Difference between revisions of "Reconnaissance"
From Gender and Tech Resources
m |
m |
||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
− | The pentesting (jumpy and creative) "reconnaissance" process | + | The pentesting (jumpy and creative) "reconnaissance" process can be useful for research. What if, for example, we want to know (more about) the current state of [[Timeline_that_is_soooo_1984_...#Smart_Cities|smart cities]]? |
== Querying DNS servers == | == Querying DNS servers == | ||
The <code>whois</code> system is used by system administrators to obtain contact information for IP address assignments or domain name administrators. <code>dig</code> is a networking tool that can query DNS servers for information. It can be very helpful for diagnosing problems with domain pointing and is a good way to verify that your server configuration is working. An alternative to <code>dig</code> is a command called <code>host</code>. This command functions in a very similar way to dig, with many of the same options. And if <code>dig</code> and <code>whois</code> do not provide you with enough information, tools like <code>dnsmap</code> and <code>dnsenum</code> can be handy. | The <code>whois</code> system is used by system administrators to obtain contact information for IP address assignments or domain name administrators. <code>dig</code> is a networking tool that can query DNS servers for information. It can be very helpful for diagnosing problems with domain pointing and is a good way to verify that your server configuration is working. An alternative to <code>dig</code> is a command called <code>host</code>. This command functions in a very similar way to dig, with many of the same options. And if <code>dig</code> and <code>whois</code> do not provide you with enough information, tools like <code>dnsmap</code> and <code>dnsenum</code> can be handy. | ||
+ | |||
+ | When you have an IP address an IP lookup will provide details such as ISP name, country, state, city, longitude and latitude. Domain names can help us to find out important information such as address, email id and phone number. | ||
+ | |||
+ | Using whois from the command line you may or may not get useful results. It runs on port 43, and information returned is in plain ASCII format, but because whois servers all over the internet are managed by a wide variety of organisations, information returned may vary. And the different whois clients have different functionality too. | ||
+ | |||
+ | Whois proxies can be used between a client and a server. Those usually use the http or https protocol. If port 43 is blocked, that is not a problem when a client is using proxies through a browser. Also, likely a proxy will determine which server to contact for different lookups. | ||
+ | |||
+ | Almost all services prevent data mining for preventing data gathering for spamming, and that also limits the service for other purposes such as intelligence gathering. Recently, some ISP’s are discussing limiting their service even further. | ||
+ | |||
+ | RWhois (referral whois) is a directory services protocol which extends the whois protocol in a hierarchical and scalable way. It focuses on the distribution of “network objects” (domain names, IP addresses, email addresses) and uses the hierarchical nature of these network objects to more accurately discover the requested information. It is similar to DNS but apparently, still not in general use. | ||
== Enumerating targets == | == Enumerating targets == |
Latest revision as of 09:45, 24 September 2015
The pentesting (jumpy and creative) "reconnaissance" process can be useful for research. What if, for example, we want to know (more about) the current state of smart cities?
Querying DNS servers
The whois
system is used by system administrators to obtain contact information for IP address assignments or domain name administrators. dig
is a networking tool that can query DNS servers for information. It can be very helpful for diagnosing problems with domain pointing and is a good way to verify that your server configuration is working. An alternative to dig
is a command called host
. This command functions in a very similar way to dig, with many of the same options. And if dig
and whois
do not provide you with enough information, tools like dnsmap
and dnsenum
can be handy.
When you have an IP address an IP lookup will provide details such as ISP name, country, state, city, longitude and latitude. Domain names can help us to find out important information such as address, email id and phone number.
Using whois from the command line you may or may not get useful results. It runs on port 43, and information returned is in plain ASCII format, but because whois servers all over the internet are managed by a wide variety of organisations, information returned may vary. And the different whois clients have different functionality too.
Whois proxies can be used between a client and a server. Those usually use the http or https protocol. If port 43 is blocked, that is not a problem when a client is using proxies through a browser. Also, likely a proxy will determine which server to contact for different lookups.
Almost all services prevent data mining for preventing data gathering for spamming, and that also limits the service for other purposes such as intelligence gathering. Recently, some ISP’s are discussing limiting their service even further.
RWhois (referral whois) is a directory services protocol which extends the whois protocol in a hierarchical and scalable way. It focuses on the distribution of “network objects” (domain names, IP addresses, email addresses) and uses the hierarchical nature of these network objects to more accurately discover the requested information. It is similar to DNS but apparently, still not in general use.
Enumerating targets
Enumerating targets on a local network can be done with nmap
, arping
, hping
and fping
. The last three allow for constructing arbitrary packets for almost any networking protocol, for analysis of replies.
Resources
- Hack Back! A DIY Guide for Those Without the Patience to Wait for Whistleblowers http://leaksource.info/2014/08/09/hack-back-a-diy-guide-for-those-without-the-patience-to-wait-for-whistleblowers/