Reconnaissance and Footprinting

Reconnaissance and Footprinting


Reconnaissance and footprinting is the primary phase of the ethical hacking process. Although this phase does not constitute breaking into a network or system, it is still fun and quite possibly the most important. I will discuss some of the tools and techniques I use for actively and passively footprinting a target during the reconnaissance phase of a penetration test. Of course, this will be very top level and not inclusive of all the techniques used to recon and footprint a target.

Tip – According to EC Council, footprinting is a part of recon.

During recon, it is important to learn as much about your target as possible. The more you know about your target, the better prepared you can be when you engage in your attack. It is imperative that you begin to research and understand the security posture of the target. Doing so will allow you to reduce your attack surface and have a more focused attack with a better success rate. It may help to start building an information database containing possible strengths and weaknesses of your target along with a network map. Again, the more detail oriented you are, typically the more success you will have during the later stages of the ethical hack. I found that starting with search engines/websites is a good first step so I will start with that.


Search Engines, Websites, Google Hacking

Now I am not just talking about some simple google searches,¬†there are so many engines for various types of content that can really help your recon. Google earth can search the location of any address and often give you street view access to your target. This aids in¬†any social engineering attack or wireless access point attacks. With a map of the physical property, I now can see where your trash is stored, where people enter and exit, and possibly see any security cameras. People searches are pretty easy now¬†as most people feel the need to share and post every aspect about their lives to the world. Again this will assist with social engineering as you build a profile against your targets personality and relationships. I do not think I need to provide any examples of widely known social media sites…¬†Job sites websites liked LinkedIn or monster can be some of the most important sources of information. You would not believe the type of information can be obtained about an organizations infrastructure, simply by reviewing the required skills on some of their job postings. While writing this up I did some quick browsing to find a “Lead Security Engineer” position in healthcare industry¬†posted 3 days ago.

Just by reading their job posting I can see they are mostly windows systems behind some Cisco and Checkpoint firewalls. They also monitor the network using Snort and scan for vulnerabilities using Nessus. That is some pretty good stuff to know when I am going to be trying to bypass and evade those products!


Another technique is to use your search operators and advanced search capabilities of google, and other sites…aka google hacking There are many sites that have pre-baked search queries to find specific vulnerable websites or unique products. Take use of them and set up alerts if any show up within the public domain of your target organization. One of the most up to date databases of these queries is the google hacking database found at¬† While browsing over some of the example searches I could see one that allowed me to search for UPS tracking and shipping notifications. With the delivery and time information¬†I could man-in-the-middle, compromising the integrity of any package they receive.

Google search: intitle:”Ups Package tracking” intext:”1Z ### ### ## #### ### #”


Email, WHOIS

Email to this day is still one of the most widely used form of communication. Knowing how to track where an email has been or if it has been viewed can be very helpful. I am not going to re-discuss how to view an email header since it was a blog topic of mine previously. If you want more in-depth description on the breakdown of an email header, I encourage you to take a look at my previous post which is an introductory examination into email forensics:

WHOIS however is a skill I continue to use and improve on. In case you do not know what WHOIS information is, in short, WHOIS databases contain personal contact information of the domain owners. Knowing who manages the domain, what domains are registered to that owner, and their IP address ranges are some of the most critical pieces of information you can retrieve. Especially if you are performing a black-box pentest. More and more tools and resources are becoming available that take standard WHOIS queries, and expand on them by providing histories of that domains ownership, geolocatin of IPs and more. I like to use because it provides information about the server, registrar, domain history and more. Take a look at this query and see what type of information you can find out about!



Footprinting through Social Engineering

Really, social engineering is a topic in itself and I plan to go into detail about it in later posts. For now though, I am just going to touch on a few key take-aways from this attack vector and focus on its use during footprinting. Social Engineering is the art of convincing people to reveal sensitive information. It is based solely on the presumption that most people remain unaware of their valuable information, and do not take precaution in protecting it. EC Council has three terms that are supposed to be showing up on the test so I will define them below

  • Eavesdropping – Unauthorized listening of conversations or reading of messages
  • Shoulder Surfing – Attacker looks over someones shoulder to gain information
  • Dumpster Diving – Looking for treasure in someones trash.

I find social engineering to be one of the most fun aspects while collecting information because you get to troll people for sensitive info without them knowing. You can use¬†jedi mind tricks to convince another person to tell you their¬†passwords, social security numbers, financial info, or more… Though of course you should only be doing this for ethical purposes, don’t be a jerk! The synopsis is that you are exploiting human-error, which is the biggest vulnerability in security today. There are even entire tool-kits that can help automate social engineering attack scenarios, and increase your success rates at retrieving information. I encourage you to play with the Social Engineering Toolkit (SET) made by @hackingdave¬†of TrustedSec.¬†

Just look at what important information can be obtained by looking in windows of local businesses.


Well, its late and this should be it for the Reconnaissance and Footprinting module of my CEH studying. I took the end of chapter quiz and scored a 100%. Pretty basic stuff so far. Next week I will get into some Network Scanning which I plan on having a video demo using my own PowerShell tool ūüôā


Thanks for reading!

Tags// ,