Hour 7 of 8

Footprinting & Reconnaissance

OSINT · Passive vs Active · Sources, Tools, Tradecraft
~60 min · 3 interactive labs
CEH Objectives ▸ Define footprinting & list its objectives · Differentiate passive vs active reconnaissance · Identify OSINT sources: WHOIS, DNS, CT logs, search engines, Wayback, social · Map footprinting tools to data types · Recognise footprinting countermeasures
Maps to Module 02 · Footprinting and Reconnaissance
OP. GLASSHOUSE — RECON

Mission Brief

The CISO at Glasshouse Bank wants to see what an attacker would see BEFORE they touch a single packet on production. Build a passive footprint covering organisation, infrastructure, people, and history — using only public sources.

Produce a 1-page passive footprint covering 5 data categories
Correctly tag each finding as passive or active
Identify at least 3 attacker entry-points from the footprint alone

Story · The bank that thought it was invisible

Glasshouse Bank's CISO opens with: 'We're not on social media, our domain is private-registered, and nobody knows our subdomains. Good luck.'

You smile politely. Within 20 minutes — and zero packets to production — you have: the registrar and contact email, every subdomain ever issued a TLS cert (87 of them), the mail provider from MX + SPF, a forgotten staging portal still indexed by archive.org, three employee LinkedIn profiles naming internal tooling, and a GitHub repo with a .env file from 2022.

This is footprinting. Done well, the noisy phases that follow only ever target assets that actually exist.

Trainer · Core Concepts

Footprinting defined

The methodical collection of information about a target — domains, IPs, technologies, people, exposed services, historical artefacts — before any disruptive action. CEH treats it as Phase 1 of the ethical-hacking lifecycle and the foundation of the Reconnaissance tactic in MITRE ATT&CK (TA0043).

Passive vs Active — the legal boundary

PASSIVE = no packets sent to target infrastructure. Sources are third-party: RDAP/WHOIS, Certificate Transparency (crt.sh), Shodan/Censys cached data, Wayback Machine, search engines, LinkedIn, GitHub, breach dumps. ACTIVE = packets land on the target: DNS queries to their authoritative NS, port scans, banner grabs, web crawls. Passive is almost always in scope; active needs explicit RoE approval.

The 7 data categories CEH expects

1) Organisational (people, structure, partners) · 2) Network (IP ranges, ASN, routing) · 3) System (OS, services, banners) · 4) DNS (records, zones, mail infra) · 5) Web (technologies, headers, paths, archived versions) · 6) Email (formats, MX, SPF/DKIM/DMARC) · 7) People (roles, contacts, breach exposure).

Tools per category

WHOIS/RDAP for ownership · dig/nslookup + DoH for DNS · crt.sh / Sublist3r / amass for subdomains · theHarvester for emails/hosts · Shodan/Censys for service intel · Wayback Machine for historical content · Maltego for graph correlation · Google dorks (site:, filetype:, inurl:) for content discovery · Hunter.io for email format · HaveIBeenPwned for breach exposure.

Countermeasures

Privacy-registered WHOIS · scrub document metadata (exiftool) · disable directory listing · serve a thoughtful robots.txt (not security through obscurity) · monitor CT logs for unauthorised certs · rotate developer secrets and audit GitHub for leaks · employee training on what to publish on LinkedIn.
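One way to operationalise the "monitor CT logs" countermeasure, as an added example that is not part of the course material: it parses records in the JSON shape crt.sh returns (a constructed sample for a hypothetical example.com, labelled as such in the code), normalises the names the way an attacker's subdomain tooling would, and triages them against a hypothetical asset inventory. It also honours the exam trap that CT is a history of issued certs rather than a live host list, by separating names whose only certificates have already expired.

```python
import json
from datetime import datetime

# Constructed sample in the shape crt.sh returns for ?q=%25.example.com&output=json
# (only the fields used here); every SAN of a cert sits in name_value, newline-separated.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "name_value": "www.example.com\nexample.com", "not_after": "2026-01-01T00:00:00"},
    {"id": 2, "name_value": "*.example.com", "not_after": "2026-01-01T00:00:00"},
    {"id": 3, "name_value": "staging-admin.example.com", "not_after": "2025-03-01T00:00:00"},
    {"id": 4, "name_value": "WWW.Example.com.", "not_after": "2024-01-01T00:00:00"},
    {"id": 5, "name_value": "vpn.example.com\nmail.example.com", "not_after": "2026-06-01T00:00:00"},
])

# Hypothetical asset inventory: the hosts the organisation knows it exposes.
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}

def hostnames_from_crtsh(raw_json: str) -> dict:
    """Map every hostname ever named in a cert to the latest expiry seen for it."""
    latest = {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")  # normalise case and trailing dot
            if name and (name not in latest or expiry > latest[name]):
                latest[name] = expiry
    return latest

def triage_ct_findings(latest: dict, known: set, now_iso: str) -> dict:
    """Sort CT-observed names into buckets a defender handles differently."""
    now = datetime.fromisoformat(now_iso)
    buckets = {"known": [], "wildcard": [], "unknown_current": [], "unknown_expired": []}
    for name, expiry in sorted(latest.items()):
        if name.startswith("*."):
            buckets["wildcard"].append(name)          # not tied to one host; review who may issue these
        elif name in known:
            buckets["known"].append(name)
        elif expiry >= now:
            buckets["unknown_current"].append(name)   # unexpired cert for a host not in inventory
        else:
            buckets["unknown_expired"].append(name)   # CT is history, not a live host list
    return buckets

def run_sample(now_iso: str = "2025-06-01T00:00:00") -> dict:
    """Run the triage over the constructed sample (the reference date is constructed too)."""
    return triage_ct_findings(hostnames_from_crtsh(SAMPLE_CRTSH_JSON), KNOWN_HOSTS, now_iso)

if __name__ == "__main__":
    for bucket, names in run_sample().items():
        print(f"{bucket}: {names}")
```

The "unknown_current" bucket is the one to act on first; "unknown_expired" entries are the staging portals and forgotten hosts that may still resolve and deserve a DNS check before being closed out.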


Micro Labs

CLASSIFY

Lab 19 · Passive vs Active classifier

Tag each recon activity as PASSIVE (no packets to target) or ACTIVE (packets to target).

Query crt.sh for subdomains
dig @ns1.target.com target.com AXFR
RDAP lookup via rdap.org
nmap -sV target.com
Browse archived pages on web.archive.org
Shodan search 'org:Glasshouse'
Banner grab with curl -I https://target.com
Search LinkedIn for current employees
DNS query to target's authoritative NS
Read commit history on a public GitHub repo
MATCH

Lab 20 · Source → Data category

Match each OSINT source to the data category it most reliably yields.

DECISION

Lab 21 · Pick the right countermeasure

For each leak, pick the single most effective countermeasure.

SCENARIO 1

An attacker enumerates 87 subdomains from crt.sh, several pointing to internal-only staging apps.

SCENARIO 2

A 2021 admin portal still appears in Wayback Machine snapshots.

SCENARIO 3

A developer's GitHub repo contains a 2022 .env with what looks like an old DB password.


Knowledge Check

1. Which of these is unambiguously ACTIVE reconnaissance?
2. Which record family leaks the most about a target's email infrastructure?
3. Privacy-registered WHOIS primarily defends against…
4. Which is NOT a footprinting countermeasure?

Challenge · 1-page Glasshouse footprint

Using only passive sources, write a 1-page footprint covering: organisation, infrastructure, mail posture, web history, and people exposure — each bullet tagged [P] passive or [A] active and cited.

CEH v13 Exam Focus

★★★★★
Frequently tested
  • Definition of footprinting and its 7 data categories
  • Passive vs active boundary — and the trap of AXFR/banner grab
  • Tools mapped to data types (theHarvester, Sublist3r, Maltego, Shodan, crt.sh)
  • Google dorks: site:, filetype:, inurl:, intitle:, cache:
  • Countermeasures: WHOIS privacy, metadata scrubbing, CT monitoring
Memory tricks
  • ONS-DWE-P — Org, Network, System, DNS, Web, Email, People (the 7 categories)
  • Passive = 'no packets to target'. Memorise the four-word version.
  • AXFR is ACTIVE — always.
Common traps
  • Calling DNS zone transfer passive
  • Calling 'curl -I' passive (it hits the target)
  • Forgetting that Shodan ITSELF is passive for you, even though Shodan actively scanned earlier
  • Confusing CT logs with DNS — CT lists certs ever issued, not currently live hosts
Rapid revision
  • WHOIS/RDAP → ownership
  • crt.sh → subdomains
  • Wayback → history
  • Shodan → banners
  • theHarvester → emails+subs+hosts
  • Maltego → graph correlation

Interview Prep