Mastering Passive Reconnaissance: Top 20 techniques for Ethical Information Gathering (Part 1)

Introduction

In cybersecurity, passive reconnaissance is a valuable skill. It allows professionals, attackers, and essentially anyone with an internet connection to gather information about a ‘target’ without directly interacting with the target system. This non-intrusive method, often the first step in ethical hacking, is excellent at identifying potential vulnerabilities and strategizing subsequent actions. Drawing from my own experience as a blue teamer, I’ve frequently employed passive information gathering to gain insights into potential attackers targeting our systems, ranging from investigating their IP addresses and domain names to finding out more information about suspected malicious websites.

In this two-part blog series, we’ll delve deep into passive reconnaissance, showcasing the top 20 commands and tools vital for anyone venturing into cybersecurity. This article, Part 1, will cover the first 10, with the subsequent part detailing the remaining techniques.

Why Passive Reconnaissance Matters

Passive reconnaissance serves as an essential component for discreetly gathering information. By using this method, we can learn a lot about a target without alerting them or leaving any evidence of our investigation within the target infrastructure. Here’s why passive reconnaissance is important:

:mag: Understanding Potential Vulnerabilities: With passive reconnaissance, you can get details about a target system’s setup, design, and the technologies it uses. This information can help spot potential weak spots or issues that might be taken advantage of in later stages of security testing or assessments.

:footprints: Assessing Digital Footprint: Passive reconnaissance techniques let you see a target’s digital footprint. This can include finding out about domains linked to the target organization, any subdomains they use, email addresses connected to the domain, and other key details that help you get a clearer picture of the target.

:clipboard: Planning Subsequent Stages: The information you get from passive reconnaissance can help plan the next steps. Knowing what you’re dealing with helps decide which methods are most likely to work and where to focus efforts. The next steps often vary based on the goal of the information gathering:

  • :shield: Blue Team Perspective: Strengthen defenses, patch vulnerabilities, and anticipate potential attack vectors. Monitor for any suspicious activities based on the data gathered.

  • :dart: Red Team Perspective: Plan and execute attacks against the target. Their goal is often to exploit vulnerabilities and test the system’s resilience.

  • :warning: Malicious Attacker Perspective: Exploit vulnerabilities for personal gain, such as stealing data or causing disruptions.

By understanding all perspectives, it becomes clear how passive reconnaissance plays a crucial role in assisting certain goals. Whether you’re defending, testing, or attacking a system, the insights gained from this initial phase are invaluable.

Passive vs. Active Reconnaissance

While we’re focusing on passive reconnaissance, it’s essential to differentiate it from its counterpart: active reconnaissance. Passive reconnaissance is about gathering information without directly interacting with the target system, ensuring stealth and discretion. In contrast, active reconnaissance involves direct interaction with the target, such as pinging the system, port scanning, or even attempting to access open directories. While both are crucial in the reconnaissance phase, passive methods are favored when discretion is required.

The Top 20 Commands and Tools for Passive Reconnaissance

Before we delve into the specifics, it’s essential to understand that the tools and techniques we’re about to explore are powerful. They can provide a wealth of information, but this also comes with great responsibility.

Disclaimer: The demonstrations and techniques showcased in this blog are for educational purposes only. Always seek permission before conducting any reconnaissance or penetration testing against a target. Unauthorized scanning and data collection is illegal and unethical. Respect privacy and always act within the bounds of the law and ethical guidelines. Always prioritize ethical behavior. The knowledge shared here is powerful, and it’s crucial to use it responsibly.

Imagine you’re a cybersecurity investigator. You’ve been tasked with gathering as much information as possible about a particular company; your goal is to understand its digital footprint, the technologies it uses, and any potential vulnerabilities. Let’s embark on this journey together.

To provide a hands-on perspective, I’ll be using my website, Crushing Security, as an example.

Our exploration will be segmented into the following categories:

  • :globe_with_meridians: Initial Domain Information: Tools and commands that provide foundational details about a domain, such as its registrar, creation date, and associated IP addresses.
  • :spider_web: Website and Infrastructure Analysis: Techniques to understand the underlying technologies of a website, server details, and hosting information.
  • :link: Subdomains and Related Domains: Tools that help in uncovering subdomains associated with the main domain and other domains that might be related or connected.
  • :male_detective: Deep OSINT and Data Gathering: Advanced open-source intelligence tools that dive deeper into gathering data about the target from various online sources.
  • :no_entry_sign: Potential Vulnerabilities and Threats: Techniques and tools that help in identifying possible security weaknesses associated with the target.
  • :rotating_light: Monitoring and Alerts: Tools that provide real-time or periodic monitoring of the target and alerting mechanisms for any changes or suspicious activities.

Now that we understand the importance of passive reconnaissance, let’s dive into the top 20 commands and tools that will empower you to master this skill.

:globe_with_meridians: Initial Domain Information

When beginning passive reconnaissance against a target, the first step is often to gather foundational details about the domain in question. These details lay the groundwork for deeper investigation and can reveal crucial insights about the target’s online presence, affiliations, and potential vulnerabilities. In this section, we’ll explore tools and commands that help us uncover these initial pieces of information.

Progress Tracker:

:arrow_right: :globe_with_meridians: Initial Domain Information
:white_large_square: :wrench: Website and Infrastructure Analysis
:white_large_square: :link: Subdomains and Related Domains
:white_large_square: :male_detective: Deep OSINT and Data Gathering
:white_large_square: :no_entry_sign: Potential Vulnerabilities and Threats
:white_large_square: :rotating_light: Monitoring and Alerts

1. whois - The First Clue

Before diving deep, I start with the basics. Let’s see who’s behind CrushingSecurity.com.

:wrench: Action: We can either run the whois command, or use an online lookup service such as Central Ops (free online network tools: traceroute, nslookup, dig, whois lookup, ping).

┌──(kali㉿kali)-[~]
└─$ whois crushingsecurity.com
   Domain Name: CRUSHINGSECURITY.COM
   Registry Domain ID: 2688172295_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2023-08-25T12:19:36Z
   Creation Date: 2022-04-10T08:14:52Z
   Registry Expiry Date: 2024-04-10T08:14:52Z
   Registrar: NameCheap, Inc.
   Registrar IANA ID: 1068
   Registrar Abuse Contact Email: [email protected]
   Registrar Abuse Contact Phone: +1.6613102107
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: RACHEL.NS.CLOUDFLARE.COM
   Name Server: RAM.NS.CLOUDFLARE.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2023-09-28T18:31:09Z <<<

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain name: crushingsecurity.com
Registry Domain ID: 2688172295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2023-04-07T21:31:02.33Z
Creation Date: 2022-04-10T08:14:52.00Z
Registrar Registration Expiration Date: 2024-04-10T08:14:52.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.9854014545
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: 
Registrant Name: Redacted for Privacy
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: Kalkofnsvegur 2 
Registrant City: Reykjavik
Registrant State/Province: Capital Region
Registrant Postal Code: 101
Registrant Country: IS
Registrant Phone: +354.4212434
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: [email protected]
Registry Admin ID: 
Admin Name: Redacted for Privacy
Admin Organization: Privacy service provided by Withheld for Privacy ehf
Admin Street: Kalkofnsvegur 2 
Admin City: Reykjavik
Admin State/Province: Capital Region
Admin Postal Code: 101
Admin Country: IS
Admin Phone: +354.4212434
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: [email protected]
Registry Tech ID: 
Tech Name: Redacted for Privacy
Tech Organization: Privacy service provided by Withheld for Privacy ehf
Tech Street: Kalkofnsvegur 2 
Tech City: Reykjavik
Tech State/Province: Capital Region
Tech Postal Code: 101
Tech Country: IS
Tech Phone: +354.4212434
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: [email protected]
Name Server: rachel.ns.cloudflare.com
Name Server: ram.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2023-09-28T03:24:26.36Z <<<
For more information on Whois status codes, please visit https://icann.org/epp

Note: Alternatively, you can perform these queries on websites such as: Central Ops

:bar_chart: Findings:

  • The domain crushingsecurity.com is registered with NameCheap, Inc.
  • It was created on April 10, 2022, and is set to expire on April 10, 2024.
  • The domain uses Cloudflare’s DNS servers: rachel.ns.cloudflare.com and ram.ns.cloudflare.com.
  • The domain’s IP addresses are 104.21.23.15 and 172.67.208.73, which belong to Cloudflare, Inc.
  • The domain’s registrant, admin, and tech details have been redacted for privacy, but they are associated with an organization in Reykjavik, Capital Region, Iceland.
  • The domain is currently under the status of clientTransferProhibited, which means it cannot be transferred to another registrar without the owner’s consent.

:thinking: Insights from the Findings:

  • Domain Age: CrushingSecurity.com is a relatively recent domain, established just over a year ago. This could suggest a newer initiative or project.
  • Cloudflare DNS: The domain’s reliance on Cloudflare’s DNS servers hints at a preference for performance and security, given Cloudflare’s reputation for DDoS protection and CDN services.
  • Privacy Measures: The redacted registrant details show a deliberate effort to maintain privacy, a commendable security practice.
  • Domain Transfer Protection: The clientTransferProhibited status acts as a safeguard against unauthorized domain transfers, indicating a layer of security against potential domain hijacking attempts.
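To turn raw whois output into the findings listed above, here is an added example in Python (not code from the original post): it parses the key/value lines, collapses the duplicated name servers, and derives domain age, days to expiry, the transfer lock and privacy redaction. The sample text is a trimmed copy of the output above, and the report date is the database timestamp printed in it.

```python
"""Turn raw whois output into the findings a recon report lists.

Added example, not part of the original post. parse_whois() reads the
'Key: value' lines that the whois command prints (repeated keys such as
Name Server are kept as lists) and whois_findings() derives registrar,
creation/expiry dates, domain age, transfer lock, DNSSEC and privacy
redaction from them.
"""
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the whois output shown above
# (registry section plus the redacted registrant fields from the registrar
# section). The report date is the database timestamp in that output.
SAMPLE_WHOIS = """\
   Domain Name: CRUSHINGSECURITY.COM
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2023-08-25T12:19:36Z
   Creation Date: 2022-04-10T08:14:52Z
   Registry Expiry Date: 2024-04-10T08:14:52Z
   Registrar: NameCheap, Inc.
   Registrar IANA ID: 1068
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: RACHEL.NS.CLOUDFLARE.COM
   Name Server: RAM.NS.CLOUDFLARE.COM
   DNSSEC: unsigned
>>> Last update of whois database: 2023-09-28T18:31:09Z <<<
Registrant Name: Redacted for Privacy
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Country: IS
Registrant Phone Ext:
Name Server: rachel.ns.cloudflare.com
Name Server: ram.ns.cloudflare.com
"""
REPORT_DATE = datetime(2023, 9, 28, tzinfo=timezone.utc)


def parse_whois(text):
    """Map lower-cased field names to the list of values seen for them."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>"):
            continue  # banners and footers carry no field
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue  # empty fields such as 'Registrant Phone Ext:' are skipped
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def first(fields, key):
    """First value for a field, or None when the output lacks it."""
    return fields.get(key, [None])[0]


def parse_date(value):
    """Parse a whois timestamp; registrar output adds fractional seconds."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def whois_findings(text, today):
    """Derive the report-level findings from raw whois text."""
    f = parse_whois(text)
    created = parse_date(first(f, "creation date"))
    # Registry and registrar sections name the expiry field differently.
    expires = parse_date(first(f, "registry expiry date")
                         or first(f, "registrar registration expiration date"))
    # 'Domain Status' values carry a trailing ICANN URL; keep the code only.
    statuses = {s.split()[0] for s in f.get("domain status", [])}
    owner_fields = f.get("registrant name", []) + f.get("registrant organization", [])
    return {
        "registrar": first(f, "registrar"),
        "created": created.date().isoformat(),
        "expires": expires.date().isoformat(),
        "age_days": (today - created).days,
        "days_to_expiry": (expires - today).days,
        # Upper/lower-case duplicates across sections collapse to one set.
        "name_servers": sorted({ns.lower() for ns in f.get("name server", [])}),
        "transfer_locked": "clientTransferProhibited" in statuses,
        "dnssec": first(f, "dnssec"),
        "privacy_redacted": any("privacy" in v.lower() for v in owner_fields),
        "registrant_country": first(f, "registrant country"),
    }


def sample_findings():
    """The findings for the sample output above, as of the report date."""
    return whois_findings(SAMPLE_WHOIS, REPORT_DATE)


if __name__ == "__main__":
    for key, value in sample_findings().items():
        print(f"{key:20} {value}")
```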

2. dig - Investigating DNS Records

After understanding who’s behind CrushingSecurity.com, I want to delve deeper into its network infrastructure. DNS records can reveal a lot about a domain’s setup, including its IP addresses, mail servers, and more.

:wrench: Action: To gather these details, I use the dig command. This tool is perfect for querying DNS nameservers and getting a clearer picture of a domain’s setup.

┌──(kali㉿kali)-[~]
└─$ dig crushingsecurity.com A


; <<>> DiG 9.18.7-1-Debian <<>> crushingsecurity.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57134
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;crushingsecurity.com.          IN      A

;; ANSWER SECTION:
crushingsecurity.com.   300     IN      A       172.67.208.73
crushingsecurity.com.   300     IN      A       104.21.23.15

;; Query time: 32 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:17:39 EDT 2023
;; MSG SIZE  rcvd: 81

┌──(kali㉿kali)-[~]
└─$ dig crushingsecurity.com MX

; <<>> DiG 9.18.7-1-Debian <<>> crushingsecurity.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42015
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;crushingsecurity.com.          IN      MX

;; ANSWER SECTION:
crushingsecurity.com.   300     IN      MX      0 crushingsecurity-com.mail.protection.outlook.com.

;; Query time: 24 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:17:44 EDT 2023
;; MSG SIZE  rcvd: 110

┌──(kali㉿kali)-[~]
└─$ dig crushingsecurity.com NS

; <<>> DiG 9.18.7-1-Debian <<>> crushingsecurity.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19331
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;crushingsecurity.com.          IN      NS

;; ANSWER SECTION:
crushingsecurity.com.   86400   IN      NS      rachel.ns.cloudflare.com.
crushingsecurity.com.   86400   IN      NS      ram.ns.cloudflare.com.

;; Query time: 28 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:17:49 EDT 2023
;; MSG SIZE  rcvd: 102

┌──(kali㉿kali)-[~]
└─$ dig crushingsecurity.com TXT

; <<>> DiG 9.18.7-1-Debian <<>> crushingsecurity.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64856
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;crushingsecurity.com.          IN      TXT

;; ANSWER SECTION:
crushingsecurity.com.   300     IN      TXT     "MS=ms79582234"
crushingsecurity.com.   300     IN      TXT     "v=spf1 include:_spf.mlsend.com include:spf.protection.outlook.com -all"

;; Query time: 32 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:17:54 EDT 2023
;; MSG SIZE  rcvd: 158

┌──(kali㉿kali)-[~]
└─$ dig www.crushingsecurity.com CNAME


; <<>> DiG 9.18.7-1-Debian <<>> www.crushingsecurity.com CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.crushingsecurity.com.      IN      CNAME

;; AUTHORITY SECTION:
crushingsecurity.com.   1800    IN      SOA     rachel.ns.cloudflare.com. dns.cloudflare.com. 2319522339 10000 2400 604800 1800

;; Query time: 32 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Sep 28 14:18:04 EDT 2023
;; MSG SIZE  rcvd: 114

The dig queries above request the following record types:

  • A Record (dig domain.com A):
    • Returns the IP addresses associated with the domain.
    • Indicates where the domain’s website is hosted.
  • MX Record (dig domain.com MX):
    • Returns the Mail Exchange records.
    • Indicates the mail servers responsible for receiving email messages on behalf of a domain.
  • NS Record (dig domain.com NS):
    • Returns the Name Server records.
    • Indicates which DNS servers are authoritative for the domain.
  • TXT Record (dig domain.com TXT):
    • Returns the Text records.
    • Often used for various purposes like verifying domain ownership, SPF records (for email security), etc.
  • CNAME Record (dig subdomain.domain.com CNAME):
    • Returns the Canonical Name record.
    • Indicates that the domain name is an alias for another domain, to which it’s mapped.

Note: Alternatively, you can perform these queries on websites such as: https://mxtoolbox.com/

:bar_chart: Findings:

  • The ‘A’ records for crushingsecurity.com are 104.21.23.15 and 172.67.208.73.
  • The domain uses Cloudflare’s DNS servers: rachel.ns.cloudflare.com and ram.ns.cloudflare.com.
  • The MX record indicates the use of Microsoft’s email protection services with the address crushingsecurity-com.mail.protection.outlook.com.
  • TXT records provide SPF information, indicating allowed email senders for the domain, and a Microsoft verification string.
  • There’s no specific CNAME record for the www subdomain, suggesting it uses the main domain’s A records.

:thinking: Insights from the Findings:

  • Cloudflare Hosting: The IP addresses associated with the domain are typical of Cloudflare, reinforcing the notion of a performance and security-centric setup.
  • Microsoft’s Email Protection: The MX record points to Microsoft’s email protection services, suggesting a commitment to secure email communication.
  • Email Security: The presence of SPF records in the TXT entries indicates measures to prevent email spoofing, a common attack vector.
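As an added example (not from the original post), the following Python parses the ANSWER and AUTHORITY sections of the dig outputs above into the findings just listed, breaks the SPF TXT record into its include mechanisms and final ‘all’ qualifier, and recognises the empty answer to the www CNAME query as a NODATA response. The sample text is copied from the dig output shown above.

```python
"""Parse dig output and the SPF record into reportable DNS findings.

Added example, not part of the original post. parse_dig() reads the
ANSWER and AUTHORITY sections that dig prints, parse_spf() breaks an SPF
TXT record into its mechanisms and final qualifier, and dns_findings()
assembles the A/MX/NS/TXT findings listed in the text, including the
NODATA case (a CNAME query answered only by an SOA in AUTHORITY).
"""

# Constructed sample: the ANSWER sections of the four dig queries above,
# concatenated into one text so one parse covers every record type.
SAMPLE_ANSWERS = """\
;; ANSWER SECTION:
crushingsecurity.com.   300     IN      A       172.67.208.73
crushingsecurity.com.   300     IN      A       104.21.23.15
crushingsecurity.com.   300     IN      MX      0 crushingsecurity-com.mail.protection.outlook.com.
crushingsecurity.com.   86400   IN      NS      rachel.ns.cloudflare.com.
crushingsecurity.com.   86400   IN      NS      ram.ns.cloudflare.com.
crushingsecurity.com.   300     IN      TXT     "MS=ms79582234"
crushingsecurity.com.   300     IN      TXT     "v=spf1 include:_spf.mlsend.com include:spf.protection.outlook.com -all"
"""

# Constructed sample: the www CNAME query above, which returned no answer.
SAMPLE_CNAME = """\
;; QUESTION SECTION:
;www.crushingsecurity.com.      IN      CNAME

;; AUTHORITY SECTION:
crushingsecurity.com.   1800    IN      SOA     rachel.ns.cloudflare.com. dns.cloudflare.com. 2319522339 10000 2400 604800 1800
"""


def parse_dig(text):
    """Return {'answer': [...], 'authority': [...]} of parsed records."""
    sections = {"answer": [], "authority": []}
    current = None
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            current = "answer"
        elif line.startswith(";; AUTHORITY SECTION:"):
            current = "authority"
        elif not line.strip():
            current = None  # a blank line ends a section in dig output
        elif line.startswith(";") or current is None:
            continue  # comments, the question section and stats are ignored
        else:
            # name ttl class type rdata; rdata may itself contain spaces
            name, ttl, cls, rtype, rdata = line.split(None, 4)
            sections[current].append({
                "name": name.rstrip("."), "ttl": int(ttl), "class": cls,
                "type": rtype, "rdata": rdata.strip().strip('"'),
            })
    return sections


def parse_spf(record):
    """Split an SPF record into its include list, other terms and 'all' verdict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    policy = {"includes": [], "other": [], "all": None}
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            policy["all"] = qualifiers[qualifier]
        elif term.lower().startswith("include:"):
            policy["includes"].append(term.split(":", 1)[1])
        else:
            policy["other"].append(qualifier + term)
    return policy


def dns_findings(answer_text, cname_text):
    """Assemble the report findings from the two dig outputs."""
    by_type = {}
    for rec in parse_dig(answer_text)["answer"]:
        by_type.setdefault(rec["type"], []).append(rec["rdata"])
    txt = by_type.get("TXT", [])
    spf_records = [t for t in txt if t.lower().startswith("v=spf1")]
    cname = parse_dig(cname_text)
    return {
        "a": sorted(by_type.get("A", [])),
        # MX rdata is 'preference host.'; keep the host only
        "mx": [m.split()[1].rstrip(".") for m in by_type.get("MX", [])],
        "ns": sorted(n.rstrip(".") for n in by_type.get("NS", [])),
        "spf": parse_spf(spf_records[0]) if spf_records else None,
        # More than one SPF record is itself a misconfiguration (RFC 7208)
        "spf_record_count": len(spf_records),
        "verification_txt": [t for t in txt if t not in spf_records],
        # No ANSWER but an SOA in AUTHORITY is a NODATA response: the name
        # exists but has no record of the queried type.
        "www_cname_nodata": not cname["answer"]
        and any(r["type"] == "SOA" for r in cname["authority"]),
    }


def sample_dns_findings():
    """The findings for the sample dig outputs above."""
    return dns_findings(SAMPLE_ANSWERS, SAMPLE_CNAME)


if __name__ == "__main__":
    for key, value in sample_dns_findings().items():
        print(f"{key:20} {value}")
```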

3. host - A Quick Glance at Domain Details

After diving into DNS records, I like to use the host command for a quick overview of a domain’s basic details. It’s a simple tool that provides a concise summary of a domain’s IP addresses and other associated records.

:wrench: Action: To gather these details, I use the host command.

┌──(kali㉿kali)-[~]
└─$ host crushingsecurity.com
crushingsecurity.com has address 104.21.23.15
crushingsecurity.com has address 172.67.208.73
crushingsecurity.com has IPv6 address 2606:4700:3033::6815:170f
crushingsecurity.com has IPv6 address 2606:4700:3031::ac43:d049
crushingsecurity.com mail is handled by 0 crushingsecurity-com.mail.protection.outlook.com.

:bar_chart: Findings:

  • The domain crushingsecurity.com resolves to two IPv4 addresses: 104.21.23.15 and 172.67.208.73.
  • The domain also has two associated IPv6 addresses: 2606:4700:3033::6815:170f and 2606:4700:3031::ac43:d049.
  • The mail for crushingsecurity.com is managed by crushingsecurity-com.mail.protection.outlook.com.

:thinking: Insights from the Findings:

  • Robust Hosting: Multiple IP addresses, both in IPv4 and IPv6 formats, suggest a setup optimized for redundancy and performance.
  • Consistent Email Security: The MX record’s alignment with previous findings from the dig command underscores the domain’s focus on secure email practices.

4. nslookup - DNS Lookup Utility

To further validate and cross-check the information, I use nslookup. It’s another tool for querying DNS servers to obtain domain name or IP address mappings.

:wrench: Action: Running the nslookup command for crushingsecurity.com.

┌──(kali㉿kali)-[~]
└─$ nslookup crushingsecurity.com
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   crushingsecurity.com
Address: 104.21.23.15
Name:   crushingsecurity.com
Address: 172.67.208.73
Name:   crushingsecurity.com
Address: 2606:4700:3031::ac43:d049
Name:   crushingsecurity.com
Address: 2606:4700:3033::6815:170f

:bar_chart: Findings:

  • The domain crushingsecurity.com resolves to the same IP addresses as found with the host and dig commands.
  • The DNS server used for this lookup is 1.1.1.1, which is Cloudflare’s public DNS resolver.

:thinking: Insights from the Findings:

  • Consistent Data: The matching results across various tools (whois, dig, host, and nslookup) provide a high degree of confidence in the data’s accuracy.
  • Cloudflare’s Public DNS: Utilizing Cloudflare’s public DNS resolver for the lookup showcases a commitment to fast and privacy-centric queries.

Summary: Initial Domain Information

In our exploration of crushingsecurity.com, we utilized a suite of tools to gather foundational details about the domain. These details not only provide insights into the domain’s setup but also set the stage for deeper investigations. Here’s an overview of our findings:

  • Domain Registration and Ownership: The domain is registered with NameCheap, Inc., created in April 2022, and is set to expire in April 2024. The registrant details have been redacted for privacy but are associated with Reykjavik, Iceland.
  • Hosting and Infrastructure: crushingsecurity.com is hosted on Cloudflare, as indicated by its IP addresses and DNS servers. This choice suggests a focus on performance and security.
  • Email Configuration: The domain’s email setup leans on Microsoft’s protection services, emphasizing secure email communication. SPF records further enhance email security by reducing the chance of email spoofing.
  • Additional Insights: The domain’s recent creation might indicate a newer initiative. The use of Cloudflare and Microsoft services, combined with privacy measures and domain transfer protection, suggests that this is a domain that values security and performance.

As we delve deeper into our investigation, these foundational details will guide our next steps, helping us understand the website’s infrastructure and potential vulnerabilities better. Up next, we’ll dive into the passive recon techniques for website and infrastructure analysis, where we’ll uncover more about the technologies powering crushingsecurity.com and potential areas of interest.

:wrench: Website and Infrastructure Analysis

After gathering initial domain information, it’s crucial to understand the underlying technologies of a website and its infrastructure. This section will provide insights into the server details, hosting information, and other technical aspects of the target.

Progress Tracker:

:white_check_mark: :globe_with_meridians: Initial Domain Information
:arrow_right: :wrench: Website and Infrastructure Analysis
:white_large_square: :link: Subdomains and Related Domains
:white_large_square: :male_detective: Deep OSINT and Data Gathering
:white_large_square: :no_entry_sign: Potential Vulnerabilities and Threats
:white_large_square: :rotating_light: Monitoring and Alerts

5. BuiltWith - Discovering Web Technologies

To understand the technologies behind a website, I use BuiltWith. It’s a web service that provides details about the technologies used to build and host a website.

:wrench: Action: Visit BuiltWith and enter the domain crushingsecurity.com.

:bar_chart: Findings from BuiltWith for CrushingSecurity.com:

Key Technologies:

  • MailerLite: Email marketing software.
  • Create React App & Material-UI: Website built using React and Material Design.
  • Cloudflare & Oracle Cloud: Hosting and CDN services.
  • React: Frontend JavaScript library.
  • Office 365 Mail & SPF: Email services and security.
  • SSL by Default & HSTS: Security measures for data in transit.

:thinking: Insights from the Findings:

  • MailerLite: The presence of MailerLite indicates potential email collection points on the website. Such collection points could be of interest for attackers looking to exploit potential vulnerabilities in form handling or to access stored email data.
  • React & Material-UI: The website’s reliance on React and Material-UI suggests a modern design approach. However, like all frameworks, vulnerabilities can emerge over time. An attacker might look for outdated libraries or exposed data through React’s state or props.
  • Cloudflare & Oracle Cloud: The dual hosting setup with Cloudflare and Oracle Cloud indicates a layered infrastructure. While Cloudflare offers DDoS protection, attackers often attempt to discover the original IP of the server to bypass such protections. On the Oracle Cloud side, any misconfigured security lists or exposed credentials could be potential entry points.
  • Office 365 Mail & SPF: The use of SPF is a proactive step against email spoofing. However, attackers familiar with email security might probe for the absence of other protective measures like DMARC and DKIM. Additionally, any misconfigurations in mailbox rules or forwarding settings in Office 365 could be exploited.
  • SSL & HSTS: The commitment to secure data in transit through SSL and HSTS is evident. Yet, expired or misconfigured SSL certificates can be a weak link. Attackers might also look for domains not covered by the HSTS policy or attempt to exploit older protocols if they are still supported.

6. urlscan.io - Web Page Analysis and Visualization

urlscan.io is a powerful tool that provides insights into the content, behavior, and structure of websites. It allows for passive analysis of web pages, offering visual representation, and comprehensive data about IP addresses, domain relationships, HTTP requests, and more.

:wrench: Action: For a passive approach, I utilized urlscan.io to gather comprehensive information about crushingsecurity.com without directly visiting the site.

:bar_chart: Findings from urlscan.io for CrushingSecurity.com:

  • IP and Domain Information: The website contacted 2 IPs across 1 domain. The main IP is 2606:4700:3033::6815:170f, which is located in the United States and belongs to CLOUDFLARENET.
  • TLS Certificate: Issued by GTS CA 1P5 on August 25th, 2023, and is valid for 3 months.
  • HTTP Transactions: There were 34 HTTP transactions, all of which were secured using HTTPS.
  • Resources: The site loads various resources like JavaScript files, CSS, fonts, and images.
  • API Calls: There were multiple calls to api.crushingsecurity.com, some of which resulted in a 401 status, indicating unauthorized access attempts.
  • Outgoing Links: There are 73 outgoing links, many of which lead to different sections of the crushingsecurity.com community, indicating a rich ecosystem of content and resources.

urlscan summary

urlscan outgoing links

urlscan behavior (API calls etc.)

:thinking: Insights from the Findings:

  • Modern Web Infrastructure: Again, the use of Cloudflare and the presence of chunked JavaScript files suggest a modern web infrastructure.
  • Security Emphasis: All HTTP transactions being secured with HTTPS and the use of HSTS (from previous findings) indicate a strong commitment to security.
  • Community Engagement: The numerous outgoing links to the community section of crushingsecurity.com highlight an active and engaged user base.
  • API Interactions: The multiple calls to the API endpoints suggest dynamic content loading and possibly user authentication mechanisms. These endpoints could be extremely valuable for later probing of information / potential authentication bypass attempts.

7. Netcraft Site Report - Web Server Technologies and Hosting History

Netcraft provides a comprehensive web server survey, and its Site Report tool offers insights into the hosting history, technology stack, and other details of a website.

:wrench: Action: I’ll use the Netcraft Site Report to gather details about crushingsecurity.com.

:bar_chart: Findings from Netcraft Site Report for CrushingSecurity.com:

  • Hosting History: The website has been consistently hosted with Cloudflare, Inc., indicating a preference for Cloudflare’s content delivery network and security services.
  • Hosting Provider: The website is hosted by Cloudflare, which is known for its content delivery network, DDoS protection, and other web security features.
  • Nameserver: The domain uses Cloudflare’s nameservers, further confirming its reliance on Cloudflare services.
  • Content Management System (CMS): The website’s title suggests it was created using create-react-app, the standard scaffolding tool for React, a popular JavaScript library for building user interfaces.
  • Technologies: The website uses JavaScript and is served through Cloudflare’s CDN. It also uses UTF8 character encoding and Gzip for HTTP compression.

:thinking: Insights from the Findings:

  • Cloudflare Services: The consistent use of Cloudflare services, from hosting to DNS, indicates a strong reliance on Cloudflare for performance, security, and reliability.
  • React App: The website being a React App suggests a modern web development approach, focusing on dynamic content and user interactivity.
  • Web Technologies: The use of JavaScript, UTF8, and Gzip indicates a focus on performance and efficient data transmission.

8. Censys - Another Internet Search Engine

Censys is similar to Shodan but provides a different perspective and dataset. It scans the internet constantly to provide fresh data about exposed devices and services.

:wrench: Action: Visit Censys and search for crushingsecurity.com.

:bar_chart: Findings from Censys for crushingsecurity.com:

  • IP Address: The domain resolves to 144.21.55.183.
  • Location: The server is located in London, United Kingdom.
  • Autonomous System: The server is part of the ORACLE-BMC-31898 autonomous system.
  • DNS Records: The domain has associated DNS names community.crushingsecurity.com and forum.crushingsecurity.com.
  • SSL/TLS Certificates: The SSL certificate is issued by Let’s Encrypt, with a public key algorithm of RSA (4096 bit). It’s valid from Jul 3, 2023, to Oct 1, 2023.
  • HTTP Service on Port 80: The server responds with a 301 Moved Permanently status, redirecting to https://community.crushingsecurity.com/.
  • HTTPS Service on Port 443: Similar to the HTTP service, it redirects to the secure version of the site with a 301 Moved Permanently status. The server also enforces Strict Transport Security with a max-age of 63072000.
  • Server Metadata: The server runs on nginx/1.23.3.

:thinking: Insights from the Findings:

  • Robust SSL Configuration: The use of a 4096-bit RSA certificate from Let’s Encrypt indicates a strong encryption setup, ensuring secure communications.
  • Consistent Redirection: Both HTTP and HTTPS services redirect to the secure version of the site, emphasizing a commitment to secure web traffic.
  • Server Information: The use of nginx/1.23.3 provides insights into the web server technology in use, which can be useful for further investigations or vulnerability assessments.
  • Geographical Location: The server’s location in London might indicate where the primary audience or user base is located or where the hosting infrastructure is optimized.
  • Autonomous System Insights: Being part of the ORACLE-BMC-31898 autonomous system suggests that the infrastructure is hosted on Oracle Cloud, consistent with previous findings.

Next, we’ll explore subdomains and related domains associated with crushingsecurity.com.

Summary: Website and Infrastructure Analysis

In our deep dive into the website and infrastructure of crushingsecurity.com, several key insights emerged:

  1. Modern Web Development: The site heavily relies on contemporary technologies like React, Material-UI, and Emotion, indicating a focus on user experience and dynamic content delivery.
  2. Security Emphasis: The consistent implementation of security measures such as SSL, HSTS, and SPF across different tools underscores the site’s commitment to data protection. The use of Cloudflare not only for hosting but also for DNS and CDN services showcases a practical approach to web security. Additionally, the findings from urlscan.io and Censys further emphasize the site’s dedication to security, with all HTTP transactions being secured with HTTPS, a robust SSL configuration, and a valid TLS certificate in place.
  3. Performance: The website’s configuration as a Progressive Web App (PWA) and its support for HTTP/3 highlight an emphasis on speed and offline capabilities. The site’s interactions with various resources and API calls, as observed from urlscan.io, suggest dynamic content loading and possibly user authentication mechanisms.
  4. Email Infrastructure: The presence of MailerLite and Office 365 Mail suggests potential email collection points and a proactive stance against email spoofing.
  5. Network Insights: The Censys analysis provided insights into the server’s geographical location, its association with Oracle Cloud, and its robust SSL configuration. This, combined with the detailed IP and domain information from urlscan.io, gives a comprehensive understanding of the site’s network infrastructure.
  6. Community Engagement: The numerous outgoing links to the community section of crushingsecurity.com, as identified by urlscan.io, highlight an active and engaged user base, indicating a rich ecosystem of content and resources.

:link: Subdomains and Related Domains

Subdomains often host different parts of a website, such as forums, blogs, or e-commerce platforms. Identifying these subdomains can provide a more comprehensive view of the target’s online presence. Additionally, understanding related domains can give insights into other projects, affiliations, or ventures associated with the main domain. In this section, we’ll explore tools that help uncover these subdomains and related domains to paint a clearer picture of the target’s digital landscape.

:white_check_mark: :globe_with_meridians: Initial Domain Information
:white_check_mark: :wrench: Website and Infrastructure Analysis
:arrow_right: :link: Subdomains and Related Domains
:white_large_square: :male_detective: Deep OSINT and Data Gathering
:white_large_square: :no_entry_sign: Potential Vulnerabilities and Threats
:white_large_square: :rotating_light: Monitoring and Alerts

9. DNSdumpster - DNS Recon & Research

DNSdumpster is a free domain research tool that provides a visual map of DNS entries for a domain. It’s an excellent tool for discovering hosts related to a domain, especially for passive DNS reconnaissance.

:wrench: Action: I utilized DNSdumpster to gather comprehensive DNS information about crushingsecurity.com.

:bar_chart: Findings from DNSdumpster for crushingsecurity.com:

  • DNS Servers: The domain uses Cloudflare’s DNS servers, specifically rachel.ns.cloudflare.com and ram.ns.cloudflare.com.
  • MX Records: The domain’s mail exchange (MX) record points to crushingsecurity-com.mail.protection.outlook.com, indicating that the domain uses Microsoft’s Outlook for its email services.
  • TXT Records: Two TXT records were found:
    • "MS=ms79582234"
    • "v=spf1 include:_spf.mlsend.com include:spf.protection.outlook.com -all"
  • Host Records (A):
    • Main domain (crushingsecurity.com) resolves to two IP addresses: 172.67.208.73 and 104.21.23.15.
    • Subdomain forum.crushingsecurity.com resolves to 144.21.55.183.
    • Another subdomain lhr.dev.community.crushingsecurity.com resolves to 144.21.59.208.


Figure: dnsdumpster results

Figure: dnsdumpster generated map to visualize findings

:thinking: Insights from the Findings:

  • Cloudflare Usage: The domain’s reliance on Cloudflare’s DNS servers is consistent with previous findings, emphasizing its use of Cloudflare services.
  • Email Services: The MX record pointing to Outlook and the associated TXT records suggest that the domain uses Microsoft’s email services, possibly Office 365.
  • Subdomains: Two subdomains were identified, forum.crushingsecurity.com and lhr.dev.community.crushingsecurity.com. These could be areas of interest for further investigation, as they might host different content or services than the main domain.
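The SPF record above is worth reading mechanically rather than by eye, because the qualifier in front of `all` and the number of lookup terms decide whether the policy actually stops spoofed mail. The following is an added example (not code from the original post): it takes the two TXT records reported by DNSdumpster as constructed input, parses the SPF terms, and returns findings a domain owner would act on. The weak-record sample and the `LOOKUP_TERMS` set are my own; the lookup limit of 10 comes from RFC 7208.

```python
"""Added example (not the blog's code): parse the SPF TXT record found above and
flag weak settings a domain owner should fix before relying on it."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two TXT records DNSdumpster reported for the domain.
TXT_RECORDS = [
    "MS=ms79582234",
    "v=spf1 include:_spf.mlsend.com include:spf.protection.outlook.com -all",
]

# RFC 7208 section 4.6.4: these mechanisms each cost one DNS lookup, at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}


@dataclass
class SpfPolicy:
    includes: List[str] = field(default_factory=list)
    mechanisms: List[str] = field(default_factory=list)  # a, mx, ip4:..., ip6:..., ptr
    modifiers: Dict[str, str] = field(default_factory=dict)  # redirect=, exp=
    all_qualifier: Optional[str] = None  # '+', '-', '~' or '?' in front of 'all'
    lookups: int = 0  # top-level lookup terms only; nested includes add more


def parse_spf(txt_records: List[str]) -> SpfPolicy:
    """Pick the single SPF record out of a domain's TXT set and parse its terms."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Zero records means no policy at all; two or more is a permerror for receivers.
        raise ValueError(f"expected exactly one SPF record, found {len(spf)}")
    policy = SpfPolicy()
    for term in spf[0].split()[1:]:
        if "=" in term:  # modifier, e.g. redirect=_spf.example.com
            key, _, value = term.partition("=")
            policy.modifiers[key.lower()] = value
            if key.lower() == "redirect":
                policy.lookups += 1
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]  # strip a CIDR suffix such as a/24
        if name == "all":
            policy.all_qualifier = qualifier
        elif name == "include":
            policy.includes.append(arg)
        else:
            policy.mechanisms.append(term.lower())
        if name in LOOKUP_TERMS:
            policy.lookups += 1
    return policy


def assess_spf(policy: SpfPolicy) -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously weak."""
    findings = []
    if policy.all_qualifier in (None, "+"):
        findings.append("no restrictive 'all': any host may send as this domain")
    elif policy.all_qualifier == "?":
        findings.append("'?all' is neutral: receivers will not reject spoofed mail")
    elif policy.all_qualifier == "~":
        findings.append("'~all' softfail: move to '-all' once DMARC reports show all senders are listed")
    if any(m.startswith("ptr") for m in policy.mechanisms):
        findings.append("'ptr' is deprecated by RFC 7208 and slow to evaluate")
    if policy.lookups > 10:
        findings.append(f"{policy.lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    policy = parse_spf(TXT_RECORDS)
    print("includes:", policy.includes, "all:", policy.all_qualifier)
    print("findings:", assess_spf(policy) or "none")
```

For the record found here the result is two includes (MailerLite and Microsoft 365), a hard-fail `-all`, and no findings. The lookup count only covers the top-level record; each `include:` target has its own record whose lookups also count toward the limit of 10, so a full check would fetch and recurse into those.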

10. SecurityTrails - Comprehensive Domain Information and Subdomain Enumeration

SecurityTrails is a platform that provides comprehensive data about domains, including DNS records, subdomains, historical data, and more. It’s a valuable tool for passive subdomain enumeration and understanding the broader digital footprint of a domain.

:wrench: Action: I utilized SecurityTrails to gather detailed DNS information and enumerate subdomains for crushingsecurity.com.

:bar_chart: Findings from SecurityTrails for crushingsecurity.com:

  • Enumerated Subdomains:
    • dev.crushingsecurity.com
    • lhr.dev.community.crushingsecurity.com
    • newsletter.crushingsecurity.com
    • www.crushingsecurity.com
    • kb.crushingsecurity.com
    • blogs.crushingsecurity.com
    • contact.crushingsecurity.com
    • mail.crushingsecurity.com
    • support.crushingsecurity.com
    • forum.crushingsecurity.com
    • api.crushingsecurity.com
    • earlyaccess.crushingsecurity.com
    • community.crushingsecurity.com
    • autodiscover.crushingsecurity.com

:thinking: Insights from the Findings:

  • Diverse Subdomains: The variety of subdomains suggests a multifaceted online presence, with potential areas dedicated to development (dev), community engagement (forum, community), support (support), and more.
  • Potential Areas of Interest: The identified subdomains could host different functionalities or services than the main domain. For instance, the “newsletter” subdomain might be related to email campaigns, while the “earlyaccess” subdomain could be a portal for beta testers or early adopters. Each of these subdomains can be potential areas for further investigation or vulnerability assessments.

Figure: SecurityTrails DNS records

Figure: SecurityTrails subdomains

With the combined findings from DNSdumpster and SecurityTrails, we have a comprehensive list of subdomains associated with crushingsecurity.com. These subdomains can be further probed for vulnerabilities, misconfigurations, or other potential areas of interest in subsequent sections of our investigation.
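Once two or more passive sources have been queried, the useful work is consolidating them: normalizing names, noting which source saw what, inferring intermediate names (a deep host like lhr.dev.community implies dev.community, which neither tool listed), and checking which resolved hosts sit outside the CDN and therefore need their own TLS, firewall and WAF hardening. The block below is an added example, not code from the original post or either tool; it uses the names and A records reported above as constructed input. The Cloudflare ranges are taken from Cloudflare's published IPv4 list and are assumed current; re-check them before relying on the classification.

```python
"""Added example (not the blog's code): merge subdomain names from several passive
sources, infer intermediate names worth verifying, and split resolved hosts into
CDN-fronted and directly exposed origins."""
import ipaddress
from typing import Dict, List, Set, Tuple

APEX = "crushingsecurity.com"

# Constructed inputs: the names reported by DNSdumpster and SecurityTrails above.
SOURCES: Dict[str, List[str]] = {
    "dnsdumpster": [
        "crushingsecurity.com",
        "forum.crushingsecurity.com",
        "lhr.dev.community.crushingsecurity.com",
    ],
    "securitytrails": [
        "dev.crushingsecurity.com", "lhr.dev.community.crushingsecurity.com",
        "newsletter.crushingsecurity.com", "www.crushingsecurity.com",
        "kb.crushingsecurity.com", "blogs.crushingsecurity.com",
        "contact.crushingsecurity.com", "mail.crushingsecurity.com",
        "support.crushingsecurity.com", "forum.crushingsecurity.com",
        "api.crushingsecurity.com", "earlyaccess.crushingsecurity.com",
        "community.crushingsecurity.com", "autodiscover.crushingsecurity.com",
    ],
}

# Constructed: the A records DNSdumpster reported above.
A_RECORDS: Dict[str, List[str]] = {
    "crushingsecurity.com": ["172.67.208.73", "104.21.23.15"],
    "forum.crushingsecurity.com": ["144.21.55.183"],
    "lhr.dev.community.crushingsecurity.com": ["144.21.59.208"],
}

# Cloudflare's published IPv4 ranges (assumed current; re-check cloudflare.com/ips).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def normalize(name: str, apex: str = APEX):
    """Lower-case, strip trailing dot and wildcard prefix; drop names outside the apex."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    if n != apex and not n.endswith("." + apex):
        return None
    return n


def merge(sources: Dict[str, List[str]], apex: str = APEX) -> Dict[str, Set[str]]:
    """Map each normalized name to the set of sources that reported it."""
    merged: Dict[str, Set[str]] = {}
    for src, names in sources.items():
        for raw in names:
            n = normalize(raw, apex)
            if n:
                merged.setdefault(n, set()).add(src)
    return merged


def implied_parents(name: str, apex: str = APEX) -> List[str]:
    """Intermediate names between a deep host and the apex, e.g. dev.community.<apex>."""
    if name == apex:
        return []
    labels = name[: -len(apex) - 1].split(".")
    return [".".join(labels[i:]) + "." + apex for i in range(1, len(labels))]


def missing_parents(merged: Dict[str, Set[str]], apex: str = APEX) -> Set[str]:
    """Implied intermediate names that no source reported: candidates to verify."""
    implied = {p for n in merged for p in implied_parents(n, apex)}
    return implied - set(merged)


def is_cloudflare(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def cdn_exposure(a_records: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Hosts whose every address is Cloudflare vs hosts with at least one direct origin IP."""
    fronted: Dict[str, List[str]] = {}
    direct: Dict[str, List[str]] = {}
    for host, ips in a_records.items():
        bucket = fronted if all(is_cloudflare(ip) for ip in ips) else direct
        bucket[host] = ips
    return fronted, direct


if __name__ == "__main__":
    merged = merge(SOURCES)
    print(f"{len(merged)} unique names; unverified parents: {sorted(missing_parents(merged))}")
    fronted, direct = cdn_exposure(A_RECORDS)
    print("behind Cloudflare:", sorted(fronted))
    print("direct origin hosts:", sorted(direct))
```

On this data the merge yields 15 unique names, flags dev.community.crushingsecurity.com as an implied but unreported name, and shows that only the apex is fronted by Cloudflare while forum and lhr.dev.community resolve straight to Oracle Cloud addresses. A host with a mix of CDN and non-CDN addresses is deliberately counted as direct, since one exposed address is enough to bypass the CDN.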

Part 1 Summary

In the first segment of our exploration, we uncovered the digital footprint of our target crushingsecurity.com through a series of passive reconnaissance techniques. We’ve managed to gather a wealth of information without directly interacting with the target, ensuring our activities remain low-key and undetected.

Here’s a recap of our accomplishments:

:white_check_mark: :globe_with_meridians: Initial Domain Information: We began by understanding the foundational details of the domain, such as its registration, hosting, and associated metadata. This provided us with a baseline understanding of the target’s online presence.

:white_check_mark: :wrench: Website and Infrastructure Analysis: Delving deeper, we explored the underlying technologies and infrastructure supporting the website. From web development frameworks to hosting providers, we pieced together a comprehensive view of the site’s technical landscape.

:white_check_mark: :link: Subdomains and Related Domains: We didn’t stop at the main domain. We ventured into subdomains, uncovering additional areas of interest to potentially target. This step was crucial, as subdomains often host different functionalities and can reveal more about the target’s operations.

With Part 1 wrapped up, we’ve set the stage for a deeper dive.

Coming Up in Part 2:

In the next part of this series, we’ll escalate our efforts, using a new set of tools and techniques for passive reconnaissance. We’ll be focusing on:

:white_large_square: :male_detective: Deep OSINT and Data Gathering: Here, we’ll perform open-source intelligence to uncover hidden details, relationships, and patterns related to our target.

:white_large_square: :no_entry_sign: Potential Vulnerabilities and Threats: With the information at hand, we’ll assess potential weak points and threats that could be exploited by malicious actors.

:white_large_square: :rotating_light: Monitoring and Alerts: Finally, we’ll explore tools and techniques to keep a watchful eye on the target, setting up alerts for any changes or suspicious activities.

What’s Next?

Stay tuned for Part 2, where we’ll continue our journey into the depths of passive reconnaissance, unveiling more tips and tricks to enhance your reconnaissance skills!

To be the first to hear about the next blog:
:bird: Connect on Twitter - CrushingSecurity
:bird: Connect on Twitter - Steve
:newspaper: Stay Updated with Our Cybersecurity Newsletter

Do you have any questions or would like to share your thoughts? Be sure to join and contribute here! :busts_in_silhouette: Join Our Community We’d love to hear from other members of the community and share knowledge to all become cyber pros! :sunglasses:

For a comprehensive list of all the passive reconnaissance tools mentioned in this blog, as well as any future additions, please visit our masterlist: Passive Reconnaissance Tools Masterlist.
