Introduction
In cybersecurity, passive reconnaissance is a valuable skill. It allows professionals, attackers, and essentially anyone with an internet connection, to gather information about a ‘target’ without directly interacting with the target system. This non-intrusive method, often the first step in ethical hacking, is excellent in identifying potential vulnerabilities and strategizing subsequent actions. Drawing from my own experience as a blue teamer, I’ve frequently employed passive information gathering to gain insights into potential attackers targeting our systems, ranging from investigating their IP addresses and domain names to finding out more information about suspected malicious websites.
In this two-part blog series, we’ll delve deep into passive reconnaissance, showcasing the top 20 commands and tools vital for anyone venturing into cybersecurity. This article, Part 1, will cover the first 10, with the subsequent part detailing the remaining techniques.
Why Passive Reconnaissance Matters
Passive reconnaissance serves as an essential component for discreetly gathering information. By using this method, we can learn a lot about a target without alerting them or leaving any evidence of our investigation within the target infrastructure. Here’s why passive reconnaissance is important:
Understanding Potential Vulnerabilities: With passive reconnaissance, you can get details about a target system’s setup, design, and the technologies it uses. This information can help spot potential weak spots or issues that might be taken advantage of in later stages of security testing or assessments.
Assessing Digital Footprint: Passive reconnaissance techniques let you see a target’s digital footprint. This can include finding out about domains linked to the target organization, any subdomains they use, email addresses connected to the domain, and other key details that help you get a clearer picture of the target.
Planning Subsequent Stages: The information you get from passive reconnaissance can help plan the next steps. Knowing what you’re dealing with helps decide which methods are most likely to work and where to focus efforts. The next steps often vary based on the goal of the information gathering:
-
Blue Team Perspective: Strengthen defenses, patch vulnerabilities, and anticipate potential attack vectors. Monitor for any suspicious activities based on the data gathered.
-
Red Team Perspective: Plan and execute attacks against the target. Their goal is often to exploit vulnerabilities and test the system’s resilience.
-
Malicious Attacker Perspective: Exploit vulnerabilities for personal gain, such as stealing data or causing disruptions.
By understanding all perspectives, it becomes clear how passive reconnaissance plays a crucial role in assisting certain goals. Whether you’re defending, testing, or attacking a system, the insights gained from this initial phase are invaluable.
Passive vs. Active Reconnaissance
While we’re focusing on passive reconnaissance, it’s essential to differentiate it from its counterpart: active reconnaissance. Passive reconnaissance is about gathering information without directly interacting with the target system, ensuring stealth and discretion. In contrast, active reconnaissance involves direct interaction with the target, such as pinging the system, port scanning, or even attempting to access open directories. While both are crucial in the reconnaissance phase, passive methods are favored when discretion is required.
The Top 20 Commands and Tools for Passive Reconnaissance
Before we delve into the specifics, it’s essential to understand that the tools and techniques we’re about to explore are powerful. They can provide a wealth of information, but this also comes with great responsibility.
Disclaimer: The demonstrations and techniques showcased in this blog are for educational purposes only. Always seek permission before conducting any reconnaissance or penetration testing against a target. Unauthorized scanning and data collection is illegal and unethical. Respect privacy and always act within the bounds of the law and ethical guidelines. Always prioritize ethical behavior. The knowledge shared here is powerful, and it’s crucial to use it responsibly.
Imagine you’re a cybersecurity investigator. You’ve been tasked with gathering as much information as possible about a particular company, your goal is to understand its digital footprint, the technologies it uses, and any potential vulnerabilities. Let’s embark on this journey together.
To provide a hands-on perspective, I’ll be using my website, Crushing Security, as an example.
Our exploration will be segmented into the following categories:
- Initial Domain Information: Tools and commands that provide foundational details about a domain, such as its registrar, creation date, and associated IP addresses.
- Website and Infrastructure Analysis: Techniques to understand the underlying technologies of a website, server details, and hosting information.
- Subdomains and Related Domains: Tools that help in uncovering subdomains associated with the main domain and other domains that might be related or connected.
