###### `tryhackme` `Passive Recon` `Active Recon`
Owner: 侯智晟
Email: meowheckerouo@gamil.com
[TOC]
# Passive Reconnaissance
Passive reconnaissance lets us collect information without directly connecting to the target.
Command-line tools
- whois - query a WHOIS server
- nslookup - query a DNS server
- dig - query a DNS server
WHOIS and DNS server data are public.
Online services
- DNSDumpster
- Shodan.io
Common passive recon activities
- Look up the target's DNS records from public DNS servers.
- Check job ads related to the target website.
- Read employees' social media profiles.
- etc.
## Whois (Protocol)
Retrieves target information from the domain registrar (public).
WHOIS is a request/response protocol specified in RFC 3912.
The server listens on TCP port 43.

A WHOIS record contains domain information:
- Domain registrar
- Contact information of the registrant
- Creation, update, and expiration dates
- Name servers (DNS servers) for the domain
### Find Extra Attack Surfaces
If the owner didn't subscribe to a privacy service, the record may also expose:
- Registrant email
- DNS servers
- Other user information
Note
Many WHOIS servers have protection mechanisms against abuse of WHOIS queries. Nowadays, many registrars provide privacy services to avoid email harvesting and keep registrant information private.
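The RFC 3912 exchange described above, as an added example that is not part of these notes: a minimal WHOIS client (send `DOMAIN<CR><LF>`, read until the server closes) run against a constructed local server that answers with a made-up record, plus a parser for the record fields listed above. The `.test` domain, the record values and the helper names are all constructed for the demo.

```python
import socket
import threading

# Constructed WHOIS record: RFC 3912 replies are free-form text, one field per line.
DEMO_RECORD = (
    "Domain Name: EXAMPLE.TEST\r\n"
    "Registrar: Demo Registrar Inc.\r\n"
    "Creation Date: 2010-05-01T00:00:00Z\r\n"
    "Registry Expiry Date: 2030-05-01T00:00:00Z\r\n"
    "Registrant Email: REDACTED FOR PRIVACY\r\n"
    "Name Server: NS1.EXAMPLE.TEST\r\n"
    "Name Server: NS2.EXAMPLE.TEST\r\n"
)

def start_demo_whois_server():
    """Stand-in server: read one query line, send the record, close (RFC 3912)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0 = any free port; real servers use TCP 43
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            query = conn.recv(1024).decode(errors="replace").strip().lower()
            conn.sendall(DEMO_RECORD.encode() if query == "example.test" else b"No match\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def whois_query(domain, server, port=43, timeout=5.0):
    """Send DOMAIN<CR><LF> and read until the server closes the connection."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(f"{domain}\r\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")

def parse_record(text):
    """Group 'Key: value' lines; repeated keys (e.g. Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def demo():
    port = start_demo_whois_server()
    return parse_record(whois_query("example.test", "127.0.0.1", port))
```

Pointing `whois_query` at a real registry server on port 43 returns the same kind of text, which is all the `whois` command does under the hood.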
### LAB - whois Client (cmd tools)
```
whois "Domain Name"
```



Solved !!
## nslookup (cmd tool)
nslookup queries a DNS server (public or internal) and retrieves IP addresses or other DNS records.
Syntax
```
nslookup -type=TYPE DOMAIN_NAME TARGET_DNS_SERVER
```
### Command Args
- TYPE
  - A - IPv4 address
  - AAAA - IPv6 address
  - CNAME - canonical name (alias), e.g. query: meow.com -> return: meowhecker.com
  - MX - mail server
  - SOA - start of authority
  - TXT - text records (comments)
- DOMAIN_NAME
  - The target domain we want to query
- TARGET_DNS_SERVER
  - This is optional.
  - Google -> 8.8.8.8 / 8.8.4.4
  - Cloudflare -> 1.1.1.1 / 1.0.0.1
  - More public servers: https://duckduckgo.com/?q=public+dns&ia=answer
For instance -> `nslookup -type=A tryhackme.com 1.1.1.1`

If these IP addresses are in the scope of the test, we can recon them more deeply.
### Analyse Target Mail Server
```
nslookup -type=MX tryhackme.com 1.1.1.1
```

### TXT record Query
```
nslookup -type=txt tryhackme.com 1.1.1.1
```

## dig (Domain Information Groper)
A more advanced DNS record query tool.
Syntax:
```
dig DOMAIN_NAME TYPE @NAME_SERVER
```

### LAB - TXT Record
Target Domain -> thmlabs.com

Solved !!
## DNSDumpster (Online)
DNSDumpster enumerates domains and subdomains, allowing attackers to find external attack surfaces by enumerating subdomains.

Its subdomain enumeration technique depends on brute-force DNS queries.
Website: https://dnsdumpster.com/
Target: tryhackme.com
### DNS Server Info

### MX record

### TXT Record

### Host Record (Sub domain)

### Mapping the domain

### LAB - DNSDumpster

Solved !
## Shodan.io
Shodan attempts to connect to every online device, building a search engine of devices.


Collected information includes:
- IP
- Hosting company
- Geographic location
- Server type and version
### Search Fundamentals
#### Banner
Shodan stores received information in the object called a banner, which is the fundamental unit of data.
Case 1: device banner
```
{
  "data": "Moxa Nport Device\nStatus: Authentication disabled\nName: NP5232I_4728\nMAC: 00:90:e8:47:10:2d",
  "ip_str": "46.252.132.235",
  "port": 4800,
  "org": "SingTel Mobile",
  "location": {
    "country_code": "SG"
  }
}
```
data -> the device's response
Case 2: HTTP banner
```
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Sat, 03 Oct 2015 06:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6466
Connection: keep-alive
```
Web software -> nginx
#### Search Banner
Shodan only searches the `data` property!
For example, to find more Moxa Nport devices, we search for the text that appears in their `data` banner.


Search filters (login required)
Syntax
```
filterName:value
```
For instance
```
country:TW
```
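To make "Shodan only searches the data property" concrete, here is an added example (not Shodan's code or API): a simplified model of its query semantics over constructed banners, where free-text terms are matched only against `data` and `filterName:value` tokens are matched against the other properties. The filter names mirror Shodan's `country`, `port` and `org` filters; the exact-match rule for filters and the banner values are assumptions of this model.

```python
# Constructed banners modelled on the two cases above; all values are made up.
BANNERS = [
    {"data": "Moxa Nport Device\nStatus: Authentication disabled\nName: NP5232I_4728",
     "ip_str": "192.0.2.10", "port": 4800, "org": "Example Telco",
     "location": {"country_code": "SG"}},
    {"data": "HTTP/1.1 200 OK\r\nServer: nginx/1.1.19\r\nContent-Type: text/html",
     "ip_str": "192.0.2.20", "port": 80, "org": "Moxa Hosting Ltd",
     "location": {"country_code": "TW"}},
    {"data": "SSH-2.0-OpenSSH_8.9",
     "ip_str": "192.0.2.30", "port": 22, "org": "Example Telco",
     "location": {"country_code": "TW"}},
]

# Filters reach the other banner properties; free-text terms only reach "data".
FILTERS = {
    "country": lambda b: b["location"]["country_code"],
    "port": lambda b: str(b["port"]),
    "org": lambda b: b["org"],
}

def parse_query(query):
    """Split 'nginx country:TW' into free-text terms and (filter, value) pairs."""
    terms, filters = [], []
    for token in query.split():
        name, sep, value = token.partition(":")
        if sep and name in FILTERS:
            filters.append((name, value))
        else:
            terms.append(token)
    return terms, filters

def matches(banner, terms, filters):
    """Every term must appear in data; every filter must equal its property."""
    data = banner["data"].lower()
    if not all(term.lower() in data for term in terms):
        return False
    return all(FILTERS[name](banner).lower() == value.lower() for name, value in filters)

def search(banners, query):
    """Return the ip_str of every banner that matches the query."""
    terms, filters = parse_query(query)
    return [b["ip_str"] for b in banners if matches(b, terms, filters)]
```

Note that `moxa` finds only the device whose banner text contains it, not the host whose `org` says Moxa: that is the property rule the notes point out.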
### LAB- Shodan.io




Solved !
# Active Reconnaissance
Active reconnaissance uses tools such as ping, telnet and a web browser to gather information.
Active recon is invasive; before we do it we need to obtain proper legal authorization.
We connect directly to the target machine, and such actions typically leave traces in logs (IP address, connection time).
During an engagement we have to look like a normal user, e.g. connecting via HTTP.
Common active recon activities
- Connecting to the target via HTTP, FTP, SMTP or ping
- Pretending to be an employee
- Calling the company
## Traceroute
The traceroute tool lets us discover the routers along the path from our machine to the target machine.
### TTL (Time to Live)

### Timeout / Packet Drop

Traceroute uses this TTL mechanism to obtain information about the routers on the path.
`*` indicate that our system didn’t receive two expected ICMP time exceeded in-transit messages.
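The TTL mechanism behind traceroute, as an added model (not the traceroute program and not part of these notes): each router decrements the TTL, the router that brings it to 0 discards the probe and answers with ICMP Time Exceeded, and a router that silently drops expired probes shows up as `*`. The path, its addresses (documentation ranges) and the single-probe-per-hop simplification are constructed assumptions of this model.

```python
# Constructed path from our machine to the target; each hop is
# (address, answers_with_time_exceeded). Addresses are documentation ranges.
DEMO_PATH = [
    ("192.0.2.1", True),       # default gateway
    ("198.51.100.7", True),
    ("198.51.100.9", False),   # drops expired packets silently -> shows as "*"
    ("203.0.113.42", True),    # the target host
]

def send_probe(path, ttl):
    """Model one probe sent with the given TTL.

    Each router decrements the TTL; the router that brings it to 0 discards
    the packet and (usually) answers with ICMP Time Exceeded. If the TTL
    survives every router, the target itself answers. None models a timeout.
    """
    routers, target = path[:-1], path[-1][0]
    for addr, answers in routers:
        ttl -= 1
        if ttl == 0:
            return (addr, "time exceeded") if answers else None
    return target, "destination reply"

def traceroute(path, max_hops=30):
    """Raise the TTL from 1 upward until the target answers; '*' marks a timeout."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, ttl)
        hops.append("*" if reply is None else reply[0])
        if reply and reply[1] == "destination reply":
            break
    return hops
```

The real tool sends three probes per hop, which is why a hop that is filtering ICMP prints several `*` rather than one.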

### LAB - Traceroute



Solved !!
## Telnet
Client/server model
The telnet protocol lets us communicate with a remote server via a command-line interface.
Telnet Default server (22)
### Connect to a remote server and retrieve its banner
Connect to the server on port 80.
Send:
```
GET / HTTP/1.1
Host: target domain
```
We will receive the server's banner after we send the request.

We have to press Enter twice after the end of the message; the empty line tells the server the request headers are complete.
We obtain the web software version, which we can use to find public vulnerabilities.
### LAB - Telnet-Web Server

Solved !!
## Netcat
Netcat supports TCP and UDP, and it can be used as either a client or a server.
Flags:
- -l Listen mode
- -p Specify the port
- -n Numeric only (IP addresses); don't use DNS to resolve domain names
- -v / -vv Verbose output
- -k Keep listening after the client disconnects
Server
```
nc -lvnkp 443
```
Client
```
nc MACHINE_IP PORT
```
Once a client connects to the server, a TCP channel is established between them for message communication.

### LAB - Netcat
Retrieve the target's banner
>A banner is a piece of information displayed by a host that provides details about the service or system
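The banner grab from the Telnet section and this lab, as an added example that is not part of these notes: the same `GET / HTTP/1.1` request typed into telnet or nc is sent over a raw socket to a constructed local web server (a stand-in for the target, so the example runs offline), and the `Server` header is read back from the response. The server name `DemoWeb/1.0`, the virtual host `demo.local` and the helper names are assumptions of the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target web server so the example runs offline."""
    server_version = "DemoWeb/1.0"  # constructed banner value
    sys_version = ""

    def do_GET(self):
        self.send_response(200)  # BaseHTTP adds the Server and Date headers itself
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html>hello</html>")

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_demo_server():
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def grab_banner(host, port, vhost, timeout=3.0):
    """Send the request typed into telnet/nc; return (status line, headers dict)."""
    # The trailing CRLF CRLF is the "double enter": it ends the header block.
    request = f"GET / HTTP/1.1\r\nHost: {vhost}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode())
        raw = b""
        while chunk := s.recv(4096):  # server closes the socket after replying
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def demo():
    """Run the exchange against the constructed server and return the result."""
    srv, port = start_demo_server()
    try:
        return grab_banner("127.0.0.1", port, "demo.local")
    finally:
        srv.shutdown()
```

Against a real target the `server` value is what you compare with public advisories; a server that omits or genericises it is deliberately reducing what this grab reveals.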
