Footprinting, Reconnaissance, Scanning, and Enumeration
- "Do I Know This Already?" Quiz
- Footprinting
- Scanning
- Summary
- Exam Preparation Tasks
- Review All Key Topics
- Define Key Terms
- Exercises
- Review Questions
- Suggested Reading and Resources
This chapter covers the following topics:
Footprinting: The process of accumulating data about a specific network environment, usually for the purpose of mapping the attack surface and finding ways to intrude into the environment. Fingerprinting can be categorized as either active or passive. Active fingerprinting is more accurate but also more easily detected. Passive fingerprinting identifies systems without injecting traffic or packets into the network. EC-Council defines footprinting as part of a larger process known as reconnaissance.
Reconnaissance: An information-gathering stage of a hacking process that collects data about the target system. The goal of reconnaissance is to identify as many potential attack vectors as possible. Data collected from reconnaissance can include security policies, network infrastructure (such as IP address range and subnet mask), employee contact details (such as email addresses and phone numbers) and host information (such as operating system type and version). All these can be used to find vulnerabilities.
Scanning: The identification of active machines, accomplished by means of ping sweeps and port scans. Both help determine whether a machine is actively connected to the network and reachable. After all details of a network and its operations have been recorded, the attacker can identify vulnerabilities that could allow access or act as an entry point.
Enumeration: A technique for extracting valid usernames, machine names, directory names, and so on, from a system. It yields detailed information about a target system, such as operating system and network details, that attackers can use to exploit vulnerabilities. Enumeration can be used in both an offensive and a defensive manner, and it is important in ethical hacking because it provides the information needed to launch an attack.
This chapter introduces you to two of the most important pre-attack phases: footprinting and scanning. Although these steps don’t constitute breaking in, they occur at the point at which a hacker or ethical hacker will start to get information. The goal here is to discover what a hacker or other malicious user can uncover about the organization, its technical infrastructure, locations, employees, policies, security stance, and financial situation. Just as most hardened criminals don’t rob a jewelry store without preplanning, elite hackers and cybercriminals won’t attack a network before they understand what they are up against. Even script kiddies will do some pre-attack reconnaissance as they look for a target of opportunity. For example, think of how a burglar walks around a building to look for entry points.
This chapter begins by looking at a number of general mechanisms individuals can use to passively gain information about an organization without alerting it. It also discusses interactive scanning techniques and reviews their benefits. Note that in this context, the goal of scanning is to discover open ports and applications. The chapter concludes with attack surface mapping techniques.
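The scanning described above has a defender's counterpart: the TCP flag combinations that distinguish SYN (half-open), FIN, Null and XMAS probes can be recognised in traffic records, and a source that touches many distinct ports on one host reveals a port sweep. The following Python script is an added example, not code from the book; the flow records, IP addresses and the `port_threshold` value are constructed for illustration.

```python
from collections import defaultdict

# Flag sets that identify the scan types covered in this chapter.
# A record's flags field is comma-separated, or "-" when no flags are set.
SCAN_SIGNATURES = {
    frozenset(): "NULL",
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "URG", "PSH"}): "XMAS",  # the "Christmas tree" probe
}

def classify_probe(flags: str) -> str:
    """Return the scan type implied by a packet's TCP flags, or 'normal'."""
    flagset = frozenset(f for f in flags.split(",") if f and f != "-")
    if flagset in SCAN_SIGNATURES:
        return SCAN_SIGNATURES[flagset]
    if flagset == {"SYN"}:
        return "SYN"  # half-open probe, but also how every real connection starts
    return "normal"

def detect_scanners(records, port_threshold=10):
    """Report NULL/FIN/XMAS probes at once (they never occur in a legitimate
    handshake); count lone SYNs per (src, dst) to expose a port sweep."""
    ports = defaultdict(set)
    findings = []
    for line in records:
        src, dst, dport, flags = line.split()
        kind = classify_probe(flags)
        if kind in ("NULL", "FIN", "XMAS"):
            findings.append((src, dst, kind))
        if kind != "normal":
            ports[(src, dst)].add(int(dport))
    for (src, dst), seen in ports.items():
        if len(seen) >= port_threshold:
            findings.append((src, dst, f"port sweep ({len(seen)} ports)"))
    return findings

# Constructed sample records ("src dst dport flags"): one host walking
# ports 1-12 with bare SYNs, one XMAS probe, one Null probe, and an
# ordinary connection that completes its handshake.
SAMPLE = [f"10.0.0.5 10.0.0.20 {p} SYN" for p in range(1, 13)] + [
    "10.0.0.7 10.0.0.20 80 FIN,URG,PSH",
    "10.0.0.8 10.0.0.20 22 -",
    "10.0.0.9 10.0.0.20 443 SYN",
    "10.0.0.9 10.0.0.20 443 ACK",
]

if __name__ == "__main__":
    for finding in detect_scanners(SAMPLE):
        print(finding)
```

In real deployments the threshold and the time window it applies to are tuned to the network; a single SYN to one port is never evidence on its own.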
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 3-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”
Table 3-1 “Do I Know This Already?” Section-to-Question Mapping
| Foundation Topics Section | Questions |
|---|---|
| Footprinting | 1–8 |
| Scanning | 9–15 |
1. Where should an ethical hacker start the information-gathering process?
a. Interview with company
b. Dumpster diving
c. Company’s website
d. Interview with employees
2. What common Windows and Linux tool is used for port scanning?
a. Hping
b. Amap
c. Nmap
d. SuperScan
3. What does the Nmap -sT switch do?
a. UDP scan
b. ICMP scan
c. TCP full connect scan
d. TCP ACK scan
4. Which of the following would be considered outside the scope of footprinting and information gathering?
a. Finding physical addresses
b. Attacking targets
c. Identifying potential targets
d. Reviewing a company website
5. During a security assessment, you are asked to help with a footprinting activity. Which of the following might be used to determine network range?
a. ARIN
b. DIG
c. Traceroute
d. Ping host
6. You have been asked to gather some specific information during a penetration test. The “intitle” string is used for what activity?
a. Traceroute
b. Google search
c. Website query
d. Host scanning
7. During a footprinting exercise, you have been asked to gather information from APNIC and LACNIC. What are these examples of?
a. IPv6 options
b. DHCP servers
c. DNS servers
d. RIRs
8. CNAMEs are associated with which of the following?
a. ARP
b. DNS
c. DHCP
d. Google hacking
9. Which of the following TCP scan types is also known as the half-open scan?
a. FIN scan
b. XMAS scan
c. SYN scan
d. Null scan
10. What scan is also known as a zombie scan?
a. IDLE scan
b. SYN scan
c. FIN scan
d. Stealth scan
11. What is the TCP port scan that is used to toggle on the FIN, URG, and PSH TCP flags?
a. XMAS scan
b. Null scan
c. ACK scan
d. None of these answers are correct
12. You were hired to perform penetration testing for a local school. You discovered an FTP server in the network. What type of FTP scan technique would make the scan harder to trace?
a. FTP bounce scan
b. FTP stealth SYN scan
c. FTP null scan
d. Slowloris FTP scan
13. Which of the following tools can be used to enumerate systems that are running NetBIOS?
a. Nmap
b. nbtscan
c. Metasploit
d. All of these answers are correct
14. What type of information can you obtain when successfully enumerating insecure SNMP systems?
a. Network interface configuration
b. The device hostname and current time
c. The device IP routing table
d. All of these answers are correct
15. What SMTP command can be used to verify whether a user’s email mailbox exists in an email server?
a. EXPN
b. VRFY
c. RCPT
d. None of these answers are correct
