0xor1day

Passive Reconnaissance

3 min read

Passive Reconnaissance -whois, nslookup, dig -Publicly available records so they don’t alert the target

-DNSDumpster, Shodan.io -collect information about the target without directly connecting to the target

Reconnaissance(recon): a preliminary survey to gather information about a target

Passive vs. Active

  1. Passive: rely on publicly available knowledge without directly engaging with the target -Looking up DNS records of a domain from a public DNS server -Checking job ads related to the target website -Reading new articles about the target company

  2. Active: requires direct engagement with the target (Invasive) -connecting to one of the company servers (HTTP, FTP and SMTP) -calling the company in an attempt to get information (Social Engineering) -Entering company premises pretending to be someone else

Passive Recon

  1. WHOIS - request and response protocol that follows the RFC 3912 specification.
  • listens on TCP port 43 for incoming requests
  • domain registrar is responsible for maintaining the WHOIS record -Replies with various information -Registrar: which registrar is the domain name registered -contact info: name, org, address, phone -creation, update and expiration dates -name server: which server to ask to resolve the domain name

eg: whois tryhackme.com

  1. nslookup and dig nslookup - Name Server Look Up - find the IP address of a domain name

eg: nslookup tryhackme.com

nslookup [options] [DOMAIN_NAME] [Server] options: A: IPv4 addresses AAAA: IPv6 addresses CNAME: cononical name MX: mail servers SOA: Start of Authority TXT: TXT Records

DOMAIN_NAME: the domain name to be looked up

Server: Server in DNS server to query -cloudflare: 1.1.1.1 and 1.0.0.1 -google: 8.8.8.8 and 8.8.4.4 -Quad9: 9.9.9.9 and 149.112.112.112

eg: check email servers nslookup -type=MX tryhackme.com

dig: Domain Information Groper dig [@SERVER] [DOMAIN_NAME] TYPE eg: dig @1.1.1.1 tryhackme.com MX

nslookup -type=TXT thmlabs.com

  1. DNSDumpster https://dnsdumpster.com -find subdomains that are not explicitly advertised -DNSDumpster: gives detailed ansers to DNS queries revealing subdomains that would take time-consuming search to find -DNSDumpster - also provides any collected information about listening servers -even attempts to geolocate them -displays collected information graphically

  2. Shodan.io -learn about connected and exposed devices -connect to every device reachable online to build a search engine of connected “things” -result -IP address -hosting company -geographic location -server type and version Shodan.io Room on THM

Review Command Line Purpose Commandline Example Lookup WHOIS record: whois tryhackme.com Lookup DNS A records: nslookup -type=A tryhackme.com Lookup DNS MX records at DNS server: nslookup -type=MX tryhackme.com 1.1.1.1 Lookup DNS TXT records: nslookup -type=TXT tryhackme.com Lookup DNS A records: dig tryhackme.com A Lookup DNS MX records at DNS server: dig @1.1.1.1 tryhackme.com MX Lookup DNS TXT records: dig tryhackme.com TXT

Graph View