Skip to content
CEH Practical Guide

🕵️ Footprinting and Reconnaissance

The first step in the penetration testing process is footprinting and reconnaissance.

This phase involves gathering as much information as possible about the target system or network to identify potential vulnerabilities.

Information gathering can be done through various methods, including:

  • Passive Footprinting: Collecting information without directly interacting with the target system.
  • Active Footprinting: Actively probing the target system to gather information.

Footprinting with search engines

Section titled “Footprinting with search engines”

Google hacking

Section titled “Google hacking”

Google hacking techniques are advanced search techniques that can be used to find specific information on the internet.

Google Hacking Cheat Sheet A comprehensive cheat sheet for Google hacking techniques
Google Hacking Database A database of interesting queries and exploits that can be used to find sensitive information

Image search engines

Section titled “Image search engines”

Image search engines can be used to find images related to a specific topic or similar to a given image.

Images can contain metadata that can be useful for footprinting.

TinEye Reverse Image Search A reverse image search engine that can be used to find similar images or track the origin of an image

Video search engines

Section titled “Video search engines”

Video search engines can be used to find videos related to a specific topic or keyword.

Videos like images can contain metadata that can be useful for footprinting.

YouTube Metadata A tool to extract metadata from YouTube videos
Video Reverser A tool to play video backwards

FTP search engines

Section titled “FTP search engines”

FTP search engines can be used to find files and directories on FTP servers.

Like web pages also FTP servers can be indexed by search engines.

NAPALM FTP Indexer A search engine for finding files on FTP servers
Freeware Web FTP Search A search engine for finding files on FTP servers

IoT search engines

Section titled “IoT search engines”

IoT search engines can be used to find Internet of Things (IoT) devices connected to the internet.

These search engines can be used to find devices like webcams, routers, and other IoT devices.

Shodan
Censys

Footprinting with web services

Section titled “Footprinting with web services”

Website discovery tools

Section titled “Website discovery tools”
Netcraft A web service that provides information about websites, including hosting information and technologies used
BuiltWith A web service that provides information about the technologies used on a website

People search tools

Section titled “People search tools”

There are many web services that provide information about people, including social media profiles and contact information.

PeekYou
Pipl
BeenVerified
BeenVerified

Dark and deep web searching

Section titled “Dark and deep web searching”

The deep web refers to parts of the internet that are not indexed by traditional search engines.

The dark web is a small part of the deep web that is intentionally hidden and inaccessible through standard web browsers.

The dark web is often associated with illegal activities, but it can also be used for legitimate purposes.

The Hidden Wiki A directory of hidden services on the Tor network
FakeID An online marketplace for fake identification documents
OnionLand A directory of hidden services on the Tor network
Ahmia A search engine for the Tor network that indexes hidden services

Footprinting With Social Networks

Section titled “Footprinting With Social Networks”
Sherlock A tool to find usernames across many social networks
Followerwonk A tool to analyze Twitter accounts and find information about followers

Footprinting for web servers

Section titled “Footprinting for web servers”

Ping

Section titled “Ping”

It is possible to gather information about a target website using the ping command line utility.

Information such as the IP address, hostname, and response time can be obtained.

Terminal window
ping TARGET
Operating Systems Can Be Detected Using Ping Command gbhackers.com
Identify Operating System using Ping Command yeahhub.com

Other tools

Section titled “Other tools”
  • Web Data Extractor: A tool for extracting data from websites.
  • HTTrack Web Site Copier: A tool for downloading websites to your local machine.
Photon A fast crawler designed for OSINT
Central Ops A web service that provides information about websites, including hosting information and technologies used
GRecon An open-source reconnaissance tool that gathers information about a target website
CeWL A custom word list generator based on the words found on a website

Email footprinting

Section titled “Email footprinting”

Emails, email addresses, and email servers can be used to gather information about a target.

Hunter A web service that provides information about email addresses, including the source of the email address
theHarvester A tool for gathering email addresses and subdomains from various public sources
Infoga A tool for gathering information about email addresses from different public sources
Mailtrack A tool for tracking email opens and clicks

DNS and Whois footprinting

Section titled “DNS and Whois footprinting”

Whois is a protocol used to query databases that store registered users or assignees of a domain name or an IP address block.

Whois databases are maintained by various organizations, including domain registrars and regional internet registries (RIRs).

DNS (Domain Name System) is a hierarchical naming system used to translate domain names into IP addresses.

Whois Lookup A web service that provides information about domain names, including registration information and DNS records
DNS Dumpster A domain research tool that can discover hosts related to a domain
DNSRecon A DNS enumeration tool that can be used to gather information about a target's DNS records
SecurityTrails A web service that provides information about domain names, including registration information and DNS records
DNS Checker A free DNS propagation check service to check Domain Name System records

nslookup

Section titled “nslookup”

nslookup is a command-line tool used to query DNS servers for information about domain names and IP addresses.

nslookup can be used to gather information about a target’s DNS records, including A records, MX records, and NS records.

Terminal window
nslookup TARGET

Network footprinting

Section titled “Network footprinting”

Network footprinting is the process of gathering information about a target network, including IP addresses, subnets, and network devices.

ARIN A web service that provides information about IP address allocations and registrations

traceroute

Section titled “traceroute”

traceroute is a command-line tool used to trace the path that packets take from one host to another.

On Linux, the command is traceroute, while on Windows, it is tracert.

Terminal window
traceroute TARGET
Traceroute A command-line tool used to trace the path that packets take from one host to another

Other footprinting tools

Section titled “Other footprinting tools”

There are many tools that integrate multiple footprinting techniques.

Maltego A tool for gathering and analyzing information about a target
BillCipher A tool for gathering information about a target using various techniques
OSRFramework A set of libraries to perform OSINT collection tasks
Recon-ng A full-featured Web Reconnaissance framework written in Python
FOCA A tool for gathering information about a target by analyzing metadata in documents
OSINT Framework A collection of OSINT tools and resources