Unit2 - Subjective Questions

Footprinting is the first step in the ethical hacking or penetration testing process. It involves gathering as much information as possible about a target network, system, or organization to identify various ways to intrude into the system.

Primary Objectives of Footprinting:

1. Know Security Posture: To analyze the target's security posture and understand their external visibility.
2. Reduce Focus Area: By identifying specific ranges of IP addresses and domain names, the attacker can narrow down the target area.
3. Identify Vulnerabilities: To find loopholes such as open ports, running services, and unpatched systems.
4. Draw Network Map: To construct a network diagram depicting the target's network architecture.

Passive Information Gathering:

• Definition: Gathering information without directly interacting with the target system. The target is unaware of the reconnaissance.
• Method: Relies on public records, archived data, and third-party databases.
• Examples: Browsing the company website, searching Whois databases, checking social media profiles, and using search engines (OSINT).

Active Information Gathering:

• Definition: Involves direct interaction with the target system. This activity creates logs on the target's firewall or servers and can be detected.
• Method: Sending packets or requests to the target.
• Examples: Ping sweeps, traceroute, extracting DNS zone information, and mirroring the target website.

OSINT (Open Source Intelligence) refers to the collection and analysis of information that is gathered from public, open sources.

Role in Footprinting:

• Data Availability: It allows penetration testers to gather vast amounts of data without alerting the target (passive reconnaissance).
• Sources:
  • Public Government Data: Reports, budgets, and hearings.
  • Professional and Academic Publications: Journals, conferences, and academic papers.
  • Commercial Data: Financial reports and corporate databases.
  • The Internet: Social media, blogs, discussion groups, and user directories.
• Utility: It helps in mapping the organizational structure, finding email addresses, identifying physical locations, and understanding the technologies used by the organization.

Google Hacking, or Google Dorking, involves using advanced search operators in Google Search to locate specific strings of text within search results. It is used to find security holes, configuration files, passwords, and other sensitive data that has been indexed by Google.

Common Operators:

1. site:: Restricts the search to a specific domain or site.
   • Example: site:example.com
2. filetype:: Searches for specific file extensions (e.g., pdf, xls, doc, sql).
   • Example: filetype:pdf confidential
3. intitle:: Restricts results to pages containing the specified term in the title.
   • Example: intitle:"index of" (often used to find directory listings).

Website Information Gathering involves analyzing a target's web presence to identify underlying technologies, ownership, and structure.

Data Extracted via Tools:

1. Whois Lookup:

   • Data: Domain registrar details, registrant contact info (name, email, phone), registration/expiry dates, and Name Server details.
   • Purpose: Helps in social engineering and identifying the network range.

2. Burp Suite (or similar HTTP proxies):

   • Data: HTTP headers, server types (e.g., Apache, IIS), cookie attributes, hidden form fields, and application logic.
   • Purpose: Identifying software versions to check for known vulnerabilities (CVEs).

3. Additional Data:

   • Robots.txt: Reveals hidden directories the admin doesn't want crawled.
   • Sitemaps: Reveals the structure of the website.

Social Engineering is the art of manipulating people so they give up confidential information. It exploits human psychology rather than technical hacking techniques.

Phases of a Social Engineering Attack:

1. Research: The attacker gathers information about the target organization or individual (footprinting).
2. Hook: The attacker initiates a relationship or interaction with the victim (e.g., creating a backstory or pretext).
3. Play: The attacker executes the attack, manipulating the victim to reveal information or perform an action (e.g., asking for a password to "fix" an account).
4. Exit: The attacker ends the interaction without raising suspicion and removes traces of the interaction if possible.

Attackers exploit the human psyche by targeting cognitive biases and natural human tendencies to trust or help others. They create scenarios that trigger an automatic, unthinking response.

