Click to set custom HTML
|
Click to set custom HTML
Click to set custom HTML
Click to set custom HTML
Click to set custom HTML
Learning Objectives
1. Network Scanning Concepts
Network Scanning Concepts
As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. He/she then uses this information in the scanning phase to gather more details about the target.
Scanning is the process of gathering additional detailed information about the target using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is also used for discovering active machines in a network and identifying the OS running on the target machine. It is one of the most important phases of information gathering for an attacker, which enables him/her to create a profile of the target organization. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target’s OS and system architecture, and the ports along with their respective services running on each computer.
The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and track the ones that are responsive or useful to an attacker’s particular needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more information about the target system to determine the presence of any configuration lapses. The attacker then uses the information obtained to develop an attack strategy.
Types of Scanning
▪ Port Scanning – Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports of the target system to determine whether the services are running or are in a listening state. The listening state provides information about the OS and the application currently in use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to run software with vulnerabilities.
▪ Network Scanning – Lists the active hosts and IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network.
▪ Vulnerability Scanning – Shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains logic for reading the exploit list, transferring the request to the web server, and analyzing the requests to ensure the safety of the server. These tools generally target vulnerabilities that secure host configurations can fix easily through updated security patches and a clean web document.
TCP Communication Flags
The TCP header contains various flags that control the transmission of data across a TCP connection.
Six TCP control flags manage the connection between hosts and give instructions to the system. Four of these flags (SYN, ACK, FIN, and RST) govern the establishment, maintenance, and termination of a connection. The other two flags (PSH and URG) provide instructions to the system. The size of each flag is 1 bit. As there are six flags in the TCP Flags section, the size of this section is 6 bits. When a flag value is set to “1,” that flag is automatically turned on.
The following are the TCP communication flags:
▪ Synchronize or “SYN”: It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (three-way handshake) between two hosts.
▪ Acknowledgement or “ACK”: It confirms the receipt of the transmission and identifies the next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to “1,” thus implying that the receiver should pay attention to it.
▪ Push or “PSH”: When it is set to “1,” it indicates that the sender has raised the push operation to the receiver; this implies that the remote system should inform the receiving application about the buffered data coming from the sender. The system raises the PSH flag at the start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks.
▪ Urgent or “URG”: It instructs the system to process the data contained in packets as soon as possible. When the system sets the flag to “1,” priority is given to processing the urgent data first and all the other data processing is stopped.
▪ Finish or “FIN”: It is set to “1” to announce that no more transmissions will be sent to the remote system and the connection established by the SYN flag is terminated.
▪ Reset or “RST”: When there is an error in the current connection, this flag is set to “1” and the connection is aborted in response to the error. Attackers use this flag to scan hosts and identify open ports.
SYN scanning mainly deals with three flags: SYN, ACK, and RST.
TCP/IP Communication
TCP is connection oriented, i.e., it prioritizes connection establishment before data transfer between applications. This connection between protocols is possible through the three-way handshake.
A TCP session initiates using a three-way handshake mechanism:
▪ To launch a TCP connection, the source (10.0.0.2:21) sends a SYN packet to the destination (10.0.0.3:21).
▪ On receiving the SYN packet, the destination responds by sending a SYN/ACK packet back to the source.
▪ The ACK packet confirms the arrival of the first SYN packet to the source. ▪ Finally, the source sends an ACK packet for the ACK/SYN packet transmitted by the destination.
▪ This triggers an "OPEN" connection, thereby allowing communication between the source and destination, which continues until one of them issues a "FIN" or "RST" packet to close the connection.
TCP Session Termination 
2. Scanning ToolsScanning Tools
Scanning tools are used to scan and identify live hosts, open ports, running services on a target network, location info, NetBIOS info, and information about all TCP/IP and UDP open ports. The information obtained from these tools will help an ethical hacker in creating the profile of the target organization and scanning the network for open ports of the devices connected.
▪ Nmap Source: https://nmap.org
▪ Hping3 Source: https://salsa.debian.org
o ICMP ping Ex. hping3 -1 10.0.0.25
o ACK scan on port 80 Ex. hping3 –A 10.0.0.25 –p 80
o UDP scan on port 80 Ex. hping3 -2 10.0.0.25 –p 80
o Collecting Initial Sequence Number Ex. hping3 192.168.1.103 -Q -p 139o Firewalls and Timestamps Ex. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
o SYN scan on port 50-60 Ex. hping3 -8 50-60 –S 10.0.0.25 –V
o FIN, PUSH and URG scan on port 80 Ex. hping3 –F –P –U 10.0.0.25 –p 80
o Scan entire subnet for live host Ex. hping3 -1 10.0.1.x --rand-dest –I eth0
o Intercept all traffic containing HTTP signature Ex. hping3 -9 HTTP –I eth0
o SYN flooding a victim Ex. hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
▪ Hping Scan with AI
Attackers can leverage AI-powered technologies to enhance and automate their network scanning tasks. With the aid of AI, attackers can effortlessly perform network scanning using the Hping3 tool to acquire valuable insights about their target.
Example #1:
An attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Use Hping3 to perform ICMP scanning on the target IP address 10.10.1.11 and stop after 10 iterations”
The command `hping3 --icmp --count 10 10.10.1.11` is used to execute the Hping3 tool with specific parameters.
Example #2:
An attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Run an hping3 ACK scan on port 80 of target IP 10.10.1.11”
The command `sudo hping3 --ack -p 80 10.10.1.11` is used to execute the Hping3 tool with specific parameters.
▪ Metasploit Source: https://www.metasploit.com
Metasploit is an open-source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. It provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It facilitates the tasks of attackers, exploits writers, and payload writers. A major advantage of the framework is the modular approach, i.e., allowing the combination of any exploit with any payload.
▪ NetScanTools Pro Source: https://www.netscantools.com
NetScanTools Pro is an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. Using this tool, you can easily gather information about the local LAN as well as Internet users, IP addresses, ports, and so on. Attackers can find vulnerabilities and exposed ports in the target system. It helps the attackers to list IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or manually (using manual tools). NetScanTools Pro combines many network tools and utilities categorized by their functions, such as active, passive, DNS, and local computer.
Some additional scanning tools are listed below: ▪ sx (https://github.com) ▪ RustScan (https://github.com) ▪ MegaPing (http://magnetosoft.com) ▪ SolarWinds®Engineer's Toolset (https://www.solarwinds.com) ▪ PRTG Network Monitor (https://www.paessler.com)
3. Host Discovery
Demonstrate Various Scanning Techniques for Host Discovery
Host Discovery
Scanning is the process of gathering information about systems that are “alive” and responding on the network. Host discovery is considered as the primary task in the network scanning process. To perform a complete scan and identify open ports and services, it is necessary to check for live systems. Host discovery provides an accurate status of the systems in the network, which enables an attacker to avoid scanning every port on every system in a list of IP addresses to identify whether the target host is up. Host discovery is the first step in network scanning. This section highlights how to check for live systems in a network using various ping scan techniques. It also discusses how to ping sweep a network to detect live hosts/systems along with various ping sweep tools.
Host Discovery Techniques Host discovery techniques can be adopted to discover the active/live hosts in the network. As an ethical hacker, you must be aware of the various types of host discovery techniques. Some host discovery techniques are listed below:
▪ ARP Ping Scan
▪ UDP Ping Scan
▪ ICMP Ping Scan
o ICMP ECHO Ping
• ICMP ECHO Ping Sweep
o ICMP Timestamp Ping
o ICMP Address Mask Ping
▪ TCP Ping Scan
o TCP SYN Ping
o TCP ACK Ping
▪ IP Protocol Scan
ARP Ping Scan
In the ARP ping scan, the ARP packets are sent for discovering all active devices in the IPv4 range even though the presence of such devices is hidden by restrictive firewalls. In most networks, many IP addresses are unused at any given time, specifically in the private address ranges of the LAN.
Attackers use the Nmap tool to perform ARP ping scan for discovering live hosts in the network. In Zenmap, the -PR option is used to perform ARP ping scan.
Note: -sn is the Nmap command to disable the port scan. Since Nmap uses ARP ping scan as the default ping scan, to disable it and perform other desired ping scans, you can use --disable-arp-ping.
Advantages:
▪ ARP ping scan is considered to be more efficient and accurate than other host discovery techniques
▪ ARP ping scan automatically handles ARP requests, retransmission, and timeout at its own discretion
▪ ARP ping scan is useful for system discovery, where you may need to scan large address spaces
▪ ARP ping scan can display the response time or latency of a device to an ARP packet
UDP Ping Scan
UDP ping scan is similar to TCP ping scan; however, in the UDP ping scan, Nmap sends UDP packets to the target host. The default port number used by Nmap for the UDP ping scan is 40,125. This highly uncommon port is used as the default for sending UDP packets to the target. This default port number can be configured using DEFAULT_UDP_PROBE_PORT_SPEC during compile time in Nmap. Attackers send UDP packets to the target host, and a UDP response means that the target host is active. If the target host is offline or unreachable, various error messages such as host/network unreachable or TTL exceeded could be returned. In Zenmap, the -PU option is used to perform the UDP ping scan.
Advantages: ▪ UDP ping scans have the advantage of detecting systems behind firewalls with strict TCP filtering, leaving the UDP traffic forgotten.
ICMP ECHO
Ping Scan Attackers use the ICMP ping scan to send ICMP packets to the destination system to gather all necessary information about it. This is because ICMP does not include port abstraction, and it is different from port scanning. However, it is useful to determine what hosts in a network are running by pinging them all. ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if ICMP is passing through a firewall.
ICMP ECHO Ping Sweep
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique that is adopted to determine the range of IP addresses that map to live hosts (computers). Although a single ping will tell the user whether a specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts. If a specified host is active, it will return an ICMP ECHO reply. Ping sweeps are among the oldest and slowest methods used to scan a network. This utility is distributed across nearly all platforms, and it acts as a roll call for systems; a system that is active on the network answers the ping query that another system sends out.
ICMP ECHO Ping Sweep Using Nmap Source: https://nmap.org Nmap helps an attacker to perform a ping sweep that determines live hosts from a range of IP addresses. In Zenmap, the -PE option with a list of IP addresses is used to perform ICMP ECHO ping sweep.
ICMP Timestamp Ping Scan
Besides the traditional ICMP ECHO ping, there are some other types of ICMP pinging techniques such as ICMP timestamp ping scan and ICMP address mask ping scan, which an attacker can adopt in specific conditions.
