TryHackMe - Passive Reconnaissance
Learn about the essential tools for passive reconnaissance, such as whois, nslookup, and dig.
Before the dawn of computer systems and networks, Sun Tzu taught in The Art of War: "If you know the enemy and know yourself, your victory will not stand in doubt." If you are playing the role of an attacker, you need to gather information about your target systems. If you are playing the role of a defender, you need to know what your adversary can discover about your systems and networks.
Reconnaissance (recon) is a preliminary survey to gather information about a target. It is the first step of the Unified Kill Chain towards gaining an initial foothold on a system. Passive reconnaissance relies on publicly available records and never sends traffic directly to the target, so the target has no way to notice it.
- WHOIS is a request/response protocol specified in RFC 3912. A WHOIS server listens on TCP port 43; the client sends the query terminated by CRLF, and the server replies with the record and then closes the connection. The registrar that leases a domain name is responsible for maintaining its WHOIS record, which typically includes the registrar, registration and expiry dates, name servers and registrant contact details (today often redacted for privacy).
Example whois {DOMAIN_NAME}
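The exchange that the whois command performs, written out as an added example (not code from the TryHackMe room): connect to TCP port 43, send the query followed by CRLF, read until the server closes the connection, then pull the useful fields out of the reply. It uses only the Python standard library. So that it runs offline, the server it talks to is an in-process loopback stub serving a constructed record for the made-up domain example.test; pointing whois_query at a real registrar's or registry's WHOIS host is the only change needed for a live lookup.

```python
import socket
import threading

WHOIS_PORT = 43  # RFC 3912: WHOIS servers listen on TCP port 43


def whois_query(server, query, port=WHOIS_PORT, timeout=10):
    """RFC 3912 client: send the query + CRLF, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # end of reply is signalled by the server closing the connection
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (e.g. Name Server) become lists.
    Comment and footer lines (%, #, >>> ... <<<) are dropped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


# Constructed record for the made-up domain example.test (assumption, not live data).
SAMPLE_RECORD = b"""\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2001-05-12T00:00:00Z
Registry Expiry Date: 2031-05-12T00:00:00Z
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
Registrant Name: REDACTED FOR PRIVACY
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""


def start_stub_whois_server(record=SAMPLE_RECORD):
    """Loopback stand-in for a registrar's WHOIS server; returns (host, port).
    It answers exactly one connection with the constructed record above."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    host, port = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        with conn:  # leaving this block closes the connection, which ends the reply
            query = b""
            while not query.endswith(b"\r\n"):  # read the CRLF-terminated query
                chunk = conn.recv(1024)
                if not chunk:
                    break
                query += chunk
            conn.sendall(b"Query: " + query.strip() + b"\n" + record)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return host, port


def lookup(domain, server, port=WHOIS_PORT):
    """Equivalent of `whois {DOMAIN_NAME}` against a given server: parsed fields."""
    return parse_whois(whois_query(server, domain, port=port))


def demo():
    host, port = start_stub_whois_server()
    return lookup("example.test", server=host, port=port)


if __name__ == "__main__":
    for key, values in demo().items():
        print(f"{key}: {', '.join(values)}")
```

The parser keeps every value for a repeated key, which matters for Name Server lines: the name servers are often the most useful part of a record once contact details are redacted, because they point to the DNS hosting provider and to the next step of the survey.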
- nslookup (Name Server Look Up) queries DNS; in its simplest form it returns the IP address of a domain name. Example nslookup {DOMAIN_NAME}. Other record types can be requested with -type=, e.g. nslookup -type=MX {DOMAIN_NAME}.
- dig (Domain Information Groper) is for more advanced DNS queries and additional functionality.
Example dig {DOMAIN_NAME} or dig {DOMAIN_NAME} TYPE, where TYPE is a record type such as A, AAAA, CNAME, MX, TXT or SOA. Prefix @SERVER (dig @SERVER {DOMAIN_NAME} TYPE) to ask a specific name server, for example one of the domain's authoritative servers, instead of the system resolver.
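What nslookup and dig actually put on the wire for the record types listed above, as an added example that is not part of the room: a stdlib-only Python builder for a DNS query message and a parser for the reply, including the RFC 1035 name-compression pointers that real resolvers use and dig-style rendering of A, AAAA, CNAME, NS, MX and TXT data. The reply it parses is constructed inline (assumption: www.example.test is a CNAME to the apex, which has an A record in the 203.0.113.0/24 documentation range), so it runs offline; resolve() sends the same query over UDP/53 to a resolver you name.

```python
import socket
import struct

# Record type numbers from RFC 1035 (and RFC 3596 for AAAA)
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """'example.test' -> b'\\x07example\\x04test\\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Wire-format query: 12-byte header (RD=1, one question) + QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg, offset):
    """Decode a name that may use compression pointers (RFC 1035 section 4.1.4).
    Returns (name, offset just past the name as it appears at the call site)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: pointer to an earlier occurrence
            hops += 1
            if hops > 64:  # guard against a malicious pointer loop
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_rdata(msg, rtype, start, rdlen):
    """Render RDATA roughly the way dig prints it for the types listed on the page."""
    rdata = msg[start:start + rdlen]
    if rtype == 1:       # A: four octets
        return ".".join(str(b) for b in rdata)
    if rtype == 28:      # AAAA: eight 16-bit groups
        return ":".join(f"{(rdata[i] << 8) | rdata[i + 1]:x}" for i in range(0, 16, 2))
    if rtype in (2, 5):  # NS, CNAME: a (possibly compressed) domain name
        return decode_name(msg, start)[0]
    if rtype == 15:      # MX: 16-bit preference followed by the exchange name
        return f"{struct.unpack('!H', rdata[:2])[0]} {decode_name(msg, start + 2)[0]}"
    if rtype == 16:      # TXT: one or more length-prefixed character strings
        strings, i = [], 0
        while i < len(rdata):
            strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
        return "".join(strings)
    return rdata.hex()   # SOA and anything else: raw hex


def parse_response(msg):
    """Return the transaction id, RCODE and answer section of a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl,
                        parse_rdata(msg, rtype, offset, rdlen)))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def resolve(name, qtype, server, timeout=3):
    """Send build_query() over UDP/53 to the resolver at `server` (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def build_sample_response():
    """Constructed reply to 'www.example.test A' (assumption: a CNAME to the apex,
    then the apex A record), using compression pointers like a real resolver."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # QR=1 RD RA NOERROR
    question = build_query("www.example.test", "A")[12:]        # QNAME sits at offset 12
    cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xc0\x10"  # -> 'example.test' at 16
    a_rec = b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    return header + question + cname + a_rec


if __name__ == "__main__":
    for rr in parse_response(build_sample_response())["answers"]:
        print(*rr)
```

Seeing the CNAME answer arrive ahead of the A record is exactly what dig shows for an aliased host, and the pointer-loop guard in decode_name is the kind of check a recon script needs before it is pointed at name servers it does not control.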
- In addition, aggregators and search engines such as DNSDumpster and Shodan.io compile DNS records, subdomains and exposed-service data from their own crawls and scans, so querying them reveals information about a target without sending the target any traffic.