Ethical Hacking V10 Module 2 - Footprinting And Reconnaissance

Transcription

Ethical Hacking v10, Module 2 – Footprinting and Reconnaissance

Footprinting and Reconnaissance

Goals
- Describe what footprinting is
- Describe what reconnaissance is
- Explain the different types of footprinting and reconnaissance
- Describe the difference between passive and active reconnaissance
- Describe footprinting methodology and tools
- Describe competitive intelligence gathering

Module 2.0 Footprinting and Reconnaissance
- 2.1 Footprinting Concepts
- 2.2 Footprinting Methodology
- 2.3 Footprinting Tools
- 2.4 Footprinting Countermeasures
- 2.5 Footprinting Penetration Testing

2.1 Footprinting Concepts

What is Footprinting?
- Footprinting is collecting as much information as possible about the target network for intrusion purposes
- Footprinting is the first step in planning an attack; it gathers sensitive information that is publicly available
Allows Attacker
- Knowledge of the organization's security posture
- Narrows down the attacker's focus to what he/she needs
- Identify vulnerabilities of target systems
- Outline the target organization's network infrastructure for entrance; construct a network map

Passive Footprinting
- No direct interaction
- Search engines
- Domain/subdomain searches
- Location information
- People searches
- Company financial information
- Infrastructure details
- Alert services
- Information gathering from groups, forums, blogs
- Competitive intelligence
- Online reputation
- Social media, social networking, groups, forums, blogs

Active Footprinting
- Query DNS
- Extract published document metadata
- Website spidering and mirroring
- Whois
- Traceroute
- Social engineering

Key Objectives of Footprinting
- Know the target's security posture
- Reduce the attacker's focus area
- Begin to identify vulnerabilities
- Begin to draw a network map

Collect Network Information
- Domain names
- Network zones
- IP addresses
- Rogue websites/private websites
- TCP/IP services that are running
- Access control and ACLs
- Network protocols used
- VPN information
- IDSs being used
- Analog/digital telephone information
- Authentication information
- System information

Collect System Information
- OS information
- Service version
- Users/groups
- System/service banners
- Routing tables
- SNMP information
- System architecture
- Remote systems/types
- System names
- Passwords

Collect Organization Information
- Employee information
- Website
- Company directory
- Location details
- Addresses/phone numbers
- HTML source code
- Security policies
- Web server links
- Organizational background
- News articles/press releases

2.2 Footprinting Methodology
- Organization's website
- Search engines
- People search
- Financial services
- Job sites
- Alerts
- Groups and forums

Finding Organization's Public and Restricted Websites
- Footprinting through search engines
- Footprinting using advanced Google hacking techniques
- Footprinting through social networking sites
- Website footprinting
- Email footprinting
- Competitive intelligence
- WHOIS footprinting
- DNS footprinting
- Network footprinting
- Footprinting through social engineering

Footprinting through Search Engines
- Attackers use search engines to extract information about a target
- Search engine caches and Internet archives may also provide sensitive information that has been removed from the World Wide Web
- Google, Yahoo, Bing, Ask, AOL, Baidu, DuckDuckGo

Determine Operating System
- Use Netcraft to determine the operating system in use by the target organization
- Use the SHODAN search engine to find computers, routers, servers, etc. using filters

Collect Location Information
- Use Google Earth to get the physical location of the target
- Google Maps, Wikimapia, National Geographic Maps, Yahoo Maps, Bing Maps

People Search – Social Networking Sites/People Search
- Social networks are a great source of personal and organizational information
- Use people search websites, which return a good deal of information:
- Residential addresses, email addresses, phone numbers
- Date of birth
- Photos and social networking profiles
- Blogs
- Satellite photos of residences
- Projects and operating environment

People Search Online Services: AnyWho, US vateEye, People Search Now, Public Background Checks

Gather Information Regarding Financial Services
- Financial services provide information about the target organization including:
- Market value
- Shares in the organization
- Organization's profile
- Competitors

Gather Information using Job Sites
- Tracking an organization can be accomplished by searching job postings
- Job requirements
- Employee profiles
- Hardware and software information
- Job sites: Monster, LinkedIn, CareerBuilder, Dice, Simply Hired, Indeed, USAJobs

Monitor Target Using Alerts
- Alerts monitor content and provide current information on a source
- Usually sent by email or SMS
- To receive alerts, register on the website
- Google Alerts, Yahoo Alerts, Twitter Alerts, Giga Alerts

Gather Information Using Groups, Forums, and Blogs
- Groups, forums, and blogs provide sensitive information about a target:
- Full name
- Place of work/residence
- Phone numbers
- Email addresses
- Pictures
- Upcoming events/projects/goals
- Attackers and ethical hackers can create fictitious profiles and attempt to join the target's employee and other groups
- Attempt to get information by searching by FQDN, IP addresses, etc.

2.3 Google Hacking

Google Advanced Search Operators
- Create complex search queries to extract sensitive information
- Helps to find vulnerabilities
- Uses advanced Google search operators to find specific text strings in results
- Advanced operators: cache, link, related, info, site, allintitle, intitle, allinurl, inurl
- https://www.google.com/advanced_search
- https://www.google.com/advanced image /index.html

Google Advanced Search
- Find sites that may link back to the target's website
- Extract information like partners, vendors, suppliers, clients, etc.
- Attackers and ethical hackers can more precisely and accurately search the web

Google Hacking Database
- Google Hacking Database (GHDB)
- Google Dorks: a search string that uses advanced search operators to find information that is not readily available on a website
- Can be used to find vulnerabilities, hidden information, and access pages on certain websites
- Considered an easy way of atabase/

GHDB Example

What to Get From Google Hacking
- Error messages that contain sensitive information
- Files that contain passwords
- Sensitive directories
- Pages that contain hidden login portals
- Advisories and server vulnerabilities
- Software version information
- Web app source code

2.4 Footprinting through Social Networking Sites

Information Gathered
- Present activity/physical location
- Job activities
- Company information
- Contact details: names, numbers, addresses, date of birth, photos
- Family & friends
- Property information
- Bank details
- Background and criminal checks

Social Networking Sites: Facebook, MySpace, LinkedIn, Twitter, Pinterest, Google, YouTube, Instagram

People Search Sites: pipl.com, Intelius.com, Beenverified.com, Spokeo.com, Anywho.com, Ussearch.com

InSpy
- Gathers information from LinkedIn
- Install in Kali Linux: apt install inspy
- Search LinkedIn for Google employees using the provided wordlist of possible job titles: inspy --empspy /usr/share/inspy/wordlists/title-list-large.txt Google
- Search for technologies (--techspy) in use at the target company (cisco) using the provided list of terms: inspy --techspy /usr/share/inspy/wordlists/tech-list-small.txt cisco

The Harvester
- Searches for hosts & email addresses
- Uses: DNS, search engines, LinkedIn, Twitter, PGP, Google, Netcraft, Yahoo, others

2.5 Website Footprinting

Website Footprinting
- Website footprinting is monitoring and analyzing the target's website for information
- Browse the target website
- Use Burp Suite, Zaproxy, Paros Proxy, Website Informer, Firebug to determine:
- HTML source code
- Examine/steal cookies
- Connection status and content-type
- Accept-Ranges and Last-Modified information
- X-Powered-By information
- Web server version
- Examine HTML sources
- Examine cookies

Web Spiders
- Web spiders automate searches on the target website and collect information: employee names, titles, addresses, email, phone and fax numbers, meta tags
- Adds to the footprinting and helps with social engineering attacks
- Tools: SpiderFoot, Visual SEO Studio, WildShark SEO Spider Tool, Beam Us Up SEO Spider, SEOScrapy, Screaming Frog, Xenu

Mirroring Entire Website
- Allows the attacker or ethical hacker to examine the entire website offline
- Helps gather information without making website requests that could be detected
- Web mirror tools allow a download of the website to a local directory: directories, HTML, images, Flash, videos, etc.
- You can take your time searching
- Need to copy slowly

Mirroring Entire Website Tools: HTTrack Website Copier, SurfOffline, Teleport Pro, Portable Offline Browser, GNU Wget, BlackWidow, NCollector Studio, Website Ripper Copier, PageNest, Backstreet Browser, Offline Explorer Enterprise, http://www.archive.org, WebWatcher

Extract Website Information using http://www.archive.org
- Allows access to archived versions of the website
- Copies the site as it was at the time
- You can find information that was subsequently deleted
- Not likely to have downloads

Monitoring Web Updating Using Website Watcher
- Automatically checks web pages for updates and changes
- Sends alerts to interested users

Website Updates Monitoring: Website Watcher, Visual Ping, Follow That Page, Watch That Page, Check4Change, OnWebChange, Infominder

Metadata Extraction
- Useful information might reside in PDF or Office files
- Use this hidden metadata to perform social engineering
- Tools: Metagoofil, ExtractMetadata, FOCA, Meta Tag Analyzer, BuzzStream, Analyze Metadata, ExifTool

2.6 Email Footprinting

Reading the Email Source Header
- Address from which the message was sent
- Sender's mail server
- Authentication system used by the sender's mail server
- Date and time of message
- Sender's name
- Reveals spoofed info
- Reveals bogus links and phishing techniques
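To show what reading a source header actually yields, here is an added Python example (not part of the course; the message is constructed with documentation-range addresses and example domains) that extracts the fields listed above and flags the mismatches that betray a spoofed sender, plus a link that points at a bare IP address. The Authentication-Results line is what a receiving mail server records after its own SPF/DKIM/DMARC checks.

```python
"""Pull the facts the slide lists out of an e-mail's source headers (origin
address, sender's mail server, authentication results, date) and flag the
inconsistencies that give away a spoofed sender or a phishing link.
Added example, not course material; the message below is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: From: claims example.com, but the message entered the
# mail path from another domain and failed SPF/DMARC at the receiving MTA.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [198.51.100.10]) by inbox.example.org with ESMTP; Tue, 05 Mar 2019 10:15:02 +0000
Received: from relay.example.net (relay.example.net [203.0.113.25]) by mx.example.org with ESMTP; Tue, 05 Mar 2019 10:15:01 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.org
Date: Tue, 05 Mar 2019 10:14:59 +0000
Subject: Password reset required
Content-Type: text/plain

Please sign in at http://203.0.113.77/reset to keep your account.
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


def analyze_headers(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].split("@")[-1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].split("@")[-1].lower()
    # Each hop prepends its own Received: line, so the last one names the
    # server that first handed the message over, i.e. the sender's mail server.
    received = msg.get_all("Received") or []
    m = RECEIVED_FROM.match(str(received[-1]).strip()) if received else None
    origin_server = m.group(1).lower() if m else None
    auth = {k.lower(): v.lower() for k, v in
            AUTH_RESULT.findall(str(msg.get("Authentication-Results", "")))}
    findings = []
    if return_path and return_path != from_domain:
        findings.append("Return-Path domain differs from From domain")
    if origin_server and not origin_server.endswith(from_domain):
        findings.append("first relay is outside the From domain")
    findings += [f"{mech} {res}" for mech, res in auth.items()
                 if res in ("fail", "softfail", "permerror")]
    # A link whose host is a bare IP address is a common phishing tell.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if BARE_IP_URL.search(body):
        findings.append("link points at a bare IP address")
    return {"from_domain": from_domain, "return_path_domain": return_path,
            "origin_server": origin_server, "auth": auth, "findings": findings,
            "date": parsedate_to_datetime(str(msg["Date"]))}
```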

Information Gathered from Email Tracking
- Recipient IP address
- Geolocation
- Email received and read
- Read duration
- Proxy detection
- Links
- OS and browser info
- Forwarded email
- Recipient device type

Email Tracking Tools: PoliteMail, Yesware, ContactMonkey, Zendio, ReadNotify, DidTheyReadIt, Trace Email, Email Lookup, Pointofmail, WhoReadMe, GetNotify, G-Lock Analytics

2.7 Competitive Intelligence Gathering

Information Gathered
- What are competitors doing?
- How are they positioning their products and services?

Competitive Intelligence Gathering (cont'd)
- When was this company started?
- What is its history?
- Where is it located?
- Who leads it?
- Sites to use: EDGAR database, Hoovers, LexisNexis, Business Wire

Competitive Intelligence Gathering
- Competitive intelligence gathering identifies, gathers, analyzes, and verifies information by utilizing the Internet
- Competitive intelligence is non-interfering and subtle

Direct Approach Sources
- Interact at trade shows
- Social engineering

Indirect Approach Sources
- Company websites
- Search engines
- Press releases and annual reports
- Trade journals, conferences, newspapers
- Patents and trademarks
- Social engineering employees
- Product catalogs and outlets
- Regulatory reports
- Customer and vendor interviews
- Clients, distributors, suppliers, etc.

Where is the Company Going? What are its Plans?
- Sources: MarketWatch, The Wall Street Transcript, Lipper Marketplace, Euromonitor, Experian, SEC Info, The Search Monitor

Competitive Intelligence: Experts on the Company
- Sources: ProQuest, Compete Pro, AttentionMeter, Copernic Tracker, Jobitorial, SEMrush

Monitoring Website Traffic
- The attacker or ethical hacker uses monitoring tools such as Web-Stat, Alexa, Monitis to collect information regarding the target's customer base:
- Total visits
- Page views
- Bounce rate
- Live visitors map
- Site ranking

Reputation of the Target
- Online Reputation Management (ORM) is monitoring a company's reputation on the Internet and acting on the data to improve that reputation
- Information gathered:
- Company's online reputation
- Company's search engine ranking
- Gathering online conversations
- Get any social news regarding the target

Tools for Tracking Online Reputation: Rankur, Social Mention, ReputationDefender, Naymz, BrandYourself, Google Alerts, WhosTalkin, PR Software, BrandsEye, Talkwalker

2.8 WHOIS Footprinting

WHOIS Lookup
- WHOIS databases are maintained by Regional Internet Registries and hold personal information of domain owners
- A WHOIS query returns:
- Domain name and details
- Owner information
- DNS servers
- NetRange
- When created
- Expiry
- Last update
- Can aid the attacker or ethical hacker with social engineering

Regional Internet Registries (RIRs): ARIN, AFRINIC, RIPE, APNIC

WHOIS Lookup Tools: LanWhoIs, Batch IP Converter, CallerIP, WhoIs Lookup Multiple Addresses, WhoIs Analyzer Pro, HotWhoIs, ActiveWhoIs, WhoisThisDomain, SoftFuse Whois, Whois, Domain Dossier, BetterWhois, Whois Online, Web Wiz, Network-Tools.com, DNSstuff, Network Solutions Whois, WebToolHub, UltraTools

WHOIS Mobile Tools: DNS Tools, UltraTools Mobile, Whois Lookup Tool

2.9 DNS, Logical, and Geographical Footprinting

DNS Lookup Example

TLDs, Domains, and Subdomains
- TLD: org
- Domain: eccouncil
- Subdomain: sales
- Search tools: Netcraft, Sublist3r

Sublist3r
- Install in Kali: apt install sublist3r
- sublist3r -d domain

Extracting DNS Information
- Attackers use DNS data to find key hosts on the target's network
- Examine DNS record types:
- A – host
- MX – mail server
- NS – name server
- CNAME – alias
- SOA – authority for domain
- SRV – service records
- PTR – maps IP address to hostname
- RP – responsible person
- HINFO – host information record (CPU type/OS)
- TXT – unstructured text record
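As the defender's side of the record list above, here is an added Python example (not course material; the example.com zone is constructed) that parses a simple one-record-per-line BIND zone and flags the records that give a footprinter the most: HINFO, RP, descriptive TXT strings, and A records that expose internal RFC 1918 addressing. It is the kind of check behind the later countermeasure of discovering and removing sensitive information from public view.

```python
"""Audit a public zone for record types from the slide that tell a footprinter
more than a resolver needs: HINFO (CPU/OS), RP (a named contact), descriptive
TXT records and A records carrying RFC 1918 (internal) addresses.
Added example, not course material; the zone below is constructed."""
import ipaddress

# Constructed zone, BIND presentation format: one record per line, '@' is the
# apex, names without a trailing dot are relative to $ORIGIN.
ZONE = """\
$ORIGIN example.com.
@        IN SOA   ns1.example.com. hostmaster.example.com. 2019030501 7200 900 1209600 300
@        IN MX    10 mail.example.com.
www      IN A     192.0.2.10
mail     IN A     192.0.2.25
intranet IN A     10.1.20.5
www      IN HINFO "Intel-x86" "Ubuntu 16.04"
www      IN RP    j.doe.example.com. j-doe.example.com.
mail     IN TXT   "Postfix 3.1 on Debian 9, see IT wiki"
@        IN TXT   "v=spf1 mx -all"
"""

RECORD_TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "SOA", "SRV", "PTR", "RP", "HINFO", "TXT"}
LEAKY_TXT_WORDS = ("version", "windows", "linux", "debian", "ubuntu", "server", "wiki")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Return (owner, type, rdata) tuples with '@' and relative names expanded."""
    origin, records = "", []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
        if not fields or fields[0].startswith("$"):
            continue                       # blank line or directive: no record
        i = 1                              # skip optional TTL / class tokens
        while i < len(fields) and fields[i] not in RECORD_TYPES:
            i += 1
        if i == len(fields):
            continue
        name = origin + "." if fields[0] == "@" else fields[0]
        owner = name[:-1] if name.endswith(".") else f"{name}.{origin}"
        records.append((owner, fields[i], " ".join(fields[i + 1:])))
    return records


def audit_zone(text):
    """Flag records a footprinter would harvest: (owner, type, reason) per finding."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "HINFO":
            findings.append((owner, rtype, "publishes CPU/OS: " + rdata))
        elif rtype == "RP":
            findings.append((owner, rtype, "names a responsible person: " + rdata))
        elif rtype == "TXT" and any(w in rdata.lower() for w in LEAKY_TXT_WORDS):
            findings.append((owner, rtype, "descriptive text: " + rdata))
        elif rtype == "A" and any(ipaddress.ip_address(rdata) in n for n in RFC1918):
            findings.append((owner, rtype, "internal address in a public zone: " + rdata))
    return findings
```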

Extracting DNS Information
- Domain Dossier
- DNS Lookup
- Google search: “domains owned by ”

DNS Interrogation Tools: DIG, myDNSTools, Professional Toolset, DNS Records, DNSData View, DNSWatch, DomainTools, DNS Query Utility, DNS Lookup

Location Search Tools: Google Maps, Google Earth, Wikimapia, National Geographic Maps, Yahoo Maps, Bing Maps

2.10 Network Footprinting

Locate Network Range
- Assists an attacker in mapping the target network
- Find it in the ARIN WHOIS database search
- Using the Regional Internet Registry (RIR)

Traceroute
- Traceroute programs use the ICMP protocol and the TTL field to discover routers on the path to a target's host
- Attackers can extract information regarding network topology, trusted routers, and firewall locations
- Assists in building the network map (diagram)

Online Traceroute Example: https://www.monitis.com/traceroute/ and https://centralops.net/co/

Traceroute Tools: Path Analyzer Pro, VisualRoute, Network Pinger, GEOSpider, vTrace, Trout, Roadkil's Trace Route, Magic NetTrace, 3D Traceroute, AnalogX HyperTrace, Network Systems Traceroute, Ping Plotter

2.11 Footprinting through Social Engineering

Footprinting through Social Engineering
- Social engineering is a way to exploit human behavior to get sensitive and sometimes confidential information
- Social engineers depend on deceiving their contacts
- Social engineers gather:
- Credit card information
- Usernames and passwords
- Security products used
- Operating systems and software and their versions
- Network map
- IP addresses and server names

Footprinting through Social Engineering (cont'd)
- Techniques: eavesdropping, shoulder surfing, dumpster diving, impersonation on social networking sites

Eavesdropping, Shoulder Surfing, Dumpster Diving
Eavesdropping
- Unauthorized listening to conversations
- Interception of any form of communication
Shoulder Surfing
- Attackers secretly observe a target
- Gather passwords, personal identification, credit card information
Dumpster Diving
- Looking for sensitive information in the literal trash
- Can get phone bills, contacts, clients, suppliers, vendors, all from trash bins

2.12 Footprinting Tools
- Maltego
- Recon-ng
- FOCA
- Additional footprinting tools

Maltego
- Maltego is a program used to find relationships and links between people, groups, companies, organizations, websites, Internet infrastructure, phrases, documents, files, etc.

Maltego Example

Recon-ng
- Recon-ng is a web reconnaissance framework with modules, database interaction, built-in functions, interactive help, and commands that provides the ability to do web-based reconnaissance

Recon-ng Example

FOCA
- Fingerprinting Organizations with Collected Archives is a tool to get metadata and hidden information from scanned documents
- FOCA can be used to initiate multiple attacks to extract metadata and conduct network analysis, DNS searches, fingerprinting, directory searches, etc.

FOCA Example

Netcraft.com
- Internet security and data mining
- Anti-fraud and anti-phishing services
- Application testing and PCI scanning
- Internet analysis
- Market share of web servers, operating systems, hosting providers, and SSL certificate authorities

Shodan.io
- Search engine for Internet-connected devices
- IoT, power plants, security, buildings, the Web, webcams
- Search term examples: VoIP, VPN, webcamxp

Shodan Example

Censys.io
- Helps information security practitioners discover, monitor, and analyze devices that are accessible from the Internet
- Regularly probes every public IP address and popular domain names
- Curates and enriches the resulting data
- Makes it intelligible through an interactive search engine and API
- Assess your network attack surfaces
- Discover new threats
- Determine global impact

2.13 Footprinting Penetration Testing
- Footprinting pen testing

Footprinting Penetration Testing
- Footprinting penetration testing allows the ethical hacker to see what information is publicly available
- It is advisable to get as much information as is publicly available
- Prevent DNS information from being publicly available
- Prevent information leakage
- Prevent social engineering

Footprinting Penetration Testing (cont'd)
- Get authorization
- Define scope
- Use search engine footprinting
- Use Google hacking
- Use social networking sites
- Use website footprinting
- Use email footprinting
- Gather competitive intelligence

Footprinting Penetration Testing (cont'd)
- Perform WHOIS footprinting
- Perform DNS footprinting
- Perform network footprinting
- Perform social engineering
- Document all findings

Countermeasures
- Restrict employees
- Configure web servers
- Educate employees regarding social media
- Control press releases, annual reports, product catalogues
- Limit what is published on the Internet
- Discover and remove sensitive information from public view
- Monitor caching techniques
- Enforce security policies
- Restrict zone transfers
- Disable directory listings
- Opt in to all privacy policies

Countermeasures (cont'd)
- Opt in for privacy services on the WHOIS lookup database
- Avoid domain-level cross-linking
- Encrypt and password-protect sensitive information

Footprinting and Reconnaissance Review
- Footprinting gathers as much information as possible in advance about a target
- Can be passive or active
- Usually subtle/unnoticeable
- Can include: advanced online services, social media, company intelligence gathering, website cloning, some social engineering

Lab 2: Footprinting and Passive Reconnaissance
