Reconnaissance is the first step of the kill chain when conducting a penetration
test or an attack against a network or server target. An attacker will typically
dedicate up to seventy-five percent of the overall work effort for a penetration test
to reconnaissance, as it is this phase that allows the target to be defined, mapped,
and explored for the vulnerabilities that will eventually lead to exploitation.

There are two types of reconnaissance: passive reconnaissance, and
active reconnaissance.
Generally, passive reconnaissance is concerned with analysing information that is
openly available, usually from the target itself or public sources online. On accessing
this information, the tester or attacker does not interact with the target in an unusual
manner—requests and activities will not be logged, or will not be traced directly to
the tester. Therefore, passive reconnaissance is conducted first to minimize the direct
contact that may signal an impending attack or to identify the attacker.

Basic principles of reconnaissance

Reconnaissance activities are segmented on a gradient of interactivity with the target
network or device. At the passive end, the tester's source IP address and activities are not
logged by the target, so the tester cannot be traced back. A basic example is simply
searching Google for a company, an organisation, or a person.

The basic difference between passive and active reconnaissance is whether you interact
directly with the target. In passive reconnaissance you do not touch the target's systems at all:
searching for an organisation, or visiting a public third-party site, leaves nothing in the target's logs.
In active reconnaissance the tester interacts directly with the target, for example by scanning its ports.
A firewall, or blocked ICMP packets, may trigger an alarm, and your source IP address is recorded,
through which you can easily be traced. (Your MAC address is never seen by a remote target; it does not
travel beyond the local network segment.)

                        PASSIVE RECONNAISSANCE


OSINT is information collected from public sources, particularly the Internet. The
amount of available information is considerable; most intelligence and military
organizations are actively engaged in OSINT activities, both to collect information about
their targets and to guard against data leakage about themselves. Running OSINT against your
own organisation shows exactly how much information is already public on your own websites.

For example, the US Army's OSINT manual, ATP 2-22.9, is publicly available as a PDF from:

OSINT gathering usually starts with a review of the target's official online presence:
website, blogs, social-media pages (Facebook, Twitter, Google+, LinkedIn, etc.), and third-party data repositories such as public
financial records.

Through this the tester can gather much useful information about the target, such as:

•     Employee names and contact information, especially e-mail addresses and phone numbers.
•     Clues about the corporate culture and language; this will facilitate social engineering attacks.
•     Technologies in use. For example, if the target issues a press release about
adopting new devices or software, the attacker will review the vendor's
website for bug reports, known or suspected vulnerabilities, and details that
could be used to facilitate various attacks. This is still passive: only the vendor's
public site is visited, never the target itself.

This OSINT can be made much more precise through the smart use of search engines such as Google, Bing or Yahoo.
Google is the most widely used, and it supports special search operators, known as
GOOGLE DORKING, which we will deal with later.

                  DNS reconnaissance and route mapping

Once a tester has identified the targets that have an online presence and contain
items of interest, the next step is to identify the IP addresses and routes to the target.

DNS reconnaissance is concerned with identifying who owns a particular domain, or the
series of IP addresses assigned to it.

Some of this information is available publicly on the Internet, such as the hosting location.
Other details, like the domain's administrator or owner, their contact information, and the hosting server names,
are obtained by querying third-party services (registrars, whois servers, DNS resolvers), and those third parties
may record your request, including your source IP address. That reveals something about the attacker,
which means DNS reconnaissance is not fully passive reconnaissance.

Another point to note:

DNS reconnaissance and route mapping can be done with the help of many tools and online services, such as
whois, traceroute and whatweb. You will often get slightly different results each time, so do not trust any
single result blindly; compare and cross-validate the results obtained from several tools.


The first step in researching the IP address space is to identify the addresses that
are assigned to the target site. This is usually accomplished by using the whois
command, which allows people to query databases that store information on the
registered users of an Internet resource, such as a domain name or IP address.

An attacker can use information from a whois query to:

•     Identify a location for a physical attack
•     Identify phone numbers that can be used for a war dialing attack, or to
conduct a social engineering attack
•     Conduct recursive searches to locate other domains hosted on the same
server as the target or operated by the same user; if they are insecure, an
attacker can exploit them to gain administrative access to the server, and then
compromise the target server

•     In cases where the domain is due to expire, an attacker can attempt to seize
the domain, and create a look-alike website to compromise visitors who
think they are on the original website
command :

whois <website name>

example :

The whois output (shown as a screenshot in the original post) reveals:

•     the registrant's postal address; plotting it on Google Maps gives the physical
location associated with the domain
•     the admin contact's name, e-mail address and phone number (we will learn later how to
harvest e-mail addresses from a website with theHarvester)
•     the name servers, and often the hosting provider, for the domain

Note that many registrars now apply privacy protection, so the contact fields may read
"REDACTED FOR PRIVACY" instead of real data; the registrar, name servers and expiry date
are usually still visible.

So through this one command you get a lot of information about the target.
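As an added example (not part of the original post), here is a small Python script that reads whois output and pulls out the items listed above: name servers, contact e-mails, privacy-redacted fields, and how many days are left before the domain expires. The whois text is constructed inline for a hypothetical domain, example-target.com, so it runs offline; on a real engagement you would feed it the output of whois <website name>.

```python
import re
from datetime import date, datetime

# Constructed sample of whois(1) output for a hypothetical domain (not real
# registration data); the field names follow the common registry layout.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registry Domain ID: 123456789_DOMAIN_COM-VRSN
Registrar: Hypothetical Registrar, Inc.
Updated Date: 2024-01-15T10:22:31Z
Creation Date: 2015-03-02T08:00:00Z
Registry Expiry Date: 2024-07-01T08:00:00Z
Name Server: NS1.EXAMPLE-TARGET.COM
Name Server: NS2.EXAMPLE-TARGET.COM
Registrant Organization: Example Target Ltd
Registrant City: REDACTED FOR PRIVACY
Registrant Country: GB
Admin Name: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record
Tech Email: hostmaster@example-target.com
>>> Last update of whois database: 2024-06-10T12:00:00Z <<<
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")
# Different registries label the expiry field differently.
EXPIRY_KEYS = ("registry expiry date", "registrar registration expiration date",
               "expiration date", "expiry date")


def parse_whois(text):
    """Turn 'Key: value' lines into {key: [values]}; repeated keys (Name Server) accumulate."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")):   # comment / trailer lines
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_date(value):
    """Registries format dates differently; try the common layouts."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def summarize_whois(text, today_iso):
    """Extract what the recon phase cares about: ownership, infrastructure, contacts, expiry."""
    today = date.fromisoformat(today_iso)
    f = parse_whois(text)
    expiry = next((parse_date(f[k][0]) for k in EXPIRY_KEYS if k in f), None)
    days_left = (expiry - today).days if expiry else None
    return {
        "domain": f.get("domain name", [""])[0].lower(),
        "registrar": f.get("registrar", [""])[0],
        "registrant_country": f.get("registrant country", [""])[0],
        "name_servers": [ns.lower() for ns in f.get("name server", [])],
        "contact_emails": sorted(set(EMAIL_RE.findall(text))),
        # Privacy-protected registrations hide the contact fields that social engineering needs.
        "redacted_fields": [k for k, v in f.items() if any("REDACTED" in x.upper() for x in v)],
        "days_to_expiry": days_left,
        # A domain about to lapse is a candidate for the takeover / look-alike site attack.
        "expiring_soon": days_left is not None and days_left <= 30,
    }


if __name__ == "__main__":
    for k, v in summarize_whois(SAMPLE_WHOIS, "2024-06-10").items():
        print(f"{k:>18}: {v}")
```

The 30-day expiry threshold is an arbitrary choice for the example; the point is that the expiry date is one of the few fields a privacy-protected registration cannot hide, and it is the starting point of the domain-seizure attack listed above.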

ping :

This is used for getting the IP address of any domain, and for checking whether the host answers at all.
It does not use the TCP three-way handshake: ping sends an ICMP Echo Request to the destination and waits
for an ICMP Echo Reply. (If the target or a firewall drops ICMP you get no reply even though the host is up,
so silence is not proof that a host is down.)
Sometimes the ping command is also used for checking the speed (latency) of the network.

Three things to look at in the output:

1. icmp_seq    the sequence number of each echo request; a gap in the sequence means a reply was lost.
   ICMP echo is not the SYN packet of the TCP three-way handshake; TCP scanning is covered later.

2. ttl    (time to live) is the lifetime of the packet, counted in router hops rather than seconds.

   Every newly generated packet starts with a default TTL that depends on the OS (64 for Linux/Unix/macOS,
   128 for Windows, 255 for many network devices), and each router it passes through decrements it by 1.
   The TTL in the reply therefore hints both at the target's operating system and at the number of hops
   in between; we will use this for OS detection later.

3. time    the round-trip time, which gives an approximate idea of network speed: the lower the time, the faster the link.

0.1-10 ms  //high speed (a local or nearby host)

command :

ping <website name>/<IP address>

example :

(screenshot in the original post)

Another quick check of net speed is to ping a host that is always up:

command :

ping   //pinging google
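Added example (not from the original post): a Python parser for Linux ping output that extracts the resolved IP address, the lost sequence numbers and the average round-trip time, and uses the reply TTL to estimate the target's initial TTL, OS family and hop count, as described above. The ping output is constructed (a documentation address, not a real capture), so the script runs offline.

```python
import re
import statistics

# Constructed output in the format of Linux iputils ping (not a real capture);
# 203.0.113.0/24 is a documentation range, so nothing here points at a real host.
SAMPLE_PING = """\
PING target.example (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=54 time=12.3 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=54 time=11.8 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=54 time=12.7 ms

--- target.example ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3004ms
rtt min/avg/max/mdev = 11.800/12.266/12.700/0.368 ms
"""

HEADER_RE = re.compile(r"^PING (?P<host>\S+) \((?P<ip>[^)]+)\)", re.M)
REPLY_RE = re.compile(r"from (?P<src>.+?): icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<rtt>[\d.]+) ms")
SENT_RE = re.compile(r"(?P<sent>\d+) packets transmitted")

# Well-known default initial TTLs; a reply TTL is the initial value minus the hop count.
INITIAL_TTLS = ((64, "Linux/Unix/macOS"), (128, "Windows"), (255, "network device / Solaris"))


def guess_initial_ttl(observed):
    """Pick the smallest well-known initial TTL that is >= the observed reply TTL."""
    for initial, os_family in INITIAL_TTLS:
        if observed <= initial:
            return initial, os_family
    raise ValueError("TTL out of range")


def analyse_ping(text):
    """Summarise one ping run: resolved IP, loss, latency, and the TTL-based OS/hop estimate."""
    header = HEADER_RE.search(text)
    replies = [m.groupdict() for m in REPLY_RE.finditer(text)]
    sent_m = SENT_RE.search(text)
    sent = int(sent_m.group("sent")) if sent_m else len(replies)
    result = {
        "host": header.group("host") if header else None,
        "ip": header.group("ip") if header else None,       # the address ping resolved the name to
        "sent": sent,
        "received": len(replies),
        "lost_seq": sorted(set(range(1, sent + 1)) - {int(r["seq"]) for r in replies}),
    }
    if not replies:
        # No echo reply: the host may be down, or ICMP may simply be filtered.
        result["note"] = "no reply: host down or ICMP filtered by a firewall"
        return result
    ttl = min(int(r["ttl"]) for r in replies)
    initial, os_family = guess_initial_ttl(ttl)
    result.update({
        "ttl": ttl,
        "initial_ttl": initial,
        "os_guess": os_family,
        "hops": initial - ttl,
        "avg_rtt_ms": round(statistics.mean([float(r["rtt"]) for r in replies]), 1),
    })
    return result


if __name__ == "__main__":
    for k, v in analyse_ping(SAMPLE_PING).items():
        print(f"{k:>12}: {v}")
```

The OS guess is only a heuristic: a CDN, load balancer or reverse proxy in front of the target answers with its own TTL, not the origin server's, and some hosts rewrite the TTL deliberately. Treat it as a hint to confirm with other techniques later.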

                             DNS reconnaissance

The Domain Name System (DNS) is a distributed database that resolves names
to their IP addresses.

Kali features several tools designed to iteratively query DNS information for a
particular target. The selected tool must accommodate the Internet Protocol version
that is used for communications with the target—IPv4 or IPv6.

            DNS reconnaissance by IPv4 tools....

dnsenum, dnsmap, and dnsrecon  :

These are comprehensive DNS scanners: DNS record enumeration (A, MX, TXT, SOA, wildcard, and so on), subdomain brute-force attacks, Google lookup, reverse lookup, zone transfer, and zone walking. dnsrecon is usually the first choice; it is highly reliable, its results are well parsed, and the data can be directly imported into the Metasploit Framework.

dnstracer :

   This determines where a given Domain Name System server gets its information from, and follows the chain of DNS servers back to the servers which know the data.

dnswalk :

   This DNS debugger checks specified domains for internal consistency and accuracy.

fierce :

   This locates non-contiguous IP space and hostnames against specified domains by attempting zone transfers, and then attempting brute-force attacks to gain DNS information.
   During testing, most investigators run fierce to confirm that all possible targets have been identified, and then run at least two comprehensive tools (for example, dnsenum and dnsrecon) to generate the maximum amount of data and provide a degree of cross validation.

              DNSRECON-a powerful DNS enumeration script

dnsrecon has the ability to:

1.    Check all NS records for zone transfers

2.    Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT)

3.    Perform common SRV record enumeration, and Top Level Domain (TLD) expansion

4.    Check for wildcard resolution (so that brute-force hits that merely match the wildcard are not mistaken for real hosts)

5.    Brute force subdomain and host A and AAAA records given a domain and a wordlist

6.    Perform a PTR record lookup for a given IP range or CIDR

7.    Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file

8.    Enumerate common mDNS records in the local network, and enumerate hosts and subdomains using Google

commands :

dnsrecon -h  //shows the usage/help text for dnsrecon

dnsrecon allows the penetration tester to obtain the SOA record, the name servers (NS),

the mail exchanger (MX) hosts,

the servers allowed to send e-mail for the domain (from the Sender Policy Framework, SPF, record), and the IP address ranges in use

command :

dnsrecon -t std -d <website name>

command description :

 -t, --type        <types>  Specify the type of enumeration to perform:

 std      Enumerate general record types (SOA, NS, MX, A, AAAA, SPF, TXT).

 -d, --domain      <domain>  Domain to target for enumeration.

example :

dnsrecon -t std -d <domain>

The output (screenshot in the original post) shows the records obtained:

SOA -- start of authority record

NS -- name servers

MX -- mail exchanger hosts

SPF -- sender policy framework //lists the servers allowed to send the domain's e-mail

Scan a domain (-d <domain>), use a dictionary to brute force hostnames (-D /usr/share/wordlists/dnsmap.txt),
do a standard scan (-t std), and save the output to a file (--xml dnsrecon.xml):

command :

dnsrecon -d <domain> -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml

description :

 -d, --domain      <domain>  Domain to Target for enumeration.

-D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for brute force.

/usr/share/wordlists/dnsmap.txt  this is the location of wordlist used in bruetforce in dnsrecon

 -t, --type        <types>   Specify the type of enumeration to perform:

 std      Enumerate general record types. (In recent dnsrecon versions the dictionary is only used when the brt type is also requested, e.g. -t std,brt.)

--xml dnsrecon.xml    stores the results in XML format in a file (not a folder) named dnsrecon.xml


For a more descriptive view of the SOA record you can also try an online lookup website:


It's a really good website.

      DNS reconnaissance by IPv6 tools...

Application          Description

dnsdict6             Enumerates subdomains to obtain IPv4 and IPv6 addresses (if present),
                     using a brute force search based on a supplied dictionary file or its
                     own internal list.

dnsrevenum6          Performs reverse DNS enumeration given an IPv6 address.

DNSDICT6 is an information gathering tool shipped with Kali (part of the THC-IPv6 toolkit). It is used to find the sub-domains of a
website or web server; its main strength is that it enumerates both IPv4 and IPv6 addresses. It is quite a powerful
tool because it also finds sub-domains that are not linked from anywhere and so are invisible to normal users, as long as the name is in the wordlist.

Basic Syntax of DNSDICT6 is :

dnsdict6 [-d4] [-s|-m|-l|-x|-u] [-t THREADS] [-D] domain [dictionary-file]

There are certain Parameters that we can use with dnsdict6 :

 -4      do also dump IPv4 addresses

 -t      specify the number of threads to use (default: 8, max: 32).

 -D      dump the selected built-in wordlist, no scanning.

 -d      display IPv6 information on NS and MX DNS domain information.

 -S      perform SRV service name guessing

 -[smlxu] choose the dictionary size by -s(mall=100), -m(edium=1419) (DEFAULT)
           -l(arge=2601), -x(treme=5886) or -u(ber=16724)

For example :

    dnsdict6 -d4 <domain>

     dnsdict6 -d -4 <domain>

  ( Both forms are equivalent: they extract the MX and NS hosts and all sub-domains of the domain, with their IPv4 and IPv6 addresses.)

 dnsdict6 -4 <domain>

( This extracts all sub-domains of the domain with their IPv4 and IPv6 addresses, without the NS/MX information.)

Now say we want to enumerate all the sub-domains of a particular website.

Then type the command :

    dnsdict6 -d46 -s -t 20 <domain>

The above command will enumerate the IPv4 and IPv6 information of all the sub-domains (and the NS and MX hosts) of the domain;
-s selects the small (100-word) built-in dictionary, which is quick but shallow (note that capital -S, not -s, is SRV service guessing),
and -t 20 runs 20 threads simultaneously.
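The wildcard check (dnsrecon item 4) and dictionary brute force (dnsrecon -D, dnsdict6) belong together, and this added Python example (my code, not the tools' own) shows why: without the check, a domain with a wildcard record makes every word in the list look like a live host. It resolves names against a constructed in-memory zone for a hypothetical domain instead of real DNS, so it runs offline; swap fake_resolve for a real lookup (for example socket.getaddrinfo) to use the same logic against a target you are authorised to test.

```python
import random
import string

# Constructed zone for a hypothetical domain (not real DNS data). The "*" entry is
# a wildcard: every label that is not listed resolves to 203.0.113.99.
FAKE_ZONE = {
    "www.example-target.com":  ["203.0.113.10"],
    "mail.example-target.com": ["203.0.113.20"],
    "vpn.example-target.com":  ["203.0.113.30", "2001:db8::30"],
    "*.example-target.com":    ["203.0.113.99"],
}

# Dictionary used for the brute force; real runs use dnsmap.txt or dnsdict6's built-in lists.
WORDLIST = ["www", "mail", "vpn", "dev", "ftp", "admin", "intranet"]


def fake_resolve(name):
    """Stand-in for a DNS lookup (A + AAAA): list of addresses, or [] for NXDOMAIN."""
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    parent = name.partition(".")[2]
    return list(FAKE_ZONE.get("*." + parent, []))


def detect_wildcard(domain, resolve, probes=3, rng=random):
    """Resolve random labels that cannot legitimately exist; whatever they return
    is the wildcard address set and must be discounted during brute force."""
    addrs = set()
    for _ in range(probes):
        label = "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(12))
        addrs.update(resolve(f"{label}.{domain}"))
    return addrs


def brute_force(domain, wordlist, resolve, filter_wildcard=True, rng=random):
    """Dictionary-driven host enumeration, the way dnsrecon -D and dnsdict6 work.
    Returns (wildcard addresses, {hostname: [addresses]})."""
    wildcard = detect_wildcard(domain, resolve, rng=rng) if filter_wildcard else set()
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        # Limitation shared with the real tools: a genuine host that happens to sit on
        # the wildcard address is filtered out along with the noise.
        addrs = [a for a in resolve(name) if a not in wildcard]
        if addrs:
            found[name] = addrs
    return wildcard, found


if __name__ == "__main__":
    wc, hosts = brute_force("example-target.com", WORDLIST, fake_resolve)
    print("wildcard addresses:", sorted(wc) or "none")
    for name, addrs in hosts.items():
        print(f"{name:30} {', '.join(addrs)}")
    _, noisy = brute_force("example-target.com", WORDLIST, fake_resolve, filter_wildcard=False)
    print(f"without the wildcard check you would report {len(noisy)} hosts instead of {len(hosts)}")
```

Run with the check off to see the false positives: every word in the list "resolves", and only the wildcard probe tells you which answers are real. The same filtering applies to IPv6: the vpn host's AAAA record survives because it does not match the wildcard address.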

Information Gathering II will be posted soon.
