Differences

This shows you the differences between two versions of the page.

--- method_2_recon [2022/12/29 23:50] – [Google Hacks] gman
+++ method_2_recon [2022/12/31 22:10] (current) – [SMTP] gman
@@ Line 46: / Line 46: @@
 ====== [1] OSInt ======
-**WhoIs:** ''whois'' provides information such as email addresses, phone numbers, and possibly even physical addresses associated with a domain name or IP address.
+===== WhoIs =====
-**NSLookUp:** ''nslookup'' is similar to whois but a bit more flexible and focused.
+''whois'' provides information such as email addresses, phone numbers, and possibly even physical addresses associated with a domain name or IP address.
+**Problem:** A major problem with whois lookups today is that the amount of visible data has been greatly reduced in an effort to provide better privacy and protection.
+**Work-Around:** There are services that provide historical whois lookups (kind of like a WayBack Machine for DNS/WhoIs stuff). Examples:
+  * DomainHistory.net (but it appears dead)
+  * WhoIsMind.com (but it appears out of service)
+  * What the heck...?
+===== NSLookUp =====
+''nslookup'' is similar to whois but a bit more flexible and focused.
 <code>
@@ Line 59: / Line 70: @@
 nslookup 172.250.191.174
 </code>
+===== FOCA =====
 **FOCA: Fingerprinting Organizations with Collected Archives**
@@ Line 74: / Line 87: @@
   * This will dump all the metadata into Metadata Summary and Document Analysis
   * Have fun!
+===== Routing Info =====
+Routing information is network information, and you can find it in public BGP((Border Gateway Protocol)) route information servers called BGP Looking Glasses.
+  * You can find a list of them here: [[https://www.bgp4.as/looking-glasses | bgp4]]
 ----
@@ Line 206: / Line 224: @@
   - **inurl:[string]:** Restricts results to documents containing your string in the URL.
     * Example: ''inurl:101labs''
-  - **intitle:[string]:**
+  - **intitle:[string]:** Restricts results to documents containing your string in the web page's title.
-  - **site[site | domain]:**
+    * Example: ''intitle:apple''
-  - **filetype:[filetype suffix]:**
+  - **site[site | domain]:** Restrics results to the site or domain specified.
+    * Example: ''site:.gov''
+    * Example: ''site:theology101.net''
+  - **filetype:[filetype suffix]:** Restrics results to documents with the suffix specified.
+    * Example: ''filetype:pdf''
 ----
@@ Line 231: / Line 253: @@
 Example syntax: ''dnsenum --enum google.com''
+===== SMTP =====
+**Simple Mail Transfer Protocol (SMTP):** A vintage email sending protocol.
+  * No much built in security.
+  * Runs on port 25.
+You can gather info on SMTP by telnetting to the service port (25) and grabbing the banner information and then using [[https://cr.yp.to/smtp/vrfy.html |VRFY and/or EXPN]] to gather more info. Example sytax:
+<code>
+telnet example.server.com 25
+# once connected, type:
+VRFY [username]
+# or
+EXPN [user_alias]
+</code>
+**Exploits:** SMTP exploits are usually associated with a vulnerable version.
+  * Connect (by telnet). Grab banner info (VRFY, EXPN).
+  * This should give you a clue as to the SMTP version on your target.
+===== SNMP =====
+You can use SNMP to gather information on a system //**if**// you have access to the system //**and**// you know the "read" community string (which is often: ''public'').
+**Tools:**
+  - [[https://www.kali.org/tools/snmpenum/ | snmpenum]]
+  - [[http://www.net-snmp.org/wiki/index.php/Snmpwalk | snmpwalk]]
+<code>
+# Example syntax for snmpwalk, assuming 'public' as the community string
+snmpwalk -c public -v1 192.168.1.1
+</code>
 ----