User Tools

Site Tools

diy:network-recon

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
diy:network-recon [2024/06/08 04:18] Humphrey Boa-Gartdiy:network-recon [2024/08/06 05:48] (current) – external edit 127.0.0.1
Line 5: Line 5:
 Lets say this site is, hypothetically, [[http://scanme.nmap.org|scanme.nmap.org]]. So where to begin? Before you can start to do anything (dox, attack, shut down, etc) you first need to run some basic tools. You have to profile where this site intersects with the rest of the internet, and the real world. Lets say this site is, hypothetically, [[http://scanme.nmap.org|scanme.nmap.org]]. So where to begin? Before you can start to do anything (dox, attack, shut down, etc) you first need to run some basic tools. You have to profile where this site intersects with the rest of the internet, and the real world.
  
-===== Finding IP Addresses & Other Basic Info =====+===== Finding IP Addresses & DNS Info =====
  
 Every machine (or **host**) on the internet has an **IP address**, and every domain name resolves to an IP address. Domain names are only aliases for IP addresses because //whatever.com// is easier to remember than //187.158.173.109//. The inverse is not necessarily true. An IP may have no domain name pointing to it. Every machine (or **host**) on the internet has an **IP address**, and every domain name resolves to an IP address. Domain names are only aliases for IP addresses because //whatever.com// is easier to remember than //187.158.173.109//. The inverse is not necessarily true. An IP may have no domain name pointing to it.
Line 15: Line 15:
 ==== ping ==== ==== ping ====
  
-The classic ''ping'' command works on pretty much everyone's machine, without having to install anything. It functions by sending an echo request to the IP address or domain name specified, and waiting to receive a reply back. While this command is most useful for diagnosing connection issues, it will also reveal the IP address for a domain:+The classic ''ping'' command works on pretty much everyone's machine, without having to install anything. It functions by sending a simple echo request to the IP address or domain name specified, and waiting to receive a reply back. While this command is most useful for diagnosing connection issues, a ping will also reveal the host IP address for a given domain:
  
   $ ping scanme.nmap.org   $ ping scanme.nmap.org
Line 38: Line 38:
 ==== nslookup ==== ==== nslookup ====
  
-Another commonly bundled cross-platform command, ''nslookup'' checks DNS records to find the IP address of a given domain:+Another commonly bundled cross-platform command, ''nslookup'' checks DNS records to find the IP address formally associated with a given domain:
  
   $ nslookup scanme.nmap.org   $ nslookup scanme.nmap.org
Line 108: Line 108:
 Read more [[https://phoenixnap.com/kb/linux-dig-command-examples|dig command examples]]. Read more [[https://phoenixnap.com/kb/linux-dig-command-examples|dig command examples]].
  
-==== Browser Based Tools ==== 
- 
-  * [[https://nslookup.io|NsLookup.io]] 
  
 ===== WHOIS ===== ===== WHOIS =====
Line 116: Line 113:
 [[wp>WHOIS]] is a query and response protocol that is used for querying databases that store an Internet resource's registered users or assignees. These resources include domain names, IP address blocks and autonomous systems, but it is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. [[wp>WHOIS]] is a query and response protocol that is used for querying databases that store an Internet resource's registered users or assignees. These resources include domain names, IP address blocks and autonomous systems, but it is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.
  
-WHOIS lookups are a great way to find out more information about a web site or IP address. They can clue you in to who the target uses for a host or domain registrar, geographic locations, and sometimes even the real-world names & addresses of the site owners or administrators. WHOIS lookups are a necessary fundamental skill for recon and [[tactics:dox|doxxing]].+WHOIS lookups are a great way to find out more information about a web site or IP address. They can clue you in to who the target uses for a host or domain registrar, geographic locations, and sometimes even the real-world names & addresses of the site owners or administrators. WHOIS lookups are a necessary fundamental skill for  {{tagpage>recon}} and [[tactics:dox|doxxing]].
  
