Beginner Guide to Footprinting

There are many sayings about knowing your enemy, and time and time again these sayings have proved to be true. Today we hear all around us about the work of hackers, and many a time we fail to protect ourselves. This happens because we are not familiar with their working process. Therefore, in this article we will get you accustomed to the first step of that process, i.e. Footprinting.

In the world of Cyber Security, Footprinting is the first step, which lets penetration testers gather information about hardware or a network. It is basically an exploration process which helps us to know our enemy. In order to complete the penetration testing process, one ought to gather as much information as possible. Footprinting can be done either actively or passively. Assessing a company’s website with their permission is an illustration of passive footprinting, and trying to access sensitive information through social engineering is an illustration of active information gathering.

Types of Footprinting:

· Footprinting through search engines
· Footprinting through social engineering
· Footprinting through social networking sites
· Website footprinting
· Competitive intelligence
· WHOIS footprinting
· Footprinting using advanced Google hacking techniques
· Email footprinting
· DNS footprinting
· Network footprinting

As this is the first part of our footprinting series, we will discuss the first three types of footprinting.

Footprinting through Search Engine

Footprinting through a search engine is unambiguous in itself. People often wonder what one can find through a search engine, as the common notion of a search engine is basic browsing. But the results a search engine returns can be turned to a hacker’s advantage, as they are vast in nature.

Attackers use search engines to gather information about their target such as technology platforms, employee details, login pages, intranet portals, etc., which helps in performing social engineering and/or other types of advanced system attacks.

Even search engine caches and internet archives may provide sensitive information that has been removed from the World Wide Web (WWW).

There are many search engines where you can find anything you desire, from the meaning of a word to a person. Such search engines are:



Now let’s take the example of google.com. If I search “Raj Chandel” in Google, it will give me every possible result associated with the said person.


The result from other search engines will be the same. But different search engines are often used for particular searches. As shown above, Google is good for general information. If you want to know which websites are hosted on a particular server, you can use the Bing search engine. To find the IP address of any website, just ping the website as shown below.


Now, open bing.com and type the IP in the search tab and press enter.


In this way, Bing can give you details about websites which are hosted on the same server.


Another search engine is shodan.io; it helps to locate open ports, vulnerable IPs and affected devices all over the world. Open shodan.io in your browser and search for a port or IP.


For a detailed tutorial of shodan.io please follow this link:

http://www.hackingarticles.in/shodan-search-engine-hackers-beginner-tutorial/


Footprinting through job-seeking sites

Similarly, you can collect an abundance of information through job sites. You can learn a company’s infrastructure details, employee profiles, hardware information and software information. Some such sites are:


Footprinting through Alerts

There is also a feature for adding alerts. This feature gives you an alert if anything changes on a particular website, given that you have added an alert for the said website. To do so, open google.com/alerts and type the name of the website that you want to be alerted about, then click on Create Alert.


And this way an alert will be created.



Footprinting through Social Networking sites

Attackers use social networking sites like Facebook, Twitter, Pinterest, etc. to gain important and sensitive data about their target. They often create fake profiles on these social media sites to lure their target and extract sensitive information.

Employees may post personal information such as DOB, educational and employment background, spouse’s name, etc., and information about their company such as potential clients and business partners, trade secrets, websites, upcoming company news, mergers, acquisitions, etc. Even information about an employee’s interests is tracked, and they are then tricked into revealing more information.

Now if you want to search for a particular person using just their name or email, there are specialized websites for it like pipl.com and lullar.com.

Open pipl.com and type the name of the person you want to search for. For instance, I have searched my own name and, as you can see in the image below, we get a positive result.


Now open lullar.com; here you can search for people using their email and much more. Here, I have searched by email (using my own email) and there is a positive result in the image below.


Footprinting through social engineering

Social engineering is the art of manipulating human behavior to our own advantage. This proves most helpful when confidential information needs to be extracted. To do so, we depend on the fact that people are unaware of how valuable their information is and have no idea that they are being exploited. The most common example of this is when people call posing as credit/debit card companies and try to extract information.

Techniques used for social engineering are:

· Eavesdropping
· Shoulder surfing
· Dumpster diving
· Impersonation on social networking sites

This is how footprinting is done through search engines, social networking sites and social engineering. As white hat hackers we should know how it is done, but we should also be aware of it and try to protect ourselves against footprinting by black hat hackers.

Vulnerability Analysis in Web Application using Burp Scanner

Hello friends! Today we are going to use Burp Suite Scanner, which is used for website security testing to identify certain vulnerabilities inside a site. It is the first phase of web penetration testing for every security tester.

Burp Scanner is a tool for automatically finding security vulnerabilities in web applications. It is designed to be used by security testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.

Target:  www.testphp.vulnweb.com
Let’s start with the Burp proxy in order to intercept requests between the browser and the website. From the screenshot you can perceive that we have sent the intercepted request for an active scan.


Note: Always configure your browser proxy when using Burp Suite to intercept requests.


Through a window alert it will ask you to confirm your action for the active scan; press YES to begin the active scan on the targeted website.


Issue Activity
The issue activity tab contains a sequential record of the Scanner's activity in finding new issues and updating existing issues. This is useful for various purposes. Each entry shows:

· An index number for the item, reflecting the order in which items were added.
· The time that the activity occurred.
· The action that was performed.
· The issue type.
· The host and URL path for the issue.
· The insertion point for the issue, where applicable.
· The severity and confidence of the issue.

From the screenshot you can observe that the scan result highlighted 8 types of issues found inside the website, as follows:
1. Cross-site scripting (reflected)
2. Flash cross-domain policy
3. SQL injection
4. Unencrypted communications
5. Cross-domain Referer leakage
6. Email addresses disclosed
7. Frameable response (potential Clickjacking)
8. Path-relative style sheet import


Active Scan Queue

Active scanning typically involves sending large numbers of requests to the server for each base request that is scanned, and this can be a time consuming process. When you send requests for active scanning, these are added to the active scan queue, in which they are processed in turn. Each queue item shows:

· An index number for the item, reflecting the order in which items were added.
· The destination protocol, host and URL.
· The current status of the item, including percentage complete.
· The number of scan issues identified for the item.
· The number of requests made while scanning the item.
· The number of network errors encountered.
· The number of insertion points created for the item.
· The start and end times of the item's scanning.

One by one we are going to demonstrate these vulnerabilities in detail using the request and response.


Advisory on Cross-site scripting (reflected)

The advisory gives a brief description of the vulnerability and an idea of how to exploit it.
Issue: Cross-site scripting (reflected)
Severity: High
Confidence: Certain
Host: http://testphp.vulnweb.com
Path: /listproducts.php

The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload was submitted in the cat parameter. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Inside the request tab we can see the injected payload together with the intercepted data, which was sent in order to obtain a response for the generated request. In the given image you can observe that JavaScript has been injected inside the URL via the cat parameter.

In the response we can see that the injected payload is reflected in the page. It will generate an alert prompt on screen when executed in the browser.


Let’s verify it manually on the running website.
Execute the following script in the URL via the cat parameter. As a result you will receive an alert window showing 1.

Advisory on SQL injection
Similarly, test for the other vulnerabilities.
Issue: SQL injection
Severity: High
Confidence: Firm
Host: http://testphp.vulnweb.com
Path: /listproducts.php

The cat parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the cat parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Under the request tab a single quote (') is passed in the cat parameter to break the SQL statement in order to receive a database error as the response.

Under the response tab you can read the highlighted text, which clearly points towards a SQL injection vulnerability in the database layer.
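Both advisories point at the same handler: the cat parameter of /listproducts.php is spliced into a SQL statement and echoed unescaped into the HTML. The following model of that handler is an added illustration, not code from this article or from the test site; it reproduces both findings beside a hardened version, with sqlite3 standing in for the MySQL backend the advisory identifies and a constructed product table as data.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for the site's product table (sqlite3 replaces MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, 1, "Lens"), (2, 2, "Tripod")])
    return conn


def vulnerable_listproducts(conn, cat):
    """Models /listproducts.php?cat=...: the raw parameter is reflected into the
    HTML (reflected XSS) and concatenated into the SQL text (SQL injection)."""
    page = f"<h2>Category {cat}</h2>"                      # unescaped reflection
    try:
        rows = conn.execute(
            "SELECT name FROM products WHERE cat = " + cat).fetchall()  # string splicing
    except sqlite3.Error as err:
        # The raw error text reaches the client; this is what the scanner keyed on.
        return page + f"<pre>Database error: {err}</pre>"
    return page + "<ul>" + "".join(f"<li>{name}</li>" for (name,) in rows) + "</ul>"


def hardened_listproducts(conn, cat):
    """Same page with the parameter validated, bound as a query parameter and
    HTML-escaped wherever it is reflected."""
    try:
        cat_id = int(cat)          # the category is numeric; anything else is rejected
    except ValueError:
        cat_id = None              # a bound NULL matches no row instead of erroring
    rows = conn.execute(
        "SELECT name FROM products WHERE cat = ?", (cat_id,)).fetchall()
    items = "".join(f"<li>{html.escape(name)}</li>" for (name,) in rows)
    return f"<h2>Category {html.escape(cat)}</h2><ul>{items}</ul>"


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "'", "1<script>alert(1)</script>"):
        print("vulnerable:", vulnerable_listproducts(db, probe))
        print("hardened:  ", hardened_listproducts(db, probe))
```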

Advisory on Flash cross-domain policy

Issue: Flash cross-domain policy
Severity: High
Confidence: Certain
Host: http://testphp.vulnweb.com
Path: /crossdomain.xml

The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.



As above, it has generated the request through the GET method for crossdomain.xml.

It received a successful response to its GET request; in the highlighted text you can read that access to this site is allowed from any domain on any port number, and secure is set to false.
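The same check can be made without the scanner by reading the policy file directly. The following checker is an added example, not code from the article or from Burp; the permissive policy is a constructed sample modelled on the advisory text (any domain, any port, secure="false"), not the test site's real file, and the strict policy is a made-up comparison case.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the advisory (not the test site's actual file).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed restrictive policy for comparison: one named origin, HTTPS only.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""


def assess_crossdomain_policy(xml_text):
    """Return the risky grants found in a Flash cross-domain policy document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain policy document"]
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site may make '
                            'requests with the user\'s cookies and read the responses')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every host '
                            'under that suffix is trusted')
        if rule.get("to-ports") == "*":
            findings.append('to-ports="*": the grant covers every port on this host')
        # secure defaults to true for a policy served over HTTPS; false widens it to HTTP.
        if rule.get("secure", "true").lower() == "false":
            findings.append('secure="false": an HTTPS-served policy also trusts '
                            'plain-HTTP origins')
    for hdr in root.iter("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any site '
                            'may send custom request headers')
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", SAMPLE_POLICY), ("strict", STRICT_POLICY)):
        print(name, assess_crossdomain_policy(policy) or ["no risky grants"])
```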
In this way we can see how the Burp Suite scanner tests for security loopholes in a website.

3 ways to scan Eternal Blue Vulnerability in Remote PC

Hello Friends! As we all know, Microsoft Windows 7 is exploitable by EternalBlue through SMBv1. Microsoft then patched this vulnerability by updating the SMB version. Still, there are a large number of Windows 7 users who have not updated their systems. Now, if a security tester wants to separate vulnerable systems from updated ones, he requires some scanning to identify the vulnerable systems.

Eternal scanner is a network scanner for the EternalBlue exploit, CVE-2017-0144.

Target: Windows 7
Attacker: Kali Linux

Open the terminal in your Kali Linux and type the following command to download it from GitHub.


git clone https://github.com/peterpt/eternal_scanner.git && cd eternal_scanner


Once it has been installed successfully, you need to run the script in order to launch the scanner in the terminal by typing the following:
./escan

Once the scanner is launched inside the terminal it will ask you to enter the target IP; you can also add a range of IPs for scanning.

We have given only a single IP for scanning, i.e. 192.168.1.106, as the target.

Then it will start scanning and dump those IPs which are vulnerable in the given IP range; from the screenshot you can observe that it has dumped 192.168.1.106:445 as a vulnerable IP with SMB port 445, and saved the output inside /root/eternal_scanner/vulnr.txt.


When you open the output file you will observe the vulnerable IP as well as the name of the exploit, “MS17-010”, as shown in the given image.
Similarly, you can scan the target using NMAP and Metasploit.


NMAP

Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.

The script connects to the IPC$ tree, executes a transaction on FID 0 and checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine if the target is not patched against ms17-010. Additionally it checks for known error codes returned by patched systems.
Tested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016.

The following command will scan for SMB vulnerabilities using the built-in vuln scripts and report according to the output.
nmap -T4 -p445 --script vuln 192.168.1.106

You can observe from the given screenshot that port 445 is open and vulnerable. The target is exploitable via MS17-010; moreover the Risk factor is High, which means it is easily exploitable.


We can scan directly for the MS17-010 SMB vulnerability using the dedicated NMAP script with the following command:

nmap -T4 -p445 --script smb-vuln-ms17-010 192.168.1.106

From the given screenshot you can observe that it has scanned only for MS17-010 and found the target vulnerable to it.

From both NMAP results we have concluded that the target is vulnerable due to Microsoft SMBv1.
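Across a whole range rather than a single screenshot, the NMAP result is easier to act on when saved with -oX and triaged per host. This triage script is an added example, not part of the article or of NMAP or eternal_scanner; the XML fragment is constructed sample data that follows NMAP's XML layout and the "State: VULNERABLE" wording of its vuln scripts, and the addresses are made-up lab hosts in the article's 192.168.1.x range.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX fragment (sample data, not a real scan): one host flagged by
# smb-vuln-ms17-010, one with 445 open but no script output, one with 445 closed.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="192.168.1.106" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)  State: VULNERABLE  IDs: CVE:CVE-2017-0143  Risk factor: HIGH"/>
    </port></ports></host>
  <host><address addr="192.168.1.120" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
  <host><address addr="192.168.1.130" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports></host>
</nmaprun>"""


def ms17_010_triage(nmap_xml):
    """Return {address: verdict} from the smb-vuln-ms17-010 result on port 445."""
    verdicts = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        verdict = "port 445 not open"
        for port in host.iter("port"):
            if port.get("portid") != "445" or port.find("state").get("state") != "open":
                continue
            # nmap's vuln scripts print nothing for hosts they judge patched unless
            # vulns.showall is set, so silence means "not flagged", not proven safe.
            verdict = "not flagged"
            for script in port.iter("script"):
                if script.get("id") == "smb-vuln-ms17-010":
                    flagged = "State: VULNERABLE" in script.get("output", "")
                    verdict = "VULNERABLE" if flagged else "not vulnerable"
        verdicts[addr] = verdict
    return verdicts


def vulnerable_hosts(nmap_xml):
    """The addresses worth writing out, in the spirit of eternal_scanner's vulnr.txt."""
    return sorted(a for a, v in ms17_010_triage(nmap_xml).items() if v == "VULNERABLE")


if __name__ == "__main__":
    for addr, verdict in ms17_010_triage(SAMPLE_NMAP_XML).items():
        print(f"{addr:16} {verdict}")
    print("vulnerable:", vulnerable_hosts(SAMPLE_NMAP_XML))
```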


METASPLOIT
Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set rhosts 192.168.1.106
msf auxiliary(smb_ms17_010) > set lhost 192.168.1.104
msf auxiliary(smb_ms17_010) > set rport 445
msf auxiliary(smb_ms17_010) > exploit

From the screenshot you can perceive that the host is vulnerable to MS17-010.
Great!!! Now use MS17-010 to exploit your target.