- Deep OSINT and Data Gathering: Advanced open-source intelligence tools that dive deeper into gathering data about the target from various online sources.
- Potential Vulnerabilities and Threats: Techniques and tools that help in identifying possible security weaknesses associated with the target.
- Monitoring and Alerts: Tools that provide real-time or periodic monitoring of the target and alerting mechanisms for any changes or suspicious activities.
Now that we understand the importance of passive reconnaissance let’s dive into the top 20 commands and tools that will empower you to master this skill.
Initial Domain Information
When beginning passive reconnaissance against a target, the first step is often to gather foundational details about the domain in question. This lays the foundation for deeper investigations and can reveal crucial insights about the target’s online presence, affiliations, and potential vulnerabilities. In this section, we’ll explore tools and commands that help us uncover these initial pieces of information.
Progress Tracker:
Initial Domain Information
Website and Infrastructure Analysis
Subdomains and Related Domains
Deep OSINT and Data Gathering
Potential Vulnerabilities and Threats
Monitoring and Alerts
1. whois - The First Clue
Before diving deep, I start with the basics. Let’s see who’s behind CrushingSecurity.com.
Action: We can either run the whois
command, or utilize a website such as Free online network tools - traceroute, nslookup, dig, whois lookup, ping - IPv6
┌──(kali㉿kali)-[~]
└─$ whois crushingsecurity.com 1 ⨯
Domain Name: CRUSHINGSECURITY.COM
Registry Domain ID: 2688172295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2023-08-25T12:19:36Z
Creation Date: 2022-04-10T08:14:52Z
Registry Expiry Date: 2024-04-10T08:14:52Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: RACHEL.NS.CLOUDFLARE.COM
Name Server: RAM.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2023-09-28T18:31:09Z <<<
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain name: crushingsecurity.com
Registry Domain ID: 2688172295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2023-04-07T21:31:02.33Z
Creation Date: 2022-04-10T08:14:52.00Z
Registrar Registration Expiration Date: 2024-04-10T08:14:52.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.9854014545
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Redacted for Privacy
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: Kalkofnsvegur 2
Registrant City: Reykjavik
Registrant State/Province: Capital Region
Registrant Postal Code: 101
Registrant Country: IS
Registrant Phone: +354.4212434
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Redacted for Privacy
Admin Organization: Privacy service provided by Withheld for Privacy ehf
Admin Street: Kalkofnsvegur 2
Admin City: Reykjavik
Admin State/Province: Capital Region
Admin Postal Code: 101
Admin Country: IS
Admin Phone: +354.4212434
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: Redacted for Privacy
Tech Organization: Privacy service provided by Withheld for Privacy ehf
Tech Street: Kalkofnsvegur 2
Tech City: Reykjavik
Tech State/Province: Capital Region
Tech Postal Code: 101
Tech Country: IS
Tech Phone: +354.4212434
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: rachel.ns.cloudflare.com
Name Server: ram.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2023-09-28T03:24:26.36Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
Note: Alternatively, you can perform these queries on websites such as: Central Ops
Findings:
- The domain
crushingsecurity.com
is registered with NameCheap, Inc. - It was created on April 10, 2022, and is set to expire on April 10, 2024.
- The domain uses Cloudflare’s DNS servers:
rachel.ns.cloudflare.com
andram.ns.cloudflare.com
. - The domain’s IP addresses are
104.21.23.15
and172.67.208.73
, which belong to Cloudflare, Inc. - The domain’s registrant, admin, and tech details have been redacted for privacy, but they are associated with an organization in Reykjavik, Capital Region, Iceland.
- The domain is currently under the status of
clientTransferProhibited
, which means it cannot be transferred to another registrar without the owner’s consent.
Insights from the Findings:
- Domain Age: CrushingSecurity.com is a relatively recent domain, established just over a year ago. This could suggest a newer initiative or project.
- Cloudflare DNS: The domain’s reliance on Cloudflare’s DNS servers hints at a preference for performance and security, given Cloudflare’s reputation for DDoS protection and CDN services.
- Privacy Measures: The redacted registrant details show a deliberate effort to maintain privacy, a commendable security practice.
