Footprinting Tools
Comprehensive collection of footprinting tools and techniques for reconnaissance and information gathering. Most of the lookups below are *passive*: they query public registries and third-party resolvers, not the target. The exceptions are called out inline — zone-transfer attempts, `+trace`, and anything that sends packets to the target's own name servers or web servers are *active*, will appear in the target's logs, and belong only inside an authorised, written scope.

## WHOIS Lookup

### Basic WHOIS Queries

```bash
# Domain WHOIS
whois TARGET_DOMAIN

# IP WHOIS (answered by the regional registry that allocated the block)
whois TARGET_IP

# ASN WHOIS via the RADB routing registry
whois -h whois.radb.net AS12345

# Several domains in one invocation
whois TARGET_DOMAIN1 TARGET_DOMAIN2 TARGET_DOMAIN3

# Ask a specific WHOIS server (-h takes a server hostname, never the target)
whois -h whois.verisign-grs.com TARGET_DOMAIN

# Keep the output for grepping later
whois TARGET_DOMAIN > whois_results.txt

# Show which servers are being contacted (useful when a lookup hangs or is referred)
whois --verbose TARGET_DOMAIN
```

### Advanced WHOIS Options

The `whois` client shipped by Debian, Ubuntu and Kali (Marco d'Itri's) has **no JSON, XML, CSV or HTML output modes**. Most of its single-letter flags (`-a`, `-b`, `-c`, `-q`, `-r`, `-t`, `-x`, …) are RIPE-database query modifiers, not output selectors, and `-h` always means "server host". Check `man whois` for your version instead of guessing; the flags below are the ones that actually help during footprinting.

```bash
# Hide the registrar's legal-disclaimer boilerplate
whois -H TARGET_DOMAIN

# Query a regional registry directly (ARIN, RIPE, APNIC, LACNIC, AFRINIC)
whois -h whois.arin.net TARGET_IP
whois -h whois.ripe.net TARGET_IP

# Machine-readable registration data: use RDAP (JSON over HTTPS) rather than WHOIS
curl -s https://rdap.org/domain/TARGET_DOMAIN
curl -s https://rdap.org/ip/TARGET_IP
```

Notes: WHOIS is cleartext on 43/tcp, registries rate-limit and log queries, and most registrars now redact registrant fields — expect privacy-proxy contacts rather than real names. Historical WHOIS (registrant changes over time) needs a commercial passive-DNS/WHOIS archive.

## DNS Enumeration

### Basic DNS Queries

```bash
# A record
dig TARGET_DOMAIN A
# AAAA record
dig TARGET_DOMAIN AAAA
# CNAME record (points at third-party hosting/SaaS — check for dangling targets)
dig TARGET_DOMAIN CNAME
# MX record
dig TARGET_DOMAIN MX
# NS record
dig TARGET_DOMAIN NS
# SOA record
dig TARGET_DOMAIN SOA
# TXT records: SPF, DMARC, domain-verification tokens — they name the vendors in use
dig TARGET_DOMAIN TXT
dig _dmarc.TARGET_DOMAIN TXT
# PTR (reverse) lookup
dig -x TARGET_IP
# ANY: most authoritative servers now return a minimal HINFO answer (RFC 8482),
# so query each type individually. ("ALL" is not a valid RR type and is omitted.)
dig TARGET_DOMAIN ANY
```

### Advanced DNS Queries

```bash
# Use a specific resolver
dig @8.8.8.8 TARGET_DOMAIN A
# Specific port
dig @8.8.8.8 -p 53 TARGET_DOMAIN A
# Force TCP / force UDP
dig @8.8.8.8 +tcp TARGET_DOMAIN A
dig @8.8.8.8 +notcp TARGET_DOMAIN A
# Recursion on / off (+norecurse against an authoritative server shows only what it serves itself)
dig @8.8.8.8 +recurse TARGET_DOMAIN A
dig @8.8.8.8 +norecurse TARGET_DOMAIN A
# Follow the delegation from the root. ACTIVE: the final hops hit the target's own authoritative servers.
dig @8.8.8.8 +trace TARGET_DOMAIN A
# Answer section only
dig @8.8.8.8 +short TARGET_DOMAIN A
# Full output. dig documents no +verbose or +debug switch; the default output already
# prints header, question, answer, authority and additional sections, and +all re-enables them.
dig @8.8.8.8 +all TARGET_DOMAIN A
```

