Certified Ethical Hacker Module 02 : Footprinting and Reconnaissance
- Footprinting is a part of reconnaissance process which is used for gathering possible information about a target computer system or network.
- In computer Security, “Footprinting” generally refers to one of the pre-attack phases; tasks performed before doing the actual attack.
Objectives of footprinting
- Knowledge of Security Posture – The data gathered will help us to get an overview of the security posture of the company such as details about the presence of a firewall, security configurations of applications etc.
- Reduction of focus Area – Can identify a specific range of systems and concentrate on particular targets only. This will greatly reduce the number of systems we are focusing on.
- Identify vulnerabilities – we can build an information database containing the vulnerabilities, threats, loopholes available in the system of the target organization.
- Draw Network map – helps to draw a network map of the networks in the target organization covering topology, trusted routers, presence of server and other information.
Information Collected through footprinting
In footprinting below informations are collected :
- Network Information : Domain name, Network blocks, IP address of computers in the target network, TCP and UDP services running, details related to IDS running, websites, access control, VPN endpoints, Firewall vendors, IDS systems, Phone System (Analog/VoIP).
- System Information : User and group names, system banners, OS versions, Listening Services, routing tables information, system architecture, remote system names, mobile/iot devices.
- Organization Information : Employee details, organization website details, location details, address and phone numbers, information related to security policies implemented, and any non-technical information about the organization, company history etc, Employee and organization’s email address.
Collecting information about the target organization from all available resources, for example urls, site/office locations, establishment details, number of employees, specific range of domain names, ip addresses, contact information etc. All this information is collected using publically accessible resources for example search engines, social networking sites, job posting sites, whois databases etc.
types of Footprinting Techniques
- Active : requires attacker to touch the device or network, example Social engineering and other communication that requires interaction with target.
- Passive : measures to collect information from publicly available sources. Websites, DNS records, business information databases.
- Footprinting through Search Engines
- Footprinting through Web Services
- Footprinting through Social Networking Sites
- Website Footprinting
- Email Footprinting
- Whois Footprinting
- DNS Footprinting
- Network Footprinting
- Footprinting through Social Engineering
Footprinting through Search Engines
Job Search Sites
Information about technologies that are currently used, or developed in that company can be obtained from job postings sites such as linkedin.com, naukari.com, monstorjobs.com etc.
Google search (Google dorks)
Google dorks or google query is a search string that uses advanced search operators to find information that is not readily available. Some example of google dorks are :
filetype: - looks for file types index of - directory listings info: - contains Google's information about the page intitle: - string in title inurl: - string in url link: - finds linked pages related: - finds similar pages
GHDB is very good for learn Google Dorks and how it’s done in real world scenario.
More Lists Google Dorks :
|intitle||search page title|
|allintitle||search page title|
|allintext||search page of text only|
|site||search specific site|
|link||search for links to page|
|inanchor||search link anchor text|
|allinanchor||Restricts results to only the pages containing all query terms specified in the ancher text on link to the pages.|
|cache||Searches websites or pages that contain link to the spefcified website or page.|
|location||find information about specific location|
|daterange||search in date range|
|author||group author search|
|group||group name search|
|insubject||group suject search|
|msgid||group msgid search|
Some more examples :
// example1 site:target.com ext:php // example2 site:target.com ext:asp // example3 site:target.com ext:aspx // example4 site:target.com ext:js // example5 site:target.com ext:jsp // example6 site:target.com ext:sql // example7 site:target.com ext:jar // example8 site:target.com ext:html // example9 site:target.com ext:zip
To get some idea of the target application and architecture.
