Meritshot Tutorials


Cyber Security Tutorial

Footprinting and Reconnaissance

Table of contents

  1. Introduction to Footprinting and Reconnaissance
  2. Ethical Considerations and Legal Implications
  3. Types of Footprinting
  4. Methodologies for Footprinting
  5. Tools for Footprinting and Reconnaissance
  6. Information Gathering Techniques
  7. Reconnaissance in Network and Infrastructure
  8. Common methods used in network reconnaissance
  9. Tools for Reconnaissance Automation
  10. Mitigating Footprinting Risks

Introduction to Footprinting and Reconnaissance

Footprinting refers to the process of collecting as much information as possible about a target system in order to find ways to penetrate it. An ethical hacker spends the majority of their time profiling an organization, gathering information about the hosts, the network and the people related to it.

Information such as IP addresses, Whois records, DNS information, the operating system in use, employee email IDs, phone numbers etc. is collected.

Footprinting helps to:

Know the security posture – The data gathered gives an overview of the security posture of the company, such as the presence of a firewall, the security configuration of applications etc.

Reduce the attack area – A specific range of systems can be identified so that effort is concentrated on particular targets only. This greatly reduces the number of systems being focused on.

Identify vulnerabilities – An information database can be built containing the vulnerabilities, threats and loopholes present in the target organization's systems.

Draw a network map – The gathered data helps draw a network map of the target organization's networks, covering topology, trusted routers, the presence of servers and other information.

Ethical Considerations and Legal Implications


Ethical considerations in footprinting and reconnaissance are critical because these activities involve accessing and gathering information about systems or organizations. The boundary between legitimate information gathering and invasive or harmful behavior must be respected.

  1. Authorization: Always ensure you have explicit permission from the organization or individual before conducting reconnaissance. Operating without consent can compromise trust and is considered unethical.
  2. Respect for Privacy: Be mindful of the data you are collecting. Avoid obtaining or handling personal or sensitive information unless explicitly authorized to do so.
  3. Minimizing Impact: Even when authorized, limit activities to what is necessary and avoid actions that could disrupt operations or compromise security.
  4. Intent and Purpose: The intent behind reconnaissance should always be constructive, such as identifying vulnerabilities to improve security, rather than exploiting them.
  5. Transparency: Maintain clear communication with stakeholders about the scope, methods, and goals of your activities to prevent misunderstandings.

The legality of footprinting and reconnaissance varies depending on the jurisdiction, methods used, and whether explicit authorization has been granted.

  1. Jurisdictional Laws: Different countries have distinct laws governing unauthorized access, data collection, and network probing. For instance, in the U.S., the Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access to computers and networks.
  2. Consent and Scope: Conducting reconnaissance without explicit permission can lead to criminal or civil penalties. Even with consent, exceeding the agreed-upon scope of activities can result in legal action.
  3. Regulatory Compliance: Actions like data collection may need to comply with regulations such as GDPR, HIPAA, or other industry-specific guidelines. Non-compliance can lead to hefty fines or legal consequences.
  4. Tools and Techniques: The use of certain tools or techniques, such as port scanning, packet sniffing, or web scraping, may be restricted or outright illegal in some regions if performed without proper authorization.
  5. Documentation and Record-Keeping: Ethical hackers and security professionals should maintain detailed records of their activities to demonstrate that their actions were conducted within the bounds of the law and agreed-upon terms.

Types of footprinting

  1. Active footprinting
  2. Passive footprinting

Active footprinting

Active footprinting involves directly interacting with the target system or network to gather information. This can include scanning for open ports, conducting network scans, and probing for vulnerabilities. One of the key attributes of active footprinting is that it is more intrusive compared to passive footprinting. By actively engaging with the target, the attacker leaves a footprint that can be detected by security measures.

Another attribute of active footprinting is that it requires more technical expertise and tools. Attackers need to have a good understanding of networking protocols and security tools to effectively gather information through active means. This method is often used when the attacker needs real-time data or wants to identify vulnerabilities that may not be visible through passive techniques.

Active footprinting can also be more time-consuming and resource-intensive compared to passive footprinting. Since the attacker is actively probing the target system, there is a higher risk of detection, which may require additional measures to avoid being detected. However, active footprinting can provide more detailed and accurate information about the target system, making it a valuable technique in certain scenarios.

Passive footprinting

Passive footprinting, on the other hand, involves gathering information about the target system without directly interacting with it. This can include collecting publicly available information, analyzing social media profiles, and monitoring network traffic passively.

One of the key attributes of passive footprinting is that it is less intrusive and less likely to be detected by security measures.

Another attribute of passive footprinting is that it is more stealthy and discreet compared to active footprinting. Since the attacker is not actively engaging with the target system, there is a lower risk of detection, making passive footprinting a preferred method for reconnaissance in many cases. Attackers can gather information without alerting the target to their presence.

Passive footprinting also requires less technical expertise and tools compared to active footprinting. Attackers can use readily available tools and resources to gather information passively, making it a more accessible technique for beginners or less experienced hackers. While passive footprinting may not provide real-time data, it can still yield valuable insights into the target system.

Methodologies for footprinting

Various methods are used to collect information about the target organization. They are:

Footprinting through Search Engines

This is a passive information gathering process in which we gather information about the target from social media, search engines, various websites etc. Information gathered includes names, personal details, geographical location details, login pages, intranet portals etc. Even some target-specific information like operating system details, IP details, netblock information, technologies behind the web application etc. can be gathered through search engines.

Eg: collecting information from Google, Bing etc.

Google Hacking:

Google hacking refers to collecting information using Google dorks (keywords) by constructing search queries that surface sensitive information. Details collected include compromised passwords, default credentials, competitor information, information related to a particular topic etc.

Eg: inurl:, site:, allintitle: etc.

Examining HTML Source and Examining Cookies:

The HTML source code of a web application may give us an understanding of the application's functionality, hidden fields, comments, variable names etc. Cookies are used to identify a user within a session; these cookies may be stored in the browser, passed in the URL, or sent in an HTTP header.

The entire website can be mirrored using tools like HTTrack to gather information at our own pace.

Extract website archives: older versions of a website can be obtained, which may reveal information related to the target.

eg: www.archive.org

Email Footprinting

An email header reveals information about the mail server, the original sender's email ID, the internal IP addressing scheme, as well as the possible architecture of the target network.
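To see concretely what a header chain discloses, here is an added example (not from the original tutorial) that walks the Received: headers of a constructed message and lists the relay hosts and any RFC 1918 addresses that left the organization; the hosts, addresses and people in it are invented.

```python
"""Walk the Received: chain of an e-mail to see what its headers disclose:
relay hosts, the originating client, and internal (RFC 1918) addresses.

Added example, not part of the original tutorial. The message below is
constructed; hosts, addresses and people are invented for illustration.
"""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample message: each relay prepends its own Received: line,
# so the first header is the last hop and the last header is the first hop.
SAMPLE_MESSAGE = """\
Received: from mx-out.example-corp.test (mx-out.example-corp.test [203.0.113.25])
\tby inbound.mailhost.test with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from exch01.corp.example-corp.test (10.20.30.40)
\tby mx-out.example-corp.test with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from WORKSTATION-17 (192.168.5.77)
\tby exch01.corp.example-corp.test with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: Alice Example <alice@example-corp.test>
To: bob@mailhost.test
Subject: Quarterly numbers

Body text.
"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_received_chain(raw_message):
    """Return hops oldest-first as (from_host, from_ip, by_host) tuples."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        from_m, by_m, ip_m = FROM_RE.match(text), BY_RE.search(text), IP_RE.search(text)
        hops.append((from_m.group(1) if from_m else None,
                     ip_m.group(1) if ip_m else None,
                     by_m.group(1) if by_m else None))
    return hops


def leaked_internal_ips(raw_message):
    """RFC 1918 addresses that left the organization inside Received: headers."""
    return [ip for _, ip, _ in parse_received_chain(raw_message)
            if ip and any(ip_address(ip) in net for net in RFC1918)]


if __name__ == "__main__":
    for hop, (src, ip, relay) in enumerate(parse_received_chain(SAMPLE_MESSAGE), 1):
        print(f"hop {hop}: {src} ({ip}) -> {relay}")
    print("internal addresses disclosed:", leaked_internal_ips(SAMPLE_MESSAGE))
```

Running it against mail your own organization sends out shows whether internal hostnames and private addresses are being leaked to recipients, which is the countermeasure-side use of the same analysis.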

Competitive Intelligence

Competitive intelligence gathering is the process of gathering information about the competitors from resources such as the Internet.

Eg: company website, search engine, internet, online databases, press releases, annual reports, trade journals.

Google Hacking/Google Dorks

This is a process of creating search queries to extract hidden information by using Google operators to search specific strings of text inside the search results.

Some Google operators: site:, allinurl:, inurl:, allintitle:

Whois Footprinting

Whois databases and servers are operated by the Regional Internet Registries (RIRs). These databases contain the personal information of domain owners. Whois is a query/response protocol used for querying Whois databases; the protocol is documented in RFC 3912. The Whois utility interrogates the Internet domain name administration system and returns the domain ownership, address, location, phone numbers, and other details about a specified domain name.

DNS Footprinting

DNS is a naming system for computers that converts human-readable domain names into computer-readable IP addresses and vice versa. DNS uses UDP port 53 to serve its requests. A zone stores all information, or resource records, associated with a particular domain in a zone file. Resource records returned by the name servers have the following fields:

  • Domain Name — identifies the domain name or owner of the record
  • Record Type — specifies the type of data in the resource record
  • Record Class — identifies the class of network or protocol family in use
  • Time to Live (TTL) — specifies how long a record may be stored in a cache before it is discarded
  • Record Data — provides the type- and class-dependent data describing the resource

Common record types are:

  • A (address) — maps a hostname to an IP address
  • SOA (Start of Authority) — identifies the DNS server responsible for the domain information
  • CNAME (canonical name) — provides additional names or aliases for an address record
  • MX (mail exchange) — identifies the mail server for the domain
  • SRV (service) — identifies services such as directory services
  • PTR (pointer) — maps IP addresses to hostnames
  • NS (name server) — identifies other name servers for the domain
  • HINFO (host information) — host information records

DNS servers perform zone transfers to keep themselves up to date with the latest information. A zone transfer of a target domain gives a list of all public hosts, their respective IP addresses, and the record type.
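As an added example (not from the original tutorial), the following parses a BIND-style zone file, which is exactly what a zone transfer hands over, into the record fields listed above and summarizes which hosts and addresses it exposes; the zone, the name example-corp.test and its 192.0.2.x addresses are constructed.

```python
"""Parse a BIND-style zone file (what a zone transfer hands over) into the
fields listed above: owner name, TTL, class, type and record data.

Added example, not part of the original tutorial. The zone is constructed;
example-corp.test and its 192.0.2.x addresses are invented.
"""
from collections import Counter

# Constructed zone, as a primary name server might serve it over AXFR.
SAMPLE_ZONE = """\
$ORIGIN example-corp.test.
$TTL 3600
@        IN SOA   ns1 hostmaster ( 2024010101 7200 900 1209600 300 )
@        IN NS    ns1
@        IN NS    ns2
@        IN MX    10 mail
ns1      IN A     192.0.2.10
ns2      IN A     192.0.2.11
www  300 IN A     192.0.2.20
mail     IN A     192.0.2.30
vpn      IN A     192.0.2.40    ; remote-access gateway
intranet IN CNAME www
dev01    IN HINFO "Intel" "Linux"
"""

RECORD_TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "SOA", "PTR", "SRV", "TXT", "HINFO"}
CLASSES = {"IN", "CH", "HS"}


def parse_zone(text):
    """Return a list of dicts with keys name, ttl, class, type, data."""
    origin, default_ttl, last_owner, records = ".", 0, None, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()          # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        # A line starting with whitespace reuses the previous owner name.
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"                # make relative names absolute
        last_owner = owner
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        rclass = tokens.pop(0) if tokens[0] in CLASSES else "IN"
        rtype = tokens.pop(0)
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unknown record type {rtype!r} for {owner}")
        data = " ".join(t for t in tokens if t not in ("(", ")"))
        records.append({"name": owner, "ttl": ttl, "class": rclass, "type": rtype, "data": data})
    return records


def exposed_hosts(records):
    """(hostname, IP address) pairs a transfer of this zone would reveal."""
    return [(r["name"], r["data"]) for r in records if r["type"] == "A"]


def record_type_summary(records):
    return dict(Counter(r["type"] for r in records))


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(record_type_summary(recs), exposed_hosts(recs))
```

Running this over your own zone file is a quick way to review what a permitted zone transfer (or a leaked zone) would tell an outsider, for instance that a host named vpn or an HINFO record is published.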

Footprinting through Social Engineering:

Social media like Twitter and Facebook are searched to collect information like personal details, user credentials and other sensitive information, using various social engineering techniques. Some of the techniques include:

Eavesdropping: the process of intercepting communications without authorization to gather information.

Shoulder surfing: secretly observing the target to gather sensitive information like passwords, personal identification information, account information etc.

Dumpster diving: the process of collecting sensitive information by looking through the trash bin. Many documents are not shredded before being disposed of in the trash. Retrieving these documents from the trash may reveal sensitive information regarding contact details, financial information, tender information etc.

Footprinting countermeasures:

  • Creating awareness among employees and users about the dangers of social engineering
  • Limiting the sensitive information that is published
  • Encrypting sensitive information
  • Using privacy services on the Whois lookup database
  • Disabling directory listings on web servers
  • Enforcing security policies

Types of Ethical Hacking

It is no big secret that any system, process, website, device, etc., can be hacked. In order to understand how the hack might happen and what the damage could be, ethical hackers must know how to think like malicious hackers and know the tools and techniques they are likely to use.

Hacking the network: involves testing the infrastructure of the network in order to find flaws in its protocols, configurations and devices.

Hacking web applications: centers around identifying weaknesses in web applications, for example SQL injection or cross-site scripting (XSS) vulnerabilities.

Hacking the system: targets operating systems and software to find security flaws that could be exploited.

Social engineering: attempts to manipulate individuals into revealing confidential information or performing actions that could compromise security, putting the human element to the test.

Hacking into wireless networks: involves identifying potential dangers in wireless communications and evaluating the security of wireless networks.

Tools for Footprinting and Reconnaissance

Google Hacking

Google Hacking doesn’t mean hacking Google itself. Instead, it involves using Google search in creative ways to uncover information that isn’t easily accessible. Hackers use specific search queries and techniques to locate hidden or sensitive data about an organization’s systems or networks.

Whois Lookup

Whois Lookup is a tool used to gather basic details about a website. It can provide information such as:

  • The owner of the website
  • The physical location of the server
  • Additional organizational details

Steps to use Whois Lookup:

    1. Open your browser and visit domaintools.com.
    2. Enter the domain name or IP address you want to look up.
    3. Click on ‘Search.’
    4. The tool will display key details about the domain.

Social Engineering

Social engineering is a tactic used to manipulate people into revealing confidential information. Hackers first gather information about their target to build trust. They then use this trust to deceive the person and trick them into providing sensitive data.

NeoTrace

NeoTrace is a software program that provides detailed information about networks. It can reveal:

  • IP addresses
  • Geographic locations of devices
  • Information about network components

Hackers often use NeoTrace to gain a deeper understanding of a network’s structure before planning their next steps.

Information Gathering Techniques

Information gathering, also called reconnaissance, is the process of collecting data about a target system, network, or organization. This step is fundamental in both ethical hacking and malicious attacks, as it helps understand the target’s environment and identify potential vulnerabilities. Information gathering techniques can be broadly categorized into passive and active methods, each with its own advantages and risks.

Passive Information Gathering

Passive information gathering involves collecting data without directly interacting with the target. This ensures that the activities remain undetected by the target organization.

Common methods include analyzing publicly available information, such as website content, social media profiles, and online forums. Hackers may also use tools like Google Hacking to perform advanced searches for sensitive data. Public records, such as domain registration details obtained via Whois Lookup, can reveal ownership, server locations, and administrative contacts. These passive techniques are often used to build an initial understanding of the target without raising suspicion.

Active Information Gathering

Active techniques involve directly engaging with the target’s systems or network. This approach typically yields more detailed and specific information but comes with a higher risk of detection. Examples include scanning for open ports, sending ping requests, or using tools like Nmap to map network services. Traceroute tools, such as NeoTrace, can provide detailed insights into the network’s structure and the geographical location of devices. While active methods are more intrusive, they allow attackers or ethical hackers to pinpoint vulnerabilities with greater accuracy.

Social Engineering

Social engineering is another critical technique that relies on human interaction rather than technical tools. It involves manipulating individuals into revealing sensitive information, often by exploiting their trust. For instance, a hacker might impersonate a trusted colleague to obtain login credentials. This technique is particularly effective because it targets the human element of security, which is often the weakest link.

Combining Techniques

Effective information gathering typically combines both passive and active methods, along with social engineering tactics, to create a comprehensive profile of the target. The gathered data can include details about network architecture, software versions, security measures, and even employee behavior. For ethical hackers, this information is invaluable for identifying vulnerabilities and crafting strategies to secure systems. For malicious attackers, it serves as the foundation for planning an intrusion or exploit.

Reconnaissance in Network and Infrastructure

Network reconnaissance is the process through which threat actors collect information about target networks before mounting an attack. It typically involves techniques such as network scanning and probing to identify potentially exploitable vulnerabilities. To proactively defend against reconnaissance, organizations often implement Continuous Threat Exposure Management (CTEM), a framework that continuously monitors and strengthens cyber defenses against evolving threats.

Common methods used in network reconnaissance

During this process, threat actors employ a variety of different techniques to help them uncover network vulnerabilities. These include the following:

Port scanning: A threat actor scans a target system to identify open ports and services on endpoints.

OS fingerprinting: An attacker analyzes data packets from a network to determine the type and version of an OS.

Ping sweeps: An attacker sends ICMP echo requests to various IP addresses, using responses to identify active endpoints.

Packet sniffing: A threat actor detects and observes data passing through a particular segment of a network and analyzes them to collect information about network protocols or credentials.

DNS digging: An attacker queries DNS servers to gather information about domain names, IP addresses, and network zones.

Phishing: A threat actor sends misleading emails to trick individuals at an organization into disclosing sensitive information or credentials that will facilitate unauthorized access.

Many of these techniques overlap with OSINT techniques, as they rely on gathering publicly available or easily accessible data to map out an organization’s network.
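Port scans and ping sweeps are the methods above that a defender can actually see in firewall logs. The following added example (not from the original tutorial) flags both from a constructed, simplified iptables-like log; the format and all addresses in it are invented, so adapt the regex to your own log format.

```python
"""Flag port scans and ping sweeps, the noisy side of the methods above, in firewall logs.

Added example, not part of the original tutorial. The log lines use a constructed,
simplified iptables-like format; all addresses are invented.
"""
import re
from collections import defaultdict

# Constructed sample: 198.51.100.7 probes six ports on one host (port scan),
# 198.51.100.9 pings four hosts (ping sweep), 203.0.113.50 is ordinary traffic.
SAMPLE_LOG = """\
1704103200 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=21
1704103200 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=22
1704103201 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=23
1704103201 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=25
1704103202 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=80
1704103203 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=443
1704103210 SRC=198.51.100.9 DST=192.0.2.1 PROTO=ICMP TYPE=8
1704103210 SRC=198.51.100.9 DST=192.0.2.2 PROTO=ICMP TYPE=8
1704103211 SRC=198.51.100.9 DST=192.0.2.3 PROTO=ICMP TYPE=8
1704103212 SRC=198.51.100.9 DST=192.0.2.4 PROTO=ICMP TYPE=8
1704103300 SRC=203.0.113.50 DST=192.0.2.20 PROTO=TCP DPT=443
1704103400 SRC=203.0.113.50 DST=192.0.2.20 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"^(\d+) SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: DPT=(\d+))?(?: TYPE=(\d+))?")

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        ts, src, dst, proto, dpt, icmp_type = m.groups()
        events.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                       "dpt": int(dpt) if dpt else None,
                       "icmp_type": int(icmp_type) if icmp_type else None})
    return events

def _peak_distinct(events, key, window):
    """Most distinct `key` values seen in any `window`-second span of `events`."""
    events = sorted(events, key=lambda e: e["ts"])
    peak = 0
    for i, start in enumerate(events):
        distinct = {e[key] for e in events[i:] if e["ts"] - start["ts"] < window}
        peak = max(peak, len(distinct))
    return peak

def detect_port_scans(events, min_ports=5, window=60):
    """(src, dst, ports) for sources probing >= min_ports distinct TCP ports on one host."""
    by_pair = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dpt"] is not None:
            by_pair[(e["src"], e["dst"])].append(e)
    hits = []
    for (src, dst), evs in by_pair.items():
        n = _peak_distinct(evs, "dpt", window)
        if n >= min_ports:
            hits.append((src, dst, n))
    return sorted(hits)

def detect_ping_sweeps(events, min_hosts=4, window=60):
    """(src, hosts) for sources sending ICMP echo requests to >= min_hosts hosts."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "ICMP" and e["icmp_type"] == 8:
            by_src[e["src"]].append(e)
    hits = [(src, _peak_distinct(evs, "dst", window)) for src, evs in by_src.items()]
    return sorted(h for h in hits if h[1] >= min_hosts)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port scans:", detect_port_scans(evs))
    print("ping sweeps:", detect_ping_sweeps(evs))
```

The thresholds and the 60-second window are assumptions; tune them against your own baseline so that vulnerability scanners and monitoring systems you operate are allow-listed rather than alerted on.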

Tools for Reconnaissance Automation

  1. R3C0Nizer— an automatic reconnaissance tool that performs footprinting and enumeration to gather information about a target.
  2. scant3r— a web application scanner that automates the process of identifying vulnerabilities in web applications.
  3. ReconFTW — a reconnaissance framework that automates the process of footprinting and information gathering about a target.
  4. MagicRecon — an automated reconnaissance tool that uses open-source intelligence (OSINT) to gather information about a target.
  5. LazyRecon — an automation framework that helps with reconnaissance, information gathering, and vulnerability scanning.
  6. BugBountyScanner — an automated web application vulnerability scanner that helps with finding security vulnerabilities in web applications.
  7. AutoRecon — a multi-threaded reconnaissance tool that automates the process of gathering information about a target.
  8. s1mr3c— an automated reconnaissance tool that helps with footprinting, subdomain enumeration, and information gathering about a target.
  9. ReconPi — a portable Raspberry Pi-based reconnaissance tool that automates the process of gathering information about a target.
  10. Bba — a web-based application that automates the process of information gathering and reconnaissance for bug bounty hunters.

Mitigating Footprinting Risk

The top 4 ways to mitigate risk through digital footprint monitoring are:

  1. Understand Your Digital Exposure & Shadow IT
  2. Mitigate Shadow IT Risks
  3. Prioritize Your Remediation Efforts
  4. Monitor Continuously

Attackers have their techniques to exploit the exposed digital assets and ineffective security solutions. Digital attacks expose the organization’s sensitive information, and sometimes these attackers trade this information in Dark Web forums.

➢     Understand Your Digital Exposure & Shadow IT:

Attackers focus on the digital presence to gain access to customer’s credentials and the organization’s sensitive data. You need to have continuous visibility into your entire digital ecosystem. You need to discover an organization’s ever-changing digital footprint including shadow IT, unknown exposed databases, cloud buckets, code leaks, exposed credentials, risky cloud assets and open ports, etc. This means you must be able to validate and manage your digital footprint across a complex environment.

➢     Mitigate Shadow IT Risks:

As an organization, you need to track all exposed and internet-facing digital assets, including identifying exposed documents and files, identifying compromised or malicious infrastructure, and identifying exposed services like APIs and RDP.

➢     Prioritize Your Remediation Efforts

You need to prioritize digital risks to focus efforts on the vulnerabilities that are most likely to be exploited. Having a dashboard summarizing the high, medium, and low priority risks and mitigation recommendation steps is very useful. For example, you should prioritize remediating any incidents that involve crown jewels or a critical asset with a high risk of breach.

➢     Monitor Continuously

Continuous monitoring provides a near real-time view of your digital footprint and its associated risks. Monitoring the surface, deep and dark web using nation-state grade reconnaissance techniques, with real-time alerts to the right teams, helps you identify risks and mitigate them before they are exploited.