Footprinting is essential for scoping your target, as it will give you an idea of what sort of systems you’re attacking, what public IP ranges your target owns (attack surface), what domains
Footprinting is focused on *passive* reconnaissance. You will learn as much as you can indirectly about the target first. Then, you will have very controlled direct interaction with the target in the semi-passive phase. Semi-passive footprinting should be largely indistinguishable from normal traffic (e.g., do some DNS queries or look at their webpage, but don’t do brute-force reverse DNS lookups or hardcore crawling of every page).
The idea is not to touch the target organization until you’ve gathered enough info indirectly.
For example, if you see the target company is looking to hire Oracle DBAs on LinkedIn or Dice, then you can guess what sort of databases they’re running 🙂
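The line drawn above between a few ordinary DNS queries and brute-force reverse DNS lookups is also what a defender sees in resolver logs. As an added example (not part of the original page), this sketch flags clients that sweep PTR records; the log format, the 60-second window and the threshold of 20 distinct addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log, format assumed: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_LOG = [
    "1700000000 198.51.100.7 A www.example.com.",
    "1700000005 198.51.100.7 PTR 10.2.0.192.in-addr.arpa.",
    "1700000030 198.51.100.7 MX example.com.",
] + [f"{1700000100 + i} 203.0.113.50 PTR {i}.2.0.192.in-addr.arpa."
     for i in range(1, 41)]  # one client walking 192.0.2.1-40 in 40 seconds


def ptr_target(qname):
    """Return the IPv4 address a reverse-lookup name refers to, or None."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None


def find_ptr_sweeps(lines, window=60, threshold=20):
    """Map client -> peak count of distinct PTR targets seen in any window."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "PTR" or not parts[0].isdigit():
            continue  # skip malformed lines and non-PTR queries
        target = ptr_target(parts[3])
        if target is not None:
            events[parts[1]].append((int(parts[0]), target))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = peak = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({addr for _, addr in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    print(find_ptr_sweeps(SAMPLE_LOG))
```

The client that makes a single PTR query among ordinary lookups stays below the threshold, which is why low-volume lookups blend into normal traffic while a sweep stands out.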