Information Gathering

Tools and Techniques


Recon-ng
• Recon-ng is a full-featured web reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open-source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng Commands
• marketplace info all
• marketplace search hackertarget
• marketplace install recon/domains-hosts/hackertarget
• modules load recon/domains-hosts/hackertarget
• info
• options set SOURCE website
• run
DNS Enumeration
• Dnsenum is a tool for DNS enumeration, which is the process of locating all DNS servers and DNS entries for an organization.
• DNS enumeration allows us to gather critical information about the organization, such as usernames, computer names, IP addresses, and so on.
• Commands
• dnsenum --enum domain.com
DNS Reconnaissance
• DNS reconnaissance is part of the information gathering stage of a penetration test engagement.
• When performing DNS reconnaissance, a penetration tester tries to obtain as much information as possible about the DNS servers and their records.
• The information gathered can disclose the company's network infrastructure without alerting the IDS/IPS.
• This is because most organizations do not monitor their DNS server traffic, and those that do only monitor zone transfer attempts.
• The types of enumeration that dnsrecon performs include the following:
• Zone Transfer
• Reverse Lookup
• Domain and Host Brute-Force
• Standard Record Enumeration (wildcard, SOA, MX, A, TXT, etc.)
• Cache Snooping
• Zone Walking
• Google Lookup
• Commands
• dnsrecon -d domain.com
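The bullets above note that most organizations monitor DNS server traffic poorly, and those that do watch only zone transfer attempts. As an added defender-side example (not from the original slides), the following Python script parses constructed BIND-style query-log lines and flags both zone-transfer (AXFR/IXFR) requests and sources that query many distinct names under one zone, the pattern left by domain and host brute-forcing; the log format, IP addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in BIND-style query-log format (not captured traffic): 203.0.113.5
# attempts a zone transfer and then walks candidate hostnames; 198.51.100.7 is an ordinary client.
SAMPLE_LOG = """\
client 203.0.113.5#41000 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.10)
client 203.0.113.5#41001 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.10)
client 198.51.100.7#53201 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.10)
client 203.0.113.5#41002 (dev.example.com): query: dev.example.com IN A -E(0) (192.0.2.10)
client 203.0.113.5#41003 (mail.example.com): query: mail.example.com IN A -E(0) (192.0.2.10)
client 203.0.113.5#41004 (vpn.example.com): query: vpn.example.com IN A -E(0) (192.0.2.10)
client 203.0.113.5#41005 (test.example.com): query: test.example.com IN A -E(0) (192.0.2.10)
client 203.0.113.5#41006 (ftp.example.com): query: ftp.example.com IN A -E(0) (192.0.2.10)
client 198.51.100.7#53202 (example.com): query: example.com IN MX -E(0) (192.0.2.10)
"""

LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse(log_text):
    """Yield (source_ip, qname, qtype) for every parseable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["qname"].rstrip(".").lower(), m["qtype"].upper()

def zone_of(qname):
    """Approximate the zone as the last two labels (no public-suffix handling)."""
    return ".".join(qname.split(".")[-2:])

def analyze(log_text, brute_threshold=5):
    """Return zone-transfer attempts and sources querying many distinct names in one zone."""
    transfers = []
    names_seen = defaultdict(set)  # (src, zone) -> distinct names queried
    for src, qname, qtype in parse(log_text):
        if qtype in ("AXFR", "IXFR"):
            transfers.append((src, qname, qtype))
        else:
            names_seen[(src, zone_of(qname))].add(qname)
    brute = sorted((src, zone, len(names))
                   for (src, zone), names in names_seen.items()
                   if len(names) >= brute_threshold)
    return {"zone_transfers": transfers, "brute_force": brute}

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

In production the distinct-name count should be computed per time window, and the threshold tuned so that legitimate resolvers with many users are not flagged.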
LBD (Load Balancing Detector)
• lbd (load balancing detector) detects whether a given domain uses DNS and/or HTTP load balancing (via the Server: and Date: headers and differences between server answers).
• Command
• lbd domain.com
WAFW00F
• Web application firewalls are firewalls that work on the application layer and monitor and modify HTTP requests. The key difference from a network firewall is that WAFs work on Layer 7, the Application Layer of the OSI model.
• A WAF will typically be present in front of a web application where Strict Transport Security is enabled, such as a banking or e-commerce website. While conducting a pentest, detecting the WAF comes under recon and mapping the web application architecture.
Commands
• wafw00f -l (list the WAFs that wafw00f can detect)
• wafw00f domain.com
• wafw00f -a domain.com (aggressively test for firewalls)
• wafw00f domain.com -a -v (aggressive + verbosity)
Masscan
• Masscan has been around for some time now and is already in use by pentesters all around. It is a reconnaissance tool that can transmit up to 10 million packets per second. It uses asynchronous transmission and a custom TCP/IP stack, so different threads are used for transmission and reception of packets.
• Masscan can be used to enumerate a large number of hosts very quickly. In fact, the author of the tool claims it can scan the whole internet within 6 minutes. It can also be used for stress testing due to its high transmission rate.
Commands
• masscan --regress (tests whether the installation is working properly)
• masscan ipaddress/bits -p<port>
• masscan ipaddress/bits -p80,43
Thank you