CEH Exam Chapter04
Uploaded by Waduge Buddhika

Ethical Hacking Class
Chapter 4: Footprinting & Reconnaissance

Presentation slides to accompany
CEHv12 Certified Ethical Hacker Exam Study Guide
Author: Ric Messier; © 2023 John Wiley & Sons
Agenda
• Open Source Intelligence
• Footprinting
• Web site intelligence
• Technical intelligence

Using Web Tools for Footprinting (1 of 4)
• Many attackers do “case the joint”
• Look over the location
• Find weaknesses in security systems
• Determine what types of locks and alarm systems are used
• As a security tester
• You must find out as much as you can about an organization that hired you
• Footprinting (may also be called reconnaissance)
• Finding information on a company’s network
• Passive and nonintrusive

Simpson, Antill, Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition. © 2023 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Using Web Tools for Footprinting (2 of 4)

• Active footprinting
• Actually prodding the target network in ways that might seem suspicious to network defenders
• Includes things such as:
• Port scans
• DNS zone transfers
• Interacting with a target’s web server
• Security tester uses both passive and active techniques
• To discover as much as possible about the organization and its network

Summary of Reconnaissance Tools (1 of 4)
Tool: Function
• dig (command available on all *nix systems; can be downloaded for Windows platforms from the BIND 9 website; dig is contained in the BIND download, so download BIND): Perform DNS zone transfers; replaces the nslookup command.
• Domain Dossier: This web tool is useful in gathering IP and domain information (including whois, DNS, and traceroute).
• FOCA: Extract metadata from documents on websites to reveal the document creator’s network logon and email address, information on IP addresses of internal devices, and more.
• Google and Google Hacking Database (GHDB), also called Google Dorks: Uncover files, systems, sites, and other information about a target using advanced operators and specially crafted queries. Some of these queries can be found at the GHDB (Google Hacking Database).
• Google Groups: Search for email addresses in technical or nontechnical newsgroup postings.

Summary of Reconnaissance Tools (2 of 4)
Tool: Function
• Maltego: Discover relevant files, email addresses, and other important information with this powerful graphic user interface (GUI) tool.
• netcat (command available on all *nix systems; can be downloaded for Windows platforms from the Nmap website): Read and write data to ports over a network.
• Netcraft Site Report: Uncover the underlying technologies that a website operates on.
• OSINT Framework: A collection of OSINT tools presented in an interactive web-based mind map that organizes the information visually. You can expand nodes to find collections of tools suited for the task you want to accomplish.
• Recon-ng: Automate footprinting with this powerful, advanced framework using search engines, social media, and many other sources.

Summary of Reconnaissance Tools (3 of 4)
Tool: Function
• SpiderFoot: A tool with a graphical user interface (GUI) that queries more than 100 OSINT sources to grab intelligence on email addresses, names, IP addresses, domain names, web servers, and more.
• Spyse: Spyse is a cybersecurity search engine. You can use it to search entire domains or individual systems for vulnerabilities, IPs, DNS records, domains, and more. Spyse claims to be “the most complete Internet assets registry for every cybersecurity professional.”
• TheHarvester: Used for finding email addresses, subdomains, IPs, URLs, employee names, and more. This is a command line only tool.
• WayBackMachine: Search through previous versions of the website to uncover historical information about a target.

Summary of Reconnaissance Tools (4 of 4)
Tool: Function
• wget (command available on all *nix systems; can be downloaded for Windows platforms from the Wget for Windows HTML site): Retrieve HTTP, HTTPS, and FTP files over the Internet.
• White Pages: Conduct reverse phone number lookups and retrieve address information.
• Whois: Gather IP and domain information.
• Zed Attack Proxy: This is a useful website analysis tool that can crawl through remote websites and even produce a list of vulnerabilities for a remote website.

Open Source Intelligence
• Lots of open, freely available information about companies
• The Securities and Exchange Commission hosts the EDGAR database of all filings from publicly traded companies
• Maltego is a GUI-based utility for gathering open source intelligence

EDGAR
One of the most useful forms you can find in EDGAR on the SEC site is Schedule 14A, which is a proxy statement and will include the annual report to the shareholders, which may include a lot of useful information for you. As an example, Figure 4.2 shows a very small section of the annual report to the shareholders for Microsoft Corporation. Other sections that are not shown include Corporate Governance at Microsoft, Board of Directors, and Audit Committee Matters.
Maltego for Government

Maltego

Whois
Regional Internet Registries (RIRs)
• Internet Corporation for Assigned Names and Numbers (ICANN) holds all IP addresses and hands them out to the RIRs
• Each RIR has a database that can be queried for information about address blocks and registered contacts
• The whois utility is used to query these databases
• You can use the whois utility to get the size of the public IP address block for a company
• American Registry for Internet Numbers (ARIN)
• Réseaux IP Européens Network Coordination Centre (RIPE)
• Africa Network Information Center (AfriNIC)
• Latin American Network Information Center (LACNIC)
• Asia Pacific Network Information Center (APNIC)

What are the RIRs


Intelligence Through People
• You can gather intelligence about companies through people
• Social networking sites like LinkedIn and Facebook may provide details about jobs and technology
• Job sites can provide a lot of details about technology in use at the target site
TheHarvester
TheHarvester is an open-source reconnaissance tool designed to gather information about targets by querying public data sources. It is widely used for ethical hacking, penetration testing, and OSINT (Open Source Intelligence) activities.

Key Features:
• Data Collection: Retrieves email addresses, employee names, domain names, subdomains, IPs, and more.
• Supported Sources: Queries search engines (e.g., Google, Bing, DuckDuckGo), social networks, and other platforms like VirusTotal and ThreatCrowd.
• Customizable Search: Can use API keys for enhanced searches on specific platforms.
• Command-Line Interface: Offers straightforward usage via a terminal, allowing users to specify target domains and data sources.

Applications:
• Identifying contact information for potential social engineering.
• Mapping a target organization's online presence.
• Collecting subdomains and associated IPs for vulnerability assessment.

TheHarvester is a versatile and efficient tool for gathering preliminary data during the reconnaissance phase of penetration testing or OSINT investigations.
Facebook

Username Search Using Sherlock
Sherlock is an open-source tool used to identify usernames across hundreds of social media platforms and websites. It is particularly useful for reconnaissance during ethical hacking or OSINT investigations.

Key Features:
• Username Searches: Locates specific usernames on platforms like Twitter, Instagram, GitHub, and many more.
• Extensive Coverage: Checks hundreds of websites and platforms for the existence of the provided usernames.
• Command-Line Interface: Users provide one or more usernames, and Sherlock outputs the results, including links to identified profiles.
• Customizable Output: Allows saving results in text files for further analysis.

Applications:
• Identifying an individual’s online presence across platforms.
• Gathering information for social engineering or deeper reconnaissance.
• Supporting investigations into cyber threats or fraudulent accounts.

Sherlock is a straightforward yet powerful tool for uncovering digital footprints, providing valuable insights during the initial stages of OSINT and ethical hacking.
Using LinkedIn for OSINT? Here's 1 Tip You MUST KNOW! | Social Media OSINT
https://youtu.be/Nv_0R7ou1ew
Domain Name System (DNS)
• Hierarchical ‘database’ of all fully qualified domain names (FQDNs), which are hostname plus domain name (e.g., www.wiley.com)
• Queries of DNS are recursive – you ask your local DNS server, it asks the root server for the top level domain (TLD) details, then the next server for the next level of detail, and so on
• Resolves fully qualified domain names to IP addresses
• Can also resolve IP addresses to fully qualified domain names or hostnames
• Other resource records – mail exchange (MX), start of authority (SOA)
DNS Tools
• Nslookup is available on Windows and Unix-like systems and can query any resource record from any server
• Host will do a lookup of hostname to IP address or vice versa
• Dig can also be used to query any resource record from any server
• Web-based tools also exist for these tasks
Using Domain Name System Zone Transfers (1 of 3)
• Domain Name System (DNS)
• Resolves host names to IP addresses and vice versa
• People prefer URLs to IP addresses
• DNS is a major area of potential vulnerability for network attacks
• Uses name servers to resolve names
• Once you determine what name server a company is using:
o You can attempt to transfer all the records for which the DNS server is responsible
o Process is called a zone transfer
o Can be done with the dig command

Using Domain Name System Zone Transfers (2 of 3)
• Recommended zone transfer tool
• The dig command
• Determining primary DNS server
• Start of Authority (SOA) record
• Shows for which zones or IP addresses the DNS server is responsible
• Zone transfer gives an organization’s network diagram
• This information can be used to attack other servers or computers that are part of the network infrastructure

Using Domain Name System Zone Transfers (3 of 3)

Source: Kali Linux
Figure 4-14 Using the dig command

Passive Reconnaissance
• Network information is very telling
• Lots of details can be extracted from network headers
• You can get OS information, services running and other details
• p0f is a utility that will watch network traffic and provide details about the network traffic passing by
Using Other Footprinting Tools
• Whois utility
• Commonly used web tool
• Gathers IP address and domain information
• Unfortunately, attackers can also use this information
• Gives information on a company’s IP addresses
• And any other domains the company might be part of
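The RIR slide earlier says the whois utility can tell you the size of a company's public address block, and the slide above adds that the same record gives away domain and contact details. The Python below is an added example (not from the Simpson et al. text or from the whois program) that parses two constructed registry records, one in ARIN's NetRange style and one in the inetnum style used by RIPE and the other RIRs, and computes the block size and covering CIDR prefixes from the range; it also pulls out every e-mail address the record exposes, which is what an organisation reviewing its own allocation should check. ARIN_SAMPLE, RIPE_SAMPLE and the helper functions are assumptions of this example.

```python
import ipaddress

# Constructed sample in the style of an ARIN whois record (assumed values,
# not copied from any real registry response).
ARIN_SAMPLE = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
NetType:        Direct Allocation
Organization:   Example Corp (EXAMP-1)
OrgTechEmail:   noc@example.com
OrgAbuseEmail:  abuse@example.com
"""

# Constructed sample in the RIPE style, where the range key is "inetnum".
RIPE_SAMPLE = """\
% Information related to '198.51.100.0 - 198.51.100.127'
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-EU
descr:          Example Corp, European office
country:        NL
admin-c:        EX123-RIPE
mnt-by:         EXAMPLE-MNT
"""


def parse_whois(text):
    """Turn 'key: value' lines into a dict of lists, keys lowercased.

    Registry banners and terms-of-use lines start with '#' or '%' and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "%")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def netblock(fields):
    """Return the block boundaries, its size and the CIDR prefixes covering it.

    ARIN publishes the range as 'NetRange'; RIPE, APNIC, AFRINIC and LACNIC
    use 'inetnum'. A range that is not a single prefix (e.g. .0 - .191) comes
    back as several CIDRs, which summarize_address_range handles for us.
    """
    for key in ("netrange", "inetnum"):
        if key in fields:
            first_s, last_s = (p.strip() for p in fields[key][0].split("-", 1))
            first, last = ipaddress.ip_address(first_s), ipaddress.ip_address(last_s)
            cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
            return {"first": str(first), "last": str(last),
                    "size": int(last) - int(first) + 1, "cidrs": cidrs}
    return None


def contacts(fields):
    """Collect every e-mail address in the record.

    From the owner's side these should be role mailboxes (abuse@, noc@) rather
    than named staff, since the record is readable by anyone.
    """
    emails = []
    for key, values in fields.items():
        if "email" in key or key in ("e-mail", "abuse-mailbox"):
            emails.extend(values)
    return emails


if __name__ == "__main__":
    for sample in (ARIN_SAMPLE, RIPE_SAMPLE):
        fields = parse_whois(sample)
        block = netblock(fields)
        print(f"{block['first']} - {block['last']}: {block['size']} addresses, "
              f"prefixes {block['cidrs']}, contacts {contacts(fields)}")
```

Because the parser keys on the registry's own field names, the same code works on the output of `whois 203.0.113.10` whichever RIR answers; the only per-registry knowledge is the two range keys in netblock.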

Using Email Addresses
• Email address
• Knowing a user’s email address can help retrieve even more information
• Find out a company’s email address format
• You might be able to find other employees’ email accounts
• By acquiring a company phone directory
• By searching the Internet for any @companyname.com references
• Tool to find corporate employee information
• Groups

Web Site Intelligence
• Browsing web sites can reveal a lot about the technology running
• HTTP headers can reveal server type and version
• Other headers can provide technology details (e.g., PHP, Java, .NET, etc.)
• Source code can provide frameworks and libraries in use (e.g., Spring, Struts, etc.)
• Browser plugins can be used to gather and analyze all this information (e.g., Wappalyzer)
Using HTTP Basics (1 of 3)
• HTTP operates on port 80 and HTTPS operates on port 443
• Both versions use HTTP commands
• Security testers can pull information from a web server using these commands
• A basic understanding of HTTP
• Beneficial for security testers
• Return codes
• Reveal information about OS used on the computer where a security test is being conducted
• Most basic HTTP method
• GET / HTTP/1.1

HTTP Client Errors (1 of 2)
Error: Description
• 400 Bad Request: Request not understood by server
• 401 Unauthorized: Request requires authentication
• 402 Payment Required: Reserved for future use
• 403 Forbidden: Server understands the request but refuses to comply
• 404 Not Found: Unable to match request
• 405 Method Not Allowed: Request not allowed for the resource (Note: Methods are covered later in this module.)
• 406 Not Acceptable: Resource doesn’t accept the request
• 407 Proxy Authentication Required: Client must authenticate with proxy
• 408 Request Timeout: Request not made by client in allotted time
• 409 Conflict: Request couldn’t be completed because of an inconsistency

HTTP Client Errors (2 of 2)
Error: Description
• 410 Gone: Resource is no longer available
• 411 Length Required: Content length not defined
• 412 Precondition Failed: Request header fields evaluated as false
• 413 Request Entity Too Large: Request is larger in volume than the server can process
• 414 Request-URI (uniform resource identifier) Too Long: Request-URI is longer than the server is willing to accept

HTTP Server Errors
Error: Description
• 500 Internal Server Error: Request couldn’t be fulfilled by the server
• 501 Not Implemented: Server doesn’t support the request
• 502 Bad Gateway: Server received invalid response from the upstream server
• 504 Gateway Timeout: Server didn’t receive a timely response
• 505 HTTP Version Not Supported: HTTP version not supported by the server

HTTP Methods
Method: Description
• GET: Retrieves data by URI
• HEAD: Same as the GET method, but retrieves only the header information of an HTML document, not the document body
• OPTIONS: Requests information on available options
• TRACE: Starts a remote Application-layer loopback of the request message
• CONNECT: Used with a proxy that can dynamically switch to a tunnel connection, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
• DELETE: Requests that the origin server delete the identified resource
• PUT: Requests that the entity be stored under the Request-URI
• POST: Allows data to be posted (i.e., sent to a web server)

Using HTTP Basics (2 of 3)

Figure 4-8 Using the OPTIONS HTTP method

Using HTTP Basics (3 of 3)
• If you know HTTP methods:
• You can send a request to a web server
• From the generated output, you can determine what OS the web server is using
• Other information can be determined that could be used in an attack
• Such as vulnerabilities of operating systems (OSs) and other software

Netcraft.com
Wappalyzer
Wappalyzer is a popular open-source reconnaissance tool designed to identify technologies used on websites. It is widely used by developers, ethical hackers, and researchers to gain insights into the frameworks, libraries, and platforms that power a web application.

Key Features:
Technology Detection:
Identifies web servers, programming languages, frameworks, CMS
platforms, and analytics tools.
Detects libraries, advertising networks, payment processors, and more.
Browser Extensions:
Available as an extension for Chrome and Firefox.
Provides real-time analysis of a website with a simple click, displaying all
detected technologies in a user-friendly interface.
Command-Line Interface (CLI):
Allows users to automate technology identification via scripts for bulk
analysis of multiple websites.
Extensive Database:
Continuously updated with new technologies to ensure comprehensive
coverage.

How It Works:
Scanning Mechanisms: Wappalyzer analyzes:
HTTP headers.
JavaScript variables.
Cookies and meta tags.
HTML and CSS content.
Results: Outputs detected technologies with categories such as:
Web server (e.g., Apache, Nginx, IIS).
Programming language (e.g., PHP, Python).
Frameworks (e.g., Django, React).
CMS (e.g., WordPress, Joomla).
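The Web Site Intelligence slide, the HTTP Basics slides and the Wappalyzer description above all make the same point: a single response tells you the server, the language and often the CMS. The Python below is an added example, not code from the Simpson et al. text or from Wappalyzer, that does a small version of that analysis on a constructed, unhardened response: it parses the raw HTTP/1.1 response, reads the Server and X-Powered-By headers, matches session-cookie names, the meta generator tag and well-known URL paths against a handful of signatures, and lists which headers exist only to advertise versions. The signature tables, SAMPLE_RESPONSE, parse_response and fingerprint are all assumptions of this example; a real rule database is far larger.

```python
import re

# Constructed sample response from a server that has not been hardened.
# Assumed values, not captured from any real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.57 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/8.1.2\r\n"
    b"Set-Cookie: PHPSESSID=deadbeef; Path=/; HttpOnly\r\n"
    b"Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b'<html><head><meta name="generator" content="WordPress 6.4.2">'
    b'<script src="/wp-includes/js/jquery/jquery.min.js"></script>'
    b"</head><body>Hello</body></html>"
)

# Headers whose only job is to advertise the stack; no browser needs them.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                   "x-aspnetmvc-version", "x-generator")

# Cookie-name and URL-path signatures, matched by prefix. A tiny subset of
# the kind of rule set a tool like Wappalyzer ships with.
COOKIE_SIGNATURES = {"phpsessid": "PHP", "jsessionid": "Java servlet container",
                     "asp.net_sessionid": "ASP.NET", "csrftoken": "Django",
                     "wordpress_": "WordPress", "laravel_session": "Laravel"}
PATH_SIGNATURES = {"/wp-includes/": "WordPress", "/wp-content/": "WordPress",
                   "/sites/default/files/": "Drupal", "/_next/static/": "Next.js"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, [(name, value)], body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body.decode("utf-8", "replace")


def fingerprint(headers, body):
    """Infer the technology stack and list the headers that leak version detail."""
    techs = set()
    leaky = []
    server = None
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            server = value
        if lname in VERSION_HEADERS:
            leaky.append(name)
            techs.add(value.split("/")[0])  # "PHP/8.1.2" -> "PHP"
        if lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip().lower()
            for prefix, tech in COOKIE_SIGNATURES.items():
                if cookie.startswith(prefix):
                    techs.add(tech)
    generator = re.search(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)',
                          body, re.IGNORECASE)
    if generator:
        techs.add(generator.group(1).split()[0])  # "WordPress 6.4.2" -> "WordPress"
    for prefix, tech in PATH_SIGNATURES.items():
        if prefix in body:
            techs.add(tech)
    return {"server": server, "technologies": sorted(techs), "leaky_headers": leaky}


if __name__ == "__main__":
    status, headers, body = parse_response(SAMPLE_RESPONSE)
    result = fingerprint(headers, body)
    print(f"status {status}, server: {result['server']}")
    print("technologies:", ", ".join(result["technologies"]))
    print("headers to remove or blank:", ", ".join(result["leaky_headers"]))
```

For the site owner the useful output is the last line. Apache stops sending the version with `ServerTokens Prod`, nginx with `server_tokens off;`, and PHP stops adding X-Powered-By when `expose_php = Off` is set in php.ini; the cookie names and the generator tag are the harder part, since renaming a session cookie or stripping a CMS's meta tag is an application change rather than a server setting.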
Other Methods of Gathering Information
• With just a URL, you can determine the following that a company is using:
• Web server
• OS
• Names of IT personnel
• Other unscrupulous methods:
• Cookies
• Web beacons

Conducting Competitive Intelligence
• Numerous resources are available to find information legally
• Competitive intelligence
• Gathering information on a higher level using technology
• Security professionals must:
• Explain to their clients the methods used by competitors to gather confidential information

Analyzing a Company’s Website (1 of 8)
• Webpages are an easy source of critical information
• Websites are often referred to as web applications
• Many available tools for this type of information gathering
• Zed Attack Proxy (ZAP)
• Powerful tool for Linux, macOS, and Windows
• Requires Java to be installed

Analyzing a Company’s Website (2 of 8)

Source: OWASP.ORG
Figure 4-1 ZAP main window

Analyzing a Company’s Website (3 of 8)
• ZAP has a feature called Launch Browser on its Quick Start tab
• Automatically edits the configuration of a web browser
• To direct traffic through ZAP proxy
• Allows the ZAP tool to intercept and manipulate traffic sent between your web browser and the target web server
• To use this feature:
• Select the Quick Start tab
• Choose the browser from the drop-down menu
o Next to the Launch Browser button
• Click the Launch Browser button

Analyzing a Company’s Website (4 of 8)

Source: OWASP.ORG
Figure 4-2 ZAP launch browser
Analyzing a Company’s Website (5 of 8)
• Once the browser is configured:
• The attacker can use the browser to navigate the target site
• Target site will be listed on the History tab in the lower pane and in the Sites list in the left pane
• Site can be selected for spidering
• Spidering (or crawling) is an automated way to discover pages of a website by following links
• Within seconds, the filenames of webpages on the “spidered” site are displayed on the URLs tab

Analyzing a Company’s Website (6 of 8)
• After the site has been “spidered”:
• You can actively scan the site using the ZAP Attack feature
• Sends the web server a series of requests designed to identify vulnerabilities
• Vulnerabilities will display under the Alerts tab
o Indicated in the Risk Level column as either High, Medium, Low, or Informational

Analyzing a Company’s Website (7 of 8)

Source: OWASP.ORG
Figure 4-5 Displaying filenames of content on a website
Analyzing a Company’s Website (8 of 8)

Figure 4-6 ZAP scanning report

Analyzing a Company’s Website Using httrack
HTTrack is an open-source website copier tool that allows users to download websites from the Internet to a local directory for offline browsing. It mirrors the structure of the original website, including HTML, images, and other resources, making it useful for analysis, archiving, and testing.
Google Hacking
• Keywords that can be used to narrow search results
• Boolean logic – “apache server” AND “vulnerabilities”
• Site specific – site:apache.org tomcat
• Specific locations in the content – inurl:, intext:, intitle:, allinurl:, allintext:, allintitle:
• Specific filetypes – filetype:pdf site:Microsoft.com windows
Internet of Things (IoT)
• Millions of devices around the world
• Limited functionality, non-standard input/output capabilities (no physical/external keyboard, no traditional monitor, etc.)
• Web site shodan.io also has a database of IoT devices
Internet of Things (IoT) – Shodan Search (DNP3)
Shodan (www.shodan.io) is a search engine for discovering IoT devices, their vendors, types, and capabilities.
• Allows specific searches, such as by protocols (e.g., DNP3, FINS) or device types.
• Provides:
• Device location by country or organization.
• Details about devices, such as open ports and configurations.
Summary
• Intelligence can be gathered from many directions including social networking sites
• RIRs can provide details about IP address ranges belonging to a company and the people who manage those IP addresses at the company
• DNS provides IP addresses from hostnames
• Google Hacking is the use of keywords to narrow search results
• IoT devices can be found using sites like Thingful and Shodan
Assignment
• Write a report detailing as much open source intelligence as you can about this institution
• Include your methodology and results
• Include recommendations where the institution can reasonably reduce its information exposure
