© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. Sheikh, Certified Ethical Hacker (CEH) Preparation Guide, https://doi.org/10.1007/978-1-4842-7258-9_2

2. Footprinting and Reconnaissance/Scanning Networks

Ahmed Sheikh
Miami, FL, USA

In this chapter, you will learn about footprinting, what types of information can be gathered with this technique, and how to recognize the kinds of information a hacker may want to obtain. You will also gain an understanding of various information-gathering tools and methodologies. Several additional concepts are covered in this chapter: port scanning, network scanning, vulnerability scanning, Transmission Control Protocol (TCP) communication flags, types of port scans, and scanning countermeasures.

By the end of this chapter, you will be able to
  • Identify the types of information sought in the process of footprinting.

  • Describe information-gathering tools and methodologies.

  • Explain DNS enumeration.

  • Perform active and passive reconnaissance.

  • Recognize the differences between port scanning, network scanning, and vulnerability scanning.

  • Identify TCP flag types.

  • Identify types of port scans.

  • Identify scanning countermeasures.


There are various resources available on the Internet to help you determine how a company’s network is built. The process of discovering the details of an organization’s network is known as footprinting. The detection techniques used to gather information about a target are referred to as reconnaissance. Footprinting is a non-intrusive process: you are not obtaining unauthorized access to data. Numerous tools are available to help collect a wealth of information legally, and this is described as competitive intelligence. You expand competitive intelligence when you add innovation to the mix. Network attacks typically start with information gathered from a company’s website.

The WHOIS tool is used to collect information about IP addresses and domain names. It can also be used to identify company email accounts. You may use a URL to find out which web server and operating system are being used, as well as the names of IT workers. Footprinting is the first of three preattack phases. Information sought while footprinting includes domain names, telephone numbers, authentication methods, access control lists, IP addresses, services, and the presence of an IDS.

Information Gathering Methodology

Attackers can get information from web pages, search engines, the advanced search feature within a website, searches on publicly traded companies, or an extracted archive of a website. To begin information gathering, consider the following guidelines:
  1. Acquire initial information (domain name).

  2. Locate the network range (Nslookup, WHOIS).

  3. Confirm active machines (ping).

  4. Discover open ports or access points (port scanners).

  5. Detect operating systems (telnet query).

  6. Map the network.


Archived Websites

The Wayback Machine (www.archive.org/) is a platform that enables people to access archived versions of websites. Visitors to the Wayback Machine will type in a URL, choose a specific date, and then surf an archived version of the website (Figure 2-1).
Figure 2-1: Some of the archived information available for CSSIA (http://cssia.org/)

Searching Public Records

Public information may not provide immediately revealing data, but it can be used to build a bigger picture. Various sites offer information that is a matter of public record:


The WHOIS (www.whois.com) utility is used to gather IP addresses and domain information. Recall that DNS uses name servers to resolve names. After determining the name server that a company uses, you can try to transfer all of the records for which the DNS server is responsible. This is called a zone transfer. To determine an organization’s primary DNS server, look for a DNS server containing a Start of Authority (SOA) record. Once the primary DNS server has been determined, perform another zone transfer to see all host computers on the network. This information can help to form the organization’s network diagram.

A few of the tools used are categorized by the type of information that they help gather:
  • Domain Name Search

  • DNS Information Tools

  • Zone Transfers

Locating the Network Range

You can now proceed onward to locating the network range of a target system. Traceroute tools such as NeoTrace and Visual Route can be of use. Use of the Traceroute utility can be detected, but the other tools are passive in nature.

A few options include

Other useful tools include web spiders, which can pick up email addresses and store them in a database. Think spammers here. Other tools like GEO spiders can plot network activity on a world map. And Google Earth provides imagery and geographic information for almost any location.

Finally, there are many metasearch engine tools that send a user’s request to several other search engines and then display the aggregated results including Dogpile, WebFerret, Robots.txt, WTR-Web the Ripper 2, and Website Watcher.

Conducting Active and Passive Reconnaissance Against a Target

Before you begin scanning, you should have a clear understanding of how networks connected to the Internet work.

My attack machine has a public IP address of, as shown in Figure 2-2. The organization being scanned in the example has a public IP address of No web server software is installed on the firewall machine itself. Services such as FTP and HTTP actually run on the Windows 2003 SQL server, not on the firewall. When requests for these services arrive, the firewall redirects them to the Windows 2003 SQL server operating on the internal network. Thus, although the Windows 2003 SQL server is not linked directly to the Internet, Internet users can reach its services because the firewall redirects the requests.
Figure 2-2: Network attack

Scanning Networks

After an attacker has identified a target system and performed reconnaissance, the attacker moves on to gaining entry into the target system. With network scanning, the attacker can obtain information about the target, such as which operating system is used and which services are running.

Scanning is a form of extended reconnaissance in which the attacker tries to find ways to intrude into the target system. A sound understanding of the TCP, UDP, and ICMP protocols is important to understand the objectives of this chapter.

It is important to note that in the Internet protocols, 65,535 is the number of TCP and UDP ports available at an IP address. You need to know which ports attackers are going after so that those ports can be protected. Once an attacker discovers an open service, finding a vulnerability is not difficult. Port scanning analyzes a range of IP addresses in order to identify the services that are running. Network scanning investigates the activity on a network, such as tracking data flow and the functionality of network devices, and can detect active hosts on a network. Vulnerability scanning proactively identifies security weaknesses on a network to evaluate where a system can be exploited.

The purpose of scanning can be for any of the following objectives:
  • Identify live systems on a network.

  • Find out what ports are open.

  • Figure out the target’s operating system.

  • Figure out what services are running and/or listening.

  • Find out IP addresses.

  • Identify particular applications.

  • Find vulnerabilities in any system on the network.

Scanning Methodology

Understanding scanning methodology is essential to selecting the appropriate tools needed to complete this task. There are five steps that can guide the process of scanning: checking for live systems, checking for open ports, fingerprinting the operating system, scanning for vulnerabilities, and probing the network.

Keeping these five steps in mind, the following additional factors are important to consider:
  • A ping sweep is a scanning technique used to determine the range of IP addresses mapping to live systems on the network.

• Familiarity with the three-way handshake and the TCP communication flags that govern the connection between hosts is an input into selecting a scanning method.

  • It is a great advantage to the attacker if the operating system running on a target system is known. Banner grabbing can be used to help identify the OS.

• There are many tools available for vulnerability scanning, including Nessus, SAINT, and GFI LanGuard.

Three-Way Handshake

Recall the three-way handshake (Figure 2-3). A system that receives a SYN packet from a remote system responds with a SYN/ACK packet if its port is open. Finally, the sending system sends an ACK. If a port is closed and receives the initial SYN packet, it sends back an RST/ACK packet.
Figure 2-3: Three-way handshake

TCP Flags

The following list includes types of TCP flags and the purpose of each:
  • URG: Marks incoming data as urgent

  • ACK: Confirms that packets have been obtained successfully

  • PUSH: Ensures that data is prioritized and processed at the transmitting or receiving end, and is used at the start and end of a data transfer

  • SYN: Begins the three-way handshake between two hosts

  • FIN: Disconnects the connection formed using the SYN flag

  • RST: Used when a segment comes in which is not expected for the current connection. It also indicates the remote host has reset the connection.

Types of Port Scans

There are several types of port scans. It is important to be familiar with each one.
  1. SYN scan: With the three-way handshake, the attacker’s computer sends the initial SYN packet. If the attacker receives a SYN/ACK packet back in response, the attacker quickly responds with an RST/ACK packet to close the session so that the connection does not complete. The attacker knows that the port is open.

  2. Connect scan: With a connect scan, the three-way handshake is completed, which makes this scan easily detected.

  3. NULL scan: In a NULL scan, all packet flags are off. A closed port will respond to a NULL scan with an RST packet. If no packet is received, the probability that the port is open is high.

  4. XMAS scan: With the XMAS scan, the FIN, PSH, and URG flags are set. Closed ports will respond to this type of packet with an RST packet.

  5. ACK scan: An ACK scan is used to get past a firewall, which is a filtering device. A filtering device looks for the SYN packet. If the probed port returns an RST packet, the port is unfiltered.

  6. FIN scan: With the FIN scan, a FIN packet is sent to the target. If the port is closed, an RST packet will be returned.

  7. UDP scan: With a UDP scan, a UDP packet is sent to the target computer. A response of “Port Unreachable” means that the port is closed.


Using Nmap

Nmap is an application that can be used to identify machines on a network in a Linux, Mac, or Windows environment. It can also be used to evaluate which Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are open on a machine (Figure 2-4). Nmap can provide an indication of the operating system being used by the remote machine.
Figure 2-4: Nmap shows five open ports

  • Without any switches, Nmap will be successful against systems that block ICMP.

  • The default Nmap scan scans numerous ports, but not all.

  • You won’t see a MAC address while scanning a system over the Internet.


Zenmap is the GUI front end for Nmap (Figure 2-5). Enter the same IP address in the Zenmap tool. After the scan is completed, click Ports/Hosts for the results (Figure 2-6). The web log file shows the scans with Zenmap (Figure 2-7).
Figure 2-5: Zenmap is the GUI front end for Nmap

Figure 2-6: Nmap scan results

Figure 2-7: Zenmap scan and weblog file

Crafting Packets

With Fping (www.fping.com/), you can specify a range of IP addresses at the command prompt or you can create a file containing multiple IP addresses and use it as an input file. This is included in BackTrack software.

Hping (www.hping.org/download) can bypass filtering devices by crafting or modifying packets. To find out more, type Hping -help at the command line.

Scanning Countermeasures

There are various steps that you can take as countermeasures to make scanning unsuccessful:
  • Utilize a firewall, which should detect probes.

  • Install a network intrusion detection system. It should identify the OS detection methods used by various tools.

  • Close any unneeded ports.

  • Deploy tools to detect port scans.
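As an added example (not code from the book), the following Python script applies the TCP flag definitions and scan types described above to the last countermeasure, detecting port scans: it classifies each probe in a few constructed firewall log lines by its flag set (NULL, XMAS, FIN, SYN, ACK) and marks a source as suspicious when it touches many distinct ports or sends flag combinations that no legitimate connection uses. The log format, the addresses, and the port threshold are assumptions.

```python
# Added example (not from the book): classify TCP probes by flag pattern and flag port sweeps.
import re
from collections import defaultdict

# Constructed sample log (not real traffic); the src/dst/dport/flags format is an assumption.
SAMPLE_LOG = """\
src=203.0.113.5 dst=192.0.2.10 dport=22 flags=S
src=203.0.113.5 dst=192.0.2.10 dport=80 flags=S
src=203.0.113.5 dst=192.0.2.10 dport=443 flags=S
src=203.0.113.5 dst=192.0.2.10 dport=3389 flags=S
src=198.51.100.7 dst=192.0.2.10 dport=25 flags=
src=198.51.100.7 dst=192.0.2.10 dport=110 flags=FPU
src=198.51.100.7 dst=192.0.2.10 dport=143 flags=F
src=198.51.100.7 dst=192.0.2.10 dport=8080 flags=A
src=192.0.2.50 dst=192.0.2.10 dport=443 flags=S
src=192.0.2.50 dst=192.0.2.10 dport=443 flags=A
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) flags=(\S*)")

def classify_flags(flags):
    """Map a flag string (letters S, A, F, P, U, R) to the probe type the chapter describes."""
    f = set(flags)
    if not f:
        return "NULL"   # no flags at all
    if f == {"F", "P", "U"}:
        return "XMAS"   # FIN, PSH and URG set together
    if f == {"F"}:
        return "FIN"
    if f == {"S"}:
        return "SYN"    # handshake start; also what a SYN or connect scan sends
    if f == {"A"}:
        return "ACK"    # bare ACK: ACK scan probe, or part of an established flow
    return "OTHER"

def detect_scans(log, port_threshold=4):
    """Per source: probe types seen, distinct ports touched, and a suspicious verdict."""
    seen = defaultdict(lambda: {"types": set(), "ports": set()})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that are not in the expected format
        src, _dst, dport, flags = m.groups()
        seen[src]["types"].add(classify_flags(flags))
        seen[src]["ports"].add(int(dport))
    # Suspicious: sweeps many ports, or sends flag sets no legitimate connection uses.
    return {src: {"types": sorted(d["types"]), "ports": len(d["ports"]),
                  "suspicious": len(d["ports"]) >= port_threshold
                  or bool(d["types"] & {"NULL", "XMAS", "FIN"})}
            for src, d in seen.items()}
```

The host 192.0.2.50 completes a normal SYN then ACK exchange on one port and is not flagged, while the two sweeping sources are.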


Many tools are available to help you protect an organization’s networks. Footprinting, the process of finding information about a network, relies on reconnaissance, the detection methods used to gather that information. You also learned how attackers use network scanning to get information about a target.

