CEHv13 Notes – Module 02: Footprinting and Reconnaissance

Footprinting is the first step in evaluating the security posture of a target organization's IT infrastructure. Through footprinting and reconnaissance, one can gather the maximum amount of information about a computer system or network and about any device connected to that network. In other words, footprinting provides a security profile blueprint for an organization and should be undertaken in a methodical manner.

Topics:

  1. Explain Footprinting Concepts
  2. Demonstrate Footprinting through Search Engines
  3. Demonstrate Footprinting through Internet Research Services
  4. Demonstrate Footprinting through Social Networking Sites
  5. Use Different Techniques for Whois Footprinting
  6. Use Different Techniques for DNS Footprinting
  7. Use Different Techniques for Network and Email Footprinting
  8. Demonstrate Footprinting through Social Engineering
  9. Automate Footprinting Tasks using Advanced Tools and AI
  10. Explain Footprinting Countermeasures


1. Explain Footprinting Concepts

Reconnaissance

Reconnaissance (also known as footprinting) refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack. An essential aspect of footprinting is identifying the level of risk associated with the organization’s publicly accessible information. Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization’s network.

Types of Reconnaissance

  • Passive
    Gathering information about the target without direct interaction. It involves:
    o Open-source intelligence (OSINT) gathering
    o Proprietary databases and paid services
    o Sharing intelligence with partner organizations or industry groups
  • Active
    Gathering information about the target with direct interaction. It involves:
    o DNS interrogation
    o Social engineering
    o Network/port scanning
    o User and service enumeration
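The distinction matters for defenders: passive collection leaves no trace on the target, while the active techniques listed above do. The script below is an added example (not part of the CEH material) that flags two of them in constructed log lines: zone-transfer and ANY queries in BIND-style query logs, and sources that hit many distinct ports in a short window in iptables-style firewall logs. Both log samples and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed BIND-style query-log lines (not real traffic): a zone-transfer
# attempt, an ANY query and one ordinary lookup from a different client.
DNS_LOG = """\
12-Mar-2024 10:01:02.100 queries: info: client 203.0.113.7#53211: query: corp.example IN AXFR -E(0) (198.51.100.2)
12-Mar-2024 10:01:02.300 queries: info: client 203.0.113.7#53212: query: corp.example IN ANY -E(0) (198.51.100.2)
12-Mar-2024 10:01:05.000 queries: info: client 192.0.2.15#40011: query: www.corp.example IN A -E(0) (198.51.100.2)
"""

# Constructed iptables-style log lines: 203.0.113.7 probes 12 ports in 12 s,
# while 192.0.2.15 retries a single port (normal behaviour, not a scan).
def _fw_line(sec, src, dpt):
    return (f"Mar 12 10:02:{sec:02d} gw kernel: IN=eth0 SRC={src} "
            f"DST=198.51.100.10 PROTO=TCP SPT={40000 + sec} DPT={dpt} SYN")

FW_LOG = "\n".join(
    [_fw_line(s, "203.0.113.7", p) for s, p in
     enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080])]
    + [_fw_line(s, "192.0.2.15", 443) for s in range(20, 26)]
)

DNS_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")
FW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")
INTERROGATION_QTYPES = {"AXFR", "IXFR", "ANY"}  # query types typical of DNS interrogation

def dns_interrogation_attempts(log):
    """Return (client_ip, name, qtype) for zone-transfer and ANY queries."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(3).upper() in INTERROGATION_QTYPES:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

def port_scan_sources(log, min_ports=10, window_s=60):
    """Return sources that hit at least min_ports distinct ports within window_s seconds."""
    events = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events[m.group(2)].append((ts, int(m.group(3))))
    scanners = set()
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct destination ports seen in the window opened by this event.
            ports = {p for t, p in evs[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scanners.add(src)
                break
    return sorted(scanners)

if __name__ == "__main__":
    print("DNS interrogation:", dns_interrogation_attempts(DNS_LOG))
    print("Port-scan sources:", port_scan_sources(FW_LOG))
```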

Information Obtained in Footprinting

Organization information
• Employee details 
• Telephone numbers 
• Branch and location details 
• Background of the organization 
• Web technologies
• News articles, press releases, and related documents

Network information
• Domain and sub-domains 
• Network blocks
• Network topology, trusted routers, and firewalls
• IP addresses of the reachable systems
• Whois records 
• DNS records

System Information

• Web server OS 
• Location of web servers
• Publicly available email addresses
• Usernames and passwords 

2. Demonstrate Footprinting through Search Engines

Footprinting Using Advanced Google Hacking Techniques

• Attackers use search engines to extract information about a target, such as employed technology platforms, employee details, login pages, and intranet portals, which help the attacker to perform social engineering and other types of advanced system attacks
• Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information that helps attackers find vulnerable targets

Attackers can use the advanced search operators available with these search engines to create complex queries that find, filter, and sort specific information regarding the target. Search engines are also used to find other sources of publicly accessible information. For example, you can type “top job portals” to find major job portals that provide critical information about the target organization.

What can a Hacker Do with Google Hacking?

An attacker can create complex search-engine queries to filter large amounts of search results and obtain information related to computer security. The attacker can use Google operators to locate specific strings of text within search results. Thus, the attacker can not only detect websites and web servers that are vulnerable to exploitation but also locate private and sensitive information about the target. Once a vulnerable site is identified, attackers attempt to launch various possible attacks, such as buffer overflow and SQL injection, which compromise information security. Examples of sensitive information on public servers that an attacker can extract with the help of Google Hacking Database (GHDB) queries include:
▪ Error messages that contain sensitive information 
▪ Files containing passwords 
▪ Sensitive directories 
▪ Pages containing logon portals 
▪ Pages containing network or vulnerability data, such as IDS, firewall logs, and configurations
▪ Advisories and server vulnerabilities 
▪ Software version information 
▪ Web application source code 
▪ Connected IoT devices and their control panels, if unprotected 
▪ Hidden web pages such as intranet and VPN services
Example: Use the Google advanced operator syntax [intitle:intranet inurl:intranet +intext:”human resources”] to find sensitive information about a target organization and its employees. Attackers use the gathered information to perform social engineering attacks.
An attacker can also leverage ChatGPT or another generative AI tool to perform this task with an appropriate prompt such as: “Use filetype search operator to obtain pdf files on the target website eccouncil.org and store the result in the recon1.txt file”
Shell-GPT / sgpt: https://github.com/tbckr/sgpt

The following shell command conducts advanced Google hacking with the “filetype” operator to target PDF files within the eccouncil.org domain, then saves the results to a file named "recon1.txt":

  lynx --dump "http://www.google.com/search?q=site:eccouncil.org+filetype:pdf" | grep "http" | cut -d "=" -f2 | grep -o "http[^&]*" > recon1.txt

▪ `lynx --dump "http://www.google.com/search?q=site:eccouncil.org+filetype:pdf"`: Runs the Lynx text browser in dump mode to fetch Google's search results for PDF files within the eccouncil.org domain.
▪ `| grep "http"`: Keeps only the lines of the Lynx output that contain the string "http".
▪ `| cut -d "=" -f2`: Splits each line on the "=" delimiter and selects the second field.
▪ `| grep -o "http[^&]*"`: Prints only the part of each line that starts with "http" and runs up to the next "&".
▪ `> recon1.txt`: Redirects the final output to a file named "recon1.txt" for storage.
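A sturdier way to turn such a saved dump into an inventory of what is indexed for a domain, added here as an example (not from the CEH notes or any tool they mention; the dump text is constructed and only imitates the shape of a lynx reference list). Unlike the cut-based pipeline, it decodes the redirect target, keeps only URLs under the target domain, and de-duplicates, so the owner of the domain gets a clean list of exposed documents to review.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed dump (not a real search result): redirect-wrapped links, a
# document whose own query string is percent-encoded inside the redirect,
# a duplicate, a third-party mirror and a non-document page.
SAMPLE_DUMP = """\
References

   1. https://www.google.com/search?q=site:eccouncil.org+filetype:pdf
   2. https://www.google.com/url?q=https://www.eccouncil.org/wp-content/uploads/brochure.pdf&sa=U&ved=0ab
   3. https://www.google.com/url?q=https://cert.eccouncil.org/files/handbook.pdf%3Fv%3D2&sa=U&ved=0ac
   4. https://www.google.com/url?q=https://www.eccouncil.org/wp-content/uploads/brochure.pdf&sa=U&ved=0ad
   5. https://www.example.net/mirror/eccouncil-brochure.pdf
   6. https://www.eccouncil.org/about/
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOCUMENT_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx")

def unwrap_redirect(url):
    """Return the destination of a search-engine redirect (/url?q=...), else url itself.

    parse_qs percent-decodes the value, so '%3Fv%3D2' becomes '?v=2'; the
    cut -d "=" -f2 step of the shell pipeline leaves it encoded."""
    parts = urlsplit(url)
    if parts.path == "/url":
        target = parse_qs(parts.query).get("q")
        if target:
            return unquote(target[0])
    return url

def in_domain(url, domain):
    """True if url's host is domain itself or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def indexed_documents(dump_text, domain, extensions=DOCUMENT_EXTENSIONS):
    """De-duplicated document URLs under `domain`, in the order the dump lists them."""
    seen, docs = set(), []
    for raw in URL_RE.findall(dump_text):
        url = unwrap_redirect(raw.rstrip(".,)"))
        if not in_domain(url, domain):
            continue  # drops the engine's own links and third-party mirrors
        ext = urlsplit(url).path.rsplit(".", 1)[-1].lower()
        if ext in extensions and url not in seen:
            seen.add(url)
            docs.append(url)
    return docs

def by_host(docs):
    """Group document URLs by host so each site owner can review their own exposure."""
    groups = {}
    for url in docs:
        groups.setdefault(urlsplit(url).hostname, []).append(url)
    return groups

if __name__ == "__main__":
    for host, urls in by_host(indexed_documents(SAMPLE_DUMP, "eccouncil.org")).items():
        print(host, len(urls), "indexed document(s)")
```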

Google Hacking Database 

Source: https://www.exploit-db.com/google-hacking-database

The GHDB is a subset of the Exploit-DB and focuses on using Google search queries (often referred to as "Google Dorks") to find sensitive information inadvertently exposed on the web. These queries exploit advanced Google search operators to uncover the following:
▪ Sensitive files: Such as configuration files, database dumps, and log files that may contain usernames, passwords, or other confidential data.
▪ Exposed directories: Open directories on web servers that might contain sensitive information.
▪ Error messages: Web server or application error messages that may reveal server configurations or vulnerabilities.
▪ Vulnerable devices: Identifying specific types of devices or software versions known to have vulnerabilities.

Attackers can also use SearchSploit, which is a command-line search tool for Exploit-DB that allows taking a copy of the Exploit database for remote use. It allows attackers to perform detailed offline searches through their locally checked-out copy of the repository. This capability is particularly useful for security assessments of segregated or air-gapped networks without Internet access.

Google Dork.

VPN Footprinting through Google Hacking Database with AI

Footprinting through SHODAN Search Engine 

Source: https://www.shodan.io

Shodan is a search engine that enables attackers to perform footprinting at various levels. It is used to detect devices and networks with vulnerabilities. A search in Shodan for VoIP and VPN footprinting can deliver various results, which help gather VPN- and VoIP-related information.

Other Techniques for Footprinting through Search Engines 

▪ Gathering Information Using Google Advanced Search, Advanced Image Search, and Reverse Image Search
▪ Gathering Information from Video Search Engines
▪ Gathering Information from Meta Search Engines
▪ Gathering Information from File Transfer Protocol (FTP) Search Engines
▪ Gathering Information from IoT Search Engines
  o shodan.io/search?query=SCADA

Major search engines:
Google, Bing, Yahoo!, Ask.com, Aol, Baidu, DuckDuckGo

Search through LLM

Directly asking an LLM-backed search engine, for example: “Give me an NMAP command to determine if there is a firewall in the way.”
▪ Google:
▪ Bing:
▪ Grok: https://x.ai/
▪ Perplexity: https://www.perplexity.ai/

Operator examples:
▪ https://www.shodan.io/search?query=webcam
▪ inurl:webcam

Google Dork:
3. Footprinting through Internet Research Services


Finding a Company’s Top-Level Domains (TLDs) and Sub-domains 

Tools to Search Company’s Sub-domains 
▪ Netcraft Source: https://www.netcraft.com 
▪ DNSdumpster Source: https://dnsdumpster.com
▪ Pentest-Tools Find Subdomains Source: https://pentest-tools.com

Finding a Company’s Top-Level Domains (TLDs) and Sub-domains with AI 

Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly find the top-level domains and subdomains of the target.

Example #1: An attacker can use ChatGPT (here through the sgpt shell client) to perform this task with an appropriate prompt such as:
  • sgpt --chat domain --shell "Discover all the subdomains of 'google.com' using dig command."
  • sgpt --chat footprint --shell "Use Sublist3r to gather a list of subdomains of the target organization eccouncil"

Extracting Website Information from https://archive.org

The Internet Archive's Wayback Machine at https://archive.org stores archived versions of websites. Exploring them allows an attacker to gather information on an organization's web pages since their creation. Because the site keeps track of web pages from the time of their creation, an attacker can retrieve even information removed from the target website, such as web pages, audio files, video files, images, text, and software programs. Attackers use this information to perform phishing and other types of web application attacks on the target organization.

Footprinting through People Search Services 

You can use public record websites to find information about email addresses, phone numbers, house addresses, and other details. Many individuals use online people search services to find information about other people. Generally, online people search services such as Spokeo, Intelius, pipl, BeenVerified, Whitepages, Instant Checkmate, and PeekYou provide people’s names, addresses, contact details, date of birth, photographs, videos, profession, details about their family and friends, social networking profiles, property information, and, optionally, criminal background checks. Further, online people search services may often reveal the profession of an individual, businesses owned by a person, upcoming projects and operating environment, websites and blogs, contact numbers, important dates, company email addresses, cell phone numbers, fax numbers, and personal e-mail addresses. Using this information, an attacker can try to obtain bank details, credit card details, past history, and so on, which is highly beneficial for launching attacks. Many online people search services are available for obtaining information about people.
▪ People Search Service - Spokeo
  Source: https://www.spokeo.com

Footprinting through Job Sites

Dark Web Footprinting
▪ Tor Browser Source: https://www.torproject.org
▪ Searching the Dark Web with Advanced Search Parameters

Determining the Operating System
▪ Netcraft Source: https://www.netcraft.com
▪ SHODAN Search Engine Source: https://www.shodan.io
▪ Censys Source: https://censys.io

Competitive Intelligence Gathering

Competitive intelligence helps in determining:
▪ What the competitors are doing
▪ How competitors are positioning their products and services
▪ What customers are saying about competitors’ strengths and weaknesses

Information Resource Sites
Information resource sites that help to gain competitive intelligence include:
▪ EDGAR Database Source: https://www.sec.gov/edgar
▪ D&B Hoovers Source: https://www.dnb.com
▪ LexisNexis Source: https://www.lexisnexis.com
▪ Business Wire Source: https://www.businesswire.com
▪ Factiva Source: https://www.dowjones.com

Competitive Intelligence - What Are the Company's Plans?
Information resource sites that help attackers learn a company’s business plans include:
▪ MarketWatch Source: https://www.marketwatch.com
▪ The Wall Street Transcript Source: https://www.twst.com
▪ Euromonitor Source: https://www.euromonitor.com
▪ Experian Source: https://www.experian.com
▪ The Search Monitor

Competitive Intelligence - What Do Expert Opinions Say About the Company?
Information resource sites that help the attacker obtain expert opinions about the target company include:
▪ SEMRush Source: https://www.semrush.com
▪ ABI/INFORM Global Source: https://www.proquest.com
▪ SimilarWeb Source: https://www.similarweb.com
▪ SERanking Source: https://seranking.com

Other Techniques for Footprinting through Internet Research Services

▪ Finding the Geographical Location of the Target
  o Google Earth Source: https://earth.google.com
▪ Gathering Information from Financial Services
  o Google Finance Source: https://www.google.com/finance
▪ Gathering Information from Business Profile Sites
  Attackers use business profile sites such as opencorporates, Crunchbase, and corporationwiki to gather important information about the target organizations, such as their location, addresses, contact information (such as phone numbers and email addresses), employee database, department names, type of service provided, and type of industry.
▪ Monitoring Targets Using Alerts
  Tools such as Google Alerts, X Alerts, and Giga Alerts help attackers to track mentions of the organization’s name, member names, website, or any people or projects that are important. Attackers can gather updated information about the target periodically from the alert services and use it for further attacks.
  o Google Alerts Source: https://www.google.com/alerts
▪ Tracking the Online Reputation of the Target
  An attacker may use ORM (online reputation management) tracking tools to:
  o Track a company’s online reputation
  o Collect a company’s search engine ranking information
  o Obtain email notifications when a company is mentioned online
  o Track conversations
  o Obtain social news about the target organization
  o Mention Source: https://mention.com
▪ Gathering Information from Groups, Forums, and Blogs
  Attackers can register with fake profiles in Google Groups, LinkedIn Groups, and so on.
▪ Gathering Information from Public Source-Code Repositories
  Source code–based repositories are online services or tools available on internal servers or hosted on third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Attackers can use tools such as Recon-ng to discover public source-code repositories.
  o Recon-ng Source: https://github.com

4. Footprinting through Social Networking Sites

People Search on Social Networking Sites

Social networking sites such as Facebook, Twitter, LinkedIn, and Instagram allow you to find people by name, keyword, company, school, friends, colleagues, and the people living around them. 
Gathering Information from LinkedIn
• Attackers use the theHarvester tool to perform enumeration on LinkedIn and find employees of the target company along with their job titles
• Attackers can use this information to gather more information, such as current location and educational qualifications, and perform social engineering or other kinds of attacks

LinkedIn is a social networking website for professionals. It connects the world’s human resources to aid productivity and success. The site contains personal information such as name, position, organization name, current location, educational qualifications, and so on. Information gathered from LinkedIn helps an attacker in performing social engineering or other kinds of attacks. Attackers can use theHarvester tool to gather information from LinkedIn based on the target organization name:
▪ theHarvester Source: https://github.com
  theHarvester -d eccouncil -l 200 -b linkedin
In the above command, -d specifies the domain or company name to search, -l specifies the number of results to be retrieved, and -b specifies the data source as LinkedIn.
Harvesting Email Lists

Gathering email addresses related to the target organization acts as an important attack vector during the later phases of hacking. Attackers can use automated tools such as theHarvester and Email Spider to collect publicly available email addresses of the employees of the target organization. These tools harvest email lists related to a specified domain using search engines such as Google, Bing, and Yahoo. Attackers use these email lists and usernames to perform social engineering and brute-force attacks on the target organization.
▪ theHarvester Source: https://github.com
Attackers use theHarvester to extract email addresses related to the target domain. For example, the following command extracts email addresses of microsoft.com using the Baidu search engine:
  theharvester -d microsoft.com -l 200 -b baidu
In the above command, -d specifies the domain used for harvesting the emails, -l limits the results to 200, and -b tells theHarvester to extract the results from the Baidu search engine; alternatively, you can use Google, Bing, etc.
Harvesting Email Lists with AI

Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly find valuable email details of their target organization. For example, an attacker can use ChatGPT to perform this task with an appropriate prompt such as: “Use theHarvester to gather email accounts associated with 'microsoft.com', limiting results to 200, and leveraging 'baidu' as a data source”
  sgpt --chat fp --shell "Use theHarvester to gather email accounts associated with 'microsoft.com', limiting results to 200, and leveraging 'baidu' as a data source"
Analyzing Target Social Media Presence

Several online services and resources are available to gather valuable information about a target from one or more social media sites. These services allow attackers to discover the most shared content across social media sites by using hashtags or keywords, track accounts and URLs on various social media sites, obtain a target’s email address, etc. This information helps attackers to perform phishing, social engineering, and other types of attacks. Attackers use tools such as BuzzSumo, Google Trends, Hashatit, and Ubersuggest to locate information on social media sites:
▪ BuzzSumo Source: https://buzzsumo.com

Tools for Footprinting through Social Networking Sites

Attackers use various tools such as Sherlock and Social Searcher to footprint social networking sites such as Twitter, Instagram, Facebook, and Pinterest to gather sensitive information about the target such as the date of birth, educational qualification, employment status, names of relatives, and information about the organization that they are working for, including the business strategy, potential clients, and upcoming project plans.
▪ Sherlock Source: https://github.com
  Sherlock "Elon Musk"
▪ Social Searcher Source: https://www.social-searcher.com

Footprinting through Social Networking Sites with AI

For example, an attacker can use ChatGPT to perform this task with an appropriate prompt such as: “Use Sherlock to gather personal information about Sundar Pichai and save the result in recon2.txt”
  sgpt --chat footprint --shell "Use Sherlock to gather personal information about Sundar Pichai and save the result in recon2.txt"

5. Whois Footprinting

6. DNS Footprinting

7. Network and Email Footprinting

8. Footprinting through Social Engineering

9. Automate Footprinting Tasks using Advanced Tools and AI

10. Footprinting Countermeasures


Copyright notice:
Author: congcong
Link: https://www.techfm.club/p/191387.html
Source: TechFM
The copyright of this article belongs to the author. Please do not reproduce it without permission.
