Footprinting and Reconnaissance

10 Sep 2019


Ethical hacking helps system administrators understand how to better protect the assets they manage.

Footprinting and Reconnaissance (method of discovery) is the first stage and involves gathering information about the target.

Footprinting: learning as much as possible about the target, including remote access capabilities, open ports and services, and what security mechanisms are in place.

Reconnaissance: gathering information about the location of a target by scouting or by setting up covert observation points.

Sequence of Steps

  • Gather information
  • Locate the network range
  • Discover active machines
  • Determine operating systems
  • Define running services
  • Map the network

Competitive Intelligence

Using Competitive Intelligence (legal) to dig up public information can be a great nontechnical approach to footprinting and reconnaissance.

Used in business to help a company learn about its competitors in order to make better business decisions.

Finding information

  • Public Resources
    • Websites
    • Directories
    • Email Addresses
    • Job Sites (idea of systems via tech job postings)
    • Social Networks
  • Logical Side
    • Network architecture
    • Defence mechanisms
    • Operating systems
    • Applications

Questions before beginning

  • Who is the target?
  • What is the target?
  • Where is the target?
  • When is the best time for an attack?
  • How? (learnt after footprinting)

Document the Findings: It's important to document any information to help build a profile.

Search Engine Hacking

Uses advanced operators and keywords to find pages that may contain sensitive information, such as protected login screens.

Google hacking

The Google hacking database

  • ext:pdf
  • filetype:txt

Social Engineering

Manipulating people to perform actions or reveal confidential information.

  • Telephone,
  • Online,
  • Dumpster diving,
  • Shoulder surfing,
  • Eavesdropping,
  • Phishing, Pharming
  • Simple persuasion,
  • Impersonation.

Defence: User Education, Authentication Mechanisms, Simply Questioning.

Dangers of Social Media:

  • No authentication of users (acceptance)
  • Forging someone’s identity
  • Revealing information (travel plans)
  • Sharing of unsafe links

Examples of Public Search Engines

Tracking Reputation

Email and Websites


Finding email addresses on public records/websites, then crafting email lists using gained knowledge of username conventions to target for phishing.


  • Sender Policy Framework (SPF) = defence against ‘From’ field spoofing
  • Virus filtering and Antivirus techniques
  • Strong Spam Filtering
  • User Education

Email investigation

Reputation-based solutions for investigating email.

Email headers tell the story of the journey, the stops, etc.
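Reading that journey from the headers, as an added example (not part of the original notes). The message is constructed, and the function names trace_hops and sender_checks are made up for the illustration:

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message (reserved example domains, documentation IP ranges).
# Every relay prepends its own Received header, so the newest hop is on top.
RAW = """\
Authentication-Results: inbox.example.org; spf=fail smtp.mailfrom=example.net
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.org with ESMTPS id abc123; Tue, 10 Sep 2019 09:15:42 +0000
Received: from relay.example.net (relay.example.net [203.0.113.25])
\tby mx.example.org with ESMTP id def456; Tue, 10 Sep 2019 09:15:40 +0000
Received: from laptop.local (unknown [192.0.2.99])
\tby relay.example.net with ESMTPA id ghi789; Tue, 10 Sep 2019 09:14:10 +0000
Return-Path: <bounce@example.net>
From: "IT Support" <support@example.com>
Subject: Password reset

Please confirm your account.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)")

def trace_hops(raw):
    """Return the relay hops oldest-first, with the delay added at each hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        match = HOP_RE.search(flat)
        if match is None or ";" not in flat:      # skip hops we cannot parse
            continue
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        delay = (when - hops[-1]["time"]).total_seconds() if hops else 0.0
        hops.append({"from": match.group(1), "ip": match.group(2),
                     "by": match.group(3), "time": when, "delay": delay})
    return hops

def sender_checks(raw):
    """Compare the visible From domain with the envelope sender and SPF result."""
    msg = email.message_from_string(raw)
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    path_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return {"spf": spf.group(1) if spf else None, "from_domain": from_dom,
            "return_path_domain": path_dom, "domains_match": from_dom == path_dom}
```

Only the Received lines written by your own servers can be trusted; anything below the first trusted hop was supplied by the sending side and may be forged.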

Website Mirroring

Download the entire website to examine the content, obtaining emails, phone numbers and other information.

You can sometimes see concealed comments, directories, links to protected content.
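A site owner can run the same inspection on their own pages before publishing. The following is an added example, not part of the original notes; the page is constructed, and the REVIEW_PREFIXES list and the audit function are assumptions chosen for the illustration:

```python
import re
from html.parser import HTMLParser

# Constructed page showing the kinds of leftovers a mirrored copy reveals.
PAGE = """
<html><body>
<!-- TODO: remove old export before launch, ask j.smith@example.com -->
<h1>Contact</h1>
<p>Sales: <a href="mailto:sales@example.com">email us</a></p>
<a href="/staging/report.html" style="display:none">draft</a>
<a href="/products">Products</a>
<form action="/admin/login"></form>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
REVIEW_PREFIXES = ("/admin", "/backup", "/staging")   # hypothetical policy list

class ExposureAudit(HTMLParser):
    """Collect comments, email addresses and links that deserve a review."""

    def __init__(self):
        super().__init__()
        self.comments, self.emails, self.paths = [], set(), set()

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))
        self.emails.update(EMAIL_RE.findall(data))

    def handle_data(self, data):
        self.emails.update(EMAIL_RE.findall(data))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.emails.update(EMAIL_RE.findall(value))
                if value.startswith(REVIEW_PREFIXES):
                    self.paths.add(value)

def audit(html):
    """Return what a visitor with a local copy of the page could read from it."""
    parser = ExposureAudit()
    parser.feed(html)
    parser.close()
    return {"comments": parser.comments,
            "emails": sorted(parser.emails),
            "paths": sorted(parser.paths)}
```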

Free and Paid Tools for Website Mirroring/Extracting:


Open-source intelligence gathering tools

Generates a more targeted discovery

  • Maltego
    • Open-source Data Analysis Software
    • Harvests Domain Names, Whois Information and IP Addresses
    • Person Specific Information: Websites and Associated Companies.
  • Shodan
    • Discovers Devices Connected to the Internet
  • Metagoofil
    • Extracts Metadata from the Target
  • FOCA
    • Examines Metadata
  • theHarvester
    • Harvests Info from Public Sources


DNS uses port 53 over UDP or TCP (zone transfers only)

Common Types

  • A = IPv4 Address of Host
  • AAAA = IPv6 Address of Host
  • PTR = Reverse DNS lookup
  • MX = Mail Exchange record

Dangers of DNS

  • Exposed Zone File
  • Flood Attack
    • Similar to a denial of service (DOS).
  • Cache Poisoning
    • Changes the DNS Cache on the local name server to point toward a bogus server.
  • DNS Footprinting
    • Find information managed by the SOA (Start of Authority).

Good Practice

  • Restrict zone transfers to authorized servers
  • Deny all inbound connection requests to TCP Port 53
  • Consider using DNS security (authentication mechanisms)
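Checking the first practice on a name server you run, as an added example (not part of the original notes). It assumes BIND-style named.conf syntax with a constructed configuration, ignores config comments and nested ACLs, and the function names are made up for the illustration:

```python
import re

# Constructed BIND-style configuration; addresses are documentation ranges.
NAMED_CONF = """
options { allow-transfer { any; }; };
zone "example.com" { type master; allow-transfer { 192.0.2.53; }; };
zone "example.net" { type master; file "example.net.zone"; };
zone "example.org" { type master; allow-transfer { any; }; };
"""

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def transfer_acl(body):
    """Return the allow-transfer entries in a block, or None if it has none."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [entry.strip() for entry in m.group(1).split(";") if entry.strip()]

def audit_zone_transfers(conf):
    """Map each zone to 'restricted', 'open' or 'unset' (server default applies)."""
    opts = re.search(r"\boptions\s*\{", conf)
    inherited = transfer_acl(block_body(conf, opts.end() - 1)) if opts else None
    verdicts = {}
    for zone in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        acl = transfer_acl(block_body(conf, zone.end() - 1))
        effective = inherited if acl is None else acl   # zone setting wins
        if effective is None:
            verdicts[zone.group(1)] = "unset"
        elif "any" in effective:
            verdicts[zone.group(1)] = "open"
        else:
            verdicts[zone.group(1)] = "restricted"
    return verdicts
```

Here example.net is reported as open even though its zone block never mentions transfers, because it inherits the permissive setting from the options block.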

Domain Name Generators

When phishing, spoofing the brand in the hyperlink may get someone to click on the link.

Domain names and subdomain names can be used to trick a DNS server into transferring its zone file.

Domain Name Analyzer is an example of a domain name generator tool.


Internet Control Message Protocol (ICMP) resides in the network layer (OSI Layer 3) and is used by routers and intermediary devices to communicate updates or error information.

Also used for network troubleshooting and to test if a device is alive/available on the network.


Traces the route and provides the path and transit times.

Returns the FQDN and the IP address of each gate, used to help paint a picture of the network.


Combines features of ping and tracert.

Shows packet loss at any given router or link by computing statistics at the end.


Non-interactive mode nslookup

Interactive mode: run nslookup and then enter what you want to search for.

You can also set other options, such as set type=mx, and then you’ll get the MX records.

Domain Information Groper (DIG)

A tool used to query the DNS, native to Linux; installation is required on Windows machines, and there are online tools such as

Steps to Reduce Exposure

  • Administrators should use a non-standard format email address
  • Keep patches up to date
  • Monitor for scanning activity
  • Shutdown all unnecessary services
  • Use strong authentication methods
  • Segment the network
  • Shred paper-based information