Beginner Guide to Website Footprinting

In our previous article we have discussed a brief introduction of footprinting for gathering information related to the specific person. As we had discussed that there are so many type of footprinting and today we are going to talk about DNS footprinting, website footprinting and whois footprinting.

Browsing the target Website may Providing

Whos is Details

Software used and version

OS Details

Sub Domains

File Name and File Path

Scripting Platform & CMS Details

Contact Details

Let’s start!!

From Wikipedia 

Whois footprinting

WHOIS (pronounced as the phrase who is) is a query and response protocol and whois footprinting is a method for glance information about ownership of a domain name as following:

  • Domain name details
  • Contact details contain phone no. and email address of owner
  • Registration date for domain name
  • Expire date for domain name
  • Domain name servers

Whois Lookup

It is broadly used in support of querying databases that store the registered users or assignees of an Internet resource, such as domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.

Browse given URL http://whois.domaintools.com/in browser and type any domain name.

For example: let’s search pentestlab.in

Now you can see it has created a whois record for pentestlab.in where it contains details like: email address,IP, registrant Org. From given record anyone can guess that this domain have some connection to raj chandel. Then attacker needs to perform footprinting on raj chandel taking help from previous article.

There is so many other tools use for whois footprinting for example:

  • Caller IP
  • Whois Analyzer pro
  • Whois lookup multiple address

DNS Footprinting

Attacker performs DNS footprinting in order to enumerate DNS record details and type of servers. There are 10 type of DNS record which provide important information related to target location.

  1. A/AAAA
  2. SVR
  3. NS
  4. TXT
  5. MX
  6. CNAME
  7. SOA
  8. RP
  9. PTR
  10. HINFO

Domain Dossier: it is an online tool use for complete DNS footprinting as well as whois footprinting.

There are so many online tool use for DNS footprinting , using domain dossier we will check for DNS records of penetstlab.in, select the check box for DNS records and traceroute  and then click on go.

You can observe that, the data which we received from whois lookup and from domain dossier is same in some extent. It has given same email ID as above i.e. [email protected]and moreover details of DNS records TXT, SOA, NS, MX, A and PTR.

DNS Dumpster: it is also an online use for DNS footprinting.

DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Enumerate a domain and pull back up to 40K subdomains, results are available in a XLS for easy reference.

Repeating same process for pentestlab.in, it will search for its DNS record. From given screenshot you can observe we have received same details as above. More it will create a copy as output file in from XLS. 

You get signal: it is also an online tool use for DNS footprinting as well as for Network footprinting

A reverse IP domain check takes a domain name or IP address pointing to a web server and searches for other sites known to be hosted on that same web server. Data is gathered from search engine results, which are not guaranteed to be complete

Hence we get the IP 72.52.229.111 for pentestlab.inmoreover it dumped the name of 14 other domain which are hosted on same web server.

Website Footprinting

It is technique use for extracting the details related to website as following

  1. Archived description of website
  2. Content management system and framework
  3. Script and platform of the website and webserver
  4. Web crawling
  5. Extract meta data and contact details from website
  6. Website and web page monitoring and analyzer

Archive.org: It is an online tool use for visiting archived version of any website.

Archive.org has search option as wayback machine which is like a time machine for any website. It contains entire information from past till present scenario of any website either their layout or content everything related to website is present inside. In simple words it contains history of any website.

For example I had search for hackingarticles.in archived record of 2012.

 

Built With: It is an online tool use for detecting techniques and framework involved inside running website.

BuiltWith.com technology tracking includes widgets, analytics, frameworks, content management systems, advertisers, content delivery networks, web standards and web servers to name some of the technology categories.

 Taking example of hackingarticles.in again we found following things:

  • Content Management system: wordPress
  • Framework: PHP

Whatweb

Whatweb can identify all sorts of information about a live website, like: Platform, CMS platform, Type of Script, Google Analytics, Webserver Platform, and IP address Country. A pentester can use this tool as both a recon tool & vulnerability scanner.

Open the terminal in kali Linux and type following command

Whatweb www.pentestlab.in

As result we receive same information as above

Web crawling

HTTrack is a free and open source Web crawler and offline browser, developed by Xavier Roche

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure. 

 Give target URL for copy the web site as www.pentestlab.in which starts downloading the website.

http://www.hackingarticles.in/5-ways-crawl-website/

 Web Data Extractor

Web Data Extractor Pro is a web scraping tool specifically designed for mass-gathering of various data types. It can harvest URLs, phone and fax numbers, email addresses, as well as meta tag information and body text. Special feature of WDE Pro is custom extraction of structured data.

Start new project Type target URL as ignitetechnologies.in and select folder to save the output and click on ok.

Now this tool will extract meta data, email contact no. and etc from inside the target URL.

From given screenshot you can see it found 40 meta tags1 email 84-phone number from ignitetechnologies.in website.

Similarly there other tool use as web data extractor:

Web spider

Competitive Intelligence

Website-Watcher is a powerful yet simple website-monitoring tool, perfectly suited to the beginner and advanced user alike.  You can download it from here.

Using new tab and enter target URL which start monitoring the target website.

For example I enter URL hackingarticles.in for monitoring this website.

Similarly there are some other tool uses for monitoring:

On web change

Follow that page

Informinder

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

5 ways to Banner Grabbing

Banner are refers as text message that received from host. Banners usually contain information about a service, such as the version number.

From Wikipedia

Banner grabbing is a process to collect details regarding any remote PC on a network and the services running on its open ports. An attacker can make use of banner grabbing in order to discover network hosts and running services with their versions on their open ports and more over operating systems so that he can exploits it.

Nmap

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

The banner will be shortened to fit into a single line, but an extra line may be printed for every increase in the level of verbosity requested on the command line.

 Type following command which will fetch banner for every open port in remote PC.

nmap -sV –script=banner 192.168.1.106

From screenshot you can read the services and their version for open ports fetched by NMAP Script to grab banner for the target 192.168.1.106

Following command will grab the banner for selected port i.e. 80 for http service and version.

nmap -Pn -p 80 -sV –script=banner 192.168.1.106

As result it will dumb “http-server-header: Apache/2.2.8 (Ubuntu) DAV/2”

CURL

Curl –I is use for head in order to shown document information only; type following command to grab HTTP banner of remote PC.

curl -s -I 192.168.1.106 | grep -e “Server: “

As result it will dumb “http-server-header: Apache/2.2.8 (Ubuntu) DAV/2”

Telnet

Type following command to grab SSH banner of remote PC.

telnet 192.168.1.106 22

As result it will dumb “SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1”

Netcat

Type following command to grab SSH banner of remote PC.

nc –v 192.168.1.106 22

As result it will dumb “SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1”

Dmitry

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more.

Dmitry –b is use for banner grabbing for all open ports; Type following command to grab SSH banner of remote PC.

dmitry -b 192.168.1.106

From screenshot you can see it has shown banner for open port 21, 22, 23 and 25.

In this way Attacker can grab the services and their version for open ports on remote PC

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...