CEH Basics - The Art of Reconnaissance

Created in January 06, 2024

2024   ·   cybersecurity   CEH   ·   cyber-security

In the world of cybersecurity, Footprinting or Reconnaissance form the foundational step of any ethical hacking process. This phase involves gathering critical information about the target system or organization, which can be used to identify potential vulnerabilities. In this blog, we’ll break down the core concepts, techniques, tools, and countermeasures associated with this essential stage of ethical hacking.

What is Footprinting?

Footprinting, also called reconnaissance, is the preparatory phase where an attacker or ethical hacker collects as much information as possible about a target system or organization before launching an attack. The aim is to map out the organization’s infrastructure, networks, and potential entry points.

Types of Reconnaissance

  1. Passive Reconnaissance:

    • Involves gathering information without directly interacting with the target.
    • Examples include Open-Source Intelligence (OSINT) tools like Shodan, proprietary databases, and Google Dorks.

  2. Active Reconnaissance:

    • Involves direct interaction with the target, which may leave traces in logs.
    • Examples include DNS Interrogation, network port scanning, and user enumeration.

Information Gathered During Reconnaissance

The information obtained during reconnaissance can be broadly categorized into three domains:

  • Organization Information: Employee details, organizational structure, and internal policies.
  • Network Information: DNS records, IP addresses, and open ports.
  • System Information: OS versions, server locations, and software details.

Footprinting Techniques

1. Search Engine Exploitation

  • Google Hacking:
    • Use Google Dorks like filetype:pdf site:eccouncil.org to find specific files or information.
    • Reference the Google Hacking Database (GHDB) for pre-defined queries.
  • Shodan Search Engine:
    • Discover internet-connected devices, web services, and port details using Shodan.io.

2. Finding Subdomains

  • Use commands and tools like:
    • dig google.com – Lists DNS records.
    • Sublist3r – Enumerates subdomains for further investigation.
  • Why Subdomains Matter:
    • Abandoned or unsecured subdomains can become a weak link, leading to potential breaches.

3. Archival Tools

  • Wayback Machine:
    • Retrieve historical versions of websites.
  • Photon:
    • Automate the extraction of archived URLs.

4. People Services

  • Platforms like LinkedIn, Indeed, and Naukri can be leveraged for gathering employee details. Sometimes, fake job postings are used for social engineering.

5. Competitive Intelligence Gathering

  • Collect insights about competitors’ locations, financial reports, online reputations, and activities on platforms like GitHub and news portals.

6. DNS and Network Footprinting

  • Tools like mxtoolbox.com for DNS lookups and reverse lookups.
  • Use traceroute to identify hops between servers to the target.

7. Email Header Analysis

  • Extract sender server, IP address, and domain details from email headers.

Automating Footprinting

Modern reconnaissance tools can automate much of the work:

  • Maltego: Visual link analysis for OSINT.
  • recon-ng: Web reconnaissance framework.
  • FOCA: Metadata analysis.
  • Subfinder: Finds subdomains.
  • OSINT Framework: Collection of open-source intelligence tools.

The Role of the Dark Web

The dark web often serves as a hub for malicious actors to buy and sell sensitive data. Tools like Tor provide access to these hidden layers of the internet. Ethical hackers must stay vigilant by monitoring forums and marketplaces for leaked information. One can buy datasets, zero-day vulns and information from various chat servers in the darkweb. One of the such markets is breached.vc which was taken down in the beginning of this year.

Countermeasures Against Reconnaissance

Organizations can mitigate the risks of reconnaissance with the following steps:

  1. Encrypt Data: Protect sensitive data with encryption.
  2. Identity Verification: Regularly authenticate and verify users.
  3. Update Infrastructure: Remove outdated domains and software versions.
  4. Employee Training: Educate employees on social engineering tactics.
  5. Social Media Awareness: Restrict location tagging and minimize sensitive disclosures.

Footprinting and reconnaissance are critical in both offensive and defensive cybersecurity strategies. By understanding these techniques, ethical hackers can identify vulnerabilities before attackers do, while organizations can implement robust defenses to mitigate risks. Stay tuned for the next blog in our CEH Basics series, where we’ll dive deeper into the technical tools and real-world applications of ethical hacking.



Enjoy Reading This Article?

Here are some more articles you might like to read next:

  • Create Your Own Neural Network from Scratch
  • CEH Basics - Network Scanning
  • CEH Basics - Information Security - Terms and Concepts
  • Understanding KNN with Malware File Prediction