- Master passive and active footprinting methodologies
- Understand web application reconnaissance techniques
- Learn DNS enumeration and zone transfer attacks
- Develop OSINT (Open Source Intelligence) skills
- Explore social engineering information gathering
- Master advanced Google dorking techniques
- Understand network range and infrastructure discovery
Footprinting is the systematic process of collecting information about target systems, networks, and organizations to identify potential attack vectors and reduce the attack surface scope. It represents the first phase of the ethical hacking methodology and forms the foundation for all subsequent security testing activities.
- Reduce attack surface: Focus efforts on viable targets and entry points
- Identify security perimeter: Map external-facing systems and services
- Gather intelligence: Collect organizational, technical, and personnel information
- Plan attack strategy: Develop targeted approach based on discovered information
Information gathering without direct interaction with target systems, minimizing detection risk.
- No direct target contact: Information gathered from third-party sources
- Stealth approach: Minimal detection risk and forensic evidence
- Publicly available data: Relies on open source intelligence (OSINT)
- Legal compliance: Generally permissible as uses public information
- Search engines: Google, Bing, DuckDuckGo advanced queries
- Social media platforms: LinkedIn, Twitter, Facebook, Instagram
- Public databases: WHOIS, DNS records, certificate transparency
- Archive services: Wayback Machine, cached content
- Professional networks: Company websites, press releases, job postings
Direct interaction with target systems to gather detailed technical information.
- Direct system interaction: Scanning, probing, and service enumeration
- Higher information quality: Detailed technical specifications
- Detection risk: May trigger security alerts and logging
- Legal considerations: Requires explicit authorization
- Network scanning: Port scans, service detection, OS fingerprinting
- DNS enumeration: Zone transfers, subdomain brute forcing
- Social engineering: Phone calls, emails, physical reconnaissance
- Website interaction: Technology fingerprinting, directory enumeration
- Website parsing: Contact pages, staff directories, privacy policies
- WHOIS records: Administrative and technical contacts
- Social media: Professional profiles and public posts
- Code repositories: GitHub, GitLab commit histories
- Job postings: Contact information in recruitment listings
# Common email patterns for organizations
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]WHOIS databases provide comprehensive domain registration and ownership information.
- Registrar details: Domain registration service provider
- Registration dates: Creation, expiration, and last updated
- Contact information: Administrative, technical, and billing contacts
- Name servers: Authoritative DNS servers for the domain
- IP ranges: Associated network blocks and ASN information
- WHOIS privacy protection: May obscure actual ownership details
- GDPR compliance: European domains may have limited public information
- Corporate vs personal: Business domains typically provide more detail
- Geographic location: Country, region, city coordinates
- ISP information: Internet service provider and organization
- ASN details: Autonomous system number and network blocks
- Infrastructure mapping: Data center and hosting provider identification
- VPN and proxy services: May show incorrect geographic location
- CDN networks: Content delivery networks can obscure true server location
- IP reputation: Historical usage and security incident associations
- Server technologies: Web servers (Apache, Nginx, IIS)
- Programming languages: PHP, Python, Java, .NET
- Frameworks: React, Angular, Django, Laravel
- Content management: WordPress, Drupal, Joomla
- Analytics and tracking: Google Analytics, social media pixels
- Browser extensions: Wappalyzer, BuiltWith, WhatRuns
- Command-line tools: whatweb, WebTechNOTIce
- Response header analysis: Server headers, X-Powered-By headers
- Source code analysis: JavaScript libraries, CSS frameworks
- Website evolution: Changes in design, content, and functionality
- Exposed directories: Previously accessible paths and endpoints
- API documentation: Historical API endpoints and parameters
- Code comments: Developer comments in HTML and JavaScript
- Technology changes: Evolution of technology stack over time
- Vulnerability windows: Historical software versions with known CVEs
- Design patterns: Understanding of development practices
- Content migration: Identifying moved or deprecated functionality
- Primary use: Maps domain names to IPv4 addresses
- Intelligence value: Reveals server infrastructure and hosting providers
- Security implications: Direct access points for targeted attacks
- Primary use: Maps domain names to IPv6 addresses
- Intelligence value: Modern infrastructure and dual-stack configurations
- Security implications: Often overlooked in security configurations
- Primary use: Specifies mail servers for email delivery
- Intelligence value: Email infrastructure and third-party services
- Security implications: Email security posture and phishing targets
- Primary use: Caching duration for DNS records
- Intelligence value: Infrastructure change frequency and practices
- Security implications: DNS cache poisoning and hijacking opportunities
- Primary use: Domain name aliases and redirections
- Intelligence value: Service relationships and infrastructure mapping
- Security implications: Subdomain takeover vulnerabilities
- Primary use: Domain verification and policy specification
- Intelligence value: Third-party services, SPF, DKIM, DMARC policies
- Security implications: Email security posture and service enumeration
Zone transfers allow secondary DNS servers to replicate complete DNS zone data from primary servers.
