CEH v13 Module 02 Cheat Sheet: Footprinting and Reconnaissance

Devesh Agarwal

Footprinting and Reconnaissance

This cheat sheet focuses on Footprinting and Reconnaissance, one of the most critical phases in ethical hacking. This reference is split into two practical sections:

  • Part 1: Key Concepts for CEH MCQs

  • Part 2: Tools and Commands to Practice Recon


Part 1: Key Concepts for CEH MCQs

๐Ÿ” What is Footprinting?

Footprinting is the process of gathering information about a target system, organization, or individual to plan an attack. It's the first step in the hacking lifecycle.

There are two types:

  • Passive Footprinting – Gathering data without direct interaction with the target (e.g., public websites, WHOIS, search engines).

  • Active Footprinting – Direct interaction with the target (e.g., port scanning, DNS queries against its nameservers).


Objectives of Footprinting

  • Identify domain names

  • Discover IP address ranges

  • Map network infrastructure

  • Gather employee details

  • Find open ports and services

  • Extract DNS information

  • Understand security posture


Footprinting Techniques

| Technique | Description |
|---|---|
| WHOIS Lookup | Domain ownership info |
| DNS Interrogation | Record types like A, MX, NS, TXT |
| Network Scanning | Identifying active hosts |
| Email Harvesting | Gathering emails via search engines |
| Social Engineering | Manipulating individuals for info |
| Google Hacking (Dorking) | Advanced Google search techniques |
| Website Mirroring | Cloning websites for offline review |
| Traceroute | Mapping network path |

Google Hacking – Dork Examples

Use Google Dorks to find exposed sensitive data:

```
site:example.com filetype:pdf
intitle:"index of" confidential
inurl:admin login
```

These help uncover:

  • Internal documents

  • Login pages

  • Server files


๐ŸŒ DNS Record Types

| Record | Purpose |
|---|---|
| A | Maps domain to IP address |
| MX | Mail server information |
| NS | Nameserver for the domain |
| TXT | Misc data (e.g., SPF records) |
| SOA | Start of authority record |
| PTR | Reverse DNS lookups |
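The TXT row above mentions SPF, and the weakest thing an SPF record can say is `+all` (anyone may send mail for the domain). The script below is an added example, not part of the cheat sheet, showing how a defender would grade the SPF policy found in a zone's TXT records. It works offline on a constructed set of TXT strings (the zone names and record contents are made up); in practice the same function is fed the output of `dig example.com txt`.

```python
import re

# Constructed TXT records for fictional zones (not real DNS data).
SAMPLE_TXT_RECORDS = {
    "example.com": [
        "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
        "google-site-verification=abc123",
    ],
    "weak.example": ["v=spf1 a mx ?all"],
    "open.example": ["v=spf1 +all"],
    "none.example": [],
}

# Qualifier on the terminating "all" mechanism -> what unlisted senders get.
VERDICT_BY_QUALIFIER = {"+": "open", "?": "weak", "~": "softfail", "-": "strict"}


def spf_records(txt_records):
    """Return only the TXT strings that are SPF policies (prefix is case-insensitive)."""
    return [r for r in txt_records if r.strip().lower().startswith("v=spf1")]


def assess_spf(txt_records):
    """Classify a zone's SPF posture: missing, multiple, open, weak, softfail or strict."""
    spf = spf_records(txt_records)
    if not spf:
        return "missing"          # no policy: receivers cannot reject forged senders
    if len(spf) > 1:
        return "multiple"         # RFC 7208: more than one record is a permanent error
    terms = spf[0].split()
    # Only the first "all" matters; later mechanisms are never evaluated.
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.IGNORECASE)]
    if not all_terms:
        return "weak"             # no "all": default result is neutral, same as ?all
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"  # "+" is the default
    return VERDICT_BY_QUALIFIER[qualifier]


def audit_zones(zones):
    """Run assess_spf over a {zone: [txt records]} mapping."""
    return {zone: assess_spf(records) for zone, records in zones.items()}


if __name__ == "__main__":
    for zone, verdict in audit_zones(SAMPLE_TXT_RECORDS).items():
        print(f"{zone:16} {verdict}")
```

`strict` (`-all`) or `softfail` (`~all`) is what you want to see; `open`, `weak`, `missing` and `multiple` are findings to fix in the zone, since all four let a third party send mail that passes as the domain's.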

๐Ÿ” Footprinting Countermeasures

  • Use WHOIS privacy protection

  • Disable DNS zone transfers

  • Limit exposure on social media

  • Use robots.txt to hide sensitive paths from search engines

  • Implement firewalls and filters
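One caveat on the robots.txt point: the file is served to anyone who asks, so every `Disallow:` line in it is also a list of paths worth a look during footprinting. The script below is an added example (not from the cheat sheet) that audits your own robots.txt for entries whose names advertise sensitive content; the sample file and the keyword list are constructed for the demonstration.

```python
# Constructed robots.txt for a fictional site (not taken from any real host).
SAMPLE_ROBOTS = """\
# generated by the CMS
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /backup/db-2024.sql
Disallow: /tmp/
Allow: /public/

User-agent: Googlebot
Disallow: /internal-reports/
"""

# Path fragments that usually mean "this should be access-controlled, not merely hidden".
SENSITIVE_HINTS = ("admin", "backup", "internal", "private", "config", ".sql", ".bak", "login")


def parse_disallows(robots_text):
    """Return every Disallow path in the file, skipping comments and blank lines."""
    paths = []
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def flag_sensitive_disallows(robots_text):
    """Disallow paths whose names hint at content that needs authentication, not obscurity."""
    return [p for p in parse_disallows(robots_text)
            if any(hint in p.lower() for hint in SENSITIVE_HINTS)]


if __name__ == "__main__":
    for path in flag_sensitive_disallows(SAMPLE_ROBOTS):
        print(f"publicly advertised in robots.txt: {path}")
```

A flagged path is not a vulnerability by itself; the fix is to make sure it is protected by authentication (or removed from the web root), after which listing it in robots.txt is harmless.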


๐Ÿ› ๏ธ Part 2: Tools and Commands for Practical Recon

Top Tools Used in Footprinting

| Tool | Function |
|---|---|
| Recon-ng | Reconnaissance automation framework |
| theHarvester | Email and domain enumeration |
| Maltego | Visual OSINT analysis |
| Nmap | Host discovery and port scanning |
| Netcraft | Domain analysis and tech profiling |
| HTTrack | Website mirroring |
| Shodan | Device search engine |
| Google Dorks | Search engine hacking |

Command Examples

WHOIS

```bash
whois example.com
```

theHarvester

```bash
theHarvester -d example.com -l 500 -b google
```

DNS Lookup

```bash
nslookup
> set type=any
> example.com
```

```bash
dig example.com any   # many resolvers now answer ANY with a minimal response (RFC 8482)
dig example.com mx
```

๐Ÿ“ Nmap for Active Scanning

bashCopyEditnmap -sn 192.168.1.0/24       # Ping sweep
nmap -O 192.168.1.10          # OS detection
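The ping sweep above is exactly the kind of active footprinting that leaves a trace on the target's firewall. As an added example (not from the cheat sheet), the script below runs simple sweep detection over constructed netfilter `LOG`-style lines: it counts how many distinct hosts one source sends ICMP echo requests to inside a time window and alerts past a threshold. The hostnames, addresses and timestamps are made up, the line layout assumes the field names the netfilter LOG target prints (`SRC=`, `DST=`, `PROTO=`, `TYPE=`), and the window and threshold are illustrative tuning knobs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed LOG-target layout: "<syslog ts> <host> kernel: ... SRC=a DST=b PROTO=p [TYPE=t]".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: .*?TYPE=(?P<type>\d+))?"
)


def _log_line(timestamp, src, dst, proto_fields):
    """Build one constructed LOG line (used only to assemble the sample below)."""
    return f"{timestamp} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} {proto_fields}"


SAMPLE_LOG = "\n".join(
    # one source probing ten neighbours within two seconds: a ping sweep
    [_log_line(f"Mar 10 09:15:0{i % 3}", "192.168.1.50", f"192.168.1.{i}",
               "PROTO=ICMP TYPE=8 CODE=0") for i in range(1, 11)]
    # a single ping and an SSH connection from another host: normal traffic
    + [_log_line("Mar 10 09:20:00", "192.168.1.77", "192.168.1.1", "PROTO=ICMP TYPE=8 CODE=0"),
       _log_line("Mar 10 09:20:05", "192.168.1.77", "192.168.1.1", "PROTO=TCP SPT=51000 DPT=22"),
       # an echo *reply* (TYPE=0) from the sweeping host must not count as a probe
       _log_line("Mar 10 09:21:00", "192.168.1.50", "192.168.1.20", "PROTO=ICMP TYPE=0 CODE=0")]
)


def parse_event(line, year=2024):
    """Return (timestamp, src, dst, proto, icmp_type) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m["src"], m["dst"], m["proto"], m["type"]


def max_targets_in_window(events, window):
    """Largest number of distinct destinations hit by one source inside any `window`."""
    events = sorted(events)                      # (timestamp, dst) pairs
    best = 0
    for i, (start, _) in enumerate(events):
        hit = {dst for t, dst in events[i:] if t - start <= window}
        best = max(best, len(hit))
    return best


def detect_ping_sweeps(log_text, window_seconds=60, min_hosts=8):
    """Map source IP -> distinct hosts probed, for sources at or above the threshold."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev[3] == "ICMP" and ev[4] == "8":   # echo requests only
            probes[ev[1]].append((ev[0], ev[2]))
    window = timedelta(seconds=window_seconds)
    return {src: n for src, evs in probes.items()
            if (n := max_targets_in_window(evs, window)) >= min_hosts}


if __name__ == "__main__":
    for src, count in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {count} hosts probed")
```

The same counting logic applies to TCP SYNs against many ports of one host (a port scan) by swapping the grouping key; the threshold and window are what you tune against your own baseline, since monitoring systems legitimately ping many hosts.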

๐ŸŒ Recon-ng

bashCopyEditrecon-ng
> marketplace install all
> use recon/domains-hosts/bing_domain_web
> set SOURCE example.com
> run

Quick Recap

| Category | Example Tool or Concept |
|---|---|
| Passive Recon | WHOIS, Google Dorks, Netcraft |
| Active Recon | Nmap, DNS Queries, Traceroute |
| OSINT Automation | Recon-ng, theHarvester, Maltego |
| Countermeasures | WHOIS privacy, DNS hardening |