How to Perform Footprinting and Reconnaissance in CEH Labs?

2025-2026 complete step-by-step guide to mastering Footprinting & Reconnaissance for CEH v12 & v13. Learn passive/active recon, Google dorks, WHOIS, DNS enumeration, subdomain brute-force, OSINT tools, Maltego, theHarvester, Recon-ng with exact commands and how Ethical Hacking Training Institute gives you 200+ real corporate domains for daily recon practice.

Dec 10, 2025 - 15:16
Dec 15, 2025 - 18:31

Introduction

Footprinting & Reconnaissance is Phase 1 of the CEH methodology and carries 12–15% weightage in theory plus 2–4 flags in practical. 90% of successful attacks start with good recon — finding subdomains, employee emails, tech stack, forgotten servers. Poor recon = failed pentest. At Ethical Hacking Training Institute we give every student 200+ real corporate domains and live OSINT targets so you practice exactly like real red teamers from day 1.

Passive vs Active Reconnaissance – Theory & Exam Difference

Type      Method                          Detection Risk   CEH Exam Use
Passive   Google, Shodan, Wayback, WHOIS  Almost zero      Most questions
Active    DNS queries, subdomain brute    Medium           Practical flags

Use passive recon first.

Google Dorks – The Most Powerful Free Recon Tool

  • site:target.com filetype:pdf
  • site:target.com inurl:admin
  • site:target.com ext:sql | ext:bak | ext:old
  • intitle:"index of" site:target.com
  • intext:"sql syntax" site:target.com
  • Our lab has 100+ dork challenges daily

WHOIS, DNS & Domain Recon Techniques

WHOIS reveals the registrant's name, email and phone number plus the domain's creation date. DNS enumeration gives you the NS, MX and TXT (SPF) records. A zone transfer attempt (dig axfr) rarely works today, but it is still tested in theory. Reverse DNS, PTR records and DNS brute-forcing find hidden infrastructure. We provide 200+ real domains with full WHOIS/DNS data for practice.

Start with WHOIS lookups.

Subdomain Enumeration – Find Hidden Assets

  • Sublist3r, Amass, Assetfinder
  • Certificate transparency logs (crt.sh)
  • Brute force with ffuf + SecLists
  • DNS dumpster, SecurityTrails
  • Google dorks + GitHub search
  • Our lab has 100k+ wordlist & live subdomains
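As an added example (not part of the original page or of any tool it lists), the following Python script parses the JSON that crt.sh returns for a query such as https://crt.sh/?q=%.example.com&output=json, builds a de-duplicated host inventory from it, and then flags names whose newest certificate is old: the forgotten servers a defender wants to find before anyone else does. The input below is a constructed sample in that format; name_value and not_before are real crt.sh fields.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output. Real records also
# carry issuer_ca_id, id, entry_timestamp, not_after and serial_number.
# name_value holds all SANs of one certificate, separated by newlines.
SAMPLE_CRTSH_JSON = """
[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
   "name_value": "example.com\\nwww.example.com", "not_before": "2024-01-10T00:00:00"},
  {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
   "common_name": "*.example.com",
   "name_value": "*.example.com\\nexample.com", "not_before": "2023-06-01T00:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "Staging-Old.Example.com",
   "name_value": "Staging-Old.Example.com", "not_before": "2021-03-15T00:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "vpn.example.com",
   "name_value": "vpn.example.com\\nmail.example.com\\nstatic.partner-cdn.net",
   "not_before": "2024-05-20T00:00:00"}
]
"""


def extract_subdomains(crtsh_json: str, domain: str) -> dict[str, str]:
    """Return {hostname: newest not_before} for every concrete name under `domain`.

    Wildcard entries (*.example.com) are dropped because they name no host,
    names are lowercased and de-duplicated, and SANs for other domains that
    happen to share a certificate are ignored (suffix check, not substring).
    """
    domain = domain.lower()
    suffix = "." + domain
    newest: dict[str, str] = {}
    for entry in json.loads(crtsh_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*.") or (name != domain and not name.endswith(suffix)):
                continue
            issued = entry["not_before"]  # ISO timestamps compare correctly as strings
            if name not in newest or issued > newest[name]:
                newest[name] = issued
    return newest


def stale_hosts(newest: dict[str, str], cutoff: str) -> list[str]:
    """Names whose most recent certificate predates `cutoff` (ISO date string)."""
    return sorted(n for n, issued in newest.items() if issued < cutoff)


if __name__ == "__main__":
    inventory = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    for host, issued in sorted(inventory.items()):
        print(f"{host:30} newest cert {issued[:10]}")
    print("no cert since 2023, review these:", stale_hosts(inventory, "2023-01-01"))
```

Point the same functions at a saved crt.sh response for a domain you are authorized to assess and compare the result against your official asset list.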

Email & People OSINT Tools

theHarvester collects emails, subdomains and hosts from Google, Bing and LinkedIn. Hunter.io and Emailrep.io verify email addresses and their reputation. LinkedIn advanced search plus Maltego transforms map employee relationships. These are gold for social engineering prep. We run daily email harvesting challenges on real companies.

Advanced Recon Tools You Must Master

  • Maltego CE – visual relationship mapping
  • Recon-ng – modular framework like Metasploit
  • SpiderFoot – automated OSINT collection
  • Shodan/Censys – exposed devices & services
  • Wayback Machine – historical versions

Use Maltego for OSINT.

Recon Workflow for CEH Practical Exam

  1. Google dorks → sensitive files
  2. WHOIS + DNS recon
  3. Subdomain brute + certificate logs
  4. theHarvester + Maltego
  5. Document everything in the report

Conclusion

Good recon wins half the pentest. Join Ethical Hacking Training Institute and get:

  • 200+ real corporate domains
  • All recon tools pre-installed
  • Daily new targets
  • Weekend & weekday batches
  • 100% placement support

Book free demo — start recon on real company in 10 minutes!

Avoid common mistakes.

Frequently Asked Questions

How many marks for recon in CEH?

12–15% theory + 2–4 practical flags.

Is passive recon enough?

For theory yes — practical needs active too.

Which tool is most asked?

theHarvester & Maltego.

Is subdomain enumeration important?

Yes — finds hidden attack surface.

Is Shodan in syllabus?

Yes — IoT & exposed devices.

Do you provide real domains?

Yes — 200+ real companies daily.

Is Google dorks tested?

Yes — 5–8 questions guaranteed.

Is Maltego free?

Community Edition yes — we provide it.

Weekend batch covers recon?

Yes — full hands-on.

Can freshers learn recon?

Yes — we start from zero.

Is WHOIS still useful?

Yes — registrant info leaks.

Do you teach report writing?

Yes — professional recon reports.

Is DNS brute force tested?

Yes — with fierce or dnsrecon.

Is recon legal?

Yes — only on authorized targets in lab.

How to start today?

Book free demo — do recon on real company in 10 minutes!

Fahid

I am a passionate cybersecurity enthusiast with a strong focus on ethical hacking, network defense, and vulnerability assessment. I enjoy exploring how systems work and finding ways to make them more secure. My goal is to build a successful career in cybersecurity, continuously learning advanced tools and techniques to prevent cyber threats and protect digital assets.