- Domain Transfer Protection: The
clientTransferProhibited
status acts as a safeguard against unauthorized domain transfers, indicating a layer of security against potential domain hijacking attempts.
2. dig - Investigating DNS Records
After understanding who’s behind CrushingSecurity.com, I want to delve deeper into its network infrastructure. DNS records can reveal a lot about a domain’s setup, including its IP addresses, mail servers, and more.
Action: To gather these details, I use the dig
command. This tool is perfect for querying DNS nameservers and getting a clearer picture of a domain’s setup.
┌──(kali㉿kali)-[~]
└─$ dig crushingsecurity.com A
; <<>> DiG 9.18.7-1-Debian <<>> crushingsecurity.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57134
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;crushingsecurity.com. IN A
;; ANSWER SECTION:
crushingsecurity.com. 300 IN A 172.67.208.73
crushingsecurity.com. 300 IN A 104.21.23.15
;; Query time: 32 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:17:39 EDT 2023
;; MSG SIZE rcvd: 81
┌──(kali㉿kali)-[~]
└─$ dig crushingsecurity.com MX
; <<>> DiG 9.18.7-1-Debian <<>> crushingsecurity.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42015
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;crushingsecurity.com. IN MX
;; ANSWER SECTION:
crushingsecurity.com. 300 IN MX 0 crushingsecurity-com.mail.protection.outlook.com.
;; Query time: 24 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:17:44 EDT 2023
;; MSG SIZE rcvd: 110
┌──(kali㉿kali)-[~]
└─$ dig crushingsecurity.com NS
; <<>> DiG 9.18.7-1-Debian <<>> crushingsecurity.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19331
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;crushingsecurity.com. IN NS
;; ANSWER SECTION:
crushingsecurity.com. 86400 IN NS rachel.ns.cloudflare.com.
crushingsecurity.com. 86400 IN NS ram.ns.cloudflare.com.
;; Query time: 28 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:17:49 EDT 2023
;; MSG SIZE rcvd: 102
┌──(kali㉿kali)-[~]
└─$ dig crushingsecurity.com TXT
; <<>> DiG 9.18.7-1-Debian <<>> crushingsecurity.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64856
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;crushingsecurity.com. IN TXT
;; ANSWER SECTION:
crushingsecurity.com. 300 IN TXT "MS=ms79582234"
crushingsecurity.com. 300 IN TXT "v=spf1 include:_spf.mlsend.com include:spf.protection.outlook.com -all"
;; Query time: 32 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:17:54 EDT 2023
;; MSG SIZE rcvd: 158
┌──(kali㉿kali)-[~]
└─$ dig www.crushingsecurity.com CNAME
; <<>> DiG 9.18.7-1-Debian <<>> www.crushingsecurity.com CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.crushingsecurity.com. IN CNAME
;; AUTHORITY SECTION:
crushingsecurity.com. 1800 IN SOA rachel.ns.cloudflare.com. dns.cloudflare.com. 2319522339 10000 2400 604800 1800
;; Query time: 32 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:18:04 EDT 2023
;; MSG SIZE rcvd: 114
In the above dig queries I have queried for the following:
- A Record (
dig domain.com A
):- Returns the IP addresses associated with the domain.
- Indicates where the domain’s website is hosted.
- MX Record (
dig domain.com MX
):- Returns the Mail Exchange records.
- Indicates the mail servers responsible for receiving email messages on behalf of a domain.
- NS Record (
dig domain.com NS
):- Returns the Name Server records.
- Indicates which DNS servers are authoritative for the domain.
- TXT Record (
dig domain.com TXT
):- Returns the Text records.
- Often used for various purposes like verifying domain ownership, SPF records (for email security), etc.
- CNAME Record (
dig subdomain.domain.com CNAME
):- Returns the Canonical Name record.
- Indicates that the domain name is an alias for another domain, to which it’s mapped.
