# 2. Perform Footprinting Through Internet Research Services

## 1. Find the Company’s Domains, Subdomains and Hosts using Netcraft and DNSdumpster

Domains and sub-domains are part of critical network infrastructure for any organization. A company's top-level domains (TLDs) and subdomains can provide much useful information such as organizational history, services and products, and contact information. A public website is designed to show the presence of an organization on the Internet, and is available for free access.

Visit the Netcraft Website.

{% embed url="<https://www.netcraft.com>" %}

Click on menu icon from the top-right corner of the page and navigate to the **Resources** -> **Research Tools**. In the **Tools | Netcraft** page, click on **Site Report** option.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FEiJpAPKgdjzjzdBLyuA2%2Fimage.png?alt=media&#x26;token=19053383-3d8a-4bb5-860c-4250ec59cfb3" alt=""><figcaption></figcaption></figure>

The **What’s that site running?** page appears. To extract information associated with the organizational website such as infrastructure, technology used, sub domains, background, network, etc., type the target website’s URL (here, **<https://www.certifiedhacker.com>**) in the text field, and then click the **LOOK UP** button. The **Site report for <https://www.certifiedhacker.com>** page appears, containing information related to **Background**, **Network**, **Hosting History**, etc.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FWsciwcwluZGOGpIsMars%2Fimage.png?alt=media&#x26;token=1a935c73-9a94-4316-b823-903175c7f195" alt=""><figcaption></figcaption></figure>

In the **Network** section, click on the website link (here, **certifiedhacker.com**) in the **Domain** field to view the subdomains.

### Footprinting through DNS Dumpster

Open a new tab in **Firefox** browser and go to **<https://dnsdumpster.com/>**. Search for **certifiedhacker.com** in the search box.

{% embed url="<https://dnsdumpster.com/>" %}

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FWUIiFv6IL37qWS0a3zDs%2Fimage.png?alt=media&#x26;token=660aa5dd-482b-4291-ba0b-4ab135e3f869" alt=""><figcaption></figcaption></figure>

The website displays the **GEOIP of Host Locations.** Scroll down to view the list of **DNS Servers**, **MX Records**, **Host Record (A)** along with their IP addresses.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FPAiwP0oeUM3vcPIt9KHI%2Fimage.png?alt=media&#x26;token=00ffac80-65c6-49d9-8710-a117ea780121" alt=""><figcaption></figcaption></figure>

Further, scroll down to view the domain mapping of the website. Click on **Download .xlsx of Hosts** button to download the list of hosts.

&#x20;

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FWcjzmHmOmQaT6JwgKgWq%2Fimage.png?alt=media&#x26;token=e663b2d6-0492-49fe-8624-f3db262b95db" alt=""><figcaption></figcaption></figure>

### Other tools

* sublis3ter
* [pentest-tools](https://pentest-tools.com/information-gathering/find-subdomains-of-domain)
* FFUF
* Gobuster
* Dirb

## <mark style="color:red;">2. People search</mark>

{% embed url="<https://www.peekyou.com>" %}

{% embed url="<https://pipl.com/>" %}

{% embed url="<https://www.intelius.com/>" %}

{% embed url="<https://www.beenverified.com>" %}

## <mark style="color:red;">3. Emails Using theHarvester</mark>

```
theHarvester -d microsoft.com -l 200 -b baidu
```

{% hint style="info" %}
-d domains

-l limit results

-b source (baidu,google,etc)
{% endhint %}

## <mark style="color:red;">4.Dark and Deep web searching</mark>

<https://www.torproject.org/download/>

Tor uses duckduckgo for search

hidden wiki

## <mark style="color:red;">5. OS footprinting with Censys</mark>

&#x20;You can search the site through censys search and get the OS of the system.

{% embed url="<https://search.censys.io/>" %}

{% embed url="<https://www.shodan.io/>" %}

### Best CEH Practicalpractical Preparation Course

{% embed url="<https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C>" %}