### DNS Zone Transfer

Zone transfers are **active** requests to the target's authoritative name servers, and a refused AXFR is a classic IDS signature. The query needs both the server (`@…`) and the zone name — `dig @TARGET_DOMAIN AXFR` with no zone name asks for the root zone and is wrong.

```bash
# 1. Find the authoritative servers
dig +short TARGET_DOMAIN NS

# 2. Try AXFR against each of them
dig @ns1.TARGET_DOMAIN TARGET_DOMAIN AXFR
dig @ns2.TARGET_DOMAIN TARGET_DOMAIN AXFR
dig @ns3.TARGET_DOMAIN TARGET_DOMAIN AXFR

# Loop over every NS and keep the output
dig +short TARGET_DOMAIN NS | while read -r ns; do
  dig @"$ns" TARGET_DOMAIN AXFR
done > zone_transfer.txt
```

"Transfer failed." means AXFR is restricted (`allow-transfer` / TSIG) — that is the expected, secure state. A successful transfer is a finding in itself.

## Nslookup

### Basic Nslookup Queries

```bash
nslookup TARGET_DOMAIN             # A (and AAAA) records
nslookup -type=AAAA TARGET_DOMAIN
nslookup -type=CNAME TARGET_DOMAIN
nslookup -type=MX TARGET_DOMAIN
nslookup -type=NS TARGET_DOMAIN
nslookup -type=SOA TARGET_DOMAIN
nslookup -type=TXT TARGET_DOMAIN
nslookup TARGET_IP                 # PTR (reverse) lookup

# Interactive mode
nslookup
> set type=A
> TARGET_DOMAIN
> set type=MX
> TARGET_DOMAIN
> exit
```

### Advanced Nslookup Options

```bash
# Use a specific resolver (second positional argument)
nslookup TARGET_DOMAIN 8.8.8.8
# Debug output — there is no -verbose flag; -debug and -d2 are the two verbosity levels
nslookup -debug TARGET_DOMAIN
nslookup -d2 TARGET_DOMAIN
# Timeout (seconds) and retry count — the option is -retry, not -retries
nslookup -timeout=10 TARGET_DOMAIN
nslookup -retry=3 TARGET_DOMAIN
# Port, query type and class
nslookup -port=53 TARGET_DOMAIN
nslookup -querytype=A TARGET_DOMAIN
nslookup -class=IN TARGET_DOMAIN
```

## Host Command

### Basic Host Queries

```bash
host TARGET_DOMAIN            # A, AAAA and MX when no type is given
host -t AAAA TARGET_DOMAIN
host -t CNAME TARGET_DOMAIN
host -t MX TARGET_DOMAIN
host -t NS TARGET_DOMAIN
host -t SOA TARGET_DOMAIN
host -t TXT TARGET_DOMAIN
host TARGET_IP                # PTR (reverse) lookup — no flag needed
```
```bash
# All record types (-a is shorthand for -v -t ANY; expect RFC 8482 minimal answers)
host -a TARGET_DOMAIN
```

### Advanced Host Options

Several `host` flags are routinely mislabelled in cheat sheets. The descriptions below follow the BIND `host` man page.

```bash
# Use a specific resolver
host TARGET_DOMAIN 8.8.8.8
# Verbose output (-d is equivalent to -v in current BIND)
host -v TARGET_DOMAIN
host -d TARGET_DOMAIN
# Wait up to 10 seconds for a reply
host -W 10 TARGET_DOMAIN
# Number of UDP retries is -R; -r is NOT retries
host -R 3 TARGET_DOMAIN
# Non-recursive query (only what the queried server itself holds)
host -r TARGET_DOMAIN
# Query class is lower-case -c; -C is NOT class
host -c IN TARGET_DOMAIN
# -C compares the SOA record on every authoritative server — a quick check for stale secondaries
host -C TARGET_DOMAIN
# Query type
host -t A TARGET_DOMAIN
# Reverse lookup is just the IP as the argument (-r would switch off recursion instead)
host TARGET_IP
```

