DNS Recon

The Domain Name System is crucial for human interaction with networks. Gathering information about a target is critical to performing a successful penetration test, and the DNS service is one of the key sources of this information. Today, I want to write about the different types of information that can be discovered by probing this service using a mix of command line tools and web resources. There are many tools available to interact with DNS, but today I’m going to cover the use of nslookup, host, and dig on the command line, and the netcraft website.


Subdomain Enumeration

As with most things related to pen-testing, there are many different ways to enumerate the subdomains of your target. One promising tool I’ve been playing with recently is Recon-ng. I won’t be at all surprised if Recon-ng becomes as popular for the reconnaissance phase of a pen-test as Metasploit has become for the exploit phase. Today, though, I want to talk about a fun method I used a few weeks ago to find out more about the subdomains of my target. But first, here are some completely passive methods of enumerating subdomains.
