Footprinting - Paiet/SEC-335 GitHub Wiki
Objectives:
- Identify Live Hosts on a Network
- Perform Discovery Scans
- Perform Port Scanning
- Perform Stealth Scans
- Perform Packet Crafting
- Perform Fingerprinting
- Perform Service Probing
- Disable Ping Sweep
- Use Timing Templates
- Work with Nmap output parameters, such as -oA, -oN, -oG, and -oX
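The objectives end with Nmap's output formats. Of those, the grepable format (-oG) is the easiest to post-process without an XML library, and doing so is how a defender turns a discovery scan into an inventory check: which hosts answered, which ports are open, and which live hosts nobody can account for. The script below is an added example and is not part of the course wiki. It embeds a constructed -oG fragment (no real hosts were scanned; the names, versions and addresses are made up), parses the Host/Status/Ports records, lists live hosts and open ports, and compares the live hosts against an assumed asset inventory.

```python
import ipaddress
import re

# Constructed sample of nmap's grepable (-oG) output; these hosts and
# services are made up for the example and do not come from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.168.0.0/29
Host: 192.168.0.1 (gw.sec335.local)\tStatus: Up
Host: 192.168.0.1 (gw.sec335.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/\tIgnored State: closed (998)
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.2 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (998)
Host: 192.168.0.3 ()\tStatus: Down
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

# One -oG host record: "Host: <ip> (<name>)" followed by tab-separated
# "Key: value" fields (Status, Ports, Ignored State, OS, ...).
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_port(field):
    """Split one -oG port entry: port/state/proto/owner/service/rpc/version/."""
    parts = field.split("/")
    return {
        "port": int(parts[0]),
        "state": parts[1],
        "proto": parts[2],
        "service": parts[4],
        "version": parts[6],
    }


def parse_gnmap(text):
    """Return {ip: {"name", "status", "ports"}} parsed from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # '#' comment lines and anything unexpected
            continue
        ip, name, rest = m.groups()
        entry = hosts.setdefault(
            ip, {"name": name or None, "status": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                entry["ports"].extend(parse_port(p) for p in value.split(", "))
    return hosts


def live_hosts(hosts):
    """IPs nmap reported as Up, in address order."""
    return sorted((ip for ip, h in hosts.items() if h["status"] == "Up"),
                  key=ipaddress.ip_address)


def open_ports(hosts):
    """{ip: [open ports]} for hosts that had at least one open port."""
    result = {}
    for ip, h in hosts.items():
        opened = [p["port"] for p in h["ports"] if p["state"] == "open"]
        if opened:
            result[ip] = sorted(opened)
    return result


def unexpected_hosts(hosts, inventory):
    """Live hosts that are not in the (assumed) asset inventory.

    This is the defender's use of a discovery scan: anything an attacker
    can see that you cannot account for needs investigating.
    """
    return [ip for ip in live_hosts(hosts) if ip not in inventory]


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("live:", live_hosts(scan))
    print("open:", open_ports(scan))
    # Assumed inventory for the example: only the gateway is documented.
    print("unaccounted for:", unexpected_hosts(scan, {"192.168.0.1"}))
```

To run it against a real scan, read the file written by `-oG` instead of `SAMPLE_GNMAP`; the same parser works for the `.gnmap` file that `-oA` produces.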
There are different ways to enumerate a Windows host. Using enumeration, you can discover information, such as:
- OS version
- Users
- Services
- Groups
- Privileges
- Shares
- Configuration Settings
A Windows host can be enumerated using different methods. For example, you can enumerate a Windows host using:
- Built-in commands
- Nmap
- Rpcclient
- Metasploit Framework
You can use Nmap to scan networks:
- Scan for a single IP: nmap 192.168.0.1
- Scan for a host by using its name: nmap host1.sec335.local
- Scan an entire subnet: nmap sec335.local/24, nmap 192.168.0.0/24, nmap 192.168.0.*
- Scan for a range of IP addresses: nmap 192.168.0.1-10
- Scan for a range and a system outside the range (separate targets with spaces): nmap 192.168.0.1-10 192.168.1.10
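The target specifications above are what Nmap accepts on the command line. Before running a scan it is worth knowing exactly which addresses a specification expands to, so that nothing outside the authorised range is touched (`nmap -sL` lists them, resolving names along the way). The script below is an added example, not code from the wiki: it expands the same forms (single IP, CIDR, per-octet ranges and wildcards, several targets separated by spaces) without any DNS lookups or network I/O, and checks the result against an allow-list of in-scope networks. The scope `192.168.0.0/24` used at the bottom is an assumption for the example.

```python
import ipaddress
import itertools
import re

# An octet field may be a number, a range (1-10), a wildcard (*) or a
# comma-separated list of those, e.g. "1-10,20".
OCTET_SPEC = re.compile(r"^[\d*,-]+$")


def _expand_octet(spec):
    values = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, _, hi = part.partition("-")
            values.extend(range(int(lo or 0), int(hi or 255) + 1))
        else:
            values.append(int(part))
    return values


def expand_target(spec):
    """Expand one nmap-style target into addresses; names are left as-is."""
    if "/" in spec:
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            return [spec]  # e.g. sec335.local/24: needs DNS to expand
        return [str(addr) for addr in net]  # nmap includes .0 and .255
    octets = spec.split(".")
    if len(octets) == 4 and all(OCTET_SPEC.match(o) for o in octets):
        return [".".join(map(str, combo))
                for combo in itertools.product(*map(_expand_octet, octets))]
    return [spec]  # a hostname


def expand_targets(cmdline_targets):
    """Expand a space-separated target list the way nmap would read it."""
    hosts = []
    for spec in cmdline_targets.split():
        hosts.extend(expand_target(spec))
    return hosts


def out_of_scope(hosts, allowed_cidrs):
    """Addresses not inside any allowed network, plus names that cannot be
    checked without resolving them first."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for h in hosts:
        try:
            addr = ipaddress.ip_address(h)
        except ValueError:
            flagged.append(h)
            continue
        if not any(addr in n for n in nets):
            flagged.append(h)
    return flagged


if __name__ == "__main__":
    # Assumed engagement scope for the example: only 192.168.0.0/24.
    targets = "192.168.0.1-10 192.168.1.10 host1.sec335.local"
    hosts = expand_targets(targets)
    print(len(hosts), "targets; out of scope or unresolved:",
          out_of_scope(hosts, ["192.168.0.0/24"]))
```

Unresolved names are reported alongside out-of-scope addresses on purpose: a hostname cannot be confirmed in scope until it has been resolved, so the check refuses to silently pass it.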
Nmap Parameters:
What is Footprinting?
- Passive
  - No direct interaction with the target
  - Kind of like 'eavesdropping' on a conversation
  - Looking for freely available/public info
  - May get lucky and find unsecured sensitive info
  - Difficult/impossible to detect
- Active
  - Direct interaction with the target
  - Interrogation vs. eavesdropping
  - Detection possible
What kinds of information are attackers looking for?
- System Info
  - OS type
  - Services
  - Usernames/Passwords
- Network Info
  - DNS
  - Domain/Sub-domains
  - Firewall rules
- Organizational Info
  - Contact info
  - Employee info
  - Location info
How does this information help attackers?
- May reveal security controls
- Helps them focus on live targets
- Vulnerability identification
So, does Footprinting directly lead to target compromise?
- Usually not directly, but it is a crucial step towards those ends
- It supports compromise attacks like:
  - Social Engineering
  - Sensitive Data Exposure
  - System/Network Hacking ...