Footprinting and Reconnaissance + Scanning Networks - Part 1
Footprinting & Reconnaissance
Brief
The footprinting phase enables attackers to gather information about a target's internal and external security architecture, helping identify vulnerabilities for exploitation. Detailed reconnaissance narrows the attack focus, bringing the attacker closer to the target by analyzing IP ranges, domain details, and other critical data.
Objective
The major objectives of Footprinting are:
To learn the target's security posture
To reduce the focus area
To identify vulnerabilities
To draw a network map
Methodology

Footprinting through Search Engines
A fundamental and highly effective method of footprinting is using search engines. They retrieve publicly available information about a target from the internet, compiling all accessible data related to the searched entity.
Finding Company’s Public and Restricted Websites
Gathers information from an organization's official website, including public and restricted URLs.
Collect Location Information
Obtains local details such as the headquarters' physical location, nearby surroundings, branch office locations, and other relevant data from online maps and location services.
People Search Online Services
Several online services are commonly used to find phone numbers, addresses, and personal details.
Gather Information from Financial Services
Various financial services, powered by search engines, provide financial data on internationally recognized organizations.
Footprinting through Job Sites
Job sites feature company profiles, including location, industry details, contact information, employee count, job postings, and insights into required hardware and software.
Monitoring Target Using Alerts
Alert services provide content monitoring with notifications, keeping subscribers updated on their chosen topics.
Information Gathering Using Groups, Forums, and Blogs
Groups, forums, blogs, and communities can be valuable sources of sensitive information, as both official and unofficial groups may unintentionally leak data.
Footprinting using Advanced Google Hacking Techniques
Google Advanced Search Operators
Advanced search operators refine a query so that the results are precise and focused on a specific topic.
site: restricts results to the given domain
related: finds web pages similar to the given page
cache: displays the copy of a web page stored in the search engine's cache
link: lists websites that link to a specific web page
allintext: finds pages whose body text contains all of the given keywords
intext: finds pages whose body text contains a specific keyword
allintitle: finds pages whose title contains all of the given keywords
intitle: finds pages whose title contains a specific keyword
allinurl: finds pages whose URL contains all of the given keywords
inurl: finds pages whose URL contains a specific keyword
Google Hacking Database (GHDB)
Google Hacking, or Google Dorking, uses advanced search techniques to identify security vulnerabilities in an organization's network and systems through Google and related applications, enhancing search efficiency.
Queries are organized in the Google Hacking Database (GHDB), a categorized collection designed to uncover potentially sensitive or non-public information.
Footprinting through Social Networking Sites
Social Engineering
Social engineering in information security involves psychological manipulation to extract information from social networks and other platforms, often for fraud, hacking, or gaining proximity to a target.
Footprinting using Social Engineering on Social Networking Sites
Social networking sites are among the most effective sources of information, making it easy to find individuals and access both basic personal details and potentially sensitive data. Advanced features further provide real-time updates.


Website Footprinting
Website Footprinting involves analyzing a target organization's official website to gather information on running software, versions, operating systems, subdirectories, databases, scripting details, and other relevant data.
This information can be collected using online services like Netcraft or tools such as Burp Suite, ZAP Proxy, Website Informer, and Firebug.
With these details, an attacker can analyze the site's source code, developer information, file system structure, and scripting.
Determining the Operating System
Identifying the operating systems used by a target organization helps gather insights into potential vulnerabilities and attack vectors.
Web Spiders or Web Crawlers
Web spiders or crawlers are internet bots that systematically browse the web to collect targeted information, such as names and email addresses from websites.
Mirroring Entire Website
Website mirroring is the process of downloading and replicating an entire website on a local system for analysis or offline access.
Downloading a website allows an attacker to analyze its structure, directories, and code in an offline environment, helping to identify potential vulnerabilities.

Extract Website Information
Wayback Machine - Internet Archive is an online service that provides archived versions of websites, offering summaries on MIME-type Count, Summary for TLD/HOST/Domain, a sitemap of website and dates, Calendar view, and other historical data.
Monitoring Web Updates
Monitoring web updates means watching target websites for changes and automatically detecting modifications as they are published.

Email Footprinting
Email is a crucial communication tool for organizations, connecting employees, partners, and competitors. Its content can contain valuable data such as credentials, hardware/software details, network security insights, and financial information, making it a key target for attackers and penetration testers.
Tracking Email from Email Header
Tracing an email through its header provides a hop-by-hop analysis, revealing IP addresses, server names, and locations along its route.
Competitive Intelligence
Competitive intelligence gathering involves collecting, analyzing, and compiling data on competitors using non-intrusive methods from various sources.
Competitive Intelligence Gathering
These websites collect and provide company reports, including legal news, press releases, financial data, analysis reports, and details on upcoming projects and plans.

By gathering information from these resources, penetration testers and attackers can identify:
When the company began
How the company has evolved
The authority of the company
The background of the organization
Strategies and planning
Financial statistics
Other information
Monitoring Website Traffic of Target Company
Website monitoring tools provide insights into a target website's ranking, global user distribution, visitor statistics, page views, time spent on the site, total backlinks, and other analytical data.

Tracking Online Reputation of the Target
These tools help track an organization's reputation, ranking, and online presence while enabling notifications for updates and other relevant insights.

WHOIS Footprinting
WHOIS Lookup
WHOIS provides domain-related information, including ownership details, IP addresses, netblock data, and name servers. A WHOIS lookup helps identify the entity behind a target domain.
DNS Footprinting
DNS lookup information helps identify hosts within a target network, revealing domain-to-IP mappings and other relevant details.

Aspect          WHOIS footprinting                                  DNS footprinting
Focus           Domain ownership & registration                     Domain-to-IP resolution & DNS records
Data source     WHOIS databases (registrars)                        DNS servers
Common use      Checking domain availability and ownership          Resolving domain names, debugging DNS issues
Privacy issues  WHOIS info may be hidden (GDPR, privacy services)   DNS info is generally public
Network Footprinting
Network footprinting is a crucial technique for gathering information about a target network. Various tools are available to help map the network, revealing its structure and potential vulnerabilities.
Traceroute
The Traceroute or Tracert command maps the path from source to destination, displaying all intermediate hops and their latency.
You should understand the term hop. A hop is the transfer of a data packet from one network device to the next; one hop occurs each time the packet crosses into a new network segment.


Footprinting through Social Engineering
In footprinting, humans are often the weakest link. Extracting information from people is usually easier than retrieving data from secured systems.
Social Engineering
Social engineering is the art of extracting sensitive information by manipulating people. Social engineers operate discreetly, exploiting human trust and carelessness to obtain valuable data.
Eavesdropping
Eavesdropping is a social engineering technique where an attacker covertly listens to conversations, reads messages, or accesses information sources without detection.
Phishing
Phishing is a social engineering attack that uses digital means, such as emails, messages, or fake websites, to trick individuals into revealing sensitive information.
Shoulder Surfing
Shoulder surfing is a social engineering technique where an attacker observes a target’s screen or keyboard to steal sensitive information like passwords or account numbers.
Dumpster Diving
Dumpster diving is an old but effective technique where attackers search through discarded materials like printer trash, desk waste, or company garbage to find valuable information such as phone bills, contacts, financial records, and source codes.
Vishing
Vishing (voice phishing) is a social engineering attack where scammers use phone calls to trick individuals into revealing sensitive information, such as passwords, credit card details, or personal data.
Smishing
Smishing (SMS phishing) is a social engineering attack where attackers use text messages to deceive individuals into revealing sensitive information, clicking malicious links, or downloading malware.
Spear Phishing
Spear Phishing is a targeted phishing attack aimed at specific individuals or organizations. Attackers craft personalized emails or messages to trick victims into revealing sensitive information or downloading malware.
Footprinting Tools
Maltego
Recon-ng
FOCA
Metasploit

Countermeasures of Footprinting

Scanning Networks
Brief
After the footprinting phase, you may have gathered sufficient information about the target. The next step, network scanning, uses this data to identify hosts, open ports, and running services by systematically scanning networks and ports.
Objective
To identify live hosts on a network
To identify open & closed ports
To identify operating system information
To identify services running on a network
To identify running processes on a network
To identify the presence of Security Devices like firewalls
To identify System architecture
To identify running services
To identify vulnerabilities

Overview of Network Scanning
The Network Scanning phase involves probing the target network to gather critical information. By analyzing responses, an attacker can identify network details, open ports, and running services. This helps map the network architecture, providing a clearer picture of the target.
TCP Communication
Traffic carried over the Internet Protocol (IP) uses two main transport protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
TCP is a connection-oriented protocol, meaning a reliable connection must be established before data transfer. It enables bidirectional communication, ensuring data is sent and received in an organized manner.
UDP is a connectionless and lightweight Internet protocol. It transmits multiple messages as independent packets, sending data in chunks without requiring a stable connection.
Unlike TCP, UDP does not provide reliability, flow control, or error recovery for IP packets, making it faster but less dependable.
Due to its simplicity, UDP headers are smaller and require less network overhead compared to TCP, making data transmission more efficient.


The flags field in the TCP header is 9 bits wide and includes the following six classic TCP flags: URG, ACK, PSH, RST, SYN, and FIN.

A TCP connection is established using a three-way handshake between hosts. This process ensures a reliable, connection-oriented session. The handshake consists of three essential steps to initiate communication.

When Host A wants to communicate with Host B, a TCP connection is established through a three-way handshake:
Host A sends a SYN packet to Host B.
On receipt of the SYN packet from Host A, Host B replies to Host A with a SYN+ACK packet.
Host A replies with an ACK packet when it receives the SYN+ACK packet from Host B.
Once this process completes successfully, the TCP connection is established.
IP defines how computers can get data to each other over a routed, interconnected set of networks. TCP defines how applications can create reliable channels of communication across such a network.
IP defines addressing and routing, while TCP defines how to have a conversation across the link without garbling or losing data.
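As an added example (not code from the original post), the following Python decodes the 9-bit flags field of a raw TCP header and replays constructed Host A to Host B headers through the three-way handshake, checking that each SYN+ACK and ACK acknowledges the right initial sequence number. The port numbers and sequence numbers are made up for the demonstration.

```python
import struct

# The 9-bit flags field shares a 16-bit word with the 4-bit data offset and
# 3 reserved bits; these are the bit masks inside that word.
TCP_FLAGS = {
    "NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
    "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001,
}

def build_tcp_header(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header (no options; checksum left as 0)."""
    offset_flags = (5 << 12) | (flags & 0x1FF)  # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 65535, 0, 0)

def decode_flags(header):
    """Return the set of flag names that are set in a raw TCP header."""
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return {name for name, bit in TCP_FLAGS.items() if offset_flags & bit}

def parse_tcp(header):
    sport, dport, seq, ack = struct.unpack("!HHII", header[:12])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": decode_flags(header)}

def check_handshake(packets):
    """Replay raw TCP headers through the three-way handshake state machine.

    Returns (state, reason). Acknowledgement numbers are verified against
    the initial sequence numbers, so a bogus SYN+ACK or ACK is rejected.
    """
    state, client_isn, server_isn = "CLOSED", None, None
    for raw in packets:
        p = parse_tcp(raw)
        f = p["flags"]
        if state == "CLOSED" and f == {"SYN"}:
            client_isn, state = p["seq"], "SYN_SENT"
        elif state == "SYN_SENT" and f == {"SYN", "ACK"}:
            if p["ack"] != (client_isn + 1) & 0xFFFFFFFF:
                return "INVALID", "SYN+ACK does not acknowledge the client ISN"
            server_isn, state = p["seq"], "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and f == {"ACK"}:
            if p["ack"] != (server_isn + 1) & 0xFFFFFFFF:
                return "INVALID", "final ACK does not acknowledge the server ISN"
            state = "ESTABLISHED"
        else:
            return "INVALID", f"unexpected flags {sorted(f)} in state {state}"
    return state, "ok"

def sample_handshake(client_isn=1000, server_isn=5000):
    """Constructed Host A (port 40000) -> Host B (port 80) handshake."""
    syn = build_tcp_header(40000, 80, client_isn, 0, TCP_FLAGS["SYN"])
    syn_ack = build_tcp_header(80, 40000, server_isn, client_isn + 1,
                               TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])
    ack = build_tcp_header(40000, 80, client_isn + 1, server_isn + 1,
                           TCP_FLAGS["ACK"])
    return [syn, syn_ack, ack]

if __name__ == "__main__":
    pkts = sample_handshake()
    print([sorted(decode_flags(p)) for p in pkts])
    print(check_handshake(pkts))
```

Feeding only the first two headers leaves the state machine in SYN_RECEIVED, which is exactly the half-open state a SYN scan leaves behind on the target.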
Creating Custom Packet Using TCP Flags
Colasoft Packet Builder allows users to create customized network packets, which can be used for testing, troubleshooting, or even penetrating networks for attacks. It also supports the creation of fragmented packets for advanced network analysis.
Methodology
The Scanning Methodology consists of the following steps:
Checking for live systems (Host discovery)
Port Scanning
Scanning beyond IDS
Banner grabbing
Scanning Vulnerabilities
Network Diagram
Proxies

Checking for Live Systems
To begin, you need to identify active hosts within the target network. This is typically done using ICMP packets.
ICMP Scanning
ICMP scanning is a technique used to identify active hosts by sending ICMP Echo Requests. If a host responds with an ICMP Echo Reply, it confirms that the host is live and reachable on the network.

Ping Sweep
Ping Sweep is a technique used to identify live hosts across a large network. Instead of sending ICMP Echo Requests to individual IP addresses one by one, it sends requests to an entire range of addresses. Active hosts respond with ICMP Echo Reply packets, confirming their presence.
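From the defender's side, a ping sweep stands out because one source sends Echo Requests to many distinct hosts in a short time. The following Python is an added example (not from the original post) that runs that detection over constructed, simplified ICMP log lines; the log format, thresholds and addresses are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real capture): one ICMP event per line.
# 10.0.0.5 sweeps six hosts in six seconds, 10.0.0.9 is a monitoring host
# pinging one target repeatedly, 10.0.0.7 touches five hosts but slowly.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ICMP type=8 src=10.0.0.5 dst=10.0.1.1
2024-05-01T10:00:01 ICMP type=8 src=10.0.0.5 dst=10.0.1.2
2024-05-01T10:00:02 ICMP type=8 src=10.0.0.5 dst=10.0.1.3
2024-05-01T10:00:02 ICMP type=0 src=10.0.1.2 dst=10.0.0.5
2024-05-01T10:00:03 ICMP type=8 src=10.0.0.5 dst=10.0.1.4
2024-05-01T10:00:04 ICMP type=8 src=10.0.0.5 dst=10.0.1.5
2024-05-01T10:00:05 ICMP type=8 src=10.0.0.5 dst=10.0.1.6
2024-05-01T10:00:00 ICMP type=8 src=10.0.0.9 dst=10.0.1.1
2024-05-01T10:00:30 ICMP type=8 src=10.0.0.9 dst=10.0.1.1
2024-05-01T10:01:00 ICMP type=8 src=10.0.0.9 dst=10.0.1.1
2024-05-01T10:00:00 ICMP type=8 src=10.0.0.7 dst=10.0.1.1
2024-05-01T10:00:20 ICMP type=8 src=10.0.0.7 dst=10.0.1.2
2024-05-01T10:00:40 ICMP type=8 src=10.0.0.7 dst=10.0.1.3
2024-05-01T10:01:00 ICMP type=8 src=10.0.0.7 dst=10.0.1.4
2024-05-01T10:01:20 ICMP type=8 src=10.0.0.7 dst=10.0.1.5
"""

LINE_RE = re.compile(r"^(\S+) ICMP type=(\d+) src=(\S+) dst=(\S+)$")

def parse_icmp_log(text):
    """Return (timestamp, src, dst) for every ICMP Echo Request (type 8)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "8":      # Echo Replies (type 0) are ignored
            ts, _, src, dst = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst))
    return sorted(events)

def detect_ping_sweeps(events, threshold=5, window_seconds=10):
    """Flag sources that probe >= threshold distinct hosts within the window.

    A sliding window per source keeps a host that pings one target forever
    (monitoring) from being flagged, while a slow sweep that spreads its
    probes beyond the window stays below the threshold.
    """
    by_src = defaultdict(list)
    for ts, src, dst in events:          # events are already time-sorted
        by_src[src].append((ts, dst))
    window, alerts = timedelta(seconds=window_seconds), {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

if __name__ == "__main__":
    print(detect_ping_sweeps(parse_icmp_log(SAMPLE_LOG)))
```

Lowering the threshold and widening the window trades fewer missed slow sweeps for more false positives, which is the tuning decision a real IDS rule forces.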
Check for Open Ports
SSDP Scanning
SSDP (Simple Service Discovery Protocol) scanning is commonly used to discover Plug & Play devices through Universal Plug and Play (UPnP). SSDP supports both IPv4 and IPv6, making it versatile for modern networks.
Universal Plug and Play (UPnP) is a standard that lets network devices automatically find, communicate with and control each other.
Scanning Tool
Nmap
Nmap provides host discovery, port scanning, and service enumeration. It can also detect operating system versions, retrieve hardware (MAC) addresses, identify service versions, and uncover vulnerabilities or exploits using Nmap Scripting Engine (NSE).
Hping2 & Hping3
Hping is a command-line TCP/IP packet assembler and analyzer tool. It allows users to send customized packets and view target responses, similar to how the ping command displays ICMP Echo Replies.
Hping supports packet fragmentation, custom payloads, adjustable packet sizes, and file transfers. It works with multiple protocols, including TCP, UDP, ICMP, and RAW IP.
Scanning Techniques

Since I plan to cover Nmap's role in scanning techniques in detail, I'll separate that section to keep this blog post concise and focused.
Scanning Beyond IDS
Attackers use fragmentation and small packets to evade security devices such as firewalls and IDS/IPS. A common technique splits the payload into smaller packets so that security systems have a harder time detecting malicious activity. An IDS must reassemble the incoming packet stream before it can analyze it and detect an attack, so the small packets are further manipulated to make reassembly, and therefore detection, more difficult.
Another method of using fragmentation involves sending packets out of order with intentional delays between them. This technique disrupts proper reassembly, making it harder for security systems to detect malicious traffic. Attackers often route these fragmented packets through proxy servers or compromised machines to further obscure their origin and launch stealthy attacks.
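The defence against both tricks is the reassembly the passage describes: an IDS buffers fragments per IP Identification value, copes with out-of-order arrival, refuses overlapping fragments, and times out datagrams whose missing pieces never arrive. The Python below is an added example of that logic (not from the original post); the fragment representation, payload and timeouts are constructed for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class Fragment:
    ident: int      # IP Identification field shared by all fragments of a datagram
    offset: int     # Fragment Offset, in 8-byte units as in the IP header
    more: bool      # MF (More Fragments) flag; False marks the last fragment
    payload: bytes

@dataclass
class Pending:
    chunks: dict = field(default_factory=dict)  # byte offset -> payload
    total_len: int = None                       # known once the MF=0 fragment arrives
    first_seen: float = 0.0
    overlaps: int = 0                           # overlapping/duplicate fragments dropped

class Reassembler:
    """Buffers fragments per Identification value until the datagram is complete."""

    def __init__(self, max_age=30.0):
        self.pending, self.max_age = {}, max_age

    def add(self, frag, now=0.0):
        """Accept one fragment; return the full payload when it completes a datagram."""
        dg = self.pending.setdefault(frag.ident, Pending(first_seen=now))
        start, end = frag.offset * 8, frag.offset * 8 + len(frag.payload)
        for s, p in dg.chunks.items():
            if start < s + len(p) and s < end:
                dg.overlaps += 1      # keep the first copy; later overlaps are dropped
                return None
        dg.chunks[start] = frag.payload
        if not frag.more:
            dg.total_len = end
        return self._complete(frag.ident, dg)

    def _complete(self, ident, dg):
        if dg.total_len is None:
            return None
        pos = 0
        for s in sorted(dg.chunks):
            if s != pos:
                return None           # a gap remains: a fragment is missing or delayed
            pos = s + len(dg.chunks[s])
        if pos != dg.total_len:
            return None
        del self.pending[ident]
        return b"".join(dg.chunks[s] for s in sorted(dg.chunks))

    def expire(self, now):
        """Drop datagrams that never completed; return their Identification values."""
        stale = [i for i, dg in self.pending.items() if now - dg.first_seen > self.max_age]
        for i in stale:
            del self.pending[i]
        return stale

# Constructed 24-byte payload split into three 8-byte fragments and delivered
# out of order (last fragment first), as an evasion attempt might send them.
MESSAGE = b"hello, this is a test!!!"
OUT_OF_ORDER = [
    Fragment(7, 2, False, MESSAGE[16:24]),
    Fragment(7, 0, True, MESSAGE[0:8]),
    Fragment(7, 1, True, MESSAGE[8:16]),
]
```

A rising `overlaps` count or a steady stream of expired datagrams from one source is itself a useful detection signal, since normal traffic rarely produces either.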
OS Fingerprinting & Banner Grabbing
OS Fingerprinting is a technique used to identify the operating system running on a target machine. By analyzing system responses, attackers can determine vulnerabilities and potential exploits specific to that OS, aiding in targeted attacks.
The two types of OS Fingerprinting:
Active OS Fingerprinting
Passive OS Fingerprinting
Banner Grabbing is similar to OS fingerprinting but focuses on identifying the services running on a target machine. By retrieving service banners, attackers or security analysts can determine software versions, configurations, and potential vulnerabilities.
Active OS Fingerprinting or Banner Grabbing
Nmap can efficiently perform active banner grabbing to identify running services. Its OS detection capability works by sending specially crafted TCP and UDP packets and analyzing the target's response. A detailed assessment of these responses provides valuable clues, helping to determine the operating system type.
Passive OS Fingerprinting or Banner Grabbing
Passive OS Fingerprinting involves analyzing network traffic without directly interacting with the target. This method relies on inspecting packet attributes such as Time to Live (TTL) values and Window Size to infer the operating system, making detection stealthier compared to active scanning.
While monitoring network traffic, the TTL value is read from the IP header and the Window Size from the TCP header of the observed packets.


Draw Network Diagrams
Gaining access to a network requires a deep understanding of its architecture and detailed information. Key insights, such as security zones, security devices, routing infrastructure, and the number of hosts, help an attacker map out the network structure. Once a network diagram is created, it reveals both logical and physical pathways, guiding the attacker to their intended target.
An important consideration is that these tools generate network traffic, which can expose the presence of an attacker or penetration tester. Security systems may detect and flag unusual scanning activity, potentially leading to countermeasures.
Network Discovery Tool
OpManager is a powerful network monitoring tool that provides fault management and supports various network components, including WAN links, routers, switches, VoIP systems, and servers. It also offers performance management, ensuring optimal network efficiency.
Drawing Network Diagrams
SolarWinds Network Topology Mapper is a powerful tool for network discovery and topology visualization. It automatically maps networks and provides features like manual node editing, multi-level discovery, and Visio diagram export. The generated topology includes key details such as node names, IP addresses, hostnames, system names, machine types, vendors, system locations, and more.
Prepare Proxies
A proxy is an intermediary system that sits between an attacker and the target, masking the attacker's identity. Proxies play a crucial role in networks, often used by scanners to obscure their origin and prevent tracing back to the source.

Proxy Servers
A proxy server anonymizes web traffic by acting as an intermediary between the user and publicly available servers. When a user requests a resource, the proxy forwards the request on their behalf, helping to conceal their identity and enhance privacy.
The most common use of a proxy server is as a web proxy, which allows users to access the World Wide Web while bypassing IP address blocking. This helps in circumventing restrictions, enhancing privacy, and maintaining anonymity online.
Proxy Chaining
Proxy Chaining is a technique that involves routing traffic through multiple proxy servers for enhanced anonymity. In this process, one proxy server forwards the request to another, creating a chain that makes it more difficult to trace the original source.
While not recommended for production environments or as a long-term solution, this technique utilizes your existing proxy infrastructure to enhance anonymity.

Proxy Tool
Proxy Switcher
Proxy Workbench
TOR
CyberGhost
Introduction to Anonymizers
Anonymizer is a tool designed to completely hide or remove identity-related information, ensuring online activities remain untraceable and private.
Censorship Circumvention Tool
Tails
Tails (The Amnesic Incognito Live System) is a widely used censorship circumvention tool based on Debian GNU/Linux. It functions as a live operating system, running directly from a USB or DVD on almost any computer. Designed for privacy and anonymity, Tails enables users to browse the internet securely without leaving traces on the system.
Spoofing IP Address
IP Address Spoofing is a technique used to gain unauthorized access to systems by falsifying IP addresses. Attackers manipulate IP packets to impersonate a legitimate machine, making it appear as if the traffic originates from a trusted source.
The spoofing process involves modifying the IP header with a spoofed source IP address and recomputing the checksum and the ordering values. Packet-switched networking can cause packets to arrive at the destination in a different order; when these out-of-order packets are received, they are reassembled to extract the message.
Direct TTL probing
In Direct TTL Probing, packets are sent to a host suspected of spoofing, and the responses are analyzed. By comparing the TTL value in the reply with the TTL in the suspected spoofed packet, IP spoofing can be identified. If the TTL values do not match, the packet is likely spoofed.
However, TTL values can naturally vary in normal traffic, and this technique is most effective for detecting spoofing when the attacker is on a different subnet.

IPID
Additional probes are sent to check the IP Identification (IPID) of the host. If the IPID values are not sequential or closely related, the traffic is likely spoofed. This technique is particularly useful when the attacker is within the same subnet.
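As an added example (not from the original post), the Python below implements both spoofing checks described above from the defender's side: the TTL seen in the suspect packet is compared with the TTL in replies to probes of the claimed source, and the IPID values from those replies are tested for a sequential counter that the suspect packet should fit into. The packet attributes are constructed samples, the tolerance and window values are assumptions, and the code does not send probes itself.

```python
def initial_ttl_guess(observed_ttl):
    """Round an observed TTL up to the nearest common initial value (64, 128, 255)."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return None

def ttl_probe_check(suspect_ttl, reply_ttl, tolerance=1):
    """Direct TTL probing: a reply from the claimed source should carry (nearly)
    the same TTL as the suspect packet; a larger difference suggests spoofing.
    The tolerance absorbs small route changes, which normal traffic does show."""
    return abs(suspect_ttl - reply_ttl) <= tolerance

def ipid_check(reply_ipids, suspect_ipid, window=32):
    """IPID probing. Returns True if the host uses a sequential IP Identification
    counter and the suspect IPID lies near it, False if it is far away (likely
    spoofed), and None if the counter is not sequential (test inconclusive).
    All arithmetic is modulo 2**16 because the IPID field is 16 bits wide."""
    if len(reply_ipids) < 2:
        return None
    deltas = [(b - a) & 0xFFFF for a, b in zip(reply_ipids, reply_ipids[1:])]
    if not all(0 < d <= window for d in deltas):
        return None
    distance = min(min((suspect_ipid - p) & 0xFFFF, (p - suspect_ipid) & 0xFFFF)
                   for p in reply_ipids)
    return distance <= window

def assess_spoofing(suspect, probe_replies, ttl_tolerance=1, ipid_window=32):
    """Combine both checks. `suspect` holds {"ttl", "ipid"} of the packet under
    suspicion; `probe_replies` lists {"ttl", "ipid"} of replies to probes sent
    to the packet's claimed source address."""
    ttl_ok = any(ttl_probe_check(suspect["ttl"], r["ttl"], ttl_tolerance)
                 for r in probe_replies)
    ipid_ok = ipid_check([r["ipid"] for r in probe_replies], suspect["ipid"], ipid_window)
    if not ttl_ok or ipid_ok is False:
        verdict = "likely spoofed"
    elif ipid_ok:
        verdict = "consistent with claimed source"
    else:
        verdict = "inconclusive"
    return {"ttl_match": ttl_ok, "ipid_sequential": ipid_ok, "verdict": verdict,
            "suspect_initial_ttl": initial_ttl_guess(suspect["ttl"])}

# Constructed samples (no real capture). A genuine host 12 hops away with
# initial TTL 64 and a sequential IPID counter:
GENUINE = ({"ttl": 52, "ipid": 4101},
           [{"ttl": 52, "ipid": 4105}, {"ttl": 52, "ipid": 4106}, {"ttl": 52, "ipid": 4108}])
# A packet claiming that source but carrying a 128-based TTL and an unrelated IPID:
SPOOFED = ({"ttl": 117, "ipid": 52000},
           [{"ttl": 52, "ipid": 4110}, {"ttl": 52, "ipid": 4111}, {"ttl": 52, "ipid": 4112}])
# A host with randomised IPIDs: the IPID test cannot decide, the TTL still matches.
RANDOM_IPID = ({"ttl": 52, "ipid": 9000},
               [{"ttl": 52, "ipid": 31337}, {"ttl": 52, "ipid": 4}, {"ttl": 53, "ipid": 60000}])

if __name__ == "__main__":
    for name, case in (("genuine", GENUINE), ("spoofed", SPOOFED), ("random", RANDOM_IPID)):
        print(name, assess_spoofing(*case)["verdict"])
```

Many modern operating systems randomise IPIDs, so the inconclusive outcome is common in practice and the TTL check carries more weight when the suspected sender sits outside the local subnet.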
