Ethical Hacking | Penetration Testing

Ethical Hacking - Footprinting

Footprinting Overview

Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodological manner. Footprinting is a passive process of that is designed to profile an organization with respect to networks (Internet / Intranet / Extranet / Wireless).

Ethical Hacking Footprinting

Footprinting Steps

Internet Footprinting

Get Proper Authorization
Define the Scope of the Assessment
Find Publicly Available Information
Perform WHOIS & DNS Enumeration
Attempt DNS Interrogation
Perform Network Reconnaissance

1: Get Proper Authorization

Ethical Hackers and professional penetration testers must obtain authorization in writing before beginning the security assessment

2: Define the Scope of the Assessment

During discussions with the client you may determine the assessment scope will include:

The entire organization
Only certain locations
Business partner connections
The clients disaster-recovery sites

3: Find Publicly Available Information

The first place to begin the security assessment is the company's web site following an initial review of the website you will next want to examine the following:

Review Archived Information
Examine The Wayback Machine
Ripe the web site tools such as Wget and Teleport Pro
Look for other sites beyond the main site of "www" such as:
- Outlook Web Access
- https://owa.company.com or https://outlook.company.com
- Virtual Private Networks (VPNs)
- http://vpn.company.com or http://www.company.com/vpn
- Examine any related organizations for backend connectivity
Scan the web for:
- Phone Numbers, Contact Names, E-mail Addresses, and Personal Details
- Current Events
- Mergers, scandals, layoffs, etc. create security holes
- Privacy or Security Policies, and Technical Details Indicating the Types of Security Mechanisms in Place
- Extract data from Usenet
- Review Groups.google.com
- Search for Employee Resumes
- Perform Google Hacking
Examine Web 2.0 sites
- Search Facebook
- Examine Blogs
- Find Disgruntled Employee Web Sites
Map the Physical Address
- Google Maps / Google Earth
- Microsoft Live
Visit the Physical Location and consider techniques such as:
- Dumpster-diving
- Surveillance
- Social Engineering

4: Perform WHOIS & DNS Enumeration

Examine Internet Assigned Numbers Authority (IANA) and Regional Internet Registry (RIR) data:

Manual Process - Three Steps:
- Authoritative Registry for top-level domain
- Domain Registrar
- Finds the Registrant
Automated Process - Available Tools
- Whois.com
- Sam Spade
- SuperScan

5: Attempt DNS Interrogation

Perform a Zone Transfer via Windows or Linux. When successful you will obtain a list of all the hosts and IP addresses.

6: Perform Network Reconnaissance

Manual - Traceroute or Tracert
- Windows Tracert uses ICMP
- Linux Traceroute uses UDP by default
Automatic - Neotrace, Trout or other traceroute software.

Footprinting Resources

Some sites useful sites for footprinting during a security assessment and ethical hack are listed here. These sites can be used to help you to find more information about an organization and its employees:

www.trula.com - real estate

www.zillow.com - real estate

www.netronline.com - real estate

www.whosarat.com - informants

www.zabaseach.com - name, address, location info

www.zoominfo.com - person & company data

www.vitalrec.com - people info

www.pipl.com - people search

www.skipease.com/blog/ - people search

www.pretrieve.com - people search

www.publicdata.com - people search

www.urapi.com - people search