Samer Aoudi
EH Pentest Lab Environment Network Traffic Analysis Wi-Fi Security Malware Analysis Reconnaissance Social Engineering Network & Port Scanning Sniffing Attacks Intrusion Detection & Prevention
Courses CTF Platform Security Tools Commands Cheatsheet Awareness Blog About
Reconnaissance

In this practical activity, you will use various tools to collect information about your target.

Why this activity? In some cases, you will perform a pentest in a dark/black-box environment with no target information provided. Being able to understand your target is essential to subsequent steps. As a simple example, a person's name can be used to get an email address or username. In a later step, you may brute force the password to gain access to that person's account. In a clear-box model, you are given the information and thus recon becomes redundant.
Prerequisite Knowledge: None
Requirements: Lab Environment Setup
Duration: 60+min
Files: None
Related Videos:
DNS Analysis  OSINT Analysis
Task #1: Search Engines
Footprinting is the process of gathering as much information as possible about a target system (including organizational, contact, and network data).
Active vs. Passive Foot Printing:
Active Footprinting is an intrusive approach whereby the tester/attacker may leave tracks/evidence of their search.
Passive, on the other hand, is a nonintrusive process that involves public searches and that usually doesn’t leave unwanted traces.
Google Dorking (AKA Google Hacking)
It is a footprinting technique that involves manipulating a search string with additional specific operators to search for vulnerabilities.
Operator Description
cache:Show Google's cached version of a specific page.
filetype:Returns only search results that match a particular file extension.
related:Returns other websites that are similar to the queried website.
site:Returns only search results from a particular website.
inanchor:Returns pages that are linked to using anchor text matching the search query.
allinanchor:Same as inanchor, but matching every term that appears after allinanchor.
intext:Returns only search results that match in the page's body.
allintext:Same as intext, but matching every term that appears after allintext.
intitle:Returns only search results that match in the page's title.
allintitle:Same as intitle, but matching every term that appears after allintitle.
inurl:Returns only search results that match in the page's URL.
allinurl:Same as inurl, but matching every term that appears after allinurl.
Shodan is the world's first search engine for Internet-connected devices. It allows you to use Internet intelligence to make better decisions.

In this activity, you will use different search engines and search techniques to discover information online

Expert Mode
  1. Use Google Dorking to discover documents (e.g., PDF) in various websites
  2. Use SHODAN to discover unusual information
Regular Mode
Task in details »
  1. Go to Google and type the following inurl:login site:altoromutual.com
  2. Note down the number of results you got
  3. Type the following search terms filetype:pdf site:altoromutual.com
  4. Note down what you discovered
  5. Select any three websites of your choice and discover the following for each site: a) one Word document, b) one PDF file, and c) one Excel sheet
  6. Note down your websites and file names to later provide answers in the Questions section
  7. Go to SHODAN and register for a free account
  8. Click the Explore link and find the Popular Tags section
  9. Try different tags such (e.g. IoT; camera; etc.). For each tag category, list three interesting things you discovered. In case you cannot find the required tags, you can follow these links: IOT, Password, and FTP
  10. Search for SCADA and click Possible Vulnerable SCADA from the search results (you must be logged in). Alternatively, you can follow this link Possible Vulnerable SCADA
  11. Note down your observations to later provide answers in the Questions section
WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name
ICANN is the Internet Corporation for Assigned Names and Numbers. It is an internationally organized non-profit corporation that, among other things, oversees IP address space allocation and top-level domain (TLD) management.

In this activity, you will use different tools to perform WHOIS lookup on selected target organizations

Expert Mode
  1. Using IANA, discover what organization manages the .ae top-level domain (TLD)
  2. Discover the WHOIS directory for .ae top-level domain (TLD)
  3. Discover various WHOIS information for few websites with different TLDs
  4. Use NETCRAFT to discover various information for few websites with different TLDs
Regular Mode
Task in details »
  1. Go to IANA and type .ae
  2. Note down the organization name and the WHOIS directory
  3. Go to the UAE (.ae) WHOIS directory and perform a WHOIS lookup for the HCT domain (hint: you must type the full domain in the Query field)
  4. Note down the registrar name and the name server(s) for the target domain
  5. Go to the following WHOIS directory and perform a WHOIS lookup for the HCT domain
  6. Did you get any results back? Justify (note down your answers to later provide answers in the Questions section)
  7. Using this WHOIS directory perform a WHOIS lookup for the following domains: youtube.com and twitter.com
  8. For each domain, note down the following information: Registrant Name; Organization; Phone; Email; Registrar WHOIS Server; Registration Expiration Date; and Name Servers
  9. Go to NETCRAFT and perform a search on the following domains: youtube.com and twitter.com (hint: find Resources → Tools → Site Report)
  10. For each domain, note down the following information: Hosting Company; IP Address; OS (For IP address); and Web Server
DNS Lookup Tools
  • DNSENUM
  • DNSRECON
  • FIERCE
  • DIG
  • HOST
  • NSLOOKUP
Common DNS Records:
  • A –IP Address
  • NS –Name Server
  • MX –Mail Exchange
  • TXT –Generic text record
  • RP –Responsible Person
  • SOA –Start of Authority
  • CNAME –Canonical Name
  • HINFO –Host Information
  • SRV –Service Location
  • AXFR –Zone Transfer

