Footprinting/Reconn

Footprinting and Reconnaissance


Footprinting is easily described as the preparation phase of actual hacking: collecting broad information about the target. Passive footprinting means searching for the target on Google or in public records and news; active footprinting means gathering information by interacting with the target directly, for example by making an inquiry to the help desk.

Network information includes the domain name, internal domain names, IP addresses and whether a security solution such as an IDS or a honeypot is running; once you know what kind of network topology the target has, you can set up your plan accordingly.

System/host information, such as the operating system and user or group names, can be combined with the above to find vulnerabilities or social engineering targets.

Organization information, such as the company’s history, employees or job openings, can be used for social engineering, spamming and so on.

There are many ways to learn this information: search engines and Google advanced search, social networking sites, the corporate or organization’s website (the target website), email, whois and DNS.

1. Google Advanced search : Google’s web crawler returns a lot of results for an ordinary search, but advanced search operators (cache: , link: , site: , etc.) narrow them down to specific results. For example, type “inurl:dbconn filetype:inc site:.com” into the Google search bar.

This means: find files with the .inc file type located on URLs ending in .com, restricted to documents whose URL contains dbconn. Google then shows you dbconn.inc files, which could contain account information for the database or the database manager.

You can find more examples in the GHDB (http://www.hackersforcharity.org/ghdb/) and in Exploit DB’s Google Hacking Database of google dorks (https://www.exploit-db.com/google-hacking-database/).

2. Whois Lookup : This database is maintained by the Regional Internet Registries and holds information about domains. You can check a domain’s name servers and registration details via a whois lookup, either on a whois lookup website (https://whois.icann.org/en or https://www.whois.net/default.aspx) or with tools like LanWhois or Tamos SmartWhois.

3. DNS information : Using Domain Dossier or a DNS lookup, you can easily find DNS information about the target, which tells you the location and type of the target’s servers.

https://network-tools.webwiz.co.uk/dns-records.htm

You can also run nslookup [target address] from a cmd window. DNS information comes in several record types; a mail server, for example, is listed in an MX record.

4. Traceroute : With the traceroute command on cmd, you can find out which routers lie on the path to a target. The technique relies on ICMP and the TTL (time to live) field in the packet header.

5. Tools : Maltego 

Footprinting methodology details

To prepare for ethical hacking, footprinting and reconnaissance, you need to know how to gather information about the target. By following this methodology, you can see whether a company’s websites expose sensitive information and control which website details are made public, for example through robots.txt.

Search engine caches and internet archives like Google’s cache or archive.org

Browse the current website.
Besides caches or archives of the website, you can also get a lot of information by browsing the current website itself. With Burp Suite, Zaproxy, Paros Proxy, Website Informer, Firebug and similar tools, you can view the website’s response headers, which reveal the connection status, content type, accept-ranges, and the web server software and version in use.
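The header review just described, seen from the defender’s side, as an added example that is not part of the original post: the script parses a raw HTTP response, pulls out the status, Content-Type and Accept-Ranges values, and flags headers such as Server and X-Powered-By that disclose the software stack and its version. Both sample responses are constructed for the example, not captured from any real server.

```python
import re

# Constructed sample responses (not captured from any real server). The first
# discloses the server software and versions; the second comes from a server
# configured not to reveal them.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Accept-Ranges: bytes\r\n"
    "Connection: keep-alive\r\n"
    "\r\n<html><body>constructed page</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: webserver\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Connection: keep-alive\r\n"
    "\r\n<html><body>constructed page</body></html>"
)

# Headers that commonly identify the software stack to a footprinting step.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+(\.\d+)+")  # matches e.g. 2.4.29 or 7.2

def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercased header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status_code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers

def audit(raw):
    """Report status, content handling and stack disclosure; each finding is
    (header, value, leaks_version)."""
    status, headers = parse_response(raw)
    findings = [(name, headers[name], bool(VERSION_RE.search(headers[name])))
                for name in DISCLOSURE_HEADERS if name in headers]
    return {"status": status, "content_type": headers.get("content-type"),
            "accept_ranges": headers.get("accept-ranges"), "findings": findings}

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

Run it against a response captured from your own server to see exactly what a footprinting step would learn from the headers alone.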

You can also use a couple of other tools to collect website information such as employee names and email addresses by setting up automated searches in GSA Email Spider and Web Data Extractor.


Public and restricted websites, found by trial and error or by using a service like Netcraft
You can find general information by checking the target’s websites. View a page’s source code by right-clicking or pressing the [F12] key; it often reveals programmers’ comments, contact details and the script type in use.


Mirroring an entire website
Mirroring a website means copying all of the source code and resources from the target’s web server into a local directory. Once you have the mirrored site, you can analyze the website without sending actual or repetitive (potentially malicious-looking) requests to the real target server. Tools: HTTrack Web Site Copier, SurfOffline.


- Getting the OS information of the target: SHODAN, Netcraft
- Extra information like location: Google Maps, Wikimapia
- People search, SNS sites, blogs, email or contact information: AnyWho
- Financial service information: Google Finance, Yahoo
- Getting the company’s infrastructure details from job search sites like LinkedIn, Monster and Dice.