Footprinting & Reconnaissance - Chapter 3
What is Footprinting
Footprinting refers to the process of collecting as much information as possible about the target system in order to find ways to penetrate it. An ethical hacker spends the majority of their time profiling an organization, gathering information about the hosts, the network and the people related to it. Information such as IP addresses, Whois records, DNS information, the operating system in use, employee email IDs, phone numbers etc. is collected.
Footprinting helps to:
Know Security Posture – The data gathered gives an overview of the security posture of the company, such as the presence of a firewall and the security configuration of its applications.
Reduce Attack Area – A specific range of systems can be identified so that only particular targets are concentrated on. This greatly reduces the number of systems being focused on.
Identify Vulnerabilities – An information database can be built containing the vulnerabilities, threats and loopholes present in the systems of the target organization.
Draw Network Map – Helps to draw a map of the networks in the target organization covering topology, trusted routers, the presence of servers and other information.
Reconnaissance takes place in two parts: active reconnaissance and passive reconnaissance.
Active Reconnaissance
In this process you interact directly with the computer system to gain information. The information obtained can be relevant and accurate, but there is a risk of being detected if you carry out active reconnaissance without permission. If you are detected, the system administrator can take severe action against you and trace your subsequent activities.
Passive Reconnaissance
In this process you are never directly connected to the target computer system. Passive reconnaissance is used to gather essential information without ever interacting with the target systems.
Objectives of Footprinting
Network Footprinting
This is the process of collecting information related to the target network: domain name, subdomains, network blocks, IP addresses of reachable systems, IDSes running, rogue websites/private websites, TCP and UDP services running, VPN endpoints, networking protocols, ACLs etc.
Collect System Information
Information related to the target system, such as user and group names, system banners, routing tables, SNMP information and system names, is collected using various methods.
Collect Organization's Information
Information related to employee details, the organization's website, location details, the security policies implemented and the background of the organization may serve as important pieces of information for compromising the security of the target using direct or social engineering attacks.
Footprinting Methodology
Various methods are used to collect information about the target organization. They are:
Footprinting through Search Engines:
This is a passive information gathering process where we gather information about the target from social media, search engines, various websites etc. The information gathered includes names, personal details, geographical location details, login pages, intranet portals etc. Even target-specific information like operating system details, IP details, netblock information and the technologies behind a web application can be gathered through search engines.
Eg: collecting information from Google, Bing etc.
Google Hacking:
Google hacking refers to collecting information using Google dorks (search operators and keywords) by constructing search queries whose results expose sensitive information. Details collected include compromised passwords, default credentials, competitor information, information related to a particular topic etc.
Eg: inurl:, site:, allintitle: etc.
Examining HTML Source and Examining Cookies:
The HTML source of a web application may give us an understanding of the application's functionality, hidden fields, comments, variable names etc. Cookies are used to identify a user within their session; they may be stored in the browser, passed in the URL, or sent in an HTTP header.
The entire website can be mirrored using tools like HTTrack to examine it at our own pace.
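As an added example (not code from the original post), the following script shows what a site owner can pull out of their own page source and cookie headers before an outsider does: HTML comments, hidden form fields and script paths, plus a check of the protective attributes on a Set-Cookie value. The sample page and cookie are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Constructed sample page for the demonstration, not taken from any real site.
SAMPLE_HTML = """<html><body>
<!-- TODO: remove debug account dbg_user before go-live -->
<form action="/login" method="post">
  <input type="hidden" name="build" value="2.3.1-rc4">
  <input type="hidden" name="backend" value="app01.corp.internal">
  <input type="text" name="username"><input type="password" name="password">
</form>
<script src="/static/vendor/jquery-1.8.3.min.js"></script>
</body></html>"""

class SourceAuditor(HTMLParser):
    """Collects what a reader of the page source learns for free: comments,
    hidden form fields and script paths (which often carry version hints)."""
    def __init__(self):
        super().__init__()
        self.comments, self.hidden, self.scripts = [], {}, []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

def audit_html(source):
    """Returns the comments, hidden fields and script sources found in source."""
    p = SourceAuditor()
    p.feed(source)
    p.close()
    return {"comments": p.comments, "hidden": p.hidden, "scripts": p.scripts}

def audit_set_cookie(header_value):
    """Returns (cookie name, missing protective attributes) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, [f for f in ("secure", "httponly") if f not in attrs]

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML))
    print(audit_set_cookie("SESSIONID=9f3a1c; Path=/"))
```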
Extract Website Archives:
Older versions of a website can be obtained, which may reveal some information related to the target.
eg: www.archive.org
Email Footprinting:
An email header reveals information about the mail servers, the original sender's email ID, the internal IP addressing scheme, as well as the possible architecture of the target network.
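An added example (not from the original post) of reading that information out of a message: it walks the Received headers oldest-first to recover the relay chain and lists the RFC 1918 addresses a recipient can see, which is the check a mail administrator would run on their own outbound mail. The message, hostnames and addresses are constructed.

```python
import email
import ipaddress
import re

# Constructed sample message, not real mail; hostnames and addresses are made up.
RAW_MESSAGE = """Received: from mx-out.example.net (mx-out.example.net [203.0.113.25])
\tby mail.example.org with ESMTPS id AB12; Mon, 4 Mar 2024 09:15:02 +0000
Received: from exch01.corp.internal (exch01.corp.internal [10.20.30.40])
\tby mx-out.example.net with ESMTP id CD34; Mon, 4 Mar 2024 09:14:58 +0000
Received: from [192.168.7.55] (unknown [192.168.7.55])
\tby exch01.corp.internal with ESMTPA; Mon, 4 Mar 2024 09:14:55 +0000
From: Alice <alice@example.net>
To: bob@example.org
Message-ID: <20240304091455.1234@exch01.corp.internal>

Body text.
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"^from\s+\[?([^\s\]\(]+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True for RFC 1918 addresses; malformed strings count as not internal."""
    try:
        return any(ipaddress.ip_address(ip) in n for n in RFC1918)
    except ValueError:
        return False

def trace_path(raw):
    """Relay chain oldest-first as (host named after 'from', ips, internal?).
    Each hop prepends its Received header, so the top one is the newest."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())            # unfold the header
        sender_part = text.split(" by ")[0]     # keep only the 'from' clause
        m = HOST_RE.match(sender_part)
        ips = list(dict.fromkeys(IP_RE.findall(sender_part)))
        hops.append((m.group(1) if m else "?", ips, any(map(is_internal, ips))))
    return hops

def leaked_internal_addresses(raw):
    """Internal addresses a recipient can read off the headers: the
    'internal IP addressing scheme' the section above refers to."""
    return sorted({ip for _, ips, _ in trace_path(raw) for ip in ips if is_internal(ip)})

if __name__ == "__main__":
    for hop in trace_path(RAW_MESSAGE):
        print(hop)
    print(leaked_internal_addresses(RAW_MESSAGE))
```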
Competitive Intelligence:
Competitive intelligence gathering is the process of gathering information about competitors from resources such as the Internet.
Eg: company websites, search engines, the Internet, online databases, press releases, annual reports, trade journals
Google Hacking/Google Dorks:
This is the process of creating search queries that extract hidden information by using Google operators to search for specific strings of text inside the search results.
Some Google operators: site:, allinurl:, inurl:, allintitle:
Whois Footprinting:
Whois databases and servers are operated by the RIRs (Regional Internet Registries). These databases contain the personal information of domain owners. Whois is a query/response protocol used for querying Whois databases; the protocol is documented in RFC 3912. The whois utility interrogates the Internet domain name administration system and returns the domain ownership, address, location, phone numbers and other details about a specified domain name.
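The RFC 3912 exchange itself, as an added example that is not part of the original post: the client sends the object name terminated by CRLF, the server answers in free text and ends the reply by closing the connection. Both sides run here over a local socket pair instead of the real service on TCP port 43, and the registry records (including the redacted registrant, which is what a Whois privacy service produces) are constructed.

```python
import socket
import threading

# Constructed records for a hypothetical registry; nothing here is real Whois data.
REGISTRY = {
    "example.com": "Domain Name: EXAMPLE.COM\r\n"
                   "Registrant Name: REDACTED FOR PRIVACY\r\n"
                   "Registrar: Example Registrar, Inc.\r\n"
                   "Name Server: ns1.example.com\r\n"
                   "Name Server: ns2.example.com\r\n",
}

def whois_server(conn):
    """RFC 3912 server: read one CRLF-terminated query, reply, close the socket."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
    query = buf.decode("ascii", "replace").strip().lower()
    conn.sendall(REGISTRY.get(query, "No match for " + query + "\r\n").encode())
    conn.close()                      # closing is how the server ends the reply

def whois_query(conn, name):
    """RFC 3912 client: send the object name plus CRLF, then read until EOF."""
    conn.sendall(name.encode("ascii") + b"\r\n")
    data = b""
    while True:
        chunk = conn.recv(1024)
        if not chunk:
            break
        data += chunk
    conn.close()
    return data.decode("ascii", "replace")

def parse_whois(text):
    """Turns 'Key: value' lines into a dict; repeated keys collect into a list."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = (s.strip() for s in line.split(":", 1))
            out.setdefault(k, []).append(v)
    return out

def lookup(name):
    """Runs both sides over a local socket pair so the exchange needs no network."""
    client, server = socket.socketpair()
    t = threading.Thread(target=whois_server, args=(server,))
    t.start()
    text = whois_query(client, name)
    t.join()
    return parse_whois(text)
```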
DNS Footprinting:
DNS is a naming system for computers that converts human-readable domain names into computer-readable IP addresses and vice versa. DNS uses UDP port 53 to serve its requests. A zone stores all the information, or resource records, associated with a particular domain in a zone file. The resource records returned by the name servers have the following fields:
Domain Name: identifies the domain name or owner of the record
Record Type: specifies the type of data in the resource record
Record Class: identifies the class of network or protocol family in use
Time to Live (TTL): specifies the amount of time a record can be kept in a cache before it is discarded
Record Data: provides the type- and class-dependent data that describes the resource
Common record types:
A (address): maps a hostname to an IP address
SOA (start of authority): identifies the DNS server responsible for the domain's information
CNAME (canonical name): provides additional names or aliases for an address record
MX (mail exchange): identifies the mail server for the domain
SRV (service): identifies services such as directory services
PTR (pointer): maps IP addresses to hostnames
NS (name server): identifies other name servers for the domain
HINFO (host information): describes the host's hardware and operating system
DNS servers perform zone transfers to keep themselves up to date with the latest information. A zone transfer of a target domain gives a list of all public hosts, their respective IP addresses and the record types.
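As an added example (not code from the original post), this script parses a zone file into the five resource-record fields listed above and then reports what a zone transfer of that zone would hand out: the count of each record type, any HINFO records, and any A records that point into RFC 1918 space. Reviewing your own zone this way is the defensive counterpart of the technique. The zone file is constructed for a hypothetical domain.

```python
import ipaddress
from collections import Counter
# Constructed zone file for a hypothetical domain; not a real zone.
ZONE = """\
$ORIGIN example.org.
$TTL 3600
@        IN SOA   ns1.example.org. hostmaster.example.org. (2024030401 7200 900 1209600 300)
@        IN NS    ns1.example.org.
@        IN MX    10 mail.example.org.
ns1      IN A     198.51.100.10
www  300 IN A     198.51.100.20
mail     IN A     198.51.100.30
intranet IN A     10.1.2.3          ; should never be in the public zone
vpn      IN CNAME gw.example.org.
gw       IN A     198.51.100.40
gw       IN HINFO "PC-Intel" "Linux"
_ldap._tcp IN SRV 0 5 389 dc01.example.org.
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASSES = {"IN", "CH", "HS"}

def parse_zone(text):
    """Parses the common one-record-per-line form into the five RR fields."""
    directives, records = {}, []
    for raw in text.splitlines():
        tok = raw.split(";")[0].split()           # strip comments, tokenize
        if not tok:
            continue
        if tok[0].startswith("$"):                # $ORIGIN / $TTL directives
            directives[tok[0]] = tok[1]
            continue
        origin = directives.get("$ORIGIN", "")
        name = origin if tok[0] == "@" else tok[0] if tok[0].endswith(".") else tok[0] + "." + origin
        i, ttl, cls = 1, int(directives.get("$TTL", 0)), "IN"
        if tok[i].isdigit():                      # optional per-record TTL
            ttl, i = int(tok[i]), i + 1
        if tok[i] in CLASSES:                     # optional class, IN by default
            cls, i = tok[i], i + 1
        records.append({"name": name, "ttl": ttl, "class": cls, "type": tok[i], "data": " ".join(tok[i + 1:])})
    return records

def audit_zone(records):
    """Summarizes what a zone transfer would hand out and flags disclosures."""
    findings = []
    for r in records:
        if r["type"] == "HINFO":
            findings.append(f"{r['name']} publishes hardware/OS via HINFO: {r['data']}")
        elif r["type"] == "A" and any(ipaddress.ip_address(r["data"]) in n for n in RFC1918):
            findings.append(f"{r['name']} maps to an internal address {r['data']}")
    return Counter(r["type"] for r in records), findings
```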
Footprinting through Social Engineering:
Social media such as Twitter and Facebook are searched to collect information like personal details, user credentials and other sensitive information using various social engineering techniques. Some of the techniques include:
Eavesdropping: the process of intercepting communication without authorization in order to gather information
Shoulder Surfing: secretly observing the target to gather sensitive information like passwords, personal identification information, account information etc.
Dumpster Diving: the process of collecting sensitive information by looking into the trash bin. Many documents are not shredded before being disposed of in the trash. Retrieving these documents from the trash may reveal sensitive information such as contact information, financial information, tender information etc.
Footprinting Countermeasures:
Creating awareness among employees and users about the dangers of social engineering
Limiting the sensitive information made available
Encrypting sensitive information
Using privacy services on the Whois lookup database
Disabling directory listings on the web servers
Enforcing security policies