# Footprinting overview

Version: 1.0.2

- Also known as fingerprinting or reconnaissance
- 📝 Gathering information about a target system
  - E.g. software, network protocols, operating systems or hardware devices.
  - End goal is to find a way to break into the system.
- 🤗 Often offered as a separate service bought by companies to check against leaks and to see what data is out there.
- See also
  - Reconnaissance | Hacking stages
  - Information Gathering | Penetration testing phases

## Passive footprinting

- Also known as passive reconnaissance, passive fingerprinting or passive information gathering
- 📝 No direct contact with target
  - Relies on information that is publicly available.
  - Most difficult to detect
- E.g.
  - News
  - Job postings
  - WHOIS databases
  - Government records
  - Document sifting
  - Dumpster diving | Social engineering
  - Competitive analysis
  - Browser search
  - Map lookup
  - DNS lookup
  - Facebook/Twitter search

### Open-source intelligence (OSINT)

- 📝 Collection and analysis of information that is gathered from public, or open, sources
- ❗ "Open-source" is unrelated to open-source software or collective intelligence
- Categories:
  - Media
  - Internet
  - Public government data
  - Professional and academic publications
  - Commercial data
  - Grey literature
- Tool collections: awesome-osint (list of tools), OsintFramework (graph of tools)

### Competitive intelligence

- Also known as competitive analysis
- Assessment of the strengths and weaknesses of current and potential competitors
- Tools include

## Active footprinting

- Also known as active reconnaissance, active fingerprinting or active information gathering
- 📝 Direct contact with target
- Possible for target to be aware, e.g. through tasks that may be logged or recorded
- Examples
  - Buying beers for company employees to see what you can extract.
  - Network mapping with nmap, perimeter mapping, port scanning, web profiling...
  - E-mail tracking
  - Phishing scheme with an email
  - Querying name servers
  - File metadata
  - Social engineering
  - Extracting DNS information
  - Traceroute analysis
- 💡 Easier to start with passive footprinting by gathering all publicly available data, then organizing it and putting it in one place. Then use active footprinting, starting to probe ports, networks, possible vulnerabilities etc.
- 💡 Good to learn more about the staff (employees) of a company: through them you can learn a lot more and gain a lot more access, e.g. contact them through social media and start a conversation, or join a conference that you see the person is attending on LinkedIn and meet them.

## Footprinting information

- Network information
  - Domains, subdomains
  - IP addresses
  - Whois and DNS records
  - VPN firewalls using e.g. ike-scan
- System information
  - Web server operating systems
  - Server locations
  - Users
  - Passwords
- Organization information
  - Employee information
  - Organization's background
  - Phone numbers
  - Locations

## Footprinting objectives

- Learn security posture
  - Analyze security
  - Find loopholes
  - Create an attack plan
- Identify focus area
  - Narrow down the range of IP addresses.
- Find vulnerabilities
  - Identify weaknesses in the target's security.
- Map the network
  - Graphical representation of the target's network as a guide during the attack.

## Footprinting tools

- Collect and visualize information e.g.
  - IP location
  - Routing
  - Business
  - Address
  - Phone number
  - Social security number
  - Source of an email and a file
  - DNS
  - Domain

### Maltego

- 📝 Proprietary software for open-source intelligence (OSINT)
- Provides graphical links for investigative tasks.

### Recon-ng (The Recon-ng Framework)

- Open-source CLI tools for open-source web-based reconnaissance

### FOCA (Fingerprinting Organizations with Collected Archives)

- Open-source tool to find metadata and hidden information in documents:
  - Finds documents (e.g. PDF, SVG) through search engines or manual upload
  - Analyzes them and identifies which documents were created by the same team, using which servers/clients.
### Recon-dog

- Open-source CLI tool, self-described as a "Reconnaissance Swiss Army Knife"
- Can extract targets from STDIN (piped input) and act upon them
- Passive reconnaissance tool extracting all information through APIs without any contact with the target

### Dmitry (DeepMagic Information Gathering Tool)

- CLI tool to analyze a website, e.g. `dmitry https://cloudarchitecture.io`
  - Performs WHOIS lookup on IP and domain
  - Retrieves Netcraft information
  - Searches for subdomains/email addresses
  - Performs TCP scanning
  - Grabs banner for each port

## Footprinting reports

- Includes
  - Details about the performed tests
  - Used techniques
  - Test results
- It should also include
  - List of vulnerabilities and how they can be fixed
    - E.g. wrong configuration in a webserver because you're allowing a forward and somebody is using your proxy for reflection attacks.
    - Reflection attack = a packet is sent from A to B, where A gives a wrong (spoofed) source IP; used for DDoS attacks.
  - List of sources of information e.g. DNS, social media, social engineering.
  - List of what information was gathered from each source
    - E.g. login pages, technologies, files, contact details, GPS location, IP address, email servers.
- Should be kept highly confidential

## Footprinting countermeasures

- Enforcing security policies
- Educating employees about security threats
  - Raises awareness, reduces risks dramatically
- Encrypting sensitive information
  - 💡 Use proper encryption everywhere
  - 🤗 Many companies use VPN/proxy with encryption for outside communication, but services communicate with each other without any encryption.
- Disabling protocols that are not required
- Proper service configuration
  - Double check all services that the application depends on.
  - Do not disable/enable configuration without knowing the consequences.
- Scrutinize information released to the public domain
  - E.g. you post on social media which routers the company has just bought
    - Allows a hacker to know the default router configurations, get an image of the router's OS and conduct tests in a VM
- Limit site caching
  - Inform search engines what they're supposed to index through e.g. `robots.txt`
  - E.g.

    ```txt
    User-agent: *
    Disallow: /
    ```

    prevents indexing any page (`Disallow: /`) for any crawler (`User-agent: *`)
- Use Whois Guard
- Restricting access to social media
  - Extra risk as you click on many links and give away the company's IP address
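Added example (not from the original notes) that evaluates what the `robots.txt` rule above actually permits, using Python's standard-library `robotparser` on policy text supplied as a string; the host name and the second, more selective policy are constructed placeholders:

```python
"""Evaluate a robots.txt policy offline with the standard-library parser."""
from urllib.robotparser import RobotFileParser

# Policy quoted in the countermeasures section: no crawler may fetch anything.
DENY_ALL = """\
User-agent: *
Disallow: /
"""

# Constructed policy (not from the notes): hide only /internal/ from generic
# crawlers and block one named crawler entirely.
SELECTIVE = """\
User-agent: *
Disallow: /internal/

User-agent: ExampleBot
Disallow: /
"""

SITE = "https://www.example.com"  # placeholder host; nothing is fetched


def can_fetch(policy_text: str, user_agent: str, path: str) -> bool:
    """True if a crawler identifying as `user_agent` may fetch `path`.
    The policy is parsed from text (e.g. the file in the web root),
    so the check never touches the network."""
    parser = RobotFileParser()
    parser.parse(policy_text.splitlines())
    return parser.can_fetch(user_agent, SITE + path)


def disallowed_paths(policy_text: str) -> list:
    """Every Disallow target the file publishes. robots.txt is advisory and
    readable by anyone, so each path listed here is itself disclosed;
    sensitive URLs need access control, not just a Disallow line."""
    paths = []
    for line in policy_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    print(can_fetch(DENY_ALL, "Googlebot", "/index.html"))       # False
    print(can_fetch(SELECTIVE, "Googlebot", "/index.html"))      # True
    print(can_fetch(SELECTIVE, "Googlebot", "/internal/x.pdf"))  # False
    print(can_fetch(SELECTIVE, "ExampleBot", "/index.html"))     # False
    print(disallowed_paths(SELECTIVE))  # ['/internal/', '/']
```

Running `disallowed_paths` against your own file is a quick review of what the Disallow lines reveal to anyone who reads them.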