Footprinting is the process of gathering data about an organization and its infrastructure. It is not an attack in the literal sense, but it is a technique used in planning other attacks. Footprinting is a systematic exploration of a system's defenses and vulnerabilities. The common expression is to "case the joint". Understanding the details of a system facilitates other attacks and can especially useful in facilitating social engineering.

An attacker engaging in footprinting might seek to discover what servers are visible on the network, explore an organization's security procedures (both online and offline), watch for activity patterns which occur daily, weekly, or monthly, or examine an organization's waste and information disposal practices.

Personnel can be footprinted too. It can be helpful to know the names, roles, locations, or contact information of individuals inside an organization. Learning details about personnel can provide valuable insights, but often even just a name is enough to facilitate search engine research to discover more details. Their accounts on social media or other services could be vulnerable to attacks. Information about the individual or their friends could be valuable for social engineering attacks such as pretexting and spear phishing. Every piece of information such as phone numbers, email addresses, mailing addresses, photographs, and information about other affiliations with colleges, clubs, or hobbies is potentially useful to an attacker.

Network Enumeration is a subtype of footprinting which involves compiling lists of available network and server information. Often it is performed as an automated process using scripts or discovery tools. Data enumerated might include hostnames, IP addresses, network details, open server ports, and valid usernames.

Network enumeration is similar to the fundamental security principle Map data movement and exposure but, instead of looking for vulnerabilities to build defenses, it is done from an attacker's point of view, looking for vulnerabilities to exploit. Mapping vulnerabilities is an important step because network enumeration is often where an attacker begins their discovery work.

Fingerprinting, a subtype of footprinting, is the process of building a profile of specific details about a server. It is a natural next step after enumeration—develop a list of servers, then fingerprint each one to discover as many details as possible.

A fingerprint profile of a server would include information such as:

  • Hardware
  • Operating system
  • Installed software
  • Configurations
  • IP address
  • Open ports
  • Features enabled/disabled

Footprinting Preventions

The best defenses against footprinting are two of the fundamental security prinicples: Map data movement and exposure and Security through obscurity. It is important to know what an attacker can see and understand about systems through observation. Their observation could be from outside the network and outside the organization's walls, or it could be observation from a compromised network or computer with access to the network. In both cases, the less information that is public and visible, the less information that will be available for footprinting.

Try to expose as few details as possible. On servers, conceal which operating systems are being used and what the installed software and configurations are. On the public website or in published directories and marketing materials, disclose as little information as possible about personnel in the organization. It may be an unavoidable, business requirement to publish some information, in which case details should be as limited as possible. Never disclose non-public infrastructure locations such as physical locations of servers, networking equipment, or software code in development.

Fork me on GitHub