📡 CEH Module 3: Scanning & Enumeration – Uncovering Open Doors in Networks

 

🕵️‍♂️ CEH Module 1: Information Gathering – Discover the Digital Footprints

Welcome to Module 1 of the Certified Ethical Hacking (CEH) course — Information Gathering, also known as Footprinting.

This phase is crucial in ethical hacking. Before testing a system or launching any attack simulation, an ethical hacker must first collect as much information as possible — without touching the target system directly. Sounds interesting, right? Let’s break it down step by step.

---

📖 What is Information Gathering?

Information Gathering is the process of collecting data about a target system or organization using publicly available sources.

It’s usually divided into two main types:

• ✅ Passive Information Gathering – No direct interaction with the target.

• ✅ Active Information Gathering – Direct interaction to get more in-depth data.

---

🧰 Top Tools, Commands & Websites for Information Gathering

Let’s look at the most commonly used commands and websites that every ethical hacker should know in this phase.

---

🔎 1. WHOIS Lookup

🔹 Command:

bash
whois example.com

🔹 Website:
👉 https://whois.domaintools.com

🔹 Purpose:
Finds domain details such as registrant info, DNS, IP blocks, and creation/expiry dates.

---

🌐 2. DNS Enumeration

🔹 Command:

bash
nslookup example.com

🔹 Advanced DNS Query:

bash
dig example.com ANY

🔹 Online Tool:
👉 https://dnsdumpster.com

🔹 Purpose:
Gathers DNS records, subdomains, MX records, and DNS zones.

---

🔍 3. Google Dorking

🔹 Examples:

plaintext
site:example.com filetype:pdf
intitle:"index of" confidential

🔹 Purpose:
Uncovers sensitive files, login portals, admin panels, and exposed directories using advanced search operators.

---

🌎 4. Shodan – Search Engine for Internet-Connected Devices

🔹 Website:
👉 https://www.shodan.io

🔹 Example Query:

plaintext
apache port:80 country:"IN"

🔹 Purpose:
Finds open ports, services, webcams, and IoT devices exposed online.

---

📬 5. theHarvester – Collect Emails & Subdomains

🔹 Command:

bash
theharvester -d example.com -b google

🔹 Purpose:
Extracts public emails, subdomains, hosts, and names from search engines and public sources.

---

🧾 6. Netcraft – Hosting & Technology Discovery

🔹 Website:
👉 https://www.netcraft.com

🔹 Purpose:
Identifies hosting provider, technologies used (like Apache, Nginx, PHP), and server OS.

---

🔍 7. Censys – Internet-Wide Search Engine

🔹 Website:
👉 https://censys.io

🔹 Purpose:
Scans and indexes open ports, SSL certificates, and services of millions of hosts across the web.

---

🧠 8. Recon-ng – Web Reconnaissance Framework

🔹 Start Command:

bash
recon-ng

🔹 Purpose:
CLI-based tool used to automate reconnaissance tasks and integrate multiple public data sources.

---

📌 Quick Summary

Tool/Website	Function	Type
WHOIS	Domain ownership and IP details	Passive
nslookup/dig	DNS and MX record lookup	Passive
theHarvester	Collect email and subdomain data	Passive
Google Dorks	Expose hidden content and files	Passive
Shodan	Scan internet-facing services/devices	Passive
Netcraft	Hosting provider and server tech info	Passive
Censys	SSL certs, open ports, IP scanning	Passive
Recon-ng	Automate information gathering	Passive

---

⚠️ Legal Reminder

❗ Use these tools only on systems you own or are authorized to test.
Ethical hacking is about permission, education, and protection — not exploitation.

---

🔜 What's Next?

In Module 2, we’ll step into Scanning and Enumeration, where we actively interact with the target to uncover live systems, open ports, and running services.

---

🔗 Stay Connected with Us

Looking for exciting tech content, ethical hacking guides, and helpful tools?
Make sure you’re following us everywhere!

📺 YouTube Channel:
TechFusionPro09
🎥 Tutorials, Tips & Tech Insights — Subscribe Now!

📸 Instagram:
@blackops404
🔥 Behind-the-scenes content, updates, and community vibes!

🌐 Official Website:
mannutanwar.odoo.com
📚 Explore all our blogs, tools, and free courses in one place.