Module 02 - Footprinting and Reconnaissance
Footprinting Concepts
| Term | Description |
|---|---|
| Reconnaissance | Gathering information about a target to identify vulnerabilities and plan an attack |
| Passive Footprinting | No direct interaction: public records, social media, search engines, OSINT |
| Active Footprinting | Direct interaction: port scanning, network mapping, DNS interrogation, enumeration |
Footprinting through Search Engines
Google Dorks
| Dork | Description |
|---|---|
| intitle: / allintitle: | Pages with specific words in the title |
| inurl: / allinurl: | Pages with specific words in the URL |
| intext: / allintext: | Pages with specific words in the body |
| filetype: | Specific file types |
| site: | Pages within a specific domain |
| cache: | Cached versions of web pages |
| link: | Pages linking to a specific URL |
| related: | Pages similar to a specific URL |
| allinanchor: | Pages with specified words in anchor text |
| info: | Information about a specific URL |
| location: | Pages from a specific location |
| source: | News articles from a specific source |
| before: / after: | Pages published before/after a date |
Search Types
| Type | Description |
|---|---|
| Advanced Search | Filters: language, region, last update, site/domain |
| Reverse Image Search | Find source, similar images, content info |
| Video Search Engines | Search videos by keywords, categories |
| Meta Search Engines | Aggregate results from multiple search engines |
Reconnaissance Tools
| Tool | What you can retrieve |
|---|---|
| Shodan | Internet-connected devices, OS, vulnerabilities |
| Censys | IP addresses, domains, vulnerabilities, device info |
| Netcraft | IP addresses, domains, hosting providers, OS |
| Archive.org | Historical website snapshots |
| Photon | Web crawling (uses Archive.org) |
| lynx | Website content (text-only, no scripts/images) |
Competitive Intelligence
| Approach | Description |
|---|---|
| Direct | Trade shows, social engineering, direct interactions |
| Indirect | Analyzing products, services, marketing, public info |
Resources by Category
| Category | Resources | Info Gathered |
|---|---|---|
| Financial Reports | EDGAR (SEC), D&B Hoovers, Factiva | SEC filings, financial data, company profiles |
| News & Legal | LexisNexis, Business Wire | Legal cases, press releases, news |
| Market Research | MarketWatch, Euromonitor, Wall Street Transcript | Industry reports, trends, CEO interviews |
| Online Marketing | SEMRush, SimilarWeb, SERanking, Experian | Keywords, traffic, competitors, PPC |
| Brand Monitoring | The Search Monitor | Trademark use, advertisers |
| Patents | USPTO | Patent and trademark info |
Other Footprinting Techniques
| Technique | Information Gathered | Tools |
|---|---|---|
| People Search | Personal info, contacts, social profiles | Pipl, Spokeo, Whitepages |
| Job Sites | Job postings, company info, employees | LinkedIn, Indeed, Glassdoor |
| Dark Web | Forums, marketplaces, illicit activities | Tor Browser |
| Geographical | Building entrances, cameras, gates, weak spots | Google Earth/Maps, Wikimapia |
| Alerts/Monitoring | Organization mentions, website updates | Google Alerts, Giga Alerts |
| Reputation | Search rankings, mentions, social news | Mention, ReviewPush, Reputology |
| Groups/Forums | Network info, system info, personal info | Google Groups, LinkedIn Groups |
| Source Code Repos | Config files, SSH/SSL keys, source code | Recon-ng, GitHub |
Social Network Footprinting
| Tool | What you can retrieve |
|---|---|
| theHarvester | Emails, subdomains, hosts, employee names, open ports (search engines, PGP, SHODAN) |
| Sherlock | Social media profiles across platforms |
| BuzzSumo | Content performance, engagement, influencers |
| Social-Searcher | Mentions, sentiment analysis, influencers |
Whois Footprinting
| Information Returned |
|---|
| Domain name details, Registrant information |
| Domain owner contact, Name servers |
| NetRange, IP address |
| Creation/Expiry/Last update dates |
| Domain status |
Regional Internet Registries (RIRs)
| RIR | Region |
|---|---|
| ARIN | North America |
| AFRINIC | Africa |
| APNIC | Asia-Pacific |
| LACNIC | Latin America & Caribbean |
| RIPE NCC | Europe, Middle East, Central Asia |
Geolocation Tool: IP2Location
DNS Footprinting
DNS Records
| Record | Description |
|---|---|
| A / AAAA | Domain → IPv4 / IPv6 address |
| CNAME | Domain → another domain (alias) |
| MX | Mail servers for the domain |
| NS | Authoritative name servers |
| TXT | Arbitrary text (SPF, DKIM verification) |
| SOA | Administrative info (primary NS, contact) |
| SRV | Service locations (SIP, XMPP) |
| PTR | IP → domain (reverse lookup) |
| RP | Responsible person |
| HINFO | General domain information |
DNS Tools
| Tool | What you can retrieve |
|---|---|
| dig | DNS records and information |
| DNSdumpster | DNS mapping, subdomains |
| DNSRecon | Subdomains, zone transfers, brute-force, reverse lookup |
| SecurityTrails | Historical DNS, subdomains, IP info |
| Fierce | Non-contiguous IP space, hostnames |
| Sublist3r | Subdomain enumeration (OSINT) |
| Pentest-Tools | Subdomain discovery |
| MXToolbox | Reverse DNS lookup |
Network Footprinting
Traceroute Techniques
| Technique | Description |
|---|---|
| Traceroute | Maps the path packets take to reach a target by sending probes with increasing Time-to-Live (TTL) values so that each hop along the route answers in turn, revealing network topology and potential vulnerabilities. |
| ICMP Traceroute | Uses ICMP packets to perform traceroute, which may be blocked by firewalls, but can provide insights into network structure and potential vulnerabilities. |
| TCP Traceroute/UDP Traceroute | Uses TCP (tool: tcptraceroute) or UDP (tool: traceroute) packets to perform traceroute, which can bypass certain firewall rules and provide insights into network structure and potential vulnerabilities. |
Traceroute Tools
| Tool | Description |
|---|---|
| NetScanTools Pro | Provides various network scanning and traceroute capabilities. |
| PingPlotter | Visualizes traceroute results and network performance. |
| VisualRoute | Combines traceroute with geolocation and network diagnostics. |
Email Footprinting
| Information Gathered | Description |
|---|---|
| Recipient's System IP Address | Can be obtained from email headers, revealing the sender's location and potential vulnerabilities. |
| Geolocation | Can be determined from the IP address, providing insights into the sender's physical location. |
| Email Received and Reading Time | Indicates when the email was received and opened, useful for tracking user activity. |
| Read Duration | Shows how long the email was read, providing insights into user engagement. |
| Proxy detection | Identifies if the email was accessed through a proxy, which can obscure the sender's location. |
| Links | Tracks links clicked within the email, useful for phishing and tracking analysis. |
| Operating System and Browser | Can be determined from email headers, providing insights into the sender's environment. |
| Forward Email | Can be tracked to see if the email was forwarded to others, which can indicate the spread of a phishing attack. |
| Device Type | Can be determined from email headers, providing insights into the sender's device (e.g., mobile, desktop). |
| Path Traveled | Shows the path the email took from sender to recipient via transfer agents, providing insights into the email's journey and potential vulnerabilities. |
Email Headers
| Some Tools |
|---|
| eM Client |
| Mailbird |
| Hiri |
| Mozilla Thunderbird |
| Spike |
| Claws Mail |
| SmarterMail Webmail |
| Outlook |
| Apple Mail |
| ProtonMail |
| AOL Mail |
| Tuta |

| Info in Headers |
|---|
| Sender's mail server |
| Date and time of receipt by the originator's email servers |
| Authentication system used by the sender's mail server |
| Date and time of sending the message |
| A unique number assigned by mx.google.com to identify the message |
| Sender's full name |
| Sender's IP address and address from which the message was sent |
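Pulling these fields out of a raw message is what an analyst does when triaging a suspicious email. The script below is an added example, not code from the original page: it reconstructs the Path Traveled from the Received: headers of a constructed sample message (every host, IP and Message-ID in it is invented), reports the originating IP, SPF verdict and transit time, and flags a hop whose timestamp runs backwards, a common sign of a forged header.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: every host, IP, id and address below is invented.
RAW_EMAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
    by mail.recipient.example (Postfix) with ESMTPS id 4Q1abc
    for <alice@recipient.example>; Mon, 03 Jun 2024 10:15:42 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.example.net with ESMTP; Mon, 03 Jun 2024 10:15:40 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
    by relay.example.net (Postfix) with ESMTPA; Mon, 03 Jun 2024 10:15:38 +0000
Authentication-Results: mail.recipient.example; spf=pass smtp.mailfrom=example.net
Message-ID: <20240603101538.12345@relay.example.net>
Date: Mon, 03 Jun 2024 10:15:37 +0000
From: Bob <bob@example.net>
"""
HOP_RE = re.compile(r"from\s+(\S+).*?by\s+(\S+)", re.S)  # "from <host> ... by <host>"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")     # first IPv4 literal in the hop

def parse_hops(raw):
    # MTAs prepend their Received: line, so the header list is newest-first;
    # reversing it recovers the path from sender to recipient.
    hops = []
    for received in reversed(message_from_string(raw).get_all("Received", [])):
        m, ip = HOP_RE.search(received), IP_RE.search(received)
        stamp = received.rsplit(";", 1)[-1].strip() if ";" in received else None
        hops.append({"from": m.group(1) if m else None, "by": m.group(2) if m else None,
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(stamp) if stamp else None,
                     "no_rdns": "(unknown [" in received})  # peer had no PTR record
    return hops

def timeline_anomalies(hops):
    # Each relay stamps its own clock, so time should not run backwards along the
    # path; a decrease is a classic sign of a forged or injected Received: header.
    times = [h["time"] for h in hops if h["time"]]
    return [i for i in range(1, len(times)) if times[i] < times[i - 1]]

def summarize(raw):
    # The header facts an analyst wants first: origin IP, route, SPF verdict, transit time.
    msg, hops = message_from_string(raw), parse_hops(raw)
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    return {"message_id": msg.get("Message-ID"),
            "origin_ip": hops[0]["ip"] if hops else None,
            "route": [h["by"] for h in hops],
            "spf": spf.group(1) if spf else None,
            "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds() if len(hops) > 1 else 0.0,
            "anomalies": timeline_anomalies(hops)}
```

Note that the first hop in the sample has no reverse DNS ("unknown") and was accepted with ESMTPA (authenticated submission), which together tell you the message entered the mail system from an end-user device behind 192.0.2.25 rather than from another mail server.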
Email Tracking Tools
| Tool | Description |
|---|---|
| eMailTrackerPro | Tracks email opens, clicks, and other engagement metrics. |
| IP2Location's Email Header Tracer | Analyzes email headers to determine the sender's location and other information. |
Social Engineering Footprinting
| Technique | Description |
|---|---|
| Eavesdropping | Listening to conversations to gather information about the target. |
| Dumpster Diving | Searching through trash to find sensitive information. |
| Shoulder Surfing | Observing someone to gather information, such as passwords or PINs. |
| Impersonation | Pretending to be someone else to gain information or access. |
Footprinting using Advanced Tools
| Tool | Description |
|---|---|
| OSINT Framework | A collection of OSINT tools categorized by type and purpose. T (to install), D (Google dork), R (registration required), M (Manual URL modification) |
| Recon-ng | A reconnaissance framework with various modules for gathering information. |
| Maltego | A data mining tool that allows for the visualization of relationships between entities using graphical graphs. |
| FOCA | A tool for finding metadata and hidden information in documents (Office, PDF, etc.). |
| subfinder | A subdomain enumeration tool that discovers valid subdomains for websites. |
| Recon-Dog | An all-in-one reconnaissance tool that performs various OSINT tasks, such as subdomain enumeration, port scanning, and vulnerability assessment. Contains: Censys, NS lookup, Port Scan, Detect CMS, Whois lookup, Detect honeypot, Find subdomains, Reverse IP lookup, Detect technologies (wappalyzer), All (all utilities) |
| BillCipher | A tool for analyzing and visualizing the relationships between entities, such as domains, IP addresses, and email addresses, to identify potential threats and vulnerabilities. It works on any Python 2, Python 3, or Ruby supported operating system. |
| Sudomy | A subdomain enumeration tool that discovers valid subdomains for websites using various techniques, such as brute-force, search engines, and certificate transparency logs. |
| theHarvester | A reconnaissance tool that gathers information about email addresses, subdomains, hosts, employee names, and open ports from various sources, such as search engines, PGP key servers, and SHODAN. |
| whatweb | A web application fingerprinting tool that identifies technologies used by websites, such as web servers, programming languages, and content management systems. |
| Raccoon | A reconnaissance tool that gathers information about domains, IP addresses, and email addresses from various sources, such as search engines, social media, and public databases. |
AI-Powered OSINT Tools
| Tool | Description |
|---|---|
| Taranis AI | An AI-powered OSINT tool that provides real-time threat intelligence and analysis by aggregating data from various sources, such as social media, news, and dark web. |
| OSS Insight | An AI-driven OSINT platform that offers advanced data collection (GitHub events), analysis, and visualization capabilities to help organizations identify and mitigate threats. |
| DorkGPT / DorkGenius | An AI-powered tool that generates Google Dorks based on user input, allowing for more efficient and targeted OSINT searches. |
| Google Word Sniper | An AI-powered tool that helps to refine search queries and identifies target keywords, phrases, and trends for more effective OSINT investigations. |
| Cylect.io | An AI-powered OSINT tool that provides real-time threat intelligence and analysis by aggregating data from various sources, such as social media, news, and dark web. |
| ChatPDF | An AI-powered tool that allows users to interact with PDF documents using natural language queries, making it easier to extract information and insights from large documents. |
| Bardeen.ai | An AI-powered automation tool that can be used for OSINT tasks, such as data collection, analysis, and reporting, by automating repetitive tasks and integrating with various data sources. |
| DarkGPT | An AI-powered tool that provides insights and analysis of dark web activities, helping organizations to identify potential threats and vulnerabilities. |
| Penlink Cobwebs | An AI-powered OSINT tool that provides real-time threat intelligence and analysis by aggregating data from various sources, such as social media, news, and dark web. |
| Explore AI | An AI-powered Youtube search engine that extracts information from video content for OSINT investigations. |
| AnyPicker | An AI-powered web scraping tool that can be used for OSINT tasks, such as data collection and analysis, by automating the extraction of information from websites. |
Footprinting Countermeasures
| Countermeasure |
|---|
| Restrict access to social network sites |
| Configure web servers to avoid information leakage (e.g., disable directory listing, remove server banners) |
| Educate employees to use pseudonyms and avoid sharing sensitive information on social media and public forums. |
| Do not reveal critical information in press releases, annual reports, product catalogs, etc. |
| Limit the amount of information published on a website or the Internet |
| Use footprinting techniques to discover and remove any sensitive information that may have been inadvertently published on the Internet. |
| Prevent search engines from caching a web page and use anonymous registration services |
| Develop and enforce security policies, such as information security and password policies, to regulate the information that employees can reveal to third parties. |
| Implement multi-factor authentication (MFA) to protect against unauthorized access. |
| Set apart internal and external DNS or use split DNS and restrict zone transfer to authorized personnel. |
| Conduct Security Awareness Training |
| Whois privacy protection |
| Avoid domain-level cross-linking for critical assets |
| Encrypt and password-protect sensitive information |
| Implement rate limiting and CAPTCHA on public-facing forms |
| Do not enable protocols and services that are not required (e.g., SNMP, NetBIOS) |
| Use IPSec filters to block unauthorized access |
| Configure IIS to prevent information leakage (e.g., disable directory listing, remove server banners) |
| Use a VPN to mask IP addresses and encrypt internet traffic |
| Request archive.org to remove cached pages containing sensitive information |
| Keep domain name profile private |
| Deploy Honeypots to detect and analyze reconnaissance activities |