Passive information gathering
DNS enumeration
Domain Name System (DNS) enumeration is the process of identifying the DNS servers and records associated with a target:
Address (A) records containing the IP addresses for domains
Mail Exchange (MX) records containing mail addresses
Canonical Name (CNAME) records used for aliasing domains and identifying subdomains within DNS records
Name Server (NS) records showthe authoritative (or main) name server for the domain
State of Authority (SOA) records have important information about the domain such as the primary name server, timestamp showing last update and the party responsible for the domain
Pointer Records (PTR) map an IPv4 address to the CNAME on the host, aka ‘reverse record’ because it connects a record with an IP address to a hostname instead of the other way around
TXT records may include additional information (e.g. configuration)
Whois
A whois lookup can be used to get general information about the domain such as the registrar, domain owner, their contact information and DNS server:
whois google.comNslookup
Nslookup (Name Server lookup) is used for querying the domain name system for DNS records:
nslookup google.comQuery DNS records using the option -type= followed by the DNS record type:
nslookup -type=A google.comUse ‘any’ as DNS record type to return all DNS records for the domain:
nslookup -type=any google.comSPF Record
A Sender Policy Framework (SPF) record is a type of DNS record that identifies which mail servers are permitted to send email on behalf of your domain. SPF records prevent spammers from sending messages with forged ‘From’ addresses from a particular domain. A receiving mail server uses the sending domain's SPF record to check if the message comes from a legitmate server.
Host
Host can be used to convert domain names to IP addresses and vice versa:
host google.comZone transfers
DNS servers usually have redundant/secondary servers which must be synced to each other. The replication method is called a zone transfer. DNS servers with zone transfers enabled to the public can reveal servers which would not be found by guessing. Zone transfers are typically disabled for DNS servers, but are still worth checking.
Check for zone transfer capability using host, use this command to retrieve the name server:
host -t ns google.comThen use the name server as an argument in the next command:
host -t axfr -l google.com ns1.google.comDig
Dig is pretty much like Host.
Retrieve MX records for the google.com domain:
dig -t mx google.comTo request all records, specify any as parameter:
dig -t any google.comTo test for zone transfers, use the following command: (zonetransfer is deliberately vulnerable)
dig axfr @nsztm1.digi.ninja zonetransfer.meFierce
Fierce tries to find name servers for the given domain and perform a zone transfer on each one. It also checks for a wildcard DNS record and guesses subdomains using an internal wordlist.
Type fierce -h for help (this works for most things):
fierce -dns google.comTo specify a custom wordlist:
fierce -dns google.com –wordlist /path/to/wordlist/Wildcard domains
A Wildcard DNS record is a DNS record that will match any request when there is no record available that explicitly matches that request. The Wildcard DNS record is uses an asterisk as the first label: *.domain.com.
For example:
www.domain.com A 1.1.1.1
vpn.domain.com A 1.1.1.2
test.domain.com A 1.1.1.3
*.domain.com A 1.1.1.1Requesting the IP for a domain that is not explicitly defined, such as xw4647.domain.com will return the wildcard response of 1.1.1.1.
Tools like Fierce will first make a request for an unlikely subdomain (e.g sffvfdghdf9w3534.google.com) before guessing common names from a wordlist to determine if wildcard domains are present.
DNSenum
DNSenum enumerates the DNS information to discover non-contiguous IP blocks. It also attempts zone transfers on DNS:
dnsenum google.comDNSrecon
DNSrecon is another automated tool for querying DNS records and attempting zone transfers.
For options, type dnsrecon -h:
dnsrecon -d google.comSublist3r
Sublist3r enumerates subdomains using popular search engines to discover subdomains for a selected domain name. It can also guess subdomains using an integrated tool named Subbrute, which uses a wordlist to enumerate DNS records and subdomains:
sublist3r -d google.comTo add brute forcing with Subbrute, use the -b option to the command and control the number of additional threads to use with the -t option:
sublist3r -d google.com -b -t 100Email harvesting
The Harvester
The Harvester is used for e-mail harvesting across several search engines. If an organization doesn't have a public employee directory, this can be a quick way to gather email addresses for phishing or searching for passwords in recent database dumps.
For example:
theharvester -d microsoft.com -b google -l 5The domain is specified by -d and the data source with -b (Google). Search results can be limited with the -l option.
Recon-ng
Recon-ng is a Metasploit-style reconnaissance framework which can harvest emails and also check data dumps for passwords:
show modules
use recon/contacts-credentials/hibp_breach
[recon-ng][default][hibp_breach] > show info
set source info@microsoft.comSimilar to Metasploit, you can select specific data dumps and set the source email to search.
Search engines
Google dorks
Google can identify subdomains for a particular website:
site:msn.com -site:www.msn.com
site:*.nextcloud.comTo exclude a specific subdomain:
site:*.nextcloud.com -site:help.nextcloud.comSocial Media
Search specific social media sites for information:
site:twitter.com orgname
site:linkedin.com orgname
site:facebook.com orgnameNon-HTML documents
Search for specific filetypes on organizational websites:
site:example.com filetype:pdfShodan
To-do
Last updated