eJPT - 1.1 Information Gathering

Passive Reconnaissance
Passive information gathering involves gathering as much information as possible without actively engaging with the target system.
Host Command
The host command is a DNS lookup utility. If more than one IP address comes up, then that website is running a proxy such as Cloudflare.
Use robots.txt to view what is enabled and disabled for crawlers.
Use sitemap.xml to view all pages indexed for the website.
You can use BuiltWith, Wappalyzer, or whatweb to see what web technologies are being used.
To download an entire website, use the tool httrack. It can copy an entire website so you can view its directories and files offline.
Whois
This is an internet protocol used to query databases that store the registered users of internet resources, including domain names, IP addresses, and autonomous systems. You can use the website who.is or run whois from the terminal.
Netcraft
A tool that's very useful for passive recon of a website. It can reveal certificates, what is running on the backend as well as the client side, and whether a website is vulnerable to certain attacks.
DNS Recon
A very useful tool to find out about NS (name servers), MX (mail servers) and the A and AAAA records (so IPv4 and IPv6 addresses). Dnsrecon is a command-line tool available in the Kali Linux terminal. Another very useful website is dnsdumpster. It gives quite a visual understanding of how a website is laid out, what domains are used, etc. More on this later...
Wafw00f
Wafw00f detects web application firewalls (a WAF is a web application firewall). It is built into Kali. Very useful to see what the website is protected by.
Sublist3r
It enumerates subdomains of websites using OSINT. Don't use the brute-force option, as that would cross over into active information gathering. Can be very useful. Check GitHub.
Google Dorks
This involves using certain keywords (search operators) within the Google search bar to find specific results. A useful tool to view old versions of websites is the Wayback Machine. Another very useful tool is the Google Hacking Database, which can be accessed here.
The Harvester
Designed for OSINT. It gathers emails, names, subdomains, IPs and URLs. Normally pre-installed in Linux and also available on GitHub. Spyse is built for penetration testers, but it requires an API key (so it is paid).
Leaked Databases
One website to use to see whether an email address has been leaked is haveibeenpwned.com. From there, you can check the password and whether they have changed it or not, as most of the time the same password is used across multiple websites.
Active Reconnaissance
Active information gathering is trying to gather as much information as possible by engaging with the target system (for which you require authorization).
DNS Zone Transfers
DNS stands for Domain Name System, and it's a protocol used to resolve domain names / hostnames to IP addresses. It maps domain names to their respective IPs, and DNS servers contain the records of almost all the domains on the internet.
There are different types of DNS records, as we covered before and as shown below:

| Record | Resolves to... |
| --- | --- |
| A | Hostname or domain to an IPv4 address |
| AAAA | Hostname or domain to an IPv6 address |
| NS | Domain's nameservers |
| MX | Domain to a mail server |
| CNAME | Used for domain aliases |
| TXT | Text record |
| HINFO | Host information |
| SOA | Domain authority (start of authority) |
| SRV | Service records |
| PTR | IP address to a hostname |
DNS interrogation is the process of enumerating DNS records for a specific domain; the objective is to probe a DNS server so that it provides us with the DNS records for that domain.
In some cases, DNS server admins may want to copy / transfer zone files from one DNS server to another, which is known as a zone transfer. If misconfigured, it can be abused by attackers to copy the zone file from the primary DNS server to another DNS server. This will provide them with a view of an organisation's network layout.
You can perform a zone transfer with dnsenum (which automatically does a brute force) or dig. Fierce is another tool, used as a precursor to Nmap, etc.
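As an added example (not from the original notes), the following bash script uses dig to request an AXFR from each authoritative nameserver of a zone and reports whether the transfer is open, refused, or errored; the domain is a placeholder, and the classifier reads dig's output from stdin so it can be checked against constructed output without network access.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: check whether each authoritative
# nameserver of a domain allows a full zone transfer (AXFR) with dig.
# Assumes dig (bind9-dnsutils) is installed; "example.com" is a placeholder.

# Classify the text output of `dig AXFR <zone> @<ns>` read from stdin:
#   open    - the server sent the zone (a transfer starts and ends with SOA)
#   refused - dig reported "; Transfer failed." (REFUSED, NOTAUTH, timeout)
#   error   - anything else (no answer, unexpected output)
classify_axfr() {
    local out
    out="$(cat)"
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo refused
        return 0
    fi
    if [ "$(printf '%s\n' "$out" | grep -c 'IN[[:space:]][[:space:]]*SOA')" -ge 2 ]; then
        echo open
        return 0
    fi
    echo error
}

# Count resource records in a transferred zone (drops dig's ';' comment lines
# and blank lines) so the size of the exposure can be reported.
count_records() {
    grep -v '^;' | grep -c '[^[:space:]]'
}

# Look up the NS records for the zone, then attempt AXFR against each one.
check_zone() {
    local zone="$1" ns output status
    for ns in $(dig +short NS "$zone"); do
        output="$(dig AXFR "$zone" "@$ns")"
        status="$(printf '%s\n' "$output" | classify_axfr)"
        if [ "$status" = open ]; then
            printf '%-35s open (%s records)\n' "$ns" \
                "$(printf '%s\n' "$output" | count_records)"
        else
            printf '%-35s %s\n' "$ns" "$status"
        fi
    done
}

# Usage: check_zone example.com    (placeholder zone; results go to stdout)
```

A nameserver that answers "open" is handing out the full zone to anyone who asks; the fix on the server side is to restrict AXFR to the secondary servers' addresses (or a TSIG key).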
Nmap
We will cover this tool in a lot more detail in the 1.2 Footprinting & Scanning section. For now, here's what you need to know. Firstly, to find your own IP address, use the command ip a s or any other alternative. You can then use nmap with the -sn switch, or netdiscover, to find live hosts. Remember to use sudo when running these commands.
Nmap has a lot of switches / options to choose from. Some of the most common ones are below:

| Switch | Use case |
| --- | --- |
| -v | Verbose, shows what's happening in real time |
| -sV | Finds the version of a service running on a port |
| -O | Detects what operating system is running |
| -A | Enables all detection (OS, version, scripts, etc.) |
| -T0 to -T5 | Intensity of a scan from low to high speed |
| -sC | Scans with default NSE scripts |
| -F | Uses smaller packets to get past filters |
| -p | To scan all or specific ports |
| -Pn | Disables host discovery and only scans ports |
| -sn | Disables port scanning and only does host discovery |
| -sU | UDP port scan |
| -sS | TCP SYN port scan |
That’s it for this section. Next one up is the CTF or skill check that iNE has put up.
— Hmad
Written by Hmad
I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.