Passive information gathering

DNS enumeration

Domain Name System (DNS) enumeration is the process of identifying the DNS servers and records associated with a target:

  • Address (A and AAAA) records holding the IPv4 and IPv6 addresses for a name

  • Mail Exchange (MX) records naming the hosts that accept mail for the domain, each with a priority; these are mail servers, not mail addresses

  • Canonical Name (CNAME) records aliasing one name to another; they frequently point at third-party hosts (CDNs, SaaS providers) and so reveal both subdomains and the services behind them

  • Name Server (NS) records listing the authoritative name servers for the zone

  • Start of Authority (SOA) records holding zone-level metadata: the primary name server, the contact address of the party responsible for the zone (with the @ written as a dot), a serial number that is incremented on every change (often date-based, e.g. 2024010101) and the refresh, retry, expire and minimum TTL timers

  • Pointer (PTR) records mapping an IP address (under in-addr.arpa for IPv4, ip6.arpa for IPv6) back to a hostname, aka ‘reverse record’ because it resolves address to name instead of name to address

  • TXT records holding free-form text; in practice they carry SPF, DKIM and DMARC policies and the domain-verification tokens of third-party services, which tell you which SaaS providers the organisation uses

Whois

A whois lookup returns the registration data for a domain: registrar, creation and expiry dates, name servers and, unless a privacy service redacts them, the registrant's name and contact details. The registry's answer usually refers to the registrar's own whois server, which the whois client follows automatically and which normally carries more detail:

whois google.com

Nslookup

Nslookup (Name Server lookup) is used for querying the domain name system for DNS records:

nslookup google.com

Query DNS records using the option -type= followed by the DNS record type:

nslookup -type=A google.com

Use ‘any’ as the record type to ask for every record type at once. Since RFC 8482 many authoritative servers answer ANY with a single record or refuse it outright, so a short or empty answer does not prove that other records are absent; query the types you care about individually as well:

nslookup -type=any google.com

SPF Record

A Sender Policy Framework (SPF) record is a TXT record at the domain apex, beginning with v=spf1, that lists which mail servers are permitted to send email on behalf of the domain. A receiving mail server looks up the SPF record of the domain in the envelope sender (MAIL FROM) and checks whether the connecting server's IP is authorised, so a correctly published record makes it harder to forge that domain. The policy is only as strong as its terminating term: -all (fail) rejects unlisted senders, ~all (softfail) only marks them and +all lets anyone send. For reconnaissance the record is also an inventory of the organisation's mail infrastructure and of the third-party mail providers behind each include: term.
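As an added example (not code from the original page or from any tool it names), the following Python parses an SPF record string of the kind a TXT query returns and flags the settings a reviewer looks for: the qualifier on the terminating all term, the deprecated ptr mechanism and the RFC 7208 lookup budget. The records in SAMPLES are constructed with documentation addresses and .example names, and the lookup count covers top-level terms only, since following include: chains would need live DNS.

```python
"""Parse an SPF TXT record and flag weak or broken policies.

Added example for this page, not code from the page or any project.  The
record strings in SAMPLES are constructed with RFC 5737 documentation
addresses and .example names; they are not real published records.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Terms that cost a DNS lookup; RFC 7208 limits an evaluation to 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MODIFIER_RE = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)


@dataclass
class SpfReport:
    terms: list = field(default_factory=list)     # (qualifier, name, value)
    lookups: int = 0                              # top-level lookup terms only
    all_qualifier: Optional[str] = None           # qualifier on the 'all' term
    findings: list = field(default_factory=list)  # human-readable problems


def parse_spf(txt: str) -> SpfReport:
    r = SpfReport()
    tokens = txt.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        r.findings.append("not an SPF record: first term must be v=spf1")
        return r
    for tok in tokens[1:]:
        m = MODIFIER_RE.match(tok)
        if m:                                     # modifier: redirect=, exp=
            name, value, qualifier = m.group(1).lower(), m.group(2), ""
        else:                                     # mechanism, optional qualifier
            qualifier = "+"                       # absent qualifier means pass
            if tok[0] in "+-~?":
                qualifier, tok = tok[0], tok[1:]
            name, _, value = tok.partition(":")
            if "/" in name:                       # bare CIDR form: a/24, mx/24
                name, cidr = name.split("/", 1)
                value = value or "/" + cidr
            name = name.lower()
            if name == "all":
                r.all_qualifier = qualifier
        r.terms.append((qualifier, name, value))
        if name in LOOKUP_TERMS:
            r.lookups += 1

    # Included records add their own lookups; a full check must follow them.
    if r.lookups > 10:
        r.findings.append(f"{r.lookups} lookup terms exceed the limit of 10 (permerror)")
    if any(name == "ptr" for _, name, _ in r.terms):
        r.findings.append("ptr mechanism: deprecated by RFC 7208, slow and unreliable")
    has_redirect = any(name == "redirect" for _, name, _ in r.terms)
    if r.all_qualifier is None and not has_redirect:
        r.findings.append("no 'all' term: unlisted senders get a neutral result")
    elif r.all_qualifier == "+":
        r.findings.append("+all: any host on the internet passes SPF for this domain")
    elif r.all_qualifier == "?":
        r.findings.append("?all: neutral, equivalent to publishing no policy")
    elif r.all_qualifier == "~":
        r.findings.append("~all: softfail only tags mail; rejection depends on DMARC")
    return r


def permitted_networks(report: SpfReport) -> list[str]:
    """Literal ip4/ip6 ranges allowed to send; include/a/mx need resolving."""
    return [v for q, n, v in report.terms if n in ("ip4", "ip6") and q == "+"]


# Constructed sample records, not real published policies.
SAMPLES = {
    "strict": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
    "open":   "v=spf1 a mx ptr +all",
    "none":   "v=spf1 ip4:198.51.100.10",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        rep = parse_spf(record)
        print(f"{label}: all={rep.all_qualifier} lookups={rep.lookups} "
              f"nets={permitted_networks(rep)} findings={rep.findings}")
```

Feed it the quoted string from a TXT answer; a domain with several v=spf1 records is itself a permerror, so check that you only received one before parsing.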

Host

Host can be used to convert domain names to IP addresses and vice versa:

host google.com

Zone transfers

Authoritative DNS is normally served by a primary and one or more secondary servers that must hold identical zone data. The replication mechanism is a zone transfer (AXFR), a query that returns the entire zone. A server that answers AXFR for anyone hands over every record at once, including hosts that no wordlist would have guessed. Properly configured servers restrict transfers to the addresses of their secondaries, so most attempts are refused, but it costs nothing to check every name server: often only one of them is misconfigured.

To check with host, first retrieve the name servers for the domain:

host -t ns google.com

Then request the transfer from each name server in turn (-l performs the AXFR; add -a to print every record type instead of only NS, PTR and address records):

host -l google.com ns1.google.com

Dig

Dig is the more detailed counterpart of host: it prints the full answer in zone presentation format (name, TTL, class, type, rdata) together with the response status and the server that answered, which makes its output the easiest to script against.

Retrieve MX records for the google.com domain:

dig -t mx google.com

To request all records, specify any as the type (many servers now answer ANY minimally or refuse it, so query specific types as well):

dig -t any google.com

To test for zone transfers, point dig at one of the zone's name servers with the axfr query type. zonetransfer.me is a deliberately misconfigured test domain run by DigiNinja that permits transfers, so it is a safe target to try this on:

dig axfr @nsztm1.digi.ninja zonetransfer.me
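The host and dig procedures above (retrieve the NS records, then request AXFR from each server) automated in Python, as an added example rather than code from the page or from dig. It assumes dig is on PATH and that a refused transfer prints 'Transfer failed.'; the transfer text in SAMPLE_AXFR is a constructed zone so the parsing runs offline, and passing a domain on the command line (zonetransfer.me, for instance) runs it live.

```python
"""Attempt AXFR against every authoritative server for a zone and summarise
what a successful transfer exposes.

Added example for this page; not code from the page, from dig or from any
other tool.  It shells out to the dig binary (assumed to be on PATH, as on
Kali).  SAMPLE_AXFR is a constructed transfer of a made-up zone, used for
the offline run; pass a domain on the command line to run it live.
"""
from __future__ import annotations

import subprocess
import sys
from collections import defaultdict

RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}


def nameservers(domain: str) -> list[str]:
    """NS records of the zone via the system resolver (dig +short ns)."""
    out = subprocess.run(["dig", "+short", "ns", domain],
                         capture_output=True, text=True, check=False).stdout
    return sorted(line.rstrip(".") for line in out.split())


def axfr(domain: str, ns: str, timeout: int = 10) -> str:
    """Ask one server for the whole zone; returns dig's stdout verbatim."""
    cmd = ["dig", "axfr", f"@{ns}", domain, f"+time={timeout}", "+tries=1"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def parse_zone(text: str) -> dict[str, list[tuple[str, str]]]:
    """Parse dig's presentation format: NAME TTL CLASS TYPE RDATA.

    Comment lines (';') and blanks are skipped, and the closing SOA that
    terminates every AXFR is de-duplicated.  A refused transfer prints
    'Transfer failed.' and no records, so the result is {}.
    """
    records: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN" or parts[3] not in RECORD_TYPES:
            continue
        name, rtype, rdata = parts[0].rstrip("."), parts[3], parts[4].strip()
        if (rtype, rdata) not in records[name]:
            records[name].append((rtype, rdata))
    return dict(records)


def transfer_allowed(text: str) -> bool:
    return "Transfer failed" not in text and bool(parse_zone(text))


def hosts_with_addresses(records: dict) -> dict[str, list[str]]:
    """Owner names that resolve to an address: the list worth port-scanning."""
    out = {}
    for name, rrs in records.items():
        addrs = [rdata for rtype, rdata in rrs if rtype in ("A", "AAAA")]
        if addrs:
            out[name] = addrs
    return out


# Constructed sample of what dig prints for a permitted transfer (not a real zone).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.test example.test
example.test.\t300\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 1209600 300
example.test.\t300\tIN\tNS\tns1.example.test.
example.test.\t300\tIN\tNS\tns2.example.test.
example.test.\t300\tIN\tMX\t10 mail.example.test.
www.example.test.\t300\tIN\tA\t192.0.2.10
mail.example.test.\t300\tIN\tA\t192.0.2.20
vpn-backup.example.test.\t300\tIN\tA\t198.51.100.5
intranet.example.test.\t300\tIN\tCNAME\tvpn-backup.example.test.
example.test.\t300\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 1209600 300
"""


def report(domain: str, ns: str, output: str) -> None:
    status = "AXFR allowed" if transfer_allowed(output) else "refused"
    print(f"{ns}: {status}")
    for host, addrs in hosts_with_addresses(parse_zone(output)).items():
        print(f"  {host:40} {' '.join(addrs)}")


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # live: python3 axfr_check.py zonetransfer.me
        for ns in nameservers(sys.argv[1]):
            report(sys.argv[1], ns, axfr(sys.argv[1], ns))
    else:                                       # offline: the constructed sample
        report("example.test", "ns1.example.test", SAMPLE_AXFR)
```

Only A/AAAA owners are listed for scanning; CNAME targets like intranet above still matter, since the alias name itself may be what a virtual host or TLS certificate expects.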

Fierce

Fierce looks up the name servers for the given domain and attempts a zone transfer against each one. It also checks for a wildcard DNS record, then guesses subdomains from an internal wordlist and runs reverse lookups on the addresses around each hit to find neighbouring hosts.

Type fierce -h for the full option list. The basic scan (this is the classic Perl fierce; the Python rewrite takes --domain instead of -dns):

fierce -dns google.com

To specify a custom wordlist (a file with one label per line):

fierce -dns google.com -wordlist /path/to/wordlist

Wildcard domains

A wildcard DNS record answers any query for a name under the domain that has no explicit record of its own. It uses an asterisk as the leftmost label: *.domain.com.

For example:

www.domain.com     A      1.1.1.1

vpn.domain.com     A      1.1.1.2

test.domain.com    A      1.1.1.3

*.domain.com       A      1.1.1.1

Requesting the IP for a name that is not explicitly defined, such as xw4647.domain.com, returns the wildcard answer 1.1.1.1. Note that www.domain.com shares that address, so by address alone its answer cannot be told apart from the wildcard's.

Tools like Fierce therefore start by resolving a random, implausible name (e.g. sffvfdghdf9w3534.google.com). If it resolves, a wildcard is present and every later wordlist hit that returns the same address is discarded as noise; only names resolving to something else are reported as real subdomains.
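The check just described, written out as an added example (not Fierce's own code): detect the wildcard with random labels, then run a wordlist while separating the hits that merely echo the wildcard address. The resolver is passed in as a function; fake_resolve serves a constructed zone matching the table above, and system_resolve is the live replacement. One simplification is assumed: the fake zone ignores DNS's closer-encloser rule for wildcards.

```python
"""Wildcard detection and wildcard-aware subdomain guessing.

Added example for this page; it is not Fierce's code.  The resolver is a
parameter so the logic can run offline against a constructed zone that
mirrors the table in this section; system_resolve is the live drop-in.
The wildcard model here is simplified (no 'closer encloser' rule).
"""
from __future__ import annotations

import secrets
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]   # hostname -> IPv4 string, or None on NXDOMAIN


def system_resolve(name: str) -> Optional[str]:
    """Live resolver using the OS stub resolver."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> set[str]:
    """Resolve a few random labels that cannot exist.  Any answer is the
    wildcard's; a set is returned because wildcards may round-robin."""
    answers = set()
    for _ in range(probes):
        ip = resolve(f"{secrets.token_hex(8)}.{domain}")
        if ip:
            answers.add(ip)
    return answers


def brute_force(domain: str, words, resolve: Resolver) -> tuple[dict[str, str], list[str]]:
    """Try every word as a label.  Returns (confirmed {name: ip}, wildcard_hits).

    A hit whose address equals the wildcard answer cannot be distinguished
    from a non-existent name by address alone, so it is reported separately
    rather than as a confirmed host.  This is the trade-off Fierce makes when
    it skips wildcard responses: real records sharing the IP are dropped too.
    """
    wildcard_ips = detect_wildcard(domain, resolve)
    confirmed, wildcard_hits = {}, []
    for word in words:
        name = f"{word}.{domain}"
        ip = resolve(name)
        if ip is None:
            continue
        if ip in wildcard_ips:
            wildcard_hits.append(name)
        else:
            confirmed[name] = ip
    return confirmed, wildcard_hits


# Constructed zone reproducing the section's example table.
ZONE = {
    "www.domain.com": "1.1.1.1",
    "vpn.domain.com": "1.1.1.2",
    "test.domain.com": "1.1.1.3",
}
WILDCARDS = {"domain.com": "1.1.1.1"}       # *.domain.com


def fake_resolve(name: str) -> Optional[str]:
    """Exact record first, else the nearest ancestor wildcard, else NXDOMAIN."""
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in WILDCARDS:
            return WILDCARDS[parent]
    return None


if __name__ == "__main__":
    words = ["www", "vpn", "test", "mail"]
    print("wildcard:", detect_wildcard("domain.com", fake_resolve))
    confirmed, hits = brute_force("domain.com", words, fake_resolve)
    print("confirmed:", confirmed)
    print("indistinguishable from wildcard:", hits)
```

Against the table's zone, www.domain.com lands in the wildcard bucket together with the non-existent mail.domain.com; to rescue such names, compare something other than the address (an HTTP response, a TLS certificate name) before discarding them.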

DNSenum

DNSenum gathers the zone's NS, MX and A records, attempts a zone transfer on each name server, brute-forces subdomains from a wordlist and then runs reverse lookups over the netblocks it finds, which is how it discovers non-contiguous IP blocks belonging to the target:

dnsenum google.com

DNSrecon

DNSrecon is another automated tool for querying DNS records and attempting zone transfers.

For options, type dnsrecon -h:

dnsrecon -d google.com

Sublist3r

Sublist3r collects subdomains for a given domain from popular search engines and third-party indexes such as VirusTotal and DNSdumpster. It can also brute-force names with the bundled Subbrute, which resolves candidate labels from a wordlist:

sublist3r -d google.com

To add brute forcing with Subbrute, use the -b option to the command and control the number of additional threads to use with the -t option:

sublist3r -d google.com -b -t 100

Email harvesting

The Harvester

theHarvester collects e-mail addresses (and hostnames) for a domain from several search engines and public sources. If an organization doesn't have a public employee directory, this is a quick way to gather addresses for phishing or for looking up passwords in recent database dumps.

For example:

theharvester -d microsoft.com -b google -l 5

The domain is specified by -d and the data source with -b (Google). Search results can be limited with the -l option.

Recon-ng

Recon-ng is a Metasploit-style reconnaissance framework which can harvest emails and also check data dumps for passwords:

show modules

use recon/contacts-credentials/hibp_breach

show info

set source info@microsoft.com

Like Metasploit, you load a module, inspect its options with show info, set the source (here a single e-mail address; by default the module takes every address already in the contacts table) and run it. The hibp_breach module queries Have I Been Pwned and needs an API key registered with recon-ng's keys command before it will return results.

Search engines

Google dorks

Google's site: operator lists the indexed pages of a domain; excluding the main site leaves the other subdomains:

site:msn.com -site:www.msn.com

site:*.nextcloud.com

To exclude a specific subdomain:

site:*.nextcloud.com -site:help.nextcloud.com

Social Media

Search specific social media sites for information:

site:twitter.com orgname
site:linkedin.com orgname
site:facebook.com orgname

Non-HTML documents

Search for specific filetypes on organizational websites:

site:example.com filetype:pdf

Shodan

To-do
