Week 1: Passive Reconnaissance - Paiet/SEC-335 GitHub Wiki
Information gathering is critical in penetration testing. Without gathering information about the targets, we may not know what to target, and the amount and type of information we gather shapes the strategy for the penetration test.
We normally use open-source intelligence (OSINT) to obtain information that is publicly available. There is nothing wrong with collecting such information, as it is not confidential or private. There are various places one can look for information:
- Whois database
- Target's website
- Social media profiles of employees
- Google search results
- DNS information
- Blogs and public forums
A tool such as Maltego helps us gather detailed footprinting information about a website.
In this class we learned about passive reconnaissance for vulnerabilities in a network:
- Used the WHOIS website
- Performed social media lookups
- Learned about Shodan
- Used Google hacking
- Used DNS querying
- Learned about theHarvester (big "H", not little "h")
Things we didn't really talk about:
- Recon-ng
- Maltego
The WHOIS website returns registration information about a domain name. For example, if you enter a domain name such as Champlain.edu, WHOIS will return the name and address of the domain's owner, which in this case is Champlain. You can also use the whois command in Kali Linux. With this command you can find out information about a domain such as:
- Registrar
- Server name
- WHOIS server
- Referral URL
- IP address range
You can find out a lot of information about a particular domain. This information can then be used in attacking a particular domain or server.
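The same lookup is also how an organization audits what its own registration exposes: pull the fields listed above out of the whois output and check whether registrant contact details are still public. The script below is an added example written for this page, not code from the SEC-335 wiki or from Kali's whois tool. The two records it parses are constructed samples in the classic Verisign thin-WHOIS and ARIN netblock layouts, using the reserved .test TLD and the 192.0.2.0/24 documentation range, so nothing in them refers to a real domain or owner.

```python
"""Parse whois output into the fields the page lists and flag public registrant details.

Added example, not from the SEC-335 wiki. Both records below are constructed
placeholders, not real lookups.
"""
import re
from collections import defaultdict

# Constructed sample: roughly what `whois example-college.test` would print.
DOMAIN_WHOIS = """\
   Domain Name: EXAMPLE-COLLEGE.TEST
   Registrar: Example Registrar, LLC
   Whois Server: whois.example-registrar.test
   Referral URL: http://www.example-registrar.test
   Name Server: NS1.EXAMPLE-COLLEGE.TEST
   Name Server: NS2.EXAMPLE-COLLEGE.TEST
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Email: privacy@example-registrar.test
   Updated Date: 2024-01-15
>>> Last update of whois database: 2024-06-01T00:00:00Z <<<
"""

# Constructed sample: roughly what `whois 192.0.2.10` would print for the netblock.
IP_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-COLLEGE-NET
Organization:   Example College (EC-1)
OrgAbuseEmail:  abuse@example-college.test
"""

# The page's field names mapped to the labels whois servers actually print
# (Verisign/ARIN style first, RIPE style second where it differs).
FIELDS = {
    "registrar": ("Registrar",),
    "name_servers": ("Name Server", "nserver"),
    "whois_server": ("Whois Server", "Registrar WHOIS Server"),
    "referral_url": ("Referral URL", "Registrar URL"),
    "ip_range": ("NetRange", "inetnum"),
    "registrant_name": ("Registrant Name",),
    "registrant_email": ("Registrant Email",),
}

# "Label: value" lines; the label group is non-greedy so a URL value keeps its "://".
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Return {field: [values]} for every recognised label; repeated labels keep all values."""
    by_label = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_label[m.group(1).strip().lower()].append(m.group(2))
    found = {}
    for field, labels in FIELDS.items():
        for label in labels:
            if label.lower() in by_label:
                found[field] = by_label[label.lower()]
                break
    return found


def footprint_report(domain_text, ip_text):
    """Merge the domain and netblock lookups and flag whether registrant details are redacted."""
    info = parse_whois(domain_text)
    info.update(parse_whois(ip_text))
    name = " ".join(info.get("registrant_name", [])).upper()
    email = " ".join(info.get("registrant_email", [])).lower()
    # Registrar privacy services print "REDACTED FOR PRIVACY" or a privacy@ forwarding address;
    # anything else means the registrant's real contact details are visible to anyone.
    info["registrant_redacted"] = (
        "REDACTED" in name or "privacy" in email or not (name or email)
    )
    return info


if __name__ == "__main__":
    for field, values in footprint_report(DOMAIN_WHOIS, IP_WHOIS).items():
        print(f"{field:20} {values}")
```

Run it against real output by replacing the two constants with the text of `whois yourdomain` and `whois <one of your IPs>`; a report where registrant_redacted is False means the owner's name and address are exactly as visible as the paragraph above describes.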
You can greatly protect yourself by using a service like Cloudflare for DNS.