# Passive Reconnaissance

## Passive Reconnaissance

Passive reconnaissance relies on third-party sources such as Google, LinkedIn, Censys, Shodan, etc., so we never send a single packet to the target network ourselves.

### Whois

The gathering of WHOIS data is a classic source of OSINT data. A registrar collects information about the registrant, such as name, phone number, address, and email address, when they register a domain name. The billing, technical, and administrative contacts for the domain may have different contact information.

```bash
whois breachdefs.com
```

```
Domain Name: BREACHDEFS.COM
Registry Domain ID: 2634387189_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: http://www.ovh.com
Updated Date: 2021-08-17T12:42:22Z
Creation Date: 2021-08-17T10:30:19Z
Registry Expiry Date: 2022-08-17T10:30:19Z
Registrar: OVH sas
<--- SNIP --->
Name Server: DNS100.OVH.NET
Name Server: NS100.OVH.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 16651 8 2 1C86375048C1865BCAA33D474297B00F813EDF32D188DA18F803F7AD0671D16F
<--- SNIP --->
Registry Registrant ID:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province:
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: FR
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
```

From this we can see that the domain is registered through OVH (ovh.com).\
WHOIS information stopped being as useful in 2016 with GDPR: by default, whois no longer displays the registrant's personal information.\
That is why we are greeted by:

`Registrant Name: REDACTED FOR PRIVACY`
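The fields worth keeping from that output (registrar, name servers, DNSSEC DS record, expiry date, which contacts are redacted) are easy to pull out programmatically. This is an added example, not part of the original page: a small parser for the `Key: Value` WHOIS format, run over a constructed sample trimmed from the output above. Names like `WhoisRecord` and `parse_whois` are the example's own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample, trimmed from the whois output shown above.
SAMPLE_WHOIS = """\
Domain Name: BREACHDEFS.COM
Creation Date: 2021-08-17T10:30:19Z
Registry Expiry Date: 2022-08-17T10:30:19Z
Registrar: OVH sas
Name Server: DNS100.OVH.NET
Name Server: NS100.OVH.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 16651 8 2 1C86375048C1865BCAA33D474297B00F813EDF32D188DA18F803F7AD0671D16F
Registrant Name: REDACTED FOR PRIVACY
Registrant Country: FR
Registrant Email: REDACTED FOR PRIVACY
"""

@dataclass
class WhoisRecord:
    fields: dict = field(default_factory=dict)     # single-valued keys
    name_servers: list = field(default_factory=list)
    redacted: list = field(default_factory=list)   # keys hidden by GDPR redaction

def parse_whois(text: str) -> WhoisRecord:
    """Parse 'Key: Value' lines; 'Name Server' repeats, so it is collected in a list."""
    rec = WhoisRecord()
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w /]*?):\s*(.*?)\s*$", line)
        if not m:
            continue  # blank lines, SNIP markers, comments
        key, value = m.group(1), m.group(2)
        if key == "Name Server":
            rec.name_servers.append(value.lower())
        elif "REDACTED" in value.upper():
            rec.redacted.append(key)
        elif value:  # drop empty fields such as 'Registrant Organization:'
            rec.fields[key] = value
    return rec

def days_until_expiry(rec: WhoisRecord, now_utc: str) -> int:
    """Days from now_utc (same timestamp format as the WHOIS output) to the expiry date."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(rec.fields["Registry Expiry Date"], fmt)
    return (expiry - datetime.strptime(now_utc, fmt)).days

def parse_ds(rec: WhoisRecord) -> dict:
    # DS record fields in RFC 4034 order: key tag, algorithm, digest type, digest
    tag, alg, dtype, digest = rec.fields["DNSSEC DS Data"].split()
    return {"key_tag": int(tag), "algorithm": int(alg), "digest_type": int(dtype), "digest": digest}
```

For your own domains, the expiry countdown and the presence of a DS record are the two values worth monitoring from this output.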

### DNS brute force

DNS enumeration is the process of identifying all of an organization's DNS servers and their related entries.

#### DNSEnum

[DNSEnum](https://tools.kali.org/information-gathering/dnsenum) is a CLI tool that automatically identifies basic DNS records such as the domain's address (A), name servers (NS) and mail exchange servers (MX), and also performs a basic DNS brute force against it.

```bash
dnsenum breachdefs.com
```

![Result of dnsenum breachdefs.com](https://3042479842-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Mg9lbsm9-YvGLXNeKT0%2F-Mk2wP-htwKRq0AvC2gB%2F-Mk2y9LIUq0NrwHJkAdD%2Fimage.png?alt=media\&token=0a7e9430-7888-452e-a958-085ce8bc6b72)

#### Nmap

We can also use nmap together with a subdomain wordlist from SecLists to brute-force the subdomains of our target.

```bash
# Fetch the raw wordlist (the github.com/.../blob/ URL returns the HTML page, not the list)
wget -O hostfile.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt
# dns-brute runs as a pre-scan script, so no target needs to be given; -sL only lists hosts
# without probing them, and newtargets adds every resolved hostname to that list
nmap --script dns-brute --script-args dns-brute.domain=breachdefs.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sL
```

![Result of nmap DNS bruteforcing](https://3042479842-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Mg9lbsm9-YvGLXNeKT0%2F-Mk2mHE-bCYaamOPgaJc%2F-Mk2s9ytzfVJRqwL97l9%2Fimage.png?alt=media\&token=2c3a5fa6-a146-4c3b-ae37-fa258bdf89de)

We discover many more hostnames than before. This is expected: instead of relying only on publicly available information, we are now actively brute-forcing the DNS server.
