
Module 01 - Introduction to Ethical Hacking

Elements of Information Security

| Name | Description |
|---|---|
| Confidentiality | Only authorized users can access information |
| Integrity | Data is accurate and unaltered |
| Availability | Resources accessible when needed |
| Authentication | Verify identity of user/device |
| Non-repudiation | Cannot deny authorship of an action |

Vulnerabilities, Threats, and Risks

| Term | Description |
|---|---|
| Vulnerability | Weakness exploitable by an attacker |
| Threat | Potential cause of harm |
| Risk | Likelihood of harm if a threat exploits a vulnerability |

Common Reasons for Vulnerabilities

| Reason |
|---|
| Hardware/software misconfiguration |
| Insecure or poor design |
| Inherent technology weakness |
| End-user carelessness |
| Intentional end-user actions |

Examples of Vulnerabilities

| Technological | Configuration |
|---|---|
| TCP/IP (HTTP, FTP, ICMP, SNMP, SMTP) | User accounts – insecure transmission |
| OS – unpatched/insecure | System accounts – weak passwords |
| Network devices – no auth, weak routing | Internet services – misconfigured IIS/Apache/FTP; default credentials; misconfigured routers/firewalls |

Classification of Attacks

| Type | Examples |
|---|---|
| Passive | Traffic analysis, footprinting, sniffing |
| Active | DoS, MitM, privilege escalation, injections |
| Close-in | Shoulder surfing, eavesdropping, physical tampering |
| Insider | Data theft, sabotage, malware planting, pod slurping |
| Distribution | Hardware/software tampering during supply chain |

Information Warfare (InfoWar) – Libicki's 7 Categories

| Type | Description |
|---|---|
| C2 Warfare | Control over a compromised system/network |
| Intelligence-based | Sensor-based; design, protect, deny intel systems to dominate battlespace |
| Electronic | Radio/cryptographic techniques to degrade communication |
| Psychological | Propaganda and terror to demoralize adversaries |
| Hacker | Cyberattacks to disrupt/destroy systems (viruses, trojans, logic bombs) |
| Economic | Block information flow to damage economy |
| Cyber | Broadest form; includes info terrorism, semantic attacks, simula-warfare |

Hacker Classes

| Class | Background | Motivations | Activity | Targets |
|---|---|---|---|---|
| Script Kiddies | Inexperienced, use pre-made tools | Thrill, fun | DDoS, defacement | Small websites, games |
| White Hat | Cybersecurity professionals | Improve security, salary | Pentest, vuln assessment | Corporations, governments |
| Black Hat | Extraordinary computing skills | Financial gain, harm | Malware, phishing, ransomware | Banks, enterprises |
| Gray Hat | Between ethical and unethical | Recognition, curiosity | Unauth vuln discovery | High-profile orgs |
| Hacktivists | Politically/socially motivated | Promote a cause | DDoS, defacement, leaks | Governments, corporations |
| State-Sponsored | Gov-trained professionals | Espionage, national security | Cyber espionage, sabotage | Foreign agencies, corporations |
| Cyber Terrorists | Extremists | Fear, ideology | Critical infrastructure attacks | Infrastructure, public services |
| Corporate Spies | Hired intel gatherers | Competitive advantage | Industrial espionage | Competitor companies |
| Blue Hat | Temp security testers | Product security | Security audits, pentest | Tech/software companies |
| Red Hat | Vigilantes vs black hats | Cyber justice | Attack black hats | Cybercriminals |
| Green Hat | Newcomers, learning | Curiosity, recognition | Simple attacks, experimenting | Low-risk targets |

Other Hacker Types

| Class | Description |
|---|---|
| Suicide Hackers | Individuals who carry out attacks with no regard for personal consequences, often motivated by ideology or revenge |
| Hacker Teams | Groups of hackers who collaborate on attacks, often sharing knowledge, tools, resources, and discovered vulnerabilities |
| Insiders | Employees or trusted individuals who exploit their access for malicious purposes |
| Criminal Syndicates | Organized groups that engage in cybercrime for financial gain |
| Organized Hackers | Groups of hackers working together on criminal activities |

Explain Ethical Hacking Concepts and Scope

Ethical hackers perform only activities authorized by contract, non-disclosure agreements, and legal boundaries; they perform DoS testing only if it has been agreed with the client beforehand.

Skills of an Ethical Hacker

| Skill | Description |
|---|---|
| Technical Skill | Proficiency in various technologies, systems, and networks to identify and exploit vulnerabilities. Knowledge of programming, networking, security tools, OS and applications. |
| Non-Technical Skill | Quick learning, ethical mindset, problem-solving, communication, and analytical skills. |

AI-Driven Hacking

| Benefit | Description |
|---|---|
| Efficiency | Automates repetitive tasks, faster vulnerability scanning and exploitation |
| Accuracy | Reduces human error, identifies complex patterns and vulnerabilities |
| Scalability | Can analyze large datasets and systems, enabling comprehensive security assessments that may be impractical for human hackers alone |
| Cost-Effectiveness | Reduces time and resources needed for security testing, making it more accessible |
| Automation of Repetitive Tasks | Frees up human hackers to focus on more complex and creative aspects of ethical hacking |
| Predictive Analysis | Anticipates potential attack vectors and vulnerabilities based on historical data and trends |
| Advanced Threat Detection | Identifies sophisticated threats that may evade traditional security measures, enhancing overall security posture (zero-day vulnerabilities, anomaly detection) |
| Enhanced Decision-Making | Provides insights and recommendations based on data analysis, helping ethical hackers make informed decisions during security assessments |
| Adaptive Learning | Continuously learns from new data and attack techniques, improving its effectiveness over time |
| Enhanced Reporting | Generates detailed reports and visualizations of security assessments, making it easier for stakeholders to understand vulnerabilities and risks |
| Simulation and Testing | Simulates attacks and tests defenses in a controlled environment, allowing ethical hackers to evaluate the effectiveness of security measures and identify weaknesses |
| Continuous Monitoring | Provides real-time monitoring and alerts for potential security threats, allowing ethical hackers to respond quickly to emerging risks |
| Adaptive Defense Mechanism | AI can adapt its defense strategies based on evolving threats, making it more effective in protecting against new and emerging attack techniques |

Explain Hacking Methodologies and Frameworks

Phases of Ethical Hacking Framework

| Phase | Description |
|---|---|
| Reconnaissance | Gathering information about the target system or network to identify potential vulnerabilities. Port scanning, enumeration |
| Vulnerability Scanning | Identifying and analyzing vulnerabilities in the target system or network. Automated tools, manual testing |
| Gaining Access | Exploiting identified vulnerabilities to gain unauthorized access to the target system or network. Exploitation techniques, social engineering and privilege escalation |
| Maintaining Access | Establishing a persistent presence on the target system or network to ensure continued access. Backdoors, rootkits, trojans, services or registry modifications |
| Clearing Tracks | Removing evidence of the attack to avoid detection and maintain anonymity. Log manipulation, file deletion, anti-forensics techniques |

Cyber Kill Chain (Lockheed Martin)

| Phase | Description |
|---|---|
| Reconnaissance | Attacker gathers information about the target to identify vulnerabilities and plan the attack. |
| Weaponization | Attacker creates a malicious payload (e.g., malware, exploit) to deliver to the target. |
| Delivery | Attacker transmits the weaponized payload to the target (e.g., email, drive-by download). |
| Exploitation | Attacker exploits a vulnerability in the target system to execute the payload. |
| Installation | Attacker installs malware or establishes a foothold on the target system. |
| Command and Control (C2) | Attacker establishes communication with the compromised system to control it remotely. |
| Actions on Objectives | Attacker achieves their goals (e.g., data exfiltration, system disruption) using the compromised system. |

Tactics, Techniques, and Procedures (TTPs)

| Term | Description |
|---|---|
| Tactic | The overall goal or objective of an attack (e.g., data exfiltration, system disruption). It defines the way an attacker operates to achieve their objectives. |
| Technique | The specific method or approach used by an attacker to achieve a tactic (e.g., phishing, SQL injection). It describes how an attacker accomplishes a particular task. |
| Procedure | The detailed steps or actions taken by an attacker to execute a technique (e.g., crafting a phishing email, exploiting a SQL injection vulnerability). It outlines the specific actions an attacker takes to carry out a technique. |

Adversary Behavior Identification

| Behavior | Description |
|---|---|
| Internal Reconnaissance | Attacker gathers information about the internal network and systems after gaining access. |
| Use of PowerShell | Attacker utilizes PowerShell for various tasks, such as reconnaissance, exploitation, and maintaining access. |
| Unspecified Proxy Activities | An attacker can create and configure multiple domains pointing to the same host, making it difficult to identify the true source of the attack. |
| Use of Command-line Interface | Attacker uses command-line tools to execute commands and perform actions on the target system. |
| HTTP User Agent Manipulation | Attacker modifies the HTTP User-Agent header to disguise their identity or evade detection. |
| Command and Control (C2) Communication | Attacker establishes communication with the compromised system to control it remotely. |
| DNS Tunneling | Attacker uses DNS queries and responses to exfiltrate data or establish communication with the compromised system. |
| Web Shells | Attacker deploys web shells to maintain access and control over the compromised system. |
| Data Staging | Attacker prepares and organizes data for exfiltration from the compromised system. |

Indicator of Compromise (IoC)

| IoC | Description |
|---|---|
| Email IoC | Indicators related to email-based attacks, such as phishing emails, malicious attachments, or suspicious sender addresses. |
| Network IoC | Indicators related to network-based attacks, such as unusual traffic patterns, unauthorized access attempts, or communication with known malicious IP addresses, malware delivery, URLs, domain names. |
| Host-Based IoC | Indicators related to host-based attacks, such as filenames, file hashes, registry keys, DLLs, mutexes. |
| Behavioral IoC | Indicators related to attacker behavior, such as unusual user activity, unauthorized access attempts, or suspicious command execution. Malicious IPs, virus signatures, MD5 hashes, domain names, use of PowerShell and RCE. |
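The IoC classes above (network, host-based, behavioral) and two of the adversary behaviors from the previous table (DNS tunneling, use of PowerShell) can be turned into simple detection logic over log lines. The following is an added example written for these notes, not code from the course; every indicator value, hash and log line in it is constructed (documentation IP ranges, `.example` names, a made-up hash), and the label-length and entropy thresholds for the DNS-tunneling heuristic are assumptions, not published values.

```python
"""Match constructed log lines against IoC classes and adversary behaviours.

Added example, not from the notes. Every indicator value and log line below is
constructed for illustration (documentation IP ranges, .example names, a made-up
hash); the tunnelling heuristic thresholds are assumptions, not published values.
"""
import math
import re
from collections import Counter

# Constructed indicator set, grouped by the IoC classes in the table above.
NETWORK_IOCS = {"ips": {"203.0.113.45"}, "domains": {"update-check.example"}}
HOST_IOCS = {
    "hashes": {"0123456789abcdef0123456789abcdef"},   # constructed, not a real sample
    "filenames": {"svchosts.exe"},                    # look-alike of svchost.exe
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

# Assumed thresholds for the DNS-tunnelling heuristic (label length / entropy).
TUNNEL_MIN_LABEL_LEN = 30
TUNNEL_MIN_ENTROPY = 3.5


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def match_line(line):
    """Return (ioc_class, reason) hits for one log line, in detection order."""
    hits = []
    low = line.lower()
    for ip in IP_RE.findall(line):
        if ip in NETWORK_IOCS["ips"]:
            hits.append(("network", f"known bad IP {ip}"))
    for dom in DOMAIN_RE.findall(low):
        if dom in NETWORK_IOCS["domains"]:
            hits.append(("network", f"known bad domain {dom}"))
            continue
        # Behavioural check: a long, high-entropy leftmost label is a common
        # sign of data being carried inside DNS queries (DNS tunnelling).
        label = dom.split(".")[0]
        if len(label) >= TUNNEL_MIN_LABEL_LEN and shannon_entropy(label) > TUNNEL_MIN_ENTROPY:
            hits.append(("behavioral", f"possible DNS tunnelling label {label[:12]}..."))
    for h in MD5_RE.findall(low):
        if h in HOST_IOCS["hashes"]:
            hits.append(("host", f"known bad hash {h}"))
    for name in HOST_IOCS["filenames"]:
        if name in low:
            hits.append(("host", f"known bad filename {name}"))
    # Behavioural check from the previous table: encoded PowerShell on the command line.
    if "powershell" in low and ("-enc " in low or "-encodedcommand " in low):
        hits.append(("behavioral", "encoded PowerShell command"))
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    found = []
    for lineno, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            found.append((lineno, hits))
    return found


# Constructed sample log lines (firewall, DNS, Sysmon-style process events, web).
LOG_LINES = [
    "2024-05-01T10:00:01Z fw ALLOW 10.0.0.5:51234 -> 203.0.113.45:443",
    "2024-05-01T10:00:07Z dns query a9f3k2m1x8q4w7e6r5t0y2u1i3o9p4l6.tun.example from 10.0.0.5",
    "2024-05-01T10:00:09Z sysmon proc C:\\Windows\\Temp\\svchosts.exe md5=0123456789abcdef0123456789abcdef",
    "2024-05-01T10:00:12Z sysmon proc powershell.exe -nop -w hidden -enc SQBFAFgA",
    "2024-05-01T10:00:15Z web GET /index.html ua=Mozilla/5.0 from 198.51.100.7",
]

if __name__ == "__main__":
    for lineno, hits in scan(LOG_LINES):
        for ioc_class, reason in hits:
            print(f"line {lineno}: [{ioc_class}] {reason}")
```

Atomic indicators (IP, hash, filename) are exact matches and age quickly; the two behavioral checks are heuristics that need tuning against your own baseline, since legitimate CDN hostnames and signed admin scripts can trip them.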

MITRE ATT&CK Framework

| Tactic | Description |
|---|---|
| Reconnaissance | Gathering information about the target to identify vulnerabilities and plan the attack. |
| Resource Development | Attacker creates or acquires resources (e.g., infrastructure, tools) to support the attack. |
| Initial Access | Attacker gains initial access to the target system or network. |
| Execution | Attacker executes malicious code or commands on the target system. |
| Persistence | Attacker establishes a persistent presence on the target system to maintain access. |
| Privilege Escalation | Attacker elevates their privileges on the target system to gain more control. |
| Defense Evasion | Attacker employs techniques to evade detection and avoid defenses. |
| Credential Access | Attacker attempts to steal or access credentials to gain further access. |
| Discovery | Attacker gathers information about the target system and network after gaining access. |
| Lateral Movement | Attacker moves laterally within the target network to access additional systems. |
| Collection | Attacker gathers data from the target system for exfiltration. |
| Command and Control | Attacker establishes communication with the compromised system to control it remotely. |
| Exfiltration | Attacker exfiltrates data from the target system. |
| Impact | Attacker achieves their goals (e.g., data destruction, system disruption) using the compromised system. |

Diamond Model of Intrusion Analysis

| Component | Description |
|---|---|
| Adversary | The individual or group responsible for the attack. |
| Victim | The target of the attack, which can be an individual, organization, or system. |
| Capability | The skills, knowledge, and resources possessed by the adversary to execute the attack. |
| Infrastructure | The tools, techniques, and resources used by the adversary to carry out the attack. |

Additional Event Meta-Features:

| Meta-Feature | Description |
|---|---|
| Timestamp | The date and time when the attack event occurred. |
| Phase | The stage of the attack lifecycle (e.g., reconnaissance, weaponization, delivery, exploitation) during which the event took place. |
| Result | The outcome or impact of the attack event (e.g., successful compromise, failed attempt, data exfiltration). |
| Direction | The direction of the attack (e.g., inbound, outbound), indicating whether the attack is targeting the victim or originating from the victim. |
| Methodology | The specific techniques or tactics used by the adversary during the attack event (e.g., phishing, SQL injection, lateral movement). |
| Resources | The tools, infrastructure, or resources utilized by the adversary during the attack event (e.g., malware, command and control servers). |

Extended Diamond Model

This model extends the original model by adding Socio-Political and Technology features.

| Component | Description |
|---|---|
| Socio-political | The political context or motivations behind the attack, such as geopolitical tensions, ideological beliefs, or state-sponsored activities. |
| Technology | Describes the relationship between the infrastructure and capability and how technology can enable both infrastructure and capability for communication, coordination, and execution of attacks. |
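The practical value of the Diamond Model is pivoting: an analyst who knows one vertex of an event (say, a C2 address) looks for other events sharing it and uses the meta-features to order them into an activity thread. The following is an added example written for these notes, not course material; the events, adversary name, IPs and timestamps are constructed, and the attribution rule it applies (propagate a known adversary name across events that share infrastructure or capability) is an assumption about analyst practice, not something the model itself prescribes.

```python
"""Diamond Model events with meta-features, and pivoting on shared features.

Added example, not from the notes. All events, adversary names, IPs and
timestamps below are constructed; the attribution rule (propagate an adversary
name across events that share infrastructure or capability) is an assumption
about analyst practice, not a rule the model itself prescribes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    # Core features (the four vertices)
    adversary: str            # "unknown" until attributed
    capability: str
    infrastructure: str
    victim: str
    # Event meta-features
    timestamp: str
    phase: str
    result: str
    direction: str
    methodology: str


EVENTS = [  # constructed
    DiamondEvent("E1", "GROUP-A", "macro-dropper", "203.0.113.10", "victim-corp",
                 "2024-05-01T08:00Z", "delivery", "success", "inbound", "phishing"),
    DiamondEvent("E2", "unknown", "web-shell", "203.0.113.10", "victim-bank",
                 "2024-05-03T11:30Z", "installation", "success", "inbound", "web exploitation"),
    DiamondEvent("E3", "unknown", "macro-dropper", "198.51.100.7", "victim-utility",
                 "2024-05-04T09:10Z", "delivery", "failed", "inbound", "phishing"),
    DiamondEvent("E4", "unknown", "credential-stuffer", "192.0.2.99", "victim-shop",
                 "2024-05-05T20:00Z", "exploitation", "failed", "inbound", "credential stuffing"),
]


def pivot(events, feature, value):
    """All events sharing one feature value, e.g. pivot(EVENTS, 'infrastructure', ip)."""
    return [e for e in events if getattr(e, feature) == value]


def group_by(events, feature):
    """Map each distinct feature value to the event ids that carry it."""
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, feature)].append(e.event_id)
    return dict(groups)


def attribute(events):
    """Propagate known adversary names to unknown events via shared infrastructure or capability.

    Loops until nothing changes, so chains (E1 -> E2 -> E5 ...) are followed.
    """
    attribution = {e.event_id: e.adversary for e in events}
    changed = True
    while changed:
        changed = False
        for e in events:
            if attribution[e.event_id] != "unknown":
                continue
            for other in events:
                if other is e or attribution[other.event_id] == "unknown":
                    continue
                if other.infrastructure == e.infrastructure or other.capability == e.capability:
                    attribution[e.event_id] = attribution[other.event_id]
                    changed = True
                    break
    return attribution


def activity_thread(events, adversary):
    """Chronological (timestamp, phase, victim) list for one adversary after attribution."""
    attr = attribute(events)
    thread = [e for e in events if attr[e.event_id] == adversary]
    return [(e.timestamp, e.phase, e.victim) for e in sorted(thread, key=lambda e: e.timestamp)]


if __name__ == "__main__":
    print(attribute(EVENTS))
    for step in activity_thread(EVENTS, "GROUP-A"):
        print(step)
```

Pivoting on shared infrastructure is strong evidence; pivoting on a shared capability is weak when the capability is a commodity tool that many actors use, so in practice the capability edge should carry a lower confidence than the code above gives it.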

Summarize the Techniques used in Information Security Controls

Information Assurance

| Processes |
|---|
| Developing local policy, process, and guidance |
| Designing network and user authentication strategies |
| Identifying network vulnerabilities and threats |
| Identifying problem and resource requirements |
| Creating plans for identified resource requirements |
| Applying appropriate information assurance controls |
| Performing certification and accreditation |
| Providing information assurance training |

Continual/Adaptive Security Strategy

| Strategy | Description |
|---|---|
| Protection | Implementing security measures to prevent attacks and protect assets. Policies, physical security, host security, firewall and IDS |
| Detection | Implementing measures to identify and respond to attacks in a timely manner. SIEM, IDS, honeypots, anomaly detection |
| Response | Developing and implementing plans to respond to security incidents and mitigate their impact. Incident response plans, communication protocols, containment strategies |
| Prediction | Utilizing threat intelligence and analytics to anticipate and proactively defend against potential attacks. Threat modeling, vulnerability assessments, predictive analytics |

Defense in Depth

Risk

| Term | Description |
|---|---|
| Risk | The potential for loss or damage to an organization's assets, operations, or individuals due to threats exploiting vulnerabilities. It is calculated with a formula: Risk = Threat x Vulnerability x Impact (also written Risk = Threat x Vulnerability x Asset Value) |

Risk Level

| Risk Level | Description |
|---|---|
| Low | Risk is acceptable and can be tolerated without significant impact. |
| Medium | Risk is moderate and may require additional controls or mitigation strategies. No immediate action is required, but action should be implemented quickly. |
| Extreme or High | Risk is unacceptable and requires immediate attention and mitigation to prevent significant impact. Identify controls to reduce risk to a reasonably low level. |

Risk Matrix

| Probability | Likelihood | Insignificant | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|---|
| 81 - 100% | Very High Probability | Low | Medium | High | Extreme | Extreme |
| 61 - 80% | High Probability | Low | Medium | High | High | Extreme |
| 41 - 60% | Equal Probability | Low | Medium | Medium | High | High |
| 21 - 40% | Low Probability | Low | Low | Medium | Medium | High |
| 1 - 20% | Very Low Probability | Low | Low | Medium | Medium | High |
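The matrix and the Risk Level table are only useful once they are applied to a risk register, where the point is the resulting treatment order. The following is an added example written for these notes, not course material: it encodes the 5x5 matrix and the actions from the Risk Level table exactly as given above, rejects probabilities outside the 1-100% range the matrix covers, and applies them to a constructed register.

```python
"""Risk level lookup from the risk matrix above, applied to a constructed register.

Added example, not from the notes. The matrix bands and Risk Level actions are
the ones in the tables above; the register entries are constructed.
"""
IMPACTS = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]

# (low %, high %) probability band, its likelihood label, and the risk level per
# impact column in the same order as IMPACTS (one row of the matrix each).
MATRIX = [
    ((81, 100), "Very High", ["Low", "Medium", "High", "Extreme", "Extreme"]),
    ((61, 80),  "High",      ["Low", "Medium", "High", "High", "Extreme"]),
    ((41, 60),  "Equal",     ["Low", "Medium", "Medium", "High", "High"]),
    ((21, 40),  "Low",       ["Low", "Low", "Medium", "Medium", "High"]),
    ((1, 20),   "Very Low",  ["Low", "Low", "Medium", "Medium", "High"]),
]

# Required action per level, from the Risk Level table.
ACTION = {
    "Low": "acceptable; tolerate",
    "Medium": "no immediate action; implement controls quickly",
    "High": "immediate attention; reduce to a reasonably low level",
    "Extreme": "immediate attention; reduce to a reasonably low level",
}
SEVERITY = {"Extreme": 0, "High": 1, "Medium": 2, "Low": 3}


def likelihood(probability_pct):
    """Map a 1-100 probability to its likelihood label; reject values outside the matrix."""
    for (lo, hi), label, _ in MATRIX:
        if lo <= probability_pct <= hi:
            return label
    raise ValueError(f"probability {probability_pct}% is outside the 1-100 range")


def risk_level(probability_pct, impact):
    """Look up the matrix cell for a probability and an impact column."""
    if impact not in IMPACTS:
        raise ValueError(f"unknown impact {impact!r}; expected one of {IMPACTS}")
    for (lo, hi), _, levels in MATRIX:
        if lo <= probability_pct <= hi:
            return levels[IMPACTS.index(impact)]
    raise ValueError(f"probability {probability_pct}% is outside the 1-100 range")


def prioritise(register):
    """Score (name, probability %, impact) entries; most severe first, then most likely."""
    scored = [(name, p, impact, risk_level(p, impact)) for name, p, impact in register]
    return sorted(scored, key=lambda r: (SEVERITY[r[3]], -r[1]))


REGISTER = [  # constructed
    ("Unpatched web server", 70, "Major"),
    ("Weak admin passwords", 85, "Severe"),
    ("Lost unencrypted USB stick", 30, "Minor"),
    ("Staff phishing", 90, "Moderate"),
]

if __name__ == "__main__":
    for name, p, impact, level in prioritise(REGISTER):
        print(f"{level:8} {name:28} {p:>3}% {impact:13} -> {ACTION[level]}")
```

Note that a 90% likelihood of a Moderate impact ranks below an 85% likelihood of a Severe one: the matrix is deliberately impact-weighted, which is the behaviour a qualitative register should have when a quantitative Threat x Vulnerability x Impact score is not available.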

Risk Management

| Step | Description |
|---|---|
| Identify | Identify and categorize assets, threats, and vulnerabilities. |
| Assess | Assess the likelihood and impact of identified risks. |
| Treatment | Develop and implement strategies to mitigate or manage identified risks. |
| Risk Tracking and Review | Continuously monitor and review risks to ensure that mitigation strategies are effective and to identify new risks. |

Threat Intelligence

| Type | Description |
|---|---|
| Strategic | High-level information about threat actors, their motivations, capabilities, potential targets, geopolitical context. Used for long-term planning and decision-making. |
| Tactical | Information about specific attack techniques, tactics, and procedures (TTPs) used by threat actors. Used for operational planning and defense. |
| Operational | Information about specific threats, such as indicators of compromise (IoCs), attack patterns, and vulnerabilities. Used for immediate response and mitigation. |
| Technical | Information about specific technical details of threats, such as malware signatures, IP addresses, domain names, and file hashes. Used for detection and prevention. |

Threat Intelligence Lifecycle

| Phase | Description |
|---|---|
| Planning and Direction | Define intelligence requirements, set objectives, and allocate resources for threat intelligence activities. |
| Collection | Gather raw data from various sources, such as open-source intelligence (OSINT), human intelligence (HUMINT), technical intelligence (TECHINT), social media intelligence (SOCMINT), measurement and signature intelligence (MASINT), and imagery intelligence (IMINT). |
| Processing and Exploitation | Analyze and process collected data to extract relevant information and identify patterns, trends, and relationships for use in data analysis and decision-making. |
| Analysis and Production | Analyze processed data to produce actionable intelligence, such as threat assessments, attack patterns, and vulnerability reports. Objective, Timely, Accurate, and Actionable. |
| Dissemination and Integration | Share and disseminate produced intelligence to relevant stakeholders, such as security teams, management, and external partners, to inform decision-making and enhance security posture. Strategic, Tactical, Operational, Technical |

Threat Modeling

| Methodology | Description |
|---|---|
| Identify Security Objectives | Define the security goals and objectives for the system or application being analyzed and how much effort should be allocated to achieve them. |
| Application Overview | Create a high-level overview of the system or application, including its components, data flows, and interactions with external entities. |
| Decompose the Application | Break down the system or application into smaller components and analyze each component for potential vulnerabilities and attack vectors. |
| Identify Threats | Identify potential threats and attack vectors that could exploit vulnerabilities in the system or application. |
| Identify Vulnerabilities | Identify vulnerabilities in the system or application that could be exploited by identified threats. |

Incident Handling and Response

| Phase | Description |
|---|---|
| Preparation | Establish and maintain an incident response capability, including policies, procedures, tools, and training. |
| Incident Recording and Assignment | Record and categorize incidents; this phase handles identifying an incident and defining proper incident communication plans for the employees. |
| Incident Triage | Assess the severity and impact of the incident (attack type, severity, target, propagation methods) to prioritize response efforts. |
| Notification | Notify appropriate stakeholders, such as management, legal, and external partners, about the incident. |
| Containment | Implement measures to contain the incident and prevent further damage, such as isolating affected systems, blocking malicious traffic, and disabling compromised accounts. |
| Evidence Collection and Analysis | Collect and analyze evidence related to the incident to determine the cause, scope, and impact of the attack. |
| Eradication | Remove the root cause of the incident and any related artifacts, such as malware, backdoors, and unauthorized access. |
| Recovery | Restore affected systems and services to normal operation, ensuring that vulnerabilities are addressed. |
| Post-Incident Activity | Conduct a post-incident review to identify lessons learned, improve incident response processes, and enhance overall security posture. |

Role of AI and ML in Cyber Security

| Application | Description |
|---|---|
| Supervised Learning | AI models are trained on labeled datasets to classify and detect known threats, such as malware, phishing emails, and network intrusions. Classification identifies the class of a test sample; regression predicts labels with continuous values. |
| Unsupervised Learning | AI models analyze unlabeled data to identify patterns, anomalies, and potential threats without prior knowledge of specific attack signatures. Clustering groups similar data points; anomaly detection identifies outliers. |

How AI and ML Prevent Cyber Attacks

| Application | Description |
|---|---|
| Password protection and authentication | AI can analyze biometric data, user behavior, and other authentication factors to enhance security and prevent unauthorized access. |
| Phishing detection | AI can analyze email content, sender information, and other factors to identify and block phishing attempts. |
| Threat detection and response | AI can analyze network traffic, system logs, and other data to identify and respond to potential threats in real time. |
| Vulnerability management | AI can analyze software and systems to identify vulnerabilities and prioritize them for remediation. |
| Behavioral analysis | AI can analyze user behavior and network activity to identify anomalies that may indicate a potential attack. |
| Network security | AI can analyze network traffic to identify and block malicious activity, such as DDoS attacks, malware communication, and unauthorized access attempts. |
| AI-based antivirus | AI can analyze files and processes to identify and block malware, including zero-day threats that may not have known signatures. |
| Botnet detection | AI can analyze network traffic and behavior to identify and block botnet activity, which is often used for large-scale attacks such as DDoS. |
| AI-driven threat intelligence | AI can analyze vast amounts of data to identify emerging threats, attack patterns, and vulnerabilities, providing actionable intelligence for proactive defense. |

Security Laws and Standards

| Law/Standard | Description | Keywords |
|---|---|---|
| Payment Card Industry Data Security Standard (PCI DSS) | A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. | Credit cards, ATM, POS |
| Health Insurance Portability and Accountability Act (HIPAA) | A US law that sets standards for the protection of sensitive patient health information, including requirements for data security, privacy, and breach notification. | Healthcare, patient data, privacy, National Provider Identifier Standard (NPI) |
| Sarbanes-Oxley Act (SOX) | A US law (2002) that establishes requirements for financial reporting and corporate governance, including provisions for data security and internal controls. | Financial reporting, corporate governance, internal controls, stakeholders, 2002 |
| The Digital Millennium Copyright Act (DMCA) | A US law (1998) that criminalizes the unauthorized distribution and reproduction of copyrighted material, including provisions for online service providers and digital rights management. | Copyright, intellectual property, online service providers, digital rights management, 1998 |
| Federal Information Security Management Act (FISMA) | A US law (2002) that requires federal agencies to implement information security programs to protect government information and systems. | Federal agencies, information security programs, government information, systems |
| General Data Protection Regulation (GDPR) | A European Union regulation (2018) that sets standards for the protection of personal data and privacy, including requirements for data processing, consent, and breach notification. | Personal data, privacy, data processing, consent, breach notification, 2018 |
| Data Protection Act (DPA) | A UK law (2018) that sets standards for the protection of personal data and privacy, including requirements for data processing, consent, and breach notification. | Personal data, privacy, data processing, consent, breach notification, 2018 |

ISO/IEC 27000 Series

| Standard | Description | Keywords |
|---|---|---|
| ISO/IEC 27001:2022 | An international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). | Information security management, risk management, controls |
| ISO/IEC 27701:2019 | Extends ISO/IEC 27001 to include privacy information management, providing guidelines for managing personal data and ensuring compliance with privacy regulations. | Privacy management, personal data, GDPR |
| ISO/IEC 27002:2022 | Provides best practices and controls for critical areas such as access control, cryptography, physical security, and incident management. | Information security controls, best practices |
| ISO/IEC 27005:2022 | Provides guidelines for information security risk management, including risk assessment, risk treatment, and risk acceptance. | Risk management, risk assessment, risk treatment |
| ISO/IEC 27018:2019 | Focuses on the protection of personally identifiable information (PII) in public cloud computing environments, providing guidelines for implementing controls to protect PII. | Cloud security, PII protection, privacy |
| ISO/IEC 27032:2023 | Explains the relationship between internet, web, network security, and cybersecurity. | Internet security, web security, network security, cybersecurity |
| ISO/IEC 27033-7:2015 | Provides guidelines for the implementation of network virtualization security. | Network virtualization, security |
| ISO/IEC 27036-3:2023 | Provides guidelines for information security in supplier relationships. | Supplier relationships, information security |
| ISO/IEC 27040:2024 | Provides guidelines for storage security, including data storage, backup, and recovery. | Storage security, data storage, backup, recovery |

Module 02 - Footprinting and Reconnaissance

Footprinting Concepts

| Term | Description |
|---|---|
| Reconnaissance | Gathering information about a target to identify vulnerabilities and plan an attack |
| Passive Footprinting | No direct interaction: public records, social media, search engines, OSINT |
| Active Footprinting | Direct interaction: port scanning, network mapping, DNS interrogation, enumeration |

Footprinting through Search Engines

Google Dorks

| Dork | Description |
|---|---|
| intitle: / allintitle: | Pages with specific words in the title |
| inurl: / allinurl: | Pages with specific words in the URL |
| intext: / allintext: | Pages with specific words in the body |
| filetype: | Specific file types |
| site: | Pages within a specific domain |
| cache: | Cached versions of web pages |
| link: | Pages linking to a specific URL |
| related: | Pages similar to a specific URL |
| allinanchor: | Pages with specified words in anchor text |
| info: | Information about a specific URL |
| location: | Pages from a specific location |
| source: | News articles from a specific source |
| before: / after: | Pages published before/after a date |

Search Types

| Type | Description |
|---|---|
| Advanced Search | Filters: language, region, last update, site/domain |
| Reverse Image Search | Find source, similar images, content info |
| Video Search Engines | Search videos by keywords, categories |
| Meta Search Engines | Aggregate results from multiple search engines |

Reconnaissance Tools

| Tool | What can you retrieve |
|---|---|
| Shodan | Internet-connected devices, OS, vulnerabilities |
| Censys | IP addresses, domains, vulnerabilities, device info |
| Netcraft | IP addresses, domains, hosting providers, OS |
| Archive.org | Historical website snapshots |
| Photon | Web crawling (uses Archive.org) |
| lynx | Website content (text-only, no scripts/images) |

Competitive Intelligence

| Approach | Description |
|---|---|
| Direct | Trade shows, social engineering, direct interactions |
| Indirect | Analyzing products, services, marketing, public info |

Resources by Category

| Category | Resources | Info Gathered |
|---|---|---|
| Financial Reports | EDGAR (SEC), D&B Hoovers, Factiva | SEC filings, financial data, company profiles |
| News & Legal | LexisNexis, Business Wire | Legal cases, press releases, news |
| Market Research | MarketWatch, Euromonitor, Wall Street Transcript | Industry reports, trends, CEO interviews |
| Online Marketing | SEMRush, SimilarWeb, SERanking, Experian | Keywords, traffic, competitors, PPC |
| Brand Monitoring | The Search Monitor | Trademark use, advertisers |
| Patents | USPTO | Patent and trademark info |

Other Footprinting Techniques

| Technique | Information Gathered | Tools |
|---|---|---|
| People Search | Personal info, contacts, social profiles | Pipl, Spokeo, Whitepages |
| Job Sites | Job postings, company info, employees | LinkedIn, Indeed, Glassdoor |
| Dark Web | Forums, marketplaces, illicit activities | Tor Browser |
| Geographical | Building entrances, cameras, gates, weak spots | Google Earth/Maps, Wikimapia |
| Alerts/Monitoring | Organization mentions, website updates | Google Alerts, Giga Alerts |
| Reputation | Search rankings, mentions, social news | Mention, ReviewPush, Reputology |
| Groups/Forums | Network info, system info, personal info | Google Groups, LinkedIn Groups |
| Source Code Repos | Config files, SSH/SSL keys, source code | Recon-ng, GitHub |

Social Network Footprinting

| Tool | What can you retrieve |
|---|---|
| theHarvester | Emails, subdomains, hosts, employee names, open ports (search engines, PGP, SHODAN) |
| Sherlock | Social media profiles across platforms |
| BuzzSumo | Content performance, engagement, influencers |
| Social-Searcher | Mentions, sentiment analysis, influencers |

Whois Footprinting

| Information Returned |
|---|
| Domain name details, registrant information |
| Domain owner contact, name servers |
| NetRange, IP address |
| Creation/expiry/last update dates |
| Domain status |

Regional Internet Registries (RIRs)

| RIR | Region |
|---|---|
| ARIN | North America |
| AFRINIC | Africa |
| APNIC | Asia-Pacific |
| LACNIC | Latin America & Caribbean |
| RIPE NCC | Europe, Middle East, Central Asia |

Geolocation Tool: IP2Location

DNS Footprinting

DNS Records

| Record | Description |
|---|---|
| A / AAAA | Domain → IPv4 / IPv6 address |
| CNAME | Domain → another domain (alias) |
| MX | Mail servers for the domain |
| NS | Authoritative name servers |
| TXT | Arbitrary text (SPF, DKIM verification) |
| SOA | Administrative info (primary NS, contact) |
| SRV | Service locations (SIP, XMPP) |
| PTR | IP → domain (reverse lookup) |
| RP | Responsible person |
| HINFO | General domain information |
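Reading these record types out of a tool's answer section is the first step of DNS footprinting, and the same parser is what a defender uses to audit their own zone (is SPF published, which hosts accept mail, who is the SOA contact). The following is an added example written for these notes, not course material: it parses constructed `dig`-style answer lines for the reserved domain example.test and performs no network lookups. The field layout (name, TTL, class, type, rdata) is the one `dig` prints; the SOA contact conversion follows the RFC 1035 rule that the first dot of the RNAME stands for `@`.

```python
"""Parse dig-style DNS answer lines into the record types listed above.

Added example, not from the notes. The records are constructed for the
reserved domain example.test; no lookups are performed.
"""
from collections import defaultdict

# Constructed answer section in the layout dig prints: name TTL class type rdata.
DIG_OUTPUT = """\
;; ANSWER SECTION:
example.test.        3600  IN  A      192.0.2.10
example.test.        3600  IN  AAAA   2001:db8::10
www.example.test.    300   IN  CNAME  example.test.
example.test.        3600  IN  MX     20 mx2.example.test.
example.test.        3600  IN  MX     10 mx1.example.test.
example.test.        3600  IN  NS     ns1.example.test.
example.test.        3600  IN  NS     ns2.example.test.
example.test.        3600  IN  TXT    "v=spf1 mx -all"
example.test.        3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024050101 7200 3600 1209600 300
"""


def parse_records(text):
    """Return [{'name', 'ttl', 'type', 'data'}] for each answer line; skips ;-comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)           # rdata may itself contain spaces (MX, SOA)
        if len(parts) != 5 or parts[2] != "IN":
            continue                          # not a record line
        name, ttl, _cls, rtype, data = parts
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "data": data})
    return records


def summarize(records):
    """Group records by type and derive the fields a footprinting pass cares about."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r)
    # MX rdata is "<priority> <host>"; lower priority is tried first.
    mx = sorted((int(r["data"].split()[0]), r["data"].split()[1]) for r in by_type["MX"])
    spf = next((r["data"].strip('"') for r in by_type["TXT"]
                if r["data"].strip('"').startswith("v=spf1")), None)
    soa = by_type["SOA"][0]["data"].split() if by_type["SOA"] else []
    # SOA RNAME encodes the contact mailbox with its first '.' standing for '@'.
    contact = soa[1].replace(".", "@", 1).rstrip(".") if soa else None
    return {
        "addresses": [r["data"] for r in by_type["A"] + by_type["AAAA"]],
        "aliases": {r["name"]: r["data"] for r in by_type["CNAME"]},
        "mail_servers": [host for _, host in mx],
        "name_servers": sorted(r["data"] for r in by_type["NS"]),
        "spf": spf,
        "soa_primary": soa[0] if soa else None,
        "soa_contact": contact,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(DIG_OUTPUT)).items():
        print(f"{key:13} {value}")
```

A missing `spf` entry (None) in the summary is the kind of finding that matters on both sides: to an attacker it means the domain is easy to spoof in phishing, to the domain owner it is the control to add.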

DNS Tools

| Tool | What can you retrieve |
|---|---|
| dig | DNS records and information |
| DNSdumpster | DNS mapping, subdomains |
| DNSRecon | Subdomains, zone transfers, brute-force, reverse lookup |
| SecurityTrails | Historical DNS, subdomains, IP info |
| Fierce | Non-contiguous IP space, hostnames |
| Sublist3r | Subdomain enumeration (OSINT) |
| Pentest-Tools | Subdomain discovery |
| MXToolbox | Reverse DNS lookup |

Network Footprinting

Traceroute Techniques

| Technique | Description |
|---|---|
| Traceroute | Maps the path packets take to reach a target, revealing network topology and potential vulnerabilities (Time-to-Live, hops). |
| ICMP Traceroute | Uses ICMP packets to perform traceroute, which may be blocked by firewalls, but can provide insights into network structure and potential vulnerabilities. |
| TCP Traceroute/UDP Traceroute | Uses TCP (tool: tcptraceroute) or UDP (tool: traceroute) packets to perform traceroute, which can bypass certain firewall rules and provide insights into network structure and potential vulnerabilities. |

Traceroute Tools

| Tool | Description |
|---|---|
| NetScanTools Pro | Provides various network scanning and traceroute capabilities. |
| PingPlotter | Visualizes traceroute results and network performance. |
| VisualRoute | Combines traceroute with geolocation and network diagnostics. |

Email Footprinting

| Information Gathered | Description |
|---|---|
| Recipient's System IP Address | Can be obtained from email headers, revealing the sender's location and potential vulnerabilities. |
| Geolocation | Can be determined from the IP address, providing insights into the sender's physical location. |
| Email Received and Reading Time | Indicates when the email was received and opened, useful for tracking user activity. |
| Read Duration | Shows how long the email was read, providing insights into user engagement. |
| Proxy Detection | Identifies if the email was accessed through a proxy, which can obscure the sender's location. |
| Links | Tracks links clicked within the email, useful for phishing and tracking analysis. |
| Operating System and Browser | Can be determined from email headers, providing insights into the sender's environment. |
| Forward Email | Can be tracked to see if the email was forwarded to others, which can indicate the spread of a phishing attack. |
| Device Type | Can be determined from email headers, providing insights into the sender's device (e.g., mobile, desktop). |
| Path Traveled | Shows the path the email took from sender to recipient via transfer agents, providing insights into the email's journey and potential vulnerabilities. |

Email Headers

Some Tools
eM Client
Mailbird
Hiri
Mozilla Thunderbird
Spike
Claws Mail
SmarterMail Webmail
Outlook
Apple Mail
ProtonMail
AOL Mail
Tuta

Info in Headers
Sender's mail server
Date and time of receipt by the originator's email servers
Authentication system used by the sender's mail server
Date and time of sending the message
A unique number assigned by mx.google.com to identify the message
Sender's full name
Sender's IP address and address from which the message was sent
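The header facts listed above (sender's mail server, receipt time at the originator's server, authentication results, sending time, message ID, sender's name, originating IP) and the "Path Traveled" entry in the table can all be recovered from the Received: trail. This is an added example, not part of the course notes; the message, hostnames, addresses and IDs are constructed placeholders.

```python
"""Pull the header facts listed above out of a raw message and rebuild the
hop-by-hop path. Each MTA prepends its own Received: header, so the top one
is the last hop and the bottom one is the first (closest to the sender)."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message; every host, IP and ID here is a placeholder.
RAW_EMAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
 by mail.example.org with ESMTPS id abc123
 for <bob@example.org>; Mon, 03 Jun 2024 09:15:02 +0000
Received: from sender-pc.example.net ([198.51.100.23])
 by mx.example.net with ESMTP id xyz789;
 Mon, 03 Jun 2024 09:14:58 +0000
Authentication-Results: mail.example.org; spf=pass smtp.mailfrom=example.net
Message-ID: <20240603091455.12345@example.net>
Date: Mon, 03 Jun 2024 09:14:55 +0000
From: Alice Example <alice@example.net>
To: bob@example.org
Subject: Quarterly report

Please see the attached report.
"""

# "from <host> ... [<ip>] ... by <host>"; re.S because headers are folded.
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(\S+)", re.S)

def parse_path(raw):
    """Return the hops oldest-first, each with from-host, IP, receiving
    MTA and the timestamp that MTA stamped after the final ';'."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if not m:
            continue
        stamped = parsedate_to_datetime(hdr.rsplit(";", 1)[-1].strip())
        hops.append({"from": m.group(1), "ip": m.group(2),
                     "by": m.group(3), "at": stamped.isoformat()})
    return hops

def header_summary(raw):
    """Map the 'Info in Headers' items to concrete header values."""
    msg = message_from_string(raw)
    hops = parse_path(raw)
    name, addr = parseaddr(msg["From"])
    return {"sender_name": name, "sender_address": addr,
            "origin_ip": hops[0]["ip"] if hops else None,
            "sender_mail_server": hops[0]["by"] if hops else None,
            "received_by_sender_server_at": hops[0]["at"] if hops else None,
            "sent_at": parsedate_to_datetime(msg["Date"]).isoformat(),
            "auth": msg["Authentication-Results"],
            "message_id": msg["Message-ID"], "path": hops}
```

Running `header_summary(RAW_EMAIL)` on a real message shows how a spoofed From: line can disagree with the originating hop, which is the check a defender cares about.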

Email Tracking Tools

Tool Description
eMailTrackerPro Tracks email opens, clicks, and other engagement metrics.
IP2Location's Email Header Tracer Analyzes email headers to determine the sender's location and other information.

Social Engineering Footprinting

Technique Description
Eavesdropping Listening to conversations to gather information about the target.
Dumpster Diving Searching through trash to find sensitive information.
Shoulder Surfing Observing someone to gather information, such as passwords or PINs.
Impersonation Pretending to be someone else to gain information or access.

Footprinting using Advanced Tools

Tool Description
OSINT Framework A collection of OSINT tools categorized by type and purpose. T (to install), D (Google dork), R (registration required), M (Manual URL modification)
Recon-ng A reconnaissance framework with various modules for gathering information.
Maltego A data mining tool that visualizes the relationships between entities as link graphs.
FOCA A tool for finding metadata and hidden information in documents (Office, PDF, etc.).
subfinder A subdomain enumeration tool that discovers valid subdomains for websites.
Recon-Dog An all-in-one reconnaissance tool that performs various OSINT tasks, such as subdomain enumeration, port scanning, and vulnerability assessment. Contains: Censys, NS lookup, Port Scan, Detect CMS, Whois lookup, Detect honeypot, Find subdomains, Reverse IP lookup, Detect technologies (wappalyzer), All (all utilities).
BillCipher A tool for analyzing and visualizing the relationships between entities, such as domains, IP addresses, and email addresses, to identify potential threats and vulnerabilities. It works on any Python 2, Python 3, or Ruby supported operating system.
Sudomy A subdomain enumeration tool that discovers valid subdomains for websites using various techniques, such as brute-force, search engines, and certificate transparency logs.
theHarvester A reconnaissance tool that gathers information about email addresses, subdomains, hosts, employee names, and open ports from various sources, such as search engines, PGP key servers, and SHODAN.
whatweb A web application fingerprinting tool that identifies technologies used by websites, such as web servers, programming languages, and content management systems.
Raccoon A reconnaissance tool that gathers information about domains, IP addresses, and email addresses from various sources, such as search engines, social media, and public databases.

AI-Powered OSINT Tools

Tool Description
Taranis AI An AI-powered OSINT tool that provides real-time threat intelligence and analysis by aggregating data from various sources, such as social media, news, and dark web.
OSS Insight An AI-driven OSINT platform that offers advanced data collection (GitHub events), analysis, and visualization capabilities to help organizations identify and mitigate threats.
DorkGPT / DorkGenius An AI-powered tool that generates Google Dorks based on user input, allowing for more efficient and targeted OSINT searches.
Google Word Sniper An AI-powered tool that helps to refine search queries and identifies target keywords, phrases, and trends for more effective OSINT investigations.
Cylect.io An AI-powered OSINT tool that provides real-time threat intelligence and analysis by aggregating data from various sources, such as social media, news, and dark web.
ChatPDF An AI-powered tool that allows users to interact with PDF documents using natural language queries, making it easier to extract information and insights from large documents.
Bardeen.ai An AI-powered automation tool that can be used for OSINT tasks, such as data collection, analysis, and reporting, by automating repetitive tasks and integrating with various data sources.
DarkGPT An AI-powered tool that provides insights and analysis of dark web activities, helping organizations to identify potential threats and vulnerabilities.
Penlink Cobwebs An AI-powered OSINT tool that provides real-time threat intelligence and analysis by aggregating data from various sources, such as social media, news, and dark web.
Explore AI An AI-powered YouTube search engine that extracts information from video content for OSINT investigations.
AnyPicker An AI-powered web scraping tool that can be used for OSINT tasks, such as data collection and analysis, by automating the extraction of information from websites.

Footprinting Countermeasures

Countermeasure
Restrict access to social network sites
Configure web servers to avoid information leakage (e.g., disable directory listing, remove server banners)
Educate employees to use pseudonyms and avoid sharing sensitive information on social media and public forums.
Do not reveal critical information in press releases, annual reports, product catalogs, etc.
Limit the amount of information published on a website or the Internet
Use footprinting techniques to discover and remove any sensitive information that may have been inadvertently published on the Internet.
Prevent search engines from caching a web page and use anonymous registration services
Develop and enforce security policies, such as information security and password policies, to regulate the information that employees can reveal to third parties.
Implement multi-factor authentication (MFA) to protect against unauthorized access.
Set apart internal and external DNS or use split DNS and restrict zone transfer to authorized personnel.
Conduct Security Awareness Training
Whois privacy protection
Avoid domain-level cross-linking for critical assets
Encrypt and password-protect sensitive information
Implement rate limiting and CAPTCHA on public-facing forms
Do not enable protocols and services that are not required (e.g., SNMP, NetBIOS)
IPSec filters to block unauthorized access
Configure IIS to prevent information leakage (e.g., disable directory listing, remove server banners)
Use a VPN to mask IP addresses and encrypt internet traffic
Request archive.org to remove cached pages containing sensitive information
Keep domain name profile private
Deploy Honeypots to detect and analyze reconnaissance activities
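Several of the countermeasures above (remove server banners, disable directory listing, prevent search engines from caching pages) can be verified from the outside by inspecting what a web server actually returns. The checker below is an added example, not part of the course notes or any tool it lists; the two responses are constructed samples, and the header names checked are common ones rather than an exhaustive list.

```python
"""Audit captured HTTP responses for the information leaks targeted by the
footprinting countermeasures: version-bearing server banners, technology
disclosure headers, directory listings and missing caching controls."""
import re

VERSION_BANNER = re.compile(r"/\d+(\.\d+)+")        # e.g. "Apache/2.4.41"
DIR_LISTING = re.compile(r"<title>\s*Index of /", re.I)
# Headers that disclose the technology stack (assumed common set).
TECH_HEADERS = ("x-powered-by", "x-aspnet-version", "x-generator")

def audit_response(headers, body):
    """Return a list of findings for one response; an empty list means
    none of the checked leaks is present."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "")
    if VERSION_BANNER.search(server):
        findings.append(f"server banner reveals version: {server}")
    for name in TECH_HEADERS:
        if name in h:
            findings.append(f"technology header present: {name}: {h[name]}")
    if DIR_LISTING.search(body):
        findings.append("directory listing enabled")
    if "noarchive" not in h.get("x-robots-tag", "").lower():
        findings.append("no X-Robots-Tag noarchive; search engines may cache page")
    return findings

# Constructed samples: a leaky default install and a hardened configuration.
LEAKY = ({"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
         "<html><head><title>Index of /backup</title></head></html>")
HARDENED = ({"Server": "Apache", "X-Robots-Tag": "noarchive, noindex"},
            "<html><head><title>Welcome</title></head></html>")

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_response(*sample) or ["no findings"])
```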