Unit 2 - Notes
Unit 2: Footprinting and Gathering Intelligence
1. Introduction to Footprinting
Footprinting is the initial phase of the penetration testing lifecycle (often referred to as the Pre-Attack Phase). It involves collecting as much information as possible about a targeted network, system, or organization to identify various ways to intrude into the system.
Objective: To create a detailed blueprint of the target's security posture. The more information gathered, the higher the probability of a successful penetration test.
Goals of Footprinting
- Know the Security Posture: Understand the existing security architecture and potential loopholes.
- Reduce the Focus Area: Narrow down specific ranges of IP addresses, domain names, and remote access points.
- Identify Vulnerabilities: Find specific weaknesses in the target's systems (e.g., outdated software, unpatched OS).
- Draw a Network Map: Visualize how the target's network infrastructure is connected.
2. Types of Information Gathering
Information gathering is categorized based on the interaction level with the target system.
A. Passive Information Gathering (Indirect)
Collecting information without directly interacting with the target. The target is unaware of the information gathering process because no logs are generated on their systems.
- Method: Using public resources, search engines, and social media.
- Risk: Low/Zero risk of detection.
- Examples: Browsing the company website, WHOIS lookups, reviewing employees' LinkedIn profiles, looking up DNS records.
B. Active Information Gathering (Direct)
Involves direct interaction with the target system. This method generates traffic and logs on the target server, which may trigger Intrusion Detection Systems (IDS).
- Method: Sending packets to the target.
- Risk: High risk of detection.
- Examples: Ping sweeps, traceroute, banner grabbing, port scanning.
3. Open Source Intelligence (OSINT)
OSINT refers to intelligence collected from publicly available sources to be used in an intelligence context.
A. Search Engine Hacking (Google Dorks)
Using advanced search operators to locate sensitive information indexed by search engines.
Common Operators:
- site: Restricts results to a specific domain (e.g., site:target.com).
- filetype: Searches for specific file extensions (e.g., filetype:pdf, filetype:xls).
- intitle: Searches for pages with specific text in the title.
- inurl: Searches for URLs containing specific text (e.g., inurl:admin).
Example: site:target.com filetype:pdf confidential (Searches for PDF files on the target site containing the word "confidential").
B. WHOIS Lookup
A query and response protocol used for querying databases that store the registered users or assignees of an Internet resource (domain name, IP address block).
- Data Retrieved: Registrar details, Admin email, Tech contact, Creation/Expiration dates, Name servers.
- Utility: Provides contact info for social engineering or physical locations.
C. DNS Enumeration
The process of locating all the DNS servers and their corresponding records for an organization.
- A Record: Maps hostname to IPv4 address.
- MX Record: Mail Exchange (shows email server).
- NS Record: Name Server (authoritative DNS).
- CNAME: Canonical Name (alias).
- Tools: nslookup, dig, dnsenum.
D. The IoT Search Engine (Shodan)
Unlike Google, which crawls web pages, Shodan crawls the Internet for devices (webcams, routers, servers, SCADA systems).
- It allows testers to find specific devices with specific vulnerabilities connected to the internet (e.g., Apache/2.4.49).
E. Social Media and People Search
- LinkedIn: Identifies organizational structure, employee roles, and technologies used (e.g., a SysAdmin listing "Expert in Cisco ASA 5500" reveals the firewall model).
- Job Boards: Job postings often reveal the specific software versions, operating systems, and databases used internally (e.g., "Looking for SQL Server 2019 Administrator").
4. Website Information Gathering
Analyzing the target's web presence to identify underlying technologies and potential entry points.
A. Analyzing robots.txt
A text file at the root of a website that instructs web crawlers which pages not to index.
- Pentest Value: Often reveals sensitive directories the admin wants to hide (e.g., /admin/, /backup/, /dev/).
- Access: http://www.target.com/robots.txt
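As an added example (not part of the course notes), a small robots.txt parser that lists each Disallow path per user-agent group and flags entries that look like admin or backup areas. It is written for auditing your own file: anything listed there is public, so robots.txt cannot hide a directory. The sample file, the hint list and the function names are constructed for the demo.

```python
# Added example (not part of the course notes): a minimal robots.txt parser that
# lists every Disallow path per user-agent group and flags entries that look like
# admin or backup areas. Meant for auditing your own file: anything listed here is
# public, so it cannot hide a directory. SAMPLE_ROBOTS is constructed for the demo.
SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /dev/
Disallow: /tmp/export.csv
"""

# Path fragments that suggest content an operator would rather not advertise.
SENSITIVE_HINTS = ("admin", "backup", "dev", "private", "config", "export", ".bak")


def parse_robots(text):
    """Return {user_agent: [disallowed paths]} following robots.txt grouping:
    consecutive User-agent lines share one group whose rules run until the next
    User-agent line; comments (#) and unknown directives are ignored."""
    groups, agents, rules_seen = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if rules_seen:                   # a rule line closed the previous group
                agents, rules_seen = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif key in ("disallow", "allow") and agents:
            rules_seen = True
            if key == "disallow" and value:  # bare "Disallow:" means allow all
                for agent in agents:
                    groups[agent].append(value)
    return groups


def flag_sensitive(groups):
    """Return sorted (agent, path) pairs whose path contains a sensitive hint."""
    return sorted((a, p) for a, paths in groups.items() for p in paths
                  if any(h in p.lower() for h in SENSITIVE_HINTS))
```

Run flag_sensitive(parse_robots(open("robots.txt").read())) against your own site to see exactly what a crawler, or anyone else, is told to avoid.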
B. Technology Stack Detection
Identifying the CMS (Content Management System), web server software, and frameworks used.
- Tools: Wappalyzer (browser extension), BuiltWith.
- Significance: If a target uses an outdated CMS plugin (e.g., a WordPress plugin) or an outdated server version (e.g., Apache 2.2), known exploits can be used.
C. Website Mirroring
Copying the entire website to a local drive for offline analysis. This allows the tester to inspect directory structures and source code without generating constant traffic.
- Tool: HTTrack.
D. Banner Grabbing
A technique used to glean information about a computer system on a network and the services running on its open ports.
- Example: Connecting via Telnet or Netcat to port 80 often returns the server version header. With Netcat, type the request line and then press Enter twice (the blank line terminates the HTTP request):
  nc target.com 80
  HEAD / HTTP/1.0
- Response might include: Server: Apache/2.4.1 (Unix)
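As an added example (not from the course notes), a parser for the raw HTTP response that the HEAD request above returns, which reports every header carrying a product/version string; it is meant for checking your own servers after hardening. Both responses, the header list and the regex are constructed for the demo; the Apache ServerTokens/ServerSignature directives and PHP's expose_php setting named in the comment are real.

```python
# Added example (not from the course notes): check an HTTP response such as the
# one returned by the HEAD request above for headers that disclose software
# versions, to verify your own servers after hardening. Both raw responses
# below are constructed for the demo.
import re

VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.1 (Unix) PHP/7.4.3\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# The same server after Apache's "ServerTokens Prod" / "ServerSignature Off"
# and PHP's "expose_php = Off": the product name may remain, but no versions.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Headers that commonly carry product/version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def version_disclosures(raw):
    """Return (header, product, version) tuples for every version string found."""
    _, headers = parse_headers(raw)
    found = []
    for name in DISCLOSING_HEADERS:
        for product, version in VERSION_RE.findall(headers.get(name, "")):
            found.append((name, product, version))
    return found
```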
5. Discovering the Target (Network Level)
Before scanning specifically for vulnerabilities, one must define the network scope.
A. Traceroute / Tracert
Diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.
- Pentest Value: Maps the network topology and identifies intermediate routers/firewalls.
B. Ping Sweeps
Sending ICMP ECHO requests to a range of IP addresses to determine which hosts are live (active).
- Goal: To avoid wasting time scanning empty IP addresses.
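From the defender's side, a ping sweep stands out in firewall logs as one source hitting many distinct destinations in a short window. The following added example (not from the course notes) implements that sliding-window check over constructed ICMP log lines; the log format, the addresses and the thresholds are all assumptions for the demo.

```python
# Added example (not from the course notes): flag a ping sweep in firewall logs
# by finding a source that sends ICMP echo requests to many distinct destinations
# within a short window. The log format and every entry below are constructed
# (10.0.0.5 is a monitor pinging one host; 203.0.113.7 walks a subnet);
# adapt LINE_RE to your own firewall's format.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-01-01T10:00:00 ICMP echo-request src=10.0.0.5 dst=10.0.1.10
2024-01-01T10:00:01 ICMP echo-request src=203.0.113.7 dst=10.0.1.1
2024-01-01T10:00:01 ICMP echo-request src=203.0.113.7 dst=10.0.1.2
2024-01-01T10:00:01 ICMP echo-request src=203.0.113.7 dst=10.0.1.3
2024-01-01T10:00:02 ICMP echo-request src=203.0.113.7 dst=10.0.1.4
2024-01-01T10:00:02 ICMP echo-request src=203.0.113.7 dst=10.0.1.5
2024-01-01T10:00:02 ICMP echo-request src=203.0.113.7 dst=10.0.1.6
2024-01-01T10:00:30 ICMP echo-request src=203.0.113.7 dst=10.0.1.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP echo-request src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst) for each ICMP echo-request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"]


def detect_sweeps(text, window_seconds=10, min_targets=5):
    """Return {src: most distinct targets seen} for every source that probed at
    least min_targets distinct hosts inside some window_seconds-long window."""
    events = defaultdict(list)                 # src -> [(ts, dst)]
    for ts, src, dst in parse_log(text):
        events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the window spans <= window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```

The late probe at 10:00:30 falls outside the window and so does not inflate the count; tune window_seconds and min_targets to your own network's baseline.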
6. Social Engineering (Human Vulnerabilities)
Social Engineering is the art of manipulating people into performing actions or divulging confidential information. It targets the "weakest link" in security: the human element.
Exploiting the Human Psyche
Social engineers exploit cognitive biases and psychological triggers. Dr. Robert Cialdini’s principles of persuasion are often cited in this context:
- Authority: People tend to obey authority figures (e.g., an attacker posing as the CEO or IT Director).
- Scarcity/Urgency: Creating a rush to bypass critical thinking (e.g., "Your account will be deleted in 10 minutes if you don't verify").
- Reciprocity: People feel obliged to return favors (e.g., "I fixed your login issue, can you just give me the code sent to your phone?").
- Curiosity: Leaving a temptation (e.g., a USB drive labeled "Payroll Bonuses").
- Trust/Likability: Building rapport to lower defenses.
Types of Social Engineering Attacks
1. Human-Based (Interaction)
- Impersonation: Pretending to be a legitimate employee, repairman, or delivery person.
- Vishing (Voice Phishing): Over-the-phone scams to extract sensitive info.
- Shoulder Surfing: Observing someone entering credentials or viewing sensitive data over their shoulder.
- Dumpster Diving: Searching through trash to find discarded documents (memos, sticky notes with passwords, organizational charts).
2. Computer-Based
- Phishing: Sending fraudulent emails appearing to come from a reputable source to steal data.
- Spear Phishing: Highly targeted phishing aimed at a specific individual or organization, often using personal details gathered via OSINT.
- Whaling: Phishing aimed at high-profile targets (C-suite executives).
- Baiting: Offering something enticing (free download, music) that is actually malware.
7. Physical Security and Vulnerabilities
Physical security ensures the protection of the building, hardware, and employees. If a physical attack is successful, digital security controls (firewalls, encryption) are often rendered useless.
Common Physical Attacks
- Tailgating (Piggybacking):
  - An attacker seeks entry to a restricted area without proper authentication by following closely behind a legitimately authorized person.
  - Remedy: Mantraps, turnstiles, and security awareness training ("Stop and verify").
- Lock Picking:
  - The manipulation of lock components to open a lock without the original key.
  - Significance: Demonstrates that physical barriers are often just delaying mechanisms, not absolute prevention.
- Badge Cloning (RFID Attacks):
  - Using a portable RFID reader to capture the data transmitted by a legitimate employee's proximity card (often from a few feet away) and writing it to a blank card.
- Hardware Keyloggers:
  - Physical devices plugged between the keyboard and the computer to record keystrokes. Unlike software keyloggers, these are OS-independent and not detectable by antivirus software.
Physical Security Controls to Assess
- Perimeter: Fences, gates, lighting, CCTV.
- Access Control: Biometrics, smart cards, guards.
- Environmental: Fire suppression, HVAC (to prevent overheating), power backups (UPS).
8. Summary of Intelligence Data
By the end of the Footprinting and Intelligence Gathering phase, the penetration tester should possess:
- Network Range: IP addresses and subnet masks.
- Domain Information: Registrar data, DNS records.
- OS and Architecture: Probable operating systems and network topology.
- Services: Web servers (Apache/IIS), Email servers.
- Employee Data: Names, email formats, positions (for social engineering).
- Physical Location: Address, satellite imagery (Google Maps) for physical entry points.