- Metasploit Penetration Testing Cookbook
- Abhinav Singh
- 2021-08-13 18:21:11
Passive information gathering 2.0 - the next level
Every security professional is aware of the information gathering techniques discussed in the previous recipe. But there are some techniques that analysts neglect because they are less popular and less well known, even though they can produce results as good as the previous ones. The techniques we discuss here involve a deeper analysis of our target, while still remaining passive. They do not require Metasploit, but since information gathering is an important part of penetration testing, we cover them here.
Getting ready
We will look at three techniques in this recipe:
- Zone transfer: This can be performed using the terminal.
- SMTP header: For this technique, we will require an e-mail that is sent by the target to the penetration tester.
- Google dork: This is a simple, yet useful, technique of gaining information through a search engine.
Let us start with zone transfer.
How to do it...
Zone transfer (AXFR) is a special method used by DNS servers to exchange the authoritative records for a domain between multiple servers. It is responsible for transferring the bulk list of domain information between primary and secondary servers. A misconfigured DNS server will answer such a request from any client, handing over the complete record set for the queried domain.
Consider the following example, in which the query dig @ns1.example.com example.com axfr returns a list of IP addresses and their corresponding host names (screenshot of the dig output omitted).
This query has identified ten host names, out of which eight unique hosts belong to example.com. We can see that the host names are descriptive enough to give a clear understanding of the type of service that is running on each host.
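The zone transfer check above, worked through as an added example (this is not code from the book): a small Python parser that takes the text dig prints for an AXFR request, reports whether the server actually handed over the zone (dig prints "; Transfer failed." when the transfer is refused, so that string is the negative signal), and lists the in-zone hosts with their addresses, flagging any that resolve to RFC 1918 space, which is the kind of internal topology leak a defender wants to catch before an attacker does. The dig output embedded below is constructed from documentation addresses (192.0.2.0/24, 2001:db8::/32) and is not a real zone; the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what `dig @ns1.example.com example.com axfr` prints when
# the server answers the transfer. Not real records: RFC 5737 / RFC 3849 addresses.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1 <<>> @ns1.example.com example.com axfr
;; global options: +cmd
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2021081301 7200 3600 1209600 3600
example.com.          3600 IN NS    ns1.example.com.
example.com.          3600 IN NS    ns2.example.com.
example.com.          3600 IN MX    10 mail.example.com.
ns1.example.com.      3600 IN A     192.0.2.1
ns2.example.com.      3600 IN A     192.0.2.2
mail.example.com.     3600 IN A     192.0.2.10
mail.example.com.     3600 IN AAAA  2001:db8::10
www.example.com.      3600 IN A     192.0.2.20
ftp.example.com.      3600 IN CNAME www.example.com.
vpn.example.com.      3600 IN A     192.0.2.30
intranet.example.com. 3600 IN A     10.0.0.5
dev.example.com.      3600 IN A     10.0.0.6
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2021081301 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# Constructed sample of dig's output when the server refuses AXFR.
SAMPLE_REFUSED = """\
; <<>> DiG 9.16.1 <<>> @ns1.example.com example.com axfr
;; global options: +cmd
; Transfer failed.
"""

# One resource record line: owner, TTL, class IN, type, rdata (rest of line).
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")

# Only the three private IPv4 blocks; ipaddress.is_private would also match
# documentation ranges, which is not what we want to flag here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return (owner, type, rdata) tuples from dig's AXFR output, skipping ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m["name"].rstrip(".").lower(), m["type"], m["rdata"].strip()))
    return records


def transfer_succeeded(text):
    """True when the server actually served the zone: no failure banner and an SOA record present."""
    if "Transfer failed" in text:
        return False
    return any(rtype == "SOA" for _, rtype, _ in parse_axfr(text))


def address_map(records, zone):
    """Map each hostname inside `zone` to the set of A/AAAA addresses it resolves to."""
    zone = zone.rstrip(".").lower()
    hosts = defaultdict(set)
    for name, rtype, rdata in records:
        in_zone = name == zone or name.endswith("." + zone)
        if in_zone and rtype in ("A", "AAAA"):
            hosts[name].add(rdata)
    return dict(hosts)


def private_hosts(hosts):
    """Hostnames whose published addresses fall in RFC 1918 space: internal topology leaked by the zone."""
    return sorted(
        name for name, addrs in hosts.items()
        if any(ipaddress.ip_address(a) in net for a in addrs for net in RFC1918)
    )


if __name__ == "__main__":
    if transfer_succeeded(SAMPLE_AXFR):
        hosts = address_map(parse_axfr(SAMPLE_AXFR), "example.com")
        for name in sorted(hosts):
            print(f"{name:24} {', '.join(sorted(hosts[name]))}")
        print("hosts pointing at private addresses:", private_hosts(hosts))
```

To run it against a live check of your own zone, pipe the real dig output into parse_axfr instead of SAMPLE_AXFR; a zone you administer should make transfer_succeeded return False for any client that is not one of your secondaries.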
Analyzing the SMTP header can be another potential source of information about the target. It can tell us about the mail server, its IP address, its software version, and so on. The only drawback of this method is that we need an e-mail sent from the target to analyze. The following screenshot shows part of the header of a mail sent from the target (screenshot omitted).
Careful analysis of the header shows that the IP address of the mail server is 83.166.169.248. The mail server uses the ESMTP service and the user uses the IMAP service. This additional information can be very useful in further exploring the target.
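The header analysis described above, as an added example that is not part of the book: a Python script that uses the standard library email parser to unfold the Received headers of a message, walk the relay chain from the originating client to the final hop, and pull out the facts an analyst looks for (the target's outbound mail server and its address, the MTA software it announces, the submission protocol, the client software from X-Mailer, and whether the first hop exposes an internal RFC 1918 address). The header block below is constructed, with documentation addresses, and is not the message from the book; the function names are my own.

```python
import email
import ipaddress
import re

# Constructed header block (not a real message): a mail submitted from an internal
# client to the target's server, then relayed to the analyst's MX.
SAMPLE_HEADERS = """\
Return-Path: <alice@example.com>
Received: from mail.example.com (mail.example.com [203.0.113.25])
\tby mx.tester.example (Postfix) with ESMTP id 3F2A1B7C9D
\tfor <analyst@tester.example>; Fri, 13 Aug 2021 18:21:11 +0000 (UTC)
Received: from [10.0.0.42] (unknown [10.0.0.42])
\tby mail.example.com (Postfix) with ESMTPSA id 7E1D0C4B2A;
\tFri, 13 Aug 2021 18:20:58 +0000 (UTC)
Message-ID: <20210813182058.7E1D0C4B2A@mail.example.com>
From: Alice <alice@example.com>
To: analyst@tester.example
Subject: Re: meeting
X-Mailer: Thunderbird 78.12.0
Date: Fri, 13 Aug 2021 18:20:58 +0000

body text
"""

# "from X (info) by Y (mta) with PROTO" as written by most MTAs (RFC 5321 section 4.4).
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<from_info>[^)]*)\))?\s*"
    r"by\s+(?P<by>\S+)\s*(?:\((?P<mta>[^)]*)\))?\s*"
    r"with\s+(?P<proto>\S+)"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_received(raw):
    """Return the Received hops in delivery order (origin first), one dict per hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip_match = IP_RE.search(m["from_info"] or m["from"])
        ip = ip_match.group(1) if ip_match else None
        hops.append({
            "from": m["from"].strip("[]"),
            "ip": ip,
            "by": m["by"],
            "mta": m["mta"],
            "proto": m["proto"],
            "internal_ip": bool(ip) and any(ipaddress.ip_address(ip) in n for n in RFC1918),
        })
    hops.reverse()  # each MTA prepends its header, so the last one listed is the origin
    return hops


def header_summary(raw):
    """The facts an analyst pulls from a header received from the target."""
    msg = email.message_from_string(raw)
    hops = parse_received(raw)
    if not hops:
        return {}
    last, first = hops[-1], hops[0]
    # The target's outbound server is the sender of the final hop; its software is
    # announced where that same host appears as the receiving ("by") side.
    server = last["from"]
    software = next((h["mta"] for h in hops if h["by"] == server), None)
    msgid = msg.get("Message-ID", "")
    return {
        "mail_server": server,
        "mail_server_ip": last["ip"],
        "mail_server_software": software,
        "relay_proto": last["proto"],
        "submission_proto": first["proto"],
        "origin_ip": first["ip"],
        "origin_is_internal": first["internal_ip"],
        "client_software": msg.get("X-Mailer"),
        "message_id_host": msgid.rsplit("@", 1)[-1].rstrip(">") if "@" in msgid else None,
    }


if __name__ == "__main__":
    for key, value in header_summary(SAMPLE_HEADERS).items():
        print(f"{key:22} {value}")
```

On the defender's side the same parser is useful in reverse: run it over mail leaving your own domain and an origin_is_internal of True means your edge MTA is publishing internal client addresses to every recipient.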
The last technique is using Google dorks. This method works only in some cases, but it is worth a try, as you never know what sensitive information it can reveal. Many times the Google crawler reaches files or documents that are stored on the target server for internal use; because they are reachable from the internet, the crawler indexes them and they appear in search results. In that case, we can look for such files using some Google search tricks. Combining the site and filetype operators in a search can reveal some exciting material.
For example, perform the following search queries in Google:
site:www.target.com filetype:xls
site:www.target.com filetype:pdf
site:www.target.com filetype:db
Similarly, we can try several different combinations to dig out results from Google search.
How it works...
The dig query basically returns the data that is provided by the IP or domain owner while it is being registered. The zone transfer information is specifically provided to DNS servers in order to build a proper mapping of registered domains, and the dig query can fetch this information. The SMTP header is the original data body of an e-mail. Since it is the main data representation of an e-mail, it contains a lot of information about the sender.
Google dorks are nothing but search queries for the various files that the Google crawler has indexed. Once a file has been indexed by Google, it can be found using specific search operators.
There's more...
www.jhony.ihackstuff.com is the most comprehensive guide for Google dorks where you can find a complete list of dorks that can reveal lots of hidden information about your target.