
CERTIFIED INFORMATION SECURITY EXPERT

Topic: Footprinting and Scanning

FOOTPRINTING
What is footprinting?
“The process of collecting as much information as possible about the target or victim.”

Footprinting: Also known as reconnaissance or information gathering. This is the
preparatory phase where we collect as much information as possible about the target.
We usually collect information about 3 groups:
1. Network
2. Host
3. People Involved
There are 2 types of footprinting:
a. Active
b. Passive

Active Footprinting: Direct interaction with the target to gather the information.
Eg: Using the NMAP tool to scan the target.
Passive Footprinting: Trying to collect information about the target without directly
accessing the target. This involves collecting information from social media, websites, etc.

Methodology of Footprinting
1. Network Footprinting
2. Domain Footprinting
3. Social Networking Information
4. Google Footprinting
5. Website and Database Footprinting
6. Footprinting through Social Engineering

NETWORK FOOTPRINTING
“It is the process of accumulating data regarding a specific network environment,
usually for the purpose of finding ways to intrude into the environment.”
How to find the IP address of your own system?
1. Windows
i) Open CMD.
CMD stands for Command Prompt and is used to execute entered commands and perform
advanced administrative functions. It was made in batch programming; the first OS,
Disk Operating System (DOS), was also made using batch programming.
ii) Type ipconfig and then hit Enter.
iii) This shows both IP addresses: IPv4 (32 bits) and IPv6 (128 bits).
iv) Here the IPv4 address is 192.168.1.206.

2. Linux
a. ifconfig is the command for getting the IPv4 address of the system.

How to check the MAC address of your own system?

MAC (Media Access Control) is the physical address of the system.
It is written as 6 parts, in hexadecimal form.
The command to find the MAC address of the system (Windows) is getmac.
Every network technology has its own MAC address: the Ethernet, Wi-Fi, Bluetooth, etc.
interfaces we connect through each have their own MAC address.
For more detailed information, type ipconfig /all; this gives detailed information
about the system's interfaces.

The command to find the MAC address of the system (Linux) is ifconfig -a.

3. PING (Packet Internet Groper)

This can be used to check whether the internet is working or not.
But it is also used to check details of the target, such as which platform the
system is running on.

TTL: means "time to live". It is a value on an ICMP packet that prevents that packet
from propagating back and forth between hosts ad infinitum. It is also a measure of how
many hops the packet took.

To know the operating system using the TTL value:
1. 0 – 64: Linux based platform or server
2. 65 – 128: Windows based platform
3. >128: Cloud based platform
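As an added worked example (not part of the original notes), the following Python applies the TTL ranges above to a ping reply line and also estimates the hop count, assuming common initial TTLs of 64, 128 and 255 (an assumption the notes do not state); the sample reply lines are constructed:

```python
import re
from typing import Optional

# Platform guesses for observed TTL ranges, exactly as the notes above give them.
TTL_RANGES = (
    (0, 64, "Linux based platform or server"),
    (65, 128, "Windows based platform"),
)
# Initial TTL values commonly set by operating systems (assumption, not from the notes).
INITIAL_TTLS = (64, 128, 255)


def guess_platform(ttl: int) -> str:
    """Return the platform guess for an observed TTL, per the notes' table."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must be an 8-bit value (0-255)")
    for low, high, name in TTL_RANGES:
        if low <= ttl <= high:
            return name
    return "Cloud based platform"  # the notes' label for any TTL above 128


def estimate_hops(ttl: int) -> int:
    """Estimate hops traversed as the gap to the nearest common initial TTL at or above ttl."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL must be an 8-bit value (0-255)")


def parse_ping_ttl(line: str) -> Optional[int]:
    """Extract the TTL from a ping reply line (Linux prints 'ttl=', Windows 'TTL=')."""
    m = re.search(r"ttl=(\d+)", line, re.IGNORECASE)
    return int(m.group(1)) if m else None


# Constructed sample reply lines (not real captures): a host on the local LAN and
# a host reached across several routers.
SAMPLE_REPLIES = [
    "64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.4 ms",
    "Reply from 203.0.113.10: bytes=32 time=20ms TTL=117",
]

if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        ttl = parse_ping_ttl(line)
        print(f"ttl={ttl}: {guess_platform(ttl)}, about {estimate_hops(ttl)} hop(s) away")
```

Because the observed TTL is the initial value minus the hops taken, a distant host can land in a lower band, so treat the guess as a hint and confirm it with a second method.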

4. Domain Footprinting
What is a domain?
A domain name is your website name. A domain name is the address where Internet
users can access your website. A domain name is used for finding and identifying
computers on the Internet. Computers use IP addresses, which are a series of numbers.
However, it is difficult for humans to remember strings of numbers.
Examples of domains:
.com, .in, .org, .net, .gov, etc.

Top-level domains fall into the following groups:
- infrastructure top-level domain (ARPA)
- generic top-level domains (gTLD)
- generic-restricted top-level domains (grTLD)
- sponsored top-level domains (sTLD)
- country code top-level domains (ccTLD)
- test top-level domains (tTLD)

1. Generic Domain: Generic domain names are domain names made up solely of a common
word or phrase (e.g. real estate); if available, generic domains can be registered.
Examples:
.com
.org
.net
.gov
.mil
.example
.biz
.info
.int
Etc…

2. Country: A country code top-level domain (ccTLD) is an Internet top-level domain
generally used or reserved for a country, sovereign state, or dependent territory
identified with a country code.
Examples:
.uk
.in
.eu
.ma
.ae
.pk
Etc…

DOMAIN FOOTPRINTING

DNS (Domain Name System): The Domain Name System is a hierarchical and decentralized
naming system for computers, services, or other resources connected to the Internet or
a private network. It associates various information with domain names assigned to
each of the participating entities.
It is used because we cannot remember the IP addresses of all websites, so DNS takes us
to the website using its domain name (the site name together with a suffix such as .com
is the domain) and binds that name to the IP address.
1. Registrant: A domain name registrant is an individual or entity who registers a
domain name. Upon registration of a domain name, a registrant enters into a contract
with a registrar.

2. Registrar: A domain name registrar is a company that manages the reservation of
Internet domain names. A domain name registrar must be accredited by a generic
top-level domain (gTLD) registry or a country code top-level domain (ccTLD) registry.
Some examples of registrars are as follows:
- Bluehost
- HostGator
- GoDaddy
- Namecheap
- DreamHost
- Shopify
- Etc…

3. Registry: A registry operator is an organization that maintains the administrative
data for one or more top-level or lower-level domains.
For example:
Verisign is responsible for several top-level domains such as .com, .net and .name.
Afilias is responsible for the .info domain.
NIXI is responsible for the .in domain.

4. ICANN: The Internet Corporation for Assigned Names and Numbers is an American
multi-stakeholder group and nonprofit organization responsible for coordinating the
maintenance and procedures of several databases related to the namespaces and
numerical spaces of the Internet, ensuring the network's stable and secure operation.

PROCESS:
Registrant -> Registrar -> Registry -> ICANN

How to do footprinting using a domain?

whois.domaintools.com: This is a database which has the details of all domains.
Put the target's domain URL in the search bar on the site and check for the details
you need.
GOOGLE FOOTPRINTING

Google Dork: Google hacking, also named Google dorking, is a hacker technique that uses
Google Search and other Google applications to find security holes in the configuration
and computer code that websites are using. Google dorking can also be used for OSINT
(Open Source Intelligence).

Google dorks have some payloads (search operators):

1. inurl:
For example:
www.bank.com is the website and we need to find the admin panel of this site. But
sometimes the panel is hidden among many folders, which makes it difficult to find.
This is where inurl: comes into the picture, as it helps find the admin panel using
this syntax:

inurl: www.bank.com adminlogin

A website admin page can be written in .php, .asp, .jsp, etc.

Searching with this syntax will provide the full path of the adminlogin panel.

2. filetype:
This can be used to search for sensitive data on the company's website.

This dork is used with this syntax:

filetype:xls www.bank.com bank information

WEBSITE AND DATABASE FOOTPRINTING

1. Banner Grabbing: Banner grabbing is a technique used to gain information about a
computer system on a network and the services running on its open ports.
Administrators can use this to take inventory of the systems and services on their
network.

Eg:
Consider this website as the target:
www.abc.com
Type the whole URL and append anything at the end, like
www.abc.com/anything
This will throw ERROR 404 (page not found) and will also give some other information,
like the server on which the website is hosted, open ports on the website, which web
server it runs and its version, etc.

2. Database Footprinting:
List of some databases:
MySQL
MongoDB
MariaDB
Oracle
PostgreSQL
Etc…

How to find the database of a website using database footprinting?

www.soccerfield.pk/pages.php?id=2: put a single quote at the end of this and hit Enter
to see the results.

This website throws an error stating the name of the database, which is a
vulnerability.
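As an added illustration (not from the original notes) of why that error appears and how to stop it, here is the same kind of id lookup written the error-leaking way and then with a validated, parameterised query. It uses an in-memory SQLite table constructed in the code, so the engine name that leaks is sqlite3 rather than the site's real database:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the site's pages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (2, "Fixtures")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, page_id: str):
    """Pastes the raw id parameter into the SQL text. A stray quote breaks the
    statement and the database's own error (which names the engine) escapes."""
    sql = f"SELECT title FROM pages WHERE id = {page_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, page_id: str):
    """Validates the parameter and binds it, so the input can never alter the query
    and malformed input gets an empty result instead of an engine error."""
    if not page_id.isdigit():
        return []  # reject quietly; log the bad input server-side rather than echoing it
    return conn.execute("SELECT title FROM pages WHERE id = ?", (int(page_id),)).fetchall()


def probe(lookup, conn: sqlite3.Connection, page_id: str) -> str:
    """Return what a visitor would see: the rows, or the leaked error text."""
    try:
        return str(lookup(conn, page_id))
    except sqlite3.Error as exc:
        return f"{type(exc).__module__}: {exc}"


if __name__ == "__main__":
    db = make_db()
    for pid in ("2", "2'"):  # a normal request, then the single-quote probe from the notes
        print(f"id={pid!r:4} vulnerable -> {probe(lookup_vulnerable, db, pid)}")
        print(f"id={pid!r:4} hardened   -> {probe(lookup_hardened, db, pid)}")
```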

3. Social Engineering: In the context of information security, social engineering is
the psychological manipulation of people into performing actions or divulging
confidential information. This differs from social engineering within the social
sciences, which does not concern the divulging of confidential information.
Footprinting through Social Engineering:
- Eavesdropping: Eavesdropping is the act of secretly or stealthily listening to the
private conversation or communications of others without their consent in order to
gather information.

- Shoulder Surfing: Shoulder surfing is a type of social engineering technique used to
obtain information such as personal identification numbers (PINs), passwords and other
confidential data by looking over the victim's shoulder, either from keystrokes on a
device or sensitive information being spoken and heard.

- Dumpster Diving: In the world of information technology, dumpster diving is a
technique used to retrieve information that could be used to carry out an attack on a
computer network. Dumpster diving isn't limited to searching through the trash for
obvious treasures like access codes or passwords written down on sticky notes.

- Impersonation on Social Networking Sites: Capturing social media activities and
keeping an eye on the target using social media.

SCANNING

What is scanning?
Scanning is a set of procedures for identifying live hosts, ports and services,
discovering the operating system and architecture of the target system, and identifying
vulnerabilities and threats in the network.

For hacking a device you need to find technical information like:
- Live hosts
- Open ports
- Open virtual ports
- OS
- Architecture of the system (32-bit or 64-bit)
- Running services

Scanning Methodology:
1. Check for Live Systems
2. Check for Running Services and Open Ports
3. Vulnerability Scanning

Ports:
There are two types of ports:
1. Physical ports
These can be the audio jack, USB connection port, HDMI, projector, Ethernet port, etc.
2. Logical ports / virtual ports
In a system we have 65635 virtual ports.
1000 ports are used for running services.
Some well-known ports:
- FTP 20, 21
- SSH 22
- TELNET 23
- SMTP 25
- HTTP 80
- HTTPS 443
- DNS 53
- SMB 445
- NETBIOS 139
- MYSQL 3306
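As an added defender-side example (not part of the original notes), the port list above becomes a lookup table and a small check over constructed iptables-style firewall log lines flags a source that touches many of those ports, which is what the scanning described here looks like from the network's own logs; the log format and the threshold are assumptions:

```python
import re
from collections import defaultdict

# Service names for the ports listed in the notes above.
WELL_KNOWN_PORTS = {
    20: "FTP", 21: "FTP", 22: "SSH", 23: "TELNET", 25: "SMTP", 53: "DNS",
    80: "HTTP", 139: "NETBIOS", 443: "HTTPS", 445: "SMB", 3306: "MYSQL",
}

# Constructed sample lines in an iptables-style format (not real captures):
# 10.0.0.5 probes five ports on one host, 10.0.0.7 makes a single HTTPS connection.
SAMPLE_LOG = """\
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=22
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=23
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=80
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=443
kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=3306
kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP DPT=(?P<dpt>\d+)")


def service_name(port: int) -> str:
    """Name the service usually behind a port, or 'unknown' if it is not in the table."""
    return WELL_KNOWN_PORTS.get(port, "unknown")


def ports_per_source(log_text: str) -> dict:
    """Map each source IP to the set of destination ports it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group("src")].add(int(m.group("dpt")))
    return seen


def find_scanners(log_text: str, threshold: int = 4) -> dict:
    """Sources that touched at least `threshold` distinct ports, with service names."""
    return {
        src: [f"{p}/{service_name(p)}" for p in sorted(ports)]
        for src, ports in ports_per_source(log_text).items()
        if len(ports) >= threshold
    }


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {', '.join(ports)}")
```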

NETWORK SCANNING
1. Discover Live Hosts in the Network
a. In Windows (can be done using tools)
b. In Linux (can be done using commands)

How to scan hosts in WINDOWS using ADVANCED IP SCANNER?

NOTE: This tool won't work if there are firewalls in the company.
Advanced IP Scanner uses ICMP (Internet Control Message Protocol).
If the firewall blocks ICMP, this doesn't scan properly.
This scans subnet IPs ranging from 0 – 255.
Open Advanced IP Scanner -> Click SCAN -> IP and MAC addresses are displayed after
the scan.
If you want deep scanning, the IP address and MAC address are compulsory.

In Linux, the command to scan IP addresses is:

arp-scan -l

What if there is a firewall present, and how to bypass it?

We can use Angry IP Scanner.
There are also commands in Linux for bypassing firewalls.

2. System Scanning: Scanning multiple devices for in-depth scanning of the files
present in the system.
a. Zenmap (in Windows): This is the GUI version of Nmap.
b. Nmap (in Linux): 50+ commands to scan devices.

Open Zenmap -> in Target (enter IP or DOMAIN) -> Hit Enter -> Select Intense Scan
(deep scan) -> This will display the OPEN PORTS, which can be hacked via the servers
behind them.
In Topology it shows the devices present between the main system and the server.
In Ports / Hosts it shows the open ports and the services that are running.

3. Website Vulnerability Scanning
a. Acunetix (in Windows)
b. Uniscan & W3af (in Linux)

Open Acunetix -> Enter Website URL -> click NEXT -> Displays the WEBSERVER
-> Displays vulnerability levels (high/medium/low)

4. Content Management System Scanning
a. WordPress
b. Joomla

5. Cybersecurity Market Sector
a. Antivirus / Firewall
b. Encryption / Privacy
c. Mobile Device Security
d. Website Protection
e. IoT Security
f. Cloud Security Services
g. RT Log / Event Analysis
h. Network Security
i. Software and Application Security
j. Risk and Compliance
Thank you
Nikhil Shingade
www.nikhilshingade.info
Founder of Cybergravity Solutions
www.cybergravitysolutions.com
C.T.O. Hackbraininfo Pvt, Ltd.
www.hackbraininfo.com
Technical Head at Ignicia Technologies
www.igniciatechnologies.com
