RECONNAISSANCE &

FOOTPRINTING
@mmar

2
3
Reconnaissance is the preparatory phase where an attacker
gathers as much information as possible about the target prior to
launching the attack
Reconnaissance is the process of gathering personal or sensitive
information about the target by an attacker to gain unauthorized
access to the victim's computer
 Types
 Reconnaissance by definition is not illegal and many reconnaissance techniques are
completely legal
 LegalReconnaissance
• Looking up all the information about a company available on the internet,
including published phone numbers,address etc
• Interviewing amember of the staff for aschool project

 IllegalReconnaissance
• Developing a “front” company and acting as a representative of that company,
specifically for the purpose of robbing or defrauding that target company

 QuestionableReconnaissance
• Scanning a document lying on a desk might be legal in some cases
• Dumpster diving might not be illegal in some cases
• In much of the world performing port scanislegal

5 @mmar
Reconnaissance is further sub divided into three phases
given as follow

Step-1 Step-2 Step-3

• Footprinting • Scanning • Enumeration
 Passive (0SINT)

6
FOOTPRINTING

10
Footprinting

11 @mmar
Footprinting

12 @mmar
FOOTPRINTING
through Search Engines

13
 Google Dorks
 Google hacking / Dorking utilizes Google's advanced search
engine features, which allow you to pick out custom content.
You can, for instance, pick out results from a certain domain
name using the site filter
Filter Example Description
returns results only from the
site site:tryhackme.com
specified website address

returns results that have the

inurl inurl:admin
specified word in the URL

returns results which are a

filetype filetype:pdf
particular file extension

intitle intitle:admin returns results that contain the

specified word in the title

14 @mmar
 Google Dorks
 inurl:indianairforce.nic.in intext:confidential|sensitive

15 @mmar
 Google Dorks
 The Google Hacking database (GHDB) is an index of search
queries (we call them dorks) used to find publicly available
information, intended for pentesters and security
researchers

https://www.exploit-db.com/google-hacking-database

16 @mmar
 Google Advanced
Search
 Google Advanced Search is a set of specialized search
features and filters that allow users to refine their search
queries to find more precise and specific results. It offers a
range of tools beyond the basic search bar, enabling users to
tailor their searches based on various criteria
Site or domain File Type Date Range

Language Region Usage Rights

https://www.google.com/advanced_search
17 @mmar
 Other Search
Engines

Search Engine URL Remarks

Bing https://www.bing.com/

Yandex https://yandex.com/ Russian

Baidu https://www.baidu.com/ Chinese

Privacy preserving
DuckDuckGo https://duckduckgo.com/
search Engine

18 @mmar
Image Metadata
(Exif tool)

19
 Exif tool
 Metadata is essentially data about data. In the context of images and
multimedia files, metadata can include information like the date and time
the photo was taken, camera settings, GPS location data, copyright
information, and more. ExifTool allows you to view, edit, and manipulate
this metadata, making it a useful tool for photographers, archivists, and
anyone who needs to manage or modify metadata in their files.

https://github.com/exiftool/exiftool (Kali Linux)

http://exif.regex.info/down.html
https://jimpl.com/
https://exifdata.com/
20 @mmar
Reverse Image Search

21
Using Search Engines, you can quickly discover visually similar photos from
around the web using Reverse Image Searching technology, utilizing content-
based image retrieval (CBIR) query techniques. Uploading a photograph from your
device or inputting the URL of an image, you can ask a search engine to locate and
show you related images used on other websites, either those images that are
exactly the same or the same but a different size, or those that contain similar
looking items or people. you may be able to identify where an image was taken by
recognizing a statue or building in the background that can be identified by the
Search Engine. Similarly, Search Engines may be able to locate other images of
your subject or logos on sites that identify them
 Reverse Image
Search Engines

Name URL Works well for

Bing Visual Search https://www.bing.com/visualsearch Flipped and Altered Images, and

Faces
Yandex Visual Search https://yandex.com/images/ Faces, Buildings, and Locations

Google Images Search https://www.google.com/imghp

Tineye https://tineye.com/ Logos and Alternate sized versions

of the same image.
PimEyes https://pimeyes.com/en Faces

23 @mmar
 IoT Search Engines
 Shodan: Shodan is often referred to as the "search engine for hackers" because it
allows users to search for internet-connected devices and systems based on
various criteria such as IP address, ports, banners, and more. It is commonly used
for security research, and it can be used to find vulnerable devices, industrial
control systems, webcams, and other internet-connected resources.

