Passive Reconnaissance Techniques PLAB for INT course
Click the Microsoft Edge icon.
In the URL bar, go to https://practice-labs.com.
The Practice Labs website is displayed.
In Microsoft Edge, at the bottom of the skills.practice-labs.com homepage, select Mission to view the company’s mission page. Close any pop-ups that appear.
The Our mission page is displayed.
Scroll down to the Latest from our blog section on the skills.practice-labs.com/our-mission page and select View all posts to view the company’s blog.
The Blog page is displayed.
On the blog.practice-labs.com page, select the Learning Technologies 2022 post. This post may no longer be available as the first link; in that case, select the first blog post available.
The Learning Technologies 2022 blog is displayed.
Select the Contact us link at the bottom of the blog.practice-labs.com page.
The Contact us page is displayed.
Minimize the Microsoft Edge browser window.
Click the File Explorer icon on the Taskbar.
In the File Explorer window, navigate to This PC > Local Disk (C:) > PLAB > OSINT folder.
Double-click on the Reconnaissance Data Collection text file.
The Reconnaissance Data Collection text file is displayed in Notepad.
Restore Microsoft Edge from the Taskbar.
On the skills.practice-labs.com/contact page, highlight the right-hand column of the webpage from “United Kingdom” through “US Support”.
Use the Ctrl+c keys to copy the data to the clipboard.
In Notepad (the Reconnaissance Data Collection.txt file), use the Ctrl+v keys to paste the highlighted column into the Notepad file under the ***WEBSITE VISIT RESULTS*** header.
Then use the Ctrl+s keys to save the file.
Task 2 - Domain Registry Search
WHOIS provides contact information for the domain registrant, the period of registration, name servers, the status of DNSSEC, and other details. This search can be conducted with online resources or from the command line interface (CLI) in Kali Linux, which queries the WHOIS server on the default port 43. This lab does not provide proxy support for port 43.
In this task, you will conduct a whois search on PLAB (practice-labs.com) using lookup.icann.org (a whois alternative) on PLABWIN10. You will then save the output of the search to PLABWIN10 C:\PLAB\OSINT\Reconnaissance Data Collection.txt file.
Step 1
Connect to PLABWIN10.
Click the Microsoft Edge icon on the Taskbar.
In the Microsoft Edge URL bar, type the following and press Enter:
lookup.icann.org
Step 2
Click OK on the A note about our privacy policies and terms of service: popup message.
On the lookup.icann.org website, type the following into the search box and press Lookup:
practice-labs.com
Figure 1.18 Screenshot of PLABWIN10: Displaying Microsoft Edge and conducting the whois search on practice-
Step 3
On the lookup.icann.org webpage, select the search results from the “Domain Information” through to the “Authoritative Servers” sections. Then use the Ctrl+c keys to copy the highlighted section to the clipboard.
Figure 1.19 Screenshot of PLABWIN10: Displaying selecting the lookup.icann.org search results.
Step 4
Click the File Explorer icon on the Taskbar.
Figure 1.20 Screenshot of PLABWIN10: Displaying opening File Explorer from the Taskbar.
Step 5
In the File Explorer window, navigate to This PC > Local Disk (C:) > PLAB > OSINT folder.
Double-click on the Reconnaissance Data Collection text file.
Figure 1.21 Screenshot of PLABWIN10: Displaying opening the Reconnaissance Data Collection.txt file.
Step 6
In the How do you want to open this file? pop-up window, select Notepad, and click OK.
The Reconnaissance Data Collection text file is displayed in Notepad.
Figure 1.22 Screenshot of PLABWIN10: Displaying the Reconnaissance Data Collection.txt file.
Step 7
Use the Ctrl+v keys to paste the lookup.icann.org data under the ***WHOIS RESULTS*** header section.
Press the Ctrl+s keys to save the file.
Figure 1.23 Screenshot of PLABWIN10: Displaying copying the selected data into the Notepad file under the ***WHOIS RESULTS*** header.
Keep the Notepad and Microsoft Edge browser windows open.
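The following is an added example, not part of the lab or of Practice Labs' material. It shows what the CLI WHOIS lookup described at the start of this task does on the wire: one TCP connection to port 43, a CRLF-terminated query, and a free-text reply that is then reduced to the fields the lab records. The default server name whois.iana.org and the sample reply are assumptions; because the lab does not proxy port 43, the live query is expected to fail there, so the parser is exercised on a constructed reply instead.

```python
import socket

WHOIS_PORT = 43  # the default WHOIS port named in the lab text


def whois_query(domain: str, server: str = "whois.iana.org", timeout: float = 10.0) -> str:
    """Send one RFC 3912 WHOIS query over TCP/43 and return the raw text reply.
    Needs network access: the lab's proxy does not forward port 43, so this is
    exactly the call that fails from inside the lab and forces the web lookup."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(f"{domain}\r\n".encode("ascii"))  # the query is one CRLF-terminated line
        chunks = []
        while data := sock.recv(4096):  # the server closes the connection when done
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Extract the fields the lab records: registrar, dates, name servers, DNSSEC status.
    Replies are free-text 'Key: value' lines; the repeated Name Server key is
    collected into a list and comment or footer lines are skipped."""
    result = {"name_servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "name server":
            result["name_servers"].append(value.lower())
        elif key in ("registrar", "creation date", "registry expiry date", "dnssec"):
            result[key.replace(" ", "_")] = value
    return result


# Constructed sample reply (not real registry data) so the parser can run offline.
SAMPLE_REPLY = """\
% Constructed WHOIS reply for illustration
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-01T10:00:00Z
Registry Expiry Date: 2026-03-01T10:00:00Z
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""
```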
Task 3 - DNS Record Query
Domain DNS records are stored on authoritative servers associated with the target domain. These records can include domain name to IPv4/IPv6 address resolution, authoritative nameserver resolution, records that verify domain ownership, mail server addresses, spam e-mail prevention protocols, and other records. These records can be critical in unknown-environment penetration testing (formerly known as blackbox penetration testing).
DNS queries may be answered with cached responses. Because a cached response allows for the possibility of the response being incorrect (if a configuration change has occurred and the records have not yet been updated), only authoritative DNS responses should be used for penetration testing.
In this task, you will conduct a DNS record query.
Step 1
In PLABWIN10, restore the Microsoft Edge browser window from the Taskbar.
In the Microsoft Edge URL bar, type the following and press Enter:
nslookup.io
Figure 1.24 Screenshot of PLABWIN10: Displaying Microsoft Edge and typing “nslookup.io” into the URL bar.
Note: Looking up DNS records can be done in several ways. In the Windows operating system, “nslookup” is the tool used in either the Command Prompt or PowerShell. In Linux, the Domain Information Groper (dig) is used for DNS queries. For our reconnaissance, we will use an online nslookup utility that queries several authoritative domain nameservers and provides the same information we could obtain by running the nslookup or dig search manually.
Step 2
Click Accept in the You control your privacy popup message.
In the “Domain Name” search bar, type the following, then click Find DNS Records:
practice-labs.com
Figure 1.25 Screenshot of PLABWIN10: Displaying the nslookup.io webpage.
Step 3
The “DNS records for practice-labs.com” page is displayed.
Figure 1.26 Screenshot of PLABWIN10: Displaying the results of the nslookup.io DNS record search.
Note: As listed at the top of the results, the returned records are provided by a Cloudflare DNS server. The nslookup.io webpage also allows us to view the results from Google DNS or OpenDNS servers. Each of these results states that at the end of the Time to Live (TTL), the records will be refreshed from an authoritative nameserver. This means that the provided results are cached and non-authoritative.
Step 4
On the nslookup.io results page, select the Authoritative tab.
Figure 1.27 Screenshot of PLABWIN10: Displaying the nslookup.io results page and selecting the Authoritative tab.
Note: These results are returned from an authoritative nameserver (authoritative for the practice-labs.com domain). While the non-authoritative answers may be the same, a non-authoritative answer reflects configuration changes more slowly than an authoritative server does. For this reason, we will rely only on the authoritative DNS query results.
Step 5
To the right of the Local DNS tab, click the Settings (gear) icon.
Toggle Show raw data to On.
Figure 1.28 Screenshot of PLABWIN10: Displaying the nslookup.io results, and clicking on the Settings icon and toggling on the selector to Show raw data.
Step 6
The A records are displayed.
Figure 1.29 Screenshot of PLABWIN10: Displaying the Authoritative tab from the nslookup.io results.
Note: Observe the raw data to learn that the DNS query is done with the Linux “dig” command and that the query is directed at several authoritative nameservers in the practice-labs.com domain.
Step 7
Highlight the Authoritative tab - Raw Data results page from the “A Records” to the “SOA Records”.
Press the Ctrl+c keys to copy them to the clipboard.
Figure 1.30 Screenshot of PLABWIN10: Displaying highlighting the nslookup.io results from the Authoritative tab.
Step 8
Restore Notepad (the Reconnaissance Data Collection.txt file) from the Taskbar.
Press Ctrl+V to paste the nslookup results under the ***DNS QUERY RESULTS*** header. Then, use the Ctrl+S keys to save the file.
Figure 1.31 Screenshot of PLABWIN10: Copying the selected data into the Notepad file under the ***DNS QUERY RESULTS*** header.
Keep the Reconnaissance Data Collection - Notepad window open.
Close the Microsoft Edge browser window.
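As an added example (not part of the lab or of nslookup.io), the code below makes the authoritative-versus-cached distinction from this task checkable in the raw dig output the Authoritative tab exposes: the `aa` header flag identifies an authoritative answer, and records that a cached reply still serves but the authoritative server no longer returns are the stale ones the note warns about. The two dig transcripts are constructed using reserved example names and addresses.

```python
import re
from collections import namedtuple

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
Record = namedtuple("Record", "name ttl rtype data")


def parse_dig(output: str) -> tuple[bool, list[Record]]:
    """Return (authoritative, answer records) from dig's text output.
    The 'aa' header flag marks an authoritative answer; without it the reply came
    from a resolver cache and the TTL shown is only the time left in that cache."""
    match = FLAGS_RE.search(output)
    flags = set(match.group(1).split()) if match else set()
    records, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif not line.strip() or line.startswith(";"):
            in_answer = False  # blank line or another section header ends the answers
        elif in_answer:
            name, ttl, _cls, rtype, data = line.split(None, 4)
            records.append(Record(name, int(ttl), rtype, data))
    return "aa" in flags, records


def stale_records(cached_output: str, authoritative_output: str) -> list[Record]:
    """Records a cached answer still serves that the authoritative server no longer returns."""
    is_auth, live = parse_dig(authoritative_output)
    if not is_auth:
        raise ValueError("reference answer lacks the 'aa' flag; not treating it as truth")
    current = {(r.name, r.rtype, r.data) for r in live}
    return [r for r in parse_dig(cached_output)[1] if (r.name, r.rtype, r.data) not in current]


# Constructed dig transcripts (RFC 2606 name, RFC 5737 addresses), not real lab output.
CACHED_DIG = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.    87    IN    A    192.0.2.10
example.test.    87    IN    A    192.0.2.11
"""
AUTHORITATIVE_DIG = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
example.test.    300    IN    A    192.0.2.10
;; AUTHORITY SECTION:
example.test.    3600    IN    NS    ns1.example.test.
"""
```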
Task 4 - Online SSL Check
Online SSL checkers provide the status of certificates associated with a specific domain. From a penetration testing perspective, the Subject Alternative Name (SAN) field of a certificate may list multiple subdomains associated with a single certificate, each of which can be penetration tested. Additionally, the status of certificates can provide the tester with an indication of how well the webserver is administered. Expired certificates and/or revoked certificates with old (and possibly forgotten) subdomains may increase the domain attack surface.
In this task, you will search for SSL certificates with an online SSL checker.
Step 1
Connect to PLABKALI.
Note: If required, log in using the password Passw0rd.
Click the Terminal Emulator icon on the Desktop toolbar.
Figure 1.32 Screenshot of PLABKALI: Displaying the desktop and selecting the Terminal Emulator.
Step 2
At the command prompt, type the following, then press Enter:
sslscan practice-labs.com
Figure 1.33 Screenshot of PLABKALI: Displaying the results of the sslscan command in the Terminal Emulator.
Step 3
Minimize the Terminal window.
On the PLABKALI desktop, click the Text Editor icon on the top pane.
Note: The sslscan results will be copied into the Text Editor and transferred to Myfiles so that they can be added to the Reconnaissance Data Collection.txt file on PLABWIN10.
Step 4
Click the Terminal Emulator icon on the Desktop toolbar.
Step 5
Highlight the sslscan results.
Right-click on the selected results and select Copy Selection.
Step 6
Click on the Text Editor icon on the Desktop toolbar.
Press the Ctrl+v keys to paste the sslscan results into the file.
Step 7
On the Text Editor window, click the File dropdown menu and select Save As.
Step 8
In the Save As dialog box, select Desktop on the left pane.
Type the following for the Name field and click Save.
sslscan_results
Step 9
Minimize the Text editor and the Terminal Emulator windows.
On the PLABKALI desktop, select Firefox from the Desktop toolbar.
Step 10
The Firefox Intranet page is displayed.
Click on the My files tab.
Note: The intranet, by default, is set as the homepage in Firefox. We will be uploading the sslscan_results file to MyFiles through the intranet page.
Note: The MyFiles area, as the name suggests, is where your files are stored. MyFiles can be accessed by all network-connected virtual machines.
Step 11
With the My files tab selected, click Browse.
Step 12
On the File Upload dialog box, select Desktop on the left pane.
Select sslscan_results and click Open.
Note: Now that the file has been uploaded to MyFiles, it can be accessed from PLABWIN10.
Step 13
Close the Firefox browser window.
Close the Terminal Emulator and Text Editor windows.
Step 14
Connect to PLABWIN10.
Click the Microsoft Edge icon on the Taskbar.
Note: The intranet, by default, is set as the homepage in Microsoft Edge. We will be downloading the sslscan_results file from MyFiles through the intranet page. If a Microsoft Edge instance is already open, type “intranet” into the URL bar and press Enter.
Step 15
On the Microsoft Edge Intranet page, click on the My files tab.
Step 16
Select the sslscan_results file.
The download of the file begins in the upper right-hand corner Download box.
When the download is complete, select Open file from the Download pop-up box.
Step 17
In the Downloads dialog box, select the sslscan_results file and press Enter.
Select Notepad from the “How do you want to open this file?” pop-up window.
Click OK.
Step 18
The sslscan_results - Notepad window is displayed.
Note: At this point, two instances of Notepad should be open on PLABWIN10, the first is the Reconnaissance Data Collection.txt file, and the second is the sslscan_results file.
Step 19
In the sslscan_results file, press Ctrl+A keys to highlight all the content.
Press the Ctrl+c keys to copy the highlighted data to the clipboard.
Step 20
In the Reconnaissance Data Collection.txt file, press the Ctrl+v keys to paste the sslscan results under the ***SSLCHECK RESULTS*** header.
Press the Ctrl+s keys to save the file.
Close the Reconnaissance Data Collection - Notepad window.
Step 21
Close the sslscan_results - Notepad window.
Figure 1.52 Screenshot of PLABWIN10: Displaying closing the Notepad file.
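To turn the saved sslscan output from this task into the two observations the introduction describes (extra hosts listed in the Subject Alternative Name field, and certificate validity as an indicator of how well the server is administered), the following added example parses the certificate block of an sslscan-style text file. It is not part of the lab or of sslscan; the sample block and the review date are constructed, and the field labels are assumed to follow sslscan's text layout.

```python
from datetime import datetime, timezone

# Constructed sample in the style of sslscan's certificate section (not real scan output).
SAMPLE_SSLSCAN = """\
Subject:  example.test
Altnames: DNS:example.test, DNS:www.example.test, DNS:old-portal.example.test
Not valid before: Jan  1 00:00:00 2023 GMT
Not valid after:  Jan  1 23:59:59 2024 GMT
"""
# Constructed review date used by the checks below, so results are reproducible.
REVIEW_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_gmt(value: str) -> datetime:
    """Parse OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' notation into an aware UTC datetime."""
    normalized = " ".join(value.split())  # single-digit days are padded with two spaces
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_sslscan_cert(text: str) -> dict:
    """Pull subject, SAN entries and validity window out of sslscan's certificate block."""
    cert = {"subject": None, "san": [], "not_before": None, "not_after": None}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.lower(), value.strip()
        if key == "subject":
            cert["subject"] = value
        elif key == "altnames":
            # SAN entries are 'DNS:name' separated by commas; keep the hostnames only.
            cert["san"] = [n.strip().removeprefix("DNS:") for n in value.split(",")]
        elif key == "not valid before":
            cert["not_before"] = _parse_gmt(value)
        elif key == "not valid after":
            cert["not_after"] = _parse_gmt(value)
    return cert


def extra_hosts(cert: dict) -> list[str]:
    """SAN names other than the subject: additional hosts to record for scope and review."""
    return sorted(n for n in cert["san"] if n != cert["subject"])


def validity_findings(cert: dict, now: datetime = REVIEW_TIME) -> list[str]:
    """Expiry observations, the 'how well administered' signal the lab describes."""
    findings = []
    if cert["not_after"] and now > cert["not_after"]:
        findings.append(f"expired on {cert['not_after']:%Y-%m-%d}")
    return findings
```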