Foot-printing
Foot-printing is the first step of any attack on any system. This initial stage involves gathering valuable information about the target system or network.
Below is the kind of information expected to be gathered during this phase. The list is by no means exhaustive.
- Employee details
- Domain and sub-domains
- Web server OS
- Telephone numbers
- Network blocks (IP ranges)
- Location of web server
- Branch and location details
- Network topology, trusted routers and firewalls etc.
- Publicly available email addresses
- Background of the organization
- IP addresses
- Usernames and passwords
- Web technologies
- Whois records
- News articles, press releases, etc.
- DNS records
- Good Google dorks for advanced search:
- often reveals more (other) results than Google
- best reverse image search
Gather information from various social media platforms:
Utilize "TheHarvester" to identify emails (among other data) associated with the target organization: `sudo theHarvester -d www.dsb.dk -b all`
Utilize "Sherlock" to identify usernames on social media: `sherlock USERNAME`
Investigate job sites for potential leads or information.
To find subdomains of the target domain, use:
Amass: `sudo amass enum -passive -d domain.com -o amass_results.txt`
GRecon (Very nice tool):
Install:
Probe DNS records to uncover valuable information.
Use manual tools such as dig, nslookup, etc.
Technology Stack Profiling:
Source Code Examination and Cookie Analysis:
Analyze the source code of websites.
Inspect cookies related to websites.
Historical Data Analysis:
Recon-ng is a full-featured Web Reconnaissance framework written in Python. Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework.
- Start: `sudo recon-ng`
- Install all modules: `marketplace install all`
- List all modules: `modules search`
- First, create a new workspace: `workspaces create NEWWORKSPACE`
- To list workspaces: `workspaces list`
- Then, add a domain to the scope: `db insert domains`
- To view added domains: `show domains`
- Next, load a module: `modules load MODULE`
- To run: `run`
- To view hosts: `show hosts`
Recon-ng also has some nice features to generate reports.
Photon can extract the following data while crawling:
- URLs (in-scope & out-of-scope)
- URLs with parameters (example.com/gallery.php?id=2)
- Intel (emails, social media accounts, amazon buckets etc.)
- Files (pdf, png, xml etc.)
- Secret keys (auth/API keys & hashes)
- JavaScript files & endpoints present in them
- Strings matching custom regex pattern
- Subdomains & DNS related data
Run it with: `photon -u www.DOMAIN.com`
Photon can also utilize the Wayback Machine: use `--wayback` to fetch URLs from archive.org as seeds.
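As an added example (not code from this page or from the Photon project), the classification above applied to one constructed HTML response using only the Python standard library: links are resolved against the page URL and sorted into in-scope and out-of-scope URLs, parameterised URLs, JS files, subdomains and email addresses. The sample HTML, the scope domain `example.com` and the function name `extract_intel` are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample response for a page at https://www.example.com/
SAMPLE_HTML = """<html><body>
<a href="/gallery.php?id=2">Gallery</a>
<a href="https://api.example.com/v1/users">API</a>
<script src="/static/app.js"></script>
<a href="https://cdn.thirdparty.net/lib.js">lib</a>
<a href="mailto:press@example.com">Press</a>
<p>Contact hr@example.com for careers.</p>
</body></html>"""


class _LinkParser(HTMLParser):
    """Collects every href/src attribute value from the page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def extract_intel(html, base_url, scope_domain):
    """Classify what a single crawled page reveals (hypothetical helper)."""
    parser = _LinkParser()
    parser.feed(html)
    keys = ("in_scope", "out_of_scope", "with_params", "js_files", "subdomains", "emails")
    out = {k: set() for k in keys}
    for link in parser.links:
        if link.startswith("mailto:"):
            out["emails"].add(link[len("mailto:"):])
            continue
        url = urljoin(base_url, link)          # relative links resolve against the page
        p = urlparse(url)
        if p.scheme not in ("http", "https") or not p.hostname:
            continue
        host = p.hostname.lower()
        if host == scope_domain or host.endswith("." + scope_domain):
            out["in_scope"].add(url)
            if host != scope_domain:
                out["subdomains"].add(host)    # any host under the scope domain
        else:
            out["out_of_scope"].add(url)       # third-party assets, CDNs, etc.
        if p.query:
            out["with_params"].add(url)        # candidate inputs worth reviewing
        if p.path.endswith(".js"):
            out["js_files"].add(url)
    out["emails"].update(EMAIL_RE.findall(html))  # addresses in text, not only mailto:
    return {k: sorted(v) for k, v in out.items()}
```

Run against your own site, the `subdomains`, `with_params` and `emails` buckets show exactly what an external crawler can collect without authentication.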
CeWL (Custom Word List generator) is a Ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper.
Example: scan to a depth of 2 (`-d 2`), use a minimum word length of 5 (`-m 5`), save the words to a file (`-w docswords.txt`), targeting the given URL (`https://example.com`).
Netcraft
Use to discover connected devices on the internet.
Online tool can be used for simple service discovery as well.
Look up specific records (A, AAAA, CNAME, etc.).
Locate the target's network range.
Employ to identify technologies used on the target's website.
Access to view historical versions of the website.
normal grabs singular details about a YouTube video and its uploader, playlist and its creator, or channel.
lets you search and download files located on public FTP servers.
The is a nice place to explore additional foot-printing categories and associated tools.