpage and MetaGer to gather more detailed information about the target, such as images, videos, blogs, and news articles, from different sources.
Mirroring Entire Website
Mirroring an entire website onto a local system enables an attacker to browse the website offline; it also assists in finding the directory structure and other valuable information from the mirrored copy without sending multiple requests to the web server. Web mirroring tools, such as HTTrack Web Site Copier and NCollector Studio, allow you to download a website to a local directory, recursively building all directories, HTML, images, Flash, videos, and other files from the server to your computer.
Google search queries for VPN footprinting
filetype:pcf "cisco" "GroupPwd" - Cisco VPN files with Group Passwords for remote access
"[main]" "enc_GroupPwd=" ext:txt - Finds Cisco VPN client passwords (encrypted but easily cracked!)
"Config" intitle:"Index of" intext:vpn - Directory with keys of VPN servers
inurl:/remote/login?lang=en - Finds FortiGate Firewall's SSL-VPN login portal
!Host=*.* intext:enc_UserPassword=* ext:pcf - Looks for profile configuration files (.pcf), which contain user VPN profiles
filetype:rcf inurl:vpn - Finds Sonicwall Global VPN Client files containing sensitive information and login
filetype:pcf vpn OR Group - Finds publicly accessible .pcf used by VPN clients
Deep and Dark Web Footprinting
Deep web: It consists of web pages and contents that are hidden and unindexed and cannot be located using traditional web browsers and search engines. It can be accessed through Tor Browser and The WWW Virtual Library.
Dark web or Darknet: It is the subset of the deep web that enables anyone to navigate anonymously without being traced. It can be accessed by browsers such as TOR Browser, Freenet, GNUnet, I2P, and Retroshare.
Gathering Information from Financial Services
Financial services, such as Google Finance, MSN Money, and Yahoo! Finance, provide useful information about the target company, such as the market value of a company's shares, company profile, and competitor details. Attackers can use this information to perform service flooding, brute-force, or phishing attacks.
Footprinting through Social Engineering
Social engineering is the art of exploiting human behavior to extract confidential information. Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it.
Gathering Information from Video Search Engines
Video search engines such as YouTube and Google Videos allow attackers to search for video content related to the target. Attackers can further analyze the video content to gather hidden information such as the time/date and thumbnail of the video. Using video analysis tools such as YouTube DataViewer and EZGif, an attacker can reverse and convert video to text formats to extract critical information about the target.
Website Footprinting using Web Spiders
Web spiders, such as Web Data Extractor and ParseHub, perform automated searches on the target website and collect specified information, such as employee names and email addresses. Attackers use the collected information to perform footprinting and social engineering attacks.
Website Footprinting
Website footprinting refers to the monitoring and analysis of the target organization's website for information. Attackers use Burp Suite, Zaproxy, Wappalyzer, Website Informer, etc. to view headers that provide the following information:
Connection status and content-type
Accept-Ranges and Last-Modified
X-Powered-By information
Web server in use and its version
Whois Lookup
Whois databases are maintained by Regional Internet Registries and contain personal information of domain owners
Footprinting Countermeasures (Cont'd)
1. Develop and enforce security policies to regulate the information that employees can reveal to third parties
2. Set apart internal and external DNS or use split DNS, and restrict zone transfer to authorized servers
3. Disable directory listings in web servers
4. Conduct periodic security awareness training to educate employees about various social engineering tricks and risks
5. Opt for privacy services on the Whois Lookup database
6. Avoid domain-level cross-linking for critical assets
7. Encrypt and password-protect sensitive information
8. Place critical documents, such as business plans and proprietary documents, offline to prevent exploitation
9. Train employees to thwart social engineering techniques and attacks
10. Sanitize the details provided to Internet registrars to hide the direct contact details of the organization
11. Disable the geo-tagging functionality on cameras to prevent geolocation tracking
12. Avoid revealing one's location or travel plans on social networking sites
13. Turn off geolocation access on all mobile devices when not required
14. Ensure that no critical information is displayed on notice boards or walls
Monitoring Targets Using Alerts
Alerts are content monitoring services that automatically provide up-to-date information based on your preferences, usually via email or SMS. Tools such as Google Alerts and Twitter Alerts help attackers to track mentions of the organization's name, member names, website, or any people or projects.
