Footprinting and Reconnaissance in Ethical Hacking

Footprinting and reconnaissance are the first steps in a penetration test. They are performed before the attack and are used to gather information about a target network or computer that will be useful later on during the actual attack. The advantage of good reconnaissance work is that it reduces the time taken during the actual attack, because you know where to focus. Additionally, it increases your chances of success because you have a tailored plan of attack based on what you’ve found. Some of the key pieces of information gathered during reconnaissance are IP addresses, Whois records, DNS information, the operating systems used, and employee email addresses and phone numbers.

Reconnaissance tries to accomplish several goals:

Identify Security Posture: The information gathered during the reconnaissance phase can help a tester understand how a company’s network is set up. This includes the presence of firewalls, security configurations of applications and more.

Create a Network Map: A network map is an outline of the different devices in a network and how they are placed in relation to one another; this layout is referred to as the network topology. It includes things like routers, servers, workstations and more.

Identify Attack Surface: Reconnaissance can help to narrow the systems down to a specific range that interests the pen tester. This allows the tester to focus on a subset of systems instead of trying to break into all the possible targets.

Identify Vulnerabilities: This is the ultimate goal of gathering information: the tester is trying to find weaknesses in the network that they can use to get access to it. You can’t expect every vulnerability to be one you can exploit, so the more vulnerabilities you find before you start, the better.

Employee Information: Many employees’ personal information is easily found online and can be used to perform phishing attacks, in which a user is tricked into performing an action or giving up information that can be used to gain access to a network. About 70% of cyber attacks use a combination of phishing and hacking, which means this information is very useful for a pen test.

Common Reconnaissance Techniques

Google Hacking: Google hacking is using advanced Google search operators to find information that should not be accessible to the public. This includes finding hidden web pages, live camera feeds, SSH private keys, vulnerable web servers or files that contain useful information on the company. You can find a detailed tutorial here.

Port Scanning: This uses well-known tools like nmap to check which ports are open on a given system. This is important because knowing which ports and services are running on a machine helps in identifying potential weak points.

Vulnerability Scanning: This uses automated tools that scan for known vulnerabilities. If you aren’t worried about alerting your target to your presence, this can be a relatively easy way to find potential entry points.

Social Engineering: This technique uses impersonation or manipulation of another person in order to gather useful information about the target. A common example is contacting an employee and pretending to be someone higher up in the company so that the employee feels compelled to answer questions. Symantec found that 65% of attacker groups use spear phishing as their primary infection method.

Dumpster Diving: This involves obtaining important information by going through trash at the company location. Important documents are often thrown away without being shredded and are completely readable, so this technique can be surprisingly successful in helping to breach companies.
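The port scanning and vulnerability scanning described above are the techniques most likely to alert the target, and this is what that looks like from the defender's side. The following is an added example, not code from the original article: it flags any source that touches many distinct ports on one host within a short window. The log format, addresses, function names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines: "<ISO time> <src> <dst> <dst port> <action>".
# Format is an assumption; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:00 203.0.113.9 192.0.2.10 21 DENY
2024-03-01T09:00:01 203.0.113.9 192.0.2.10 22 ALLOW
2024-03-01T09:00:01 198.51.100.4 192.0.2.10 443 ALLOW
2024-03-01T09:00:02 203.0.113.9 192.0.2.10 23 DENY
2024-03-01T09:00:03 203.0.113.9 192.0.2.10 25 DENY
2024-03-01T09:00:04 203.0.113.9 192.0.2.10 80 ALLOW
2024-03-01T09:00:05 203.0.113.9 192.0.2.10 3389 DENY
2024-03-01T09:00:30 198.51.100.4 192.0.2.10 443 ALLOW
2024-03-01T09:05:00 198.51.100.4 192.0.2.10 80 ALLOW
"""

def parse(line):
    """Split one log line into typed fields; raises ValueError if malformed."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def detect_port_scans(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted ports} for sources that touched at least
    min_ports distinct ports on one destination inside a sliding window.
    Assumes the log is ordered by time."""
    recent = defaultdict(deque)  # (src, dst) -> (time, port) pairs still in window
    alerts = {}
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, _ = parse(line)
        except ValueError:
            continue  # skip blank or malformed lines instead of aborting
        q = recent[(src, dst)]
        q.append((ts, port))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            alerts.setdefault((src, dst), set()).update(ports)
    return {pair: sorted(ports) for pair, ports in alerts.items()}

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
```

Both allowed and denied connections are counted, since a scan shows up as breadth of ports probed rather than as failures alone.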


Good information gathering can greatly improve the results of penetration tests. Doing good work ahead of time gives the tester clear direction on where best to spend their time and saves time down the road. Some of the most important goals here are to create a network map, identify potential areas of interest and find vulnerabilities that will allow you to gain access to the network. If you like this article and would like to read more, I write regularly at securitymadesimple.




Shimon Brathwaite is a cybersecurity professional, entrepreneur, consultant, and author at
