Certified Ethical Hacker Module 02 : Footprinting and Reconnaissance

Footprinting Concepts

• Footprinting is a part of reconnaissance process which is used for gathering possible information about a target computer system or network.
• In computer Security, “Footprinting” generally refers to one of the pre-attack phases; tasks performed before doing the actual attack.

Objectives of footprinting

• Knowledge of Security Posture – The data gathered will help us to get an overview of the security posture of the company such as details about the presence of a firewall, security configurations of applications etc.
• Reduction of focus Area – Can identify a specific range of systems and concentrate on particular targets only. This will greatly reduce the number of systems we are focusing on.
• Identify vulnerabilities – we can build an information database containing the vulnerabilities, threats, loopholes available in the system of the target organization.
• Draw Network map – helps to draw a network map of the networks in the target organization covering topology, trusted routers, presence of server and other information.

Information Collected through footprinting

In footprinting below informations are collected :

• Network Information : Domain name, Network blocks, IP address of computers in the target network, TCP and UDP services running, details related to IDS running, websites, access control, VPN endpoints, Firewall vendors, IDS systems, Phone System (Analog/VoIP).
• System Information : User and group names, system banners, OS versions, Listening Services, routing tables information, system architecture, remote system names, mobile/iot devices.
• Organization Information : Employee details, organization website details, location details, address and phone numbers, information related to security policies implemented, and any non-technical information about the organization, company history etc, Employee and organization’s email address.

Footprinting Methodology

Collecting information about the target organization from all available resources, for example urls, site/office locations, establishment details, number of employees, specific range of domain names, ip addresses, contact information etc. All this information is collected using publically accessible resources for example search engines, social networking sites, job posting sites, whois databases etc.

types of Footprinting Techniques

• Active : requires attacker to touch the device or network, example Social engineering and other communication that requires interaction with target.
• Passive : measures to collect information from publicly available sources. Websites, DNS records, business information databases.

Footprinting techniques

• Footprinting through Search Engines
• Footprinting through Web Services
• Footprinting through Social Networking Sites
• Website Footprinting
• Email Footprinting
• Whois Footprinting
• DNS Footprinting
• Network Footprinting
• Footprinting through Social Engineering

Footprinting through Search Engines

Job Search Sites

Information about technologies that are currently used, or developed in that company can be obtained from job postings sites such as linkedin.com, naukari.com, monstorjobs.com etc.

Google search (Google dorks)

Google dorks or google query is a search string that uses advanced search operators to find information that is not readily available. Some example of google dorks are :

filetype: - looks for file types
index of - directory listings
info: - contains Google's information about the page
intitle: - string in title
inurl: - string in url
link: - finds linked pages
related: - finds similar pages

GHDB is very good for learn Google Dorks and how it’s done in real world scenario.

More Lists Google Dorks :

Operator	uses
intitle	search page title
allintitle	search page title
inurl	search url
allinurl	search url
filetype	specific files
allintext	search page of text only
site	search specific site
link	search for links to page
inanchor	search link anchor text
allinanchor	Restricts results to only the pages containing all query terms specified in the ancher text on link to the pages.
cache	Searches websites or pages that contain link to the spefcified website or page.
location	find information about specific location
numrange	Locate number
daterange	search in date range
author	group author search
group	group name search
insubject	group suject search
msgid	group msgid search

Some more examples :

// example1
site:target.com ext:php

// example2
site:target.com ext:asp

// example3
site:target.com ext:aspx

// example4
site:target.com ext:js

// example5
site:target.com ext:jsp

// example6
site:target.com ext:sql

// example7
site:target.com ext:jar

// example8
site:target.com ext:html

// example9
site:target.com ext:zip

To get some idea of the target application and architecture.