Searching for Web Pages Posting Patterns and Revision Number
Attackers can search for copyright notices and revision numbers on the web and can use these details to perform deep analyses on the target organization
Competitive Intelligence Gathering
Competitive intelligence gathering is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources such as the Internet. Competitive intelligence is non-interfering and subtle in nature.
Conducting Location Search on Social Media Sites
Conducting location search on social media sites, such as Twitter, Instagram, and Facebook, helps attackers in detecting the geolocation of the target. Attackers use online tools, such as Followerwonk, Hootsuite, and Sysomos, to search for both geotagged and non-geotagged information about the target on social media sites. Attackers use this information to perform various social engineering and non-technical attacks.
Extracting DNS Information
DNS records provide important information about the location and types of servers. Attackers can gather DNS information to determine key hosts in the network and can perform social engineering attacks.
Tracking Email Communications
Email tracking is used to monitor the delivery of emails to an intended recipient. Attackers track emails to gather information about a target recipient, such as IP addresses, geolocation, and browser and OS details, to build a hacking strategy and perform social engineering and other such attacks.
Email Tracking Tools
Email tracking tools, such as eMailTrackerPro, Infoga, Mailtrack, and PoliteMail, allow an attacker to track an email and extract information such as sender identity, mail server, sender's IP address, and location. eMailTrackerPro analyzes email headers and reveals information such as the sender's geographical location and IP address.
Extracting Website Links
Extracting website links is an important part of website footprinting, where an attacker analyzes a target website to determine its internal and external links. Attackers can use various online tools, such as Octoparse, Netpeak Spider, and Link Extractor, to extract linked images, scripts, iframes, and URLs of the target website. Octoparse offers automatic data extraction, as it quickly scrapes web data without coding and turns web pages into structured data.
Footprinting Tools
FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans.
OSRFramework includes applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, etc.
OSINT Framework: OSINT Framework is an open source intelligence gathering framework that is focused on gathering information from free tools or resources. It provides a simple web interface that lists various OSINT tools arranged by categories, shown as an OSINT tree structure on the web interface.
Recon-Dog: Recon-Dog is an all-in-one tool for information gathering needs, which uses APIs to collect information about the target system.
BillCipher: BillCipher is an information gathering tool for a website or IP address.
Gathering Information from FTP Search Engines
FTP search engines are used to search for files located on FTP servers. Attackers use FTP search engines, such as NAPALM FTP Indexer and Global FTP Search Engine, to retrieve critical files and directories about the target that reveal valuable information, such as business strategy, tax documents, and employees' personal records.
What is Footprinting?
Footprinting is the first step of any attack on information systems in which an attacker collects information about a target network to identify various ways to intrude into the system
Harvesting Email Lists
Gathering email addresses related to the target organization acts as an important attack vector during the later phases of hacking. Attackers use automated tools such as theHarvester and Email Spider to collect publicly available email addresses of the target organization, which helps them perform social engineering and brute-force attacks.
Footprinting Using Advanced Google Hacking Techniques
Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information that helps attackers find vulnerable targets
Information Gathering Using Groups, Forums, and Blogs
Groups, forums, and blogs provide sensitive information about a target, such as public network information, system information, and personal information. Attackers register with fake profiles in Google groups, Yahoo groups, etc. and try to join the target organization's employee groups, where they share personal and company information.
Locate the Network Range
Network range information assists attackers in creating a map of the target network. One can find the range of IP addresses using the ARIN Whois database search tool. One can also find the range of IP addresses and the subnet mask used by the target organization from a Regional Internet Registry (RIR).
Tracking Online Reputation of the Target
Online Reputation Management (ORM) is a process of monitoring a company's reputation on the Internet and taking certain measures to minimize negative search results/reviews and thereby improve its brand reputation. Attackers use ORM tracking tools, such as Trackur and Brand24, to track a company's online reputation, search engine ranking information, email notifications when a company is mentioned online, and social news about the company.
Information Obtained in Footprinting
Organization information: Employee details, telephone numbers, location, background of the organization, web technologies, etc.
Network information: Domain and sub-domains, network blocks, IP addresses of the reachable systems, Whois record, DNS, etc.
System information: OS and location of web servers, users and passwords, etc.
Types of Footprinting
Passive Footprinting: Gathering information about the target without direct interaction
Active Footprinting: Gathering information about the target with direct interaction
Traceroute Tools
Path Analyzer Pro - It delivers network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues
VisualRoute - It is a traceroute and network diagnostic tool that identifies the geographical location of routers, servers, and other IP devices
Impersonation
Pretending to be a legitimate or authorized person and using the phone or other communication medium to mislead targets and trick them into revealing information
Footprinting Countermeasures
Restrict the employees' access to social networking sites from the organization's network
Configure web servers to avoid information leakage
Educate employees to use pseudonyms on blogs, groups, and forums
Do not reveal critical information in press releases, annual reports, product catalogues, etc.
