What is Footprinting and How to do it?
Footprinting starts with determining the intrusion’s location and goal. Once this is known, non-intrusive methods are used to gather specific information about the organization. For example, if the hacker needs to use social engineering to achieve the goal, the organization’s Web page may provide a personnel directory or employee bios. A whois query on the Internet returns the domain names and networks associated with a specific company.
Other data gathered could include learning about Internet technologies, operating systems, and hardware, IP addresses, e-mail addresses, and phone numbers, as well as policies and procedures.
Footprinting is the process of collecting data about a specific network environment on a computer, usually to find ways to intrude into the environment. Footprinting can reveal system flaws and make it easier to exploit them.
During the footprinting phase, a hacker can collect the following information –
- Domain name
- IP Addresses
- Namespaces
- Employee information
- Phone numbers
- E-mails
- Job Information
How can attackers benefit from footprinting?
- Footprinting allows attackers to learn about the target organization’s security posture.
- It assists attackers in narrowing their focus to a specific range of IP addresses, networks, domain ranges, and so on.
- It can also assist attackers in choosing appropriate exploits by allowing them to identify vulnerabilities in target systems.
- It may enable attackers to draw a network map or outline the target organization’s network infrastructure to gain a better understanding of the environment they will breach.
How to do Footprinting?
Given below are the steps to do footprinting:
Search
It all begins with our web browsers. A great deal of information about any website is available on the internet, and finding it starts with a search. Open your browser, type the name of the site into the address bar, and the URL appears; that URL is the first piece of information you have.
A well-constructed search can help attackers extract information about a target such as technology platforms, employee details, login pages, and intranet portals, and it can also help them perform social engineering and other types of advanced system attacks.
Ping
Now that you have the URL of your target, you can use the ping command to get the IP address behind the URL:
ping target.com
Whois Lookup
Whois Lookup is a tool for determining DNS, domain names, name servers, and IP addresses, among other things. Many online whois lookup services exist; simply type in your desired domain name or IP address.
Alternatively, you can use Kali Linux’s whois command.
whois target.com
Nslookup
NsLookup makes a query to the specified DNS server and retrieves the requested records for the domain name you specified. This command displays information such as the IP addresses associated with a domain name.
nslookup target.com
WhatWeb
The purpose of this tool is to answer the question, “What is that Website?” Platform, type of script, Google Analytics, web server platform, IP address, country, server headers, cookies, and much more can be gathered. In your Linux console, simply type the following command:
whatweb target.com
p0f
It’s a method for determining the operating system and other configuration properties of a remote host by analysing the structure of TCP/IP packets. p0f is a forensic tool that can be used to examine a compromised or infected system. Running p0f is as simple as this:
- Enter p0f in a Linux terminal.
- In any browser, open your target host and begin exploring it.
The client will begin interacting with the server once the connection has been established.
Recon-ng
Recon-ng is a Python tool built specifically for information gathering, with independent modules, a list of API keys, and other components.
Now let’s see if we can use one of the modules that don’t require an API key. There are several, but we’ll use XSSposed to scan for XSS (cross-site scripting) vulnerabilities.
Simply type recon-ng in your Linux command line, or go to Applications > Information Gathering > recon-ng.
For any help, you can simply enter:
recon-ng > help
Now, we need to load the module:
recon-ng > use recon/domains-vulnerabilities/xssposed
The only option this module needs is the website we want to scan. Let’s take a look at microsoft.com. To do so, we must first set the source.
recon-ng > set SOURCE microsoft.com
After that, tell Recon-ng to go:
recon-ng > run
Google Dork:
The query string can be used as a search term and as a keyword. To gather information about the target host, Google Advanced Search Operators can also be used.
You can also look up search terms that have been found to reveal sensitive data exposed by vulnerable servers and web applications in the Google Hacking Database (GHDB).
Nikto:
Nikto is a Web Server Scanner that looks for potentially dangerous files and out-of-date service software, all of which can be exploited and used to hack a network. These findings can be used to determine the network or application’s weaknesses, from which you can select appropriate attacks to hack the network.
- Enter nikto in your Kali Linux Terminal to run Nikto.
- To learn more about the commands, open the help file:
nikto -Help
Lastly, scan the target host:
nikto -h targetIP
To save the results to a file, use the following command:
nikto -h target.com -o nikto_results -F txt
-o stands for output and -F for file type, which in this case is txt. Press Enter and the results are saved as a text file named nikto_results.
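From the defender’s side, the tools listed above leave traces in web server logs. The following is an added example (not from the original post) that flags Nikto-style scanning in Apache combined-format log lines: it looks for scanner user-agent strings and for a single client requesting many distinct non-existent paths. The log lines, the threshold and the marker strings are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent substrings of tools named on this page (assumed markers, matched case-insensitively).
SCANNER_UA_MARKERS = ("nikto", "whatweb", "recon-ng")

# Constructed sample log lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"',
    '203.0.113.5 - - [10/Oct/2023:13:56:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000005)"',
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_footprinting(lines, min_404s=5):
    """Map client IP -> sorted list of reasons its traffic looks like scanning."""
    findings = defaultdict(set)
    not_found = defaultdict(set)  # ip -> distinct paths that returned 404
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing on them
        ua = rec["ua"].lower()
        for marker in SCANNER_UA_MARKERS:
            if marker in ua:
                findings[rec["ip"]].add(f"scanner user-agent ({marker})")
        if rec["status"] == "404":
            not_found[rec["ip"]].add(rec["path"])
    # Many distinct 404s from one client is the signature of a path brute-force,
    # which still shows up when the scanner is configured with an innocuous user-agent.
    for ip, paths in not_found.items():
        if len(paths) >= min_404s:
            findings[ip].add(f"{len(paths)} distinct 404 paths")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}
```

Feed real access-log lines to detect_footprinting() and tune min_404s to the noise level of the site being monitored.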