Part-1 Tools
To conduct any type of penetration testing, we must first understand the target. To understand it in depth, we have to investigate it in a way that reveals more potential attack vectors, which may or may not be readily visible to public users. There are different approaches and techniques for reconnaissance; this article explores various types of tools used for network reconnaissance. The tools you use depend on the type of target, the data you are gathering and the level of access you have.
NMAP
Nmap is a must have tool for every security professional.
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
OS: Linux, Windows, macOS
Example:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
Nmap: the Network Mapper — Free Security Scanner
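The commands above produce a lot of output, and what a defender usually wants from them is an inventory to compare against the approved baseline. The following added example (not code from the Nmap project or from the original article) parses Nmap's greppable output format, the one produced by `-oG`, and reports which ports are open per host and which of them are not in a baseline. The scan text is constructed here for illustration; hosts, versions and the baseline are hypothetical.

```python
"""Parse nmap greppable (-oG) output into a per-host port inventory and diff it against a baseline.

Added example; the scan output below is constructed for illustration, not a real scan.
"""
import re
from collections import defaultdict

# Constructed sample of what `nmap -oG - -p 22,80,443 <targets>` prints (hypothetical hosts).
# Each port entry has the fixed shape: port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated Tue Mar  7 21:00:00 2023 as: nmap -oG - -p 22,80,443 192.0.2.0/30
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4/, 443/open/tcp//https//Apache httpd 2.4/
# Nmap done at Tue Mar  7 21:00:05 2023 -- 4 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

# Seven slash-separated fields per port entry; the last slash is the terminator.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]} from every 'Ports:' line."""
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        host = line.split()[1]
        # Fields on a Host: line are tab-separated "Key: value" pairs (Status, Ports, Ignored State, ...)
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(fields["Ports"]):
            inventory[host].append((int(port), state, proto, service, version))
    return dict(inventory)


def open_ports(inventory):
    """Collapse the inventory to {host: sorted open ports}: the exposure a defender tracks over time."""
    return {host: sorted(p for p, state, *_ in ports if state == "open")
            for host, ports in inventory.items()}


def diff_exposure(baseline, current):
    """Ports open now that are not in the approved baseline, per host (empty dict = nothing new)."""
    unexpected = {}
    for host, ports in current.items():
        extra = sorted(set(ports) - set(baseline.get(host, [])))
        if extra:
            unexpected[host] = extra
    return unexpected


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    # Hypothetical baseline: only SSH is approved on .1, web ports on .2
    approved = {"192.0.2.1": [22], "192.0.2.2": [80, 443]}
    print("open ports:", open_ports(inv))
    print("not in baseline:", diff_exposure(approved, open_ports(inv)))
```

Running the same parser over a fresh `-oG` file on a schedule and alerting on a non-empty `diff_exposure` result turns the scanner into a simple change-detection control.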
DNS Enumeration
This is not exactly a tool; it is better categorized as a technique. However, certain tools are required for enumerating DNS. First, why do we need to enumerate DNS servers? A DNS server translates domain names or URLs into their respective IP addresses.
What is a DNS server? | Cloudflare
DNS enumeration involves gathering information such as computer names, IP addresses, associated nameservers, mail servers and so on.
Tools: Several tools can be used for this.
Nslookup
Nslookup is an extensive tool which is preinstalled in Kali Linux.
nslookup is a network administration command-line tool for querying the Domain Name System to obtain the mapping between domain name and IP address, or other DNS records.
An online web version can be found on Online nslookup — Find DNS records
Example:
nslookup ibm.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: ibm.com
Address: 23.211.215.249
Name: ibm.com
Address: 2600:140f:b800:182::3831
Name: ibm.com
Address: 2600:140f:b800:1b6::3831
DNSlookup
Various types of information can be gathered by looking up different record types.
A Record Lookup — Address or IPv4 DNS records, these store IP addresses for domain names.
AAAA Record Lookup — Address v6 or IPv6 DNS records, same as A records but store IPv6 IP addresses.
CAA Record Lookup — Certificate Authority Authorization DNS records are used to store which certificate authorities are allowed to issue certificates for the domain.
CNAME Record Lookup — Canonical Name or sometimes known as Alias records are used to point to other DNS records. Often used for subdomains like www.
MX Record Lookup — Mail Exchanger DNS records are used to store which email servers are responsible for handling email for the domain name.
NS Record Lookup — Nameserver DNS records store the authoritative nameserver for a domain name.
PTR Record Lookup — Pointer or reverse DNS records. This is the opposite of A or AAAA DNS records and is used to turn an IP address into a hostname.
SOA Record Lookup — Start of Authority DNS records store meta details about a domain name such as the administrator contact email address and when the domain last had changes made to its DNS configuration.
SRV Record Lookup — Service DNS records store protocol and port numbers for services offered by the domain name, for example VoIP or chat server.
TXT Record Lookup — Text records are used to store notes as DNS records, however they are typically used to store configuration settings for various services like SPF records which are used to define which email servers are allowed to send email from the domain or verification codes for some webmaster tools.
Source: DNS Lookup — Check All DNS records for any domain (whatsmydns.net)
TOOLS:
DNS Lookup Tool — DNS Tools — MxToolbox
Dig
This tool is also preinstalled on Kali Linux. Dig is a simple tool but has a lot of features. It is a command-line tool built into Linux. It can be used for enumerating DNS, zone transfers, MX records, reverse DNS lookups and so on.
Example:
dig @8.8.8.8 ibm.com
; <<>> DiG 9.16.15-Debian <<>> @8.8.8.8 ibm.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34841
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ibm.com. IN A
;; ANSWER SECTION:
ibm.com. 20 IN A 23.49.53.206
;; Query time: 104 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 07 21:34:04 IST 2023
;; MSG SIZE rcvd: 52
How to Use Linux dig Command (DNS Lookup) {With Examples} (phoenixnap.com)
Host
The host tool is a simple tool that gives you the IP address associated with a URL. It also lists the mail servers.
Usage: host <domain>
Example:
host ibm.com
ibm.com has address 23.211.215.249
ibm.com has IPv6 address 2600:140f:b800:182::3831
ibm.com has IPv6 address 2600:140f:b800:1b6::3831
ibm.com mail is handled by 5 mx0b-001b2d01.pphosted.com.
ibm.com mail is handled by 5 mx0a-001b2d01.pphosted.com.
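Whether the records come from nslookup, dig or host, the next step is to make sense of them, and for a defender enumerating their own zone the useful output is a list of weaknesses the records reveal. The following added example (not from the original article or from any of the tools above) parses resource records in the zone-file layout that dig prints in its ANSWER SECTION and applies two checks that follow directly from the record types listed above: whether a CAA record restricts certificate issuance, and whether the SPF TXT record ends in a permissive `+all`. The records are constructed for a placeholder domain, `example.test`; they are not real lookups.

```python
"""Parse dig-style answer lines (name TTL class type rdata) and run basic DNS hygiene checks.

Added example; the records below are constructed for a placeholder domain, not real lookups.
"""
from collections import defaultdict

# Constructed sample in the format dig prints in its ANSWER SECTION (or with +noall +answer).
SAMPLE_ANSWERS = """\
example.test.        300  IN  A      192.0.2.10
example.test.        300  IN  AAAA   2001:db8::10
example.test.        3600 IN  MX     10 mail.example.test.
example.test.        3600 IN  NS     ns1.example.test.
example.test.        3600 IN  TXT    "v=spf1 include:_spf.example.test +all"
www.example.test.    300  IN  CNAME  example.test.
"""


def parse_answers(text):
    """Return {rrtype: [(name, ttl, rdata), ...]} from dig-style resource record lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # dig's own comments start with ';'
            continue
        # rdata may contain spaces (MX priority + host, quoted TXT), so split at most 4 times
        name, ttl, _cls, rrtype, rdata = line.split(None, 4)
        records[rrtype].append((name, int(ttl), rdata))
    return dict(records)


def spf_policy(records):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?'), or None if no SPF record.

    A bare 'all' means '+all' per the SPF specification.
    """
    for _name, _ttl, rdata in records.get("TXT", []):
        txt = rdata.strip('"')
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split():
            if term.lstrip("+-~?") == "all":
                return term[0] if term[0] in "+-~?" else "+"
    return None


def hygiene_findings(records):
    """Findings a defender would raise from enumerating their own zone (empty list = nothing found)."""
    findings = []
    if "CAA" not in records:
        findings.append("no CAA record: any public CA may issue certificates for this name")
    qualifier = spf_policy(records)
    if qualifier is None:
        findings.append("no SPF record: receivers cannot reject mail spoofing this domain")
    elif qualifier == "+":
        findings.append("SPF ends in +all: every host on the internet is authorised to send as this domain")
    return findings


if __name__ == "__main__":
    recs = parse_answers(SAMPLE_ANSWERS)
    for rrtype, entries in recs.items():
        print(rrtype, entries)
    for finding in hygiene_findings(recs):
        print("FINDING:", finding)
```

The same parser works on `dig +noall +answer <name> ANY` output or on a zone transfer dump, which is the normal input when auditing a zone you administer.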
Wireshark
Wireshark is a network packet analyzer: an application that captures packets from a network connection, such as the connection between your computer and your home office or the internet.
OS: Windows, Linux, macOS
Wireshark User’s Guide: Version 4.1.0
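To show what a packet analyzer actually does with a capture, here is an added example (not Wireshark code and not from the original article) that reads the classic pcap container Wireshark and tcpdump write and decodes one frame layer by layer: Ethernet, IPv4, UDP and the DNS question name. The capture is constructed in code from a DNS query for the placeholder name `example.test` between the documentation addresses 192.0.2.10 and 192.0.2.53, so nothing is captured from a real network; the IP checksum is left at zero, which Wireshark would flag on a real capture.

```python
"""Decode a minimal pcap file (what Wireshark/tcpdump write) down to the DNS query name.

Added example; the capture is constructed in code, not taken from a real network.
"""
import struct


def build_sample_pcap():
    """Construct a one-packet pcap: Ethernet / IPv4 / UDP / DNS query for example.test (constructed data)."""
    qname = b"".join(bytes([len(label)]) + label for label in b"example.test".split(b".")) + b"\x00"
    # DNS header: id, flags (RD set), qdcount 1, ancount/nscount/arcount 0; then question (type A, class IN)
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp_len = 8 + len(dns)
    udp = struct.pack("!HHHH", 51000, 53, udp_len, 0) + dns  # UDP checksum 0 = not computed
    ip_len = 20 + udp_len
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto 17 (UDP), checksum (left 0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53])) + udp
    # Ethernet: dst MAC, src MAC (locally administered placeholders), ethertype IPv4
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", 0x0800) + ip
    # pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # per-packet record: ts_sec, ts_usec, captured length, original length
    rec_hdr = struct.pack("<IIII", 1678204444, 0, len(eth), len(eth))
    return global_hdr + rec_hdr + eth


def parse_pcap(data):
    """Split a classic pcap file into [(timestamp, frame_bytes), ...]; handles both byte orders."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different container)")
    _magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != 1:
        raise ValueError("this example only handles Ethernet captures")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        packets.append((ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]))
        offset += incl_len
    return packets


def dns_qname(dns):
    """Read the first question name from a DNS message (queries carry no compression pointers)."""
    labels, pos = [], 12  # skip the 12-byte DNS header
    while dns[pos]:
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def decode_frame(frame):
    """Return the fields Wireshark's summary line would show for an Ethernet/IPv4/UDP frame."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        return {"ethertype": ethertype}
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]
    src = ".".join(str(b) for b in frame[14 + 12:14 + 16])
    dst = ".".join(str(b) for b in frame[14 + 16:14 + 20])
    info = {"src": src, "dst": dst, "proto": proto}
    if proto == 17:  # UDP
        sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", frame, 14 + ihl)
        info.update(sport=sport, dport=dport)
        if 53 in (sport, dport):
            info["dns_qname"] = dns_qname(frame[14 + ihl + 8:])
    return info


if __name__ == "__main__":
    for ts, frame in parse_pcap(build_sample_pcap()):
        print(ts, decode_frame(frame))
```

Point `parse_pcap` at a file saved from Wireshark (File > Save As, pcap format) to walk real captures; DNS queries to unexpected resolvers are one of the simplest things to look for in a capture from a host you suspect is compromised.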
Traceroute
It is a straightforward yet sophisticated command-line tool for tracing the route an IP packet takes across one or more networks. Traceroute shows the route taken by data as it travels from its source to its destination. This is an important way to find out how many devices (hops) sit on the path.
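Traceroute learns the path by sending probes with an increasing IP time-to-live: each router decrements the TTL, and the router at which it reaches zero discards the probe and sends back an ICMP Time Exceeded message, which reveals that router's address. The following added example (not the traceroute program itself, and not from the original article) models that exchange over a constructed path so the mechanism can be stepped through offline, including a router that silently drops expired probes, which traceroute displays as `*`. The addresses are documentation-range placeholders.

```python
"""Model the TTL-expiry mechanism traceroute relies on, over a constructed path.

Added example; the path and addresses are hypothetical, not a live network.
"""

# Constructed path from the sender to the destination; the last entry is the destination host.
PATH = ["192.0.2.1", "198.51.100.1", "198.51.100.9", "203.0.113.7"]


def forward(path, ttl, silent=frozenset()):
    """Forward one probe with the given TTL along `path`.

    Returns ("time_exceeded", router) when a router decrements TTL to zero and reports back,
    ("no_reply", "*") when that router drops the probe without replying (filtered hop),
    or ("reached", destination) when the probe arrives (the destination answers with its own reply).
    """
    for hop in path:
        ttl -= 1  # every router decrements TTL before deciding whether to forward
        if ttl == 0 and hop != path[-1]:
            return ("no_reply", "*") if hop in silent else ("time_exceeded", hop)
    return ("reached", path[-1])


def traceroute(path, max_hops=30, silent=frozenset()):
    """Return the hop list exactly as the sender infers it: one probe per TTL value, stop at destination."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, addr = forward(path, ttl, silent)
        hops.append(addr)
        if kind == "reached":
            break
    return hops


def render(hops):
    """Format the result the way traceroute prints it: hop number then address (or * for no reply)."""
    return "\n".join(f"{i:>2}  {addr}" for i, addr in enumerate(hops, start=1))


if __name__ == "__main__":
    print(render(traceroute(PATH)))
    print("--- with a filtered hop ---")
    print(render(traceroute(PATH, silent={"198.51.100.1"})))
```

The `silent` case is worth noting for defenders as well: a router that does not generate ICMP Time Exceeded hides nothing about the hops after it, it only blanks its own line.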
Netcat
Netcat is a feature-packed networking utility that reads and writes data across networks from the command line. It can be used for port scanning, can act as a server, and so on.
How to Use Netcat Commands: Examples and Cheat Sheets (varonis.com)