Footprinting - Enumeration and Information Gathering Notes

Overview

Enumeration is a systematic approach to gathering information about target systems through both active (scanning) and passive (third-party sources) means. Unlike OSINT, which relies exclusively on passive collection, enumeration can involve direct interaction with the target infrastructure.

Core Principles

  1. Look beyond the obvious - there's always more than meets the eye

  2. Distinguish between visible and hidden information

  3. Continuously seek additional information for complete understanding

  4. Plan strategically before taking action

  5. Avoid common pitfalls like rushing into brute-force attempts

Methodology Layers

1. Internet Presence

  • Focus: External infrastructure visible on the internet

  • Key elements: Domains, subdomains, vHosts, ASN, netblocks, IP addresses, cloud instances

  • Goal: Map complete external attack surface

2. Gateway

  • Focus: Security measures and protective infrastructure

  • Elements: Firewalls, DMZ, IPS/IDS, EDR, proxies, NAC, network segmentation

  • Goal: Understand security posture and defensive layers

3. Accessible Services

  • Focus: Available services and interfaces

  • Elements: Service types, functionality, configurations, ports, versions

  • Goal: Identify potential entry points and vulnerabilities

4. Processes

  • Focus: Internal processes and relationships

  • Elements: PIDs, processed data, tasks, source/destination relationships

  • Goal: Understand system interactions and dependencies

5. Privileges

  • Focus: Access controls and permissions

  • Elements: Groups, users, permissions, restrictions

  • Goal: Identify potential privilege escalation paths

6. OS Setup

  • Focus: Operating system configuration

  • Elements: OS type, patch level, network config, sensitive files

  • Goal: Understand internal security posture

Key Areas of Investigation

Domain Information

  • Initial website analysis

  • SSL/TLS certificate examination (Certificate Transparency logs such as crt.sh list every certificate issued for the domain, including subdomains)

  • Subdomain enumeration

  • Company-hosted server identification

  • DNS record analysis

Cloud Resources

  • Focus on AWS, GCP, and Azure resources

  • Watch for misconfigured storage access (publicly readable or writable buckets and blob containers)

  • Check DNS records for cloud resources (CNAMEs pointing at provider hostnames reveal where a subdomain is really hosted)

  • Watch for SSH keys and other credentials exposed in public storage or source repositories
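
The "check DNS records for cloud resources" item above, worked through as an added example (this is not code from the original notes). It parses dig-style answer lines, flags CNAME targets that end in well-known AWS, GCP or Azure hostnames, and pulls out the bucket or storage-account name where the naming scheme makes that possible, which is the name you would then check for misconfigured access. The answer lines, owner names and targets are a constructed sample, and the suffix list is illustrative rather than exhaustive.

```python
"""Spot cloud-hosted resources in DNS answers (added example, not from the original notes)."""
import re

# Real provider hostname suffixes commonly seen as CNAME targets. Illustrative list, not exhaustive.
CLOUD_SUFFIXES = {
    "AWS": (".s3.amazonaws.com", ".amazonaws.com", ".cloudfront.net", ".elasticbeanstalk.com"),
    "GCP": (".storage.googleapis.com", ".googleapis.com", ".appspot.com", ".run.app"),
    "Azure": (".blob.core.windows.net", ".azurewebsites.net", ".azureedge.net",
              ".cloudapp.azure.com", ".trafficmanager.net"),
}

# Constructed sample in dig's answer-section format; domain.com and the targets are placeholders.
DIG_SAMPLE = """\
www.domain.com.        300  IN  CNAME  d111111abcdef8.cloudfront.net.
assets.domain.com.     300  IN  CNAME  domain-assets.s3.amazonaws.com.
files.domain.com.      300  IN  CNAME  domainfiles.blob.core.windows.net.
app.domain.com.        300  IN  CNAME  domain-app.azurewebsites.net.
static.domain.com.     300  IN  CNAME  c.storage.googleapis.com.
mail.domain.com.       3600 IN  MX     10 mail.domain.com.
vpn.domain.com.        300  IN  A      203.0.113.5
"""

# owner  TTL  IN  TYPE  rdata   (rdata may contain spaces, e.g. MX priority + host)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_dig_answers(text):
    """Return (owner, type, rdata) tuples from dig answer lines, trailing dots removed."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        records.append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return records


def classify_target(target):
    """Provider name if the hostname ends in a known cloud suffix, else None."""
    host = target.lower()
    for provider, suffixes in CLOUD_SUFFIXES.items():
        if any(host.endswith(s) for s in suffixes):
            return provider
    return None


def storage_name(owner, target):
    """Best-effort bucket/account name behind a storage CNAME, or None.

    S3 virtual-hosted style: <bucket>.s3[.<region>].amazonaws.com
    Azure Blob:              <account>.blob.core.windows.net
    GCS via c.storage alias: the bucket is named after the owner hostname itself
    """
    host = target.lower()
    m = re.match(r"^([^.]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", host)
    if m:
        return m.group(1)
    m = re.match(r"^([^.]+)\.blob\.core\.windows\.net$", host)
    if m:
        return m.group(1)
    if host == "c.storage.googleapis.com":
        return owner.lower()
    return None


def cloud_resources(text):
    """Map each owner whose CNAME points at a cloud provider to (provider, target, storage_name)."""
    found = {}
    for owner, rtype, rdata in parse_dig_answers(text):
        if rtype != "CNAME":
            continue  # only CNAMEs carry the provider hostname; A/MX records are skipped here
        provider = classify_target(rdata)
        if provider:
            found[owner] = (provider, rdata, storage_name(owner, rdata))
    return found


if __name__ == "__main__":
    for owner, (provider, target, name) in cloud_resources(DIG_SAMPLE).items():
        print(f"{owner:20} {provider:6} {target:40} storage={name}")
```

Feed it the answer section of a `dig` run (or any zone data you have collected) instead of the constructed sample; the names it returns are the ones to check for anonymous read or write access, within scope.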

Staff Information

  • LinkedIn profiles and job posts

  • Social media presence

  • GitHub repositories

  • Team structure and roles

Command Reference

SSL Certificate Enumeration

# Get JSON output of SSL certificates
curl -s "https://crt.sh/?q=domain.com&output=json" | jq .

# List unique subdomains from certificates
# List unique subdomains from certificates (name_value can hold several newline-separated names; wildcard prefixes are stripped)
curl -s "https://crt.sh/?q=domain.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

DNS and Host Resolution

# Resolve subdomains to IP addresses (keeps only "has address" lines, i.e. IPv4 A records;
# match "has IPv6 address" as well if AAAA records matter)
for i in $(cat subdomainlist); do host $i | grep "has address" | grep domain.com | cut -d" " -f1,4; done

# Get all DNS records (many servers answer ANY with a minimal response or refuse it, per RFC 8482;
# if so, query the record types individually: A, AAAA, MX, NS, TXT, SOA)
dig any domain.com
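
The two steps above (pull candidate names from crt.sh, then resolve them and keep only the in-scope ones) as one added example script; this is not code from the original notes, and it runs offline on constructed data. The crt.sh JSON, the `host` output lines, the placeholder domain `domain.com`, the RFC 5737 / RFC 3849 test addresses and the in-scope netblocks are all made up. Compared with the one-liners it also handles the cases that trip them up: `name_value` entries holding several names, wildcard and mixed-case names, and look-alike names such as `domain.com.evil.test` that a plain `grep domain.com` would keep.

```python
"""crt.sh JSON -> subdomains -> host output -> in-scope targets (added example, not original code)."""
import ipaddress
import json
import re

# Constructed sample of a crt.sh output=json response (real field names, made-up values).
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.domain.com", "name_value": "www.domain.com\ndomain.com"},
    {"common_name": "*.domain.com", "name_value": "*.domain.com\nmail.domain.com"},
    {"common_name": "vpn.domain.com", "name_value": "vpn.domain.com"},
    {"common_name": "dev.domain.com", "name_value": "Dev.Domain.com"},
    {"common_name": "domain.com.evil.test", "name_value": "domain.com.evil.test"},
])

# Constructed sample of `host` output for those names (documentation address ranges only).
HOST_SAMPLE = """\
www.domain.com has address 203.0.113.10
domain.com has address 203.0.113.10
mail.domain.com has address 203.0.113.25
mail.domain.com mail is handled by 10 mail.domain.com.
vpn.domain.com has address 198.51.100.7
dev.domain.com has IPv6 address 2001:db8::1
"""

# Assumed in-scope netblocks (placeholders for what the engagement scope would list).
SCOPE_NETBLOCKS = ["203.0.113.0/24", "2001:db8::/32"]

HOST_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def subdomains_from_crtsh(raw_json, domain):
    """Sorted unique hostnames that are `domain` or end in `.domain`, from crt.sh JSON.

    Splits multi-name name_value fields, strips a leading "*.", lower-cases, and
    rejects names that merely contain the domain string.
    """
    domain = domain.lower()
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def parse_host_output(text):
    """Map hostname -> set of addresses from `host` output; MX and alias lines are ignored."""
    results = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            results.setdefault(m.group(1), set()).add(m.group(2))
    return results


def in_scope(address, netblocks):
    """True if the IPv4/IPv6 address lies inside one of the in-scope CIDR blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(block) for block in netblocks)


def scoped_targets(raw_json, host_text, domain, netblocks):
    """Join both parsers: CT-log names that resolved, keeping only in-scope addresses."""
    resolved = parse_host_output(host_text)
    targets = {}
    for name in subdomains_from_crtsh(raw_json, domain):
        addrs = sorted(a for a in resolved.get(name, ()) if in_scope(a, netblocks))
        if addrs:
            targets[name] = addrs
    return targets


if __name__ == "__main__":
    for host, addrs in scoped_targets(CRTSH_SAMPLE, HOST_SAMPLE, "domain.com", SCOPE_NETBLOCKS).items():
        print(host, ", ".join(addrs))
```

In practice you would replace the two samples with the saved output of the `curl` and `host` commands above; the scope filter is what stops a name that resolves to a third-party or shared-hosting address from silently becoming a target.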

Shodan Reconnaissance

# Get information about multiple IP addresses
# (the shodan CLI needs an API key configured once beforehand with: shodan init <API_KEY>)
for i in $(cat ip-addresses.txt); do shodan host $i; done

Best Practices

  1. Document all findings systematically

  2. Verify information from multiple sources

  3. Keep track of scope boundaries

  4. Note unusual patterns or anomalies

  5. Maintain stealth when required by using passive techniques

Red Team Tips

  • Always consider the broader context of discovered information

  • Look for interconnections between different pieces of data

  • Document potential attack vectors for later testing

  • Keep track of access points that might be useful in later phases

  • Note default configurations and common misconfigurations for discovered services