Mastering Kali Linux for Advanced Penetration Testing（Second Edition）

上QQ阅读APP看书，第一时间看更新

DNS reconnaissance and route mapping

Once a tester has identified targets that have an online presence and are of interest, the next step is to identify the IP addresses and routes to the target.

DNS reconnaissance involves identifying who owns a particular domain or series of IP addresses (whois-type information), the DNS information defining the actual domain names and IP addresses assigned to the target, and the route between the penetration tester, or the attacker, and the final target.

This information gathering is semi-active – some of the information is available from freely available open sources, while other information is available from third parties such as DNS registrars. Although the registrar may collect IP addresses and data concerning requests made by the attacker, it is rarely provided to the end target. Information that could be directly monitored by the target, such as DNS server logs, is almost never reviewed or retained.

Because the information needed can be queried using a defined systematic and methodical approach, its collection can be automated.

Note that DNS information may contain stale or incorrect entries. To minimize inaccurate information, query different source servers and use different tools to cross-validate results. Review results, and manually verify any suspect findings. Use a script to automate the collection of this information. This script should create a folder for the penetration test, and then a series of folders for each application being run. After the script executes each command, pipe the results directly to the specific holding folder.