Methodology
Publicly available sources
Search engines
Google, Bing, Yahoo, Shodan, Netcraft, etc.
WHOIS
Company websites
Press releases, discussion forums, leaked data from breaches
Social media
LinkedIn, Twitter, Facebook, Instagram
Internet and social media
Google Hacking for Penetration Testers, Third Edition (Syngress)
https://www.exploit-db.com/google-hacking-database/ Google Hacking Database (dorks)
https://www.shodan.io Search engine for internet-connected devices
https://www.tineye.com Reverse image search
https://lullar-com-3.appspot.com/ Profile search (by name, username or email)
https://www.netcraft.com Internet security services (hosting and site technology reports)
https://pastebin.com Store and share text online; leaked credentials and configs often surface here
https://haveibeenpwned.com Checks whether an account appears in known data breaches
https://censys.io Internet-wide host and certificate search; find publicly exposed assets
https://sitereport.netcraft.com/ Infrastructure and technologies behind a website
https://hunter.io Email recon (addresses and the naming pattern used by a domain)
https://www.netdb.io/ IoT search engine
https://securitytrails.com/dns-trails DNS history and subdomain recon
https://securityheaders.com/ HTTP security header check
https://www.wigle.net/ Wardriving database: Wi-Fi networks by location
https://www.kitterman.com/spf/validate.html Validate a domain's SPF record
https://www.fraudmarc.com/dmarc-check Validate SPF and DMARC policies
https://mxtoolbox.com/DMARC.aspx Validate SPF and DMARC policies
https://dmarcian.com/dmarc-inspector/ Validate a DMARC policy
NIC / regional internet registry databases (ARIN, RIPE, APNIC, LACNIC, AFRINIC): IP allocations and contacts
Identify:
IP addresses and netblocks
domains and subdomains
external partners
technologies used
email addresses and the naming convention
websites
customers
email and VPN systems
WHOIS
Queries registrar and registry databases for the registration details of an internet resource (domain or IP block): registrant, contacts, name servers, creation and expiry dates
whois [domain.com]
DNS Enumeration
Identify the DNS servers and enumerate the record types:
A - IPv4 address (AAAA - IPv6 address)
MX - mail exchange servers
CNAME - alias of one name to another (canonical name)
NS - authoritative name servers for the zone
SOA - start of authority: primary name server, admin contact, zone serial and timers (refresh, retry, expire, minimum TTL)
PTR - maps an IP address back to a hostname (reverse lookup, under in-addr.arpa / ip6.arpa)
TXT - free-form text; carries SPF, DKIM, DMARC and domain-verification strings
SPF - a TXT record beginning v=spf1 that lists the hosts permitted to send mail for the domain; receivers use it to reject or flag mail with a forged envelope sender
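Offline counterpart of the SPF/DMARC checkers in the link list above and of the SPF record described here, added as an example (not from the original notes): txt_record fetches a TXT record with dig and joins its quoted strings, assess_spf grades the qualifier on the all mechanism, assess_dmarc grades the p= policy and pct tag. The grading functions run on constructed records below; the live fetch (mail_auth_report) needs dig and network access and runs only when a domain is given on the command line. example.com and example.net are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): fetch and grade a domain's SPF
# and DMARC records. example.com / example.net below are placeholders.

# Grade an SPF record by the qualifier on its "all" mechanism, which decides
# what receivers do with a sender that matched no earlier mechanism:
#   strict    -all  fail: receivers may reject forged mail
#   softfail  ~all  mark as suspicious only; meaningful together with DMARC
#   neutral   ?all  no opinion: spoofing is not penalized
#   pass-all  +all  (or bare "all") any host on the internet may send as the domain
#   no-all          record ends without "all": defaults to neutral
#   missing         no v=spf1 record at all
assess_spf() {
    rec=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$rec" in
        v=spf1*) ;;
        *) echo missing; return ;;
    esac
    case " $rec " in
        *' -all '*) echo strict ;;
        *' ~all '*) echo softfail ;;
        *' ?all '*) echo neutral ;;
        *' +all '*|*' all '*) echo pass-all ;;
        *) echo no-all ;;
    esac
}

# Grade a DMARC record by its policy tag (p=): none (monitor only), quarantine
# or reject. A pct below 100 means the policy is applied to only that share
# of the failing mail, so it is reported alongside the policy.
assess_dmarc() {
    rec=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ')
    case "$rec" in
        'v=dmarc1;'*) ;;
        *) echo missing; return ;;
    esac
    tags=$(printf '%s\n' "$rec" | tr ';' '\n')
    policy=$(printf '%s\n' "$tags" | sed -n 's/^p=//p' | head -n 1)
    pct=$(printf '%s\n' "$tags" | sed -n 's/^pct=//p' | head -n 1)
    case "$policy" in
        none|quarantine|reject) ;;
        *) policy=invalid ;;
    esac
    case "$pct" in
        ''|*[!0-9]*) echo "$policy" ;;
        *) if [ "$pct" -lt 100 ]; then echo "$policy (pct=$pct)"; else echo "$policy"; fi ;;
    esac
}

# dig +short prints TXT data as one or more quoted strings (a long SPF record
# is split into 255-byte chunks); join the strings and drop the quotes.
# $1 = name, $2 = optional case-insensitive filter regex. Live: needs dig.
txt_record() {
    dig +short TXT "$1" | sed 's/" "//g; s/"//g' | grep -i -E "${2:-.}" | head -n 1
}

mail_auth_report() {
    domain=$1
    spf=$(txt_record "$domain" '^v=spf1')
    dmarc=$(txt_record "_dmarc.$domain" '^v=dmarc1')
    echo "SPF:   ${spf:-<none>} -> $(assess_spf "$spf")"
    echo "DMARC: ${dmarc:-<none>} -> $(assess_dmarc "$dmarc")"
}

# Constructed records, graded offline.
for rec in 'v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all' \
           'v=spf1 include:_spf.example.net ~all' \
           'v=spf1 mx +all' \
           'v=spf1 a mx'; do
    echo "$rec -> $(assess_spf "$rec")"
done
for rec in 'v=DMARC1; p=none; rua=mailto:dmarc@example.com' \
           'v=DMARC1; p=quarantine; pct=25' \
           'v=DMARC1; p=reject'; do
    echo "$rec -> $(assess_dmarc "$rec")"
done

if [ "$#" -gt 0 ]; then mail_auth_report "$1"; fi
```

Run as sh mail_auth.sh target.tld. For a phishing pretext the interesting combinations are no SPF, +all, ~all or ?all with DMARC absent or p=none: the target's own mail receivers will accept a forged From.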
Zone Transfer
Test for zone transfer (AXFR) against every name server; an open transfer hands over the whole zone
host
retrieve name servers: host -t ns [domain]
test for zone transfer: host -l [domain] [name server]   (-l requests an AXFR)
dig
query a specific record type (any type): dig -t [type] [domain]
test for zone transfer: dig axfr @[name server] [domain]
fierce
reconnaissance tool (Perl) for DNS weaknesses: locates the name servers, attempts a zone transfer against each, then brute-forces subdomains with its built-in wordlist: fierce -dns [domain]
use your own wordlist: fierce -dns [domain] -wordlist [path to wordlist]
dnsenum
(Perl) like fierce: dnsenum [domain]
dnsrecon
dnsrecon -d [domain]
nslookup (or host [domain/ip])
Forward lookup
nslookup [domain.com]
Reverse DNS lookup
nslookup -type=PTR [ip address]
MX (mail exchange) lookup
nslookup -type=MX [domain.com]
dig
Flexible DNS query tool; the usual choice for zone transfer tests
Zone transfer record types: axfr (full), ixfr (incremental; needs the zone serial: dig ixfr=[serial] [domain.com] @[nameserver])
dig axfr [domain.com] @[nameserver]
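Worked example (added here, not from the original notes) that chains the zone transfer steps above: pull the NS set, try an AXFR against each server, and parse the result. classify_axfr, count_records and zone_hosts work on captured dig output and are run offline against constructed dig transcripts for a made-up zone lab.example (10.0.0.0/24); audit_zone_transfer is the live driver, needs dig plus network access, and runs only when a domain is given on the command line.

```shell
#!/bin/sh
# Added example (not from the original notes): enumerate a domain's authoritative
# name servers and test each one for an open zone transfer (AXFR).
# lab.example and the 10.0.0.0/24 addresses below are constructed test data.

# Classify captured `dig axfr` output.
#   open    - the server handed over the zone (dig prints an "XFR size" summary)
#   refused - the server answered but declined (dig prints "; Transfer failed.")
#   error   - no usable answer (timeout, network error, bad server name ...)
classify_axfr() {
    if printf '%s\n' "$1" | grep -q 'XFR size'; then
        echo open
    elif printf '%s\n' "$1" | grep -q 'Transfer failed'; then
        echo refused
    else
        echo error
    fi
}

# Number of resource records in a zone dump (dig comment lines start with ';').
count_records() {
    printf '%s\n' "$1" | awk '!/^;/ && NF { n++ } END { print n + 0 }'
}

# Hostnames from a zone dump: owner names of A, AAAA and CNAME records plus
# CNAME targets, trailing dot removed, de-duplicated. This is the host list
# that feeds the port scan.
zone_hosts() {
    printf '%s\n' "$1" | awk '
        /^;/ || !NF { next }
        $4 == "A" || $4 == "AAAA" { print $1 }
        $4 == "CNAME"            { print $1; print $5 }
    ' | sed 's/\.$//' | sort -u
}

# Live driver: resolve the NS set, then try AXFR against every name server.
audit_zone_transfer() {
    domain=$1
    for ns in $(dig +short NS "$domain"); do
        ns=${ns%.}
        out=$(dig axfr "$domain" "@$ns" 2>&1)
        verdict=$(classify_axfr "$out")
        echo "$ns: $verdict"
        if [ "$verdict" = open ]; then
            echo "  $(count_records "$out") records; hosts:"
            zone_hosts "$out" | sed 's/^/    /'
        fi
    done
}

# Constructed sample: what dig prints for an open zone ...
SAMPLE_OPEN='; <<>> DiG 9.18.1 <<>> axfr lab.example @ns1.lab.example
;; global options: +cmd
lab.example.          3600  IN  SOA    ns1.lab.example. hostmaster.lab.example. 2024010101 7200 900 1209600 3600
lab.example.          3600  IN  NS     ns1.lab.example.
lab.example.          3600  IN  NS     ns2.lab.example.
lab.example.          3600  IN  MX     10 mail.lab.example.
mail.lab.example.     3600  IN  A      10.0.0.25
vpn.lab.example.      3600  IN  A      10.0.0.40
intranet.lab.example. 3600  IN  CNAME  web01.lab.example.
web01.lab.example.    3600  IN  A      10.0.0.80
lab.example.          3600  IN  SOA    ns1.lab.example. hostmaster.lab.example. 2024010101 7200 900 1209600 3600
;; Query time: 3 msec
;; SERVER: 10.0.0.53#53(ns1.lab.example) (TCP)
;; XFR size: 9 records (messages 1, bytes 312)'

# ... and for a server that refuses transfers to unauthorized hosts.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> axfr lab.example @ns2.lab.example
;; global options: +cmd
; Transfer failed.'

echo "ns1.lab.example: $(classify_axfr "$SAMPLE_OPEN") ($(count_records "$SAMPLE_OPEN") records)"
zone_hosts "$SAMPLE_OPEN" | sed 's/^/    /'
echo "ns2.lab.example: $(classify_axfr "$SAMPLE_REFUSED")"

if [ "$#" -gt 0 ]; then
    audit_zone_transfer "$1"
fi
```

Run as sh axfr_check.sh target.tld. A refused verdict from every name server is the expected state; a single open one is a finding on its own, and the internal names it leaks (vpn, intranet, mail in the sample) go straight into the target list.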
netdiscover (*nix)
ARP reconnaissance tool for the local segment (default is active mode, which sends ARP requests and is noisy; needs root)
Options:
-p - passive mode (only listen for ARP traffic)
-i - interface
-r - IP range
netdiscover -i eth0 -r 192.168.1.0/24   (use wlan0 for a wireless interface)
arp
Shows the local ARP cache: IP to MAC mappings for hosts this machine has recently exchanged traffic with
arp -a
On modern Linux use: ip neigh
Sublist3r
(Python) enumerates subdomains from public sources (search engines, VirusTotal, DNSdumpster, Netcraft, etc.); packaged in Kali
-b enables the integrated subbrute module for brute-forcing subdomains
default scan: sublist3r -d [domain]
brute force with 100 threads: sublist3r -d [domain] -b -t 100
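Added example (not from the original notes) for consolidating what Sublist3r, fierce, dnsenum and dnsrecon return: the tools print hosts in different layouts (bare names, "Found: host. (ip)", full resource records, trailing dots, mixed case, wildcard entries) and out-of-scope names creep in. normalize_hosts turns that into one lowercase, de-duplicated, in-scope subdomain list and runs offline on constructed sample lines; resolve_hosts resolves the list live and needs dig plus network access. lab.example and the sample lines are made up.

```shell
#!/bin/sh
# Added example (not from the original notes): merge subdomain output from
# several recon tools into one clean, in-scope host list.
# lab.example and the sample lines below are constructed test data.

# Read raw tool output on stdin; print unique lowercase hostnames that end in
# ".<target domain>". Subdomains only: the apex, wildcard entries ("*.x"),
# look-alike domains and names merely containing the target string are dropped.
normalize_hosts() {   # $1 = target domain
    awk -v dom="$1" '
        BEGIN { suf = "." tolower(dom); S = length(suf) }
        {
            for (i = 1; i <= NF; i++) {
                t = tolower($i)
                sub(/\.$/, "", t)                     # trailing dot of FQDNs
                L = length(t)
                if (t !~ /^[a-z0-9_.-]+$/) continue    # drops "(10.0.0.40)", "*.x", "Found:"
                if (L <= S || substr(t, L - S + 1) != suf) continue   # scope check
                print t
            }
        }' | sort -u
}

# Live: resolve the consolidated list. Prints "host ip" for names that resolve
# to an A record and sends the dead ones to stderr (search-engine sourced lists
# carry many stale names). Needs dig and network access.
resolve_hosts() {   # stdin = hostnames
    while IFS= read -r h; do
        ip=$(dig +short A "$h" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
        if [ -n "$ip" ]; then echo "$h $ip"; else echo "$h -" >&2; fi
    done
}

# Constructed sample mixing the output styles of different tools.
SAMPLE_RAW='Found: vpn.lab.example. (10.0.0.40)
mail.lab.example.        3600  IN  A      10.0.0.25
intranet.lab.example.    3600  IN  CNAME  web01.lab.example.
WEB01.lab.example
*.lab.example
cdn.lab.example.evil.com
www.notlab.example
vpn.lab.example'

printf '%s\n' "$SAMPLE_RAW" | normalize_hosts lab.example

# Real use: sh consolidate.sh target.tld sublist3r.txt fierce.txt dnsenum.txt
if [ "$#" -ge 2 ]; then
    domain=$1
    shift
    cat "$@" | normalize_hosts "$domain" | resolve_hosts
fi
```

The scope check is deliberate: a scan list that still contains cdn.lab.example.evil.com or www.notlab.example puts out-of-scope hosts into the engagement.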
theHarvester
harvests email addresses, names and hosts from public search engines and data sources
-b selects the data source, -l limits the number of results: theHarvester -d [domain] -b [source] -l [#]
SimplyEmail
(Python) enumerates and verifies email addresses from online sources
https://github.com/killswitch-GUI/SimplyEmail.git
./SimplyEmail.py -all -e [domain.com]