🌏 Passive Information Gathering

Tools Used in Passive Information Gathering

Website Recon & Footprinting

  • The host command can be used to find the IP addresses of a web application.

  • Browser add-ons like BuiltWith and Wappalyzer can identify technologies used by websites.

  • The WhatWeb command identifies technologies used by websites.

  • HTTrack can download the publicly served pages and assets of a website for offline review.

  • Netcraft Tool helps analyze and evaluate the security and performance of websites.

  • Wafw00f is a tool used to identify and fingerprint web application firewalls (WAFs) protecting a website.

Whois Enumeration

  • Whois is a command-line tool (and protocol) that returns domain registration details; several websites offer the same lookups.

DNS Recon

  • dnsrecon is a tool used for DNS reconnaissance to gather information about DNS servers and perform various DNS-related tasks.

  • DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain.

Subdomain Enumeration

  • Sublist3r is a Python-based tool used for enumerating subdomains of a domain.

Google Dorks

  • Google Dorks are specific search queries that use advanced operators to help users find hidden information on the internet.

  • Wayback Machine is an online tool provided by the Internet Archive that allows users to view archived versions of websites over time.

Email Harvesting

  • theHarvester is a command-line tool used for gathering information such as email addresses, subdomains, hosts, employee names, open ports, and banners from public sources.

Leaked Password Databases

  • Have I Been Pwned is a website that allows you to check if your email address or username has been compromised in a data breach.


Website Recon & Footprinting

When performing footprinting for a web application, it's essential to explore the application's functionality and review all associated links to gain a comprehensive understanding. Additionally, you should check for the presence of a robots.txt or sitemap.xml file. The robots.txt file instructs web robots or search engine crawlers on which parts of a website they are allowed to access, while the sitemap.xml file provides a structured list of all the pages on a website.
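Both files are plain formats that are easy to parse, and the defender-side check worth automating is whether robots.txt "hides" paths that sitemap.xml then publishes. The following script is an added example, not code from the page; the robots.txt and sitemap.xml contents are constructed inline for the hypothetical domain example.test rather than fetched from any site.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample robots.txt for a hypothetical site; not fetched from anywhere.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/   # old dumps, keep crawlers out
Allow: /public/
Sitemap: https://example.test/sitemap.xml
"""

# Constructed sample sitemap.xml for the same hypothetical site.
SAMPLE_SITEMAP = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/</loc></url>
  <url><loc>https://example.test/public/faq.html</loc></url>
  <url><loc>https://example.test/admin/login.html</loc></url>
</urlset>
"""

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"


def parse_robots(text):
    """Return {'disallow': [...], 'allow': [...], 'sitemaps': [...]}.

    Comments (#...) and blank lines are skipped and directive names are
    matched case-insensitively, which is how crawlers read the file.
    """
    result = {"disallow": [], "allow": [], "sitemaps": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        # partition on the FIRST colon so "Sitemap: https://..." keeps its URL intact
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "disallow" and value:
            result["disallow"].append(value)
        elif field == "allow" and value:
            result["allow"].append(value)
        elif field == "sitemap" and value:
            result["sitemaps"].append(value)
    return result


def parse_sitemap(xml_text):
    """Return every <loc> URL listed in a sitemap.xml document."""
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.iter(SITEMAP_NS + "loc") if loc.text]


def disallowed_but_published(robots, sitemap_urls):
    """URLs that robots.txt tells crawlers to avoid yet sitemap.xml advertises.

    A Disallow line is a hint, not an access control: it points every reader
    at the paths the owner considers interesting. Listing the same paths in
    the sitemap makes the contradiction easy to spot.
    """
    hits = []
    for url in sitemap_urls:
        path = urlparse(url).path
        if any(path.startswith(rule) for rule in robots["disallow"]):
            hits.append(url)
    return hits


if __name__ == "__main__":
    robots = parse_robots(SAMPLE_ROBOTS)
    urls = parse_sitemap(SAMPLE_SITEMAP)
    print("Disallowed prefixes:", robots["disallow"])
    print("Sitemap URLs:", urls)
    print("Disallowed but published:", disallowed_but_published(robots, urls))
```

Run it against your own site's files (fetched with curl or from the web root) to catch the classic mistake of advertising an admin path in robots.txt; the real fix is to protect the path with authentication rather than rely on either file.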

Browser add-ons like BuiltWith or Wappalyzer can be useful for identifying the technologies and frameworks used by the application. While the WhatWeb command can also help with this, its output may not be as organized.

To enhance this process, consider using additional tools and techniques, such as:

  1. HTTP Headers Analysis: Inspect the HTTP response headers to gather information about the server software and technologies used.

  2. Whois: A protocol and command-line client used to retrieve domain registration details, such as the registrant's contact information and registration date. Several websites offer the same lookups.

  3. DNS Enumeration: Identify subdomains and related DNS information using tools like DNSRecon or Fierce.

  4. Web Archive: Use the Wayback Machine to view historical versions of the website and understand how it has changed over time.

  5. HTTrack: A website copier for Windows and Linux that downloads a site's publicly served pages and assets for offline review.

  6. Wafw00f: A tool used to identify and fingerprint the web application firewall (WAF) protecting a website.

  7. theHarvester: A command-line tool for gathering email addresses, subdomains, hosts, employee names, open ports, and banners from public sources such as search engines, PGP key servers, and the SHODAN database.
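The HTTP header check in item 1 is the one most worth scripting from the defender's side, because the same headers that feed WhatWeb and Wappalyzer are under your control. Below is an added example (not code from the page or from any of the tools listed) that parses a raw HTTP response and reports the headers and cookie names that reveal the stack. Both responses are constructed inline: the first advertises versions, the second shows the shape you get after turning that off.

```python
import re

# Constructed sample response from a server that advertises its stack; not captured anywhere.
CHATTY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# The same page after version banners and the default cookie name are removed (also constructed).
QUIET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: session=abc123; path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers whose values commonly name the software stack.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator"}
# Session cookie names that identify a platform by default.
COOKIE_FINGERPRINTS = {"phpsessid": "PHP", "jsessionid": "Java servlet container",
                       "asp.net_sessionid": "ASP.NET"}
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).

    Header names are lower-cased; duplicates (e.g. several Set-Cookie) are kept.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def fingerprint(raw):
    """Return (header, kind, detail) findings.

    kind is 'version' when a version number is exposed, 'product' when only a
    product name is, and 'cookie-name' for platform-default session cookies.
    """
    _, headers, _ = parse_response(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS:
            kind = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, kind, value))
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip().lower()
            if cookie in COOKIE_FINGERPRINTS:
                findings.append(("set-cookie", "cookie-name",
                                 cookie + " => " + COOKIE_FINGERPRINTS[cookie]))
    return findings


if __name__ == "__main__":
    for label, resp in (("chatty", CHATTY_RESPONSE), ("quiet", QUIET_RESPONSE)):
        print(label, fingerprint(resp))
```

On a real server the quiet shape comes from settings such as Apache's ServerTokens Prod, nginx's server_tokens off, and expose_php = Off plus a custom session.name in php.ini; the product name alone is still visible in the example, which is the honest limit of header hygiene.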

Netcraft Tool

The Netcraft Tool analyzes a website and presents its hosting, technology, and security posture in one report, combining the kind of information you would otherwise collect separately with WhatWeb, Whois, and host.

These methods can provide a more comprehensive understanding of the web application and its underlying technologies.


DNS Reconnaissance

DNS (Domain Name System) records are used to map domain names to corresponding IP addresses and manage various aspects of domain names and associated services. There are different types of DNS records, including:

  1. A (Address) Record: Maps a domain name to an IPv4 address.

  2. AAAA (IPv6 Address) Record: Maps a domain name to an IPv6 address.

  3. CNAME (Canonical Name) Record: Creates an alias for a domain name, pointing to another domain's A or AAAA record.

  4. MX (Mail Exchange) Record: Specifies the mail server responsible for handling email messages for a domain.

  5. TXT (Text) Record: Contains human-readable text and is used for various purposes, like domain verification and SPF records.

  6. NS (Name Server) Record: Delegates the authority for a subdomain to a specific name server, identifying authoritative DNS servers.

  7. PTR (Pointer) Record: Used for reverse DNS lookups, mapping an IP address to a domain name.

  8. SOA (Start of Authority) Record: Contains essential information about the domain, such as primary name server and administrative email address.

  9. SRV (Service) Record: Defines the location of specific services within a domain, commonly used for SIP, XMPP, and other protocols.

  10. CAA (Certificate Authority Authorization) Record: Specifies which certificate authorities are allowed to issue SSL/TLS certificates for a domain.

There are around 50 standardized DNS record types defined by IANA in the DNS parameters registry. However, not all DNS servers support all of these types, and the ones mentioned above are the most commonly used for regular domain management and services.
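Seen from the owner's side, the record types above are also the ones that decide how much an outsider learns and how much they can abuse: a permissive SPF TXT record, a missing DMARC policy, or no CAA record are findings a DNS recon pass will surface. The script below is an added example, not part of the page or of dnsrecon; it audits a zone snapshot held as (name, type, value) tuples. Both zones are constructed for the hypothetical domain example.test, the first with the weak settings and the second corrected.

```python
from collections import defaultdict

# Constructed zone snapshot for a hypothetical domain; not real DNS data.
WEAK_RECORDS = [
    ("example.test", "SOA", "ns1.example.test. hostmaster.example.test. 2024010101 3600 900 1209600 300"),
    ("example.test", "NS", "ns1.example.test."),
    ("example.test", "NS", "ns2.example.test."),
    ("example.test", "A", "192.0.2.10"),
    ("example.test", "AAAA", "2001:db8::10"),
    ("www.example.test", "CNAME", "example.test."),
    ("example.test", "MX", "10 mail.example.test."),
    ("example.test", "TXT", "v=spf1 mx +all"),          # +all: anyone may send as this domain
    ("_sip._tcp.example.test", "SRV", "10 60 5060 sip.example.test."),
]

# The same zone with the weak settings corrected (also constructed).
HARDENED_RECORDS = [r for r in WEAK_RECORDS if r[1] != "TXT"] + [
    ("example.test", "TXT", "v=spf1 mx -all"),
    ("_dmarc.example.test", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"),
    ("example.test", "CAA", '0 issue "letsencrypt.org"'),
]


def index_records(records):
    """Group record values by (owner name, type) so lookups read like DNS queries."""
    idx = defaultdict(list)
    for name, rtype, value in records:
        idx[(name.lower(), rtype.upper())].append(value)
    return idx


def audit_zone(domain, records):
    """Return a list of (code, message) findings for common exposure points."""
    idx = index_records(records)
    domain = domain.lower()
    findings = []

    if not idx[(domain, "A")] and not idx[(domain, "AAAA")]:
        findings.append(("NO_ADDRESS", "apex has neither A nor AAAA record"))
    if len(idx[(domain, "NS")]) < 2:
        findings.append(("SINGLE_NS", "fewer than two NS records: single point of failure"))

    # SPF lives in TXT at the apex; RFC 7208 allows exactly one v=spf1 record.
    spf = [t for t in idx[(domain, "TXT")] if t.lower().startswith("v=spf1")]
    if idx[(domain, "MX")] and not spf:
        findings.append(("NO_SPF", "mail is accepted (MX) but no SPF record is published"))
    elif len(spf) > 1:
        findings.append(("MULTI_SPF", "more than one SPF record; receivers treat this as a permanent error"))
    elif spf and "+all" in spf[0].lower().split():
        findings.append(("SPF_PLUS_ALL", "SPF ends in +all, so any host may send as this domain"))

    # DMARC is a TXT record at the _dmarc subdomain.
    dmarc = [t for t in idx[("_dmarc." + domain, "TXT")] if t.lower().startswith("v=dmarc1")]
    if idx[(domain, "MX")] and not dmarc:
        findings.append(("NO_DMARC", "no DMARC policy published at _dmarc." + domain))

    if not idx[(domain, "CAA")]:
        findings.append(("NO_CAA", "no CAA record: any public CA may issue certificates for this domain"))
    return findings


def finding_codes(domain, records):
    """Just the finding codes, handy for scripting a pass/fail gate."""
    return [code for code, _ in audit_zone(domain, records)]


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, audit_zone("example.test", zone))
```

To use it on a real zone, feed it the output of a dig AXFR against your own authoritative server (or a zone-file export) converted to the same tuples; the checks are deliberately limited to what the record types listed above express.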

DNS Recon refers to the process of gathering and analyzing information about a target's domain names and associated DNS records to gain insights into its infrastructure and potential vulnerabilities.

  • dnsrecon is a tool used for DNS reconnaissance to gather information about DNS servers and perform various DNS-related tasks.

  • DNSdumpster is a FREE domain research tool that can discover hosts related to a domain. Finding the hosts visible from an attacker's perspective is an important part of the security assessment process.


Google Dorks

Google Dorks are specific search queries that use advanced operators to help users find hidden information on the internet. These search queries allow users to find sensitive information, vulnerable websites, and other valuable data that is not typically accessible through regular searches.

  • site:rootkid.com

  • inurl:admin

  • intitle:admin

  • filetype:pdf

  • cache:rootkid.in
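The useful defensive exercise is to run the same operators against an inventory of your own site before a search engine does it for you. The script below is an added example, not from the page: it parses a dork into operators and free terms and evaluates site:, inurl:, intitle: and filetype: against a constructed list of (URL, page title) pairs for the hypothetical domain example.test. The cache: operator has no local equivalent and is left out.

```python
import posixpath
from urllib.parse import urlparse

# Operators this evaluator understands; cache: has no offline analogue.
KNOWN_OPS = {"site", "inurl", "intitle", "filetype"}

# Constructed (url, title) inventory for a hypothetical site; not crawled from anywhere.
SAMPLE_INVENTORY = [
    ("https://example.test/", "Home"),
    ("https://example.test/admin/login", "Admin Login"),
    ("https://example.test/docs/handbook.pdf", "Employee Handbook"),
    ("https://blog.example.test/post/1", "First post"),
    ("https://other.test/admin", "Admin"),   # different site: excluded by site:
]


def parse_dork(query):
    """Split a query into ([(operator, argument)], [free terms]); all lower-cased."""
    ops, terms = [], []
    for token in query.split():
        op, sep, arg = token.partition(":")
        if sep and arg and op.lower() in KNOWN_OPS:
            ops.append((op.lower(), arg.lower()))
        else:
            terms.append(token.lower())
    return ops, terms


def page_matches(url, title, ops, terms):
    """True when the page satisfies every operator and contains every free term."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    ext = posixpath.splitext(parsed.path)[1].lstrip(".").lower()
    for op, arg in ops:
        if op == "site" and host != arg and not host.endswith("." + arg):
            return False          # site: covers the domain and its subdomains
        if op == "inurl" and arg not in url.lower():
            return False
        if op == "intitle" and arg not in title.lower():
            return False
        if op == "filetype" and ext != arg:
            return False
    haystack = (url + " " + title).lower()
    return all(term in haystack for term in terms)


def self_dork(query, inventory):
    """URLs from the inventory that the given dork would surface."""
    ops, terms = parse_dork(query)
    return [url for url, title in inventory if page_matches(url, title, ops, terms)]


if __name__ == "__main__":
    for q in ("site:example.test inurl:admin", "site:example.test filetype:pdf", "intitle:admin"):
        print(q, "->", self_dork(q, SAMPLE_INVENTORY))
```

Feed it the URLs from your sitemap or a crawl export and the page titles from your CMS; anything that matches inurl:admin or filetype:pdf is a page to put behind authentication or out of the index, not merely out of robots.txt.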




Hacker's Mantra: Privacy is dead, and social media holds the smoking gun. - Pete Cashmore