Certified Ethical Hacker - Part 2 - Footprinting and Reconnaissance
by Riazul H. Rozen, Oct. 22, 2017, 4 minute read
Table of Contents
What is Footprinting
The methods behind Footprinting
Footprinting through Search engines
Footprinting through advanced Google hacking
Footprinting through social media platforms
Footprinting through website to determine OS
Footprinting through email
Footprinting through competitive intelligence
Footprinting through WHOIS
Footprinting through DNS information
Footprinting through social engineering
Some other tools used for Footprinting
How to prevent Footprinting attacks
What is Footprinting
Footprinting is the science of gathering information about a target's network and systems. It gives the attacker access to certain kinds of sensitive information, which in essence narrows down the attack surface for the hackers. Footprinting, if pulled off correctly, can cause huge financial losses for the target organization. Footprinting allows the attackers -
- To get an idea of the external structure of the target network
- To narrow down the area of infrastructure that will be attacked
- To find loopholes to take advantage of
- To map the organization's internal structure, for ease in stealing information
For the hacker, the aim of Footprinting is to collect system information (routing tables, passwords, system names etc.), organization information (employee information, website information, location information and so on) and network information (domain names, VPN endpoints, authentication mechanisms and so on).
The methods behind Footprinting
There are several methods hackers use to get sensitive data from organizations. Used in conjunction with other tools, these methods feed the social engineering manipulations that ultimately lead to attacks and hacking. The methods are -
Footprinting through Search engines
Attackers get information such as login pages, employee details, internet portals and more from search engines. Attackers still have access to sensitive information that has since been taken off the internet, through internet archives or search engine caches. Websites like netcraft.com allow attackers to gain access to their target organization's restricted websites.
Footprinting through advanced Google hacking
Google hacking methods involve using advanced, elaborate query forms to gain sensitive information about the targets, discover vulnerable targets, and use Google search to uncover specific text strings. This method allows attackers to discover sites connected to the company's website, extract information on customers, business partners and vendors, and consolidate the information gathered. Several operators (e.g. [allintitle:], [link:], [cache:] etc.) and filters can be used in Google to search for personal information.
Footprinting through social media platforms
Employees post information about their personal lives, as well as information regarding their companies. For instance, employees use social media to reveal things like new clients, fresh deals, company news and business partners. Attackers open new pages, follow these employees and try to gain more information.
Footprinting through website to determine OS
Attackers examine an organization's websites to discover sensitive information to be used in the main attack. Hackers source out details like admin contact information, the scripting platform used, the OS version, the software used by the organization and the file system structure, for use during intrusion. Web spiders are used to gather information on employees, which is then used in advanced social engineering and Footprinting to gain more information. Hackers often use the Shodan tool to determine the OS. Shodan is the world's first search engine for Internet-connected devices.
[Figure: Shodan]
Footprinting through email
This process involves intercepting emails, extracting information from the email headers and using email tracking tools to help the attacker gather sensitive information. A great deal of information can be obtained from the mail header alone.
[Figure: HTML view of mail]
[Figure: Mail header]
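To see concretely what a mail header gives away, here is an added example (not code from the original article) that audits an outbound message from the defender's side: it walks the Received chain in chronological order, flags any hop that exposes an RFC 1918 address, and lists headers such as X-Mailer and Message-ID that disclose client software and internal hostnames. The sample message, its hostnames and its addresses are constructed for this example.

```python
"""Audit what an outbound e-mail's headers reveal about the sending organisation.

Added example; the message below is constructed and the hosts and addresses
in it are made up (documentation ranges and RFC 1918 space).
"""
import email
import ipaddress
import re

# Constructed sample message: an internal workstation hands the mail to the
# corporate relay, which forwards it to the recipient's MX. Received headers
# appear newest-first, so the origin hop is the last one.
SAMPLE_RAW = """\
Received: from mail.example.test (mail.example.test [203.0.113.10])
\tby mx.receiver.test with ESMTPS id abc123
\tfor <bob@receiver.test>; Mon, 23 Oct 2017 10:15:02 +0000
Received: from ws-alice.corp.example.test (unknown [10.20.30.40])
\tby mail.example.test (Postfix) with ESMTPA id deadbeef
\tfor <bob@receiver.test>; Mon, 23 Oct 2017 10:14:58 +0000
X-Mailer: Example Desktop Mailer 16.0
X-Originating-IP: [10.20.30.40]
From: alice@example.test
To: bob@receiver.test
Subject: Q4 contract draft
Message-ID: <20171023101458.1234@ws-alice.corp.example.test>

Please see attached.
"""

# "from <helo> (<ident>) by <relay>" is the common shape of a Received clause.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<ident>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Headers that commonly disclose client software or internal addressing.
DISCLOSING = ("X-Mailer", "User-Agent", "X-Originating-IP", "X-MimeOLE", "Message-ID")


def is_rfc1918(ip):
    """True if the address belongs to private (internal) address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def received_hops(msg):
    """Return the relay chain in chronological order (origin first)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(raw.split())  # unfold the header onto one line
        m = HOP_RE.search(line)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("ident") or "")
        hops.append({"from": m.group("helo"),
                     "ip": ip_match.group(1) if ip_match else None,
                     "by": m.group("by")})
    return hops


def audit_message(raw):
    """Summarise what the headers of one raw message expose."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    internal = [(h["from"], h["ip"]) for h in hops if h["ip"] and is_rfc1918(h["ip"])]
    disclosed = {}
    for name in DISCLOSING:
        value = msg.get(name)
        if value:
            disclosed[name] = value.strip()
    return {"hops": hops, "internal_hosts": internal, "disclosing_headers": disclosed}


if __name__ == "__main__":
    report = audit_message(SAMPLE_RAW)
    for hop in report["hops"]:
        print(f"{hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("internal hosts exposed:", report["internal_hosts"])
    for name, value in report["disclosing_headers"].items():
        print(f"{name}: {value}")
```

Run against a copy of a real outbound message from your own domain, the internal_hosts list shows exactly which workstation names and private addresses a recipient learns; the usual fix is to have the edge relay strip or rewrite the first-hop Received line and the X-Mailer, X-Originating-IP and Message-ID headers before delivery.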
Footprinting through competitive intelligence
This is a subtle method of gathering information about target organizations. It is done using internet resources such as websites, employment advertisements, search engines, client interviews, social interaction with employees, patents, company newsletters and analyst reports. The EDGAR database, Hoovers, LexisNexis etc. are some sites from which a hacker can get lots of information. Company plans can also be retrieved from sites like experion, secinfo and others.
Footprinting through WHOIS
WHOIS is maintained by the regional internet registries and domain registrars, and holds sensitive information on domain holders, such as the domain owner's contact details, domain name, name servers, domain creation date and net range. Attackers gather this information for the sole purpose of advancing to the social engineering stage. LanWhoIs, CallerIP, WhoIs Analyzer Pro, Domain Dossier etc. are some tools used for WHOIS lookup.
Footprinting through DNS information
Attackers gather DNS information for social engineering attacks, because DNS records carry pertinent information on location and server type, so target hosts can be discovered with this method. Domain Dossier, DNS lookup, DNS Watch etc. are some tools that can be used to gather DNS information.
Footprinting through social engineering
This involves manipulating social interactions with a human element, for the purpose of gaining sensitive information. It works because most people are unaware they hold sensitive information, and as such are very lax about keeping it safe. Social engineering can be done through fake profiles on social media platforms, dumpster diving, eavesdropping on conversations, and shoulder surfing. Attackers gain information like operating systems, credit card details, and software versions. Hackers sometimes use AnyWho.com, ussearch.com, intelius.com, 411.com, privateeye.com, peoplefinders.com etc. to search for personal information.
[Figure: PrivateEye.com]
Some other tools used for Footprinting
Recon-ng is a full-featured framework, fitted with the necessary modules to let the user carry out open source reconnaissance.
[Figure: Recon-ng]
FOCA is used to source out metadata and hidden sensitive information. A lot of work can be done with this application, from DNS snooping to metadata extraction, fingerprinting, network analysis and searching open directories.
[Figure: FOCA tool]
Many other tools can be used to gather information on a target organization, for instance robtex, TinEye, binging, searchbug, DNS-digger, GeoTrace, and many others.
[Figure: Robtex]
How to prevent Footprinting attacks
Footprinting, if done right, can cause a lot of financial damage to the target organization. It is therefore necessary to put structures, policies and regulations in place to counter attacks from malicious individuals. Some policies that will ensure safety in the long run are -
- Limit the networks or websites employees can access, by putting restrictions on social media platforms.
- Restrict and filter the information that goes on the company's website.
- Use anonymous registration services and prevent the website from being cached.
- Employ Footprinting methods yourself to find vulnerabilities and remove them.
- Make security regulations compulsory, so employees don't release more information than necessary to the public.
- Encrypt and password-protect sensitive information.
- Use privacy services for WHOIS records.
- Prevent information leakage by configuring web servers appropriately.
- Penetration testing: this involves gathering information about the target organization from the internet and as many accessible sources as possible, in order to determine how much of the organization's information is available to the public.
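The "website to determine OS" section above shows what an attacker reads off a server, and the last two policy items say to stop it; the following added example (not code from the original article) ties the two together from the defender's side. It parses a raw HTTP response and reports the disclosures that matter for footprinting: a Server header carrying a version or OS string, platform headers such as X-Powered-By, and, for pages that should not be retained, the absence of X-Robots-Tag: noarchive and Cache-Control: no-store. Both responses are constructed, a leaky default beside a hardened one.

```python
"""Check HTTP response headers for server/platform disclosure and for the
directives that keep a sensitive page out of search-engine and proxy caches.

Added example; the two responses below are constructed.
"""
import re

# Constructed responses: a leaky default configuration and a hardened one.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.0.33\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Internal price list</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: webserver\r\n"
    "X-Robots-Tag: noarchive, noindex\r\n"
    "Cache-Control: no-store\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Internal price list</body></html>"
)

# Headers that routinely disclose the scripting platform behind a site.
PLATFORM_HEADERS = ("X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Generator")
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw):
    """Return (status_line, {header-name-lower: value}) for a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_response(raw):
    """Return a list of (severity, finding) tuples for one response."""
    _, headers = parse_headers(raw)
    findings = []
    server = headers.get("server", "")
    # A version number or a parenthesised OS tag is exactly what a banner grab wants.
    if VERSION_RE.search(server) or "(" in server:
        findings.append(("high", f"Server header discloses software/OS details: {server!r}"))
    for name in PLATFORM_HEADERS:
        value = headers.get(name.lower())
        if value:
            findings.append(("high", f"{name} discloses the scripting platform: {value!r}"))
    robots = headers.get("x-robots-tag", "").lower()
    if "noarchive" not in robots:
        findings.append(("medium", "No X-Robots-Tag: noarchive; search engines may keep a cached copy"))
    cache = headers.get("cache-control", "").lower()
    if "no-store" not in cache:
        findings.append(("low", "No Cache-Control: no-store; intermediaries may retain the page"))
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for severity, finding in audit_response(raw) or [("info", "no issues found")]:
            print(f"  [{severity}] {finding}")
```

The caching checks are meant for pages that carry sensitive content, not for a whole public site; the Server and platform checks apply everywhere, and fixing them is a one-line change in most web servers (for example disabling the server version banner and removing the X-Powered-By header).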
Organizations perform Footprinting on themselves to protect their information, prevent leakage to attackers, eliminate the possibility of a successful DNS snooping attempt, and counter social engineering methods. A Footprinting pen test can be done in a number of steps, the first of which is to gain legal authorization from the administrative personnel. The remaining steps are -
- Define the boundaries of the assessment exercise.
- Use search engines (Google, Bing, Yahoo) to footprint.
- Perform Google hacking with tools like SiteDigger.
- Footprint with social networking platforms (Facebook, Twitter, Pinterest, LinkedIn, Instagram).
- Footprint with email (emailTrackerPro, PoliteTrakcer), competitive intelligence (Hoovers, BusinessWire), DNS, WHOIS (SmartWhois, DomainDossier), social engineering (dumpster diving, eavesdropping and shoulder surfing) and networking (Path Analyser, VisualRoute).
- Report all discoveries made during the evaluation exercise.
Published with the express permission of the author.