Problem solve Get help with specific problems with your technologies, process and projects.

Penetration testing reconnaissance -- Footprinting, scanning and enumerating

The second installment of a six-part penetration testing tutorial for consultants and value-added resellers (VARs) that discusses three important information gathering processes for successful penetration testers.

In this, the second installment of a six-part penetration testing tutorial for consultants and value-added resellers...

(VARs), I discuss reconnaissance, footprinting, scanning and enumerating -- the information gathering processes a tester employs to begin a penetration test.

As a penetration tester, you should use the same processes a hacker uses to examine a network. Penetration (or external assessment) testing usually starts with three pre-test phases: footprinting, scanning and enumerating. These pre-test phases are very important and can make the difference between a successful penetration test that provides a complete picture of the customer's exposure or one that doesn't.

Together, the three pre-test phases are called reconnaissance. This process seeks to gather as much information about the target network as possible, following these seven steps:

  1. Gather initial information
  2. Determine the network range
  3. Identify active machines
  4. Discover open ports and access points
  5. Fingerprint the operating system
  6. Uncover services on ports
  7. Map the network

Keep in mind the penetration test process is more organic than these steps would indicate. These pre-test phases entail the process of discovery, and although the process is commonly executed in this order, a good tester knows how to improvise and head in a different direction, depending upon the information found.


Footprinting is the active blueprinting of the security profile of an organization. It involves gathering information about your customer's network to create a unique profile of the organization's networks and systems. It's an important way for an attacker to gain information about an organization passively, that is, without the organization's knowledge.

Footprinting employs the first two steps of reconnaissance, gathering the initial target information and determining the network range of the target. Common tools/resources used in the footprinting phase are:

  • Whois
  • SmartWhois
  • NsLookup
  • Sam Spade

We'll explore these and other tools in the next installment of this series.

Footprinting may also require manual research, such as studying the company's Web page for useful information, for example:

  • Company contact names, phone numbers and email addresses
  • Company locations and branches
  • Other companies with which the target company partners or deals
  • News, such as mergers or acquisitions
  • Links to other company-related sites
  • Company privacy policies, which may help identify the types of security mechanisms in place

Other resources that may have information about the target company are:

  • The SEC's EDGAR database if the company is publicly traded
  • Job boards, either internal to the company or external sites
  • Disgruntled employee blogs and Web sites
  • Trade press

You can also get more active with footprinting. For example, you can call the organization's help desk, and by employing social engineering techniques, get them to reveal privileged information.


The next four information-gathering steps -- identifying active machines, discovering

Penetration testing tutorial
Read more tips in our Penetration testing tutorial by SearchSecurityChannel expert Russell Dean Vines and learn how ethical hackers can sell their services, protect themselves from legal risk and conduct a penetration test of their customers' networks.

Although you're still in info-gathering mode, scanning is more active than footprinting, and here the you'll begin to get a more detailed picture of your target (customer).

Some common tools used in the scanning phase are:

  • NMap
  • Ping
  • Traceroute
  • Superscan
  • Netcat
  • NeoTrace
  • Visual Route

Again, I'll get into more detail about these tools in part three.


The last step mentioned, mapping the network, is the result of the scanning phase and leads us to the enumeration phase. As the final pre-test phase, the goal of enumeration is to paint a fairly complete picture of the target.

In enumeration, a tester tries to identify valid user accounts or poorly-protected resource shares using active connections to systems and directed queries.

The type of information sought by testers during the enumeration phase can be users and groups, network resources and shares, and applications.

The techniques used for enumeration include:

  • Obtaining Active Directory information and identifying vulnerable user accounts
  • Discovering NetBIOS name enumeration with NBTscan
  • Using snmputil for SNMP enumeration
  • Employing Windows DNS queries
  • Establishing null sessions and connections

Remember that during a penetration test, you'll need to document every step and finding, not only for the final report, but also to alert the organization immediately to serious vulnerabilities that may exist.

In the next segment of our penetration testing tutorial, we look at some of the penetration testing tools and techniques mentioned here, including password cracking tools.

About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is
The CISSP and CAP Prep Guide, published by John S. Wiley and Sons. As an expert for, Russell welcomes your questions on pen testing and information security threats.

open ports and access points, fingerprinting the operating system, and uncovering services on ports -- are considered part of the scanning phase. Your goal here is to discover open ports and applications by performing external or internal network scanning, pinging machines, determining network ranges and port scanning individual systems.

Dig Deeper on Cybersecurity risk assessment and management

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Data gathering 4 pentest: Footprinting, scanning and enumerating.