Using Publicly-available Information To Learn More About A Target (Passive Footprinting)

Even a novice can research a target using publicly-available information. This is also called passive footprinting and there are numerous tools and commands to find this information:

  1. You can gather information about an organization or individual through the Domain Name Service. DNS converts IP addresses to human-understandable domain names, i.e. to, or finding an IP address through a domain name, to
    There are numerous sites for this. The one I use is Reverse IP Lookup on DNS Checker.(click to open)
  2. WHOIS searches for registered users of the domain and their IP address blocks. For example, a company’s HQ location, contact info, primary name servers, and other domains registered with the entity. Try ICANN’s service. (click to open)
  3. The NSLookup tool can similarly provide info. Open a command prompt:
    Open the Command Prompt in Windows 10 by

    • Typing “command prompt” into the Start menu to search for it. …
    • Press Win + R to open the Run box, then type “cmd” and hit Enter to open it.
    • Press Win + X (or right-click the Start button) and choose Command Prompt from the menu.

    Now try “nslookup”:

You can use the query option to find out other data, like the email service (“query=mx”).

4. Another command is tracert (Windows) or traceroute (Linux, MacOS), which will let you see the route–and time–to the destination server. For example, “tracert” gives you the following:

5. You can also glean information from Google and the target’s website, details that can be used in social engineering, such as the company’s business hours, address, and headquarters, C-suite or other employee social media accounts, marketing documents (collateral, Powerpoints, white papers),  yearly/quarterly financial reports, meta data on these documents (author/software used), and Exif data (location and time) on photos (Use Exif tool).

6. MIT media labs tool called Immersion is now available publicly and can quickly help identify a key target’s email contacts and the main topics of discussion. Both MS Word’s Document Inspector and Adobe Acrobat’s Examine Document tool can scrub the metadata off your documents.

7. Internet Archive(’s Wayback Machine. I like seeing past versions of a target’s site to glean information that is no longer available on the newer site (for phishing or other less nefarious purposes). (click to open)

8. contains the most recently cached version of the target’s site: Google Cached Pages of Any Website – CachedView

9. Employee social media accounts can provide: what projects they have been working on, their location, their contacts, post writing tone and post activity, and any other metadata that can be used for social engineering. Social media photos can also have Exif data (location and time)(Use Exif tool.) Other tools include:

a. Social Engineering Toolkit – helps with social engineering attacks.
b. Creepy – geolocation tool that uses social media and file metadata about individuals to provide better information.
c. Metasploit – A LOT of tools to assist you phishing and other attacks.

10. Paid database services of public information: home address, email and social media accounts, phone numbers, details of relatives, arrest records. Example: Public Data Check | Background Reports | Criminal, Driving & Phone Records

Leave a Reply

Your email address will not be published. Required fields are marked *