
Information Gathering

Introduction

Passive Information Gathering

Website Recon & Footprinting

What are we looking for:
  • IP Addresses
  • Directories hidden from search engines
  • Names
  • Email addresses
  • Phone Numbers
  • Physical addresses
  • Web technologies being used

# The whatis command is used to get brief information about Linux commands or functions.
whatis host
host hackersploit.org
About /robots.txt
https://hackersploit.org/robots.txt
sitemaps.org
https://hackersploit.org/sitemap.xml
https://hackersploit.org/sitemaps.xml

Whois Enumeration

Homepage | Kali Linux Tools

Website Footprinting With Netcraft

Homepage | Kali Linux Tools

DNS Recon

TO-DO

Create a list of DNS record types. Ex: AAAA, TXT, NS, MX...

dnsrecon (cli tool)

DNSRecon

DNSRecon is a Python script that provides the ability to perform:

  • Check all NS Records for Zone Transfers.
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  • Perform common SRV Record Enumeration.
  • Top Level Domain (TLD) Expansion.
  • Check for Wildcard Resolution.
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist.
  • Perform a PTR Record lookup for a given IP Range or CIDR.
  • Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file to check.
  • Enumerate Hosts and Subdomains using Google.

DNSRecon Homepage
dnsrecon | Kali Linux Tools

dnsrecon -d hackersploit.org

dnsdumpster.com (web tool)

DNSdumpster

DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attacker's perspective is an important part of the security assessment process.

DNSdumpster Homepage

WAF With wafw00f

WAFW00F

This package identifies and fingerprints Web Application Firewall (WAF) products using the following logic:

  • Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
  • If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
  • If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to the attacks.

WAFW00F Homepage
wafw00f | Kali Linux Tools

wafw00f hackersploit.org
# -a / --findall: test for all possible WAF instances instead of stopping at the first match
wafw00f hackersploit.org -a

Subdomain Enumeration With Sublist3r

Sublist3r

This package contains a Python security tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting over the network. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

Sublist3r Homepage
sublist3r | Kali Linux Tools

sudo apt install sublist3r
sublist3r -d hackersploit.org
sublist3r -d hackersploit.org -e google,yahoo

Google Dorks

TO-DO

Google Dorks Ex:

Google Homepage
Google Hacking Database

site:ine.com
site:ine.com inurl:admin
site:*.ine.com
site:*.ine.com inurl:admin
site:*.ine.com intitle:admin
site:*.ine.com filetype:pdf
site:ine.com instructors
intitle:index of

cache:ine.com
waybackmachine -> https://archive.org/web/

inurl:auth_user_file.txt
inurl:passwd.txt

Email Harvesting With theHarvester

theHarvester

The package contains a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/banners, and employee names from different public sources (search engines, PGP key servers).

theHarvester Homepage
theHarvester | Kali Linux Tools

theHarvester -d hackersploit.org -b google,linkedin

Leaked Password Databases

';--have i been pwned?

Active Information Gathering

DNS Zone Transfers

DNS

  • Domain Name System (DNS) is a protocol that is used to resolve domain names/hostnames to IP addresses.
  • During the early days of the internet, users had to remember the IP addresses of the sites they wanted to visit; DNS resolves this issue by mapping domain names (easier to recall) to their respective IP addresses.
  • A DNS server (nameserver) is like a telephone directory that contains domain names and their corresponding IP addresses.
  • A plethora of public DNS servers have been set up by companies like Cloudflare (1.1.1.1) and Google (8.8.8.8). These DNS servers contain the records of almost all domains on the internet.

DNS Records

  • A - Resolves a hostname or domain to an IPv4 address.
  • AAAA - Resolves a hostname or domain to an IPv6 address.
  • NS - Reference to the domain's nameserver.
  • MX - Resolves a domain to a mail server.
  • CNAME - Used for domain aliases.
  • TXT - Text record.
  • HINFO - Host information.
  • SOA - Domain authority.
  • SRV - Service records.
  • PTR - Resolves an IP address to a hostname.

DNS Interrogation

  • DNS interrogation is the process of enumerating DNS records for a specific domain.
  • The objective of DNS interrogation is to probe a DNS server to provide us with DNS records for a specific domain.
  • This process can provide us with important information like the IP address of a domain, subdomains, mail server addresses, etc.

DNS Zone Transfer

  • In certain cases, DNS server admins may want to copy or transfer zone files from one DNS server to another. This process is known as a zone transfer.
  • If misconfigured and left unsecured, this functionality can be abused by attackers to copy the zone file from the primary DNS server to another DNS server.
  • A DNS Zone transfer can provide penetration testers with a holistic view of an organization's network layout.
  • Furthermore, in certain cases, internal network addresses may be found on an organization's DNS servers.

ZoneTransfer.me Homepage

dnsenum zonetransfer.me
dig axfr @nsztm1.digi.ninja zonetransfer.me
fierce -dns zonetransfer.me
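As an added example (not part of the original notes or of any of the tools above), the following Python parses the zone-file style lines that `dig axfr` prints, groups them by the record types listed in the DNS Records section, and flags A/AAAA records that point into private address space, which is exactly the internal-address leak the zone-transfer notes warn about. The zone content is constructed for this example; the names, addresses and TTLs are made up.

```python
"""Parse dig-axfr-style zone output and summarise what a zone transfer exposes."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `dig axfr @ns zone` output for a made-up zone.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
example.test.        7200  IN  SOA   ns1.example.test. hostmaster.example.test. 2024010101 172800 900 1209600 3600
example.test.        7200  IN  NS    ns1.example.test.
example.test.        7200  IN  MX    10 mail.example.test.
example.test.        300   IN  TXT   "v=spf1 mx -all"
ns1.example.test.    7200  IN  A     203.0.113.10
mail.example.test.   7200  IN  A     203.0.113.25
www.example.test.    300   IN  CNAME example.test.
example.test.        300   IN  A     203.0.113.80
example.test.        300   IN  AAAA  2001:db8::80
intranet.example.test. 300 IN  A     10.10.0.5
vpn.example.test.    300   IN  A     172.16.4.1
_sip._tcp.example.test. 300 IN SRV  10 60 5060 sip.example.test.
;; Query time: 31 msec
"""

# One resource record per line: owner, TTL, class IN, type, rdata.
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")

# RFC 1918 (IPv4) and RFC 4193 (IPv6) ranges; checked explicitly rather than via
# ip_address().is_private so documentation space such as 2001:db8::/32 is not flagged.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_zone(text):
    """Return (name, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m["name"].rstrip("."), m["type"], m["data"].strip()))
    return records


def records_by_type(records):
    """Group records by type, e.g. {'A': [(name, rdata), ...], 'MX': [...]}."""
    grouped = defaultdict(list)
    for name, rtype, data in records:
        grouped[rtype].append((name, data))
    return dict(grouped)


def internal_hosts(records):
    """A/AAAA records whose address lies in private space: internal hosts the zone reveals."""
    leaks = []
    for name, rtype, data in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(data)
        except ValueError:
            continue
        if any(addr in net for net in PRIVATE_NETS):
            leaks.append((name, str(addr)))
    return leaks


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_AXFR)
    for rtype, entries in sorted(records_by_type(recs).items()):
        print(f"{rtype:5} {len(entries)} record(s)")
    for name, addr in internal_hosts(recs):
        print(f"internal address exposed: {name} -> {addr}")
```

Run the same functions over the real output of `dig axfr @nsztm1.digi.ninja zonetransfer.me` (saved to a file) to see the record mix and internal-address exposure for a zone that intentionally allows transfers; on your own nameservers, an empty transfer from an unauthorised client is the result you want.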

Info

sudo vim /etc/hosts

Host Discovery With Nmap

nmap

Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques, version detection (determine service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and command-line modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.

Nmap Homepage
Nmap | Kali Linux Tools

ip a s
sudo nmap -sn 192.168.2.0/24
sudo netdiscover -i eth0 -r 192.168.2.0/24

Port Scanning With Nmap

# default nmap scan
nmap 10.4.19.218
# skip host discovery (treat the host as up) when ping probes are blocked
nmap -Pn 10.4.19.218
# tcp ports
 # all ports
nmap -Pn -p- 10.4.19.218
 # selected ports
nmap -Pn -p 80,445,3389 10.4.19.218
 # port range
nmap -Pn -p1-100 10.4.19.218
 # fast scan (100 most common ports)
nmap -Pn -F 10.4.19.218
# udp ports
nmap -Pn -sU 10.4.19.218
# fast scan with verbosity
nmap -Pn -F 10.4.19.218 -v
# service version detection
nmap -Pn -F -sV 10.4.19.218
# OS detection
nmap -Pn -F -sV -O 10.4.19.218 -v
# run the default NSE scripts
nmap -Pn -F -sV -O -sC 10.4.19.218 -v
# aggressive scan (-A enables -sV, -O, -sC and --traceroute)
nmap -Pn -F -A 10.4.19.218 -v
# timing template (-T5 is the fastest and the least accurate)
nmap -Pn -F -T5 -sV -O -sC 10.4.19.218 -v
# output to file (normal / XML)
nmap -Pn -F 10.4.19.218 -oN test.txt
nmap -Pn -F 10.4.19.218 -oX test.xml
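The `-oX` output above is the form worth keeping, because it can be read back programmatically. As an added example (not part of the original notes or of Nmap itself), the Python below parses an nmap XML report, lists only the open ports with their detected service and version, and compares them against an expected-exposure baseline so that anything listening that should not be stands out. The XML is constructed for this example in the shape `nmap -sV -oX` produces, trimmed to the elements read here; the host, ports and versions are made up, and the baseline dictionary is an assumption of what the host is supposed to expose.

```python
"""Read an nmap -oX report and flag open ports outside an expected baseline."""
import xml.etree.ElementTree as ET

# Constructed nmap XML (shape of `nmap -Pn -F -sV -oX`), not a real scan result.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -Pn -F -sV -oX scan.xml 10.4.19.218" version="7.94">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.4.19.218" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="128"/>
        <service name="http" product="Microsoft IIS httpd" version="10.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="open" reason="syn-ack" reason_ttl="128"/>
        <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack" reason_ttl="128"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="ms-wbt-server" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return {ipv4_addr: [(port, protocol, service_name, product_and_version), ...]}
    containing only ports whose <state> is 'open'."""
    root = ET.fromstring(xml_text)
    report = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            detail = " ".join(p for p in parts if p)
            entries.append((int(port.get("portid")), port.get("protocol"), name, detail))
        report[addr_el.get("addr")] = entries
    return report


def unexpected_ports(report, baseline):
    """Open (port, protocol) pairs not listed in baseline[host]; a host absent from
    the baseline is treated as allowed nothing, so every open port is reported."""
    findings = {}
    for host, entries in report.items():
        allowed = baseline.get(host, set())
        extra = [e for e in entries if (e[0], e[1]) not in allowed]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    # Assumed baseline: this host is only supposed to expose HTTP and SMB.
    baseline = {"10.4.19.218": {(80, "tcp"), (445, "tcp")}}
    report = open_ports(SAMPLE_NMAP_XML)
    for host, extra in unexpected_ports(report, baseline).items():
        for port, proto, name, detail in extra:
            print(f"{host}: unexpected {port}/{proto} {name} {detail}".rstrip())
```

To use it on a real scan, replace `SAMPLE_NMAP_XML` with the contents of `test.xml` from the `-oX` command above and fill the baseline from the service inventory for that host; a diff between two reports taken days apart catches newly opened ports the same way.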

Homepage | Kali Linux Tools

Windows Recon: Nmap Host Discovery

Conclusion