Just imagine this, you are a hunter or a fisherman, I mean a professional. And you are planning your excursion to find your prey. What do you need? You need to know the terrain you will enter to take your prize. You need to watch for prints or get the right bait, you must know the habits of your prey. This is exactly what this means in the virtual world, the Hacker will gather all there is to know about what he sees as his target, being a corporation or just an individual. He’ll begin by doing a reconnaissance excursion, and watch every move a victim or a corporation has, have and probably will make, to finally set the trap more likely to be infallible on their systems.

Footprinting is the process of capturing as much information about a particular organization as possible. The objective of footprinting is to obtain this information in such a way as to not notify the organization. This information is available publicly, either from third parties or from the organization itself. The primary items targeted when footprinting includes:

  • The size and scope of the particular organization’s Internet presence
  • The presence of partnerships and any indication of backend network connectivity
  • An analysis of the current security policy
  • The location of operations and other facilities
  • The names and e-mail addresses of current important employees
  • The ability of the organization to control critical information about itself

Tools, Installation, and ways of use

In the next part, we have a list of known tools to collect information. We can perform an additional investigation and find many more tools for this type of tests and depending on the company you can make use of them.

  • Nslookup
  • Web-Based Tools


WHOIS allows you to query the information an organization entered when they registered their domain. ICANN regulations require all domain holders to submit WHOIS information. This information is displayed in public ‘WHOIS’ database. The information available includes the Registrant, Administrative, Billing, and Technical contact information.

The way to make the query is very simple you enter the website and enter the domain name as shown in the following image.


Nslookup is employed to query domain name servers. A nslookup query can be used to resolve IP addresses to hostnames. Hackers will typically target the MX record as it contains the IP address of the mail server. Another well-used tactic is that of attempting a zone transfer. These attacks typically take the following form:

c:\ nslookup server <ipaddress> set type=any ls -d

Zone transfers should be prevented by limiting the devices that can permit this information, and by blocking TCP port 53 (Domain Name System) at the firewall. Note that “nslookup” is deprecated on many newer UNIX systems so consider using “dig” instead.

This is the same as the previous one, we must also enter the website and put the domain name as shown in the following image. We invite you to carry out tests with domains of your interest and analyze the results.

Web-based Tools

Many web-based tools are available to help hidden domain information. These services provide whois information, DNS information, and network queries.

From the previous list, we recommend you use Betterwhois we assure you that you will be amazed by the information you will get. How are there many websites that will provide you with a lot of information in this part of the process? We recommend that you do lots of tests and choose the tool that you like the most.

Domain Location and Path Discovery

If you are unsure of a domain’s location, the best way to determine its position is by use of the traceroute command. Traceroute identifies a path to a domain by incrementing the TTL field of the IP header.

When the TTL falls to zero, an ICMP message is generated. These ICMP messages identify each particular hop on the path to the destination. An example traceroute is shown below:

Tracing route to []
over a maximum of 30 hops:
  1   <1 ms    <1 ms <1 ms
  2    8 ms   2 ms 2 ms  openrg.home []
  3   42 ms    31 ms 31 ms
  4   29 ms    29 ms 28 ms
  5   47 ms    46 ms 47 ms []
  6    *   * 48 ms []
  7    *   * *     Request timed out.
  8   48 ms    50 ms 49 ms
  9   47 ms    47 ms 48 ms
Trace complete.

We use the trial version of This shows us on the geo-map the location of the target website and much more information in an organized way we invite you to explore this tool and analyze The route of any site of interest as shown in the following image.

ARIN, RIPE, and Regional Databases RIR’s are discoverable by IP address. If just the domain name is available, you can verify the IP by pinging the domain name. RIR’s and their area of control include:

ARIN (American Registry for Internet Numbers) – Contains domain information for domains being hosted in the Americas

RIPE (Réseaux IP Européens Network Coordination Centre) – Contains domain information for sites being hosted in the European area

APNIC (Asia Pacific Network Information Centre) – Contains domain information for sites be- ing hosted in the Asian Pacific area

AFRINIC (proposed African Regional Internet Registry) – Contains domain information for sites being hosted in Africa

LACNIC (Latin American and Caribbean Network Information Centre) – Contains domain information for sites in Latin America, South America, and the Caribbean

Determining the Network Range: You can query the RIR to identify what network range that the particular organization owns. If you select the wrong RIR, you will receive an error message, pointing out to the correct record holder.

Google Groups

Google Groups, The Google Groups area has taken over the DejaNews archives. Google groups are a common place for people to post questions about security or network problems. Data from Google Groups postings are archived for many years, and this information can yield many interesting facts about the systems or procedures that the organization is using. Some organizations will even post router configurations and their passwords in Google Groups. This is something your organization should not do! I’ve posted my PIX configuration below. I have included my IP addresses and e-mail address. Can anyone see why my home users cannot access the internal server through the firewall from my <RET MOVED_IP>? I’m concerned that my users are not going to be able to telecommute.

E-mail Tips and Tricks

The Simple Mail Transfer Protocol (SMTP) is employed for sending an e-mail. Every single e-mail you receive has a header that contains vital information such as the IP address of the particular server sending the message, the corresponding names of any attachments provided with the e-mail, and the time and date of the e-mail that was sent and received.

Bouncing E-mail – One conventional technique is to send an e-mail to an invalid e-mail address. The sole purpose of this technique is to examine the SMTP header that will be returned, revealing the e-mail server’s IP address, application type, and version.

Other ways to track interesting e-mail is to use software that will permit you to verify from where the e-mail originated from and how the recipient handled it.

eMailTracking Pro – This tool will enable you to track e-mail back to the sender – This tool allows you to find out when your e-mail was opened, how long it was read, and whether or not it got forwarded to someone else.

Now you can start with your tests and start getting the information of interest

Try Certified Ethical Hacker for FREE!!!


This post was written by Ruben Dario Caravajal Herrera