Footprinting and Reconnaissance
This article covers the basics of footprinting and reconnaissance
- Types of Footprinting
- Objectives of Footprinting
- How and Where to Collect Information
- Footprinting Countermeasures
- Footprinting Reports
Footprinting refers to the process of gathering information about a target system. It is the first step of an attack in which the attacker tries to learn as much as possible about the target to find a way to break into the system.
Types of Footprinting
There are two types of footprinting:
- Passive footprinting
- Active footprinting
Passive footprinting means collecting information without interacting with the target directly. This type of footprinting is used when information gathering must not be detected by the target.
Active footprinting means collecting information by interacting with the target directly. With this type of footprinting there is a chance that the target becomes aware of the information gathering.
Attackers use footprinting to collect the following information:
- Network information
- IP addresses
- Whois and DNS records
- System information
- Web server operating systems
- Server locations
- Organization information
- Employee information
- Organization’s background
- Phone numbers
Objectives of Footprinting
The objectives of footprinting are to:
Learn security posture Analyze the security posture of the target, find loopholes, and create an attack plan.
Identify focus area Using different tools and techniques, narrow down the range of IP addresses.
Find vulnerabilities Use the collected information to identify weaknesses in the target’s security.
Map the network Graphically represent the target’s network and use it as a guide during the attack.
How and Where to Collect Information
There are plenty of tools and online resources that we can use to collect information about our target.
Search Engine and Online Resources
Search engines can be used to extract information about the target organization. Search results can include information about the target organization’s employees, intranet, login pages, and other information that could be useful to attackers.
One way of gathering information using search engines is by utilizing google hacking techniques.
Google hacking is a technique which attackers use to perform a complex search and extract important information about their targets. It involves using a set of search operators and building complex queries. The operators that are used in Google hacking are called dorks.
Whois, IP Geolocation, and DNS Interrogation
Whois refers to a query and response protocol which is used for retrieving information about assigned Internet resources.
Whois databases contain domain owners’ personal information and are maintained by the Regional Internet Registries.
There are two type of data models that exist:
- Thick whois
- Thin whois
Thick whois contains all information from all registrars for the specified set of data. Thin whois contains limited information about the specified set of data.
Whois query results typically include:
- Domain details
- Domain owner details
- Domain server
- Net range
- Domain expiration
- Creation and last update dates
Regional Internet Registries, which maintain the whois databases, include:
- ARIN (American Registry for Internet Numbers)
- AFRINIC (African Network Information Center)
- APNIC (Asia Pacific Network Information Center)
- RIPE (Reseaux IP Europeens Network Coordination Centre)
- LACNIC (Latin American and Caribbean Network Information Center)
IP geolocation helps find location information about a target such as country, city, postal code, ISP, and so on. With this information, hackers are able to perform social engineering attacks on the target.
DNS footprinting refers to collecting information about DNS zone data, which includes information about key hosts in the network.
DNS interrogation tools help attackers to perform DNS footprinting. Using these tools, attackers are able to obtain information about server types and their locations.
Email footprinting refers to collecting information from emails by monitoring the email delivery and inspecting the headers.
Information collected through email footprinting includes:
- IP address of the recipient
- Geolocation of the recipient
- Delivery information
- Visited links
- Browser and OS information
- Reading time
Email headers contain information about the sender, subject, and recipient. All this information is valuable to hackers when planning to attack their target.
Information contained in email headers include:
- Sender’s name
- IP/Email address of the sender
- Mail server
- Mail server authentication system
- Send and delivery stamp
- Unique number of the message
It is also possible to track emails using various tracking tools. Email tracking tools have the capability of tracking emails and inspecting their headers to extract useful information. The sender is notified of the email being delivered and opened by the recipient.
Website footprinting is a technique in which information about the target is collected by monitoring the target’s website. Hackers can map the entire website of the target without being noticed.
Website footprinting gives information about:
- Operating system
- Contact information
- Scripting platform
- Query details
By examining the website headers, it is possible to obtain information about the following headers:
- Connection Status
- Last-Modified Information
- X-powered-by Information
- Web Server Information
Additional ways to gather information is through HTML Source Code and cookie examination. By examining the HTML source code, it is possible to extract information from the comments in the code, as well as gain insight into the file system structure by observing the links and image tags.
Cookies too can reveal important information about the software that is running on the server and its behavior. Also, by inspecting sessions, it is possible to identify the scripting platforms.
There are programs designed to help in website footprinting. These programs are called web spiders and they methodically browse a website in search of specific information. Information collected this way can help attackers perform social engineering attacks.
Website mirroring or website cloning refers to the process of duplicating a website. Mirroring a website helps in browsing the site offline, searching the website for vulnerabilities, and discovering valuable information.
Websites may store documents of different format which in turn may contain hidden information and metadata that can be analyzed and used in performing an attack. This metadata can be extracted using various metadata extraction tools as well as help attackers perform social engineering attacks.
Network footprinting refers to the process of collecting information about the target’s network. During this process, attackers collect network range information and use the information to map the target’s network.
Network range gives attackers an insight into how the network is structured and which machines belong to the network.
Nmap is a tool used for network discovery. It uses raw IP packets to determine the available hosts on the network, the services offered by those hosts, operating systems they are running, firewall types that are being used, and other important characteristics.
Nmap features include the ability to scan large networks as well as mapping out networks.
Traceroute programs are used for discovering routers that are on the path to the target host. This information helps with carrying out man-in-the-middle and other related attacks.
Traceroute uses ICMP protocol and the TTL field in the IP header to discover the route. It records IP addresses and DNS names of discovered routers.
The results of a traceroute help attackers collect information about network topology, trusted routers, as well as firewall locations. They can use this to create network diagrams and plan their attacks.
Some of the footprinting countermeasures include:
- Restricting access to social media
- Enforcing security policies
- Educating employees about security threats
- Encrypting sensitive information
- Disabling protocols that are not required
- Proper service configuration
Footprinting reports should include details about the performed tests, used techniques, and test results. It should also include a list of vulnerabilities and how they can be fixed. These reports should be kept highly confidential, so that they do not fall into wrong hands.