Domains
Learning Company Information
Depending on the type of test (white, gray or black box) you may need to learn details about the company or organization before you can start doing anything. A great way to do this is to use publicly available information. We can build an understanding of the company and its organization by looking at its IP addresses, networks and routes, DNS information and SSL/TLS certificate information. Most of this reconnaissance is passive or near-passive: you are querying registries, public DNS and certificate data rather than scanning the target's own hosts, which matters both for scope and for staying quiet.
Tools and data sources covered: dig, nslookup, whois, IP address information, BGP information, and theHarvester (an OSINT tool that collects e-mail addresses, subdomains and host names for a domain from public sources such as search engines and certificate logs).
Domain Information
Domain names are sold and managed by registrars, which are accredited to register names under the gTLD (generic top-level domain) and ccTLD (country code top-level domain) registries. This means the registrars work with the domain name registries so that companies (and people) can purchase domain names, and the registration data they collect (registrar, creation and expiry dates, name servers, and registrant contacts where they are not redacted) is queryable by anyone. We can use this information to our advantage to learn about the company.
We will look at various tools that we can use to gather this information. A brief video demonstration and explanation will be provided.
DNS Records
Before we get into this we also need to cover DNS. Recall that DNS gives us the ability to map a domain name to a specific IP address, and that some DNS record types carry additional information beyond addresses. Below is a list of some of the most common DNS record types and what they mean.
A (Address) Record: Associates a domain name with an IPv4 address. It translates the domain name to the corresponding IP address.
AAAA (IPv6 Address) Record: Similar to the A record, but for IPv6 addresses. It maps a domain name to its corresponding IPv6 address.
CNAME (Canonical Name) Record: Creates an alias for a domain name. It points the name at another domain's canonical name, so that several names end up resolving to the same address. A name that has a CNAME cannot have other record types alongside it, which is why the zone apex usually carries A/AAAA records rather than a CNAME.
MX (Mail Exchanger) Record: Specifies the mail server responsible for accepting incoming email messages for a domain. It directs email to the appropriate mail server.
TXT (Text) Record: Stores free-form text associated with a domain. It is used for various purposes, such as domain ownership verification for third-party services, Sender Policy Framework (SPF) policies, DKIM public keys and DMARC policies, and other custom information. For reconnaissance, the verification tokens reveal which SaaS providers the organization uses and the SPF record lists which hosts and providers may send mail on its behalf.
NS (Name Server) Record: Identifies the authoritative DNS servers for a domain. It indicates which DNS servers are responsible for providing DNS information for a particular domain.
SOA (Start of Authority) Record: Provides essential information about a DNS zone, such as the primary name server, contact information, serial number, refresh time, retry time, and other parameters.
PTR (Pointer) Record: Performs reverse DNS lookup. It maps an IP address to a domain name, allowing reverse resolution.
SRV (Service) Record: Specifies the location of a specific service or application in a domain. It includes information such as the protocol, port number, priority, weight, and target host.
whois: queries the registration database for a domain name or an IP address block. For a domain it returns the registrar, name servers, creation and expiry dates and the registrant contacts (often redacted by privacy services); for an IP address it returns the owning organization and the netblock range.
traceroute/tracert: traces the hops between you and a target host (traceroute on Linux/macOS, tracert on Windows), which reveals the target's upstream providers and roughly where its network edge sits.
host/nslookup: quick forward and reverse DNS lookups; both can be pointed at a specific name server instead of your default resolver.
dig: the most detailed DNS query tool. It lets you request a specific record type, query a chosen name server and see the full response including TTLs and the authority section.
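To tie the record types above to the tools, here is a small POSIX shell helper built around dig. It is an added example written for these notes, not code from the course or from the dig project. The SAMPLE_ANSWER variable is constructed output in the format produced by dig +noall +answer for the reserved documentation domain example.com, using documentation address ranges (192.0.2.0/24 and 2001:db8::/32); none of its values come from a real lookup. The dns_enum function at the end performs live queries and assumes dig is installed and the network is reachable; the filtering functions work on any saved dig output.

```shell
#!/bin/sh
# Added example (not part of the original notes): filter and summarise
# `dig +noall +answer` output, plus a live enumeration wrapper.

# Constructed sample in dig +noall +answer format. dig separates the five
# fields name / ttl / class / type / rdata with tabs; awk splits on tabs
# and spaces alike, so spaces are used here for readability.
SAMPLE_ANSWER='example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN AAAA 2001:db8::10
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
example.com. 3600 IN MX 20 mail2.example.com.
example.com. 3600 IN MX 10 mail.example.com.
example.com. 300 IN TXT "v=spf1 include:_spf.example.com -all"
example.com. 300 IN TXT "google-site-verification=abc123"
www.example.com. 3600 IN CNAME example.com.'

# filter_type TYPE: read answer lines on stdin and print only the rdata of
# records whose type field ($4) matches. Blanking $1-$4 makes awk rebuild
# the line, then the leading separators are stripped.
filter_type() {
    awk -v t="$1" '$4 == t { $1 = $2 = $3 = $4 = ""; sub(/^[ \t]+/, ""); print }'
}

# count_type TYPE: how many records of that type appear in the answer.
count_type() {
    awk -v t="$1" '$4 == t { n++ } END { print n + 0 }'
}

# mx_hosts: mail exchangers ordered by preference (lowest value first),
# host name only. MX rdata is "<preference> <host>".
mx_hosts() {
    filter_type MX | sort -n | awk '{ print $2 }'
}

# spf_record: the TXT record carrying the SPF policy, if present.
spf_record() {
    filter_type TXT | grep '^"v=spf1'
}

# dns_enum DOMAIN: live lookup of the common record types for a domain,
# followed by a PTR (reverse) lookup for every A record found. Requires
# network access and dig; the offline functions above do not.
dns_enum() {
    domain="$1"
    answer=$(for t in A AAAA NS MX TXT SOA; do
        dig +noall +answer "$domain" "$t"
    done)
    printf '%s\n' "$answer"
    printf '%s\n' "$answer" | filter_type A | while read -r ip; do
        printf 'PTR %s -> %s\n' "$ip" "$(dig +short -x "$ip")"
    done
}

# Usage (live):    . ./dns_recon.sh; dns_enum target.example
# Usage (offline): printf '%s\n' "$SAMPLE_ANSWER" | mx_hosts
```

Against the constructed sample, mx_hosts prints mail.example.com. before mail2.example.com. because the preference value 10 sorts ahead of 20, and spf_record returns the quoted SPF policy, which tells you which hosts the organization permits to send its mail. Save real dig output to a file and pipe it through the same functions to keep a record of what the target's zone looked like at the time of the test.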
BGP Information
BGP routing data tells you which autonomous system (AS) number an organization holds and which IP prefixes it announces, which helps you scope its externally reachable address space. To learn a bit about BGP itself you can read the following article:
https://www.techtarget.com/searchnetworking/definition/BGP-Border-Gateway-Protocol