Limit the amount of information published on the website/Internet
Use footprinting techniques to discover and remove any sensitive information publicly available
Prevent search engines from caching a web page and use anonymous registration services
Gathering Information using Reverse Image Search
Reverse image search helps an attacker in tracking the original source and details of images, such as photographs, profile pictures, and memes. Attackers can use online tools such as Google Image Search, TinEye Reverse Image Search, and Yahoo Image Search to perform a reverse image search.
Determining the Operating System
The SHODAN search engine lets you find connected devices (routers, servers, IoT, etc.) using a variety of filters. The Censys search engine provides a full view of every server and device exposed to the Internet.
Finding a Company's Top-Level Domains (TLDs) and Sub-domains
Search for the target company's external URL in a search engine, such as Google or Bing. Sub-domains provide an insight into the different departments and business units in an organization. You may find a company's sub-domains by trial and error or by using a service such as https://www.netcraft.com. You can use the Sublist3r Python script, which enumerates subdomains across multiple sources at once.
Shoulder Surfing
Secretly observing the target to gather critical information, such as passwords, personal identification number, account numbers, and credit card information
Tools for Footprinting through Social Networking Sites
The Sherlock tool is used to search a vast number of social networking sites for a target username. Social Searcher allows you to search for content in social networks in real time and provides deep analytics data.
People Search on Social Networking Sites and People Search Services
Social networking services, such as Facebook, Twitter, and LinkedIn, provide useful information about the individual that helps the attacker in performing social engineering and other attacks. A people search can provide critical information about a person or an organization, including location, emails, websites, blogs, contacts, important dates, etc. People search online services, such as Intelius, pipl, BeenVerified, Whitepages, and PeekYou, provide people's names, addresses, contact details, date of birth, photographs, videos, profession, and so on.
Traceroute
Traceroute programs work on the concept of ICMP protocol and use the TTL field in the header of ICMP packets to discover the routers on the path to a target host
Eavesdropping
Unauthorized listening to conversations or reading of messages. It is the interception of any form of communication, such as audio, video, or text.
Extracting Metadata of Public Documents
Useful information may reside on the target organization's website in the form of PDF documents, Microsoft Word files, etc. Attackers use metadata extraction tools, such as Metagoofil, Exiftool, and Web Data Extractor, to extract metadata and hidden information. Attackers use this information to perform social engineering and other attacks. Metagoofil extracts the metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx, etc.) belonging to a target company.
Information Gathering Using NNTP Usenet Newsgroups
A Usenet newsgroup is a repository containing a collection of notes or messages on various subjects and topics that are submitted by users over the Internet. Attackers can search the Usenet newsgroups, such as Newshosting and Eweka, to find valuable information about the operating systems, software, web servers, etc. used by the target organization.
Popular Google advanced search operators
[cache:] Displays the web pages stored in the Google cache
[link:] Lists web pages that have links to the specified web page
[related:] Lists web pages that are similar to the specified web page
[info:] Presents some information that Google has about a particular web page
[site:] Restricts the results to those websites in the given domain
[allintitle:] Restricts the results to those websites containing all the search keywords in the title
[intitle:] Restricts the results to documents containing the search keyword in the title
[allinurl:] Restricts the results to those containing all the search keywords in the URL
[inurl:] Restricts the results to documents containing the search keyword in the URL
[location:] Finds information for a specific location
Google search queries for VoIP footprinting
intitle:"Login Page" intext:"Phone Adapter Configuration Utility" - Pages containing login portals
inurl:/voice/advanced/ intitle:Linksys SPA configuration - Finds the Linksys VoIP router configuration page
intitle:"D-Link VIP Router" "Welcome" - Pages containing D-Link login portals
intitle:asterisk.management.portal web-access - Finds the Asterisk web management portal
intitle:"SPA504G Configuration" - Finds the Cisco SPA504G Configuration Utility for IP phones
inurl:8080 intitle:"login" intext:"UserLogin" "English" - VoIP login portals
intitle:"Sipura.SPA.Configuration" -.pdf - Finds configuration pages for online VoIP devices
