
Offensive OSINT

The information targeted for collection depends on the initial goal of the penetration test. For example, if testers want to access personal health records, they will need the names and biographical information of the relevant parties (third-party insurance companies, healthcare providers, the head of IT operations, commercial suppliers, and so on), together with their usernames and passwords. If the route of attack involves social engineering, they may supplement this with details that give credibility to their requests for information:

  • Domain names: For attackers or penetration testers in an external scenario, identification of the target begins with its domain names, which are the most crucial element of OSINT.
  • DNS reconnaissance and route mapping: Once a tester has identified a target that has an online presence and contains items of interest, the next step is to identify the IP addresses of the target and the network routes to them.

Domain Name System (DNS) reconnaissance is concerned with identifying who owns a particular domain or range of IP addresses (whois-type information), the DNS records that map the target's domain names to its assigned IP addresses, and the route between the penetration tester or attacker and the final target.

This information gathering is semi-active: some of the information is available from freely accessible open sources, while other information is obtained from third parties such as DNS registrars. Although a registrar may log the IP addresses and queries of the attacker, it rarely provides that data to the target. Information that the target could monitor directly, such as its own DNS server logs, is almost never reviewed or retained. Because the required information can be queried using a defined, systematic and methodical approach, its collection can be automated.
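As an added illustration of the DNS side of this collection (this is example code written for this page, not code from the book or from a Kali tool), the script below brute-forces subdomains from a wordlist and discards hits that are only wildcard artefacts. The domain names, IP addresses and wordlist are constructed for the example; the resolver is injected as a callable so the same logic runs offline against an in-memory table, or against real DNS by passing `system_resolver`.

```python
import random
import socket
import string
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve through the OS stub resolver; None on NXDOMAIN/lookup failure."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def wildcard_ip(domain: str, resolve: Resolver) -> Optional[str]:
    """Probe for wildcard DNS: if a random label resolves, every guess would 'hit'.

    Returns the IP the wildcard answers with, or None if there is no wildcard.
    """
    label = "".join(random.choices(string.ascii_lowercase, k=16))
    return resolve(f"{label}.{domain}")


def enumerate_subdomains(domain: str, wordlist: Iterable[str],
                         resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Brute-force <word>.<domain> for each word; keep names that resolve to a real record.

    A hit that resolves to the same address as the wildcard probe is dropped, since
    it tells us nothing about whether that host actually exists.
    """
    wild = wildcard_ip(domain, resolve)
    found: Dict[str, str] = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ip = resolve(name)
        if ip is None:
            continue
        if wild is not None and ip == wild:
            continue  # wildcard artefact, not evidence of a real host
        found[name] = ip
    return found


# Constructed in-memory zone for an offline run; addresses are documentation ranges.
FAKE_ZONE = {
    "www.example.test": "198.51.100.10",
    "mail.example.test": "198.51.100.20",
    "vpn.example.test": "198.51.100.30",
}


def fake_resolver(hostname: str) -> Optional[str]:
    """Stand-in for DNS: answers only for names in FAKE_ZONE."""
    return FAKE_ZONE.get(hostname)


if __name__ == "__main__":
    # Same wordlist as a small Kali-style brute-force run; swap in system_resolver
    # (and a real domain you are authorised to test) for live reconnaissance.
    words = ["www", "mail", "vpn", "dev", "staging"]
    for name, ip in sorted(enumerate_subdomains("example.test", words, fake_resolver).items()):
        print(f"{name:<24} {ip}")
```

The wildcard check compares a single address, which is enough for a wildcard A record pointing at one host; zones that round-robin several addresses for `*` need the probe repeated and the whole set compared. Run the probe before the loop rather than per-guess so a rate-limited or flaky resolver does not change the verdict midway.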

In the following sections, we will discuss how easily all of a target's domain names can be enumerated using simple tools available in Kali Linux.