Other example :
site:DOMAIN ext:FILEEXT intitle:SOME_KEYWORD
// example1 site:target.com ext:pdf intitle:setup // example2 site:target.com ext:pdf intitle:index of
The Pattern for search is
- Listing a perticular format files :
ext:file_extension site:website_name // example ext:pdf site:hackerone.com
- Finding a particular path in a website url :
inurl:/path_to_find site:website_name // example inurl:/downloads site:hackerone.com
- Looking for a particular title
intitle:"User Login" site:hackerone.com // example intitle:"User Login" site:co.in
- Looking for a file with particular text in it
backup.sql intext:"SELECT" ext:sql site:net // another example : intext:"Powered by WordPress" site:co.in
- Searching something on wildcard subdomains
site:target.com intext:Login intitle:Jira
| operator :
-operator remove some specific keywords from result. Example :
Remove the word error from the filtered result pages
site:target.com intext:Login -error
+operator add specific word in search qurey/condtion
site:target.com intext:Login -error +username
|operator works as OR login for example
Some mixed context examples are :
site:target.com intext:login intext:username intext:password
Some example are :
- Dork to find admin panel
site:"*.target.com" intitle:admin intext:login intext:username | email intext:password -help -docs -support -news
- Dork to find PII
site:"*.target.com" intext:"phone"|number intext:"email"|address intext:"personal" intext:address intext:name|last -support -news -vendor -docs -help
Some tips regarding Search Engine Dorking
- You can also try other major search engines like bing, yahoo, ask, aol, Baidu, wolframAlfa, duckduckgo.
- Try to get information regarding target through video streeming sites.
- Gathering information through [meta search engines], for example startpage.com, metager.org, etools.ch.
- Search company details on crunchbase.com
- Gathering information through FTP Search Engine such as naplam ftp indexer, Global FTP Search Engine, freeware web ftp file search.
- For advance google search user can use
- For advance image search you can use
- For reverse image search goto
https://images.google.com/search image search and upload your image file.
Footprinting through Web Services
Blueprint a comprehensive list of information about the technologies and information about target website. For example :
Information returned by netcraft are :
- Background — This includes basic domain information.
- Which OS, Web server is runing; Which ISP;
- Network — This includes information from IP Address to Domain names to nameservers.
- SSL/TLS — This gives the ssl/tls status of the target
- Hosting History – This gives the information on the hosting history of the target
- Sender Policy Framework (SPF) — This describes who can send mail on the domains behalf
- DMARC -This is a mechanism for domain owners to indicate how mail purporting to originate from their domain should be authenticated
- Web Trackers — This trackers can be used to monitor individual user behavior across the web Site Technology. This section includes details on: Cloud & PaaS
- Server-Side technologies (e.g: PHP)
- CDN Information
- CMS Information (e.g: WordPress, Joomla, etc)
- Mobile Technologies
- Web stats (e.g: Web analytics, collection, etc)
- Character encoding
Shodan Unlike traditional search engines such as Google, use Web crawlers to traverse your entire site, but directly into the channel behind the Internet, various types of port equipment audits, and never stops looking for the Internet and all associated servers, camera, printers, routers, and so on. Shodan gives information about all if the publicly accessible machines/servers with their information like open ports, services, ssl certificates etc.
- Finding login portal
ssl:"target.com" http.html:"Login, username, password"
- Finding login portal with removing the result for “403 forbidden”
ssl:"target.com" http.html:"Login, username, password" -http.html:"403 forbidden"
- Finding data with page title
ssl:"target.com" http.title:"Login Portal"
- Search results by port number
- Organization filter
ssl:"target.com" org:"cloudflare, Inc"
- Product filter
- Instead of full domain name we can also put target company name
ssl:"bitdefender" org:"Cloudflare inc." product:"nginx" 200
You can also use censys.io as an alternative to shodan. Go to https://search.censys.io/.
Footprinting through Social Networking Sites
- Social networking services such as facebook, twitter, linkedin provide useful information about the individual that helps the attacker in performing social engineering and other attacks.
- The people search can provide critical information about a person or an organization, location, emails, websites, blogs, contact, important dates etc.
- People online search engines such as intelius, pipl, beenverified, whitepages, peekyou provides people’s details.
Footprinting on Finencial websites
- Attacker can collects financial information related to a company such as stock quotes and charts, financial news and portfolios.
- Financial services such as Google finance, msn money, yahoo finance, investing.com etc can provide a large amount of useful information such as the market value of company’s share, company profile, competitor details, stock exchange rates, corporate press releases, financial reports along with news.
Footprinting through Job sites
- Job search sites provideis technical information about a company like Operating system, software versions, company’s network infrastructures, database schema etc.
- For example an organization advertises a network administrator job, it posts the requirements related to that position.
- Attackers can use the technical information obtained through job sites such as Dice, linkedin and simplyhired to detect underlying vulnerabilities in the target IT infrastructures.
