Notes/src/Security/Training/Phase1/444_External Footprinting - Reconnaissance and Mapping/module-2 - Passive Reconnaissance.txt

Overview:
    -- WHOIS
    -- BGP
    -- Internet Scanning Projects
    -- DNS Bruteforcing
    -- Digging Deep on Third Party Servers
    -- Source Code Services

    ---   TESTING FACEBOOK   ---
    Hostenames, IPs, reconnaisance
    Must Read:
        https://www.facebook.com/whitehat


*** Collecting information about the company without communicating with any of their systems.

[  Challenge  ]:
    --  Tool(s)  --
        Kali Linux

    Start with:
        -- facebook.com
    End with:
        -- +100,000 IPv4
        -- +100 IPv6 Ranges
        -- More than 5k hostnames


::  WHOIS  ::
--  Tool(s)  --
    dmitry: Demographic Information Gathering Tool  -- See  module-2-image-1  image
    whois:  Gets the company info
    nslookup:   DNS lookup
    ARIN Site


Is a protocol that translates URL to company information
Go from a URL to list of IP addresses.
Associated anonymous system information (ASN Info)
*** Can use IPs to bypass some information hiding services against WHOIS lookups (see nslookup to get ip/domain)


seed URL:         facebook.com
WHOIS lookups:
                  +100,000 IPv4
                  +100 IPv6 Ranges


::  BGP  ::  (Border Gateway Protocal)
*** Exchanges antonymous system network routing information
    (Ie, creates A PATH BETWEEN THESE SYSTEMS)
    Routing decisions on core internet
*** AS (antonymous system) is associated with network ranges

--  Tool(s)  --
    See  module-2-image-2  image


::  Internet Scanning Projects  ::
*** Internet scanning projects perform TCP and UDP port scans across the entire internet on a daily or weekly basis.
    The data is then made publicly available and the goal is to provide the public with the data for analysis.
    IE, great for gathering info/reconnaissance

--  Tool(s)  --
    scans.io : Hosted and maintained by University of Michigan
               censys.io  allows for interactive querying against data
        Relevant to Footprinting:
            DNSs:              Virtual Hosts
            SSL Certificates:  Subject alternative names (another list of hostnames)
            Live Services
    commoncrawl.org:  crawl of the internet itself. (Kinda like backend of Google)
    www.shodan.io
    crt.sh:  Comodo Certificate sdearch
    pigz:  parallel decompression of tar,gzip files


::  DNS Bruteforcing  ::
--  Tool(s)  --
    DNSRecon on Kali:  dnsrecon -d <your domain> -t <types: brt for bruteforce> -n 8.8.8.8 -D <dictionary> -c <store results path file> -f <if dns wildcard in place>
    Fierce on Kali

Advanced Tactics:
    Recursive Bruteforce
    Use organization  specific patterns.
    Ask someone


::  Digging Deep on Third Party Servers  ::
(Think like an attacker)
(Think like an employee)

*** Think of the two sites as philosophy than actual steps.
    Does it make sense to check these basically?

--  Tool(s)  --
    virustotal.com :  Might list domains checked by users. (When OK they are acrtual domains of company)
    threatcrowd.org : Malware threat information


Think about 3rd party services.
Think about mergers and acquisitions.
Think about presentation sharing sites such as slideshare.net or prezi.com
Industry blog posts
Conference videos

Other Courses:
    Reconnaissance/Footprinting by Dale Meredith


::  Source Code Services  ::
--  Tool(s)  --
    Gitrob
    Gumbler

--  Group(s)  --
    Github
    Bitbucket
    SourceForge
    Googlecode (Now defunct)
Initial push... 2021-02-20 19:25:30 -06:00			`Overview:`
			`-- WHOIS`
			`-- BGP`
			`-- Internet Scanning Projects`
			`-- DNS Bruteforcing`
			`-- Digging Deep on Third Party Servers`
			`-- Source Code Services`

			`--- TESTING FACEBOOK ---`
			`Hostenames, IPs, reconnaisance`
			`Must Read:`
			`https://www.facebook.com/whitehat`


			`*** Collecting information about the company without communicating with any of their systems.`

			`[ Challenge ]:`
			`-- Tool(s) --`
			`Kali Linux`

			`Start with:`
			`-- facebook.com`
			`End with:`
			`-- +100,000 IPv4`
			`-- +100 IPv6 Ranges`
			`-- More than 5k hostnames`



			`:: WHOIS ::`
			`-- Tool(s) --`
			`dmitry: Demographic Information Gathering Tool -- See module-2-image-1 image`
			`whois: Gets the company info`
			`nslookup: DNS lookup`
			`ARIN Site`


			`Is a protocol that translates URL to company information`
			`Go from a URL to list of IP addresses.`
			`Associated anonymous system information (ASN Info)`
			`*** Can use IPs to bypass some information hiding services against WHOIS lookups (see nslookup to get ip/domain)`


			`seed URL: facebook.com`
			`WHOIS lookups:`
			`+100,000 IPv4`
			`+100 IPv6 Ranges`




			`:: BGP :: (Border Gateway Protocal)`
			`*** Exchanges antonymous system network routing information`
			`(Ie, creates A PATH BETWEEN THESE SYSTEMS)`
			`Routing decisions on core internet`
			`*** AS (antonymous system) is associated with network ranges`

			`-- Tool(s) --`
			`See module-2-image-2 image`




			`:: Internet Scanning Projects ::`
			`*** Internet scanning projects perform TCP and UDP port scans across the entire internet on a daily or weekly basis.`
			`The data is then made publicly available and the goal is to provide the public with the data for analysis.`
			`IE, great for gathering info/reconnaissance`

			`-- Tool(s) --`
			`scans.io : Hosted and maintained by University of Michigan`
			`censys.io allows for interactive querying against data`
			`Relevant to Footprinting:`
			`DNSs: Virtual Hosts`
			`SSL Certificates: Subject alternative names (another list of hostnames)`
			`Live Services`
			`commoncrawl.org: crawl of the internet itself. (Kinda like backend of Google)`
			`www.shodan.io`
			`crt.sh: Comodo Certificate sdearch`
			`pigz: parallel decompression of tar,gzip files`




			`:: DNS Bruteforcing ::`
			`-- Tool(s) --`
			`DNSRecon on Kali: dnsrecon -d <your domain> -t <types: brt for bruteforce> -n 8.8.8.8 -D <dictionary> -c <store results path file> -f <if dns wildcard in place>`
			`Fierce on Kali`

			`Advanced Tactics:`
			`Recursive Bruteforce`
			`Use organization specific patterns.`
			`Ask someone`




			`:: Digging Deep on Third Party Servers ::`
			`(Think like an attacker)`
			`(Think like an employee)`

			`*** Think of the two sites as philosophy than actual steps.`
			`Does it make sense to check these basically?`

			`-- Tool(s) --`
			`virustotal.com : Might list domains checked by users. (When OK they are acrtual domains of company)`
			`threatcrowd.org : Malware threat information`


			`Think about 3rd party services.`
			`Think about mergers and acquisitions.`
			`Think about presentation sharing sites such as slideshare.net or prezi.com`
			`Industry blog posts`
			`Conference videos`

			`Other Courses:`
			`Reconnaissance/Footprinting by Dale Meredith`




			`:: Source Code Services ::`
			`-- Tool(s) --`
			`Gitrob`
			`Gumbler`

			`-- Group(s) --`
			`Github`
			`Bitbucket`
			`SourceForge`
			`Googlecode (Now defunct)`