Footprinting, often simply called recon (short for reconnaissance), is the uninteresting part for some people when it comes to attacking systems. Many want to start exploiting as soon as possible, if not looting or post-exploitation. Those parts are certainly the best once a target is compromised… BUT: the pre-attack phase is crucial for a successful attack.
What is essential for good recon?
Much patience and, above all, thorough work! Now and then also a good portion of creativity. It often takes quite a while to gather enough information about your target in the recon phase. Small details are sometimes overlooked, which is why thorough work and exact analysis are extremely important.
Here are a few examples of such oversights:
- Not all hosts in the network were scanned
- Not all ports were scanned with nmap
- UDP ports were not scanned [1]
- Overlooking interesting hosts in large IP ranges
There are two methods of information gathering:
With passive information gathering, information is collected without performing targeted scans against a system. For example, one can search through the target's website or look for entries in the public WHOIS registry. Social media accounts on Facebook, Twitter or LinkedIn are also very popular sources. This variant is considerably stealthier, since no intrusion detection systems (IDS) are triggered.
Active information gathering generates much more “noise” in the network, and firewalls/IDS in particular are not very happy when ping sweeps are performed. It is therefore important to configure the scanners so that they produce as little “noise” as possible. The lower the scan aggressiveness is set (e.g. the `-T` parameter in nmap), the “quieter” such scans are. The disadvantage is that these scans take much more time than aggressive ones.
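Seen from the defender's side, the timing trade-off described above looks like this. The following is an added example, not part of the original post: a sliding-window detector that counts distinct destinations per source in ICMP echo records. The IP addresses, event format, window sizes and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque

def make_sweep(src, start, interval, count):
    """Constructed sample data: src pings `count` hosts, one every `interval` seconds."""
    return [(start + i * interval, src, f"10.0.0.{i + 1}") for i in range(count)]

def detect_sweeps(events, window, threshold):
    """Return the sources that contacted at least `threshold` distinct
    destinations within any sliding window of `window` seconds.

    events: iterable of (epoch_seconds, source_ip, destination_ip) tuples,
    e.g. ICMP echo requests taken from a firewall or flow log.
    """
    recent = defaultdict(deque)   # source -> (timestamp, destination) pairs still in window
    flagged = set()
    for ts, src, dst in sorted(events):
        q = recent[src]
        q.append((ts, dst))
        # Drop records that have fallen out of the window for this source.
        while q and q[0][0] <= ts - window:
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            flagged.add(src)
    return flagged

# Constructed events (documentation address space, not real hosts):
FAST = make_sweep("192.0.2.10", 0, 0.1, 50)   # 50 hosts in about 5 seconds
SLOW = make_sweep("192.0.2.20", 0, 15, 50)    # 50 hosts in about 12 minutes
# A monitoring system pinging one host repeatedly must not be flagged.
NORMAL = [(t * 30, "192.0.2.30", "10.0.0.5") for t in range(50)]
EVENTS = FAST + SLOW + NORMAL

if __name__ == "__main__":
    # A short window only catches the aggressive sweep ...
    print("60 s window:  ", sorted(detect_sweeps(EVENTS, 60, 20)))
    # ... a longer window also catches the slow one, at the cost of more state.
    print("3600 s window:", sorted(detect_sweeps(EVENTS, 3600, 20)))
```

Counting distinct destinations rather than raw packets is what keeps the repeated pings from the monitoring host out of the result.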
Can be very time consuming. But even here, important information such as host names, network size, subnets or domain controllers can be found. For a neat overview and easy filtering I would recommend Wireshark. If no GUI is available, you can alternatively use the wireshark-cli or tcpdump.
Of course, the right toolset always depends on which target is chosen. If you were to attack a wireless network, you would use the Aircrack-ng suite. For local networks, both nmap and Wireshark are indispensable.
A list of common tools as they can be found in Kali Linux
[1] UDP scans take much longer and are less accurate, but open ports can still be found.