Understanding Footprinting, Reconnaissance and Scanning


Aliu B. Sanusi

Cybersecurity Awareness Coach || IT Instructor || Cybersecurity Mentor || Ethical Hacker || App Developer || HTML & CSS || Python

In this guide, I’ll walk through the practical steps for passive and active footprinting, port and service scanning with Nmap, and host discovery with Netdiscover. We’ll use www.infocusqa.com as a simulated target and assume we’re performing an authorized penetration test for the organization that owns it.

Step 1: Footprinting and Reconnaissance

Footprinting is the first step: gathering information about the target, either without directly interacting with it (passive) or by interacting with it (active). Let’s start with passive footprinting and then move on to active footprinting.

1.1 Passive Footprinting

This involves gathering information without interacting directly with the target website. Passive tools rely on public data sources and never touch the target’s own systems, so they leave no trace in its logs.

Tools for Passive Footprinting:
  • WHOIS Lookup: to find out who registered the domain, when it was registered and expires, and which nameservers serve it.
  • Google Dorking: advanced search queries that surface indexed documents, directory listings and other publicly exposed content.

Steps for Passive Footprinting:

  1. WHOIS Lookup

A WHOIS lookup allows you to gather information about the domain, such as its registrar, registration dates, and contact details, without directly interacting with the target server.

Steps for WHOIS Lookup:

  1. Visit whois.com.
  2. In the search bar, enter the target domain, in this case infocusqa.com, and click “Search”.
  3. The WHOIS results will show details such as:
    • Domain registrar.
    • Registration and expiration dates.
    • Registrant’s contact details (if not hidden by privacy services).
    • Nameservers associated with the domain.

  2. Google Dorking

In the Google search bar, use queries like:

site:infocusqa.com filetype:pdf

This query searches for PDF files hosted on the infocusqa.com domain. You can try other queries such as:

intitle:index.of "backup" site:infocusqa.com
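The WHOIS result comes back as plain “key: value” text, and in a real engagement you will want the fields above extracted and two things flagged: whether the registrant contact is hidden behind a privacy service, and how close the domain is to expiry. The script below is an added example, not code from the original post; the WHOIS text it parses is a constructed sample for a placeholder domain (example-target.com), not a lookup result for infocusqa.com.

```python
"""Parse a raw WHOIS response into the fields listed above (registrar, dates,
registrant contact, nameservers) and flag privacy-redacted contacts and
impending expiry. Added example; SAMPLE_WHOIS is constructed for illustration."""
from datetime import datetime, timezone

# Constructed sample in the "key: value" layout that registrar WHOIS servers use.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, LLC
Creation Date: 2015-03-02T14:11:00Z
Updated Date: 2024-02-20T09:00:00Z
Registry Expiry Date: 2025-03-02T14:11:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provider
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
"""

# Words that typically appear when a privacy/proxy service masks the registrant.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "rdds")


def parse_whois(text):
    """Return a dict of lower-cased keys; Name Server lines are collected into a list."""
    record = {"nameservers": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "name server":
            record["nameservers"].append(value.lower())
        elif key not in record:            # keep the first value of any repeated key
            record[key] = value
    return record


def contact_redacted(record):
    """True if the registrant fields look like a privacy/proxy service."""
    fields = ("registrant name", "registrant organization", "registrant email")
    return any(marker in record.get(field, "").lower()
               for field in fields for marker in PRIVACY_MARKERS)


def _timestamp(value):
    """Parse the ISO-8601 UTC timestamps used in WHOIS date fields."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(text, now_iso=None):
    """Summary dict; now_iso (e.g. "2025-01-01T00:00:00Z") fixes the reference time."""
    now = _timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    record = parse_whois(text)
    return {
        "domain": record.get("domain name", "").lower(),
        "registrar": record.get("registrar"),
        "created": record.get("creation date"),
        "nameservers": record["nameservers"],
        "contact_redacted": contact_redacted(record),
        "days_until_expiry": (_timestamp(record["registry expiry date"]) - now).days,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WHOIS, "2025-01-01T00:00:00Z").items():
        print(f"{key:18} {value}")
```

The “days until expiry” figure is worth reporting to the client: a domain that lapses can be re-registered by anyone, which is a risk on the defensive side of the same information.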

1.2 Active Footprinting

This involves directly interacting with the target’s systems to gather information. Unlike passive footprinting, these probes can show up in the target’s logs and intrusion detection alerts.

Tools for Active Footprinting:
  • Ping
  • Traceroute
  • DNS enumeration tools such as nslookup, dnsenum or Sublist3r.

Steps for Active Footprinting:

  1. Ping the target:

ping infocusqa.com

This helps check if the target is online and responding (many hosts drop ICMP echo requests, so no reply does not prove the host is down).

  2. Traceroute:

traceroute infocusqa.com

This will show the path packets take from your machine to the target.

  3. DNS enumeration:

Use nslookup interactively, set the record type to any, and query the domain:

nslookup
> set type=any
> infocusqa.com

Many authoritative servers now answer ANY queries with a minimal response, so if the output is short, query the record types individually (set type=mx, set type=ns, set type=txt).

  4. Gathering subdomains:

Use Sublist3r to enumerate subdomains:

sublist3r -d infocusqa.com
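To make the nslookup step concrete, here is what “set type=any” followed by the domain name does on the wire: a single DNS query message goes out, and the answer section of the reply carries one record per type the server chose to return. The script below is an added example, not code from the original post; it builds the query and decodes a reply using only the standard library. The reply bytes are constructed in the script to stand in for a live server, and example-target.com is a placeholder, not infocusqa.com.

```python
"""Build the DNS query that `nslookup` sends for `set type=any`, and decode the
answer section of the reply. Added example; SAMPLE_RESPONSE is constructed."""
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """Encode a domain name as DNS labels: length-prefixed, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype="ANY", qid=0x1234):
    """12-byte header (RD flag set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_answers(msg):
    """Return (owner, type, ttl, value) for each record in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    assert flags & 0x8000, "not a response"
    offset = 12
    for _ in range(qd):                    # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4                        # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPES["A"]:
            value = socket.inet_ntoa(rdata)
        elif rtype in (QTYPES["NS"], QTYPES["CNAME"]):
            value = read_name(msg, offset)[0]
        elif rtype == QTYPES["MX"]:
            value = f"{struct.unpack('!H', rdata[:2])[0]} {read_name(msg, offset + 2)[0]}"
        elif rtype == QTYPES["TXT"]:
            value = rdata[1:1 + rdata[0]].decode("ascii")   # first character-string
        else:
            value = rdata.hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
        offset += rdlen
    return records


def _rr(rtype, rdata, ttl=300):
    """Constructed answer record whose owner is a pointer (0xC00C) to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


QUERY = build_query("example-target.com", "ANY")
# Constructed reply: same ID, QR+RD+RA flags, the question echoed, three answers.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
    + QUERY[12:]
    + _rr(QTYPES["A"], socket.inet_aton("192.0.2.10"))
    + _rr(QTYPES["MX"], struct.pack("!H", 10) + encode_name("mail.example-target.com"))
    + _rr(QTYPES["TXT"], b"\x0bv=spf1 -all")
)

if __name__ == "__main__":
    for owner, rtype, ttl, value in parse_answers(SAMPLE_RESPONSE):
        print(f"{owner:25} {ttl:>6} {rtype:5} {value}")
```

Sending QUERY over UDP to port 53 of a resolver and passing the datagram you get back to parse_answers() gives the same listing nslookup prints; the constructed reply simply avoids depending on a network during the walkthrough.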

Step 2: Scanning with Nmap

Once footprinting is done, we move to scanning, where we map the target’s open ports and the services behind them. We use Nmap for this, and its scripting engine for a first vulnerability assessment.

2.1 Scanning for Open Ports and Services:

nmap -sS -Pn infocusqa.com

  • -sS: TCP SYN (“half-open”) scan. It never completes the TCP handshake, so it is faster than a full connect scan; it requires root privileges.
  • -Pn: skips host discovery and treats the host as up, which matters when the target drops ping probes.
  • -A: aggressive scan (enables OS detection, version detection, script scanning and traceroute); used in the later scans.
  • -p1-10000: scans ports 1 to 10,000; you can always change the range or choose specific ports (Nmap’s default is the 1,000 most common ports).
  • This will give you a list of open ports, the services running on those ports, and possibly their versions.

2.2 Vulnerability Scanning:

Use the -sV option to detect service versions, and --script vuln to run Nmap’s vulnerability-detection scripts:

nmap -sV --script vuln infocusqa.com

This checks the identified services against known vulnerabilities. Treat the results as leads rather than confirmed findings: the scripts match on banners and version strings and can produce false positives.

2.3 Additional Tools:

  • Nikto: a web server scanner that checks for known vulnerable files, outdated server software and misconfigurations.

nikto -h infocusqa.com

  • OpenVAS: a full vulnerability scanner. Start its services and verify the installation:

openvas-start
openvas-check-setup

(On current Kali releases OpenVAS ships as Greenbone Vulnerability Management, where the equivalent commands are gvm-start and gvm-check-setup.)
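The scans above print a table of ports, but Nmap can also write the same results as XML with -oX scan.xml, which is the form you want when there are many hosts or when you need to compare a scan against what the client says should be exposed. The script below is an added example, not code from the original post or the Nmap project: it parses a constructed Nmap XML sample (not a real scan of infocusqa.com), lists the open ports per host, and flags any port that is not in an agreed baseline, which is the quickest way to turn a scan into findings.

```python
"""Summarise Nmap XML output (nmap ... -oX scan.xml) per host and flag open
ports missing from a baseline. Added example; SAMPLE_NMAP_XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes with -oX (trimmed to the
# elements used here). 192.0.2.10 is a documentation address, not a real host.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -sV -p1-10000 -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.42"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed baseline: the ports the client expects to be reachable per host.
BASELINE = {"192.0.2.10": {22, 80, 443}}


def parse_nmap_xml(xml_text):
    """Map each host that is up to a list of its open ports with service details."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                   # filtered/closed ports are not exposures
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
        hosts[addr] = open_ports
    return hosts


def unexpected_ports(hosts, baseline):
    """Open ports that the baseline does not allow: (addr, port, service, product)."""
    findings = []
    for addr, ports in hosts.items():
        allowed = baseline.get(addr, set())
        for p in ports:
            if p["port"] not in allowed:
                findings.append((addr, p["port"], p["service"], p["product"]))
    return findings


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr, ports in scan.items():
        print(addr, ", ".join(f"{p['port']}/{p['proto']} {p['service']}" for p in ports))
    for addr, port, service, product in unexpected_ports(scan, BASELINE):
        print(f"FINDING: {addr}:{port} ({service} {product}) is not in the baseline")
```

In the sample, MySQL on 3306 is the only port outside the baseline, which is exactly the kind of exposure (a database reachable from the network) that the later --script vuln and version checks should then focus on.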

Step 3: Discovering Endpoints with Netdiscover

When conducting penetration tests for a company, discovering all devices connected to the internal network is essential. For this, we use Netdiscover, which finds hosts on the local network segment through ARP.

Steps for Using Netdiscover:

  1. Open your terminal and run Netdiscover against your network range to identify active hosts (the -r option sends ARP requests across the range; use -p instead to listen passively for ARP traffic without sending anything):

sudo netdiscover -r 192.168.1.0/24

Replace 192.168.1.0/24 with the network range you want to scan. This will show all live hosts on the network with their MAC addresses and vendor names.

  2. Once you have a list of live IP addresses, confirm them with an Nmap ping sweep:

sudo nmap -sP 192.168.1.0/24

This pings all devices in the specified subnet and lists the active hosts (-sP is the older name for this option; current Nmap versions call it -sn and still accept -sP).

3.1 Scanning Discovered IP Addresses:

After discovering the endpoints, we can scan them for open ports and vulnerabilities as a group instead of one by one.

Steps:

  1. Create an IP list:

touch iplist.txt

Edit iplist.txt with Mousepad (or any text editor) and type all the intended IP addresses in it, one per line:

mousepad iplist.txt

  2. Run the scan against every address in the list:

sudo nmap -A -p1-10000 -T5 -iL iplist.txt

-iL reads the targets from the file. -T5 is Nmap’s most aggressive timing template: fast on a LAN, but it can miss ports on slow or rate-limited hosts, so drop to -T4 if the results look incomplete.
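Typing the addresses into iplist.txt by hand works for a handful of hosts; for a whole subnet it is easier to build the list from Netdiscover’s own output, and while you have the MAC addresses in hand, to compare them with the client’s asset inventory so that devices nobody can account for stand out. The script below is an added example, not code from the original post or from Netdiscover: the Netdiscover output and the inventory it uses are constructed samples.

```python
"""Build iplist.txt for `nmap -iL` from Netdiscover output and flag MAC
addresses that are missing from an asset inventory. Added example; the
Netdiscover output and INVENTORY below are constructed samples."""
import re

# Constructed sample in Netdiscover's table layout: IP, MAC, count, length, vendor.
SAMPLE_NETDISCOVER = """\
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     00:11:22:33:44:55      1      60  Example Router Co.
 192.168.1.20    aa:bb:cc:dd:ee:01      1      60  Example Printer Inc.
 192.168.1.21    aa:bb:cc:dd:ee:02      1      60  Example Laptops Ltd.
 192.168.1.77    de:ad:be:ef:00:01      1      60  Unknown vendor
"""

# Constructed asset inventory supplied by the client: MAC -> description.
INVENTORY = {
    "00:11:22:33:44:55": "core router",
    "aa:bb:cc:dd:ee:01": "2nd floor printer",
    "aa:bb:cc:dd:ee:02": "staff laptop",
}

# A host row: IPv4 address, MAC address, two integer columns, then the vendor text.
HOST_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+\d+\s+\d+\s+(.*?)\s*$",
    re.IGNORECASE,
)


def parse_netdiscover(text):
    """Return (ip, mac, vendor) for every host row; headers and banners are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower(), m.group(3)))
    return hosts


def build_iplist(hosts, exclude=()):
    """Contents for iplist.txt: one IP per line, skipping excluded addresses."""
    return "\n".join(ip for ip, _, _ in hosts if ip not in exclude) + "\n"


def unknown_devices(hosts, inventory):
    """Hosts whose MAC is not in the inventory: candidates for a rogue device."""
    return [(ip, mac, vendor) for ip, mac, vendor in hosts if mac not in inventory]


if __name__ == "__main__":
    found = parse_netdiscover(SAMPLE_NETDISCOVER)
    with open("iplist.txt", "w") as fh:
        fh.write(build_iplist(found, exclude={"192.168.1.1"}))  # leave the gateway out
    for ip, mac, vendor in unknown_devices(found, INVENTORY):
        print(f"not in inventory: {ip} {mac} ({vendor})")
```

The resulting iplist.txt is what the -iL scan above consumes. The inventory comparison is the defensive half of the same data: a MAC address that the client cannot attribute to a known asset deserves its own line in the report before any port scan of it is interpreted.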


© All rights reserved by Aliu B. Sanusi