Information Gathering: Concept, Tools, Techniques and Explained

Footprinting (Reconnaissance) refers to the process of gathering information about a specific computer system or a network environment and the company it belongs to. This is the preparatory phase for the hacker where he gathers as much information as he can so as to find ways to intrude into the target. Footprinting can reveal the vulnerabilities of the target system and improve the ways in which they can be exploited.



Footprinting has to be done in a slow and methodical manner: the hacker spends 90% of his time blueprinting the security profile of the target and only 10% launching the attack. Footprinting can help the hacker decide on the type of attack that is most suitable for the target.



Information Gathering Methodology

Suppose a hacker decides to break into a target company. He can only do so after blueprinting the target and assessing its possible vulnerabilities. Based on this information, the hacker can carry out attacks such as breaking into the company’s database, hacking its website or causing a denial of service. The following are some of the different types of information that a hacker could gather before actually carrying out the attack.



Obtaining the Domain Name Information

Background information about the target website (domain name), such as the name of its owner and registrar, the date of registration, the expiry date, the associated name servers and the contact details attached to it (email, phone and address), can be found by performing a Whois lookup. The following are some of the popular websites where you can perform a Whois lookup on any domain to uncover its background information:

http://www.whois.com/whois/

https://who.is/

http://whois.domaintools.com/

https://website.informer.com/



Finding IP Address and Hosting Provider

Information such as the IP address of the website and its hosting provider can be very crucial. This can be easily found out using the following website:

http://www.whoishostingthis.com



Finding IP Address Location

Finding out the physical location of the IP address is very simple. Just visit the following website and enter the target IP address to reveal its physical location:

http://www.ip2location.com/



Finding IP Address Range

While small websites may have a single IP address, big players such as Google, Facebook and Microsoft have ranges of IP addresses allocated to their company for hosting additional websites and servers. This range information can be obtained from the official website of the American Registry for Internet Numbers (ARIN). The URL for the ARIN website is listed below:

https://www.arin.net/



Web Searches

You can go to the target's website and browse around, collecting as much useful information as possible. Use Google to look for information such as:


• Names of employees and other contact information. You can proceed to find these people on Facebook or LinkedIn.

• Patents and trademarks.

• SEC filings, if it is a public entity.

• Incorporation filings, if it is a private entity.

• Webinars, articles or presentations.


If you are using Google, you can narrow the results to the most relevant information (phone numbers, addresses, etc.) if you know the right keywords to use. You can also perform advanced web searches using Google's search operators (Google Dorking).


Examples:

intitle:"Index of" phpinfo.php
intitle:index.of ws_ftp.ini
http://admin:*@www
filetype:ini ws_ftp pwd
filetype:pwd service
allinurl: admin mdb



Web Crawling

There are certain web crawling tools that are able to mirror a website and download all the publicly accessible files from the target website. This then allows you to scan the copy offline. You are likely to unearth information regarding the configuration and layout of the website, its files and directories, the source code of the web pages, names and email addresses of IT employees, and comments about the workings of the code.



Websites

There are certain websites that contain information about different organizations and their employees. You can do a people search if you just know which websites to use:

https://finance.yahoo.com/

https://www.uspto.gov/

https://www.zabasearch.com/ 


This can be used for people search depending on the country or region you are targeting.



Whois

A very simple but effective means of collecting additional information about our target is Whois. The Whois service allows us to access specific information about our target, including the IP addresses or host names of the company’s Domain Name System (DNS) servers and contact information, which usually contains an address and a phone number.

Whois is built into the Linux OS. The simplest way to use this service is to open a terminal and enter the following command:

whois target_domain

For example, to find out information about Facebook, we would issue the following command: whois facebook.com



Netcraft

Another great source of information is Netcraft. You can visit their site at http://news.netcraft.com. Start by searching for your target in the “What’s that site running?” box.

Netcraft will return any websites it is aware of that contain your search words.



Active Reconnaissance (footprinting) Tools: 


Host

Oftentimes, our reconnaissance efforts will result in host names rather than IP addresses. When this occurs, we can use the “host” tool to perform a translation for us. The host tool is built into most Linux systems including Kali. We can access it by opening a terminal and typing: 

host target_hostname


Extracting Information from DNS

DNS servers are an excellent target for hackers and penetration testers. They usually contain information that is considered highly valuable to attackers. DNS is a core component of both our local networks and the Internet. Among other things, DNS is responsible for the process of translating domain names to IP addresses. As humans, it is much easier for us to remember “google.com” rather than http://74.125.95.105. However, machines prefer the reverse. DNS serves as the middle man to perform this translation process.


As penetration testers, it is important to focus on the DNS servers that belong to our target. The reason is simple. In order for DNS to function properly, it needs to be aware of both the IP address and the corresponding domain name of each computer on its network. In terms of reconnaissance, gaining full access to a company’s DNS server is like finding a pot of gold at the end of a rainbow. Or maybe, more accurately, it is like finding a blueprint to the organization. But in this case, the blueprint contains a full listing of internal IP addresses and host names that belong to our target. Remember, one of the key elements of information gathering is to collect IP addresses that belong to the target.


Aside from the pot of gold, another reason why picking on DNS is so enjoyable is that in many cases these servers tend to operate on the “if it isn’t broke, don’t touch it” principle.


Inexperienced network administrators often regard their DNS servers with suspicion and mistrust. Oftentimes, they choose to ignore the box completely because they do not fully understand it. As a result, patching, updating, or changing configurations on the DNS server is often a low priority. Add this to the fact that most DNS servers appear to be very stable (as long as the administrator is not monkeying with them) and you have a recipe for a security disaster. These admins wrongly learn early in their career that the less they mess with their DNS servers, the less trouble the servers seem to cause them.


As a penetration tester, given the number of misconfigured and unpatched DNS servers that abound today, it is natural to assume that many current network admins operate under the same principle.


If the above statements are true in even a small number of organizations, we are left with valuable targets that have a high probability of being unpatched or out of date. So the next logical question becomes: how do we access this virtual pot of gold? Before we can begin the process of examining a DNS server, we need an IP address. Earlier in our reconnaissance, we came across several references to DNS. Some of these references were by host name, whereas others were by IP address. Using the host command, we can translate any host names into IP addresses and add these IPs to the potential target list. Again, you must be sure to double- and triple-check that the IP you collect is within your authorized scope before continuing.


Now that we have a list of DNS IP addresses that belong to (or serve) our target, we can begin the process of interrogating DNS to extract information. Although it is becoming rarer to find, one of our first tasks when interacting with a target DNS server is to attempt a zone transfer.


Recall that DNS servers contain a series of records that match up the IP address and host name for all the devices that the servers are aware of. Many networks deploy multiple DNS servers for the sake of redundancy or load balancing. As a result, DNS servers need a way to share information. This “sharing” process occurs through the use of a zone transfer. During a zone transfer, also commonly referred to as AXFR, one DNS server will send all the host-to-IP mappings it contains to another DNS server. This process allows multiple DNS servers to stay in sync.


Even if we are unsuccessful in performing a zone transfer, we should still spend time investigating any DNS servers that fall within our authorized scope.



Networking & Recon Command: nslookup

The first tool we will use to examine DNS is nslookup. nslookup is a tool that can be used to query DNS servers and potentially obtain records about the various hosts of which it is aware. nslookup is built into many versions of Linux including Kali and is even available for Windows. nslookup operates very similarly between the various OSs; however, you should always review the specifics for your particular system. You can do so in Linux by reviewing the nslookup man page. This is accomplished by opening a terminal and typing:

man nslookup


nslookup is a tool that can be run in interactive mode. This simply means we will first invoke the program and then feed it the particular switches we need to make it function properly.



Networking & Recon Command: Dig

Another great tool for extracting information from DNS is “dig”. To work with dig, we simply open a terminal and enter the following command:

dig @target_ip


Naturally, you will need to replace “target_ip” with the actual IP address of your target. Among other things, dig makes it very simple to attempt a zone transfer. Recall that a zone transfer is used to pull multiple records from a DNS server. In some cases, a zone transfer can result in the target DNS server sending all the records it contains. This is especially valuable if your target does not distinguish between internal and external IPs when conducting a zone transfer. We can attempt a zone transfer with dig by using the “-t AXFR” switch.


If we wanted to attempt a zone transfer against a fictitious DNS server with an IP address of, e.g., 192.168.1.23 and a domain name of “example.com”, we would issue the following command in a terminal window:

dig @192.168.1.23 example.com -t AXFR


If zone transfers are allowed and not restricted, you will be presented with a listing of host and IP addresses from the target DNS server that relate to your target domain.  
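The following Python script is an added example, not code from the original article: it parses the record lines dig prints for a completed AXFR (a constructed, fictitious sample is embedded) and separates public hosts from records that map hostnames to RFC 1918 or other internal addresses, which is exactly the leak the paragraph above describes. A zone administrator can run it over a transfer of their own zone to confirm that nothing internal is published.

```python
import ipaddress
import re

# Constructed sample of the record lines dig prints for a completed AXFR
# (as after `dig @ns1 example.com -t AXFR`); all names and addresses are fictitious.
SAMPLE_AXFR = """\
example.com.           3600 IN SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.           3600 IN MX   10 mail.example.com.
ns1.example.com.       3600 IN A    203.0.113.10
www.example.com.       3600 IN A    203.0.113.20
mail.example.com.      3600 IN A    203.0.113.25
intranet.example.com.  3600 IN A    10.20.30.40
backup-db.example.com. 3600 IN A    192.168.5.12
vpn.example.com.       3600 IN AAAA 2001:db8::1
example.com.           3600 IN SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
"""

# Address space that should never appear in a zone served to the Internet:
# RFC 1918, loopback, link-local, and IPv6 unique-local/link-local ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# One A or AAAA record per line: <name> <ttl> IN <type> <address>
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")

def parse_address_records(axfr_text):
    """Return (hostname, ip_address) pairs for every A/AAAA record; dig's ';'
    comment lines and other record types do not match and are skipped."""
    records = []
    for line in axfr_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m.group(1).rstrip("."), ipaddress.ip_address(m.group(3))))
    return records

def audit_zone(axfr_text):
    """Split host records into public and internal addresses: every entry under
    'internal' is a hostname-to-private-IP mapping the zone is leaking."""
    public, internal = [], []
    for name, addr in parse_address_records(axfr_text):
        leaks = any(addr in net for net in INTERNAL_NETS)  # False across IP versions
        (internal if leaks else public).append((name, str(addr)))
    return {"public": public, "internal": internal}

def transfer_completed(axfr_text):
    """A full AXFR begins and ends with the same SOA record."""
    soa = [l for l in axfr_text.splitlines() if " IN SOA " in l]
    return len(soa) >= 2 and soa[0] == soa[-1]
```

If the script reports anything under "internal", the fix on the server side is to restrict transfers to the secondary name servers only (for BIND, the allow-transfer option) and to keep internal names in a separate, non-public zone.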



Extracting Information from E-mail Servers

E-mail servers can provide a wealth of information for hackers and penetration testers. In many ways, e-mail is like a revolving door to your target’s organization. Assuming your target is hosting their own e-mail server, this is often a great place to attack. It is important to remember, “You can’t block what you must let in.” In other words, for e-mail to function properly, external traffic must pass through your border devices like routers and firewalls, to an internal machine, typically somewhere inside your protected networks.


As a result of this, we can often gather significant pieces of information by interacting directly with the e-mail server. One of the first things to do when attempting to recon an e-mail server is to send an e-mail to the organization with an empty .bat file or a nonmalicious .exe file like calc.exe. In this case, the goal is to send a message to the target e-mail server inside the organization in the hope of having the e-mail server inspect, and then reject, the message.


Once the rejected message is returned back to us, we can attempt to extract information about the target e-mail server. In many cases, the body of the message will include a precanned write-up explaining that the server does not accept e-mails with potentially dangerous extensions. This message often indicates the specific vendor and version of antivirus that was used to scan the email. As an attacker, this is a great piece of information to have.


Having a return message from a target e-mail server also allows us to inspect the headers of the e-mail. Inspecting the Internet headers will often allow us to extract some basic information about the e-mail server, including IP addresses and the specific software versions or brand of e-mail server running. 
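To make the header inspection described above concrete, here is an added Python example (not from the article) that parses a constructed non-delivery report and summarises what it discloses: internal relay addresses from the Received: chain, the mail-server software announced in those headers, and the antivirus engine named in the rejection text. All hosts, addresses, IDs and product names in the sample are fictitious; a mail administrator can run the same functions over their own gateway's bounces to see what they give away.

```python
import re
from email import message_from_string

# Constructed non-delivery report of the kind a gateway returns when it rejects
# an attachment; hosts, addresses, IDs and product names are fictitious.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx1.example.com (mx1.example.com [203.0.113.25])
\tby mail.tester.invalid with ESMTP id 4A1B2C3D; Mon, 1 Apr 2024 09:15:02 +0000
Received: from mailgw.corp.example.com (unknown [10.1.2.3])
\tby mx1.example.com (ExampleMTA 3.1) with ESMTP id 9F8E7D6C; Mon, 1 Apr 2024 09:15:01 +0000
From: Mail Delivery System <MAILER-DAEMON@example.com>
To: tester@tester.invalid
Subject: Undeliverable: test message
X-Mailer: ExampleMail Gateway 7.2
Content-Type: text/plain

Your message was rejected. Attachment "calc.exe" is not permitted.
Scanned by ExampleAV Engine 12.0.1 (definitions 2024-03-31).
"""

# from <host> (<reverse-dns [ip]>) by <host> (<software>) ...
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)(?:\s+by\s+(\S+)(?:\s+\(([^)]*)\))?)?")
PRIVATE_RE = re.compile(r"\b(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)\b")

def parse_received_hops(raw):
    """One dict per Received: header: which host handed the message to which,
    and what software the receiving host announced about itself."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2),
                         "by": m.group(3), "by_software": m.group(4)})
    return hops

def exposure_summary(raw):
    """What this bounce discloses to whoever sent the original message."""
    msg = message_from_string(raw)
    hops = parse_received_hops(raw)
    software = {h["by_software"] for h in hops if h["by_software"]}
    if msg["X-Mailer"]:
        software.add(msg["X-Mailer"])
    av = re.search(r"Scanned by ([^\n(]+)", msg.get_payload())
    return {
        "internal_ips": sorted({ip for h in hops for ip in PRIVATE_RE.findall(h["from_info"])}),
        "mail_software": sorted(software),
        "av_engine": av.group(1).strip() if av else None,
    }
```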



Information Gathering Tool: MetaGooFil

Another excellent information gathering tool is “MetaGooFil”. MetaGooFil is a metadata extraction tool written by the same folks who brought us theHarvester. Metadata is often defined as “data about data”. When you create a document such as a Microsoft Word file or a PowerPoint presentation, additional data is created and stored within the file. This data often includes various pieces of information describing the document, such as the file name, the file size, the file owner or user name of the person who created the file, and the location or path where the file was saved. This process occurs automatically without any user input or interaction.


The ability of an attacker to read this information may present some unique insights into the target organization, including user names, computer or server names, network paths, file shares, and other goodies. MetaGooFil is a tool that scours the Internet looking for documents that belong to your target. After finding these documents, MetaGooFil downloads them and attempts to extract useful metadata.

To know more: https://github.com/laramies/metagoofil
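To show what the metadata MetaGooFil extracts actually looks like, here is an added Python example (not part of the article or of the MetaGooFil project): it builds a small constructed .docx in memory and reads its docProps/core.xml, the package part where Office stores the creator and last-modified-by fields, so a defender can audit documents for leaked user names before publishing them. The property values are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml of OOXML files (.docx, .pptx, .xlsx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Core properties that typically name a person, account or project.
SENSITIVE = ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description", "cp:category")

def build_sample_docx():
    """Construct a minimal .docx in memory (hypothetical content) so the example
    runs offline; only the package parts needed for metadata are included."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        "<dc:title>Q3 network diagram</dc:title>"
        "<dc:creator>jsmith</dc:creator>"
        "<cp:lastModifiedBy>CORP\\svc-backup</cp:lastModifiedBy>"
        "<dcterms:modified>2024-03-01T10:00:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

def extract_core_properties(docx_bytes):
    """Read docProps/core.xml and return {'prefix:tag': text} for every property."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for el in root:  # each child tag looks like '{namespace-uri}localname'
        uri, _, tag = el.tag[1:].partition("}")
        prefix = next((p for p, u in NS.items() if u == uri), uri)
        props["%s:%s" % (prefix, tag)] = (el.text or "").strip()
    return props

def leaked_identities(docx_bytes):
    """The subset of properties that would expose people, accounts or project
    names if this file were published on the organization's website."""
    props = extract_core_properties(docx_bytes)
    return {k: v for k, v in props.items() if k in SENSITIVE and v}
```

Pass the bytes of a real .docx, .pptx or .xlsx to extract_core_properties to audit it; the same docProps/core.xml part exists in all three formats.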



Information Gathering Tool: theHarvester

Another great tool for reconnaissance is theHarvester. It is a powerful and effective open-source tool for gathering information about a target domain or email address, designed to be used in the early stages of a penetration test or red team engagement. The tool can be used to extract email addresses, subdomains, hosts, employee names, open ports and banners from different public sources such as search engines, PGP key servers and SHODAN. The tool supports several search engines, including Google, Bing, Yahoo and LinkedIn.



Information Gathering Tool: Amass

Amass is an open-source network mapping and information gathering (reconnaissance) tool developed by OWASP (Open Web Application Security Project). It is designed to help security professionals and researchers perform tasks related to reconnaissance, network mapping and enumeration. Some of the features provided by Amass are:


Subdomain enumeration: It can be used to enumerate subdomains for a given domain by leveraging various sources such as DNS, web archives, and search engines.


Port scanning: It can be used to perform port scanning to identify open ports on the target network system.


SSL certificate scraping: It can be used to scrape SSL/TLS certificates to gather information about the target network.


DNS information collection: Amass can gather DNS information such as NS records, MX records, and SOA records.


Whois data collection: Amass can collect Whois information about the target domain.


Webpage crawling: Amass can crawl webpages to gather information such as URLs, headers, and title tags.

