This post contains various commands and methods for performing passive recon of a target. This article will be expanded upon as time goes on.
Performing Whois lookups
We can utilize public WHOIS databases to perform lookups on domains:
https://lookup.icann.org/
It may also be worthwhile utilizing other services, such as Namecheap. Once you know who the registrar is, it is typically best to perform a Whois lookup for your target using their domain registrar:
https://www.namecheap.com/domains/whois/
We can also utilize a Kali terminal for this:
whois <targetDomain>
You can use additional options to instruct the tool to query a different WHOIS server (for example, the registrar's own server):
whois -h whois.godaddy.com <targetDomain>
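The registry-level record names the registrar's WHOIS server, which is the server the follow-up lookup should go to. The script below is an added example, not code from the original post: it pulls that referral server and the delegated name servers out of a WHOIS record and shows how to chain the two lookups. The record is constructed in the style of a .com registry response; example.com and whois.registrar.example are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Parses a registry-level WHOIS
# record to find the registrar's WHOIS server, then queries it with `whois -h`.

# Constructed sample record in the style of a Verisign .com response.
# example.com / registrar.example are placeholder names.
SAMPLE_WHOIS='   Domain Name: EXAMPLE.COM
   Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.example
   Registrar URL: http://www.registrar.example
   Updated Date: 2024-01-01T00:00:00Z
   Registrar: Example Registrar, Inc.
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
   DNSSEC: signedDelegation'

# Read a WHOIS record on stdin and print the "Registrar WHOIS Server" value.
# Field names are matched case-insensitively; leading whitespace is ignored.
referral_server() {
  awk -F': *' 'tolower($1) ~ /registrar whois server$/ { print $2; exit }'
}

# Read a WHOIS record on stdin and print each delegated name server, lowercased.
name_servers() {
  awk -F': *' 'tolower($1) ~ /name server$/ { print tolower($2) }'
}

# Live two-step lookup (not run here): ask the registry first, then repeat the
# query against whichever registrar server the registry record points at.
lookup_via_registrar() {
  domain="$1"
  server="$(whois "$domain" | referral_server)"
  [ -n "$server" ] || { echo "no registrar WHOIS server found for $domain" >&2; return 1; }
  whois -h "$server" "$domain"
}

# Demonstration on the constructed record.
printf 'Registrar WHOIS server: %s\n' "$(printf '%s\n' "$SAMPLE_WHOIS" | referral_server)"
printf 'Name servers:\n'
printf '%s\n' "$SAMPLE_WHOIS" | name_servers
```

Piping `whois example.com | referral_server` is the same chain the post describes by hand: find the registrar, then ask the registrar. The registry record is also where the delegated name servers come from, which is the natural starting point for the DNS enumeration steps that follow.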
Performing DNS enumeration with Nslookup
To perform a lookup of the A records against a particular domain:
nslookup <targetDomain>
To look up the mail records:
nslookup -query=mx <targetDomain>
To look up Nameservers:
nslookup -query=ns <targetDomain>
To get all records that are available:
nslookup -query=any <targetDomain>
You can also drop into nslookup interactively by running it with no parameters:
nslookup
While interactively working with nslookup, you can set your query type:
set q=mx
You can also set your server if you want to query a different DNS server than your default one:
server 8.8.8.8
Performing DNS enumeration with Dig
To extract A records and Nameservers of a domain:
dig <targetDomain>
To query just A records:
dig <targetDomain> A
You can also limit the output to a specific record type and return just the answer section:
dig +nocmd <targetDomain> MX +noall +answer
You can attempt a DNS Zone transfer against a specific nameserver:
dig +nocmd <targetDomain> AXFR +noall +answer @<targetDNSServer>
To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/
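The `+noall +answer` form above produces one record per line, which makes the output easy to post-process. The script below is an added example, not code from the original post: it parses that answer-section format (counting records, picking the lowest-preference MX) and decides whether an AXFR attempt actually returned the zone or was refused, which is the check a zone owner wants to run against their own nameservers. All dig output here is constructed; example.com and 192.0.2.0/24 are documentation placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Parses `dig +noall +answer`
# output and classifies the result of an AXFR attempt.

# Constructed `dig +nocmd example.com MX +noall +answer` output.
ANSWER_MX='example.com.		3600	IN	MX	20 mail2.example.com.
example.com.		3600	IN	MX	10 mail1.example.com.'

# Constructed AXFR output from a server that allowed the transfer: the zone
# is bracketed by two SOA records.
AXFR_OK='example.com.		3600	IN	SOA	ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.		3600	IN	NS	ns1.example.com.
example.com.		3600	IN	NS	ns2.example.com.
www.example.com.	300	IN	A	192.0.2.10
mail1.example.com.	300	IN	A	192.0.2.25
example.com.		3600	IN	SOA	ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600'

# Constructed output from a server that refused the transfer.
AXFR_REFUSED='; Transfer failed.'

# Count answer-section records of the given type (comment lines start with ";").
count_records() {
  awk -v t="$1" '$1 !~ /^;/ && $4 == t { n++ } END { print n + 0 }'
}

# Print the hostname of the MX record with the lowest (most preferred) preference.
lowest_mx() {
  awk '$1 !~ /^;/ && $4 == "MX" && (best == "" || $5 + 0 < pref) { pref = $5 + 0; best = $6 }
       END { print best }'
}

# Print the owner names of all A records, one per line (hosts exposed by a transfer).
a_record_hosts() {
  awk '$1 !~ /^;/ && $4 == "A" { print $1 }'
}

# Exit 0 if stdin looks like a completed zone transfer (no failure marker and
# at least the opening and closing SOA), 1 otherwise.
axfr_succeeded() {
  awk 'BEGIN { f = 0; s = 0 }
       /Transfer failed/ { f = 1 }
       $1 !~ /^;/ && $4 == "SOA" { s++ }
       END { if (f == 0 && s >= 2) exit 0; exit 1 }'
}

# Live check (not run here): report whether a nameserver hands out the zone
# to an unauthenticated client. Meant for verifying your own servers.
check_axfr_exposure() {
  zone="$1"; server="$2"
  if dig +nocmd "$zone" AXFR +noall +answer "@$server" | axfr_succeeded; then
    echo "$server: zone transfer for $zone ALLOWED (restrict allow-transfer)"
    return 1
  fi
  echo "$server: zone transfer for $zone refused"
}

# Demonstration on the constructed output.
printf 'MX records: %s, preferred: %s\n' \
  "$(printf '%s\n' "$ANSWER_MX" | count_records MX)" \
  "$(printf '%s\n' "$ANSWER_MX" | lowest_mx)"
if printf '%s\n' "$AXFR_OK" | axfr_succeeded; then
  printf 'AXFR sample: transfer completed, A-record hosts:\n'
  printf '%s\n' "$AXFR_OK" | a_record_hosts
fi
printf '%s\n' "$AXFR_REFUSED" | axfr_succeeded || printf 'AXFR refused sample: transfer refused\n'
```

A refused transfer shows up in dig's answer output as the `; Transfer failed.` comment line rather than as an empty result, so a check that only tests for "any output" will misclassify it; `axfr_succeeded` keys on the failure marker and on the SOA pair that brackets a complete zone.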
Automating DNS Enumeration
Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques:
fierce -dns <targetDomain>
You can also specify a specific DNS server for the tool to use:
fierce -dns <targetDomain> -dnsserver <targetNameserver>
We can also leverage a tool called DNSEnum to do something similar. It looks up the A records of the target domain, then the NS and MX records, and finally attempts a zone transfer:
dnsenum <targetDomain>
You can also specify a specific DNS server for the tool to use. Sometimes the results will differ:
dnsenum <targetDomain> --dnsserver <targetNameserver>
You can use DNSEnum to brute force subdomains as well:
dnsenum <targetDomain> -f <dictionaryList>
DNSMap can also be used, but it doesn't do much other than brute-force with a built-in (or user-supplied) wordlist:
dnsmap <targetDomain> -w wordlist.txt -r /tmp/results.txt
DNSMap can also enumerate subdomains for a list of domains in bulk:
dnsmap-bulk.sh domains.txt /tmp/results.txt
DNSRecon is an 'all-in-one' tool that can do almost everything above:
dnsrecon -d <targetDomain>
Google and Bing Dorking
Bing offers a query filter that returns websites hosted on a given IP address. Enter the following Bing search:
ip:<targetIP>
Search Google for results within a particular website:
site:<targetURL>
Search Google for specific filetypes:
site:<targetURL> filetype:pdf
Search Google for particular text in the page title:
site:<targetURL> intitle:admin
site:<targetURL> intitle:"index of"
Search Google for particular text in the page body:
site:<targetURL> intext:admin
site:<targetURL> intext:"index of"
Additional search operators and example queries are collected here:
https://gist.github.com/clarketm/919457847cece7ce40323dc217623054