## Social Engineering

### Email Harvesting

theHarvester's short flags have changed between releases, so `theHarvester -h` is authoritative for the version you have. In current (4.x) releases `-p` enables the proxies listed in `proxies.yaml` and takes no argument, `-v` is the virtual-host check (not verbosity), `-t` is the subdomain-takeover check (not a timeout), and there is no quiet switch. Search-engine sources are passive; `-c` (DNS brute force) and `-n` (DNS lookups) contact the target's name servers.

```bash
# Single source
theHarvester -d TARGET_DOMAIN -b google
# Multiple sources (many need an API key in api-keys.yaml; Google frequently blocks scripted queries)
theHarvester -d TARGET_DOMAIN -b google,bing,yahoo,baidu,duckduckgo
# Save results (-f takes a base name and writes .xml and .json in current releases)
theHarvester -d TARGET_DOMAIN -b google -f results
# Limit the number of results per source
theHarvester -d TARGET_DOMAIN -b google -l 100
# Route queries through the proxies in proxies.yaml
theHarvester -d TARGET_DOMAIN -b google -p
```

### Social Media Intelligence

```bash
# Social-Engineer Toolkit — phishing/payload delivery rather than footprinting; listed for completeness
setoolkit
# Maltego (GUI). Transforms query third-party APIs, most of which log the query and need API keys
maltego
# Recon-ng: modular framework; `marketplace install <module>`, then set SOURCE to the domain
recon-ng
# SpiderFoot web UI. It has NO authentication unless you configure a passwd file —
# keep it bound to loopback as shown and never expose it on 0.0.0.0.
spiderfoot -l 127.0.0.1:5001
# Shodan CLI (requires `shodan init API_KEY`). Filter on hostname rather than free-text search.
shodan search hostname:TARGET_DOMAIN
shodan domain TARGET_DOMAIN
```

Web-based sources (passive — they search the provider's own index, not the target):

- `osintframework.com` — curated index of OSINT tools by category
- `censys.io` — internet-wide host and certificate search (certificate SANs reveal hostnames)
- `virustotal.com` — passive DNS, URL and file reputation
- `passivetotal.com` — passive DNS and WHOIS history (now part of Microsoft Defender Threat Intelligence)

## Search Engine Queries

### Google Dorking

Dorks run against the search engine's index, so they are passive, but results are stale and incomplete: confirm anything interesting with a direct, authorised request before reporting it.

```text
# Site-specific search
site:TARGET_DOMAIN
# File type search
site:TARGET_DOMAIN filetype:pdf
# Admin and login paths
site:TARGET_DOMAIN inurl:admin
site:TARGET_DOMAIN inurl:login
# Configuration, database, backup and log files
site:TARGET_DOMAIN filetype:conf
site:TARGET_DOMAIN filetype:db
site:TARGET_DOMAIN filetype:bak
site:TARGET_DOMAIN filetype:log
# Error pages (stack traces leak frameworks, versions and filesystem paths)
site:TARGET_DOMAIN inurl:error
# API endpoints
site:TARGET_DOMAIN inurl:api
```

### Advanced Search Queries

```text
# Open directory listings
intitle:"index of" site:TARGET_DOMAIN
# Inurl search
inurl:admin site:TARGET_DOMAIN
# Intext search
intext:"password" site:TARGET_DOMAIN
# SQL dumps
filetype:sql site:TARGET_DOMAIN
# Extension search
ext:php site:TARGET_DOMAIN
# Related sites
related:TARGET_DOMAIN
```

Google has retired the `cache:`, `link:` and `info:` operators; they no longer return anything useful. Use the Wayback Machine (`web.archive.org/web/*/TARGET_DOMAIN*`) for historical copies of pages and old `robots.txt`/JavaScript.