In this activity, you will use different tools to perform DNS Analysis on selected target domains.

Expert Mode
  1. Using HOST, perform DNS analysis on the following target hackthissite.org
  2. Using DIG, perform DNS analysis on the following target twitter.com
  3. Using NSLOOKUP, perform DNS analysis on the following target instagram.com
  4. Using HOST, perform DNS Zone Transfer on the following target zonetransfer.me
  5. Using DNSENUM, perform DNS analysis on the following target hackthissite.org
  6. Using DNSRECON, perform DNS analysis on the following target hackthissite.org
  7. Using FIERCE, perform DNS analysis on the following target hackthissite.org
Regular Mode
Task in details »
  1. Power on Kali and open a new Terminal window
  2. Learn about HOST using the man pages: man host
  3. Learn about HOST using the help system: host -h
  4. Repeat for DIG: man dig and dig -h
  5. Repeat for the other tools: man <tool-name> and <tool-name> -h
    6. You need to be able to use man and help to learn how to use Linux tools
  6. Ping the following target and note down its IP ping hackthissite.org
  7. Run the following command host hackthissite.org
  8. Note down your observation regarding the difference
  9. Run the following command dig hackthissite.org
    10. In essence the different DNS tools perform similar tasks but have different syntax and produce output in different styles
  10. Run the following HOST command to retrieve the IP address record: host -t a hackthissite.org
  11. Run the following HOST command to retrieve the Name Server address record: host -t ns hackthissite.org
  12. Run the following HOST command to retrieve the Mail Exchange address record: host -t mx hackthissite.org
  13. In the same style, try the other DNS records listed above
    14. Not all records will have information (i.e., some may be empty)
  14. Run the following DIG command to retrieve the IP address record: dig a twitter.com
  15. Run the following DIG command to retrieve the Name Server address record: dig ns twitter.com
  16. Run the following DIG command to retrieve the Mail Exchange address record: dig mx twitter.com
  17. In the same style, try the other DNS records listed above
    18. Note how DIG's syntax to specify the DNS record is different (easier)
  18. Run the following NSLOOKUP command to retrieve the IP address record: nslookup -type=a instagram.com
  19. Run the following NSLOOKUP command to retrieve the Name Server address record: nslookup -type=ns instagram.com
  20. Run the following NSLOOKUP command to retrieve the Mail Exchange address record: nslookup -type=mx instagram.com
  21. In the same style, try the other DNS records listed above
    22. Let's perform a Zone Transfer using the AXFR record (in two steps)
  22. Step 1 -get the name server of the target: dig ns zonetransfer.me
    23. The results from the above command: nsztm1.digi.ninja
  23. Step 2 -use the AXFR record: dig axfr zonetransfer.me nsztm1.digi.ninja
  24. Try a Zone Transfer using HOST
    25. It is very unlikely that a zone transfer will work. It is a relatively old technique. It is a way to get data and information that can help in an attack.
  25. Learn about DNSENUM using man or help and use it against the following target hackthissite.org
  26. Learn about DNSRECON using man or help and use it against the following target hackthissite.org
  27. Learn about FIERCE using man or help and use it against the following target hackthissite.org
OSINT is Open-Source Intelligence

In this activity, you will use different tools to perform OSINT analysis

Expert and Regular Modes
  1. Watch OSINT Analysis video and perform the steps below
  2. Using Maltego, retrieve at least one email address from the following target altoromutual.com
  3. Use Spiderfoot to investigate suspicious websites or email addresses (for instance an email address or a URL from a spam email you received recently)
Name
Red fields are required.
1
2
3
website:
domain:
site:
allinanchor:
intext:
inurl:
filetype:
fileextension:
extension:
They are mostly honeypots
They donnot exist
They are mostly Telnet services
How many hackthissite.org IP addresses did you discover with:
CNAME
HINFO
ALIAS

               
© Samer Aoudi 2005-2024