Unit No. 2 Part1 Footprinting

The document outlines the phases of ethical hacking, focusing on footprinting and reconnaissance, which involves gathering information about a target's security architecture to identify vulnerabilities. It details various techniques, including passive and active footprinting, advanced Google hacking, and social engineering, as well as tools and methodologies for effective information gathering. Additionally, it emphasizes the importance of countermeasures to protect against footprinting activities.

Phases of Ethical Hacking
 Footprinting & Reconnaissance
 Scanning
 Enumeration
 System Hacking
 Escalation of Privileges
 Covering Tracks
Footprinting and Reconnaissance
 Allows the attacker to gather information regarding the internal and external security architecture.
 The collected information also helps to identify the vulnerabilities within a system, which can be exploited to gain access.
 The collected information helps in identifying the different possible ways to enter the target network.
 Footprinting may involve both passive and active techniques:
1. Passive Footprinting:
   1. Public Information Gathering: Collecting information from publicly available sources such as websites, social media, domain registration records, and other public databases.
   2. Network Enumeration: Discovering information about a network or system without actively engaging with it. This can include finding information about network architecture, IP addresses, and domain names.
2. Active Footprinting:
   1. Scanning: Involves actively probing the target network to discover live hosts, open ports, and services running on those ports.
   2. Enumeration: Extracting more detailed information about the target system, such as user names, network shares, and other valuable information.
Types of Footprinting - Pseudonymous Footprinting
 Includes footprinting through online sources, i.e. the collection of information about a target while concealing the true identity (assumed name) of the person conducting the footprinting.
 Taking steps to anonymize or use pseudonyms during the reconnaissance process to minimize the risk of detection or attribution.
1. Use of Online Anonymization Tools: Utilize tools and services that help anonymize online activities, such as VPNs (Virtual Private Networks), Tor (The Onion Router), or other proxy services.
2. Creation of Pseudonymous Identities: Create and use online identities or aliases that are not directly linked to the actual identity of the person conducting the footprinting. This
1. Browsing Anonymity: Employ secure and private browsing practices, including the use of private browsing modes, disabling cookies, and avoiding the use of personally identifiable information (PII).
2. Obfuscation Techniques: Employ techniques to obfuscate the true intent or origin of the footprinting activities. This may involve intentionally introducing noise or misleading information.
3. Decentralized Research: Conduct research activities from various decentralized locations to avoid creating a noticeable pattern that could be traced back to a single source.
4. Limiting Digital Footprints: Take steps to minimize the digital footprints left behind during the footprinting process. This includes avoiding unnecessary interactions, using tools that enhance online privacy, and being cautious about revealing personal information.
Types of Footprinting - Internet Footprinting
 for gaining information through the internet.
 In Internet Footprinting, processes such as
 Google Hacking
 Google Search
 Google Application
 including search engines other than Google as well.
Objectives of Footprinting
 Know Security Posture – The data gathered will help us to get an overview of the security posture of the company, such as details about the presence of a firewall, security configurations of applications, etc.
 Reduce Attack Area – Can identify a specific range of systems and concentrate on particular targets only. This will greatly reduce the number of systems we are focusing on.
 Identify Vulnerabilities – We can build an information database containing the vulnerabilities, threats and loopholes available in the systems of the target organization.
 Draw Network Map – Helps to draw a network map of the networks in the target organization covering topology, trusted routers, presence of servers and other information.
Footprinting Methodology
Footprinting through
 Search Engines
 Advance Google Hacking Techniques
 Social Networking Sites
 Websites
 Email
 Competitive Intelligence
 WHOIS
 DNS
 Network
 Social Engineering
Footprinting through Search Engines
 Finding Company's Public and Restricted Websites
 www.netcraft.com.
 www.shodan.io
 heartbleed.com
Collect Location Information
 Google Earth
 Google Map
 Bing Map
 Wikimapia
 Yahoo Map
People Search Online Services
 www.privateeye.com
 www.peoplesearchnow.com
 www.publicbackgroundchecks.com
 www.anywho.com
 www.intelius.com
 www.4111.com
 www.peoplefinders.com
Gather Information from Financial Services
 www.google.com/finance
 finance.yahoo.com
Footprinting through Job Sites
 www.linkedIn.com
 www.monster.com
 www.indeed.com
 www.careerbuilder.com
Monitoring Target Using Alerts
 Google, Yahoo, and other alert services offer content monitoring services with an alert feature that notifies the subscriber with the latest and up-to-date information related to the subscribed topic.
Information Gathering Using Groups, Forums, and Blogs
 Groups, forums, blogs, and communities can be a great source of sensitive information.
 Any official and non-official group can leak sensitive information.
Footprinting using Advanced Google Hacking Techniques
 Google Advanced Search Operators
 Google Hacking Database (GHDB)
 Google hacking, or Google dorking, is a combination of computer hacking techniques that find the security holes within an organization's network and systems using Google search and other applications powered by Google.
 Google hacking was popularized by Johnny Long. He categorized the queries in a database known as the Google Hacking Database (GHDB).
 This categorized database of queries is designed to uncover information. This information might be sensitive and not publicly available. Google hacking is used to speed up searches.
 https://www.exploit-db.com/google-hacking-database/ and www.hackersforcharity.org are online platforms for the GHDB.
Advanced Search Operators – Description
site: Search for the result in the given domain
related: Search for similar web pages
cache: Display the web pages stored in cache
link: List the websites having a link to a specific web page
allintext: Search for websites containing a specific keyword
intext: Search for documents containing a specific keyword
allintitle: Search for websites containing a specific keyword in the title
intitle: Search for documents containing a specific keyword in the title
allinurl: Search for websites containing a specific keyword in the URL
inurl: Search for documents containing a specific keyword in the URL
For Google Advanced Search, you can also go to the following
URL: https://www.google.com/advanced_search
Footprinting through Social Networking Sites
Social Engineering
What users do:
 People update their status
 People maintain their profile
What the attacker gets:
 Most recent personal information
 Most recent location
 Family & friends information
 Photo of the target
 Activities & interests
 Contact numbers
 Technology related information
 Email addresses
 Upcoming events information
 Date of birth
 Location
 Work details
 Personal information about a target, including personal information, photo, etc.
 Social engineering
 Platform & technology related information
 Target location
 List of employees / friends / family
 Nature of business
Footprinting through Websites
 Monitoring and investigating the target organization's official website to gain information such as the software running, the versions of that software, operating systems, sub-directories, database, scripting information, and other details.
 Netcraft.com and shodan.io
Website Footprinting using Web Spiders
 Web Data Extractor
Mirroring Entire Website
Extract Website Information
 Archive.com is an online service
Monitoring Web Updates
Email Tracking Tools
Competitive Intelligence
Competitive intelligence gathering is a method of collecting information, analyzing it, and gathering statistics regarding the competitors.
Some basic sources of competitive intelligence are:
 Official Websites
 Job Advertisements
 Press releases
 Annual reports
 Product catalogs
 Analysis reports
 Regulatory reports
 Agents, distributors & Suppliers
Website Traffic Monitoring Tools
Tracking Online Reputation of the Target
Whois Lookup
 Regional Internet Registries (RIRs) maintain the WHOIS database.
 RIRs (name, acronym, location):
 African Network Information Center (AFRINIC): Africa
 American Registry for Internet Numbers (ARIN): United States, Canada, several parts of the Caribbean region, and Antarctica
DNS Tools
 WHOIS Lookup Tools for Mobile
 The "DNS Tools" application by www.dnssniffers.com is available on the Google Play store.
 It includes other features as well, including DNS Report, Blacklist Check, Email Validation, WHOIS, ping and reverse DNS.
 www.dnssniffers.com
 www.ultratools.com
Whois app
Ultra tool mobile app
 There are several lookup tools powered by www.whois.com.au, such as:
 WHOIS Lookup
 DNS Lookup
 RBL Lookup
 Traceroute
 IP Lookup
 API/Bulk Data Access
DNS Footprinting - DNS reconnaissance or DNS enumeration
DNS record type symbols
DNS Footprinting
 DNS footprinting is often a precursor to more advanced attacks, such as DNS spoofing, DNS cache poisoning, or targeted phishing campaigns.
 Therefore, organizations must implement proper DNS security measures, including DNSSEC (DNS Security Extensions), DNS firewalls, and regular DNS configuration audits, to protect against potential threats.
 Extracting DNS Information using DNSStuff
 https://www.dnsstuff.com
DNS Query Types: DNS footprinting involves querying DNS servers for various types of information, such as:
• Forward DNS Lookup: Mapping domain names to IP addresses.
• Reverse DNS Lookup: Mapping IP addresses to domain names.
• MX Records: Identifying mail servers associated with a domain.
• NS Records: Identifying authoritative name servers for a domain.
• SOA Records: Obtaining information about the start of authority for a domain.
 Public DNS Servers: DNS footprinting often starts with querying public DNS servers like those operated by Google (8.8.8.8, 8.8.4.4) or Cloudflare (1.1.1.1) to gather basic information about the target domain. These servers can provide valuable information about a domain's DNS configuration.
 Zone Transfers: If a DNS server is misconfigured to allow zone transfers, an attacker can potentially retrieve a complete list of domain names, IP addresses, and other DNS records associated with the target domain.
 This information can be used to identify potential targets within the network.
 DNS Enumeration Tools: There are various tools available that automate the process of DNS footprinting, such as:
• Dig: A command-line DNS querying tool available on Unix-like operating systems.
• NSLookup: A command-line tool available on Windows for querying DNS servers.
• DNSRecon: A popular DNS reconnaissance tool that automates the process of querying DNS servers and analyzing the results.
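As an added example (not from the slides), the Python below applies the points above from the defender's side: it scans constructed BIND-style query-log lines for the footprinting patterns just described, namely zone-transfer (AXFR) requests from clients that are not our own secondaries, one client walking many record types of a single zone, and reverse-lookup sweeps across an address block. The log layout, the thresholds and the allowed-secondary list are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed query-log lines in a BIND-like layout (assumed; not real traffic):
#   <timestamp> client <ip>#<port> (<qname>): query: <qname> IN <qtype>
SAMPLE_LOG = """\
2024-05-01T10:00:01 client 192.0.2.10#53412 (example.com): query: example.com IN A
2024-05-01T10:00:02 client 192.0.2.10#53413 (example.com): query: example.com IN MX
2024-05-01T10:00:03 client 192.0.2.10#53414 (example.com): query: example.com IN NS
2024-05-01T10:00:04 client 192.0.2.10#53415 (example.com): query: example.com IN SOA
2024-05-01T10:00:05 client 192.0.2.10#53416 (example.com): query: example.com IN TXT
2024-05-01T10:00:09 client 192.0.2.10#53417 (example.com): query: example.com IN AXFR
2024-05-01T10:01:00 client 198.51.100.7#40001 (1.0.113.203.in-addr.arpa): query: 1.0.113.203.in-addr.arpa IN PTR
2024-05-01T10:01:01 client 198.51.100.7#40002 (2.0.113.203.in-addr.arpa): query: 2.0.113.203.in-addr.arpa IN PTR
2024-05-01T10:01:02 client 198.51.100.7#40003 (3.0.113.203.in-addr.arpa): query: 3.0.113.203.in-addr.arpa IN PTR
2024-05-01T10:01:03 client 198.51.100.7#40004 (4.0.113.203.in-addr.arpa): query: 4.0.113.203.in-addr.arpa IN PTR
2024-05-01T10:01:04 client 198.51.100.7#40005 (5.0.113.203.in-addr.arpa): query: 5.0.113.203.in-addr.arpa IN PTR
2024-05-01T10:05:00 client 203.0.113.9#51000 (www.example.com): query: www.example.com IN A
2024-05-01T10:05:30 client 10.0.0.2#53000 (example.com): query: example.com IN AXFR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Secondary name servers that legitimately pull the zone (assumed for this example).
ALLOWED_AXFR_CLIENTS = {"10.0.0.2"}


def parse_log(text):
    """Return one dict per parsable log line; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def zone_of(qname):
    """Crude zone key: the last two labels (good enough for the constructed sample)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_footprinting(records, min_record_types=4, min_ptr_sweep=5):
    """Return (kind, client_ip, detail) tuples for the three patterns in the slides."""
    alerts = []
    types_per_client_zone = defaultdict(set)   # (ip, zone) -> {qtype, ...}
    ptr_names_per_client = defaultdict(set)    # ip -> {reverse names queried}
    for r in records:
        ip, qtype, qname = r["ip"], r["qtype"], r["qname"]
        # 1. Zone transfer requested by anyone other than our own secondaries
        if qtype == "AXFR" and ip not in ALLOWED_AXFR_CLIENTS:
            alerts.append(("axfr_attempt", ip, qname))
        # 2. Reverse lookups across a block are collected per client
        if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            ptr_names_per_client[ip].add(qname)
        else:
            types_per_client_zone[(ip, zone_of(qname))].add(qtype)
    # 3. One client walking many record types (A, MX, NS, SOA, ...) of one zone
    for (ip, zone), types in types_per_client_zone.items():
        if len(types) >= min_record_types:
            alerts.append(("record_type_enumeration", ip, zone))
    for ip, names in ptr_names_per_client.items():
        if len(names) >= min_ptr_sweep:
            alerts.append(("reverse_lookup_sweep", ip, str(len(names))))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_footprinting(parse_log(SAMPLE_LOG)):
        print(kind, ip, detail)
```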
Network Footprinting
 Gain information about the target network.
Using these tools, you can extract information such as:
 Network address ranges
 Hostnames
 Exposed hosts
 OS and application version information
 Patch state of the host and the applications
 Structure of the applications and back-end servers
Tools for this purpose are listed below:
 Whois
 Ping
 Nslookup
 Tracert
Traceroute Tools
 Tracert options are available in all operating systems as a command line feature.
 Visual traceroute, graphical and other GUI-based traceroute applications are also available.
 The traceroute or tracert command returns the path information from source to destination, hop by hop.
 The result includes all hops between source and destination.
 The result also includes the latency between these hops.
Traceroute Tools
Footprinting through Social Engineering
 Eavesdropping
 Shoulder Surfing
 Dumpster Diving
 Impersonation
Footprinting Tool
Maltego
 Maltego is a data mining tool powered by Paterva.
 This interactive tool gathers data and represents it as graphs for analysis. The major purpose of this data mining tool is the online investigation of relationships among different pieces of information obtained from various sources on the internet.
 Using Transforms, Maltego automates the process of gathering information from different data sources.
 A node-based graph represents this information.
 There are 3 versions of the Maltego client software:
 Maltego CE
 Maltego Classic
 Maltego XL
Countermeasures of Footprinting
 Employees of an organization must be restricted from accessing social networking sites from the corporate network.
 Devices and servers are configured to avoid data leakage.
 Provide education, training, and awareness of footprinting, its impact, methodologies, and countermeasures to the employees of an organization.
 Avoid revealing sensitive information in annual reports, press releases, etc.
 Prevent search engines from caching web pages.
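As an added example (not from the slides), a Python check for the last countermeasure: given a page's response headers and HTML body, it reports whether the page opts out of search-engine caching and indexing through the X-Robots-Tag header or a robots meta tag. The two responses are constructed, one permissive and one hardened, and nothing is fetched from the network; the set of directives treated as required is an assumption.

```python
import re

META_TAG_RE = re.compile(r"<meta\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*["']([^"']*)["']""")

# Directives a page should carry if it must not be cached or listed (assumed policy)
REQUIRED = ("noarchive", "noindex")


def robots_directives(headers, body):
    """Collect lower-cased directives from X-Robots-Tag headers and robots meta tags."""
    found = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            # the header may be "googlebot: noindex" style; keep the directive part only
            value = value.split(":", 1)[-1]
            found.update(v.strip().lower() for v in value.split(","))
    for tag in META_TAG_RE.finditer(body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag.group(1))}
        if attrs.get("name", "").lower() in ("robots", "googlebot"):
            found.update(v.strip().lower() for v in attrs.get("content", "").split(","))
    found.discard("")
    if "none" in found:                 # "none" is shorthand for noindex, nofollow
        found.update(("noindex", "nofollow"))
    return found


def missing_cache_protection(headers, body):
    """Return the required directives the page does not set (empty set = hardened)."""
    return set(REQUIRED) - robots_directives(headers, body)


# Constructed responses (not from any real site)
WEAK_RESPONSE = (
    [("Content-Type", "text/html")],
    "<html><head><title>Internal phone list</title></head><body>...</body></html>",
)
HARDENED_RESPONSE = (
    [("Content-Type", "text/html"), ("X-Robots-Tag", "noarchive, nosnippet")],
    '<html><head><meta content="noindex" name="robots"></head><body>...</body></html>',
)

if __name__ == "__main__":
    for label, (hdrs, html) in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "missing:", sorted(missing_cache_protection(hdrs, html)) or "nothing")
```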
2.1 Scanning Networks
To identify:
 live hosts on a network
 open & closed ports
 operating system information
 services running on a network
 running processes on a network
 the presence of security devices like firewalls
 system architecture
 running services
 vulnerabilities
Scanning Networks
TCP Communication
TCP Flags
3 Way Handshake
Protocol
Colasoft Packet Builder
 Colasoft Packet Builder software enables you to create customized network packets.
 These customized network packets can penetrate the network for attacks.
 Customization can also be used to create fragmented packets. You can download the software from www.colasoft.com.
 Colasoft Packet Builder offers Import and Export options for a set of packets.
 You can also add a new packet by clicking the Add button.
 Select the packet type from the drop-down option. Available options are:
 ARP Packet
 IP Packet
 TCP Packet
 UDP Packet
Scanning Methodology
 Checking for live systems (host discovery)
 Discovering open ports (port scanning)
 Scanning beyond IDS
 Banner grabbing (OS fingerprinting)
 Scanning vulnerabilities
 Network diagram
 Proxies (prepare proxies)
Scanning Pentesting
Checking for Live Systems
Ping Command
 Ping
 Nmap
 Nmap (Zenmap GUI)
 Advanced IP Scanner
 nmap -sP -PE -PA<port numbers> <starting IP/ending IP>
ICMP Scanning
 ICMP Scanning is a method of identifying live hosts by sending ICMP Echo requests to a host.
 An ICMP Echo reply packet from the host verifies that the host is live.
 Ping scanning is a useful tool not only for identifying live hosts, but also for determining whether ICMP packets are passing through firewalls, and the TTL value.
Ping Sweep
 Ping Sweep determines live hosts on a large scale.
 Ping Sweep is a method of sending ICMP Echo Request packets to a range of IP addresses, instead of sending requests one by one, and observing the responses.
 Live hosts respond with ICMP Echo Reply packets.
 Thus, instead of probing individually, we can probe a range of IPs using a Ping Sweep.
Scanning Techniques
Stealth scans
1. SYN Scan (Half-open Scan): This method sends SYN packets to the target ports and listens for SYN-ACK responses. However, unlike a full TCP connection, it does not complete the TCP handshake by sending an ACK packet. This helps avoid creating logs of completed connections on the target system.
2. FIN Scan: In this technique, the scanner sends TCP packets with the FIN flag set. Normally, a TCP connection is terminated with a FIN-ACK sequence. A closed port, however, will typically respond with a RST packet, while an open port gives no response. This can be useful for detecting open ports without triggering alarms.
3. NULL Scan: Similar to the FIN scan, this technique involves sending TCP packets with no flags set (hence, NULL). If a port is open, it typically won't respond at all, whereas a closed port usually responds with a RST packet.
4. Xmas Scan: This method involves sending TCP packets with the FIN, URG, and PSH flags set (resembling a festive "Xmas tree"). Similar to the FIN and NULL scans, it relies on the behavior of the target system's response to determine open or closed ports.
TCP Connect / Full Open Scan
 Full Open Scanning
 nmap -sT <ip address or range>
Stealth Scan (Half-open Scan)
 nmap -sS <ip address or range>
Inverse TCP Flag Scanning
 Inverse TCP Flag Scanning is the scanning process in which the sender sends a TCP probe either with TCP flags set, i.e. FIN, URG, and PSH, or without any flags.
 Probes with these TCP flags set are known as XMAS scanning.
 If no flag is set, it is known as NULL scanning.
Xmas Scan
 Xmas Scan is the type of scan in which the packet contains multiple flags.
 A packet sent to the target with URG, PSH & FIN set, or a packet having all flags set, creates an abnormal situation for the receiver. The receiving system has to take a decision when this condition occurs.
 A closed port responds with a single RST packet.
 If the port is open, some systems respond as an open port, but modern systems ignore or drop these requests because the combination of these flags is bogus.
 FIN Scan works only with operating systems with an RFC 793-based TCP/IP implementation.
 FIN Scan does not work with any current version of Windows, typically Windows XP or later.
Inverse TCP Flag Scanning
 nmap -sX -v <ip address or range>
FIN Scan
 FIN Scan is the process of sending a packet with only the FIN flag set.
 These packets can reliably pass the firewall. When FIN scan packets are sent to the target, the port is considered to be open if there is no response.
 If the port is closed, RST is returned.
NULL Scan
 NULL Scan is the process of sending a packet without any flag set. Responses are similar to the FIN and XMAS scans.
ACK Flag Probe Scanning
 The ACK flag scanning technique sends a TCP packet with the ACK flag set towards the target.
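As an added example (not from the slides), the Python below encodes the flag combinations and the RFC 793 response rules described in the stealth-scan, inverse-flag, FIN, NULL and ACK sections, then applies them as detection logic over a constructed list of packet summaries: a source SYN-probing many distinct ports is flagged as a half-open scan, and a source sending flag-less segments is flagged for NULL probes. The packet list, addresses and thresholds are constructed.

```python
from collections import Counter, defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name the scan probe that an unsolicited segment with these flags resembles."""
    if flags == 0:
        return "NULL"
    if flags == (FIN | PSH | URG):
        return "XMAS"
    if flags == FIN:
        return "FIN"
    if flags == SYN:
        return "SYN"
    if flags == ACK:
        return "ACK"
    return "other"


def expected_reply(probe, port_state):
    """Reply an RFC 793 stack sends for each probe; 'filtered' means a firewall drops it."""
    if port_state == "filtered":
        return "none"
    if probe == "SYN":
        return "SYN-ACK" if port_state == "open" else "RST"
    if probe in ("FIN", "NULL", "XMAS"):
        # RFC 793: a closed port answers RST, an open port ignores the segment.
        # Windows answers RST in both cases, which is why these scans fail there.
        return "none" if port_state == "open" else "RST"
    if probe == "ACK":
        return "RST"                    # an unfiltered port answers RST whether open or closed
    return "unknown"


# Constructed packet summaries (src_ip, dst_port, tcp_flags); not real traffic.
SAMPLE_PACKETS = [
    ("192.0.2.55", 22, SYN), ("192.0.2.55", 80, SYN), ("192.0.2.55", 443, SYN),
    ("192.0.2.55", 8080, SYN), ("192.0.2.55", 3306, SYN), ("192.0.2.55", 25, SYN),
    ("198.51.100.3", 22, 0), ("198.51.100.3", 80, 0), ("198.51.100.3", 443, 0),
    ("203.0.113.8", 80, SYN), ("203.0.113.8", 80, ACK), ("203.0.113.8", 80, PSH | ACK),
]


def detect_scanners(packets, port_threshold=5):
    """Flag sources that SYN-probe many distinct ports or send any NULL/FIN/XMAS probe."""
    syn_ports = defaultdict(set)        # src -> {dst ports that received a bare SYN}
    inverse_probes = Counter()          # src -> count of NULL/FIN/XMAS segments
    for src, dport, flags in packets:
        probe = classify_probe(flags)
        if probe == "SYN":
            syn_ports[src].add(dport)
        elif probe in ("NULL", "FIN", "XMAS"):
            inverse_probes[src] += 1
    findings = {}
    for src, ports in syn_ports.items():
        if len(ports) >= port_threshold:
            findings[src] = "syn_scan:%d_ports" % len(ports)
    for src, n in inverse_probes.items():
        findings[src] = "inverse_flag_probes:%d" % n
    return findings


if __name__ == "__main__":
    for src, why in detect_scanners(SAMPLE_PACKETS).items():
        print(src, why)
```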
UDP Scanning
 Like the TCP-based scanning techniques, there are also UDP scanning methods.
 Keep in mind that UDP is a connectionless protocol.
 UDP does not have flags.
 UDP packets work with ports; no connection orientation is required.
 There is no response if the targeted port is open; however, if the port is closed, a "Port unreachable" response message is returned.
 Most malicious programs, Trojans and spyware use UDP ports to access the target.
 nmap -sU -v <ip address or range>
 NetScan Tools Pro
Scanning Tools for Mobile
 Network Scanner
 Fing Network Tools
 Network Discovery Tool
 Port Droid Tool
Scanning Beyond IDS
 Uses fragmentation and small packets to evade security devices such as firewalls, IDS, and IPS.
 Splitting the payload into smaller packets.
 Sending these fragmented packets out of order.
 Sent using proxy servers, or through compromised machines, to launch attacks.
OS Fingerprinting & Banner Grabbing
 1. Active OS Fingerprinting: NMAP
 NMAP can perform active banner grabbing with ease. NMAP, as we know, is a powerful networking tool which supports many features and commands.
 Its operating system detection capability sends TCP and UDP packets and observes the response from the targeted host.
 2. Passive OS Fingerprinting
 Passive OS fingerprinting requires a detailed assessment of traffic.
 You can perform passive banner grabbing by analyzing network traffic, with special inspection of the Time to Live (TTL) value and window size.
 The TTL value and window size are inspected from the header of a TCP packet while observing network traffic.
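As an added example (not from the slides), the Python below performs the passive inspection just described on a constructed IPv4+TCP SYN packet: it reads the TTL from the IP header and the window size from the TCP header, rounds the TTL up to the nearest common initial value (64, 128 or 255, the usual defaults of Unix-like systems, Windows and network devices respectively) to estimate the OS family and the hop distance, and ignores anything that is not a client's first SYN. The packet builder, the TEST-NET addresses and the TTL-to-family mapping are assumptions for the example.

```python
import struct

# Common initial TTL values and the OS families that usually ship them (assumed defaults).
INITIAL_TTLS = (64, 128, 255)
FAMILY_BY_INITIAL_TTL = {64: "Linux/Unix-like", 128: "Windows", 255: "Network device / BSD-like"}

TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4_tcp(pkt):
    """Extract (ttl, tcp_flags, window) from a raw IPv4+TCP packet (no link-layer header)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    flags = tcp[13]                     # flag byte follows the data-offset byte
    window = struct.unpack("!H", tcp[14:16])[0]
    return ttl, flags, window


def guess_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common starting value."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None


def passive_fingerprint(pkt):
    """OS-family guess from a client's initial SYN; other segments are ignored (None)."""
    ttl, flags, window = parse_ipv4_tcp(pkt)
    if not (flags & TCP_SYN) or flags & TCP_ACK:
        return None                     # only the first SYN carries the stack's default window
    initial = guess_initial_ttl(ttl)
    return {
        "os_family": FAMILY_BY_INITIAL_TTL.get(initial, "unknown"),
        "hops_away": initial - ttl,
        "window": window,
    }


def build_ipv4_tcp(ttl, window, flags=TCP_SYN):
    """Constructed packet for testing: TEST-NET addresses, zero checksums, no options."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    # A SYN that started at TTL 64 and crossed 12 routers, with a Linux-like window
    print(passive_fingerprint(build_ipv4_tcp(52, 64240)))
```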
Passive OS Fingerprinting or
Banner Grabbing
Banner Grabbing Tools
 ID Server
 Netcraft
 Netcat
 Telnet
 Xprobe
 p0f
 Maltego
Draw Network Diagrams
 Network mappers are network mapping tools which use scanning and other network tools and techniques to draw a picture of a network.
Network Discovery Tools
 1. Network Topology Mapper
 2. OpManager
 3. Network View
 4. LANState Pro
Drawing Network Diagrams
 SolarWinds Network Topology Mapper can discover a network & create a comprehensive network topology diagram.
Prepare Proxies

 Proxy Servers
 Proxy Chaining
 Proxy Tool
1. Proxy Switcher
2. Proxy Workbench
3. TOR
4. CyberGhost
 Proxy Tools for Mobile
Prepare Proxies
Introduction to Anonymizers
 Censorship Circumvention Tool
 Tails
 Anonymizers for Mobile
 Orbot
 Psiphon
 Open door
Spoofing IP Address
Spoofing IP Address
Enumeration
Information that is enumerated in this phase:
 Routing Information
 SNMP Information
 DNS Information
 Machine Name
 User Information
 Group Information
 Application and Banners
 Network Sharing Information
 Network Resources
Techniques for Enumeration
 Enumeration Using Email ID
 Enumeration using Default Password
 Enumeration using SNMP
 Brute Force Attack on Active Directory
 Enumeration through DNS Zone Transfer
Enumeration Techniques
Enumeration Using Email ID
 Extraction of information using an Email ID can provide useful information like the username, domain name, etc. An email address contains the username and domain name in it.
Enumeration using Default Password
 Every device and software has its default credentials and settings. These default settings and configurations are recommended to be changed.
 Some administrators keep using default passwords and settings.
Enumeration using SNMP
 Enumeration using SNMP is a process of gaining information through SNMP.
 The attacker uses default community strings, or guesses the string, to extract information about a device.
 The SNMP protocol was developed to allow the manageability of devices by the administrator, such as servers, routers, switches and workstations on an IP network.
 It allows network administrators to manage the network performance of a network; find, troubleshoot and solve network problems; and design and plan for network growth.
 SNMP is an application layer protocol. It provides communication between managers and agents.
 The SNMP system consists of three elements:
 SNMP manager
 SNMP agents (managed node)
 Management Information Base (MIB)
Brute Force Attack on Active Directory
 Active Directory (AD) provides centralized command and control of domain users, computers, and network printers.
 It restricts access to network resources to only the defined users and computers.
Enumeration through DNS Zone Transfer
 Enumeration through the DNS zone transfer process includes extracting information like locating the DNS server, DNS records, and other valuable network-related information such as hostnames, IP addresses, usernames, etc.
 A zone transfer is a process to update DNS servers; the zone file carries valuable information which is retrieved by the attacker.
 nmap -sP 10.10.10.0/24 (ping sweep)
 nmap -sU -p <ports> 10.10.10.12 (UDP port scanning)
 nmap -sS 10.10.10.12 (stealth scan)
 nmap -sSV -O 10.10.10.12 (OS & version scanning)
NetBIOS Enumeration
 NetBIOS (Network Basic Input/Output System) is a program that allows communication between different applications running on different systems within a local area network.
 The NetBIOS service uses a unique 16-character ASCII string in order to identify network devices over TCP/IP.
 NetBIOS Enumeration Tool
 The nbtstat command is a useful tool to display information about NetBIOS over TCP/IP statistics.
 It is also used to display information such as NetBIOS name tables, the name cache, and other information.
 Commands using the nbtstat utility are shown below:
 nbtstat.exe -a "NetBIOS name of the remote system"
 nbtstat -A 192.168.1.10
 Enumeration using SuperScan Tool
SNMP Enumeration
 Simple Network Management Protocol (SNMP) Enumeration is a technique of enumeration using the most widely used network management protocol, SNMP.
LDAP Enumeration
 Lightweight Directory Access Protocol (LDAP)
 The Lightweight Directory Access Protocol (LDAP) is an open-standard Internet protocol.
 LDAP is for accessing and maintaining distributed directory information services in a hierarchical and logical structure.
 A directory service plays an important role by allowing the sharing of information like users, systems, networks, services, etc. throughout the network.
NTP Enumeration
 Network Time Protocol (NTP)
 NTP is the Network Time Protocol, used in a network to synchronize the clocks across hosts and network devices.
 NTP is an important protocol, as directory services, network devices and hosts rely on clock settings for login purposes and for logging to keep a record of events.
SMTP Enumeration
 Simple Mail Transfer Protocol (SMTP)
 SMTP enumeration is another way to extract information about the target using the Simple Mail Transfer Protocol (SMTP).
 The SMTP protocol ensures mail communication between email servers and recipients over Internet port 25.
 SMTP is one of the popular TCP/IP protocols widely used by most email servers, now defined in RFC 821.
Enumeration Countermeasures
 Using advanced security techniques:
 advanced security software
 updated versions of protocols
 strong security policies and unique, difficult passwords
 strong encrypted communication between client and server
 disabling unnecessary ports, protocols, sharing and default-enabled services
 can prevent enumeration to a certain level.
