Reconnaissance
The preparatory phase where an attacker gathers as much information as possible about a target
Footprinting
The process of collecting information about a target network and its environment
Blueprint
The unique system profile of the target organization acquired by footprinting
Passive Footprinting
Gathering information about a target without direct interaction
Active Footprinting
Gathering information about a target with direct interaction
Information Obtained During Footprinting
1. Organizational Information
2. Network Information
3. System Information
Threats Made Possible Through Footprinting
1. Social Engineering
2. System and Network Attacks
3. Information Leakage
4. Privacy Loss
5. Corporate Espionage
6. Business Loss
Footprinting Methodology
A procedure for collecting information about a target from all available sources
Types of Passive Footprinting
1. Through Search Engines
2. Through Internet Research Services
3. Through Social Networking Sites
4. Whois Footprinting
Types of Active Footprinting
1. DNS
2. Network and Email
3. Social Engineering
4. Footprinting Tasks Using Advanced Tools and AI
Google Hacking
Refers to using advanced Google Search Operators for creating complex search queries to extract sensitive or hidden information
Google Hacking/Dork Operators
1. site
2. allinurl, inurl
3. allinanchor, inanchor
4. intext
5. allintitle, intitle
6. cache
7. link
8. related
9. info
10. location
11. filetype
12. source
13. before, after
Google Hacking Database (GHDB)
A subset of exploit-db that focuses on using Google Hacking Techniques
Google Hacking Database (GHDB) Categories
1. Footholds
2. Files Containing Usernames
3. Sensitive Directories
4. Web Server Detection
5. Vulnerable Files
6. Vulnerable Servers
7. Error Message
8. Files Containing Juicy Info
9. Files Containing Passwords
10. Sensitive Online Shopping Info
11. Network or Vulnerability Data
12. Pages Containing Login Portals
13. Various Online Devices
14. Advisories and Vulnerabilities
Shodan
A search engine used to detect devices and networks
Reverse Image Search
Allows you to use a photograph as the query
Meta Search Engine
Uses other search engines to produce its own results
File Transfer Protocol (FTP) Search Engine
Searches for files on an FTP Server
Internet of Things (IoT) Search Engine
Crawls the internet for publicly accessible IoT devices
Methods of Footprinting Using Search Engines
1. Google Hacking
2. Google Advanced Search, Image Search, and Reverse Image Search
3. Shodan
4. Video Search Engines
5. Meta Search Engines
6. File Transfer Protocol (FTP) Search Engines
7. Internet of Things (IoT) Search Engines
DNSdumpster
Domain research tool that can be used by attackers to discover hosts related to a domain
Pentest-Tools Find Subdomains
An online tool used for discovering subdomains and their IP addresses
Tools for Finding Subdomains
1. Netcraft
2. DNSdumpster
3. Pentest-Tools Find Subdomains
Wayback Machine
Allows target to get information removed from target's website
Photon
Attackers can use Photon to retrieve archived URLs of the target website from Wayback Machine
Spokeo
Attackers can use Spokeo to search for people belonging to the target organization
Tor Browser
Acts as a browser that allows users to connect to the dark web
Netcraft
Identifies sites associated with the target and finds the OS running on each site
Competitive Intelligence Gathering
Process of identifying, gathering, analyzing, verifying, and using information about your competitors
Indirect Competitive Intelligence Gathering
Involves gathering information from online resources
Electronic Data Gathering Analysis and Retrieval System (EDGAR) Database
Performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file with the U.S. Security Exchange Commission (SEC)
D&B Hoovers
Leverages a commercial database of 120 million business records and analytics to deliver an intelligence solution that enables sales and marketing professionals to focus on the right prospects
LexisNexis
Provides content-enabled workflow solutions designed specifically for professionals in the legal, risk management, corporate, government, law enforcement, accounting, and academic markets
Business Wire
Focuses on press release distribution and regulatory disclosure
Factiva
A global news database and licensed content provider
MarketWatch
Tracks the pulse of markets for engaged investors
Wall Street Transcript
A website as well as a paid subscription-based publication that publishes industry reports
Euromonitor
Provides strategy resource capabilities for consumer markets. It publishes reports on industries, consumers, and demographics
Experian
Provides insight on competitors' search, affiliate, display, and social marketing strategies
The Search Monitor
Provides competitive intelligence to monitor brand and trademark use, affiliate compliance, and competitive advertisers on paid search, organic search, local search, social media, mobile, and shopping engines worldwide
United States Patent and Trademark Office (USPTO)
Provides information about patents and trademarks
SEMrush
A competitive keyword research tool
ABI/INFORM Global
Offers the latest business and financial information for researchers
SimilarWeb
Aggregates data from multiple sources to estimate traffic, geography, and referral data for a company's websites and mobile apps. It also provides a panel through a browser extension that allows refining other data sources by anonymously tracking browser activity across millions of browsers worldwide.
