CEH Module 2


2.1 Footprinting Concepts
• Types of Information
• Information Sources
• Passive Footprinting/OSINT
• Active Footprinting
Footprinting concepts:
• Footprinting is the first step in reconnaissance
• The attacker looks for tracks and traces the target leaves about itself on the Internet
• Collect as much information as possible
• Value of footprinting:
  • Gain knowledge of the target’s overall security posture
  • Create a “bird’s eye” view of the target
  • Physical/facility vulnerabilities
  • High-level network map
  • Potential target areas to attack
  • Potential human targets to engage
• Information that may not seem immediately useful may gain relevance later
Types of information. Search for anything that might help you gain access to the target’s network:
• General company information
  • Company mission, products, services, activities, location, contact information
• Employee information
  • Email addresses, contact information, job roles
• Internet presence
  • Domain names, website content, online services offered, IP addresses, network reachability
  • Leaked documents and login information
• Overall security posture
• Technologies used
• Industry and market information
  • Company profile, assets, financial information, competitors
Information sources:
• Company website(s)
• Whois
• Search engines
• People searches
• Job boards
• Social networking / social media
• News articles and press releases
• Specialized OSINT tools
Passive Footprinting / Open Source Intelligence (OSINT):
• Use the Internet/publicly available sources to gather information on a target
• Do not directly engage the target

Active Footprinting:
• Engage the target in seemingly innocuous ways
  • Use “normal” expected actions
  • Avoid arousing suspicion
• Interact with the target’s public-facing servers
  • Query the organization’s DNS server
  • Traceroute to the target network
  • Spider / mirror the target’s website
  • Extract published document metadata
• Limited social engineering
  • Gather business cards
  • Chat with company representatives at trade shows and public events
Passive footprinting techniques:
• If your target has a website, visit it for initial information
• Use search engines to obtain additional information about the target, including news and press releases
  • Google, Yahoo, Bing, Ask, Baidu, DuckDuckGo, AOL Search
• Use search engine cached pages or Archive.org to see information no longer available
• Use OSINT tools to automate information gathering and find hidden information
• Collect names, job titles, personal information, contact information, email addresses, etc.

Active footprinting / limited social engineering:
• Remember: at this stage you want to be subtle and go unnoticed
• Techniques include:
  • Casual face-to-face contact
  • Trade show or public event
  • Eavesdropping
  • Shoulder surfing
  • Dumpster diving
  • Impersonation on social networking sites

Update monitoring:
• Monitor website content for changes
• Set alerts to notify you of updates
  • Alerts are usually sent via email or SMS
  • To receive alerts, register on the website
  • Google Alerts, Yahoo Alerts, Twitter Alerts, Giga Alerts
• Some OSINT tools also offer monitoring and alerts


Analyze the gathered information to determine your next moves:
• Get a sense of the target’s overall security posture
• Look for information that can be used in your next steps
• Devices that can get you into the network:
  • IP addresses to scan
  • Servers and services to vulnerability scan
  • Internet-attached IoT devices to compromise
• People to social engineer:
  • Email addresses to phish
  • Phone numbers to call for impersonation
  • Names and job roles to target
• Locations for physical reconnaissance:
  • Parking areas to scatter malicious USB sticks
  • Easily accessible areas to plant sniffing/snooping devices
  • Detect Wi-Fi signals
2.2 OSINT Tools
• Common Tools
OSINT Framework (https://osintframework.com/)
• A search engine that is also a cybersecurity framework
• Assembles information from publicly available sources
• Includes:
  • username, email address, contact information, language translation
  • public records, domain name, IP address, malicious file analysis, threat intelligence and more

Spyse
• Cyberspace search engine
• Combines several data gathering tools into a full-service online platform
• Users can get data directly from Spyse’s web interface or their API
• Has free and paid features

Maltego
• An open source intelligence and forensics application
• Used to mine, gather and visualize data and relationships in an easy-to-understand format
• Finds relationships and links between people, groups, companies, organizations, websites, Internet infrastructure, phrases, documents, files, etc.
• Used by law enforcement to analyze social media accounts
  • Track profiles, understand social networks of influence, interests and groups
• During the COVID-19 crisis Maltego was used to aid virus containment efforts:
  • Scientific study of the virus spread
  • Trace tourist/visitor movement from coronavirus hotspots to other locations
Shodan.io
• Search engine for Internet-connected devices
• Most commonly used to help users identify potential security issues with their devices
• Can find anything that connects directly to the internet:
  • Routers and servers
  • Baby monitors
  • Security cameras
  • Maritime satellites
  • Water treatment facilities
  • Traffic light systems
  • Prison pay phones
  • Nuclear power plants

Similar to Shodan:
• Continually discovers Internet-facing assets including IoT devices
• Offers a cloud-based dashboard

theHarvester
• OSINT tool for gathering:
  • emails, sub-domains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers, and the SHODAN computer database
• Written in Python
• Many of its functions require an API key to effectively query the source
theHarvester -d www.hackthissite.org -n -b google

[*] Emails found: 2
----------------------
ab790c1315@www.hackthissite.org
staff@hackthissite.org

[*] Hosts found: 7
---------------------
0.loadbalancer.www.hackthissite.org:
22www.hackthissite.org:
2522www.hackthissite.org:
253dwww.hackthissite.org:
www.hackthissite.org:137.74.187.104, 137.74.187.100, 137.74.187.101, 137.74.187.103, 137.74.187.102
x22www.hackthissite.org:
Subdomain enumeration tool:
• Uses OSINT and a variety of search engines to enumerate website subdomains
• Can conduct port scans against discovered websites
• Subdomains are sometimes preferred targets for attackers:
  • Often separately managed by the smaller child organization
  • Frequently less secure than the parent domain
  • Child organizations are typically smaller with fewer resources than the parent

Web reconnaissance framework:
• Full-featured web reconnaissance framework
• Has many modules with specific functions for conducting OSINT
• Written in Python
• Requires API keys from targets to be effective

InSpy
• Gathers information from LinkedIn
• Install in Kali Linux:
    apt install inspy
• Search LinkedIn for Google employees using the provided wordlist of possible job titles:
    inspy --empspy /usr/share/inspy/wordlists/title-list-large.txt Google
• Search for technologies (--techspy) in use at the target company (cisco) using the provided list of terms:
    inspy --techspy /usr/share/inspy/wordlists/tech-list-small.txt cisco

Instagram OSINT tool:
• Follow a target’s Instagram likes and comments

OSINT automation tool:
• OSINT automation, including target monitoring
• Written in Python
• Alternatively has a cloud-hosted version
  • Different subscription levels

OSINT libraries:
• A set of libraries for performing Open Source Intelligence tasks
• Has various scripts and applications for:
  • Username checking
  • DNS lookups
  • Information leaks research
  • Deep web search
  • Regular expressions extraction
  • etc.
Document metadata:
• Useful information might reside in PDF or Office files
• Use this hidden metadata to perform social engineering
• Tools:
  • Metagoofil
  • ExtractMetadata
  • FOCA
  • Meta Tag Analyzer
  • BuzzStream
  • Analyze Metadata
  • Exiftool

Metagoofil
• Extracts metadata from publicly available documents belonging to a target company
  • pdf, doc, xls, ppt, docx, pptx, xlsx
• Uses Google hacks to find information in meta tags
• Generates a report of:
  • usernames, email addresses, software versions, server names, etc.
2.3 Advanced Google Search
• Google Hacking
• Google Dorking
• Google Hacking Database

Google hacking:
• The use of specialized Google searches
• Find unusual information such as:
  • Sites that may link back to the target’s website
  • Information about partners, vendors, suppliers, clients, etc.
  • Error messages that contain sensitive information
  • Files that contain passwords
  • Sensitive directories
  • Pages that contain hidden login portals
  • Advisories and server vulnerabilities
  • Software version information
  • Web app source code

Google dorking:
• Using search strings with advanced operators
• Find information not readily available on a website
• Can be used to find vulnerabilities, files containing passwords, lists of emails, log files, live camera feeds, and much more
• Considered an easy way of hacking
Operator   | Description                                                                 | Example
intitle:   | find strings in the title of a page                                         | intitle:"Your Text"
allintext: | find all terms in the title of a page                                       | allintext:"Contact"
inurl:     | find strings in the URL of a page                                           | inurl:"news.php?id="
site:      | restrict a search to a particular site or domain                            | site:yeahhub.com "Keyword"
filetype:  | find specific types of files (doc, pdf, mp3 etc) based on file extension    | filetype:pdf "Cryptography"
link:      | search for all links to a site or URL                                       | link:"example.com"
cache:     | display Google’s cached copy of a page                                      | cache:yeahhub.com
info:      | display summary information about a page                                   | info:www.example.com

Operator | Description                   | Example
OR       | Match at least one keyword    | google OR bing OR duckduckgo
AND      | Match all keywords            | Samsung AND Apple
" "      | Exact match                   | "Google Dorks Explained"
-        | Exclude a keyword             | Linux -site:Wikipedia.org
*        | Wildcard of one or more words | "username * password"
()       | Grouping keywords             | "google (dorks OR dorking OR hacking)" AND (explained OR tutorial OR guide)
Example dorks:
• Camera feeds – live feeds from AXIS cameras
    intitle:"Live View / - AXIS" | inurl:/mjpg/video.mjpg?timestamp
• Email lists contained in Excel files
    filetype:xls inurl:"email.xls"
• Log files containing passwords and corresponding emails
    filetype:log intext:password intext:(@gmail.com | @yahoo.com | @hotmail.com)
• Open FTP servers that can contain sensitive information
    intext:"index of" inurl:ftp
• Return results that match “accounting” from target.com, but NOT from marketing.target.com
    site:target.com -site:marketing.target.com accounting
• Pages vulnerable to SQL injection attacks
    inurl:".php?id=" intext:(error AND sql)
• Scanning reports – vulnerabilities in scanned systems
    intitle:report (nessus | qualys) filetype:pdf
• SQL database – contents of exposed databases, including usernames and passwords
    intitle:"index of" "dump.sql"
• List of popular Google Dorks (Google Hacking Database):
    https://www.exploit-db.com/google-hacking-database/
2.4 WHOIS Footprinting
• Internet Authorities
• Whois
• Whois Tools
Internet authorities:
• Internet Corporation for Assigned Names and Numbers (ICANN)
  • A not-for-profit public-benefit corporation
  • Dedicated to keeping the Internet secure, stable and interoperable
  • Promotes competition and develops policy on the Internet's unique identifiers
  • DNS names and Autonomous System (AS) numbers*
• The Internet Assigned Numbers Authority (IANA)
  • A department within ICANN
  • Maintains a central repository for Internet standards
  • Verifies and updates changes to Top Level Domain (TLD) information
  • Distributes Internet numbers to regions for Internet use
• The Internet Engineering Task Force (IETF)
  • An open standards organization
  • They develop and promote voluntary Internet standards (especially those related to IP)

* Every major network that is part of the Internet has an identifying Autonomous System number
Regional Internet Registries (RIRs): governing bodies that are responsible for controlling all IP addresses and domain registrations in their operating region
• American Registry for Internet Numbers (ARIN): U.S., Canada, Antarctica and parts of the Caribbean region
• Asia-Pacific Network Information Centre (APNIC): Asia, Australia, New Zealand
• African Network Information Center (AfriNIC): Africa and the Indian Ocean
• Reseaux IP Europeens Network Coordination Centre (RIPE NCC): Europe, Russia, Central Asia, Middle East
• Latin America and Caribbean Network Information Center (LACNIC): Latin America and parts of the Caribbean
Whois:
• A widely-used query and response protocol
• Used to query databases that store the registered users or assignees of an Internet resource such as:
  • Domain names
  • IP address blocks
  • Autonomous system numbers
• The protocol stores and delivers database content in a human-readable format
• It is widely and publicly available for use

Source: domainnamestat.com
• There is no single Whois database
• Registrars and registries each maintain their own respective Whois database
  • Registrars – companies and organizations that have ICANN accreditation and are registry certified to sell domain names
    • Also responsible for any resellers under them
  • Registries – organizations responsible for maintaining the records of a specific top level domain (TLD) such as .com, .net, .org, etc.
• ICANN requires that records remain accurate for the life of the domain registration
• WHOIS databases are maintained by Regional Internet Registries and hold personal information of domain owners
• A WHOIS query returns:
  • Domain name and details
  • Owner information
  • DNS servers
  • Network blocks
  • Autonomous System Numbers
  • When created
  • Expiry
  • Last update
• Can aid an attacker or ethical hacker with social engineering
Whois tools:
• whois.com
• Domainnamestat.com
• LanWhoIs
• Batch IP Converter
• CallerIP
• WhoIs Lookup Multiple Addresses
• WhoIs Analyzer Pro
• HotWhoIs
• ActiveWhoIs
• WhoisThisDomain
• UltraTools
• SoftFuse Whois
• Domain Dossier
• BetterWhois
• Whois Online
• Web Wiz
• Network-Tools.com
• DNSstuff
• Network Solutions Whois
• WebToolHub
2.5 DNS Footprinting
• DNS Information
• DNS Query Tools
• Location Search Tools
DNS information:
• Attackers use DNS data to find key hosts on the target’s network
• DNS record types:
  • A – IPv4 host address
  • AAAA – IPv6 host address
  • MX – mail server
  • NS – name server
  • CNAME – alias
  • SOA – authority for domain
  • SRV – service records
  • PTR – maps IP address to hostname
  • RP – responsible person
  • HINFO – host information record (CPU type/OS)
  • TXT – unstructured text record

DNS query tools:
• Nslookup
• dig
• host
• whatsmydns.net
• myDNSTools
• Professional Toolset
• DNS Records
• DNSData View
• DNSWatch
• DomainTools
• DNS Query Utility
• DNS Lookup
nslookup www.hackthissite.org

Server: 192.168.63.2
Address: 192.168.63.2#53

Non-authoritative answer:
Name: www.hackthissite.org
Address: 137.74.187.103
Name: www.hackthissite.org
Address: 137.74.187.102
dig www.example.com                           # default query (A record) through the system resolver
dig @8.8.8.8 www.example.com A                # A record, asking a specific name server
dig +short www.example.com A                  # answer only, without headers and statistics
dig example.com txt                           # TXT records
dig example.com cname                         # CNAME (alias) records
dig example.com ns                            # name servers for the zone
dig example.com MX                            # mail servers
dig axfr zonetransfer.me @nsztm1.digi.ninja.  # request a full zone transfer (AXFR) from that name server
Sublist3r
• Find subdomains for a domain
• Install in Kali:
    apt install sublist3r
    sublist3r -d <domain>
• Subdomains are useful to investigate
  • They are often independently managed by the local business unit or child organization
  • They typically have fewer resources (and thus fewer security controls) than the parent organization
Location search tools help you perform physical or aerial reconnaissance of a target:
• Google Maps
• Google Earth
• Wikimapia
• National Geographic Maps
• Yahoo Maps
• Bing Maps
2.6 Website Footprinting
• Tools
• Spiders
• Mirroring
• Update Monitoring
Website footprinting: monitoring and analyzing the target’s website for information
• Browse the target website
• Use Burp Suite, Zaproxy, Paros Proxy, Website Informer, Firebug, etc. to determine:
  • Connection status and content-type
  • Accept-Ranges and Last-Modified information
  • X-Powered-By information
  • Web server version
• Examine HTML sources
• Examine cookies
• Use OSINT to discover additional information about a website
  • Identify personnel, hostnames, domain names, and useful data residing on exposed web servers
  • Search Google, Netcraft, Shodan, LinkedIn, PGP key servers, and other sites
  • Search known domain names and IP blocks

Cache search tool:
• Searches Google’s cache
• Looks for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites
• Use it to find information that can be exposed through Google Dorking
Web spiders:
• Web spiders automate searches on the target website and collect information:
  • employee names, titles, addresses, email, phone and fax numbers, meta tags
• Helps with footprinting and social engineering attacks
• Tools:
  • SpiderFoot
  • Visual SEO Studio
  • WildShark SEO Spider Tool
  • Beam Us Up SEO Spider
  • Scrapy
  • Screaming Frog
  • Xenu

DIRB
• Web content scanner
• Looks for existing and hidden web objects
• Useful for finding hidden subdirectories in a web app
• Works by launching a dictionary based attack against a web server
• Analyzes the response

DirBuster
• Similar to DIRB
• GUI-based
Website mirroring:
• Download an entire copy of the website to a local directory
• You can examine the entire website offline
• Helps gather information without making website requests that could be detected
• You can take your time searching
• Need to copy slowly
• Tools:
  • HTTrack Web Site Copier
  • SurfOffline
  • Teleport Pro
  • Portable Offline Browser
  • Gnu Wget
  • BlackWidow
  • Ncollector Studio
  • Website Ripper Copier
  • PageNest
  • Backstreet Browser
  • Offline Explorer Enterprise
  • Archive.org
  • WebWatcher

Archive.org:
• Allows access to archived versions of the website
• Copies the site as it was at the time
• You can find information that was subsequently deleted
• Archived sites may or may not include original downloads
• Also contains extensive content uploaded by the community

Update monitoring:
• Automatically checks web pages for updates and changes
• Sends alerts to interested users
• Example tools:
  • Website Watcher
  • Visual Ping
  • Follow that Page
  • Watch that Page
  • Check4Change
  • OnWebChange
  • Infominder
2.7 Email Footprinting
• Email Source Header
• Email Tracking
• Email Tracking Tools
Email source header:
• Reading the email source header can reveal:
  • Address from which the message was sent
  • Sender’s mail server
  • Authentication system used by the sender’s mail server
  • Date and time of message
  • Sender’s name
• Also reveals:
  • Spoofed info
  • Bogus links and phishing techniques
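Reading the header chain by hand is error-prone, so here is an added example (not from the module) that does it programmatically: it walks the Received: headers from the last (first hop) upward to recover the originating IP, the first mail server that accepted the message and the submission protocol, reads the Authentication-Results for SPF/DKIM/DMARC, and flags a From: domain that does not match the envelope sender. The message is constructed from documentation domains and RFC 5737 addresses; it represents no real sender.

```python
"""Read an email's source headers: originating address, sender's mail server,
authentication results and signs of a spoofed From: address."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message: documentation domains and RFC 5737 addresses only.
SAMPLE_EMAIL = b"""Return-Path: <bulk@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123; Tue, 5 Mar 2024 10:15:02 +0000
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
\tby mx.example.org with ESMTPS id xyz789; Tue, 5 Mar 2024 10:15:01 +0000
Received: from [10.0.0.5] (unknown [203.0.113.44])
\tby mailer.example.net with ESMTPA id q1w2e3; Tue, 5 Mar 2024 10:14:59 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=bank.example.com
From: "Example Bank" <alerts@bank.example.com>
To: user@example.org
Date: Tue, 5 Mar 2024 10:14:58 +0000

Click the link to verify.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_received(header: str) -> dict:
    """One Received: header -> announced host, real peer IP, receiving host,
    protocol and the timestamp that follows the last ';'."""
    m_from = re.search(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", header)
    m_by = re.search(r"\bby\s+(\S+)", header)
    m_with = re.search(r"\bwith\s+(\S+)", header)
    # The relay records the peer's real address in the parenthesised comment;
    # the name before it is only what the client claimed in HELO.
    m_ip = re.search(r"\[(%s)\]" % IPV4, m_from.group(2) or "") if m_from else None
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "with": m_with.group(1) if m_with else None,
        "date": header.rsplit(";", 1)[1].strip() if ";" in header else None,
    }


def parse_auth_results(header: str) -> dict:
    """spf/dkim/dmarc -> result token from an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def analyze_email(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Each relay prepends its own Received: header, so the last one is the first hop.
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])]
    origin = hops[-1] if hops else {}
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    m_rp = re.search(r"<([^>]+)>", str(msg.get("Return-Path", "")))
    return_path = m_rp.group(1) if m_rp else ""

    findings = []  # the "spoofed info" the module says a header can reveal
    from_dom, rp_dom = from_addr.rpartition("@")[2].lower(), return_path.rpartition("@")[2].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append("From: domain %s differs from envelope sender %s" % (from_dom, rp_dom))
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed for the From: domain")
    if auth.get("dkim", "none") == "none":
        findings.append("no DKIM signature")
    return {
        "origin_ip": origin.get("ip"), "origin_host": origin.get("from"),
        "sender_mta": origin.get("by"), "submission": origin.get("with"),
        "origin_date": origin.get("date"), "hops": hops, "auth": auth,
        "from": from_addr, "return_path": return_path, "findings": findings,
    }
```

Call analyze_email(SAMPLE_EMAIL) to see the originating address 203.0.113.44 behind the announced [10.0.0.5], the accepting server mailer.example.net, and three findings pointing at a spoofed bank From: address.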
Email tracking:
• Tracking emails can reveal:
  • Recipient IP address
  • Geolocation
  • Email received and read
  • Read duration
  • Proxy detection
  • Links
  • OS and browser info
  • Forwarded email
  • Recipient device type
• Email tracking tools:
  • EmailTrackerPro
  • PoliteMail
  • Yesware
  • ContactMonkey
  • Zendio
  • ReadNotify
  • DidTheyReadit
  • Trace Email
  • Email Lookup
  • Pointofmail
  • WhoReadMe
  • GetNotify
  • G-Lock Analytics
2.8 Network Footprinting
• Network Range
• Network Whois
• Traceroute
Network range:
• Map the target network
• Find in RIR whois database search
• Search online:
  • https://centralops.net/co/domaindossier.aspx
  • https://networksdb.io/ip-addresses-of/
• Use command prompt tools:
  • whois
  • curl

$ host -t a github.io
github.io has address 185.199.109.153

$ whois 185.199.109.153
inetnum: 185.199.108.0 - 185.199.111.255
netname: US-GITHUB-20170413
country: US

$ curl -s https://networksdb.io/ip-addresses-of/github-inc | grep 'IP Range' | awk '{print $3" - "$5}' | sort
140.82.112.0 - 140.82.127.255
148.62.46.150 - 148.62.46.151
Traceroute:
• Discover routers and firewalls along the path to a target
• Uses ICMP or UDP with an increasing TTL to elicit router identification
• Find the IP address of the target firewall
• Helps map the target network
• Tools:
  • https://www.monitis.com/traceroute/
  • https://centralops.net/co/
  • Path Analyzer Pro
  • VisualRoute
  • Network Pinger
  • GEOSpider
  • vTrace
  • Trout
  • Roadkil’s Trace Route
  • Magic NetTrace
  • 3D Traceroute
  • AnalogX HyperTrace
  • Network Systems Traceroute
  • Ping Plotter
2.9 Footprinting through Social Networking Sites
• Social Networking Sites
• Information
• People Search
• Social Media Groups
Social networking sites:
• Attackers use social networking sites to gain important and sensitive data about their target
• They often create fake profiles on these social media sites
• The aim is to lure their target and extract vulnerable information
• Employees may post:
  • Personal information such as DOB, educational and employment background, spouse’s names, etc.
  • Information about their company such as potential clients and business partners, trade secrets of business, websites, company’s upcoming news, mergers, acquisitions, etc.
• Common social networking sites used:
  • Facebook, MySpace, LinkedIn, Twitter, Pinterest, Google+, YouTube, Instagram

Information available:
• Present activity/physical location
• Job activities
• Company information
• Contact details, names, numbers, addresses, date of birth, photos
• Family & friends
• Property information
• Bank details
• Background and criminal checks

People search:
• A great source of personal and organizational information
  • Residential addresses, email addresses, phone number
  • Satellite photos of residences
  • Date of birth
  • Photos and social networking profiles
  • Friends/family/associates
  • Hobbies/current activities/blogs
  • Work information
  • Projects and operating environment
  • Travel details
• People search tools:
  • CheckPeople
  • BeenVerified
  • Truthfinder
  • peopleWhiz
  • PeopleLooker
  • Intelius
  • Checkmate
  • Peoplefinders
  • IDtrue

Social media groups:
• Social media groups, forums, and blogs provide more intimate information about a person
  • Current interests
  • Current activities
  • Hobbies
  • Political and social viewpoints
• Can be used to cultivate a relationship with the target
• Attackers create fictitious profiles and attempt to join groups
• Disinformation campaigns use bots to:
  • Automate posting
  • Increase visibility of an issue
  • Give malicious information traction
  • Make an opinion or idea seem to be popular
2.10 Footprinting and Reconnaissance Countermeasures
• Mitigation and protection methods
Mitigation and protection methods:
• Recognize that once information is on the Internet, it might never fully disappear
• Perform OSINT on yourself regularly to see what’s out there
  • Identify information that might be harmful
  • When possible, go to the sites that publish that information and remove it
• Delete/deactivate unnecessary social media profiles
• Use an identity protection service
• Use Shodan and Google Dorks to search for exposed files and devices
  • If any are discovered, implement protective measures
• Set up a monitoring service such as Google Alerts to notify you if new information appears
• Train yourself (and your employees) to recognize the danger and be cautious about what they share on social media
• If possible, use a data protection solution to minimize data leakage from the company
• Turn off tracking features on your phone and configure privacy settings
• Disable location on photos you plan to post publicly on social media
• Remove metadata from images if you don’t want others to know which device you are using to capture them
• Conduct only private dialogues, trying to avoid public communication on forums and other sites
• Keep a close eye on which web pages and portals you visit
  • Some of them may require too much information for registration: name, phone number, real address
• Use different nicknames on the Internet – it will be much more difficult to find you
• Switch your profile to private mode, if the social network allows you to do this
• When adding friends on social media, only add people you actually know in real life
2.11 Footprinting and Reconnaissance Review

• Footprinting gathers as much information as possible about a target in advance of the attack
• You’re looking for any information that can help you break into the target network
• Footprinting can be passive or active
• It’s usually subtle / unnoticeable
• Small, random, seemingly unimportant details can together paint a bigger picture or become important later in your hacking efforts
• Research sources can include:
  • Search engines
  • Whois
  • Websites
  • DNS
  • Social media
  • Social networking sites
  • Email
  • Job boards
  • Press releases
  • Advanced online services
  • Competitive intelligence sites
  • Limited social engineering
• OSINT is the use of publicly available sources and tools to footprint a target
• You can perform advanced Google searches using “dorks” (search strings with advanced operators)
• The Google Hacking Database (GHDB) lists popular dorks created by the community
• Whois is a protocol for searching domain registration information
• You can use dig, nslookup, and many other tools to query a DNS server for host information
• You can footprint websites through the use of:
  • Spiders that automatically crawl through a website looking for specific types of information
  • Site mirroring so you can take your time examining an offline copy of the website
  • Tools like dirb and DirBuster that attempt to uncover hidden subdirectories on a website
  • Google cache and archive.org that maintain snapshots of websites over time
• You can examine email headers and use email tracking tools to identify the actual source of an email
• You can use Whois, traceroute, and other tools to identify IP blocks, the firewall IP address, and other network-available points of entry to the target
• Social networking sites and social media can provide a wealth of information