- Refers to monitoring and analysis of the target organizations website for information such as software used and its version, operating system used and its scripting platforms, sub-directories and parameters, filename, path, database field name or query, technologies used, contact and cms details.
- Some of the populer tools are BurpSuite, ZapProxy, Wappalyzer, website informer etc.
- Some important header to look at is
- Connection status for content-type
- Accept renges and last-Modified
- X-Powered-By information
- web server in use and its version
- Web mirroring|Website Cloning – allows for discrete testing offline
- HTTrack – you can use the CLI version or Web Interface version
- Wget – Linux command
wget -mk -w 10 http://hackthissite.org/
- Black Widow
- Teleport Pro
- Backstreet Browser
- Archive.org / Wayback machine : Provides cached websites from various dates which possibly have sensitive information that has been now removed.
- alexa.com : Provides information about websites.
Email footprinting is used to monitor the delivery of emails to an intended receipent.
- Sender’s mail server
- Date and time of receipt by the originator’s email servers.
- Authentication system used by the senders mail server.
- Date and time of sending message.
- a unique number assigned by mx.google.com to identify the message.
- Sender’s full name
- Sender’s IP address and address from which the message was sent.
All these information can be collected by analyzing email headers.
Infoga is a tool gathering email accounts informations (ip,hostname,country,…) from different public source (search engines, pgp key servers and shodan) and check if emails was leaked using haveibeenpwned.com API. Is a really simple tool, but very effective for the early stages of a penetration test or just to know the visibility of your company in the Internet.
This tools basically search emails of an organization on different search engines/dump sites and if it found any email then try to find if they are leaked or not then if leaked then analyze their email header.
Example Uses :
Check for emails of a particular domain
python infoga.py --domain university.ac.in --source all --breach --report ../university_email_leak.txt -v 2
Check for an email address information
python infoga.py --info firstname.lastname@example.org --breach -v 3
Another tool is email tracker pro, which give geographical location based on ip address as well.
WHOIS database contains personal information of domain owners. for example :
- Domain name details
- Contact details of domain owners
- Domain name servers
- When a domain was created
- Expiry record
- last updated record
The record is maintained by Regional internet registries, which are :
- ARIN : American Registry for Internet Numbers.
- AFRINIC : African Network Information Centre.
- APNIC : Asia-Pacific Network Information Centre.
- RIPE-NCC : Réseaux IP Européens Network Coordination Centre
- LACNIC : Latin American and Caribbean Network Information Centre.
using tool whois
or you can use third party services like
https://whois.domaintools.com/ for whois data.
Finding geolocation of an IP : you can use third party services like ip2location.com
DNS records provide important information about the location and types of servers.
- Name lookup – UDP 53
- Zone transfer – TCP 53
- Zone transfer replicates all records
- Name resolvers answer requests
- Authoritative Servers hold all records for a namespace
- DNS Record Types
|SRV||Service||Points to a specific service|
|SOA||Start of Authority||Indicates the authoritative NS for a namespace|
|PTR||Pointer||Maps an IP to a hostname|
|NS||Nameserver||Lists the nameservers for a namespace|
|MX||Mail Exchange||Lists email servers|
|CNAME||Canonical Name||Maps a name to an A reccord|
|A||Address||Maps an hostname to an IP address|
- DNS Poisoning – changes cache on a machine to redirect requests to a malicious server
- DNSSEC – helps prevent DNS poisoning by encrypting records
- SOA Record Fields
- Source Host – hostname of the primary DNS
- Contact Email – email for the person responsible for the zone file
- Serial Number – revision number that increments with each change
- Refresh Time – time in which an update should occur
- Retry Time – time that a NS should wait on a failure
- Expire Time – time in which a zone transfer is allowed to complete
- TTL – minimum TTL for records within the zone
- IP Address Management
- ARIN – North America
- APNIC – Asia Pacific
- RIPE – Europe, Middle East
- LACNIC – Latin America
- AfriNIC – Africa
- Whois – obtains registration information for the domain from command line or web interface.
