What is Footprinting
Refers to the process of collecting as much as information as possible about the target system to find ways to penetrate into the system. An Ethical hacker has to spend the majority of his time in profiling an organization, gathering information about the host, network and people related to the organization.
Information such as ip address, Whois records, DNS information, an operating system used, employee email id, Phone numbers etc is collected.
Footprinting helps to
Know Security Posture – The data gathered will help us to get an overview of the security posture of the company such as details about the presence of a firewall, security configurations of applications etc.
Reduce Attack Area – Can identify a specific range of systems and concentrate on particular targets only. This will greatly reduce the number of systems we are focussing on.
Identify vulnerabilities – we can build an information database containing the vulnerabilities, threats, loopholes available in the system of the target organization.
Draw Network map – helps to draw a network map of the networks in the target organization covering topology, trusted routers, presence of server and other information.
Objectives of Footprinting
This is the process of collecting information related to a target network. Information like Domain name, subdomains, network blocks, IP addresses of reachable systems, IDSes running, Rouge websites/private websites, TCP & UDP services running, VPN points, networking protocols, ACL’s, etc are collected.
Collect System Information
The information related to the target system like user and group names, system banners, routing tables, SNMP information, system names etc are collected using various methods.
Collect Organization’s information –
The information related to employee details, organization website, Location details, security policies implemented, the background of the organization may serve as an important piece of information for compromising the security of the target using direct or social engineering attacks.
Various methods used to collect information about the target organization. They are
Footprinting through Search Engines
This is a passive information gathering process where we gather information about the target from social media, search engines, various websites etc. Information gathered includes name, personal details, geographical location detrails, login pages, intranet portals etc. Even some target specific information like Operating system details, IP details, Netblock information, technologies behind web application etc can be gathered by searching through search engines
Eg: collecting information from Google, Bingo etc
Google hacking refers to collecting information using google dorks (keywords) by constructing search queries which result in finding sensitive information.details collected include compromised passwords, default credentials, competitor information, information related to a particular topic etc.
Eg:inurl:, site:, allintitle etc
Examining HTML Source and Examining Cookies:
Html source codes of a web application may give us an understanding of the application functionality, hidden fields, comments, variable names etc. Cookies are used to identify a user in his session. these cookies may be stored in the browser or passed in the URL, or in the HTTP header.
The entire website can be mirrored using tools like HTTtracker to gather information at our own phase.
Extract website Archives: older versions of website can be obtained
which may reveal some information related to the target.
email header reveals information about the mail server, original sender’s email id, internal IP addressing scheme, as well as the possible architecture of the target network
Competitive intelligence gathering is the process of gathering information about the competitors from resources such as the Internet.
Eg: company website, search engine, internet, online databases, press releases, annual reports, trade journals
Google Hacking/Google Dorks
This is a process of creating search queries to extract hidden information by using Google operators to search specific strings of text inside the search results.
Some google operators, site, allinurl, inurl, allintitle
Whois databases and the servers are operated by RIR – Regional Internet Registries. These databases contain the personal information of Domain Owners. Whois is a Query response protocol used for querying Whois databases and its protocol is documented in RFC 3912. Whois utility interrogates the Internet domain name administration system and returns the domain ownership, address, location, phone numbers, and other details about a specified domain name.
DNS is a naming system for computers that converts human-readable domain names into computer readable IP-addresses and vice versa.DNS uses UDP port 53 to serve its requests. A zone subsequently stores all information, or resource records, associated with a particular domain into a zone file; Resource records responded by the name servers should have the following fields:
Domain Name — Identifying the domain name or owner of the records
Record Types — Specifying the type of data in the resource record
Record Class — Identifying a class of network or protocol family in use
Time to Live (TTL) — Specifying the amount of time a record can be stored in cache before discarded.
Record Data — Providing the type and class dependent data to describe the resources.
A (address)—Maps a hostname to an IP address
SOA (Start of Authority)—Identifies the DNS server responsible for the domain information
CNAME (canonical name)—Provides additional names or aliases for the address record
MX (mail exchange)—Identifies the mail server for the domain
SRV (service)—Identifies services such as directory services
PTR (pointer)—Maps IP addresses to hostnames
NS (name server)—Identifies other name servers for the domain
HINFO = Host Information Records
DNS servers perform zone transfers to keep themselves up to date with the latest information. A zone transfer of a target domain gives a list of all public hosts, their respective IP addresses, and the record type.
Footprinting through Social Engineering:
Social media like twitter, facebook are searched to collect information like personal details, user credentials, other sensitive information using various social engineering techniques. Some of the techniques include
- Eavesdropping: It is the process of intercepting unauthorized communication to gather information
- Shoulder surfing: Secretly observing the target to gather sensitive information like passwords, personal identification information, account information etc
- Dumpster Diving: This is a process of collecting sensitive information by looking into the trash bin. Many of the documents are not shredded before disposing them into the trash bin . Retrieving these documents from trash bin may reveal sensitive information regarding contact information, financial information, tender information etc.
- Footprinting countermeasures:
- Creating awareness among the employees and users about the dangers of social engineering
- Limiting the sensitive information
- encrypting sensitive information
- using privacy services on whois lookup database
- Disable directory listings in the web servers
- Enforcing security policies