Chapter 2 Reconnaissance: Footprinting Flashcards

1
Q

Two types of footprinting

A

Active and Passive

2
Q

Passive Footprinting

A

Accessing publicly available information about a target.

3
Q

Active Footprinting

A

Accessing information about a target through interaction with the organisation: social engineering, human interaction etc.

4
Q

Passive Information Gathering - Competitive Intelligence

A

Information legally gathered by a business entity about its competitors' customers, products and marketing.

5
Q

Passive Information Gathering - Pseudonymous Footprinting

A

Gathering information from online sources posted by someone from the target but under a different name.

6
Q

Active Information Gathering - Social Engineering

A

Information gathering using phone calls, face-to-face interaction and social media interaction.

7
Q

Passive Information Gathering - Dumpster Diving

A

Looking in the trash for information (passwords, filenames etc) written on paper or printouts.

8
Q

Using Search Engines and the internet

A

Usual search engines: Google, Yahoo, Bing, DuckDuckGo.

Use Google Alerts to monitor a target and get alerts for each new entry indexed by Google.

Netcraft - Online tool used to obtain information not usually intended for public disclosure; web server version, IP address, subnet data, OS info, subdomain info etc.

Job Boards - Disclosure of company infrastructure and software estate.

Archive.org - Archived copies of websites/history

Google Cache - Archived copies of websites

Website Watcher at http://aignes.com automatically checks web pages for changes and alerts you when they change (exam tip)

9
Q

Google Hacking

A

Using operators and syntax to fine-tune searches to find information that is often unintentionally publicly available on the internet. The Google Hacking Database is a handy tool which regularly catalogues search strings.

10
Q

Website Footprint Tools to capture headers, cookies, connection status, content type and web server information

A
  • Burp Suite
  • Firebug
  • Website Informer
11
Q

Web Mirroring/Copying Tools (Passive Footprinting)

A
  • HTTrack
  • Black Widow
  • WebRipper
  • Teleport Pro
  • GNU Wget
  • Backstreet Browser
12
Q

Four main focuses and benefits of footprinting according to the EEC

A
  • Know the security posture (footprinting helps make this clear)
  • Reduce the focus area (network range, number of targets etc)
  • Identify vulnerabilities
  • Draw a network map

EXAM TIP

13
Q

Target Alerts

A

Google, Yahoo and Twitter offer alerting so you can get emails/messages whenever new content regarding your target is found.

EXAM TIP

14
Q

Email Tracking Information and Tools

A

Email headers can provide good footprinting information about a target such as IP address, physical locations, even links visited by the recipient, OS information and sometimes how long a recipient spent reading the email.

Email Tracking websites and tips

  • Using read receipts
  • www.emailtrackerpro.com
  • www.mailtracking.com

Email tracking tools include

  • GetNotify
  • ContactMonkey
  • Yesware
  • Read Notify
  • WhoReadMe
  • MSGTAG
  • Trace Email
  • Zendio
15
Q

DNS Information

A

DNS is a naming system for computers that converts human-readable domain names into computer-readable IP addresses and vice versa. DNS uses UDP port 53 to serve its requests.

16
Q

DNS Record Types

A
  • A (address)—Maps a hostname to an IP address
  • SOA (Start of Authority)—Identifies the DNS server responsible for the domain information
  • CNAME (canonical name)—Provides additional names or aliases for the address record
  • MX (mail exchange)—Identifies the mail server for the domain
  • SRV (service)—Identifies services such as directory services
  • PTR (pointer)—Maps IP addresses to hostnames
  • NS (name server)—Identifies other name servers for the domain

EXAM TIP

17
Q

The Domain Name System Security Extensions (DNSSEC)

A

DNSSEC was created in 1999 to help combat DNS poisoning and is a suite of IETF (Internet Engineering Task Force) specifications for securing certain kinds of information provided by DNS.

EXAM TIP

18
Q

DNS Footprinting tool - WHOIS

A

Provides domain ownership information, including registrant and administrative names, contact numbers and DNS server names

EXAM TIP

19
Q

DNS Footprinting tool - nslookup

A

Windows command to display the default DNS server and associated IP addresses.

  1. Enter nslookup at the command line
  2. Type server (using the IP address of the SOA) and press ENTER
  3. Type set type=any and press ENTER
  4. Type ls -d domainname.com (where domainname.com is the name of the zone) and press ENTER

You’ll receive an error code if the administrator has secured the domain, or you’ll get a copy of the zone transfer.

EXAM TIP - You’ll need to know nslookup syntax very well and how to get into interactive mode

20
Q

Network Footprinting

A

Use tracert or ping to get the target's IP ranges on a Windows machine. On Linux, you’d use traceroute, NOT tracert, and remember that a route to a target can change at any time.

Windows tracert uses ICMP, whereas Linux traceroute uses UDP.

EXAM TIP

21
Q
A