Footprinting Techniques | Reconnaissance | Information Gathering
Footprinting is an information gathering process, also known as passive reconnaissance. In this process, different tools and techniques are used to collect all available information about the target and its environment. This is a pre-attack stage, carried out stealthily so that the target cannot trace the activity back to its source.
A hacker uses several freely available resources to gather as much information as possible passively. In this process no direct contact is made with the target. Footprinting plays a crucial role in determining the success of the later steps of a hacking attempt.
Table of Contents [Quick Links]
- Footprinting Techniques – Reconnaissance
- Final Words on Footprinting | Reconnaissance
Footprinting Techniques – Reconnaissance
There are several tools and techniques used in Information Gathering, and there is no predefined sequence in which Footprinting steps must be performed. In this article, we’ll perform the following 10 information gathering tasks.
- Websites Footprinting
- Whois Database Lookup
- Search Engines Hacking
- Similar Domain Search
- Negative Website Search
- Social & Business Networking Websites
- Classified/Job Websites
- Internet History – Archive Pages
- DNS Footprinting – MX Entry
Websites Footprinting
Just by visiting the target’s website a hacker can collect a great amount of information, such as email addresses, partners, client lists, physical addresses of their offices, HR openings etc.
The website can be further analyzed for error pages. Errors can appear if you put invalid data in search boxes or contact forms. Errors can reveal details about the website’s content management system software and its version, the scripting language, and the type of server used (Linux or Windows etc.).
Whois Database Lookup
Whois lookup is an important step in the information gathering process. A Whois lookup against any website can reveal information about the servers on which the website is hosted and their location. A Whois lookup also displays the name, address and contact numbers of technical staff, the domain owner and the domain registrar.
WHOIS Lookup Websites:
Search Engines Hacking
Making a search query against your target in search engines (Google, Yahoo, Bing etc.) can also reveal a great amount of information. Google advanced search (Google Hacking) can help a hacker locate detailed information such as company policies, employee details and hidden online pages.
A company’s details and reviews can also be found on different blogs, websites, review portals, forums etc.
Following is an example of Google Hacking:
Google Search Command: site:facebook.com “himanshu negi” + “hacking”
The above Google search query targets facebook.com for all persons named Himanshu Negi who are talking about “Hacking”.
Similar Domain Search
If example.com is your target’s website domain then you can look at example.in, example.net and example.org for the company’s worldwide presence. Further, looking for in.example.com, uk.example.com (country basis) or en.example.com (language basis) can reveal more useful information.
The same company may do different work in different countries and may present different information in different languages.
Try: touch.facebook.com, mbasic.facebook.com, facebook.com.
Negative Website Search
This type of search against any target’s website can reveal some other websites. These negative websites sometimes provide insight into the problems which exist inside the target organization.
Suppose your target is example.com; then you may find example-is-fraud.com to be a valuable resource.
Paypal.com is a payment gateway company that helps people buy and sell online and facilitates money transactions across borders worldwide. But the website pictured below tells a different story.
Social & Business Networking Websites
If you want more detailed information about a company or person then you must take a look at some social-professional sites. Websites like Linkedin.com and Google+ can reveal a great deal of business information such as professional connections and client lists.
The Facebook website might have some fake profiles and unofficial groups of a company. But a professional social networking website like Linkedin.com usually has trusted and frequently updated information about an individual, company or their clients.
Top Social Professional Websites: https://www.linkedin.com
People search and look-up websites are also very helpful when combined with the above mentioned social professional websites.
Classified/Job Websites
If you really wish to know what a company actually offers and the services they provide, then you must search popular classified websites. You’ll find some real working contact addresses and inside information such as the technology they work on and the expertise their employees have.
Classified sites always have new openings listed, most of them stating the software and technologies they work on and the expertise they look for.
Some Websites to Try:
Internet History – Archive Pages
Passive Reconnaissance also includes looking for information that was deleted from the website. The Internet Wayback Machine can help you find those deleted pages that are now history. Archive.org is a website established in 1996 which manages to archive the web pages of almost all websites.
Information or pages deleted from a website might have information about ex-employees. These ex-employees can be called and may disclose some information about the company, its environment and its work strategy.
DNS Footprinting – MX Entry
A DNS (Domain Name System) record lookup can reveal the MX entry, which indicates where and which email application services are being used. This information can be used later to exploit mail services and email accounts.
DNS Lookup Websites
Tracert is a command available on both Linux and Windows which is used to trace the path between a user and the target system’s machine. Some websites also offer tracert and trace-routing services.
Final Words on Footprinting | Reconnaissance
- Footprinting (or Passive Reconnaissance) includes some easy-to-perform techniques to gather information passively.
- Of course, there exist some more sources from which information can be collected. We’ll surely perform more footprinting and Reconnaissance in our later tutorials.
- Most Information Gathering techniques are legal as long as you don’t misuse the collected information. These steps and techniques are very easy and even a non-technical person can perform them.
You can protect yourself (and your organization) against reconnaissance by performing footprinting on yourself. Locate the sensitive and disclosed information and try to limit, hide or delete it.
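The self-assessment suggested above can be partly automated. The following Python script is an added example and is not code from the article: it scans an HTTP response captured from your own site for the kinds of disclosures the article lists under website footprinting (email addresses, phone numbers, server and CMS version banners, and leaked error messages). The headers and HTML below are constructed sample input, not from any real site; in practice you would replace them with a response fetched from your own pages.

```python
import re

# Constructed sample response for a self-assessment run (not a real site).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}

SAMPLE_BODY = """
<html><head>
<meta name="generator" content="WordPress 5.8.1">
<title>Contact us</title></head>
<body>
<p>Sales: sales@example.com, HR: careers@example.com</p>
<p>Call +1 (555) 010-2233 for support.</p>
<p>Warning: mysqli_connect(): Access denied in /var/www/html/wp-config.php on line 42</p>
</body></html>
"""

# Patterns for the disclosures we want to find on our own pages.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I
)
# Typical fragments of unhandled error output (PHP warnings, stack traces).
ERROR_RE = re.compile(
    r"(?:Warning|Fatal error|Traceback|Stack trace|mysqli_)[^<]*", re.I
)


def find_disclosures(headers, body):
    """Return the information an outsider could harvest from one response.

    headers: dict of HTTP response headers; body: the HTML as a string.
    """
    findings = {"emails": [], "phones": [], "versions": [], "errors": []}

    # Server software banners only count when they carry a version number.
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings["versions"].append(f"{name}: {value}")

    # CMS generator tag (e.g. WordPress and its exact version).
    match = GENERATOR_RE.search(body)
    if match:
        findings["versions"].append(f"generator: {match.group(1)}")

    findings["emails"] = sorted(set(EMAIL_RE.findall(body)))
    findings["phones"] = [p.strip() for p in PHONE_RE.findall(body)]
    findings["errors"] = [m.group(0).strip() for m in ERROR_RE.finditer(body)]
    return findings


def exposure_count(findings):
    """Total number of disclosed items, useful for tracking clean-up progress."""
    return sum(len(items) for items in findings.values())


if __name__ == "__main__":
    report = find_disclosures(SAMPLE_HEADERS, SAMPLE_BODY)
    for category, items in report.items():
        print(f"{category}: {items}")
    print(f"total disclosures: {exposure_count(report)}")
```

Each category maps to a concrete mitigation: version strings in `Server`, `X-Powered-By` and the generator tag can be suppressed in the web server and CMS configuration, leaked error text indicates debugging output that should be disabled in production, and contact details should be reduced to the addresses you actually intend to publish.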