• Use common CLI utilities for reconnaissance
  • Perform WHOIS lookups
  • Conduct DNS enumeration using nslookup and dig
  • Apply Google Dorking techniques
  • Use Netcraft for OSINT analysis
  • Perform background research on individuals

Scenario: you are tasked with performing OSINT research, information gathering, and reconnaissance activities. These activities simulate the first phase of a typical penetration test. First, you will confirm the IP address of your Kali system and test connectivity to the Structureality website. Next, you will perform a whois lookup and DNS reconnaissance, followed by Google Dorking. Finally, you will perform OSINT using Netcraft and then run a background search on a person.

Target domain: www.structureality.com

The goal was to collect as much publicly available information as possible using different tools and methods.

ping -c 4 www.structureality.com > target_info.txt

  • -c 4 → sends only 4 echo requests (instead of pinging indefinitely)
  • > → redirects the output to a file

To view the output, run:

cat target_info.txt

The output should show that the FQDN www.structureality.com resolves to 203.0.113.1. You should also see that while 4 packets were transmitted,

! If no replies are received, the target may be behind a firewall that drops ICMP echo requests, or the host may be configured not to answer them; a lack of replies does not prove the host is down. Note that a WAF inspects HTTP/HTTPS traffic, so it is a network firewall or host filter, not a WAF, that blocks ICMP.

In a real-world pentest, you would take note of all information discovered. You might take a screenshot or save all web pages visited during the reconnaissance of a target.

Whois reconnaissance

Another common practice in the reconnaissance phase of a penetration test is determining the ownership of the target's registered domain name. A whois query can provide details about the company: name, address, phone number, email addresses and the personnel listed as contact points. Many registries now redact personal contact data, so expect some fields to show a privacy service rather than a real person.

Perform a whois query using the whois database host 192.0.2.10 against the target's registered domain name and capture the output to a file by entering:

whois -h 192.0.2.10 www.structureality.com > target_whois.txt

Display the output by running: cat target_whois.txt

The output shows the domain name, registry domain ID, registrar, relevant dates, registration status and name servers. Whois records are kept per registered domain, so if a server answers "No match" for the www host name, query structureality.com instead.
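The whois lookup above is a very simple protocol, and it is worth seeing what `whois -h` actually does on the wire and how to pull the useful fields out of the reply for later steps (name servers feed the DNS step, contacts feed social engineering). The following is an added example written for this page, not part of the lab or of any whois tool; the server 192.0.2.10 is the lab's documentation address and the sample record is constructed, not real registry data.

```python
"""Raw whois query over TCP/43 plus a parser for the key fields.

Added example (not part of the original lab). The server 192.0.2.10 is an
assumption from the lab text and SAMPLE_RECORD is constructed, not real data.
"""
import re
import socket

WHOIS_PORT = 43


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send `query` to a whois server and return the raw text reply.

    The whois protocol (RFC 3912) is just: connect to TCP/43, send the query
    terminated by CRLF, then read until the server closes the connection.
    This is what `whois -h 192.0.2.10 structureality.com` does under the hood.
    """
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


# Fields a pentester records from a registrar reply.
FIELDS = {
    "Domain Name", "Registry Domain ID", "Registrar", "Creation Date",
    "Updated Date", "Registry Expiry Date", "Domain Status", "Name Server",
    "Registrant Organization", "Registrant Email", "Tech Email", "Admin Email",
}


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines for interesting keys.

    Keys that repeat (e.g. Name Server) become lists; duplicates are dropped.
    """
    found: dict = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key not in FIELDS:
            continue
        found.setdefault(key, [])
        if value.lower() not in (v.lower() for v in found[key]):
            found[key].append(value)
    return {k: (v[0] if len(v) == 1 else v) for k, v in found.items()}


def registrable_domain(fqdn: str) -> str:
    """Whois records exist per registered domain, so strip the host label.

    Naive: assumes a single-label TLD such as .com (no public-suffix list).
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


# Constructed sample reply shaped like a registrar record (not real data).
SAMPLE_RECORD = """\
Domain Name: STRUCTUREALITY.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar: Example Registrar, Inc.
Updated Date: 2023-01-15T00:00:00Z
Creation Date: 2010-06-01T00:00:00Z
Registry Expiry Date: 2026-06-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS.STRUCTUREALITY.COM
Name Server: NS2.STRUCTUREALITY.COM
Registrant Organization: Structureality
Registrant Email: Select Request Email Form at https://example-registrar.invalid/contact
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 whois_recon.py 192.0.2.10 www.structureality.com
        raw = whois_query(sys.argv[1], registrable_domain(sys.argv[2]))
    else:
        raw = SAMPLE_RECORD  # offline demo on the constructed record
    for key, value in parse_whois(raw).items():
        print(f"{key:24} {value}")
```

Run it with no arguments to see the parser work on the constructed record, or with a whois host and host name to query live; registrars that proxy contact details will return a privacy service in the Registrant fields.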

DNS Reconnaissance

Another common penetration testing task is to enumerate information from DNS about the target. This can often be used to discover other related FQDNs, name servers, mail servers and more. You will be using the CLI tools nslookup and dig.

NSLOOKUP

nslookup is a program that queries DNS. It has two modes: non-interactive, where you pass the whole query on the command line and invoke nslookup again for every query, and interactive, where you run nslookup once and then type queries and commands at its prompt using the program's own syntax.

To enter interactive mode, run nslookup, then type server to show which DNS server it is currently querying. The result should be the IP address of the


View the address (A) resource record of the target's FQDN by entering: www.structureality.com

The results should show an IP address: the same IP address discovered through ping earlier.

! Notice that the result is labelled 'Non-authoritative answer'. This means the answer came from the resolver's cache rather than from a name server that is authoritative for the zone. For the most accurate (and current) results, query the authoritative server directly.

Resolve the name server discovered in the prior whois exercise, ns.structureality.com, to its IP address by entering: ns.structureality.com

The result is the IPv4 address of ns.structureality.com.

Change the lookup server for nslookup to the IPv4 address of the name server (ns.structureality.com) by entering: server 203.0.113.226

Repeat the query for www.structureality.com. The answer now comes directly from the authoritative source and is no longer marked non-authoritative.

DIG

You can also use the dig utility to extract DNS information from an authoritative DNS server for the registered domain structureality.com, capturing the output to a file by entering:

dig @203.0.113.225 www.structureality.com > target_dns.txt

To view the results, run: cat target_dns.txt

Notice that this operation also captured the SOA record for structureality.com. While dig does not label the fields, the same values that nslookup labels origin, mail addr, serial, refresh, retry, expire and minimum are present.

The double greater-than (>>) appends to target_dns.txt, whereas a single > would overwrite the file.

Run:

dig @203.0.113.225 structureality.com -t mx >> target_dns.txt

dig @203.0.113.225 structureality.com -t ns >> target_dns.txt

Because the queries are sent to the authoritative name server (the @203.0.113.225 prefix), the answers come directly from the authoritative source, just as they did after the server command in nslookup.

Information Extracted:

  • SOA (Start of Authority)
  • Mail servers (MX)
  • Name servers (NS)
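The nslookup and dig steps above are repetitive by hand, and the raw `>>` file still has to be read by eye. The following is an added example (not part of the lab or of the dig/nslookup tools) that drives dig against an authoritative server for the record types the lab collects and parses the answers into structured records, including labelling the SOA fields with nslookup's names and ordering the MX hosts by priority. It assumes dig is installed; the server 203.0.113.225 is the lab's documentation address and the sample dig output is constructed so the parser can be exercised offline.

```python
"""Run dig against an authoritative name server for the record types the lab
collects (A, MX, NS, SOA) and parse `+noall +answer` output into records.

Added example (not the lab's own tooling). Assumes dig is on PATH; the
server 203.0.113.225 comes from the lab text and SAMPLE_OUTPUT is constructed.
"""
import subprocess
from typing import Dict, List

RECORD_TYPES = ["A", "MX", "NS", "SOA"]


def dig_answer(name: str, rtype: str, server: str, timeout: int = 5) -> str:
    """Return only the ANSWER section, one record per line (`+noall +answer`).

    The @server argument sends the query straight to the authoritative name
    server instead of the local resolver, so the reply is not a cached copy.
    """
    cmd = ["dig", f"@{server}", "+noall", "+answer", f"+time={timeout}",
           "+tries=1", name, rtype]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout


def parse_dig_answer(text: str) -> List[Dict[str, object]]:
    """Parse `+noall +answer` lines of the form NAME TTL CLASS TYPE RDATA..."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        name, ttl, rclass, rtype, rdata = parts
        if rclass != "IN":
            continue
        records.append({"name": name.rstrip("."), "ttl": int(ttl),
                        "type": rtype, "rdata": rdata})
    return records


def soa_fields(rdata: str) -> Dict[str, object]:
    """Label the seven SOA values with the names nslookup prints for them."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {"origin": mname.rstrip("."), "mail addr": rname.rstrip("."),
            "serial": int(serial), "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def mail_hosts(records) -> List[str]:
    """MX rdata is 'PRIORITY HOST'; return hosts ordered lowest priority first."""
    mx = [r for r in records if r["type"] == "MX"]
    mx.sort(key=lambda r: int(r["rdata"].split()[0]))
    return [r["rdata"].split()[1].rstrip(".") for r in mx]


def dns_recon(domain: str, server: str, outfile: str = "target_dns.txt"):
    """Query each type, append the raw output to outfile (like `>>` in the lab),
    and return the parsed records."""
    records = []
    with open(outfile, "a") as fh:
        for rtype in RECORD_TYPES:
            raw = dig_answer(domain, rtype, server)
            fh.write(f"; {domain} {rtype} @{server}\n{raw}\n")
            records.extend(parse_dig_answer(raw))
    return records


# Constructed dig output (not a real capture) so the parser runs offline.
SAMPLE_OUTPUT = """\
structureality.com.\t3600\tIN\tSOA\tns.structureality.com. hostmaster.structureality.com. 2024010101 7200 3600 1209600 86400
structureality.com.\t3600\tIN\tMX\t20 mail2.structureality.com.
structureality.com.\t3600\tIN\tMX\t10 mail.structureality.com.
structureality.com.\t3600\tIN\tNS\tns.structureality.com.
www.structureality.com.\t300\tIN\tA\t203.0.113.1
"""

if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r['name']:28} {r['type']:4} {r['rdata']}")
    print("mail hosts by priority:", mail_hosts(recs))
    soa = next(r for r in recs if r["type"] == "SOA")
    print("SOA:", soa_fields(soa["rdata"]))
    # Live run against the lab's authoritative server (needs dig and network):
    # dns_recon("structureality.com", "203.0.113.225")
```

The `www` A record is queried as a separate name from the apex records in a live run (`dns_recon("www.structureality.com", ...)` for the A record), because the MX, NS and SOA records live at structureality.com, not at the www host.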

Google Dorking

Google Dorking is the use of Google's advanced search operators to gain more control over, and focus in, search operations. It is also known as Google hacking (or, informally, Google-fu).

Using Google search operators such as site: and filetype:, you can attempt to discover a link to the robots.txt file hosted at twitter.com using the following search query:

site:twitter.com filetype:txt robots

This search should return results that include www.twitter.com/robots.txt. Select this link.

You should see a text file containing instructions for search-engine crawlers (identified by the User-agent field) about which directories and pages may (Allow:) or may not (Disallow:) be indexed. robots.txt is advisory only: it asks crawlers to stay away from the listed paths but does not protect them, so looking through it can reveal interesting locations where sensitive or important data may be stored.
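Reading a long robots.txt by eye is error-prone, so a practitioner usually pulls the Disallow paths out programmatically and flags the ones worth visiting. The following is an added example written for this page (not part of the lab); the robots.txt text it parses is constructed for the demo, and the keyword list used to flag "interesting" paths is an assumption you would tune per engagement.

```python
"""Extract Allow/Disallow paths per User-agent from a robots.txt and flag
recon-relevant ones.

Added example, not part of the original lab. SAMPLE_ROBOTS is constructed;
the KEYWORDS list is an assumed starting point, not a standard.
"""
import urllib.request
from collections import OrderedDict

KEYWORDS = ("admin", "backup", "config", "login", "private", "old", "test",
            "api", "internal")


def fetch_robots(base_url: str, timeout: float = 10.0) -> str:
    """Download <base_url>/robots.txt (needs network; not used by the demo)."""
    url = base_url.rstrip("/") + "/robots.txt"
    req = urllib.request.Request(url, headers={"User-Agent": "recon-lab/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_robots(text: str) -> dict:
    """Group Allow/Disallow directives per User-agent and collect Sitemap lines.

    Consecutive User-agent lines share one rule block, as the robots
    convention specifies; comments (#) and blank lines are ignored.
    """
    groups: "OrderedDict[str, dict]" = OrderedDict()
    sitemaps = []
    current = []            # agents of the block currently being filled
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not last_was_agent:   # a new block starts after rules
                current = []
            current.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
            last_was_agent = True
            continue
        last_was_agent = False
        if field in ("allow", "disallow") and value:
            for agent in current:
                groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return {"groups": groups, "sitemaps": sitemaps}


def interesting_paths(parsed: dict, keywords=KEYWORDS):
    """Disallowed paths matching recon keywords, across all user-agents.

    Disallow only asks crawlers to keep out; it denies nothing, so each hit is
    a candidate to request directly in the next phase.
    """
    hits = set()
    for rules in parsed["groups"].values():
        for path in rules["disallow"]:
            if any(k in path.lower() for k in keywords):
                hits.add(path)
    return sorted(hits)


# Constructed sample, not a real site's file.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
User-agent: Bingbot
Disallow: /search
Disallow: /internal-tools/

Sitemap: https://www.example.invalid/sitemap.xml
"""

if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in parsed["groups"].items():
        print(f"{agent:12} allow={rules['allow']} disallow={rules['disallow']}")
    print("sitemaps:", parsed["sitemaps"])
    print("worth a look:", interesting_paths(parsed))
```

For a live target, replace SAMPLE_ROBOTS with `fetch_robots("https://www.twitter.com")`; sitemap URLs are worth collecting too, since they enumerate pages the site wants indexed and often expose URL structure.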

Another tip: discovering insecurely configured Cisco devices on the Internet.

Using search operators including filetype and the phrase "enable password 7", attempt to discover results that reveal a weakness in Cisco device configurations exposed on the Internet. Use the following search query:

filetype:cfg "enable password 7"

Then select one of the results.

The result is the configuration file of a Cisco switch, which includes the device's enable password stored in the type 7 format. Look through the file to locate the line that starts with "enable password 7".

Notice the value 09424F0A170414425D. Cisco type 7 is not a hash but a reversible encoding (a fixed-key XOR), so the password can be recovered directly. One online decoder is https://www.ifm.net.nz/cookbooks/passwordcracker.html

The decoded password is nacnac06 (educational purposes only).
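Rather than paste a found string into a third-party website, a pentester should know why type 7 is recoverable. The transform is an XOR of the password bytes against a fixed, publicly known key, with the first two characters of the string giving the starting offset into that key. The following is an added example written for this page (not from the lab or from Cisco) that decodes the lab's value, re-encodes it to show the transform is symmetric, and scans a config for every "password 7" line; the config fragment is constructed, with the enable line carrying the value from the lab.

```python
"""Decode and re-encode Cisco 'password 7' strings and scan a config for them.

Added example, not from the lab. XLAT is the publicly known type 7 key;
SAMPLE_CONFIG is a constructed fragment carrying the lab's enable value.
"""
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """'09424F0A170414425D' -> 'nacnac06'.

    Format: two decimal digits (seed = offset into XLAT) followed by hex pairs,
    each pair being password_byte XOR XLAT[(seed + i) % len(XLAT)].
    Raises ValueError on malformed input rather than returning garbage.
    """
    s = encoded.strip()
    if len(s) < 4 or len(s) % 2 or not s[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(s[:2])
    if seed >= len(XLAT):
        raise ValueError("seed out of range")
    body = bytes.fromhex(s[2:])
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(body))


def encode_type7(password: str, seed: int = 9) -> str:
    """Inverse of decode_type7: XOR twice with the same key is the identity,
    which is exactly why type 7 offers no real protection."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(password.encode("ascii")):
        out.append(f"{ch ^ XLAT[(seed + i) % len(XLAT)]:02X}")
    return "".join(out)


def find_type7(config_text: str):
    """Return (line, decoded) for each config line ending in 'password 7 <hex>'."""
    found = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-2] == "7" and parts[-3] == "password":
            try:
                found.append((line.strip(), decode_type7(parts[-1])))
            except ValueError:
                continue            # malformed value: skip, don't crash the scan
    return found


# Constructed config fragment (the enable line uses the value from the lab).
SAMPLE_CONFIG = """\
hostname sw-edge-1
enable password 7 09424F0A170414425D
username admin password 7 030752180500
line vty 0 4
 password 7 030752180500
"""

if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{line:45} -> {plain}")
    print("re-encoded:", encode_type7("nacnac06", seed=9))
```

The fix on the device side is to stop using `enable password` / type 7 entirely and configure `enable secret` (a real one-way hash) instead, and to treat a leaked config as a credential exposure regardless of the format.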

Google is one of the best OSINT tools available. To learn more about Google Dorking, this guide explains the advanced search operators in detail: https://ahrefs.com/blog/google-advanced-search-operators/

NetCraft

There are tons of online research tools that can be used for OSINT gathering about online sites and services. One of these is Netcraft. A recent marketing statement from their site is: "Combining detection, threat intelligence and robust disruption & takedown, Netcraft's automated digital risk protection platform keeps your organization and customers safe from phishing, scams, fraud and cyber attacks." You will use Netcraft's site report service to discover information about a website.


In your local browser type https://sitereport.netcraft.com/

In the "What's that site running?" search field, type http://comptia.org, then select Analyze.


The information collected and presented by Netcraft is a combination of public data pulled in real-time from various sources and historical data collected by Netcraft's own polling, probing, and indexing operations.

! In the Network section, on the "Domain" line in the second column, select the link comptia.org. This should display a page titled "Hostnames matching *.comptia.org".

Notice that there are dozens of sub-domains defined and managed by CompTIA.

Performing a background check on a person

A key element of OSINT is gathering details about people associated with a target organization. There are many sites that can be used for this purpose; you will use SearchSystems, a people-search engine that indexes government public-record databases.

www.searchsystems.net

! The sites indexed on SearchSystems.net are public-record databases. As a US citizen, you have the right to access and view these records. Some linked sites allow access with a basic search; some require that you create an account and confirm your email address before you can search; and a few are restricted to confirmed and approved regional residency (such as a state, county or city), which may require proof of residence before you can access their records.

Enter www.searchsystems.net to access SearchSystems and browse the 70,000+ public-record databases (maintained with your taxes) that contain information about individuals.

You are welcome to explore the various databases you discover on SearchSystems. Each site you visit will likely be hosted and operated by a different entity, so the sites' quality and ease of use can vary greatly.

You might ask yourself: why is this useful?

Why this matters (real-world perspective)

MX records

They reveal the organisation's mail servers (and often its mail provider), which attackers use when planning phishing campaigns.

WHOIS data

Can expose names, email addresses and infrastructure details that are useful for social engineering.

DNS records

Help map out services that are not advertised, such as:

  • admin panels
  • test servers
  • internal tools

Google Dorking

Can uncover accidentally exposed files like configs or backups.

Netcraft

Helps identify the technologies in use and possibly outdated systems.