footprinting lab Flashcards
what is cache: used for?
This operator allows you to view cached version of the web page. [cache:www.google.com]- Query returns the cached version of the website www.google.com
what is allinurl:
This operator restricts results to pages containing all the query terms specified in the URL. [allinurl: google career]—Query returns only pages containing the words “google” and “career” in the URL
what is inurl:
This operator restricts the results to pages containing the word specified in the URL [inurl: copy site:www.google.com]—Query returns only pages in Google site in which the URL has the word “copy”
what is allintitle:
This operator restricts results to pages containing all the query terms specified in the title. [allintitle: detect malware]—Query returns only pages containing the words “detect” and “malware” in the title
inanchor:
This operator restricts results to pages containing the query terms specified in the anchor text on links to the page. [Anti-virus inanchor:Norton]—Query returns only pages with anchor text on links to the pages containing the word “Norton” and the page containing the word “Anti-virus”
allinanchor:
This operator restricts results to pages containing all query terms specified in the anchor text on links to the page. [allinanchor: best cloud service provider]—Query returns only pages in which the anchor text on links to the pages contain the words “best,” “cloud,” “service,” and “provider”
link:
This operator searches websites or pages that contain links to the specified website or page. [link:www.googleguide.com]—Finds pages that point to Google Guide’s home page
related:
This operator displays websites that are similar or related to the URL specified. [related:www.certifiedhacker.com]—Query provides the Google search engine results page with websites similar to certifiedhacker.com
info:
This operator finds information for the specified web page. [info:gothotel.com]—Query provides information about the national hotel directory GotHotel.com home page
location:
This operator finds information for a specific location. [location: 4 seasons restaurant]—Query give you results based around the term 4 seasons restaurant
what are the google operators
- cache 2. location 3. info 4. related
- link 6. allinanchor 7. inanchor 8. allintitle
- inurl 10. allinurl 11. intitle
how to find pdf file types
allinurl:
what tools can you use to gain information about an organization through their videos
https://citizenevidence.amnestyusa.org/
You can use other video search engines such as Google videos (https://video.google.com), Yahoo videos (https://video.search.yahoo.com), etc.; video analysis tools such as EZGif (https://ezgif.com), VideoReverser.com, etc.; and reverse image search tools such as TinEye Reverse Image Search (https://tineye.com), Yahoo Image Search (https://images.search.yahoo.com), etc. to gather crucial information about the target organization.
what will I find in FTP search engines???
earch for files located on the FTP servers; these files may hold valuable information about the target organization.
FTP search engines provide information about critical files and directories, including valuable information such as business strategies, tax documents, employee’s personal records, financial records, licensed software, and other confidential information.
what are the FTP search engines should I use?
https://www.searchftps.net/
Global FTP Search Engine (https://globalfilesearch.com), FreewareWeb FTP File Search (http://www.freewareweb.com),
what information do IOT search engines provide?
These search engines provide crucial information, including control of SCADA (Supervisory Control and Data Acquisition) systems, traffic control systems, Internet-connected household appliances, industrial appliances, CCTV cameras, etc
what iot search engines should I use
https://www.shodan.io/
Censys (https://censys.io), Thingful (https://www.thingful.net), etc., which are IoT search engines, to gather information such as manufacturer details, geographical location, IP address, hostname, open ports, etc
what information can you extract from web services?
extract critical information such as a target organization’s domains, sub-domains, operating systems, geographic locations, employee details, emails, financial information, infrastructure details, hidden web pages and content, etc.
what are example of web services that provide information about a target organization
social networking sites, people search services, alerting services, financial services, and job sites
what information will I find through web services?
infrastructure details, physical location, employee details, etc. Moreover, groups, forums, and blogs may provide sensitive information about a target organization such as public network information, system information, and personal information. Internet archives may provide sensitive information that has been removed from the World Wide Web (WWW).
A company’s top-level domains (TLDs) and sub-domains can provide much useful information such as
organizational history, services and products, and contact information
what are your tools for searching for domains??
https://www.netcraft.com
You can also use tools such as Sublist3r (https://github.com), Pentest-Tools Find Subdomains (https://pentest-tools.com), etc. to identify the domains and sub-domains of any target website.
what information will I find on peekyou
services provide names, addresses, contact details, date of birth, photographs, videos, profession, details about family and friends, social networking profiles, property information, and optional background on criminal checks.
what are people search services to gather personal information of key employees in the target organization.
pipl (https://pipl.com), Intelius (https://www.intelius.com), BeenVerified (https://www.beenverified.com), etc.,
why is gathering emails crucial for hackers??
