Footprinting is the first step of an attack on information systems in which an attacker collects information about a target network for identifying various ways to intrude into the system. Using this, we can find a number of opportunities to penetrate and assess the target organization’s network.
Types of Footprinting:
- Passive Footprinting
- Active Footprinting
1. Passive Footprinting: –
This involves gathering information about the target without direct interaction. It is mainly useful when the information-gathering activities must not be detected by the target: no traffic is sent to the target organization, either from our own host or from anonymous hosts or services over the Internet. We can only collect the archived and publicly stored information about the target using search engines, social networking websites, etc.
Passive footprinting techniques include: –
- Finding the top-level domains (TLDs) and sub-domains of a target through web services
- Gathering location information on the target through web services
- Performing people searches using social networking websites and people search services
- Gathering financial information about the target through financial services
- Gathering infrastructure details of the target organization through job sites
- Monitoring the target using alert services
- Gathering information using groups, forums, and blogs
- Determining the operating systems in use by the target organization
- Extracting information about the target using Internet archives
- Performing competitive intelligence
- Discovering information through search engines
- Monitoring website traffic of the target
- Tracking the online reputation of the target
- Gathering information through social engineering on social networking sites
2. Active Footprinting: –
This involves gathering information about the target with direct interaction. In this type of footprinting, the target may recognize the ongoing information gathering process, as we interact directly with the target network and that interaction can be logged.
Active Footprinting techniques include: –
- Querying published name servers of the target
- Extracting metadata of published documents and files
- Gathering website information using various types of mirroring and web spidering tools
- Gathering information through email tracking
- Performing Whois lookup
- Extracting DNS information
- Performing traceroute analysis
- Performing social engineering
The major goals of footprinting include collecting the network information, system information, and organizational information of the target. By conducting footprinting across the various network levels, we can obtain valuable information, for example, network blocks, specific IP addresses, employee details, etc. Such information can help network intruders access confidential information or perform other types of attacks on the target organization.
Methods of footprinting
Hackers can use search engines to find information about the target. They can learn about an organization's employees, login pages, the tech stack used by the website, etc. This sort of footprinting starts with a common search on search engines like Google.
1. Port Scanning
Port scanners are used to determine live hosts on the internet and find out which Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are listening on each system, as well as which operating system is installed on the host. To identify the relationship of each host and potential security mechanisms between the attacker and targets, they use traceroutes.
- NSLookup – to perform DNS queries and zone transfers
- Tracert – to create network maps of the target.
Once port scanning and trace routing are done, attackers will create a network map that represents the target's internet footprint.
2. Google Hacking
Despite what you may infer from the name, this method does not involve hacking Google! This is a means by which you can collect information from the Google search engine in a smart way.
Search engines have many features using which you can get uncommon, but very specific search results from the internet. Using these techniques, hackers and attackers perform a search using advanced operators, examples of which are given below.
These types of operators can uncover much sensitive information that can potentially harm the target and should therefore not be revealed.
Let’s take an example.
Go to google.com and paste this: allinurl:tsweb/default.htm
You will get more than 200 websites that expose the tsweb/default.htm page. Using this, the hacker gets a chance to get into the organization's servers. This is just one example. There is plenty of such information about targets available online, which hackers can take advantage of.
3. Ping Sweep
If the attacker wants to know which machines on your network are currently live, they can perform a ping sweep. Ping uses ICMP packets to send echo requests to the target system and waits for an echo reply. If the device is not reachable, it will show a "request timed out"; but if the device is online and not restricted from responding, it will send an echo reply back. Here are some tools used to perform ping sweeps across a range of addresses to determine the active devices on the target network.
- Angry IP scanner
- Super Scan
- Pinger etc.
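Both port scanning and ping sweeps leave a recognisable trail on the target side. The following added example (it is not part of the original article and is not from any of the tools named above) shows the defender's view: a small Python detector that reads firewall log lines and flags a source that probes many distinct ports on one host (port scan) or sends ICMP echo requests to many distinct hosts (ping sweep). The log lines are constructed for this example in the style of Linux netfilter syslog output, and the thresholds are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample log lines (netfilter/iptables style, invented for this example).
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
Mar  3 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 SYN
Mar  3 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=3389 SYN
Mar  3 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=8080 SYN
Mar  3 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=445 SYN
Mar  3 10:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.2 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.3 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.4 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:05:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.50 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
"""


def _field(line, key):
    """Return the value of a KEY=value token in a netfilter log line, or None."""
    m = re.search(rf"\b{key}=(\S*)", line)
    return m.group(1) if m else None


def parse_line(line):
    """Extract source, destination, protocol, destination port and ICMP type."""
    src, dst, proto = _field(line, "SRC"), _field(line, "DST"), _field(line, "PROTO")
    if not (src and dst and proto):
        return None
    dpt, icmp_type = _field(line, "DPT"), _field(line, "TYPE")
    return {
        "src": src,
        "dst": dst,
        "proto": proto,
        "dpt": int(dpt) if dpt else None,
        "icmp_type": int(icmp_type) if icmp_type else None,
    }


def detect_recon(lines, port_threshold=5, host_threshold=5):
    """Flag sources whose distinct-port or distinct-host fan-out exceeds a threshold.

    Thresholds are assumptions; a real deployment would also bound them in time.
    """
    ports_by_src = defaultdict(set)   # src -> distinct TCP/UDP destination ports
    hosts_by_src = defaultdict(set)   # src -> distinct hosts sent an ICMP echo request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] in ("TCP", "UDP") and rec["dpt"] is not None:
            ports_by_src[rec["src"]].add(rec["dpt"])
        elif rec["proto"] == "ICMP" and rec["icmp_type"] == 8:   # type 8 = echo request
            hosts_by_src[rec["src"]].add(rec["dst"])
    return {
        "port_scans": {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= port_threshold},
        "ping_sweeps": {s: sorted(h) for s, h in hosts_by_src.items() if len(h) >= host_threshold},
    }


if __name__ == "__main__":
    findings = detect_recon(SAMPLE_LOG.splitlines())
    for src, ports in findings["port_scans"].items():
        print(f"port scan from {src}: ports {ports}")
    for src, hosts in findings["ping_sweeps"].items():
        print(f"ping sweep from {src}: hosts {hosts}")
```

On the constructed input the single-port connection from 198.51.100.50 is not flagged, which is the point of counting distinct ports rather than raw packets: ordinary clients hit one or two services, scanners fan out.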
4. Whois lookup
This method queries the Whois database to collect basic information such as the domain name, IP address block, location, and much more about the organization.
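As an added example (not part of the original article, and not a real registry record), here is a small Python parser for the "Key: value" text a Whois server returns, followed by a summary a defender can act on: how old the domain is, which name servers it publishes, whether DNSSEC is enabled, and whether a registrant contact is exposed rather than privacy-protected. The sample record, the domain and all dates are constructed; the 90-day "newly registered" cut-off is an assumption.

```python
from datetime import datetime

# Constructed sample Whois record (format modelled on typical registry output;
# the domain, dates and contacts are invented for this example).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.TEST
Registry Domain ID: D0000000-TEST
Registrar: Example Registrar, Inc.
Creation Date: 2024-12-20T00:00:00Z
Registry Expiry Date: 2025-12-20T00:00:00Z
Registrant Organization: Example Target Ltd
Registrant Country: US
Registrant Email: admin@example-target.test
Name Server: NS1.EXAMPLE-TARGET.TEST
Name Server: NS2.EXAMPLE-TARGET.TEST
DNSSEC: unsigned
>>> Last update of WHOIS database: 2025-03-01T00:00:00Z <<<
"""

# Substrings that registrars commonly use when contact data is privacy-protected
# (an assumption for this example; real output varies by registrar).
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict of lowercase key -> list of values.

    Repeated keys such as 'Name Server' accumulate; footer lines are skipped.
    """
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def summarize(record, as_of, new_domain_days=90):
    """Reduce a parsed record to the facts a defender reviews about a domain."""
    created = datetime.strptime(record["creation date"][0], "%Y-%m-%dT%H:%M:%SZ")
    age_days = (as_of - created).days
    email = record.get("registrant email", [""])[0].lower()
    return {
        "domain": record["domain name"][0].lower(),
        "registrar": record["registrar"][0],
        "age_days": age_days,
        "newly_registered": age_days < new_domain_days,
        "name_servers": [ns.lower() for ns in record.get("name server", [])],
        "dnssec": record.get("dnssec", ["unknown"])[0].lower(),
        # True when a real mailbox is published instead of a privacy-service address
        "contact_exposed": bool(email) and not any(m in email for m in PRIVACY_MARKERS),
    }


if __name__ == "__main__":
    summary = summarize(parse_whois(SAMPLE_WHOIS), as_of=datetime(2025, 3, 1))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The same summary serves two audiences: for your own domains it shows what an attacker can read (published contacts, unsigned DNS); for an unfamiliar domain seen in mail or proxy logs, a very young registration age is a common triage signal.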
Example of Footprinting
Let’s see an example of footprinting using the Linux tool p0f.
p0f is a passive TCP/IP stack fingerprinting tool to identify the system running on machines that send network traffic to the box it is running on, or to a machine that shares a medium with the machine on which it is running. p0f can also assist in analyzing other aspects of the remote system. Basically, it is a tool used to perform a forensic investigation of a system that has been compromised or is under attack. Using this tool, you can analyze the structure of TCP/IP packets to determine OS and other configurations of the target host. Let’s check how to do this.
- Step 1 – Open a Linux terminal and type p0f
- Step 2 – Explore your target host using any browser
Once the connection is established with the target host, the client will start to interact with the server.
You can see that my client IP 10.0.2.15 has established a connection with the target web server 126.96.36.199 using port 80.
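To show what p0f actually reads out of that connection, here is an added example in Python. It is not p0f's code and not part of the original article: it constructs two raw IPv4+TCP SYN packets (a Linux-style one and a Windows-style one, both invented for the example), parses the fields a passive fingerprinter cares about (TTL, DF bit, window size and the TCP option order), estimates the hop distance by rounding the TTL up to a common initial value, and matches against a deliberately tiny signature table. That table is a simplified assumption for illustration; p0f ships a much larger and more precise database.

```python
import struct

# Simplified signature table (an assumption for this example; p0f's real database
# is far larger). Each entry: initial TTL, DF bit and TCP option order in the SYN.
SIGNATURES = [
    {"os": "Linux (3.x or later)", "ittl": 64, "df": True,
     "options": ["mss", "sok", "ts", "nop", "ws"]},
    {"os": "Windows (7 or later)", "ittl": 128, "df": True,
     "options": ["mss", "nop", "ws", "nop", "nop", "sok"]},
]


def build_syn(ttl, window, df, options, src=(10, 0, 2, 15), dst=(192, 0, 2, 10)):
    """Construct a minimal IPv4 + TCP SYN packet (constructed test input, not a
    capture; checksums are left at zero since nothing here verifies them)."""
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0, "TCP options must be padded to a 4-byte boundary"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, bytes(src), bytes(dst))
    off_flags = ((tcp_len // 4) << 12) | 0x02          # data offset in words, SYN flag
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, window, 0, 0)
    return ip + tcp + options


def parse_syn(pkt):
    """Extract the fields a passive fingerprinter looks at from a raw SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    ttl = pkt[8]
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, names, mss, wscale, i = tcp[20:data_off], [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP carries no length byte
            names.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
            names.append("mss")
        elif kind == 3:
            wscale = opts[i + 2]
            names.append("ws")
        elif kind == 4:
            names.append("sok")             # SACK permitted
        elif kind == 8:
            names.append("ts")              # timestamps
        else:
            names.append(f"opt{kind}")
        i += length
    return {"ttl": ttl, "df": df, "window": window, "mss": mss,
            "wscale": wscale, "options": names}


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    return next((b for b in (32, 64, 128, 255) if observed <= b), 255)


def fingerprint(pkt):
    """Return (os_guess, hop_distance, fields); os_guess is 'unknown' on no match."""
    f = parse_syn(pkt)
    ittl = initial_ttl(f["ttl"])
    for sig in SIGNATURES:
        if sig["ittl"] == ittl and sig["df"] == f["df"] and sig["options"] == f["options"]:
            return sig["os"], ittl - f["ttl"], f
    return "unknown", ittl - f["ttl"], f


# Constructed packets: a Linux-style and a Windows-style SYN, each 6 hops away.
LINUX_OPTS = (bytes([2, 4, 0x05, 0xB4]) + bytes([4, 2]) + bytes([8, 10]) + bytes(8)
              + bytes([1]) + bytes([3, 3, 7]))
WINDOWS_OPTS = (bytes([2, 4, 0x05, 0xB4]) + bytes([1]) + bytes([3, 3, 8])
                + bytes([1, 1]) + bytes([4, 2]))
LINUX_SYN = build_syn(ttl=58, window=29200, df=True, options=LINUX_OPTS)
WINDOWS_SYN = build_syn(ttl=122, window=8192, df=True, options=WINDOWS_OPTS)

if __name__ == "__main__":
    for name, pkt in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN)):
        os_guess, hops, fields = fingerprint(pkt)
        print(f"{name}: {os_guess}, {hops} hops away, "
              f"window={fields['window']}, mss={fields['mss']}")
```

Two caveats carry over to real p0f output: the hop distance is only as good as the initial-TTL guess, and NAT devices, load balancers or deliberately tuned stacks can present a SYN that matches nothing or matches the wrong entry, so treat the OS guess as evidence rather than proof.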