section: "cyber-shujaa" categories: ["cyber-shujaa"] title: "Reconnaissance" date: 2025-06-11

Passive Reconnaissance

1.0 Introduction

This module covers the foundational concepts and tools of passive reconnaissance in cybersecurity. Passive reconnaissance involves gathering information about a target without directly interacting with it, which keeps the activity stealthy and minimizes the risk of detection.

We’ll delve into essential command-line tools such as whois, nslookup, and dig. These tools help retrieve publicly available data like domain registration details, DNS records, and IP addresses. For instance, whois can provide information about a domain’s registrant, while nslookup and dig can uncover DNS configurations and mail server details.

Additionally, the module introduces online services like DNSDumpster and Shodan.io. DNSDumpster assists in discovering subdomains and mapping a domain’s infrastructure, whereas Shodan.io acts as a search engine for internet-connected devices, revealing information about servers, IoT devices, and more.

1.1 Passive vs Active

In passive reconnaissance, you rely on publicly available knowledge: information you can obtain from public resources without directly engaging with the target.

Active reconnaissance, on the other hand, cannot be carried out so discreetly. It requires direct engagement with the target. Think of it as physically checking the locks on the doors and windows, among other potential entry points.

1.2 Whois

WHOIS is a request and response protocol that follows the RFC 3912 specification. A WHOIS server listens on TCP port 43 for incoming requests.

The WHOIS server replies with a range of information about the requested domain. Of particular interest, we can learn:

  • Registrar: Via which registrar was the domain name registered?
  • Contact info of registrant: Name, organization, address, phone, among other things (unless hidden behind a privacy service).
  • Creation, update, and expiration dates: When was the domain name first registered? When was it last updated? And when does it need to be renewed?
  • Name Server: Which servers should be asked to resolve the domain name?
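The request/response exchange described above, as an added example that is not part of the original module: a minimal RFC 3912 client that sends the query line over TCP port 43, plus a parser that pulls out the registrar, lifecycle dates, registrant and name servers listed above. The reply it parses is a constructed sample in the common registrar format, so it runs offline; `whois.iana.org` and `whois.verisign-grs.com` are real public WHOIS servers named here only for live use.

```python
import re
import socket

def whois_query(domain, server="whois.iana.org", timeout=10.0):
    """One RFC 3912 exchange: send the query + CRLF on TCP/43, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

# Fields section 1.2 calls out, with the labels used in the common registrar reply format.
FIELDS = {
    "registrar": r"^Registrar:\s*(.+)$",
    "registrant_org": r"^Registrant Organization:\s*(.+)$",
    "created": r"^Creation Date:\s*(.+)$",
    "updated": r"^Updated Date:\s*(.+)$",
    "expires": r"^Registry Expiry Date:\s*(.+)$",
}

def parse_whois(text):
    """Pull registrar, registrant, lifecycle dates and name servers out of a WHOIS reply."""
    flags = re.MULTILINE | re.IGNORECASE
    result = {key: (m.group(1).strip() if (m := re.search(pat, text, flags)) else None)
              for key, pat in FIELDS.items()}
    # One "Name Server:" line per server; lower-case so duplicates and case variants collapse.
    result["name_servers"] = sorted({m.group(1).lower()
                                     for m in re.finditer(r"^Name Server:\s*(\S+)", text, flags)})
    # A privacy/proxy service in the registrant field means the contact data is masked (section 1.2).
    org = result["registrant_org"] or ""
    result["privacy_protected"] = bool(re.search(r"privacy|proxy|redacted", org, flags))
    return result

# Constructed sample reply (not real registry data) in the common registrar format.
SAMPLE_REPLY = """\
Domain Name: EXAMPLE-RECON.TEST
Registrar: Example Registrar LLC
Updated Date: 2024-03-02T10:15:00Z
Creation Date: 2015-07-21T08:00:00Z
Registry Expiry Date: 2026-07-21T08:00:00Z
Registrant Organization: Privacy Protect Service
Name Server: NS1.EXAMPLE-RECON.TEST
Name Server: ns2.example-recon.test
Name Server: NS1.EXAMPLE-RECON.TEST
"""

if __name__ == "__main__":
    for key, value in parse_whois(SAMPLE_REPLY).items():
        print(f"{key}: {value}")
```

For a live lookup, `parse_whois(whois_query("example.com", "whois.verisign-grs.com"))` runs the same parser over the .com registry's reply.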

1.3 nslookup and dig

nslookup is a command-line tool used to query DNS servers for information about domain names.

Common Record Types:

  • A – IPv4 address
  • AAAA – IPv6 address
  • MX – Mail exchange servers
  • CNAME – Canonical name (alias)
  • TXT – Text records (e.g., SPF, DKIM)
  • SOA – Start of Authority

dig, short for Domain Information Groper, is a command-line tool used to query DNS (Domain Name System) servers. It’s commonly used in network troubleshooting, penetration testing, and passive reconnaissance to gather detailed DNS information about a domain.

What dig Does:

  • Translates a domain name (like example.com) into its corresponding IP address.
  • Retrieves different types of DNS records, such as:
      ◦ A – IPv4 address
      ◦ AAAA – IPv6 address
      ◦ MX – Mail exchange servers
      ◦ CNAME – Canonical name (aliases)
      ◦ TXT – Text records (used for things like SPF/DKIM)
      ◦ NS – Name servers
      ◦ SOA – Start of Authority (domain management info)
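What dig and nslookup actually do with the bytes they receive, as an added example that is not part of the original module: a decoder for the DNS answer section covering the A, MX and TXT record types listed above, including the name compression that lets an MX exchange name point back into the message. The response it parses is constructed by hand for a made-up zone (example-recon.test, with an RFC 5737 documentation address); nothing is sent on the network.

```python
import socket
import struct

def read_name(msg, off):  # decode a (possibly compressed) name; return (name, offset after it)
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 section 4.1.4)
            end = end if end is not None else off + 2   # remember where the name ended in the stream
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_answers(msg):  # return [(owner, type, value)] for every answer-section record
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])   # 12-byte header
    off = 12
    for _ in range(qdcount):                      # skip the echoed question: name + type + class
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])   # type, class, TTL, RDLENGTH
        off += 10
        rdata = msg[off:off + rdlen]
        value = rdata.hex()                       # fallback for record types not decoded here
        if rtype == 1:                            # A: four raw octets
            value = socket.inet_ntoa(rdata)
        elif rtype == 15:                         # MX: 16-bit preference + exchange name
            value = (struct.unpack("!H", rdata[:2])[0], read_name(msg, off + 2)[0])
        elif rtype == 16:                         # TXT: concatenate its <len><chars> strings
            value, i = "", 0
            while i < rdlen:
                value, i = value + rdata[i + 1:i + 1 + rdata[i]].decode("ascii"), i + 1 + rdata[i]
        answers.append((owner, {1: "A", 15: "MX", 16: "TXT"}.get(rtype, str(rtype)), value))
        off += rdlen
    return answers

_rr = lambda t, d: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(d)) + d  # owner = pointer to QNAME
RESPONSE = (  # constructed sample: flags QR|RD|RA, 1 question, 3 answers, made-up zone, RFC 5737 address
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
    + b"\x0dexample-recon\x04test\x00" + struct.pack("!HH", 255, 1)   # QNAME, QTYPE ANY, class IN
    + _rr(1, socket.inet_aton("203.0.113.10"))
    + _rr(15, struct.pack("!H", 10) + b"\x04mail\xc0\x0c")           # exchange: mail.<QNAME>
    + _rr(16, b"\x0bv=spf1 -all")
)
```

Calling `parse_answers(RESPONSE)` yields the same three records dig would print in its ANSWER SECTION for this zone: the A address, the MX preference and exchange, and the SPF TXT string.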

1.4 DNSDumpster

Question

Lookup tryhackme.com on DNSDumpster. What is one interesting subdomain that you would discover in addition to www and blog?

1.5 Shodan.io

Shodan is a powerful search engine for internet-connected devices. Unlike Google, which indexes websites, Shodan indexes devices, servers, services, and their metadata, including security cameras, routers, databases, web servers, industrial control systems, and more.

Questions

According to Shodan.io, what is the 2nd country in the world in terms of the number of publicly accessible Apache servers?

Based on Shodan.io, what is the 3rd most common port used for Apache?

Based on Shodan.io, what is the 3rd most common port used for nginx?

1.6 Conclusion

In this room, we explored the fundamentals of passive reconnaissance, a crucial phase in cybersecurity and penetration testing where information is gathered without directly interacting with the target systems. We focused on both command-line tools and online platforms that allow us to uncover valuable data while remaining stealthy.

Tools We Covered:

  • whois – To retrieve domain registration info, such as owner, registrar, and DNS servers.
  • nslookup – To perform DNS lookups and retrieve records like A, MX, and TXT.
  • dig – A more advanced DNS query tool for detailed DNS record information.
  • DNSDumpster – A web-based service for DNS mapping and discovering related infrastructure.
  • Shodan.io – A search engine that maps internet-exposed devices and services.

Key Takeaways:

  • Passive recon helps you map out the digital footprint of a target without triggering alerts.
  • Tools like nslookup and dig are essential for DNS reconnaissance and help uncover IP addresses, email configurations, and text records.
  • Shodan and DNSDumpster enhance recon by visualizing exposed assets and networks.
  • Understanding how to use different query types (A, MX, TXT, etc.) can reveal insights that might otherwise go unnoticed.