Recon and Footprinting in hacking

the first step toward hacking

Reconnaissance plays a very important role in a successful hack. Recon and footprinting are so important that all bug bounty hunters and ethical hackers spend almost 30% to 40% of their time on it. It is all about gathering valuable information about the target: open ports, the services running on them, vulnerabilities in the system and network, the operating system and so on. This information is then used in the hacking and exploitation phases that follow.
Reconnaissance is the process of getting to know our target thoroughly.

Types of Reconnaissance

There are two types of recon: passive recon and active recon. Both have their advantages and disadvantages.

Passive Recon - Passive recon is like watching the target without interacting with it, which is why it is stealthy and undetectable.
Because there is no interaction, it yields less valuable information and is slower than active recon, but being undetectable really helps in cases where anonymity for the attacker is a must.
Gathering information without making active connections is done with many tools and programs, which we will see further on in this tutorial.

Active Recon - In active recon we use many tools and programs that interact with the target, sending requests to it and gathering information about the target system thoroughly.
We can get the maximum information about the target, but the disadvantage is that firewalls, IDS and other intrusion detection systems can catch us because of the increased number of requests we make; this makes it noisy and not good for a stealthy attack, although some tricks, such as the Nmap stealth scan, can make it quieter.
In many cases, though, it is fine to be noisy and get information fast, and active recon works perfectly there.

We have seen the types of recon; now it is time to introduce the common terms used in recon.

  • Discovery: First of all we need to know who our possible targets are, and then learn everything about them: who they are and what they offer.

  • Port Scanning: ports are used to connect to applications and services and to manage those connections. Open ports are something that should be avoided, because they can be exploited very easily. Many services and applications run through ports, and scanning the ports gives information about all of them.
  • OS Fingerprinting: the target's operating system plays a very important role while hacking, because many attacks and exploits only work on a specific operating system and version, so make sure to identify the OS during recon. For example, attacks on Windows servers do not work on Linux-based servers.
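Because active recon is noisy (the firewall and IDS warning above), the defender's side of port scanning is detecting it. Added example, not part of the original post: a small Python detector that reads constructed firewall log lines in an assumed key=value format and flags any source that touches at least ten distinct destination ports within a sixty-second window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in an assumed syslog-like key=value format,
# not the output of any real product. 203.0.113.7 sweeps ten ports in a few
# seconds; 198.51.100.4 is an ordinary client that only talks to 80 and 443.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DROP src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2024-05-01T10:00:00 DROP src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2024-05-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2024-05-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2024-05-01T10:00:02 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2024-05-01T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp
2024-05-01T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=139 proto=tcp
2024-05-01T10:00:03 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2024-05-01T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2024-05-01T10:00:07 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T10:00:09 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \w+ src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")

def parse_log(text):
    # Yield (timestamp, source IP, destination port); ignore lines that do not match.
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])

def detect_port_sweeps(text, window_seconds=60, min_ports=10):
    # Return {src: distinct port count} for every source that touches at least
    # min_ports distinct destination ports inside any window_seconds window.
    per_src = defaultdict(list)
    for ts, src, dport in parse_log(text):
        per_src[src].append((ts, dport))
    alerts, window = {}, timedelta(seconds=window_seconds)
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until it lies within window_seconds of the end
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts
```

Real scanners spread probes over hours to stay under such thresholds, so lengthen the window and lower the port count when tuning this against your own logs.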
Now we'll see how it works.

1) Whois lookup

WHOIS, usually read as 'who is', is an internet-based query and response protocol for domain lookups that can provide lots of information about a domain name: the servers in the domain, owner information such as location, the services they use and much more that can be put to use.
WHOIS also gives the domain's IP block, autonomous systems and other information in a human-readable format.
Just search for whois on Google, open one of the lookup sites and type in the website name you want to know about.
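Added example, not from the original post: a Python parser for the 'Key: Value' layout a WHOIS lookup returns, run over a constructed record for a fictitious domain. It pulls out the name servers, domain age, time to expiry, whether registrant details are redacted, whether DNSSEC is enabled and whether a transfer lock is set, which is what you check when reviewing your own domain's exposure. The record text, the domain and the analysis date are assumptions.

```python
from datetime import datetime, timezone

# Constructed WHOIS response for a fictitious domain, in the common "Key: Value"
# layout most registries return; every value here is made up for this example.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, LLC
Creation Date: 2015-03-14T09:26:53Z
Registry Expiry Date: 2025-03-14T09:26:53Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: US
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-05-01T00:00:00Z <<<
"""
# Assumed date on which the lookup is being analysed (matches the banner above).
TODAY = datetime(2024, 5, 1, tzinfo=timezone.utc)

def parse_whois(text):
    # Turn "Key: Value" lines into {key: [values]}; keys such as Name Server
    # repeat, so every key maps to a list. Comment and banner lines are skipped.
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")) or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        record.setdefault(key, []).append(value)
    return record

def _parse_ts(value):
    # Registry timestamps are ISO 8601 with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def footprint_summary(text, today):
    # Reduce a raw record to the fields worth noting: who runs DNS, how old the
    # domain is, how close it is to expiring, and what the owner has exposed.
    rec = parse_whois(text)
    created = _parse_ts(rec["Creation Date"][0])
    expires = _parse_ts(rec["Registry Expiry Date"][0])
    return {
        "domain": rec["Domain Name"][0].lower(),
        "registrar": rec["Registrar"][0],
        "name_servers": [ns.lower() for ns in rec.get("Name Server", [])],
        "age_days": (today - created).days,
        "days_to_expiry": (expires - today).days,
        "registrant_redacted": "REDACTED" in rec.get("Registrant Organization", [""])[0].upper(),
        "dnssec_signed": rec.get("DNSSEC", ["unsigned"])[0].lower() != "unsigned",
        "transfer_locked": any("TransferProhibited" in s for s in rec.get("Domain Status", [])),
    }
```

An unredacted registrant block, an unlocked domain or an expiry only weeks away are the findings that matter when the domain being reviewed is your own.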


2) Censys

Censys does a good job of scanning IP addresses and gathering information from a set of different ports. It gives us an overview of what lives on a system with the help of TLS handshakes, certificates, DNS configuration and many more things.
Censys gives detailed data from scans of the ports and services used by the target and returns the freshest and most thorough results.
It gives actionable security insights about your attack surface.

3) Shodan

Shodan is a search engine for information gathering and recon that gives tons of data about a target, which can be filtered by ports, services, hostnames, etc.
We can also search by the product a target uses, such as an Nginx server: we can query for that product and search for its instances.
Shodan is also very good at finding IoT devices connected to the network and who is using them, and much more, which is the best thing about it.
It lets us understand the digital footprint of a target and uncover what is directly accessible from the internet.

4) Archive.org

Archive.org (or the Wayback Machine) gives us all the data a website had in the past, even if it has since been deleted or removed.
All we have to do is visit archive.org and search for our target; it gives us a timeline from when the website started, when posts were updated, etc. Just select the year and date you want to see and uncover the lost sensitive data.
Simple, but sometimes effective.


5) Google Hacking Database

Google is normally used to search for different websites and gives us plain results.
The GHDB, however, is a set of search queries (usually called dorks) that surface publicly available information that a normal Google search does not show.
For example, searching a dork like intitle: followed by a keyword gives all sites that have that keyword in their title; inurl: works the same way for URLs.


All of the above are passive recon, but Nmap is an active one, and the only one you need. It can gather all the information about DNS, servers, IP addresses and much more.

I already posted a tutorial about Nmap; check it out.
Recon and footprinting is the process of collecting as much information as possible about a target network. This gives us a blueprint of the attack to be done; the information gathered by recon and footprinting can be very useful in further attacks and exploitation.
The term blueprint is used because it gives a detailed structure of the target to be attacked and makes it much easier to attack the vulnerable point instead of trying everything and getting frustrated.
Footprinting is done to:
  1. Reduce the attack area for faster attacking.
  2. Get to know the security of the target.
  3. Build an information database to be used in an attack.
  4. Generate network maps.

Other methods of recon and footprinting include:

  1. Using social networking sites
  2. Communicating with the target directly (social engineering)
  3. Through job portals
  4. Email footprinting

Why it is necessary

Let's assume the scenario where you want to hack someone's bank account with phishing.
Throwing just any bank scam page at the person will alert them that it is fraud, and they may complain to cybersecurity or become even more wary about security. But if you recon and footprint the target carefully, you gain information that makes the target really trust your mail and fill in the information.

This is my technique; you can use your own, there are lots of approaches out there.
So this is it for recon and footprinting, stay tuned for the next steps.

till then..

Happy Hacking..😊
