Learn how Footprinting and Reconnaissance are used to obtain data from a system. Realize that information is found everywhere. Lisa Bock explains how Footprinting and Reconnaissance can use low tech methods such as Google hacking, along with tools and utilities such as Maltego and Nmap. Recognize the importance of documenting the discovery findings.
- [Voiceover] Before actually launching any attacks or using advanced tools, a thorough information-gathering exercise must be completed. The first phase in ethical hacking is footprinting and reconnaissance, which is all about obtaining as much information about the target as possible. This phase is probably the most time consuming, taking weeks or even months to complete. The two terms, footprinting and reconnaissance, are used together in ethical hacking, and they are essentially a method of discovery.
Footprinting is learning as much as possible about the target, including remote access capabilities, open ports and services, and what security mechanisms are in place. Reconnaissance is a military reference that deals with gathering information about the location of a target by scouting or setting up covert observation points. Footprinting and reconnaissance are the first steps in a commonly recognized sequence of steps for drilling down into an organization. We start by gathering information, then locating the network range, finding out what machines are active and will talk to us, finding open ports and determining the operating systems, seeing what services are running, and then mapping the network.
What is happening during footprinting and reconnaissance? Imagine you are on a mission. The fact is, information is found everywhere. On the public side, we want to find out as much about the target we can on public resources on the internet, such as websites, directories, email addresses, job sites, and, of course, social networking. On the logical side, we use network mapping in order to give us an accurate picture of our target, such as network architecture, defense mechanisms such as firewalls, intrusion detection, or any other security devices that would be in place that would block us from finding out information.
Also, operating systems and applications. All those things that help us to put together a better picture of our target. The key is to narrow the scope so that the recon is more targeted. Questions to ask are the following. Who is the target? Is it a company, a cell phone service, a car, or a local business? What is the target? Once we get in, what are we looking for? Social security numbers, bank account numbers, social media accounts, or even medical information? Identifying what the target is might help in locating the target.
If there's no actual target, it's more of a dumpster diving attempt, searching until something interesting is found. Where's the target? Start with the IP address and the IP address range. Any domain name information, including physical addresses and DNS records. When should we attack? Now when the stakes are high? Get in, obtain the target? Or late at night? Do you have the persistence to test at odd hours? And how? Well, how we do the attack is really going to be after we do the recon.
The information gleaned from a well-conducted reconnaissance exercise will help determine just how the attack is launched. Keep in mind that gathering information is both passive and active. In addition, footprinting and reconnaissance use low-tech methods, such as Google hacking, along with tools and utilities such as Maltego and Nmap. During the information gathering, it is very important to document your findings. This will help you in developing the best method of attack.
Develop a template such as this one where you can record the results and get a complete picture of your target. We can document corporate information, take a look at infrastructure assets, and financial data. As we find the information, document it. It will help, again, to create a complete picture of our target.
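The sequence described above (active hosts, open ports, operating systems, running services) and the advice to document it in a template can be tied together in code. The following is an added example, not part of the course or of Nmap itself: it parses the XML that Nmap writes with `-oX` and turns each live host into a findings record. The XML embedded in the script is constructed to mimic Nmap's output format (RFC 1918 addresses, invented hostnames and service banners); it is not a real scan, and the `HostFinding` record and `render_findings` layout are this example's own design.

```python
"""Turn an Nmap XML scan (-oX) into a structured findings record.

Added example for the footprinting/reconnaissance discussion above. The
sample XML below is CONSTRUCTED to follow Nmap's -oX layout; it is not real
scan data and the hosts are not real targets.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of Nmap -oX output: one up host with a filtered port,
# one down host, one up host with no reverse DNS name.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.0.0.0/29" start="0">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.22.1"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response"/>
        <service name="mysql"/>
      </port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="96"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os>
  </host>
</nmaprun>
"""

# (port, protocol, service name, product/version banner if Nmap identified one)
PortEntry = Tuple[int, str, str, str]


@dataclass
class HostFinding:
    """One row of the findings template: a live host and what it exposed."""
    address: str
    hostname: Optional[str]
    os_guess: Optional[str]          # Nmap's best osmatch; a guess, not a fact
    open_ports: List[PortEntry] = field(default_factory=list)
    filtered_ports: List[int] = field(default_factory=list)  # firewall evidence


def parse_nmap_xml(xml_text: str) -> List[HostFinding]:
    """Extract live hosts, their open/filtered ports and OS guesses."""
    root = ET.fromstring(xml_text)
    findings: List[HostFinding] = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts are not findings, only probed range

        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        name_el = host.find("hostnames/hostname")
        os_el = host.find("os/osmatch")  # Nmap lists the best match first

        finding = HostFinding(
            address=addr_el.get("addr", ""),
            hostname=name_el.get("name") if name_el is not None else None,
            os_guess=os_el.get("name") if os_el is not None else None,
        )
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else ""
            portid = int(port.get("portid", "0"))
            if state == "open":
                svc = port.find("service")
                name = svc.get("name", "") if svc is not None else ""
                banner = " ".join(
                    p for p in ((svc.get("product"), svc.get("version"))
                                if svc is not None else ()) if p)
                finding.open_ports.append(
                    (portid, port.get("protocol", "tcp"), name, banner))
            elif state == "filtered":
                finding.filtered_ports.append(portid)
        findings.append(finding)
    return findings


def render_findings(findings: List[HostFinding]) -> str:
    """Render the records as the infrastructure section of a recon template."""
    lines = ["# Infrastructure findings (from Nmap scan)"]
    for h in findings:
        label = f"{h.address} ({h.hostname})" if h.hostname else h.address
        lines.append(f"== {label} ==")
        lines.append(f"OS guess: {h.os_guess or 'unknown'}")
        for portid, proto, name, banner in h.open_ports:
            lines.append(f"  {portid}/{proto} open {name} {banner}".rstrip())
        for portid in h.filtered_ports:
            lines.append(f"  {portid}/tcp filtered (possible firewall rule)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_findings(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Two details matter for the documentation step: a `filtered` port is recorded separately because it is evidence of a firewall or filtering device between you and the target, and the OS field is labelled a guess because Nmap's `osmatch` carries an accuracy percentage rather than a certainty. To run it on a real scan, replace `SAMPLE_NMAP_XML` with the contents of the file produced by `nmap -sV -O -oX scan.xml <range>`.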
Note: Our Ethical Hacking series maps to the 18 parts of the EC-Council's certification exam. This course maps to the 02 Footprinting and Reconnaissance domain.
- Using competitive intelligence
- Hacking with search engines
- Using email for footprinting
- Getting social
- Mirroring websites
- Using Ping, Tracert, nslookup, and dig
- Taking footprinting countermeasures
- Pen testing for footprinting