Reconnaissance

From Gender and Tech Resources

The pentesting "reconnaissance" process (jumpy and creative as it is) can be useful for research. What if, for example, we want to know (more about) the current state of smart cities?

Querying DNS servers

The whois system is used by system administrators to obtain contact information for IP address assignments or domain name administrators. dig is a networking tool that can query DNS servers for information. It can be very helpful for diagnosing problems with domain pointing and is a good way to verify that your server configuration is working. An alternative to dig is a command called host. This command functions in a very similar way to dig, with many of the same options. And if dig and whois do not provide you with enough information, tools like dnsmap and dnsenum can be handy.
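As an added example (not from the original page or from any of the tools it names), the following Python script does what dig and host do underneath: it builds a raw DNS query, sends it over UDP to a resolver you choose, and decodes the answer section, including RFC 1035 name compression. The resolver address is an assumed placeholder, the hostnames under `example.test` are constructed, and the sample response it parses offline is constructed here too. The transaction-id check at the end is the one thing a resolver client must never skip, since a reply with the wrong id is either stale or forged.

```python
import random
import socket
import struct

RTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Build a standard recursive query (flags 0x0100 = RD set) with one question."""
    if txid is None:
        txid = random.randrange(0, 65536)   # unpredictable id is the anti-spoofing defence
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def read_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after the name
    at its original position). Pointers (top two bits set) are followed."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                         # compression pointer
            hops += 1
            if hops > 16:                                 # refuse pointer loops
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return {'id', 'rcode', 'answers': [(name, type, ttl, value), ...]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                   # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in (2, 5):                             # NS / CNAME carry a name
            value, _ = read_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, RTYPES.get(rtype, str(rtype)), ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def dns_lookup(name, resolver, qtype=1, timeout=3.0):
    """Send one query to `resolver` (IP string) on UDP/53 and parse the reply."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    return reply


# Constructed sample reply: www.example.test CNAME web.example.test, A 192.0.2.10.
# Offsets: question name starts at 12, "example" label at 16, first rdata at 46.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)           # QR, RD, RA, NOERROR
    + encode_name("www.example.test") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 300, 6) + b"\x03web\xC0\x10"
    + b"\xC0\x2E" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    # Offline demonstration; swap in dns_lookup("www.example.test", "192.0.2.53")
    # with a real resolver address to query the network.
    for rr in parse_response(SAMPLE_RESPONSE)["answers"]:
        print(rr)
```

Run it with no arguments and it decodes the constructed reply; replace the placeholder resolver in the comment with a real one to watch a live lookup, and compare the result with `dig +short` for the same name.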

When you have an IP address, an IP lookup will provide details such as ISP name, country, state, city, longitude and latitude. Domain names can help us to find out important information such as postal address, email address and phone number.

Using whois from the command line you may or may not get useful results. It runs on port 43 and the information returned is plain ASCII, but because whois servers all over the internet are run by a wide variety of organisations, the information returned varies, and the different whois clients differ in functionality too.

Whois proxies can sit between a client and a server. They usually speak http or https, so a blocked port 43 is not a problem for a client that goes through a proxy in a browser. A proxy will usually also work out which whois server to contact for a given lookup.

Almost all whois services restrict data mining to prevent the harvesting of contact data for spamming, which also limits the service for other purposes such as intelligence gathering. Recently, some ISPs have been discussing limiting their service even further.

RWhois (referral whois) is a directory services protocol which extends the whois protocol in a hierarchical and scalable way. It focuses on the distribution of "network objects" (domain names, IP addresses, email addresses) and uses the hierarchical nature of these objects to discover the requested information more accurately. It is similar to DNS in spirit but apparently still not in general use.
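To make the port 43 protocol and the referral idea concrete, here is an added example (not from the original page) of a minimal whois client in Python: it sends one query line over TCP port 43, reads until the server closes the connection, parses the `key: value` reply, and follows plain-whois referral fields (`refer:`, `Whois Server:`, `Registrar WHOIS Server:`) from IANA down to the responsible registry or registrar. It does not speak the RWhois protocol itself. The sample reply it parses offline is constructed here in the style of an IANA lookup; the server name `whois.nic.example` and the addresses in it are placeholders.

```python
import socket
import sys

WHOIS_PORT = 43   # whois is plain text over TCP port 43 (RFC 3912)


def whois_query(server, query, timeout=10.0):
    """Send one query to a whois server and return the raw text of the reply."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:                       # the server closes the connection when done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    # replies are nominally ASCII, but some servers send UTF-8 (or worse)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'key: value' lines into {key: [values]}. Comment lines (%, #) and
    blank lines are skipped, keys are lower-cased, repeated keys keep order."""
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "%#" or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value:
            fields.setdefault(key, []).append(value)
    return fields


# Field names that different servers use to point at the next server to ask.
REFERRAL_KEYS = ("refer", "whois server", "registrar whois server")


def referral_server(fields):
    """Return the next whois server the reply points at, or None."""
    for key in REFERRAL_KEYS:
        if key in fields:
            return fields[key][0]
    return None


def whois_lookup(query, start_server="whois.iana.org", max_hops=3):
    """Ask IANA first, then follow referral fields to the authoritative server.
    Returns (server_that_answered, parsed_fields). Bounded so a referral loop
    or a chain of misbehaving servers cannot make the client spin."""
    server, seen = start_server, set()
    while True:
        seen.add(server)
        fields = parse_whois(whois_query(server, query))
        nxt = referral_server(fields)
        if nxt is None or nxt in seen or len(seen) >= max_hops:
            return server, fields
        server = nxt


# Constructed sample in the style of an IANA TLD reply; not real registry data.
SAMPLE_REPLY = """\
% IANA WHOIS server (constructed sample)
% for more information see the registry's own documentation

refer:        whois.nic.example

domain:       EXAMPLE

organisation: Example Registry Operator
address:      1 Placeholder Street, Anytown

nserver:      NS1.NIC.EXAMPLE 192.0.2.1
nserver:      NS2.NIC.EXAMPLE 192.0.2.2

whois:        whois.nic.example

status:       ACTIVE
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # live lookup; needs network access
        server, fields = whois_lookup(sys.argv[1])
        print("answered by", server)
    else:                                        # offline demo on the constructed sample
        fields = parse_whois(SAMPLE_REPLY)
        print("would refer to", referral_server(fields))
    for key, values in fields.items():
        print(f"{key}: {', '.join(values)}")
```

Because the reply format is not standardised, `parse_whois` is deliberately forgiving: anything that is not a `key: value` line is ignored rather than treated as an error, which is the same reason rate limits and wildly different output make whois a poor fit for automated bulk gathering.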

Enumerating targets

Enumerating targets on a local network can be done with nmap, arping, hping and fping. The last three let you construct arbitrary packets for almost any networking protocol and analyse the replies.

Resources