Footprinting and Reconnaissance is the first phase of an engagement in the EC-Council CEH v13 course. This module covers how you gather information about a target before sending a single attack packet. The more you learn here, the less noise you make later.

Reconnaissance builds a profile of the target: domains, IP ranges, employees, technologies, and exposed services. Good recon often decides whether a test succeeds.

Passive vs. Active Reconnaissance

You split recon by how much you touch the target.

| Type | Contact with target | Detection risk |
|---|---|---|
| Passive | None, uses third-party sources | Very low |
| Active | Direct queries to target systems | Higher |

Passive recon uses OSINT (open-source intelligence) from search engines, social media, job posts, and public records. Active recon includes DNS queries and banner grabbing that reach the target.

OSINT and Google Dorking

Search operators turn a search engine into a recon tool. This is Google dorking.

site:example.com filetype:pdf
intitle:"index of" site:example.com
inurl:admin site:example.com

These find exposed documents, open directories, and login pages. Job listings reveal the technology stack, and employee names feed later social engineering.
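For asset owners, the same three queries can be replayed offline against an inventory of your own pages to see what they would surface. The sketch below is an added example, not part of the course material: the operator matching only approximates how a search engine treats `site:`, `filetype:`, `intitle:` and `inurl:`, the inventory is constructed sample data, and the function names are hypothetical.

```python
import shlex
from urllib.parse import urlparse

# The three dork queries shown above.
DORKS = [
    'site:example.com filetype:pdf',
    'intitle:"index of" site:example.com',
    'inurl:admin site:example.com',
]

# Constructed sample inventory of (url, page title), e.g. from your own crawl export.
INVENTORY = [
    ("https://www.example.com/docs/org-chart.PDF", "Org chart"),
    ("https://files.example.com/backup/", "Index of /backup"),
    ("https://example.com/admin/login", "Sign in"),
    ("https://example.com/blog/admin-tips", "Tips for site admins"),
    ("https://notexample.com/admin/", "Index of /admin"),
    ("https://example.com/about", "About us"),
]

def parse_dork(query):
    """Split a query into (operator, value) pairs; shlex keeps quoted phrases whole."""
    terms = []
    for token in shlex.split(query):
        op, sep, value = token.partition(":")
        terms.append((op.lower(), value.lower()) if sep else ("text", token.lower()))
    return terms

def term_matches(op, value, url, title):
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if op == "site":      # exact host or a subdomain, never a look-alike suffix
        return host == value or host.endswith("." + value)
    if op == "filetype":  # extension of the URL path, case-insensitive
        return parsed.path.lower().endswith("." + value)
    if op == "intitle":
        return value in title.lower()
    if op == "inurl":
        return value in url.lower()
    return value in title.lower() or value in url.lower()  # bare keyword

def audit(inventory, dorks=DORKS):
    """Return {dork: [urls]} for entries that satisfy every term of a dork."""
    findings = {}
    for dork in dorks:
        terms = parse_dork(dork)
        findings[dork] = [url for url, title in inventory
                          if all(term_matches(op, v, url, title) for op, v in terms)]
    return findings

if __name__ == "__main__":
    for dork, urls in audit(INVENTORY).items():
        print(dork, "->", urls or "no matches")
```

The `inurl:admin` result includes the blog post as well as the login page, because `inurl:` is a substring match; hits need triage before anything is restricted or removed.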

DNS, WHOIS, and Network Records

You map the target’s external footprint with public records.

  • WHOIS returns registrar, contact, and registration dates for a domain.
  • DNS records (A, MX, NS, TXT) reveal mail servers, name servers, and services.
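  • BGP data exposes the IP ranges an organization owns.

# Pull DNS records and WHOIS data
# Query each record type; many servers return only a minimal answer to ANY (RFC 8482)
for t in A MX NS TXT; do dig example.com "$t" +noall +answer; done
whois example.com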

Recon Tooling

| Tool | Use |
|---|---|
| Maltego | Visual link analysis of people and infrastructure |
| theHarvester | Collects emails, subdomains, and hosts |
| Shodan | Indexes internet-exposed devices and banners |
| Recon-ng | Modular OSINT framework |

Try the on-site Shodan IP lookup tool to see exposed service data for an address. Use these tools only against assets in your authorized scope.

Next Steps

Move from passive recon to active discovery in Scanning Networks. Review the legal limits in Introduction to Ethical Hacking. Return to the Certified Ethical Hacker (CEH v13) Course.