 Censys: Censys is another search engine that focuses on internet-wide scanning

and indexing. It provides a searchable database of information about hosts and
networks on the internet. Censys is often used for security research, asset
discovery, and monitoring internet-wide trends

24 @mmar
 Shodan

 Enumerating Devices on Shodan (Search Queries):

 port:1833 (Default MQTT Port)
 port:502 (Modbus-enabled ICS/SCADA systems)
 SCADA Country:"US“ (Search for SCADA systems using geolocation)
 “Schneider Electric” (Search for SCADA systems using PLC name)
 upnp httpd (Search for devices with UPnP functionality that also have an exposed
web server)
 Server: gSOAP/2.8" "Content-Length: 583 (Find electric Vehicle chargers)

https://securitytrails.com/blog/top-shodan-dorks

25 @mmar
 Shodan

Based on Shodan’s results, we know exactly which version of OpenSSH is running on each server. If we
click on an IP address, we can retrieve a summary of the host
26 @mmar
27 @mmar
FOOTPRINTING
through Social Media

28
29 @mmar
30 @mmar
31 @mmar
32 @mmar
33 @mmar
Leaked Credentials

34 @mmar
Leaked Credentials

35 @mmar
 Leaked Credentials

[email protected] dell6*****
[email protected] 27343945
59119138

[email protected]
CENSORED PASSWORD HASH
pakis*********** 32614a9c0df2de4368d288f0b33c70c180b88f1f
Abutt***** a5ce3c18d20098d90b695d0a75c43df99998ab61
pakis******** afce7959d4b69e9b2f8c9bb1d5773fa4f72e8458

@mmar
Leaked Credentials

37 @mmar
FOOTPRINTING
Open Source Code

38
 Open Source Code
 Code stored online can provide a glimpse into the programming languages
and frameworks used by an organization. On a few rare occasions,
developers have even accidentally committed sensitive data and credentials
to public repos (GitHub,, GitHub Gist GitLab SourceForge)

 This manual searching approach will work best on small repos. For larger
repos, we can use several tools to help automate some of the searching, such
as Gitrob and Gitleaks. Most of these tools require an access token to use the
source code-hosting provider’s API

39 @mmar
 Open Source Code
 GitHub’s search, for example, is very flexible. We can use GitHub to search a
user’s or organization’s repos; however, we need an account if we want to
search across all public repos

40 @mmar
 Open Source Code
 The following screenshot shows an example of Gitleaks finding an AWS
access key ID in a file

41 @mmar
FOOTPRINTING
Web Services

42
43 @mmar
44 @mmar
45 @mmar
46 @mmar
47 @mmar
48 @mmar
49 @mmar
FOOTPRINTING
Websites

50
 AIM
• Find Directories and pages of a website
• Find Subdomains
• Find the Technology Stack used to build the site

51
52 @mmar
53 @mmar
54 @mmar
55 @mmar
56 @mmar
Website Monitoring Tools

57 @mmar
 Finding Technology
Stack
 Wappalyzer (https://www.wappalyzer.com/) is an online tool
and browser extension that helps identify what technologies
a website uses, such as frameworks, Content Management
Systems (CMS), payment processors and much more, and it
can even find version numbers as well. BuiltWith is another
online tool that provides the same functionality
 What web is a command line utility that provides the same
information on CLI

58 @mmar
 Security Headers
and SSL/TLS
 Security Headers (https://securityheaders.com/) will analyze HTTP
response headers and provide basic analysis of the target site’s security
posture. We can use this to get an idea of an organization’s coding and
security practices based on the results

59 @mmar
 Security Headers
and SSL/TLS
 Another scanning tool we can use is the SSL Server Test from Qualys SSL
Labs (https://www.ssllabs.com/ssltest/).This tool analyzes a server’s
SSL/TLS configuration and compares it against current best practices. It
will also identify some SSL/TLS related vulnerabilities, such as Poodle or
Heartbleed

60 @mmar
61 @mmar
 Finding Subdomains
Site:microsoft.com -inurl:www

62 @mmar
63 @mmar
64 @mmar
 Finding Subdomains
https://app.pentest-tools.com/

65 @mmar
@mmar
@mmar
 Way Back
Machine
 The Wayback Machine is a historical archive of websites that
dates back to the late 90s. You can search a domain name,
and it will show you all the times the service scraped the web
page and saved the contents. This service can help uncover
old pages that may still be active on the current website.

https://archive.org/web/)

