Lesson 3 – Footprinting

• Footprinting is essential for scoping your target, as it will give you an idea of what sort of systems you’re attacking, what public IP ranges your target owns (attack surface), what domains
• Footpringint is focused on *passive* reconnaissance.  You will learn as much as you can indirectly about the target first.  Then, you will have very controlled direct interaction with the target in the semi-passive phase.  Semi-passive footprinting should be largely indistinguishable from normal traffic (eg, do some DNS queries or look at their webpage, but don’t do brute-force reverse DNS lookups or hardcore crawling of every page, etc.)

• The idea is not to touch the target organization until you’ve gathered enough info indirectly

• CDN = content delivery network

• http://www.sec.org/edgar.shtml

• For example, if you see the target company is looking to hire Oracle DBA’s on LinkedIn or Dice, then you can guess what sort of databases their running 🙂

• http://whois.icann.org
• http://whois.domaintools.com
• https://www.whois.net
• https://who.is

• ARIN = American Registry for Internet Numbers
• RIPE NCC = Réseaux IP Européens Network Coordination Centre
• APNIC = Asia Pacific Network Information Centre
• LACNIC = Latin American and Carribean Network Information Center
• AfriNIC = African Network Information Center

• ARIN – http://whois.arin.net
• RIPE NCC – https://apps.db.ripe.net/search/query.html
• APNIC – http://wq.apnic.net/apnic-bin/whois.pl
• LACNIC – http://lacnic.net/cgi-bin/lacnic/whois
• AfriNIC – http://www.afrinic.net/services/whois-query

• http://bgp.he.net

• http://searchdns.netcraft.com
• http://www.shodan.io

• For some nice video tutorials, go to HakTip’s YouTube page: https://www.youtube.com/show/haktip/ and search for videos titled “Maltego 101”
• A good text tutorial can be found here:
• https://www.ethicalhacker.net/columns/gates/maltego-part-i-intro-and-personal-recon
• https://www.ethicalhacker.net/columns/gates/maltego-part-ii-infrastructure-enumeration