eLearnSecurity Blog

Pentesting 101: More Domain Tools

Tools of the trade for cyber security professionals

In the first article in eLearnSecurity’s introduction to pentesting methodology, Hisomeru discussed why Technical OSINT is foundational to penetration testing and introduced tools to gather information from a client. In this article, Hisomeru continues the discussion on how to collect Technical OSINT.

Domain Tools is a great storehouse of information that a penetration tester can use to gather information on a potential target. Its graphics are not as fancy as Robtex's, but it has the majority of the information needed to start the job, presented clearly and concisely. It also provides a screenshot gallery of the web page and links to whois information for related domains such as nmap.net and nmap.com. The nmap.org entry can be seen at http://whois.domaintools.com/nmap.org.

Moving away from websites to more Linux command-line-based tools, there is a tool called “dnsenum” at our disposal. Dnsenum is a simple program that accepts different command-line switches to return different information. In this example we just use nmap.org as the command-line argument and nothing more. You’ll notice dnsenum shows us the mail server information. This valuable information tells us that the mail server is run by Google, so they don’t have their own in-house mail server. For future reference, a mail server can serve as a potential entry point into a network. It also specifically tells us that *.nmap.org will redirect to www.nmap.org because the zone uses a wildcard record.

Staying with the Linux command line options for technical OSINT, another tool available to us is “theHarvester.” Instead of using a web browser to search and deliver the requested information, theHarvester works from the Linux command line and derives its information from various search engines. More information on how this tool works can be found at: https://github.com/laramies/theHarvester.

Below is an example of how to use theHarvester.

You’ll notice that the four tools previously mentioned all show data in different ways and have different interfaces. Using all these tools in conjunction can provide a mostly complete picture of the target network. This happens to be the case in our example of using nmap.org. In the search results from theHarvester, we find that there are more subdomains. Some of these subdomains exist to catch typos, others are completely dormant or haven’t been in use for some time, and others appear here that are not listed on a site like Robtex. If we take a look at svn.nmap.org, you’ll notice that it isn’t exactly a website but more of a file repository: it is a front-end for Subversion, a software versioning and revision control system used by developers to maintain source code. This could be a potentially useful tool later on in a penetration test to find exploitable bugs in a company’s source code. For right now, we will leave svn.nmap.org alone and continue to focus on fleshing out the Technical OSINT on nmap.org.
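The wildcard behaviour dnsenum reported and the subdomain list theHarvester produced raise the same practical question: which names are real hosts and which are simply the wildcard answering? The following is an added example (mine, not code from the article or from either tool) that checks a zone for a wildcard before trusting subdomain hits and flags whether mail is outsourced; the zone data, the RFC 5737 addresses and the MX names are constructed stand-ins, and `fake_resolve` replaces a real DNS lookup so the script runs offline.

```python
import random
import string
from typing import Optional
# Constructed zone modelled on the dnsenum findings in the text. Addresses are
# RFC 5737 test values, not nmap.org's real ones; "*.nmap.org" is the wildcard.
CONSTRUCTED_ZONE = {
    "nmap.org": frozenset({"192.0.2.10"}),
    "www.nmap.org": frozenset({"192.0.2.10"}),
    "svn.nmap.org": frozenset({"192.0.2.20"}),
    "*.nmap.org": frozenset({"192.0.2.10"}),
}
# Constructed MX answer in the style of Google-hosted mail: no host under nmap.org.
CONSTRUCTED_MX = ["aspmx.l.google.com.", "alt1.aspmx.l.google.com."]

def fake_resolve(name: str) -> Optional[frozenset]:
    """Stand-in for a real A lookup: exact record first, else the parent's wildcard."""
    exact = CONSTRUCTED_ZONE.get(name)
    return exact or CONSTRUCTED_ZONE.get("*." + name.split(".", 1)[1])

def detect_wildcard(domain: str, resolve, probes: int = 3) -> Optional[frozenset]:
    """Resolve random labels nobody created; one shared answer means a wildcard."""
    answers = []
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=16))
        answers.append(resolve(f"{label}.{domain}"))
    if any(a is None for a in answers) or len(set(answers)) != 1:
        return None
    return answers[0]

def check_subdomains(candidates, domain: str, resolve):
    """Sort candidates into confirmed (distinct answer), ambiguous (same answer
    as the wildcard, so the name may not exist) and absent (no answer)."""
    wildcard = detect_wildcard(domain, resolve)
    confirmed, ambiguous, absent = {}, {}, []
    for label in candidates:
        name = f"{label}.{domain}"
        answer = resolve(name)
        if answer is None:
            absent.append(name)
        elif wildcard is not None and answer == wildcard:
            ambiguous[name] = answer
        else:
            confirmed[name] = answer
    return confirmed, ambiguous, absent

def mail_is_outsourced(mx_hosts, domain: str) -> bool:
    """True when no MX host is the organisation's own domain or sits under it."""
    hosts = [h.rstrip(".") for h in mx_hosts]
    return not any(h == domain or h.endswith("." + domain) for h in hosts)
```

Pass a resolver built on `socket.getaddrinfo` or dnspython in place of `fake_resolve` to run the same logic against a zone you are authorised to assess.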

Another way to find more Technical OSINT is using Google search, or more specifically using Google Dorks. Google Dorks are search terms that are used in conjunction with the target network. For instance, if we wanted to see if nmap.org hosted Microsoft Word documents we could use a search term something like this: “site:nmap.org filetype:doc”. This would show any search results with nmap.org being the hosting server and any files of the “doc” type. Another example of a Google Dork would be “site:nmap.org inurl:login”. This could potentially reveal a hidden login page that isn’t linked anywhere on the website. It is also important to note that Google Dorks are not limited to the Google search engine; they also work on the DuckDuckGo search engine.

As shown above, documents can be discovered using Google Dorks. Documents can lead to some great Technical OSINT on the company but can also lead to Human OSINT through metadata. We will focus more on that in the next article. 

Hisomeru is a contributing player in the infosec community. In Hisomeru’s more than 15 years of experience, Hisomeru has managed IT security teams, developed custom tools and performed penetration tests. Cyber security is Hisomeru’s passion and Hisomeru has taught many individuals cutting edge penetration testing techniques. Hisomeru’s Twitter is: https://twitter.com/Hisomeru
