CEH Lab Manual
Footprinting and Reconnaissance
Module 02

Footprinting and Reconnaissance

Footprinting refers to collecting as much information as possible regarding a target network from publicly accessible sources.

Lab Scenario

Reconnaissance refers to collecting information about a target, which is the first step in any attack on a system. It has its roots in military operations, where the term refers to the mission of collecting information about an enemy. Reconnaissance helps attackers narrow down the scope of their efforts and aids in the selection of weapons of attack. Attackers use the gathered information to create a blueprint, or "footprint," of the organization, which helps them select the most effective strategy to compromise the system and network security.

Similarly, the security assessment of a system or network starts with the reconnaissance and footprinting of the target. Ethical hackers and penetration (pen) testers must collect enough information about the target of the evaluation before initiating assessments. Ethical hackers and pen testers should simulate all the steps that an attacker usually follows to obtain a fair idea of the security posture of the target organization.

In this scenario, you work as an ethical hacker with a large organization. Your organization is alarmed at the news stories concerning new attack vectors plaguing large organizations around the world. Furthermore, your organization was the target of a major security breach in the past where the personal data of several of its customers were exposed to social networking sites. You have been asked by senior managers to perform a proactive security assessment of the company.
Before you can start any assessment, you should discuss and define the scope with management; the scope of the assessment identifies the systems, network, policies and procedures, human resources, and any other component of the system that requires security evaluation. You should also agree with management on rules of engagement (RoE)—the "do's and don'ts" of assessment. Once you have the necessary approvals to perform ethical hacking, you should start gathering information about the target organization.

Once you methodologically begin the footprinting process, you will obtain a blueprint of the security profile of the target organization. The term "blueprint" refers to the unique system profile of the target organization as the result of footprinting.

The labs in this module will give you real-time experience in collecting a variety of information about the target organization from various open or publicly accessible sources.

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Note: Tools demonstrated in this lab are available in E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance

Lab Objectives

The objective of the lab is to extract information about the target organization that includes, but is not limited to:

* Organization Information: Employee details, partner details, weblinks, web technologies, patents, trademarks, etc.
* Network Information: Domains, sub-domains, network blocks, network topologies, trusted routers, firewalls, IP addresses of the reachable systems, the Whois record, DNS records, and other related information
* System Information: Operating systems, web server OSes, user accounts and passwords, etc.
Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration

Time: 200 Minutes

Overview of Footprinting

Footprinting refers to the process of collecting information about a target network and its environment, which helps in evaluating the security posture of the target organization's IT infrastructure. It also helps to identify the level of risk associated with the organization's publicly accessible information.

Footprinting can be categorized into passive footprinting and active footprinting:

* Passive Footprinting: Involves gathering information without direct interaction. This type of footprinting is principally useful when there is a requirement that the information-gathering activities are not to be detected by the target.
* Active Footprinting: Involves gathering information with direct interaction. In active footprinting, the target may recognize the ongoing information gathering process, as we overtly interact with the target network.

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to collect information about the target. Recommended labs that will assist you in learning various footprinting techniques include:

1 Perform Footprinting Through Search Engines
  1.1 Gather Information using Advanced Google Hacking Techniques
  1.2 Gather Information from Video Search Engines
  1.3 Gather Information from FTP Search Engines
  1.4 Gather Information from IoT Search Engines
2 Perform Footprinting Through Web Services
  2.1 Find the Company's Domains and Sub-domains using Netcraft
  2.2 Gather Personal Information using PeekYou Online People Search Service
  2.3 Gather an Email List using theHarvester
  2.4 Gather Information using Deep and Dark Web Searching
  2.5 Determine Target OS Through Passive Footprinting
3 Perform Footprinting Through Social Networking Sites
  3.1 Gather Employees' Information from LinkedIn using theHarvester
  3.2 Gather Personal Information from Various Social Networking Sites using Sherlock
  3.3 Gather Information using Followerwonk
4 Perform Website Footprinting
  4.1 Gather Information About a Target Website using Ping Command Line Utility
  4.2 Gather Information About a Target Website using Website Informer
  4.3 Extract a Company's Data using Web Data Extractor
  4.4 Mirror Target Website using HTTrack Web Site Copier
  4.5
5 Perform Email Footprinting
  5.1 Gather Information About a Target by Tracing Emails using eMailTrackerPro
6 Perform Whois Footprinting
  6.1 Perform Whois Lookup using DomainTools
7 Perform DNS Footprinting
  7.1 Gather DNS Information using nslookup Command Line Utility and Online Tool
  7.2 Perform Reverse DNS Lookup using Reverse IP Domain Check and DNSRecon
8 Perform Network Footprinting
  8.1 Locate the Network Range
  8.2 Perform Network Tracerouting in Windows and Linux Machines
  8.3 Perform Advanced Network Route Tracing using Path Analyzer Pro
9 Perform Footprinting using Various Footprinting Tools
  9.1 Footprinting a Target using Recon-ng
  9.2 Footprinting a Target using Maltego
  9.3 Footprinting a Target using OSRFramework
  9.4 Footprinting a Target using FOCA
  9.5 Footprinting a Target using BillCipher
  9.6 Footprinting a Target using OSINT Framework

Remark: EC-Council has prepared a considerable amount of lab exercises for students to practice during the 5-day class and at their free time.

*Core - Lab exercise(s) marked under Core are recommended by EC-Council to be practised during the 5-day class.
**Self-study - Lab exercise(s) marked under Self-study is for students to practise at their free time. Steps to access the additional lab exercises can be found in the first page of CEHv11 volume 1 book.
***iLabs - Lab exercise(s) marked under iLabs are available in our iLabs solution. iLabs is a cloud-based virtual lab environment preconfigured with vulnerabilities, exploits, tools and scripts, and can be accessed from anywhere with an Internet connection. If you are interested to learn more about our iLabs solution, please contact your training center or visit https://ilabs.eccouncil.org.

Lab Analysis

Analyze and document all the results discovered in the lab exercise. Give your opinion on your target's security posture and exposure through free public information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB.

Perform Footprinting Through Search Engines

Search engines are the main information sources to extract critical information about a target organization from the Internet.
Lab Scenario

As a professional ethical hacker or pen tester, your first step is to gather maximum information about the target organization by performing footprinting using search engines; you can perform advanced image searches, reverse image searches, advanced video searches, etc. Through the effective use of search engines, you can extract critical information about a target organization such as technology platforms, employee details, login pages, intranet portals, contact details, etc., which will help you in performing social engineering and other types of advanced system attacks.

Lab Objectives

* Gather information using advanced Google hacking techniques
* Gather information from video search engines
* Gather information from FTP search engines
* Gather information from IoT search engines

Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Administrator privileges to run the tools
* Web browsers with an Internet connection

Lab Duration

Time: 20 Minutes

Overview of Search Engines

Search engines use crawlers, automated software that continuously scans active websites, and add the retrieved results to the search engine index, which is further stored in a huge database. When a user queries a search engine index, it returns a list of Search Engine Results Pages (SERPs). These results include web pages, videos, images, and many different file types ranked and displayed based on their relevance. Examples of major search engines include Google, Bing, Yahoo, Ask, Aol, Baidu, Wolfram Alpha, and DuckDuckGo.

Lab Tasks

Task 1: Gather Information using Advanced Google Hacking Techniques

Note: Here, we will consider EC-Council as a target organization.

Note: Advanced Google hacking refers to the art of creating complex search engine queries by employing advanced Google operators to extract sensitive or hidden information about a target company from the Google search results. This can provide information about websites that are vulnerable to exploitation.

1. Turn on the Windows 10 virtual machine.
2. Log in to the Windows 10 virtual machine with Username: Admin and Password: PaS$wOrd.
3. Open any web browser (here, Mozilla Firefox) and navigate to https://www.google.com.
   Note: If the Default Browser pop-up window appears, uncheck the Always perform this check when starting Firefox checkbox.
   Note: If a New in Firefox: Content Blocking pop-up window appears, follow the step and click Got it to finish viewing the information.
   Figure 1.1.2: Default Browser pop-up window
4. Once the Google search engine appears, you should see a search bar.
   Note: If any pop-up window appears at the top-right corner, click No, thanks.
   Figure 1.1.3: Google search bar
5. Type intitle:password site:www.eccouncil.org and press Enter. This search command uses intitle and site Google advanced operators, which restrict results to pages on the www.eccouncil.org website that contain the term password in the title. An example is shown in the screenshot below.
   Figure 1.1.4: Search results with advanced Google operators
6. Now, navigate back to https://www.google.com. In the search bar, type the command EC-Council filetype:pdf and press Enter to search your results based on the file extension.
   Note: Here, the file type pdf is searched for the target organization EC-Council.
7. Now, click on any link from the results (here, first link) to view the pdf file.
   Figure 1.1.5: Results having various pdf files
8. The page appears displaying the PDF file, as shown in the screenshot.
9. Apart from the aforementioned advanced Google operators, you can also use the following to perform an advanced search to gather more information about the target organization from publicly available sources.
   * cache: This operator allows you to view cached version of the web page. [cache:www.google.com]—Query returns the cached version of the website www.google.com
   * allinurl: This operator restricts results to pages containing all the query terms specified in the URL. [allinurl: google career]—Query returns only pages containing the words "google" and "career" in the URL
   * inurl: This operator restricts the results to pages containing the word specified in the URL. [inurl: copy site:www.google.com]—Query returns only pages in Google site in which the URL has the word "copy"
   * allintitle: This operator restricts results to pages containing all the query terms specified in the title. [allintitle: detect malware]—Query returns only pages containing the words "detect" and "malware" in the title
   * inanchor: This operator restricts results to pages containing the query terms specified in the anchor text on links to the page. [Anti-virus inanchor:Norton]—Query returns only pages with anchor text on links to the pages containing the word "Norton" and the page containing the word "Anti-virus"
   * allinanchor: This operator restricts results to pages containing all query terms specified in the anchor text on links to the page. [allinanchor: best cloud service provider]—Query returns only pages in which the anchor text on links to the pages contain the words "best," "cloud," "service," and "provider"
   * link: This operator searches websites or pages that contain links to the specified website or page. [link:www.googleguide.com]—Finds pages that point to Google Guide's home page
   * related: This operator displays websites that are similar or related to the URL specified. [related:www.certifiedhacker.com]—Query provides the Google search engine results page with websites similar to certifiedhacker.com
   * info: This operator finds information for the specified web page. [info:gothotel.com]—Query provides information about the national hotel directory GotHotel.com home page
   * location: This operator finds information for a specific location. [location: 4 seasons restaurant]—Query gives you results based around the term 4 seasons restaurant
10. This concludes the demonstration of gathering information using advanced Google hacking techniques. You can conduct a series of queries on your own by using these advanced Google operators and gather the relevant information about the target organization.
11. Close all open windows and document all the acquired information.

Task 2: Gather Information from Video Search Engines

Note: Video search engines are Internet-based search engines that crawl the web looking for video content. These search engines either provide the functionality of uploading and hosting the video content on their own web servers or they can parse the video content, which is hosted externally.

Here, we will perform an advanced video search and reverse image search using the YouTube search engine and Youtube DataViewer video analysis tool.

1. In the Windows 10 virtual machine, open any web browser (here, Mozilla Firefox) and navigate to https://www.youtube.com/
2. In the search bar, search for your target organization (here, ec-council). You will see all the latest videos uploaded by the target organization.
   Figure 1.2.1: YouTube search result for ec-council query
3. Select any video of your choice, right-click on the video title, and click Copy Link Location (here, Top 3 Struggles with IGA by Bill Glynn and Mike Lynch).
   Figure 1.2.2: Copy Link Location
4. After the video link is copied, open another browser tab in Mozilla Firefox, and then navigate to https://citizenevidence.amnestyusa.org/. In the Enter YouTube URL search box, paste the copied YouTube video link and click Go.
   Figure 1.2.3: Paste copied YouTube link
5. In the search result, you can observe the details related to the video such as Topic Abstract, Video ID, Upload Date, Upload Time, etc. You can also find Thumbnails to perform a reverse image search. Click on the reverse image search option for any thumbnail.
   Note: You can use other video search engines such as Google videos, Yahoo videos, VideoReverser.com, etc. and reverse image search tools such as TinEye Reverse Image Search, Yahoo Image Search, etc. to gather crucial information about the target organization.
   Figure 1.2.4: Youtube DataViewer Result
6. A new tab in Google opens, and the results for the reverse image search are displayed.
7. This concludes the demonstration of gathering information from the advanced video search and reverse image search using the YouTube search engine and Youtube DataViewer video analysis tool.
8. Close all open windows and document all acquired information.

Task 3: Gather Information from FTP Search Engines

Here, we will use the NAPALM FTP indexer FTP search engine to extract critical FTP information about the target organization.

Note: File Transfer Protocol (FTP) search engines are used to search for files located on FTP servers; these files may hold valuable information about the target organization.

1. In the Windows 10 virtual machine, open any web browser (here, Mozilla Firefox) and navigate to https://www.searchftps.net/
2. In the search bar, type microsoft and click Search.
   Figure: NAPALM FTP indexer
3. You will get the search results with the details of the FTP in the target organization, as shown in the screenshot.
   Note: You can also use FTP search engines such as Global FTP Search Engine, FreewareWeb FTP File Search, etc. to gather crucial FTP information about the target organization.
   Figure: FTP search result
4. This concludes the demonstration of gathering information from the FTP search engine.
5. Close all open windows and document all the acquired information.

Task 4: Gather Information from IoT Search Engines

Here, we will search for information about any vulnerable IoT device in the target organization using the Shodan IoT search engine.

1. In the Windows 10 virtual machine, open any web browser (here, Mozilla Firefox) and navigate to https://www.shodan.io/.
2. In the search bar, type amazon and press Enter. You will obtain the search results with the details of all the vulnerable IoT devices related to amazon in various countries, as shown in the screenshot.
   Note: IoT search engines crawl the Internet for IoT devices that are publicly accessible. These search engines provide crucial information, including control of SCADA (Supervisory Control and Data Acquisition) systems, traffic control systems, Internet-connected household appliances, industrial appliances, CCTV cameras, etc.
   Note: You can also use Censys (https://censys.io), Thingful (https://www.thingful.net), etc., which are IoT search engines, to gather information such as manufacturer details, geographical location, IP address, hostname, open ports, etc.
   Note: The screenshot might differ in your lab environment.
   Figure 1.4.1: Shodan search result
3. This concludes the demonstration of gathering vulnerable IoT information using the Shodan search engine.
4. Close all open windows and document all the acquired information.
5. Turn off the Windows 10 virtual machine.

Lab Analysis

Analyze and document all the results discovered in the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB.

Perform Footprinting Through Web Services

Web services are online applications or sources that provide a variety of publicly accessible information related to the target organization.

Note: Tools demonstrated in this lab are available in E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance

Lab Scenario

As a professional ethical hacker or pen tester, you should be able to extract a variety of information about your target organization from web services. By doing so, you can extract critical information such as a target organization's domains, sub-domains, operating systems, geographic locations, employee details, emails, financial information, infrastructure details, hidden web pages and content, etc.
Using this information, you can build a hacking strategy to break into the target organization's network and can carry out other types of advanced system attacks.

Lab Objectives

* Find the company's domains and sub-domains using Netcraft
* Gather personal information using PeekYou online people search service
* Gather an email list using theHarvester
* Gather information using deep and dark web searching
* Determine target OS through passive footprinting

Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Parrot Security virtual machine
* Administrator privileges to run the tools
* Web browsers with an Internet connection
* Tor Browser located at E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Deep and Dark Web Footprinting Tools\Tor Browser
* You can also download the latest version of Tor Browser from its official website. If you decide to download the latest version, the screenshots shown in the lab might differ.

Lab Duration

Time: 25 Minutes

Overview of Web Services

Web services such as social networking sites, people search services, alerting services, financial services, and job sites provide information about a target organization; for example, infrastructure details, physical location, employee details, etc. Moreover, groups, forums, and blogs may provide sensitive information about a target organization such as public network information, system information, and personal information. Internet archives may provide sensitive information that has been removed from the World Wide Web (WWW).

Lab Tasks

Task 1: Find the Company's Domains and Sub-domains using Netcraft

Here, we will extract the company's domains and sub-domains using the Netcraft web service.

1. Turn on the Windows 10 virtual machine.
   Note: Domains and sub-domains are part of critical network infrastructure for any organization. A company's top-level domains (TLDs) and sub-domains can provide much useful information such as organizational history, services and products, and contact information. A public website is designed to show the presence of an organization on the Internet and is available for free access.
2. Log in to the Windows 10 virtual machine with Username: Admin and Password: PaS$wOrd.
3. Open a web browser (here, Mozilla Firefox), type the URL https://www.netcraft.com in the address bar, and press Enter. The site appears, as shown in the screenshot.
   Figure 2.1.1: Netcraft website
4. Click the Resources tab from the menu bar and click on the Site Report link under the Tools section.
5. The What's that site running? page appears. To extract information associated with the organizational website such as infrastructure, technology used, sub domains, background, network, etc., type the target website's URL (here, https://www.eccouncil.org) in the text field, and then click the Lookup button, as shown in the screenshot.
   Figure 2.1.3: Enter the target website
6. The Site report for https://www.eccouncil.org page appears, containing information related to Background, Network, Hosting History, etc., as shown in the screenshot.
   Figure 2.1.4: Report generated by Netcraft
   Note: You can also use tools such as Sublist3r, Pentest-Tools Find Subdomains, etc. to identify the domains and sub-domains of any target website.
7. In the Network section, click on the website link (here, eccouncil.org) in the Domain field to view the subdomains.
   Figure 2.1.5: Report generated by Netcraft showing domain information
8. The result will display subdomains of the target website along with netblock and operating system information, as shown in the screenshot.
   Figure 2.1.6: Report generated by Netcraft showing subdomains
9. This concludes the demonstration of finding the company's domains and sub-domains using the Netcraft tool.
10. Close all open windows and document all the acquired information.

Task 2: Gather Personal Information using PeekYou Online People Search Service

Note: Online people search services are used by many individuals to find personal information about others.

Here, we will gather information about a person from the target organization by performing people search using the PeekYou online people search service.

1. In the Windows 10 virtual machine, open any web browser (here, Mozilla Firefox) and navigate to https://www.peekyou.com.
2. In the First Name and Last Name fields, type Satya and Nadella, respectively. In the Location drop-down box, select Washington, DC. Then, click the Search icon.
3. The people search begins, and the best matches for the provided search are displayed.
   Figure 2.2.2: PeekYou search
4. You can further click on the appropriate result to view the detailed information about the target person.
   Note: After you click on any result, you will be redirected to a different website and it will take some time to load the information about the target person.
5. Scroll down to view the entire information about the target person.
   Note: You can also use other online people search services such as Pipl and BeenVerified.
   Figure 2.2.3: PeekYou search result
6. This concludes the demonstration of gathering personal information using the PeekYou online people search service.
7. Close all open windows and document all the acquired information.

Task 3: Gather an Email List using theHarvester

Here, we will gather the list of email IDs related to a target organization using theHarvester tool.

Note: Gathering the email IDs of critical personnel is one of the key tasks of ethical hackers.

1. Turn on Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.
   Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
   Note: If a Question pop-up window appears asking you to update the machine, click No to close the window.
3. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
5. In the [sudo] password for attacker field, type toor as a password and press Enter.
   Note: The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root directory.
Note: theHarvester draws on public sources such as search engines, PGP key servers, and the SHODAN computer database to extract valuable information about the target. It helps ethical hackers and pen testers in the early stages of the test.
7. In the terminal window, type theHarvester -d microsoft.com -l 200 -b baidu and press Enter.
Note: In this command, -d specifies the domain or company name to search, -l specifies the number of results to be retrieved, and -b specifies the data source.
Note: Here, we specify the Baidu search engine as a data source. You can specify different data sources (e.g., Baidu, bing, bingapi, dogpile, Google, GoogleCSE, Googleplus, Google-profiles, linkedin, pgp, twitter, vhost, virustotal, threatcrowd, crtsh, netcraft, yahoo, all) to gather information about the target.
8. theHarvester starts extracting the details and displays them on the screen. Scroll down to see the email IDs related to the target company from the Baidu source. It will also extract the target company hosts.
Note: Screenshots shown in this lab might differ.
Figure 2.3.5: theHarvester
9. This concludes the demonstration of gathering an email list using theHarvester.
10. Close all open windows and document all the acquired information.
11. Turn off the Parrot Security virtual machine.

Task 4: Gather Information using Deep and Dark Web Searching
Here, we will understand the difference between surface web search and dark web search using Mozilla Firefox and Tor Browser.
Note: The deep web consists of web pages and content that are hidden and unindexed and cannot be located using a traditional web browser and search engines. It can be accessed by search engines such as Tor Browser and The WWW Virtual Library. The dark web, or darknet, is a subset of the deep web where anyone can navigate anonymously without being traced. Deep and dark web search can provide critical information such as credit card details, passport information, identification card details, medical records, social media accounts, Social Security Numbers (SSNs), etc.
1. Switch to the Windows 10 virtual machine. Log in to the Windows 10 virtual machine with Username: Admin and Password: Pa$$w0rd.
2. Open a File Explorer, navigate to E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Deep and Dark Web Footprinting Tools\Tor Browser, and double-click torbrowser-install-win64-
3. If the Open File - Security Warning window appears, click Run.
4. If the User Account Control pop-up appears, click Yes.
5. If the Installer Language window appears, select your preferred language (here, English) and click OK.
6. The Tor Browser Setup window appears. Follow the wizard steps (by selecting default options) to install Tor Browser.
7. After the installation is complete, click the Finish button to launch Tor Browser.
Figure 2.4.1: Tor Browser installation complete
8. The Connect to Tor window appears. Click the Connect button to directly browse through Tor Browser's default settings.
Note: If Tor is censored in your country or if you want to connect through Proxy, click the Configure button and continue.
Figure 2.4.2: Tor Browser Connect
9. After a few seconds, the Tor Browser home page appears. The main advantage of Tor Browser is that it maintains the anonymity of the user throughout the session.
Figure 2.4.3: Tor Browser Home Page

Task 4.1: Perform Surface Web Search
10. As an ethical hacker, you need to collect all possible information related to the target organization from the dark web. Before doing so, you must know the difference between surface web searching and dark web searching.
11. To understand surface web searching, first minimize Tor Browser and open Mozilla Firefox. Navigate to www.google.com; in the Google search bar, search for information related to hacker for hire. You will be presented with much irrelevant data, as shown in the screenshot.
Figure 2.4.4: Normal search

Task 4.2: Perform Deep and Dark Web
12. Now switch to Tor Browser and search for the same (i.e., hacker for hire). You will find the relevant links related to the professional hackers who operate underground through the dark web.
Note: Tor uses the DuckDuckGo search engine to perform a dark web search. The results may vary in your environment.
13. Now, click on the toggle button that specifies the country of VPN/Proxy (here, by default Germany is selected) and select a relevant country (here, Australia).
Note: The default country of VPN/Proxy may vary in your environment, since it is randomly chosen by Tor while initiating a session.
Figure 2.4.5: VPN/Proxy setting for the search
14. Search results for hacker for hire will be loaded, as shown in the screenshot. Click to open any of the search results (here, https://hackerforhire.com).
Note: Screenshots shown in this lab might differ.
Figure 2.4.6: Tor dark web search result
Note: You can also use tools such as ExoneraTor, OnionLand Search (https://onionlandsearchengine.com), etc. to perform deep and dark web browsing.
15. The https://hackerforhire.com webpage opens up, as shown in the screenshot. You can see that the site belongs to professional hackers who
Figure 2.4.7: hackerforhire.com website
16. Hackerforhire.com is an example. These search results will help you in identifying professional hackers. However, as an ethical hacker, you can gather critical and sensitive information about your target organization using deep and dark web search.
17. You can also anonymously explore the following onion sites using Tor Browser to gather other relevant information about the target organization:
* The Hidden Wiki is an onion site that works as a Wikipedia service of hidden websites.
(http://zqktlwis fecvo6ri.onion/wiki/index.php/Main_Page)
* FakeID is an onion site for creating fake passports (http://fakeidskhfik46ux.onion/)
* The Paypal Cent is an onion site that sells PayPal accounts with good balances (http://nare7pqnmnojs2pe.onion/)
18. This concludes the demonstration of gathering information using deep and dark web searching using Tor Browser.
19. Close all open windows and document all the acquired information.

Task 5: Determine Target OS Through Passive Footprinting
Here, we will gather target OS information through passive footprinting using the Censys web service.
1. In the Windows 10 virtual machine, open any web browser (here, Mozilla Firefox) and navigate to https://censys.io/domain?q=.
2. In the Websites search bar, type the target website (here, eccouncil.org) and press Enter. From the results, click any result (here, eccouncil.org) from which you want to gather the OS details.
Note: Screenshots shown in this lab might differ.
Figure 2.5.1: Censys
3. The eccouncil.org page appears, as shown in the screenshot. Under the Basic Information section, you can observe that the OS is Windows. Apart from this, you can also observe that the Server on which the HTTP is running is cloudflare.
Note: Screenshots shown in this lab might differ.
Figure 2.5.2: Censys details
4. This concludes the demonstration of gathering OS information through passive footprinting using the Censys web service.
5. Close all open windows and document all the acquired information.
6. Turn off the Windows 10 virtual machine.
Note: You can also use web services such as Netcraft to gather OS information of the target through passive footprinting.

Lab Analysis
Analyze and document all the results discovered in the lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB.
Platform Supported: Classroom, iLabs

Perform Footprinting Through Social Networking Sites
Social networking services are online services, platforms, or sites that focus on facilitating the building of social networks or social relations among people.

Lab Scenario
As a professional ethical hacker, during information gathering, you need to gather personal information about employees working in critical positions in the target organization; for example, the Chief Information Security Officer, Security Architect, or Network Administrator. By footprinting through social networking sites, you can extract personal information such as name, position, organization name, current location, and educational qualifications. Further, you can find professional information such as company or business, current location, phone number, email ID, photos, videos, etc.
The information gathered can be useful to perform social engineering and other types of advanced attacks.

Lab Objectives
* Gather employees' information from LinkedIn using theHarvester
* Gather personal information from various social networking sites using Sherlock
* Gather information using Followerwonk

Lab Environment
To carry out this lab, you need:
* Windows 10 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration
Time: 15 Minutes

Overview of Social Networking Sites
Social networking sites are online services, platforms, or other sites that allow people to connect and build interpersonal relations. People usually maintain profiles on social networking sites to provide basic information about themselves and to help make and maintain connections with others; the profile generally contains information such as name, contact information (cellphone number, email address), friends' information, information about family members, their interests, activities, etc. On social networking sites, people also post their personal information such as date of birth, educational information, employment background, spouse's names, etc. Organizations often post information such as potential partners, websites, and upcoming news about the company. Thus, social networking sites often prove to be valuable information resources. Examples of such sites include LinkedIn, Facebook, Instagram, Twitter, Pinterest, YouTube, etc.

Lab Tasks

Task 1: Gather Employees' Information from LinkedIn using theHarvester
Here, we will gather information about the employees (name and job title) of a target organization that is available on LinkedIn using the theHarvester tool.
Note: LinkedIn is a social networking website for industry professionals. The site contains personal information such as name, position, organization name, current location, and educational qualifications.
1. Turn on the Parrot Security virtual machine.
2. On the login page, the attacker username will be selected by default. Enter the password toor in the Password field and press Enter to log in to the machine.
Note:
* If a Parrot Updater pop-up appears at the top-right corner of the Desktop, ignore and close it.
* If a Question pop-up window appears asking you to update the machine, click No to close the window.
3. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
5. In the [sudo] password for attacker field, type toor as the password and press Enter.
Note: The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root directory.
7. In the terminal window, type theHarvester -d eccouncil -l 200 -b linkedin and press Enter to see 200 results of EC-Council from the LinkedIn source. Scroll down to view all the 200 results of the employees of the EC-Council.
Note: In this command, -d specifies the domain or company name to search, -l specifies the number of results to be retrieved, and -b specifies the data source as LinkedIn.
8. This concludes the demonstration of gathering employees' information from LinkedIn using theHarvester.
9. Close all open windows and document all the acquired information.

Task 2: Gather Personal Information from Various Social Networking Sites using Sherlock
1. In the Parrot Security virtual machine, click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
2. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
3. In the [sudo] password for attacker field, type toor as the password and press Enter.
Note: The password that you type will not be visible.
4. Now, type cd and press Enter to jump to the root directory.
5. In the Parrot Terminal window, type git clone https://github.com/sherlock-project/sherlock.git and press Enter.
Figure 3.2.5: Cloning Sherlock
Note: You can also access the tool repository from the CEH-Tools folder available in the Windows 10 virtual machine, in case the GitHub link does not exist or you are unable to clone the tool repository. Follow the steps below in order to access the CEH-Tools folder from the Parrot Security virtual machine:
* Open any explorer window and press Ctrl+L. The Location field appears; type smb://10.10.10.10 and press Enter to access Windows 10 shared folders.
Figure: Accessing Windows 10 shared folders
* The security pop-up appears; enter the Windows 10 virtual machine credentials (Username: Admin and Password: Pa$$w0rd) and click Connect.
* The Windows shares on 10.10.10.10 window appears; navigate to the location CEH-Tools/CEHv11 Module 02 Footprinting and Reconnaissance/GitHub Tools/ and copy the sherlock folder.
* Paste the copied sherlock folder on the location /home/attacker/.
* In the terminal window, type mv /home/attacker/sherlock /root/.
6. Type cd sherlock and press Enter to navigate to the sherlock folder.
7. To install the python-pip requirements, type python3 -m pip install -r requirements.txt and press Enter. Once the installation is complete, type cd sherlock and press Enter.
8. Now, type python3 sherlock.py satya nadella and press Enter. You will get all the URLs related to Satya Nadella, as shown in the screenshot. Scroll down to view all the results.
Note: You can also use tools such as Social Searcher and UserRecon to gather additional information related to the target company and its employees from social networking sites.
Note: Followerwonk is an online tool for digging into Twitter analytics; for example: Who are your followers? Where are they located? When do they tweet? This can be used to gather Twitter information about a target.
Figure 3.2.11: Sherlock search results
9. This concludes the demonstration of gathering personal information from various social networking sites using Sherlock.
10. Close all open windows and document all the acquired information.
11. Turn off the Parrot Security virtual machine.

Task 3: Gather Information using Followerwonk
1. Turn on the Windows 10 virtual machine.
2. Log in to the Windows 10 virtual machine with Username: Admin and Password: Pa$$w0rd.
3. Open any web browser (here, Mozilla Firefox) and navigate to https://followerwonk.com/analyze. In the screen name search bar, type your target individual's Twitter tag (here, @satyanadella) and click the Do it button to analyze the users whom the target person follows.
Figure: Followerwonk search result
4. Scroll down to view the detailed analysis, as shown in the screenshot.
Figure: Followerwonk detailed search result
5. This concludes the demonstration of gathering information using Followerwonk.
6. Close all open windows and document all the acquired information.
7. Turn off the Windows 10 virtual machine.
Note: You can also use tools such as Hootsuite to gather information related to the target company and its employees from social networking sites.

Lab Analysis
Analyze and document all the results discovered in the lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB.

Perform Website Footprinting
Website footprinting refers to monitoring and analyzing the target organization's website for information.

Lab Scenario
As a professional ethical hacker, you should be able to extract a variety of information about the target organization from its website; by performing website footprinting, you can extract important information related to the target organization's website such as the software used and the version, operating system details, filenames, paths, database field names, contact details, CMS details, the technology used to build the website, scripting platform, etc. Using this information, you can further plan to launch advanced attacks on the target organization.

Lab Objectives
* Gather information about a target website using ping command line utility
* Gather information about a target website using Website Informer
* Extract a company's data using Web Data Extractor
* Mirror the target website using HTTrack Web Site Copier
* Gather a wordlist from the target website using CeWL

Lab Environment
To carry out this lab, you need:
* Windows 10 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools
* Web Data Extractor located at E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Web Spiders\Web Data Extractor
* HTTrack Web Site Copier located at E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Website Mirroring Tools\HTTrack Web Site Copier
* You can also download the latest versions of Web Data Extractor and HTTrack Web Site Copier from their official websites. If you decide to download the latest versions, the screenshots shown in the lab might differ.

Lab Duration
Time: 35 Minutes

Overview of Website Footprinting
Website footprinting is a technique used to collect information regarding the target organization's website. Website footprinting can provide sensitive information associated with the website such as registered names and addresses of the domain owner, domain names, host of the sites, OS details, IP details, registrar details, emails, filenames, etc.

Lab Tasks

Task 1: Gather Information About a Target Website using Ping Command Line Utility
1. Turn on the Windows 10 virtual machine.
2. Log in to the Windows 10 virtual machine with Username: Admin and Password: Pa$$w0rd.
3. Open the Command Prompt window. Type ping www.certifiedhacker.com and press Enter to find its IP address. The displayed response should be similar to the one shown in the screenshot.
Note: Ping is a network administration utility used to test the reachability of a host on an IP network and to measure the round-trip time for messages sent from the originating host to a destination computer.
Figure 4.1.1: The ping command to extract the IP address for www.certifiedhacker.com
4. Note the target domain's IP address in the result above (here, 162.241.216.11).
You also obtain information on Ping Statistics such as packets sent, packets received, packets lost, and approximate round-trip time.
Note: The IP address of the target website may differ in your lab environment.

Task 1.2: Finding Maximum Frame Size
Note: The ping command sends ICMP echo requests and waits for the responses, measures the time from transmission to reception (the round-trip time), and records any loss of packets. The ping command also assists in obtaining domain information and the IP address of the target website.
5. In the Command Prompt window, type ping www.certifiedhacker.com -f -l 1500 and press Enter.
6. The response, Packet needs to be fragmented but DF set, means that the frame is too large to be on the network and needs to be fragmented. The packet was not sent as we used the -f switch with the ping command, and the ping command returned this error.
7. In the Command Prompt window, type ping www.certifiedhacker.com -f -l 1300 and press Enter.
8. Observe that the maximum packet size is less than 1500 bytes and more than 1300 bytes.
9. Now, try different values until you find the maximum frame size. For instance, ping www.certifiedhacker.com -f -l 1473 replies with Packet needs to be fragmented but DF set, and ping www.certifiedhacker.com -f -l 1472 replies with a successful ping. It indicates that 1472 bytes are the maximum frame size on this machine's network.
Note: The maximum frame size will differ depending upon the target network.
Figure 4.1.4: The ping command for www.certifiedhacker.com with -f -l 1473 options
Figure 4.1.5: The ping command for www.certifiedhacker.com with -f -l 1472 options
10. Now, discover what happens when TTL (Time to Live) expires. Every frame on the network has TTL defined. If TTL reaches 0, the router discards the packet. This mechanism prevents the loss of packets.
11. In Command Prompt, type ping www.certifiedhack press Enter.
This option sets the time to live

Task 1.3: Finding Hop Count using TTL Value
Note: The maximum value you can set for TTL is 255.
12. Reply from 100.65.231.150: TTL expired in transit means that the router (100.65.231.150, students will have some other IP address) discarded the frame because its TTL has expired (reached 0).
Note: The IP address 100.65.231.150 may vary in your lab environment.
Note: If you get the Request timed out reply for the above query, then use Command Prompt of your host machine instead of the Windows 10 virtual machine to run the query.
13. Minimize the command prompt shown above and launch a new command prompt. Type ping www.certifiedhacker.com -i 2 -n 1 and press Enter. Here, we set the TTL value to 2 and the -n value to 1 to check the life span of the packet.
Note: -n specifies the number of echo requests to be sent to the target.
Figure 4.1.7: The ping command for www.certifiedhacker.com with -i 2 -n 1 options
14. Type ping www.certifiedhacker.com -i 3 -n 1. This sets the TTL value to 3.
15. Observe that there is a reply coming from the IP address 162.241.216.11, and there is no packet loss.
Note: The result displayed in the above step might differ in your lab environment.
16. Now, change the time to live value to 4 by typing ping www.certifiedhacker.com -i 4 -n 1 and press Enter.
17. Repeat the above step until you reach the IP address for www.certifiedhacker.com (in this case, 162.241.216.11).
18. Here, the successful ping to reach www.certifiedhacker.com is 27 hops.
Figure: The ping command for www.certifiedhacker.com with -i 27 -n 1 options
19. This implies that, at a time to live value of 27, the reply is received from the destination host (162.241.216.11).
Note: The result might vary in your lab environment.
20. This concludes the demonstration of gathering information about a target website using Ping command-line utility (such as the IP address of the target website, hop count to the target, and value of maximum frame size allowed on the target network).
21. Close all open windows and document all the acquired information.

Task 2: Gather Information about a Target Website using Website Informer
1. In the Windows 10 virtual machine, open a web browser (here, Mozilla Firefox), type https://website.informer.com in the address bar, and press Enter. The Website Informer website appears, as shown in the screenshot.
Note: Website Informer is an online tool that gathers detailed information on a website such as a website's traffic rank, daily visitors rate, page views, etc. Website Informer discovers the main competitors of the website and reveals DNS servers used by the website.
Figure 4.2.1: Website Informer website
2. To extract information associated with the target organization website, type the target website's URL (here, www.certifiedhacker.com) in the text field, and then click on the Search button, as shown in the screenshot below.
Figure 4.2.2: Enter the target website
3. A search result for WWW.CERTIFIEDHACKER.COM containing information such as General Info, Stats & Details, Whois, and IP Whois is displayed, as shown in the screenshot.
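The two manual searches from the ping task (Task 1) can be automated: the largest -l payload that still passes with -f set, and the smallest -i value at which the destination itself replies. The following is an added example, not part of the lab manual; the simulated path, its 1500-byte MTU and the documentation-range addresses are constructed so that it runs offline, and windows_ping is a hypothetical helper name wrapping the same ping options the lab uses. It also shows why 1472 is the limit on such a path: 1472 payload bytes plus 28 header bytes is 1500.

```python
"""Added example: automate the MTU and hop-count searches done by hand with ping."""
import re
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

REPLY_RE = re.compile(r"Reply from (\d{1,3}(?:\.\d{1,3}){3}): bytes=")
EXPIRED_RE = re.compile(r"Reply from (\d{1,3}(?:\.\d{1,3}){3}): TTL expired in transit")


def classify_reply(output):
    """Map Windows ping output to (kind, responder_ip)."""
    if "Packet needs to be fragmented but DF set" in output:
        return "needs_frag", None
    match = EXPIRED_RE.search(output)
    if match:
        return "ttl_expired", match.group(1)
    match = REPLY_RE.search(output)
    if match:
        return "reply", match.group(1)
    return "timeout", None


def windows_ping(host, size=32, ttl=128, df=False):
    """Hypothetical helper: send one echo request with the lab's options (-n, -l, -i, -f)."""
    cmd = ["ping", host, "-n", "1", "-l", str(size), "-i", str(ttl)]
    if df:
        cmd.append("-f")
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def max_unfragmented_payload(ping, low=0, high=65500):
    """Binary-search the largest -l value that still gets a reply with -f set."""
    def passes(size):
        return classify_reply(ping(size=size, df=True))[0] == "reply"

    if not passes(low):
        raise RuntimeError("no reply even for the smallest payload")
    if passes(high):
        return high
    while high - low > 1:  # invariant: low passes, high does not
        mid = (low + high) // 2
        if passes(mid):
            low = mid
        else:
            high = mid
    return low


def hops_to_target(ping, target_ip, max_ttl=255):
    """Raise -i from 1 until the target itself answers; collect the routers seen."""
    routers = []
    for ttl in range(1, max_ttl + 1):
        kind, ip = classify_reply(ping(ttl=ttl))
        if kind == "reply" and ip == target_ip:
            return ttl, routers
        routers.append(ip if kind == "ttl_expired" else None)  # None = silent hop
    return None, routers


# Constructed path for offline use: three routers and a 1500-byte MTU.
SIM_ROUTERS = ["192.0.2.1", "198.51.100.7", "203.0.113.9"]
SIM_TARGET = "203.0.113.50"
SIM_MTU = 1500


def simulated_ping(size=32, ttl=128, df=False):
    """Return text in the format Windows ping prints, for the constructed path."""
    if df and size + IP_ICMP_OVERHEAD > SIM_MTU:
        return "Packet needs to be fragmented but DF set."
    if ttl <= len(SIM_ROUTERS):
        return f"Reply from {SIM_ROUTERS[ttl - 1]}: TTL expired in transit."
    return f"Reply from {SIM_TARGET}: bytes={size} time=20ms TTL=52"


if __name__ == "__main__":
    payload = max_unfragmented_payload(simulated_ping)
    print("largest payload with DF set:", payload)
    print("path MTU:", payload + IP_ICMP_OVERHEAD)
    print("hops and routers:", hops_to_target(simulated_ping, SIM_TARGET))
    # On Windows, pass `lambda **kw: windows_ping(host, **kw)` instead of simulated_ping.
```

The binary search needs about 17 probes to cover the whole 0 to 65500 range, compared with the trial-and-error approach of guessing sizes one at a time.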
Note: You can also use tools such as Burp Suite (https://portswigger.net), Zaproxy (https://www.owasp.org), etc. to perform website footprinting on a target website.
4. In the General Info tab, information such as Created, Expires, Owner, Hosting company, Registrar, IPs, DNS, and Email associated with the target website is displayed as shown in the screenshot.
Figure 4.2.4: Website Informer General Info
5. Click on the Whois tab to view detailed Whois information about the target website, as shown in the screenshot.
Figure 4.2.5: Website Informer Whois information
6. Similarly, you can click on the Stats & Details and IP Whois tabs to view the detailed information of the target website.
7. This concludes the demonstration of gathering information about a target website using the Website Informer online tool.
8. Close all open windows and document all the acquired information.

Task 3: Extract a Company's Data using Web Data Extractor
Here, we will gather the target company's data using the Web Data Extractor tool.
1. In the Windows 10 virtual machine, navigate to E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Web Spiders\Web Data Extractor and double-click wde.exe.
2. If the User Account Control pop-up appears, click Yes.
Note: If the Open File - Security Warning pop-up appears, click Run.
3. Follow the wizard steps to install Web Data Extractor and click Finish.
Note: Web data extraction is the process of extracting data from web pages on the company's website.
Note: Company data of interest includes contact details (email, phone, and fax), URLs, and meta tags (title, description, keyword) for website promotion.
Figure 4.3.1: Web Data Extractor Setup Pop-up Wizard

Note: Web spiders (also known as web crawlers or web robots) such as Web Data Extractor perform automated searches on the target website and extract specified information from the target website.

4. After installation, launch Web Data Extractor from Desktop.
Figure 4.3.2: Installed apps in Windows 10, selecting Web Data Extractor

Configure Web Data Extractor
5. The Web Data Extractor main window appears. Click New to start a new session.
Figure 4.3.3: The Web Data Extractor main window
6. The Session settings window appears; type a URL (here, http://www.certifiedhacker.com) in the Starting URL field. Check all the options, as shown in the screenshot, and click OK.
Figure 4.3.4: Web Data Extractor Session settings window

Extract Target Website Data
7. Click Start to initiate the data extraction.
Figure 4.3.5: Web Data Extractor initiating the data extraction
8. Web Data Extractor will start collecting information (Session, Meta tags, Emails, Phones, Faxes, Merged list, URLs, and Inactive sites).
Figure 4.3.6: Web Data Extractor collecting information
9. Once the data extraction process is completed, an Information dialog box appears; click OK.
Figure 4.3.7: Web Data Extractor Data Extraction information window

Examine the Collected Data
10. View the extracted information by clicking the tabs.
Figure 4.3.8: Web Data Extractor Data Extraction window
11. Select the Meta tags tab to view the URL, Title, Keywords, Description, Host, Domain, page size, etc.
Figure 4.3.9: Web Data Extractor Meta tags tab
12. Select the Emails tab to view information related to emails such as Email address, Name, URL, Title, etc.
Figure 4.3.10: Web Data Extractor Emails tab
13. Select the Phones tab to view the Phone, Source, Tag, URL, etc.
Figure 4.3.11: Web Data Extractor Phones tab
14. Check for more information under the Faxes, Merged list, URLs, and Inactive sites tabs.

Save a Session
15. To save the session, choose File and click Save session.
Figure 4.3.12: Web Data Extractor session saving window
16. Specify the session name (here, certifiedhacker.com) in the Save session dialog box and click OK.
Figure 4.3.13: Web Data Extractor specifying the session name
17. Click the Meta tags tab, and then click the floppy icon.
Figure 4.3.14: Web Data Extractor Meta tags tab

Note: You can also use other web spiders such as ParseHub (https://www.parsehub.com), SpiderFoot (https://www.spiderfoot.net), etc. to extract the target organization's data.

18. An Information pop-up may appear with the message You cannot save more than 10 records in Demo Version; click OK.
Figure 4.3.15: Web Data Extractor saving information window
19. The Save Meta tags window appears. In the File name field, click on the folder icon, select the location where you want to save the file, choose File format, and click Save.
Figure 4.3.16: Web Data Extractor saving window
20. By default, the session will be saved at C:\Program Files (x86)\WebExtractor\Data\certifiedhacker.com. You can choose your desired location to save the file.
21. This concludes the demonstration of extracting a company's data using the Web Data Extractor tool.
22. Close all open windows and document all the acquired information.
Task 4: Mirror a Target Website using HTTrack Web Site Copier

Here, we will use the HTTrack Web Site Copier tool to mirror the entire website of the target organization, store it in the local system drive, and browse the local website to identify possible exploits and vulnerabilities.

Note: Website mirroring is the process of creating a replica or clone of the original website. This mirroring of the website helps you footprint the website thoroughly on your local system, and allows you to download a website to a local directory and analyze all directories, HTML, images, flash, videos, and other files from the server on your computer.

Task 4.1: Install HTTrack Web Site Copier
1. In the Windows 10 virtual machine, navigate to E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Website Mirroring Tools\HTTrack Web Site Copier and double-click httrack-3.49.2.exe.
2. If the User Account Control pop-up appears, click Yes.
Note: If the Open File - Security Warning pop-up appears, click Run.
3. Follow the wizard steps to install HTTrack Web Site Copier.
4. In the last step of the installation wizard, uncheck the View history.txt file option and click Finish.
Figure 4.4.1: HTTrack Website Copier Setup Pop-up Wizard

Mirror the Target Website

Note: You can duplicate websites by using website mirroring tools such as HTTrack Web Site Copier. HTTrack is an offline browser utility that downloads a website from the Internet to a local directory, builds all directories recursively, and transfers HTML, images, and other files from the web server to another computer.

5. The WinHTTrack Website Copier window appears.
Click OK in the pop-up window, and then click Next > to create a New Project.
Note: If the application does not launch, you can launch it manually from the Apps screen.
Figure 4.4.2: HTTrack Website Copier main window
6. Enter the name of the project (here, Test Project) in the New project name: field. Select the Base path: to store the copied files; click Next >.
Figure 4.4.3: HTTrack Website Copier selecting a New Project
7. Enter a target URL (here, www.certifiedhacker.com) in the Web Addresses: (URL) field and click Set options...
Figure 4.4.4: Setting options
8. The WinHTTrack window appears; click the Scan Rules tab and select the checkboxes for the file types as shown in the following screenshot; click OK.
Figure 4.4.5: Scan Rules tab in HTTrack Website Copier
9. Click the Next > button.
Figure 4.4.6: HTTrack Website Copier window
10. By default, the radio button will be selected for Please adjust connection parameters if necessary, then press FINISH to launch the mirroring operation. Check Disconnect when finished and click Finish to start mirroring the website.
Figure 4.4.7: HTTrack Website Copier mirroring operation
11. Site mirroring progress will be displayed, as shown in the screenshot.
Figure 4.4.8: HTTrack Website Copier displaying site mirroring progress
12. Once the site mirroring is completed, WinHTTrack displays the message Mirroring operation complete; click on Browse Mirrored Website.
Figure 4.4.9: HTTrack Website Copier displaying site mirroring complete

Browse the Mirrored Website
13. If the How do you want to open this file? pop-up appears, select any web browser (here, Mozilla Firefox) and click OK.
Figure 4.4.10: Selecting Mozilla Firefox
14. The mirrored website for www.certifiedhacker.com launches. The URL displayed in the address bar indicates that the website's image is stored on the local machine.
Figure 4.4.11: HTTrack Website Copier Mirrored Website image

Note: You can also use other website mirroring tools, such as Cyotek WebCopy (https://www.cyotek.com) or those available at http://www.calluna-software.com, to mirror a target website.

15. Analyze all directories, HTML, images, flash, videos, and other files available on the mirrored target website. You can also check for possible exploits and vulnerabilities. The site will work like a live hosted website.
Note: If the webpage does not open, navigate to the directory where you mirrored the website and open index.html with any browser.
16. Once done with your analysis, close the Firefox window and click Finish on the WinHTTrack window to complete the process.
Figure 4.4.12: HTTrack Website Copier displaying site mirroring complete
Figure 4.4.13: HTTrack Website Copier displaying mirrored website location
17. Some websites are very large, and it might take a long time to mirror the complete site.
18. This concludes the demonstration of mirroring a target website using HTTrack Web Site Copier.
19. Close all open windows and document all the acquired information.
20. Turn off the Windows 10 virtual machine.

Task 5: Gather a Wordlist from the Target Website using CeWL

Note: CeWL is a Ruby app that is used to spider a given target URL to a specified depth, optionally following external links, and returns a list of unique words.

1. Turn on the Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.
Note:
* If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
* If a Question pop-up window appears asking you to update the machine, click No to close the window.
3. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
Figure 4.5.1: MATE Terminal icon
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
5. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root directory.
7. In the Parrot Terminal window, type cewl -d 2 -m 5 www.certifiedhacker.com and press Enter.
Note: -d represents the depth to spider the website (here, 2) and -m represents minimum word length (here, 5).
8. A unique wordlist from the target website is gathered, as shown in the
Note: The minimum word length is 5, and the depth to spider the target website
9. Alternatively, this unique wordlist can be written directly to a text file by typing cewl -w wordlist.txt -d 2 -m 5 www.certifiedhacker.com.
Note: -w writes the output to the file (here, wordlist.txt).
10. By default, the wordlist is saved in the root directory. Type pluma wordlist.txt and press Enter to view the extracted wordlist.
Figure 4.5.6: Open wordlist
11. The file containing a unique wordlist extracted from the target website opens, as shown in the screenshot.
12. This wordlist can be used further to perform brute-force attacks against the previously obtained emails of the target organization's employees.
13. This concludes the demonstration of gathering a wordlist from the target website using CeWL.
14. Close all open windows and document all the acquired information.
15. Turn off the Parrot Security virtual machine.

Lab Analysis
Analyze and document all the results discovered in the lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB

Perform Email Footprinting

Email footprinting, or tracing emails, involves analyzing the email header to discover details about the sender.

Note: Tools demonstrated in this lab are available in E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance

Lab Scenario
As a professional ethical hacker, you need to be able to track emails of individuals (employees) from a target organization for gathering critical information that can help in building an effective hacking strategy. Email tracking allows you to collect information such as IP addresses, mail servers, OS details, geolocation, information about service providers involved in sending the mail, etc. By using this information, you can perform social engineering and other advanced attacks.

Lab Objectives
* Gather information about a target by tracing emails using eMailTrackerPro

Lab Environment
To carry out this lab, you need:
* Windows 10 virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools
* eMailTrackerPro located at E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Email Tracking Tools\eMailTrackerPro
You can also download the latest version of eMailTrackerPro from its official website. If you decide to download the latest version, the screenshots shown in the lab might differ.

Lab Duration
Time: 10 Minutes

Overview of Email Footprinting
Email footprinting, or tracking, is a method to monitor or spy on email delivered to the intended recipient.
This kind of tracking is possible through digitally time-stamped records that reveal the time and date when the target receives and opens a specific email. Email footprinting reveals information such as:
* Recipient's system IP address
* The GPS coordinates and map location of the recipient
* When an email message was received and read
* Type of server used by the recipient
* Operating system and browser information
* If a destructive email was sent
* The time spent reading the email
* Whether or not the recipient visited any links sent in the email
* PDFs and other types of attachments
* If messages were set to expire after a specified time

Lab Tasks

Task 1: Gather Information about a Target by Tracing Emails using eMailTrackerPro

Here, we will gather information by analyzing the email header using eMailTrackerPro.

1. Turn on the Windows 10 virtual machine.
2. Log in to the Windows 10 virtual machine with Username: Admin and Password: Pa$$w0rd.

Install eMailTrackerPro
3. Open File Explorer and navigate to E:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Email Tracking Tools\eMailTrackerPro and double-click emt.exe.
4. If the User Account Control pop-up appears, click Yes.
5. The eMailTrackerPro Setup window appears. Follow the wizard steps (by selecting default options) to install eMailTrackerPro.
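The header analysis this lab performs with eMailTrackerPro can also be done by hand when triaging a suspicious message. The Python below is an added example, not part of the lab manual or of eMailTrackerPro: it walks the Received chain of a constructed sample message (example domains, documentation-range addresses) and reports the last hop a defender can actually trust. The function names and the trusted-receiver list are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# Constructed sample: example domains and documentation-range addresses.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTPS id abc123;
\tMon, 06 Jan 2025 10:00:09 +0000
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx.example.net with ESMTP id def456;
\tMon, 06 Jan 2025 10:00:05 +0000
Received: from [192.168.1.44] (unknown [192.0.2.10])
\tby relay.example.com with ESMTPSA id ghi789;
\tMon, 06 Jan 2025 10:00:01 +0000
Authentication-Results: inbox.example.org; spf=pass smtp.mailfrom=example.com;
\tdkim=fail header.d=example.com
From: Alice <alice@example.com>
Date: Mon, 06 Jan 2025 10:00:00 +0000

Body text.
"""

# The address the receiving server saw on the socket is the bracketed one
# inside the parentheses; the name after "from" is only the sender's claim.
PEER_IP = re.compile(r"\([^()]*\[([0-9A-Fa-f:.]+)\][^()]*\)")

def parse_hops(raw):
    """Return the Received hops oldest-first, one dict per hop."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())            # undo header folding
        info, _, stamp = flat.rpartition(";")
        helo = re.search(r"\bfrom\s+(\S+)", info)
        by = re.search(r"\bby\s+(\S+)", info)
        peer = PEER_IP.search(info)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):           # missing or malformed date
            when = None
        hops.append({"helo": helo.group(1) if helo else None,
                     "ip": str(ip_address(peer.group(1))) if peer else None,
                     "by": by.group(1) if by else None,
                     "time": when, "delay_s": None})
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"]:
            cur["delay_s"] = (cur["time"] - prev["time"]).total_seconds()
    return hops

def boundary_source(hops, trusted_receivers):
    # Hops written by servers outside trusted_receivers can be forged by the
    # sender, so walk newest to oldest and stop at the first untrusted one.
    source = None
    for hop in reversed(hops):
        if hop["by"] not in trusted_receivers:
            break
        source = hop["ip"]
    return source

def auth_results(raw):
    """Map spf/dkim/dmarc to the verdict recorded by the receiving server."""
    header = " ".join(message_from_string(raw).get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

if __name__ == "__main__":
    hops = parse_hops(RAW)
    print("boundary:", boundary_source(hops, {"inbox.example.org", "mx.example.net"}))
    print("auth:", auth_results(RAW))
```

Only the hops stamped by servers you operate are reliable evidence; everything older in the chain is sender-supplied text and should be treated as a lead, not a fact.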
