PenTest Steps

  1. RECONNAISSANCE – Footprinting
    1. Google: Google as a hacking tool? Yes, Google can be used as a hacking tool. However, you need to know how to make effective searches.

      I.) Phrase search (“”): By putting double quotes around a set of words, you are telling Google to consider the exact words in that exact order without any change. This is useful if you need exact strings in your search.
      II.) Search within a specific website (site:): Google allows you to specify that your search results must come from a given website. For example, the query nessus will return pages about nessus but only from the named site. This can be very useful if you already know which site gives the best information about your target.
      III.) Terms you want to exclude (-): Attaching a minus sign immediately before a word indicates that you do not want pages that contain this word to appear in your results. The minus sign should appear immediately before the word and should be preceded by a space. For example, in the query anti-virus software, the minus sign is used as a hyphen and will not be interpreted as an exclusion symbol, whereas the query anti-virus -software will search for the word ‘anti-virus’ but exclude references to software.
      IV.) Fill in the blanks (*): The *, or wildcard, is a little-known feature that can be very powerful. If you include * within a query, it tells Google to treat the star as a placeholder for any unknown term(s) and then find the best matches. For example, the search Google * will give you results about many of Google’s products. Note that the * operator works only on whole words, not parts of words.

      Whois: Whois is an important tool that can list very important information about a website, such as e-mail addresses, contact names, phone numbers and the expiration date of the domain. On your Linux machine you can run whois domainName and get details of the domain. You can also use a whois website that gives details of a given IP.

      Traceroute: With traceroute you can get some information about the network. Traceroute lists the routers between you and the target. This can be really useful information if you launch a network attack against a router.

      Nslookup/host/dig: All of these tools do the same job: list IP addresses for a given domain name. They basically query the DNS server.

      For example, if you want to learn the IP address of a domain, type
      C:\Users\ismail nslookup
      Non-authoritative answer:
      Dig has more capabilities besides giving you the IP address of a domain (which can also be done by pinging the server, right?).
      There is a good article on the slicehost website that covers some details of dig.
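      The whois notes above say the record hands an attacker contacts and the expiry date. The script below is an added example (not part of the original notes) that parses a constructed whois response and reports exactly what a footprinting pass would harvest from your own domain, plus the days left until expiry. The field names follow one common registrar layout and are an assumption; real whois output varies by registry, so adjust the keys for yours.

```python
"""Parse a whois record and report what footprinting reveals about a domain.

Added example (not from the original notes): SAMPLE_WHOIS is a constructed
response and the field names are assumptions about one common registrar
format; real whois formats vary by registry.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample whois response (not a real domain or registrar).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.INVALID
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.invalid
Registrant Name: Jane Doe
Registrant Email: hostmaster@example.invalid
Registrant Phone: +1.5555550100
Registry Expiry Date: 2031-06-30T04:00:00Z
Name Server: NS1.EXAMPLE.INVALID
Name Server: NS2.EXAMPLE.INVALID
>>> Last update of whois database: 2025-01-01T00:00:00Z <<<
"""


def parse_whois(text):
    """Turn 'Key: value' lines into {key: [values]}; repeated keys keep every value."""
    record = defaultdict(list)
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue  # skip the trailer line and anything that is not a field
        key, value = line.split(":", 1)
        record[key.strip().lower()].append(value.strip())
    return dict(record)


def days_until_expiry(record, today_iso):
    """Days from today_iso (YYYY-MM-DD) until the registry expiry date; negative if lapsed."""
    raw = record["registry expiry date"][0]
    expiry = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").date()
    return (expiry - date.fromisoformat(today_iso)).days


def exposed_contacts(record):
    """Contact details and infrastructure a footprinting pass would collect."""
    return {
        "emails": [v for k, vals in record.items() if "email" in k for v in vals],
        "phones": [v for k, vals in record.items() if "phone" in k for v in vals],
        "nameservers": record.get("name server", []),
    }


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(f"expires in {days_until_expiry(rec, '2025-01-01')} days")
    print(exposed_contacts(rec))
```

      Run it against the output of whois domainName for your own domains: anything exposed_contacts returns is what an attacker gets for free, which is the argument for registrar privacy services and role mailboxes rather than personal ones.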

      robots.txt: The Robot Exclusion Standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a website which is otherwise publicly viewable. Robots are often used by search engines to categorize and archive web sites, or by webmasters to proofread source code. The standard is unrelated to, but can be used in conjunction with, Sitemaps, a robot inclusion standard for websites.

      As an ethical hacker, you can check whether the webserver has a robots.txt file. Some system admins think that disallowing search engines from indexing directories that may hold sensitive information is a security measure that prevents others from seeing these directories in search results. HOWEVER, listing your sensitive directories in robots.txt will just make attackers focus on these directories, and worse, you are already telling them where to attack…

      I would not recommend relying on robots.txt. Instead, secure these important directories by encrypting them or by using access control methods.

      As an ethical hacker, always check robots.txt, because there are lots of system admins who do not know security very well.
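      To make the point above concrete from the defender's side, here is an added example (not from the original notes) that parses a constructed robots.txt, flags Disallow entries that advertise sensitive-looking paths, and cross-checks the result with Python's standard-library robotparser. SENSITIVE_HINTS is an assumed list of path fragments; tune it for your own site.

```python
"""Audit a robots.txt for Disallow lines that advertise sensitive paths.

Added example (not from the original notes): SAMPLE_ROBOTS is a constructed
file and SENSITIVE_HINTS is an assumed list of path fragments worth review.
"""
from urllib import robotparser

# Constructed sample robots.txt (not from any real site).
SAMPLE_ROBOTS = """\
# robots.txt for example.invalid (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/

User-agent: Googlebot
Disallow: /old_db_dump/
"""

# Assumed path fragments that usually mean "this should be access-controlled, not just hidden".
SENSITIVE_HINTS = ("admin", "backup", "dump", "config", "private", "secret", "cgi-bin")


def parse_robots(text):
    """Return {user_agent: {"disallow": [...], "allow": [...]}}.

    A group is one or more consecutive User-agent lines followed by their
    Allow/Disallow rules; a User-agent line after a rule starts a new group.
    Empty 'Disallow:' lines (meaning allow everything) are skipped.
    """
    groups, current, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:  # the previous group is complete; start a fresh one
                current, in_rules = [], False
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif key in ("disallow", "allow") and value:
            in_rules = True
            for agent in current:
                groups[agent][key].append(value)
    return groups


def flag_sensitive(groups, hints=SENSITIVE_HINTS):
    """Sorted (agent, path) pairs whose Disallow entry names a sensitive-looking path."""
    return sorted(
        (agent, path)
        for agent, rules in groups.items()
        for path in rules["disallow"]
        if any(hint in path.lower() for hint in hints)
    )


def crawler_allowed(text, agent, path):
    """Cross-check with the standard-library parser: may `agent` fetch `path`?"""
    rp = robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp.can_fetch(agent, path)


if __name__ == "__main__":
    for agent, path in flag_sensitive(parse_robots(SAMPLE_ROBOTS)):
        print(f"review: {path!r} is advertised to {agent!r}")
```

      Every path the audit flags is one that a search engine will skip but any reader of the file will see, so the fix is the one the notes give: put access control on the directory and take the hint out of robots.txt. Note also that the Googlebot group does not inherit the * group's rules, which crawler_allowed makes visible.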


      Footprinting is an important phase of hacking. In this phase, the goal is to get as much information about the target as possible. This information will be a critical part of the attack vectors that will be used in the next phases.

      There are many more tools than what I covered here. You need to know them for the CEH exam.

      Tip: Study active and passive footprinting, and know the difference.


    • NMAP

      Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

      You need to know some basic options, scan types, IP addresses’ and ports’ formats in nmap.


      -sT: connect scan
      -sS: SYN scan (half open)
      -sX: XMAS scan
      -sF: FIN scan
      -sP: ping scan
      -sU: UDP scan
      -sO: raw scan
      -O: OS detection

      A three-way handshake is performed on the connect scan, which is why this option is slow and leaves lots of footprints on the target system.
      The SYN scan only sends SYN packets to targets. If the port is open we receive SYN+ACK; otherwise we receive RST, which indicates the port is closed…
      Ping scan: This is also known as a ping sweep. Basically nmap pings all the given machines and determines the live hosts.
      UDP scan: If you want to see UDP ports, you need to run a UDP scan.
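      The scan types above each have a recognisable packet signature (a lone SYN, a lone FIN, the FIN+PSH+URG "XMAS" set), and the notes point out that a scan leaves footprints on the target. The following added example (not from the original notes) shows the defender's view: it parses constructed, iptables-style firewall log lines, counts distinct destination ports per source, and labels the probe type from the flags seen. The log format, the sample addresses and the 10-port threshold are all assumptions.

```python
"""Spot nmap-style probe patterns in firewall log lines.

Added example (not from the original notes): the log lines are constructed in
a simplified iptables-like format, and the distinct-port threshold of 10 is
an assumption; tune it to your own network's baseline.
"""
import re
from collections import defaultdict

FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def build_sample_log():
    """Constructed log: one SYN sweep, one XMAS sweep, one normal HTTPS client, one UDP line."""
    base = ("fw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 PROTO={proto} "
            "SPT={spt} DPT={dpt} {flags} URGP=0")
    lines = [base.format(src="203.0.113.5", proto="TCP", spt=40001, dpt=p, flags="SYN")
             for p in range(20, 41)]                      # 21 ports, SYN only
    lines += [base.format(src="198.51.100.7", proto="TCP", spt=51000, dpt=p, flags="FIN PSH URG")
              for p in range(1, 13)]                      # 12 ports, XMAS flags
    lines += [base.format(src="192.0.2.55", proto="TCP", spt=52000 + i, dpt=443, flags="SYN")
              for i in range(3)]                          # ordinary client, one port
    lines.append("fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=UDP SPT=52010 DPT=53")
    return lines


def parse_line(line):
    """Extract src, dst, dport and the TCP flag set; returns None for non-TCP lines."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if fields.get("PROTO") != "TCP":
        return None
    flags = frozenset(tok for tok in line.split() if tok in FLAG_TOKENS)
    return {"src": fields["SRC"], "dst": fields["DST"],
            "dport": int(fields["DPT"]), "flags": flags}


def classify_probe(flags):
    """Map a probe's flag set to the nmap scan type that sends it."""
    if flags == {"SYN"}:
        return "SYN probe (-sS half-open, or first packet of a -sT connect scan)"
    if flags == {"FIN"}:
        return "FIN scan (-sF)"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS scan (-sX)"
    if not flags:
        return "NULL scan (-sN)"
    return "other"


def detect_scans(lines, threshold=10):
    """Sources that touched at least `threshold` distinct ports, with the probe types seen."""
    per_src = defaultdict(lambda: {"ports": set(), "flagsets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_src[rec["src"]]["ports"].add(rec["dport"])
        per_src[rec["src"]]["flagsets"].add(rec["flags"])
    findings = {}
    for src, info in per_src.items():
        if len(info["ports"]) >= threshold:
            findings[src] = {
                "ports": len(info["ports"]),
                "signatures": sorted(classify_probe(f) for f in info["flagsets"]),
            }
    return findings


if __name__ == "__main__":
    for src, f in detect_scans(build_sample_log()).items():
        print(f"{src}: {f['ports']} ports, {', '.join(f['signatures'])}")
```

      A single SYN cannot tell -sS from -sT; the difference is whether the source completes the handshake afterwards, which is why the connect scan is the noisier one in application logs while the half-open scan shows up mainly at the firewall.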

      IP addresses

      nmap -sS -p1-65535
      nmap -sT -O -p23
