Certified Ethical Hacker - Part 2 - Footprinting and Reconnaissance

by Riazul H. Rozen
Oct. 22, 2017 1 comment 4 minute read Certifications CEH EthicalHacking
Download PDF

What is Footprinting

Footprinting is the science of gathering information on a target’s network system. It allows the attacker be privy to certain kinds of sensitive information, which in essence narrows down the area of attack for the hackers. Footprinting if pulled of correctly can cause huge financial losses for the target organization. Footprinting allows the attackers -

  • To have an idea of the external structure of the target network system
  • To narrow down the area of infrastructure that will be attacked
  • To find loopholes to take advantage of
  • To map the organizations’ internal structure, for ease in stealing information

The aim of Footprinting to the hacker is collecting system information (routing tables, passwords, and system names etc.), organization information (employee information, website information, location information and so on) and network information (domain name, VPN points, authentication means and so on).

The methods behind Footprinting

There are a couple of methods, which hackers use to get sensitive data from organizations. These methods in conjunction with other tools carry out social engineering manipulations, which ultimately lead to attacks and hacking, these methods are -

Footprinting through Search engines

Attackers get information such as login pages, employees’ information, internet portals and others from search engines. Attacks still have access to sensitive information taken off the internet, through internet archives or search engine caches. Websites like netcraft.com allow attackers gain access to their target organizations restricted websites.

Footprinting through advanced Google hacking

Google hacking methods involve using advanced and arduous queries forms to gain sensitive information from the targets, discovering venerable targets, and using google search means to uncover specific string of texts. This method allows attackers discover sites connected to the company’s website, extract information on customers, business partners and vendors, and make the information gathered concise. Several operators (e.g - [allintitle:], [link:], [cache:] etc.) and filters can be used in Google to search personal info.

Footprinting through social media platforms

Employees post information about their personal lives, as well as information regarding their companies. For instance, employees use social media to reveal things like new clients, fresh deals, and company news and business partners. Attackers open new pages, track these employees and try to gain more information.

Footprinting through website to determine OS

Attackers track organizations websites, to discover various sensitive information that to be used for the main attack. Hackers source out details like admin contact information, scripting platform used, version of OS used, software used by the organization and the file system framework for use during intrusion. Web spiders are used to gather information on the employees, which are used in an advanced method of social engineering and Footprinting to gain more information. Hackers often use Shodan tool to determine the OS. Shodan is the world's first search engine for Internet-connected devices.


Footprinting through email

This process involves intercepting emails, getting information from the email headers and using email tracking devices help the attacker gather sensitive information. Also it is possible to get lots of info from mail header.

HTML view of mail
Mail Header

Footprinting through competitive intelligence

This is a subtle method of gathering information from target organizations. This is done using internet resources such as websites, employment advertisements, search engines, client interviews, socially interacting with employees, patents, newsletters from organizations and analyst reports. Edgar database, Hoovers, LexisNexis etc. are some sites from where a hacker can get lots of info. Also company plans can be retrived from several sites likes experion, secinfo etc. sites.

Footprinting through WHOIS

This is managed by regulatory agencies and is privy to sensitive information on domain possessors such as contact details of domain owner, domain name, servers, domain creation date and Netrange. Attackers gain information through these means for the sole purpose of advancing to the social engineering stage. LanWhoIs, CallerIP, WhoIs Analyzer Pro, Domain Dossier etc are some tools used for WHOIS lookup.

Footprinting through DNS information

Attackers get information through this means for social engineering attacks, because the DNS has pertinent information on location and server type, hence target hosts can be discovered with this method. Domain Dossier, DNS lookup, DNS watch etc. are some tools can be used for DNS information.

Footprinting through social engineering

This involves manipulating social interactions with a human element, for the purpose of gaining delicate information. This works because most people are unaware they hold sensitive information, and as such are very lax about keeping it safe. Social engineering can be done through fake profiles on social media platforms, dumpster diving, snooping in on interactions, and shoulder surfing. Attackers gain information like operating systems, credit card details, and software versions. Hackers sometimes use - AnyWho.com, ussearch.com, intelius.com, 411.com, privateeye.com, peoplefinders.com etc. to search personal information.


Some other tools used for Footprinting

Recon-ng is a structural powerhouse, fitted with the necessary tools to allow the user carry out open source reconnaissance mechanisms.


FOCA is used to source out metadata and sensitive information that has been hidden. A lot of work can be done using this application, from DNS snooping, to metadata extraction, fingerprinting, analyzing networks, and searching open directories.

Foca Tool

A lot of other tools can be used to gather information on a target organization. For instance, robtex, TinEye, binging, searchbug, DNS-digger, GeoTrace, and many others.


How to prevent Footprinting attacks

Footprinting if done right, can cause a lot of financial damage to the target organization. It is therefore necessary, to put structures, policies and regulations in place, to counter the attacks from malicious individuals. Some policies that will ensure safety in the long run are -

  • Limiting the network or websites the employees can access, by putting restrictions on social media platforms.
  • Restrict and filter information that goes on the company’s website
  • Use anonymous registration services and prevent website from caching information
  • Employ Footprinting methods to figure out vulnerabilities and remove them.
  • Ensure security regulations are made compulsory, so employees don’t release more information than necessary to the public
  • Encode and protect delicate information with passwords
  • Use private services on WHOIS lookup services.
  • Prevent information leakage, by organizing web servers
  • Penetration testing -This involves gaining information about the target organizations from the internet and as many accessible sources as possible. This is done to figure out how much of the organizations information is available to the public.

Footprinting is done by an organization for the purpose of protecting its information, preventing leakage to attackers, eliminate the possibility of a successful DNS snooping attempt, and counter social engineering methods. Footprinting pen testing can be done using a number of steps, first of which is to gain legal authorization from the administrative personnel. The remaining steps involved are -

  • Define the boundaries of the valuation exercise.
  • Use search engines (google, bing, yahoo) to footprint
  • Hack google with tools like SiteDigger
  • Footprint with social networking platforms (Facebook, twitter, Pinterest, LinkedIn, Instagram)
  • Footprint with email (emailTrackerPro, PoliteTrakcer), competitive intelligence (Hoovers, BusinessWire), DNS, WHOIS (SmartWhois, DomainDossier), social engineering (dumpster diving, eavesdropping and shoulder surfing) and networking (Path Analyser, VisualRoute).
  • Report all discoveries made from this evaluation exercise

Published with the express permission of the author.

Mitchell Rowton moderator 7 months ago

Their organization took a credibility hit this year... then bumped the price of their exams to boot. I dont know if that was related to Pearson VUE getting stingy...

1st) EC-Council site was hacked...
2nd) Their site was hacked again... and told to "Change the passwords" on their servers.

3) "Thirsty Exam Fees" For $100 eligibility fee + $950 exam fee OR.... $950 training + $850 Exam fee... you could just as easily take the OSCP w/ the Pentesting With Kali course @ Offensive Security. It's more respectable as a hands-on examination.
If you don't know your stuff, that 24 hours is going to go fast and you'll be empty handed. Hands-on proof of working knowledge definitely trumps a multi-choice exam.