## Custom Scripts

### Python Footprinting Script

Requires `dnspython`, `python-whois` and `requests` (`pip install dnspython python-whois requests`). Each lookup is isolated so one failure does not discard the rest: the earlier version wrapped all five DNS queries in a single `try`, so a domain with no AAAA record (a `NoAnswer`) threw away the A, MX, NS and TXT results as well, and `json.dumps` crashed on the `datetime` objects python-whois returns.

```python
import json
import sys

import dns.resolver
import requests
import whois

DNS_RECORD_TYPES = ("A", "AAAA", "MX", "NS", "TXT")


def footprint_target(domain, timeout=10):
    """Collect WHOIS, DNS and HTTP(S) header information for ``domain``.

    Args:
        domain: Bare domain name (no scheme, no path).
        timeout: Per-request timeout in seconds for DNS and HTTP.

    Returns:
        A dict with keys ``whois``, ``dns``, ``http_headers``,
        ``http_status``, ``https_headers`` and ``https_status``. Failures are
        recorded under an ``error`` key in the affected section instead of
        raising, so partial results are always returned.
    """
    results = {}

    # WHOIS lookup (passive). python-whois returns datetime objects; the
    # caller must serialise them with json.dumps(..., default=str).
    try:
        w = whois.whois(domain)
        results["whois"] = {
            "registrar": w.registrar,
            "creation_date": w.creation_date,
            "expiration_date": w.expiration_date,
            "name_servers": w.name_servers,
            "emails": w.emails,
        }
    except Exception as e:  # python-whois raises assorted parser/network errors
        results["whois"] = {"error": str(e)}

    # DNS lookups (passive, via the system resolver). One try per record type
    # so a missing AAAA or MX does not wipe out the other answers.
    resolver = dns.resolver.Resolver()
    resolver.lifetime = timeout
    dns_results = {}
    for rtype in DNS_RECORD_TYPES:
        try:
            answer = resolver.resolve(domain, rtype)
            dns_results[rtype] = [str(rdata) for rdata in answer]
        except dns.resolver.NoAnswer:
            dns_results[rtype] = []
        except Exception as e:  # NXDOMAIN, timeout, SERVFAIL, ...
            dns_results[rtype] = {"error": str(e)}
    results["dns"] = dns_results

    # HTTP / HTTPS headers. These requests go to the target itself (ACTIVE).
    # verify=False is deliberate for reconnaissance so hosts with self-signed or
    # mismatched certificates still return their headers; it means the HTTPS
    # response could come from an interceptor, so treat it as unauthenticated
    # and never copy this pattern into code that trusts the response.
    for scheme in ("http", "https"):
        try:
            response = requests.get(
                f"{scheme}://{domain}", timeout=timeout, verify=False
            )
            results[f"{scheme}_headers"] = dict(response.headers)
            results[f"{scheme}_status"] = response.status_code
        except Exception as e:
            results[f"{scheme}_headers"] = {"error": str(e)}

    return results


if __name__ == "__main__":
    # Usage: python footprint.py TARGET_DOMAIN
    domain = sys.argv[1] if len(sys.argv) > 1 else "TARGET_DOMAIN"
    results = footprint_target(domain)
    # default=str serialises the datetime values from python-whois; without it
    # json.dumps raises TypeError on most real domains.
    print(json.dumps(results, indent=2, default=str))
```

### Bash Footprinting Script

```bash
#!/usr/bin/env bash
# Footprint one domain: WHOIS, DNS records and HTTP(S) response headers.
# Usage: ./footprint.sh TARGET_DOMAIN [output-file]
# WHOIS and DNS are passive; the curl requests at the end contact the target
# directly and will be logged there.
set -uo pipefail   # deliberately not -e: a failed lookup is recorded, not fatal

DOMAIN="${1:-TARGET_DOMAIN}"
OUTPUT_FILE="${2:-footprint_results.txt}"
TIMEOUT=10

# section TITLE CMD... — run CMD and append "=== TITLE ===" plus its output to
# OUTPUT_FILE. stderr is kept so "connection refused" / "Transfer failed" land
# in the report, and a non-zero exit status is noted rather than lost.
section() {
  local title=$1
  shift
  {
    printf '=== %s ===\n' "$title"
    "$@" 2>&1 || printf '[%s exited with status %d]\n' "$1" "$?"
    printf '\n'
  } >> "$OUTPUT_FILE"
}

printf '=== Footprinting %s (%s) ===\n\n' "$DOMAIN" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$OUTPUT_FILE"

section "WHOIS Information" whois -H "$DOMAIN"

for rtype in A AAAA MX NS TXT; do
  section "DNS $rtype Records" dig +short "$DOMAIN" "$rtype"
done

# -I: HEAD request only. -sS: no progress bar, but still report errors.
# -L: follow redirects so the final hop's headers (usually the real web stack)
# are captured too. Certificate verification stays ON; add -k only if you
# knowingly want headers from hosts with broken certificates.
section "HTTP Headers"  curl -sS -I -L --connect-timeout "$TIMEOUT" --max-time "$TIMEOUT" "http://$DOMAIN"
section "HTTPS Headers" curl -sS -I -L --connect-timeout "$TIMEOUT" --max-time "$TIMEOUT" "https://$DOMAIN"

printf 'Footprinting completed. Results saved to %s\n' "$OUTPUT_FILE"
```

