MOD2: Footprinting and Recon Flashcards
Information obtained in footprinting.
- Organizational info -> e.g. employee details (the most important)
- Network info -> DNS, IP addresses, etc.
- System info -> users and passwords, OS, location of web servers
Footprinting using Google Hacking techniques:
What type of information does [cache:] provide?
Displays the web pages stored in the Google cache.
Footprinting using Google Hacking techniques:
What type of information does [link:] provide?
Lists web pages that have links to the specified web pages.
Footprinting using Google Hacking techniques:
What type of information does [related:] provide?
Lists web pages that are similar to the specified web pages.
Footprinting using Google Hacking techniques:
What type of information does [info:] provide?
Presents some information that Google has about a particular web page.
Footprinting using Google Hacking techniques:
What type of information does [site:] provide?
Restricts the results to those websites in the given domain.
Footprinting using Google Hacking techniques:
What type of information does [intitle:] provide?
Restricts the results to documents containing the search keyword in the title.
Footprinting using Google Hacking techniques:
What type of information does [allintitle:] provide?
Restricts the results to those websites containing all the search keywords in the title.
Footprinting using Google Hacking techniques:
What type of information does [allinurl:] provide?
Restricts the results to those containing all the search keywords in the URL.
Footprinting using Google Hacking techniques:
What type of information does [inurl:] provide?
Restricts the results to documents containing the search keyword in the URL.
Footprinting using Google Hacking techniques:
What type of information does [location:] provide?
Finds information for a specific location.
You can do Google search queries for VoIP and VPN footprinting.
True / False.
True.
You can check out Google Dork, which provides predefined search queries and a description of each.
Name 1 meta search engine that uses other search engines (Google, Bing, etc.) to produce its own results from the internet.
“Startpage” or “Metager”.
What is a FTP (File Transfer Protocol) search engine?
A global file search engine that lets you search images, videos, music, folders, disc images, compressed files, and regular files.
People today still use FTP search engines to send and receive files; however, FTP is not as secure as today's security products.
What information can you find at Netcraft.com?
Top level domains (TLD) and sub-domains.
What 2 tools are useful to enumerate on LinkedIn to find employees of target companies along with their job titles?
“theHarvester” and “Email Spider”.
What is an example of a whaling attack?
Going after an executive.
FYI: Attackers can go through Google to find financial services details for the target company.
What is the Deep Web?
It consists of web pages and contents that ARE HIDDEN and UNINDEXED and cannot be located using traditional web browsers and search engines.
It can be accessed by the Tor Browser and the WWW Virtual Library.
What is the Darknet?
It is a subset of the deep web that enables ANYONE to navigate ANONYMOUSLY without being traced.
It can be accessed by browsers like Tor Browser, Freenet, GNUnet, I2P, and Retroshare.
What kind of information can attackers find on the deep and dark net?
They can use searching tools such as Tor Browser and ExoneraTor to gather confidential information about the target.
This includes: Social Security Numbers (SSNs), credit card details, passport information, identification card details, medical records, social media accounts, etc.
Name 2 sites that help determine the OS by finding connected devices (such as routers, servers, IoT, etc).
“SHODAN” and “Censys”.
What is competitive intelligence gathering?
Gathering information about your competitor.
This is passive information gathering.
Competitive Intelligence Gathering: what are some information resource sites for determining how a company began/developed?
- EDGAR Database
- D & B Hoovers
- LexisNexis
- Business Wire
Competitive Intelligence Gathering: what are some information resource sites for determining what the company’s plans are?
- MarketWatch
- The Wall Street Transcript
- Alexa
- Euromonitor
Competitive Intelligence Gathering: what are some information resource sites for determining what experts say about the company?
- SEMRush
- AttentionMeter
- ABI/INFORM Global
- SimilarWeb
What tool is used to search a vast number of social networking sites for a target username?
Sherlock.
What is the benefit of web mirroring (using a tool like HTTrack, Web Site Copier, NCollector Studio) for attackers?
Any of these tools can be used to download a copy of the website to a local directory, recursively building all directories, HTML, images, Flash, videos, and other files from the server onto your computer.
What is the benefit of using archive.org for attackers?
They can see how a website has evolved over time, and sometimes even find comments in the source code that help gather more information, especially using the Wayback Machine.
It can also help to determine internal and external links.
What tool is used by attackers to gather a list of words from the target website?
CeWL.
This tool helps attackers gather a list of words available on the target website to brute-force the email addresses gathered through search engines, social networking sites, web spidering, etc.
ex. cewl www.certifiedhacker.com
What tool is used to extract metadata of public documents?
Tool: Metagoofil (this tool extracts metadata of public documents such as pdf, doc, xls, ppt, docx, pptx, xlsx, etc)
Another tool: Exiftool
Attackers use this to gather useful information that resides on the organization's website in the form of PDF documents, Microsoft Word files, etc.
What are other techniques for website footprinting?
