Typically, an attacker starts with a small amount of information and gathers more while scanning, moving on to different types of scans as each round reveals additional detail. For instance, an attacker targeting h4cker.org might start by using DNS lookups to determine the IP address or addresses used by h4cker.org and any other subdomains that might be in use.
```
$ dnsrecon -d h4cker.org
```
From there, an attacker can begin to dig deeper by scanning the identified hosts. Once the attacker knows which hosts are alive on the target site, he or she then needs to determine what kind of services the hosts are running.
You can use other basic DNS tools, such as the nslookup, host, and dig Linux commands, to perform name resolution and obtain additional information about a domain.
Similarly, you can use the `dig <domain> mx` command to obtain the email servers used by h4cker.org (the mail exchanger [MX] records).
You can easily identify domain technical and administrative contacts by using the Whois tool. Many organizations keep their registration details private and instead use the domain registrar organization contacts.
```
$ whois tesla.com
```
TIP: Various tools, such as Recon-ng, theHarvester, and Maltego, help automate the process of passive reconnaissance and support many DNS-based and Whois queries. Several of these tools are listed in Omar Santos' GitHub repository at https://github.com/The-Art-of-Hacking/h4cker/tree/master/osint.
The whois tool can also be used to gather information about IP address ranges that are assigned to an organization.
Because organizations may use the same IP networks for other externally facing servers, knowing the address ranges is valuable for determining which networks to target during a penetration test.
Nslookup is a command line tool that is available in Linux and Windows. Its basic usage is to convert a domain name to an IP address. Nslookup has other functionality that can provide additional information.
Use the **nslookup** command with no options to enter interactive mode. To exit interactive mode at any time, type exit to return to the CLI prompt. The CLI prompt changes to `>` to indicate that you are now in interactive mode and can enter the various nslookup commands. Enter the domain name cisco.com to resolve the domain name to an IP address. By default, the nslookup command queries A and AAAA records for the target.
To find the domain name servers configured for cisco.com, use the `set type=ns` command to change the query type to ns so that the name server information is returned.
Occasionally it is desirable to use a different DNS server to perform lookups. This may be necessary if the local DNS server is unable to resolve an address or resolves the host name to an internal private address and you need to obtain the internet accessible address of the host.
```
nslookup [hostname] [server IP]
```
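The MX lookup and the "query a different DNS server when the local resolver hands back a private address" step described above, combined into one script. This is an added example, not code from the original text or from any of the tools it names; it assumes dig is installed, and the `parse_mx` and `is_private_ipv4` helpers, the `example.test` domain and the sample dig output are all constructed for illustration.

```shell
#!/bin/sh
# Added example: collect A/NS/MX records for a domain with dig and flag the
# case where the local resolver answers with an RFC 1918 address, in which
# case the lookup is repeated against an explicitly chosen DNS server.

# parse_mx: read "dig +short <domain> mx" output ("priority host.") on stdin,
# drop the trailing dot and print the mail hosts ordered by priority.
parse_mx() {
    awk 'NF == 2 { sub(/\.$/, "", $2); print $1, $2 }' | sort -n | awk '{ print $2 }'
}

# is_private_ipv4: true when the address falls in 10/8, 172.16/12 or 192.168/16
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# resolve_a: resolve a host via the default resolver; if the answer is a
# private address, query the given public server instead (live DNS, needs network)
resolve_a() {
    host="$1"; server="$2"
    for ip in $(dig +short "$host" a); do
        if is_private_ipv4 "$ip"; then
            printf '%s -> %s is private, re-querying via %s\n' "$host" "$ip" "$server"
            dig +short @"$server" "$host" a
        else
            printf '%s -> %s\n' "$host" "$ip"
        fi
    done
}

# enum_dns: the lookups from the text for one domain (live DNS, needs network)
enum_dns() {
    domain="$1"; server="${2:-9.9.9.9}"   # assumed public resolver, adjust to taste
    printf '== A records (via local resolver, private answers re-queried)\n'
    resolve_a "$domain" "$server"
    printf '== NS records\n'; dig +short "$domain" ns
    printf '== MX hosts by priority\n'; dig +short "$domain" mx | parse_mx
}

# Constructed sample of what "dig +short example.test mx" could return
SAMPLE_MX='20 mx2.example.test.
10 mx1.example.test.
30 backup-mx.example.test.'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MX" | parse_mx       # offline: prints mx1, mx2, backup-mx
elif [ $# -ge 1 ]; then
    enum_dns "$@"
fi
```

Run it with `--demo` to exercise the MX parser offline, or with a domain (and optionally a resolver IP) to perform the live lookups.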