Other example :

site:DOMAIN ext:FILEEXT intitle:SOME_KEYWORD

Examples :

// example1
site:target.com ext:pdf intitle:setup

// example2
site:target.com ext:pdf intitle:index of

The Pattern for search is

directive:query

• Listing a perticular format files :

ext:file_extension site:website_name

// example
ext:pdf site:hackerone.com

• Finding a particular path in a website url :

inurl:/path_to_find site:website_name

// example
inurl:/downloads site:hackerone.com

• Looking for a particular title

intitle:"User Login" site:hackerone.com

// example
intitle:"User Login" site:co.in

• Looking for a file with particular text in it

backup.sql intext:"SELECT" ext:sql site:net

// another example :
intext:"Powered by WordPress" site:co.in

• Searching something on wildcard subdomains

site:target.com intext:Login intitle:Jira

-, + and | operator :

• - operator remove some specific keywords from result. Example :

Remove the word error from the filtered result pages

site:target.com intext:Login -error

• + operator add specific word in search qurey/condtion

site:target.com intext:Login -error +username

• | operator works as OR login for example

site:target.com intext:userame|email

Some mixed context examples are :

site:target.com intext:login intext:username intext:password

Some example are :

• Dork to find admin panel

site:"*.target.com" intitle:admin intext:login intext:username | email intext:password -help -docs -support -news

• Dork to find PII

site:"*.target.com" intext:"phone"|number intext:"email"|address intext:"personal" intext:address intext:name|last -support -news -vendor -docs -help

Some tips regarding Search Engine Dorking

• You can also try other major search engines like bing, yahoo, ask, aol, Baidu, wolframAlfa, duckduckgo.
• Try to get information regarding target through video streeming sites.
• Gathering information through [meta search engines], for example startpage.com, metager.org, etools.ch.
• Search company details on crunchbase.com
• Gathering information through FTP Search Engine such as naplam ftp indexer, Global FTP Search Engine, freeware web ftp file search.
• For advance google search user can use https://www.google.com/advanced_search.
• For advance image search you can use https://www.google.co.in/advanced_image_search.
• For reverse image search goto https://images.google.com/ search image search and upload your image file.

Footprinting through Web Services

NetCraft

Blueprint a comprehensive list of information about the technologies and information about target website. For example :

https://sitereport.netcraft.com/?url=https://www.infosys.com  

Information returned by netcraft are :

• Background — This includes basic domain information.
• Which OS, Web server is runing; Which ISP;
• Network — This includes information from IP Address to Domain names to nameservers.
• SSL/TLS — This gives the ssl/tls status of the target
• Hosting History – This gives the information on the hosting history of the target
• Sender Policy Framework (SPF) — This describes who can send mail on the domains behalf
• DMARC -This is a mechanism for domain owners to indicate how mail purporting to originate from their domain should be authenticated
• Web Trackers — This trackers can be used to monitor individual user behavior across the web Site Technology. This section includes details on: Cloud & PaaS
  • Server-Side technologies (e.g: PHP)
  • Client-Side technologies (e.g: JavaScript library)
  • CDN Information
  • CMS Information (e.g: WordPress, Joomla, etc)
  • Mobile Technologies
  • Web stats (e.g: Web analytics, collection, etc)
  • Character encoding

ShodanIO Dorking

Shodan Unlike traditional search engines such as Google, use Web crawlers to traverse your entire site, but directly into the channel behind the Internet, various types of port equipment audits, and never stops looking for the Internet and all associated servers, camera, printers, routers, and so on. Shodan gives information about all if the publicly accessible machines/servers with their information like open ports, services, ssl certificates etc.

• Finding login portal    

ssl:"target.com" http.html:"Login, username, password"  

• Finding login portal with removing the result for “403 forbidden”    

ssl:"target.com" http.html:"Login, username, password" -http.html:"403 forbidden"  

• Finding data with page title  

ssl:"target.com" http.title:"Login Portal"  

• Search results by port number

ssl:"target.com" port:"2082"  

• Organization filter  

ssl:"target.com" org:"cloudflare, Inc"  

• Product filter

ssl:"target.com" product:"nginx"  

• Instead of full domain name we can also put target company name  

ssl:"bitdefender" org:"Cloudflare inc." product:"nginx" 200

censys

You can also use censys.io as an alternative to shodan. Go to https://search.censys.io/.