 ==== Domain Information ==== ==== Domain Information ====
  
-On all *nix based systems it's pretty easy to find out any available details about a domain. That's what the ''whois'' command is for. Every domain registrar runs a WHOIS database for the domains it is hosting. Their database usually contains information about the owner & assigned contacts of the domain, such as email, phone, and street address. Some registrars require that the administrative contact is a natural person, not an organization. Keep in mind that some domain owners will lie about this, which can be grounds for domain suspension, but it is hardly enforced. Some domain owners subscribe to privacy services (such as **Domains by Proxy** or **Withheld for Privacy**) in which case you will have to try another way to get the information.+**WHOIS** lookups are extremely easy to do. That's what the ''whois'' command is for. Every domain registrar runs a WHOIS database for the domains it is hosting. These databases usually contain information about the owner & assigned contacts of the domain, such as email, phone, and street address. Keep in mind that some domain owners will lie about this, which can be grounds for domain suspension, but it is hardly enforced. Some domain owners subscribe to privacy services (such as **Domains by Proxy** or **Withheld for Privacy**) in which case you will have to try another way to get the information.
  
 ''whois'' generally doesn't like being run against subdomains, so you will have to point it at the root domain: ''whois'' generally doesn't like being run against subdomains, so you will have to point it at the root domain:
Line 127: Line 124:
  
 The lengthy results of this command (which we will not paste here) reveal that Nmap does in fact use one of the aforementioned domain privacy services. It also shows that they use [[https://www.dynadot.com|Dynadot]] as a domain registrar, which in turn points to [[https://linode.com|Linode's nameservers]], revealing two more of their service providers. The lengthy results of this command (which we will not paste here) reveal that Nmap does in fact use one of the aforementioned domain privacy services. It also shows that they use [[https://www.dynadot.com|Dynadot]] as a domain registrar, which in turn points to [[https://linode.com|Linode's nameservers]], revealing two more of their service providers.
- 
-If you don't have access to the command line, there are a handful of sites you can use for DNS lookups in your browser: 
- 
-  * [[https://whois.domaintools.com|DomainTools]] 
-  * [[https://lookup.icann.org/en|ICANN Lookup]] 
-  * [[https://www.whois.com/whois/|Whois.com]] 
  
 ==== More IP Information ==== ==== More IP Information ====
Line 140: Line 131:
   $ whois 45.33.32.156   $ whois 45.33.32.156
  
-Running ''whois'' against either of Nmap's IP addresses brings up more information about their host, Linode, including the email address to send abuse and DMCA shutdown notices to.+Running ''whois'' against either of Nmap's IP addresses brings up more information about Nmap'host, including the email address to send abuse and DMCA shutdown notices to. (Very exploitable.) 
 + 
 +===== Browser Based Tools ===== 
 + 
 +If you don't have access to the command line, there are a handful of sites you can use for DNS & WHOIS lookups in your browser: 
 + 
 +  * [[https://whois.domaintools.com|DomainTools]] 
 +  * [[https://lookup.icann.org/en|ICANN Lookup]] 
 +  * [[https://www.whois.com/whois/|Whois.com]] 
 +  * [[https://nslookup.io|NsLookup.io]]
  
 ===== More Things You Can Do ===== ===== More Things You Can Do =====
Line 147: Line 147:
  
   * You can compile the info you found into [[tactics:dox|a dox file]] for the target.   * You can compile the info you found into [[tactics:dox|a dox file]] for the target.
-  * You can [[arms:nmap|run a port scan]] on the host to further profile the server environment of the site.+  * You can [[arms:nmap|run a port scan]] on the host(s) to further profile the server environment(s) of the target.
  
 {{tag>Tutorials Recon}} {{tag>Tutorials Recon}}
diy/network-recon.1717820313.txt.gz · Last modified: 2024/08/06 05:53 (external edit)

Find this page online at: https://bestpoint.institute/diy/network-recon