- on Kali, whois is pre-installed on CLI; e.g:
- on Windows, you can use SmartWhois GUI software to perform a whois, or any website like domaintools.com
- Nslookup – Performs DNS queries; (nslookup is pre-installed on Kali LinGux)
$ nslookup www.hackthissite.org Server: 192.168.63.2 Address: 192.168.63.2#53 Non-authoritative answer: Name: www.hackthissite.org Address: 188.8.131.52 Name: www.hackthissite.org Address: 184.108.40.206 Name: www.hackthissite.org Address: 220.127.116.11 Name: www.hackthissite.org Address: 18.104.22.168 Name: www.hackthissite.org Address: 22.214.171.124
First two lines shows my current DNS server; The IP addresses returned are ‘A record‘, meaning is the IPv4 address of the domain; Bottom line NsLookup queries the specified DNS server and retrieves the requested records that are associated with the domain.
The following types of DNS records are especially useful to use on Nslookup:
|A||the IPv4 address of the domain|
|AAAA||the domain’s IPv6 address|
|CNAME||the canonical name — allowing one domain name to map on to another. This allows more than one website to refer to a single web server.|
|MX||the server that handles email for the domain.|
|NS||one or more authoritative name server records for the domain.|
|TXT||a record containing information for use outside the DNS server. The content takes the form name=value. This information is used for many things including authentication schemes such as SPF and DKIM.|
- Interactive mode zone transfer (Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain).
server <IP Address>
set type = <DNS type>
$ nslookup > set type=AAAA > www.hackthissite.org Server: 192.168.63.2 Address: 192.168.63.2#53 Non-authoritative answer: Name: www.hackthissite.org Address: 2001:41d0:8:ccd8:137:74:187:103 Name: www.hackthissite.org Address: 2001:41d0:8:ccd8:137:74:187:102 Name: www.hackthissite.org Address: 2001:41d0:8:ccd8:137:74:187:101 Name: www.hackthissite.org Address: 2001:41d0:8:ccd8:137:74:187:100 Name: www.hackthissite.org Address: 2001:41d0:8:ccd8:137:74:187:104
unix-based command like nslookup
$ dig www.hackthissite.org ; <<>> DiG 9.16.2-Debian <<>> www.hackthissite.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51391 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096 ;; QUESTION SECTION: ;www.hackthissite.org. IN A ;; ANSWER SECTION: www.hackthissite.org. 5 IN A 126.96.36.199 www.hackthissite.org. 5 IN A 188.8.131.52 www.hackthissite.org. 5 IN A 184.108.40.206 www.hackthissite.org. 5 IN A 220.127.116.11 www.hackthissite.org. 5 IN A 18.104.22.168 ;; Query time: 11 msec ;; SERVER: 192.168.63.2#53(192.168.63.2) ;; WHEN: Tue Aug 11 15:05:01 EDT 2020 ;; MSG SIZE rcvd: 129
- To get email records specify
dig <target> -t MX
- To get zone transfer specify
More Detailed Explanation on DNS Footprinting
- IP address range can be obtained from regional registrar (e.g: ARIN for America, RIPE for Europe, etc)
tracerouteto find intermediary servers
- Traceroute program work on the concept of ICMP protocol and use the TTL field in the header of ICMP packets –
- traceroute uses ICMP echo in Windows (tracert)
- traceroute is good for detect Firewalls and the network path
traceroute -I nsa.gov
- Specify target:
- In this case is used ICMP ECHO for tracerouting:
- Specify target:
$ traceroute -I nsa.gov traceroute to nsa.gov (22.214.171.124), 30 hops max, 60 byte packets 1 192.168.63.2 (192.168.63.2) 0.194 ms 0.163 ms 0.150 ms 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 a104-83-73-99.deploy.static.akamaitechnologies.com (126.96.36.199) 42.742 ms 42.666 ms 25.176 ms
Windows command –
Linux Command –
Reverse DNS Lookup
- Attackers perform a reverse DNS lookup on IP ranges in an attempt to locate a DNS PTR record for those IP addresses.
- Attackers use various tools, such as DNSRecon, to perform the reverse DNS Lookup on the target host.
- Attackers can also find the other domains that share the same web server, using tools such as Reverse IP Domain Check.
- It basically gives the information about how many other website are hosted or shared on that same IP address.
