👹
👹
👹
👹
Hacker's Grimoire
Search…
Hacker's Grimoire
Reconnaissance
Passive information gathering
Active information gathering
Exploitation
Post exploitation
Linux basics
Windows basics
Learning resources
Powered By GitBook
Passive information gathering

DNS enumeration

Domain Name System (DNS) enumeration is the process of identifying the DNS servers and records associated with a target:
  • Address (A) records containing the IP addresses for domains
  • Mail Exchange (MX) records containing mail addresses
  • Canonical Name (CNAME) records used for aliasing domains and identifying subdomains within DNS records
  • Name Server (NS) records showthe authoritative (or main) name server for the domain
  • State of Authority (SOA) records have important information about the domain such as the primary name server, timestamp showing last update and the party responsible for the domain
  • Pointer Records (PTR) map an IPv4 address to the CNAME on the host, aka ‘reverse record’ because it connects a record with an IP address to a hostname instead of the other way around
  • TXT records may include additional information (e.g. configuration)

Whois

A whois lookup can be used to get general information about the domain such as the registrar, domain owner, their contact information and DNS server:
1
whois google.com
Copied!

Nslookup

Nslookup (Name Server lookup) is used for querying the domain name system for DNS records:
1
nslookup google.com
Copied!
Query DNS records using the option -type= followed by the DNS record type:
1
nslookup -type=A google.com
Copied!
Use ‘any’ as DNS record type to return all DNS records for the domain:
1
nslookup -type=any google.com
Copied!

SPF Record

A Sender Policy Framework (SPF) record is a type of DNS record that identifies which mail servers are permitted to send email on behalf of your domain. SPF records prevent spammers from sending messages with forged ‘From’ addresses from a particular domain. A receiving mail server uses the sending domain's SPF record to check if the message comes from a legitmate server.

Host

Host can be used to convert domain names to IP addresses and vice versa:
1
host google.com
Copied!

Zone transfers

DNS servers usually have redundant/secondary servers which must be synced to each other. The replication method is called a zone transfer. DNS servers with zone transfers enabled to the public can reveal servers which would not be found by guessing. Zone transfers are typically disabled for DNS servers, but are still worth checking.
Check for zone transfer capability using host, use this command to retrieve the name server:
1
host -t ns google.com
Copied!
Then use the name server as an argument in the next command:
1
host -t axfr -l google.com ns1.google.com
Copied!

Dig

Dig is pretty much like Host.
Retrieve MX records for the google.com domain:
1
dig -t mx google.com
Copied!
To request all records, specify any as parameter:
1
dig -t any google.com
Copied!
To test for zone transfers, use the following command: (zonetransfer is deliberately vulnerable)
1
dig axfr @nsztm1.digi.ninja zonetransfer.me
Copied!

Fierce

Fierce tries to find name servers for the given domain and perform a zone transfer on each one. It also checks for a wildcard DNS record and guesses subdomains using an internal wordlist.
Type fierce -h for help (this works for most things):
1
fierce -dns google.com
Copied!
To specify a custom wordlist:
1
fierce -dns google.com –wordlist /path/to/wordlist/
Copied!

Wildcard domains

A Wildcard DNS record is a DNS record that will match any request when there is no record available that explicitly matches that request. The Wildcard DNS record is uses an asterisk as the first label: *.domain.com.
For example:
1
www.domain.com A 1.1.1.1
2
​
3
vpn.domain.com A 1.1.1.2
4
​
5
test.domain.com A 1.1.1.3
6
​
7
*.domain.com A 1.1.1.1
Copied!
Requesting the IP for a domain that is not explicitly defined, such as xw4647.domain.com will return the wildcard response of 1.1.1.1.
Tools like Fierce will first make a request for an unlikely subdomain (e.g sffvfdghdf9w3534.google.com) before guessing common names from a wordlist to determine if wildcard domains are present.

DNSenum

DNSenum enumerates the DNS information to discover non-contiguous IP blocks. It also attempts zone transfers on DNS:
1
dnsenum google.com
Copied!

DNSrecon

DNSrecon is another automated tool for querying DNS records and attempting zone transfers.
For options, type dnsrecon -h:
1
dnsrecon -d google.com
Copied!

Sublist3r

Sublist3r enumerates subdomains using popular search engines to discover subdomains for a selected domain name. It can also guess subdomains using an integrated tool named Subbrute, which uses a wordlist to enumerate DNS records and subdomains:
1
sublist3r -d google.com
Copied!
To add brute forcing with Subbrute, use the -b option to the command and control the number of additional threads to use with the -t option:
1
sublist3r -d google.com -b -t 100
Copied!

Email harvesting

The Harvester

The Harvester is used for e-mail harvesting across several search engines. If an organization doesn't have a public employee directory, this can be a quick way to gather email addresses for phishing or searching for passwords in recent database dumps.
For example:
1
theharvester -d microsoft.com -b google -l 5
Copied!
The domain is specified by -d and the data source with -b (Google). Search results can be limited with the -l option.

Recon-ng

Recon-ng is a Metasploit-style reconnaissance framework which can harvest emails and also check data dumps for passwords:
1
show modules
2
​
3
use recon/contacts-credentials/hibp_breach
4
​
5
[recon-ng][default][hibp_breach] > show info
6
​
7
set source [email protected]
Copied!
Similar to Metasploit, you can select specific data dumps and set the source email to search.

Search engines

Google dorks

Google can identify subdomains for a particular website:
1
site:msn.com -site:www.msn.com
2
​
3
site:*.nextcloud.com
Copied!
To exclude a specific subdomain:
1
site:*.nextcloud.com -site:help.nextcloud.com
Copied!

Social Media

Search specific social media sites for information:
1
site:twitter.com orgname
2
site:linkedin.com orgname
3
site:facebook.com orgname
Copied!

Non-HTML documents

Search for specific filetypes on organizational websites:
1
site:example.com filetype:pdf
Copied!

Shodan

To-do
Previous
Reconnaissance
Next
Active information gathering
Last modified 28d ago
Copy link
Contents
DNS enumeration
Whois
Nslookup
Host
Dig
Fierce
DNSenum
DNSrecon
Sublist3r
Email harvesting
The Harvester
Recon-ng
Search engines
Google dorks
Shodan