<Reg No>
Ex No 2: Active and Passive Reconnaissance (Footprinting)
15 Jul 2025
Aim:
To perform active and passive reconnaissance, including:
performing footprinting with Google Hacking,
extracting website information,
retrieving information about archived versions of a website,
extracting contents of a website, and
fetching and analyzing DNS information.
Software and Tools Required:
Whois, archive.org, Netcraft, Google search operators, host, dig, dnsenum, and Nmap to
gather information about a target.
Pre-Requisite Knowledge
Reconnaissance
Reconnaissance is the initial phase of ethical hacking or cyber-attacks, where the
attacker gathers as much information as possible about a target system to find ways to exploit it.
It can include gathering data like IP addresses, domain names, employee details, DNS info, and
open ports.
Active Reconnaissance
Active Reconnaissance involves direct interaction with the target system to collect
information. Tools like ping, nmap, dig, or dnsenum are used, and the target may detect this
activity through its logs or firewall alerts.
Example: Scanning a web server to identify open ports and services.
Passive Reconnaissance
Passive Reconnaissance involves gathering information without directly interacting
with the target, so it is stealthier. This is typically done using publicly available sources (OSINT).
Example: Collecting data from social media, WHOIS records, and search engines.
DNS (Domain Name System)
DNS is like the phonebook of the internet. It translates human-readable domain names (like
example.com) into IP addresses (like 93.184.216.34) that computers use to identify each other
on the network.
It also includes other record types like A, MX, NS, TXT, etc.
Ex No 2: Page 9
Mail Servers
Mail servers are responsible for sending, receiving, and storing emails. They use DNS MX
(Mail Exchange) records to route emails to the correct mail server for a domain.
Example: An MX record for example.com might point to mail.example.com.
Procedure:
Perform tasks on a demo target (example.com / test site). Record findings and answer the
questions.
Task 1: nslookup
Command:
nslookup amazon.org
Questions:
What is the registrant’s name?
REDACTED (Due to WHOIS privacy protection via PrivacyProtect.org)
Task 2: Using archive.org (Wayback Machine)
Questions:
Oldest snapshot available?
24 September 2009 (as shown at the top with “7,906 captures” from Sep 2009 – Jul 2025)
Directories or files observed in older snapshots?
1. /get started/
2. /developer tools/
3. /ai resources/
These sections are navigable from the top menu bar in the old snapshot.
How can historical data help an attacker?
1. Old versions may reveal outdated tech stacks, broken or unpatched links.
2. Exposed paths like /admin/, /login/, or early versions of posts/scripts could have vulnerable code.
3. Leak of internal file structure or forgotten backup files.
4. Insight into the growth, authorship, and technical areas of the site for social engineering.
Task 3: Using Netcraft
Target Site: https://www.amazon.org
Tool Used: Netcraft Site Report – https://sitereport.netcraft.com/
Questions:
List subdomains found.
1. practice.amazon.org
2. auth.amazon.org
3. login.amazon.org
Reported operating system.
Netcraft does not explicitly report the OS here, but since hosting is via Amazon Web Services (AWS) using the CloudFront CDN, it is likely a Linux-based server.
Why is knowing the OS important?
Knowing the server operating system is critical for:
1. Targeted exploitation: Attackers use OS-specific vulnerabilities (e.g., Linux Apache vs Windows IIS).
2. Tailoring payloads: Tools and payloads like Metasploit modules depend on OS detection.
3. Planning recon: OS helps infer server architecture, firewall behavior, and patching patterns.
Task 4: Google Hacking & Search Operators
site:amazon.org filetype:pdf
What PDF documents did you find?
Certificates from the Campus Ambassador program such as:
1. Aaditya Tamrakar – Campus Ambassador
2. Aditya Nihal Kumar Singh – Campus Ambassador
Found under: https://www.amazon.org/uploads/Campus...
Do any contain sensitive information?
No, the certificates contain public acknowledgments, not confidential data.
inurl:admin site:amazon.org
List the admin-related URLs discovered.
https://www.amazon.org/php/how-to-create-admin-login-page-using-php/
https://www.amazon.org/javascript/how-to-create-responsive-admin-dashboard-using-
html-css-javascript/
Are these accessible without authentication?
Yes, both of these pages are publicly accessible without authentication.
intitle:"index of" mp3
What directories or files are exposed?
No actual directories or files are exposed.
All results are regular articles/tutorials such as:
find-the-index-of-an-array-element-in-java
python-list-index
index-of-an-extra-element
Are any confidential?
- No, none of these pages appear confidential.
- They are publicly available tutorials and practice problems from amazon.
- No directory listings or sensitive file paths (like /admin, /config, or /backup) were revealed.
site:amazon.org inurl:login
Identify login portals found.
https://auth.amazon.org/
https://practice.amazon.org/accounts/login/
What technologies do they appear to use?
Frontend: HTML5, Angular/JS
Backend: Likely PHP/Python on AWS
site:amazon.org filetype:xls
What Excel files are publicly available?
Two .xls (Excel) files were found publicly accessible via a Bing search on the annauniv.edu domain:
1. https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fctdt.annauniv.edu%2Fpdfs%2FSTAFF_ENGAGEMENT_FORMAT.xlsx
   Title: CSRC - AU
   Description: Consolidated list of project / consultancy staff requirements.
2. https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fcfr.annauniv.edu%2Finstreco%2Finstrecdept-annexure%2FAnnexure-7.xlsx
   Title: Centre For Research
   Description: All India Council for Technical Education (AICTE) – Order copy (current academic year).
Do they contain financial or user data?
File 1 (ctdt.annauniv.edu) likely contains staff-related data.
File 2 (cfr.annauniv.edu) mentions AICTE order copies.
cache:amazon.org
View the cached version of the homepage.
Note differences between cached and live versions.
Aspect            Cached Version                               Live Version
Design/Layout     Slightly outdated layout.                    Updated modern layout with new banners.
Announcements     Older academic schedules visible.            Latest admission dates for 2025–26 updated.
News/Highlights   Missing or outdated.                         Current news like rankings, events, and FDTP shown.
Visual Elements   Fewer or compressed images.                  Rich visuals with banners, menus, and rankings.
Navigation Bar    Simplified or non-functional in snapshot.    Fully functional, dropdown menus present.
link:annauniv.edu
Find sites linking to the target.
http://www.aurcc.ac.in
https://stucor.in/COE1
https://coe2.annauniv.edu-php.ch/home/index_result.php
Could these links reveal partnerships or hosting details?
- aurcc.ac.in: Indicates a legitimate academic affiliation or partnership (as it's a regional campus of Anna University).
- stucor.in: Suggests external collaboration or data scraping for academic results. It may not be an official partner unless explicitly declared by Anna University.
- edu-php.ch: Raises a red flag. This domain might be:
  - A spoofed domain meant to look like coe2.annauniv.edu.
  - Possibly used for phishing attacks or stealing student credentials.
  - Not affiliated with Anna University and could harm its reputation.
site:annauniv.edu filetype:sql
Are there any exposed database dump files?
No result
What could an attacker do with them?
No result
intitle:"password file" filetype:txt
Do search results show text files containing passwords?
No, the search results do not show actual text files that contain real passwords.
site:annauniv.edu intext:"confidential"
Are there pages or documents containing the keyword “confidential”?
Yes, the screenshot shows that there are pages and documents on the annauniv.edu domain
that contain the keyword "confidential". Specifically:
1. HostelConnect page mentions "a confidential and empathetic ear..."
2. Academic Regulations – 2023 mentions "Any confidential / Intellectual Property Rights matters..."
3. Staff News from the College of Engineering Guindy mentions "Confidential Survey... This is completely Confidential..."
4. Centre for Composite Materials mentions "Preferred to have experience working with confidential data..."
site:*.annauniv.edu -www
Discover subdomains of example.com.
1. onlinecde.annauniv.edu
2. cfa.annauniv.edu
Which subdomains might be interesting for further exploration?
- onlinecde.annauniv.edu: Might include login portals, learning materials, past papers, and internal announcements. Good place to look for e-learning or distance program resources.
- cfa.annauniv.edu: If you’re researching admission procedures, cutoffs, or forms for 2025-2026, this is a key place to look. Can also reveal G.O.s, official circulars, and counseling rules.
filetype:bak OR filetype:old OR filetype:backup site:annauniv.edu
No result.
site:annauniv.edu filetype:pdf "question paper"
What backup files are publicly exposed?
None are publicly exposed using this search.
Could these reveal source code or database dumps?
No, because no backup files were found in this search.
intitle:"restricted" site:annauniv.edu
Do any pages indicate restricted or private access?
No
Task 5: Active Reconnaissance using host/dig/dnsenum
host annauniv.edu
What is the IP address of the target?
14.139.161.7
Are there any aliases or mail servers listed?
annauniv-edu.mail.protection.outlook.com
dig annauniv.edu
dig annauniv.edu NS
Record the A record and NS records.
A record is: 14.139.161.7
NS record is: ns1.annauniv.edu
What does the TTL value tell you?
TTL = 3600 seconds
dig annauniv.edu MX
What mail servers (MX records) are found?
annauniv-edu.mail.protection.outlook.com with priority 0.
Are they hosted internally or by a third party?
- The mail server is hosted by Microsoft Outlook (Office 365); this is a third-party service used for email protection and delivery.
- So the mail services are not hosted internally, but are managed via Outlook's email security infrastructure (Microsoft 365).
dig annauniv.edu ANY
List all available DNS records returned.
A record (IPv4 address):
annauniv.edu. 2874 IN A 14.139.161.7
AAAA record (IPv6 address):
annauniv.edu. 2874 IN AAAA 64:ff9b::e8b:a107
MX record (Mail Exchange):
annauniv.edu. 3388 IN MX 0 annauniv-edu.mail.protection.outlook.com.
Do you see TXT, SPF, or DKIM records?
No records are available.
dnsenum annauniv.edu
List discovered subdomains.
Subdomain                      IP Address
autodiscover.annauniv.edu      CNAME to autodiscover.outlook.com → [40.99.34.232, 40.104.107.152, etc.]
dev.annauniv.edu               14.139.161.86
ns.annauniv.edu                14.139.161.5
ns1.annauniv.edu               14.139.161.6
ns2.annauniv.edu               14.139.161.252
www.annauniv.edu               14.139.161.7
cs.annauniv.edu                14.139.161.14
qlab.annauniv.edu              14.139.161.17
ceap.annauniv.edu              14.139.161.21
rcell.annauniv.edu             14.139.161.22
aurecruitment.annauniv.edu     14.139.161.22
ceapcollegeinfo.annauniv.edu   14.139.161.24
idp.annauniv.edu               14.139.161.25
moodle.annauniv.edu            14.139.161.26
fbonline.annauniv.edu          14.139.161.27
alumni.annauniv.edu            14.139.161.33
csrc.annauniv.edu              14.139.161.34
elearn.annauniv.edu            14.139.161.35
cfr1.annauniv.edu              14.139.161.37
cfd.annauniv.edu               14.139.161.38
cde.annauniv.edu               14.139.161.40
cfr.annauniv.edu               14.139.161.41
cdefee.annauniv.edu            14.139.161.43
rccserver.annauniv.edu         14.139.161.44
acoe.annauniv.edu              14.139.161.45
sems.annauniv.edu              14.139.161.46
cac.annauniv.edu               14.139.161.52
vrl.annauniv.edu               14.139.161.54
cai1.annauniv.edu              14.139.161.55
biometric.annauniv.edu         14.139.161.58
placement.annauniv.edu         14.139.161.59
aulib.annauniv.edu             14.139.161.63
webopac.annauniv.edu           14.139.161.64
irepose.annauniv.edu           14.139.161.65
cironline.annauniv.edu         14.139.161.66
cir.annauniv.edu               14.139.161.67
ceg.annauniv.edu               14.139.161.68
cqm.annauniv.edu               14.139.161.70
ctdt.annauniv.edu              14.139.161.73
ctdtproj.annauniv.edu          14.139.161.74
library.annauniv.edu           14.139.161.82
auwifi.annauniv.edu            14.139.161.85
tancet.annauniv.edu            14.139.161.90
reimbursement.annauniv.edu     14.139.161.91
cfa.annauniv.edu               14.139.161.92
irs.annauniv.edu               14.139.161.98
civil.annauniv.edu             14.139.161.98
fb.annauniv.edu                14.139.161.98
estateoffice.annauniv.edu      14.139.161.98
contact.annauniv.edu           14.139.161.98
auvpn.annauniv.edu             14.139.161.105
iqacserver.annauniv.edu        14.139.161.106
aucoe.annauniv.edu             14.139.161.113
acz.annauniv.edu               14.139.161.114
admissions.annauniv.edu        14.139.161.116
What other domains or IP ranges are identified?
Mail Server IPs (Office 365):
52.101.144.0
52.101.144.3
52.101.145.0
52.101.145.2
dig -x <target_ip>
What is the reverse DNS lookup result?
NXDOMAIN indicates "Non-Existent Domain" — meaning no PTR (reverse DNS) record
exists for 14.139.161.7.
Does it reveal a meaningful hostname?
No, it does not reveal a meaningful hostname.
What is a DNS zone transfer?
- A DNS Zone Transfer (AXFR) is a mechanism to replicate DNS databases between DNS servers, commonly used between master and slave name servers.
- Security risk: If a DNS server allows zone transfers to unauthorized users, attackers can retrieve all DNS records for a domain, which can expose subdomains, IP addresses, and services.
Use dig or host to attempt a zone transfer:
dig axfr zonetransfer.me @nsztm1.digi.ninja.
host -l zonetransfer.me nsztm1.digi.ninja.
dig AXFR example.com @ns1.example.com
Was the zone transfer successful?
No, the zone transfer was not successful.
What records or data did you discover?
Since the AXFR (zone transfer) failed, no DNS records were retrieved.
Why could a successful zone transfer pose a security risk?
A successful zone transfer would expose the entire DNS zone file, which can include:
Type of Record   Potential Risk
A, AAAA          Reveal internal IPs or hidden servers
MX, TXT          Expose email routing, SPF/DKIM settings
CNAME, NS        Show dependencies on external services
Subdomains       Expose staging, admin, or development portals
TXT Notes        Sometimes contain sensitive or internal comments
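As an added example for this task (not part of the original lab record): a Python script that parses dig-style answer lines such as those recorded above and summarises what the footprint exposes, the way a defender would audit their own zone: an MX host outside the zone (mail handled by a third party, Office 365 here), the absence of an SPF TXT record, CNAMEs pointing to external providers, and names that share one IP address (as the 14.139.161.98 hosts in the dnsenum table do). The sample input is constructed from the dig ANY and dnsenum results above; the function names are the example's own.

```python
# Added example (not from the original record): parse dig-style answer lines and
# summarise what the footprint exposes, as a defender reviewing their own zone would.
from collections import defaultdict

# Constructed sample: the dig ANY output and a few dnsenum hosts recorded above.
SAMPLE_ZONE = """\
annauniv.edu. 2874 IN A 14.139.161.7
annauniv.edu. 2874 IN AAAA 64:ff9b::e8b:a107
annauniv.edu. 3388 IN MX 0 annauniv-edu.mail.protection.outlook.com.
irs.annauniv.edu. 3600 IN A 14.139.161.98
civil.annauniv.edu. 3600 IN A 14.139.161.98
fb.annauniv.edu. 3600 IN A 14.139.161.98
autodiscover.annauniv.edu. 3600 IN CNAME autodiscover.outlook.com.
"""

def parse_records(text):
    """dig 'name TTL IN TYPE rdata' lines -> (name, ttl, type, rdata); skips ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, *rdata = line.split()
        records.append((name.rstrip(".").lower(), int(ttl), rtype.upper(), " ".join(rdata)))
    return records

def in_zone(host, zone):
    # True if host is the zone apex or a name under it (trailing dot ignored)
    host = host.rstrip(".").lower()
    return host == zone or host.endswith("." + zone)

def footprint(text, zone):
    """What the zone data reveals: third-party mail, missing SPF, external CNAMEs, shared hosts."""
    recs = parse_records(text)
    zone = zone.rstrip(".").lower()
    mx_hosts = [rdata.split()[-1] for _, _, rtype, rdata in recs if rtype == "MX"]  # drop the priority
    by_ip = defaultdict(list)
    for name, _ttl, rtype, rdata in recs:
        if rtype in ("A", "AAAA"):
            by_ip[rdata].append(name)
    return {
        "third_party_mail": [h for h in mx_hosts if not in_zone(h, zone)],
        "has_spf": any(rtype == "TXT" and "v=spf1" in rdata.lower() for _, _, rtype, rdata in recs),
        "external_cnames": [(n, t) for n, _, ty, t in recs if ty == "CNAME" and not in_zone(t, zone)],
        "shared_ips": {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1},
        "min_ttl": min(ttl for _, ttl, _, _ in recs),  # low TTL: records may change quickly
    }

if __name__ == "__main__":
    for key, value in footprint(SAMPLE_ZONE, "annauniv.edu").items():
        print(f"{key}: {value}")
```

Feed it the saved output of `dig <domain> ANY` or a permitted AXFR of your own zone to see the same summary for a real domain.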
Result
Thus, information gathering using active and passive reconnaissance (footprinting) was successfully executed.
Rubric for Evaluation
Parameter                          Max Marks   Marks Obtained
Exploration of all commands        10
Originality of the work            10
Sub Total                          20
Completion of experiment on time   5
Documentation                      5
Sub Total                          10
Signature of the faculty with Date