ICMP Address Mask Ping Scan
ICMP address mask ping is another alternative to the traditional ICMP ECHO ping, where the attackers send an ICMP address mask query to the target host to acquire information related to the subnet mask. However, the address mask response from the destination host is conditional, and it may or may not respond with the appropriate subnet value depending on its configuration by the administrator at the target’s end. This type of ping method is also effective in identifying the active hosts similarly to the ICMP timestamp ping, specifically when the administrator blocks the traditional ICMP Echo ping. In Zenmap, the -PM option is used to perform an ICMP address mask ping scan.
TCP SYN Ping Scan TCP SYN ping is a host discovery technique for probing different ports to determine if the port is online and to check if it encounters any firewall rule sets. In this type of host discovery technique, an attacker uses the Nmap tool to initiate the three-way handshake by sending the empty TCP SYN flag to the target host. After receiving SYN, the target host acknowledges the receipt with an ACK flag. After reception of the ACK flag, the attacker confirms that the target host is active and terminates the connection by sending an RST flag to the target host machine (since his/her objective of host discovery is accomplished). Port 80 is used as the default destination port. A range of ports can also be specified in this type of pinging format without inserting a space between -PS and the port number (e.g., PS22-25,80,113,1050,35000), where the probe will be performed against each port parallelly. In Zenmap, the -PS option is used to perform a TCP SYN ping scan.
IP Protocol Ping Scan IP protocol ping is the latest host discovery option that sends IP ping packets with the IP header of any specified protocol number. It has the same format as the TCP and UDP ping. This technique tries to send different packets using different IP protocols, hoping to get a response indicating that a host is online.
Host Discovery with AI
An attacker can also leverage AI-powered ChatGPT or other generative AI technology to perform this task by using an appropriate prompt such as
Ping Sweep Tools
Ping sweep tools ping an entire range of network IP addresses to identify the live systems. The following are ping sweep tools that enable one to determine live hosts on the target network by sending multiple ICMP ECHO requests to various hosts on the network at a time.
▪ Angry IP Scanner Source: https://angryip.org
▪ SolarWinds Engineer’s Toolset (https://www.solarwinds.com)
▪ NetScanTools Pro (https://www.netscantools.com)
▪ Colasoft Ping Tool (https://www.colasoft.com)
▪ Advanced IP Scanner (https://www.advanced-ip-scanner.com)
▪ OpUtils (https://www.manageengine.com)
4. Port and Service DiscoveryThe next step in the network scanning process involves checking the open ports and services in live systems. This discovery of open ports and services can be performed via various port scanning techniques. Administrators often use port scanning techniques to verify the security policies of their networks, whereas attackers use them to identify open ports and running services on a host with the intent of compromising the network. Moreover, sometimes, users unknowingly keep unnecessary open ports on their systems. An attacker takes advantage of such open ports to launch attacks.
Commom ports.
Port Scanning Techniques
Port scanning techniques are further categorized as described below. This categorization is based on the type of protocol used for communication in the network.
TCP Connect/Full-Open Scan
Source: https://insecure.org
TCP Connect/Full Open Scan is one of the most reliable forms of TCP scanning. In TCP Connect scanning, the OS’s TCP connect() system call tries to open a connection to every port of interest on the target machine. If the port is listening, the connect() call will result in a successful connection with the host on that particular port; otherwise, it will return an error message stating that the port is not reachable.
Stealth Scan (Half-Open Scan)
The stealth scan involves resetting the TCP connection between the client and the server abruptly before completion of the three-way handshake signals, hence making the connection half-open. A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers. This type of scan sends a single frame with the expectation of a single response. The half-open scan partially opens a connection but stops halfway through. The stealth scan is also called a “SYN scan,” because it only sends the SYN packet. This prevents the service from notifying the incoming connection. TCP SYN or half-open scanning is a stealth method of port scanning. The stealth scan also implements the three-way handshake methodology. In the last stage, it examines the packets entering the interface and terminates the connection before triggering a new initialization to identify remote ports.
Inverse TCP Flag Scan
Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags. When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host.
Xmas Scan
Xmas scan is a type of inverse TCP scanning technique with the FIN, URG, and PUSH flags set to send a TCP frame to a remote device. If the target has opened the port, then you will receive no response from the remote system. If the target has closed the port, then you will receive a remote system reply with an RST. You can use this port scanning technique to scan large networks and find which host is up and what services it is offering. This technique describes all TCP flag sets. When all flags are set, some systems hang; hence, the flags are often set in the nonsense pattern URG-PSH-FIN. Attackers use the TCP Xmas scan to determine if ports are closed on the target machine via the RST packet. This scan only works when systems are compliant with RFC 793-based TCP/IP implementation. It will not work against any current version of Microsoft Windows.
BSD Networking Code
This method relies on the BSD networking code. Thus, you can use this only for UNIX hosts; it does not support Windows NT. If the user scans any Microsoft system, it will show that all the ports on the host are open.
You can initialize all the flags when transmitting the packet to a remote host. If the target system accepts the packet and does not send any response, it means that the port is open. If the target system sends an RST flag, then it implies that the port is closed.
In Zenmap, the -sX option is used to perform Xmas scan whereas the -sF and -sN options are used to perform FIN scan and NULL scan, respectively.
nmap -sX -v 192.168.2.79
TCP Maimon Scan
This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.
5. OS Discovery (Banner Grabbing/OS Fingerprinting)
An attacker uses OS discovery or banner grabbing techniques to identify network hosts running applications and OS versions with known exploits. This section introduces you to banner grabbing, its types, and banner grabbing tools.
▪ Active Banner Grabbing
Active banner grabbing applies the principle that an OS’s IP stack has a unique way of responding to specially crafted TCP packets. This happens because of different interpretations that vendors apply while implementing the TCP/IP stack on a particular OS. In active banner grabbing, the attacker sends a variety of malformed packets to the remote host, and the responses are compared with a database. Responses from different OS vary because of differences in TCP/IP stack implementation.
For instance, the scanning utility Nmap uses a series of nine tests to determine an OS fingerprint or banner grabbing. The tests listed below provide some insights into an active banner grabbing attack, as described at https://nmap.org/book/osdetect-methods.html#osdetect-probes
▪ Passive Banner Grabbing Source: https://www.broadcom.com
Like active banner grabbing, passive banner grabbing also depends on the differential implementation of the stack and the various ways in which an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study telltale signs that can reveal an OS.
How to Identify Target System OS
Identifying the target OS is one of the important tasks for an attacker to compromise the target network/machine. In a network, various standards are implemented to allow different OSs to communicate with each other. These standards govern the functioning of various protocols such as IP, TCP, UDP, etc. By analyzing certain parameters/fields in these protocols, one can reveal the details of the OS. Parameters such as Time to Live (TTL) and TCP window size in the IP header of the first packet in a TCP session help identify the OS running on the target machine. The TTL field determines the maximum time that a packet can remain in a network, and the TCP window size determines the length of the packet reported. These values vary among OSs, as described in the following table:
Attackers can use various tools to perform OS discovery on the target machine, including Wireshark, Nmap, Unicornscan, and Nmap Script Engine. Attackers can also adopt the IPv6 fingerprinting method to grab the target OS details.
OS Discovery using Wireshark Source: https://www.wireshark.org
OS Discovery using Nmap and Unicornscan
OS Discovery using Nmap Source: https://nmap.org
To exploit the target, it is highly essential to identify the OS running on the target machine. Attackers can employ various tools to acquire the OS details of the target. Nmap is one of the effective tools for performing OS discovery activities. In Zenmap, the -O option is used to perform OS discovery, which displays the OS details of the target machine.
OS Discovery using Unicornscan
Source: https://sourceforge.net In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result. To perform Unicornscan, the syntax #unicornscan <target IP address> is used. As shown in the screenshot, the ttl value acquired after the scan is 128; hence, the OS is possibly Microsoft Windows.
OS Discovery using Nmap Script Engine
Source: https://nmap.org Nmap Scripting Engine (NSE) in Nmap can be used to automate a wide variety of networking tasks by allowing users to write and share scripts. These scripts can be executed parallelly with the same efficiency and speed as Nmap. Attackers can also use various scripts in the Nmap Script Engine for performing OS discovery on the target machine. For example, in Nmap, smb-os-discovery is an inbuilt script used for collecting OS information on the target machine through the SMB protocol. In Zenmap, NSE can be generally activated using the -sC option. If the custom scripts are to be specified, then attackers can use the --script option. The NSE results will be displayed with both the Nmap normal and XML outputs.
OS Discovery using IPv6 Fingerprinting Source: https://nmap.org IPv6 Fingerprinting is another technique used to identify the OS running on the target machine. It has the same functionality as IPv4, such as sending probes, waiting and collecting the responses, and matching them with the database of fingerprints. The difference between IPv6 and IPv4 fingerprinting is that IPv6 uses several additional advanced IPv6-specific probes along with a separate IPv6-specifc OS detection engine. Nmap sends nearly 18 probes in the following order to identify the target OS using the IPv6 fingerprinting method. ▪ Sequence generation (S1–S6) ▪ ICMPv6 echo (IE1) ▪ ICMPv6 echo (IE2) ▪ Node Information Query (NI) ▪ Neighbor Solicitation (NS) ▪ UDP (U1) ▪ TCP explicit congestion notification (TECN) ▪ TCP (T2–T7)
In Zenmap, the -6 option along with -O option is used to perform OS discovery using the IPv6 fingerprinting method.
Syntax: # nmap -6 -O <target>
OS Discovery with AI
An attacker can also leverage AI-powered ChatGPT or other generative AI technology to perform this task by using an appropriate prompt such as
• “Use TTL to identify the operating system running on the target IP address 10.10.1.11”
ping -c 1 10.10.1.11 && echo "Check the TTL value from the response to infer the OS (Linux/Unix: 64, Windows: 128)"
• “Use TTL to identify the operating system running on the target IP address 10.10.1.9”
ping -c 1 10.10.1.9 | grep "ttl"
• “Use Nmap script engine to perform OS discovery on the target IP addresses in scan1.txt”
nmap -iL scan1.txt -O --script=default --script-args=newtargets -oN os_discovery_results.txt
Create and Run Custom Script to Automate Network Scanning Tasks With AI Attackers can leverage AI-powered technologies to enhance and automate their network scanning tasks. With the aid of AI, attackers can effortlessly create and run custom network scanning scripts and acquire valuable insights about their targets. By developing such custom scripts, attackers can efficiently execute a series of network scanning commands to gather information about a target domain. With this script, attackers can discover live systems, open ports, running services, service versions, and more on the target IP ranges.
