Passive Reconnaissance

Passive reconnaissance relies on third-party sources such as Google, LinkedIn, Censys, Shodan, etc., so we never send a single packet to the target network ourselves.


The gathering of WHOIS data is a classic source of OSINT data. A registrar collects information about the registrant, such as name, phone number, address, and email address, when they register a domain name. The billing, technical, and administrative contacts for the domain may have different contact information.


Domain Name: BREACHDEFS.COM
Registry Domain ID: 2634387189_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2021-08-17T12:42:22Z
Creation Date: 2021-08-17T10:30:19Z
Registry Expiry Date: 2022-08-17T10:30:19Z
Registrar: OVH sas
<--- SNIP --->
Name Server: DNS100.OVH.NET
Name Server: NS100.OVH.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 16651 8 2 1C86375048C1865BCAA33D474297B00F813EDF32D188DA18F803F7AD0671D16F
<--- SNIP --->
Registry Registrant ID:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province:
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: FR
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY

From it we can see that the domain is registered with OVH and which name servers it uses. WHOIS information stopped being useful in 2016 with GDPR: by default the whois no longer displays the registrant's personal information, which is why most of the contact fields greet us with REDACTED FOR PRIVACY.
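An added example, not part of the original page: a small Python parser for the WHOIS record layout shown above, used from the defender's side to check one's own domain for exposed registrant fields, DNSSEC signing and upcoming expiry. The sample record is a constructed subset of the output above; parse_whois and summarize are names chosen here, not a library API.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a subset of the record above, in the same 'Key: Value' layout.
SAMPLE_WHOIS = """\
Domain Name: BREACHDEFS.COM
Registry Expiry Date: 2022-08-17T10:30:19Z
Registrar: OVH sas
Name Server: DNS100.OVH.NET
Name Server: NS100.OVH.NET
DNSSEC: signedDelegation
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Country: FR
Registrant Email: REDACTED FOR PRIVACY
"""

def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", line)  # key stops at the first colon
        if not m:
            continue
        key, value = m.groups()
        if key in record:  # second occurrence of a key: promote to a list
            record[key] = (record[key] if isinstance(record[key], list) else [record[key]]) + [value]
        else:
            record[key] = value
    return record

def summarize(record, now_iso):
    """Defender's view: which contact data is exposed, is DNSSEC on, when does it expire."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(record["Registry Expiry Date"], fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
    ns = record.get("Name Server", [])
    registrant = {k: v for k, v in record.items() if k.startswith("Registrant") and isinstance(v, str)}
    return {
        "registrar": record.get("Registrar"),
        "name_servers": ns if isinstance(ns, list) else [ns],
        "dnssec": record.get("DNSSEC") == "signedDelegation",
        "redacted_fields": sorted(k for k, v in registrant.items() if "REDACTED" in v.upper()),
        "exposed_fields": sorted(k for k, v in registrant.items() if v and "REDACTED" not in v.upper()),
        "days_to_expiry": (expiry - now).days,
    }

if __name__ == "__main__":
    print(summarize(parse_whois(SAMPLE_WHOIS), "2022-07-18T10:30:19Z"))
```

Empty fields (like Registrant Organization above) are kept but counted as neither exposed nor redacted, so an unexpectedly filled-in field shows up in exposed_fields.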


DNS brute force

DNS enumeration is the process of identifying all of an organization's DNS servers and their related entries.


DNSEnum is a CLI tool that automatically identifies basic DNS records such as the domain's address (A), name server (NS) and mail exchange (MX) records, and also performs a basic DNS brute force against the domain.



We can also use nmap together with a subdomain wordlist from SecLists to brute force the subdomains of our target.

# <wordlist-url> and <target-domain> are placeholders for the SecLists list and the domain being assessed
wget -O hostfile.txt <wordlist-url>
nmap -sL --script dns-brute --script-args dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets <target-domain>

We see that we discover a lot more hostnames than before. That is expected: we no longer rely on publicly available information but actively brute force the DNS server.
