Foot-printing
Foot-printing is the first step of any attack on any system. This initial stage involves gathering valuable information about the target system or network.
Information Obtained in Footprinting
Below is the kind of information typically gathered during this phase. The list is by no means exhaustive.
Employee details
Domain and sub-domains
Web server OS
Telephone numbers
Network blocks (IP ranges)
Location of web server
Branch and location details
Network topology, trusted routers, firewalls, etc.
Publicly available email addresses
Background of the organization
IP addresses
Usernames and passwords
Web technologies
Whois records
News articles, press releases, etc.
DNS records
Search engines
Google - supports advanced search operators ("Google dorks") for narrowing results
DuckDuckGo - often surfaces results that Google does not
Yandex - best reverse image search
Organization information gathering
Social Media Profiling:
Employee Search:
Utilize "TheHarvester" to identify emails (among other things) associated with the target organization.
sudo theHarvester -d www.dsb.dk -b all
Utilize "Sherlock" to identify usernames on social media.
sherlock USERNAME
Job Sites Scrutiny:
Investigate job sites for potential leads or information.
Network information gathering
Subdomain Enumeration:
To find subdomains of the target domain, use:
Amass:
sudo amass enum -passive -d domain.com -o amass_results.txt
Netcraft DNS search
GRecon (Very nice tool):
Install:
git clone https://github.com/TebbaaX/GRecon.git
cd GRecon
python3 -m pip install -r requirements.txt
python3 Grecon.py
Device Enumeration:
Use Shodan to discover connected devices on the internet.
DNS Records Investigation:
Probe DNS records to uncover valuable information.
Use manual tools - dig, nslookup etc.
Online tool https://viewdns.info/
CentralOps can be used for simple service discovery as well.
SecurityTrails can look up specific record types (A, AAAA, CNAME, etc.).
Network Range Identification (ARIN):
Locate the target's network range: https://ip-netblocks.whoisxmlapi.com/lookup
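The DNS records section above says to probe records for valuable information but does not show what "valuable" looks like once the output is on screen. The script below is an added example (not from the original notes or from any of the tools listed) that parses answer lines in the format dig prints and condenses them into what an outsider learns: visible hostnames, mail exchangers, the third-party providers named by SPF includes, and the DMARC policy. The sample records, hosts and addresses are constructed; the function names parse_dig_answers and exposure_summary are this example's own. A defender can run the same summary against their own domain to see exactly what footprinting reveals.

```python
import re
from collections import defaultdict

# Constructed sample in the shape `dig +noall +answer` prints
# (owner, TTL, class, type, rdata). Hosts and addresses are made up.
SAMPLE_DIG_ANSWERS = """\
example.com.            3600    IN      A       93.184.216.34
example.com.            3600    IN      MX      10 mail.example.com.
example.com.            300     IN      TXT     "v=spf1 include:_spf.mailprovider.example -all"
_dmarc.example.com.     300     IN      TXT     "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
www.example.com.        3600    IN      CNAME   example.com.
vpn.example.com.        3600    IN      A       203.0.113.7
example.com.            3600    IN      NS      ns1.example.com.
"""

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")


def parse_dig_answers(text):
    """Group answer lines by record type: {rtype: [(owner, ttl, rdata), ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and dig's comment lines
            continue
        match = ANSWER_RE.match(line)
        if not match:
            continue
        owner, ttl, rtype, rdata = match.groups()
        records[rtype].append((owner.rstrip("."), int(ttl), rdata.strip()))
    return dict(records)


def exposure_summary(records):
    """Condense the records into what an outsider learns from them."""
    summary = {
        # every name that resolves to something is a host the outside world can see
        "hosts": sorted({owner for rtype in ("A", "AAAA", "CNAME")
                         for owner, _, _ in records.get(rtype, [])}),
        # MX rdata is "<priority> <exchange>"; keep the exchange host only
        "mail_servers": [rdata.split()[-1].rstrip(".") for _, _, rdata in records.get("MX", [])],
        # SPF include: tokens name the third-party mail providers the domain relies on
        "spf_includes": [],
        # DMARC p= tag: "none" means spoofed mail is only reported, not rejected
        "dmarc_policy": None,
    }
    for owner, _, rdata in records.get("TXT", []):
        value = rdata.strip('"')
        if value.startswith("v=spf1"):
            summary["spf_includes"] += [tok.split(":", 1)[1]
                                        for tok in value.split() if tok.startswith("include:")]
        elif owner.startswith("_dmarc."):
            tag = re.search(r"\bp=(\w+)", value)
            summary["dmarc_policy"] = tag.group(1) if tag else None
    return summary


if __name__ == "__main__":
    recs = parse_dig_answers(SAMPLE_DIG_ANSWERS)
    for rtype, entries in sorted(recs.items()):
        print(rtype, entries)
    print(exposure_summary(recs))
```

On the constructed sample the summary lists three visible hosts (including a "vpn" name that hints at remote-access infrastructure), one mail exchanger, one external mail provider from the SPF include, and a DMARC policy of "none"; for the organization's own domain, that last value is the one to fix.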
System information gathering
Technology Stack Profiling:
Employ Wappalyzer to identify technologies used on the target's website.
Source Code Examination and Cookie Analysis:
Analyze the source code of websites.
Inspect cookies related to websites.
Historical Data Analysis:
Access The Wayback Machine to view historical versions of the website.
Multipurpose tools
Recon-ng
Recon-ng is a full-featured Web Reconnaissance framework written in Python. Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework.
Start: sudo recon-ng
Install all modules: marketplace install all
List all modules: modules search
Example of usage
First, create a new workspace: workspaces create NEWWORKSPACE
To list workspaces: workspaces list
Then, add a domain to the scope: db insert domains
To view added domains: show domains
Next, load a module: modules load MODULE
To run: run
To view hosts: show hosts
Recon-ng also has some nice features for generating reports.
Other tools
YouTube metadata analyzer
MW Metadata normally grabs singular details about a YouTube video and its uploader, a playlist and its creator, or a channel.
Public FTP searcher
NAPALM FTP Indexer lets you search and download files located on public FTP servers.
Website crawler
Photon can extract the following data while crawling:
URLs (in-scope & out-of-scope)
URLs with parameters (example.com/gallery.php?id=2)
Intel (emails, social media accounts, Amazon S3 buckets, etc.)
Files (pdf, png, xml etc.)
Secret keys (auth/API keys & hashes)
JavaScript files & Endpoints present in them
Strings matching custom regex pattern
Subdomains & DNS related data
photon -u www.DOMAIN.com
Photon can also utilize the Wayback Machine: use --wayback to fetch URLs from archive.org as seeds.
Generate wordlist from website
CeWL (Custom Word List generator) is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper.
Scan to a depth of 2 (-d 2), use a minimum word length of 5 (-m 5), save the words to a file (-w docswords.txt), targeting the given URL (https://example.com):
cewl -d 2 -m 5 -w docswords.txt https://www.example.com
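The Photon list above and the CeWL section both describe what a crawler pulls out of a page without showing the mechanics. The script below is an added example (not Photon's or CeWL's code, and not from the original notes) that takes one fetched page and extracts the Photon-style categories (in-scope and out-of-scope links, URLs with parameters, files, JavaScript files, emails, strings that look like leaked keys) plus a CeWL-style word list with a minimum word length. The sample page, its hosts, and the "api_key" left in an HTML comment are constructed; the crawl_page function and its regexes are this example's own. It runs offline on the embedded HTML; pointing the same logic at your own site shows what an outside crawler harvests, and the resulting word list is exactly the set a password policy should reject.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page standing in for HTML a crawler would fetch.
# Everything in it (hosts, addresses, the leaked key in the comment) is made up.
SAMPLE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """
<html><head><title>Example Corp Intranet Portal</title>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib/vendor.js"></script>
</head><body>
<p>Contact procurement at procurement@example.com or call the helpdesk.</p>
<a href="/gallery.php?id=2">Gallery</a>
<a href="https://www.example.com/docs/handbook.pdf">Employee handbook</a>
<a href="https://partner.example.org/login">Partner portal</a>
<a href="mailto:hr@example.com">HR</a>
<!-- TODO remove before release: api_key=ABCD1234SECRET -->
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# crude "looks like a credential" pattern: key-ish name, separator, long token
SECRET_RE = re.compile(r"(?i)\b(?:api[_-]?key|token|secret)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{8,}")
FILE_RE = re.compile(r"\.(?:pdf|png|xml|docx?|xlsx?)$", re.I)
WORD_RE = re.compile(r"[A-Za-z]+")


class _PageParser(HTMLParser):
    """Collect hrefs, script sources, visible text and comments from one page."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts, self.text, self.comments = [], [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        elif tag == "script" and attrs.get("src"):
            self.scripts.append(attrs["src"])

    def handle_data(self, data):
        self.text.append(data)

    def handle_comment(self, data):
        self.comments.append(data)


def crawl_page(url, html, min_word_len=5):
    """Extract Photon-style categories from one page plus a CeWL-style word list."""
    parser = _PageParser()
    parser.feed(html)
    scope_host = urlparse(url).netloc
    found = {"in_scope": [], "out_of_scope": [], "with_params": [], "files": [],
             "js_files": [], "emails": set(), "secrets": [], "words": []}

    for href in parser.hrefs:
        if href.startswith("mailto:"):
            found["emails"].add(href[len("mailto:"):])
            continue
        full = urljoin(url, href)              # resolve relative links against the page URL
        parts = urlparse(full)
        found["in_scope" if parts.netloc == scope_host else "out_of_scope"].append(full)
        if parts.query:
            found["with_params"].append(full)
        if FILE_RE.search(parts.path):
            found["files"].append(full)

    found["js_files"] = [urljoin(url, src) for src in parser.scripts]

    text = " ".join(parser.text)
    found["emails"].update(EMAIL_RE.findall(text))
    # leftover credentials most often sit in comments, so scan those as well as the text
    for blob in parser.comments + [text]:
        found["secrets"] += SECRET_RE.findall(blob)

    # CeWL-style word list: alphabetic runs of at least min_word_len letters, deduplicated
    found["words"] = sorted({w for w in WORD_RE.findall(text) if len(w) >= min_word_len})
    found["emails"] = sorted(found["emails"])
    return found


if __name__ == "__main__":
    for key, value in crawl_page(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Scope is decided purely by host name, so a link to partner.example.org lands in out_of_scope even though it belongs to the same organization; a real crawl needs an explicit scope list rather than this single-host rule.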
Additional resources
The OSINT Framework is a nice place to explore additional foot-printing categories and associated tools.