Reconnaissance Part 1: Footprinting Tutorial

Footprinting is the first phase of hacking. Here the attacker tries to gather as much information as possible about the target without necessarily coming into contact with it. It is the most important phase, but, being technically the least challenging, it is also the most overlooked one. A good penetration tester spends a considerable amount of time profiling the target organization: the information gathered here feeds every subsequent phase of the test. Footprinting itself consists of a number of stages.

Though there's no fixed approach, the general flow of execution is this:
A) Website Searches

B) Google Hacking

C) WHOIS lookup

D) DNS Interrogation

A) Website Searches

The web holds a wealth of information. Searching the right websites can provide an attacker with a great deal of sensitive information about a target.

• The attacker usually starts with the target organization's own website. Organizations sometimes inadvertently publish sensitive details there, such as the technologies in use or security configuration details. The attacker also records information like employee contact details, office locations and business partners.

• The attacker then turns to job sites, social networking sites (Facebook, MySpace, LinkedIn), newsgroups and the like. A lot of important information is frequently available on these sites: a job advertisement for a firewall or database administrator, for instance, usually names the exact product the organization runs.

B) Google Hacking

Google hacking is the use of advanced search engine operators to locate sensitive information that has already been indexed. Because of web server misconfigurations, sensitive content gets indexed when the search engine spiders crawl it. Such content may include password files, confidential directories, logon portals, log files and so on. More details regarding Google hacking can be found here.

C) WHOIS Lookup

A WHOIS lookup retrieves the additional information associated with a domain. It consists of two steps:

• Finding the domain name registration information.

• Finding the IP address range.

Finding the domain name registration information

While registering a domain, the registrar collects additional information about the registrant. This information is normally available for public access. The general steps are:

• Querying the InterNIC website to find the registrar associated with a domain. InterNIC performs a WHOIS lookup against the registry and returns the result. For "thin" registries such as .com, this record only names the registrar and the name servers; the registrant details live in the registrar's own database, which is why the second step is needed.

• The attacker then queries the registrar's WHOIS database to get the full registration information.

Finding the IP address range

The attacker then needs to find the IP address ranges allocated to the organization. For this, the organization's name (or a known IP address) is queried against the WHOIS database of the appropriate Regional Internet Registry (RIR). There are five RIRs, each covering a geographic region: APNIC (Asia-Pacific), ARIN (North America), LACNIC (Latin America and the Caribbean), RIPE NCC (Europe, Central Asia and the Middle East) and AfriNIC (Africa). Note that a query by organization name only finds address space registered directly to that organization; addresses the target uses through an ISP or hosting provider show up under the provider's name instead.
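The two WHOIS steps above, and the IP-range lookup, as a worked example. This is an added example and not code from the original tutorial: the WHOIS exchange itself is the RFC 3912 protocol (plain text over TCP port 43), whois.verisign-grs.com is the real registry server for .com, while whois.example-registrar.net, the registration records and the ARIN/RIPE records are constructed samples, so the parsing functions run offline; only `whois_query` and `lookup_domain` need the network.

```python
"""Two-step WHOIS lookup: the registry (InterNIC/Verisign for .com) names the
registrar, the registrar holds the registration record, and the RIR holds the
IP range. Added example, not part of the original tutorial. Parsing runs
offline on the constructed sample records at the bottom."""
import ipaddress
import socket

WHOIS_PORT = 43

def whois_query(server, query, timeout=10):
    """One RFC 3912 exchange: send the query plus CRLF over TCP/43 and read
    until the server closes the connection. Needs network access."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def parse_whois(text):
    """Turn 'Key: value' lines into {key: [values]}; keys can repeat (several
    'Name Server' lines) and comment lines start with %, # or >>>."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#>":
            continue
        key, sep, value = line.partition(":")   # split on the first colon only
        if not sep or not value.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def registrar_whois_server(registry_record):
    """Step 1: the registry's answer tells us which registrar to ask next."""
    return parse_whois(registry_record).get("registrar whois server", [None])[0]

def registration_summary(registrar_record):
    """Step 2: the fields footprinting cares about from the registrar's record."""
    f = parse_whois(registrar_record)
    return {
        "registrar": f.get("registrar", [None])[0],
        "name_servers": [ns.lower() for ns in f.get("name server", [])],
        "expires": f.get("registry expiry date", [None])[0],
        "registrant": f.get("registrant organization", [None])[0],
    }

def netrange_to_cidrs(rir_record):
    """RIRs give the allocation as 'NetRange: first - last' (ARIN) or
    'inetnum: first - last' (RIPE, APNIC, AfriNIC, LACNIC); turn it into the
    CIDR blocks a scanner takes as input."""
    f = parse_whois(rir_record)
    for key in ("netrange", "inetnum"):
        if key in f:
            first, last = (p.strip() for p in f[key][0].split("-"))
            return [str(n) for n in ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last))]
    return []

def lookup_domain(domain):
    """Live version of both steps for a .com domain (network required). The
    'domain ' prefix asks Verisign for the domain record only, not name
    servers whose name happens to match."""
    registrar = registrar_whois_server(whois_query("whois.verisign-grs.com", "domain " + domain))
    return registration_summary(whois_query(registrar, domain)) if registrar else None

# Constructed sample records (not captured from real servers), laid out the
# way the .com registry, a registrar, ARIN and RIPE format their answers.
REGISTRY_SAMPLE = """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.example-registrar.net
   Registrar URL: http://www.example-registrar.net
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""
REGISTRAR_SAMPLE = """\
Domain Name: example.com
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrant Organization: Example Corp
Name Server: ns1.example.com
Name Server: ns2.example.com
"""
ARIN_SAMPLE = """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       192.0.2.0 - 192.0.3.255
NetName:        EXAMPLE-NET
OrgName:        Example Corp
"""
RIPE_SAMPLE = """\
% This is the RIPE Database query service.
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-EU
org:            ORG-EX1-RIPE
"""
```

The same result can be had interactively with `whois -h whois.verisign-grs.com "domain example.com"` followed by `whois -h <registrar server> example.com`, and `whois -h whois.arin.net <ip>` for the range; the script simply makes the registry-to-registrar hop and the range-to-CIDR conversion explicit.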

D) DNS Interrogation: Zone Transfer

A zone transfer is the process by which a name server hands over the complete contents of a zone in response to a request from another computer. It exists for secondary name servers, which use it to update their copy of the zone from the primary. Zone transfers should therefore only be allowed from the primary to its secondaries, but because of careless configuration some name servers honour zone transfer requests from any external system. This is a serious security hole: with a single request the attacker obtains every host name and IP address in the target organization's zone from its own authoritative name servers. To learn more about zone transfers, read this article.
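What the attacker's request and the server's answer actually look like, as an added example that is not code from the original post. The block builds the AXFR query (the same thing `dig @ns1.example.com example.com AXFR` sends), sends it over TCP port 53 as RFC 5936 requires, and parses the answer; because a live transfer needs a misconfigured server, the parser is exercised on a constructed response for the hypothetical zone example.com. with 192.0.2.x addresses, and a refusal (rcode 5) is shown for comparison.

```python
"""AXFR at the wire level: build the zone-transfer query, send it over TCP/53
(RFC 5936) and parse what comes back. Added example, not from the original
post; the parser runs offline on the constructed response at the bottom."""
import ipaddress
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 28: "AAAA"}
QTYPE_AXFR, CLASS_IN = 252, 1

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    # 12-byte header (id, flags=0, qdcount=1) followed by one question: <zone> IN AXFR
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)

def decode_name(msg, off):
    """Read a name at off, following RFC 1035 compression pointers (0xC0xx);
    returns (dotted name, offset just past the name as written at off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # pointer into an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", end if end is not None else off
        labels.append(msg[off:off + length].decode())
        off += length

def render_rdata(msg, rtype, off, rdlen):
    """Readable RDATA for the record types a transfer usually contains."""
    if rtype == 1:
        return str(ipaddress.IPv4Address(msg[off:off + 4]))
    if rtype == 28:
        return str(ipaddress.IPv6Address(msg[off:off + 16]))
    if rtype in (2, 5):                         # NS, CNAME: one compressible name
        return decode_name(msg, off)[0]
    if rtype == 6:                              # SOA: mname rname serial ...
        mname, o = decode_name(msg, off)
        rname, o = decode_name(msg, o)
        return "%s %s %d" % (mname, rname, struct.unpack("!I", msg[o:o + 4])[0])
    return msg[off:off + rdlen].hex()

def parse_records(msg):
    """Return (rcode, [(owner, type, ttl, rdata), ...]) for one DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, render_rdata(msg, rtype, off + 10, rdlen)))
        off += 10 + rdlen
    return flags & 0xF, records

def harvest(records):
    """What the attacker keeps: every host name and address in the zone."""
    return {(n, d) for n, t, _, d in records if t in ("A", "AAAA")}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf

def axfr(server, zone, timeout=10):
    """Live transfer (network required): TCP/53, each message length-prefixed;
    the zone is complete when the SOA record appears for the second time."""
    query, records, soa_seen = build_axfr_query(zone), [], 0
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            msg = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
            rcode, recs = parse_records(msg)
            if rcode != 0:                      # 5 = REFUSED on a properly configured server
                raise RuntimeError("transfer refused: rcode %d" % rcode)
            records.extend(recs)
            soa_seen += sum(1 for r in recs if r[1] == "SOA")
    return records

# Constructed response (not captured from any real server) for the hypothetical
# zone example.com.; 0xC00C is a compression pointer to the question name at offset 12.
def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
ZONE = b"\xc0\x0c"
SOA_RDATA = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
             + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 300))
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 5, 0, 0)      # QR=1, AA=1, rcode=0, 5 answers
    + encode_name("example.com.") + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
    + _rr(ZONE, 6, 3600, SOA_RDATA)
    + _rr(ZONE, 2, 3600, b"\x03ns1" + ZONE)
    + _rr(b"\x03www" + ZONE, 1, 300, bytes([192, 0, 2, 10]))
    + _rr(b"\x03ns1" + ZONE, 1, 300, bytes([192, 0, 2, 53]))
    + _rr(ZONE, 6, 3600, SOA_RDATA))                         # the closing SOA ends the transfer
```

Against a hardened server `axfr("ns1.example.com", "example.com.")` raises with rcode 5 (REFUSED); against a misconfigured one it returns the whole zone, and `harvest()` reduces that to the host/address list the rest of the engagement is built on.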

Footprinting Defences

1) Carefully evaluate the information before publishing it on the internet.

2) Perform various footprinting techniques against your organization and try to remove any sensitive details found.

3) Directory listings give away far more information than a visitor needs; disabling them is always a good option.

4) You can prevent search engines from caching a page by employing the 'noarchive' meta tag. Note that this keeps the page out of the cache, not out of the index; for the latter use 'noindex' or robots.txt, and do not publish the content at all if it is genuinely sensitive.

5) Make use of anonymous (privacy) registration services to avoid leaking registrant details through WHOIS.

6) Configure your name servers so that only the primary accepts zone transfer requests, and only from the secondary and tertiary name servers. Restricting by source IP address is the minimum; signing transfers with TSIG keys is better, since source addresses can be spoofed.

7) Consider using split DNS, an architecture where internal and external DNS servers are run separately, so that internal host names never appear in the zone the outside world can query.


One Response to Reconnaissance Part 1: Footprinting Tutorial

  1. Maida says:

    I savor it, as I discovered just what I was looking for. You've ended my 4-day-long hunt! God bless you, man. Have a great day. Bye