Note: Alternatively, you can perform these queries on websites such as: https://mxtoolbox.com/
Findings:
- The ‘A’ records for
crushingsecurity.com
are104.21.23.15
and172.67.208.73
. - The domain uses Cloudflare’s DNS servers:
rachel.ns.cloudflare.com
andram.ns.cloudflare.com
. - The MX record indicates the use of Microsoft’s email protection services with the address
crushingsecurity-com.mail.protection.outlook.com
. - TXT records provide SPF information, indicating allowed email senders for the domain, and a Microsoft verification string.
- There’s no specific CNAME record for the
www
subdomain, suggesting it uses the main domain’s A records.
Insights from the Findings:
- Cloudflare Hosting: The IP addresses associated with the domain are typical of Cloudflare, reinforcing the notion of a performance and security-centric setup.
- Microsoft’s Email Protection: The MX record points to Microsoft’s email protection services, suggesting a commitment to secure email communication.
- Email Security: The presence of SPF records in the TXT entries indicates measures to prevent email spoofing, a common attack vector.
3. host - A Quick Glance at Domain Details
After diving into DNS records, I like to use the host
command for a quick overview of a domain’s basic details. It’s a simple tool that provides a concise summary of a domain’s IP addresses and other associated records.
Action: To gather these details, I use the host
command.
┌──(kali㉿kali)-[~]
└─$ host crushingsecurity.com
crushingsecurity.com has address 104.21.23.15
crushingsecurity.com has address 172.67.208.73
crushingsecurity.com has IPv6 address 2606:4700:3033::6815:170f
crushingsecurity.com has IPv6 address 2606:4700:3031::ac43:d049
crushingsecurity.com mail is handled by 0 crushingsecurity-com.mail.protection.outlook.com.
Findings:
- The domain
crushingsecurity.com
resolves to two IPv4 addresses:104.21.23.15
and172.67.208.73
. - The domain also has two associated IPv6 addresses:
2606:4700:3033::6815:170f
and2606:4700:3031::ac43:d049
. - The mail for
crushingsecurity.com
is managed bycrushingsecurity-com.mail.protection.outlook.com
.
Insights from the Findings:
- Robust Hosting: Multiple IP addresses, both in IPv4 and IPv6 formats, suggest a setup optimized for redundancy and performance.
- Consistent Email Security: The MX record’s alignment with previous findings from the
dig
command underscores the domain’s focus on secure email practices.
4. nslookup - DNS Lookup Utility
To further validate and cross-check the information, I use nslookup
. It’s another tool for querying DNS servers to obtain domain name or IP address mappings.
Action: Running the nslookup
command for crushingsecurity.com
.
┌──(kali㉿kali)-[~]
└─$ nslookup crushingsecurity.com
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: crushingsecurity.com
Address: 104.21.23.15
Name: crushingsecurity.com
Address: 172.67.208.73
Name: crushingsecurity.com
Address: 2606:4700:3031::ac43:d049
Name: crushingsecurity.com
Address: 2606:4700:3033::6815:170f
Findings:
- The domain
crushingsecurity.com
resolves to the same IP addresses as found with thehost
anddig
commands. - The DNS server used for this lookup is
1.1.1.1
, which is Cloudflare’s public DNS resolver.
Insights from the Findings:
- Consistent Data: The matching results across various tools (whois, dig, host, and nslookup) provide a high degree of confidence in the data’s accuracy.
- Cloudflare’s Public DNS: Utilizing Cloudflare’s public DNS resolver for the lookup showcases a commitment to fast and privacy-centric queries.
Summary: Initial Domain Information
In our exploration of crushingsecurity.com
, we utilized a suite of tools to gather foundational details about the domain. These details not only provide insights into the domain’s setup but also set the stage for deeper investigations. Here’s an overview of our findings:
- Domain Registration and Ownership: The domain is registered with NameCheap, Inc., created in April 2022, and is set to expire in April 2024. The registrant details have been redacted for privacy but are associated with Reykjavik, Iceland.
- Hosting and Infrastructure:
crushingsecurity.com
is hosted on Cloudflare, as indicated by its IP addresses and DNS servers. This choice suggests a focus on performance and security. - Email Configuration: The domain’s email setup leans on Microsoft’s protection services, emphasizing secure email communication. SPF records further enhance email security by reducing the chance of email spoofing.