Footprinting through Social Networking Sites

• Social networking services such as facebook, twitter, linkedin provide useful information about the individual that helps the attacker in performing social engineering and other attacks.
• The people search can provide critical information about a person or an organization, location, emails, websites, blogs, contact, important dates etc.
• People online search engines such as intelius, pipl, beenverified, whitepages, peekyou provides people’s details.

Footprinting on Finencial websites

• Attacker can collects financial information related to a company such as stock quotes and charts, financial news and portfolios.
• Financial services such as Google finance, msn money, yahoo finance, investing.com etc can provide a large amount of useful information such as the market value of company’s share, company profile, competitor details, stock exchange rates, corporate press releases, financial reports along with news.

Footprinting through Job sites

• Job search sites provideis technical information about a company like Operating system, software versions, company’s network infrastructures, database schema etc.
• For example an organization advertises a network administrator job, it posts the requirements related to that position.
• Attackers can use the technical information obtained through job sites such as Dice, linkedin and simplyhired to detect underlying vulnerabilities in the target IT infrastructures.

Website Footprinting

• Refers to monitoring and analysis of the target organizations website for information such as software used and its version, operating system used and its scripting platforms, sub-directories and parameters, filename, path, database field name or query, technologies used, contact and cms details.
• Some of the populer tools are BurpSuite, ZapProxy, Wappalyzer, website informer etc.
• Some important header to look at is
  • Connection status for content-type
  • Accept renges and last-Modified
  • X-Powered-By information
  • web server in use and its version

Mirroring Website

• Web mirroring|Website Cloning – allows for discrete testing offline
• HTTrack – you can use the CLI version or Web Interface version
• Wget – Linux command

wget -mk -w 10 http://hackthissite.org/   

• Black Widow
• WebRipper
• Teleport Pro
• Backstreet Browser
• Archive.org / Wayback machine : Provides cached websites from various dates which possibly have sensitive information that has been now removed.
• alexa.com : Provides information about websites.

Email Footprinting

Email footprinting is used to monitor the delivery of emails to an intended receipent.

Email Header

• Sender’s mail server
• Date and time of receipt by the originator’s email servers.
• Authentication system used by the senders mail server.
• Date and time of sending message.
• a unique number assigned by mx.google.com to identify the message.
• Sender’s full name
• Sender’s IP address and address from which the message was sent.

All these information can be collected by analyzing email headers.

Link : Detailed analysis of email header

infoga

Infoga is a tool gathering email accounts informations (ip,hostname,country,…) from different public source (search engines, pgp key servers and shodan) and check if emails was leaked using haveibeenpwned.com API. Is a really simple tool, but very effective for the early stages of a penetration test or just to know the visibility of your company in the Internet.

This tools basically search emails of an organization on different search engines/dump sites and if it found any email then try to find if they are leaked or not then if leaked then analyze their email header.

Example Uses :

Check for emails of a particular domain

python infoga.py --domain university.ac.in --source all --breach --report ../university_email_leak.txt -v 2   

Check for an email address information

python infoga.py --info bhaskar.lvks@ggu.ac.in --breach -v 3   

Another tool is email tracker pro, which give geographical location based on ip address as well.

Whois Footprinting

WHOIS database contains personal information of domain owners. for example :

• Domain name details
• Contact details of domain owners
• Domain name servers
• NetRange
• When a domain was created
• Expiry record
• last updated record

The record is maintained by Regional internet registries, which are :

• ARIN : American Registry for Internet Numbers.
• AFRINIC : African Network Information Centre.
• APNIC : Asia-Pacific Network Information Centre.
• RIPE-NCC : Réseaux IP Européens Network Coordination Centre
• LACNIC : Latin American and Caribbean Network Information Centre.

