# 2. Perform Footprinting Through Internet Research Services

## 1. Find the Company’s Domains, Subdomains and Hosts using Netcraft and DNSdumpster

Domains and sub-domains are part of critical network infrastructure for any organization. A company's top-level domains (TLDs) and subdomains can provide much useful information such as organizational history, services and products, and contact information. A public website is designed to show the presence of an organization on the Internet, and is available for free access.

Visit the Netcraft Website.

{% embed url="<https://www.netcraft.com>" %}

Click on menu icon from the top-right corner of the page and navigate to the **Resources** -> **Research Tools**. In the **Tools | Netcraft** page, click on **Site Report** option.

<figure><img src="/files/WgRo9qy95127wCxzpovY" alt=""><figcaption></figcaption></figure>

The **What’s that site running?** page appears. To extract information associated with the organizational website such as infrastructure, technology used, sub domains, background, network, etc., type the target website’s URL (here, **<https://www.certifiedhacker.com>**) in the text field, and then click the **LOOK UP** button. The **Site report for <https://www.certifiedhacker.com>** page appears, containing information related to **Background**, **Network**, **Hosting History**, etc.

<figure><img src="/files/KPXy8a98fCUrjWIBATTI" alt=""><figcaption></figcaption></figure>

In the **Network** section, click on the website link (here, **certifiedhacker.com**) in the **Domain** field to view the subdomains.

### Footprinting through DNS Dumpster

Open a new tab in **Firefox** browser and go to **<https://dnsdumpster.com/>**. Search for **certifiedhacker.com** in the search box.

{% embed url="<https://dnsdumpster.com/>" %}

<figure><img src="/files/E0Z8eaGsAawGKtf9m6oW" alt=""><figcaption></figcaption></figure>

The website displays the **GEOIP of Host Locations.** Scroll down to view the list of **DNS Servers**, **MX Records**, **Host Record (A)** along with their IP addresses.

<figure><img src="/files/eDpe1nBOn8E2578ukt75" alt=""><figcaption></figcaption></figure>

Further, scroll down to view the domain mapping of the website. Click on **Download .xlsx of Hosts** button to download the list of hosts.

&#x20;

<figure><img src="/files/xDLMBL6UO7ZwSdpuihTo" alt=""><figcaption></figcaption></figure>

### Other tools

* sublis3ter
* [pentest-tools](https://pentest-tools.com/information-gathering/find-subdomains-of-domain)
* FFUF
* Gobuster
* Dirb

## <mark style="color:red;">2. People search</mark>

{% embed url="<https://www.peekyou.com>" %}

{% embed url="<https://pipl.com/>" %}

{% embed url="<https://www.intelius.com/>" %}

{% embed url="<https://www.beenverified.com>" %}

## <mark style="color:red;">3. Emails Using theHarvester</mark>

```
theHarvester -d microsoft.com -l 200 -b baidu
```

{% hint style="info" %}
-d domains

-l limit results

-b source (baidu,google,etc)
{% endhint %}

## <mark style="color:red;">4.Dark and Deep web searching</mark>

<https://www.torproject.org/download/>

Tor uses duckduckgo for search

hidden wiki

## <mark style="color:red;">5. OS footprinting with Censys</mark>

&#x20;You can search the site through censys search and get the OS of the system.

{% embed url="<https://search.censys.io/>" %}

{% embed url="<https://www.shodan.io/>" %}

### Best CEH Practicalpractical Preparation Course

{% embed url="<https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ceh-practical.cavementech.com/module-2.-footprinting-and-reconnaissance/2.-perform-footprinting-through-internet-research-services.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.