2 - Footprinting and Reconnaissance Flashcards

1
Q

What is footprinting?

A
  • The process of collecting information about a target network and its environment.
  • Determining the blueprint, or the unique system profile, of the target network.
2
Q

What are the types of footprinting?

A
  • Passive Footprinting
    • Gathering information about a target without direct interaction.
    • Technically, this means collecting only the archived and stored information about the target, using search engines, social networking sites, and so on.
  • Active Footprinting
    • Gathering information about the target with direct interaction.
    • Overtly interacting with the target network
3
Q

What type of info is gained in footprinting?

A
  • Network Information:
    • You can gather network information by performing Whois database analysis, trace routing, and so on.
    • Domain/sub-domains, network blocks, DNS records
  • System Information:
    • You can gather system information by performing network footprinting, DNS footprinting, website footprinting, email footprinting, and so on.
    • Web server OSs, location of web servers, users and passwords
  • Organization Information:
    • Information about an org is available from its website.
    • You can also query Whois DB to obtain valuable info
    • Employee details, address/mobile phone numbers, location details, background of org
    • **This info can be used in social engineering attacks**
4
Q

What are the Objectives of Footprinting?

A
  • Know Security Posture
    • Identify loopholes in security posture to build a hacking plan
  • Reduce Focus Area
    • Reduces area to specific IP range, networks, domain names, and remote access
  • Identify Vulnerabilities
    • Hackers can build their own info DB about security weaknesses in target org.
  • Draw Network Map
    • Helps attackers create a network diagram of the target
5
Q

What are the different Footprinting Methodologies?

A
  • Footprinting Through Search Engines
    • Attackers use search engines to extract info about a target
  • Footprinting Using Advanced Google Hacking Techniques
    • Refers to the use of advanced Google search operators for creating complex search queries in order to extract sensitive/hidden information.
  • Information Gathering Using Google Advanced Search and Image Search
    • With Google Advanced Search and Advanced Image Search, one can search the web more precisely and accurately.
  • Google Hacking Database (GHDB)
    • Source for querying the ever-widening reach of the Google search engine
  • VoIP and VPN Footprinting through Google Hacking DB
    • You can use these Google hacking operators or ‘Google Dorks’ for footprinting VoIP and VPN networks
  • Finding Company’s Top-Level Domains (TLDs) and Sub-Domains
    • Search for the target company’s external URL in search engine
  • Finding the Geographical Location of the Target
    • Using the Google Earth tool to get the physical location of the target, which helps attackers perform social engineering and other non-technical attacks
  • People Search on Social Networking Sites and People Search Services
    • Social networking sites provide useful info about people that could aid in social engineering
  • Gathering Information from LinkedIn
    • Attackers can use InSpy, a Python-based LinkedIn enumeration tool.
  • Gathering Information from Financial Services
    • Financial services provide useful information about the target company such as market value, shares, etc.
  • Monitoring Target Using Alerts
    • Alerts are content monitoring services that provide up-to-date information based on user preference, usually via email or SMS
  • Information Gathering Using Groups, Forums, and Blogs
    • Attackers often focus on groups, forums, and blogs to find information about a target organization and its people.
  • Determining the Operating System
    • Use tools like NetCraft, Shodan, and Censys
  • Collecting Information through Social Engineering on Social Media Sites
    • Social engineering on social media is where attackers gather information that is already publicly available; no trickery is necessary
  • Website Footprinting
    • Monitoring and analyzing the target org’s website for info
  • Website Footprinting using Web Spiders
    • Spiders aka web crawlers/web robots are programs or scripts that browse websites in a methodical manner to collect info such as employee names, addresses, and so on.
  • Mirroring Entire Website
    • Mirroring is the process of creating an exact replica or clone of website
  • Extracting Website Information from https://archive.com
    • Allows you to visit archived versions of websites
  • Monitoring Web Pages for Updates and Changes
    • Tools that allow you to detect changes or updates on a website and will alert you when it happens
  • Tracking Email Communications
    • Monitor the delivery of emails to recipients
  • Collecting Information from Email Header
    • Contains details of the sender, router information, date, subject, and recipient
  • Competitive Intelligence Gathering
    • The process of identifying, gathering, analyzing, verifying, and using information about your competitors from resources like the internet
  • Monitoring Website Traffic of Target Company
    • Attacker uses monitoring tool to collect the info about target company
  • Whois Lookup
    • DB maintained by Regional Internet Registries that contains personal info of domain owners
  • Finding IP Geolocation Information
    • Helps identify info such as country, region/state, connecting speed, ISP, etc.
  • Extracting DNS Information
    • Attackers gather DNS info to determine key hosts in the network and can perform social engineering attacks.
  • Locate the Network Range
    • Assists attackers in creating a map of the target
  • Traceroute
    • Works on the ICMP protocol and uses the TTL field to discover the routers on the path to a target host
  • Footprinting through Social Engineering
    • The art of exploiting human behavior to extract confidential information
6
Q

What are some Footprinting Countermeasures?

A
  • Restrict access to social media
  • Properly configure web servers
  • Educate employees to responsibly use forums
  • Do not reveal info in press releases, etc
  • Limit amount of info you publish on the website/internet
  • Use Footprinting to discover info about your company
  • Prevent search engines from caching web pages
  • Develop and enforce security policies
  • Disable directory listings in the web servers
  • Train employees about social engineering
  • Avoid domain-level cross-linking
7
Q

What are the steps for Footprinting Pen-Testing?

A
  • Get Proper Authorization
  • Define Scope of Assessment
  • Perform footprinting through search engines
  • Perform footprinting through web services
  • Perform footprinting through social networking sites
  • Perform website footprinting
  • Perform email footprinting
  • Gather competitive intel
  • Perform whois footprinting
  • Perform DNS footprinting
  • Perform network footprinting
  • Perform social engineering
  • Document all findings
8
Q

What are some types of Google Searches for Footprinting?

A
  • Using Google Advanced Search and Advanced Image Search
  • Reverse Image Search
  • Video Search Engines (YouTube, Google videos)
  • Meta Search Engines (Startpage and MetaGer)
  • FTP Search Engines (search files located on FTP servers)
  • IoT Search Engines (crawl internet for IOT devices that are accessible)
9
Q

What tools are used for Email harvesting?

A

theHarvester and Email Spider

10
Q

What is Deep and Dark Web footprinting?

A
  • Deep Web: Consists of web pages and contents that are hidden and unindexed and cannot be located using traditional web browsers and search engines
  • Dark Web (Darknet): The subset of the deep web that enables anyone to navigate anonymously without being traced
  • Tools: Tor Browser, ExoneraTor
11
Q

What are some methods to footprint through web services?

A
  • Using Business Profile sites
  • Monitor target using alerts
  • Tracking reputation online
  • Using groups, forums, and blogs
  • Using NNTP Usenet newsgroups
12
Q

What are web spiders?

A

Perform automated searches on the target website and collect specified info, such as employee names and email addresses.

13
Q

What is website link extracting?

A

Where an attacker analyses a target website to determine its internal and external links.

  • Tools: Octoparse, Netpeak Spider, and Link Extractor
14
Q

What is wordlist gathering?

A

Where attackers gather a list of words available on the target website to brute-force the email addresses gathered through search engines, social networking sites, and web spidering.

  • Tools: CeWL
15
Q

What are some techniques for website footprinting?

A
  • Monitoring web pages for updates and changes
  • Searching for contact info, email addresses, and telephone numbers from company website
  • Searching for web page posting patterns and revision numbers
  • Monitoring website traffic
16
Q

What are some footprinting tools?

A

FOCA, OSRFramework, OSINT framework, Billcipher