Ethical Hacking - Footprinting


• Footprinting is part of the reconnaissance process and is used to gather as much information as possible about a target computer system or network. Footprinting can be both passive and active. Reviewing a company's website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering.
Reconnaissance

• Information gathering and getting to know the target systems is the first process in ethical hacking. Reconnaissance is a set of processes and techniques (footprinting, scanning and enumeration) used to covertly discover and collect information about a target system.
• During reconnaissance, an ethical hacker attempts to gather as much information about a target system as possible, following the seven steps listed below:
• Gather initial information
• Determine the network range
• Identify active machines
• Discover open ports and access points
• Fingerprint the operating system
• Uncover services on ports
• Map the network
Active Reconnaissance

• In this process, you interact directly with the computer system to gain information. This information can be relevant and accurate, but there is a risk of being detected if you carry out active reconnaissance without permission. If you are detected, the system administrator can take severe action against you and trace your subsequent activities.
Passive Reconnaissance

• In this process, you are not directly connected to a computer system. It is used to gather essential information without ever interacting with the target systems.
• Footprinting is basically the first step, in which the hacker gathers as much information as possible to find ways to intrude into a target system, or at least to decide what type of attacks will be most suitable for the target.
• During this phase, a hacker can collect the following information:
• Domain name
• IP addresses
• Namespaces
• Employee information
• Phone numbers
• E-mails
• Job information
DNS
• Domain Name Server, or rather the Domain Name System (DNS), is a distributed method that helps humans remember the name of a website. Websites are hosted on servers that are reached by IP address, and humans cannot remember IP addresses (numbers) all the time. That is where DNS helps: it maps a human-readable name to the IP address, so anyone can remember the address of a website, as ethical hacking instructors explain.
Domain Name Information

• You can use http://www.whois.com/whois to get detailed information about a domain name, including its owner, its registrar, date of registration, expiry, name servers, the owner's contact information, etc.
Quick Fix

• It is always recommended to keep your domain name profile private, which hides the above-mentioned information from potential hackers.
• NSLOOKUP is used to figure out whether DNS records are configured properly or not.
• To start using NSLOOKUP, first open the COMMAND PROMPT.
• In Windows, go to the START MENU and type CMD. You will see the COMMAND PROMPT; click on CMD.EXE.
• After opening CMD, type NSLOOKUP at the COMMAND PROMPT as shown in the screenshot below.
• The first lines of the result tell us the
• Default Server: dns.google
• Address (Default Gateway).
DNS RECORD TYPE = A : SHOWS THE ADDRESS RECORD
• After the above command, type a particular domain name.
• As you can see in the above screenshot, NSLOOKUP shows
• the Name of the server – www.yahoo.com
• and, after the name, the Address of the server.
• If you type set type=A and press enter you will get the same result as shown in the above image. By default the NSLOOKUP command queries the DNS server for type A records.
DNS RECORD TYPE = MX : SHOWS THE DOMAIN MAIL SERVER
• Type set type=MX and press enter
• Now type yahoo.com
• Each MX record has its own preference, and lower numbers have a higher preference. So when mail is sent it uses the MX record with the lowest preference value; if that MX record is not reachable, then the MX record with the next higher value is used. If several MX records have the same preference value, they are all used simultaneously.
• In the above screenshot you see the mail server. This MX record means that the yahoo.com website has a mail exchange record. The MX record, or mail exchange record, tells the mail delivery destination for a particular domain, i.e. webimprints.com as shown above.
DNS RECORD TYPE = CNAME : SHOWS CANONICAL NAME
• Type set type=CNAME and press enter
• Now type yahoo.com
• In the above screenshot you see where a canonical name points. This CNAME record means that the website of webimprints.com has an alias name pointing to another name.
• A CNAME (canonical name) record maps the domain or a subdomain to a different domain. For each CNAME record, DNS lookups use the target domain's DNS resolution as the resolution of the alias.
• When a name server is requested, the first DNS lookup will try to find the CNAME entry whose target is the name server.
• CNAME records exist so that domains can share the same canonical name. You should not use a CNAME record to send/receive e-mail, as mail servers handle such mail in an abrupt manner. The target domain of a CNAME record should also have a normal A record.
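The MX preference rules and the CNAME caveat above can be checked against a zone's own records. The following Python script is an added example, not part of the original slides; it runs over a constructed sample zone (no real lookups) with hypothetical example.test names, orders MX hosts the way a sending mail server would, follows CNAME chains, and flags dangling aliases and MX targets that are CNAMEs.

```python
from collections import defaultdict

# Constructed sample zone (not real DNS answers), in the shape nslookup shows:
# (name, type, value). MX values are (preference, host) tuples.
ZONE = [
    ("example.test", "A", "192.0.2.10"),
    ("www.example.test", "CNAME", "example.test"),
    ("blog.example.test", "CNAME", "ghost.example.test"),   # dangling alias: no A at the end
    ("example.test", "MX", (10, "mx1.example.test")),
    ("example.test", "MX", (10, "mx2.example.test")),        # same preference as mx1
    ("example.test", "MX", (20, "backup.example.test")),     # fallback host
    ("mx1.example.test", "A", "192.0.2.20"),
    ("mx2.example.test", "A", "192.0.2.21"),
    ("backup.example.test", "CNAME", "example.test"),        # MX target must not be a CNAME
]

def records(zone, name, rtype):
    """All values of the given record type owned by `name`."""
    return [v for n, t, v in zone if n == name and t == rtype]

def resolve_a(zone, name, max_hops=8):
    """Follow CNAME aliases the way a resolver does; return A records, or [] if dangling/looping."""
    seen = set()
    while name not in seen and len(seen) < max_hops:
        addrs = records(zone, name, "A")
        if addrs:
            return addrs
        seen.add(name)
        targets = records(zone, name, "CNAME")
        if not targets:
            return []          # alias chain ends at a name with no A record
        name = targets[0]
    return []                  # loop or too many hops

def mx_delivery_order(zone, domain):
    """Group MX hosts by preference: lowest number first, equal numbers used together."""
    groups = defaultdict(list)
    for pref, host in records(zone, domain, "MX"):
        groups[pref].append(host)
    return [sorted(groups[p]) for p in sorted(groups)]

def audit(zone):
    """Return findings a domain owner would want to fix before relying on these records."""
    findings = []
    for name, rtype, value in zone:
        if rtype == "CNAME" and not resolve_a(zone, name):
            findings.append(f"CNAME {name} -> {value} has no A record at the end of the chain")
        if rtype == "MX" and records(zone, value[1], "CNAME"):
            findings.append(f"MX {value[1]} for {name} is a CNAME; MX targets need a plain A record")
    return findings
```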
DNS RECORD TYPE = NS : SHOWS HOST NAME SERVER
• Type set type=NS and press enter
• Now type yahoo.com
• In the above screenshot you see a host name server. This name server is the NS record for the webimprints.com domain. This NS record means that the yahoo.com website has 5 host DNS servers.
• At the root level it is important that there are some trustworthy name servers configured to respond to queries against a domain name, as ethical hacking specialists explain.
• A nameserver is a server that has a DNS package installed on it. So a nameserver owned by a web host is specifically used to manage the domain names associated with their web hosting customers.
• Requests to the DNS are sent randomly across the name servers; if one host is not responding, another host will be used.
DNS RECORD TYPE = SRV : INDICATE
AUTHORITY FOR DOMAIN
• Type set type=SRV and press enter
• Now type yahoo.com
DNS RECORD TYPE = RP : RESPONSIBLE PERSON
• Type set type=RP and press enter
• Now type yahoo.com
• RP stores the e-mail address of whoever is holding the domain. RP actually points out the person responsible for the host.
• The mailbox name is stored with a single space before the pointer to more information.
DNS RECORD TYPE = HINFO : HOST INFORMATION HOLDS
These pointed records are the TXT records for the webimprints.com domain.
• This TXT record means that the website has records that are not used for direct traffic.
• The TXT record provides text information for other sources on the Internet. This text can be human readable or machine readable.
• TXT can hold the domain name, its contact number and address.
• TXT records have some common uses, like DomainKeys (DK), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
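Since the most common use of TXT records is SPF, a domain owner reviewing their own TXT records wants to know whether the SPF policy is sound. This Python checker is an added example, not from the original slides; the TXT strings are constructed samples for hypothetical example.test domains, and the checks (the 10-lookup limit and a permissive "all" qualifier) are standard SPF rules.

```python
import re

# Constructed sample TXT records (not real lookups), quoted the way nslookup prints them.
SAMPLE_TXT = {
    "good.example.test": '"v=spf1 mx a include:_spf.mail.example.test -all"',
    "weak.example.test": '"v=spf1 ip4:192.0.2.0/24 +all"',
    "many.example.test": '"v=spf1 ' + " ".join(f"include:s{i}.example.test" for i in range(11)) + ' ~all"',
}

# Mechanisms that cost a DNS lookup when evaluated; SPF allows at most 10 per record.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms; None if not SPF."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=](.*))?", term, re.I)
        if m:
            parsed.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return parsed

def audit_spf(txt):
    """Return a list of findings about one SPF record; an empty list means no issues found."""
    terms = parse_spf(txt)
    if terms is None:
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    lookups = sum(1 for _, mech, _ in terms if mech in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the SPF limit of 10 (permerror)")
    all_terms = [q for q, mech, _ in terms if mech == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted senders are neutral by default")
    elif all_terms[-1] in ("+", "?"):
        findings.append(f"'{all_terms[-1]}all' lets any host send mail for the domain")
    return findings
```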
Finding IP Address

• You can use the ping command at your prompt. This command is available on Windows as well as on Linux.
$ ping yahoo.com
Finding Hosting Company

• Once you have the website address, you can get further detail by using the ip2location.com website. Following is the example to find out the details of an IP address:
• Here the ISP row gives you the details about the hosting company, because IP addresses are usually provided by hosting companies only.
Quick Fix
• If a computer system or network is linked with the Internet
directly, then you cannot hide the IP address and the related
information such as the hosting company, its location, ISP, etc.
If you have a server containing very sensitive data, then it is
recommended to keep it behind a secure proxy so that
hackers cannot get the exact details of your actual server. This
way, it will be difficult for any potential hacker to reach your
server directly.
• Another effective way of hiding your system IP and ultimately
all the associated information is to go through a Virtual
Private Network (VPN). If you configure a VPN, then the
whole traffic routes through the VPN network, so your true IP
address assigned by your ISP is always hidden.
IP Address Ranges

• Small sites may have a single IP address associated with them, but larger websites usually have multiple IP addresses serving different domains and sub-domains.
• You can obtain the range of IP addresses assigned to a particular company using the American Registry for Internet Numbers (ARIN).
• You can enter the company name in the highlighted search box to find out a list of all the IP addresses assigned to that company.
History of the Website

• It is very easy to get a complete history of any website using www.archive.org.
• You can enter a domain name in the search box to find out how the website looked at a given point in time and what pages were available on the website on different dates.
Quick Fix
• Though there are some advantages to keeping your website in an archive database, if you do not want anybody to see how your website progressed through different stages, then you can request archive.org to delete the history of your website.
