Module 02: Footprinting and Reconnaissance
Objective
The objective of the lab is to extract information about the target organization that includes, but is not limited to:
Organization Information: Employee details, addresses and contact details, partner details, weblinks, web technologies, patents, trademarks, etc.
Network Information: Domains, sub-domains, network blocks, network topologies, trusted routers, firewalls, IP addresses of the reachable systems, the Whois record, DNS records, and other related information
System Information: Operating systems, web server OSes, location of web servers, user accounts and passwords, etc.
Overview of Footprinting
Footprinting refers to the process of collecting information about a target network and its environment, which helps in evaluating the security posture of the target organization’s IT infrastructure. It also helps to identify the level of risk associated with the organization’s publicly accessible information.
Footprinting can be categorized into passive footprinting and active footprinting:
Passive Footprinting: Involves gathering information without direct interaction. This type of footprinting is principally useful when there is a requirement that the information-gathering activities are not to be detected by the target.
Active Footprinting: Involves gathering information with direct interaction. In active footprinting, the target may recognize the ongoing information gathering process, as we overtly interact with the target network.
Lab-1 - Task 1: Gather Information using Advanced Google Hacking Techniques
Type
intitle:login site:eccouncil.org
and press Enter. This search command uses the intitle and site Google advanced operators, which restrict results to pages on the eccouncil.org website that contain login pages. An example is shown in the screenshot below.
In the search bar, type the command
EC-Council filetype:pdf ceh
and press Enter to search for results based on the file extension and the keyword (here, ceh).
Apart from the aforementioned advanced Google operators, you can also use the following to perform an advanced search to gather more information about the target organization from publicly available sources.
cache: This operator allows you to view the cached version of a web page. [cache:www.eccouncil.org] - Query returns the cached version of the website www.eccouncil.org
allinurl: This operator restricts results to pages containing all the query terms specified in the URL. [allinurl: EC-Council career] - Query returns only pages containing the words “EC-Council” and “career” in the URL
inurl: This operator restricts results to pages containing the word specified in the URL. [inurl: copy site:www.eccouncil.org] - Query returns only pages on the EC-Council site in which the URL has the word “copy”
allintitle: This operator restricts results to pages containing all the query terms specified in the title. [allintitle: detect malware] - Query returns only pages containing the words “detect” and “malware” in the title
inanchor: This operator restricts results to pages containing the query terms specified in the anchor text on links to the page. [Anti-virus inanchor:Norton] - Query returns only pages with anchor text on links to the pages containing the word “Norton” and the page containing the word “Anti-virus”
allinanchor: This operator restricts results to pages containing all query terms specified in the anchor text on links to the page. [allinanchor: best cloud service provider] - Query returns only pages in which the anchor text on links to the pages contains the words “best,” “cloud,” “service,” and “provider”
link: This operator searches websites or pages that contain links to the specified website or page. [link:www.eccouncil.org] - Finds pages that point to EC-Council’s home page
related: This operator displays websites that are similar or related to the URL specified. [related:www.eccouncil.org] - Query provides the Google search engine results page with websites similar to eccouncil.org
info: This operator finds information for the specified web page. [info:eccouncil.org] - Query provides information about the www.eccouncil.org home page
location: This operator finds information for a specific location. [location: EC-Council] - Query gives you results based around the term EC-Council
Lab-1 - Task 2: Gather Information from Video Search Engines
After the video link is copied, open a new tab in Mozilla Firefox, place your mouse cursor in the address bar, enter https://mattw.io/youtube-metadata/ and press Enter.
You can use other video and image search engines such as:
Google videos (https://www.google.com/videohp)
Yahoo videos (https://in.video.search.yahoo.com)
EZGif (https://ezgif.com)
TinEye Reverse Image Search (https://tineye.com)
Yahoo Image Search (https://images.search.yahoo.com)
Lab-1 - Task 3: Gather Information from FTP Search Engines
You can use FTP search engines such as NAPALM FTP or FreewareWeb FTP File Search to gather crucial FTP information about the target organization.
Lab-1 - Task 4: Gather Information from IoT Search Engines
IoT search engines crawl the Internet for IoT devices that are publicly accessible. These search engines provide crucial information, including control of SCADA (Supervisory Control and Data Acquisition) systems, traffic control systems, Internet-connected household appliances, industrial appliances, CCTV cameras, etc.
Lab-2 - Task 1: Find the Company’s Domains and Sub-domains using Netcraft
Netcraft - https://www.netcraft.com
Sublist3r - https://github.com
Pentest-Tools Find Subdomains - https://pentest-tools.com
Lab-2 - Task 2: Gather Personal Information using PeekYou Online People Search Service
PeekYou - https://www.peekyou.com
Spokeo - https://www.spokeo.com
pipl - https://pipl.com
Intelius - https://www.intelius.com
BeenVerified - https://www.beenverified.com
Lab-2 - Task 3: Gather an Email List using theHarvester
theHarvester: This tool gathers emails, subdomains, hosts, employee names, open ports, and banners from different public sources such as search engines (Google, Bing, etc.), PGP key servers, and the SHODAN computer database to extract valuable information about the target domain. This tool is intended to help ethical hackers and pen testers in the early stages of a security assessment to understand the organization’s footprint on the Internet. It is also useful for anyone who wants to know what organizational information is visible to an attacker.
Lab-2 - Task 4: Gather Information using Deep and Dark Web Searching
You can also anonymously explore the following onion sites using Tor Browser to gather other relevant information about the target organization:
The Hidden Wiki is an onion site that works as a Wikipedia service of hidden websites. (http://zqktlwiuavvvqqt4ybvgvi7tyo4hjl5xgfuvpdf6otjiycgwqbym2qad.onion/wiki)
FakeID is an onion site for creating fake passports (http://ymvhtqya23wqpez63gyc3ke4svju3mqsby2awnhd3bk2e65izt7baqad.onion)
Cardshop is an onion site that sells cards with good balances (http://s57divisqlcjtsyutxjz2ww77vlbwpxgodtijcsrgsuts4js5hnxkhqd.onion)
You can also use tools such as:
ExoneraTor (https://metrics.torproject.org)
OnionLand Search engine (https://onionlandsearchengine.com)
Lab-2 - Task 5: Determine Target OS Through Passive Footprinting
Censys (https://search.censys.io/)
Netcraft (https://www.netcraft.com)
Shodan (https://www.shodan.io)
Lab-3 - Task 2: Gather Personal Information from Various Social Networking Sites using Sherlock
Type
python3 sherlock satya nadella
and press Enter. You will get all the URLs related to Satya Nadella, as shown in the screenshot. Scroll down to view all the results.
Lab-4 - Task 2: Gather Information about a Target Website using Photon
Photon is a Python script used to crawl a given target URL to obtain information such as URLs (in-scope and out-of-scope), URLs with parameters, email addresses, social media accounts, files, secret keys and subdomains. The extracted information can further be exported in the JSON format.
Type
python3 photon.py -u http://www.certifiedhacker.com
and press Enter to crawl the target website for internal, external and script URLs.
Now, type
python3 photon.py -u http://www.certifiedhacker.com -l 3 -t 200 --wayback
and press Enter to crawl the target website using URLs from archive.org.
Lab-4 - Task 3: Gather Information About a Target Website using Central Ops
The Central Ops website - https://centralops.net
Website Informer (https://website.informer.com)
Burp Suite (https://portswigger.net)
Zaproxy (https://www.zaproxy.org)
Lab-4 - Task 4: Extract a Company’s Data using Web Data Extractor
Web data extraction is the process of extracting data from web pages available on the company’s website. A company’s data such as contact details (email, phone, and fax), URLs, meta tags (title, description, keywords) for website promotion, directories, web research, etc. are important sources of information for an ethical hacker. Web spiders (also known as web crawlers or web robots) such as Web Data Extractor perform automated searches on the target website and extract the specified information from it.
The Web Data Extractor Pro main window appears. Click new session to start a new session.
The Session window appears; type a URL (here, https://www.certifiedhacker.com) in the Start URL field. Check all the options, as shown in the screenshot.
Web Data Extractor will start collecting information (Session, Meta tags, Emails, Phones, Faxes, Links, and Domains).
ParseHub (https://www.parsehub.com)
SpiderFoot (https://www.spiderfoot.net)
Lab-4 - Task 5: Mirror a Target Website using HTTrack Web Site Copier
Website mirroring is the process of creating a replica or clone of the original website. Mirroring a website helps you to footprint it thoroughly on your local system: it downloads the website to a local directory so that you can analyze all directories, HTML, images, Flash, videos, and other files from the server on your own computer.
You can duplicate websites by using website mirroring tools such as HTTrack Web Site Copier. HTTrack is an offline browser utility that downloads a website from the Internet to a local directory, builds all directories recursively, and transfers HTML, images, and other files from the webserver to another computer.
Here, we will use the HTTrack Web Site Copier tool to mirror the entire website of the target organization, store it in the local system drive, and browse the local website to identify possible exploits and vulnerabilities.
Cyotek WebCopy (https://www.cyotek.com)
Lab-4 - Task 6: Gather Information About a Target Website using GRecon
GRecon searches for available subdomains, sub-subdomains, login pages, directory listings, exposed documents, WordPress entries and pasting sites and displays the results.
Lab-4 - Task 7: Gather a Wordlist from the Target Website using CeWL
In the terminal window, type
cewl -d 2 -m 5 https://www.certifiedhacker.com
and press Enter. A unique wordlist from the target website is gathered, as shown in the screenshot.
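The Photon, Web Data Extractor and CeWL tasks above all rest on the same mechanic: crawl a site to a fixed depth and harvest links, e-mail addresses, meta tags and a minimum-length wordlist. The following added example (not code from any of those tools) reproduces that mechanic over a constructed in-memory site so a defender can audit what a public site exposes; the site.example hostnames, page contents and the crawl()/Extractor names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site standing in for www.certifiedhacker.com (runs offline).
SITE = {
    "https://site.example/": '<html><head><title>Acme Widgets</title><meta name="description" '
        'content="Industrial widget supplier"></head><body><a href="/about">About</a> '
        '<a href="/careers">Careers</a> Contact: sales@site.example</body></html>',
    "https://site.example/about": '<html><body>Founded by Jane Doe. Our flagship product '
        'is WidgetMaster. <a href="/about/team">Team</a></body></html>',
    "https://site.example/about/team": '<html><body>Engineering lead: j.doe@site.example '
        '<a href="https://partner.example/">Partner</a></body></html>',
}

class Extractor(HTMLParser):
    # Collect anchors, visible text and named meta tags from one page.
    def __init__(self):
        super().__init__()
        self.links, self.text, self.meta = [], [], {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and a.get("name") and a.get("content"):
            self.meta[a["name"]] = a["content"]
    def handle_data(self, data):
        self.text.append(data)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def crawl(start, depth=2, min_len=5, fetch=SITE.get):
    """Follow same-host links up to `depth` hops (cewl -d 2); keep words of >= `min_len`
    letters (cewl -m 5), e-mails, in/out-of-scope URLs and meta tags (Photon, WDE)."""
    host, seen, queue = urlparse(start).netloc, set(), [(start, 0)]
    out = {"words": set(), "emails": set(), "internal": set(), "external": set(), "meta": {}}
    while queue:
        url, d = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:                      # dead link (e.g. /careers) yields nothing
            continue
        p = Extractor()
        p.feed(html)
        text = " ".join(p.text)
        out["words"].update(w for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len)
        out["emails"].update(EMAIL_RE.findall(text))
        out["meta"].update(p.meta)
        for href in p.links:
            full = urljoin(url, href)
            if urlparse(full).netloc != host:
                out["external"].add(full)
            else:
                out["internal"].add(full)
                if d < depth:                 # only queue pages still within the hop limit
                    queue.append((full, d + 1))
    return out
```

Pass a real fetch callable (one that returns page HTML or None) to run it against a site you own; lowering depth shows how much of the leaked data sits behind the first hop.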
Lab-5 - Task 1: Gather Information about a Target by Tracing Emails using eMailTrackerPro
Lab-6 - Task 1: Perform Whois Lookup using DomainTools
SmartWhois (https://www.tamos.com)
Batch IP Converter (http://www.sabsoft.com)
Lab-7 - Task 1: Gather DNS Information using nslookup Command Line Utility and Online Tool
nslookup is a network administration command-line utility, generally used for querying the DNS to obtain a domain name to IP address mapping or any other specific DNS record. This utility is available both as a command-line tool and as a web application.
In the Windows 11 machine, launch a Command Prompt, type nslookup and press Enter. This displays the default server and its address assigned to the Windows 11 machine.
In the nslookup interactive mode, type set type=a and press Enter. Setting the type as “a” configures nslookup to query for the IP address of a given domain.
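What nslookup does after set type=a is send a DNS A query and decode the answer records. The following added example (not part of the lab, and not nslookup's code) builds that query packet and parses a constructed response, including the name-compression pointers real resolvers use; the function names, transaction ID 0x1234 and the documentation address 203.0.113.10 are assumptions.

```python
import struct

# Added example: the wire-format A query nslookup sends after "set type=a", plus a
# parser for the answer section. The response is constructed; no network is used.
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_a_query(name, txid=0x1234):
    """12-byte header (ID, flags RD=1, QDCOUNT=1) followed by one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # pointer: top two bits set, 14-bit offset
            if not jumped:
                end = off + 2                 # the field ends after the first pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), end if jumped else off

def parse_a_answers(msg):
    """Return {owner name: [IPv4, ...]} for every A record in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = {}
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.setdefault(name, []).append(".".join(str(b) for b in rdata))
    return answers

def sample_response():
    """Constructed reply: flags 0x8180 (QR, RD, RA), answer name is pointer 0xC00C to offset 12."""
    question = build_a_query("www.example.com")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([203, 0, 113, 10])
    return header + question + rr
```

Sending build_a_query() over UDP port 53 to the default server shown by nslookup and feeding the reply to parse_a_answers() reproduces the lab's set type=a lookup.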
Other Tools:
DNSdumpster (https://dnsdumpster.com)
DNS Records (https://network-tools.com)
Lab-7 - Task 2: Perform Reverse DNS Lookup using Reverse IP Domain Check and DNSRecon
Lab-7 - Task 3: Gather Information of Subdomain and DNS Records using SecurityTrails
SecurityTrails is an advanced DNS enumeration tool that is capable of creating a DNS map of the target domain network. It can enumerate both current and historical DNS records such as A, AAAA, NS, MX, SOA, and TXT, which helps in building the DNS structure. It also enumerates all the existing subdomains of the target domain using brute-force techniques.
DNSChecker (https://dnschecker.org)
DNSdumpster (https://dnsdumpster.com)
Lab-8 - Task 1: Locate the Network Range
Lab-8 - Task 2: Perform Network Tracerouting in Windows and Linux Machines
tracert (Windows) / traceroute (Linux)
VisualRoute (http://www.visualroute.com)
Traceroute NG (https://www.solarwinds.com)
Lab-9 - Task 1: Footprinting a Target using Recon-ng
Recon-ng is a web reconnaissance framework with independent modules and database interaction that provides an environment in which open-source web-based reconnaissance can be conducted. Here, we will use Recon-ng to perform network reconnaissance, gather personnel information, and gather target information from social networking sites.
Lab-9 - Task 2: Footprinting a Target using Maltego
Maltego is a footprinting tool used to gather maximum information for the purpose of ethical hacking, computer forensics, and pentesting. It provides a library of transforms to discover data from open sources and visualizes that information in a graph format, suitable for link analysis and data mining. Maltego provides a graphical interface that makes seeing these relationships instant and accurate, and even makes it possible to see hidden connections.
Lab-9 - Task 3: Footprinting a Target using OSRFramework
OSRFramework is a set of libraries that are used to perform Open Source Intelligence tasks. They include references to many different applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, and many others. It also provides a way of making these queries graphically as well as several interfaces to interact with such as OSRFConsole or a Web interface.
Use domainfy to check for existing domains built from words and nicknames. Type domainfy -n [Domain Name] -t all (here, the target domain name is ECCOUNCIL) and press Enter.
Use searchfy to check for the existence of a given user’s details on different social networking platforms such as Github, Instagram and Keyserverubuntu. Type searchfy -q "target user name or profile name" (here, the target user name or profile is Tim Cook and it is searched on all the social media platforms) and press Enter.
Similarly, you can use following OSRFramework packages to gather more information about the target:
usufy - Gathers registered accounts with given usernames
mailfy - Gathers information about email accounts
phonefy - Checks for the existence of a given series of phones
entify - Extracts entities using regular expressions from provided URLs
Lab-9 - Task 4: Footprinting a Target using FOCA
FOCA (Fingerprinting Organizations with Collected Archives) is a tool that reveals metadata and hidden information in scanned documents. These documents are searched for using three search engines: Google, Bing, and DuckDuckGo. The results from the three engines amount to a large number of documents. FOCA examines a wide variety of file types, the most common being Microsoft Office, OpenOffice and PDF documents. It may also work with Adobe InDesign or SVG files. These documents may be hosted on the site’s pages and can be downloaded and analyzed with FOCA.
The FOCA new project wizard appears; follow the steps below:
Enter a project name in the Project name field (here, Project of www.eccouncil.org).
Enter the domain website in the Domain website field (here, www.eccouncil.org).
You can leave the optional Alternative domains field empty.
Under the Folder where to save documents field, click on the Folder icon. When the Browse For Folder pop up window appears, select the location to save the document that is extracted by FOCA (here, Desktop) and click OK.
Leave the other settings to default and click the Create button.
Lab-9 - Task 5: Footprinting a Target using BillCipher
BillCipher is an information gathering tool for a Website or IP address. Using this tool, you can gather information such as DNS Lookup, Whois lookup, GeoIP Lookup, Subnet Lookup, Port Scanner, Page Links, Zone Transfer, HTTP Header, etc. Here, we will use the BillCipher tool to footprint a target website URL.
BillCipher displays various available options that you can use to gather information regarding a target website.
Lab-9 - Task 6: Footprinting a Target using OSINT Framework
OSINT Framework is an open source intelligence gathering framework that helps security professionals in performing automated footprinting and reconnaissance, OSINT research, and intelligence gathering. It is focused on gathering information from free tools or resources. This framework includes a simple web interface that lists various OSINT tools arranged by category and shown as an OSINT tree structure.
The OSINT Framework includes the following indicators with the available tools:
(T) - Indicates a link to a tool that must be installed and run locally
(D) - Google Dork
(R) - Requires registration
(M) - Indicates a URL that contains the search term and the URL itself must be edited manually
Recon-Dog (https://www.github.com)
Grecon (https://github.com)
Th3Inspector (https://github.com)
Raccoon (https://github.com)
Orb (https://github.com)
Hacker's Mantra:
A hacker is someone who enjoys playful cleverness, not necessarily with computers. The programmers in the old MIT free software community of the 60s and 70s referred to themselves as hackers. Around 1980, journalists who discovered the hacker community mistakenly took the term to mean "security breaker." - Richard Stallman