- Additional Insights: The domain’s recent creation might indicate a newer initiative. The use of Cloudflare and Microsoft services, combined with privacy measures and domain transfer protection, suggests that this is a domain that values security and performance.
As we delve deeper into our investigation, these foundational details will guide our next steps, helping us understand the website’s infrastructure and potential vulnerabilities better. Up next, we’ll dive into the passive recon techniques for website and infrastructure analysis, where we’ll uncover more about the technologies powering crushingsecurity.com
and potential areas of interest.
Website and Infrastructure Analysis
After gathering initial domain information, it’s crucial to understand the underlying technologies of a website and its infrastructure. This section will provide insights into the server details, hosting information, and other technical aspects of the target.
Progress Tracker:
Initial Domain Information
Website and Infrastructure Analysis
Subdomains and Related Domains
Deep OSINT and Data Gathering
Potential Vulnerabilities and Threats
Monitoring and Alerts
5. BuiltWith - Discovering Web Technologies
To understand the technologies behind a website, I use BuiltWith. It’s a web service that provides details about the technologies used to build and host a website.
Action: Visit BuiltWith and enter the domain crushingsecurity.com
.
Findings from BuiltWith for CrushingSecurity.com:
Key Technologies:
- MailerLite: Email marketing software.
- Create React App & Material-UI: Website built using React and Material Design.
- Cloudflare & Oracle Cloud: Hosting and CDN services.
- React: Frontend JavaScript library.
- Office 365 Mail & SPF: Email services and security.
- SSL by Default & HSTS: Security measures for data in transit.
Insights from the Findings:
- MailerLite: The presence of MailerLite indicates potential email collection points on the website. Such collection points could be of interest for attackers looking to exploit potential vulnerabilities in form handling or to access stored email data.
- React & Material-UI: The website’s reliance on React and Material-UI suggests a modern design approach. However, like all frameworks, vulnerabilities can emerge over time. An attacker might look for outdated libraries or exposed data through React’s state or props.
- Cloudflare & Oracle Cloud: The dual hosting setup with Cloudflare and Oracle Cloud indicates a layered infrastructure. While Cloudflare offers DDoS protection, attackers often attempt to discover the original IP of the server to bypass such protections. On the Oracle Cloud side, any misconfigured security lists or exposed credentials could be potential entry points.
- Office 365 Mail & SPF: The use of SPF is a proactive step against email spoofing. However, attackers familiar with email security might probe for the absence of other protective measures like DMARC and DKIM. Additionally, any misconfigurations in mailbox rules or forwarding settings in Office 365 could be exploited.
- SSL & HSTS: The commitment to secure data in transit through SSL and HSTS is evident. Yet, expired or misconfigured SSL certificates can be a weak link. Attackers might also look for domains not covered by the HSTS policy or attempt to exploit older protocols if they are still supported.
6. urlscan.io - Web Page Analysis and Visualization
urlscan.io is a powerful tool that provides insights into the content, behavior, and structure of websites. It allows for passive analysis of web pages, offering visual representation, and comprehensive data about IP addresses, domain relationships, HTTP requests, and more.
Action: For a passive approach, I utilized urlscan.io to gather comprehensive information about crushingsecurity.com
without directly visiting the site.
Findings from urlscan.io for CrushingSecurity.com:
- IP and Domain Information: The website contacted 2 IPs across 1 domain. The main IP is
2606:4700:3033::6815:170f
, located in the United States and belongs toCLOUDFLARENET
. - TLS Certificate: Issued by
GTS CA 1P5
on August 25th, 2023, and is valid for 3 months. - HTTP Transactions: There were 34 HTTP transactions, all of which were secured using HTTPS.
- Resources: The site loads various resources like JavaScript files, CSS, fonts, and images.
