Reconnaissance
Open-source intelligence
Chris Thomas
Systems Specialist
Leon Teale
Penetration Tester
http://secheads.co.uk
http://batserver.co.uk
https://www.linkedin.com/in/leonteale
https://www.facebook.com/leonteale
Reconnaissance / OSINT
Reconnaissance is the process of learning as much as possible about the target
using the tools and services we have available.
Information we wish to gather is:
Servers: Hostnames / IPs / OSes / geo-location / hosting environment
Services: What is running on the servers / version numbers
Metadata: Usernames / Full names / passwords / software versions / internal file path disclosure
Misc: Email harvesting / DNS bruteforcing
All starts with a name
Starting with a domain name such as google.com allows us to start enumerating
hosts and building our picture of the company's infrastructure.
DNS and Email Reconnaissance
DNS Enumeration Tools
➢ DNSRecon - A powerful DNS enumeration script
➢ DNSenum - A good DNS enum tool with wildcard filtering
➢ Fierce - A semi-lightweight enumeration scanner
➢ TheHarvester - Commonly used for email enum but has a DNS enum built-in
➢ Nmap - Yes it's a port scanner, but it can bruteforce subdomains too (check nmap scripts)
➢ Google Dorks - Using search engines to list their pre-crawled result (passive)
➢ Dig - For simple DNS requests against the name server. Also good for AXFR checks
➢ Subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains
➢ dnscan - a python wordlist-based DNS subdomain scanner
➢ Recon-Ng - The recon-ng framework has a brute_hosts module for bruteforcing subdomains
➢ Gobuster - Alternative directory and file busting tool written in Go
➢ AltDNS - offers bruteforcing based on permutations of already found domains
➢ Dnsdumpster.com - Not a kali tool but good for DNS enumeration
➢ Website scraping - Using various tools you can scrape a target domain for email addresses
dnsrecon
dnsrecon -t brt,std,axfr -D wordlist.txt -d batserver.co.uk
DNS recon using a subdomain list for bruteforcing, standard checks such as
SOA and NS lookups, and a zone-transfer vulnerability check.
dnsrecon -r 46.235.225.0/24
DNS recon using reverse lookups against an IP address range, in this
instance a /24, looking for associated domain names. This assumes
reverse DNS is set up.
dnsenum
dnsenum batserver.co.uk
dnsenum will provide standard DNS lookups such as
NS, MX, AXFR and BIND versions.
dnsenum -f wordlist.txt batserver.co.uk
DNS recon using a bruteforce attack with a specified subdomain list.
If a wildcard is identified, dnsenum filters the results down to the
unique IP entries to try to bypass the wildcard results.
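The wildcard filtering described above, as an added example that is not dnsenum's own code: random labels that cannot be in any wordlist are resolved first, and any answer they return is treated as the wildcard address set; wordlist hits are then kept only if they add IPs beyond that set. The resolver is injected and the zone (example.test) is constructed so the logic runs offline; in real use the resolver would wrap socket.gethostbyname_ex or dnspython.

```python
# Added example (not dnsenum's code): wildcard-aware subdomain bruteforce.
# The resolver is injected so this runs offline against a constructed zone;
# in real use it would wrap socket.gethostbyname_ex or dnspython.
import secrets
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]  # fqdn -> A-record IPs, empty if no answer


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that cannot be in any wordlist; answers are wildcard IPs."""
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        wildcard_ips |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return wildcard_ips


def brute_subdomains(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Return {fqdn: ips} for names whose answers are not just the wildcard IPs."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word:
            continue
        fqdn = f"{word}.{domain}"
        # Keep only IPs that the wildcard did not already account for.
        unique = resolve(fqdn) - wildcard_ips
        if unique:
            found[fqdn] = unique
    return found


# Constructed zone: *.example.test resolves to 203.0.113.9 (the wildcard);
# vpn is a real host parked on that same IP and will be hidden by the filter.
FAKE_ZONE = {
    "www.example.test": {"203.0.113.10"},
    "mail.example.test": {"203.0.113.20", "203.0.113.21"},
    "vpn.example.test": {"203.0.113.9"},
}


def fake_resolve(name: str) -> Set[str]:
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    return {"203.0.113.9"} if name.endswith(".example.test") else set()


if __name__ == "__main__":
    print("wildcard IPs:", detect_wildcard("example.test", fake_resolve))
    for host, ips in brute_subdomains("example.test", ["www", "mail", "vpn", "dev"], fake_resolve).items():
        print(host, sorted(ips))
```

The vpn host shows the caveat of this filter: a real name that resolves to the same address as the wildcard is indistinguishable from a wildcard hit and is dropped, so when auditing your own zone, compare the output against the authoritative zone file rather than trusting the bruteforce alone.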
theHarvester (DNS)
theharvester -l 500 -b all -d google.com
theHarvester is typically used for email enumeration but
can also be used for passive DNS enumeration taken from
search engines and rDNS recursive checks.
Dig
dig axfr domain.com @ns.domain.com
dig can be used to make zone-transfer requests. A misconfigured,
vulnerable nameserver will list all zone records to unauthorised
hosts.
Apparently some companies swear this is not a security issue. *sigh*
dig @ns.123-reg.co.uk batserver.co.uk MX
dig can also be used for specific requests, such as querying the MX
records for a specific domain from its nameserver.
Fierce
fierce -dns domain.com
Fierce is similar to most other DNS bruting tools; it's more a
matter of preference. It seems to be amongst the top three
commonly used by day-to-day security professionals, and,
most importantly, it is a Kali default tool.
Still trying to work out how they CAN'T see this is a
security problem...
theHarvester (email)
theharvester -l 500 -b all -d domain.com
theHarvester queries search engines to scrape email
addresses. You can define the search engine and the number
of results to return. It is absolutely the first tool to start with
when doing email enumeration.
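The scraping step behind theHarvester and the "Website scraping" item in the tool list, as an added example that is not theHarvester's own code: given page text already fetched, it pulls out addresses belonging to one domain (or its subdomains), including the "[at]"/"[dot]" obfuscation that contact pages use, and normalises them. The page bodies below are constructed; an organisation can run this over its own public site to see which staff addresses are already exposed.

```python
# Added example (not theHarvester's code): pull addresses for one domain out
# of scraped page text, including the "[at]"/"[dot]" obfuscation contact
# pages use. Input below is constructed; a real run would feed fetched HTML.
import re
from typing import Iterable, Set

_AT = r"(?:@|\s*[\[({]\s*at\s*[\])}]\s*)"
_DOT = r"(?:\.|\s*[\[({]\s*dot\s*[\])}]\s*)"


def harvest_emails(pages: Iterable[str], domain: str) -> Set[str]:
    """Return normalised addresses under `domain` or its subdomains."""
    domain_re = _DOT.join(re.escape(label) for label in domain.lower().split("."))
    pattern = re.compile(
        r"([a-z0-9._%+-]+)" + _AT            # local part and the @ (or [at])
        + r"((?:[a-z0-9-]+" + _DOT + r")*"   # optional subdomain labels
        + domain_re + r")"
        + r"(?![a-z0-9-]|\.[a-z])",          # reject longer hosts like example.testing.com
        re.IGNORECASE,
    )
    found: Set[str] = set()
    for text in pages:
        for local, host in pattern.findall(text):
            host = re.sub(_DOT, ".", host, flags=re.IGNORECASE)  # collapse [dot] forms
            found.add(f"{local}@{host}".lower())
    return found


PAGES = [  # constructed scrape results
    '<a href="mailto:Alice.Smith@Example.test">Alice</a>',
    "Press: bob [at] example [dot] test, security (at) soc.example.test.",
    "Partners: eve@other.test, ops@example.testing.com, www.example.test",
]

if __name__ == "__main__":
    for addr in sorted(harvest_emails(PAGES, "example.test")):
        print(addr)
```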
Metadata Reconnaissance
Metadata Enumeration Tools
➢ FOCA - Windows based GUI for scraping, downloading and analysing files for metadata
➢ Metagoofil - Linux based tool for scraping, downloading and analysing files for metadata
➢ Exiftool - Simple tool for extracting metadata, typically from images; good for usernames and GPS
FOCA
site:site.com filetype:pdf
FOCA (Fingerprinting Organizations with Collected
Archives) is a tool used mainly to find metadata and
hidden information in the documents it scans. These
documents may be on web pages and can be
downloaded and analyzed with FOCA.
It is capable of analyzing a wide variety of documents, with
the most common being Microsoft Office, Open Office, or
PDF files, although it also analyzes Adobe InDesign or
SVG files, for instance.
Metagoofil
metagoofil -d domain.com -t pdf -l 100 -n 25 -o folder -f file.html
Metagoofil is an information gathering tool designed for extracting
metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx)
belonging to a target company.
Metagoofil will perform a search in Google to identify and
download the documents to local disk and then will extract the
metadata with different libraries like Hachoir, PdfMiner and others.
With the results it will generate a report with usernames, software
versions and servers or machine names that will help penetration
testers in the information gathering phase.
Exiftool
exiftool file.ext
ExifTool is a customisable set of Perl modules plus a full-featured
application for reading and writing meta information in a wide
variety of files
Exiftool is useful when extracting information such as GPS coordinates
and author names, as well as the save location of the original image
and software information.
This gives us an insight into the architecture of the internal systems
as well as versioning.
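The kind of metadata leak the FOCA, Metagoofil and Exiftool passages above describe, worked through on a PDF, as an added example that is none of those tools' code: it reads the /Info dictionary named in the trailer and groups the entries into users, software and internal paths, the way a Metagoofil-style report does. The PDF bytes are constructed (a Word document converted with Acrobat, whose Title field carries the author's local path); the parser uses only the standard library and handles plain literal-string entries, not object streams or hex strings. Run over documents before they are published, it shows what an outsider would learn from them.

```python
# Added example (not Metagoofil's or FOCA's code): read a PDF's /Info
# dictionary and group what it leaks the way those tools' reports do.
# Standard library only; plain literal strings only. The PDF is constructed.
import re
from typing import Dict, Set

SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj
<< /Title (C:\\Users\\jsmith\\Documents\\Q3 Network Plan.docx)
   /Author (jsmith)
   /Creator (Microsoft\256 Office Word 2010)
   /Producer (Acrobat Distiller 9.0.0 \(Windows\))
   /ModDate (D:20160922101500Z) >>
endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

def _unescape(raw: bytes) -> str:
    """Decode PDF literal-string escapes (backslash-paren, double backslash, octal)."""
    def repl(m):
        esc = m.group(1)
        return bytes([int(esc, 8) & 0xFF]) if esc.isdigit() else esc
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.DOTALL).decode("latin-1")

def pdf_info(data: bytes) -> Dict[str, str]:
    """Return the string entries of the /Info dictionary named in the trailer."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return {}
    obj = re.search(rb"(?<![0-9])" + ref.group(1) + rb"\s+" + ref.group(2)
                    + rb"\s+obj(.*?)endobj", data, re.DOTALL)
    if not obj:
        return {}
    pairs = re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", obj.group(1), re.DOTALL)
    return {key.decode("ascii"): _unescape(value) for key, value in pairs}

_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/home/|/Users/)")
_WIN_USER = re.compile(r"[A-Za-z]:\\Users\\([^\\]+)\\")

def summarise(info: Dict[str, str]) -> Dict[str, Set[str]]:
    """Group entries into users, software and internal paths."""
    report: Dict[str, Set[str]] = {"users": set(), "software": set(), "paths": set()}
    for key, value in info.items():
        if key == "Author":
            report["users"].add(value)
        elif key in ("Creator", "Producer"):
            report["software"].add(value)
        if _PATH.match(value):  # any field may carry a local path; Title often does
            report["paths"].add(value)
            user = _WIN_USER.search(value)
            if user:
                report["users"].add(user.group(1))  # username from C:\Users\<name>\
    return report
```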
Server / Services Reconnaissance
Server Enumeration Tools
➢ NMAP - The most powerful port scanning tool with many additional scripts and functions
➢ WHOIS - For querying databases that store the registered users or assignees of an Internet resource
➢ Host - A simple utility for performing DNS lookups. Normally used to convert names to IPs and vice versa
➢ Application errors - Causing web service applications to error can inadvertently give away system information
➢ Shodan - An online databank of internet connected devices that have been pre-scanned
➢ Netcat - Useful for making TCP and UDP connections to open ports and services
➢ Telnet - A tool for logging into a remote computer and connecting to running services
NMAP
nmap -sV -O domain.com
NMAP is not just a port scanner; it is a feature-rich application
capable of port scans, OS identification, version checks and
running NSE scripts. You could practically do a full penetration test
using only NMAP!
-sV = get versions
-O = Guess operating system
This is one of the most basic scans but clearly shows sufficient
information about the target host.
The more complex your scan the longer it takes but the more
information obtained.
WHOIS
whois domain.com
WHOIS is a query and response protocol that is widely used for
querying databases that store the registered users or assignees of
an Internet resource, such as a domain name, an IP address block,
or an autonomous system, but is also used for a wider range of
other information.
With this information you can identify:
● Registrant address
● Registry dates
● Registrar
● Nameservers
● IP addresses
Application Errors
http://domain.com/index.php?type=%%%%%%
Providing a web server with an invalid request or URL can
sometimes trigger an application error if the webserver is not
configured correctly.
This specific response provides the internal file path disclosure
“Source File” and the software versions.
This allows us to target attacks specifically for this server and use
direct exploits if the software is out of date.
Shodan
shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0
Shodan is typically used as a web-based search engine; it can be used to
filter for specific targets or a wide internet search. It also has a CLI
version, which requires an API key.
Shodan-cli search command lets you search Shodan and view the
results in a terminal-friendly way. By default it will display the IP,
port, hostnames and data. You can use the --fields parameter to
print whichever banner fields you're interested in.
Basically, if it's online, it's been scanned, saved, filed and attacked.
Netcat
nc -v -n <ip> <port>
Netcat allows you to connect to open ports and send TCP or UDP
requests to the service.
If the service is a web server you can provide standard HTTP
requests.
Like application errors, if you make the service give a 400
response (bad request) then you can possibly get system or service
information, such as the web server version.
3rd Party Reconnaissance
Password Leaks
cat adobe_leak.txt | grep "domain.com"
Using password leaks from hacked third parties, it is possible to
identify usernames, emails and often passwords for companies whose
users reuse their company credentials for authentication elsewhere.
Latest Security Breaches 2016
IRS - Feb 29th
Snapchat - March 3rd
Verizon Enterprise Solutions - March 25th
Multiple Major Email Providers - May 5th
Linked-in - May 17th
Oracle - August 12th
Dropbox - September 2nd
Yahoo - September 22nd
Data Dumps
Pastebin, Tinypaste, Hastebin, Chop, Snipt and support forums
An interesting method of reconnaissance is common sites that
allow users to dump data either for personal/private access or as a
temporary sharing method.
It is not uncommon for people or admins to use discussion boards
and support forums to post and receive help with technical issues.
This can lead to stored or even just cached details about their
systems, infrastructure, setup, etc.
Conclusion
Practice good Operational Security!
You might have secured your own system but it's not just
your own that is a target to attackers.
Good recon can take a long time. The more information you
gather, the larger the attack surface and the more intel you
have for precisely executing an attack.
This isn't DB_autopwn, be smart, hack smart.
Reconnaissance - For pentesting and user awareness