WHOIS lookup

using tool whois

whois google.com

or you can use third party services like https://whois.domaintools.com/ for whois data.

Finding geolocation of an IP : you can use third party services like ip2location.com

DNS Footprinting

DNS records provide important information about the location and types of servers.

• Ports
• Name lookup – UDP 53
• Zone transfer – TCP 53
• Zone transfer replicates all records
• Name resolvers answer requests
• Authoritative Servers hold all records for a namespace
• DNS Record Types

Name	Description	Purpose
SRV	Service	Points to a specific service
SOA	Start of Authority	Indicates the authoritative NS for a namespace
PTR	Pointer	Maps an IP to a hostname
NS	Nameserver	Lists the nameservers for a namespace
MX	Mail Exchange	Lists email servers
CNAME	Canonical Name	Maps a name to an A reccord
A	Address	Maps an hostname to an IP address

• DNS Poisoning – changes cache on a machine to redirect requests to a malicious server
• DNSSEC – helps prevent DNS poisoning by encrypting records
• SOA Record Fields
  • Source Host – hostname of the primary DNS
  • Contact Email – email for the person responsible for the zone file
  • Serial Number – revision number that increments with each change
  • Refresh Time – time in which an update should occur
  • Retry Time – time that a NS should wait on a failure
  • Expire Time – time in which a zone transfer is allowed to complete
  • TTL – minimum TTL for records within the zone

• IP Address Management
  • ARIN – North America
  • APNIC – Asia Pacific
  • RIPE – Europe, Middle East
  • LACNIC – Latin America
  • AfriNIC – Africa

• Whois – obtains registration information for the domain from command line or web interface.
• on Kali, whois is pre-installed on CLI; e.g: whois google.com)
• on Windows, you can use SmartWhois GUI software to perform a whois, or any website like domaintools.com
• Nslookup – Performs DNS queries; (nslookup is pre-installed on Kali LinGux)

$ nslookup www.hackthissite.org
Server:         192.168.63.2
Address:        192.168.63.2#53

Non-authoritative answer:
Name:   www.hackthissite.org
Address: 137.74.187.103
Name:   www.hackthissite.org
Address: 137.74.187.102
Name:   www.hackthissite.org
Address: 137.74.187.100
Name:   www.hackthissite.org
Address: 137.74.187.101
Name:   www.hackthissite.org
Address: 137.74.187.104

First two lines shows my current DNS server; The IP addresses returned are ‘A record‘, meaning is the IPv4 address of the domain; Bottom line NsLookup queries the specified DNS server and retrieves the requested records that are associated with the domain.

The following types of DNS records are especially useful to use on Nslookup:

Type	Description
A	the IPv4 address of the domain
AAAA	the domain’s IPv6 address
CNAME	the canonical name — allowing one domain name to map on to another. This allows more than one website to refer to a single web server.
MX	the server that handles email for the domain.
NS	one or more authoritative name server records for the domain.
TXT	a record containing information for use outside the DNS server. The content takes the form name=value. This information is used for many things including authentication schemes such as SPF and DKIM.

Nslookup

• Interactive mode zone transfer (Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain).
  • nslookup
  • server <IP Address>
  • set type = <DNS type>
  • <target domain>

$ nslookup 

> set type=AAAA                                                                                                                                            
> www.hackthissite.org
Server:         192.168.63.2                                                                                                                               
Address:        192.168.63.2#53                                                                                                                            
                                                                                                                                                          
