Reconnaissance is the cornerstone of any successful penetration testing strategy. This crucial phase involves gathering information about the target environment, enabling penetration testers to identify vulnerabilities and potential entry points. In this comprehensive guide, we will walk through various reconnaissance techniques and tools, providing a step-by-step approach for both beginners and intermediate penetration testers.
Google Dorking
Google Dorking refers to the practice of using advanced search operators in Google's search engine to discover specific information that is not easily accessible through conventional searches. This technique is often employed by security professionals, researchers, and hackers to find vulnerabilities, exposed sensitive information, or other details that may be hidden from regular search queries. Here is a table of the most useful Google Dorking operators, each with an example.
The Harvester
The Harvester is a versatile tool designed for harvesting information from various sources. It was developed by Christian Martorella at Edge Security. Let's learn how to use it effectively to collect emails, subdomains, and other valuable data.
The Harvester is a Python script, so ensure you have Python and the pip package manager installed. Then install The Harvester using:
The basic command structure is as follows, where domain is your target and source is the data source (e.g., Google, Bing, PGP).
For example, to collect emails and subdomains from "example.com" using Google and Bing, run:
The Harvester supports many sources, including search engines, social media, PGP servers, and more. There is much more of theHarvester to explore, and you can find its other functionality in the theHarvester documentation.
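Whatever source list you pass, the raw output of a harvesting run is easiest to work with once it has been reduced to de-duplicated lists of addresses and hostnames. The script below is an added example, not part of the original post or of theHarvester itself: the function names are chosen here, the SAMPLE text is constructed to look like harvester output, and the live invocation in the comment assumes theHarvester's -d (domain) and -b (source) options.

```shell
#!/bin/sh
# Added example (not from the original post or from theHarvester): normalise
# harvester-style output into two de-duplicated lists for the target domain.
# Live use (needs network and theHarvester on PATH):
#   theHarvester -d example.com -b google,bing > harvest.txt
#   extract_emails example.com < harvest.txt
#   extract_hosts  example.com < harvest.txt

# Escape the dots in a domain so it can be embedded in a grep -E pattern.
domain_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Unique, lower-cased e-mail addresses at domain $1, read from stdin.
extract_emails() {
  grep -Eio "[a-z0-9._%+-]+@$(domain_re "$1")" | tr 'A-Z' 'a-z' | sort -u
}

# Unique, lower-cased hostnames under domain $1 (apex included), read from stdin.
# The leading (^|[^a-z0-9.-]) stops "notexample.com" matching; sed strips that
# boundary character from the -o output again.
extract_hosts() {
  grep -Eio "(^|[^a-z0-9.-])([a-z0-9-]+\.)*$(domain_re "$1")" \
    | tr 'A-Z' 'a-z' | sed 's/^[^a-z0-9]//' | sort -u
}

# CONSTRUCTED sample in the style of a harvesting tool's text output.
SAMPLE='[*] Emails found: 3
admin@example.com
Jane.Doe@Example.com
admin@example.com
[*] Hosts found: 2
www.example.com:192.0.2.10
mail.example.com:192.0.2.20
noise from unrelated.example.org'

echo "== emails =="; printf '%s\n' "$SAMPLE" | extract_emails example.com
echo "== hosts  =="; printf '%s\n' "$SAMPLE" | extract_hosts example.com
```

On the constructed sample this yields two addresses (admin@ and jane.doe@) and three hostnames (the apex, mail and www); the unrelated .org host is ignored, which is the point of anchoring the pattern on the target domain rather than on "anything that looks like a hostname".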
Whois
Whois lookup provides details about domain registration, including contact information. Whois databases and online services such as Whois Lookup can help gather information about the target domain. It can be done with online web applications like Whois Domain Tools, or from the command line on your own machine. Here is an example of the whois record for itsecgames.com from Whois Domain Tools:
The same records can be fetched from the command line as well, using the whois command followed by the domain name. For example, issuing whois itsecgames.com returns the results shown in the picture below.
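A whois record is long, and during recon only a handful of its fields matter (registrar, creation and expiry dates, delegated name servers, DNSSEC status). The script below is an added example and not part of the original post: RECORD is a constructed sample in the usual "Key: value" registry layout, and whois_field, whois_count and whois_summary are names chosen here. For live use, replace the sample with the output of the whois command.

```shell
#!/bin/sh
# Added example (not from the original post): extract the recon-relevant
# fields from a whois record. RECORD is a CONSTRUCTED sample; for live use,
# replace it with  RECORD="$(whois example.com)".
RECORD='Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Updated Date: 2024-08-14T07:01:31Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned'

# Print every value of field $2 in record $1 (field names compared case-insensitively).
whois_field() {
  printf '%s\n' "$1" | awk -v key="$2" '
    index(tolower($0), tolower(key) ":") == 1 { sub(/^[^:]*: */, ""); print }'
}

# How many times field $2 occurs, e.g. the number of delegated name servers.
whois_count() { whois_field "$1" "$2" | awk 'END { print NR }'; }

# Compact summary of the fields worth noting: an expiry close to today, a
# single name server, or DNSSEC "unsigned" are all findings in their own right.
whois_summary() {
  for f in "Domain Name" Registrar "Creation Date" "Registry Expiry Date" DNSSEC; do
    printf '%-22s %s\n' "$f:" "$(whois_field "$1" "$f" | head -n 1)"
  done
  printf '%-22s %s\n' "Name servers:" "$(whois_field "$1" "Name Server" | tr '\n' ' ')"
  printf '%-22s %s\n' "Name server count:" "$(whois_count "$1" "Name Server")"
}

whois_summary "$RECORD"
```

Matching on the lower-cased field name followed by a colon keeps "Registrar:" from also picking up "Registrant ..." lines, and stripping only the first "key: " keeps values that themselves contain colons (timestamps, URLs) intact.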
Before moving on, note that the same information can also be extracted with Netcraft. In fact, Netcraft provides more than domain information: it searches the web for anything related to a given domain name, including site background, hosting history, Sender Policy Framework (SPF) records and much more. Let's see how to get this information easily with Netcraft.
Enter the target's domain address and start the search. Netcraft will show you the domains related to the keywords you provided. Here it shows two web addresses for itsecgames.com:
You may get different results depending on your search keywords. One thing to notice is that Netcraft reports the operating system of the server on which the website is hosted. This is very important information for penetration testing: if the OS is Linux and you try Windows exploits against it, you will never get a useful result. Now let's go further and look at the details of "www.itsecgames.com", which you can see in its site report.
The site background section gives information such as the site rank, when the site was first seen on the internet, the language of the website, and so on. The network section gives domain details and the IP addresses related to the domain. Scrolling down, you will see the hosting history, SSL/TLS information, web trackers and even the site technologies used.
Up to this point we may have DNS server IPs, name servers, or both. But what if we do not have the IP address of a given domain or web server? There is a solution for that too. Let's take a look at it: the host command.
Host
The host command in Linux is a powerful tool for DNS reconnaissance; this section shows how to use it to obtain a target's DNS records and IP addresses. It is a versatile command-line utility that returns many kinds of DNS information: it resolves domain names to IP addresses and, via reverse lookups, IP addresses back to domain names. Here are some common uses of the host command:
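The host command answers in sentences ("example.com has address ...", "example.com mail is handled by 10 ..."), which is readable but awkward to feed into the next step of recon. The script below is an added example, not part of the original post: it sweeps the record types a pentester normally asks for (A, AAAA, MX, NS, TXT) and reverse-resolves each A record, then reduces every answer line to a tab-separated "name type value" triple. summarise_host, host_values and dns_recon are names chosen here; the sample output used in the test is constructed with documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post): DNS sweep with host(1) whose
# output is normalised to one "name<TAB>type<TAB>value" line per record.
# Usage (needs network):  sh dns_recon.sh example.com

# Read host(1) output on stdin; keep answer lines, drop errors and chatter.
summarise_host() {
  awk '
    /has IPv6 address/    { print $1 "\tAAAA\t"  $NF; next }
    /has address/         { print $1 "\tA\t"     $NF; next }
    /mail is handled by/  { print $1 "\tMX\t"    $(NF-1) " " $NF; next }
    /descriptive text/    { n = $1; sub(/^[^"]*"/, ""); sub(/"$/, ""); print n "\tTXT\t" $0; next }
    /name server/         { print $1 "\tNS\t"    $NF; next }
    /is an alias for/     { print $1 "\tCNAME\t" $NF; next }
    /domain name pointer/ { print $1 "\tPTR\t"   $NF; next }
  '
}

# From summarised output on stdin, print only the values of record type $1.
host_values() { awk -v t="$1" 'BEGIN { FS = "\t" } $2 == t { print $3 }'; }

# Forward records first, then a reverse lookup of every A record: the PTR
# name frequently reveals the hosting provider or a shared server's real name.
dns_recon() {
  for t in A AAAA MX NS TXT; do host -t "$t" "$1"; done | summarise_host
  host -t A "$1" | summarise_host | host_values A \
    | while read -r ip; do host "$ip"; done | summarise_host
}

if [ "$#" -gt 0 ]; then dns_recon "$1"; fi
```

Because every line carries its type in the second column, the same output can be filtered later without re-querying, for example host_values MX to list mail exchangers or host_values TXT to inspect SPF and verification records.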
Other ways to gather information include the Open Source Intelligence (OSINT) framework and social engineering. You can get details on OSINT and social engineering from here.
Conclusion
Effective reconnaissance involves sifting through vast amounts of information to identify potential attack vectors, so for effective penetration testing, learn how to prioritize and filter that intelligence into actionable insights. Hands-on practice is crucial for mastering reconnaissance: seek out realistic scenarios, labs, and platforms for honing your skills. Two very good online platforms for learning ethical hacking and penetration testing are HackTheBox and TryHackMe.
Reconnaissance is just the beginning. The further journey of Penetration Testing is much more interesting compared to Reconnaissance. As a beginner, it's good practice to keep Recon and Scanning different, but as you gain more knowledge and experience, you may treat both of them together.
Alphabin also provides complete penetration testing, including a dedicated phase and engineer for reconnaissance during testing, to ensure the security of your information and the integrity of your business.