Full Report
We were asked to contribute an article to PenTest magazine, and chose to write up an introductory how-to on footprinting. We’ve republished it here for those interested. Network footprinting is, perhaps, the first active step in the reconnaissance phase of an external network security engagement. This phase is often highly automated with little human interaction as the techniques appear, at first glance, to be easily applied in a general fashion across a broad range of targets. As a security analyst, footprinting is also one of the most enjoyable parts of my job as I attempt to outperform the automatons; it is all about finding that one target that everybody forgot about or did not even know they had, that one old IIS 5 webserver that is not used, but not powered off.
Analysis Summary
# Best Practices: External Network Footprinting and Reconnaissance
## Overview
These practices are derived from advanced external reconnaissance methodologies (footprinting) used in security engagements. Their primary purpose, from a defensive perspective, is to help an organization understand the "attack surface" it presents to the public internet, identify forgotten assets, and continuously monitor for exposure stemming from outdated or unmanaged infrastructure.
## Key Recommendations
### Immediate Actions
1. **Establish Continuous Monitoring:** Recognize that footprinting is iterative. Implement a system (even manual checks initially) to frequently re-run key discovery steps, as the external footprint changes rapidly.
2. **Review Public Announcements and Reports:** Immediately gather and analyze all publicly available corporate documents (financial reports, press releases, community involvement) to understand the organization's structure, core business units, and assumed technology stacks.
3. **Initiate Basic DNS Asset Discovery:** Begin enumerating all known domains and perform initial Top-Level Domain (TLD) expansion checks to identify potential duplicate domain names across various TLDs (e.g., searching for `target.com`, `target.org`, `target.net`).
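The TLD expansion step above can be scripted so it is repeatable. The block below is an added example, not code from the original article or its author. It assumes the TLD list is supplied separately (the page points at the Mozilla list); the `FAKE_ZONE` answers and `fake_resolver` are constructed so the example runs offline, and `system_resolver` is the live drop-in that queries the OS resolver.

```python
"""TLD expansion for a brand label with an injectable resolver, so the
candidate list can be exercised offline against constructed sample data."""
from __future__ import annotations

import socket
from typing import Callable, Iterable, Optional

# Constructed sample TLD list; a real run would load a public TLD list instead.
SAMPLE_TLDS = ["com", "net", "org", "co.uk", "io", "biz"]


def expand_label(label: str, tlds: Iterable[str]) -> list[str]:
    """Return the fully qualified candidate names for one brand label."""
    label = label.strip().strip(".").lower()
    return [f"{label}.{tld.strip('.').lower()}" for tld in tlds]


def system_resolver(name: str) -> Optional[list[str]]:
    """Live lookup with the OS resolver; None means the name did not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def find_registered(
    label: str,
    tlds: Iterable[str],
    resolve: Callable[[str], Optional[list[str]]] = system_resolver,
) -> dict[str, list[str]]:
    """Map every candidate that resolves to the addresses it resolves to."""
    found: dict[str, list[str]] = {}
    for name in expand_label(label, tlds):
        addrs = resolve(name)
        if addrs:
            found[name] = addrs
    return found


def unexpected(found: dict[str, list[str]], inventory: Iterable[str]) -> list[str]:
    """Names that resolve but are absent from the organisation's own inventory:
    either forgotten registrations or lookalikes held by someone else."""
    return sorted(set(found) - {n.lower() for n in inventory})


# Constructed stand-in for live DNS so the example runs without network access.
FAKE_ZONE = {
    "targetcorp.com": ["203.0.113.10"],
    "targetcorp.net": ["203.0.113.10"],
    "targetcorp.co.uk": ["198.51.100.7"],
}


def fake_resolver(name: str) -> Optional[list[str]]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    hits = find_registered("targetcorp", SAMPLE_TLDS, resolve=fake_resolver)
    for host, addrs in hits.items():
        print(f"{host:24} {', '.join(addrs)}")
    print("not in inventory:", unexpected(hits, {"targetcorp.com"}))
```

A name that resolves only tells you someone registered it. The useful output is the `unexpected` list: each entry is either an asset to add to the inventory or a third-party lookalike to keep an eye on, and the same address appearing under several names (as with `.com` and `.net` above) is a hint that they belong together.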
### Short-term Improvements (1-3 months)
1. **Social Media and Third-Party Data Sweep:** Systematically sweep major professional and social platforms (LinkedIn, Twitter) for employee listings, stated projects, technology mentions, and lists of suppliers/partners. This helps identify shadow IT or misrepresented external relationships.
2. **Credentials Exposure Investigation:** Search Pastebin and similar code-sharing sites, as well as compromised credential databases (if legally and ethically permissible for monitoring), for evidence of corporate email domains or infrastructure names being exposed through credential reuse.
3. **Reverse Whois Implementation:** Begin using Regional Internet Registry (RIR) interfaces (ARIN, RIPE, APNIC, LACNIC) for reverse Whois lookups using known organization names or contacts to identify unpublicized network ranges (CIDR blocks) registered to the entity.
### Long-term Strategy (3+ months)
1. **Formalize the Footprinting Methodology:** Document a repeatable, iterative footprinting lifecycle that integrates data from all sources (DNS, RIRs, social media, active checks) and defines triggers for re-running the entire process (e.g., quarterly, or upon major corporate change).
2. **SSL Certificate Inventory Maintenance:** Implement automated checks against public SSL certificate transparency logs or use certificate services to discover all hosts (by Common Name) that have certificates issued to the organization. This acts as an inventory of current and recently decommissioned HTTPS endpoints.
3. **IP-to-Host Name Correlation Process:** Establish a continuous process to perform reverse lookups on all discovered public IP addresses. Where a reverse entry is missing, use HTTP(S) access combined with inspecting the presented SSL certificate's Common Name to definitively map the IP to a host name, addressing 'forgotten' infrastructure.
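The certificate transparency inventory check from the long-term list can be driven from a public CT search service. The block below is an added example, not code from the original article or its author. It assumes the crt.sh JSON search endpoint (`output=json`, with `name_value` and `not_after` fields) for the live fetch; `SAMPLE_RECORDS`, the inventory and `NOW` are constructed so the triage runs offline.

```python
"""Turn certificate-transparency search results into a host list and flag the
names that are not in the organisation's own asset inventory."""
from __future__ import annotations

import json
import urllib.request
from datetime import datetime, timezone


def fetch_crtsh(domain: str) -> list[dict]:
    """Live lookup: every certificate crt.sh has seen for *.domain (assumes
    network access and the crt.sh JSON output format)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def latest_expiry(records: list[dict]) -> dict[str, datetime]:
    """Map each DNS name to the latest not_after date of any certificate that
    names it. name_value holds one name per line; wildcards are not hosts."""
    out: dict[str, datetime] = {}
    for rec in records:
        expiry = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        for name in rec["name_value"].splitlines():
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue
            if name not in out or expiry > out[name]:
                out[name] = expiry
    return out


def triage(records: list[dict], inventory, now: datetime) -> tuple[list[str], list[str]]:
    """Split names missing from the inventory into those with a currently valid
    certificate (live, unknown endpoint) and those whose certificates have all
    expired (probably decommissioned, but worth confirming)."""
    known = {n.lower() for n in inventory}
    names = latest_expiry(records)
    unknown_live = sorted(n for n, exp in names.items() if n not in known and exp >= now)
    unknown_expired = sorted(n for n, exp in names.items() if n not in known and exp < now)
    return unknown_live, unknown_expired


# Constructed sample records in the crt.sh JSON shape; not real certificates.
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": "C=US, O=Example CA",
     "common_name": "www.targetcorp.example",
     "name_value": "www.targetcorp.example\ntargetcorp.example",
     "not_before": "2024-01-01T00:00:00", "not_after": "2025-01-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Example CA",
     "common_name": "*.targetcorp.example",
     "name_value": "*.targetcorp.example",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Example CA",
     "common_name": "old-portal.targetcorp.example",
     "name_value": "old-portal.targetcorp.example",
     "not_before": "2022-11-15T00:00:00", "not_after": "2023-11-15T00:00:00"},
]
SAMPLE_INVENTORY = {"www.targetcorp.example"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the run is repeatable

if __name__ == "__main__":
    live, expired = triage(SAMPLE_RECORDS, SAMPLE_INVENTORY, NOW)
    print("unknown hosts with valid certificates:", live)
    print("unknown hosts with only expired certificates:", expired)
```

Running `triage(fetch_crtsh("example.com"), inventory, datetime.now(timezone.utc))` on a schedule gives the two lists the text asks for: current HTTPS endpoints nobody recorded, and recently decommissioned ones whose DNS names and addresses may still be live.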
## Implementation Guidance
### For Small Organizations
- **Focus on Owner Accountability:** Assign a single administrator or IT contact the responsibility of reviewing all domain registrations and public IPs quarterly.
- **Tool Limitation Acceptance:** Rely primarily on free, publicly available discovery tools and manual checks against RIR websites, given limited resource allocation for automated platforms.
### For Medium Organizations
- **Implement Basic Automation:** Utilize scripting to automate TLD expansion and systematic checks against RIR databases weekly. Store resulting asset lists in a centralized Configuration Management Database (CMDB).
- **Develop Internal Awareness Training:** Train technical staff on the dangers of reusing corporate email or infrastructure details on public-facing, non-corporate accounts/sites (e.g., personal GitHub, Pastebin).
### For Large Enterprises
- **Deploy Dedicated Reconnaissance Monitoring Tools:** Invest in specialized tooling to continuously monitor DNS changes, certificate transparency logs, and dark web exposure across all known domains and IP spaces.
- **Integrate Footprint Data into CMDB/Asset Management:** Ensure that infrastructure discovered via external footprinting (especially old IP ranges or hosts associated with old SSL certificates) is cross-referenced against internal asset inventories to rapidly retire or secure unknown assets.
## Configuration Examples
**SSL Certificate Discovery (Conceptual)**
When accessing an unknown IP presenting an HTTPS service, observe the browser's certificate error message (e.g., Firefox warning about mismatched issuer/hostname) to extract the "Common Name" or Subject Alternative Names (SANs). This discovered name (e.g., `internal-dev-server.corp.local`) must be added to the official external asset inventory.
*Actionable Step:* If an IP address yields a certificate with the Common Name `old-iis5.targetcorp.com`, immediately search internal systems for a host matching that CN and decommission or patch it.
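The browser trick above, and the IP-to-host-name correlation step in the long-term strategy, can be done from a script instead of by reading a certificate warning. The block below is an added example, not code from the original article or its author. It uses the dictionary shape that the standard library's `ssl.SSLSocket.getpeercert()` returns; `SAMPLE_CERT` is constructed (it reuses the page's `old-iis5.targetcorp.com` name) so the extraction and correlation run offline, while `fetch_peer_cert` and `investigate` are the live path.

```python
"""Map a bare public IP to a host name: reverse DNS first, then the names in
the TLS certificate the IP presents, with both recorded so they can be compared."""
from __future__ import annotations

import socket
import ssl
from typing import Optional


def cert_names(cert: dict) -> list[str]:
    """Extract the Common Name and DNS SANs from a getpeercert() dictionary.
    subject is a tuple of RDNs, each a tuple of (key, value) pairs."""
    names: list[str] = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    return list(dict.fromkeys(names))  # de-duplicate, keep order (CN first)


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup; None when no reverse entry exists."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror):
        return None


def fetch_peer_cert(ip: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to the IP and return the presented certificate as a dictionary.
    Hostname checking is off because the name is what we are trying to learn;
    chain verification stays on, so a self-signed or private-CA certificate
    raises ssl.SSLError (for those, getpeercert(binary_form=True) plus a DER
    parser such as the cryptography package is needed)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


def correlate(ip: str, rdns: Optional[str], cert: Optional[dict]) -> dict:
    """Prefer the reverse entry when it exists, fall back to certificate names,
    and keep both so a mismatch between them is visible to the reviewer."""
    from_cert = cert_names(cert) if cert else []
    return {
        "ip": ip,
        "reverse_dns": rdns,
        "cert_names": from_cert,
        "hostnames": [rdns] if rdns else from_cert,
    }


def investigate(ip: str, port: int = 443) -> dict:
    """Live path: reverse DNS plus the presented certificate; connection and
    TLS errors are recorded as text rather than aborting a sweep."""
    rdns = reverse_lookup(ip)
    cert, error = None, None
    try:
        cert = fetch_peer_cert(ip, port)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        error = str(exc)
    result = correlate(ip, rdns, cert)
    result["error"] = error
    return result


# Constructed sample in getpeercert() form; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "ZA"),),
                (("organizationName", "TargetCorp"),),
                (("commonName", "old-iis5.targetcorp.com"),)),
    "subjectAltName": (("DNS", "old-iis5.targetcorp.com"),
                       ("DNS", "intranet.targetcorp.com")),
    "notAfter": "Jun  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    # Offline demonstration: an address with no PTR record, a certificate present.
    print(correlate("203.0.113.10", None, SAMPLE_CERT))
```

The `hostnames` field is the value to check against the internal inventory; `cert_names` also surfaces SAN entries that name other hosts (here `intranet.targetcorp.com`), which often point at further forgotten systems sharing the same certificate.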
## Compliance Alignment
The practices align strongly with the reconnaissance and asset management domains within major security frameworks:
- **NIST SP 800-53 (AC-2, RA-5):** Focuses on accountability, access enforcement, and external/internal vulnerability scanning and monitoring. Footprinting directly informs the scope of RA-5 (Vulnerability Monitoring and Scanning).
- **ISO/IEC 27001 (A.8.2.1):** Relates to the identification and inventory of information assets. Continuous external footprinting ensures the inventory of externally-facing assets is current.
- **CIS Critical Security Controls (Control 1: Inventory and Control of Enterprise Assets):** Actively identifying assets that the organization did not realize it owned (e.g., forgotten web servers) is foundational to this control.
## Common Pitfalls to Avoid
1. **Trusting Single-Source Output:** Never rely solely on the output of one automated tool for initial reconnaissance. Footprinting requires synthesizing data from disparate sources (DNS, RIRs, public search engines, social media).
2. **Assuming Footprint Finality:** Treating the discovered information as a static, complete snapshot. Information changes daily; failure to continuously re-verify data leads to outdated security assessments.
3. **Ignoring Unused, Unpatched Systems:** Overlooking infrastructure simply because it appears old (e.g., an IIS 5 server) or unused. If it is reachable externally and powered on, it is part of the active threat surface.
## Resources
- **Regional Internet Registries (RIRs) Reverse Whois Interfaces:** (e.g., ARIN, RIPE, APNIC) for searching network allocations based on organization name.
- **Public TLD Lists:** Sources like the Mozilla TLD list for comprehensive domain expansion testing.
- **Certificate Transparency Logs:** Publicly accessible logs used to monitor newly issued SSL/TLS certificates across the internet.