Non-authoritative answer:                                                                                                                                  
Name:   www.hackthissite.org                                                                                                                               
Address: 2001:41d0:8:ccd8:137:74:187:103                                                                                                                   
Name:   www.hackthissite.org                                                                                                                               
Address: 2001:41d0:8:ccd8:137:74:187:102                                                                                                                   
Name:   www.hackthissite.org                                                                                                                               
Address: 2001:41d0:8:ccd8:137:74:187:101                                                                                                                   
Name:   www.hackthissite.org                                                                                                                               
Address: 2001:41d0:8:ccd8:137:74:187:100
Name:   www.hackthissite.org
Address: 2001:41d0:8:ccd8:137:74:187:104

dig

unix-based command like nslookup

dig <target>

$ dig www.hackthissite.org

; <<>> DiG 9.16.2-Debian <<>> www.hackthissite.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51391
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;www.hackthissite.org.          IN      A

;; ANSWER SECTION:
www.hackthissite.org.   5       IN      A       137.74.187.104
www.hackthissite.org.   5       IN      A       137.74.187.101
www.hackthissite.org.   5       IN      A       137.74.187.100
www.hackthissite.org.   5       IN      A       137.74.187.102
www.hackthissite.org.   5       IN      A       137.74.187.103

;; Query time: 11 msec
;; SERVER: 192.168.63.2#53(192.168.63.2)
;; WHEN: Tue Aug 11 15:05:01 EDT 2020
;; MSG SIZE  rcvd: 129

• To get email records specify -t MX
  • dig <target> -t MX
• To get zone transfer specify axfr

More Detailed Explanation on DNS Footprinting

Network Footprinting

• IP address range can be obtained from regional registrar (e.g: ARIN for America, RIPE for Europe, etc)
• Use traceroute to find intermediary servers
  • Traceroute program work on the concept of ICMP protocol and use the TTL field in the header of ICMP packets –
  • traceroute uses ICMP echo in Windows (tracert)
  • traceroute is good for detect Firewalls and the network path

traceroute

Usage example:

• traceroute -I nsa.gov
  • Specify target: traceroute <target>
  • In this case is used ICMP ECHO for tracerouting: -I

$ traceroute -I nsa.gov

traceroute to nsa.gov (104.83.73.99), 30 hops max, 60 byte packets
 1  192.168.63.2 (192.168.63.2)  0.194 ms  0.163 ms  0.150 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  a104-83-73-99.deploy.static.akamaitechnologies.com (104.83.73.99)  42.742 ms  42.666 ms  25.176 ms

Windows command – tracert
Linux Command – traceroute

Reverse DNS Lookup

• Attackers perform a reverse DNS lookup on IP ranges in an attempt to locate a DNS PTR record for those IP addresses.
• Attackers use various tools, such as DNSRecon, to perform the reverse DNS Lookup on the target host.
• Attackers can also find the other domains that share the same web server, using tools such as Reverse IP Domain Check.
• It basically gives the information about how many other website are hosted or shared on that same IP address.

Tools :

• For revers IP Domain Check : https://reverseip.domaintools.com/
• dnsrecon

$ ping ggu.ac.in
PING ggu.ac.in (164.100.150.79) 56(84) bytes of data.

dnsrecon

$ dnsrecon -d ggu.ac.in -r 164.100.150.0-164.100.150.255
[*] Reverse Look-up of a Range
[*] Performing Reverse Lookup from 164.100.150.0 to 164.100.150.255
[+] PTR ua.nic.in 164.100.150.34
[+] PTR kerala.nic.in 164.100.150.100
[+] PTR keralancrms.nic.in 164.100.150.105
[+] PTR mum.nic.in 164.100.150.162
[+] PTR hp.nic.in 164.100.150.194
[+] PTR webjk.nic.in 164.100.150.240
[+] 6 Records Found

Footprinting through Social Engineering

• Social engineering is an art of exploiting human behavour to extract confidential information.
• Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it.
• By social engineering attacker can gather below information :
  • Credit card details and Social security numbers
  • user names and passwords
  • Security products in use
  • Operating systems and software versions
  • network layout information
  • IP addresses and names of servers

Social Engineering attacks techniques

Eavesdropping

• Unauthorized listening of conversations or reading of messages.
• It is the interaction of any form of communocation, such as audio, video or text.

