# Module 02: Footprinting and Reconnaissance

## **Objective**

The objective of the lab is to extract information about the target organization that includes, but is not limited to:

* **Organization Information**: Employee details, addresses and contact details, partner details, weblinks, web technologies, patents, trademarks, etc.
* **Network Information**: Domains, sub-domains, network blocks, network topologies, trusted routers, firewalls, IP addresses of the reachable systems, the Whois record, DNS records, and other related information
* **System Information**: Operating systems, web server OSes, location of web servers, user accounts and passwords, etc.

## Overview of Footprinting

Footprinting refers to the process of collecting information about a target network and its environment, which helps in evaluating the security posture of the target organization’s IT infrastructure. It also helps to identify the level of risk associated with the organization’s publicly accessible information.

Footprinting can be categorized into passive footprinting and active footprinting:

* **Passive Footprinting**: Involves gathering information without direct interaction. This type of footprinting is principally useful when there is a requirement that the information-gathering activities are not to be detected by the target.
* **Active Footprinting**: Involves gathering information with direct interaction. In active footprinting, the target may recognize the ongoing information gathering process, as we overtly interact with the target network.

***

## Lab-1 - Task 1: Gather Information using Advanced Google Hacking Techniques

* Type **`intitle:login site:eccouncil.org`** and press **Enter**. This search command uses the **intitle** and **site** Google advanced operators, which restrict results to pages on the **eccouncil.org** website whose title contains the word **login**. An example is shown in the screenshot below.
* In the search bar, type the command **`EC-Council filetype:pdf ceh`** and press **Enter** to search your results based on the file extension and the keyword (here, **ceh**).
* Apart from the aforementioned advanced Google operators, you can also use the following to perform an advanced search to gather more information about the target organization from publicly available sources.
  * **`cache`**: This operator allows you to view the cached version of a web page. \[cache:www.eccouncil.org]—Query returns the cached version of the website [www.eccouncil.org](http://www.eccouncil.org)
  * **`allinurl`**: This operator restricts results to pages containing all the query terms specified in the URL. \[allinurl: EC-Council career]—Query returns only pages containing the words “EC-Council” and “career” in the URL
  * **`inurl`**: This operator restricts the results to pages containing the word specified in the URL. \[inurl: copy site:www.eccouncil.org]—Query returns only pages on the EC-Council site in which the URL has the word “copy”
  * **`allintitle`**: This operator restricts results to pages containing all the query terms specified in the title. \[allintitle: detect malware]—Query returns only pages containing the words “detect” and “malware” in the title
  * **`inanchor`**: This operator restricts results to pages containing the query terms specified in the anchor text on links to the page. \[Anti-virus inanchor:Norton]—Query returns only pages with anchor text on links to the pages containing the word “Norton” and the page containing the word “Anti-virus”
  * **`allinanchor`**: This operator restricts results to pages containing all query terms specified in the anchor text on links to the page. \[allinanchor: best cloud service provider]—Query returns only pages in which the anchor text on links to the pages contains the words “best,” “cloud,” “service,” and “provider”
  * **`link`**: This operator searches websites or pages that contain links to the specified website or page. \[link:www.eccouncil.org]—Finds pages that point to EC-Council’s home page
  * **`related`**: This operator displays websites that are similar or related to the URL specified. \[related:www.eccouncil.org]—Query provides the Google search engine results page with websites similar to [eccouncil.org](http://eccouncil.org)
  * **`info`**: This operator finds information for the specified web page. \[info:eccouncil.org]—Query provides information about the [www.eccouncil.org](http://www.eccouncil.org) home page
  * **`location`**: This operator finds information for a specific location. \[location: EC-Council]—Query gives you results based around the term EC-Council
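What the operators above actually test, as an added Python example (not code from the notes): a small evaluator that applies `site`, `filetype`, `intitle`/`allintitle`, `inurl`/`allinurl` and `inanchor`/`allinanchor` to a constructed inventory of a site's own pages, which is how a defender checks what such queries would surface before anyone else runs them. The `Page` records, the example.org URLs and the `search()` helper are all assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Page:
    url: str
    title: str
    anchor_text: str = ""   # text of links pointing at this page

# Constructed inventory (not real pages): a defender builds this from the
# sitemap and link graph to see what each operator above would surface.
INVENTORY = [
    Page("https://www.example.org/login", "Login - Example", "sign in"),
    Page("https://www.example.org/docs/ceh-guide.pdf", "CEH exam guide", "download"),
    Page("https://www.example.org/careers/jobs", "Careers at Example", "jobs"),
    Page("https://blog.example.org/detect-malware-tips", "How to detect malware", "read more"),
    Page("https://www.other.net/login", "Login", "sign in"),
]

# Operator -> page field it inspects; site and filetype look at the URL specially.
FIELD = {"intitle": "title", "allintitle": "title", "inurl": "url", "allinurl": "url",
         "inanchor": "anchor_text", "allinanchor": "anchor_text"}
OPERATORS = set(FIELD) | {"site", "filetype"}

def parse_query(query):
    """Split a dork into (operator, [values]) pairs plus free-text terms.
    Accepts 'op:value', 'op: value' (space after the colon, as written
    in the notes) and the allin* forms, which take all remaining terms."""
    tokens = query.split()
    ops, free, i = [], [], 0
    while i < len(tokens):
        op, sep, val = tokens[i].partition(":")
        op = op.lower()
        if sep and op in OPERATORS:
            if not val and i + 1 < len(tokens):
                i += 1
                val = tokens[i]
            if op.startswith("allin"):
                ops.append((op, [t.lower() for t in [val] + tokens[i + 1:]]))
                break
            ops.append((op, [val.lower()]))
        else:
            free.append(tokens[i].lower())
        i += 1
    return ops, free

def matches(page, query):
    """True if the page satisfies every operator and every free term."""
    ops, free = parse_query(query)
    host = page.url.split("/")[2].lower()
    for op, values in ops:
        if op == "site":
            if host != values[0] and not host.endswith("." + values[0]):
                return False
        elif op == "filetype":
            if not page.url.lower().split("?")[0].endswith("." + values[0]):
                return False
        elif not all(v in getattr(page, FIELD[op]).lower() for v in values):
            return False
    blob = (page.title + " " + page.url).lower()   # stand-in for page text
    return all(term in blob for term in free)

def search(query, inventory=INVENTORY):
    """URLs in the inventory that the dork would return."""
    return [page.url for page in inventory if matches(page, query)]
```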

### Lab-1 - Task 2: Gather Information from Video Search Engines

* After the video link is copied, open a new tab in **Mozilla Firefox**, place your mouse cursor in the address bar, type <https://mattw.io/youtube-metadata/> and press **Enter**.
* You can use other video search engines such as:
  * **Google videos** (<https://www.google.com/videohp>)
  * **Yahoo videos** (<https://in.video.search.yahoo.com>)
  * **EZGif** (<https://ezgif.com>)
  * **VideoReverser.com** (<https://www.videoreverser.com>)
  * **TinEye Reverse Image Search** (<https://tineye.com>)
  * **Yahoo Image Search** (<https://images.search.yahoo.com>)

### Lab-1 - Task 3: Gather Information from FTP Search Engines

* You can use FTP search engines such as [**FreewareWeb FTP File Search**](https://www.freewareweb.com/) or [**NAPALM FTP**](https://www.searchftps.net/) to gather crucial FTP information about the target organization.

### Lab-1 - Task 4: Gather Information from IoT Search Engines

IoT search engines crawl the Internet for IoT devices that are publicly accessible. These search engines provide crucial information, including control of SCADA (Supervisory Control and Data Acquisition) systems, traffic control systems, Internet-connected household appliances, industrial appliances, CCTV cameras, etc.

* [**Shodan**](https://www.shodan.io/)
* [**Censys**](https://search.censys.io/)

### Lab-2 - Task 1: Find the Company’s Domains and Sub-domains using Netcraft

* **Netcraft -** [**https://www.netcraft.com**](https://www.netcraft.com)
* **Sublist3r -** [**https://github.com**](https://github.com)
* **Pentest-Tools Find Subdomains -** [**https://pentest-tools.com**](https://pentest-tools.com)

### Lab-2 - Task 2: Gather Personal Information using PeekYou Online People Search Service

* **PeekYou -** [**https://www.peekyou.com**](https://www.peekyou.com)
* **Spokeo -** [**https://www.spokeo.com**](https://www.spokeo.com)
* **pipl -** [**https://pipl.com**](https://pipl.com)
* **Intelius -** [**https://www.intelius.com**](https://www.intelius.com)
* **BeenVerified -** [**https://www.beenverified.com**](https://www.beenverified.com)

### Lab-2 - Task 3: Gather an Email List using theHarvester

* [**theHarvester**](https://github.com/laramies/theHarvester): This tool gathers emails, subdomains, hosts, employee names, open ports, and banners from different public sources such as search engines, PGP key servers, and the SHODAN computer database, using Google, Bing, SHODAN, etc. to extract valuable information about the target domain. This tool is intended to help ethical hackers and pen testers in the early stages of a security assessment to understand the organization’s footprint on the Internet. It is also useful for anyone who wants to know what organizational information is visible to an attacker.

### **Lab-2 - Task 4: Gather Information using Deep and Dark Web Searching**

* You can also anonymously explore the following onion sites using Tor Browser to gather other relevant information about the target organization:
  * **The Hidden Wiki** is an onion site that works as a Wikipedia-style index of hidden websites. (<http://zqktlwiuavvvqqt4ybvgvi7tyo4hjl5xgfuvpdf6otjiycgwqbym2qad.onion/wiki>)
  * **FakeID** is an onion site for creating fake passports (<http://ymvhtqya23wqpez63gyc3ke4svju3mqsby2awnhd3bk2e65izt7baqad.onion>)
  * **Cardshop** is an onion site that sells cards with good balances (<http://s57divisqlcjtsyutxjz2ww77vlbwpxgodtijcsrgsuts4js5hnxkhqd.onion>)
* You can also use tools such as:
  * **ExoneraTor** (<https://metrics.torproject.org>)
  * **OnionLand Search engine** (<https://onionlandsearchengine.com>),

### **Lab-2 -** Task 5: Determine Target OS Through Passive Footprinting

* **Censys** (<https://search.censys.io/>)
* **Netcraft** (<https://www.netcraft.com>)
* **Shodan** (<https://www.shodan.io>)

### **Lab-3 -** Task 2: Gather Personal Information from Various Social Networking Sites using Sherlock

* Type **`python3 sherlock satya nadella`** and press **Enter**. You will get all the URLs related to Satya Nadella, as shown in the screenshot. Scroll down to view all the results.
* [**Social Searcher**](https://www.social-searcher.com/)
* [**UserRecon**](https://github.com/wishihab/userrecon)

### **Lab-4 -** Task 2: Gather Information about a Target Website using Photon

Photon is a Python script used to crawl a given target URL to obtain information such as URLs (in-scope and out-of-scope), URLs with parameters, email addresses, social media accounts, files, secret keys and subdomains. The extracted information can further be exported in the JSON format.

* Type **`python3 photon.py -u http://www.certifiedhacker.com`** and press **`Enter`** to crawl the target website for internal, external and script URLs.
* Now, type `python3 photon.py -u http://www.certifiedhacker.com -l 3 -t 200 --wayback` and press `Enter` to crawl the target website using URLs from archive.org.

### **Lab-4 -** Task 3: Gather Information About a Target Website using Central Ops

* **The Central Ops website -** [**https://centralops.net**](https://centralops.net)
* **Website Informer** (<https://website.informer.com>)
* **Burp Suite** (<https://portswigger.net>)
* **Zaproxy** (<https://www.zaproxy.org>)

### **Lab-4 -** Task 4: Extract a Company’s Data using Web Data Extractor

Web data extraction is the process of extracting data from web pages available on the company’s website. A company’s data such as contact details (email, phone, and fax), URLs, meta tags (title, description, keywords) used for website promotion, directories, web research, etc. are important sources of information for an ethical hacker. Web spiders (also known as web crawlers or web robots) such as Web Data Extractor perform automated searches on the target website and extract the specified information from it.

* The **Web Data Extractor Pro** main window appears. Click **New session** to start a new session.
* The Session window appears; type a URL (here, <https://www.certifiedhacker.com>) in the Start URL field. Check all the options, as shown in the screenshot.
* Web Data Extractor will start collecting information (Session, Meta tags, Emails, Phones, Faxes, Links, and Domains).
* **ParseHub** (<https://www.parsehub.com>)
* **SpiderFoot** (<https://www.spiderfoot.net>)

### **Lab-4 -** Task 5: Mirror a Target Website using HTTrack Web Site Copier

Website mirroring is the process of creating a replica or clone of the original website. Mirroring helps you to footprint the website thoroughly on your local system: it downloads the site to a local directory so you can analyze all directories, HTML, images, flash, videos, and other files from the server on your own computer.

You can duplicate websites by using website mirroring tools such as HTTrack Web Site Copier. HTTrack is an offline browser utility that downloads a website from the Internet to a local directory, builds all directories recursively, and transfers HTML, images, and other files from the webserver to another computer.

Here, we will use the HTTrack Web Site Copier tool to mirror the entire website of the target organization, store it in the local system drive, and browse the local website to identify possible exploits and vulnerabilities.

* **Cyotek WebCopy** (<https://www.cyotek.com>),

### **Lab-4 -** Task 6: Gather Information About a Target Website using GRecon

* [**GRecon**](https://github.com/TebbaaX/GRecon) searches for available subdomains, sub-subdomains, login pages, directory listings, exposed documents, WordPress entries and pasting sites, and displays the results.

### **Lab-4 -** Task 7: Gather a Wordlist from the Target Website using CeWL

* In the terminal window, type **`cewl -d 2 -m 5 https://www.certifiedhacker.com`** and press **Enter**.
* A unique wordlist from the target website is gathered, as shown in the screenshot.
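The crawl that Photon (Task 2), Web Data Extractor (Task 4) and CeWL (this task) each perform, as one added Python example that is not code from any of those tools: a depth-limited link walk that collects in-scope and out-of-scope URLs and emails, and harvests a deduplicated wordlist with a minimum word length, so `cewl -d 2 -m 5` corresponds to `depth=2, min_word_len=5`. The site content is constructed in memory under the `SITE` dict (an assumption, not the real certifiedhacker.com) so the example runs offline; a real run would replace `fetch` with an HTTP client.

```python
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site standing in for www.certifiedhacker.com (not
# its real content); a real crawl fetches each URL instead of this lookup.
SITE = {
    "https://www.certifiedhacker.com/": '<html><head><title>Certified Hacker</title>'
        '<meta name="description" content="Security training portal"></head><body>'
        'Welcome to the certified hacker training portal. <a href="/about">About</a> '
        '<a href="/courses/index">Courses</a> <a href="https://partner.example.net/offer">Partner</a>'
        '</body></html>',
    "https://www.certifiedhacker.com/about": '<html><body>Contact '
        '<a href="mailto:info@certifiedhacker.com">email</a> or call 555-0100. '
        '<a href="/careers">Careers</a> Our headquarters building opened recently.</body></html>',
    "https://www.certifiedhacker.com/courses/index": '<html><body>Penetration testing '
        'and footprinting courses. <a href="/courses/syllabus.pdf">Syllabus</a></body></html>',
    "https://www.certifiedhacker.com/careers": "<html><body>Vacancies for analysts.</body></html>",
}

class Extractor(HTMLParser):
    """Collect hrefs and visible text from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)
    def handle_data(self, data):
        self.text.append(data)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def crawl(start, depth=2, min_word_len=5, fetch=SITE.get):
    """Breadth-first walk `depth` links from `start` (photon -l, cewl -d);
    returns in-scope URLs, out-of-scope URLs, emails and a CeWL-style
    wordlist of words at least `min_word_len` long (cewl -m), in first-seen order."""
    scope = urlparse(start).netloc
    seen, queue = {start}, deque([(start, 0)])
    internal, external, emails, words = [], set(), set(), []
    while queue:
        url, level = queue.popleft()
        html = fetch(url)
        if html is None:            # linked but not retrievable (e.g. a PDF here)
            continue
        page = Extractor()
        page.feed(html)
        internal.append(url)
        text = " ".join(page.text)
        emails.update(EMAIL_RE.findall(text))
        for word in re.findall(r"[A-Za-z]+", text):
            if len(word) >= min_word_len and word.lower() not in words:
                words.append(word.lower())
        for href in page.links:
            target = urljoin(url, href).split("#")[0]
            if href.startswith("mailto:"):
                emails.add(href[7:])
            elif urlparse(target).netloc != scope:
                external.add(target)
            elif target not in seen and level < depth:
                seen.add(target)
                queue.append((target, level + 1))
    return {"internal": internal, "external": sorted(external),
            "emails": sorted(emails), "words": words}
```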

### **Lab-5 -** Task 1: Gather Information about a Target by Tracing Emails using eMailTrackerPro

* [**eMailTrackerPro**](https://emailtracker.website/pro)

### **Lab-6 -** Task 1: Perform Whois Lookup using DomainTools

* [**http://whois.domaintools.com**](http://whois.domaintools.com)
* **SmartWhois** (<https://www.tamos.com>)
* **Batch IP Converter** (<http://www.sabsoft.com>)

### **Lab-7 -** Task 1: Gather DNS Information using nslookup Command Line Utility and Online Tool

nslookup is a network administration command-line utility, generally used for querying the DNS to obtain a domain name to IP address mapping or any other specific DNS record. It is available both as a command-line utility and as a web application.

* In the **Windows 11** machine, launch a **Command Prompt**, type **nslookup** and press **Enter**. This displays the default server and its address assigned to the **Windows 11** machine.
* In the nslookup **interactive** mode, type **set type=a** and press **Enter**. Setting the type as “**a**” configures nslookup to query for the IP address of a given domain.
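What nslookup does on the wire after `set type=a`, as an added Python example that is not part of the lab: it builds the DNS query for the chosen record type and parses the answer, including the name-compression pointers a real server uses. The two responses are constructed byte strings for example.com (not live captures), so the example runs offline; sending `build_query()` over UDP to port 53 of the default server is assumed and not shown.

```python
import struct

# Record types the notes mention: set type=a, plus those SecurityTrails
# enumerates (A, AAAA, NS, MX, SOA, TXT), with their wire-format type codes.
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}

def build_query(name, rtype="A", txid=0x1234):
    """Wire-format query nslookup sends after set type=<rtype> (RD=1, 1 question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode()
                     for lab in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[rtype], 1)   # class IN

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    """Parse header, question and answer sections into readable records."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                               # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 15:
            value = f"{struct.unpack('!H', rdata[:2])[0]} {read_name(msg, off + 2)[0]}"
        elif rtype == 16:
            value = rdata[1:1 + rdata[0]].decode()
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}

# Constructed responses (not live captures) to build_query("example.com", ...):
# flags 0x8180 = response, RD, RA; 0xC00C is a pointer to the question name.
_HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
_Q = b"\x07example\x03com\x00"
SAMPLE_A = (_HDR + _Q + struct.pack("!HH", 1, 1) + b"\xc0\x0c"
            + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
SAMPLE_MX = (_HDR + _Q + struct.pack("!HH", 15, 1) + b"\xc0\x0c"
             + struct.pack("!HHIH", 15, 1, 300, 9) + struct.pack("!H", 10) + b"\x04mail\xc0\x0c")
```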

Other Tools:

* **DNSdumpster** (<https://dnsdumpster.com>)
* **DNS Records** (<https://network-tools.com>)

### **Lab-7 -** Task 2: Perform Reverse DNS Lookup using Reverse IP Domain Check and DNSRecon

* [**https://www.yougetsignal.com**](https://www.yougetsignal.com)
* [**dnsrecon**](https://github.com/darkoperator/dnsrecon)

### **Lab-7 -** Task 3: Gather Information of Subdomain and DNS Records using SecurityTrails

SecurityTrails is an advanced DNS enumeration tool that is capable of creating a DNS map of the target domain network. It can enumerate both current and historical DNS records such as A, AAAA, NS, MX, SOA, and TXT, which helps in building the DNS structure. It also enumerates all the existing subdomains of the target domain using brute-force techniques.

* [https://securitytrails.com/](https://securitytrails.com/)
* **DNSChecker** (<https://dnschecker.org>)
* **DNSdumpster** (<https://dnsdumpster.com>)

### **Lab-8 -** Task 1: Locate the Network Range

* [https://www.arin.net/about/welcome/region](https://www.arin.net/about/welcome/region)

### **Lab-8 -** Task 2: Perform Network Tracerouting in Windows and Linux Machines

* **tracert**
* **VisualRoute** (<http://www.visualroute.com>)
* **Traceroute NG** (<https://www.solarwinds.com>)

### **Lab-9 -** Task 1: Footprinting a Target using Recon-ng

[**`Recon-ng`**](https://github.com/lanmaster53/recon-ng) is a web reconnaissance framework with independent modules and database interaction that provides an environment in which open-source web-based reconnaissance can be conducted. Here, we will use Recon-ng to perform network reconnaissance, gather personnel information, and gather target information from social networking sites.

### **Lab-9 -** Task 2: Footprinting a Target using Maltego

[**Maltego**](https://www.maltego.com/) is a footprinting tool used to gather maximum information for the purpose of ethical hacking, computer forensics, and pentesting. It provides a library of transforms to discover data from open sources and visualizes that information in a graph format, suitable for link analysis and data mining. Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate, and even making it possible to see hidden connections.

### **Lab-9 -** Task 3: Footprinting a Target using OSRFramework

[**OSRFramework**](https://github.com/i3visio/osrframework) is a set of libraries that are used to perform Open Source Intelligence tasks. They include references to many different applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, and many others. It also provides a way of making these queries graphically as well as several interfaces to interact with such as OSRFConsole or a Web interface.

* Use **domainfy** to check for existing domains built from words and nicknames. Type **domainfy -n \[Domain Name] -t all** (here, the target domain name is **ECCOUNCIL**) and press **Enter**.
* Use **searchfy** to check whether a given user's details exist on different social networking platforms such as GitHub, Instagram and Keyserver Ubuntu. Type **searchfy -q "target user name or profile name"** (here, the target user name or profile is **Tim Cook**, searched across all the supported social media platforms) and press **Enter**.
* Similarly, you can use the following OSRFramework packages to gather more information about the target:
  * **usufy** – Gathers registered accounts with given usernames
  * **mailfy** – Gathers information about email accounts
  * **phonefy** – Checks for the existence of a given series of phone numbers
  * **entify** – Extracts entities using regular expressions from provided URLs

### **Lab-9 -** Task 4: Footprinting a Target using FOCA

[**FOCA (Fingerprinting Organizations with Collected Archives)**](https://github.com/ElevenPaths/FOCA) is a tool that reveals metadata and hidden information in scanned documents. These documents are searched for using three search engines: Google, Bing, and DuckDuckGo. The results from the three engines amount to a large number of documents. FOCA examines a wide variety of file types, with the most widely recognized being Microsoft Office, Open Office and PDF documents. It may also work with Adobe InDesign or SVG files. These archives may be on-site pages and can be downloaded and dissected with FOCA.

* The FOCA new project wizard appears, follow the steps below:
  * Enter a project name in the **Project name** field (here, **Project of [www.eccouncil.org](http://www.eccouncil.org)**).
  * Enter the domain website in the **Domain website** field (here, **[www.eccouncil.org](http://www.eccouncil.org)**).
  * You can leave the optional **Alternative domains** field empty.
  * Under the **Folder where to save documents** field, click on the **Folder** icon. When the **Browse For Folder** pop up window appears, select the location to save the document that is extracted by FOCA (here, **Desktop**) and click **OK**.
  * Leave the other settings to default and click the **Create** button.

### **Lab-9 -** Task 5: Footprinting a Target using BillCipher

[**BillCipher**](https://github.com/bahatiphill/BillCipher) is an information gathering tool for a Website or IP address. Using this tool, you can gather information such as DNS Lookup, Whois lookup, GeoIP Lookup, Subnet Lookup, Port Scanner, Page Links, Zone Transfer, HTTP Header, etc. Here, we will use the BillCipher tool to footprint a target website URL.

* BillCipher displays various available options that you can use to gather information regarding a target website.

### **Lab-9 -** Task 6: Footprinting a Target using OSINT Framework

[**OSINT Framework**](https://osintframework.com/) is an open source intelligence gathering framework that helps security professionals perform automated footprinting and reconnaissance, OSINT research, and intelligence gathering. It is focused on gathering information from free tools or resources. This framework includes a simple web interface that lists various OSINT tools arranged by category and displayed as an OSINT tree structure.

The OSINT Framework includes the following indicators with the available tools:

* (T) - Indicates a link to a tool that must be installed and run locally
* (D) - Google Dork
* (R) - Requires registration
* (M) - Indicates a URL that contains the search term and the URL itself must be edited manually

***

* **Recon-Dog** (<https://www.github.com>)
* **Grecon** (<https://github.com>)
* **Th3Inspector** (<https://github.com>)
* **Raccoon** (<https://github.com>)
* **Orb** (<https://github.com>)

***

**`Hacker's Mantra:`**`A hacker is someone who enjoys playful cleverness, not necessarily with computers. The programmers in the old MIT free software community of the 60s and 70s referred to themselves as hackers. Around 1980, journalists who discovered the hacker community mistakenly took the term to mean "security breaker." - Richard Stallman`

