Footprinting - First Step to Hacking (Summary and Tools)

One way to begin planning an ethical hack on your business is through a process often called footprinting or Information Gathering Recon. Footprinting means gathering information about a target system that can be used to execute a successful cyber-attack. An Ethical Hacker must spend most of his/her time profiling an organization, gathering information about the host, network, and people related to the organization.

Information such as:

  • IP address
  • Domain name info
  • Technologies used
  • Other websites on the same server
  • DNS records
  • Unlisted files, sub-domains, and directories
can be collected.

    Two types of footprinting:

    • Passive Footprinting: Passive footprinting means collecting information about a system at a remote distance from the attacker.
    • Active Footprinting: Active footprinting means performing footprinting by directly touching the target machine.

      Possible Ways:

      • Who Is: The best starting point is to perform a Whois lookup using any of the Whois tools available on the Internet. Whois databases and the servers are operated by RIR - Regional Internet Registries. It is used to query databases such as IP address block, domain name, location, email-id, phone numbers, domain owner, etc. Website for Whois Lookup Query: Whois Lookup
      • Google Hacking refers to collecting information using Google Dorks. They are keywords that can be used to google search a target in an optimized way. These searches can be helpful in finding sensitive information like compromised passwords, default credentials, competitor information, information related to a topic, etc. Website for Commands or Keywords: Google Hacking Database.
      • Organization's Website: This can also be the best place to begin. You can find open-source information, which is freely provided to clients, customers, or the public.
      • DNS Lookup: DNS is the Internet's system for converting alphabetic names into numeric IP addresses. For example, when a URL is typed into a browser, DNS servers return the IP address of the Web server associated with that name. DNS lookup query stores all information, or resource records, associated with a domain into a file. Website for DNS Lookup:
        • Robtex (Shows comprehensive info about the target website)
        • DNS Dumpster (Enumerate a domain and pull back up to 40K subdomains, results are available in an XLS for easy reference)
      • JOB Websites: Organizations can share some confidential data unknowingly on many JOB websites. For example, a company posted on a website: “Job Opening for Apache 2.0 Server Administrator”. From this information, we can gather that an organization uses Apache web server 2.0.
      • Social Engineering: Social media like Twitter and Facebook are searched to collect information like personal details, user credentials, and other sensitive information. Most people have the tendency to release most of their information online. Hackers use this sensitive information as a big deal.
      • Competitive Intelligence: Competitive intelligence gathering is the process of gathering information about competitors from resources such as the Internet. Examples: company website, search engine, internet, online databases, press releases, annual reports, trade journals. Useful tools/websites:
      • Useful Websites:
        • Netcraft Site Report: tells which server-side or client-side technologies are in use.
        • It is like a time machine for any website. The Archived version refers to the older version of the website which existed at a time. It is a website that collects snapshots of all the websites at regular intervals of time.
        • WhatWeb: It is a tool available in Kali Linux. WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb can be stealthy and fast, or thorough but slow.
        • HTTrack: It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.
        • BuiltWith: It displays information like widgets, analytics, frameworks, content management systems, advertisers, content delivery networks, web standards, and web servers.
      • Subdomains: One server can serve several websites. Gaining access to one can help to gain access to others. For example, is the main domain but,, etc are the sub-domain of A tool useful to get subdomains: 
        • KNOCK
          • Clone the repository
          • Redirect to the knockpy directory
          • Run the program using python <target_website>.
        • DIRB: DIRB is a Web Content Scanner. DIRB's main purpose is to help in professional web application auditing. Especially in security-related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners cannot look for. It does not search for vulnerabilities, nor does it look for web content that can be vulnerable. It basically works by launching a dictionary-based attack against a web server and analyzing the response.
        • VirusTotal is also a good easy and fast way to get the subdomains of a website.
      • Geolocation: IP geolocation and domain information can also be helpful. Website for getting the geolocation:
      • Maltego can be used to determine the linkages and real-world connections between individuals, groups of individuals, organisations, websites, Internet infrastructure, documents, and so on.
      • Recon-ng is an online reconnaissance framework with independent modules and a database interface that provides a platform for open-source, web-based reconnaissance. 
      • FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans. Common features include, 
        • Web Search: Searches for hosts and domain names using URLs related to the primary domain. Each link is examined to collect data regarding its new host and domain names. 
        • DNS Search
        • IP Resolution
        • Common Names - Perform dictionary attacks against the DNS. 
      • OSRFramework includes applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction, etc. Framework includes,
        • - Checks for a user profile up to 290 different platforms
        • - Check for the existence of a given email.
        • - Performs a query on the platforms in OSRFramework
        • - Checks for the existence of domains
        • - Checks for the existence of a given series of phones
        • - Uses regular expressions to extract entities. 
      • OSINT Framework is an open-source intelligence-gathering framework that is focused on gathering information from free tools or resources. Indicators you should know:
        • (T) - Indicates a link to a tool that must be installed and run locally
        • (D) - Google Dork
        • (R) - Requires Registration
        • (M) - Indicates a URL that contains the search term and the URL itself must be edited manually. 
      • Recon-Dog is an all-in-one tool for information-gathering needs, which uses APIs to collect information about the target system. A few notable features are:
        • Uses to gather information about IP addresses. 
        • NS Lookup
        • Port Scan
        • Can detect 400+ content management systems
        • Whois Lookup
        • Detect Honeypot
        • Find Subdomains
        • Reverse IP lookup
        • Uses to detect 1000+ technologies. 
      • BillCipher is an information-gathering tool for a Website or IP address. 
      • theHarvester
      • Th3Inspector
      • Raccoon will do everything from fetching DNS records, retrieving WHOIS information, obtaining TLS data, detecting WAF presence and up to threaded dir busting and subdomain enumeration.
      • Orb can analyze network traffic, run synthetic network probes, and connect the resulting telemetry directly to your existing observability stacks with OpenTelemetry.
      • PENTMENU is a bash select menu for quick and easy network recon and DOS attacks

      You might be interested in, 

      No comments:

      Post a Comment