- API Calls: There were multiple calls to
api.crushingsecurity.com
, some of which resulted in a401
status, indicating unauthorized access attempts. - Outgoing Links: There are 73 outgoing links, many of which lead to different sections of the
crushingsecurity.com
community, indicating a rich ecosystem of content and resources.
urlscan summary
urlscan outgoing links
urlscan behavior (API calls etc)
Insights from the Findings:
- Modern Web Infrastructure: Again, the use of Cloudflare and the presence of chunked JavaScript files suggest a modern web infrastructure.
- Security Emphasis: All HTTP transactions being secured with HTTPS and the use of HSTS (from previous findings) indicate a strong commitment to security.
- Community Engagement: The numerous outgoing links to the community section of
crushingsecurity.com
highlight an active and engaged user base. - API Interactions: The multiple calls to the API endpoints suggest dynamic content loading and possibly user authentication mechanisms. These endpoints could be extremely valuable for later proving of information / potential authentication bypass attempts.
7. Netcraft Site Report - Web Server Technologies and Hosting History
Netcraft provides a comprehensive web server survey, and its Site Report tool offers insights into the hosting history, technology stack, and other details of a website.
Action: I’ll use the Netcraft Site Report to gather details about crushingsecurity.com
.
Findings from Netcraft Site Report for CrushingSecurity.com:
- Hosting History: The website has been consistently hosted with Cloudflare, Inc., indicating a preference for Cloudflare’s content delivery network and security services.
- Hosting Provider: The website is hosted by Cloudflare, which is known for its content delivery network, DDoS protection, and other web security features.
- Nameserver: The domain uses Cloudflare’s nameservers, further confirming its reliance on Cloudflare services.
- Content Management System (CMS): The website’s title suggests it was created using
create-react-app
, a popular JavaScript library for building user interfaces. - Technologies: The website uses JavaScript and is served through Cloudflare’s CDN. It also uses UTF8 character encoding and Gzip for HTTP compression.
Insights from the Findings:
- Cloudflare Services: The consistent use of Cloudflare services, from hosting to DNS, indicates a strong reliance on Cloudflare for performance, security, and reliability.
- React App: The website being a React App suggests a modern web development approach, focusing on dynamic content and user interactivity.
- Web Technologies: The use of JavaScript, UTF8, and Gzip indicates a focus on performance and efficient data transmission.
8. Censys - Another Internet Search Engine
Censys is similar to Shodan but provides a different perspective and dataset. It scans the internet constantly to provide fresh data about exposed devices and services.
Action: Visit Censys and search for crushingsecurity.com
.
Findings from Censys for crushingsecurity.com
:
- IP Address: The domain resolves to
144.21.55.183
. - Location: The server is located in London, United Kingdom.
- Autonomous System: The server is part of the ORACLE-BMC-31898 autonomous system.
- DNS Records: The domain has associated DNS names
community.crushingsecurity.com
andforum.crushingsecurity.com
. - SSL/TLS Certificates: The SSL certificate is issued by Let’s Encrypt, with a public key algorithm of RSA (4096 bit). It’s valid from Jul 3, 2023, to Oct 1, 2023.
- HTTP Service on Port 80: The server responds with a 301 Moved Permanently status, redirecting to
https://community.crushingsecurity.com/
. - HTTPS Service on Port 443: Similar to the HTTP service, it redirects to the secure version of the site with a 301 Moved Permanently status. The server also enforces Strict Transport Security with a max-age of 63072000.
- Server Metadata: The server runs on
nginx/1.23.3
.
Insights from the Findings:
- Robust SSL Configuration: The use of a 4096-bit RSA certificate from Let’s Encrypt indicates a strong encryption setup, ensuring secure communications.
- Consistent Redirection: Both HTTP and HTTPS services redirect to the secure version of the site, emphasizing a commitment to secure web traffic.
- Server Information: The use of
nginx/1.23.3
provides insights into the web server technology in use, which can be useful for further investigations or vulnerability assessments. - Geographical Location: The server’s location in London might indicate where the primary audience or user base is located or where the hosting infrastructure is optimized.
- Autonomous System Insights: Being part of the ORACLE-BMC-31898 autonomous system suggests that the infrastructure is hosted on Oracle Cloud, consistent with previous findings.
Next, we’ll explore subdomains and related domains associated with crushingsecurity.com
.