Shoulder Surfing

• Secretly observing the target to gather critical information, such as passwords, personal identfication nuber, account numbers and credit card information.

Dumpster Diving

• Looking for treasure in someone else’s trash.
• It onvolvs the collection of phone bills, contact information, financial information, operations-related information, etc. from the target company’s trash bins, printer trash bins, user desk for sticky notes etc.

Impersonation

• pretending to be a legitimate or authorized person and using the phone or other communication medium to mislead targets and trick them into revealing information.

Footprinting Tools

Metagoofil

Search and download specific filetype for a given website using google searches/dorks.

metagoofil -d accenture.com -n 20 -t pdf,doc,xls,ppt,xlsx -o ResultDir   

theHarvester

theHarvester is a simple to use, yet powerful tool designed to be used during the reconnaissance stage of a red team assessment or penetration test. It performs open source intelligence (OSINT) gathering to help determine a domain’s external threat landscape. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources.

theHarvester -d certifiedhacker.com -l 300 -b baidu,bing,certspotter,dnsdumpster,duckduckgo,github-code,google,linkedin,netcraft,twitter,yahoo -f report

OSRF Framework

OSRFramework is a set of libraries to perform Open Source Intelligence tasks. They include references to a bunch different applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, and many others.

OSRFramework CLI subcommands:

Subcommands	Description
usufy.py	This tool that verifies if a username exists in 249 social platforms.
mailfy.py	This module checks if a username has been registered in up to 22 email providers.
searchfy.py	This module looks for profiles using full names and other info in 7 platforms.
domainfy.py	This module checks the existence of a given domain in up to 879 different TLD.
phonefy.py	This module checks if a phone number has been linked to spam practices in 4 platforms.
entify.py	This module looks for regular expressions using 13 patterns.

Using usufy.py

Checks for the existence of a profile for a given user details in different platforms.

usufy.py -n cehuser us -p twitter facebook youtube

Using searchfy.py

Checks with the existing users of pages/handlers for a given details in the all social networks.

searchfy.py -q "ECCouncil"

Sublist3r

Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS

Usage example:

python3 sublist3r.py -d hackthissite.org

sherlok

Find social media accounts by username across multiple social networks.

python3 sherlock.py ajaytekam                                                                                                                                                         2 ⨯
[*] Checking username ajaytekam on:


[+] Academia.edu: https://independent.academia.edu/ajaytekam
[+] Asciinema: https://asciinema.org/~ajaytekam
[+] Behance: https://www.behance.net/ajaytekam
[+] BitBucket: https://bitbucket.org/ajaytekam/
[+] Blogger: https://ajaytekam.blogspot.com
[+] Docker Hub: https://hub.docker.com/u/ajaytekam/
[+] Duolingo: https://www.duolingo.com/profile/ajaytekam
[+] Ello: https://ello.co/ajaytekam
[+] EyeEm: https://www.eyeem.com/u/ajaytekam
[+] Facebook: https://www.facebook.com/ajaytekam
[+] Fiverr: https://www.fiverr.com/ajaytekam
[+] Flipboard: https://flipboard.com/@ajaytekam
[+] Freelancer: https://www.freelancer.com/u/ajaytekam
[+] GitHub: https://www.github.com/ajaytekam
[+] GitHub Support Community: https://github.community/u/ajaytekam/summary
[+] GuruShots: https://gurushots.com/ajaytekam/photos
[+] Instagram: https://www.instagram.com/ajaytekam
[+] Kaggle: https://www.kaggle.com/ajaytekam
[+] Linktree: https://linktr.ee/ajaytekam
[+] Periscope: https://www.periscope.tv/ajaytekam/
[+] Reddit: https://www.reddit.com/user/ajaytekam
[+] Roblox: https://www.roblox.com/user.aspx?username=ajaytekam
[+] SlideShare: https://slideshare.net/ajaytekam
[+] Smule: https://www.smule.com/ajaytekam
[+] Snapchat: https://www.snapchat.com/add/ajaytekam
[+] Star Citizen: https://robertsspaceindustries.com/citizens/ajaytekam
[+] TryHackMe: https://tryhackme.com/p/ajaytekam
[+] Twitch: https://www.twitch.tv/ajaytekam
[+] Twitter: https://twitter.com/ajaytekam
[+] Wattpad: https://www.wattpad.com/user/ajaytekam
[+] Whonix Forum: https://forums.whonix.org/u/ajaytekam
[+] Wikipedia: https://en.wikipedia.org/wiki/Special:CentralAuth/ajaytekam?uselang=qqx
[+] xHamster: https://xhamster.com/users/ajaytekam

