Passive Reconnaissance


🔍 Passive Reconnaissance with Whois, Nslookup, Dig, DNSDumpster, and Shodan.io

In the world of cybersecurity and ethical hacking, passive reconnaissance is one of the first steps in gathering information about a target—without ever interacting with the systems directly. In this blog post, we’ll walk through powerful command-line tools and online services used for passive information gathering:


🧰 Tools Covered in This Blog:

  • whois

  • nslookup

  • dig

  • DNSDumpster

  • Shodan.io


🗂️ 1. WHOIS Lookup

The WHOIS protocol provides essential domain registration data, such as:

  • Domain owner's contact info (often redacted behind a registrar privacy service, so expect placeholder names and proxy e-mail addresses rather than a real person)

  • Registration and expiration dates

  • DNS name servers

Command:

```bash
whois tryhackme.com
```

This uncovers the registrar, the registration and expiry dates, whatever admin or technical contact details are not redacted, and the authoritative name servers for the domain. The query goes to the registry or registrar's WHOIS server, not to the target, which is what makes it passive.


🌐 2. DNS Lookups with nslookup

nslookup (Name Server Lookup) is a tool for querying DNS: it maps a domain name to its records (A, MX, TXT, and so on) or, with a reverse lookup, an IP address back to a name.

📌 Usage Patterns:

```bash
nslookup -type=A tryhackme.com
nslookup -type=MX tryhackme.com
nslookup -type=TXT tryhackme.com
nslookup -type=A tryhackme.com 1.1.1.1   # Using Cloudflare DNS as the resolver
```

🔍 Types of DNS Records:

Type    Description
A       IPv4 address
AAAA    IPv6 address
MX      Mail servers
TXT     Text info (e.g., SPF)
SOA     Start of Authority
CNAME   Canonical name (alias)

💻 3. Advanced Queries with dig (Domain Information Groper)

While nslookup is straightforward, dig provides more detailed and customizable DNS queries.

📌 Basic Examples:

```bash
dig tryhackme.com A
dig tryhackme.com MX
dig tryhackme.com TXT
```

📌 Using a Specific DNS Server:

```bash
dig @1.1.1.1 tryhackme.com MX
```

dig also shows:

  • TTL (Time To Live) of each record, i.e. how long resolvers are allowed to cache it

  • Header flags, including `aa`, which is set only when the answer came from an authoritative server rather than a resolver's cache

  • Server details: the SERVER line tells you which DNS server actually answered the query
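The nslookup and dig sections above show the queries but not what to do with the answers. The following script is an added example (not code from the original post or from TryHackMe) that parses the text dig prints into structured records and pulls out the pieces a recon analyst cares about: the header flags (is the answer authoritative?), which resolver answered, record TTLs, mail exchangers in delivery order, and the third parties the domain's SPF TXT record authorises to send mail for it, since every `include:` names a vendor relationship. The sample dig output is constructed for this example, using documentation IP ranges and invented mail-provider names; it does not describe tryhackme.com.

```python
"""Turn raw `dig` output into structured data and extract the recon-relevant bits:
flags, answering server, record TTLs, MX ordering and the SPF policy."""
import re
from dataclasses import dataclass

# Constructed sample in the format dig prints. Names, IPs and TTLs are invented
# (documentation ranges) and do not describe tryhackme.com. A single ANY answer
# is used here for brevity; many resolvers refuse ANY, so query each type in practice.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18.24 <<>> @1.1.1.1 tryhackme.com ANY
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;tryhackme.com.\t\t\tIN\tANY

;; ANSWER SECTION:
tryhackme.com.\t\t300\tIN\tA\t192.0.2.10
tryhackme.com.\t\t300\tIN\tA\t192.0.2.11
tryhackme.com.\t\t3600\tIN\tMX\t20 mx2.mailprovider.example.
tryhackme.com.\t\t3600\tIN\tMX\t10 mx1.mailprovider.example.
tryhackme.com.\t\t300\tIN\tTXT\t"v=spf1 include:_spf.mailprovider.example " "include:spf.crm.example ip4:198.51.100.0/24 -all"

;; Query time: 18 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
"""


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
STATUS_RE = re.compile(r"status: (\w+)")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one quoted chunk of TXT rdata


def parse_dig(output: str) -> dict:
    """Parse one dig response into flags, status, answering server and answer records."""
    result = {"flags": set(), "status": None, "server": None, "answers": []}
    section = None
    for line in output.splitlines():
        if line.startswith(";; flags:"):
            result["flags"] = set(FLAGS_RE.match(line).group(1).split())
        elif line.startswith(";; ->>HEADER<<-"):
            result["status"] = STATUS_RE.search(line).group(1)
        elif line.startswith(";; SERVER:"):
            result["server"] = line.split()[2]          # e.g. 1.1.1.1#53(1.1.1.1)
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]         # QUESTION / ANSWER / ...
        elif section == "ANSWER" and line and not line.startswith(";"):
            m = ANSWER_RE.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                result["answers"].append(Record(name.rstrip("."), int(ttl), rtype, rdata))
    return result


def records(result: dict, rtype: str) -> list:
    return [r for r in result["answers"] if r.rtype == rtype]


def is_authoritative(result: dict) -> bool:
    """`aa` is set only by an authoritative server; a recursive resolver such as
    1.1.1.1 returns a cached answer without it."""
    return "aa" in result["flags"]


def mail_exchangers(result: dict) -> list:
    """MX rdata is '<priority> <host>'; return hosts in delivery (lowest-first) order."""
    mx = [(int(r.rdata.split()[0]), r.rdata.split()[1].rstrip(".")) for r in records(result, "MX")]
    return [host for _, host in sorted(mx)]


def txt_value(rdata: str) -> str:
    """dig prints TXT rdata as one or more quoted strings; join them into the raw value."""
    parts = QUOTED_RE.findall(rdata)
    return "".join(parts) if parts else rdata


def parse_spf(value: str) -> dict:
    """Summarise an SPF record: authorised includes, IP ranges and the 'all' qualifier."""
    tokens = value.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return {}
    spf = {"includes": [], "ip4": [], "ip6": [], "redirect": None, "all": None}
    for tok in tokens[1:]:
        qualifier = ""
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        if tok.startswith("include:"):
            spf["includes"].append(tok[len("include:"):])
        elif tok.startswith("ip4:"):
            spf["ip4"].append(tok[4:])
        elif tok.startswith("ip6:"):
            spf["ip6"].append(tok[4:])
        elif tok.startswith("redirect="):
            spf["redirect"] = tok[len("redirect="):]
        elif tok == "all":
            spf["all"] = qualifier or "+"    # '+all' lets anyone send as the domain
    return spf


def spf_summary(result: dict) -> dict:
    for r in records(result, "TXT"):
        spf = parse_spf(txt_value(r.rdata))
        if spf:
            return spf
    return {}


if __name__ == "__main__":
    res = parse_dig(SAMPLE_DIG_OUTPUT)
    print("answered by", res["server"], "| authoritative:", is_authoritative(res))
    print("A:", [r.rdata for r in records(res, "A")])
    print("MX:", mail_exchangers(res))
    print("SPF:", spf_summary(res))
```

To use it on real output, pipe `dig @1.1.1.1 target.example TXT` (and A, MX) into a file and feed the text to `parse_dig`. An SPF record ending in `+all` or `?all`, or one with a long chain of `include:` entries, is a finding in its own right: it tells you who can legitimately send mail as the domain, and how loosely that is enforced.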


🧠 4. Discover Hidden Subdomains with DNSDumpster

Tools like dig and nslookup only answer for names you already know; they won't enumerate subdomains for you. (dig can request a zone transfer with AXFR, but that is an active query against the target's name server and is refused by almost every properly configured one.)

🔎 What is DNSDumpster?

DNSDumpster is a free online tool that reveals:

  • Subdomains (e.g., wiki.tryhackme.com, blog.tryhackme.com)

  • DNS servers

  • MX records

  • TXT records

  • IP addresses and geolocation

  • Visual DNS maps (graph view)

Use Case: Find forgotten or unmaintained subdomains that may be vulnerable or misconfigured—a goldmine for penetration testers.


🌍 5. Exposed Devices Search with Shodan.io

Shodan.io is a search engine for internet-connected devices. Instead of websites, it indexes:

  • Servers

  • Routers

  • Cameras

  • IoT devices

  • Industrial systems

  • ...and much more.

🔍 What Can You Learn?

  • IP address

  • Hosting provider

  • Device location

  • Open ports

  • Software versions

  • SSL certificates

  • CVEs (known vulnerabilities)

📌 Example Queries:

These are Shodan search strings, typed into the Shodan search box rather than a shell:

```text
tryhackme.com
hostname:"tryhackme.com"
port:22
org:"Cloudflare"
```

Pro Tip: Search by the IP addresses you got from nslookup or dig. Keep in mind that an A record pointing at a CDN or reverse proxy (Cloudflare, for instance) will show you the CDN's infrastructure, not the origin server, and that Shodan shows the results of its own periodic scans, so a banner may be weeks old.
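Putting the Shodan step together with the DNS step: the script below is an added example (not code from the original post or from Shodan) that takes the IPs found via nslookup or dig, builds the Shodan search strings for them, and triages host records for those IPs: which hosts expose something other than HTTP/HTTPS, which banners leak a product version, and which carry known-vulnerability tags. The host records are constructed for this example and follow only the rough shape of a Shodan host lookup (`ip_str`, `org`, `ports`, and one banner per port under `data`); those field names are an assumption here and should be checked against Shodan's API documentation, and the CVE key in the sample is a placeholder, not a real vulnerability. Nothing in the script contacts the target; it reasons over data a search engine already collected.

```python
"""Triage Shodan-style host records for IPs discovered through DNS."""

# Constructed sample records. Field names approximate the shape of a Shodan host
# lookup and are an ASSUMPTION for this example; IPs are documentation ranges and
# "CVE-0000-0001" is a placeholder key, not a real CVE.
SAMPLE_HOSTS = [
    {"ip_str": "192.0.2.10", "org": "Cloudflare, Inc.", "ports": [80, 443],
     "data": [{"port": 80, "product": "cloudflare"},
              {"port": 443, "product": "cloudflare"}]},
    {"ip_str": "198.51.100.7", "org": "Example Hosting", "ports": [22, 80, 8080],
     "data": [{"port": 22, "product": "OpenSSH", "version": "7.4"},
              {"port": 80, "product": "nginx", "version": "1.14.0"},
              {"port": 8080, "product": "Apache Tomcat", "version": "9.0.31",
               "vulns": {"CVE-0000-0001": {"verified": False}}}]},
]

WEB_PORTS = {80, 443}


def shodan_queries(domain: str, ips) -> list:
    """Search strings to paste into Shodan: the hostname filter from the post,
    plus each DNS-derived IP searched directly."""
    return [f'hostname:"{domain}"'] + [str(ip) for ip in ips]


def triage(hosts: list, ips_of_interest) -> list:
    """One finding per host whose IP came from DNS, most exposed first.

    The score is a simple ranking heuristic for this example: CVE tags weigh most,
    then non-web ports, then version-leaking banners."""
    wanted = set(ips_of_interest)
    findings = []
    for host in hosts:
        if host["ip_str"] not in wanted:
            continue
        non_web = sorted(p for p in host["ports"] if p not in WEB_PORTS)
        versions = {b["port"]: f'{b["product"]} {b["version"]}'
                    for b in host["data"] if b.get("version")}
        cves = sorted({cve for b in host["data"] for cve in b.get("vulns", {})})
        findings.append({
            "ip": host["ip_str"],
            "org": host["org"],
            # A CDN/proxy org means the A record points at a front, not the origin.
            "behind_cdn": "cloudflare" in host["org"].lower(),
            "non_web_ports": non_web,
            "versions": versions,
            "cves": cves,
            "score": 10 * len(cves) + 3 * len(non_web) + len(versions),
        })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    dns_ips = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]   # e.g. from `dig ... A`
    print("Shodan queries:", shodan_queries("tryhackme.com", dns_ips))
    for f in triage(SAMPLE_HOSTS, dns_ips):
        print(f)
```

The host at 203.0.113.5 produces no finding because Shodan has no record for it; absence from Shodan is not evidence that a host is closed, only that it was not seen on the last scan.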


📌 Summary Table of Commands

Purpose                                   Command
WHOIS info                                whois tryhackme.com
A record (IPv4) via nslookup              nslookup -type=A tryhackme.com
MX record via nslookup with server        nslookup -type=MX tryhackme.com 1.1.1.1
TXT record via nslookup                   nslookup -type=TXT tryhackme.com
A record via dig                          dig tryhackme.com A
MX record via dig with DNS server         dig @1.1.1.1 tryhackme.com MX
TXT record via dig                        dig tryhackme.com TXT

🧠 Final Thoughts

Passive reconnaissance is crucial in penetration testing. Using tools like:

  • whois for registrar info,

  • nslookup / dig for DNS records,

  • DNSDumpster for subdomain mapping, and

  • Shodan.io for finding open services—

...you can gather critical information without sending traffic to the target yourself: WHOIS goes to the registry or registrar, DNS queries go to a resolver such as 1.1.1.1, and DNSDumpster and Shodan serve data they have already collected.

Mastering these tools will give you a powerful edge during reconnaissance, both as an attacker and as a defender.
