Reconnaissance

Last modified: 2023-10-26


Basic reconnaissance flows.


Acquisitions

We need to find the other companies that are owned by the target company.


ASN

An autonomous system number (ASN) identifies a collection of connected IP routing prefixes under the control of one or more network operators. It is assigned to an autonomous system (AS) by the Internet Assigned Numbers Authority (IANA).
Border Gateway Protocol (BGP) is used to advertise routing policy to other ASes and routers.
We can also find the IP ranges belonging to an ASN.


WHOIS

whois is used to find information about the registrant of a domain.

whois example.com

Archived Web Pages

The Wayback Machine is an online tool that archives snapshots of a large number of websites, so older versions of a target's pages can still be reviewed.


Subnet Scan

To run only a ping scan (host discovery, skipping the port scan), add the option "-sP" (newer nmap releases call this "-sn"; "-sP" is still accepted as an alias).

# /24 - 255.255.255.0
nmap -sP <target-ip>/24 -T2
# /16 - 255.255.0.0
nmap -sP <target-ip>/16 -T2
# /8 - 255.0.0.0
nmap -sP <target-ip>/8 -T2

Port Scan

See Port Scan for details.


Subdomains

See also Subdomain Discovery, DNS Pentesting.

For example, input site:facebook.com in a search engine's search form. We should see a list of subdomains for facebook.com.

VirusTotal

For example, input “facebook.com” in the search form of the URL section. We should see a list of subdomains for facebook.com in the RELATIONS section.

  • Subdomain Takeover

    It allows an adversary to claim and take control of the victim's subdomain, typically one whose DNS record still points at an external service that is no longer provisioned.

    Resource: OWASP
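The usual precondition for a takeover is a dangling CNAME: our name points at a hostname that no longer exists. The following is an added example, not part of the original notes, showing how a domain owner can audit their own zone for such records; the zone records, the provider names and the resolver answers are all constructed, and a real run would pass `lookup_exists` instead of the constructed table.

```python
import socket

# Constructed CNAME records of our own zone (name -> target). Not real data.
SAMPLE_CNAMES = {
    "shop.example.com": "example-shop.saas-a.example",
    "old-blog.example.com": "retired-blog.pages-b.example",
    "www.example.com": "example.com",
}

# Constructed resolver answers: does the target hostname still exist?
SAMPLE_RESOLVES = {
    "example-shop.saas-a.example": True,
    "retired-blog.pages-b.example": False,  # service was deprovisioned
    "example.com": True,
}


def lookup_exists(host: str) -> bool:
    """Live resolver check for real runs: True if the host has any address."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(cnames, resolves):
    """Return (name, target) pairs whose CNAME target no longer resolves.

    `resolves` is a callable host -> bool, so the check can run against the
    constructed table offline or against lookup_exists() on a live network.
    Unknown targets are treated as unresolved, i.e. flagged for review.
    """
    dangling = []
    for name, target in cnames.items():
        if not resolves(target):
            dangling.append((name, target))
    return sorted(dangling)


def audit_sample():
    """Run the audit over the constructed zone; returns the flagged records."""
    return find_dangling_cnames(SAMPLE_CNAMES,
                                lambda h: SAMPLE_RESOLVES.get(h, False))


if __name__ == "__main__":
    for name, target in audit_sample():
        print(f"DANGLING: {name} -> {target} (remove the record or reclaim the target)")
```

A target that still resolves is not proof of safety: some hosting providers answer DNS for any hostname under their domain, so a flagged-or-not record should also be checked against the provider's own "unclaimed" response before closing the finding.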


Social Accounts

We can get more information if the organization uses social platforms such as those below.

  • Discord
  • Facebook
  • GitHub
  • Mastodon
  • Reddit
  • Twitter

Trace Route Packets

To trace the route that packets take from our host to the target host, run the following command.

traceroute example.com

Find Vulnerabilities

Automation

  • Nuclei

    Nuclei is a vulnerability scanner driven by templates written in a simple YAML-based DSL.

    nuclei -h

Exploit DB

You can search for vulnerabilities recorded in Exploit-DB by using "searchsploit".

searchsploit <keyword>

If you find entries matching the target, copy them to the current directory with the "-m" option.
For example,

searchsploit -m windows/remote/42031.py
# or
searchsploit -m 42031

Exploit-DB is a database of exploits.
Find the exploit and download it. For example:

wget https://www.exploit-db.com/raw/42966 -O exploit.py

Convert the exploit code's line endings for UNIX (CRLF to LF), since files downloaded from Exploit-DB often carry Windows line endings.

dos2unix exploit.py

# Manual conversion: strip the carriage returns in place
sed -i 's/\r//' exploit.py