[*] Results: 33

[!] End:  The processing has been finished.

DIRB

It is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack/brute force attack against a web server and analyzing the response. Useful to find subdirectories on web application. Usage example:

dirb https://www.hackthissite.org/ /usr/share/wordlists/dirb/small.txt  

Recon-ng

Recon-ng is a web-based open-source reconnaissance tool used to extract information from a target organization and its personnel. Provides a powerful environment in which open source web-based reconnaissance can be automated conducted, quickly and thoroughly.

Usage : Link

Maltego

Maltego is a powerful OSINT tool, you can extract a broad type of information through the network, technologies and personnel(email, phone number, twitter).

You able to:

• Identify IP address
• Identify Domain and Domain Name Schema
• Identify Server Side Technology
• Identify Service Oriented Architecture (SOA) information
• Identify Name Server
• Identify Mail Exchanger
• Identify Geographical Location
• Identify Entities
• Discover Email addresses and Phone numbers

FOCA

FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans. These documents may be on web pages, and can be downloaded and analysed with FOCA.

It is capable of analysing a wide variety of documents, with the most common being Microsoft Office, Open Office, or PDF files, although it also analyses Adobe InDesign or SVG files, for instance.

These documents are searched for using three possible search engines: Google, Bing, and DuckDuckGo. The sum of the results from the three engines amounts to a lot of documents. It is also possible to add local files to extract the EXIF information from graphic files, and a complete analysis of the information discovered through the URL is conducted even before downloading the file.

Social Engineering Framework (SEF)

It’s a open source Social Engineering Framework (SCRIPT) that helps generate phishing attacks and fake emails. and it’s includes phishing pages, fake email, fake email with file attachment and other stuff that helps you in Social Engineering Attack.

cewl

A custom wordlist generator from a website, basically scrap the website for words. default depth is 2.

Simple run with saving wordlist in a file.

cewl https://target-website.com/ -w wordlist.txt

• Create a certain length of wordlist -m 8
• Get emails from a website -e
• Verbose mode -v
• hide the cralled wordlist from displaying on the screen -n
• Increase the depth -d 3, default is 2
• run on debug mode -debug
• Count the total number of appearance of a word in website -c
• Allow numbers to be included in wordlist--with-numbers

Footprinting Countermeasures

1. Develop and Enforce security policies to regulate the information that employees can reveal to third parties.
2. Set apart internal and external DNS or use split DNS and restrict zone transfer to authorized servers.
3. Disable Directory listing in web servers.
4. Encrypt and password protect sensitive information.
5. place critical documents, such as business plans and proprietary documents offline to protect exploitation.
6. Train employees to detect social engineering techniques and attacks and defend themselves.
7. Sanitize the details provided to internet registrars to hide the direct contact details of the organization.
8. Disable the geo-tagging functionality on cameras to prevent geolocation tracking.
9. Avoid revealing ones location or travel plans on social networking sites.
10. Turn-off geo-location access on all mobile devices when not required.
11. Ensure that no critical information is displayed on notice boards or walls.
12. Avoid Domain level cross-linking for critical assets.
13. Opt for privacy services on whois lookup database.
14. Conduct pariodic security awareness training to educate employees about various social engineering tricks and risks.