Module 02 Footprinting and Reconnaissance
Footprinting and Reconnaissance
Footprinting Terminology
• Open Source or Passive Information Gathering: Open source or
passive information gathering is the easiest way to collect
information about the target organization. It refers to the process of
gathering information from the open sources, i.e., publicly available
sources. This requires no direct contact with the target
organization. Open sources may include newspapers, television,
social networking sites, blogs, etc.
• Active Information Gathering: In the active information gathering
process, attackers mainly focus on the employees of the target
organization. Attackers try to extract information from the
employees by conducting social engineering: on-site visits,
interviews, questionnaires, etc.
Footprinting Terminology cont’d
• Anonymous Footprinting: This refers to the process of collecting
information from sources anonymously so that your efforts cannot
be traced back to you.
• Pseudonymous Footprinting: Pseudonymous footprinting refers to
the process of collecting information from the sources that have
been published on the Internet but is not directly linked to the
author's name. The information may be published under a different
name or the author may have a well-established pen name, or the
author may be a corporate or government official and be prohibited
from posting under his or her original name. Irrespective of the
reason for hiding the author's name, collecting information from
such sources is called pseudonymous.
Footprinting Terminology cont’d
• Organizational or Private Footprinting: Private
footprinting involves collecting information from an
organization's web-based calendar and email
services.
• Internet Footprinting: Internet footprinting refers to
the process of collecting information of the target
organization's connections to the Internet.
What Is Footprinting?
• Footprinting, the first step in ethical hacking, refers
to the process of collecting information about a
target network and its environment. Using
footprinting you can find various ways to intrude into
the target organization's network system. It is
considered "methodological" because critical
information is sought based on a previous discovery.
Why Footprinting?
Footprinting helps us to…
• Know Security Posture
• Reduce Attack Area
• Build Information Database
• Draw Network Map
Objectives of Footprinting
• Collect Network Information
– Domain name
– Internal domain names
– Network blocks
– IP addresses of the reachable systems
– Rogue websites/private websites
– TCP and UDP services running
– Access control mechanisms and ACLs
– Networking protocols
– VPN points
– ACLs
– IDSes running
– Analog/digital telephone numbers
– Authentication mechanisms
– System enumeration
Objectives of Footprinting Cont’d
• Collect System Information
– User and group names
– System banners
– Routing tables
– SNMP information
– System architecture
– Remote system type
– System names
– Passwords
Objectives of Footprinting cont’d
• Collect Organization’s Information
– Employee details
– Organization's website
– Company directory
– Location details
– Address and phone numbers
– Comments in HTML source code
– Security policies implemented
– Web server links relevant to the organization
– Background of the organization
– News articles/press releases
Footprinting Threats
• Social Engineering
• System and Network Attacks
• Information Leakage
• Privacy Loss
• Corporate Espionage
• Business Loss
Footprinting Methodology
• Footprinting through Search Engines
• Website Footprinting
• Email Footprinting
• Competitive Intelligence
• Footprinting using Google
• WHOIS Footprinting
• DNS Footprinting
• Network Footprinting
• Footprinting through Social Engineering
• Footprinting through Social Networking Sites
Footprinting through Search Engines
• A web search engine is designed to search for information on the World
Wide Web. The search results are generally presented in a line of results
often referred to as search engine results pages (SERPs). In the present
world, many search engines allow you to extract a target organization's
information such as technology platforms, employee details, login pages,
intranet portals, and so on. Using this information, an attacker may build a
hacking strategy to break into the target organization's network and may
carry out other types of advanced system attacks.
• If you want to footprint the target organization, for example XYZ pvt ltd,
then type XYZ pvt ltd in the Search box of the search engine and press
Enter. This will display all the search results containing the keywords "XYZ
pvt ltd." You can even narrow down the results by adding a specific
keyword while searching. Furthermore, we will discuss other footprinting
techniques such as website footprinting and email Footprinting.
Finding Company’s External and
Internal URLs
• A company's external and internal URLs provide a lot of useful
information to the attacker. These URLs describe the company
and provide details such as the company mission and vision,
history, products or services offered, etc. The URL that is used
outside the corporate network for accessing the company's
vault server via a firewall is called an external URL. It links
directly to the company's external web page. The target
company's external URL can be determined with the help of
search engines such as Google or Bing.
Cont’d
• Tools to Search Internal URLs:
– Netcraft
– Link Extractor
Public and Restricted Websites
• A public website is a website designed to show the presence
of an organization on the Internet. It is designed to attract
customers and partners. It contains information such as
company history, services and products, and contact
information of the organization.
• A restricted website is a website that is available to only a few
people. The people may be employees of an organization,
members of a department, etc. Restrictions can be applied
based on the IP number, domain or subnet, username, and
password.
Public and Restricted Websites
cont’d
• Restricted or private websites of
microsoft.com include:
http://technet.microsoft.com,
http://windows.microsoft.com,
http://office.microsoft.com, and
http://answers.microsoft.com.
Collect Location Information
• Information such as physical location of the organization plays
a vital role in the hacking process. This information can be
obtained using the footprinting technique. In addition to
physical location, we can also collect information such as
surrounding public Wi-Fi hotspots that may prove to be a way
to break into the target organization's network.
• Attackers with the knowledge of a target organization's
location may attempt dumpster diving, surveillance, social
engineering, and other non-technical attacks to gather much
more information about the target organization.
• Example: earth.google.com
People Search
• You can use the public record websites to find information
about people's email addresses, phone numbers, house
addresses, and other information. Using this information
you can try to obtain bank details, credit card details, mobile
numbers, past history, etc.
People Search Online Services
• Zaba Search
• ZoomInfo
• Wink People Search
• AnyWho
• People Lookup
• 123 People Search
• PeekYou
• Intelius
• PeopleSmart
• WhitePages
• Justdial
People Search on Social
Networking Services
• Searching for people on social networking websites is
easy. Social networking services are the online
services, platforms, or sites that focus on facilitating
the building of social networks or social relations
among people. These websites provide information
that is provided by users. Here, people are directly or
indirectly related to each other by common interest,
work location, or educational communities, etc.
Cont’d
• Some of the social networking services are as
follows:
– Facebook
– LinkedIn
– Twitter
– Google+
Gather Information from Financial
Services
• Financial services such as Google Finance, Yahoo! Finance,
and so on provide a lot of useful information such as the
market value of a company's shares, company profile,
competitor details, etc. The information offered varies from
one service to the next. In order to avail themselves of
services such as e-mail alerts and phone alerts, users need to
register on the financial services. This gives an opportunity for
an attacker to grab useful information for hacking.
Footprinting through Job Sites
• Attackers can gather valuable information about the operating
system, software versions, company's infrastructure details,
and database schema of an organization, through footprinting
various job sites using different techniques. Depending upon
the posted requirements for job openings, attackers may be
able to study the hardware, network-related information, and
technologies used by the company. Most of the company's
websites have a key employees list with their email addresses.
This information may prove to be beneficial for an attacker.
For example, if a company wants to hire a person for a
Network Administration job, it posts the requirements
related to that position.
Usually attackers look for the following information:
• Job requirements
• Employee's profile
• Hardware information
• Software information
Examples of job websites include:
• http://www.monsterindia.com
• http://www.jobsisjob.com
• http://www.naukri.com
• http://www.timesjob.com
Monitoring Targets Using Alerts
• Alerts are the content monitoring services that provide
automated up-to-date information based on your preference,
usually via email or SMS. In order to get alerts, you need to
register on the website and you should submit either an email
or phone number to the service. Attackers can gather this
sensitive information from the alert services and use it for
further processing of an attack.
• Google Alerts
• Yahoo! Alerts
• Giga Alert
Website Footprinting
• It is possible for an attacker to build a detailed map of a
website's structure and architecture without an IDS being
triggered or without raising any sysadmin suspicions.
• Using the Netcraft tool you can gather website information
such as IP address, registered name and address of the
domain owner, domain name, host of the site, OS details, etc.
But this tool may not give all these details for every site. In
such cases, you should browse the target website.
Mirroring an Entire Website
• Website mirroring is the process of creating an exact
replica of the original website. This can be done with
the help of web mirroring tools. These tools allow
you to download a website to a local directory,
recursively building all directories, HTML, images,
flash, videos and other files from the server to your
computer.
Mirroring an Entire Website cont’d
Website mirroring has the following benefits:
• It is helpful for offline site browsing.
• Website mirroring helps in creating a backup site for
the original one.
• A website clone can be created.
• Website mirroring is useful to test the site at the time
of website design and development.
Website Mirroring Tools
• HTTrack website copier
• SurfOffline
• BlackWidow
• Webripper etc…
Extract Website Information
• Extract Website Information from http://www.archive.org
– Archive is an Internet Archive Wayback Machine that
allows you to visit archived versions of websites. This
allows you to gather information on a company's web
pages since their creation. As the website www.archive.org
keeps track of web pages from the time of their inception,
you can retrieve even information that has been removed
from the target website.
Monitoring Web Updates Using
Website Watcher
• Website Watcher is used to keep track of websites
for updates and automatic changes. When an update
or change occurs, Website Watcher automatically
detects and saves the last two versions onto your
disk, and highlights changes in the text. It is a useful
tool for monitoring sites to gain competitive
advantage.
Tracking Email Communications
• Email tracking is a method that helps you to monitor as well
as to track the emails of a particular user. This kind of tracking
is possible through digitally time stamped records to reveal
the time and date a particular email was received or opened
by the target. A lot of email tracking tools are readily available
in the market, using which you can collect information such as
IP addresses, mail servers, and service provider from which
the mail was sent. Attackers can use this information to build
the hacking strategy. Examples of email tracking tools include:
eMailTrackerPro and Paraben E-mail Examiner.
Collecting Information from Email Headers
• An email header is the information that travels with
every email. It contains the details of the sender,
routing information, date, subject, and recipient. The
process of viewing the email header varies with
different mail programs.
Cont’d
Information from an E-mail Header:
• Sender's mail server
• Date and time received by the originator's email servers
• Authentication system used by sender's mail server
• Date and time the message was sent
• A unique number assigned by mx.google.com to identify the
message
• Sender's full name and IP address
• The address from which the message was sent
• The attacker can trace and collect all of this information by
performing a detailed analysis of the complete email header.
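The header fields listed above can be pulled out programmatically; this is an added example written for this page, not code from the original slides. It walks the Received chain of a constructed sample message (hosts, IPs and IDs are made up) in the order the message travelled and reports the originating IP, the sender's first mail server, the timestamps, the Message-ID and the authentication results, the analysis a defender does when triaging a suspicious email.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header for illustration; every host, IP and ID is made up.
SAMPLE_HEADER = """\
Delivered-To: victim@example.com
Received: from mail.example.net (mail.example.net [198.51.100.7])
        by mx.example.com with ESMTPS id abc123
        for <victim@example.com>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from sender-pc (unknown [203.0.113.45])
        by mail.example.net with ESMTPSA id def456;
        Mon, 01 Jan 2024 10:00:02 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net; dkim=none
Message-ID: <20240101100000.deadbeef@sender-pc>
Date: Mon, 01 Jan 2024 10:00:00 +0000
From: "Alice Sender" <alice@example.net>
To: victim@example.com
Subject: Invoice attached

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"               # name claimed by the sending side (HELO)
    r"(?:\s+\((?P<from_info>[^)]*)\))?"   # reverse DNS and [IP] recorded by the receiver
    r"\s+by\s+(?P<by>\S+)"                # the server that wrote this Received line
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_received(value):
    """Turn one Received header into a dict describing that hop."""
    value = " ".join(value.split())        # undo header folding
    m = RECEIVED_RE.search(value)
    ip = IP_RE.search(m.group("from_info") or "") if m else None
    # By convention the timestamp is the text after the last ';'
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return {
        "from": m.group("from") if m else None,
        "by": m.group("by") if m else None,
        "ip": ip.group(1) if ip else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def analyze_header(raw):
    """Extract the items the slide lists from a raw message header."""
    msg = message_from_string(raw)
    # Each server prepends its own Received line, so the top one is the last hop;
    # reverse the list to read the path in the order the message travelled.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    name, addr = parseaddr(msg.get("From", ""))
    auth = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    return {
        "sender_name": name,
        "sender_address": addr,
        "originating_ip": hops[0]["ip"] if hops else None,      # first hop's client IP
        "sender_mail_server": hops[0]["by"] if hops else None,  # first MTA that accepted it
        "message_id": msg.get("Message-ID"),
        "date_sent": parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None,
        "date_received": hops[-1]["time"] if hops else None,    # stamp of the final hop
        "auth": auth,
        "hops": hops,
    }


if __name__ == "__main__":
    for key, val in analyze_header(SAMPLE_HEADER).items():
        print(f"{key}: {val}")
```

Only the Received line written by your own server can be trusted; earlier lines are supplied by whoever handed the message over and may be forged, which is why the recorded [IP] is compared against the claimed host name.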
Email Tracking Tools
• eMailTrackerPro
• PoliteMail
• Email Lookup - Free Email Tracker
• Read Notify
• DidTheyReadIt
• TraceEmail
• MSGTAG
• Zendio
• Pointofmail etc…
Competitive Intelligence Gathering
• Competitive intelligence is not just about analyzing
competitors but also analyzing their products, customers,
suppliers, etc. that impact the organization. It is non-
interfering and subtle in nature compared to the direct
intellectual property theft carried out through hacking or
industrial espionage. It mainly concentrates on the external
business environment. It gathers information ethically and
legally instead of gathering it secretly. According to CI
professionals, if the intelligence information gathered is not
useful, then it is not called intelligence.
Cont’d
• Competitive intelligence is performed for determining:
– What the competitors are doing
– How competitors are positioning their products and services
– Company websites and employment ads
– Press releases and annual reports
– Trade journals, conferences, and newspapers
– Patents and trademarks
– Social engineering employees
– Product catalogs and retail outlets
Footprinting using Google Hacking
Techniques
• Google hacking refers to the art of creating complex search
engine queries. If you can construct proper queries, you can
retrieve valuable data about a target company from the
Google search results. Through Google hacking, an attacker
tries to find websites that are vulnerable to numerous exploits
and vulnerabilities. This can be accomplished with the help of
Google hacking database (GHDB), a database of queries to
identify sensitive data. Google operators help in finding
required text and avoiding irrelevant data. Using advanced
Google operators, attackers locate specific strings of text such
as specific versions of vulnerable web applications.
Cont’d
Some of the popular Google operators include:
• site: The site: operator in Google helps to find only pages that
belong to a specific URL.
• allinurl: This operator finds the required pages or websites by
restricting the results containing all query terms.
• inurl: This will restrict the results to only websites or pages
that contain the query terms that you have specified in the
URL of the website.
• allintitle: It restricts results to only web pages that contain all
the query terms that you have specified.
Google Hacking Tools
• Metagoofil
• Goolink Scanner
• SiteDigger
• Google Hacks
• BiLE Suite
• Google Hack Honeypot
• GMapCatcher etc…
WHOIS Lookup
• WHOIS is a query and response protocol used for querying
databases that store the registered users or assignees of an
Internet resource, such as a domain name, an IP address
block, or an autonomous system. WHOIS databases are
maintained by Regional Internet Registries and contain the
personal information of domain owners. They maintain a
record called a LOOKUP table that contains all the information
associated with a particular network, domain, and host.
Anyone can connect and query to this server to get
information about particular networks, domains, and hosts.
WHOIS Lookup Tools
• SmartWhois
• Country Whois
• Lan Whois
• Whois Analyzer Pro
• CallerIP
• Active Whois
• WhoisThisDomain
Extracting DNS Information
• DNS footprinting allows you to obtain information about DNS zone
data. This DNS zone data includes DNS domain names, computer
names, IP addresses, and much more about a particular network.
The attacker performs DNS footprinting on the target network in
order to obtain the information about DNS. He or she then uses the
gathered DNS information to determine key hosts in the network
and then performs social engineering attacks to gather more
information.
• DNS footprinting can be performed using DNS interrogation tools
such as www.DNSstuff.com. By using www.DNSstuff.com, it is
possible to extract DNS information about IP addresses, mail server
extensions, DNS lookups, Whois lookups, etc.
DNS Interrogation Tools
A few more well-known DNS interrogation tools are listed as
follows:
• DIG available at http://www.kloth.net
• myDNSTools available at http://www.mydnstools.info
• Professional Toolset available at http://www.dnsstuff.com
• DNS Records available at http://network-tools.com
• DNSData View available at http://www.nirsoft.net
• DNSWatch available at http://www.dnswatch.info
• DomainTools Pro available at http://www.domaintools.com
• DNS available at http://e-dns.org
Determine the Operating System
• We have collected information about IP addresses, network ranges, server
names, etc. of the target network. Now it's time to find out the OS
running on the target network. The technique of obtaining information
about the target network OS is called OS fingerprinting. The Netcraft tool
will help you to find out the OS running on the target network.
Let's see how Netcraft helps you determine the OS of the target network.
• Open the http://news.netcraft.com site in your browser and type the
domain name of your target network in the "What's that site running?" field
(here we are considering the domain name "Microsoft.com"). It displays
all the sites associated with that domain along with the operating system
running on each site.
Traceroute
• Finding the route of the target host is necessary to test
against man-in-the-middle attacks and other relative attacks.
Therefore, you need to find the route of the target host in the
network. This can be accomplished with the help of the
Traceroute utility provided with most operating systems. It
allows you to trace the path or route through which the target
host packets travel in the network.
• Traceroute uses the ICMP protocol concept and the TTL (Time to
Live) field of the IP header to find the path to the target host in
the network.
Traceroute Tools
• Path Analyzer Pro
• VisualRoute 2010 etc…
Traceroute Tools
• Network Pinger available at http://www.networkpinger.com
• GEOSpider available at http://www.oreware.com
• vTrace available at http://vtrace.pl
• Trout available at http://www.mcafee.com
• Roadkil's Trace Route available at http://www.roadkil.net
• Magic NetTrace available at http://www.tialsoft.com
• 3D Traceroute available at http://www.d3tr.de
• AnalogX HyperTrace available at http://www.analogx.com etc…
Footprinting through Social
Engineering
• Social engineering is a totally non-technical process in which an
attacker tricks a person and obtains confidential information about
the target in such a way that the target is unaware of the fact that
someone is stealing his or her confidential information. The
attacker actually plays a cunning game with the target to obtain
confidential information. The attacker takes advantage of the
helping nature of people and their weakness to provide confidential
information.
• Social engineering can be performed in many ways such as
eavesdropping, shoulder surfing, dumpster diving, impersonation
on social networking sites, and so on.
Collect Information through
Social Networking Sites
• Collecting Facebook Information: Facebook is one of the
world's largest social networking sites. It allows people to
create their personal profile, add friends, exchange instant
messages, create or join various groups or communities, and
much more. An attacker can grab all the information provided
by the victim on Facebook. To grab information from
Facebook, the attacker should have an active account.
Browsing the target person's profile may reveal a lot of useful
information such as phone number, email ID, friend
information, educational details, professional details, his
interests, photos, and much more.
Footprinting Tools
• Maltego: Maltego is an open source intelligence and forensics
application. It can be used for the information gathering
phase of all security-related work. Maltego is a platform
developed to deliver a clear threat picture to the environment
that an organization owns and operates. It can be used to
determine the relationships and real-world links between
people, social networks, companies, organizations, websites,
Internet infrastructure (domains, DNS names, Netblocks, IP
addresses), phrases, affiliations, documents, and files.
Footprinting Tools cont’d
• Domain Name Analyzer Pro: Domain Name Analyzer
Professional is Windows software for finding,
managing, and maintaining multiple domain names.
It supports the display of additional data (expiry and
creation dates, name server information), tagging
domains, secondary whois lookups (for thin model
whois TLDs like COM, NET, TV).
Footprinting Tools cont’d
• Web Data Extractor: Web Data Extractor is a data
extractor tool. It extracts targeted company contact
data (email, phone, and fax) from the web, extracts
the URL and meta tag (title, desc, keyword) for
website promotion, searches directory creation, etc.
Footprinting Countermeasures
Footprinting countermeasures are the measures or actions taken to counter
or offset information disclosure. A few footprinting countermeasures are
listed as follows:
• Configure routers to restrict the responses to footprinting requests.
• Lock the ports with suitable firewall configuration.
• Evaluate and limit the amount of information available before publishing it
on the website/Internet and disable the unnecessary services.
• Prevent search engines from caching a webpage and use anonymous
registration services.
• Configure web servers to avoid information leakage and disable unwanted
protocols.
• Use an IDS that can be configured to refuse suspicious traffic and pick up
footprinting patterns.
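Two of the countermeasures above, configuring web servers to avoid information leakage and limiting what is published (including the HTML comments listed earlier under organization information), can be checked before a page goes live. This is an added example written for this page, not code from the original slides; the header names and the sample responses are constructed, and `fetch_and_audit` is a hypothetical helper for running the same check against a live host.

```python
import http.client
import re
from html.parser import HTMLParser

# Response headers that commonly advertise the product or its version.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")
VERSION_RE = re.compile(r"\d+\.\d+")     # e.g. "Apache/2.4.57" is flagged, "Apache" is not


class CommentCollector(HTMLParser):
    """Collect HTML comments, which often carry developer notes and internal names."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def audit_response(headers, body):
    """Return a list of findings for one response.

    headers: dict of header name -> value (looked up case-insensitively)
    body:    the HTML text of the page
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in VERSION_HEADERS:
        val = h.get(name.lower())
        if val and VERSION_RE.search(val):
            findings.append(f"{name} header discloses a version: {val}")
        elif val and name != "Server":          # a bare "Server: Apache" is tolerated
            findings.append(f"{name} header discloses the platform: {val}")
    # The slides recommend preventing search engines from caching pages.
    if "noarchive" not in h.get("x-robots-tag", "").lower():
        findings.append("X-Robots-Tag lacks 'noarchive'; search engines may cache this page")
    collector = CommentCollector()
    collector.feed(body)
    for c in collector.comments:
        if c:
            findings.append(f"HTML comment present: {c[:60]}")
    return findings


def fetch_and_audit(host, path="/"):
    """Hypothetical helper: fetch a page over HTTPS and audit it (needs network)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    return audit_response(dict(resp.getheaders()), body)


# Constructed sample responses: a leaky one and its hardened counterpart.
LEAKY_HEADERS = {"Server": "Apache/2.4.57 (Ubuntu)", "X-Powered-By": "PHP/8.1.2",
                 "Content-Type": "text/html"}
LEAKY_BODY = """<html><head><title>Example Corp</title></head>
<body><!-- staging build 4711, contact dev-team@example.com --><p>Welcome</p></body></html>"""
HARDENED_HEADERS = {"Server": "Apache", "X-Robots-Tag": "noarchive", "Content-Type": "text/html"}
HARDENED_BODY = "<html><head><title>Example Corp</title></head><body><p>Welcome</p></body></html>"

if __name__ == "__main__":
    for finding in audit_response(LEAKY_HEADERS, LEAKY_BODY):
        print("-", finding)
    print("hardened findings:", audit_response(HARDENED_HEADERS, HARDENED_BODY))
```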
Footprinting Pen Testing
• A footprinting pen test is used to determine an
organization's publicly available information on the
Internet such as network architecture, operating
systems, applications, and users. In this method, the
pen tester tries to gather publicly available sensitive
information of the target by pretending to be an
attacker. The target may be a specific host or a
network.
Footprinting Pen Testing cont’d
• The pen tester can perform any attack that an
attacker could perform. The pen tester should try all
possible ways to gather as much information as
possible in order to ensure maximum scope of
footprinting pen testing. If the pen tester finds any
sensitive information on any publicly available
information resource, then he or she should enter
the information and the respective source in the
report.
Footprinting Pen Testing steps
• Step 1: Get proper authorization
• Step 2: Define the scope of the assessment
• Step 3: Perform footprinting through search engines
• Step 4: Perform website footprinting
• Step 5: Perform email footprinting
• Step 6: Gather competitive intelligence
• Step 7: Perform Google hacking
Footprinting Pen Testing steps
• Step 8: Perform WHOIS footprinting
• Step 9: Perform DNS footprinting
• Step 10: Perform network footprinting
• Step 11: Perform social engineering
• Step 12: Perform footprinting through social
networking sites
• Step 13: Document all the findings