02 - Planning and Reconnaissance

Uploaded by

alaouiwissal560
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
23 views34 pages

02 - Planning and Reconnaissance

Uploaded by

alaouiwissal560
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 34

Planning and

Reconnaissance

ElMehdi BENDRISS
Bendriss+uir@gmail.com
http://ma.linkedin.com/in/bendriss/
Planning and Reconnaissance

• The importance of planning and reconnaissance in security testing
• Techniques for gathering information using open-source intelligence (OSINT)
• Scanning and enumeration techniques
• Tools for network mapping, port scanning, and OS fingerprinting
Introduction
Footprinting is the first step in the evaluation of the security posture of
the IT infrastructure of a target organization. Through footprinting and
reconnaissance, one can gather maximum information about a
computer system or a network and about any device connected to that
network. In other words, footprinting provides a security profile
blueprint for an organization and should be undertaken in a
methodical manner.
What is Footprinting?
Information obtained in footprinting
Footprinting methodology
Footprinting through Search Engines
• Search engines are the main sources of key information about a
target organization. They play a major role in extracting critical details
about a target from the Internet.
• A Google search could reveal submissions to forums by security
personnel, disclosing the brands of firewalls or antivirus software
used by the target. This information helps the attacker in identifying
vulnerabilities in such security controls.
• Attackers can use advanced search operators available with these
search engines and create complex queries to find, filter, and sort
specific information regarding the target.
Footprinting Using Advanced Google Hacking Techniques
Google Hacking DataBase (GHDB)
• The Google Hacking Database (GHDB) is an authoritative source for
querying the ever-widening scope of the Google search engine. In the
GHDB, you will find search terms for files containing usernames,
vulnerable servers, and even files containing passwords.
• Attackers use Google dorks (queries built from Google's advanced search
operators) to extract sensitive information about their target, such as
vulnerable servers, error messages, sensitive files, login pages, and websites.
Google Hacking DataBase (GHDB)
• Google Hacking Database Categories:
• Footholds
• Files Containing Usernames
• Sensitive Directories
• Web Server Detection
• Vulnerable Files
• Vulnerable Servers
• Error Messages
• Files Containing Juicy Info
• Files Containing Passwords
• Sensitive Online Shopping Info
• Network or Vulnerability Data
• Pages Containing Login Portals
• Various Online Devices
• Advisories and Vulnerabilities
VPN Footprinting through Google Hacking Database
Other Techniques for Footprinting through Search Engines
Gathering Information from IoT Search Engines
• Internet of Things (IoT) search engines crawl the Internet for IoT
devices that are publicly accessible. Through a basic search on these
search engines, an attacker can gain control of Supervisory Control
and Data Acquisition (SCADA) systems, traffic control systems,
Internet-connected household appliances, industrial appliances, CCTV
cameras, etc. Many of these IoT devices are unsecured, i.e., they are
without passwords or they use the default credentials, which can be
exploited easily by attackers.
• With the help of IoT search engines such as Shodan, Censys, and
Thingful, attackers can obtain information such as the manufacturer
details, geographical location, IP address, hostname, and open ports
of the target IoT device.
Identifying Key Email Addresses through Email Harvesting
• Email harvesting is a process in which a large number of email addresses
are obtained through different methods. It is mainly used for bulk
emailing or for spamming. A penetration tester can use email
harvesting tools such as theHarvester to enumerate publicly available
email addresses of the target organization. These tools gather email
addresses from popular sites such as social networking sites, forums,
and blogs.
theHarvester
• theHarvester is a tool for gathering email accounts, subdomain names, virtual hosts,
open ports/banners, and employee names from different public sources such as search
engines and Pretty Good Privacy (PGP) key servers. It is effective in the early stages of a
penetration test for learning how visible the company is on the Internet.
Metagoofil
• Metagoofil is an information-gathering tool designed for extracting the
metadata of public documents (PDF, doc, xls, ppt, docx, pptx, and xlsx)
belonging to a target company.
• Metagoofil performs a search in Google to identify and download
documents to a local disk and then extracts the metadata with different
libraries such as Hachoir and PDFMiner. With the results, it generates a
report with usernames, software versions, and servers or machine names,
which helps penetration testers in the information-gathering phase.
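As an added illustration of the metadata leakage Metagoofil reports on (this is example code written for this page, not Metagoofil's own), the following pulls the Author, Creator and Producer strings out of two constructed minimal PDFs and aggregates them the way a footprinting report would, so a defender can audit documents before publishing them:

```python
import re

# Two constructed minimal PDF fragments carrying the Info dictionary a word
# processor or PDF printer writes; every value here is made up for this example.
DOC_A = b"""%PDF-1.4
3 0 obj << /Title (Q3 Budget) /Author (jsmith) /Creator (Microsoft Word 2016)
/Producer (Acrobat Distiller 9.0) /CreationDate (D:20240115093000Z) >> endobj
trailer << /Info 3 0 R >>
%%EOF
"""
DOC_B = b"""%PDF-1.4
3 0 obj << /Author (m.dupont) /Creator (Writer) /Producer (LibreOffice 7.3) >> endobj
trailer << /Info 3 0 R >>
%%EOF
"""

# Literal-string entries of the form /Key (value). Nested parentheses, escapes
# and hex strings are not handled; real tools hand this to a PDF parser.
INFO_RE = re.compile(rb"/(Title|Author|Creator|Producer|CreationDate|ModDate)\s*\(([^)]*)\)")
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)*\b")


def extract_metadata(pdf: bytes) -> dict[str, str]:
    """Return the Info-dictionary fields found in one PDF as a plain dict."""
    return {k.decode(): v.decode("latin-1") for k, v in INFO_RE.findall(pdf)}


def build_report(docs: list[bytes]) -> dict[str, list[str]]:
    """Aggregate what a footprinting report would list for a set of public
    documents: likely usernames (Author) and software strings naming a version."""
    users, software = set(), set()
    for pdf in docs:
        meta = extract_metadata(pdf)
        if meta.get("Author"):
            users.add(meta["Author"])
        for field in ("Creator", "Producer"):
            value = meta.get(field, "")
            if VERSION_RE.search(value):  # keep only strings that reveal a version
                software.add(value)
    return {"usernames": sorted(users), "software": sorted(software)}
```

Running `build_report` over a directory of your own published documents shows exactly which usernames and software versions are visible to anyone who downloads them.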
Enumerating Key Email Addresses from Pastebin and HaveIBeenPwned
One can obtain a large number of email addresses from websites such
as Pastebin and HaveIBeenPwned. These websites are designed for storing
and sharing text (code snippets) online for review. They are used for
posting data containing personal information such as names,
addresses, dates of birth, telephone numbers, and email addresses
extracted from insecure databases. Hence, they are major sources of
third-party-disclosed email addresses.
Footprinting through Web Services
• Web services such as people search services can provide sensitive
information about the target.
• Social networking sites, people search services, alerting services,
financial services, and job sites provide information about a target
such as infrastructure details, physical location, and employee details.
Using this information, an attacker may build a hacking strategy to
break into the target organization's network and carry out other types
of advanced system attacks.
Finding a Company's Top-Level Domains (TLDs) and Sub-domains
• A company's top-level domains (TLDs) and sub-domains can provide a large
amount of useful information to an attacker. They may contain information
such as organizational history, services and products, and contact
information.
• Some sub-domains are available to only a few people. Website administrators
create sub-domains to test new technologies before deploying them on the
main website. Generally, these sub-domains are in the testing stage and
are insecure; hence, they are more vulnerable to various exploitations.
• Most organizations use common formats for sub-domains. Therefore, a
hacker who knows the external URL of a company can often discover the
sub-domains through trial and error, or by using a service such as Netcraft.
• You can also use an advanced Google search to identify all sub-domains of a
target: site:microsoft.com -inurl:www
Tool: Sublist3r / Subfinder
• These tools are designed to enumerate the subdomains of websites using OSINT.
They enumerate subdomains across multiple sources at once and help penetration
testers and bug hunters collect subdomains for the domain they are targeting.
They enumerate subdomains using many search engines such as Google, Yahoo,
Bing, Baidu, and Ask, and also using Netcraft, VirusTotal, ThreatCrowd,
DNSdumpster, and ReverseDNS.
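The following added example (not part of the original deck or of Sublist3r/Subfinder) shows how one of the sources such tools consult, certificate transparency logs, turns into a subdomain list: it parses constructed crt.sh-style JSON records for an assumed apex domain example.com, keeps only in-scope names, and flags the dev/test/staging hosts the sub-domain slide warns are often left insecure, so an owner can find them first.

```python
import json
import re

# Constructed crt.sh-style records (the real API returns the same "name_value"
# field, possibly holding several newline-separated names); values are made up.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=DigiCert", "name_value": "staging-api.example.com"},
    {"issuer_name": "C=US, O=DigiCert", "name_value": "dev.example.com\ntest.example.com"},
    {"issuer_name": "C=US, O=Other", "name_value": "mail.example.com"},
    {"issuer_name": "C=US, O=Other", "name_value": "EXAMPLE.COM.evil.net"},  # out of scope
])

# Naming patterns for pre-production hosts; the list is an assumption of this example.
NONPROD_RE = re.compile(r"^(dev|test|staging|uat|qa|beta|old|tmp)([-.]|$)", re.I)


def extract_subdomains(ct_json: str, apex: str) -> set[str]:
    """Return unique in-scope hostnames from crt.sh-style records.

    Names are lower-cased and trailing dots stripped so duplicates collapse;
    a wildcard entry is kept as the literal '*.apex' so it stays visible.
    """
    apex = apex.lower()
    found = set()
    for rec in json.loads(ct_json):
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            # Only the apex itself or names ending in ".apex" belong to us;
            # "example.com.evil.net" must not slip through on a prefix match.
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return found


def nonprod_hosts(hosts: set[str], apex: str) -> list[str]:
    """Hosts whose leftmost label looks like a dev/test/staging system."""
    suffix = "." + apex.lower()
    hits = []
    for host in sorted(hosts):
        if host.endswith(suffix) and NONPROD_RE.match(host[: -len(suffix)]):
            hits.append(host)
    return hits


if __name__ == "__main__":
    hosts = extract_subdomains(SAMPLE_CT_JSON, "example.com")
    print("in-scope names:", sorted(hosts))
    print("review first:", nonprod_hosts(hosts, "example.com"))
```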
Other Techniques for Footprinting through Web Services
Maltego
Maltego is an OSINT and forensics application. As a platform developed
to deliver a clear threat picture to the environment that an organization
owns and operates, Maltego is useful during the information-gathering
phase of all security-related work. It also demonstrates the complexity
and severity of single points of failure, as well as trust relationships that
exist within the scope of the infrastructure. The unique perspective
that Maltego offers to both network- and resource-based entities is the
aggregation of information posted across the Internet.
Lab
• Lab file 02
• Google Dorking : https://tryhackme.com/r/room/googledorking
• Geolocating Images :
https://tryhackme.com/r/room/geolocatingimages
• Shodan : https://tryhackme.com/r/room/shodan
• SANS 2024 OSINT Summit - https://www.youtube.com/playlist?list=PLs4eo9Tja8bi1RZyKT_HlN48QLIRW6HhG
Scanning and enumeration techniques
• As already discussed, footprinting is the first phase of hacking, in
which the attacker gains primary information about a potential target.
He/she then uses this information in the scanning phase to gather
more details about the target.
Overview of Network Scanning
• Scanning is the process of gathering additional detailed information about
the target using highly complex and aggressive reconnaissance techniques.
• Network scanning refers to a set of procedures used for identifying hosts,
ports, and services in a network.
• Network scanning is also used for discovering active machines in a network
and identifying the OS running on the target machine.
• It is one of the most important phases of intelligence gathering for an
attacker, which enables him/her to create a profile of the target
organization.
• In the process of scanning, the attacker tries to gather information,
including the specific IP addresses that can be accessed over the network,
the target's OS and system architecture, and the ports along with their
respective services running on each computer.
Objectives for scanning
Some objectives for scanning a network are as follows:

✓ Discover the network's live hosts, IP addresses, and open ports of the live hosts. Using the open
ports, the attacker will determine the best means of entering the system.
✓ Discover the OS and system architecture of the target. This is also known as fingerprinting. An
attacker can formulate an attack strategy based on the OS's vulnerabilities.
✓ Discover the services running/listening on the target system. Doing so gives the attacker an
indication of the vulnerabilities (based on the service) that can be exploited for gaining access to
the target system.
✓ Identify specific applications or versions of a particular service.
✓ Identify vulnerabilities in any of the network systems. This helps an attacker to compromise the
target system or network through various exploits.
Types of Scanning
• Network Scanning — Lists the active hosts and IP addresses. Network
scanning is a procedure for identifying active hosts on a network, either to
attack them or assess the security of the network.
• Port Scanning — Lists the open ports and services. Port scanning is the
process of checking the services running on the target computer by
sending a sequence of messages in an attempt to break in. Port scanning
involves connecting to or probing TCP and UDP ports of the target system
to determine whether the services are running or are in a listening state.
• Vulnerability Scanning — Shows the presence of known weaknesses.
Vulnerability scanning is a method for checking whether a system is
exploitable by identifying its vulnerabilities. A vulnerability scanner consists
of a scanning engine and a catalog. The catalog includes a list of common
files with known vulnerabilities and common exploits for a range of servers.
What is Enumeration
• Enumeration is the process of extracting usernames, machine names,
network resources, shares, and services from a system or network.
• In the enumeration phase, an attacker creates active connections
with the system and sends directed queries to gain more information
about the target.
• The attacker uses the information collected using enumeration to
identify vulnerabilities in the system security, which help them exploit
the target system.
• In turn, enumeration allows the attacker to perform password attacks
to gain unauthorized access to information system resources.
Enumeration techniques in an intranet environment
In particular, enumeration allows the attacker to collect the following
information:

• Network resources
• Network shares
• Routing tables
• Audit and service settings
• SNMP and fully qualified domain name (FQDN) details
• Machine names
• Users and groups
• Applications and banners
Techniques for Enumeration
• Extract usernames using email IDs
• Extract information using default passwords
• Brute force Active Directory
• Extract information using DNS Zone Transfer
• Extract user groups from Windows
• Extract usernames using SNMP
• Services and Ports
Services and Ports Enumeration
• TCP/UDP 53: DNS Zone Transfer
• TCP/UDP 135: Microsoft RPC Endpoint Mapper
• UDP 137: NetBIOS Name Service (NBNS)
• TCP 139: NetBIOS Session Service (SMB over NetBIOS)
• TCP/UDP 445: SMB over TCP (Direct Host)
• UDP 161: Simple Network Management Protocol (SNMP)
• TCP/UDP 162: SNMP Trap
• TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
• TCP 2049: Network File System (NFS)
• TCP 25: Simple Mail Transfer Protocol (SMTP)
• TCP 22: Secure Shell (SSH)
• TCP/UDP 3268: Global Catalog Service
• TCP 20/21: File Transfer Protocol
• TCP 23: Telnet
• UDP 69: Trivial File Transfer Protocol (TFTP)
Tools for enumeration
• Nmap / Zenmap
• hping3
• Metasploit
• net view
• PowerView
• snmpwalk / snmp-check
• ldapsearch
• smtp-user-enum
Lab
• Lab file 03
• Nmap : https://tryhackme.com/r/room/furthernmap
• Nmap Live Host Discovery : https://tryhackme.com/r/room/nmap01
• Passive Reconnaissance : https://tryhackme.com/r/room/passiverecon
• Active Reconnaissance : https://tryhackme.com/r/room/activerecon