Kali Footprinting Techniques for Pen Testing

This document provides instructions for using various open-source tools and web services to gather information that could aid in targeting an organization. The key steps include: 1. Using DNS enumeration tools like dnsenum and dig to identify DNS records like mail servers, subdomains, and zone transfers. 2. Using metadata extraction tools like exiftool and strings on files from the target to find personally identifiable information like user names, email addresses, and internal details. 3. Leveraging automated tools like Shodan, Spiderfoot, and IPNeighbour to discover services, subdomains, geolocation and other technical details about domains and IP addresses. 4. Employing domain enumeration via the Recon-

Uploaded by

Tarik Ameziane
Copyright © All Rights Reserved

PRACTICAL DAY 1 - Using Kali, free tools and web services for footprinting

1. DNS HARVESTING:
Execute the following commands and observe the output. What useful information can you find that could be used
for an attack? NOTE: For this practical we will be using [Link], which is intentionally set up for pen-test learning.

a) DNS Enumeration
dnsenum [Link]
b) Zone transfer:
dig axfr @[Link] [Link]
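Seen from the zone owner's side, the same output answers a different question: what does the zone give away if the transfer is allowed from anywhere? The Python script below is an added example, not part of the lab handout. It parses text in the format that `dig axfr` prints (the sample zone, hostnames and addresses are constructed placeholders using documentation ranges) and reports the record types, the hostnames, and any A/AAAA records that point into RFC 1918 address space, which is the usual sign that an internal zone is being served to the Internet.

```python
"""Triage of a DNS zone transfer, from the zone owner's side.

Added example, not part of the lab handout. Paste in what `dig axfr`
prints for a zone you are authorised to transfer; the functions report
which record types, hostnames and RFC 1918 (internal) addresses the
transfer discloses, so you can judge what an open allow-transfer leaks.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in dig's AXFR output format. Zone name, hosts and
# addresses are placeholders (documentation ranges), not data from the lab.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.0 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
example.test.           3600  IN  SOA    ns1.example.test. admin.example.test. 2024010101 7200 900 1209600 86400
example.test.           3600  IN  NS     ns1.example.test.
example.test.           3600  IN  MX     10 mail.example.test.
mail.example.test.      3600  IN  A      198.51.100.25
www.example.test.       3600  IN  A      198.51.100.10
intranet.example.test.  3600  IN  A      10.0.5.20
vpn.example.test.       3600  IN  A      192.168.1.1
dev.example.test.       3600  IN  CNAME  www.example.test.
example.test.           3600  IN  SOA    ns1.example.test. admin.example.test. 2024010101 7200 900 1209600 86400
;; Query time: 12 msec
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples; dig's ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RECORD_RE.match(line)
        if match:
            name, ttl, rtype, rdata = match.groups()
            records.append((name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def is_rfc1918(address):
    """True when the IPv4 address falls in one of the RFC 1918 private ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def summarise(records):
    """Count record types, list hostnames, and flag records pointing to internal space."""
    types = Counter(rtype for _, _, rtype, _ in records)
    hostnames = sorted({name for name, _, rtype, _ in records if rtype in ("A", "AAAA", "CNAME")})
    internal = [(name, rdata) for name, _, rtype, rdata in records
                if rtype in ("A", "AAAA") and is_rfc1918(rdata)]
    return {"types": dict(types), "hostnames": hostnames, "internal": internal}


if __name__ == "__main__":
    report = summarise(parse_axfr(SAMPLE_AXFR))
    print("record types:", report["types"])
    print("hostnames:", ", ".join(report["hostnames"]))
    for name, addr in report["internal"]:
        print(f"internal address exposed: {name} -> {addr}")
```

A zone that lists `intranet` or `vpn` hosts with 10.x or 192.168.x addresses is mixing internal and external views; the fix is to restrict `allow-transfer` to secondary servers only and, where internal names are needed, to serve them from a separate internal zone.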

2. Metadata Extraction

In this lab we will learn how to find valuable data for structuring our attack in documents belonging to
the target company. The files you will examine in this lab are:

[Link]

[Link]

[Link]

You can use any tools you want, but all you really need is exiftool and strings (if either is not
installed, install it first).

ExifTool syntax:

exiftool filename

To run strings:

strings filename

Try this for each of the files, and answer the following questions:

a) What is the full name of user Bob? What is Bob’s nickname?
b) What is Bob’s email address?
c) What Personally Identifiable Information is located in the spreadsheet (.xls) file?
d) What information is associated with the organization’s firewall ruleset?
e) Look through the files to find all file system paths and URLs.
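Question e) is mechanical enough to script, and a document owner should run the same check before anything is published. The Python below is an added example, not part of the handout: it reproduces what `strings` does (pull printable ASCII runs out of a binary file), then picks out PDF Info fields such as `/Author` and `/Creator`, e-mail addresses, URLs, UNC paths and Unix paths from those strings. The PDF-like sample bytes, names and paths are constructed placeholders, not the lab files.

```python
"""Pre-publication metadata and indicator scan for office/PDF files.

Added example, not part of the lab handout. It does what the exiftool
and strings steps do by hand: pull printable strings out of a binary
file, then pick out author fields, e-mail addresses, URLs, UNC paths and
Unix paths, which is exactly what question e) asks you to find and what a
document owner should strip before publishing.
"""
import re

# Constructed PDF-like sample. Names, paths and addresses are placeholders.
SAMPLE_DOC = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Author (Bob Smith) /Creator (Microsoft Word) /Title (Q3 firewall review) >>\nendobj\n"
    b"4 0 obj\n<< /Length 140 >>\nstream\n"
    b"BT (Saved from \\\\fs01\\finance\\q3.xlsx and /home/bsmith/drafts/ by bsmith@example.test) Tj\n"
    b"(Published at https://intranet.example.test/hr/handbook.pdf) Tj ET\n"
    b"endstream\nendobj\n"
    b"\x00\x01\x02\xff\xfe\x80\x81\x00"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

PATTERNS = {
    "emails": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "urls": re.compile(r"https?://[^\s)\"']+"),
    # Two leading backslashes, a server name, then a share/path with no whitespace.
    "unc_paths": re.compile(r"\\\\[\w.$-]+\\[^\s\"')]+"),
    # At least two path components; the lookbehind keeps URL paths and PDF names (/Author) out.
    "unix_paths": re.compile(r"(?<![\w/:])/(?:[\w.-]+/)+[\w.-]*"),
}
INFO_RE = re.compile(r"/(Author|Creator|Producer|Title|CreationDate|ModDate)\s*\(([^)]*)\)")


def strings(data, min_len=4):
    """Yield runs of printable ASCII of at least min_len bytes, like the strings(1) tool."""
    run = bytearray()
    for byte in data:
        if 0x20 <= byte <= 0x7E:
            run.append(byte)
        else:
            if len(run) >= min_len:
                yield run.decode("ascii")
            run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def extract_indicators(data):
    """Return PDF Info fields and every e-mail, URL and path found in the printable strings."""
    text = "\n".join(strings(data))
    found = {key: sorted(set(rx.findall(text))) for key, rx in PATTERNS.items()}
    found["info"] = {key: value for key, value in INFO_RE.findall(text)}
    return found


if __name__ == "__main__":
    for key, values in extract_indicators(SAMPLE_DOC).items():
        print(f"{key}: {values}")
```

Real office files store this metadata in compressed XML (docx, xlsx) or in PDF object streams, so for production use run the file through exiftool or unzip it first and feed the decompressed text to `extract_indicators`; the pattern set is the part that carries over.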

3. Automated Tools and Services for Data Collection


a) Go to [Link] and create an account. Research the [Link] domain. What useful
information can you see? Explore Shodan to learn more about its capabilities.
b) In your Kali VM, start the Spiderfoot tool. Research the [Link] domain. What useful
information can you see? Put all the information you believe could be used for the attack in a
separate file! You can start the software with:
spiderfoot -l [Link]:8000 (you can use any port you choose)
c) Go to [Link] and run a query on 3 domains of your choice. What data did we
see here?

4. RECON-NG for Domain enumeration

We will use the Bing web hostname enumerator module and try to find additional subdomains of the
[Link] website:
a) Load the module:
• recon/domains-hosts/bing_domain_web
• show info (displays information about the module)
b) Set the target and execute (you can also use some of the domains identified in the previous
practical)
• load recon/domains-hosts/bing_domain_web
• run

5. Execute the command below using nmap. Check the output and assess the relevance to a
potential penetration test.
nmap --script dns-brute --script-args [Link]=[Link]
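Every hostname that `dns-brute` guesses wrong comes back from the authoritative server as NXDOMAIN, so from the defender's side the scan is one client producing many distinct NXDOMAIN answers in a short window. The Python below is an added example, not part of the handout: a sliding-window detector over resolver log lines. The log format (`timestamp client= query= type= rcode=`) and the addresses are constructed for the example and do not match BIND's or Zeek's native layouts.

```python
"""Spot a subdomain brute-force run in authoritative DNS logs.

Added example, not part of the lab handout. nmap's dns-brute script (and
tools like it) guess many hostnames in a short time, and each miss comes
back NXDOMAIN. On the server side that shows up as one client producing
many distinct NXDOMAIN answers within a small window, which is what this
sliding-window detector flags.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed resolver log lines in a simple key=value format (a made-up
# layout, not BIND's or Zeek's). Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-15T10:00:00Z client=203.0.113.9 query=www.example.test type=A rcode=NOERROR
2024-01-15T10:00:01Z client=198.51.100.7 query=www.example.test type=A rcode=NOERROR
2024-01-15T10:00:02Z client=198.51.100.7 query=ftp.example.test type=A rcode=NXDOMAIN
2024-01-15T10:00:02Z client=198.51.100.7 query=admin.example.test type=A rcode=NXDOMAIN
2024-01-15T10:00:03Z client=198.51.100.7 query=mail2.example.test type=A rcode=NXDOMAIN
2024-01-15T10:00:03Z client=203.0.113.9 query=wwww.example.test type=A rcode=NXDOMAIN
2024-01-15T10:00:04Z client=198.51.100.7 query=dev.example.test type=A rcode=NXDOMAIN
2024-01-15T10:00:05Z client=198.51.100.7 query=test.example.test type=A rcode=NXDOMAIN
2024-01-15T10:00:06Z client=198.51.100.7 query=staging.example.test type=A rcode=NXDOMAIN
2024-01-15T10:00:07Z client=198.51.100.7 query=backup.example.test type=A rcode=NXDOMAIN
2024-01-15T10:00:09Z client=198.51.100.7 query=portal.example.test type=A rcode=NXDOMAIN
2024-01-15T10:00:10Z client=203.0.113.9 query=mail.example.test type=MX rcode=NOERROR
"""

LOG_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+) type=(\S+) rcode=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    ts, client, qname, qtype, rcode = match.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "rcode": rcode}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return [(client, peak_distinct_nxdomain)] for clients whose distinct NXDOMAIN
    names inside any window of window_seconds reach threshold."""
    events = [e for e in map(parse_line, lines) if e and e["rcode"] == "NXDOMAIN"]
    events.sort(key=lambda e: e["ts"])
    window = defaultdict(deque)
    peak = {}
    for event in events:
        recent = window[event["client"]]
        recent.append(event)
        # Drop misses older than the window so a slow trickle of typos never accumulates.
        while (event["ts"] - recent[0]["ts"]).total_seconds() > window_seconds:
            recent.popleft()
        distinct = len({e["qname"] for e in recent})
        if distinct >= threshold:
            peak[event["client"]] = max(distinct, peak.get(event["client"], 0))
    return sorted(peak.items(), key=lambda item: -item[1])


if __name__ == "__main__":
    for client, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{client}: {count} distinct NXDOMAIN names in one window")
```

Counting distinct names rather than raw NXDOMAIN responses keeps a single misconfigured client that retries one bad name from tripping the rule; the threshold and window should be tuned against the normal NXDOMAIN rate of the zone before alerting on it.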

6. Go to [Link] and enter a domain of your choice. Use all available options and
let centralops do the scanning for you. Observe the output and analyze it.
7.

8. Search GitHub for the MegaCorpOne account. Within this account, let us try to find some sensitive
information. Search for any files with the word “users” in the name: filename:users

Try similar searches across entire GitHub (note, you will need to register and login)
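The files this search turns up (user lists, configuration with hard-coded passwords, committed keys) are exactly what a repository owner should catch before pushing. The Python below is an added example, not part of the handout and not a GitHub feature: it scans a repository snapshot for user-list filenames, password assignments, private-key headers, AWS-style access key ids and credentials embedded in URLs. The in-memory repository, its paths and values are constructed; the access key id is the example value AWS uses in its own documentation.

```python
"""Catch the files a GitHub search for "filename:users", passwords or keys would find,
before they reach a public repository.

Added example, not part of the lab handout. Point scan_tree() at the
contents of a repository (here a constructed in-memory one) and it flags
hard-coded passwords, private key material, AWS-style access key ids and
user-list filenames, the same things step 8 has you look for from outside.
"""
import re

# Constructed repository snapshot: path -> file contents. Values are placeholders;
# the access key id is the example value AWS uses in its own documentation.
SAMPLE_REPO = {
    "config/settings.py": 'DEBUG = False\nDB_PASSWORD = "Sup3rS3cret!"\nTIMEOUT = 30\n',
    "deploy/keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "scripts/users.txt": "alice\nbob\ncarol\n",
    "README.md": "Set the password in the environment variable before running.\n",
    "terraform/main.tf": 'access_key = "AKIAIOSFODNN7EXAMPLE"\n',
}

CONTENT_RULES = {
    # A password-like key assigned a quoted literal of four or more characters.
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # scheme://user:secret@host, as found in connection strings.
    "credential_in_url": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@\S+"),
}
FILENAME_RULES = {
    "user_list_filename": re.compile(r"(?:^|/)users?\.(?:csv|txt|json|xml|ya?ml)$", re.I),
}


def scan_file(path, content):
    """Return findings for one file as (path, line_number, rule) tuples; line 0 = filename match."""
    findings = []
    for rule, rx in FILENAME_RULES.items():
        if rx.search(path):
            findings.append((path, 0, rule))
    for number, line in enumerate(content.splitlines(), start=1):
        for rule, rx in CONTENT_RULES.items():
            if rx.search(line):
                findings.append((path, number, rule))
    return findings


def scan_tree(files):
    """Scan a mapping of path -> contents and return all findings sorted by path and line."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return sorted(findings)


if __name__ == "__main__":
    for path, number, rule in scan_tree(SAMPLE_REPO):
        where = f"{path}:{number}" if number else path
        print(f"{where}  {rule}")
```

Wired into a pre-commit hook, `scan_tree` over the staged files blocks the commit when it returns anything; the README line shows why the password rule requires an assignment and a quoted value rather than the bare word, so prose about passwords does not trip it.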
