Footprinting - Enumeration and Information Gathering Notes

Overview

Enumeration is a systematic approach to gathering information about target systems through both active (scanning) and passive (third-party sources) means. Unlike OSINT, which relies exclusively on passive collection, enumeration can involve direct interaction with the target infrastructure.

Core Principles

Look beyond the obvious - there's always more than meets the eye
Distinguish between visible and hidden information
Continuously seek additional information for complete understanding
Plan strategically before taking action
Avoid common pitfalls like rushing into brute-force attempts

Methodology Layers

1. Internet Presence

Focus: External infrastructure visible on the internet
Key elements: Domains, subdomains, vHosts, ASN, netblocks, IP addresses, cloud instances
Goal: Map complete external attack surface

2. Gateway

Focus: Security measures and protective infrastructure
Elements: Firewalls, DMZ, IPS/IDS, EDR, proxies, NAC, network segmentation
Goal: Understand security posture and defensive layers

3. Accessible Services

Focus: Available services and interfaces
Elements: Service types, functionality, configurations, ports, versions
Goal: Identify potential entry points and vulnerabilities

4. Processes

Focus: Internal processes and relationships
Elements: PIDs, processed data, tasks, source/destination relationships
Goal: Understand system interactions and dependencies

5. Privileges

Focus: Access controls and permissions
Elements: Groups, users, permissions, restrictions
Goal: Identify potential privilege escalation paths

6. OS Setup

Focus: Operating system configuration
Elements: OS type, patch level, network config, sensitive files
Goal: Understand internal security posture

Key Areas of Investigation

Domain Information

Initial website analysis
SSL certificate examination
Subdomain enumeration
Company-hosted server identification
DNS record analysis

Cloud Resources

Focus on AWS, GCP, and Azure resources
Watch for misconfigured storage access
Check DNS records for cloud resources
Monitor for exposed SSH keys

Staff Information

LinkedIn profiles and job posts
Social media presence
GitHub repositories
Team structure and roles

Command Reference

SSL Certificate Enumeration

# Get JSON output of SSL certificates
curl -s "https://crt.sh/?q=domain.com&output=json" | jq .

# List unique subdomains from certificates
curl -s "https://crt.sh/?q=domain.com&output=json" | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u

DNS and Host Resolution

# Resolve subdomains to IP addresses
for i in $(cat subdomainlist); do host $i | grep "has address" | grep domain.com | cut -d" " -f1,4; done

# Get all DNS records
dig any domain.com

Shodan Reconnaissance

# Get information about multiple IP addresses
for i in $(cat ip-addresses.txt); do shodan host $i; done

Best Practices

Document all findings systematically
Verify information from multiple sources
Keep track of scope boundaries
Note unusual patterns or anomalies
Maintain stealth when required by using passive techniques

Red Team Tips

Always consider the broader context of discovered information
Look for interconnections between different pieces of data
Document potential attack vectors for later testing
Keep track of access points that might be useful in later phases
Note default configurations and common misconfigurations for discovered services

PreviousNetwork Mapping and Security Auditing Tool NextFTP Pentesting Notes

hashtagOverview

hashtagCore Principles

hashtagMethodology Layers

hashtag1. Internet Presence

hashtag2. Gateway

hashtag3. Accessible Services

hashtag4. Processes

hashtag5. Privileges

hashtag6. OS Setup

hashtagKey Areas of Investigation

hashtagDomain Information

hashtagCloud Resources

hashtagStaff Information

hashtagCommand Reference

hashtagSSL Certificate Enumeration

hashtagDNS and Host Resolution

hashtagShodan Reconnaissance

hashtagBest Practices

hashtagRed Team Tips