Category: Footprinting

Posted on by

Beginners guide to Shodan

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt in detail about footprinting or information gathering and the various methods of reconnaissance. In another blogpost, you learnt what is OSINT. In this blogpost, you will learn about a resource that falls into the above categories. Its named Shodan, I prefer to call it the hackers search engine

What is Shodan?

You know about Google search engine and its power. It allows you search for images, videos, news etc. what if there was a search engine to search for various types of devices connected to the internet. These devices can be webcams, routers and different servers like web server, FTP server, Telnet, SSH, SNMP, IMAP, SMTP etc. In fact, everything connected to internet. Well, the answer is Shodan.

Let’s learn more about it. Go to the official website of it here and in the search field, search for Apache.

It will start displaying all the Apache servers connected to internet as shown below.

But as you try to go to the next page to see more entries, you should see the below error.

You can search for anything you want but the results are limited if you are not registered. You can create an account on Shodan by going to the Register page. Registration is free and after you confirm your registration from your email, you are ready to use the power of this awesome search engine.

You can login into your Shodan account and search for whatever you want.

Let’s search for SSH servers running on ports 22 and 3333.

Sometimes, administrators just change the operating port of a server to prevent hacking attacks. We can even search for them. For example, let’s search for SSH servers running on ports other than 22 and 3333.

Let’s search for Redis servers.

In fact, you can search for anything connected to the internet using Shodan. Seeing the use of this tool for pen testers, the makers of Kali Linux have included Shodan-cli, a command line version in their repository.

Before using the command line version of Shodan, you need to add the API key of Shodan. It can be added as shown below.

This key can be seen in the Account section of Shodan. Once the API key is entered, you can use Shodan-cli.  This API key can also be used with tools like SpiderFoot used for OSINT. Note that the features are dependent on the types of account you have at Shodan. Free account has limited features. Let’s see how many open SSH and Filezilla servers are exposed to the internet.

After seeing all this, you may wonder how Shodan works or is it legal to use it. Shodan works by using a technique called banner grabbing. It captures banners of all the devices connected to the internet and then stores them in its database. Although it is legal to use Shodan for querying, it is not to do anything on the exposed servers without their permission. It is used by pen testers to see what devices are exposed and what information they are leaking to the internet.

Posted on by

Beginners guide to SpiderFoot

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt in detail about what is OSINT, types of OSINT etc. In this blogpost, you will learn about a tool named SpiderFoot. SpiderFoot is an open-source intelligence (OSINT) automation tool.

Spiderfoot is a python script and can be run on any machine with Python installed. Using spiderfoot, we can gather information from almost any open source data source available. For this tutorial, we will be using Kali Linux as spiderfoot is installed by default on it. Spiderfoot has an embedded web server and hence has a web-based interface.

To start spiderfoot on Kali, all you have to do is use the “-l” option and then specify a IP address and port on which you want the web server to listen on.  The “-l” option stands for listen. Here we have configured spiderfoot to listen on the port 5500 of localhost.

Now, browse to the above highlighted URL using your favorite browser. You should see this.

Since we have not yet performed any scans yet. There is no scan history. To start a new scan, click on “New scan”.

Spiderfoot can gather information from domain name, IPV4 or IPV6 address, host names, sub-domains, subnet, Bitcoin address, E-mail address, phone number, human names, usernames and networks. Let’s start our search with a domain name first.

After entering the name of the scan and the scan target scroll down a bit.

There are various ways you can search with for any target using SpiderFoot. You can also search based on what you require about the target.

You can also search based on required module (more about modules later).

I select “All” and click on “Run scan now”. The scan starts and may look empty at the beginning.

As the scan progresses, your screen will be filled with bars as shown below.

While the scan is still running, you can view the findings of the scan by going to the “Browse” tab as shown below.

You can view each of the entries to find out what spiderfoot has detected.

For example, in this case, the target website is hosted in USA. Now, let’s search for a “Name” say “kalyan”. The good thing about spiderfoot is that it will automatically detect the type of target based on format of your input.

Here’s the result.

You can see all the scans you performed in the “scans” section.

Another important tab here is the “settings” tab. It consists of settings for this tool. But just not that. Remember, I told you at the beginning of this article that Spiderfoot can collect information from almost all data sources. These data sources are listed here to the left in settings section.

Almost all sources are free, but some need APIs belonging to that particular service (Did you see the lock sign next to some services?).

Posted on by

Beginners guide to OSINT

Hello, aspiring ethical hackers. In this blogpost, you will learn what is OSINT. In our previous articles, you learnt about the 5 phases of ethical hacking, you learnt the importance of footprinting of ethical hacking. OSINT is a part of footprinting.

What is OSINT?

OSINT stands for Open Source Intelligence. OSINT is a method of gathering information from all open sources. Open sources are those which are publicly available and are free to access. OSINT is used by hackers, pen testers and Red-Team professionals to collect information about an organization or people that can be used in gaining access or performing social engineering.

These sources of OSINT can be social media sites like Instagram, LinkedIN etc, newspapers, news sites, blogs or shopping sites, search engines, metadata, Google docs, forums, etc.

For example, LinkedIN company pages reveal information about all the employees of the organization. These employees have their job description listed in their profile. Let’s say there is an employee whose role is “Solaris admin”. From this, you can say that the particular company is using Solaris as they have an employee for that job (unless that particular company is using ADVANCED TO THE POWER OF 100 trade craft to hide the original software they are using.

