CEHv13 Lab – Module 02: Footprinting and Reconnaissance

Scenario

Reconnaissance refers to collecting information about a target, which is the first step in any attack on a system. It has its roots in military operations, where the term refers to the mission of collecting information about an enemy. Reconnaissance helps attackers narrow down the scope of their efforts and aids in the selection of weapons of attack. Attackers use the gathered information to create a blueprint, or "footprint," of the organization, which helps them select the most effective strategy to compromise the system and network security.

Similarly, the security assessment of a system or network starts with the reconnaissance and footprinting of the target. Ethical hackers and penetration (pen) testers must collect enough information about the target of the evaluation before initiating assessments. Ethical hackers and pen testers should simulate all the steps that an attacker usually follows to obtain a fair idea of the security posture of the target organization. In this scenario, you work as an ethical hacker with a large organization. Your organization is alarmed at the news stories concerning new attack vectors plaguing large organizations around the world. Furthermore, your organization was the target of a major security breach in the past where the personal data of several of its customers were exposed to social networking sites.

ou have been asked by senior managers to perform a proactive security assessment of the company. Before you can start any assessment, you should discuss and define the scope with management; the scope of the assessment identifies the systems, network, policies and procedures, human resources, and any other component of the system that requires security evaluation. You should also agree with management on rules of engagement (RoE)-the "do's and don'ts" of assessment. Once you have the necessary approvals to perform ethical hacking, you should start gathering information about the target organization. Once you methodologically begin the footprinting process, you will obtain a blueprint of the security profile of the target organization. The term "blueprint" refers to the unique system profile of the target organization as the result of footprinting.

The labs in this module will give you a real-time experience in collecting a variety of information about the target organization from various open or publicly accessible sources.

Lab Scenario

As a professional ethical hacker or pen tester, your first step is to gather maximum information about the target organization by performing footprinting using search engines; you can perform advanced image searches, reverse image searches, advanced video searches, etc. Through the effective use of search engines, you can extract critical information about a target organization such as technology platforms, employee details, login pages, intranet portals, contact details, etc., which will help you in performing social engineering and other types of advanced system attacks.

Lab Objectives

• Gather information using advanced Google hacking techniques

Overview of Search Engines

Search engines use crawlers, automated software that continuously scans active websites, and add the retrieved results to the search engine index, which is further stored in a huge database. When a user queries a search engine index, it returns a list of Search Engine Results Pages (SERPs). These results include web pages, videos, images, and many different file types ranked and displayed based on their relevance. Examples of major search engines include Google, Bing, Yahoo, Ask, Aol, Baidu, WolframAlpha, and DuckDuckGo.

Task 1: Gather Information using Advanced Google Hacking Techniques

Advanced Google hacking refers to the art of creating complex search engine queries by employing advanced Google operators to extract sensitive or hidden information about a target company from the Google search results. This can provide information about websites that are vulnerable to exploitation.

Here, we will consider EC-Council as a target organization. However, you can select a target organization of your choice.

1. By default, Windows 11 machine selected, click Ctrl+Alt+Delete and login with Admin/Pa$$w0rd.

   Alternatively, you can also click Ctrl+Alt+Delete button under Windows 11 machine thumbnail in the Resources pane.

   Alternatively, you can also click Pa$$w0rd under Windows 11 machine thumbnail in the Resources pane.

   Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and devices on the network.

2. Launch any web browser, and go to https://www.google.com (here, we are using Mozilla Firefox).

   If a Firefox Software Updater window appears click No.

   • If the Default Browser pop-up window appears, uncheck the Always perform this check when starting Firefox checkbox and click the Not now button.
   • If a notification appears, click Okay, Got it to finish viewing the information.

3. In the search bar search for intitle:login site:eccouncil.org. This search command uses intitle and site Google advanced operators, which restrict results to pages on the eccouncil.org website that contain the login pages. An example is shown in the screenshot below.

   Here, this Advanced Google Search operator can help attackers and pen testers to extract login pages of the target organization's website. Attackers can subject login pages to various attacks such as credential bruteforcing, injection attacks and other web application attacks. Similarly, assessing the login pages against various attacks is crucial for penetration testing.

   

4. Similarly, type the command EC-Council filetype:pdf ceh in the search bar to search your results based on the file extension and the keyword (here, ceh). Click on any link from the results (here, CEH-brochure.pdf) to view the pdf file.

   Here, the file type pdf is searched for the target organization EC-Council. The result might differ when you perform this task.