Email ID is considered by most people as the personal identification of employees or organizations. Thus, gathering the email IDs of critical personnel is one of the key tasks of ethical hackers.
what would I use the dark web for?
can provide critical information such as credit card details, passports information, identification card details, medical records, social media accounts, Social Security Numbers (SSNs), etc.
what other sites can you use
The Hidden Wiki is an onion site that works as a Wikipedia service of hidden websites. (http://zqktlwi4fecvo6ri.onion/wiki/index.php/Main_Page)
FakeID is an onion site for creating fake passports (http://fakeidskhfik46ux.onion/)
The Paypal Cent is an onion site that sells PayPal accounts with good balances (http://nare7pqnmnojs2pg.onion/)
You can also use tools such as ExoneraTor (https://metrics.torproject.org), OnionLand Search engine (https://onionlandsearchengine.com), etc. to perform deep and dark web browsing
what site is used to learn about the target organizations OS
https://censys.io/domain?q=
what other websites can you use to gather OS information of target organization through passive footprinting.
Netcraft (https://www.netcraft.com), Shodan (https://www.shodan.io), etc.
what is sherlock
Sherlock is a python-based tool that is used to gather information about a target person over various social networking sites.
what tools can you use to gather additional information related to the target company and its employees from social networking sites.
Social Searcher (https://www.social-searcher.com), UserRecon (https://github.com)
what can you extract from the target organizations website
you can extract important information related to the target organization’s website such as the software used and the version, operating system details, filenames, paths, database field names, contact details, CMS details, the technology used to build the website, scripting platform, etc.
what info can Website footprinting provide
information associated with the website such as registered names and addresses of the domain owner, domain names, host of the sites, OS details, IP details, registrar details, emails, filenames, etc.
what is ping
Ping is a network administration utility used to test the reachability of a host on an IP network and measure the round-trip time for messages sent from the originating host to a destination computer
Lab #4
PERFORM WEBSITE FOOTPRINTING
What should you be able to do as an ethical hacker
you should be able to extract a variety of information about the target organization from its website; by performing website footprinting, you can extract important information related to the target organization’s website such as the software used and the version, operating system details, filenames, paths, database field names, contact details, CMS details, the technology used to build the website, scripting platform, etc. Using this information, you can further plan to launch advanced attacks on the target organization.
What are lab #4 objectives
- Gather information about a target website using ping command line utility
- Gather information about a target website using Website Informer
- Extract a company’s data using Web Data Extractor
- Mirror the target website using HTTrack Web Site Copier
- Gather a wordlist from the target website using CeWL
what is website footprinting?
Website footprinting is a technique used to collect information regarding the target organization’s website. Website footprinting can provide sensitive information associated with the website such as registered names and addresses of the domain owner, domain names, host of the sites, OS details, IP details, registrar details, emails, filenames, etc.
what is ping and what does it measure?
Ping is a network administration utility used to test the reachability of a host on an IP network and measure the round-trip time for messages sent from the originating host to a destination computer.
How does the ping command work and what does it obtain?
The ping command sends an ICMP echo request to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as round-trip time, and records any loss of packets. The ping command assists in obtaining domain information and the IP address of the target website
what info will be given when entering the ping command?
Note the target domain’s IP address in the result above (here, 162.241.216.11). You also obtain information on Ping Statistics such as packets sent, packets received, packets lost, and approximate round-trip time.
what will the command
ping www.certifiedhacker.com -f -l 1500
return?
Packet needs to be fragmented but DF set, means that the frame is too large to be on the network and needs to be fragmented. The packet was not sent as we used the -f switch with the ping command, and the ping command returned this error.
what does the command
ping www.certifiedhacker.com -i 3
return?
92.168.100.6: TTL expired in transit means that the router (192.168.100.6, you will have some other IP address) discarded the frame because its TTL has expired (reached 0).
what is the maximum value you can set for TTL
255
what does - n specify in the command
ping www.certifiedhacker.com -i 2 -n 1
-n specifies the number of echo requests to be sent to the target.
what is website informer
Website Informer is an online tool that gathers detailed information on a website such as a website’s traffic rank, daily visitors rate, page views, etc. Website Informer discovers the main competitors of the website, reveals DNS servers used by the website, and also obtains the Whois record of the target website
what tools can I use to perform website footprinting
and what seems to be the main important part when using these tools
website.informer.com
You can also use tools such as Burp Suite (https://portswigger.net), Zaproxy (https://www.owasp.org
the registrars url
what is web data extraction and what information can be gained through this process
Web data extraction is the process of extracting data from web pages available on the company’s website. A company’s data such as contact details (email, phone, and fax), URLs, meta tags (title, description, keyword) for website promotion,directories, web research, etc. are important sources of information for an ethical hacker.
how does web data extraction work?
Web spiders (also known as a web crawler or web robot) such as Web Data Extractor perform automated searches on the target website and extract specified information from the target website
what other tools can be used to extract data?
You can also use other web spiders such as ParseHub (https://www.parsehub.com), SpiderFoot (https://www.spiderfoot.net), etc. to extract the target organization’s data
what is website mirroring?
