Reconnaissance

From Gender and Tech Resources

Revision as of 15:29, 7 September 2015 by Lilith2

The pentesting "reconnaissance" process (jumpy and creative) can be extremely useful. What if, for example, we want to know the current state of smart cities?

Querying DNS servers

The whois system is used by system administrators to obtain contact information for IP address assignments or domain name administrators. dig is a networking tool that can query DNS servers for information. It can be very helpful for diagnosing problems with domain pointing and is a good way to verify that your server configuration is working. An alternative to dig is a command called host. This command functions in a very similar way to dig, with many of the same options. And if dig and whois do not provide you with enough information, tools like dnsmap and dnsenum can be handy.
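The paragraph above mentions using dig to verify that your own server configuration is working. The script below is an added example, not part of the original page: it reduces `dig +noall +answer` output to comparable records and reports drift from a baseline you maintain. The zone names, addresses, variable names and function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Names and addresses are constructed; 192.0.2.0/24 and
# 198.51.100.0/24 are ranges reserved for documentation.

# Records the zone is supposed to serve: "name TYPE rdata", one per line.
BASELINE='www.example.org. A 192.0.2.10
example.org. MX 10 mail.example.org.
mail.example.org. A 192.0.2.25'

# Constructed stand-in for the combined output of:
#   dig +noall +answer www.example.org A
#   dig +noall +answer example.org MX
#   dig +noall +answer mail.example.org A
# (dig separates fields with tabs; awk splits on any whitespace.)
SAMPLE_ANSWER='WWW.example.org.   300   IN  A   192.0.2.10
example.org.       3600  IN  MX  10 mail.example.org.
mail.example.org.  300   IN  A   198.51.100.7'

# Reduce dig answer lines (name TTL class type rdata...) to "name TYPE rdata".
# TTL and class are dropped: a cached TTL counts down, so it never compares equal.
# Owner names are lowercased because DNS names are case-insensitive.
normalize_answers() {
    awk 'NF >= 5 && $1 !~ /^;/ {
        rdata = $5
        for (i = 6; i <= NF; i++) rdata = rdata " " $i
        print tolower($1), toupper($4), rdata
    }'
}

# diff_records BASELINE OBSERVED: print MISSING/UNEXPECTED lines, return 1 on drift.
diff_records() {
    report=$(printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { observed = 1; next }
        $0 == ""    { next }
        !observed   { want[$0] = 1; next }
                    { have[$0] = 1 }
        END {
            for (r in want) if (!(r in have)) print "MISSING " r
            for (r in have) if (!(r in want)) print "UNEXPECTED " r
        }' | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# For live use (assumes dig is installed), pipe real dig output instead of the sample.
observed=$(printf '%s\n' "$SAMPLE_ANSWER" | normalize_answers)
diff_records "$BASELINE" "$observed" || echo "DNS answers differ from baseline"
```

Here the `www` record matches despite its different case and TTL, while the changed address for `mail.example.org.` is reported as one MISSING and one UNEXPECTED record.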

Enumerating targets

Enumerating targets on a local network can be done with nmap, arping, hping and fping. The last three allow for constructing arbitrary packets for almost any networking protocol, for analysis of replies.

Resources