Reconnaissance

(recon) a preliminary survey to gather information about a target.

If you are playing the role of an attacker, you need to gather information about your target systems. If you are playing the role of a defender, you need to know what your adversary will discover about your systems and networks.

It is the first step in The Unified Kill Chain to gain an initial foothold on a system.

Reconnaissance (recon) can be classified into two parts:

  1. Passive Recon: can be carried out by watching passively
  2. Active Recon: requires interacting with the target to provoke it in order to observe its response.

Passive Reconnaissance

In passive reconnaissance, you rely on publicly available knowledge.

It is the knowledge that you can access from publicly available resources without directly engaging with the target.

Think of it like you are looking at target territory from afar without stepping foot on that territory.

Passive reconnaissance activities include many activities, for instance:

  • Looking up DNS records of a domain from a public DNS server.
  • Checking job ads related to the target website.
  • Reading news articles about the target company.

Active Reconnaissance

Active reconnaissance, on the other hand, cannot be achieved so discreetly.

It requires direct engagement with the target.

Think of it like you check the locks on the doors and windows, among other potential entry points.

Active recon can be classified as:

  1. External Recon: Conducted outside the target’s network and focuses on the externally facing assets accessible from the Internet. One example is running Nikto from outside the company network.
  2. Internal Recon: Conducted from within the target company’s network. In other words, the pentester or red teamer might be physically located inside the company building. In this scenario, they might be using an exploited host on the target’s network. An example would be using Nessus to scan the internal network using one of the target’s computers.

Examples of active reconnaissance activities include:

  • Connecting to one of the company servers such as HTTP, FTP, and SMTP.
  • Calling the company in an attempt to get information (social engineering).
  • Entering company premises pretending to be a repairman.

Considering the invasive nature of active reconnaissance, one can quickly get into legal trouble unless one obtains proper legal authorisation.

Nessus

a vulnerability scanner developed by Tenable Network Security, designed to scan hosts and subnets for network-level and service-level vulnerabilities.

Nmap

a network scanning and audit tool that allows the user to monitor or observe the network-level posture of a host by providing data about open ports and services running on these ports.

Various features of Nmap include:

  • Host discovery
  • Scan techniques
  • Port specification and scan order
  • Service or version detection
  • Script scan
  • OS detection
  • Timing and performance
  • Evasion and spoofing
  • Output
  • Target specification

WHOIS

a request and response protocol to get information about a domain name.

A WHOIS server listens on TCP port 43 for incoming requests. The domain registrar is responsible for maintaining the WHOIS records for the domain names it is leasing.

The WHOIS server replies with various information related to the domain requested, including:

  • Registrar: Via which registrar was the domain name registered?
  • Contact info of registrant: Name, organisation, address, phone, among other things (unless made hidden via a privacy service).
  • Creation, update, and expiration dates: When was the domain name first registered? When was it last updated? And when does it need to be renewed?
  • Name Server: Which server to ask to resolve the domain name?

In particular, we are able to get the DNS servers from the registrar.

Example: whois tanducmai.com
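As an added example (not part of the original notes), the POSIX shell functions below pull out of a WHOIS reply the fields a defender reviewing their own external footprint cares about most: registrar, creation and expiry dates, and the authoritative name servers. SAMPLE_WHOIS is a constructed reply for the placeholder domain example.com, embedded so the script runs offline; whois_summary_live pipes a real whois query through the same parser. The label names (Registrar, Creation Date, Registry Expiry Date, Name Server) follow the common registry format, but registries differ, so whois_expiry_date tries a few labels.

```shell
#!/bin/sh
# Added example: summarise the parts of a WHOIS reply that matter for an
# external-footprint review. Parsing reads stdin, so it works on saved output
# as well as on a live `whois` result.

# Constructed WHOIS reply for the placeholder domain example.com (not real data).
SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Creation Date: 2015-03-01T00:00:00Z
   Updated Date: 2023-02-15T10:11:12Z
   Registry Expiry Date: 2026-03-01T00:00:00Z
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   Name Server: ns1.example.net
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: REDACTED FOR PRIVACY'

# Print every value of the given label (case-insensitive), one per line.
# Lines are split at the first colon only, so timestamps keep their colons.
whois_values() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    {
      i = index($0, ":"); if (i == 0) next
      k = tolower(substr($0, 1, i - 1)); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k != key) next
      v = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
      if (v != "") print v
    }'
}

# First value of a label, or nothing if the reply lacks it.
whois_field() { whois_values "$1" | head -n 1; }

# Authoritative name servers, lower-cased, trailing dot removed, de-duplicated.
whois_nameservers() {
  whois_values "Name Server" | tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u
}

# Expiry date as YYYY-MM-DD. Registries label it differently, so try several
# labels; stdin is buffered because each lookup consumes the whole input.
whois_expiry_date() {
  text=$(cat)
  for label in "Registry Expiry Date" "Expiry Date" "Expiration Date"; do
    d=$(printf '%s\n' "$text" | whois_field "$label")
    [ -n "$d" ] && { printf '%s\n' "$d" | cut -c1-10; return 0; }
  done
  return 0
}

# "yes" if the expiry date is before the reference date ($1, YYYY-MM-DD),
# "no" otherwise, "unknown" if no expiry date was found. ISO dates compare as strings.
whois_expired_by() {
  exp=$(whois_expiry_date)
  [ -n "$exp" ] || { echo unknown; return 0; }
  awk -v e="$exp" -v r="$1" 'BEGIN { print (e < r) ? "yes" : "no" }'
}

# Human-readable summary of a WHOIS reply read from stdin.
whois_summary() {
  text=$(cat)
  printf 'Registrar:   %s\n' "$(printf '%s\n' "$text" | whois_field Registrar)"
  printf 'Created:     %s\n' "$(printf '%s\n' "$text" | whois_field 'Creation Date')"
  printf 'Expires:     %s\n' "$(printf '%s\n' "$text" | whois_expiry_date)"
  printf 'Name servers:\n'
  printf '%s\n' "$text" | whois_nameservers | sed 's/^/  /'
}

# Live wrapper: needs network access and the whois client, e.g. whois_summary_live example.com
whois_summary_live() { whois "$1" | whois_summary; }

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_WHOIS" | whois_summary
```

The expiry check is the defender's reason for scripting this at all: a domain that lapses can be re-registered by someone else, so comparing whois_expiry_date against today's date (date -u +%Y-%m-%d) for every domain you own is a cheap scheduled check.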

nslookup

(Name Server Look Up) find the IP address of a domain name.

You need to issue the command nslookup DOMAIN_NAME, for example, nslookup tanducmai.com. Or, more generally, you can use nslookup OPTIONS DOMAIN_NAME SERVER. These three main parameters are:

  1. OPTIONS contains the query type as shown in the table below.
  2. DOMAIN_NAME is the domain name you are looking up.
  3. SERVER is the DNS server that you want to query. You can choose any local or public DNS server to query.
    • Cloudflare offers 1.1.1.1 and 1.0.0.1
    • Google offers 8.8.8.8 and 8.8.4.4
    • Quad9 offers 9.9.9.9 and 149.112.112.112.
    • There are many more public DNS servers that you can choose from if you want alternatives to your ISP’s DNS servers.

Query type    Result
A             IPv4 Addresses
AAAA          IPv6 Addresses
CNAME         Canonical Name
MX            Mail Servers
SOA           Start of Authority
TXT           TXT Records

For instance, nslookup -type=A tryhackme.com 1.1.1.1 (or nslookup -type=a tryhackme.com 1.1.1.1 as it is case-insensitive) can be used to return all the IPv4 addresses used by tryhackme.com.

dig

(Domain Information Groper) allows for more advanced DNS queries and additional functionality (compared to nslookup).

We can use dig DOMAIN_NAME, but to specify the record type, we would use dig DOMAIN_NAME TYPE. Optionally, we can select the server we want to query using dig @SERVER DOMAIN_NAME TYPE.

host

another useful alternative for querying DNS servers for DNS records.
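Added example, not from the original notes: a small POSIX shell helper that runs dig +noall +answer for each record type in the nslookup table above and reduces the answer section to "TYPE rdata" lines, so the public DNS footprint of a domain you are responsible for can be reviewed or diffed over time. SAMPLE_ANSWER is a constructed dig answer section for the placeholder domain example.com using documentation addresses (192.0.2.0/24 and 2001:db8::/32), so the parsing part runs offline; dig_answer and dns_footprint perform the live queries and are the only parts that need the network.

```shell
#!/bin/sh
# Added example: collect and normalise DNS records with dig.
# `dig +noall +answer` prints one line per record:
#   NAME  TTL  CLASS  TYPE  RDATA...
# The parser keys on the TYPE column, and types are upper-cased first, so
# "a", "A" and "mx" all work, as with nslookup -type=a / -type=A.

# Constructed answer section for the placeholder domain example.com (not a real query).
SAMPLE_ANSWER='example.com.    3600    IN    A       192.0.2.10
example.com.    3600    IN    AAAA    2001:db8::10
example.com.    3600    IN    MX      10 mail.example.com.
example.com.    3600    IN    MX      20 mail2.example.com.
example.com.    3600    IN    TXT     "v=spf1 mx -all"
example.com.    3600    IN    NS      ns1.example.net.'

# Upper-case a record type so it matches dig's TYPE column.
norm_type() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# RDATA of every record of the given type, from answer lines on stdin.
# Fields 5..NF are re-joined with single spaces (runs of whitespace inside
# a TXT string are collapsed, which is fine for review purposes).
answer_values() {
  awk -v t="$(norm_type "$1")" '
    NF >= 5 && $4 == t {
      out = $5; for (i = 6; i <= NF; i++) out = out " " $i
      print out
    }'
}

# Distinct record types present in the answer, in order of first appearance.
answer_types() { awk 'NF >= 5 && !seen[$4]++ { print $4 }'; }

# Rewrite answer lines as "TYPE rdata" for easy grepping and diffing.
answer_flatten() {
  awk 'NF >= 5 { out = $4; for (i = 5; i <= NF; i++) out = out " " $i; print out }'
}

# Live query: dig_answer DOMAIN TYPE [SERVER]; SERVER is an optional resolver such as 1.1.1.1.
dig_answer() {
  if [ -n "${3:-}" ]; then
    dig "@$3" +noall +answer "$1" "$(norm_type "$2")"
  else
    dig +noall +answer "$1" "$(norm_type "$2")"
  fi
}

# Query every type from the nslookup table (plus NS) and print "TYPE rdata" lines:
#   dns_footprint yourdomain.example          (system resolver)
#   dns_footprint yourdomain.example 1.1.1.1  (Cloudflare)
dns_footprint() {
  for t in A AAAA CNAME MX SOA TXT NS; do
    dig_answer "$1" "$t" "${2:-}" | answer_flatten
  done
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_ANSWER" | answer_flatten
```

Saving the output of dns_footprint for each of your domains and diffing it against the previous run is a simple way to notice a record somebody added or changed outside your change process; the same flattened format is what an attacker's passive lookup would see, which is exactly the point of checking it yourself.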

traceroute

traces the route taken by the packets from our system to the target host.

  • Unix-like systems: traceroute
  • MS Windows systems: tracert

It provides the routers (hops) connecting us to the target system. It’s worth stressing that some routers don’t respond to the packets sent by traceroute, and as a result, we do not see their IP addresses.

DNSDumpster

DNS lookup tools, such as nslookup and dig, cannot find subdomains on their own. The domain you are inspecting might include a different subdomain that can reveal much information about the target. For instance, if tryhackme.com has the subdomains wiki.tryhackme.com and webmail.tryhackme.com, you want to learn more about these two as they can hold a trove of information about your target. There is a possibility that one of these subdomains has been set up and is not updated regularly. Lack of proper regular updates usually leads to vulnerable services. But how can we know that such subdomains exist?

We can consider using multiple search engines to compile a list of publicly known subdomains. One search engine won’t be enough; moreover, we should expect to go through at least tens of results to find interesting data. After all, you are looking for subdomains that are not explicitly advertised, so they will not necessarily make it to the first page of search results. Another approach to discover such subdomains would be to rely on brute-forcing queries to find which subdomains have DNS records.

To avoid such a time-consuming search, one can use an online service that offers detailed answers to DNS queries, such as DNSDumpster. If we search DNSDumpster for tryhackme.com, we will discover the subdomain blog.tryhackme.com, which a typical DNS query cannot provide. In addition, DNSDumpster will return the collected DNS information in easy-to-read tables and a graph. DNSDumpster will also provide any collected information about listening servers.

We will search for tryhackme.com on DNSDumpster to give you a glimpse of the expected output. Among the results, we got a list of DNS servers for the domain we are looking up. DNSDumpster also resolved the domain names to IP addresses and even tried to geolocate them. We can also see the MX records; DNSDumpster resolved all five mail exchange servers to their respective IP addresses and provided more information about the owner and location. Finally, we can see TXT records. Practically a single query was enough to retrieve all this information.

DNSDumpster will also represent the collected information graphically. DNSDumpster displayed the data from the table earlier as a graph, in which you can see the hosts and their resolved addresses.

Shodan.io

When you are tasked to run a penetration test against specific targets, as part of the passive reconnaissance phase, a service like Shodan.io can be helpful to learn various pieces of information about the client’s network, without actively connecting to it. Furthermore, on the defensive side, you can use different services from Shodan.io to learn about connected and exposed devices belonging to your organisation.

Shodan.io tries to connect to every device reachable online to build a search engine of connected “things” in contrast with a search engine for web pages. Once it gets a response, it collects all the information related to the service and saves it in the database to make it searchable.

Via this Shodan.io search result, we can learn several things related to our search, such as:

  • IP address
  • Hosting company
  • Geographic location
  • Server type and version

We can also use Shodan from the command line. To use Shodan from the command line properly, you need to create an account with Shodan, then configure Shodan to use your API key with the command shodan init API_KEY. You can use different filters depending on the type of your Shodan account.

ViewDNS.info

ViewDNS.info offers Reverse IP Lookup. Initially, each web server would use one or more IP addresses; however, today, it is common to come across shared hosting servers. With shared hosting, one IP address is shared among many different web servers with different domain names. With reverse IP lookup, starting from a domain name or an IP address, you can find the other domain names hosted on the same IP address(es).

Threat Intelligence Platform

Threat Intelligence Platform requires you to provide a domain name or an IP address, and it will launch a series of tests from malware checks to WHOIS and DNS queries. The WHOIS and DNS results are similar to the results we would get using whois and dig, but Threat Intelligence Platform presents them in a more readable and visually appealing way. There is extra information that we get with our report. For instance, after we look up a domain name, we can see the Name Server (NS) records are resolved to their respective IPv4 and IPv6 addresses.