Psychological Triggers (Cialdini’s Principles):

1. Authority: People tend to obey authority figures. Attackers impersonate executives or IT support to demand compliance.
2. Urgency/Scarcity: Creating a sense of panic (e.g., "Your account will be deleted in 5 minutes") forces the victim to act quickly without critical thinking.
3. Reciprocity: People feel obliged to return a favor. An attacker might provide a small "help" to induce the victim to share information.
4. Social Proof: People do what they see others doing. Attackers might claim, "Everyone else in your department has updated their password."

• Phishing:

  • Target: Mass audience (broad).
  • Method: Sending generic emails (e.g., "Update your bank details") to thousands of users hoping a small percentage will click.
  • Customization: Low.

• Spear Phishing:

  • Target: Specific individual or department.
  • Method: Emails are tailored with specific details about the target (name, job title) to increase credibility.
  • Customization: High.

• Whaling:

  • Target: High-profile targets (C-level executives, politicians, celebrities).
  • Method: Highly sophisticated spear phishing aimed at "big fish" to steal sensitive corporate data or large sums of money.
  • Customization: Very High.

Physical Vulnerabilities refer to weaknesses in the physical security measures of an organization, such as unlocked doors, lack of security guards, poor badge access systems, or improper disposal of sensitive documents.

Dumpster Diving:

• Definition: The practice of sifting through commercial or residential trash to find items that have been discarded by their owners.
• Objective: To find information that can be used for an attack, such as:
  • Phone bills (to find contact numbers).
  • Organizational charts.
  • Employee manuals.
  • Sticky notes with passwords.
  • Hardware manuals or software CDs.
• Prevention: Shredding documents and using locking trash bins.

DNS Footprinting involves querying the Domain Name System (DNS) servers to identify the structure of the target organization's network.

Information from DNS Records:

• A (Address) Record: Maps a domain name to an IPv4 address. It reveals the IP address of the web server.
• MX (Mail Exchange) Record: Specifies the mail server responsible for accepting email messages on behalf of a domain. It reveals the email infrastructure.
• NS (Name Server) Record: Indicates the authoritative name servers for the domain. It reveals the DNS provider or internal DNS servers.
• CNAME (Canonical Name): Aliases for a domain. It can reveal if a site is hosted on a third-party service (e.g., AWS, Akamai).

Tailgating (or Piggybacking):

• Definition: An unauthorized person follows an authorized person into a restricted area without the authorized person's consent or knowledge (Tailgating), or with their consent due to social pressure (Piggybacking).
• Scenario: An attacker waits for an employee to open a secure door with an RFID badge and catches the door before it closes to walk in behind them.

Prevention:

1. Man-traps: A small space with two interlocking doors where only one can open at a time.
2. Security Guards: To visually inspect badges.
3. Anti-passback Systems: Prevents a card from being used to enter twice without an exit record.
4. Employee Awareness Training: instructing staff not to hold doors for strangers.

Website Mirroring is the process of creating an offline replica of a website by downloading all its pages, images, and directory structures to a local drive.

Assistance in Intelligence Gathering:

1. Offline Analysis: The tester can browse the site without sending requests to the live server, avoiding detection (after the initial download).
2. Source Code Inspection: Allows for detailed analysis of HTML and JavaScript source code to find comments, hidden fields, or developer notes.
3. Directory Structure: helps in understanding the hierarchy of the website.
4. Tools: Common tools include HTTrack and Wget.

Pretexting is a form of social engineering where an attacker creates a fabricated scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions.

Difference from Simple Phishing:

• Scenario Building: Pretexting relies heavily on a complex, invented backstory. For example, an attacker might pretend to be a survey conductor, an HR representative, or a tech support agent needing to verify details.
• Dialogue: It usually involves a dialogue (voice or email chain) to build trust, whereas simple phishing is often a "spray and pray" one-way message containing a malicious link.
• Verification: The attacker often establishes credibility by citing some known information (gathered via footprinting) to make the pretext believable.

Competitive Intelligence is the process of gathering and analyzing information about competitors, their products, customers, and market strategies.

