By prabhu p

Art of Reconnaissance: From Battlefield to Browser - PART 0010



0010 : Footprinting Through Web services


  • Web Services: Platforms like social networks and job sites reveal organizational data (e.g., infrastructure, employees, location).

  • Forums & Blogs: Often expose sensitive network, system, or personal details.

  • Internet Archives: Recover removed sensitive information.


0010.0001 : Domain and Subdomain Discovery with Netcraft


The Netcraft Site Report is an online service that allows users to obtain detailed information about a website. It performs an extensive analysis of a site's infrastructure, security posture, hosting details, and other technical attributes.


I am using my own blog name to search.




The information I found here:


  • OCSP Stapling Response Not Received: Missing OCSP response may prevent certificate revocation verification, risking MITM attacks if the certificate is revoked.

  • Protocol Support: TLSv1.3 is secure, but ensure older protocols (e.g., TLSv1.1 or SSL) are disabled to prevent downgrade attacks.

  • Public Key Length: 2048-bit RSA key is secure, but consider updating to 3072 or 4096 bits for future-proofing.

  • Cipher Suite: TLS_AES_128_GCM_SHA256 is secure, but check that weaker ciphers are disabled to avoid vulnerabilities.

  • Certificate Revocation URL: Ensure the CRL URL is working and accessible for clients to verify certificate revocation.


0010.0010 : Domain and Subdomain Discovery with sublist3r


Sublist3r is a popular tool used for subdomain enumeration to help identify subdomains of a given domain, which is useful for reconnaissance in penetration testing or security assessments. For a domain like binaryb.blog, Sublist3r can help discover all associated subdomains (such as blog.binaryb.blog, www.binaryb.blog, etc.), which could reveal additional attack surfaces.


Commands to install on Linux (clone the Sublist3r repository first):


git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt

Command to perform the scan:


sublist3r -v -d binaryb.blog
The output shows the subdomains found through the SSL certificates associated with the domain. Do you see the catch? Yes: scpprod is a PROD server, vpn is a VPN server, and glidepathuat is a UAT server.

We found that this is hosted in AWS and that the UAT and PROD servers have public IP addresses...
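As an added example (not from the post or from Sublist3r), the following Python inventories hostnames from certificate-transparency data, the same source that exposed the PROD, UAT and VPN names above, and flags labels that leak an environment or role. The input is a constructed sample shaped like crt.sh JSON output; the hint list and the example.com domain are assumptions.

```python
"""Inventory hostnames exposed through certificate-transparency logs and flag
names that leak environment or role (added example; not Sublist3r's code)."""
import json
from urllib.request import urlopen

# Labels that reveal deployment environment or role. Assumption: extend for your org.
ENV_HINTS = {"prod", "uat", "dev", "staging", "test", "qa", "vpn", "admin", "internal"}

# Constructed sample in the shape of crt.sh's JSON output for "%.example.com".
# name_value may hold several SANs separated by newlines, wildcards and mixed case.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "scpprod.example.com"},
    {"name_value": "*.glidepathuat.example.com"},
    {"name_value": "vpn.example.com"},
    {"name_value": "WWW.EXAMPLE.COM"},            # duplicate differing only in case
    {"name_value": "example.com.attacker.test"},  # looks similar, not under the domain
])


def fetch_ct_json(domain: str) -> str:
    """Live lookup against crt.sh (needs network; not used by the offline demo below)."""
    with urlopen(f"https://crt.sh/?q=%25.{domain}&output=json", timeout=30) as resp:
        return resp.read().decode()


def extract_hostnames(ct_json: str, domain: str) -> set[str]:
    """Return the unique, lower-cased hostnames that are the domain or sit under it."""
    found = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower().removeprefix("*.")
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def flag_environment_leaks(hostnames, hints=ENV_HINTS) -> dict[str, list[str]]:
    """Map each hostname to the hints found inside its labels. Substring matching is
    deliberate ('scpprod' contains 'prod'); review hits such as 'product' by hand."""
    flagged = {}
    for host in sorted(hostnames):
        hits = sorted({h for label in host.split(".") for h in hints if h in label})
        if hits:
            flagged[host] = hits
    return flagged


if __name__ == "__main__":
    names = extract_hostnames(SAMPLE_CT_JSON, "example.com")
    for host, hits in flag_environment_leaks(names).items():
        print(f"{host}: leaks {', '.join(hits)}")
```

Run it against `fetch_ct_json("yourdomain")` to see which of your own certificate-exposed names give away environment or role before someone else does.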


0010.0011 : Personal Information Collection Using PeekYou


In this era we are blindly happy to share details on social media, so you can find some information about a person.


PeekYou.com is an online people search service that aggregates publicly available information about individuals from various sources across the web. It allows users to search for personal data such as names, addresses, phone numbers, social media profiles, and other public records - https://www.peekyou.com/







This one is very sneaky and helped me narrow down the search: it gave a report of all the websites I had signed up for.


The one I like the most is DNSDumpster: DNSDumpster - Find & lookup dns records for recon & research.



0010.0101 : OS Identification Through Passive Footprinting


Censys is a cybersecurity tool for discovering and analyzing internet-facing devices and services.


Details Found:

  1. Open ports, protocols, and SSL/TLS data.

  2. Domain info: subdomains, DNS records, and metadata.

  3. Exposure: vulnerabilities, misconfigurations, outdated software.

  4. Network scans: IPv4, ASN, and organizational insights.


Use Case: Assess security exposure, investigate breaches, and research threat infrastructure responsibly.




Guess what I found here: it is in AWS and hosted on RHEL Linux. We can use an nmap scan for further info.

0011 : Footprinting through Social Networking Sites


Risks and Information Exposure:

  • Attackers exploit public profiles or use fake accounts to gather sensitive data.

  • Users often share personal details (e.g., date of birth, education, employment).

  • Organizations post updates about partners, events, and news.


For Attackers: Social media can be a goldmine for gathering publicly shared information about individuals or organizations.



0011.0001: Employee Data Collection from LinkedIn


Using LinkedIn, attackers can identify employees and gather their email addresses and other information.


Targeting freshers with phishing emails has a greater chance of success, as they are often eager and excited to engage with company communications, making them more likely to fall for such attempts.


0010.0010: Personal Information Retrieval from Social Networks

sherlock:


Sherlock is a powerful tool designed to find social media profiles associated with a given username across multiple platforms. It's a great resource for investigating your online presence or tracking down usernames on various social networks.


git clone https://github.com/sherlock-project/sherlock.git
cd sherlock
python3 -m pip install -r requirements.txt

  • Use it to search for a specific username and narrow down your search.


sherlock <username>

Instagram :


That's a lot of information in the profile.


Command:
site:instagram.com intext:<exact username>

Likewise for Facebook:


site:facebook.com intext:<exact username>

Fetching documents about the target, such as records at an institute, events, games, etc.:


"prabhu perumal" filetype:pdf OR filetype:xlsx OR filetype:docx

Paid tools:


0100 : Website Footprinting.

Website footprinting involves analyzing a target organization's website to gather details like software, version, OS, file paths, database fields, contact info, CMS, and technologies used. This data can help plan advanced attacks.


0100.0001 Ping

Ping should be disabled on servers to prevent attackers from using it to find IP addresses and deliver malicious scripts. It’s an easy way for them to gather information and potentially exploit vulnerabilities.


With ping we can find the IP address of the target machine.





Exposing IP addresses via ping responses can allow attackers to enumerate a network's IP range, which is a potential risk. Disabling ping responses (ICMP) on public-facing servers can help mitigate this.


ping www.binaryb.blog -i 4 -n 1

The command ping www.binaryb.blog -i 4 -n 1 sends a single ping with a 4-second interval. If you see internal NAT IPs, it suggests the server might be behind a NAT or firewall, or there could be a network misconfiguration. This isn’t typical for a publicly accessible server and might require checking its network settings.



0100.0010 Data Collection from Target Website Using Photon


Photon helps gather all internal, external, and document links from a website.


While my blog has limited links, organizational websites typically have a wealth of interconnected links to explore.


git clone https://github.com/s0md3v/Photon.git
cd Photon
pip install -r requirements.txt
python3 photon.py -u <target_url> -o <output_folder>

You can crawl the website links by specifying crawl levels, similar to the levels seen in the ping command section.


0100.0011 Website Information Retrieval Using Central Ops


0010.0011 Central ops.net


DNS records are managed through GCP, and the domain uses Microsoft Outlook for email services. It has SPF, DKIM, and TXT records for verification, ensuring secure email and domain handling.


Potential threats I found through my blog website:


Phishing: CloudFront masking may obscure malicious activity.

Misconfigurations: Improperly configured SPF or TXT records could lead to spoofing risks.

Service Exploits: AWS-hosted services could be targeted for abuse if not properly secured.
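As an added example (not from the post or from CentralOps), the following Python checks an SPF TXT record for the misconfigurations that make spoofing possible: a permissive or missing `all` term, the deprecated `ptr` mechanism, and more DNS-lookup terms than RFC 7208 allows. The records are constructed samples and the domain names are placeholders; fetch a real record with `dig +short txt yourdomain` before feeding it in.

```python
"""Check an SPF TXT record for settings that let others spoof the domain
(added example; not code from the post or from CentralOps)."""

# Constructed sample records; "weak.example" is deliberately permissive.
SAMPLE_RECORDS = {
    "good.example": "v=spf1 include:spf.protection.outlook.com -all",
    "weak.example": "v=spf1 ip4:203.0.113.0/24 a mx include:_spf.example.net +all",
    "none.example": "",
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"


def _term_name(term: str) -> str:
    """'-include:x' -> 'include', 'redirect=x' -> 'redirect', 'a/24' -> 'a', '~all' -> 'all'."""
    return term.lstrip(QUALIFIERS).split(":")[0].split("=")[0].split("/")[0]


def analyze_spf(record: str) -> list[str]:
    """Return a list of findings for one record; an empty list means no issue found."""
    findings = []
    if not record.startswith("v=spf1"):
        return ["no SPF record: receivers cannot reject mail claiming to be from this domain"]
    terms = record.split()[1:]
    names = [_term_name(t) for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if "ptr" in names:
        findings.append("'ptr' mechanism is deprecated by RFC 7208 and unreliable")
    all_terms = [t for t, n in zip(terms, names) if n == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of fail")
    else:
        # A bare "all" has an implicit "+" qualifier, which is the dangerous case.
        qualifier = all_terms[0][0] if all_terms[0][0] in QUALIFIERS else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail is neither passed nor failed")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, analyze_spf(record) or ["ok"])
```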


0010.0100 Grecon - Gather website Info


GRecon is a Python-based tool that automates Google Dorking, a reconnaissance method used by penetration testers and security researchers to identify sensitive information indexed by search engines.


git clone https://github.com/TebbaaX/GRecon.git 
cd GRecon 
python3 -m pip install -r requirements.txt
python3 grecon.py




ART : Take the info you’ve got and let’s narrow those results down like a detective on a mission!

