Footprinting is an essential aspect of the hacking process. It involves acquiring vital information about the computer system or application to be targeted.

It can be carried out either passively or actively. Passive collection means the attacker never interacts directly with the target system, for example by reading public DNS records, WHOIS data, or search-engine results; active collection sends packets to the target itself and can therefore show up in its logs. In ethical hacking, footprinting is the reconnaissance stage that helps you learn what your web application exposes and discover its security weaknesses before an attacker does.

If done well, especially by utilizing the strategies espoused by experts like Darren Rainey (an experienced cyber security professional from the U.K.), you’ll understand the loopholes an attacker could use to exploit your systems and can then put suitable protections in place. During this stage, various tools can be used to gather a large amount of data, including domain names, IP addresses, hostnames, the services exposed on each host and their versions.

Here are two common tools you can use to carry out footprinting and mitigate the risks of attacks.

1. Nmap

Nmap (Network Mapper) is a useful tool for carrying out footprinting. With it, you can discover the hosts present on a network, the services they run (application name and version), the operating system and uptime of a host, and other useful details.

Nmap sends raw IP packets to the target network and evaluates the responses to work out the characteristics of the systems it finds. Apart from the list scan shown first below, every scan in this section is active: packets reach the target and may be logged, so only run them against systems you are authorized to test.

Nmap has several useful options you can use to footprint a web application. Here, we are going to talk about a few of them. (We’ll use the Nmap tool available on Kali Linux; the -O and -sA scans below need raw-packet privileges, so run them as root or via sudo.)

Let’s start by resolving the IP address of a website.

nmap -sL <website hostname>

The -sL (List Scan) option tells Nmap to list its targets and perform a DNS lookup for each, without sending a single packet to the target host itself. Given a hostname, it resolves it to an IP address and then performs a reverse lookup on that address. The only traffic generated goes to your DNS resolver, which makes this the one scan in this section that is passive from the target’s point of view.

Here is the output.

Now that we know the IP address of our target website, let’s perform a default scan with verbose output (using the -v flag). With no scan type given, Nmap runs a SYN scan when it has raw-packet privileges (a TCP connect scan otherwise) against the 1,000 most common TCP ports, and -v reports progress and per-port results as they arrive.

nmap -v 93.184.216.34

Here is the output.

Let’s scan the target to get information about the operating system it uses (using the -O flag). Nmap fingerprints the OS from details of the TCP/IP stack’s responses, and it works best when it finds at least one open and one closed TCP port. It is not always precise, but it usually comes pretty close; each match is printed with a confidence percentage, and a low-confidence match should be treated as a guess rather than a fact.

nmap -O 93.184.216.34

Here is the output.

We can also look at the address block the target sits in, which often reveals sibling hosts at the same hosting provider.

nmap -sL <ip address>/24

/24 is the CIDR prefix for the subnet: the 256 addresses that share the target’s first three octets. With the above command, Nmap performs a reverse DNS lookup for every address in that range and prints any hostname it finds. Because this is a list scan, no packets are sent to the individual hosts; only your DNS resolver sees the queries.

Here is the output.

Lastly, let’s find out whether the target host is protected by a firewall.

nmap -sA 93.184.216.34

Here is the output.

The -sA flag performs an ACK scan. Unlike the scans above, it never determines whether a port is open; its purpose is to map the firewall rules in front of the target host, telling you whether the firewall is stateful and which ports are filtered.

When scanning an unfiltered system, open and closed ports will both answer the unsolicited ACK probe with a RST packet. Nmap labels such ports unfiltered, meaning the ACK reached them, although whether they are open or closed remains undetermined. Ports that do not respond at all, or that return certain ICMP error messages, are reported as filtered, which indicates that a stateful firewall is dropping packets that do not belong to an established connection.
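Reading the output of these scans off a screen is fine for one host, but footprinting notes are easier to keep (and to diff between runs) when the results are saved with -oX and parsed. The following is an added example, not code from the original post or from the Nmap project: it parses Nmap XML reports with the Python standard library, groups ports by state, lists open services with their versions, applies the confidence caveat from the -O discussion above by discarding low-accuracy OS matches, and interprets an ACK scan as described in the -sA section. The two XML documents embedded in it are constructed samples for a made-up host (198.51.100.10, www.example.test); the addresses, hostnames and version strings are assumptions, not real scan results.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -O -oX - 198.51.100.10` output (made-up host).
SERVICE_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sV -O 198.51.100.10" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="198.51.100.10" addrtype="ipv4"/>
<hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
<service name="https"/></port>
</ports>
<os><osmatch name="Linux 4.15 - 5.8" accuracy="95"/>
<osmatch name="Linux 5.0 - 5.4" accuracy="93"/></os>
</host></nmaprun>"""

# Constructed sample of `nmap -sA -oX - 198.51.100.10` output against the same host.
ACK_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sA 198.51.100.10" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="198.51.100.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="unfiltered" reason="reset"/></port>
<port protocol="tcp" portid="443"><state state="unfiltered" reason="reset"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
</ports>
</host></nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: IPv4 address, PTR hostname, ports and OS matches."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")  # absent when no service info was gathered
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service.get("name") if service is not None else None,
                "product": service.get("product") if service is not None else None,
                "version": service.get("version") if service is not None else None,
            })
        os_matches = [(m.get("name"), int(m.get("accuracy")))
                      for m in host.findall("os/osmatch")]
        hosts.append({
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": name.get("name") if name is not None else None,
            "ports": ports,
            "os_matches": os_matches,
        })
    return hosts


def ports_by_state(host):
    """Group port numbers by Nmap state, e.g. {'open': [22, 80], 'filtered': [443]}."""
    grouped = {}
    for p in host["ports"]:
        grouped.setdefault(p["state"], []).append(p["port"])
    return {state: sorted(ports) for state, ports in grouped.items()}


def open_services(host):
    """(port, service, product, version) for every open port, for version tracking."""
    return [(p["port"], p["service"], p["product"], p["version"])
            for p in host["ports"] if p["state"] == "open"]


def os_guess(host, min_accuracy=90):
    """Best OS match, or None when Nmap's own confidence is below min_accuracy.

    Nmap prints a percentage with each osmatch; refusing to record a match
    below the threshold keeps shaky guesses out of the footprinting notes.
    """
    if not host["os_matches"]:
        return None
    name, accuracy = max(host["os_matches"], key=lambda m: m[1])
    return (name, accuracy) if accuracy >= min_accuracy else None


def firewall_verdict(host):
    """Interpret an ACK scan: RST => unfiltered (reachable), silence => filtered."""
    filtered = ports_by_state(host).get("filtered", [])
    if filtered:
        return "filtering present (likely a stateful firewall): filtered ports %s" % filtered
    return "no filtering observed: every probed port answered the ACK with RST"


if __name__ == "__main__":
    svc = parse_nmap_xml(SERVICE_SCAN_XML)[0]
    print(svc["addr"], svc["hostname"], ports_by_state(svc))
    print(open_services(svc))
    print(os_guess(svc))
    print(firewall_verdict(parse_nmap_xml(ACK_SCAN_XML)[0]))
```

To use it on a real report, run `nmap -sV -O -oX scan.xml <target>` (or `-sA -oX ack.xml`) and pass the file contents to `parse_nmap_xml`. Note that the ACK-scan host has no `hostnames` entry and no `service` elements, which is exactly what a bare `-sA` run produces, so the parser has to tolerate both being absent.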

2. Recon-ng

Another useful tool you can use to footprint web applications is Recon-ng. The tool enables you to automatically gather information during the initial steps of penetration testing; something which could otherwise consume a lot of time.

Recon-ng has numerous modules that query third-party sources such as search engines, DNS services and social networks, so you can collect information about your target passively, without touching it. Other modules scrutinize the target itself for vital information, which is active reconnaissance and may be logged.

(We’ll use the Recon-ng tool available on Kali Linux).

Recon-ng has different modules you can use for performing reconnaissance on a target. To list the ones available, just type “show modules.” (In Recon-ng 5.x the command set changed: modules are installed from the marketplace with “marketplace install <module>” and the installed ones are listed with “modules search”.)

As you can see from the above screenshot, the modules are many. Choose one depending on whether you want to carry out passive or active reconnaissance.

For example, if you want to use a Google search to find the subdomains of a website by hand, you have to follow a tiresome process with the site: and inurl: operators: search for site:example.com and note the subdomains in the results.

After that, you add a negative operator (-inurl: or -site:) for each subdomain you have already found and search again, so that the next page of results surfaces subdomains you have not seen yet. You repeat this until nothing new appears. The process is very cumbersome and can take a lot of time, especially if the target website has numerous subdomains.

With the recon/domains-hosts/google_site_web module available in Recon-ng, you can complete this process automatically and faster.

Here is how you can list the subdomains of a site using the tool.

As you can see from the above screenshot, the tool is listing all the subdomains for hackthissite.org. Within seconds, numerous subdomains appear.
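The loop the module automates is simple enough to write down, and doing so makes clear why the manual version is so tedious: each query can only show a page of results, which the most-linked host (usually www) tends to fill, so previously found hosts must be excluded one by one. The following is an added example, not code from the original post or from the Recon-ng project. It implements that exclusion loop with -site: operators on top of a search function that is a constructed stand-in for a search engine: it filters a small made-up list of indexed URLs for the fictional domain example.test and returns only the first PAGE_SIZE hits per query. A real run would replace fake_search with HTTP requests to the search engine; everything else stays the same.

```python
from urllib.parse import urlparse

# Constructed stand-in for a search engine's index of the (fictional) target.
FAKE_INDEX = [
    "https://www.example.test/",
    "https://www.example.test/about",
    "https://www.example.test/blog/1",
    "https://forum.example.test/",
    "https://www.example.test/blog/2",
    "https://mail.example.test/login",
    "https://dev.example.test/",
    "https://example.test/",
    "https://notexample.test/",  # must not match site:example.test
]
PAGE_SIZE = 3  # only this many results are visible per query


def fake_search(query):
    """Simulate site:/-site: handling and return the first page of hostnames."""
    include = None
    exclude = set()
    for token in query.split():
        if token.startswith("-site:"):
            exclude.add(token[len("-site:"):])
        elif token.startswith("site:"):
            include = token[len("site:"):]
    hits = []
    for url in FAKE_INDEX:
        host = urlparse(url).hostname
        # site:example.test matches the domain itself and any subdomain of it.
        if not (host == include or host.endswith("." + include)):
            continue
        if host in exclude:
            continue
        hits.append(host)
    return hits[:PAGE_SIZE]


def build_query(domain, found):
    """site:<domain> followed by a -site: exclusion for every host already known."""
    return " ".join(["site:" + domain] + ["-site:" + h for h in sorted(found)])


def enumerate_subdomains(domain, search=fake_search, max_queries=50):
    """Repeat the search, excluding known hosts, until a query yields nothing new.

    Returns the sorted hosts and the list of queries issued, so the cost of the
    manual process (one query per round) is visible. max_queries bounds the
    loop in case the engine keeps returning hosts the filter does not remove.
    """
    found = set()
    queries = []
    for _ in range(max_queries):
        query = build_query(domain, found)
        queries.append(query)
        new_hosts = set(search(query)) - found
        if not new_hosts:
            break
        found |= new_hosts
    return sorted(found), queries


if __name__ == "__main__":
    hosts, queries = enumerate_subdomains("example.test")
    for q in queries:
        print("query:", q)
    print("hosts:", hosts)
```

On the sample index the first query returns nothing but www.example.test three times; only after it is excluded do forum, mail and dev appear, and the bare domain surfaces in the third round, so four queries are needed for five hosts. Real engines also rate-limit repeated queries, which is a further reason to let a module do the looping.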

Subdomain listing is just one of the modules present in Recon-ng. You can also use other modules to extract useful reconnaissance information, such as searching Twitter for specific tweets or looking up contact details on social websites.

Wrapping up:

We’ve just highlighted two of the most common and versatile tools for footprinting web applications.

Are there any other tools you know about? Are there any other tools you wish to learn about?

Please provide your comments below.