# Disboard #
  • Reconnaissance
    • Quick Guide
    • Ports and Protocols
    • Passive Reconnaissance
    • Active Reconnaissance
  • Web
    • OWASP Top 10
    • OWASP API
    • SQL Injection
      • Microsoft SQL Injection
    • Cross Site Scripting
    • Browser Vulnerabilities
    • Steganography
    • Fuzzing
  • Linux
    • Privilege Escalation
    • Hydra
    • Password Cracking
    • Docker
    • Program Life Cycle
    • Snort
  • Windows
    • Privilege Escalation
    • Active Directory
    • Powershell
  • Exploitation
    • Shells
      • Upgrading Shells
    • Metasploit
      • Meterpreter
    • KOTH
    • Source Code Review
  • Hack the Box
    • ARCHETYPE
    • BASE
    • BASHED
    • EXPLORE
    • NIBBLES
  • Try Hack Me
    • ADVENTURE TIME
    • HACKFINITY
    • MOTHER'S SECRET
    • OFFSEC
    • POSTEXPLOIT
    • ROASTED
    • TEMPEST
    • TRAVERSE
  • CompTIA
    • Network
      • 1.0 Networking Fundamentals
      • 2.0 Network Implementations
      • 3.0 Network Operations
      • 4.0 Network Security
      • 5.0 Network Troubleshooting
    • PenTest
  • SIEM
    • Splunk
    • Elastic
  • Wireless
    • Wi-Fi Hacking
  • Other
    • PicoCTF
    • SSH Tunneling
    • Life Hacks
    • My Pokémon API
    • Github
Powered by GitBook
On this page
  • WHOIS
  • NSLookup
  • Dig
  • Online Resources
  1. Reconnaissance

Passive Reconnaissance

https://tryhackme.com/room/passiverecon

PreviousPorts and ProtocolsNextActive Reconnaissance

Last updated 1 year ago

"If you know the enemy and know yourself, your victory will not stand in doubt" - Sun Tzu

Passive reconnaissance relies on publicly available knowledge, it can be accessed from public resources without directly engaging with the target. This includes:

  • Looking up DNS records of a domain from a public DNS server

  • Checking job ads related to a target website

  • Reading news articles about the target company

WHOIS

WHOIS is a request and response protocol commonly applied in querying databases which contain stored registered assignees or users of an Internet resource. This includes an IP address block, domain names, or an autonomous system. Some important output lines to note include:

  • Registrar: Via which registrar was the domain name registered?

  • Contact info of registrant: Name, organization, address, phone, etc. of registrant

  • Creation, update, and expiration dates: When was the domain name first registered; updated; when does it need to be renewed?

  • Name Server: Which server to ask to resolve the domain name?

Command: whois $DOMAIN_NAME

Note that due to automated tools abusing WHOIS queries to harvest email addresses, many WHOIS services take measures against it

NSLookup

The nslookup (name server look up) tool is a web based DNS client that queries DNS records for a given domain name.

Cmd: nslookup $OPTIONS $DOMAIN_NAME $SERVER

  • $OPTIONS contains the query type as shown in the following table, for instance 'A' is used for IPv4 addresses and 'AAAA' for IPv6 addresses

  • $DOMAIN_NAME is the domain name being searched

  • $SERVER is the DNS server that is to be queried, this can be any local or public DNS server - examples include Cloudflare (1.1.1.1 and 1.0.0.1), Google (8.8.8.8 and 8.8.4.4), and Quad9 (9.9.9.9 and 149.112.112.112)

Query Type
Result

A

IPv4 Address

AAAA

IPv6 Address

CNAME

Canonical Name

MX

Mail Servers

SOA

Start of Authority

TXT

TXT Records

Example: nslookup -type=A website.com 1.1.1.1

Dig

The dig (domain information groper) command is a flexible tool for interrogating DNS name servers. It's often used for more advanced DNS queries and additional functionality.

Cmd: dig $SERVER $DOMAIN_NAME $TYPE

  • $SERVER is the DNS server to be queried

  • $DOMAIN_NAME is the domain name being searched

  • $TYPE contains the DNS record type

Online Resources

Online service that offers detailed answers to DNS queries, will returned collected information in easy to read tables and graphs. It will provide any collected information about listening servers, subdomains, and respective IP addresses.

Connects to every device reachable online to build a search engine of connected "things" in contrast with a search engine for web pages. It collects all the information related to the service and saves it in a database to make it searchable.

DNSDumpster:

ShodanIO:

https://dnsdumpster.com/
https://www.shodan.io/