In this recipe, we will look at how to make use of tools meant for online information gathering. We will cover tools that gather information on Whois records, domains, and MX mail servers. Shodan is a powerful search engine that locates devices for us over the Internet. With the help of various filters, we can find information about our targets. Among hackers, it is also called the world's most dangerous search engine.
We will make use of tools such as dnsenum for Whois enumeration and for finding all the IP addresses involved in a domain, and we will see how Shodan provides us with open-port information for the target searched.
The steps are as follows:
1. Run a basic enumeration of the domain:
   dnsenum <domainname>
   The output will be as shown in the following screenshot:
2. Add Google scraping of subdomain names:
   dnsenum -p 5 -s 20 facebook.com
   The output will be as shown in the following screenshot:
   As we can see, the -p and the -s switches tell dnsenum to search across 4 pages of Google and the maximum number of scrape entries to be pulled from Google.
3. Brute force subdomains from a wordlist:
   dnsenum -f subdomains.txt facebook.com
   Here subdomains.txt is a custom list of possible subdomains; we get the output as follows:
Coming back to the simple DNS enumeration we performed, and to the ones above, we observe that the output contains a lot of information, so it is always better to save the output in a file. One option is to redirect the output to a file using the following command:
dnsenum <domain name> > dnsenum_info.txt
The output will be as shown in the following screenshot:
However, if we need to use the enumeration output in another tool, we should use the switch provided by dnsenum to write the output in XML format, as the majority of tools support XML import. Use the following command:
dnsenum -o dnsenum_info <domain name>
The output will be as shown in the following screenshot:
The dnsenum command gives you a lot of information about your target; the screenshot includes fields such as Country:IN. You can see how it fetches a huge output:
As we can see, the amount of functionality provided is vast. We should take the time to explore all the options one after another.
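As an added example (not from the book), a small Python script that parses the text output saved with the redirect above, so the saved file can feed a defender's inventory: it lists which names the wordlist brute force revealed, which names share an address, and whether any zone transfer succeeded. The sample output embedded in it is constructed; the record lines follow the standard name/TTL/class/type/rdata presentation format, and treating records under the zone-transfer heading as a leaked zone is an assumption about dnsenum's layout.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of dnsenum's text output: a heading, an underline, then
# records in standard DNS presentation format (name TTL class type rdata). The names and
# addresses are documentation values, not results of a real scan.
SAMPLE_OUTPUT = """\
Host's addresses:
__________________
example.com.          300   IN  A  192.0.2.10

Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for example.com on ns1.example.com ...
AXFR record query failed: REFUSED

Brute forcing with subdomains.txt:
___________________________________
www.example.com.      300   IN  A  192.0.2.10
dev.example.com.      300   IN  A  203.0.113.7
"""

RECORD_RE = re.compile(r"^(?P<name>\S+\.)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)")

def parse_dnsenum(text):
    """Return each record line as a dict tagged with the dnsenum section it appeared under."""
    records, section, lines = [], "", text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"_"}:  # a section heading is followed by a line of underscores
            section = line.strip().rstrip(":")
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(dict(section=section, **m.groupdict()))
    return records

def exposure_report(text):
    """Defender's view: names a wordlist reveals, names sharing an address, and any AXFR leak."""
    records = parse_dnsenum(text)
    by_ip = defaultdict(set)
    for r in records:
        if r["rtype"] == "A":
            by_ip[r["rdata"]].add(r["name"].rstrip("."))
    bruteforced = sorted(r["name"].rstrip(".") for r in records if r["section"].startswith("Brute forcing"))
    # Assumption: on a successful transfer dnsenum lists the zone's records under the AXFR
    # heading, so any record found there means the name server handed out the whole zone.
    leaked = any(r["section"].startswith("Trying Zone Transfers") for r in records)
    return {"hosts_by_ip": {ip: sorted(names) for ip, names in by_ip.items()},
            "bruteforced_hosts": bruteforced, "zone_transfer_leaked": leaked}
```

Run it against a real dnsenum_info.txt by passing the file's contents to exposure_report; a True zone_transfer_leaked means the name server should be restricted to allow AXFR only from its secondaries.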
The dnsenum <domain name> syntax queries the DNS server of the mentioned domain name, followed by the name server and mail server. It also performs a check on whether a zone transfer can take place.
The switches used work as follows:
-o, --output <file>: When specified with a file name, this provides an XML-based output of the DNS enumeration done
-p, --pages <value>: The number of Google search pages to process when scraping names; the default is 20 pages; the -s switch must be specified
-s, --scrap <value>: The maximum number of subdomains that will be scraped from Google
-f, --file <file>: Read subdomains from this file to perform brute force
More information gathering can be done by using the Shodan search engine.
The Shodan search engine lets a user find specific types of computers or devices over the Internet with the help of different filter combinations. This can be a great resource for gathering information about a target. We can learn more about the Shodan filters by visiting http://www.shodanhq.com/help/filters. Shodan has a huge list of filters; the one used above is shown in the screenshot.