Foot Printing


Footprinting is the process of gathering information about a target system or organization in order to understand its structure, potential vulnerabilities, and security posture.
Footprinting is typically one of the initial steps in the reconnaissance phase of a cyber attack.
Forms of footprinting
Passive footprinting involves gathering information from publicly available sources such as websites, social media profiles, news articles, and public records. This information might include details about the organization's employees, technology infrastructure, partners, clients, physical locations, and more.
Active footprinting, on the other hand, involves more direct interaction with the target system or organization. This might include techniques such as network scanning, port scanning, enumeration, and other methods to gather information about the target's network architecture, the services running on its systems, and potential points of entry.
The footprinting process includes:
Profiling organizations and collecting data about the network, hosts, employees and third-party partners.

This information includes:
- OS used by the organization,
- firewalls,
- network maps,
- IP addresses,
- domain name system information,
- security configurations of the target machine,
- URLs,
- virtual private networks,
- staff IDs, email addresses and phone numbers.
Stages of footprinting
[Figure: the four footprinting stages in order: Target identification -> Information gathering -> Result analysis -> Attack planning]
Footprinting stages
Target identification – The first step involves recognizing the target organization and its systems for footprinting. This can be done by scanning networks for open ports or by using IoT search engines such as Shodan and Censys.
Information gathering – Gathering vital information, including IP addresses, open ports and services, usernames, and passwords, from the identified target.
Result analysis – The extracted data is analyzed for vulnerabilities across multiple systems, or the results are compared against known exploits.
Attack planning – The final stage is the attack phase, where the threat actor develops custom exploits or chooses a suitable attack vector, based on the data collected, to compromise vulnerable systems.
Advantages of footprinting
- Helps businesses identify and secure IT infrastructure before a threat actor exploits a vulnerability.
- Helps companies better understand their current security posture through analysis of the data gathered about the firewall, security configuration and more.
- Drawing a network map helps cover all trusted routers, servers and other network topologies. Users can pursue a reduced attack surface by narrowing it down to a specific range of systems.
Footprinting tools

- theHarvester
- Dnsenum
- Nmap
- Maltego
- Google Dorks
- Sam Spade
- SuperScan, etc.
- Open-source intelligence (OSINT) platforms such as VirusTotal, etc.
Footprinting with nmap

What is the Nmap tool?

Nmap is an open-source network exploration tool. It rapidly scans large networks and returns a wide range of information about them.
The major functionality of Nmap is port scanning. Nmap reports each scanned port in one of the following states:
Open: An application on the target is actively accepting TCP connections, UDP datagrams, or SCTP associations on this port. Open ports are to a hacker what an open vault is to a thief.
Closed: Closed ports respond to Nmap's probes, but no application is listening on them. Nmap uses such ports to help determine the OS, or to check whether the scanned IP address belongs to a live host.
Filtered: Nmap cannot determine whether such ports are open or not, because they are protected by dedicated firewalls, router rules, etc. Sometimes these ports respond with ICMP error messages, which confuses the scanner.
Unfiltered: These ports are accessible, but Nmap cannot determine whether they are open or closed. This state occurs only for ACK scans.
Open|Filtered: Nmap places a port in this state when it is unable to determine whether the port is open or filtered. This occurs in scan types where an open port gives no response.
Closed|Unfiltered: Nmap is unable to tell whether the port is closed or unfiltered. This situation occurs only in the IP ID idle scan.
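The port states above are what a practitioner has to read out of real scan output. The following Python script is added here as an example; it is not part of the original slides or of Nmap itself. It parses Nmap's grepable (-oG) output, tallies ports per state (including the combined states such as open|filtered), and flags open ports that are missing from a per-host baseline, which is the defensive use of footprinting described under "Advantages": knowing your exposed services before someone else does. The scan lines are constructed sample data modelled on the -oG line layout, the host names and addresses are invented, and the baseline dictionary in the usage call is an assumption.

```python
"""Parse Nmap grepable (-oG) output and summarise port states per host.

Added example, not Nmap's own code. SAMPLE_GREPABLE is a constructed sample
that follows the -oG layout: one "Host:" line per host with tab-separated
fields; the "Ports:" field lists port/state/protocol/owner/service/rpc/version/
entries separated by ", ".
"""
import re
from collections import Counter

# Constructed sample output (hosts, names and services are invented).
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 (host-a.example.test)\tStatus: Up
Host: 192.0.2.10 (host-a.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.0.2.11 (host-b.example.test)\tStatus: Up
Host: 192.0.2.11 (host-b.example.test)\tPorts: 53/open|filtered/udp//domain///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# port / state (may contain '|', e.g. open|filtered) / proto // service // version /
PORT_RE = re.compile(r'(\d+)/([a-z|]+)/(\w+)//([^/]*)//([^/]*)/')
HOST_RE = re.compile(r'^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$')


def parse_grepable(text):
    """Return {ip: {'hostname': str, 'ports': [(port, state, proto, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {'hostname': hostname, 'ports': []})
        for field in rest.split('\t'):
            if field.startswith('Ports: '):
                for port, state, proto, service, version in PORT_RE.findall(field):
                    entry['ports'].append((int(port), state, proto, service, version))
    return hosts


def state_summary(hosts):
    """Count ports per Nmap state across all hosts (open, closed, filtered, open|filtered, ...)."""
    counts = Counter()
    for entry in hosts.values():
        for _, state, _, _, _ in entry['ports']:
            counts[state] += 1
    return dict(counts)


def unexpected_open_ports(hosts, baseline):
    """Defender's check: open ports not listed in the per-host baseline {ip: {(port, proto), ...}}.

    Only the definite 'open' state is flagged; open|filtered results need a follow-up
    scan before they are treated as exposed services.
    """
    findings = []
    for ip, entry in hosts.items():
        allowed = baseline.get(ip, set())
        for port, state, proto, service, version in entry['ports']:
            if state == 'open' and (port, proto) not in allowed:
                findings.append((ip, port, proto, service, version))
    return findings


if __name__ == '__main__':
    scan = parse_grepable(SAMPLE_GREPABLE)
    print('ports per state:', state_summary(scan))
    # Assumed baseline: host-a is expected to expose SSH and HTTP, nothing is known about host-b.
    baseline = {'192.0.2.10': {(22, 'tcp'), (80, 'tcp')}}
    for finding in unexpected_open_ports(scan, baseline):
        print('unexpected open port:', finding)
```

To use it on a real scan, run Nmap with `-oG scan.gnmap` and feed the file contents to `parse_grepable`; the baseline is whatever your asset inventory says each host should expose.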
Options in Nmap

TCP scan: Checks a port by performing the full three-way handshake between sender and target. It is very noisy.
UDP scan: Checks whether a UDP port on the target system is open or not. Unlike a TCP scan, there is no positive acknowledgment response, so it can sometimes give false positives.
SYN scan: A variant of the TCP scan; the only difference is that Nmap itself crafts the SYN packet.
ACK scan: Used to determine whether a port is filtered or not.
FIN scan: A kind of stealth scan, which sends TCP FIN packets rather than SYN requests.
Options with scanning techniques
nmap [scan type] [option] {target specification}

Option   Description
-sS      TCP SYN port scan
-sT      TCP connect port scan
-sA      TCP ACK port scan
-sU      UDP port scan
Options for detecting the OS and the versions of running services:
Option   Description
-A       Performs an aggressive scan.
-O       Detects the operating system running on the scanned machine.
-sV      Detects the versions of running services.
Timing and performance options:
Option   Description
-T0      Paranoid: the slowest timing, for IDS evasion.
-T1      Sneaky: very slow timing, for IDS evasion.
-T2      Polite: slow timing, for IDS evasion.
-T3      Normal: the default timing.
-T4      Aggressive: a fast scan.
-T5      Insane: the fastest scan of all.
Port specification options:
Option   Description
-p-      Scans all ports on the given network.
-p       Scans a range of ports.
-F       Fast port scan.
Example of an Nmap scan
nmap -T4 -A scanme.nmap.org > nmap_res.txt
For more information on Nmap:
https://www.geeksforgeeks.org/footprinting-with-nmap-in-kali-linux/
DNSENUM
Dnsenum is a multithreaded Perl script that enumerates the DNS information of a domain and discovers non-contiguous IP blocks. The main purpose of Dnsenum is to gather as much information as possible about a domain.
Dnsenum performs the following operations:
- Get the host's addresses (A record).
- Get the nameservers (threaded).
- Get the MX record (threaded).
- Perform AXFR queries on the nameservers and get BIND versions (threaded).
- Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain").
- Brute force subdomains from a file; can also perform recursion on subdomains that have NS records (all threaded).
- Calculate class C network ranges and perform whois queries on them (threaded).
- Perform reverse lookups on the netranges (class C and/or whois netranges) (threaded).
- Write the IP blocks to the domain_ips.txt file.
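Several of the Dnsenum operations listed above (calculating class C ranges, grouping them into contiguous blocks, and sizing the reverse-lookup sweep) are plain address arithmetic on the names the tool has already resolved. The Python below is an added example and not Dnsenum's own code: starting from a constructed table of resolved host names (invented names under example.test, RFC 1918 addresses), it derives the /24 ranges, merges adjacent /24s into contiguous blocks and leaves gaps as separate blocks, and counts the addresses a reverse (PTR) sweep of those ranges would cover. The real tool resolves the names live and also runs whois; this example skips all networking so it runs offline.

```python
"""Class C (/24) range calculation in the style of Dnsenum's netrange step.

Added example, not Dnsenum's code. RESOLVED is a constructed mapping of
host name -> IPv4 address, standing in for the A/NS/MX lookups the tool
performs; the names and addresses are invented.
"""
import ipaddress
from collections import defaultdict

# Constructed resolution results (RFC 1918 addresses, invented host names).
RESOLVED = {
    "www.example.test": "10.0.1.10",
    "mail.example.test": "10.0.1.25",
    "old.example.test": "10.0.1.200",
    "ns1.example.test": "10.0.2.5",
    "ns2.example.test": "10.0.2.6",
    "cdn.example.test": "10.0.9.77",
}


def _class_c(ip):
    """The /24 network containing ip (strict=False masks the host bits)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def class_c_ranges(resolved):
    """Group resolved hosts by their /24: {'10.0.1.0/24': [(host, ip), ...], ...}."""
    ranges = defaultdict(list)
    for host, ip in resolved.items():
        ranges[str(_class_c(ip))].append((host, ip))
    return {net: sorted(hosts) for net, hosts in ranges.items()}


def ip_blocks(resolved):
    """Merge adjacent /24s into contiguous blocks; a gap starts a new block.

    Returns [(first_ip, last_ip), ...] as strings, the kind of list Dnsenum
    writes to domain_ips.txt (non-contiguous blocks stay separate).
    """
    nets = sorted({_class_c(ip) for ip in resolved.values()})
    blocks = []
    for net in nets:
        if blocks and blocks[-1][1] + 1 == net.network_address:
            blocks[-1][1] = net.broadcast_address  # extend the current block
        else:
            blocks.append([net.network_address, net.broadcast_address])
    return [(str(first), str(last)) for first, last in blocks]


def reverse_lookup_targets(resolved):
    """Number of addresses a PTR sweep over all discovered /24s would query."""
    return sum(net.num_addresses for net in {_class_c(ip) for ip in resolved.values()})


if __name__ == "__main__":
    for net, hosts in sorted(class_c_ranges(RESOLVED).items()):
        print(net, hosts)
    print("contiguous blocks:", ip_blocks(RESOLVED))
    print("reverse lookups needed:", reverse_lookup_targets(RESOLVED))
```

The block count is the useful signal for a defender reviewing their own footprint: every separate block is an address range an outsider can find from public DNS alone, so each one should be something you expect to be public.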
How to install dnsenum (Kali):
>> sudo apt install dnsenum
Run the tool:
>> dnsenum <target domain>
Get the manual for dnsenum:
>> dnsenum -h
