> For the complete documentation index, see [llms.txt](https://ceh-practical.cavementech.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ceh-practical.cavementech.com/module-2.-footprinting-and-reconnaissance/2.-perform-footprinting-through-internet-research-services.md).

# 2. Perform Footprinting Through Internet Research Services

## 1. Find the Company’s Domains, Subdomains and Hosts using Netcraft and DNSdumpster

Domains and sub-domains are part of critical network infrastructure for any organization. A company's top-level domains (TLDs) and subdomains can provide much useful information such as organizational history, services and products, and contact information. A public website is designed to show the presence of an organization on the Internet, and is available for free access.

Visit the Netcraft Website.

{% embed url="<https://www.netcraft.com>" %}

Click on menu icon from the top-right corner of the page and navigate to the **Resources** -> **Research Tools**. In the **Tools | Netcraft** page, click on **Site Report** option.

<figure><img src="/files/WgRo9qy95127wCxzpovY" alt=""><figcaption></figcaption></figure>

The **What’s that site running?** page appears. To extract information associated with the organizational website such as infrastructure, technology used, sub domains, background, network, etc., type the target website’s URL (here, **<https://www.certifiedhacker.com>**) in the text field, and then click the **LOOK UP** button. The **Site report for <https://www.certifiedhacker.com>** page appears, containing information related to **Background**, **Network**, **Hosting History**, etc.

<figure><img src="/files/KPXy8a98fCUrjWIBATTI" alt=""><figcaption></figcaption></figure>

In the **Network** section, click on the website link (here, **certifiedhacker.com**) in the **Domain** field to view the subdomains.

### Footprinting through DNS Dumpster

Open a new tab in **Firefox** browser and go to **<https://dnsdumpster.com/>**. Search for **certifiedhacker.com** in the search box.

{% embed url="<https://dnsdumpster.com/>" %}

<figure><img src="/files/E0Z8eaGsAawGKtf9m6oW" alt=""><figcaption></figcaption></figure>

The website displays the **GEOIP of Host Locations.** Scroll down to view the list of **DNS Servers**, **MX Records**, **Host Record (A)** along with their IP addresses.

<figure><img src="/files/eDpe1nBOn8E2578ukt75" alt=""><figcaption></figcaption></figure>

Further, scroll down to view the domain mapping of the website. Click on **Download .xlsx of Hosts** button to download the list of hosts.

&#x20;

<figure><img src="/files/xDLMBL6UO7ZwSdpuihTo" alt=""><figcaption></figcaption></figure>

### Other tools

* sublis3ter
* [pentest-tools](https://pentest-tools.com/information-gathering/find-subdomains-of-domain)
* FFUF
* Gobuster
* Dirb

## <mark style="color:red;">2. People search</mark>

{% embed url="<https://www.peekyou.com>" %}

{% embed url="<https://pipl.com/>" %}

{% embed url="<https://www.intelius.com/>" %}

{% embed url="<https://www.beenverified.com>" %}

## <mark style="color:red;">3. Emails Using theHarvester</mark>

```
theHarvester -d microsoft.com -l 200 -b baidu
```

{% hint style="info" %}
-d domains

-l limit results

-b source (baidu,google,etc)
{% endhint %}

## <mark style="color:red;">4.Dark and Deep web searching</mark>

<https://www.torproject.org/download/>

Tor uses duckduckgo for search

hidden wiki

## <mark style="color:red;">5. OS footprinting with Censys</mark>

&#x20;You can search the site through censys search and get the OS of the system.

{% embed url="<https://search.censys.io/>" %}

{% embed url="<https://www.shodan.io/>" %}

### Best CEH Practicalpractical Preparation Course

{% embed url="<https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C>" %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://ceh-practical.cavementech.com/module-2.-footprinting-and-reconnaissance/2.-perform-footprinting-through-internet-research-services.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.