# Attempting zone transfer
dig @ns1.target.com target.com AXFR
dnsrecon -d target.com -t axfr
fierce -dns target.com- Complete subdomain enumeration: Full internal DNS structure exposure
- Infrastructure mapping: Internal network topology revelation
- Service discovery: Hidden services and development environments
- Workplace monitoring: Overhearing conversations in public spaces
- Phone conversations: Public areas, elevators, transportation
- Meeting rooms: Conference calls and strategy discussions
- Technical discussions: IT support calls and troubleshooting
- Network traffic: Unencrypted communications monitoring
- VoIP communications: Internet-based phone call interception
- Video conferences: Unsecured meeting platforms
- Instant messaging: Corporate chat platforms and tools
- Passwords and PINs: Authentication credential observation
- Screen content: Sensitive documents and communications
- Access codes: Physical security systems and badges
- Personal information: Social security numbers, addresses
- Airport lounges: Business travelers using laptops
- Coffee shops: Public WiFi and workspace areas
- Public transportation: Mobile device usage
- Office buildings: Shared workspaces and elevators
- Financial documents: Bank statements, invoices, contracts
- Technical documentation: Network diagrams, user manuals
- Personnel information: Employee directories, organizational charts
- Security materials: Passwords written on paper, access cards
- Property laws: Trash ownership and trespassing regulations
- Privacy expectations: Personal vs. corporate information
- Professional boundaries: Ethical hacking scope limitations
# Installation and Usage
git clone https://github.com/issamelferkh/userrecon.git
cd userrecon
./userrecon.sh
# Features
# - Searches across 75+ social media platforms
# - Automated username enumeration
# - Results aggregation and reportingUse Cases: Social media presence mapping, username correlation across platforms Limitations: Rate limiting on platforms, privacy settings may hide profiles
# Installation
pip3 install sherlock-project
# Usage Examples
sherlock target_username # Search across all supported sites
sherlock target_username --timeout 10 # Custom timeout settings
sherlock target_username --print-found # Only display found accounts
sherlock target_username --csv # Export results to CSVCapabilities: 300+ platform support, concurrent searching, detailed reporting Considerations: Some platforms may require API keys for full functionality
# Domain-based email harvesting
theHarvester -d target.com -b all -l 500 # Search all sources
theHarvester -d target.com -b google # Google-specific search
theHarvester -d target.com -b linkedin # LinkedIn employee enumeration
theHarvester -d target.com -b dnsdumpster # DNS subdomain discovery
# Export options
theHarvester -d target.com -b all -f output.html # HTML report
theHarvester -d target.com -b all -f output.xml # XML formatIntelligence Gathering: Emails, subdomains, hosts, employee names Advanced Features: Shodan integration, virtual host detection, DNS enumeration
- Employee enumeration: Current and former staff identification
- Organizational structure: Department mapping and hierarchy
- Technology insights: Skills, certifications, and tool usage
- Contact information: Professional email patterns and phone numbers
- Business relationships: Partners, clients, and vendor connections
- Technology stack requirements: Required skills and tools
- Infrastructure insights: System requirements and environments
- Security posture: Security-related job postings and requirements
- Organizational growth: Expansion areas and strategic initiatives
- Contact patterns: HR and technical contact information
# Title and content searches
intitle:"login page" site:target.com # Find login pages
intext:"password reset" site:target.com # Find password reset functionality
inurl:admin site:target.com # Administrative interfaces
inanchor:"contact us" site:target.com # Link anchor text search# Document and file enumeration
filetype:pdf site:target.com # PDF documents
filetype:doc site:target.com # Word documents
filetype:xlsx site:target.com # Excel spreadsheets
filetype:pptx site:target.com # PowerPoint presentations
filetype:txt site:target.com # Text files# Configuration and error pages
"Index of /" site:target.com # Directory listings
"error in your SQL syntax" site:target.com # SQL error messages
"Warning: mysql_" site:target.com # MySQL warnings
"ORA-" site:target.com # Oracle database errors# Complex search patterns
site:target.com (inurl:admin OR inurl:administrator OR inurl:panel)
site:target.com filetype:pdf (password OR confidential OR internal)
site:target.com "powered by" (inurl:login OR inurl:admin)- Footholds: Initial access points and entry vectors
- Web server detection: Technology and version identification
- Error messages: System configuration and database information
- Network or vulnerability data: Infrastructure and security weaknesses
- Files containing passwords: Credential and authentication data
- Sensitive online shopping info: E-commerce and payment data
- Exploit-DB GHDB
- Community contributions: Crowdsourced dork discovery
- Regular updates: New techniques and query patterns
Comprehensive domain analysis providing technical and business intelligence.
