Hacker methodology 101: recon basics

The hacker methodology comprises a few phases: recon (both active and passive), gaining access (also called exploitation), privilege escalation, maintaining access, and covering tracks. Over the next few weeks I will be covering the basics of each phase and a few tools for accomplishing it.

The recon phase of an assessment can be broken down into two parts: passive recon (often called OSINT, open source intelligence) and active recon (often called scanning and enumeration). In this article I will discuss passive recon, its benefits, and some techniques for performing it.

The biggest benefit of passive recon is a better understanding of the environment you will be assessing. A few tools that help with this are nslookup, dig, whois, DNSDumpster, and Google dorks. They will help you paint a picture of the environment, the users in it, and potential targets for your assessment. These are only a few of the tools available; there are many more, and I will be writing more guides over the coming weeks.

Some of the first tools I would use to gather information are nslookup and dig, two command-line tools that ship natively with Linux. You can use both on Windows as well, but you will have to install dig. These tools let you look up a domain's records, such as A, MX, TXT, PTR, and other DNS record types. Here is an example of how they are used:

$ dig google.com

; <<>> DiG 9.10.3 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4373
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 81 IN A 172.217.9.14

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 02 09:00:36 CST 2018
;; MSG SIZE rcvd: 55

and

$ nslookup google.com

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: google.com
Address: 172.217.14.174

As you can see, this gives us important IP information about our target. That is a starting point for further information gathering in the passive phase and a list of targets for the active phase.
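When you run dig against many domains and record types, it helps to pull the answers out of its output programmatically rather than reading them by eye. The following is an added example, not code from the original post: it parses the dig output format shown above (a constructed sample with MX, TXT and NS records added alongside the A record) and cross-checks the header's ANSWER count against the records actually parsed.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample in the layout dig prints (same shape as the page's
# google.com query, with MX/TXT/NS records added so several types appear).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.10.3 <<>> google.com any
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4373
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;google.com.            IN      ANY

;; ANSWER SECTION:
google.com.     81      IN      A       172.217.9.14
google.com.     600     IN      MX      10 aspmx.l.google.com.
google.com.     3600    IN      TXT     "v=spf1 include:_spf.google.com ~all"
google.com.     345600  IN      NS      ns1.google.com.

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    data: str

def header_summary(output: str) -> Tuple[str, int]:
    """Return (status, ANSWER count) from dig's HEADER and flags lines."""
    status = re.search(r"status: (\w+)", output).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", output).group(1))
    return status, answers

def parse_answer_section(output: str) -> List[Record]:
    """Return the records listed under ';; ANSWER SECTION:'."""
    records: List[Record] = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and not line.strip():
            break  # a blank line closes the section
        elif in_answer:
            # Columns: owner name, TTL, class, type, then the record data
            name, ttl, _cls, rtype, data = line.split(None, 4)
            records.append(Record(name.rstrip("."), int(ttl), rtype, data))
    return records
```

If the header's ANSWER count does not match the number of parsed records, the output was truncated or the section layout changed, so treat the result as incomplete.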

The next tool I would use is whois. Whois lookups are usually done through a web interface, but there is a command-line version as well. This tool gives you information such as the domain name, the registrar used to register the domain, when it was registered, when the registration expires, who registered it, and their contact info. This tells us a few different things. The registration date tells us how far back to look in the Wayback Machine for sensitive information that may once have been on the company's website, as well as web functionality (such as admin pages) that they may now be hiding. The contact information in the whois record can be used for phishing campaigns in your assessment; it reveals things like the company's email address scheme and phone numbers. Here is an example of what Google's whois information looks like:

Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Google LLC
Registrant Street: 1600 Amphitheatre Parkway,
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6502530000
Registrant Phone Ext:
Registrant Fax: +1.6502530001
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Google LLC
Admin Street: 1600 Amphitheatre Parkway,
Admin City: Mountain View
Admin State/Province: CA
Admin Postal Code: 94043
Admin Country: US
Admin Phone: +1.6502530000
Admin Phone Ext:
Admin Fax: +1.6502530001
Admin Fax Ext:
Admin Email: [email protected]
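To turn a whois record into the facts the paragraph above says to look for (how long the domain has been registered, which contact fields are populated per role, and the email addresses and domain exposed), here is an added example that is not part of the original post. The whois text is a constructed sample in the same "Field: value" layout as the Google record; every value in it is made up.

```python
from datetime import datetime

# Constructed whois record in the same "Field: value" layout the page shows for
# google.com; every value here (dates, names, phone, e-mail) is made up.
SAMPLE_WHOIS = """\
Creation Date: 2005-03-01T00:00:00Z
Registry Expiry Date: 2026-03-01T00:00:00Z
Registrant Name: Domain Administrator
Registrant Phone: +1.5550100000
Registrant Phone Ext:
Registrant Email: dns-admin@example.com
Admin Name: Domain Administrator
Admin Phone: +1.5550100000
Admin Email: dns-admin@example.com
"""

ROLES = ("Registrant", "Admin", "Tech")
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # ISO-8601 UTC, as .com registry whois prints it

def parse_whois(text):
    """Turn 'Field: value' lines into a dict; empty fields stay as ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def summarize_whois(text, today_iso):
    """Pull out what the article says to look for: the registration window,
    the populated contact fields per role, and the e-mail scheme exposed."""
    f = parse_whois(text)
    today = datetime.strptime(today_iso, "%Y-%m-%d")
    created = datetime.strptime(f["Creation Date"], DATE_FMT)
    expires = datetime.strptime(f["Registry Expiry Date"], DATE_FMT)
    contacts = {}
    for role in ROLES:
        prefix = role + " "
        populated = {k[len(prefix):]: v for k, v in f.items()
                     if k.startswith(prefix) and v}
        if populated:  # no Tech contact in the sample, so that role is skipped
            contacts[role] = populated
    emails = sorted({c["Email"] for c in contacts.values() if "Email" in c})
    return {
        "years_registered": (today - created).days // 365,
        "days_to_expiry": (expires - today).days,
        "contacts": contacts,
        "emails": emails,
        "email_domains": sorted({e.split("@", 1)[1] for e in emails}),
    }
```

"years_registered" is the value to feed into your Wayback Machine search window; "days_to_expiry" going negative means the record is stale and the domain may have changed hands.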

After whois I would use DNSDumpster, which, like whois, is a web-based tool. It paints a picture of the terrain by showing the relationships between IPs, domains, and mail servers. This information can help you narrow down targets, open up new possible targets, and decide which tools to use on your assessment. DNSDumpster will show you any subdomains the company owns, their mail servers, any web servers they are running, and the IPs associated with those assets. Companies often have subdomains that host things like API code, respond to requests from mobile apps, or host additional web services. If the company has given you permission to target their domain and subdomains, this tool will help you be more successful.

[Screenshot: DNSDumpster results for CyDefe.com]

Another way to identify sensitive information a company has publicly available is Google dorks. This is simply using Google with special search operators to query the information it has indexed. For example, searching site:cydefe.com filetype:pdf lists every PDF file publicly available from cydefe.com. Oftentimes companies accidentally leave files publicly available that should not be, such as internal email and telephone directories and company memos, all of which benefit you on an assessment by giving you more targets for phishing campaigns.

As I said before, these are only a few of the tools and techniques you can use in an assessment, but they are a good starting point. Keep checking back over the next few weeks for the remaining phases of the hacker methodology, tool tutorials, and much more. Until next time, happy hacking.