- For revers IP Domain Check :
$ ping ggu.ac.in PING ggu.ac.in (188.8.131.52) 56(84) bytes of data.
$ dnsrecon -d ggu.ac.in -r 184.108.40.206-220.127.116.11 [*] Reverse Look-up of a Range [*] Performing Reverse Lookup from 18.104.22.168 to 22.214.171.124 [+] PTR ua.nic.in 126.96.36.199 [+] PTR kerala.nic.in 188.8.131.52 [+] PTR keralancrms.nic.in 184.108.40.206 [+] PTR mum.nic.in 220.127.116.11 [+] PTR hp.nic.in 18.104.22.168 [+] PTR webjk.nic.in 22.214.171.124 [+] 6 Records Found
Footprinting through Social Engineering
- Social engineering is an art of exploiting human behavour to extract confidential information.
- Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it.
- By social engineering attacker can gather below information :
- Credit card details and Social security numbers
- user names and passwords
- Security products in use
- Operating systems and software versions
- network layout information
- IP addresses and names of servers
Social Engineering attacks techniques
- Unauthorized listening of conversations or reading of messages.
- It is the interaction of any form of communocation, such as audio, video or text.
- Secretly observing the target to gather critical information, such as passwords, personal identfication nuber, account numbers and credit card information.
- Looking for treasure in someone else’s trash.
- It onvolvs the collection of phone bills, contact information, financial information, operations-related information, etc. from the target company’s trash bins, printer trash bins, user desk for sticky notes etc.
- pretending to be a legitimate or authorized person and using the phone or other communication medium to mislead targets and trick them into revealing information.
Search and download specific filetype for a given website using google searches/dorks.
metagoofil -d accenture.com -n 20 -t pdf,doc,xls,ppt,xlsx -o ResultDir
theHarvester is a simple to use, yet powerful tool designed to be used during the reconnaissance stage of a red team assessment or penetration test. It performs open source intelligence (OSINT) gathering to help determine a domain’s external threat landscape. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources.
theHarvester -d certifiedhacker.com -l 300 -b baidu,bing,certspotter,dnsdumpster,duckduckgo,github-code,google,linkedin,netcraft,twitter,yahoo -f report
OSRFramework is a set of libraries to perform Open Source Intelligence tasks. They include references to a bunch different applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, and many others.
OSRFramework CLI subcommands:
|usufy.py||This tool that verifies if a username exists in 249 social platforms.|
|mailfy.py||This module checks if a username has been registered in up to 22 email providers.|
|searchfy.py||This module looks for profiles using full names and other info in 7 platforms.|
|domainfy.py||This module checks the existence of a given domain in up to 879 different TLD.|
|phonefy.py||This module checks if a phone number has been linked to spam practices in 4 platforms.|
|entify.py||This module looks for regular expressions using 13 patterns.|
Checks for the existence of a profile for a given user details in different platforms.
usufy.py -n cehuser us -p twitter facebook youtube
Checks with the existing users of pages/handlers for a given details in the all social networks.
searchfy.py -q "ECCouncil"
Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS
python3 sublist3r.py -d hackthissite.org
Find social media accounts by username across multiple social networks.