   The PDF and other documents from a target website may provide sensitive information about the target's products and services. They may help attackers to determine an attack vector to exploit the target.

   

5. The page appears displaying the PDF file, as shown in the screenshot.

   

6. Apart from the aforementioned advanced Google operators, you can also use the following to perform an advanced search to gather more information about the target organization from publicly available sources.

   • cache: This operator allows you to view cached version of the web page. [cache:www.eccouncil.org]- Query returns the cached version of the website www.eccouncil.org

   • allinurl: This operator restricts results to pages containing all the query terms specified in the URL. [allinurl: EC-Council career]-Query returns only pages containing the words "EC-Council" and "career" in the URL

   • inurl: This operator restricts the results to pages containing the word specified in the URL [inurl: copy site:www.eccouncil.org]-Query returns only pages in EC-Council site in which the URL has the word "copy"

   • allintitle: This operator restricts results to pages containing all the query terms specified in the title. [allintitle: detect malware]-Query returns only pages containing the words "detect" and "malware" in the title

   • inanchor: This operator restricts results to pages containing the query terms specified in the anchor text on links to the page. [Anti-virus inanchor:Norton]-Query returns only pages with anchor text on links to the pages containing the word "Norton" and the page containing the word "Anti-virus"

   • allinanchor: This operator restricts results to pages containing all query terms specified in the anchor text on links to the page. [allinanchor: best cloud service provider]-Query returns only pages in which the anchor text on links to the pages contain the words "best," "cloud," "service," and "provider"

   • link: This operator searches websites or pages that contain links to the specified website or page. [link:www.eccouncil.org]-Finds pages that point to EC-Council's home page

   • related: This operator displays websites that are similar or related to the URL specified. [related:www.eccouncil.org]-Query provides the Google search engine results page with websites similar to eccouncil.org

   • info: This operator finds information for the specified web page. [info:eccouncil.org]-Query provides information about the www.eccouncil.org home page

   • location: This operator finds information for a specific location. [location: EC-Council]-Query give you results based around the term EC-Council

7. This concludes the demonstration of gathering information using advanced Google hacking techniques. You can conduct a series of queries on your own by using these advanced Google operators and gather the relevant information about the target organization.

8. Close all open windows and document all the acquired information.

Lab 2: Perform Footprinting Through Internet Research Services

Lab Scenario

As a professional ethical hacker or pen tester, you should be able to extract a variety of information about your target organization from Internet research services. By doing so, you can extract critical information such as a target organization's domains, subdomains, operating systems, geographic locations, employee details, emails, financial information, infrastructure details, hidden web pages and content, etc.

Using this information, you can build a hacking strategy to break into the target organization's network and can carry out other types of advanced system attacks.

Lab Objectives

• Find the company's domains and subdomains using Netcraft and DNSdumpster

Overview of Internet Research Services

Internet research services such as people search services, alerting services, financial services, and job sites, provide information about a target organization; for example, infrastructure details, physical location, employee details, etc. Moreover, groups, forums, and blogs may provide sensitive information about a target organization such as public network information, system information, and personal information. Internet archives may provide sensitive information that has been removed from the World Wide Web (WWW).

Task 1: Find the Company's Domains, Subdomains and Hosts using Netcraft and DNSdumpster

Domains and sub-domains are part of critical network infrastructure for any organization. A company's top-level domains (TLDs) and subdomains can provide much useful information such as organizational history, services and products, and contact information. A public website is designed to show the presence of an organization on the Internet, and is available for free access.

Here, we will extract the company's domains and subdomains using the Netcraft and DNSdumpster tools.

1. Launch any web browser, and go to https://www.netcraft.com (here, we are using Mozilla Firefox).

2. Netcraft page appears, as shown in the screenshot.

   If cookie pop-up appears, click Accept.

   

3. Click on Resources tab and select Research Tools.

   

4. In the Tools | Netcraft page, click on Site Report option.

   If a cookies pop-up appears, click on ACCEPT COOKIES.

   

5. The What's that site running? page appears. To extract information associated with the organizational website such as infrastructure, technology used, sub domains, background, network, etc., type the target website's URL (here, https://www.certifiedhacker.com) in the text field, and then click the LOOK UP button, as shown in the screenshot.

   

6. The Site report for https://www.certifiedhacker.com page appears, containing information related to Background, Network, Hosting History, etc., as shown in the screenshot.

   

7. In the Network section, click on the website link (here, certifiedhacker.com) in the Domain field to view the subdomains.

   

8. The result will display the subdomains of the target website along with netblock and operating system information, as shown in the screenshot.

