Passive Reconnaissance
Passive reconnaissance relies on third-party sources such as Google, LinkedIn, Censys, Shodan, etc., so that we never send a packet to the target network ourselves.
Whois
WHOIS data is a classic source of OSINT. When a domain name is registered, the registrar collects information about the registrant such as name, phone number, postal address and email address. The billing, technical and administrative contacts for the domain may have different contact information.
Domain Name: BREACHDEFS.COM
Registry Domain ID: 2634387189_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: http://www.ovh.com
Updated Date: 2021-08-17T12:42:22Z
Creation Date: 2021-08-17T10:30:19Z
Registry Expiry Date: 2022-08-17T10:30:19Z
Registrar: OVH sas
<--- SNIP --->
Name Server: DNS100.OVH.NET
Name Server: NS100.OVH.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 16651 8 2 1C86375048C1865BCAA33D474297B00F813EDF32D188DA18F803F7AD0671D16F
<--- SNIP --->
Registry Registrant ID:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province:
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: FR
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY.
From it we can see that the domain is registered through OVH (registrar OVH sas, WHOIS server whois.ovh.com) and that its name servers are also hosted by OVH. The registrant's personal data, however, is gone: since the GDPR became enforceable in May 2018, registrars redact it by default, so the contact fields are far less useful than they used to be. What remains usable is the registrar, the creation, update and expiry dates, the name servers, the DNSSEC status and the registrant country. For the personal fields we are greeted by:
Registrant Name: REDACTED FOR PRIVACY
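To make that record usable at scale it helps to parse it rather than read it by eye. The following is an added example written for this page (it is not the output of any whois tool): it splits a WHOIS record into key/value pairs, keeps the fields that survive GDPR redaction (registrar, dates, name servers, DNSSEC DS data) and reports which registrant fields are redacted versus actually disclosed. The embedded sample is constructed and abbreviated from the record above; the redaction phrasings and the algorithm/digest names are the IANA-registered values for the DS record.

```python
"""Parse a WHOIS record and report what is still usable after GDPR redaction.

Added example for this page, not the output of any whois tool. Feed it a
record on stdin (for example the output of `whois breachdefs.com`) or run it
with no input to parse the constructed sample below, which is abbreviated
from the record shown on the page.
"""
import re
import sys

# Constructed sample, abbreviated from the record shown on the page.
SAMPLE_WHOIS = """\
Domain Name: BREACHDEFS.COM
Registry Domain ID: 2634387189_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: http://www.ovh.com
Updated Date: 2021-08-17T12:42:22Z
Creation Date: 2021-08-17T10:30:19Z
Registry Expiry Date: 2022-08-17T10:30:19Z
Registrar: OVH sas
Name Server: DNS100.OVH.NET
Name Server: NS100.OVH.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 16651 8 2 1C86375048C1865BCAA33D474297B00F813EDF32D188DA18F803F7AD0671D16F
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Country: FR
Registrant Email: REDACTED FOR PRIVACY.
"""

# Phrasings registrars use for GDPR-redacted fields.
REDACTED = re.compile(r"redacted|privacy|data protected|not disclosed|gdpr", re.I)

# IANA DNSSEC algorithm and DS digest-type numbers; only common values listed.
DS_ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
DS_DIGESTS = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}


def parse_whois(text):
    """Turn 'Key: value' lines into {key_lower: [values]}; keys may repeat (Name Server)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments and the registry's trailing notice.
        if not line or line[0] in "%#>" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_ds(value):
    """'16651 8 2 <hex>' -> key tag, signing algorithm, digest type and digest."""
    tag, alg, dtype, digest = value.split(None, 3)
    return {
        "key_tag": int(tag),
        "algorithm": DS_ALGORITHMS.get(int(alg), f"alg {alg}"),
        "digest_type": DS_DIGESTS.get(int(dtype), f"type {dtype}"),
        "digest": digest.replace(" ", "").lower(),
    }


def summarize(text):
    """Extract what still matters after redaction, and classify registrant fields."""
    fields = parse_whois(text)
    first = lambda key: next((v for v in fields.get(key, []) if v), None)

    # Registrant fields that carry any value at all; empty ones tell us nothing.
    registrant = {k: v[0] for k, v in fields.items()
                  if k.startswith("registrant ") and v and v[0]}
    redacted = sorted(k for k, v in registrant.items() if REDACTED.search(v))
    disclosed = {k: v for k, v in registrant.items() if k not in redacted}

    ds = first("dnssec ds data")
    return {
        "domain": (first("domain name") or "").lower(),
        "registrar": first("registrar"),
        "registrar_whois": first("registrar whois server"),
        "created": first("creation date"),
        "expires": first("registry expiry date"),
        "name_servers": sorted(v.lower() for v in fields.get("name server", []) if v),
        "dnssec": (first("dnssec") or "").lower() == "signeddelegation",
        "ds": parse_ds(ds) if ds else None,
        "redacted_fields": redacted,
        "disclosed_fields": disclosed,
    }


if __name__ == "__main__":
    record = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WHOIS
    for key, value in summarize(record).items():
        print(f"{key:>16}: {value}")
```

Run it as `whois breachdefs.com | python3 whois_summary.py` (file name assumed). The name servers and the DS record are worth keeping: the name servers tell you who hosts the zone, and a `signedDelegation` with a DS record means the zone is DNSSEC-signed, which matters later for techniques such as NSEC walking.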
DNS brute force
DNS enumeration is the process of identifying all of an organization's DNS servers and the records they serve. Brute forcing subdomains sends queries for each candidate name to a resolver and ultimately to the target's authoritative name servers, so unlike the WHOIS lookup above this step is no longer strictly passive.
DNSEnum
DNSEnum is a CLI tool that automatically retrieves the basic DNS records of a domain, such as its address (A), name server (NS) and mail exchanger (MX) records, and then performs a basic brute force of its subdomains using a wordlist.
Nmap
We can also use nmap together with a subdomain wordlist from SecLists to brute force the subdomains of our target.
We discover many more hostnames than before. This is expected: instead of relying on publicly available information we are actively querying the DNS server with every candidate name, which also means the queries can be observed by whoever operates the target's name servers.
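The brute force both tools perform is simple enough to write yourself, and doing so shows the one failure mode that makes raw results misleading: a wildcard record (`*.example.com`) makes every candidate resolve, so a naive run reports the whole wordlist as "discovered". The block below is an added example written for this page, not code from dnsenum or nmap. It probes a random label first to detect a wildcard, then discards candidates that only return the wildcard address. The resolver is injected so the logic runs offline against a constructed zone (the `example.com` names and 203.0.113.x addresses are made up); the default resolver uses the system's `socket.gethostbyname`, which sends real queries. The corresponding nmap invocation is `nmap --script dns-brute --script-args dns-brute.domain=<domain>,dns-brute.hostlist=<wordlist> <domain>`, and dnsenum takes the domain directly (`dnsenum <domain>`).

```python
"""Subdomain brute force with wildcard detection.

Added example, not code from the page or from dnsenum/nmap. The resolver is
injected so the logic can be exercised offline against a constructed zone;
the default uses the system resolver, which sends real queries (this step is
active, not passive).
"""
import secrets
import socket
from concurrent.futures import ThreadPoolExecutor


def system_resolve(name):
    """Return the IPv4 address for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain, resolve):
    """Resolve a random label nobody would have created. If it answers, the zone
    has a wildcard record and every candidate will appear to exist."""
    return resolve(f"{secrets.token_hex(8)}.{domain}")


def brute_force(domain, words, resolve=system_resolve, threads=20):
    """Try every word as a label under domain. Returns (wildcard_ip, {host: ip});
    hosts that only answer with the wildcard address are discarded."""
    wildcard = detect_wildcard(domain, resolve)
    candidates = [f"{w.strip().lower()}.{domain}" for w in words
                  if w.strip() and not w.lstrip().startswith("#")]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        answers = list(pool.map(resolve, candidates))
    found = {}
    for host, ip in zip(candidates, answers):
        if ip is None or ip == wildcard:
            continue
        found[host] = ip
    return wildcard, found


# Constructed zone for offline use; 203.0.113.0/24 is documentation address space.
CONSTRUCTED_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "vpn.example.com": "203.0.113.30",
}
# Constructed wordlist; comment and blank entries mimic a real SecLists file.
WORDLIST = ["www", "mail", "vpn", "dev", "ftp", "# comment", ""]


def constructed_resolve(name):
    """Zone without a wildcard: unknown names fail to resolve."""
    return CONSTRUCTED_ZONE.get(name)


def constructed_wildcard_resolve(name):
    """Same zone plus a *.example.com record pointing at a catch-all host."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    return "203.0.113.99" if name.endswith(".example.com") else None


if __name__ == "__main__":
    import sys
    # Real run (assumed file name and example SecLists path):
    #   python3 dnsbrute.py target.example /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as fh:
            wildcard, found = brute_force(sys.argv[1], fh)
    else:
        wildcard, found = brute_force("example.com", WORDLIST,
                                      resolve=constructed_wildcard_resolve)
    if wildcard:
        print(f"[!] wildcard DNS detected: answers equal to {wildcard} are ignored")
    for host, ip in sorted(found.items()):
        print(f"{host:40} {ip}")
```

The wildcard filter compares only the A record, so a real host that happens to share the wildcard's address would be hidden too; on a zone where that is likely, compare the full answer (CNAME chain and all addresses) instead. Either way, check for a wildcard before trusting a long list of "discovered" hosts from dnsenum or nmap.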