Footprinting & Reconnaissance

Module 2: Footprinting & Reconnaissance – In-Depth Guide  

1. Introduction to Footprinting

Footprinting (or reconnaissance) is the first phase of ethical hacking, where attackers gather information about a target before launching an attack. Ethical hackers use the same techniques to identify security weaknesses.  

Objectives:  

- Collect publicly available data about the target.  

- Identify network ranges, domains, IPs, employees, technologies.  

- Build a blueprint of the target’s security posture.  

2. Types of Footprinting 


A. Passive Footprinting  

- No direct interaction with the target.  

- Uses publicly available sources.  

- Examples:  

  - Google searches (Google Dorking)  

  - WHOIS lookup  

  - Social media (LinkedIn, Twitter)  

  - Job postings (revealing tech stacks)  


B. Active Footprinting  

- Direct interaction with the target.  

- More detectable but provides accurate data.  

- Examples:  

  - DNS interrogation (nslookup, dig)  

  - Network scanning (Nmap, Ping)  

  - Social engineering (calls, phishing)  


3. Footprinting Techniques & Tools  


A. Google Dorking (Advanced Search Queries)  

- Finds exposed files, directories, and sensitive data.  

- Examples:  

  - `site:example.com filetype:pdf` (Finds PDFs on a site)  

  - `intitle:"index of" password` (Finds exposed password files)  

  - `inurl:/admin/login.php` (Finds admin login pages)  


B. WHOIS Lookup  

- Retrieves domain registration details:  

  - Owner name, email, phone number  

  - Registrar, DNS servers, creation/expiry dates  

- Tools: 

  - `whois` command (Linux)  

  - [whois.domaintools.com](https://whois.domaintools.com/)  

  - WHOIS tools bundled with Kali Linux  


C. DNS Enumeration 

- Extracts DNS records (A, MX, TXT, NS).  

- Tools:  

  - nslookup  

  - dig (Domain Information Groper)  

  - dnsenum (Kali Linux)  

  - [DNSDumpster](https://dnsdumpster.com/) 

 

D. Social Media & OSINT (Open-Source Intelligence)  

- Gathers employee names, emails, tech stack.  

- Tools:  

  - Maltego (Visual link analysis)  

  - theHarvester (Email, domain scraping)  

  - Sherlock (Username search across platforms)  

  - LinkedIn, GitHub, Twitter (Manual recon) 

 

E. Network Scanning (Preliminary)  

- Identifies live hosts, open ports, services.  

- Tools:

  - ping (Checks host availability)  

  - Nmap (Advanced network scanning)  

  - Masscan (Fast large-scale scans)  


4. Advanced Reconnaissance Techniques  


A. Email Harvesting  

- Collects employee emails for phishing tests.  

- Tools:  

  - Hunter.io  

  - theHarvester (`theHarvester -d example.com -b google`)  


B. Subdomain Enumeration  

- Finds subdomains (e.g., admin.example.com).  

- Tools:  

  - Sublist3r  

  - OWASP Amass (Passive/active subdomain discovery)  


C. Metadata Extraction  

- Extracts hidden data from PDFs, Word, Excel files.  

- Tools:  

  - exiftool  

  - Metagoofil (Automates extraction from Google results)  


D. Website Mirroring (Offline Analysis)  

- Downloads a full copy of a website for inspection.  

- Tools: 

  - `wget --mirror`  

  - HTTrack  


5. Countermeasures Against Footprinting  

Organizations can defend against reconnaissance by:  

- Restricting WHOIS data (Private domain registration).  

- Disabling directory listings on web servers.  

- Monitoring logs for unusual scans.  

- Educating employees on social engineering risks.  
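A small example of the log-monitoring countermeasure listed above, added here and not part of the original guide: it parses constructed Apache/Nginx combined-format access-log lines and flags clients that burst 404 responses (path guessing for admin pages, backups and the like) or announce a recon tool in their user agent. The user-agent markers (Nmap Scripting Engine, HTTrack, wget), the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /admin/login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /backup/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /.git/config HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Lower-cased user-agent fragments of recon tools the guide lists (assumed default strings).
SCANNER_UA_MARKERS = ("nmap scripting engine", "httrack", "wget/")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_recon(log_text, not_found_threshold=3, window_seconds=60):
    """Return {ip: [reason, ...]} for clients showing a 404 burst or a recon-tool user agent."""
    not_found = defaultdict(list)   # ip -> timestamps of its 404 responses
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            findings[rec["ip"]].add("recon tool user agent: " + rec["ua"])
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
    n = not_found_threshold
    for ip, stamps in not_found.items():
        stamps.sort()
        # Sliding window: any n consecutive 404s whose first and last lie within the window.
        if any((stamps[i + n - 1] - stamps[i]).total_seconds() <= window_seconds
               for i in range(len(stamps) - n + 1)):
            findings[ip].add(f"{n}+ 404 responses within {window_seconds}s")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}
```

Feed it real log lines with `find_recon(open("access.log").read())`; tune the threshold and window to the site's normal 404 rate before alerting on the result.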


6. Hands-On Lab Exercise  

Task: Perform Passive & Active Recon on a Target  

1. Google Dorking – Find exposed files (`site:example.com filetype:pdf`).  

2. WHOIS Lookup – Identify domain owner (`whois example.com`).  

3. DNS Enumeration – List DNS records (`dig example.com ANY`; many resolvers and authoritative servers refuse ANY queries per RFC 8482, so also query record types individually, e.g. `dig example.com MX`).  

4. Subdomain Discovery – Use Sublist3r (`sublist3r -d example.com`).  

5. Email Harvesting – Use theHarvester (`theHarvester -d example.com -b google`).  


7. Tools Checklist  

| Tool         | Purpose                              |
|--------------|--------------------------------------|
| Maltego      | Visual link analysis & OSINT         |
| theHarvester | Email, domain, and subdomain search  |
| Nmap         | Network scanning & service detection |
| Sublist3r    | Subdomain enumeration                |
| Metagoofil   | Metadata extraction from documents   |


8. Next Steps 

- Move to Module 3: Scanning & Enumeration (Nmap, Nessus, NetBIOS).  


- Practice CTF challenges on [TryHackMe](https://tryhackme.com/) or [Hack The Box](https://www.hackthebox.com/).  