   

9. Now, we will find company's DNS Servers along with Geo IP and domain mapping using DNSdumpster website.

10. Open a new tab in Firefox browser and go to https://dnsdumpster.com/. Search for certifiedhacker.com in the search box.

    

11. The website displays the GEOIP of Host Locations, as shown in the screenshot.

    

12. Scroll down to view the list of DNS Servers, MX Records, Host Record (A) along with their IP addresses.

    

13. Further, scroll down to view the domain mapping of the website.

    Click on the map to view the full-size image.

    Click back to exit from full-size image.

    

14. Click on Download .xlsx of Hosts button to download the list of hosts.

    

15. Navigate to the Downloads folder and double-click on certifiedhacker.com-xxxxxxx.xlsx file to view the list of Hosts.

    In the Microsoft Office Activation Wizard window, click on Close.

    At the top of the Excel sheet, click on Enable Editing.

    

16. The Excel sheet displays the details such as Hostname, IP Address, Reverse DNS, Netblock Owner, Country, HTTP /Title, etc.

    

17. This concludes the demonstration of finding the company's domains and subdomains and Hosts using the Netcraft tool and DNSdumpster. The attackers can use this collected list of subdomains to perform web application attacks on the target organization such as injection attacks, brute-force attack, and denial-of-service (DoS) attacks.

18. You can also use tools such as Pentest-Tools Find Subdomains (https://pentest-tools.com), to identify the domains and subdomains of any target website.

19. Close all open windows and document all the acquired information.

Question 2.2.1.1

Question 2.2.1.2

Lab 3: Perform Footprinting Through Social Networking Sites

Lab 6: Perform Network Footprinting

Lab 8: Perform Footprinting using Various Footprinting Tools

Lab Scenario

The information gathered in the previous steps may not be sufficient to reveal the potential vulnerabilities of the target. There could be more information available that could help in finding loopholes in the target. As an ethical hacker, you should look for as much information as possible about the target using various tools. This lab activity will demonstrate what other information you can extract from the target using various footprinting tools.

Lab Objectives

• Footprinting a target using Recon-ng

Overview of Footprinting Tools

Footprinting tools are used to collect basic information about the target systems in order to exploit them. Information collected by the footprinting tools contains the target's IP location information, routing information, business information, address, phone number and social security number, details about the source of an email and a file, DNS information, domain information, etc.

Task 1: Footprinting a Target using Recon-ng

Recon-ng is a web reconnaissance framework with independent modules and database interaction that provides an environment in which open-source web-based reconnaissance can be conducted. Here, we will use Recon-ng to perform network reconnaissance, gather personnel information, and gather target information from social networking sites.

Here, we will consider www.certifiedhacker.com as a target website. However, you can select a target domain of your choice.

The results obtained might differ when you perform this lab task.

1. In the Parrot Security machine, open a Terminal window and execute sudo su to run the programs as a root user (When prompted, enter the password toor).

   The password that you type will not be visible.

2. Now, run cd command to jump to the root directory and run recon-ng command to launch the application.

   

3. Run help command to view all the commands that allow you to add/delete records to a database, query a database, etc.

   

4. Run marketplace install all command to install all the modules available in recon-ng.

   Ignore the errors while running the command.

   

5. After the installation of modules, run modules search command. This displays all the modules available in recon-ng.

   

6. You will be able to perform network discovery, exploitation, reconnaissance, etc. by loading the required modules.

7. Run workspaces command to view the commands related to the workspaces.

   

8. Create a workspace in which to perform network reconnaissance. In this task, we shall be creating a workspace named CEH.

9. To create the workspace, run workspaces create CEH command. This creates a workspace named CEH.

   

10. Enter workspaces list. This displays a list of workspaces (along with the workspace added in the previous step) that are present within the workspaces databases.

    

11. Add a domain in which you want to perform network reconnaissance.

12. Issue the command db insert domains.

13. Under domain (TEXT) option type certifiedhacker.com and press Enter. In the notes (TEXT) option press Enter. This adds certifiedhacker.com to the present workspace.

14. You can view the added domain by issuing the show domains command, as shown in the screenshot.

    

15. Harvest the hosts-related information associated with certifiedhacker.com by loading network reconnaissance modules such as brute_hosts, Netcraft, and Bing.

16. Issue modules load brute command to view all the modules related to brute forcing. In this task, we will be using the recon/domains-hosts/brute_hosts module to harvest hosts.

