CEH v10: 02 Footprinting
Collect information about a target network.
Terminology #
Footprinting: collect information about a target network.
Passive Footprinting: collect without direct interaction.
Active Footprinting: collect with direct interaction.
Social Network Footprinting: collect information about the target (employees, roles, technologies in use) from social networking sites.
Website Footprinting: collect information about the target from its own web pages.
Methods #
- Examining the web page’s source code
- Examining cookies
- Extracting metadata of web sites
- Monitoring website for updates
- Tracking email
- Email header analysis
- Competitive Intelligence Gathering
- Monitoring website traffic
- Tracking online reputation
- WHOIS
- IP geolocation
- DNS footprinting
Information collected #
- Organization Information (phone numbers, employee details, etc…)
- Relations with other companies
- Network Information (Domains, IPs, etc…)
- System Information (OSes, passwords)
Objectives of Footprinting: #
- Know Security Posture: know the security posture of the target organization
- Reduce Focus Area: reduce the attacker's focus area to a specific range of IPs, networks, domain names, etc…
- Identify Vulnerabilities: identify vulnerabilities in the target system
- Draw Network Map: draw a map or outline the target organization’s network infrastructure
Advanced Google Hacking Techniques #
Operators:
- cache: Display the web page stored in the Google cache (Google retired this operator in 2024; an archived copy from the Wayback Machine is the usual substitute)
- link: List of web pages that have links to the specified web page (also no longer supported by Google)
- related: List of web pages that are similar to a specified web page
- info: Presents some information that Google has about the particular page
- site: Restrict the results to those websites in the given domain
- allintitle: Restrict the results to those websites with all of the search keywords in the title
- intitle: Restrict the results to documents containing the search keyword in the title
- allinurl: Restrict the results to those with all of the search keywords in the URL
- inurl: Restrict the results to documents containing the search keyword in the URL
- location: Find information for a specific location
- intext: Restrict the results to documents containing the search keyword in the content
Operators can be combined, e.g. site:danielgorbe.com intitle:"index of" to look for open directory listings on a single domain.
Find more at the Ahrefs blog.
WHOIS #
Whois databases are maintained by the domain registries and registrars (for domain names) and by the Regional Internet Registries (for IP address blocks and AS numbers). A domain record lists the registrar, creation and expiry dates, name servers and the registrant's contact details (e.g. email address), although since GDPR most registrars redact the registrant fields, so expect "REDACTED FOR PRIVACY" in place of the personal data.
The whois protocol uses TCP port 43 (RFC 3912).
Example on Linux:
whois danielgorbe.com
DNS footprinting #
DNS record types:
- A: Points to a host's IPv4 address (AAAA holds the IPv6 address)
- MX: Points to a domain's mail server
- NS: Points to a domain's name server
- CNAME: Canonical name, allows aliases to a host
- SOA: Indicates authority for a domain
- SRV: Service records
- PTR: Maps an IP address to a hostname (reverse lookup)
- RP: Responsible person
- HINFO: Host information record, includes CPU type and OS
- TXT: Unstructured text records
Example on Linux (dig queries the A record by default; append a record type such as MX or NS to query another):
dig danielgorbe.com
Traceroute #
Trace the path (the sequence of router hops) between you and the target host, which reveals the target's upstream providers and edge devices. Linux traceroute sends UDP probes by default while Windows tracert uses ICMP echo; firewalls often drop one or both, so the trace may end in asterisks before reaching the target.
Example on Linux:
traceroute danielgorbe.com
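The whois, dig and traceroute commands above are run one at a time. The script below is an added example, not part of the CEH material, that chains them into a single footprinting pass: it summarises the whois record (flagging GDPR-redacted fields), queries the DNS record types listed above, goes one step beyond the text by attempting a zone transfer (AXFR) against each authoritative name server, and finishes with traceroute. It assumes the whois, dig and traceroute binaries are installed; the embedded whois text is a constructed sample so the parsing part runs without network access.

```shell
#!/usr/bin/env bash
# Added example (not from the CEH material): a small footprinting driver that
# ties together whois, dig and traceroute. Assumes whois, dig and traceroute
# are installed; the SAMPLE_WHOIS text below is constructed, not real output.
set -u

# Pull the fields worth keeping from raw whois text (stdin) and print them as
# key=value lines. Registrant fields are usually "REDACTED FOR PRIVACY" since
# GDPR, so those are reported as <redacted> rather than as useful data.
whois_summary() {
    awk '
        {
            line = $0
            sub(/\r$/, "", line); sub(/^[ \t]+/, "", line)
            i = index(line, ":")
            if (i == 0) next
            key = tolower(substr(line, 1, i - 1))
            if (key !~ /^(registrar|creation date|registry expiry date|name server|registrant organization|registrant email)$/) next
            val = substr(line, i + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/ /, "_", key)
            if (toupper(val) ~ /REDACTED/) val = "<redacted>"
            if (key == "name_server") val = tolower(val)
            print key "=" val
        }'
}

# Name servers from whois text (stdin), one per line, deduplicated.
whois_nameservers() {
    whois_summary | awk -F= '$1 == "name_server" { print $2 }' | sort -u
}

# Active check: ask each authoritative name server for a full zone transfer.
# A permissive server returns the whole zone (starting with the SOA record);
# most refuse. Returns 0 if any server allowed the transfer.
zone_transfer_check() {
    local domain=$1 ns ok=1
    for ns in $(dig +short "$domain" NS); do
        if dig +noall +answer @"$ns" "$domain" AXFR | grep -q "IN[[:space:]]*SOA"; then
            echo "AXFR allowed by $ns"
            ok=0
        else
            echo "AXFR refused by $ns"
        fi
    done
    return $ok
}

# Full run against a live domain: whois summary, the common record types,
# the zone-transfer check and a numeric traceroute.
footprint() {
    local domain=$1 type
    echo "== whois =="
    whois "$domain" | whois_summary
    echo "== dns =="
    for type in A AAAA MX NS SOA TXT; do
        dig +short "$domain" "$type" | sed "s/^/$type /"
    done
    echo "== zone transfer =="
    zone_transfer_check "$domain" || true
    echo "== traceroute =="
    traceroute -n "$domain"
}

# Constructed sample of registry whois output (example.com is reserved for
# documentation), used to exercise the parser offline.
SAMPLE_WHOIS='   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2030-08-13T04:00:00Z
   Name Server: A.IANA-SERVERS.NET
   Name Server: B.IANA-SERVERS.NET
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar of Record'

if [ $# -gt 0 ]; then
    footprint "$1"          # ./footprint.sh danielgorbe.com
else
    printf '%s\n' "$SAMPLE_WHOIS" | whois_summary
fi
```

Run it as `./footprint.sh danielgorbe.com` for a live pass; with no argument it only parses the constructed sample. The whois and dig queries go to public registries and resolvers, so they are passive in the CEH sense, while the AXFR attempt and the traceroute touch the target's own infrastructure and count as active footprinting.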