CEHv12-02 - Recon Techniques - Footprinting and Recon

Footprinting concepts

  • Gathering information about a target system. Also known as fingerprinting or reconnaissance.
  • End goal is to find a way to break into the system.
  • Often offered as a separate service bought by companies to check for leaks and to see what data about them is out there.

Classification

  • Passive footprinting: no direct contact with target, relying on information that is publicly available.
  • Active footprinting: direct contact with the target, so the target may become aware of it (e.g. through actions that get logged or recorded).

How to:

  1. Start with passive footprinting by gathering all publicly available data. Organize the data obtained.
  2. Use active footprinting: start probing for ports, networks, possible vulnerabilities etc. It’s good to learn more about the staff (employees) of a company: through them you can learn a lot more and gain a lot more access (e.g. contact them through social media and start a conversation, or join a conference that you see the person is attending on LinkedIn and meet them).

Information types

  • System information:
    • Web server operating systems.
    • Server locations.
    • Active Directory or LDAP.
    • Users.
    • Passwords.
  • Network information:
    • Domains, subdomains.
    • IP addresses.
    • Whois and DNS records.
    • VPN firewalls using ike-scan.
  • Organization information:
    • Employee information.
    • Organization’s background
    • Phone numbers.
    • Locations.

Footprinting objectives

  • Learn security posture: analyze security, find loopholes, create an attack plan.
  • Identify focus area: narrow down the range of IP addresses.
  • Find vulnerabilities: identify weaknesses in the target’s security.
  • Map the network: a graphical representation of the target’s network serves as a guide during the attack.

Footprinting reports

  • Main items:
    • Details about the performed tests.
    • Used techniques.
    • Test results.
  • Other information:
    • List of vulnerabilities and how they can be fixed.
    • List the sources of information, e.g. DNS, social media, social engineering.
    • List what information you gathered from each source.
  • Should be kept highly confidential.

Google dorks

Use advanced search features of Google in order to do granular searching.

  • Look for vulnerabilities in software (e.g. msexchange).

    • Look for tools on a site, e.g. site:reddit.com osint tools.
    • Look for user and password files: inurl:/wp-content/uploads/ ext:txt "username" | "user name" | "uname" | "user" | "userid" | "user id" AND "password" | "pass word" | "pwd" | "pw".
  • Look for id= in a URL, and test for SQL injection.

  • Operators:

    • site:: changes the scope to a specific website.
    • inurl:: look for webpages whose URL contains a specific character string.
    • intitle:: look for webpages whose title contains a specific character string.
    • filetype:: look for files of a certain type, like PDF.
    • cache:: find a stored copy of a website.
    • related:: find websites related to the site cited in the query.
    • link:: find websites linking to a certain website.
    • info:: find information about a certain website.

Shodan and Censys

  • Shodan: search devices connected to the Internet. It has a lot of filters.

    Filter            Description
    city              Name of the city
    country           1 character country code
    http.title        Title of the website
    net               Network range or IP in CIDR notation
    org               Name of the organization unit that owns the IP
    port              Port number of the running service
    product           Name of the software powering the device
    screenshot.label  Label that describes the content
    state             US state
  • Censys: search devices connected to the Internet.

    • Hosts and certificates database.
    • Explore tab: map the domain.

Sub-Domain enumeration

  • Domain: presence on the Internet.

  • Subdomains: smaller area on a domain. Enumeration widens the scope for finding targets.

  • Techniques:

    • Check all NS records for zone transfers.
    • Enumerate general DNS records for a given domain.
    • Perform common SRV record enumeration: service records contain the hostname, port and priority of servers for a given service.
    • Brute-force discovery of subdomain and host A and AAAA records with a given top domain and wordlist.
    • DNS PTR lookup given an IP range in CIDR notation:
      • Query DNS for the PTR record of each IP in the subnet.
  • How to:

    • Google dork: site:my-target-website.org.

    • Go to the website, view the page source, search with Ctrl + F for my-target-website.org, and look at cookies.

    • Netcraft: under Resources - Tools - Search DNS, use “site contains…”.

    • Sublist3r: python tool. Options:

      Short form  Long form     Description
      -d          --domain      Domain name to enumerate subdomains of
      -b          --bruteforce  Enable the subbrute bruteforce module
      -p          --ports       Scan the found subdomains against specific TCP ports
      -v          --verbose     Enable verbose mode and display results in real time
      -t          --threads     Number of threads to use for subbrute bruteforce
      -e          --engines     Specify a comma-separated list of search engines
      -o          --output      Save the results to a text file
      -h          --help        Show the help message and exit

    • ExifTool: extract metadata.

Social networking recon

People don’t think about what they put out on social media.

  • Use advanced search parameters.

  • Look for usernames, they are usually similar to email addresses.

  • How to:

    • Social searcher: website.
    • Sherlock: python tool to find usernames across social networks.
      sherlock [-h] [--version] [--verbose] [--folderoutput FOLDEROUTPUT]
      [--output OUTPUT] [--tor] [--unique-tor] [--csv] [--xlsx]
      [--site SITE_NAME] [--proxy PROXY_URL] [--json JSON_FILE]
      [--timeout TIMEOUT] [--print-all] [--print-found] [--no-color]
      [--browse] [--local] [--nsfw]
      USERNAMES [USERNAMES ...]

      positional arguments:
      USERNAMES One or more usernames to check with social networks.
      Check similar usernames using {?} (replace to '_', '-', '.').

Job board recon

  • Easy way to get contact information and org charts.
  • Learn the stack they use from job posting ads.

Deep-dark web recon

  • Dark web: unindexed websites that exist on the dark net. Browse them with a censorship-resistant and privacy-respecting specialized browser like:
    • Freenet
    • TOR.

Email tracking

Monitoring the email delivery and inspecting the e-mail headers may reveal:

  • IP address of the recipient.
  • Geolocation of the recipient.
  • Delivery information.
  • Visited links.
  • Browser and OS information.
  • Reading time.

There are email tracking tools, used by marketers, that rely on JavaScript, tracking links, link shorteners or tracking pixels.

Headers

  • Email header analysis:

    • Sender’s name
    • IP/Email address of the sender
    • Mail server
    • Mail server authentication system
    • Send and delivery stamps
    • Unique number of the message
  • Authentication protocol headers: allow you to detect forged sender addresses. They should include information about their pass status:

    • SPF: Sender Policy Framework (e.g. 'PASS' with IP 209.85.220.69 or 'NEUTRAL' ...), based on e-mail servers publishing records that say “here are the IP addresses we’ll send e-mails from”:
      • Verifies whether the domain of the e-mail is owned by the sending server.
      • If not passed, many e-mail providers just block it.
    • DKIM: DomainKeys Identified Mail (e.g. 'PASS' with domain accounts.google.com): allows the receiver to verify that an email claimed to have come from a specific domain was authorized by the owner of that domain, using a digital signature tied to the domain.
    • DMARC: Domain-based Message Authentication, Reporting and Conformance (e.g. PASS or FAIL): a combination of the two protocols SPF + DKIM; it builds on them and adds more policy.
  • Verifying email legitimacy

    • Double check FROM.
    • Check the spelling of the domain name so it’s coming from the domain of the company. If it’s a random e-mail, check whether it’s from one of the biggest domain providers or something legitimate.
    • Check the IP of the domain.
    • It can be someone’s computer (home router IP) or a private server.
    • Major mail service providers check whether the domain of the e-mail is tied to the source IP of the e-mail (e.g. if there is a record, you may tie a public Wi-Fi IP, like a coffee shop’s, to a domain and send the e-mails from there).
  • E-mail policies:

    • Different e-mail service providers have different policies regarding their SMTP.
    • Once a hacker recognizes the e-mail servers, he/she can create accounts there and send e-mails back and forth to figure out what the rules are.
    • Each has its own rule list.
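The header checks listed above, applied by a small checker I am adding here (it is not part of the original notes): it reads the SPF/DKIM/DMARC verdicts from the receiving server's Authentication-Results header and compares the visible From: domain with the expected one and with the domain DMARC evaluated. Both messages below are constructed samples, not real captures, and mx.example.net and the lookalike domain are invented.

```python
import re
from email import message_from_string

# Constructed sample (not a real capture): headers as stored after the receiving
# server mx.example.net stamped its Authentication-Results line.
LEGIT_EMAIL = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@accounts.google.com header.s=20230601;
       spf=pass (designates 209.85.220.69 as permitted sender)
       smtp.mailfrom=no-reply@accounts.google.com;
       dmarc=pass (p=REJECT) header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
"""
# Constructed spoof: convincing display name, lookalike domain, no DKIM,
# SPF softfail and a DMARC failure.
SPOOFED_EMAIL = """\
Authentication-Results: mx.example.net;
       dkim=none; spf=softfail smtp.mailfrom=bounce@mailer.example;
       dmarc=fail (p=REJECT) header.from=acounts-google.example
From: Google Security <alerts@acounts-google.example>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
HEADER_FROM_RE = re.compile(r"header\.from=([A-Za-z0-9.-]+)", re.I)

def parse_auth_results(raw_email):
    """Return the spf/dkim/dmarc verdicts (missing method -> 'none') and the
    DMARC header.from domain, read from the Authentication-Results header."""
    msg = message_from_string(raw_email)
    res = {"spf": "none", "dkim": "none", "dmarc": "none", "header_from": ""}
    for value in msg.get_all("Authentication-Results", []):
        for method, status in AUTH_RE.findall(value):
            res[method.lower()] = status.lower()
        m = HEADER_FROM_RE.search(value)
        if m:
            res["header_from"] = m.group(1).lower()
    return res

def assess(raw_email, expected_domain):
    """Checks from the notes: all three methods must pass, the visible From:
    domain must be exactly the expected one (catches lookalike spellings) and
    must equal the domain DMARC evaluated. Returns (legitimate, reasons)."""
    res = parse_auth_results(raw_email)
    m = re.search(r"@([A-Za-z0-9.-]+)", message_from_string(raw_email).get("From", ""))
    from_domain = m.group(1).lower() if m else ""
    reasons = [f"{k}={res[k]}" for k in ("spf", "dkim", "dmarc") if res[k] != "pass"]
    if from_domain != expected_domain.lower():
        reasons.append(f"from={from_domain} (expected {expected_domain})")
    elif res["header_from"] != from_domain:
        reasons.append("dmarc header.from differs from From: domain")
    return (not reasons, reasons)
```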

WHOIS and DNS recon

WHOIS

Query and response protocol (port 43), public records, completely legal. It is used for retrieving registry information about assigned Internet resources.

  • Access:
    • Use different websites such as whois.net
    • Use CLI: whois cloudarchitecture.io
  • Models:
    • Thick WHOIS: information from all registrars for the specified set of data.
    • Thin WHOIS: limited information about the specified set of data.
  • Results:
    • Domain details.
    • Domain owner details (contact information). Can be hidden by a WHOIS guard (proxy between the owner of the domain and who’s accessing), but emails are usually still redirected to the owner (phishing target).
    • Domain server (site owner might have account in the server, and you can test passwords there).
    • Net range.
    • Domain expiration: if auto-renewal fails, the domain can be transferred or bought.
    • Creation and last update dates.
  • Regional internet registries: WHOIS databases are maintained by the Regional Internet Registries (RIRs). Every ISP, hosting company etc. must be member of one of the registries to get IP addresses:
    • ARIN: American Registry for Internet Numbers
    • AFRINIC: African Network Information Center
    • APNIC: Asia Pacific Network Information Center
    • RIPE: Réseaux IP Européens Network Coordination Centre
    • LACNIC: Latin American and Caribbean Network Information Center

DNS recon

Domain Name Service; DNS recon collects information about DNS zone data, retrieving the key hosts in the network.

  • How to: host -t a cloudarchitecture.com (-t: type of domain record; a retrieves A-type domain records).
  • Reverse DNS lookup: use one of the IP addresses listed as an A record to retrieve multiple IP addresses tied to the same domain:

    host 13.33.17.159
    159.17.33.13.in-addr.arpa domain name pointer server-13-33-17-159.arn53.r.cloudfront.net.
  • Zone transfers (ZANG), dig command (dig axfr @nsztm1.digi.ninja zonetransfer.me), nslookup. Resources can be found on digi.ninja.
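The PTR sweep over a CIDR range (from the sub-domain enumeration techniques) and the reverse-lookup output above, worked through in Python as an added example that is not part of the original notes: it generates the in-addr.arpa / ip6.arpa names a sweep would query, parses `host` output into IP-to-hostname pairs, and groups the IPs by owning domain. The `host` output lines are constructed, modelled on the single real line in the notes; `sweep()` is only for auditing a range you own and is not run here.

```python
import ipaddress
import re
import socket

# Constructed sample of `host <ip>` output for addresses in one /30, modelled on
# the line in the notes (not a real capture); one address has no PTR record.
SAMPLE_HOST_OUTPUT = """\
159.17.33.13.in-addr.arpa domain name pointer server-13-33-17-159.arn53.r.cloudfront.net.
158.17.33.13.in-addr.arpa domain name pointer server-13-33-17-158.arn53.r.cloudfront.net.
Host 157.17.33.13.in-addr.arpa. not found: 3(NXDOMAIN)
156.17.33.13.in-addr.arpa domain name pointer mail.example.org.
"""

PTR_LINE_RE = re.compile(r"^(\S+)\.in-addr\.arpa domain name pointer (\S+?)\.?$")

def ptr_names(cidr):
    """Reverse-pointer names (x.x.x.x.in-addr.arpa or ...ip6.arpa) for every
    address in the block; these are the names a PTR sweep queries."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [ip.reverse_pointer for ip in net]

def parse_host_output(text):
    """Parse `host` output into {ip: hostname}; NXDOMAIN lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = PTR_LINE_RE.match(line.strip())
        if not m:
            continue
        ip = ".".join(reversed(m.group(1).split(".")))  # undo in-addr.arpa order
        found[ip] = m.group(2)
    return found

def group_by_domain(ptr_map, labels=2):
    """Tie IPs to the same owner by grouping on the last `labels` DNS labels,
    e.g. cloudfront.net -> [13.33.17.158, 13.33.17.159]."""
    groups = {}
    for ip, host in ptr_map.items():
        groups.setdefault(".".join(host.split(".")[-labels:]), []).append(ip)
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in groups.items()}

def sweep(cidr):
    """Live PTR sweep of your own range through the system resolver."""
    results = {}
    for ip in ipaddress.ip_network(cidr, strict=False):
        try:
            results[str(ip)] = socket.gethostbyaddr(str(ip))[0]
        except (socket.herror, socket.gaierror):
            pass  # no PTR record for this address
    return results
```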

Social Engineering Recon

  • Eavesdropping: listen to conversations; people like to yell into their phones or read emails aloud.
  • Shoulder-surfing: look over their shoulder as you pass by.
  • Dumpster diving: documents, notes with passwords. Documents may need to be shredded.
  • Impersonating: by default, people will believe you if you pose as the service desk.

Other footprinting tools

Tools that collect and visualize information (e.g. IP location, routing, business, address, phone number, social security number, source of an email or a file, DNS, domain).

  • Maltego, proprietary software for OSINT, provides graphical link for investigative tasks.
  • OSINT framework: provides graphical link for investigative tasks.
  • Recon-ng (The Recon-ng Framework): open source CLI tools for open source web-based reconnaissance.
  • Recon-dog:
    • Open-source CLI tool self-claimed as Reconnaissance Swiss Army Knife.
    • Can extract targets from STDIN (piped input) and act upon them.
    • Passive reconnaissance tool extracting all information with APIs without any contact with target.
  • FOCA: Fingerprinting Organizations with Collected Archives: open-source tool to find metadata and hidden information in the documents:
    1. Finds documents (e.g. PDF, SVG) through search engines or manual upload.
    2. Analyze them and identify which documents are created by same team, using which servers/clients.
  • Dmitry (DeepMagic Information Gathering Tool): CLI tool to analyze a website e.g. dmitry https://cloudarchitecture.io:
    1. Performs WHOIS lookup on IP and domain.
    2. Retrieves Netcraft information.
    3. Search for subdomains/email addresses.
    4. Performs TCP scanning.
    5. Grabs banner for each port.

Footprinting and recon countermeasures

  • Enforcing security policies.
  • Educating employees about security threats: raising awareness reduces risks dramatically.
  • Encrypting sensitive information: use proper encryption everywhere. Many companies use a VPN/proxy with encryption for outside communication, but their services communicate with each other without any encryption.
  • Access control: authentication, use of MFA.
  • Disabling protocols that are not required.
  • Proper service configuration:
    • Double check all services that the application depends on.
    • Do not disable/enable configuration without knowing consequences.
  • Scrutinize information released to the public domain: e.g. if you post on social media which routers the company has just bought, it allows a hacker to learn the default router configuration, get an image of the router’s OS and conduct tests in a VM.
  • Limit site caching: tell search engines what they’re supposed to index (e.g. through robots.txt):
    • User-agent: *
      Disallow: /
      prevents indexing of any page (Disallow: /) for any crawler (User-agent: *).
  • Use Whois Guard.
  • Restricting access to social media: extra risk, as you click on many links and give away the company’s IP address,