CEH v13 Module 02 Cheat Sheet: Footprinting and Reconnaissance
Devesh AgarwalFootprinting and Reconnaissance
This cheat sheet focuses on Footprinting and Reconnaissance, one of the most critical phases in ethical hacking. This reference is split into two practical sections:
๐ง Part 1: Key Concepts for CEH MCQs
๐ ๏ธ Part 2: Tools and Commands to Practice Recon
๐ง Part 1: Key Concepts for CEH MCQs
๐ What is Footprinting?
Footprinting is the process of gathering information about a target system, organization, or individual to plan an attack. It's the first step in the hacking lifecycle.
There are two types:
Passive Footprinting โ Gathering data without direct interaction (e.g., public websites).
Active Footprinting โ Direct interaction with the target (e.g., port scanning).
๐งพ Objectives of Footprinting
Identify domain names
Discover IP address ranges
Map network infrastructure
Gather employee details
Find open ports and services
Extract DNS information
Understand security posture
๐ก Footprinting Techniques
| Technique | Description |
| WHOIS Lookup | Domain ownership info |
| DNS Interrogation | Record types like A, MX, NS, TXT |
| Network Scanning | Identifying active hosts |
| Email Harvesting | Gathering emails via search engines |
| Social Engineering | Manipulating individuals for info |
| Google Hacking (Dorking) | Advanced Google search techniques |
| Website Mirroring | Cloning websites for offline review |
| Traceroute | Mapping network path |
๐ง Google Hacking โ Dork Examples
Use Google Dorks to find exposed sensitive data:
site:example.com filetype:pdf
intitle:"index of" confidential
inurl:admin login
These help uncover:
Internal documents
Login pages
Server files
๐ DNS Record Types
| Record | Purpose |
| A | Maps domain to IP address |
| MX | Mail server information |
| NS | Nameserver for the domain |
| TXT | Misc data (e.g., SPF records) |
| SOA | Start of authority record |
| PTR | Reverse DNS lookups |
๐ Footprinting Countermeasures
Use WHOIS privacy protection
Disable DNS zone transfers
Limit exposure on social media
Use robots.txt to hide sensitive paths from search engines
Implement firewalls and filters
๐ ๏ธ Part 2: Tools and Commands for Practical Recon
๐งฐ Top Tools Used in Footprinting
| Tool | Function |
| Recon-ng | Reconnaissance automation framework |
| theHarvester | Email and domain enumeration |
| Maltego | Visual OSINT analysis |
| Nmap | Host discovery and port scanning |
| Netcraft | Domain analysis and tech profiling |
| HTTrack | Website mirroring |
| Shodan | Device search engine |
| Google Dorks | Search engine hacking |
๐ง Command Examples
๐ WHOIS
bashCopyEditwhois example.com
๐ง theHarvester
bashCopyEdittheHarvester -d example.com -l 500 -b google
๐งฌ DNS Lookup
bashCopyEditnslookup
> set type=any
> example.com
bashCopyEditdig example.com any
dig example.com mx
๐ Nmap for Active Scanning
bashCopyEditnmap -sn 192.168.1.0/24 # Ping sweep
nmap -O 192.168.1.10 # OS detection
๐ Recon-ng
bashCopyEditrecon-ng
> marketplace install all
> use recon/domains-hosts/bing_domain_web
> set SOURCE example.com
> run
๐ง Quick Recap
| Category | Example Tool or Concept |
| Passive Recon | WHOIS, Google Dorks, Netcraft |
| Active Recon | Nmap, DNS Queries, Traceroute |
| OSINT Automation | Recon-ng, theHarvester, Maltego |
| Countermeasures | WHOIS privacy, DNS hardening |
Subscribe to my newsletter
Read articles from Devesh Agarwal directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by