For instance, Attackers can use ChatGPT to guide the development of a script by using an appropriate prompt such as: "Develop a script that will automate network scanning efforts and find out live systems, open ports, running services, service versions, etc. on target IP range 10.10.1.0/24"
The following bash script is designed to automate network scanning efforts on the target IP range 10.10.1.0/24:
#!/bin/bash
nmap -sP 10.10.1.0/24 -oG - | awk '/Up$/{print $2}' > live_hosts.txt && nmap -iL live_hosts.txt -sV -oA scan_results && cat scan_results.nmap
6. Scanning Beyond IDS and Firewall
Intrusion detection systems (IDS) and firewalls are security mechanisms intended to prevent an attacker from accessing a network. However, even IDS and firewalls have some security limitations. Attackers try to launch attacks to exploit these limitations. This section highlights various IDS/firewall evasion techniques such as packet fragmentation, source routing, IP address spoofing, etc.
Although firewalls and IDS can prevent malicious traffic (packets) from entering a network, attackers can send intended packets to the target that evade the IDS/firewall by implementing the following techniques: ▪ Packet Fragmentation ▪ Source Routing ▪ Source Port Manipulation ▪ IP Address Decoy ▪ IP Address Spoofing ▪ MAC Address Spoofing ▪ Creating Custom Packets ▪ Randomizing Host Order ▪ Sending Bad Checksums ▪ Proxy Servers ▪ Anonymizers
Packet Fragmentation
Packet fragmentation refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, the IDS and firewalls behind the host generally queue all of them and process them one by one. However, since this method of processing involves greater CPU and network resource consumption, the configuration of most IDS cause them to skip fragmented packets during port scans. Therefore, attackers use packet fragmentation tools such as Nmap to split the probe packet into smaller packets that circumvent the port-scanning techniques employed by IDS. Once these fragments reach the destined host, they are reassembled to form a single packet.
SYN/FIN Scanning
Using IP Fragments SYN/FIN scanning using IP fragments is not a new scanning method but a modification of previous techniques. This process of scanning was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification.
Source Routing
An IP datagram contains various fields, including the IP options field, which stores source routing information and includes a list of IP addresses through which the packet travels to its destination. As the packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet to the destination. When attackers send malformed packets to a target, these packets hop through various routers and gateways to reach the destination. In some cases, the routers in the path might include configured firewalls and IDS that block such packets. To avoid them, attackers enforce a loose or strict source routing mechanism, in which they manipulate the IP address path in the IP options field so that the packet takes the attacker-defined path (without firewall-/IDS-configured routers) to reach the destination, thereby evading firewalls and IDS.
Source Port Manipulation
Source port manipulation is a technique used for bypassing the IDS/firewall, where the actual port numbers are manipulated with common port numbers for evading certain IDS and firewall rules. The main security misconfigurations occur because of blindly trusting the source port number. The administrator mostly configures the firewall by allowing the incoming traffic from well-known ports such as HTTP, DNS, FTP, etc. The firewall can simply allow the incoming traffic from the packets sent by the attackers using such common ports.
IP Address Decoy
The IP address decoy technique refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewalls. It appears to the target that the decoys as well as the host(s) are scanning the network. This technique makes it difficult for the IDS/firewall to determine which IP address is actually scanning the network and which IP addresses are decoys. The Nmap scanning tool comes with a built-in scan function called a decoy scan, which cloaks a scan with decoys. This technique generates multiple IP addresses to perform a scan, thus making it difficult for the target security mechanisms such as IDS, firewalls, etc., to identify the original source from the registered logs. The target IDS might report scanning from 5–0 IP addresses; however, it cannot differentiate between the actual scanning IP address and the innocuous decoy IPs.
▪ nmap -D RND:10 [target]
▪ nmap -D decoy1,decoy2,decoy3,...,ME,... [target
IP Address Spoofing
Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use IP spoofing technique to bypass such IDS/firewalls.
MAC Address Spoofing
Network firewalls filter packets based on the source media access control (MAC) address. They examine the MAC address in the packet header and determine whether the packets originate from a legitimate source. Firewalls allow traffic from specific sources using MAC filtering rules and restrict packets that do not satisfy the filtering rules. To avoid these restrictions, attackers use MAC spoofing techniques, in which they employ fake MAC addresses and masquerade as legitimate users to scan the hosts located behind the firewall.
▪ nmap -sT -Pn --spoof-mac 0 [Target IP]
▪ nmap -sT -Pn --spoof-mac [Vendor] [Target IP]
▪ nmap -sT -Pn --spoof-mac [new MAC] [Target IP]
Creating Custom Packets
The attacker creates and sends custom packets to scan the intended target beyond the IDS/firewalls. Various techniques are used to create custom packets. Some of them are mentioned below:
▪ Creating Custom Packets by using Packet Crafting Tools Attackers create custom TCP packets to scan the target by bypassing the firewalls. Attackers use various packet crafting tools such as Colasoft packet builder (https://www.colasoft.com), NetScanTools Pro (https://www.netscantools.com), etc., to scan the target that is beyond the firewall. Packet crafting tools craft and send packet streams (custom packets) using different protocols at different transfer rates.
Randomizing Host Order
The attacker scans the number of hosts in the target network in a random order to scan the intended target that is lying beyond the firewall. The option used by Nmap to scan with a random host order is --randomize-hosts. This technique instructs Nmap to shuffle each group of 16384 hosts before scanning with slow timing options, thus making the scan less notable to network monitoring systems and firewalls. If larger group sizes are randomized, the PING_GROUP_SZ should be increased in nmap.h and it should be compiled again. Another method can be followed by generating the target IP list with the list scan command -sL -n -oN <filename> and then randomizing it with a Perl script and providing the whole list to Nmap using the -iL command.
Sending Bad Checksums
The attacker sends packets with bad or bogus TCP/UDP checksums to the intended target to avoid certain firewall rule sets. TCP/UDP checksums are used to ensure data integrity. Sending packets with incorrect checksums can help attackers to acquire information from improperly configured systems by checking for any response. If there is a response, then it is from the IDS or firewall, which did not verify the obtained checksum. If there is no response or the packets are dropped, then it can be inferred that the system is configured. This technique instructs Nmap to send packets with invalid TCP, UDP, or SCTP checksums to the target host. The option used by Nmap is --badsum.
Proxy Servers
A proxy server is an application that can serve as an intermediary for connecting with other computers. A proxy server is used:
▪ As a firewall and to protect the local network from external attacks. ▪ As an IP address multiplexer that allows several computers to connect to the Internet when you have only one IP address (NAT/PAT).
▪ To anonymize web surfing (to some extent). ▪ To extract unwanted content, such as ads or “unsuitable” material (using specialized proxy servers).
▪ To provide some protection against hacking attacks. ▪ To save bandwidth.
Free Proxy Servers
Some free proxy servers available on the Internet, which can help you to access restricted sites without revealing your IP address. In the Google search engine, type “Free Proxy Servers" to see a list of such servers. Select one from this list and download and install it to browse anonymously without revealing your legitimate IP address.
Proxy Chaining
Proxy chaining helps an attacker to increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number of proxy servers used, the greater is the attacker’s anonymity.
Proxy Tools
Proxy tools are intended to allow users to surf the Internet anonymously by keeping their IP hidden through a chain of SOCKS or HTTP proxies. These tools can also act as HTTP, mail, FTP, SOCKS, news, telnet, and HTTPS proxy servers.
▪ Proxy Switcher Source: https://www.proxyswitcher.com
▪ CyberGhost VPN Source: https://www.cyberghostvpn.com
In addition to the proxy tools mentioned above, there are many other proxy tools intended to allow users to surf the Internet anonymously. Some additional proxy tools are listed below: ▪ Burp Suite (https://www.portswigger.net) ▪ Tor (https://www.torproject.org) ▪ Hotspot Shield (https://www.hotspotshield.com) ▪ Proxifier (https://www.proxifier.com) ▪ IPRoyal Residential Proxy (https://iproyal.com)
Anonymizers
An anonymizer is an intermediate server placed between an end user and a website that accesses the website on their behalf and makes web surfing activities untraceable. Anonymizers allow users to bypass Internet censorship. An anonymizer eliminates all identifying information (IP address) from the system while surfing the Internet, thereby ensuring privacy. It encrypts the data transferred from a computer to the Internet service provider (ISP). Most anonymizers can anonymize web (HTTP:), File Transfer Protocol (FTP:), and gopher (gopher:) Internet services.
Anonymizer tools use various techniques such as SSH, VPN, and HTTP proxies, which allow access to blocked or censored content on the Internet with advertisements omitted.
▪ Whonix Source: https://www.whonix.org
Some additional anonymizers are listed below:
▪ Psiphon (https://psiphon.ca) ▪ TunnelBear (https://www.tunnelbear.com) ▪ Invisible Internet Project (I2P) (https://geti2p.net) ▪ Bright Data Proxy API (https://brightdata.com)
Censorship Circumvention Tools
▪ AstrillVPN Source: https://www.astrill.com
▪ Tails Source: https://tails.net
7. Network Scanning Countermeasures
Ping Sweep Countermeasures
Some countermeasures for preventing ping sweep attempts are as follows: ▪ Configure firewalls to block incoming ICMP echo requests from unknown or untrusted sources.
▪ Use intrusion detection systems (IDSes) and intrusion prevention systems (IPSes), such as Snort (https://www.snort.org), to detect and prevent ping-sweep attempts.
▪ Carefully evaluate the type of Internet Control Message Protocol (ICMP) traffic flowing through enterprise networks.
▪ Terminate the connection with any host sending more than 10 ICMP ECHO requests. ▪ Use a demilitarized zone (DMZ) and allow only commands such as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDED in the DMZ.
▪ Limit ICMP traffic with access-control lists (ACLs) to the ISP’s specific IP addresses. ▪ Implement rate limiting for ICMP packets to reduce the efficacy of ping sweeps and other ICMP-based scanning techniques.
▪ Break the network into smaller, isolated segments. This limits the scope of what an attacker can discover through a ping sweep and makes lateral movement more difficult if the network is compromised.
▪ Utilize private IP address ranges for internal network devices and implement network address translation (NAT) at the network boundary. This hides internal IP addresses from external observers.
Port Scanning Countermeasures
As discussed previously, port scanning provides a large amount of useful information to attackers, such as IP addresses, host names, open ports, and services running on ports. Open ports specifically offer an easy means for an attacker to break into the network. However, there is no cause for concern, provided that the system or network is secured against port scanning by adopting the following countermeasures: ▪ Configure firewall and intrusion detection system (IDS) rules to detect and block probes. ▪ The firewall should be capable of detecting the probes sent by attackers using port-scanning tools. It should not allow traffic to pass through after simply inspecting the TCP header. The firewall should be able to examine the data contained in each packet before allowing traffic to pass through it.
