Without performing reconnaissance (information gathering) on the target, both threat actors and penetration testers will have difficulties moving on to the later phases of the Cyber Kill Chain. Hence, ethical hackers and penetration testers must conduct extensive research into gathering as much information as possible to create a profile of their target. Reconnaissance can be divided into two categories:

- Passive: Uses an indirect approach and does not engage the target to gather information.
- Active: Directly engages the target to gather specific details.

Footprinting:
Footprinting is part of the reconnaissance phase; however, since footprinting can provide more specific details about the target, we can consider footprinting to be a subset of the reconnaissance phase.
Follow the footprints!!!!
Footprinting allows a penetration tester to understand the security posture of the target infrastructure, quickly identify security vulnerabilities on the target systems and networks, create a network map of the organization, and reduce the area of focus to the specific IP addresses, domain names, and the types of devices regarding which information is required.

- Collecting network information (domain names, IP addressing schemes, and network protocols)
- Collecting system information (user and group names, routing tables, and system names)
- Collecting organization information (employee details, company directory, and location details)
Difference between Recon and footprinting:
Despite being a subset of reconnaissance, footprinting goes a lot deeper in gathering information without actively interacting with the target. Comparing passive recon with footprinting makes this clearer: in passive recon we just look for basic information that is available online at a surface level, while footprinting takes it a step further. Here are some useful steps for deeper footprinting:

- Checking search engines such as Yahoo, Bing, and Google
- Performing Google hacking/dorking techniques (advanced Google searches)
- Information gathering through social media platforms such as Facebook, LinkedIn, Instagram, and Twitter
- Footprinting the company’s website
- Performing email footprinting techniques
- Using WHOIS databases to retrieve domain information
- Performing Domain Name System (DNS) footprinting
- Network footprint techniques
- Social engineering techniques

Try to use as many OSINT techniques as you can, at a deeper level, collecting and carrying forward a good level of information. No piece of information is too small; everything counts.