02 Ch02 Footprinting and Reconnaissance2


2/26/2024

Hacking Techniques and Intrusion Detection

Chapter 2
Footprinting and Reconnaissance

Prof. Jaafer Al Saraireh

Objectives
• Identify various techniques for performing footprinting and reconnaissance.
• Identify the methodology of footprinting and reconnaissance.
• Understand the use of whois and nslookup.
• Describe DNS record types.
• Define and describe Google hacking.

Prof. Jaafer Al Saraireh - Princess Sumaya University for Technology 2


What is Footprinting?
• Footprinting is part of the reconnaissance process; it is used to gather all
possible information about a target computer system or network.
• The footprinting phase involves:
– Profiling organizations
– Collecting data about the network
– Collecting data about the hosts
– Collecting data about the employees and third-party partners
– This information includes the OS used by the organization, firewalls, network
maps, IP addresses, domain name system information, security configurations of
the target machine, URLs, virtual private networks, email addresses, and phone
numbers.

What is Footprinting? (Continued)


• Footprinting is the process of collecting as much information as possible
about a target network in order to identify the various ways an intruder could
enter an organization's network.
• Footprinting is the first step of any attack on an information system; the attacker
gathers publicly available sensitive information.
• In the case of network attacks, the main goal is to gather information about
the network. The same applies to web application attacks.


What is Footprinting? (Continued)


• Footprinting is the part of ethical hacking in which you gather information
about the system or application. The main aim of footprinting is to gather as
much information as possible about the system or application in order to narrow
down the areas and techniques of attack.
• Most people find footprinting boring, but it is a very important part of
ethical hacking.


Footprinting Types
• (1) Active Footprinting: the type of footprinting where you gather information about the
system or application by interacting directly with it. It describes the use of tools and
techniques, such as the traceroute command or a ping sweep (an Internet Control Message
Protocol sweep), to collect data about a specific target.
– When you use active footprinting, there is a high chance that some information, such as your
IP address, is logged by the system you are gathering information about.
– This often triggers the target's intrusion detection system (IDS). It takes a certain level of stealth and
creativity to evade detection successfully.
• (2) Passive Footprinting: we do not engage directly with the target. Instead, we use
search engines, social media, other websites, and the whois command to gather information
about the target.
– This method is recommended since it does not generate any log of our presence on the target system.
– It is a stealthier approach to footprinting because it does not trigger the target's IDS.
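Active footprinting is noisy by design, which is why it shows up in an IDS. As an added example that is not part of the lecture, the script below applies the kind of threshold check an IDS or a log-review job runs over firewall logs: one source sending ICMP echo requests to many distinct hosts is reported as a ping sweep, and one source hitting many distinct ports on a single host is reported as a port scan. The log layout, the addresses and the thresholds are constructed for the example and do not correspond to any particular firewall product.

```python
"""Flag ping sweeps and port scans in firewall log lines.

Added example. The syslog-like line format, the addresses and the default
thresholds are constructed; tune the thresholds to the size of your network."""
from collections import defaultdict
import re

# Constructed sample log: 198.51.100.7 sweeps six hosts with ICMP echo
# (type 8), then probes eight ports on 10.0.0.10; 203.0.113.9 is benign.
SAMPLE_LOG = """\
2024-02-26T10:00:01Z fw DENY proto=icmp type=8 src=198.51.100.7 dst=10.0.0.1
2024-02-26T10:00:01Z fw DENY proto=icmp type=8 src=198.51.100.7 dst=10.0.0.2
2024-02-26T10:00:01Z fw DENY proto=icmp type=8 src=198.51.100.7 dst=10.0.0.3
2024-02-26T10:00:02Z fw DENY proto=icmp type=8 src=198.51.100.7 dst=10.0.0.4
2024-02-26T10:00:02Z fw DENY proto=icmp type=8 src=198.51.100.7 dst=10.0.0.5
2024-02-26T10:00:02Z fw DENY proto=icmp type=8 src=198.51.100.7 dst=10.0.0.6
2024-02-26T10:00:03Z fw ALLOW proto=tcp src=203.0.113.9 dst=10.0.0.10 dport=443
2024-02-26T10:00:05Z fw DENY proto=tcp src=198.51.100.7 dst=10.0.0.10 dport=21
2024-02-26T10:00:05Z fw DENY proto=tcp src=198.51.100.7 dst=10.0.0.10 dport=22
2024-02-26T10:00:05Z fw DENY proto=tcp src=198.51.100.7 dst=10.0.0.10 dport=23
2024-02-26T10:00:05Z fw DENY proto=tcp src=198.51.100.7 dst=10.0.0.10 dport=25
2024-02-26T10:00:06Z fw DENY proto=tcp src=198.51.100.7 dst=10.0.0.10 dport=80
2024-02-26T10:00:06Z fw DENY proto=tcp src=198.51.100.7 dst=10.0.0.10 dport=110
2024-02-26T10:00:06Z fw DENY proto=tcp src=198.51.100.7 dst=10.0.0.10 dport=143
2024-02-26T10:00:06Z fw DENY proto=tcp src=198.51.100.7 dst=10.0.0.10 dport=443
2024-02-26T10:00:07Z fw ALLOW proto=tcp src=203.0.113.9 dst=10.0.0.10 dport=443
"""

# "type=" is only present on ICMP lines, "dport=" only on TCP/UDP lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) proto=(?P<proto>\w+)"
    r"(?: type=(?P<type>\d+))? src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_sweeps(events, host_threshold=5, port_threshold=8):
    """Return alerts for sources that touch >= host_threshold distinct hosts
    with ICMP echo requests (ping sweep) or >= port_threshold distinct ports
    on one host (port scan). Both ALLOW and DENY lines count: a scan is a
    scan whether or not the firewall let the probe through."""
    icmp_targets = defaultdict(set)   # src -> set of hosts pinged
    tcp_ports = defaultdict(set)      # (src, dst) -> set of ports probed
    for e in events:
        if e["proto"] == "icmp" and e["type"] == "8":
            icmp_targets[e["src"]].add(e["dst"])
        elif e["proto"] == "tcp" and e["dport"]:
            tcp_ports[(e["src"], e["dst"])].add(int(e["dport"]))

    alerts = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= host_threshold:
            alerts.append({"kind": "ping_sweep", "src": src, "count": len(hosts)})
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= port_threshold:
            alerts.append({"kind": "port_scan", "src": src, "dst": dst,
                           "count": len(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately crude; a production rule would also window the events in time so that a slow scan spread over hours is not missed and a monitoring host that legitimately pings many machines is allow-listed.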


Footprinting Types (Continued)


• (1) Active footprinting and reconnaissance can include the following methods:
– Perform IP or port scanning
– Perform operating system scanning
– Conduct footprinting of the services running on a system
– Perform a zone transfer against an internal DNS server
– Spider the public web pages
– Conduct social engineering
• (2) Passive footprinting and reconnaissance can include the following methods:
– Search the Whois database
– Browse through a target's website
– Perform social network scraping
– Search Google or any other search engine
– Extract DNS information
– Review blogs, public forums, and websites
– Search breach databases and the dark web for information about a target


Source of Information Gathering


• Social Media
• JOB websites
• Search Engine such as Google.
• Social Engineering: various techniques fall into this category. A few of them are:
– Eavesdropping
– Shoulder surfing
• Archive.org: the archived version of a website is an older copy of the site as it existed at
some earlier time, before many of its features were changed.
• An organization's website.
• NeoTrace: a powerful tool for getting path information. Its graphical display shows the route
between you and the remote site, including all intermediate nodes and their information.
• Whois: a service that is very useful to hackers. Through it, information about the domain name,
contact email, domain owner, and so on can be obtained.


Why Footprinting?
• (1) Know Security Posture: footprinting allows attackers to learn the external security
posture of the target organization.
• (2) Reduce Focus Area: it narrows the attacker's focus to a specific range of IP
addresses, networks, domain names, remote access points, etc.
• (3) Identify Vulnerabilities: it allows the attacker to identify vulnerabilities in the target system
and select appropriate exploits.
• (4) Draw Network Map: it allows the attacker to draw a map of the target organization's
network infrastructure and so learn about the actual environment they are going to break into.


Domain Name Service or System (DNS)


• Domain Name Service (DNS) makes navigation easy. DNS provides a name-to-IP-
address (and vice versa) mapping service, allowing us to type in a name for a resource
as opposed to its address.
• The DNS system is made up of servers all over the world. Each server holds and
manages the records for its own little corner of the world, known in the DNS world as a
namespace. Each of these records gives directions to or for a specific type of resource.
• Some records provide IP addresses for individual systems within your network,
whereas others provide addresses for your e-mail servers. Some provide pointers to
other DNS servers, which are designed to help people find what they’re looking for.
• DNS Footprinting Tools: whois, nslookup, host, and dig
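Those four tools show an outsider exactly what a public zone publishes, so a defender should audit the zone from that angle before an attacker does. As an added example that is not part of the lecture, the script below parses a constructed BIND-style zone file and flags the records that most often leak information during DNS footprinting: RFC 1918 addresses published in a public zone, HINFO records that describe the platform, and hostnames that reveal internal roles. The zone contents, the sensitive-word list and the checks are constructed illustrations, not a standard.

```python
"""Audit a public zone file for what DNS footprinting would reveal.

Added example. The zone text, the SENSITIVE_LABELS word list and the three
checks are constructed; extend them to match your own naming conventions."""
import ipaddress
import re

# Constructed zone with a few records that disclose more than they should.
ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA   ns1.example.com. hostmaster.example.com. 2024022601 7200 3600 1209600 3600
@           IN  NS    ns1.example.com.
@           IN  MX    10 mail.example.com.
www         IN  A     192.0.2.44
mail        IN  A     192.0.2.45
vpn         IN  A     192.0.2.46
intranet    IN  A     10.0.1.15
dev-jenkins IN  A     192.0.2.47
www         IN  HINFO "Intel x86" "Ubuntu 22.04"
@           IN  TXT   "v=spf1 ip4:192.0.2.45 -all"
"""

# Hostname fragments that tell an outsider what a host is for (constructed list).
SENSITIVE_LABELS = ("vpn", "intranet", "dev", "jenkins", "staging", "admin")

# Private address space per RFC 1918; checked explicitly rather than with
# ip_address().is_private, which would also match the 192.0.2.0/24 test net.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RECORD_RE = re.compile(r"^(?P<name>\S+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def parse_zone(text):
    """Minimal zone-file reader: honours $ORIGIN, expands '@', skips
    comments and other $ directives. Returns a list of record dicts."""
    origin = ""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        fqdn = origin if name == "@" else f"{name}.{origin}"
        records.append({"name": fqdn, "type": m.group("type"),
                        "data": m.group("data").strip()})
    return records


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit(records):
    """Return (finding, fqdn) pairs for records worth a defender's review."""
    findings = []
    for r in records:
        if r["type"] == "A" and is_rfc1918(r["data"]):
            findings.append(("private_ip_in_public_zone", r["name"]))
        if r["type"] == "HINFO":
            findings.append(("hinfo_discloses_platform", r["name"]))
        host = r["name"].split(".")[0]
        if any(label in host for label in SENSITIVE_LABELS):
            findings.append(("sensitive_hostname", r["name"]))
    return findings


if __name__ == "__main__":
    for finding, fqdn in audit(parse_zone(ZONE_TEXT)):
        print(f"{finding:28} {fqdn}")
```

Run against a real zone, the same parser works on the output of a zone transfer you perform against your own server, which is also the quickest way to confirm that transfers are refused to everyone else.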


DNS System
• In total, there are 13 main DNS root
servers, each of which is named with
the letters ‘A’ to ‘M’.
• Managing the root server is ICANN’s
responsibility (Internet Corporation
for Assigned Names and Numbers).


DNS System (Continued)


• The root servers are operated by different institutions, which ensure that data exchange in the
root zone always remains correct, available, and secure.
• The following table lists the individual root name servers (the 13 main DNS root servers).


How DNS Works

1. The user opens a web browser and enters example.com in the address bar.
2. The request for example.com is routed to a DNS resolver, which is managed by the user's
Internet service provider.
3. The DNS resolver forwards the request for example.com to a root DNS server.
4. The DNS resolver again forwards the request for example.com, this time to one of the TLD
name servers for .com domains. The name server for .com domains responds to the request
with the 2 or 4 name servers associated with the example.com domain.
5. The DNS resolver chooses one of the example.com authoritative name servers and forwards
the request for example.com to that name server.
6. The website's name server looks in the example.com hosted zone for the example.com A
record to get the associated value, such as the IP address for a web server, 34.72.102.28,
and returns the IP address to the DNS resolver.
7. Finally, the DNS resolver for the ISP has the IP address that the user needs. The resolver
returns that value to the web browser. The DNS resolver can store the IP address for
example.com.
8. The web browser sends a request for example.com using the IP address that it got from
the DNS resolver. This is where the actual content is.
9. The web server or other resource at 34.72.102.28 returns the web page for example.com
to the web browser, and the web browser displays the page.


How DNS Works (Example)

1. A user opens a web browser and enters www.example.com in the address bar.
2. The request for www.example.com is routed to a DNS resolver, which is typically managed by
the user's Internet service provider (ISP), such as a cable Internet provider, a DSL broadband
provider, or a corporate network.
3. The DNS resolver for the ISP forwards the request for www.example.com to a DNS root
name server.
4. The DNS resolver for the ISP forwards the request for www.example.com again, this time to
one of the TLD name servers for .com domains. The name server for .com domains responds
to the request with the names of the four Amazon Route 53 name servers that are associated
with the example.com domain.
5. The DNS resolver for the ISP chooses an Amazon Route 53 name server and forwards the
request for www.example.com to that name server.
6. The Amazon Route 53 name server looks in the example.com hosted zone for the
www.example.com record, gets the associated value, such as the IP address for a web server,
192.0.2.44, and returns the IP address to the DNS resolver.
7. The DNS resolver for the ISP finally has the IP address that the user needs. The resolver returns
that value to the web browser. The DNS resolver also caches (stores) the IP address for
example.com for an amount of time that you specify so that it can respond more quickly the
next time someone browses to example.com. For more information, see time to live (TTL).
8. The web browser sends a request for www.example.com to the IP address that it got from the
DNS resolver. This is where your content is, for example, a web server running on an Amazon
EC2 instance or an Amazon S3 bucket that's configured as a website endpoint.
9. The web server or other resource at 192.0.2.44 returns the web page for www.example.com to
the web browser, and the web browser displays the page.
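The two nine-step walkthroughs above describe the same recursive resolution: root, TLD, authoritative server, then caching for the record's TTL. As an added example that is not part of the lecture, the script below models that walk with an in-memory DNS hierarchy and a stub resolver that follows NS referrals, returns the A record, and serves repeat queries from its cache until the TTL expires. The server names (under the reserved .test TLD), the zone contents and the TTL are constructed; only the address 192.0.2.44 comes from the slide.

```python
"""Model the root -> TLD -> authoritative resolution walk with TTL caching.

Added example. Server names, zone contents and the 300-second TTL are
constructed; 192.0.2.44 is the address used in the lecture's example."""
import time

# Constructed delegation tree. Each "server" answers from a dict of records:
# NS entries are referrals (zone suffix -> name servers), A entries are final
# answers (fqdn -> (ip, ttl_seconds)).
ZONES = {
    "root": {
        "NS": {"com.": ["a.gtld-servers.test."]},
    },
    "a.gtld-servers.test.": {
        "NS": {"example.com.": ["ns-1.example-dns.test.", "ns-2.example-dns.test."]},
    },
    "ns-1.example-dns.test.": {
        "A": {"www.example.com.": ("192.0.2.44", 300)},
    },
    "ns-2.example-dns.test.": {
        "A": {"www.example.com.": ("192.0.2.44", 300)},
    },
}


class FakeClock:
    """Controllable clock so TTL expiry can be shown without waiting."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class Resolver:
    def __init__(self, zones, clock=time.time):
        self.zones = zones
        self.clock = clock
        self.cache = {}  # fqdn -> (ip, absolute expiry time)

    def resolve(self, name):
        """Return (ip, trail, from_cache); trail lists the servers asked, in order."""
        fqdn = name if name.endswith(".") else name + "."
        hit = self.cache.get(fqdn)
        if hit is not None and hit[1] > self.clock():
            return hit[0], [], True          # step 7 on a repeat: answer from cache
        trail = []
        server = "root"                      # step 3: start at a root server
        while True:
            trail.append(server)
            zone = self.zones[server]
            if fqdn in zone.get("A", {}):    # step 6: authoritative A record found
                ip, ttl = zone["A"][fqdn]
                self.cache[fqdn] = (ip, self.clock() + ttl)   # cache for the TTL
                return ip, trail, False
            # steps 4-5: follow the referral whose zone is the closest match.
            # The first listed name server is chosen; real resolvers rotate.
            referrals = [(len(suffix), servers[0])
                         for suffix, servers in zone.get("NS", {}).items()
                         if fqdn == suffix or fqdn.endswith("." + suffix)]
            if not referrals:
                raise LookupError(f"{server} has no delegation for {fqdn}")
            server = max(referrals)[1]


if __name__ == "__main__":
    r = Resolver(ZONES)
    print(r.resolve("www.example.com"))   # full walk: root, TLD, authoritative
    print(r.resolve("www.example.com"))   # served from cache, empty trail
```

The trail is the part worth noticing from a defensive standpoint: every server on it sees the query name, so a resolver's cache both speeds up lookups and reduces how much of the organization's browsing the upstream servers observe.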


DNS Record Types



Footprinting Methodology




Footprinting Methodology (Continued)


• Footprinting is a method of collecting information about a target. The information can be of
different types, such as:
– IP address
– Domain and subdomain names
– Email address
– Contact information
– Geolocations

• An attacker can use various techniques as part of the Footprinting methodology to collect
information. These techniques are:
– Search Engines Footprinting
– Web Services Footprinting
– Social Networking Sites Footprinting
– Website Footprinting
– Email Footprinting
– Whois Footprinting
– DNS Footprinting
– Network Footprinting
– Social Engineering Footprinting


Footprinting Tools
• Various tools can be used in reconnaissance or footprinting, such as:
– Whois — queries for domain names (command line on Windows/Linux, or online services such as
https://www.whois.com/whois/ and https://whois.domaintools.com/)
– Nslookup — queries DNS
– MxToolBox online: https://mxtoolbox.com/
– FOCA — enumeration of users, files, folders, and OS information from document metadata
– theHarvester — information gathering for email addresses, subdomains, hostnames, and
banners
– Shodan — a search engine built on service metadata. Shodan is designed to scan and index
devices and systems connected to the Internet, unlike traditional search engines such as
Google, which index web pages.
– Maltego — information gathering
– Recon-ng — web reconnaissance
– Censys — search engine for information about devices on the Internet


Footprinting Tools (Continued)


• Kali Linux also includes reconnaissance or footprinting tools under different categories,
which are:
– DNS Analysis
– IDS/IPS Identification
– Live Host Identification
– Network & Port Scanners
– OSINT Analysis
– Route Analysis
– Etc.
