Footprinting and Reconnaissance

What is Footprinting?

Footprinting is the first phase of a penetration test (and of a real attack). It is the process of collecting as much information as possible about a target in order to identify likely weak points and entry points, so that the later phases of the attack are as effective as possible.

Attackers gather information using public resources available on the Internet, in the physical world (dumpster diving, for example) or through social engineering. They try to find the specific areas where they should focus their efforts, identify vulnerabilities in the systems in order to select the appropriate attack methodologies and/or exploits, and draw a map of the organization’s network. In general, they need to learn as much as they can about the target and find as much information as possible that can help them in the next phases of the attack.

There are some clear objectives during footprinting, like:

  • Collect network information: domain names, internal domain names, network blocks, IP addresses of the reachable systems, rogue websites, private websites, TCP and UDP services running, access control mechanisms and ACLs, network protocols, VPN endpoints, IDSes running, analog and digital phone numbers, authentication mechanisms, system enumeration, …
  • Collect system information: user and group names, system banners, routing tables, SNMP information, system architecture, remote system type, system names, passwords, …
  • Collect organization’s information: employee details, organization’s website, company directory, location details, addresses and phone numbers, comments in HTML source code, security policies implemented, web server links relevant to the organization, background of the organization, news articles, press releases, …

Obviously, each attacker has their own style and methodology, but a very basic one can be:

  1. Footprinting through search engines.
  2. Footprinting using advanced search engine hacking techniques, like Google hacking.
  3. Footprinting through social network sites.
  4. Website footprinting.
  5. Email footprinting.
  6. Competitive intelligence.
  7. WHOIS footprinting.
  8. DNS footprinting.
  9. Network footprinting.
  10. Footprinting through social engineering.

Footprinting through search engines

Attackers use search engines to extract information about a target such as technology platforms, employee details, login pages, intranet portals, etc., which can help them perform social engineering attacks and other types of advanced attacks. Search engine caches and Internet archives can give us useful information that has already been removed from the websites.

And think big, like attackers do. We have tools like Netcraft that can give us a lot of information about the target, like subdomains or the operating systems running. We have search engines like Shodan that allow us to find specific computers or devices connected to the Internet. You can find useful information using map apps like Google Maps, Bing Maps, … Social network sites and people search engines like Facebook, LinkedIn, Pipl, etc. There are tons of people directories and social networks where people give away all their personal details and huge amounts of private information without realizing it. Financial services web pages, job sites, forums, blogs, groups, … plenty of places to gather information about a target.

Footprinting using advanced search engine hacking techniques

Nowadays, the different search engines provide us with a rich query syntax to refine our searches and, in the same way this helps users perform more accurate searches, it allows attackers to find and extract sensitive or hidden information. Let’s take Google for example: it offers multiple operators (site:, inurl:, intitle:, filetype:, …) to narrow a search down and find resources that are not easily accessible, such as exposed login pages, directory listings or documents indexed by mistake. An easy way to use some of these operators is the Google advanced search page. This technique is very useful and very well known; we can even find databases of ready-made dorks to make our life even easier, like the GHDB (Google Hacking Database).

Footprinting through social network sites

I have spoken about it in the first point but I need to do it again: you cannot imagine the huge amount of information an attacker can find through social networks. And we shouldn’t restrict our operations to searches: we can create fake profiles to lure employees into giving up sensitive information. From the users’/employees’ point of view, an attacker can gather: contact info, location, friends lists, family lists, interests, activities, … From the company’s point of view, an attacker can gather: business strategies, product profiles, contact points for social engineering, platform/technology information, type of business, … And more and more and more.

Website footprinting

Very interesting information can be gathered from the company’s website: software used and its version, operating system, sub-directories and parameters, filenames, paths, database field names or queries, scripting platform, contact details and CMS details. Using tools like HTTP proxies (Burp Suite, OWASP ZAP, …) we can view the response headers (Server, X-Powered-By, Set-Cookie, …) with information about the web server and the platform behind it. Examining the source code we can find the file system structure, contact details, script type, interesting undeleted comments and cookie information. And we do not need to do the search ourselves: there are tools called web spiders (crawlers) that can do it for us, or we can do it offline by mirroring the entire website. In addition to the search engine caches, we can use archive.org (the Wayback Machine) to find content that was online and has since been removed. Documents with metadata (author names, usernames, software versions, internal paths) can be found there too.
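To make the previous paragraph concrete, here is a small script that does by hand what you would otherwise read off a Burp or ZAP history entry: it takes one captured HTTP response and pulls out the server banner, the platform hints in the X-Powered-By header and the session cookie names, the CMS generator tag, the HTML comments, the paths and documents linked from the page and any e-mail addresses. This is example code added to this post, not a tool mentioned in it; the response it parses is constructed, and the hostnames, cookies and paths in it are made up.

```python
"""Fingerprint a web server from one captured HTTP response (added example)."""
import re

# Constructed HTTP response, as it would appear in a proxy history entry.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 5.4">\n'
    "<!-- TODO: remove old admin panel at /old-admin/ before launch -->\n"
    '<script src="/wp-content/themes/corp/js/main.js?ver=1.2"></script>\n'
    '<link rel="stylesheet" href="/wp-content/themes/corp/style.css">\n'
    "</head><body>\n"
    '<a href="/wp-content/uploads/2020/report-final.pdf">Annual report</a>\n'
    "<!-- contact: webmaster@example.com -->\n"
    "</body></html>\n"
)

# Session cookie names that give away the platform behind the web server.
COOKIE_HINTS = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
    "csrftoken": "Django",
    "wordpress_test_cookie": "WordPress",
}
# Linked documents worth downloading later for a metadata check.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")


def split_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers, body


def fingerprint(raw):
    """Collect the footprinting-relevant facts from one HTTP response."""
    _, headers, body = split_response(raw)
    info = {"server": None, "powered_by": None, "generator": None,
            "cookies": [], "stacks": set(), "comments": [],
            "paths": set(), "documents": set(), "emails": set()}

    for name, value in headers:
        if name == "server":
            info["server"] = value
        elif name == "x-powered-by":
            info["powered_by"] = value
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            info["cookies"].append(cookie_name)
            hint = COOKIE_HINTS.get(cookie_name.lower())
            if hint:
                info["stacks"].add(hint)

    # Things developers leave in the HTML: generator tag, comments, paths, addresses.
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    if m:
        info["generator"] = m.group(1)
        info["stacks"].add(m.group(1).split()[0])
    info["comments"] = [c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.S)]
    # Paths without query string or fragment, so main.js?ver=1.2 becomes main.js.
    info["paths"] = set(re.findall(r'(?:src|href)="(/[^"?#]*)', body))
    info["documents"] = {p for p in info["paths"] if p.lower().endswith(DOC_EXTENSIONS)}
    info["emails"] = set(re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", body))

    # Sets become sorted lists so the report is deterministic.
    for key in ("stacks", "paths", "documents", "emails"):
        info[key] = sorted(info[key])
    return info


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key:10}: {value}")
```

Run against a real capture, the same function takes the response text saved from the proxy; the cookie table is the part to extend, because the session cookie name is often the only platform hint left once the Server and X-Powered-By headers have been stripped. Remember that everything here is a hint, not proof: banners can be changed, and a reverse proxy may answer for several very different backends.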

Email footprinting

We can take two different paths here. The first one is to examine the email headers: the Received chain, the Message-ID and the X-Mailer fields can reveal the sender’s mail servers, internal IP addresses and hostnames, and the mail client in use. The second path is to use email tracking tools (typically a unique link or a tracking image embedded in a message we send) to learn when and from where the recipient opened it, the IP address and User-Agent of the client, and so on.
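As an added example of the first path (this is not a tool from the post, just code written for it), the script below reads a raw message with the standard library and walks the Received chain from the oldest hop to the newest, separating RFC 1918 addresses leaked from the sender’s LAN from the public address the message was submitted from, and also reads the host part of the Message-ID and the X-Mailer header. The message it parses is constructed: the hostnames are made up and the public addresses come from the RFC 5737 documentation ranges.

```python
"""Pull infrastructure hints out of raw email headers (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message, as the recipient would see it in "show original".
SAMPLE_MESSAGE = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
\tby mx.receiver.test (Postfix) with ESMTPS id 4F2A1C0
\tfor <victim@receiver.test>; Mon, 02 Mar 2020 10:15:02 +0000 (UTC)
Received: from [10.20.30.40] (unknown [198.51.100.25])
\tby mail.example.com (Postfix) with ESMTPSA id 0B6E1A2
\tfor <victim@receiver.test>; Mon, 02 Mar 2020 10:15:01 +0000 (UTC)
From: Jane Doe <jane.doe@example.com>
To: victim@receiver.test
Subject: Q1 planning
Date: Mon, 02 Mar 2020 10:15:00 +0000
Message-ID: <20200302101500.12345@wks-jdoe.corp.example.com>
X-Mailer: Microsoft Outlook 16.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Body text is irrelevant for footprinting.
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 ranges: an address from these in a Received: header leaked from the sender's LAN.
# (ipaddress.is_private is not used because it also flags the RFC 5737 test ranges.)
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def parse_received(value):
    """Break one Received: header into the sending side and the receiving MTA."""
    value = " ".join(value.split())          # unfold continuation lines
    from_part, _, by_part = value.partition(" by ")
    hop = {"from_host": None, "from_ips": IPV4_RE.findall(from_part),
           "by_host": None, "mta": None}
    m = re.match(r"from\s+(\S+)", from_part, re.I)
    if m:
        hop["from_host"] = m.group(1)
    m = re.match(r"(\S+)(?:\s+\(([^)]*)\))?", by_part)   # "host (software) with ..."
    if m:
        hop["by_host"], hop["mta"] = m.group(1), m.group(2)
    return hop


def analyse(raw_message):
    """Summarise what the headers of one message reveal about the sender's side."""
    msg = message_from_string(raw_message)
    # Each MTA prepends its Received: header, so the last one is the first hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    all_ips = [ip for hop in hops for ip in hop["from_ips"]]
    internal = sorted({ip for ip in all_ips if is_internal(ip)})
    public = [ip for ip in all_ips if not is_internal(ip)]
    message_id = (msg.get("Message-ID") or "").strip("<> ")
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "origin_ip": public[0] if public else None,   # first public IP on the path
        "internal_ips": internal,
        "message_id_host": message_id.rpartition("@")[2],  # often the sender's workstation
        "mailer": msg.get("X-Mailer"),
        "mtas": sorted({hop["mta"] for hop in hops if hop["mta"]}),
        "hops": hops,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MESSAGE).items():
        print(f"{key:16}: {value}")
```

On the constructed message this gives the submitting client’s public address, one internal 10.x address, a workstation name that hints at the internal naming convention (user initial plus surname, corp.example.com), the mail client and the MTA software. One caveat a practitioner should keep in mind: only the Received header added by your own receiving server is trustworthy; every hop below it was written by the sender’s infrastructure and can be forged, so treat those lines as leads to verify, not facts.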

Competitive intelligence

Information about competitors can be very useful too, especially for social engineering attacks: company history, company plans, expert opinions, website traffic, reputation, etc. Any of this can be useful.

WHOIS footprinting

WHOIS is a set of databases maintained by the domain registries and registrars (for domain names) and by the Regional Internet Registries (for IP address blocks and AS numbers). A WHOIS record contains the registrant’s contact details (often redacted or hidden behind a privacy service since GDPR), the registrar, the name servers, and the creation and expiry dates of the domain or the netblock assignment, which tells us who owns what and where to look next.

DNS footprinting

Attackers can gather DNS information (A, AAAA, MX, NS, TXT and SOA records, reverse lookups of the netblocks found through WHOIS, and occasionally a misconfigured server that still allows a full zone transfer) to determine the key hosts in the network, and can use those names and addresses in social engineering attacks.

Footprinting through social engineering

Attackers can do things like eavesdropping, shoulder surfing, dumpster diving or impersonation (in person, by phone or on social networking sites) to obtain interesting and useful information.

There are literally hundreds, probably thousands of tools useful for this phase of the attack. It would be impossible to list all of them here, but I hope these lines are enough to highlight the importance of this phase.

See you.
