Penetration Testing Reconnaissance Command Line Tricks: Dig, Mass Domain Resolution, Ping Sweeping

By | June 25, 2016
Here are some simple command line tricks to help while doing recon on your target network/host.
A simple way to resolve domain names automatically: it can be used with a for loop to resolve a massive list of domain names, and you can also add a cron job that writes an .out file if you want to track changes in domain name resolution over time. First, let's set a regular expression variable that extracts only legitimate IPv4 addresses from the output (the pattern is single-quoted so the shell does not try to interpret its parentheses and pipes):
root@computersecurity:~/# IP='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
Now let's use the variable to do a simple domain name resolution and return only the IP address of the domain being resolved (we'll filter Google's DNS server, 8.8.8.8, out of the results, since dig prints it in its SERVER line):
root@computersecurity:~/# dig @8.8.8.8 computersecurity.org | grep -E -o "$IP" | grep -v 8.8.8.8
The raw output is just the IP:
104.238.84.235
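As an added example (not from the original post), here is the same dig-and-grep idea packaged as shell functions that can take a whole list of domains. Everything in it is assumed: the `example.com` records and the dig output are constructed, the resolver is 8.8.8.8 as in the post, and `resolve_list` needs network access, so only the offline filter is exercised when the file runs:

```shell
#!/bin/sh
# Added example, not code from the original post. Bulk resolution with dig,
# keeping the post's IPv4 regex but quoting it and anchoring it on word
# boundaries so partial matches (e.g. "9.10.3" in a version banner) are dropped.

OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
IP="$OCTET\\.$OCTET\\.$OCTET\\.$OCTET"
RESOLVER='8.8.8.8'   # assumed resolver; dig echoes it in its SERVER: line

# extract_ips: read dig output on stdin, print each distinct IPv4 address
# found, minus the resolver's own address. "grep -v -x" matches the whole
# line, so a legitimate answer that merely contains "8.8.8.8" (such as
# 18.8.8.8) is not thrown away the way a bare "grep -v 8.8.8.8" would.
extract_ips() {
    grep -E -o -w "$IP" | grep -v -x "$RESOLVER" | sort -u
}

# resolve_list: one domain per line on stdin, prints "domain ip" pairs.
# Calls dig, so it needs network access and is not run below. For the
# change-tracking idea in the post, schedule something like
#   resolve_list < domains.txt > "resolved-$(date +%F).out"
# from cron and diff successive .out files.
resolve_list() {
    while IFS= read -r domain; do
        [ -n "$domain" ] || continue
        dig +short "@$RESOLVER" "$domain" A 2>/dev/null \
            | extract_ips | awk -v d="$domain" '{ print d, $0 }'
    done
}

# Constructed dig output for a hypothetical example.com (not real data),
# used so the filter can be exercised offline.
SAMPLE_DIG='; <<>> DiG <<>> @8.8.8.8 example.com
;; Got answer:
;; QUESTION SECTION:
;example.com.            IN      A

;; ANSWER SECTION:
example.com.      300     IN      A       192.0.2.10
example.com.      300     IN      A       198.51.100.8

;; Query time: 31 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jun 25 00:52:45 2016
;; MSG SIZE  rcvd: 77'

printf '%s\n' "$SAMPLE_DIG" | extract_ips
```

Running the file prints the two constructed answers and nothing else; the resolver address from the SERVER line, the query time and the message size all fail the four-octet, whole-word test.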
Another easy way to profile your target is to download their web page content (or just the homepage), extract all of the subdomains from it, and resolve them to IP addresses to map out their network infrastructure. Here is an example using the index page of msn:
root@computersecurity:~/# wget http://www.msn.com
--2016-06-25 00:52:45--  http://www.msn.com/
Resolving www.msn.com (www.msn.com)… 204.79.197.203
Connecting to www.msn.com (www.msn.com)|204.79.197.203|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 40206 (39K) [text/html]
Saving to: ‘index.html’

index.html          100%[===================>]  39.26K  --.-KB/s    in 0.01s

2016-06-25 00:52:45 (2.97 MB/s) - ‘index.html’ saved [40206/40206]
We run this simple command:
root@computersecurity:~/# for url in $(grep -o '[A-Za-z0-9_\.-]*\.*msn.com' index.html | sort -u); do host $url | grep "has address" | cut -d" " -f4; done
137.117.100.176
65.52.108.11
104.85.61.237
204.79.197.200
40.114.54.223
204.79.197.203
Just like that, we see that msn has a lot of subdomains hosted all over the place.
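The grep-and-host loop above, as an added example that is not part of the original post: the apex domain is a parameter, the regex is tightened with `-w` so `notexample.net` does not count as `example.net`, and the `example.net` page fragment is constructed so the extraction step runs offline (the `host` lookup in `resolve_hosts` is defined but not executed):

```shell
#!/bin/sh
# Added example, not code from the original post. Pulls hostnames under a
# given apex domain out of a saved web page, then resolves them. The hostname
# regex is the post's idea made stricter: "-w" requires a word boundary on
# both sides, so "notexample.net" is not reported as "example.net".

# extract_hostnames APEX: read HTML (or any text) on stdin, print each
# distinct hostname ending in APEX, lower-cased and sorted.
extract_hostnames() {
    apex="$1"
    escaped=$(printf '%s' "$apex" | sed 's/\./\\./g')   # make dots literal
    grep -E -o -i -w "([A-Za-z0-9_-]+\\.)*$escaped" \
        | tr '[:upper:]' '[:lower:]' | sort -u
}

# resolve_hosts: hostnames on stdin, prints "hostname ip" for every A record
# host(1) reports. Needs network access, so it is not run below.
resolve_hosts() {
    while IFS= read -r h; do
        host "$h" 2>/dev/null | awk -v h="$h" '/has address/ { print h, $NF }'
    done
}

# Constructed page fragment for a hypothetical example.net (not real data).
SAMPLE_HTML='<a href="https://www.example.net/en-us/news">News</a>
<img src="https://img-cdn.example.net/logo.png">
<script src="https://static.other-example.org/app.js"></script>
<a href="https://WWW.EXAMPLE.NET/">home</a>
<a href="https://money.example.net/">Money</a>
<a href="https://notexample.net/">decoy</a>
<p>mail us at help@example.net</p>'

printf '%s\n' "$SAMPLE_HTML" | extract_hostnames example.net
# Against a saved page on a live network the two steps chain as:
#   wget -q -O index.html http://www.example.net/
#   extract_hostnames example.net < index.html | resolve_hosts
```

The mixed-case link and the duplicate `www` entry collapse into one line, the `other-example.org` script host and the `notexample.net` decoy are left out, and the bare apex from the e-mail address is reported once.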
Once you have IP ranges and you are authorized to touch them, we can write a simple bash script that does a ping sweep of a network in seconds. Here is the sweep of my own network, completing in less than a second:

root@computersecurity:~/# cat > pingsweep.sh
#!/bin/bash
# one background ping per host; print the address of each host that replies
for ip in $(seq 1 255); do
ping -c 1 192.168.1.$ip | grep "bytes from" | cut -d" " -f4 | cut -d":" -f1 &
done
wait   # let every background ping finish before the script exits
root@computersecurity:~/# chmod +x *.sh
root@computersecurity:~/# ./pingsweep.sh
192.168.1.1
192.168.1.2
192.168.1.101
192.168.1.100
192.168.1.107
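An added example, not the post's script: the same sweep with a reply timeout, a `wait`, numeric sorting, and the reply parsing split into a function that is exercised here on constructed ping output. It assumes Linux iputils `ping` (where `-W` is in seconds) and GNU `seq`; `pingsweep` itself is defined but not run because it needs a live network:

```shell
#!/bin/sh
# Added example, not code from the original post. The post's ping sweep with
# three practical fixes: a reply timeout so dead hosts do not stall the run,
# a "wait" so the script finishes only after every background ping has
# answered, and numeric sorting so 192.168.1.2 is listed before 192.168.1.107.
# Assumes Linux iputils ping (-W takes seconds; on macOS it is milliseconds).

# alive_hosts: read raw ping output on stdin, print each address that sent a
# reply, once, in numeric address order. Lines such as
# "From 192.168.1.5 icmp_seq=1 Destination Host Unreachable" are ignored.
alive_hosts() {
    awk '/bytes from/ { sub(/:$/, "", $4); print $4 }' \
        | sort -u | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# pingsweep PREFIX: sweep PREFIX.1 through PREFIX.254 (e.g. 192.168.1), one
# background ping per host; .0 and .255 are skipped as network/broadcast.
# Not run below because it needs a live network.
pingsweep() {
    prefix="$1"
    case "$prefix" in
        *.*.*) ;;
        *) echo "usage: pingsweep A.B.C" >&2; return 1 ;;
    esac
    {
        for i in $(seq 1 254); do
            # -n: no reverse lookups, so the reply line always carries the IP
            ping -n -c 1 -W 1 "$prefix.$i" 2>/dev/null &
        done
        wait   # collect every background ping before the pipe closes
    } | alive_hosts
}

# Constructed ping output (not from a real run) to exercise the parser.
SAMPLE_PING='PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.107: icmp_seq=1 ttl=128 time=2.10 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.801 ms
From 192.168.1.5 icmp_seq=1 Destination Host Unreachable
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.398 ms
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms'

printf '%s\n' "$SAMPLE_PING" | alive_hosts
```

With `sort -u` alone the list would come out as .1, .107, .2 because the comparison is lexical; the second, octet-wise numeric sort gives the order an operator expects, and the unreachable line never reaches the output because it lacks "bytes from".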

 
