… ye gotta know where ye’re just gonna rush in and with what. Ye cannae just rush in anywhere. It looks bad, havin’ to rush oout again straight awa’ … ~ Terry Pratchett

Reconnaissance is the gathering of as much information as possible about a target without “touching” the target.

If not for testing your own setups, a system often has implied boundaries (legal and lawful rules), that can be negotiated and agreed upon in a Rules of Engagement when testing others. Most intelligence gathering (or reconnaissance) using public resources is lawful and legal in most countries. Before moving into scanning or enumeration, pentesters usually protect themselves with a Get Out Of Jail Free Card (pdf).

Security Distros

[linkview show_cat_name=”0″ cat_name=”Security Distros”]

Intelligence Gathering

As a running example on this page, I will be using the intelligence gathering required for the fracking edits and nuclear power edits bots. The quality of the bots depends on the quality on the intelligence gathering. We need to learn as much about these industries and its main companies as we can: what they do, who they do it for, who does it for them, where they do it from – both online and in the kinetic world, what community or charity work they are involved in. … and while doing so noting domain names if coming across any.

Tools to use are your own intelligence, search engines (crawler and human based), your own webcrawlers, link analysis tools, and various domain tools.

[linkview show_cat_name=”0″ cat_name=”Intelligence Gathering”]

GNU wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols. It is a non-interactive commandline tool, so it may easily be called from scripts, cron jobs, terminals without X-Windows support, etc.

What comes out after much jumping about is a list of company names, partner and subsidiary company names, and DNS names, and  maps which reflect the industry with its major companies (divisions of companies) involved in the fracking respectively nuclear power producing industry.

Human Recon

Also known as doxing. From the human relationships perspectives search for connections between executive teams and board members of  companies in the industry, and ties with companies in other industries. Anonymously made changes to the specific fracking and nuclearpower related wikipedia pages we’ll be tracking can come from relations.

[linkview show_cat_name=”0″ cat_name=”Human Recon”]

Follow The Money

[linkview show_cat_name=”0″ cat_name=”Follow The Money”]


In footprinting DNS domain names are mined from the domains of the company names collected in intelligence gathering and then translated to IP adresses or IP address ranges.

When having a list of IP addresses or IP netblocks of the target, then a neat DNS trick is to convert the addresses into hostnames using reverse lookups to get the PTR record entry. The results give clues as to whether the host is a shared host, owned and hosted by the company or just remote hosted. Note: Reverse records are easily brute forced in IPv4. DNS does not require a PTR record (reverse entry). Entries in the reverse zone must match entries in the forward zone.

If a netblock range is owned by the target and registered to the target we are lucky, but often we will only get the network service provider to which the netblock is allocated to. In that case, we will have to query the service provider in order to gain more info about the specific netblock. If no reverse entry is present and no record of the IP is found, then some creativity is called for. And it depends.

Try the pastebins. Lots of people been posting previously done footprinting on it.

SSL may be familiar as a “protection” against eavesdroppers and men-in-the-middle, but it is useful for footprinters. One of the security checks performed by browsers when deciding on the validity of a SSL certificate is whether the Common Name contained in the certificate matches the DNS name of the host requested from the browser. If an HTTPS website is hosted on that address then simply browse to that IP address and, when presented with the invalid certificate error, message, look for the “real” host name.

Try a SMTP bounce back, also called a Non-Delivery Report/Receipt (NDR), a (failed) Delivery Status Notification (DSN) message, a Non-Delivery Notification (NDN) or simply a bounce, an automated electronic mail message from a mail system informing the sender of another message about a delivery problem. Send a message to a fake email address within a target’s domain. If the mailserver has no catchall then you will receive a bounce back message, and the header may contain host names and IP addresses of the servers that handled it. Make the message inconspicuous in case there is a catchall. Leave no easily discernable trail. Even when the other techniques produce results, it can still be handy to do an SMTP bounce.

[linkview show_cat_name=”0″ cat_name=”Footprinting”]

If any new relevant companies are found in the process, gather intelligence.

Scanning and Enumeration

A check on the vitality of the IP address and IP address ranges collected. And an overview of the function and services of the associated systems. In general, scanning and enumerating can break things. Most scanning is legal. Some scanning and most enumeration is not. It depends on laws in your location, the location of the target and (diplomatic) treaties between the two.

Note: Nipper was an open source tool until its developer (Titania) released a commercial version and tried to hide their old GPL releases.

[linkview show_cat_name=”0″ cat_name=”Scanning and Enumeration”]


[linkview show_cat_name=”0″ cat_name=”Fuzzing”]

  1 comment for “Reconnaissance

  1. June 11, 2015 at 8:29 am

    may I kindly point pof and dnsenum both passive.

Leave a Reply

Your email address will not be published. Required fields are marked *