Relation to Footprinting:

• Context: In ethical hacking, the techniques used for competitive intelligence are identical to footprinting. Organizations often expose sensitive data while trying to market themselves.
• Data Points:
  • Job Postings: Reveal technologies used (e.g., "Hiring a PostgreSQL DB Admin" implies they use PostgreSQL).
  • Press Releases: Reveal future projects and partnerships.
  • Annual Reports: Reveal financial health and key stakeholders.
• Usage: A hacker uses this publicly available business data to build a profile of the target's infrastructure and personnel.

Email Footprinting involves monitoring and analyzing emails to gather information about a target organization.

Analyzing Email Headers:

• Path Tracing: The Received fields in an email header show the path the email took from the sender to the recipient, revealing the IP addresses of the mail servers.
• Sender IP: It can reveal the original IP address of the sender, which can be geolocated.
• Mail Software: Headers like X-Mailer can reveal the email client or server software used (e.g., Outlook, Zimbra), which may have specific vulnerabilities.
• Internal Network Info: Sometimes, internal IP addresses or hostnames leak into headers if the mail server is not configured to strip them.

Shoulder Surfing is a direct observation technique where an attacker looks over a person's shoulder to get information such as passwords, PINs, security codes, or sensitive data displayed on a screen.

Environments where it occurs:

1. Public Transport/Commute: People working on laptops in trains or airplanes often have their screens visible to neighbors.
2. ATMs/Payment Terminals: Attackers watch victims enter PINs.
3. Coffee Shops/Co-working Spaces: Users typing passwords or viewing confidential emails in open seating arrangements.
4. Office Desks: An insider threat walking by a colleague's desk.

Whois Lookup:
It is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name or an IP address block. The output includes registrant details, administrative contacts, and name servers.

Significance of TLD:

• Jurisdiction: The TLD (e.g., .com, .de, .gov) indicates the geographical or organizational jurisdiction, which dictates legal frameworks for hacking or reporting.
• Registry Details: Different TLDs are managed by different registries. Some country-code TLDs (ccTLDs like .cn or .ru) might have different privacy policies regarding data disclosure compared to generic TLDs (gTLDs like .com).

Shodan is a search engine specifically designed for Internet-connected devices (IoT).

Difference from Google:

1. Content:
   • Google: Crawls websites looking for content (text, images) to index for human reading.
   • Shodan: Crawls the Internet (IPv4 space) looking for devices (servers, routers, webcams, SCADA systems) and indexes their service banners (metadata sent by the server).
2. Search Query:
   • Google: You search for "Best pizza recipe".
   • Shodan: You search for specific headers, ports, or operating systems (e.g., Apache city:"London" port:80).
3. Purpose: Shodan is critical for discovering physical vulnerabilities (open webcams) and unpatched servers.

Vishing (Voice Phishing):

• Definition: Using the telephone system to manipulate users into disclosing confidential information. Attackers often use Caller ID spoofing to appear as a legitimate entity.
• Example: An attacker calls pretending to be from the "Bank Fraud Department," claiming there is suspicious activity on the victim's card and asking for the CVV number to "verify" the card.

Smishing (SMS Phishing):

• Definition: Using SMS (text messages) to send malicious links or requests for information.
• Example: A text message saying: "URGENT: Your package delivery failed. Click this link [malicious URL] to reschedule," which leads to a fake login page to steal credentials.

Footprinting Methodology Flow:

1. Define Scope: Determine the target (domain, organization name).
2. Search Engines & Social Media (OSINT):
   • Use Google Dorks to find sensitive files.
   • Check LinkedIn for employee names and roles.
3. Website Footprinting:
   • Analyze the website structure (Mirroring).
   • Check robots.txt and cookies.
4. Email Footprinting:
   • Trace email headers to find IP addresses.
5. Whois & DNS Interrogation:
   • Get registrar info.
   • Map the network using DNS records (, , ).
6. Network Footprinting:
   • Locate network ranges (IP blocks).
   • Traceroute to map the path.
7. Social Engineering (Recon):
   • Gather personal data for potential phishing.
8. Documentation: Compile all gathered intelligence into a matrix to assist in the scanning phase.

This flow moves from passive public data to active network data.