68 @mmar
69 @mmar
FOOTPRINTING
Emails

70
71 @mmar
72 @mmar
73 @mmar
74 @mmar
https://phonebook.cz/

75 @mmar
FOOTPRINTING
WHOIS INFORMATION

76
77 @mmar
78 @mmar
79 @mmar
FOOTPRINTING
DNS INFORMATION

80
81 @mmar
82 @mmar
 Record Types

Axfr Zone transfer. Includes all records

about a domain

83 @mmar
 Dig
Most common DNS Enumeration tool
DNS Enumeration swiss army knife

84
 Dig
 Dig can be used for simple domain lookup

>dig zonetransfer.me

85 @mmar
 Dig
 We can also specify the type of record with dig command

>dig ns zonetransfer.me (Name server)

>dig mx zonetransfer.me (Mail server)
>dig cname zonetransfer.me (cname record)

86 @mmar
 Host
Simplest DNS Enumeration tool

87
 Host
 Host provides a simple way to perform DNS lookups and
retrieve DNS records
>host zonetransfer.me

88 @mmar
 Host
 We can use host tool to look up a specific record

>host -t ns zonetransfer.me (Name server)

>host -t mx zonetransfer.me (Mail server)

89 @mmar
 Host
 Host can be used to map IP address to the website with
reverse lookup
>host 192.168.2.2

90 @mmar
 nslookup
(A cross platform tool for DNS
Enumeration)

91
 nslookup
 We can use nslookup on windows to enumerate dns
records

>nslookup zonetransfer.me

92 @mmar
 nslookup
 We can specify a specific record type and use the tool in an
interactive manner

>nslookup
>Set type=ns
>zonetransfer.me

93 @mmar
Zone Transfer

94
 Zone Transfer

Zone transfer is a mechanism in DNS for sharing and synchronizing

DNS database information between servers. Pentesters and hackers
can leverage zone transfer to gather intelligence about a target's DNS
infrastructure. Zone transfers provide a comprehensive list of DNS
records, including subdomains, IP addresses, and mail servers

95
 CONCEPT

1 2
Identify the name Initiate Zone
server transfer

96
 Zone transfer
 Host tool can be used to initiate zone transfer. First look for
the name server and then check if it supports zone transfer.
Try all listed name servers for best results

>host -t ns zonetransfer.me

97 @mmar
 Zone transfer

>host –l zonetransfer.me nsztm2.digi.ninja

98 @mmar
 Zone transfer

 Dig can also be used to initiate zone transfer

>dig ns zonetransfer.me
>dig axfr zonetransfer.me @nsztm2.digi.ninja

99 @mmar
 Zone transfer
 Similarly, nslookup can also be used to perform zone
transfer

>nslookup
>set type=ns
>zonetranfer.me
>server nsztm2.digi.ninja
>set type=any
>ls –d zonetransfer.me

100 @mmar
Automated tools

101
 DNS Recon
 DNSRECON is designed to automate and streamline the
process of querying DNS servers, retrieving DNS records,
and conducting various types of DNS-related scans

>dnsrecon –d zonetransfer.me –t axfr

102 @mmar
 DNS Recon
 To perform our brute force attempt, we will use the -d
option to specify a domain name, -D to specify a file name
containing potential subdomain strings, and -t to specify the
type of enumeration to perform, in this case brt for brute
force

103 @mmar
 DNS Enum

 DNSenum is another automated tool that collects all

possible information about the target

>dnsenum zonetransfer.me

104 @mmar
 Fierce
 Fierce is another tool for DNS enumeration

>fierce --domain zonetransfer.me

105 @mmar
 Historical DNS Records

https://securitytrails.com/

106 @mmar
FOOTPRINTING
Network

107
108 @mmar
109
110 @mmar
111 @mmar
112 @mmar
FOOTPRINTING
Social Engineering

113
114 @mmar
OSINT Cheat Sheet

115 @mmar
 FOOTPRINTING
Identify Target
Identify IP Network and Website Network topology
DNS, Subdomains, whois, web
Identify ASN (https://ipinfo.io/) Information technologies
Identify Servers if possible Identify Admins (whois)
https://lookup.icann.org/en/lookup
Gather Org Information
Gather Passwords
Gather Employees Emails, phone nos
Haveibeenpawned
(harverster) (hunter.io),Linkedin
breadcheddirectory
Gather documents
(google dorks)
army secret site:*.gov.in filetype:pdf

Scanning &
Enumeration
116
117
THANKS

118