Ethical Hacking Unit 2

UNIT-2

FOOTPRINTING:
Footprinting is the first step of an attack on information systems in which an
attacker collects information about a target network for identifying various ways
to intrude into the system.

Using this, we can find a number of opportunities to penetrate and assess the
target organization’s network.

Types of Footprinting:
1. Passive Footprinting
2. Active Footprinting.

1. Passive Footprinting:

This involves gathering information about the target without direct
interaction. It is mainly useful when the information-gathering activities
must not be detected by the target: no traffic is sent to the target
organization from your own host, nor from anonymous hosts or services over
the Internet.

Passive footprinting techniques include:

1. Finding the top-level domains (TLDs) and sub-domains of a target through
web services
2. Gathering location information on the target through web services
3. Performing people searches using social networking websites and people
search services
4. Gathering financial information about the target through financial
services
2. Active Footprinting:

This involves gathering information about the target with direct interaction. In
this type of footprinting, the target may recognize the ongoing information
gathering process, because we interact directly with the target network.

Active footprinting techniques include:

1. Querying the published name servers of the target
2. Extracting metadata from published documents and files
3. Collecting website information using mirroring and web-spidering tools
4. Gathering information through email tracking

ping command:
Now let’s examine one of the most popular utilities related to network
connectivity.

Probably the first command that every computer user runs on the command line
when having connectivity problems is the “ping” command.

It quickly shows whether you can send and receive packets (ICMP packets, to be
exact) from your computer, and hence whether you have network connectivity
or not.

Note also that “ping” tests connectivity from both ends: the local computer
from which you run the command and the remote computer or server you are
trying to reach.

nslookup command:
“nslookup” stands for “Name System Lookup” and is very useful in obtaining
Domain Name System (DNS) related information about a domain or about an IP
address (reverse DNS lookup).

nslookup [domain name]: The most popular usage of this command is to
quickly find the IP address of a specific domain name (A record), as shown
below:

nslookup [IP Address]: This will perform a reverse DNS lookup and will try to
match the given IP address with its corresponding domain name.

scanning attacks:
Scanning in ethical hacking is a network exploration technique used to identify
the systems connected to an organization’s network.

It provides information about the accessible systems, services, and resources
on a target system. Some may refer to this type of scan as an active scan
because it can potentially disrupt services on those hosts that are susceptible.

Scanning is often used during vulnerability assessment when probing
weaknesses in existing defenses.

There are two ways of scanning:
- Active Scanning
- Passive Scanning

Scanning is more than just port scanning, but it is a very important part of this
process.

Scanning allows you to identify open ports on the target system and can be
used for port mapping, performing an interactive session with the operating
system via those ports, or even redirecting traffic from these open ports.
There are many tasks that can be performed with a scanning tool.

Active Scanning:
Active scanning is a type of network scanning technique that is used to gather
information about a target system or network.
Unlike passive scanning, which only gathers information that is readily
available, active scanning actively interacts with the target system to gather
information.
It involves sending requests or packets to a target system and analyzing the
responses to gather information about the target.
This type of scanning is more aggressive and intrusive than passive scanning
and is often used to identify vulnerabilities and weaknesses in a target system
or network.
Passive Scanning:
Passive scanning is a type of network scanning technique that is used to gather
information about a target system or network without actively interacting with
the target.
Unlike active scanning, which sends requests or packets to the target and
analyzes the responses, passive scanning only gathers information that is
readily available, such as information transmitted over the network or stored in
system logs.
It is used to gather information about a target system or network for a variety of
purposes, including network mapping, vulnerability assessment, and
compliance testing.
By analyzing network traffic and system logs, passive scanning can provide
valuable information about a target’s infrastructure, servers, and devices, as
well as the types of services and applications that are running.

Types of Scanning Techniques:

1. TCP connect scan: This is a scan that sends TCP SYN packets to each
port on the target system, waiting for an RST/ACK.
This is a stealthier type of scan because it does not show the open ports on
the target system.
The last port that responds is its open port, and you can use this to your
advantage to determine which ports are open.

2. TCP SYN port scan: This is a similar type of scan, but the packets are TCP
SYN packets and not TCP ACK.
This type of scan sends packets to ports that are open and waiting for a
reply.

3. Network Scanning: Network scanning is used to identify the devices and
services that are running on a target network, determine their operating
systems and software versions, and identify any potential security risks or
vulnerabilities.
Network scanning can be performed manually or automated using software
tools, and can target specific systems or an entire network.

4. Vulnerability Scanning: Vulnerability scanning is a process of identifying,
locating, and assessing the security vulnerabilities of a computer system,
network, or application.
This process is performed using automated software tools that scan for
known vulnerabilities, as well as weaknesses in the configuration or
implementation of the system being tested.
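Both the TCP connect scan and the TCP SYN scan described above start with a SYN to every probed port, so each attempt lands in a firewall's connection log. As an added example (not part of these notes), the following Python script runs a simple port-scan detector over constructed iptables-style log lines and flags any source that attempts connections to five or more distinct ports of one host within ten seconds. The log format, addresses, window and threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified iptables-style LOG lines (not real traffic): one host
# probing six ports in three seconds, plus one ordinary client on 443 and 80.
SAMPLE_LOG = """\
2024-03-01T10:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
2024-03-01T10:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
2024-03-01T10:00:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
2024-03-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
2024-03-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
2024-03-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40005 DPT=53
2024-03-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=80 SYN
2024-03-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=443 SYN
2024-03-01T10:00:31 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+) (?P<flags>.+)$")

def parse_line(line):
    """Return the fields of one TCP log line, or None for lines we do not inspect."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = m["flags"].split()
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "new_conn": "SYN" in flags and "ACK" not in flags}

def detect_port_scans(lines, window=timedelta(seconds=10), threshold=5):
    """Flag a source that sends new-connection SYNs to >= threshold distinct ports
    of one host inside `window`. A connect scan and a SYN scan look identical
    here: both send the SYN, so the 'stealth' variant still shows up in this log."""
    attempts = defaultdict(list)                    # (src, dst) -> [(ts, dport)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["new_conn"]:
            attempts[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))
    alerts = []
    for (src, dst), evs in attempts.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):          # slide the window over each start time
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "start": t0, "ports": sorted(ports)})
                break
    return alerts
```

Run `detect_port_scans(SAMPLE_LOG.splitlines())` to see the probing host reported with its six ports while the ordinary client is left alone.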

DNS ENUMERATION:
Domain Name System (DNS) is a system that converts or translates a website
name into an IP address and vice versa.

Example: A user enters www.geeksforgeeks.org in a browser; DNS resolves this
request to the corresponding IP address, and the browser then connects the
user to that IP address.

DNS Enumeration is a reconnaissance technique used to better understand the
attack surface of the target systems (i.e. their IP addresses).

The process of DNS enumeration returns various important pieces of information
about the target, such as DNS record types, host names and IP addresses, and
much more depending on the configuration of the target system.
To perform DNS enumeration there are various open-source tools and scripts
available, such as Nmap, DNSRecon, etc.

Importance and Impacts:

Importance:
- It helps in discovering the various services and hosts that are running on the
domain.
- It makes the target surface larger as we enumerate further.
- Furthermore, it exposes critical information about the target.
Impact:
- The attacker can read the system data and may also be able to modify it.
- It can also lead to various other potential DNS attacks.
- It gives the threat actor very critical details about the system that they
can leverage in further attacks.

Steps of DNS Enumeration:

There are various tools to do DNS enumeration; you are free to explore them
by doing a simple web search for DNS enumeration tools, but here we are
going to use Nmap as an example:
Nmap:
It is a tool used to discover hosts and services that are currently running on a
computer network. Nmap provides a dedicated script for this purpose, named
dns-nsec-enum.
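To show what Nmap or any other enumeration tool actually puts on the wire, here is an added example (not from these notes or from the Nmap project) in Python that builds a raw DNS query for a chosen record type and parses the answer section of the reply, including the RFC 1035 name compression that real responses use. The response bytes are constructed for the example and use a TEST-NET address; `build_query`, `read_name` and `parse_answers` are names chosen here.

```python
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}

def build_query(name, qtype, txid=0x1234):
    """Build a standard recursive query (RD=1) for one name/type pair, sendable over UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def read_name(msg, off):
    """Decode a domain name at off, following RFC 1035 compression pointers (0xC0xx)."""
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] >= 0xC0:                          # pointer: 14-bit offset into the message
            end = end or off + 2                      # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels), end or off + 1

def parse_answers(msg):
    """Return (owner, type, value) for every RR in the answer section of a response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                          # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype in (2, 5):                          # NS / CNAME: a (compressible) name
            value = read_name(msg, off)[0]
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((owner, TYPE_NAMES.get(rtype, rtype), value))
        off += rdlen
    return answers

SAMPLE_RESPONSE = (  # constructed reply to build_query("example.com", "A"); not a real zone
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"                 # header: 1 question, 2 answers
    b"\x07example\x03com\x00\x00\x01\x00\x01"                           # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"  # A 192.0.2.1, TTL 3600
    b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x06\x03ns1\xc0\x0c"   # NS ns1.example.com
)
```

Enumerating a domain is then a loop over `QTYPES`, sending each `build_query` result to a resolver on UDP port 53 and feeding the reply to `parse_answers`.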
Conclusion:
- DNS enumeration is very powerful for target mapping.
- You can do DNS enumeration from your Linux or Windows terminal.
- DNS enumeration exposes many attack surfaces.
- It is not possible to hide yourself 100% from DNS enumeration.
