This post collects commands and methods for performing passive recon of a target; it will be expanded over time. One caveat: WHOIS lookups and search-engine dorking only touch third parties, but zone transfer attempts and subdomain brute forcing send queries straight to the target's own nameservers, so treat those as active and make sure they are in scope before running them.
Performing Whois lookups
We can utilize public WHOIS databases to look up the registration record for a domain: the registrar, the registrar's WHOIS server, the nameservers and the creation/expiry dates. Registrant contact fields are usually redacted nowadays, so do not expect much from those.
It may also be worthwhile utilizing other services, such as Namecheap. For thin registries (.com and .net among others) the registry record only points at the registrar, so once you know who the registrar is, it is typically best to repeat the lookup against that registrar's own WHOIS server to get the full record.
We can also utilize the whois client from a Kali terminal for this.
The -h option instructs the tool to query a specific WHOIS server, for example the registrar's:
whois -h whois.godaddy.com <targetDomain>
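The two-step lookup described above (registry first, then the registrar named in the answer) is easy to chain with a small parser. The script below is an added example, not code from the original post: it pulls a field out of a WHOIS record and, when run with a domain argument, re-queries the "Registrar WHOIS Server" it finds. The SAMPLE_WHOIS record is constructed for the hypothetical domain example.test and the server whois.registrar.test; it is not real output for any target.

```shell
#!/usr/bin/env bash
# Added example: parse a registry WHOIS answer and chain the registrar lookup.
# SAMPLE_WHOIS is a constructed record (hypothetical example.test), not real
# output. Registries indent and capitalise fields differently, so matching is
# case-insensitive and ignores leading whitespace.

SAMPLE_WHOIS='   Domain Name: EXAMPLE.TEST
   Registry Domain ID: 0000000000_DOMAIN_TEST-VRSN
   Registrar WHOIS Server: whois.registrar.test
   Registrar URL: http://www.registrar.test
   Updated Date: 2023-08-14T07:01:31Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2024-08-13T04:00:00Z
   Registrar: Example Registrar, Inc.
   Name Server: NS1.EXAMPLE.TEST
   Name Server: NS2.EXAMPLE.TEST
   DNSSEC: unsigned'

# _whois_grep <field> <all> : read a WHOIS record on stdin and print the value
# of every "Field: value" line whose field matches (first match only when
# <all> is empty). Only the first colon separates key from value, so URLs
# and timestamps in the value survive intact.
_whois_grep() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" -v all="$2" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            i = index(line, ":")
            if (i == 0) next
            key = tolower(substr(line, 1, i - 1))
            if (key != want) next
            val = substr(line, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print val
            if (!all) exit
        }'
}

# whois_field <field> : first value for <field>, e.g. "Registrar WHOIS Server"
whois_field() { _whois_grep "$1" ""; }

# whois_all <field> : every value for <field> (e.g. each "Name Server"), lowercased
whois_all() { _whois_grep "$1" 1 | tr '[:upper:]' '[:lower:]'; }

# whois_chain <domain> : registry lookup, then the registrar's server named in
# the answer (needs network). This is the manual "find the registrar, then
# whois -h it" step from the text, automated.
whois_chain() {
    local domain=$1 registry server
    registry=$(whois "$domain")
    printf '%s\n' "$registry"
    server=$(printf '%s\n' "$registry" | whois_field 'Registrar WHOIS Server')
    if [ -n "$server" ]; then
        printf '\n==== %s: registrar record from %s ====\n' "$domain" "$server"
        whois -h "$server" "$domain"
    fi
}

# Usage: ./whois_chain.sh <targetDomain>
if [ -n "${1:-}" ]; then
    whois_chain "$1"
fi
```

Offline, `printf '%s\n' "$SAMPLE_WHOIS" | whois_all 'Name Server'` prints the two nameservers, which is a quick way to seed the DNS enumeration that follows.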
Performing DNS enumeration with Nslookup
To perform a lookup of the A records against a particular domain:
To look up the mail records:
nslookup -query=mx <targetDomain>
To look up Nameservers:
nslookup -query=ns <targetDomain>
To request every record type the server is willing to return (note that the ANY query type is deprecated by RFC 8482 and many resolvers and authoritative servers now answer it with a minimal or empty response, so an empty ANY answer does not prove that other records are absent):
nslookup -query=any <targetDomain>
You can also drop into nslookup with no parameters interactively.
While interactively working with nslookup, you can set your query:
You can also set your server if you wanted to query a different DNS server than your default one:
Performing DNS enumeration with Dig
To extract the A records and nameservers of a domain:
To query just A records:
dig <targetDomain> A
You can also limit the query to a specific record type and print only the answer section (+nocmd suppresses the echoed command line; +noall +answer drops everything except the answer records):
dig +nocmd <targetDomain> MX +noall +answer
You can attempt a DNS zone transfer (AXFR) against one of the target's authoritative nameservers. A correctly configured server refuses and dig prints "Transfer failed."; a successful transfer dumps the whole zone, beginning and ending with the SOA record. Try it against every nameserver, since secondaries are often configured differently from the primary:
dig +nocmd <targetDomain> AXFR +noall +answer @<targetDNSServer>
To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/
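Putting the dig commands above together: the script below is an added example, not code from the original post or the linked article. It enumerates the nameservers with dig, tries AXFR against each, and tells a complete transfer (SOA first and last) from a refusal or a truncated dump. The SAMPLE_* strings are constructed dig +noall +answer output for the hypothetical zone example.test, not captured from any real server; the live function at the bottom needs network.

```shell
#!/usr/bin/env bash
# Added example: NS enumeration plus zone transfer attempt with dig.
# SAMPLE_* are constructed "+noall +answer" output for the hypothetical zone
# example.test. Answer lines are "name TTL class type rdata...", so $4 is the
# record type in every awk below.

SAMPLE_NS='example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.'

SAMPLE_AXFR_OK='example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 86400
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
example.test. 3600 IN MX 10 mail.example.test.
www.example.test. 300 IN A 192.0.2.10
vpn.example.test. 300 IN A 192.0.2.20
mail.example.test. 300 IN A 192.0.2.30
intranet.example.test. 300 IN CNAME www.example.test.
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 86400'

SAMPLE_AXFR_REFUSED='; Transfer failed.'

# ns_from_answer : nameserver hostnames from "dig <domain> NS +noall +answer",
# trailing dot removed so they can be passed to dig as @server
ns_from_answer() {
    awk '!/^;/ && NF >= 5 && $4 == "NS" { sub(/\.$/, "", $5); print $5 }'
}

# axfr_succeeded : exit 0 only for a complete transfer. The server brackets a
# full zone with its SOA as first and last record; a refusal yields only the
# "; Transfer failed." comment, and a cut-off transfer lacks the closing SOA.
axfr_succeeded() {
    awk '
        /^;/ || NF < 5 { next }
        { n++; if (n == 1) first = $4; last = $4 }
        END { exit !(n >= 2 && first == "SOA" && last == "SOA") }'
}

# axfr_hosts : distinct hostnames with A/AAAA/CNAME records in a transferred
# zone, in zone order (SOA/NS/MX lines for the apex are skipped)
axfr_hosts() {
    awk '!/^;/ && NF >= 5 && ($4 == "A" || $4 == "AAAA" || $4 == "CNAME") {
             sub(/\.$/, "", $1); if (!seen[$1]++) print $1 }'
}

# zone_transfer_check <domain> : live version, same dig flags as in the text
zone_transfer_check() {
    local domain=$1 ns zone
    for ns in $(dig +nocmd "$domain" NS +noall +answer | ns_from_answer); do
        zone=$(dig +nocmd "$domain" AXFR +noall +answer "@$ns")
        if printf '%s\n' "$zone" | axfr_succeeded; then
            echo "[+] $ns allows AXFR for $domain:"
            printf '%s\n' "$zone" | axfr_hosts | sed 's/^/    /'
        else
            echo "[-] $ns refused AXFR for $domain"
        fi
    done
}

# Usage: ./axfr_check.sh <targetDomain>
if [ -n "${1:-}" ]; then
    zone_transfer_check "$1"
fi
```

The SOA bracket check matters in practice: some servers answer AXFR with a partial set of records and then drop the connection, and a grep for "Transfer failed." alone would report that as a success.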
Automating DNS Enumeration
Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques.
fierce -dns <targetDomain>
You can also specify a specific DNS server for the tool to use (the -dns/-dnsserver flags belong to the original Perl fierce; the Python rewrite shipped in current Kali takes --domain and --dns-servers instead):
fierce -dns <targetDomain> -dnsserver <targetNameserver>
We can also leverage a tool called DNSEnum to do something similar. It looks up the A records of the target domain, then the NS and MX records, and finally attempts a zone transfer against each nameserver.
You can also specify a specific DNS server for the tool to use. The results sometimes differ: the target's authoritative server, your default resolver and a public resolver can all answer differently, for example where split-horizon DNS is in use.
dnsenum <targetDomain> --dnsserver <targetNameserver>
You can use DNSEnum to brute force subdomains as well.
dnsenum <targetDomain> -f <dictionaryList>
DNSMap can also be used, but it does little beyond brute forcing: it uses a built-in wordlist by default, -w supplies your own, and -r writes the results to a file.
dnsmap <targetDomain> -w wordlist.txt -r /tmp/results.txt
DNSMap can also work through a file of domains in bulk:
dnsmap-bulk.sh domains.txt /tmp/results.txt
DNSRecon is an "all-in-one" tool that covers most of the above in a single run.
dnsrecon -d <targetDomain>
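All of the brute-forcing tools above have to deal with the same failure mode: a wildcard DNS record makes every word in the list resolve, and without a check the output is pure noise. The script below is an added example, not code from the original post or from any of these tools; it writes out the brute force in bash and dig with the wildcard probe those tools perform internally. The resolver is passed as a function name so the logic can run offline against the constructed demo_resolve table (example.test and the 192.0.2.x addresses are placeholders); the default resolve_a uses dig and needs network.

```shell
#!/usr/bin/env bash
# Added example: subdomain brute force with wildcard detection.
# demo_resolve and its 192.0.2.x answers are a constructed table for the
# hypothetical zone example.test; resolve_a is the real thing.

# resolve_a <name> : A records for <name>, one per line (network)
resolve_a() { dig +short "$1" A; }

# demo_resolve <name> : offline stand-in for resolve_a. Two real hosts, and a
# wildcard answer for every other name under example.test.
demo_resolve() {
    case $1 in
        www.example.test) echo 192.0.2.10 ;;
        vpn.example.test) echo 192.0.2.20 ;;
        *.example.test)   echo 192.0.2.99 ;;
    esac
}

# random_label : a label that will only resolve if the zone has a wildcard
random_label() {
    printf 'wc-%s' "$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# wildcard_ips <domain> <resolver> : what a made-up name resolves to; empty
# means no wildcard. Any brute-force hit that returns one of these addresses
# is the wildcard answering, not a real host.
wildcard_ips() {
    "$2" "$(random_label).$1"
}

# brute_subdomains <domain> <wordlist> [resolver] : prints "host ip" for each
# word that resolves to an address the wildcard probe did not return.
# Blank lines and #-comments in the wordlist are ignored.
brute_subdomains() {
    local domain=$1 wordlist=$2 resolver=${3:-resolve_a}
    local wild word host ip
    wild=$(wildcard_ips "$domain" "$resolver")
    if [ -n "$wild" ]; then
        echo "[!] wildcard DNS on $domain; dropping answers in: $(printf '%s' "$wild" | tr '\n' ' ')" >&2
    fi
    while IFS= read -r word; do
        case $word in '' | \#*) continue ;; esac
        host="$word.$domain"
        "$resolver" "$host" | while IFS= read -r ip; do
            case $ip in *[!0-9.]*) continue ;; esac   # dig +short also prints CNAME targets; keep IPv4 only
            if [ -n "$wild" ] && printf '%s\n' "$wild" | grep -qxF -- "$ip"; then
                continue
            fi
            printf '%s %s\n' "$host" "$ip"
        done
    done < "$wordlist"
}

# Usage: ./brute_subs.sh <targetDomain> <wordlist>
# Offline demo: brute_subdomains example.test words.txt demo_resolve
if [ $# -ge 2 ]; then
    brute_subdomains "$1" "$2"
fi
```

With the demo table, a wordlist of www, mail and vpn yields only www and vpn: mail "resolves", but to the same 192.0.2.99 the random probe got, so it is discarded. Against a real zone, expect hostnames that the tools above also find, plus any that the zone transfer refused to hand over.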
Google and Bing Dorking
Bing offers the ip: query filter, which returns websites hosted on a given IP address (useful for finding other sites that share the target's hosting); enter it as a normal Bing search:
Search Google for results within a particular website:
Search Google for specific filetypes:
Search Google for particular text in title:
site:<targetURL> intitle:"index of"
Search Google for particular text in body:
site:<targetURL> intext:"index of"
Additional dorks are collected here: https://gist.github.com/clarketm/919457847cece7ce40323dc217623054
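When you run these dorks against many targets it is handier to generate them as search URLs than to type them. The script below is an added example, not code from the original post: target_dorks emits the site:/filetype:/intitle:/intext: queries above for a domain (plus the Bing ip: filter when an address is given), and dork_urls turns each into an encoded search URL. example.test and 192.0.2.10 are placeholders; the query operators themselves are the ones used in the text.

```shell
#!/usr/bin/env bash
# Added example: generate Google/Bing dork queries for a target as URLs.
# example.test and 192.0.2.10 are placeholder values.

# urlencode <string> : percent-encode everything outside the unreserved set
# (RFC 3986: letters, digits, "-", ".", "_", "~"), done in awk so it works
# in any POSIX shell
urlencode() {
    printf '%s' "$1" | awk '
        BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
        {
            out = ""
            for (j = 1; j <= length($0); j++) {
                c = substr($0, j, 1)
                if (c ~ /[A-Za-z0-9._~-]/) out = out c
                else out = out sprintf("%%%02X", ord[c])
            }
            printf "%s", out
        }'
}

# target_dorks <domain> [ip] : "engine query" lines, one dork per line
target_dorks() {
    local domain=$1 ip=${2:-}
    printf 'google %s\n' \
        "site:$domain" \
        "site:$domain filetype:pdf" \
        "site:$domain intitle:\"index of\"" \
        "site:$domain intext:\"index of\""
    if [ -n "$ip" ]; then
        printf 'bing ip:%s\n' "$ip"
    fi
}

# dork_urls <domain> [ip] : one search URL per dork, ready to open
dork_urls() {
    target_dorks "$@" | while read -r engine query; do
        case $engine in
            google) printf 'https://www.google.com/search?q=%s\n' "$(urlencode "$query")" ;;
            bing)   printf 'https://www.bing.com/search?q=%s\n' "$(urlencode "$query")" ;;
        esac
    done
}

# Usage: ./dorks.sh <targetDomain> [targetIP]
if [ -n "${1:-}" ]; then
    dork_urls "$@"
fi
```

Open the URLs from a clean browser profile and expect the search engines to throttle or CAPTCHA automated requests; this generates the links, it does not scrape results.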