Passive Information Gathering

I prepared this presentation for the 757 White Hat Hackers meeting on 10/26, where I presented on Passive Information Gathering. Passive Information Gathering is simply reconnaissance using methods that don’t touch the target or leave any traces of your presence.

Topics:

  • Whois
  • Dig
  • Recon-ng
  • Theharvester
  • Network-tools.com
  • Netcraft Toolbar
  • SiteDigger
  • Shodan
  • Maltego

Whois

Whois is usually installed on Linux systems and returns the following domain information:

Registrar: The company/organization that registered the domain on behalf of the domain’s owner.
Name Servers: The servers that control the domain’s DNS.
Creation Date: The date the domain was originally registered.
Expiration Date: When the domain will expire.
Contacts: Publicly accessible information, required by registrars

Usage: “whois <domainName>”

root@DESKTOP-7ETQJM7:~# whois nasa.gov
% DOTGOV WHOIS Server ready
 Domain Name: NASA.GOV
 Status: ACTIVE

>>> Last update of whois database: 2016-10-28T17:55:42Z <<<
Please be advised that this whois server only contains information pertaining
to the .GOV domain. For information for other domains please use the whois
server at RS.INTERNIC.NET.
root@DESKTOP-7ETQJM7:~# whois yahoo.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Server Name: YAHOO.COM.ACCUTAXSERVICES.COM
 IP Address: 98.136.43.32
 IP Address: 66.196.84.168
 Registrar: WILD WEST DOMAINS, LLC
 Whois Server: whois.wildwestdomains.com
 Referral URL: http://www.wildwestdomains.com


 Server Name: YAHOO.COM.ANGRYPIRATES.COM
 IP Address: 8.8.8.8
 Registrar: NAME.COM, INC.
 Whois Server: whois.name.com
 Referral URL: http://www.name.com


 Server Name: YAHOO.COM.AU
 Registrar: WILD WEST DOMAINS, LLC
 Whois Server: whois.wildwestdomains.com
 Referral URL: http://www.wildwestdomains.com


 Server Name: YAHOO.COM.BGPETERSON.COM
 IP Address: 66.218.71.205
 Registrar: TUCOWS DOMAINS INC.
 Whois Server: whois.tucows.com
 Referral URL: http://www.tucowsdomains.com


 Server Name: YAHOO.COM.BIGROCK.IN
 Registrar: BIGROCK SOLUTIONS LIMITED
 Whois Server: Whois.bigrock.com
 Referral URL: http://www.bigrock.com


 Server Name: YAHOO.COM.BR
 Registrar: ENOM, INC.
 Whois Server: whois.enom.com
 Referral URL: http://www.enom.com


 Server Name: YAHOO.COM.CN
 Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
 Whois Server: whois.dns.com.cn
 Referral URL: http://www.dns.com.cn


 Server Name: YAHOO.COM.DALLARIVA.COM
 IP Address: 66.218.71.205
 Registrar: DOMAIN.COM, LLC
 Whois Server: whois.domain.com
 Referral URL: http://www.domain.com


 Server Name: YAHOO.COM.ELPOV.COM
 IP Address: 66.21.71.205
 Registrar: TIERRANET INC. D/B/A DOMAINDISCOVER
 Whois Server: whois.domaindiscover.com
 Referral URL: http://www.domaindiscover.com


 Server Name: YAHOO.COM.HACKED.BY.JAPTRON.ES
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://www.godaddy.com


 Server Name: YAHOO.COM.HK
 Registrar: ENOM, INC.
 Whois Server: whois.enom.com
 Referral URL: http://www.enom.com


 Server Name: YAHOO.COM.IS.N0T.AS.1337.AS.SEARCH.GULLI.COM
 IP Address: 80.190.192.24
 Registrar: COREHUB, S.R.L.
 Whois Server: whois.corehub.net
 Referral URL: http://corehub.net


 Server Name: YAHOO.COM.JTNELECTRIC.COM
 IP Address: 66.218.71.205
 IP Address: 216.109.116.20
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://www.godaddy.com


 Server Name: YAHOO.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
 IP Address: 203.36.226.2
 Registrar: INSTRA CORPORATION PTY, LTD.
 Whois Server: whois.instra.net
 Referral URL: http://www.instra.com


 Server Name: YAHOO.COM.MX
 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 Whois Server: whois.PublicDomainRegistry.com
 Referral URL: http://www.publicdomainregistry.com


 Server Name: YAHOO.COM.MY
 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 Whois Server: whois.PublicDomainRegistry.com
 Referral URL: http://www.publicdomainregistry.com


 Server Name: YAHOO.COM.SG
 Registrar: DOTSTER, INC.
 Whois Server: whois.dotster.com
 Referral URL: http://www.dotster.com


 Server Name: YAHOO.COM.TW
 Registrar: GODADDY.COM, LLC
 Whois Server: whois.godaddy.com
 Referral URL: http://www.godaddy.com


 Server Name: YAHOO.COM.TWIXTEARS.COM
 IP Address: 66.218.71.205
 Registrar: DOMAIN.COM, LLC
 Whois Server: whois.domain.com
 Referral URL: http://www.domain.com


 Server Name: YAHOO.COM.VIRGINCHASSIS.COM
 IP Address: 66.218.71.205
 Registrar: DOMAIN.COM, LLC
 Whois Server: whois.domain.com
 Referral URL: http://www.domain.com


 Server Name: YAHOO.COM.VN
 Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
 Whois Server: whois.melbourneit.com
 Referral URL: http://www.melbourneit.com.au


 Server Name: YAHOO.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
 IP Address: 69.41.185.196
 Registrar: TUCOWS DOMAINS INC.
 Whois Server: whois.tucows.com
 Referral URL: http://www.tucowsdomains.com


 Server Name: YAHOO.COM.ZZZZZZ.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
 IP Address: 203.36.226.2
 Registrar: INSTRA CORPORATION PTY, LTD.
 Whois Server: whois.instra.net
 Referral URL: http://www.instra.com


 Server Name: YAHOO.COM.ZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
 IP Address: 209.126.190.70
 Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 Whois Server: whois.PublicDomainRegistry.com
 Referral URL: http://www.publicdomainregistry.com


 Domain Name: YAHOO.COM
 Registrar: MARKMONITOR INC.
 Sponsoring Registrar IANA ID: 292
 Whois Server: whois.markmonitor.com
 Referral URL: http://www.markmonitor.com
 Name Server: NS1.YAHOO.COM
 Name Server: NS2.YAHOO.COM
 Name Server: NS3.YAHOO.COM
 Name Server: NS4.YAHOO.COM
 Name Server: NS5.YAHOO.COM
 Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
 Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
 Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
 Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
 Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
 Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
 Updated Date: 26-aug-2015
 Creation Date: 18-jan-1995
 Expiration Date: 19-jan-2023

>>> Last update of whois database: Fri, 28 Oct 2016 17:56:10 GMT <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: yahoo.com
Registry Domain ID: 3643624_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-08-26T15:30:44-0700
Creation Date: 1995-01-18T00:00:00-0800
Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Yahoo! Inc.
Registrant Street: 701 First Avenue
Registrant City: Sunnyvale
Registrant State/Province: CA
Registrant Postal Code: 94089
Registrant Country: US
Registrant Phone: +1.4083493300
Registrant Phone Ext:
Registrant Fax: +1.4083493301
Registrant Fax Ext:
Registrant Email: domainadmin@yahoo-inc.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Yahoo! Inc.
Admin Street: 701 First Avenue
Admin City: Sunnyvale
Admin State/Province: CA
Admin Postal Code: 94089
Admin Country: US
Admin Phone: +1.4083493300
Admin Phone Ext:
Admin Fax: +1.4083493301
Admin Fax Ext:
Admin Email: domainadmin@yahoo-inc.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Yahoo! Inc.
Tech Street: 701 First Avenue
Tech City: Sunnyvale
Tech State/Province: CA
Tech Postal Code: 94089
Tech Country: US
Tech Phone: +1.4083493300
Tech Phone Ext:
Tech Fax: +1.4083493301
Tech Fax Ext:
Tech Email: domainadmin@yahoo-inc.com
Name Server: ns4.yahoo.com
Name Server: ns2.yahoo.com
Name Server: ns1.yahoo.com
Name Server: ns5.yahoo.com
Name Server: ns3.yahoo.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-10-28T10:52:20-0700 <<<

The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for
information purposes, and to assist persons in obtaining information about or
related to a domain name registration record. MarkMonitor.com does not guarantee
its accuracy. By submitting a WHOIS query, you agree that you will use this Data
only for lawful purposes and that, under no circumstances will you use this Data to:
 (1) allow, enable, or otherwise support the transmission of mass unsolicited,
 commercial advertising or solicitations via e-mail (spam); or
 (2) enable high volume, automated, electronic processes that apply to
 MarkMonitor.com (or its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at http://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220

For more information on Whois status codes, please visit
 https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
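The fields listed at the top of this section (registrar, name servers, creation and expiration dates, contacts) are what a defender normally wants out of a whois record, together with whether the registrar locks are set. The script below is an added example, not part of the original post and not the whois tool's own code: it pulls those fields out of a registrar record, parses both date formats that appear in the output above, and reports an expiration closer than a chosen threshold or a missing lock. The sample record is a trimmed copy of the MarkMonitor output shown above, embedded so the script runs offline; the function names are my own.

```python
"""Extract the defender-relevant fields from a whois record and flag an
upcoming expiration or a missing registrar lock.  Added example; the record
below is a trimmed copy of the yahoo.com output shown on this page."""
from datetime import datetime, timezone

# Constructed sample: trimmed copy of the registrar (MarkMonitor) record above.
SAMPLE_WHOIS = """\
Domain Name: yahoo.com
Registrar WHOIS Server: whois.markmonitor.com
Updated Date: 2015-08-26T15:30:44-0700
Creation Date: 1995-01-18T00:00:00-0800
Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800
Registrar: MarkMonitor, Inc.
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registrant Organization: Yahoo! Inc.
Name Server: ns4.yahoo.com
Name Server: ns2.yahoo.com
Name Server: ns1.yahoo.com
DNSSEC: unsigned
"""

# Labels vary between registries and registrars, so each logical field lists
# the spellings seen in the two records on this page.
FIELD_LABELS = {
    "registrar": ("Registrar",),
    "creation_date": ("Creation Date",),
    "expiration_date": ("Registrar Registration Expiration Date", "Expiration Date"),
    "registrant_org": ("Registrant Organization",),
}

# Date styles seen above: registrar ISO-8601 with offset, and the registry's 19-jan-2023.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y")

# The three client-side locks a domain owner should normally have set.
REGISTRAR_LOCKS = ("clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited")


def parse_whois(text):
    """Return registrar, dates, registrant org, name servers, status codes and DNSSEC."""
    record = {"name_servers": [], "status": [], "dnssec": None}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")      # split at the first colon only
        label, value = label.strip(), value.strip()
        if not value:
            continue
        if label == "Name Server":
            record["name_servers"].append(value.lower())
        elif label == "Domain Status":
            record["status"].append(value.split()[0])   # drop the ICANN URL
        elif label == "DNSSEC":
            record["dnssec"] = value
        else:
            for key, labels in FIELD_LABELS.items():
                if label in labels and key not in record:
                    record[key] = value
    return record


def parse_date(value):
    """Parse either date style; naive values are treated as UTC."""
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    raise ValueError("unrecognised whois date: %r" % value)


def days_until_expiry(record, now=None):
    """Whole days from `now` (datetime, date string, or None for the current time)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif not isinstance(now, datetime):
        now = parse_date(now)
    return (parse_date(record["expiration_date"]) - now).days


def expiry_warning(record, now=None, threshold_days=60):
    """Days left if the name expires within the threshold, otherwise None."""
    days = days_until_expiry(record, now)
    return days if days <= threshold_days else None


def missing_locks(record):
    """Registrar locks that are not present in the status codes."""
    return [lock for lock in REGISTRAR_LOCKS if lock not in record["status"]]


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("registrar:", rec["registrar"], "| name servers:", rec["name_servers"])
    print("days to expiry:", days_until_expiry(rec), "| missing locks:", missing_locks(rec))
```

The long run of Server Name entries in the yahoo.com output above comes from the Verisign registry's thin whois, which matches registered name-server host objects as well as the domain itself; querying the registry with the keyword form `whois -h whois.verisign-grs.com "domain yahoo.com"` restricts the match to the domain record, which is the part this parser expects.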

Dig

Domain Information Groper

Options:

root@DESKTOP-7ETQJM7:~# dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
 {global-d-opt} host [@local-server] {local-d-opt}
 [ host [@local-server] {local-d-opt} [...]]
Where: domain is in the Domain Name System
 q-class is one of (in,hs,ch,...) [default: in]
 q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
 (Use ixfr=version for type ixfr)
 q-opt is one of:
 -x dot-notation (shortcut for reverse lookups)
 -i (use IP6.INT for IPv6 reverse lookups)
 -f filename (batch mode)
 -b address[#port] (bind to source address/port)
 -p port (specify port number)
 -q name (specify query name)
 -t type (specify query type)
 -c class (specify query class)
 -k keyfile (specify tsig key file)
 -y [hmac:]name:key (specify named base64 tsig key)
 -4 (use IPv4 query transport only)
 -6 (use IPv6 query transport only)
 -m (enable memory usage debugging)
 d-opt is of the form +keyword[=value], where keyword is:
 +[no]vc (TCP mode)
 +[no]tcp (TCP mode, alternate syntax)
 +time=### (Set query timeout) [5]
 +tries=### (Set number of UDP attempts) [3]
 +retry=### (Set number of UDP retries) [2]
 +domain=### (Set default domainname)
 +bufsize=### (Set EDNS0 Max UDP packet size)
 +ndots=### (Set NDOTS value)
 +[no]edns[=###] (Set EDNS version) [0]
 +[no]search (Set whether to use searchlist)
 +[no]showsearch (Search with intermediate results)
 +[no]defname (Ditto)
 +[no]recurse (Recursive mode)
 +[no]ignore (Don't revert to TCP for TC responses.)
 +[no]fail (Don't try next server on SERVFAIL)
 +[no]besteffort (Try to parse even illegal messages)
 +[no]aaonly (Set AA flag in query (+[no]aaflag))
 +[no]adflag (Set AD flag in query)
 +[no]cdflag (Set CD flag in query)
 +[no]cl (Control display of class in records)
 +[no]cmd (Control display of command line)
 +[no]comments (Control display of comment lines)
 +[no]rrcomments (Control display of per-record comments)
 +[no]question (Control display of question)
 +[no]answer (Control display of answer)
 +[no]authority (Control display of authority)
 +[no]additional (Control display of additional)
 +[no]stats (Control display of statistics)
 +[no]short (Disable everything except short
 form of answer)
 +[no]ttlid (Control display of ttls in records)
 +[no]all (Set or clear all display flags)
 +[no]qr (Print question before sending)
 +[no]nssearch (Search all authoritative nameservers)
 +[no]identify (ID responders in short answers)
 +[no]trace (Trace delegation down from root [+dnssec])
 +[no]dnssec (Request DNSSEC records)
 +[no]nsid (Request Name Server ID)
 +[no]sigchase (Chase DNSSEC signatures)
 +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)
 +[no]topdown (Do DNSSEC validation top down mode)
 +[no]split=## (Split hex/base64 fields into chunks)
 +[no]multiline (Print records in an expanded format)
 +[no]onesoa (AXFR prints only one soa record)
 +[no]keepopen (Keep the TCP socket open between queries)
 global d-opts and servers (before host name) affect all queries.
 local d-opts and servers (after host name) affect only that lookup.
 -h (print help and exit)
 -v (print version and exit)

My favorite dig option is axfr, for a zone transfer. Zone transfers are a DNS transaction used to replicate records between DNS servers. It’s rare to find a DNS server these days that allows a zone transfer, but it’s something you should check. If you succeed in performing a zone transfer, you will have all DNS records for a domain.

Example: dig axfr @dns-server domain.name
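Since a zone transfer is something to check on your own name servers, here is an added example (my code, not part of the original post) that classifies the output of the dig command above: whether the server allowed the transfer, how many records came back, and which names and record types a permitted transfer exposed, which is exactly the inventory a defender needs when deciding what to lock down. The two dig outputs are constructed with a made-up example.org zone, not captured from any real server; `check_zone_transfer` shells out to dig and assumes it is installed.

```python
"""Classify `dig axfr <domain> @<server>` output and summarise what a permitted
transfer exposed.  Added example; both outputs below are constructed."""
import subprocess
from collections import Counter

# Constructed: what dig prints when the server refuses the transfer.
REFUSED_OUTPUT = """\
; <<>> DiG 9.10.3 <<>> axfr example.org @ns1.example.org
;; global options: +cmd
; Transfer failed.
"""

# Constructed: a permitted transfer of a made-up zone (SOA opens and closes it).
ALLOWED_OUTPUT = """\
; <<>> DiG 9.10.3 <<>> axfr example.org @ns1.example.org
;; global options: +cmd
example.org.\t\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 2016102801 7200 900 1209600 3600
example.org.\t\t3600\tIN\tNS\tns1.example.org.
example.org.\t\t3600\tIN\tMX\t10 mail.example.org.
www.example.org.\t3600\tIN\tA\t192.0.2.10
mail.example.org.\t3600\tIN\tA\t192.0.2.25
vpn.example.org.\t3600\tIN\tA\t192.0.2.30
example.org.\t\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 2016102801 7200 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Fri Oct 28 12:00:00 EDT 2016
;; XFR size: 7 records (messages 1, bytes 210)
"""


def parse_axfr(output):
    """Return {"allowed", "records", "names"} for one dig axfr run.

    Resource records are (owner, type, rdata) tuples; dig prints them as
    owner / TTL / class / type / rdata, with everything else prefixed by ';'.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # banner, "Transfer failed.", statistics
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.append((owner.rstrip("."), rtype, rdata))
    allowed = bool(records) and "Transfer failed." not in output
    names = sorted({owner for owner, _, _ in records})
    return {"allowed": allowed, "records": records, "names": names}


def record_types(result):
    """Count of records per type, e.g. how many A records the zone leaked."""
    return dict(Counter(rtype for _, rtype, _ in result["records"]))


def check_zone_transfer(domain, server):
    """Run dig against one name server and parse the result (requires dig on PATH)."""
    proc = subprocess.run(
        ["dig", "axfr", domain, "@" + server, "+time=5", "+tries=1"],
        capture_output=True, text=True, check=False)
    return parse_axfr(proc.stdout)


if __name__ == "__main__":
    for label, text in (("refused", REFUSED_OUTPUT), ("allowed", ALLOWED_OUTPUT)):
        summary = parse_axfr(text)
        print(label, "-> allowed:", summary["allowed"],
              "| records:", len(summary["records"]), "| names:", summary["names"],
              "| types:", record_types(summary))
```

To audit your own domain, run `check_zone_transfer` once per name server returned by `dig ns domain.name +short`; any server that comes back `allowed: True` should have its allow-transfer list restricted to the secondaries that actually replicate the zone.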

Recon-ng

https://bitbucket.org/LaNMaSteR53/recon-ng

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.
Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.

If you know how to use Metasploit, you should feel right at home using recon-ng. You can even automate recon-ng using resource files like you can with Metasploit.

Some of the modules are passive and never touch the target network, while others directly probe, and can even attack, the system you are targeting.

To install recon-ng in Kali, enter the command:

apt-get update && apt-get install recon-ng

At each level in recon-ng you can get help by typing the help and show commands.

[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database
back Exits the current context
delete Deletes records from the database
exit Exits the framework
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces

[recon-ng][default] > show
Shows various framework items

Usage: show [banner|companies|contacts|credentials|dashboard|domains|hosts|keys|leaks|locations|modules|netblocks|options|ports|profiles|pushpins|repositories|schema|vulnerabilities|workspaces]

Recon-ng uses the concept of workspaces to organize targets. To add a workspace, use “workspaces add <workspaceName>”. The prompt will change from “default” to display the current workspace.

[recon-ng][default] > workspaces add demo

In the new workspace, add a company and domain:

[recon-ng][demo] > add companies
company (TEXT): SANS
description (TEXT): SANS
[recon-ng][demo] > add domains
domain (TEXT): sans.org

Full list of modules:

[recon-ng][default] > show modules

 Discovery
 ---------
 discovery/info_disclosure/cache_snoop
 discovery/info_disclosure/interesting_files

 Exploitation
 ------------
 exploitation/injection/command_injector
 exploitation/injection/xpath_bruter

 Import
 ------
 import/csv_file
 import/list

 Recon
 -----
 recon/companies-contacts/bing_linkedin_cache
 recon/companies-contacts/indeed
 recon/companies-contacts/jigsaw/point_usage
 recon/companies-contacts/jigsaw/purchase_contact
 recon/companies-contacts/jigsaw/search_contacts
 recon/companies-contacts/linkedin_auth
 recon/companies-multi/github_miner
 recon/companies-multi/whois_miner
 recon/contacts-contacts/mailtester
 recon/contacts-contacts/mangle
 recon/contacts-contacts/unmangle
 recon/contacts-credentials/hibp_breach
 recon/contacts-credentials/hibp_paste
 recon/contacts-domains/migrate_contacts
 recon/contacts-profiles/fullcontact
 recon/credentials-credentials/adobe
 recon/credentials-credentials/bozocrack
 recon/credentials-credentials/hashes_org
 recon/domains-contacts/metacrawler
 recon/domains-contacts/pgp_search
 recon/domains-contacts/whois_pocs
 recon/domains-credentials/pwnedlist/account_creds
 recon/domains-credentials/pwnedlist/api_usage
 recon/domains-credentials/pwnedlist/domain_creds
 recon/domains-credentials/pwnedlist/domain_ispwned
 recon/domains-credentials/pwnedlist/leak_lookup
 recon/domains-credentials/pwnedlist/leaks_dump
 recon/domains-domains/brute_suffix
 recon/domains-hosts/bing_domain_api
 recon/domains-hosts/bing_domain_web
 recon/domains-hosts/brute_hosts
 recon/domains-hosts/builtwith
 recon/domains-hosts/certificate_transparency
 recon/domains-hosts/google_site_api
 recon/domains-hosts/google_site_web
 recon/domains-hosts/hackertarget
 recon/domains-hosts/netcraft
 recon/domains-hosts/shodan_hostname
 recon/domains-hosts/ssl_san
 recon/domains-hosts/threatcrowd
 recon/domains-hosts/vpnhunter
 recon/domains-vulnerabilities/ghdb
 recon/domains-vulnerabilities/punkspider
 recon/domains-vulnerabilities/xssed
 recon/domains-vulnerabilities/xssposed
 recon/hosts-domains/migrate_hosts
 recon/hosts-hosts/bing_ip
 recon/hosts-hosts/freegeoip
 recon/hosts-hosts/ipinfodb
 recon/hosts-hosts/resolve
 recon/hosts-hosts/reverse_resolve
 recon/hosts-hosts/ssltools
 recon/hosts-locations/migrate_hosts
 recon/hosts-ports/shodan_ip
 recon/locations-locations/geocode
 recon/locations-locations/reverse_geocode
 recon/locations-pushpins/flickr
 recon/locations-pushpins/instagram
 recon/locations-pushpins/picasa
 recon/locations-pushpins/shodan
 recon/locations-pushpins/twitter
 recon/locations-pushpins/youtube
 recon/netblocks-companies/whois_orgs
 recon/netblocks-hosts/reverse_resolve
 recon/netblocks-hosts/shodan_net
 recon/netblocks-ports/census_2012
 recon/netblocks-ports/censysio
 recon/ports-hosts/migrate_ports
 recon/profiles-contacts/dev_diver
 recon/profiles-contacts/github_users
 recon/profiles-profiles/namechk
 recon/profiles-profiles/profiler
 recon/profiles-profiles/twitter_mentioned
 recon/profiles-profiles/twitter_mentions
 recon/profiles-repositories/github_repos
 recon/repositories-profiles/github_commits
 recon/repositories-vulnerabilities/gists_search
 recon/repositories-vulnerabilities/github_dorks

 Reporting
 ---------
 reporting/csv
 reporting/html
 reporting/json
 reporting/list
 reporting/pushpin
 reporting/xlsx
 reporting/xml

Striker Security has published an excellent guide to recon-ng modules. Get it here: https://strikersecurity.com/pdfs/recon-ng-guide.pdf

Instead of viewing the full list of modules, you can search for them.

[recon-ng][demo] > search domains
[*] Searching for 'domains'...

 Recon
 -----
 recon/contacts-domains/migrate_contacts
 recon/domains-contacts/metacrawler
 recon/domains-contacts/pgp_search
 recon/domains-contacts/whois_pocs
 recon/domains-credentials/pwnedlist/account_creds
 recon/domains-credentials/pwnedlist/api_usage
 recon/domains-credentials/pwnedlist/domain_creds
 recon/domains-credentials/pwnedlist/domain_ispwned
 recon/domains-credentials/pwnedlist/leak_lookup
 recon/domains-credentials/pwnedlist/leaks_dump
 recon/domains-domains/brute_suffix
 recon/domains-hosts/bing_domain_api
 recon/domains-hosts/bing_domain_web
 recon/domains-hosts/brute_hosts
 recon/domains-hosts/builtwith
 recon/domains-hosts/certificate_transparency
 recon/domains-hosts/google_site_api
 recon/domains-hosts/google_site_web
 recon/domains-hosts/hackertarget
 recon/domains-hosts/netcraft
 recon/domains-hosts/shodan_hostname
 recon/domains-hosts/ssl_san
 recon/domains-hosts/threatcrowd
 recon/domains-hosts/vpnhunter
 recon/domains-vulnerabilities/ghdb
 recon/domains-vulnerabilities/punkspider
 recon/domains-vulnerabilities/xssed
 recon/domains-vulnerabilities/xssposed
 recon/hosts-domains/migrate_hosts

To use a module, enter “use <full path to module>”. Recon-ng offers tab completion, so you can type a partial path and hit the tab key to complete each section of the path between slashes. Once you’ve entered a module, use “show info” to find module info and required parameters.

[recon-ng][demo][shodan_hostname] > use recon/domains-hosts/bing_domain_web
[recon-ng][demo][bing_domain_web] > show info

 Name: Bing Hostname Enumerator
 Path: modules/recon/domains-hosts/bing_domain_web.py
 Author: Tim Tomes (@LaNMaSteR53)

Description:
 Harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts' table with the
 results.

Options:
 Name Current Value Required Description
 ------ ------------- -------- -----------
 SOURCE default yes source of input (see 'show info' for details)

Source Options:
 default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
 <string> string representing a single input
 <path> path to a file containing a list of inputs
 query <sql> database query returning one column of inputs

[recon-ng][demo][bing_domain_web] >

To start the module, enter “run”.

[recon-ng][demo][bing_domain_web] > run

--------
SANS.ORG
--------
[*] URL: https://www.bing.com/search?first=0&q=domain%3Asans.org
[*] [host] files.sans.org (<blank>)
[*] [host] labs.sans.org (<blank>)
[*] [host] www.sans.org (<blank>)
[*] [host] cyber-defense.sans.org (<blank>)
[*] [host] redmine.sans.org (<blank>)
[*] [host] securingthehuman.sans.org (<blank>)
[*] [host] software-security.sans.org (<blank>)
[*] [host] lists.sans.org (<blank>)
[*] [host] access.sans.org (<blank>)
[*] [host] digital-forensics.sans.org (<blank>)
[*] [host] sic.sans.org (<blank>)
[*] [host] uk.sans.org (<blank>)
[*] [host] ics.sans.org (<blank>)
[*] [host] pen-testing.sans.org (<blank>)
[*] [host] qms.sans.org (<blank>)
[*] [host] handlers.sans.org (<blank>)
[*] Sleeping to avoid lockout...

Now let’s check out any new hosts added to the database.

[recon-ng][demo][bing_domain_web] > show hosts

 +---------------------------------------------------------------------------------------------------------------+
 | rowid | host | ip_address | region | country | latitude | longitude | module |
 +---------------------------------------------------------------------------------------------------------------+
 | 1 | files.sans.org | | | | | | bing_domain_web |
 | 2 | labs.sans.org | | | | | | bing_domain_web |
 | 3 | www.sans.org | | | | | | bing_domain_web |
 | 4 | cyber-defense.sans.org | | | | | | bing_domain_web |
 | 5 | redmine.sans.org | | | | | | bing_domain_web |
 | 6 | securingthehuman.sans.org | | | | | | bing_domain_web |
 | 7 | software-security.sans.org | | | | | | bing_domain_web |
 | 8 | lists.sans.org | | | | | | bing_domain_web |

(cropped for brevity)

Let’s try a different module, then take another look at the hosts.

[recon-ng][demo][bing_domain_web] > search shodan
[*] Searching for 'shodan'...

 Recon
 -----
 recon/domains-hosts/shodan_hostname
 recon/hosts-ports/shodan_ip
 recon/locations-pushpins/shodan
 recon/netblocks-hosts/shodan_net

[recon-ng][demo][bing_domain_web] > use recon/domains-hosts/shodan_hostname
[recon-ng][demo][shodan_hostname] > run

--------
SANS.ORG
--------
[*] Searching Shodan API for: hostname:sans.org
[*] [port] 204.51.94.14 (25/<blank>) - smtp31b.sans.org
[*] [host] smtp31b.sans.org (204.51.94.14)
[*] [port] 66.35.59.19 (80/<blank>) - web23a.den.sans.org
[*] [host] web23a.den.sans.org (66.35.59.19)
[*] [port] 66.35.59.8 (53/<blank>) - dns21b.sans.org
[*] [host] dns21b.sans.org (66.35.59.8)
(cropped for brevity)

[recon-ng][demo][shodan_hostname] > show hosts

 +--------------------------------------------------------------------------------------------------------------------+
 | rowid | host | ip_address | region | country | latitude | longitude | module |
 +--------------------------------------------------------------------------------------------------------------------+
 | 1 | files.sans.org | | | | | | bing_domain_web |
 | 2 | labs.sans.org | | | | | | bing_domain_web |
 | 3 | www.sans.org | | | | | | bing_domain_web |
 | 4 | cyber-defense.sans.org | | | | | | bing_domain_web |
(cropped for brevity)
 | 42 | smtp31b.sans.org | 204.51.94.14 | | | | | shodan_hostname |
 | 43 | web23a.den.sans.org | 66.35.59.19 | | | | | shodan_hostname |
 | 44 | dns21b.sans.org | 66.35.59.8 | | | | | shodan_hostname |
 | 45 | admin.sans.org | 204.51.94.215 | | | | | shodan_hostname |
 | 46 | 204-51-94-246.clp.sans.org | 204.51.94.246 | | | | | shodan_hostname |
 | 47 | labs.sans.org | 204.51.94.233 | | | | | shodan_hostname |

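The hosts table above is an ordinary SQLite table that every module writes into, and recon-ng’s `query` command runs SQL against it. As an added example (my code, not part of the original post or of recon-ng), the script below rebuilds that table’s columns in an in-memory database, loads rows constructed from the two module runs above, and runs the comparison queries a practitioner wants after a second source has been added: which hosts still lack an address (candidates for the resolve module), which hosts were reported by only one module and deserve corroboration, and which /24 networks the resolved addresses fall into. The workspace database path `~/.recon-ng/workspaces/<name>/data.db` in `open_workspace_db` is my assumption about recon-ng’s layout, not something the post states.

```python
"""Query a recon-ng style hosts table.  Added example; the rows are constructed
from the two `show hosts` listings on this page."""
import ipaddress
import os
import sqlite3

# Columns as printed by `show hosts`; rowid is implicit in SQLite.
HOSTS_SCHEMA = """
CREATE TABLE hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, module TEXT
)"""

# Constructed rows: (host, ip_address, module) from the bing_domain_web and
# shodan_hostname runs above.  labs.sans.org appears in both, once unresolved.
SAMPLE_HOSTS = [
    ("files.sans.org", None, "bing_domain_web"),
    ("labs.sans.org", None, "bing_domain_web"),
    ("www.sans.org", None, "bing_domain_web"),
    ("cyber-defense.sans.org", None, "bing_domain_web"),
    ("smtp31b.sans.org", "204.51.94.14", "shodan_hostname"),
    ("web23a.den.sans.org", "66.35.59.19", "shodan_hostname"),
    ("dns21b.sans.org", "66.35.59.8", "shodan_hostname"),
    ("admin.sans.org", "204.51.94.215", "shodan_hostname"),
    ("labs.sans.org", "204.51.94.233", "shodan_hostname"),
]


def load_sample_db():
    """Build an in-memory hosts table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(HOSTS_SCHEMA)
    conn.executemany(
        "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)", SAMPLE_HOSTS)
    return conn


def open_workspace_db(workspace):
    """Open a real workspace database (assumed path; adjust for your install)."""
    path = os.path.expanduser("~/.recon-ng/workspaces/%s/data.db" % workspace)
    return sqlite3.connect(path)


def unresolved_hosts(conn):
    """Hosts no module has attached an address to yet."""
    rows = conn.execute(
        "SELECT DISTINCT host FROM hosts WHERE ip_address IS NULL ORDER BY host")
    return [host for (host,) in rows]


def single_source_hosts(conn):
    """host -> module for hosts reported by exactly one module."""
    rows = conn.execute("""
        SELECT host, MIN(module) FROM hosts
        GROUP BY host HAVING COUNT(DISTINCT module) = 1 ORDER BY host""")
    return dict(rows)


def addresses_by_prefix(conn):
    """Group resolved addresses by /24, the granularity a netblock lookup starts from."""
    prefixes = {}
    rows = conn.execute(
        "SELECT DISTINCT ip_address FROM hosts WHERE ip_address IS NOT NULL")
    for (ip,) in rows:
        network = str(ipaddress.ip_network(ip + "/24", strict=False))
        prefixes.setdefault(network, []).append(ip)
    return {net: sorted(ips, key=ipaddress.ip_address) for net, ips in prefixes.items()}


if __name__ == "__main__":
    db = load_sample_db()
    print("unresolved:", unresolved_hosts(db))
    print("single-source:", single_source_hosts(db))
    print("networks:", addresses_by_prefix(db))
```

Grouping by /24 is a quick first cut only; the 66.35.59.0/24 range it produces for web23a.den.sans.org happens to match the netblock the Network Lookup section below reports for www.sans.org, but a whois lookup on the address is what confirms the real allocation size.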

Theharvester

The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.
This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization. Source: https://code.google.com/p/theharvester/

┌─[kali]─[~]
└──> theharvester -d chkd.org -b all -e chsext1.chkd.org

*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.7 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************


Full harvest..
[-] Searching in Google..
 Searching 0 results...
 Searching 100 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
 Searching 50 results...
 Searching 100 results...
[-] Searching in Exalead..
 Searching 50 results...
 Searching 100 results...
 Searching 150 results...


[+] Emails found:
------------------
+john.harrington@chkd.org
ASampson@chkd.org
Amy.Sampson@chkd.org
Amy@chkd.org
Barbara.Benson@chkd.org
Beach@chkd.org
Beverly.Jacobson@chkd.org
(cropped for brevity)
[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs... 
92.242.140.21:2Fwww.chkd.org
208.255.163.169:apihrp.chkd.org
157.21.35.200:kdmedia.chkd.org
208.255.163.168:mekids.chkd.org
208.255.163.189:webmail.chkd.org
208.255.163.163:www.chkd.org
[+] Virtual hosts:
==================
208.255.163.169 apihrp.chkd.org
157.21.35.200 kdmedia.chkd.org
208.255.163.189 webmail.chkd.org
208.255.163.163 www.chkd.org
208.255.163.163 208.255.163.163

Network-tools.com

This site offers a number of web-based tools, including:

  • Express
  • Ping
  • Trace
  • Whois (IDN Conversion Tool)
  • DNS Records (Advanced Tool)
  • Network Lookup
  • Spam Blacklist Check
  • URL Decode
  • URL Encode
  • HTTP Headers SSL
  • Email Tests

One of the tools I find useful on this site is Network Lookup. Enter an IP address or domain name and it shows the network address and range, which is useful for finding the IP address ranges owned by the target to include in active scans. This is the output of running “Network Lookup” on www.sans.org:

NetRange: 66.35.59.0 - 66.35.59.255
CIDR: 66.35.59.0/24

Netcraft Toolbar

http://toolbar.netcraft.com/site_report

This site is useful to see what technology a website is running.

SiteDigger

http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

SiteDigger 3.0 searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.


Shodan.io

https://www.shodan.io/

The search engine for the Internet of Things

Think of Shodan as a search engine whose results include the banner of a site or device. Want to find open vulnerable sites, VNC servers, IoT devices, and webcams that don’t require authentication and allow you to waste hours of your day? You can also use Shodan to generate a list of target IP addresses, export the list, and import it into your security tool of choice.

You can find a free guide to Shodan on exploit-db.com:  https://www.exploit-db.com/docs/33859.pdf

Maltego

Maltego Community Edition is pre-installed in Kali Linux.

Maltego is an interactive data mining tool that renders directed graphs for link analysis. The tool is used in online investigations for finding relationships between pieces of information from various sources located on the Internet. Maltego uses the idea of transforms to automate the process of querying different data sources. This information is then displayed on a node based graph suited for performing link analysis.

Currently there are three versions of the Maltego client namely Maltego CE, Maltego Classic and Maltego XL. This page will focus on Maltego Community Edition (CE). All three Maltego clients come with access to a library of standard transforms for the discovery of data from a wide range of public sources that are commonly used in online investigations and digital forensics.


1 thought on “Passive Information Gathering”

  1. Great info Steve and thanks for the blurb on Shodan. Just last week I was looking for a good reference for utilizing Shodan…now I have one!
