The gMan nixWiki

Because the mind is made of Teflon...

User Tools

Site Tools

You are here: start » method_2_recon
method_2_recon

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
method_2_recon [2022/12/26 19:39] – [[3] Active Recon] gmanmethod_2_recon [2022/12/31 22:10] (current) – [SMTP] gman
Line 46: Line 46:
 ====== [1] OSInt ====== ====== [1] OSInt ======
  
-**WhoIs:** ''whois'' provides information such as email addresses, phone numbers, and possibly even physical addresses associated with a domain name or IP address.+===== WhoIs =====
  
-**NSLookUp:** ''nslookup'' is similar to whois but a bit more flexible and focused.+''whois'' provides information such as email addresses, phone numbers, and possibly even physical addresses associated with a domain name or IP address. 
 + 
 +**Problem:** A major problem with whois lookups today is that the amount of visible data has been greatly reduced in an effort to provide better privacy and protection. 
 + 
 +**Work-Around:** There are services that provide historical whois lookups (kind of like a WayBack Machine for DNS/WhoIs stuff). Examples: 
 +  * DomainHistory.net (but it appears dead) 
 +  * WhoIsMind.com (but it appears out of service) 
 +  * What the heck...? 
 + 
 +===== NSLookUp ===== 
 + 
 +''nslookup'' is similar to whois but a bit more flexible and focused.
  
 <code> <code>
Line 59: Line 70:
 nslookup 172.250.191.174 nslookup 172.250.191.174
 </code> </code>
 +
 +===== FOCA =====
  
 **FOCA: Fingerprinting Organizations with Collected Archives** **FOCA: Fingerprinting Organizations with Collected Archives**
Line 74: Line 87:
   * This will dump all the metadata into Metadata Summary and Document Analysis   * This will dump all the metadata into Metadata Summary and Document Analysis
   * Have fun!   * Have fun!
 +
 +===== Routing Info =====
 +
 +Routing information is network information, and you can find it in public BGP((Border Gateway Protocol)) route information servers called BGP Looking Glasses.
 +  * You can find a list of them here: [[https://www.bgp4.as/looking-glasses | bgp4]]
  
 ---- ----
Line 202: Line 220:
 [[https://www.googleguide.com/advanced_operators_reference.html | The Google Guide ]] [[https://www.googleguide.com/advanced_operators_reference.html | The Google Guide ]]
   * For Google tips, tricks, & how Google works...   * For Google tips, tricks, & how Google works...
 +
 +Four of the most useful Google queries: 
 +  - **inurl:[string]:** Restricts results to documents containing your string in the URL.
 +    * Example: ''inurl:101labs''
 +  - **intitle:[string]:** Restricts results to documents containing your string in the web page's title.
 +    * Example: ''intitle:apple''
 +  - **site[site | domain]:** Restrics results to the site or domain specified.
 +    * Example: ''site:.gov''
 +    * Example: ''site:theology101.net'' 
 +  - **filetype:[filetype suffix]:** Restrics results to documents with the suffix specified.
 +    * Example: ''filetype:pdf'' 
  
 ---- ----
Line 208: Line 237:
  
 Much of active recon involves scanning. So... for right now, see "[[method_3_scanning | Scanning]]." Much of active recon involves scanning. So... for right now, see "[[method_3_scanning | Scanning]]."
 +
 +===== URL Enum =====
 +
 +URL enumeration makes a list of URLs in a domain, often showing hidden files and directories.
 +  * This is especially important in web application pentesting.
 +  * NOTE: This is an aggressive process.
 +  * Tool: [[https://www.kali.org/tools/ffuf/ | FFUF]] (Fuzz Faster U Fool)
 +
 +===== DNS Enum =====
 +
 +DNS enumeration is like an aggressive DNS lookup (think whois on steroids).
 +  * This is active recon and it will take a long time.
 +  * It barfs out a butt-ton of information.
 +  * Tool: [[https://www.kali.org/tools/dnsenum/ | dnsenum]]
 +
 +Example syntax: ''dnsenum --enum google.com''
 +
 +===== SMTP =====
 +
 +**Simple Mail Transfer Protocol (SMTP):** A vintage email sending protocol.
 +  * No much built in security.
 +  * Runs on port 25.
 +
 +You can gather info on SMTP by telnetting to the service port (25) and grabbing the banner information and then using [[https://cr.yp.to/smtp/vrfy.html |VRFY and/or EXPN]] to gather more info. Example sytax:
 +
 +<code>
 +telnet example.server.com 25
 +
 +# once connected, type:
 +VRFY [username]
 +# or
 +EXPN [user_alias]
 +</code>
 +
 +**Exploits:** SMTP exploits are usually associated with a vulnerable version.
 +  * Connect (by telnet). Grab banner info (VRFY, EXPN).
 +  * This should give you a clue as to the SMTP version on your target.
 +===== SNMP =====
 +
 +You can use SNMP to gather information on a system //**if**// you have access to the system //**and**// you know the "read" community string (which is often: ''public'').
 +
 +**Tools:**
 +  - [[https://www.kali.org/tools/snmpenum/ | snmpenum]]
 +  - [[http://www.net-snmp.org/wiki/index.php/Snmpwalk | snmpwalk]]
 +
 +<code>
 +# Example syntax for snmpwalk, assuming 'public' as the community string
 +snmpwalk -c public -v1 192.168.1.1
 +</code>
 +
  
 ---- ----
method_2_recon.1672083592.txt.gz · Last modified: by gman