Footprinting

What is the difference between reconnaissance and footprinting?

  • Recon is more of an umbrella term for gathering information on targets

  • Footprinting is more of an effort to map out, at a high level what the target landscape looks like.

Types of information we try to gather during footprinting

  • High-level network architecture (types of routers or servers they are using)

  • Applications and websites

  • Physical security measures in place

  • Employee daily routines

What is anonymous footprinting?

  • Anonymous footprinting is when you try to hide the source of all the information gathering, so the activity cannot be traced back to you

What is pseudonymous footprinting?

  • Pseudonymous footprinting is when you make the information gathering appear to come from someone else, so that they take the blame for your actions.

What are the four main focuses and benefits of footprinting?

  1. Know the security posture

  2. Reduce the focus area

  3. Identify vulnerabilities

  4. Draw a network map

Active footprinting vs passive footprinting

  • Active footprinting requires the attacker to touch the device, network or resource

    • Methods include

      • Social Engineering

      • Human Interaction

      • Anything that requires the hacker to interact with the organization

  • Passive footprinting is all about gathering publicly accessible information without interacting with the target directly; the emphasis is on what is collected rather than how you go about getting it.

    • Methods include

      • Gathering of competitive intelligence (information gathered by a business entity about its competitors' customers, products, and marketing)

      • Using search engines

      • Perusing social media sites

      • Dumpster diving

      • Identifying network IP ranges

      • Using DNS records for information

What is social engineering?

  • Social Engineering boils down to convincing people to reveal sensitive information

Footprinting Methods and Tools

  • What is Google Hacking?

    • Google Hacking is the use of advanced search operators in a search string to find exposed files, pages and potentially vulnerable systems on the web

What is website footprinting?

  • Website footprinting is analyzing a website from afar and can show things like:

    • Software in use

    • OS

    • filenames

    • paths

    • contact details

  • Website footprinting tools

    • Burp Suite

    • Firebug

    • Website Informer

    • SpiderFoot

    • XProbe

    • P0f

    • Recon-ng

  • Web Mirroring is a method for footprinting where you copy a website directly to your system

    • Web Mirroring tools

      • HTTrack

      • Black Widow

      • WebRipper

      • Teleport Pro

      • GNU Wget

      • Backstreet Browser

      • WebCopier Pro

      • SurfOffline

What is email footprinting?

  • Email communication (message headers and tracking links) can reveal IP addresses and, from them, physical location information

  • Email footprinting tools

    • GetNotify

    • ContactMonkey

    • Yesware

    • Read Notify

    • WhoReadMe

    • MSGTAG

    • Trace Email

    • Zendio

What is DNS footprinting?

  • DNS Records provide a wealth of footprinting information for the ethical hacker

  • nslookup - provides a means to query DNS servers for information

  • nslookup can also provide a zone transfer, pulling every record from the DNS server. Here are instructions on how to do this

nslookup [-options] {hostname | [-server]}

  1. Enter nslookup at the command line.

  2. Type server <IP address>, using the IP address of the zone's SOA (primary) name server, and press Enter.

  3. Type set type=any and press Enter.

  4. Type ls -d domainname.com, where domainname.com is the name of the zone, and then press Enter.

  The transfer only succeeds if the server is configured to allow zone transfers to your address; a properly restricted server refuses the request, which is why this is one of the first things a defender checks on their own name servers.
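The nslookup steps above send an AXFR request, and a name server that logs queries records it as such. The following detector is an added example (not part of the original notes): it scans constructed BIND-style query-log lines, flags AXFR/IXFR requests from any client outside a hypothetical allowlist of secondary servers, and counts ANY queries from the same client as supporting evidence. The log layout, the addresses and the allowlist are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a BIND-style query-log layout; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
28-Mar-2024 10:00:01.100 client 198.51.100.2#41230 (example.com): query: example.com IN AXFR -T (203.0.113.10)
28-Mar-2024 10:00:02.200 client 192.0.2.77#53422 (example.com): query: www.example.com IN A -E (203.0.113.10)
28-Mar-2024 10:00:03.300 client 192.0.2.77#53423 (example.com): query: example.com IN AXFR -T (203.0.113.10)
28-Mar-2024 10:00:04.400 client 192.0.2.77#53424 (example.com): query: example.com IN ANY -E (203.0.113.10)
28-Mar-2024 10:00:05.500 client 198.51.100.2#41231 (example.com): query: example.com IN SOA -E (203.0.113.10)
"""

# Hypothetical allowlist: the only hosts that should ever pull a full copy of the zone (our secondaries).
AUTHORIZED_SECONDARIES = {"198.51.100.2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+ \S+: query: "
    r"(?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

def parse_line(line):
    """Return (timestamp, client_ip, query_name, query_type), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("name"), m.group("qtype")

def find_zone_transfer_attempts(log_text, authorized):
    """Flag AXFR/IXFR requests from clients outside the allowlist. An ANY query from the same
    client (what nslookup's 'set type=any' produces) is counted as supporting evidence."""
    findings = []
    any_queries = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, name, qtype = parsed
        if qtype == "ANY":
            any_queries[ip] += 1
        if qtype in ("AXFR", "IXFR") and ip not in authorized:
            findings.append({"ts": ts, "client": ip, "zone": name, "qtype": qtype})
    for finding in findings:
        finding["any_queries_from_client"] = any_queries[finding["client"]]
    return findings

if __name__ == "__main__":
    for finding in find_zone_transfer_attempts(SAMPLE_LOG, AUTHORIZED_SECONDARIES):
        print(f"{finding['ts']} unauthorized {finding['qtype']} of {finding['zone']} from "
              f"{finding['client']} (ANY queries from same client: {finding['any_queries_from_client']})")
```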

Network Footprinting

  • traceroute

    • a command line tool that tracks a packet across the internet and provides the route path and transit times.

    • uses ICMP ECHO packets (UDP in Linux) with increasing TTL values to report information on each hop from the source to the destination

    • Windows' tracert uses ICMP only

    • Linux's traceroute uses UDP only

  • What is the OSRFramework?

    • The OSRFramework is an open source research framework in Python that helps you to perform user profiling by using different OSINT tools.

    • Basically a set of libraries used to perform Open Source Intelligence (OSINT) that helps you gather more accurate data from multiple applications in one easy-to-use package

    • Some of the information you can find includes:

      • username

      • domain

      • phone number

      • DNS lookups

      • Information leaks research

      • deep web search
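The traceroute bullets above give a defender a signature: Linux traceroute sends UDP probes to ports 33434 and up, tracert sends ICMP echo requests, and both walk the TTL up from 1. The detector below is an added example (not part of the original notes) that applies both signatures to constructed iptables-style firewall log lines; the log format, the addresses and the LOW_TTL and MIN_PROBES thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in an iptables/netfilter LOG style; addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
Mar 28 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 LEN=60 TTL=1 ID=1 PROTO=UDP SPT=54321 DPT=33434 LEN=40
Mar 28 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 LEN=60 TTL=2 ID=2 PROTO=UDP SPT=54321 DPT=33435 LEN=40
Mar 28 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 LEN=60 TTL=3 ID=3 PROTO=UDP SPT=54321 DPT=33436 LEN=40
Mar 28 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.20 LEN=92 TTL=1 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 28 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.20 LEN=92 TTL=2 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Mar 28 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.20 LEN=92 TTL=3 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
Mar 28 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 LEN=84 TTL=64 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Mar 28 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 LEN=60 TTL=64 ID=4 PROTO=UDP SPT=5353 DPT=53 LEN=40
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TRACEROUTE_PORTS = range(33434, 33535)  # default UDP probe port range of Linux traceroute
LOW_TTL = 16     # assumed threshold: probe TTLs start at 1 and climb; normal traffic arrives far higher
MIN_PROBES = 3   # assumed: fewer distinct TTL values is not enough evidence on its own

def parse_line(line):
    """Split an iptables-style line into its KEY=VALUE fields; None if it lacks SRC or PROTO."""
    fields = dict(KV_RE.findall(line))
    return fields if "SRC" in fields and "PROTO" in fields else None

def detect_traceroute(log_text, min_probes=MIN_PROBES):
    """Return {source_ip: 'udp' | 'icmp'}: 'udp' for Linux-style traceroute (climbing TTLs to
    ports 33434+), 'icmp' for Windows-style tracert (ICMP echo requests with climbing low TTLs)."""
    udp_ttls, icmp_ttls = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        src, proto, ttl = f["SRC"], f["PROTO"], int(f.get("TTL", 255))
        if proto == "UDP" and int(f.get("DPT", 0)) in TRACEROUTE_PORTS:
            udp_ttls[src].add(ttl)
        elif proto == "ICMP" and f.get("TYPE") == "8" and ttl <= LOW_TTL:
            icmp_ttls[src].add(ttl)
    verdicts = {}
    for src, ttls in udp_ttls.items():
        if len(ttls) >= min_probes:
            verdicts[src] = "udp"
    for src, ttls in icmp_ttls.items():
        if len(ttls) >= min_probes:
            verdicts[src] = "icmp"
    return verdicts

if __name__ == "__main__":
    for src, style in detect_traceroute(SAMPLE_LOG).items():
        print(f"{src}: {style} traceroute probes observed")
```

The ordinary ping and DNS traffic from 198.51.100.77 in the sample is left alone because its TTL never climbs and its port is not in the probe range.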

What are some of the applications found in the OSRFramework?

  • mailfy.py - checks if a user name (e-mail) has been registered in up to 22 different e-mail providers

  • searchfy.py - looks for profiles using full names and other information across seven platforms. It queries the platforms supported by the OSRFramework directly.

  • domainfy.py - verifies the existence of a given domain

  • phonefy.py - checks for the existence of phone numbers, can also be used to check if a phone number has been linked to spam practices.

  • entify.py - searches text for matches to regular expressions (e.g. extracting entities such as e-mail addresses)

  • usufy.py - verifies if a user name / profile exists in up to 306 different platforms

Other tools

  • Web Spiders - applications that crawl through a website, reporting information on what they find.

  • Social Engineering Framework (SEF) - can automate things like extracting email addresses out of websites and general preparation for social engineering. It has ties into Metasploit payloads for easy phishing attacks.

  • Maltego - an open source intelligence and forensics application designed explicitly to demonstrate social engineering (and other weaknesses) in your environment
