Footprinting & Recon


FOCA

(Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans

Email Footprinting Tools

- GetNotify
- ContactMonkey
- Yesware

Determining the Operating System

- Netcraft
- Shodan
- Censys

Censys

A search engine that returns information about the types of devices connected to the Internet.

cname

A canonical name record is an alias of an existing record, thus allowing multiple DNS records to map to the same IP address. Canonical naming allows aliases to a host.

RIR (Regional Internet Registry)

A not-for-profit agency that manages the distribution of IP addresses to private and public entities.

- ARIN - North America
- AfriNIC - Africa
- APNIC - Asia Pacific
- LACNIC - Southern & Central America
- RIPE NCC - Europe, the Middle East and Central Asia

Netcraft

Company that tracks web statistics; used to fingerprint web servers and provides hosting history for websites.

TTL (Time to Live)

Indicates the maximum duration that an IPv4 packet can remain on the network before it is discarded.

- TTL of a Linux system is 64
- TTL of Windows is 128
- TTL of routers is 254

Google Hacking

Manipulating a search string with additional specific operators to search for vulnerabilities or very specific information. Example: to find Nessus vulnerability reports, search for "This file was generated by Nessus".

theHarvester

Script utility for gathering results from open-source intelligence queries (Linux).

Active OS Fingerprinting

Sends specially crafted packets to the remote OS and analyzes the received response. Nmap is awesome at this.

SRV

Service record

Google search [link:]

Shows pages that point to the given URL. For example, to find pages that point to Google Guide's home page, enter: [ link:www.googleguide.com ]

In domain names, what is a zone?

A collection of structured resource records that can include an SOA record, A record, CNAME record, NS record, PTR record, and MX record.

tcpdump

A command-line utility that allows you to capture and analyze network traffic going through your system.

Recon-ng

A full-featured web reconnaissance framework written in Python (CLI, Linux).

Service-oriented architecture (SOA)

A method of software development that uses software components called services to create business applications. Vulnerable to XML DoS attacks.

recon

A plug-in or extension for Chrome.

Web Data Extractor

A tool that automatically extracts specific information from web pages.

Shodan

A web-based device scanner (routers, servers, IoT). Can identify devices with default passwords.

WHOIS

An Internet utility program that obtains information about a domain name or IP number from the database of a domain name registry.

CSIRT (Computer Security Incident Response Team)

An organization that receives reports of security breaches, conducts analyses of the reports, and responds to the senders. It is a single point of contact in the US for reporting computer security breaches and security incidents, for associates of the Department of Homeland Security.

HTTrack

Website mirroring tool.

Job postings/resumes

Can give an indication of the type of environment the company has.

Passive Footprinting

Collecting information from publicly accessible sources.

Wappalyzer

Helps to find what software is used to run a particular page.

Web spiders

Perform automated searches on the target website and collect specified information such as employee names, email addresses, etc.

Active Footprinting

Requires the attacker to touch the device, network, or resource.

Apache web server

Runs on Linux; designed to create web servers that can host one or more HTTP-based websites.

Google dork operator - ext

Search for a specific type of document.

pipl

Search tool that can be used to identify an online presence for someone.

Footprinting

The first step of an attack on an information system, in which an attacker collects information about a target network to identify various ways to intrude into the system.

Google dork operator - filetype

To get information related to file extensions.

DNSRecon

A tool that can be used to identify hostnames by making repeated requests based on a wordlist provided to the program.

Email Tracking Tools

Tools such as eMailTrackerPro, Infoga, Mailtrack, and PoliteMail allow an attacker to track an email and extract information, such as sender identity, mail server, sender's IP address, and location.

Google Dorking

An electronic variation of dumpster diving: using Google's search engine to look for documents and data posted online.

Google Search Query - hyphen

Using a hyphen immediately before a word tells Google that you do not want pages that contain this word to appear in your results.

Metagoofil

Extracts metadata from public documents (pdf, doc, xls, ppt, docx, pptx, xlsx, etc.) belonging to a target company.

Passive OS fingerprinting

Involves sniffing network traffic at any given collection point and matching known patterns. Tool: tcpdump.

WebScarab

An OWASP tool that allows you to record, inspect, modify and build requests and responses sent using the HTTP protocol.

Wayback Machine

(archive.org) Site used to find previous versions/history of a web site.

CeWL

A Ruby app that crawls websites to generate word lists that can be used with password crackers such as John the Ripper. It is included with Kali Linux.

traceroute (tracert)

A command on many computer operating systems that discovers the IP addresses, and possibly host names, of the routers used by the network when sending a packet from one computer to another.

reverse DNS lookup

A function that finds the host name of a device whose IP address is known.

Web Mirroring

Copying a website directly to your system to test offline. Tools: HTTrack Web Site Copier, NCollector Studio.

Extracting DNS Information

DNS records provide important information about the location and types of servers. Attackers can gather DNS information to determine key hosts in the network for social engineering attacks.

GHDB (Google Hacking Database)

Database of search strings optimized for locating vulnerable websites and services.

Google search [allinurl:]

Google restricts results to those containing all the query terms you specify in the URL. For example, [ allinurl: google faq ] will return only documents that contain the words "google" and "faq" in the URL, such as "www.google.com/help/faq.html".

allintitle:

Google search command which returns sites that contain the search terms in the page title.

Google search [site:]

Google will restrict your search results to the site or domain you specify. For example, [ admissions site:www.lse.ac.uk ] will show admissions information from London School of Economics' site and [ peace site:gov ] will find pages about peace within the .gov domain.

OSRFramework

Includes applications related to username checking, DNS lookups, information leaks research, deep web search, and regular expression extraction.

MX

Mail Exchange records define a server as an e-mail server.

PTR (Pointer) record

Maps an IP address to a hostname.

Exiftool

Metadata extraction tool.

A Record

Points to a host's IP address.

Google Hacking Database (GHDB)

Provides a database of search strings optimized for locating vulnerable websites and services.

OSINT (Open Source Intelligence)

Publicly available information plus the tools used to aggregate and search it.

Service (SRV) Record

Specifies a host and port for a specific service.

OS Fingerprinting

The practice of identifying the operating system of a networked device by using passive or active techniques.

ARIN (American Registry for Internet Numbers)

The regional Internet registry responsible for managing both IPv4 and IPv6 IP number distribution.

What is the ICMP message used to allow the traceroute program to indicate hops?

Time exceeded in transit

Sublist3r

A Python script designed to enumerate subdomains of websites using OSINT.

Options: [-d DOMAIN] [-b BRUTEFORCE] [-p PORTS] [-v VERBOSE] [-t THREADS] [-e ENGINES] [-o OUTPUT] [-h HELP]

-h shows the help message.

PeekYou

A search engine that allows you to look for people using their real names and usernames.

Maltego

A program that can be used to determine the relationships and real-world links between people, groups of people (social networks), companies, organizations, websites, Internet infrastructure, phrases, documents, and files. It can demonstrate social engineering weaknesses in your environment. Automated passive recon.

Google search [location:]

On Google News, only articles from the location you specify will be returned. For example, [ queen location:canada ] will show articles that match the term "queen" from sites in Canada.
