Methodologies used in Ethical Hacking
Footprinting refers to the process of collecting as much information as possible about the
target system in order to find ways to penetrate it. An ethical hacker spends most of their
time profiling an organization, gathering information about the hosts, network and people
related to the organization, such as:
1. IP addresses
2. Whois records
3. DNS information
4. Operating system used
5. Employee email IDs
6. Phone numbers
Footprinting helps to:
Know the security posture – The information gathered gives an overview of the security
posture of the company, such as the presence of a firewall, the security configuration of
applications, etc.
Reduce the attack area – The tester can identify a specific range of systems and concentrate
on particular targets only, which greatly reduces the number of systems to be focused on.
Identify vulnerabilities – An information database can be built containing the vulnerabilities,
threats and loopholes present in the target organization's systems.
Draw a network map – The information helps to draw a map of the target organization's networks,
covering topology, trusted routers, the presence of servers and other details.
OBJECTIVES OF FOOTPRINTING
1. Network Footprinting
This is the process of collecting information related to a target network. Information such as
the domain name, subdomains, network blocks, IP addresses of reachable systems, IDSes
running, rogue websites/private websites, TCP and UDP services running, VPN endpoints,
networking protocols, ACLs, etc. is collected.
2. Collect System Information
Data related to the target system, such as user and group names, system banners,
routing tables, SNMP information, system names, etc., is collected using various
3. Collect Organization's Information
Information related to employee details, the organization's website, location details,
the security policies implemented and the background of the organization may serve as
important input for compromising the security of the target through direct
or social engineering attacks.
Various methods are used to collect information about the target organization. They are:
WHOIS (pronounced as the phrase “who is”) is a query and response protocol. Whois
footprinting is a method for getting information at a glance about the ownership of a domain
name, such as:
Domain name details
Contact details, containing the phone number and email address of the owner
Registration date of the domain name
Expiry date of the domain name
Domain name servers
It is widely used for querying databases that store the registered users or assignees
of an Internet resource, such as a domain name, an IP address block or an autonomous system,
but is also used for a wider range of other information. The protocol stores and delivers
database content in a human-readable format.
As seen below, the WHOIS record created for pentestlab.in contains details such as the email
address, IP and registrant organization. From the given record, anybody, including attackers, can
guess that this domain has some connection to Raj Chandel.
There are many other tools used for WHOIS footprinting, for example:
Whois Analyzer Pro
Whois lookup multiple addresses
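As an added example (not code from the original page or from any of the tools named above), here is a small Python parser for a WHOIS response in the common key: value layout, together with a check a defender can run on their own domain. The domain, contact values and the list of role mailboxes are constructed placeholders; the check pulls out the fields listed above and flags when the published registrant contact is a personal mailbox rather than a role address, which is the same kind of leak the Raj Chandel record illustrates.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS response for a placeholder domain; every value below is invented.
SAMPLE_WHOIS = """\
% Registries prefix comment lines like this one
Domain Name: EXAMPLE-TARGET.IN
Registry Domain ID: PLACEHOLDER-ID
Creation Date: 2015-03-02T10:20:30Z
Registry Expiry Date: 2026-03-02T10:20:30Z
Registrant Organization: Example Org
Registrant Name: Jane Doe
Registrant Email: jane.doe@example-target.in
Registrant Phone: +91.9800000000
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""

# Role mailboxes that do not point at a named person (assumed list).
ROLE_MAILBOX = re.compile(r"^(hostmaster|dns|domains|admin|noc|abuse)@", re.I)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lists; keys such as Name Server repeat."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def first(record, key):
    """First value for a key, or None when the registry did not publish it."""
    return record.get(key, [None])[0]


def exposure_report(record, today=None):
    """Summarise the fields listed in the text (contacts, dates, name servers) and
    flag what an outsider learns. today is an ISO date string and defaults to now."""
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    expiry = first(record, "registry expiry date")
    report = {"domain": first(record, "domain name"),
              "created": first(record, "creation date"),
              "expires": expiry,
              "name_servers": record.get("name server", []),
              "findings": []}
    email = first(record, "registrant email")
    if email and not ROLE_MAILBOX.match(email):
        report["findings"].append("registrant email is a personal mailbox: " + email)
    if first(record, "registrant name"):
        report["findings"].append("registrant personal name is published")
    if first(record, "registrant phone"):
        report["findings"].append("registrant phone number is published")
    if expiry:  # a lapsed domain can be re-registered by someone else
        exp = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        days_left = (exp - now).days
        if days_left < 60:
            report["findings"].append(f"domain expires in {days_left} days")
    return report
```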
The attacker performs DNS footprinting in order to catalogue DNS record details and the types of
servers. There are 10 types of DNS record which provide important information related to the
Domain Dossier: it is an online tool used for complete DNS footprinting as well as whois footprinting.
There are many online tools used for DNS footprinting. Using Domain Dossier, we will check the
DNS records of pentestlab.in: select the check boxes for DNS records and traceroute, then
click on Go.
As you can see, the data received from the Whois lookup and from Domain Dossier is the same to
some extent. It has given the same email ID as above, i.e. [email protected], and moreover
details of the DNS records TXT, SOA, NS, MX, A and PTR.
DNS Dumpster: it is also an online tool used for DNS footprinting.
DNSdumpster.com is a domain research tool that can discover hosts related to a domain. It can
enumerate a domain and pull back up to 40K subdomains. The results are available in an XLS for
Repeating the same process for pentestlab.in, it will search for its DNS records. In the screenshot
below, you can observe that we have received the same details as above. It also saves a copy of
the output as an XLS file.
You Get Signal:
It is an online tool used for DNS footprinting as well as for network footprinting.
A reverse IP domain check takes a domain name or IP address pointing to a web server and
searches for other sites known to be hosted on that same web server. Data is gathered from
search engine results, which are not guaranteed to be complete.
Hence, we get the IP 188.8.131.52 for pentestlab.in. Moreover, it dumped the names
of 14 other domains hosted on the same web server.
Website footprinting is a technique used for extracting details related to the website, as follows:
Archived description of the website
Content management system and framework
Scripting platform of the website and web server
Extracting metadata and contact details from the website
Website and web page monitoring and analysis
Archive.org: It is an online tool used for visiting the archived version of any website.
It has search options going way back and is like a time machine for any website. It contains
the entire information about any website from the past to the present: their layout or content,
everything related to the website is present inside. In simple words, it contains the history of
For example, below is a search for the archived record of the site hackingarticles.in from 2012.
BuiltWith: It is an online tool used for identifying the technologies and frameworks involved
in a running website.
BuiltWith.com technology tracking includes widgets, frameworks, analytics, content
management systems, content delivery networks, advertisers, web standards and web servers,
to name a few of the technology categories.
Taking the example of hackingarticles.in again, we found the following:
Content management system: WordPress
HTTrack: Developed by Xavier Roche, HTTrack is a free and open source web crawler and offline
browser. It allows you to download a World Wide Web site from the Internet to a local
directory, building all directories recursively and getting HTML, images and other files from the
server to your computer. HTTrack preserves the original site’s relative link structure.
Give the target URL of the website to copy, www.pentestlab.in, which starts downloading the
Web Data Extractor
Web Data Extractor Pro is a web scraping tool specifically designed for gathering various data
types on a massive scale. It can harvest URLs, email addresses, phone and fax numbers, as well
as meta tag information and body text. Custom extraction of structured data is a special feature
of WDE Pro.
Start a new project, type the target URL as ignitetechnologies.in, select a folder to save the output
and click OK.
Now, this tool will extract metadata, email IDs, contact information and such from inside the
From the given screenshot, you can see it found 40 meta tags, 1 email and 84 phone numbers from
Footprinting through Search Engines
This is a passive information gathering process where we gather information about the target
from social media, search engines, various websites, etc. Information gathered includes names,
personal details, geographical location details, login pages, intranet portals, etc. Even some
target-specific information like operating system details, IP details, netblock information,
technologies behind web applications, etc. can be gathered by searching through search engines.
Example: collecting information from Google, Bing, etc.
Google hacking refers to collecting information using Google dorks (keywords) by constructing
search queries which result in finding sensitive information. Details collected include
compromised passwords, default credentials, competitor information, information related to a
specific topic, etc.
Examples: inurl:, site:, allintitle:, etc.
Examining HTML Source and Examining Cookies:
The HTML source code of a web application may give us an understanding of the application's
functionality, hidden fields, comments, variable names, etc. Cookies are used to identify a user
in their session. These cookies may be stored in the browser or passed in the URL, or in the
The entire website can be mirrored using tools like HTTrack to gather information at our own
pace. Using website archives, older versions of the website can be obtained
which may reveal some information related to the target.
Email headers reveal information about the mail server, the original sender’s email ID, the internal IP
addressing scheme, and possibly the architecture of the target network.
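To see what the email headers give away, here is an added Python example (not from the original page) that reads the Received chain of a message the way the receiving side sees it. The message, the host names, the addresses and the software banners are constructed placeholders; a mail administrator can run the same check over a message their own organization sent to find out whether the internal addressing scheme, the internal relay names and the server software leak to every recipient.

```python
import ipaddress
import re
from email import message_from_string

# Constructed outbound message as the recipient's server would receive it;
# every host name, address and id is a placeholder.
SAMPLE_MAIL = """\
Received: from edge-mx.example-target.in (edge-mx.example-target.in [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTPS id ABC123;
\tMon, 1 Jan 2024 10:00:00 +0000
Received: from EXCH01.corp.example-target.in (10.20.5.17) by
\tedge-mx.example-target.in (10.20.1.4) with Microsoft SMTP Server (TLS) id 15.1.2375.7;
\tMon, 1 Jan 2024 09:59:58 +0000
Received: from [192.168.44.23] (unknown [192.168.44.23])
\tby EXCH01.corp.example-target.in with ESMTP; Mon, 1 Jan 2024 09:59:55 +0000
From: Jane Doe <jane.doe@example-target.in>
To: someone@recipient.example
Subject: quarterly numbers
X-Mailer: Microsoft Outlook 16.0

body text
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOSTS = re.compile(r"\b(?:from|by) ([A-Za-z0-9][A-Za-z0-9.-]+)")
SOFTWARE = re.compile(r"\bwith (.+?)(?: id\b|;)")
PLAIN_PROTOCOL = re.compile(r"^E?SMTPS?A?$")  # protocol names, not a product banner
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True for RFC 1918 space only (ipaddress.is_private also covers documentation ranges)."""
    return any(addr in net for net in RFC1918)


def audit_headers(raw):
    """Report what an outsider learns from the Received chain: internal hops (the
    addressing scheme), the relay host names in those hops, and software banners."""
    msg = message_from_string(raw)
    report = {"sender": msg["From"], "private_ips": [], "internal_hosts": [], "software": []}
    for received in msg.get_all("Received", []):
        hop = " ".join(received.split())  # unfold the continuation lines
        internal_here = False
        for text in IPV4.findall(hop):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue
            if is_internal(addr):
                internal_here = True
                if text not in report["private_ips"]:
                    report["private_ips"].append(text)
        if internal_here:  # host names next to internal addresses are internal relays
            for host in HOSTS.findall(hop):
                if host not in report["internal_hosts"]:
                    report["internal_hosts"].append(host)
        m = SOFTWARE.search(hop)
        if m and not PLAIN_PROTOCOL.match(m.group(1)):
            report["software"].append(m.group(1))
    if msg["X-Mailer"]:
        report["software"].append(msg["X-Mailer"])
    return report
```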
Searching through browsers for personal information of employees:
The attacker/penetration tester can use Google, Yahoo people search, Yahoo finance, Google
finance, etc. for gathering personal details.
Vulnerability assessment enables recognizing, categorizing and characterizing the security
holes, known as vulnerabilities, among computers, network infrastructure, software, and
There is a need for vulnerability disclosure if vulnerabilities are detected as part of any
vulnerability assessment. Such disclosures are usually carried out by individual teams, such as the
organization which discovered the vulnerability or a Computer Emergency Readiness Team
(CERT). These vulnerabilities could be the main source of malicious activities like cracking
websites, systems, LANs, etc.
Vulnerability scanners automate security auditing and can play a vital part in your IT security by
scanning your network and websites for different security risks. These scanners are also capable
of generating a prioritized list of the issues you should patch, and they also describe the
vulnerabilities and provide steps on how to remediate them. Some can even
automate the patching process.
1. Nikto
Nikto is a popular open source web scanner employed for assessing probable
issues and vulnerabilities.
It is also used for verifying whether the server versions are outdated, and it also
checks for any particular problem that affects the functioning of the server.
Nikto is used to perform a variety of tests on web servers in order to scan for
different items, such as potentially hazardous files or programs.
It is not considered a quiet tool; however, it is used to test a web server in the
fastest possible time.
It is used for scanning different protocols like HTTPS, HTTPd, HTTP, etc. This tool
allows scanning multiple ports of a specific server.
2. Nessus Professional
Nessus is a branded and patented vulnerability scanner created by Tenable.
It protects networks from penetration by hackers by assessing the
vulnerabilities at the earliest opportunity.
It can scan for the vulnerabilities which permit remote hacking of sensitive data
from a system.
It supports a wide range of operating systems, databases, applications and several other devices
across cloud infrastructure, virtual and physical networks.
It has been installed and used by millions of users all over the world for
vulnerability assessment, configuration issues, etc.
3. Nexpose Community
Nexpose vulnerability scanner, developed by Rapid7, is an open source tool used for
scanning vulnerabilities and carrying out a wide range of network checks.
Nexpose can be incorporated into the Metasploit framework.
It takes into account the age of the vulnerability, such as which malware kit is
employed in it and what advantages it offers, and fixes the issue
based on its priority.
It is able to automatically detect and scan new devices and evaluate their
vulnerabilities when they access the network.
It monitors the exposure of vulnerabilities in real time, familiarizing itself with the
latest hazards using new data.
Most vulnerability scanners usually categorize the risks using a
medium, high or low scale.
4. OpenVAS
This is an open source tool serving as a central service that provides vulnerability
assessment tools for both vulnerability scanning and vulnerability management.
It supports various operating systems.
The scan engine of OpenVAS is constantly updated with the Network
The OpenVAS scanner is a complete vulnerability assessment tool that identifies
issues related to security in the servers and other devices of the network.
OpenVAS services are usually licensed under the GNU General Public License (GPL)
and are free of cost.
5. Comodo HackerProof
Comodo’s HackerProof is considered to be a revolutionary vulnerability scanning and
trust building tool that enables overcoming the security concerns of your visitors. A few
key benefits are:
Reducing cart abandonment
Daily vulnerability scanning
Inclusion of PCI scanning tools
Prevention of Drive-by attacks
Apart from the above-mentioned benefits, HackerProof also provides the visual
indicator needed by your customers to feel safe transacting with you. It helps decrease
shopping cart abandonment, enhance conversion rates, and drive your overall revenue
up. Finally, it includes patent-pending scanning technology, SiteInspector, which is
capable of eliminating drive-by attacks, thus providing a new level of security for all
those who proudly display the HackerProof logo.
6. Microsoft Baseline Security Analyzer (MBSA)
MBSA is a free Microsoft tool ideal for securing a Windows computer based on the
specifications or guidelines set by Microsoft.
MBSA allows organizations to enhance their security process by examining a group of
computers for any misconfiguration, missing updates and missing security patches.
It can only scan for security updates, service packs and update rollups, leaving
aside Critical and Optional updates.
It is used by medium-sized and small-sized organizations for managing the
security of their networks.
After scanning a system, MBSA will present a few solutions or suggestions
related to fixing the vulnerabilities.
Identify Entry Points and Attack Surface:
As the number of endpoints and applications within an enterprise surges, so do the threats.
This expanded attack surface has the potential to create millions of potential points of ingress
for cyber criminals.
The threat lies beyond the network, where endpoint vulnerabilities may put corporate
data or network access at risk.
Attacks can come from anywhere. They are internal or external. They target the
network, software or even the users themselves. Most involve more than one type of
Effectively protecting a moving target requires tools that give you visibility across all
endpoints. Control over the device becomes paramount with features like remote
capabilities to monitor data, device and user activity and lock down devices or data at
A layered approach to security is the ideal framework to improve data security, along
with education and processes to support the solutions in place.
The entry points are things like login screens, URLs and cookies, and the output points are
things like display screens, reports, etc.
We need to find vulnerabilities to bypass the access controls and break into the
All the above discussed attacks should be tested for their possibility.
Always validate the input fields.
Limit what can be entered in the input fields.
Check for arbitrary inputs like scripts, SQL injection code, etc.
Use a web application firewall.
Run database accounts with minimal access rights.
Use input/output encoding.
Use prepared statements and parameterised SQL queries to avoid SQL injection.
Configure the firewall with strict rules.
Use secure protocols.
Use random numbers for cookies and proper session expiry.
The Five Phases of Penetration Testing and Prevention
A security manager must understand black hat tools and techniques and use this knowledge to
design countermeasures into the information defense frameworks.
Phase 1: Reconnaissance
Phase 2: Scanning
Phase 3: Gaining Access
Phase 4: Maintaining Access
Phase 5: Covering Tracks
Phase 1 | Reconnaissance
Reconnaissance is probably the longest phase, sometimes lasting weeks or months. An attacker
uses a variety of sources to learn as much as possible about the target business and how it
operates, such as:
Domain name management/search services
Non-intrusive network scanning
It is not easy to defend against activities in this phase. Information about an organization finds
its way to the Internet via various routes. Employees are often easily tricked into providing
tidbits of information which, over time, build up a complete picture of processes,
organizational structure and potential soft spots. There are some things you can do which
make it much harder for an attacker, including:
Ensure your systems don’t leak information to the Web, including information about:
Software versions and patch levels
Email addresses
Names and positions of key personnel
Ensure proper disposal of printed information
Provide generic contact information for domain name registration lookups
Prevent perimeter LAN/WAN devices from responding to scanning attempts
Phase 2 | Scanning
After the attacker has gathered enough information to understand how the organization works
and what information of value might be available, they begin the process of scanning the
perimeter and internal network devices looking for weaknesses such as:
Vulnerable applications, including operating systems
Weak protection of data in transit
Make and model of each piece of LAN/WAN equipment
Scans of perimeter and internal devices can often be detected with the help of intrusion
detection (IDS) or prevention (IPS) solutions. However, this doesn’t always work. Veteran
attackers know ways around these controls. In any case, there are some steps you can take to
prevent scans like:
Shutting down all unneeded ports and services
Allowing critical devices or devices storing or processing sensitive information to only
respond to approved devices
Closely manage system design, resisting attempts to allow direct external access to
servers except under special circumstances and constrained by end-to-end rules defined
in access control lists
Maintain proper patch levels on endpoint and LAN/WAN systems.
Phase 3 | Gaining Access
The whole objective of a modern-day attack is to gain access to resources. The usual goal is to
either extract valuable information or use the network as a launch site for attacks against other
targets. In both situations, the attacker must gain some level of access to one or more network
In addition to the defensive measures, security managers should make every effort to ensure
end-user devices and servers are not easily accessible by unauthenticated users. This includes
denying local administrator access to business users and closely monitoring domain and local
admin access to servers. Further, physical security controls should detect attempts at a hands-
on attack, and delay an intruder long enough to allow effective internal or external human
response (i.e., security guards or law enforcement).
Also, encrypt highly sensitive information and protect keys. Even if network security is weak,
when all other controls fail, scrambling information and denying attacker access to encryption
keys is a good final defense. However, do not solely rely on encryption. There are other risks
due to weak security, such as system unavailability or use of your network for criminal
Phase 4 | Maintaining Access
Having gained access, an attacker must maintain access long enough to accomplish their
objectives. Although an attacker reaching this phase has successfully avoided security controls,
this phase can increase the attacker’s chance of detection.
You can use IDS and IPS devices to detect intrusions as well as extrusions. A few
intrusion/extrusion detection methods include:
Detect and filter file transfer content to external sites or internal devices
Prevent/detect direct session initiation between servers in your data center and
networks/systems not under your control
Look for connections to odd ports or nonstandard protocols
Detect sessions of unusual duration, frequency, or amount of content
Detect anomalous network or server behavior, including traffic mix per time interval
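The detection methods listed above, turned into a few rules over constructed connection records, as an added example that is not from the original page or from Olzak's article. The server network 10.20.0.0/16, the approved external destination, the expected-port set and the duration and volume thresholds are assumptions a security team would replace with its own baselines.

```python
import ipaddress
from collections import defaultdict

# Constructed connection records: ts,src,dst,dport,proto,duration_s,bytes_out.
# Addresses are RFC 1918 and documentation ranges, not real hosts.
SAMPLE_FLOWS = """\
2024-01-01T09:00:01,10.20.3.15,203.0.113.7,443,tcp,12,4800
2024-01-01T09:00:05,10.50.7.9,10.20.3.15,445,tcp,3,2100
2024-01-01T09:01:10,10.20.3.15,198.51.100.20,4444,tcp,7200,950000000
2024-01-01T09:02:00,10.50.7.9,203.0.113.7,443,tcp,30,12000
2024-01-01T09:03:00,10.20.3.15,198.51.100.20,53,udp,2,900
"""

DATA_CENTER = ipaddress.ip_network("10.20.0.0/16")         # assumed server network
APPROVED_EXTERNAL = {ipaddress.ip_address("203.0.113.7")}  # e.g. an approved update mirror
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_PORTS = {22, 25, 53, 80, 123, 443, 445}           # assumed allow-list
MAX_DURATION_S = 3600
MAX_BYTES_OUT = 100_000_000


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, dur, out = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "duration_s": int(dur), "bytes_out": int(out)})
    return flows


def detect(flows):
    """Apply the extrusion checks from the list above to each flow and return alerts."""
    alerts = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        reasons = []
        if src in DATA_CENTER and not is_internal(dst) and dst not in APPROVED_EXTERNAL:
            reasons.append("data-center server initiated a session to a network not under our control")
        if f["dport"] not in EXPECTED_PORTS:
            reasons.append(f"nonstandard port {f['dport']}/{f['proto']}")
        if f["duration_s"] > MAX_DURATION_S:
            reasons.append(f"unusual duration {f['duration_s']}s")
        if f["bytes_out"] > MAX_BYTES_OUT:
            reasons.append(f"unusual amount of outbound content: {f['bytes_out']} bytes")
        if reasons:
            alerts.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "reasons": reasons})
    return alerts


def hourly_outbound(flows):
    """Bytes sent per source per hour: the traffic-mix-per-interval view for baselining."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["ts"][:13])] += f["bytes_out"]
    return dict(totals)
```

In the sample only the two sessions from the data-center host to the unapproved external address are raised; the first is a long, high-volume session on a nonstandard port, the second is plain DNS to a resolver outside the organization's control.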
Phase 5 | Covering Tracks
After achieving their objectives, the attacker typically takes steps to hide the intrusion and
possible controls left behind for future visits. In addition to anti-malware, personal firewalls and
host-based IPS solutions, deny business users local administrator access to desktops. Alert on
any unusual activity, such as any activity not expected based on your knowledge of how the
business works. To make this work, the security and network teams must have at least as much
knowledge of the network as the attacker has obtained during the attack process.
Sources:
Beginner Guide to Website Footprinting – Raj Chandel
Your endpoint is an entry point for attack – Shin Fujikawa
The five phases of a successful network penetration – Tom Olzak