# Footprinting

### Website Footprinting

#### Online Tools for Websites

Online services for looking up domains and IP addresses, DNS records, traceroute and nslookup results, WHOIS records, and similar data.

{% embed url="https://centralops.net/co/" %}

{% embed url="https://sitereport.netcraft.com/" %}

#### Kali Tools

* **Photon**: a Python script that crawls a given target URL to collect URLs (in-scope and out-of-scope), URLs with parameters, email addresses, social media accounts, files, secret keys and subdomains.
* **theHarvester**: gathers emails, subdomains, hosts, employee names, open ports, and banners from public sources.

#### Windows Tools

* **Web Data Extractor Pro**
* **HTTrack**: a website cloner

#### Web Servers and Open Ports

{% embed url="https://www.shodan.io/" %}

{% embed url="https://censys.com/" %}

### Banner Grabbing

#### Nmap

Identifying the services running on the target system.

Now that we have identified the target's IP address, we can run a quick Nmap scan with service version detection (`-sV`) and OS detection (`-O`, which needs root privileges) to identify the open ports on the target and the services behind them.

This can be done by running the following command:

```
nmap -sV -O 192.8.94.3
```

As shown in the following screenshot, this scan reveals that the target has only port 22 open, running SSH.

<figure><img src="https://assets-ine-com.s3.us-east-1.amazonaws.com/content/labs/cyber/sme/newproc/2aff2c0afc34cbfef8e52e5f5a34329e14debf42f2ca89ef00f70b632a17be66.png" alt=""><figcaption></figcaption></figure>

#### Banner grabbing with Nmap scripts

In certain cases, a traditional Nmap service version detection scan may not reveal accurate information about the exact version of a service that is running on a target system.

As a result, you may need to manually interact with a port to identify the exact service version.

Banner grabbing can be automated through the use of an Nmap script. In this case, we will be using the **banner.nse** script.

You can run the script as part of an Nmap scan of the target system with the following command:

```
nmap -sV --script=banner 192.8.94.3
```

As shown in the following screenshot, the **banner.nse** script does not reveal any new information regarding the version of OpenSSH running on port 22.

<figure><img src="https://assets-ine-com.s3.us-east-1.amazonaws.com/content/labs/cyber/sme/newproc/2534de4f3504e554818c2846cdbdfcb8ad43936f6de8d39fdd98ac271eb8eb60.png" alt=""><figcaption></figcaption></figure>

Banner grabbing may not reveal anything new about a service, but when Nmap cannot determine the exact version of a service running on a port, you will need to fall back to manual banner grabbing.

#### Banner grabbing with Netcat

Netcat can be used to perform banner grabbing manually on a port by directly connecting to it.

This can be done by running the following command:

```
nc 192.8.94.3 22
```

Netcat connects to the port and prints whatever the service sends on connection. SSH servers announce themselves immediately; services such as HTTP wait for the client to speak first, so in those cases you need to type a request before anything comes back.

As shown in the following screenshot, we can confirm that **OpenSSH 7.2p2** is running on port 22 on the target.

<figure><img src="https://assets-ine-com.s3.us-east-1.amazonaws.com/content/labs/cyber/sme/newproc/2817de2b26b8115c78a3820357e745145effe90c0feefb8d89a5b1c0e5dff977.png" alt=""><figcaption></figcaption></figure>
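The manual grab above, as an added example that is not part of the original page: a small Python banner grabber that does what `nc host 22` does, plus a parser for the SSH identification string (RFC 4253 format `SSH-protoversion-softwareversion [comments]`) that pulls out the software name and version the screenshot shows. The host, port and sample banner are constructed assumptions, not values from a real scan.

```python
"""Manual banner grabbing and SSH identification-string parsing (added example)."""
import re
import socket
from typing import Optional

# RFC 4253: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
_SSH_ID_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed sample banner in the shape an OpenSSH 7.2p2 server sends on connect.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"


def grab_banner(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect to host:port like `nc host port` and return whatever the service sends first.

    SSH servers send their identification string unprompted, so no client data is needed.
    Returns b"" if the service stays silent until the timeout (HTTP, for example, waits
    for a request before it answers).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(1024)
        except socket.timeout:
            return b""


def parse_ssh_banner(banner: bytes) -> Optional[dict]:
    """Split an SSH identification string into protocol, software name, version and comments.

    Servers may send other lines before the identification line, so every line is checked.
    Returns None when no line is an SSH identification string (non-SSH service or no banner).
    """
    for raw_line in banner.splitlines():
        line = raw_line.decode("ascii", errors="replace").rstrip("\r")
        match = _SSH_ID_RE.match(line)
        if match:
            # "OpenSSH_7.2p2" -> name "OpenSSH", version "7.2p2"
            name, _, version = match.group("software").partition("_")
            return {
                "proto": match.group("proto"),
                "name": name,
                "version": version,
                "comments": match.group("comments") or "",
            }
    return None


if __name__ == "__main__":
    import sys
    # Usage: python banner.py <host> <port>, e.g. the lab target and port 22 from the page.
    raw = grab_banner(sys.argv[1], int(sys.argv[2]))
    print(raw, parse_ssh_banner(raw))
```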
