Footprinting Tools

Comprehensive collection of footprinting tools and techniques for reconnaissance and information gathering.

WHOIS Lookup

Basic WHOIS Queries

# Domain WHOIS
whois TARGET_DOMAIN

# IP WHOIS
whois TARGET_IP

# ASN WHOIS
whois -h whois.radb.net AS12345

# Multiple domains
whois TARGET_DOMAIN1 TARGET_DOMAIN2 TARGET_DOMAIN3

# Specific WHOIS server
whois -h whois.verisign-grs.com TARGET_DOMAIN

# WHOIS with output file
whois TARGET_DOMAIN > whois_results.txt

# WHOIS with verbose client output (shows which servers are queried)
whois --verbose TARGET_DOMAIN

# WHOIS without following the registry's referral to the registrar server
whois --no-recursion TARGET_DOMAIN

Advanced WHOIS Options

# Hide the legal disclaimers that some registries print
whois -H TARGET_DOMAIN

# Query whois.iana.org first and follow its referral to the authoritative server
whois -I TARGET_DOMAIN

# Query a specific server on a specific port
whois -h whois.ripe.net -p 43 TARGET_IP

# The flags below are RIPE-style query flags: the client passes them to the
# server, so they only work against RIPE, APNIC, AFRINIC and similar databases

# Exact match on a network prefix
whois -h whois.ripe.net -x TARGET_NETWORK

# Brief IP address ranges with the abuse contact
whois -h whois.ripe.net -b TARGET_IP

# Less specific (-L) and more specific (-M) objects for a prefix
whois -h whois.ripe.net -L TARGET_NETWORK
whois -h whois.ripe.net -M TARGET_NETWORK

# Disable the recursive lookup of contact objects
whois -h whois.ripe.net -r TARGET_NETWORK

# Search all mirrored databases as well
whois -h whois.ripe.net -a TARGET_NETWORK

# Inverse search: objects that reference a given attribute value
whois -h whois.ripe.net -i admin-c TARGET_HANDLE

# Request the template for an object type
whois -h whois.ripe.net -t inetnum

DNS Enumeration

Basic DNS Queries

# A record lookup
dig TARGET_DOMAIN A

# AAAA record lookup
dig TARGET_DOMAIN AAAA

# CNAME record lookup
dig TARGET_DOMAIN CNAME

# MX record lookup
dig TARGET_DOMAIN MX

# NS record lookup
dig TARGET_DOMAIN NS

# SOA record lookup
dig TARGET_DOMAIN SOA

# TXT record lookup
dig TARGET_DOMAIN TXT

# PTR record lookup
dig -x TARGET_IP

# ANY query (many resolvers answer with a minimal HINFO record per RFC 8482;
# query the authoritative servers directly or ask for each type instead)
dig TARGET_DOMAIN ANY

# Several record types in one invocation (global options come first)
dig +noall +answer TARGET_DOMAIN A TARGET_DOMAIN AAAA TARGET_DOMAIN MX

Advanced DNS Queries

# DNS with specific server
dig @8.8.8.8 TARGET_DOMAIN A

# DNS with specific port
dig @8.8.8.8 -p 53 TARGET_DOMAIN A

# DNS with TCP
dig @8.8.8.8 +tcp TARGET_DOMAIN A

# DNS with UDP
dig @8.8.8.8 +notcp TARGET_DOMAIN A

# DNS with recursion (the default: the resolver resolves on your behalf)
dig @8.8.8.8 +recurse TARGET_DOMAIN A

# DNS without recursion (only what the server has cached or is authoritative for)
dig @8.8.8.8 +norecurse TARGET_DOMAIN A

# DNS with trace
dig @8.8.8.8 +trace TARGET_DOMAIN A

# DNS with short answer
dig @8.8.8.8 +short TARGET_DOMAIN A

# DNS with the answer section plus header comments and statistics
dig @8.8.8.8 +noall +answer +comments +stats TARGET_DOMAIN A

# DNS printing the outgoing query as well as the response
dig @8.8.8.8 +qr TARGET_DOMAIN A

DNS Zone Transfer

# Zone transfer attempt against one authoritative server (the zone name is required)
dig @ns1.TARGET_DOMAIN TARGET_DOMAIN AXFR

# Try every authoritative server: the zone is exposed if any one of them answers
for ns in $(dig +short TARGET_DOMAIN NS); do
    echo "== $ns"
    dig @"$ns" TARGET_DOMAIN AXFR +noall +answer
done

# Zone transfer with output
dig @ns1.TARGET_DOMAIN TARGET_DOMAIN AXFR > zone_transfer.txt

# A correctly configured server answers "Transfer failed." with status REFUSED;
# a full record listing means the zone is publicly readable
dig @ns1.TARGET_DOMAIN TARGET_DOMAIN AXFR +comments +stats
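The TXT queries above return raw strings that still have to be interpreted. Added example, not part of the original cheat sheet: a Python parser for `dig ... TXT +short` output that reports the domain's SPF and DMARC posture; the sample records are constructed.

```python
import re

# Constructed sample output of `dig TARGET_DOMAIN TXT +short` and
# `dig _dmarc.TARGET_DOMAIN TXT +short`; these are not real records.
SAMPLE_TXT = (
    '"v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all"\n'
    '"google-site-verification=abc123"\n'
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC" "continuation"\n'
)
SAMPLE_DMARC = '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"\n'

def parse_short_txt(output):
    """One string per record. dig prints each TXT record as one or more quoted
    chunks on a line (records over 255 bytes are split), so join the chunks."""
    records = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records

def spf_policy(records):
    """Qualifier of the SPF 'all' mechanism ('-' fail, '~' softfail, '?' neutral,
    '+' pass), None without an 'all' term, 'missing', or 'multiple' (RFC 7208 error)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None

def dmarc_policy(records):
    """The DMARC p= tag ('none', 'quarantine', 'reject'), 'invalid' or 'missing'."""
    for r in records:
        if r.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=(none|quarantine|reject)\b", r, re.IGNORECASE)
            return m.group(1).lower() if m else "invalid"
    return "missing"

def assess_mail_auth(txt_output, dmarc_output):
    """Flag the combinations that leave the domain easy to spoof."""
    spf = spf_policy(parse_short_txt(txt_output))
    dmarc = dmarc_policy(parse_short_txt(dmarc_output))
    weak = spf in ("missing", "multiple", "+", "?", None) or dmarc in ("missing", "none", "invalid")
    return {"spf_all": spf, "dmarc_p": dmarc, "weak_policy": weak}
```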

Nslookup

Basic Nslookup Queries

# A record lookup
nslookup TARGET_DOMAIN

# AAAA record lookup
nslookup -type=AAAA TARGET_DOMAIN

# CNAME record lookup
nslookup -type=CNAME TARGET_DOMAIN

# MX record lookup
nslookup -type=MX TARGET_DOMAIN

# NS record lookup
nslookup -type=NS TARGET_DOMAIN

# SOA record lookup
nslookup -type=SOA TARGET_DOMAIN

# TXT record lookup
nslookup -type=TXT TARGET_DOMAIN

# PTR record lookup
nslookup TARGET_IP

# Interactive mode
nslookup
> set type=A
> TARGET_DOMAIN
> set type=MX
> TARGET_DOMAIN
> exit

Advanced Nslookup Options

# Nslookup with specific server
nslookup TARGET_DOMAIN 8.8.8.8

# Nslookup with debug
nslookup -debug TARGET_DOMAIN

# Nslookup with exhaustive debug output
nslookup -d2 TARGET_DOMAIN

# Nslookup with timeout (seconds)
nslookup -timeout=10 TARGET_DOMAIN

# Nslookup with retries
nslookup -retry=3 TARGET_DOMAIN

# Nslookup with port
nslookup -port=53 TARGET_DOMAIN

# Nslookup with query type
nslookup -querytype=A TARGET_DOMAIN

# Nslookup with class
nslookup -class=IN TARGET_DOMAIN

Host Command

Basic Host Queries

# A record lookup
host TARGET_DOMAIN

# AAAA record lookup
host -t AAAA TARGET_DOMAIN

# CNAME record lookup
host -t CNAME TARGET_DOMAIN

# MX record lookup
host -t MX TARGET_DOMAIN

# NS record lookup
host -t NS TARGET_DOMAIN

# SOA record lookup
host -t SOA TARGET_DOMAIN

# TXT record lookup
host -t TXT TARGET_DOMAIN

# PTR record lookup
host TARGET_IP

# All record types
host -a TARGET_DOMAIN

Advanced Host Options

# Host with specific server
host TARGET_DOMAIN 8.8.8.8

# Host with verbose output
host -v TARGET_DOMAIN

# Host with debug output (equivalent to -v)
host -d TARGET_DOMAIN

# Host with timeout (seconds)
host -W 10 TARGET_DOMAIN

# Host with retries
host -R 3 TARGET_DOMAIN

# Host with a non-recursive query
host -r TARGET_DOMAIN

# Host with class
host -c IN TARGET_DOMAIN

# Host comparing the SOA record on every authoritative name server
host -C TARGET_DOMAIN

# Host with query type
host -t A TARGET_DOMAIN

# Host with reverse lookup (the address is converted to in-addr.arpa / ip6.arpa and PTR is queried)
host TARGET_IP

Social Engineering

Email Harvesting

# TheHarvester (options below are those of theHarvester 4.x)
theHarvester -d TARGET_DOMAIN -b bing

# TheHarvester with multiple sources (or all of them with -b all)
theHarvester -d TARGET_DOMAIN -b bing,duckduckgo,crtsh,yahoo,baidu

# TheHarvester with output file (writes results.xml and results.json)
theHarvester -d TARGET_DOMAIN -b bing -f results

# TheHarvester with a limit on search results
theHarvester -d TARGET_DOMAIN -b bing -l 100

# TheHarvester starting at result number 100
theHarvester -d TARGET_DOMAIN -b bing -S 100

# TheHarvester through proxies (-p takes no argument; proxies are listed in proxies.yaml)
theHarvester -d TARGET_DOMAIN -b bing -p

# TheHarvester resolving results with a specific DNS server
theHarvester -d TARGET_DOMAIN -b bing -e 8.8.8.8

# TheHarvester verifying hostnames via DNS and searching for virtual hosts
theHarvester -d TARGET_DOMAIN -b bing -v

Social Media Intelligence

# Social-Engineer Toolkit
setoolkit

# Maltego
maltego

# Recon-ng
recon-ng

# SpiderFoot
spiderfoot -l 127.0.0.1:5001

# OSINT Framework
osintframework.com

# Shodan (CLI needs an API key; filter on the hostname)
shodan search hostname:TARGET_DOMAIN

# Censys
censys.io

# VirusTotal
virustotal.com

# PassiveTotal
passivetotal.com

Search Engine Queries

Google Dorking

# Site-specific search
site:TARGET_DOMAIN

# File type search
site:TARGET_DOMAIN filetype:pdf

# Directory search
site:TARGET_DOMAIN inurl:admin

# Login page search
site:TARGET_DOMAIN inurl:login

# Configuration file search
site:TARGET_DOMAIN filetype:conf

# Database file search
site:TARGET_DOMAIN filetype:db

# Backup file search
site:TARGET_DOMAIN filetype:bak

# Log file search
site:TARGET_DOMAIN filetype:log

# Error page search
site:TARGET_DOMAIN inurl:error

# API endpoint search
site:TARGET_DOMAIN inurl:api

Advanced Search Queries

# Intitle search (open directory listings)
intitle:"index of" site:TARGET_DOMAIN

# Inurl search
inurl:admin site:TARGET_DOMAIN

# Intext search
intext:"password" site:TARGET_DOMAIN

# Filetype search
filetype:sql site:TARGET_DOMAIN

# Ext search
ext:php site:TARGET_DOMAIN

# Cache search (operator retired by Google; use web.archive.org/web/*/TARGET_DOMAIN instead)
cache:TARGET_DOMAIN

# Related search
related:TARGET_DOMAIN

# Link search (operator retired by Google; results are unreliable)
link:TARGET_DOMAIN

# Info search (operator retired by Google; a plain site: query lists the indexed pages)
info:TARGET_DOMAIN

Custom Scripts

Python Footprinting Script

# Requires: pip install python-whois dnspython requests
import json

import dns.resolver
import requests
import whois

RECORD_TYPES = ('A', 'AAAA', 'MX', 'NS', 'TXT')


def footprint_target(domain):
    results = {}

    # WHOIS lookup (python-whois returns datetime objects; see json.dumps below)
    try:
        w = whois.whois(domain)
        results['whois'] = {
            'registrar': w.registrar,
            'creation_date': w.creation_date,
            'expiration_date': w.expiration_date,
            'name_servers': w.name_servers,
            'emails': w.emails,
        }
    except Exception as e:
        results['whois'] = {'error': str(e)}

    # DNS lookup: query each type separately so that a type with no records
    # (NoAnswer) does not discard the records already collected
    dns_results = {}
    for rtype in RECORD_TYPES:
        try:
            answers = dns.resolver.resolve(domain, rtype)
            dns_results[rtype] = [str(record) for record in answers]
        except dns.resolver.NoAnswer:
            dns_results[rtype] = []
        except Exception as e:
            dns_results[rtype] = {'error': str(e)}
    results['dns'] = dns_results

    # HTTP and HTTPS response headers
    for scheme in ('http', 'https'):
        try:
            # verify=False so that hosts with invalid certificates still return headers
            response = requests.get(f'{scheme}://{domain}', timeout=10, verify=False)
            results[f'{scheme}_headers'] = dict(response.headers)
            results[f'{scheme}_status'] = response.status_code
        except Exception as e:
            results[f'{scheme}_headers'] = {'error': str(e)}

    return results


# Usage
if __name__ == '__main__':
    domain = "TARGET_DOMAIN"
    results = footprint_target(domain)
    # default=str serialises the datetime objects that python-whois returns
    print(json.dumps(results, indent=2, default=str))

Bash Footprinting Script

#!/bin/bash
set -u

DOMAIN="${1:-TARGET_DOMAIN}"
OUTPUT_FILE="footprint_results.txt"

{
    echo "=== Footprinting $DOMAIN ==="
    echo ""

    # WHOIS lookup
    echo "=== WHOIS Information ==="
    whois "$DOMAIN"
    echo ""

    # DNS lookup, one record type at a time
    echo "=== DNS Information ==="
    for rtype in A AAAA MX NS TXT; do
        echo "$rtype Records:"
        dig "$DOMAIN" "$rtype" +short
        echo ""
    done

    # HTTP and HTTPS response headers (-s hides the progress meter, -S still
    # reports errors, --max-time bounds a hung connection)
    for scheme in http https; do
        echo "=== $(echo "$scheme" | tr a-z A-Z) Headers ==="
        curl -sSI --max-time 10 "$scheme://$DOMAIN"
        echo ""
    done
} > "$OUTPUT_FILE" 2>&1

echo "Footprinting completed. Results saved to $OUTPUT_FILE"

Information Gathering

Company Information

# LinkedIn company search
linkedin.com/company/TARGET_COMPANY

# Glassdoor company search
glassdoor.com/Overview/Working-at-TARGET_COMPANY-EI_IE123456.11,23.htm

# Crunchbase company search
crunchbase.com/organization/TARGET_COMPANY

# AngelList company search (AngelList Talent is now Wellfound; angel.co redirects)
wellfound.com/company/TARGET_COMPANY

# Indeed company search
indeed.com/cmp/TARGET_COMPANY

# Google company search
google.com/search?q=TARGET_COMPANY

# Bing company search
bing.com/search?q=TARGET_COMPANY

# Yahoo company search
yahoo.com/search?p=TARGET_COMPANY

Employee Information

# LinkedIn employee search
linkedin.com/search/results/people/?company=TARGET_COMPANY

# Facebook employee search
facebook.com/search/people/?q=TARGET_COMPANY

# Twitter employee search
twitter.com/search?q=TARGET_COMPANY

# Instagram employee search
instagram.com/explore/tags/TARGET_COMPANY

# GitHub employee search
github.com/search?q=TARGET_COMPANY

# Stack Overflow user search (filters the user list by name)
stackoverflow.com/users?tab=reputation&filter=all&search=TARGET_COMPANY

# Reddit employee search
reddit.com/search?q=TARGET_COMPANY

# Quora employee search
quora.com/search?q=TARGET_COMPANY

Best Practices

Rate Limiting

# Add a delay between requests
sleep 1

# Use a slower nmap timing template (-T0 to -T5; -T1 is "sneaky")
nmap -T1 TARGET_IP

# Route requests through a proxy (rotate the --proxy value between runs)
curl --proxy http://proxy1:8080 TARGET_URL

Stealth Mode

# Use a browser-like user agent
curl -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" TARGET_URL

# Use realistic delays
sleep 2

# Scan a smaller port range instead of all 65535 ports
nmap -p 1-1000 TARGET_IP

Output Analysis

# Save results to file
whois TARGET_DOMAIN > results.txt

# Filter by specific information
grep "Registrar" results.txt
grep "Name Server" results.txt
grep "Creation Date" results.txt
grep "Expiration Date" results.txt

# Extract the date lines and sort them chronologically (ISO 8601 dates sort as text)
grep -E "Creation Date|Expir" results.txt | sort -t: -k2
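Grepping individual fields gets unwieldy once several domains are reviewed. Added example, not part of the original cheat sheet: a Python parser for the Key: Value layout that registry WHOIS servers print (the output of the `whois` commands earlier on this page), which extracts registrar, name servers, days to expiry, transfer lock and DNSSEC status; the sample record and the fixed date are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample of registry WHOIS output in the Verisign "Key: Value"
# layout; the dates and status are invented for the example.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, LLC
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2026-08-13T04:00:00Z
   Name Server: A.IANA-SERVERS.NET
   Name Server: B.IANA-SERVERS.NET
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   DNSSEC: signedDelegation
>>> Last update of whois database: 2025-01-01T00:00:00Z <<<
"""
# Fixed "now" so the expiry arithmetic is reproducible
SAMPLE_NOW = datetime(2026, 6, 14, 4, 0, tzinfo=timezone.utc)

def parse_whois(text):
    """Collect 'Key: Value' lines into a dict of lists (keys lower-cased);
    repeated keys such as Name Server and Domain Status keep every value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def parse_date(value):
    """ISO 8601 as printed by WHOIS servers, with or without a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def summarise(text, now=None):
    """The fields a reviewer checks first: who holds the domain, where it is
    delegated, how soon it lapses, and whether transfer lock and DNSSEC are set."""
    f = parse_whois(text)
    now = now or datetime.now(timezone.utc)
    expiry = next((v for k, v in f.items() if "expir" in k), None)
    status = [s.split()[0] for s in f.get("domain status", [])]
    return {
        "registrar": f.get("registrar", [None])[0],
        "name_servers": sorted(ns.lower() for ns in f.get("name server", [])),
        "days_to_expiry": (parse_date(expiry[0]) - now).days if expiry else None,
        "transfer_lock": "clientTransferProhibited" in status,
        "dnssec": f.get("dnssec", [""])[0].lower() == "signeddelegation",
    }
```

A domain that is close to expiry, lacks the transfer lock, or is delegated to name servers nobody recognises is a hijacking risk worth raising with the owner.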

Troubleshooting

Common Issues

# Connection timeout: bound both the connect phase and the whole transfer
curl --connect-timeout 10 --max-time 30 TARGET_URL

# Too many requests: back off before retrying
sleep 5

# Invalid domain: check the response status (NXDOMAIN versus NOERROR with an empty answer)
dig TARGET_DOMAIN +noall +comments +answer

# "Permission denied" or "connection refused" from whois: the client needs no
# privileges; outbound TCP port 43 is usually being filtered, so test it directly
nmap -Pn -p 43 whois.verisign-grs.com

Performance Optimization

# Use a faster timing template on networks that can take it
nmap -T4 TARGET_IP

# Use smaller ranges
nmap -p 1-1000 TARGET_IP

# Run only the script category you need
nmap --script vuln TARGET_IP

  • Always obtain proper authorization before testing
  • Respect rate limits and server resources
  • Use appropriate tools for the target
  • Document findings properly
  • Follow responsible disclosure practices