▪ Run the port scanning tools against hosts on the network to determine whether the firewall accurately detects the port scanning activity.
▪ Ensure that the router, IDS, and firewall firmware are updated with their latest releases/versions.
▪ Configure commercial firewalls to protect the network against fast port scans and SYN floods.
▪ Hackers use tools such as Nmap and perform OS detection to sniff the details of a remote OS. Thus, it is important to employ an IDS in such cases. Snort (https://www.snort.org) is a very useful intrusion detection and prevention technology, mainly because signatures are frequently available from public authors.
▪ Keep as few ports open as possible and filter the rest, as an intruder may attempt to enter through any open port. Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135–159, 256–258, 389, 445, 1080, 1745, and 3268.
▪ Block unwanted services running on the ports and update the service versions. ▪ Ensure that the versions of services running on the ports are non-vulnerable. ▪ Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of the company’s main firewall.
▪ Attackers attempt to perform source routing and send packets to the targets, which may not be reachable via the Internet, using an intermediate host that can interact with the target. Hence, it is necessary to ensure that the firewall and router can block such source-routing techniques.
▪ Ensure that the mechanisms used for routing and filtering at the routers and firewalls, respectively, cannot be bypassed using a particular source port or source routing methods.
▪ Test the IP address space using TCP and UDP port scans as well as ICMP probes to determine the network configuration and accessible ports.
▪ Ensure that the anti-scanning and anti-spoofing rules are configured. ▪ If a commercial firewall is in use, then ensure the following: o It is patched with the latest updates. o It has correctly defined anti-spoofing rules. o Its fast-mode services are unusable.
▪ Ensure that TCP wrappers limit access to the network based on domain names or IP addresses.
▪ Use proxy servers to block fragmented or malformed packets. ▪ Ensure that the firewalls forward open port scans to empty hosts or honeypots to make the port-scanning task difficult and time-consuming.
▪ Employ an intrusion prevention system (IPS) to identify port scan attempts and blacklist IP addresses.
▪ Implement port knocking to hide open ports. ▪ Use network address translation (NAT) to hide the IP addresses of internal systems. ▪ Implement egress filtering to control outbound traffic, which can help in identifying and stopping malicious internal hosts from scanning external targets.
▪ Implement virtual local area networks (VLANs) to isolate different types of traffic and restrict access between them.
Banner Grabbing Countermeasures
▪ Disabling or Changing Banner An open port indicates that a service/banner is running on it. When attackers connect to an open port using banner grabbing techniques, the system presents a banner containing sensitive information such as the OS, server type, and version. Using the information gathered, the attacker identifies specific vulnerabilities to exploit and then launches attacks. The countermeasures against banner grabbing attacks are as follows: o Display false banners to mislead or deceive attackers. o Turn off unnecessary services on the network host to limit information disclosure. o Use server masking tools to disable or change banner information. o Remove unnecessary HTTP headers and response data and camouflage the server by providing false signatures. This also provides the option of eliminating file extensions such as .asp and .aspx, which clearly indicate that the site is running on a Microsoft server.
o For Apache 2.x with the mod_headers module, use a directive in the httpd.conf file to change the banner information header and set the server as New Server Name.
o Alternatively, change the ServerSignature line to ServerSignatureOff in the httpd.conf file.
o Disable the details of the vendor and version in the banners.
o Modify the value of Server Tokens from Full to Prod in Apache’s httpd.conf file to prevent disclosure of the server version.
o Modify the value of RemoveServerHeader from 0 to 1 in the UrlScan.ini config file found at C: WindowsSystem32inetservUrlscan. This method prevents disclosure of the server version.
o Trick attackers by modifying the value of AlternateServerName to values such as xyz or myserver.
o Disable HTTP methods such as Connect, Put, Delete, and Options from web application servers.
o Remove the X-Powered-By header only with the customHeaders option in the <system.webServer> section of the web.config file.
▪ Hiding File Extensions from Web Pages
File extensions reveal information about the underlying server technology that an attacker can use to launch attacks. The countermeasures against such banner grabbing attacks are as follows:
o Hide file extensions to mask the web technology.
o Replace application mappings such as .asp with .htm, .foo, etc. to disguise the identities of servers.
o Apache users can use mod_negotiation directives.
▪ Other Banner Grabbing Countermeasures
o Use packet filtering to block or restrict access to ports that might reveal banner information unnecessarily.
o Use IDS/IPS systems to monitor and alert on scanning activities that could indicate banner grabbing attempts.
o Replace protocols that send clear-text banners (such as HTTP, FTP, and Telnet) with their secure counterparts (HTTPS, SFTP/FTPS, SSH) to encrypt the connection and banner information.
o Use transport layer security (TLS) for services to encrypt the banner information during the handshake process, making it more difficult for unauthorized parties to grab banners.
Note: It is preferable to not use file extensions at all.
IP Spoofing Detection Techniques
▪ Direct TTL Probes
In this technique, you initially send a packet (ping request) to the legitimate host and wait for a reply. Check whether the TTL value in the reply matches with that of the packet you are checking. Both will have the same TTL if they are using the same protocol. Although the initial TTL values vary according to the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the values are 64 and 128; for ICMP, they are 128 and 255.
If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. Deduct the TTL value in the reply from the initial TTL value to determine the hop count. The packet is a spoofed packet if the reply TTL does not match the TTL of the packet. It will be very easy to launch an attack if the attacker knows the hop count between the source and the host. In this case, the test result is a false negative. This technique is successful when the attacker is in a different subnet from that of the victim.
Note: Normal traffic from one host can contrast TTLs depending on traffic patterns.
▪ IP Identification Number
Users can identify spoofed packets by monitoring the IP identification (IPID) number in the IP packet headers. The IPID increases incrementally each time a system sends a packet. Every IP packet on the network has a unique "IP identification" number, which is increased by one for every packet transmission. To identify whether a packet is spoofed, send a probe packet to the source IP address of the packet and observe the IPID number in the reply. The IPID value in the response packet must be close to but slightly greater than the IPID value of the probe packet. The source address of the IP packet is spoofed if the IPID of the response packet is not close to that of the probe packet. This method is effective even when both the attacker and the target are on the same subnet.
▪ TCP Flow Control Method
The TCP can optimize the flow control on both the sender’s and the receiver’s end with its algorithm. The algorithm accomplishes flow control using the sliding window principle. The user can control the flow of IP packets by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data that the sender can transmit without acknowledgement. Thus, this field helps to control data flow. The sender should stop sending data whenever the window size is set to zero.
In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker, who is unaware of the ACK packet containing window size information, might continue to send data to the victim. If the victim receives data packets beyond the window size, they are spoofed packets. For effective flow control and early detection of spoofing, the initial window size must be very small.
Most spoofing attacks occur during the handshake, as it is challenging to build multiple spoofing replies with the correct sequence number. Therefore, apply the flow control spoofed packet detection method to the handshake. In a TCP handshake, the host sending the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting the SYN request from a genuine client or a spoofed one, set SYN-ACK to zero. If the sender sends an ACK with any data, it means that the sender is a spoofed one. This is because when SYN-ACK is set to zero, the sender must respond to it only with the ACK packet, without additional data.
Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets. Attackers cannot respond to changes in the congestion window size. When the received traffic continues after a window size is exhausted, the packets are most likely spoofed.
IP Spoofing Countermeasures
As mentioned previously, IP spoofing is a technique adopted by a hacker to break into a target network. Therefore, to protect the network from external hackers, IP spoofing countermeasures should be applied in network security settings. Some IP spoofing countermeasures that can be applied are as follows: ▪ Avoid Trust Relationships Do not rely on IP-based authentication. Attackers may masquerade as trusted hosts and
send malicious packets. If these packets are accepted under the assumption that they are “clean” because they are from a trusted host, malicious code will infect the system. Therefore, it is advisable to test all packets, even when they originate from a trusted host. This problem can be avoided by implementing password authentication along with trust relationship–based authentication.
▪ Use Firewalls and Filtering Mechanisms
As stated above, all incoming and outgoing packets should be filtered to avoid attacks and loss of sensitive information. A firewall can restrict malicious packets from entering a private network and prevent severe data loss. Access-control lists (ACLs) can be used to block unauthorized access. However, the possibility of an insider attack also exists. Inside attackers can send sensitive information about the business to competitors, which could lead to financial loss and other issues. Another risk of outgoing packets is that an attacker may succeed in installing a malicious sniffing program running in a hidden mode on the network. These programs gather and send all the network information to the attacker without any notification after filtering out the outgoing packets. Therefore, the scanning of outgoing packets must be assigned the same importance as that of incoming packets.
▪ Use Random Initial Sequence Numbers
Most devices choose their initial sequence numbers (ISNs) based on timed counters. This makes the ISNs predictable, as it is easy for an attacker to determine the concept of generating an ISN. The attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then they can establish a malicious connection to the server and sniff network traffic. To avoid this risk, use random ISNs.
▪ Ingress Filtering
Ingress filtering prevents spoofed traffic from entering the Internet. It is applied to routers because it enhances the functionality of the routers and blocks spoofed traffic. Configuring and using ACLs that drop packets with a source address outside the defined range is one method of implementing ingress filtering.
▪ Egress Filtering
Egress filtering is a practice that aims to prevent IP spoofing by blocking outgoing packets with a source address from the outside.
▪ Use Encryption
To maximize network security, use strong encryption for all traffic placed on transmission media without considering its type and location. This is the best method to prevent IP spoofing attacks. IPSec can be used to drastically reduce the IP spoofing risk, as it provides data authentication, integrity, and confidentiality. Encryption sessions should be enabled on the router so that trusted hosts can communicate securely with local hosts. Attackers tend to focus on targets that are easy to compromise. If an attacker desires to break into an encrypted network, they must decrypt the entire slew of encrypted packets, which is a difficult task. Therefore, an attacker is likely to move on and attempt to find another target that is easy to compromise or simply abort the attempt. Moreover, use the latest encryption algorithms that provide strong security.
