Foot printing and Reconnaissance
Easily described as preparation of actual hacking. Collecting broad information about the target. Passive way is searching target over google or public records / news and active way is gathering information by interacting with the target directly like asking inquiry to the help desk
To collect network information, such as domain name, internal domain name, IP address or whether security solution like IDS or honeypot running, you can set up the plan depends on what kinds of network topology it has.
To collect system/ host information such as operating system or user / group name etc, you can connect this information to find vulnerabilities or social engineering targets.
To collect organization’s information like company’s history, employees or job openings, you can use this information for social engineering or spamming etc.
There’re lot of ways to learn these information by using search engine, google advanced search, social networking sites, corporate/organization’s websites(target website), email, whois and DNS.
- Google Advanced search : Google has web crawler which gives us lots of results when you search something on google, and if you use advanced search operators by typing some of keyword (cache: , link: , site: ..etc) it will give you specific results. For example, when you type “inurl:dbconn filetype:inc site:.com” on the google search bar.
which means finding files that have .inc file type and located on URL which are ended with .com and in that URL but it restricts the results to documents which contains dbconn on URL. -> and the google shows you dbconn.inc files which could have account information about database manager or database.
You can find more example on GHDB (http://www.hackersforcharity.org/ghdb/) and Exploit DB, google dorks (https://www.exploit-db.com/google-hacking-database/)
2. Whois Lookup : This is the database are maintained by Regional Internet Registries, which has information about domain. You can check domain name server or details via whois lookup. You can check out whois information on whois lookup website like (https://whois.icann.org/en / https://www.whois.net/default.aspx) or some tools like LanWhois, Tamos Smart whois etc
3. DNS information : By using Domain dossier, DNS lookup you can easily find DNS information about targets, which gives you the information about location and type of target’s server.
You can also type command on cmd window, nslookup [target address], also there’s record types for DNS information. If it’s mail server, the record type will be MX.
4. Traceroute : By using Traceroute command on cmd, you can find out the routers on the path to a target, this is the concept using ICMP protocol which has TTL field on the ICMP packet header.
5. Tools : Maltego