PRACTICAL DAY 1 - Using Kali, free tools and web services for footprinting
1. DNS HARVESTING:
Execute the following commands and observe the output. What useful information can you find that could be used
in an attack? NOTE: For this practical we will be using zonetransfer.me, a domain intentionally set up for pen-test learning.
a) DNS Enumeration
dnsenum zonetransfer.me
b) Zone transfer:
dig axfr @nsztm1.digi.ninja zonetransfer.me
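To make sense of a zone transfer result, it helps to have a small script that parses the `dig axfr` record lines and summarises what the zone reveals (hostnames, RFC 1918 addresses that point at internal systems, and MX/TXT/SRV records that hint at services). The example below is added for this practical and is not part of the original lab or of zonetransfer.me; the zone data inside it is constructed for example.com and is not real zonetransfer.me output. The same parser works on any saved `dig axfr` output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `dig axfr` output (example.com, documentation addresses).
# Each record line is: name  TTL  class  type  rdata
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
;; global options: +cmd
example.com.            300     IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.            300     IN      NS      ns1.example.com.
example.com.            300     IN      MX      10 mail.example.com.
example.com.            300     IN      TXT     "v=spf1 mx -all"
www.example.com.        300     IN      A       203.0.113.10
mail.example.com.       300     IN      A       203.0.113.25
intranet.example.com.   300     IN      A       10.0.5.20
vpn.example.com.        300     IN      A       203.0.113.40
_sip._tcp.example.com.  300     IN      SRV     0 5 5060 sip.example.com.
sip.example.com.        300     IN      A       10.0.7.5
example.com.            300     IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
;; Query time: 10 msec
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# RFC 1918 ranges; checked explicitly because ipaddress.is_private also
# flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return unique (name, ttl, type, rdata) tuples from dig axfr output.

    Comment lines (starting with ';') are skipped and the repeated SOA that
    closes an AXFR is collapsed into the first one.
    """
    records = []
    seen = set()
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        rec = (name.rstrip("."), int(ttl), rtype, rdata.strip())
        if rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records


def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def triage(records):
    """Summarise what an exposed zone reveals to whoever can transfer it."""
    by_type = Counter(r[2] for r in records)
    hostnames = sorted({r[0] for r in records if r[2] in ("A", "AAAA", "CNAME")})
    internal = [(n, rd) for n, _t, rt, rd in records if rt in ("A", "AAAA") and is_rfc1918(rd)]
    services = [(n, rd) for n, _t, rt, rd in records if rt in ("SRV", "MX", "TXT")]
    return {"by_type": dict(by_type), "hostnames": hostnames,
            "internal": internal, "services": services}


if __name__ == "__main__":
    summary = triage(parse_axfr(SAMPLE_AXFR))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The `internal` list is the one to look at first: a public zone that names hosts on 10.0.0.0/8 tells an outsider about the internal network layout, which is exactly why production nameservers should restrict AXFR to their secondaries.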
2. Metadata Extraction
In this lab we will learn how to find, in documents belonging to the target company, valuable data for
structuring our attack. The files you will examine in this lab are:
WidgetStatisticalAnalysis.xls
WidgetStatisticalWhitepaper.doc
WidgetStatisticalWhitepaper.pdf
You can use any tools you want, but all you really need is exiftool and strings (if either is not
installed, please install it first).
ExifTool syntax:
exiftool filename
To run strings:
strings filename
Try this for each of the files, and answer the following questions:
a) What is the full name of user Bob? What is Bob’s nickname?
b) What is Bob’s email address?
c) What Personally Identifiable Information is located in the spreadsheet (.xls) file?
d) What information is associated with the organization’s firewall ruleset?
e) Look through the files to find all file system paths and URLs.
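For question e) it is worth knowing what `strings` actually does: it scans a file for runs of printable characters and prints those at least four characters long. The script below, added for this lab and not part of the original material, reimplements that scan in Python and then classifies the recovered strings into e-mail addresses, URLs and file system paths, which is the manual sorting you do by eye when reading `strings` output. The input blob is constructed inline to stand in for one of the Widget documents; the names and paths in it are made up.

```python
import re

# Constructed stand-in for a document file: a binary header and padding with
# a few embedded printable runs, as a real .doc/.xls/.pdf might carry.
SAMPLE_BLOB = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + b"Author: Bob Example (bobby)\x00\x00"
    + b"\x01\x02" + b"bob.example@corp.example.com" + b"\x00\x00\x03"
    + b"C:\\Users\\bobby\\Documents\\Widgets.xls\x00"
    + b"\xff\xfe" + b"/home/bobby/reports/fw-ruleset.txt" + b"\x00"
    + b"http://intranet.corp.example.com/stats/ab" + b"\x00\x00"
    + b"\x07\x08\x09xy\x00"  # "xy" is too short to count as a string
)

MIN_LEN = 4  # same default minimum length as the `strings` utility


def extract_strings(data, min_len=MIN_LEN):
    """Emulate `strings`: return runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]*")
# A POSIX path must not be preceded by a word char, ':' or '/', so the
# path part of a URL is not reported a second time as a path.
POSIX_PATH_RE = re.compile(r"(?<![\w:/])/(?:[\w.-]+/)+[\w.-]*")


def classify(strings):
    """Sort recovered strings into the categories the lab questions ask about."""
    found = {"emails": [], "urls": [], "paths": [], "other": []}
    matchers = (("emails", EMAIL_RE), ("urls", URL_RE),
                ("paths", WIN_PATH_RE), ("paths", POSIX_PATH_RE))
    for s in strings:
        hit = False
        for key, rx in matchers:
            for m in rx.findall(s):
                found[key].append(m)
                hit = True
        if not hit:
            found["other"].append(s)
    return found


def analyse(data):
    return classify(extract_strings(data))


if __name__ == "__main__":
    for category, items in analyse(SAMPLE_BLOB).items():
        print(category, items)
```

Run it on a real file with `analyse(open("WidgetStatisticalWhitepaper.doc", "rb").read())`. Strings that land in `other` (here the author line with the nickname in parentheses) are the ones that still need a human reader; the point of the classifier is only to pull out the paths, URLs and addresses so they are not missed in a long listing.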
3. Automated Tools and Services for Data Collection
a) Go to shodan.com and create an account. Research the inpt.ac.ma domain. What useful
information can you see? Explore Shodan to learn more about its capabilities.
b) In your Kali, start the Spiderfoot tool. Research the inpt.ac.ma domain. What useful
information can you see? Put all information you believe can be used for the attack in a
separate file! You can start the software with:
spiderfoot -l 127.0.0.1:8000 (you can use any port you choose)
c) Go to www.ipneighbour.com and query 3 domains of your choice. What data do we
see here?
4. RECON-NG for domain enumeration
We will use the Bing web hostname enumerator module and try to find additional subdomains of the
https://www.facebook.com/ website:
a) Load the module:
• load recon/domains-hosts/bing_domain_web
• show info (displays information about the module)
b) Set the target and execute (you can also use some of the domains identified in the previous
practical):
• run
5. Execute the command below using nmap. Check the output and assess its relevance to a
potential penetration test.
nmap --script dns-brute --script-args dns-brute.domain=inpt.ac.ma
6. Go to https://centralops.net/co/ and enter a domain of your choice. Use all available options and
let centralops do the scanning for you. Observe the output and analyze it.
7.
8. Search GitHub for the MegaCorpOne account. Within this account, let us try to find some sensitive
information. Search for any files with the word “users” in the name: filename:users
Try similar searches across all of GitHub (note: you will need to register and log in).
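The GitHub `filename:users` search is a name-based filter, and it is useful to see why it both finds things and produces noise. The script below is an added example, not part of the lab or of the MegaCorpOne account; it builds a small constructed repository in a temporary directory, applies the same kind of filename filter locally, and additionally greps file contents for credential-looking assignments, which is the check a team would run on its own repositories before they are pushed to a public host.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample repository (made-up files; not MegaCorpOne's content).
SAMPLE_TREE = {
    "README.md": "# Widgets\nBuild with make.\n",
    "config/users.txt": "alice:$6$rounds=5000$saltsalt$hashhashhash\nbob:plaintext123\n",
    "scripts/deploy.sh": "#!/bin/sh\nexport DB_PASSWORD='hunter2'\n./deploy --env prod\n",
    "docs/users-guide.md": "# Users guide\nLog in with your SSO account.\n",
    "src/main.py": "print('hello')\n",
}

# Substrings that mirror a `filename:users`-style search (plus a few common ones).
NAME_PATTERNS = ("users", "passwd", "secret", ".env")
# Lines that assign something credential-like, e.g. PASSWORD='...' or api_key: ...
SECRET_RE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?[^\s'\"]{4,}")


def build_tree(root, tree=SAMPLE_TREE):
    """Write the constructed repository under root."""
    for rel, content in tree.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def scan_repo(root):
    """Return (filenames matching NAME_PATTERNS, (file, lineno, line) content hits)."""
    name_hits, content_hits = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(pat in path.name.lower() for pat in NAME_PATTERNS):
            name_hits.append(rel)
        for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if SECRET_RE.search(line):
                content_hits.append((rel, n, line.strip()))
    return name_hits, content_hits


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_tree(tmp)
        return scan_repo(tmp)


if __name__ == "__main__":
    names, contents = demo()
    print("files matched by name:", names)
    print("credential-looking lines:", contents)
```

Two things to notice in the output: `docs/users-guide.md` is a false positive of the name filter (the word "users" in a name says nothing about its sensitivity), while the exported database password in `scripts/deploy.sh` is missed by the name filter entirely and is only caught by the content check. Both searches are needed, and both need a human to review the hits.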