Footprinting Using Advanced Google Hacking Techniques
• Attackers use search engines to extract information about a target, such as employed technology platforms, employee details, login pages, and intranet portals, which help the attacker to perform social engineering and other types of advanced system attacks
• Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information that helps attackers find vulnerable targets
Attackers can use advanced search operators available with these search engines and create complex queries to find, filter, and sort specific information regarding the target. Search engines are also used to find other sources of publicly accessible information. For example, you can type “top job portals” to find major job portals that provide critical information about the target organization.
Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information.
What can a Hacker Do with Google Hacking?
An attacker can create complex search-engine queries to filter large amounts of search results to obtain information related to computer security. The attacker can use Google operators to locate specific strings of text within search results. Thus, the attacker can not only detect websites and web servers that are vulnerable to exploitation but also locate private and sensitive information about the target. Once a vulnerable site is identified, attackers attempt to launch various possible attacks, such as buffer overflow and SQL injection, which compromise information security. Examples of sensitive information on public servers that an attacker can extract with the help of Google Hacking Database (GHDB) queries include:
▪ Error messages that contain sensitive information
▪ Files containing passwords
▪ Sensitive directories
▪ Pages containing logon portals
▪ Pages containing network or vulnerability data, such as IDS, firewall logs, and configurations
▪ Advisories and server vulnerabilities
▪ Software version information
▪ Web application source code
▪ Connected IoT devices and their control panels, if unprotected
▪ Hidden web pages such as intranet and VPN services
Example: Use the Google advanced operator syntax [intitle:intranet inurl:intranet +intext:"human resources"] to find sensitive information about a target organization and its employees. Attackers use the gathered information to perform social engineering attacks.
An attacker can also leverage AI-powered ChatGPT or other generative AI technology to perform this task by using an appropriate prompt such as: “Use filetype search operator to obtain pdf files on the target website eccouncil.org and store the result in the recon1.txt file”
Shell-gpt / sgpt : https://github.com/tbckr/sgpt

The following shell command is designed to conduct advanced Google hacking using the “filetype” operator to specifically target PDF files within the eccouncil.org domain. The command then saves the obtained results to a file named "recon1.txt":
lynx --dump "http://www.google.com/search?q=site:eccouncil.org+filetype:pdf" | grep "http" | cut -d "=" -f2 | grep -o "http[^&]*" > recon1.txt
▪ `lynx --dump "http://www.google.com/search?q=site:eccouncil.org+filetype:pdf"`: Runs the Lynx text browser in dump mode to fetch Google's search results for PDF files within the eccouncil.org domain.
▪ `| grep "http"`: Filters the Lynx output, keeping only the lines that contain the string "http".
▪ `| cut -d "=" -f2`: Splits each line on the "=" delimiter and selects the second field.
▪ `| grep -o "http[^&]*"`: Prints only the matches that start with "http" and run up to the next "&", i.e., the bare URL without query-string parameters.
▪ `> recon1.txt`: Redirects the final output to a file named "recon1.txt" for storage.
Google Hacking Database
Source: https://www.exploit-db.com/google-hacking-database
The GHDB is a subset of the Exploit-DB and focuses on using Google search queries (often referred to as "Google Dorks") to find sensitive information inadvertently exposed on the web. These queries exploit advanced Google search operators to uncover the following:
▪ Sensitive files: Such as configuration files, database dumps, and log files that may contain usernames, passwords, or other confidential data.
▪ Exposed directories: Open directories on web servers that might contain sensitive information.
▪ Error messages: Web server or application error messages that may reveal server configurations or vulnerabilities.
▪ Vulnerable devices: Identifying specific types of devices or software versions known to have vulnerabilities.
Attackers can also use SearchSploit, a command-line search tool for Exploit-DB that lets users keep a local copy of the exploit database for use away from the Internet. It allows attackers to perform detailed offline searches through their locally checked-out copy of the repository. This capability is particularly useful for security assessments of segregated or air-gapped networks without Internet access.
VPN Footprinting through Google Hacking Database with AI
Footprinting through SHODAN Search Engine
Source: https://www.shodan.io
Shodan is a search engine that enables attackers to perform footprinting at various levels. It is used to detect devices and networks with vulnerabilities. A search in Shodan for VoIP and VPN footprinting can deliver various results, which help gather VPN- and VoIP-related information.
Other Techniques for Footprinting through Search Engines
▪ Gathering Information Using Google Advanced Search, Advanced Image Search, and Reverse Image Search
▪ Gathering Information from Video Search Engines
▪ Gathering Information from Meta Search Engines
▪ Gathering Information from File Transfer Protocol (FTP) Search Engines
▪ Gathering Information from IoT Search Engines
shodan.io/search?query=SCADA
Major search engines:
Google, Bing, Yahoo!, Ask.com, Aol, Baidu, DuckDuckGo
Search through LLM
Directly asking an LLM-based search engine a question, for example: Give me an NMAP command to determine if there is a firewall in the way.
Google:
Bing:
Grok: https://x.ai/
Perplexity: https://www.perplexity.ai/
Operator:
https://www.shodan.io/search?query=webcam
inurl:webcam
Google Dork:
3. Footprinting through Internet Research Services
Finding a Company’s Top-Level Domains (TLDs) and Sub-domains
Tools to Search Company’s Sub-domains
▪ Netcraft Source: https://www.netcraft.com
▪ DNSdumpster Source: https://dnsdumpster.com
▪ Pentest-Tools Find Subdomains Source: https://pentest-tools.com
Finding a Company’s Top-Level Domains (TLDs) and Sub-domains with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly find the top-level domains and subdomains of the target.
Example #1
An attacker can use ChatGPT to perform this task by using an appropriate prompt such as:
- sgpt --chat domain --shell "Discover all the subdomains of 'google.com' using dig command."
- sgpt --chat footprint --shell "Use Sublist3r to gather a list of subdomains of the target organization eccouncil"
Extracting Website Information from https://archive.org
The Internet Archive's Wayback Machine (https://archive.org) lets users explore archived versions of websites. Such exploration allows an attacker to gather information on an organization’s web pages since its creation. As https://archive.org keeps copies of web pages from the time of their creation, an attacker can retrieve even information that has since been removed from the target website, such as web pages, audio files, video files, images, text, and software programs. Attackers use this information to perform phishing and other types of web application attacks on the target organization.
Footprinting through People Search Services
You can use public record websites to find information about email addresses, phone numbers, house addresses, and other details. Many individuals use online people search services to find information about other people. Generally, online people search services such as Spokeo, Intelius, pipl, BeenVerified, Whitepages, Instant Checkmate, and PeekYou provide people’s names, addresses, contact details, date of birth, photographs, videos, profession, details about their family and friends, social networking profiles, property information, and optional criminal background checks. Further, online people search services may often reveal the profession of an individual, businesses owned by a person, upcoming projects and operating environment, websites and blogs, contact numbers, important dates, company email addresses, cell phone numbers, fax numbers, and personal e-mail addresses. Using this information, an attacker can try to obtain bank details, credit card details, personal history, and so on. This information proves highly beneficial for attackers when launching attacks. There are many online people search services that help in obtaining information regarding people.
▪ People Search Service - Spokeo
Source: https://www.spokeo.com
Footprinting through Job Sites
Dark Web Footprinting
▪ Tor Browser, Source: https://www.torproject.org
Searching the Dark Web with Advanced Search Parameters
Determining the Operating System
▪ Netcraft Source: https://www.netcraft.com
▪ SHODAN Search Engine Source: https://www.shodan.io
▪ Censys Source: https://censys.io
Competitive Intelligence Gathering
Competitive intelligence helps in determining:
▪ What the competitors are doing
▪ How competitors are positioning their products and services
▪ What customers are saying about competitors’ strengths and weaknesses
Information Resource Sites
Information resource sites that help to gain competitive intelligence include:
▪ EDGAR Database Source: https://www.sec.gov/edgar
▪ D&B Hoovers Source: https://www.dnb.com
▪ LexisNexis Source: https://www.lexisnexis.com
▪ Business Wire Source: https://www.businesswire.com
▪ Factiva Source: https://www.dowjones.com
Competitive Intelligence - What Are the Company's Plans? Information resource sites that help attackers gain a company’s business plans include:
▪ MarketWatch Source: https://www.marketwatch.com
▪ The Wall Street Transcript Source: https://www.twst.com
▪ Euromonitor Source: https://www.euromonitor.com
▪ Experian Source: https://www.experian.com
▪ The Search Monitor
Competitive Intelligence - What Expert Opinions Say About the Company? Information resource sites that help the attacker to obtain expert opinions about the target company include:
▪ SEMRush Source: https://www.semrush.com
▪ ABI/INFORM Global Source: https://www.proquest.com
▪ SimilarWeb Source: https://www.similarweb.com
▪ SERanking Source: https://seranking.com
Other Techniques for Footprinting through Internet Research Services
▪ Finding the Geographical Location of the Target
o Google Earth Source: https://earth.google.com
▪ Gathering Information from Financial Services
o Google Finance Source: https://www.google.com/finance
▪ Gathering Information from Business Profile Sites
Attackers use business profile sites such as opencorporates, Crunchbase, and corporationwiki to gather important information about the target organizations, such as their location, addresses, contact information (such as phone numbers, email addresses), employee database, department names, type of service provided, and type of industry.
▪ Monitoring Targets Using Alerts
Tools such as Google Alerts, X Alerts, and Giga Alerts help attackers to track mentions of the organization’s name, member names, website, or any people or projects that are important. Attackers can gather updated information about the target periodically from the alert services and use it for further attacks.
o Google Alerts Source: https://www.google.com/alerts
▪ Tracking the Online Reputation of the Target
An attacker may use ORM tracking tools to:
o Track a company’s online reputation
o Collect a company’s search engine ranking information
o Obtain email notifications when a company is mentioned online
o Track conversations
o Obtain social news about the target organization
o Mention Source: https://mention.com
▪ Gathering Information from Groups, Forums, and Blogs
Attackers can register with fake profiles in Google Groups, LinkedIn Groups, and so on.
▪ Gathering Information from Public Source-Code Repositories
Source code–based repositories are online services or tools available on internal servers or can be hosted on third-party websites such as GitHub, GitLab, SourceForge, and BitBucket.
Attackers can use tools such as Recon-ng to discover public source-code repositories. o Recon-ng Source: https://github.com
4. Footprinting through Social Networking Sites
People Search on Social Networking Sites
Social networking sites such as Facebook, Twitter, LinkedIn, and Instagram allow you to find people by name, keyword, company, school, friends, colleagues, and the people living around them.
Gathering Information from LinkedIn
• Attackers use theHarvester tool to perform enumeration on LinkedIn and find employees of the target company along with their job titles
Attackers can use this information to gather more information, such as current location and educational qualifications, and perform social engineering or other kinds of attacks
Gathering Information from LinkedIn
LinkedIn is a social networking website for professionals. It connects the world’s human resources to aid productivity and success. The site contains personal information such as name, position, organization name, current location, educational qualifications, and so on. Information gathered from LinkedIn helps an attacker in performing social engineering or other kinds of attacks. Attackers can use theHarvester tool to gather information from LinkedIn based on the target organization name:
▪ theHarvester Source: https://github.com
theHarvester -d eccouncil -l 200 -b linkedin
In the above command, -d specifies the domain or company name to search, -l specifies the number of results to be retrieved, and -b specifies the data source as LinkedIn.
Harvesting Email Lists
Gathering email addresses related to the target organization acts as an important attack vector during the later phases of hacking. Attackers can use automated tools such as theHarvester and Email Spider to collect publicly available email addresses of the employees of the target organization. These tools harvest email lists related to a specified domain using search engines such as Google, Bing, and Yahoo. Attackers use these email lists and usernames to perform social engineering and brute force attacks on the target organization.
▪ theHarvester Source: https://github.com
Attackers use theHarvester tool to extract email addresses related to the target domain. For example, attackers use the following command to extract email addresses of microsoft.com using the Baidu search engine:
theHarvester -d microsoft.com -l 200 -b baidu
In the above command, -d specifies the domain used for harvesting the emails, -l will limit the results to 200, and -b tells theHarvester to extract the results from the Baidu search engine; alternatively, you can use Google, Bing, etc.
Harvesting Email Lists with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly find valuable email details of their target organization. For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Use theHarvester to gather email accounts associated with 'microsoft.com', limiting results to 200, and leveraging 'baidu' as a data source”
sgpt --chat fp --shell "Use theHarvester to gather email accounts associated with 'microsoft.com', limiting results to 200, and leveraging 'baidu' as a data source"
Analyzing Target Social Media Presence
Several online services and resources are available to gather valuable information about a target from one or more social media sites. These services allow attackers to discover most shared content across social media sites by using hashtags or keywords, track accounts and URLs on various social media sites, obtain a target’s email address, etc. This information helps attackers to perform phishing, social engineering, and other types of attacks. Attackers use tools such as BuzzSumo, Google Trends, Hashatit, and Ubersuggest to locate information on social media sites:
▪ BuzzSumo Source: https://buzzsumo.com
Tools for Footprinting through Social Networking Sites
Attackers use various tools such as Sherlock and Social Searcher to footprint social networking sites such as Twitter, Instagram, Facebook, and Pinterest to gather sensitive information about the target such as the date of birth, educational qualification, employment status, name of relatives, and information about the organization that they are working for, including the business strategy, potential clients, and upcoming project plans.
▪ Sherlock Source: https://github.com
sherlock "Elon Musk"
▪ Social Searcher Source: https://www.social-searcher.com
Footprinting through Social Networking Sites with AI
For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Use Sherlock to gather personal information about Sundar Pichai and save the result in recon2.txt”
sgpt --chat footprint --shell "Use Sherlock to gather personal information about Sundar Pichai and save the result in recon2.txt"
5. Whois Footprinting
Whois Lookup
Three types of data models exist to store and look up Whois information:
▪ Thick Whois (Distributed Model) - Stores the complete Whois information from all the registrars for a particular set of data.
▪ Thin Whois (Centralized Model) - Stores only the name of the Whois server of the registrar of a domain, which in turn holds complete details on the data being looked up.
▪ Decentralized Whois - Stores complete WHOIS information and has multiple independent entities to manage the WHOIS database.
A Whois query returns the following information:
▪ Domain name details
▪ Domain registrar
▪ Contact details of the domain owner
▪ Domain name servers
▪ NetRange
▪ When a domain has been created
▪ Expiry records
▪ Records last updated
▪ Domain status (available, registered, or suspended)
▪ IP address information
Regional Internet Registries (RIRs)
The RIRs include the following:
▪ American Registry for Internet Numbers (ARIN) (https://www.arin.net)
▪ African Network Information Center (AFRINIC) (https://www.afrinic.net)
▪ Asia Pacific Network Information Center (APNIC) (https://www.apnic.net)
▪ Réseaux IP Européens Network Coordination Centre (RIPE) (https://www.ripe.net)
▪ Latin American and Caribbean Network Information Center (LACNIC) (https://www.lacnic.net)
Whois services such as https://whois.domaintools.com and https://www.tamos.com
Batch IP Converter, available at http://www.sabsoft.com
Finding IP Geolocation Information
IP geolocation helps to obtain information regarding a target such as its country, region/state, city, latitude and longitude of its city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, weather station code and name, mobile carrier, and elevation.
IP Geolocation Lookup Tools
▪ IP2Location Source: https://www.ip2location.com
6. DNS Footprinting
DNS Footprinting
After collecting the Whois records of the target, the next phase of the footprinting methodology is Domain Name System (DNS) footprinting. Attackers perform DNS footprinting to gather information about DNS servers, DNS records, and the types of servers used by the target organization. This information helps attackers identify the hosts connected in the target network and further exploit the target organization. This section describes how to extract DNS information and perform reverse DNS lookups using various DNS interrogation tools.
DNS footprinting helps in determining the following records about the target DNS:
DNS Interrogation Tools
Attackers use DNS interrogation tools such as SecurityTrails, Fierce, DNSChecker, zdns and DNSdumpster.com to perform DNS footprinting. These tools can extract a range of IP addresses using IP routing lookup. If the target network allows unknown, unauthorized users to transfer DNS zone data, it is easy for an attacker to obtain DNS information with the help of a DNS interrogation tool.
When an attacker queries a DNS server using a DNS interrogation tool, the server responds with a record structure that contains information about the target DNS. DNS records provide important information regarding the locations and types of servers.
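A defender's check for the zone-transfer exposure described above, as an added example that is not part of these notes or of any tool listed here: it parses BIND-style query-log lines (the sample lines below are constructed) and reports AXFR/IXFR requests from clients outside a hypothetical list of authorised secondaries, which is the condition the paragraph above warns about.

```python
"""Detect DNS zone-transfer (AXFR/IXFR) requests in BIND query logs.

Added example for this section; not code from the notes or from any tool
named on the page. The log lines are constructed to follow BIND's query-log
layout, and ALLOWED_SECONDARIES is a hypothetical site policy. The fix on
the server side is to restrict transfers, e.g. BIND's allow-transfer option.
"""
import re

# Hypothetical policy: only these hosts (the zone's secondaries) may pull the zone.
ALLOWED_SECONDARIES = {"192.0.2.2", "192.0.2.3"}

# Constructed sample log (RFC 5737 documentation addresses plus one RFC 1918 client).
SAMPLE_LOG = """\
07-Mar-2024 10:01:02.123 queries: info: client @0x7f3c1c0d7a30 192.0.2.2#42311 (example.com): query: example.com IN AXFR -ET (192.0.2.1)
07-Mar-2024 10:01:05.456 queries: info: client @0x7f3c1c0d7b40 198.51.100.77#51002 (www.example.com): query: www.example.com IN A -E(0)K (192.0.2.1)
07-Mar-2024 10:02:17.789 queries: info: client @0x7f3c1c0d7c50 203.0.113.9#33110 (example.com): query: example.com IN AXFR -ET (192.0.2.1)
07-Mar-2024 10:02:18.001 queries: info: client @0x7f3c1c0d7c50 203.0.113.9#33111 (example.com): query: example.com IN IXFR -ET (192.0.2.1)
07-Mar-2024 10:03:00.500 queries: info: client @0x7f3c1c0d7d60 10.20.30.40#40001 (example.com): query: example.com IN AXFR -ET (10.20.30.1)
"""

# Tolerates the optional "@0x..." client pointer that newer BIND versions print.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)


def parse_query_line(line):
    """Return {"ip", "name", "type"} for one BIND query-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "name": m.group("name"), "type": m.group("type").upper()}


def is_zone_transfer(rec):
    """AXFR is a full transfer, IXFR an incremental one; both hand out the whole zone layout."""
    return rec["type"] in ("AXFR", "IXFR")


def find_unauthorised_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (client_ip, zone, qtype) for every transfer request from a non-allowed client."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None or not is_zone_transfer(rec):
            continue
        if rec["ip"] in allowed:
            continue  # legitimate secondary pulling the zone
        findings.append((rec["ip"], rec["name"], rec["type"]))
    return findings


def summarise_by_client(findings):
    """Group findings per client IP: how many attempts and which zones were requested."""
    summary = {}
    for ip, zone, _qtype in findings:
        entry = summary.setdefault(ip, {"count": 0, "zones": set()})
        entry["count"] += 1
        entry["zones"].add(zone)
    return summary


if __name__ == "__main__":
    hits = find_unauthorised_transfers(SAMPLE_LOG)
    for ip, zone, qtype in hits:
        print(f"{qtype} request for {zone} from non-secondary {ip}")
    print(summarise_by_client(hits))
```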
▪ SecurityTrails Source: https://securitytrails.com
▪ Fierce Source: https://github.com
Attackers can use the following commands to perform DNS reconnaissance using the Fierce tool:
- Run the following command to start a basic scan on the target domain (certifiedhacker.com) without any additional options: fierce --domain certifiedhacker.com
- Run the following command to scan the target domain to obtain specific subdomains (here, subdomains containing words such as write, admin, and mail): fierce --domain certifiedhacker.com --subdomains write admin mail
- Run the following command to scan domains near the discovered records of the targeted domain: fierce --domain certifiedhacker.com --subdomains mail --traverse 10
- Run the following command to attempt an HTTP connection on the discovered domains of the target: fierce --domain certifiedhacker.com --subdomains mail --connect
- Run the following command to scan all the discovered records of the target domain, i.e., a full detailed scan: fierce --domain certifiedhacker.com --wide
DNS Lookup with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly perform reverse DNS lookup activities on a target and acquire valuable insights. For example, attackers can use ChatGPT to execute this task by using an appropriate prompt such as: "Install and use DNSRecon to perform DNS enumeration on the target domain www.certifiedhacker.com"
The following shell command is designed to perform DNS enumeration using the “dnsrecon” tool on the www.certifiedhacker.com domain:
sudo apt-get update && sudo apt-get install -y dnsrecon && dnsrecon -d certifiedhacker.com -t std
Explanation of the command:
▪ sudo apt-get update: Updates the package lists for upgrades and new package installations.
▪ &&: Concatenates commands to execute them sequentially.
▪ sudo apt-get install -y dnsrecon: Installs the dnsrecon tool with automatic “yes” to all prompts.
▪ dnsrecon -d certifiedhacker.com -t std: Initiates the dnsrecon tool to perform DNS enumeration on the certifiedhacker.com domain using standard enumeration techniques.
Reverse DNS Lookup
DNS lookup is used to find the IP addresses for a given domain name, and a reverse DNS operation is performed to obtain the domain name of a given IP address. When looking for a domain by entering the domain name in a browser, the DNS converts the domain name into an IP address and forwards the request for further processing. This conversion of a domain name into an IP address is performed using an A record. Attackers perform a reverse DNS lookup on the IP range to locate a DNS PTR record for such IP addresses.
Attackers use various tools such as DNSRecon, Reverse Lookup, puredns, Reverse IP Domain Check, and Reverse IP Lookup to perform reverse DNS lookup on the target host. When we obtain an IP address or a range of IP addresses, we can use these tools to obtain the domain name.
▪ DNSRecon
Source: https://github.com
As shown in the screenshot, attackers use the following command to perform a reverse DNS lookup on the target host:
dnsrecon -r 162.241.216.0-162.241.216.255
In the above command, the -r option specifies the range of IP addresses (first to last) for a reverse lookup by brute force.
▪ Reverse Lookup Source: https://mxtoolbox.com
7. Network and Email Footprinting
Network and Email Footprinting
The next step after retrieving DNS information is to gather network-related information and track email communications. This section describes the method to locate the network range, traceroute analysis, and traceroute tools. It also describes how to track email communications, how to collect information from email headers, and email tracking tools.
Obtaining private IP addresses can be useful to attackers. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP address space for private internets: 10.0.0.0–10.255.255.255 (10/8 prefix), 172.16.0.0–172.31.255.255 (172.16/12 prefix), and 192.168.0.0–192.168.255.255 (192.168/16 prefix).
Traceroute
Finding the route of the target host on the network is necessary to test against man-in-the-middle attacks and other related attacks. Most operating systems come with a Traceroute utility to perform this task. It traces the path or route through which the target host packets travel in the network. Traceroute uses the ICMP protocol and Time to Live (TTL) field of the IP header to find the path of the target host in the network.
TCP Traceroute
Many devices in any network are generally configured to block ICMP traceroute messages. In this scenario, an attacker uses TCP or UDP traceroute, which is also known as Layer 4 traceroute. Go to the terminal in Linux operating system and type the tcptraceroute command along with the destination IP address or domain name as follows:
sudo tcptraceroute www.google.com
UDP Traceroute
Like Windows, Linux also has a built-in traceroute utility, but it uses the UDP protocol for tracing the route to the destination. Go to the terminal in the Linux operating system and type the traceroute command along with the destination IP address or domain name as follows:
traceroute www.google.com
Traceroute with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting operations. With the aid of AI, attackers can effortlessly perform tracerouting on a target. For example, attackers can use ChatGPT to execute this task by using an appropriate prompt such as: "Perform network tracerouting to discover the routers on the path to a target host www.certifiedhacker.com"
The following shell command is designed to perform network tracerouting using the “traceroute” tool to discover the routers on the path to the www.certifiedhacker.com host:
traceroute www.certifiedhacker.com
Explanation of the command:
▪ traceroute www.certifiedhacker.com: Initiates the traceroute tool to discover the routers on the path to the www.certifiedhacker.com host by sending packets to the destination with increasing time to live (TTL) values and analyzing the responses received from intermediate routers.
Traceroute Tools
Traceroute tools such as NetScanTools Pro, PingPlotter, Traceroute NG, and tracert are useful for extracting information about the geographical location of routers, servers, and IP devices in a network. Such tools help us to trace, identify, and monitor the network activity on a world map. Some of the features of these tools are as follows:
▪ Hop-by-hop traceroutes
▪ Reverse tracing
▪ Historical analysis
▪ Packet loss reporting
▪ Reverse DNS
▪ Ping plotting
▪ Port probing
▪ Detect network problems
▪ Performance metrics analysis
▪ Network performance monitoring
▪ NetScanTools Pro Source: https://www.netscantools.com
▪ PingPlotter Source: https://www.pingplotter.com
Tracking Email Communications
Email tracking monitors the email messages of a particular user. This kind of tracking is possible through digitally time-stamped records that reveal the time and date when the target receives and opens a specific email. Email tracking tools allow an attacker to collect information such as IP addresses, mail servers, and service providers involved in sending the email. Attackers can use this information to build a hacking strategy and to perform social engineering and other attacks. Examples of email tracking tools include IP2LOCATION’s Email Header Tracer, MxToolbox, DNS Checker Email Header Analyzer, and Social Catfish.
Collecting Information from Email Header
An email header contains the details of the sender, routing information, addressing scheme, date, subject, and recipient. Email headers also help attackers to trace the routing path taken by an email before it is delivered to the recipient. Each email header is a useful source of information for an attacker to launch attacks against the target. The process of viewing the email header varies with different email programs. Commonly used email programs:
▪ eM Client
▪ Mailbird
▪ Hiri
▪ Mozilla Thunderbird
▪ Spike
▪ Claws Mail
▪ SmarterMail Webmail
▪ Outlook
▪ Apple Mail
▪ ProtonMail
▪ AOL Mail
▪ Tuta
The email header contains the following information:
▪ Sender’s mail server
▪ Date and time of receipt by the originator’s email servers
▪ Authentication system used by the sender’s mail server
▪ Date and time of sending the message
▪ A unique number assigned by mx.google.com to identify the message
▪ Sender’s full name
▪ Sender’s IP address and address from which the message was sent
The attacker can trace and collect all this information by performing a detailed analysis of the complete email header.
Email tracking tools such as IP2LOCATION’s Email Header Tracer, MxToolbox, eMailTrackerPro, Holehe, DNS Checker Email Header Analyzer, and Social Catfish allow an attacker to track an email and extract information such as sender identity, mail server, sender’s IP address, location, and so on. Attackers use the extracted information to track the email path from the attacker's location to the target mail server using IP addresses in the email header.
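The header analysis described above, as an added example that is not code from these notes or from any of the tracker tools listed: it walks the Received: chain of a constructed message, rebuilds the delivery path in order (origin first), pulls out each hop's announced name, client IP, receiving server and timestamp, and marks hops inside the RFC 1918 private blocks listed under Network and Email Footprinting, which is how an internal relay shows up when you trace a message back to its origin. All hostnames, addresses and timestamps in the sample are constructed.

```python
"""Reconstruct an email's routing path from its Received: headers.

Added example for this section; not code from the notes or from any tracker
tool named on the page. RAW_MESSAGE is constructed: example domains,
RFC 5737 documentation IPs, and one RFC 1918 address for the internal hop.
"""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Each relay prepends its own Received: line, so the first one in the header
# is the LAST hop (nearest the recipient) and the bottom one is the origin.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.20])
\tby inbox.example.net with ESMTPS id abc123
\tfor <alice@example.net>; Thu, 07 Mar 2024 10:05:12 +0000
Received: from mail.example.org (mail.example.org [198.51.100.5])
\tby mx2.example.net with ESMTPS id def456;
\tThu, 07 Mar 2024 10:05:10 +0000
Received: from workstation17.corp.example.org (unknown [10.10.4.23])
\tby mail.example.org with ESMTPA id ghi789;
\tThu, 07 Mar 2024 10:05:01 +0000
Message-ID: <20240307100501.ghi789@mail.example.org>
From: Bob <bob@example.org>
To: alice@example.net
Subject: constructed sample
Date: Thu, 07 Mar 2024 10:05:00 +0000

body
"""

# The three private blocks the notes list (RFC 1918). Python's ip.is_private is
# wider than this (it also covers documentation ranges), so we check explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                   # name the client announced
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # optional "(rdns [ip])" added by the relay
    r".*?\bby\s+(?P<by>\S+)"                                  # the server that wrote this line
)


def is_rfc1918(ip_text):
    """True if the address falls in one of the three RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip_text)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_received(value):
    """Extract announced host, client IP, receiving host and timestamp from one Received: value."""
    value = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(value)
    if not m:
        return None
    hop = {"from": m.group("helo"), "ip": m.group("ip"), "by": m.group("by"), "time": None}
    if ";" in value:  # the date clause follows the last ';'
        try:
            hop["time"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    hop["internal"] = is_rfc1918(hop["ip"]) if hop["ip"] else None
    return hop


def trace_path(raw):
    """Return hops in delivery order (origin first) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()  # header order is newest-first; flip to origin-first
    return hops


def hop_delays_seconds(hops):
    """Seconds between consecutive hops; a negative value hints at clock skew or a forged line."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    path = trace_path(RAW_MESSAGE)
    for n, hop in enumerate(path, 1):
        tag = "internal" if hop["internal"] else "public"
        print(f"hop {n}: {hop['from']} [{hop['ip']}] ({tag}) -> {hop['by']} at {hop['time']}")
    print("delays (s):", hop_delays_seconds(path))
```

Only the bottom-most Received: lines, written by servers you trust, are reliable; anything below the first trusted relay can have been forged by the sender.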
▪ eMailTrackerPro Source: http://www.emailtrackerpro.com
▪ IP2LOCATION’s Email Header Tracer Source: https://www.ip2location.com
8. Footprinting through Social Engineering
Social engineers attempt to gather
• Credit card details and social security number
• Usernames and passwords
• Security products in use
• Operating systems and software versions
• Network layout information
• IP addresses and names of servers
Social engineering techniques include
• Eavesdropping
• Shoulder surfing
• Dumpster diving
• Impersonation
Footprinting through Social Engineering
Collecting Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Eavesdropping, shoulder surfing, dumpster diving, and impersonation are social engineering techniques widely used to collect information from people.
▪ Eavesdropping
Eavesdropping is the act of intercepting communication in any form, such as audio, video, or text, without the consent of the communicating parties. It also includes reading confidential messages from communication media such as instant messaging or fax transmissions. The attacker can gain information by tapping phone conversations or intercepting audio, video, or written communications.
▪ Shoulder Surfing
Shoulder surfing is a technique whereby attackers secretly observe the target to gain critical information. In the shoulder surfing technique, an attacker stands behind the victim and secretly observes the victim’s activities on the computer, such as keystrokes while entering usernames, passwords, and so on. The technique is effective in gaining passwords, personal identification numbers, security codes, account numbers, credit card information, and similar data. Attackers can easily perform shoulder surfing in a crowded place, as it is relatively easy to stand behind and watch the victim without his or her knowledge.
▪ Dumpster Diving
This uncouth technique, also known as trashing, involves the attacker rummaging for information in garbage bins. The attacker may gain vital information such as phone bills, contact information, financial information, operations-related information, printouts of source code, printouts of sensitive information, and so on from the target company’s trash bins, printer waste bins, sticky notes at users’ desks, and so on. The attacker may also gather account information from ATM trash bins. The information can help the attacker to commit attacks.
▪ Impersonation
Impersonation is a technique whereby an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use phones or other communication media to mislead targets and trick them into revealing information. The attacker might impersonate a courier/delivery person, janitor, businessman, client, technician, or he/she may pretend to be a visitor. Using this technique, an attacker gathers sensitive information by scanning terminals for passwords, searching important documents on desks, rummaging bins, and so on. The attacker may even try to overhear confidential conversations and “shoulder surf” to obtain sensitive information.
9. Automate Footprinting Tasks using Advanced Tools and AI
Footprinting Tools: Maltego and Recon-ng
Maltego
Maltego can be used to determine the relationships and real world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc.
Maltego is an automated tool that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc. Attackers can use different entities available in the tool to obtain information such as email addresses, a list of phone numbers, and a target’s Internet infrastructure (domains, DNS names, Netblocks, IP addresses information).
Recon-ng
Recon-ng is a web reconnaissance framework with independent modules and database interaction, which provides an environment in which open-source, web-based reconnaissance can be conducted.
FOCA
FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans.
Fingerprinting Organizations with Collected Archives (FOCA) is a tool used mainly to find metadata and hidden information in the documents it scans. FOCA can scan and analyze a wide variety of documents, most commonly Microsoft Office, OpenOffice, and PDF files. Features:
o Web Search - Searches for hosts and domain names through URLs associated with the main domain. Each link is analyzed to extract information from its new host and domain names.
o DNS Search - Checks each domain to ascertain the host names configured in NS, MX, and SPF servers to discover the new host and domain names.
o IP Resolution - Resolves each host name by comparison with the DNS to obtain the IP address associated with this server name. To perform this task accurately, the tool performs analysis against the organization’s internal DNS.
o PTR Scanning - To find more servers in the same network segment as a discovered IP address, FOCA runs a PTR (reverse DNS) scan across that range.
o Bing IP - For each IP address discovered, FOCA runs a Bing search for new domain names associated with that IP address.
o Common Names - Performs dictionary attacks against the DNS.
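An added example, not FOCA's own code: the DNS Search step above derives hostnames from NS, MX and SPF records. The Python below does the same walk over a constructed in-memory zone (the domain example.test and all of its records are invented), following SPF include: and redirect= references while honouring the RFC 7208 limit of ten DNS lookups and refusing to revisit a domain, so a looped include terminates. Replace table_lookup with a real resolver to inventory a domain you administer.

```python
# Added example, not FOCA's own code: walk the NS, MX and SPF records of a
# domain and collect every hostname and netblock they disclose, the way the
# DNS Search step above does. The resolver is a constructed in-memory table
# so this runs offline; plug in a real resolver for a domain you operate.
import ipaddress
import re

# Constructed zone data for an imaginary domain; keys are (owner, rrtype).
SAMPLE_RECORDS = {
    ("example.test", "NS"): ["ns1.example.test.", "ns2.dns-provider.test."],
    ("example.test", "MX"): ["10 mx1.example.test.", "20 mx-backup.mailhost.test."],
    ("example.test", "TXT"): [
        '"v=spf1 ip4:203.0.113.0/24 a mx include:_spf.mailhost.test -all"',
        '"google-site-verification=constructed"',
    ],
    ("_spf.mailhost.test", "TXT"): [
        '"v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 a:relay.mailhost.test '
        'include:_spf2.mailhost.test ~all"',
    ],
    # Points back at _spf.mailhost.test: a loop the walker must survive.
    ("_spf2.mailhost.test", "TXT"): ['"v=spf1 include:_spf.mailhost.test -all"'],
}


def table_lookup(name, rrtype):
    """Stand-in for a DNS query; returns the record data strings or []."""
    return SAMPLE_RECORDS.get((name.rstrip(".").lower(), rrtype), [])


# Mechanisms that name hosts or networks; 'all', 'ptr' and 'exists' are skipped.
SPF_TERM = re.compile(r"^[+\-~?]?(ip4|ip6|a|mx|include|redirect)(?:[:=](.+))?$")
MAX_SPF_LOOKUPS = 10  # RFC 7208 section 4.6.4


def spf_record(txt_records):
    """Return the v=spf1 record among a name's TXT records, or None."""
    for rec in txt_records:
        value = rec.strip('"')
        if value.lower().startswith("v=spf1"):
            return value
    return None


def walk_spf(domain, lookup, seen, counter):
    """Collect hosts, netblocks and domains from an SPF record and its includes.
    `seen` stops loops; `counter` is a one-element list counting DNS lookups."""
    found = {"hosts": set(), "netblocks": set(), "domains": set()}
    if domain in seen or counter[0] >= MAX_SPF_LOOKUPS:
        return found
    seen.add(domain)
    record = spf_record(lookup(domain, "TXT"))
    if record is None:
        return found
    found["domains"].add(domain)
    for term in record.split()[1:]:
        m = SPF_TERM.match(term)
        if not m:
            continue
        mech, arg = m.groups()
        target = (arg or domain).split("/")[0]  # drop any CIDR suffix on a/mx
        if mech in ("ip4", "ip6") and arg:
            found["netblocks"].add(str(ipaddress.ip_network(arg, strict=False)))
        elif mech == "a":
            found["hosts"].add(target)
        elif mech == "mx":
            counter[0] += 1
            for rdata in lookup(target, "MX"):
                found["hosts"].add(rdata.split()[-1].rstrip("."))
        elif arg:  # include / redirect
            counter[0] += 1
            sub = walk_spf(arg, lookup, seen, counter)
            for key in found:
                found[key] |= sub[key]
    return found


def dns_footprint(domain, lookup=table_lookup):
    """Inventory what public NS, MX and SPF records say about a domain."""
    counter = [0]
    spf = walk_spf(domain, lookup, set(), counter)
    return {
        "ns": [r.rstrip(".") for r in lookup(domain, "NS")],
        "mx": [r.split()[-1].rstrip(".") for r in lookup(domain, "MX")],
        "spf_hosts": spf["hosts"],
        "spf_netblocks": spf["netblocks"],
        "spf_domains": spf["domains"],
        "spf_lookups": counter[0],
    }


if __name__ == "__main__":
    for key, value in dns_footprint("example.test").items():
        print(f"{key:>13}: {sorted(value) if isinstance(value, (set, list)) else value}")
```

The lookup counter matters for defenders too: an SPF chain that exceeds ten lookups returns permerror at receivers, so the same walk doubles as a check of your own mail configuration.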
subfinder
subfinder is a subdomain discovery tool that helps attackers find valid subdomains for websites. It supports multiple output formats (JSON, file, stdout).
Footprinting Tools: OSINT Framework
• OSINT Framework is an open source intelligence gathering framework that is focused on gathering information from free tools or resources
• It provides a simple web interface that lists various OSINT tools arranged by categories and is shown as an OSINT tree structure on the web interface
• Tools listed include the following indicators:
▪ (T) - Indicates a link to a tool that must be installed and run locally
▪ (D) - Google Dork
▪ (R) - Requires registration
▪ (M) - Indicates a URL that contains the search term and the URL itself must be edited manually
Other Tools:
Sudomy https://github.com
BillCipher https://github.com
BillCipher is an information gathering tool for a website or IP address. It can work on any operating system that supports Python 2, Python 3, and Ruby. This tool includes various options such as DNS lookup, Whois lookup, port scanning, zone transfer, host finder, and reverse IP lookup, which help to gather critical information.
whatweb https://github.com
Raccoon https://github.com
Recon-Dog https://github.com
Recon-Dog is an all-in-one tool for all basic information gathering needs. It uses APIs to collect information about the target system. Features:
o Censys: Uses censys.io to gather a massive amount of information about an IP address.
o NS lookup: Performs name server lookup
o Port scan: Scans most common TCP ports
o Detect CMS: Can detect 400+ content management systems
o Whois lookup: Performs a Whois lookup
o Detect honeypot: Uses shodan.io to check if the target is a honeypot
o Find subdomains: Uses findsubdomains.com to find subdomains
o Reverse IP lookup: Performs a reverse IP lookup to find domains associated with an IP address
o Detect technologies: Uses wappalyzer.com to detect 1000+ technologies
o All: Runs all utilities against the target
Web Check https://web-check.xyz
OSINT.SH https://osint.sh
AI-Powered OSINT Tools
AI has revolutionized open-source intelligence (OSINT) by significantly enhancing investigative capabilities through advanced data collection, analysis, and prediction. AI automates data processing, extracts relevant insights, delivers actionable intelligence more efficiently than traditional methods, and enhances the OSINT tools. AI-powered tools offer numerous advantages for OSINT. The following are some key use cases in which AI can significantly benefit OSINT researchers.
▪ Web Scraping: AI techniques utilize online data from sources such as social media, blogs, forums, and deep web databases. This data enables the tracking of entities over time or the monitoring of public behavior. Machine-learning models can automate the extraction of specific information such as social media comments and replies.
▪ Pattern Recognition: Machine learning (ML) techniques can identify entities within large datasets and analyze files to identify the relationships between different entities. These entities include names, company details, addresses, emails, phone numbers, and relevant data.
▪ Content Summarization: NLP algorithms can summarize large volumes of data. OSINT gatherers can utilize this capability to extract pertinent information from extensive datasets. For example, an AI summarization tool can extract company names from a set of PDF files spanning hundreds of pages.
▪ Sentiment Analysis: AI technology can interpret human emotions through text analysis, which is particularly useful for understanding public sentiment. OSINT researchers can use AI to assess the emotional state of users based on social media posts and comments or to predict consumer behavior based on reviews.
▪ Image Recognition: Computer vision, a subset of AI, can analyze digital media files such as images and videos. In OSINT investigations, computer vision can assist in:
o Face Recognition: Identifying and tracking individuals across different media.
o Metadata Analysis: Extracting metadata from digital files.
o Reverse Image Search: Enhancing reverse image search capabilities and detecting deepfake images.
▪ AI Detection: AI can also identify content generated by other AI tools, which is crucial for detecting malicious activities facilitated by AI.
AI-Powered OSINT Tool: Taranis AI Source: https://taranis.ai
Taranis AI is an advanced OSINT tool that uses AI to enhance information gathering and situational analysis. It uses NLP and AI to improve the quality of data received from data sources, such as websites, to gather unstructured news articles. Analysts then transform these AI-enhanced articles into organized reports that are used as the basis for deliverables such as PDF files that are eventually published.
AI-Powered OSINT Tool: OSS Insight Source: https://ossinsight.io
OSS Insight leverages AI to delve deep into the GitHub ecosystem by analyzing an extensive dataset of over five billion GitHub events. This capability enables it to offer comprehensive insights and tools to enhance the understanding and navigation of the open-source world. From detailed repository analytics encompassing metrics such as stars, forks, and commits to insights into developer productivity and collaboration patterns, OSS Insight is equipped with powerful resources for informed decision-making and strategic planning in open-source software development.
Additional AI-Powered OSINT Tools
AI OSINT tools that leverage artificial intelligence to enhance the efficiency and accuracy of open-source intelligence gathering are as follows:
▪ DorkGPT Source: https://dorkgpt.com
DorkGPT is an AI-powered tool designed to assist Google Dorking, a technique used to find information that is not easily accessible through regular search queries. It leverages the capabilities of GPT (Generative Pre-trained Transformer) models to generate and refine search queries, helping users uncover sensitive information, hidden pages, and other data that may be relevant to cybersecurity, ethical hacking, or research purposes.
▪ DorkGenius Source: https://dorkgenius.com
DorkGenius is an AI-powered tool that automates Google Dorking and helps users generate advanced search queries to find specific information on the internet. It is useful for uncovering hidden files, directories, sensitive information, and security vulnerabilities, particularly in the case of ethical hackers.
▪ Google Word Sniper Source: https://googlewordsniper.eu
Google Word Sniper helps to refine search queries for more effective Google results. It identifies targeted keywords and phrases, making it easier to find specific information, hidden content, and niche data. This tool is valuable for researchers, marketers, and cybersecurity professionals, as it enhances their ability to uncover valuable buried information in search results.
▪ Cylect.io Source: https://cylect.io
Cylect.io is an advanced AI-powered OSINT tool that integrates multiple databases into a user-friendly interface, providing a vast collection of resources for ethical hackers and enabling efficient and confident OSINT investigations. Developed to address the inefficiencies of traditional search engines, Cylect.io simplifies the search process and enhances the speed and accuracy of data collection in investigative contexts.
▪ ChatPDF Source: https://chatpdf.com
ChatPDF is an OSINT tool that leverages AI to analyze and extract information from PDF documents through a conversational interface. Users can upload PDF files and interact with the tool to quickly retrieve specific data, summaries, and insights, making it a valuable resource for ethical hacking.
▪ Bardeen.ai Source: https://www.bardeen.ai
Bardeen.ai is an automation tool that can be used for OSINT by enabling users to streamline and automate data collection and analysis processes from various online sources. This enhances the speed and accuracy of OSINT activities, making them useful assets for cybersecurity professionals, researchers, and investigators.
▪ DarkGPT Source: https://github.com/luijait/DarkGPT
DarkGPT is an AI assistant that uses GPT-4-200K to query leaked databases, aiding in efficient and targeted searches within compromised data sources. This enables users to extract vital information and insights, enhancing the OSINT capabilities of cybersecurity analysts and researchers.
▪ PenLink Cobwebs Source: https://cobwebs.com
PenLink Cobwebs is an advanced AI-powered OSINT tool that specializes in gathering and analyzing data from various online sources. It offers comprehensive capabilities for collecting, processing, and visualizing information to support cybersecurity investigations.
▪ Explore AI Source: https://exploreai.vercel.app
Explore AI is an AI-powered YouTube search engine that uses artificial intelligence to search for and extract information from YouTube videos, making it easier to access information for ethical hacking purposes.
▪ AnyPicker Source: https://app.anypicker.com
AnyPicker is a powerful visual web scraper and AI OSINT tool designed to extract data from websites without requiring coding skills. This tool supports scraping multiple pages simultaneously and provides a real-time preview of the extraction results, offering flexibility and efficiency in web data collection.
Create and Run Custom Python Script to Automate Footprinting Tasks with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly create and run custom footprinting scripts and acquire valuable insights about their targets. By developing custom scripts empowered by artificial intelligence (AI), attackers can efficiently execute a series of website footprinting commands to gather information about a target domain for cybersecurity assessments. For example, attackers can use ChatGPT to guide the development of such a script by using an appropriate prompt such as: "Develop a Python script which will accept the domain name www.microsoft.com as input and execute a series of website footprinting commands, including DNS lookups, WHOIS records retrieval, email enumeration, and more, to gather information about the target domain."
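As an added example (not the course's script and not output from ChatGPT), the following Python shows what such a script looks like when written for checking a domain you are responsible for: it validates the domain before use, parses WHOIS output, enumerates addresses in the domain from page text, and forward-resolves a few conventional names with the standard library. The WHOIS text and page are constructed samples for the hypothetical domain example.test, so everything except the live DNS step runs offline.

```python
# Added example, not the course's script and not ChatGPT output: a small
# footprinting helper of the kind the prompt above describes, written for
# checking what a domain you are responsible for exposes. The DNS step uses
# only the standard library; the WHOIS text and web page are constructed
# samples (hypothetical domain example.test) so the parsing runs offline.
import re
import socket

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def normalize_domain(value):
    """Accept 'example.test', 'www.example.test' or 'https://www.example.test/x'
    and return the lower-cased host; reject anything else so untrusted input
    never reaches a subprocess (e.g. a whois or dig command) unvalidated."""
    host = value.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host).split("/")[0].split(":")[0]
    if not DOMAIN_RE.match(host):
        raise ValueError(f"not a valid domain name: {value!r}")
    return host


WHOIS_FIELDS = {
    "registrar": r"^\s*Registrar:\s*(.+)$",
    "created": r"^\s*Creation Date:\s*(.+)$",
    "expires": r"^\s*Registry Expiry Date:\s*(.+)$",
    "registrant_email": r"^\s*Registrant Email:\s*(.+)$",
}


def parse_whois(text):
    """Pick the fields worth reviewing out of a raw WHOIS response."""
    out = {"name_servers": []}
    for line in text.splitlines():
        for key, pattern in WHOIS_FIELDS.items():
            m = re.match(pattern, line, re.I)
            if m and key not in out:
                out[key] = m.group(1).strip()
        m = re.match(r"^\s*Name Server:\s*(\S+)", line, re.I)
        if m:
            out["name_servers"].append(m.group(1).lower().rstrip("."))
    return out


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_emails(text, domain):
    """Addresses under the target domain (or its subdomains), deduplicated and
    lower-cased, in order of first appearance; other domains are ignored."""
    seen, found = set(), []
    for addr in EMAIL_RE.findall(text):
        addr = addr.lower()
        host = addr.split("@", 1)[1]
        if (host == domain or host.endswith("." + domain)) and addr not in seen:
            seen.add(addr)
            found.append(addr)
    return found


def resolve_hosts(domain, labels=("", "www", "mail")):
    """Forward-resolve a few conventional names; names that do not resolve are
    skipped, so the result is simply [] when run without network access."""
    results = []
    for label in labels:
        host = f"{label}.{domain}" if label else domain
        try:
            addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
        except OSError:
            continue
        results.append((host, addrs))
    return results


# Constructed samples standing in for live WHOIS and HTTP responses.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2015-04-01T00:00:00Z
Registry Expiry Date: 2026-04-01T00:00:00Z
Registrant Email: Select Request Email Form at https://registrar.example/contact
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.DNS-PROVIDER.TEST
DNSSEC: unsigned
"""

SAMPLE_PAGE = """\
<p>Contact sales at Sales@example.test or support@Example.test.</p>
<p>Press: press@news.example.test; partners: bob@other-company.test</p>
<p>Duplicate mention: sales@example.test</p>
"""


def footprint(domain, whois_text, page_text):
    """Combine the steps into one report for the given (validated) domain."""
    domain = normalize_domain(domain)
    return {
        "domain": domain,
        "whois": parse_whois(whois_text),
        "emails": find_emails(page_text, domain),
        "hosts": resolve_hosts(domain),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(footprint("https://example.test/", SAMPLE_WHOIS, SAMPLE_PAGE), indent=2))
```

The validation step is the part an AI-generated script most often omits: a domain taken from a command line or web form and passed straight to whois or dig through a shell is a command-injection bug in the tool itself.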
10. Footprinting Countermeasures
Footprinting Countermeasures
- Restrict the employees’ access to social networking sites from the organization’s network
- Configure web servers to avoid information leakage
- Educate employees to use pseudonyms on blogs, groups, and forums
- Do not reveal critical information in press releases, annual reports, product catalogues, etc.
- Limit the amount of information published on a website or the Internet
- Use footprinting techniques to discover and remove any sensitive information that is publicly available
- Prevent search engines from caching a web page and use anonymous registration services
- Develop and enforce security policies such as information security and password policies to regulate the information that employees can reveal to third parties.
- Implement multi-factor authentication mechanisms to enhance the security of the organization's systems and resources.
- Set apart internal and external DNS or use split DNS, and restrict zone transfer to authorized servers.
- Disable directory listings in the web servers.
- Conduct security awareness training periodically to educate employees about various social engineering tricks and risks.
- Opt for privacy services on a Whois lookup database.
- Avoid domain-level cross-linking for critical assets.
- Encrypt and password-protect sensitive information.
- Implement captchas and rate limiting on public-facing services to prevent automated tools from collecting information at a rapid pace.
- Do not enable protocols that are not required.
- Always use TCP/IP and IPsec filters for defense in depth.
- Configure Internet Information Services (IIS) to avoid information disclosure through banner grabbing.
- Hide the IP address and related information by implementing a VPN or keeping the server behind a secure proxy.
- Request archive.org to delete the history of the website from the archive database.
- Keep the domain name profile private.
- Place critical documents such as business plans and proprietary documents offline to prevent exploitation.
- Train employees to thwart social engineering techniques and attacks.
- Sanitize the details provided to the Internet registrars to hide the direct contact details of the organization.
- Disable the geo-tagging functionality on cameras to prevent geolocation tracking.
- Avoid revealing one’s location or travel plans on social networking sites.
- Turn off geolocation access on all mobile devices when not required.
- Ensure that no critical information, such as strategic plans, product information, or sales projections, is displayed on notice boards or walls.
- Disable or delete the accounts of employees who left the organization.
- Configure mail servers to ignore mails from anonymous individuals.
- Deploy honeypots or honeynets within the network to attract and detect attackers that can divert potential footprinters away from critical systems.
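An added example, not from the course text: several of the web-server items above (avoid information leakage, disable directory listings, prevent search-engine caching, avoid disclosure through banner grabbing) can be checked mechanically. The Python below audits an HTTP response against them; the responses it checks are constructed (headers and bodies are invented). To use it against a server you operate, fetch the page with http.client or requests and pass in the status, headers and body.

```python
# Added example, not from the course text: a response-audit helper that
# checks an HTTP response against the web-server countermeasures listed
# above (no version banners, no directory listings, no verbose errors,
# no search-engine caching of sensitive pages). The responses below are
# constructed; fetch a real one from a server you operate to use it.
import re

# Headers that advertise the software stack to anyone who asks.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                  "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")
LISTING_RE = re.compile(r"<title>\s*Index of /|Directory Listing For|Parent Directory", re.I)
VERBOSE_ERROR_RE = re.compile(
    r"Traceback \(most recent call last\)|Stack Trace|Exception in thread"
    r"|Warning: .* on line \d+|ORA-\d{5}|at [\w.$]+\([\w.]+\.(?:java|cs):\d+\)",
    re.I,
)


def audit_response(status, headers, body, sensitive=True):
    """Return (check, detail) findings for one response. `sensitive` marks a
    page that search engines should not cache; an empty list means the
    response matches the countermeasures."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in BANNER_HEADERS:
        # A bare product name in Server is tolerated; a version string is not.
        if name in h and (name != "server" or VERSION_RE.search(h[name])):
            findings.append(("banner_disclosure", f"{name}: {h[name]}"))
    if status == 200 and LISTING_RE.search(body):
        findings.append(("directory_listing", "body looks like an auto-generated index"))
    if VERBOSE_ERROR_RE.search(body):
        findings.append(("verbose_error", "stack trace or engine error text in body"))
    if sensitive and "noarchive" not in h.get("x-robots-tag", "").lower():
        findings.append(("search_engine_caching", "no 'X-Robots-Tag: noarchive' header"))
    return findings


# Constructed responses: (status, headers, body)
LEAKY = (
    200,
    {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
     "Content-Type": "text/html"},
    "<html><head><title>Index of /backup</title></head><body>"
    "<a href='../'>Parent Directory</a> <a href='db.sql'>db.sql</a></body></html>",
)
HARDENED = (
    200,
    {"Server": "Apache", "Content-Type": "text/html",
     "X-Robots-Tag": "noarchive, noindex"},
    "<html><body><h1>Welcome</h1></body></html>",
)
ERROR_PAGE = (
    500,
    {"Server": "nginx", "X-Robots-Tag": "noarchive"},
    "<pre>Traceback (most recent call last):\n  File \"/srv/app/views.py\", line 42</pre>",
)


def audit_all(responses):
    """Audit several (name, response) pairs; returns {name: [check, ...]}."""
    return {name: [check for check, _ in audit_response(*resp)]
            for name, resp in responses}


if __name__ == "__main__":
    for name, resp in (("leaky", LEAKY), ("hardened", HARDENED), ("error", ERROR_PAGE)):
        print(name)
        for check, detail in audit_response(*resp) or [("ok", "no findings")]:
            print(f"  {check}: {detail}")
```

Run over a crawl of your own site, the findings map directly onto the list: banner_disclosure points at server and framework configuration, directory_listing at autoindex-style settings, verbose_error at production error handlers, and search_engine_caching at pages that need a noarchive directive before an attacker can read them from a cache after they are taken down.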