2 - Footprinting & Recon
Module 02 - Footprinting and Reconnaissance
Perform Footprinting through Search Engines
Perform Footprinting through Web Services
Find the Company's Domains and Sub-domains using Netcraft
Go to https://www.netcraft.com and enter the company's domain.
After that you can use a people search service such as https://www.peekyou.com to find people from the target organization.
In addition there are well-known tools such as:
theHarvester: this tool gathers emails, subdomains, hosts, employee names, open ports and banners from different public sources (e.g. search engines, PGP key servers, the SHODAN computer database, Google, Bing, etc.) and extracts valuable information about the target domain.
theHarvester -d microsoft.com -l 200 -b baidu
# -d domain or company name, -l number of results, -b data source
Gather personal information from various social networking sites using Sherlock
Sherlock, a powerful command line tool provided by Sherlock Project, can be used to find usernames across many social networks.
python3 sherlock.py Mario Rossi
Perform Website Footprinting
Gather info about target website using Ping command line utility
Ping
ping <Target_IP> -f -l 1500 # Windows ping: -f sets the Do Not Fragment bit, -l sets the payload (buffer) size in bytes
# -i sets the TTL of the echo request, -n the number of echo requests to send
Analyzing the output: if packets are lost, reduce the -l value step by step until 100% of the packets are answered.
ping <Target_IP> -f -l 1472
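Why 1472 is the value that works on a plain 1500-byte Ethernet path: -l sets only the ICMP payload, and the IPv4 header (20 bytes) plus the ICMP echo header (8 bytes) add 28 bytes, so 1500 - 28 = 1472. The script below is an added example, not code from the course or from any tool mentioned on this page; it turns the manual "reduce -l until no loss" step into a binary search over payload sizes. The Windows probe helper (and its assumption that a successful reply line contains "bytes=") is not exercised offline; the stand-alone run uses a simulated probe with a constructed 1500-byte path MTU.

```python
import subprocess
import sys
from typing import Callable

# IPv4 header (20 bytes) + ICMP echo header (8 bytes). The payload given to
# "ping -l" rides on top of these, so payload = path MTU - 28.
IP_ICMP_OVERHEAD = 28


def windows_ping_probe(target: str, payload: int) -> bool:
    """Send one echo request with DF set and the given payload (Windows ping flags).

    Assumption: a successful reply line contains "bytes=", while a DF failure
    prints "needs to be fragmented" and a timeout prints "Request timed out".
    """
    result = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(payload), target],
        capture_output=True, text=True,
    )
    return "bytes=" in result.stdout


def find_max_unfragmented_payload(probe: Callable[[int], bool],
                                  low: int = 0, high: int = 1500) -> int:
    """Largest payload for which probe() succeeds, found by binary search.

    The notes decrease -l step by step; binary search over [low, high] reaches
    the same answer in about log2(high - low) probes instead of one per byte.
    Assumes probe(size) is monotonic: once a size fragments, every larger one does.
    """
    if not probe(low):
        raise ValueError(f"even a {low}-byte payload gets no reply")
    while low < high:
        mid = (low + high + 1) // 2   # round up so the loop always makes progress
        if probe(mid):
            low = mid                 # fits: the answer is mid or larger
        else:
            high = mid - 1            # fragmented: the answer is below mid
    return low


def path_mtu_from_payload(payload: int) -> int:
    """Convert the largest working -l value back into the path MTU."""
    return payload + IP_ICMP_OVERHEAD


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Stand-in for the network: a packet fits iff payload + headers <= path MTU."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:
        probe = lambda size: windows_ping_probe(sys.argv[1], size)
    else:
        probe = simulated_probe(1500)   # constructed: a plain 1500-byte Ethernet path
    best = find_max_unfragmented_payload(probe)
    print(f"max payload {best} bytes -> path MTU {path_mtu_from_payload(best)}")
```

Run with no arguments to see the simulated result (1472 -> 1500); a VPN or PPPoE link in the path shows up as a smaller answer, which is the kind of thing this probing actually reveals.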
Gather info about website using Photon
Photon is a Python script used to crawl a given target URL to obtain information such as URLs, emails, social media accounts, files, secret keys and subdomains. The extracted info can further be exported in JSON format.
python3 photon.py -u <http://Target_IP>
# -u specifies the target website, -l the crawl depth (level), -t the number of threads
# --wayback specifies using URLs from archive.org as seeds
python3 photon.py -u <http://Target_IP> -l 3 -t 200 --wayback
Gather info about a target website using Central Ops
CentralOps is a free online network scanner that investigates domains and IP addresses: DNS records, traceroute, nslookup, whois searches, etc.
Mirroring website using HTTrack Web Site Copier
It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online.
In the Scan Rules tab we can add custom file formats to include in the download.
After the download completes, press Browse Mirrored Website to view the local copy of the site.
Perform Email Footprinting
Gather info about a target by tracing emails using eMailTrackerPro
https://emailtrackerpro.software.informer.com/download/
https://www.youtube.com/watch?v=5Y7rJ_iBaGE
Other Email Tracking Tools
Infoga
Mailtrack
Perform Whois Footprinting
DomainTools
The DomainTools website lets you perform a Whois lookup on a website's domain.
Other Tools
SmartWhois
Batch IP Converter
Perform DNS Footprinting
Gather DNS info using the nslookup command line utility and online tool
Nslookup is a network administration command-line utility, generally used for querying the DNS to obtain a domain name to IP address mapping or any other specific DNS record. It is available both as a command-line utility and as a web app.
With nslookup we can query for the IP address of a given domain by setting type=a, and we can perform a CNAME lookup directly against the domain's authoritative name server to list the CNAME records for the domain.
nslookup
set type=a # Configure nslookup to query for the IP address of the domain
<Target_Domain>
set type=cname # List the CNAME records for a domain
<Target_Domain>
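The A, CNAME and reverse lookups above are easier to compare over time (for example, to spot a new alias or an address that changed) when the nslookup output is turned into records. The parser below is an added example, not part of the course or of nslookup itself; it reads the Windows nslookup output format and follows a CNAME chain with loop and length protection. The three samples are constructed, using documentation addresses (192.0.2.0/24, 2001:db8::/32), not captures from a real resolver.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples of Windows nslookup output for "set type=a",
# "set type=cname" and a reverse lookup of an IP address.
SAMPLE_A = """\
Server:  resolver.example.net
Address:  10.0.0.53

Non-authoritative answer:
Name:    www.example.com
Addresses:  2001:db8::10
          192.0.2.10
          192.0.2.11
"""

SAMPLE_CNAME = """\
Server:  resolver.example.net
Address:  10.0.0.53

Non-authoritative answer:
www.example.com canonical name = web.example.com
web.example.com canonical name = lb.example.net
"""

SAMPLE_PTR = """\
Server:  resolver.example.net
Address:  10.0.0.53

Name:    mail.example.com
Address:  192.0.2.25
"""

ADDR_RE = re.compile(r"^[0-9a-fA-F:.]+$")   # IPv4 or IPv6 literal on its own line


def parse_nslookup(output: str) -> Dict[str, object]:
    """Split one nslookup session's output into resolver info and answer records.

    The first Server:/Address: pair describes the resolver, not the answer, so
    record collection only starts after the first blank line.
    """
    info = {"resolver": [], "name": None, "addresses": [], "cnames": []}
    in_answer = False
    more_addresses = False      # continuation lines after "Addresses:"
    for raw in output.splitlines():
        line = raw.strip()
        if not in_answer:
            if line == "":
                in_answer = True
            elif line.startswith(("Server:", "Address:")):
                info["resolver"].append(line.split(":", 1)[1].strip())
            continue
        if line.startswith("Name:"):
            info["name"] = line.split(":", 1)[1].strip()
            more_addresses = False
        elif line.startswith(("Address:", "Addresses:")):
            more_addresses = line.startswith("Addresses:")
            info["addresses"].append(line.split(":", 1)[1].strip())
        elif " canonical name = " in line:
            alias, target = line.split(" canonical name = ", 1)
            info["cnames"].append((alias, target.rstrip(".")))
        elif more_addresses and ADDR_RE.match(line):
            info["addresses"].append(line)
        else:
            more_addresses = False
    return info


def cname_chain(cnames: List[Tuple[str, str]], start: str, limit: int = 8) -> List[str]:
    """Follow alias -> target links from start.

    Stops on a loop, a missing link, or after `limit` hops, so a misconfigured
    zone (an alias pointing back at itself) cannot make the caller spin forever.
    """
    links = dict(cnames)
    chain = [start]
    while chain[-1] in links and len(chain) <= limit:
        nxt = links[chain[-1]]
        chain.append(nxt)
        if chain.count(nxt) > 1:   # loop detected
            break
    return chain


if __name__ == "__main__":
    a = parse_nslookup(SAMPLE_A)
    print(a["name"], "->", a["addresses"])
    c = parse_nslookup(SAMPLE_CNAME)
    print(" -> ".join(cname_chain(c["cnames"], "www.example.com")))
    print(parse_nslookup(SAMPLE_PTR)["name"])
```

The chain for www.example.com ends at lb.example.net, a name outside the organisation's own zone; that is exactly the kind of dependency on a third-party host that a periodic run of this parser over saved nslookup output makes visible.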
Perform reverse DNS lookup using Reverse IP domain check and DNSRecon
DNS Lookup is used for finding the IP addresses for a given domain name, and the reverse DNS operation is performed to obtain the domain name of a given IP address.
Using Reverse IP Domain Check tool we can find the other domains/sites that share the same web server as our target server.
Perform Network Footprinting
Locate the network range
Network range info assists in creating a map of the target network.
We can use the ARIN Whois database search tool to do it.
Perform network tracerouting in Windows and Linux machines
Tracert
Traces the route that packets take to the target domain, listing the intermediate hops.
tracert <Target_IP>
tracert -h 5 <Target_IP> # -h maximum number of hops allowed
SolarWinds also offers an online traceroute tool.
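When tracert output is saved for comparison (a baseline route versus today's route), it helps to parse it into hops and flag the ones that never answered, since a "Request timed out." hop is usually a router that does not send ICMP Time Exceeded or a filtering device in the path. The parser below is an added example, not part of the course or of tracert; it reads the Windows tracert output format, honours the "over a maximum of N hops" line that the -h option controls, and records "<1 ms" as 1 ms. The sample output is constructed with documentation IP ranges, not a capture from a real network.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Windows tracert output (documentation IP ranges).
SAMPLE_TRACERT = """\
Tracing route to www.example.com [192.0.2.80]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.10.0.1
  3     *        *        *     Request timed out.
  4    25 ms    24 ms    26 ms  border.example.net [198.51.100.1]
  5    27 ms    26 ms    27 ms  www.example.com [192.0.2.80]

Trace complete.
"""

PROBE = r"(<?\d+ ms|\*)"      # one of the three per-hop probes: "12 ms", "<1 ms" or "*"
HOP_RE = re.compile(rf"^\s*(\d+)\s+{PROBE}\s+{PROBE}\s+{PROBE}\s+(.+?)\s*$")
MAX_HOPS_RE = re.compile(r"over a maximum of (\d+) hops")


@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]   # milliseconds per probe; None means no reply (*)
    host: str                   # hostname/IP, or "Request timed out."


def parse_probe(token: str) -> Optional[int]:
    """'12 ms' -> 12, '<1 ms' -> 1 (sub-millisecond), '*' -> None."""
    if token == "*":
        return None
    return int(token.replace("<", "").split()[0])


def parse_tracert(output: str) -> List[Hop]:
    """Return one Hop per numbered line; header and footer lines are skipped."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)),
                            [parse_probe(m.group(i)) for i in (2, 3, 4)],
                            m.group(5)))
    return hops


def max_hops(output: str) -> Optional[int]:
    """The hop limit tracert used (default 30, or the value given with -h)."""
    m = MAX_HOPS_RE.search(output)
    return int(m.group(1)) if m else None


def silent_hops(hops: List[Hop]) -> List[int]:
    """Hop numbers where none of the three probes was answered."""
    return [h.number for h in hops if all(r is None for r in h.rtts)]


def reached(hops: List[Hop], target_ip: str) -> bool:
    """True when the last hop printed is the target itself."""
    return bool(hops) and target_ip in hops[-1].host


if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACERT)
    print(f"{len(hops)} hops (limit {max_hops(SAMPLE_TRACERT)}), "
          f"silent: {silent_hops(hops)}, reached: {reached(hops, '192.0.2.80')}")
```

With tracert -h 5 the "over a maximum of 5 hops" header changes accordingly, and a trace that stops before the target shows up as reached() returning False rather than being mistaken for a complete route.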
Perform advanced network route tracing using Path Analyzer Pro
Path Analyzer Pro performs network route tracing with performance test, DNS, Whois and network resolution to investigate network issues.
Network route tracing can determine the intermediate nodes traversed towards the destination and can detect the complete route (path) from source to destination.
Set Protocol -> ICMP
Target -> <Target_IP>
Port -> 65535
Time to trace -> 3 min
Stop the trace or wait for it to finish, then review the Report, Synopsis, Log, Stats and the other outputs.
If we want, there is an option to export the results in .csv file format.
Perform Footprinting using Various Footprinting Tools
Footprinting a target using Recon-ng
Recon-ng is a web reconnaissance framework with independent modules and database interaction that provides an environment in which open-source web-based reconnaissance can be conducted.
marketplace install all -> install all modules
modules search -> displays all modules
workspaces create -> create a new workspace
workspaces list -> list your available workspaces
db insert domains -> add a domain to the database to search
modules load brute -> view all modules related to brute forcing
Footprinting a target using Maltego
Maltego is a footprinting tool used to gather as much information as possible for the purposes of ethical hacking, computer forensics and pentesting. It provides a library of transforms to discover data from open sources and visualizes it in a graph format.
Footprinting a target using OSINT Framework
OSINT Framework is an open-source intelligence gathering framework that helps security professionals perform automated footprinting and reconnaissance, OSINT research and intelligence gathering.