Recon

Recon is a set of passive information gathering techniques. Its main goal is to find as much information about the target as possible. Passive in this context means the information is obtained only through methods that require no active interaction with the target beyond what a normal user would have.

DNS

Forward lookup brute force

To brute-force forward lookups, start with a wordlist (list.txt) of common hostnames, e.g.:

www
ftp
mail
owa
proxy
router

and then a one-liner in bash:

for name in $(cat list.txt); do host "$name.<domain>"; done

A more comprehensive namelist can be found on Kali under /usr/share/seclists.

Reverse Lookup Brute Force

Take the IP ranges found during the forward lookup and resolve them in reverse (<a.b.c> is the first three octets of the range):

for ip in $(seq 1 254); do host <a.b.c>.$ip; done | grep -v "not found"

Attempt Zone Transfer

You can do it either manually:

host -l megacorpone.com ns2.megacorpone.com

Or via script:

#!/bin/bash
# Attempt a zone transfer (AXFR) against every name server of the given domain.
if [ -z "$1" ]; then
	echo "[*] Simple Zone transfer script"
	echo "[*] Usage: $0 <domain name>"
	exit 0
fi
# Field 4 of "host -t ns" output is the name server hostname.
for server in $(host -t ns "$1" | cut -d " " -f4); do
	# Keep only A records from the transferred zone.
	host -l "$1" "$server" | grep "has address"
done

Tools

dnsrecon

dnsrecon -d <domain-name> -t axfr
dnsrecon -d <domain-name> -D <namelist> -t brt

dnsenum

dnsenum <domain-name>

Subdomains

Tools

amass

amass enum -brute -o <output-file> -d <domain-name> -v

aquatone

cat <domain-list> | aquatone --ports xlarge

crt.sh

# $1 is the apex domain (script argument); this scrapes the HTML listing from crt.sh
curl -s https://crt.sh/?q=%.$1 | grep ">*.$1" | sed 's/<[/]*[TB][DR]>/\n/g' | grep -vE "<|^[\*]*[\.]*$1" | sort -u | awk 'NF'
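The one-liner above scrapes crt.sh's HTML, which breaks whenever the page layout changes; crt.sh serves the same data as JSON (?q=%.<domain>&output=json), where each certificate's "name_value" field lists its SANs separated by "\n". Added example, not part of the original notes: a bash function that extracts and normalizes hostnames from that JSON, run here against a constructed sample response so it works offline.

```shell
#!/bin/bash
# Usage: curl -s "https://crt.sh/?q=%.example.com&output=json" | crtsh_names example.com
# Splits the "\n"-separated SAN lists, lowercases, strips wildcards,
# drops names outside the apex domain and de-duplicates.

crtsh_names() {
    local domain="$1"
    # Escape dots so the apex domain is matched literally by grep -E below.
    local dom_re
    dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    grep -o '"name_value":"[^"]*"' \
        | sed 's/^"name_value":"//; s/"$//' \
        | awk '{ gsub(/\\n/, "\n"); print }' \
        | tr '[:upper:]' '[:lower:]' \
        | sed 's/^\*\.//' \
        | grep -E "^([a-z0-9-]+\.)*${dom_re}\$" \
        | sort -u
}

# Constructed sample response (not real crt.sh data), shaped like the JSON endpoint's output.
# Includes a wildcard cert, mixed case, and look-alike names that must be filtered out.
SAMPLE_JSON='[{"common_name":"www.example.com","name_value":"www.example.com\nexample.com","not_after":"2025-01-01T00:00:00"},
{"common_name":"*.example.com","name_value":"*.example.com\nMAIL.example.com"},
{"common_name":"example.com.evil.test","name_value":"example.com.evil.test\nnotexample.com"}]'

if [ -n "$1" ]; then
    crtsh_names "$1"          # read real JSON from stdin
else
    printf '%s\n' "$SAMPLE_JSON" | crtsh_names example.com
fi
```

With a real domain as argument the script reads the crt.sh JSON from stdin; without one it runs against the embedded sample.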

Other steps to take during Recon

  • Google Dorking
  • Run recon-ng
  • Check the open-source code if available, e.g. look for usernames, passwords, keys, tokens, etc.
  • User information gathering
  • Run the SSL Server Test on ssllabs (alternative to crt.sh)
  • Search for the target on Pastebin. Note: Pastebin no longer has a search option, but a quick Google dork solves that: site:pastebin.com <target_url>
  • ASN data
  • Search Crunchbase for new acquisitions (this could lead to new apex domains)
  • Run the target through shodan.io
  • Run a reverse WHOIS
  • Use kaeferjaeger for cloud resources
  • Check the development stack using builtwith
  • Ads and analytics: take the tracking code from one page and search for other sites where it is used