Key Information:
- IP address and hosting: Server location and provider details
- DNS configuration: Name servers and record information
- Subdomains: Associated subdomain discovery
- Technology stack: Server software and applications
- Contact information: Administrative and technical contacts
Professional-grade domain intelligence with historical and predictive analytics.
Advanced Features:
- WHOIS history: Historical ownership and configuration changes
- DNS history: Previous DNS configurations and changes
- IP neighborhood: Other domains on same infrastructure
- Risk assessment: Domain reputation and threat intelligence
- API access: Programmatic intelligence gathering
Visual DNS reconnaissance with interactive network mapping.
Capabilities:
- DNS enumeration: Comprehensive DNS record discovery
- Visual mapping: Graphical representation of infrastructure
- Subdomain discovery: Active and passive subdomain enumeration
- Network topology: Infrastructure relationship visualization
# Organization-based searches
org:"Target Organization" # Organization assets
net:"192.168.1.0/24" # Network range scanning
country:"US" city:"New York" # Geographic filtering# Service-specific searches
port:22 country:"US" # SSH services by country
apache version:"2.4" country:"DE" # Specific Apache versions
"default password" port:23 # Telnet with default creds
ssl:"target.com" # SSL certificate search# Device-specific searches
"Server: webcam" # Web cameras
"HP LaserJet" port:9100 # Network printers
"Schneider Electric" port:502 # Industrial control systems
title:"DVR" country:"US" # Digital video recordersProfessional Features: API access, monitoring alerts, vulnerability tracking Security Considerations: Responsible disclosure, legal compliance, ethical usage
- Technology detection: Comprehensive framework and tool identification
- Historical analysis: Technology adoption and migration patterns
- Market intelligence: Competitor technology comparison
- Lead generation: Business development opportunities
- Browser integration: Real-time technology detection
- API access: Programmatic technology identification
- Technology categories: Detailed classification and versioning
- Competitive analysis: Market share and adoption trends
# Basic subdomain enumeration
sublist3r -d target.com # Standard enumeration
sublist3r -d target.com -v # Verbose output
sublist3r -d target.com -b # Enable brute force
sublist3r -d target.com -p 80,443 # Specific port testing
# Output and reporting
sublist3r -d target.com -o subdomains.txt # Save results to fileSearch Engines Used: Google, Yahoo, Bing, Baidu, Ask, Netcraft, DNSdumpster Advanced Features: Brute force integration, port scanning, output formatting
# Passive enumeration
amass enum -d target.com # Basic enumeration
amass enum -d target.com -src # Show data sources
amass enum -d target.com -ip # Include IP addresses
# Active enumeration
amass enum -active -d target.com # Active reconnaissance
amass enum -brute -d target.com # Brute force subdomains
amass enum -d target.com -config config.ini # Custom configurationData Sources: 55+ different information sources Advanced Capabilities: DNS zone walking, certificate transparency, reverse DNS
# Standard domain enumeration
dnsrecon -d target.com # Basic enumeration
dnsrecon -d target.com -t std # Standard record types
dnsrecon -d target.com -t axfr # Zone transfer attempt
dnsrecon -d target.com -t brt # Brute force subdomains
# Advanced techniques
dnsrecon -d target.com -r 192.168.1.0/24 # Reverse DNS lookup
dnsrecon -d target.com -t srv # SRV record enumerationEnumeration Types: Standard, zone transfer, brute force, reverse lookup, cache snooping Output Formats: Standard, XML, CSV, JSON for integration
- OWASP Testing Guide - Information Gathering - Comprehensive web application reconnaissance
- NIST SP 800-115 - Technical Guide to Information Security Testing
- SANS Reading Room - Footprinting and reconnaissance research
- "Footprinting Techniques and Tools" - Academic analysis of reconnaissance methods
- Passive DNS Analysis - DNS intelligence gathering techniques
- OSINT Framework - Comprehensive tool and technique repository
- Commercial OSINT: Maltego, Recorded Future, ThreatConnect
- DNS Intelligence: SecurityTrails, DomainTools, PassiveTotal
- Social Media: Social Searcher, Hootsuite Insights, Brandwatch
- Search Platforms: Shodan, Binary Edge, Zoomeye
Last Updated: January 2024 | CEH v12 Compatible