Footprinting, or reconnaissance, is the first phase of the ethical hacking process and is the preparatory phase. This phase consists of passively gaining information about a target prior to attack. The goal is to gather as much information as possible about a potential target with the objective of getting enough information to make later attacks more accurate. The end result should be a profile of the target that is a rough picture but one that gives enough data to plan the next phase of scanning. So it is a method of observing and collecting information about a potential target with the intention of finding a way to attack the target. Footprinting takes advantage of the information that is carelessly exposed or disposed of inadvertently. In footprinting we look for information and later analyze it, looking for weaknesses or potential vulnerabilities.
Information that can be gathered during this phase includes but is not limited to
Job information
When you conduct footprinting, as with all phases and processes, you must be quite methodical. A careless or hap-hazard process of collecting information can waste time when moving forward or, in a worst-case scenario, cause an attack to fail. The smart or careful attacker spends a good amount of time in this phase gathering and confirming information.
Footprinting generally entails the following steps to ensure proper information retrieval
Footprinting is about gathering information and formulating a hack strategy. With proper care you, as the attacking party, may be able to uncover the path of least resistance into an organization. Passively gathering information is by far the easiest and most effective method. If done by a skilled, inventive, and curious party, the amount of information that can be passively gathered is staggering.
Expect to obtain information such as
Before you start doing footprinting, you must set some expectations as to what you are looking for and what you should have in your hands at the end of the process. Keep in mind that the list of information here is not exhaustive, nor should you expect to be able to obtain all the items from every target. The idea is for you to get as much information in this phase as you possibly can, but take your time.
Here is what you should look for
On the network side of things a lot of information is invaluable; if you can get a hold of the data. Amazingly, much of the network information that is useful to you in starting the initial phase of an attack is easily available or can be easily obtained with a little investigation. During the footprinting phase, keep your eyes open for the following items:
The operating system is one of the most important areas you must gain information about. When sorting through the wealth of information that typically is available about a target, keep an eye out for anything that provides technical details:
Not all information is technical, so look for information about how an organization works. Information that provides details about employees, operations, projects, or other details is vital. This includes:
Generally there are more types of footprinting. Internal versus external footprinting. External is what ever information you can find from outside the target organization where internal footprinting is what information you can find from inside the organization. During i white box test, you will usually be inside the organization, and have access to a wealth of information. In a black box test, you will, at least initially only have whatever information available that is open source and publicly available.
There is also active versus passive footprinting where passive is what information you can retrieve passively, that is without being too intrusive, and active is the more intrusive way of gathering information. In reality it is much about information gathered using search engines and the like, to source code browsing, to what information you can collect by actively interact with the target. For instance you might send the target organization emails which is considered active information gathering.
This was written from CEHv8 material but the process applies to the process and concepts for most any CEH version.
Information that can be gathered during this phase includes but is not limited to
- IP address ranges
- Namespaces
- Employee information
- Phone numbers
- Facility information
Job information
When you conduct footprinting, as with all phases and processes, you must be quite methodical. A careless or hap-hazard process of collecting information can waste time when moving forward or, in a worst-case scenario, cause an attack to fail. The smart or careful attacker spends a good amount of time in this phase gathering and confirming information.
Footprinting generally entails the following steps to ensure proper information retrieval
- Collect information that is publicly available about the target. For instance host and network information.
- Ascertain the operating system(s) in use in the environment, including web server and web application data where possible.
- Issue queries such as Whois, DNS, network, and organizational queries.
- Locate existing or potential vulnerabilities or exploits that exists in the current infrastructure that may be conductive to launching later attacks.
Footprinting is about gathering information and formulating a hack strategy. With proper care you, as the attacking party, may be able to uncover the path of least resistance into an organization. Passively gathering information is by far the easiest and most effective method. If done by a skilled, inventive, and curious party, the amount of information that can be passively gathered is staggering.
Expect to obtain information such as
- Information about an organization's security posture and where potential loopholes may exist. This information will allow for adjustments to the hacking process that make it more productive.
- A database that paints a detailed picture with the maximum amount of information possible about the target.
- A network map using tools such as the tracert utility to construct a picture of a target's Internet presence or Internet connectivity.
Before you start doing footprinting, you must set some expectations as to what you are looking for and what you should have in your hands at the end of the process. Keep in mind that the list of information here is not exhaustive, nor should you expect to be able to obtain all the items from every target. The idea is for you to get as much information in this phase as you possibly can, but take your time.
Here is what you should look for
- Network information
- Operating system information
- Organization information, such as CEO and employee information, office information and contact numbers and email.
- Network blocks
- Network services
- Application and web application data and configuration information
- System architecture
- Intrusion detection and prevention systems
- Employee names
- Work experience
- Target organization clients
On the network side of things a lot of information is invaluable; if you can get a hold of the data. Amazingly, much of the network information that is useful to you in starting the initial phase of an attack is easily available or can be easily obtained with a little investigation. During the footprinting phase, keep your eyes open for the following items:
- Domain names the company uses to conduct business or other functions, including research and customer relations.
- Internal domain name information
- IP addresses of available systems
- Rogue or unmonitored websites that are used for testing or other purposes
- Private websites
- TCP/UDP services that are running
- Access control mechanisms, including firewalls and ACLs
- Virtual private network information
- Intrusion detection and prevention information as well as configuration data
- Telephone numbers, including analog and Voice over Internet Protocol
- Authentication mechanisms and systems
The operating system is one of the most important areas you must gain information about. When sorting through the wealth of information that typically is available about a target, keep an eye out for anything that provides technical details:
- User and group information and names
- Banner grabbing
- Routing tables
- SNMP
- System architecture
- Remote system data
- System names
- Passwords
Not all information is technical, so look for information about how an organization works. Information that provides details about employees, operations, projects, or other details is vital. This includes:
- Employee details
- Organization's website
- Company directory
- Location details
- Address and phone numbers
- Comments in HTML source code
- Security policies implemented
- Web server links relevant to the organization
- Background of the organization
- News articles and press releases
Generally there are more types of footprinting. Internal versus external footprinting. External is what ever information you can find from outside the target organization where internal footprinting is what information you can find from inside the organization. During i white box test, you will usually be inside the organization, and have access to a wealth of information. In a black box test, you will, at least initially only have whatever information available that is open source and publicly available.
There is also active versus passive footprinting where passive is what information you can retrieve passively, that is without being too intrusive, and active is the more intrusive way of gathering information. In reality it is much about information gathered using search engines and the like, to source code browsing, to what information you can collect by actively interact with the target. For instance you might send the target organization emails which is considered active information gathering.
This was written from CEHv8 material but the process applies to the process and concepts for most any CEH version.