footprinting lab Flashcards

1
Q

what is cache: used for?

A

This operator shows Google’s cached copy of a page. [cache:www.google.com]—Query returns the cached version of the website www.google.com. Google retired the cache: operator in 2024, so for a historical copy of a page use the Wayback Machine (https://web.archive.org) instead.

2
Q

what is allinurl:

A

This operator restricts results to pages containing all the query terms specified in the URL. [allinurl: google career]—Query returns only pages containing the words “google” and “career” in the URL

3
Q

what is inurl:

A

This operator restricts the results to pages containing the word specified in the URL [inurl: copy site:www.google.com]—Query returns only pages in Google site in which the URL has the word “copy”

4
Q

what is allintitle:

A

This operator restricts results to pages containing all the query terms specified in the title. [allintitle: detect malware]—Query returns only pages containing the words “detect” and “malware” in the title

5
Q

inanchor:

A

This operator restricts results to pages containing the query terms specified in the anchor text on links to the page. [Anti-virus inanchor:Norton]—Query returns only pages with anchor text on links to the pages containing the word “Norton” and the page containing the word “Anti-virus”

6
Q

allinanchor:

A

This operator restricts results to pages containing all query terms specified in the anchor text on links to the page. [allinanchor: best cloud service provider]—Query returns only pages in which the anchor text on links to the pages contain the words “best,” “cloud,” “service,” and “provider”

7
Q

link:

A

This operator was meant to find websites or pages that contain links to the specified website or page. [link:www.googleguide.com]—Finds pages that point to Google Guide’s home page. Google retired the link: operator in 2017, so it now behaves like an ordinary keyword; backlink data has to come from Search Console or third-party SEO indexes.

8
Q

related:

A

This operator displays websites that are similar or related to the URL specified. [related:www.certifiedhacker.com]—Query provides the Google search engine results page with websites similar to certifiedhacker.com

9
Q

info:

A

This operator finds information for the specified web page. [info:gothotel.com]—Query provides information about the national hotel directory GotHotel.com home page

10
Q

location:

A

This operator finds information for a specific location. [location: 4 seasons restaurant]—Query gives you results based around the term “4 seasons restaurant”

11
Q

what are the google operators

A
  1. cache
  2. location
  3. info
  4. related
  5. link
  6. allinanchor
  7. inanchor
  8. allintitle
  9. inurl
  10. allinurl
  11. intitle

12
Q

how to find pdf file types

A

filetype:pdf. The filetype: operator restricts results to documents of the given type, e.g. [filetype:pdf site:certifiedhacker.com] lists the PDF files Google has indexed from that site. (allinurl:pdf only matches URLs that happen to contain the string “pdf”.)

13
Q

what tools can you use to gain information about an organization through their videos

A

https://citizenevidence.amnestyusa.org/
You can use other video search engines such as Google videos (https://video.google.com), Yahoo videos (https://video.search.yahoo.com), etc.; video analysis tools such as EZGif (https://ezgif.com), VideoReverser.com, etc.; and reverse image search tools such as TinEye Reverse Image Search (https://tineye.com), Yahoo Image Search (https://images.search.yahoo.com), etc. to gather crucial information about the target organization.

14
Q

what will I find in FTP search engines???

A

Search for files located on FTP servers; these files may hold valuable information about the target organization.

FTP search engines provide information about critical files and directories, including valuable information such as business strategies, tax documents, employee’s personal records, financial records, licensed software, and other confidential information.

15
Q

what are the FTP search engines should I use?

A

https://www.searchftps.net/

You can also use Global FTP Search Engine (https://globalfilesearch.com), FreewareWeb FTP File Search (http://www.freewareweb.com), etc.

16
Q

what information do IOT search engines provide?

A

These search engines index Internet-exposed devices and provide crucial information about them, including SCADA (Supervisory Control and Data Acquisition) systems, traffic control systems, Internet-connected household appliances, industrial appliances, CCTV cameras, etc. The search engine reports what is exposed (banners, open ports, location, vendor); it does not itself control the device.

17
Q

what iot search engines should I use

A

Shodan (https://www.shodan.io/), Censys (https://censys.io), Thingful (https://www.thingful.net), etc. are IoT search engines that gather information such as manufacturer details, geographical location, IP address, hostname, open ports, etc.

18
Q

what information can you extract from web services?

A

Web services can be used to extract critical information such as a target organization’s domains, sub-domains, operating systems, geographic locations, employee details, emails, financial information, infrastructure details, hidden web pages and content, etc.

19
Q

what are example of web services that provide information about a target organization

A

social networking sites, people search services, alerting services, financial services, and job sites

20
Q

what information will I find through web services?

A

Infrastructure details, physical location, employee details, etc. Moreover, groups, forums, and blogs may provide sensitive information about a target organization such as public network information, system information, and personal information. Internet archives may provide sensitive information that has been removed from the World Wide Web (WWW).

21
Q

A company’s top-level domains (TLDs) and sub-domains can provide much useful information such as

A

organizational history, services and products, and contact information

22
Q

what are your tools for searching for domains??

A

https://www.netcraft.com
You can also use tools such as Sublist3r (https://github.com), Pentest-Tools Find Subdomains (https://pentest-tools.com), etc. to identify the domains and sub-domains of any target website.

23
Q

what information will I find on peekyou

A

People search services such as PeekYou provide names, addresses, contact details, date of birth, photographs, videos, profession, details about family and friends, social networking profiles, property information, and optional background/criminal checks.

24
Q

what are people search services to gather personal information of key employees in the target organization.

A

pipl (https://pipl.com), Intelius (https://www.intelius.com), BeenVerified (https://www.beenverified.com), etc.,

25
Q

why is gathering emails crucial for hackers??

A

Email ID is considered by most people as the personal identification of employees or organizations. Thus, gathering the email IDs of critical personnel is one of the key tasks of ethical hackers.

26
Q

what would I use the dark web for?

A

The dark web can provide critical information such as credit card details, passport information, identification card details, medical records, social media accounts, Social Security Numbers (SSNs), etc.

27
Q

what other sites can you use

A

The Hidden Wiki is an onion site that works as a Wikipedia service of hidden websites. (http://zqktlwi4fecvo6ri.onion/wiki/index.php/Main_Page)

FakeID is an onion site for creating fake passports (http://fakeidskhfik46ux.onion/)

The Paypal Cent is an onion site that sells PayPal accounts with good balances (http://nare7pqnmnojs2pg.onion/)

You can also use tools such as ExoneraTor (https://metrics.torproject.org), which checks whether a given IP address was a Tor relay on a given date, and the OnionLand Search engine (https://onionlandsearchengine.com) to research the deep and dark web.

28
Q

what site is used to learn about the target organizations OS

A

https://censys.io/domain?q=

29
Q

what other websites can you use to gather OS information of target organization through passive footprinting.

A

Netcraft (https://www.netcraft.com), Shodan (https://www.shodan.io), etc.

30
Q

what is sherlock

A

Sherlock is a Python-based tool that takes a username and checks hundreds of social networking sites for an account with that name, so you can map a target person’s presence across platforms.

31
Q

what tools can you use to gather additional information related to the target company and its employees from social networking sites.

A

Social Searcher (https://www.social-searcher.com), UserRecon (https://github.com)

32
Q

what can you extract from the target organizations website

A

you can extract important information related to the target organization’s website such as the software used and the version, operating system details, filenames, paths, database field names, contact details, CMS details, the technology used to build the website, scripting platform, etc.

33
Q

what info can Website footprinting provide

A

information associated with the website such as registered names and addresses of the domain owner, domain names, host of the sites, OS details, IP details, registrar details, emails, filenames, etc.

34
Q

what is ping

A

Ping is a network administration utility used to test the reachability of a host on an IP network and measure the round-trip time for messages sent from the originating host to a destination computer

35
Q

Lab #4

A

PERFORM WEBSITE FOOTPRINTING

36
Q

What should you be able to do as an ethical hacker

A

you should be able to extract a variety of information about the target organization from its website; by performing website footprinting, you can extract important information related to the target organization’s website such as the software used and the version, operating system details, filenames, paths, database field names, contact details, CMS details, the technology used to build the website, scripting platform, etc. Using this information, you can further plan to launch advanced attacks on the target organization.

37
Q

What are lab #4 objectives

A
  1. Gather information about a target website using ping command line utility
  2. Gather information about a target website using Website Informer
  3. Extract a company’s data using Web Data Extractor
  4. Mirror the target website using HTTrack Web Site Copier
  5. Gather a wordlist from the target website using CeWL
38
Q

what is website footprinting?

A

Website footprinting is a technique used to collect information regarding the target organization’s website. Website footprinting can provide sensitive information associated with the website such as registered names and addresses of the domain owner, domain names, host of the sites, OS details, IP details, registrar details, emails, filenames, etc.

39
Q

what is ping and what does it measure?

A

Ping is a network administration utility used to test the reachability of a host on an IP network and measure the round-trip time for messages sent from the originating host to a destination computer.

40
Q

How does the ping command work and what does it obtain?

A

The ping command sends an ICMP echo request to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as round-trip time, and records any loss of packets. The ping command assists in obtaining domain information and the IP address of the target website

41
Q

what info will be given when entering the ping command?

A

Note the target domain’s IP address in the result above (here, 162.241.216.11). You also obtain information on Ping Statistics such as packets sent, packets received, packets lost, and approximate round-trip time.

42
Q

what will the command

ping www.certifiedhacker.com -f -l 1500

return?

A

Packet needs to be fragmented but DF set. The -l 1500 switch asks for a 1500-byte ICMP payload; with the 8-byte ICMP header and the 20-byte IP header the datagram is 1528 bytes, larger than the 1500-byte Ethernet MTU, so it would have to be fragmented. The -f switch sets the Don’t Fragment (DF) bit, so the packet cannot be sent and ping reports this error instead. Lowering -l until the error disappears (1472 on a standard Ethernet link) reveals the path MTU.

43
Q

what does the command

ping www.certifiedhacker.com -i 3

return?

A

Reply from 192.168.100.6: TTL expired in transit means that the router at 192.168.100.6 (you will see some other IP address) discarded the packet because its TTL, set to 3 by -i 3, had been decremented to 0 before the packet reached the destination. Increasing -i one hop at a time and noting which router answers is exactly how traceroute maps the path.

44
Q

what is the maximum value you can set for TTL

A

255

45
Q

what does - n specify in the command

ping www.certifiedhacker.com -i 2 -n 1

A

-n specifies the number of echo requests to be sent to the target.
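Added example (not part of the lab or these cards): a Python script that does what the ping cards above describe at the packet level. It builds an ICMP echo request with the RFC 1071 checksum, shows why ping -l 1500 -f cannot cross a 1500-byte MTU link, and parses the raw IPv4+ICMP reply a router returns when the TTL runs out. The addresses 192.168.100.6 and 162.241.216.11 are the ones quoted in the cards; the sample packets, the address 10.0.0.5 and all function names are constructed for this example. send_echo needs raw-socket privileges and network access; everything else runs offline.

```python
import socket
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACHABLE, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
IPV4_HEADER_LEN, ICMP_HEADER_LEN = 20, 8


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP; 0 for a packet that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, ident=0, seq=0, payload=b""):
    """ICMP message with the checksum filled in (type/code/checksum/id/seq + payload)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def build_echo_request(ident, seq, payload=b"abcdefghijklmnop"):
    return build_icmp(ICMP_ECHO_REQUEST, 0, ident, seq, payload)


def build_ipv4(src, dst, ttl, payload, dont_fragment=False, proto=socket.IPPROTO_ICMP):
    """IPv4 header around `payload`; used here only to construct sample replies offline."""
    flags_frag = 0x4000 if dont_fragment else 0          # 0x4000 = DF bit
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(payload), 0x1234,
                         flags_frag, ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + payload


def on_wire_length(payload_len):
    """Total IPv4 datagram size of `ping -l payload_len`: IP header + ICMP header + payload."""
    return IPV4_HEADER_LEN + ICMP_HEADER_LEN + payload_len


def needs_fragmentation(payload_len, mtu=1500):
    """True when `ping -l payload_len -f` cannot be sent unfragmented over a link with this MTU."""
    return on_wire_length(payload_len) > mtu


def parse_reply(packet):
    """Interpret a raw IPv4+ICMP datagram (as a raw socket delivers it) into what ping reports."""
    ihl = (packet[0] & 0x0F) * 4
    ttl = packet[8]
    src = socket.inet_ntoa(packet[12:16])
    icmp = packet[ihl:]
    icmp_type, code = icmp[0], icmp[1]
    if inet_checksum(icmp) != 0:
        meaning = "bad ICMP checksum"
    elif icmp_type == ICMP_ECHO_REPLY:
        meaning = "echo reply"
    elif icmp_type == ICMP_TIME_EXCEEDED:
        meaning = "TTL expired in transit"
    elif icmp_type == ICMP_DEST_UNREACHABLE and code == 4:
        meaning = "packet needs to be fragmented but DF set"
    else:
        meaning = "ICMP type %d code %d" % (icmp_type, code)
    return {"src": src, "ttl": ttl, "type": icmp_type, "code": code, "meaning": meaning}


def send_echo(host, ttl=64, timeout=2.0, ident=0x1234):
    """One echo request with the given TTL (like ping -i); needs raw-socket privileges."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        sock.settimeout(timeout)
        sock.sendto(build_echo_request(ident, 1), (host, 0))
        packet, _ = sock.recvfrom(65535)
    return parse_reply(packet)


if __name__ == "__main__":
    # Constructed replies standing in for the two lab results (no network needed).
    expired = build_ipv4("192.168.100.6", "10.0.0.5", 64, build_icmp(ICMP_TIME_EXCEEDED, 0))
    print(parse_reply(expired))
    print("ping -l 1500 -f fits a 1500-byte MTU:", not needs_fragmentation(1500))
```

Validating the checksum on receipt (a correct packet sums to 0) is what keeps a corrupted or crafted reply from being misread as a router answer; send_echo with ttl=1, 2, 3, ... is the core loop of traceroute.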

46
Q

what is website informer

A

Website Informer is an online tool that gathers detailed information on a website such as a website’s traffic rank, daily visitors rate, page views, etc. Website Informer discovers the main competitors of the website, reveals DNS servers used by the website, and also obtains the Whois record of the target website

47
Q

what tools can I use to perform website footprinting

and what seems to be the main important part when using these tools

A

Website Informer (https://website.informer.com). You can also use tools such as Burp Suite (https://portswigger.net), Zaproxy (https://www.owasp.org), etc.

The most useful detail to note from these tools is the registrar’s URL from the Whois record, which leads on to the domain’s registration information.

48
Q

what is web data extraction and what information can be gained through this process

A

Web data extraction is the process of extracting data from web pages available on the company’s website. A company’s data such as contact details (email, phone, and fax), URLs, meta tags (title, description, keyword) for website promotion, directories, web research, etc. are important sources of information for an ethical hacker.

49
Q

how does web data extraction work?

A

Web spiders (also known as web crawlers or web robots) such as Web Data Extractor perform automated searches on the target website and extract specified information from it.

50
Q

what other tools can be used to extract data?

A

You can also use other web spiders such as ParseHub (https://www.parsehub.com), SpiderFoot (https://www.spiderfoot.net), etc. to extract the target organization’s data

51
Q

what is website mirroring?

A

Website mirroring is the process of creating a replica or clone of the original website. Mirroring lets you download the website to a local directory and footprint it thoroughly on your own system: you can analyze all directories, HTML, images, Flash, videos, and other files from the server offline, without sending further requests to the target.

52
Q

what other tools can be used to mirror a website

A

You can also use other mirroring tools such as NCollector Studio (http://www.calluna-software.com), Cyotek WebCopy (https://www.cyotek.com), etc.

53
Q

what is CeWL

A

CeWL is a Ruby application that spiders a given target URL to a specified depth, optionally following external links, and returns a list of unique words found on the pages that can be used as a wordlist for password cracking.

54
Q

what does this mean

cewl -d 2 -m 5 www.certifiedhacker.com

how can you turn it into a word list

what command would you use to extract it

A

-d represents the depth to spider the website (here, 2) and -m represents the minimum word length (here, 5); with no output option the words are printed to the terminal.

cewl -w wordlist.txt -d 2 -m 5 www.certifiedhacker.com writes the words to wordlist.txt instead.

pluma wordlist.txt opens the file in the Pluma text editor (any editor, or cat wordlist.txt, works).
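Added example (not CeWL’s own code and not part of the lab): a Python reimplementation of what cewl -d 2 -m 5 does, so the two switches can be seen working. It crawls from a start URL breadth-first to a given link depth, stays on the same host unless told otherwise (CeWL’s -o), ignores the bodies of script and style tags, and returns the unique words of at least the minimum length in the order they were found. The three-page site under www.certifiedhacker.test and its contents are constructed for the example; http_fetch is the real fetcher for a live target, fake_fetch serves the constructed pages so the script runs offline.

```python
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

WORD = re.compile(r"[A-Za-z]+")


class _PageScraper(HTMLParser):
    """Collects visible text and href targets; bodies of <script>/<style> are ignored."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def words_and_links(html, min_len):
    """Words of at least `min_len` letters (CeWL -m) plus the page's links, in document order."""
    scraper = _PageScraper()
    scraper.feed(html)
    words = [w for w in WORD.findall(" ".join(scraper.text)) if len(w) >= min_len]
    return words, scraper.links


def spider(start_url, fetch, depth=2, min_len=5, offsite=False):
    """Breadth-first crawl `depth` link hops from start_url (CeWL -d); unique words, first-seen order."""
    host = urlparse(start_url).netloc
    seen_urls, seen_words, words = set(), set(), []
    frontier = [(start_url, 0)]
    while frontier:
        url, hops = frontier.pop(0)
        if url in seen_urls:
            continue
        seen_urls.add(url)
        html = fetch(url)
        if html is None:
            continue
        page_words, links = words_and_links(html, min_len)
        for word in page_words:
            if word not in seen_words:
                seen_words.add(word)
                words.append(word)
        if hops < depth:
            for link in links:
                target = urljoin(url, link).split("#")[0]
                if offsite or urlparse(target).netloc == host:   # -o would allow other hosts
                    frontier.append((target, hops + 1))
    return words


def http_fetch(url, timeout=10):
    """Fetcher for a live target: returns the page body for HTML responses, None otherwise."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if "html" not in resp.headers.get("Content-Type", ""):
                return None
            return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    except Exception:
        return None


# Constructed three-page site so the crawler can be run offline (not a real host).
SITE = {
    "http://www.certifiedhacker.test/": (
        "<html><head><title>Certified Hacker</title>"
        "<script>var secretToken='ignored';</script></head>"
        "<body><h1>Welcome to Certified Hacker</h1><p>Our security team trains staff.</p>"
        "<a href='/about'>About us</a> <a href='http://other.test/x'>Partner</a></body></html>"),
    "http://www.certifiedhacker.test/about": (
        "<html><body><p>Founded in Mumbai, the company builds training labs.</p>"
        "<a href='/careers'>Careers</a></body></html>"),
    "http://www.certifiedhacker.test/careers": (
        "<html><body><p>Join our penetration testing team.</p></body></html>"),
}


def fake_fetch(url):
    return SITE.get(url)


if __name__ == "__main__":
    # Equivalent of: cewl -w wordlist.txt -d 2 -m 5 www.certifiedhacker.test
    with open("wordlist.txt", "w") as out:
        out.write("\n".join(spider("http://www.certifiedhacker.test/", fake_fetch, 2, 5)) + "\n")
```

With depth=2 the crawler reaches the careers page (two hops from the start); with depth=1 it stops at the about page, which is the effect of CeWL’s -d. Script bodies are skipped deliberately: a wordlist built for password guessing should contain the words people read on the site, not JavaScript identifiers.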

55
Q

Lab #5

A

Perform email footprinting

56
Q

what should you be able to do as an ethical hacker in regards to emails

What will you collect and what will this enable you to do

A

As a professional ethical hacker, you need to be able to track emails of individuals (employees) from a target organization for gathering critical information that can help in building an effective hacking strategy

Email tracking allows you to collect information such as IP addresses, mail servers, OS details, geolocation, information about service providers involved in sending the mail etc. By using this information, you can perform social engineering and other advanced attacks.

57
Q

what is email footprinting and how is it done

A

E-mail footprinting, or tracking, is a method to monitor or spy on email delivered to the intended recipient. This kind of tracking is possible through digitally time-stamped records that reveal the time and date when the target receives and opens a specific email.

58
Q

what information does email footprinting reveal

A
  1. Recipient’s system IP address
  2. The GPS coordinates and map location of the recipient
  3. When an email message was received and read
  4. Type of server used by the recipient
  5. Operating system and browser information
  6. If a destructive email was sent
  7. The time spent reading the email
  8. Whether or not the recipient visited any links sent in the email
  9. PDFs and other types of attachments
  10. If messages were set to expire after a specified time
59
Q

what is the email header and what information does it reveal

A

The email header contains details of the sender, routing information, addressing scheme, date, subject, recipient, etc. Additionally, the email header helps ethical hackers to trace the routing path taken by an email before it was delivered to the recipient: each mail server adds its own Received: line on top of the existing ones, so reading them bottom-up follows the message from origin to recipient. Only the Received: lines added by servers you trust are reliable; the sender can forge everything below them.
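Added example (not from the lab or the flashcard set): a Python script that reads the Received: lines of a raw message and reconstructs the path described above, earliest hop first, with the IP address each server claimed to receive from, the time each hop stamped, the delay between hops and the X-Mailer client string. The message, hosts and addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed for the example.

```python
import email
import re
from email.utils import parsedate_to_datetime

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RECEIVED = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)

# Constructed sample message: hosts and addresses are documentation ranges, not real systems.
RAW_MESSAGE = b"""Received: from mx2.recipient.test (mx2.recipient.test [203.0.113.25])
    by inbox.recipient.test with ESMTP id abc123
    for <victim@recipient.test>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from smtp.example-corp.test (smtp.example-corp.test [198.51.100.7])
    by mx2.recipient.test with ESMTPS id xyz789;
    Mon, 1 Jan 2024 10:00:03 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
    by smtp.example-corp.test (Postfix) with ESMTPSA id 111;
    Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example-corp.test
To: victim@recipient.test
Subject: Quarterly figures
X-Mailer: Microsoft Outlook 16.0

Please see the attached spreadsheet.
"""


def parse_received(value):
    """Split one Received: header into from-host, claimed source IP, receiving host and timestamp."""
    text = " ".join(value.split())          # unfold the header onto one line
    hop = {"from": None, "from_ip": None, "by": None, "when": None, "raw": text}
    m = RECEIVED.search(text)
    if m:
        hop["from"], comment, hop["by"] = m.group(1), m.group(2) or "", m.group(3)
        ip = IPV4.search(comment) or IPV4.search(m.group(1))
        hop["from_ip"] = ip.group(0) if ip else None
    if ";" in text:                          # the timestamp follows the last semicolon
        try:
            hop["when"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def analyze_headers(raw):
    msg = email.message_from_bytes(raw)
    # Every MTA prepends its Received: line, so the last header is the earliest hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    delays = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["when"] and cur["when"]:
            delays.append(int((cur["when"] - prev["when"]).total_seconds()))
    return {
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "hops": hops,
        "hop_delays_seconds": delays,
        "mailer": msg.get("X-Mailer"),
        "from": msg.get("From"),
    }


if __name__ == "__main__":
    result = analyze_headers(RAW_MESSAGE)
    for i, hop in enumerate(result["hops"]):
        print(i, hop["from_ip"], "->", hop["by"], hop["when"])
    print("origin:", result["origin_ip"], "client:", result["mailer"])
```

The origin IP and the X-Mailer value are exactly the fields an attacker wants for geolocation and client fingerprinting, and exactly the fields a sender controls; treat them as claims until the hop that your own server logged confirms them.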

60
Q

what other tools can I use for email tracking

A

You can also use email tracking tools such as Infoga (https://github.com), Mailtrack (https://mailtrack.io), etc. to track an email and extract target information such as sender identity, mail server, sender’s IP address, location, etc

61
Q

what info does the whois method provide?

A

The Whois method provides target domain information such as the owner, its registrar, registration details, name servers, contact information, etc. Using this information, you can create a map of the organization’s network, perform social engineering attacks, and obtain internal details of the network.

62
Q

what is the whois method, how does it work, what does it provide

A

Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource such as a domain name, an IP address block, or an autonomous system.

The protocol listens for requests on TCP port 43. Domain registries and registrars maintain the Whois databases for domain names, while the Regional Internet Registries (RIRs) maintain those for IP address blocks and autonomous system numbers. For each resource, the Whois database provides text records with information about the resource itself and relevant information about assignees, registrants, and administrative details (creation and expiration dates). Since 2018 most registrant contact data is redacted for privacy, and registries are moving to RDAP, the JSON-over-HTTPS successor to Whois.
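Added example (not the lab’s tooling): a small Python Whois client and parser for the protocol described above. whois_query performs the raw TCP/43 exchange; lookup starts at IANA and follows the refer: and Registrar WHOIS Server: referrals down to the registrar, which is where whatever contact data survives redaction lives; parse_whois and summarize turn the key: value text into the fields the card lists (registrar, name servers, creation and expiry dates) and flag redacted contacts. SAMPLE_RESPONSE is a constructed registry-style record: the domain and name servers are the lab’s, while the registrar name, dates and referral server are made up. Only whois_query and lookup touch the network.

```python
import socket

# Constructed sample of a registry-style Whois response. The domain and name servers are the
# lab's; the registrar name, dates and referral server are made up for this example.
SAMPLE_RESPONSE = """\
   Domain Name: CERTIFIEDHACKER.COM
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar: Example Registrar, Inc.
   Updated Date: 2023-12-15T08:00:00Z
   Creation Date: 2010-02-01T00:00:00Z
   Registry Expiry Date: 2026-02-01T00:00:00Z
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Email: REDACTED FOR PRIVACY
   Name Server: NS1.BLUEHOST.COM
   Name Server: NS2.BLUEHOST.COM
   DNSSEC: unsigned
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""


def whois_query(query, server, port=43, timeout=10.0):
    """Raw Whois exchange: connect to TCP/43, send one query line, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Turn 'Key: value' lines into {lowercase key: [values...]}; banner/comment lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def summarize(fields):
    """The fields a footprinter actually records, normalised."""
    first = lambda key: fields.get(key, [None])[0]
    return {
        "domain": (first("domain name") or "").lower() or None,
        "registrar": first("registrar"),
        "registrar_whois_server": first("registrar whois server"),
        "created": first("creation date"),
        "expires": first("registry expiry date") or first("expiry date"),
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        # Post-2018 privacy rules mean contacts are usually redacted; flag it rather than chase them.
        "contacts_redacted": any("redacted" in v.lower() for values in fields.values() for v in values),
    }


def lookup(domain, root_server="whois.iana.org", max_referrals=3):
    """Start at IANA and follow 'refer:' then 'Registrar WHOIS Server:' to the most specific record."""
    server, responses = root_server, []
    for _ in range(max_referrals):
        text = whois_query(domain, server)
        fields = parse_whois(text)
        responses.append((server, summarize(fields), text))
        nxt = (fields.get("refer") or fields.get("registrar whois server") or [None])[0]
        if not nxt or nxt.lower() == server.lower():
            break
        server = nxt
    return responses


if __name__ == "__main__":
    print(summarize(parse_whois(SAMPLE_RESPONSE)))
```

Name servers come back from the registry record even when every contact field is redacted, which is why the Whois step still feeds directly into the DNS footprinting that follows.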

63
Q

what does DNS zone data include?

what can you do with this info?

A

DNS zone data includes domain names, computer names, IP addresses, domain mail servers, service records, and much more about a target network.

you can determine key hosts connected in the network and perform social engineering attacks to gather even more information.

64
Q

what is DNS

A

DNS is considered the intermediary source for any Internet communication. The primary function of DNS is to translate a domain name to an IP address and vice versa to enable human-machine-network-Internet communications.

65
Q

what is nslookup and what is it used for?

A

nslookup is a network administration command-line utility, generally used for querying the DNS to obtain a domain name or IP address mapping or for any other specific DNS record.

66
Q

nslookup

what do you get and what does it mean?

A

Server: dns.google and Address: 8.8.8.8

This shows which server answered the query: the default resolver configured on the local Windows 10 machine, here Google Public DNS (8.8.8.8), not a server running on the machine itself.

Because that resolver answers from its cache rather than being the server that hosts the zone for www.certifiedhacker.com, nslookup labels the reply Non-authoritative answer. Here, the IP address of the target domain www.certifiedhacker.com is 162.241.216.11.

67
Q

what must you do if the result returned is non authoriative

A

Obtain the domain’s authoritative name server and query it directly (in nslookup: server ns1.bluehost.com, then the domain name again).

68
Q

what does typing set type=cname followed by the website’s domain do?

A

set type=cname tells nslookup to request CNAME records; typing the domain afterwards sends that query to the server nslookup is currently using (still the default resolver unless you changed it with server).

In the lab the domain has no CNAME record, so nslookup prints the SOA record from the authority section instead. That reveals the domain’s primary (authoritative) name server, ns1.bluehost.com, and the zone’s responsible-person mailbox, dnsadmin.box5331.bluehost.com (read as dnsadmin@box5331.bluehost.com). The latter is an administrative contact address, not a mail server.

69
Q

what can you do now that you have the domains authoritative name through the command

set type=a
ns1.bluehost.com

A

It returns the IP address of the authoritative name server.

Once its IP address is known, that server itself becomes a target: an attacker could aim DoS/DDoS at it or attempt DNS-based URL redirection against the domain it serves.
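Added example (not part of the lab): a Python DNS client built from struct, so the AA flag behind the “Non-authoritative answer” label in the nslookup cards above is visible. build_query produces the wire-format question, parse_response decodes the header flags and the records (including name-compression pointers), and build_response synthesizes a reply so the parser can be exercised offline: the same query answered by a recursive resolver (AA clear) and by the zone’s own server (AA set). The name www.certifiedhacker.com and the address 162.241.216.11 come from the cards; the transaction id, TTL and function names are assumptions of the example. resolve sends a real UDP query to 8.8.8.8 (network required) and checks that the reply’s transaction id matches the query, which is the minimum defense against a spoofed answer.

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end = [], None
    for _ in range(128):              # bound the loop so a pointer cycle cannot hang the parser
        length = data[offset]
        if length & 0xC0 == 0xC0:     # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_query(name, qtype="A", txid=0x1234, recursion_desired=True):
    header = struct.pack("!HHHHHH", txid, FLAG_RD if recursion_desired else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_response(data):
    """Header flags plus every record in the answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4                   # skip qtype/qclass
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype in (2, 5):         # NS / CNAME: a name
            value = decode_name(data, offset)[0]
        elif rtype == 6:              # SOA: primary name server and responsible mailbox
            mname, after = decode_name(data, offset)
            value = "%s %s" % (mname, decode_name(data, after)[0])
        else:
            value = rdata.hex()
        records.append((name, rtype, ttl, value))
        offset += rdlen
    return {"id": txid, "authoritative": bool(flags & FLAG_AA), "rcode": flags & 0xF,
            "answer_count": an, "records": records}


def build_response(query, address, ttl=300, authoritative=False):
    """Synthesize an A-record reply to `query`; used here to construct sample traffic offline."""
    txid, qflags = struct.unpack("!HH", query[:4])
    qend = decode_name(query, 12)[1] + 4
    flags = FLAG_QR | FLAG_RA | (qflags & FLAG_RD) | (FLAG_AA if authoritative else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(address)
    return header + query[12:qend] + answer


def resolve(name, server="8.8.8.8", qtype="A", timeout=3.0):
    """Send the query over UDP and parse the reply (network access required)."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch: possible spoofed reply")
    return parse_response(data)


if __name__ == "__main__":
    q = build_query("www.certifiedhacker.com")
    print("from resolver:", parse_response(build_response(q, "162.241.216.11")))
    print("from zone's server:", parse_response(build_response(q, "162.241.216.11", authoritative=True)))
```

Pointing resolve at the name server obtained in the cards above (server=ns1.bluehost.com) is the programmatic equivalent of nslookup’s server command: the reply then carries the AA bit and the “Non-authoritative answer” label disappears.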

70
Q

what other tools can you use for DNS lookup

A

You can also use DNS lookup tools such as Professional Toolset (https://tools.dnsstuff.com), DNS Records (https://network-tools.com), etc. to extract additional target DNS information.

71
Q

what is the DNS lookup for and what is the reverse DNS operation do?

A

DNS lookup is used for finding the IP addresses for a given domain name, and the reverse DNS operation is performed to obtain the domain name of a given IP address.

72
Q

Lab #8

A

Perform Network Footprinting

73
Q

what info is collected in the network footprinting stage

A

network range, traceroute, TTL values, etc. This information will help you to create a map of the target network and perform a man-in-the-middle attack.

74
Q

what does network range information assist in? What info will it give you? What will it identify

A

Network range information assists in creating a map of the target network. Using the network range, you can gather information about how the network is structured and which machines in the network are alive. Further, it helps to identify the network topology, the access-control devices (firewalls, routers), and the operating systems used in the target network.

75
Q

what tool do you use to find the network range?

A

ARIN Whois

https://www.arin.net/about/welcome/region

ARIN covers North America; for an address registered elsewhere, query the RIR for that region (RIPE NCC, APNIC, LACNIC, or AFRINIC). An ARIN lookup of an address outside its region returns a referral to the right RIR.

76
Q

what is the route

A

The route is the path that the network packet traverses between the source and destination.

77
Q

what is network tracerouting, what does it provide, what does it enable?

A

Network tracerouting is a process of identifying the path and hosts lying between the source and destination. Network tracerouting provides critical information such as the IP address of the hosts lying between the source and destination, which enables you to map the network topology of the organization.

78
Q

what info can traceroutes extract?

A

Traceroute can be used to extract information about network topology, trusted routers, firewall locations, etc.

79
Q

how do you perform a trace,

how do you visualize the options, how to limit the hops

A

In the Windows command prompt:
tracert www.website.com

tracert /? lists the available options.

tracert -h 5 www.website.com limits the trace to a maximum of 5 hops.

80
Q

how to perform a trace on linux

A

traceroute www.website.com

81
Q

what are other traceroute tools

A

VisualRoute (http://www.visualroute.com), Traceroute NG (https://www.solarwinds.com)

82
Q

what information is collected using footprinting tools

A

Information collected by footprinting tools includes the target’s IP location information, routing information, business information, address, phone number and social security number, details about the source of an email and a file, DNS information, domain information, etc.

83
Q

how can you view all the commands that allow you to add/delete records to a database, query a database, etc.?

A

help

84
Q

how to install all the modules in recon-ng and how to display all the modules available

A

marketplace install all

modules search

85
Q

how to create a workspace?

A

workspaces create CEH

86
Q

how to display a list of workspaces?

A

workspaces list

87
Q

how to add a domain?

A

db insert domains, then at the domain (TEXT) prompt enter the target domain, e.g. website.com

88
Q

what does show domains command do

A

view the added domains

89
Q

how to view modules related to brute forcing

A

modules search brute lists every installed module whose path contains “brute”.

In the lab, modules load brute is typed instead; because several modules match, recon-ng does not load one but prints the list of matching modules.

90
Q

how to load the recon/domains-hosts/brute_hosts module,

A

type modules load recon/domains-hosts/brute_hosts, then type run (the module takes the domains already stored in the workspace as its SOURCE).

91
Q

what is maltego, what does it provide, what is unique about it?

A

Maltego is a footprinting tool used to gather maximum information for the purpose of ethical hacking, computer forensics, and pentesting. It provides a library of transforms to discover data from open sources and visualizes that information in a graph format, suitable for link analysis and data mining. Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate, and even making it possible to see hidden connections.

92
Q

what is OSRFramework, what does it do?

A

OSRFramework is a set of libraries used to perform Open Source Intelligence tasks. They include references to many different applications related to username checking, DNS lookups, information-leak research, deep web search, regular-expression extraction, and many others. It also provides a way of making these queries graphically as well as several interfaces to interact with, such as OSRFConsole or a web interface.

93
Q

how to check for the existence of a profile given user details on different social networking platforms

A

usufy.py

94
Q

usufy.py Mark Zuckerberg -p twitter facebook youtube

A

The usufy.py will search the user details in the mentioned platforms and will provide you with the existence of the user, as shown in the screenshot

95
Q

Type domainfy.py -n [Domain Name] -t all

A

tool will retrieve all the domains related to the target domain.

96
Q

searchfy.py

A
Gathers information about the users on social networking pages.
97
Q

mailfy.py

A

Gathers information about email accounts

98
Q

phonefy.py

A

Checks for the existence of a given series of phone numbers.

99
Q

entify.py

A

Extracts entities using regular expressions from provided URLs

100
Q

what is Billcipher, what info can you get

A

BillCipher is an information gathering tool for a Website or IP address. Using this tool, you can gather information such as DNS Lookup, Whois lookup, GeoIP Lookup, Subnet Lookup, Port Scanner, Page Links, Zone Transfer, HTTP Header, etc.

101
Q

what other footprinting tools can you use

A

Recon-Dog (https://www.github.com), Th3Inspector (https://github.com), Raccoon (https://github.com), Orb (https://github.com)

102
Q

what is OSINT Framework, what does it do, and what does it focus on?

A

OSINT Framework is an open source intelligence gathering framework that helps security professionals for performing automated footprinting and reconnaissance, OSINT research, and intelligence gathering. It is focused on gathering information from free tools or resources. This framework includes a simple web interface that lists various OSINT tools arranged by category and is shown as an OSINT tree structure on the web interface.

103
Q

what are OSINT indicators

A

(T) - Indicates a link to a tool that must be installed and run locally
(D) - Google Dork
(R) - Requires registration
(M) - Indicates a URL that contains the search term and the URL itself must be edited manually

104
Q

what is Namechk

A

Namechk is used to see if your desired username or vanity URL is still available at dozens of popular social networking and social bookmarking websites. You can also find the best username with Namechk.

105
Q

what is the domain dossier tool for?

A

The Domain Dossier tool generates reports from public records about domain names and IP addresses to help solve problems, investigate cybercrime, or just to better understand how things are set up.