Footprinting in ethical hacking is the first step: gathering as much information as possible about the target organisation and its network. Everything an attacker learns here brings them closer to the target.
If the target is an organisation, that means how many employees it has, their names, employee IDs and e-mail addresses. If the target is a system, it means the operating system it runs, its IP address, software versions, which ports are open, and so on. Information can be gathered either actively or passively, and these are the two types of footprinting in ethical hacking.
During this phase, a hacker can collect the following information −
- Domain name
- IP Addresses
- Namespaces
- Employee information
- Phone numbers
- E-mails
- Job Information
Objectives of Footprinting In Ethical Hacking:
- To learn the target's security posture.
- To narrow the focus area to the hosts and services that matter.
- To identify vulnerabilities.
- To draw a map of the network.
Types of Footprinting:
As with reconnaissance, footprinting in ethical hacking can be divided into two types:
- Active Footprinting
- Passive Footprinting
1. Active Footprinting:
Active footprinting gathers information about a system or application by interacting with it directly, for example by port scanning it as described later in this article. Because you send traffic to the target, there is a high chance that some of your information, such as your IP address, is saved in the logs of the system you are gathering information about.
2. Passive Footprinting:
Passive footprinting gathers information without interacting with the system or application you are trying to learn about: you use search engines, public records, WHOIS databases and similar third-party sources. The target never sees your traffic, so it has no way to save your IP address (the third-party services you query may, of course, log it).
There are different methods and tools for information gathering:
1. Search engine:
We can get information about any organisation or person from sources such as Wikipedia: when the organisation was established, who owns it, what services it provides, etc.
There are also dedicated websites for network and DNS footprinting, including:
- Netcraft: site reports on an organisation's web hosting, technology and history
- whois.com: https://whois.domaintools.com/
- centralops.net: https://centralops.net/co/
- lookip.net: https://www.lookip.net/
2. Google dork:
Google dorking, also known as Google hacking, is a different way of using the Google search engine: advanced search operators that hackers and penetration testers use to gather information more efficiently. The common operators are:
- site: restricts results to the given domain.
- related: finds websites similar to the given one.
- intext: finds pages containing the given word in the body of the document.
- allintext: finds pages containing all the given words in the body of the document.
- intitle: finds pages with the given keyword in their title.
- allintitle: finds pages whose title contains all the given keywords.
- filetype: finds specific file types such as pdf, doc, xls or exe.
3. Email footprinting:
- UltraTools IP/WHOIS lookup: https://www.ultratools.com/tools/ipWhoisLookup
- eMailTrackerPro: a desktop tool that has to be downloaded; it analyses e-mail headers to trace where a message came from.
- SPF (Sender Policy Framework): the domain's SPF record, published as a DNS TXT record, lists the servers allowed to send mail for it, which reveals the organisation's mail infrastructure and any third-party mail providers it uses.
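The SPF point above is worth seeing in practice. The following is an added example, not code from the original article: it expands a domain's SPF record the way a receiving mail server would, following include: and redirect= chains, and enumerates the senders the domain authorises. The TXT records for example.com and its "mail vendor" are constructed for the demonstration (real data comes from `dig +short TXT example.com`); the domain names and address blocks are assumptions.

```python
# Added example (not from the original article): expand a domain's SPF record
# to enumerate the hosts authorised to send its mail, following include: and
# redirect= chains as a receiving mail server would.

SPF_PREFIX = "v=spf1"
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for a hypothetical domain and its mail vendor.
# These are assumptions for the demo, not real DNS data.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 "
                               "include:_netblocks.mailvendor.example ~all",
    "_netblocks.mailvendor.example": "v=spf1 ip4:198.51.100.32/27 -all",
}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query; reads the constructed table above."""
    return FAKE_DNS_TXT.get(domain)


def parse_spf(record):
    """Split an SPF record into (qualifier, term, argument) triples.

    Mechanisms use 'term:arg' (ip4:..., include:...), modifiers use
    'term=arg' (redirect=..., exp=...); a bare term has an empty argument.
    """
    if not record.lower().startswith(SPF_PREFIX):
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for token in record.split()[1:]:
        qualifier = "+"
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        sep = "=" if "=" in token and ":" not in token else ":"
        term, _, arg = token.partition(sep)
        terms.append((qualifier, term.lower(), arg))
    return terms


def expand_spf(domain, seen=None, stats=None):
    """Return (senders, policy, dns_lookups) for a domain's SPF record.

    senders     : list of (mechanism, value) pairs the domain authorises
    policy      : result of the record's terminal 'all' term, or None
    dns_lookups : number of lookup-costing terms evaluated (limit is 10)
    """
    seen = set() if seen is None else seen
    stats = {"lookups": 0} if stats is None else stats
    senders, policy = [], None
    if domain in seen:          # loop guard: a.example -> b.example -> a.example
        return senders, policy, stats["lookups"]
    seen.add(domain)
    record = lookup_txt(domain)
    if record is None:          # a missing include target is a permerror in RFC 7208
        return senders, policy, stats["lookups"]
    for qualifier, term, arg in parse_spf(record):
        if term in LOOKUP_TERMS:
            stats["lookups"] += 1
        if term in ("ip4", "ip6"):
            senders.append((term, arg))
        elif term in ("a", "mx"):
            # bare 'a'/'mx' refers to the record's own domain; drop any /prefix
            senders.append((term, (arg or domain).split("/")[0]))
        elif term in ("include", "redirect"):
            sub, sub_policy, _ = expand_spf(arg, seen, stats)
            senders.extend(sub)
            if term == "redirect":      # redirect supplies the policy if no 'all' does
                policy = sub_policy
        elif term == "all":
            policy = QUALIFIERS[qualifier]
    return senders, policy, stats["lookups"]


if __name__ == "__main__":
    senders, policy, lookups = expand_spf("example.com")
    for mech, value in senders:
        print("%-4s %s" % (mech, value))
    print("policy for everything else:", policy, "| DNS lookups used:", lookups)
```

Two caveats the output makes visible: the included vendor's own `~all` is not the outer domain's policy (only example.com's `-all` counts for mail claiming to be from example.com), and the lookup counter shows how close a record is to the ten-lookup limit, beyond which receivers treat the record as a permanent error.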
Tools on Kali:
Maltego, theHarvester
Domain Name Information
You can use the http://www.whois.com/whois website to get detailed information about a domain name, including its owner, registrar, registration and expiry dates, name servers and the owner's contact information.
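To show what you actually do with a WHOIS reply, here is an added example that is not from the original article: it parses a reply in the common "Key: value" layout into fields and condenses them into the facts a footprinter records (registrar, dates, name servers, and whether the registrant is hidden behind a privacy service). The reply text, the registrar name and the reference date are constructed for the demonstration; real `whois` output varies by registry.

```python
from datetime import datetime, timezone

# Added example (not from the original article). The WHOIS reply below is
# constructed in the common "Key: value" layout; real output varies by
# registry and carries more disclaimer text.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.example
Registrar: Example Registrar, Inc.
Creation Date: 2010-03-14T12:00:00Z
Registry Expiry Date: 2026-03-14T12:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
DNSSEC: unsigned
>>> Last update of whois database: 2025-01-01T00:00:00Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
"""

# Assumed reference date so the expiry arithmetic is reproducible.
AS_OF = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_whois(text):
    """Return {field: [values...]}; repeated fields (Name Server) keep every value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        # Field names are short and comma-free; anything else is a footer,
        # disclaimer or URL and is skipped.
        if not sep or line.startswith(">>>") or "," in key or len(key) > 40:
            continue
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def _date(value):
    """Parse the ISO-8601 UTC timestamps used by gTLD registries."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def whois_summary(fields, as_of=AS_OF):
    """Condense parsed WHOIS fields into the facts used for footprinting."""
    def first(key):
        return fields.get(key, [""])[0]

    created = _date(first("Creation Date"))
    expires = _date(first("Registry Expiry Date"))
    registrant = " ".join(v for k in fields if k.startswith("Registrant") for v in fields[k])
    return {
        "domain": first("Domain Name").lower(),
        "registrar": first("Registrar"),
        "registrar_whois": first("Registrar WHOIS Server"),
        "created": created.date().isoformat(),
        "expires": expires.date().isoformat(),
        "age_years": (as_of - created).days // 365,
        "days_to_expiry": (expires - as_of).days,
        "name_servers": [ns.lower() for ns in fields.get("Name Server", [])],
        # A privacy proxy hides the owner; the registrar's own WHOIS/RDAP
        # server (registrar_whois) is where to look next.
        "privacy_protected": "redacted" in registrant.lower(),
    }


if __name__ == "__main__":
    for key, value in whois_summary(parse_whois(SAMPLE_WHOIS)).items():
        print("%-18s %s" % (key, value))
```

The name servers alone are often the most useful line: they tell you whether DNS is self-hosted or outsourced, and they are the starting point for the DNS footprinting sites listed earlier.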
Finding Hosting Company
Once you have the website address, you can get further details by looking its IP address up on the ip2location.com website.
The ISP row in the lookup result tells you who hosts the site, because the address block is normally allocated to the hosting provider rather than to the site owner.
IP Address Ranges
Small sites may have a single IP address associated with them, but larger websites usually have multiple IP addresses serving different domains and subdomains.
You can obtain the range of IP addresses assigned to a particular company from the American Registry for Internet Numbers (ARIN), which covers North America; other regions have their own registries (RIPE NCC, APNIC, LACNIC and AFRINIC) with equivalent searches.
Enter the company name in ARIN's Whois search to list all the address blocks assigned to that company.
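Once you have the registry's netblocks, the practical question is which of the hosts you have already found actually live in the company's own address space. The following added example (not code from the original article) collapses fragmented netblocks, maps resolved hostnames onto them, and sizes the IPv4 space you would later sweep. The netblocks and hostnames are constructed from documentation address ranges and are assumptions, not real allocations.

```python
import ipaddress

# Added example (not from the original article). Netblocks as one might copy
# them from an ARIN Whois search, and hostnames resolved while footprinting.
# All values are constructed from documentation ranges; they are assumptions.
ORG_NETBLOCKS = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",     # adjacent to the block above; registries often list them apart
    "2001:db8:10::/48",
]
RESOLVED_HOSTS = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "api.example.com": "198.51.100.200",
    "cdn.example.com": "192.0.2.77",          # served by a third party, not the org's space
    "ipv6.example.com": "2001:db8:10:1::1",
}


def collapse_netblocks(cidrs):
    """Merge adjacent or overlapping blocks, per address family, into the
    smallest list of networks that covers the same space."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return sorted(v4) + sorted(v6)


def classify_hosts(hosts, netblocks):
    """Split resolved hosts into those inside the organisation's netblocks
    (candidate targets) and those hosted elsewhere (usually out of scope)."""
    nets = collapse_netblocks(netblocks)
    in_scope, elsewhere = {}, {}
    for name, ip in sorted(hosts.items()):
        addr = ipaddress.ip_address(ip)
        # membership across address families is always False, so mixing is safe
        owner = next((n for n in nets if addr in n), None)
        if owner is None:
            elsewhere[name] = ip
        else:
            in_scope[name] = (ip, str(owner))
    return in_scope, elsewhere


def scan_scope(netblocks):
    """Size the IPv4 surface: total addresses across the collapsed blocks.
    IPv6 /48s are far too large to sweep, so they are listed, not counted."""
    nets = collapse_netblocks(netblocks)
    v4_total = sum(n.num_addresses for n in nets if n.version == 4)
    v6_blocks = [str(n) for n in nets if n.version == 6]
    return v4_total, v6_blocks


if __name__ == "__main__":
    in_scope, elsewhere = classify_hosts(RESOLVED_HOSTS, ORG_NETBLOCKS)
    for name, (ip, block) in in_scope.items():
        print("%-18s %-16s in %s" % (name, ip, block))
    for name, ip in elsewhere.items():
        print("%-18s %-16s hosted elsewhere" % (name, ip))
    print("IPv4 addresses to sweep:", scan_scope(ORG_NETBLOCKS))
```

Hosts that resolve outside the company's blocks (a CDN, a SaaS mail provider) are still worth noting: they show which third parties the organisation depends on, but scanning them needs the third party's authorisation, not just the client's.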
History of the Website
It is very easy to get the complete history of any website, including old pages and removed content, using the Wayback Machine at www.archive.org.
Port Scanning
The following is the output of an Nmap scan against a server; it lists all the open ports found on that server.
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
You can also check whether a particular port is open using the following command (-sT performs a full TCP connect scan, so the connection will show up in the target's logs):
$ nmap -sT -p 443 xyz.com
It will produce the following result:
Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-04 10:19 CDT
Nmap scan report for xyz.com (66.135.33.172)
Host is up (0.000067s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
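To make clear what `-sT` actually does, and why it counts as active footprinting, here is an added example that is not from the original article: a minimal TCP connect scan written in Python, run against a local listener that records the address of everyone who connects. The listener stands in for the target's logs; the ports are chosen at run time on 127.0.0.1, and the nmap-style report layout is an imitation, not nmap's own output.

```python
import socket
import threading

# Added example (not from the original article): a TCP connect scan, the
# technique `nmap -sT` uses, against a local listener that records who
# connected, to show both the scan result and the trace it leaves behind.


def start_listener(host="127.0.0.1"):
    """Listen on an ephemeral port and record each client's source address
    (stands in for the target's logs). Returns (port, log, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    log, stop_event = [], threading.Event()

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                if stop_event.is_set():
                    break
                continue
            log.append(peer[0])        # the "saved IP address" from the text
            conn.close()
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop():
        stop_event.set()
        worker.join()

    return srv.getsockname()[1], log, stop


def free_closed_port(host="127.0.0.1"):
    """Bind and release a port to obtain one that is almost certainly closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Full three-way-handshake scan: open = connect succeeded,
    closed = connection refused (RST), filtered = no answer within the timeout."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except (socket.timeout, OSError):
            results[port] = "filtered"
        finally:
            s.close()
    return results


def format_report(host, results):
    """Render results in the PORT / STATE / SERVICE layout nmap prints."""
    lines = ["Scan report for %s" % host, "PORT      STATE    SERVICE"]
    for port in sorted(results):
        try:
            service = socket.getservbyport(port, "tcp")
        except OSError:
            service = "unknown"
        lines.append("%-9s %-8s %s" % ("%d/tcp" % port, results[port], service))
    return "\n".join(lines)


def demo():
    """Scan one open and one closed port on localhost; return the results and
    the listener's log, which shows the scanner's address was recorded."""
    open_port, log, stop = start_listener()
    closed_port = free_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        stop()
    return results, open_port, closed_port, list(log)


if __name__ == "__main__":
    results, open_port, closed_port, log = demo()
    print(format_report("127.0.0.1", results))
    print("listener saw connections from:", log)
```

Because the handshake completes, the target's application accepts the connection and can log the peer address, which is exactly why the article classes this as active footprinting; nmap's default SYN scan (`-sS`) never completes the handshake and is quieter at the application layer, though it is still visible to a firewall or IDS.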
Article By: Sayan Chatterjee