- monitor web pages for updates/changes (Tool example: WebSite-Watcher, VisualPing)
- search for contact info, email addresses, telephone numbers from company websites
- search for web pages posting patterns / revision numbers
- monitor website traffic of target company (Tool example: Web-Stat, Alexa, Monitis)
What type of information can email tracking tools provide?
Tools: eMailTrackerPro, Infoga, Mailtrack, PoliteMail
They allow the attacker to track an email and extract information such as: sender identity, mail server, sender's IP address, location, OS details, and geolocation.
eMailTrackerPro analyses email headers and reveals information such as sender’s geographic location and IP address.
Who maintains the Whois databases?
Regional Internet Registries.
What information do the Whois databases contain?
Personal information of domain owners. This includes:
- domain name details
- contact details of domain owners
- domain name servers
- NetRange
- when a domain was created
- expiry records
- last updated record
FYI: running "whois" on an IP range will give information specific to that range.
List the Regional Internet Registries (RIRs).
- AFRINIC: Africa, portions of the Indian Ocean.
- APNIC: Portions of Asia, portions of Oceania.
- ARIN: Canada, many Caribbean and North Atlantic islands, and the United States.
- LACNIC: Latin America, portions of the Caribbean.
- RIPE NCC: Europe, the Middle East, Central Asia.
How does information obtained from the Whois database assist an attacker?
- gathering personal information that assists in social engineering
- creating a map of the target organization's network
- obtaining internal details of the target network
Why do attackers perform a reverse DNS lookup on IP ranges?
To locate a DNS PTR record.
fyi - PTR (pointer record) provides the domain name associated with an IP address.
Tools: DNSRecon
Attackers can also find other domains that share the same web server.
Tools: Reverse IP Domain Checker
What is the benefit of locating a network range of a target?
It can help in creating a map of the target network.
Attackers can use:
- the ARIN whois database search tool to find the range of IP addresses.
RIRs can provide information such as the range of IP addresses and the subnet masks used by the target organization.
What program works on the concept of the ICMP protocol and uses the TTL field in the header of ICMP packets to discover the routers on the path to a target host?
hint: tool to be used for network footprinting.
Traceroute.
This tool can be used to extract information about network topology, trusted routers, firewall locations, etc.
What tool is used to determine the relationships and real-world links between people, groups of people, organizations, websites, internet infrastructure, documents, etc.?
Maltego.
What tool is used as a web reconnaissance framework with independent modules and database interaction, which provides an environment in which open-source, web-based recon can be conducted?
Recon-ng.
What tool is used to find metadata and hidden information in the documents it scans?
FOCA (Fingerprinting Organizations with Collected Archives).
Which footprinting tool includes applications related to username checking, DNS lookups, information leak research, deep web search, regular expression extraction, etc.?
OSRFramework
If using theHarvester, what does this command line do?
theHarvester -d microsoft.com -l 200 -b baidu
- -d specifies the domain or company name to search
- -l specifies the number of results to be retrieved
- -b specifies the data source
What type of request is sent during a ping request?
The ping command sends an ICMP echo request to the target host and waits for an ICMP response.
What does "Packet needs to be fragmented but DF set" mean?
ping www.certifiedhacker.com -f -l 1500
Pinging certifiedhacker.com [0.0.0.0] with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Ping statistics for 0.0.0.0
Packets: Sent = 4 , Received = 0, Lost = 4 (100% loss)
It means that the frame is too large to be sent on the network and needs to be fragmented.
The packet was not sent because we used the -f (don't fragment) switch with the ping command, so the ping command returned this error.
What does it mean if TTL reaches 0?
The router discards the packet. This mechanism prevents the loss of packets.
What does "0.0.0.0: TTL expired in transit" mean?
It means that the router discarded the frame because its TTL expired (reached 0).
What does -n mean in the command below?
ping www.certifiedhacker.com -n 1
-n specifies the number of echo requests to be sent to the target.
How can you find the hop count on the target?
Find the hop count by trying different TTL values until the target domain is reached.
What is the primary function of DNS?
To translate a domain name to an IP address and vice versa, enabling human-machine-network-internet communication.
What is DNS PTR?
A DNS pointer record (PTR for short) provides the domain name associated with an IP address. A DNS PTR record is exactly the opposite of the ‘A’ record, which provides the IP address associated with a domain name. DNS PTR records are used in reverse DNS lookups.
When using nslookup, you receive a “non-authoritative answer”. What does that mean?
ex.
nslookup
> set type=a
www.certifiedhacker.com
Non-authoritative answer:
Name: certifiedhacker.com
Address: 0.0.0.0
Aliases: www.certifiedhacker.com
Thus, if the response comes from your local machine's DNS server (Google) and not from the server that legitimately hosts the domain www.certifiedhacker.com, it is considered a NON-authoritative answer.
So, if an attacker can determine the authoritative name server (primary name server) and obtain its associated IP address, he/she might attempt to exploit the server to perform attacks such as DoS, DDoS, URL Redirection, etc.