Lec3 Footprinting

Footprinting is the initial phase of reconnaissance where attackers gather information about a target from various online sources to assess its security posture. This includes both passive and active techniques, such as analyzing company websites, social media, and DNS records, as well as utilizing Open Source Intelligence (OSINT) tools. The document outlines various methods and tools for effective footprinting, including Google dorking, WHOIS queries, and DNS queries, to uncover valuable data for potential exploitation.

2.1 FOOTPRINTING CONCEPTS
• Footprinting
• Types of Information
• Information Sources
• Passive Footprinting/OSINT
• Active Footprinting

Footprinting
• Footprinting is the first step in reconnaissance
• The attacker looks for tracks and traces the target leaves about itself on the Internet
• Collect as much information as possible
• Value of footprinting:
  – Gain knowledge of the target’s overall security posture
  – Create a “bird’s eye” view of the target
  – Physical/facility vulnerabilities
  – High-level network map
  – Potential target areas to attack
  – Potential human targets to engage
• Information that may not seem immediately useful may gain relevance later

Types of Information
Search for anything that might help you gain access to the target’s network:
• General company information
  – Company mission, products, services, activities, location, contact information
• Employee information
  – Email addresses, contact information, job roles
• Internet presence
  – Domain names, website content, online services offered, IP addresses, network reachability
• Leaked documents and login information
• Overall security posture
• Technologies used
• Industry and market information
  – Company profile, assets, financial information, competitors

Information Sources
• Company website(s)
• Whois
• Search engines
• People searches
• Job boards
• Social networking / social media
• News articles and press releases
• Specialized OSINT tools

Passive Footprinting/OSINT
• Open Source Intelligence
• Use the Internet/publicly available sources to gather information on a target
• Do not directly engage the target

Active Footprinting
• Engage the target in seemingly innocuous ways
  – Use “normal” expected actions
  – Avoid arousing suspicion
• Interact with the target’s public-facing servers
  – Query the organization’s DNS server
  – Traceroute to the target network
  – Spider / mirror the target’s website
  – Extract published document metadata
• Limited social engineering
  – Gather business cards
  – Chat with company representatives at trade shows and public events
  – Collect names, job titles, personal information, contact information, email addresses, etc.
• Remember: at this stage you want to be subtle and go unnoticed
• Techniques include:
  – Casual face-to-face contact
  – Trade show or public event
  – Eavesdropping
  – Shoulder surfing
  – Dumpster diving
  – Impersonation on social networking sites

• If your target has a website, visit it for initial information
• Use search engines to obtain additional information about the target, including news and press releases
  – Google, Yahoo, Bing, Ask, Baidu, DuckDuckGo, AOL Search
• Use search engine cached pages or Archive.org to see information no longer available
• Use OSINT tools to automate information gathering and find hidden information

• Analyze gathered information to determine your next moves
• Get a sense of the target’s overall security posture
• Look for information that can be used in your next steps
• Devices that can get you into the network:
  – IP addresses to scan
  – Servers and services to vulnerability scan
  – Internet-attached IoT devices to compromise
• People to social engineer
  – Email addresses to phish
  – Phone numbers to call for impersonation
  – Names and job roles to target
• Locations for physical reconnaissance
  – Parking areas to scatter malicious USB sticks
  – Easily accessible areas to plant sniffing/snooping devices
  – Detect Wi-Fi signals

• Monitor website content for changes
• Set alerts to notify you of updates
  – Alerts are usually sent via email or SMS
  – To receive alerts, register on the website
  – Google Alerts, Yahoo Alerts, Twitter Alerts, Giga Alerts
• Some OSINT tools also offer monitoring and alerts
2.2 OSINT TOOLS
• Common Tools

OSINT Framework
• A search engine that is also a cybersecurity framework
• Assembles information from publicly available sources
• Includes:
  – username, email address, contact information, language translation
  – public records, domain name, IP address, malicious file analysis, threat intelligence and more
• https://osintframework.com/

Spyse
• Cyberspace search engine
• Combines several data gathering tools into a full-service online platform
• Users can get data directly from Spyse’s web interface or their API
• Has free and paid features

Maltego
• An open source intelligence and forensics application
• Use to mine, gather and visualize data and relationships in an easy-to-understand format
• Find relationships and links between people, groups, companies, organizations, websites, Internet infrastructure, phrases, documents, files, etc.
• Used by law enforcement to analyze social media accounts
  – Track profiles, understand social networks of influence, interests and groups
• During the COVID-19 crisis Maltego was used to aid virus containment efforts:
  – Scientific study of the virus spread
  – Trace tourist/visitor movement from coronavirus hotspots to other locations

Shodan.io
• Search engine for Internet-connected devices
• Most commonly used to help users identify potential security issues with their devices
• Can find anything that connects directly to the internet:
  – Routers and servers
  – Baby monitors
  – Security cameras
  – Maritime satellites
  – Water treatment facilities
  – Traffic light systems
  – Prison pay phones
  – Nuclear power plants

• Similar to Shodan
• Continually discovers Internet-facing assets including IoT devices
• Offers cloud-based dashboard

theHarvester
• OSINT tool for gathering:
  – emails, sub-domains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers, and SHODAN computer database
• Written in Python
• Many of its functions require an API key to effectively query the source

theHarvester -d www.hackthissite.org -n -b google
[*] Emails found: 2
----------------------
ab790c1315@www.hackthissite.org
staff@hackthissite.org
[*] Hosts found: 7
---------------------
0.loadbalancer.www.hackthissite.org:
22www.hackthissite.org:
2522www.hackthissite.org:
253dwww.hackthissite.org:
www.hackthissite.org:137.74.187.104, 137.74.187.100, 137.74.187.101, 137.74.187.103, 137.74.187.102
x22www.hackthissite.org:

• Uses OSINT and a variety of search engines to enumerate website subdomains
• Can conduct port scans against discovered websites
• Subdomains are sometimes preferred targets for attackers:
  – Often separately managed by the smaller child organization
  – Frequently less secure than the parent domain
  – Child organizations are typically smaller with fewer resources than the parent

• Full-featured web reconnaissance framework
• Has many modules with specific functions for conducting OSINT
• Written in Python
• Requires API keys from targets to be effective

InSpy
• Gathers information from LinkedIn
• Install in Kali Linux:
apt install inspy
• Search LinkedIn for Google employees using the provided wordlist of possible job titles:
inspy --empspy /usr/share/inspy/wordlists/title-list-large.txt Google
• Search for technologies (--techspy) in use at the target company (cisco) using the provided list of terms:
inspy --techspy /usr/share/inspy/wordlists/tech-list-small.txt cisco

• Follow a target’s Instagram likes and comments

• OSINT automation tool
  – Including target monitoring
• Written in Python
• Alternatively has a cloud-hosted version
  – Different subscription levels

• A set of libraries for performing Open Source Intelligence tasks
• Has various scripts and applications for:
  – Username checking
  – DNS lookups
  – Information leaks research
  – Deep web search
  – Regular expressions extraction
  – etc.

• Useful information might reside in PDF or Office files
• Use this hidden metadata to perform social engineering
• Tools:
  – Metagoofil
  – ExtractMetadata
  – FOCA
  – Meta Tag Analyzer
  – BuzzStream
  – Analyze Metadata
  – Exiftool

Metagoofil
• Extracts metadata from publicly available documents belonging to a target company
  – pdf, doc, xls, ppt, docx, pptx, xlsx
• Uses Google hacks to find information in meta tags
• Generates a report of:
  – usernames, email addresses, software versions, server names, etc.
2.3 ADVANCED GOOGLE SEARCH
• Google Hacking
• Google Dorking
• Google Hacking Database

Google Hacking
• The use of specialized Google searches
• Find unusual information such as:
  – Sites that may link back to target’s website
  – Information about partners, vendors, suppliers, clients, etc.
  – Error messages that contain sensitive information
  – Files that contain passwords
  – Sensitive directories
  – Pages that contain hidden login portals
  – Advisories and server vulnerabilities
  – Software version information
  – Web app source code

Google Dorking
• Using search strings with advanced operators
• Find information not readily available on a website
• Can be used to find vulnerabilities, files containing passwords, lists of emails, log files, live camera feeds, and much more
• Considered an easy way of hacking

Operator   | Description                                                              | Example
intitle:   | find strings in the title of a page                                      | intitle:"Your Text"
allintext: | find all terms in the title of a page                                    | allintext:"Contact"
inurl:     | find strings in the URL of a page                                        | inurl:"news.php?id="
site:      | restrict a search to a particular site or domain                         | site:yeahhub.com "Keyword"
filetype:  | find specific types of files (doc, pdf, mp3 etc) based on file extension | filetype:pdf "Cryptography"
link:      | search for all links to a site or URL                                    | link:"example.com"
cache:     | display Google’s cached copy of a page                                   | cache:yeahhub.com
info:      | display summary information about a page                                 | info:www.example.com

Operator | Description                   | Example
OR       | Match at least one keyword    | google OR bing OR duckduckgo
AND      | Match all keywords            | Samsung AND Apple
""       | Exact match                   | "Google Dorks Explained"
-        | Exclude a keyword             | Linux -site:Wikipedia.org
*        | Wildcard of one or more words | "username * password"
()       | Grouping keywords             | "google (dorks OR dorking OR hacking)" AND (explained OR tutorial OR guide)

• Camera feeds – live feeds from AXIS cameras
  intitle:"Live View / - AXIS" | inurl:/mjpg/video.mjpg?timestamp
• Email lists contained in Excel files
  filetype:xls inurl:"email.xls"
• Pages vulnerable to SQL injection attacks
  inurl:".php?id=" intext:(error AND sql)
• Log files containing passwords and corresponding emails
  filetype:log intext:password intext:(@gmail.com | @yahoo.com | @hotmail.com)
• Open FTP servers that can contain sensitive information
  intext:"index of" inurl:ftp
• Return results that match “accounting” from target.com, but NOT from marketing.target.com
  site:target.com -site:marketing.target.com accounting
• Scanning reports – vulnerabilities in scanned systems
  intitle:report (nessus | qualys) filetype:pdf
• SQL database – contents of exposed databases, including usernames and passwords
  intitle:"index of" "dump.sql"

Google Hacking Database
• List of popular Google Dorks
• https://www.exploit-db.com/google-hacking-database/
2.4 WHOIS FOOTPRINTING
• Internet Authorities
• Whois
• Whois Tools

Internet Authorities
• Internet Corporation for Assigned Names and Numbers (ICANN)
  – A not-for-profit public-benefit corporation
  – Dedicated to keeping the Internet secure, stable and interoperable
  – Promotes competition and develops policy on the Internet's unique identifiers
  – DNS names and Autonomous System (AS) numbers*
• The Internet Assigned Numbers Authority (IANA)
  – A department within ICANN
  – Maintains a central repository for Internet standards
  – Verifies and updates changes to Top Level Domain (TLD) information
  – Distributes Internet numbers to regions for Internet use
• The Internet Engineering Task Force (IETF)
  – An open standards organization
  – They develop and promote voluntary Internet standards (especially those related to IP)
* Every major network that is part of the Internet has an identifying Autonomous System number

Regional Internet Registries
• Governing bodies that are responsible for controlling all IP addresses and domain registrations in their operating region
  – American Registry for Internet Numbers (ARIN) – U.S., Canada, Antarctica and parts of the Caribbean region
  – Asia-Pacific Network Information Centre (APNIC) – Asia, Australia, New Zealand
  – African Network Information Center (AfriNIC) – Africa and the Indian Ocean
  – Reseaux IP Europeens Network Coordination Centre (RIPE NCC) – Europe, Russia, Central Asia, Middle East
  – Latin America and Caribbean Network Information Center (LACNIC) – Latin America and parts of the Caribbean

Whois
• A widely-used query and response protocol
• Used to query databases that store the registered users or assignees of an Internet resource such as:
  – Domain names
  – IP address blocks
  – Autonomous system numbers
• The protocol stores and delivers database content in a human-readable format
• It is widely available for public use
• ICANN requires that records remain accurate for the life of the domain registration
• There is no single Whois database
  – Registrars and registries each maintain their own respective Whois database
  – Registrars – companies and organizations that have ICANN accreditation and are registry certified to sell domain names; also responsible for any resellers under them
  – Registries – organizations responsible for maintaining the records of a specific top level domain (TLD) such as .com, .net, .org, etc.
Source: domainnamestat.com

Whois Query
• WHOIS databases are maintained by Regional Internet Registries and hold personal information of domain owners
• A WHOIS query returns:
  – Domain name and details
  – Owner information
  – DNS servers
  – Network blocks
  – Autonomous System Numbers
  – When created
  – Expiry
  – Last update
• Can aid an attacker or ethical hacker with social engineering

Whois Tools
• whois.com
• Domainnamestat.com
• LanWhoIs
• Batch IP Converter
• CallerIP
• WhoIs Lookup Multiple Addresses
• WhoIs Analyzer Pro
• HotWhoIs
• ActiveWhoIs
• WhoisThisDomain
• UltraTools
• SoftFuse Whois
• Domain Dossier
• BetterWhois
• Whois Online
• Web Wiz
• Network-Tools.com
• DNSstuff
• Network Solutions Whois
• WebToolHub
2.5 DNS FOOTPRINTING
• DNS Information
• DNS Query Tools
• Location Search Tools

DNS Information
• Attackers use DNS data to find key hosts on the target’s network
• DNS record types:
  – A – IPv4 host address
  – AAAA – IPv6 host address
  – MX – mail server
  – NS – name server
  – CNAME – alias
  – SOA – authority for domain
  – SRV – service records
  – PTR – maps IP address to hostname
  – RP – responsible person
  – HINFO – Host information record (CPU type/OS)
  – TXT – Unstructured text record

DNS Query Tools
• Nslookup
• dig
• host
• whatsmydns.net
• myDNSTools
• Professional Toolset
• DNS Records
• DNSData View
• DNSWatch
• DomainTools
• DNS Query Utility
• DNS Lookup

nslookup www.hackthissite.org
Server: 192.168.63.2
Address: 192.168.63.2#53

Non-authoritative answer:
Name: www.hackthissite.org
Address: 137.74.187.103
Name: www.hackthissite.org
Address: 137.74.187.102

dig www.example.com
dig @8.8.8.8 www.example.com A
dig +short www.example.com A
dig example.com txt
dig example.com cname
dig example.com ns
dig example.com MX
dig axfr zonetransfer.me @nsztm1.digi.ninja.

Sublist3r
• Find subdomains for a domain
• Install in Kali:
apt install sublist3r
sublist3r -d <domain>
• Subdomains are useful to investigate
  – They are often independently managed by the local business unit or child organization
  – They typically have fewer resources (and thus fewer security controls) than the parent organization
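As an added example (not from the lecture slides), here is a small Python audit of records like those the dig commands above return: it parses dig's answer-section format, lists the key hosts an outsider can learn from MX/NS/A records, and flags records that disclose internal detail (RFC 1918 addresses, HINFO, RP). The zone lines are constructed sample data, and a non-empty AXFR result is read as a sign that transfers are not restricted.

```python
"""Audit DNS records (dig answer section or an AXFR dump) for what they tell an outsider."""
import ipaddress
import re

# Constructed sample in dig's answer-section format (name ttl class type rdata); not a real zone.
SAMPLE_ANSWERS = """\
; <<>> constructed sample, not real dig output <<>>
example.test.          3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024030501 7200 3600 1209600 3600
example.test.          3600 IN NS    ns1.example.test.
example.test.          3600 IN MX    10 mail.example.test.
example.test.          3600 IN TXT   "v=spf1 mx -all"
www.example.test.      300  IN A     203.0.113.10
mail.example.test.     300  IN A     203.0.113.25
intranet.example.test. 300  IN A     10.20.30.40
vpn.example.test.      300  IN AAAA  2001:db8::1
db01.example.test.     300  IN HINFO "Intel Xeon" "Ubuntu 22.04"
example.test.          3600 IN RP    jane.example.test. jane-info.example.test.
"""

RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")
# Address space that should never appear in a public zone (RFC 1918 and ULA), listed explicitly
# because ipaddress's is_private also covers documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_records(text):
    """Turn dig-style lines into dicts; comment lines (starting with ';') and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append({"name": m["name"], "ttl": int(m["ttl"]), "type": m["type"], "rdata": m["rdata"].strip()})
    return records


def key_hosts(records):
    """Roles an outsider can assign to hosts from public records alone (mail, nameserver, host)."""
    hosts = {}
    for r in records:
        if r["type"] == "MX":
            hosts.setdefault(r["rdata"].split()[-1], set()).add("mail")  # rdata is "priority exchange"
        elif r["type"] == "NS":
            hosts.setdefault(r["rdata"], set()).add("nameserver")
        elif r["type"] in ("A", "AAAA"):
            hosts.setdefault(r["name"], set()).add("host")
    return hosts


def disclosure_findings(records):
    """Records that hand out more than name resolution needs: internal addresses, CPU/OS, contact persons."""
    findings = []
    for r in records:
        if r["type"] in ("A", "AAAA"):
            addr = ipaddress.ip_address(r["rdata"])
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((r["name"], "internal address published in public DNS"))
        elif r["type"] == "HINFO":
            findings.append((r["name"], "HINFO reveals CPU type/OS"))
        elif r["type"] == "RP":
            findings.append((r["name"], "RP names a responsible person"))
    return findings


def zone_transfer_succeeded(records):
    """An AXFR that returns the SOA (and the rest of the zone) means transfers are open to the querying host."""
    return any(r["type"] == "SOA" for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_ANSWERS)
    print("key hosts:", {h: sorted(v) for h, v in key_hosts(recs).items()})
    for name, why in disclosure_findings(recs):
        print(f"{name}: {why}")
    print("zone transfer data present:", zone_transfer_succeeded(recs))
```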
Location Search Tools
• Help you perform physical or aerial reconnaissance of a target
  – Google Maps
  – Google Earth
  – Wikimapia
  – National Geographic Maps
  – Yahoo Maps
  – Bing Maps

2.6 WEBSITE FOOTPRINTING
• Website Footprinting
• Tools
• Spiders
• Mirroring
• Update Monitoring

Website Footprinting
• Monitoring and analyzing the target’s website for information
• Browse the target website
• Use Burp Suite, Zaproxy, Paros Proxy, Website Informer, Firebug, etc. to determine:
  – Connection status and content-type
  – Accept-Ranges and Last-Modified information
  – X-Powered-By information
  – Web server version
• Examine HTML sources
• Examine cookies
• Use OSINT to discover additional information about a website
  – Identify personnel, hostnames, domain names, and useful data residing on exposed web servers
  – Search Google, Netcraft, Shodan, LinkedIn, PGP key servers, and other sites
  – Search known domain names and IP blocks

Spiders
• Web spiders automate searches on the target website and collect information:
  – employee names, titles, addresses, email, phone and fax numbers, meta tags
• Helps with footprinting and social engineering attacks
• Tools:
  – SpiderFoot
  – Visual SEO Studio
  – WildShark SEO Spider Tool
  – Beam Us Up SEO Spider
  – Scrapy
  – Screaming Frog SEO Spider
  – Xenu

• Searches Google’s cache
• Looks for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites
• Use it to find information that can be exposed through Google Dorking

DirBuster
• Web content scanner
• Similar to DIRB
• GUI-based
• Looks for existing and hidden web objects
• Useful for finding hidden subdirectories in a web app
• Works by launching a dictionary-based attack against a web server
• Analyzes the response

Mirroring
• Download an entire copy of the website to a local directory
• You can examine the entire website offline
• Helps gather information without making website requests that could be detected
• You can take your time searching
• Need to copy slowly
• Tools:
  – HTTrack Web Site Copier
  – SurfOffline
  – Teleport Pro
  – Portable Offline Browser
  – Gnu Wget
  – BlackWidow
  – Ncollector Studio
  – Website Ripper Copier
  – PageNest
  – Backstreet Browser
  – Offline Explorer Enterprise
  – Archive.org
  – WebWatcher

Archive.org
• Allows access to archived versions of the website
• Copies the site as it was at the time
• You can find information that was subsequently deleted
• Archived sites may or may not include original downloads
• Also contains extensive content uploaded by the community

Update Monitoring
• Automatically checks web pages for updates and changes
• Sends alerts to interested users
• Example tools:
  – Website Watcher
  – Visual Ping
  – Follow that Page
  – Watch that Page
  – Check4Change
  – OnWebChange
  – Infominder

2.7 EMAIL FOOTPRINTING
• Email Source Header
• Email Tracking
• Email Tracking Tools

Email Source Header
• Reading the email source header can reveal:
  – Address from which the message was sent
  – Sender’s mail server
  – Authentication system used by sender’s mail server
  – Date and time of message
  – Sender’s name
• Also reveals:
  – Spoofed info
  – Bogus links and phishing techniques

Email Tracking
• Tracking emails can reveal:
  – Recipient IP address
  – Geolocation
  – Email received and read
  – Read duration
  – Proxy detection
  – Links
  – OS and browser info
  – Forwarded email
  – Recipient device type

Email Tracking Tools
• EmailTrackerPro
• PoliteMail
• Yesware
• ContactMonkey
• Zendio
• ReadNotify
• DidTheyReadit
• Trace Email
• Email Lookup
• Pointofmail
• WhoReadMe
• GetNotify
• G-Lock Analytics
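As an added example that is not taken from the slides, this Python script reads the source-header items listed above from a constructed sample message: it walks the Received: chain to find the originating address and the sender's mail server, pulls the Authentication-Results, and flags the mismatch between the From: domain and the envelope sender that marks spoofed mail. All hosts, addresses and domains in the sample are made up.

```python
"""Read an email's source headers: delivery path, authentication results, and spoofing clues."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture). The visible From: domain differs from the
# envelope sender and SPF/DMARC fail, which is the kind of "spoofed info" the headers expose.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail.example.net>
Received: from relay.example.net (relay.example.net [198.51.100.25])
 by mx.corp.example with ESMTP id def456;
 Tue, 5 Mar 2024 10:14:58 +0000
Received: from laptop.local (unknown [192.0.2.77])
 by relay.example.net with ESMTPA id ghi789;
 Tue, 5 Mar 2024 10:14:55 +0000
Authentication-Results: mx.corp.example;
 spf=fail smtp.mailfrom=mail.example.net;
 dkim=none;
 dmarc=fail header.from=bank.example
From: "Account Team" <alerts@bank.example>
To: user@corp.example
Subject: Verify your account
Date: Tue, 5 Mar 2024 10:14:50 +0000

Please review the attached statement.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiving host>" as written by most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def unfold(value):
    """Join a folded header onto one line so the regexes can run over it."""
    return " ".join(value.split())


def parse_received(value):
    m = RECEIVED_RE.search(unfold(value))
    if not m:
        return None
    return {"from": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"]}


def delivery_path(msg):
    """Each MTA prepends its own Received: line, so reversing them gives origin -> final destination."""
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def auth_results(msg):
    return dict(AUTH_RE.findall(unfold(msg.get("Authentication-Results", ""))))


def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze(raw):
    msg = message_from_string(raw)
    path = delivery_path(msg)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    auth = auth_results(msg)
    findings = []
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append(f"From domain {from_domain} differs from envelope sender {envelope_domain}")
    findings += [f"{mech}={result}" for mech, result in auth.items() if result == "fail"]
    return {
        "origin_ip": path[0]["ip"] if path else None,      # first hop: where the message entered the mail system
        "sender_mta": path[-1]["from"] if path else None,  # last hop: server that handed it to the recipient's MX
        "date": msg.get("Date"),
        "sender_name": parseaddr(msg.get("From", ""))[0],
        "hops": path,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    for hop in report["hops"]:
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("auth:", report["auth"])
    print("findings:", *report["findings"], sep="\n  ")
```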

2.8 NETWORK FOOTPRINTING
• Network Range
• Network Whois
• Traceroute

Network Range
• Map the target network
• Find in RIR whois database search
• Search online:
  – https://centralops.net/co/domaindossier.aspx
  – https://networksdb.io/ip-addresses-of/
• Use command prompt tools:
  – whois
  – curl

Network Whois
$ host -t a github.io
github.io has address 185.199.109.153

$ whois 185.199.109.153
inetnum: 185.199.108.0 - 185.199.111.255
netname: US-GITHUB-20170413
country: US

$ curl -s https://networksdb.io/ip-addresses-of/github-inc | grep 'IP Range' | awk '{print $3" - "$5}' | sort
140.82.112.0 - 140.82.127.255
148.62.46.150 - 148.62.46.151

Traceroute
• Discover routers and firewalls along the path to a target
• Uses ICMP or UDP with an increasing TTL to elicit router identification
• Find the IP address of the target firewall
• Help map the target network
• Tools:
  – Path Analyzer Pro
  – VisualRoute
  – Network Pinger
  – GEOSpider
  – vTrace
  – Trout
  – Roadkil’s Trace Route
  – Magic NetTrace
  – 3D Traceroute
  – AnalogX HyperTrace
  – Network Systems Traceroute
  – Ping Plotter
  – https://www.monitis.com/traceroute/
  – https://centralops.net/co/
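Added example (not part of the slides): a Python version of the range handling shown in the whois and curl output of the Network Whois slide above. It parses key: value whois output, converts "start - end" ranges into CIDR blocks with the standard ipaddress module, and attributes observed addresses to a block, which is how a defender checks whether an address seen in a log actually belongs to an organization's published ranges. The inputs reuse the ranges from the slide; RANGE_LISTING is a constructed stand-in for what the curl pipeline prints.

```python
"""Turn whois/RIR range listings into networks and check which observed addresses fall inside them."""
import ipaddress
import re

# The slide's whois output for 185.199.109.153 (RIPE-style "key: value" lines), used as input.
WHOIS_OUTPUT = """\
inetnum:        185.199.108.0 - 185.199.111.255
netname:        US-GITHUB-20170413
country:        US
"""

# Constructed stand-in for the "IP Range" lines the curl | grep | awk pipeline on the slide prints.
RANGE_LISTING = """\
140.82.112.0 - 140.82.127.255
148.62.46.150 - 148.62.46.151
"""

RANGE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_whois(text):
    """Collect key: value lines, keeping the first occurrence of each key and skipping comment lines."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), value.strip())
    return fields


def range_to_networks(range_text):
    """'a.b.c.d - e.f.g.h' -> the minimal list of CIDR blocks covering it (a range need not be one block)."""
    m = RANGE_RE.search(range_text)
    if not m:
        raise ValueError(f"no IPv4 range in {range_text!r}")
    start, end = (ipaddress.IPv4Address(s) for s in m.groups())
    return list(ipaddress.summarize_address_range(start, end))


def networks_from_listing(text):
    """Every 'start - end' line in a listing, expanded to CIDR blocks."""
    nets = []
    for line in text.splitlines():
        if RANGE_RE.search(line):
            nets.extend(range_to_networks(line))
    return nets


def attribute(addresses, networks):
    """Map each address to the block containing it, or None if it is outside all known blocks."""
    result = {}
    for a in addresses:
        ip = ipaddress.ip_address(a)
        result[a] = next((str(n) for n in networks if ip in n), None)
    return result


if __name__ == "__main__":
    fields = parse_whois(WHOIS_OUTPUT)
    known = range_to_networks(fields["inetnum"]) + networks_from_listing(RANGE_LISTING)
    print(fields["netname"], "->", [str(n) for n in known])
    print(attribute(["185.199.109.153", "140.82.120.9", "203.0.113.5"], known))
```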

2.9 FOOTPRINTING THROUGH SOCIAL NETWORKING SITES
• Social Networking Sites
• Information
• People Search
• Social Media Groups

Social Networking Sites
• Attackers use social networking sites to gain important and sensitive data about their target
• They often create fake profiles through these social media
  – Aim is to lure their target and extract vulnerable information
• Employees may post:
  – Personal information such as DOB, educational and employment background, spouse’s names, etc.
  – Information about their company such as potential clients and business partners, trade secrets of business, websites, company’s upcoming news, mergers, acquisitions, etc.
• Common social networking sites used:
  – Facebook, MySpace, LinkedIn, Twitter, Pinterest, Google+, YouTube, Instagram

Information
• Present activity/physical location
• Job activities
• Satellite photos of residences
• Date of birth
• Photos and social networking profiles
• Friends/family/associates
• Hobbies/current activities/blogs
• Work information
• Projects and operating environment
• Travel details

People Search
• A great source of personal and organizational information
  – Residential addresses, email addresses, phone number
  – Company information
  – Contact details, names, numbers, addresses, date of birth, photos
  – Family & friends
  – Property information
  – Bank details
  – Background and criminal checks
• People search services:
  – CheckPeople
  – BeenVerified
  – Truthfinder
  – peopleWhiz
  – PeopleLooker
  – Intelius
  – Checkmate
  – Peoplefinders
  – IDtrue

Social Media Groups
• Social media groups, forums, and blogs provide more intimate information about a person
  – Current interests
  – Current activities
  – Hobbies
  – Political and social viewpoints
• Can be used to cultivate a relationship with the target
  – Attackers create fictitious profiles and attempt to join groups
• Disinformation campaigns use bots to:
  – Automate posting
  – Increase visibility of an issue
  – Give malicious information traction
  – Make an opinion or idea seem to be popular
2.10 FOOTPRINTING AND RECONNAISSANCE COUNTER-MEASURES
• Mitigation and protection methods

Mitigation and Protection Methods
• Recognize that once information is on the Internet, it might never fully disappear
• Perform OSINT on yourself regularly to see what’s out there
  – Identify information that might be harmful
  – When possible, go to the sites that publish that information and remove it
• Delete/deactivate unnecessary social media profiles
• Use an identity protection service
• Use Shodan and Google Dorks to search for exposed files and devices
  – If any are discovered, implement protective measures
• Set up a monitoring service such as Google Alerts to notify you if new information appears
• Train yourself (and your employees) to recognize the danger and be cautious about what they share on social media
• If possible, use a data protection solution to minimize data leakage from the company
• Remove metadata from images if you don’t want others to know which device you are using to capture
• Conduct only private dialogues, trying to avoid public communication on forums and other sites
• Keep a close eye on which web pages and portals you visit
  – Some of them may require too much information for registration: name, phone number, real address
• Use different nicknames on the Internet – it will be much more difficult to find you
• Turn off tracking features on your phone and configure privacy settings
• Switch your profile to private mode, if the social network allows you to do this
• Disable location on photos you plan to post publicly on social media
• When adding friends on social media, only add people you actually know in real life
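To make the "remove metadata from images" step concrete, here is an added Python example (not from the slides) that strips the Exif, XMP/IPTC and comment segments from a JPEG by walking its marker segments, with no third-party library. SAMPLE_JPEG is a constructed byte string with valid segment structure rather than a real photograph; the bytes of a real file go through strip_metadata the same way.

```python
"""Strip Exif/XMP/IPTC/comment segments from a JPEG so a posted photo does not reveal camera or location."""
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
# Segments that carry metadata rather than pixels: APP1 (Exif, XMP), APP13 (Photoshop/IPTC), COM.
# APP0 (JFIF), APP2 (ICC profile) and APP14 (Adobe) are kept because decoders use them for colour.
METADATA_MARKERS = {0xFFE1, 0xFFED, 0xFFFE}
STANDALONE = {0xFF01} | set(range(0xFFD0, 0xFFD8))  # markers that carry no length field


def segments(data):
    """Yield (marker, raw bytes) per segment; SOS is yielded together with all the scan data after it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    pos = 2
    while pos + 2 <= len(data):
        while data[pos] == 0xFF and pos + 1 < len(data) and data[pos + 1] == 0xFF:
            pos += 1  # skip fill bytes that may precede a marker
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker >> 8 != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        if marker == SOS:
            yield marker, data[pos:]  # entropy-coded image data up to EOI, passed through untouched
            return
        if marker == EOI or marker in STANDALONE:
            yield marker, data[pos:pos + 2]
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def strip_metadata(data):
    """Return (cleaned JPEG bytes, list of (marker, payload prefix) that were removed)."""
    cleaned, removed = bytearray(), []
    for marker, raw in segments(data):
        if marker in METADATA_MARKERS:
            removed.append((marker, bytes(raw[4:20])))  # leading payload bytes identify Exif/XMP/etc.
            continue
        cleaned += raw
    return bytes(cleaned), removed


def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed stand-in for a camera JPEG: valid segment structure, no real image data.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFFE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"FAKE-GPS-AND-CAMERA-MODEL")
    + _segment(0xFFFE, b"Taken at the office, 2nd floor")
    + _segment(0xFFDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    clean, removed = strip_metadata(SAMPLE_JPEG)
    print(f"{len(SAMPLE_JPEG)} -> {len(clean)} bytes; removed:", [(hex(m), p) for m, p in removed])
```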
2.11 FOOTPRINTING AND RECONNAISSANCE REVIEW
• Footprinting gathers as much information as possible about a target in advance of the attack
  – You’re looking for any information that can help you break into the target network
• Footprinting can be passive or active
  – It’s usually subtle / unnoticeable
• Small, random, seemingly unimportant details can together paint a bigger picture or become important later in your hacking efforts
• Research sources can include:
  – Search engines
  – Whois
  – Websites
  – DNS
  – Social media
  – Email
  – Job boards
  – Press releases
  – Advanced online services
  – Social networking sites
  – Competitive intelligence sites
  – Limited social engineering
• OSINT is the use of publicly available sources and tools to footprint a target
• You can perform advanced Google searches using “dorks” (search strings with advanced operators)
  – The Google Hacking Database (GHDB) lists popular dorks created by the community
• Whois is a protocol for searching domain registration information
• You can use dig, nslookup, and many other tools to query a DNS server for host information
• You can footprint websites through the use of:
  – Spiders that automatically crawl through a website looking for specific types of information
  – Site mirroring so you can take your time examining an offline copy of the website
  – Tools like dirb and DirBuster that attempt to uncover hidden subdirectories on a website
  – Google cache and archive.org that maintain snapshots of websites over time
• You can examine email headers and use email tracking tools to identify the actual source of an email
• You can use Whois, traceroute, and other tools to identify IP blocks, the firewall IP address, and other network-available points of entry to the target
• Social networking sites and social media can provide a wealth of information