## Information Gathering

### Company Information

These are ordinary web lookups; substitute the company name into the URL patterns. Note that browsing from a logged-in account ties the lookups to your identity, and each site's terms of service govern scraping.

```text
# LinkedIn company page
linkedin.com/company/TARGET_COMPANY
# Glassdoor (the numeric EI_IE… identifier is assigned per company; search the site to find it)
glassdoor.com/Overview/Working-at-TARGET_COMPANY-EI_IE123456.11,23.htm
# Crunchbase (funding, acquisitions, executives)
crunchbase.com/organization/TARGET_COMPANY
# AngelList
angel.co/TARGET_COMPANY
# Indeed (job postings name the tech stack and internal tooling)
indeed.com/cmp/TARGET_COMPANY
# Search engines
google.com/search?q=TARGET_COMPANY
bing.com/search?q=TARGET_COMPANY
yahoo.com/search?p=TARGET_COMPANY
```

### Employee Information

OPSEC note: LinkedIn shows profile owners who viewed them unless you browse in private mode or logged out, so employee enumeration from a personal account alerts the target. Use a dedicated, attributable-to-the-engagement research account.

```text
# LinkedIn people search filtered by company
linkedin.com/search/results/people/?company=TARGET_COMPANY
# Facebook
facebook.com/search/people/?q=TARGET_COMPANY
# Twitter / X
twitter.com/search?q=TARGET_COMPANY
# Instagram hashtag
instagram.com/explore/tags/TARGET_COMPANY
# GitHub — organisation members, forks and commit e-mail addresses; also check for leaked secrets
github.com/search?q=TARGET_COMPANY
# Stack Overflow (filter results by employer shown on the profile)
stackoverflow.com/users?tab=reputation&filter=all
# Reddit
reddit.com/search?q=TARGET_COMPANY
# Quora
quora.com/search?q=TARGET_COMPANY
```

## Best Practices

### Rate Limiting

```bash
# Pause between requests so third-party services do not block or flag you
sleep 1
# Rotate egress through a proxy when a source rate-limits by IP
curl --proxy http://proxy1:8080 TARGET_URL
```

### Stealth Mode

```bash
# Present a browser-like User-Agent (a fixed string is not "random"; rotate a list if the source fingerprints clients)
curl -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" TARGET_URL
# Human-like delays between requests
sleep 2
```

Port scanning is **active** and is not footprinting — once you run nmap against the target you have left the passive phase and the target can see you. If the scope permits it, `nmap -T1 TARGET_IP` is the slowest timing template (not a thread count) and `nmap -p 1-1000 TARGET_IP` limits the port range (it has nothing to do with wordlists).

### Output Analysis

```bash
# Save results to a file
whois TARGET_DOMAIN > results.txt
# Pull out the fields that matter (case-insensitive: registrars vary the capitalisation)
grep -i "registrar" results.txt
grep -i "name server" results.txt
grep -i "creation date" results.txt
grep -i "expir" results.txt
# WHOIS output is free text; `sort -k3 -n` on it does not sort by date. Collect the
# date fields first, then sort those:
grep -iE "creation date|expir|updated date" results.txt | sort
```

## Troubleshooting

### Common Issues

```bash
# Connection timeout
curl --connect-timeout 10 TARGET_URL
# Too many requests — back off before retrying
sleep 5
# "Invalid domain": confirm it resolves at all before going further
dig +short TARGET_DOMAIN
# "Permission denied" / hanging whois: whois needs no privileges (do not run it with sudo);
# the usual cause is egress filtering of 43/tcp. Use RDAP over HTTPS instead.
curl -s https://rdap.org/domain/TARGET_DOMAIN
```

### Performance Optimization

`nmap -T4 TARGET_IP` and `nmap -p 1-1000 TARGET_IP` speed up an *active* scan, and `nmap --script vuln TARGET_IP` runs intrusive vulnerability checks that can crash fragile services — none of these are footprinting steps, and all require explicit authorisation for active testing.

## Legal and Ethical Considerations

- Obtain written authorisation with a defined scope and rules of engagement before any testing, and know which of the steps above are active (zone transfers, `+trace`, direct HTTP requests, port scans) versus passive.
- Respect rate limits, robots.txt and the terms of service of the third-party services you query; they are not in scope just because the target is.
- Use the least intrusive tool that answers the question.
- Document every finding with the command, timestamp and source so it can be reproduced and attributed.
- Report sensitive discoveries (exposed zone data, leaked credentials, open directory listings) through the agreed disclosure channel rather than acting on them.