Website mirroring is the process of creating a replica or clone of the original website; this mirroring of the website helps you to footprint the web site thoroughly on your local system, and allows you to download a website to a local directory, analyze all directories, HTML, images, flash, videos, and other files from the server on your computer.
what other tools can be used to mirror a website
You can also use other mirroring tools such as NCollector Studio (http://www.calluna-software.com), Cyotek WebCopy (https://www.cyotek.com),
what is CeWL
CeWL is a ruby app that is used to spider a given target URL to a specified depth, optionally following external links, and returns a list of unique words that can be used for cracking passwords.
what does this mean
cewl -d 2 -m 5 www.certifiedhacker.comcew
how can you turn it into a word list
what command would you use to extract it
-d represents the depth to spider the website (here, 2) and -m represents minimum word length (here, 5).
cewl -w wordlist.txt -d 2 -m 5 www.certifiedhacker.com
pluma wordlisst.txt
Lab #5
Perform email foot printing
what should you be able to do as an ethical hacker in regards to emails
What will you collect and what will this enable you to do
As a professional ethical hacker, you need to be able to track emails of individuals (employees) from a target organization for gathering critical information that can help in building an effective hacking strategy
Email tracking allows you to collect information such as IP addresses, mail servers, OS details, geolocation, information about service providers involved in sending the mail etc. By using this information, you can perform social engineering and other advanced attacks.
what is email footprinting and how is it done
E-mail footprinting, or tracking, is a method to monitor or spy on email delivered to the intended recipient. This kind of tracking is possible through digitally time-stamped records that reveal the time and date when the target receives and opens a specific email.
what information does email footprinting reveal
- Recipient’s system IP address
- The GPS coordinates and map location of the recipient
- When an email message was received and read
- Type of server used by the recipient
- Operating system and browser information
- If a destructive email was sent
- The time spent reading the email
- Whether or not the recipient visited any links sent in the email
- PDFs and other types of attachments
- If messages were set to expire after a specified time
what is the email header and what information does it reveal
details of the sender, routing information, addressing scheme, date, subject, recipient, etc. Additionally, the email header helps ethical hackers to trace the routing path taken by an email before delivering it to the recipient.
what other tools can I use for email tracking
You can also use email tracking tools such as Infoga (https://github.com), Mailtrack (https://mailtrack.io), etc. to track an email and extract target information such as sender identity, mail server, sender’s IP address, location, etc
what info does the whois method provide?
this method provides target domain information such as the owner, its registrar, registration details, name server, contact information, etc. Using this information, you can create a map of the organization’s network, perform social engineering attacks, and obtain internal details of the network.
what is the whois method, how does it work, what does it provide
Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource such as a domain name, an IP address block, or an autonomous system
. This protocol listens to requests on port 43 (TCP). Regional Internet Registries (RIRs) maintain Whois databases, and contains the personal information of domain owners. For each resource, the Whois database provides text records with information about the resource itself and relevant information of assignees, registrants, and administrative information (creation and expiration dates)..
what does DNS zone data include?
what can you do with this info?
domain names, computer names, IP addresses, domain mail servers, service records, and much more about a target network.
you can determine key hosts connected in the network and perform social engineering attacks to gather even more information.
what is DNS
DNS considered the intermediary source for any Internet communication. The primary function of DNS is to translate a domain name to IP address and vice-versa to enable human-machine-network-internet communications
what is nslookup and what is it used for?
nslookup is a network administration command-line utility, generally used for querying the DNS to obtain a domain name or IP address mapping or for any other specific DNS record.
nslookup
what do you get and what does it mean?
Server: dns.google and Address: 8.8.8.8
this specifies that the result was directed to the default server hosted on the local machine (Windows 10) that resolves your requested domain.
Thus, if the response is coming from your local machine’s server (Google), but not the server that legitimately hosts the domain www.certifiedhacker.com; it is considered to be a non-authoritative answer. Here, the IP address of the target domain www.certifiedhacker.com is 162.241.216.11.
what must you do if the result returned is non authoriative
obtain the domains authoritive name server
what does typing this do set type=cname
and the websites domain
The CNAME lookup is done directly against the domain’s authoritative name server and lists the CNAME records for a domain.
This returns the domain’s authoritative name server (ns1.bluehost.com), along with the mail server address (dnsadmin.box5331.bluehost.com), as shown in the screenshot.
what can you do now that you have the domains authoritative name through the command
set type=a
ns1.bluehost.com
return the IP address.
once we have the IP address we can exploit the server to perform attacks such as DoS, DDoS, URL Redirection, etc.
what other tools can you use for DNS lookup
ou can also use DNS lookup tools such as Professional Toolset (https://tools.dnsstuff.com), DNS Records (https://network-tools.com), etc. to extract additional target DNS information.
what is the DNS lookup for and what is the reverse DNS operation do?