Summary: Website and Infrastructure Analysis
In our deep dive into the website and infrastructure of crushingsecurity.com
, several key insights emerged:
- Modern Web Development: The site heavily relies on contemporary technologies like React, Material-UI, and Emotion, indicating a focus on user experience and dynamic content delivery.
- Security Emphasis: The consistent implementation of security measures such as SSL, HSTS, and SPF across different tools underscores the site’s commitment to data protection. The use of Cloudflare not only for hosting but also for DNS and CDN services showcases a practical approach to web security. Additionally, the findings from urlscan.io and Censys further emphasize the site’s dedication to security, with all HTTP transactions being secured with HTTPS, a robust SSL configuration, and a valid TLS certificate in place.
- Performance: The website’s configuration as a Progressive Web App (PWA) and its support for HTTP/3 highlight an emphasis on speed and offline capabilities. The site’s interactions with various resources and API calls, as observed from urlscan.io, suggest dynamic content loading and possibly user authentication mechanisms.
- Email Infrastructure: The presence of MailerLite and Office 365 Mail suggests potential email collection points and a proactive stance against email spoofing.
- Network Insights: The Censys analysis provided insights into the server’s geographical location, its association with Oracle Cloud, and its robust SSL configuration. This, combined with the detailed IP and domain information from urlscan.io, gives a comprehensive understanding of the site’s network infrastructure.
- Community Engagement: The numerous outgoing links to the community section of
crushingsecurity.com
, as identified by urlscan.io, highlight an active and engaged user base, indicating a rich ecosystem of content and resources.
Subdomains and Related Domains
Subdomains often host different parts of a website, such as forums, blogs, or e-commerce platforms. Identifying these subdomains can provide a more comprehensive view of the target’s online presence. Additionally, understanding related domains can give insights into other projects, affiliations, or ventures associated with the main domain. In this section, we’ll explore tools that help uncover these subdomains and related domains to paint a clearer picture of the target’s digital landscape.
Initial Domain Information
Website and Infrastructure Analysis
Subdomains and Related Domains
Deep OSINT and Data Gathering
Potential Vulnerabilities and Threats
Monitoring and Alerts
9. DNSdumpster - DNS Recon & Research
DNSdumpster is a free domain research tool that provides a visual map of DNS entries for a domain. It’s an excellent tool for discovering hosts related to a domain, especially for passive DNS reconnaissance.
Action: I utilized DNSdumpster to gather comprehensive DNS information about crushingsecurity.com
.
Findings from DNSdumpster for crushingsecurity.com
:
- DNS Servers: The domain uses Cloudflare’s DNS servers, specifically
rachel.ns.cloudflare.com
andram.ns.cloudflare.com
. - MX Records: The domain’s mail exchange (MX) record points to
crushingsecurity-com.mail.protection.outlook.com
, indicating that the domain uses Microsoft’s Outlook for its email services. - TXT Records: Two TXT records were found:
"MS=ms79582234"
"v=spf1 include:_spf.mlsend.com include:spf.protection.outlook.com -all"
- Host Records (A):
- Main domain (
crushingsecurity.com
) resolves to two IP addresses:172.67.208.73
and104.21.23.15
. - Subdomain
forum.crushingsecurity.com
resolves to144.21.55.183
. - Another subdomain
lhr.dev.community.crushingsecurity.com
resolves to144.21.59.208
.
- Main domain (
dnsdumpster results
dnsdumpster generated map to visualize findings
Insights from the Findings:
- Cloudflare Usage: The domain’s reliance on Cloudflare’s DNS servers is consistent with previous findings, emphasizing its use of Cloudflare services.
- Email Services: The MX record pointing to Outlook and the associated TXT records suggest that the domain uses Microsoft’s email services, possibly Office 365.
- Subdomains: Two subdomains were identified,
forum.crushingsecurity.com
andlhr.dev.community.crushingsecurity.com
. These could be areas of interest for further investigation, as they might host different content or services than the main domain.