Now a hacker group creates a fake profile of a company on LinkedIN, connects with this user, sends a proposal for a job with increased salary for the same role. They ask his/her email for further communication.

Top OSINT tools

Here are some of the top OSINT Tools used by Cyber security professionals.

  1. Maltego: Maltego is link analysis software that is used to gather real-world relationship between roles, groups, domains, email addresses, webpages, social media accounts etc. Learn more about this tool here.
  2. Google Dorks: Often underestimated, Google dorks also can be useful to gather more information about a person or companhy. Learn more about it here.
  3. Spiderfoot: Spiderfoot is an OSINT tool written in Python that queries over 100 public data sources to gather information about any IP address, domain name, names of person and email address.
  4.  Shodan: Popularly called the hackers search engine, Shodan lets users search for various or types of servers connected to the internet using a variety of filters.
  5. Metagoofil: Metagoofil is tool used to extract metadata from publicly available documents like PDFs, DOC, XLS, PPTX, DOCX, PPTXS.

Posted on by

Google Dorking for hackers – Part 2

Hello, aspiring ethical hackers. This blogpost is Part 2 of Google Dorking. In our Part 1 of Google hacking, you learnt what Google hacking or Google Dorking is, what google operators are and different Google operators. In this Part 2. You will learn how hackers use Google Dorking for gathering whatever they want. If someone is a Black Hat Hacker, you will definitely not use Google to show different google operators. They will be looking for information that can make their hack successful. what could that information be?

Google dorking

This information can be credentials, login pages, backup files, database dumps, email lists, various types of files, open FTP servers & SSH servers etc. How nice it would be for hackers if they got passwords and credentials file by using just a simple google dork instead of using password cracking. In real world, we do get them. All we have to do is combine some of the Google dorks you have learnt about in Part 1 of Google hacking.

allintext:password filetype:log

allintext:username filetype:log

In the above dork, we are searching for log files with passwords in them. You will be surprised how many results you get.

Well, what is the next thing you do once you successfully get credentials. You search for a page where you can use those credentials. I mean login pages. We can search for login pages using the Google dork below.

intitle:login

You can even search specifically for WordPress login pages using the dork below.

intitle: “Index of” WP-admin

Sometimes, not just single passwords, you can also get files which are a collection of credentials. These are files where passwords are collected and stored. For example, this Google dork.

intext:”Index of” intext:”password.zip”

You learnt about the functions of a database while learning web server hacking. Sometimes users make a backup of their databases for safety purpose and unfortunately store that backup on the web server only. What if we can find this database. It can be found using the Google dork as shown below.

“index of” “database.sql.zip”

Or by using this query.

inurl: backup filetype:sql

We can find other backups too.

intitle: “index of” “backup.zip”

We can also find email lists of an organization using Google dorking. Most of the organizations make and save a list of emails as excel files. They can be found using the Google dork as shown below.

filetype:xls inurl:”email.xls”

Once we have the list of emails, we can perform social engineering attacks on them. Websites don’t just have credentials, emails and backups stored on them. They have different types of files like PDF’s, word documents, images etc. Sometimes they are not meant for viewers of the website but they are nonetheless on web server. Even these files can be found by Google dorking.

site: <> f iletype:pdf

site: <> f iletype: doc

These files can be used to find any metadata that can reveal more information. What if you are trying to hack a particular software and need its source code to find if it has any vulnerabilities. We have a dork for that too.

intitle: “index of” “sourcecode”

A software has a specific vulnerability disclosed and hackers work to find it. For example, take a particular version of Power CMS V2. This can be done using the below query.

intitle: “Installation Wizard – PowerCMS v2”

You know how many websites still use FTP and how many of them are still expose to internet. They can be found using below Google dork.

intitle: “index of” inurl:ftp

site:sftp.*.*/ intext:”login” intitle:”server login”

inurl:/web-ftp .cgi

You can also find specific database managers like for example, phpmyadmin

“index of” inurl:phpmyadmin

Posted on by

Beginners guide to footprinting websites: Part 2

Hello aspiring ethical hackers. In Part-1 of website footprinting, you learnt how to gather information about a website by using methods like grabbing banners, directory scanning and spidering. In this Part-2, you will learn about some more techniques for footprinting websites.

4. Website mirroring

Either you are directory scanning or spidering, you are sending a lot of requests to the website (especially if the website is very large) which may raise suspicions or on the target side or you will be blocked. What if there was an effective workaround for this. Actually, there is. Instead of sending requests to the target website, we can download the entire website to your local device. This is known as website mirroring. For example, let’s mirror a website using wget as shown below.

5. Footprinting websites using online services

A website is constantly updated. The information that is displayed on the website last year may not be there today. What if there was a way to go back in time to view the past versions of a website for gathering information. Actually, there is a way for this. By using the website archive.org. Archive.org collects the snapshot of the website at different points in time from the time the website existed and stores it. So, you can go there and view how the website looked 10 years back ago or three years ago. For example, this is how our website looked way back in 2018.

Better, you can constantly monitor the updates being made to the websites using a website known as website watcher.

Website watcher automatically checks webpages for any updates and changes.