
Passive Reconnaissance

5 min read · Oct 29, 2022

Amit Pandit

Photo by Lori K. Baker on research.asu.edu

Introduction

Reconnaissance is the first and most important step in hacking. It is the process of discovering and collecting as much information as possible about the target system or organization.

After proper recon, an attacker can plan the rest of the attack strategy against the target, including social engineering and technical attacks.

There are two main types of Reconnaissance:

Passive Reconnaissance — the process in which an attacker collects information that is already publicly available, without directly engaging with the target, and that might later be used against it

Active Reconnaissance — the process in which an attacker interacts directly with the target system to collect information

Here I am going to cover Passive Reconnaissance in detail.

Passive reconnaissance includes activities such as looking up DNS records on public DNS servers, checking ads and posts related to the organization, reading news articles about the target, checking publicly available certificates, visiting social media pages and browsing its website as a normal user.

Let’s discuss the tools and services that are actually used.

WHOIS

WHOIS is a protocol for fetching the WHOIS record of a domain name from the domain registrar. A WHOIS record includes a lot of crucial information, such as:

  • Registrar: the registrar through which the domain name was registered
  • Registrant details: name, organization, address, phone, email, etc. (these can be hidden by activating a paid privacy service)
  • Creation, update and expiration dates of the domain
  • Name servers: which DNS servers are used for name resolution

We can simply use the whois client tool (installed by default in Kali) to fetch all of this information for a domain. Its syntax is whois DOMAIN_NAME
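The record fields listed above are exactly what a domain owner should be reviewing on their own domains. The following Python is an added example (not code from the original post or from the whois tool): it parses the “Key: Value” text that whois prints into a dict, then reviews it from the defender’s side for an approaching expiry date, registrant contact details that are still publicly visible, too few name servers and an unsigned DNSSEC status. The sample record is constructed for the example; the field names follow the common registry output format, and the privacy markers and thresholds are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of what `whois example.com` prints (all values are made up).
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registry Domain ID: 000000_DOMAIN_COM-EXAMPLE
   Registrar: Example Registrar, Inc.
   Registrar IANA ID: 9999
   Updated Date: 2022-09-01T10:15:00Z
   Creation Date: 2010-03-12T08:00:00Z
   Registry Expiry Date: 2022-12-15T08:00:00Z
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: admin@example.com
   Name Server: NS1.EXAMPLE-DNS.NET
   Name Server: NS2.EXAMPLE-DNS.NET
   DNSSEC: unsigned
>>> Last update of whois database: 2022-10-29T12:00:00Z <<<
"""

MULTI_VALUED = {"Name Server", "Domain Status"}      # keys that legitimately repeat
PRIVACY_MARKERS = ("REDACTED", "PRIVACY", "PROXY", "RDDS")   # assumed markers of a hidden field
CONTACT_FIELDS = ("Registrant Name", "Registrant Organization",
                  "Registrant Email", "Registrant Phone")


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; repeated keys such as Name Server become lists."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and registrar banners / comment lines.
        if not line or line.startswith((">>>", "%", "#")):
            continue
        key, sep, value = line.partition(":")   # split on the FIRST colon only (URLs contain ':')
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in MULTI_VALUED:
            record.setdefault(key, []).append(value)
        else:
            record.setdefault(key, value)       # first occurrence wins
    return record


def parse_date(value):
    """Registry timestamps are ISO 8601 in UTC, e.g. 2022-12-15T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_redacted(value):
    return any(marker in value.upper() for marker in PRIVACY_MARKERS)


def review_record(record, today_iso, expiry_warning_days=60):
    """Return the findings a domain owner would act on; today_iso is 'YYYY-MM-DD'."""
    today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    findings = []
    days_left = (parse_date(record["Registry Expiry Date"]) - today).days
    if days_left < expiry_warning_days:
        findings.append(f"domain expires in {days_left} days")
    for field in CONTACT_FIELDS:                # contact data not hidden by a privacy service
        value = record.get(field)
        if value and not is_redacted(value):
            findings.append(f"{field} is publicly visible: {value}")
    if len(record.get("Name Server", [])) < 2:
        findings.append("fewer than two name servers delegated")
    if record.get("DNSSEC", "").lower() == "unsigned":
        findings.append("DNSSEC: unsigned")
    return findings


if __name__ == "__main__":
    for finding in review_record(parse_whois(SAMPLE_WHOIS), "2022-10-29"):
        print(finding)
```

In practice you would pipe the real output of whois DOMAIN_NAME into parse_whois; the review function is intentionally conservative and only reads fields that are present, since different registries label things slightly differently.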

NSLOOKUP

Nslookup stands for Name Server Lookup; it is used for querying the Domain Name System to fetch the DNS records of a domain.
There are different types of DNS records stored in the Domain Name System.

The syntax is nslookup -type=record_type DOMAIN_NAME SERVER. SERVER is the DNS server we want to get the result from; it can be any local or public DNS server, for example:

  • 1.1.1.1 or 1.0.0.1 for Cloudflare
  • 8.8.8.8 or 8.8.4.4 for Google
  • 9.9.9.9 or 149.112.112.112 for Quad9

For example, nslookup -type=A example.com 1.1.1.1 will fetch all the IPv4 (A) records for the domain (example.com) from the specified DNS server (1.1.1.1). Likewise, we can use MX instead of A to fetch the Mail Exchange servers, which can be essential for further investigation.

DIG

Dig stands for Domain Information Groper. It also fetches DNS records from a domain name server (it does the same thing as nslookup), but it is my personal favorite tool because it returns more information than the other tools. The syntax is dig -t record_type DOMAIN_NAME @SERVER
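To show what nslookup and dig actually put on the wire when you ask a resolver such as 1.1.1.1 for an A or MX record, here is an added Python example (not code from the original post, nslookup or dig). It builds the RFC 1035 query message by hand, parses the reply including name compression pointers, and decodes A, MX, NS and CNAME answers; the query() helper sends it over UDP to a public resolver, while the two sample replies are constructed byte-for-byte so the parser can be exercised offline. The 192.0.2.1 address is a documentation address, not a real host.

```python
import socket
import struct

# Record types the post mentions plus a few common ones (RFC 1035 / RFC 3596 type codes).
RECORD_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {code: name for name, code in RECORD_TYPES.items()}


def encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, rtype, txid=0x1234):
    """Build the message 'nslookup -type=<rtype> <name>' sends: 12-byte header + one question.

    Flags 0x0100 sets RD (recursion desired), which is what a stub resolver sends
    to a recursive server such as 1.1.1.1 or 8.8.8.8.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", RECORD_TYPES[rtype], 1)  # QCLASS 1 = IN
    return header + question


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past the name)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2   # the name in the record ends after the pointer itself
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Parse the header and answer section into (name, type, ttl, value) tuples."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):           # skip the echoed question(s): name + QTYPE + QCLASS
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == RECORD_TYPES["A"]:
            value = socket.inet_ntoa(rdata)
        elif rtype == RECORD_TYPES["MX"]:
            preference = struct.unpack("!H", rdata[:2])[0]
            exchange, _ = decode_name(msg, offset + 2)   # may point back into the message
            value = f"{preference} {exchange}"
        elif rtype in (RECORD_TYPES["NS"], RECORD_TYPES["CNAME"]):
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def query(name, rtype, server="1.1.1.1", timeout=3.0):
    """Send the query over UDP to a resolver and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, rtype), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply)


# Constructed reply to "MX example.com": two MX answers; 0xC00C is a pointer to the
# name at offset 12 (inside the question), exactly as real resolvers compress names.
SAMPLE_MX_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 15, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 300, 9) + struct.pack("!H", 10) + b"\x04mail\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 300, 11) + struct.pack("!H", 20) + b"\x06backup\xc0\x0c"
)

# Constructed reply to "A example.com" carrying a documentation address (TEST-NET-1).
SAMPLE_A_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    for sample in (SAMPLE_A_RESPONSE, SAMPLE_MX_RESPONSE):
        for record in parse_response(sample)["answers"]:
            print(record)
```

Running query("example.com", "MX") against a live resolver returns the same tuple shape as the constructed sample, which makes it easy to compare answers from several public resolvers (Cloudflare, Google, Quad9) against the records you expect your own domain to publish.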

DNSDUMPSTER

DNSDumpster is an online domain research tool. Its speciality is that it also discovers hidden subdomains (host information) along with the other DNS record information (DNS servers, MX records, TXT records and host records) for a domain, presented in a well organized manner. It also tries to resolve domain names to IP addresses and even tries to find their geolocation.

To use it, just go to ‘https://dnsdumpster.com/’ and enter the target domain in the search box; a single search is enough to fetch all of the information mentioned above.

IOT SEARCH ENGINES

There are IoT search engines such as Shodan, Censys and natlas that let us search for various types of systems connected to the internet, and the services running on them, using different filters. They can be used for a variety of things, such as mapping and gathering information about internet-connected devices, or even learning about a target client’s network without being part of that network.

These search engines can provide a lot of information about any internet-connected device, such as its IP address, hosting company, geographical location, server type, open ports, running services, versions and more.

Visit ‘https://help.shodan.io/the-basics/search-query-fundamentals’ to learn more about Shodan.

FULLHUNT

FullHunt is also an online tool; it claims to be the attack surface database of the entire Internet. It searches for all the internet-facing assets of a given domain and scans them for open services, ports and technologies. It also tries to identify possible attack surfaces and vulnerabilities for the organization.

GITHUB GREP

Grep.app is an online search engine for GitHub repositories; it presents a list of repositories that match our search query. It can be important for finding hidden or openly exposed information in source code and discovering sensitive data such as API keys, database credentials, FTP credentials and much more.

SUBLIST3R

Sublist3r is a Python-based tool that helps find the subdomains of a website using open-source intelligence. It gathers information from open sources such as search engines (Google, Bing, Yahoo), Netcraft, VirusTotal, DNSDumpster, ThreatCrowd and ReverseDNS.

CERTIFICATE SEARCH — CRT

Crt.sh is an online website that indexes the certificate transparency logs of registered domains. It can be used to find subdomains, since it provides details of every domain and subdomain that has had a certificate logged, including the certificate issuer name. To use it we only need to enter a domain in the search box.
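The same certificate transparency data is what a defender uses to catch hosts and certificates they did not know about. Below is an added Python example (not code from the original post or from crt.sh) that parses crt.sh-style JSON, splits the newline-separated name_value field into individual hostnames, and then diffs the result against an approved host inventory and an approved list of CA issuers. The sample JSON is constructed; the field names (name_value, common_name, issuer_name, not_after) follow crt.sh’s JSON output as I understand it, and the fetch_crtsh() URL with the %25 wildcard and output=json is an assumption about that service’s interface.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed crt.sh-style JSON for example.com (field names follow crt.sh; values are made up).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Example CA, CN=Example R1",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2022-09-01T00:00:00", "not_after": "2022-11-30T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Example CA, CN=Example R1",
     "common_name": "staging.example.com", "name_value": "staging.example.com\n*.dev.example.com",
     "not_before": "2022-10-01T00:00:00", "not_after": "2022-12-30T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Other CA, CN=Other G2",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com",
     "not_before": "2020-01-01T00:00:00", "not_after": "2021-01-01T00:00:00"},
])


def fetch_crtsh(domain):
    """Download the JSON for a domain and all its subdomains (needs network access)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"   # %25 is a URL-encoded '%' wildcard
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def certificates(json_text):
    """Return one (names, issuer, not_after) tuple per logged certificate."""
    result = []
    for entry in json.loads(json_text):
        # name_value holds every SAN of the certificate, one per line; normalise to lower case.
        names = {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}
        names.add(entry["common_name"].strip().lower())
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        result.append((names, entry["issuer_name"], not_after))
    return result


def subdomains_from_crtsh(json_text):
    """The set of hostnames (including wildcards) that appear in any logged certificate."""
    names = set()
    for cert_names, _, _ in certificates(json_text):
        names |= cert_names
    return names


def unexpected_names(json_text, approved_hosts):
    """Hostnames with a logged certificate that are missing from the approved inventory."""
    return sorted(n for n in subdomains_from_crtsh(json_text) if n not in approved_hosts)


def unexpected_issuers(json_text, approved_issuers):
    """CAs that issued for the domain but are not the ones the organization uses."""
    return sorted({issuer for _, issuer, _ in certificates(json_text)
                   if issuer not in approved_issuers})


def active_certificates(json_text, today_iso):
    """Certificates still valid on today_iso ('YYYY-MM-DD'); expired ones are history only."""
    today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    return [(sorted(names), issuer) for names, issuer, not_after in certificates(json_text)
            if not_after >= today]


if __name__ == "__main__":
    approved = {"example.com", "www.example.com"}
    print("not in inventory:", unexpected_names(SAMPLE_CRTSH_JSON, approved))
    print("unexpected issuers:", unexpected_issuers(SAMPLE_CRTSH_JSON, {"C=US, O=Example CA, CN=Example R1"}))
```

A wildcard such as *.dev.example.com is deliberately kept in the output rather than expanded: a defender wants to know that a wildcard certificate exists for a zone, even though crt.sh cannot tell you which hosts under it are live.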

EMAIL SEARCH

Hunter.io and phonebook.cz can be used to find email addresses associated with a company’s domain.

WAPPALYZER

Wappalyzer is a browser extension that gives instant information about a website’s technology stack, such as its CMS, CDN, framework, e-commerce platform, JavaScript libraries and programming languages, just by visiting the website.

WAYBACK MACHINE

The Wayback Machine is a digital archive of the World Wide Web; it allows us to go ‘back in time’ and see how websites looked in the past. This can be a great help in figuring out the technologies in use by looking at previous versions, and in finding mistakes in the website that have been removed in recent updates. To use it, just go to ‘https://archive.org/web/’ and search for the target’s URL.

I have covered most of the useful tools and techniques used in the industry for passive reconnaissance, and some of them are my personal favorites. But there are many more tools that might prove useful under certain circumstances. I recommend researching all of them and picking what works for you!

While performing a penetration test or red team assessment, these techniques are helpful for gathering various pieces of information about a client’s system or network without actively connecting to it. But they can also be used on the defensive side, to find leaked information and exposed services belonging to the organization and fix them.

Hope you liked it; if so, do follow me on Medium and connect with me on LinkedIn: https://www.linkedin.com/in/amit-pandit-a7b304236