DNS lookup is used for finding the IP addresses for a given domain name, and the reverse DNS operation is performed to obtain the domain name of a given IP address.
Lab #8
Perform Network Footprinting
what info is collected in the network footprinting stage
network range, traceroute, TTL values, etc. This information will help you to create a map of the target network and perform a man-in-the-middle attack.
what does network range information assist in? What info will it give you? What will it identify
Network range information assists in creating a map of the target network. Using the network range, you can gather information about how the network is structured and which machines in the networks are alive. Further, it also helps to identify the network topology and access the control device and operating system used in the target network.
what tool do you use to find the network range?
ARIN
https://www.arin.net/about/welcome/region
what is the route
The route is the path that the network packet traverses between the source and destination.
what is network tracerouting, what does it provide, what does it enable?
Network tracerouting is a process of identifying the path and hosts lying between the source and destination. Network tracerouting provides critical information such as the IP address of the hosts lying between the source and destination, which enables you to map the network topology of the organization.
what info can traceroutes extract?
Traceroute can be used to extract information about network topology, trusted routers, firewall locations, etc.
how do you perform a trace,
how do you visualize the options, how to limit the hops
in the command prompt
tracert www.website.com
tracert/?
tracert -h 5 www.website.com
how to perform a trace on linux
traceroute ww.website.com
what are other traceroute tools
VisualRoute (http://www.visualroute.com), Traceroute NG (https://www.solarwinds.com)
what information is collected using footprinting tools
nformation collected by the footprinting tools contains the target’s IP location information, routing information, business information, address, phone number and social security number, details about the source of an email and a file, DNS information, domain information, etc.
how can you view all the commands that allow you to add/delete reords to a database, query a database, ect.
help
marmo
how to install all the modules in recon-ng and how to display all the modules available
marketplace install all
modules search
how to create a workspace?
workspaces create CEH
how to display a list of workspaces?
workspaces list
how to add a domain?
db insert domains. then in the domain(TEXT) enter website.coms
what does show domains command do
view the added domains
how to view modules related to brute forcing
use command
modules load brute
how to load the recon/domains-hosts/brute_hosts module,
type the modules load recon/domains-hosts/brute_hosts then type runba
what is maltego, what does it provide, what is unique about it?
Maltego is a footprinting tool used to gather maximum information for the purpose of ethical hacking, computer forensics, and pentesting. It provides a library of transforms to discover data from open sources and visualizes that information in a graph format, suitable for link analysis and data mining. Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate, and even making it possible to see hidden connections.
what is the OSRF framework, what does it do?
OSRFramework is a set of libraries that are used to perform Open Source Intelligence tasks. They include references to many different applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, and many others. It also provides a way of making these queries graphically as well as several interfaces to interact with such as OSRFConsole or a Web interface.
how to check for the existence of a profile given user details on different social networking platforms
usufy.py
usufy.py Mark Zuckerberg -p twitter facebook youtube
The usufy.py will search the user details in the mentioned platforms and will provide you with the existence of the user, as shown in the screenshot
Type domainfy.py -n [Domain Name] -t all
tool will retrieve all the domains related to the target domain.
searchfy.py
- Gathers information about the users on social networking pages.
mailfy.py
Gathers information about email accounts
phonefy.py
Checks for the existence of a given series of phones
entify.py
Extracts entities using regular expressions from provided URLs
what is Billcipher, what info can you get
BillCipher is an information gathering tool for a Website or IP address. Using this tool, you can gather information such as DNS Lookup, Whois lookup, GeoIP Lookup, Subnet Lookup, Port Scanner, Page Links, Zone Transfer, HTTP Header, etc.
what other footprinting tools can you use
Recon-Dog (https://www.github.com), Th3Inspector (https://github.com), Raccoon (https://github.com), Orb (https://github.com)
what is OSINT, whatdoes it dowhat does it focus on
OSINT Framework is an open source intelligence gathering framework that helps security professionals for performing automated footprinting and reconnaissance, OSINT research, and intelligence gathering. It is focused on gathering information from free tools or resources. This framework includes a simple web interface that lists various OSINT tools arranged by category and is shown as an OSINT tree structure on the web interface.
what are OSINT indicators
(T) - Indicates a link to a tool that must be installed and run locally
(D) - Google Dork
(R) - Requires registration
(M) - Indicates a URL that contains the search term and the URL itself must be edited manually
what is Namechk
Namechk is used to see if your desired username or vanity URL is still available at dozens of popular social networking and social bookmarking websites. You can also find the best username with Namechk.
what is the domain dossier tool for?
the Domain Dossier tool generates reports from public records about domain names and IP addresses to help solve problems, investigate cybercrime, or just to better understand how things are set up.