▪ SYN Flooding Countermeasures Countermeasures against SYN flooding attacks can also help avoid IP spoofing attacks. ▪ Other IP Spoofing Countermeasures
o Enhance the integrity and confidentiality of websites by migrating from IPv4 to IPv6 during development.
o Implement digital certificate authentication mechanisms such as domain and two-way auth certificate verification.
o Use a secure VPN while accessing any type of public Internet service such as free Wi-Fi and hotspots.
o Employ application-specific mitigation devices such as Behemoth scrubbers for deep-level packet investigation at a high speed of nearly 100 million packets/s.
reduce the time of active vulnerability.
o Configure routers to send encoded information about fragmented packets entering the network.
o Configure routers to verify the data packets using their signatures by storing the arriving data packet digests.
o Configure routers to hide intranet hosts from the external network by implementing modifications to the network address translation (NAT).
o Configure internal switches to table the DHCP static addresses to filter malicious spoofed traffic.
o Use secure versions of communication protocols (such as HTTPS, SFTP, and SSH) that offer encryption and authentication.
Scanning Detection and Prevention Tools Security professionals use various sophisticated tools such as ExtraHop and Splunk Enterprise Security to detect active networks and port scanning attempts initiated by attackers.
▪ ExtraHop Source: https://www.extrahop.com
Some of the additional scanning detection and prevention tools are listed below: ▪ Splunk Enterprise Security (https://www.splunk.com) ▪ Scanlogd (https://github.com) ▪ Vectra Detect (https://www.vectra.ai) ▪ IBM Security QRadar XDR (https://www.ibm.com) ▪ Cynet 360 AutoXDRTM (https://www.cynet.com)
ReferencesVia https://blog.51sec.org/2025/02/cehv13-notes-module-03-scanning-networks.html Shell GPT (SGPT) is a command-line tool that integrates with OpenAI’s GPT-4 models to enable natural language processing (NLP) from your Linux shell. It’s designed to simplify repetitive tasks, generate scripts, and assist with coding, all from within the terminal environment. SGPT is a powerful tool that brings the capabilities of OpenAI’s GPT models directly into the Linux command line.
Requirements
Install SGPTStep 1: Install PythonSGPT requires Python to run. Most Linux distributions come with Python pre-installed, but if not, you can install it using:sudo apt install python3 Step 2: Install pip (Python Package Installer)You’ll need a pip to install SGPT. Install it using the following command:sudo apt install python3-pip Step 3: Install SGPTNow that Python and pip are installed, you can install SGPT using pip:pip install shell-gpt --break-system-packages note: you will need to add --break-system-packages at the end of command. Else, you will get some warning messages and installation will be stopped.
You can use pip3 install shell-gpt as well.
Step 4: Verify InstallationOnce the installation is complete, verify that SGPT has been installed correctly by running:
┌──(root㉿kali)-[~/.config/shell_gpt]
└─# sgpt --version
ShellGPT 1.4.4
This should ask you to enter openai api key, then return the installed version of SGPT, confirming that it’s ready for use. Setting up OpenAI API KeyStep 1: Get the OpenAI API Key
After you set up your account, click on your account name at the top right and go to your profile. You will then set up billing and limits to fund your account.
You will want to fund your account. As a beginner or hobbyist, $5 USD is more than enough for most people to get started. I would also recommend disabling auto billing/funding and setting limits. If you don't want any surprises, set up your account properly.
Usage: 
Step 2: Set API Key in Environment Variableszsh and bash are different shells that can be used on macOS and other Unix style OSes (Linux, BSD, macOS …). zsh is similar to bash but has some additional features.zsh is the default shell in more recent macOS versions while bash is the default for older ones. You can change what shell gets used when you open an new tab or window in Terminal by going to the Terminal preferences. Both zsh and bash have a number of different shell files that get run at different times. The one you want to edit is either .zshrc or .bashrc (depending on your choice of shell) - these specific files contain shell commands that are run every time you open a new Terminal window or tab.
Alternatively, you can add this line to your ~/.zshrc to persist the key across sessions:
Configuring SGPT for Usage
Config File:SGPT creates a configuration file at ~/.config/shell_gpt/config.yaml where you can adjust default behaviour like:
sgpt usage Examples: QueryFull list of arguments
--model TEXT OpenAI model name. [default: text-davinci-003]
Query Examples:
sgpt usage Examples:Execute the shell code:
sgpt --shell --execute "make all files in current directory read only"
-> chmod 444 * -> Execute shell command? [y/N]: y ...
Outputs:
──(root㉿kali)-[~] Usage Examples for Vulnerability Scanningexample 1: Scan for open ports sgpt --shell "Scan 192.168.2.22 for open ports"
example 2: Scan for vulnerabilities sgpt --shell "Scan 192.168.2.21 for vulnerabilities"
example 3: Use Nikto to scan for web vulnerabilities
sgpt --shell "use Nikto scan 192.168.2.20 for vulnerabilities"
VideosReferences
Via https://blog.51sec.org/2025/02/using-ai-to-generate-commands-and-run.html Footprinting is the first step in the evaluation of the security posture of the IT infrastructure of a target organization. Through footprinting and reconnaissance, one can gather maximum information about a computer system or a network and about any device connected to that network. In other words, footprinting provides a security profile blueprint for an organization and should be undertaken in a methodological manner. Topics:
1. Explain Footprinting ConceptsReconnaissance
Reconnaissance (also known as footprinting) refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack. An essential aspect of footprinting is identifying the level of risk associated with the organization’s publicly accessible information. Footprinting, the first step in ethical hacking, refers to the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization’s network.
Types of Reconnaissance
Gathering information about the target without direct interaction
It involves:
• Open-source Intelligence (OSINT) gathering
• Proprietary databases and paid services
• Sharing intelligence with partner organizations or industry groups
Gathering information about the target with direct interaction It involves: • DNS interrogation • Social engineering • Network/port scanning • User and service enumeration
Information Obtained in Footprinting
Organization information
• Employee details
• Telephone numbers
• Branch and location details
• Background of the organization
• Web technologies
• News articles, press releases, and related documents
Network information
• Domain and sub-domains
• Network blocks
• Network topology, trusted routers, and firewalls
• IP addresses of the reachable systems
• Whois records
• DNS records
• Web server OS
• Location of web servers
• Publicly available email addresses
• Usernames and passwords
2. Demonstrate Footprinting through Search EnginesFootprint ing Using Advanced Google Hacking Techniques
• Attackers use search engines to extract information about a target, such as employed technology platforms, employee details, login pages, and intranet portals, which help the attacker to perform social engineering and other types of advanced system attacks
• Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information that helps attackers find vulnerable target
Attackers can use advanced search operators available with these search engines and create complex queries to find, filter, and sort specific information regarding the target. Search engines
are also used to find other sources of publicly accessible information. For example, you can type “top job portals” to find major job portals that provide critical information about the target organization.
Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information.
What can a Hacker Do with Google Hacking? An attacker can create complex search-engine queries to filter large amounts of search results to obtain information related to computer security. The attacker can use Google operators to locate specific strings of text within search results. Thus, the attacker can not only detect websites and web servers that are vulnerable to exploitation but also locate private and sensitive information about the target. Once a vulnerable site is identified, attackers attempt to launch various possible attacks, such as buffer overflow and SQL injection, which compromise information security. Examples of sensitive information on public servers that an attacker can extract with the help of Google Hacking Database (GHDB) queries include:
▪ Error messages that contain sensitive information
▪ Files containing passwords
▪ Sensitive directories
▪ Pages containing logon portals
▪ Pages containing network or vulnerability data, such as IDS, firewall logs, and configurations
▪ Advisories and server vulnerabilities
▪ Software version information
▪ Web application source code
▪ Connected IoT devices and their control panels, if unprotected
▪ Hidden web pages such as intranet and VPN services
Example: Use Google Advance Operator syntax [intitle:intranet inurl:intranet +intext:”human resources”] to find sensitive information about a target organization and its employees. Attackers use the gathered information to perform social engineering attacks.
An attacker can also leverage AI-powered ChatGPT or other generative AI technology to perform this task by using an appropriate prompt such as: “Use filetype search operator to obtain pdf files on the target website eccouncil.org and store the result in the recon1.txt file”
Shell-gpt / sgpt : https://github.com/tbckr/sgpt
The following shell command is designed to conduct advanced Google hacking using the “filetype” operator to specifically target PDF files within the eccouncil.org domain. The command
then saves the obtained results to a file named "recon1.txt":
▪ `lynx --dump "http://www.google.com/search?q=site:eccouncil.org+filetype:pdf"`: Initiates the Lynx web browser in dump mode to access Google's search results for PDF files within the eccouncil.org domain.
▪ `| grep "http"`: Filters out lines containing the string "http" from the Lynx output. ▪ `| cut -d "=" -f2`: Splits each line using the "=" delimiter and selects the second field.
▪ `| grep -o "http[^&]*"`: Searches for patterns starting with "http" followed by any characters except "&".
▪ `> recon1.txt`: Redirects the final output to a file named "recon1.txt" for storage.
Google Hacking Database
Source: https://www.exploit-db.com/google-hacking-database The GHDB is a subset of the Exploit-DB and focuses on using Google search queries (often referred to as "Google Dorks") to find sensitive information inadvertently exposed on the web. These queries exploit advanced Google search operators to uncover the following: ▪ Sensitive files: Such as configuration files, database dumps, and log files that may contain usernames, passwords, or other confidential data.
▪ Exposed directories: Open directories on web servers that might contain sensitive information.
▪ Error messages: Web server or application error messages that may reveal server configurations or vulnerabilities.
▪ Vulnerable devices: Identifying specific types of devices or software versions known to have vulnerabilities.
Footprinting Using Advanced Google Hacking Techniques
• Attackers use search engines to extract information about a target, such as employed technology platforms, employee details, login pages, and intranet portals, which help the attacker to perform social engineering and other types of advanced system attacks
• Google hacking refers to the use of advanced Google search operators for creating complex search queries to extract sensitive or hidden information that helps attackers find vulnerable targets
Google Hacking Database Source: https://www.exploit-db.com/google-hacking-database The GHDB is a subset of the Exploit-DB and focuses on using Google search queries (often referred to as "Google Dorks") to find sensitive information inadvertently exposed on the web. These queries exploit advanced Google search operators to uncover the following:
Attackers can also use SearchSploit, which is a command-line search tool for Exploit-DB that allows taking a copy of the Exploit database for remote use. It allows attackers to perform detailed offline searches through their locally checked-out copy of the repository. This capability is particularly useful for security assessments of segregated or air-gapped networks without Internet access.
Google Dork.
VPN Footprinting through Google Hacking Database with AI
Footprinting through SHODAN Search EngineSource: https://www.shodan.io
Shodan is a search engine that enables attackers to perform footprinting at various levels. It is used to detect devices and networks with vulnerabilities. A search in Shodan for VoIP and VPN footprinting can deliver various results, which will help gather VPN-and VoIP-related information.
