[THM] Passive Reconnaissance

박소정·2022년 6월 30일
tryhackme네트워크해킹
0

tryhackme

목록 보기
10/10
post-thumbnail
post-custom-banner

Passive Reconnaissance(정찰)
https://tryhackme.com/room/passiverecon

Learn about the essential tools for passive reconnaissance, such as whois, nslookup, and dig.

Task 2 Passive Versus Active Recon

Reconnaissance(recon) can be defined as a preliminary survey to gather information about a target.

  1. Passive Reconnaissance
    In passive reconnaissance, we rely on publicly available knowledge.
  • Looking up DNS records of a domain from a public DNS server
  • Checking job ads related to the target website.
  • Reading news articles about the company.
  1. Active Reconnaissance
    It requires direct engagement with the target.
  • Connecting to one of the company servers such as HTTP, FTP, SMTP
  • Calling the company in an attempt to get information
  • Entering company premises pretending to be a repairman.

Task 3 Whois

Whois is a request and respond protocol that follows the RFC3912 specification. The Whois server replies with various information related to the domain requested.

  • Registrar: Via which registrar was the domain name registered?
  • Contact info of registrant: Name, organization, address, phone, among other things.
  • Creation, update, and expiration dates
  • Name Server: Which server to ask to resolve the domain name?

whois DOMAIN_NAME

Task 4 nslookup and dig

We can find the IP address of a domain name using nslookup(Name Server Look UP)
Nslookup DOMAIN_NAME

Query typeResult
AIPv4 Addresses
AAAAIPv6 Addresses
CNAMECanonical Name
MX MailServers
SOAStart of Authority
TXTTXT Recodes

Ex) nslookup -type=MX tryhackme

For more advanced DNS queries and additional functionality, we can use dig(Domain Information Groper)
dig DOMAIN_NAME TYPE

Task 5 DNSDumpster

DNS lookup tools can’t find subdomains on their own. (like tryhackme has the subdomains wiki.tryhackme.com, webmail.tryhackme.com…)
DNSDumpster offers detailed answers to DNS queries. : https://dnsdumpster.com/

Task 6 Shodan.io

It can be helpful to learn various pieces of information about the client’s network, without actively connecting to it. Shodan.io tries to connect to every device reachable online to build a search engine of connected “things” in contrast with a search engine for web pages.
Via this Shodan.io search result, we can learn several things related to our search, such as

  • IP address
  • Hosting company
  • Geographic location
  • Server type and version
profile
박소정
이전 포스트

[THM] Burp Suite: Other Modules

post-custom-banner

0개의 댓글