
Footprinting & Reconnaissance

Module 2: Footprinting & Reconnaissance – In-Depth Guide  

1. Introduction to Footprinting

Footprinting (or reconnaissance) is the first phase of ethical hacking: attackers gather information about a target before launching an attack, and ethical hackers use the same techniques to find the security weaknesses that information reveals.  

Objectives:  

- Collect publicly available data about the target.  

- Identify network ranges, domains, IPs, employees, technologies.  

- Build a blueprint of the target’s security posture.  

2. Types of Footprinting 


A. Passive Footprinting  

- No direct interaction with the target.  

- Uses publicly available sources.  

- Examples:  

  - Google searches (Google Dorking)  

  - WHOIS lookup  

  - Social media (LinkedIn, Twitter)  

  - Job postings (revealing tech stacks)  


B. Active Footprinting  

- Direct interaction with the target.  

- More detectable, but yields more accurate data.  

- Examples:  

  - DNS interrogation (nslookup, dig)  

  - Network scanning (Nmap, Ping)  

  - Social engineering (calls, phishing)  


3. Footprinting Techniques & Tools  


A. Google Dorking (Advanced Search Queries)  

- Finds exposed files, directories, and sensitive data.  

- Examples:  

  - `site:example.com filetype:pdf` (Finds PDFs on a site)  

  - `intitle:"index of" password` (Finds exposed password files)  

  - `inurl:/admin/login.php` (Finds admin login pages)  


B. WHOIS Lookup  

- Retrieves domain registration details:  

  - Owner name, email, phone number  

  - Registrar, DNS servers, creation/expiry dates  

- Tools: 

  - `whois` command (Linux)  

  - [whois.domaintools.com](https://whois.domaintools.com/)  

  - WHOIS tools bundled with Kali Linux  
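The WHOIS response a `whois` client prints is plain "Key: Value" text. As an added example (not from the original page), the Python below parses such a response and, from the defender's side, reports which registrant contact fields are exposed rather than redacted and how many days remain before expiry. The WHOIS text is a constructed sample; real registries vary the field names.

```python
import re
from datetime import datetime

# Constructed sample WHOIS response (invented values, not a real registration).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Creation Date: 2015-03-02T10:15:00Z
Registry Expiry Date: 2026-03-02T10:15:00Z
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Registrant Name: Jane Doe
Registrant Email: jane.doe@example.com
Registrant Phone: +1.5555550100
Admin Email: REDACTED FOR PRIVACY
>>> Last update of WHOIS database: 2025-01-01T00:00:00Z <<<
"""

# Fields that reveal people rather than infrastructure (assumed common names).
PII_FIELDS = ("registrant name", "registrant email", "registrant phone",
              "admin email", "tech email")
REDACTED = re.compile(r"redacted|privacy|withheld|not disclosed", re.I)

def parse_whois(text):
    """Parse 'Key: Value' lines into a dict; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue  # blank lines, the database trailer, free text
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key in record:
            previous = record[key]
            record[key] = previous + [value] if isinstance(previous, list) else [previous, value]
        else:
            record[key] = value
    return record

def exposed_pii(record):
    """Return the PII fields that are populated and not marked as redacted."""
    return [f for f in PII_FIELDS if f in record and not REDACTED.search(record[f])]

def days_until_expiry(record, now):
    """Days until expiry, both timestamps ISO 8601; lapsed domains are a takeover risk."""
    def to_dt(s):
        return datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (to_dt(record["registry expiry date"]) - to_dt(now)).days
```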


C. DNS Enumeration 

- Extracts DNS records (A, MX, TXT, NS).  

- Tools:  

  - nslookup  

  - dig (Domain Information Groper)  

  - dnsenum (Kali Linux)  

  - [DNSDumpster](https://dnsdumpster.com/) 

 

D. Social Media & OSINT (Open-Source Intelligence)  

- Gathers employee names, emails, tech stack.  

- Tools:  

  - Maltego (Visual link analysis)  

  - theHarvester (Email, domain scraping)  

  - Sherlock (Username search across platforms)  

  - LinkedIn, GitHub, Twitter (Manual recon) 

 

E. Network Scanning (Preliminary)  

- Identifies live hosts, open ports, services.  

- Tools:

  - ping (Checks host availability)  

  - Nmap (Advanced network scanning)  

  - Masscan (Fast large-scale scans)  


4. Advanced Reconnaissance Techniques  


A. Email Harvesting  

- Collects employee emails for phishing tests.  

- Tools:  

  - Hunter.io  

  - theHarvester (`theHarvester -d example.com -b google`)  


B. Subdomain Enumeration  

- Finds subdomains (e.g., admin.example.com).  

- Tools:  

  - Sublist3r  

  - OWASP Amass (Passive/active subdomain discovery)  


C. Metadata Extraction  

- Extracts hidden data from PDFs, Word, Excel files.  

- Tools:  

  - exiftool  

  - Metagoofil (Automates extraction from Google results)  


D. Website Mirroring (Offline Analysis)  

- Downloads a full copy of a website for inspection.  

- Tools: 

  - `wget --mirror`  

  - HTTrack  


5. Countermeasures Against Footprinting  

Organizations can defend against reconnaissance by:  

- Restricting WHOIS data (Private domain registration).  

- Disabling directory listings on web servers.  

- Monitoring logs for unusual scans.  

- Educating employees on social engineering risks.  
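The "monitoring logs for unusual scans" countermeasure needs concrete detection logic. As an added example (not part of the original page), the Python below reads firewall log lines in an assumed `timestamp action src= dst= proto= dport=` layout and flags any source that probes many distinct ports within a short window, which is what a port scan from the Network Scanning section looks like on the receiving end. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (invented addresses and times) used as sample input.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=21
2025-01-01T10:00:01Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=22
2025-01-01T10:00:02Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=23
2025-01-01T10:00:02Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=80
2025-01-01T10:00:03Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2025-01-01T10:00:03Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=3389
2025-01-01T10:00:07Z ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=443
2025-01-01T10:05:00Z ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=443
2025-01-01T10:30:00Z DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=21
"""

# Assumed log layout; adapt the pattern to your firewall's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=\S+ proto=\w+ dport=(?P<dport>\d+)")

def parse_line(line):
    """Return (timestamp, source, dest_port) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], int(m["dport"])

def detect_port_scans(log_text, window_seconds=60, min_ports=5):
    """Flag sources hitting >= min_ports distinct ports inside any window_seconds span.
    Returns {src: (window_start_iso, distinct_port_count)} for each flagged source."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            events[src].append((ts, dport))
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for src, hits in events.items():
        hits.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts[src] = (start.isoformat(), len(ports))
                break  # one alert per source is enough for triage
    return alerts
```

Tune `window_seconds` and `min_ports` against your own baseline: a single client talking to a few ports should never trip it, while a sequential probe of well-known ports does.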


6. Hands-On Lab Exercise  

Task: Perform Passive & Active Recon on a Target  

1. Google Dorking – Find exposed files (`site:example.com filetype:pdf`).  

2. WHOIS Lookup – Identify domain owner (`whois example.com`).  

3. DNS Enumeration – List all DNS records (`dig example.com ANY`).  

4. Subdomain Discovery – Use Sublist3r (`sublist3r -d example.com`).  

5. Email Harvesting – Use theHarvester (`theHarvester -d example.com -b google`).  


7. Tools Checklist  

| Tool         | Purpose                              |
|--------------|--------------------------------------|
| Maltego      | Visual link analysis & OSINT         |
| theHarvester | Email, domain, and subdomain search  |
| Nmap         | Network scanning & service detection |
| Sublist3r    | Subdomain enumeration                |
| Metagoofil   | Metadata extraction from documents   |


8. Next Steps 

- Move to Module 3: Scanning & Enumeration (Nmap, Nessus, NetBIOS).  

- Practice CTF challenges on [TryHackMe](https://tryhackme.com/) or [Hack The Box](https://www.hackthebox.com/).  

Would you like a deeper dive into any specific tool or technique (e.g., Nmap scanning, Maltego, or social engineering recon)?
