The Footprinting & Reconnaissance Bible: A Detailed Guide for CEH v12

Owais Shariff
7 min read · May 27, 2024


Greetings, Cyber Sleuths! 👋🏽

In this series of articles, I will attempt to summarise everything you need to know about footprinting and reconnaissance to be able to ace the module related to it in the CEH v12 Exam Materials (although I have to admit I couldn’t spell reconnaissance myself for the life of it without autocorrect xD).

I decided to write this article because I’ve found it very hard to read through the study material of 2000+ pages. Plus, I find it difficult to engage with theoretical concepts on hacking; my learning style is more hands-on, favoring practical application. Therefore, I invested time in actively implementing the theories and lab sessions outlined in the CEH syllabus, and I made this guide for those who share similar struggles and seek a more practical approach to learning.

By the end of this, you’ll walk out an expert on reconnaissance. (Or just a creepy stalker?)… (Or both)…

What are we getting ourselves into?

I’ll start by giving you a high-level overview of what I’ll be covering in the upcoming posts.

While the CEH textbook has this elaborate diagram attempting to summarize and categorize all footprinting techniques,

We will strip this diagram down to its bare bones and cover the essential topics from it, which are:

This syllabus approach is closer to what’s followed in the lab manual and is a better way to get acquainted with the concept of footprinting.

Additionally, I will be taking the example of a fictitious company called Evil Corp to weave in narratives and come up with analogies. (Please tell me Mr. Robot fans are reading this who get the reference.)

What is Footprinting & Recon though?

So you want to hack into Evil Corp? You’ve all seen those movies where hackers just slam their fingers on the keyboard, Matrix-style, and voila, they’re in. It’s like magic, right? Yeah, well, reality check — it doesn’t quite work that way. I tried it once; all I got was carpal tunnel syndrome.

Imagine you’re planning a heist. What’s the first thing you’d do? Buy a cool mask? While that may seem tempting, if your heist turns out to be unrealistic in the first place, you’re setting yourself up for failure. So you gotta do some planning (aka recon). You’d have to figure out the guards’ schedules, where the lasers are, and if there’s a pizza delivery guy who’s always late — that’s your way in.

Throwing in a La Casa de Papel poster here to give you a good idea of the level of planning we’re talking about

In the digital world, it’s the same deal. You need to know your target — what systems they’re using, who their digital bouncers are, and if there’s a lazy admin who hasn’t updated their software since the ’90s. It’s like finding the weak link, and sometimes that weak link is as predictable as a pizza guy running late.

This high-level overview is pretty much all you need to know about why we need this stage in our hacking process.

The Big Boy (and Girl) Dictionary of Digital Detectives

While the analogy may have had you all hyped up for this series of articles, we need to hit a bit of a speedbreaker first and slow down. We need to learn some big boy (and girl) words. Because let’s face it, saying “I used a WHOIS Lookup” sounds a heck of a lot cooler than “I Googled some stuff.” So, continuing the analogy approach, here are some terms you’ll want to remember going forward.

  1. Active Footprinting: Directly interacting with the target system to gather information.
    Analogy: Knocking on someone’s door to see if they’re home.
  2. Passive Footprinting: Gathering information without direct interaction with the target system.
    Analogy: Watching a house to see who comes and goes.
  3. DNS Interrogation: Querying DNS servers to obtain information about domain names.
    Analogy: Asking the phone book for a list of people living at a specific address.
  4. WHOIS Lookup: Querying databases to retrieve information about domain registration details.
    Analogy: Looking up who owns a property in a public registry.
  5. Traceroute: Tracking the path data packets take from source to destination to map network paths.
    Analogy: Following the trail of breadcrumbs to find where they lead.
  6. Ping Sweep: Sending ICMP Echo Request packets to multiple hosts to determine which are alive.
    Analogy: Somewhat like calling multiple phones to see which ones ring.
  7. Port Scanning: Identifying open ports on a target system to determine available services.
    Analogy: Checking which doors in a building are unlocked.
  8. Banner Grabbing: Capturing the initial response from a network service to determine its version and type.
    Analogy: Reading the welcome sign to know what type of store you’re entering.
  9. Network Mapping: Creating a map of the network’s devices and their interconnections.
    Analogy: Drawing a floor plan of a building showing all rooms and connections.
  10. OS Fingerprinting: Identifying the operating system of a target system based on responses to network probes.
    Analogy: Recognizing a car’s make and model by its engine sound.
  11. Social Engineering: Manipulating people into divulging confidential information.
    Analogy: Tricking someone into giving you their password by pretending to be tech support.
  12. Website Mirroring: Downloading an entire website to examine its structure and content offline.
    Analogy: Uhh… Cloned websites your grandma enters her credit card information into after falling for a tech support scam I guess?
  13. Metadata Analysis: Extracting hidden data from files, such as author details and creation dates.
    Analogy: Checking the tags on a photo to see when and where it was taken.
  14. Email Harvesting: Collecting email addresses using techniques like web scraping.
    Analogy: Picking apples from multiple trees in an orchard.
  15. Google Dorking: Using advanced search operators to find sensitive information indexed by search engines.
    Analogy: Using special keywords to find hidden gems in a massive database. You’ll understand this in the next article. It’s basically Google on Steroids.
  16. Network Sniffing: Capturing and analyzing packets traversing a network.
    Analogy: Eavesdropping on conversations in a crowded room.
  17. IP Address Range Discovery: Identifying the range of IP addresses used by a target organization.
    Analogy: Finding out all the phone numbers in a specific area code.
  18. Reverse IP Lookup: Finding other domains hosted on the same server as the target.
    Analogy: Discovering all tenants living in a particular apartment building.
  19. Zone Transfer: Transferring the DNS zone file to obtain a list of all domain names and IP addresses in a network.
    Analogy: Getting a full list of addresses in a neighborhood from the city registry.
  20. SMTP Probing: Interacting with mail servers to gather information about email accounts and server configuration.
    Analogy: Asking a post office about how many mailboxes they manage.
  21. Web Spidering: Automatically browsing a website to collect information about its structure and links.
    Analogy: Sending a drone to explore every room in a building and make a map.
  22. Security Vulnerability Research: Identifying known vulnerabilities associated with the target’s software and hardware.
    Analogy: Checking a list of known defects in a car model to see if your car has any issues.
  23. Fingerprinting Web Applications: Determining the specific software and versions used to run a web application.
    Analogy: Identifying the brand and version of a smartphone by its features.
  24. Job Postings Analysis: Reviewing job ads to gain insights into an organization’s technology stack and infrastructure.
    Analogy: Looking at the “help-wanted” ads outside a pizza shop to see what workers they have.
  25. Physical Security Footprinting: Gathering information about the physical layout and security measures of a facility.
    Analogy: Walking around a building to note all the security cameras and entry points.
  26. Network Enumeration: Discovering devices, shares, and services on a network.
    Analogy: Counting all the devices connected to a local Wi-Fi network.
  27. VoIP Enumeration: Identifying and mapping VoIP infrastructure components.
    Analogy: Listing all the internet phone lines in an office.
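The glossary above describes what each technique looks like from the attacker's side; from the defender's side, a ping sweep and a port scan both show up as fan-out from one source in firewall logs. As an added example (not from the original article), the Python below parses a constructed log in an assumed format and flags sources that hit many hosts via ICMP echo (ping sweep) or many ports on one host (port scan) inside a sliding window; the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic). The line format is an
# assumption for this example: "<ISO time> <src> -> <dst> <proto>/<port|type>".
SAMPLE_LOG = """\
2024-05-27T10:00:01 203.0.113.5 -> 198.51.100.1 icmp/echo
2024-05-27T10:00:01 203.0.113.5 -> 198.51.100.2 icmp/echo
2024-05-27T10:00:02 203.0.113.5 -> 198.51.100.3 icmp/echo
2024-05-27T10:00:03 203.0.113.5 -> 198.51.100.4 icmp/echo
2024-05-27T10:05:00 203.0.113.9 -> 198.51.100.20 tcp/22
2024-05-27T10:05:00 203.0.113.9 -> 198.51.100.20 tcp/80
2024-05-27T10:05:01 203.0.113.9 -> 198.51.100.20 tcp/443
2024-05-27T10:05:02 203.0.113.9 -> 198.51.100.20 tcp/3389
2024-05-27T11:00:00 192.0.2.7 -> 198.51.100.20 tcp/443
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\w+)/(\w+)$")
WINDOW, FANOUT = timedelta(seconds=60), 4  # assumed window and fan-out threshold

def parse(log):
    """Yield (time, src, dst, proto, port) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, proto, port = m.groups()
            yield datetime.fromisoformat(ts), src, dst, proto, port

def fanout_alerts(events, key, target, threshold=FANOUT, window=WINDOW):
    """Report keys whose events reach >= threshold distinct target() values in a window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key(e)].append(e)
    alerts = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        for i, start in enumerate(evs):  # slide the window over each start event
            seen = {target(e) for e in evs[i:] if e[0] - start[0] <= window}
            if len(seen) >= threshold:
                alerts[k] = max(len(seen), alerts.get(k, 0))  # keep peak fan-out
    return alerts

def detect_ping_sweeps(log):
    """One source -> many hosts via ICMP echo: the glossary's ping sweep."""
    icmp = [e for e in parse(log) if e[3] == "icmp" and e[4] == "echo"]
    return fanout_alerts(icmp, key=lambda e: e[1], target=lambda e: e[2])

def detect_port_scans(log):
    """One (source, host) pair -> many TCP ports: the glossary's port scan."""
    tcp = [e for e in parse(log) if e[3] == "tcp"]
    return fanout_alerts(tcp, key=lambda e: (e[1], e[2]), target=lambda e: e[4])
```

The single 192.0.2.7 connection never crosses the threshold, which is the point of counting distinct targets per window rather than raw request volume.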

There are a bunch of tool names as well that you might encounter, like Maltego, Shodan, Netcraft, or Nmap, but since they’re tools as opposed to terms, we’ll use them soon in the upcoming articles and you’ll pick them up from there.

Next up, we’ll learn about search engines and how to use them in our recon process. You can find the next article right here:

Report an Issue to Me

If you want me to add information or sources, or have any issues with this, please contact me at owaisahmedshariff@duck.com or leave a comment below.

For sensitive reports, you can use the following public PGP key to send me a message:


You can follow me on my socials below to show your support:

Instagram: @ridiculosh

Linkedin: @owais-shariff

GitHub: @NotSooShariff

Website: osh.fyi

Twitter: @NotSoShariff

If you find this article informative, be sure to drop me a follow for the upcoming ones and also leave a reaction or comment to give me feedback.

See you in the next one!


Owais Shariff

Cybersecurity Researcher and an Easy Doxing Target 🤓