MODULE-2
Footprinting & Reconnaissance
NOTE: Shutting down or restarting the labs, making modifications to
the software, or performing any updates is strictly prohibited.
Doing so will result in the termination of your lab access.
Footprinting and reconnaissance
Footprinting and reconnaissance are the initial information-gathering and
intelligence-gathering phases in cybersecurity and ethical hacking.
Lab objectives:
• Footprinting involves collecting information about a target system or
organization to understand its network architecture, infrastructure, and
potential vulnerabilities.
• It includes passive data collection methods like searching public
information, social media, WHOIS databases, and other publicly available
resources to gather details about the target.
• The aim is to gather as much information as possible without directly
interacting with the target, helping hackers identify potential entry points
and weaknesses in the system's security.
• Reconnaissance, also known as "scanning," is an active information-gathering
phase.
• It involves probing the target system or network using tools and
techniques to collect specific information like IP addresses, open ports,
services running on those ports, and potential vulnerabilities.
• Reconnaissance may include techniques like port scanning, network
mapping, and vulnerability scanning to gain deeper insights into the
target's security posture.
• The data obtained during reconnaissance helps in developing a more
targeted and informed approach for subsequent stages of ethical hacking
or penetration testing.
Step 1. Start the labs by clicking the [ START LABS ] button.
Users will be redirected to the lab environment.
Right-click on the Windows 10 machine and click "Open in new tab".
In the new tab, users can access the Windows 10 environment directly.
Open File Explorer and, within the Documents folder, locate the "Tools"
directory. This folder contains the tools used in each module, collected
there for user convenience and easy access.
LAB-1
Performing Footprinting Through Search Engines
Performing footprinting using Google dorks involves using specific search
queries or operators within Google's search engine to find sensitive
information or vulnerabilities on the internet.
1. Turn on the Windows 10 machine and open any browser.
2. Go to google.com
3. Type intitle:password site:google.com
The Google dork "intitle:password site:google.com" finds web pages
within the google.com domain whose title tag contains the term
"password".
4. Type site:google.com filetype:pdf
The search query "site:google.com filetype:pdf" restricts the search
results to PDF documents hosted within the google.com domain.
5. When you open any of the links, it displays a PDF document matching
the search query.
6. Similarly, there are various other Google dorks such as "allinurl,"
"intitle," and more, each serving a different search function and
refining the results based on specific URL or page-title parameters.
allinurl:
• This operator searches for URLs containing all specified terms.
• Example: allinurl: cybersecurity training will find URLs that contain both
"cybersecurity" and "training" in their addresses.
intitle:
• Searches for pages with specific words in their title.
• Example: intitle:login google will show pages that have "login" and "google"
in their titles.
intext:
• Helps find pages with specific words in their text.
• Example: intext:Python programming will display pages containing the phrase
"Python programming" in their content.
inurl:
• Finds URLs containing a specific word or phrase.
• Example: inurl:login page will display URLs that contain "login" in their
address.
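As an added example (not part of the original lab), the following Python script applies the operators listed above to a constructed inventory of a site's own pages, so a site owner can check which pages a given dork would surface once a search engine indexes them; the page list and the parse_dork/page_matches/audit names are assumptions made for this example.

```python
from urllib.parse import urlparse
# Constructed inventory of a hypothetical site's pages (not real data), e.g. from its sitemap.
PAGES = [
    {"url": "https://example.com/docs/guide.pdf", "title": "Admin Guide",
     "text": "The default password is set during installation"},
    {"url": "https://example.com/reset", "title": "Forgot password",
     "text": "Enter your email address to reset"},
    {"url": "https://example.com/blog/python", "title": "Python programming tips",
     "text": "Python programming basics for beginners"},
    {"url": "https://other.example.net/login", "title": "Staff login",
     "text": "Username and password"},
]

def parse_dork(dork):
    """'intitle:password site:example.com' -> [(operator, value), ...].
    allinurl/allintitle take every remaining word; a bare word is a keyword."""
    terms, tokens = [], dork.split()
    for i, tok in enumerate(tokens):
        op, sep, value = tok.lower().partition(":")
        if sep and op in ("allinurl", "allintitle"):
            rest = ([value] if value else []) + [w.lower() for w in tokens[i + 1:]]
            terms.append((op, rest))
            break
        if sep and op in ("site", "intitle", "inurl", "intext", "filetype"):
            terms.append((op, value))
        else:
            terms.append(("keyword", tok.lower()))
    return terms

def page_matches(page, terms):
    """True when every term of the dork holds for this page."""
    url, title, text = (page[k].lower() for k in ("url", "title", "text"))
    host, path = urlparse(url).hostname or "", urlparse(url).path
    for op, val in terms:
        if op == "site":  # exact host or any subdomain of it
            ok = host == val or host.endswith("." + val)
        elif op == "filetype":
            ok = path.endswith("." + val)
        elif op in ("allintitle", "allinurl"):
            ok = all(w in (title if op == "allintitle" else url) for w in val)
        else:  # intitle, inurl, intext, or a bare keyword (title or body text)
            ok = val in {"intitle": title, "inurl": url, "intext": text}.get(op, title + " " + text)
        if not ok:
            return False
    return True

def audit(dork, pages=PAGES):
    """URLs from the inventory that the given dork would surface."""
    return [p["url"] for p in pages if page_matches(p, parse_dork(dork))]
```

Running audit("intitle:password site:example.com") against the sample inventory returns only the password-reset page, which is the kind of result worth reviewing before the page is publicly indexed.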
Task-2: Gathering information through IoT search engines.
IoT (Internet of Things) search engines are specialized tools used to
discover and gather information about connected devices, their
configurations, and publicly available IoT-related data.
Step 1. Open the shodan.io website.
• Shodan is a popular search engine for IoT devices. It allows users to search for
specific devices, services, or protocols across the internet.
• Users can search for specific IoT devices using keywords or filters. For
example, searching for "webcam" or "printer" might reveal publicly accessible
devices.
Step 2. Search for "amazon", or for any service name or port number such
as ftp or 21, as shown in the image.
A search query like this returns information about publicly exposed
services that might have vulnerabilities. The results may include details
about the matching devices, such as IP addresses, locations,
configurations, and possibly whether they have known vulnerabilities.
Since vsftpd is a popular FTP server software, finding instances of it
through Shodan could help identify potential targets or systems for
further analysis regarding their security status. However, note that
finding vsftpd instances doesn't necessarily imply they're all vulnerable;
it depends on various factors, including specific configurations and
patch levels.
LAB-2
Performing Footprinting Through Web Services
Footprinting through web services involves collecting data on a target's
online presence and systems by using search engines, specialized tools,
and website analysis to gather information on infrastructure,
technologies, and potential vulnerabilities. This process aims to map and
understand the digital footprint of an organization or service.
Task-1: Finding a company's domains and subdomains using the Netcraft
tool
Step1. Visit https://netcraft.com
Step 2. Click on Resources and then on Research Tools, as shown in the
image.
Step 3. Click on Site Report, as shown in the image.
Step 4. Enter any domain you would like to look up and click the Lookup
button.
The site report for microsoft.com displays network information,
background details, and other relevant information.
Step 5. In the Network section, click on microsoft.com in the Domain
field; this brings up the subdomains of microsoft.com.
The result lists the subdomains of Microsoft along with some information
about each.
Task-2: Gather emails using the theHarvester tool
TheHarvester is an open-source tool utilized for cybersecurity
reconnaissance, collecting email addresses, subdomains, and related
data from public sources. It aids in understanding a target's online
presence and potential security vulnerabilities.
Step 1. Log in to the Linux (Parrot OS) machine.
Step 2. Clone the theHarvester tool into Parrot OS:
git clone https://github.com/laramies/theHarvester.git
Step 3. Navigate into the theHarvester folder by changing the directory:
cd theHarvester
Now install the requirements:
pip3 install -r requirements.txt
Step 4. Now run python3 theHarvester.py
Step 5. Now find subdomains using the theHarvester tool:
python3 theHarvester.py -d Microsoft.com -l 200 -b bing
In this command, -d sets the target domain ("microsoft.com"), -l limits
the output to a maximum of 200 results, and -b selects the data source
(bing here; google is another supported source).
The search results from theHarvester display the discovered subdomains
linked to microsoft.com.
Task-3: Find out the target operating system using
Censys
Censys is a search engine that specializes in internet-wide scanning
and indexing of various devices, networks, and systems. It helps users
discover and analyze connected devices, internet-facing servers, and
their configurations.
Step 1. Visit censys.com
Step 2. Click on Censys Search.
As you can see, the search results display basic information about the
operating system, details related to Microsoft, and other network-related
information about the target.
LAB-3
Performing Footprinting Through Social Networking
Sites
Footprinting through social networking sites refers to the process of
gathering information about someone using their online presence,
particularly on social media platforms. This information can include
personal details, interests, connections, activities, and more.
Step 1. Clone the Sherlock tool into Parrot OS:
git clone https://github.com/sherlock-project/sherlock.git
Step 2. Now navigate into the sherlock folder and install the
requirements:
cd sherlock
pip3 install -r requirements.txt
Step 3. Now navigate into the second sherlock folder inside the tool:
cd sherlock
Step 4. Now run the tool using Python:
python3 sherlock.py satyanadella
This assumes the Sherlock tool is installed and searches for the
username "satyanadella".
LAB-3
Performing Website Footprinting
Website footprinting involves gathering information about a site's
ownership, infrastructure, and technology stack, often using WHOIS,
DNS enumeration, and web server identification tools to understand its
structure and potential vulnerabilities.
Task-1: Gather information about the target using the ping tool
Step 1. Log in to the Windows 10 machine.
Step 2. Open cmd.
Step 3. Type:
ping google.com
Note the target IP address; you can also see the ping statistics of
the target.
Task-2: Gather information about the target using
Website Informer
Step 1. Visit website.informer.com
Step 2. Search for google.com
The search result for google.com contains general info, WHOIS data,
statistics, and other network information.
Task-3: Gather information about the target using
Web Data Extractor
Step 1. Open Windows 10.
Step 2. Click on File Explorer and navigate to Documents.
Step 3. Click on Tools and navigate to Module2 Tools > Web Spiders >
Web Data Extractor.
Step 4. Now install the tool.
Step 5. Double-click the file; the main screen appears.
Step 6. Click on New to start a new session, enter google.com in the
URL field, and tick the settings as shown in the image.
Step 7. Now click on Start.
Task-4: Clone a target website using the HTTrack Website
Copier tool
Step 1. In the Windows 10 lab machine, navigate to Documents > Tools >
Module 2 > Website Mirroring Tools > HTTrack.
Step 2. Double-click the file and install it.
Step 3. The HTTrack Website Copier wizard opens.
Step 4. Click on Next.
Step 5. Give the project any name and click Next.
Step 6. Enter any URL and click on Set Options.
Step 7. Click on Scan Rules, tick the three boxes, and click OK.
Step 8. Click Next.
Step 9. Check "Disconnect when finished" and click on Finish.
Step 10. The site cloning progress starts.
Step 11. Upon completion, a "Browse Mirrored Website" option is shown; click on it.
Step 12. It opens the mirrored website in Firefox.
Step 13. Analyze all directories, HTML, images, site structure and other files.
Step 14. Once done, click on Finish and exit.
LAB-4
Performing WHOIS Footprinting
WHOIS footprinting refers to the practice of gathering information
about domain registrations using WHOIS databases. This involves
retrieving details such as the domain owner's name, contact information,
registration and expiration dates, domain registrar, and sometimes
technical information related to the domain.
Task-1: Perform a WHOIS lookup using the DomainTools whois
service.
Step 1. Visit https://whois.domaintools.com/
Step 2. Enter the URL of any website.
Step 3. The search result displays organization details such as network
information, registration date, domain owner, IP address, location, etc.
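As an added example, not part of the lab, the script below parses a constructed WHOIS reply in the "Key: value" layout these lookups return, extracts the fields the task names (registrar, registration and expiry dates, name servers) and flags a domain approaching expiry or a redacted contact; the sample record and the parse_whois/summarize names are assumptions.

```python
from datetime import date
# Constructed WHOIS reply for a hypothetical domain (not a real record), in the
# "Key: value" layout that registry WHOIS servers and DomainTools display.
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE-LAB.COM
Registrar: Example Registrar, Inc.
Creation Date: 2015-08-14T04:00:00Z
Registry Expiry Date: 2026-08-13T04:00:00Z
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-LAB.COM
Name Server: NS2.EXAMPLE-LAB.COM
>>> Last update of WHOIS database: 2025-06-01T00:00:00Z <<<
"""

def parse_whois(raw):
    """Collect 'Key: value' lines into a dict keyed by lower-case field name;
    repeated fields (Name Server) become lists and the '>>>' trailer is skipped."""
    record = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only, so dates keep theirs
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key in record:  # a second Name Server line turns the value into a list
            record[key] = (record[key] if isinstance(record[key], list) else [record[key]]) + [value]
        else:
            record[key] = value
    return record

def summarize(record, today_iso):
    """Fields the task names plus two owner checks: days until expiry (a lapsed
    domain can be registered by anyone) and whether the contact is redacted."""
    expires = date.fromisoformat(record["registry expiry date"][:10])
    days_left = (expires - date.fromisoformat(today_iso)).days  # today_iso: 'YYYY-MM-DD'
    ns = record.get("name server", [])
    return {
        "domain": record["domain name"].lower(),
        "registrar": record["registrar"],
        "created": record["creation date"][:10],
        "expires": expires.isoformat(),
        "days_to_expiry": days_left,
        "renewal_warning": days_left < 90,
        "name_servers": [n.lower() for n in (ns if isinstance(ns, list) else [ns])],
        "contact_redacted": "redacted" in record.get("registrant email", "").lower(),
    }
```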
LAB-5
Performing DNS Footprinting
DNS footprinting involves the process of gathering information about a
domain's DNS (Domain Name System) infrastructure. This includes
obtaining details such as IP addresses associated with the domain, mail
servers, name servers, and other DNS records related to the domain.
Task-1: Gather DNS information using the nslookup
command-line tool
Step 1. Open a command prompt in the Windows lab machine.
Step 2. Type nslookup and press Enter.
Step 3. Now type:
set type=a
testphp.vulnweb.com
This displays the IP address of the target website.
Step 4. Now type:
set type=cname
testphp.vulnweb.com
This returns the primary name server along with the responsible mail
address, as shown in the image.
Task-2: Perform a reverse DNS lookup using dnsrecon and Reverse IP
Domain Check.
Step 1. Visit https://yougetsignal.com/
and click on Reverse IP Domain Check.
Step 2. Now enter any URL and click on Check.
The result shows that the listed domains are hosted on the same server
as testphp.vulnweb.com.
Task-3: Perform a reverse DNS lookup using dnsrecon
Step 1. Open the Parrot OS lab machine.
Step 2. Type dnsrecon and press Enter.
Step 3. If you see a "command not found" error, type:
sudo apt-get install dnsrecon
Step 4. Run:
dnsrecon -d bing.com
Here -d stands for domain.
This displays the results for the target: name servers, mail servers,
TXT records, and IP addresses.
This concludes the demonstration of gathering information about the
target by performing a reverse DNS lookup with YouGetSignal and the
dnsrecon tool.
Task-4: Perform network footprinting using tracert and
traceroute.
Step 1. Open a command prompt in the Windows 10 lab machine.
Step 2. Type:
tracert google.com
This displays the hops the packets pass through before reaching the
destination.
Step 3. Open the Parrot OS lab machine. To run a traceroute to google.com:
traceroute google.com
This concludes the demonstration of network trace routing on Windows
and Linux platforms.
Task-4: Perform footprinting using various
footprinting tools.
• BillCipher
• OSINT Framework
Step 1. Log in to the Parrot OS lab machine.
Step 2. Clone the BillCipher tool into Parrot OS and install its requirements:
git clone https://github.com/bahatiphill/BillCipher.git
cd BillCipher
pip3 install -r requirements.txt
Step 3. After installation, run:
python3 billcipher.py
Step 4. As you can see in the image, it prompts for website/IP.
Type website and press Enter; now enter any website URL and press Enter.
Step 5. Now choose an option for the information you want to collect.
Step 6. For example, here I am choosing 1.
This displays the results for TXT records, A records and other information
about the target.
Step 7. Now it prompts "do you want to continue".
Type yes and press Enter.
Step 8. It prompts you to enter website/IP; type website and hit Enter.
Step 9. Now you can choose any website: type the website name and hit Enter.
Now the process repeats; explore the various techniques and options in this
tool by following the same process as in the previous steps.
Task-5: Perform footprinting using the OSINT Framework
tool.
Step 1. Visit https://osintframework.com
Step 2. Click on any of the given options you would like to use.
Example: if you choose Domain Name, it displays the sub-resources of
that option.
Step 3. Now choose what information you would like to collect; for
example, if you want to collect subdomains of a target website, click
on Subdomains.
Step 4. This displays the different tools that can be used to fetch the
subdomains of a target; you can choose any one, or try all of them for
better results.
Step 5. Let's assume you want to choose pentester-tools.com
subdomains, as shown in the above image; click on it.
It redirects you to an external website. Enter a URL and press Start Scan.
Step 6. It takes a few minutes to find the subdomains of the target website.
Step 7. Now scroll down to see the list of subdomains of the target
website.
NOTE: After using the labs, log out of or close them.
FOR - WINDOWS:
Step 1. Click on Windows.
Step 2. Click on Power and press Disconnect, as
shown in the below image.
Step 3. Now click on Home or Logout.
FOR - LINUX:
Step 1. Click on Menu, as shown in the image.
Step 2. Click on Exit the current session.
Step 3. Click on Logout.
Step 4. You can click Home or Logout.