3CS204ME24
Ethical Hacking and Vulnerability Assessment

Footprinting and Reconnaissance
• Footprinting Concepts
• Footprinting Methodologies/Techniques
• Footprinting Tools
• Footprinting Countermeasures

Footprinting
• Collecting information about an organization to identify the various ways to intrude into its systems.
• Objectives:
  • Know the security posture
  • Identify the level of risk
  • Reduce the focus area
  • Identify vulnerabilities
  • Draw a network map
• Active Footprinting: the target is aware of the information gathering.
• Passive Footprinting: the target is not aware of it.

Passive Footprinting Techniques (Technique: Description)
• Search Engine Queries: Use search engines and Google Dorking to find specific information.
• Publicly Available Information: Gather data from company websites, social media, press releases, etc.
• Whois Lookup: Obtain domain registration details, including owner, contact info, and DNS data.
• DNS Interrogation: Perform DNS lookups and reverse DNS lookups to gather domain and IP info.
• Public Code Repositories: Explore public repositories like GitHub for exposed code, credentials, or data.
• Publicly Accessible Documents: Extract metadata from publicly available documents for additional details.
• Social Engineering (Indirect Methods): Monitor forums, social media, and community spaces for leaked information.
• Public Network Information: Analyze BGP and ASN data, and use tools like Shodan for network intelligence.
• Website Analysis: Examine website source code and archived versions for hidden or historical info.
• Job Postings: Analyze job listings for insights into the target's technology stack and structure.
• Competitive Intelligence Tools: Use tools like Hoovers or Bloomberg to gather financial and market data.
• Public Forums and Mailing Lists: Monitor discussions where employees may reveal technical or organizational info.

Active Footprinting Techniques (Technique: Description)
• Port Scanning: Scanning a target's network to identify open ports and running services.
• Network Sweeping: Identifying live hosts on a network by sending ping requests to multiple IP addresses.
• Banner Grabbing: Retrieving information from services running on open ports, such as web servers, to identify software versions and configurations.
• OS Fingerprinting: Identifying the operating system of a target machine using tools like Nmap.
• Email Harvesting: Sending emails or using tools to gather information about an organization's email server and structure.
Active Footprinting Techniques, continued (Technique: Description)
• SNMP (Simple Network Management Protocol) Enumeration: Querying SNMP to extract information about network devices, software versions, and configurations.
• DNS Zone Transfer: Attempting to obtain a copy of the DNS zone file from a DNS server, which can reveal internal network structure.
• Social Engineering (Direct Interaction): Engaging directly with employees or systems to gather information, such as calling help desks to extract details.
• Traceroute Analysis: Mapping the path data takes to reach a target, revealing intermediate devices and network structure.
• Website Mirroring: Downloading a copy of a website for offline analysis, which may reveal hidden pages, scripts, or metadata.
• Wireless Network Scanning: Scanning for wireless networks to identify their security settings, SSIDs, and access points.
• Maltego Analysis: Using tools like Maltego to map relationships and information about a target organization through active queries and interactions.

Google Hacking (Google Dork: Description)
• site:example.com: Restricts the search to pages within the specified domain.
• filetype:xls OR filetype:doc OR filetype:pdf: Searches for specific file types, which may contain sensitive information.
• intitle:"index of" site:example.com: Finds open directories on the target site that might contain exposed files.
• inurl:admin: Searches for admin login pages or control panels within the domain.
• inurl:login: Finds login pages that could be targeted for brute force or other attacks.
• inurl:wp-admin: Specifically targets WordPress admin login pages.
• site:example.com intext:"confidential": Looks for documents or pages containing the word "confidential."
• site:example.com intext:"password": Searches for pages where passwords might be stored or discussed.
• site:example.com ext:bak OR ext:old OR ext:backup: Finds backup files that may have been left accessible on the server.
• site:example.com "database error": Looks for pages displaying database error messages, which might reveal SQL queries or other database information.
• Reference website: https://www.exploit-db.com/

How to protect from Google Hacking
• To protect your organization from Google Dorking, implement several measures that reduce the exposure of sensitive information and prevent unauthorized access.
• Secure Sensitive Files and Directories
  • Configure your robots.txt file to instruct search engines not to index certain parts of your website.
  • Password Protection: Protect sensitive directories and files with strong passwords and ensure they are not accessible without authentication.
  • NoIndex Meta Tags: Use the noindex meta tag on pages that should not be indexed by search engines.
    Example: <meta name="robots" content="noindex">
• Use Proper File Permissions
  • Restrict Access: Ensure that sensitive files (like .xls, .doc, .pdf, .bak) are not publicly accessible. Set correct file permissions on the server to limit access to authorized users only.
  • Avoid Exposing Backup Files: Remove or secure backup files, such as those with the extensions .bak, .old and .backup, so they are not publicly accessible.
• Implement Web Application Firewalls (WAF)
  • Filter Malicious Queries: A WAF can be configured to detect and block suspicious queries, including those typical of Google Dorking attempts.
  • Rate Limiting: Implement rate limiting to reduce the risk of automated tools being used to scrape your site.

Footprinting with a Specialized IoT Search Engine (https://www.shodan.io/)
• Shodan is a specialized search engine that scans and indexes devices connected to the internet.
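The file-permission countermeasures above can be checked from the server side before a search engine ever indexes anything. The following added example (not part of the lecture slides) walks a web root, picks out the backup and document extensions named in the dork table, and reports which of them are readable by "others"; the sample web root it builds is constructed, and the extension lists are the lecture's, not a complete policy.

```python
"""Constructed example: audit a web root for files the lecture's dorks would
surface (ext:bak OR ext:old OR ext:backup, filetype:xls/doc/pdf) and report
which of them are world-readable. Not part of the original slides."""
import os
import stat
import tempfile

BACKUP_EXTS = {".bak", ".old", ".backup"}   # extensions from the dork table
DOCUMENT_EXTS = {".xls", ".doc", ".pdf"}

def classify(filename):
    """Return 'backup', 'document' or None for a file name."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BACKUP_EXTS:
        return "backup"
    return "document" if ext in DOCUMENT_EXTS else None

def audit_webroot(root):
    """Walk root; return sorted (relative path, category, world_readable)
    tuples for every backup or document file found under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            category = classify(name)
            if category is None:
                continue
            full = os.path.join(dirpath, name)
            readable_by_others = bool(os.stat(full).st_mode & stat.S_IROTH)
            findings.append((os.path.relpath(full, root), category, readable_by_others))
    return sorted(findings)

def build_sample_webroot():
    """Constructed web root: an exposed backup, an exposed document,
    a backup already locked down, and an ordinary page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    samples = {
        "config.php.bak": 0o644,        # backup left beside the live config
        "uploads/salaries.xls": 0o644,  # document readable by everyone
        "uploads/archive.old": 0o600,   # backup, but owner-only
        "index.html": 0o644,            # not sensitive
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)    # chmod sets the exact mode, umask does not apply
    return root
```

Running audit_webroot(build_sample_webroot()) lists the .bak and .xls files as world-readable and the .old file as already restricted; the .html page is not reported.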
• Unlike traditional search engines like Google, which index websites and content, Shodan focuses on discovering the devices exposed to the internet, such as servers, routers, webcams, industrial control systems, and IoT devices.
• Shodan works from service metadata, which it calls banners.
• Example: 220 kcg.cz FTP server (Version 6.00LS) ready.
• This tells us a potential name of the server (kcg.cz), the type of FTP server (Solaris ftpd) and its version (6.00LS).

Key Features
• Device Discovery
• Security Assessment
• Search Filters
• Real-Time Monitoring
• API Integration

Use Cases
• Security Auditing: Organizations use Shodan to audit their external-facing infrastructure, ensuring that only intended devices are accessible and identifying any potential security gaps.
• Research: Researchers use Shodan to study the global distribution of specific devices, understand the exposure of industrial control systems, or analyze the security posture of IoT devices.
• Threat Intelligence: Shodan provides valuable data for threat intelligence, helping security teams understand potential attack vectors by analyzing exposed devices and services.

Areas
• Network Security: keep an eye on all devices at your company that are facing the Internet
• Market Research: find out which products people are using in the real world
• Cyber Risk: include the online exposure of your vendors as a risk metric
• Internet of Things: track the growing usage of smart devices
• Tracking Ransomware: measure how many devices have been impacted by ransomware

Example of a Banner
• The information for each service is stored in an object called the banner.
    {
      "data": "Moxa Nport Device
        Status: Authentication disabled
        Name: NP5232I_4728
        MAC: 00:90:e8:47:10:2d",
      "ip_str": "46.252.132.235",
      "port": 4800,
      "org": "SingTel Mobile",
      "location": {
        "country_code": "SG"
      }
    }

• data: the main response from the service itself
• ip_str: IP address of the device
• port: port number of the service
• org: the organization that owns this IP space
• location.country_code: the country where the device is located

Other Techniques of Footprinting
• Footprinting through Web Services
  • Top Level Domains and Sub-domains: Netcraft, Sublist3r
  • Geographic location of the target: Google Earth
  • Gathering information from LinkedIn: theHarvester
• Footprinting through Job Sites
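Both banner forms shown in this section, the raw FTP greeting and the Shodan banner object, are just text a defender can parse when reviewing their own organization's exposure. The following is an added example, not code from the slides or from Shodan; the banner object is the one reproduced above, the FTP regex is an assumption about the common "220 host FTP server (product) ready." greeting shape, and the auth flag simply keys off the "Status:" line the banner carries.

```python
"""Added example (not from the slides or Shodan's own code): parse the two
banner forms the lecture shows, an FTP greeting line and a Shodan banner
object, into the fields a defender would review for their own exposure."""
import json
import re

# Shodan banner object from the slides, reproduced as a JSON string.
SAMPLE_BANNER_JSON = json.dumps({
    "data": "Moxa Nport Device\nStatus: Authentication disabled\n"
            "Name: NP5232I_4728\nMAC: 00:90:e8:47:10:2d",
    "ip_str": "46.252.132.235",
    "port": 4800,
    "org": "SingTel Mobile",
    "location": {"country_code": "SG"},
})

# Assumed shape of a 220 greeting: "220 <host> FTP server (<product>) ...".
FTP_GREETING = re.compile(r"^220[ -](?P<host>\S+)\s+FTP server\s*\((?P<product>[^)]*)\)")

def parse_ftp_banner(line):
    """Split a 220 FTP greeting into host, parenthesised product text and,
    when the product text says 'Version X', the version. None if not FTP."""
    m = FTP_GREETING.match(line.strip())
    if not m:
        return None
    product = m.group("product").strip()
    version = re.search(r"Version\s+(\S+)", product)
    return {"host": m.group("host"), "product": product,
            "version": version.group(1) if version else None}

def summarize_banner(banner_json):
    """Reduce a Shodan banner object to the fields the slides annotate, plus
    any 'Key: value' lines found in data and a flag for disabled auth."""
    b = json.loads(banner_json)
    fields = dict(re.findall(r"^(\w+):\s*(.+)$", b.get("data", ""), re.M))
    return {
        "ip": b.get("ip_str"),
        "port": b.get("port"),
        "org": b.get("org"),
        "country": b.get("location", {}).get("country_code"),
        "device_fields": fields,
        "auth_disabled": fields.get("Status", "").lower() == "authentication disabled",
    }
```

For the slide's FTP example the parser yields host kcg.cz and version 6.00LS; for the Moxa banner the summary flags auth_disabled and exposes the Name and MAC lines as device fields.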