Foot-printing

Information Obtained in Footprinting

Below is presented the kind of information expected to be gathered throughout this phase. The list is by no means exhaustive.

Search engines

• Google - Good Google dorks for advanced search:

  • https://www.google.com/advanced_search

  • https://www.exploit-db.com/google-hacking-database

• DuckDuckGo - often reveals more (other) results than Google

• Yandex - best reverse image search

Organization information gathering

Social Media Profiling:

• Gather information from various social media platforms:

  • Facebook

  • Twitter

  • LinkedIn

  • Instagram

Employee Search:

• Utilize "TheHarvester" to identify emails (among other) associated with the target organization. sudo theHarvester -d www.dsb.dk -b all

• Utilize "Sherlock" to identify usernames on social media. sherlock USERNAME

Job Sites Scrutiny:

• Investigate job sites for potential leads or information.

Network information gathering

Subdomain Enumeration:

To find subdomains of the target domain, use:

• Amass: sudo amass enum -passive -d domain.com -o amass_results.txt

• Netcraft DNS search

• GRecon (Very nice tool):

  Install:

Device Enumeration:

• Use Shodan to discover connected devices on the internet.

DNS Records Investigation:

Probe DNS records to uncover valuable information.

• Use manual tools - dig, nslookup etc.

• Online tool https://viewdns.info/

• Central ops. can be used for simple services discovery as well.

• SecurityTrails lookup specific records A, AAAA, CNAME, etc.

Network Range Identification (ARIN):

• Locate the target's network range https://ip-netblocks.whoisxmlapi.com/lookup.

System information gathering

Technology Stack Profiling:

• Employ Wappalyzer to identify technologies used on the target's website.

Source Code Examination and Cookie Analysis:

• Analyze the source code of websites.

• Inspect cookies related to websites.

Historical Data Analysis:

• Access The Wayback Machine to view historical versions of the website.

Multipurpose tools

Recon-ng

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framewor

Start: sudo recon-ng

Install all modules: marketplace install all

List all modules: modules search

Example of usage

First, create a new workspace: workspaces create NEWWORKSPACE

To list workspaces: workspaces list

Then, add a domain to the scope: db insert domains

To view added domains: show domains

Next, load a module: modules load MODULE

To run: run

To view hosts: show hosts

Recon-ng has some nice features to generate reports

Other tools

YouTube metadata analyzer

MW Metadata normal grabs singular details about a YouTube video and its uploader, playlist and its creator, or channel.

Public FTP searcher

NAPALM FTP Indexer lets you search and download files located on public FTP servers.

Website crawler

Photon can extract the following data while crawling:

• URLs (in-scope & out-of-scope)

• URLs with parameters (example.com/gallery.php?id=2)

• Intel (emails, social media accounts, amazon buckets etc.)

• Files (pdf, png, xml etc.)

• Secret keys (auth/API keys & hashes)

• JavaScript files & Endpoints present in them

• Strings matching custom regex pattern

• Subdomains & DNS related data

photon -u www.DOMAIN.com

Can also utalize the Wayback machine. Use --wayback to fetch URLs from archive.org as seeds

Generate wordlist from website

CeWL (Custom Word List generator) is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper.

Scan to a depth of 2 (-d 2) and use a minimum word length of 5 (-m 5), save the words to a file (-w docswords.txt), targeting the given URL (https://example.com):

Additional resources

The OSINT Framework is a nice place to explore additional foot-printing categories and associated tools.