SERanking
An online competitor analysis tool that provides a complete view of the target organization's website traffic dynamics
Social Networking Sites
Online services, platforms, or sites that focus on facilitating the building of social networks or social relations among people
A social networking site for professionals
theHarvester
A tool used for OSINT gathering that performs enumeration on websites
BuzzSumo
Finds the most shared content for a topic, author, or domain
Sherlock
Used to search social media sites for a username
Social Searcher
Allows an attacker to search for content on social media in real time and provides analytics data
Whois
A query and response protocol used for querying databases that store the registered users or assignees of an internet resource
Whois Port
Port 43 (TCP)
Thick Whois (Distributed Model)
Stores complete WHOIS information from all the registrars for a particular set of data
Thin Whois (Centralized Model)
Stores only the name of the Whois server of the registrar of the domain, which in turn holds complete details of the data being looked up
Decentralized Whois
Stores complete Whois information and has multiple independent entities to manage the Whois database
IP2Location
Used to identify a visitor's geographic location
DNS A Record
Points to an IP address
DNS AAAA Record
Points to an IPv6 address
DNS MX Record
Points to the domain's mail server
DNS NS Record
Points to the host's name server
DNS CNAME Record
Canonical naming allows aliases to host
DNS SOA Record
Indicates authority for a domain
DNS SRV Record
Service record
DNS PTR Record
Maps IP address to hostname
DNS RP Record
Responsible person
DNS HINFO Record
Host information record
DNS TXT Record
Unstructured text record
SecurityTrails
An advanced DNS enumeration tool capable of creating a DNS map of the target domain network. It can enumerate current or past records. It also enumerates subdomains.
Fierce
A DNS tool used for scanning and collecting crucial information about the target domain. Can enumerate subdomains and non-contiguous IP addresses
DNS Lookup
Used to find the IP address for a hostname
Reverse DNS Lookup
Used to find the hostname for a given IP address
DNSRecon
Used to perform a reverse DNS lookup
Reverse Lookup
Used to perform a reverse DNS lookup
ARIN Website
A networking footprinting tool that allows you to find the target network range of a target
Traceroute Utility
A networking footprinting tool that traces the path or route through which the target host packets travel in the network
Layer 4 Traceroute
Many devices block ICMP Traceroute so attackers can use TCP or UDP Traceroute instead
PingPlotter
A networking footprinting Traceroute tool
NetScanTools Pro
A networking footprinting Traceroute tool
eMailTrackerPro
An email footprinting tool that analyzes email headers and allows the attacker to save past traces
IP2LOCATION's Email Header Tracer
An email footprinting tool that allows attackers to analyze and trace email paths using email headers
Social Engineering
The art of exploiting human behavior to extract confidential information
Eavesdropping
A social engineering attack that involves intercepting communication without the consent of the communicating parties
Shoulder Surfing
A social engineering attack that involves standing behind the victim to observe the victim's computer activities
Dumpster Diving
A social engineering attack that involves rummaging for information in garbage bins
Impersonation
A social engineering attack where the attacker pretends to be a legitimate or authorized person
Maltego
An automated footprinting tool that can be used to determine the relationships and real-world links between people, groups, organizations, websites, and internet infrastructure
Recon-ng
A web reconnaissance framework with independent modules for database interaction that provides an environment in which open-source web-based reconnaissance can be conducted
Fingerprinting Organizations with Collected Archives (FOCA)
A footprinting tool mainly used to find metadata and hidden information in documents
Subfinder
A footprinting subdomain discovery tool that helps attackers find valid subdomains for websites using passive online sources
OSINT Framework
An open source intelligence gathering framework that helps in performing automated footprinting and reconnaissance
Recon-Dog
A footprinting tool that uses APIs to collect information from the target system
BillCipher
A footprinting tool for websites or IP addresses
Use Cases of AI in OSINT
1. Web Scraping
2. Pattern Recognition
3. Content Summarization
4. Sentiment Analysis
5. Image Recognition: Face Recognition, Metadata Analysis, Reverse Image Search
6. AI Detection
Taranis AI
An AI-powered OSINT tool
OSS Insight
An AI-powered OSINT Tool for GitHub