, , ,

Day 046 #FromZeroToHacker – Passive Reconnaissance

Reconnaissance is the first step in a hacking attempt. We try to gather all the information we can about a target. In passive reconnaissance, we rely on public knowledge we can access without engaging the target.

Let’s recon what we can learn today in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Passive Reconnaissance

In this lesson, we will learn the difference between passive and active reconnaissance, then focus on passive reconnaissance and its tools:

  • whois to query WHOIS servers
  • nslookup to query DNS servers
  • dig to query DNS servers

We will learn also the usage of two online services: DNSDumpster and Shodan.io.

This is the first lesson of the Network Security module:

  1. Passive Reconnaissance
  2. Active Reconnaissance
  3. Nmap Live Host Discovery
  4. Nmap Basic Port Scans
  5. Nmap Advanced Port Scans
  6. Nmap Post Port Scans
  7. Protocols and Servers
  8. Protocols and Servers 2
  9. Network Security Challenge

This lesson requires basic networking knowledge and familiarity with the command line. You can find this required knowledge in the Network Fundamentals and Linux Fundamentals modules.

What have I learnt today?

Passive versus Active recon

When we are playing the role of an attacker, gathering information about the target is vital. When we are playing the role of a defender, we need to know what our adversary will discover about our systems and networks.

Reconnaissance or Recon can be defined as a Preliminary survey to gather information about a target. Reconnaissance can be passive or active.

In passive reconnaissance, we rely on public knowledge that we can access without directly engaging the target. Imagine you are looking at a target from afar.

Passive reconnaissance
  • Looking up DNS records of a domain from a public DNS server.
  • Checking job ads related to the target website.
  • Reading news articles about the target company.

Meanwhile, active reconnaissance needs direct engagement with the target. Like checking the locks on the doors and windows of a house.

Active reconnaissance

Active reconnaissance activities are:

  • Connecting to one of the company servers such as HTTP, FTP and SMTP.
  • Calling the company in an attempt to get information (social engineering).
  • Entering company premises pretending to be a repairman.

Whois

WHOIS is a request and response protocol. A WHOIS server listens on TCP port 43 for incoming requests, replying with various information related to the domain requested. Thanks to this we can learn:

  • Registrar: Via which registrar was the domain name registered?
  • Contact info of registrant: Name, organisation, address, phone, etc.
  • Creation, update, and expiration dates: When it was first registered? When it was last updated? When does it need to be renewed?
  • Name server: Which server to ask to resolve the domain name

While many online services provide this information, we can use our local WHOIS client in our Linux terminal with the whois <DOMAIN_NAME> command:

Whois example

This information can be inspected to find new attack vectors, such as social engineering or technical attacks. For example, we may consider an attack against the email server of the admin user or the DNS servers.

Many WHOIS services redact email addresses, many registrants set privacy services to avoid their email addresses being harvested and other actions to keep their information private.

nslookup and dig

In the previous task, we used WHOIS to get the DNS servers from the registrar.

We can find the IP address of a domain using nslookup or Name Server LOOK UP. We can use the command nslookup <OPTIONS> <DOMAIN_NAME> <SERVER>. The three main parameters are:

  • OPTIONS contains the query type. A for IPv4 addresses, AAAA for IPv6 addresses, TXT for TXT records, etc.
  • DOMAIN_NAME is the domain name we are looking up.
  • SERVER is the DNS server we want to query.

For example, nslookup -type=A tryhackme.com 1.1.1.1 returns all the IPv4 addresses:

nslookup type a

A and AAAA options are used to return IPv4 and IPv6 addresses, which is pretty helpful to know when we want to attack a target. We can test each IP address for insecurities.

Let’s try now to learn about the email servers and configurations with nslookup -type=MX tryhackme.com:

nslookup type mx

When a mail server tries to deliver an email to XXXXXXXXX@tryhackme.com, it will first try to connect to aspmx.l.google.com, as this Mail exchange has order 1. If it fails, it will try mail exchange servers alt1.aspmx.l.google.com or alt2.aspmx.l.google.com, as they have order 5.

Mail servers hardly will be running a vulnerable server version, so mail servers aren’t a good place to attack.

For more advanced DNS queries we have dig, or Domain Information Groper. Let’s try to look the MX records and compare them with the nslookup results we got. The command to do so is dig @<SERVER> <DOMAIN_NAME> <TYPE>:

  • SERVER is the DNS server we want to query.
  • DOMAIN_NAME is the domain name we are looking up
  • TYPE contains the DNS record type.
nslooup vs dig comparison

As you can see, dig returns more information (for example, the TTL or Time To Live).

DNSDumpster

While nslookup and dig can reveal information about the domain, but they don’t give us any information about the subdomains, where they can reveal much information about our target. Not only information, we can find insecurities as a lack of proper updates or other weaknesses that makes the website vulnerable.

We can use multiple search engines to find the subdomains, but even this time-consuming task won’t find hidden subdomains.

Thanks to DNSDumpter we can avoid this. This online service offers detailed answers to DNS queries.

DNS Dumpster

Not only we can find the subdomains, but one query reveals the DNS servers, MX records, TXT records, and more. Just in one query. Pretty convenient!

But not only that: DNSDumpster also resolved the domain names to IP addresses and tried to geolocate them.

Even more: DNSDumpster also represents all the information found graphically:

DNS Dumpster graphic

Shodan.io

Shodan.io help us when discovering pieces of information about the client’s network without connecting to it.

Shodan.io tries to connect to every device reachable online to build a search engine of connected devices, instead of a search engine looking for web pages. It connects all the information related to the service, saving it in the database, and making all the information searchable.

Shodan.io

Using Shodan.io we can learn things about our target such as IP address, hosting company, geographic location, server type and version, etc.

And not only that: Shodan also has interesting meta-information. For example, if we search for Apache servers:

Shodan.io meta information

Summary

In this lesson, we have covered the following:

  • The difference between Passive and Active recon
  • How to use whois, nslookup and dig
  • How to find extra information in DNSDumpster
  • How to find interesting information about your target and more in Shodan.io

Stats

From 97.156th to 93.124th. Now in the top 100.000!

Here is also the Skill Matrix:

Skills matrix

Resources

Module: Network Security

TryHackMe: Passive Reconnaissance

Other resources

Network Fundamentals
Linux Fundamentals
DNSDumpter
Shodan.io