Reconnaissance and Footprinting
Lecture 2
Lecture Objectives
• Perform passive reconnaissance
• Perform active reconnaissance
• Gather information from public sources

CYB234_Lecture#2 2
Reconnaissance
• Reconnaissance/Footprinting is the process of collecting as much
information as possible about a target system, to identify various
ways to intrude into an organization's system.
• One of the first steps will be to gather as much information as you can
about the target network.
• When conducting a black box test, you will be provided very little
information, and must find it all out on your own.
• Reconnaissance Types:
• Passive Reconnaissance
• Active Reconnaissance

Passive Reconnaissance Techniques
• Passive reconnaissance is the process of gathering information about
a target network without actually connecting to the network.
• We will examine some tools and techniques for performing passive
reconnaissance.
• Netcraft
• BuiltWith
• Shodan
• Social Media
• Google Searching

Active Reconnaissance Techniques
• Because in passive reconnaissance the attacker never actually connects
to the target system, it is impossible for an intrusion detection system
(IDS) to detect the scan.
• Active scans are far more reliable but may be detected by the target
system.
• There are a few types of active scans:
• Port Scanning
• Enumeration
• Wireshark
• Maltego
• OSINT Tools
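The detectability of active scans is exactly what a defender relies on. As an added example (not part of the lecture), the following runs a simple port-scan detector over constructed firewall-style log lines, flagging any source that touches at least `threshold` distinct destination ports within a sliding time window; the log format, the threshold and all addresses are constructed for illustration.

```python
# Added example (not from the lecture): flag sources that probe many distinct
# ports in a short window. The key=value log format below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 sweeps ten ports, 198.51.100.7 is a
# normal client using two services.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp action=deny
2024-05-01T10:00:00 src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp action=allow
2024-05-01T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp action=deny
2024-05-01T10:00:01 src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp action=allow
2024-05-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=25 proto=tcp action=deny
2024-05-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp action=allow
2024-05-01T10:00:03 src=203.0.113.5 dst=192.0.2.10 dport=110 proto=tcp action=deny
2024-05-01T10:00:03 src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp action=allow
2024-05-01T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=143 proto=tcp action=deny
2024-05-01T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp action=allow
2024-05-01T10:00:05 src=203.0.113.5 dst=192.0.2.10 dport=3306 proto=tcp action=deny
2024-05-01T10:00:05 src=203.0.113.5 dst=192.0.2.10 dport=3389 proto=tcp action=deny
"""

def parse_line(line):
    """Return (timestamp, src, dport) from one key=value log line."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv["src"], int(kv["dport"])

def detect_port_scans(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {src: sorted ports} for every source that touched at least
    `threshold` distinct destination ports within any `window` of time."""
    events = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in log_text.strip().splitlines():
        ts, src, dport = parse_line(line)
        events[src].append((ts, dport))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until every hit in it is within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts[src] = sorted(ports)
                break
    return alerts
```

Calling `detect_port_scans(SAMPLE_LOG)` reports only 203.0.113.5; the two-service client stays below the threshold.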
Passive Reconnaissance Techniques
Netcraft
• Netcraft is a UK company that tracks websites. From this data, they’re able to calculate market share for web servers, uptime, etc. Another service is data about websites. This data can be extremely valuable to the hacker.

Netcraft
• https://www.netcraft.com
• Choose What's that site running?
• Type any website URL
• Then press: LOOK UP

BuiltWith
• https://builtwith.com
• Type any website URL
• Then press: lookup

Shodan
• https://www.shodan.io
• Type any website URL
• Then press: lookup

Google Searching
• Info about a site: info:http://www.google.com
• Find related sites: related:http://www.google.com
• Search the cache: cache:http://google.com search
• Word in URL: inurl:http://google search
• Restrict search to a site: site:http://somesite.net
• Similar items: search ~tips
• The OR operator: cats | dogs

Example
• For example, if you are searching for information about XYZ company, and you would like
insight into their company policies, you might try
• policies site:xyz.com

• Or if you are specifically looking for PDF documents from that company, you could try
one of the following
• policies filetype:pdf site:xyz.com

Google Advanced Search

Social Networking
▪ Social networking sites are tools to connect people.
▪ E.g., Facebook, Twitter, LinkedIn (useful for all sorts of business purposes).
• Attackers use social engineering tricks to gather sensitive information
from social networking websites such as Facebook, MySpace,
LinkedIn, Twitter, Pinterest, Google+, etc.

• Attackers create a fake profile on social networking sites and then use
the false identity to lure the employees to give up their sensitive
information.

Active Reconnaissance Techniques
Whois
▪ WHOIS databases are maintained by Regional Internet Registries (RIRs) and contain
the personal information of domain owners.
▪ To grab information out of the regional Internet registry (RIR), you would use the whois
program.
▪ Whois is a program that can be used on the command line on most Unix-like systems
▪ There are also websites that have implementations of whois if you don’t have a Unix-like system handy.

Whois

• Information obtained from the WHOIS database assists an attacker to:
• Gather personal information that assists in performing social engineering
▪ WHOIS query returns:
▪ Domain name details
▪ Contact details of domain owner
▪ Domain name servers
▪ When a domain has been created
▪ Expiry records
▪ Records last updated
• Name and contact information of the registrar (the organization or commercial entity
that registered the domain name)
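As an added example (not from the lecture), the following parses the key/value text a WHOIS query returns into the fields listed above, then computes the days to expiry and lists which registrant contact fields are exposed, which is how a defender checks what their own domain record gives away. The record, its domain and its dates are constructed; real registrars vary the field names and many redact contact data.

```python
# Added example (not from the lecture): parse the key/value text a WHOIS
# query returns into the fields the slide lists, then check domain expiry.
# The record below is constructed; real registrars vary the field names.
from datetime import datetime

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, LLC
Creation Date: 2015-03-14T09:26:53Z
Registry Expiry Date: 2025-03-14T09:26:53Z
Updated Date: 2024-02-20T11:04:00Z
Registrant Organization: Example Target Inc.
Registrant Email: admin@example-target.com
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
>>> Last update of whois database: 2024-06-01T00:00:00Z <<<
"""

def parse_whois(text):
    """Return {field: value or [values]} from 'Key: Value' lines.
    Repeated keys (e.g. Name Server) are collected into a list."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(">>>"):
            continue                      # skip blank lines and the footer
        key, value = (part.strip() for part in line.split(":", 1))
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record

def _parse_ts(text):
    """Parse the ISO-8601 timestamps WHOIS uses (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def days_to_expiry(record, today_iso):
    """Days until 'Registry Expiry Date' as of today_iso; negative once lapsed."""
    return (_parse_ts(record["Registry Expiry Date"]) - _parse_ts(today_iso)).days

def exposed_contact_fields(record):
    """Registrant fields present in the record, i.e. what a social engineer
    can read straight from WHOIS when privacy protection is not enabled."""
    return sorted(k for k in record if k.startswith("Registrant"))
```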

Whois Query Example
Nslookup
▪ A tool that queries a DNS server for its host records. It’s available for Linux and
Windows.
▪ In the following output, you can see the use of nslookup for name resolution.

[Screenshot of an nslookup query for sybex.com, annotated: the name server IP; the answer came from the cache, not the authoritative server (a non-authoritative answer); the IP of sybex.com]
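The annotations on the slide (which resolver answered, whether the answer came from its cache, which address came back) are exactly what is worth pulling out of nslookup's text. As an added example (not from the lecture), the following parses that output; the sample is constructed with documentation IP ranges, the addresses shown for sybex.com are placeholders, and only IPv4 answers are handled.

```python
# Added example (not from the lecture): read nslookup's output and separate
# the resolver that answered from the records it returned, flagging when the
# answer is marked "Non-authoritative" (served from the resolver's cache).
# The output below is constructed with documentation IP ranges (IPv4 only).
SAMPLE_NSLOOKUP = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\tsybex.com
Address: 203.0.113.10
Name:\tsybex.com
Address: 203.0.113.11
"""

def parse_nslookup(output):
    """Return {'server': ip, 'authoritative': bool, 'answers': [(name, ip), ...]}.
    Handles the Linux layout above and the Windows 'Addresses:' list form."""
    result = {"server": None, "authoritative": True, "answers": []}
    in_answer, name = False, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the resolver header
            in_answer = True
            continue
        if line.lower().startswith("non-authoritative answer"):
            result["authoritative"] = False   # came from the resolver's cache
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep and in_answer and name:    # continuation IP (Windows style)
            result["answers"].append((name, line))
        elif not in_answer and key == "address":
            result["server"] = value.split("#")[0]   # strip the '#53' port suffix
        elif in_answer and key == "name":
            name = value
        elif in_answer and key in ("address", "addresses") and name and value:
            result["answers"].append((name, value))
    return result
```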
Maltego
• Maltego is an open source intelligence and forensics application
offering extraordinary data mining and intelligence gathering
capabilities.
• The community version is free.

OSINT Website
• https://osintframework.com provides a simple online tool whereby you can drill down on
a specific search.
• Searches can be conducted on email addresses, domains, Bitcoin transactions, and many
other items.
• For a penetration tester, searching a target domain will be useful.

Lab 2: Basics of Footprinting Methodologies