python3 sherlock.py ajaytekam 2 ⨯ [*] Checking username ajaytekam on: [+] Academia.edu: https://independent.academia.edu/ajaytekam [+] Asciinema: https://asciinema.org/~ajaytekam [+] Behance: https://www.behance.net/ajaytekam [+] BitBucket: https://bitbucket.org/ajaytekam/ [+] Blogger: https://ajaytekam.blogspot.com [+] Docker Hub: https://hub.docker.com/u/ajaytekam/ [+] Duolingo: https://www.duolingo.com/profile/ajaytekam [+] Ello: https://ello.co/ajaytekam [+] EyeEm: https://www.eyeem.com/u/ajaytekam [+] Facebook: https://www.facebook.com/ajaytekam [+] Fiverr: https://www.fiverr.com/ajaytekam [+] Flipboard: https://flipboard.com/@ajaytekam [+] Freelancer: https://www.freelancer.com/u/ajaytekam [+] GitHub: https://www.github.com/ajaytekam [+] GitHub Support Community: https://github.community/u/ajaytekam/summary [+] GuruShots: https://gurushots.com/ajaytekam/photos [+] Instagram: https://www.instagram.com/ajaytekam [+] Kaggle: https://www.kaggle.com/ajaytekam [+] Linktree: https://linktr.ee/ajaytekam [+] Periscope: https://www.periscope.tv/ajaytekam/ [+] Reddit: https://www.reddit.com/user/ajaytekam [+] Roblox: https://www.roblox.com/user.aspx?username=ajaytekam [+] SlideShare: https://slideshare.net/ajaytekam [+] Smule: https://www.smule.com/ajaytekam [+] Snapchat: https://www.snapchat.com/add/ajaytekam [+] Star Citizen: https://robertsspaceindustries.com/citizens/ajaytekam [+] TryHackMe: https://tryhackme.com/p/ajaytekam [+] Twitch: https://www.twitch.tv/ajaytekam [+] Twitter: https://twitter.com/ajaytekam [+] Wattpad: https://www.wattpad.com/user/ajaytekam [+] Whonix Forum: https://forums.whonix.org/u/ajaytekam [+] Wikipedia: https://en.wikipedia.org/wiki/Special:CentralAuth/ajaytekam?uselang=qqx [+] xHamster: https://xhamster.com/users/ajaytekam [*] Results: 33 [!] End: The processing has been finished.
It is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack/brute force attack against a web server and analyzing the response. Useful to find subdirectories on web application. Usage example:
dirb https://www.hackthissite.org/ /usr/share/wordlists/dirb/small.txt
Recon-ng is a web-based open-source reconnaissance tool used to extract information from a target organization and its personnel. Provides a powerful environment in which open source web-based reconnaissance can be automated conducted, quickly and thoroughly.
Usage : Link
Maltego is a powerful OSINT tool, you can extract a broad type of information through the network, technologies and personnel(email, phone number, twitter).
You able to:
- Identify IP address
- Identify Domain and Domain Name Schema
- Identify Server Side Technology
- Identify Service Oriented Architecture (SOA) information
- Identify Name Server
- Identify Mail Exchanger
- Identify Geographical Location
- Identify Entities
- Discover Email addresses and Phone numbers
FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans. These documents may be on web pages, and can be downloaded and analysed with FOCA.
It is capable of analysing a wide variety of documents, with the most common being Microsoft Office, Open Office, or PDF files, although it also analyses Adobe InDesign or SVG files, for instance.
These documents are searched for using three possible search engines: Google, Bing, and DuckDuckGo. The sum of the results from the three engines amounts to a lot of documents. It is also possible to add local files to extract the EXIF information from graphic files, and a complete analysis of the information discovered through the URL is conducted even before downloading the file.
Social Engineering Framework (SEF)
It’s a open source Social Engineering Framework (SCRIPT) that helps generate phishing attacks and fake emails. and it’s includes phishing pages, fake email, fake email with file attachment and other stuff that helps you in Social Engineering Attack.
A custom wordlist generator from a website, basically scrap the website for words. default depth is 2.
Simple run with saving wordlist in a file.
cewl https://target-website.com/ -w wordlist.txt
- Create a certain length of wordlist
- Get emails from a website
- Verbose mode
- hide the cralled wordlist from displaying on the screen
- Increase the depth
-d 3, default is 2
- run on debug mode
- Count the total number of appearance of a word in website
- Allow numbers to be included in wordlist
- Develop and Enforce security policies to regulate the information that employees can reveal to third parties.
- Set apart internal and external DNS or use split DNS and restrict zone transfer to authorized servers.
- Disable Directory listing in web servers.
- Encrypt and password protect sensitive information.
- place critical documents, such as business plans and proprietary documents offline to protect exploitation.
- Train employees to detect social engineering techniques and attacks and defend themselves.
- Sanitize the details provided to internet registrars to hide the direct contact details of the organization.
- Disable the geo-tagging functionality on cameras to prevent geolocation tracking.
- Avoid revealing ones location or travel plans on social networking sites.
- Turn-off geo-location access on all mobile devices when not required.
- Ensure that no critical information is displayed on notice boards or walls.
- Avoid Domain level cross-linking for critical assets.
- Opt for privacy services on whois lookup database.
- Conduct pariodic security awareness training to educate employees about various social engineering tricks and risks.