
FOOTPRINTING/RECONNAISSANCE



This refers to the act of checking out the network and getting familiar with its layout in order to attack it; in other words, we are simply gathering target information. We try to build a complete profile: domain names, network blocks and individual IP addresses.

There is no one way to footprint. Different situations will take different paths. In general, we try to find:

  • Domain Names (both external and internal)
  • Network blocks
  • Specific IPs (both reachable by internet and unreachable outside the local network)
  • Access control mechanisms
  • System architectures
  • Intrusion detection systems
  • An enumeration of the system (user and group names, system banners, routing tables, SNMP information)
  • Networking protocols


This part of the attack can be both technical and physical. We consult as many sources as possible to glean information about the network.
A good starting point is the target's website, where we can look for email addresses, links to other servers, contact information, etc. It is sometimes easier to download an entire website and view it offline than to browse it online (check out my tutorial here); you can use the wget command on Linux. FOCA is another tool for finding very useful information about websites, such as document metadata.

Perform whois searches on domains to gain more information, including nameservers, etc. Link. The whois command on Linux is also very useful; you can use it to perform very specific searches, for example registrar queries, organizational queries, domain queries, network queries and POC (point of contact) queries.

Use Netcraft to find a lot of useful information about a site.
Some tools will help automate the footprinting process, for example SpiderFoot.
EDGAR is also a semi-useful resource for information on publicly traded companies.

We can also use a security flaw in misconfigured DNS servers, zone transfers, to easily get a lot of information about the system. A zone transfer can give us an entire blueprint of the target network: internal hostnames and IP addresses.
This session demonstrates how to manually request a zone transfer from a misconfigured DNS server:

Code:
[bash]$ nslookup
Default Server: dns.example.com
Address: 192.168.0.1
> server 192.168.0.1
Default Server: [192.168.0.1]
Address: 192.168.0.1
> set type=any
> ls -d Example.com. >> /tmp/dns_zone_transfer
That will save the information in a file called dns_zone_transfer, which we can then view to gain more information. Note that the ls subcommand only exists in older nslookup implementations; the nslookup shipped with BIND 9 does not have it. We can use commands like grep to find systems in the zone transfer that are potentially vulnerable to attack, and we can find systems with interesting names that may be very useful to us; for example, we may find a backup server or something similar. It is often useful to find "test" systems, which are often badly set up and then rarely used, because they are the perfect place to set up our "camp" in the network.
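To see what a leaked zone actually hands over, and therefore what a defender should strip from a public zone or restrict with transfer ACLs, here is an added Python example (not code from the original post) that parses a constructed zone listing and flags records pointing at RFC 1918 addresses and host labels that advertise test, backup or other sensitive roles. The sample names, addresses and the keyword list are assumptions.

```python
import ipaddress
import re

# Constructed sample zone listing (hypothetical names and addresses) in the
# "name TTL IN TYPE rdata" layout a zone export produces.
SAMPLE_ZONE = """\
example.com.          3600 IN SOA   ns1.example.com. admin.example.com. 2016092601 7200 3600 1209600 86400
example.com.          3600 IN NS    ns1.example.com.
www.example.com.      3600 IN A     198.51.100.10
mail.example.com.     3600 IN A     198.51.100.25
test-web.example.com.  300 IN A     10.10.10.2
backup01.example.com.  300 IN A     192.168.0.50
intranet.example.com.  300 IN CNAME backup01.example.com.
"""

# RFC 1918 ranges: a public zone record pointing here leaks internal layout.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Words in a host label that advertise non-production or sensitive roles (assumed list).
RISKY_WORDS = {"test", "dev", "staging", "backup", "bak", "old", "intranet", "vpn", "admin"}
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+)$")

def parse_zone(text):
    """Return (owner name, record type, rdata) per record line; skips blanks and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1).rstrip(".").lower(), m.group(2), m.group(3).strip()))
    return records

def is_rfc1918(rdata):
    """True if rdata parses as an IPv4 address inside one of the private ranges."""
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)

def audit_zone(text):
    """Flag records a public zone should not expose: private addresses and telling hostnames."""
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA") and is_rfc1918(rdata):
            findings.append((name, "private address exposed: " + rdata))
        label_words = set(re.findall(r"[a-z]+", name.split(".")[0]))
        if label_words & RISKY_WORDS:
            findings.append((name, "hostname suggests a non-production or sensitive system"))
    return findings

if __name__ == "__main__":
    for name, why in audit_zone(SAMPLE_ZONE):
        print(f"{name}: {why}")
```

Run the same audit over your own zone export before it goes public; every finding is a record to remove from the external view or a reason to restrict transfers to secondaries only.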

There are a lot of useful network query tools we can use to gain information as well, including the host command:

Code:
host -l Example.com
Or
Code:
host -l -v -t any Example.com

Also, check out the dig command on Linux, which is another very useful tool.
Some other good tools can be downloaded here

Traceroute is a useful tool which we can use to map out networks. On Linux this is the traceroute command, and on Windows it is the tracert command. By running this command against an IP address or domain name, we can see what route our packets take to reach a server. We can use the -p and -s switches to set a specific port to use, in case only certain ports are allowed through a firewall. Port 53 is the DNS lookup port, so it is generally allowed through:

Code:
traceroute -S -p53 10.10.10.2