Other Techniques for Footprinting through Search Engines
▪ Gathering Information Using Google Advanced Search, Advanced Image Search, and Reverse Image Search
▪ Gathering Information from Video Search Engines
▪ Gathering Information from Meta Search Engines
▪ Gathering Information from File Transfer Protocol (FTP) Search Engines
▪ Gathering Information from IoT Search Engines
shodan.io/search?query=SCADA
Mjor Search engines:
Google, Bing, Yahoo!, Ask.com, Aol, Baidu, DuckDuckGo
Search through LLM
Directly asking search engine such as : Give me an NMAP command to determine if there is a firewall in the way.
Google:
Bing:
Grok: https://x.ai/
Perplexity: https://www.perplexity.ai/
Operator:
https://www.shodan.io/search?query=webcam
inurl:webcam
Google Dork:
3. Footprinting through Internet Research ServicesFinding a Company’s Top-Level Domains (TLDs) and Sub-domains
Tools to Search Company’s Sub-domains
▪ Netcraft Source: https://www.netcraft.com
▪ DNSdumpster Source: https://dnsdumpster.com
▪ Pentest-Tools Find Subdomains Source: https://pentest-tools.com
Finding a Company’s Top-Level Domains (TLDs) and Sub-domains with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly find the top-level domains and subdomains of the target. Example #1 An attacker can use ChatGPT to perform this task by using an appropriate prompt such as:
Extracting Website Information from https://archive.org
Archive is an Internet Archive Wayback Machine that explores archived versions of websites. Such exploration allows an attacker to gather information on an organization’s web pages since its creation. As the website https://archive.org keeps track of web pages from the time of their creation, an attacker can retrieve even information removed from the target website, such as web pages, audio files, video files, images, text, and software programs. Attackers use this information to perform phishing and other types of web application attacks on the target organization.
Footprinting through People Search Services
You can use public record websites to find information about email addresses, phone numbers, house addresses, and other information. Many individuals use online people search services to find information about other people. Generally, online people search services such as Spokeo, Intelius, pipl, BeenVerified, Whitepages, Instant Checkmate, and PeekYou provide people’s names, addresses, contact details, date of birth, photographs, videos, profession, details about their family and friends, social networking profiles, property information, and optional background on criminal checks. Further, online people search services may often reveal the profession of an individual, businesses owned by a person, upcoming projects and operating environment, websites and blogs, contact numbers, important dates, company email addresses, cell phone numbers, fax numbers, and personal e-mail addresses. Using this information, an attacker can try to obtain bank details, credit card details, past history, and so on. This information proves to be highly beneficial for attackers to launch attacks. There are many available online people search services that help in obtaining information regarding people.
▪ People Search Service - Spokeo
Source: https://www.spokeo.com
Footprinting through Job Sites
Dark Web Footprinting
▪ Tor Browser, Source: https://www.torproject.org
Searching the Dark Web with Advanced Search Parameters
Determining the Operating System
▪ Netcraft Source: https://www.netcraft.com
▪ SHODAN Search Engine Source: https://www.shodan.io
▪ Censys Source: https://censys.io
Competitive Intelligence Gathering
Competitive intelligence helps in determining:
▪ What the competitors are doing?
▪ How competitors are positioning their products and services?
▪ What customers are saying about competitors’ strengths and weaknesses?
Information Resource Sites Information resource sites that help to gain competitive intelligence include: ▪ EDGAR Database Source: https://www.sec.gov/edgar
▪ D&B Hoovers Source: https://www.dnb.com
▪ LexisNexis Source: https://www.lexisnexis.com
▪ Business Wire Source: https://www.businesswire.com
▪ Factiva Source: https://www.dowjones.com
Competitive Intelligence - What Are the Company's Plans? Information resource sites that help attackers gain a company’s business plans include:
▪ MarketWatch Source: https://www.marketwatch.com
▪ The Wall Street Transcript Source: https://www.twst.com
▪ Euromonitor Source: https://www.euromonitor.com
▪ Experian Source: https://www.experian.com
▪ The Search Monitor
Competitive Intelligence - What Expert Opinions Say About the Company? Information resource sites that help the attacker to obtain expert opinions about the target company include:
▪ SEMRush Source: https://www.semrush.com
▪ ABI/INFORM Global Source: https://www.proquest.com
▪ SimilarWeb Source: https://www.similarweb.com
▪ SERanking Source: https://seranking.com
Other Techniques for Footprint ing through Internet Research Services
▪ Finding the Geographical Location of the Target
o Google Earth Source: https://earth.google.com
▪ Gathering Information from Financial Services
o Google Finance Source: https://www.google.com/finance
▪ Gathering Information from Business Profile Sites
Attackers use business profile sites such as opencorporates, Crunchbase, and corporationwiki to gather important information about the target organizations, such as their location, addresses, contact information (such as phone numbers, email addresses), employee database, department names, type of service provided, and type of industry.
▪ Monitoring Targets Using Alerts
Tools such as Google Alerts, X Alerts, and Giga Alerts help attackers to track mentions of the organization’s name, member names, website, or any people or projects that are important. Attackers can gather updated information about the target periodically from the alert services and use it for further attacks.
o Google Alerts Source: https://www.google.com/alerts
▪ Tracking the Online Reputation of the Target
An attacker may use ORM tracking tools to: o Track a company’s online reputation o Collect a company’s search engine ranking information o Obtain email notifications when a company is mentioned online o Track conversations o Obtain social news about the target organization Mention Source: https://mention.com
▪ Gathering Information from Groups, Forums, and Blogs
Attackers can register with fake profiles in Google Groups, LinkedIn Groups, and so on.
▪ Gathering Information from Public Source-Code Repositories
Source code–based repositories are online services or tools available on internal servers or can be hosted on third-party websites such as GitHub, GitLab, SourceForge, and BitBucket.
Attackers can use tools such as Recon-ng to discover public source-code repositories. o Recon-ng Source: https://github.com
4. Footprinting through Social Networking SitesPeople Search on Social Networking Sites
Social networking sites such as Facebook, Twitter, LinkedIn, and Instagram allow you to find people by name, keyword, company, school, friends, colleagues, and the people living around them.
Gathering Inform at ion from LinkedIn •
• Attackers use theHarvester tool to perform enumeration on LinkedIn and find employees of the target company along with their job titles
Attackers can use this information to gather more information, such as current location and educational qualifications, and perform social engineering or other kinds of attacks
Gathering Information from LinkedIn
LinkedIn is a social networking website for professionals. It connects the world’s human resources to aid productivity and success. The site contains personal information such as name, position, organization name, current location, educational qualifications, and so on. Information gathered from LinkedIn helps an attacker in performing social engineering or other kinds of attacks. Attackers can use theHarvester tool to gather information from LinkedIn based on the target organization name:
▪ theHarvester Source: https://github.com
theHarvester -d eccouncil -l 200 -b linkedin
In the above command, -d specifies the domain or company name to search, -l specifies the number of results to be retrieved, and -b specifies the data source as LinkedIn.
Harvesting Email Lists
Gathering email addresses related to the target organization acts as an important attack vector during the later phases of hacking. Attackers can use automated tools such as theHarvester and Email Spider to collect publicly available email addresses of the employees of the target organization. These tools harvest email lists related to a specified domain using search engines such as Google, Bing, and Yahoo. Attackers use these email lists and usernames to perform social engineering and brute force attacks on the target organization. ▪ theHarvester
Source: https://github.com
Attackers use theHarvester tool to extract email addresses related to the target domain. For example, attackers use the following command to extract email addresses of microsoft.com using the Baidu search engine:
theharvester -d microsoft.com -l 200 -b baidu
In the above command, -d specifies the domain used for harvesting the emails, -l will limit the results to 200, and -b tells theHarvester to extract the results from the Baidu search engine; alternatively, you can use Google, Bing, etc.
Harvesting Email Lists with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly find valuable email details of their target organization. For example, An attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Use theHarvester to gather email accounts associated with 'microsoft.com', limiting results to 200, and leveraging 'baidu' as a data source”
sgpt --chat fp --shell “Use theHarvester to gather email accounts associated with 'microsoft.com', limiting results to 200, and leveraging 'baidu' as a data source”
Analyzing Target Social Media Presence
Several online services and resources are available to gather valuable information about a target from one or more social media sites. These services allow attackers to discover most shared content across social media sites by using hashtags or keywords, track accounts and URLs on various social media sites, obtain a target’s email address, etc. This information helps attackers to perform phishing, social engineering, and other types of attacks. Attackers use tools such as BuzzSumo, Google Trends, Hashatit, and Ubersuggest to locate information on social media sites:
▪ BuzzSumo Source: https://buzzsumo.com
Tools for Footprinting through Social Networking Sites
Attackers use various tools such as Sherlock and Social Searcher to footprint social networking sites such as Twitter, Instagram, Facebook, and Pinterest to gather sensitive information about the target such as the date of birth, educational qualification, employment status, name of relatives, and information about the organization that they are working for, including the business strategy, potential clients, and upcoming project plans.
▪ Sherlock Source: https://github.com
Sherlock "Elon Musk"
▪ Social Searcher Source: https://www.social-searcher.com
Footprinting through Social Networking Sites with AI
For example, An attacker can use ChatGPT to perform this task by using an appropriate prompt such as: “Use Sherlock to gather personal information about Sundar Pichai and save the result in recon2.txt”
sgpt --chat footprint --shell “Use Sherlock to gather personal information about Sundar Pichai and save the result in recon2.txt”
5. Whois FootprintingWhois Lookup
Three types of data models exist to store and lookup Whois information: ▪ Thick Whois (Distributed Model) - Stores the complete Whois information from all the registrars for a particular set of data.
▪ Thin Whois (Centralized Model) - Stores only the name of the Whois server of the registrar of a domain, which in turn holds complete details on the data being looked up.
▪ Decentralized Whois - Stores complete WHOIS information and has multiple independent entities to manage the WHOIS database.
