Footprinting is the first step in the evaluation of the security posture of the IT infrastructure of a target organization. Through footprinting and reconnaissance, one can gather maximum information about a computer system or a network and about any device connected to that network. In other words, footprinting provides a security profile blueprint for an organization and should be undertaken in a methodological manner.

Topics:

  1. Explain Footprinting Concepts
  2. Demonstrate Footprinting through Search Engines
  3. Demonstrate Footprinting through Internet Research Services
  4. Demonstrate Footprinting through Social Networking Sites
  5. Use Different Techniques for Whois Footprinting
  6. Use Different Techniques for DNS Footprinting
  7. Use Different Techniques for Network and Email Footprinting
  8. Demonstrate Footprinting through Social Engineering
  9. Automate Footprinting Tasks using Advanced Tools and AI
  10. Explain Footprinting Countermeasure

 


1. Explain Footprinting Concepts

Reconnaissance

Reconnaissance (also known as footprinting) refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack. An essential aspect of footprinting is identifying the level of risk associated with the organization’s publicly accessible information. Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization’s network.

Types of Reconnaissance

  • Passive
    Gathering information about the target without direct interaction. It involves:
    • Open-source Intelligence (OSINT) gathering
    • Proprietary databases and paid services
    • Sharing intelligence with partner organizations or industry groups
  • Active
    Gathering information about the target with direct interaction. It involves:
    • DNS interrogation
    • Social engineering
    • Network/port scanning
    • User and service enumeration

Information Obtained in Footprinting

Organization information
• Employee details 
• Telephone numbers 
• Branch and location details 
• Background of the organization 
• Web technologies
• News articles, press releases, and related documents

Network information
• Domain and sub-domains 
• Network blocks
• Network topology, trusted routers, and firewalls
• IP addresses of the reachable systems
• Whois records 
• DNS records

System Information

• Web server OS 
• Location of web servers
• Publicly available email addresses
• Usernames and passwords 
CEHv13 Notes – Module 02: Footprinting and Reconnaissance

2. Demonstrate Footprinting through Search Engines

Footprinting Using Advanced Google Hacking Techniques

• Attackers use search engines to extract information about a target, such as employed technology platforms, employee details, login pages, and intranet portals, which helps the attacker to perform social engineering and other types of advanced system attacks.
• Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information that helps attackers find vulnerable targets.
Attackers can use the advanced search operators available with these search engines to create complex queries that find, filter, and sort specific information regarding the target. Search engines are also used to find other sources of publicly accessible information. For example, you can type “top job portals” to find major job portals that provide critical information about the target organization.
What can a Hacker Do with Google Hacking? An attacker can create complex search-engine queries to filter large amounts of search results to obtain information related to computer security. The attacker can use Google operators to locate specific strings of text within search results. Thus, the attacker can not only detect websites and web servers that are vulnerable to exploitation but also locate private and sensitive information about the target. Once a vulnerable site is identified, attackers attempt to launch various possible attacks, such as buffer overflow and SQL injection, which compromise information security. Examples of sensitive information on public servers that an attacker can extract with the help of Google Hacking Database (GHDB) queries include:
▪ Error messages that contain sensitive information 
▪ Files containing passwords 
▪ Sensitive directories 
▪ Pages containing logon portals 
▪ Pages containing network or vulnerability data, such as IDS, firewall logs, and configurations
▪ Advisories and server vulnerabilities 
▪ Software version information 
▪ Web application source code 
▪ Connected IoT devices and their control panels, if unprotected 
▪ Hidden web pages such as intranet and VPN services
Example: Use the Google advanced operator syntax [intitle:intranet inurl:intranet +intext:”human resources”] to find sensitive information about a target organization and its employees. Attackers use the gathered information to perform social engineering attacks.
An attacker can also leverage AI-powered ChatGPT or other generative AI technology to perform this task by using an appropriate prompt such as: “Use filetype search operator to obtain pdf files on the target website eccouncil.org and store the result in the recon1.txt file”
Shell-gpt / sgpt : https://github.com/tbckr/sgpt

The following shell command conducts advanced Google hacking using the “filetype” operator to target PDF files within the eccouncil.org domain, then saves the results to a file named “recon1.txt”:
  • lynx --dump "http://www.google.com/search?q=site:eccouncil.org+filetype:pdf" | grep "http" | cut -d "=" -f2 | grep -o "http[^&]*" > recon1.txt
▪ `lynx --dump "http://www.google.com/search?q=site:eccouncil.org+filetype:pdf"`: Runs the Lynx text browser in dump mode to fetch Google’s search results for PDF files within the eccouncil.org domain.
▪ `| grep "http"`: Keeps only the lines of the Lynx output that contain the string “http”.
▪ `| cut -d "=" -f2`: Splits each line on the “=” delimiter and selects the second field.
▪ `| grep -o "http[^&]*"`: Prints only the matched text that starts with “http” and runs up to the next “&”.
▪ `> recon1.txt`: Redirects the final output to a file named “recon1.txt” for storage.

Google Hacking Database 

Source: https://www.exploit-db.com/google-hacking-database
The GHDB is a subset of the Exploit-DB and focuses on using Google search queries (often referred to as “Google Dorks”) to find sensitive information inadvertently exposed on the web. These queries exploit advanced Google search operators to uncover the following:
▪ Sensitive files: Such as configuration files, database dumps, and log files that may contain usernames, passwords, or other confidential data.
▪ Exposed directories: Open directories on web servers that might contain sensitive information.
▪ Error messages: Web server or application error messages that may reveal server configurations or vulnerabilities.
▪ Vulnerable devices: Identifying specific types of devices or software versions known to have vulnerabilities.

Attackers can also use SearchSploit, which is a command-line search tool for Exploit-DB that allows taking a copy of the Exploit database for remote use. It allows attackers to perform detailed offline searches through their locally checked-out copy of the repository. This capability is particularly useful for security assessments of segregated or air-gapped networks without Internet access.


VPN Footprinting through Google Hacking Database with AI

Footprinting through SHODAN Search Engine 

Source: https://www.shodan.io

Shodan is a search engine that enables attackers to perform footprinting at various levels. It is used to detect devices and networks with vulnerabilities. A search in Shodan for VoIP and VPN footprinting can deliver various results, which will help gather VPN- and VoIP-related information.

Other Techniques for Footprinting through Search Engines 

▪ Gathering Information Using Google Advanced Search, Advanced Image Search, and Reverse Image Search
▪ Gathering Information from Video Search Engines
▪ Gathering Information from Meta Search Engines
▪ Gathering Information from File Transfer Protocol (FTP) Search Engines
▪ Gathering Information from IoT Search Engines, e.g., shodan.io/search?query=SCADA
Major search engines:
Google, Bing, Yahoo!, Ask.com, Aol, Baidu, DuckDuckGo

Search through LLM

Directly asking an LLM-backed search engine, for example: “Give me an NMAP command to determine if there is a firewall in the way.”
▪ Google
▪ Bing
▪ Grok: https://x.ai/
▪ Perplexity: https://www.perplexity.ai/
Operator examples:
▪ https://www.shodan.io/search?query=webcam
▪ inurl:webcam (Google Dork)

3. Footprinting through Internet Research Services

 

Finding a Company’s Top-Level Domains (TLDs) and Sub-domains 

Tools to Search Company’s Sub-domains 
▪ Netcraft Source: https://www.netcraft.com 
▪ DNSdumpster Source: https://dnsdumpster.com
▪ Pentest-Tools Find Subdomains Source: https://pentest-tools.com

Finding a Company’s Top-Level Domains (TLDs) and Sub-domains with AI 

Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly find the top-level domains and subdomains of the target.
Example #1: An attacker can use ChatGPT (here through sgpt) to perform this task by using an appropriate prompt such as:
  • sgpt --chat domain --shell "Discover all the subdomains of 'google.com' using dig command."
  • sgpt --chat footprint --shell "Use Sublist3r to gather a list of subdomains of the target organization eccouncil"

Extracting Website Information from https://archive.org

https://archive.org hosts the Internet Archive’s Wayback Machine, which lets you explore archived versions of websites. Such exploration allows an attacker to gather information on an organization’s web pages since their creation. As https://archive.org keeps snapshots of web pages from the time of their creation, an attacker can retrieve even information later removed from the target website, such as web pages, audio files, video files, images, text, and software programs. Attackers use this information to perform phishing and other types of web application attacks on the target organization.

Footprinting through People Search Services 

You can use public record websites to find information about email addresses, phone numbers, house addresses, and other information. Many individuals use online people search services to find information about other people. Generally, online people search services such as Spokeo, Intelius, pipl, BeenVerified, Whitepages, Instant Checkmate, and PeekYou provide people’s names, addresses, contact details, date of birth, photographs, videos, profession, details about their family and friends, social networking profiles, property information, and optional background on criminal checks. Further, online people search services may often reveal the profession of an individual, businesses owned by a person, upcoming projects and operating environment, websites and blogs, contact numbers, important dates, company email addresses, cell phone numbers, fax numbers, and personal e-mail addresses. Using this information, an attacker can try to obtain bank details, credit card details, past history, and so on. This information proves to be highly beneficial for attackers to launch attacks. There are many available online people search services that help in obtaining information regarding people.
▪ People Search Service – Spokeo Source: https://www.spokeo.com

Footprinting through Job Sites

Dark Web Footprinting

▪ Tor Browser Source: https://www.torproject.org
Searching the Dark Web with Advanced Search Parameters

Determining the Operating System

▪ Netcraft Source: https://www.netcraft.com
▪ SHODAN Search Engine Source: https://www.shodan.io
▪ Censys Source: https://censys.io

Competitive Intelligence Gathering

Competitive intelligence helps in determining:
▪ What are the competitors doing?
▪ How are competitors positioning their products and services?
▪ What are customers saying about competitors’ strengths and weaknesses?
Information Resource Sites
Information resource sites that help to gain competitive intelligence include:
▪ EDGAR Database Source: https://www.sec.gov/edgar
▪ D&B Hoovers Source: https://www.dnb.com
▪ LexisNexis Source: https://www.lexisnexis.com
▪ Business Wire Source: https://www.businesswire.com
▪ Factiva Source: https://www.dowjones.com
Competitive Intelligence – What Are the Company’s Plans?
Information resource sites that help attackers gain a company’s business plans include:
▪ MarketWatch Source: https://www.marketwatch.com
▪ The Wall Street Transcript Source: https://www.twst.com
▪ Euromonitor Source: https://www.euromonitor.com
▪ Experian Source: https://www.experian.com
▪ The Search Monitor
Competitive Intelligence – What Do Expert Opinions Say About the Company?
Information resource sites that help the attacker to obtain expert opinions about the target company include:
▪ SEMRush Source: https://www.semrush.com
▪ ABI/INFORM Global Source: https://www.proquest.com
▪ SimilarWeb Source: https://www.similarweb.com
▪ SERanking Source: https://seranking.com

Other Techniques for Footprinting through Internet Research Services

▪ Finding the Geographical Location of the Target
o Google Earth Source: https://earth.google.com
▪ Gathering Information from Financial Services
o Google Finance Source: https://www.google.com/finance
▪ Gathering Information from Business Profile Sites
Attackers use business profile sites such as opencorporates, Crunchbase, and corporationwiki to gather important information about the target organizations, such as their location, addresses, contact information (such as phone numbers, email addresses), employee database, department names, type of service provided, and type of industry.
▪ Monitoring Targets Using Alerts
Tools such as Google Alerts, X Alerts, and Giga Alerts help attackers to track mentions of the organization’s name, member names, website, or any people or projects that are important. Attackers can gather updated information about the target periodically from the alert services and use it for further attacks.
o Google Alerts Source: https://www.google.com/alerts
▪ Tracking the Online Reputation of the Target 
An attacker may use ORM tracking tools to:
o Track a company’s online reputation
o Collect a company’s search engine ranking information
o Obtain email notifications when a company is mentioned online
o Track conversations
o Obtain social news about the target organization
o Mention Source: https://mention.com
▪ Gathering Information from Groups, Forums, and Blogs
Attackers can register with fake profiles in Google Groups, LinkedIn Groups, and so on. 
▪ Gathering Information from Public Source-Code Repositories
Source code–based repositories are online services or tools available on internal servers or can be hosted on third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. 
Attackers can use tools such as Recon-ng to discover public source-code repositories.
o Recon-ng Source: https://github.com

4. Footprinting through Social Networking Sites

 People Search on Social Networking Sites 

Social networking sites such as Facebook, Twitter, LinkedIn, and Instagram allow you to find people by name, keyword, company, school, friends, colleagues, and the people living around them. 
Gathering Information from LinkedIn
• Attackers use theHarvester tool to perform enumeration on LinkedIn and find employees of the target company along with their job titles
• Attackers can use this information to gather more information, such as current location and educational qualifications, and perform social engineering or other kinds of attacks
LinkedIn is a social networking website for professionals. It connects the world’s human resources to aid productivity and success. The site contains personal information such as name, position, organization name, current location, educational qualifications, and so on. Information gathered from LinkedIn helps an attacker in performing social engineering or other kinds of attacks. Attackers can use theHarvester tool to gather information from LinkedIn based on the target organization name: 
▪ theHarvester Source: https://github.com 
theHarvester -d eccouncil -l 200 -b linkedin
In the above command, -d specifies the domain or company name to search, -l specifies the number of results to be retrieved, and -b specifies the data source as LinkedIn.
Harvesting Email Lists 
Gathering email addresses related to the target organization acts as an important attack vector during the later phases of hacking. Attackers can use automated tools such as theHarvester and Email Spider to collect publicly available email addresses of the employees of the target organization. These tools harvest email lists related to a specified domain using search engines such as Google, Bing, and Yahoo. Attackers use these email lists and usernames to perform social engineering and brute force attacks on the target organization.
▪ theHarvester Source: https://github.com
Attackers use theHarvester tool to extract email addresses related to the target domain. For example, attackers use the following command to extract email addresses of microsoft.com using the Baidu search engine: 
theharvester -d microsoft.com -l 200 -b baidu
In the above command, -d specifies the domain used for harvesting the emails, -l will limit the results to 200, and -b tells theHarvester to extract the results from the Baidu search engine; alternatively, you can use Google, Bing, etc.
Harvesting Email Lists with AI 
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly find valuable email details of their target organization. For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Use theHarvester to gather email accounts associated with ‘microsoft.com’, limiting results to 200, and leveraging ‘baidu’ as a data source”
sgpt --chat fp --shell "Use theHarvester to gather email accounts associated with 'microsoft.com', limiting results to 200, and leveraging 'baidu' as a data source"
Analyzing Target Social Media Presence 
Several online services and resources are available to gather valuable information about a target from one or more social media sites. These services allow attackers to discover most shared content across social media sites by using hashtags or keywords, track accounts and URLs on various social media sites, obtain a target’s email address, etc. This information helps attackers to perform phishing, social engineering, and other types of attacks. Attackers use tools such as BuzzSumo, Google Trends, Hashatit, and Ubersuggest to locate information on social media sites: 
▪ BuzzSumo Source: https://buzzsumo.com
Tools for Footprinting through Social Networking Sites 
Attackers use various tools such as Sherlock and Social Searcher to footprint social networking sites such as Twitter, Instagram, Facebook, and Pinterest to gather sensitive information about the target such as the date of birth, educational qualification, employment status, name of relatives, and information about the organization that they are working for, including the business strategy, potential clients, and upcoming project plans. 
▪ Sherlock Source: https://github.com
sherlock "Elon Musk"
▪ Social Searcher Source: https://www.social-searcher.com 
Footprinting through Social Networking Sites with AI
For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Use Sherlock to gather personal information about Sundar Pichai and save the result in recon2.txt”
sgpt --chat footprint --shell "Use Sherlock to gather personal information about Sundar Pichai and save the result in recon2.txt"

5. Whois Footprinting

 Whois Lookup

Three types of data models exist to store and look up Whois information:
▪ Thick Whois (Distributed Model) – Stores the complete Whois information from all the registrars for a particular set of data.
▪ Thin Whois (Centralized Model) – Stores only the name of the Whois server of the registrar of a domain, which in turn holds complete details on the data being looked up.
▪ Decentralized Whois – Stores complete WHOIS information and has multiple independent entities to manage the WHOIS database.
A Whois query returns the following information:
▪ Domain name details
▪ Domain registrar
▪ Contact details of the domain owner
▪ Domain name servers
▪ NetRange
▪ When a domain has been created
▪ Expiry records
▪ Records last updated
▪ Domain status (available, registered, or suspended)
▪ IP address information
Regional Internet Registries (RIRs)
The RIRs include the following:
▪ American Registry for Internet Numbers (ARIN) (https://www.arin.net) 
▪ African Network Information Center (AFRINIC) (https://www.afrinic.net) 
▪ Asia Pacific Network Information Center (APNIC) (https://www.apnic.net) 
▪ Réseaux IP Européens Network Coordination Centre (RIPE) (https://www.ripe.net) 
▪ Latin American and Caribbean Network Information Center (LACNIC) (https://www.lacnic.net)
▪ Whois lookup services, such as https://whois.domaintools.com and https://www.tamos.com
▪ Batch IP Converter, available at http://www.sabsoft.com

Finding IP Geolocation Information 

IP geolocation helps to obtain information regarding a target such as its country, region/state, city, latitude and longitude of its city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, weather station code and name, mobile carrier, and elevation. 
IP Geolocation Lookup Tools 
▪ IP2Location Source: https://www.ip2location.com 

6. DNS Footprinting

 DNS Footprinting

After collecting the Whois records of the target, the next phase of the footprinting methodology is Domain Name System (DNS) footprinting. Attackers perform DNS footprinting to gather information about DNS servers, DNS records, and the types of servers used by the target organization. This information helps attackers identify the hosts connected in the target network and further exploit the target organization. This section describes how to extract DNS information and perform reverse DNS lookups using various DNS interrogation tools.
DNS footprinting helps in determining the following records about the target DNS:

DNS Interrogation Tools

Attackers use DNS interrogation tools such as SecurityTrails, Fierce, DNSChecker, zdns and DNSdumpster.com to perform DNS footprinting. These tools can extract a range of IP addresses using IP routing lookup. If the target network allows unknown, unauthorized users to transfer DNS zone data, it is easy for an attacker to obtain DNS information with the help of a DNS interrogation tool.

When an attacker queries a DNS server using a DNS interrogation tool, the server responds with a record structure that contains information about the target DNS. DNS records provide important information regarding the locations and types of servers. 

▪ SecurityTrails Source: https://securitytrails.com

▪ Fierce Source: https://github.com
Attackers can use the following commands to perform DNS reconnaissance using the Fierce tool:
  • Run the following command to start a basic scan on the target domain (certifiedhacker.com) without any additional options: fierce --domain certifiedhacker.com
  • Run the following command to scan the target domain for specific subdomains (here, subdomains containing words such as write, admin, and mail): fierce --domain certifiedhacker.com --subdomains write admin mail
  • Run the following command to scan the addresses near the discovered records of the target domain: fierce --domain certifiedhacker.com --subdomains mail --traverse 10
  • Run the following command to attempt an HTTP connection to the discovered hosts of the target: fierce --domain certifiedhacker.com --subdomains mail --connect
  • Run the following command to scan all the discovered records of the target domain, i.e., a full detailed scan: fierce --domain certifiedhacker.com --wide

DNS Lookup with AI 

Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly perform reverse DNS lookup activities on a target and acquire valuable insights. For example, attackers can use ChatGPT to execute this task by using an appropriate prompt such as: “Install and use DNSRecon to perform DNS enumeration on the target domain www.certifiedhacker.com”
The following shell command performs DNS enumeration using the “dnsrecon” tool on the www.certifiedhacker.com domain:
sudo apt-get update && sudo apt-get install -y dnsrecon && dnsrecon -d certifiedhacker.com -t std
Explanation of the command:
▪ sudo apt-get update: Updates the package lists for upgrades and new package installations.
▪ &&: Chains the commands so that each one runs only if the previous one succeeded.
▪ sudo apt-get install -y dnsrecon: Installs the dnsrecon tool with an automatic “yes” to all prompts.
▪ dnsrecon -d certifiedhacker.com -t std: Runs dnsrecon against the certifiedhacker.com domain using the standard enumeration type.

Reverse DNS Lookup 

DNS lookup is used to find the IP addresses for a given domain name, and a reverse DNS lookup is performed to obtain the domain name of a given IP address. When a user enters a domain name in a browser, DNS converts the domain name into an IP address and forwards the request for further processing. This forward conversion of a domain name into an IP address is answered by the domain’s A record. Attackers perform a reverse DNS lookup on an IP range to locate the DNS PTR records for those IP addresses.
Attackers use various tools such as DNSRecon, Reverse Lookup, puredns, Reverse IP Domain Check, and Reverse IP Lookup to perform reverse DNS lookup on the target host. When we obtain an IP address or a range of IP addresses, we can use these tools to obtain the domain name. 
▪ DNSRecon
Source: https://github.com
Attackers use the following command to perform a reverse DNS lookup on the target range:
dnsrecon -r 162.241.216.0-162.241.216.255 
In the above command, the -r option specifies the range of IP addresses (first to last) for a reverse lookup by brute force.
▪ Reverse Lookup Source: https://mxtoolbox.com
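The sweep that `dnsrecon -r` performs, reimplemented as an added example (not code from the CEH notes or from dnsrecon) so the PTR mechanics are visible: each address is turned into its in-addr.arpa name and resolved. The resolver is pluggable; the `CONSTRUCTED_PTR` map, the example.org hostnames and the `ROLE_WORDS` list are constructed for the offline demonstration and the defender's check of what the PTR records give away.

```python
"""Reverse DNS sweep over an IPv4 range, in the spirit of dnsrecon -r.

Added example; not code from the CEH notes or from dnsrecon. Each address in
the range is turned into its in-addr.arpa query name and resolved to a PTR
record. The resolver is a pluggable callable: by default the OS resolver is
used, and the constructed map below lets the sweep run offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample PTR data: made-up hostnames for the range used in the notes.
CONSTRUCTED_PTR = {
    "162.241.216.1": "mail.example.org",
    "162.241.216.2": "vpn.example.org",
    "162.241.216.5": "srv5.example.org",
}

# Labels that leak a host's role. Assumption: a short list is enough to illustrate.
ROLE_WORDS = ("mail", "mx", "smtp", "vpn", "dev", "test", "staging", "admin", "db")


def ptr_name(ip: str) -> str:
    """Reverse-zone query name, e.g. 162.241.216.5 -> 5.216.241.162.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def parse_range(spec: str) -> Iterator[str]:
    """Yield every address in a 'first-last' range (dnsrecon -r style) or a CIDR block."""
    if "-" in spec:
        first, last = (part.strip() for part in spec.split("-", 1))
        start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if end < start:
            raise ValueError("range end precedes range start")
        for n in range(int(start), int(end) + 1):
            yield str(ipaddress.IPv4Address(n))
    else:
        for addr in ipaddress.IPv4Network(spec, strict=False):
            yield str(addr)


def system_resolver(ip: str) -> Optional[str]:
    """Ask the OS resolver for the PTR record; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def constructed_resolver(ip: str) -> Optional[str]:
    """Offline stand-in for system_resolver, backed by CONSTRUCTED_PTR."""
    return CONSTRUCTED_PTR.get(ip)


def reverse_sweep(spec: str,
                  resolver: Callable[[str], Optional[str]] = system_resolver) -> Dict[str, str]:
    """Return {ip: hostname} for every address in the range that has a PTR record."""
    found: Dict[str, str] = {}
    for ip in parse_range(spec):
        host = resolver(ip)
        if host:
            found[ip] = host
    return found


def role_hints(found: Dict[str, str]) -> Dict[str, List[str]]:
    """Defender's check: which discovered names reveal a server's role in their first label."""
    hints: Dict[str, List[str]] = {}
    for ip, host in found.items():
        first_label = host.split(".")[0].lower()
        roles = [word for word in ROLE_WORDS if word in first_label]
        if roles:
            hints[ip] = roles
    return hints


if __name__ == "__main__":
    # Offline demonstration against the constructed data; the default
    # system_resolver sweeps a real range you are authorised to audit.
    hits = reverse_sweep("162.241.216.0-162.241.216.255", constructed_resolver)
    for ip, host in hits.items():
        print(f"{ip:<16} {ptr_name(ip):<32} {host}")
    print("role-revealing names:", role_hints(hits))
```

Run against your own address space with the default resolver to see which PTR records name a host's function before an outsider does.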

7. Network and Email Footprinting

 

Network and Email Footprinting
The next step after retrieving DNS information is to gather network-related information and track email communications. This section describes the method to locate the network range, traceroute analysis, and traceroute tools. It also describes how to track email communications, how to collect information from email headers, and email tracking tools.
Obtaining private IP addresses can be useful to attackers. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP address space for private internets: 10.0.0.0–10.255.255.255 (10/8 prefix), 172.16.0.0–172.31.255.255 (172.16/12 prefix), and 192.168.0.0–192.168.255.255 (192.168/16 prefix). 

Traceroute

Finding the route of the target host on the network is necessary to test against man-in-the-middle attacks and other related attacks. Most operating systems come with a Traceroute utility to perform this task. It traces the path or route through which the target host packets travel in the network. Traceroute uses the ICMP protocol and Time to Live (TTL) field of the IP header to find the path of the target host in the network. 

TCP Traceroute
Many devices in any network are generally configured to block ICMP traceroute messages. In this scenario, an attacker uses TCP or UDP traceroute, which is also known as Layer 4 traceroute. Go to the terminal in Linux operating system and type the tcptraceroute command along with the destination IP address or domain name as follows:
 sudo tcptraceroute www.google.com
UDP Traceroute
Like Windows, Linux also has a built-in traceroute utility, but it uses the UDP protocol for tracing the route to the destination. Go to the terminal in the Linux operating system and type the traceroute command along with the destination IP address or domain name as follows: traceroute www.google.com
Traceroute with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting operations. With the aid of AI, attackers can effortlessly perform tracerouting on a target. For example, attackers can use ChatGPT to execute this task by using an appropriate prompt such as: “Perform network tracerouting to discover the routers on the path to a target host www.certifiedhacker.com”
The following shell command performs network tracerouting using the “traceroute” tool to discover the routers on the path to the www.certifiedhacker.com host:
traceroute www.certifiedhacker.com
Explanation of the command:
▪ traceroute www.certifiedhacker.com: Runs traceroute to discover the routers on the path to the www.certifiedhacker.com host by sending packets to the destination with increasing time-to-live (TTL) values and analyzing the responses received from intermediate routers.

Traceroute Tools

Traceroute tools such as NetScanTools Pro, PingPlotter, Traceroute NG, and tracert are useful for extracting information about the geographical location of routers, servers, and IP devices in a network. Such tools help us to trace, identify, and monitor the network activity on a world map. Some of the features of these tools are as follows:
▪ Hop-by-hop traceroutes
▪ Reverse tracing
▪ Historical analysis
▪ Packet loss reporting
▪ Reverse DNS
▪ Ping plotting
▪ Port probing
▪ Detect network problems
▪ Performance metrics analysis
▪ Network performance monitoring
▪ NetScanTools Pro Source: https://www.netscantools.com
▪ PingPlotter Source: https://www.pingplotter.com

Tracking Email Communications 

Email tracking monitors the email messages of a particular user. This kind of tracking is possible through digitally time-stamped records that reveal the time and date when the target receives and opens a specific email. Email tracking tools allow an attacker to collect information such as IP addresses, mail servers, and service providers involved in sending the email. Attackers can use this information to build a hacking strategy and to perform social engineering and other attacks. Examples of email tracking tools include IP2LOCATION’s Email Header Tracer, MxToolbox, DNS Checker Email Header Analyzer, and Social Catfish. 
Collecting Information from Email Header
An email header contains the details of the sender, routing information, addressing scheme, date, subject, and recipient. Email headers also help attackers to trace the routing path taken by an email before it is delivered to the recipient. Each email header is a useful source of information for an attacker to launch attacks against the target. The process of viewing the email header varies with different email programs. Commonly used email programs:
▪ eM Client
▪ Mailbird
▪ Hiri
▪ Mozilla Thunderbird
▪ Spike
▪ Claws Mail
▪ SmarterMail Webmail
▪ Outlook
▪ Apple Mail
▪ ProtonMail
▪ AOL Mail
▪ Tuta
The email header contains the following information:
▪ Sender’s mail server
▪ Date and time of receipt by the originator’s email servers
▪ Authentication system used by the sender’s mail server
▪ Date and time of sending the message
▪ A unique number assigned by mx.google.com to identify the message
▪ Sender’s full name
▪ Sender’s IP address and address from which the message was sent
The attacker can trace and collect all this information by performing a detailed analysis of the complete email header.
Email tracking tools such as IP2LOCATION’s Email Header Tracer, MxToolbox, eMailTrackerPro, Holehe, DNS Checker Email Header Analyzer, and Social Catfish allow an attacker to track an email and extract information such as sender identity, mail server, sender’s IP address, location, and so on. Attackers use the extracted information to track the email path from the attacker’s location to the target mail server using IP addresses in the email header. 
▪ eMailTrackerPro Source: http://www.emailtrackerpro.com 
▪ IP2LOCATION’s Email Header Tracer Source: https://www.ip2location.com
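The routing-path analysis described above, as an added example that is not part of the course notes and not the code of any of the tools listed: it walks the Received: chain of a message the way a header tracer does, recording for each hop the relaying server, the IP address that server logged for its peer, and the timestamp, then reports the originating IP and the end-to-end transit time. The sample message is constructed by hand (hosts, addresses and Message-ID are fictitious) so the script runs offline, and the regular expression covers the common "from host (rdns [ip]) by server" clause.

```python
"""Reconstruct the delivery path of an email from its Received: headers.

Added example: not part of the course material. The message below is
constructed (fictitious hosts, addresses and Message-ID).
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: newest Received: header first, as servers prepend them.
SAMPLE_MESSAGE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby inbox.example.org with ESMTPS id abc123\n"
    "\tfor <alice@example.org>; Tue, 04 Jun 2024 10:15:30 +0000\n"
    "Received: from client-pc (unknown [203.0.113.45])\n"
    "\tby mx.example.net with ESMTP id xyz789;\n"
    "\tTue, 04 Jun 2024 10:15:27 +0000\n"
    "Authentication-Results: inbox.example.org; spf=pass smtp.mailfrom=example.net\n"
    "Message-ID: <constructed-0001@example.net>\n"
    "From: Bob <bob@example.net>\n"
    "To: alice@example.org\n"
    "Date: Tue, 04 Jun 2024 10:15:25 +0000\n"
    "Subject: Quarterly report\n"
    "\n"
    "Body text.\n"
)

# Matches the common "from <helo> (<rdns> [<ip>]) by <server>" clause.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                              # name the peer announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"  # rDNS and IP seen by the receiver
    r".*?\bby\s+(?P<by>\S+)"                                             # server that wrote the header
)


def parse_received_chain(raw_message):
    """Return hops oldest-first: dicts with helo, rdns, ip, by and time."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())      # unfold continuation lines
        match = HOP_RE.search(text)
        if not match:
            continue                              # unusual format: skip rather than guess
        when = None
        if ";" in text:                           # the date follows the last ';'
            try:
                when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hop = match.groupdict()
        hop["time"] = when
        hops.append(hop)
    hops.reverse()                                # headers are newest-first on the wire
    return hops


def originating_ip(hops):
    """IP recorded in the oldest hop: the host that first handed the mail to a server.
    Only hops written by servers you trust are reliable; a sender can forge
    Received: lines that appear below them."""
    for hop in hops:
        if hop["ip"]:
            return hop["ip"]
    return None


def transit_seconds(hops):
    """Seconds between the first and last timestamped hop."""
    stamps = [h["time"] for h in hops if h["time"] is not None]
    if len(stamps) < 2:
        return None
    return (stamps[-1] - stamps[0]).total_seconds()


def summarize(raw_message):
    """Fields a header tracer reports: sender, message id, auth result, path, origin."""
    msg = message_from_string(raw_message)
    hops = parse_received_chain(raw_message)
    return {
        "from": msg["From"],
        "message_id": msg["Message-ID"],
        "auth": msg["Authentication-Results"],
        "path": [(h["ip"] or h["helo"], h["by"]) for h in hops],
        "origin_ip": originating_ip(hops),
        "transit_seconds": transit_seconds(hops),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MESSAGE).items():
        print("%-16s %s" % (key, value))
```

Read the path from the bottom hop upwards and trust only the Received: lines added by your own or a known provider's servers; everything below them was supplied by the sender and can be forged, which is why the originating IP from this script should be cross-checked against the Authentication-Results header rather than taken at face value.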

8. Footprinting through Social Engineering

Social engineers attempt to gather:
• Credit card details and social security number
• Usernames and passwords
• Security products in use
• Operating systems and software versions
• Network layout information
• IP addresses and names of servers
Social engineering techniques include:
• Eavesdropping
• Shoulder surfing
• Dumpster diving
• Impersonation

Footprinting through Social Engineering

Collecting Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Eavesdropping, shoulder surfing, dumpster diving, and impersonation are social engineering techniques widely used to collect information from people. 
▪ Eavesdropping
Eavesdropping is the act of intercepting communication in any form, such as audio, video, or text, without the consent of the communicating parties. It also includes reading confidential messages from communication media such as instant messaging or fax transmissions. The attacker can gain information by tapping phone conversations or intercepting audio, video, or written communications.
▪ Shoulder Surfing
Shoulder surfing is a technique whereby attackers secretly observe the target to gain critical information. In the shoulder surfing technique, an attacker stands behind the victim and secretly observes the victim’s activities on the computer, such as keystrokes while entering usernames, passwords, and so on. The technique is effective in gaining passwords, personal identification numbers, security codes, account numbers, credit card information, and similar data. Attackers can easily perform shoulder surfing in a crowded place, as it is relatively easy to stand behind and watch the victim without his or her knowledge.
▪ Dumpster Diving
This uncouth technique, also known as trashing, involves the attacker rummaging for information in garbage bins. The attacker may gain vital information such as phone bills, contact information, financial information, operations-related information, printouts of source code, printouts of sensitive information, and so on from the target company’s trash bins, printer waste bins, sticky notes at users’ desks, and so on. The attacker may also gather account information from ATM trash bins. The information can help the attacker to commit attacks.
▪ Impersonation
Impersonation is a technique whereby an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use phones or other communication media to mislead targets and trick them into revealing information. The attacker might impersonate a courier/delivery person, janitor, businessman, client, technician, or he/she may pretend to be a visitor. Using this technique, an attacker gathers sensitive information by scanning terminals for passwords, searching important documents on desks, rummaging bins, and so on. The attacker may even try to overhear confidential conversations and “shoulder surf” to obtain sensitive information.

9. Automate Footprinting Tasks using Advanced Tools and AI

Footprinting Tools: Maltego and Recon-ng

Maltego
Maltego is an automated tool that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc. Attackers can use different entities available in the tool to obtain information such as email addresses, a list of phone numbers, and a target’s Internet infrastructure (domains, DNS names, Netblocks, IP addresses information).
Recon-ng
Recon-ng is a Web Reconnaissance framework with independent modules and database interaction, which provides an environment in which open source, web-based reconnaissance can be conducted.
FOCA
Fingerprinting Organizations with Collected Archives (FOCA) is a tool used mainly to find metadata and hidden information in the documents that it scans. FOCA is capable of scanning and analyzing a wide variety of documents, with the most common ones being Microsoft Office, Open Office, or PDF files. Features:
o Web Search – Searches for hosts and domain names through URLs associated with the main domain. Each link is analyzed to extract information from its new host and domain names.
o DNS Search – Checks each domain to ascertain the host names configured in NS, MX, and SPF servers to discover the new host and domain names.
o IP Resolution – Resolves each host name by comparison with the DNS to obtain the IP address associated with this server name. To perform this task accurately, the tool performs analysis against the organization’s internal DNS.
o PTR Scanning – Finds more servers in the same segment as a discovered address; for each IP address, FOCA executes a PTR record scan.
o Bing IP – For each IP address discovered, FOCA launches a Bing search for new domain names associated with that IP address.
o Common Names – Perform dictionary attacks against the DNS.
subfinder
subfinder is a subdomain discovery tool that helps attackers find valid subdomains for websites. It supports multiple output formats (JSON, file, stdout). 
Footprinting Tools: OSINT Framework
• OSINT Framework is an open source intelligence gathering framework that is focused on gathering information from free tools or resources
• It provides a simple web interface that lists various OSINT tools arranged by categories and shown as an OSINT tree structure on the web interface
• Tools listed include the following indicators:
▪ (T) – Indicates a link to a tool that must be installed and run locally
▪ (D) – Google Dork
▪ (R) – Requires registration
▪ (M) – Indicates a URL that contains the search term and the URL itself must be edited manually
Other Tools:
Sudomy https://github.com
BillCipher https://github.com
BillCipher is an information gathering tool for a website or IP address. It can work on any operating system that supports Python 2, Python 3, and Ruby. This tool includes various options such as DNS lookup, Whois lookup, port scanning, zone transfer, host finder, and reverse IP lookup, which help to gather critical information.
whatweb https://github.com
Raccoon https://github.com
Recon-Dog https://github.com
Recon-Dog is an all-in-one tool for all basic information gathering needs. It uses APIs to collect information about the target system. Features:
o Censys: Uses censys.io to gather a massive amount of information about an IP address.
o NS lookup: Performs name server lookup
o Port scan: Scans most common TCP ports
o Detect CMS: Can detect 400+ content management systems
o Whois lookup: Performs a Whois lookup
o Detect honeypot: Uses shodan.io to check if the target is a honeypot
o Find subdomains: Uses findsubdomains.com to find subdomains
o Reverse IP lookup: Performs a reverse IP lookup to find domains associated with an IP address
o Detect technologies: Uses wappalyzer.com to detect 1000+ technologies
o All: Runs all utilities against the target
Web Check https://web-check.xyz
OSINT.SH https://osint.sh
AI-Powered OSINT Tools
AI has revolutionized open-source intelligence (OSINT) by significantly enhancing investigative capabilities through advanced data collection, analysis, and prediction. AI automates data processing, extracts relevant insights, delivers actionable intelligence more efficiently than traditional methods, and enhances the OSINT tools. AI-powered tools offer numerous advantages for OSINT. The following are some key use cases in which AI can significantly benefit OSINT researchers.
▪ Web Scraping: AI techniques utilize online data from sources such as social media, blogs, forums, and deep web databases. This data enables the tracking of entities over time or the monitoring of public behavior. Machine-learning models can automate the extraction of specific information such as social media comments and replies.
▪ Pattern Recognition: Machine learning (ML) techniques can identify entities within large datasets and analyze files to identify the relationships between different entities. These entities include names, company details, addresses, emails, phone numbers, and relevant data.
▪ Content Summarization: NLP algorithms can summarize large volumes of data. OSINT gatherers can utilize this capability to extract pertinent information from extensive datasets. For example, an AI summarization tool can extract company names from a set of PDF files spanning hundreds of pages.
▪ Sentiment Analysis: AI technology can interpret human emotions through text analysis, which is particularly useful for understanding public sentiment. OSINT researchers can use AI to assess the emotional state of users based on social media posts and comments or to predict consumer behavior based on reviews.
▪ Image Recognition: Computer vision, a subset of AI, can analyze digital media files such as images and videos. In OSINT investigations, computer vision can assist in:
o Face Recognition: Identifying and tracking individuals across different media.
o Metadata Analysis: Extracting metadata from digital files.
o Reverse Image Search: Enhancing reverse image search capabilities and detecting deepfake images.
▪ AI Detection: AI can also identify content generated by other AI tools, which is crucial for detecting malicious activities facilitated by AI.
AI-Powered OSINT Tool: Taranis AI Source: https://taranis.ai
Taranis AI is an advanced OSINT tool that uses AI to enhance information gathering and situational analysis. It uses NLP and AI to improve the quality of data received from data sources, such as websites, to gather unstructured news articles. Analysts then transform these AI-enhanced articles into organized reports that are used as the basis for deliverables such as PDF files that are eventually published.
AI-Powered OSINT Tool: OSS Insight Source: https://ossinsight.io
OSS Insight leverages AI to delve deep into the GitHub ecosystem by analyzing an extensive dataset of over five billion GitHub events. This capability enables it to offer comprehensive insights and tools to enhance the understanding and navigation of the open-source world. From detailed repository analytics encompassing metrics such as stars, forks, and commits to insights into developer productivity and collaboration patterns, OSS Insight is equipped with powerful resources for informed decision-making and strategic planning in open-source software development.
Additional AI-Powered OSINT Tools
AI OSINT tools that leverage artificial intelligence to enhance the efficiency and accuracy of open-source intelligence gathering are as follows:
▪ DorkGPT Source: https://dorkgpt.com
DorkGPT is an AI-powered tool designed to assist Google Dorking, a technique used to find information that is not easily accessible through regular search queries. It leverages the capabilities of GPT (Generative Pre-trained Transformer) models to generate and refine search queries, helping users uncover sensitive information, hidden pages, and other data that may be relevant to cybersecurity, ethical hacking, or research purposes.
▪ DorkGenius Source: https://dorkgenius.com
DorkGenius is an AI-powered tool that automates Google Dorking and helps users generate advanced search queries to find specific information on the internet. It is useful for uncovering hidden files, directories, sensitive information, and security vulnerabilities, particularly in the case of ethical hackers.
▪ Google Word Sniper Source: https://googlewordsniper.eu
Google Word Sniper helps to refine search queries for more effective Google results. It identifies targeted keywords and phrases, making it easier to find specific information, hidden content, and niche data. This tool is valuable for researchers, marketers, and cybersecurity professionals, as it enhances their ability to uncover valuable buried information in search results.
▪ Cylect.io Source: https://cylect.io
Cylect.io is an advanced AI-powered OSINT tool that integrates multiple databases into a user-friendly interface, providing a vast collection of resources for ethical hackers and enabling efficient and confident OSINT investigations. Developed to address the inefficiencies of traditional search engines, Cylect.io simplifies the search process and enhances the speed and accuracy of data collection in investigative contexts.
▪ ChatPDF Source: https://chatpdf.com
ChatPDF is an OSINT tool that leverages AI to analyze and extract information from PDF documents through a conversational interface. Users can upload PDF files and interact with the tool to quickly retrieve specific data, summaries, and insights, making it a valuable resource for ethical hacking.
▪ Bardeen.ai Source: https://www.bardeen.ai
Bardeen.ai is an automation tool that can be used for OSINT by enabling users to streamline and automate data collection and analysis processes from various online sources. This enhances the speed and accuracy of OSINT activities, making it a useful asset for cybersecurity professionals, researchers, and investigators.
▪ DarkGPT Source: https://github.com/luijait/DarkGPT
DarkGPT is an AI assistant that uses GPT-4-200K to query leaked databases, aiding in efficient and targeted searches within compromised data sources. This enables users to extract vital information and insights, enhancing the OSINT capabilities of cybersecurity analysts and researchers.
▪ PenLink Cobwebs Source: https://cobwebs.com
PenLink Cobwebs is an advanced AI-powered OSINT tool that specializes in gathering and analyzing data from various online sources. It offers comprehensive capabilities for collecting, processing, and visualizing information to support cybersecurity investigations.
▪ Explore AI Source: https://exploreai.vercel.app
Explore AI is an AI-powered YouTube search engine that uses artificial intelligence to search for and extract information from YouTube videos, making it easier to access information for ethical hacking purposes.
▪ AnyPicker Source: https://app.anypicker.com
AnyPicker is a powerful visual web scraper and AI OSINT tool designed to extract data from websites without requiring coding skills. This tool supports scraping multiple pages simultaneously and provides a real-time preview of the extraction results, offering flexibility and efficiency in web data collection.
Create and Run Custom Python Script to Automate Footprinting Tasks with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly create and run custom footprinting scripts and acquire valuable insights about their targets. By developing custom scripts empowered by artificial intelligence (AI), attackers can efficiently execute a series of website footprinting commands to gather information about a target domain for cybersecurity assessments. For example, attackers can use ChatGPT to guide the development of such a script by using an appropriate prompt such as: “Develop a Python script which will accept the domain name www.microsoft.com as input and execute a series of website footprinting commands, including DNS lookups, WHOIS records retrieval, email enumeration, and more, to gather information about the target domain.”

10. Footprinting Countermeasures


  • Restrict the employees’ access to social networking sites from the organization’s network
  • Configure web servers to avoid information leakage
  • Educate employees to use pseudonyms on blogs, groups, and forums
  • Do not reveal critical information in press releases, annual reports, product catalogues, etc.
  • Limit the amount of information published on a website or the Internet
  • Use footprinting techniques to discover and remove any sensitive information that is publicly available
  • Prevent search engines from caching a web page and use anonymous registration services
  • Develop and enforce security policies such as information security and password policies to regulate the information that employees can reveal to third parties.
  • Implement multi-factor authentication mechanisms to enhance the security of the organization’s systems and resources.
  • Set apart internal and external DNS or use split DNS, and restrict zone transfer to authorized servers.
  • Disable directory listings in the web servers.
  • Conduct security awareness training periodically to educate employees about various social engineering tricks and risks.
  • Opt for privacy services on a Whois lookup database.
  • Avoid domain-level cross-linking for critical assets.
  • Encrypt and password-protect sensitive information.
  • Implement captchas and rate limiting on public-facing services to prevent automated tools from collecting information at a rapid pace.
  • Do not enable protocols that are not required.
  • Always use TCP/IP and IPsec filters for defense in depth.
  • Configure Internet Information Services (IIS) to avoid information disclosure through banner grabbing.
  • Hide the IP address and related information by implementing a VPN or keeping the server behind a secure proxy.
  • Request archive.org to delete the history of the website from the archive database.
  • Keep the domain name profile private.
  • Place critical documents such as business plans and proprietary documents offline to prevent exploitation.
  • Train employees to thwart social engineering techniques and attacks.
  • Sanitize the details provided to the Internet registrars to hide the direct contact details of the organization.
  • Disable the geo-tagging functionality on cameras to prevent geolocation tracking.
  • Avoid revealing one’s location or travel plans on social networking sites.
  • Turn off geolocation access on all mobile devices when not required.
  • Ensure that no critical information, such as strategic plans, product information, or sales projections, is displayed on notice boards or walls.
  • Disable or delete the accounts of employees who left the organization.
  • Configure mail servers to ignore mails from anonymous individuals.
  • Deploy honeypots or honeynets within the network to attract and detect attackers that can divert potential footprinters away from critical systems.
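Several of the web-server countermeasures above (configure web servers to avoid information leakage, disable directory listings, prevent search engines from caching pages, configure IIS against banner grabbing) can be verified with a simple response audit. The following is an added example, not from the course notes or any of the tools it lists: it inspects the headers and body of an HTTP response for version-bearing Server banners, platform headers such as X-Powered-By and X-AspNet-Version, auto-generated directory indexes, and the absence of a noarchive directive. The two responses are constructed by hand so the audit runs offline; audit_url() applies the same checks to a live page on one of the organization's own servers.

```python
"""Audit an HTTP response for the information leaks the footprinting
countermeasures target. Added example; the sample responses are constructed."""
import re
import urllib.request

VERSION_RE = re.compile(r"\d+\.\d+")            # dotted version number in a banner
PLATFORM_HEADERS = ("X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
LISTING_RE = re.compile(r"<title>\s*Index of /|Directory Listing For", re.I)
NOARCHIVE_META_RE = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]+content=["\'][^"\']*noarchive', re.I
)


def audit_response(headers, body):
    """Return a list of (check_id, detail) findings; an empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    server = h.get("server", "")
    if VERSION_RE.search(server):
        findings.append(("server-banner-version",
                         "Server header discloses a version: %r" % server))

    for name in PLATFORM_HEADERS:
        if name.lower() in h:
            findings.append(("platform-header",
                             "%s discloses platform details: %r" % (name, h[name.lower()])))

    if LISTING_RE.search(body):
        findings.append(("directory-listing",
                         "body looks like an auto-generated directory index"))

    # Either an X-Robots-Tag header or a robots meta tag can carry noarchive.
    if ("noarchive" not in h.get("x-robots-tag", "").lower()
            and not NOARCHIVE_META_RE.search(body)):
        findings.append(("search-engine-cache",
                         "no noarchive directive; search engines may cache this page"))
    return findings


def audit_url(url, timeout=10):
    """Fetch url and audit the live response (not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read(65536).decode("utf-8", errors="replace")
        return audit_response(dict(resp.headers.items()), body)


# Constructed: a default install with several leaks.
LEAKY_HEADERS = {
    "Server": "Microsoft-IIS/8.5",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html",
}
LEAKY_BODY = "<html><head><title>Index of /backup/</title></head><body></body></html>"

# Constructed: the same site after the countermeasures are applied.
HARDENED_HEADERS = {
    "Server": "Microsoft-IIS",
    "X-Robots-Tag": "noarchive",
    "Content-Type": "text/html",
}
HARDENED_BODY = "<html><head><title>Welcome</title></head><body></body></html>"


if __name__ == "__main__":
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, audit_response(hdrs, body) or "clean")
```

The checks are deliberately conservative: a bare product name in the Server header is not flagged, only a version, since removing the banner entirely is not always possible on every platform, while any X-Powered-By or ASP.NET version header is flagged because those add nothing a client needs.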

Labs

Scenario

Reconnaissance refers to collecting information about a target, which is the first step in any attack on a system. It has its roots in military operations, where the term refers to the mission of collecting information about an enemy. Reconnaissance helps attackers narrow down the scope of their efforts and aids in the selection of weapons of attack. Attackers use the gathered information to create a blueprint, or “footprint,” of the organization, which helps them select the most effective strategy to compromise the system and network security.

Similarly, the security assessment of a system or network starts with the reconnaissance and footprinting of the target. Ethical hackers and penetration (pen) testers must collect enough information about the target of the evaluation before initiating assessments. Ethical hackers and pen testers should simulate all the steps that an attacker usually follows to obtain a fair idea of the security posture of the target organization. In this scenario, you work as an ethical hacker with a large organization. Your organization is alarmed at the news stories concerning new attack vectors plaguing large organizations around the world. Furthermore, your organization was the target of a major security breach in the past where the personal data of several of its customers were exposed to social networking sites.

You have been asked by senior managers to perform a proactive security assessment of the company. Before you can start any assessment, you should discuss and define the scope with management; the scope of the assessment identifies the systems, network, policies and procedures, human resources, and any other component of the system that requires security evaluation. You should also agree with management on rules of engagement (RoE)—the “do’s and don’ts” of assessment. Once you have the necessary approvals to perform ethical hacking, you should start gathering information about the target organization. Once you methodologically begin the footprinting process, you will obtain a blueprint of the security profile of the target organization. The term “blueprint” refers to the unique system profile of the target organization as the result of footprinting.

The labs in this module will give you a real-time experience in collecting a variety of information about the target organization from various open or publicly accessible sources.

Objective

The objective of the lab is to extract information about the target organization that includes, but is not limited to:

  • Organization Information: Employee details, addresses and contact details, partner details, weblinks, web technologies, patents, trademarks, etc.

  • Network Information: Domains, sub-domains, network blocks, network topologies, trusted routers, firewalls, IP addresses of the reachable systems, the Whois record, DNS records, and other related information

  • System Information: Operating systems, web server OSes, location of web servers, user accounts and passwords, etc.

Overview of Footprinting

Footprinting refers to the process of collecting information about a target network and its environment, which helps in evaluating the security posture of the target organization’s IT infrastructure. It also helps to identify the level of risk associated with the organization’s publicly accessible information.

Footprinting can be categorized into passive footprinting and active footprinting:

  • Passive Footprinting: Involves gathering information without direct interaction. This type of footprinting is principally useful when there is a requirement that the information-gathering activities are not to be detected by the target.

  • Active Footprinting: Involves gathering information with direct interaction. In active footprinting, the target may recognize the ongoing information gathering process, as we overtly interact with the target network.

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to collect information about the target. Recommended labs that will assist you in learning various footprinting techniques include:

  1. Perform footprinting through search engines

    • Gather information using advanced Google hacking techniques
  2. Perform footprinting through Internet Research Services

    • Find the company’s domains, sub-domains, and Hosts using Netcraft and DNSdumpster
  3. Perform footprinting through social networking sites

    • Gather personal information from various social networking sites using Sherlock
  4. Perform Whois footprinting

    • Perform Whois lookup using DomainTools
  5. Perform DNS footprinting

    • Gather DNS information using nslookup command line utility and online tool
  6. Perform network footprinting

    • Perform network tracerouting in Windows and Linux Machines
  7. Perform email footprinting

    • Gather information about a target by tracing emails using eMailTrackerPro
  8. Perform footprinting using various footprinting tools

    • Footprinting a target using Recon-ng
  9. Perform Footprinting using AI

    • Footprinting a target using Shellgpt
In the search bar, search for intitle:login site:eccouncil.org. This search command uses the intitle and site Google advanced operators, which restrict results to pages on the eccouncil.org website that contain login pages.
Similarly, type the command EC-Council filetype:pdf ceh in the search bar to restrict the results by file extension (pdf) and keyword (here, ceh).
  1. Apart from the aforementioned advanced Google operators, you can also use the following to perform an advanced search to gather more information about the target organization from publicly available sources.

    • cache: This operator allows you to view cached version of the web page. [cache:www.eccouncil.org]- Query returns the cached version of the website www.eccouncil.org

    • allinurl: This operator restricts results to pages containing all the query terms specified in the URL. [allinurl: EC-Council career]—Query returns only pages containing the words “EC-Council” and “career” in the URL

    • inurl: This operator restricts the results to pages containing the word specified in the URL [inurl: copy site:www.eccouncil.org]—Query returns only pages in EC-Council site in which the URL has the word “copy”

    • allintitle: This operator restricts results to pages containing all the query terms specified in the title. [allintitle: detect malware]—Query returns only pages containing the words “detect” and “malware” in the title

    • inanchor: This operator restricts results to pages containing the query terms specified in the anchor text on links to the page. [Anti-virus inanchor:Norton]—Query returns only pages with anchor text on links to the pages containing the word “Norton” and the page containing the word “Anti-virus”

    • allinanchor: This operator restricts results to pages containing all query terms specified in the anchor text on links to the page. [allinanchor: best cloud service provider]—Query returns only pages in which the anchor text on links to the pages contain the words “best,” “cloud,” “service,” and “provider”

    • link: This operator searches websites or pages that contain links to the specified website or page. [link:www.eccouncil.org]—Finds pages that point to EC-Council’s home page

    • related: This operator displays websites that are similar or related to the URL specified. [related:www.eccouncil.org]—Query provides the Google search engine results page with websites similar to eccouncil.org

    • info: This operator finds information for the specified web page. [info:eccouncil.org]—Query provides information about the www.eccouncil.org home page

    • location: This operator finds information for a specific location. [location: EC-Council]—Query gives you results based around the term EC-Council

Task 1: Find the Company’s Domains, Subdomains and Hosts using Netcraft and DNSdumpster

  1. Launch any web browser, and go to https://www.netcraft.com (here, we are using Mozilla Firefox).

  2. Click on the menu icon in the top-right corner of the page and navigate to Resources -> Research Tools. In the Tools | Netcraft page, click on the Site Report option.

  3. Open a new tab in Firefox browser and go to https://dnsdumpster.com/. Search for certifiedhacker.com in the search box.

Task 1: Gather Personal Information from Various Social Networking Sites using Sherlock

Run sherlock “Elon Musk” command and you will get all the URLs related to Elon Musk, as shown in the screenshot. Scroll-down to view all the results.

You can also use tools such as Social Searcher (https://www.social-searcher.com) to gather additional information related to the target company and its employees from social networking sites.

Task 1: Perform Whois Lookup using DomainTools

Go to https://whois.domaintools.com
You can also use other Whois lookup tools such as SmartWhois (https://www.tamos.com), Batch IP Converter (http://www.sabsoft.com), etc. to extract additional target Whois information.


Task 1: Gather DNS Information using nslookup Command Line Utility and Online Tool


  1. In the nslookup interactive mode, type set type=a and press Enter. Setting the type as “a” configures nslookup to query for the IP address of a given domain.

  2. set type=cname

  3. set type =


Go to http://www.kloth.net/services/nslookup.php

  1. You can also use DNS lookup tools such as DNSdumpster (https://dnsdumpster.com) to extract additional target DNS information.

Task 1: Perform Network Tracerouting in Windows and Linux Machines

Run tracert www.certifiedhacker.com command to view the hops that the packets made before reaching the destination.


Run tracert /? command to view the different options for the command, as shown in the screenshot.

Run tracert -h 5 www.certifiedhacker.com command to perform the trace, but with only 5 maximum hops allowed.

You can also use other traceroute tools such as PingPlotter (https://www.pingplotter.com/), Traceroute NG (https://www.solarwinds.com), etc. to extract additional network information of the target organization.


Task 1: Gather Information about a Target by Tracing Emails using eMailTrackerPro



  1. You can also use email tracking tools such as MxToolbox (https://mxtoolbox.com/), Social Catfish (https://socialcatfish.com/), IP2Location Email Header Tracer (https://www.ip2location.com/) etc. to track an email and extract target information such as sender identity, mail server, sender’s IP address, location, etc.

Task 1: Footprinting a Target using Recon-ng

Run the recon-ng command to launch the application.
Run marketplace install all command to install all the modules available in recon-ng.
After the installation of modules, run modules search command. This displays all the modules available in recon-ng.
Run workspaces command to view the commands related to the workspaces.
To create the workspace, run workspaces create CEH command. This creates a workspace named CEH.
Enter workspaces list. This displays a list of workspaces (along with the workspace added in the previous step) that are present within the workspaces databases.

  1. Add the domain on which you want to perform network reconnaissance: issue the command db insert domains.

  2. Under the domain (TEXT) option, type certifiedhacker.com and press Enter. In the notes (TEXT) option, press Enter. This adds certifiedhacker.com to the present workspace.

  3. You can view the added domain by issuing the show domains command, as shown in the screenshot.

  4. Harvest the host-related information associated with certifiedhacker.com by loading network reconnaissance modules such as brute_hosts, Netcraft, and Bing.

  5. Issue the modules load brute command to view all the modules whose names match brute. In this task, we will be using the recon/domains-hosts/brute_hosts module to harvest hosts.

    1. To load the recon/domains-hosts/brute_hosts module, issue the modules load recon/domains-hosts/brute_hosts command.

    2. Issue the run command. This begins to harvest the hosts, as shown in the screenshot.

  6. Observe that hosts have been added by running the recon/domains-hosts/brute_hosts module.

  7. To resolve hosts using the Bing module, use the following commands:

  • back
  • modules load recon/domains-hosts/bing_domain_web
  • run

  8. Now, perform a reverse lookup for each IP address obtained during the reconnaissance process to resolve it to its hostname.

    1. Execute the modules load reverse_resolve command to view all the modules whose names match reverse_resolve. In this task, we will be using the recon/hosts-hosts/reverse_resolve module.

    2. Run the modules load recon/hosts-hosts/reverse_resolve command to load the module.

    3. Issue the run command to begin the reverse lookup.

  9. Once the reverse lookup has completed, run the show hosts command. This displays all the hosts harvested so far, as shown in the screenshot.

  10. Now, use the back command to return to the CEH workspace prompt.

  11. Now that you have harvested several hosts, prepare a report containing all of them.

  12. Execute the modules load reporting command to view all the modules associated with the reporting keyword. In this lab, we will save the report in HTML format, so the module used is reporting/html.

  13. Run the modules load reporting/html command.

  14. Observe that you need to assign values for the CREATOR and CUSTOMER options, while the FILENAME value is already set (you may change it if required). To do so, run the following commands:

    • options set FILENAME /home/attacker/Desktop/results.html. This sets the report name to results.html and the directory in which it is stored to the Desktop.
    • options set CREATOR [your name] (here, Jason).
    • options set CUSTOMER Certifiedhacker Networks (since you have performed network reconnaissance on the certifiedhacker.com domain).

  15. Issue the run command to create a report of all the hosts that have been harvested.

  16. The generated report is saved to /home/attacker/Desktop/.

  17. Navigate to /home/attacker/Desktop/, right-click the results.html file, click Open With, and select Firefox ESR Web Browser from the available options.

  18. The generated report opens in Firefox, displaying a summary of the harvested hosts.

  19. You can expand the Hosts node to view all the harvested hosts, as shown in the screenshot.
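The three recon-ng modules used above (brute_hosts, reverse_resolve, reporting/html) each do one small thing, and it is worth seeing what that is. The following is an added example in Python, written for this page and not taken from recon-ng: the wordlist and the DNS answers for certifiedhacker.com are a constructed fixture so that it runs offline, and the live_forward/live_reverse helpers show the standard-library calls you would swap in for a real run. Two details the lab steps do not mention are included because they matter in practice: a wildcard check before trusting brute-force hits, and escaping of everything that lands in the HTML report.

```python
import html
import socket
import uuid
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]  # name -> IP, or IP -> name

# Constructed fixture so the example runs offline. None of these records
# are real; use live_forward / live_reverse below for a real target.
WORDLIST = ["www", "mail", "ftp", "dev", "vpn", "intranet"]
FAKE_FORWARD = {
    "www.certifiedhacker.com": "198.51.100.10",
    "mail.certifiedhacker.com": "198.51.100.20",
    "dev.certifiedhacker.com": "198.51.100.10",
}
FAKE_REVERSE = {
    "198.51.100.10": "web01.hosting.example",     # shared host: a new name surfaces
    "198.51.100.20": "mail.certifiedhacker.com",  # PTR agrees with the A record
}


def fake_forward(name: str) -> Optional[str]:
    return FAKE_FORWARD.get(name)


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_REVERSE.get(ip)


def live_forward(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def brute_hosts(domain: str, wordlist: List[str],
                forward: Resolver = live_forward) -> List[Dict[str, str]]:
    """Forward brute-force of <label>.<domain>, as recon/domains-hosts/brute_hosts does.

    A random label is resolved first: if it answers, the zone has a wildcard
    record, and every candidate resolving to that same IP is discarded,
    otherwise the whole wordlist would come back as "hosts".
    """
    wildcard_ip = forward(f"{uuid.uuid4().hex[:12]}.{domain}")
    hosts = []
    for label in wordlist:
        name = f"{label}.{domain}"
        ip = forward(name)
        if ip is None or ip == wildcard_ip:
            continue
        hosts.append({"host": name, "ip": ip, "module": "brute_hosts"})
    return hosts


def reverse_resolve(hosts: List[Dict[str, str]],
                    reverse: Resolver = live_reverse) -> List[Dict[str, str]]:
    """PTR lookup for each distinct IP, as recon/hosts-hosts/reverse_resolve does.

    A PTR name not already in the table is added as a new host; this is how
    shared hosting or a provider's naming scheme gets exposed.
    """
    known = {h["host"] for h in hosts}
    added = []
    for ip in sorted({h["ip"] for h in hosts}):
        name = reverse(ip)
        if name and name not in known:
            known.add(name)
            added.append({"host": name, "ip": ip, "module": "reverse_resolve"})
    return hosts + added


def html_report(hosts: List[Dict[str, str]], creator: str, customer: str) -> str:
    """Minimal stand-in for reporting/html. Every cell is escaped: host names
    come from DNS and search results the target controls, and the report is
    opened in a browser."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(h[k])}</td>" for k in ("host", "ip", "module")) + "</tr>\n"
        for h in hosts)
    return (
        "<html><body><h1>Hosts</h1>"
        f"<p>Creator: {html.escape(creator)}<br>Customer: {html.escape(customer)}</p>"
        "<table><tr><th>host</th><th>ip</th><th>module</th></tr>\n"
        f"{rows}</table></body></html>\n")


def harvest(domain: str, wordlist: List[str] = WORDLIST,
            forward: Resolver = live_forward,
            reverse: Resolver = live_reverse) -> List[Dict[str, str]]:
    """The whole workflow: brute_hosts -> reverse_resolve -> hosts table."""
    return reverse_resolve(brute_hosts(domain, wordlist, forward), reverse)


if __name__ == "__main__":
    table = harvest("certifiedhacker.com", forward=fake_forward, reverse=fake_reverse)
    for h in table:
        print(f"{h['host']:<32} {h['ip']:<16} {h['module']}")
    with open("results.html", "w") as f:
        f.write(html_report(table, "Jason", "Certifiedhacker Networks"))
```

On the fixture, the reverse step adds web01.hosting.example because 198.51.100.10 is shared by two brute-forced names and its PTR points somewhere the wordlist never would have found; against a zone with a wildcard record, brute_hosts returns nothing rather than the entire wordlist.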

Task 1: Footprinting a Target using ShellGPT

  1. After configuring the ShellGPT API key on the Parrot Security machine, we will use ShellGPT to harvest emails pertaining to a target organization. To do so, run the command sgpt --chat footprint --shell "Use theHarvester to gather email accounts associated with 'microsoft.com', limiting results to 200, and leveraging 'baidu' as a data source".

    At the [E]xecute, [D]escribe, [A]bort prompt, review the generated command, then type E and press Enter to execute it.

  2. ShellGPT will harvest the emails using theHarvester tool and displays the email and host list.

    Screenshot

    Screenshot

  3. We will perform footprinting through social networking sites using ShellGPT. Sherlock searches social networking sites for a given username, so the name supplied here is treated as a username. Run the command sgpt --chat footprint --shell "Use Sherlock to gather personal information about 'Sundar Pichai' and save the result in recon2.txt".

    In the prompt type E and press Enter to execute the command.

    Screenshot

  4. After the execution of the command, in the terminal run ls command to view the contents in the present working directory.

    Screenshot

  5. We can see that recon2.txt file is created by previous command. In the terminal window, run pluma recon2.txt command to view its contents. Close the text editor window.

    Screenshot

  6. We will perform a DNS lookup using ShellGPT. To do so, run the command sgpt --chat footprint --shell "Install and use DNSRecon to perform DNS enumeration on the target domain www.certifiedhacker.com".

    In the prompt type E and press Enter to execute the command.

    Screenshot

  7. In the terminal, run the command sgpt --chat footprint --shell "Perform network tracerouting to discover the routers on the path to a target host www.certifiedhacker.com" to perform a traceroute to the target.

    In the prompt type E and press Enter to execute the command.

    Screenshot

  8. Now run the command sgpt --chat footprint --shell "Develop a Python script which will accept domain name microsoft.com as input and execute a series of website footprinting commands, including DNS lookups, WHOIS records retrieval, email enumeration, and more to gather information about the target domain" to have ShellGPT generate a Python script that automates these footprinting tasks.
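Step 8 asks ShellGPT to generate the automation script. The following is an added example of what such a script should look like, written for this page; it was not produced by ShellGPT and is not part of the lab. It assumes the tool names and flags used elsewhere on this page (whois, dnsrecon -d, theHarvester -d/-l/-b) and nothing else. The two things it does that a generated script often skips: the domain is validated before it reaches any command, and every tool is invoked with an argument list rather than a shell string, so an input such as microsoft.com; id is rejected up front and could not be interpreted by a shell even if it got through.

```python
import re
import shutil
import subprocess
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Hostname syntax only: labels of letters, digits and hyphens, at least one
# dot, alphabetic TLD. Spaces, ';', '$', quotes and so on never get past here.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def is_valid_domain(domain: str) -> bool:
    return bool(DOMAIN_RE.match(domain))


def plan(domain: str, limit: int = 200, source: str = "baidu") -> Dict[str, List[str]]:
    """Argument vectors for each footprinting step.

    Tool names and flags are the ones used on this page: whois <domain>,
    dnsrecon -d <domain>, theHarvester -d <domain> -l <limit> -b <source>.
    """
    if not is_valid_domain(domain):
        raise ValueError(f"refusing to footprint {domain!r}: not a valid domain name")
    return {
        "whois": ["whois", domain],
        "dnsrecon": ["dnsrecon", "-d", domain],
        "theharvester": ["theHarvester", "-d", domain, "-l", str(limit), "-b", source],
    }


def run_plan(domain: str, outdir: Optional[str] = None, timeout: int = 600,
             which: Callable[[str], Optional[str]] = shutil.which,
             executor: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> Dict[str, str]:
    """Run each step whose tool is installed and save stdout+stderr per step.

    The argv list is handed straight to the process, never to a shell, so the
    domain is always exactly one argument. `which` and `executor` are
    injectable so the control flow can be exercised without the tools.
    """
    steps = plan(domain)  # validates the domain before anything touches disk
    out = Path(outdir) if outdir else None
    if out:
        out.mkdir(parents=True, exist_ok=True)
    results: Dict[str, str] = {}
    for step, argv in steps.items():
        if which(argv[0]) is None:
            results[step] = "skipped: not installed"
            continue
        try:
            proc = executor(argv, capture_output=True, text=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            results[step] = f"timeout after {timeout}s"
            continue
        if out:
            (out / f"{step}.txt").write_text(proc.stdout + proc.stderr)
        results[step] = f"exit {proc.returncode}"
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "microsoft.com"
    for step, status in run_plan(target, outdir=f"footprint-{target}").items():
        print(f"{step:<14} {status}")
```

The same rule applies to the sgpt --shell workflow itself: the generated command is a shell string built from your prompt, which is why the E/D/A prompt exists. Read the command before pressing E, exactly as you would review this script's argv before running it against a target.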

By netsec