Footprinting is the first step of any attack on information systems in which an attacker collects information about a target network to identify various ways to intrude into the system.
| Passive | Active |
| without direct interaction | with direct interaction |
Information Obtained in Footprinting
| Organization Information | Network Information | System Information |
| – Employee details – phone numbers – location details – organization background – web technologies – news articles, press releases etc. | – domain, sub-domains – network blocks – topology, trusted routers, firewalls – IP addresses of reachable systems – whois – DNS | – web server OS – location of the web server – publicly available email usernames and passwords |
| – The information is available on its website. – query whois database to get information | – whois database analysis – trace routing | – network – DNS – website and emails footprinting |
Footprinting techniques
Footprinting through Search Engines
– Advanced Google hacking techniques

– Google hacking database and google advanced search
https://www.exploit-db.com – The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

– Video, Meta, FTP and IoT search engines
| Techniques | Tools |
| Google advanced search | – Google advanced search |
| Advanced image search | – Google advanced image search |
| Reverse image search | – Google image search – TinEye reverse image search – Yahoo image search |
| Video Search engines | – Youtube metadata – Youtube dataviewer |
| Meta search engine | – Startpage – MetaGer |
| FTP search engine | – NAPALM FTP indexer – FreewebFTP files search |
| IoT search engine | – Shodan.io – Censys – Thingful (pay) |
Footprinting through Web services
– People search services
| Facebook.com |
| Spokeo.com |
| theHarvester – theHarvester -d microsoft -l 200 -b linkedin (search people); theHarvester -d microsoft.com -l 200 -b baidu (search email) |
| Job sites are also a good source of information about what technology the organization is using |
– Financial Services and Job Sites
– Deep and Dark web footprinting
– Competitive Intelligence and Business Profile sites

– Determine the OS
| netcraft.com – information about the site |
| shodan.io – searches the Internet for connected devices (routers, servers, and IoT). |
| censys.io – monitors the infrastructure and discovers unknown assets anywhere on the Internet. It provides a full view of every server and device exposed to the Internet. |
– Finding Top level domain and sub-domains
| Google / Bing – Powerful search engines |
| netcraft.com – provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning. |
| Sublist3r – Sublist3r is a Python script designed to enumerate the subdomains of websites using OSINT |
| https://pentest-tools.com – Find Subdomains is an online tool used for discovering subdomains and their IP addresses, including network information and their HTTP servers. |
| technique | tools |
| Location of the target | – Google earth – google map – wikimapia |
| Gathering financial Information | – Google finance – MSN money – Yahoo finance |
| Gathering information from business profile sites | – opencorporates – crunchbase – corporationwiki – LinkedIn |
| Monitoring targets using alerts | – google alerts, X(twitter) – Mention, online reputation tool |
| Gathering information from groups, forums and blogs | – Google groups – yahoo groups |
| Gathering information from NNTP Usenet newsgroups | – newshosting – eweka – supernews |
| Public source code repositories | Recon-ng |
Footprinting through Social media sites
– social engineering
| Sherlock – searches a vast number of social networking sites for a target username. This tool helps the attacker locate the target user on various social networking sites, along with the complete URL. python3 sherlock victim |
| social-searcher.com – searches for content on social networks in real time and provides deep analytics data. |
– social media sites
| buzzsumo.com – advanced social search engine that finds the most shared content for a topic, author, or domain. It shows the sharing activity across all the major social networks including Twitter, Facebook, LinkedIn, Google Plus, and Pinterest. |
| https://followerwonk.com – Followerwonk helps you explore and grow your social graph: Dig deeper into Twitter analytics: Who are your followers? Where are they located? When do they tweet? |
– analyzing social network graphs
| https://gephi.org – visualization and exploration tool for all types of graphs and networks. It allows the easy creation of social data connectors to map community organizations and small world networks. |
Website footprinting
Looking for Software used and its version, OS used, Sub-directories and parameters, Filename, path, database field name or query, scripting platform, technologies used, contact details, CMS details.
| Burp Suite – platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application’s attack surface to finding and exploiting security vulnerabilities. Burp Proxy allows attackers to intercept all requests and responses between the browser and the target web application and obtain information such as the web server used, its version, and web-application-related vulnerabilities. |
| Examining the HTML source code – identifying the CMS |
| Examining Cookies – identifying software running, scripting platform |
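The header, cookie and HTML-source checks above are what a site owner should run against their own server before anyone else does. The following is an added example for these notes (not Burp Suite or any tool named on the page): it parses a raw HTTP response and reports every place software or a version is disclosed. The sample response is constructed; the header and cookie names it looks for are common defaults, not a complete list.

```python
"""Audit an HTTP response for technology and version disclosure.

Added example for these notes; not code from any tool on the page.
It does by hand what an analyst does when examining headers, cookies
and HTML source. The sample response below is constructed.
"""
import re
from http.cookies import SimpleCookie

# Response headers that commonly disclose software and versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Default session-cookie names that identify the scripting platform.
COOKIE_FINGERPRINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
    "ci_session": "CodeIgniter (PHP)",
}

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.4" />'
    "</head><body></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into ([(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # drop the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def find_disclosures(raw):
    """Return (source, finding) pairs for everything the response leaks."""
    headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS:
            findings.append((f"header {name}", value))
        if name == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            for key in cookie:
                if key in COOKIE_FINGERPRINTS:
                    findings.append((f"cookie {key}", COOKIE_FINGERPRINTS[key]))
    # <meta name="generator"> is the usual CMS giveaway in the HTML source.
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    if m:
        findings.append(("meta generator", m.group(1)))
    return findings


if __name__ == "__main__":
    for source, finding in find_disclosures(SAMPLE_RESPONSE):
        print(f"{source:20} -> {finding}")
```

Each finding maps to a fix on the server side: `ServerTokens Prod` and `expose_php = Off` for the first two headers, a renamed session cookie, and removing the generator tag from the theme template.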
– Web spidering
| Webspiders – Web data extractor, Parsehub |
– Website mirroring
| HTTrack Web Site Copier – offline browser utility. It downloads a website from the Internet to a local directory and recursively builds all the directories including HTML, images, and other files from the web server on another computer. |
| https://archive.org – Internet Archive Wayback Machine that explores archived versions of websites. |
| Photon – retrieves archived URLs of the target website from archive.org: python photon.py -u <target-url> -l 3 -t 200 --wayback; python photon.py -u <target-url> -l 3 -t 200 --only-urls |
| Extracting Website links | – octoparse – netpeak spider – link extractor |
| gathering wordlist from the target website | – CeWL cewl http://www.certifiedhacker.com |
| Extracting metadata from public documents | – ExifTool – Web data extractor – Metagoofil |
| Monitoring webpages for updates and changes | – Website-watcher – visual ping – follow that page |
| Searching for contact info, email address, telephone etc | – target website |
| Searching for webpage posting patterns and revision numbers | – websearch |
| Monitoring website traffic of the target company | – web-stat – ranktracker – goingup.com – opentracker – google analytics |
Email footprinting
– Tracking Email communications
Collecting information from the email header
| infoga – gathers email account information (IP, hostname, country, etc.) from different public sources (search engines, PGP key servers, and Shodan), and checks whether an email was leaked using the haveibeenpwned.com API: python infoga.py --domain microsoft.com --source all --breach -v 2 --report ../microsoft.txt; python infoga.py --info m4ll0k@protonmail.com --breach -v 3 --report ../m4ll0k.txt |
| eMailTrackerPro – analyzes email headers and extracts information such as the sender’s geographical location, IP address, and so on. It allows an attacker to review the traces later by saving past traces. |
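Header analysis is the same work on the defensive side: an incident responder reads the Received chain of a suspicious message to find where it entered the mail system. The following is an added example for these notes (not eMailTrackerPro or infoga) that rebuilds the hop chain from a raw message and picks out the first externally routable relay. The message is constructed; the "internal" test covers only RFC 1918, loopback and link-local, so the documentation ranges used in the sample count as external.

```python
"""Reconstruct the delivery path from an email's Received headers.

Added example for these notes; not code from any tool on the page.
Relays prepend Received headers, so the topmost header is the last hop
and the chain has to be read bottom-up. The sample message is constructed.
"""
import ipaddress
import re
from email import policy
from email.parser import Parser

# Constructed sample; 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.com with ESMTPS id abc123;
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:01 +0000
Received: from [192.168.1.50] (unknown [192.168.1.50])
\tby relay.example.org with ESMTPA id ghi789;
\tMon, 1 Jan 2024 09:59:58 +0000
From: sender@example.org
To: victim@example.com
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Only RFC 1918, loopback and link-local count as internal here; the
# stdlib's is_private would also flag the documentation ranges above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    """True if the address belongs to one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_chain(raw_message):
    """Return the hops oldest-first as dicts: from, by, ip, internal."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_ip = IP_RE.search(text)
        ip = m_ip.group(1) if m_ip else None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": ip,
            "internal": ip is not None and is_internal(ip),
        })
    return hops


def originating_ip(raw_message):
    """The first non-internal relay IP: where the message entered the
    public mail system. Earlier hops are inside the sender's network."""
    for hop in received_chain(raw_message):
        if hop["ip"] and not hop["internal"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for n, hop in enumerate(received_chain(SAMPLE_MESSAGE), 1):
        print(f"hop {n}: {hop['from']} -> {hop['by']} ({hop['ip']})")
    print("originating IP:", originating_ip(SAMPLE_MESSAGE))
```

Headers below the one written by your own inbound server can be forged by the sender, so only the hops recorded by relays you trust are evidence; the chain still tells you which relay to query.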
DNS footprinting
– DNS interrogation – These tools can extract a range of IP addresses using IP routing lookup.
| SecurityTrails – advanced DNS enumeration tool capable of creating a DNS map of the target domain network. It can enumerate both current and historical DNS records such as A, AAAA, NS, MX, SOA, and TXT, which helps in building the DNS structure. |
– Reverse DNS lookup
| DNSRecon – perform a reverse DNS lookup on the target range: dnsrecon -r 162.241.216.0-162.241.216.255 |
| Reverse Lookup – performs a reverse IP lookup by taking an IP address and locating a DNS PTR record for that IP address |
Network footprinting
– locate network range
– traceroute
| ARIN – enter the server IP into the SEARCH Whois text box. This yields the network range of the target network. |
| Traceroute – Finding the route to the target host on the network is necessary to test against man-in-the-middle attacks and other related attacks. Variants: – ICMP traceroute – TCP traceroute – UDP traceroute |
| Path Analyzer Pro – performs network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues. |
| Visualroute.com – is a traceroute and network diagnostic tool. Attackers use VisualRoute to identify the geographical location of routers, servers, and other IP devices in the target network. |

Footprinting through social engineering
– Eavesdropping
– Shoulder surfing
– Dumpster diving
– Impersonation
| Maltego – automated tool that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc. |
| Recon-ng – reconnaissance framework with independent modules and database interaction that provides an environment in which open-source web-based reconnaissance can be conducted. |
| FOCA – finds metadata and hidden information in the documents that it scans. FOCA is capable of scanning and analyzing a wide variety of documents, the most common ones being Microsoft Office, OpenOffice, or PDF files. |
| OSRFramework – set of libraries for username checking, DNS lookups, information-leak research, deep web search, and regular expression extraction. |
| Recon-Dog – all-in-one tool for basic information gathering needs. It uses APIs to collect information about the target system. |
| Bill Cipher – information gathering tool for a website or IP address. It can work on any operating system that supports Python 2, Python 3, and Ruby. This tool includes various options such as DNS lookup, Whois lookup, port scanning, zone transfer, host finder, and reverse IP lookup, which help to gather critical information. |
| Spyse – collect and analyze information about devices and websites available on the Internet. It probes every public IP address, crawls every website, curates and enriches the resulting data, and makes the data intelligible through an interactive search engine and application programming interface (API). |
| Grecon |
| theHarvester |
| Th3inspector |
| Raccoon |
| Orb |
Footprinting Countermeasures

| Develop and enforce security policies |
| Restrict zone transfers |
| Disable directory listings |
| Educate employees about social engineering tricks and risks |
| Use Whois privacy so the Whois database does not expose personal contact details |
| Avoid domain-level cross-linking |
| Encrypt and password-protect sensitive information |
| Keep critical documents offline |
| Train employees to recognize social engineering attacks |
| Hide direct contact details |
| Disable geo-tagging functionality |
| Avoid revealing location or travel plans |
| Turn off geolocation access |
| Ensure no critical information is posted on notice boards |
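The metadata extraction listed under website footprinting (ExifTool, Metagoofil, FOCA) works because published Office documents carry the author, last editor, company and software version in their package properties. Stripping those before publication is the matching countermeasure. The following is an added example for these notes, not code from any of those tools: a .docx is a zip archive, so it opens docProps/core.xml and docProps/app.xml, reports the identifying elements, and writes a scrubbed copy. The document it works on is constructed in memory, and the element list is the common set, not everything Office can store.

```python
"""Find and strip author metadata from a .docx before it goes public.

Added example for these notes; not code from ExifTool, Metagoofil or FOCA.
The sample package is constructed in memory. Regexes are enough for these
flat elements; a production tool would use an XML parser.
"""
import io
import re
import zipfile

# Constructed docProps/core.xml with the fields harvesting tools collect.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>jsmith</dc:creator>
<cp:lastModifiedBy>DOMAIN\\jsmith</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2024-01-01T09:00:00Z</dcterms:created>
</cp:coreProperties>"""

# Constructed docProps/app.xml: software, version and company.
APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application>
<AppVersion>16.0000</AppVersion>
<Company>Example Corp</Company>
</Properties>"""

PROPS_FILES = ("docProps/core.xml", "docProps/app.xml")

# Elements that identify people, internal systems or software versions.
SENSITIVE = ("dc:creator", "cp:lastModifiedBy", "Company", "Manager",
             "AppVersion", "Application")


def build_sample_docx():
    """Constructed minimal .docx: just enough of the package to audit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def audit_docx(data):
    """Return {element: value} for every non-empty sensitive element."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in PROPS_FILES:
            if name not in z.namelist():
                continue
            xml = z.read(name).decode("utf-8")
            for tag in SENSITIVE:
                m = re.search(rf"<{tag}>([^<]*)</{tag}>", xml)
                if m and m.group(1):
                    found[tag] = m.group(1)
    return found


def scrub_docx(data):
    """Return a copy of the package with the sensitive elements emptied.

    Other parts (the document body, styles, media) are copied unchanged.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in PROPS_FILES:
                xml = payload.decode("utf-8")
                for tag in SENSITIVE:
                    xml = re.sub(rf"<{tag}>[^<]*</{tag}>", f"<{tag}></{tag}>", xml)
                payload = xml.encode("utf-8")
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", audit_docx(doc))
    print("after: ", audit_docx(scrub_docx(doc)))
```

Running the audit over everything in a public web root (and on the pipeline that publishes it) turns the "place critical documents offline" and "hide direct contact details" items above into a check rather than a reminder.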