
Introduction to Footprinting and Reconnaissance in Ethical Hacking

By Vitesh Sharma

Updated on Dec 01, 2020 | 8 min read | 12.0k views

Footprinting is one of the most convenient ways for hackers to collect information about targets such as computer systems, devices, and networks. Using this method, hackers can uncover the open ports on the target system, the services running on them, and the likelihood of gaining remote access.

Since it is the initial phase of hacking, it is important to develop an accurate understanding of the entire process. Systematic footprinting of a target gives the attacker a blueprint of the target's security posture.

In this article, we will look at how malicious hackers perform footprinting on an organization or target system, what they can do with the results, and how this harms businesses and individuals. On the other hand, white hat hackers who are well versed in footprinting can improve the security of the organizations they work for: with a systematic methodology, businesses can identify their vulnerabilities, patch them, and change policy accordingly.

Types of footprinting:

  • Whois footprinting
  • Network footprinting
  • DNS footprinting
  • Competitive intelligence
  • Email footprinting
  • Website footprinting
  • Social Engineering
  • Google Hacking

How to perform footprinting?

Footprinting is the first step, during which the hacker gathers as much information as possible to find ways into a target system. For successful footprinting, the attacker first checks how visible the target is and how related information can be gathered from open sources on the internet. Through careful analysis, the attacker can determine the scope of potential entry points. The following information can be collected:

  • Company names
  • Domain names
  • Business subsidiaries  
  • IP Addresses
  • Business emails  
  • Network phone numbers  
  • Key employees

and so on.

In hacking terms, we can call this the "front door" of the target's castle.

The first step of footprinting is to decide what to attack in order to obtain the "footprint" of the target network, which includes, but is not limited to, the following:

  • Hostnames
  • Network address ranges
  • Exposed hosts  
  • Exposed applications  
  • OS and its versions
  • Application and its versions

and many more.

Apart from this, the attackers have to decide the scope of the target: the entire organization, or certain subsidiaries or locations. Based on the scope, they start to dig into information such as company web pages, related organizations, employee details, contacts, e-mail addresses, current events, locations, news, policies, disgruntled employees, mergers, acquisitions, or other events, to garner clues, opportunities, and contacts.

Methods of footprinting

1. Port Scanning

Port scanners are used to determine which hosts are live on the internet and to find out which Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are listening on each system, as well as which operating system is installed on the host. To identify the relationship between hosts and the potential security mechanisms that sit between the attacker and the targets, attackers use traceroutes.

Tools:

  • NSLookup - to perform DNS queries and zone transfers
  • Tracert - to create network maps of the target.

Once port scanning and trace routing are done, attackers create a network map that represents the target's internet footprint.

2. Google Hacking

Despite what you may infer from the name, this method does not involve hacking Google! It is a means of collecting information from the Google search engine in a smart way.

Search engines have many features that let you obtain uncommon but very specific search results from the internet. Using these techniques, hackers and attackers perform searches with advanced operators, examples of which are given below.

These operators can uncover a great deal of sensitive information that can potentially harm the target and should therefore not be exposed.

Let's take an example. 

Go to google.com and paste this: allinurl:tsweb/default.htm

You will get more than 200 websites that expose a tsweb/default.htm page. Using this, the hacker gets a chance to get into the organization's servers. This is just one example; plenty of such information about targets is available online, and hackers can take advantage of it.

3. Ping Sweep

If attackers want to know which machines on your network are currently live, they can perform a ping sweep. Ping uses ICMP packets to send echo requests to the target system and waits for an echo reply. If the device is not reachable, the result is a "request timed out"; if the device is online and not restricted from responding, it sends an echo reply back. Here are some tools used to perform ping sweeps across a range of devices to determine the active devices on the target network.

  • Nmap
  • Angry IP scanner
  • Super Scan
  • Pinger etc.
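From the defender's side, a ping sweep leaves a recognizable trace: one source sending echo requests to many distinct hosts in a short time. The following Python script, added here as an example and not part of the original article, runs that detection over constructed firewall log lines (the log format and addresses are assumptions for the illustration).

```python
"""Detect ICMP ping sweeps in firewall logs: one source probing many distinct
hosts within a short window. Added example; the log format is constructed
for this illustration, not a real product's format."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed log format: "<ISO timestamp> ICMP echo-request <src> -> <dst>"
LOG_RE = re.compile(r"^(\S+) ICMP echo-request (\S+) -> (\S+)$")


def parse_line(line):
    """Return (timestamp, src, dst) for an echo-request line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst = m.groups()
    return datetime.fromisoformat(ts), src, dst


def detect_ping_sweeps(lines, threshold=5, window_seconds=60):
    """Map each source that hit >= threshold distinct destinations within any
    window_seconds span to the peak number of distinct destinations seen."""
    probes = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst = parsed
            probes[src].append((ts, dst))
    flagged = {}
    for src, events in probes.items():
        events.sort()
        window, seen, peak = deque(), Counter(), 0
        for ts, dst in events:
            window.append((ts, dst))
            seen[dst] += 1
            # Drop probes older than the window so the count keeps sliding
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old = window.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample log (RFC 5737 test address for the external host):
# a sweep of 10.0.2.1-8 in eight seconds, a monitoring host pinging one
# gateway repeatedly, a host touching three machines, and an unrelated line.
SAMPLE_LOG = [
    f"2020-12-01T10:00:{i:02d} ICMP echo-request 203.0.113.7 -> 10.0.2.{i + 1}"
    for i in range(8)
] + [
    "2020-12-01T10:00:00 ICMP echo-request 10.0.2.50 -> 10.0.2.1",
    "2020-12-01T10:00:30 ICMP echo-request 10.0.2.50 -> 10.0.2.1",
    "2020-12-01T10:01:00 ICMP echo-request 10.0.2.50 -> 10.0.2.1",
    "2020-12-01T10:02:00 ICMP echo-request 10.0.2.51 -> 10.0.2.3",
    "2020-12-01T10:02:05 ICMP echo-request 10.0.2.51 -> 10.0.2.4",
    "2020-12-01T10:02:09 ICMP echo-request 10.0.2.51 -> 10.0.2.5",
    "2020-12-01T10:02:10 TCP SYN 10.0.2.51 -> 10.0.2.5:22",
]

if __name__ == "__main__":
    print(detect_ping_sweeps(SAMPLE_LOG))  # {'203.0.113.7': 8}
```

Tune the threshold and window to your network: a monitoring host that legitimately pings many machines should be whitelisted rather than lowering the threshold for everyone.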

4. Whois lookup

This method queries the Whois database for basic information such as the domain name, IP address block, location, and much more about the organization.

Example of Footprinting

Let's see an example of footprinting using the Linux tool p0f.

p0f is a passive TCP/IP stack fingerprinting tool that identifies the operating system of machines that send network traffic to the box it is running on, or to a machine that shares a network medium with it. p0f can also assist in analyzing other aspects of the remote system. It is commonly used in forensic investigation of a system that has been compromised or is under attack. Using this tool, you can analyze the structure of TCP/IP packets to determine the OS and other configuration of the target host. Let's check how to do this.

  • Step 1 - Open a Linux terminal and type p0f
  • Step 2 - Browse to your target host using any browser

Once the connection is established with the target host, the client will start to interact with the server.

You can see that my client IP 10.0.2.15 has established a connection with the target web server 72.163.4.185 using port 80.
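To make the passive technique concrete, here is a simplified fingerprinter in the style of p0f, added as an example and not p0f's own code: it parses a raw IPv4/TCP SYN, normalizes the TTL back to its likely initial value, and matches window size and option layout against a small signature table. The signature values and the two sample packets are constructed for the illustration and are not p0f's database.

```python
"""Simplified passive OS fingerprinting in the style of p0f.
Added example: not p0f's own code; the signature table holds assumed,
illustrative values, and the packets below are constructed by hand."""
import struct

# (initial TTL, TCP window, option layout) -> label (assumed values)
SIGNATURES = {
    (64, 64240, "mss,sok,ts,nop,ws"): "Linux (illustrative)",
    (128, 64240, "mss,nop,ws,nop,nop,sok"): "Windows (illustrative)",
}
OPTION_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}


def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value,
    since every router hop decrements it by one."""
    for guess in (32, 64, 128, 255):
        if ttl <= guess:
            return guess
    return 255


def parse_syn(packet):
    """Return (ttl, window, option layout) for an IPv4/TCP SYN, else None."""
    ihl = (packet[0] & 0x0F) * 4        # IPv4 header length in bytes
    ttl, proto = packet[8], packet[9]
    if proto != 6:                      # not TCP
        return None
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4       # TCP header length incl. options
    if (tcp[13] & 0x12) != 0x02:        # want SYN set and ACK clear
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i, layout = tcp[20:data_off], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                   # end of option list
            break
        if kind == 1:                   # NOP carries no length byte
            layout.append("nop")
            i += 1
            continue
        layout.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += opts[i + 1]                # skip kind, length and data
    return ttl, window, ",".join(layout)


def fingerprint(packet):
    """Label a SYN by matching its normalized features against SIGNATURES."""
    parsed = parse_syn(packet)
    if parsed is None:
        return "not a SYN"
    ttl, window, layout = parsed
    return SIGNATURES.get((initial_ttl(ttl), window, layout), "unknown")


def build_syn(ttl, window, options):
    """Construct a minimal IPv4+TCP SYN for testing (checksums left zero)."""
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4,
                      0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl,
                     6, 0, bytes([10, 0, 2, 15]), bytes([72, 163, 4, 185]))
    return ip + tcp


# Constructed samples: a Linux-style SYN seen 6 hops away (TTL 58) and a
# Windows-style SYN seen 8 hops away (TTL 120), both with window 64240.
LINUX_SYN = build_syn(58, 64240, b"\x02\x04\x05\xb4" + b"\x04\x02"
                      + b"\x08\x0a" + struct.pack("!II", 1, 0)
                      + b"\x01" + b"\x03\x03\x07")
WINDOWS_SYN = build_syn(120, 64240, b"\x02\x04\x05\xb4" + b"\x01"
                        + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02")
```

Because the technique only reads packets that already arrive, a defender can run the same idea on a span port to inventory what is on the network without sending a single probe.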

How to prevent Footprinting?

Every move you make, every activity, and every piece of data about you on the internet is a potential footprint that can open up layers of information for attackers.

Now let's discuss preventive steps to avoid threats and reduce the security risk to the organization and the individual.

1. Delete or De-activate old accounts

Once you create an account online, it can be shared anywhere along with your full name, email address, pictures, location, and other information. Official email accounts provided to employees are also visible online. Once an employee has left the organization, the email account must be deleted to prevent fraudulent transactions using it.

2. Unsubscribe from unwanted mails

All of us keep subscribing to newsletters, event registrations, offers, and many other mailing lists. While some of these lists may be useful, most of them just clutter our mailbox. Unsubscribe from all unnecessary emails to reduce your digital footprint on the internet.

3. Use stealth mode

There are many browsers that help you surf with privacy, so you can search online with ease and stop websites from tracking your interests, location, and so on. Using tools like Tor and DuckDuckGo, together with some advanced settings in your regular browser, can restrict the sharing of your information online.

4. Use a VPN

There are many VPNs (Virtual Private Networks) available that you can use for privacy. A VPN provides an extra layer of security to protect your privacy over the internet. It prevents others from tracking your web activity and collecting data by watching your surfing patterns.

5. SEO

Prevent search engines from crawling and caching your web pages, use anonymous registration details, and minimize unwanted footprints.

6. Configure Web servers

Configure your web servers to avoid information leakage, and block all unwanted protocols to prevent unauthorized external scans. Use TCP/IP and IPSec protocols. Always maintain a separation between internal and external DNS.

7. Do it yourself

Perform the footprinting techniques discussed above and check whether any sensitive or unwanted information about you is available on the internet. Use the OSINT framework to dig deeper, and remove posted or shared data that reveals any kind of sensitive information that could be a potential threat. Share tips and tricks for avoiding fraud calls and social engineering.

What is Reconnaissance?

Similar to footprinting, reconnaissance is a very important stage in the initial hacking process. In this stage, attackers gather information, much like a detective does! The process involves gathering information about the target's flaws and vulnerabilities, which can be used in penetration testing and is the beginning of any data breach.

Any information gathered about the target may be a crucial piece of the jigsaw needed to reveal the target's critical vulnerabilities.

What critical information can be revealed in the reconnaissance phase?

1) Network Information

  • IP addresses
  • subnet mask
  • network topology
  • domain names

2) Host Information

  • usernames
  • group names
  • architecture type
  • operating system family and version
  • TCP and UDP services running with versions

3) Security Policies

  • password complexity requirements
  • password change frequency
  • expired/disabled account retention
  • physical security (e.g. access badges, door locks, etc.)
  • firewalls
  • intrusion detection systems

4) Personnel details

  • designations
  • telephone number
  • social hangouts
  • computer skills

There are two types of reconnaissance.

1. Passive reconnaissance

This is when the attacker gathers information about the target through openly available sources. Many free sources on the internet may together provide a blueprint of the organization or individual.

2. Active reconnaissance

Here, the attacker directly interacts with the target's computer system to gain information using scanning, eavesdropping, and packet capturing techniques. The advantage of active reconnaissance is that the collected information is quite accurate and relevant; however, there is a risk of being detected.

Netcat and Nmap are the best tools for this.

What is Enumeration?

Once an attacker has established an active connection with the target, they can perform directed queries to gain more information, for example:

  • Usernames
  • hostnames
  • IP address
  • Passwords (or strength)
  • configuration

The information gathered about the target can be used to identify vulnerabilities in the target system. Once an attacker has this information, they can steal private data and sometimes, even worse, change the configuration.

Types of Enumeration

There are multiple types of enumeration. Let’s take a look at one example.

DNS Enumeration

DNS enumeration is the technique of finding all the DNS servers and their corresponding records for an organization. The resulting list of DNS records provides an overview of the zone's contents.

A DNS zone transfer replicates DNS data (the zone files). The user performs a DNS zone transfer query against the name server; if the name server allows transfers to unauthorized users, all the DNS names and IP addresses it hosts are returned in ASCII text.

Some of the tools that can be used for this include nslookup, Maltego, dnsenum, dnsrecon, etc.

Here is an example that uses nslookup.

nslookup queries DNS servers for machine names and addresses.

For example, to find the IP address of Google's web server with nslookup, we enter the command below.

nslookup www.google.com

The output will then look like this:

C:\>nslookup www.google.com
Server:  dnsr1.sbcglobal.net
Address:  68.94.156.1
Non-authoritative answer:
Name:    www.1.google.com
Addresses:  64.233.187.99, 64.233.187.104
Aliases:  www.google.com

The first two lines of output tell us which DNS server is being queried; in this case, it's dnsr1.sbcglobal.net in Texas. The non-authoritative answer lists two IP addresses for the Google web servers.

Non-authoritative servers do not hold a copy of the zone. They answer from a cache built from all the lookups they have performed in the past for which they received an authoritative response.

In interactive mode, the user is given a > prompt, at which point they can enter a variety of commands, including attempts to perform a zone transfer.

Hackers can enumerate other information too, such as network resources and shares, routing tables, machine names, applications and banners, users and groups, etc.

There are other types of enumeration.

  • Windows enumeration
  • Linux enumeration
  • LDAP enumeration
  • NetBios enumeration  
  • SNMP enumeration
  • NTP enumeration etc.

Steps to prevent enumeration:

  1. Use centralized network administration contact details in the NIC (Network Information Center) database to prevent social engineering against IT departments.
  2. Configure name servers to disable DNS zone transfers to untrusted hosts.
  3. Configure web servers to prevent indexing of directories without index files, and avoid keeping sensitive files and documents on publicly accessible hosts (FTP, HTTP, etc.).
  4. Configure SMTP servers to ignore emails to unknown recipients.
  5. Disable SMB.
  6. Use NTLM or basic authentication to limit access to authorized users only.
  7. Implement the group policy security option named "access restrictions for anonymous connections."
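The zone transfer control in step 2 is a one-line change on a BIND name server. Added as an example (not from the original article): the weak zone block beside a hardened one that restricts AXFR to requests signed with a TSIG key shared only with the secondary servers. The zone name, file name, key name and placeholder secret are assumptions for the illustration.

```conf
// Weak: any host on the internet can request a full copy of the zone,
// which is exactly what DNS enumeration tools try first.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// Hardened: only requests signed with the shared TSIG key are allowed to
// transfer the zone; the key is configured on the secondaries as well.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, generate with tsig-keygen
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key xfer-key; };
};
```

After reloading, verify the change from an unrelated host: an unsigned AXFR request against your own server should now be refused, which is the "do it yourself" check from the prevention section applied to DNS.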

Conclusion

In this article, you have learned about the initial steps involved in hacking, during the pre-attack phase, including information gathering, scanning, and mapping the network.

The more information the hacker is able to gather, the higher their chances of a successful attack. If you increase your security right from the initial phase, you reduce the opportunities for an attacker to get into your system. By controlling your digital footprint, you can improve your security posture and keep your data safe from hackers.
