Footprinting and Reconnaissance using Windows OS

Ansh Vaid
6 min read · Oct 29, 2021



This blog is a continuation of my previous blog on footprinting and reconnaissance. In this blog I am going to show how footprinting can be performed with the help of the Windows OS, first with commands built into CMD and then with a few websites.

Attention Future Hackers: nothing extra has to be installed for this blog. The commands discussed below (tracert, ping and nslookup) are built into every Windows installation and are run from the Command Prompt (CMD), so any Windows machine is enough. The Linux side, which needs a Kali Linux setup (Parrot OS works too) because the tools come preinstalled there, is covered in the next blog.

CAUTION: For practicing hacking always use only these two websites, both of which are deliberately set up as practice targets:

http://certifiedhacker.com

http://testphp.vulnweb.com

For practicing purposes there are other resources too, but as a beginner these two sites are recommended; other options will be shared by me in my upcoming blogs once you have the basic concepts. And since you are practicing hacking, you should not try any websites other than the two mentioned above: you might end up breaking something on a real website, and real websites have monitoring in place that can log your activity and lead to legal action against you.

Information Gathering By CMD Commands

Some of the commands below are harmless enough that people run them against any website, but it is still advised to stick to the two practice sites. Now let’s start with the practical side of footprinting.

1. Tracert

Use: This command shows the path (the sequence of router hops) that packets take from your machine to the target, the round-trip time to each hop, and the IP address of the target.
Syntax: tracert [URL of website] (add -d to skip the reverse DNS lookup of every hop, which makes the trace much faster)

How it works: tracert sends ICMP Echo Requests with a TTL (time to live) of 1, then 2, then 3, and so on. Each router that decrements the TTL to zero discards the packet and sends back an ICMP Time Exceeded message, and the source address of that message is what reveals the router at that hop. Three probes are sent per TTL value, so three round-trip times are displayed per hop; the round-trip time is the time taken for the probe to reach that hop’s router and for the reply to come back to your device.

In the snapshot for certifiedhacker.com the packets needed 14 hops to reach the destination. You can also see the “ * * * ” pattern in some places, printed as “Request timed out.”. This does not mean the router’s response exceeded the TTL; it means no reply came back within the timeout for that TTL, usually because the router at that hop is configured not to send ICMP Time Exceeded messages or a firewall filters them. The trace still continues to the next hop, and the target’s IP address is printed on the first line (“Tracing route to … [IP]”), so you get the address even if some hops stay silent.
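As an added example that is not part of the original blog, the following Python script parses Windows tracert output the way a practitioner would when automating this step: it pulls out the resolved target IP, the hops, the three round-trip times per hop and the hops that stayed silent. The sample output embedded in it is constructed for illustration (RFC 5737 documentation addresses), not a real trace of certifiedhacker.com; run_tracert runs the real command on a Windows machine.

```python
import re
import subprocess
from typing import Optional

# Header line of Windows tracert output, e.g. "Tracing route to host.example [203.0.113.10]"
HEADER_RE = re.compile(r"Tracing route to (\S+)(?: \[([^\]]+)\])?")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample in the exact layout tracert prints (addresses are RFC 5737
# documentation ranges, not a real trace).
SAMPLE = """\
Tracing route to certifiedhacker.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    14 ms  198.51.100.1
  3     *        *        *     Request timed out.
  4    25 ms    24 ms    26 ms  203.0.113.10

Trace complete.
"""


def parse_hop(line: str) -> Optional[dict]:
    """Parse one hop line; return None for header/footer lines."""
    parts = line.split()
    if not parts or not parts[0].isdigit():
        return None
    rtts = []
    i = 1
    # Three probes per hop: each is "*" (no reply before the timeout)
    # or a number followed by "ms" ("<1 ms" for sub-millisecond replies).
    while len(rtts) < 3 and i < len(parts):
        if parts[i] == "*":
            rtts.append(None)
            i += 1
        else:
            rtts.append(0.0 if parts[i] == "<1" else float(parts[i]))
            i += 2  # skip the "ms" token
    rest = " ".join(parts[i:])  # "192.168.1.1", "name [1.2.3.4]" or "Request timed out."
    m = IPV4_RE.search(rest)
    return {
        "hop": int(parts[0]),
        "rtts": rtts,
        "address": m.group(1) if m else None,
        "timed_out": all(r is None for r in rtts),
    }


def parse_tracert(text: str) -> dict:
    """Summarise a complete tracert run: target, hops, silent hops, whether it arrived."""
    target = target_ip = None
    hops = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            target, target_ip = m.group(1), m.group(2)
            continue
        hop = parse_hop(line)
        if hop:
            hops.append(hop)
    return {
        "target": target,
        "target_ip": target_ip,
        "hops": hops,
        "hop_count": hops[-1]["hop"] if hops else 0,
        "silent_hops": [h["hop"] for h in hops if h["timed_out"]],
        # Silent hops in the middle are normal; the trace only failed if the
        # last line is not the target itself.
        "reached": bool(hops) and hops[-1]["address"] == target_ip,
    }


def run_tracert(host: str) -> dict:
    """Run the real Windows tracert (-d skips reverse DNS, which is much faster)."""
    out = subprocess.run(["tracert", "-d", host], capture_output=True, text=True).stdout
    return parse_tracert(out)


if __name__ == "__main__":
    summary = parse_tracert(SAMPLE)
    print(f"{summary['target']} -> {summary['target_ip']}: "
          f"{summary['hop_count']} hops, silent hops {summary['silent_hops']}, "
          f"reached={summary['reached']}")
```

Hop 3 in the sample is a router that never answered, which the parser reports as a silent hop rather than a failure; the run counts as successful only because the final line carries the target’s own address.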

2. Ping

Use: With this command you get the IP address of the target; it is printed on the first line (“Pinging host [IP] with 32 bytes of data”) even when all the replies time out because ICMP is filtered. You can also find the largest packet that can travel the path to the target without being fragmented (the path MTU), a value that attackers use when crafting packets for fragmentation-based DoS attacks.
Syntax:

  1. ping [URL of website]
  2. ping -f -l {payload size in bytes} [URL of website]
    The 1st syntax is normal pinging, where you get the IP address of the website and four round-trip times. In the 2nd syntax “-f” sets the Don’t Fragment (DF) bit on the packet and “-l” sets the size of the ICMP payload in bytes. Change the size step by step: as long as the whole packet fits through every link on the path you get normal replies; once it is too large a router has to drop it and ping prints “Packet needs to be fragmented but DF set.” The boundary value is the largest payload accepted on the path. Add 28 bytes of headers (20 for IP, 8 for ICMP) to turn it into the path MTU; on an ordinary Ethernet path with a 1500-byte MTU the largest accepted -l value is 1472.
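As an added example that is not part of the original blog, this Python script automates the boundary search described above with a binary search instead of changing the value by hand: it runs ping -f -l with a single probe, treats “Packet needs to be fragmented but DF set.” (or no reply at all) as “discarded”, and converts the largest accepted payload into the path MTU. The real probe only runs on Windows (Linux ping uses different flags); simulated_probe is a constructed stand-in used for the demonstration and for testing offline. The target name defaults to certifiedhacker.com, the practice site recommended above.

```python
import subprocess
import sys
from typing import Callable

IP_HEADER = 20    # bytes of IPv4 header
ICMP_HEADER = 8   # bytes of ICMP echo header
FRAG_MSG = "Packet needs to be fragmented but DF set."

Probe = Callable[[str, int], bool]


def ping_df_probe(host: str, payload: int) -> bool:
    """Send one Windows ping with DF set and <payload> bytes; True if an echo reply came back.

    A timeout is also treated as "not accepted", so on paths that filter ICMP
    the result is a lower bound, not the true path MTU.
    """
    # -n 1: one probe, -w 2000: wait 2 s for the reply (standard Windows ping options)
    cmd = ["ping", "-f", "-l", str(payload), "-n", "1", "-w", "2000", host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    # A real echo reply carries "TTL="; the fragmentation error line does not.
    return FRAG_MSG not in out and "TTL=" in out


def find_max_payload(host: str, probe: Probe, lo: int = 0, hi: int = 1500) -> int:
    """Binary search for the largest -l value the path accepts without fragmentation.

    Assumes monotonic behaviour (if N bytes pass, every smaller size passes).
    Returns 0 when even an empty payload gets no reply, i.e. the host is unreachable.
    """
    best = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(host, mid):
            best, lo = mid, mid + 1   # accepted: try something bigger
        else:
            hi = mid - 1              # discarded: try something smaller
    return best


def payload_to_mtu(payload: int) -> int:
    """ping -l counts only the ICMP data; the packet on the wire adds 28 header bytes."""
    return payload + IP_HEADER + ICMP_HEADER


def simulated_probe(path_mtu: int) -> Probe:
    """Constructed stand-in for ping_df_probe: a path whose narrowest link has path_mtu."""
    def probe(host: str, payload: int) -> bool:
        return payload_to_mtu(payload) <= path_mtu
    return probe


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "certifiedhacker.com"
    probe = ping_df_probe if sys.platform == "win32" else simulated_probe(1500)
    best = find_max_payload(target, probe)
    print(f"largest accepted -l value for {target}: {best} bytes "
          f"-> path MTU {payload_to_mtu(best)} bytes")
```

Raise the hi bound above 1500 if you suspect jumbo frames on the path, and remember that the number found is the smallest MTU anywhere between you and the target, which is often your own uplink rather than anything on the target’s side.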

3. Nslookup

Use: With this command you query the Domain Name System (DNS) and learn which records exist for the target. Just type nslookup in CMD and press Enter. You get an interactive shell with a “>” prompt. Then set the record type you want and enter the domain name. The commonly used record types are:

  • A: the IPv4 address of a host name.
  • PTR: the host name for an IP address (reverse lookup).
  • NS: the name servers of the domain.
  • CNAME: the canonical name that an alias points to.
  • SOA: the Start Of Authority record (primary name server, admin contact, serial number and zone timers).

These types are set in the shell in the following manner: type set type=[record type] and press Enter, then type the domain name (or the IP address, for PTR) and press Enter to get the records of that type. Answers from your default resolver are marked “Non-authoritative answer” because they come from its cache; to ask a particular name server directly, type server [name server] before the query.

Syntax: nslookup (interactive), or in one line: nslookup -type=[record type] [domain] [optional name server]
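As an added example that is not part of the original blog, this Python script drives nslookup non-interactively (nslookup -type=… domain [server], the one-line form of set type= followed by the domain) and parses the Windows output into the resolver that answered, the records returned and whether the answer was authoritative. The three sample outputs are constructed in the layout Windows nslookup prints; the names and addresses in them are placeholders (example.com and RFC 5737/3849 documentation addresses), not results of real lookups.

```python
import subprocess
from typing import Optional

# Constructed samples in the layout Windows nslookup prints. The resolver,
# names and addresses are placeholders, not results of real lookups.
SAMPLE_NS = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
example.com     nameserver = ns1.example.net
example.com     nameserver = ns2.example.net
"""

SAMPLE_A = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    example.com
Addresses:  2001:db8::10
          203.0.113.10
"""

SAMPLE_MX = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
example.com     MX preference = 10, mail exchanger = mail.example.com
"""


def nslookup_cmd(domain: str, rtype: str, server: Optional[str] = None) -> list:
    """One-line equivalent of 'set type=<rtype>' then '<domain>' in the nslookup shell.

    Passing a server asks that name server instead of the default resolver,
    which is how you get an authoritative rather than a cached answer.
    """
    cmd = ["nslookup", f"-type={rtype}", domain]
    if server:
        cmd.append(server)
    return cmd


def run_nslookup(domain: str, rtype: str, server: Optional[str] = None) -> dict:
    """Run the real nslookup and parse its output."""
    out = subprocess.run(nslookup_cmd(domain, rtype, server),
                         capture_output=True, text=True).stdout
    return parse_nslookup(out)


def parse_nslookup(text: str) -> dict:
    """Split nslookup output into the resolver used and the records it returned."""
    lines = text.splitlines()
    # The block before the first blank line identifies the resolver nslookup asked.
    blank = next((i for i, l in enumerate(lines) if not l.strip()), len(lines))
    resolver = next((l.split(":", 1)[1].strip() for l in lines[:blank]
                     if l.startswith("Address:")), None)
    result = {"resolver": resolver, "authoritative": True, "name": None,
              "addresses": [], "records": [], "error": None}
    in_addresses = False
    for line in lines[blank + 1:]:
        if not line.strip():
            continue
        if line.startswith("Non-authoritative answer"):
            result["authoritative"] = False      # served from the resolver's cache
        elif line.startswith("***"):
            result["error"] = line.strip()       # e.g. "*** UnKnown can't find x: Non-existent domain"
        elif line.startswith("Name:"):
            result["name"] = line.split(":", 1)[1].strip()
            in_addresses = False
        elif line.startswith(("Address:", "Addresses:")):
            result["addresses"].append(line.split(":", 1)[1].strip())
            in_addresses = True                  # extra addresses follow on indented lines
        elif in_addresses and line[0].isspace() and "=" not in line:
            result["addresses"].append(line.strip())
        elif "=" in line:
            in_addresses = False
            # "owner   key = value[, key = value]"; owner is absent on indented SOA lines
            head = line.split(None, 1)
            rest = line.strip() if line[0].isspace() or len(head) == 1 else head[1]
            for field in rest.split(","):
                key, _, value = field.partition("=")
                result["records"].append((key.strip(), value.strip()))
    return result


if __name__ == "__main__":
    for rtype, sample in (("NS", SAMPLE_NS), ("A", SAMPLE_A), ("MX", SAMPLE_MX)):
        print(rtype, parse_nslookup(sample))
```

In practice you would first parse the NS answer, then rerun the A, MX and SOA queries with one of those name servers as the server argument so the answers come straight from the zone instead of a cache.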

4. Google Dorks

Use: Advanced Google search, also known as Google hacking, is another way to extract sensitive or hidden information with the help of search operators. A well-built query can find valuable data about the target that Google has indexed. This type of search gives far more specific results than a normal search, where you get hundreds of thousands of links. The operators used in such queries are:

  • inurl: restricts results to pages whose URL contains the specified word
  • intitle: restricts results to pages whose title contains the specified term
  • inanchor: restricts results to pages that are linked to with the specified term in the anchor text of the link
  • site: restricts results to a specified site or domain
  • cache: displayed Google’s cached copy of a page instead of the current version (Google has since retired this operator; archive.org, discussed below, serves the same purpose)
  • filetype: restricts results to files of the specified format, for example pdf or xlsx

These are a few of the operators used during Google search. There are more, but these are the ones used most often.

Syntax: operator:[term], with no spaces between the operator, the colon and the search term. Operators can be combined with spaces between them, for example site:certifiedhacker.com filetype:pdf lists the PDF files Google has indexed on the practice site. Also compare the number of results found by this method with a normal Google search.

There are several good websites that provide information about a target, such as its IP address, when the website was first seen, DNS records, website technologies, location of the server, open port numbers and so on. These sites are also used by the general public for security reasons, for example to check whether a site is a known phishing or impersonation site before trusting it with any information.

Netcraft.com
This is a useful site where you just have to enter the URL of the target website whose information you want to gather. It then automatically gives you information related to the website, such as:

  • Rank of the site
  • When the site was first seen
  • Any known risk on the site
  • Hosting company
  • IP address
  • Name servers
  • Domain registrar
  • Location of the server
  • Server-side technologies
  • Client-side scripting languages and frameworks

Visit the site and try it. Many other options are also available; it is a vast site with lots of information related to the target.

Shodan.io

Shodan is a search engine for internet-connected devices rather than for web pages. Searching for the target’s IP address or host name shows the open ports and service banners Shodan has recorded from its own scans of the host, along with the hosting organisation and location, so you can see what the target exposes without scanning it yourself.

Archive.org
The Wayback Machine on this site keeps older snapshots of websites. Sometimes an older version links to sensitive files or pages that the organisation later hid from its current pages but forgot to remove from the server, so those can still be found through the older version of the website.

There are other websites from which information gathering can be done, but most of the details about the target can be found from the websites discussed above. You may also refer to the following websites for information gathering:

This blog was all about information gathering with the help of some commands in CMD and a few websites. None of the commands shown here need administrator rights, so an ordinary CMD window is enough. In the next blog I will discuss how information gathering can be done in the Linux operating system.


Visit My Website: https://cybergeeks.website/

Originally published at https://github.com.



Ansh Vaid

Security Assessment Engineer at IITK | Cyber security researcher | eJPT | eWPTXv2 | PenTest+ | CASP+