CEH: Reconnaissance / Footprinting

The second module of Pluralsight's Ethical Hacking course is reconnaissance and footprinting. This module is focused on gathering information about the “target” and finding out as much as you can about it. You accomplish this via reconnaissance/footprinting: it is the initial stage in building a blueprint of a target's security profile, and it is carried out in an organised manner.

Reconnaissance is one of the three pre-attack phases and results in a profile of an organisation's networks and systems. Reconning an organisation is necessary in order to systematically gather all the related data about the technologies deployed within the network, but be aware that reconnaissance can take up to 90% of the time during a penetration test or an actual attack.

Tools used in this module are ping, nslookup, tracert etc., as well as web-based services.

ping www.hackthissite.org -f -l 1300
-f means don't fragment and -l sets the buffer (payload) size
Use this to find the largest packet you can get through a router without fragmentation.
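The probing that ping -f -l performs is a search for the largest payload the path carries without fragmentation. The following added example (not code from the course or its notes) simulates that search offline: a constructed stand-in for the network answers "did it get through?" for a given payload size, a binary search finds the largest accepted -l value, and the header arithmetic shows why an Ethernet-sized path (1500-byte MTU) tops out at 1472 bytes of ping payload. The path MTU values are assumptions chosen for the demonstration.

```python
# Added example: simulate "ping -f -l <size>" probing to find the largest
# payload that passes a path without fragmentation. Not from the original notes.

IPV4_HEADER = 20   # bytes, IPv4 header without options
ICMP_HEADER = 8    # bytes, ICMP echo request header
WINDOWS_PING_MAX = 65500  # largest -l value Windows ping accepts


def payload_limit(path_mtu: int) -> int:
    """Largest ping payload (-l value) that fits a path MTU with DF set.
    The on-wire packet is payload + IPv4 header + ICMP header."""
    return path_mtu - IPV4_HEADER - ICMP_HEADER


def make_df_probe(path_mtu: int):
    """Return a function that behaves like one 'ping -f -l size' attempt:
    True if the packet fits the (assumed) path MTU, False if a router would
    have had to fragment it. This is a constructed stand-in for the network."""
    def probe(payload_size: int) -> bool:
        return payload_size + IPV4_HEADER + ICMP_HEADER <= path_mtu
    return probe


def find_largest_payload(probe, low: int = 0, high: int = WINDOWS_PING_MAX) -> int:
    """Binary-search the largest -l value the probe accepts.
    Manual probing with ping does the same thing by hand; this takes
    about 16 probes instead of guessing sizes one at a time."""
    if not probe(low):
        raise ValueError("even the smallest probe is rejected")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid fits: the answer is mid or larger
        else:
            high = mid - 1     # mid needs fragmentation: answer is smaller
    return low


if __name__ == "__main__":
    # Assumed path with a 1400-byte MTU (for example a tunnel on the way).
    probe = make_df_probe(1400)
    print("-l 1300 gets through:", probe(1300))
    print("largest -l on this path:", find_largest_payload(probe))
    print("Ethernet limit:", payload_limit(1500))
```

On an unmodified Ethernet path the search returns 1472; a smaller result points at a link with a reduced MTU somewhere on the route, which is exactly what the -f probing in the notes is meant to reveal.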
nslookup yahoo.com – non-interactive mode
nslookup – interactive mode
> set type=mx – look at MX records
> {returns list of MX records}
> set type=a
> set type=cname
> hackthissite.org – returns details about the domain
> server – change the DNS server to the local one
> set type=a
> set type=soa
> hackthissite.org – returns info about the domain
> exit
ping ns1.hackthissite.org
> server
> set type=any
> ls -d hackthissite.org – attempt a zone transfer
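The record types queried in the session above (MX, A, CNAME, SOA) are what a third party learns about a domain from DNS alone, so it is worth being able to inventory them. The following added example (not code from the course or its notes) parses Windows-style nslookup output into structured records and lists the hosts and addresses that output exposes. The session text is constructed for the example, using example.org and documentation addresses; it is not a capture from any real domain.

```python
import re
from collections import defaultdict

# Added example: parse an interactive nslookup session (Windows-style output)
# into records. The session below is CONSTRUCTED sample data, not a real capture.
SAMPLE_SESSION = """\
Server:  UnKnown
Address:  192.0.2.53

Non-authoritative answer:
example.org     MX preference = 10, mail exchanger = mail1.example.org
example.org     MX preference = 20, mail exchanger = mail2.example.org

Name:    example.org
Addresses:  192.0.2.10
          192.0.2.11

www.example.org canonical name = example.org

example.org
        primary name server = ns1.example.org
        responsible mail addr = hostmaster.example.org
        serial  = 2024010101
        refresh = 3600 (1 hour)
        retry   = 600 (10 mins)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)")
CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)")
SOA_FIELD_RE = re.compile(r"^\s+([\w ]+?)\s*=\s*(\S+)")


def parse_nslookup(text):
    """Return {"MX": [...], "A": [...], "CNAME": [...], "SOA": [...]}."""
    records = defaultdict(list)
    current_name = None         # owner of the A records being read
    in_addresses = False        # inside a multi-line "Addresses:" block
    soa = None                  # SOA record currently being filled in
    skip_resolver_addr = False  # the Address: right after Server: is the resolver
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends any multi-line block
            in_addresses = False
            soa = None
            continue
        if line.startswith("Server:"):
            skip_resolver_addr = True
            continue
        if line.startswith("Address:") and skip_resolver_addr:
            skip_resolver_addr = False    # resolver address, not a target record
            continue
        if line.startswith("Non-authoritative"):
            continue
        m = MX_RE.match(line)
        if m:
            records["MX"].append({"name": m.group(1), "preference": int(m.group(2)),
                                  "exchange": m.group(3)})
            continue
        m = CNAME_RE.match(line)
        if m:
            records["CNAME"].append({"name": m.group(1), "target": m.group(2)})
            continue
        if line.startswith("Name:"):
            current_name = line.split(":", 1)[1].strip()
            continue
        if line.startswith(("Address:", "Addresses:")) and current_name:
            records["A"].append({"name": current_name,
                                 "address": line.split(":", 1)[1].strip()})
            in_addresses = True           # further indented lines are more addresses
            continue
        if in_addresses and line[0].isspace():
            records["A"].append({"name": current_name, "address": line.strip()})
            continue
        if soa is not None and (m := SOA_FIELD_RE.match(line)):
            soa[m.group(1)] = m.group(2)  # e.g. "primary name server", "serial"
            continue
        if not line[0].isspace() and len(line.split()) == 1:
            soa = {"name": line}          # bare owner line starts an SOA block
            records["SOA"].append(soa)
    return dict(records)


def exposed_hosts(records):
    """Hostnames and addresses anyone can learn from these records alone."""
    hosts = set()
    hosts.update(r["exchange"] for r in records.get("MX", []))
    hosts.update(r["address"] for r in records.get("A", []))
    hosts.update(r["target"] for r in records.get("CNAME", []))
    hosts.update(r.get("primary name server") for r in records.get("SOA", []))
    hosts.discard(None)
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_nslookup(SAMPLE_SESSION)
    for rtype, entries in recs.items():
        print(rtype, entries)
    print("exposed:", exposed_hosts(recs))
```

Run against your own domain's nslookup output, the exposed list is the starting point for deciding which of those names really need to be in public DNS; a successful ls -d (zone transfer) would hand over the whole list at once, which is why the transfer attempt in the notes is worth testing from the defender's side too.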
Netcraft to find out what platform you're running.
Wayback Machine: archive.org/web
Job sites, LinkedIn profiles
Google searches
Google Syntax
Search for exact words = “use quotes”
OR = type OR between the words you want
-Solar = put a minus before words you don’t want
Google Operators
“dark Knight” batman = exact words
batman and “dark knight” = using AND operator
batman -joker = not looking for joker
batman | “dark knight” = OR operator
water heaters -used “natural gas” = look for water heaters, excluding pages that mention “used”, which must contain the phrase “natural gas”
Advanced Google Operators
No space between the operator and search term
intitle:batman = pages with batman in the title
intitle:”index of” is the same as intitle:index.of
intitle:”index of” private
cache: = displays Google's cached version
link: = shows list of pages that have links to your target
related: = similar web pages
info: = view info google has on target
site: = limits results to just the domain listed
allintitle: = limits results to those websites with ALL the search words in the title
intitle: = limits results to documents that contain the search word in the title
allinurl: = limits results to only those webpages with ALL search words in url
inurl: = limits results to documents that contain the search word in the url
Some examples of Google hacking
inurl: “/root/etc/passwd” intext:”home/*:”
intext:”access denied for” intitle:”shopping cart”
inurl:”printer/main.html” intext:”settings” = Brother printers
inurl:root.asp?acs=anon = public folders on Exchange
ext:sql intext:”alter user” intext:”identified by” = shows SQL files where the SQL admin has set a user's password (ALTER USER ... IDENTIFIED BY).
inurl:”weblogin.htm” intitle:”Vigor Login Page”
inurl:embed.html inurl:dvr
intitle:”web viewer for samsung dvr”