    

17. To load the recon/domains-hosts/brute_hosts module, issue modules load recon/domains-hosts/brute_hosts command.

18. Issue run command. This begins to harvest the hosts, as shown in the screenshot.

    

19. Observe that hosts have been added by running the recon/domains-hosts/brute_hosts module.

    

20. You have now harvested the hosts related to certifiedhacker.com using the brute_hosts module. You can use other modules such as Netcraft and Bing to harvest more hosts.

    Use the back command to go back to the CEH attributes terminal.

    To resolve hosts using the Bing module, use the following commands:

    • back
    • modules load recon/domains-hosts/bing_domain_web
    • run

21. Now, perform a reverse lookup for each IP address (the IP address that is obtained during the reconnaissance process) to resolve to respective hostnames.

22. Execute modules load reverse_resolve command to view all the modules associated with the reverse_resolve keyword. In this task, we will be using the recon/hosts-hosts/reverse_resolve module.

23. Run the modules load recon/hosts-hosts/reverse_resolve command to load the module.

24. Issue the run command to begin the reverse lookup.

    

25. Once done with the reverse lookup process, run the show hosts command. This displays all the hosts that are harvested so far, as shown in the screenshot.

    

26. Now, use the back command to go back to the CEH attributes terminal.

27. Now, that you have harvested several hosts, we will prepare a report containing all the hosts.

28. Execute modules load reporting command to view all the modules associated with the reporting keyword. In this lab, we will save the report in HTML format. So, the module used is reporting/html.

29. Run the modules load reporting/html command.

30. Observe that you need to assign values for CREATOR and CUSTOMER options while the FILENAME value is already set, and you may change the value if required. To do so, run the below commands:

    • options set FILENAME /home/attacker/Desktop/results.html. By issuing this command, you are setting the report name as results.html and the path to store the file as Desktop.
    • options set CREATOR [your name] (here, Jason).
    • options set CUSTOMER Certifiedhacker Networks (since you have performed network reconnaissance on certifiedhacker.com domain).

31. Use the run command and press Enter to create a report for all the hosts that have been harvested.

    

32. The generated report is saved to /home/attacker/Desktop/.

33. Navigate to /home/attacker/Desktop/, right-click on the results.html file, click on Open With, and select the Firefox ESR Web Browser browser from the available options.

    

34. The generated report appears in the Firefox browser, displaying the summary of the harvested hosts.

35. You can expand the Hosts node to view all the harvested hosts, as shown in the screenshot.

    

36. Close all open windows.

37. Until now, we have used the Recon-ng tool to perform network reconnaissance on a target domain

38. Now, we will use Recon-ng to gather personnel information.

39. Open a Terminal window and execute sudo su to run the programs as a root user (When prompted, enter the password toor).

    The password that you type will not be visible.

40. Run cd command to jump to the root directory and run recon-ng command.

41. Add a workspace by issuing the command workspaces create reconnaissance and press Enter. This creates a workspace named reconnaissance.

    

42. Set a domain and perform footprinting on it to extract contacts available in the domain.

43. Execute modules load recon/domains-contacts/whois_pocs command. This module uses the ARIN Whois RWS to harvest POC data from Whois queries for the given domain.

44. Run the info command command to view the options required to run this module.

45. Run options set SOURCE facebook.com command to add facebook.com as a target domain.

    Here, we are using facebook.com as a target domain to gather contact details.

    

46. Execute the run command. The recon/domains-contacts/whois_pocs module extracts the contacts associated with the domain and displays them, as shown in the screenshot

    Results might differ when you perform the lab.

    

47. Until now, we have obtained contacts related to the domains. Note down these contacts' names. Close all the open windows.

48. Now, we will use Recon-ng to extract a list of subdomains and IP addresses associated with the target URL.

49. Open a Terminal window and execute sudo su to run the programs as a root user (When prompted, enter the password toor).

    The password that you type will not be visible.

50. Now, run cd command to jump to the root directory and run recon-ng command.

51. To extract a list of subdomains and IP addresses associated with the target URL, we need to load the recon/domains-hosts/hackertarget module.

52. Run the modules load recon/domains-hosts/hackertarget command and run options set SOURCE certifiedhacker.com command.

53. Execute the run command. The recon/domains-hosts/hackertarget module searches for list of subdomains and IP addresses associated with the target URL and returns the list of subdomains and their IP addresses.

    

54. This concludes the demonstration of gathering host information of the target domain and gathering personnel information of a target organization.

55. Close all open windows and document all the acquired information.

Question 2.8.1.1