Footprinting can be executed passively (without directly interacting with the target systems) or actively (through direct engagement with the systems). The aim is to construct a complete profile that includes network ranges, domain details, security posture, points of entry, and even employee information. Tools and techniques used in footprinting include public records searches, DNS queries, network enumeration, and social engineering.
Understanding footprinting is essential for cybersecurity because it helps organisations anticipate and protect against the types of information attackers can gather to exploit their systems or network.
What is footprinting and reconnaissance?
Footprinting is the process of identifying security risks in an organisation. During the process, you mainly focus on gathering information about the target organisation, which can be collected from public or intrusive sources. With this information, you can identify vulnerabilities in its security.
Reconnaissance is a further step in profiling an organisation's security and involves following the digital footprints it leaves. Data on the target system's network infrastructure and personnel information are gathered during this process to locate potential attack routes and vulnerabilities present in the system. The types of information gathered during reconnaissance include security policies, network specifics, and host information.
Examples of footprinting (Penetration Testing)
Below are some common examples of footprinting when conducting a penetration test or asset discovery:
HTTP Examples
Fetching HTTP Headers with curl:
curl -I http://example.com
Retrieves the HTTP headers from the web server, revealing information like server type, content type, and caching policies.
Checking for Hidden Directories with dirb:
dirb http://example.com/
Scans for common hidden directories and files on a web server that might not be publicly listed.
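From the defender's side, a dirb-style scan leaves a distinctive trace: one client producing a burst of 404 responses for guessed directory names. The following is an added example (not from this page or from the dirb project) that runs that detection over constructed web server access-log lines in combined log format; the threshold, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined/common log format line, e.g.
# 203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "dirb"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_dir_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Map client IP -> sorted probed paths for clients with >= threshold 404s inside one window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 404:
            by_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()                      # chronological order for the sliding window
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({path for _, path in hits})
                break
    return flagged

# Constructed sample: one client probing 25 common directory names within 25 seconds,
# plus a normal visitor whose only 404 is a missing favicon.
PROBED = ["admin", "backup", "old", "test", "dev", "cgi-bin", "config", "tmp", "db",
          "private", "logs", "uploads", "secret", "staging", "api", "hidden", "archive",
          "phpmyadmin", "panel", "console", "wp-admin", "data", "internal", "scripts", "bak"]
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2024:12:00:{i:02d} +0000] "GET /{name}/ HTTP/1.1" 404 153 "-" "dirb"'
    for i, name in enumerate(PROBED)
] + [
    '198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]
```

The list of probed paths is as useful as the alert itself: it tells you which names the scanner's wordlist tried, so you can confirm none of them actually exist unprotected.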
Accessing the robots.txt File:
curl http://example.com/robots.txt
Obtains the robots.txt file, which can contain paths to sensitive directories that are disallowed for web crawlers but accessible via direct URL.
Nmap Commands
Basic Port Scan:
nmap example.com
Performs a default scan to discover open ports on the target host.
Aggressive Scan with OS and Service Detection:
nmap -A -T4 example.com
Conducts an aggressive scan that includes OS detection, version detection, script scanning, and traceroute.
Scanning Specific Ports:
nmap -p 80,443,22 example.com
Scans only ports 80 (HTTP), 443 (HTTPS), and 22 (SSH) on the target.
UDP Scan:
nmap -sU example.com
Scans for open UDP ports on the target system.
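The same scans are most valuable to a defender when run against their own address space and compared with what is supposed to be exposed. The following is an added example (not from this page or from the Nmap project) that parses nmap's grepable output (the -oG format, whose port entries read port/state/proto/owner/service/rpcinfo/version/) and diffs the open ports against an assumed per-host baseline; the scan text and the baseline are constructed.

```python
import re

# Constructed sample of nmap grepable output (nmap -sV -oG -); not a real scan.
# Each port entry is port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.0/29
Host: 192.0.2.10 (web1.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1//, 80/open/tcp//http//nginx 1.24.0//, 3306/open/tcp//mysql//MySQL 8.0.36//\tIgnored State: closed (997)
Host: 192.0.2.11 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix smtpd//, 443/open/tcp//http//nginx 1.24.0//\tIgnored State: filtered (998)
"""

# What change control says should be reachable from the Internet (assumed baseline).
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80)},
    "192.0.2.11": {("tcp", 25), ("tcp", 443), ("tcp", 587)},
}

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_gnmap(text):
    """Return {ip: {(proto, port): (service, version)}} covering open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = {}
        for port, state, proto, service, version in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                ports[(proto, int(port))] = (service, version)
        hosts[ip] = ports
    return hosts

def compare_exposure(observed, baseline):
    """Return (unexpected, missing): open ports absent from the baseline, and
    baseline ports not seen open (a down service or a firewall change)."""
    unexpected, missing = {}, {}
    for ip in set(observed) | set(baseline):
        seen = set(observed.get(ip, {}))
        expected = baseline.get(ip, set())
        if seen - expected:
            unexpected[ip] = {p: observed[ip][p] for p in seen - expected}
        if expected - seen:
            missing[ip] = expected - seen
    return unexpected, missing

if __name__ == "__main__":
    unexpected, missing = compare_exposure(parse_gnmap(SAMPLE_GNMAP), BASELINE)
    print("unexpected:", unexpected, "missing:", missing)
```

In the sample, the MySQL port on the web host is the finding worth acting on; the version string from -sV tells you what an outside observer would learn from it.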
Netcat Examples
Banner Grabbing on Port 80:
nc example.com 80
Establishes a connection to port 80 to interact with the web server and potentially retrieve its banner.
Port Scanning with Netcat:
nc -zv example.com 20-25
Scans ports 20 to 25 to check which are open (-z scans without sending any data, -v prints verbose output).
Listening on a Local Port:
nc -l -p 1234
Sets up Netcat to listen on local port 1234, useful for testing connections or setting up a simple server.
Additional Reconnaissance Techniques
WHOIS Lookup:
whois example.com
Retrieves domain registration details, including registrant information and name servers.
DNS Enumeration with dig:
dig example.com ANY
Fetches all DNS records associated with the domain.
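What an attacker learns from a record dump is what a defender should review before publishing the zone. The following is an added example (not from this page) that parses constructed records in dig's answer-section layout and flags the two disclosures most often found this way: HINFO records (hardware and OS) and A/AAAA records in a public zone that point at RFC 1918 or IPv6 ULA addresses, which reveal internal topology; the sample zone and the address ranges checked are assumptions.

```python
import ipaddress
import re

# Constructed answer-section records in dig's output layout; not a real zone.
SAMPLE_DIG = """\
example.com.            3600    IN      A       203.0.113.10
example.com.            3600    IN      MX      10 mail.example.com.
example.com.            3600    IN      TXT     "v=spf1 ip4:203.0.113.0/24 -all"
example.com.            3600    IN      HINFO   "Intel x86_64" "Linux"
intranet.example.com.   3600    IN      A       10.20.30.40
vpn.example.com.        3600    IN      AAAA    fd12:3456::1
"""

# owner-name  TTL  IN  TYPE  RDATA
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<data>.+)$")

# Address space that should never appear in an Internet-facing zone:
# RFC 1918 IPv4 ranges plus IPv6 unique local addresses (fc00::/7).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_records(text):
    """Parse dig-style record lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (RR_RE.match(line) for line in text.splitlines()) if m]

def audit_records(records):
    """Return (name, type, reason) tuples for records that disclose internal detail."""
    findings = []
    for rr in records:
        name, rtype, data = rr["name"], rr["type"], rr["data"].strip()
        if rtype == "HINFO":
            findings.append((name, rtype, "HINFO discloses hardware/OS: " + data))
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(data)
            # `addr in net` is False when the IP versions differ, so mixing v4/v6 is safe
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((name, rtype, f"public zone publishes internal address {addr}"))
    return findings

if __name__ == "__main__":
    for name, rtype, reason in audit_records(parse_records(SAMPLE_DIG)):
        print(f"{name} {rtype}: {reason}")
```

Many authoritative servers now answer ANY queries with a minimal response (RFC 8482), so run this audit over the zone file itself or over per-type queries rather than relying on the output of `dig ANY`.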
Using theHarvester for Email and Subdomain Gathering:
theharvester -d example.com -b google
Collects emails and subdomains related to the target domain from public sources.
Email Server Enumeration with smtp-user-enum:
smtp-user-enum -M VRFY -U userlist.txt -t mail.example.com
Attempts to verify user accounts on an SMTP server using a list of common usernames.
Social Engineering Recon
LinkedIn Company Profiling:
Gathering information about employees, job titles, and company structure to identify potential targets for phishing attacks.
Public Social Media Monitoring:
Analysing posts on platforms like Twitter and Facebook for information leaks or insights into company operations.
Key Characteristics:
- Information Gathering: Systematic collection of information about a target to prepare for subsequent attacks or assessments.
- Non-intrusive: Primarily conducted without directly affecting the target, thereby reducing the chance of detection.
- Scope Definition: Helps in defining the scope and focus areas of a security assessment or penetration test.
- Data Sources: Utilises various sources, including public records, domain registration data, network surveys, and social media.
Examples:
- Real-World Example: An ethical hacker hired by a company uses footprinting to identify exposed details about the company’s network infrastructure, aiding in the development of a more robust security strategy.
- Hypothetical Scenario: A cybercriminal performs footprinting on an e-commerce website, uncovering details about server software versions and network topology to plan for an SQL injection attack.
Related Terms:
- Reconnaissance: The broader category of intelligence-gathering activities in cybersecurity, where footprinting is the initial stage.
- Social Engineering: An attack vector that relies on human interaction to obtain or compromise information; often incorporates techniques utilised in footprinting.
- Enumeration: A process closely related to footprinting, which involves extracting detailed user names, machine names, network resources, and other services from a system.