Passive information gathering

DNS enumeration

Domain Name System (DNS) enumeration is the process of identifying the DNS servers and records associated with a target:

  • Address (A) records containing the IP addresses for domains

  • Mail Exchange (MX) records containing the mail server hostnames for the domain

  • Canonical Name (CNAME) records used for aliasing domains and identifying subdomains within DNS records

  • Name Server (NS) records show the authoritative (or main) name servers for the domain

  • Start of Authority (SOA) records hold important information about the domain, such as the primary name server, a timestamp showing the last update and the party responsible for the domain

  • Pointer (PTR) records map an IP address back to a hostname, aka ‘reverse record’ because they connect an IP address to a hostname instead of the other way around

  • TXT records may include additional information (e.g. configuration)


A whois lookup can be used to get general information about the domain such as the registrar, domain owner, their contact information and DNS server:



Nslookup (Name Server lookup) is used for querying the domain name system for DNS records:


Query DNS records using the option -type= followed by the DNS record type:

nslookup -type=A

Use ‘any’ as DNS record type to return all DNS records for the domain:

nslookup -type=any

SPF Record

A Sender Policy Framework (SPF) record is a type of DNS record (a TXT record) that identifies which mail servers are permitted to send email on behalf of your domain. SPF records prevent spammers from sending messages with forged ‘From’ addresses from a particular domain. A receiving mail server uses the sending domain's SPF record to check if the message comes from a legitimate server.
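As an added example (not code from the original notes), the check a receiving mail server performs can be reproduced in a few lines of Python. The TXT records below are constructed stand-ins for live DNS answers, the domains are documentation names, and only the ip4, ip6, include and all mechanisms are evaluated; a, mx, ptr and exists need live DNS and are reported as unsupported here. The RFC 7208 limit of ten DNS-querying mechanisms is enforced, which is also the check to run against your own record, since an over-long include chain makes receivers return permerror and silently drop SPF protection.

```python
import ipaddress

# Constructed TXT records standing in for live DNS answers (documentation domains, not real records).
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "nospf.example": ["some unrelated txt record"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # broken record: includes itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check


def get_spf(domain, txt_records):
    """Return the domain's single SPF record, or None when it is absent or duplicated."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def check_spf(domain, sender_ip, txt_records=TXT_RECORDS, _lookups=None):
    """Evaluate sender_ip against the SPF record of domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    lookups = _lookups if _lookups is not None else [0]  # shared counter across includes
    record = get_spf(domain, txt_records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, sender_ip, txt_records, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2: include of a missing record is permerror
            # fail/softfail/neutral from the included record: keep evaluating this record
        else:
            return "permerror"  # a/mx/ptr/exists need live DNS; unsupported in this example
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for sender in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(sender, "->", check_spf("example.com", sender))
    print("loop.example ->", check_spf("loop.example", "192.0.2.1"))
```

Running the module shows 192.0.2.55 and 198.51.100.10 passing (the first directly, the second through the include), 203.0.113.7 failing on the trailing -all, and loop.example returning permerror once the include chain exceeds ten lookups.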


Host can be used to convert domain names to IP addresses and vice versa:


Zone transfers

DNS servers usually have redundant/secondary servers which must be synced to each other. The replication method is called a zone transfer. DNS servers with zone transfers enabled to the public can reveal servers which would not be found by guessing. Zone transfers are typically disabled for DNS servers, but are still worth checking.

To check for zone transfer capability using host, first retrieve the name servers for the domain:

host -t ns

Then use the name server as an argument in the next command:

host -t axfr -l


Dig is pretty much like Host.

Retrieve MX records for the domain:

dig -t mx

To request all records, specify any as parameter:

dig -t any

To test for zone transfers, use the following command (zonetransfer is deliberately vulnerable):

dig axfr


Fierce tries to find name servers for the given domain and perform a zone transfer on each one. It also checks for a wildcard DNS record and guesses subdomains using an internal wordlist.

Type fierce -h for help (this works for most things):

fierce -dns

To specify a custom wordlist:

fierce -dns --wordlist /path/to/wordlist/

Wildcard domains

A Wildcard DNS record is a DNS record that will match any request when there is no record available that explicitly matches that request. The Wildcard DNS record uses an asterisk as its first label: *

For example: A A A
* A

Requesting the IP for a domain that is not explicitly defined, such as will return the wildcard response of

Tools like Fierce will first make a request for an unlikely subdomain (e.g. a random label) before guessing common names from a wordlist, to determine whether wildcard domains are present.
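The wildcard check described above, written out in Python as an added example (not Fierce's code and not part of the original notes). The zone below is constructed from documentation names, and `resolve` stands in for a real A-record lookup; the detection logic itself is the same heuristic Fierce applies: answers that match the wildcard response are discarded, everything else is a real subdomain.

```python
import secrets

# Constructed zone standing in for live DNS answers; documentation names, not real hosts.
ZONE = {
    "example.com": "192.0.2.1",
    "www.example.com": "192.0.2.1",
    "mail.example.com": "192.0.2.25",
    "dev.example.com": "192.0.2.50",
    "*.example.com": "192.0.2.99",  # wildcard: answers for every otherwise-undefined name
}


def resolve(name, zone=ZONE):
    """Minimal A-record lookup with wildcard semantics (RFC 1034 section 4.3.3)."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    # A wildcard only applies when no closer, explicit record exists
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None  # NXDOMAIN


def detect_wildcard(domain, resolver=resolve, probes=3):
    """Query a few random labels; if all of them resolve, a wildcard record is present.

    Returns the set of wildcard answers, or None when any probe gives NXDOMAIN.
    """
    answers = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex characters: an unlikely subdomain
        answer = resolver(f"{label}.{domain}")
        if answer is None:
            return None
        answers.add(answer)
    return answers


def enumerate_subdomains(domain, wordlist, resolver=resolve):
    """Guess names from a wordlist, keeping only answers not explained by the wildcard."""
    wildcard = detect_wildcard(domain, resolver) or set()
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        answer = resolver(name)
        if answer is None or answer in wildcard:
            continue  # NXDOMAIN, or just the wildcard answering: not a real subdomain
        found[name] = answer
    return found


if __name__ == "__main__":
    words = ["www", "mail", "dev", "ftp", "vpn"]
    print("wildcard answers:", detect_wildcard("example.com"))
    for host, ip in enumerate_subdomains("example.com", words).items():
        print(host, ip)
```

With the wildcard in place, ftp and vpn resolve to 192.0.2.99 and are filtered out, leaving www, mail and dev. The limitation of the heuristic is visible in the zone: a genuine host whose address happens to equal the wildcard answer would be filtered away too, which is one reason a zone transfer, where permitted, gives a more complete picture than guessing.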


DNSenum enumerates the DNS information to discover non-contiguous IP blocks. It also attempts zone transfers on DNS:



DNSrecon is another automated tool for querying DNS records and attempting zone transfers.

For options, type dnsrecon -h:

dnsrecon -d


Sublist3r enumerates subdomains using popular search engines to discover subdomains for a selected domain name. It can also guess subdomains using an integrated tool named Subbrute, which uses a wordlist to enumerate DNS records and subdomains:

sublist3r -d

To add brute forcing with Subbrute, add the -b option to the command and control the number of additional threads with the -t option:

sublist3r -d -b -t 100

Email harvesting

The Harvester

The Harvester is used for e-mail harvesting across several search engines. If an organization doesn't have a public employee directory, this can be a quick way to gather email addresses for phishing or searching for passwords in recent database dumps.

For example:

theharvester -d -b google -l 5

The domain is specified by -d and the data source with -b (Google). Search results can be limited with the -l option.


Recon-ng is a Metasploit-style reconnaissance framework which can harvest emails and also check data dumps for passwords:

show modules
use recon/contacts-credentials/hibp_breach
[recon-ng][default][hibp_breach] > show info
set source

Similar to Metasploit, you can select specific data dumps and set the source email to search.

Search engines

Google dorks

Google can identify subdomains for a particular website:

To exclude a specific subdomain:


Social Media

Search specific social media sites for information: orgname orgname orgname

Non-HTML documents

Search for specific filetypes on organizational websites: filetype:pdf