Introduction

• whois - to query WHOIS servers
• nslookup - to query DNS servers
• dig - to query DNS servers

Note: These are all publicly available records and hence do not alert the target.

Passive Versus Active Recon

• Reconnaissance -
  • It is a preliminary survey to gather information about a target.
  • It is the first step in The Unified Kill Chain to gain an initial foothold on a system.
  • It can be divided into:
    • Passive Reconnaissance
    • Active Reconnaissance
  • Passive Reconnaissance-
    • We rely on publicly available knowledge.
    • It is the knowledge that we can access from publicly available resources without directly engaging with the target.
    • It includes many activities like-
      • Looking up DNS records of a domain from a public DNS server.
      • Checking job ads related to the target website.
      • Reading news articles about the target company.
  • Active Reconnaissance-
    • It cannot be achieved so discreetly.
    • It requires direct engagement with the target.
    • Examples of active recon include-
      • Connecting to one of the company servers such as HTTP, FTP, and SMTP.
      • Calling the company in an attempt to get information (social engineering).
      • Entering company premises pretending to be a repairman.

Whois

• WHOIS is a request and response protocol that follows the RFC 3912 specification.

• A WHOIS server listens on TCP port 43 for incoming requests.

• The domain registrar is responsible for maintaining the WHOIS records for the domain names.

• he WHOIS server replies with various information related to the domain requested, for example-

  • Registrar: Via which registrar was the domain name registered
  • Contact info of registrant: Name, organization, address, phone, among other things. (unless made hidden via a privacy service)
  • Creation, update, and expiration dates: When was the domain name first registered, when was the domain last updated, and when does it needs to be renewed.
  • Name Server: Which server to ask to resolve the domain name

  

nslookup and dig

• We can find the IP address of a domain name using nslookup.

• nslookup stands for Name Server Lookup.

• We need to issue the command- nslookup DOMAIN_NAME, for example - nslookup tryhackme.com.

• We can also use - nslookup OPTIONS DOMAIN_NAME SERVER

• The three main parameters are:-

  • OPTIONS- It contains the query type. For example - We can use A for IPv4 addresses and AAAA for IPv6 addresses.

    Query type	Result
    A	IPv4 Addresses
    AAAA	IPv6 Addresses
    CNAME	Canonical Name
    MX	Mail Servers
    SOA	Start of Authority
    TXT	TXT Records

  • DOMAIN_NAME- It is the domain name we are looking up.

  • SERVER- It is the DNS server that we want to query. We can choose any public DNS server to query. Cloudflare offers 1.1.1.1 and 1.0.0.1. Similarly Google offers 8.8.8.8 and 8.8.4.4.

  • There are many more public DNS servers that we can choose.

• Example syntax- nslookup -type=A tryhackme.com 1.1.1.1can be used to return all the IPv4 addresses used by tryhackme.com.