Whois query returns the following information: ▪ Domain name details ▪ Domain registrar ▪ Contact details of the domain owner ▪ Domain name servers ▪ NetRange ▪ When a domain has been created ▪ Expiry records ▪ Records last updated ▪ Domain status (available, registered, or suspended) ▪ IP address information
Regional Internet Registries (RIRs) The RIRs include the following:
▪ American Registry for Internet Numbers (ARIN) (https://www.arin.net)
▪ African Network Information Center (AFRINIC) (https://www.afrinic.net)
▪ Asia Pacific Network Information Center (APNIC) (https://www.apnic.net)
▪ Réseaux IP Européens Network Coordination Centre (RIPE) (https://www.ripe.net)
▪ Latin American and Caribbean Network Information Center (LACNIC) (https://www.lacnic.net)
Whois services such as https://whois.domaintools.com and https://www.tamos.com
Batch IP Converter, available at http://www.sabsoft.com
Finding IP Geolocation Information
IP geolocation helps to obtain information regarding a target such as its country, region/state, city, latitude and longitude of its city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, weather station code and name, mobile carrier, and elevation.
IP Geolocation Lookup Tools
▪ IP2Location Source: https://www.ip2location.com
6. DNS FootprintinDNS Footprinting
After collecting the Whois records of the target, the next phase of the footprinting methodology is Domain Name System (DNS) footprinting. Attackers perform DNS footprinting to gather information about DNS servers, DNS records, and the types of servers used by the target organization. This information helps attackers identify the hosts connected in the target network and further exploit the target organization. This section describes how to extract DNS information and perform reverse DNS lookups using various DNS interrogation tools
DNS footprinting helps in determining the following records about the target DNS:
DNS Interrogation Tools Attackers use DNS interrogation tools such as SecurityTrails, Fierce, DNSChecker, zdns and DNSdumpster.com to perform DNS footprinting. These tools can extract a range of IP addresses using IP routing lookup. If the target network allows unknown, unauthorized users to transfer DNS zone data, it is easy for an attacker to obtain DNS information with the help of a DNS interrogation tool. When an attacker queries a DNS server using a DNS interrogation tool, the server responds with a record structure that contains information about the target DNS. DNS records provide important information regarding the locations and types of servers. ▪ SecurityTrails Source: https://securitytrails.com
▪ Fierce Source: https://github.com
Attackers can use the following commands to perform DNS reconnaissance using the Fierce tool:
DNS Lookup with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly perform reverse DNS lookup activities on a target and acquire valuable insights. For example, Attackers can use ChatGPT to execute this task by using an appropriate prompt such as: "Install and use DNSRecon to perform DNS enumeration on the target domain www.certifiedhacker.com"
The following shell command is designed to perform DNS enumeration using the “dnsrecon” tool on the www.certifiedhacker.com domain:
sudo apt-get update && sudo apt-get install -y dnsrecon && dnsrecon -d certifiedhacker.com -t std Explanation of the command:
▪ sudo apt-get update: Updates the package lists for upgrades and new package installations.
▪ &&: Concatenates commands to execute them sequentially.
▪ sudo apt-get install -y dnsrecon: Installs the dnsrecon tool with automatic “yes” to all prompts.
▪ dnsrecon -d certifiedhacker.com -t std: Initiates the dnsrecon tool to perform DNS enumeration on the certifiedhacker.com domain using standard enumeration techniques.
Reverse DNS Lookup
DNS lookup is used to find the IP addresses for a given domain name, and a reverse DNS operation is performed to obtain the domain name of a given IP address. When looking for a domain by entering the domain name in a browser, the DNS converts the domain name into an IP address and forwards the request for further processing. This conversion of a domain name into an IP address is performed using a record. Attackers perform a reverse DNS lookup on the IP range to locate a DNS PTR record for such IP addresses.
Attackers use various tools such as DNSRecon, Reverse Lookup, puredns, Reverse IP Domain Check, and Reverse IP Lookup to perform reverse DNS lookup on the target host. When we obtain an IP address or a range of IP addresses, we can use these tools to obtain the domain name.
▪ DNSRecon
Source: https://github.com
As shown in the screenshot, attackers use the following command to perform a reverse DNS lookup on the target host:
dnsrecon -r 162.241.216.0-162.241.216.255
In the above command, the -r option specifies the range of IP addresses (first to last) for a reverse lookup by brute force.
▪ Reverse Lookup Source: https://mxtoolbox.com
7. Network and Email Footprinting
Network and Email Footprinting
The next step after retrieving DNS information is to gather network-related information and track email communications. This section describes the method to locate the network range, traceroute analysis, and traceroute tools. It also describes how to track email communications, how to collect information from email headers, and email tracking tools.
Obtaining private IP addresses can be useful to attackers. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP address space for private internets: 10.0.0.0–10.255.255.255 (10/8 prefix), 172.16.0.0–172.31.255.255 (172.16/12 prefix), and 192.168.0.0–192.168.255.255 (192.168/16 prefix).
Traceroute
Finding the route of the target host on the network is necessary to test against man-in-the-middle attacks and other related attacks. Most operating systems come with a Traceroute utility to perform this task. It traces the path or route through which the target host packets travel in the network. Traceroute uses the ICMP protocol and Time to Live (TTL) field of the IP header to find the path of the target host in the network.
TCP Traceroute
Many devices in any network are generally configured to block ICMP traceroute messages. In this scenario, an attacker uses TCP or UDP traceroute, which is also known as Layer 4 traceroute. Go to the terminal in Linux operating system and type the tcptraceroute command along with the destination IP address or domain name as follows:
sudo tcptraceroute www.google.com
UDP Traceroute
Like Windows, Linux also has a built-in traceroute utility, but it uses the UDP protocol for tracing the route to the destination. Go to the terminal in the Linux operating system and type the traceroute command along with the destination IP address or domain name as follows: traceroute www.google.com
Traceroute with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting operations. With the aid of AI, attackers can effortlessly perform tracerouting on a target. For example, Attackers can use ChatGPT to execute this task by using an appropriate prompt such as: "Perform network tracerouting to discover the routers on the path to a target host www.certifiedhacker.com"
The following shell command is designed to perform network tracerouting using the “traceroute” tool to discover the routers on the path to the www.certifiedhacker.com host: traceroute www.certifiedhacker.com
Explanation of the command: ▪ traceroute www.certifiedhacker.com: Initiates the traceroute tool to discover the routers on the path to the www.certifiedhacker.com host by sending packets to the destination with increasing time to live (TTL) values and analyzing the responses received from intermediate routers.
Traceroute Tools
Traceroute tools such as NetScanTools Pro, PingPlotter, Traceroute NG, and tracert are useful for extracting information about the geographical location of routers, servers, and IP devices in a network. Such tools help us to trace, identify, and monitor the network activity on a world map. Some of the features of these tools are as follows: ▪ Hop-by-hop traceroutes ▪ Reverse tracing ▪ Historical analysis ▪ Packet loss reporting ▪ Reverse DNS
▪ Ping plotting ▪ Port probing ▪ Detect network problems ▪ Performance metrics analysis ▪ Network performance monitoring
▪ NetScanTools Pro Source: https://www.netscantools.com
▪ PingPlotter Source: https://www.pingplotter.com
Tracking Email Communications
Email tracking monitors the email messages of a particular user. This kind of tracking is possible through digitally time-stamped records that reveal the time and date when the target receives and opens a specific email. Email tracking tools allow an attacker to collect information such as IP addresses, mail servers, and service providers involved in sending the email. Attackers can use this information to build a hacking strategy and to perform social engineering and other attacks. Examples of email tracking tools include IP2LOCATION’s Email Header Tracer, MxToolbox, DNS Checker Email Header Analyzer, and Social Catfish.
Collecting Information from Email Header An email header contains the details of the sender, routing information, addressing scheme, date, subject, and recipient. Email headers also help attackers to trace the routing path taken by an email before it is delivered to the recipient. Each email header is a useful source of information for an attacker to launch attacks against the target. The process of viewing the email header varies with different email programs. Commonly used email programs: ▪ eM Client ▪ Mailbird ▪ Hiri ▪ Mozilla Thunderbird ▪ Spike ▪ Claws Mail
▪ SmarterMail Webmail ▪ Outlook ▪ Apple Mail ▪ ProtonMail ▪ AOL Mail ▪ Tuta
The email header contains the following information: ▪ Sender’s mail server ▪ Date and time of receipt by the originator’s email servers ▪ Authentication system used by the sender’s mail server ▪ Data and time of sending the message ▪ A unique number assigned by mx.google.com to identify the message ▪ Sender’s full name ▪ Sender’s IP address and address from which the message was sent
The attacker can trace and collect all this information by performing a detailed analysis of the complete email header.
Email tracking tools such as IP2LOCATION’s Email Header Tracer, MxToolbox, eMailTrackerPro, Holehe, DNS Checker Email Header Analyzer, and Social Catfish allow an attacker to track an email and extract information such as sender identity, mail server, sender’s IP address, location, and so on. Attackers use the extracted information to track the email path from the attacker's location to the target mail server using IP addresses in the email header.
▪ eMailTrackerPro Source: http://www.emailtrackerpro.com
▪ IP2LOCATION’s Email Header Tracer Source: https://www.ip2location.com
8. Footprint ing through Social Engineering
Social engineers attempt to gather
• Credit card details and social security number • Usernames and passwords • Security products in use • Operating systems and software versions • Network layout information • IP addresses and names of servers
Social engineering techniques include
• Eavesdropping • Shoulder surfing • Dumpster diving • Impersonation
Footprinting through Social Engineering
Collecting Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Eavesdropping, shoulder surfing, dumpster diving, and impersonation are social engineering techniques widely used to collect information from people.
▪ Eavesdropping Eavesdropping is the act of intercepting communication in any form, such as audio, video, or text, without the consent of the communicating parties. It also includes reading confidential messages from communication media such as instant messaging or fax transmissions. The attacker can gain information by tapping phone conversations or intercepting audio, video, or written communications.
▪ Shoulder Surfing
Shoulder surfing is a technique whereby attackers secretly observe the target to gain critical information. In the shoulder surfing technique, an attacker stands behind the victim and secretly observes the victim’s activities on the computer, such as keystrokes while entering usernames, passwords, and so on. The technique is effective in gaining passwords, personal identification numbers, security codes, account numbers, credit card information, and similar data. Attackers can easily perform shoulder surfing in a crowded place, as it is relatively easy to stand behind and watch the victim without his or her knowledge.
▪ Dumpster Diving
This uncouth technique, also known as trashing, involves the attacker rummaging for information in garbage bins. The attacker may gain vital information such as phone bills, contact information, financial information, operations-related information, printouts of source codes, printouts of sensitive information, and so on from the target company’s trash bins, printer waste bins, sticky notes at users’ desks, and so on. The attacker may also gather account information from ATM trash bins. The information can help the attacker to commit attacks.
