CPT 03 Recon

Uploaded by

xerolag230

Penetration Testing

Reconnaissance

➢ Reconnaissance is the process by which an attacker gathers personal or sensitive information about a target in order to gain unauthorized access to the victim's computer.

➢ Sensitive information includes vulnerable user accounts, open ports, passwords and email addresses.

➢ Personal information includes the website's URL and IP address, and the name, email address and mobile number of the owner.

NetsBook
Penetration Testing
Reconnaissance

➢ Reconnaissance is further subdivided into three phases.

● Footprinting
● Scanning
● Enumerating

➢ Footprinting is the process of gathering personal information about the target using several methods.

➢ Scanning: Scanning is the process of gathering more information about the target, such as open ports, vulnerable active users and the various services running on those ports.

➢ Enumeration: In this phase the attacker uses the information gathered in the first two phases to explore further weaknesses, such as open directories, user accounts that are easy to compromise, or user accounts whose passwords can be guessed easily.
Penetration Testing

Active Footprinting

➢ Collect information directly through social engineering skills.

Passive Footprinting

➢ Collect information through public sources (indirectly)

Pseudonymous Footprinting

➢ Collect information from sources that have been published on the internet but are not directly linked to the author's name; the information may be published under a different name or pen name.

Internet Footprinting

➢ Collect information through Search Engines.


Footprinting Methodology
➢ Footprinting through Search Engines

➢ Footprinting through Advanced Google Hacking Techniques

➢ Footprinting through Social Networking Sites

➢ Footprinting through Websites

➢ Footprinting through Email

➢ Footprinting through Social Engineering

➢ Footprinting through DNS

➢ Footprinting through WHOIS

➢ Footprinting through Competitive Intelligence


Footprinting Methodology
Footprinting through Search Engines

➢ Search engines are used to extract information about a target.

➢ Attackers may gather information such as technology platforms, employee details, login pages, intranet portals, etc.

Finding a company's public and restricted websites

➢ Company policy may forbid access to certain websites, but some employees try creative techniques to view them anyway.

➢ Use trial and error, or use a service that can fetch information about websites (www.netcraft.com).
Footprinting Methodology

Find Domains and Subdomains of the target

❏ nmap --script dns-brute www.certifiedhacker.com

❏ dnsmap certifiedhacker.com

❏ sublist3r -d cisco.com -p 80 -e bing

git clone https://github.com/aboul3la/Sublist3r.git

❏ https://searchdns.netcraft.com
Footprinting Methodology

Find Similar and Parallel domains of the target

❏ urlcrazy -p microsoft.com

apt-get install urlcrazy

Find Geographic Location

Location information, neighbouring companies, famous landmarks, traffic conditions, etc.

❏ Google Earth
❏ Google Maps
❏ Bing Maps
Footprinting Methodology
People Search Online Services

➢ Collect phone numbers, addresses and other information

❏ https://www.privateeye.com
❏ https://www.peoplesearchnow.com

Collect email addresses of employees

❏ Manually (through direct interaction)
❏ Browse social networking sites
❏ Email harvester: theHarvester -d logicindia.net -l 500 -b bing
❏ userrecon.sh
Footprinting Methodology
Gather Information through Financial Services

Some search engines offer financial services that provide financial information about internationally known organizations.

❏ www.google.com/finance
❏ www.finance.yahoo.com
Footprinting Methodology
Footprinting through Job Sites

➢ Information includes company location, industry, contacts, number of employees, job requirements, employee profiles, and hardware and software information.

❏ www.linkedin.com
❏ www.naukri.com

Monitoring the target using alerts

❏ https://www.google.com/alerts
Footprinting Methodology
Information Gathering through Groups, Forums and Blogs

➢ Groups, forums, blogs and communities can be a great source of sensitive information. Join with a fake ID and research the target organization's group.
Footprinting Methodology
Web Search Using Basic Operators

"" Put any phrase in quotes to force Google to use exact-


match

OR logical OR

| The pipe (|) operator is identical to "OR"

() Use parentheses to group operators and control the order


in
which they execute. Eg. (tesla OR edison) alternating current

- Put minus (-) in front of any term (including operators) to


exclude NetsBook
Footprinting Methodology
Web Search Using Basic Operators

*    An asterisk (*) acts as a wildcard and will match any word. Eg. tesla "rock * roll"

#..# Match any integer in that range of numbers. Eg. tesla announcement 2015..2017

+    Force an exact match on a single phrase. Deprecated with the launch of Google+. Eg. +cars
Footprinting Methodology
Web Search Using Advanced Operators

https://www.google.com/advanced_search
Footprinting Methodology
Web Search Using Advanced Operators

❏ site:microsoft.com filetype:pdf

❏ related:pdfdrive.com

❏ cache:pdfdrive.com

❏ link:www.linkedin.com

❏ allintext:books download

❏ intext:books

❏ allintitle:books download
Footprinting Methodology
Google hacking or Google dorking

❏ A technique that uses Google Search to find security holes in the configuration and code that websites use.

❏ "Google hacking" involves using advanced operators in the Google search engine to locate specific strings of text within search results.

Examples:

❏ allintext:username filetype:log (log files containing usernames)
❏ intitle:"index of" inurl:ftp (open FTP servers)
❏ filetype:log username putty (SSH user names)
❏ filetype:xls inurl:"email.xls" (email lists)
❏ inurl:top.htm inurl:currenttime (live cameras)
❏ intitle:"index of" mp3 (MP3 files)
❏ intext:.mp4 (videos)
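A defender can evaluate the dork list above against an inventory of their own pages before Google does. The following Python is an added example, not code from the slides: it parses the basic and advanced operators shown on the previous slides (site:, filetype:, inurl:, intitle:, intext:, allintext:, allintitle:, quoted phrases) and reports which pages in a constructed inventory each dork would surface.

```python
"""Match pages against Google-dork style queries (added example, not from the slides).
Operators: site:, filetype:, inurl:, intitle:, intext:, allintext:, allintitle:, bare terms."""
import re
from urllib.parse import urlparse

# Constructed page inventory (URL, title, body); hosts and contents are made up.
PAGES = [
    {"url": "https://example.com/logs/access.log", "title": "access.log",
     "text": "username=alice ip=10.0.0.5 status=200"},
    {"url": "https://example.com/ftp/", "title": "Index of /ftp",
     "text": "Parent Directory backup.tar.gz"},
    {"url": "https://example.com/about", "title": "About us", "text": "We build things."},
]

def parse_dork(query):
    """Split a query into (operator, value) pairs; bare words get operator 'text'."""
    terms = []
    for tok in re.findall(r'(?:\w+:)?(?:"[^"]*"|\S+)', query):
        op, _, val = tok.partition(":") if ":" in tok and not tok.startswith('"') else ("text", "", tok)
        terms.append((op.lower(), val.strip('"').lower()))
    return terms

def page_matches(page, query):
    """True when every term of the query holds for this page."""
    parsed = urlparse(page["url"])
    host = parsed.hostname or ""
    text, title, url = (page[k].lower() for k in ("text", "title", "url"))
    default = "text"  # allintext:/allintitle: change where later bare terms apply
    for op, val in parse_dork(query):
        if op in ("allintext", "allintitle"):
            default = op = op[3:]  # "allintext" -> "intext", "allintitle" -> "intitle"
        if op == "text":
            op = default
        if op == "site":
            ok = host == val or host.endswith("." + val)
        elif op == "filetype":
            ok = parsed.path.lower().endswith("." + val)
        elif op in ("intext", "text"):
            ok = val in text
        elif op == "intitle":
            ok = val in title
        elif op == "inurl":
            ok = val in url
        else:
            raise ValueError("unsupported operator: " + op)
        if not ok:
            return False
    return True

def exposed_pages(query, pages=PAGES):
    """URLs from the inventory that the dork would surface."""
    return [p["url"] for p in pages if page_matches(p, query)]
```

Feed it the URLs and titles from your own crawl (or a site map) and the entries from the GHDB to get a list of pages to take down or restrict before they are indexed.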
Footprinting Methodology
❏ https://www.exploit-db.com/google-hacking-database
Footprinting Methodology
Shodan
❏ Shodan is a search engine that lets the user find specific types of devices (webcams, routers, servers, etc.) connected to the internet using a variety of filters.

❏ port: Search by specific port
❏ net: Search based on an IP/CIDR
❏ hostname: Locate devices by hostname
❏ os: Search by operating system
❏ city: Locate devices by city
❏ country: Locate devices by country
❏ geo: Locate devices by coordinates
❏ org: Search by organization
❏ before/after: Time frame delimiter
❏ hash: Search based on banner hash
❏ title: Search based on text within the title

Example:

❏ apache city:"ernakulam" (find Apache servers in Ernakulam)
Footprinting Methodology

Website footprinting

❏ Software used and version
❏ OS details
❏ Subdomains
❏ File names and file paths
❏ Scripting platform
❏ Contact details

Determining the operating system

❏ https://www.netcraft.com
Footprinting Methodology
Web Spiders or Web Crawlers

❏ A web crawler or spider systematically browses websites for web indexing and extracts details. Example: webdata extractor

Mirroring an entire website. Example: HTTrack Website Copier

Checking for updates and changes. Example: WebSite-Watcher

Examine the HTML source of a webpage.

Use web investigation tools to extract sensitive data. Example: http://www.webinvestigatorservice.com/investigate/
Footprinting Methodology
www.archive.org/web

❏ Archive.org offers a search option called the Wayback Machine, which is like a time machine for any website.

https://builtwith.com

❏ An online tool for detecting the technologies and frameworks used by a running website.

Whatweb

❏ Identifies information such as the platform, CMS platform, type of script, Google Analytics, web server platform, and the country of the IP address.

❏ Example: whatweb www.certifiedhacker.com


Footprinting Methodology
Email Footprinting

❏ Recipient's system IP address
❏ Geolocation
❏ Operating system and browser information
❏ Forwarded email
❏ Device type
❏ Path through which the email travelled
❏ Active ports

Email tracking and tracing

❏ Tracing refers to movement in the backward direction (from recipient towards sender), while tracking refers to movement in the forward direction.
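The "path through which the email travelled" is recorded in the Received: headers, and tracing it back is how an analyst works out where a suspicious message entered the mail system. The Python below is an added example, not code from the slides: it parses a constructed header block with the standard library, lists the hops in the order the message actually took, reports the originating IP, and checks that the chain is internally consistent, since a hop whose "by" server does not match the next hop's "from" server points at a forged or stripped header.

```python
"""Reconstruct the delivery path of an e-mail from its Received: headers.

Added example, not from the slides; standard library only. Each relay
prepends its own Received: header, so the topmost one is the last hop and
reading them bottom-up traces the message back towards its origin.
"""
import re
from email import message_from_string

# Constructed sample message; hosts and addresses are made up (RFC 5737 ranges).
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby mail.example.org with ESMTPS id abc123; Tue, 5 Mar 2024 10:02:11 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx2.example.net with ESMTP; Tue, 5 Mar 2024 10:02:09 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.net with ESMTPA; Tue, 5 Mar 2024 10:02:05 +0000
From: alice@example.net
To: bob@example.org
Subject: constructed sample

body
"""

# "from <host> ... [<ip>] ... by <host>"; re.S because folded headers span lines
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(\S+)", re.S)

def delivery_path(raw):
    """Hops in chronological order as (from_host, from_ip, by_host) tuples."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if m:
            hops.append(m.groups())
    return hops

def originating_ip(raw):
    """Address seen by the first relay, i.e. the sender's submission host."""
    path = delivery_path(raw)
    return path[0][1] if path else None

def chain_is_consistent(path):
    """True when each hop's receiving server is the sending server of the next hop;
    a break suggests a forged, stripped or rewritten Received: header."""
    return all(prev[2] == nxt[0] for prev, nxt in zip(path, path[1:]))
```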
Footprinting Methodology
Email Header

Footprinting Methodology

Email tracking tools:

❏ PoliteMail (http://www.politemail.com)

❏ Yesware (http://www.yesware.com)

❏ ReadNotify (http://www.readnotify.com)

❏ DidTheyReadIt (http://www.didtheyreadit.com)

❏ WhoReadMe (http://whoreadme.com)
Footprinting Methodology

Competitive Intelligence

❏ Competitive intelligence is the process of capturing and analyzing information about your competitors.

Basic source of Competitive Intelligence

❏ Official websites
❏ Job Advertisements
❏ Press release
❏ Annual reports
❏ Product catalogs
❏ Analysis report
❏ Regulatory report
Footprinting Methodology

Competitive Intelligence

❏ EDGAR https://www.sec.gov/edgar.shtml
❏ Business Wire https://www.businesswire.com/portal/site/home

Penetration testers can identify:

❏ When the company began
❏ Evolution of the company
❏ Authority of the company
❏ Background of the organization
❏ Strategies and planning
❏ Financial statistics
Footprinting Methodology

Monitoring Website traffic

❏ Monitis https://www.monitis.com
❏ Web-Stat https://www.web-stat.com
❏ Alexa https://www.alexa.com

Tracking the online reputation of the target

Rankur https://rankur.com
Social Mention http://www.socialmention.com
Footprinting Methodology
WHOIS Footprinting

WHOIS footprinting is a method for gathering information about:

❏ Ownership of a domain name
❏ Domain name details
❏ Contact details, including phone numbers
❏ Email address of the owner
❏ Registration date of the domain name
❏ Expiry date of the domain name
❏ Domain name servers

https://www.whois.com
https://whois.domaintools.com
SmartWhois tool
Footprinting Methodology
WHOIS Footprinting

# whois evil.com

# nmap -sn --script whois-* evil.com

Find the IP address block allocated to the organization

❏ http://wq.apnic.net/static/search.html
❏ https://www.ultratools.com/tools/ipWhoisLookup

# nslookup
> set type=ns
> microsoft.com
Footprinting Methodology
DNS Footprinting

❏ https://tools.dnsstuff.com

❏ https://centralops.net/co/DomainDossier.aspx

❏ https://network-tools.com

# dnsrecon -d www.evil.com
# dnsenum --enum evil.com
# dig google.com -t soa
# whois google.com

Footprinting Methodology
DNS Footprinting

❏ https://www.ultratools.com/tools/dnsLookup

Find other websites hosted on the same web server

❏ https://www.yougetsignal.com/tools/web-sites-on-web-server/

DNS Zone Transfer

# dig ns certifiedhacker.com
# dig @ns1.bluehost.com certifiedhacker.com axfr
# nslookup -type=any certifiedhacker.com
# dnsrecon -t axfr -d certifiedhacker.com
Footprinting Methodology

Network footprinting

❏ Ping

❏ Traceroute / tracert

❏ Nslookup

❏ Path Analyzer Pro

❏ Visualroute

Social Engineering (SE)

Skill required to perform SE pen Test

Footprinting Methodology

Footprinting through Social Engineering

❏ Credit card information
❏ Username and password
❏ Security device and technology information
❏ OS information
❏ Software information
❏ Network information
❏ IP address and name server information
Social Engineering (SE)
Common target of SE pen Test

Social Engineering (SE)
SE Penetration Testing Steps

❏ Attempt SE using email
❏ Attempt SE using phishing (tools: Phishing Frenzy, LUCY, GoPhish)
❏ Attempt SE using vishing
❏ Visit the company as an enquirer and extract privileged information
❏ Visit the company's locality
❏ Attempt to use a fake ID to gain access
❏ Attempt piggybacking
❏ Attempt tailgating
❏ Listen to employees' conversations
❏ Engage in conversation to extract privileged information
❏ Attempt eavesdropping
❏ Attempt shoulder surfing
❏ Attempt media dropping
❏ Attempt dumpster diving
Footprinting Methodology

Draw Network diagram and a Topology Map

Tools to automate OSINT

❏ Maltego
❏ Recon-ng
❏ FOCA