Footprinting
Knowing how the attacker thinks, what tactics they will employ, is your first defense against them.
The cyber criminal does not try to break into your system physically or electronically without doing a bit of homework. Actually a good attacker will do a lot of homework on you or client's company and it's systems. In the end they may know a lot more than you ever wanted them too, maybe even more than you. In this stage of the attack, the attacker is utilizing as many publicly available information resources as they can find. With Footprinting the attacker is attempting to discover information on the target's Internet, Intranet, Remote Access, and Extranet environments. With this information the attacker is able to create a complete profile of the organization's security posture.
Information leakage is the key to this stage of attack. Any information that leaks out to a public format intended or otherwise is information leakage. So as a designer/developer how do you limit this "information leakage"? One step is to be aware of what information is publicly available and whatever you are able to control, you should do so. Remember that misinformation can be of assistance as well.
Reconnaissance
This phase is crucial as it involves deeper scrutiny of the target's digital presence. By examining the company's website, performing open-source searches, and leveraging advanced search engine capabilities, attackers can gather additional insights. This information helps them identify potential vulnerabilities and security weaknesses. For designers and developers, understanding these methods is key to identifying and mitigating potential risks. You'll need to be vigilant about what information is publicly accessible and work proactively to secure or obfuscate it to prevent exploitation.
Web Site
This is a good starting point for reconnaissance on a company. This is where the designer/developer must keep a careful eye on page content, even if the client wishes otherwise. Carefully examine raw HTML code, in particular comment tags. Attackers will often download an entire site for review later at their leisure.
Open Source Searches
Armed with the information from the web site an attacker can the do a public search for news articles, press releases, site references, etc. Each of these resources could provide some information about the security posture of a company. Previous or existing security issues could be mentioned in some of these sources, providing information on another vector of attack. Take the time to see what is out there, finding what information is available to the attacker and make the client aware of what is out there. Some key items to look for here is where an employee may have postings related to the company's security. An example would be a system administrator requesting information on configuring a device that they are having trouble with, thus potentially exposing the company to a breach of security.
Advanced Search Engine Capabilities
Most search engines allow for advanced searching that can list all sites with links back to the site/company. Someone may have created a site within a company without authorization, or even with, that opens a security vulnerability.
Public information must be made available but it can be limited. A careful examination of these same resources that the attacker will use is vital in determining what is available and how that public information can be controlled. Remove or limit any information that you can from these publicly available sources.
Scanning
Once reconnaissance is complete, the focus shifts to Scanning. This phase involves a more technical examination of the target's network and domain to uncover specific details about the infrastructure. Network enumeration, DNS interrogation, and network reconnaissance help identify potential entry points and weaknesses. It's important for system administrators and security professionals to understand these scanning techniques so they can implement effective defenses. By being aware of how attackers gather information and probe for vulnerabilities, you can better secure your systems and ensure that sensitive data remains protected. In the following sections, we'll delve into the technical details of these scanning processes and explore strategies to safeguard against them.
Network Enumeration
The first part of network enumeration is to identify the Domain Name(s) associated with the target organization. The domain name search yields important information such as the register which can then be researched to yield a more focused search. It is important to review the information provided by the register entry. Pay particular attention to the administrative contact information. Here is where a little obfuscation and misdirection can be of use. If this administrative contact information leads to a voice-mail, e-mail, phone number or physical address to a contact that is non-existent or used for any other purpose, then an attacker may spend time trying to utilize this information. This can also act as security trigger to let you know that someone is attempting to gain access or more information to direct a more focused attack, putting the administrator(s) on alert. Be aware that listed numbers in the registry information can be used for attempts at dial in attacks or social engineering as well. Also be aware of the network range listed in the registry information, this is what the attacker will be targeting. Make sure that each network address listed is protected. Often times a portion of the network that is on the periphery and is no longer utilized can provide an attacker with a way around a firewall. One very important consideration with the domain registry is who can make registry changes and how that is accomplished. Without an accurate and secure way of ensuring that the registry information being changed is valid then the target can be subjected to Domain Hijacking.
DNS Interrogation and Network Reconnaissance
Both of these areas fall under the control of the system administrator(s). It is worth your time though to research this area a bit farther so you can discuss these areas with the system administrator(s) of your client's site. One security measure to mention here is a solid NIDS (Network Intrusion Detection System).
In the next tutorials we will get down to the nuts and bolts of the attack. How exactly these attacks are accomplished and what you the designer/developer can do to thwart these attacks.
This page was published on It was last revised on