▪ Impersonation
Impersonation is a technique whereby an attacker pretends to be a legitimate or authorized person. Attackers perform impersonation attacks personally or use phones or other communication media to mislead targets and trick them into revealing information. The attacker might impersonate a courier/delivery person, janitor, businessman, client, technician, or he/she may pretend to be a visitor. Using this technique, an attacker gathers sensitive information by scanning terminals for passwords, searching important documents on desks, rummaging bins, and so on. The attacker may even try to overhear confidential conversations and “shoulder surf” to obtain sensitive information.
9. Automate Footprinting Tasks using Advanced Tools and AIFootprint ing Tools: Maltego and Recon-ng
Maltego
Maltego can be used to determine the relationships and real world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc.
Maltego is an automated tool that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc. Attackers can use different entities available in the tool to obtain information such as email addresses, a list of phone numbers, and a target’s Internet infrastructure (domains, DNS names, Netblocks, IP addresses information).
Recon-ng
Recon-ng is a Web Reconnaissance framework with independent modules and database interaction, which provides an environment in which open source, web-based reconnaissance can be conducted
FOCA
FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans
Fingerprinting Organizations with Collected Archives (FOCA) is a tool used mainly to find metadata and hidden information in the documents that its scans. FOCA is capable of scanning and analyzing a wide variety of documents, with the most common ones being Microsoft Office, Open Office, or PDF files. Features:
o Web Search - Searches for hosts and domain names through URLs associated with the main domain. Each link is analyzed to extract information from its new host and domain names.
o DNS Search - Checks each domain to ascertain the host names configured in NS, MX, and SPF servers to discover the new host and domain names.
o IP Resolution - Resolves each host name by comparison with the DNS to obtain the IP address associated with this server name. To perform this task accurately, the tool performs analysis against the organization’s internal DNS.
o PTR Scanning - Finds more servers in the same segment of a determined address; IP FOCA executes a PTR log scan
o Bing IP - Launches FOCA, which is a search process for new domain names associated with that IP address for each IP address discovered.
o Common Names - Perform dictionary attacks against the DNS.
subfinder
subfinder is a subdomain discovery tool that helps attackers find valid subdomains for websites. It supports multiple output formats (JSON, file, stdout).
Footprint ing Tools: OSINT Fram ework
• OSINT Framework is an open source intelligence gathering framework that is focused on gathering information from free tools or resources
•It provides a simple web interface that lists various OSINT tools arranged by categories and is shown as OSINT tree structure on the web interface
• Tools listed includes the following indicators: ▪ (T) - Indicates a link to a tool that must be installed and run locally ▪ (D) - Google Dork ▪ (R) - Requires registration
▪ (M) - Indicates a URL that contains the search term and the URL itself must be edited manuall
Other Tools:
Sudomy https://github.com
BillCipher https://github.com
BillCipher is an information gathering tool for a website or IP address. It can work on any operating system that supports Python 2, Python 3, and Ruby. This tool includes various options such as DNS lookup, Whois lookup, port scanning, zone transfer, host finder, and reverse IP lookup, which help to gather critical information.
whatweb https://github.com
Raccoon https://github.com
Recon-Dog https://github.com
Recon-Dog is an all-in-one tool for all basic information gathering needs. It uses APIs to collect information about the target system. Features:
o Censys: Uses censys.io to gather a massive amount of information about an IP address.
o NS lookup: Performs name server lookup o Port scan: Scans most common TCP ports o Detect CMS: Can detect 400+ content management systems o Whois lookup: Performs a Whois lookup o Detect honeypot: Uses shodan.io to check if the target is a honeypot
o Find subdomains: Uses findsubdomains.com to find subdomains
o Reverse IP lookup: Performs a reverse IP lookup to find domains associated with an IP address
o Detect technologies: Uses wappalyzer.com to detect 1000+ technologies o All: Runs all utilities against the target
Web Check https://web-check.xyz
OSINT.SH https://osint.sh
AI-Powered OSINT Tools
AI has revolutionized open-source intelligence (OSINT) by significantly enhancing investigative capabilities through advanced data collection, analysis, and prediction. AI automates data processing, extracts relevant insights, delivers actionable intelligence more efficiently than traditional methods, and enhances the OSINT tools. AI-powered tools offer numerous advantages for OSINT. The following are some key use cases in which AI can significantly benefit OSINT researchers. ▪ Web Scraping: AI techniques utilize online data from sources such as social media, blogs, forums, and deep web databases. This data enables the tracking of entities over time or the monitoring of public behavior. Machine-learning models can automate the extraction of specific information such as social media comments and replies.
▪ Pattern Recognition: Machine learning (ML) techniques can identify entities within large datasets and analyze files to identify the relationships between different entities. These entities include names, company details, addresses, emails, phone numbers, and relevant data.
▪ Content Summarization: NLP algorithms can summarize large volumes of data. OSINT gatherers can utilize this capability to extract pertinent information from extensive datasets. For example, an AI summarization tool can extract company names from a set of PDF files spanning hundreds of pages.
▪ Sentiment Analysis: AI technology can interpret human emotions through text analysis, which is particularly useful for understanding public sentiment. OSINT researchers can use AI to assess the emotional state of users based on social media posts and comments or to predict consumer behavior based on reviews.
▪ Image Recognition: Computer vision, a subset of AI, can analyze digital media files such as images and videos. In OSINT investigations, computer vision can assist in:
o Face Recognition: Identifying and tracking individuals across different media. o Metadata Analysis: Extracting metadata from digital files.
o Reverse Image Search: Enhancing reverse image search capabilities and detecting deepfake images.
▪ AI Detection: AI can also identify content generated by other AI tools, which is crucial for detecting malicious activities facilitated by AI.
AI-Powered OSINT Tool: Taranis AI Source: https://taranis.ai
Taranis AI is an advanced OSINT tool uses AI to enhance information gathering and situational analyses. It uses NLP and AI to improve the quality of data received from data sources, such as websites, to gather unstructured news articles. Analysts then transform these AI-enhanced articles into organized reports that are used as the basis for deliverables such as PDF files that are eventually published.
AI-Powered OSINT Tool: OSS Insight Source: https://ossinsight.io
OSS Insight leverages AI to delve deep into the GitHub ecosystem by analyzing an extensive dataset of over five billion GitHub events. This capability enables it to offer comprehensive insights and tools to enhance the understanding and navigation of the open-source world. From detailed repository analytics encompassing metrics such as stars, forks, and commits to insights into developer productivity and collaboration patterns, OSS Insight is equipped with powerful resources for informed decision-making and strategic planning in open-source software development.
Additional AI-Powered OSINT Tools
AI OSINT tools that leverage artificial intelligence to enhance the efficiency and accuracy of open-source intelligence gathering are as follows: ▪ DorkGPT Source: https://dorkgpt.com DorkGPT is an AI-powered tool designed to assist Google Dorking, a technique used to find information that is not easily accessible through regular search queries. It leverages the capabilities of GPT (Generative Pre-trained Transformer) models to generate and refine search queries, helping users uncover sensitive information, hidden pages, and other data that may be relevant to cybersecurity, ethical hacking, or research purposes.
▪ DorkGenius Source: https://dorkgenius.com DorkGenius is an AI-powered tool that automates Google Dorking and helps users
generate advanced search queries to find specific information on the internet. It is useful for uncovering hidden files, directories, sensitive information, and security vulnerabilities, particularly in the case of ethical hackers.
▪ Google Word Sniper Source: https://googlewordsniper.eu
Google Word Sniper helps to refine search queries for more effective Google results. It identifies targeted keywords and phrases, making it easier to find specific information, hidden content, and niche data. This tool is valuable for researchers, marketers, and cybersecurity professionals, as it enhances their ability to uncover valuable buried information in search results.
▪ Cylect.io Source: https://cylect.io
Cylect.io is an advanced AI-powered OSINT tool that integrates multiple databases into a user-friendly interface, providing a vast collection of resources for ethical hackers and enabling efficient and confident OSINT investigations. Developed to address the inefficiencies of traditional search engines, Cylect.io simplifies the search process and enhances the speed and accuracy of data collection in investigative contexts.
▪ ChatPDF Source: https://chatpdf.com
ChatPDF is an OSINT tool that leverages AI to analyze and extract information from PDF documents through a conversational interface. Users can upload PDF files and interact with the tool to quickly retrieve specific data, summaries, and insights, making it a valuable resource for ethical hacking.
▪ Bardeen.ai Source: https://www.bardeen.ai
Bardeen.ai is an automation tool that can be used for OSINT by enabling users to streamline and automate data collection and analysis processes from various online sources. This enhances the speed and accuracy of OSINT activities, making them useful assets for cybersecurity professionals, researchers, and investigators.
▪ DarkGPT Source: https://github.com/luijait/DarkGPT
DarkGPT is an AI assistant that uses GPT-4-200K to query leaked databases, aiding in efficient and targeted searches within compromised data sources. This enables users to extract vital information and insights, enhancing the OSINT capabilities of cybersecurity analysts and researchers.
▪ PenLink Cobwebs Source: https://cobwebs.com
PenLink Cobwebs is an advanced AI-powered OSINT tool that specializes in gathering and analyzing data from various online sources. It offers comprehensive capabilities for collecting, processing, and visualizing information to support cybersecurity investigations.
▪ Explore AI Source: https://exploreai.vercel.app
Explore AI is an AI-powered YouTube search engine that uses artificial intelligence to search for and extract information from YouTube videos, making it easier to access information for ethical hacking purposes.
▪ AnyPicker Source: https://app.anypicker.com
AnyPicker is a powerful visual web scraper and AI OSINT tool designed to extract data from websites without requiring coding skills. This tool supports scraping multiple pages simultaneously and provides a real-time preview of the extraction results, offering flexibility and efficiency in web data collection.
Create and Run Custom Python Script to Automate Footprinting Tasks with AI
Attackers can leverage AI-powered technologies to enhance and automate their footprinting tasks. With the aid of AI, attackers can effortlessly create and run custom footprinting scripts and acquire valuable insights about their targets. By developing custom scripts empowered by artificial intelligence (AI), attackers can efficiently execute a series of website footprinting commands to gather information about a target domain for cybersecurity assessments. For example, Attackers can use ChatGPT to guide the development of such a script by using an appropriate prompt such as: "Develop a Python script which will accept the domain name www.microsoft.com as input and execute a series of website footprinting commands, including DNS lookups, WHOIS records retrieval, email enumeration, and more, to gather information about the target domain."
10. Footprinting Countermeasures
Via https://blog.51sec.org/2025/02/cehv13-notes-module-02-footprinting-and.html |
|
RSS Feed
