Footprinting (Whiteboard)

Take a deeper dive into the process of footprinting with this lecture video. Footprinting is the blueprinting of the security profile of an organization. It is designed to profile an organization with respect to its networks.

Transcript

I want to discuss some of the theory that goes into footprinting before we get into the tools. Before we start getting lost in all of the interfaces and tools, let us zoom out and look at the background around what actually happens in footprinting. So ultimately we are going to have a target; it could be a company, it could be a person, regardless of what that target is. This is also the point at which we consider whether they have firewalls or intrusion detection systems or any sort of preventive mechanisms that would be in place to prevent information from being disclosed to us in the footprinting module. It is disclosure oriented; in other words, we are going to take all of the information that is disclosed to us, and we are going to use that to our advantage. We are going to document anything and everything, because it is not until we get the big picture of things that we start putting that picture together. It is like a puzzle in a sense, but we are going to start one step at a time. So ultimately we are going to target inside the company, or inside of that target. This is where we can use things like finding out their internal DNS scheme; in subtitles we would call that Active Directory, but it could be any directory service: LDAP, NDS, Active Directory, to name a few. Also, is there any sort of private website? If we can get access to those, they are a treasure trove of information, because that is where we find things like employee directories, directory portals and any sort of private company staff information; that is always the holy grail of the type of stuff that we could find. The next attack is dumpster diving; it could be as simple as digging into the trash.
Now this also assumes that we have physical access to our target, and not in every case do we. But if we do have physical access, then we want to go ahead and start enumerating DNS, private websites, dumpster diving, even doing things like shoulder surfing attacks; in many cases you can do a shoulder surfing attack right at the receptionist's front desk. So as soon as you walk into the building, what do you see? What can you learn? We document that stuff as well. And then of course eavesdropping; it could happen just about anywhere. It could be the place where everybody gathers for lunch, it could be inside the office center or corporate center, or any sort of nearby restaurant or location that the facility is going to have access to. But if you notice, there is only a handful of things that we realistically can go after from a footprinting point of view against the target; but if we zoom out and look at what we can do externally, over the network or over the internet, there is a lot more information that we can document and use to our advantage. So some of the basic tools that we use in our toolkit at this point are the telephone: we can have phone numbers disclosed to us, simply call the phone number up and start social engineering; it could be as simple as that. Also the network: what type of networks? Is it backup lines and modems, or is it T1, DSL lines, cable modems, satellites? What can we learn from over the network? Also public websites: what point of presence do they have? How does this information get inside the company? Typically now it is email or messaging of some sort, so we can use that to our advantage. Now I do have a few things prioritized here. The first place that I like to start is with Google, doing a quick whois search, because that tells us the administrative contacts, the basics, the DNS servers and things like that, and we will see those when we actually look at the tools.
So whois information, or how their DNS structure is laid out; there are a couple of really, really good DNS reconnaissance tools that we can use. And then social networks: it seems that everybody has a social presence nowadays, so you can use that to your advantage. Is the social network highly popular, are they being used all the time, or was the last update to the social sites, you know, a year ago? All this needs to be taken into consideration. So Google, whois, DNS or social networks is where I like to start. However, we are going to cover all of this, and we are going to use the phone and the network, the websites and email to our advantage. But the common things that we like to document here are: what are their IP address ranges or network blocks? We always prefer a particular IP address, but there is actually information that can be used from the network block in itself, because if a company is only using one IP address but they have the whole block to themselves, is there something else that we can find, that they are allowing us to find out? We can learn that from the network block in itself. Also the web server content; in the basics here it is HTML, or hypertext: we can learn the directory structures, we can learn programming languages, we can learn if it is Windows, if it is Linux or Apache; we can learn all of that. So source code: analyzing the source code of the website, or whatever source code you can get your hands on, is also extremely valuable to us. In some cases we just like to mirror the whole website to ourselves. The bad part about this attack is that it is extremely active, because you are going out to the website and you are basically duplicating it so that you can analyze it in your home lab or office lab or something like that. Looking at the source code, mirroring the websites, you may be able to determine what operating systems they are running, and of course we would document that through the client and server process.
Also, publicly, we would look at directories or databases. We are going to use search engines, and not just Google. Sometimes Google displays a handful of results, but there are other search engines, and we need to use all of them, because in many cases we are looking for that one tiny piece of information, and if we can use that one tiny piece of information that wasn't in Google, that may lead to a compromise. Also URL analysis: how is the URL laid out, what are they disclosing in the URL versus what are they not disclosing in the URL? We can learn how seriously they take security just by what they allow us, the end user, to see. Also Google Earth: in many cases, if we get addresses from something like whois, I just pop that into a simple Google Earth search and see if I can see the front door of the building. In some cases you can go right to the front door, and in other cases you might only see the business park or across the street or something to that effect. Also people sites, if you can learn about the different employees that work at that organization. You can not only go after them and the relationship of the employee to the actual company, but also you can learn about the people themselves: what are their skill sets, what backgrounds do they have, and things like that. Also, financially, there is lots of information; if it is a public company you can go after a financial analysis, and there is probably going to be some buzz there for a larger company versus a smaller company. Also job sites: they are advertising "we need a Windows NT 4.0 pro migration expert", and chances are that they are going to have some NT 4.0 servers that they need migrated. Also learning websites. Now, it is one thing for us to go find information about our target, but it is another thing altogether to set up an alert at something like Google Alerts or Giga Alert, which is a paid service, and have that information either emailed to us or have that email find us.
So that we don't have to constantly go out and search for it; in some cases I just set up alerts and have the information find me. Also archived websites: there are a handful of places on the internet where you can find cached content, or you could use something where there actually is a copy of maybe some historical content. One of my favorite things to do in class is to actually pull up Microsoft's first home page, or what was the first version of Myspace, or something like that; you can find those on the archive websites. Also there are monitoring websites; if you can just look at some of the monitoring websites and see maybe their operating system version or something like that, we can use that to our advantage. Also, and this is a little bit more of a stretch, but it has resulted in good information in the past: is there any sort of patent or trademark information about your target? What are their customers doing? Nowadays it just happens to be integrated with social networks or something like Twitter. Do they have customer portals or something like that? Or what about press releases, if they are advertising a new product or a new launch of something? And then at the last we will wrap up with Google hacking: Google hacking techniques, using the Google hacking database, or all of the possible Google hacking commands; this can make this whole analysis of footprinting very, very easy. So as you can imagine there is a lot to document here and a lot to report when you are creating your pen testing report, but nonetheless that is the important part. To summarize: you have external resources available to you during a pen test, you have internal resources available to you during a pen test, you sit out here, and the only thing in between you and your target is a handful of tools and techniques. So when you document this stuff appropriately you start putting that puzzle together. Now here is the caveat for most people that are new to the world of pen testing.
They get lost in all of the tools and techniques; if you start from a tool-centric point of view, you will get lost. But let us take a step backwards and look at the big picture. Once you understand that the big picture is realistically putting the pieces of a puzzle together, all of this will become a lot easier for you to understand. Internal versus external, lots of documentation; this is the foundation for what we are going to see in the hands-on approach to penetration testing.
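The lecture's point about web server content (directory structure, programming language, server and operating system banners) can be turned into a self-check of what your own site discloses. This Python example is added here and is not from the lecture or from Cybrary; it assumes you already hold a response's headers and HTML (here a constructed sample for a hypothetical site) and reports what a passive observer would learn from them.

```python
# Added example (not from the lecture): list what one web page discloses to a passive observer.
import re
from html.parser import HTMLParser

# URL extension -> server-side technology it usually implies.
EXT_TECH = {".php": "PHP", ".asp": "Classic ASP", ".aspx": "ASP.NET",
            ".jsp": "Java/JSP", ".cgi": "CGI", ".pl": "Perl", ".py": "Python"}
# Response headers that commonly carry software/version banners.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

class _PageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self.comments = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") or a.get("src") or a.get("action")
        if url and tag in ("a", "link", "script", "img", "form"):
            self.urls.append(url)

    def handle_comment(self, data):
        self.comments.append(data.strip())   # developer comments often leak paths/TODOs

def disclosure_inventory(headers, html):
    """Summarise banners, languages, directories and comments in one HTTP response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    scan = _PageScanner()
    scan.feed(html)
    techs, dirs = set(), set()
    for url in scan.urls:
        path = re.sub(r"[?#].*$", "", url)      # drop query string / fragment
        if "://" in path:                        # external link: not our server
            continue
        ext = re.search(r"(\.[a-z0-9]+)$", path.lower())
        if ext and ext.group(1) in EXT_TECH:
            techs.add(EXT_TECH[ext.group(1)])
        folder = path.rsplit("/", 1)[0]
        if folder.startswith("/"):               # only site-absolute paths
            dirs.add(folder + "/")
    return {"banners": {h: hdrs[h] for h in BANNER_HEADERS if h in hdrs},
            "languages": sorted(techs), "directories": sorted(dirs),
            "comments": scan.comments}

# Constructed sample response for a hypothetical site (not real data).
SAMPLE_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"}
SAMPLE_HTML = ("<html><head><!-- TODO: remove /staff/ portal link before launch -->"
               "<link href='/wp-content/themes/main/style.css' rel='stylesheet'></head>"
               "<body><a href='/staff/login.php?next=/'>Staff</a>"
               "<a href='/cgi-bin/search.cgi'>Search</a>"
               "<a href='https://twitter.com/example'>Twitter</a></body></html>")
```

Every item in the returned dict is something the lecture says a footprinter will document, so an empty inventory on your own pages is the goal; `disclosure_inventory(SAMPLE_HEADERS, SAMPLE_HTML)` shows the opposite case.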