Module 2 - Footprinting & Reconnaissance Flashcards

1
Q

What is Footprinting?

A

Footprinting is the process of gathering information and creating a map of a target - its computer system and network.

This can be employee information, contact info, IP addresses, net blocks, technologies used, physical location and more.

2
Q

What is the difference between passive and active footprinting?

A

Generally speaking, passive vs. active footprinting is distinguished by whether or not you directly probe or interact with the target.

Passive footprinting collects information without sending the target's own systems any traffic beyond what an ordinary user would: OSINT sources, search engines, WHOIS and DNS data held by third parties, archived pages, social media and job postings. Active footprinting interacts with the target directly (queries against its name servers, zone transfer attempts, ping sweeps, traceroute, banner grabbing), so it can be logged and detected, carries more risk, and normally requires explicit authorization.

3
Q

What are some examples of information that is targeted during the footprinting phase?

A
  1. Organizational Info: employee details, job titles, phone numbers, emails, location
  2. Network Information: domains, subdomains, network blocks, IP ranges to scan, WHOIS / DNS records.
  3. System Information: web server OS, location of web servers, publicly available emails, usernames, passwords
4
Q

What is footprinting through search engines? And what are some examples of footprinting with search engines?

A

You can use Google Hacking (also called Google Dorking): Google's advanced search operators (site:, intitle:, inurl:, filetype: and others) are combined to surface pages and files the target never meant to be found. Ready-made queries are collected in the Google Hacking Database (GHDB).

Examples include:

  • intitle:"index of"

Finds open directory listings; the listing footer often shows the web server software and version, and the listed files may include backups or configuration files.

  • intitle:login site:eccouncil.org

Finds any page under the parent site that contains a login page (note there is no space after site:).

  • VPN footprinting

Searching for the login pages of common VPN appliances, restricted with site: to the target's domains, reveals which remote-access gateways the organization exposes.

5
Q

What is the difference between a TLD and a subdomain? How does DNS hierarchy work?

A

A TLD, or top-level domain, is the last label of a domain name, such as .com, .org or .edu. TLDs are the highest level below the DNS root and categorize domains by type (generic TLDs) or by country (country-code TLDs such as .uk or .de).

A subdomain is a name under a larger domain and is written before it: in news.tesla.com, news is a subdomain of tesla.com.

Subdomains organize different sections or services of an organization's presence. For footprinting they matter because they frequently point at separate hosts (mail, vpn, dev, staging), each of which is a potential target.

In summary: the TLD is the main category of a domain name (like .com) while a subdomain is an extension of the main domain name used to organize different areas of a site or network.

The label directly below the TLD, such as "tesla" in tesla.com, is the Second-Level Domain (SLD). Some country-code TLDs insert a public suffix (co.uk, com.au), so the registrable name sits one label deeper (bbc.co.uk); subdomain-enumeration tooling has to account for this.

The complete name that identifies an exact node in the DNS hierarchy is the FULLY QUALIFIED DOMAIN NAME (FQDN): it includes the subdomain (if any), the SLD and the TLD. Both news.tesla.com and tesla.com are FQDNs. Strictly an FQDN ends with a trailing dot standing for the root (news.tesla.com.), which most tools let you omit.

6
Q

What is a URL and what are its components?

A

URL stands for Uniform Resource Locator and represents the exact address of a resource on the web. The components of a URL are:

  1. Protocol, or scheme (http or https)
  2. Domain (an FQDN, or an IP address), optionally followed by :port when the service is not on the scheme's default port (80 for http, 443 for https)
  3. Path (/path/to/resource): specifies the location of a page or resource on that host
  4. Query parameters (?key=value&key2=value2): provide additional information or instructions to the server
  5. Fragment (#section): interpreted by the browser only and never sent to the server

Example:
https://blog.tesla.com/mileage/2025

In this URL:
- https is the protocol, so the port is 443 by default
- blog.tesla.com is the FQDN, with '.com' as the TLD, 'tesla' as the SLD and 'blog' as the subdomain
- /mileage/2025 is the path to the specific page within the domain
- there is no query string and no fragment

7
Q

What is a query parameter in the context of URLs, and what are some examples of parameters?

A

In a URL, query parameters are attached to the end of the URL, following the path, and come after a question mark (‘?’). They provide additional information to the server and are often used to filter or customize the content returned by a website.

They usually appear in key value pairs, separated by an equal sign (‘=’), and multiple parameters are separated by an ampersand (‘&’).

Examples:

SEARCH QUERY:
URL: https://www.tesla.com/search?q=safety
Query Parameter: q=safety
Purpose: This parameter specifies the search term (safety) to find relevant results.

SORT ORDER:
URL: https://www.amazon.com/products?sort=price_asc
Query Parameter: sort=price_asc
Purpose: This parameter specifies the sort order of products, here sorting by price in ascending order.

FILTER
URL: https://www.example.com/products?category=electronics&brand=sony
Query Parameters: category=electronics, brand=sony
Purpose: These parameters filter products to show only those in the “electronics” category and from the “Sony” brand.

Query parameters are never part of the path; they modify the request for the resource the path identifies. Parameter names (id, q, sort, page, category) are worth recording during footprinting because they describe what the application does and are the inputs later testing will exercise.
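The three cards above describe the pieces of a URL and of a domain name by example. The following script, an added example that is not part of the original flashcards, pulls those pieces apart with the standard library: protocol, FQDN, port, path, query parameters and fragment, then subdomain, SLD and TLD. The MULTI_LABEL_SUFFIXES set is a hand-made stand-in for the Public Suffix List (an assumption, so names under co.uk split correctly); everything else is plain urllib.

```python
"""Break a URL into the pieces named in the three cards above (protocol, FQDN,
path, query parameters) and split the FQDN into subdomain, SLD and TLD.

Added example, not code from the flashcards. MULTI_LABEL_SUFFIXES is a tiny
constructed stand-in for the Public Suffix List."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: a tiny constructed subset of the Public Suffix List so that names
# under co.uk and similar split correctly. Real tooling should load the full
# list from publicsuffix.org; any suffix not listed here is treated as one label.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def split_fqdn(host: str) -> dict:
    """Return {'subdomain', 'sld', 'tld'} for a host name.

    news.tesla.com -> subdomain 'news', sld 'tesla', tld 'com'
    tesla.com      -> subdomain ''   (a bare SLD.TLD is still an FQDN)
    A trailing dot (the DNS root) is accepted and removed."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified name: {host!r}")
    # A public suffix such as co.uk occupies two labels, so the SLD sits one deeper.
    tld_labels = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return {
        "subdomain": ".".join(labels[: -tld_labels - 1]),
        "sld": labels[-tld_labels - 1],
        "tld": ".".join(labels[-tld_labels:]),
    }


def parse_url(url: str) -> dict:
    """Decompose an http(s) URL into the components a footprinter records."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    try:
        ipaddress.ip_address(parts.hostname)
        name_parts = {"subdomain": "", "sld": "", "tld": ""}   # bare IP: nothing to split
    except ValueError:
        name_parts = split_fqdn(parts.hostname)
    return {
        "protocol": parts.scheme,
        "fqdn": parts.hostname,                       # already lower-cased by urlsplit
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": parts.path or "/",
        # parse_qs keeps repeated keys as lists: ?a=1&a=2 -> {'a': ['1', '2']}
        "query": parse_qs(parts.query, keep_blank_values=True),
        "fragment": parts.fragment,                   # never sent to the server
        **name_parts,
    }


if __name__ == "__main__":
    for u in ("https://blog.tesla.com/mileage/2025",
              "https://www.example.com/products?category=electronics&brand=sony#top"):
        for k, v in parse_url(u).items():
            print(f"{k:10} {v}")
        print()
```

Run it as a script to see both example URLs decomposed; the IP-address branch exists because split_fqdn would otherwise happily report "113" as the SLD of 203.0.113.10.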

8
Q

What are some tools that can be used to find a target’s TLD and subdomains?

A

Netcraft and Sublist3r are commonly used for reconnaissance and enumeration of domains and subdomains.

Netcraft is a service that provides tools and data about websites and servers, including hosting history, netblock ownership and server software. Its Site Report shows what a given site runs and who hosts it, and its DNS search (searchdns.netcraft.com) lists host names matching a pattern such as *.tesla.com, which is how you use it to discover subdomains. The TLD itself is visible in any name; the harder question is which other registered domains (other TLDs, brand variants) the organization owns, which WHOIS and Netcraft searches help answer.

Sublist3r is an open-source command-line tool specifically designed to discover subdomains. It queries search engines (Google, Bing, Yahoo, Baidu, Ask) and services such as VirusTotal, DNSdumpster, Netcraft and ThreatCrowd without touching the target, and can optionally brute-force names with its bundled subbrute module. Discovered subdomains are listed in its output and can be written to a file with -o.

9
Q

What is The Harvester?

A

theHarvester is an open-source reconnaissance tool.

It automates the collection of email addresses, employee names, subdomains, IP addresses and URLs for a target domain (-d) from the public data sources you select (-b): search engines, Shodan, certificate transparency logs, PGP key servers and others. Rather than crawling the target itself, it queries those third-party sources, so most of its work is passive.

You can harvest email lists with theHarvester, and supplement them with an email spider, to collect publicly available addresses and learn the organization's address format (first.last@, flast@), which makes guessing further addresses easy.

You can also do footprinting through job sites. A network administrator posting that asks for experience with particular firewall, directory or virtualization products tells you what the target runs; this helps fingerprint the target's IT infrastructure without sending it a single packet.

10
Q

What are some people search tools?

A

Spokeo
Intelius
BeenVerified
PeekYou
Whitepages

These are commercial information services offering people and property search, background checks and reverse phone lookup, and they index people and their profiles and links across the web. Results such as home addresses, phone numbers, relatives and employment history feed social engineering pretexts and password guessing.

11
Q

What is the deep web/dark web?

A

The deep web is everything a standard search engine does not index: pages behind logins, database-driven content, paywalled and unlinked material. It is reachable with an ordinary browser if you know the address or hold credentials.

The dark web is a subset of it that lives on overlay networks, most commonly Tor. Tor hidden services use .onion addresses; .onion is a special-use name reserved for Tor (RFC 7686), not a TLD in the public DNS, so an ordinary browser cannot resolve it. Such addresses are resolved inside the Tor network, and the services are reached only through the Tor Browser or another Tor-enabled client.

In summary, the clear web and the dark web differ in network path (direct connection vs. a Tor circuit), in name resolution (DNS vs. .onion resolution inside Tor) and in the client software needed.

Dark web addresses are unindexed and not locatable with conventional search; you need the specific software, and usually a known address or a dark web directory, to reach those resources.

12
Q

What is dark web fingerprinting?

A

Fingerprinting on the dark web means gathering and analyzing information about a target organization or its personnel from dark web sources. Breached credentials, including usernames and passwords of company staff, are frequently traded or dumped there. Sites like Have I Been Pwned report whether an email address appeared in a known breach and which breach it was (not the password itself). Starting from that list you can search dark web dump sites and marketplaces for the corresponding credential sets and for any other leaked company documents. During an engagement, handle recovered credentials only within the agreed scope and rules of engagement.

13
Q

What is a WHOIS record, and what is WHOis footprinting?

A

A WHOIS record is a publicly available registration record. Two kinds matter in footprinting:

  • Domain WHOIS, held by the registry and the registrar, lists who registered a domain name, through which registrar, when it was created and when it expires, and which name servers serve it.
  • IP WHOIS, held by the five regional internet registries (ARIN for North America, RIPE NCC for Europe and the Middle East, APNIC, LACNIC and AFRINIC), lists which organization has been assigned a public net block. Public net blocks are routable and globally unique, so the record maps a range of internet addresses to an owner and its technical and abuse contacts.

WHOIS footprinting is querying these records (the whois command, web lookup services, the RIR portals) to enumerate the domains and address ranges an organization owns and the people responsible for them. Many registrars now redact personal contact details for privacy reasons, so expect REDACTED FOR PRIVACY fields; the technical fields that remain, and historical WHOIS services, are still useful.

14
Q

What kind of information is available in a WHOIS record?

A
  • Owner
  • Date of registration
  • Registrar (company that issued the domain like Godaddy, Namecheap)
  • Dates: when domain was created, for what period, when it expires
  • Contact info: contact info for relevant technical/billing/admin contacts
  • Name server: info about the servers that direct traffic to the site
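The fields above arrive as plain text from `whois`, which is fine to read but awkward to feed into a recon workflow. The following parser is an added example, not from the page: it turns a 'Key: Value' WHOIS answer into a dictionary and extracts what a footprinter checks first (name servers, expiry runway, which contacts are redacted). SAMPLE_WHOIS is a constructed record in the layout most gTLD registrars print; the domain, registrar and name server names in it are made up, and SAMPLE_NOW is a fixed date so the expiry arithmetic is reproducible.

```python
"""Parse the text a domain WHOIS lookup returns into the fields listed above and
flag what a footprinter checks first: name servers, expiry runway and
privacy-redacted contacts.

Added example, not from the page. SAMPLE_WHOIS is a constructed record in the
'Key: Value' layout that `whois example.com` prints for most gTLD registrars;
real output varies by registrar and by TLD (some ccTLD registries use a
different layout entirely)."""
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-02T14:11:08Z
Updated Date: 2024-02-20T09:30:00Z
Registry Expiry Date: 2025-03-02T14:11:08Z
Registrant Organization: Example Target Ltd
Registrant Email: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
Tech Email: hostmaster@example-target.com
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-06-01T00:00:00Z <<<
"""

DATE_FIELDS = ("Creation Date", "Updated Date", "Registry Expiry Date")
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed 'today' for the sample


def parse_whois(text: str) -> dict:
    """Turn 'Key: Value' lines into a dict; repeated keys (Name Server) become lists."""
    record: dict = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue                       # registrar notice, blank or free-text lines
        key, value = (part.strip() for part in line.split(":", 1))
        if key in DATE_FIELDS:
            value = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if key in record:                  # second occurrence: promote to a list
            prev = record[key]
            record[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            record[key] = value
    return record


def whois_findings(record: dict, now: datetime) -> dict:
    """Summarize the record from a reconnaissance point of view."""
    ns = record.get("Name Server", [])
    ns = ns if isinstance(ns, list) else [ns]
    strings = {k: v for k, v in record.items() if isinstance(v, str)}
    return {
        "registrar": record.get("Registrar"),
        "registrant_org": record.get("Registrant Organization"),
        "name_servers": [n.lower() for n in ns],
        "created": record["Creation Date"].date().isoformat(),
        "days_to_expiry": (record["Registry Expiry Date"] - now).days,
        # redacted contacts mean people data must come from elsewhere (LinkedIn, historical WHOIS)
        "redacted_fields": [k for k, v in strings.items() if "REDACTED" in v.upper()],
        "contact_emails": [v for k, v in strings.items() if k.endswith("Email") and "@" in v],
        "dnssec": record.get("DNSSEC"),
    }


def demo() -> dict:
    """Findings for the constructed sample, evaluated at SAMPLE_NOW."""
    return whois_findings(parse_whois(SAMPLE_WHOIS), SAMPLE_NOW)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The one surviving email address (the technical contact) and the name servers are the leads here: the former is a real mailbox at the target, the latter tell you whether DNS is self-hosted or outsourced.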
15
Q

What is footprinting through web services?

A

Footprinting through web services is the process of gathering information on a target using publicly accessible online tools and websites. Examples include:

  • People search services (Spokeo, PeekYou and similar) for employee details
  • Netcraft and Shodan, which reveal the technology a target runs and what it exposes to the internet
  • WHOIS and DNS lookup sites, archive services such as the Wayback Machine, and social media and job sites

16
Q

What are some examples of web-based resources and services that can be used to find information about a target?

A
  1. Domain information: use WHOIS (the whois command-line utility or a web lookup service) to find ownership records for domain names, including the registrant, the registration date, technical and admin contacts, name servers and the expiry date.
  2. Social media: use sites like Facebook and LinkedIn to find information about current employees and also job postings that disclose the technologies the company uses (e.g. a system administrator posting will list the products the candidate should have experience with).
  3. People search services: use services like Spokeo and PeekYou to find personal information about key employees, such as home address, phone number, email, property records, legal and criminal records, relatives and more.
  4. Website analysis tools: Netcraft and Shodan report the technologies, hosting and exposed services of a target and its public IP space.
  5. Archived pages: look at older versions of a website through the Wayback Machine (web.archive.org) to find removed pages, old employee lists or technology details that have since been taken down.
17
Q

What is SHODAN?

A

Shodan is a search engine specifically designed for finding internet-connected devices and systems. Unlike traditional search engines like Google that index web pages, Shodan continuously scans the internet for devices and services that are directly reachable and indexes what it finds. You search its index rather than triggering a scan, so Shodan queries are passive with respect to the target.

What Shodan does:

  1. Scans for devices
    Shodan searches for devices and systems exposed to the internet, such as servers, routers, webcams, industrial control systems and more.
  2. Collects information
    It gathers details about these devices, including IP addresses, open ports, software versions and service banners (which can include the device's operating system or software), plus TLS certificates and geolocation.
  3. Searches by criteria
    You can search Shodan with filters such as org:, hostname:, net:, port:, country: and product: to find devices by organization, host name, network block, service, location or software, and by the vulnerabilities Shodan associates with a banner.
18
Q

What is netcraft?

A

Netcraft is a cybersecurity company whose Site Report tool summarises what a given website runs: the hosting provider and netblock owner, the hosting history (IP address and hosting company changes over time), the web server software and web technologies detected, and details of the site's TLS certificate and configuration as an indication of its general security posture.

19
Q

What are Sublist3r and theHarvester?

A

Sublist3r is a command-line tool that enumerates the subdomains of a given domain by querying search engines and public DNS data services.

theHarvester is a broader information gathering tool that collects IP addresses, email addresses, names, subdomains and other publicly available information about a target from sources such as Google, Bing, Shodan, certificate transparency logs, LinkedIn and PGP key servers.
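Card 8 and this card both describe tools that collect subdomains from public sources. The script below, an added example rather than code from Sublist3r or theHarvester, implements one of the passive sources both tools consult: certificate transparency logs, where every certificate issued for a domain lists the host names it covers. SAMPLE_CRTSH_JSON is a constructed sample in the shape crt.sh returns ("name_value" holds newline-separated names); the crt.sh URL in the docstring and the example.com names are assumptions for illustration.

```python
"""Collect a target's subdomains from a certificate-transparency (CT) log dump.

Added example, not code from Sublist3r or theHarvester: it implements one of the
passive sources those tools query. SAMPLE_CRTSH_JSON is a constructed sample in the
shape crt.sh serves ("name_value" holds one or more newline-separated names); a
live run would fetch https://crt.sh/?q=%25.example.com&output=json (URL and domain
are assumptions, not from the page)."""
import json
from collections import defaultdict

SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "vpn.example.com", "name_value": "VPN.example.com\nmail.example.com"},
    {"common_name": "dev.api.example.com", "name_value": "dev.api.example.com"},
    {"common_name": "examplecdn.com", "name_value": "examplecdn.com"},
    {"common_name": "notexample.com", "name_value": "www.notexample.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com."},
])


def subdomains_from_ct(raw_json: str, root: str) -> list[str]:
    """Return sorted, de-duplicated host names under `root` seen in the dump.

    Wildcard entries (*.example.com) are dropped: they prove a wildcard cert was
    issued, not that any particular host exists. Names are lower-cased and a
    trailing dot is removed so duplicates collapse; the root itself and look-alike
    domains (notexample.com, examplecdn.com) fail the '.root' suffix check."""
    root = root.lower().rstrip(".")
    found = set()
    for entry in json.loads(raw_json):
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in names:
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*.") or not name.endswith("." + root):
                continue
            found.add(name)
    return sorted(found)


def group_by_parent(subdomains: list[str], root: str) -> dict[str, list[str]]:
    """Group names under their first-level parent (dev.api.example.com under
    api.example.com). A parent that never appeared on a certificate itself is a
    lead for further enumeration: the CT log only shows what was certified."""
    groups = defaultdict(list)
    for name in subdomains:
        labels = name[: -len(root) - 1].split(".")   # labels left of the root
        groups[labels[-1] + "." + root].append(name)
    return dict(groups)


if __name__ == "__main__":
    subs = subdomains_from_ct(SAMPLE_CRTSH_JSON, "example.com")
    print(f"{len(subs)} subdomains:", *subs, sep="\n  ")
    print(group_by_parent(subs, "example.com"))
```

Names found this way have not been resolved: a host can appear on a certificate and no longer exist, so the list is input for DNS footprinting (next cards), not a result.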

20
Q

What are some other ways to perform website footprinting?

A
  • The ping command-line utility: resolves the site name, shows which IP address answers, and reports round-trip time and the reply's TTL, which hints at the host's operating system (common initial TTLs are 64 for Linux and 128 for Windows). No reply does not mean the host is down: ICMP is frequently filtered at the edge.
  • The site itself: HTTP response headers (Server, X-Powered-By), the HTML source and its comments, robots.txt and sitemap.xml, and error pages all disclose technologies and hidden paths.
21
Q

What are some ways to do DNS footprinting, specifically from the command line?

A
  • dig (domain information groper) queries DNS records for a given domain: A/AAAA for addresses, MX for mail servers, NS for name servers, TXT (SPF, DMARC) and CNAME. dig +noall +answer example.com MX keeps only the answer section, and dig -x 203.0.113.10 does a reverse (PTR) lookup.
  • nslookup is similar and is another tool to query DNS and find the IP for a name or vice versa (nslookup -type=mx example.com).
  • DNSRecon is also a command-line tool; it automates standard record enumeration for a domain (-d), reverse lookups over an address range (-r), zone transfer attempts and subdomain brute forcing. Reverse lookups over a net block reveal other host names, and therefore other websites, on the same servers.

Outside the command line:

SecurityTrails (a web service with an API) provides a domain's subdomains, current DNS records and historical DNS data, giving a comprehensive view of a target's web infrastructure and how it has changed over time.

Caveat: record lookups reach the target's authoritative name servers (or your resolver's cache), so they are low-noise but not invisible; zone transfer attempts and brute forcing are clearly active.
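The dig output described above is what most recon pipelines actually consume, so here is a parser for it. This is an added example, not from the page: it reads `dig +noall +answer` lines (constructed sample output below, using RFC 5737 documentation addresses and made-up names) into structured records and derives the follow-up targets a footprinter wants, including the extra IP ranges an SPF record discloses.

```python
"""Parse `dig +noall +answer` output (one record per line) into structured DNS
records and pull out the hosts a reconnaissance engagement would go after next.

Added example; SAMPLE_DIG is a constructed answer section, not real query output,
shaped as if produced by the commands in the comment below against a domain in scope."""
import re
from collections import defaultdict

# Constructed output, as if from (domain and addresses are assumptions):
#   dig +noall +answer example-target.com A MX NS TXT
#   dig +noall +answer -x 203.0.113.10
SAMPLE_DIG = """\
example-target.com.\t300\tIN\tA\t203.0.113.10
example-target.com.\t3600\tIN\tMX\t10 mail.example-target.com.
example-target.com.\t3600\tIN\tMX\t20 backup-mx.mailhost.example.
example-target.com.\t86400\tIN\tNS\tns1.example-dns.net.
example-target.com.\t86400\tIN\tNS\tns2.example-dns.net.
example-target.com.\t300\tIN\tTXT\t"v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all"
10.113.0.203.in-addr.arpa.\t3600\tIN\tPTR\twww.example-target.com.
"""

# NAME  TTL  CLASS  TYPE  RDATA   (rdata may contain spaces: MX preference, TXT strings)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+([A-Z]+)\s+(.*)$")


def parse_dig_answer(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue   # blank lines, or ';;' status lines when +noall was not given
        name, ttl, _cls, rtype, rdata = m.groups()
        rec = {"name": name.rstrip("."), "ttl": int(ttl), "type": rtype, "rdata": rdata}
        if rtype == "MX":                      # rdata is "<preference> <exchange>"
            pref, exchange = rdata.split(None, 1)
            rec["preference"], rec["rdata"] = int(pref), exchange.rstrip(".")
        elif rtype in ("NS", "CNAME", "PTR"):  # host names: drop the root dot
            rec["rdata"] = rdata.rstrip(".")
        elif rtype == "TXT":                   # dig quotes TXT strings
            rec["rdata"] = rdata.strip('"')
        records.append(rec)
    return records


def recon_hosts(records: list[dict]) -> dict:
    """Group by type and derive the follow-up target list: mail exchangers in
    preference order, authoritative name servers, reverse-mapped names, and any
    address ranges an SPF record publishes (a classic footprinting leak)."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r)
    spf_ranges = []
    for r in by_type["TXT"]:
        if r["rdata"].startswith("v=spf1"):
            spf_ranges += [tok[4:] for tok in r["rdata"].split() if tok.startswith("ip4:")]
    return {
        "a": [r["rdata"] for r in by_type["A"]],
        "mx": [r["rdata"] for r in sorted(by_type["MX"], key=lambda r: r["preference"])],
        "ns": sorted(r["rdata"] for r in by_type["NS"]),
        "ptr": {r["name"]: r["rdata"] for r in by_type["PTR"]},
        "spf_ip4_ranges": spf_ranges,
    }


if __name__ == "__main__":
    for k, v in recon_hosts(parse_dig_answer(SAMPLE_DIG)).items():
        print(f"{k:15} {v}")
```

Note how the MX and SPF records point at a third-party mail host (mailhost.example) while the SPF ip4: entry names the target's own /24: the first is out of scope for most engagements, the second is the net block to take into WHOIS and network footprinting.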

22
Q

What is network footprinting and how does traceroute work?

A
  • traceroute lists every router hop between your machine and a target host, showing how the target's network is reached

Network footprinting is mapping the target's address space and the path to it: which net blocks it owns, which providers connect it, and where its network edge and filtering devices sit. Traceroute is the basic tool for the path part. It is a network diagnostic tool that maps the route packets take from a source device to a destination; for ethical hackers it shows the structure of the target's perimeter, which helps locate entry points.

How traceroute works
Traceroute sends probes with progressively increasing Time-To-Live (TTL) values. TTL is a field in the IP header that counts how many routers the packet may pass through before being discarded; every router decrements it by one.

Step-by-step process:

1. The tool sends a probe to the destination with a TTL of 1.
2. The first router on the path decrements the TTL to 0, discards the probe, and sends back an ICMP Time Exceeded message whose source address is the router's own IP address.
3. Traceroute increments the TTL to 2 and sends another probe. The second router drops it when the TTL reaches 0 and sends back its own ICMP Time Exceeded message.
4. This continues, normally three probes per TTL, until a probe reaches the destination. The destination answers differently: with ICMP Port Unreachable for the UDP probes Linux traceroute sends by default, or with an ICMP Echo Reply for the ICMP probes Windows tracert uses (traceroute -I forces ICMP; traceroute -T sends TCP SYN probes, which pass firewalls that drop UDP and ICMP).

Output:

Traceroute prints one line per hop: the hop number, the router's host name and IP address, and the round-trip time of each probe.
If a hop does not answer, the line shows * * *. That means no ICMP message came back within the timeout: the device may be configured not to send Time Exceeded messages, a firewall may be filtering them, or the router may be rate-limiting ICMP. Hops beyond it can still appear, so one silent hop does not mean the path is blocked.

Why traceroute is useful to ethical hackers
Traceroute helps map the network layout and identify critical infrastructure components:

Network mapping:
The sequence of hops reveals the routers and address ranges traffic crosses. Reverse DNS names and WHOIS lookups on the hop addresses show which provider owns each segment and where the target's own network begins.

Identifying firewalls and filtering devices:
A hop that stops responding close to the destination, or a point after which nothing answers, usually marks a firewall or filtering device. Knowing where that boundary sits tells you where security controls are enforced.

Finding network latency and path changes:
A large jump in round-trip time between two hops typically indicates a long-haul link or a hand-off to another provider; the per-hop timings let you separate the target's network from the transit path.

Assessing multi-homed networks:
Organizations with several ISPs or load balancers show diverging paths across runs, or several different addresses at the same hop. Traceroute makes that redundancy visible, which matters when planning which path a test would take.
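The observations listed above (filtered hops, the network edge, latency jumps, divergent paths) can be read mechanically from a trace. The following script is an added example, not from the page: it parses Linux traceroute output into per-hop records and derives those observations. SAMPLE_TRACEROUTE is constructed output in traceroute's print format using RFC 5737 documentation addresses and a made-up target name, not a real trace.

```python
"""Parse Linux `traceroute` output into per-hop records and derive the
observations listed above: filtered hops, the likely network edge, latency
jumps and hops where the path diverges.

Added example; SAMPLE_TRACEROUTE is constructed output using documentation
address ranges (RFC 5737), laid out the way traceroute prints it, not a real trace."""
import re
from statistics import median

SAMPLE_TRACEROUTE = """\
traceroute to example-target.com (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.123 ms  0.987 ms  1.045 ms
 2  10.20.0.1 (10.20.0.1)  8.512 ms  8.301 ms  8.877 ms
 3  * * *
 4  198.51.100.7 (198.51.100.7)  21.004 ms  198.51.100.8 (198.51.100.8)  20.876 ms  21.330 ms
 5  198.51.100.9 (198.51.100.9)  22.1 ms * 22.4 ms
 6  203.0.113.10 (203.0.113.10)  24.210 ms  24.005 ms  24.333 ms
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")   # "host (ip)" pairs
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_traceroute(text: str) -> dict:
    """Return {'target': ip, 'hops': [{'hop', 'addrs', 'rtts', 'lost'}, ...]}."""
    target, hops = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            target = h.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        body = m.group(2)
        addrs = []
        for host, ip in ADDR_RE.findall(body):
            if ip not in [a["ip"] for a in addrs]:        # one entry per distinct router
                addrs.append({"host": host, "ip": ip})
        hops.append({
            "hop": int(m.group(1)),
            "addrs": addrs,
            "rtts": [float(x) for x in RTT_RE.findall(body)],
            "lost": body.count("*"),                       # probes that got no reply
        })
    return {"target": target, "hops": hops}


def analyze_path(trace: dict) -> dict:
    hops = trace["hops"]
    responding = [h for h in hops if h["rtts"]]
    jumps = [(cur["hop"], round(median(cur["rtts"]) - median(prev["rtts"]), 3))
             for prev, cur in zip(responding, responding[1:])]
    last = hops[-1] if hops else None
    reached = bool(last and any(a["ip"] == trace["target"] for a in last["addrs"]))
    return {
        "reached": reached,
        # * * * : nothing came back; a firewall, an ICMP-silent router, or rate limiting
        "filtered_hops": [h["hop"] for h in hops if not h["rtts"]],
        # some probes answered, some did not: usually ICMP rate limiting, not a block
        "partial_loss_hops": [h["hop"] for h in hops if h["rtts"] and h["lost"]],
        # several routers answered at the same TTL: load balancing / multi-homing
        "divergent_hops": [h["hop"] for h in hops if len(h["addrs"]) > 1],
        # largest increase in median RTT: long-haul link or provider hand-off
        "biggest_latency_jump": max(jumps, key=lambda j: j[1]) if jumps else None,
        # last router before the destination that answered: best guess for the network edge
        "edge_candidate": responding[-2]["addrs"][0]["ip"] if reached and len(responding) >= 2 else None,
    }


if __name__ == "__main__":
    trace = parse_traceroute(SAMPLE_TRACEROUTE)
    for h in trace["hops"]:
        ips = ", ".join(a["ip"] for a in h["addrs"]) or "* * *"
        print(f"{h['hop']:2}  {ips:30} {h['rtts']}")
    print(analyze_path(trace))
```

In the sample, hop 3 is silent but hops 4 to 6 still answer, so it is a non-reporting or filtered router rather than a block; the biggest latency jump is at hop 4, where the path hands off into the 198.51.100.0/24 segment; hop 4 shows two routers at the same TTL, the signature of a load-balanced path; and hop 5 is the last router before the destination, the first candidate for the target's edge.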

23
Q

What do each of the following tools accomplish?

Maltego
Recon-ng
OSRFramework
FOCA
BillCipher
OSINT Framework

A

Maltego: Maltego is a data visualization tool that maps relationships between entities like people, companies, and domains by gathering data from public sources and presenting it in an interactive graph, useful for OSINT investigations.

Recon-ng: Recon-ng is a web reconnaissance framework with modular tools for gathering information from public sources, like social media and domain registries, and storing results in a database for easy analysis.

OSRFramework: OSRFramework is a suite of OSINT tools that checks usernames, emails, domains, and other identifiers across multiple platforms, helping identify and track a target’s digital footprint.

FOCA: FOCA (Fingerprinting Organizations with Collected Archives) extracts metadata from documents like PDFs and Word files to reveal sensitive information about a target’s network and internal structure.

BillCipher: BillCipher is an information-gathering tool for websites and IP addresses that runs multiple reconnaissance tasks, like DNS lookups and port scans, to reveal infrastructure details about a target.

OSINT Framework: OSINT Framework is a collection of links to free tools and resources organized by category, helping researchers find the best sources for OSINT tasks like people search, domain analysis, and social media investigations.