10. SecurityTrails - Comprehensive Domain Information and Subdomain Enumeration
SecurityTrails is a platform that provides comprehensive data about domains, including DNS records, subdomains, historical data, and more. It’s a valuable tool for passive subdomain enumeration and understanding the broader digital footprint of a domain.
Action: I utilized SecurityTrails to gather detailed DNS information and enumerate subdomains for crushingsecurity.com
.
Findings from SecurityTrails for crushingsecurity.com
:
- Enumerated Subdomains:
dev.crushingsecurity.com
lhr.dev.community.crushingsecurity.com
newsletter.crushingsecurity.com
www.crushingsecurity.com
kb.crushingsecurity.com
blogs.crushingsecurity.com
contact.crushingsecurity.com
mail.crushingsecurity.com
support.crushingsecurity.com
forum.crushingsecurity.com
api.crushingsecurity.com
earlyaccess.crushingsecurity.com
community.crushingsecurity.com
autodiscover.crushingsecurity.com
Insights from the Findings:
- Diverse Subdomains: The variety of subdomains suggests a multifaceted online presence, with potential areas dedicated to development (
dev
), community engagement (forum
,community
), support (support
), and more. - Potential Areas of Interest: The identified subdomains could host different functionalities or services than the main domain. For instance, the “newsletter” subdomain might be related to email campaigns, while the “earlyaccess” subdomain could be a portal for beta testers or early adopters. Each of these subdomains can be potential areas for further investigation or vulnerability assessments.
Security Trails DNS Records
Security Trails Subdomains
With the combined findings from DNSdumpster and SecurityTrails, we have a comprehensive list of subdomains associated with crushingsecurity.com
. These subdomains can be further probed for vulnerabilities, misconfigurations, or other potential areas of interest in subsequent sections of our investigation.
Part 1 Summary
In the first segment of our exploration, we uncovered the digital footprint of our target crushingsecurity.com
through a series of passive reconnaissance techniques. We’ve managed to gather a wealth of information without directly interacting with the target, ensuring our activities remain low-key and undetected.
Here’s a recap of our accomplishments:
Initial Domain Information: We began by understanding the foundational details of the domain, such as its registration, hosting, and associated metadata. This provided us with a baseline understanding of the target’s online presence.
Website and Infrastructure Analysis: Delving deeper, we explored the underlying technologies and infrastructure supporting the website. From web development frameworks to hosting providers, we pieced together a comprehensive view of the site’s technical landscape.
Subdomains and Related Domains: We didn’t stop at the main domain. We ventured into subdomains, uncovering additional areas of interest to potentially target. This step was crucial, as subdomains often host different functionalities and can reveal more about the target’s operations.
With Part 1 wrapped up, we’ve set the stage for a deeper dive.
Coming Up in Part 2:
In the next part of this series, we’ll escalate our efforts, employing a new set of tools and techniques to demonstrate a range of other tools and techniques to perform passive reconnaissance. We’ll be focusing on:
Deep OSINT and Data Gathering: Here, we’ll perform open-source intelligence to uncover hidden details, relationships, and patterns related to our target.
Potential Vulnerabilities and Threats: With the information at hand, we’ll assess potential weak points and threats that could be exploited by malicious actors.
Monitoring and Alerts: Finally, we’ll explore tools and techniques to keep a watchful eye on the target, setting up alerts for any changes or suspicious activities.
What’s Next?
Stay tuned for Part 2, where we’ll continue our journey into the depths of passive reconnaissance, unveiling more tips and tricks to enhance your reconnaissance skills!
To be the first to hear about the next blog:
Connect on Twitter - CrushingSecurity
Connect on Twitter - Steve
Stay Updated with Our Cybersecurity Newsletter
Do you have any questions or would like to share your thoughts? Be sure to join and contribute here! Join Our Community We’d love to hear from other members of the community and share knowledge to all become cyber pros!
For a comprehensive list of all the passive reconnaissance tools mentioned in this blog, as well as any future additions, please visit our masterlist: Passive Reconnaissance Tools Masterlist.
Connect with me:
Twitter
Stay Updated with Our Cybersecurity Newsletter
Want to support our mission to spread cybersecurity awareness? Support Our Mission