
Reconnaissance & Footprinting in Cybersecurity

@mmar
Reconnaissance is the preparatory phase where an attacker gathers as much information as possible about the target prior to launching the attack.

Reconnaissance is the process of gathering personal or sensitive information about the target by an attacker to gain unauthorized access to the victim's computer.
Types

Reconnaissance by definition is not illegal, and many reconnaissance techniques are completely legal.

Legal Reconnaissance
• Looking up all the information about a company available on the internet, including published phone numbers, address, etc.
• Interviewing a member of the staff for a school project

Illegal Reconnaissance
• Developing a "front" company and acting as a representative of that company, specifically for the purpose of robbing or defrauding that target company

Questionable Reconnaissance
• Scanning a document lying on a desk might be legal in some cases
• Dumpster diving might not be illegal in some cases
• In much of the world, performing a port scan is legal
Reconnaissance is further subdivided into three phases, given as follows:
• Step 1: Footprinting (passive / OSINT)
• Step 2: Scanning
• Step 3: Enumeration
FOOTPRINTING

FOOTPRINTING through Search Engines
Google Dorks
• Google hacking / dorking utilizes Google's advanced search engine features, which allow you to pick out custom content. You can, for instance, pick out results from a certain domain name using the site filter.

Filter     Example               Description
site       site:tryhackme.com    returns results only from the specified website address
inurl      inurl:admin           returns results that have the specified word in the URL
filetype   filetype:pdf          returns results which have a particular file extension
intitle    intitle:admin         returns results that contain the specified word in the title
Google Dorks
 inurl:indianairforce.nic.in intext:confidential|sensitive
• The Google Hacking Database (GHDB) is an index of search queries (we call them dorks) used to find publicly available information, intended for pentesters and security researchers.
https://www.exploit-db.com/google-hacking-database
Google Advanced Search
• Google Advanced Search is a set of specialized search features and filters that allow users to refine their search queries to find more precise and specific results. It offers a range of tools beyond the basic search bar, enabling users to tailor their searches based on various criteria:
• Site or domain
• File type
• Date range
• Language
• Region
• Usage rights
https://www.google.com/advanced_search
Other Search Engines

Search Engine   URL                        Remarks
Bing            https://www.bing.com/
Yandex          https://yandex.com/        Russian
Baidu           https://www.baidu.com/     Chinese
DuckDuckGo      https://duckduckgo.com/    Privacy-preserving search engine
Image Metadata (ExifTool)
• Metadata is essentially data about data. In the context of images and multimedia files, metadata can include information like the date and time the photo was taken, camera settings, GPS location data, copyright information, and more. ExifTool allows you to view, edit, and manipulate this metadata, making it a useful tool for photographers, archivists, and anyone who needs to manage or modify metadata in their files.
https://github.com/exiftool/exiftool (Kali Linux)
http://exif.regex.info/down.html
https://jimpl.com/
https://exifdata.com/
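An added example, not from these slides, of the kind of check ExifTool performs when it reads GPS tags: a minimal parser for the GPS IFD of an Exif/TIFF blob, usable in a publishing pipeline to refuse images that still carry a location. The blob is constructed by `build_exif` so the code runs offline; the offsets and the sample coordinates are this example's own.

```python
import struct

GPS_INFO_TAG = 0x8825       # IFD0 entry that points at the GPS IFD
NEGATIVE_REFS = {"S", "W"}  # hemisphere refs that make a coordinate negative

def _read_ifd(data, off, e):
    """Return {tag: value} for the IFD at `off` (e = '<' or '>' byte order).
    Only the field types GPS tags use are decoded: ASCII, LONG, RATIONAL."""
    (n,) = struct.unpack_from(e + "H", data, off)
    entries = {}
    for i in range(n):
        tag, typ, cnt, raw = struct.unpack_from(e + "HHI4s", data, off + 2 + 12 * i)
        if typ == 2:                 # ASCII short enough to sit in the 4-byte value field
            entries[tag] = raw[:cnt].rstrip(b"\0").decode()
        elif typ == 4:               # LONG stored inline
            entries[tag] = struct.unpack(e + "I", raw)[0]
        elif typ == 5:               # RATIONAL: value field is an offset to cnt (num, den) pairs
            p = struct.unpack(e + "I", raw)[0]
            entries[tag] = [struct.unpack_from(e + "II", data, p + 8 * k) for k in range(cnt)]
    return entries

def extract_gps(tiff):
    """Return (lat, lon) in decimal degrees, or None when no GPS IFD is present."""
    e = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack_from(e + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, ifd0_off, e)
    if GPS_INFO_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, ifd0[GPS_INFO_TAG], e)   # tags 1-4: LatRef, Lat, LonRef, Lon
    def to_deg(dms, ref):
        d, m, s = (num / den for num, den in dms)
        val = d + m / 60 + s / 3600
        return -val if ref in NEGATIVE_REFS else val
    return to_deg(gps[2], gps[1]), to_deg(gps[4], gps[3])

def build_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample input: little-endian TIFF whose IFD0 holds only a GPS pointer.
    Offsets: header 0-8, IFD0 8-26, GPS IFD 26-80, latitude 80-104, longitude 104-128."""
    e = "<"
    ifd0 = struct.pack(e + "HHHII", 1, GPS_INFO_TAG, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI4s", 1, 2, 2, lat_ref.encode() + b"\0\0\0")
    gps += struct.pack(e + "HHII", 2, 5, 3, 80)
    gps += struct.pack(e + "HHI4s", 3, 2, 2, lon_ref.encode() + b"\0\0\0")
    gps += struct.pack(e + "HHII", 4, 5, 3, 104)
    gps += struct.pack(e + "I", 0)
    rats = b"".join(struct.pack(e + "II", n, d) for n, d in lat_dms + lon_dms)
    return b"II*\0" + struct.pack(e + "I", 8) + ifd0 + gps + rats
```

In a real JPEG this TIFF structure follows the `Exif\0\0` marker of the APP1 segment; a non-None result means the file should be stripped before it is published.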
Reverse Image Search
Using search engines, you can quickly discover visually similar photos from around the web using reverse image searching technology, which relies on content-based image retrieval (CBIR) query techniques. By uploading a photograph from your device or entering the URL of an image, you can ask a search engine to locate and show you related images used on other websites: either images that are exactly the same, or the same at a different size, or those that contain similar-looking items or people. You may be able to identify where an image was taken by recognizing a statue or building in the background that the search engine can identify. Similarly, search engines may be able to locate other images of your subject, or logos on sites that identify them.
Reverse Image Search Engines

Name                   URL                                  Works well for
Bing Visual Search     https://www.bing.com/visualsearch    Flipped and altered images, and faces
Yandex Visual Search   https://yandex.com/images/           Faces, buildings, and locations
Google Images Search   https://www.google.com/imghp
Tineye                 https://tineye.com/                  Logos and alternate-sized versions of the same image
PimEyes                https://pimeyes.com/en               Faces
IoT Search Engines
• Shodan: Shodan is often referred to as the "search engine for hackers" because it allows users to search for internet-connected devices and systems based on various criteria such as IP address, ports, banners, and more. It is commonly used for security research, and it can be used to find vulnerable devices, industrial control systems, webcams, and other internet-connected resources.
• Censys: Censys is another search engine that focuses on internet-wide scanning and indexing. It provides a searchable database of information about hosts and networks on the internet. Censys is often used for security research, asset discovery, and monitoring internet-wide trends.
Shodan
• Enumerating devices on Shodan (search queries):
• port:1833 (default MQTT port)
• port:502 (Modbus-enabled ICS/SCADA systems)
• SCADA country:"US" (search for SCADA systems using geolocation)
• "Schneider Electric" (search for SCADA systems using the PLC name)
• upnp httpd (search for devices with UPnP functionality that also have an exposed web server)
• "Server: gSOAP/2.8" "Content-Length: 583" (find electric vehicle chargers)
https://securitytrails.com/blog/top-shodan-dorks
Shodan
Based on Shodan's results, we know exactly which version of OpenSSH is running on each server. If we click on an IP address, we can retrieve a summary of the host.
FOOTPRINTING through Social Media
Leaked Credentials
FOOTPRINTING Open Source Code

Open Source Code
• Code stored online can provide a glimpse into the programming languages and frameworks used by an organization. On a few rare occasions, developers have even accidentally committed sensitive data and credentials to public repos (GitHub, GitHub Gist, GitLab, SourceForge).
• This manual searching approach will work best on small repos. For larger repos, we can use several tools to help automate some of the searching, such as Gitrob and Gitleaks. Most of these tools require an access token to use the source code-hosting provider's API.
• GitHub's search, for example, is very flexible. We can use GitHub to search a user's or organization's repos; however, we need an account if we want to search across all public repos.
• The following screenshot shows an example of Gitleaks finding an AWS access key ID in a file.
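An added example, not from the slides and not Gitleaks' own code, of the rule-based scanning such tools perform, written as the check a pre-commit hook would run before code reaches a public repo. The AWS access key ID format (AKIA/ASIA plus 16 upper-case alphanumerics) is documented by AWS; the other two rules and the sample credentials file are this example's own assumptions.

```python
import re

# Detection rules. The AWS access key ID pattern follows AWS's documented format;
# the generic-assignment and private-key rules are assumptions modelled on the
# kind of rule secret scanners ship, not copied from Gitleaks.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "generic-secret-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_text(text, source="<input>"):
    """Return (rule, source, line_no, matched_text) for every hit.
    A pre-commit hook can refuse the commit when this list is non-empty."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                hits.append((rule, source, line_no, m.group(0)))
    return hits

def scan_files(paths):
    """Scan several files, skipping binaries and unreadable paths."""
    hits = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                hits.extend(scan_text(fh.read(), path))
        except (UnicodeDecodeError, OSError):
            continue
    return hits

# Constructed sample file contents, resembling a credentials file committed by
# mistake. AKIAIOSFODNN7EXAMPLE is the placeholder key AWS uses in its docs.
SAMPLE_CONFIG = """\
# aws credentials for the staging deploy job
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
region = us-east-1
DB_PASSWORD = "hunter2hunter2"
"""
```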
FOOTPRINTING Web Services
FOOTPRINTING Websites

AIM
• Find directories and pages of a website
• Find subdomains
• Find the technology stack used to build the site
Website Monitoring Tools
Finding Technology Stack
• Wappalyzer (https://www.wappalyzer.com/) is an online tool and browser extension that helps identify what technologies a website uses, such as frameworks, Content Management Systems (CMS), payment processors and much more, and it can even find version numbers as well. BuiltWith is another online tool that provides the same functionality.
• WhatWeb is a command line utility that provides the same information on the CLI.
Security Headers and SSL/TLS
• Security Headers (https://securityheaders.com/) will analyze HTTP response headers and provide a basic analysis of the target site's security posture. We can use this to get an idea of an organization's coding and security practices based on the results.
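An added example, not from the slides and not the Security Headers service's own logic, of the same kind of header analysis run locally: it flags missing hardening headers, weak values, and headers that hand a footprinter the technology stack. The two header sets are constructed, one as a leaky site might send them and one after hardening.

```python
import re

# Headers a hardened site is expected to send (compared case-insensitively).
EXPECTED = ("strict-transport-security", "content-security-policy",
            "x-content-type-options", "x-frame-options", "referrer-policy")
# Headers that hand a footprinter the technology stack and version numbers.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
ONE_YEAR = 31536000

def audit_headers(headers):
    """Return a list of findings ('missing:', 'weak:', 'disclosure:') for one
    HTTP response's headers, given as a {name: value} mapping."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing: {name}" for name in EXPECTED if name not in h]
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        findings.append("weak: strict-transport-security max-age below one year")
    if h.get("x-content-type-options", "nosniff").strip().lower() != "nosniff":
        findings.append("weak: x-content-type-options is not 'nosniff'")
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("weak: content-security-policy allows unsafe-inline or unsafe-eval")
    for name in DISCLOSING:
        # Heuristic: a digit in the value usually means a version number is exposed.
        if name in h and re.search(r"\d", h[name]):
            findings.append(f"disclosure: {name}: {h[name]}")
    return findings

# Constructed sample responses: what a leaky site might send, and the same
# site after hardening.
LEAKY = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```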
• Another scanning tool we can use is the SSL Server Test from Qualys SSL Labs (https://www.ssllabs.com/ssltest/). This tool analyzes a server's SSL/TLS configuration and compares it against current best practices. It will also identify some SSL/TLS-related vulnerabilities, such as POODLE or Heartbleed.
Finding Subdomains
site:microsoft.com -inurl:www
https://app.pentest-tools.com/
Wayback Machine
• The Wayback Machine is a historical archive of websites that dates back to the late 90s. You can search a domain name, and it will show you all the times the service scraped the web page and saved the contents. This service can help uncover old pages that may still be active on the current website.
https://archive.org/web/
FOOTPRINTING Emails
https://phonebook.cz/
FOOTPRINTING WHOIS INFORMATION

FOOTPRINTING DNS INFORMATION
Record Types
AXFR    Zone transfer. Includes all records about a domain.

Dig
Most common DNS enumeration tool; the DNS enumeration Swiss army knife.
• Dig can be used for a simple domain lookup:
>dig zonetransfer.me
• We can also specify the type of record with the dig command:
>dig ns zonetransfer.me       (name server)
>dig mx zonetransfer.me       (mail server)
>dig cname zonetransfer.me    (CNAME record)
Host
Simplest DNS enumeration tool
• Host provides a simple way to perform DNS lookups and retrieve DNS records:
>host zonetransfer.me
• We can use the host tool to look up a specific record:
>host -t ns zonetransfer.me    (name server)
>host -t mx zonetransfer.me    (mail server)
• Host can be used to map an IP address to the website with a reverse lookup:
>host 192.168.2.2
nslookup
(A cross-platform tool for DNS enumeration)
• We can use nslookup on Windows to enumerate DNS records:
>nslookup zonetransfer.me
• We can specify a specific record type and use the tool in an interactive manner:
>nslookup
>set type=ns
>zonetransfer.me
Zone Transfer
Zone transfer is a mechanism in DNS for sharing and synchronizing DNS database information between servers. Pentesters and hackers can leverage zone transfer to gather intelligence about a target's DNS infrastructure. Zone transfers provide a comprehensive list of DNS records, including subdomains, IP addresses, and mail servers.

CONCEPT
1. Identify the name server
2. Initiate zone transfer
Zone transfer
• The host tool can be used to initiate a zone transfer. First look for the name server and then check if it supports zone transfer. Try all listed name servers for best results.
>host -t ns zonetransfer.me
>host -l zonetransfer.me nsztm2.digi.ninja
• Dig can also be used to initiate a zone transfer:
>dig ns zonetransfer.me
>dig axfr zonetransfer.me @nsztm2.digi.ninja
• Similarly, nslookup can also be used to perform a zone transfer:
>nslookup
>set type=ns
>zonetransfer.me
>server nsztm2.digi.ninja
>set type=any
>ls -d zonetransfer.me
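An added example, not from the slides, of turning a zone dump into the list the Zone Transfer concept describes (subdomains, addresses, mail servers), with RFC 1918 addresses reported separately because a zone that leaks them reveals internal addressing. The dump is constructed in the format `dig axfr` prints, with made-up names and addresses under example.test.

```python
import ipaddress

# RFC 1918 ranges: an A record pointing here exposes internal addressing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_axfr(text, zone):
    """Summarise a zone dump in `dig axfr` format: subdomains, external and
    internal IPv4 addresses, mail hosts and CNAME aliases."""
    zone = zone.rstrip(".")
    hosts, external, internal, mail, aliases = set(), set(), set(), set(), {}
    for line in text.splitlines():
        parts = line.split()
        # dig prefixes comments with ';' and prints records as: name TTL class type rdata...
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        name, rtype, rdata = parts[0].rstrip("."), parts[3], parts[4:]
        if rtype in ("SOA", "NS"):        # zone apex bookkeeping, not new hosts
            continue
        hosts.add(name)
        if rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            (internal if any(ip in n for n in RFC1918) else external).add(str(ip))
        elif rtype == "MX":               # rdata is "preference host."
            mail.add(rdata[1].rstrip("."))
        elif rtype == "CNAME":
            aliases[name] = rdata[0].rstrip(".")
    return {
        "subdomains": sorted(h for h in hosts if h != zone),
        "external_ips": sorted(external), "internal_ips": sorted(internal),
        "mail_servers": sorted(mail), "aliases": aliases,
    }

# Constructed sample in the format `dig axfr <zone> @<ns>` prints; names and IPs are made up.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr example.test @ns1.example.test
example.test.           7200  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 172800 900 1209600 3600
example.test.           7200  IN  NS     ns1.example.test.
example.test.           300   IN  MX     10 mail.example.test.
ns1.example.test.       7200  IN  A      198.51.100.53
mail.example.test.      300   IN  A      198.51.100.25
vpn.example.test.       300   IN  A      198.51.100.40
intranet.example.test.  300   IN  A      10.0.5.12
dev.example.test.       300   IN  CNAME  vpn.example.test.
example.test.           7200  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 172800 900 1209600 3600
"""
```

Run against your own zone, a non-empty `internal_ips` list is the record set to remove or move to a split-horizon view before restricting AXFR to secondaries.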
Automated tools

DNS Recon
• DNSRecon is designed to automate and streamline the process of querying DNS servers, retrieving DNS records, and conducting various types of DNS-related scans.
>dnsrecon -d zonetransfer.me -t axfr
• To perform our brute force attempt, we will use the -d option to specify a domain name, -D to specify a file name containing potential subdomain strings, and -t to specify the type of enumeration to perform, in this case brt for brute force.

DNS Enum
• DNSenum is another automated tool that collects all possible information about the target.
>dnsenum zonetransfer.me

Fierce
• Fierce is another tool for DNS enumeration.
>fierce --domain zonetransfer.me

Historical DNS Records
https://securitytrails.com/
FOOTPRINTING Network

FOOTPRINTING Social Engineering
OSINT Cheat Sheet

FOOTPRINTING
• Identify Target
  - Identify IP
  - Identify ASN (https://ipinfo.io/)
  - Identify servers if possible
• Network and Website Information
  - Network topology
  - DNS, subdomains, whois, web technologies
• Gather Org Information
  - Gather employees' emails, phone nos (theHarvester) (hunter.io), LinkedIn
  - Gather documents (google dorks): army secret site:*.gov.in filetype:pdf
  - Identify admins (whois): https://lookup.icann.org/en/lookup
  - Gather passwords: Have I Been Pwned, BreachDirectory

Scanning & Enumeration

THANKS